Age | Commit message (Collapse) | Author |
|
From Larry Hynes via tech@.
|
|
|
|
ok kn@ patrick@
|
|
When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.
With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.
Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ cannot be fulfilled. If no CERTREQ was received we now use this
same fallback.
This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.
ok and tested by kn@
ok patrick@
|
|
used by the processor chip. Although we have a SENSOR_WATTHOUR sensor
type, its units are not really suitable for this sensor. So add a
SENSOR_ENERGY type that uses microjoules as its unit.
ok deraadt@
|
|
ok patrick@
|
|
in phase one to be used in phase 5, unless we're tight on memory.
From FreeBSD; ok bket@
|
|
|
|
|
|
is properly cleaned up in ikev2_msg_retransmit_timeout().
ok patrick@
|
|
w/o using string functions on data that *MIGHT NOT* be NUL
terminated. Fiddle parse_domain_name_list() to avoid string functions
for the same reason.
Problem encountered by Jesper Wallin when running with
vm.malloc_conf=CFGJUR, although he later proved 'J' (more junking) was
the actual trouble maker.
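The hazard described in this commit is a parser that hands a buffer to strlen()/strcpy() when nothing guarantees the buffer ends in a NUL byte; a junk-filling malloc makes the over-read visible. The following is an added example, not slaacd's parse_domain_name_list(): a bounds-checked parser for a DNSSL-style list of DNS wire-format names (RFC 1035 length-prefixed labels, each name ended by a zero-length label, list padded with zeros). The limits MAXNAMES and MAXNAMELEN and the sample option bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXNAMES   8      /* assumed cap on names returned */
#define MAXNAMELEN 255    /* RFC 1035 maximum presentation-format name length */

/*
 * Parse a list of DNS wire-format names from buf[0..len).
 * Every read of buf is checked against len, and no string function ever
 * touches buf, so data that lacks a terminating zero cannot cause an
 * over-read. Names are written to names[] in dotted form and NUL-terminated
 * by us, not by the input.
 * Returns the number of names stored, or -1 on malformed input
 * (truncated label, label longer than 63 bytes, name longer than 255 bytes,
 * or missing terminating zero).
 */
int
parse_domain_name_list(const uint8_t *buf, size_t len,
    char names[MAXNAMES][MAXNAMELEN + 1], int maxnames)
{
	size_t i = 0;
	int n = 0;

	while (i < len && n < maxnames) {
		size_t o = 0;		/* write position in names[n] */
		int seen_label = 0;

		for (;;) {
			if (i >= len)
				return -1;	/* data ended before the terminating zero */
			uint8_t l = buf[i++];
			if (l == 0)
				break;		/* end of this name */
			if (l > 63 || i + l > len)
				return -1;	/* bad label length or label runs past buf */
			if (o + (seen_label ? 1 : 0) + l > MAXNAMELEN)
				return -1;	/* name would exceed 255 bytes */
			if (seen_label)
				names[n][o++] = '.';
			memcpy(&names[n][o], &buf[i], l);	/* bounded copy, not strcpy */
			o += l;
			i += l;
			seen_label = 1;
		}
		if (!seen_label)
			return n;	/* zero byte with no labels: padding, list is over */
		names[n][o] = '\0';
		n++;
	}
	return n;
}

int
main(void)
{
	/* Constructed sample: "example.com", "foo.bar", then three padding bytes. */
	const uint8_t opt[] = {
		7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
		3, 'f', 'o', 'o', 3, 'b', 'a', 'r', 0,
		0, 0, 0
	};
	char names[MAXNAMES][MAXNAMELEN + 1];
	int n = parse_domain_name_list(opt, sizeof opt, names, MAXNAMES);

	for (int k = 0; k < n; k++)
		printf("name[%d] = %s\n", k, names[k]);
	return n < 0;
}
```

The two failure cases worth keeping in mind are a label whose declared length runs past the end of the buffer and a name that is simply cut off before its terminating zero; both return -1 here instead of reading beyond len.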
|
|
ok patrick@
|
|
family and length field. This fixes route(8) to handle "::/0"
properly. Also fix "route add -inet 0.0.0.0 -prefixlen 0 (gateway)"
to work properly.
ok kn
|
|
This is the name the other BSDs use for this, there is no reason to
be different, the IPv6 RFCs call these addresses temporary, and some
software in ports wants to use this as well.
Most recently pointed out for firefox by landry.
OK claudio, sthen
|
|
|
|
|
|
OK florian@, kn@, millert@
|
|
IKEV2_CERT_X509_CERT.
|
|
parser aren't needed as they are checked at runtime during the handshake.
Moreover, these checks during startup of the daemon never worked
properly when dstid was not explicitly configured. The dstid depends
on the ID message payload which is only known after the initial handshake.
ok patrick@
|
|
|
|
|
|
naddy gave me a pointer in the right direction
ok millert@ deraadt@
looks good to matt dunwoodie
|
|
|
|
|
|
note that this links ifconfig with libcrypto to get at base64
encoding and decoding routines. I'm looking at an alternative way
to do that, so hopefully this is temporary.
secondly, note that all the wireguard stuff is under ifndef SMALL,
so the special build of ifconfig for install media does include
wireguard support, and also does not need libcrypto.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
|
ncg * ipg calculation can overflow if signed types are used. Move
to uint32_t for the relevant values. Aligned with FreeBSD changes.
Also make sure newfs refuses to create an fs with more than 2^32-1
inodes. ok millert@
|
|
ok patrick@
|
|
ok patrick@
|
|
|
|
ok patrick@
|
|
ok patrick@
|
|
improving clarity.
No intentional functional change.
|
|
ok patrick@
|
|
ok patrick@
|
|
ok patrick@
|
|
|
|
conversion steps). it only contains kernel prototypes for 4 interfaces,
all of which legitimately belong in sys/systm.h, which are already included
by all enqueue_randomness() users.
|
|
ok patrick@
|
|
|
|
from the range [1..UINT_MAX] initially. On inode re-use increment
and on wrap refill from the range [1..UINT_MAX-1] to avoid
assigning UINT_MAX (the original value). Zero still means uninitialized.
ok millert@
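The scheme in this commit has one edge case that matters: incrementing the generation UINT_MAX would wrap to 0, which is reserved for "uninitialized", so the wrap draws a fresh value from a range that excludes UINT_MAX itself. The following is an added example written for this page, not the kernel's code: a generation allocator that follows the described rules, with the random source injected so it runs anywhere. The xorshift generator demo_rnd() is a deterministic stand-in for the kernel's random source and is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Deterministic stand-in for a kernel random source (assumed for the example). */
static uint32_t demo_state = 2463534242u;

uint32_t
demo_rnd(void)
{
	uint32_t x = demo_state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return demo_state = x;
}

/*
 * Compute the next inode generation number from the current one.
 *   cur == 0          : inode never used; draw from [1, UINT32_MAX].
 *   cur == UINT32_MAX : increment would wrap to 0 (the "uninitialized" marker),
 *                       so draw from [1, UINT32_MAX-1], which can never yield
 *                       UINT32_MAX again.
 *   otherwise         : inode re-use, just increment.
 * rnd() is any function returning 32 uniformly distributed bits.
 */
uint32_t
next_generation(uint32_t cur, uint32_t (*rnd)(void))
{
	if (cur == 0)
		return 1 + rnd() % UINT32_MAX;		/* [1, UINT32_MAX] */
	if (cur == UINT32_MAX)
		return 1 + rnd() % (UINT32_MAX - 1);	/* [1, UINT32_MAX-1] */
	return cur + 1;
}

int
main(void)
{
	uint32_t gen = 0;

	gen = next_generation(gen, demo_rnd);		/* first allocation: random */
	printf("initial: %u\n", gen);
	gen = next_generation(gen, demo_rnd);		/* re-use: +1 */
	printf("reused:  %u\n", gen);
	gen = next_generation(UINT32_MAX, demo_rnd);	/* wrap case: refilled */
	printf("wrapped: %u\n", gen);
	return 0;
}
```

Note that rnd() % UINT32_MAX maps the single value UINT32_MAX onto 0, so the first draw is very slightly non-uniform; that bias is negligible at 2^32 and the point of the example is the reserved-value handling, not perfect uniformity.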
|
|
|
|
'address'.
|
|
|
|
|
|
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@
|
|
slaacd and unwind start very early in the boot process and syslog is
not fully available yet so these messages tend to get lost.
But they are also not particularly useful.
Prompted by a report by Jason Mader on bugs@
OK deraadt, claudio, bluhm
Note that this code has been copied around to all our privsep daemons
and also lives in usr.sbin. Leave it alone there because multiple people
said they find it useful for those daemons.
|
|
allusions to 'rtstatic'.
|
|
extraction function.
|
|
current usage.
|
|
|