Age | Commit message | Author |
|
ok patrick@
|
|
ok patrick@
|
|
warning: format '%s' expects type 'char *', but argument 2 has type 'void *'
Seen on sparc64.
OK tobhe
|
|
negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
|
matching destination ID.
ok patrick@ markus@
|
|
avoids sh difficulties, etc.
from Matthew Martin.
ok deraadt reyk
|
|
validity for the ca certificate. Raise this from 365 days to 4500 as expiry means
installing new CA certificates on all client machines which can cause significant
pain. This doesn't change the default validity for server certificates which
remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate
on these can be done easily without visiting all machines. ok deraadt@
|
|
From Thomas Barabosch <thomas DOT barabosch AT fkie DOT fraunhofer DOT de>
Thanks.
ok jca@
|
|
already sets the extension values and returns. ca_sign() re-uses the
information to write out the extension file. Since ca_request() uses
strings stored on the stack, on return the pointers to those strings
will be unusable. To fix this, strdup() the strings passed to ca_setenv()
so we can re-use them in another scope. And free() them when we clear
the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
|
From Andrei-Marius Radu via sthen@
|
|
set to the cert to revoke, and indirectly from ca_create() with a
keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname
is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced
in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
|
ok yasuoka mikeb
|
|
in r1.41. ok reyk deraadt
|
|
when signing the certificates by the local CA. This can make things easier if
you want to take a CSR from ikectl to another CA for signing, they often copy
extensions from the request. ok reyk@
|
|
OK deraadt@ mikeb@
|
|
general openssl cnf files install the ikeca.cnf file.
ok sthen@ requested by reyk@
|
|
another request for the ca portion.
ok deraadt@
|
|
As the ca section of the cnf file requires a default_md line
(unlike req) this change also requires updating the installed ikeca.cnf
or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
|
This way openssl will add valid signed certs to the index file
which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating
the default cnf files with equivalent sections.
Requested by and ok reyk@
|
|
This way openssl will add valid signed certs to the index file
which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating
the default cnf files with equivalent sections.
Requested by and ok reyk@
|
|
key usage for OCSP signing.
Requested by and ok reyk@
|
|
uppercase the description of /var/run/iked.sock (found by jmc@);
add missing full stop.
ok jmc@
|
|
Based on previous observation by semarie@
|
|
Pointed out by semarie@
|
|
OK jsg@
|
|
the environment has been removed in LibreSSL. This was a good step
but it unintentionally broke the "ikectl ca" commands. Rework the
implementation for copying the .cnf files and expanding the $ENV::
variables ourselves before passing the generated .cnf file to the
"openssl" command.
Reported and tested by Jona Joachim (thanks!)
OK jsg@
|
|
ok sthen@
|
|
- an if condition doesn't set errno
- strlcpy(3) doesn't set errno (no mention in man page)
- ca_readpass() already manages errno error message with warn(3)
ok sthen@
|
|
ok jmc@
|
|
Pointed out by Markus Elfring
OK mikeb@ millert@
|
|
Predefined strings are not very portable across troff implementations,
and they make the source much harder to read. Usually the intended
character can be written directly.
No output changes, except for two instances where the incorrect escape
was used in the first place.
tweaks + ok schwarze@
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
for quite some time. Mop up the last few, by using /dev/random where we
actually want it, or not even mentioning arandom where it is irrelevant.
|
|
a system/superuser binary. At the same time, move the source code from its
current lib/libssl/src/apps location to a more appropriate home under
usr.bin/openssl.
ok deraadt@ miod@
|
|
concept ok deraadt@
diff looks ok tedu@
|
|
the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
|
ok beck reyk
|
|
ok benno
|
|
otto@ millert@ lteo@ mikeb@ deraadt@
|
|
to 2013 while I'm here... this is my way of saying "happy new year!".
|
|
reported by david hill
|
|
based on snmpctl. Found and committed from the plane in 10km (35.000
feet). No functional change and this diff doesn't touch any crypto
code so the current country below me cannot blame me for importing /
exporting any crypto.
ok benno@
|