| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
work anyway. Dynamic binaries help building errata, reduce disk
usage and make ROP harder. Also remove an unused bsd.subdir.mk
include.
OK sthen@ mvs@ deraadt@ tobhe@ patrick@
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
| |
ok patrick@
|
| |
|
|
|
|
| |
when exiting.
"make sense" deraadt
|
| |
|
|
|
|
| |
the path sanitizer in the privsep parent. Bring back the checks
in a way that works with new realpath(3).
tested and OK hshoexer@
|
| |
|
|
|
|
|
| |
ENOENT. In this case, try to open(2) the path. Then a non-existing
file will be created, but a missing directory component still causes
an error. This fixes isakmpd(8) IKE pcap file creation.
from hshoexer@
|
| |
|
|
|
|
| |
isakmpd and iked to REQUIRE. Filter policy violations earlier.
ok sashan@ bluhm@
|
| |
|
|
|
|
| |
non existing isakmpd.conf(5) file. This was a result of the changed
realpath(3) behavior. Now isakmpd(8) uses the errno from the system.
reported by igor kos; OK deraadt@
|
| |
|
|
| |
help/ok deraadt
|
| | |
|
| |
|
|
|
|
| |
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- show an example sed to substitute the $ENV::CERTIP/CERTFQDN strings
while copying /etc/ssl/x509v3.cnf to a temp file
- don't use /etc/ssl/x509v3.cnf on the command line when we've just
told people to copy and edit
- fix an instance of CERTIP that should have been CERTFQDN
based on diffs from Sevan Janiyan, feedback/ok jmc@
|
| |
|
|
|
|
| |
where the "wrong" #define was used.
ok dlg@
|
| |
|
|
| |
ok millert@ mpi@
|
| |
|
|
|
|
| |
the Listen-on directive in isakmpd.conf(5). This directive can be necessary
in multi-homed situations, and if isakmpd(8) is used with carp(4).
ok sthen@ mpi@
|
| | |
|
| |
|
|
| |
No object change.
|
| |
|
|
|
|
|
| |
Fix at least interoperability with Cisco when isakmpd(8) is initiating
the connections, originally reported by sebastia@ in 2014.
Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
|
| |
|
|
| |
From Scott Cheloha, ok tb@
|
| |
|
|
| |
also some minor tweaks while here...
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of the full point, only the X point is included.
The member g_xy is always the shared secret but so far its buffer has
been allocated using the size of the public points. Since this is a
different size now, as the shared secret for EC Groups should only store
the x point, we need another member to specify the length of g_xy.
Since this is a backwards incompatible change older isakmpds won't be
able to negotiate if you use EC groups. Bump the version of our own
vendor tag so peers can try to keep compatibility based on the presen-
ted tag. This could be used to implement backwards compatibility to
older isakmpds.
Prompted by and ok mpi@
|
| |
|
|
| |
ok visa@, markus@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
`finalize' function with the `fail' argument when this happen.
Introduce some sanity checks in exchange_free() to be able to call if
even if the data structure isn't completely initialized.
Plug memory leaks when exchange_establish() fails. While here fix a
double free in one of the error paths.
Based on a diff from hshoexer@, ok stsp@, markus@
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
|
|
|
|
|
|
| |
arguments to f_key_v2_connection_check().
The race can be triggered by sending SIGHUP to the daemon. Note that
this change do not fix the memory leak if exchange_establish() fails.
Reported by Michał Koc.
ok hshoexer@, markus@, henning@
|
| |
|
|
|
|
|
|
|
| |
This deference can occur because sa_find() is called from a timer and
iterates over all existing `sa'. At that time the corresponding
`finalize_exchange' might not have been called, in which case it is
unsafe to dereference `src_net', `dst_net' & co.
Issue reported by Michał Koc. ok hshoexer@, markus@
|
| |
|
|
| |
okay millert@
|
| |
|
|
| |
OK espie@
|
| |
|
|
|
| |
programs will build even without a make depend first.
okay tb@ millert@
|
| |
|
|
| |
Started by, and ok, deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
|
| |
|
|
|
|
| |
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed.
ok florian@ beck@ millert@
|
| |
|
|
| |
Brought up by doug@, ok reyk, djm, doug
|
| |
|
|
|
|
| |
if they precede the noun and omit hyphens otherwise.
ok tj
|
| |
|
|
|
| |
# If you have ElectricFence available, you can spot abuses of the heap."
Or, uhm you can simply use our malloc.
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
|
| |
Diff from Yuuichi Someya.
ok reyk markus
|
| |
|
|
|
|
|
|
|
| |
is when sanitising standard fd's before calling daemon().
Use a tweaked version of the ssh(1) function in all three places
found using fcntl() this way.
ok jca@ beck@
|
| |
|
|
| |
Feedback millert@ kettenis@
|
| |
|
|
|
|
| |
Base on diff from Yuuichi Someya
ok markus reyk mikeb
|
| |
|
|
|
|
| |
issue reported by igor.kos
(temporary) fix entirely provided by sthen
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
| |
|
|
| |
ok deraadt@
|
| | |
|
bluhm
mortimer
tobhe
yasuoka
jmc
deraadt
sthen
krw
jsg
stsp
mpi
jca
patrick
espie
tom
guenther
mikeb
tb
mmcc
naddy
schwarze