Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
241,999 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

619 Commits

Author SHA1 Message Date
christos 8cf4c21bed CID 1356385: Add fallthrough comment 2016-03-16 21:09:39 +00:00
christos a8a1a8c522 PR/50943: David Binderman: Fix misplaced parenthesis. 2016-03-11 18:28:43 +00:00
christos 71f53a526c From Frank Wille: 
Request "IKE mode config" in "rsasig" (certificates on both sides only)
authentication mode, if "mode_cfg" is configured to "on".
Tested with a Lancom router, using the following configuration:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;

    my_identifier asn1dn;
    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";

    mode_cfg on;
    dpd_delay 20;
    nat_traversal on;
    lifetime time 8 hour;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;

    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
 2016-03-09 22:27:17 +00:00
christos d2bf8aa2c7 PR/50918: David Binderman: Fix memory leak 2016-03-09 15:58:25 +00:00
christos f91581fb8e PR/50815: David Binderman: Remove dup test 2016-02-17 20:11:17 +00:00
christos e0b253ee23 Detect error earlier to avoid memory leak. 
XXX: pullup-7
 2015-05-19 15:16:00 +00:00
christos 58416d2a6d Protect against a NULL pointer dereference described in: 
https://www.altsci.com/ipsec/

XXX: pullup-7
 2015-05-19 15:14:25 +00:00
christos 59bf05d0af fix grammar stupidity: ipandport takes an optional port but has 2 grammar 
productions, one with and one without an optional port. make the port
not optional and kill reduce-reduce conflicts.
 2014-09-10 21:04:08 +00:00
christos 52f10dbca1 remove dup 2014-09-10 21:01:33 +00:00
christos 1aafa42e67 don't warn for 80211 messages 2014-06-14 22:39:36 +00:00
riastradh 6cb10275d0 Merge riastradh-drm2 to HEAD. 2014-03-18 18:20:35 +00:00
tteras a96c32cedb From Adam Majer <adamm@zombino.com>: Support IPv6 in X509 subjectAltName 2014-02-27 08:37:58 +00:00
christos 7eb6f06c8c remove unused variables 2013-10-20 21:17:28 +00:00
wiz a5684d07dd Use Mt for email addresses. 2013-07-20 21:39:55 +00:00
tteras 2d9f2eda4f From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Export phase1 
remote address as Radius Calling-Station-Id.
 2013-07-19 10:54:52 +00:00
christos a2f4868d2a add RTM_LOSING, RTM_REDIRECT 2013-07-18 17:02:58 +00:00
tteras 4595769cee From Sven Vermeulen <sven.vermeulen@siphos.be>: Moves ploginit() up, 
allowing logging events from init_avc() to show up as well.
 2013-07-12 13:11:50 +00:00
christos c59ba37534 Add an option --enable-wildcard-match to enable wildcard matching and explain 
why we might want it and why it is a bad idea in general that's why it is
not enabled by default. ok tteras@, manu@
 2013-06-20 15:41:18 +00:00
tteras 4f62ef74bd From Paul Barker: Remove redundant memset after calloc that caused compile 
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.
 2013-06-18 05:39:50 +00:00
christos 54da44c072 Accept - as stdin 
Be nice and let the user know which file it could not open.
 2013-06-14 16:29:14 +00:00
tteras 05fbc8efab From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port 
establish-sa for tunnel mode SAs.
 2013-06-03 05:49:31 +00:00
tteras fdd5bac4fc From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Fix 
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).
------------------------
 2013-05-23 05:42:29 +00:00
mbalmer b1090dff8a racoon default config is in /etc/racoon/racoon.conf 2013-05-08 20:03:02 +00:00
tteras 32d6075c95 From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Do not send out 
illegal zero length MODE_CFG attributes.
 2013-04-12 10:03:45 +00:00
tteras 3d2760a386 Some logging improvements. 2013-04-12 09:53:10 +00:00
tteras fde1259d48 Fix source port selection 2013-02-05 11:36:17 +00:00
tteras 0849876e12 From Ian West <ian@niw.com.au>: Fix double free of the radius info on 
config reload.
 2013-02-05 06:22:29 +00:00
tteras b889f6fc93 Fix handling of deletion notification. 2013-01-24 06:47:50 +00:00
tteras b607d37b51 Fix errors from automake 1.13 2013-01-08 12:42:31 +00:00
tteras 252bdda2a4 Don't derefence the directory symlink which we might be recreating. 2013-01-08 12:38:40 +00:00
tteras c577d46f00 From Götz Babin-Ebell <g.babin-ebell@novamedia.de>: Smarter X.509 subject 
name compare.
 2012-12-24 14:50:04 +00:00
tteras 411eef5f44 From Götz Babin-Ebell <g.babin-ebell@novamedia.de: 
Require OpenSSL 0.9.8s or higher
 2012-12-24 08:46:27 +00:00
wiz 43e793251e Bump date for previous. 2012-11-30 08:19:01 +00:00
vanhu 2bdb1d3e0a Added support for AES GCM 16 in phase2 negociations. Code from Christophe Carre / NETASQ 2012-11-29 15:31:24 +00:00
tteras 880340da60 From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies 
also in reversed order for compatiblity. At least Cisco 836 running
IOS 12.3(8)T does this.
 2012-08-29 12:01:30 +00:00
tteras 6c437507a2 From Roman Hoog Antink <rha@open.ch>: add remote's IP address to the 
"certificate not verified" error message.
 2012-08-29 11:34:37 +00:00
tteras f2b1919eeb From Roman Hoog Antink <rha@open.ch>: do not print unnecessary warning 
about non-verified certificate when using raw plain-rsa.
 2012-08-29 11:24:11 +00:00
manu 5fe2cf73eb Fix make test on powermac G5. Patch from Nakano Takaharu 2012-08-15 14:51:30 +00:00
wiz de33c51b97 Bump date for previous. 2012-02-18 13:51:29 +00:00
drochner 544002eb2d mention esp-udp 2012-02-18 13:42:45 +00:00
wiz e2fe99ce62 Use the correct constant. 
From FreeBSD via Henning Petersen in PR 46005.
 2012-02-13 13:03:06 +00:00
wiz 71a175ae1b Bump date for previous. 2012-01-26 21:54:26 +00:00
drochner c51fcdeec7 also mention the aes-gcm ESP variants 2012-01-26 21:11:27 +00:00
tteras aa9b8479a9 From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Enhance splitnet 
environment variable string value generation.
 2012-01-10 12:07:30 +00:00
wiz 59bb0b8307 Bump date for previous. 2012-01-09 15:41:21 +00:00
drochner 4fa381bcb2 allow setkey(8) set and display the ESP fragment size in the NAT-T case, 
userland part of PR kern/44952 by Wolfgang Stukenbrock, just changed
the "frag" option name to "esp_frag", for consistency to the existing
option of similar effect in racoon(8)
 2012-01-09 15:25:13 +00:00
wiz 8d8e2b7310 Bump date for previous. 2012-01-04 16:30:50 +00:00
drochner 8fd6dadaf8 include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland 
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))
 2012-01-04 16:09:40 +00:00
drochner 3712f81ced -consistently use "char *" for the compiled policy buffer in the 
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
 in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
 differences between KAME ans FAST_IPSEC
 2012-01-04 15:55:35 +00:00
tteras 2713c54c73 From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Fix one byte too 
short memory allocation in isakmp_unity.c:splitnet_list_2str().
 2012-01-01 17:31:42 +00:00