tteras
32d6075c95
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Do not send out
illegal zero length MODE_CFG attributes.
2013-04-12 10:03:45 +00:00
tteras
3d2760a386
Some logging improvements.
2013-04-12 09:53:10 +00:00
tteras
fde1259d48
Fix source port selection
2013-02-05 11:36:17 +00:00
tteras
0849876e12
From Ian West <ian@niw.com.au>: Fix double free of the radius info on
config reload.
2013-02-05 06:22:29 +00:00
tteras
b889f6fc93
Fix handling of deletion notification.
2013-01-24 06:47:50 +00:00
tteras
b607d37b51
Fix errors from automake 1.13
2013-01-08 12:42:31 +00:00
tteras
252bdda2a4
Don't dereference the directory symlink which we might be recreating.
2013-01-08 12:38:40 +00:00
tteras
c577d46f00
From Götz Babin-Ebell <g.babin-ebell@novamedia.de>: Smarter X.509 subject
name compare.
2012-12-24 14:50:04 +00:00
tteras
411eef5f44
From Götz Babin-Ebell <g.babin-ebell@novamedia.de>:
Require OpenSSL 0.9.8s or higher
2012-12-24 08:46:27 +00:00
wiz
43e793251e
Bump date for previous.
2012-11-30 08:19:01 +00:00
vanhu
2bdb1d3e0a
Added support for AES GCM 16 in phase2 negotiations. Code from Christophe Carre / NETASQ
2012-11-29 15:31:24 +00:00
tteras
880340da60
From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies
also in reversed order for compatibility. At least Cisco 836 running
IOS 12.3(8)T does this.
2012-08-29 12:01:30 +00:00
tteras
6c437507a2
From Roman Hoog Antink <rha@open.ch>: add remote's IP address to the
"certificate not verified" error message.
2012-08-29 11:34:37 +00:00
tteras
f2b1919eeb
From Roman Hoog Antink <rha@open.ch>: do not print unnecessary warning
about non-verified certificate when using raw plain-rsa.
2012-08-29 11:24:11 +00:00
manu
5fe2cf73eb
Fix make test on powermac G5. Patch from Nakano Takaharu
2012-08-15 14:51:30 +00:00
wiz
de33c51b97
Bump date for previous.
2012-02-18 13:51:29 +00:00
drochner
544002eb2d
mention esp-udp
2012-02-18 13:42:45 +00:00
wiz
e2fe99ce62
Use the correct constant.
From FreeBSD via Henning Petersen in PR 46005.
2012-02-13 13:03:06 +00:00
wiz
71a175ae1b
Bump date for previous.
2012-01-26 21:54:26 +00:00
drochner
c51fcdeec7
also mention the aes-gcm ESP variants
2012-01-26 21:11:27 +00:00
tteras
aa9b8479a9
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Enhance splitnet
environment variable string value generation.
2012-01-10 12:07:30 +00:00
wiz
59bb0b8307
Bump date for previous.
2012-01-09 15:41:21 +00:00
drochner
4fa381bcb2
allow setkey(8) set and display the ESP fragment size in the NAT-T case,
userland part of PR kern/44952 by Wolfgang Stukenbrock, just changed
the "frag" option name to "esp_frag", for consistency to the existing
option of similar effect in racoon(8)
2012-01-09 15:25:13 +00:00
wiz
8d8e2b7310
Bump date for previous.
2012-01-04 16:30:50 +00:00
drochner
8fd6dadaf8
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))
2012-01-04 16:09:40 +00:00
drochner
3712f81ced
-consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
differences between KAME and FAST_IPSEC
2012-01-04 15:55:35 +00:00
tteras
2713c54c73
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Fix one byte too
short memory allocation in isakmp_unity.c:splitnet_list_2str().
2012-01-01 17:31:42 +00:00
tteras
11e30c248c
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix default NAT-T
port for listen { isakmp_natt } config directive.
2012-01-01 16:14:11 +00:00
tteras
40d768bf75
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix various typos in
comments and log messages. Fix default port used in copy_ph1addresses().
2012-01-01 15:57:31 +00:00
tteras
dbe8969919
Fix myaddr_getsport() to return -1 if no suitable address is found. This is
used in pfkey.c:pk_recvacquire() to check if IKE negotiation should be
started or not.
2012-01-01 15:54:51 +00:00
tteras
838cfe4724
Fix the previous commit.
2012-01-01 15:44:06 +00:00
tteras
b448c51c51
From Wolfgang Schmieder <wolfgang@die-schmieders.de>: Fix memory leaks from
configuration reading code, and clean up error handling.
2012-01-01 15:29:28 +00:00
vanhu
0a7daa593d
fixed some crashes in LIST_FOREACH where current element could be removed during the loop
2011-11-17 14:41:55 +00:00
wiz
3efedf2ce7
Bump date for new tls option.
2011-11-15 19:15:58 +00:00
tteras
c7d190f034
From Vincent Bernat <bernat@luffy.cx>: TLS support for LDAP
2011-11-15 13:51:23 +00:00
tteras
84d53e8c5d
From Marcelo Leitner <mleitner@redhat.com>: do not shrink pfkey socket
buffers (if system default is larger than what we want as minimum)
2011-11-14 13:24:04 +00:00
tteras
a09a6d0cd5
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Release unused
phase2 of passive remotes after acquire.
2011-10-11 14:50:15 +00:00
tteras
4c2f40f96a
From Wolfgang Schmieder <wolfgang.schmieder@honeywell.com>: setup phase1
port properly.
2011-10-11 14:37:17 +00:00
tteras
cbb586e05f
Allow inherited remote blocks without additional remote statements to
be specified in a simpler way. patch by Roman Hoog Antink <rha@open.ch>
2011-08-19 05:36:47 +00:00
tteras
cd00f2949d
Have privilege separation child process exit if the parent exits.
2011-08-12 05:21:50 +00:00
drochner
b9e08c16fb
replace questionable pointer games which could cause reads of
uninitialized memory, from Wolfgang Stukenbrock per PR bin/44951
2011-05-27 18:00:21 +00:00
drochner
0a8dabda40
pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
wiz
e20f01d499
Bump date for previous.
2011-05-24 08:54:40 +00:00
drochner
fed8f3aa3c
update draft-ipsec-* -> RFC
clarify a sentence
2011-05-23 16:00:07 +00:00
christos
45d5b08c5f
fix prototype.
2011-05-15 17:13:23 +00:00
vanhu
2337f22d7b
fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:42:58 +00:00
vanhu
949304356c
free name later, to avoid a memory use after free in oakley_check_certid(). also give iph1->remote to some plog() calls. patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:39:06 +00:00
vanhu
ebfca0c74d
fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch>
2011-03-17 14:35:24 +00:00
vanhu
5279815e7c
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless and can lead to memory access after free
2011-03-15 13:20:14 +00:00
tteras
4e499ee605
Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
2011-03-14 17:18:12 +00:00