The bitrig master branch has been updated by pedro with 2 new commits:

commit f2df661ea0ea69995c0ac3352a8d5a0fd7d2dc06
diff: https://github.com/bitrig/bitrig/commit/f2df661
author: pedro martelletto <[email protected]>
date: Fri Dec 5 09:41:33 2014 +0100

    fix i2d_X509_NAME() error checking

    use int instead of size_t to store the return of i2d_X509_NAME(),
    fixing a < 0 check for error.

    ok patrick@

M sbin/iked/ikev2.c

commit aa67e558245d79936436a5816458aa781f05a168
diff: https://github.com/bitrig/bitrig/commit/aa67e55
author: pedro martelletto <[email protected]>
date: Fri Dec 5 07:45:09 2014 +0100

    fix intermittent iked crashes in ca_reload()

    set iovcnt according to the number of iov entries filled. there are
    four cases we need to be concerned with:

    1. certificate revocation lists (CRLs) have been configured

       in this case, we load the CRLs and issue one IMSG_CERTREQ message
       to the ikev2 process with the list of revoked certificates.
       (iovcnt = 2)

    2. valid certificates have been configured

       in this case, we load the certificates and issue one IMSG_CERTREQ
       message to the ikev2 process with the list of valid certificates.
       (iovcnt = 1)

    3. CRLs *and* valid certificates have been configured

       in this case, we load the CRLs and issue one initial IMSG_CERTREQ
       message to the ikev2 process with the list of revoked
       certificates, i.e. we do step 1. however, we also do step 2, with
       a twist: we send a second IMSG_CERTREQ message to the ikev2
       process with a list of revoked certificates *and* a list of valid
       certificates. ikev2 discards previously received IMSG_CERTREQ
       messages once it receives a new one, so this works.
       (iovcnt = 2 for both messages)

    4. no CRLs and no valid certificates have been configured

       in this case, we send an empty IMSG_CERTREQ message to the ikev2
       process. (iovcnt = 1)

    ok patrick@

M sbin/iked/ca.c
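The first commit above fixes a signedness bug: i2d_X509_NAME() returns a negative int on error, but the return value was stored in a size_t, so a `< 0` check could never fire and a bogus length went on to be used. The following is an added illustration of that bug class, not code from bitrig or the iked source: der_encode_name() is a constructed stand-in for i2d_X509_NAME() (it encodes a string as a tiny tag/length/value blob and returns -1 on error), and encode_len_unsigned() / encode_len_signed() are hypothetical callers showing the check before and after the type change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for i2d_X509_NAME(): writes tag 0x0C, a one-byte
 * length and the contents of `name` into `out`, returning the number of
 * bytes written or -1 on error (NULL name, name too long, buffer too
 * small).  The real i2d_* functions likewise signal error with a
 * negative int. */
static int der_encode_name(const char *name, unsigned char *out, size_t cap)
{
    size_t n;

    if (name == NULL)
        return -1;
    n = strlen(name);
    if (n > 127 || n + 2 > cap)
        return -1;
    out[0] = 0x0C;
    out[1] = (unsigned char)n;
    memcpy(out + 2, name, n);
    return (int)(n + 2);
}

/* Before the fix: the int return lands in a size_t, so -1 becomes
 * SIZE_MAX and the `< 0` test is always false.  On error the caller
 * receives a huge "length" instead of an error indication, which is
 * the kind of value that later turns into an out-of-bounds access. */
size_t encode_len_unsigned(const char *name)
{
    unsigned char buf[64];
    size_t len = der_encode_name(name, buf, sizeof(buf));

    if (len < 0)            /* never true: len is unsigned */
        return 0;
    return len;             /* SIZE_MAX on error */
}

/* After the fix: an int keeps the sign, so the error check works and
 * -1 is propagated to the caller. */
int encode_len_signed(const char *name)
{
    unsigned char buf[64];
    int len = der_encode_name(name, buf, sizeof(buf));

    if (len < 0)
        return -1;
    return len;
}

int main(void)
{
    /* Constructed inputs: one valid name and one error case (NULL). */
    printf("unsigned, valid: %zu\n", encode_len_unsigned("CN=example"));
    printf("unsigned, error: %zu\n", encode_len_unsigned(NULL));
    printf("signed,   valid: %d\n", encode_len_signed("CN=example"));
    printf("signed,   error: %d\n", encode_len_signed(NULL));
    return 0;
}
```

Compilers with `-Wextra` (gcc's `-Wtype-limits`) flag the unsigned `< 0` comparison as always false, which is a cheap way to catch this pattern in review.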
