OpenBSD CVS

CVS log for src/sbin/iked/control.c




Default branch: MAIN


Revision 1.39, Tue May 21 05:00:47 2024 UTC by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.38: +1 -2 lines

remove prototypes with no matching function and externs with no var
partly checked by millert@

Revision 1.38, Wed Jan 24 10:09:07 2024 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.37: +27 -5 lines

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a unique peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Revision 1.37, Wed Mar 8 04:43:06 2023 UTC by guenther
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.36: +1 -3 lines

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Revision 1.36, Sun Mar 5 22:17:22 2023 UTC by tobhe
Branch: MAIN
Changes since 1.35: +2 -2 lines

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps.  The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Revision 1.35, Sat Mar 4 22:22:50 2023 UTC by tobhe
Branch: MAIN
Changes since 1.34: +4 -4 lines

Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Revision 1.34, Sun Dec 4 11:54:31 2022 UTC by tobhe
Branch: MAIN
Changes since 1.33: +9 -9 lines

Rename sun to s_un for portability.

ok patrick@

Revision 1.33, Mon Sep 19 20:54:02 2022 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.32: +3 -1 lines

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Revision 1.32, Sun Nov 21 22:44:08 2021 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.31: +21 -1 lines

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Revision 1.31, Tue Apr 20 21:11:56 2021 UTC by dv
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.30: +2 -2 lines

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions that expose the
TAILQ structures to other compilation units.

ok bluhm@, tb@

Revision 1.30, Fri Oct 9 08:59:15 2020 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.29: +1 -3 lines

More unused headers.

Revision 1.29, Fri Apr 3 08:20:32 2020 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.28: +2 -2 lines

Don't fall through in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Revision 1.28, Sun Mar 22 15:59:05 2020 UTC by tobhe
Branch: MAIN
Changes since 1.27: +21 -2 lines

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Revision 1.27, Wed Mar 18 22:12:43 2020 UTC by tobhe
Branch: MAIN
Changes since 1.26: +6 -2 lines

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Revision 1.26, Mon Aug 6 06:30:06 2018 UTC by mestre
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.25: +2 -13 lines

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets causes no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Revision 1.25, Tue Jan 17 22:10:55 2017 UTC by krw
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.24: +2 -2 lines

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Revision 1.24, Mon Jan 9 14:49:21 2017 UTC by reyk
Branch: MAIN
Changes since 1.23: +2 -2 lines

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Revision 1.23, Mon Jan 9 14:04:31 2017 UTC by krw
Branch: MAIN
Changes since 1.22: +5 -4 lines

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Revision 1.22, Sun Sep 4 16:55:43 2016 UTC by reyk
Branch: MAIN
Changes since 1.21: +1 -2 lines

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

Revision 1.21, Sat Dec 5 13:09:46 2015 UTC by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.20: +3 -2 lines

EAGAIN handling for imsg_read. OK henning@ benno@

Revision 1.20, Mon Nov 23 19:28:33 2015 UTC by reyk
Branch: MAIN
Changes since 1.19: +4 -7 lines

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

Revision 1.19, Thu Oct 22 15:55:18 2015 UTC by reyk
Branch: MAIN
Changes since 1.18: +26 -1 lines

iked hereby pledges that it will run with restricted system
operations.  This adds pledge(2) to all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability.  There haven't been any serious problems as it
was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd
passing).  The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Revision 1.18, Mon Oct 19 11:27:35 2015 UTC by reyk
Branch: MAIN
Changes since 1.17: +2 -2 lines

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event().  This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Revision 1.17, Mon Oct 19 11:25:35 2015 UTC by reyk
Branch: MAIN
Changes since 1.16: +1 -2 lines

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1.  I kept it to let somebody either contribute
the old protocol one day (I never intended to implement IKEv1 myself)
or add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1.  It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Revision 1.16, Fri Jan 16 06:39:58 2015 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.15: +1 -2 lines

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.15, Tue Jun 3 06:25:47 2014 UTC by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.14: +4 -9 lines

Handle the event parameter of libevent callback function as a bit
mask.  Also remove redundant imsg_event_add calls.  Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Revision 1.14, Tue Apr 22 12:00:03 2014 UTC by reyk
Branch: MAIN
Changes since 1.13: +5 -5 lines

Update iked to use the same proc.c that relayd uses.
Fewer differences, less code to audit.

ok mikeb@

Revision 1.13, Fri Nov 15 12:30:19 2013 UTC by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.12: +2 -2 lines

Cope with the EAGAIN API change for msgbuf_write()

Revision 1.12, Thu Mar 21 04:30:14 2013 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.11: +1 -2 lines

remove excessive includes

Revision 1.11, Mon Mar 11 17:40:10 2013 UTC by deraadt
Branch: MAIN
Changes since 1.10: +3 -2 lines

handle ECONNABORTED errors from accept().  In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Revision 1.10, Tue Jan 8 10:38:19 2013 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.9: +2 -3 lines

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.9, Tue Sep 18 12:07:59 2012 UTC by reyk
Branch: MAIN
Changes since 1.8: +2 -2 lines

update email addresses to match reality.
sure jsg@ mikeb@

Revision 1.8, Thu Apr 5 17:31:36 2012 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.7: +36 -12 lines

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

Revision 1.7, Mon May 9 11:15:18 2011 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.6: +5 -5 lines

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c.  this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Revision 1.6, Thu May 5 12:55:52 2011 UTC by reyk
Branch: MAIN
Changes since 1.5: +3 -2 lines

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Revision 1.5, Wed Dec 22 16:37:52 2010 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.4: +3 -2 lines

Fix a little control socket bug, as discussed with mikeb@

Revision 1.4, Tue Dec 21 13:24:11 2010 UTC by mikeb
Branch: MAIN
Changes since 1.3: +3 -3 lines

fixup log_warn and log_debug arguments;  ok reyk

Revision 1.3, Thu Jun 24 20:15:30 2010 UTC by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.2: +2 -2 lines

unbreak the ikectl log verbose/brief commands.

Revision 1.2, Thu Jun 10 14:08:37 2010 UTC by reyk
Branch: MAIN
Changes since 1.1: +5 -1 lines

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8);  sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Revision 1.1, Thu Jun 3 16:41:12 2010 UTC by reyk
Branch: MAIN

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@
