OpenBSD CVS

CVS log for src/sbin/iked/dh.c




Default branch: MAIN


Revision 1.33 / (download) - annotate - [select for diffs], Fri Jul 28 07:31:38 2023 UTC (10 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.32: +8 -8 lines
Diff to previous 1.32 (colored)

Use ibuf_data() instead of accessing the ibuf buf pointer directly.
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@

Revision 1.32 / (download) - annotate - [select for diffs], Sat Dec 3 22:34:35 2022 UTC (17 months, 4 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.31: +3 -3 lines
Diff to previous 1.31 (colored)

Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.

Revision 1.31 / (download) - annotate - [select for diffs], Mon Dec 13 18:06:56 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.30: +2 -4 lines
Diff to previous 1.30 (colored)

Avoid a potential double free in group_free()

In the unlikely event that EC_KEY_check_key() in ec_init() fails,
the group would be freed twice: once in ec_init(), and later in
group_free().

ok tobhe

Revision 1.30 / (download) - annotate - [select for diffs], Mon Nov 29 06:43:42 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.29: +4 -4 lines
Diff to previous 1.29 (colored)

sys/param.h was included for MAX(), MIN() and roundup().  make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg

Revision 1.29 / (download) - annotate - [select for diffs], Fri May 28 18:01:39 2021 UTC (3 years ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.28: +162 -2 lines
Diff to previous 1.28 (colored)

Add experimental post-quantum hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519).

The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).

The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.

ok markus@ patrick@

Revision 1.28 / (download) - annotate - [select for diffs], Thu May 13 14:01:35 2021 UTC (3 years ago) by tb
Branch: MAIN
Changes since 1.27: +3 -5 lines
Diff to previous 1.27 (colored)

Use field independent version of {get,set}_affine_coordinates.

ok tobhe

Revision 1.27 / (download) - annotate - [select for diffs], Thu Feb 4 20:38:26 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.26: +42 -42 lines
Diff to previous 1.26 (colored)

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@

Revision 1.26 / (download) - annotate - [select for diffs], Thu Feb 4 20:15:02 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.25: +7 -21 lines
Diff to previous 1.25 (colored)

EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()
do the same thing.  Remove redundant check and always use the _GFp() variant.

discussed with tb@
ok patrick@

Revision 1.25 / (download) - annotate - [select for diffs], Thu Feb 4 19:59:15 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.24: +20 -8 lines
Diff to previous 1.24 (colored)

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@

Revision 1.24 / (download) - annotate - [select for diffs], Wed Oct 28 20:54:13 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.23: +33 -5 lines
Diff to previous 1.23 (colored)

Refactor parts of the dh_* API.

ok patrick@

Revision 1.23 / (download) - annotate - [select for diffs], Tue Apr 28 15:18:52 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.22: +2 -5 lines
Diff to previous 1.22 (colored)

Remove support for insecure EC2N groups.  Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@

Revision 1.22 / (download) - annotate - [select for diffs], Tue Apr 2 09:42:55 2019 UTC (5 years, 2 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.21: +2 -4 lines
Diff to previous 1.21 (colored)

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.

Revision 1.21 / (download) - annotate - [select for diffs], Fri Oct 27 14:26:35 2017 UTC (6 years, 7 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.20: +51 -11 lines
Diff to previous 1.20 (colored)

In the final RFC 5903 the computation for the DH shared secret changed.
Instead of the full point, only the X point is included.  Unfortunately
this is a backwards incompatible change, so older ikeds won't be
compatible with this change.  Of course only if you use ECP.  Anyway, this
change makes us follow the RFC correctly.

ok markus@

Revision 1.20 / (download) - annotate - [select for diffs], Sun May 21 02:37:52 2017 UTC (7 years ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.19: +2 -6 lines
Diff to previous 1.19 (colored)

A few more freezero() uses
ok yasuoka mikeb

Revision 1.19 / (download) - annotate - [select for diffs], Mon Mar 27 17:17:49 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.18: +21 -13 lines
Diff to previous 1.18 (colored)

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy.  With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs.  So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk

Revision 1.18 / (download) - annotate - [select for diffs], Wed Jan 4 12:31:01 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.17: +1 -63 lines
Diff to previous 1.17 (colored)

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug

Revision 1.17 / (download) - annotate - [select for diffs], Fri Aug 21 11:59:27 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.16: +27 -26 lines
Diff to previous 1.16 (colored)

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Revision 1.16 / (download) - annotate - [select for diffs], Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.15 / (download) - annotate - [select for diffs], Sun Oct 12 15:57:00 2014 UTC (9 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

DH_compute_key() returns -1 on error but this was not
handled by testing the result with a negation.

Ralf Horstmann discovered iked would segfault
when connecting from Strongswan on Android because
of this and supplied the patch to fix the problem.

ok reyk@

Revision 1.14 / (download) - annotate - [select for diffs], Wed Aug 27 10:28:57 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.13: +79 -2 lines
Diff to previous 1.13 (colored)

Add support for Curve25519 using the public domain code that is found
in OpenSSH.  The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@

Revision 1.13 / (download) - annotate - [select for diffs], Mon Aug 25 14:36:10 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.12: +7 -3 lines
Diff to previous 1.12 (colored)

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@

Revision 1.12 / (download) - annotate - [select for diffs], Thu Jul 10 12:50:05 2014 UTC (9 years, 10 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.11: +2 -1 lines
Diff to previous 1.11 (colored)

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@

Revision 1.11 / (download) - annotate - [select for diffs], Thu Nov 14 12:30:35 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.10: +29 -1 lines
Diff to previous 1.10 (colored)

verify EC points; from hshoexer; ok mikeb

Revision 1.10 / (download) - annotate - [select for diffs], Tue Jan 8 10:38:19 2013 UTC (11 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.9: +2 -3 lines
Diff to previous 1.9 (colored)

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.9 / (download) - annotate - [select for diffs], Sat Dec 15 23:18:17 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.8: +2 -1 lines
Diff to previous 1.8 (colored)

Plug two memory leaks when cleaning up the dh/dsa crypto structures.

Revision 1.8 / (download) - annotate - [select for diffs], Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

update email addresses to match reality.
sure jsg@ mikeb@

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 4 09:14:29 2012 UTC (12 years ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.6: +10 -4 lines
Diff to previous 1.6 (colored)

Rounding up a number of bytes in a bignum returned by the BN_num_bytes()
has implications when dealing with leading zeroes.  Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer.  From hshoexer@

Revision 1.6 / (download) - annotate - [select for diffs], Sun Jul 3 20:20:23 2011 UTC (12 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.5: +22 -4 lines
Diff to previous 1.5 (colored)

iked requires the same dh diff as isakmpd:

When BN_bn2bin converts a bignum to the binary representation
it skips leading zeroes if there are any.  To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.

Revision 1.5 / (download) - annotate - [select for diffs], Mon Nov 29 22:49:26 2010 UTC (13 years, 6 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.4: +1 -4 lines
Diff to previous 1.4 (colored)

make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@

Revision 1.4 / (download) - annotate - [select for diffs], Tue Jun 29 19:38:26 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.3: +9 -6 lines
Diff to previous 1.3 (colored)

Add missing frees.

Revision 1.3 / (download) - annotate - [select for diffs], Wed Jun 23 11:26:13 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.2: +10 -9 lines
Diff to previous 1.2 (colored)

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521).  this matches the common naming for ec groups better.

Revision 1.2 / (download) - annotate - [select for diffs], Wed Jun 23 10:49:37 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.1: +10 -73 lines
Diff to previous 1.1 (colored)

further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to
use this code in other projects as well.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@
