OpenBSD CVS

CVS log for src/sbin/iked/parse.y
Default branch: MAIN


Revision 1.146 / (download) - annotate - [select for diffs], Thu Apr 25 14:24:54 2024 UTC (6 weeks, 5 days ago) by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.145: +3 -1 lines
Diff to previous 1.145 (colored)

add fstat() call removed in 1.145 to avoid uninitialised var use
ok tobhe@

Revision 1.145 / (download) - annotate - [select for diffs], Sat Apr 13 15:58:10 2024 UTC (8 weeks, 3 days ago) by jrick
Branch: MAIN
Changes since 1.144: +3 -3 lines
Diff to previous 1.144 (colored)

check group and world permissions of iked psk files

Similar to the permission checks performed on iked.conf(5) due to the
possibility of it containing inline psk strings, require psk files to not be
group writable or world read-writable.

ok tobhe@
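The two commits above (1.145 adding the permission check on psk files, 1.146 restoring the fstat() call it depended on) describe a check worth seeing whole. The block below is an added example, not iked's own parse.y code: it opens the file and then calls fstat(2) on the open descriptor, so the mode bits come from the same inode the key will be read from, and the struct stat is always filled in before any bit is tested. Which bits are rejected (group-writable, or any owner-other access) is my reading of "not group writable or world read-writable" in the commit text; psk_mode_accepted() and its temp file are a hypothetical driver that exists only to exercise the check.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Bits that disqualify a secret file: group-writable, or any access for "other".
 * This policy is an assumption drawn from the commit message, not iked's code. */
#define PSK_BAD_BITS (S_IWGRP | S_IRWXO)

/* Inspect the already-open descriptor. fstat() both fills in st and ties the
 * check to the inode we hold, which a stat() by path would not guarantee. */
int
psk_fd_perms_ok(int fd)
{
	struct stat st;

	if (fstat(fd, &st) == -1)
		return -1;		/* st is uninitialised here: never read it */
	if (!S_ISREG(st.st_mode))
		return -1;		/* no devices, FIFOs, directories */
	if ((st.st_mode & PSK_BAD_BITS) != 0)
		return -1;		/* too permissive */
	return 0;
}

/* Open a psk file read-only and refuse it unless the permission check passes.
 * Returns the descriptor, or -1 with errno set. */
int
psk_open_checked(const char *path)
{
	int fd;

	if ((fd = open(path, O_RDONLY)) == -1)
		return -1;
	if (psk_fd_perms_ok(fd) == -1) {
		close(fd);
		errno = EPERM;
		return -1;
	}
	return fd;
}

/* Demonstration driver (hypothetical): create a temp file with the given mode
 * and report 1 if psk_open_checked() accepts it, 0 if it refuses, -1 on error. */
int
psk_mode_accepted(mode_t mode)
{
	char tmpl[] = "/tmp/psk.XXXXXX";
	int fd, pfd;

	if ((fd = mkstemp(tmpl)) == -1)
		return -1;
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(tmpl);
		return -1;
	}
	close(fd);
	pfd = psk_open_checked(tmpl);
	unlink(tmpl);
	if (pfd == -1)
		return 0;
	close(pfd);
	return 1;
}

int
main(void)
{
	const mode_t modes[] = { 0600, 0640, 0660, 0644, 0604 };
	size_t i;

	for (i = 0; i < sizeof(modes) / sizeof(modes[0]); i++)
		printf("mode %04o: %s\n", (unsigned)modes[i],
		    psk_mode_accepted(modes[i]) == 1 ? "accepted" : "refused");
	return 0;
}
```

The usual way this goes wrong is the one 1.146 fixed: a refactor drops the fstat() call but keeps the `st.st_mode` tests, and the daemon then decides based on stack garbage. Keeping the fstat() and the bit tests in one function, as here, makes that harder to repeat.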

Revision 1.144 / (download) - annotate - [select for diffs], Fri Aug 11 11:24:55 2023 UTC (10 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.143: +5 -1 lines
Diff to previous 1.143 (colored)

Add iked support for route based sec(4) tunnels.

To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.

ok dlg@

Revision 1.143 / (download) - annotate - [select for diffs], Wed Jun 14 14:09:29 2023 UTC (11 months, 4 weeks ago) by claudio
Branch: MAIN
Changes since 1.142: +2 -3 lines
Diff to previous 1.142 (colored)

Replace the last few print_host() calls with print_addr() ones.

In most cases print_host(addr, buf, buflen) can be replaced with
strlcpy(buf, print_addr(addr), buflen).
Some code was never fully adjusted to the full power of print_host() and
there are remnants of times well before print_host() supported multiple
internal buffers.
With and OK tb@

Revision 1.142 / (download) - annotate - [select for diffs], Wed Apr 19 13:33:37 2023 UTC (13 months, 3 weeks ago) by jsg
Branch: MAIN
Changes since 1.141: +1 -2 lines
Diff to previous 1.141 (colored)

remove duplicate includes

Revision 1.141 / (download) - annotate - [select for diffs], Fri Jul 22 15:53:33 2022 UTC (22 months, 2 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.140: +9 -2 lines
Diff to previous 1.140 (colored)

Include an OpenIKED Vendor ID payload in the initial handshake.  This will
make it easier to handle interoperability problems with older versions in
the future.  The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).

ok markus@ bluhm@

Revision 1.140 / (download) - annotate - [select for diffs], Mon Apr 11 20:41:21 2022 UTC (2 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.139: +2 -1 lines
Diff to previous 1.139 (colored)

Fix leak of esnxf if esn or noesn are configured explicitly.

Revision 1.139 / (download) - annotate - [select for diffs], Thu Dec 23 09:15:59 2021 UTC (2 years, 5 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.138: +2 -2 lines
Diff to previous 1.138 (colored)

fix off by one in bounds test
ok tobhe@

Revision 1.138 / (download) - annotate - [select for diffs], Wed Dec 1 16:42:13 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.137: +3 -3 lines
Diff to previous 1.137 (colored)

whitespace cleanup during review read

Revision 1.137 / (download) - annotate - [select for diffs], Sat Nov 20 20:44:33 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.136: +4 -13 lines
Diff to previous 1.136 (colored)

Fix some strdup() leaks in ocsp config option.

ok markus@

Revision 1.136 / (download) - annotate - [select for diffs], Tue Nov 16 21:43:36 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.135: +4 -2 lines
Diff to previous 1.135 (colored)

Zero all copies of pre-shared key.

ok markus@

Revision 1.135 / (download) - annotate - [select for diffs], Tue Oct 26 17:31:22 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.134: +67 -28 lines
Diff to previous 1.134 (colored)

Make proto config option accept a list to allow specifying multiple
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".

feedback and ok benno@
ok patrick@

Revision 1.134 / (download) - annotate - [select for diffs], Fri Oct 15 15:01:27 2021 UTC (2 years, 7 months ago) by naddy
Branch: MAIN
Changes since 1.133: +8 -8 lines
Diff to previous 1.133 (colored)

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments.  Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@

Revision 1.133 / (download) - annotate - [select for diffs], Tue Oct 12 09:27:21 2021 UTC (2 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.132: +4 -2 lines
Diff to previous 1.132 (colored)

Make sure all copies of MSCHAPv2 passphrase are zeroed after use.

ok patrick@

Revision 1.132 / (download) - annotate - [select for diffs], Sat Sep 18 16:45:52 2021 UTC (2 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.131: +2 -1 lines
Diff to previous 1.131 (colored)

upon length check or other failure, explicit_bzero an object, because it may
contain a partially copied password
ok tobhe
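Commits 1.136 ("Zero all copies of pre-shared key"), 1.133 (zero every copy of the MSCHAPv2 passphrase) and 1.132 above (wipe an object on length-check failure because it may hold a partially copied password) are three faces of one discipline: every buffer a secret passes through is wiped, including the half-filled one on the error path and the lexer's heap copy of the token. The block below is an added example, not iked's code. The struct, the 64-byte limit and the helper names are hypothetical; zero_secret() is a portable stand-in for explicit_bzero(3), which is what the commits use on OpenBSD.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PSK_MAX 64		/* hypothetical fixed-size key buffer */

struct psk {
	uint8_t	data[PSK_MAX];
	size_t	len;
};

/* Stand-in for explicit_bzero(3): volatile stores the optimiser may not
 * elide as "dead" just because the buffer is never read again. */
void
zero_secret(void *p, size_t n)
{
	volatile uint8_t *vp = p;

	while (n--)
		*vp++ = 0;
}

/* Copy a NUL-terminated secret into k. If it does not fit, the bytes already
 * copied are wiped before returning failure (the 1.132 pattern). */
int
psk_set(struct psk *k, const char *src)
{
	size_t i;

	k->len = 0;
	for (i = 0; src[i] != '\0'; i++) {
		if (i == PSK_MAX) {
			zero_secret(k->data, sizeof(k->data));
			return -1;	/* too long; nothing secret left behind */
		}
		k->data[i] = (uint8_t)src[i];
	}
	k->len = i;
	return 0;
}

/* Wipe the whole object, not just the bytes that were in use. */
void
psk_clear(struct psk *k)
{
	zero_secret(k, sizeof(*k));
}

/* Check helper: 1 if no key material (and no length) remains in k. */
int
psk_is_zeroed(const struct psk *k)
{
	size_t i;

	for (i = 0; i < sizeof(k->data); i++)
		if (k->data[i] != 0)
			return 0;
	return k->len == 0;
}

/* Parser-shaped flow: the token arrives as a heap string (like a strdup()'d
 * yylval), gets copied into the policy, and the heap copy is wiped before free(). */
int
psk_from_token(struct psk *k, const char *token_text)
{
	char *tok;
	int rc;

	if ((tok = strdup(token_text)) == NULL)
		return -1;
	rc = psk_set(k, tok);
	zero_secret(tok, strlen(tok));	/* second copy gone, success or not */
	free(tok);
	return rc;
}

int
main(void)
{
	struct psk k;
	char toolong[PSK_MAX + 8];

	printf("short key: %s, len %zu\n",
	    psk_from_token(&k, "correct horse battery staple") == 0 ? "ok" : "fail", k.len);
	psk_clear(&k);
	printf("after clear: zeroed=%d\n", psk_is_zeroed(&k));

	memset(toolong, 'A', sizeof(toolong) - 1);
	toolong[sizeof(toolong) - 1] = '\0';
	printf("overlong key: %s, zeroed=%d\n",
	    psk_from_token(&k, toolong) == -1 ? "rejected" : "accepted", psk_is_zeroed(&k));
	return 0;
}
```

A length check that returns early and leaves the partial copy in place is the exact bug 1.132 addresses; the test below asserts that the overlong case leaves the buffer all zero. Once the key has been handed to the crypto layer, psk_clear() on the parser's copy is the 1.136 step.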

Revision 1.131 / (download) - annotate - [select for diffs], Fri May 28 18:01:39 2021 UTC (3 years ago) by tobhe
Branch: MAIN
Changes since 1.130: +2 -1 lines
Diff to previous 1.130 (colored)

Add experimental post-quantum hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519).

The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).

The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.

ok markus@ patrick@

Revision 1.130 / (download) - annotate - [select for diffs], Tue Mar 16 22:50:52 2021 UTC (3 years, 2 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.129: +2 -1 lines
Diff to previous 1.129 (colored)

Add 'grp31' alias for curve25519 as documented in iked.conf(5).

Revision 1.129 / (download) - annotate - [select for diffs], Fri Mar 5 22:03:51 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.128: +1 -241 lines
Diff to previous 1.128 (colored)

Move policy printing code from parse.y to new print.c

ok patrick@

Revision 1.128 / (download) - annotate - [select for diffs], Sat Feb 13 16:14:12 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.127: +27 -7 lines
Diff to previous 1.127 (colored)

Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@

Revision 1.127 / (download) - annotate - [select for diffs], Tue Feb 9 21:35:48 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.126: +11 -1 lines
Diff to previous 1.126 (colored)

Add optional 'group none' transform for child SAs and fix handling of
'group none'.   We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'.  However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS.  This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.

ok patrick@

Revision 1.126 / (download) - annotate - [select for diffs], Sun Feb 7 00:51:53 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.125: +5 -3 lines
Diff to previous 1.125 (colored)

Fix address leaks in expand_flows().

ok patrick@

Revision 1.125 / (download) - annotate - [select for diffs], Mon Feb 1 15:13:15 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.124: +2 -2 lines
Diff to previous 1.124 (colored)

Whitespace

Revision 1.124 / (download) - annotate - [select for diffs], Tue Dec 29 19:49:38 2020 UTC (3 years, 5 months ago) by benno
Branch: MAIN
Changes since 1.123: +3 -2 lines
Diff to previous 1.123 (colored)

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@

Revision 1.123 / (download) - annotate - [select for diffs], Sun Dec 27 21:07:32 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.122: +157 -50 lines
Diff to previous 1.122 (colored)

Fix "any" and "dynamic" keywords for flows and add proper IPv6 support.
For traffic selectors with a keyword on either 'from' or 'to' side,
install flow with address family of the opposite side. If both source
and destination address are keywords, install flows for both address
families.
The 'dynamic' keyword is special as it will only install flows
for the address family of the dynamically assigned address
(specified with the 'config address' option).

ok patrick@

Revision 1.122 / (download) - annotate - [select for diffs], Sun Dec 20 17:44:50 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.121: +2 -1 lines
Diff to previous 1.121 (colored)

Don't leak ipsec_hosts when building hosts_list.

ok patrick@

Revision 1.121 / (download) - annotate - [select for diffs], Tue Dec 15 21:47:10 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.120: +2 -1 lines
Diff to previous 1.120 (colored)

Fix leak of REQUEST string.

Revision 1.120 / (download) - annotate - [select for diffs], Sun Dec 13 19:46:17 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.119: +6 -1 lines
Diff to previous 1.119 (colored)

Make sure flow src and dst addresses have the same address family.

ok patrick@

Revision 1.119 / (download) - annotate - [select for diffs], Thu Dec 10 10:14:31 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.118: +28 -32 lines
Diff to previous 1.118 (colored)

Print valid ikesa/childsa configuration at startup. Comma separated
transforms are not supported.

ok patrick@

Revision 1.118 / (download) - annotate - [select for diffs], Sun Nov 29 21:00:44 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.117: +9 -2 lines
Diff to previous 1.117 (colored)

Add 'set stickyaddress' option.  If this option is enabled, iked will try
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA.  The original IKESA will be closed and the
address will be transferred to the new IKESA.

ok patrick@

Revision 1.117 / (download) - annotate - [select for diffs], Tue Nov 3 16:45:40 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.116: +2 -2 lines
Diff to previous 1.116 (colored)

Add 'any' keyword for request to allow 'request address any'.

Revision 1.116 / (download) - annotate - [select for diffs], Sun Nov 1 09:50:24 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.115: +9 -2 lines
Diff to previous 1.115 (colored)

Add 'dynamic' keyword to configure flows to dynamically assigned addresses.
The keyword is replaced at runtime with the address assigned from the pool
in 'config address'.

ok patrick@

Revision 1.115 / (download) - annotate - [select for diffs], Thu Oct 29 21:49:58 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.114: +16 -1 lines
Diff to previous 1.114 (colored)

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log.  If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@

Revision 1.114 / (download) - annotate - [select for diffs], Wed Sep 23 14:25:55 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.113: +9 -1 lines
Diff to previous 1.113 (colored)

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Revision 1.113 / (download) - annotate - [select for diffs], Sat Sep 19 20:12:11 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.112: +9 -3 lines
Diff to previous 1.112 (colored)

Add SHA2_384 and SHA2_512 to default proposals.

ok patrick@

Revision 1.112 / (download) - annotate - [select for diffs], Fri Sep 18 17:38:19 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.111: +2 -1 lines
Diff to previous 1.111 (colored)

Fix memory leak in 'n->name'.

Revision 1.111 / (download) - annotate - [select for diffs], Wed Sep 16 21:21:23 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored)

Fix EAP authentication if the initiator sends no certificate
request. The locally configured request is used as fallback to find a
certificate or key to send. The local auth method for MSCHAP-V2 should
be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of
raw rsa keys.

Tested with Strongswan, iPhone and Windows
Found by and ok sthen@
ok patrick@

Revision 1.110 / (download) - annotate - [select for diffs], Sat Sep 5 19:14:32 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.109: +4 -1 lines
Diff to previous 1.109 (colored)

Initialize flow_dir and flow_saproto so policy_test() can find the policy
on acquire.

Revision 1.109 / (download) - annotate - [select for diffs], Tue Aug 25 16:26:54 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored)

Fix undefined symbol.

Revision 1.108 / (download) - annotate - [select for diffs], Tue Aug 25 15:08:08 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.107: +12 -1 lines
Diff to previous 1.107 (colored)

Add dpd_check_interval configuration option.  If for any IKE SA no IPsec
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.

ok patrick@

Revision 1.107 / (download) - annotate - [select for diffs], Sun Aug 23 19:16:08 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.106: +9 -1 lines
Diff to previous 1.106 (colored)

Add a new configuration option to limit the number of connections for
each peer (identified by their 'dstid').  When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.

ok patrick@

Revision 1.106 / (download) - annotate - [select for diffs], Tue Aug 18 21:02:49 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.105: +26 -1 lines
Diff to previous 1.105 (colored)

Add optional time-stamp validation for ocsp.  The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Revision 1.105 / (download) - annotate - [select for diffs], Fri Aug 14 16:09:32 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.104: +3 -17 lines
Diff to previous 1.104 (colored)

Delete unused variable 'idtype'.

Revision 1.104 / (download) - annotate - [select for diffs], Mon Jul 20 21:24:46 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.103: +8 -9 lines
Diff to previous 1.103 (colored)

Fix dst/src port configuration bug with multiple flows.

ok patrick@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Jul 20 13:15:24 2020 UTC (3 years, 10 months ago) by sthen
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)

iked: fix typo in fatalx

Revision 1.102 / (download) - annotate - [select for diffs], Thu Jun 25 13:05:58 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.101: +18 -192 lines
Diff to previous 1.101 (colored)

Rework 'ikeauth' configuration option.  The key and cert checks in the config
parser aren't needed as they are checked at runtime during the handshake.
Moreover, these checks during startup of the daemon never worked
properly when dstid was not explicitly configured.  The dstid depends
on the ID message payload which is only known after the initial handshake.

ok patrick@

Revision 1.101 / (download) - annotate - [select for diffs], Fri Jun 5 14:47:26 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.100: +184 -59 lines
Diff to previous 1.100 (colored)

Add default proposals for AES-GCM ciphers in IKE and ESP.

ok patrick@

Revision 1.100 / (download) - annotate - [select for diffs], Tue May 26 20:24:31 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.99: +37 -6 lines
Diff to previous 1.99 (colored)

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@

Revision 1.99 / (download) - annotate - [select for diffs], Thu Apr 30 21:11:13 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.98: +7 -1 lines
Diff to previous 1.98 (colored)

Add ECDH groups and higher order MODP DH groups to default proposal.

ok sthen@, patrick@

Revision 1.98 / (download) - annotate - [select for diffs], Wed Apr 29 16:09:11 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

Remove trailing tab

Revision 1.97 / (download) - annotate - [select for diffs], Wed Apr 29 14:55:21 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.96: +2 -2 lines
Diff to previous 1.96 (colored)

Missing whitespace.

Revision 1.96 / (download) - annotate - [select for diffs], Tue Apr 28 15:18:52 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.95: +1 -5 lines
Diff to previous 1.95 (colored)

Remove support for insecure EC2N groups.  Clarify which Diffie-Hellman
groups are not recommended to use and are only supported for backwards
compatibility.

Feedback from sthen@
ok kn@

Revision 1.95 / (download) - annotate - [select for diffs], Sun Apr 26 16:55:47 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored)

Only print valid rdomains. '-1' is used as default value and should
not be printed.

Revision 1.94 / (download) - annotate - [select for diffs], Thu Apr 23 20:17:48 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.93: +26 -9 lines
Diff to previous 1.93 (colored)

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Revision 1.93 / (download) - annotate - [select for diffs], Tue Apr 14 11:30:15 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.92: +4 -1 lines
Diff to previous 1.92 (colored)

Print 'ipcomp' in print_policy() if configured.

Revision 1.92 / (download) - annotate - [select for diffs], Sun Apr 12 22:11:29 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.91: +1 -2 lines
Diff to previous 1.91 (colored)

No need to call lc_idtype(). idstr does not contain a leading type
specifier (e.g. 'FQDN/').

Revision 1.91 / (download) - annotate - [select for diffs], Fri Apr 10 20:58:32 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored)

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Revision 1.90 / (download) - annotate - [select for diffs], Sat Mar 28 21:05:19 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.89: +14 -1 lines
Diff to previous 1.89 (colored)

Plug some memory leaks.

Revision 1.89 / (download) - annotate - [select for diffs], Fri Feb 21 15:17:34 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.88: +13 -3 lines
Diff to previous 1.88 (colored)

Add transport mode for child SAs. This is useful for GRE over IPsec and
similar settings to prevent double encapsulation.

ok kn@

Revision 1.88 / (download) - annotate - [select for diffs], Tue Dec 3 12:38:34 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.87: +28 -24 lines
Diff to previous 1.87 (colored)

Correctly represent flows as traffic selectors as described in RFC 7296. This
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.

ok patrick@

Revision 1.87 / (download) - annotate - [select for diffs], Thu Nov 28 15:52:49 2019 UTC (4 years, 6 months ago) by kn
Branch: MAIN
Changes since 1.86: +28 -85 lines
Diff to previous 1.86 (colored)

Merge host_v{4,6}() into host_ip(), simplify host()

Zap lots of duplicate code and unify address family specific code where
possible.  There's probably more to improve, but this already cuts a lot.

This is the minimal version without any cosmetic fixes or logical
relocations to either improve the code or sync it with pfctl, bgpd, etc.

OK tobhe

Revision 1.86 / (download) - annotate - [select for diffs], Thu Nov 28 15:44:52 2019 UTC (4 years, 6 months ago) by kn
Branch: MAIN
Changes since 1.85: +21 -14 lines
Diff to previous 1.85 (colored)

Introduce copy_sockaddrtoipa() and set_ipmask() bits from pfctl

The new wrapper will be used in the upcoming diff, set_ipmask() will be
called with -1.

Both is in analogy to pfctl, bgpd and others where IP/host parsing has been
made more AF agnostic already.

copy_sockaddrtoipa() is not called copy_satoipa() to avoid confusion with
IPSec terminology (SA) as suggested by tobhe.

No functional change
OK tobhe

Revision 1.85 / (download) - annotate - [select for diffs], Tue Nov 12 16:45:04 2019 UTC (4 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.84: +42 -3 lines
Diff to previous 1.84 (colored)

Add configuration options to explicitly specify ESN support for child SAs.
The default behaviour remains unchanged.

ok mikeb@ bluhm@

Revision 1.84 / (download) - annotate - [select for diffs], Thu Sep 26 07:33:36 2019 UTC (4 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.83: +38 -6 lines
Diff to previous 1.83 (colored)

Fix leaks by cleaning up after configuration parser.

ok bluhm@

Revision 1.83 / (download) - annotate - [select for diffs], Mon Aug 26 16:41:08 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.82: +15 -14 lines
Diff to previous 1.82 (colored)

Fix file descriptor leak in config parser. Inspired by bgpd parse.y.

ok patrick@

Revision 1.82 / (download) - annotate - [select for diffs], Fri Aug 16 07:42:13 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.81: +13 -5 lines
Diff to previous 1.81 (colored)

Fix segfault in parser when specifying an invalid transform.
For all transforms the error case only printed the error but
did not exit. YYERROR was added to exit gracefully instead of
segfaulting later.

ok benno@

Revision 1.81 / (download) - annotate - [select for diffs], Fri Jun 28 13:32:44 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.80: +4 -4 lines
Diff to previous 1.80 (colored)

When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Revision 1.80 / (download) - annotate - [select for diffs], Sat May 11 16:30:23 2019 UTC (5 years, 1 month ago) by patrick
Branch: MAIN
Changes since 1.79: +10 -1 lines
Diff to previous 1.79 (colored)

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@

Revision 1.79 / (download) - annotate - [select for diffs], Tue Apr 2 09:42:55 2019 UTC (5 years, 2 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored)

When curve25519 was added to iked, it was based on the internet-draft and
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.

"this is the right time" deraadt@ "I like the idea" reyk@


If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.

Revision 1.78 / (download) - annotate - [select for diffs], Wed Feb 13 22:57:07 2019 UTC (5 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.77: +3 -3 lines
Diff to previous 1.77 (colored)

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno

Revision 1.77 / (download) - annotate - [select for diffs], Wed Nov 7 08:10:45 2018 UTC (5 years, 7 months ago) by miko
Branch: MAIN
Changes since 1.76: +3 -7 lines
Diff to previous 1.76 (colored)

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@

Revision 1.76 / (download) - annotate - [select for diffs], Thu Nov 1 00:18:44 2018 UTC (5 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.75: +3 -2 lines
Diff to previous 1.75 (colored)

- odd condition/test in PF lexer
  (and other lexers too)

This commit rectifies earlier change:

    in the lex... even inside quotes, a \ followed by space or tab should
    expand to space or tab, and a \ followed by newline should be ignored
    (as a line continuation).  compatible with the needs of hoststated
    (which has the most strict quoted string requirements), and ifstated
    (where one commonly does line continuations in strings).

OK deraadt@, OK millert@

Revision 1.75 / (download) - annotate - [select for diffs], Wed Jul 11 07:39:22 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.74: +25 -25 lines
Diff to previous 1.74 (colored)

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@

Revision 1.74 / (download) - annotate - [select for diffs], Mon Jul 9 12:05:10 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
Changes since 1.73: +6 -6 lines
Diff to previous 1.73 (colored)

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@

Revision 1.73 / (download) - annotate - [select for diffs], Sun Jul 8 17:15:07 2018 UTC (5 years, 11 months ago) by krw
Branch: MAIN
Changes since 1.72: +3 -3 lines
Diff to previous 1.72 (colored)

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@

Revision 1.72 / (download) - annotate - [select for diffs], Mon Jun 11 10:05:17 2018 UTC (6 years ago) by denis
Branch: MAIN
Changes since 1.71: +78 -47 lines
Diff to previous 1.71 (colored)

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@

Revision 1.71 / (download) - annotate - [select for diffs], Thu Apr 26 14:12:19 2018 UTC (6 years, 1 month ago) by krw
Branch: MAIN
Changes since 1.70: +3 -1 lines
Diff to previous 1.70 (colored)

Plug leak in error case of the common 'varset' implementations.

ok benno@

Revision 1.70 / (download) - annotate - [select for diffs], Wed Jan 31 13:25:55 2018 UTC (6 years, 4 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.69: +121 -78 lines
Diff to previous 1.69 (colored)

Add support for specifying multiple transforms within a single proposal.
This gives us more flexibility for negotiating with other IKEv2 setups.

Tested by and ok sthen@

Revision 1.69 / (download) - annotate - [select for diffs], Wed Jan 24 17:01:52 2018 UTC (6 years, 4 months ago) by patrick
Branch: MAIN
Changes since 1.68: +175 -103 lines
Diff to previous 1.68 (colored)

Implement support for specifying multiple proposals.  This means we can
have a higher flexibility in negotiating with other peers, or even ease
migration from one proposal to a more secure one.

ok sthen@

Revision 1.68 / (download) - annotate - [select for diffs], Fri Dec 1 20:19:05 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.67: +6 -3 lines
Diff to previous 1.67 (colored)

The RFC specifies that in an SA payload the proposals must be numbered
starting with number 1.  Subsequent proposals must be one more than the
previous proposal.

ok sthen@

Revision 1.67 / (download) - annotate - [select for diffs], Mon Nov 27 18:39:35 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.66: +9 -2 lines
Diff to previous 1.66 (colored)

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder.  In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake.  It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

Revision 1.66 / (download) - annotate - [select for diffs], Wed Nov 15 15:45:02 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.65: +4 -1 lines
Diff to previous 1.65 (colored)

Reset the OCSP URL on config reload.  Otherwise we end up not being
able to disable OCSP without restarting iked.

ok beck@ sthen@

Revision 1.65 / (download) - annotate - [select for diffs], Mon Apr 24 07:07:25 2017 UTC (7 years, 1 month ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.64: +6 -2 lines
Diff to previous 1.64 (colored)

Fix configuration of ASN1_DN IDs.

Public key authentication uses public key files that are stored in the
/etc/iked/pubkeys/ directory where the IKE IDs are encoded as filenames.
This does not simply work with ASN1_DNs where the IDs include slashes
and other special characters. Instead of breaking and failing when an
ASN1_DN is configured, simply skip the public key lookup but allow
to use it with certificates or PSKs.

Reported and fix tested by Igor V. Gubenko - Thanks.

Revision 1.64 / (download) - annotate - [select for diffs], Tue Mar 28 16:56:39 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.63: +2 -3 lines
Diff to previous 1.63 (colored)

Remove RSA from the list of keywords, lookup is now done in a table.

This lets us configure explicit old-style RSA again.

OK mikeb@

Revision 1.63 / (download) - annotate - [select for diffs], Mon Mar 27 10:43:53 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.62: +2 -1 lines
Diff to previous 1.62 (colored)

Factor out flows into separate configuration messages

We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.

Suggested and OK reyk

Revision 1.62 / (download) - annotate - [select for diffs], Mon Mar 27 10:06:41 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.61: +191 -32 lines
Diff to previous 1.61 (colored)

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Revision 1.61 / (download) - annotate - [select for diffs], Fri Jan 20 13:56:51 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.60: +13 -4 lines
Diff to previous 1.60 (colored)

Check bounds of the flows array when configuring traffic selectors

From and OK markus@, OK reyk

Revision 1.60 / (download) - annotate - [select for diffs], Thu Jan 5 12:42:18 2017 UTC (7 years, 5 months ago) by krw
Branch: MAIN
Changes since 1.59: +7 -5 lines
Diff to previous 1.59 (colored)

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@

Revision 1.59 / (download) - annotate - [select for diffs], Wed Jan 4 12:31:01 2017 UTC (7 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.58: +1 -8 lines
Diff to previous 1.58 (colored)

Remove modular exponential groups specified in RFC5114

Brought up by doug@, ok reyk, djm, doug

Revision 1.56.2.1 / (download) - annotate - [select for diffs], Sat Sep 17 20:36:34 2016 UTC (7 years, 8 months ago) by benno
Branch: OPENBSD_6_0
Changes since 1.56: +1 -2 lines
Diff to previous 1.56 (colored) next main 1.57 (colored)

During parsing of the iked(8) configuration, a variable is set to 0 by
mistake, disabling Pre-Shared key authentication.
MFC v 1.57 sbin/iked/parse.y from pascal@
ok florian@ pascal@ tj@

Revision 1.58 / (download) - annotate - [select for diffs], Sat Sep 3 09:20:07 2016 UTC (7 years, 9 months ago) by vgross
Branch: MAIN
Changes since 1.57: +13 -2 lines
Diff to previous 1.57 (colored)

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

Revision 1.57 / (download) - annotate - [select for diffs], Sat Aug 6 07:08:59 2016 UTC (7 years, 10 months ago) by pascal
Branch: MAIN
Changes since 1.56: +1 -2 lines
Diff to previous 1.56 (colored)

Unbreak PSK authentication, broken by previous.

ok reyk@ florian@

Revision 1.56 / (download) - annotate - [select for diffs], Wed Jul 20 12:31:00 2016 UTC (7 years, 10 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE
Branch point for: OPENBSD_6_0
Changes since 1.55: +5 -1 lines
Diff to previous 1.55 (colored)

When parsing the configuration, initialize the auth structure
correctly, as parse.y's $$ is not zero-initialized.

Found by Rene Ammerlaan

OK markus@ florian@

Revision 1.55 / (download) - annotate - [select for diffs], Tue Jun 21 21:35:24 2016 UTC (7 years, 11 months ago) by benno
Branch: MAIN
Changes since 1.54: +9 -1 lines
Diff to previous 1.54 (colored)

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@

Revision 1.54 / (download) - annotate - [select for diffs], Wed Dec 9 21:41:49 2015 UTC (8 years, 6 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.53: +1 -2 lines
Diff to previous 1.53 (colored)

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

Revision 1.53 / (download) - annotate - [select for diffs], Wed Nov 4 12:40:49 2015 UTC (8 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.52: +3 -1 lines
Diff to previous 1.52 (colored)

Support Chacha20-Poly1305 for Child SAs;  ok reyk

Revision 1.52 / (download) - annotate - [select for diffs], Sat Oct 31 19:28:19 2015 UTC (8 years, 7 months ago) by naddy
Branch: MAIN
Changes since 1.51: +2 -2 lines
Diff to previous 1.51 (colored)

RFC4754 specifies ECDSA-521 (sic), not -512.  ok reyk@

Revision 1.51 / (download) - annotate - [select for diffs], Fri Oct 2 16:56:34 2015 UTC (8 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.50: +1 -3 lines
Diff to previous 1.50 (colored)

Remove MD5 from the default proposals.  At least SHA1 seems to be the
minimum out there.  Even El Capitan announces 3DES and SHA1 instead of MD5.

OK mikeb@

Revision 1.50 / (download) - annotate - [select for diffs], Fri Aug 21 11:59:28 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.49: +69 -67 lines
Diff to previous 1.49 (colored)

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Revision 1.49 / (download) - annotate - [select for diffs], Wed Aug 19 14:12:43 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.48: +8 -5 lines
Diff to previous 1.48 (colored)

spacing (no binary change, verified with checksums)

Revision 1.48 / (download) - annotate - [select for diffs], Fri Jul 3 17:46:52 2015 UTC (8 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.47: +3 -2 lines
Diff to previous 1.47 (colored)

Terminate 'config' keyword array with a NULL element.
Reported by trondd at kagu-tsuchi ! com, thanks!

Revision 1.47 / (download) - annotate - [select for diffs], Wed Jun 3 02:24:36 2015 UTC (9 years ago) by millert
Branch: MAIN
Changes since 1.46: +7 -6 lines
Diff to previous 1.46 (colored)

Do not assume that asprintf() clears the pointer on failure, which
is non-portable.  Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Revision 1.46 / (download) - annotate - [select for diffs], Sun Feb 8 04:50:32 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.45: +2 -1 lines
Diff to previous 1.45 (colored)

Use AI_ADDRCONFIG when resolving hosts on startup.

OK henning@

Revision 1.45 / (download) - annotate - [select for diffs], Mon Jan 19 14:42:42 2015 UTC (9 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.44: +1 -2 lines
Diff to previous 1.44 (colored)

Remove unnecessary <netinet/ip_ipsp.h> includes

Revision 1.44 / (download) - annotate - [select for diffs], Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.43 / (download) - annotate - [select for diffs], Mon Jan 12 11:24:58 2015 UTC (9 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.42: +3 -1 lines
Diff to previous 1.42 (colored)

Don't forget about protocol specification when configuring flows.

Tested by and OK claudio.

Revision 1.42 / (download) - annotate - [select for diffs], Thu Nov 20 05:51:20 2014 UTC (9 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.41: +4 -1 lines
Diff to previous 1.41 (colored)

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

Revision 1.41 / (download) - annotate - [select for diffs], Fri Nov 14 03:22:47 2014 UTC (9 years, 6 months ago) by doug
Branch: MAIN
Changes since 1.40: +4 -16 lines
Diff to previous 1.40 (colored)

Add gcc printf format attributes to iked's parse.y and remove unused
yywarn() definition.

ok bluhm@

Revision 1.40 / (download) - annotate - [select for diffs], Wed Aug 27 10:28:57 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)

Add support for Curve25519 using the public domain code that is found
in OpenSSH.  The "private use" DH group 1034 is based on the value
that was picked by strongswan recently.

OK mikeb@ markus@

Revision 1.39 / (download) - annotate - [select for diffs], Mon Aug 25 14:36:10 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.38: +9 -1 lines
Diff to previous 1.38 (colored)

Add support for DH groups 27-30 using the Brainpool curves which have
previously been added to LibreSSL's libcrypto.

ok markus@ mikeb@

Revision 1.38 / (download) - annotate - [select for diffs], Tue May 6 10:24:22 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.37: +23 -7 lines
Diff to previous 1.37 (colored)

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

Revision 1.37 / (download) - annotate - [select for diffs], Mon Feb 17 15:07:23 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.36: +11 -2 lines
Diff to previous 1.36 (colored)

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Revision 1.36 / (download) - annotate - [select for diffs], Fri Feb 14 09:00:03 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.35: +10 -4 lines
Diff to previous 1.35 (colored)

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

Revision 1.35 / (download) - annotate - [select for diffs], Wed Jan 22 00:21:16 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian

Revision 1.34 / (download) - annotate - [select for diffs], Tue Dec 3 13:55:39 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.33: +13 -7 lines
Diff to previous 1.33 (colored)

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

Revision 1.33 / (download) - annotate - [select for diffs], Thu Nov 28 20:21:17 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.32: +70 -1 lines
Diff to previous 1.32 (colored)

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

Revision 1.32 / (download) - annotate - [select for diffs], Mon Nov 25 13:12:23 2013 UTC (10 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.31: +7 -7 lines
Diff to previous 1.31 (colored)

use u_char for buffers in yylex, for ctype calls
found by millert@, from deraadt@

Revision 1.31 / (download) - annotate - [select for diffs], Fri Nov 22 04:12:47 2013 UTC (10 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.30: +3 -3 lines
Diff to previous 1.30 (colored)

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

Revision 1.30 / (download) - annotate - [select for diffs], Thu Mar 21 04:30:14 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.29: +1 -2 lines
Diff to previous 1.29 (colored)

remove excessive includes

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jan 8 10:38:19 2013 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.28: +2 -3 lines
Diff to previous 1.28 (colored)

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.28 / (download) - annotate - [select for diffs], Thu Oct 25 15:01:56 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.27: +34 -1 lines
Diff to previous 1.27 (colored)

Move the arrays of default IKE and ESP transforms into parse.y instead
of generating them with genmap from ikev2.h.  They're only really
needed in parse.y and this diff also allows us to simplify genmap.sh.

Revision 1.27 / (download) - annotate - [select for diffs], Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

update email addresses to match reality.
sure jsg@ mikeb@

Revision 1.26 / (download) - annotate - [select for diffs], Sat Jun 30 14:51:31 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.25: +4 -2 lines
Diff to previous 1.25 (colored)

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@

Revision 1.25 / (download) - annotate - [select for diffs], Fri Jun 29 15:05:49 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.24: +2 -1 lines
Diff to previous 1.24 (colored)

Add missing ESN bits

Revision 1.24 / (download) - annotate - [select for diffs], Tue May 8 08:53:14 2012 UTC (12 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.23: +7 -7 lines
Diff to previous 1.23 (colored)

rename espxforms to ipsecxforms for clarity

Revision 1.23 / (download) - annotate - [select for diffs], Sat Mar 24 00:40:25 2012 UTC (12 years, 2 months ago) by jsg
Branch: MAIN
Changes since 1.22: +5 -3 lines
Diff to previous 1.22 (colored)

fix some leaks
ok mikeb@

Revision 1.22 / (download) - annotate - [select for diffs], Fri May 27 12:01:02 2011 UTC (13 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.21: +7 -7 lines
Diff to previous 1.21 (colored)

spacing

Revision 1.21 / (download) - annotate - [select for diffs], Mon Apr 18 08:45:43 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.20: +4 -4 lines
Diff to previous 1.20 (colored)

When the kernel wants to acquire an SA for an unknown flow, lookup a
matching policy and init a new IKE SA.  This adds support for "acquire mode"
from static flows.

ok mikeb@

Revision 1.20 / (download) - annotate - [select for diffs], Fri Jan 21 11:56:00 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.19: +74 -27 lines
Diff to previous 1.19 (colored)

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF.  The previous rbtree-based
implementation was broken and tried to do a longest prefix match.  But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation.  The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8).  See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code.  It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies).  This allows iked(8) to scale well with thousands of
configured policies, but I also liked having skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@

Revision 1.19 / (download) - annotate - [select for diffs], Mon Jan 17 17:16:43 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.18: +3 -64 lines
Diff to previous 1.18 (colored)

move mask2prefixlen functions to the util module;  ok reyk

Revision 1.18 / (download) - annotate - [select for diffs], Thu Dec 23 16:39:38 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.17: +3 -1 lines
Diff to previous 1.17 (colored)

pick netmask instead of address when we mean it; found by dhill, ok reyk

Revision 1.17 / (download) - annotate - [select for diffs], Wed Dec 22 16:40:06 2010 UTC (13 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.16: +16 -18 lines
Diff to previous 1.16 (colored)

Tweak the grammar a little bit by requiring a "bytes" keyword before the
bytes value ("lifetime 123 bytes 456" instead of "lifetime 123 456").

Revision 1.16 / (download) - annotate - [select for diffs], Wed Dec 22 16:22:27 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.15: +98 -9 lines
Diff to previous 1.15 (colored)

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

Revision 1.15 / (download) - annotate - [select for diffs], Tue Dec 21 14:28:58 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.14: +70 -11 lines
Diff to previous 1.14 (colored)

Convert netmask from sockaddr to prefixlen correctly as noticed
by axel rau, axel dot rau at chaos1 dot de.  The actual convert
functions are taken from bgpd(8).  OK reyk

Revision 1.14 / (download) - annotate - [select for diffs], Wed Nov 17 16:43:45 2010 UTC (13 years, 6 months ago) by ckuethe
Branch: MAIN
Changes since 1.13: +1 -2 lines
Diff to previous 1.13 (colored)

Allow the -D command line flag to actually define macros.
ok mikeb@ reyk@

Revision 1.13 / (download) - annotate - [select for diffs], Thu Sep 23 11:42:36 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.12: +21 -6 lines
Diff to previous 1.12 (colored)

support for aes-gcm

OK reyk

Revision 1.12 / (download) - annotate - [select for diffs], Thu Sep 9 13:06:46 2010 UTC (13 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.11: +18 -2 lines
Diff to previous 1.11 (colored)

- allow esp proposals without integrity and ah proposals without
  encryption;

- add additional nonce length field, use that for the ciphers that
  require additional keying material;

- setup right flow direction depending on the mode: fixes up iked
  working as an initiator against charon.

tested by me and jsg.

ok reyk

Revision 1.11 / (download) - annotate - [select for diffs], Tue Aug 3 18:42:40 2010 UTC (13 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.10: +4 -3 lines
Diff to previous 1.10 (colored)

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?

Revision 1.10 / (download) - annotate - [select for diffs], Thu Jul 22 17:16:45 2010 UTC (13 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.9: +6 -4 lines
Diff to previous 1.9 (colored)

Don't deref a NULL pointer if tap or tag are not specified in the
config file.

Revision 1.9 / (download) - annotate - [select for diffs], Thu Jul 1 02:15:08 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.8: +60 -12 lines
Diff to previous 1.8 (colored)

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Jun 26 19:48:04 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.7: +5 -3 lines
Diff to previous 1.7 (colored)

mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch

Revision 1.7 / (download) - annotate - [select for diffs], Sat Jun 26 18:32:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.6: +4 -4 lines
Diff to previous 1.6 (colored)

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it.  In contrast to isakmpd, the Id
type is printed in capital letters, e.g. FQDN/foo.example.com, because
it is using the existing print_map() API.  For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Revision 1.6 / (download) - annotate - [select for diffs], Wed Jun 23 11:26:13 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.5: +15 -15 lines
Diff to previous 1.5 (colored)

rename the ec groups to either ec2n or ecp (e.g. ec155 -> ec2n155 or
ec521 -> ecp521).  this matches the common naming for ec groups better.

Revision 1.5 / (download) - annotate - [select for diffs], Tue Jun 15 00:41:04 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (colored)

fix keyword sort order

Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 14 18:39:04 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)

the ikesa prf config option is currently broken

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 10 14:17:48 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.2: +4 -1 lines
Diff to previous 1.2 (colored)

Add the -S flag which does the same as "set passive" but matches the
isakmpd flag.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Jun 10 14:08:37 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.1: +19 -2 lines
Diff to previous 1.1 (colored)

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8);  sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@