OpenBSD CVS

CVS log for src/sbin/iked/proc.c



Default branch: MAIN


Revision 1.44, Tue Apr 9 15:48:01 2024 UTC (2 months ago) by tobhe
Branch: MAIN
CVS Tags: HEAD
Changes since 1.43: +4 -21 lines

Sync removal of setsid(), setpgid() and a few dup2() from relayd. They are
redundant since we call daemon() earlier.

ok bluhm@

Revision 1.43, Mon Apr 8 12:50:05 2024 UTC (2 months ago) by tobhe
Branch: MAIN
Changes since 1.42: +3 -2 lines

Move daemon() after proc_setup() to sync with other proc.c daemons.

Revision 1.42, Thu Feb 15 20:10:45 2024 UTC (3 months, 3 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.41: +56 -3 lines

Introduce new IMSG_CTL_PROCREADY which is used to signal that all pipes
are set up by child processes. The parent sends a ping to all children
and only starts once it has received an acknowledgement from all of them.
This fixes a race condition on process startup when the parent starts
running before all children are ready.

From markus@

Revision 1.41, Thu Feb 15 19:04:12 2024 UTC (3 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.40: +1 -8 lines

Remove unused control_socks queue.

from markus@

Revision 1.40, Wed Jan 17 08:25:02 2024 UTC (4 months, 3 weeks ago) by claudio
Branch: MAIN
Changes since 1.39: +3 -3 lines

Convert to use imsg_get_fd()

proc_forward_imsg() does not need to forward file descriptors so just use
-1 there. In other places shuffle debug messages around or use a helper
variable since imsg_get_fd() can only be called once.

OK tb@ tobhe@

Revision 1.39, Wed Jun 28 12:31:19 2023 UTC (11 months, 2 weeks ago) by gerhard
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.38: +3 -1 lines

Don't call daemon() after proc_init(), otherwise the child processes
would lose their parent.

ok tobhe@

Revision 1.38, Sun Mar 5 22:17:22 2023 UTC (15 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.37: +2 -2 lines

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps.  The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Revision 1.37, Sat Mar 4 22:22:51 2023 UTC (15 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.36: +410 -217 lines

Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Revision 1.36, Wed Feb 15 20:44:01 2023 UTC (15 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.35: +1 -14 lines

proc_ispeer() is not used anywhere anymore so remove it everywhere.

ok florian@ bluhm@
ok for vmd mlarkin@

Revision 1.35, Tue Apr 20 21:11:56 2021 UTC (3 years, 1 month ago) by dv
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.34: +1 -2 lines

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

Revision 1.34, Thu Jan 28 01:20:37 2021 UTC (3 years, 4 months ago) by mortimer
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.33: +3 -1 lines

Extern privsep_process. Fixes compilation with -fno-common.

ok deraadt@

Revision 1.33, Wed Nov 11 18:24:55 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.32: +16 -2 lines

Cleanup after proc_init() in proc_close().

Revision 1.32, Wed Apr 8 20:04:19 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.31: +2 -2 lines

Prevent multiple ibuf leaks. Clean up on process shutdown.

ok markus@

Revision 1.31, Mon Aug 6 06:30:06 2018 UTC (5 years, 10 months ago) by mestre
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.30: +1 -4 lines

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets causes no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Revision 1.30, Mon Jan 9 14:49:21 2017 UTC (7 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.29: +2 -2 lines

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Revision 1.29, Mon Dec 7 16:05:56 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.28: +6 -4 lines

Add imsg "peerid" to debug messages (only within -DDEBUG).

Revision 1.28, Mon Dec 7 12:46:37 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.27: +22 -12 lines

Sync proc.c, use shorter proc_compose[v]()

Revision 1.27, Sat Dec 5 13:09:46 2015 UTC (8 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.26: +2 -2 lines

EAGAIN handling for imsg_read. OK henning@ benno@

Revision 1.26, Mon Nov 23 19:28:34 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.25: +3 -5 lines

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

Revision 1.25, Sun Nov 22 13:27:13 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.24: +11 -9 lines

Update log.c: change fatal() and fatalx() into variadic functions,
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.

OK benno@

Revision 1.24, Thu Oct 22 15:55:18 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.23: +13 -4 lines

iked hereby pledges that it will run with restricted system
operations.  This adds pledge(2) to all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability.  There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing).  The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Revision 1.23, Fri Aug 21 11:59:28 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.22: +19 -18 lines

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Revision 1.22, Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.21: +1 -2 lines

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.21, Tue Dec 16 03:35:49 2014 UTC (9 years, 5 months ago) by millert
Branch: MAIN
Changes since 1.20: +2 -2 lines

Replace setpgrp(0, getpid()) with setpgid(0, 0).  OK deraadt@ tedu@

Revision 1.20, Sat Oct 25 03:18:13 2014 UTC (9 years, 7 months ago) by lteo
Branch: MAIN
Changes since 1.19: +1 -2 lines

Remove unnecessary netinet/in_systm.h include.

ok millert@

Revision 1.19, Mon Aug 18 09:43:02 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.18: +5 -4 lines

Sync proc.c with httpd.  httpd needs SIGUSR1 but iked will ignore it
now instead of terminating the process.

ok mikeb@

Revision 1.18, Sat Jul 12 14:15:04 2014 UTC (9 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.17: +2 -2 lines

Sync msgbuf_write() changes from relayd.

Please note that proc.c should be kept identical in relayd, iked and
snmpd (currently without the includes).

ok benno@

Revision 1.17, Thu May 8 13:11:16 2014 UTC (10 years, 1 month ago) by blambert
Branch: MAIN
Changes since 1.16: +12 -5 lines

match iked proc.c infrastructure with proc.c

ok reyk@

Revision 1.16, Tue May 6 06:40:03 2014 UTC (10 years, 1 month ago) by jsg
Branch: MAIN
Changes since 1.15: +1 -2 lines

no need to include rand.h now the RAND_seed() calls are gone.
ok reyk@

Revision 1.15, Sun May 4 10:35:24 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.14: +1 -13 lines

With the recent change by deraadt@ to introduce kern.nosuidcoredump=3,
we don't need the horrible debug hack anymore that disabled privdrop
and chroot to get core dumps of privsep processes.  No functional
change for the normal binary, only if it is compiled with the
non-default -DDEBUG option.

Revision 1.14, Tue Apr 22 12:00:03 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.13: +310 -87 lines

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Revision 1.13, Fri Apr 18 21:29:20 2014 UTC (10 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.12: +1 -6 lines

round up some enemy sympathizers found calling RAND_seed().
ok beck reyk

Revision 1.12, Mon Apr 14 07:18:05 2014 UTC (10 years, 2 months ago) by blambert
Branch: MAIN
Changes since 1.11: +2 -1 lines

Fix the following idiom in the following way:

        arc4random_buf(seed, sizeof(seed));
        RAND_seed(seed, sizeof(seed));
+       explicit_bzero(seed, sizeof(seed));

ok reyk@

Revision 1.11, Fri Feb 14 10:23:43 2014 UTC (10 years, 3 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.10: +1 -7 lines

remove unused function that distracts from cleaning up the imsg_flush() mess
ok krw, florian, henning

Revision 1.10, Fri Nov 15 12:30:19 2013 UTC (10 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.9: +2 -2 lines

Cope with the EAGAIN API change for msgbuf_write()

Revision 1.9, Thu Mar 21 04:30:14 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.8: +2 -3 lines

remove excessive includes

Revision 1.8, Tue Jan 8 10:38:19 2013 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.7: +2 -2 lines

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.7, Mon May 9 11:27:08 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.6: +2 -3 lines

bump copyright

Revision 1.6, Mon May 9 11:15:18 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.5: +125 -36 lines

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c.  this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Revision 1.5, Thu May 5 12:59:31 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.4: +2 -1 lines

Small tweak - add direct pointer to env instead of using an indirect one.

Revision 1.4, Thu May 5 12:55:52 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.3: +74 -74 lines

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Revision 1.3, Thu May 5 12:17:10 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.2: +15 -15 lines

rename iked_proc* to privsep_proc*.  no functional change.

Revision 1.2, Thu Sep 16 09:27:35 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.1: +7 -7 lines

pass proper argument to the proc_sig_handler and check env for
NULL before dereferencing.  fixes an annoying crash.

ok reyk

Revision 1.1, Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@
