| Age | Commit message (Collapse) | Author |
|---|
|
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
allocations fails.
looks right deraadt, krw
ok henning
|
|
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.
ok hshoexer@, todd@
|
|
lines later. No functional change.
ok grunk@, hshoexer@
|
|
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
(IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
|
|
|
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer
|
|
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer
|
|
No functional change yet.
ok hshoexer
|
|
tested and ok hshoexer, grunk
|
|
pointed out by Prabhu Gurumurthy
ok deraadt@
|
|
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
ok deraadt@
|
|
Requested and OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others
|
|
handle this in the parser. better range checks.
with and ok deraadt@
|
|
|
|
ok hshoexer, mpf
|
|
<ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
|
static flows have the correct ID, too. ok hshoexer, reyk
|
|
ok hshoexer@ and markus@
|
|
used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!
ok markus@
|
|
asked for by deraadt@
|
|
Prabhu Gurumurthy <pgurumu () gmail ! com>
(http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2),
thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
|
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address.
ok itojun@, hshoexer@
|
|
|
|
hostname/prefixlen works only for IPv4-only hostname.
markus ok (regress tested)
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
ok msf@
|
|
fixes PR5262
ok hshoexer@
|
|
|
|
ok hshoexer
|
|
|
|
ok david msf
|
|
|
|
keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
|
not of correct size. Suggested by david@
|
|
|
|
|
|
"looks right" hshoexer@
|
