summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
AgeCommit message (Collapse)Author
2020-12-29getifaddrs() can return entries where ifa_addr is NULL. Check for thisSebastian Benoit
before accessing anything in ifa_addr. ok claudio@
2020-11-05Enable support for ASN1_DN ipsec identifiers.Peter Hessler
Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked as the server. OK tobhe@ sthen@ kn@
2020-06-01Fix "comparison of integers of different signs" warning.tobhe
ok patrick@
2020-04-23Support SADB_X_EXT_RDOMAIN extension in pfkey dump (-m).tobhe
ok markus@, patrick@
2020-02-16Quote variables in pf tag stringskn
Macros are expanded by the parser at parse time, whereas variables are read as ordinary strings and left unmodified; hence, quoted `"$domain"' gets passed to the daemon as is, which substitutes proper values before passing it to the kernel. `$domain' without quotes never makes it to the daemon, that is with `domain = foo' somewhere else "foo" is being eventually passed unmodified to the kernel. jmc prompted for a proper explanation and provided the final wording. OK tobhe jmc
2020-02-10briefly mention /etc/examples/ in the FILES section of all theIngo Schwarze
manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
2020-02-07Extend the ipsecctl(8) parser to set the udpencap flag and portAlexander Bluhm
number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
2019-11-10Consistently use _rcctl enable foo_ in examples, it's simpler and lessLandry Breuil
error prone than manually editing rc.conf.local, and also works to enable ipsec and accounting. tweak from schwarze@ to use the \(dq\(dq syntax for quotes in '.Dl foo_flags="" lines' instead of \&"\&". while at it, fix a reference to a bogus /dev/dhclient.conf file that recently snuck in. ok jmc@ deraadt@ schwarze@
2019-08-26Fix file descriptor leak due to popfile() never closing the main config file.tobhe
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8)) ok bluhm@
2019-07-03snprintf/vsnprintf return < 0 on error, rather than -1.Theo de Raadt
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-02-13(unsigned) means (unsigned int) which on ptrdiff_t or size_t or otherTheo de Raadt
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2018-11-07sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@miko
2018-11-01- odd condition/test in PF lexerAlexandr Nedvedicky
(and other lexers too) This commit rectifies earlier change: in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). OK deraadt@, OK millert@
2018-09-07Remove unnused af argument from unmask(), sync with pfctlkn
Noted by jca, thanks. OK jca claudio
2018-08-28Display per-TDB counters in verbose mode.Martin Pieuchot
ok sthen@
2018-07-11Do for most running out of memory err() what was done for most runningKenneth R Westerback
out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition. ok henning@
2018-07-10Include <sys/queue.h> instead of relying on kernel headers to includeMartin Pieuchot
it. ok markus@ as part of a larger diff
2018-07-09No need to mention which memory allocation entry point failed (malloc,Kenneth R Westerback
calloc or strdup), we just need to log that we ran out of memory in a particular function. Recommended by florian@ and deraadt@ ok benno@ henning@ tb@
2018-07-08Be consistent in warn() and log_warn() usage whenKenneth R Westerback
running out of memory. Next step, be correct *and* consistent. ok dennis@ tb@ benno@ schwarze@
2018-04-26Plug leak in error case of the common 'varset' implementations.Kenneth R Westerback
ok benno@
2018-04-17Document how to avoid isakmpd(8) source IP address pitfalls by usingStefan Sperling
the Listen-on directive in isakmpd.conf(5). This directive can be necessary in multi-homed situations, and if isakmpd(8) is used with carp(4). ok sthen@ mpi@
2017-11-23in isakmpd(8), provide a hint: from scott chelohaJason McIntyre
also some minor tweaks while here...
2017-11-20Support collapsing flow outputs.Martin Pieuchot
Makes it easier to check live status of complex setups. ok hshoexer@
2017-10-27Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.Martin Pieuchot
ok visa@, markus@
2017-04-19Rename all SA groups to bundles consistently. The first kernelAlexander Bluhm
commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
2017-04-18use freezero()Theo de Raadt
2017-04-14Up to now ipsecctl(8) grouped SAs with identical src and dst to theAlexander Bluhm
flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
2017-04-10Found another len += snprintf...Theo de Raadt
ok mikeb
2017-03-02Now that the kernel provides information about IPsec SA bundles,Alexander Bluhm
print them by default. OK hshoexer@
2017-02-28Depending on the addresses, ipsecctl(8) automatically groups saAlexander Bluhm
bundles together. Extend the kernel interface to export the bundle information to userland. Then ipsecctl -ss -v can show the internal relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently. OK hshoexer@ markus@
2017-01-05Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQKenneth R Westerback
with more modern TAILQ_FOREACH(). This what symget() was already doing. Add paranoia '{}' around body of symget()'s TAILQ_FOREACH(). No intentional functional change. ok bluhm@ otto@
2016-06-21do not allow whitespace in macro names, i.e. "this is" = "a variable".Sebastian Benoit
change this in all config parsers in our tree that support macros. problem reported by sven falempin. feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
2015-12-10Remove NULL-checks before free(). ok tb@mmcc
2015-12-09Remove plain DES encryption from IPsec.Christian Weisgerber
DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
2015-12-02remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@Christian Weisgerber
2015-11-04Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddyMike Belopuhov
2015-11-01replace "can not" with "cannot";Jason McIntyre
2015-10-18Use explicit_bzero() when the memory is freed directly afterward.mmcc
ok deraadt@
2015-06-03Do not assume that asprintf() clears the pointer on failure, whichTodd C. Miller
is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
2015-05-25bump up the default Diffie-Hellman group to modp3072; ok mikeb@ djm@Christian Weisgerber
2015-04-17Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexerMike Belopuhov
2015-04-14Remove support for storing credentials and auth information in the kernel.Mike Belopuhov
This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.
2015-02-28Reduce usage of predefined strings in manpages.Anthony J. Bentley
Predefined strings are not very portable across troff implementations, and they make the source much harder to read. Usually the intended character can be written directly. No output changes, except for two instances where the incorrect escape was used in the first place. tweaks + ok schwarze@
2015-01-16Replace <sys/param.h> with <limits.h> and other less dirty headers whereTheo de Raadt
possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-10tell the truth about DES.Igor Sobrado
joint work with djm@ and jsing@, who suggested stronger words warning people away from single-DES. ok djm@
2015-01-02PFS stands for Perfect Forward Secrecy.Igor Sobrado
ok reyk@
2014-12-28Unbreak the tree. Looks like tedu did not tedu enough when killing KPDKClaudio Jeker
support.
2014-11-20Yet more #include de-duplication.Kenneth R Westerback
ok deraadt@ tedu@
2014-11-20Don't allow embedded nul characters in strings.Jonathan Gray
Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer. pfctl parse.y patch from and ok deraadt@