summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
AgeCommit message (Collapse)Author
2016-06-21do not allow whitespace in macro names, i.e. "this is" = "a variable".Sebastian Benoit
change this in all config parsers in our tree that support macros. problem reported by sven falempin. feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
2015-12-10Remove NULL-checks before free(). ok tb@mmcc
2015-12-09Remove plain DES encryption from IPsec.Christian Weisgerber
DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
2015-12-02remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@Christian Weisgerber
2015-11-04Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddyMike Belopuhov
2015-11-01replace "can not" with "cannot";Jason McIntyre
2015-10-18Use explicit_bzero() when the memory is freed directly afterward.mmcc
ok deraadt@
2015-06-03Do not assume that asprintf() clears the pointer on failure, whichTodd C. Miller
is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
2015-05-25bump up the default Diffie-Hellman group to modp3072; ok mikeb@ djm@Christian Weisgerber
2015-04-17Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexerMike Belopuhov
2015-04-14Remove support for storing credentials and auth information in the kernel.Mike Belopuhov
This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.
2015-02-28Reduce usage of predefined strings in manpages.Anthony J. Bentley
Predefined strings are not very portable across troff implementations, and they make the source much harder to read. Usually the intended character can be written directly. No output changes, except for two instances where the incorrect escape was used in the first place. tweaks + ok schwarze@
2015-01-16Replace <sys/param.h> with <limits.h> and other less dirty headers whereTheo de Raadt
possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-10tell the truth about DES.Igor Sobrado
joint work with djm@ and jsing@, who suggested stronger words warning people away from single-DES. ok djm@
2015-01-02PFS stands for Perfect Forward Secrecy.Igor Sobrado
ok reyk@
2014-12-28Unbreak the tree. Looks like tedu did not tedu enough when killing KPDKClaudio Jeker
support.
2014-11-20Yet more #include de-duplication.Kenneth R Westerback
ok deraadt@ tedu@
2014-11-20Don't allow embedded nul characters in strings.Jonathan Gray
Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer. pfctl parse.y patch from and ok deraadt@
2014-11-04Add gcc format attributes to ipsecctl's parse.y. Also, fix a few formatDoug Hogan
characters. ok sthen@ naddy@ markus@
2014-11-03simple conversion from select() to poll()Theo de Raadt
2014-03-19Unify ipsec.conf(5)'s copy of the text dealing with multiline comments,Stuart Henderson
this was missed when unifying text in the other parse.y parsers (see e.g. pf.conf.5 r1.495). Noticed in a misc@ post by zeloff at zeloff/org.
2014-01-22fix printing of IPcomp SAs; ok mikeb@ & todd@Markus Friedl
2014-01-22relax the cfg file secrecy check slightly to allow group readabilityHenning Brauer
default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
2013-11-25use u_char for buffers in yylex, for ctype callsSebastian Benoit
found by millert@, ok deraadt@
2013-11-22Whole bunch of (unsigned char) casts carefully added for ctype calls.Theo de Raadt
Careful second audit by millert
2013-11-01altq -> new queue in examplesHenning Brauer
From: Arto Jonsson <ajonsson at kapsi.fi>
2013-08-25the comment that comma characters cannot be used in transformMike Belopuhov
names in ike_section_p2 applies to phase-1 transforms as well.
2013-06-29do not use Sx for sections outwith the page;Jason McIntyre
man4 still to go...
2012-09-18remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not setMarkus Friedl
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code. ok mikeb@
2012-09-17unbreak the last commit by making sure that the transform nameMarkus Friedl
does not include a "," character. ok otto@
2012-09-15Encode the transform parameters in the transform name, too.Markus Friedl
Only using p1name or p2name as a transform identifier (as in rev 1.74) breaks setups that allow multiple transforms for a connection, e.g. in ike passive esp from any to 1.1.1.1 quick enc aes-128 ike passive esp from any to 1.1.1.1 quick enc aes-192 the aes-128 will be overwritten. ok and feedback mikeb@
2012-08-30Do not issue a spurious "force" when "group none" is specified.Christian Weisgerber
Tweaked from his fix and ok mikeb@
2012-08-12Explicitly state that only two unit specifiers are recognized instead ofLawrence Teo
"several." Note: if anyone adds support for more unit specifiers in the future, please change this back to "several" (instead of using an exact number) so that it matches the iked.conf(5) man page. :) While here, fix a typo in the quick mode section: "phase 1 lifetime" -> "phase 2 lifetime" ok mikeb sthen jmc haesbaert henning
2012-07-13small tweak;Jason McIntyre
2012-07-13Change the configuration format fed to the isakmpd FIFO to be ableMike Belopuhov
to specify extended options like SA Lifetime. All the hard work was done by lteo@, while naddy@ and me have made sure that defaults and AH still work; sthen and jmc have looked over the diffs as well.
2012-07-10Rename "life" to "lifetime" to match iked.Lawrence Teo
ok mikeb naddy sthen; procedures ok henning
2012-07-09Fix typo in warning message.Lawrence Teo
ok mikeb sthen haesbaert henning
2012-07-08Disallow manual security associations that use AES-CTR, AES-GCM,Christian Weisgerber
or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations. Also include a tweak (with jmc@) to the key size explanation, for completeness sake. ok mikeb@
2012-07-07copy&paste mistake in error messageChristian Weisgerber
2012-07-05don't output "esn" string in the rule section as we can't use theMike Belopuhov
keyword in the grammar to create a esn-enabled rule (no reason to do so for manual sa configuration). instead decode sa flags so that we can also watch changes happening in the realtime with the monitor mode. prompted and ok by naddy
2012-06-30enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESPChristian Weisgerber
ok mikeb@
2012-06-29Print esn flag when dumping SAs with ESN enabledMike Belopuhov
2012-04-24take a stab at documenting when arguments need quoted, and valid macroJason McIntyre
characters; prompted by a diff from robert peichaer org thanks gilles and henning for feedback ok deraadt zinke
2012-03-24fix some leaksJonathan Gray
ok miod@
2011-12-20unsigned long should use "%lu" format; from eric lax, thanksMike Belopuhov
2011-11-13provide a specific section reference; from Lawrence TeoJason McIntyre
2011-11-08- put -i in the right placeJason McIntyre
- prevent an erroneous space in the formatting of -D
2011-11-08mention default fifo path, sthen. previous manpage changes were ok jmc, plusHenning Brauer
reminder to adjust synopsis and usage (again...)
2011-11-08allow the path to isakmpd's fifo to be specified (aka changed) on theHenning Brauer
command line, ok mikeb sthen
2011-09-03make -column lists pretty again;Jason McIntyre
specifically, rewrite them to permit some markup in the column headers, and use "Ta" instead of literal tabs; mandoc does not currently match groff 100%, but a mandoc fix may be some time off, and we've gone enough releases with poorly formatting column lists. in some cases i have rewritten the lists as -tag, where -column made little sense.