Age | Commit message | Author |
|
bug noticed and fix tested by robert
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
prompted by reyk
|
|
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that the aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
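As an added illustration of the key sizes listed above (not code from the ipsecctl commit or from OpenBSD), the following checker verifies that a manually keyed aes-gcm/aes-gmac "enc" argument is given enckey material of the expected length (AES key bits plus the 32-bit nonce) and flags the two caveats the commit message raises. The manual flow-line syntax it parses, including the colon-separated key pair, is an assumption modelled loosely on ipsec.conf(5).

```python
"""Added example: validate enckey length for the aes-gcm / aes-gmac family.
Flow-line syntax (enc X enckey OUT:IN) is assumed, not taken from ipsec.conf(5)."""
import re

NONCE_BITS = 32  # the "+nonce" in "160 bit key (128+nonce)" etc.
# aes-128-gcm -> 160, aes-192-gcm -> 224, aes-256-gcm -> 288, same for -gmac
KEY_BITS = {f"aes-{b}-{m}": b + NONCE_BITS
            for b in (128, 192, 256) for m in ("gcm", "gmac")}


def check_enckey(enc, enckey):
    """Return (errors, warnings) for one enc transform and its hex enckey."""
    errors, warnings = [], []
    if enc not in KEY_BITS:
        return [f"{enc}: not an aes-gcm/aes-gmac transform"], warnings
    if enc.endswith("-gmac"):
        warnings.append(f"{enc}: authentication only, no confidentiality")
    warnings.append("manual keying discouraged: AES-GCM needs frequent re-keying")
    # Assumed: a colon-separated pair keys the SA for return traffic as well.
    for direction, hexkey in zip(("out", "in"), enckey.split(":")):
        key = hexkey[2:] if hexkey.lower().startswith("0x") else hexkey
        if not re.fullmatch(r"[0-9a-fA-F]+", key):
            errors.append(f"{direction}: enckey is not hexadecimal")
            continue
        got = len(key) * 4  # one hex digit is four bits
        if got != KEY_BITS[enc]:
            errors.append(f"{direction}: {got}-bit enckey, {enc} needs {KEY_BITS[enc]}")
    return errors, warnings


def check_flow_line(line):
    """Pull 'enc X' and 'enckey Y' out of an assumed manual flow line and check them."""
    tokens = line.split()
    fields = {tokens[i]: tokens[i + 1] for i in range(len(tokens) - 1)
              if tokens[i] in ("enc", "enckey")}
    if "enc" not in fields or "enckey" not in fields:
        return ["line has no enc/enckey pair"], []
    return check_enckey(fields["enc"], fields["enckey"])


if __name__ == "__main__":
    # Constructed sample: 72 hex digits = 288 bits per direction for aes-256-gcm.
    good = ("esp from 172.23.61.36 to 172.23.61.156 spi 0x1000:0x1001 "
            "enc aes-256-gcm enckey 0x" + "ab" * 36 + ":0x" + "cd" * 36)
    bad = good.replace("aes-256-gcm", "aes-128-gmac")  # same keys, wrong size
    for sample in (good, bad):
        print(check_flow_line(sample))
```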
|
|
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
|
|
|
|
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
|
|
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
|
|
also required to fix the mandoc build.
"fine. even if mandoc goes nowhere, it has found some bugs ;)" jmc@
ok sobrado@
|
|
we don't know the size of, otherwise gcc >= 4 will error.
ok markus@ deraadt@
|
|
|
|
is used as the srcid; however, the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
allocations fails.
looks right deraadt, krw
ok henning
|
|
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.
ok hshoexer@, todd@
|
|
lines later. No functional change.
ok grunk@, hshoexer@
|
|
|
|
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
|
for easier debugging.
ok grunk@, hshoexer@, todd@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
This avoids warnings about already existing manual flows when
ipsec.conf is reloaded. From Mitja Muzenic <mitja at muzenic dot
net>, thanks!
|
|
Muzenic (mitja at muzenic dot net), many thanks!
|
|
(IPV4_ADDR_SUBNET) when they contain a '/'.
This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding
"/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other
IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
|
|
|
(aes-192, aes-256) is used; ok hshoexer@
|
|
the -n switch. This triggers malloc related bugs during the regress
tests.
ok hshoexer
|
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
|
of all possible addresses from DNS and not only the first one. So
during expansion, the right address family can be chosen and
regression test ike56 passes again. There localhost resolves to
127.0.0.1 and ::1.
ok hshoexer
|
|
rule, the current to address is taken as peer during expansion.
This makes the broken regress test ikefail7 obsolete as address
family mismatch cannot happen anymore.
ok hshoexer
|
|
No functional change yet.
ok hshoexer
|
|
tested and ok hshoexer, grunk
|
|
pointed out by Prabhu Gurumurthy
ok deraadt@
|
|
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@
|
|
text from ipsecadm(8), hshoexer, and myself
|
|
not accept the trailing '/32'.
Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!
|
|
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@
|
|
ok deraadt@
|
|
Requested and OK deraadt@
|
|
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others
|
|
of the SA matching return traffic; it was already there for spi but
not authkey/enckey (all 3 are required).
assistance and ok from jmc@
|
|
handle this in the parser. better range checks.
with and ok deraadt@
|
|
|
|
|
|
ok hshoexer, mpf
|
|
|
|
<ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|