Age | Commit message (Collapse) | Author |
input deraadt, ok tobhe

ok tobhe

prevent out-of-bounds read in strlen().
ok tb@

ipsecctl -m and ipsecctl -s. Refactor ipsecctl_show_*() to set up all
sysctls first before dropping privileges and finally parsing and
printing IPsec SAs and flows.
feedback and ok mbuhl@
ok deraadt@

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.
if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).
this supports route-based instead of policy-based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

ok claudio@ cheloha@ krw@ deraadt@ miod@ millert@

OK bluhm

pointed out by jmc

from jmc

correct "cast" in ipsec.conf.5 to "cast128", add missing
"chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 some
places.
ok jmc sthen

algorithm is gone. Remove all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@

functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@

This is useful for debugging replay window issues with 64-bit
sequence numbers in IPsec.
ok bluhm@

ok bluhm@ sthen@ mpi@

before accessing anything in ifa_addr.
ok claudio@

Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.
OK tobhe@ sthen@ kn@

ok patrick@

ok markus@, patrick@

Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified; hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel. `$domain' without quotes never makes it to
the daemon; that is, with `domain = foo' somewhere else, "foo" is
eventually passed unmodified to the kernel.
jmc prompted for a proper explanation and provided the final wording.
OK tobhe jmc

manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many

number of an SA. This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@

error prone than manually editing rc.conf.local, and also works to
enable ipsec and accounting.
tweak from schwarze@ to use the \(dq\(dq syntax for quotes in '.Dl
foo_flags="" lines' instead of \&"\&".
while at it, fix a reference to a bogus /dev/dhclient.conf file that
recently snuck in.
ok jmc@ deraadt@ schwarze@

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8)).
ok bluhm@

value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno

(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@

Noted by jca, thanks.
OK jca claudio

ok sthen@

out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@

it.
ok markus@ as part of a larger diff

calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@

running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@

ok benno@

the Listen-on directive in isakmpd.conf(5). This directive can be necessary
in multi-homed situations, and if isakmpd(8) is used with carp(4).
ok sthen@ mpi@

also some minor tweaks while here...

Makes it easier to check live status of complex setups.
ok hshoexer@

ok visa@, markus@

commit in 2000 that introduced the features already called them SA
bundles. The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@

flow which the first SA matched by the flow type. This behaviour
was mostly undocumented and unexpected. Make SA bundles explicit
in ipsec.conf(5). Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@

ok mikeb

print them by default.
OK hshoexer@

bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

with more modern TAILQ_FOREACH(). This is what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@

change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@

DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@