path: root/sbin/isakmpd
Age | Commit message | Author
2012-08-12 | Use .Lk for HTTP hyperlinks, not .Pa. | Ingo Schwarze
Most of the patch from Arto Jonsson <ajonsson at kapsi dot fi>. jmc@ agrees in principle that .Lk is the right macro to use. While here, update a few broken links, and add missing markup at a few places.
2012-07-13 | Support additional MODP DH groups in the Phase 1 and Phase 2. | Mike Belopuhov
lteo@ noticed that ipsecctl allowed them within the ike rules while isakmpd failed to load the generated configuration. The fix was verified by hshoexer, ok naddy
2012-06-30 | enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP | Christian Weisgerber
ok mikeb@
2012-06-04 | Rounding up a number of bytes in a bignum returned by the BN_num_bytes() | Mike Belopuhov
has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
2012-03-24 | set the vendor string to OpenBSD-5.2; ok mikeb@ | Markus Friedl
2012-01-16 | import (and fix) net_addrcmp() from libc as a static function. | Eric Faurot
It is going to get removed from libc and this file is the only one using it. discussed with deraadt@ guenther@ ok deraadt@
2011-12-12 | Allow using FQDN as a ID payload type. Some client (eg Windows XP) | YASUOKA Masahiko
uses the FQDN type in NAT-T with transport mode. ok markus
2011-10-20 | For NAT-T with transport mode, use the ISAKMP's SA addresses for the | YASUOKA Masahiko
flow instead of the ID payload. This will fix a part of problems of L2TP/IPsec from NAT'd clients. ok markus@ tested by markus@ and myself.
2011-09-29 | ssl.8: Certifying Authority -> Certificate Authority | Jason McIntyre
isakmpd.8: rsa:1024 -> rsa:2048 (ok markus) all: X509 -> X.509 from Lawrence Teo
2011-08-02 | add refcounting for "Configuration" section for acquire-mode SAs | Markus Friedl
ok mikeb@
2011-06-23 | Use a common text explaining how the various configuration parsers using | Stuart Henderson
the standard OpenBSD-style parse.y handle continuing lines with backslashes, paying particular attention to how comments are handled (which can cause nasty side-effects if you're not expecting it). Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey, patrick keshishian and Florian Obser, ok jmc@.
2011-06-15 | When BN_bn2bin converts a bignum to the binary representation | Mike Belopuhov
it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves. Fixes PR 6601, tested by Pawel Wieleba, sthen, otto. Huge thanks to Pawel for spending nearly a week testing diffs. ok sthen
2011-06-06 | some improvements for the text on packet capture; from Lawrence Teo | Jason McIntyre
ok sthen
2011-05-13 | wrong id for UDP_ENCAP_TRANSPORT_DRAFT; ok mikeb@ | Markus Friedl
2011-04-23 | Indicate which side of the connection responded during phase 1 while using -v. | lum
ok sthen@ markus@
2011-04-16 | Allow -v (verbose logging) to work if a -D option is supplied. | Stuart Henderson
Previously, a specific check was made for any -D log option being used and, if so, *no* -v log entries are made, losing potentially useful log entries. ok lum@
2011-04-06 | Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0' | Miod Vallat
for chars.
2011-02-03 | When binding to addresses, ignore any IP address not in the current | Peter Hessler
routing domain. While here, update comment on what the ioctl is used for (from sthen@). OK mikeb@, sthen@
2010-12-09 | When looking up an SA based on peer address, also check the port | Martin Hedenfal
number. Without this, isakmpd deletes SAs from the same IP on an INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels. Fixes PR 5562. Verified by Mikolaj Kucharski. ok mikeb@
2010-11-29 | make key exchange faster by not checking the predefined groups with DH_check() | Markus Friedl
ok mikeb@, djm@
2010-10-19 | convert to fuse cast from the libcrypto. with a simplification nit from | Mike Belopuhov
blambert, ok jsg, "seems ok" todd
2010-10-18 | as determined 4 years ago, FortiGate needs DOI of 0 responses to DPD | Todd T. Fries
so, copy a small bit of logic to make DPD interop with FortiGate function tested by me, ok mikeb@, silence from 'the usual suspects'
2010-10-15 | Switch the remaining users of libdes in src to libcrypto, | Jonathan Gray
telnet portion partially from the latest heimdal. ok mikeb@
2010-09-22 | Support for use of AES-GCM-16 (as AESGCM) and ENCR_NULL_AUTH_AES_GMAC | Mike Belopuhov
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode). Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. ok naddy
2010-08-04 | fixup keylength for aes-128-cbc in quickmode | Theo de Raadt
from mikeb
2010-06-29 | Replace the hand-crafted Diffie-Hellman implementation in isakmpd with | Reyk Floeter
the smaller implementation from iked that is using libcrypto instead. This allows to remove a lot of code (which is always good), get rid of some custom crypto code by using libcrypto, theoretically adds support for many new MODP and EC2N/ECP modes (but it is not configurable yet), and allows to share the dh.c/dh.h code in different codebases (it is identical in isakmpd and iked, but could also be used elsewhere). ok deraadt@
2010-06-07 | make clearer the relationship between isakmpd and ikev1; and iked and ikev2; | Jason McIntyre
ok reyk
2010-06-03 | update the manpages for isakmpd(8) and ipsec.conf(5) to point to iked(8) | Reyk Floeter
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8) is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8) and not worked on, but maybe in the future - I want to get IKEv2 support first done right. So keep on using isakmpd(8) for IKEv1 for now... ok deraadt@
2010-05-10 | Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> | Kenneth R Westerback
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
2010-04-15 | Log when isakmpd starts - patch from Toni Mueller | lum
ok ho@ mpf@ krw@ sthen@ kjell@
2010-04-06 | fix some more dodgy "-indent"; aucat.1 has some too, but i'll leave that for | Jason McIntyre
ratchov, to avoid messing up his current diff...
2010-03-26 | dispense with some wacky escape sequences; | Jason McIntyre
2010-03-04 | don't crash on invalid phase 2 IDs; from hshoexer; ok sthen@ | Markus Friedl
2010-01-10 | only subtract ISAKMP_ID_DATA_OFF once. otherwise 'buf' might overflow | Markus Friedl
and/or ASN1-DNs do not get parsed correctly; with and ok krw@; ok reyk@
2010-01-03 | Neither .Pp nor unqualified text are allowed at the top level of .Bl; | Ingo Schwarze
instead, .It is required. Thus, move .Pp and text before the .Bl, and remove the .Pp altogether where it is not needed. Syntax errors found by mandoc(1), also required to fix the mandoc build; feedback and ok jmc@, and sobrado@ also supports the direction.
2009-11-13 | fix a few memory leaks found by parfait; ok hshoexer | Theo de Raadt
2009-06-25 | Add missing RTM_VERSION check. This is needed before accessing other data | Claudio Jeker
from routing messages retrieved via routing socket or sysctl. Tested and OK sthen@, OK henning@
2009-06-05 | rtm->rtm_hdrlen conversion | Chris Cappuccio
ok claudio@, henning@
2009-01-29 | Improve logging: | Hans-Joerg Hoexer
- in ipsec_delete_spi_list() a log_verbose is added, when a remote peer sends us a delete message for an SA. However, to avoid spamming the log when SAs are deleted during re-keying, I only log_verbose, when the soft timeout of the SA is not expired yet. Thus only deletion of live SAs gets logged.
- in ipsec_decode_ids() I remove the additional printing of IP-Addresses in hex as the addresses are already printed in CIDR.
- while there, apply some KNF
ok todd@, mpf@, bluhm@
2009-01-28 | cleaning up my tree: trivial KNF and a comment fix. | Hans-Joerg Hoexer
2009-01-28 | Remove some dead (#if 0) code. | Hans-Joerg Hoexer
2009-01-20 | Add support to isakmpd(8) and ipsecctl(8) to install SA's with a | Marco Pfatschbacher
different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
2008-12-22 | mark log_fatal() and monitor_exit() as __dead, as they do not return. | Hans-Joerg Hoexer
2008-11-11 | Use rfc2409 conform notification message when client identities are | Hans-Joerg Hoexer
not valid during phase 2. From Dirk Mast <condor2k at googlemail dot com>, thanks! ok markus@
2008-10-21 | do not listen on tentative (during DAD), duplicated (after DAD) or | Markus Friedl
detached addresses. bind(2) will not allow this. ok hshoexer, fries
2008-09-06 | adapt to API changes in OpenSSL 0.9.8h | Damien Miller
2008-09-06 | adapt to sha2(3) API changes; ok millert@ | Damien Miller
2008-07-22 | If isakmpd is started with -4 or -6, virtual_get_default() may | Alexander Bluhm
return NULL. This happens if isakmpd is configured for the other address family. Add a NULL pointer check and initialize rv. ok hshoexer
2008-07-01 | Isakmpd acquire mode did not work with a config generated from | Alexander Bluhm
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
2008-06-10 | Arguments to fifo commands were limited to 80 bytes. That is too | Alexander Bluhm
short for IPv6. Increase the buffer size from 80 to 200 where appropriate. For the M command a buffer for 10 bytes is sufficient. ok hshoexer@ mpf@ grunk@