summaryrefslogtreecommitdiff
path: root/sbin/isakmpd
AgeCommit message (Collapse)Author
2009-01-29Improve logging:Hans-Joerg Hoexer
- in ipsec_delete_spi_list() a log_verbose is added, when a remote peer sends us a delete message for an SA. However, to avoid spamming the log when SAs are deleted during re-keying, I only log_verbose, when the soft timeout of the SA is not expired yet. Thus only deletion of live SAs gets logged. - in ipsec_decode_ids() I remove the additonal printing of IP-Adresses in hex as the addresses are already printed in CIDR. - while there, apply some KNF ok todd@, mpf@, bluhm@
2009-01-28cleaning up my tree: trivial KNF and a comment fix.Hans-Joerg Hoexer
2009-01-28Remove some dead (#if 0) code.Hans-Joerg Hoexer
2009-01-20Add support to isakmpd(8) and ipsecctl(8) to install SA's with aMarco Pfatschbacher
different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
2008-12-22mark log_fatal() and monitor_exit() as __dead, as they do not return.Hans-Joerg Hoexer
2008-11-11Use rfc2409 conform notification message when client identities areHans-Joerg Hoexer
not valid during phase 2. From Dirk Mast <condor2k at googlemail dot com>, thanks! ok markus@
2008-10-21do not listen on tentative (during DAD), duplicated (after DAD) orMarkus Friedl
detached addresses. bind(2) will not allow this. ok hshoexer, fries
2008-09-06adapt to API changes in OpenSSL 0.9.8hDamien Miller
2008-09-06adapt to sha2(3) API changes; ok millert@Damien Miller
2008-07-22If isakmpd is started with -4 or -6, virtual_get_default() mayAlexander Bluhm
return NULL. This happens if isakmpd is configured for the other address family. Add a NULL pointer check and initialize rv. ok hshoexer
2008-07-01Isakmpd acquire mode did not work with a config generated fromAlexander Bluhm
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
2008-06-10Arguments to fifo commands were limited to 80 bytes. That is tooAlexander Bluhm
short for IPv6. Increase the buffer size from 80 to 200 where appropriate. For the M command a buffer for 10 bytes is sufficient. ok hshoexer@ mpf@ grunk@
2008-06-10Fix implementation of IN6_IS_ADDR_FULL so that IPV6_ADDR is usedAlexander Bluhm
instead of IPV6_ADDR_SUBNET where appropriate. Then isakmpd has the same behaviour for IPv6 and IPv4. ok markus@
2008-05-12Error out with usage line if additional arguments are given after thePierre-Yves Ritschard
option parsing. Found out the hard way by jdixon on ifstated. ok sobrado@, jdixon@, millert@
2008-03-24msg_controllen has to be CMSG_SPACE so that the kernel can account forTheo de Raadt
each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This works now that kernel fd passing has been fixed to accept a bit of sloppiness because of this ABI repair. lots of discussion with kettenis
2008-03-15Repair the simple cases for msg_controllen where it should just beTheo de Raadt
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because of alignment; ok kettenis hshoexer
2008-03-13Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due toTheo de Raadt
an extensive discussion with otto, kettenis, millert, and hshoexer
2008-03-02Use a union to ensure alignment of the cmsg.Hans-Joerg Hoexer
ok deraadt
2008-02-17Define default configurations for AES-192 and AES-256. From Mitja MuzenicHans-Joerg Hoexer
<mitja at muzenic dot net>, diff provided already quite some time ago, many many thanks. This should have gone in months ago but I was slacking, sorry for that.
2008-02-06Fix possible memory leaks when sending phase 1 IDs.Moritz Jodeit
From Igor Zinovik <zinovik@cs.karelia.ru> ok hshoexer@
2008-01-29fix race in makefileMarc Espie
2007-09-02more malloc(n * m) -> calloc(n, m); from Igor ZinovikTheo de Raadt
2007-09-02use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsgTheo de Raadt
2007-08-15Remove a superflous debug fprintf.Hans-Joerg Hoexer
2007-08-11Do not complain about being not able to read non-existing files. MinorHans-Joerg Hoexer
glitch introduced by previous commit. ok markus@
2007-08-07m_priv_req_readdir(): check file type after fstat, since d_typeMarkus Friedl
is not passed over NFS (unless readdir+ is used). fixes pr 5557 with and ok hshoexer@
2007-08-05Allow key exchange with RSA signature authentication to work withTom Cosgrove
Cisco IOS and other initiators that only send their certs in response to CERT_REQUEST. With input and help from cloder@, Stuart Henderson, mpf@, and several others who did lots of testing - thanks to all. ok hshoexer@
2007-07-31Use correct function name in log message. Noticed by Igor ZinovkHans-Joerg Hoexer
zinovik@cs.karelia.ru. Thanks!
2007-06-02safer snprintf construct with more paranoid length calculationPeter Valchev
ok millert
2007-06-01Let conf_trans_node() set all parts of the node, so that we don'tMoritz Jodeit
have to expose the node to the outside. Without this, conf_trans_node() created a node, linked it into the conf_trans queue and returned it to the caller. If something failed in one of the callers, the half-initialized node would still be linked in the queue and could get accessed later on. ok hshoexer@
2007-05-31convert to new .Dd format;Jason McIntyre
2007-05-27Don't include sys/mbuf.h it is not needed. OK mcbride@ msf@Claudio Jeker
2007-05-23Get rid of some obsolete exampels.Hans-Joerg Hoexer
ok and prodding @jmc
2007-05-07Bump crypto buffer logging (before crypto/after crypto) to level 70 fromChad Loder
level 30. This was a huge cause of log spam at level 30 and below, and is really not that useful.
2007-05-07It was possible for phase 1 negotiation to fail due to lifetime durationChad Loder
mismatch without any log message stating so. This diff makes sure that all phase 1 negotiation failures due to proposal attribute mismatch are logged. Also change these messages from LOG_NEGOTIATION debug level 70 to always be logged (not just with debug). General idea OK hshoexer, tested here in production.
2007-05-07Document "M active|passive" ui command.Joel Knight
ok jmc@ mpf@
2007-05-05Kill a log message which looks like an error message but is actuallyChad Loder
both meaningless and harmless. ("nat_t_check_vendor_payload: bad size") ok todd
2007-04-22Free allocated node in conf_set_now() before failing,Moritz Jodeit
so we do not leak memory. ok hshoexer@
2007-04-22Use conf_free_list() after calling conf_get_list().Moritz Jodeit
Otherwise we leak memory. ok ho@
2007-04-16There's no point in checking ptr for NULL before doing free(ptr)Moritz Jodeit
since free(NULL) is just fine. ok hshoexer@
2007-04-15Fix interop-issue with vpn peers that start reyking on port 4500 whenHans-Joerg Hoexer
NAT-T is used. Solves problems with cisco and openswan. Tested by todd@ (cisco interop), ok ho@ Original fix with Stefan Roth (stefan dot roth at siemens dot com), thanks!
2007-04-08Fix lint comments. s/Fall through/FALLTHROUGH/.Moritz Jodeit
ok hshoexer@
2007-04-08o Kill another strerror() from a call to log_error(),Moritz Jodeit
which already adds the errno string. o Avoid closing fd, if it's -1. o Don't replace illegal pathes with /dev/null in m_priv_local_sanitize_path(). All callers skip it anyways, in the failure case. ok hshoexer@
2007-04-02Don't append the errno string in a log_error() call,Moritz Jodeit
since it will be automatically be appended. ok hshoexer@
2007-04-02When setting all signals to their default handlers, startMoritz Jodeit
with signal 1, since there's no signal 0. ok hshoexer@
2007-04-02Don't let -r fall through to the next case block,Moritz Jodeit
if INSECURE_RAND is defined. ok hshoexer@
2007-03-26typo in initial RCS tag ($OpenBSD: -> $OpenBSD$)Pedro Martelletto
2007-03-18Fix usage of predefined lifetimes. "Default-phase-[12]-lifetime"Hans-Joerg Hoexer
just specifies the values to be used. However, the specifications are called "LIFE_MAIN_MODE" and "LIFE_QUICK_MODE". ok ho@ jmc@
2007-03-05Set pointer to NULL after freeing it, so callers ofMoritz Jodeit
key_from_printable() are not fooled into using it afterwards. OK hshoexer@
2007-03-03There may be more than one item in the subjectAltName (cropping upTom Cosgrove
with CACert certificates) so don't require the reported length to be exactly equal to the length of the data, but accept it if it's <= the length of the data (i.e. we just use the first alt name). The purpose of the check is to make sure we don't try to read beyond the data we actually have. ok cloder@ hshoexer@