summaryrefslogtreecommitdiff
path: root/sbin/isakmpd
AgeCommit message (Collapse)Author
2017-02-28Depending on the addresses, ipsecctl(8) automatically groups saAlexander Bluhm
bundles together. Extend the kernel interface to export the bundle information to userland. Then ipsecctl -ss -v can show the internal relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently. OK hshoexer@ markus@
2017-02-03Stop assuming that in_{addr,port}_t are typedefed in <sys/types.h> andPhilip Guenther
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed. ok florian@ beck@ millert@
2017-01-04Remove modular exponential groups specified in RFC5114Mike Belopuhov
Brought up by doug@, ok reyk, djm, doug
2017-01-01Hyphenate compound adjectives 'up-to-date', 'out-of-date' and 'well-known'Theo Buehler
if they precede the noun and omit hyphens otherwise. ok tj
2016-09-03A commented block starts withTheo de Raadt
# If you have ElectricFence available, you can spot abuses of the heap." Or, uhm you can simply use our malloc.
2016-09-02move links from http to https://www.openbsd.org/Theo Buehler
ok beck
2016-08-26Pull in <sys/select.h> for fd_setPhilip Guenther
ok deraadt@
2016-04-04Fix memory leak. Call proto_free() always to free proto.YASUOKA Masahiko
Diff from Yuuichi Someya. ok reyk markus
2016-04-02Another use for fcntl() and thus of the superfluous 3rd parameterKenneth R Westerback
is when sanitising standard fd's before calling daemon(). Use a tweaked version of the ssh(1) function in all three places found using fcntl() this way. ok jca@ beck@
2016-03-16More "(<blah> *)0" -> NULL, avoiding any stdarg functions.Kenneth R Westerback
Feedback millert@ kettenis@
2016-03-10Don't retransmit responses for unauthenticated messages.YASUOKA Masahiko
Base on diff from Yuuichi Someya ok markus reyk mikeb
2016-03-05fix steps for cert creation;Jason McIntyre
issue reported by igor.kos (temporary) fix entirely provided by sthen
2016-02-29Print ssize_t with %zd; ok deraadt@ mmcc@Jeremie Courreges-Anglas
2016-01-11typo fix; from julian hsiaoJason McIntyre
2016-01-08tweak; from julian hsiaoJason McIntyre
2015-12-10Remove NULL-checks before free(). ok tb@mmcc
2015-12-09Remove plain DES encryption from IPsec.Christian Weisgerber
DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
2015-10-15A classic case for bzero() -> explicit_bzero()mmcc
ok deraadt@
2015-09-25drop useless .Xo and .Bk, and shorten by avoiding some .SmIngo Schwarze
2015-08-20Do not cast a size_t to (unsigned long) to pass it as an argument to malloc.Theo de Raadt
Like really, who does??!
2015-08-20<stdlib.h> is included, so do not need to cast result fromTheo de Raadt
malloc, calloc, realloc* ok krw millert
2015-06-03Do not assume that asprintf() clears the pointer on failure, whichTodd C. Miller
is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
2015-04-21No need to do "size = (size_t)sb.st_size" both before and afterJonathan Gray
a fstat() call. ok mikeb@ markus@
2015-04-20Log if we refuse to continue the exchange when another one that correspondsMike Belopuhov
to the same policy is already active. OK markus, hshoexer
2015-04-17Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexerMike Belopuhov
2015-04-14Remove support for storing credentials and auth information in the kernel.Mike Belopuhov
This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.
2015-03-26Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?Mike Belopuhov
ok markus, hshoexer
2015-02-15convert bcmp to memcmpTed Unangst
ok doug millert miod
2015-02-07When getopt processing flags, many should be flag=1 instead of flag++Theo de Raadt
ok tedu miod
2015-01-16Arguments are just ".Ar", not ".Brq Ar" or even ".Ns { Ns Ar ... Ns }".Ingo Schwarze
The .Ar macro already causes distinctive formatting in a standard way, so there is no need for additional braces. This also fixes the only mandoc warning in src/sbin.
2015-01-16Tweak previous: Do not put punctuation on its own line, put it at the endIngo Schwarze
of the preceding macro line; no output change with mandoc, fixes output with groff. Also, if you want spacing back after .Sm off, do not add an argument containing a blank character, simply rely on .Sm on.
2015-01-16Clean up macros in isakmpd(8).Anthony J. Bentley
- Fix mandoc warnings ("WARNING: skipping empty macro: No") - Mark up arguments with Ar, not Aq Ic - Mark up pathnames with Pa ok jmc@
2015-01-16Replace <sys/param.h> with <limits.h> and other less dirty headers whereTheo de Raadt
possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-13-/* Backwards compatibility. */Theo de Raadt
-#ifndef NI_MAXHOST -#define NI_MAXHOST 1025 -#endif Disappointing.
2014-12-01memcpy abort found an overlap. from dsp at 2f30. ok deraadtTed Unangst
2014-11-19Nuke yet more obvious #include duplications.Kenneth R Westerback
ok deraadt@
2014-10-29convert simple cases of select() to poll()Theo de Raadt
ok doug
2014-10-25Remove unnecessary netinet/in_systm.h include.Lawrence Teo
ok millert@
2014-10-22Fix error reporting when reallocarray() fails. OK miod@Todd C. Miller
2014-10-18Convert malloc() with a size var using multiplication to reallocarray().Doug Hogan
Avoid assigning the size unless reallocarray() succeeds to avoid overflow. ok deraadt@
2014-10-12DH_compute_key() returns -1 on error but this was notJonathan Gray
handled by testing the result with a negation. Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem. ok reyk@
2014-10-09obvious reallocarray() conversionsTheo de Raadt
2014-08-25Sync dh.[ch] from iked. The files are identical, so any change inReyk Floeter
either iked or isakmpd should be synced to the other daemon. The previous changes from iked include: plug two memory leaks, verify EC points and add the Brainpool curves. All tests in regress/sbin/isakmpd/dh passed OKAY. ok markus@ mikeb@
2014-08-25Fix a few fd leaks in isakmpd.Doug Hogan
The latter close is from a sweep of the tree looking for fdopen problems. While reviewing the patch, gerhard@ fixed another leak. ok gerhard@
2014-08-23Fix double free in ike_auth.cdoug
ok jca@
2014-08-22fix memory leak in isakmpddoug
ok gerhard@ (also corrected first version)
2014-07-11add additional includes required to build with -DOPENSSL_NO_DEPRECATEDJonathan Gray
2014-05-01Correct a test for X509_get_notAfter() failing or returningJonathan Gray
an unsupported time type when passing data to keynote. Problem introduced by angelos in 1.41 though the code has been reformatted a few times since then. ok otto@ miod@
2014-03-11For CA generation, go back to using a two-step procedure to create a CSR andStuart Henderson
then self-sign it rather than using the "openssl req" shortcut. This allows us to specify -extfile and thus set the correct certificate extensions so that stricter SSL implementations will trust this as a CA cert, and matches how things are done in ssl(8). This is basically a partial revert of r1.77. Researched by chrisz@, tweak/ok jmc@ ok beck@
2014-03-07If allocation of 'id' fails, don't try to deref it after 'goto fail'.Gerhard Roth
ok millert@
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-18 14:06:31 +0000