path: root/sbin/isakmpd
Age | Commit message | Author
2023-12-20 | Don't unset the SA tag set by ipsec_sa_tag in ipsec_sa_iface. | Tobias Heider
    Fixes SA tagging and a possible leak. from markus@
2023-08-08 | have a go at documenting the Interface config statement. | David Gwynne
    I'm not really happy with this, but it's a start.
2023-08-07 | support configuring interface SAs for route-based ipsec vpns. | David Gwynne
    add "Interface NUMBER" to the config parser to specify that once SAs have been negotiated with a peer, install the SAs with the sadb_x_iface extension set up, but skip installing the flows/SPD entries. this allows for the negotiation of multiple esp tunnels covering all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to do something useful with them using the routing table and sec(4) interfaces instead of having SPD entries fight over those packets in the kernel. this in turn allows interoperation with other ipsec/vpn solutions that require the negotiation of such tunnels. support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@
2023-03-31 | Add missing NULL check after group_get() | Theo Buehler
    Otherwise dh_getlen() will dereference ie->group and crash. looks correct to hshoexer
2023-03-31 | Guard use of GROUP_EC2N with #ifndef OPENSSL_NO_EC2M | Theo Buehler
    This allows compiling isakmpd with a libcrypto that has binary field support removed. Leave the enum value itself unguarded on claudio's request. ok beck claudio jsing
2023-03-28 | Avoid double free in isakmpd | Theo Buehler
    In the unlikely event that EC_KEY_check_key() in ec_init() fails, group->ec would be freed first in ec_init() then in group_free(). Same problem was fixed in iked/dh.c r1.31 (where it originally came from). ok jsg mbuhl
2023-03-08 | Delete obsolete /* ARGSUSED */ lint comments. | Philip Guenther
    ok miod@ millert@
2023-02-08 | isakmpd: add missing void to a function definition | Theo Buehler
    Fixes -Wstrict-prototype warning seen with clang 15 on amd64 and arm64.
2022-12-04 | userspace: remove vestigial '?' cases from top-level getopt(3) loops | Scott Soule Cheloha
    getopt(3) returns '?' when it encounters a flag not present in the optstring or if a flag is missing its option argument. We can handle this case with the "default" failure case with no loss of legibility. Hence, remove all the redundant "case '?':" lines. Prompted by dlg@. With help from dlg@ and millert@. Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2 ok naddy@ millert@ dlg@
2022-03-31 | man pages: add missing commas between subordinate and main clauses | Christian Weisgerber
    jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
2022-02-06 | remove please from manual pages | Jonathan Gray
    ok jmc@ sthen@ millert@
2022-01-31 | In isakmpd's pf_key_v2_enable_sa(), check if proto is NULL and if so, log a warning rather than attempting to dereference it. | Stuart Henderson
    Check suggested by millert@, ok "your fix shouldn't hurt" mpi@ This isn't fixing the root cause but I don't have a better idea and I'm hitting problems on several systems as I upgrade them, and I think in this case logging rather than dumping core is more helpful. Without this, in recent OpenBSD versions (I have seen it in since at least the snapshot from June 14 2021) I am often seeing isakmpd crashes after SAs come in shortly after isakmpd starts with my usual flags, although they don't seem to occur if I raise logs to heavy debug levels (-DA=90). With this, those connections will fail but isakmpd will stay running and after usually one retry things will be ok. Usually, perhaps always, seen associated with "responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute" logged previously. Pcap written by isakmpd -L shows a normal-looking proposal though, with proto/ids/group description set, yet printing *isa at the point that message is logged shows zeros in sport/dport/group_desc/etc. (I can give more info and/or test if someone has a better idea!)
2022-01-28 | When it's the possessive of 'it', it's spelled "its", without the apostrophe. | Philip Guenther
2022-01-16 | isakmpd: fix -Wunused-but-set-variable warnings | Christian Weisgerber
    ok guenther@
2022-01-14 | isakmpd: convert modp to opaque DH | Theo Buehler
2021-11-30 | isakmpd: convert modp_init() for opaque DH. | Theo Buehler
    ok jsing
2021-11-29 | the code in this file has reason to include any sys/*.h header files, let alone sys/param.h, which it uses to get roundup(). | Theo de Raadt
    make a local copy of the macro, and call it a day.
2021-11-19 | isakmpd: stop reaching into EVP_PKEY. | Theo Buehler
    Straightforward conversion to the OpenSSL 1.1 API as a step towards making EVP_PKEY opaque. EVP_PKEY_get0_RSA() can't fail if we know that the pkey type is RSA. ok sthen
2021-11-03 | Clarify that ANY can be used for several parameters of IPsec transform. | YASUOKA Masahiko
    ok jmc sthen
2021-10-31 | Now that X509_OBJECT is opaque, we need to allocate it on the heap instead of having it on the stack. | Theo Buehler
    Adjust code accordingly.
2021-10-24 | For open/openat, if the flags parameter does not contain O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. | Theo de Raadt
    Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
2021-10-22 | remove some bad punctuation; | Jason McIntyre
2021-10-22 | After deleting hifn(4) the only provider for the LZS compression algorithm is gone. | Alexander Bluhm
    Remove all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
2021-10-21 | isakmpd: prepare for opaque X509_STORE_CTX struct. | Theo Buehler
    ok benno
2021-10-21 | isakmpd: prepare for opaque X509_EXTENSION struct. | Theo Buehler
    This needs to use an accessor instead of reaching directly into the struct. ok benno
2021-10-13 | isakmpd: remove #ifdefs for ancient OPENSSL_VERSIONs. | Theo Buehler
    No-one is going to build this with OpenSSL 0.9.7 or earlier, so we can remove this code. ok bluhm sthen (as part of a larger diff)
2021-10-13 | isakmpd: remove libcrypto.c | Theo Buehler
    All this does is a call to OpenSSL_add_all_algorithms(), which is no longer needed since libcrypto initializes itself. ok bluhm sthen (part of a larger diff)
2021-10-09 | delete unnecessary arpa/nameser.h includes | Theo de Raadt
    ok millert
2021-07-02 | call the API function X509_NAME_cmp(3) instead of the obsolete, undocumented macro alias X509_name_cmp(3); no binary change; OK tb@ | Ingo Schwarze
2021-05-13 | Use field independent versions of {get,set}_coordinates() | Theo Buehler
    ok tobhe
2021-02-11 | Link isakmpd dynamically. | Alexander Bluhm
    Mount /usr on NFS via IPsec does not work anyway. Dynamic binaries help building errata, reduce disk usage and make ROP harder. Also remove an unused bsd.subdir.mk include. OK sthen@ mvs@ deraadt@ tobhe@ patrick@
2021-01-28 | Extern transport_list. Fixed compilation with -fno-common. | mortimer
    ok deraadt@
2020-07-07 | Fix shared DH secret length in log message. | tobhe
    ok patrick@
2020-01-24 | Fix isakmpd monitor process to use the exit status of main process when exiting. | YASUOKA Masahiko
    "make sense" deraadt
2019-12-19 | The previous fix for creating isakmpd(8) IKE pcap file, weakened the path sanitizer in the privsep parent. | Alexander Bluhm
    Bring back the checks in a way that works with new realpath(3). tested and OK hshoexer@
2019-12-10 | If a file or directory component does not exist, realpath(3) returns ENOENT. | Alexander Bluhm
    In this case, try to open(2) the path. Then a non-existing file will be created, but a missing directory component still causes an error. This fixes isakmpd(8) IKE pcap file creation. from hshoexer@
2019-11-29 | Change the default security level for incoming IPsec flows from isakmpd and iked to REQUIRE. | tobhe
    Filter policy violations earlier. ok sashan@ bluhm@
2019-11-14 | Do not print misleading error message about permission error for non-existing isakmpd.conf(5) file. | Alexander Bluhm
    This was a result of the changed realpath(3) behavior. Now isakmpd(8) uses the errno from the system. reported by igor kos; OK deraadt@
2019-08-30 | mop up for the pcap.3 rename; | Jason McIntyre
    help/ok deraadt
2019-07-03 | snprintf/vsnprintf return < 0 on error, rather than -1. | Theo de Raadt
2019-06-28 | When system calls indicate an error they return -1, not some arbitrary value < 0. | Theo de Raadt
    errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-02-19 | oops, bad Pp snuck in; | Jason McIntyre
2019-02-18 | Rework the certificate generation examples a bit: | Stuart Henderson
    - show an example sed to substitute the $ENV::CERTIP/CERTFQDN strings while copying /etc/ssl/x509v3.cnf to a temp file
    - don't use /etc/ssl/x509v3.cnf on the command line when we've just told people to copy and edit
    - fix an instance of CERTIP that should have been CERTFQDN
    based on diffs from Sevan Janiyan, feedback/ok jmc@
2019-01-22 | PF_ROUTE -> AF_ROUTE in the scattered sock()/setsockopt() calls where the "wrong" #define was used. | Kenneth R Westerback
    ok dlg@
2018-09-20 | add missing braces implied by indentation | Jonathan Gray
    ok millert@ mpi@
2018-04-17 | Document how to avoid isakmpd(8) source IP address pitfalls by using the Listen-on directive in isakmpd.conf(5). | Stefan Sperling
    This directive can be necessary in multi-homed situations, and if isakmpd(8) is used with carp(4). ok sthen@ mpi@
2018-01-15 | Spacing, no object change. | Martin Pieuchot
2018-01-04 | space -> tab | Martin Pieuchot
    No object change.
2017-12-07 | Set the correct ENCAPSULATION_MODE when doing NAT-T. | Martin Pieuchot
    Fix at least interoperability with Cisco when isakmpd(8) is initiating the connections, originally reported by sebastia@ in 2014. Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
2017-12-05 | Use clock_gettime(CLOCK_MONOTONIC) to schedule timers | Jeremie Courreges-Anglas
    From Scott Cheloha, ok tb@