path: root/sbin
Age  Author  Commit message
2010-06-29  Reyk Floeter
    Replace enc(4) with a new implementation as a cloner device. We still
    create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
2010-06-29  Reyk Floeter
    add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
    alternative to X.509 CA verification. this will be needed to support public key authentication like isakmpd does; a few bits are still missing.
2010-06-29  Reyk Floeter
    Replace the hand-crafted Diffie-Hellman implementation in isakmpd with
    the smaller implementation from iked that is using libcrypto instead. This allows to remove a lot of code (which is always good), get rid of some custom crypto code by using libcrypto, theoretically adds support for many new MODP and EC2N/ECP modes (but it is not configurable yet), and allows to share the dh.c/dh.h code in different codebases (it is identical in isakmpd and iked, but could also be used elsewhere). ok deraadt@
2010-06-29  Reyk Floeter
    Add missing frees.
2010-06-29  Charles Longeau
    Fix use after free. Found by regress tests.
    ok henning@ krw@
2010-06-29  Ted Unangst
    list kern.rthreads as a knob you can but shouldn't turn
2010-06-28  Ryan Thomas McBride
    Clean up interface stats handling:
    - 'make -Fi' reset ALL the interface statistics, can be restricted with -i ifname
    - 'make -Fa -i ifname' fail (it's meaningless)
    - get rid of a silly little struct that's only used for one thing
    ok henning
2010-06-28  Mats O Jansson
    A long time ago when wsconsctl was written it expected that ksym was unique.
    That isn't the case. eg thorn, Cyrillic_CHE, L2_tcedilla, L5_scedilla and L7_zcaron have the same (0xfe). So you have a 20% chance to get the right output from wsconsctl. Use the ksym name to decide which ksyms aren't Latin-1. Store that information in the ksym tables. Then use the keyboard encoding to make an educated guess of which character to return. Let's say your encoding is pl. You have Latin-2 characters in the map. Then check first for Latin-2 characters; if none are found, try Latin-1. ok miod@ -moj
2010-06-27  Jason McIntyre
    tweak previous; ok claudio
2010-06-27  Philip Guenthe
    Make 'route exec' emit error messages like xargs does when execve() fails.
    ok claudio@
2010-06-27  Reyk Floeter
    When a peer requests a certificate from the local gateway, we first
    lookup a cert from /etc/iked/certs/ that is signed by a requested CA. As a second step we also compare the subjectAltName of any found certificate now to match the local srcid; this allows to have multiple certs for the same CA but different srcids in the certs/ directory but enforces that the subjectAltName has to be set correctly. requested by jsg@
2010-06-27  Reyk Floeter
    fix possible double free of the initiator cert
2010-06-27  Reyk Floeter
    fix the length check for ASN1_ID Ids.
2010-06-27  Reyk Floeter
    Verify that the subjectAltName extension is present and matches the
    peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it with the certificate subjectName (DN). This prevents the peer from using an arbitrary peer Id (it is signed by the CA in the cert) and qualifies the optional pf tag.
2010-06-27  Reyk Floeter
    Instead of modifying and fiddling with the IKE SA in the payload
    parsing routines directly, first parse the message and save the parsed elements in the temporary message struct before validating the information and taking any other actions on the actual SA. This needs more testing, but is the cleaner and better approach.
2010-06-27  Reyk Floeter
    print the required bits as a string
2010-06-27  Reyk Floeter
    cycle static buffers in print_bits()
2010-06-26  Kenneth R Westerback
    malloc/strlcpy -> strdup. Apparently I forgot to commit this one with
    the similar changes to dhcpd.
2010-06-26  Kenneth R Westerback
    Whitespace.
2010-06-26  Reyk Floeter
    revert the files that have been accidentally committed with my
    previous parse.y change.
2010-06-26  Claudio Jeker
    Add a way to enable and set the keepalive parameters for gre(4).
    OK deraadt, reyk
2010-06-26  Reyk Floeter
    mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch
2010-06-26  Reyk Floeter
    Include the Id type in the generated SA tag that is passed to the
    kernel, just like isakmpd does it. In difference to isakmpd, the Id type is printed in capital letters, eg. FQDN/foo.example.com, because it is using the existing print_map() API. For consistency, rename a few Id types in grammar and code from the RFC-names to the OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just IPV4, DER_ASN1_DN to ASN1_DN etc.
2010-06-26  Peter Hessler
    allow a user to set a -c count of 0.
    while here, change ping6 to use strtonum instead of strtol. OK claudio@
2010-06-25  Henning Brauer
    remove -m (merge).
    it is violating the transactional model we have and made stronger in pf, it is broken in some cases and since some options are passed to the kernel while some are userland only and affect how the rules are parsed it is complete bullshit anyway - obviously, changing options that affect ruleset parsing without reloading and thus reparsing the ruleset cannot work. so stop pretending it could and cut the crap. ok dlg krw deraadt
2010-06-24  Reyk Floeter
    unbreak the ikectl log verbose/brief commands.
2010-06-23  Reyk Floeter
    rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
    ec521 -> ecp521). this matches the common naming for ec groups better.
2010-06-23  Reyk Floeter
    further cleanup of the dh code:
    - remove dh_selftest(), this should go into regress somewhere
    - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
2010-06-22  Darren Tucker
    rename devname->devicename to prevent shadowing devname(3). ok marco jsing
2010-06-18  Joel Sing
    Make bioctl(8) disklabel UID friendly by attempting to open the device
    using opendev(3) first and then trying /dev/bio if that failed. Also use opendev(3) when getting device numbers for softraid. ok marco@
2010-06-15  Joel Sing
    When fsck_ffs is used with disklabel UIDs the hot root test fails in
    blockcheck() since we try to stat() the UID. This means that we fail to reload the mount if we have indeed cleaned the read-only root file system. To avoid this, rerun blockcheck() if the real name is different to the original device name, once we have opened the device with opendev(3). ok krw@ thib@
2010-06-15  Reyk Floeter
    fix keyword sort order
2010-06-15  Reyk Floeter
    only compare the SPIi in the SA tree
2010-06-14  Reyk Floeter
    check if cert is available and valid
2010-06-14  Reyk Floeter
    Initiator mode with certificates; needs more work but works.
2010-06-14  Reyk Floeter
    Initial support for initiator mode which allows to run iked as a
    "client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests...
2010-06-14  Reyk Floeter
    the ikesa prf config option is currently broken
2010-06-14  Reyk Floeter
    fix block length for AES
2010-06-14  Reyk Floeter
    fix EAP responder mode
2010-06-14  Reyk Floeter
    NAT detection again: make it work in initiator and responder mode
2010-06-14  Reyk Floeter
    remove policy lookup debug message
2010-06-14  Reyk Floeter
    NAT detection with SPIr is always 0
2010-06-14  Reyk Floeter
    restructure code a bit to move closer to initiator mode:
    - split responder/initiator-specific code into different functions and use shared functions for common stuff.
    - first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly.
2010-06-14  Reyk Floeter
    cleanup messages and parsed information correctly
2010-06-14  Reyk Floeter
    add define for saproto 0
2010-06-14  Reyk Floeter
    More code for initiator mode (not finished yet)
2010-06-11  Reyk Floeter
    add some infrastructure to support timers and initiator mode later.
2010-06-11  Jonathan Gray
    tweak the code slightly so we can remove -lssl
    ok reyk@
2010-06-10  Reyk Floeter
    don't print keywords as underlined arguments.
2010-06-10  Reyk Floeter
    update usage()