Revision 1.38  24-Jan-2024  tobhe

Use per-connection peerid for control replies instead of 'broadcasting' replies for 'ikectl show sa' and similar control requests. We now assign a unique peerid to each request and pass this peerid between the processes so the reply can be sent on the matching connection.
from markus@

Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE

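As an added illustration of the routing change this entry describes (example code written for this page, not iked's own control.c, which does the same thing on top of imsg and libevent): a minimal model of the control process keeps its client connections in a TAILQ, tags each request with a peerid that is unique among requests still in flight, and uses the peerid echoed back in the reply to find the one connection to answer. The struct and function names (ctl_conn, ctl_msg, control_request, control_reply) are hypothetical. demo_concurrent_show_sa() contrasts the new behaviour with the old broadcast: two clients issuing 'ikectl show sa' at the same time each get exactly one reply instead of both.

```c
#include <sys/queue.h>
#include <stdint.h>
#include <stdlib.h>

/* One ikectl(8) client on the control socket (hypothetical layout). */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint32_t		 peerid;	/* request in flight, 0 = none */
	unsigned int		 replies;	/* replies this client received */
};
TAILQ_HEAD(ctl_conns, ctl_conn);
static struct ctl_conns	 ctl_conns = TAILQ_HEAD_INITIALIZER(ctl_conns);
static uint32_t		 ctl_next_peerid;

/* Header of what crosses the imsg pipe; the IKEv2 side echoes peerid. */
struct ctl_msg {
	uint32_t	 peerid;
};

struct ctl_conn *
control_connopen(void)
{
	struct ctl_conn *c = calloc(1, sizeof(*c));

	if (c != NULL)
		TAILQ_INSERT_TAIL(&ctl_conns, c, entry);
	return (c);
}

void
control_connclose(struct ctl_conn *c)
{
	TAILQ_REMOVE(&ctl_conns, c, entry);
	free(c);
}

struct ctl_conn *
control_connbypeerid(uint32_t peerid)
{
	struct ctl_conn *c;

	TAILQ_FOREACH(c, &ctl_conns, entry)
		if (peerid != 0 && c->peerid == peerid)
			return (c);
	return (NULL);
}

/* Tag a request with a peerid unique among requests still in flight. */
void
control_request(struct ctl_conn *c, struct ctl_msg *req)
{
	do {
		ctl_next_peerid++;	/* may wrap; 0 is reserved for "none" */
	} while (ctl_next_peerid == 0 ||
	    control_connbypeerid(ctl_next_peerid) != NULL);
	c->peerid = req->peerid = ctl_next_peerid;
}

/* New: deliver only to the matching client; 0 if it already went away. */
int
control_reply(const struct ctl_msg *rep)
{
	struct ctl_conn *c = control_connbypeerid(rep->peerid);

	if (c == NULL)
		return (0);	/* drop rather than misroute */
	c->replies++;
	c->peerid = 0;	/* request done, id may be reused */
	return (1);
}

/*
 * Two clients run 'ikectl show sa' at the same time. Returns how many
 * replies the first client saw: 1 with peerid routing, 2 with the old
 * broadcast, where each client also received the other one's answer.
 */
unsigned int
demo_concurrent_show_sa(int use_peerid)
{
	struct ctl_conn *a = control_connopen(), *b = control_connopen(), *c;
	struct ctl_msg req[2], rep[2];
	unsigned int seen;
	int i;

	control_request(a, &req[0]);
	control_request(b, &req[1]);
	for (i = 0; i < 2; i++) {
		rep[i].peerid = req[i].peerid;	/* echoed by the IKEv2 process */
		if (use_peerid)
			control_reply(&rep[i]);
		else	/* old behaviour: every client gets every reply */
			TAILQ_FOREACH(c, &ctl_conns, entry)
				c->replies++;
	}
	seen = a->replies;
	control_connclose(a);
	control_connclose(b);
	return (seen);
}
```

The stale case is the one that matters for safety: if a client hangs up before the IKEv2 process answers, control_reply() finds no connection for the peerid and drops the message instead of writing it to whichever client happens to be connected now. Reusing an id only after its request has completed keeps that lookup unambiguous even after the 32-bit counter wraps.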
Revision 1.37  08-Mar-2023  guenther

Delete obsolete /* ARGSUSED */ lint comments.
ok miod@ millert@

Revision 1.36  05-Mar-2023  tobhe

Fix clean process shutdown by storing env globally like vmd and httpd do instead of getting it from p_ps. The old approach does not work anymore after the recent fork + exec update.
ok patrick@

Revision 1.35  04-Mar-2023  tobhe

Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector.
ok bluhm@ patrick@

Revision 1.34  04-Dec-2022  tobhe

Rename sun to s_un for portability.
ok patrick@

Revision tags: OPENBSD_7_2_BASE

Revision 1.33  19-Sep-2022  tobhe

Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@ from and ok markus@

Revision tags: OPENBSD_7_1_BASE

Revision 1.32  21-Nov-2021  tobhe

Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates.
ok markus@

Revision tags: OPENBSD_7_0_BASE

Revision 1.31  20-Apr-2021  dv

Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separately from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@

Revision tags: OPENBSD_6_9_BASE

Revision 1.30  09-Oct-2020  tobhe

More unused headers.

Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE

Revision 1.29  03-Apr-2020  tobhe

Don't fall through in the IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@

Revision 1.28  22-Mar-2020  tobhe

Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@

Revision 1.27  18-Mar-2020  tobhe

Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@

Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE

Revision 1.26  06-Aug-2018  mestre

Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets causes no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@

Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE

Revision 1.25  17-Jan-2017  krw

Nuke some whitespace that keeps poking me in the eye as I try to steal code.

Revision 1.24  09-Jan-2017  reyk

Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Revision 1.23  09-Jan-2017  krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@

Revision 1.22  04-Sep-2016  reyk

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@

Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE

Revision 1.21  05-Dec-2015  claudio

EAGAIN handling for imsg_read. OK henning@ benno@

Revision 1.20  23-Nov-2015  reyk

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@

Revision 1.19  22-Oct-2015  reyk

iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@

Revision 1.18  19-Oct-2015  reyk

Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.

Revision 1.17  19-Oct-2015  reyk

Remove the ikev1 stub - Since I started iked, it has had an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day (I never intended to implement IKEv1 myself) or add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@

Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE

Revision 1.16  16-Jan-2015  deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)

Revision tags: OPENBSD_5_6_BASE

Revision 1.15  03-Jun-2014  yasuoka

Handle the event parameter of the libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk

Revision 1.14  22-Apr-2014  reyk

Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@

Revision tags: OPENBSD_5_5_BASE

Revision 1.13  15-Nov-2013  mikeb

Cope with the EAGAIN API change for msgbuf_write()

Revision tags: OPENBSD_5_4_BASE

Revision 1.12  21-Mar-2013  deraadt

remove excessive includes

Revision 1.11  11-Mar-2013  deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be ignored silently and without aborting, much like EINTR and EWOULDBLOCK are. ok's from various maintainers of these directories...

Revision tags: OPENBSD_5_3_BASE

Revision 1.10  08-Jan-2013  reyk

Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.9  18-Sep-2012  reyk

update email addresses to match reality. sure jsg@ mikeb@

Revision tags: OPENBSD_5_2_BASE

Revision 1.8  05-Apr-2012  deraadt

rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb

Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE

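The three accept(2) concerns in entries 1.20, 1.11 and 1.8 (non-blocking sockets requested with SOCK_NONBLOCK, ECONNABORTED treated like EINTR and EWOULDBLOCK, and backing off while descriptors are exhausted) put together in one added example; this is not iked's own code. The listener struct, accept_errno_action() and control_accept_once() are hypothetical; the real control.c hangs this off libevent and re-arms accepting from a timer, which is reduced here to a paused flag. It assumes a Linux or BSD libc that defines SOCK_NONBLOCK and a writable /tmp, and calls accept(2) rather than accept4(2) only because glibc declares accept4 under _GNU_SOURCE.

```c
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* What to do after a failed accept(2): ignore, back off, or give up. */
enum accept_action { ACCEPT_OK, ACCEPT_IGNORE, ACCEPT_PAUSE, ACCEPT_FATAL };

enum accept_action
accept_errno_action(int err)
{
	switch (err) {
	case EINTR:
	case EWOULDBLOCK:	/* same value as EAGAIN on Linux and the BSDs */
	case ECONNABORTED:	/* peer went away while queued; nothing to do */
		return (ACCEPT_IGNORE);
	case EMFILE:		/* per-process descriptor limit */
	case ENFILE:		/* system-wide descriptor table full */
		return (ACCEPT_PAUSE);
	default:
		return (ACCEPT_FATAL);
	}
}

/* Hypothetical listener state; iked keeps this in libevent structures. */
struct ctl_listener { int fd; int paused; /* paused until the timer fires */ };

/* One accept attempt. On exhaustion the listener pauses itself instead of
 * spinning on EMFILE; the pending client stays queued in the kernel. */
enum accept_action
control_accept_once(struct ctl_listener *l, int *newfd)
{
	enum accept_action a;
	int fd;

	if (l->paused)
		return (ACCEPT_PAUSE);
	if ((fd = accept(l->fd, NULL, NULL)) == -1) {
		a = accept_errno_action(errno);
		if (a == ACCEPT_PAUSE)
			l->paused = 1;	/* control.c arms an evtimer here */
		return (a);
	}
	*newfd = fd;
	return (ACCEPT_OK);
}

/* Drive the listener through four states on a real AF_UNIX socket; returns
 * one letter per step (O, I, P or F), "IOPO" expected. Exhaustion is made by
 * lowering the soft RLIMIT_NOFILE to the lowest free descriptor. */
const char *
demo_accept_sequence(void)
{
	static char seq[8];
	struct ctl_listener l = { -1, 0 };
	struct sockaddr_un s_un;
	struct rlimit saved, low;
	int c1, c2, newfd = -1, probe, n = 0;

	memset(&s_un, 0, sizeof(s_un));
	s_un.sun_family = AF_UNIX;
	snprintf(s_un.sun_path, sizeof(s_un.sun_path),
	    "/tmp/ctl-demo-%ld.sock", (long)getpid());
	unlink(s_un.sun_path);
	l.fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0);
	if (l.fd == -1 ||
	    bind(l.fd, (struct sockaddr *)&s_un, sizeof(s_un)) == -1 ||
	    listen(l.fd, 5) == -1)
		return ("setup failed");
	/* 1. nobody connected: the non-blocking accept yields EWOULDBLOCK */
	seq[n++] = "OIPF"[control_accept_once(&l, &newfd)];
	/* 2. a client connects and is accepted */
	c1 = socket(AF_UNIX, SOCK_STREAM, 0);
	connect(c1, (struct sockaddr *)&s_un, sizeof(s_un));
	seq[n++] = "OIPF"[control_accept_once(&l, &newfd)];
	close(newfd);
	/* 3. second client pending but no free descriptor: EMFILE, pause */
	c2 = socket(AF_UNIX, SOCK_STREAM, 0);
	connect(c2, (struct sockaddr *)&s_un, sizeof(s_un));
	getrlimit(RLIMIT_NOFILE, &saved);
	probe = dup(l.fd); close(probe);	/* lowest free descriptor number */
	low = saved; low.rlim_cur = probe;
	setrlimit(RLIMIT_NOFILE, &low);
	seq[n++] = "OIPF"[control_accept_once(&l, &newfd)];
	/* 4. "timer fires": limit restored, accepting resumes, c2 is drained */
	setrlimit(RLIMIT_NOFILE, &saved);
	l.paused = 0;
	seq[n++] = "OIPF"[control_accept_once(&l, &newfd)];
	seq[n] = '\0';
	close(newfd); close(c1); close(c2); close(l.fd);
	unlink(s_un.sun_path);
	return (seq);
}
```

demo_accept_sequence() exercises a real socket: the first accept with nobody connected returns EWOULDBLOCK and is ignored, a connected client is accepted, then the soft RLIMIT_NOFILE is lowered to the lowest free descriptor so the next accept fails with EMFILE and the listener pauses; once the limit is restored and the "timer" resumes accepting, the client that stayed queued in the kernel is drained. Without the pause a libevent loop would keep waking on the readable listener and fail accept on every iteration, which is the spin the rate-limit in 1.8 prevents.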
Revision 1.7  09-May-2011  reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.

Revision 1.6  05-May-2011  reyk

Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.

Revision tags: OPENBSD_4_9_BASE

Revision 1.5  22-Dec-2010  reyk

Fix a little control socket bug, as discussed with mikeb@

Revision 1.4  21-Dec-2010  mikeb

fixup log_warn and log_debug arguments; ok reyk

Revision tags: OPENBSD_4_8_BASE

Revision 1.3  24-Jun-2010  reyk

unbreak the ikectl log verbose/brief commands.

Revision 1.2  10-Jun-2010  reyk

add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.

Revision 1.1  03-Jun-2010  reyk

Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@

|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.33 |
|
19-Sep-2022 |
tobhe |
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@ from and ok markus@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.32 |
|
21-Nov-2021 |
tobhe |
Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates.
ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.31 |
|
20-Apr-2021 |
dv |
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.30 |
|
09-Oct-2020 |
tobhe |
More unused headers.
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.29 |
|
03-Apr-2020 |
tobhe |
Don't fallthrough in IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.28 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.27 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.26 |
|
06-Aug-2018 |
mestre |
Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets cause no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.25 |
|
17-Jan-2017 |
krw |
Nuke some whitespace that keeps poking me in the eye as I try to steal code.
|
#
1.24 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.23 |
|
09-Jan-2017 |
krw |
Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
#
1.22 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.21 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.20 |
|
23-Nov-2015 |
reyk |
Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
#
1.19 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.18 |
|
19-Oct-2015 |
reyk |
Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.
|
#
1.17 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.15 |
|
03-Jun-2014 |
yasuoka |
Handle the event parameter of libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk
|
#
1.14 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.13 |
|
15-Nov-2013 |
mikeb |
Cope with the EAGAIN API change for msgbuf_write()
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.12 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
#
1.11 |
|
11-Mar-2013 |
deraadt |
handle ECONNABORTED errors from accept(). In many code blocks they can be ignored silently and without aborting, much like EINTR and EWOULDBLOCK are. ok's from various maintainers of these directories...
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.8 |
|
05-Apr-2012 |
deraadt |
rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.7 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.6 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
22-Dec-2010 |
reyk |
Fix a little control socket bug, as discussed with mikeb@
|
#
1.4 |
|
21-Dec-2010 |
mikeb |
fixup log_warn and log_debug arguments; ok reyk
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.3 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.2 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.32 |
|
21-Nov-2021 |
tobhe |
Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates.
ok markus@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.31 |
|
20-Apr-2021 |
dv |
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.30 |
|
09-Oct-2020 |
tobhe |
More unused headers.
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.29 |
|
03-Apr-2020 |
tobhe |
Don't fallthrough in IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.28 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.27 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.26 |
|
06-Aug-2018 |
mestre |
Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets cause no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.25 |
|
17-Jan-2017 |
krw |
Nuke some whitespace that keeps poking me in the eye as I try to steal code.
|
#
1.24 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.23 |
|
09-Jan-2017 |
krw |
Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
#
1.22 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.21 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.20 |
|
23-Nov-2015 |
reyk |
Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
#
1.19 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.18 |
|
19-Oct-2015 |
reyk |
Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.
|
#
1.17 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.15 |
|
03-Jun-2014 |
yasuoka |
Handle the event parameter of libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk
|
#
1.14 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.13 |
|
15-Nov-2013 |
mikeb |
Cope with the EAGAIN API change for msgbuf_write()
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.12 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
#
1.11 |
|
11-Mar-2013 |
deraadt |
handle ECONNABORTED errors from accept(). In many code blocks they can be ignored silently and without aborting, much like EINTR and EWOULDBLOCK are. ok's from various maintainers of these directories...
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.8 |
|
05-Apr-2012 |
deraadt |
rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.7 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.6 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
22-Dec-2010 |
reyk |
Fix a little control socket bug, as discussed with mikeb@
|
#
1.4 |
|
21-Dec-2010 |
mikeb |
fixup log_warn and log_debug arguments; ok reyk
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.3 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.2 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.31 |
|
20-Apr-2021 |
dv |
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.30 |
|
09-Oct-2020 |
tobhe |
More unused headers.
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.29 |
|
03-Apr-2020 |
tobhe |
Don't fallthrough in IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.28 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.27 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.26 |
|
06-Aug-2018 |
mestre |
Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets cause no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.25 |
|
17-Jan-2017 |
krw |
Nuke some whitespace that keeps poking me in the eye as I try to steal code.
|
#
1.24 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.23 |
|
09-Jan-2017 |
krw |
Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
#
1.22 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.21 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.20 |
|
23-Nov-2015 |
reyk |
Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
#
1.19 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.18 |
|
19-Oct-2015 |
reyk |
Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.
|
#
1.17 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.15 |
|
03-Jun-2014 |
yasuoka |
Handle the event parameter of libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk
|
#
1.14 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.13 |
|
15-Nov-2013 |
mikeb |
Cope with the EAGAIN API change for msgbuf_write()
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.12 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
#
1.11 |
|
11-Mar-2013 |
deraadt |
handle ECONNABORTED errors from accept(). In many code blocks they can be ignored silently and without aborting, much like EINTR and EWOULDBLOCK are. ok's from various maintainers of these directories...
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.8 |
|
05-Apr-2012 |
deraadt |
rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.7 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.6 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
22-Dec-2010 |
reyk |
Fix a little control socket bug, as discussed with mikeb@
|
#
1.4 |
|
21-Dec-2010 |
mikeb |
fixup log_warn and log_debug arguments; ok reyk
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.3 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.2 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.30 |
|
09-Oct-2020 |
tobhe |
More unused headers.
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.29 |
|
03-Apr-2020 |
tobhe |
Don't fallthrough in IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.28 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.27 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.26 |
|
06-Aug-2018 |
mestre |
Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets cause no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.25 |
|
17-Jan-2017 |
krw |
Nuke some whitespace that keeps poking me in the eye as I try to steal code.
|
#
1.24 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.23 |
|
09-Jan-2017 |
krw |
Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
#
1.22 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.21 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.20 |
|
23-Nov-2015 |
reyk |
Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
#
1.19 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.18 |
|
19-Oct-2015 |
reyk |
Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.
|
#
1.17 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.15 |
|
03-Jun-2014 |
yasuoka |
Handle the event parameter of libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk
|
#
1.14 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.13 |
|
15-Nov-2013 |
mikeb |
Cope with the EAGAIN API change for msgbuf_write()
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.12 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
#
1.11 |
|
11-Mar-2013 |
deraadt |
handle ECONNABORTED errors from accept(). In many code blocks they can be ignored silently and without aborting, much like EINTR and EWOULDBLOCK are. ok's from various maintainers of these directories...
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.8 |
|
05-Apr-2012 |
deraadt |
rate-limit accepting of new connections while we are experiencing fd exhaustion. ok mikeb
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.7 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.6 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
22-Dec-2010 |
reyk |
Fix a little control socket bug, as discussed with mikeb@
|
#
1.4 |
|
21-Dec-2010 |
mikeb |
fixup log_warn and log_debug arguments; ok reyk
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.3 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.2 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.29 |
|
03-Apr-2020 |
tobhe |
Don't fallthrough in IMSG_CTL_RESET_ID case.
From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.28 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.27 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.26 |
|
06-Aug-2018 |
mestre |
Remove cpath pledge(2) promise. We decided that not deleting the unix control sockets causes no harm and this way we close another attack surface by not allowing the daemon to create/delete any more files.
OK kn@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.25 |
|
17-Jan-2017 |
krw |
Nuke some whitespace that keeps poking me in the eye as I try to steal code.
|
#
1.24 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.23 |
|
09-Jan-2017 |
krw |
Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with TAILQ_FOREACH().
No intentional functional change.
ok reyk@
|
#
1.22 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.21 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.20 |
|
23-Nov-2015 |
reyk |
Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls with the SOCK_NONBLOCK flag to socket() and accept4().
OK claudio@ jung@
|
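An added example, written for this page rather than taken from iked or any other OpenBSD daemon, of the accept handling that the 1.8, 1.11 and 1.20 commits above describe: transient failures (EINTR, EWOULDBLOCK, ECONNABORTED) are ignored, descriptor exhaustion (ENFILE/EMFILE) pauses accepting for a while instead of letting the event loop spin on a listener it can never drain, and the client socket is made non-blocking by accept4() itself rather than by a later fcntl(). The names ctl_listener, ctl_classify_accept_errno, ctl_accept_once, ctl_accept_pause and ctl_accept_resume and the timer bookkeeping are invented here; a libevent daemon would call event_del() and evtimer_add() where this code records a resume time.

```c
/*
 * Added example, not iked's code: accept handling for a unix-domain
 * control socket.  All ctl_* names are invented for this illustration.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE		/* glibc hides accept4() without this */
#endif
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>

#if defined(__GLIBC__) && !defined(__USE_GNU)
/* <sys/socket.h> was read before _GNU_SOURCE took effect: declare accept4(). */
int accept4(int, struct sockaddr *, socklen_t *, int);
#endif

enum ctl_accept_action {
	CTL_ACCEPT_OK,		/* *clientfd holds a new, non-blocking connection */
	CTL_ACCEPT_RETRY,	/* EINTR, EWOULDBLOCK or ECONNABORTED: nothing to do */
	CTL_ACCEPT_PAUSE,	/* ENFILE/EMFILE: stop polling the listener for a while */
	CTL_ACCEPT_FATAL	/* any other errno: log it */
};

struct ctl_listener {
	int		fd;		/* listening socket */
	int		paused;		/* 1 while accepting is switched off */
	struct timespec	resume_at;	/* monotonic time at which to resume */
};

/*
 * accept(2) failures fall into three classes.  ECONNABORTED only means the
 * peer went away between the listen queue and accept() and is as harmless
 * as EINTR or a spurious wakeup.  Running out of descriptors is not: a
 * readable listener that can never be drained makes the event loop spin.
 */
enum ctl_accept_action
ctl_classify_accept_errno(int err)
{
	if (err == EINTR || err == EWOULDBLOCK || err == EAGAIN ||
	    err == ECONNABORTED)
		return CTL_ACCEPT_RETRY;
	if (err == ENFILE || err == EMFILE)
		return CTL_ACCEPT_PAUSE;
	return CTL_ACCEPT_FATAL;
}

/* Rate limit: switch accepting off until now + pause_seconds. */
void
ctl_accept_pause(struct ctl_listener *l, const struct timespec *now,
    int pause_seconds)
{
	l->resume_at = *now;
	l->resume_at.tv_sec += pause_seconds;
	l->paused = 1;
}

/* Timer callback: returns 1 once the listener may be polled again. */
int
ctl_accept_resume(struct ctl_listener *l, const struct timespec *now)
{
	if (l->paused &&
	    (now->tv_sec > l->resume_at.tv_sec ||
	    (now->tv_sec == l->resume_at.tv_sec &&
	    now->tv_nsec >= l->resume_at.tv_nsec)))
		l->paused = 0;
	return !l->paused;
}

/*
 * One accept attempt.  SOCK_NONBLOCK is requested in accept4() itself, so
 * the client fd is never blocking, not even briefly before an fcntl();
 * SOCK_CLOEXEC keeps it from leaking into an exec'd child.
 */
enum ctl_accept_action
ctl_accept_once(struct ctl_listener *l, const struct timespec *now,
    int pause_seconds, int *clientfd)
{
	struct sockaddr_un	 s_un;
	socklen_t		 len = sizeof(s_un);
	enum ctl_accept_action	 act;
	int			 fd;

	*clientfd = -1;
	fd = accept4(l->fd, (struct sockaddr *)&s_un, &len,
	    SOCK_NONBLOCK | SOCK_CLOEXEC);
	if (fd != -1) {
		*clientfd = fd;
		return CTL_ACCEPT_OK;
	}
	act = ctl_classify_accept_errno(errno);
	if (act == CTL_ACCEPT_PAUSE)
		ctl_accept_pause(l, now, pause_seconds);
	else if (act == CTL_ACCEPT_FATAL)
		perror("accept4");
	return act;
}
```

Both ctl_accept_once() and ctl_accept_resume() take the current time as a parameter so the pause logic is deterministic and testable; a daemon would pass clock_gettime(CLOCK_MONOTONIC) or let its timer library fire the resume.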
#
1.19 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
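The 1.19 message above relies on the privileged parent handing already-open PFKEYv2 and UDP sockets to the restricted child processes, which is what lets those children be pledged without the ability to open such sockets themselves. An added example of that mechanism, not iked's own code (iked sends descriptors through the imsg framework, which wraps the same system calls): one descriptor is sent over a unix socket as an SCM_RIGHTS control message and arrives as a new descriptor number referring to the same open file. fd_send(), fd_recv() and fd_pass_selftest() are names invented here.

```c
/*
 * Added example, not iked's code: descriptor passing over a unix socket
 * with SCM_RIGHTS.  fd_send(), fd_recv(), fd_pass_selftest() are invented.
 */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>

union fd_cmsg {
	struct cmsghdr	hdr;			/* forces cmsghdr alignment */
	unsigned char	buf[CMSG_SPACE(sizeof(int))];
};

/* Send fd over the unix socket sock; returns 0 on success, -1 on error. */
int
fd_send(int sock, int fd)
{
	union fd_cmsg	 cmsgbuf;
	struct msghdr	 msg;
	struct cmsghdr	*cmsg;
	struct iovec	 iov;
	char		 dummy = 0;	/* at least one data byte must travel */

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
	iov.iov_base = &dummy;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = &cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/*
 * Receive one descriptor; returns the new fd or -1.  The receiver checks
 * that the control message really is an SCM_RIGHTS of the expected size
 * before trusting its payload.
 */
int
fd_recv(int sock)
{
	union fd_cmsg	 cmsgbuf;
	struct msghdr	 msg;
	struct cmsghdr	*cmsg;
	struct iovec	 iov;
	char		 dummy;
	int		 fd = -1;

	memset(&msg, 0, sizeof(msg));
	iov.iov_base = &dummy;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = &cmsgbuf;
	msg.msg_controllen = sizeof(cmsgbuf);

	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET &&
		    cmsg->cmsg_type == SCM_RIGHTS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
			memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
			break;
		}
	}
	return fd;
}

/*
 * Smoke test: pass the read end of a pipe across a socketpair and verify
 * the received descriptor is the same open file (same device and inode)
 * and that a byte written to the pipe arrives on it.  Returns 1 on success.
 */
int
fd_pass_selftest(void)
{
	int		sv[2], p[2], rfd = -1, ok = 0;
	struct stat	a, b;
	char		c = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return 0;
	if (pipe(p) == -1)
		goto out_sv;
	if (fd_send(sv[0], p[0]) == -1 || (rfd = fd_recv(sv[1])) == -1)
		goto out_p;
	if (fstat(p[0], &a) == 0 && fstat(rfd, &b) == 0 &&
	    a.st_dev == b.st_dev && a.st_ino == b.st_ino &&
	    write(p[1], "x", 1) == 1 && read(rfd, &c, 1) == 1 && c == 'x')
		ok = 1;
	close(rfd);
out_p:
	close(p[0]);
	close(p[1]);
out_sv:
	close(sv[0]);
	close(sv[1]);
	return ok;
}
```

In a privilege-separated daemon the sending side is the parent, which keeps the right to open raw or PFKEYv2 sockets, and the receiving side is a child that has already dropped privileges and pledged; the child ends up with a usable socket without ever holding the capability to create one.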
#
1.18 |
|
19-Oct-2015 |
reyk |
Fix control_imsg_forward() by changing imsg_compose() to imsg_compose_event(). This was done by pyr@ in relayd/control.c -r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other daemons that imported control.c.
|
#
1.17 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has had an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day (I never intended to implement IKEv1 myself) or add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.15 |
|
03-Jun-2014 |
yasuoka |
Handle the event parameter of libevent callback function as a bit mask. Also remove redundant imsg_event_add calls. Fixes come from usr.sbin/ospfd/control.c
ok reyk
|
#
1.14 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|