Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Rename sun to s_un for portability.

ok patrick@

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Rename sun to s_un for portability.

ok patrick@

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Rename sun to s_un for portability.

ok patrick@

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Rename sun to s_un for portability.

ok patrick@

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.

ok bluhm@, tb@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

More unused headers.

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Don't fallthrough in IMSG_CTL_RESET_ID case.

From Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp>
ok patrick@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()

remove excessive includes

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Fix a little control socket bug, as discussed with mikeb@

fixup log_warn and log_debug arguments; ok reyk

unbreak the ikectl log verbose/brief commands.

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Nuke some whitespace that keeps poking me in the eye as I try to
steal code.

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@

Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing
"ikectl log verbose" and keeps the control process separated from the
cert process.

Thanks for the bug report to Wouter Clarie

OK vgross@

EAGAIN handling for imsg_read. OK henning@ benno@

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Fix control_imsg_forward() by changing imsg_compose() to
imsg_compose_event(). This was done by pyr@ in relayd/control.c
-r1.32 (2009/06/05, ok eric@) but somehow didn't slip into other
daemons that imported control.c.

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Handle the event parameter of libevent callback function as a bit
mask. Also remove redundant imsg_event_add calls. Fixes come from
usr.sbin/ospfd/control.c

ok reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Cope with the EAGAIN API change for msgbuf_write()