#
1.183 |
|
07-Aug-2023 |
dlg |
add support route based ipsec vpn negotiation with sec(4) via isakmpd.
this adds "interface secX" to the grammar that you can use instead of specifying tunnel/transport modes and traffic selectors.
if you have config like "ike interface sec0 local ... peer ...", ipsecctl will generate the right config for isakmpd to negotiate esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however, this also specifies that they should be set up as interface SAs in the kernel for use with sec(4).
this supports route-based instead of policy based ipsec encapsulation, and allows us to more easily operate with other vendors and products that also offer route-based vpns with opinions about the negotiated policy that doesn't fit with the SPD.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@
|
#
1.182 |
|
19-Apr-2023 |
jsg |
remove duplicate includes
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
#
1.181 |
|
22-Oct-2021 |
bluhm |
After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Remove all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
|
#
1.180 |
|
15-Oct-2021 |
naddy |
Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain.
With help from millert@ ok benno@ deraadt@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.179 |
|
29-Dec-2020 |
benno |
getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@
|
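The check described in 1.179, as an added example that is not code from ipsecctl or OpenBSD: an interface-address lookup of the kind host_if() performs, written so that an entry with a NULL ifa_addr is skipped before anything in it is read. collect_v4_addrs(), build_demo_list(), demo_collect() and demo_first_v4() are names chosen here, and the list the demo functions walk is constructed by hand (including one address-less entry) so the NULL case is exercised without depending on the host's interfaces; main() runs the same walk over the live getifaddrs(3) result.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <ifaddrs.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 16

/*
 * Copy the IPv4 addresses of interface `ifname` from the getifaddrs(3) list
 * `ifap` into `out`.  Returns how many were stored, or -1 if `out` is too
 * small.  An entry with a NULL ifa_addr is skipped before anything in it is
 * read; reading sa_family through that NULL is what 1.179 guards against.
 */
int
collect_v4_addrs(const struct ifaddrs *ifap, const char *ifname,
    struct in_addr *out, size_t nout)
{
	const struct ifaddrs *ifa;
	const struct sockaddr_in *sin;
	size_t n = 0;

	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
		if (ifa->ifa_addr == NULL)
			continue;
		if (ifa->ifa_addr->sa_family != AF_INET)
			continue;
		if (ifa->ifa_name == NULL || strcmp(ifa->ifa_name, ifname) != 0)
			continue;
		if (n >= nout)
			return (-1);
		sin = (const struct sockaddr_in *)ifa->ifa_addr;
		out[n++] = sin->sin_addr;
	}
	return ((int)n);
}

/*
 * Constructed stand-in for a getifaddrs() result (not the host's list): an
 * address-less lo0 entry with ifa_addr NULL, an IPv4 lo0 entry and an IPv4
 * em0 entry.
 */
static struct ifaddrs *
build_demo_list(void)
{
	static char lo0_name[] = "lo0", em0_name[] = "em0";
	static struct sockaddr_in lo, em;
	static struct ifaddrs e[3];

	memset(&lo, 0, sizeof(lo));
	lo.sin_family = AF_INET;
	inet_pton(AF_INET, "127.0.0.1", &lo.sin_addr);
	memset(&em, 0, sizeof(em));
	em.sin_family = AF_INET;
	inet_pton(AF_INET, "192.0.2.10", &em.sin_addr);

	memset(e, 0, sizeof(e));
	e[0].ifa_name = lo0_name;	/* no address: ifa_addr stays NULL */
	e[0].ifa_next = &e[1];
	e[1].ifa_name = lo0_name;
	e[1].ifa_addr = (struct sockaddr *)&lo;
	e[1].ifa_next = &e[2];
	e[2].ifa_name = em0_name;
	e[2].ifa_addr = (struct sockaddr *)&em;
	return (e);
}

/* Number of IPv4 addresses found for `ifname` in the constructed list. */
int
demo_collect(const char *ifname)
{
	struct in_addr got[MAX_ADDRS];

	return (collect_v4_addrs(build_demo_list(), ifname, got, MAX_ADDRS));
}

/* First IPv4 address found for `ifname` as a dotted quad, or "" if none. */
const char *
demo_first_v4(const char *ifname)
{
	static char buf[INET_ADDRSTRLEN];
	struct in_addr got[MAX_ADDRS];

	buf[0] = '\0';
	if (collect_v4_addrs(build_demo_list(), ifname, got, MAX_ADDRS) > 0)
		inet_ntop(AF_INET, &got[0], buf, sizeof(buf));
	return (buf);
}

/* Stand-alone use: the same NULL-safe walk over the live interface list. */
int
main(void)
{
	struct ifaddrs *ifap, *ifa;
	char buf[INET_ADDRSTRLEN];

	if (getifaddrs(&ifap) == -1) {
		perror("getifaddrs");
		return (1);
	}
	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
		if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
			continue;
		inet_ntop(AF_INET, &((struct sockaddr_in *)ifa->ifa_addr)->sin_addr,
		    buf, sizeof(buf));
		printf("%s %s\n", ifa->ifa_name, buf);
	}
	freeifaddrs(ifap);
	return (0);
}
```

The order of the tests in the loop is the point: the NULL check must precede the sa_family check, because sa_family lives inside the structure ifa_addr points to.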
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.178 |
|
07-Feb-2020 |
bluhm |
Extend the ipsecctl(8) parser to set the udpencap flag and port number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
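The range reduction 1.176 describes, as an added example rather than code from the tree: the same length check written with and without the narrowing cast, beside a bounded copy built on the correct one. BUFCAP, length_ok_narrowed(), length_ok(), bounded_copy() and the demo_* helpers are names chosen here; the 5-byte message and the oversized length are constructed inputs.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFCAP 64	/* capacity of the destination buffer used below */

/*
 * The pattern 1.176 removes: a size_t length narrowed to unsigned int before
 * the bounds check.  Where size_t is 64 bits wide, a length of 0x100000001
 * compares as 1, passes, and a copy of the real length would overrun a
 * BUFCAP-byte buffer.
 */
int
length_ok_narrowed(size_t len)
{
	return ((unsigned)len <= BUFCAP);
}

/* The check as it should be: compared at full size_t width. */
int
length_ok(size_t len)
{
	return (len <= BUFCAP);
}

/*
 * Bounded copy built on the correct check.  Returns the number of bytes
 * copied into buf (which must hold BUFCAP bytes), or -1 if len is too large.
 */
int
bounded_copy(char *buf, const void *src, size_t len)
{
	if (!length_ok(len))
		return (-1);
	memcpy(buf, src, len);
	return ((int)len);
}

/*
 * Smallest oversized length that the narrowing cast turns into 1 on this
 * platform, or 0 when unsigned int and size_t have the same width (then the
 * cast loses nothing and there is nothing to demonstrate).
 */
size_t
wraparound_len(void)
{
	if (sizeof(size_t) <= sizeof(unsigned int))
		return (0);
	return ((size_t)UINT_MAX + 2);	/* 0x100000001 with 32-bit unsigned */
}

/* 1 if the narrowed check accepts a length the correct check rejects. */
int
narrowed_check_bypassed(void)
{
	size_t len = wraparound_len();

	return (len != 0 && length_ok_narrowed(len) && !length_ok(len));
}

/* Copy a constructed 5-byte message: returns 5. */
int
demo_copy_small(void)
{
	char buf[BUFCAP];

	return (bounded_copy(buf, "hello", 5));
}

/* Attempt the copy with the oversized length: returns -1, nothing copied. */
int
demo_copy_huge(void)
{
	char buf[BUFCAP];
	size_t len = wraparound_len();

	return (bounded_copy(buf, "hello", len != 0 ? len : BUFCAP + 1));
}

int
main(void)
{
	printf("narrowed check bypassed: %d\n", narrowed_check_bypassed());
	printf("small copy: %d, huge copy: %d\n", demo_copy_small(),
	    demo_copy_huge());
	return (0);
}
```

On LP64 targets narrowed_check_bypassed() returns 1; on a 32-bit target both checks agree and it returns 0, which is exactly why such casts survive until the code is built or fuzzed on a wider platform.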
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
    quick enc aes-256-gcm \
    psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
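The quoted-string rules stated in 1.129 (re-applied in 1.174) together with the embedded-NUL rejection from 1.161, as an added example; this is not the yylex() from parse.y but a stand-alone reader for one double-quoted string. Inside quotes a backslash followed by space or tab yields that blank, a backslash followed by newline is dropped as a line continuation, and a 0x00 byte inside the quotes is an error instead of a silent terminator. Two details are assumptions made here, not behaviour stated on the page: a backslash before a quote yields a literal quote, and any other backslash is kept as-is. lex_quoted(), lex_status_of() and lex_yields() are names chosen here; the inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum lex_status {
	LEX_OK = 0,
	LEX_UNTERMINATED,	/* input ended before the closing quote */
	LEX_EMBEDDED_NUL,	/* a 0x00 byte inside the quotes (1.161) */
	LEX_TOOLONG		/* output buffer too small */
};

/*
 * Lex the quoted string starting at in[0] == '"'.  The input length is
 * passed explicitly so an embedded NUL is seen by the lexer rather than
 * ending the buffer early.  On LEX_OK, out holds the unquoted text,
 * *consumed the number of input bytes used, and *lines the number of
 * line continuations seen (what a real lexer adds to its line counter).
 */
enum lex_status
lex_quoted(const unsigned char *in, size_t inlen, char *out, size_t outlen,
    size_t *consumed, int *lines)
{
	size_t i = 1, o = 0;
	unsigned char c, next;

	*lines = 0;
	*consumed = 0;
	if (inlen == 0 || in[0] != '"' || outlen == 0)
		return (LEX_UNTERMINATED);
	while (i < inlen) {
		c = in[i++];
		if (c == '\0')
			return (LEX_EMBEDDED_NUL);
		if (c == '"') {
			out[o] = '\0';
			*consumed = i;
			return (LEX_OK);
		}
		if (c == '\\' && i < inlen) {
			next = in[i];
			if (next == '\n') {		/* line continuation */
				i++;
				(*lines)++;
				continue;
			}
			if (next == ' ' || next == '\t' || next == '"') {
				c = next;		/* escaped blank or quote */
				i++;
			}
			/* any other \X: keep the backslash, X is read next round */
		}
		if (o + 1 >= outlen)
			return (LEX_TOOLONG);
		out[o++] = (char)c;
	}
	return (LEX_UNTERMINATED);
}

/* Status of lexing a constructed input of explicit length. */
enum lex_status
lex_status_of(const char *in, size_t inlen)
{
	char out[64];
	size_t used;
	int lines;

	return (lex_quoted((const unsigned char *)in, inlen, out, sizeof(out),
	    &used, &lines));
}

/* 1 if lexing succeeds and produces exactly `want`, else 0. */
int
lex_yields(const char *in, size_t inlen, const char *want)
{
	char out[64];
	size_t used;
	int lines;

	if (lex_quoted((const unsigned char *)in, inlen, out, sizeof(out),
	    &used, &lines) != LEX_OK)
		return (0);
	return (strcmp(out, want) == 0);
}

int
main(void)
{
	/* constructed inputs, the last one carrying an embedded NUL byte */
	static const char ok1[] = "\"foo\\ bar\"";
	static const char ok2[] = "\"abc\\\ndef\"";
	static const char bad[] = "\"a\0b\"";

	printf("%d %d %d\n", lex_yields(ok1, sizeof(ok1) - 1, "foo bar"),
	    lex_yields(ok2, sizeof(ok2) - 1, "abcdef"),
	    lex_status_of(bad, sizeof(bad) - 1) == LEX_EMBEDDED_NUL);
	return (0);
}
```

Passing the length separately is what makes the NUL check meaningful: a lexer that reads through a NUL-terminated C string can never see the byte, which is how the pfctl anchor-name crash mentioned in 1.161 got past the parser into later code.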
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0 skip link-locals for now, to be handled separately later ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic - IPv6 parsing for only v6 host addresses - checks for dst <-> src address family sanity ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
    key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
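The expansion shown in 1.12, as an added example that is not ipsecctl's own code: a function that takes the src/dst pair, the "in:out" SPI pair and the "in:out" key pair of a tcpmd5 rule and produces the forward SA and the automatically created reverse SA with the addresses swapped. struct sa_rule, expand_tcpmd5(), parse_spi(), split_pair() and the demo_* helpers are names chosen here; keys are kept as the hex strings written in the rule rather than decoded to bytes, and rejecting a rule whose SPI and key pair counts differ is an assumption about what a safe expansion should do, not behaviour stated on the page. The SPI parser checks ERANGE the way 1.68 describes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sa_rule {
	char		src[32];
	char		dst[32];
	uint32_t	spi;
	char		key[64];	/* hex key as written in the rule */
};

/* Parse one hex SPI token such as "0x2000" of `len` bytes into *spi. */
static int
parse_spi(const char *s, size_t len, uint32_t *spi)
{
	char tmp[16], *end;
	unsigned long v;

	if (len == 0 || len >= sizeof(tmp) || s[0] == '-')
		return (-1);
	memcpy(tmp, s, len);
	tmp[len] = '\0';
	errno = 0;
	v = strtoul(tmp, &end, 16);
	if (errno == ERANGE || *end != '\0' || v > UINT32_MAX)
		return (-1);
	*spi = (uint32_t)v;
	return (0);
}

/* Split "a" or "a:b"; returns 1 or 2, or 0 on an empty part or extra colon. */
static int
split_pair(const char *s, const char *part[2], size_t plen[2])
{
	const char *colon = strchr(s, ':');

	if (colon == NULL) {
		part[0] = s;
		plen[0] = strlen(s);
		return (plen[0] == 0 ? 0 : 1);
	}
	if (strchr(colon + 1, ':') != NULL)
		return (0);
	part[0] = s;
	plen[0] = (size_t)(colon - s);
	part[1] = colon + 1;
	plen[1] = strlen(colon + 1);
	return ((plen[0] == 0 || plen[1] == 0) ? 0 : 2);
}

/*
 * Expand a tcpmd5 rule into directional SAs.  "spi A:B key K1:K2" gives
 * src->dst with A/K1 and the reverse dst->src with B/K2; a single SPI and
 * key gives the forward SA only.  Returns the number of rules written
 * (1 or 2), or -1 if the pair counts differ, an SPI is malformed or out of
 * range, or a field does not fit.
 */
int
expand_tcpmd5(const char *src, const char *dst, const char *spis,
    const char *keys, struct sa_rule out[2])
{
	const char *sp[2], *kp[2];
	size_t sl[2], kl[2];
	int n, i;

	n = split_pair(spis, sp, sl);
	if (n == 0 || split_pair(keys, kp, kl) != n)
		return (-1);
	for (i = 0; i < n; i++) {
		const char *from = (i == 0) ? src : dst;	/* reverse SA swaps */
		const char *to = (i == 0) ? dst : src;

		if (strlen(from) >= sizeof(out[i].src) ||
		    strlen(to) >= sizeof(out[i].dst) || kl[i] >= sizeof(out[i].key))
			return (-1);
		if (parse_spi(sp[i], sl[i], &out[i].spi) == -1)
			return (-1);
		strcpy(out[i].src, from);
		strcpy(out[i].dst, to);
		memcpy(out[i].key, kp[i], kl[i]);
		out[i].key[kl[i]] = '\0';
	}
	return (n);
}

static struct sa_rule demo_rules[2];

/* Expand the rule quoted in the commit message above; returns the count. */
int
demo_expand(void)
{
	return (expand_tcpmd5("192.168.3.28", "192.168.3.14",
	    "0x2000:0x2001", "0xbeefdead:0xdeadbeef", demo_rules));
}

/* Accessors for the expanded rules. */
uint32_t demo_spi(int i) { return (demo_rules[i].spi); }
const char *demo_src(int i) { return (demo_rules[i].src); }
const char *demo_dst(int i) { return (demo_rules[i].dst); }
const char *demo_key(int i) { return (demo_rules[i].key); }

/* Two SPIs but one key must be rejected rather than half-expanded. */
int
demo_mismatch(void)
{
	struct sa_rule r[2];

	return (expand_tcpmd5("10.0.0.1", "10.0.0.2", "0x10:0x11", "0xabcd", r));
}

int
main(void)
{
	int i, n = demo_expand();

	for (i = 0; i < n; i++)
		printf("tcpmd5 from %s to %s spi 0x%08x key %s\n",
		    demo_src(i), demo_dst(i), demo_spi(i), demo_key(i));
	return (0);
}
```

Run stand-alone, main() prints the two expanded rules in the form the commit message shows.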
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rules contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Originial idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammers soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule sourace and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when choosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0 skip link-locals for now, to be handled separately later ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic - IPv6 parsing for only v6 host addresses - checks for dst <-> src address family sanity ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to seperat function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip adresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@ cvs: ----------------------------------------------------------------------
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order hshoexer will add back in the contraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specficiation of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \ key 0xbeefdead:0xdeadbeef expands now to: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.181 |
|
22-Oct-2021 |
bluhm |
After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Reomve all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@
|
#
1.180 |
|
15-Oct-2021 |
naddy |
Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain.
With help from millert@ ok benno@ deraadt@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.179 |
|
29-Dec-2020 |
benno |
getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.178 |
|
07-Feb-2020 |
bluhm |
Extend the ipsecctl(8) parser to set the udpencap flag and port number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
   aes-128-gcm for 160 bit key (128+nonce)
   aes-192-gcm for 224 bit key (192+nonce)
   aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
   aes-128-gmac for 160 bit key (128+nonce)
   aes-192-gmac for 224 bit key (192+nonce)
   aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
	quick enc aes-256-gcm \
	psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
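The quoted-string handling described in 1.129 above and in the 1.174 fragment at the top of this log (a backslash before a space or tab expands to that character, a backslash before a newline is a line continuation), together with the embedded-NUL rejection from 1.161 and the (unsigned char) casts in front of ctype(3) calls from 1.157/1.158, as an added C example written for this page. It is not code from ipsecctl's parse.y. It assumes a 256-byte token buffer, that \" yields a literal quote, that any other backslash sequence is kept as written, and that a raw newline inside quotes is counted for line numbering but not stored (1.118 rejected raw newlines and 1.119 reverted that, so this choice is an assumption). The word-character set in word_len() and all inputs are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QSTR_MAX 256	/* assumed token buffer size for this example */

/* Result of lexing one double-quoted string. */
struct qstr {
	char	str[QSTR_MAX];	/* unescaped contents, NUL terminated */
	size_t	consumed;	/* input bytes used, including both quotes */
	int	newlines;	/* newlines seen, for line number bookkeeping */
	int	ok;		/* 1 on success, 0 on syntax error */
};

/*
 * Lex a quoted string whose opening '"' is at in[0].  The input is bounded
 * by in_len rather than NUL terminated, so an embedded NUL byte is seen and
 * rejected instead of silently ending the token (the crash class from 1.161).
 */
struct qstr
lex_quoted(const char *in, size_t in_len)
{
	struct qstr r;
	size_t i, p = 0;
	int c, next;

	memset(&r, 0, sizeof(r));
	if (in_len == 0 || in[0] != '"')
		return r;
	for (i = 1;;) {
		if (i >= in_len)		/* EOF inside the string */
			return r;
		c = (unsigned char)in[i++];
		if (c == '\n') {		/* raw newline: counted, not stored */
			r.newlines++;
			continue;
		} else if (c == '\\') {
			if (i >= in_len)
				return r;
			next = (unsigned char)in[i];
			if (next == '"' || next == ' ' || next == '\t') {
				c = next;	/* \" \<space> \<tab> expand to the char */
				i++;
			} else if (next == '\n') {
				r.newlines++;	/* line continuation: both dropped */
				i++;
				continue;
			}
			/* any other \<char>: keep the backslash, <char> is read next */
		} else if (c == '"') {
			r.str[p] = '\0';
			r.consumed = i;
			r.ok = 1;
			return r;
		} else if (c == '\0') {
			return r;		/* embedded NUL is a syntax error */
		}
		if (p + 1 >= sizeof(r.str))
			return r;		/* string too long */
		r.str[p++] = (char)c;
	}
}

/*
 * Length of the unquoted word at in[0].  Each byte is widened through
 * unsigned char before isalnum(3): a plain char above 0x7f would otherwise
 * pass a negative int to ctype(3), which is undefined (the point of 1.157).
 */
size_t
word_len(const char *in, size_t in_len)
{
	size_t i;
	unsigned char c;

	for (i = 0; i < in_len; i++) {
		c = (unsigned char)in[i];
		if (!(isalnum(c) || c == '_' || c == '-' || c == '.' ||
		    c == '/' || c == ':'))
			break;
	}
	return i;
}

/* 1 if lexing in yields exactly the expected string, consumption and newline count. */
int
qstr_check(const char *in, size_t in_len, const char *want,
    size_t want_consumed, int want_newlines)
{
	struct qstr r = lex_quoted(in, in_len);

	return r.ok && strcmp(r.str, want) == 0 &&
	    r.consumed == want_consumed && r.newlines == want_newlines;
}

int
main(void)
{
	/* constructed input: "a\ b\<newline>c" followed by more text */
	const char *s = "\"a\\ b\\\nc\" rest";
	struct qstr r = lex_quoted(s, strlen(s));

	printf("ok=%d str=[%s] consumed=%zu newlines=%d\n",
	    r.ok, r.str, r.consumed, r.newlines);
	printf("embedded NUL rejected: %d\n", !lex_quoted("\"ab\0cd\"", 7).ok);
	printf("word_len(\"aes-256-gcm psk\") = %zu\n",
	    word_len("aes-256-gcm psk", 15));
	return 0;
}
```

The consumed count lets a caller resume after the closing quote, and the newline count is what a real lexer would add to its line counter so that error messages keep pointing at the right line (the bug class of 1.107 and 1.148).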
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping SAs
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv)
late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used in IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
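The config file secrecy check touched by 1.159 above (group readability allowed) and by 1.35 here (fstat(2) on the descriptor that was just opened instead of stat(2) on the path), as an added C example written for this page rather than ipsecctl's own code. The rejected permission mask (group write or execute, anything for other), the owner rule (root or the current user) and the temporary file path used by the demo are this example's assumptions; ipsec.conf carries pre-shared keys and static SA keys, which is why the file is required to be unreadable by others at all.

```c
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Permission bits that make a config file holding keys unacceptable:
 * anything for "other", and group write or execute.  Group read (0640)
 * passes, which is the relaxation 1.159 describes.  Assumed mask.
 */
#define SECRECY_BAD_BITS (S_IWGRP | S_IXGRP | S_IRWXO)

/* Pure check on a mode, so it can be exercised without a file. */
int
secrecy_mode_ok(mode_t mode)
{
	return (mode & SECRECY_BAD_BITS) == 0;
}

/*
 * Check the descriptor that will actually be read.  A stat(2) on the path
 * before open(2) leaves a window in which the path can be pointed at a
 * different file (TOCTOU); fstat(2) reports on the inode already opened.
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		warn("cannot stat %s", fname);
		return -1;
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		warnx("%s: owner not root or current user", fname);
		return -1;
	}
	if (!secrecy_mode_ok(st.st_mode)) {
		warnx("%s: group writable or world readable/writable", fname);
		return -1;
	}
	return 0;
}

/*
 * Demo helper: create a temporary file with the given mode, run the check
 * on the open descriptor and return its result.  The file is removed again.
 */
int
check_with_mode(mode_t mode)
{
	char path[] = "/tmp/ipsec.conf.XXXXXX";	/* assumed scratch location */
	int fd, rv;

	if ((fd = mkstemp(path)) == -1)
		err(1, "mkstemp");
	if (fchmod(fd, mode) == -1)
		err(1, "fchmod");
	rv = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return rv;
}

int
main(void)
{
	printf("0600: %d\n", check_with_mode(0600));	/* accepted */
	printf("0640: %d\n", check_with_mode(0640));	/* accepted since 1.159 */
	printf("0644: %d\n", check_with_mode(0644));	/* rejected: world readable */
	printf("0660: %d\n", check_with_mode(0660));	/* rejected: group writable */
	return 0;
}
```

The rejecting cases print a warning on stderr from warnx(3) before returning -1, which is the behaviour a caller wants when it is about to refuse to load the file.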
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
	key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
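The expansion shown in 1.12 above, as an added C example and not ipsecctl's own code: the in:out pair given for spi and key is split, the first half goes to the src->dst SA and the second half to the reverse SA with src and dst swapped, and a missing key is accepted so that a delete (1.8) needs none. Addresses and keys are kept as strings; the buffer sizes, the helper names and the consistency rule that a reverse SPI requires a reverse key whenever a key is given at all are assumptions of this example, and the sample addresses are the ones from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDRMAX	40	/* enough for a textual IPv6 address */
#define KEYMAX	128	/* assumed upper bound on a hex key string */

/* One direction of a manually keyed TCP-MD5 SA. */
struct sa_rule {
	char		src[ADDRMAX];
	char		dst[ADDRMAX];
	unsigned long	spi;
	char		key[KEYMAX];	/* hex key as written; empty when deleting */
};

/*
 * Split "in:out" into first and second.  A bare "in" leaves second empty.
 * Returns -1 on an empty or oversized half.
 */
static int
split_pair(const char *spec, char *first, char *second, size_t sz)
{
	const char *colon = strchr(spec, ':');
	size_t n = colon != NULL ? (size_t)(colon - spec) : strlen(spec);

	if (n == 0 || n >= sz)
		return -1;
	memcpy(first, spec, n);
	first[n] = '\0';
	second[0] = '\0';
	if (colon != NULL) {
		if (colon[1] == '\0' || strlen(colon + 1) >= sz)
			return -1;
		strcpy(second, colon + 1);
	}
	return 0;
}

/* Parse one SPI; base 0 accepts the 0x... form used in ipsec.conf. */
static int
parse_spi(const char *s, unsigned long *spi)
{
	char *end;

	*spi = strtoul(s, &end, 0);
	return (*s != '\0' && *end == '\0') ? 0 : -1;
}

/*
 * Expand "tcpmd5 from SRC to DST spi A[:B] key K1[:K2]" into the forward SA
 * (SRC->DST, A, K1) and, when B is given, the reverse SA (DST->SRC, B, K2).
 * key_spec may be NULL: no key is needed when deleting a tcpmd5 SA (1.8).
 * Returns the number of rules written, or -1 on a malformed rule.
 */
int
expand_tcpmd5(const char *src, const char *dst, const char *spi_spec,
    const char *key_spec, struct sa_rule out[2])
{
	char spi1[32], spi2[32], key1[KEYMAX] = "", key2[KEYMAX] = "";
	int n = 1;

	if (split_pair(spi_spec, spi1, spi2, sizeof(spi1)) == -1)
		return -1;
	if (key_spec != NULL && split_pair(key_spec, key1, key2, KEYMAX) == -1)
		return -1;
	/* with keys present, a reverse SPI needs a reverse key and vice versa */
	if (key_spec != NULL && (spi2[0] != '\0') != (key2[0] != '\0'))
		return -1;

	memset(out, 0, 2 * sizeof(out[0]));
	snprintf(out[0].src, ADDRMAX, "%s", src);
	snprintf(out[0].dst, ADDRMAX, "%s", dst);
	snprintf(out[0].key, KEYMAX, "%s", key1);
	if (parse_spi(spi1, &out[0].spi) == -1)
		return -1;
	if (spi2[0] != '\0') {
		snprintf(out[1].src, ADDRMAX, "%s", dst);	/* swapped */
		snprintf(out[1].dst, ADDRMAX, "%s", src);
		snprintf(out[1].key, KEYMAX, "%s", key2);
		if (parse_spi(spi2, &out[1].spi) == -1)
			return -1;
		n = 2;
	}
	return n;
}

/* Print a rule in the one-direction form shown in the commit message. */
void
print_rule(const struct sa_rule *r)
{
	printf("tcpmd5 from %s to %s spi 0x%08lx", r->src, r->dst, r->spi);
	if (r->key[0] != '\0')
		printf(" key %s", r->key);
	printf("\n");
}

/* 1 if rule idx of the expansion has exactly the given src, dst, spi and key. */
int
expansion_matches(const char *src, const char *dst, const char *spi_spec,
    const char *key_spec, int idx, const char *want_src, const char *want_dst,
    unsigned long want_spi, const char *want_key)
{
	struct sa_rule r[2];
	int n = expand_tcpmd5(src, dst, spi_spec, key_spec, r);

	return idx < n && strcmp(r[idx].src, want_src) == 0 &&
	    strcmp(r[idx].dst, want_dst) == 0 && r[idx].spi == want_spi &&
	    strcmp(r[idx].key, want_key) == 0;
}

int
main(void)
{
	struct sa_rule rules[2];
	int i, n;

	n = expand_tcpmd5("192.168.3.28", "192.168.3.14", "0x2000:0x2001",
	    "0xbeefdead:0xdeadbeef", rules);
	for (i = 0; i < n; i++)
		print_rule(&rules[i]);
	return n == 2 ? 0 : 1;
}
```

Running the block prints the two one-direction rules from the commit message; the reverse rule is the only place where src and dst trade places, so a mismatch between the spi and key halves is rejected before anything is written.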
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.180 |
|
15-Oct-2021 |
naddy |
Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain.
With help from millert@ ok benno@ deraadt@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.179 |
|
29-Dec-2020 |
benno |
getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr. ok claudio@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.178 |
|
07-Feb-2020 |
bluhm |
Extend the ipsecctl(8) parser to set the udpencap flag and port number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...)
ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
    quick enc aes-256-gcm \
    psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
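The two constraints stated in 1.155 and 1.149 above, that counter-mode and AEAD transforms are refused for manually keyed SAs and that the AES-GCM/GMAC key material is the cipher key plus a 32-bit nonce salt (160, 224 or 288 bits), are easy to get wrong by hand and are worth checking before a rule reaches the kernel. The following is an added Python illustration of such a check; it is not code from ipsecctl(8) or OpenBSD. The GCM, GMAC and CTR key sizes are taken from the 1.149 message, the sizes for the CBC ciphers and HMAC transforms are the conventional ones and are assumed here, and the function names are the author's own.

```python
"""Validate the transforms and static keys of a manually keyed ipsec.conf SA.

Added example, not ipsecctl(8) code.  Key sizes for the AES-GCM, AES-GMAC and
AES-CTR transforms are cipher key plus 32-bit nonce salt, as given in 1.149;
the remaining sizes are the conventional ones for those algorithms and are
assumed here.
"""

# Bits of static key material each "enc" transform expects.
ENC_KEY_BITS = {
    "aes-128": 128, "aes-192": 192, "aes-256": 256,
    "3des-cbc": 192,                        # three 64-bit DES keys
    "aes-128-ctr": 160, "aes-192-ctr": 224, "aes-256-ctr": 288,
    "aes-128-gcm": 160, "aes-192-gcm": 224, "aes-256-gcm": 288,
    "aes-128-gmac": 160, "aes-192-gmac": 224, "aes-256-gmac": 288,
    "null": 0,                              # ESP with NULL encryption, no key
}

# Bits of static key material each "auth" transform expects.
AUTH_KEY_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160,
    "hmac-sha2-256": 256, "hmac-sha2-384": 384, "hmac-sha2-512": 512,
}

# Counter-mode transforms are only safe when a key is never reused with the
# same nonce; IKE rekeys often enough, a static key never does.  RFCs 3686,
# 4106 and 4543 forbid manual keying, and ipsecctl refuses it since 1.155.
COUNTER_MODE = frozenset(
    name for name in ENC_KEY_BITS if name.endswith(("-ctr", "-gcm", "-gmac")))


def key_bits(key):
    """Length in bits of a key written as 0x-prefixed hex."""
    if not key.startswith("0x") or len(key) == 2:
        raise ValueError("key must be 0x-prefixed hex: %r" % key)
    if any(c not in "0123456789abcdefABCDEF" for c in key[2:]):
        raise ValueError("key is not hexadecimal: %r" % key)
    return (len(key) - 2) * 4


def check_manual_sa(enc=None, auth=None, enckey=None, authkey=None):
    """Return the problems with one manually keyed ESP/AH rule ([] if none).

    Transform names and keys are the strings that would follow "enc",
    "auth", "enckey" and "authkey" in ipsec.conf(5).
    """
    problems = []
    if enc is not None:
        if enc not in ENC_KEY_BITS:
            problems.append("unknown enc transform %s" % enc)
        elif enc in COUNTER_MODE:
            # Rejected before any key is looked at, as the parser does.
            problems.append("%s cannot be used with static keys; "
                            "negotiate it with IKE instead" % enc)
        else:
            want = ENC_KEY_BITS[enc]
            got = key_bits(enckey) if enckey is not None else 0
            if got != want:
                problems.append("enckey for %s is %d bits, expected %d"
                                % (enc, got, want))
    if auth is not None:
        if auth not in AUTH_KEY_BITS:
            problems.append("unknown auth transform %s" % auth)
        else:
            want = AUTH_KEY_BITS[auth]
            got = key_bits(authkey) if authkey is not None else 0
            if got != want:
                problems.append("authkey for %s is %d bits, expected %d"
                                % (auth, got, want))
    return problems
```

check_manual_sa() follows the ordering the commits describe: a counter-mode cipher is refused outright and no key size is computed for it, while a CBC cipher or HMAC transform is compared against the exact key length and the message reports the size actually supplied, in the spirit of 1.105 and 1.87.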
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow specifying ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1.
ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore.
ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet.
ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification
tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows)
ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping SAs
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default.
"looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules
"put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow specifying phase 1 and 2 lifetimes. Right now, these values can only be set globally (i.e. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)'s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv)
late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y
ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow specifying groups to be used by IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows specifying the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free()
ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order
hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
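The file secrecy check touched by 1.35 (open first, then fstat(2) the descriptor instead of stat(2) on the path) and by 1.159 above (group read allowed, group write or any world access still refused) can be written down as follows. This is an added Python illustration, not the check in ipsecctl's parse.y. The ownership rule it applies, owner is root or the invoking user, is the author's assumption about the shared pfctl-derived parser code, as are the function names.

```python
"""Refuse to parse a config holding keys unless the file itself is private.

Added example, not ipsecctl(8) code.  The policy (owner is root or the
invoking user; no group write, no group execute, nothing for others; group
read allowed since 1.159) is the author's assumption about the shared
pfctl-derived parsers.
"""
import os
import stat

# Permission bits that make a file with static keys or PSKs unacceptable.
# S_IRGRP is deliberately not in the mask: that is the relaxation from 1.159.
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IXGRP | stat.S_IRWXO


def secrecy_problems(mode, uid, invoking_uid):
    """Pure policy check on stat data; returns [] when the file is acceptable."""
    problems = []
    if uid != 0 and uid != invoking_uid:
        problems.append("owner is neither root nor the current user")
    perms = stat.S_IMODE(mode)
    if perms & FORBIDDEN_BITS:
        problems.append("mode %04o is group-writable or world-accessible" % perms)
    return problems


def open_config_securely(path):
    """Open the config and check the descriptor, never the path.

    stat(2) on the path followed by open(2) leaves a window in which the path
    can be pointed at a different file; 1.35 removed that pattern in favour of
    fstat(2) on the descriptor that will actually be read.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        problems = secrecy_problems(st.st_mode, st.st_uid, os.getuid())
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if problems:
            raise PermissionError("%s: %s" % (path, "; ".join(problems)))
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")
```

The policy lives in secrecy_problems() so it can be exercised on synthetic stat values; open_config_securely() is the only place that touches the filesystem, and it hands back a file object built on the very descriptor that was inspected.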
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
    key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
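The expansion described in 1.12 above, as an added Python illustration that is not ipsecctl code: the first SPI and key of an in:out pair go to the from-to SA, the second pair to the reverse SA. Requiring spi and key to have the same arity, rejecting SPIs wider than 32 bits and printing SPIs as eight hex digits (as the commit's output shows) are this example's own choices; that a single value yields a single one-way SA is an assumption.

```python
"""Expand a bidirectional ipsec.conf tcpmd5 rule into its one-way SAs.

Added example, not ipsecctl(8) code.  It reproduces the expansion shown in
the 1.12 commit message; the arity and range checks are this example's own.
"""
import re

RULE_RE = re.compile(
    r"^tcpmd5\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+spi\s+(?P<spi>\S+)\s+key\s+(?P<key>\S+)\s*$")

# The rule from the 1.12 commit message, used as the stand-alone demo input.
EXAMPLE_RULE = ("tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \\\n"
                "    key 0xbeefdead:0xdeadbeef")


def _split_pair(text, what):
    """'a:b' -> ['a', 'b'], 'a' -> ['a']; anything else is rejected."""
    parts = text.split(":")
    if len(parts) > 2 or any(p == "" for p in parts):
        raise ValueError("%s must be one value or an in:out pair: %r" % (what, text))
    return parts


def _parse_spi(text):
    """Accept hex (0x...) or decimal and insist on a 32-bit value."""
    spi = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI %s does not fit in 32 bits" % text)
    return spi


def _check_key(text):
    if not re.fullmatch(r"0x[0-9a-fA-F]+", text):
        raise ValueError("key must be 0x-prefixed hex: %r" % text)
    return text.lower()


def expand_tcpmd5(rule):
    """Return the one-way tcpmd5 rules (as text) that `rule` stands for."""
    rule = re.sub(r"\\\s*\n\s*", " ", rule.strip())   # join continuation lines
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("not a tcpmd5 rule: %r" % rule)
    spis = [_parse_spi(s) for s in _split_pair(m["spi"], "spi")]
    keys = [_check_key(k) for k in _split_pair(m["key"], "key")]
    if len(spis) != len(keys):
        raise ValueError("spi and key must both be single values or both be pairs")
    # First element of each pair: src -> dst.  Second element: dst -> src.
    directions = [(m["src"], m["dst"]), (m["dst"], m["src"])]
    return ["tcpmd5 from %s to %s spi 0x%08x key %s" % (src, dst, spi, key)
            for (src, dst), spi, key in zip(directions, spis, keys)]


if __name__ == "__main__":
    for line in expand_tcpmd5(EXAMPLE_RULE):
        print(line)
```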
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support for tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow specifying ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing numbers out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful when AH cannot be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules; "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow specifying phase 1 and 2 lifetimes. Right now, these values can only be set globally (i.e. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0. skip link-locals for now, to be handled separately later. ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)'s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv)
late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow specifying groups to be used for IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@; tested by jean raby; requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows specifying the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
    key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support for tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.178 |
|
07-Feb-2020 |
bluhm |
Extend the ipsecctl(8) parser to set the udpencap flag and port number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.177 |
|
26-Aug-2019 |
tobhe |
Fix file descriptor leak due to popfile() never closing the main config file.
The fix is the same as for other parse.y files in the tree (see bgpd(8) or unwind(8))
ok bluhm@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability. default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
   aes-128-gcm for 160 bit key (128+nonce)
   aes-192-gcm for 224 bit key (192+nonce)
   aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
   aes-128-gmac for 160 bit key (128+nonce)
   aes-192-gmac for 224 bit key (192+nonce)
   aes-256-gmac for 288 bit key (256+nonce)
Please note that the aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
    quick enc aes-256-gcm \
    psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
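The two entries above (1.146: an srcid/dstid given as a literal address gets an address ID type, not FQDN; 1.140: a '/' marks a subnet, so "a.b.c.d/32" and "a.b.c.d" get different types) describe a small classification rule. The following is an added Python illustration of that rule, written for this page; it is not ipsecctl's parse.y code. The IPv6 subnet and user@host ID names (IPV6_ADDR_SUBNET, USER_FQDN) are assumptions added to make the classifier complete, and the (type, value) pairing in id_payload() is this example's own choice.

```python
import ipaddress

# IKE identification types named in the log entries above; the IPv6 subnet
# and user@host names are assumptions added here for completeness.
IPV4_ADDR = "IPV4_ADDR"
IPV4_ADDR_SUBNET = "IPV4_ADDR_SUBNET"
IPV6_ADDR = "IPV6_ADDR"
IPV6_ADDR_SUBNET = "IPV6_ADDR_SUBNET"   # assumption
FQDN = "FQDN"
USER_FQDN = "USER_FQDN"                 # assumption


def detect_id_type(token: str) -> str:
    """Pick the ID type for one srcid/dstid or address token.

    Order matters: a '/' marks a subnet even for a /32 or /128, so
    "a.b.c.d" and "a.b.c.d/32" deliberately get different types (1.140);
    a bare address that parses is an address ID, never an FQDN (1.146);
    anything that does not parse as an address is treated as a name.
    A token with '/' that is not a valid prefix raises ValueError.
    """
    if "/" in token:
        # strict=False keeps "10.0.0.1/24" acceptable; host bits are
        # dropped because the network address is what the ID carries.
        net = ipaddress.ip_network(token, strict=False)
        return IPV4_ADDR_SUBNET if net.version == 4 else IPV6_ADDR_SUBNET
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        # Not an address: user@host is a USER_FQDN, everything else an FQDN.
        return USER_FQDN if "@" in token else FQDN
    return IPV4_ADDR if addr.version == 4 else IPV6_ADDR


def id_payload(token: str):
    """Return the (type, canonical value) pair for an ID payload.

    Addresses and prefixes are normalised through the ipaddress module so
    that "2001:DB8::1" and "2001:db8::1" yield the same ID; names are
    passed through unchanged.
    """
    kind = detect_id_type(token)
    if kind in (IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET):
        return kind, str(ipaddress.ip_network(token, strict=False))
    if kind in (IPV4_ADDR, IPV6_ADDR):
        return kind, str(ipaddress.ip_address(token))
    return kind, token


if __name__ == "__main__":
    # Constructed sample tokens, showing the "/32" distinction from 1.140.
    for t in ("10.0.0.1", "10.0.0.1/32", "2001:db8::1", "gw.example.org"):
        print(t, "->", id_payload(t))
```

The interop point of 1.140 is visible in the first two sample tokens: the same host is sent either as an IPV4_ADDR or as an IPV4_ADDR_SUBNET depending only on whether the operator wrote "/32", which lets the identity match what a peer expects.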
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing numbers out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful when AH cannot be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used by IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
	key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
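The two expansions described in the 1.80 entry (host lists in `from`/`to` yield one rule per combination) and in the 1.12 entry above (a tcpmd5 rule with `spi in:out key in:out` yields a forward and a reverse SA), as an added example written for this page. It is not ipsecctl's parser and is Python rather than the C/yacc of parse.y; the `Rule` fields and the function names are this example's own choices, and the convention that a lone spi or key value serves both directions is an assumption.

```python
"""Added example, not ipsecctl's code: rule expansion for host lists (1.80)
and for tcpmd5 forward/reverse SAs (1.12). Field and function names are
this example's own."""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str          # "ike", "flow", "tcpmd5", ...
    src: str
    dst: str
    peer: str = ""
    spi: str = ""      # hex, zero-padded to 32 bits, as the 1.12 output shows
    key: str = ""


def split_list(field: str) -> List[str]:
    """'{ 192.168.7.0/24, 192.168.9.0/24 }' -> both networks; a bare host is
    returned as a one-element list so callers can treat both shapes alike."""
    field = field.strip()
    if field.startswith("{") and field.endswith("}"):
        hosts = [h.strip() for h in field[1:-1].split(",") if h.strip()]
        if not hosts:
            raise ValueError("empty host list")
        return hosts
    return [field]


def expand_lists(kind: str, src: str, dst: str, peer: str = "") -> List[Rule]:
    """One rule per (src, dst) pair: 'from em0 to { a, b }' becomes two tunnels."""
    return [Rule(kind, s, d, peer) for s, d in product(split_list(src), split_list(dst))]


def _in_out(field: str) -> Tuple[str, str]:
    """'0x2000:0x2001' -> ('0x2000', '0x2001'). A single value is used for
    both directions (this example's assumption, not parse.y's behaviour)."""
    parts = field.split(":")
    if len(parts) == 1:
        return parts[0], parts[0]
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected 'in:out', got {field!r}")
    return parts[0], parts[1]


def format_spi(spi: str) -> str:
    """Normalise an SPI to the 0x%08x form shown in the log; reject out-of-range values."""
    value = int(spi, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI out of 32-bit range: {spi}")
    return f"0x{value:08x}"


def expand_tcpmd5(src: str, dst: str, spi: str, key: str) -> List[Rule]:
    """Forward SA src->dst takes the first spi/key, the reverse SA dst->src the second."""
    spi_fwd, spi_rev = (format_spi(s) for s in _in_out(spi))
    key_fwd, key_rev = _in_out(key)
    return [
        Rule("tcpmd5", src, dst, spi=spi_fwd, key=key_fwd),
        Rule("tcpmd5", dst, src, spi=spi_rev, key=key_rev),
    ]


def render(rule: Rule) -> str:
    """Print a rule in ipsec.conf-like form, as the expanded output in the log reads."""
    out = f"{rule.kind} from {rule.src} to {rule.dst}"
    if rule.peer:
        out += f" peer {rule.peer}"
    if rule.spi:
        out += f" spi {rule.spi} key {rule.key}"
    return out


if __name__ == "__main__":
    # Constructed input taken from the two commit messages.
    for r in expand_lists("ike", "em0", "{ 192.168.7.0/24, 192.168.9.0/24 }", "1.2.3.4"):
        print(render(r))
    for r in expand_tcpmd5("192.168.3.28", "192.168.3.14",
                           "0x2000:0x2001", "0xbeefdead:0xdeadbeef"):
        print(render(r))
```

Note that the reverse SA is a separate SA with its own SPI and key; a peer that only installs the forward direction will silently drop the return traffic, which is why ipsecctl generates both from one line.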
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support for tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.176 |
|
13-Feb-2019 |
deraadt |
(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
   aes-128-gcm for 160 bit key (128+nonce)
   aes-192-gcm for 224 bit key (192+nonce)
   aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
   aes-128-gmac for 160 bit key (128+nonce)
   aes-192-gmac for 224 bit key (192+nonce)
   aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
	quick enc aes-256-gcm \
	psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
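The keying policy stated in the 1.155 entry (no manual SAs with AES-CTR, AES-GCM or AES-GMAC) and the key sizes listed in the 1.149 entry above (the 32-bit nonce is counted in the key: 160, 224 and 288 bits), as an added example written for this page. It is not ipsecctl's code and is Python rather than parse.y's C; the CBC and HMAC key sizes in the tables, the error wording and the function names are this example's assumptions and were not copied from parse.y.

```python
"""Added example, not ipsecctl's code: validating a manually keyed SA the
way the 1.155 and 1.149 commits describe. Sizes for the CBC/HMAC entries
are assumed conventional values; the function names are this example's."""
from typing import Dict, Tuple

# enc algorithm -> (expected key bits, may only be negotiated by IKE)
ENC_ALGS: Dict[str, Tuple[int, bool]] = {
    "aes-128":      (128, False),   # AES-CBC, usable with static keys (1.106)
    "aes-192":      (192, False),
    "aes-256":      (256, False),
    "3des-cbc":     (192, False),
    "null":         (0,   False),   # ESP+NULL, integrity only (1.120)
    "aes-128-ctr":  (160, True),    # counter mode: a repeated nonce is fatal (RFC 3686)
    "aes-192-ctr":  (224, True),
    "aes-256-ctr":  (288, True),
    "aes-128-gcm":  (160, True),    # 128-bit key + 32-bit nonce (RFC 4106)
    "aes-192-gcm":  (224, True),
    "aes-256-gcm":  (288, True),
    "aes-128-gmac": (160, True),    # no confidentiality, AH-like with NAT-T (RFC 4543)
    "aes-192-gmac": (224, True),
    "aes-256-gmac": (288, True),
}

# auth algorithm -> expected key bits (assumed conventional HMAC key lengths)
AUTH_ALGS: Dict[str, int] = {
    "hmac-md5": 128,
    "hmac-sha1": 160,
    "hmac-sha2-256": 256,
    "hmac-sha2-384": 384,
    "hmac-sha2-512": 512,
}


def key_bits(hexkey: str) -> int:
    """'0x' + hex digits -> key length in bits; rejects odd-length or non-hex input."""
    if not hexkey.startswith("0x"):
        raise ValueError("key must be given as 0x... hex")
    digits = hexkey[2:]
    if not digits or len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("key is not an even number of hex digits")
    return len(digits) * 4


def validate_manual_sa(enc: str, enckey: str = "", auth: str = "", authkey: str = "") -> str:
    """Return 'ok', or the reason a static SA with these parameters is refused.
    As in the 1.87 change, a size mismatch reports the size actually given."""
    if enc not in ENC_ALGS:
        return f"unknown enc algorithm {enc}"
    want, negotiated_only = ENC_ALGS[enc]
    if negotiated_only:
        return f"{enc} can not be used with static keys (RFC 3686/4106/4543); use an ike rule"
    try:
        if want:
            got = key_bits(enckey)
            if got != want:
                return f"{enc}: wrong enc key size {got} bits, need {want}"
        if enc == "null" and not auth:
            return "null encryption without auth protects nothing"
        if auth:
            if auth not in AUTH_ALGS:
                return f"unknown auth algorithm {auth}"
            got = key_bits(authkey)
            if got != AUTH_ALGS[auth]:
                return f"{auth}: wrong auth key size {got} bits, need {AUTH_ALGS[auth]}"
    except ValueError as e:
        return str(e)
    return "ok"


if __name__ == "__main__":
    # Constructed keys: all-zero placeholders of the right length, not real material.
    print(validate_manual_sa("aes-128", "0x" + "00" * 16, "hmac-sha1", "0x" + "00" * 20))
    print(validate_manual_sa("aes-256-gcm", "0x" + "00" * 36))
    print(validate_manual_sa("aes-128", "0x" + "00" * 24))
```

The refusal of counter-mode and GCM with static keys is not a style choice: those modes derive a per-packet nonce from a counter that restarts at zero whenever the SA is re-installed with the same key, and two packets under one key and nonce leak the keystream (and, for GCM, the authentication key). Only a rekeying protocol such as IKE keeps that from happening.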
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
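The "last rule wins" hazard described in the 1.144 entry above (isakmpd has one default peer, so a later `ike` rule without a peer silently replaces the configuration of an earlier one), as an added example that is not ipsecctl's code and is written in Python rather than parse.y's C. The dictionary representation of a rule, the set of fields compared and the warning text are this example's assumptions.

```python
"""Added example, not ipsecctl's code: warn when two 'ike' rules that both
use the default peer ask for different settings (the 1.144 behaviour).
Rule representation and field names are this example's own."""
from typing import Dict, List, Optional

IkeRule = Dict[str, str]


def uses_default_peer(rule: IkeRule) -> bool:
    """No peer, or an explicit 'peer any' (1.142), means the isakmpd Default= peer."""
    return rule.get("peer", "") in ("", "any")


def default_peer_conflicts(rules: List[IkeRule]) -> List[str]:
    """Return one warning per rule that redefines the default peer differently
    from the first rule that defined it. Traffic selectors (src/dst) are
    excluded from the comparison because they legitimately differ per rule;
    every other setting (auth, mode, lifetimes, transforms, ...) must match,
    since only the last one will actually reach isakmpd."""
    ignore = {"src", "dst", "peer"}
    first: Optional[IkeRule] = None
    first_idx = 0
    warnings: List[str] = []
    for idx, rule in enumerate(rules, 1):
        if not uses_default_peer(rule):
            continue
        settings = {k: v for k, v in rule.items() if k not in ignore}
        if first is None:
            first, first_idx = settings, idx
            continue
        if settings != first:
            keys = sorted(set(first) | set(settings))
            diff = ", ".join(f"{k}: {first.get(k, '-')} -> {settings.get(k, '-')}"
                             for k in keys if first.get(k) != settings.get(k))
            warnings.append(
                f"rule {idx} changes the default peer configured by rule {first_idx} ({diff})")
    return warnings


if __name__ == "__main__":
    # Constructed ruleset: rules 1 and 2 agree, rule 3 silently overrides them,
    # rule 4 names a peer and is unaffected.
    sample = [
        {"src": "192.168.1.0/24", "dst": "any", "auth": "rsasig", "mode": "main"},
        {"src": "192.168.2.0/24", "dst": "any", "peer": "any", "auth": "rsasig", "mode": "main"},
        {"src": "192.168.3.0/24", "dst": "any", "auth": "psk", "mode": "aggressive"},
        {"src": "10.0.0.0/8", "dst": "any", "peer": "203.0.113.5", "auth": "psk"},
    ]
    for w in default_peer_conflicts(sample):
        print("warning:", w)
```

The practical consequence is the one the commit message points at: a stricter peer policy written first (say rsasig, main mode) can be downgraded for every default-peer rule by a looser rule added later in the same file, so the warning deserves to be treated as an error in new configurations.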
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
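The ID-type autodetection described in the 1.122, 1.146 and 1.140 entries (an IPv4 or IPv6 literal gets an address ID type instead of being treated as an FQDN, and a trailing `/prefix` selects the `_SUBNET` variant, so `a.b.c.d` and `a.b.c.d/32` produce different ID types for interop), as an added example written for this page. It is not ipsecctl's code and is Python rather than parse.y's C; the type names are the ISAKMP identification type names, while the function names, the UFQDN rule for `user@host` and the masking of stray host bits are this example's own choices.

```python
"""Added example, not ipsecctl's own code: choose the IKE ID type for an
srcid/dstid or address string as the 1.122/1.140/1.146 commits describe.
Function names and the handling of host bits are this example's choices."""
import ipaddress
from typing import Tuple


def id_type(ident: str) -> Tuple[str, str]:
    """Return (ID type, canonical value) for an ipsec.conf srcid/dstid or address."""
    ident = ident.strip()
    if not ident or any(c.isspace() for c in ident):
        raise ValueError(f"bad id: {ident!r}")
    if "/" in ident:
        # strict=False masks stray host bits ('10.0.0.1/24' -> '10.0.0.0/24');
        # this is an assumption of the example, a stricter parser could reject them.
        net = ipaddress.ip_network(ident, strict=False)
        kind = "IPV4_ADDR_SUBNET" if net.version == 4 else "IPV6_ADDR_SUBNET"
        return kind, str(net)
    try:
        addr = ipaddress.ip_address(ident)
    except ValueError:
        addr = None
    if addr is not None:
        return ("IPV4_ADDR" if addr.version == 4 else "IPV6_ADDR"), str(addr)
    if "@" in ident:
        return "UFQDN", ident
    return "FQDN", ident


def same_host(a: str, b: str) -> bool:
    """True when two address-style IDs cover exactly one identical host even
    though their ID types differ ('10.0.0.1' vs '10.0.0.1/32'). This is the
    interop knob from 1.140: the selector stays the same, only the ID type
    sent to the peer changes."""
    ta, va = id_type(a)
    tb, vb = id_type(b)
    if "ADDR" not in ta or "ADDR" not in tb:
        return False
    na = ipaddress.ip_network(va, strict=False)
    nb = ipaddress.ip_network(vb, strict=False)
    return na == nb and na.num_addresses == 1


if __name__ == "__main__":
    # Constructed inputs covering each branch.
    for ident in ("10.0.0.1", "10.0.0.1/32", "2001:db8::1", "2001:db8::/64",
                  "gw.example.com", "alice@example.com"):
        print(ident, "->", id_type(ident))
    print(same_host("10.0.0.1", "10.0.0.1/32"))
```

When a peer rejects a phase 2 proposal with an ID-type mismatch, the fix is usually to switch between the two spellings rather than to loosen the selector, since both forms describe the same single host.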
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule sourace and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when choosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0 skip link-locals for now, to be handled separately later ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic - IPv6 parsing for only v6 host addresses - checks for dst <-> src address family sanity ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \ key 0xbeefdead:0xdeadbeef expands now to: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.175 |
|
07-Nov-2018 |
miko |
sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rules contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Originial idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammers soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule sourace and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when choosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0 skip link-locals for now, to be handled separately later ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic - IPv6 parsing for only v6 host addresses - checks for dst <-> src address family sanity ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to seperat function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip adresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.174 |
|
01-Nov-2018 |
sashan |
- odd condition/test in PF lexer (and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0. skip link-locals for now, to be handled separately later. ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip adresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@ cvs: ----------------------------------------------------------------------
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order hshoexer will add back in the contraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specficiation of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and " auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \ key 0xbeefdead:0xdeadbeef expands now to: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support for tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.173 |
|
11-Jul-2018 |
krw |
Do for most running out of memory err() what was done for most running out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition.
ok henning@
|
#
1.172 |
|
09-Jul-2018 |
krw |
No need to mention which memory allocation entry point failed (malloc, calloc or strdup), we just need to log that we ran out of memory in a particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
#
1.171 |
|
08-Jul-2018 |
krw |
Be consistent in warn() and log_warn() usage when running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This is what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability. default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness' sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP. ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt. Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that the aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
    quick enc aes-256-gcm \
    psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow specifying ike and flow explicitly without a peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows choosing between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", i.e. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification. tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@. OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing numbers out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows). ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful when AH cannot be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping SAs
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out, RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file cannot be opened or the provided key is not of the correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules. "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow specifying phase 1 and 2 lifetimes. Right now, these values can only be set globally (i.e. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0. skip link-locals for now, to be handled separately later. ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)'s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv). late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y. ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow specifying groups to be used by IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@. tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows specifying the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free(). ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \ key 0xbeefdead:0xdeadbeef expands now to: tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.170 |
|
26-Apr-2018 |
krw |
Plug leak in error case of the common 'varset' implementations.
ok benno@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that the aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
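The two constraints above (GCM/GMAC key sizes from 1.149, no static keys for AES-CTR/GCM/GMAC from 1.155) as an added example, not ipsecctl's own parser: a small checker for a one-line manual "esp" rule. The keyword set, the "aes-128/192/256" and "3des-cbc" key sizes, and the one-line rule format are assumptions of this example.

```python
# Added example, not ipsecctl source: validate the "enc" transform and enckey
# of a manually keyed esp rule against commits 1.149 and 1.155.
import re

# Key sizes in bits per "enc" transform. GCM/GMAC sizes are the AES key plus
# a 32-bit nonce, as listed in commit 1.149. The aes-{128,192,256} (CBC) and
# 3des-cbc sizes are the plain cipher key sizes (assumed, not from the log).
KEY_BITS = {
    "aes-128-gcm": 160, "aes-192-gcm": 224, "aes-256-gcm": 288,
    "aes-128-gmac": 160, "aes-192-gmac": 224, "aes-256-gmac": 288,
    "aes-128": 128, "aes-192": 192, "aes-256": 256,
    "3des-cbc": 192,
}

# Modes that RFCs 3686, 4106 and 4543 forbid with static keys (commit 1.155):
# reusing a nonce under a fixed key breaks them.
NO_MANUAL_KEYING = ("-ctr", "-gcm", "-gmac")

# Keywords this toy parser understands (assumed subset of ipsec.conf syntax).
KEYWORDS = ("from", "to", "spi", "auth", "enc", "authkey", "enckey")


def parse_rule(text: str) -> dict:
    """Tokenize 'esp from A to B spi S [auth X] [enc E] [authkey K] [enckey K]'
    into a keyword -> value dict; backslash-newline continuations are joined."""
    words = text.replace("\\\n", " ").split()
    if not words or words[0] != "esp":
        raise ValueError("only manual esp rules are handled here")
    rule = {"proto": words[0]}
    i = 1
    while i < len(words):
        kw = words[i]
        if kw not in KEYWORDS or i + 1 >= len(words):
            raise ValueError(f"syntax error near {kw!r}")
        rule[kw] = words[i + 1]
        i += 2
    return rule


def key_bits(key_hex: str) -> int:
    """Size in bits of a 0x-prefixed hex key, or -1 if it is not hex."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", key_hex):
        return -1
    return (len(key_hex) - 2) * 4


def check_manual_esp(text: str) -> str:
    """Return 'ok' or a one-line reason the manual SA rule is rejected."""
    rule = parse_rule(text)
    enc = rule.get("enc")
    if enc is None:
        return "ok"  # auth-only ESP: nothing to check for enc here
    if enc.endswith(NO_MANUAL_KEYING):
        return f"{enc}: not allowed with static keys (RFC 3686/4106/4543)"
    expected = KEY_BITS.get(enc)
    if expected is None:
        return f"{enc}: unknown transform"
    key = rule.get("enckey")
    if key is None:
        return f"{enc}: enckey required for a manual SA"
    got = key_bits(key)
    if got != expected:
        # commit 1.87: report the actual key size, not only "wrong size"
        return f"{enc}: enckey is {got} bits, expected {expected}"
    return "ok"


if __name__ == "__main__":
    # Constructed sample rules (addresses and keys are made up).
    print(check_manual_esp("esp from 10.0.0.1 to 10.0.0.2 spi 0x1000 "
                           "enc aes-256-gcm enckey 0x" + "ab" * 36))
    print(check_manual_esp("esp from 10.0.0.1 to 10.0.0.2 spi 0x1000 "
                           "auth hmac-sha1 enc aes-128 "
                           "authkey 0x" + "11" * 20 + " enckey 0x" + "22" * 16))
```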
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines. problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432. applied to all the others by yours truly. ok theo. isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rule contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing number out of the stream. handle this in the parser. better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure, we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0
skip link-locals for now, to be handled separately later
ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv) late ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used by IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free() ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. Ie. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexermk
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
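The reverse-SA expansion described in 1.12 as an added example, not ipsecctl's own code: an "in:out" SPI pair (and optional "in:out" key pair, optional because 1.8 allows deleting without a key) expands into a forward rule and a swapped reverse rule, with SPIs printed in the 8-digit form shown above. Accepting esp and ah rules with the same shape is an assumption of this example, as is the rule syntax the regular expression admits.

```python
# Added example, not ipsecctl source: expand a manual SA rule with in:out
# SPI/key pairs into one forward and one reverse single-direction rule.
import re

# Assumed rule shape: "<proto> from <src> to <dst> spi <in[:out]> [key <in[:out]>]"
RULE_RE = re.compile(
    r"^(?P<proto>tcpmd5|esp|ah)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+spi\s+(?P<spi>\S+)(?:\s+key\s+(?P<key>\S+))?$"
)


def split_pair(field: str):
    """'0x2000:0x2001' -> ('0x2000', '0x2001'); '0x2000' -> ('0x2000', None)."""
    parts = field.split(":")
    if len(parts) > 2 or "" in parts:
        raise ValueError(f"bad in:out pair {field!r}")
    return parts[0], (parts[1] if len(parts) == 2 else None)


def fmt_spi(spi: str) -> str:
    """Normalise an SPI to the 8-digit form ipsecctl prints (0x00002000)."""
    value = int(spi, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"SPI out of range: {spi}")
    return "0x%08x" % value


def fmt_rule(proto: str, src: str, dst: str, spi: str, key) -> str:
    """Render one single-direction rule; the key is omitted when absent."""
    rule = f"{proto} from {src} to {dst} spi {fmt_spi(spi)}"
    return rule + (f" key {key}" if key else "")


def expand_sa_rule(text: str) -> list:
    """Return the one or two single-direction rules a manual SA rule expands to.

    Backslash-newline continuations and runs of whitespace are collapsed first.
    The first SPI/key belong to src -> dst; the second, if present, to the
    reverse SA dst -> src (commit 1.12).
    """
    m = RULE_RE.match(" ".join(text.replace("\\\n", " ").split()))
    if not m:
        raise ValueError("syntax error")
    spi_in, spi_out = split_pair(m["spi"])
    key_in, key_out = split_pair(m["key"]) if m["key"] else (None, None)
    rules = [fmt_rule(m["proto"], m["src"], m["dst"], spi_in, key_in)]
    if spi_out is not None:
        if key_in is not None and key_out is None:
            raise ValueError("two SPIs given but only one key")
        rules.append(fmt_rule(m["proto"], m["dst"], m["src"], spi_out, key_out))
    elif key_out is not None:
        raise ValueError("two keys given but only one SPI")
    return rules


if __name__ == "__main__":
    # The rule from the commit message, including its line continuation.
    for line in expand_sa_rule("tcpmd5 from 192.168.3.28 to 192.168.3.14 "
                               "spi 0x2000:0x2001 \\\nkey 0xbeefdead:0xdeadbeef"):
        print(line)
```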
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|
#
1.169 |
|
27-Oct-2017 |
mpi |
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.
ok visa@, markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.168 |
|
19-Apr-2017 |
bluhm |
Rename all SA groups to bundles consistently. The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
|
#
1.167 |
|
14-Apr-2017 |
bluhm |
Up to now ipsecctl(8) grouped SAs with identical src and dst to the flow which the first SA matched by the flow type. This behaviour was mostly undocumented and unexpected. Make SA bundles explicit in ipsec.conf(5). Only group SAs that have the same src and dst and also the same bundle identifier. OK hshoexer@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.166 |
|
05-Jan-2017 |
krw |
Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ with more modern TAILQ_FOREACH(). This what symget() was already doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.165 |
|
21-Jun-2016 |
benno |
do not allow whitespace in macro names, i.e. "this is" = "a variable". change this in all config parsers in our tree that support macros. problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@ ok florian@ mikeb@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.164 |
|
09-Dec-2015 |
naddy |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
1.163 |
|
04-Nov-2015 |
mikeb |
Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.162 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.161 |
|
20-Nov-2014 |
jsg |
Don't allow embedded nul characters in strings. Fixes a pfctl crash with an anchor name containing an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
#
1.160 |
|
04-Nov-2014 |
doug |
Add gcc format attributes to ipsecctl's parse.y. Also, fix a few format characters.
ok sthen@ naddy@ markus@
|
Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.159 |
|
22-Jan-2014 |
henning |
relax the cfg file secrecy check slightly to allow group readability default permissions and mtree NOT changed. prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
#
1.158 |
|
25-Nov-2013 |
benno |
use u_char for buffers in yylex, for ctype calls found by millert@, ok deraadt@
|
#
1.157 |
|
22-Nov-2013 |
deraadt |
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.156 |
|
10-Jul-2012 |
lteo |
Rename "life" to "lifetime" to match iked.
ok mikeb naddy sthen; procedures ok henning
|
#
1.155 |
|
08-Jul-2012 |
naddy |
Disallow manual security associations that use AES-CTR, AES-GCM, or AES-GMAC. These algorithms cannot be used safely with static keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for completeness sake.
ok mikeb@
|
#
1.154 |
|
07-Jul-2012 |
naddy |
copy&paste mistake in error message
|
#
1.153 |
|
30-Jun-2012 |
naddy |
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
|
Revision tags: OPENBSD_5_1_BASE
|
#
1.152 |
|
20-Dec-2011 |
mikeb |
unsigned long should use "%lu" format; from eric lax, thanks
|
Revision tags: OPENBSD_5_0_BASE
|
#
1.151 |
|
06-Jul-2011 |
deraadt |
For non-crypted flows (such as ipcomp and ipip), default their type (if not specified) to "use" instead of "require". (since they will not get a key...) ok mikeb claudio
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.150 |
|
06-Oct-2010 |
mikeb |
Retire Skipjack
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
|
#
1.149 |
|
22-Sep-2010 |
mikeb |
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.148 |
|
03-Aug-2010 |
henning |
fix linecount bug with comments spanning multiple lines problem reported with the obvious fix for bgpd by Sebastian Benoit <benoit-lists at fb12.de>, also PR 6432 applied to all the others by yours truly. ok theo isn't it amazing how far this parser (and more) spread?
|
#
1.147 |
|
10-May-2010 |
krw |
Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.146 |
|
04-Aug-2009 |
jsing |
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN.
ok hshoexer@ markus@ todd@
|
Revision tags: OPENBSD_4_6_BASE
|
#
1.145 |
|
31-Mar-2009 |
tobias |
Fixed memory leaks which would occur if the second of two memory allocations fails.
looks right deraadt, krw ok henning
|
Revision tags: OPENBSD_4_5_BASE
|
#
1.144 |
|
30-Jan-2009 |
bluhm |
If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed.
ok hshoexer@, todd@
|
#
1.143 |
|
29-Jan-2009 |
bluhm |
After checking that peer == NULL do not assign peer = NULL a few lines later. No functional change.
ok grunk@, hshoexer@
|
#
1.142 |
|
28-Jan-2009 |
bluhm |
Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
#
1.141 |
|
20-Jan-2009 |
mpf |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
|
#
1.140 |
|
14-Nov-2008 |
hshoexer |
When parsing v4 addresses mark them as network addresses (IPV4_ADDR_SUBNET) when they contain a '/'.
This allows to choose between IPV4_ADDR and IPV4_ADDR_SUBNET by adding "/32", ie. "a.b.c.d" vs. "a.b.c.d/32". This helps to interop with other IKE implementations.
From Mitja Muzenic <mitja at muzenic dot net>, thanks!
Idea supported by markus@ and jdixon@.
|
#
1.139 |
|
17-Oct-2008 |
henning |
findeol() fix from pfctl
|
Revision tags: OPENBSD_4_4_BASE
|
#
1.138 |
|
01-Jul-2008 |
bluhm |
If a rules contains a hostname instead of an address, use the list of all possible addresses from DNS and not only the first one. So during expansion, the right address family can be chosen and regression test ike56 passes again. There localhost resolves to 127.0.0.1 and ::1. ok hshoexer
|
#
1.137 |
|
01-Jul-2008 |
bluhm |
If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer
|
#
1.136 |
|
14-Jun-2008 |
bluhm |
Move ike and flow peer selection to common function. No functional change yet. ok hshoexer
|
#
1.135 |
|
11-Jun-2008 |
bluhm |
trivial code simplification tested and ok hshoexer, grunk
|
#
1.134 |
|
11-Apr-2008 |
reyk |
add support for the "include" directive using code from pfctl/parse.y.
pointed out by Prabhu Gurumurthy
ok deraadt@
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.133 |
|
22-Feb-2008 |
hshoexer |
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys!
ok todd@
|
#
1.132 |
|
12-Nov-2007 |
mpf |
Remove space/tab compression function from lgetc() and replace it with a simple filter in the yylex() loop. The compression in lgetc() didn't happen for quoted strings, thus creating a regression when tabs were used in variables. Some testing by todd@ and pyr@ OK deraadt@
|
#
1.131 |
|
22-Oct-2007 |
pyr |
sync with daemon parser code. ok deraadt@
|
#
1.130 |
|
16-Oct-2007 |
mpf |
Allow '=' to end a number in all lexers. Requested and OK deraadt@
|
#
1.129 |
|
16-Oct-2007 |
deraadt |
in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). pointed out by mpf, discussed with pyr
|
#
1.128 |
|
13-Oct-2007 |
deraadt |
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
|
#
1.127 |
|
11-Oct-2007 |
deraadt |
next step in the yylex unification: handle quoted strings in a nicer fashion as found in hoststated, and make all the code diff as clean as possible. a few issues remain mostly surrounding include support, which will likely be added to more of the grammars soon. ok norby pyr, others
|
#
1.126 |
|
12-Sep-2007 |
hshoexer |
Here too: Add support to the lex for parsing numbers out of the stream. Handle this in the parser. Better range checks.
with and ok deraadt@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.125 |
|
10-Aug-2007 |
markus |
duplicate strdup; ok hshoexer
|
#
1.124 |
|
03-Jul-2007 |
markus |
allow proto esp/ah in flow specification (especially useful for bypass flows) ok hshoexer, mpf
|
#
1.123 |
|
10-May-2007 |
hshoexer |
Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks!
Slightly different fix. Also add a regression test.
ok mpf@
|
#
1.122 |
|
16-Mar-2007 |
markus |
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.121 |
|
26-Feb-2007 |
todd |
Really, we don't need two grp18's ;-) ok hshoexer@ and markus@
|
#
1.120 |
|
19-Feb-2007 |
hshoexer |
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks!
ok markus@
|
#
1.119 |
|
19-Feb-2007 |
hshoexer |
undo previous commit and keep the original behaviour of the parser.
asked for by deraadt@
|
#
1.118 |
|
16-Feb-2007 |
hshoexer |
Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks!
ok markus@ cloder@ (uhm, quite some time ago)
|
#
1.117 |
|
10-Jan-2007 |
markus |
allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
|
#
1.116 |
|
04-Jan-2007 |
markus |
don't pass -1 as a netmask; report vicviq at gmail.com
|
#
1.115 |
|
02-Jan-2007 |
itojun |
better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
|
#
1.114 |
|
24-Nov-2006 |
reyk |
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@
|
#
1.113 |
|
13-Nov-2006 |
mcbride |
Handle rules with addresses from mismatched address families correctly.
ok msf@
|
#
1.112 |
|
10-Nov-2006 |
msf |
check both rule source and destination when grouping sa's
fixes PR5262
ok hshoexer@
|
#
1.111 |
|
10-Nov-2006 |
hshoexer |
Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.
|
#
1.110 |
|
01-Nov-2006 |
mcbride |
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
|
#
1.109 |
|
22-Sep-2006 |
hshoexer |
typo in err(); from bret.lambert@gmail.com, thanks!
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.108 |
|
18-Jun-2006 |
hshoexer |
branches: 1.108.2; add group "none"; when chosen, pfs will be disabled.
ok david msf
|
#
1.107 |
|
16-Jun-2006 |
hshoexer |
report the correct line number on an error. Noticed by david@
|
#
1.106 |
|
11-Jun-2006 |
hshoexer |
As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default.
ok naddy@
|
#
1.105 |
|
10-Jun-2006 |
hshoexer |
Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@
|
#
1.104 |
|
10-Jun-2006 |
deraadt |
knf & careful data freeing, regression tested by todd
|
#
1.103 |
|
08-Jun-2006 |
hshoexer |
fix some indentation, noticed by david@
|
#
1.102 |
|
08-Jun-2006 |
naddy |
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
|
#
1.101 |
|
08-Jun-2006 |
todd |
turns out this really doesn't break what is in the tree; ok hshoexer@
|
#
1.100 |
|
07-Jun-2006 |
hshoexer |
make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@.
|
#
1.99 |
|
07-Jun-2006 |
hshoexer |
Do not yet expand the "any" keyword to v6 addresses. ok todd@
|
#
1.98 |
|
07-Jun-2006 |
hshoexer |
remove unused prototype, ok todd@
|
#
1.97 |
|
02-Jun-2006 |
naddy |
support tcp/udp port modifiers in ike rules; "put it in if it doesn't break regress" hshoexer@
|
#
1.96 |
|
02-Jun-2006 |
hshoexer |
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (i.e. Default-phase-[12]-lifetime).
|
#
1.95 |
|
02-Jun-2006 |
hshoexer |
simplify handling of peers.
|
#
1.94 |
|
02-Jun-2006 |
hshoexer |
some more cleanup and simplification, no functional change.
|
#
1.93 |
|
02-Jun-2006 |
hshoexer |
put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life.
|
#
1.92 |
|
02-Jun-2006 |
hshoexer |
Simplify main/quick mode parsing and generation of the actual ike config.
|
#
1.91 |
|
02-Jun-2006 |
hshoexer |
Generalize parsing of main/quick mode specification. Preparation for lifetime support.
|
#
1.90 |
|
02-Jun-2006 |
hshoexer |
Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet.
|
#
1.89 |
|
01-Jun-2006 |
hshoexer |
Final bits for SA grouping.
|
#
1.88 |
|
01-Jun-2006 |
naddy |
Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8
ok hshoexer@ msf@
|
#
1.87 |
|
01-Jun-2006 |
markus |
print actual key size when warning about the wrong key size; ok hshoexer
|
#
1.86 |
|
01-Jun-2006 |
deraadt |
spacing
|
#
1.85 |
|
01-Jun-2006 |
hshoexer |
knf
|
#
1.84 |
|
01-Jun-2006 |
todd |
add more v6 support, this round `any' expands additionally to ::/0. skip link-locals for now, to be handled separately later. ok hshoexer@
|
#
1.83 |
|
01-Jun-2006 |
hshoexer |
When no peer is specified, make this rule a "catch-all" rule for any remote peer. Similar to isakmpd(8)s "Default=" tag.
|
#
1.82 |
|
31-May-2006 |
hshoexer |
white spaces
|
#
1.81 |
|
31-May-2006 |
todd |
add basic
- IPv6 parsing for only v6 host addresses
- checks for dst <-> src address family sanity
ok hshoexer@
|
#
1.80 |
|
29-May-2006 |
hshoexer |
enable lists.
This allows rules like:
ike from em0 to { 192.168.7.0/24, 192.168.9.0/24 } peer 1.2.3.4
This will setup two tunnels to the networks 192.168.7.0/24 and 192.168.9.0/24.
|
#
1.79 |
|
29-May-2006 |
hshoexer |
Provide functions for copying members of rules. Implement copyrule() function to copy a single rule. Use that for rule expansion.
|
#
1.78 |
|
29-May-2006 |
hshoexer |
unify code a little bit (consistent variable names).
|
#
1.77 |
|
29-May-2006 |
hshoexer |
Also return proper list of addresses for interface groups.
As usual, this and the previous commit reused suitable code from the tree (pfctl).
|
#
1.76 |
|
29-May-2006 |
hshoexer |
As the rule expansion is now aware of host lists, host_if() has to return a proper list of addresses bound to an interface.
|
#
1.75 |
|
29-May-2006 |
hshoexer |
teach expand_rule() to iterate over host lists, not used yet.
|
#
1.74 |
|
29-May-2006 |
hshoexer |
fix rule numbering (for -vv); let ikerule also use expand_rule
|
#
1.73 |
|
29-May-2006 |
hshoexer |
merge expand_sa() and expand_rule().
|
#
1.72 |
|
29-May-2006 |
hshoexer |
move generation of reverse flow rules to separate function.
|
#
1.71 |
|
29-May-2006 |
hshoexer |
unify expansion of SA rules. Needed for general rule expansion.
|
#
1.70 |
|
28-May-2006 |
hshoexer |
when parsing host specifications, initialize host address queue pointers, not used yet.
|
#
1.69 |
|
28-May-2006 |
hshoexer |
prepare for rule expansion. Get rid of addr_node, link struct ipsec_addr_wrap directly.
|
#
1.68 |
|
28-May-2006 |
todd |
add ERANGE error detection, found when looking at bgpd's parse.y; ok hshoexer@
|
#
1.67 |
|
27-May-2006 |
hshoexer |
allow to specify groups to be used by IKE
|
#
1.66 |
|
26-May-2006 |
deraadt |
\<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning
|
#
1.65 |
|
15-May-2006 |
deraadt |
permit proto 0; ok hshoexer
|
#
1.64 |
|
11-May-2006 |
hshoexer |
fix some spelling; noticed by david@
|
#
1.63 |
|
20-Apr-2006 |
hshoexer |
constify char *infile here, too. noticed by lint.
|
#
1.62 |
|
19-Apr-2006 |
hshoexer |
add support for interface groups.
|
#
1.61 |
|
19-Apr-2006 |
hshoexer |
small cleanup: no need to strdup here.
|
#
1.60 |
|
19-Apr-2006 |
hshoexer |
"type" keyword to specify flow type (require, use, etc.)
|
#
1.59 |
|
19-Apr-2006 |
hshoexer |
add hostname resolver.
at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth
|
#
1.58 |
|
13-Apr-2006 |
hshoexer |
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords.
ok markus@
|
#
1.57 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for ike; ok hshoexer
|
#
1.56 |
|
31-Mar-2006 |
markus |
allow specification of encapsulated protocol for flows; ok hshoexer
|
#
1.55 |
|
30-Mar-2006 |
hshoexer |
when resolving interface names to ip addresses, set netmask to all bits 1
|
#
1.54 |
|
30-Mar-2006 |
markus |
allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk
|
#
1.53 |
|
22-Mar-2006 |
reyk |
add support for macros in ipsec.conf(5). some bits have already been there.
requested by david@ ok hshoexer@, msf@
|
#
1.52 |
|
07-Mar-2006 |
reyk |
add support for special "bypass" and "deny" flows.
ok hshoexer@, thanks jmc@
|
#
1.51 |
|
07-Mar-2006 |
reyk |
add an ike option for road warrior setups (hosts with dynamic ip addresses).
"ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines).
ok hshoexer@, looks fine markus@, jmc@
|
Revision tags: OPENBSD_3_9_BASE
|
#
1.50 |
|
20-Jan-2006 |
naddy |
initialize authtype->string in case of RSA to avoid bad free(); ok reyk@ hshoexer@
|
#
1.49 |
|
17-Jan-2006 |
reyk |
wrap long lines (no binary change)
|
#
1.48 |
|
16-Jan-2006 |
reyk |
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default.
ok hshoexer@, manpage ok jmc@
|
#
1.47 |
|
12-Dec-2005 |
hshoexer |
Correctly copy interface names; fixes breakage noticed by naddy@
ok naddy@
|
#
1.46 |
|
06-Dec-2005 |
markus |
ipip support: ip-in-ip w/o gif(4); ok hshoexer
|
#
1.45 |
|
01-Dec-2005 |
deraadt |
spacing
|
#
1.44 |
|
27-Nov-2005 |
hshoexer |
sanity check constraints for transforms. ok deraadt@
|
#
1.43 |
|
27-Nov-2005 |
deraadt |
truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language
|
#
1.42 |
|
26-Nov-2005 |
hshoexer |
allow specification of encryption and authentication algorithms to be swapped. I.e. both "enc 3des-cbc auth hmac-sha1" and "auth hmac-sha1 enc 3des-cbc" are valid.
|
#
1.41 |
|
24-Nov-2005 |
hshoexer |
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
|
#
1.40 |
|
12-Nov-2005 |
hshoexer |
spacing
|
#
1.39 |
|
12-Nov-2005 |
hshoexer |
add support for interface names as host specifications
|
#
1.38 |
|
12-Nov-2005 |
deraadt |
permit TO/FROM to be swapped (symmetry is good); ok hshoexer
|
#
1.37 |
|
12-Nov-2005 |
deraadt |
simplify TAILQ walking code; ok hshoexer
|
#
1.36 |
|
12-Nov-2005 |
deraadt |
spacing
|
#
1.35 |
|
12-Nov-2005 |
deraadt |
do not stat() before open(); instead -- use fstat(); ok hshoexer
|
#
1.34 |
|
12-Nov-2005 |
hshoexer |
handle transport/tunnel mode
|
#
1.33 |
|
06-Nov-2005 |
hshoexer |
Improved address and address mask handling, derived from pfctl stuff.
|
#
1.32 |
|
06-Nov-2005 |
hshoexer |
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
|
#
1.31 |
|
30-Oct-2005 |
hshoexer |
prepare for more flexible hostname resolver. Right now just v4, more to come (if groups, v6, dns).
|
#
1.30 |
|
30-Oct-2005 |
hshoexer |
add support for ipcomp.
|
#
1.29 |
|
28-Oct-2005 |
hshoexer |
more error message cleanup
|
#
1.28 |
|
16-Oct-2005 |
hshoexer |
Prepare for better host specification parser: dns names, interfaces, etc. But for now, just ipv4. Derived from pfctl(8).
|
#
1.27 |
|
16-Oct-2005 |
hshoexer |
Unset debug flag.
|
#
1.26 |
|
16-Oct-2005 |
hshoexer |
Add keyword "any" for addresses, reduces to "0.0.0.0/0".
|
#
1.25 |
|
16-Oct-2005 |
hshoexer |
cleanup messages generated by err(3)
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.24 |
|
22-Aug-2005 |
hshoexer |
Teach ipsecctl to control isakmpd.
ok deraadt
|
#
1.23 |
|
19-Aug-2005 |
hshoexer |
more useful error message
|
#
1.22 |
|
09-Aug-2005 |
hshoexer |
Rewrite handling of transforms. Now both ah and esp can be specified and validated correctly. Unbreaks ah.
|
#
1.21 |
|
09-Aug-2005 |
hshoexer |
Correct keysize for 3des-cbc
|
#
1.20 |
|
08-Aug-2005 |
hshoexer |
add crypto transforms and static keying rules
|
#
1.19 |
|
08-Aug-2005 |
hshoexer |
prepare for static keying
|
#
1.18 |
|
05-Aug-2005 |
hshoexer |
more key handling stuff.
|
#
1.17 |
|
05-Aug-2005 |
hshoexer |
prepare for authentication and encryption keys, not used yet.
|
#
1.16 |
|
05-Aug-2005 |
hshoexer |
simplify a bit.
|
#
1.15 |
|
02-Aug-2005 |
hshoexer |
Make use of struct ipsec_auth dynamic. Do not pass IDs to kernel when deleting flows.
|
#
1.14 |
|
24-Jul-2005 |
hshoexer |
use correct function names in error messages
|
#
1.13 |
|
24-Jul-2005 |
hshoexer |
prepare for combining SAs and flows in one single rule, no functional change yet.
|
#
1.12 |
|
23-Jul-2005 |
hshoexer |
add automatic creation of reverse SAs.
A tcpmd5 rule like:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x2000:0x2001 \
key 0xbeefdead:0xdeadbeef
expands now to:
tcpmd5 from 192.168.3.28 to 192.168.3.14 spi 0x00002000 key 0xbeefdead
tcpmd5 from 192.168.3.14 to 192.168.3.28 spi 0x00002001 key 0xdeadbeef
|
#
1.11 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying both in and out key, not used yet.
|
#
1.10 |
|
23-Jul-2005 |
hshoexer |
prepare for specifying incoming and outgoing SPIs, not used yet.
|
#
1.9 |
|
10-Jul-2005 |
hshoexer |
allow reading key from a file
|
#
1.8 |
|
09-Jul-2005 |
hshoexer |
it's ok to not specify the key when deleting a tcpmd5 SA
|
#
1.7 |
|
09-Jul-2005 |
hshoexer |
add support for tcpmd5
|
#
1.6 |
|
07-Jul-2005 |
hshoexer |
set flow type (use, require, etc.) when a rule is created. Up to now this was done while crafting the corresponding pfkey message.
|
#
1.5 |
|
07-Jul-2005 |
hshoexer |
add type for rules; will need this for tcpmd5
|
#
1.4 |
|
25-May-2005 |
hshoexer |
do not swap srcid/dstid for INOUT rules.
|
#
1.3 |
|
25-May-2005 |
hshoexer |
use bzero
|
#
1.2 |
|
04-Apr-2005 |
hshoexer |
fix cvs id tags
|
#
1.1 |
|
04-Apr-2005 |
hshoexer |
Add ipsecctl utility, work in progress
ok deraadt
|