#
1.51 |
|
23-Jan-2021 |
tobhe |
Handle write() errors.
ok patrick@
|
#
1.50 |
|
23-Jan-2021 |
tobhe |
Handle errors and truncated output from snprintf().
ok patrick@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.49 |
|
08-May-2019 |
tedu |
convert system() calls to an execv() like interface. avoids sh difficulties, etc. from Matthew Martin. ok deraadt reyk
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.48 |
|
26-Feb-2019 |
sthen |
ikectl's built-in CA command for simple configurations has a fixed certificate validity for the ca certificate. Raise this from 365 days to 4500 as expiry means installing new CA certificates on all client machines which can cause significant pain. This doesn't change the default validity for server certificates which remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate on these can be done easily without visiting all machines. ok deraadt@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.47 |
|
08-Nov-2017 |
patrick |
Since r1.41 the extensions are included in the CSR. Thus ca_request() already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.46 |
|
08-Jun-2017 |
jsg |
Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@
|
#
1.45 |
|
31-May-2017 |
jsg |
ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
#
1.44 |
|
24-May-2017 |
jsg |
Set REQ_EXT in req section so ikectl ca certificate revoke will work again.
|
#
1.43 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.42 |
|
29-Mar-2017 |
sthen |
set REQ_EXT to x509v3_CA, fixing "ikectl ca XX create" inadvertently broken in r1.41. ok reyk deraadt
|
#
1.41 |
|
31-Jan-2017 |
sthen |
Teach ikectl to include extensions in the CSR, rather than just adding them when signing the certificates by the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, they often copy extensions from the request. ok reyk@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.40 |
|
02-Nov-2015 |
jsg |
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
#
1.39 |
|
02-Nov-2015 |
jsg |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections.
Requested by and ok reyk@
|
#
1.38 |
|
02-Nov-2015 |
jsg |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
#
1.37 |
|
19-Aug-2015 |
reyk |
ca_hier() und ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
|
#
1.36 |
|
19-Aug-2015 |
reyk |
spacing
|
#
1.35 |
|
19-Aug-2015 |
reyk |
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
|
#
1.34 |
|
19-Aug-2015 |
reyk |
Use C99 integer types in ikectl(8).
OK jsg@
|
#
1.33 |
|
19-Aug-2015 |
reyk |
Support for overwriting $ENV:: variables in OpenSSL .cnf files from the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command.
Reported and tested by Jona Joachim (thanks!) OK jsg@
|
#
1.32 |
|
15-Aug-2015 |
semarie |
correct mode_t 644 to 0644
ok sthen@
|
#
1.31 |
|
15-Aug-2015 |
semarie |
corrects three err() to errx() calls - a if condition don't set errno - strlcpy(3) don't set errno (no mention is man page) - ca_readpass() already manage errno error message with warn(3)
ok sthen@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.30 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.29 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.28 |
|
25-Aug-2014 |
doug |
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.27 |
|
20-Jul-2014 |
guenther |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
#
1.26 |
|
18-Apr-2014 |
tedu |
round up some enemy sympathizers found calling RAND_seed(). ok beck reyk
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.25 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.24 |
|
08-Dec-2012 |
mikeb |
don't forget to include a path separator after an SSLDIR; reported by david hill
|
#
1.23 |
|
23-Oct-2012 |
reyk |
Allow to overwrite a few more definitions like file paths from the Makefile. No functional change.
|
#
1.22 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.21 |
|
08-Jul-2012 |
deraadt |
if you use nitems() in userland, you must define it yourself discussed with guenther
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.20 |
|
27-May-2011 |
reyk |
spacing
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.19 |
|
08-Oct-2010 |
reyk |
set the client/server certificate options with all the common keyusage and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd.
ok phessler@
|
#
1.18 |
|
08-Oct-2010 |
jsg |
check if a directory exists before trying to create it in the export case as well, spotted by mikeb
|
#
1.17 |
|
08-Oct-2010 |
jsg |
if non absolute paths are specified in install commands assume they are relative to /etc
|
#
1.16 |
|
08-Oct-2010 |
jsg |
allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.
|
#
1.15 |
|
08-Oct-2010 |
reyk |
Allow to show certificate details (show ca x cert [y]).
|
#
1.14 |
|
07-Oct-2010 |
jsg |
only try to setup a passfile when creating a CA
|
#
1.13 |
|
07-Oct-2010 |
reyk |
Allow to specify the export password on the command line (optionally, for scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
|
#
1.12 |
|
07-Oct-2010 |
reyk |
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults. - allow to specify the initial ca password on the command line to also make it scriptable. - allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server). - cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@
|
#
1.11 |
|
07-Oct-2010 |
phessler |
set saner permissions on the directory we export, so we don't change perms of /etc/iked when extracting
OK jsg@
|
#
1.10 |
|
07-Oct-2010 |
phessler |
When we create a new CA, also create an empty (but valid) CRL list. While here, set our used defaults in the config file.
OK reyk@, jsg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.9 |
|
23-Jun-2010 |
jsg |
fix the permissions on directories inside the exported tarball in the cert case.
|
#
1.8 |
|
23-Jun-2010 |
jsg |
More appropriate contents for the exported ca tarball.
|
#
1.7 |
|
23-Jun-2010 |
jsg |
Add a ca export command for EAP mode where we only require the CA cert, and make both export commands optionally take an argument that will be added to a peer.txt file in the exported output. Additionally include any site specific notes from /usr/share/iked if present.
man page bits and help with the parser from reyk
|
#
1.6 |
|
21-Jun-2010 |
jsg |
use the full path to zip
|
#
1.5 |
|
14-Jun-2010 |
jsg |
Add commands to create/delete/install/import keys without involving certificates as suggested by reyk and don't recreate private keys if a key already exists.
ok reyk@
|
#
1.4 |
|
10-Jun-2010 |
jsg |
Add a command to revoke a certificate and generate a CRL; make the ca install command install the CRL as well.
discussed with reyk@
|
#
1.3 |
|
07-Jun-2010 |
jsg |
switch iked pki files to /etc/iked, discussed with reyk.
|
#
1.2 |
|
04-Jun-2010 |
jsg |
Install the cert as well as the keys and make certs world readable as suggested by reyk@
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.49 |
|
08-May-2019 |
tedu |
convert system() calls to an execv() like interface. avoids sh difficulties, etc. from Matthew Martin. ok deraadt reyk
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.48 |
|
26-Feb-2019 |
sthen |
ikectl's built-in CA command for simple configurations has a fixed certificate validity for the ca certificate. Raise this from 365 days to 4500 as expiry means installing new CA certificates on all client machines which can cause significant pain. This doesn't change the default validity for server certificates which remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate on these can be done easily without visiting all machines. ok deraadt@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.47 |
|
08-Nov-2017 |
patrick |
Since r1.41 the extensions are included in the CSR. Thus ca_request() already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.46 |
|
08-Jun-2017 |
jsg |
Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@
|
#
1.45 |
|
31-May-2017 |
jsg |
ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
#
1.44 |
|
24-May-2017 |
jsg |
Set REQ_EXT in req section so ikectl ca certificate revoke will work again.
|
#
1.43 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.42 |
|
29-Mar-2017 |
sthen |
set REQ_EXT to x509v3_CA, fixing "ikectl ca XX create" inadvertently broken in r1.41. ok reyk deraadt
|
#
1.41 |
|
31-Jan-2017 |
sthen |
Teach ikectl to include extensions in the CSR, rather than just adding them when signing the certificates by the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, they often copy extensions from the request. ok reyk@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.40 |
|
02-Nov-2015 |
jsg |
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
#
1.39 |
|
02-Nov-2015 |
jsg |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections.
Requested by and ok reyk@
|
#
1.38 |
|
02-Nov-2015 |
jsg |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
#
1.37 |
|
19-Aug-2015 |
reyk |
ca_hier() und ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
|
#
1.36 |
|
19-Aug-2015 |
reyk |
spacing
|
#
1.35 |
|
19-Aug-2015 |
reyk |
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
|
#
1.34 |
|
19-Aug-2015 |
reyk |
Use C99 integer types in ikectl(8).
OK jsg@
|
#
1.33 |
|
19-Aug-2015 |
reyk |
Support for overwriting $ENV:: variables in OpenSSL .cnf files from the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command.
Reported and tested by Jona Joachim (thanks!) OK jsg@
|
#
1.32 |
|
15-Aug-2015 |
semarie |
correct mode_t 644 to 0644
ok sthen@
|
#
1.31 |
|
15-Aug-2015 |
semarie |
corrects three err() to errx() calls - a if condition don't set errno - strlcpy(3) don't set errno (no mention is man page) - ca_readpass() already manage errno error message with warn(3)
ok sthen@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.30 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.29 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.28 |
|
25-Aug-2014 |
doug |
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.27 |
|
20-Jul-2014 |
guenther |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
#
1.26 |
|
18-Apr-2014 |
tedu |
round up some enemy sympathizers found calling RAND_seed(). ok beck reyk
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.25 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.24 |
|
08-Dec-2012 |
mikeb |
don't forget to include a path separator after an SSLDIR; reported by david hill
|
#
1.23 |
|
23-Oct-2012 |
reyk |
Allow to overwrite a few more definitions like file paths from the Makefile. No functional change.
|
#
1.22 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.21 |
|
08-Jul-2012 |
deraadt |
if you use nitems() in userland, you must define it yourself discussed with guenther
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.20 |
|
27-May-2011 |
reyk |
spacing
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.19 |
|
08-Oct-2010 |
reyk |
set the client/server certificate options with all the common keyusage and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd.
ok phessler@
|
#
1.18 |
|
08-Oct-2010 |
jsg |
check if a directory exists before trying to create it in the export case as well, spotted by mikeb
|
#
1.17 |
|
08-Oct-2010 |
jsg |
if non absolute paths are specified in install commands assume they are relative to /etc
|
#
1.16 |
|
08-Oct-2010 |
jsg |
allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.
|
#
1.15 |
|
08-Oct-2010 |
reyk |
Allow to show certificate details (show ca x cert [y]).
|
#
1.14 |
|
07-Oct-2010 |
jsg |
only try to setup a passfile when creating a CA
|
#
1.13 |
|
07-Oct-2010 |
reyk |
Allow to specify the export password on the command line (optionally, for scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
|
#
1.12 |
|
07-Oct-2010 |
reyk |
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults. - allow to specify the initial ca password on the command line to also make it scriptable. - allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server). - cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@
|
#
1.11 |
|
07-Oct-2010 |
phessler |
set saner permissions on the directory we export, so we don't change perms of /etc/iked when extracting
OK jsg@
|
#
1.10 |
|
07-Oct-2010 |
phessler |
When we create a new CA, also create an empty (but valid) CRL list. While here, set our used defaults in the config file.
OK reyk@, jsg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.9 |
|
23-Jun-2010 |
jsg |
fix the permissions on directories inside the exported tarball in the cert case.
|
#
1.8 |
|
23-Jun-2010 |
jsg |
More appropriate contents for the exported ca tarball.
|
#
1.7 |
|
23-Jun-2010 |
jsg |
Add a ca export command for EAP mode where we only require the CA cert, and make both export commands optionally take an argument that will be added to a peer.txt file in the exported output. Additionally include any site specific notes from /usr/share/iked if present.
man page bits and help with the parser from reyk
|
#
1.6 |
|
21-Jun-2010 |
jsg |
use the full path to zip
|
#
1.5 |
|
14-Jun-2010 |
jsg |
Add commands to create/delete/install/import keys without involving certificates as suggested by reyk and don't recreate private keys if a key already exists.
ok reyk@
|
#
1.4 |
|
10-Jun-2010 |
jsg |
Add a command to revoke a certificate and generate a CRL; make the ca install command install the CRL as well.
discussed with reyk@
|
#
1.3 |
|
07-Jun-2010 |
jsg |
switch iked pki files to /etc/iked, discussed with reyk.
|
#
1.2 |
|
04-Jun-2010 |
jsg |
Install the cert as well as the keys and make certs world readable as suggested by reyk@
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.48 |
|
26-Feb-2019 |
sthen |
ikectl's built-in CA command for simple configurations has a fixed certificate validity for the ca certificate. Raise this from 365 days to 4500 as expiry means installing new CA certificates on all client machines which can cause significant pain. This doesn't change the default validity for server certificates which remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate on these can be done easily without visiting all machines. ok deraadt@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.47 |
|
08-Nov-2017 |
patrick |
Since r1.41 the extensions are included in the CSR. Thus ca_request() already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.46 |
|
08-Jun-2017 |
jsg |
Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@
|
#
1.45 |
|
31-May-2017 |
jsg |
ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
#
1.44 |
|
24-May-2017 |
jsg |
Set REQ_EXT in req section so ikectl ca certificate revoke will work again.
|
#
1.43 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.42 |
|
29-Mar-2017 |
sthen |
set REQ_EXT to x509v3_CA, fixing "ikectl ca XX create" inadvertently broken in r1.41. ok reyk deraadt
|
#
1.41 |
|
31-Jan-2017 |
sthen |
Teach ikectl to include extensions in the CSR, rather than just adding them when signing the certificates by the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, they often copy extensions from the request. ok reyk@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.40 |
|
02-Nov-2015 |
jsg |
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
#
1.39 |
|
02-Nov-2015 |
jsg |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections.
Requested by and ok reyk@
|
#
1.38 |
|
02-Nov-2015 |
jsg |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
#
1.37 |
|
19-Aug-2015 |
reyk |
ca_hier() und ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
|
#
1.36 |
|
19-Aug-2015 |
reyk |
spacing
|
#
1.35 |
|
19-Aug-2015 |
reyk |
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
|
#
1.34 |
|
19-Aug-2015 |
reyk |
Use C99 integer types in ikectl(8).
OK jsg@
|
#
1.33 |
|
19-Aug-2015 |
reyk |
Support for overwriting $ENV:: variables in OpenSSL .cnf files from the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command.
Reported and tested by Jona Joachim (thanks!) OK jsg@
|
#
1.32 |
|
15-Aug-2015 |
semarie |
correct mode_t 644 to 0644
ok sthen@
|
#
1.31 |
|
15-Aug-2015 |
semarie |
corrects three err() to errx() calls - a if condition don't set errno - strlcpy(3) don't set errno (no mention is man page) - ca_readpass() already manage errno error message with warn(3)
ok sthen@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.30 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.29 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.28 |
|
25-Aug-2014 |
doug |
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.27 |
|
20-Jul-2014 |
guenther |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
#
1.26 |
|
18-Apr-2014 |
tedu |
round up some enemy sympathizers found calling RAND_seed(). ok beck reyk
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.25 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.24 |
|
08-Dec-2012 |
mikeb |
don't forget to include a path separator after an SSLDIR; reported by david hill
|
#
1.23 |
|
23-Oct-2012 |
reyk |
Allow to overwrite a few more definitions like file paths from the Makefile. No functional change.
|
#
1.22 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.21 |
|
08-Jul-2012 |
deraadt |
if you use nitems() in userland, you must define it yourself discussed with guenther
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.20 |
|
27-May-2011 |
reyk |
spacing
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.19 |
|
08-Oct-2010 |
reyk |
set the client/server certificate options with all the common keyusage and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd.
ok phessler@
|
#
1.18 |
|
08-Oct-2010 |
jsg |
check if a directory exists before trying to create it in the export case as well, spotted by mikeb
|
#
1.17 |
|
08-Oct-2010 |
jsg |
if non absolute paths are specified in install commands assume they are relative to /etc
|
#
1.16 |
|
08-Oct-2010 |
jsg |
allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.
|
#
1.15 |
|
08-Oct-2010 |
reyk |
Allow to show certificate details (show ca x cert [y]).
|
#
1.14 |
|
07-Oct-2010 |
jsg |
only try to setup a passfile when creating a CA
|
#
1.13 |
|
07-Oct-2010 |
reyk |
Allow to specify the export password on the command line (optionally, for scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
|
#
1.12 |
|
07-Oct-2010 |
reyk |
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults. - allow to specify the initial ca password on the command line to also make it scriptable. - allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server). - cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@
|
#
1.11 |
|
07-Oct-2010 |
phessler |
set saner permissions on the directory we export, so we don't change perms of /etc/iked when extracting
OK jsg@
|
#
1.10 |
|
07-Oct-2010 |
phessler |
When we create a new CA, also create an empty (but valid) CRL list. While here, set our used defaults in the config file.
OK reyk@, jsg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.9 |
|
23-Jun-2010 |
jsg |
fix the permissions on directories inside the exported tarball in the cert case.
|
#
1.8 |
|
23-Jun-2010 |
jsg |
More appropriate contents for the exported ca tarball.
|
#
1.7 |
|
23-Jun-2010 |
jsg |
Add a ca export command for EAP mode where we only require the CA cert, and make both export commands optionally take an argument that will be added to a peer.txt file in the exported output. Additionally include any site specific notes from /usr/share/iked if present.
man page bits and help with the parser from reyk
|
#
1.6 |
|
21-Jun-2010 |
jsg |
use the full path to zip
|
#
1.5 |
|
14-Jun-2010 |
jsg |
Add commands to create/delete/install/import keys without involving certificates as suggested by reyk and don't recreate private keys if a key already exists.
ok reyk@
|
#
1.4 |
|
10-Jun-2010 |
jsg |
Add a command to revoke a certificate and generate a CRL; make the ca install command install the CRL as well.
discussed with reyk@
|
#
1.3 |
|
07-Jun-2010 |
jsg |
switch iked pki files to /etc/iked, discussed with reyk.
|
#
1.2 |
|
04-Jun-2010 |
jsg |
Install the cert as well as the keys and make certs world readable as suggested by reyk@
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.47 |
|
08-Nov-2017 |
patrick |
Since r1.41 the extensions are included in the CSR. Thus ca_request() already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.46 |
|
08-Jun-2017 |
jsg |
Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@
|
#
1.45 |
|
31-May-2017 |
jsg |
ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
#
1.44 |
|
24-May-2017 |
jsg |
Set REQ_EXT in req section so ikectl ca certificate revoke will work again.
|
#
1.43 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.42 |
|
29-Mar-2017 |
sthen |
set REQ_EXT to x509v3_CA, fixing "ikectl ca XX create" inadvertently broken in r1.41. ok reyk deraadt
|
#
1.41 |
|
31-Jan-2017 |
sthen |
Teach ikectl to include extensions in the CSR, rather than just adding them when signing the certificates by the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, they often copy extensions from the request. ok reyk@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.40 |
|
02-Nov-2015 |
jsg |
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
#
1.39 |
|
02-Nov-2015 |
jsg |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections.
Requested by and ok reyk@
|
#
1.38 |
|
02-Nov-2015 |
jsg |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
#
1.37 |
|
19-Aug-2015 |
reyk |
ca_hier() und ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
|
#
1.36 |
|
19-Aug-2015 |
reyk |
spacing
|
#
1.35 |
|
19-Aug-2015 |
reyk |
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
|
#
1.34 |
|
19-Aug-2015 |
reyk |
Use C99 integer types in ikectl(8).
OK jsg@
|
#
1.33 |
|
19-Aug-2015 |
reyk |
Support for overwriting $ENV:: variables in OpenSSL .cnf files from the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command.
Reported and tested by Jona Joachim (thanks!) OK jsg@
|
#
1.32 |
|
15-Aug-2015 |
semarie |
correct mode_t 644 to 0644
ok sthen@
|
#
1.31 |
|
15-Aug-2015 |
semarie |
corrects three err() to errx() calls - a if condition don't set errno - strlcpy(3) don't set errno (no mention is man page) - ca_readpass() already manage errno error message with warn(3)
ok sthen@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.30 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.29 |
|
26-Aug-2014 |
jsing |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
1.28 |
|
25-Aug-2014 |
doug |
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.27 |
|
20-Jul-2014 |
guenther |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
#
1.26 |
|
18-Apr-2014 |
tedu |
round up some enemy sympathizers found calling RAND_seed(). ok beck reyk
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE
|
#
1.25 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.24 |
|
08-Dec-2012 |
mikeb |
don't forget to include a path separator after an SSLDIR; reported by david hill
|
#
1.23 |
|
23-Oct-2012 |
reyk |
Allow to overwrite a few more definitions like file paths from the Makefile. No functional change.
|
#
1.22 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.21 |
|
08-Jul-2012 |
deraadt |
if you use nitems() in userland, you must define it yourself discussed with guenther
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.20 |
|
27-May-2011 |
reyk |
spacing
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.19 |
|
08-Oct-2010 |
reyk |
set the client/server certificate options with all the common keyusage and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd.
ok phessler@
|
#
1.18 |
|
08-Oct-2010 |
jsg |
check if a directory exists before trying to create it in the export case as well, spotted by mikeb
|
#
1.17 |
|
08-Oct-2010 |
jsg |
if non absolute paths are specified in install commands assume they are relative to /etc
|
#
1.16 |
|
08-Oct-2010 |
jsg |
allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.
|
#
1.15 |
|
08-Oct-2010 |
reyk |
Allow to show certificate details (show ca x cert [y]).
|
#
1.14 |
|
07-Oct-2010 |
jsg |
only try to setup a passfile when creating a CA
|
#
1.13 |
|
07-Oct-2010 |
reyk |
Allow to specify the export password on the command line (optionally, for scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
|
#
1.12 |
|
07-Oct-2010 |
reyk |
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults. - allow to specify the initial ca password on the command line to also make it scriptable. - allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server). - cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@
|
#
1.11 |
|
07-Oct-2010 |
phessler |
set saner permissions on the directory we export, so we don't change perms of /etc/iked when extracting
OK jsg@
|
#
1.10 |
|
07-Oct-2010 |
phessler |
When we create a new CA, also create an empty (but valid) CRL list. While here, set our used defaults in the config file.
OK reyk@, jsg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.9 |
|
23-Jun-2010 |
jsg |
fix the permissions on directories inside the exported tarball in the cert case.
|
#
1.8 |
|
23-Jun-2010 |
jsg |
More appropriate contents for the exported ca tarball.
|
#
1.7 |
|
23-Jun-2010 |
jsg |
Add a ca export command for EAP mode where we only require the CA cert, and make both export commands optionally take an argument that will be added to a peer.txt file in the exported output. Additionally include any site specific notes from /usr/share/iked if present.
man page bits and help with the parser from reyk
|
#
1.6 |
|
21-Jun-2010 |
jsg |
use the full path to zip
|
#
1.5 |
|
14-Jun-2010 |
jsg |
Add commands to create/delete/install/import keys without involving certificates as suggested by reyk and don't recreate private keys if a key already exists.
ok reyk@
|
#
1.4 |
|
10-Jun-2010 |
jsg |
Add a command to revoke a certificate and generate a CRL; make the ca install command install the CRL as well.
discussed with reyk@
|
#
1.3 |
|
07-Jun-2010 |
jsg |
switch iked pki files to /etc/iked, discussed with reyk.
|
#
1.2 |
|
04-Jun-2010 |
jsg |
Install the cert as well as the keys and make certs world readable as suggested by reyk@
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|