path: root/sbin/ipsecctl/pfkdump.c

Commit message | Author | Age | Files | Lines
* Enable support for ASN1_DN ipsec identifiers. | phessler | 2020-11-05 | 1 | -1/+2
  Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as the server. OK tobhe@ sthen@ kn@

* Fix "comparison of integers of different signs" warning. | tobhe | 2020-06-01 | 1 | -3/+3
  ok patrick@

* Support SADB_X_EXT_RDOMAIN extension in pfkey dump (-m). | tobhe | 2020-04-23 | 1 | -1/+13
  ok markus@, patrick@

* snprintf/vsnprintf return < 0 on error, rather than -1. | deraadt | 2019-07-03 | 1 | -4/+4

* Display per-TDB counters in verbose mode. | mpi | 2018-08-28 | 1 | -41/+66
  ok sthen@
* Include <sys/queue.h> instead of relying on kernel headers to include it. | mpi | 2018-07-10 | 1 | -1/+2
  ok markus@ as part of a larger diff

* Rename all SA groups to bundles consistently. | bluhm | 2017-04-19 | 1 | -2/+2
  The first kernel commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@

* Found another len += snprintf... | deraadt | 2017-04-10 | 1 | -3/+8
  ok mikeb

* Now that the kernel provides information about IPsec SA bundles, print them by default. | bluhm | 2017-03-02 | 1 | -3/+37
  OK hshoexer@

* Depending on the addresses, ipsecctl(8) automatically groups sa bundles together. | bluhm | 2017-02-28 | 1 | -1/+11
  Extend the kernel interface to export the bundle information to userland. Then ipsecctl -ss -v can show the internal relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently. OK hshoexer@ markus@

* Remove plain DES encryption from IPsec. | naddy | 2015-12-09 | 1 | -5/+1
  DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@

* remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@ | naddy | 2015-12-02 | 1 | -8/+1
* Decode Chacha20-Poly1305 when dumping SAs; ok reyk, naddy | mikeb | 2015-11-04 | 1 | -1/+6

* Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer | mikeb | 2015-04-17 | 1 | -2/+1

* Remove support for storing credentials and auth information in the kernel. | mikeb | 2015-04-14 | 1 | -39/+1
  This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.

* Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. | deraadt | 2015-01-16 | 1 | -2/+2
  Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)

* Unbreak the tree. Looks like tedu did not tedu enough when killing KPDK support. | claudio | 2014-12-28 | 1 | -3/+1

* fix printing of IPcomp SAs; ok mikeb@ & todd@ | markus | 2014-01-22 | 1 | -3/+3

* remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code. | markus | 2012-09-18 | 1 | -4/+1
  ok mikeb@

* don't output "esn" string in the rule section | mikeb | 2012-07-05 | 1 | -9/+43
  We can't use the keyword in the grammar to create an esn-enabled rule (no reason to do so for manual sa configuration). Instead decode sa flags so that we can also watch changes happening in realtime with the monitor mode. prompted and ok by naddy
* enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP | naddy | 2012-06-30 | 1 | -2/+12
  ok mikeb@

* Print esn flag when dumping SAs with ESN enabled | mikeb | 2012-06-29 | 1 | -1/+2

* print flags in hex; from hshoexer@; ok mikeb@ mpf@ | markus | 2011-04-13 | 1 | -4/+4

* Retire Skipjack | mikeb | 2010-10-06 | 1 | -5/+1
  There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt. Thanks to jsg for digging up FIPS drafts.

* Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5). | mikeb | 2010-09-22 | 1 | -1/+32
  Available "enc" arguments denoting use of
  1) AES-GCM-16:
     aes-128-gcm for 160 bit key (128+nonce)
     aes-192-gcm for 224 bit key (192+nonce)
     aes-256-gcm for 288 bit key (256+nonce)
  2) ENCR_NULL_AUTH_AES_GMAC:
     aes-128-gmac for 160 bit key (128+nonce)
     aes-192-gmac for 224 bit key (192+nonce)
     aes-256-gmac for 288 bit key (256+nonce)
  Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support). Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
  Example configuration:
     ike esp from 172.23.61.36 to 172.23.61.156 \
         quick enc aes-256-gcm \
         psk humppa
  Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. OK naddy

* support dumping the new SADB_X_EXT_TAP extension. | reyk | 2010-07-01 | 1 | -1/+11

* Don't use [] in function arguments when dealing with arrays we don't know the size of, otherwise gcc >= 4 will error. | jsg | 2009-11-13 | 1 | -5/+5
  ok markus@ deraadt@

* use the actual keysize from the SA to figure out which AES variant (aes-192, aes-256) is used; ok hshoexer@ | markus | 2008-08-19 | 1 | -12/+26

* do not print secret keys by default, -k restores old behaviour; ok hshoexer | markus | 2007-01-03 | 1 | -2/+5
* add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. | reyk | 2006-11-24 | 1 | -1/+13
  this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@

* sort SAs by spi; ok hshoexer | markus | 2006-09-19 | 1 | -3/+12

* partial backout of last commit | markus | 2006-08-30 | 1 | -12/+1

* print extensions with type SADB_EXT_MAX, too; ok hshoexer, reyk, msf | markus | 2006-08-30 | 1 | -4/+15

* Fix a typo that prevented ipsecctl -ss from showing authentication information for AH SAs. | naddy | 2006-06-12 | 1 | -2/+2
  ok markus@, hshoexer@

* print full information about tcpmd5 and ipcomp SAs, too | markus | 2006-06-02 | 1 | -2/+19

* tiny style cleanup and white spaces | hshoexer | 2006-06-02 | 1 | -7/+7

* fix the formatting for sadb_register messages in monitor mode. | msf | 2006-06-02 | 1 | -3/+8
  put back one mistakenly deleted newline. ok hshoexer@

* convert pfkey to ipsec_rule and use ipsecctl_print_rule() when dumping the in-kernel SAs. | markus | 2006-06-01 | 1 | -80/+154
  this way we produce the same output as rule loading. ok hshoexer
* spacing | deraadt | 2006-06-01 | 1 | -3/+3

* whitespace cleanup | hshoexer | 2006-05-31 | 1 | -31/+31

* shuffle some newlines to make all the formatting work again | msf | 2006-05-31 | 1 | -15/+15
  ok hshoexer@

* implement monitor mode for ipsecctl. worked on with markus@ | msf | 2006-05-30 | 1 | -6/+301
  ok hshoexer@

* Userland programs should include <errno.h> not <sys/errno.h> | millert | 2005-12-21 | 1 | -2/+2
  OK deraadt@

* use ARGSUSED1 here | hshoexer | 2005-12-12 | 1 | -1/+8

* spacing | deraadt | 2005-11-13 | 1 | -3/+3

* handle transport/tunnel mode | hshoexer | 2005-11-12 | 1 | -3/+9

* add support for ipcomp. | hshoexer | 2005-10-30 | 1 | -9/+8

* make sure, output of -ss is identical to syntax for SA rules | hshoexer | 2005-07-09 | 1 | -13/+17

* improve output for SAs | hshoexer | 2005-06-27 | 1 | -17/+37
  while around, do small whitespace cleanup; added a missing "static"

* parse local/remote credential payload types. | hshoexer | 2005-06-06 | 1 | -1/+18