summaryrefslogtreecommitdiffstats
path: root/sbin/ipsecctl/pfkey.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Extend the ipsecctl(8) parser to set the udpencap flag and portbluhm2020-02-071-4/+19
| | | | | number of an SA. This will be useful to test IPsec with NAT-T. OK sthen@ tobhe@
* When system calls indicate an error they return -1, not some arbitraryderaadt2019-06-281-2/+2
| | | | | | value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* Rename all SA groups to bundles consistently. The first kernelbluhm2017-04-191-5/+5
| | | | | | | commit in 2000 that introduced the features already called them SA bundles. The word group is taken by Diffie-Hellman, reusing it causes confusion. OK hshoexer@
* use freezero()deraadt2017-04-181-7/+4
|
* Depending on the addresses, ipsecctl(8) automatically groups sabluhm2017-02-281-2/+2
| | | | | | | | | | bundles together. Extend the kernel interface to export the bundle information to userland. Then ipsecctl -ss -v can show the internal relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently. OK hshoexer@ markus@
* Remove NULL-checks before free(). ok tb@mmcc2015-12-101-5/+3
|
* Remove plain DES encryption from IPsec.naddy2015-12-091-4/+1
| | | | | | | | | | DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
* Use explicit_bzero() when the memory is freed directly afterward.mmcc2015-10-181-4/+4
| | | | ok deraadt@
* simple conversion from select() to poll()deraadt2014-11-031-15/+10
|
* enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESPnaddy2012-06-301-1/+4
| | | | ok mikeb@
* fix some leaksjsg2012-03-241-1/+2
| | | | ok miod@
* Retire Skipjackmikeb2010-10-061-4/+1
| | | | | | | | | | | There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
* Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMACmikeb2010-09-221-1/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (as aes-gmac) encryption transformations in the ipsec.conf(5). Available "enc" arguments denoting use of 1) AES-GCM-16: aes-128-gcm for 160 bit key (128+nonce) aes-192-gcm for 224 bit key (192+nonce) aes-256-gcm for 288 bit key (256+nonce) 2) ENCR_NULL_AUTH_AES_GMAC: aes-128-gmac for 160 bit key (128+nonce) aes-192-gmac for 224 bit key (192+nonce) aes-256-gmac for 288 bit key (256+nonce) Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support). Also, although this implementation supports manual keying, it's use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only. Example configuration: ike esp from 172.23.61.36 to 172.23.61.156 \ quick enc aes-256-gcm \ psk humppa Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. OK naddy
* Only warn about pfkey failures when errno is != EEXIST.hshoexer2008-12-221-3/+5
| | | | | | This avoids warnings about already existing manual flows when ipsec.conf is reloaded. From Mitja Muzenic <mitja at muzenic dot net>, thanks!
* move autodetection of the ID type to the parser. this way themarkus2007-03-161-3/+3
| | | | static flows have the correct ID, too. ok hshoexer, reyk
* Fix grouping for SAs. Now all combinations of SAs are possible,hshoexer2006-11-101-11/+30
| | | | not only ESP+AH (ie. ESP inside AH).
* can get EAGAIN when writing to the pfkey socket; same change as bgpd,henning2006-08-301-8/+6
| | | | ok hshoexer
* fix some indentation, noticed by david@hshoexer2006-06-081-2/+2
|
* pfkey bits needed for SA groupinghshoexer2006-06-011-1/+168
|
* Support flows with port modifiers for proto tcp/udp, e.g.naddy2006-06-011-7/+33
| | | | | | flow proto udp from 1.2.3.4 port ntp to 5.6.7.8 ok hshoexer@ msf@
* read the full reply from PFKEY even if sadb_errno is set; ok hshoexermarkus2006-06-011-7/+6
|
* correct error messages to match calloc where appropriatetodd2006-06-011-3/+3
| | | | ok hshoexer@
* whitespace cleanuphshoexer2006-05-311-3/+3
|
* implement monitor mode for ipsecctl. worked on with markus@msf2006-05-301-8/+83
| | | | ok hshoexer@
* kill trainling whitespacehshoexer2006-05-281-2/+2
|
* fill in AF_INET6 casestodd2006-05-281-20/+71
| | | | | this does not complete v6 support for ipsecctl, but makes progress ok hshoexer@
* "type" keyword to specify flow type (require, use, etc.)hshoexer2006-04-191-1/+7
|
* allow specification of encapsulated protocol for flows; ok hshoexermarkus2006-03-311-13/+17
|
* allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reykmarkus2006-03-301-14/+50
|
* add support for special "bypass" and "deny" flows.reyk2006-03-071-1/+7
| | | | ok hshoexer@, thanks jmc@
* ipip support: ip-in-ip w/o gif(4); ok hshoexermarkus2005-12-061-3/+12
|
* Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.hshoexer2005-11-241-7/+1
| | | | Noticed the hard way by <raff at brodewicz dot pl>
* spacingderaadt2005-11-121-7/+7
|
* handle transport/tunnel modehshoexer2005-11-121-5/+9
|
* Improved address and address mask handling, derived from pfctl stuff.hshoexer2005-11-061-36/+19
|
* better handling of ip addresses, prepare for v6. Partially derived from diffhshoexer2005-11-061-18/+40
| | | | by todd@. Work in progress.
* add support for ipcomp.hshoexer2005-10-301-4/+23
|
* parse correctly flows using ipcomp. Glitch noticed by jared rr spiegel.hshoexer2005-10-171-1/+3
|
* cleanup messages generated by err(3)hshoexer2005-10-161-15/+15
|
* Teach ipsecctl to control isakmpd.hshoexer2005-08-221-5/+5
| | | | ok deraadt
* Rewrite handling of transforms. Now both ah and esp can be specified andhshoexer2005-08-091-16/+15
| | | | validated correctly. Unbreaks ah.
* pfkey pieces for static keying, enable static keyinghshoexer2005-08-081-23/+116
|
* prepare for static keyinghshoexer2005-08-081-2/+8
|
* prepare for authentication and encryption keys, not used yet.hshoexer2005-08-051-3/+3
|
* be more careful when using struct ipsec_auth, might be NULL now.hshoexer2005-08-031-1/+15
|
* Make use of struct ipsec_auth dynamic.hshoexer2005-08-021-20/+20
| | | | Do not pass IDs to kernel when deleting flows.
* also bail out when pfkey returns ESRCH (eg. trying to delete a non-existing SA)hshoexer2005-07-091-7/+7
|
* small cleanupshshoexer2005-07-091-19/+19
|
* Provide infrastructure for adding/deleting SAs, will be used by tcpmd5 andhshoexer2005-07-091-36/+180
| | | | manual keying. Not used yet.
* set flow type (use, require, etc.) when a rule is created. Up to now this washshoexer2005-07-071-7/+14
| | | | done while crafting the corresponding pfkey message.
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.