path: root/sbin
Commit message  [Author, Age, Files, Lines]
...
* Fix policy lookup edge case for simultaneous transport and tunnel mode SAs.  [tobhe, 2020-05-11, 3 files, -27/+47]
  Only the initiator can use 'msg_policy' to determine if the policy is supposed to be transport mode, the responder has to check for a received USE_TRANSPORT notify to find a matching policy during the lookup. ok markus@
* sockaddr_rtdns does not guarantee alignment of the buffer. So first  [otto, 2020-05-10, 1 file, -5/+10]
  memcpy the address into a local var before comparing it with code that reads ints using int *. at least sparc64 and landisk suffer from this. with and ok jca@
* Log error notifications other than NO_PROPOSAL_CHOSEN  [tobhe, 2020-05-09, 1 file, -1/+3]
  ok markus@
* Shuffle and clarify logic creating the contents of resolv.conf.  [krw, 2020-05-09, 1 file, -80/+44]
  No intentional functional change.
* Use a union to ensure cmsg buffer is properly aligned  [jca, 2020-05-08, 1 file, -4/+10]
  Fixes a crash on landisk (strict alignment arch) reported by otto@ ok deraadt@ otto@
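The two alignment fixes above (the sockaddr_rtdns memcpy and the cmsg union) share one root cause, so here is a single added example, not OpenBSD's code, that shows both patterns side by side. It compiles on any POSIX system; the raw byte buffer is constructed for the example, and the one-byte tag in front of the address is a hypothetical layout that merely puts the address at an odd offset, not the real sockaddr_rtdns format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Constructed sample: a one-byte tag followed by the IPv4 address 192.0.2.53,
 * so the address bytes start at an odd offset. A real sockaddr_rtdns payload
 * has its own layout; this only stands in for "the address is not aligned". */
static const unsigned char raw_dns_msg[] = { 0x01, 192, 0, 2, 53 };

/* BROKEN: reinterpreting an unaligned pointer as uint32_t * is undefined
 * behaviour in C and raises SIGBUS on strict-alignment CPUs (sparc64, landisk).
 * It happens to work on x86, which is why such bugs go unnoticed. Never call it;
 * it is kept only for comparison. */
static int __attribute__((__unused__))
raw_addr_matches_unaligned(const unsigned char *p, uint32_t host_order)
{
	return *(const uint32_t *)p == htonl(host_order);
}

/* FIXED: memcpy into a correctly aligned local, then compare. Where the CPU
 * allows unaligned loads the compiler turns the memcpy into a single load. */
static int
raw_addr_matches(const unsigned char *p, uint32_t host_order)
{
	struct in_addr a;

	memcpy(&a, p, sizeof(a));
	return a.s_addr == htonl(host_order);
}

/* A plain unsigned char array only guarantees byte alignment. Overlaying it
 * with struct cmsghdr in a union forces the storage to satisfy cmsghdr's
 * alignment, which CMSG_FIRSTHDR()/CMSG_DATA() silently assume. */
union cmsgbuf {
	struct cmsghdr	hdr;
	unsigned char	buf[CMSG_SPACE(sizeof(uint32_t))];
};

/* Returns 1 when a stack-allocated union buffer satisfies cmsghdr alignment. */
static int
cmsgbuf_is_aligned(void)
{
	union cmsgbuf cb;

	return ((uintptr_t)cb.buf % _Alignof(struct cmsghdr)) == 0;
}

/* Fill the union-backed control buffer as a sender would, then parse it back
 * as a receiver would, reading the payload with memcpy. Returns the payload,
 * or 0 if the header does not parse. */
static uint32_t
cmsg_roundtrip(uint32_t payload)
{
	union cmsgbuf	 cb;
	struct msghdr	 msg;
	struct cmsghdr	*cmsg;
	uint32_t	 out = 0;

	memset(&cb, 0, sizeof(cb));
	memset(&msg, 0, sizeof(msg));
	msg.msg_control = cb.buf;
	msg.msg_controllen = sizeof(cb.buf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = 0;	/* type is irrelevant here; only the layout matters */
	cmsg->cmsg_len = CMSG_LEN(sizeof(payload));
	memcpy(CMSG_DATA(cmsg), &payload, sizeof(payload));

	/* receiver side: validate the header before touching the data */
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_len != CMSG_LEN(sizeof(payload)))
		return 0;
	memcpy(&out, CMSG_DATA(cmsg), sizeof(out));
	return out;
}

int
main(void)
{
	printf("address matches: %d\n", raw_addr_matches(raw_dns_msg + 1, 0xC0000235u));
	printf("cmsg buffer aligned: %d\n", cmsgbuf_is_aligned());
	printf("cmsg roundtrip: %#x\n", cmsg_roundtrip(0xdeadbeefu));
	return 0;
}
```

The practical check when auditing similar code: any cast of a `char *`/`uint8_t *` to a wider integer or struct pointer, and any `msg_control` pointing at a bare `char` array, is a strict-alignment bug even if it passes every test on amd64.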
* Remove unnecessary X509_NAME_oneline wrapper. Passing NULL as buf  [tobhe, 2020-05-08, 2 files, -17/+3]
  does the same thing. ok patrick@
* Nuke unneeded 'inits' field in struct proposal. 'mtu' being 0 is enough of a clue  [krw, 2020-05-08, 3 files, -6/+4]
  to avoid setting interface mtu.
* Nuke 'set but never used' addrs field in struct proposal.  [krw, 2020-05-08, 2 files, -11/+2]
* Use gettimeofday() instead of CLOCK_MONOTONIC in gettime(). The return value  [tobhe, 2020-05-02, 1 file, -5/+4]
  is compared to one received via PFKEY which results in garbage. Found by Rene Ammerlaan <rj (dot) ammerlaan (at) sungai (dot) nl> ok patrick@
* When initiating IKE SA rekeying, make sure to send a key from a mutual  [tobhe, 2020-05-01, 1 file, -7/+10]
  DH group (as negotiated by IKE_SA_INIT) instead of one from the configured policy. Not doing so may result in INVALID_KE errors. ok patrick@
* Clarify global 'set active' and 'set passive' options and how they  [tobhe, 2020-05-01, 1 file, -6/+18]
  interact with the per-policy active/passive options. ok kn@
* Add ECDH groups and higher order MODP DH groups to default proposal.  [tobhe, 2020-04-30, 1 file, -1/+7]
  ok sthen@, patrick@
* Remove trailing tab  [tobhe, 2020-04-29, 1 file, -2/+2]
* Missing whitespace.  [tobhe, 2020-04-29, 1 file, -2/+2]
* Add the 'nomimo' nwflag which disables MIMO in 11n mode.  [stsp, 2020-04-29, 1 file, -2/+9]
  This flag restricts a wireless driver to MCS0 - MCS7 for both transmission and reception. It can be set to work around packet loss in 11n mode caused by unused antenna connectors on a MIMO-capable wireless network device. man page tweak from tracey@ ok deraadt@
* The order of arguments to proposals_negotiate makes a difference.  [tobhe, 2020-04-28, 1 file, -3/+3]
  'key->pol_proposals' should be the peer proposal as it is derived from a received SA payload, 'p->p_proposal' comes from a locally configured policy. ok patrick@
* Remove support for insecure EC2N groups. Clarify which Diffie-Hellman  [tobhe, 2020-04-28, 5 files, -27/+15]
  groups are not recommended to use and are only supported for backwards compatibility. Feedback from sthen@ ok kn@
* Add curve25519 IANA group number.  [tobhe, 2020-04-27, 1 file, -3/+3]
* Log with SPI_SA().  [tobhe, 2020-04-27, 1 file, -4/+5]
* If the DHCP server disappears between OFFER'ing and ACK'ing a lease,  [krw, 2020-04-27, 1 file, -25/+20]
  stop trying to get an ACK from that server after 'timeout' seconds. Give up and try to get another lease. Possible infinite loop pointed out by Alexander Markert on tech@.
* Fix leak of temporary ID ibufs on IKE SA rekey.  [tobhe, 2020-04-26, 1 file, -1/+5]
  ok markus@
* Only print valid rdomains. '-1' is used as default value and should  [tobhe, 2020-04-26, 1 file, -2/+2]
  not be printed.
* Tighten up NAK handling. Inform unwind when the active lease is  [krw, 2020-04-26, 1 file, -18/+27]
  discarded. Update leases file when active lease is discarded. Discard NAK'ed offers even if there is no active lease. Always transition to INIT. Issues discovered after inappropriate behaviour reported by Alexander Markert and Pierre Emeriaud.
* Reduce minimum allowed number of chunks in a CONCAT volume from 2 to  [krw, 2020-04-25, 2 files, -7/+7]
  1. This increases the number of volumes that can be created on a single disk from 7 to 15. i.e. a disk can be sliced into a maximum of 225 (15 * 15) filesystems instead of a mere 105 (7 * 15). ok deraadt@
* Add some useful log messages for the IKE handshake.  [tobhe, 2020-04-24, 1 file, -2/+5]
  ok patrick@
* Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for  [tobhe, 2020-04-24, 2 files, -4/+9]
  debugging and fill up the logs. ok patrick@ kn@
* Stray whitespace.  [krw, 2020-04-24, 1 file, -2/+2]
* SYNOPSIS had no matching Ek, but since it wasn't needed, remove Bk;  [jmc, 2020-04-23, 1 file, -4/+2]
  while here, combine two Ar lines into one;
* ce examples of "Ar arg Ar arg" with "Ar arg arg" and stop the spread;  [jmc, 2020-04-23, 12 files, -45/+45]
* Add support for switching rdomain on IPsec encryption/decryption.  [tobhe, 2020-04-23, 6 files, -18/+151]
  It can be configured per policy with the new 'rdomain' option (see iked.conf(5)). Only the unencrypted (inner) rdomain has to be configured, the encrypted rdomain is always the one the responsible iked instance is running in. The configured rdomain must exist before iked activates the IPsec SAs, otherwise pfkey will return an error. ok markus@, patrick@
* Support SADB_X_EXT_RDOMAIN extension in pfkey dump (-m).  [tobhe, 2020-04-23, 1 file, -1/+13]
  ok markus@, patrick@
* Fix leaks in signature validation.  [tobhe, 2020-04-22, 1 file, -1/+5]
  ok markus@
* Log authentication verification failure with "info" priority.  [tobhe, 2020-04-22, 1 file, -2/+3]
  ok markus@
* unwind(8) is supposed to work in all situations, it no longer  [florian, 2020-04-21, 1 file, -3/+3]
  closes its service port when resolving is not working to give asr(3) a chance (because it falls back to asr(3) internally). Therefore it is ok to only list 127.0.0.1 in /etc/resolv.conf. Triggered by a question from Frantisek Holop. OK benno
* Send broadcast packets to INADDR_BROADCAST, not INADDR_ANY.  [krw, 2020-04-21, 1 file, -2/+2]
  Should fix '-r' (a.k.a. release a lease) for leases without a valid DHCP_SERVER_IDENTIFIER. Spotted by Alexander Markert. Thanks!
* Remove unused 'dsa_cert' variable.  [tobhe, 2020-04-20, 2 files, -8/+2]
  ok markus@
* SPI_SA(sa, NULL) already prints a colon.  [tobhe, 2020-04-18, 1 file, -2/+2]
* Log retransmits of sent requests and responses.  [tobhe, 2020-04-17, 1 file, -2/+15]
  ok markus@
* Only pay attention to interfaces in our routing domain  [florian, 2020-04-17, 1 file, -5/+26]
  OK tohe
* Print SPI value of deleted SA.  [tobhe, 2020-04-16, 1 file, -4/+15]
  ok markus@
* Make the control socket name depend on the routing domain we are in.  [florian, 2020-04-16, 1 file, -3/+9]
  That way, when slaacd gets started in a different rdomain with route exec things just work, no need to provide an alternative control socket. Pointed out by claudio Original diff by benno, but I like my bikeshed purple. OK benno, claudio
* Remove redundant 'sa == NULL' check.  [tobhe, 2020-04-15, 1 file, -2/+2]
* Print 'ipcomp' in print_policy() if configured.  [tobhe, 2020-04-14, 1 file, -1/+4]
* When slaacd is run in a routing domain (rdomain) other than the default (0) it  [florian, 2020-04-14, 1 file, -3/+3]
  sends router solicitations and receives router advertisements only from interfaces that are in its own rdomain. It also only sees interfaces arriving, or departing in its own rdomain. However, for the default route there is rdomain cross-talk because slaacd configures the default route in the default rdomain (and fails). Make slaacd honour the rdomain it's running in as well. OK denis, phessler, benno
* Try to send a DELETE message if the SA is reset with 'ikectl reset id'.  [tobhe, 2020-04-13, 3 files, -5/+25]
  This way the peer can delete its SAs and eventually reestablish the connection without having to wait for a timeout. ok markus@
* No need to call lc_idtype(). idstr does not contain a leading type  [tobhe, 2020-04-12, 1 file, -2/+1]
  specifier (e.g. 'FQDN/').
* "could not open public key" is an error and should be log_info.  [tobhe, 2020-04-12, 1 file, -2/+2]
* DELETE payloads are common. Log with log_info instead of log_warnx.  [tobhe, 2020-04-11, 1 file, -2/+2]
* If we haven't received any IKE message from our partner for some  [tobhe, 2020-04-11, 2 files, -7/+34]
  time, make sure to send a DPD packet to him so that we break up the connection faster if it's dead. ok patrick@
* Only make the type part of the idstring lowercase when looking for certs in  [tobhe, 2020-04-10, 4 files, -9/+9]
  '/etc/iked', otherwise certs with SubjAltNames containing uppercase letters are not found. ok markus@