#
1.33 |
|
28-Jul-2023 |
claudio |
Use ibuf_data() instead of accessing the ibuf buf pointer directly. Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate. OK tobhe@ tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.32 |
|
03-Dec-2022 |
tobhe |
Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.31 |
|
13-Dec-2021 |
tb |
Avoid a potential double free in group_free()
In the unlikely event that EC_KEY_check_key() in ec_init() fails, the group would be freed twice: once in ec_init(), and later in group_free().
ok tobhe
|
#
1.30 |
|
29-Nov-2021 |
deraadt |
sys/param.h was included for MAX(), MIN() and roundup(). make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.29 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
#
1.28 |
|
13-May-2021 |
tb |
Use field independent version of {get,set}_affine_coordinates.
ok tobhe
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.27 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.26 |
|
04-Feb-2021 |
tobhe |
EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m() do the same thing. Remove redundant check and always use the _GFp() variant.
discussed with tb@ ok patrick@
|
#
1.25 |
|
04-Feb-2021 |
tobhe |
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed.
ok markus@ patrick@
|
#
1.24 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.23 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be compatible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check() ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.32 |
|
03-Dec-2022 |
tobhe |
Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.31 |
|
13-Dec-2021 |
tb |
Avoid a potential double free in group_free()
In the unlikely event that EC_KEY_check_key() in ec_init() fails, the group would be freed twice: once in ec_init(), and later in group_free().
ok tobhe
|
#
1.30 |
|
29-Nov-2021 |
deraadt |
sys/param.h was included for MAX(), MIN() and roundup(). make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.29 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
#
1.28 |
|
13-May-2021 |
tb |
Use field independent version of {get,set}_affine_coordinates.
ok tobhe
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.27 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.26 |
|
04-Feb-2021 |
tobhe |
EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m() do the same thing. Remove redundant check and always use the _GFp() variant.
discussed with tb@ ok patrick@
|
#
1.25 |
|
04-Feb-2021 |
tobhe |
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed.
ok markus@ patrick@
|
#
1.24 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.23 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check() ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.31 |
|
13-Dec-2021 |
tb |
Avoid a potential double free in group_free()
In the unlikely event that EC_KEY_check_key() in ec_init() fails, the group would be freed twice: once in ec_init(), and later in group_free().
ok tobhe
|
#
1.30 |
|
29-Nov-2021 |
deraadt |
sys/param.h was included for MAX(), MIN() and roundup(). make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.29 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
#
1.28 |
|
13-May-2021 |
tb |
Use field independent version of {get,set}_affine_coordinates.
ok tobhe
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.27 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.26 |
|
04-Feb-2021 |
tobhe |
EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m() do the same thing. Remove redundant check and always use the _GFp() variant.
discussed with tb@ ok patrick@
|
#
1.25 |
|
04-Feb-2021 |
tobhe |
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed.
ok markus@ patrick@
|
#
1.24 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.23 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check() ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.30 |
|
29-Nov-2021 |
deraadt |
sys/param.h was included for MAX(), MIN() and roundup(). make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.29 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
#
1.28 |
|
13-May-2021 |
tb |
Use field independent version of {get,set}_affine_coordinates.
ok tobhe
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.27 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.26 |
|
04-Feb-2021 |
tobhe |
EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m() do the same thing. Remove redundant check and always use the _GFp() variant.
discussed with tb@ ok patrick@
|
#
1.25 |
|
04-Feb-2021 |
tobhe |
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed.
ok markus@ patrick@
|
#
1.24 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.23 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check() ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.29 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
#
1.28 |
|
13-May-2021 |
tb |
Use field independent version of {get,set}_affine_coordinates.
ok tobhe
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.27 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.26 |
|
04-Feb-2021 |
tobhe |
EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m() do the same thing. Remove redundant check and always use the _GFp() variant.
discussed with tb@ ok patrick@
|
#
1.25 |
|
04-Feb-2021 |
tobhe |
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed.
ok markus@ patrick@
|
#
1.24 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.23 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be compatible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses
ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.22 |
|
02-Apr-2019 |
sthen |
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
|
#
1.21 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.20 |
|
21-May-2017 |
deraadt |
A few more freezero() uses
ok yasuoka mikeb
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.19 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
#
1.18 |
|
04-Jan-2017 |
mikeb |
Remove modular exponential groups specified in RFC5114
Brought up by doug@, ok reyk, djm, doug
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.17 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.16 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
#
1.15 |
|
12-Oct-2014 |
jsg |
DH_compute_key() returns -1 on error but this was not handled by testing the result with a negation.
Ralf Horstmann discovered iked would segfault when connecting from Strongswan on Android because of this and supplied the patch to fix the problem.
ok reyk@
|
#
1.14 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
#
1.13 |
|
25-Aug-2014 |
reyk |
Add support for DH groups 27-30 using the Brainpool curves which have previously been added to LibreSSL's libcrypto.
ok markus@ mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.12 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.11 |
|
14-Nov-2013 |
markus |
verify EC points; from hshoexer; ok mikeb
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.10 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.9 |
|
15-Dec-2012 |
reyk |
Plug two memory leaks when cleaning up the dh/dsa crypto structures.
|
#
1.8 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_2_BASE
|
#
1.7 |
|
04-Jun-2012 |
mikeb |
Rounding up a number of bytes in a bignum returned by the BN_num_bytes() has implications when dealing with leading zeroes. Prevent an incorrect conversion of the EC point to the binary representation by inferring the X and Y components' lengths from the EC group length and zeroing out the appropriate chunks of the target buffer. From hshoexer@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.6 |
|
03-Jul-2011 |
mikeb |
iked requires the same dh diff as isakmpd:
When BN_bn2bin converts a bignum to the binary representation it skips leading zeroes if there are any. To accommodate the difference with the protocol we need to prepend those zeroes ourselves.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.5 |
|
29-Nov-2010 |
markus |
make key exchange faster by not checking the predefined groups with DH_check()
ok mikeb@, djm@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.4 |
|
29-Jun-2010 |
reyk |
Add missing frees.
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code:
- remove dh_selftest(), this should go into regress somewhere
- remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@
ok deraadt@
|