#
1.15 |
|
28-May-2021 |
tobhe |
Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.14 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.13 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.12 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.11 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.10 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.9 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
#
1.8 |
|
19-Aug-2015 |
reyk |
spacing (no binary change, verified with checksums)
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.7 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.6 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.5 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.4 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.14 |
|
04-Feb-2021 |
tobhe |
Rename 'struct group' to 'struct dh_group' for more clarity and to avoid name clashes.
ok patrick@
|
#
1.13 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.12 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.11 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.10 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.9 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
#
1.8 |
|
19-Aug-2015 |
reyk |
spacing (no binary change, verified with checksums)
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.7 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.6 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.5 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.4 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.13 |
|
28-Oct-2020 |
tobhe |
Refactor parts of the dh_* API.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.12 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.11 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.10 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.9 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
#
1.8 |
|
19-Aug-2015 |
reyk |
spacing (no binary change, verified with checksums)
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.7 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.6 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.5 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.4 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.12 |
|
28-Apr-2020 |
tobhe |
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.11 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.10 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.9 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
#
1.8 |
|
19-Aug-2015 |
reyk |
spacing (no binary change, verified with checksums)
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.7 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.6 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.5 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.4 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.11 |
|
27-Oct-2017 |
patrick |
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be com- patible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.10 |
|
27-Mar-2017 |
mikeb |
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified.
With and OK reyk
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.9 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
#
1.8 |
|
19-Aug-2015 |
reyk |
spacing (no binary change, verified with checksums)
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.7 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.6 |
|
27-Aug-2014 |
reyk |
Add support for Curve25519 using the public domain code that is found in OpenSSH. The "private use" DH group 1034 is based on the value that was picked by strongswan recently.
OK mikeb@ markus@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.5 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.4 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.3 |
|
23-Jun-2010 |
reyk |
rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or ec521 -> ecp521). this matches the common naming for ec groups better.
|
#
1.2 |
|
23-Jun-2010 |
reyk |
further cleanup of the dh code: - remove dh_selftest(), this should go into regress somewhere - remove any iked-specific dependencies from dh.c/dh.h which allows us to use this code in other projects as well.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|