![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / sbin / iked
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.101 / (download) - annotate - [select for diffs], Tue Feb 13 12:25:11 2024 UTC (3 months, 3 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
HEAD
Changes since 1.100: +9 -1 lines
Diff to previous 1.100 (colored)
Control startup of PROC_CERT and PROC_IKEV2.
Currenly PROC_PARENT sends the configuration to both PROC_CERT and
PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know
the state of PROC_CERT: PROC_CERT might not have processed the
initial configuration while PROC_IKEV2 already sends requests to
PROC_CERT, causing failed requests, or even crashes (NULL deref of
ca_certs).
In order to make sure that PROC_CERT is ready before
IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol
is changed as follows:
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed
all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that
IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all
messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has
already processed IMSG_CTL_ACTIVE
from markus@
Revision 1.100 / (download) - annotate - [select for diffs], Tue Feb 6 13:10:56 2024 UTC (4 months ago) by tobhe
Branch: MAIN
Changes since 1.99: +4 -5 lines
Diff to previous 1.99 (colored)
Pass struct iked directly to ca_reset() instead of passing it via ps discussed with markus@
Revision 1.99 / (download) - annotate - [select for diffs], Wed Jan 24 10:09:07 2024 UTC (4 months, 2 weeks ago) by tobhe
Branch: MAIN
Changes since 1.98: +11 -9 lines
Diff to previous 1.98 (colored)
Use per connection peerid for control replies instead of 'broadcasting' replies for 'ikectl show sa' and similar control requests, we now assign a uniq peerid to each request and pass this peerid between the processes so the reply can be sent on the matching connection. from markus@
Revision 1.98 / (download) - annotate - [select for diffs], Mon Jan 15 15:29:00 2024 UTC (4 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored)
Include cert_partial_chain in iked_static instead of sending a separate message. from markus@
Revision 1.97 / (download) - annotate - [select for diffs], Sat Sep 2 18:16:02 2023 UTC (9 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.96: +2 -3 lines
Diff to previous 1.96 (colored)
Remove unneccessary id == NULL check after dereferencing it. id can never be NULL here. Found by tb@
Revision 1.96 / (download) - annotate - [select for diffs], Fri Aug 4 19:06:25 2023 UTC (10 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.95: +16 -16 lines
Diff to previous 1.95 (colored)
Convert calls to ibuf_length() where it is clear that the ibuf is not NULL to ibuf_size(). In some cases it is clear that the ibuf pointer should just be checked for NULL since afterwards a new ibuf is allocated in its place. OK tb@
Revision 1.95 / (download) - annotate - [select for diffs], Wed Jun 28 14:10:24 2023 UTC (11 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.94: +141 -8 lines
Diff to previous 1.94 (colored)
Add support to verify X509 chain from CERT payloads. Encode cert and intermediate CAs in new cert bundle object, so the information can be passed to the ca process in one step. Pass untrusted intermediates to X509_verify_cert(). From markus@
Revision 1.94 / (download) - annotate - [select for diffs], Sun Jun 25 08:07:04 2023 UTC (11 months, 2 weeks ago) by op
Branch: MAIN
Changes since 1.93: +1 -13 lines
Diff to previous 1.93 (colored)
remove ca_sslinit() it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything. spotted by tb, ok tb tobhe
Revision 1.93 / (download) - annotate - [select for diffs], Sat Jun 17 22:33:34 2023 UTC (11 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.92: +4 -4 lines
Diff to previous 1.92 (colored)
Fix leak of key.id_buf in pubkey auth case. from markus
Revision 1.92 / (download) - annotate - [select for diffs], Tue May 23 13:12:19 2023 UTC (12 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.91: +23 -23 lines
Diff to previous 1.91 (colored)
Replace ibuf_release() with ibuf_free() since the former just calls the latter OK kn@ tb@
Revision 1.91 / (download) - annotate - [select for diffs], Sun Mar 5 22:17:22 2023 UTC (15 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3
Changes since 1.90: +10 -16 lines
Diff to previous 1.90 (colored)
Fix clean process shutdown by storing env globally like vmd and httpd do instead of getting it from p_ps. The old approach does not work anymore after the recent fork + exec update. ok patrick@
Revision 1.90 / (download) - annotate - [select for diffs], Sat Mar 4 22:22:50 2023 UTC (15 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.89: +11 -7 lines
Diff to previous 1.89 (colored)
Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector. ok bluhm@ patrick@
Revision 1.89 / (download) - annotate - [select for diffs], Mon Nov 7 22:39:52 2022 UTC (19 months ago) by tobhe
Branch: MAIN
Changes since 1.88: +12 -8 lines
Diff to previous 1.88 (colored)
Free objects that were dynamically allocated in libcrypto with OPENSSL_free(). When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc() so regular free() is safe. Other implementations allow switching to a different allocator where free() could result in a possible heap corruption. Report and initial fix by dropk1ck (gh #92) ok tb@
Revision 1.88 / (download) - annotate - [select for diffs], Fri Jul 8 19:51:11 2022 UTC (23 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE,
OPENBSD_7_2
Changes since 1.87: +82 -3 lines
Diff to previous 1.87 (colored)
Support sending certificate chains with intermediate CAs in multiple CERT payloads. Local certificate chains as required with LetsEncrypt certs will work between iked and other IKEv2 implementations, iked to iked connections won't work yet because of missing support to receive multiple CERT payloads. from Katsuhiro Ueno tested by and ok sthen@
Revision 1.87 / (download) - annotate - [select for diffs], Tue Dec 14 13:44:36 2021 UTC (2 years, 5 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.86: +15 -32 lines
Diff to previous 1.86 (colored)
Move raw pubkey bytes to EVP_PKEY conversion to common function. ok markus@
Revision 1.86 / (download) - annotate - [select for diffs], Mon Dec 13 19:47:40 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.85: +3 -3 lines
Diff to previous 1.85 (colored)
Fix asprintf() error check. Portable code should check the return value for -1, not buf == NULL. ok tobhe
Revision 1.85 / (download) - annotate - [select for diffs], Mon Dec 13 19:46:22 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.84: +5 -1 lines
Diff to previous 1.84 (colored)
Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically allocating a buffer. ok tobhe
Revision 1.84 / (download) - annotate - [select for diffs], Mon Dec 13 17:35:34 2021 UTC (2 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.83: +34 -64 lines
Diff to previous 1.83 (colored)
Cleanup libcrypto memory management. Remove redundant NULL checks before calling *_free() functions. Use 'get0' functions where it makes sense to avoid some frees. Feedback and ok tb@
Revision 1.83 / (download) - annotate - [select for diffs], Wed Dec 8 19:17:35 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.82: +80 -4 lines
Diff to previous 1.82 (colored)
The /etc/iked/certs/ directory is used for both local and peer certificates. Check if we have a matching key before using a certificate as local to prevent cryptic error messages later when the signature is checked. ok markus@ patrick@
Revision 1.82 / (download) - annotate - [select for diffs], Tue Dec 7 17:03:01 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.81: +19 -2 lines
Diff to previous 1.81 (colored)
Fix locally stored peer certificates in /etc/iked/certs as documented in iked(8). Local certificates are always trusted and preferred over certs received over the wire. ok patrick@ markus@
Revision 1.81 / (download) - annotate - [select for diffs], Wed Dec 1 16:42:12 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.80: +4 -4 lines
Diff to previous 1.80 (colored)
whitespace cleanup during review read
Revision 1.80 / (download) - annotate - [select for diffs], Thu Nov 25 18:28:51 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored)
Silence unitialized variable warnings.
Revision 1.79 / (download) - annotate - [select for diffs], Sun Nov 21 22:44:08 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.78: +57 -2 lines
Diff to previous 1.78 (colored)
Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates. ok markus@
Revision 1.78 / (download) - annotate - [select for diffs], Wed Feb 24 22:17:48 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_7_0,
OPENBSD_6_9_BASE,
OPENBSD_6_9
Changes since 1.77: +3 -3 lines
Diff to previous 1.77 (colored)
Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data(). From Moritz Schmitt ok patrick@
Revision 1.77 / (download) - annotate - [select for diffs], Sun Feb 7 00:56:06 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.76: +3 -1 lines
Diff to previous 1.76 (colored)
Free X509_STOREs in ca_shutdown().
Revision 1.76 / (download) - annotate - [select for diffs], Thu Feb 4 19:59:15 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.75: +97 -49 lines
Diff to previous 1.75 (colored)
Upgrade to OpenSSL 1.1 compatible crypto API. Add additional checks where needed. ok markus@ patrick@
Revision 1.75 / (download) - annotate - [select for diffs], Sat Dec 5 19:10:47 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.74: +3 -2 lines
Diff to previous 1.74 (colored)
Make len unsigned. ok patrick@
Revision 1.74 / (download) - annotate - [select for diffs], Wed Nov 4 15:32:10 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.73: +4 -3 lines
Diff to previous 1.73 (colored)
Add check for static id size. ok patrick@
Revision 1.73 / (download) - annotate - [select for diffs], Fri Oct 9 08:59:15 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.72: +1 -2 lines
Diff to previous 1.72 (colored)
More unused headers.
Revision 1.72 / (download) - annotate - [select for diffs], Fri Oct 9 08:54:24 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.71: +1 -2 lines
Diff to previous 1.71 (colored)
Remove unused "wait.h" includes.
Revision 1.71 / (download) - annotate - [select for diffs], Wed Sep 23 14:25:54 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE,
OPENBSD_6_8
Changes since 1.70: +6 -1 lines
Diff to previous 1.70 (colored)
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/. ok patrick@
Revision 1.70 / (download) - annotate - [select for diffs], Tue Sep 8 20:20:30 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.69: +6 -2 lines
Diff to previous 1.69 (colored)
Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching the CERTREQ is found, don't wait for more requests. Correctly set type if cert was found as fallback. ok patrick@
Revision 1.69 / (download) - annotate - [select for diffs], Fri Aug 21 14:30:17 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.68: +25 -9 lines
Diff to previous 1.68 (colored)
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf. ok patrick@
Revision 1.68 / (download) - annotate - [select for diffs], Tue Aug 18 21:02:49 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)
Add optional time-stamp validaten for ocsp. The new optional 'tolerate' parameter specifies how many seconds leeway are allowed in the check. The optional maxage parameter indicates the allowed maximum age of the `thisUpdate' OCSP attribute value. ok patrick@
Revision 1.67 / (download) - annotate - [select for diffs], Sun Aug 16 09:09:16 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored)
Clean up unused parameters.
Revision 1.66 / (download) - annotate - [select for diffs], Fri Aug 14 21:13:15 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.65: +2 -3 lines
Diff to previous 1.65 (colored)
Clean up unused variables.
Revision 1.60.4.1 / (download) - annotate - [select for diffs], Mon Jul 27 14:24:12 2020 UTC (3 years, 10 months ago) by deraadt
Branch: OPENBSD_6_7
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored) next main 1.61 (colored)
Fix return value check for openssl API used during pubkey validation. Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de> ok patrick@, markus@, tb@ this is errata 6.7/014_iked.patch
Revision 1.48.2.1 / (download) - annotate - [select for diffs], Mon Jul 27 14:23:39 2020 UTC (3 years, 10 months ago) by deraadt
Branch: OPENBSD_6_6
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored) next main 1.49 (colored)
Fix return value check for openssl API used during pubkey validation. Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de> ok patrick@, markus@, tb@ this is errata 6.6/036_iked.patch
Revision 1.65 / (download) - annotate - [select for diffs], Mon Jul 27 14:22:53 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.64: +2 -2 lines
Diff to previous 1.64 (colored)
Fix return value check for openssl API used during pubkey validation. Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de> ok patrick@, markus@, tb@
Revision 1.64 / (download) - annotate - [select for diffs], Wed Jul 15 14:45:15 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.63: +41 -21 lines
Diff to previous 1.63 (colored)
Make CERT and CERTREQ payloads optional for public key authentication. When using certificate authentication the CERT payload is mandatory and as the name suggests is used to send a certificate containing a public key used for the authentication signature. For pubkey authentication the key is preshared and stored locally, but only the 'ca' process can read the local keys. The 'ikev2' process had to get the key from the received CERT payload to verify the authentication signature. The peer ID + raw key was then forwarded to the 'ca' process which compared the key against the contents of /etc/iked/pubkey and returned either CERTVALID or CERTINVALID. With this change a message containing only the ID may be sent from 'ikev2' to the 'ca' process if CERT was not included. In this case the CA process will try to find a local key matching the ID and return it to the 'ikev2' process. The auth verification happens after the 'ca' process has verified or found a key and returned it to the 'ikev2' process, eliminating the need for the CERT payload. Making CERTREQ optional is easier because we already have a fallback case if the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this same fallback. This should fix public key authentication interoperability with *swan and other IKEv2 implementations. ok and tested by kn@ ok patrick@
Revision 1.63 / (download) - annotate - [select for diffs], Thu Jun 25 19:14:26 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.62: +5 -2 lines
Diff to previous 1.62 (colored)
Silence ca_validate_pubkey() error message for cert type IKEV2_CERT_X509_CERT.
Revision 1.62 / (download) - annotate - [select for diffs], Wed Jun 17 19:41:04 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.61: +14 -5 lines
Diff to previous 1.61 (colored)
Fix length check in ca_getreq(). ok patrick@
Revision 1.61 / (download) - annotate - [select for diffs], Fri May 8 19:33:13 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.60: +2 -15 lines
Diff to previous 1.60 (colored)
Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf does the same thing. ok patrick@
Revision 1.60 / (download) - annotate - [select for diffs], Sun Apr 12 20:18:45 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE
Branch point for: OPENBSD_6_7
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)
"could not open public key" is an error and should be log_info.
Revision 1.59 / (download) - annotate - [select for diffs], Fri Apr 10 20:58:32 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored)
Only make the type part of the idstring lowercase when looking for certs in '/etc/iked', otherwise certs with SubjAltNames containing uppercase letters are not found. ok markus@
Revision 1.58 / (download) - annotate - [select for diffs], Wed Apr 8 20:04:19 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.57: +20 -1 lines
Diff to previous 1.57 (colored)
Prevent multiple ibuf leaks. Clean up on proccess shutdown. ok markus@
Revision 1.57 / (download) - annotate - [select for diffs], Tue Apr 7 18:52:57 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.56: +18 -3 lines
Diff to previous 1.56 (colored)
Always prefer generic signature authentication (RFC 7427) , not just for RSA. ok markus@
Revision 1.56 / (download) - annotate - [select for diffs], Mon Apr 6 20:23:16 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.55: +13 -6 lines
Diff to previous 1.55 (colored)
Fix pubkey leak in CA process for ASN1_DN IDs. ok markus@
Revision 1.55 / (download) - annotate - [select for diffs], Wed Apr 1 21:09:26 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.54: +16 -8 lines
Diff to previous 1.54 (colored)
Properly handle multiple CERTREQ payloads in CA process. Only for the last CERTREQ a mismatch should trigger the fallback case, otherwise the following CERTREQs are ignored. ok markus@
Revision 1.54 / (download) - annotate - [select for diffs], Tue Mar 31 20:19:51 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.53: +52 -4 lines
Diff to previous 1.53 (colored)
Log summary of certificates in cert store when iked fails to find a certificate for the policy's 'srcid'. ok markus@
Revision 1.53 / (download) - annotate - [select for diffs], Fri Mar 27 12:53:31 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.52: +2 -1 lines
Diff to previous 1.52 (colored)
Adjust cert type when choosing public key fallback. ok patrick@
Revision 1.52 / (download) - annotate - [select for diffs], Tue Mar 24 19:14:53 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.51: +6 -3 lines
Diff to previous 1.51 (colored)
Add ikev2_print_static_id() to print static IDs in log_debug() output. ok markus@
Revision 1.51 / (download) - annotate - [select for diffs], Tue Mar 24 19:11:46 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.50: +32 -9 lines
Diff to previous 1.50 (colored)
Make our CERTREQ payload handling less strict. If we can not find a certificate or key matching the trust anchor sent in the CERTREQ, find any certificate matching the peers ID or use the own public key. The CERTRQ contentss should only be interpreted as a hint on what the peer supports. It may still accept our certificate/key if it does not match the CERTREQ. ok markus@
Revision 1.50 / (download) - annotate - [select for diffs], Wed Jan 15 21:47:57 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.49: +117 -89 lines
Diff to previous 1.49 (colored)
Support multiple x509 extensions and extensions with multiple subjectAltName fields. The new parser code is inspired by tls_check_subject_altname() from libssl. ok markus@
Revision 1.49 / (download) - annotate - [select for diffs], Wed Jan 15 17:38:55 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.48: +35 -2 lines
Diff to previous 1.48 (colored)
If we don't find a certificate signed by a trusted CA with subjectAltName matching srcid, try certificate with only matching subjectAltName. ok patrick@
Revision 1.48 / (download) - annotate - [select for diffs], Wed Jul 3 03:24:01 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE
Branch point for: OPENBSD_6_6
Changes since 1.47: +4 -4 lines
Diff to previous 1.47 (colored)
snprintf/vsnprintf return < 0 on error, rather than -1.
Revision 1.47 / (download) - annotate - [select for diffs], Wed Feb 27 06:33:56 2019 UTC (5 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)
update RFC references, from tobias_heider at genua.de, ok claudio@
Revision 1.46 / (download) - annotate - [select for diffs], Mon Oct 30 09:53:27 2017 UTC (6 years, 7 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE,
OPENBSD_6_4,
OPENBSD_6_3_BASE,
OPENBSD_6_3
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)
In the subjectAltName comparison, the bzero before the while-loop was lost while applying the diff. This is means sanid could be passed uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release() could try to release a pointer which is essentially stack garbage. While there I realized that the bzero() in the loop is essentially fatal, since every mismatch leads to a silent leak of ibufs. Since ca_x509_subjectaltname_cmp() releases and initializes the passed iked_id, we can safely call it multiple times after initializing sanid once before the loop. ok markus@
Revision 1.45 / (download) - annotate - [select for diffs], Fri Oct 27 14:28:07 2017 UTC (6 years, 7 months ago) by patrick
Branch: MAIN
Changes since 1.44: +18 -21 lines
Diff to previous 1.44 (colored)
Support multiple subjectAltNames by trying each existing until there is none or until we find one that matches. ok markus@
Revision 1.44 / (download) - annotate - [select for diffs], Tue Mar 28 19:52:03 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE,
OPENBSD_6_2,
OPENBSD_6_1_BASE,
OPENBSD_6_1
Changes since 1.43: +12 -4 lines
Diff to previous 1.43 (colored)
Add helpful debug messages to tell us why public key authentication failed. This is currently only visible in debug mode (eg. iked -dvv), some debug messages will be turned into regular warnings later. OK claudio@ deraadt@
Revision 1.43 / (download) - annotate - [select for diffs], Mon Mar 27 10:06:41 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.42: +140 -10 lines
Diff to previous 1.42 (colored)
Add support for RFC4754 (ECDSA) and RFC7427 authentication. These modes provide stronger and more flexible ways for authentication: while RSA public key auth relies on SHA-1 hashes, the news modes use SHA2-256 and up to SHA2-512 hashes. Original diff from markus@ with patches from mikeb@ and me. OK mikeb@ patrick@
Revision 1.42 / (download) - annotate - [select for diffs], Fri Jan 20 14:08:08 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.41: +9 -4 lines
Diff to previous 1.41 (colored)
Make sure to free reference to the public key after decoding From and OK markus@, OK reyk
Revision 1.41 / (download) - annotate - [select for diffs], Tue Jan 3 17:51:38 2017 UTC (7 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.40: +51 -38 lines
Diff to previous 1.40 (colored)
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload. OK mikeb@
Revision 1.40 / (download) - annotate - [select for diffs], Mon Dec 7 12:46:37 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.39: +8 -13 lines
Diff to previous 1.39 (colored)
Sync proc.c, use shorter proc_compose[v]()
Revision 1.39 / (download) - annotate - [select for diffs], Thu Oct 22 15:55:18 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.38: +17 -1 lines
Diff to previous 1.38 (colored)
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process. Committed in agreement with many but nobody was brave enough to OK it. Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
Revision 1.38 / (download) - annotate - [select for diffs], Mon Oct 19 11:25:35 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.37: +1 -9 lines
Diff to previous 1.37 (colored)
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs. OK mikeb@
Revision 1.37 / (download) - annotate - [select for diffs], Thu Oct 1 10:59:23 2015 UTC (8 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.36: +6 -4 lines
Diff to previous 1.36 (colored)
Fix interoperability with Apple iOS9: If we don't get a (valid) CERTREQ but a CERT, respond with a local CERT that was selected based on our own policy instead of leaving it out. This seems to be valid with the RFC that makes the CERTREQ optional and allows to ignore it or to apply an own policy. OK mikeb@ sthen@
Revision 1.36 / (download) - annotate - [select for diffs], Fri Aug 21 11:59:27 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.35: +41 -41 lines
Diff to previous 1.35 (colored)
Switch iked to C99-style fixed-width integer types. OK mikeb@
Revision 1.35 / (download) - annotate - [select for diffs], Thu Mar 26 19:52:35 2015 UTC (9 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8
Changes since 1.34: +7 -1 lines
Diff to previous 1.34 (colored)
initial support for RFC 7427 signatures, so we are no longer restricted to SHA1 for RSA signatures. ok mikeb@
Revision 1.34 / (download) - annotate - [select for diffs], Fri Feb 6 10:39:01 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.33: +1 -2 lines
Diff to previous 1.33 (colored)
unneeded getopt.h
Revision 1.33 / (download) - annotate - [select for diffs], Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.32: +2 -3 lines
Diff to previous 1.32 (colored)
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
Revision 1.32 / (download) - annotate - [select for diffs], Fri Dec 5 07:24:45 2014 UTC (9 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.31: +6 -2 lines
Diff to previous 1.31 (colored)
Specify correct number of iovecs when sending replies to the ikev2 proc Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>; patch from Pedro Martelletto, thanks!
Revision 1.31 / (download) - annotate - [select for diffs], Thu Jul 10 12:50:05 2014 UTC (9 years, 11 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6
Changes since 1.30: +2 -1 lines
Diff to previous 1.30 (colored)
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok reyk@
Revision 1.30 / (download) - annotate - [select for diffs], Wed May 7 12:57:13 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.29: +134 -20 lines
Diff to previous 1.29 (colored)
make authentication work with X509 certificates that don't have a subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly; feedback & ok mikeb@
Revision 1.29 / (download) - annotate - [select for diffs], Mon May 5 18:56:42 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.28: +2 -1 lines
Diff to previous 1.28 (colored)
ca_x509_serialize: don't leak the bio buffer; ok reyk@
Revision 1.28 / (download) - annotate - [select for diffs], Mon May 5 18:54:17 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.27: +21 -15 lines
Diff to previous 1.27 (colored)
make the ca_pubkey_serialize() code similar to the private key code, and fixes a leak of the rsa object in the error case. from hshoexer@; ok reyk@
Revision 1.27 / (download) - annotate - [select for diffs], Tue Apr 22 12:00:03 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.26: +15 -12 lines
Diff to previous 1.26 (colored)
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit. ok mikeb@
Revision 1.26 / (download) - annotate - [select for diffs], Mon Feb 17 15:07:23 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE,
OPENBSD_5_5
Changes since 1.25: +12 -1 lines
Diff to previous 1.25 (colored)
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
Revision 1.25 / (download) - annotate - [select for diffs], Mon Feb 17 11:00:14 2014 UTC (10 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.24: +3 -3 lines
Diff to previous 1.24 (colored)
Fix compiler warnings in the format strings: use %zd for ssize_t and %zu for size_t. From Andre de Oliveira With input and OK from blambert@ markus@
Revision 1.24 / (download) - annotate - [select for diffs], Thu Nov 28 20:21:17 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.23: +141 -52 lines
Diff to previous 1.23 (colored)
support raw pubkey authentication w/o x509 certificates; mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@
Revision 1.23 / (download) - annotate - [select for diffs], Thu Nov 14 12:38:20 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.22: +7 -7 lines
Diff to previous 1.22 (colored)
pass caller to ca_sslerror for better error messages; ok mikeb
Revision 1.22 / (download) - annotate - [select for diffs], Thu Mar 21 04:30:14 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE,
OPENBSD_5_4
Changes since 1.21: +1 -2 lines
Diff to previous 1.21 (colored)
remove excessive includes
Revision 1.21 / (download) - annotate - [select for diffs], Tue Jan 8 10:38:19 2013 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE,
OPENBSD_5_3
Changes since 1.20: +2 -3 lines
Diff to previous 1.20 (colored)
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
Revision 1.20 / (download) - annotate - [select for diffs], Fri Nov 16 14:39:00 2012 UTC (11 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.19: +4 -4 lines
Diff to previous 1.19 (colored)
promote some debug messages to warnings; ok reyk
Revision 1.19 / (download) - annotate - [select for diffs], Tue Oct 9 13:43:31 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)
"If srcid is omitted, the default is to use the hostname of the local machine." This has been broken when the subjectAltName certificate check was introduced some time ago. Fix it by obtaining the hostname source Id in the certificate request code as well. ok mikeb@
Revision 1.18 / (download) - annotate - [select for diffs], Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)
update email addresses to match reality. sure jsg@ mikeb@
Revision 1.17 / (download) - annotate - [select for diffs], Fri May 27 12:01:02 2011 UTC (13 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE,
OPENBSD_5_2,
OPENBSD_5_1_BASE,
OPENBSD_5_1,
OPENBSD_5_0_BASE,
OPENBSD_5_0
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)
spacing
Revision 1.16 / (download) - annotate - [select for diffs], Mon May 9 11:15:18 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.15: +7 -7 lines
Diff to previous 1.15 (colored)
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
Revision 1.15 / (download) - annotate - [select for diffs], Thu May 5 12:59:31 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.14: +3 -3 lines
Diff to previous 1.14 (colored)
Small tweak - add direct pointer to env instead of using an indirect one.
Revision 1.14 / (download) - annotate - [select for diffs], Thu May 5 12:55:52 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.13: +9 -8 lines
Diff to previous 1.13 (colored)
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
Revision 1.13 / (download) - annotate - [select for diffs], Thu May 5 12:17:10 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.12: +12 -12 lines
Diff to previous 1.12 (colored)
rename iked_proc* to privsep_proc*. no functional change.
Revision 1.12 / (download) - annotate - [select for diffs], Wed Dec 22 17:53:54 2010 UTC (13 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.11: +4 -4 lines
Diff to previous 1.11 (colored)
move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because it is too specific to be in util.c. This will allow to link util.c into ikectl later without all the other dependencies of pritn_id().
Revision 1.11 / (download) - annotate - [select for diffs], Thu Sep 30 14:25:54 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.10: +2 -6 lines
Diff to previous 1.10 (colored)
promote openssl errors to the warning level; ok reyk
Revision 1.10 / (download) - annotate - [select for diffs], Tue Jun 29 21:04:42 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8
Changes since 1.9: +109 -5 lines
Diff to previous 1.9 (colored)
add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an alternative to X.509 CA verification. this will be needed to support public key authentication like isakmpd does; a few bits are still missing.
Revision 1.9 / (download) - annotate - [select for diffs], Sun Jun 27 05:49:05 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.8: +89 -46 lines
Diff to previous 1.8 (colored)
When a peer requests a certificate from the local gateway, we first lookup a cert from /etc/iked/certs/ that is signed by a requested CA. As a second step we also compare the subjectAltName of any found certificate now to match the local srcid; this allows to have multiple certs for the same CA but different srcids in the certs/ directory but enforces that the subjectAltName has to be set correctly. requested by jsg@
Revision 1.8 / (download) - annotate - [select for diffs], Sun Jun 27 01:37:56 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.7: +4 -2 lines
Diff to previous 1.7 (colored)
fix the length check for ASN1_ID Ids.
Revision 1.7 / (download) - annotate - [select for diffs], Sun Jun 27 01:11:09 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.6: +143 -12 lines
Diff to previous 1.6 (colored)
Verify that the subjectAltName extension is present and matches the peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it with the certificate subjectName (DN). This prevents the peer from using an arbitrary peer Id (it is signed by the CA in the cert) and qualifies the optional pf tag.
Revision 1.6 / (download) - annotate - [select for diffs], Sat Jun 26 18:32:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.5: +3 -1 lines
Diff to previous 1.5 (colored)
Include the Id type in the generated SA tag that is passed to the kernel, just like isakmpd does it. In difference to isakmpd, the Id type is printed in capital letters, eg. FQDN/foo.example.com, because it is using the existing print_map() API. For consistency, rename a few Id types in grammar and code from the RFC-names to the OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just IPV4, DER_ASN1_DN to ASN1_DN etc.
Revision 1.5 / (download) - annotate - [select for diffs], Thu Jun 24 20:15:30 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.4: +11 -3 lines
Diff to previous 1.4 (colored)
unbreak the ikectl log verbose/brief commands.
Revision 1.4 / (download) - annotate - [select for diffs], Fri Jun 11 10:15:31 2010 UTC (14 years ago) by jsg
Branch: MAIN
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)
tweak the code slightly so we can remove -lssl ok reyk@
Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 10 14:09:19 2010 UTC (14 years ago) by jsg
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)
move a bzero of the x509 store context higher up so the cert validation does something useful. ok reyk@
Revision 1.2 / (download) - annotate - [select for diffs], Thu Jun 10 08:29:47 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.1: +3 -3 lines
Diff to previous 1.1 (colored)
i don't like splitting source code in too many source files but ikev2.c has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better.
Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN
Import iked, a new implementation of the IKEv2 protocol. iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder. with lots of help and debugging by jsg@ ok deraadt@