OpenBSD CVS

CVS log for src/sbin/iked/iked.h




Default branch: MAIN


Revision 1.230, Sat Mar 2 16:16:07 2024 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.229: +5 -2 lines

Trigger retransmission only for fragment 1/x, otherwise each received
fragment can trigger retransmission of the full fragment queue.

From RFC7383, 2.6.1:
"[...] that even MUST only trigger a retransmission of the response message
 (fragmented or no) if the Fragment Number field in the received
 fragments is set to 1; otherwise, it MUST be ignored."

from markus

Revision 1.229, Thu Feb 15 20:10:45 2024 UTC by tobhe
Branch: MAIN
Changes since 1.228: +4 -2 lines

Introduce new IMSG_CTL_PROCREADY which is used to signal that all pipes
are set up by child processes. The parent sends a ping to all children
and only starts once it has received an acknowledgement from all of them.
This fixes a race condition on process startup when the parent starts
running before all children are ready.

From markus@

Revision 1.228, Thu Feb 15 19:11:00 2024 UTC by tobhe
Branch: MAIN
Changes since 1.227: +2 -1 lines

Delay enabling sockets until ikev2 process is ready.

from markus@

Revision 1.227, Thu Feb 15 19:04:12 2024 UTC by tobhe
Branch: MAIN
Changes since 1.226: +1 -5 lines

Remove unused control_socks queue.

from markus@

Revision 1.226, Wed Jan 24 10:09:07 2024 UTC by tobhe
Branch: MAIN
Changes since 1.225: +2 -1 lines

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Revision 1.225, Mon Jan 15 15:29:00 2024 UTC by tobhe
Branch: MAIN
Changes since 1.224: +3 -5 lines

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@

Revision 1.224, Fri Aug 11 11:24:55 2023 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.223: +2 -1 lines

Add iked support for route based sec(4) tunnels.

To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.

ok dlg@

Revision 1.223, Fri Jul 28 11:23:03 2023 UTC by claudio
Branch: MAIN
Changes since 1.222: +2 -1 lines

Implement print_hexbuf() to hexdump the contents of an ibuf.
OK tb@

Revision 1.222, Tue Jul 18 15:07:41 2023 UTC by claudio
Branch: MAIN
Changes since 1.221: +1 -2 lines

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@

Revision 1.221, Sun Jul 16 15:21:46 2023 UTC by claudio
Branch: MAIN
Changes since 1.220: +2 -3 lines

Merge ibuf_get() with ibuf_getdata() and rename it to ibuf_getdata().
Also replace a ibuf_reserve() call with ibuf_add_zero() and
remove a buf->buf == NULL check in ibuf_length() since it is not necessary.
OK tobhe@ tb@

Revision 1.220, Wed Jun 28 14:10:24 2023 UTC by tobhe
Branch: MAIN
Changes since 1.219: +3 -1 lines

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

Revision 1.219, Sun Jun 25 08:07:04 2023 UTC by op
Branch: MAIN
Changes since 1.218: +1 -2 lines

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Revision 1.218, Mon Jun 19 17:19:50 2023 UTC by claudio
Branch: MAIN
Changes since 1.217: +1 -2 lines

Improve the ibuf API by adding these functions:
Functions extending ibuf_add to work with more specific data types
  ibuf_add_buf, ibuf_add_zero, ibuf_add_n8, ibuf_add_n16, ibuf_add_n32,
  ibuf_add_n64
Functions replacing ibuf_seek where data at a specific offset is modified
  ibuf_set, ibuf_set_n8, ibuf_set_n16, ibuf_set_n32, ibuf_set_n64
Functions to check, get and set the filedescriptor stored on the ibuf
  ibuf_fd_avail, ibuf_fd_get, ibuf_fd_set
and ibuf_data() to access the data buffer, to be used together with ibuf_size()

On top of this add an optimized imsg_compose_ibuf() where an ibuf is wrapped
into an imsg in an efficient way.

Finally remove msgbuf_drain since it is not used by anything outside of
the ibuf code. Because of this removal bump the major of libutil.

Remove ibuf_data() in iked since the same function is now provided by libutil.
OK tb@

Revision 1.217, Fri Jun 16 10:28:43 2023 UTC by tb
Branch: MAIN
Changes since 1.216: +1 -3 lines

Now that print_host() is unused, rename it to print_addr() and simplify.

ok claudio tobhe

Revision 1.216, Tue Jun 13 12:34:12 2023 UTC by tb
Branch: MAIN
Changes since 1.215: +3 -1 lines

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe

Revision 1.215, Mon Jun 12 09:02:31 2023 UTC by claudio
Branch: MAIN
Changes since 1.214: +2 -5 lines

Use stdio open_memstream(3) to build up log strings instead of trying to
abuse ibufs for that. Using stdio for this has the benefit of using any
stdio function to build up strings including fprintf().
With and OK tb@

Revision 1.214, Tue May 30 08:41:15 2023 UTC by claudio
Branch: MAIN
Changes since 1.213: +1 -2 lines

Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat()
method but instead of overwriting ibuf internals replace the buf a level up.
Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to
msg_data (which is another footgun to disarm at some point).
OK tb@

Revision 1.213, Tue May 23 13:57:14 2023 UTC by claudio
Branch: MAIN
Changes since 1.212: +1 -2 lines

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@

Revision 1.212, Tue May 23 13:12:19 2023 UTC by claudio
Branch: MAIN
Changes since 1.211: +1 -2 lines

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Revision 1.211, Tue May 23 12:43:26 2023 UTC by claudio
Branch: MAIN
Changes since 1.210: +1 -2 lines

There is no need to ibuf_zero() or memset() any buffers.
More cleanup will follow.
OK tobhe@

Revision 1.210, Sun Mar 5 22:17:22 2023 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.209: +4 -2 lines

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps.  The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Revision 1.209, Sat Mar 4 22:22:50 2023 UTC by tobhe
Branch: MAIN
Changes since 1.208: +21 -10 lines

Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Revision 1.208, Sat Dec 3 22:34:35 2022 UTC by tobhe
Branch: MAIN
Changes since 1.207: +3 -3 lines

Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.

Revision 1.207, Mon Sep 19 20:54:02 2022 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.206: +38 -1 lines

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Revision 1.206, Fri Jul 22 15:53:33 2022 UTC by tobhe
Branch: MAIN
Changes since 1.205: +3 -1 lines

Include an OpenIKED Vendor ID payload in the initial handshake.  This will
make it easier to handle interoperability problems with older versions in
the future.  The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).

ok markus@ bluhm@

Revision 1.205, Fri Jul 8 19:51:11 2022 UTC by tobhe
Branch: MAIN
Changes since 1.204: +3 -1 lines

Support sending certificate chains with intermediate CAs in multiple CERT
payloads.  Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations; iked-to-iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Revision 1.204, Mon Mar 14 12:58:55 2022 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.203: +16 -14 lines

Improve retransmission of message fragments.  RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message.  Instead of treating each fragment as a message with
a separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@

Revision 1.203, Thu Dec 9 13:49:45 2021 UTC by tobhe
Branch: MAIN
Changes since 1.202: +2 -2 lines

Properly enable NAT-T without udpencap if mobike was negotiated without NAT.
Fixes a bug where iked sent zero-prefixed NAT-T messages on port 500 causing
parsing errors.

ok markus@ patrick@

Revision 1.202, Thu Dec 9 13:36:59 2021 UTC by tobhe
Branch: MAIN
Changes since 1.201: +3 -1 lines

Move switch to NAT-T port and udpencap activation to ikev2_enable_natt().

ok patrick@

Revision 1.201, Wed Dec 1 16:42:12 2021 UTC by deraadt
Branch: MAIN
Changes since 1.200: +3 -3 lines

whitespace cleanup during review read

Revision 1.200, Mon Nov 29 06:43:42 2021 UTC by deraadt
Branch: MAIN
Changes since 1.199: +5 -1 lines

sys/param.h was included for MAX(), MIN() and roundup().  make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg

Revision 1.199, Sat Nov 27 21:50:05 2021 UTC by tobhe
Branch: MAIN
Changes since 1.198: +2 -2 lines

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@

Revision 1.198, Fri Nov 26 16:22:44 2021 UTC by patrick
Branch: MAIN
Changes since 1.197: +2 -1 lines

A peer sends both his local id and the remote id he expects us to be.  So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set.  Hence dstid is involved in the decision making.  While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have.  If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@

Revision 1.197, Wed Nov 24 21:06:21 2021 UTC by tobhe
Branch: MAIN
Changes since 1.196: +2 -2 lines

Unregister event on pfkey socket during pfkey_reply().  Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Revision 1.196, Wed Nov 24 20:48:00 2021 UTC by tobhe
Branch: MAIN
Changes since 1.195: +10 -10 lines

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Revision 1.195, Tue Oct 26 17:31:22 2021 UTC by tobhe
Branch: MAIN
Changes since 1.194: +6 -6 lines

Make proto config option accept a list to allow specifying multiple
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".

feedback and ok benno@
ok patrick@

Revision 1.194, Tue Oct 12 10:01:59 2021 UTC by tobhe
Branch: MAIN
Changes since 1.193: +2 -2 lines

Change responder to prefer DH group from KE payload.
Without this change the responder would always prefer the first DH
group configured in its policy. This would lead to invalid KE
messages that cause an additional exchange which old
implementations do not support correctly. Now we ignore the order
of DH groups in the policy and prefer the group from the policy
that matches the KE payload.

from markus@
ok patrick@

Revision 1.193, Wed Sep 1 15:30:06 2021 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.192: +6 -1 lines

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@

Revision 1.192, Wed Jun 23 12:11:40 2021 UTC by tobhe
Branch: MAIN
Changes since 1.191: +2 -1 lines

Factor out vroute_addr().

ok markus@

Revision 1.191, Thu May 13 15:20:48 2021 UTC by tobhe
Branch: MAIN
Changes since 1.190: +3 -1 lines

Refactor iked process shutdown and cleanup. Remember configured
addresses and routes in iked_vroute_sc to not depend on ikev2
process for cleanup.

This makes sure that all flows, routes and addresses are deleted
no matter which process is killed first.

ok patrick@

Revision 1.190, Tue Apr 20 21:11:56 2021 UTC by dv
Branch: MAIN
Changes since 1.189: +1 -2 lines

Move TAILQ initialization to files where they are used.

These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and the exposure of the
TAILQ structures to other compilation units.

ok bluhm@, tb@

Revision 1.189, Fri Mar 5 22:26:04 2021 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.188: +3 -1 lines

Print PFS group for rekeyed Child SAs.

ok patrick@

Revision 1.188, Fri Mar 5 22:03:51 2021 UTC by tobhe
Branch: MAIN
Changes since 1.187: +44 -4 lines

Move policy printing code from parse.y to new print.c

ok patrick@

Revision 1.187, Thu Feb 25 20:13:24 2021 UTC by tobhe
Branch: MAIN
Changes since 1.186: +5 -5 lines

Constify cipher API.

ok markus@

Revision 1.186, Mon Feb 22 21:58:12 2021 UTC by tobhe
Branch: MAIN
Changes since 1.185: +2 -2 lines

Don't pass 'id' as argument to make function signature match similar
functions.  config_setpfkey() is always called with id PROC_IKEV2.

Revision 1.185, Sat Feb 13 16:14:12 2021 UTC by tobhe
Branch: MAIN
Changes since 1.184: +17 -1 lines

Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@

Revision 1.184, Thu Feb 4 20:38:26 2021 UTC by tobhe
Branch: MAIN
Changes since 1.183: +2 -2 lines

Rename 'struct group' to 'struct dh_group' for more clarity and
to avoid name clashes.

ok patrick@

Revision 1.183, Mon Feb 1 16:37:48 2021 UTC by tobhe
Branch: MAIN
Changes since 1.182: +2 -2 lines

Take flows into consideration for policy lookup as initiator.
Fixes a bug where policies that only differ in their flow
configuration lead to a handshake error.

Found by claudio@
ok patrick@

Revision 1.182, Thu Jan 28 01:20:37 2021 UTC by mortimer
Branch: MAIN
Changes since 1.181: +2 -2 lines

Extern privsep_process. Fixes compilation with -fno-common.

ok deraadt@

Revision 1.181, Tue Jan 26 23:06:23 2021 UTC by tobhe
Branch: MAIN
Changes since 1.180: +2 -1 lines

Add support for RSA-PSS PKCS1 signatures.  Don't enable them by
default for now because of interoperability issues.

ok patrick@

Revision 1.180, Thu Jan 21 16:46:47 2021 UTC by tobhe
Branch: MAIN
Changes since 1.179: +4 -2 lines

Add support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA
exchange.  In the case of an invalid KE error, retry
CREATE_CHILD_SA exchange with different group instead
of restarting the full IKE handshake.

ok markus@

Revision 1.179, Mon Dec 21 22:49:36 2020 UTC by tobhe
Branch: MAIN
Changes since 1.178: +2 -1 lines

Use policy_test() to reassign existing SAs to updated policies after
'ikectl reload'.  This prevents initiation of new additional SAs
for each policy every time the config is reloaded.

ok patrick@

Revision 1.178, Thu Dec 3 21:57:36 2020 UTC by tobhe
Branch: MAIN
Changes since 1.177: +4 -4 lines

Fix type mismatch. auth_method should be uint8_t.

ok markus@

Revision 1.177, Mon Nov 30 21:52:47 2020 UTC by tobhe
Branch: MAIN
Changes since 1.176: +1 -2 lines

We need to rekey every child SA (even if acquired): Otherwise we can
get out of sync with the peer and the peer would keep on using the
expired SA because the lifetime is not negotiated.

ok patrick@

Revision 1.176, Sun Nov 29 21:00:43 2020 UTC by tobhe
Branch: MAIN
Changes since 1.175: +3 -1 lines

Add 'set stickyaddress' option.  If this option is enabled, iked will try
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA.  The original IKESA will be closed and the
address will be transferred to the new IKESA.

ok patrick@

Revision 1.175, Thu Nov 26 22:24:06 2020 UTC by tobhe
Branch: MAIN
Changes since 1.174: +2 -1 lines

Use a counter instead of random IV for AES-GCM.  Security depends on
choosing a unique IV for every encryption operation; using a counter
as IV eliminates the risk of random collisions.

ok markus@ patrick@

Revision 1.174, Wed Nov 25 22:17:13 2020 UTC by tobhe
Branch: MAIN
Changes since 1.173: +3 -3 lines

Fix proposal error handling.  If a proposal contains an unknown transform
type or id, ignore the proposal instead of failing the exchange.

ok patrick@

Revision 1.173, Sat Nov 21 19:23:53 2020 UTC by tobhe
Branch: MAIN
Changes since 1.172: +2 -2 lines

Clean up NATT hack.  Pass 'frompeer' as parameter instead of manipulating
msg header to get the correct addresses and spis.

ok patrick@

Revision 1.172, Wed Nov 18 22:24:03 2020 UTC by tobhe
Branch: MAIN
Changes since 1.171: +3 -3 lines

Constify sa in ikev2_pld_eap().  The parser code must not change any
sa or policy state, this should help make it clearer.

ok patrick@

Revision 1.171, Fri Oct 30 23:05:39 2020 UTC by tobhe
Branch: MAIN
Changes since 1.170: +2 -2 lines

style(9)

Revision 1.170, Thu Oct 29 21:49:58 2020 UTC by tobhe
Branch: MAIN
Changes since 1.169: +5 -1 lines

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log.  If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@

Revision 1.169, Sat Oct 24 20:27:59 2020 UTC by tobhe
Branch: MAIN
Changes since 1.168: +2 -1 lines

Don't modify sa in ikev2_pld_cp.  Store cp_type in msg until message has
passed all checks.

ok patrick@

Revision 1.168, Mon Oct 19 17:02:57 2020 UTC by tobhe
Branch: MAIN
Changes since 1.167: +2 -1 lines

Handle NO_PROPOSAL_CHOSEN as IKE_AUTH initiator.

ok markus@

Revision 1.167, Sat Oct 3 20:23:08 2020 UTC by tobhe
Branch: MAIN
Changes since 1.166: +5 -1 lines

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@

Revision 1.166, Wed Sep 23 14:25:55 2020 UTC by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.165: +4 -1 lines

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Revision 1.165, Wed Sep 16 21:37:35 2020 UTC by tobhe
Branch: MAIN
Changes since 1.164: +29 -3 lines

Move all the EAP logic from a single branch in the message parsing code to
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is still special, but this fits a lot better into
the overall architecture.

Tested with iOS, Strongswan and Windows
ok patrick@ sthen@

Revision 1.164, Fri Aug 28 13:37:52 2020 UTC by tobhe
Branch: MAIN
Changes since 1.163: +4 -4 lines

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Revision 1.163, Wed Aug 26 14:49:48 2020 UTC by tobhe
Branch: MAIN
Changes since 1.162: +2 -1 lines

Allow disabling DPD liveness checks by setting dpd_check_interval to 0.

ok patrick@

Revision 1.162, Tue Aug 25 15:08:08 2020 UTC by tobhe
Branch: MAIN
Changes since 1.161: +3 -1 lines

Add dpd_check_interval configuration option.  If for any IKE SA no IPsec
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.

ok patrick@

Revision 1.161, Mon Aug 24 21:00:21 2020 UTC by tobhe
Branch: MAIN
Changes since 1.160: +16 -13 lines

Reduce the amount of boilerplate code and imsgs for config options by
grouping fixed-size values in 'struct iked_static' which is sent in
a single message.

ok patrick@

Revision 1.160, Sun Aug 23 19:16:08 2020 UTC by tobhe
Branch: MAIN
Changes since 1.159: +17 -2 lines

Add a new configuration option to limit the number of connections for
each peer (identified by their 'dstid').  When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.

ok patrick@

Revision 1.159, Sun Aug 23 15:14:25 2020 UTC by tobhe
Branch: MAIN
Changes since 1.158: +2 -2 lines

Rename natt_mode to sc_nattmode for consistency.

Revision 1.158, Fri Aug 21 14:30:17 2020 UTC by tobhe
Branch: MAIN
Changes since 1.157: +4 -4 lines

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@

Revision 1.157, Tue Aug 18 21:02:49 2020 UTC by tobhe
Branch: MAIN
Changes since 1.156: +3 -1 lines

Add optional time-stamp validation for ocsp.  The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Revision 1.156, Sun Aug 16 09:09:17 2020 UTC by tobhe
Branch: MAIN
Changes since 1.155: +4 -4 lines

Clean up unused parameters.

Revision 1.155, Tue Aug 11 20:51:06 2020 UTC by tobhe
Branch: MAIN
Changes since 1.154: +3 -3 lines

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@

Revision 1.154, Tue Jul 21 08:03:38 2020 UTC by tobhe
Branch: MAIN
Changes since 1.153: +3 -1 lines

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and a CHILDSA in a small time
window a strongswan peer might respond with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Revision 1.153, Wed Jul 15 14:45:15 2020 UTC by tobhe
Branch: MAIN
Changes since 1.152: +2 -1 lines

Make CERT and CERTREQ payloads optional for public key authentication.

When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys.  The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.

With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included.  In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.

Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled.  If no CERTREQ was received we now use this
same fallback.

This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.

ok and tested by kn@
ok patrick@

Revision 1.152 / (download) - annotate - [select for diffs], Wed Jun 3 17:56:42 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.151: +2 -3 lines
Diff to previous 1.151 (colored)

Pass sockaddr instead of sockaddr_storage to sa_address.

ok patrick@

Revision 1.151 / (download) - annotate - [select for diffs], Tue May 26 20:24:31 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.150: +10 -2 lines
Diff to previous 1.150 (colored)

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@

Revision 1.150 / (download) - annotate - [select for diffs], Thu May 14 15:08:30 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.149: +6 -6 lines
Diff to previous 1.149 (colored)

Stricter return value checking for EVP_Cipher* calls.

ok patrick@

Revision 1.149 / (download) - annotate - [select for diffs], Wed May 13 18:28:51 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.148: +1 -2 lines
Diff to previous 1.148 (colored)

Remove dead 'iked_flow' member 'flow_type'.

Revision 1.148 / (download) - annotate - [select for diffs], Fri May 8 19:33:13 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.147: +1 -2 lines
Diff to previous 1.147 (colored)

Remove unnecessary X509_NAME_oneline wrapper. Passing NULL as buf
does the same thing.

ok patrick@

Revision 1.147 / (download) - annotate - [select for diffs], Thu Apr 23 20:17:48 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.146: +3 -1 lines
Diff to previous 1.146 (colored)

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Revision 1.146 / (download) - annotate - [select for diffs], Mon Apr 20 20:03:38 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.145: +1 -2 lines
Diff to previous 1.145 (colored)

Remove unused 'dsa_cert' variable.

ok markus@

Revision 1.145 / (download) - annotate - [select for diffs], Mon Apr 13 19:10:32 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.144: +2 -1 lines
Diff to previous 1.144 (colored)

Try to send a DELETE message if the SA is reset with 'ikectl reset id'.
This way the peer can delete its SAs and eventually reestablish the
connection without having to wait for a timeout.

ok markus@

Revision 1.144 / (download) - annotate - [select for diffs], Sat Apr 11 20:14:11 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.143: +3 -1 lines
Diff to previous 1.143 (colored)

If we haven't received any IKE message from our partner for some
time, make sure to send a DPD packet to him so that we break up
the connection faster if it's dead.

ok patrick@

Revision 1.143 / (download) - annotate - [select for diffs], Fri Apr 10 20:58:32 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Revision 1.142 / (download) - annotate - [select for diffs], Thu Apr 9 19:55:19 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.141: +8 -1 lines
Diff to previous 1.141 (colored)

Simplify socket creation logic. Normally iked needs two sockets, one
for normal operation (UDP port 500) and one for NAT traversal (UDP 4500).
There are several command line options resulting in only one of the sockets
being created (-T, -t and -p).  Add a new 'enum natt_mode' to make the
logic for those somewhat less complicated as well as some comments where
it makes sense.

From Wataru Ashihara <wataash (at) wataash (dot) com>
ok patrick@

Revision 1.141 / (download) - annotate - [select for diffs], Wed Apr 8 20:04:19 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)

Prevent multiple ibuf leaks. Clean up on process shutdown.

ok markus@

Revision 1.140 / (download) - annotate - [select for diffs], Thu Apr 2 19:44:41 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.139: +2 -1 lines
Diff to previous 1.139 (colored)

Store USE_TRANSPORTMODE in iked_message until the full message was parsed
and set the corresponding iked_sa field in ikev2_handle_notifies() like it
is done for other NOTIFY payloads.

ok markus@

Revision 1.139 / (download) - annotate - [select for diffs], Wed Apr 1 21:09:26 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.138: +2 -2 lines
Diff to previous 1.138 (colored)

Properly handle multiple CERTREQ payloads in CA process.  Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.

ok markus@

Revision 1.138 / (download) - annotate - [select for diffs], Tue Mar 31 20:19:51 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.137: +2 -1 lines
Diff to previous 1.137 (colored)

Log summary of certificates in cert store when iked fails to find a
certificate for the policy's 'srcid'.

ok markus@

Revision 1.137 / (download) - annotate - [select for diffs], Tue Mar 24 19:14:53 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.136: +2 -1 lines
Diff to previous 1.136 (colored)

Add ikev2_print_static_id() to print static IDs in log_debug() output.

ok markus@

Revision 1.136 / (download) - annotate - [select for diffs], Tue Mar 10 18:54:52 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.135: +3 -2 lines
Diff to previous 1.135 (colored)

Relookup policy based on received cryptographic parameter proposal.
The IKEv2 responder does not know which policy is negotiated until
the ID payload is received in the IKE_AUTH exchange.
iked therefore chooses a default policy until the final policy is
selected. This change adds a policy relookup during the IKE_SA_INIT.
If the received proposal is not compatible with the default policy
we switch to the next highest ranked policy that is compatible
with the received proposal.

ok kn@ markus@

Revision 1.135 / (download) - annotate - [select for diffs], Sun Mar 1 19:17:58 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.134: +3 -3 lines
Diff to previous 1.134 (colored)

When the proposals are first matched the responder does
not yet know the initiator's ID and thus does not know which
policy applies.  The policy is later updated based on the
received ID payload.  Make sure the policy looked up during
IKE_AUTH is compatible with the negotiated proposal.

ok kn@

Revision 1.134 / (download) - annotate - [select for diffs], Fri Feb 21 15:17:34 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.133: +5 -1 lines
Diff to previous 1.133 (colored)

Add transport mode for child SAs. This is useful for GRE over IPsec and
similar settings to prevent double encapsulation.

ok kn@

Revision 1.133 / (download) - annotate - [select for diffs], Thu Feb 13 16:27:02 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.132: +3 -3 lines
Diff to previous 1.132 (colored)

Constify "buf" argument in print_hex and print_hexval.

ok patrick@

Revision 1.132 / (download) - annotate - [select for diffs], Thu Jan 16 20:05:00 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.131: +4 -1 lines
Diff to previous 1.131 (colored)

Add '-p' command line option which allows configuring
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@

Revision 1.131 / (download) - annotate - [select for diffs], Tue Jan 14 22:28:29 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.130: +1 -2 lines
Diff to previous 1.130 (colored)

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Revision 1.130 / (download) - annotate - [select for diffs], Tue Jan 7 15:08:28 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.129: +10 -10 lines
Diff to previous 1.129 (colored)

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Revision 1.129 / (download) - annotate - [select for diffs], Tue Dec 10 12:20:17 2019 UTC (4 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.128: +3 -1 lines
Diff to previous 1.128 (colored)

We can receive a delete and free an SA that is referenced in sa_nextr.
Remove references when deleting the SA, otherwise we trigger a
use-after-free.

ok markus@

Revision 1.128 / (download) - annotate - [select for diffs], Tue Dec 3 12:38:34 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.127: +13 -1 lines
Diff to previous 1.127 (colored)

Correctly represent flows as traffic selectors as described in RFC 7296. This
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.

ok patrick@

Revision 1.127 / (download) - annotate - [select for diffs], Sat Nov 30 15:44:07 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.126: +3 -1 lines
Diff to previous 1.126 (colored)

Log loaded SPIs and flows.

ok patrick@

Revision 1.126 / (download) - annotate - [select for diffs], Thu Nov 28 12:16:27 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.125: +26 -1 lines
Diff to previous 1.125 (colored)

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@

Revision 1.125 / (download) - annotate - [select for diffs], Wed Nov 13 12:24:40 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.124: +3 -1 lines
Diff to previous 1.124 (colored)

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@

Revision 1.124 / (download) - annotate - [select for diffs], Mon Nov 11 15:10:39 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.123: +7 -1 lines
Diff to previous 1.123 (colored)

Cleanup message retransmission handling with new helper functions.

ok patrick@

Revision 1.123 / (download) - annotate - [select for diffs], Wed Aug 14 08:35:46 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.122: +2 -1 lines
Diff to previous 1.122 (colored)

Fix NAT traversal detection bug when "local" option is not explicitly
set.

ok patrick@

Revision 1.122 / (download) - annotate - [select for diffs], Mon Aug 12 07:40:45 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.121: +6 -1 lines
Diff to previous 1.121 (colored)

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@

Revision 1.121 / (download) - annotate - [select for diffs], Sat May 11 16:30:23 2019 UTC (5 years ago) by patrick
Branch: MAIN
Changes since 1.120: +24 -1 lines
Diff to previous 1.120 (colored)

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@

Revision 1.120 / (download) - annotate - [select for diffs], Fri May 10 15:02:17 2019 UTC (5 years ago) by patrick
Branch: MAIN
Changes since 1.119: +3 -1 lines
Diff to previous 1.119 (colored)

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads.  Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@

Revision 1.119 / (download) - annotate - [select for diffs], Mon Aug 6 06:30:06 2018 UTC (5 years, 9 months ago) by mestre
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.118: +1 -2 lines
Diff to previous 1.118 (colored)

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets causes no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

OK kn@

Revision 1.118 / (download) - annotate - [select for diffs], Fri Mar 16 12:31:09 2018 UTC (6 years, 2 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.117: +4 -4 lines
Diff to previous 1.117 (colored)

Consistently spell "IPsec" in comments and debug outputs.

From Raf Czlonka, ok sthen@

Revision 1.117 / (download) - annotate - [select for diffs], Thu Nov 30 12:18:44 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.116: +2 -1 lines
Diff to previous 1.116 (colored)

Add support for rejecting IKE SA messages.  This means that we can reply
to IKE SA INIT messages with no proposal chosen, as we already do for
Child SAs.  For that the error "adding" is done in a new function shared
by both send error handlers.  We need two "send error" functions because
the init error is unencrypted, while all later ones are not.  Now we can
add more cases, like Child SA not found or that the DH group is not what
we expect.

Save the IKE SA INIT responses, even if it's an error message, so we can
retransmit it if the response is lost on the way back to the initiator
and he tries again.  This also helps mitigate DoS attacks as specified
in the RFC.  Only if it is indeed a new attempt, like after an INVALID
KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt
to create a new SA.

ok sthen@

Revision 1.116 / (download) - annotate - [select for diffs], Mon Nov 27 18:39:35 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.115: +17 -1 lines
Diff to previous 1.115 (colored)

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder.  In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake.  It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

Revision 1.115 / (download) - annotate - [select for diffs], Wed Apr 26 10:42:38 2017 UTC (7 years, 1 month ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.114: +2 -1 lines
Diff to previous 1.114 (colored)

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb

Revision 1.114 / (download) - annotate - [select for diffs], Thu Apr 13 07:04:09 2017 UTC (7 years, 1 month ago) by patrick
Branch: MAIN
Changes since 1.113: +5 -1 lines
Diff to previous 1.113 (colored)

Add a NAT-T keepalive timer in case we are behind a NAT gateway.

See RFC 5996, section 2.23, NAT Traversal:
  In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
  means that the system receiving the NAT_DETECTION_DESTINATION_IP
  payload is behind a NAT and that system SHOULD start sending
  keepalive packets as defined in [UDPENCAPS].

With markus@, ok reyk@

Revision 1.113 / (download) - annotate - [select for diffs], Mon Mar 27 17:17:49 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.112: +2 -2 lines
Diff to previous 1.112 (colored)

Don't cache the DH group in the policy

When tearing IKE SA down, the DH group referred by it is destroyed,
however it remains cached in the policy.  With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs.  So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.

With and OK reyk

Revision 1.112 / (download) - annotate - [select for diffs], Mon Mar 27 10:43:53 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.111: +4 -1 lines
Diff to previous 1.111 (colored)

Factor out flows into separate configuration messages

We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.

Suggested and OK reyk

Revision 1.111 / (download) - annotate - [select for diffs], Mon Mar 27 10:21:19 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.110: +2 -1 lines
Diff to previous 1.110 (colored)

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side.  Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection.  This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@

Revision 1.110 / (download) - annotate - [select for diffs], Mon Mar 27 10:06:41 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.109: +2 -1 lines
Diff to previous 1.109 (colored)

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Revision 1.109 / (download) - annotate - [select for diffs], Mon Mar 13 18:49:20 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.108: +3 -2 lines
Diff to previous 1.108 (colored)

Resolve simultaneous Child SA rekeying

From and OK markus, OK reyk

Revision 1.108 / (download) - annotate - [select for diffs], Mon Mar 13 18:48:16 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.107: +4 -2 lines
Diff to previous 1.107 (colored)

Resolve simultaneous IKE SA rekeying

From and OK markus, OK reyk

Revision 1.107 / (download) - annotate - [select for diffs], Mon Mar 13 18:28:02 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

Make sure that proposal contains a DH group when rekeying with PFS enabled

Via markus, OK mikeb@

Revision 1.106 / (download) - annotate - [select for diffs], Mon Mar 13 17:23:45 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.105: +2 -1 lines
Diff to previous 1.105 (colored)

Don't rekey acquired Child SAs

From and OK markus, OK reyk

Revision 1.105 / (download) - annotate - [select for diffs], Mon Mar 13 15:06:51 2017 UTC (7 years, 2 months ago) by patrick
Branch: MAIN
Changes since 1.104: +2 -1 lines
Diff to previous 1.104 (colored)

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP".  The latter is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too.  This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Revision 1.104 / (download) - annotate - [select for diffs], Mon Mar 13 14:57:55 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.103: +4 -2 lines
Diff to previous 1.103 (colored)

Fix and improve the IKE SA rekeying timeout, add a randomized jitter.

Diff from markus@ with a small tweak from me.

OK mikeb@ patrick@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Mar 13 14:33:33 2017 UTC (7 years, 2 months ago) by patrick
Branch: MAIN
Changes since 1.102: +2 -1 lines
Diff to previous 1.102 (colored)

flow_cmp() must compare the same flow-attributes as the kernel,
otherwise we never can keep the in-daemon and the in-kernel idea
of flows in sync and iked ends up deleting flows that are still
in use.  Make use of flow_cmp() and a new flow_equal() instead
of handcrafting the compare in an if.

ok markus@ reyk@

Revision 1.102 / (download) - annotate - [select for diffs], Fri Feb 3 08:23:46 2017 UTC (7 years, 3 months ago) by guenther
Branch: MAIN
Changes since 1.101: +2 -1 lines
Diff to previous 1.101 (colored)

Stop assuming that in_{addr,port}_t are typedefed in <sys/types.h> and
instead pull in <netinet/in.h> or <arpa/inet.h> when those are needed.

ok florian@ beck@ millert@

Revision 1.101 / (download) - annotate - [select for diffs], Fri Jan 20 14:10:05 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.100: +2 -2 lines
Diff to previous 1.100 (colored)

Constify the data argument for ibuf_new

From and OK markus@, OK reyk

Revision 1.100 / (download) - annotate - [select for diffs], Mon Jan 9 14:49:21 2017 UTC (7 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.99: +3 -2 lines
Diff to previous 1.99 (colored)

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

Revision 1.99 / (download) - annotate - [select for diffs], Tue Jan 3 17:51:38 2017 UTC (7 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.98: +8 -1 lines
Diff to previous 1.98 (colored)

Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.

OK mikeb@

Revision 1.98 / (download) - annotate - [select for diffs], Sun Sep 4 10:26:02 2016 UTC (7 years, 8 months ago) by vgross
Branch: MAIN
Changes since 1.97: +3 -1 lines
Diff to previous 1.97 (colored)

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@

Revision 1.97 / (download) - annotate - [select for diffs], Sat Sep 3 09:20:07 2016 UTC (7 years, 9 months ago) by vgross
Branch: MAIN
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored)

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

Revision 1.96 / (download) - annotate - [select for diffs], Wed Jun 1 11:16:41 2016 UTC (8 years ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.95: +7 -1 lines
Diff to previous 1.95 (colored)

Implement a second address pool specifically for IPv6, so that
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.

ok markus@ mikeb@

Revision 1.95 / (download) - annotate - [select for diffs], Mon Dec 7 12:46:37 2015 UTC (8 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.94: +7 -3 lines
Diff to previous 1.94 (colored)

Sync proc.c, use shorter proc_compose[v]()

Revision 1.94 / (download) - annotate - [select for diffs], Mon Nov 23 19:28:34 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.93: +1 -2 lines
Diff to previous 1.93 (colored)

Replace socket_set_blockmode() and fcntl(fd, F_SETFL, O_NONBLOCK) calls
with the SOCK_NONBLOCK flag to socket() and accept4().

OK claudio@ jung@

Revision 1.93 / (download) - annotate - [select for diffs], Sun Nov 22 13:27:13 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.92: +7 -4 lines
Diff to previous 1.92 (colored)

Update log.c: change fatal() and fatalx() into variadic functions,
include the process name, and replace all calls of fatal*(NULL) with
fatal(__func__) for better debugging.

OK benno@

Revision 1.92 / (download) - annotate - [select for diffs], Sat Nov 21 12:59:24 2015 UTC (8 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.91: +19 -9 lines
Diff to previous 1.91 (colored)

Move local logging functions to util.c (which is shared with ikectl),
sync log.c with relayd and httpd - all three daemons are using a copy
of the same file now.  Nevertheless, adding "extern int debug/verbose"
in util.c is not super nice but helps for now.  No functional change.

Revision 1.91 / (download) - annotate - [select for diffs], Thu Oct 22 15:55:18 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.90: +2 -1 lines
Diff to previous 1.90 (colored)

iked hereby pledges that it will run with restricted system
operations.  This adds pledge(2) to all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability.  There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing).  The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Revision 1.90 / (download) - annotate - [select for diffs], Mon Oct 19 11:25:35 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.89: +1 -4 lines
Diff to previous 1.89 (colored)

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1.  I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1.  It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Revision 1.89 / (download) - annotate - [select for diffs], Thu Oct 1 10:59:23 2015 UTC (8 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.88: +13 -11 lines
Diff to previous 1.88 (colored)

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out.  This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Revision 1.88 / (download) - annotate - [select for diffs], Fri Aug 21 11:59:27 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.87: +144 -143 lines
Diff to previous 1.87 (colored)

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Revision 1.87 / (download) - annotate - [select for diffs], Wed Aug 19 14:12:43 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)

spacing (no binary change, verified with checksums)

Revision 1.86 / (download) - annotate - [select for diffs], Tue Jul 7 19:13:31 2015 UTC (8 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.85: +4 -8 lines
Diff to previous 1.85 (colored)

repair policy-ikesa-linking by replacing the broken RB_TREE w/TAILQ
(e.g. the policy might be used-after-free on 'ikectl reconfig')
ok mikeb@

Revision 1.85 / (download) - annotate - [select for diffs], Thu Jun 11 18:49:09 2015 UTC (8 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.84: +4 -4 lines
Diff to previous 1.84 (colored)

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Revision 1.84 / (download) - annotate - [select for diffs], Thu Mar 26 19:52:35 2015 UTC (9 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.83: +3 -2 lines
Diff to previous 1.83 (colored)

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@

Revision 1.83 / (download) - annotate - [select for diffs], Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.82: +4 -3 lines
Diff to previous 1.82 (colored)

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.82 / (download) - annotate - [select for diffs], Mon Aug 18 09:43:02 2014 UTC (9 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.81: +2 -1 lines
Diff to previous 1.81 (colored)

Sync proc.c with httpd.  httpd needs SIGUSR1 but iked will ignore it
now instead of terminating the process.

ok mikeb@

Revision 1.81 / (download) - annotate - [select for diffs], Fri May 9 06:37:24 2014 UTC (10 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.80: +3 -7 lines
Diff to previous 1.80 (colored)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

Revision 1.80 / (download) - annotate - [select for diffs], Fri May 9 06:29:46 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.79: +3 -3 lines
Diff to previous 1.79 (colored)

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

Revision 1.79 / (download) - annotate - [select for diffs], Thu May 8 13:11:16 2014 UTC (10 years ago) by blambert
Branch: MAIN
Changes since 1.78: +5 -1 lines
Diff to previous 1.78 (colored)

match iked proc.c infrastructure with proc.c

ok reyk@

Revision 1.78 / (download) - annotate - [select for diffs], Wed May 7 12:57:13 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.77: +2 -1 lines
Diff to previous 1.77 (colored)

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@

Revision 1.77 / (download) - annotate - [select for diffs], Tue May 6 14:10:53 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.76: +21 -9 lines
Diff to previous 1.76 (colored)

change the create-child-sa responder code, so it does not store any
state in the ikesa structure. this way we can initiate a create-child-sa
and process requests for the peer at the same time. ok mikeb@

Revision 1.76 / (download) - annotate - [select for diffs], Tue May 6 10:24:22 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.75: +10 -6 lines
Diff to previous 1.75 (colored)

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

Revision 1.75 / (download) - annotate - [select for diffs], Tue May 6 07:24:37 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.74: +4 -2 lines
Diff to previous 1.74 (colored)

initial support for PFS; ok reyk@

Revision 1.74 / (download) - annotate - [select for diffs], Tue May 6 07:08:10 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.73: +1 -2 lines
Diff to previous 1.73 (colored)

retire IKED_REQ_DELETE and fix delete parsing; ok reyk@

Revision 1.73 / (download) - annotate - [select for diffs], Tue Apr 29 11:51:13 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.72: +9 -7 lines
Diff to previous 1.72 (colored)

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@

Revision 1.72 / (download) - annotate - [select for diffs], Tue Apr 22 12:00:03 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.71: +27 -9 lines
Diff to previous 1.71 (colored)

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

Revision 1.71 / (download) - annotate - [select for diffs], Thu Apr 10 16:08:02 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.70: +3 -3 lines
Diff to previous 1.70 (colored)

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@

Revision 1.70 / (download) - annotate - [select for diffs], Fri Feb 21 20:52:38 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.69: +5 -1 lines
Diff to previous 1.69 (colored)

support rekeying for IPCOMP; ok mikeb@

Revision 1.69 / (download) - annotate - [select for diffs], Mon Feb 17 15:53:46 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.68: +8 -1 lines
Diff to previous 1.68 (colored)

interpret 'config address net/prefix' as a pool of addresses and
randomly choose the address for CFG_REQUEST. this address will be used
to replace 0.0.0.0/32 in the specified flow. e.g.
> ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \
>     config address 192.168.10.200/24
will assign an address between 192.168.10.200 and 192.168.10.254
and replace 0.0.0.0 with this address.
ok mikeb@ on older version of this diff.

Revision 1.68 / (download) - annotate - [select for diffs], Mon Feb 17 15:07:23 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.67: +18 -1 lines
Diff to previous 1.67 (colored)

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Revision 1.67 / (download) - annotate - [select for diffs], Fri Feb 14 10:23:43 2014 UTC (10 years, 3 months ago) by benno
Branch: MAIN
Changes since 1.66: +1 -2 lines
Diff to previous 1.66 (colored)

remove unused function that distracts from cleaning up the imsg_flush() mess
ok krw, florian, henning

Revision 1.66 / (download) - annotate - [select for diffs], Fri Feb 14 09:00:03 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.65: +7 -1 lines
Diff to previous 1.65 (colored)

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

Revision 1.65 / (download) - annotate - [select for diffs], Fri Jan 24 07:31:25 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.64: +7 -7 lines
Diff to previous 1.64 (colored)

enable format-string checks for log_*(); ok mikeb

Revision 1.64 / (download) - annotate - [select for diffs], Fri Jan 24 05:58:52 2014 UTC (10 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.63: +4 -5 lines
Diff to previous 1.63 (colored)

use a bit saner timer api

Revision 1.63 / (download) - annotate - [select for diffs], Wed Jan 22 09:25:41 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.62: +4 -1 lines
Diff to previous 1.62 (colored)

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

Revision 1.62 / (download) - annotate - [select for diffs], Mon Dec 9 15:22:32 2013 UTC (10 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.61: +4 -3 lines
Diff to previous 1.61 (colored)

distinguish between sa_msgid not set and 0; otherwise we start
dropping messages if we usually are the initiator and the peer
initiates rekeying first.  ok mikeb@

Revision 1.61 / (download) - annotate - [select for diffs], Tue Dec 3 13:55:39 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.60: +3 -3 lines
Diff to previous 1.60 (colored)

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

Revision 1.60 / (download) - annotate - [select for diffs], Thu Nov 28 20:26:04 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.59: +3 -3 lines
Diff to previous 1.59 (colored)

document sa_msgid & sa_reqid; ok mikeb@

Revision 1.59 / (download) - annotate - [select for diffs], Thu Nov 28 20:21:17 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.58: +3 -1 lines
Diff to previous 1.58 (colored)

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

Revision 1.58 / (download) - annotate - [select for diffs], Thu Nov 21 17:46:17 2013 UTC (10 years, 6 months ago) by millert
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

Make the bit string u_char * in print_bits().  In practice we
shouldn't have chars > 127 in these but it is better not to assume
this.  OK deraadt@

Revision 1.57 / (download) - annotate - [select for diffs], Thu Nov 14 12:38:20 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)

pass caller to ca_sslerror for better error messages; ok mikeb

Revision 1.56 / (download) - annotate - [select for diffs], Tue Jan 8 10:38:19 2013 UTC (11 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.55: +2 -3 lines
Diff to previous 1.55 (colored)

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.55 / (download) - annotate - [select for diffs], Thu Nov 29 15:08:08 2012 UTC (11 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.54: +3 -1 lines
Diff to previous 1.54 (colored)

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows.  Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only.  This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Revision 1.54 / (download) - annotate - [select for diffs], Mon Oct 22 10:25:17 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.53: +6 -5 lines
Diff to previous 1.53 (colored)

Fix NAT-T support in iked, both on the initiator and the responder
side.  Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@

Revision 1.53 / (download) - annotate - [select for diffs], Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

update email addresses to match reality.
sure jsg@ mikeb@

Revision 1.52 / (download) - annotate - [select for diffs], Mon Jul 2 13:03:24 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.51: +4 -2 lines
Diff to previous 1.51 (colored)

Don't close IKE SA immediately after creating a new one when rekeying.
Instead set a timeout that will shut it down in case we don't get an SA
delete notification.

Revision 1.51 / (download) - annotate - [select for diffs], Fri Jun 29 15:05:49 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.50: +2 -1 lines
Diff to previous 1.50 (colored)

Add missing ESN bits

Revision 1.50 / (download) - annotate - [select for diffs], Tue Jun 26 11:00:28 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.49: +3 -2 lines
Diff to previous 1.49 (colored)

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.

Revision 1.49 / (download) - annotate - [select for diffs], Fri Jun 22 16:28:20 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.48: +32 -2 lines
Diff to previous 1.48 (colored)

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.

Revision 1.48 / (download) - annotate - [select for diffs], Fri Jun 22 16:06:31 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.47: +5 -3 lines
Diff to previous 1.47 (colored)

decouple timer initialization from timer_register

Revision 1.47 / (download) - annotate - [select for diffs], Wed May 30 16:17:20 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.46: +3 -2 lines
Diff to previous 1.46 (colored)

more timer changes

Revision 1.46 / (download) - annotate - [select for diffs], Wed May 30 09:18:13 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)

pass a file descriptor in the msg_fd instead of a function argument

Revision 1.45 / (download) - annotate - [select for diffs], Tue May 29 15:09:12 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.44: +15 -5 lines
Diff to previous 1.44 (colored)

improve timer framework; will be needed soon

Revision 1.44 / (download) - annotate - [select for diffs], Wed May 23 14:54:04 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

factor out proposal matching code from ikev2_sa_negotiate and eliminate
the protoid argument as a first step towards successful ah negotiation;
make code a bit more readable while here.

Revision 1.43 / (download) - annotate - [select for diffs], Tue May 8 15:37:09 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.42: +2 -1 lines
Diff to previous 1.42 (colored)

When setting up NAT-T notify payloads, make sure to supply an
actual source address so that a valid hash can be generated.
Fixes a bug introduced some time ago that prevented iked from
initiating if NAT-T wasn't disabled (via -T) and local address
wasn't specified.

Revision 1.42 / (download) - annotate - [select for diffs], Thu Apr 5 17:31:36 2012 UTC (12 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.41: +2 -1 lines
Diff to previous 1.41 (colored)

rate-limit accepting of new connections while we are experiencing
fd exhaustion.
ok mikeb

Revision 1.41 / (download) - annotate - [select for diffs], Mon May 9 11:15:18 2011 UTC (13 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.40: +18 -21 lines
Diff to previous 1.40 (colored)

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c.  this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Revision 1.40 / (download) - annotate - [select for diffs], Thu May 5 12:59:31 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)

Small tweak - add direct pointer to env instead of using an indirect one.

Revision 1.39 / (download) - annotate - [select for diffs], Thu May 5 12:55:52 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.38: +45 -37 lines
Diff to previous 1.38 (colored)

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

Revision 1.38 / (download) - annotate - [select for diffs], Thu May 5 12:17:10 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.37: +27 -26 lines
Diff to previous 1.37 (colored)

rename iked_proc* to privsep_proc*.  no functional change.

Revision 1.37 / (download) - annotate - [select for diffs], Mon May 2 12:39:18 2011 UTC (13 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.36: +3 -2 lines
Diff to previous 1.36 (colored)

store the peer address as it was specified in the policy in the
tree that is used to figure out whether the policy is active or
not.  makes active sa lookup via policy work for nat traversal.
problem was reported and fix was tested by sthen, ok sthen, reyk

Revision 1.36 / (download) - annotate - [select for diffs], Mon Apr 18 08:45:43 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.35: +7 -6 lines
Diff to previous 1.35 (colored)

When the kernel wants to acquire an SA for an unknown flow, lookup a
matching policy and init a new IKE SA.  This adds support for "acquire mode"
from static flows.

ok mikeb@

Revision 1.35 / (download) - annotate - [select for diffs], Fri Apr 15 13:10:49 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.34: +1 -2 lines
Diff to previous 1.34 (colored)

remove unused function ikev2_flows_delete()

Revision 1.34 / (download) - annotate - [select for diffs], Wed Jan 26 16:59:23 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.33: +11 -12 lines
Diff to previous 1.33 (colored)

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk).  instead
use require mode feature to send acquires from the kernel.  this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation.  also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa).   ok reyk

Revision 1.33 / (download) - annotate - [select for diffs], Fri Jan 21 17:01:33 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.32: +6 -1 lines
Diff to previous 1.32 (colored)

don't use memcmp on comparing two iked_addrs but IKED_ADDR_EQ.

ok mikeb@

Revision 1.32 / (download) - annotate - [select for diffs], Fri Jan 21 16:51:38 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.31: +1 -2 lines
Diff to previous 1.31 (colored)

- Fix traffic selector configuration so that it is always "from $localnet
to $peernet" and not depending on the initiator/responder mode.
- Remove the flow hash calculated but not used anymore.

ok mikeb@

Revision 1.31 / (download) - annotate - [select for diffs], Fri Jan 21 11:56:00 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.30: +27 -12 lines
Diff to previous 1.30 (colored)

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF.  The previous rbtree-based
implementation was broken and tried to do a longest prefix match.  But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation.  The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8).  See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code.  It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies).  This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@

Revision 1.30 / (download) - annotate - [select for diffs], Fri Jan 21 11:37:02 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.29: +4 -5 lines
Diff to previous 1.29 (colored)

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Revision 1.29 / (download) - annotate - [select for diffs], Mon Jan 17 18:49:35 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.28: +9 -3 lines
Diff to previous 1.28 (colored)

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer.  In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

Revision 1.28 / (download) - annotate - [select for diffs], Mon Jan 17 17:16:43 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.27: +3 -1 lines
Diff to previous 1.27 (colored)

move mask2prefixlen functions to the util module;  ok reyk

Revision 1.27 / (download) - annotate - [select for diffs], Wed Jan 12 14:35:45 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them;  ok reyk

Revision 1.26 / (download) - annotate - [select for diffs], Wed Jan 12 14:26:26 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.25: +3 -5 lines
Diff to previous 1.25 (colored)

decouple flow deletion from the ikev2_childsa_delete;  ok reyk

Revision 1.25 / (download) - annotate - [select for diffs], Wed Dec 22 17:53:54 2010 UTC (13 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c.  This will allow to link util.c
into ikectl later without all the other dependencies of print_id().

Revision 1.24 / (download) - annotate - [select for diffs], Wed Dec 22 17:43:10 2010 UTC (13 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.23: +14 -13 lines
Diff to previous 1.23 (colored)

split util.c into two files: imsg_util.c for ibuf/imsg stuff and util for
everything else.  we might need to include util.c in ikectl later.

sure mikeb@

Revision 1.23 / (download) - annotate - [select for diffs], Wed Dec 22 16:22:27 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.22: +36 -9 lines
Diff to previous 1.22 (colored)

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

Revision 1.22 / (download) - annotate - [select for diffs], Wed Dec 1 12:01:25 2010 UTC (13 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (colored)

Clarify the internal ibuf API: rename ibuf_copy() to ibuf_get() because
it returns a new buffer from the internal read offset like stdio get
functions do and not the same buffer when it is called multiple times.
Also rename the old ibuf_get() to ibuf_getdata() because it returns
a "special" data type and it matches the stdio get* conventions.

pointed out by mikeb@

Revision 1.21 / (download) - annotate - [select for diffs], Wed Nov 17 16:43:45 2010 UTC (13 years, 6 months ago) by ckuethe
Branch: MAIN
Changes since 1.20: +2 -1 lines
Diff to previous 1.20 (colored)

Allow the -D command line flag to actually define macros.
ok mikeb@ reyk@

Revision 1.20 / (download) - annotate - [select for diffs], Wed Sep 22 09:12:18 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.19: +3 -1 lines
Diff to previous 1.19 (colored)

support INVALID_KE_PAYLOAD notification sent by the responder in case
the initiator chose wrong D-H group.  in this case we throw away our
SA and start over with a proper group.

makes iked work as an initiator with strongswan/charon without any
specific "ikesa" (phase 1) configuration.

ok reyk

Revision 1.19 / (download) - annotate - [select for diffs], Thu Sep 9 13:06:46 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.18: +2 -1 lines
Diff to previous 1.18 (colored)

- allow esp proposals without integrity and ah proposals without
  encryption;

- add additional nonce length field, use that for the ciphers that
  require additional keying material;

- setup right flow direction depending on the mode: fixes up iked
  working as an initiator against charon.

tested by me and jsg.

ok reyk

Revision 1.18 / (download) - annotate - [select for diffs], Thu Jul 1 02:15:08 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jun 29 21:04:42 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
alternative to X.509 CA verification.  this will be needed to support public
key authentication like isakmpd does;  a few bits are still missing.

Revision 1.16 / (download) - annotate - [select for diffs], Sun Jun 27 05:49:05 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.15: +3 -3 lines
Diff to previous 1.15 (colored)

When a peer requests a certificate from the local gateway, we first
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.

requested by jsg@

Revision 1.15 / (download) - annotate - [select for diffs], Sun Jun 27 01:03:22 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.14: +6 -2 lines
Diff to previous 1.14 (colored)

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA.  This needs
more testing, but is the cleaner and better approach.

Revision 1.14 / (download) - annotate - [select for diffs], Sat Jun 26 19:54:19 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.13: +0 -2 lines
Diff to previous 1.13 (colored)

revert the files that have been accidentally committed with my
previous parse.y change.

Revision 1.13 / (download) - annotate - [select for diffs], Sat Jun 26 19:48:04 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.12: +3 -1 lines
Diff to previous 1.12 (colored)

mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch

Revision 1.12 / (download) - annotate - [select for diffs], Sat Jun 26 18:32:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.11: +4 -2 lines
Diff to previous 1.11 (colored)

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it.  In difference to isakmpd, the Id
type is printed in capital letters, e.g. FQDN/foo.example.com, because
it is using the existing print_map() API.  For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jun 14 23:14:09 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.10: +3 -2 lines
Diff to previous 1.10 (colored)

Initiator mode with certificates;  needs more work but works.

Revision 1.10 / (download) - annotate - [select for diffs], Mon Jun 14 21:12:56 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.9: +7 -3 lines
Diff to previous 1.9 (colored)

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup.  So it
is not quite production ready yet - but ready for simple tests...

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jun 14 14:03:15 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.8: +2 -3 lines
Diff to previous 1.8 (colored)

NAT detection again: make it work in initiator and responder mode

Revision 1.8 / (download) - annotate - [select for diffs], Mon Jun 14 11:33:55 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.7: +4 -1 lines
Diff to previous 1.7 (colored)

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 14 08:55:59 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

cleanup messages and parsed information correctly

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 14 08:10:32 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.5: +12 -2 lines
Diff to previous 1.5 (colored)

More code for initiator mode (not finished yet)

Revision 1.5 / (download) - annotate - [select for diffs], Fri Jun 11 12:47:18 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.4: +6 -1 lines
Diff to previous 1.4 (colored)

add some infrastructure to support timers and initiator mode later.

Revision 1.4 / (download) - annotate - [select for diffs], Thu Jun 10 14:08:37 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.3: +8 -1 lines
Diff to previous 1.3 (colored)

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8);  sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 10 12:06:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.2: +11 -1 lines
Diff to previous 1.2 (colored)

Add another tree to lookup policy SAs by peer address.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Jun 10 08:29:47 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.1: +64 -5 lines
Diff to previous 1.1 (colored)

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@
