Up to [local] / src / sbin / iked
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.135 / (download) - annotate - [select for diffs], Tue Apr 2 19:58:28 2024 UTC (2 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: HEAD
Changes since 1.134: +11 -5 lines
Diff to previous 1.134 (colored)
Add check to make sure EAP header length matches expected payload length. ok markus@ yasuoka@
Revision 1.134 / (download) - annotate - [select for diffs], Sat Mar 2 16:16:07 2024 UTC (3 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5
Changes since 1.133: +77 -1 lines
Diff to previous 1.133 (colored)
Trigger retransmission only for fragment 1/x, otherwise each received fragment can trigger retransmission of the full fragment queue. From RFC7383, 2.6.1: "[...] that even MUST only trigger a retransmission of the response message (fragmented or no) if the Fragment Number field in the received fragments is set to 1; otherwise, it MUST be ignored." from markus
Revision 1.133 / (download) - annotate - [select for diffs], Sat Sep 2 18:36:30 2023 UTC (9 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.132: +5 -1 lines
Diff to previous 1.132 (colored)
Make sure cert_type is not 0 to prevent leak of certid->id_buf. Found by David Linder ok patrick@
Revision 1.132 / (download) - annotate - [select for diffs], Fri Aug 4 19:06:25 2023 UTC (10 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.131: +4 -4 lines
Diff to previous 1.131 (colored)
Convert calls to ibuf_length() where it is clear that the ibuf is not NULL to ibuf_size(). In some cases it is clear that the ibuf pointer should just be checked for NULL since afterwards a new ibuf is allocated in its place. OK tb@
Revision 1.131 / (download) - annotate - [select for diffs], Wed Jun 28 14:10:24 2023 UTC (11 months, 2 weeks ago) by tobhe
Branch: MAIN
Changes since 1.130: +20 -4 lines
Diff to previous 1.130 (colored)
Add support to verify X509 chain from CERT payloads. Encode cert and intermediate CAs in new cert bundle object, so the information can be passed to the ca process in one step. Pass untrusted intermediates to X509_verify_cert(). From markus@
Revision 1.130 / (download) - annotate - [select for diffs], Wed Jun 14 14:09:29 2023 UTC (11 months, 4 weeks ago) by claudio
Branch: MAIN
Changes since 1.129: +38 -35 lines
Diff to previous 1.129 (colored)
Replace the last few print_host() calls with print_addr() ones. In most cases print_host(addr, buf, buflen) can be replaced with strlcpy(buf, print_addr(addr), buflen). Some code was never fully adjusted to the full power of print_host() and there are remnants of times well before print_host() supported multiple internal buffers. With and OK tb@
Revision 1.129 / (download) - annotate - [select for diffs], Tue Jun 6 16:09:35 2023 UTC (12 months ago) by claudio
Branch: MAIN
Changes since 1.128: +5 -3 lines
Diff to previous 1.128 (colored)
Use same pattern to work with offset by using a uint8_t pointer that is loaded with ibuf_data(). This is by no means better but allows to switch ibuf_data() to return void *. OK tb@
Revision 1.128 / (download) - annotate - [select for diffs], Tue May 23 13:12:19 2023 UTC (12 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.127: +12 -12 lines
Diff to previous 1.127 (colored)
Replace ibuf_release() with ibuf_free() since the former just calls the latter OK kn@ tb@
Revision 1.127 / (download) - annotate - [select for diffs], Tue Dec 6 09:07:33 2022 UTC (18 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3
Changes since 1.126: +2 -2 lines
Diff to previous 1.126 (colored)
Print size_t with %zu. ok patrick@
Revision 1.126 / (download) - annotate - [select for diffs], Sat Dec 3 21:02:27 2022 UTC (18 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.125: +2 -1 lines
Diff to previous 1.125 (colored)
Include endian.h where needed for betohXX functions.
Revision 1.125 / (download) - annotate - [select for diffs], Mon Sep 19 20:54:02 2022 UTC (20 months, 3 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE,
OPENBSD_7_2
Changes since 1.124: +15 -1 lines
Diff to previous 1.124 (colored)
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'. ok bluhm@ patrick@ from and ok markus@
Revision 1.124 / (download) - annotate - [select for diffs], Mon Jul 4 09:23:15 2022 UTC (23 months, 1 week ago) by tobhe
Branch: MAIN
Changes since 1.123: +3 -3 lines
Diff to previous 1.123 (colored)
Ignore any CERT payload after the first instead of failing the exchange when more than one is received. The first CERT is always the leaf certificate, additional payloads can be used to send intermediate certs which iked can not handle at the moment. This fixes exchanges where the certificate chain is still valid because matching intermediate certs are available locally in /etc/iked. Reported and tested by Loïc Revest <l.revest (at) apc.fr> ok mbuhl@
Revision 1.123 / (download) - annotate - [select for diffs], Mon Mar 14 12:58:55 2022 UTC (2 years, 2 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.122: +7 -1 lines
Diff to previous 1.122 (colored)
Improve retransmission of message fragments. RFC 7383 states that loss of a single fragment results in a retransmit of all fragments belonging to the same message. Instead of treating each fragment as message with seperate retransmit timer, keep only a single timer for all fragments of a message and retransmit all fragments in order on timeout. Improves reliability in case of packet loss when fragmentation is enabled. Found by and diff from Daniel Herzinger ok patrick@
Revision 1.122 / (download) - annotate - [select for diffs], Wed Dec 1 16:42:13 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.121: +6 -6 lines
Diff to previous 1.121 (colored)
whitespace cleanup during review read
Revision 1.121 / (download) - annotate - [select for diffs], Sat Nov 27 21:50:05 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.120: +2 -2 lines
Diff to previous 1.120 (colored)
Rename msg_id to msg_peerid now that we also have msg_localid. ok patrick@
Revision 1.120 / (download) - annotate - [select for diffs], Fri Nov 26 16:22:44 2021 UTC (2 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.119: +7 -4 lines
Diff to previous 1.119 (colored)
A peer sends both his local id and remote id he expects us to be. So far we have only looked at the peer's local id, so that we can find a policy with the matching dstid set. Hence dstid is involved in the decision making. While we do send out our local id, which the peer will use to verify his policies, we do not yet make a decision based on the id the peer expects us to have. If you have two policies configured with only srcid set, we will always pick the same. To be able to choose a policy that matches the peer's expectations, save the local id the peer expects us to have and use it during policy lookup. ok tobhe@
Revision 1.119 / (download) - annotate - [select for diffs], Fri Nov 12 14:18:54 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.118: +25 -21 lines
Diff to previous 1.118 (colored)
Refactor order of checks when handling IKEv2 message fragments. Only modify SA after sucessful ikev2_msg_decrypt(). ok patrick@
Revision 1.118 / (download) - annotate - [select for diffs], Wed Sep 1 15:30:06 2021 UTC (2 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_7_0
Changes since 1.117: +55 -10 lines
Diff to previous 1.117 (colored)
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection. Automatic name server configuration is enabled by default for policies using the 'iface' option. discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
Revision 1.117 / (download) - annotate - [select for diffs], Fri Feb 19 21:52:53 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE,
OPENBSD_6_9
Changes since 1.116: +5 -2 lines
Diff to previous 1.116 (colored)
Fail on duplicate nonce payload. ok patrick@
Revision 1.116 / (download) - annotate - [select for diffs], Thu Feb 18 21:39:36 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.115: +1 -2 lines
Diff to previous 1.115 (colored)
Remove redundant ibuf_release. msg_ke is always NULL because of the duplicate check above.
Revision 1.115 / (download) - annotate - [select for diffs], Tue Feb 16 21:07:43 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.114: +5 -1 lines
Diff to previous 1.114 (colored)
Fail on duplicate KE payload. ok patrick@
Revision 1.114 / (download) - annotate - [select for diffs], Wed Nov 25 22:17:14 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.113: +27 -9 lines
Diff to previous 1.113 (colored)
Fix proposal error handling. If a proposal contains an unknown transform type or id, ignore the proposal instead of failing the exchange. ok patrick@
Revision 1.113 / (download) - annotate - [select for diffs], Mon Nov 23 19:20:08 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.112: +9 -5 lines
Diff to previous 1.112 (colored)
Ignore duplicate sigsha2 notify, don't fail the exchange.
Revision 1.112 / (download) - annotate - [select for diffs], Sun Nov 22 17:47:50 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.111: +2 -2 lines
Diff to previous 1.111 (colored)
Fix comment typo.
Revision 1.111 / (download) - annotate - [select for diffs], Sat Nov 21 19:23:53 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.110: +3 -2 lines
Diff to previous 1.110 (colored)
Clean up NATT hack. Pass 'frompeer' as parameter instead of manipulating msg header to get the correct addresses and spis. ok patrick@
Revision 1.110 / (download) - annotate - [select for diffs], Thu Nov 19 15:00:43 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.109: +13 -11 lines
Diff to previous 1.109 (colored)
More sa cleanup + constify. ok patrick@
Revision 1.109 / (download) - annotate - [select for diffs], Wed Nov 18 22:24:03 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored)
Constify sa in ikev2_pld_eap(). The parser code must not change any sa or policy state, this should help make it clearer. ok patrick@
Revision 1.108 / (download) - annotate - [select for diffs], Thu Oct 29 21:49:58 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.107: +70 -1 lines
Diff to previous 1.107 (colored)
Add initial support to request IP addresses as IKEv2 initiator. At the moment the address is only negotiated and printed to the log. If 'request addr 0.0.0.0' is configured, any address will be accepted. ok patrick@
Revision 1.107 / (download) - annotate - [select for diffs], Sat Oct 24 20:27:59 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.106: +2 -4 lines
Diff to previous 1.106 (colored)
Don't modify sa in ikev2_pld_cp. Store cp_type in msg until message has passed all checks. ok patrick@
Revision 1.106 / (download) - annotate - [select for diffs], Thu Oct 22 17:11:27 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.105: +1 -6 lines
Diff to previous 1.105 (colored)
Handle NO_PROPOSAL_CHOSEN for initiator in IKE_SA_INIT exchange. This NOTIFY payload is not encryted, remove check. ok patrick@
Revision 1.105 / (download) - annotate - [select for diffs], Thu Oct 22 17:06:09 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.104: +2 -1 lines
Diff to previous 1.104 (colored)
Add missing break. ok patrick@
Revision 1.104 / (download) - annotate - [select for diffs], Mon Oct 19 17:02:57 2020 UTC (3 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.103: +8 -1 lines
Diff to previous 1.103 (colored)
Handle NO_PROPOSAL_CHOSEN as IKE_AUTH initiator. ok markus@
Revision 1.103 / (download) - annotate - [select for diffs], Fri Oct 9 08:59:16 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.102: +1 -2 lines
Diff to previous 1.102 (colored)
More unused headers.
Revision 1.102 / (download) - annotate - [select for diffs], Fri Oct 9 08:54:24 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.101: +1 -2 lines
Diff to previous 1.101 (colored)
Remove unused "wait.h" includes.
Revision 1.101 / (download) - annotate - [select for diffs], Sat Oct 3 20:23:08 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.100: +24 -152 lines
Diff to previous 1.100 (colored)
React to DELETE notifications only in INFORMATIONAL messages and move the logic closer to the other INFORMATIONAL payloads. Add some more sanity checks while we're at it. ok patrick@
Revision 1.100 / (download) - annotate - [select for diffs], Thu Oct 1 18:38:49 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.99: +4 -3 lines
Diff to previous 1.99 (colored)
Skip DELETE payload responses only after they are validated. ok patrick@
Revision 1.99 / (download) - annotate - [select for diffs], Wed Sep 30 16:59:09 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.98: +7 -1 lines
Diff to previous 1.98 (colored)
Don't accept AUTH payloads with invalid auth_method 0. Fixes duplicate AUTH payload detection. ok patrick@
Revision 1.98 / (download) - annotate - [select for diffs], Wed Sep 30 16:55:16 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.97: +7 -1 lines
Diff to previous 1.97 (colored)
Don't accept ID payloads with ID type IKEV2_ID_NONE. 0 is not a valid type and triggers undesired edge cases. ok patrick@
Revision 1.97 / (download) - annotate - [select for diffs], Tue Sep 29 14:51:40 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.96: +8 -2 lines
Diff to previous 1.96 (colored)
Check ibuf_seek() return value. ok patrick@
Revision 1.96 / (download) - annotate - [select for diffs], Mon Sep 21 20:13:49 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE,
OPENBSD_6_8
Changes since 1.95: +5 -2 lines
Diff to previous 1.95 (colored)
Fix reassembly of out-of-order fragments. Always take the nextpld field from the IKE header of fragment #1, not the first received fragment. ok patrick@
Revision 1.95 / (download) - annotate - [select for diffs], Wed Sep 16 21:37:35 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
Changes since 1.94: +3 -2 lines
Diff to previous 1.94 (colored)
Move all the EAP logic from a single branch in the message parsing code to somewhere past successful message verification, closer to where the other exchanges are handled. EAP is stll special, but this fits a lot better into the overall architecture. Tested with iOS, Stronswan and Windows ok patrick@ sthen@
Revision 1.94 / (download) - annotate - [select for diffs], Thu Aug 20 19:28:01 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.93: +39 -40 lines
Diff to previous 1.93 (colored)
Remove redundant variable.
Revision 1.93 / (download) - annotate - [select for diffs], Wed Aug 19 19:09:26 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.92: +126 -73 lines
Diff to previous 1.92 (colored)
Restructure traffic selector payload parsing. Add additional size and sanity checks. Feedback and ok patrick@
Revision 1.92 / (download) - annotate - [select for diffs], Sun Aug 16 09:09:17 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.91: +4 -5 lines
Diff to previous 1.91 (colored)
Clean up unused parameters.
Revision 1.91 / (download) - annotate - [select for diffs], Tue Aug 11 20:51:06 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored)
Prioritize incoming certificate requests by the order of CERTEQ payloads in the received message. ok patrick@
Revision 1.90 / (download) - annotate - [select for diffs], Mon Aug 10 19:35:39 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.89: +2 -2 lines
Diff to previous 1.89 (colored)
Reduce log spam.
Revision 1.89 / (download) - annotate - [select for diffs], Mon Aug 10 19:33:58 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.88: +7 -7 lines
Diff to previous 1.88 (colored)
Remove unused argument. ok patrick@
Revision 1.88 / (download) - annotate - [select for diffs], Tue Jul 21 08:03:39 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.87: +9 -1 lines
Diff to previous 1.87 (colored)
Handle TEMPORARY_FAILURE notification on IKESA rekeying. If we rekey both the IKESA and an CHILDSA in a small time window a strongswan peer might reposend with a TEMPORARY_FAILURE notification. In this case we retry the rekey of the IKESA after a short timeout and queue PFKEY expire messages (by returning -1 in ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed. ok markus@
Revision 1.87 / (download) - annotate - [select for diffs], Tue Jun 9 21:53:26 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.86: +1 -6 lines
Diff to previous 1.86 (colored)
Move AUTH_REQUEST SA state change from parser to IKE_AUTH exchange handler. ok patrick@
Revision 1.86 / (download) - annotate - [select for diffs], Mon May 11 20:11:35 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.85: +7 -5 lines
Diff to previous 1.85 (colored)
Fix policy lookup edge case for simultaneous transport and tunnel mode SAs. Only the initiator can use 'msg_policy' to determine if the policy is supposed to be transport mode, the responder has to check for a received USE_TRANSPORT notify to find a matching policy during the lookup. ok markus@
Revision 1.85 / (download) - annotate - [select for diffs], Mon Apr 27 19:28:13 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE,
OPENBSD_6_7
Changes since 1.84: +5 -4 lines
Diff to previous 1.84 (colored)
Log with SPI_SA().
Revision 1.84 / (download) - annotate - [select for diffs], Sat Apr 18 19:47:45 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)
SPI_SA(sa, NULL) already prints a colon.
Revision 1.83 / (download) - annotate - [select for diffs], Thu Apr 16 19:28:22 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.82: +15 -4 lines
Diff to previous 1.82 (colored)
Print SPI value of deleted SA. ok markus@
Revision 1.82 / (download) - annotate - [select for diffs], Sat Apr 11 21:11:22 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.81: +2 -2 lines
Diff to previous 1.81 (colored)
DELETE payloads are common. Log with log_info instead of log_warnx.
Revision 1.81 / (download) - annotate - [select for diffs], Wed Apr 8 20:04:19 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.80: +4 -1 lines
Diff to previous 1.80 (colored)
Prevent multiple ibuf leaks. Clean up on proccess shutdown. ok markus@
Revision 1.80 / (download) - annotate - [select for diffs], Thu Apr 2 19:44:41 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored)
Store USE_TRANSPORTMODE in iked_message until the full message was parsed and set the corresponding iked_sa field in ikev2_handle_notifies() like it is done for other NOTIFY payloads. ok markus@
Revision 1.79 / (download) - annotate - [select for diffs], Mon Mar 16 09:13:01 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.78: +6 -2 lines
Diff to previous 1.78 (colored)
Handle allocation failure in reallocarry. Print errors with log_info. Reported by Hiltjo Posthuma <hiltjo (at) codemadness (dot) org> ok patrick@
Revision 1.78 / (download) - annotate - [select for diffs], Tue Mar 10 10:07:46 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.77: +2 -1 lines
Diff to previous 1.77 (colored)
Fix memory leak of 'cr' if allocation of 'cr->data' fails. ok markus@
Revision 1.77 / (download) - annotate - [select for diffs], Fri Feb 21 15:17:34 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.76: +19 -1 lines
Diff to previous 1.76 (colored)
Add transport mode for child SAs. This is useful for GRE over IPsec and similar settings to prevent double encapsulation. ok kn@
Revision 1.76 / (download) - annotate - [select for diffs], Thu Nov 28 12:16:28 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.75: +52 -86 lines
Diff to previous 1.75 (colored)
Move Notify and Certreq payload handlers after the parser. Modify SA state only when the full message was parsed successfully. ok patrick@, "that's working for me" - sthen@
Revision 1.75 / (download) - annotate - [select for diffs], Wed Nov 13 12:24:40 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.74: +3 -1 lines
Diff to previous 1.74 (colored)
Log reason whenever a child SA is freed. This makes it easier to distinguish "valid" reasons to close an SA, such as rekeying, from errors. ok sthen@
Revision 1.74 / (download) - annotate - [select for diffs], Sat Aug 24 13:09:38 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.73: +10 -1 lines
Diff to previous 1.73 (colored)
Fix conflict when IKE SA and Child SA rekeying happen at the same time. If the IKE SA changes during an ongoing rekey exchange, messages may be lost because they were inteded for the old SA. An iked instance that is waiting for a rekey Child SA response will no longer reply to IKE SA rekey requests until the ongoing Child SA exchange has completed or timed out. ok sthen@
Revision 1.73 / (download) - annotate - [select for diffs], Wed Aug 14 08:35:46 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.72: +5 -11 lines
Diff to previous 1.72 (colored)
Fix NAT traversal detection bug when "local" option is not explicitly set. ok patrick@
Revision 1.72 / (download) - annotate - [select for diffs], Mon Aug 12 07:40:45 2019 UTC (4 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.71: +2 -2 lines
Diff to previous 1.71 (colored)
Prepend SPI to send and recv log messages to see which line belongs to which SA. Use IKE specific terms peer and local instead of to and from. ok reyk@ patrick@
Revision 1.71 / (download) - annotate - [select for diffs], Sat May 11 16:30:23 2019 UTC (5 years, 1 month ago) by patrick
Branch: MAIN
Changes since 1.70: +194 -3 lines
Diff to previous 1.70 (colored)
Add support for IKEv2 Message Fragmentation as defined in RFC 7383. ok sthen@
Revision 1.70 / (download) - annotate - [select for diffs], Thu Mar 22 21:11:49 2018 UTC (6 years, 2 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5,
OPENBSD_6_4_BASE,
OPENBSD_6_4,
OPENBSD_6_3_BASE,
OPENBSD_6_3
Changes since 1.69: +61 -23 lines
Diff to previous 1.69 (colored)
The iked(8) fuzzer did not fuzz encrypted payloads. With that changed the regression test uncovered code paths in the TS and CP payload parser that can trigger access to invalid memory locations. This changes the TS and CP payload parsing to add additional length checks. With hshoexer@ and markus@; OK sthen@
Revision 1.69 / (download) - annotate - [select for diffs], Thu Dec 7 22:47:28 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.68: +79 -81 lines
Diff to previous 1.68 (colored)
Change the SA payload parser to parse more than the first proposal. This allows us to select one of the peer's proposals (and not only the first). ok sthen@ hshoexer@
Revision 1.68 / (download) - annotate - [select for diffs], Mon Dec 4 17:22:39 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.67: +1 -6 lines
Diff to previous 1.67 (colored)
Remove duplicate check that never could execute because the exact same condition is handled a line before.
Revision 1.67 / (download) - annotate - [select for diffs], Mon Dec 4 17:03:43 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.66: +11 -11 lines
Diff to previous 1.66 (colored)
Consistently log "malformed payload" instead of "payload malformed", and replace "minimal" with "minimum".
Revision 1.66 / (download) - annotate - [select for diffs], Mon Dec 4 16:57:40 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.65: +1 -11 lines
Diff to previous 1.65 (colored)
Remove check that is now a duplicate due to recent refactoring.
Revision 1.65 / (download) - annotate - [select for diffs], Mon Dec 4 16:52:16 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.64: +64 -212 lines
Diff to previous 1.64 (colored)
The payloads are layered like onions, so you can validate one layer and then call the next one, which can then validate itself. Thing is, most layers try to run validations on the upper layer, which is not useful and rather confusing. This cleans it up. First change is that the generic payload parser does not anymore pass the length of the whole datagram, including all remaining payloads, but passes only the length of the specific payload to the specific payload parser. Second change is that the payload validators don't check the length of the upper layer, but only verify their own lengths. Diff discussed with hshoexer@ and sthen@ Tested by sthen@
Revision 1.64 / (download) - annotate - [select for diffs], Thu Nov 30 12:18:44 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.63: +2 -1 lines
Diff to previous 1.63 (colored)
Add support for rejecting IKE SA messages. This means that we can reply to IKE SA INIT messages with no proposal chosen, as we already do for Child SAs. For that the error "adding" is done in a new function shared by both send error handlers. We need two "send error" functions because the init error is unencrypted, while all later ones are not. Now we can add more cases, like Child SA not found or that the DH group is not what we expect. Save the IKE SA INIT responses, even if it's an error message, so we can retransmit it if the response is lost on the way back to the initiator and he tries again. This also helps mitigate DoS attacks as specified in the RFC. Only if it is indeed a new attempt, like after an INVALID KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt to create a new SA. ok sthen@
Revision 1.63 / (download) - annotate - [select for diffs], Mon Nov 27 18:39:35 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.62: +63 -1 lines
Diff to previous 1.62 (colored)
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all. ok sthen@ tweaks from jmc@ tested by a handful
Revision 1.62 / (download) - annotate - [select for diffs], Thu Apr 13 07:04:09 2017 UTC (7 years, 2 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE,
OPENBSD_6_2
Changes since 1.61: +4 -1 lines
Diff to previous 1.61 (colored)
Add a NAT-T keepalive timer in case we are behind a NAT gateway. See RFC 5996, section 2.23, NAT Traversal: In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it means that the system receiving the NAT_DETECTION_DESTINATION_IP payload is behind a NAT and that system SHOULD start sending keepalive packets as defined in [UDPENCAPS]. With markus@, ok reyk@
Revision 1.61 / (download) - annotate - [select for diffs], Mon Mar 27 17:17:49 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE,
OPENBSD_6_1
Changes since 1.60: +5 -5 lines
Diff to previous 1.60 (colored)
Don't cache the DH group in the policy When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified. With and OK reyk
Revision 1.60 / (download) - annotate - [select for diffs], Mon Mar 27 10:21:19 2017 UTC (7 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.59: +22 -1 lines
Diff to previous 1.59 (colored)
Add support to reflect the responder IKEv2 COOKIE. This fixes connecting to Azure VPN and other implementations that implement the IKEv2 COOKIE mechanism on the responder side. Azure decides to send you a responder COOKIE after too many connection attempts - we have to keep it and reflect it to establish a connection. This implementation is only for the initiator (client) side, we do not support sending COOKIEs on the responder (server) side yet. OK patrick@ mikeb@
Revision 1.59 / (download) - annotate - [select for diffs], Mon Mar 13 18:48:16 2017 UTC (7 years, 3 months ago) by mikeb
Branch: MAIN
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored)
Resolve simultaneous IKE SA rekeying From and OK markus, OK reyk
Revision 1.58 / (download) - annotate - [select for diffs], Mon Mar 13 14:50:52 2017 UTC (7 years, 3 months ago) by mikeb
Branch: MAIN
Changes since 1.57: +31 -1 lines
Diff to previous 1.57 (colored)
Improve reporting of authentication errors From and OK markus, OK reyk
Revision 1.57 / (download) - annotate - [select for diffs], Fri Jan 20 13:49:48 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.56: +3 -1 lines
Diff to previous 1.56 (colored)
Include only found SPIs into the PAYLOAD_DELETE message From and OK markus@, OK reyk
Revision 1.56 / (download) - annotate - [select for diffs], Fri Jan 20 13:47:17 2017 UTC (7 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.55: +2 -2 lines
Diff to previous 1.55 (colored)
Minor formatting fix From and OK markus@, OK reyk
Revision 1.55 / (download) - annotate - [select for diffs], Thu Oct 15 18:40:38 2015 UTC (8 years, 7 months ago) by mmcc
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.54: +3 -5 lines
Diff to previous 1.54 (colored)
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero(). ok mikeb@
Revision 1.54 / (download) - annotate - [select for diffs], Thu Oct 1 13:57:29 2015 UTC (8 years, 8 months ago) by sthen
Branch: MAIN
Changes since 1.53: +4 -2 lines
Diff to previous 1.53 (colored)
Don't reject an "empty" CERTREQ (one with no CA hashes), instead treat it as if no CERTREQ were received. In conjunction with the previous iOS9 interop fix, this may fix an interop problem seen by Denis Lapshin with BlackBerry OS 10.3.1 and one of a number with firebrick.co.uk's IKEv2 implementation diagnosed by their developer Cliff Hones. ok reyk@
Revision 1.53 / (download) - annotate - [select for diffs], Thu Oct 1 10:59:23 2015 UTC (8 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)
Fix interoperability with Apple iOS9: If we don't get a (valid) CERTREQ but a CERT, respond with a local CERT that was selected based on our own policy instead of leaving it out. This seems to be valid with the RFC that makes the CERTREQ optional and allows to ignore it or to apply an own policy. OK mikeb@ sthen@
Revision 1.52 / (download) - annotate - [select for diffs], Fri Aug 21 11:59:27 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.51: +59 -59 lines
Diff to previous 1.51 (colored)
Switch iked to C99-style fixed-width integer types. OK mikeb@
Revision 1.51 / (download) - annotate - [select for diffs], Wed Aug 19 14:12:43 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.50: +5 -2 lines
Diff to previous 1.50 (colored)
spacing (no binary change, verified with checksums)
Revision 1.50 / (download) - annotate - [select for diffs], Thu Mar 26 19:52:35 2015 UTC (9 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8
Changes since 1.49: +32 -1 lines
Diff to previous 1.49 (colored)
initial support for RFC 7427 signatures, so we are no longer restricted to SHA1 for RSA signatures. ok mikeb@
Revision 1.49 / (download) - annotate - [select for diffs], Fri Feb 6 10:39:01 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.48: +1 -2 lines
Diff to previous 1.48 (colored)
unneeded getopt.h
Revision 1.48 / (download) - annotate - [select for diffs], Mon Jan 19 14:42:42 2015 UTC (9 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.47: +1 -2 lines
Diff to previous 1.47 (colored)
Remove unnecessary <netinet/ip_ipsp.h> includes
Revision 1.47 / (download) - annotate - [select for diffs], Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.46: +1 -2 lines
Diff to previous 1.46 (colored)
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
Revision 1.46 / (download) - annotate - [select for diffs], Fri Nov 7 14:05:58 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.45: +4 -4 lines
Diff to previous 1.45 (colored)
Run eap_parse on the actual message and only when the length is right
Revision 1.45 / (download) - annotate - [select for diffs], Tue May 6 10:24:22 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6
Changes since 1.44: +7 -3 lines
Diff to previous 1.44 (colored)
initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey events while we are busy initiating child-SAs; ok mikeb@
Revision 1.44 / (download) - annotate - [select for diffs], Tue May 6 09:21:50 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.43: +3 -3 lines
Diff to previous 1.43 (colored)
don't sa_free() in the receive path (prevents use-after-free); ok mikeb@
Revision 1.43 / (download) - annotate - [select for diffs], Tue May 6 07:45:17 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.42: +21 -1 lines
Diff to previous 1.42 (colored)
make sure some notify payloads are encrypted; ok mikeb@
Revision 1.42 / (download) - annotate - [select for diffs], Tue May 6 07:24:37 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.41: +3 -1 lines
Diff to previous 1.41 (colored)
initial support for PFS; ok reyk@
Revision 1.41 / (download) - annotate - [select for diffs], Mon May 5 15:21:20 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.40: +7 -1 lines
Diff to previous 1.40 (colored)
validate the attribute length, too; from hshoexer; ok mikeb
Revision 1.40 / (download) - annotate - [select for diffs], Mon Apr 28 11:21:02 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.39: +3 -3 lines
Diff to previous 1.39 (colored)
spacing
Revision 1.39 / (download) - annotate - [select for diffs], Thu Apr 10 16:08:02 2014 UTC (10 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.38: +705 -148 lines
Diff to previous 1.38 (colored)
Add validation routines to ikev2_pld.c: For each payload type overall header structure is checked for sanity before copying the header. Always pass down the number of remaining bytes in the payload or substructure so we can always ensure to not go beyond actual data. Also remove the quick parsing step as it does not provide a real benefit anymore. From Hans-Joerg Hoexer ok mikeb@ markus@
Revision 1.38 / (download) - annotate - [select for diffs], Mon Feb 17 11:00:14 2014 UTC (10 years, 3 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE,
OPENBSD_5_5
Changes since 1.37: +9 -9 lines
Diff to previous 1.37 (colored)
Fix compiler warnings in the format strings: use %zd for ssize_t and %zu for size_t. From Andre de Oliveira With input and OK from blambert@ markus@
Revision 1.37 / (download) - annotate - [select for diffs], Fri Feb 14 09:00:03 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.36: +20 -1 lines
Diff to previous 1.36 (colored)
initial support for IPComp still experimental and rekeying needs some work; ok mikeb@
Revision 1.36 / (download) - annotate - [select for diffs], Wed Feb 12 12:59:44 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.35: +3 -3 lines
Diff to previous 1.35 (colored)
make sure to set the msg_responded flag on the original message; ok mikeb@
Revision 1.35 / (download) - annotate - [select for diffs], Fri Jan 24 05:58:52 2014 UTC (10 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.34: +3 -4 lines
Diff to previous 1.34 (colored)
use a bit saner timer api
Revision 1.34 / (download) - annotate - [select for diffs], Wed Jan 22 09:25:41 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.33: +3 -1 lines
Diff to previous 1.33 (colored)
implement DPD similar to isakmpd, but only send DPD-messages 'on-demand' (less aggressive, only if the ESP-SAs are actually used); feedback & ok mikeb@
Revision 1.33 / (download) - annotate - [select for diffs], Tue Dec 3 13:55:39 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.32: +5 -5 lines
Diff to previous 1.32 (colored)
never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@
Revision 1.32 / (download) - annotate - [select for diffs], Thu Nov 28 20:21:17 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.31: +14 -6 lines
Diff to previous 1.31 (colored)
support raw pubkey authentication w/o x509 certificates; mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@
Revision 1.31 / (download) - annotate - [select for diffs], Thu Mar 21 04:30:14 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE,
OPENBSD_5_4
Changes since 1.30: +1 -2 lines
Diff to previous 1.30 (colored)
remove excessive includes
Revision 1.30 / (download) - annotate - [select for diffs], Tue Jan 8 10:38:19 2013 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE,
OPENBSD_5_3
Changes since 1.29: +2 -3 lines
Diff to previous 1.29 (colored)
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
Revision 1.29 / (download) - annotate - [select for diffs], Sat Dec 15 23:12:21 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.28: +3 -5 lines
Diff to previous 1.28 (colored)
Don't dereference NULL pointers (and some cleanup here).
Revision 1.28 / (download) - annotate - [select for diffs], Mon Oct 22 10:25:17 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500. Tested by mikeb@ and me ok mikeb@
Revision 1.27 / (download) - annotate - [select for diffs], Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)
update email addresses to match reality. sure jsg@ mikeb@
Revision 1.26 / (download) - annotate - [select for diffs], Fri Jun 22 16:06:31 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE,
OPENBSD_5_2
Changes since 1.25: +4 -3 lines
Diff to previous 1.25 (colored)
decouple timer initialization from timer_register
Revision 1.25 / (download) - annotate - [select for diffs], Wed May 30 16:17:20 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)
more timer changes
Revision 1.24 / (download) - annotate - [select for diffs], Tue May 29 15:09:12 2012 UTC (12 years ago) by mikeb
Branch: MAIN
Changes since 1.23: +3 -2 lines
Diff to previous 1.23 (colored)
improve timer framework; will be needed soon
Revision 1.23 / (download) - annotate - [select for diffs], Mon May 7 10:58:38 2012 UTC (12 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.22: +3 -3 lines
Diff to previous 1.22 (colored)
Sync up several defines with RFC 5996. IANA has changed the existing IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).
Revision 1.22 / (download) - annotate - [select for diffs], Sat Mar 24 00:40:25 2012 UTC (12 years, 2 months ago) by jsg
Branch: MAIN
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)
fix some leaks ok mikeb@
Revision 1.21 / (download) - annotate - [select for diffs], Wed Jan 26 16:59:24 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE,
OPENBSD_5_1,
OPENBSD_5_0_BASE,
OPENBSD_5_0,
OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.20: +3 -5 lines
Diff to previous 1.20 (colored)
get rid of acquire flows completely, as they tend to pass traffic when there's no sa established (as pointed out by reyk). instead use require mode feature to send acquires from the kernel. this allows us to get rid of the code that changes flow mode to acquire and keep all installed flows in the tree and save up on some code that deals with renegotiation. also several entities were renamed (iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas, ikev2_acquire -> ikev2_acquire_sa). ok reyk
Revision 1.20 / (download) - annotate - [select for diffs], Mon Jan 17 18:49:35 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.19: +6 -2 lines
Diff to previous 1.19 (colored)
Add initial acquire mode support and use it whenever Windows peers decide to drop Child SA based on the inactivity timer. In this case we instruct the kernel to send us an acquire message upon receiving a packet for those hosts and initiate a Child SA creation exchange ourselves. ok reyk
Revision 1.19 / (download) - annotate - [select for diffs], Wed Jan 12 14:26:26 2011 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.18: +5 -3 lines
Diff to previous 1.18 (colored)
decouple flow deletion from the ikev2_childsa_delete; ok reyk
Revision 1.18 / (download) - annotate - [select for diffs], Wed Dec 22 17:53:54 2010 UTC (13 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)
move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because it is too specific to be in util.c. This will allow to link util.c into ikectl later without all the other dependencies of pritn_id().
Revision 1.17 / (download) - annotate - [select for diffs], Wed Dec 22 16:22:27 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.16: +104 -58 lines
Diff to previous 1.16 (colored)
child sa rekeying revamp plus numerous bugfixes; with suggestions and OK from reyk
Revision 1.16 / (download) - annotate - [select for diffs], Thu Sep 30 12:54:24 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.15: +3 -2 lines
Diff to previous 1.15 (colored)
check that there are transforms in the proposal before trying to actually parse it. ok reyk
Revision 1.15 / (download) - annotate - [select for diffs], Wed Sep 22 09:12:18 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.14: +29 -3 lines
Diff to previous 1.14 (colored)
support INVALID_KE_PAYLOAD notification sent by the responder in case the initiator chose wrong D-H group. in this case we throw away our SA and start over with a proper group. makes iked work as an initiator with strongswan/charon without any specific "ikesa" (phase 1) configuration. ok reyk
Revision 1.14 / (download) - annotate - [select for diffs], Wed Jul 28 15:45:04 2010 UTC (13 years, 10 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)
Change back to the pre rev 1.11 behaviour of not treating unexpected id payloads as errors. Lets interop with strongSwan which sends both IDi and IDr work again.
Revision 1.13 / (download) - annotate - [select for diffs], Sat Jul 3 16:59:35 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)
Better non-debug logging messages when a session is established/closed.
Revision 1.12 / (download) - annotate - [select for diffs], Sun Jun 27 05:49:05 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.11: +3 -2 lines
Diff to previous 1.11 (colored)
When a peer requests a certificate from the local gateway, we first lookup a cert from /etc/iked/certs/ that is signed by a requested CA. As a second step we also compare the subjectAltName of any found certificate now to match the local srcid; this allows to have multiple certs for the same CA but different srcids in the certs/ directory but enforces that the subjectAltName has to be set correctly. requested by jsg@
Revision 1.11 / (download) - annotate - [select for diffs], Sun Jun 27 01:03:22 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.10: +34 -92 lines
Diff to previous 1.10 (colored)
Instead of modifying and fiddling with the IKE SA in the payload parsing routines directly, first parse the message and save the parsed elements in the temporary message struct before validating the information and taking any other actions on the actual SA. This needs more testing, but is the cleaner and better approach.
Revision 1.10 / (download) - annotate - [select for diffs], Sat Jun 26 19:54:19 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.9: +15 -10 lines
Diff to previous 1.9 (colored)
revert the files that have been accidentally committed with my previous parse.y change.
Revision 1.9 / (download) - annotate - [select for diffs], Sat Jun 26 19:48:04 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.8: +11 -16 lines
Diff to previous 1.8 (colored)
mixing any (AF_UNSPEC) with AF_INET/INET6 is not an address family mismatch
Revision 1.8 / (download) - annotate - [select for diffs], Sat Jun 26 18:32:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.7: +4 -4 lines
Diff to previous 1.7 (colored)
Include the Id type in the generated SA tag that is passed to the kernel, just like isakmpd does it. In difference to isakmpd, the Id type is printed in capital letters, eg. FQDN/foo.example.com, because it is using the existing print_map() API. For consistency, rename a few Id types in grammar and code from the RFC-names to the OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just IPV4, DER_ASN1_DN to ASN1_DN etc.
Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 14 23:14:09 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.6: +9 -6 lines
Diff to previous 1.6 (colored)
Initiator mode with certificates; needs more work but works.
Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 14 21:12:56 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.5: +11 -3 lines
Diff to previous 1.5 (colored)
Initial support for initiator mode which allows to run iked as a "client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests...
Revision 1.5 / (download) - annotate - [select for diffs], Mon Jun 14 14:03:15 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.4: +2 -3 lines
Diff to previous 1.4 (colored)
NAT detection again: make it work in initiator and responder mode
Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 14 12:05:32 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.3: +5 -2 lines
Diff to previous 1.3 (colored)
NAT detection with SPIr is always 0
Revision 1.3 / (download) - annotate - [select for diffs], Mon Jun 14 11:33:55 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.2: +12 -32 lines
Diff to previous 1.2 (colored)
restructure code a bit to move closer to initiator mode: - split responder/initiator- specific code into different functions and use shared functions for common stuff. - first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly.
Revision 1.2 / (download) - annotate - [select for diffs], Mon Jun 14 08:10:32 2010 UTC (14 years ago) by reyk
Branch: MAIN
Changes since 1.1: +20 -29 lines
Diff to previous 1.1 (colored)
More code for initiator mode (not finished yet)
Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 10 08:29:47 2010 UTC (14 years ago) by reyk
Branch: MAIN
i don't like splitting source code in too many source files but ikev2.c has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better.