OpenBSD CVS

CVS log for src/sbin/iked/policy.c



Default branch: MAIN


Revision 1.98, Sat Feb 3 00:54:14 2024 UTC (3 months, 4 weeks ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.97: +2 -2 lines

fix off-by-one in bounds test

found by "buffer overflow 'peerxfs' 6 <= 6" smatch error

tobhe@ had a remote peer attempt a transform type of 6 and it is caught
by earlier checks before getting here.

ok tobhe@

Revision 1.97, Fri Nov 10 08:03:02 2023 UTC (6 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.96: +2 -3 lines

Always prefer group from initial KE payload as responder if supported.

from markus@

Revision 1.96, Mon Aug 14 11:55:03 2023 UTC (9 months, 2 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.95: +5 -1 lines

Add explicit NULL checks for sa_cp_addr and sa_cp_addr6.

Revision 1.95, Tue Jun 13 12:34:12 2023 UTC (11 months, 2 weeks ago) by tb
Branch: MAIN
Changes since 1.94: +3 -5 lines

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe

Revision 1.94, Tue May 23 13:12:19 2023 UTC (12 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.93: +3 -3 lines

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Revision 1.93, Wed Feb 8 19:59:10 2023 UTC (15 months, 3 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.92: +1 -3 lines

iked: garbage collect an unused counter variable to make clang 15 happier

ok tobhe

Revision 1.92, Mon Oct 10 11:33:55 2022 UTC (19 months, 3 weeks ago) by tobhe
Branch: MAIN
Changes since 1.91: +4 -9 lines

Move enabling the policy refcounting from policy_ref() to config_free_policy().
In config_free_policy() the refcounting is unchanged and each SA linked to the
policy will trigger a call to policy_ref() and increase the references as
before the change.  This allows unconditional calls to policy_ref() and
policy_unref() and the callers no longer have to check if IKED_POLICY_REFCNT
is set.

From and ok markus@

Revision 1.91, Mon Sep 19 20:54:02 2022 UTC (20 months, 1 week ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.90: +23 -1 lines

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Revision 1.90, Wed Sep 14 13:07:50 2022 UTC (20 months, 2 weeks ago) by tobhe
Branch: MAIN
Changes since 1.89: +3 -1 lines

Compare 'srcnat' when comparing policies.  Fixes a bug where policy lookup could
not differentiate between similar policies that only differ in srcnat.  Also
include srcnat when logging flows or policies.

ok markus@

Revision 1.89, Wed Dec 1 16:42:13 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.88: +2 -2 lines

whitespace cleanup during review read

Revision 1.88, Sat Nov 27 21:50:05 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.87: +4 -4 lines

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@

Revision 1.87, Fri Nov 26 16:22:44 2021 UTC (2 years, 6 months ago) by patrick
Branch: MAIN
Changes since 1.86: +10 -1 lines

A peer sends both his local id and the remote id he expects us to be.  So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set.  Hence dstid is involved in the decision making.  While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have.  If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@

Revision 1.86, Wed Nov 24 20:48:00 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.85: +2 -2 lines

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Revision 1.85, Tue Oct 26 17:31:22 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.84: +1 -7 lines

Make proto config option accept a list to allow specifying multiple
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".

feedback and ok benno@
ok patrick@

Revision 1.84, Tue Oct 12 10:01:59 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.83: +19 -6 lines

Change responder to prefer DH group from KE payload.
Without this change the responder would always prefer the first DH
group configured in its policy. This would lead to invalid KE
messages that cause an additional exchange which old
implementations do not support correctly. Now we ignore the order
of DH groups in the policy and prefer the group from the policy
that matches the KE payload.

from markus@
ok patrick@

Revision 1.83, Wed Sep 1 15:30:06 2021 UTC (2 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.82: +8 -1 lines

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@

Revision 1.82, Wed Jun 23 12:11:40 2021 UTC (2 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.81: +7 -53 lines

Factor out vroute_addr().

ok markus@

Revision 1.81, Fri Apr 9 09:15:04 2021 UTC (3 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.80: +4 -1 lines

Only modify routes if SA has a valid address lease.  On IKE SA rekey
sa_cp_addr and sa_cp_addr6 are moved to the new SA before the old
SA is deleted.
Fixes a bug where host routes were deleted on IKE SA rekey.

ok patrick@

Revision 1.80, Mon Mar 15 22:32:44 2021 UTC (3 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.79: +13 -3 lines

We make sure that a dh group is required if the local proposal
contains an explicit group transform. Override requiredh if one
of the local options is 'none' so that a proposal with no DH
group and one with explicit group 'none' result in a match.

ok patrick@

Revision 1.79, Mon Mar 1 16:38:07 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.78: +2 -2 lines

Make sure sa_policy is not NULL in sa_configure_iface(). This can happen
if the SA is deleted because of a failed policy lookup.

Revision 1.78, Sat Feb 13 16:14:12 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.77: +119 -1 lines

Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@

Revision 1.77, Fri Feb 12 19:30:34 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.76: +3 -3 lines

Fix local and peer addresses in policy lookup for dangling SAs
after ikectl reload.

ok patrick@

Revision 1.76, Tue Feb 9 21:35:48 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.75: +3 -2 lines

Add optional 'group none' transform for child SAs and fix handling of
'group none'.   We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'.  However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS.  This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.

ok patrick@

Revision 1.75, Mon Feb 1 16:37:48 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.74: +6 -2 lines

Take flows into consideration for policy lookup as initiator.
Fixes a bug where policies that only differ in their flow
configuration lead to a handshake error.

Found by claudio@
ok patrick@

Revision 1.74, Mon Dec 21 22:49:36 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.73: +104 -10 lines

Use policy_test() to reassign existing SAs to updated policies after
'ikectl reload'.  This prevents initiation of new additional SAs
for each policy every time the config is reloaded.

ok patrick@

Revision 1.73, Wed Dec 2 16:47:45 2020 UTC (3 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.72: +5 -5 lines

The skip steps must be set up for each attribute independently
otherwise the wrong rules might be skipped, e.g. if you have
policies with different listen addresses that are not sorted
by address family.

ok patrick@

Revision 1.72, Wed Nov 25 22:17:14 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.71: +2 -2 lines

Fix proposal error handling.  If a proposal contains an unknown transform
type or id, ignore the proposal instead of failing the exchange.

ok patrick@

Revision 1.71, Wed Nov 18 22:24:03 2020 UTC (3 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.70: +2 -2 lines

Constify sa in ikev2_pld_eap().  The parser code must not change any
sa or policy state; this should help make it clearer.

ok patrick@

Revision 1.70, Wed Sep 9 21:25:42 2020 UTC (3 years, 8 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.69: +1 -13 lines

Delete dead code.

Revision 1.69, Sun Aug 23 19:16:08 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.68: +113 -1 lines

Add a new configuration option to limit the number of connections for
each peer (identified by their 'dstid').  When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.

ok patrick@

Revision 1.68, Sat Aug 15 11:31:17 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.67: +4 -4 lines

Remove dead assignments.

Revision 1.67, Thu Aug 6 22:04:04 2020 UTC (3 years, 9 months ago) by tobhe
Branch: MAIN
Changes since 1.66: +1 -2 lines

Delete commented out code.

Revision 1.66, Tue Jul 21 08:03:39 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.65: +5 -2 lines

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and a CHILDSA in a small time
window a strongswan peer might respond with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Revision 1.65, Thu Jul 16 17:16:17 2020 UTC (3 years, 10 months ago) by tobhe
Branch: MAIN
Changes since 1.64: +2 -2 lines

Make sure to update policy dependent SA fields after policy_lookup().

ok kn@ patrick@

Revision 1.64, Wed Jun 3 17:56:42 2020 UTC (3 years, 11 months ago) by tobhe
Branch: MAIN
Changes since 1.63: +5 -6 lines

Pass sockaddr instead of sockaddr_storage to sa_address.

ok patrick@

Revision 1.63, Tue May 26 20:24:31 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.62: +14 -3 lines

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@

Revision 1.62, Wed May 13 23:03:20 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.61: +2 -5 lines

Remove unnecessary logging messages.

Revision 1.61, Mon May 11 20:11:35 2020 UTC (4 years ago) by tobhe
Branch: MAIN
Changes since 1.60: +17 -2 lines

Fix policy lookup edge case for simultaneous transport and tunnel mode SAs.
Only the initiator can use 'msg_policy' to determine if the policy is supposed
to be transport mode, the responder has to check for a received USE_TRANSPORT
notify to find a matching policy during the lookup.

ok markus@

Revision 1.60, Tue Apr 28 17:56:45 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.59: +3 -3 lines

The order of arguments to proposals_negotiate makes a difference.
'key->pol_proposals' should be the peer proposal as it is derived from
a received SA payload, 'p->p_proposal' comes from a locally configured
policy.

ok patrick@

Revision 1.59, Thu Apr 23 20:17:48 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.58: +3 -1 lines

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Revision 1.58, Sat Apr 4 20:36:34 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
Changes since 1.57: +5 -7 lines

It makes no sense to fall back to original policy if the relookup with the
received initiator ID fails. Send AUTH_FAILED message and exit instead.

ok markus@

Revision 1.57, Tue Mar 10 18:54:52 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.56: +7 -3 lines

Relookup policy based on received cryptographic parameter proposal.
The IKEv2 responder does not know which policy is negotiated until
the ID payload is received in the IKE_AUTH exchange.
iked therefore chooses a default policy until the final policy is
selected. This change adds a policy relookup during the IKE_SA_INIT.
If the received proposal is not compatible with the default policy
we switch to the next highest ranked policy that is compatible
with the received proposal.

ok kn@ markus@

Revision 1.56, Mon Mar 9 11:50:43 2020 UTC (4 years, 2 months ago) by tobhe
Branch: MAIN
Changes since 1.55: +3 -5 lines

Use TAILQ_FOREACH_SAFE instead of hand rolled loops.

From Wataru <wataash at wataash dot com>
ok patrick@

Revision 1.55, Sun Mar 1 19:17:58 2020 UTC (4 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.54: +204 -1 lines

When the proposals are first matched the responder does
not yet know the initiator's ID and thus does not know which
policy applies.  The policy is later updated based on the
received ID payload.  Make sure the policy looked up during
IKE_AUTH is compatible with the negotiated proposal.

ok kn@

Revision 1.54, Tue Jan 7 15:08:28 2020 UTC (4 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.53: +6 -51 lines

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Revision 1.53, Sat Dec 28 16:27:04 2019 UTC (4 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.52: +4 -1 lines

Refactor child SA cleanup.

ok bluhm@

Revision 1.52, Tue Dec 10 12:20:17 2019 UTC (4 years, 5 months ago) by tobhe
Branch: MAIN
Changes since 1.51: +29 -2 lines

We can receive a delete and free an SA that is referenced in sa_nextr.
Remove references when deleting the SA, otherwise we trigger a
use-after-free.

ok markus@

Revision 1.51, Tue Dec 3 12:38:34 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.50: +47 -1 lines

Correctly represent flows as traffic selectors as described in RFC 7296. This
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.

ok patrick@

Revision 1.50, Sat Nov 30 15:44:07 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.49: +6 -4 lines

Log loaded SPIs and flows.

ok patrick@

Revision 1.49, Wed Nov 13 12:24:40 2019 UTC (4 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.48: +8 -4 lines

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@

Revision 1.48, Mon Aug 12 07:40:45 2019 UTC (4 years, 9 months ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.47: +3 -3 lines

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@

Revision 1.47, Mon Nov 27 18:39:35 2017 UTC (6 years, 6 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.46: +43 -2 lines

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder.  In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake.  It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

Revision 1.46, Mon Mar 13 18:48:16 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.45: +8 -4 lines

Resolve simultaneous IKE SA rekeying

From and OK markus, OK reyk

Revision 1.45, Mon Mar 13 15:01:59 2017 UTC (7 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.44: +5 -1 lines

When freeing a Child SA make sure its peer no longer points to it

From and OK markus, OK reyk

Revision 1.44, Mon Mar 13 14:33:33 2017 UTC (7 years, 2 months ago) by patrick
Branch: MAIN
Changes since 1.43: +13 -5 lines

flow_cmp() must compare the same flow-attributes as the kernel,
otherwise we never can keep the in-daemon and the in-kernel idea
of flows in sync and iked ends up deleting flows that are still
in use.  Make use of flow_cmp() and a new flow_equal() instead
of handcrafting the compare in an if.

ok markus@ reyk@

Revision 1.43, Mon Mar 13 14:19:08 2017 UTC (7 years, 2 months ago) by patrick
Branch: MAIN
Changes since 1.42: +10 -2 lines

We need to call policy_ref() for policies that have refcounting
enabled. Refcounting is enabled when a policy is removed during
'ikectl reload' and still has SAs point to it. On IKESA rekeying
such a policy will be referenced by the new IKESA, so we need to
adjust the refcount -- otherwise the policies get free()d too
early and we will crash at some point.

ok markus@ mikeb@ reyk@

Revision 1.42, Wed Jun 1 11:16:41 2016 UTC (8 years ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.41: +9 -1 lines

Implement a second address pool specifically for IPv6, so that
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.

ok markus@ mikeb@

Revision 1.41, Tue Oct 20 06:42:59 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.40: +2 -1 lines

Fix ocsp by adding a missing TAILQ_INIT().

Confirmed by markus@ with an identical diff

Revision 1.40, Thu Oct 1 10:59:23 2015 UTC (8 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.39: +3 -3 lines

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out.  This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Revision 1.39, Fri Aug 21 11:59:28 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.38: +11 -11 lines

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Revision 1.38, Wed Aug 19 14:12:43 2015 UTC (8 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.37: +2 -2 lines

spacing (no binary change, verified with checksums)

Revision 1.37, Tue Jul 7 19:13:31 2015 UTC (8 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.36: +15 -37 lines

repair policy-ikesa-linking by replacing the broken RB_TREE w/TAILQ
(e.g. the policy might be used-after-free on 'ikectl reconfig')
ok mikeb@

Revision 1.36, Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.35: +1 -2 lines

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.35, Fri Nov 7 14:12:57 2014 UTC (9 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.34: +2 -3 lines

Fixup a few problems with EAP state transition

First of all we don't need to satisfy valid EAP state flags for
IKEV2_STATE_EAP as it's an initial EAP exchange state.  Then
when waiting for the "ca" process to construct our AUTH payload
we need to bail while sa_localauth is not available.  With this
change Win7 is able to establish the tunnel again.

ok markus

Revision 1.34, Tue May 6 10:24:22 2014 UTC (10 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.33: +12 -6 lines

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

Revision 1.33, Tue May 6 09:48:40 2014 UTC (10 years ago) by markus
Branch: MAIN
Changes since 1.32: +23 -18 lines

cleanup IKE-SA tree handling (fixes repeated-insert & double-remove)

sa_new() always re-inserts an SA into the SA tree. in case of a key
collision it would try to free the new SA. While doing that it would
accidentally free the existing SA, since config_free_sa() does
RB_REMOVE() unconditionally.  This change fixes this by:
a) moving the responsibility for RB_REMOVE() to CALLER of config_free_sa() and
b) by calling config_free_sa() instead of sa_free() from sa_new()
It also changes the code to NEVER re-add an SA to the tree. So
RB_INSERT() is ONLY called once per SA. The code also makes sure
that there is always a KEY defined for this tree (ispi).

ok mikeb@

Revision 1.32, Tue Apr 29 11:51:13 2014 UTC (10 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.31: +15 -8 lines

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@

Revision 1.31, Fri Feb 21 20:52:38 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.30: +13 -5 lines

support rekeying for IPCOMP; ok mikeb@

Revision 1.30, Mon Feb 17 15:53:46 2014 UTC (10 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.29: +9 -1 lines

interpret 'config address net/prefix' as a pool of addresses and
randomly choose the address for CFG_REQUEST. this address will be used
to replace 0.0.0.0/32 in the specified flow. e.g.
> ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \
>     config address 192.168.10.200/24
will assign an address between 192.168.10.200 and 192.168.10.254
and replace 0.0.0.0 with this address.
ok mikeb@ on older version of this diff.

Revision 1.29, Fri Jan 24 07:35:55 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.28: +21 -1 lines

re-lookup the policy as soon as we have the ID of the peer (destid)
ok mikeb@

Revision 1.28, Fri Jan 24 07:30:48 2014 UTC (10 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.27: +5 -3 lines

make sure sa_lookup() can actually find SAs; ok mikeb

Revision 1.27, Tue Dec 3 13:55:40 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.26: +6 -4 lines

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

Revision 1.26, Thu Nov 28 20:24:48 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.25: +2 -1 lines

sa_lookup: don't compare with sh_rspi if rspi is not set

otherwise this can happen: initiator retransmits SA_INIT
with rspi of zero, sa_lookup for responder fails, and
it creates a new SA, that cannot be inserted in the SA tree

Revision 1.25, Thu Nov 28 20:23:28 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.24: +8 -2 lines

sa_new(): discard & free duplicate IKESAs; ok mikeb@

Revision 1.24, Thu Oct 24 02:55:50 2013 UTC (10 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.23: +1 -8 lines

no need for netinet/ip_var.h (and friends)

Revision 1.23, Tue Jan 8 10:38:19 2013 UTC (11 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.22: +2 -3 lines

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Revision 1.22, Sat Dec 15 23:12:21 2012 UTC (11 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.21: +6 -10 lines

Don't dereference NULL pointers (and some cleanup here).

Revision 1.21, Tue Sep 18 12:07:59 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.20: +2 -2 lines

update email addresses to match reality.
sure jsg@ mikeb@

Revision 1.20 / (download) - annotate - [select for diffs], Wed May 30 09:39:35 2012 UTC (12 years ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (colored)

when changing peer's address in the SA, remove the old entry from the
tree before doing the actual change, otherwise we won't remove anything
for real.  also add the newly created SA to the peer's tree so that
initiator timer will treat the ike policy as "in progress".

Revision 1.19 / (download) - annotate - [select for diffs], Mon May 2 12:39:18 2011 UTC (13 years, 1 month ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.18: +7 -5 lines
Diff to previous 1.18 (colored)

store the peer address as it was specified in the policy in the
tree that is used to figure out whether the policy is active or
not.  makes active sa lookup via policy work for nat traversal.
problem was reported and fix was tested by sthen, ok sthen, reyk

Revision 1.18 / (download) - annotate - [select for diffs], Mon Apr 18 09:54:41 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.17: +3 -6 lines
Diff to previous 1.17 (colored)

Improve the iked acquire mode peer <-> policy matching.  This change
picks the peer from the acquire message and allows matching masked
peers in the policies like "peer any" or "peer 10.0.0.0/8" instead of
requiring exactly matching peer specifications.

ok mikeb@

Revision 1.17 / (download) - annotate - [select for diffs], Mon Apr 18 08:45:43 2011 UTC (13 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.16: +43 -5 lines
Diff to previous 1.16 (colored)

When the kernel wants to acquire an SA for an unknown flow, lookup a
matching policy and init a new IKE SA.  This adds support for "acquire mode"
from static flows.

ok mikeb@

Revision 1.16 / (download) - annotate - [select for diffs], Wed Jan 26 16:59:24 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.15: +5 -5 lines
Diff to previous 1.15 (colored)

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk).  instead
use require mode feature to send acquires from the kernel.  this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation.  also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa).   ok reyk

Revision 1.15 / (download) - annotate - [select for diffs], Fri Jan 21 11:56:00 2011 UTC (13 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.14: +83 -23 lines
Diff to previous 1.14 (colored)

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF.  The previous rbtree-based
implementation was broken and tried to do a longest prefix match.  But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation.  The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8).  See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code.  It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies).  This allows iked(8) to scale well with thousands of
configured policies, but I also liked having skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@

Revision 1.14 / (download) - annotate - [select for diffs], Tue Jan 18 11:34:44 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.13: +4 -4 lines
Diff to previous 1.13 (colored)

reyk noticed that my rb-tree-fu is not that great.  fixup compare function
to do exact matches;  ok reyk

Revision 1.13 / (download) - annotate - [select for diffs], Mon Jan 17 18:49:35 2011 UTC (13 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.12: +38 -1 lines
Diff to previous 1.12 (colored)

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer.  In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

Revision 1.12 / (download) - annotate - [select for diffs], Wed Dec 22 16:22:27 2010 UTC (13 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.11: +32 -1 lines
Diff to previous 1.11 (colored)

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

Revision 1.11 / (download) - annotate - [select for diffs], Sat Jul 3 16:59:35 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.10: +17 -2 lines
Diff to previous 1.10 (colored)

Better non-debug logging messages when a session is established/closed.

Revision 1.10 / (download) - annotate - [select for diffs], Sun Jun 27 00:32:42 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.9: +4 -4 lines
Diff to previous 1.9 (colored)

print the required bits as a string

Revision 1.9 / (download) - annotate - [select for diffs], Tue Jun 15 00:34:17 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.8: +16 -9 lines
Diff to previous 1.8 (colored)

only compare the SPIi in the SA tree

Revision 1.8 / (download) - annotate - [select for diffs], Mon Jun 14 23:14:09 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.7: +36 -18 lines
Diff to previous 1.7 (colored)

Initiator mode with certificates;  needs more work but works.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 14 21:12:56 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.6: +18 -17 lines
Diff to previous 1.6 (colored)

Initial support for initiator mode, which allows running iked as a
"client" or configuring iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup.  So it
is not quite production ready yet - but ready for simple tests...

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 14 12:06:33 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.5: +1 -7 lines
Diff to previous 1.5 (colored)

remove policy lookup debug message

Revision 1.5 / (download) - annotate - [select for diffs], Mon Jun 14 11:33:55 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.4: +19 -6 lines
Diff to previous 1.4 (colored)

restructure code a bit to move closer to initiator mode:
- split responder-/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.

Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 14 08:10:32 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.3: +27 -16 lines
Diff to previous 1.3 (colored)

More code for initiator mode (not finished yet)

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 10 12:06:34 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.2: +48 -1 lines
Diff to previous 1.2 (colored)

Add another tree to lookup policy SAs by peer address.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Jun 10 07:35:41 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.1: +1 -2 lines
Diff to previous 1.1 (colored)

only call RB_REMOVE once when removing an SA.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 3 16:41:12 2010 UTC (14 years ago) by reyk
Branch: MAIN

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically.  Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP.  The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@
