Age | Commit message | Author
ok markus
Authorization Extensions" (DAE) are supported.
feedback markus stu
ok tobhe
from markus@
Currently PROC_PARENT sends the configuration to both PROC_CERT and
PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know
the state of PROC_CERT: PROC_CERT might not have processed the
initial configuration while PROC_IKEV2 already sends requests to
PROC_CERT, causing failed requests, or even crashes (NULL deref of
ca_certs).
In order to make sure that PROC_CERT is ready before
IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol
is changed as follows (the startup protocol):
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed
all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that
IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all
messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has
already processed IMSG_CTL_ACTIVE
from markus@
proc_forward_imsg() does not need to forward file descriptors so just use
-1 there. In other places shuffle debug messages around or use a helper
variable since imsg_get_fd() can only be called once.
OK tb@ tobhe@
message.
from markus@
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@
OK kn@ tb@
If csa_bundled is set, exactly two csas exist and they point to
each other. Therefore childsa_free already sets the bundled csa
pointer to NULL and it shouldn't be done after calling childsa_free.
ok tobhe@
possible use after free.
ok tobhe@
In config_free_policy() the refcounting is unchanged and each SA linked to the
policy will trigger a call to policy_ref() and increase the references as
before the change. This allows unconditional calls to policy_ref() and
policy_unref() and the callers no longer have to check if IKED_POLICY_REFCNT
is set.
From and ok markus@
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@
from and ok markus@
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.
from Katsuhiro Ueno
tested by and ok sthen@
is to renew the timer every time sc_alive_timeout is reset after loading a new
config.
ok patrick@
ok bluhm@
ok patrick@
ok tobhe
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.
Automatic name server configuration is enabled by default for policies using
the 'iface' option.
discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@
addresses and routes in iked_vroute_sc to not depend on ikev2
process for cleanup.
This makes sure that all flows, routes and addresses are deleted
no matter which process is killed first.
ok patrick@
functions. config_setpfkey() is always called with id PROC_IKEV2.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@
ok patrick@
Discussed with sthen@
ok patrick@
exchange. In the case of an invalid KE error, retry
CREATE_CHILD_SA exchange with different group instead
of restarting the full IKE handshake.
ok markus@
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA. The original IKESA will be closed and the
address will be transferred to the new IKESA.
ok patrick@
type or id, ignore the proposal instead of failing the exchange.
ok patrick@
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.
ok patrick@
Found by csszep <csszep (at) gmail (dot) com>
ok patrick@
ok patrick@
ok markus@
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@
ok patrick@
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@
grouping fixed-size values in 'struct iked_static' which is sent in
a single message.
ok patrick@
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
ok patrick@
This way the peer can delete its SAs and eventually reestablish the
connection without having to wait for a timeout.
ok markus@
for normal operation (UDP port 500) and one for NAT traversal (UDP 4500).
There are several command line options resulting in only one of the sockets
being created (-T, -t and -p). Add a new 'enum natt_mode' to make the
logic for those somewhat less complicated as well as some comments where
it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com>
ok patrick@
instead of the full iked_user struct to preserve the RB_TREE pointers.
From Bernardo Cunha Vieira <bernardo (dot) vieira (at) almg (dot) gov (dot) br>
ok patrick@
From Wataru <wataash at wataash dot com>
ok patrick@
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.
ok patrick@
ok sthen@