path: root/sbin/iked/ikev2.c
Age         Author
            Commit message

2021-12-09  Tobias Heider
    Properly enable NAT-T without udpencap if mobike was negotiated without NAT.
    Fixes a bug where iked sent zero-prefixed NAT-T messages on port 500 causing parsing errors. ok markus@ patrick@

2021-12-09  Tobias Heider
    Move switch to NAT-T port and udpencap activation to ikev2_enable_natt().
    ok patrick@

2021-12-06  Tobias Heider
    Logging received addresses and DNS configuration only makes sense for
    the initiator. ok patrick@

2021-12-04  Tobias Heider
    Send out dstid as initiator if configured. This makes it easier for
    the responder to match the correct policy if multiple are available. ok patrick@

2021-12-01  Theo de Raadt
    whitespace cleanup during review read

2021-11-30  Tobias Heider
    whitespace

2021-11-29  Theo de Raadt
    sys/param.h was included for MAX(), MIN() and roundup(). make local
    copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup() ok jsg

2021-11-27  Tobias Heider
    Rename msg_id to msg_peerid now that we also have msg_localid.
    ok patrick@

2021-11-26  Tobias Heider
    Fix ikev2_child_sa_rekey() warnings. The SPI can't be printed without a
    parent SA.

2021-11-24  Tobias Heider
    Pass env to pfkey API. Consistently call pfkey file descriptor fd.
    ok bluhm@

2021-11-23  Tobias Heider
    Add logging for rekey failures.
    ok patrick@

2021-11-22  Tobias Heider
    MOBIKE is RFC 4555.

2021-11-16  Tobias Heider
    Zero all copies of pre-shared key.
    ok markus@

2021-11-15  Tobias Heider
    style

2021-11-10  Tobias Heider
    Look for INVALID_KE group from IKE_SA_INIT in IKE transforms,
    not ESP transforms. Fixes broken key exchange negotiation with matching proposals. ok patrick@ markus@

2021-10-12  Tobias Heider
    Change responder to prefer DH group from KE payload.
    Without this change the responder would always prefer the first DH group configured in its policy. This would lead to invalid KE messages that cause an additional exchange which old implementations do not support correctly. Now we ignore the order of DH groups in the policy and prefer the group from the policy that matches the KE payload. from markus@ ok patrick@
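To make the selection change described in the commit above concrete, here is an added example (written for this page, not iked's own code; the function names are hypothetical and the policy and proposal arrays are constructed for the illustration). It contrasts the old responder rule, "first configured group that the initiator also proposed", with the new one, "the group in the KE payload if the policy allows it", for an IKE_SA_INIT responder:

```c
#include <stddef.h>
#include <stdio.h>

/* IKEv2 transform type 4 (Diffie-Hellman group) identifiers. */
enum dh_id {
	DH_NONE       = 0,
	DH_MODP2048   = 14,
	DH_ECP256     = 19,
	DH_ECP384     = 20,
	DH_CURVE25519 = 31
};

/* What the responder has to send back after choosing a group. */
enum ke_notify {
	KE_OK = 0,		/* peer's KE payload is usable, continue IKE_SA_INIT */
	KE_INVALID_KE_PAYLOAD,	/* ask the peer to retry with .group */
	KE_NO_PROPOSAL_CHOSEN	/* no group in common at all */
};

struct ke_choice {
	enum dh_id	group;	/* chosen group, DH_NONE if nothing overlaps */
	enum ke_notify	notify;
};

#define NELEM(a)	(sizeof((a)) / sizeof((a)[0]))

static int
group_in(const enum dh_id *set, size_t n, enum dh_id g)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (set[i] == g)
			return (1);
	return (0);
}

/*
 * Old selection (hypothetical reconstruction): walk the responder's policy in
 * configured order and take the first group the initiator also proposed.  If
 * that is not the group carried in the KE payload, the responder must answer
 * INVALID_KE_PAYLOAD and the initiator has to redo IKE_SA_INIT.
 */
static struct ke_choice
choose_group_first_configured(const enum dh_id *policy, size_t npolicy,
    const enum dh_id *proposed, size_t nproposed, enum dh_id ke_group)
{
	struct ke_choice c = { DH_NONE, KE_NO_PROPOSAL_CHOSEN };
	size_t i;

	for (i = 0; i < npolicy; i++) {
		if (!group_in(proposed, nproposed, policy[i]))
			continue;
		c.group = policy[i];
		c.notify = (policy[i] == ke_group) ?
		    KE_OK : KE_INVALID_KE_PAYLOAD;
		break;
	}
	return (c);
}

/*
 * New selection: if the KE payload's group is both allowed by the policy and
 * present in the proposal, accept it regardless of configured order.  Only
 * otherwise fall back to the old walk, whose INVALID_KE_PAYLOAD is then
 * unavoidable.
 */
static struct ke_choice
choose_group_prefer_ke(const enum dh_id *policy, size_t npolicy,
    const enum dh_id *proposed, size_t nproposed, enum dh_id ke_group)
{
	struct ke_choice c;

	if (group_in(policy, npolicy, ke_group) &&
	    group_in(proposed, nproposed, ke_group)) {
		c.group = ke_group;
		c.notify = KE_OK;
		return (c);
	}
	return (choose_group_first_configured(policy, npolicy,
	    proposed, nproposed, ke_group));
}

/*
 * Constructed sample (not from any real configuration): the responder's
 * policy lists ecp384 first, the initiator proposes the same three groups
 * but built its KE payload for ecp256.
 */
static const enum dh_id sample_policy[] = { DH_ECP384, DH_ECP256, DH_MODP2048 };
static const enum dh_id sample_proposed[] = { DH_MODP2048, DH_ECP256, DH_ECP384 };
static const enum dh_id sample_unknown[] = { DH_CURVE25519 };

int
main(void)
{
	struct ke_choice before, after;

	before = choose_group_first_configured(sample_policy, NELEM(sample_policy),
	    sample_proposed, NELEM(sample_proposed), DH_ECP256);
	after = choose_group_prefer_ke(sample_policy, NELEM(sample_policy),
	    sample_proposed, NELEM(sample_proposed), DH_ECP256);
	printf("old: group %d notify %d\n", before.group, before.notify);
	printf("new: group %d notify %d\n", after.group, after.notify);
	return (0);
}
```

With the constructed input the old rule picks ecp384 and forces an INVALID_KE_PAYLOAD round trip even though ecp256 was acceptable to both sides; the new rule accepts ecp256 directly. When the KE group is not allowed by the policy both rules still answer INVALID_KE_PAYLOAD naming the responder's first acceptable group, so the extra exchange only happens when it is genuinely needed.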
2021-10-12  Tobias Heider
    Make sure all copies of MSCHAPv2 passphrase are zeroed after use.
    ok patrick@

2021-09-07  Tobias Heider
    Fix leak of msg_cert.id_buf. ikev2_msg_cleanup() frees id_buf if we
    don't delete the pointer. ok markus@

2021-09-01  Tobias Heider
    Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
    route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection. Automatic name server configuration is enabled by default for policies using the 'iface' option. discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@

2021-06-29  tobhe
    Send AUTHENTICATION_FAILED in case of unexpected auth method or auth
    data not being accessible. From Claudia Priesterjahn @ achelos ok patrick@

2021-06-17  tobhe
    Skip flows in ikev2_cp_addr() if they don't contain a dynamic (0.0.0.0)
    address before checking sa_addrpool. Fixes a bug where no flows are added if a single address instead of a pool is configured in config address. Reported by Sebastien Leclerc ok patrick@

2021-06-11  tobhe
    Revert previous change in ikev2_cp_fixaddr().
    Fixes a regression found by landry@. ok patrick@

2021-05-31  tobhe
    Don't fail hard in ikev2_cp_fixaddr() if no address pool is found.
    Fixes a bug where no flows are loaded when a single config address without pool is configured. ok patrick@

2021-05-31  tobhe
    Prevent address underflow with /32 config address prefix.
    Only skip .0 address if the pool is big enough. ok patrick@

2021-05-13  tobhe
    Refactor iked process shutdown and cleanup. Remember configured
    addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup. This makes sure that all flows, routes and addresses are deleted no matter which process is killed first. ok patrick@

2021-03-23  tobhe
    Don't send DELETE notify if IKE SA is replaced because of
    'enforcesingleikesa'. Fixes an interop problem with strongswan if make-before-break is enabled. ok patrick@

2021-03-15  tobhe
    Ignore msg_ke in CREATE_CHILD_SA if DH negotiation results in group
    'none' (disabling PFS). Fixes a bug when the initiator sends a KE payload but the negotiation results in DH group "none". For other DH group mismatches we send an INVALID_KE notify, for 'none' we can just ignore the KE payload. ok patrick@

2021-03-14  tobhe
    Log errors with log level info and SPI.

2021-03-09  tobhe
    Also log transforms on IKE SA rekey.

2021-03-07  tobhe
    Log ESN for child SAs if enabled.

2021-03-06  tobhe
    whitespace

2021-03-05  tobhe
    Print PFS group for rekeyed Child SAs.
    ok patrick@

2021-03-05  tobhe
    Log transforms of established IKE and Child SAs.
    ok patrick@

2021-03-04  tobhe
    Derive config netmask from address pool if not explicitly configured.
    ok markus@

2021-02-20  tobhe
    Fail on invalid address family.

2021-02-18  tobhe
    Save one allocation by passing msg_nonce ownership instead of using
    ibuf_dup(). ok patrick@

2021-02-18  tobhe
    Pass ownership instead of duplicating ibuf msg_ke.
    ok patrick@

2021-02-13  tobhe
    Add dynamic address configuration for roadwarrior clients.
    The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows. Input from sthen@ and claudio@ ok patrick@

2021-02-11  tobhe
    Explicitly unset IKED_REQ_CERTVALID before sending cert to ca process.
    ok markus@

2021-02-10  tobhe
    Delay deletion of IKE SAs on rekey when stickyaddress is enabled to make
    sure peers can keep their previously assigned addresses. ok patrick@

2021-02-09  tobhe
    Add optional 'group none' transform for child SAs and fix handling of
    'group none'. We currently send no transform of type DH by default, which should be equivalent to explicitly sending a single DH transform of type 'none'. However, the proposal matching logic had a bug where these two would not match, effectively breaking the ability to negotiate optional PFS. This commit fixes the bug but continues to send no DH proposal by default to remain backwards compatible with older versions. ok patrick@
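The matching rule stated in the commit above, as an added example (written for this page, not iked's implementation; the struct and function names are hypothetical and the proposals are constructed). The strict matcher reproduces the bug, where a peer that sends no DH transform can never match a local explicit 'none'; the fixed matcher treats "no DH transform" and "single DH transform 'none'" as the same offer, in both directions:

```c
#include <stddef.h>
#include <stdio.h>

#define IKEV2_XFORMTYPE_DH	4	/* transform type 4: Diffie-Hellman group */
#define DH_NONE			0
#define DH_ECP256		19
#define DH_ECP384		20

struct transform {
	int	xf_type;
	int	xf_id;
};

/* A proposal reduced to its transform list; p_nxf == 0 means nothing was sent. */
struct proposal {
	const struct transform	*p_xf;
	size_t			 p_nxf;
};

static int
proposal_has_type(const struct proposal *p, int type)
{
	size_t i;

	for (i = 0; i < p->p_nxf; i++)
		if (p->p_xf[i].xf_type == type)
			return (1);
	return (0);
}

static int
proposal_has(const struct proposal *p, int type, int id)
{
	size_t i;

	for (i = 0; i < p->p_nxf; i++)
		if (p->p_xf[i].xf_type == type && p->p_xf[i].xf_id == id)
			return (1);
	return (0);
}

/*
 * Buggy matching (hypothetical reconstruction): a local DH transform only
 * matches an explicit DH transform on the peer side, so a peer sending no DH
 * transform never matches a local 'none'.  Returns the group id or -1.
 */
static int
dh_negotiate_strict(const struct proposal *local, const struct proposal *peer)
{
	size_t i;

	for (i = 0; i < local->p_nxf; i++) {
		if (local->p_xf[i].xf_type != IKEV2_XFORMTYPE_DH)
			continue;
		if (proposal_has(peer, IKEV2_XFORMTYPE_DH, local->p_xf[i].xf_id))
			return (local->p_xf[i].xf_id);
	}
	return (-1);
}

/* Does p offer group id?  No DH transform at all counts as offering exactly 'none'. */
static int
dh_offers(const struct proposal *p, int id)
{
	if (!proposal_has_type(p, IKEV2_XFORMTYPE_DH))
		return (id == DH_NONE);
	return (proposal_has(p, IKEV2_XFORMTYPE_DH, id));
}

/*
 * Fixed matching: walk the local DH offers in configured order (an absent
 * DH transform is the single offer 'none') and take the first the peer
 * also offers.  Returns the group id or -1.
 */
static int
dh_negotiate_fixed(const struct proposal *local, const struct proposal *peer)
{
	size_t i;

	if (!proposal_has_type(local, IKEV2_XFORMTYPE_DH))
		return (dh_offers(peer, DH_NONE) ? DH_NONE : -1);
	for (i = 0; i < local->p_nxf; i++) {
		if (local->p_xf[i].xf_type != IKEV2_XFORMTYPE_DH)
			continue;
		if (dh_offers(peer, local->p_xf[i].xf_id))
			return (local->p_xf[i].xf_id);
	}
	return (-1);
}

/* Constructed proposals; only DH transforms are listed since only that type is matched here. */
static const struct transform xf_ecp256_then_none[] = {
	{ IKEV2_XFORMTYPE_DH, DH_ECP256 }, { IKEV2_XFORMTYPE_DH, DH_NONE }
};
static const struct transform xf_ecp256_only[] = { { IKEV2_XFORMTYPE_DH, DH_ECP256 } };
static const struct transform xf_ecp384_only[] = { { IKEV2_XFORMTYPE_DH, DH_ECP384 } };

static const struct proposal local_optional_pfs = { xf_ecp256_then_none, 2 };	/* "group ecp256 none" */
static const struct proposal local_pfs_required = { xf_ecp256_only, 1 };	/* "group ecp256" */
static const struct proposal peer_no_dh = { NULL, 0 };				/* old default: no DH sent */
static const struct proposal peer_ecp256 = { xf_ecp256_only, 1 };
static const struct proposal peer_ecp384 = { xf_ecp384_only, 1 };

int
main(void)
{
	printf("strict, peer sends no DH: %d\n",
	    dh_negotiate_strict(&local_optional_pfs, &peer_no_dh));
	printf("fixed,  peer sends no DH: %d\n",
	    dh_negotiate_fixed(&local_optional_pfs, &peer_no_dh));
	printf("fixed,  peer offers ecp256: %d\n",
	    dh_negotiate_fixed(&local_optional_pfs, &peer_ecp256));
	return (0);
}
```

The interesting cases are the two asymmetric ones: a side configured with "group ecp256 none" talking to an old peer that sends no DH transform settles on 'none' (optional PFS, no PFS used), while a side configured with "group ecp256" only still refuses that peer, because requiring PFS must not be weakened by the peer's silence.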
2021-02-04  tobhe
    Rename 'struct group' to 'struct dh_group' for more clarity and
    to avoid name clashes. ok patrick@

2021-02-04  tobhe
    Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
    checks where needed. ok markus@ patrick@

2021-02-01  tobhe
    Take flows into consideration for policy lookup as initiator.
    Fixes a bug where policies that only differ in their flow configuration lead to a handshake error. Found by claudio@ ok patrick@

2021-01-31  tobhe
    Ignore addresses that are not 0/32 (dynamic) in ikev2_cp_fixaddr()
    instead of throwing an error. Fixes a bug where flows without 'dynamic' were skipped when 'config/request address' is used. ok patrick@

2021-01-31  tobhe
    Don't leak flows if ikev2_cp_fixflow() fails.
    ok patrick@

2021-01-23  tobhe
    Fix typos.
    From Ryan Kavanagh ok patrick@

2021-01-21  tobhe
    Handle NO_PROPOSAL_CHOSEN for CREATE_CHILD_SA.
    ok markus@

2021-01-21  tobhe
    Add support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA
    exchange. In the case of an invalid KE error, retry CREATE_CHILD_SA exchange with different group instead of restarting the full IKE handshake. ok markus@

2021-01-20  tobhe
    Make sure to enforce matching dstid as initiator. Use policy lookup
    to make sure the negotiated SA matches the selected policy. ok patrick@