Age | Commit message | Author |
|
calls on pf data to explicit_bzero().
ok mikeb@
|
|
if no CERTREQ was received. In conjunction with the previous iOS9 interop fix,
this may fix an interop problem seen by Denis Lapshin with BlackBerry OS 10.3.1
and one of a number with firebrick.co.uk's IKEv2 implementation diagnosed by
their developer Cliff Hones. ok reyk@
|
|
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
under the RFC, which makes the CERTREQ optional and allows ignoring it
or applying our own policy.
OK mikeb@ sthen@
|
|
OK mikeb@
|
|
|
|
restricted to SHA1 for RSA signatures. ok mikeb@
|
|
|
|
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
|
|
events while we are busy initiating child-SAs; ok mikeb@
|
|
|
|
|
|
|
|
|
|
|
|
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure that we do not go beyond the actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.
From Hans-Joerg Hoexer
ok mikeb@ markus@
|
|
%zu for size_t.
From Andre de Oliveira
With input and OK from blambert@ markus@
|
|
still experimental and rekeying needs some work; ok mikeb@
|
|
|
|
|
|
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@
|
|
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@
|
|
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@
|
|
|
|
to 2013 while I'm here... this is my way of saying "happy new year!".
|
|
|
|
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me
ok mikeb@
|
|
sure jsg@ mikeb@
|
|
|
|
|
|
|
|
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).
|
|
ok mikeb@
|
|
when there's no SA established (as pointed out by reyk). Instead,
use the require-mode feature to send acquires from the kernel. This
allows us to get rid of the code that changes the flow mode to acquire,
keep all installed flows in the tree and save some code
that deals with renegotiation. Also, several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk
|
|
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.
ok reyk
|
|
|
|
it is too specific to be in util.c. This will allow linking util.c
into ikectl later without all the other dependencies of print_id().
|
|
with suggestions and OK from reyk
|
|
to actually parse it.
ok reyk
|
|
the initiator chose the wrong D-H group. In this case we throw away our
SA and start over with a proper group.
Makes iked work as an initiator with strongSwan/charon without any
specific "ikesa" (phase 1) configuration.
ok reyk
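The two commits above (the bounds-checked payload parsing, "Always pass down the number of remaining bytes", and the restart with a proper group after the responder rejects the initiator's D-H choice) share one piece of machinery: a walk over the IKEv2 payload chain that never trusts a Payload Length it has not checked against the bytes actually present. The following is an added example of that discipline, written for this page; it is not iked's code, and the macro and function names, the struct-free interface and the sample bytes are this example's own (the wire formats and numeric values are those of RFC 7296: 4-byte generic payload header, Notify payload type 41, INVALID_KE_PAYLOAD 17 with a 2-octet group number as its data). The sample messages are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from RFC 7296; the macro names are this example's, not iked's. */
#define PAYLOAD_NONE		0	/* terminates the payload chain */
#define PAYLOAD_NONCE		40	/* Ni/Nr payload */
#define PAYLOAD_NOTIFY		41	/* N payload */
#define NOTIFY_INVALID_KE	17	/* responder wants another DH group */
#define PAYLOAD_HDR_LEN		4	/* generic payload header */
#define NOTIFY_FIXED_LEN	4	/* protocol id, spi size, msg type */

/*
 * Walk the payload chain at buf. 'first' is the Next Payload value from
 * the IKE header, 'left' the number of bytes actually received. Each
 * field is checked against 'left' before it is read, so a forged Payload
 * Length or SPI Size cannot drive a read past the end of the buffer.
 * Returns 0 if the chain is well formed, -1 otherwise; if an
 * INVALID_KE_PAYLOAD notify was seen, *group receives the suggested DH
 * group (it is left untouched otherwise).
 */
int
scan_payloads(const uint8_t *buf, size_t left, uint8_t first, int *group)
{
	uint8_t type = first;
	size_t off = 0;

	while (type != PAYLOAD_NONE) {
		const uint8_t *p = buf + off;
		size_t remain = left - off;
		uint16_t plen;

		/* The whole generic header must be present before reading it. */
		if (remain < PAYLOAD_HDR_LEN)
			return (-1);
		plen = (uint16_t)(p[2] << 8 | p[3]);
		/* Length includes the header and may not exceed the data. */
		if (plen < PAYLOAD_HDR_LEN || plen > remain)
			return (-1);

		if (type == PAYLOAD_NOTIFY) {
			const uint8_t *n = p + PAYLOAD_HDR_LEN;
			size_t nlen = plen - PAYLOAD_HDR_LEN;	/* substructure size */
			uint8_t spisz;

			if (nlen < NOTIFY_FIXED_LEN)
				return (-1);
			spisz = n[1];
			if ((size_t)NOTIFY_FIXED_LEN + spisz > nlen)
				return (-1);
			if ((n[2] << 8 | n[3]) == NOTIFY_INVALID_KE) {
				const uint8_t *d = n + NOTIFY_FIXED_LEN + spisz;
				/* Notify data is exactly the 2-octet group number. */
				if (nlen - NOTIFY_FIXED_LEN - spisz != 2)
					return (-1);
				*group = d[0] << 8 | d[1];
			}
		}
		type = p[0];		/* this payload's Next Payload field */
		off += plen;
	}
	/* Bytes left over after the last payload mean a malformed message. */
	return (off == left ? 0 : -1);
}

/* Constructed sample: a reply holding one N(INVALID_KE_PAYLOAD), group 14. */
static const uint8_t invalid_ke_reply[] = {
	0x00, 0x00, 0x00, 0x0a,	/* Next Payload=0, C=0, Length=10 */
	0x00, 0x00, 0x00, 0x11,	/* Proto=0, SPI Size=0, Type=17 */
	0x00, 0x0e,		/* group 14 (2048-bit MODP) */
};

/* Constructed sample: a 4-byte Nonce payload chained in front of the same N. */
static const uint8_t nonce_then_invalid_ke[] = {
	0x29, 0x00, 0x00, 0x08,	/* Next Payload=41 (N), Length=8 */
	0xde, 0xad, 0xbe, 0xef,	/* nonce bytes */
	0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x11, 0x00, 0x0e,
};

/*
 * Initiator side: the group to restart IKE_SA_INIT with, or -1 if the
 * reply is malformed or carries no INVALID_KE_PAYLOAD. 'first' is the
 * Next Payload field of the IKE header.
 */
int
group_to_restart_with(const uint8_t *buf, size_t len, uint8_t first)
{
	int group = -1;

	if (scan_payloads(buf, len, first, &group) == -1)
		return (-1);
	return (group);
}

int
main(void)
{
	uint8_t forged[sizeof(invalid_ke_reply)];

	memcpy(forged, invalid_ke_reply, sizeof(forged));
	forged[3] = 0x20;	/* Payload Length now claims 32 bytes */
	printf("good reply: group %d\n", group_to_restart_with(invalid_ke_reply,
	    sizeof(invalid_ke_reply), PAYLOAD_NOTIFY));
	printf("forged len: %d\n", group_to_restart_with(forged, sizeof(forged),
	    PAYLOAD_NOTIFY));
	return (0);
}
```

The point to take from the scan loop is that `remain` and `nlen` are recomputed from the received byte count at every level of nesting, and each read of a length-bearing field is preceded by a check that the field itself fits. A forged Payload Length, a truncated datagram and an SPI Size larger than the notify body are all rejected before any pointer is advanced, which is the class of bug a raw `memcpy` of a header-declared length would otherwise turn into an out-of-bounds read.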
|
|
id payloads as errors. Lets interop with strongSwan, which sends
both IDi and IDr, work again.
|
|
|
|
look up a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows having multiple
certs for the same CA but different srcids in the certs/ directory, but
enforces that the subjectAltName is set correctly.
requested by jsg@
|
|
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.
|
|
previous parse.y change.
|
|
|
|
kernel, just like isakmpd does it. In contrast to isakmpd, the Id
type is printed in capital letters, e.g. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.
|
|
|
|
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.
It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...
|