path: root/sbin/iked/parse.y
Commit history (age, commit message, author):

2024-11-04  David Gwynne
    add a "natt" option that forces negotiation of nat-t (and udpencap).
    this is like the -t command line option on iked itself, but you get to keep the ike listener on port 500 and you can enable this on specific policies instead of all of them. this is useful if you're dealing with an org that can't firewall ESP traffic well and so you need to force the traffic to be udp encapsulated even if there's no NAT involved. ok markus@ tobhe@

2024-07-13  YASUOKA Masahiko
    Add RADIUS support. Authentication, accounting, and "Dynamic Authorization Extensions" (DAE) are supported.
    feedback markus stu ok tobhe

2024-04-25  Jonathan Gray
    add fstat() call removed in 1.145 to avoid uninitialised var use
    ok tobhe@

2024-04-13  jrick
    check group and world permissions of iked psk files
    Similar to the permission checks performed on iked.conf(5) due to the possibility of it containing inline psk strings, require psk files to not be group writable or world read-writable. ok tobhe@

2023-08-11  Tobias Heider
    Add iked support for route based sec(4) tunnels.
    To use sec(4) instead of policy based tunnels, create a sec(4) interface and add 'iface secXX' to your policy config. sec(4) interfaces also support auto configuration for dynamic client IPs via 'request any' like all other interfaces. The config won't work without traffic selectors; 'from any to any' should work for now but I plan to make this optional in the future. ok dlg@

2023-06-14  Claudio Jeker
    Replace the last few print_host() calls with print_addr() ones.
    In most cases print_host(addr, buf, buflen) can be replaced with strlcpy(buf, print_addr(addr), buflen). Some code was never fully adjusted to the full power of print_host() and there are remnants of times well before print_host() supported multiple internal buffers. With and OK tb@

2023-04-19  Jonathan Gray
    remove duplicate includes

2022-07-22  Tobias Heider
    Include an OpenIKED Vendor ID payload in the initial handshake.
    This will make it easier to handle interoperability problems with older versions in the future. The ID is constructed from the string "OpenIKED-" followed by the version number. Sending of the vendor ID payload can be disabled by specifying "set novendorid" in iked.conf(5). ok markus@ bluhm@

2022-04-11  Tobias Heider
    Fix leak of esnxf if esn or noesn are configured explicitly.

2021-12-23  Jonathan Gray
    fix off by one in bounds test
    ok tobhe@

2021-12-01  Theo de Raadt
    whitespace cleanup during review read

2021-11-20  Tobias Heider
    Fix some strdup() leaks in ocsp config option.
    ok markus@

2021-11-16  Tobias Heider
    Zero all copies of pre-shared key.
    ok markus@

2021-10-26  Tobias Heider
    Make proto config option accept a list to allow specifying multiple protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
    feedback and ok benno@ ok patrick@

2021-10-15  Christian Weisgerber
    Don't declare variables as "unsigned char *" that are passed to functions that take "char *" arguments.
    Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@

2021-10-12  Tobias Heider
    Make sure all copies of MSCHAPv2 passphrase are zeroed after use.
    ok patrick@

2021-09-18  Theo de Raadt
    upon length check or other failure, explicit_bzero an object, because it may contain a partially copied password
    ok tobhe

2021-05-28  tobhe
    Add experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519).
    The sntrup761 implementation is imported from OpenSSH. It is public domain code originally distributed as part of the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). The method is not part of the default proposal, but can be enabled with 'ikesa group sntrup761x25519'. ok markus@ patrick@

2021-03-16  tobhe
    Add 'grp31' alias for curve25519 as documented in iked.conf(5).

2021-03-05  tobhe
    Move policy printing code from parse.y to new print.c
    ok patrick@

2021-02-13  tobhe
    Add dynamic address configuration for roadwarrior clients.
    The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows. Input from sthen@ and claudio@ ok patrick@

2021-02-09  tobhe
    Add optional 'group none' transform for child SAs and fix handling of 'group none'.
    We currently send no transform of type DH by default, which should be equivalent to explicitly sending a single DH transform of type 'none'. However, the proposal matching logic had a bug where these two would not match, effectively breaking the ability to negotiate optional PFS. This commit fixes the bug but continues to send no DH proposal by default to remain backwards compatible with older versions. ok patrick@

2021-02-07  tobhe
    Fix address leaks in expand_flows().
    ok patrick@

2021-02-01  tobhe
    Whitespace

2020-12-29  Sebastian Benoit
    getifaddrs() can return entries where ifa_addr is NULL. Check for this before accessing anything in ifa_addr.
    ok claudio@

2020-12-27  tobhe
    Fix "any" and "dynamic" keywords for flows and add proper IPv6 support.
    For traffic selectors with a keyword on either 'from' or 'to' side, install flow with address family of the opposite side. If both source and destination address are keywords, install flows for both address families. The 'dynamic' keyword is special as it will only install flows for the address family of the dynamically assigned address (specified with the 'config address' option). ok patrick@

2020-12-20  tobhe
    Don't leak ipsec_hosts when building hosts_list.
    ok patrick@

2020-12-15  tobhe
    Fix leak of REQUEST string.

2020-12-13  tobhe
    Make sure flow src and dst addresses have the same address family.
    ok patrick@

2020-12-10  tobhe
    Print valid ikesa/childsa configuration at startup. Comma separated transforms are not supported.
    ok patrick@

2020-11-29  tobhe
    Add 'set stickyaddress' option. If this option is enabled, iked will try to assign the same 'config address' when an IKESA is negotiated with the DSTID of an existing IKESA.
    The original IKESA will be closed and the address will be transferred to the new IKESA. ok patrick@

2020-11-03  tobhe
    Add 'any' keyword for request to allow 'request address any'.

2020-11-01  tobhe
    Add 'dynamic' keyword to configure flows to dynamically assigned addresses.
    The keyword is replaced at runtime with the address assigned from the pool in 'config address'. ok patrick@

2020-10-29  tobhe
    Add initial support to request IP addresses as IKEv2 initiator.
    At the moment the address is only negotiated and printed to the log. If 'request addr 0.0.0.0' is configured, any address will be accepted. ok patrick@

2020-09-23  tobhe
    Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
    ok patrick@

2020-09-19  tobhe
    Add SHA2_384 and SHA2_512 to default proposals.
    ok patrick@

2020-09-18  tobhe
    Fix memory leak in 'n->name'.

2020-09-16  tobhe
    Fix EAP authentication if the initiator sends no certificate request.
    The locally configured request is used as fallback to find a certificate or key to send. The local auth method for MSCHAP-V2 should be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of raw rsa keys. Tested with Strongswan, iPhone and Windows. Found by and ok sthen@ ok patrick@

2020-09-05  tobhe
    Initialize flow_dir and flow_saproto so policy_test() can find the policy on acquire.

2020-08-25  tobhe
    Fix undefined symbol.

2020-08-25  tobhe
    Add dpd_check_interval configuration option. If for any IKE SA no IPsec or IKE message has been received within the specified time interval, iked will start sending DPD messages.
    ok patrick@

2020-08-23  tobhe
    Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid').
    When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted. ok patrick@

2020-08-18  tobhe
    Add optional time-stamp validation for ocsp. The new optional 'tolerate' parameter specifies how many seconds leeway are allowed in the check.
    The optional maxage parameter indicates the allowed maximum age of the `thisUpdate' OCSP attribute value. ok patrick@

2020-08-14  tobhe
    Delete unused variable 'idtype'.

2020-07-20  tobhe
    Fix dst/src port configuration bug with multiple flows.
    ok patrick@

2020-07-20  Stuart Henderson
    iked: fix typo in fatalx

2020-06-25  tobhe
    Rework 'ikeauth' configuration option. The key and cert checks in the config parser aren't needed as they are checked at runtime during the handshake.
    Moreover, these checks during startup of the daemon never worked properly when dstid was not explicitly configured. The dstid depends on the ID message payload which is only known after the initial handshake. ok patrick@

2020-06-05  tobhe
    Add default proposals for AES-GCM ciphers in IKE and ESP.
    ok patrick@

2020-05-26  tobhe
    Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
    They can be configured with the new ikesa enc options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12. Tested with Strongswan by Stephan Mendling and myself. Tested with Juniper SRX by remi@ ok sthen@, patrick@

2020-04-30  tobhe
    Add ECDH groups and higher order MODP DH groups to default proposal.
    ok sthen@, patrick@
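As an added example (not code from the OpenBSD tree or from any commit above), the shell script below ties together two things this log describes: the 2024-04-13 rule that a psk file must not be group-writable or world-readable/writable, implemented as a portable mode check, and an iked.conf(5) fragment that uses keywords introduced in the entries above (natt, a proto list, iface sec0, sntrup761x25519, childsa group none, config address, and the set options for enforcesingleikesa, stickyaddress, cert_partial_chain, dpd_check_interval and ocsp). The addresses, host names, the sec0 interface, the OCSP URL and the psk path are placeholders; keyword placement in the fragment follows iked.conf(5) as read here and should be confirmed with `iked -n -f <file>` before deployment. The mode check reads "world read-writable" as rejecting a file that is either world-readable or world-writable, which is this editor's reading of the commit, not a quotation of the iked source.

```shell
#!/bin/sh
# Added example, not part of iked. Demonstrates the psk file permission rule from
# the 2024-04-13 commit and an iked.conf(5) fragment using options from the log.

# Return 0 when $1 is neither group-writable nor world-readable or world-writable.
# ls -l output is used instead of stat(1) because its flags differ between
# OpenBSD and GNU userlands; columns 1-10 are the type and mode bits.
psk_file_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    g_w=$(printf '%s' "$perms" | cut -c6)   # group write bit
    o_r=$(printf '%s' "$perms" | cut -c8)   # other read bit
    o_w=$(printf '%s' "$perms" | cut -c9)   # other write bit
    if [ "$g_w" != w ] && [ "$o_r" != r ] && [ "$o_w" != w ]; then
        return 0
    fi
    return 1
}

# Write an illustrative iked.conf(5) to $1. Placeholder names and addresses;
# check with "iked -n -f $1" on a real system.
write_example_conf() {
    cat > "$1" <<'EOF'
# global options ("set" keywords from the log)
set enforcesingleikesa      # one IKE SA per dstid; a new login replaces the old SA
set stickyaddress           # hand a returning dstid the same config address again
set cert_partial_chain      # accept a chain that ends at a trusted CA in /etc/iked/ca/
set dpd_check_interval 30   # start DPD after 30s without IKE or IPsec traffic
set ocsp http://ocsp.example.com tolerate 300 maxage 86400

# responder for road warriors: route based sec(4) tunnel, dynamic client addresses
ikev2 "rw" passive tunnel esp proto { ipencap, ipv6 } \
    from any to any \
    local 203.0.113.1 peer any \
    ikesa enc aes-256-gcm group curve25519 \
    childsa enc aes-256-gcm group none \
    srcid vpn.example.com \
    config address 10.10.10.0/24 \
    iface sec0

# site-to-site initiator behind a firewall that drops ESP: force UDP encapsulation
ikev2 "gw" active natt tunnel esp \
    from 10.0.0.0/24 to 10.1.0.0/24 \
    local 198.51.100.2 peer 203.0.113.1 \
    ikesa enc aes-256-gcm group sntrup761x25519 \
    childsa enc aes-256-gcm \
    srcid host.example.com dstid gw.example.com \
    psk file "/etc/iked/gw.psk"
EOF
}

# Stand-alone demo: write the config and a constructed psk file, check modes.
demo() {
    d=$(mktemp -d) || return 1
    write_example_conf "$d/iked.conf"
    printf 'constructed-sample-psk-not-a-real-secret\n' > "$d/gw.psk"
    chmod 0600 "$d/gw.psk"
    if psk_file_mode_ok "$d/gw.psk"; then
        echo "ok: $d/gw.psk is owner-only"
    fi
    chmod 0644 "$d/gw.psk"
    if ! psk_file_mode_ok "$d/gw.psk"; then
        echo "reject: $d/gw.psk is world-readable, iked would refuse it"
    fi
    rm -rf "$d"
}
demo
```

The check deliberately allows group-readable (0640) files, since the commit only forbids group *write* access; only world access is forbidden for both read and write.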