path: root/sbin/iked
2018-04-26 Kenneth R Westerback
Plug leak in error case of the common 'varset' implementations. ok benno@
2018-03-22 Patrick Wildt
The iked(8) fuzzer did not fuzz encrypted payloads. With that changed the regression test uncovered code paths in the TS and CP payload parser that can trigger access to invalid memory locations. This changes the TS and CP payload parsing to add additional length checks. With hshoexer@ and markus@; OK sthen@
2018-03-16 Martin Pieuchot
Consistently spell "IPsec" in comments and debug outputs. From Raf Czlonka, ok sthen@
2018-03-05 Patrick Wildt
Outsource enabling/disabling the DPD and keepalive timers for SAs into their own functions. Makes it easier to extend with other timers that work on established SAs and re-use the functionality in other places. Also delete the timer before adding to fix a warning on config reload in certain circumstances. ok sthen@
2018-01-31 Patrick Wildt
Add support for specifying multiple transforms within a single proposal. This gives us more flexibility for negotiating with other IKEv2 setups. Tested by and ok sthen@
2018-01-24 Patrick Wildt
Implement support for specifying multiple proposals. This means we can have a higher flexibility in negotiating with other peers, or even ease migration from one proposal to a more secure one. ok sthen@
2017-12-23 Patrick Wildt
Since ikev2_init_recv() is supposed to only handle responses to an exchange that we initiated, we are not allowed to respond to such a msg. Also we don't need the DH check in ikev2_sa_initiator_dh() as it's only called when we initiate, so the check would not run, or when we get a Create Child SA response, where an error should only lead to us having another attempt at an exchange. Found by and ok markus@
2017-12-13 Patrick Wildt
getsockname(2) needs to be passed the length of the input struct. ok jca@
2017-12-07 Patrick Wildt
Change the SA payload parser to parse more than the first proposal. This allows us to select one of the peer's proposals (and not only the first). ok sthen@ hshoexer@
2017-12-05 Patrick Wildt
When sending out a proposal we create an SA/SPI for the Child SAs if we are an initiator and store the information on the proposal, because we only had one proposal so far. This changes the code to only create one SA on the first proposal and then apply the SPI to all other proposals as well. ok markus@
2017-12-04 Patrick Wildt
Remove duplicate check that never could execute because the exact same condition is handled a line before.
2017-12-04 Patrick Wildt
Consistently log "malformed payload" instead of "payload malformed", and replace "minimal" with "minimum".
2017-12-04 Patrick Wildt
Remove check that is now a duplicate due to recent refactoring.
2017-12-04 Patrick Wildt
The payloads are layered like onions, so you can validate one layer and then call the next one, which can then validate itself. Thing is, most layers try to run validations on the upper layer, which is not useful and rather confusing. This cleans it up. First change is that the generic payload parser does not anymore pass the length of the whole datagram, including all remaining payloads, but passes only the length of the specific payload to the specific payload parser. Second change is that the payload validators don't check the length of the upper layer, but only verify their own lengths. Diff discussed with hshoexer@ and sthen@ Tested by sthen@
2017-12-04 Patrick Wildt
Initialize variable, otherwise the pointer might contain stack garbage.
2017-12-03 Patrick Wildt
If we wanted to send out more proposals than just one, we need to set a flag in the SA header that there is another proposal coming. The "more" attribute borrows its values, as specified in the RFC, from IKEv1. ok sthen@
2017-12-03 Patrick Wildt
The RFC specifies that to accept a proposal, we must select a transform for each transform type. We do some sanity checks, for instance we do require an encryption transform for ESP, but that's not enough. We need to check that for every proposed transform type we have found a matching transform in our own proposal. ok sthen@
2017-12-01 Patrick Wildt
The RFC specifies that in an SA payload the proposals must be numbered starting with number 1. Subsequent proposals must be one more than the previous proposal. ok sthen@
2017-12-01 Patrick Wildt
Turns out that, as specified in the RFC, the initial Child SA does not do PFS and is assumed to be secured using the DH exchange in the first handshake. Thus there is no KE/N payload in the IKE_AUTH exchange and we must not include a DH group other than None, which essentially means we must not supply any DH transforms in the IKE_AUTH messages. So now we skip adding the DH transforms for initiating and responding to IKE_AUTH messages. ok sthen@
2017-11-30 Patrick Wildt
Add support for rejecting IKE SA messages. This means that we can reply to IKE SA INIT messages with no proposal chosen, as we already do for Child SAs. For that the error "adding" is done in a new function shared by both send error handlers. We need two "send error" functions because the init error is unencrypted, while all later ones are not. Now we can add more cases, like Child SA not found or that the DH group is not what we expect. Save the IKE SA INIT responses, even if it's an error message, so we can retransmit it if the response is lost on the way back to the initiator and he tries again. This also helps mitigate DoS attacks as specified in the RFC. Only if it is indeed a new attempt, like after an INVALID KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt to create a new SA. ok sthen@
2017-11-29 Claudio Jeker
Print_host is used mainly in printf style functions. So do not return NULL instead return "unknown". OK beck@
2017-11-27 Patrick Wildt
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all. ok sthen@ tweaks from jmc@ tested by a handful
2017-11-15 Patrick Wildt
Reset the OCSP URL on config reload. Otherwise we end up not being able to disable OCSP without restarting iked. ok beck@ sthen@
2017-11-08 Patrick Wildt
Do not accept superfluous arguments. From Klemens Nanni. ok markus@
2017-11-08 Patrick Wildt
For IPcomp we need to load explicit ESP-flows for the IPIP or IPCOMP tunneled packets, otherwise every packet between the gateways will be sent into the tunnel (e.g. ICMP, too). ok markus@
2017-10-30 Patrick Wildt
In the subjectAltName comparison, the bzero before the while-loop was lost while applying the diff. This means sanid could be passed uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release() could try to release a pointer which is essentially stack garbage. While there I realized that the bzero() in the loop is essentially fatal, since every mismatch leads to a silent leak of ibufs. Since ca_x509_subjectaltname_cmp() releases and initializes the passed iked_id, we can safely call it multiple times after initializing sanid once before the loop. ok markus@
2017-10-27 Patrick Wildt
Support multiple subjectAltNames by trying each existing until there is none or until we find one that matches. ok markus@
2017-10-27 Patrick Wildt
In the final RFC 5903 the computation for the DH shared secret changed. Instead of the full point, only the X point is included. Unfortunately this is a backwards incompatible change, so older ikeds won't be compatible with this change. Of course only if you use ECP. Anyway, this change makes us follow the RFC correctly. ok markus@
2017-08-28 Otto Moerbeek
fix char ** to const char ** conversion warning; ok mikeb@
2017-07-19 Marc Espie
more depends gc / yacc rules overhaul
okay millert@
2017-07-03 Marc Espie
no need to generate y.tab.h if nothing uses it, set YFLAGS to nothing instead of CLEANFILES += y.tab.h okay millert@
2017-06-01 Stuart Henderson
Expand $eapid in iked tags, allowing PF rules to be written based on EAP identity (username). OK mikeb@
2017-05-21 Theo de Raadt
A few more freezero() uses
ok yasuoka mikeb
2017-04-26 Henning Brauer
cope with IP address changes. before, we were trying to resend the msg with the no-longer-available address over and over and over, requiring iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule SA deletion so a new one is set up shortly thereafter. ok reyk mikeb
2017-04-24 Reyk Floeter
Fix configuration of ASN1_DN IDs.
Public key authentication uses public key files that are stored in the /etc/iked/pubkeys/ directory where the IKE IDs are encoded as filenames. This does not simply work with ASN1_DNs where the IDs include slashes and other special characters. Instead of breaking and failing when an ASN1_DN is configured, simply skip the public key lookup but allow to use it with certificates or PSKs. Reported and fix tested by Igor V. Gubenko - Thanks.
2017-04-18 Theo de Raadt
use freezero()
2017-04-13 Patrick Wildt
Add a NAT-T keepalive timer in case we are behind a NAT gateway.
See RFC 5996, section 2.23, NAT Traversal: In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it means that the system receiving the NAT_DETECTION_DESTINATION_IP payload is behind a NAT and that system SHOULD start sending keepalive packets as defined in [UDPENCAPS]. With markus@, ok reyk@
2017-03-30 Patrick Wildt
Only close the SA if an error happens before ikev2_msg_init() was called to make sure we do not run ikev2_msg_cleanup() on an uninitialized stack variable. ok deraadt@ reyk@
2017-03-28 Reyk Floeter
Add helpful debug messages to tell us why public key authentication failed.
This is currently only visible in debug mode (eg. iked -dvv), some debug messages will be turned into regular warnings later. OK claudio@ deraadt@
2017-03-28 Reyk Floeter
Remove RSA from the list of keywords, lookup is now done in a table.
This lets us configure explicit old-style RSA again. OK mikeb@
2017-03-28 Reyk Floeter
Don't send informational responses before we're having the key material.
iked starts sending keepalive messages after authentication and after successfully completing the handshake. Other implementations, like we've seen on Microsoft Azure, start sending keepalive messages right after receiving the first SA_INIT message when they set up the key material, even before we received the SA_INIT response to complete the DH exchange. The solution is to ignore early keepalive messages before we're ready to encrypt our response, in the transition between SA_INIT and AUTH. The peer should still accept one or more missed keepalives. OK mikeb@
2017-03-28 Reyk Floeter
Returning -1 in an imsg handler like ikev2_dispatch_cert aborts iked.
-1 means "I didn't handle or know this imsg", it should not be used to indicate an application error in this context. OK mikeb@
2017-03-27 Mike Belopuhov
Don't cache the DH group in the policy
When tearing IKE SA down, the DH group referred by it is destroyed, however it remains cached in the policy. With the introduction of IKE SA rekeying we have extended the life of this dangling pointer by reusing it on new SAs. So instead of caching the pointer in the policy we can store the DH group ID and create a DH group on demand using this parameter if it's specified. With and OK reyk
2017-03-27 Jason McIntyre
correct verb pattern;
2017-03-27 Mike Belopuhov
Factor out flows into separate configuration messages
We reach an imsg payload limit with just a few traffic selectors so in order to load more we need to split them up and send separately. Suggested and OK reyk
2017-03-27 Reyk Floeter
spacing
2017-03-27 Reyk Floeter
Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.
Diff from markus@ OK mikeb@ patrick@
2017-03-27 Reyk Floeter
Add support to reflect the responder IKEv2 COOKIE.
This fixes connecting to Azure VPN and other implementations that implement the IKEv2 COOKIE mechanism on the responder side. Azure decides to send you a responder COOKIE after too many connection attempts - we have to keep it and reflect it to establish a connection. This implementation is only for the initiator (client) side, we do not support sending COOKIEs on the responder (server) side yet. OK patrick@ mikeb@
2017-03-27 Reyk Floeter
Add support for RFC4754 (ECDSA) and RFC7427 authentication.
These modes provide stronger and more flexible ways for authentication: while RSA public key auth relies on SHA-1 hashes, the new modes use SHA2-256 and up to SHA2-512 hashes. Original diff from markus@ with patches from mikeb@ and me. OK mikeb@ patrick@
2017-03-23 Jonathan Gray
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@