Age | Commit message (Collapse) | Author |
|
ok benno@
|
|
the regression test uncovered code paths in the TS and CP payload parser
that can trigger access to invalid memory locations. This changes the
TS and CP payload parsing to add additional length checks.
With hshoexer@ and markus@; OK sthen@
|
|
From Raf Czlonka, ok sthen@
|
|
their own functions. Makes it easier to extend with other timers that
work on established SAs and re-use the functionality in other places.
Also delete the timer before adding to fix a warning on config reload
in certain circumstances.
ok sthen@
|
|
This gives us more flexibility for negotiating with other IKEv2 setups.
Tested by and ok sthen@
|
|
have a higher flexibility in negotiating with other peers, or even ease
migration from one proposal to a more secure one.
ok sthen@
|
|
exchange that we initiated, we are not allowed to respond to such
a msg. Also we don't need the DH check in ikev2_sa_initiator_dh() as
it's only called when we initiate, so the check would not run, or when
we get a Create Child SA response, where an error should only lead to
us having another attempt at an exchange.
Found by and ok markus@
|
|
ok jca@
|
|
allows us to select one of the peer's proposals (and not only the first).
ok sthen@ hshoexer@
|
|
are an initiator and store the information on the proposal, because we
only had one proposal so far. This changes the code to only create one
SA on the first proposal and then apply the SPI to all other proposals
as well.
ok markus@
|
|
condition is handled a line before.
|
|
replace "minimal" with "minimum".
|
|
|
|
then call the next one, which can then validate itself. Thing is, most
layers try to run validations on the upper layer, which is not useful
and rather confusing. This cleans it up.
First change is that the generic payload parser does not anymore pass
the length of the whole datagram, including all remaining payloads, but
passes only the length of the specific payload to the specific payload
parser. Second change is that the payload validators don't check the
length of the upper layer, but only verify their own lengths.
Diff discussed with hshoexer@ and sthen@
Tested by sthen@
|
|
|
|
flag in the SA header that there is another proposal coming. The "more"
attribute borrows its values, as specified in the RFC, from IKEv1.
ok sthen@
|
|
for each transform type. We do some sanity checks, for instance we do
require an encryption transform for ESP, but that's not enough. We need
to check that for every proposed transform type we have found a matching
transform in our own proposal.
ok sthen@
|
|
starting with number 1. Subsequent proposals must be one more than the
previous proposal.
ok sthen@
|
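The three commits above (the "more" flag in the proposal header, the per-transform-type matching, and the strict proposal numbering) together with the earlier payload-length cleanup describe how an SA payload has to be parsed and how a responder picks a proposal. The following is an added example in Python, not code from iked, that puts those rules in one place: each layer checks only its own length field, proposal numbers must start at 1 and increase by one, the "more" fields must agree with the counts, and any of the peer's proposals (not only the first) is selected, but only if every transform type the peer proposed has a match on our side. The wire layout and the transform/DH identifiers follow RFC 7296 and the IANA registry; the `LOCAL` proposal format, the builder helpers and the sample payload are constructed for the demonstration.

```python
import struct

# Transform types and the one attribute IKEv2 defines (RFC 7296, 3.3.2 and 3.3.5)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
KEYLEN_ATTR = 14          # Key Length attribute, always in TV format

def parse_attributes(buf):
    """Parse TV-format transform attributes; IKEv2 only defines Key Length."""
    attrs, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("attribute truncated")
        af_type, val = struct.unpack_from("!HH", buf, off)
        if not af_type & 0x8000:
            raise ValueError("TLV attribute not expected in a transform")
        attrs[af_type & 0x7fff] = val
        off += 4
    return attrs

def parse_transforms(buf, count):
    """Parse exactly `count` transforms that must fill `buf`; each transform is
    checked against its own length field only, never the enclosing layer's."""
    transforms, off = [], 0
    for i in range(count):
        if len(buf) - off < 8:
            raise ValueError("transform header truncated")
        more, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if tlen < 8 or off + tlen > len(buf):
            raise ValueError("transform length %d exceeds its proposal" % tlen)
        if more != (0 if i == count - 1 else 3):   # 0 = last transform, 3 = more follow
            raise ValueError("transform 'more' flag disagrees with transform count")
        keylen = parse_attributes(buf[off + 8:off + tlen]).get(KEYLEN_ATTR)
        transforms.append((ttype, tid, keylen))
        off += tlen
    if off != len(buf):
        raise ValueError("bytes left over after last transform")
    return transforms

def parse_sa_payload(payload):
    """Parse the proposals of an SA payload body (generic payload header already removed)."""
    proposals, off, expected = [], 0, 1
    while True:
        if len(payload) - off < 8:
            raise ValueError("proposal header truncated")
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", payload, off)
        if plen < 8 + spi_size or off + plen > len(payload):
            raise ValueError("proposal length %d exceeds SA payload" % plen)
        if num != expected:                 # numbering starts at 1, increments by one
            raise ValueError("proposal number %d, expected %d" % (num, expected))
        if more not in (0, 2):              # 0 = last proposal, 2 = more proposals follow
            raise ValueError("bad proposal 'more' value %d" % more)
        spi = payload[off + 8:off + 8 + spi_size]
        transforms = parse_transforms(payload[off + 8 + spi_size:off + plen], ntrans)
        proposals.append({"num": num, "proto": proto, "spi": spi, "transforms": transforms})
        off += plen
        expected += 1
        if more == 0:
            break
    if off != len(payload):
        raise ValueError("bytes left over after last proposal")
    return proposals

def select_proposal(proposals, local):
    """Pick the first acceptable peer proposal (not necessarily proposal 1).
    `local` maps transform type -> set of acceptable (transform id, key length)."""
    for prop in proposals:
        chosen = {}
        for ttype, tid, keylen in prop["transforms"]:
            if ttype not in chosen and (tid, keylen) in local.get(ttype, ()):
                chosen[ttype] = (tid, keylen)
        peer_types = {t[0] for t in prop["transforms"]}
        if ENCR not in peer_types:          # sanity check: IKE and ESP always need ENCR
            continue
        if peer_types - set(chosen):        # a proposed type had no match at all: reject
            continue
        return prop["num"], chosen
    return None

def build_transform(ttype, tid, keylen=None, last=False):
    attr = b"" if keylen is None else struct.pack("!HH", 0x8000 | KEYLEN_ATTR, keylen)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr

def build_proposal(num, proto, spi, transforms, last=False):
    body = b"".join(transforms)
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + body

# Constructed peer SA payload for an IKE SA (protocol 1): proposal 1 offers 3DES,
# proposal 2 offers AES-CBC-256; both with PRF_HMAC_SHA2_256, HMAC_SHA2_256_128, MODP-2048.
COMMON = [build_transform(PRF, 5), build_transform(INTEG, 12), build_transform(DH, 14, last=True)]
PEER_SA = (build_proposal(1, 1, b"", [build_transform(ENCR, 3)] + COMMON)
           + build_proposal(2, 1, b"", [build_transform(ENCR, 12, 256)] + COMMON, last=True))

# Our own configured proposal: AES-CBC only, so proposal 2 is the one to pick.
LOCAL = {ENCR: {(12, 128), (12, 256)}, PRF: {(5, None)}, INTEG: {(12, None)}, DH: {(14, None)}}

def demo():
    return select_proposal(parse_sa_payload(PEER_SA), LOCAL)

if __name__ == "__main__":
    print(demo())
```

Note that `parse_transforms` receives only the bytes of its own proposal, so a transform whose length field runs past its proposal is rejected there even when the proposal's own length was fine; that is the layering the payload-validation cleanup describes.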
|
do PFS and is assumed to be secured using the DH exchange in the first
handshake. Thus there is no KE/N payload in the IKE_AUTH exchange and
we must not include a DH group other than None, which essentially means
we must not supply any DH transforms in the IKE_AUTH messages. So now
we skip adding the DH transforms for initiating and responding to
IKE_AUTH messages.
ok sthen@
|
|
to IKE SA INIT messages with no proposal chosen, as we already do for
Child SAs. For that the error "adding" is done in a new function shared
by both send error handlers. We need two "send error" functions because
the init error is unencrypted, while all later ones are not. Now we can
add more cases, like Child SA not found or that the DH group is not what
we expect.
Save the IKE SA INIT responses, even if it's an error message, so we can
retransmit it if the response is lost on the way back to the initiator
and he tries again. This also helps mitigate DoS attacks as specified
in the RFC. Only if it is indeed a new attempt, like after an INVALID
KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt
to create a new SA.
ok sthen@
|
|
instead return "unknown".
OK beck@
|
|
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful
|
|
able to disable OCSP without restarting iked.
ok beck@ sthen@
|
|
From Klemens Nanni.
ok markus@
|
|
tunneled packets, otherwise every packet between the gateways will
be sent into the tunnel (e.g. ICMP, too).
ok markus@
|
|
lost while applying the diff. This means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.
ok markus@
|
|
is none or until we find one that matches.
ok markus@
|
|
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be compatible
with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.
ok markus@
|
|
|
|
okay millert@
|
|
instead of CLEANFILES += y.tab.h
okay millert@
|
|
identity (username). OK mikeb@
|
|
ok yasuoka mikeb
|
|
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. Instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb
|
|
Public key authentication uses public key files that are stored in the
/etc/iked/pubkeys/ directory where the IKE IDs are encoded as filenames.
This does not simply work with ASN1_DNs where the IDs include slashes
and other special characters. Instead of breaking and failing when an
ASN1_DN is configured, simply skip the public key lookup but allow
to use it with certificates or PSKs.
Reported and fix tested by Igor V. Gubenko - Thanks.
|
|
|
|
See RFC 5996, section 2.23, NAT Traversal:
In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start sending
keepalive packets as defined in [UDPENCAPS].
With markus@, ok reyk@
|
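The RFC text quoted in the commit above is easiest to follow with both directions of the IKE_SA_INIT exchange worked through. The following is an added example in Python, not iked code: each side hashes the addresses as it sees them, the receiver recomputes the hashes from what actually arrived on its socket, and a mismatching NAT_DETECTION_DESTINATION_IP tells the receiver that it is the one behind a NAT and should start sending keepalives. The hash construction is the one from RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | address | port); the addresses, ports and SPIs are constructed for the scenario.

```python
import hashlib
import socket
import struct

def nat_detection_hash(spi_i, spi_r, addr, port):
    """Data of a NAT_DETECTION_*_IP notify: SHA-1 over SPIi | SPIr | address | port
    (RFC 7296, 2.23). In the IKE_SA_INIT request SPIr is still eight zero bytes."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    data = spi_i + spi_r + socket.inet_pton(family, addr) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def nat_detection_payloads(spi_i, spi_r, src_addr, src_port, dst_addr, dst_port):
    """What a sender puts into its NAT_DETECTION_SOURCE_IP and _DESTINATION_IP notifies."""
    return (nat_detection_hash(spi_i, spi_r, src_addr, src_port),
            nat_detection_hash(spi_i, spi_r, dst_addr, dst_port))

def evaluate_nat_detection(spi_i, spi_r, recv_from, local, peer_src_hashes, peer_dst_hash):
    """Run by the receiver of a message carrying NAT detection notifies.
    recv_from and local are (addr, port) as seen by the receiver's socket;
    peer_src_hashes is the list of NAT_DETECTION_SOURCE_IP data the peer sent
    (a multihomed peer may send several), peer_dst_hash the single DESTINATION one."""
    # The peer hashed its own address as *it* sees it. If none of those hashes
    # matches the address the datagram arrived from, a NAT rewrote the peer's side.
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *recv_from) not in peer_src_hashes
    # The peer hashed our address as *it* sees it. If that differs from the address
    # our socket is bound to, a NAT sits in front of us, and per the RFC we are the
    # side that should start sending keepalives.
    we_behind_nat = peer_dst_hash != nat_detection_hash(spi_i, spi_r, *local)
    return {"peer_behind_nat": peer_behind_nat, "we_behind_nat": we_behind_nat,
            "send_keepalives": we_behind_nat}

# Constructed scenario: the initiator sits on RFC 1918 space behind a NAT that
# rewrites 10.0.0.5:500 to 203.0.113.7:4500; the responder has a public address.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R_UNSET = bytes(8)
SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
INIT_PRIVATE = ("10.0.0.5", 500)
INIT_PUBLIC = ("203.0.113.7", 4500)
RESP = ("198.51.100.1", 500)

def run_exchange():
    """Both directions of IKE_SA_INIT; returns (responder's view, initiator's view)."""
    # Initiator -> responder: the initiator only knows its private address.
    i_src, i_dst = nat_detection_payloads(SPI_I, SPI_R_UNSET, *INIT_PRIVATE, *RESP)
    responder_view = evaluate_nat_detection(SPI_I, SPI_R_UNSET, INIT_PUBLIC, RESP, [i_src], i_dst)
    # Responder -> initiator: the responder hashes the translated address it received from.
    r_src, r_dst = nat_detection_payloads(SPI_I, SPI_R, *RESP, *INIT_PUBLIC)
    initiator_view = evaluate_nat_detection(SPI_I, SPI_R, RESP, INIT_PRIVATE, [r_src], r_dst)
    return responder_view, initiator_view

if __name__ == "__main__":
    for side, view in zip(("responder", "initiator"), run_exchange()):
        print(side, view)
```

The responder learns that the peer is behind a NAT (its SOURCE hash does not match the rewritten address), while the initiator's DESTINATION hash check fails on the reply and it concludes that it is the NATed side and must keep the mapping alive.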
|
to make sure we do not run ikev2_msg_cleanup() on an uninitialized stack
variable.
ok deraadt@ reyk@
|
|
This is currently only visible in debug mode (e.g. iked -dvv), some
debug messages will be turned into regular warnings later.
OK claudio@ deraadt@
|
|
This lets us configure explicit old-style RSA again.
OK mikeb@
|
|
iked starts sending keepalive messages after authentication and after
successfully completing the handshake. Other implementations, like
we've seen on Microsoft Azure, start sending keepalive messages right
after receiving the first SA_INIT message when they set up the key
material, even before we received the SA_INIT response to complete the
DH exchange. The solution is to ignore early keepalive messages
before we're ready to encrypt our response, in the transition between
SA_INIT and AUTH. The peer should still accept one or more missed
keepalives.
OK mikeb@
|
|
-1 means "I didn't handle or know this imsg", it should not be used to
indicate an application error in this context.
OK mikeb@
|
|
When tearing an IKE SA down, the DH group referred to by it is destroyed,
however it remains cached in the policy. With the introduction of
IKE SA rekeying we have extended the life of this dangling pointer
by reusing it on new SAs. So instead of caching the pointer in the
policy we can store the DH group ID and create a DH group on demand
using this parameter if it's specified.
With and OK reyk
|
|
|
|
We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.
Suggested and OK reyk
|
|
|
|
Diff from markus@
OK mikeb@ patrick@
|
|
This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.
OK patrick@ mikeb@
|
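The commit above only implements the initiator side of the COOKIE mechanism; to see why reflecting the cookie is enough, it helps to model the responder as well. The following is an added example in Python and is not iked code: the responder half mints and verifies cookies stateless, using the construction RFC 7296 section 2.6 suggests (a secret version byte followed by a hash over Ni, the initiator's address, SPIi and a server secret), and the initiator keeps the cookie it was given and sends it back in an otherwise identical IKE_SA_INIT retry. The message representation (plain dicts), the HMAC-SHA256 choice, the secret and the addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket

class CookieResponder:
    """Responder side of the IKEv2 COOKIE exchange (RFC 7296, 2.6). Under load it
    answers IKE_SA_INIT with N(COOKIE) and keeps no state; the cookie binds the
    initiator's Ni, address and SPIi to a secret only the responder knows."""
    def __init__(self, secret, under_load=True, version=1):
        self.secret, self.under_load, self.version = secret, under_load, version

    def make_cookie(self, src_ip, spi_i, ni):
        # <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>); HMAC-SHA256 assumed here
        mac = hmac.new(self.secret, ni + socket.inet_aton(src_ip) + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac

    def handle_sa_init(self, src_ip, req):
        """req is a dict with 'spi_i', 'ni' and an optional 'cookie'. Returns the
        kind of answer: ('COOKIE', cookie) to demand a cookie, or ('PROCEED', None)
        once the request is accepted and the expensive DH work may start."""
        if not self.under_load:
            return "PROCEED", None
        expected = self.make_cookie(src_ip, req["spi_i"], req["ni"])
        cookie = req.get("cookie")
        if cookie is not None and hmac.compare_digest(cookie, expected):
            return "PROCEED", None
        return "COOKIE", expected

class CookieInitiator:
    """Initiator side: keep the cookie and reflect it as the first payload of a
    retried IKE_SA_INIT that is otherwise unchanged (same SPIi, Ni and KE)."""
    def __init__(self, ip):
        self.ip, self.spi_i, self.ni, self.cookie = ip, os.urandom(8), os.urandom(32), None

    def sa_init(self):
        req = {"spi_i": self.spi_i, "ni": self.ni}
        if self.cookie is not None:
            req["cookie"] = self.cookie
        return req

    def handle_response(self, kind, data):
        if kind == "COOKIE":
            self.cookie = data
            return "RETRY"
        return "CONTINUE"

def run_exchange(responder, initiator, max_attempts=3):
    """Drive IKE_SA_INIT attempts until the responder proceeds; return the answers seen."""
    transcript = []
    for _ in range(max_attempts):
        kind, data = responder.handle_sa_init(initiator.ip, initiator.sa_init())
        transcript.append(kind)
        if initiator.handle_response(kind, data) == "CONTINUE":
            break
    return transcript

def demo():
    responder = CookieResponder(secret=b"constructed-demo-secret")
    return run_exchange(responder, CookieInitiator("203.0.113.7"))

if __name__ == "__main__":
    print(demo())
```

Because the cookie is bound to the source address and SPIi, it cannot be replayed from another address, and because the responder recomputes it from the retried request, it never has to remember which cookies it handed out.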
|
These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.
Original diff from markus@ with patches from mikeb@ and me.
OK mikeb@ patrick@
|
|
ok mikeb@ reyk@
|