| Age | Commit message (Collapse) | Author |
|---|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
ok sthen@
|
|
during rekeying to make sure that the response is not rejected.
From Tobias Heider
"much more stable" dhill@
|
|
encrypted payloads. Also increment message id only for valid
messages.
From Tobias Heider
ok sthen@
|
|
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.
|
|
|
|
IKEV2_CFG_INTERNAL_IP6_DHCP and IKEV2_CFG_INTERNAL_IP6_SERVER by using
the correct member in the iked_addr struct for the address.
From Aram Havarnean
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
Fix a problem reported by Mark Patruck and dhill@
ok markus@, dhill@
|
|
than 128 also fail hard when the mask is non contiguous.
OK remi@
|
|
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
OK kn@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
reference to RFC 7359.
Patch by David Dahlberg
|
|
Ok gsoares@
|
|
Thanks to otto@ for the initial diff.
OK benno@
|
|
ok benno@
|
|
the regression test uncovered code paths in the TS and CP payload parser
that can trigger access to invalid memory locations. This changes the
TS and CP payload parsing to add additional length checks.
With hshoexer@ and markus@; OK sthen@
|
|
From Raf Czlonka, ok sthen@
|
|
their own functions. Makes it easier to extend with other timers that
work on established SAs and re-use the functionality in other places.
Also delete the timer before adding to fix a warning on config reload
in certain circumstances.
ok sthen@
|
|
This gives us more flexibilty for negotiating with other IKEv2 setups.
Tested by and ok sthen@
|
|
have a higher flexibility in negotiating with other peers, or even ease
migration from one proposal to a more secure one.
ok sthen@
|
|
exchange that we initiatiated, we are not allowed to respond to such
a msg. Also we don't need the DH check in ikev2_sa_initiator_dh() as
it's only called when we initiate, so the check would not run, or when
we get a Create Child SA response, where an error should only lead to
us having another attempt at an exchange.
Found by and ok markus@
|
|
ok jca@
|
|
allows us to select one of the peer's proposals (and not only the first).
ok sthen@ hshoexer@
|
|
are an initiator and store the information on the proposal, because we
only had one proposal so far. This changes the code to only create one
SA on the first proposal and then apply the SPI to all other proposals
as well.
ok markus@
|
|
condition is handled a line before.
|
|
replace "minimal" with "minimum".
|
|
|
|
then call the next one, which can then validate itself. Thing is, most
layers try to run validations on the upper layer, which is not useful
and rather confusing. This cleans it up.
First change is that the generic payload parser does not anymore pass
the length of the whole datagram, including all remaining payloads, but
passes only the length of the specific payload to the specific payload
parser. Second change is that the payload validators don't check the
length of the upper layer, but only verify their own lengths.
Diff discussed with hshoexer@ and sthen@
Tested by sthen@
|
|
|
|
flag in the SA header that there is another proposal coming. The "more"
attribute borrows its values, as specified in the RFC, from IKEv1.
ok sthen@
|
|
for each transform type. We do some sanity checks, for instance we do
require an encryption transform for ESP, but that's not enough. We need
to check that for every proposed transform type we have found a matching
transform in our own proposal.
ok sthen@
|
|
starting with number 1. Subsequent proposals must be one more than the
previous proposal.
ok sthen@
|
|
do PFS and is assumed to be secured using the DH exchange in the first
handshake. Thus there is no KE/N payload in the IKE_AUTH exchange and
we must not include a DH group other than None, which essentially means
we must not supply any DH transforms in the IKE_AUTH messages. So now
we skip adding the DH transforms for initiating and responding to
IKE_AUTH messages.
ok sthen@
|
|
to IKE SA INIT messages with no proposal chosen, as we already do for
Child SAs. For that the error "adding" is done in a new function shared
by both send error handlers. We need two "send error" functions because
the init error is unencrypted, while all later ones are not. Now we can
add more cases, like Child SA not found or that the DH group is not what
we expect.
Save the IKE SA INIT responses, even if it's an error message, so we can
retransmit it if the response is lost on the way back to the initiator
and he tries again. This also helps mitigate DoS attacks as specified
in the RFC. Only if it is indeed a new attempt, like after an INVALID
KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt
to create a new SA.
ok sthen@
|
|
instead return "unknown".
OK beck@
|
|
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful
|
|
able to disable OCSP without restarting iked.
ok beck@ sthen@
|
|
From Klemens Nanni.
ok markus@
|
|
tunneled packets, otherwise every packet between the gateways will
be sent into the tunnel (e.g. ICMP, too).
ok markus@
|
|
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.
ok markus@
|
|
is none or until we find one that matches.
ok markus@
|
|
Instead of the full point, only the X point is included. Unfortunately
this is a backwards incompatible change, so older ikeds won't be com-
patible with this change. Of course only if you use ECP. Anyway, this
change makes us follow the RFC correctly.
ok markus@
|
|
|
|
okay millert@
|
