OpenBSD release(s):
1.99 (79 78 77 76),
1.97 (75),
1.93 (74),
1.91 (73),
1.87 (72),
1.84 (71),
1.81 (70),
1.78 (69),
1.67 (68),
1.57 (67),
1.50 (66),
1.49 (65 64 63),
1.48 (62),
1.47 (61),
1.42 (60),
1.41 (59),
1.36 (58),
1.35 (57),
1.31 (56),
1.26 (55),
1.20 (54),
1.19 (53),
1.15 (52),
1.13 (51 50),
1.9 (49),
1.4 (48),

revision 1.99 (Sun, 15 Sep 2024 11:08:50 UTC by yasuoka)
OpenBSD release(s): 79 78 77 76
Changes since 1.98: +2 -1
Add handling of "Class" attribute. diff from markus
ok markus

revision 1.98 (Sat, 13 Jul 2024 12:22:46 UTC by yasuoka)
Changes since 1.97: +328 -1
Add RADIUS support. Authentication, accounting, and "Dynamic
Authorization Extensions" (DAE) are supported.
feedback markus stu
ok tobhe

revision 1.97 (Thu, 15 Feb 2024 19:11:00 UTC by tobhe)
OpenBSD release(s): 75
Changes since 1.96: +15 -2
Delay enabling sockets until ikev2 process is ready.
from markus@

revision 1.96 (Tue, 13 Feb 2024 12:25:11 UTC by tobhe)
Changes since 1.95: +8 -2
Control startup of PROC_CERT and PROC_IKEV2.
Currently PROC_PARENT sends the configuration to both PROC_CERT and
PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know
the state of PROC_CERT: PROC_CERT might not have processed the
initial configuration while PROC_IKEV2 already sends requests to
PROC_CERT, causing failed requests, or even crashes (NULL deref of
ca_certs).
In order to make sure that PROC_CERT is ready before
IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol
is changed as follows:
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed
all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that
IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all
messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has
already processed IMSG_CTL_ACTIVE
from markus@
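
The ordering argument in the entry above can be checked mechanically. The Python model below is an added example, not iked code: it treats PROC_PARENT, PROC_CERT and PROC_IKEV2 as processes joined by FIFO channels (order is only guaranteed per channel, as with one imsg socketpair per process pair) and explores every delivery order for both the old and the new startup sequence. The message names other than IMSG_CTL_ACTIVE, and the rule that PROC_IKEV2 sends PROC_CERT a request as soon as it is active, are simplifications assumed for the model.

```python
"""Exhaustive check of the iked startup handshake described in the 1.96 log entry.

Added illustration, not iked code. PROC_PARENT, PROC_CERT and PROC_IKEV2 are
modelled as processes joined by FIFO channels (one per socketpair, as imsg
does), and every delivery order is explored to see whether PROC_IKEV2 can
send PROC_CERT a request before PROC_CERT has processed its configuration.
Message names other than IMSG_CTL_ACTIVE are placeholders for this model.
"""
from collections import deque

PARENT, CERT, IKEV2 = "PROC_PARENT", "PROC_CERT", "PROC_IKEV2"
CONFIG, CTL_ACTIVE, CERT_REQ = "config", "IMSG_CTL_ACTIVE", "cert request"

# One FIFO channel per (sender, receiver) pair; order is only kept per channel.
CHANNELS = ((PARENT, CERT), (PARENT, IKEV2), (IKEV2, CERT), (CERT, PARENT))


def initial_state(protocol):
    """State is (tuple of per-channel message tuples, cert_configured flag)."""
    queues = {ch: () for ch in CHANNELS}
    queues[(PARENT, CERT)] += (CONFIG,)           # step (1): config to both children
    queues[(PARENT, IKEV2)] += (CONFIG,)
    if protocol == "old":
        queues[(PARENT, IKEV2)] += (CTL_ACTIVE,)  # old: activate IKEV2 right away
    elif protocol == "new":
        queues[(PARENT, CERT)] += (CTL_ACTIVE,)   # step (2): activate CERT first
    else:
        raise ValueError(protocol)
    return tuple(queues[ch] for ch in CHANNELS), False


def deliver(state, idx):
    """Deliver the head message of CHANNELS[idx]; return (new_state, crashed)."""
    queues, cert_configured = dict(zip(CHANNELS, state[0])), state[1]
    ch = CHANNELS[idx]
    msg, queues[ch] = queues[ch][0], queues[ch][1:]
    receiver = ch[1]
    crashed = False
    if receiver == CERT:
        if msg == CONFIG:
            cert_configured = True
        elif msg == CTL_ACTIVE:
            queues[(CERT, PARENT)] += (CTL_ACTIVE,)   # step (3): ack back to parent
        elif msg == CERT_REQ and not cert_configured:
            crashed = True  # request reaches CERT before ca_certs exist: the reported crash
    elif receiver == IKEV2 and msg == CTL_ACTIVE:
        queues[(IKEV2, CERT)] += (CERT_REQ,)          # active IKEV2 starts using CERT
    elif receiver == PARENT and msg == CTL_ACTIVE:
        queues[(PARENT, IKEV2)] += (CTL_ACTIVE,)      # steps (4)+(5): CERT is ready
    return (tuple(queues[ch] for ch in CHANNELS), cert_configured), crashed


def can_crash(protocol):
    """Breadth-first search over all interleavings; True if any order crashes."""
    start = initial_state(protocol)
    seen, todo = {start}, deque([start])
    while todo:
        state = todo.popleft()
        for idx, pending in enumerate(state[0]):
            if not pending:
                continue
            nxt, crashed = deliver(state, idx)
            if crashed:
                return True
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


if __name__ == "__main__":
    print("old startup order can crash PROC_CERT:", can_crash("old"))
    print("new startup order can crash PROC_CERT:", can_crash("new"))
```

With the old order there is a delivery sequence in which PROC_IKEV2 processes IMSG_CTL_ACTIVE and its request reaches PROC_CERT ahead of PROC_CERT's configuration; with the new order the acknowledgement round trip through PROC_PARENT rules that out whatever the scheduler does, because PROC_CERT only acks after the FIFO has delivered its configuration.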

revision 1.95 (Wed, 17 Jan 2024 08:25:02 UTC by claudio)
Changes since 1.94: +8 -6
Convert to use imsg_get_fd()
proc_forward_imsg() does not need to forward file descriptors so just use
-1 there. In other places shuffle debug messages around or use a helper
variable since imsg_get_fd() can only be called once.
OK tb@ tobhe@

revision 1.94 (Mon, 15 Jan 2024 15:29:00 UTC by tobhe)
Changes since 1.93: +3 -23
Include cert_partial_chain in iked_static instead of sending a separate
message.
from markus@

revision 1.93 (Fri, 04 Aug 2023 19:06:25 UTC by claudio)
OpenBSD release(s): 74
Changes since 1.92: +3 -3
Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

revision 1.92 (Tue, 23 May 2023 13:12:19 UTC by claudio)
Changes since 1.91: +32 -32
Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

revision 1.91 (Sat, 03 Dec 2022 22:34:35 UTC by tobhe)
OpenBSD release(s): 73
Changes since 1.90: +4 -4
Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.

revision 1.90 (Fri, 18 Nov 2022 18:56:39 UTC by mbuhl)
Changes since 1.89: +7 -10
Revert my last two changes.
If csa_bundled is set, exactly two csas exist and they point to
each other. Therefore childsa_free already sets the bundled csa
pointer to NULL and it shouldn't be done after calling childsa_free.
ok tobhe@

revision 1.89 (Sun, 13 Nov 2022 21:19:40 UTC by mbuhl)
Changes since 1.88: +10 -7
Make sure csa->csa_bundled is NULL after freeing to prevent a
possible use after free.
ok tobhe@

revision 1.88 (Mon, 10 Oct 2022 11:33:55 UTC by tobhe)
Changes since 1.87: +7 -2
Move enabling the policy refcounting from policy_ref() to config_free_policy().
In config_free_policy() the refcounting is unchanged and each SA linked to the
policy will trigger a call to policy_ref() and increase the references as
before the change. This allows unconditional calls to policy_ref() and
policy_unref() and the callers no longer have to check if IKED_POLICY_REFCNT
is set.
From and ok markus@

revision 1.87 (Mon, 19 Sep 2022 20:54:02 UTC by tobhe)
OpenBSD release(s): 72
Changes since 1.86: +8 -1
Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@
from and ok markus@

revision 1.86 (Fri, 08 Jul 2022 19:51:11 UTC by tobhe)
Changes since 1.85: +5 -1
Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.
from Katsuhiro Ueno
tested by and ok sthen@

revision 1.85 (Sun, 08 May 2022 20:26:31 UTC by tobhe)
Changes since 1.84: +3 -3
Move ikev2_reset_alive_timer() to a place where it makes more sense. The idea
is to renew the timer every time sc_alive_timeout is reset after loading a new
config.
ok patrick@

revision 1.84 (Thu, 25 Nov 2021 18:28:51 UTC by tobhe)
OpenBSD release(s): 71
Changes since 1.83: +2 -2
Silence uninitialized variable warnings.

revision 1.83 (Wed, 24 Nov 2021 20:48:00 UTC by tobhe)
Changes since 1.82: +5 -5
Pass env to pfkey API. Consistently call pfkey file descriptor fd.
ok bluhm@

revision 1.82 (Tue, 12 Oct 2021 09:27:21 UTC by tobhe)
Changes since 1.81: +8 -6
Make sure all copies of MSCHAPv2 passphrase are zeroed after use.
ok patrick@

revision 1.81 (Sat, 18 Sep 2021 16:45:07 UTC by deraadt)
OpenBSD release(s): 70
Changes since 1.80: +2 -2
freezero() instead of free(), because the object may contain a password
ok tobhe

revision 1.80 (Wed, 01 Sep 2021 15:30:06 UTC by tobhe)
Changes since 1.79: +2 -1
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.
Automatic name server configuration is enabled by default for policies using
the 'iface' option.
discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@

revision 1.79 (Thu, 13 May 2021 15:20:48 UTC by tobhe)
Changes since 1.78: +14 -10
Refactor iked process shutdown and cleanup. Remember configured
addresses and routes in iked_vroute_sc to not depend on ikev2
process for cleanup.
This makes sure that all flows, routes and addresses are deleted
no matter which process is killed first.
ok patrick@

revision 1.78 (Mon, 22 Feb 2021 21:58:12 UTC by tobhe)
OpenBSD release(s): 69
Changes since 1.77: +3 -3
Don't pass 'id' as argument to make function signature match similar
functions. config_setpfkey() is always called with id PROC_IKEV2.

revision 1.77 (Sat, 13 Feb 2021 16:14:12 UTC by tobhe)
Changes since 1.76: +2 -1
Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@
ok patrick@

revision 1.76 (Mon, 08 Feb 2021 16:13:58 UTC by tobhe)
Changes since 1.75: +7 -4
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@
ok patrick@

revision 1.75 (Thu, 21 Jan 2021 16:46:47 UTC by tobhe)
Changes since 1.74: +14 -6
Add support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA
exchange. In the case of an invalid KE error, retry
CREATE_CHILD_SA exchange with different group instead
of restarting the full IKE handshake.
ok markus@

revision 1.74 (Sun, 29 Nov 2020 21:00:43 UTC by tobhe)
Changes since 1.73: +3 -1
Add 'set stickyaddress' option. If this option is enabled, iked will try
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA. The original IKESA will be closed and the
address will be transferred to the new IKESA.
ok patrick@

revision 1.73 (Wed, 25 Nov 2020 22:17:13 UTC by tobhe)
Changes since 1.72: +17 -11
Fix proposal error handling. If a proposal contains an unknown transform
type or id, ignore the proposal instead of failing the exchange.
ok patrick@

revision 1.72 (Thu, 29 Oct 2020 21:49:58 UTC by tobhe)
Changes since 1.71: +4 -1
Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.
ok patrick@

revision 1.71 (Wed, 21 Oct 2020 17:47:36 UTC by tobhe)
Changes since 1.70: +3 -1
Remove SAs from ike_dstid_sas on 'ikectl reset sa' to prevent use after free.
Found by csszep <csszep (at) gmail (dot) com>
ok patrick@

revision 1.70 (Fri, 09 Oct 2020 08:59:15 UTC by tobhe)
Changes since 1.69: +1 -2
More unused headers.

revision 1.69 (Fri, 09 Oct 2020 08:54:24 UTC by tobhe)
Changes since 1.68: +1 -2
Remove unused "wait.h" includes.

revision 1.68 (Wed, 30 Sep 2020 16:52:08 UTC by tobhe)
Changes since 1.67: +2 -1
Don't leak sa->sa_peerauth.id_buf.
ok patrick@

revision 1.67 (Fri, 25 Sep 2020 10:38:05 UTC by tobhe)
OpenBSD release(s): 68
Changes since 1.66: +7 -12
Simplify RB_TREE cleanup loops.
ok markus@

revision 1.66 (Wed, 23 Sep 2020 14:25:55 UTC by tobhe)
Changes since 1.65: +23 -1
Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@

revision 1.65 (Wed, 26 Aug 2020 14:49:48 UTC by tobhe)
Changes since 1.64: +3 -1
Allow disabling DPD liveness checks by setting dpd_check_interval to 0.
ok patrick@

revision 1.64 (Tue, 25 Aug 2020 15:08:07 UTC by tobhe)
Changes since 1.63: +2 -1
Add dpd_check_interval configuration option. If for any IKE SA no IPsec
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@

revision 1.63 (Mon, 24 Aug 2020 21:00:21 UTC by tobhe)
Changes since 1.62: +11 -81
Reduce the amount of boilerplate code and imsgs for config options by
grouping fixed-size values in 'struct iked_static' which is sent in
a single message.
ok patrick@

revision 1.62 (Sun, 23 Aug 2020 19:16:07 UTC by tobhe)
Changes since 1.61: +25 -1
Add a new configuration option to limit the number of connections for
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@

revision 1.61 (Tue, 18 Aug 2020 21:02:49 UTC by tobhe)
Changes since 1.60: +45 -9
Add optional time-stamp validation for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
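
How 'tolerate' and 'maxage' constrain the thisUpdate and nextUpdate fields of a response comes down to three comparisons. The Python below is an added example, not iked's own code: it follows the semantics of OpenSSL's OCSP_check_validity(), with tolerate as the clock-skew leeway and maxage as the oldest acceptable thisUpdate. That iked delegates to that function is an assumption of this example, and the timestamps are constructed.

```python
"""Time-stamp checks for an OCSP response, as 'tolerate' and 'maxage' add.

Added illustration, not iked code. The rules mirror OpenSSL's
OCSP_check_validity(thisupd, nextupd, sec, maxsec), with 'tolerate' in the
role of sec (clock-skew leeway) and 'maxage' in the role of maxsec (oldest
acceptable thisUpdate); whether iked calls that function is an assumption.
"""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(text):
    """Parse the ASN.1 GeneralizedTime form used in OCSP, e.g. '20200818210249Z'."""
    if not text.endswith("Z") or len(text) != 15:
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % text)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ocsp_times_valid(this_update, next_update, now, tolerate, maxage=None):
    """Return (ok, reason) for the thisUpdate/nextUpdate pair of an OCSP response.

    tolerate: seconds of leeway for clock skew between us and the responder.
    maxage:   seconds; reject a thisUpdate older than this (None = no limit).
    """
    leeway = timedelta(seconds=tolerate)
    # thisUpdate more than 'tolerate' seconds in the future: the responder's
    # clock is off, or the response was not produced for this moment.
    if this_update > now + leeway:
        return False, "thisUpdate is in the future"
    # thisUpdate older than 'maxage': the status may be stale even though
    # nextUpdate has not passed (or nextUpdate is absent altogether).
    if maxage is not None and this_update < now - timedelta(seconds=maxage):
        return False, "thisUpdate is older than maxage"
    # nextUpdate, when present, must not be more than 'tolerate' seconds in the past.
    if next_update is not None and next_update < now - leeway:
        return False, "nextUpdate has passed"
    return True, "ok"


def check_response(fields, now, tolerate, maxage=None):
    """Apply the checks to an OCSP SingleResponse given as parsed text fields."""
    this_update = parse_generalized_time(fields["thisUpdate"])
    next_update = fields.get("nextUpdate")
    next_update = parse_generalized_time(next_update) if next_update else None
    return ocsp_times_valid(this_update, next_update, now, tolerate, maxage)


if __name__ == "__main__":
    # Constructed sample fields, not a real responder's output.
    now = parse_generalized_time("20200818210249Z")
    fresh = {"thisUpdate": "20200818205249Z", "nextUpdate": "20200819205249Z"}
    stale = {"thisUpdate": "20200816205249Z", "nextUpdate": "20200819205249Z"}
    print(check_response(fresh, now, tolerate=60, maxage=86400))  # (True, 'ok')
    print(check_response(stale, now, tolerate=60, maxage=86400))  # (False, 'thisUpdate is older than maxage')
```

Note that maxage is what catches a response that is still formally valid (nextUpdate in the future) but was produced long ago; without it, a responder that issues long-lived responses lets a replayed status stand until nextUpdate.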

revision 1.60 (Sun, 16 Aug 2020 09:09:17 UTC by tobhe)
Changes since 1.59: +2 -2
Clean up unused parameters.

revision 1.59 (Fri, 14 Aug 2020 21:13:15 UTC by tobhe)
Changes since 1.58: +4 -4
Clean up unused variables.

revision 1.58 (Thu, 23 Jul 2020 22:01:08 UTC by tobhe)
Changes since 1.57: +2 -1
Fix ibuf leak in sa_localauth when SA is freed.
ok patrick@

revision 1.57 (Mon, 13 Apr 2020 19:10:32 UTC by tobhe)
OpenBSD release(s): 67
Changes since 1.56: +7 -3
Try to send a DELETE message if the SA is reset with 'ikectl reset id'.
This way the peer can delete its SAs and eventually reestablish the
connection without having to wait for a timeout.
ok markus@

revision 1.56 (Thu, 09 Apr 2020 19:55:19 UTC by tobhe)
Changes since 1.55: +18 -13
Simplify socket creation logic. Normally iked needs two sockets, one
for normal operation (UDP port 500) and one for NAT traversal (UDP 4500).
There are several command line options resulting in only one of the sockets
being created (-T, -t and -p). Add a new 'enum natt_mode' to make the
logic for those somewhat less complicated as well as some comments where
it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com>
ok patrick@

revision 1.55 (Tue, 24 Mar 2020 13:32:36 UTC by tobhe)
Changes since 1.54: +2 -2
Fix user database corruption from 'ikectl reload'. Copy only the new password
instead of the full iked_user struct to preserve the RB_TREE pointers.
From Bernardo Cunha Vieira <bernardo (dot) vieira (at) almg (dot) gov (dot) br>
ok patrick@

revision 1.54 (Mon, 09 Mar 2020 11:50:43 UTC by tobhe)
Changes since 1.53: +7 -13
Use TAILQ_FOREACH_SAFE instead of hand rolled loops.
From Wataru <wataash at wataash dot com>
ok patrick@

revision 1.53 (Thu, 16 Jan 2020 20:05:00 UTC by tobhe)
Changes since 1.52: +24 -1
Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@

revision 1.52 (Tue, 07 Jan 2020 15:08:28 UTC by tobhe)
Changes since 1.51: +8 -2
Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@

revision 1.51 (Tue, 03 Dec 2019 12:38:34 UTC by tobhe)
Changes since 1.50: +14 -1
Correctly represent flows as traffic selectors as described in RFC 7296. This
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.
ok patrick@
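
What "represent flows as traffic selectors" means on the wire is RFC 7296 section 3.13: each selector carries a TS type, an IP protocol, a length, a port range and an address range, so two flows that share a local network, protocol and ports collapse into one selector. The Python below is an added example rather than iked's encoder: flows_to_selectors() builds and deduplicates the selectors for one side of a set of flows, encode_ts_payload() emits the TSi/TSr payload, and decode_ts_payload() parses it back with the length checks a receiver needs. The flow dictionaries and addresses are constructed for the example.

```python
"""Traffic Selector payload built from flows, RFC 7296 section 3.13.

Added illustration, not iked code: each flow's local (or remote) network is
turned into one TS_IPV4_ADDR_RANGE / TS_IPV6_ADDR_RANGE selector, duplicates
are dropped before encoding, and the encoder's output can be parsed back.
The flow dictionaries and addresses are constructed for the example.
"""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}
ANY_PORTS = (0, 65535)


def selector_for(flow, side):
    """One selector tuple for flow[side]: (type, proto, start_port, end_port, start, end)."""
    net = ipaddress.ip_network(flow[side], strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    start_port, end_port = flow.get(side + "_ports", ANY_PORTS)
    return (ts_type, flow.get("proto", 0), start_port, end_port,
            net.network_address.packed, net.broadcast_address.packed)


def flows_to_selectors(flows, side):
    """Selectors for one side of all flows; first occurrence kept, duplicates dropped."""
    return list(dict.fromkeys(selector_for(flow, side) for flow in flows))


def encode_selector(sel):
    ts_type, proto, start_port, end_port, start, end = sel
    # TS Type | IP Protocol ID | Selector Length | Start Port | End Port | Start Addr | End Addr
    return struct.pack("!BBHHH", ts_type, proto, 8 + len(start) + len(end),
                       start_port, end_port) + start + end


def encode_ts_payload(selectors, next_payload=0):
    """Generic payload header + Number of TSs + 3 reserved bytes + selectors."""
    body = struct.pack("!B3x", len(selectors)) + b"".join(map(encode_selector, selectors))
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_ts_payload(data):
    """Parse a TS payload back into selector tuples, rejecting malformed input."""
    if len(data) < 8:
        raise ValueError("payload too short")
    _next, _flags, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):
        raise ValueError("payload length %d does not match %d bytes" % (length, len(data)))
    count, offset, selectors = data[4], 8, []
    for _ in range(count):
        if offset + 8 > len(data):
            raise ValueError("truncated selector header")
        ts_type, proto, sel_len, start_port, end_port = struct.unpack_from("!BBHHH", data, offset)
        addr_len = ADDR_LEN.get(ts_type)
        if addr_len is None:
            raise ValueError("unsupported TS type %d" % ts_type)
        if sel_len != 8 + 2 * addr_len or offset + sel_len > len(data):
            raise ValueError("bad selector length %d" % sel_len)
        start = data[offset + 8:offset + 8 + addr_len]
        end = data[offset + 8 + addr_len:offset + sel_len]
        if start > end or start_port > end_port:
            raise ValueError("inverted range")
        selectors.append((ts_type, proto, start_port, end_port, start, end))
        offset += sel_len
    if offset != len(data):
        raise ValueError("trailing bytes after last selector")
    return selectors


# Constructed flows for the example: three flows, two sharing the local network.
SAMPLE_FLOWS = [
    {"src": "10.0.1.0/24", "dst": "192.168.0.0/16"},
    {"src": "10.0.1.0/24", "dst": "172.16.0.0/12"},
    {"src": "10.0.2.0/24", "dst": "192.168.0.0/16", "proto": 6, "dst_ports": (443, 443)},
]

if __name__ == "__main__":
    tsi = flows_to_selectors(SAMPLE_FLOWS, "src")
    print(len(SAMPLE_FLOWS), "flows ->", len(tsi), "TSi selectors,",
          len(encode_ts_payload(tsi)), "bytes on the wire")
```

The deduplication key is the whole selector, not just the network: the third sample flow keeps its own remote selector because its protocol and port range differ, which is what a peer needs to narrow the Child SA correctly.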

revision 1.50 (Sat, 11 May 2019 16:30:23 UTC by patrick)
OpenBSD release(s): 66
Changes since 1.49: +42 -1
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@

revision 1.49 (Mon, 27 Nov 2017 18:39:35 UTC by patrick)
OpenBSD release(s): 65 64 63
Changes since 1.48: +24 -1
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful

revision 1.48 (Thu, 13 Apr 2017 07:04:09 UTC by patrick)
OpenBSD release(s): 62
Changes since 1.47: +2 -1
Add a NAT-T keepalive timer in case we are behind a NAT gateway.
See RFC 5996, section 2.23, NAT Traversal:
In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start sending
keepalive packets as defined in [UDPENCAPS].
With markus@, ok reyk@
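
The NAT_DETECTION hashes the quoted section refers to are SHA-1 over the two SPIs, the address and the port: the sender computes them over the addresses it believes it uses, the receiver recomputes them over the addresses it actually sees, and the mismatches tell each side where the NAT is. The Python below is an added example, not iked's code: it builds both notifies for an IKE_SA_INIT request and response and shows which side concludes it is behind a NAT and therefore must send the keepalives this change adds. Addresses, ports and SPIs are constructed.

```python
"""NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP, RFC 7296 section 2.23.

Added illustration, not iked code. Each notify carries SHA-1(SPIi | SPIr |
address | port); the receiver recomputes the hashes over the addresses it
actually sees and learns from the mismatches which side sits behind a NAT.
All addresses, ports and SPIs below are constructed for the example.
"""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, address, port):
    """SHA-1 over the two 8-byte SPIs, the packed address and the 16-bit port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("SPIs must be 8 bytes each")
    packed = ipaddress.ip_address(address).packed
    return hashlib.sha1(spi_i + spi_r + packed + struct.pack("!H", port)).digest()


def nat_detection_notifies(spi_i, spi_r, local, peer):
    """Notify data a sender puts in its message; local/peer are (address, port)."""
    return {
        "NAT_DETECTION_SOURCE_IP": [nat_detection_hash(spi_i, spi_r, *local)],
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, *peer),
    }


def evaluate_nat_detection(spi_i, spi_r, notifies, packet_src, local):
    """Receiver side. packet_src is the (address, port) the packet arrived from,
    local the (address, port) it arrived on. Returns (peer_behind_nat, self_behind_nat)."""
    # The sender hashed its own idea of its address; if none of the SOURCE hashes
    # match what we see on the wire, the peer's address was rewritten on the way.
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *packet_src) \
        not in notifies["NAT_DETECTION_SOURCE_IP"]
    # The sender hashed the address it sent to; if that is not our own address,
    # ours was rewritten: we are behind a NAT and must keep the mapping alive.
    self_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] \
        != nat_detection_hash(spi_i, spi_r, *local)
    return peer_behind_nat, self_behind_nat


def ike_sa_init_exchange():
    """Initiator on a private address behind a NAT, responder on a public address."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r_unset = bytes(8)                     # SPIr is zero in the IKE_SA_INIT request
    spi_r = bytes.fromhex("fedcba9876543210")
    initiator_private = ("10.0.0.5", 500)      # what the initiator believes it is
    initiator_public = ("203.0.113.7", 12345)  # what the NAT turns that into
    responder = ("198.51.100.1", 500)

    # Request: initiator -> responder, observed by the responder after the NAT.
    request = nat_detection_notifies(spi_i, spi_r_unset, initiator_private, responder)
    responder_view = evaluate_nat_detection(spi_i, spi_r_unset, request,
                                            initiator_public, responder)

    # Response: responder -> initiator, addressed to the NAT's public mapping.
    response = nat_detection_notifies(spi_i, spi_r, responder, initiator_public)
    initiator_view = evaluate_nat_detection(spi_i, spi_r, response,
                                            responder, initiator_private)
    return {"responder": responder_view, "initiator": initiator_view}


if __name__ == "__main__":
    views = ike_sa_init_exchange()
    print("responder sees (peer_behind_nat, self_behind_nat):", views["responder"])
    print("initiator sees (peer_behind_nat, self_behind_nat):", views["initiator"])
```

In the constructed exchange the responder learns from the SOURCE_IP mismatch that the peer is behind a NAT (so ESP must be UDP-encapsulated), while the initiator learns from the DESTINATION_IP mismatch that it is the one behind the NAT, which is exactly the case in which the keepalive timer from this change has to run.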

revision 1.47 (Mon, 27 Mar 2017 10:43:53 UTC by mikeb)
OpenBSD release(s): 61
Changes since 1.46: +74 -26
Factor out flows into separate configuration messages
We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.
Suggested and OK reyk

revision 1.46 (Mon, 27 Mar 2017 10:29:02 UTC by reyk)
Changes since 1.45: +1 -2
spacing

revision 1.45 (Mon, 27 Mar 2017 10:24:36 UTC by reyk)
Changes since 1.44: +3 -1
Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.
Diff from markus@
OK mikeb@ patrick@

revision 1.44 (Mon, 13 Mar 2017 18:49:20 UTC by mikeb)
Changes since 1.43: +3 -1
Resolve simultaneous Child SA rekeying
From and OK markus, OK reyk

revision 1.43 (Tue, 03 Jan 2017 17:51:38 UTC by reyk)
Changes since 1.42: +90 -1
Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.
OK mikeb@

revision 1.42 (Wed, 01 Jun 2016 11:16:41 UTC by patrick)
OpenBSD release(s): 60
Changes since 1.41: +5 -1
Implement a second address pool specifically for IPv6, so that
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.
ok markus@ mikeb@

revision 1.41 (Mon, 07 Dec 2015 12:46:37 UTC by reyk)
OpenBSD release(s): 59
Changes since 1.40: +11 -15
Sync proc.c, use shorter proc_compose[v]()

revision 1.40 (Wed, 18 Nov 2015 16:46:30 UTC by reyk)
Changes since 1.39: +4 -6
pledge exposed a simple bug: the unprivileged child tried to print the
policy after receiving it from the parent. print_policy ->
print_proto -> getprotobynumber -> pledge abort because it tried to
access /etc/protocols without rpath. It was just a debugging message
that can be moved to the parent (printing the policy on the sender
side and not the receiver side). The parent has rpath and dns.
Issue found by sthen@ with "proto etherip"
OK sthen@ benno@

revision 1.39 (Mon, 19 Oct 2015 11:25:35 UTC by reyk)
Changes since 1.38: +1 -3
Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.
OK mikeb@

revision 1.38 (Thu, 15 Oct 2015 18:40:38 UTC by mmcc)
Changes since 1.37: +3 -5
Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().
ok mikeb@

revision 1.37 (Fri, 21 Aug 2015 11:59:27 UTC by reyk)
Changes since 1.36: +24 -23
Switch iked to C99-style fixed-width integer types.
OK mikeb@

revision 1.36 (Tue, 07 Jul 2015 19:13:31 UTC by markus)
OpenBSD release(s): 58
Changes since 1.35: +11 -5
repair policy-ikesa-linking by replacing the broken RB_TREE w/TAILQ
(e.g. the policy might be used-after-free on 'ikectl reconfig')
ok mikeb@

revision 1.35 (Fri, 06 Feb 2015 10:39:01 UTC by deraadt)
OpenBSD release(s): 57
Changes since 1.34: +1 -2
unneeded getopt.h

revision 1.34 (Fri, 16 Jan 2015 06:39:58 UTC by deraadt)
Changes since 1.33: +1 -2
Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

revision 1.33 (Wed, 03 Dec 2014 23:18:21 UTC by deraadt)
Changes since 1.32: +4 -4
Init SPI using arc4random_buf, rather than (r << 32) | r
ok matthew

revision 1.32 (Wed, 08 Oct 2014 05:47:03 UTC by deraadt)
Changes since 1.31: +3 -3
trivial use of reallocarray()

revision 1.31 (Tue, 06 May 2014 14:10:53 UTC by markus)
OpenBSD release(s): 56
Changes since 1.30: +18 -1
change the create-child-sa responder code, so it does not store any
state in the ikesa structure. this way we can initiate a create-child-sa
and process requests for the peer at the same time. ok mikeb@

revision 1.30 (Tue, 06 May 2014 10:24:22 UTC by markus)
Changes since 1.29: +2 -1
initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

revision 1.29 (Tue, 06 May 2014 09:48:40 UTC by markus)
Changes since 1.28: +2 -3
cleanup IKE-SA tree handling (fixes repeated-insert & double-remove)
sa_new() always re-inserts an SA into the SA tree. in case of a key
collision it would try to free the new SA. While doing that it would
accidentally free the existing SA, since config_free_sa() does
RB_REMOVE() unconditionally. This change fixes this by:
a) moving the responsibility for RB_REMOVE() to CALLER of config_free_sa() and
b) by calling config_free_sa() instead of sa_free() from sa_new()
It also changes to code to NEVER re-add an SA to the tree. So
RB_INSERT() is ONLY called once per SA. The code also makes sure
that there is always a KEY defined for this tree (ispi).
ok mikeb@

revision 1.28 (Tue, 06 May 2014 07:24:37 UTC by markus)
Changes since 1.27: +6 -2
initial support for PFS; ok reyk@

revision 1.27 (Tue, 22 Apr 2014 12:00:03 UTC by reyk)
Changes since 1.26: +19 -14
Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.
ok mikeb@

revision 1.26 (Mon, 17 Feb 2014 15:53:46 UTC by markus)
OpenBSD release(s): 55
Changes since 1.25: +6 -1
interpret 'config address net/prefix' as a pool of addresses and
randomly choose the address for CFG_REQUEST. this address will be used
to replace 0.0.0.0/32 in the specified flow. e.g.
> ikev2 passive esp from 192.168.1.0/24 to 0.0.0.0 \
> config address 192.168.10.200/24
will assign an address between 192.168.10.200 and 192.168.10.254
and replace 0.0.0.0 with this address.
ok mikeb@ on older version of this diff.
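
The pool semantics above, together with the 'set stickyaddress' behaviour from revision 1.74 earlier on this page, as an added example in Python (not iked code): the pool spans the configured address up to the address before the broadcast address, a member is chosen at random, and in a sticky pool an IKE SA negotiated with the DSTID of an existing SA is handed that SA's address, which survives the old SA being closed. The DSTIDs are constructed; skipping the network address when the host part is zero, and the random-start probing used to find a free member, are assumptions of this example.

```python
"""'config address net/prefix' as an address pool, with 'set stickyaddress'.

Added illustration, not iked code. Pool bounds follow the 1.26 log entry
(configured address up to broadcast minus one); sticky reuse follows the
1.74 entry (same DSTID gets the same address, transferred to the new SA).
Skipping the network address and the probing scheme are assumptions here.
"""
import ipaddress
import random


class ConfigAddressPool:
    def __init__(self, spec, sticky=False, seed=None):
        iface = ipaddress.ip_interface(spec)        # e.g. 192.168.10.200/24
        net = iface.network
        self.first = int(iface.ip)                   # configured address is the lower bound
        if iface.ip == net.network_address:          # assumption: never hand out the network address
            self.first += 1
        self.last = int(net.broadcast_address) - 1   # the broadcast address is never handed out
        if self.first > self.last:
            raise ValueError("no assignable addresses in %s" % spec)
        self.size = self.last - self.first + 1
        self.sticky = sticky
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.holders = {}      # int address -> set of IKE SA ids currently using it
        self.sa_addr = {}      # IKE SA id -> int address
        self.by_dstid = {}     # DSTID -> int address (sticky pools only)

    def bounds(self):
        return ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)

    def assign(self, sa_id, dstid):
        """Address for a new IKE SA, or None when every member is in use."""
        if self.sticky and dstid in self.by_dstid:
            addr = self.by_dstid[dstid]              # same DSTID: transfer the old SA's address
        else:
            if len(self.holders) == self.size:
                return None
            # Random member, then probe forward to the next free one (assumption).
            addr = self.first + self.rng.randrange(self.size)
            while addr in self.holders:
                addr = self.first + (addr - self.first + 1) % self.size
            if self.sticky:
                self.by_dstid[dstid] = addr
        self.holders.setdefault(addr, set()).add(sa_id)
        self.sa_addr[sa_id] = addr
        return ipaddress.ip_address(addr)

    def release(self, sa_id):
        """Drop a closed IKE SA; its address becomes free once no SA holds it."""
        addr = self.sa_addr.pop(sa_id, None)
        if addr is None:
            return
        self.holders[addr].discard(sa_id)
        if not self.holders[addr]:
            del self.holders[addr]
            self.by_dstid = {d: a for d, a in self.by_dstid.items() if a != addr}


if __name__ == "__main__":
    pool = ConfigAddressPool("192.168.10.200/24", sticky=True)
    print("pool: %s .. %s" % pool.bounds())
    first = pool.assign("sa-1", "C=DE/CN=roadwarrior")   # constructed DSTID
    again = pool.assign("sa-2", "C=DE/CN=roadwarrior")   # reconnect with the same DSTID
    print("first SA:", first, "replacement SA:", again)
```

Tracking holders per address rather than one owner is what makes the transfer safe: between the new SA authenticating and the old SA being deleted both reference the address, and releasing the old one must not return it to the pool.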

revision 1.25 (Mon, 17 Feb 2014 15:07:23 UTC by markus)
Changes since 1.24: +26 -1
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

revision 1.24 (Fri, 24 Jan 2014 05:58:52 UTC by mikeb)
Changes since 1.23: +2 -2
use a bit saner timer api

revision 1.23 (Tue, 03 Dec 2013 13:55:39 UTC by markus)
Changes since 1.22: +3 -2
never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

revision 1.22 (Thu, 28 Nov 2013 20:28:34 UTC by markus)
Changes since 1.21: +3 -2
don't leak duplicate flows; ok mikeb@

revision 1.21 (Thu, 24 Oct 2013 02:55:50 UTC by deraadt)
Changes since 1.20: +1 -8
no need for netinet/ip_var.h (and friends)

revision 1.20 (Thu, 21 Mar 2013 04:30:14 UTC by deraadt)
OpenBSD release(s): 54
Changes since 1.19: +1 -2
remove excessive includes

revision 1.19 (Tue, 08 Jan 2013 10:38:19 UTC by reyk)
OpenBSD release(s): 53
Changes since 1.18: +2 -3
Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

revision 1.18 (Sat, 15 Dec 2012 23:20:17 UTC by reyk)
Changes since 1.17: +1 -2
Remove unused variables.

revision 1.17 (Mon, 22 Oct 2012 10:25:17 UTC by reyk)
Changes since 1.16: +9 -4
Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me
ok mikeb@

revision 1.16 (Tue, 18 Sep 2012 12:07:59 UTC by reyk)
Changes since 1.15: +2 -2
update email addresses to match reality.
sure jsg@ mikeb@

revision 1.15 (Mon, 02 Jul 2012 13:03:24 UTC by mikeb)
OpenBSD release(s): 52
Changes since 1.14: +3 -1
Don't close IKE SA immediately after creating a new one when rekeying.
Instead set a timeout that will shut it down in case we don't get an SA
delete notification.

revision 1.14 (Fri, 22 Jun 2012 16:28:20 UTC by mikeb)
Changes since 1.13: +6 -1
Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.

revision 1.13 (Tue, 05 Jul 2011 19:59:00 UTC by tedu)
OpenBSD release(s): 51 50
Changes since 1.12: +2 -2
fix memcpy sizeof. found by jsg. ok deraadt krw mikeb

revision 1.12 (Mon, 09 May 2011 11:15:18 UTC by reyk)
Changes since 1.11: +11 -11
rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

revision 1.11 (Thu, 05 May 2011 12:17:10 UTC by reyk)
Changes since 1.10: +7 -7
rename iked_proc* to privsep_proc*. no functional change.

revision 1.10 (Mon, 18 Apr 2011 08:45:43 UTC by reyk)
Changes since 1.9: +8 -13
When the kernel wants to acquire an SA for an unknown flow, lookup a
matching policy and init a new IKE SA. This adds support for "acquire mode"
from static flows.
ok mikeb@

revision 1.9 (Wed, 26 Jan 2011 16:59:23 UTC by mikeb)
OpenBSD release(s): 49
Changes since 1.8: +4 -2
get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

revision 1.8 (Fri, 21 Jan 2011 11:56:00 UTC by reyk)
Changes since 1.7: +34 -15
Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@
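
As an added example (not iked's policy.c), the following Python implements the evaluation described above: the last matching policy wins, 'quick' stops at the first match, and a pf-style skip step per field lets the evaluator jump over a run of consecutive policies that share the value that just failed. The policies and lookups are constructed; the iked-specific 'skip' keyword and the other iked.conf(5) options are not modelled.

```python
"""Last-matching policy evaluation with 'quick' and PF-style skip steps.

Added illustration, not iked's policy.c: policies are tested in order, the
last match wins unless a matching policy is marked quick, and for every
field a skip step records where to jump when that field fails, so a run of
consecutive policies sharing the field's value is skipped at once.
The policies and lookups below are constructed for the example; 'skip'
policies and other iked.conf(5) keywords are not modelled.
"""
import ipaddress

FIELDS = ("af", "proto", "peer", "local")   # order in which fields are tested


def policy(name, af=4, proto=None, peer=None, local=None, quick=False):
    """None in a field means 'any'. Networks are stored as ip_network objects."""
    return {
        "name": name, "af": af, "proto": proto, "quick": quick,
        "peer": ipaddress.ip_network(peer) if peer else None,
        "local": ipaddress.ip_network(local) if local else None,
    }


def calc_skip_steps(policies):
    """skip[field][i]: first index after i whose value for field differs from policy i's.
    Computed from the end, as pf does, so a run of equal values shares one target."""
    n = len(policies)
    skip = {field: [n] * n for field in FIELDS}
    for field in FIELDS:
        for i in range(n - 2, -1, -1):
            if policies[i][field] == policies[i + 1][field]:
                skip[field][i] = skip[field][i + 1]
            else:
                skip[field][i] = i + 1
    return skip


def field_matches(value, want):
    if value is None:
        return True
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(want) in value
    return value == want


def evaluate(policies, skip, conn):
    """Return (name of the winning policy or None, list of policy indexes tested)."""
    last, visited, i = None, [], 0
    while i < len(policies):
        visited.append(i)
        pol = policies[i]
        for field in FIELDS:
            if not field_matches(pol[field], conn[field]):
                i = skip[field][i]          # every policy in this run fails the same way
                break
        else:
            last = pol
            if pol["quick"]:                 # quick: first match wins
                break
            i += 1                           # otherwise keep going, last match wins
    return (last["name"] if last else None), visited


# Constructed policy set, in configuration order.
POLICIES = [
    policy("catchall"),
    policy("branch", peer="203.0.113.0/24"),
    policy("branch-quick", peer="203.0.113.0/24", local="10.0.0.0/8", quick=True),
    policy("branch-last", peer="203.0.113.0/24", local="10.0.0.0/8"),
    policy("v6-any", af=6),
]
SKIP = calc_skip_steps(POLICIES)


def lookup(peer, local, proto=None):
    addr = ipaddress.ip_address(peer)
    conn = {"af": addr.version, "proto": proto, "peer": peer, "local": local}
    return evaluate(POLICIES, SKIP, conn)


if __name__ == "__main__":
    for peer, local in (("203.0.113.9", "10.1.2.3"),
                        ("203.0.113.9", "192.168.1.1"),
                        ("198.51.100.5", "10.1.1.1")):
        print(peer, local, "->", lookup(peer, local))
```

The visited list is the point of the skip steps: a peer outside 203.0.113.0/24 fails the peer field once at policy 1 and lands directly on policy 4, without testing policies 2 and 3 that share the same peer network, and the IPv6 policy is then skipped by its address family in one step.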

revision 1.7 (Fri, 21 Jan 2011 11:37:02 UTC by reyk)
Changes since 1.6: +4 -8
split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.
ok mikeb@

revision 1.6 (Wed, 12 Jan 2011 14:35:45 UTC by mikeb)
Changes since 1.5: +2 -2
postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

revision 1.5 (Wed, 22 Dec 2010 16:22:27 UTC by mikeb)
Changes since 1.4: +13 -10
child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

revision 1.4 (Mon, 14 Jun 2010 08:10:32 UTC by reyk)
OpenBSD release(s): 48
Changes since 1.3: +17 -2
More code for initiator mode (not finished yet)

revision 1.3 (Thu, 10 Jun 2010 14:08:37 UTC by reyk)
Changes since 1.2: +50 -1
add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

revision 1.2 (Thu, 10 Jun 2010 12:06:34 UTC by reyk)
Changes since 1.1: +8 -4
Add another tree to lookup policy SAs by peer address.

revision 1.1 (Thu, 03 Jun 2010 16:41:12 UTC by reyk)
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.
with lots of help and debugging by jsg@
ok deraadt@