#
3e395450 |
| 11-Aug-2020 |
tobhe <tobhe@openbsd.org> |
Prioritize incoming certificate requests by the order of CERTEQ payloads in the received message.
ok patrick@
|
#
38194102 |
| 21-Jul-2020 |
tobhe <tobhe@openbsd.org> |
Handle TEMPORARY_FAILURE notification on IKESA rekeying. If we rekey both the IKESA and an CHILDSA in a small time window a strongswan peer might reposend with a TEMPORARY_FAILURE notification. In th
Handle TEMPORARY_FAILURE notification on IKESA rekeying. If we rekey both the IKESA and an CHILDSA in a small time window a strongswan peer might reposend with a TEMPORARY_FAILURE notification. In this case we retry the rekey of the IKESA after a short timeout and queue PFKEY expire messages (by returning -1 in ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.
ok markus@
show more ...
|
#
adb74705 |
| 15-Jul-2020 |
tobhe <tobhe@openbsd.org> |
Make CERT and CERTREQ payloads optional for public key authentication.
When using certificate authentication the CERT payload is mandatory and as the name suggests is used to send a certificate cont
Make CERT and CERTREQ payloads optional for public key authentication.
When using certificate authentication the CERT payload is mandatory and as the name suggests is used to send a certificate containing a public key used for the authentication signature. For pubkey authentication the key is preshared and stored locally, but only the 'ca' process can read the local keys. The 'ikev2' process had to get the key from the received CERT payload to verify the authentication signature. The peer ID + raw key was then forwarded to the 'ca' process which compared the key against the contents of /etc/iked/pubkey and returned either CERTVALID or CERTINVALID.
With this change a message containing only the ID may be sent from 'ikev2' to the 'ca' process if CERT was not included. In this case the CA process will try to find a local key matching the ID and return it to the 'ikev2' process. The auth verification happens after the 'ca' process has verified or found a key and returned it to the 'ikev2' process, eliminating the need for the CERT payload.
Making CERTREQ optional is easier because we already have a fallback case if the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this same fallback.
This should fix public key authentication interoperability with *swan and other IKEv2 implementations.
ok and tested by kn@ ok patrick@
show more ...
|
#
2f3a6dc6 |
| 03-Jun-2020 |
tobhe <tobhe@openbsd.org> |
Pass sockaddr instead of sockaddr_storage to sa_address.
ok patrick@
|
#
15863c3a |
| 26-May-2020 |
tobhe <tobhe@openbsd.org> |
Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2. They can be configured with the new ikesa enc options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by
Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2. They can be configured with the new ikesa enc options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by Stephan Mendling and myself Tested with Juniper SRX by remi@ ok sthen@, patrick@
show more ...
|
#
81b8feca |
| 14-May-2020 |
tobhe <tobhe@openbsd.org> |
Stricter return value checking for EVP_Cipher* calls.
ok patrick@
|
#
0d71d9e6 |
| 13-May-2020 |
tobhe <tobhe@openbsd.org> |
Remove dead 'iked_flow' member 'flow_type'.
|
#
d38dc9a7 |
| 08-May-2020 |
tobhe <tobhe@openbsd.org> |
Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf does the same thing.
ok patrick@
|
#
0347364b |
| 23-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Add support for switching rdomain on IPsec encryption/decryption. It can be configured per policy with the new 'rdomain' option (see iked.conf(5)). Only the unencrypted (inner) rdomain has to be conf
Add support for switching rdomain on IPsec encryption/decryption. It can be configured per policy with the new 'rdomain' option (see iked.conf(5)). Only the unencrypted (inner) rdomain has to be configured, the encrypted rdomain is always the one the responsible iked instance is running in.
The configured rdomain must exist before iked activates the IPsec SAs, otherwise pfkey will return an error.
ok markus@, patrick@
show more ...
|
#
602e97e0 |
| 20-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Remove unused 'dsa_cert' variable.
ok markus@
|
#
ea5b9487 |
| 13-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Try to send a DELETE message if the SA is reset with 'ikectl reset id'. This way the peer can delete its SAs and eventually reestablish the connection without having to wait for a timeout.
ok markus@
|
#
73192dba |
| 11-Apr-2020 |
tobhe <tobhe@openbsd.org> |
If we haven't received any IKE message from our partner for some time, make sure to send a DPD packet to him so that we break up the connection faster if it's dead.
ok patrick@
|
#
23e03483 |
| 10-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Only make the type part of the idstring lowercase when looking for certs in '/etc/iked', otherwise certs with SubjAltNames containing uppercase letters are not found.
ok markus@
|
#
1ae9ce49 |
| 09-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
show more ...
|
#
44afdd6c |
| 08-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Prevent multiple ibuf leaks. Clean up on proccess shutdown.
ok markus@
|
#
a1e428a3 |
| 02-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Store USE_TRANSPORTMODE in iked_message until the full message was parsed and set the corresponding iked_sa field in ikev2_handle_notifies() like it is done for other NOTIFY payloads.
ok markus@
|
#
12b74e23 |
| 01-Apr-2020 |
tobhe <tobhe@openbsd.org> |
Properly handle multiple CERTREQ payloads in CA process. Only for the last CERTREQ a mismatch should trigger the fallback case, otherwise the following CERTREQs are ignored.
ok markus@
|
#
a9cab3fa |
| 31-Mar-2020 |
tobhe <tobhe@openbsd.org> |
Log summary of certificates in cert store when iked fails to find a certificate for the policy's 'srcid'.
ok markus@
|
#
7e28019f |
| 24-Mar-2020 |
tobhe <tobhe@openbsd.org> |
Add ikev2_print_static_id() to print static IDs in log_debug() output.
ok markus@
|
#
1b12ffc9 |
| 10-Mar-2020 |
tobhe <tobhe@openbsd.org> |
Relookup policy based on received cryptographic parameter proposal. The IKEv2 responder does not know which policy is negotiated until the ID payload is received in the IKE_AUTH exchange. iked theref
Relookup policy based on received cryptographic parameter proposal. The IKEv2 responder does not know which policy is negotiated until the ID payload is received in the IKE_AUTH exchange. iked therefore chooses a default policy until the final policy is selected. This change adds a policy relookup during the IKE_SA_INIT. If the received proposal is not compatible with the default policy we switch to the next highest ranked policy that is compatible with the received proposal.
ok kn@ markus@
show more ...
|
#
b0435d4d |
| 01-Mar-2020 |
tobhe <tobhe@openbsd.org> |
When the proposals are first matched the responder does not yet know the initiators ID and thus does not know which policy applies. The policy is later updated based on the received ID payload. Mak
When the proposals are first matched the responder does not yet know the initiators ID and thus does not know which policy applies. The policy is later updated based on the received ID payload. Make sure the policy looked up during IKE_AUTH is compatible with the negotiated proposal.
ok kn@
show more ...
|
#
1565ef62 |
| 21-Feb-2020 |
tobhe <tobhe@openbsd.org> |
Add transport mode for child SAs. This is useful for GRE over IPsec and similar settings to prevent double encapsulation.
ok kn@
|
#
e439be88 |
| 13-Feb-2020 |
tobhe <tobhe@openbsd.org> |
Constify "buf" argument in print_hex and print_hexval.
ok patrick@
|
#
59c69d76 |
| 16-Jan-2020 |
tobhe <tobhe@openbsd.org> |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
show more ...
|
#
53b41a44 |
| 14-Jan-2020 |
tobhe <tobhe@openbsd.org> |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
show more ...
|