History log of /openbsd/sbin/iked/ikev2_msg.c (Results 1 – 25 of 101)
Revision Date Author Comments
# 2117af45 02-Mar-2024 tobhe <tobhe@openbsd.org>

Trigger retransmission only for fragment 1/x, otherwise each received
fragment can trigger retransmission of the full fragment queue.

From RFC7383, 2.6.1:
"[...] that even MUST only trigger a retransmission of the response message
(fragmented or no) if the Fragment Number field in the received
fragments is set to 1; otherwise, it MUST be ignored."

from markus



# eef6c82a 04-Aug-2023 claudio <claudio@openbsd.org>

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@



# dca9e784 28-Jul-2023 claudio <claudio@openbsd.org>

Implement print_hexbuf() to hexdump the contents of an ibuf.
OK tb@


# a699afca 28-Jul-2023 claudio <claudio@openbsd.org>

Use ibuf_data() instead of accessing the ibuf buf pointer directly.
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@


# f6f27851 18-Jul-2023 claudio <claudio@openbsd.org>

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@


# a30a01d6 28-Jun-2023 tobhe <tobhe@openbsd.org>

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@



# 14e2a040 13-Jun-2023 tb <tb@openbsd.org>

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe



# 5001b11b 06-Jun-2023 claudio <claudio@openbsd.org>

Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is
the same in these cases.
OK tb@


# 37e80bc6 30-May-2023 claudio <claudio@openbsd.org>

Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat()
method but instead of overwriting ibuf internals replace the buf a level up.
Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to
msg_data (which is another footgun to disarm at some point).
OK tb@



# 56c4e216 23-May-2023 claudio <claudio@openbsd.org>

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@


# be2b38f5 23-May-2023 claudio <claudio@openbsd.org>

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@


# 0d262a08 06-Dec-2022 tobhe <tobhe@openbsd.org>

Print size_t with %zu.

ok patrick@


# 520fa7a1 03-Dec-2022 tobhe <tobhe@openbsd.org>

Include endian.h where needed for betohXX functions.


# 68468697 11-Nov-2022 mbuhl <mbuhl@openbsd.org>

In case of an invalid SA, resp is passed to ikev2_msg_cleanup() without
initialization, where the msg_parent field is accessed.
ok tobhe


# f336206e 21-Sep-2022 tobhe <tobhe@openbsd.org>

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# b41cc0c8 19-Sep-2022 tobhe <tobhe@openbsd.org>

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@



# 6e264ad0 14-Mar-2022 tobhe <tobhe@openbsd.org>

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@

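The two fragment-retransmission rules described in the 6e264ad0 and 2117af45 messages above, as an added illustration written for this page and not taken from iked: an initiator keeps one timer per message and resends every fragment in order on timeout, while a responder that receives a duplicate request fragment for a message it already answered retransmits the stored response only when that fragment's Fragment Number is 1 (RFC 7383, section 2.6.1). All struct and function names are invented for the example; the queue models only the two Encrypted Fragment header fields the rules depend on and counts wire sends instead of writing to a socket.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS	16
#define MAX_RETRIES	5

/* One Encrypted Fragment payload (RFC 7383 2.5), reduced to the two
 * header fields the retransmission rules depend on. Invented struct. */
struct frag {
	uint16_t	num;	/* Fragment Number, 1-based */
	uint16_t	total;	/* Total Fragments */
};

/* All fragments of one outgoing message share this state and, on the
 * initiator, a single retransmit timer. Invented struct. */
struct fragqueue {
	uint32_t	msgid;
	struct frag	frags[MAX_FRAGS];
	int		nfrags;
	int		timer_armed;	/* one timer for the whole message */
	int		retries;	/* timeouts seen so far */
	int		wire_sends;	/* fragments put on the (simulated) wire */
};

static void
fragqueue_init(struct fragqueue *q, uint32_t msgid, int nfrags)
{
	int i;

	memset(q, 0, sizeof(*q));
	q->msgid = msgid;
	q->nfrags = nfrags;
	for (i = 0; i < nfrags; i++) {
		q->frags[i].num = (uint16_t)(i + 1);
		q->frags[i].total = (uint16_t)nfrags;
	}
}

/* Send every fragment of the message, in order; returns the count sent. */
static int
fragqueue_send(struct fragqueue *q)
{
	int i;

	for (i = 0; i < q->nfrags; i++)
		q->wire_sends++;	/* a real daemon writes frags[i] here */
	return q->nfrags;
}

/* Initiator: first transmission arms the single timer for the message. */
static int
initiator_send(struct fragqueue *q)
{
	q->timer_armed = 1;
	return fragqueue_send(q);
}

/* Initiator timer expiry: loss of any one fragment means the peer discards
 * the whole message, so all fragments are resent together. Returns the
 * number resent, or -1 once the retry budget is exhausted. */
static int
initiator_timeout(struct fragqueue *q)
{
	if (!q->timer_armed)
		return 0;
	if (q->retries >= MAX_RETRIES) {
		q->timer_armed = 0;
		return -1;
	}
	q->retries++;
	return fragqueue_send(q);
}

/* Header sanity: Fragment Number is 1-based and never exceeds the total. */
static int
frag_valid(const struct frag *f)
{
	return f->num >= 1 && f->total >= 1 && f->num <= f->total;
}

/* Responder: a request fragment arrived for a message ID we already
 * answered with the response held in resp. Only fragment 1 may trigger a
 * retransmission of the response; otherwise an N-fragment duplicate request
 * would cause N full retransmissions. Returns fragments resent, 0 if ignored. */
static int
responder_handle_dup_request(struct fragqueue *resp, uint32_t msgid,
    const struct frag *f)
{
	if (!frag_valid(f) || msgid != resp->msgid)
		return 0;
	if (f->num != 1)
		return 0;
	return fragqueue_send(resp);
}

int
main(void)
{
	struct fragqueue resp;
	struct frag f = { 2, 4 };

	fragqueue_init(&resp, 7, 3);
	printf("frag 2/4 -> %d resent\n", responder_handle_dup_request(&resp, 7, &f));
	f.num = 1;
	printf("frag 1/4 -> %d resent\n", responder_handle_dup_request(&resp, 7, &f));
	return 0;
}
```

The responder side deliberately has no timer: in IKEv2 only the initiator retransmits on its own clock, the responder resends a response only when the matching request shows up again, which is exactly why the fragment-1 check matters.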


# 6ff0dc77 01-Dec-2021 deraadt <deraadt@openbsd.org>

whitespace cleanup during review read


# d8ea035b 29-Nov-2021 deraadt <deraadt@openbsd.org>

sys/param.h was included for MAX(), MIN() and roundup(). Make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup().
ok jsg


# 9ce164ed 27-Nov-2021 tobhe <tobhe@openbsd.org>

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# e3f5cf2e 26-Nov-2021 patrick <patrick@openbsd.org>

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@

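The policy-selection problem the e3f5cf2e message describes, as an added illustration written for this page rather than iked's own lookup code: the initiator sends its own identity (IDi) and the identity it expects the responder to present (IDr). A lookup that only matches IDi against a policy's dstid cannot tell two policies apart when both leave dstid unset and differ only in srcid, so the first one always wins; matching IDr against srcid as well lets the peer's expectation pick the policy. The policy table, names and both lookup functions are invented for the example, and the real daemon's policy ordering and flags are not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only the two identity fields matter here; NULL means "not set". */
struct policy {
	const char	*name;
	const char	*srcid;	/* our identity for this policy */
	const char	*dstid;	/* the peer's identity, NULL = any peer */
};

/* Constructed table: two policies that differ only in srcid, plus one
 * that also pins the peer. More specific entries are listed first. */
static const struct policy policies[] = {
	{ "to-partner",  "gw-b.example.com", "partner.example.com" },
	{ "to-branch-a", "gw-a.example.com", NULL },
	{ "to-branch-b", "gw-b.example.com", NULL },
};
#define NPOLICIES (sizeof(policies) / sizeof(policies[0]))

/* An unset policy id matches anything; a set one must compare equal. */
static int
id_matches(const char *configured, const char *received)
{
	if (configured == NULL)
		return 1;
	return received != NULL && strcmp(configured, received) == 0;
}

/* Before the change: only the peer's own id (IDi) is matched, against
 * dstid. Any peer that matches no pinned entry always lands on the first
 * policy with dstid unset, whatever identity it asked us for. */
static const struct policy *
policy_lookup_old(const char *peerid)
{
	size_t i;

	for (i = 0; i < NPOLICIES; i++)
		if (id_matches(policies[i].dstid, peerid))
			return &policies[i];
	return NULL;
}

/* After the change: the identity the peer expects us to have (IDr) is
 * matched against srcid as well, so the peer can select between policies
 * that differ only in srcid. NULL expected_localid means the peer sent no
 * IDr and any srcid is acceptable. */
static const struct policy *
policy_lookup_new(const char *peerid, const char *expected_localid)
{
	size_t i;

	for (i = 0; i < NPOLICIES; i++) {
		if (!id_matches(policies[i].dstid, peerid))
			continue;
		if (expected_localid != NULL &&
		    !id_matches(policies[i].srcid, expected_localid))
			continue;
		return &policies[i];
	}
	return NULL;
}

static const char *
pname(const struct policy *p)
{
	return p == NULL ? "(none)" : p->name;
}

int
main(void)
{
	const char *peer = "client.example.com";

	printf("old lookup, peer wants gw-b: %s\n", pname(policy_lookup_old(peer)));
	printf("new lookup, peer wants gw-b: %s\n",
	    pname(policy_lookup_new(peer, "gw-b.example.com")));
	printf("new lookup, peer wants gw-c: %s\n",
	    pname(policy_lookup_new(peer, "gw-c.example.com")));
	return 0;
}
```

The third case in main shows the flip side of honouring IDr: a peer asking for an identity no policy is configured with now gets no policy at all, instead of silently being handed the first one.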


# 8f4d0788 07-Sep-2021 tobhe <tobhe@openbsd.org>

Fix leak of m if message initialization fails.

ok markus@


# d56261e5 02-Sep-2021 tobhe <tobhe@openbsd.org>

style


# 9ef39cf4 01-Sep-2021 tobhe <tobhe@openbsd.org>

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@



# 52b3354c 29-Oct-2020 tobhe <tobhe@openbsd.org>

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


