Control startup of PROC_CERT and PROC_IKEV2.
Currenly PROC_PARENT sends the configuration to both PROC_CERT and
PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.

However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know
the state of PROC_CERT: PROC_CERT might not have processed the
initial configuration while PROC_IKEV2 already sends requests to
PROC_CERT, causing failed requests, or even crashes (NULL deref of
ca_certs).

In order to make sure that PROC_CERT is ready before
IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol
is changed as follows:

(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed
all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that
IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all
messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has
already processed IMSG_CTL_ACTIVE

from markus@

Pass struct iked directly to ca_reset() instead of passing it via ps

discussed with markus@

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@

Remove unneccessary id == NULL check after dereferencing it. id can never
be NULL here.

Found by tb@

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Fix leak of key.id_buf in pubkey auth case.

from markus

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Move raw pubkey bytes to EVP_PKEY conversion to common function.

ok markus@

Fix asprintf() error check. Portable code should check the return
value for -1, not buf == NULL.

ok tobhe

Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically
allocating a buffer.

ok tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@

The /etc/iked/certs/ directory is used for both local and peer
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.

ok markus@ patrick@

Fix locally stored peer certificates in /etc/iked/certs as documented in
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.

ok patrick@ markus@

whitespace cleanup during review read

Silence unitialized variable warnings.

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().

From Moritz Schmitt
ok patrick@

Free X509_STOREs in ca_shutdown().

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@

Make len unsigned.

ok patrick@

Add check for static id size.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.

ok patrick@

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@

Add optional time-stamp validaten for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Clean up unused parameters.

Clean up unused variables.

Fix return value check for openssl API used during pubkey validation.

Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de>
ok patrick@, markus@, tb@

Make CERT and CERTREQ payloads optional for public key authentication.

When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.

With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.

Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.

This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.

ok and tested by kn@
ok patrick@

Silence ca_validate_pubkey() error message for cert type
IKEV2_CERT_X509_CERT.

Fix length check in ca_getreq().

ok patrick@

Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf
does the same thing.

ok patrick@

branches: 1.60.4;
"could not open public key" is an error and should be log_info.

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@

Always prefer generic signature authentication (RFC 7427) , not just for RSA.

ok markus@

Fix pubkey leak in CA process for ASN1_DN IDs.

ok markus@

Properly handle multiple CERTREQ payloads in CA process. Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.

ok markus@

Log summary of certificates in cert store when iked fails to find a
certificate for the policy's 'srcid'.

ok markus@

Adjust cert type when choosing public key fallback.

ok patrick@

Add ikev2_print_static_id() to print static IDs in log_debug() output.

ok markus@

Make our CERTREQ payload handling less strict. If we can not find a
certificate or key matching the trust anchor sent in the CERTREQ, find
any certificate matching the peers ID or use the own public key.
The CERTRQ contentss should only be interpreted as a hint on what the
peer supports. It may still accept our certificate/key if it does
not match the CERTREQ.

ok markus@

Support multiple x509 extensions and extensions with multiple
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.

ok markus@

If we don't find a certificate signed by a trusted CA
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.

ok patrick@

branches: 1.48.2;
snprintf/vsnprintf return < 0 on error, rather than -1.

update RFC references, from tobias_heider at genua.de, ok claudio@

In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.

ok markus@

Support multiple subjectAltNames by trying each existing until there
is none or until we find one that matches.

ok markus@

Add helpful debug messages to tell us why public key authentication failed.

This is currently only visible in debug mode (eg. iked -dvv), some
debug messages will be turned into regular warnings later.

OK claudio@ deraadt@

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Make sure to free reference to the public key after decoding

From and OK markus@, OK reyk

Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.

OK mikeb@

Sync proc.c, use shorter proc_compose[v]()

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@

unneeded getopt.h

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Specify correct number of iovecs when sending replies to the ikev2 proc

Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>;
patch from Pedro Martelletto, thanks!

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@

ca_x509_serialize: don't leak the bio buffer; ok reyk@

make the ca_pubkey_serialize() code similar to the private key code, and
fixes a leak of the rsa object in the error case. from hshoexer@; ok reyk@

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

pass caller to ca_sslerror for better error messages; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

promote some debug messages to warnings; ok reyk

"If srcid is omitted, the default is to use the hostname of the local
machine." This has been broken when the subjectAltName certificate
check was introduced some time ago. Fix it by obtaining the hostname
source Id in the certificate request code as well.

ok mikeb@

update email addresses to match reality.
sure jsg@ mikeb@

spacing

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Small tweak - add direct pointer to env instead of using an indirect one.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

rename iked_proc* to privsep_proc*. no functional change.

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

promote openssl errors to the warning level; ok reyk

add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
alternative to X.509 CA verification. this will be needed to support public
key authentication like isakmpd does; a few bits are still missing.

When a peer requests a certificate from the local gateway, we first
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.

requested by jsg@

fix the length check for ASN1_ID Ids.

Verify that the subjectAltName extension is present and matches the
peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it
with the certificate subjectName (DN). This prevents the peer from
using an arbitrary peer Id (it is signed by the CA in the cert) and
qualifies the optional pf tag.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

unbreak the ikectl log verbose/brief commands.

tweak the code slightly so we can remove -lssl

ok reyk@

move a bzero of the x509 store context higher up so the
cert validation does something useful.

ok reyk@

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Pass struct iked directly to ca_reset() instead of passing it via ps

discussed with markus@

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@

Remove unneccessary id == NULL check after dereferencing it. id can never
be NULL here.

Found by tb@

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Fix leak of key.id_buf in pubkey auth case.

from markus

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Move raw pubkey bytes to EVP_PKEY conversion to common function.

ok markus@

Fix asprintf() error check. Portable code should check the return
value for -1, not buf == NULL.

ok tobhe

Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically
allocating a buffer.

ok tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@

The /etc/iked/certs/ directory is used for both local and peer
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.

ok markus@ patrick@

Fix locally stored peer certificates in /etc/iked/certs as documented in
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.

ok patrick@ markus@

whitespace cleanup during review read

Silence unitialized variable warnings.

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().

From Moritz Schmitt
ok patrick@

Free X509_STOREs in ca_shutdown().

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@

Make len unsigned.

ok patrick@

Add check for static id size.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.

ok patrick@

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@

Add optional time-stamp validaten for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Clean up unused parameters.

Clean up unused variables.

Fix return value check for openssl API used during pubkey validation.

Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de>
ok patrick@, markus@, tb@

Make CERT and CERTREQ payloads optional for public key authentication.

When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.

With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.

Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.

This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.

ok and tested by kn@
ok patrick@

Silence ca_validate_pubkey() error message for cert type
IKEV2_CERT_X509_CERT.

Fix length check in ca_getreq().

ok patrick@

Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf
does the same thing.

ok patrick@

branches: 1.60.4;
"could not open public key" is an error and should be log_info.

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@

Always prefer generic signature authentication (RFC 7427) , not just for RSA.

ok markus@

Fix pubkey leak in CA process for ASN1_DN IDs.

ok markus@

Properly handle multiple CERTREQ payloads in CA process. Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.

ok markus@

Log summary of certificates in cert store when iked fails to find a
certificate for the policy's 'srcid'.

ok markus@

Adjust cert type when choosing public key fallback.

ok patrick@

Add ikev2_print_static_id() to print static IDs in log_debug() output.

ok markus@

Make our CERTREQ payload handling less strict. If we can not find a
certificate or key matching the trust anchor sent in the CERTREQ, find
any certificate matching the peers ID or use the own public key.
The CERTRQ contentss should only be interpreted as a hint on what the
peer supports. It may still accept our certificate/key if it does
not match the CERTREQ.

ok markus@

Support multiple x509 extensions and extensions with multiple
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.

ok markus@

If we don't find a certificate signed by a trusted CA
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.

ok patrick@

branches: 1.48.2;
snprintf/vsnprintf return < 0 on error, rather than -1.

update RFC references, from tobias_heider at genua.de, ok claudio@

In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.

ok markus@

Support multiple subjectAltNames by trying each existing until there
is none or until we find one that matches.

ok markus@

Add helpful debug messages to tell us why public key authentication failed.

This is currently only visible in debug mode (eg. iked -dvv), some
debug messages will be turned into regular warnings later.

OK claudio@ deraadt@

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Make sure to free reference to the public key after decoding

From and OK markus@, OK reyk

Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.

OK mikeb@

Sync proc.c, use shorter proc_compose[v]()

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@

unneeded getopt.h

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Specify correct number of iovecs when sending replies to the ikev2 proc

Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>;
patch from Pedro Martelletto, thanks!

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@

ca_x509_serialize: don't leak the bio buffer; ok reyk@

make the ca_pubkey_serialize() code similar to the private key code, and
fixes a leak of the rsa object in the error case. from hshoexer@; ok reyk@

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

pass caller to ca_sslerror for better error messages; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

promote some debug messages to warnings; ok reyk

"If srcid is omitted, the default is to use the hostname of the local
machine." This has been broken when the subjectAltName certificate
check was introduced some time ago. Fix it by obtaining the hostname
source Id in the certificate request code as well.

ok mikeb@

update email addresses to match reality.
sure jsg@ mikeb@

spacing

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Small tweak - add direct pointer to env instead of using an indirect one.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

rename iked_proc* to privsep_proc*. no functional change.

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

promote openssl errors to the warning level; ok reyk

add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
alternative to X.509 CA verification. this will be needed to support public
key authentication like isakmpd does; a few bits are still missing.

When a peer requests a certificate from the local gateway, we first
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.

requested by jsg@

fix the length check for ASN1_ID Ids.

Verify that the subjectAltName extension is present and matches the
peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it
with the certificate subjectName (DN). This prevents the peer from
using an arbitrary peer Id (it is signed by the CA in the cert) and
qualifies the optional pf tag.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

unbreak the ikectl log verbose/brief commands.

tweak the code slightly so we can remove -lssl

ok reyk@

move a bzero of the x509 store context higher up so the
cert validation does something useful.

ok reyk@

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@

Remove unneccessary id == NULL check after dereferencing it. id can never
be NULL here.

Found by tb@

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Fix leak of key.id_buf in pubkey auth case.

from markus

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Move raw pubkey bytes to EVP_PKEY conversion to common function.

ok markus@

Fix asprintf() error check. Portable code should check the return
value for -1, not buf == NULL.

ok tobhe

Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically
allocating a buffer.

ok tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@

The /etc/iked/certs/ directory is used for both local and peer
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.

ok markus@ patrick@

Fix locally stored peer certificates in /etc/iked/certs as documented in
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.

ok patrick@ markus@

whitespace cleanup during review read

Silence unitialized variable warnings.

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().

From Moritz Schmitt
ok patrick@

Free X509_STOREs in ca_shutdown().

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@

Make len unsigned.

ok patrick@

Add check for static id size.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.

ok patrick@

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@

Add optional time-stamp validaten for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Clean up unused parameters.

Clean up unused variables.

Fix return value check for openssl API used during pubkey validation.

Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de>
ok patrick@, markus@, tb@

Make CERT and CERTREQ payloads optional for public key authentication.

When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.

With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.

Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.

This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.

ok and tested by kn@
ok patrick@

Silence ca_validate_pubkey() error message for cert type
IKEV2_CERT_X509_CERT.

Fix length check in ca_getreq().

ok patrick@

Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf
does the same thing.

ok patrick@

branches: 1.60.4;
"could not open public key" is an error and should be log_info.

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@

Always prefer generic signature authentication (RFC 7427) , not just for RSA.

ok markus@

Fix pubkey leak in CA process for ASN1_DN IDs.

ok markus@

Properly handle multiple CERTREQ payloads in CA process. Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.

ok markus@

Log summary of certificates in cert store when iked fails to find a
certificate for the policy's 'srcid'.

ok markus@

Adjust cert type when choosing public key fallback.

ok patrick@

Add ikev2_print_static_id() to print static IDs in log_debug() output.

ok markus@

Make our CERTREQ payload handling less strict. If we can not find a
certificate or key matching the trust anchor sent in the CERTREQ, find
any certificate matching the peers ID or use the own public key.
The CERTRQ contentss should only be interpreted as a hint on what the
peer supports. It may still accept our certificate/key if it does
not match the CERTREQ.

ok markus@

Support multiple x509 extensions and extensions with multiple
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.

ok markus@

If we don't find a certificate signed by a trusted CA
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.

ok patrick@

branches: 1.48.2;
snprintf/vsnprintf return < 0 on error, rather than -1.

update RFC references, from tobias_heider at genua.de, ok claudio@

In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.

ok markus@

Support multiple subjectAltNames by trying each existing until there
is none or until we find one that matches.

ok markus@

Add helpful debug messages to tell us why public key authentication failed.

This is currently only visible in debug mode (eg. iked -dvv), some
debug messages will be turned into regular warnings later.

OK claudio@ deraadt@

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Make sure to free reference to the public key after decoding

From and OK markus@, OK reyk

Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.

OK mikeb@

Sync proc.c, use shorter proc_compose[v]()

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@

unneeded getopt.h

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Specify correct number of iovecs when sending replies to the ikev2 proc

Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>;
patch from Pedro Martelletto, thanks!

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@

ca_x509_serialize: don't leak the bio buffer; ok reyk@

make the ca_pubkey_serialize() code similar to the private key code, and
fixes a leak of the rsa object in the error case. from hshoexer@; ok reyk@

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

pass caller to ca_sslerror for better error messages; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

promote some debug messages to warnings; ok reyk

"If srcid is omitted, the default is to use the hostname of the local
machine." This has been broken when the subjectAltName certificate
check was introduced some time ago. Fix it by obtaining the hostname
source Id in the certificate request code as well.

ok mikeb@

update email addresses to match reality.
sure jsg@ mikeb@

spacing

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Small tweak - add direct pointer to env instead of using an indirect one.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

rename iked_proc* to privsep_proc*. no functional change.

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

promote openssl errors to the warning level; ok reyk

add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
alternative to X.509 CA verification. this will be needed to support public
key authentication like isakmpd does; a few bits are still missing.

When a peer requests a certificate from the local gateway, we first
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.

requested by jsg@

fix the length check for ASN1_ID Ids.

Verify that the subjectAltName extension is present and matches the
peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it
with the certificate subjectName (DN). This prevents the peer from
using an arbitrary peer Id (it is signed by the CA in the cert) and
qualifies the optional pf tag.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

unbreak the ikectl log verbose/brief commands.

tweak the code slightly so we can remove -lssl

ok reyk@

move a bzero of the x509 store context higher up so the
cert validation does something useful.

ok reyk@

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@

Remove unneccessary id == NULL check after dereferencing it. id can never
be NULL here.

Found by tb@

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Fix leak of key.id_buf in pubkey auth case.

from markus

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Move raw pubkey bytes to EVP_PKEY conversion to common function.

ok markus@

Fix asprintf() error check. Portable code should check the return
value for -1, not buf == NULL.

ok tobhe

Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically
allocating a buffer.

ok tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@

The /etc/iked/certs/ directory is used for both local and peer
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.

ok markus@ patrick@

Fix locally stored peer certificates in /etc/iked/certs as documented in
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.

ok patrick@ markus@

whitespace cleanup during review read

Silence unitialized variable warnings.

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().

From Moritz Schmitt
ok patrick@

Free X509_STOREs in ca_shutdown().

Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
checks where needed.

ok markus@ patrick@

Make len unsigned.

ok patrick@

Add check for static id size.

ok patrick@

More unused headers.

Remove unused "wait.h" includes.

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@

Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matching
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.

ok patrick@

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@

Add optional time-stamp validaten for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@

Clean up unused parameters.

Clean up unused variables.

Fix return value check for openssl API used during pubkey validation.

Found thanks to bug report by Michael Scheibel <m.Scheibel (at) tuvit (dot) de>
ok patrick@, markus@, tb@

Make CERT and CERTREQ payloads optional for public key authentication.

When using certificate authentication the CERT payload is mandatory and as the
name suggests is used to send a certificate containing a public key used for
the authentication signature.
For pubkey authentication the key is preshared and stored locally, but only
the 'ca' process can read the local keys. The 'ikev2' process had to get the
key from the received CERT payload to verify the authentication signature.
The peer ID + raw key was then forwarded to the 'ca' process which
compared the key against the contents of /etc/iked/pubkey and returned either
CERTVALID or CERTINVALID.

With this change a message containing only the ID may be sent from 'ikev2' to
the 'ca' process if CERT was not included. In this case the CA process will
try to find a local key matching the ID and return it to the 'ikev2' process.
The auth verification happens after the 'ca' process has verified or found a
key and returned it to the 'ikev2' process, eliminating the need for
the CERT payload.

Making CERTREQ optional is easier because we already have a fallback case if
the CERTREQ can not be fulfilled. If no CERTREQ was received we now use this
same fallback.

This should fix public key authentication interoperability with *swan and
other IKEv2 implementations.

ok and tested by kn@
ok patrick@

Silence ca_validate_pubkey() error message for cert type
IKEV2_CERT_X509_CERT.

Fix length check in ca_getreq().

ok patrick@

Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buf
does the same thing.

ok patrick@

branches: 1.60.4;
"could not open public key" is an error and should be log_info.

Only make the type part of the idstring lowercase when looking for certs in
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.

ok markus@

Prevent multiple ibuf leaks. Clean up on proccess shutdown.

ok markus@

Always prefer generic signature authentication (RFC 7427) , not just for RSA.

ok markus@

Fix pubkey leak in CA process for ASN1_DN IDs.

ok markus@

Properly handle multiple CERTREQ payloads in CA process. Only for the
last CERTREQ a mismatch should trigger the fallback case, otherwise the
following CERTREQs are ignored.

ok markus@

Log summary of certificates in cert store when iked fails to find a
certificate for the policy's 'srcid'.

ok markus@

Adjust cert type when choosing public key fallback.

ok patrick@

Add ikev2_print_static_id() to print static IDs in log_debug() output.

ok markus@

Make our CERTREQ payload handling less strict. If we can not find a
certificate or key matching the trust anchor sent in the CERTREQ, find
any certificate matching the peers ID or use the own public key.
The CERTRQ contentss should only be interpreted as a hint on what the
peer supports. It may still accept our certificate/key if it does
not match the CERTREQ.

ok markus@

Support multiple x509 extensions and extensions with multiple
subjectAltName fields. The new parser code is inspired by
tls_check_subject_altname() from libssl.

ok markus@

If we don't find a certificate signed by a trusted CA
with subjectAltName matching srcid, try certificate with
only matching subjectAltName.

ok patrick@

branches: 1.48.2;
snprintf/vsnprintf return < 0 on error, rather than -1.

update RFC references, from tobias_heider at genua.de, ok claudio@

In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This is means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.

ok markus@

Support multiple subjectAltNames by trying each existing until there
is none or until we find one that matches.

ok markus@

Add helpful debug messages to tell us why public key authentication failed.

This is currently only visible in debug mode (eg. iked -dvv), some
debug messages will be turned into regular warnings later.

OK claudio@ deraadt@

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
news modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@

Make sure to free reference to the public key after decoding

From and OK markus@, OK reyk

Fix pledge of the ca process by calling the right function on startup.
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.

OK mikeb@

Sync proc.c, use shorter proc_compose[v]()

iked hereby pledges that it will run with restricted system
operations. This adds pledge(2) too all processes, including the iked
parent process; the existing privsep design has been improved for
better pledgeability. There haven't been any serious problems as it
was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd
passing). The control socket moved to an independent process to
remove some abilities from the cert process.

Committed in agreement with many but nobody was brave enough to OK it.

Better testing will happen with having it in the tree.
"It's the truth" deraadt@
"Let's see what happens" benno@

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@

Fix interoperability with Apple iOS9: If we don't get a (valid)
CERTREQ but a CERT, respond with a local CERT that was selected based
on our own policy instead of leaving it out. This seems to be valid
with the RFC that makes the CERTREQ optional and allows to ignore it
or to apply an own policy.

OK mikeb@ sthen@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@

unneeded getopt.h

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Specify correct number of iovecs when sending replies to the ikev2 proc

Crash reported and fix tested by Vincent Gross <dermiste at kilob ! yt>;
patch from Pedro Martelletto, thanks!

add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok reyk@

make authentication work with X509 certificates that don't have a
subject-altname, i.e. support IKEV2_ID_ASN1_DN correctly;
feedback & ok mikeb@

ca_x509_serialize: don't leak the bio buffer; ok reyk@

make the ca_pubkey_serialize() code similar to the private key code, and
fixes a leak of the rsa object in the error case. from hshoexer@; ok reyk@

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@

basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"'
ok mikeb@

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@

support raw pubkey authentication w/o x509 certificates;
mostly by Michael Cardell Widerkrantz, reyk@ and mikeb@; ok mike@

pass caller to ca_sslerror for better error messages; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

promote some debug messages to warnings; ok reyk

"If srcid is omitted, the default is to use the hostname of the local
machine." This has been broken when the subjectAltName certificate
check was introduced some time ago. Fix it by obtaining the hostname
source Id in the certificate request code as well.

ok mikeb@

update email addresses to match reality.
sure jsg@ mikeb@

spacing

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.

Small tweak - add direct pointer to env instead of using an indirect one.

Move the proc.c-specific runtime state out of struct iked into a sub-struct.
This removes iked-specific stuff from proc.c.

rename iked_proc* to privsep_proc*. no functional change.

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

promote openssl errors to the warning level; ok reyk

add code to lookup the RSA public keys in /etc/iked/pubkeys/ as an
alternative to X.509 CA verification. this will be needed to support public
key authentication like isakmpd does; a few bits are still missing.

When a peer requests a certificate from the local gateway, we first
lookup a cert from /etc/iked/certs/ that is signed by a requested CA.
As a second step we also compare the subjectAltName of any found
certificate now to match the local srcid; this allows to have multiple
certs for the same CA but different srcids in the certs/ directory but
enforces that the subjectAltName has to be set correctly.

requested by jsg@

fix the length check for ASN1_ID Ids.

Verify that the subjectAltName extension is present and matches the
peer Id if the Id type is not ASN1_DN. If it is ASN1_DN, compare it
with the certificate subjectName (DN). This prevents the peer from
using an arbitrary peer Id (it is signed by the CA in the cert) and
qualifies the optional pf tag.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

unbreak the ikectl log verbose/brief commands.

tweak the code slightly so we can remove -lssl

ok reyk@

move a bzero of the x509 store context higher up so the
cert validation does something useful.

ok reyk@

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Remove unneccessary id == NULL check after dereferencing it. id can never
be NULL here.

Found by tb@

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe

Fix leak of key.id_buf in pubkey auth case.

from markus

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@

Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

Free objects that were dynamically allocated in libcrypto with OPENSSL_free().
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.

Report and initial fix by dropk1ck (gh #92)
ok tb@

Support sending certificate chains with intermediate CAs in multiple CERT
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.

from Katsuhiro Ueno
tested by and ok sthen@

Move raw pubkey bytes to EVP_PKEY conversion to common function.

ok markus@

Fix asprintf() error check. Portable code should check the return
value for -1, not buf == NULL.

ok tobhe

Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamically
allocating a buffer.

ok tobhe

Cleanup libcrypto memory management. Remove redundant NULL checks
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.

Feedback and ok tb@

The /etc/iked/certs/ directory is used for both local and peer
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.

ok markus@ patrick@

Fix locally stored peer certificates in /etc/iked/certs as documented in
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.

ok patrick@ markus@

whitespace cleanup during review read

Silence unitialized variable warnings.

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().

From Moritz Schmitt
ok patrick@