1.70 | 15-Feb-2024 | tobhe
Introduce new IMSG_CTL_PROCREADY which is used to signal that all pipes are set up by child processes. The parent sends a ping to all children and only starts once it has received an acknowledgement from all of them. This fixes a race condition on process startup when the parent starts running before all children are ready.
From markus@

1.69 | 15-Feb-2024 | tobhe
Remove unused control_socks queue.
from markus@

1.68 | 13-Feb-2024 | tobhe
Control startup of PROC_CERT and PROC_IKEV2. Currently PROC_PARENT sends the configuration to both PROC_CERT and PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know the state of PROC_CERT: PROC_CERT might not have processed the initial configuration while PROC_IKEV2 already sends requests to PROC_CERT, causing failed requests, or even crashes (NULL deref of ca_certs).
In order to make sure that PROC_CERT is ready before IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol is changed as follows:
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has already processed IMSG_CTL_ACTIVE
from markus@

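The r1.68 entry above describes a startup ordering problem between privsep processes. The following simulation is an added illustration and not iked's code: the three processes are modelled as objects, each (sender, receiver) pair gets its own FIFO queue standing in for an imsg pipe, and the receiver may service any of its pipes. The scheduler is deliberately adversarial (PROC_IKEV2 runs whenever it can, and PROC_CERT polls the pipe from PROC_IKEV2 before the one from the parent), which is the interleaving that lets a cert request arrive before the configuration under the old order. The message names, the `failed_requests` counter standing in for the NULL dereference of `ca_certs`, and the constructed CA payload are assumptions of this model.

```python
"""Model of the PROC_CERT / PROC_IKEV2 startup ordering from the r1.68 log
entry.  Added illustration only, not iked's own code."""
from collections import deque

CONFIG, CTL_ACTIVE, CERT_REQUEST = "config", "IMSG_CTL_ACTIVE", "cert_request"
PARENT, CERT, IKEV2 = "PROC_PARENT", "PROC_CERT", "PROC_IKEV2"


class Proc:
    def __init__(self, name, world):
        self.name, self.world = name, world
        self.pipes = {}            # sender name -> FIFO of (msg, payload); one per imsg pipe
        self.ca_certs = None       # cert process' CA store, unset until CONFIG is processed
        self.active = False
        self.failed_requests = 0   # requests serviced before CONFIG (the "NULL deref" case)

    def send(self, dst, msg, payload=None):
        dst.pipes.setdefault(self.name, deque()).append((msg, payload))

    def handle_one(self, prefer):
        """Service one pending message; `prefer` is the order in which the
        pipes are polled.  Returns False when nothing was pending."""
        for src in prefer:
            q = self.pipes.get(src)
            if q:
                msg, payload = q.popleft()
                self.world.dispatch(self, src, msg, payload)
                return True
        return False


class World:
    def __init__(self, wait_for_cert_ack):
        self.wait_for_cert_ack = wait_for_cert_ack
        self.parent, self.cert, self.ikev2 = (Proc(n, self) for n in (PARENT, CERT, IKEV2))

    def dispatch(self, p, src, msg, payload):
        if p is self.cert:
            if msg == CONFIG:
                p.ca_certs = payload
            elif msg == CTL_ACTIVE:
                p.active = True
                p.send(self.parent, CTL_ACTIVE)          # step (3): ack by echoing it back
            elif msg == CERT_REQUEST and p.ca_certs is None:
                p.failed_requests += 1                   # request hit an unconfigured cert process
        elif p is self.ikev2:
            if msg == CTL_ACTIVE:
                p.active = True
                p.send(self.cert, CERT_REQUEST)          # ikev2 talks to cert as soon as it is active
        elif p is self.parent and src == CERT and msg == CTL_ACTIVE:
            p.send(self.ikev2, CTL_ACTIVE)               # step (5): cert is known to be ready

    def startup(self):
        # step (1): configuration goes to both children on the parent's pipes
        self.parent.send(self.cert, CONFIG, ["constructed-ca-cert"])
        self.parent.send(self.ikev2, CONFIG, None)
        if self.wait_for_cert_ack:
            self.parent.send(self.cert, CTL_ACTIVE)      # step (2); ikev2 is activated on the ack
        else:
            self.parent.send(self.ikev2, CTL_ACTIVE)     # old order: activate ikev2 straight away
        self.run()
        return self.cert.failed_requests

    def run(self):
        # Adversarial scheduling: ikev2 runs whenever it can, and cert polls the
        # pipe from ikev2 before the pipe from the parent.
        while (self.ikev2.handle_one([PARENT, CERT])
               or self.cert.handle_one([IKEV2, PARENT])
               or self.parent.handle_one([CERT, IKEV2])):
            pass


def failed_cert_requests(wait_for_cert_ack):
    """Run one startup and return how many cert requests arrived too early."""
    return World(wait_for_cert_ack).startup()


if __name__ == "__main__":
    print("old startup order, failed requests:", failed_cert_requests(False))  # 1
    print("new startup order, failed requests:", failed_cert_requests(True))   # 0
```

The per-pipe FIFO is what makes step (5) sound: IMSG_CTL_ACTIVE travels on the same parent-to-ikev2 pipe as the configuration, so it cannot overtake it, while the ack in step (3) proves that the cert process has drained its own parent pipe. The r1.70 IMSG_CTL_PROCREADY ping/ack applies the same wait-for-acknowledgement idea to every child before the parent starts.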
1.67 | 15-Jan-2024 | tobhe
Include cert_partial_chain in iked_static instead of sending a separate message.
from markus@

Revision tags: OPENBSD_7_4_BASE

1.66 | 28-Jun-2023 | gerhard
Don't call daemon() after proc_init(), otherwise the child processes would lose their parent.
ok tobhe@

1.65 | 25-Jun-2023 | op
remove ca_sslinit()
it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything.
spotted by tb, ok tb tobhe

Revision tags: OPENBSD_7_3_BASE

1.64 | 05-Mar-2023 | tobhe
Fix clean process shutdown by storing env globally like vmd and httpd do instead of getting it from p_ps. The old approach does not work anymore after the recent fork + exec update.
ok patrick@

1.63 | 04-Mar-2023 | tobhe
Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector.
ok bluhm@ patrick@

Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE

1.62 | 01-Dec-2021 | deraadt
whitespace cleanup during review read

1.61 | 29-Nov-2021 | jmc
add -V to usage(), and list it before -v in both SYNOPSIS and the options list;

1.60 | 29-Nov-2021 | tobhe
Add command line option to show the version
ok patrick@

1.59 | 25-Nov-2021 | tobhe
Silence uninitialized variable warnings.

Revision tags: OPENBSD_7_0_BASE

1.58 | 01-Sep-2021 | tobhe
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@

1.57 | 13-May-2021 | tobhe
Refactor iked process shutdown and cleanup. Remember configured addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup.
This makes sure that all flows, routes and addresses are deleted no matter which process is killed first.
ok patrick@

Revision tags: OPENBSD_6_9_BASE

1.56 | 03-Mar-2021 | tobhe
Free sc_vroute on shutdown.

1.55 | 22-Feb-2021 | tobhe
Don't pass 'id' as argument to make function signature match similar functions. config_setpfkey() is always called with id PROC_IKEV2.

1.54 | 13-Feb-2021 | tobhe
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@

1.53 | 08-Feb-2021 | tobhe
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@

1.52 | 17-Dec-2020 | tobhe
Use strtonum() instead of atoi() to parse port option.

1.51 | 17-Dec-2020 | tobhe
Sort command line options.
ok bluhm@

1.50 | 20-Nov-2020 | jmc
add -s to synopsis and usage; -S before -s in options list;

1.49 | 20-Nov-2020 | tobhe
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@

Revision tags: OPENBSD_6_8_BASE

1.48 | 23-Sep-2020 | tobhe
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@

1.47 | 24-Aug-2020 | tobhe
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@

1.46 | 23-Aug-2020 | tobhe
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@

1.45 | 23-Aug-2020 | tobhe
Rename natt_mode to sc_nattmode for consistency.

1.44 | 21-Aug-2020 | tobhe
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@

Revision tags: OPENBSD_6_7_BASE

1.43 | 09-Apr-2020 | tobhe
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@

1.42 | 03-Apr-2020 | tobhe
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@

1.41 | 16-Jan-2020 | tobhe
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@

1.40 | 15-Jan-2020 | sthen
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed).

1.39 | 14-Jan-2020 | tobhe
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@

1.38 | 30-Nov-2019 | tobhe
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@

Revision tags: OPENBSD_6_6_BASE

1.37 | 11-May-2019 | patrick
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@

Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE

1.36 | 27-Nov-2017 | patrick
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful

1.35 | 08-Nov-2017 | patrick
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@

Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE

1.34 | 23-Mar-2017 | jsg
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@

1.33 | 09-Jan-2017 | reyk
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

1.32 | 03-Jan-2017 | reyk
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@

1.31 | 04-Sep-2016 | reyk
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@

Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE

1.30 | 07-Dec-2015 | reyk
Sync proc.c, use shorter proc_compose[v]()

1.29 | 22-Nov-2015 | reyk
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@

1.28 | 22-Oct-2015 | reyk
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@

1.27 | 19-Oct-2015 | reyk
Remove the ikev1 stub. Since I started iked, it has had an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day (I never intended to implement IKEv1 myself) or add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@

1.26 | 15-Oct-2015 | mmcc
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@

1.25 | 21-Aug-2015 | reyk
Switch iked to C99-style fixed-width integer types.
OK mikeb@

Revision tags: OPENBSD_5_8_BASE

1.24 | 03-Jun-2015 | millert
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@

Revision tags: OPENBSD_5_7_BASE

1.23 | 16-Jan-2015 | deraadt
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)

1.22 | 18-Aug-2014 | reyk
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@

Revision tags: OPENBSD_5_6_BASE

1.21 | 08-May-2014 | blambert
match iked proc.c infrastructure with proc.c
ok reyk@

1.20 | 22-Apr-2014 | reyk
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@

Revision tags: OPENBSD_5_5_BASE

1.19 | 17-Feb-2014 | markus
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@

1.18 | 24-Oct-2013 | deraadt
no need for netinet/ip_var.h (and friends)

Revision tags: OPENBSD_5_4_BASE

1.17 | 21-Mar-2013 | deraadt
remove excessive includes

Revision tags: OPENBSD_5_3_BASE

1.16 | 08-Jan-2013 | reyk
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".

1.15 | 15-Dec-2012 | reyk
Don't print an error if the process exited normally.

1.14 | 29-Nov-2012 | reyk
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@

1.13 | 22-Oct-2012 | reyk
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@

1.12 | 18-Sep-2012 | reyk
update email addresses to match reality. sure jsg@ mikeb@

Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE

1.11 | 09-May-2011 | reyk
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what I did for relayd but does not include the multi-instance handling, so no functional change.

1.10 | 05-May-2011 | reyk
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.

1.9 | 05-May-2011 | reyk
rename iked_proc* to privsep_proc*. no functional change.

Revision tags: OPENBSD_4_9_BASE

1.8 | 21-Jan-2011 | reyk
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@

1.7 | 17-Nov-2010 | ckuethe
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@

Revision tags: OPENBSD_4_8_BASE

1.6 | 24-Jun-2010 | reyk
unbreak the ikectl log verbose/brief commands.

1.5 | 10-Jun-2010 | reyk
update usage()

1.4 | 10-Jun-2010 | reyk
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.

1.3 | 10-Jun-2010 | reyk
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.

1.2 | 07-Jun-2010 | jmc
various small tweaks; ok reyk

1.1 | 03-Jun-2010 | reyk
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
#
1.68 |
|
13-Feb-2024 |
tobhe |
Control startup of PROC_CERT and PROC_IKEV2. Currenly PROC_PARENT sends the configuration to both PROC_CERT and PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know the state of PROC_CERT: PROC_CERT might not have processed the initial configuration while PROC_IKEV2 already sends requests to PROC_CERT, causing failed requests, or even crashes (NULL deref of ca_certs).
In order to make sure that PROC_CERT is ready before IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol is changed as follows:
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2 (2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT (3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT (4) PROC_PARENT now knows that PROC_CERT is ready and has processed all messages from step (1) (5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all messages from step (1) (6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has already processed IMSG_CTL_ACTIVE
from markus@
|
#
1.67 |
|
15-Jan-2024 |
tobhe |
Include cert_partial_chain in iked_static instead of sending a separate message.
from markus@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.66 |
|
28-Jun-2023 |
gerhard |
Don't call daemon() after proc_init(), otherwise the child processes would lose their parent.
ok tobhe@
|
#
1.65 |
|
25-Jun-2023 |
op |
remove ca_sslinit()
it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything.
spotted by tb, ok tb tobhe
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.64 |
|
05-Mar-2023 |
tobhe |
Fix clean process shutdown by storing env globally like vmd and httpd do instead of getting it from p_ps. The old approach does not work anymore after the recent fork + exec update.
ok patrick@
|
#
1.63 |
|
04-Mar-2023 |
tobhe |
Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector.
ok bluhm@ patrick@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.62 |
|
01-Dec-2021 |
deraadt |
whitespace cleanup during review read
|
#
1.61 |
|
29-Nov-2021 |
jmc |
add -V to usage(), and list it before -v in both SYNOPSIS and the options list;
|
#
1.60 |
|
29-Nov-2021 |
tobhe |
Add command line option to show the version
ok patrick@
|
#
1.59 |
|
25-Nov-2021 |
tobhe |
Silence unitialized variable warnings.
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.58 |
|
01-Sep-2021 |
tobhe |
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
|
#
1.57 |
|
13-May-2021 |
tobhe |
Refactor iked process shutdown and cleanup. Remember configured addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup.
This makes sure that all flows, routes and addresses are deleted no matter which process is killed first.
ok patrick@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.56 |
|
03-Mar-2021 |
tobhe |
Free sc_vroute on shutdown.
|
#
1.55 |
|
22-Feb-2021 |
tobhe |
Don't pass 'id' as argument to make function signature match similar functions. config_setpfkey() is always called with id PROC_IKEV2.
|
#
1.54 |
|
13-Feb-2021 |
tobhe |
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.62 |
|
01-Dec-2021 |
deraadt |
whitespace cleanup during review read
|
#
1.61 |
|
29-Nov-2021 |
jmc |
add -V to usage(), and list it before -v in both SYNOPSIS and the options list;
|
#
1.60 |
|
29-Nov-2021 |
tobhe |
Add command line option to show the version
ok patrick@
|
#
1.59 |
|
25-Nov-2021 |
tobhe |
Silence unitialized variable warnings.
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.58 |
|
01-Sep-2021 |
tobhe |
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
|
#
1.57 |
|
13-May-2021 |
tobhe |
Refactor iked process shutdown and cleanup. Remember configured addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup.
This makes sure that all flows, routes and addresses are deleted no matter which process is killed first.
ok patrick@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.56 |
|
03-Mar-2021 |
tobhe |
Free sc_vroute on shutdown.
|
#
1.55 |
|
22-Feb-2021 |
tobhe |
Don't pass 'id' as argument to make function signature match similar functions. config_setpfkey() is always called with id PROC_IKEV2.
|
#
1.54 |
|
13-Feb-2021 |
tobhe |
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.61 |
|
29-Nov-2021 |
jmc |
add -V to usage(), and list it before -v in both SYNOPSIS and the options list;
|
#
1.60 |
|
29-Nov-2021 |
tobhe |
Add command line option to show the version
ok patrick@
|
#
1.59 |
|
25-Nov-2021 |
tobhe |
Silence unitialized variable warnings.
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.58 |
|
01-Sep-2021 |
tobhe |
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
|
#
1.57 |
|
13-May-2021 |
tobhe |
Refactor iked process shutdown and cleanup. Remember configured addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup.
This makes sure that all flows, routes and addresses are deleted no matter which process is killed first.
ok patrick@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.56 |
|
03-Mar-2021 |
tobhe |
Free sc_vroute on shutdown.
|
#
1.55 |
|
22-Feb-2021 |
tobhe |
Don't pass 'id' as argument to make function signature match similar functions. config_setpfkey() is always called with id PROC_IKEV2.
|
#
1.54 |
|
13-Feb-2021 |
tobhe |
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default, so if this flag was used, it can happily be removed).
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.59 |
|
25-Nov-2021 |
tobhe |
Silence uninitialized variable warnings.
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.58 |
|
01-Sep-2021 |
tobhe |
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@
|
#
1.57 |
|
13-May-2021 |
tobhe |
Refactor iked process shutdown and cleanup. Remember configured addresses and routes in iked_vroute_sc to not depend on ikev2 process for cleanup.
This makes sure that all flows, routes and addresses are deleted no matter which process is killed first.
ok patrick@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.56 |
|
03-Mar-2021 |
tobhe |
Free sc_vroute on shutdown.
|
#
1.55 |
|
22-Feb-2021 |
tobhe |
Don't pass 'id' as argument to make function signature match similar functions. config_setpfkey() is always called with id PROC_IKEV2.
|
#
1.54 |
|
13-Feb-2021 |
tobhe |
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
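As an added illustration of the last-matching policy evaluation and PF-style skip steps described in the 1.8 entry (example code written here, not iked's policy.c or pf's skip step code): the two-field policy (address family plus IPv4 peer prefix), the struct and function names and the sample table are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified policy: two match fields plus a "quick" flag. */
struct policy {
	int		 af;		/* 4 or 6 */
	uint32_t	 peer;		/* IPv4 peer network, host byte order */
	int		 peer_plen;	/* prefix length, 0 = any peer */
	int		 quick;		/* first match wins, like "quick" */
	const char	*name;
	int		 skip[2];	/* filled in by policy_calc_skips() */
};

enum { SKIP_AF, SKIP_PEER };

static uint32_t
ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	    ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t
prefmask(int plen)
{
	return plen == 0 ? 0 : (uint32_t)(0xffffffffU << (32 - plen));
}

static int
same_peer(const struct policy *a, const struct policy *b)
{
	return a->peer_plen == b->peer_plen &&
	    ((a->peer ^ b->peer) & prefmask(a->peer_plen)) == 0;
}

/*
 * Skip steps: for every rule and every field, remember the index of the next
 * rule whose value for that field differs. A run of consecutive rules sharing
 * a value is then skipped with one jump when that value does not match.
 * Computed once when the policies are loaded (the small load-time cost).
 */
void
policy_calc_skips(struct policy *p, int n)
{
	int i, j;

	for (i = 0; i < n; i++) {
		for (j = i + 1; j < n && p[j].af == p[i].af; j++)
			;
		p[i].skip[SKIP_AF] = j;
		for (j = i + 1; j < n && same_peer(&p[j], &p[i]); j++)
			;
		p[i].skip[SKIP_PEER] = j;
	}
}

/*
 * Last matching policy wins; a "quick" policy stops at the first match.
 * Returns the index of the winning policy or -1; *steps counts how many
 * rules were actually examined, which shows what the skip steps save.
 */
int
policy_lookup(const struct policy *p, int n, int af, uint32_t peer, int *steps)
{
	int i = 0, match = -1, count = 0;

	while (i < n) {
		count++;
		if (p[i].af != af) {
			i = p[i].skip[SKIP_AF];
			continue;
		}
		if (p[i].peer_plen != 0 &&
		    ((peer ^ p[i].peer) & prefmask(p[i].peer_plen)) != 0) {
			i = p[i].skip[SKIP_PEER];
			continue;
		}
		match = i;
		if (p[i].quick)
			break;
		i++;
	}
	if (steps != NULL)
		*steps = count;
	return match;
}

/* Constructed sample table; note the runs of equal af and equal peer values. */
static struct policy sample[] = {
	{ 4, 0,          0,  0, "v4-any",           { 0, 0 } },
	{ 4, 0x0a000000, 8,  0, "v4-10/8",          { 0, 0 } }, /* 10.0.0.0/8 */
	{ 4, 0x0a000000, 8,  0, "v4-10/8-b",        { 0, 0 } },
	{ 4, 0x0a010000, 16, 1, "v4-10.1/16-quick", { 0, 0 } }, /* 10.1.0.0/16 */
	{ 4, 0x0a010000, 16, 0, "v4-10.1/16-last",  { 0, 0 } },
	{ 6, 0,          0,  0, "v6-any",           { 0, 0 } },
};
#define SAMPLE_N ((int)(sizeof(sample) / sizeof(sample[0])))

int
main(void)
{
	int idx, steps;

	policy_calc_skips(sample, SAMPLE_N);
	idx = policy_lookup(sample, SAMPLE_N, 4, ip4(192, 168, 1, 1), &steps);
	printf("192.168.1.1 -> %s (%d of %d rules examined)\n",
	    idx < 0 ? "none" : sample[idx].name, steps, SAMPLE_N);
	idx = policy_lookup(sample, SAMPLE_N, 4, ip4(10, 1, 2, 3), &steps);
	printf("10.1.2.3 -> %s (%d of %d rules examined)\n",
	    idx < 0 ? "none" : sample[idx].name, steps, SAMPLE_N);
	return 0;
}
```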
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows configuring the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default, so if this flag was used, it can happily be removed).
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Fewer differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what I did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.54 |
|
13-Feb-2021 |
tobhe |
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.53 |
|
08-Feb-2021 |
tobhe |
Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Fewer differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.52 |
|
17-Dec-2020 |
tobhe |
Use strtonum() instead of atoi() to parse port option.
|
#
1.51 |
|
17-Dec-2020 |
tobhe |
Sort command line options.
ok bluhm@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.50 |
|
20-Nov-2020 |
jmc |
add -s to synopsis and usage; -S before -s in options list;
|
#
1.49 |
|
20-Nov-2020 |
tobhe |
Add -s socket option to specify control socket. This can be useful if multiple iked instances running in different rdomains are used.
ok patrick@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.48 |
|
23-Sep-2020 |
tobhe |
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@
|
#
1.47 |
|
24-Aug-2020 |
tobhe |
Reduce the amount of boilerplate code and imsgs for config options by grouping fixed-size values in 'struct iked_static' which is sent in a single message.
ok patrick@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default, so if this flag was used, it can happily be removed).
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Fewer differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what I did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
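The last-matching evaluation with skip steps described in the 1.8 commit above, as an added illustration that is not iked's policy.c: a simplified C model in which policies match on three constructed IPv4 prefix fields (peer, src, dst), the "quick" keyword stops evaluation at the first match, and PF-style skip steps let the lookup jump past a whole run of consecutive policies that share the field value that just failed to match. The policy table, the field set and the function names are assumptions made for this example; iked's real policies carry more fields and its "skip" keyword is not modelled here.

```c
/*
 * Added example (not iked's policy.c): last-match policy evaluation with
 * a "quick" keyword and pf(4)-style skip steps.  Fields, names and the
 * sample policy table are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
	 ((uint32_t)(c) << 8) | (uint32_t)(d))
/* Netmask for a prefix length; a length of 0 means "any". */
#define PLEN(bits) ((bits) == 0 ? 0u : (0xffffffffu << (32 - (bits))))

enum { SKIP_PEER, SKIP_SRC, SKIP_DST, SKIP_COUNT };

struct prefix { uint32_t addr; uint32_t mask; };

struct policy {
	const char	*name;
	struct prefix	 peer, src, dst;
	int		 quick;		   /* first match wins, like "quick" */
	int		 skip[SKIP_COUNT]; /* next policy whose field differs */
};

/* Constructed sample table in iked.conf order: the last match wins. */
static struct policy policies[] = {
	{ "default", { 0, 0 }, { 0, 0 }, { 0, 0 }, 0, { 0 } },
	{ "branch", { IP4(203,0,113,0), PLEN(24) }, { IP4(10,0,0,0), PLEN(8) },
	    { IP4(192,168,0,0), PLEN(16) }, 0, { 0 } },
	{ "branch-quick", { IP4(203,0,113,0), PLEN(24) }, { IP4(10,1,0,0), PLEN(16) },
	    { IP4(192,168,0,0), PLEN(16) }, 1, { 0 } },
	{ "branch-sub", { IP4(203,0,113,0), PLEN(24) }, { IP4(10,2,0,0), PLEN(16) },
	    { IP4(192,168,0,0), PLEN(16) }, 0, { 0 } },
	{ "partner", { IP4(198,51,100,7), PLEN(32) }, { 0, 0 }, { 0, 0 }, 0, { 0 } },
};
#define NPOLICIES ((int)(sizeof(policies) / sizeof(policies[0])))

static int
prefix_match(const struct prefix *p, uint32_t ip)
{
	return (ip & p->mask) == (p->addr & p->mask);
}

static int
prefix_equal(const struct prefix *a, const struct prefix *b)
{
	return a->mask == b->mask && (a->addr & a->mask) == (b->addr & b->mask);
}

static const struct prefix *
policy_field(const struct policy *p, int field)
{
	switch (field) {
	case SKIP_PEER: return &p->peer;
	case SKIP_SRC: return &p->src;
	default: return &p->dst;
	}
}

/*
 * Skip steps: for every field, each run of consecutive policies with the
 * same value points at the first policy after the run.  If that field
 * does not match one policy of the run, it cannot match any of them.
 */
void
policies_init(void)
{
	int field, i, j;

	for (field = 0; field < SKIP_COUNT; field++) {
		for (i = 0; i < NPOLICIES; ) {
			for (j = i + 1; j < NPOLICIES &&
			    prefix_equal(policy_field(&policies[i], field),
			    policy_field(&policies[j], field)); j++)
				;
			for (; i < j; i++)
				policies[i].skip[field] = j;
		}
	}
}

int
policy_skip(int idx, int field)
{
	return policies[idx].skip[field];
}

/* Last-match evaluation; "quick" stops at the first match.  Returns the index. */
static int
policy_lookup(uint32_t peer, uint32_t src, uint32_t dst)
{
	static int initialized;
	int i = 0, last = -1;

	if (!initialized) {
		policies_init();
		initialized = 1;
	}
	while (i < NPOLICIES) {
		const struct policy *p = &policies[i];

		if (!prefix_match(&p->peer, peer)) { i = p->skip[SKIP_PEER]; continue; }
		if (!prefix_match(&p->src, src)) { i = p->skip[SKIP_SRC]; continue; }
		if (!prefix_match(&p->dst, dst)) { i = p->skip[SKIP_DST]; continue; }
		last = i;		/* remember it, but keep going: last match wins */
		if (p->quick)
			break;
		i++;
	}
	return last;
}

const char *
match_policy(uint32_t peer, uint32_t src, uint32_t dst)
{
	int i = policy_lookup(peer, src, dst);

	return i < 0 ? NULL : policies[i].name;
}

int
main(void)
{
	printf("%s\n", match_policy(IP4(203,0,113,5), IP4(10,1,2,3), IP4(192,168,1,1)));
	printf("%s\n", match_policy(IP4(203,0,113,5), IP4(10,2,1,1), IP4(192,168,1,1)));
	return 0;
}
```

With this table a peer in 203.0.113.0/24 with source 10.1.2.3 stops at "branch-quick" even though "branch" matched earlier, while a source in 10.2.0.0/16 falls through to the later "branch-sub"; a peer outside both prefixes jumps straight from policy 1 to policy 4 via the peer skip step instead of testing policies 2 and 3.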
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.46 |
|
23-Aug-2020 |
tobhe |
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@
|
#
1.45 |
|
23-Aug-2020 |
tobhe |
Rename natt_mode to sc_nattmode for consistency.
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.44 |
|
21-Aug-2020 |
tobhe |
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP url from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.43 |
|
09-Apr-2020 |
tobhe |
Simplify socket creation logic. Normally iked needs two sockets, one for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default, so if this flag was used, it can happily be removed).
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork unneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) to all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (e.g. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.42 |
|
03-Apr-2020 |
tobhe |
Port set in 'sin_port' should be htons() not ntohs().
Found by Wataru Ashihara <wsh (at) iij (dot) ad (dot) jp> ok patrick@
|
#
1.41 |
|
16-Jan-2020 |
tobhe |
Add '-p' command line option which allows to configure the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
#
1.40 |
|
15-Jan-2020 |
sthen |
s/deprecated/ignored/ in the warning message if -6 is used; the option is ignored (the behaviour previously behind -6 is now the default so if this flag was used, it can happily be removed.
|
#
1.39 |
|
14-Jan-2020 |
tobhe |
Remove IPsec flow blocking unencrypted IPv6 traffic which was meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
|
#
1.38 |
|
30-Nov-2019 |
tobhe |
The message sent in config_setmode starts the handshake in the ikev2 process and thus must be sent last.
ok reyk@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.37 |
|
11-May-2019 |
patrick |
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@
|
Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|
#
1.36 |
|
27-Nov-2017 |
patrick |
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful
|
#
1.35 |
|
08-Nov-2017 |
patrick |
Do not accept superfluous arguments.
From Klemens Nanni.
ok markus@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.34 |
|
23-Mar-2017 |
jsg |
set ps_noaction to not fork uneeded children when checking config with -n
ok mikeb@ reyk@
|
#
1.33 |
|
09-Jan-2017 |
reyk |
Stop accessing verbose and debug variables from log.c directly.
This replaces log_verbose() and "extern int verbose" with the two functions log_setverbose() and log_getverbose().
Pointed out by benno@ OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
#
1.32 |
|
03-Jan-2017 |
reyk |
Fix pledge of the ca process by calling the right function on startup. As a related change, load the local.pub and local.key keys after privsep and reload them on SIGHUP/reload.
OK mikeb@
|
#
1.31 |
|
04-Sep-2016 |
reyk |
Forward IMSG_CTL_VERBOSE via the parent; this fixes a crash when doing "ikectl log verbose" and keeps the control process separated from the cert process.
Thanks for the bug report to Wouter Clarie
OK vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.30 |
|
07-Dec-2015 |
reyk |
Sync proc.c, use shorter proc_compose[v]()
|
#
1.29 |
|
22-Nov-2015 |
reyk |
Update log.c: change fatal() and fatalx() into variadic functions, include the process name, and replace all calls of fatal*(NULL) with fatal(__func__) for better debugging.
OK benno@
|
#
1.28 |
|
22-Oct-2015 |
reyk |
iked hereby pledges that it will run with restricted system operations. This adds pledge(2) too all processes, including the iked parent process; the existing privsep design has been improved for better pledgeability. There haven't been any serious problems as it was already sane (eg. by receiving the PFKEYv2 and UDP sockets via fd passing). The control socket moved to an independent process to remove some abilities from the cert process.
Committed in agreement with many but nobody was brave enough to OK it.
Better testing will happen with having it in the tree. "It's the truth" deraadt@ "Let's see what happens" benno@
|
#
1.27 |
|
19-Oct-2015 |
reyk |
Remove the ikev1 stub - Since I started iked, it has an empty privsep process for ISAKMP+IKEv1. I kept it to let somebody either contribute the old protocol one day, I never intended to implement IKEv1 myself, or to add a new kind of pipe to isakmpd to hand off IKEv1 messages. As IKEv2 is widely supported by all major OS and networking vendors now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
#
1.26 |
|
15-Oct-2015 |
mmcc |
Remove some unnecessary NULL-checks before free(). Change two bzero() calls on pf data to explicit_bzero().
ok mikeb@
|
#
1.25 |
|
21-Aug-2015 |
reyk |
Switch iked to C99-style fixed-width integer types.
OK mikeb@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.24 |
|
03-Jun-2015 |
millert |
Do not assume that asprintf() clears the pointer on failure, which is non-portable. Also add missing asprintf() return value checks. OK deraadt@ guenther@ doug@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.23 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.22 |
|
18-Aug-2014 |
reyk |
Sync proc.c with httpd. httpd needs SIGUSR1 but iked will ignore it now instead of terminating the process.
ok mikeb@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.21 |
|
08-May-2014 |
blambert |
match iked proc.c infrastructure with proc.c
ok reyk@
|
#
1.20 |
|
22-Apr-2014 |
reyk |
Update iked to use the same proc.c that relayd uses. Less differences, less code to audit.
ok mikeb@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.19 |
|
17-Feb-2014 |
markus |
basic OCSP support. enable with 'set ocsp "http://10.0.0.10:8888/"' ok mikeb@
|
#
1.18 |
|
24-Oct-2013 |
deraadt |
no need for netinet/ip_var.h (and friends)
|
Revision tags: OPENBSD_5_4_BASE
|
#
1.17 |
|
21-Mar-2013 |
deraadt |
remove excessive includes
|
Revision tags: OPENBSD_5_3_BASE
|
#
1.16 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.15 |
|
15-Dec-2012 |
reyk |
Don't print an error if the process exited normally.
|
#
1.14 |
|
29-Nov-2012 |
reyk |
Prevent VPN traffic leakages in dual-stack hosts/networks. See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to ::/0 type deny" unless the protocol is used in any of the flows. Note that this will block any IPv6 traffic, superseding routes and pf, on the host by default when iked is running with IPv4 flows only. This auto-blocking feature can be disabled by specifying the "-6" command line flag to iked.
Thanks to Fernando Gont.
ok mikeb@
|
#
1.13 |
|
22-Oct-2012 |
reyk |
Fix NAT-T support in iked, both on the initiator and the responder side. Also add a new command line option -t to optionally enforce NAT-T with UDP encapsulation on port 4500.
Tested by mikeb@ and me ok mikeb@
|
#
1.12 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.11 |
|
09-May-2011 |
reyk |
rename functions in proc.c to proc_* and move some code from imsg_util.c to proc.c. this is the first sync to what i did for relayd but does not include the multi-instance handling - so no functional change.
|
#
1.10 |
|
05-May-2011 |
reyk |
Move the proc.c-specific runtime state out of struct iked into a sub-struct. This removes iked-specific stuff from proc.c.
|
#
1.9 |
|
05-May-2011 |
reyk |
rename iked_proc* to privsep_proc*. no functional change.
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.8 |
|
21-Jan-2011 |
reyk |
Reimplement the iked(8) policy evaluation for incoming connections to use the last matching semantics of PF. The previous rbtree-based implementation was broken and tried to do a longest prefix match. But instead of prefix match and using radix-trees to fix it I decided with mikeb@ to implement it as last matching policy evaluation. The last matching policy wins; the "quick" keyword can enforce first matching; additional keywords like "skip" are specific to iked(8). See iked.conf(5) for more details.
The implementation also uses skip steps based on PF's code. It significantly speeds up the evaluation of many policies but also adds a little delay when loading them (only noticeable with thousands of policies). This allows iked(8) to scale well with thousands of configured policies but I also liked the fact to have skip steps in another piece of code.
ok dhartmei@ for using his skip step code under the ISC license in policy.c ok mikeb@, jmc@
|
#
1.7 |
|
17-Nov-2010 |
ckuethe |
Allow the -D command line flag to actually define macros. ok mikeb@ reyk@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.6 |
|
24-Jun-2010 |
reyk |
unbreak the ikectl log verbose/brief commands.
|
#
1.5 |
|
10-Jun-2010 |
reyk |
update usage()
|
#
1.4 |
|
10-Jun-2010 |
reyk |
Add the -S flag which does the same as "set passive" but matches the isakmpd flag.
|
#
1.3 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.2 |
|
07-Jun-2010 |
jmc |
various small tweaks; ok reyk
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|