History log of /openbsd-current/sbin/iked/ikev2_msg.c
Revision Date Author Comments
# 1.101 02-Mar-2024 tobhe

Trigger retransmission only for fragment 1/x, otherwise each received
fragment can trigger retransmission of the full fragment queue.

From RFC7383, 2.6.1:
"[...] that event MUST only trigger a retransmission of the response message
(fragmented or not) if the Fragment Number field in the received
fragment is set to 1; otherwise, it MUST be ignored."

from markus


Revision tags: OPENBSD_7_4_BASE
# 1.100 04-Aug-2023 claudio

Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@


# 1.99 28-Jul-2023 claudio

Implement print_hexbuf() to hexdump the contents of an ibuf.
OK tb@


# 1.98 28-Jul-2023 claudio

Use ibuf_data() instead of accessing the ibuf buf pointer directly.
Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate.
OK tobhe@ tb@


# 1.97 18-Jul-2023 claudio

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@


# 1.96 28-Jun-2023 tobhe

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@


# 1.95 13-Jun-2023 tb

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe


# 1.94 06-Jun-2023 claudio

Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is
the same in these cases.
OK tb@


# 1.93 30-May-2023 claudio

Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat()
method but instead of overwriting ibuf internals replace the buf a level up.
Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to
msg_data (which is another footgun to disarm at some point).
OK tb@


# 1.92 23-May-2023 claudio

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@


# 1.91 23-May-2023 claudio

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@


Revision tags: OPENBSD_7_3_BASE
# 1.90 06-Dec-2022 tobhe

Print size_t with %zu.

ok patrick@


# 1.89 03-Dec-2022 tobhe

Include endian.h where needed for betohXX functions.


# 1.88 11-Nov-2022 mbuhl

In case of an invalid SA, resp is passed to ikev2_msg_cleanup without
initialization where the msg_parent field is accessed.
ok tobhe


Revision tags: OPENBSD_7_2_BASE
# 1.87 21-Sep-2022 tobhe

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.



make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.




# 1.97 18-Jul-2023 claudio

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@


# 1.96 28-Jun-2023 tobhe

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@


# 1.95 13-Jun-2023 tb

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe


# 1.94 06-Jun-2023 claudio

Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is
the same in these cases.
OK tb@


# 1.93 30-May-2023 claudio

Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat()
method but instead of overwriting ibuf internals replace the buf a level up.
Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to
msg_data (which is another footgun to disarm at some point).
OK tb@


# 1.92 23-May-2023 claudio

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@


# 1.91 23-May-2023 claudio

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@


Revision tags: OPENBSD_7_3_BASE
# 1.90 06-Dec-2022 tobhe

Print size_t with %zu.

ok patrick@


# 1.89 03-Dec-2022 tobhe

Include endian.h where needed for betohXX functions.


# 1.88 11-Nov-2022 mbuhl

In case of an invalid SA resp is passed to ikev2_msg_cleanup without
initialization where the msg_parent field is accessed.
ok tobhe


Revision tags: OPENBSD_7_2_BASE
# 1.87 21-Sep-2022 tobhe

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
seperate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.




# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.90 06-Dec-2022 tobhe

Print size_t with %zu.

ok patrick@


# 1.89 03-Dec-2022 tobhe

Include endian.h where needed for betohXX functions.


# 1.88 11-Nov-2022 mbuhl

In case of an invalid SA resp is passed to ikev2_msg_cleanup without
initialization where the msg_parent field is accessed.
ok tobhe


Revision tags: OPENBSD_7_2_BASE
# 1.87 21-Sep-2022 tobhe

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.88 11-Nov-2022 mbuhl

In case of an invalid SA resp is passed to ikev2_msg_cleanup without
initialization where the msg_parent field is accessed.
ok tobhe


Revision tags: OPENBSD_7_2_BASE
# 1.87 21-Sep-2022 tobhe

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.87 21-Sep-2022 tobhe

Distinguish between retransmit ok and nothing to retransmit. This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
seperate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTEQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.86 19-Sep-2022 tobhe

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


Revision tags: OPENBSD_7_1_BASE
# 1.85 14-Mar-2022 tobhe

Improve retransmission of message fragments. RFC 7383 states that loss of
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
separate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.

Found by and diff from Daniel Herzinger
ok patrick@


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.84 01-Dec-2021 deraadt

whitespace cleanup during review read


# 1.83 29-Nov-2021 deraadt

sys/param.h was included for MAX(), MIN() and roundup(). make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.



Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.82 27-Nov-2021 tobhe

Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@


# 1.81 26-Nov-2021 patrick

A peer sends both his local id and remote id he expects us to be. So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@


Revision tags: OPENBSD_7_0_BASE
# 1.80 07-Sep-2021 tobhe

Fix leak of m if message initialization fails.

ok markus@


# 1.79 02-Sep-2021 tobhe

style


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@



# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.78 01-Sep-2021 tobhe

Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@


Revision tags: OPENBSD_6_9_BASE
# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


# 1.77 29-Oct-2020 tobhe

Add initial support to request IP addresses as IKEv2 initiator.
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.

ok patrick@


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTEQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.76 09-Oct-2020 tobhe

More unused headers.


# 1.75 09-Oct-2020 tobhe

Remove unused "wait.h" includes.


# 1.74 06-Oct-2020 tobhe

Always allocate hash_keylength() for buffers passed to hash_final() to
make sure there is enough space for the non truncated hash output.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@



Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.73 03-Oct-2020 tobhe

React to DELETE notifications only in INFORMATIONAL messages
and move the logic closer to the other INFORMATIONAL payloads.
Add some more sanity checks while we're at it.

ok patrick@


Revision tags: OPENBSD_6_8_BASE
# 1.72 26-Sep-2020 tobhe

Cleanup msg_eap in ikev2_msg_cleanup().


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.71 15-Aug-2020 tobhe

Remove dead assignments.


# 1.70 11-Aug-2020 tobhe

Prioritize incoming certificate requests by the order of CERTREQ payloads
in the received message.

ok patrick@


# 1.69 08-Jul-2020 tobhe

Always try to retransmit on sendtofrom() errors to ensure the SA
is properly cleaned up in ikev2_msg_retransmit_timeout().

ok patrick@


# 1.68 26-May-2020 tobhe

Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2.
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.

Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@


# 1.67 14-May-2020 tobhe

Stricter return value checking for EVP_Cipher* calls.

ok patrick@


Revision tags: OPENBSD_6_7_BASE
# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmition timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator- specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.66 24-Apr-2020 tobhe

Log INFORMATIONAL messages with LOG_DEBUG. They are rarely useful for
debugging and fill up the logs.

ok patrick@ kn@


# 1.65 17-Apr-2020 tobhe

Log retransmits of sent requests and responses.

ok markus@


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.64 10-Mar-2020 tobhe

Delete dead code in ikev2_msg_valid_ike_sa().

ok markus@


# 1.63 10-Mar-2020 tobhe

Make sure 'e' is NULL initialized to prevent nullptr dereference in
ibuf_release().

ok gerhard@


# 1.62 22-Jan-2020 deraadt

delete wasteful ;;
ok tedu


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.61 16-Jan-2020 tobhe

Add '-p' command line option which allows to configure
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.

ok sthen@


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.60 28-Nov-2019 tobhe

Move Notify and Certreq payload handlers after the parser. Modify SA state
only when the full message was parsed successfully.

ok patrick@, "that's working for me" - sthen@


# 1.59 15-Nov-2019 tobhe

Fix error handling in ikev2_msg_send.

Check sa is not NULL before using it. Use sa consistently instead of
mixing sa and msg->msg_sa. In the error case, if sa is not NULL, save
the message for retransmission and return 0 instead of -1.

ok mikeb@




# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.58 13-Nov-2019 tobhe

Log reason whenever a child SA is freed. This makes it easier to
distinguish "valid" reasons to close an SA, such as rekeying,
from errors.

ok sthen@


# 1.57 11-Nov-2019 tobhe

Cleanup message retransmission handling with new helper functions.

ok patrick@


Revision tags: OPENBSD_6_6_BASE
# 1.56 12-Aug-2019 tobhe

Prepend SPI to send and recv log messages to see which line belongs to
which SA. Use IKE specific terms peer and local instead of to and from.

ok reyk@ patrick@


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Less differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.


# 1.55 11-May-2019 patrick

Add support for IKEv2 Message Fragmentation as defined in RFC 7383.

ok sthen@


# 1.54 10-May-2019 patrick

Enforce messages after IKE_SA_INIT exchange to contain only
encrypted payloads. Also increment message id only for valid
messages.

From Tobias Heider
ok sthen@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


# 1.53 27-Nov-2017 patrick

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful


Revision tags: OPENBSD_6_2_BASE
# 1.52 26-Apr-2017 henning

cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb


Revision tags: OPENBSD_6_1_BASE
# 1.51 27-Mar-2017 reyk

Add support to reflect the responder IKEv2 COOKIE.

This fixes connecting to Azure VPN and other implementations that
implement the IKEv2 COOKIE mechanism on the responder side. Azure
decides to send you a responder COOKIE after too many connection
attempts - we have to keep it and reflect it to establish a
connection. This implementation is only for the initiator (client)
side, we do not support sending COOKIEs on the responder (server) side
yet.

OK patrick@ mikeb@


# 1.50 27-Mar-2017 reyk

Add support for RFC4754 (ECDSA) and RFC7427 authentication.

These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.

Original diff from markus@ with patches from mikeb@ and me.

OK mikeb@ patrick@


# 1.49 13-Mar-2017 reyk

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb


# 1.48 20-Jan-2017 mikeb

Reset various pointers in ikev2_msg_cleanup

From and OK markus@, OK reyk


# 1.47 20-Jan-2017 mikeb

Closed SAs should never be treated as valid

From and OK markus@, OK reyk


# 1.46 04-Sep-2016 vgross

Now that we have IP_SENDSRCADDR, add sendtofrom().

Ok jca@ and reyk@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.45 19-Oct-2015 reyk

Remove the ikev1 stub - Since I started iked, it has an empty privsep
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day, I never intended to implement IKEv1 myself,
or to add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.

OK mikeb@


# 1.44 15-Oct-2015 mmcc

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@


# 1.43 21-Aug-2015 reyk

Switch iked to C99-style fixed-width integer types.

OK mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.42 26-Mar-2015 markus

initial support for RFC 7427 signatures, so we are no longer
restricted to SHA1 for RSA signatures. ok mikeb@


Revision tags: OPENBSD_5_7_BASE
# 1.41 15-Feb-2015 tedu

convert bcmp to memcmp
ok doug millert miod


# 1.40 06-Feb-2015 deraadt

unneeded getopt.h


# 1.39 19-Jan-2015 mikeb

Remove unnecessary <netinet/ip_ipsp.h> includes


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.37 07-Nov-2014 mikeb

Repair initiator with PSK auth

Attempt state transition to VALID (or EAP_VALID) in the
ikev2_ike_auth after we have completed authentication
synchronously (PSK) or asynchronously (X.509 and RSA)
eliminating the need to do so in multiple places and
restoring the correct order for PSK.

ok markus


# 1.36 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_5_6_BASE
# 1.35 07-May-2014 markus

print msgid for debugging; ok reyk & mikeb


# 1.34 06-May-2014 markus

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@


# 1.33 05-May-2014 markus

the caller of ikev2_msg_retransmit_response already frees the sa; ok mikeb


# 1.32 29-Apr-2014 markus

make sure the state machine only advances if the AUTH payload has
been verified; with & ok mikeb@


# 1.31 22-Apr-2014 reyk

Update iked to use the same proc.c that relayd uses.
Fewer differences, less code to audit.

ok mikeb@


# 1.30 10-Apr-2014 reyk

Add validation routines to ikev2_pld.c: For each payload type overall
header structure is checked for sanity before copying the header.
Always pass down the number of remaining bytes in the payload or
substructure so we can always ensure to not go beyond actual data.
Also remove the quick parsing step as it does not provide a real
benefit anymore.

From Hans-Joerg Hoexer

ok mikeb@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.29 17-Feb-2014 reyk

Fix compiler warnings in the format strings: use %zd for ssize_t and
%zu for size_t.

From Andre de Oliveira
With input and OK from blambert@ markus@


# 1.28 24-Jan-2014 mikeb

use a bit saner timer api


# 1.27 03-Dec-2013 markus

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@


# 1.26 26-Sep-2013 mikeb

After some manipulations with the buffer, ike message header (hdr)
might no longer point to the same memory as before.

The bug was reported and fix was tested by LEVAI Daniel. Thanks!


Revision tags: OPENBSD_5_4_BASE
# 1.25 21-Mar-2013 deraadt

remove excessive includes


Revision tags: OPENBSD_5_3_BASE
# 1.24 08-Jan-2013 reyk

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 1.23 15-Dec-2012 reyk

Remove unused variables.


# 1.22 22-Oct-2012 reyk

Fix NAT-T support in iked, both on the initiator and the responder
side. Also add a new command line option -t to optionally enforce
NAT-T with UDP encapsulation on port 4500.

Tested by mikeb@ and me
ok mikeb@


# 1.21 18-Sep-2012 reyk

update email addresses to match reality.
sure jsg@ mikeb@


Revision tags: OPENBSD_5_2_BASE
# 1.20 27-Jun-2012 mikeb

leftover code re-enqueued the same item on the list multiple times


# 1.19 27-Jun-2012 mikeb

prevent an endless loop


# 1.18 26-Jun-2012 mikeb

improve ikev2_msg_retransmit_timeout


# 1.17 26-Jun-2012 mikeb

compare exchange types as well when looking up a message;
proceed with a response only when the appropriate request
is found.


# 1.16 22-Jun-2012 mikeb

Add initial support for retransmission timeouts and response retries.
This should still be considered an experimental work in progress.


# 1.15 30-May-2012 mikeb

pass a file descriptor in the msg_fd instead of a function argument


# 1.14 24-May-2012 mikeb

don't increment the next expected message id when sending a response back.
while it might look like a step backwards, this fixes up eap negotiation
and bigger changes to this code are in the pipe anyways.


# 1.13 07-May-2012 mikeb

Sync up several defines with RFC 5996. IANA has changed the existing
IKEv2 Payload Type "Encrypted" (E) to "Encrypted and Authenticated" (SK).


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.12 09-May-2011 reyk

rename functions in proc.c to proc_* and move some code from imsg_util.c to
proc.c. this is the first sync to what i did for relayd but does not include
the multi-instance handling - so no functional change.


Revision tags: OPENBSD_4_9_BASE
# 1.11 21-Jan-2011 reyk

handle empty encrypted payloads (might happen with some informationals)

ok mikeb@


# 1.10 21-Jan-2011 reyk

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 1.9 22-Dec-2010 mikeb

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 1.8 30-Sep-2010 mikeb

disable padding correctly. therefore we no longer need to supply
additional space in the buffer and just pad input length up to the
block size. finalization is not needed for properly padded data.

kills a bunch of XXX's and an annoying error from openssl.

also, check a result from CipherUpdate while here.

ok reyk


Revision tags: OPENBSD_4_8_BASE
# 1.7 27-Jun-2010 reyk

Instead of modifying and fiddling with the IKE SA in the payload
parsing routines directly, first parse the message and save the parsed
elements in the temporary message struct before validating the
information and taking any other actions on the actual SA. This needs
more testing, but is the cleaner and better approach.


# 1.6 14-Jun-2010 reyk

check if cert is available and valid


# 1.5 14-Jun-2010 reyk

Initial support for initiator mode which allows running iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...


# 1.4 14-Jun-2010 reyk

restructure code a bit to move closer to initiator mode:
- split responder/initiator-specific code into different functions and use
shared functions for common stuff.
- first parse the received message and store information in the temporary
message struct instead of modifying the ike sa in the parsing code directly.


# 1.3 14-Jun-2010 reyk

cleanup messages and parsed information correctly


# 1.2 14-Jun-2010 reyk

More code for initiator mode (not finished yet)


# 1.1 10-Jun-2010 reyk

i don't like splitting source code in too many source files but ikev2.c
has grown too large, so split it in 3 files and rename a few functions
to organize the code a bit better.