Improve error message when if_indextoname() fails.

Add iked support for route based sec(4) tunnels.

To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.

ok dlg@

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe

Fix potential leak of reply in error case.

From markus@
ok bluhm@

Remove unused variable fd.

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@

Remove dead 'iked_flow' member 'flow_type'.

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Change the default security level for incoming IPsec flows from
isakmpd and iked to REQUIRE. Filter policy violations earlier.

ok sashan@ bluhm@

Make sure the TAP extension is only added to the vector when needed.

Fix a problem reported by Mark Patruck and dhill@

ok markus@, dhill@

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

use freezero()

spacing

Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.

Diff from markus@
OK mikeb@ patrick@

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The later is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

http -> https for IETF/IANA URLs in comments

comment typo

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@

Support Chacha20-Poly1305 for Child SAs; ok reyk

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@

use 0xffff not 0xfffff for a 16 bit port constant
ok mikeb@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Assign correct destination port value for the destination netmask.

This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.

ok markus

Fix coupling and decoupling operations.

With help and ok from mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

convert simple cases of select() to poll()
ok doug

Simple malloc() to reallocarray() conversion to potentially avoid integer
overflow.

ok deraadt@

expire IPcomp SAs too; ok mikeb (some time ago)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

try postponed requests first, so we do in-order processing; ok mikeb@

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

pfkey is unreliable, so add a select-timeout before MSG_PEEK;
similar code is in isakmpd; ok reyk@

don't leak on pid mismatch; ok mikeb

change surprisingly consistent mispelling of length ("lenght")

no change in md5 of resulting object file

ok markus@, reyk@

don't access a pointer till after the null check
ok mikeb@

support rekeying for IPCOMP; ok mikeb@

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

ignore messages for other daemons, like isakmpd does; ok mikeb

setup pfkey timer before use; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows. Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only. This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Change the order of variables just to shrink the diff to the (not yet
released) portable version a bit. No functional changes.

update email addresses to match reality.
sure jsg@ mikeb@

Add missing ESN bits

fix some leaks
ok mikeb@

spacing

rename iked_proc* to privsep_proc*. no functional change.

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

support for aes-gcm

OK reyk

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

simplify the pfkey code by adding a pfkey_write() function

Fix NAT-T detection to enable UDP encapsulation. It was done before,
but not in the right order to run the IKEv2 NAT detection and check the
source port of the last IKE message which should be the NAT-T port 4500.

Tested with iked running on sparc64 and a NAT'ed windows box.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add iked support for route based sec(4) tunnels.

To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.

ok dlg@

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe

Fix potential leak of reply in error case.

From markus@
ok bluhm@

Remove unused variable fd.

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@

Remove dead 'iked_flow' member 'flow_type'.

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Change the default security level for incoming IPsec flows from
isakmpd and iked to REQUIRE. Filter policy violations earlier.

ok sashan@ bluhm@

Make sure the TAP extension is only added to the vector when needed.

Fix a problem reported by Mark Patruck and dhill@

ok markus@, dhill@

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

use freezero()

spacing

Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.

Diff from markus@
OK mikeb@ patrick@

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The later is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

http -> https for IETF/IANA URLs in comments

comment typo

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@

Support Chacha20-Poly1305 for Child SAs; ok reyk

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@

use 0xffff not 0xfffff for a 16 bit port constant
ok mikeb@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Assign correct destination port value for the destination netmask.

This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.

ok markus

Fix coupling and decoupling operations.

With help and ok from mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

convert simple cases of select() to poll()
ok doug

Simple malloc() to reallocarray() conversion to potentially avoid integer
overflow.

ok deraadt@

expire IPcomp SAs too; ok mikeb (some time ago)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

try postponed requests first, so we do in-order processing; ok mikeb@

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

pfkey is unreliable, so add a select-timeout before MSG_PEEK;
similar code is in isakmpd; ok reyk@

don't leak on pid mismatch; ok mikeb

change surprisingly consistent mispelling of length ("lenght")

no change in md5 of resulting object file

ok markus@, reyk@

don't access a pointer till after the null check
ok mikeb@

support rekeying for IPCOMP; ok mikeb@

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

ignore messages for other daemons, like isakmpd does; ok mikeb

setup pfkey timer before use; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows. Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only. This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Change the order of variables just to shrink the diff to the (not yet
released) portable version a bit. No functional changes.

update email addresses to match reality.
sure jsg@ mikeb@

Add missing ESN bits

fix some leaks
ok mikeb@

spacing

rename iked_proc* to privsep_proc*. no functional change.

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

support for aes-gcm

OK reyk

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

simplify the pfkey code by adding a pfkey_write() function

Fix NAT-T detection to enable UDP encapsulation. It was done before,
but not in the right order to run the IKEv2 NAT detection and check the
source port of the last IKE message which should be the NAT-T port 4500.

Tested with iked running on sparc64 and a NAT'ed windows box.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe

Fix potential leak of reply in error case.

From markus@
ok bluhm@

Remove unused variable fd.

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@

Remove dead 'iked_flow' member 'flow_type'.

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Change the default security level for incoming IPsec flows from
isakmpd and iked to REQUIRE. Filter policy violations earlier.

ok sashan@ bluhm@

Make sure the TAP extension is only added to the vector when needed.

Fix a problem reported by Mark Patruck and dhill@

ok markus@, dhill@

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

use freezero()

spacing

Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.

Diff from markus@
OK mikeb@ patrick@

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The later is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

http -> https for IETF/IANA URLs in comments

comment typo

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@

Support Chacha20-Poly1305 for Child SAs; ok reyk

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@

use 0xffff not 0xfffff for a 16 bit port constant
ok mikeb@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Assign correct destination port value for the destination netmask.

This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.

ok markus

Fix coupling and decoupling operations.

With help and ok from mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

convert simple cases of select() to poll()
ok doug

Simple malloc() to reallocarray() conversion to potentially avoid integer
overflow.

ok deraadt@

expire IPcomp SAs too; ok mikeb (some time ago)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

try postponed requests first, so we do in-order processing; ok mikeb@

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

pfkey is unreliable, so add a select-timeout before MSG_PEEK;
similar code is in isakmpd; ok reyk@

don't leak on pid mismatch; ok mikeb

change surprisingly consistent mispelling of length ("lenght")

no change in md5 of resulting object file

ok markus@, reyk@

don't access a pointer till after the null check
ok mikeb@

support rekeying for IPCOMP; ok mikeb@

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

ignore messages for other daemons, like isakmpd does; ok mikeb

setup pfkey timer before use; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows. Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only. This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Change the order of variables just to shrink the diff to the (not yet
released) portable version a bit. No functional changes.

update email addresses to match reality.
sure jsg@ mikeb@

Add missing ESN bits

fix some leaks
ok mikeb@

spacing

rename iked_proc* to privsep_proc*. no functional change.

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

support for aes-gcm

OK reyk

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

simplify the pfkey code by adding a pfkey_write() function

Fix NAT-T detection to enable UDP encapsulation. It was done before,
but not in the right order to run the IKEv2 NAT detection and check the
source port of the last IKE message which should be the NAT-T port 4500.

Tested with iked running on sparc64 and a NAT'ed windows box.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Fix potential leak of reply in error case.

From markus@
ok bluhm@

Remove unused variable fd.

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@

Remove dead 'iked_flow' member 'flow_type'.

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Change the default security level for incoming IPsec flows from
isakmpd and iked to REQUIRE. Filter policy violations earlier.

ok sashan@ bluhm@

Make sure the TAP extension is only added to the vector when needed.

Fix a problem reported by Mark Patruck and dhill@

ok markus@, dhill@

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

use freezero()

spacing

Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.

Diff from markus@
OK mikeb@ patrick@

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The later is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

http -> https for IETF/IANA URLs in comments

comment typo

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@

Support Chacha20-Poly1305 for Child SAs; ok reyk

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@

use 0xffff not 0xfffff for a 16 bit port constant
ok mikeb@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Assign correct destination port value for the destination netmask.

This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.

ok markus

Fix coupling and decoupling operations.

With help and ok from mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

convert simple cases of select() to poll()
ok doug

Simple malloc() to reallocarray() conversion to potentially avoid integer
overflow.

ok deraadt@

expire IPcomp SAs too; ok mikeb (some time ago)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

try postponed requests first, so we do in-order processing; ok mikeb@

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

pfkey is unreliable, so add a select-timeout before MSG_PEEK;
similar code is in isakmpd; ok reyk@

don't leak on pid mismatch; ok mikeb

change surprisingly consistent mispelling of length ("lenght")

no change in md5 of resulting object file

ok markus@, reyk@

don't access a pointer till after the null check
ok mikeb@

support rekeying for IPCOMP; ok mikeb@

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

ignore messages for other daemons, like isakmpd does; ok mikeb

setup pfkey timer before use; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows. Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only. This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Change the order of variables just to shrink the diff to the (not yet
released) portable version a bit. No functional changes.

update email addresses to match reality.
sure jsg@ mikeb@

Add missing ESN bits

fix some leaks
ok mikeb@

spacing

rename iked_proc* to privsep_proc*. no functional change.

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

support for aes-gcm

OK reyk

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

simplify the pfkey code by adding a pfkey_write() function

Fix NAT-T detection to enable UDP encapsulation. It was done before,
but not in the right order to run the IKEv2 NAT detection and check the
source port of the last IKE message which should be the NAT-T port 4500.

Tested with iked running on sparc64 and a NAT'ed windows box.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Remove unused variable fd.

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@

Remove dead 'iked_flow' member 'flow_type'.

Add support for switching rdomain on IPsec encryption/decryption.
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.

The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.

ok markus@, patrick@

Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.

ok kn@ bluhm@ phessler@

Link ESP-SA and IPcomp-SA using GRPSPIS instead of using a self-built
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.

ok bluhm@

Change the default security level for incoming IPsec flows from
isakmpd and iked to REQUIRE. Filter policy violations earlier.

ok sashan@ bluhm@

Make sure the TAP extension is only added to the vector when needed.

Fix a problem reported by Mark Patruck and dhill@

ok markus@, dhill@

Implement MOBIKE (RFC 4555) support in iked(8), with us acting as
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.

ok sthen@
tweaks from jmc@
tested by a handful

use freezero()

spacing

Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.

Diff from markus@
OK mikeb@ patrick@

NAT-T improvements

Move repeated creation of the NAT-T payload into a function, remove
erroneous msg_offset, and improve NAT-T handling.

From and OK markus, OK mikeb

When setting up IPcomp flows for the networks 'A' and 'B' between
gateways 'a' and 'b', we replace the ESP flow "A->B ESP" with an
IPCOMP flow "A->B IPCOMP" and add a matching (transport mode) ESP
flow between the gateways "a->b ESP". The later is now marked with
flow_ipcomp so it is not translated into "a->b IPCOMP" on rekeying.

When SAs get deleted we do an extra loop to figure out if matching
IPcomp SAs can now be removed, too. This allows faster expiry of
unused IPcomp SAs.

Disable bytes lifetime for IP compression.

ok markus@ reyk@

Depending on the addresses, ipsecctl(8) automatically groups sa
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@

Add the missing bits to have NAT on enc(4) support in iked.

Ok mikeb@

http -> https for IETF/IANA URLs in comments

comment typo

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@

Support Chacha20-Poly1305 for Child SAs; ok reyk

Remove some unnecessary NULL-checks before free(). Change two bzero()
calls on pf data to explicit_bzero().

ok mikeb@

use 0xffff not 0xfffff for a 16 bit port constant
ok mikeb@

Switch iked to C99-style fixed-width integer types.

OK mikeb@

Assign correct destination port value for the destination netmask.

This repairs setup of SPD flows that specify port only on the one
side of the from-to specification.

ok markus

Fix coupling and decoupling operations.

With help and ok from mikeb@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

convert simple cases of select() to poll()
ok doug

Simple malloc() to reallocarray() conversion to potentially avoid integer
overflow.

ok deraadt@

expire IPcomp SAs too; ok mikeb (some time ago)

get rid of redundant {csa,flow}_{src,dst}id pointers, so we don't need
to update it on rekey (fixes use-after-free); ok mikeb@

replace iked_transform pointer with xform id, since target of pointer
might be freed (e.g. on ike sa rekey); ok mikeb@

try postponed requests first, so we do in-order processing; ok mikeb@

initiate ike sa rekeying (ikesalifetime keyword), re-queue pfkey
events while we are busy initiating child-SAs; ok mikeb@

pfkey is unreliable, so add a select-timeout before MSG_PEEK;
similar code is in isakmpd; ok reyk@

don't leak on pid mismatch; ok mikeb

change surprisingly consistent mispelling of length ("lenght")

no change in md5 of resulting object file

ok markus@, reyk@

don't access a pointer till after the null check
ok mikeb@

support rekeying for IPCOMP; ok mikeb@

initial support for IPComp
still experimental and rekeying needs some work; ok mikeb@

implement DPD similar to isakmpd, but only send DPD-messages 'on-demand'
(less aggressive, only if the ESP-SAs are actually used);
feedback & ok mikeb@

never cast to sockaddr_storage, always cast to the abstract 'class' sockaddr
this fixes an out-of-bounds-memcpy in pfkey_process(); ok mikeb@

ignore messages for other daemons, like isakmpd does; ok mikeb

setup pfkey timer before use; ok mikeb

remove excessive includes

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows. Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only. This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.

Thanks to Fernando Gont.

ok mikeb@

Change the order of variables just to shrink the diff to the (not yet
released) portable version a bit. No functional changes.

update email addresses to match reality.
sure jsg@ mikeb@

Add missing ESN bits

fix some leaks
ok mikeb@

spacing

rename iked_proc* to privsep_proc*. no functional change.

get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead
use require mode feature to send acquires from the kernel. this
allows us to get rid of the code that changes flow mode to acquire
and keep all installed flows in the tree and save up on some code
that deals with renegotiation. also several entities were renamed
(iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas,
ikev2_acquire -> ikev2_acquire_sa). ok reyk

split pfkey initialization into a privileged and unprivileged part to
prevent a possible crash.

ok mikeb@

Add initial acquire mode support and use it whenever Windows peers decide
to drop Child SA based on the inactivity timer. In this case we instruct
the kernel to send us an acquire message upon receiving a packet for those
hosts and initiate a Child SA creation exchange ourselves.

ok reyk

postpone processing of pfkey messages received in pfkey_reply instead of
just dropping them; ok reyk

move and rename util.c:print_id() to ikev2.c:ikev2_print_id() because
it is too specific to be in util.c. This will allow to link util.c
into ikectl later without all the other dependencies of pritn_id().

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk

support for aes-gcm

OK reyk

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.

Initial support for initiator mode which allows to run iked as a
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs.

It currently only supports psk (pre-shared keys) and no certificates,
doesn't do any rekeying or SA timeouts, and needs more cleanup. So it
is not quite production ready yet - but ready for simple tests...

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

simplify the pfkey code by adding a pfkey_write() function

Fix NAT-T detection to enable UDP encapsulation. It was done before,
but not in the right order to run the IKEv2 NAT detection and check the
source port of the last IKE message which should be the NAT-T port 4500.

Tested with iked running on sparc64 and a NAT'ed windows box.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Unregister event on pfkey socket during pfkey_reply(). Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

Increase the size of iov in pfkey_sa() to be large enough for all
possible options.

ok tobhe@

Add proper padding for pfkey messages. Use ROUNDUP() for auth and
enc keys.

ok patrick@

Fix typos.

From Ryan Kavanagh
ok patrick@

Log pfkey type and message length on write failure.

Don't log ESRCH as warning.

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Window 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Delete dead code.

Rename ikev2_*_sa() functions to make clear they handle Child SAs.

ok patrick@

Properly set flow_saproto for aquire.

ok patrick@

Handle TEMPORARY_FAILURE notification on IKESA rekeying.
If we rekey both the IKESA and an CHILDSA in a small time
window a strongswan peer might reposend with a TEMPORARY_FAILURE
notification.
In this case we retry the rekey of the IKESA after a short
timeout and queue PFKEY expire messages (by returning -1 in
ikev2_rekey_sa()), so the CHILDSA rekeying gets delayed.

ok markus@

Try to deal with no reply from PF_KEY on pfkey_sa_add.

ok markus@

Replace SIMPLEQ concatenation loop with SIMPLEQ_CONCAT

OK florian@, kn@, millert@