CVSROOT:	/cvs
Module name:	src
Changes by:	patr...@cvs.openbsd.org	2017/11/30 05:18:44

Modified files:
	sbin/iked      : iked.h ikev2.c ikev2_pld.c

Log message:
Add support for rejecting IKE SA messages. This means that we can reply to IKE SA INIT messages with no proposal chosen, as we already do for Child SAs. For that the error "adding" is done in a new function shared by both send error handlers. We need two "send error" functions because the init error is unencrypted, while all later ones are not.

Now we can add more cases, like Child SA not found or that the DH group is not what we expect.

Save the IKE SA INIT responses, even if it's an error message, so we can retransmit it if the response is lost on the way back to the initiator and he tries again. This also helps mitigate DoS attacks as specified in the RFC. Only if it is indeed a new attempt, like after an INVALID KE PAYLOAD response, can we drop the old SA so that iked(8) can attempt to create a new SA.

ok sthen@
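The behaviour the log message describes (an unencrypted error reply to IKE_SA_INIT, the reply cached per initiator SPI so a retransmitted request gets the same reply back without creating a new SA, and only a genuinely new attempt replacing the old half-open SA, as RFC 7296 section 2.1 asks) as an added toy responder. This is illustrative code written for this page, not iked's own code; the message structs, the `ikev2_init_recv` / `run_scenario` names, the proposal ids and the fixed-size SA table are assumptions made to keep the example self-contained.

```c
/*
 * Added example, not iked(8) code: a toy IKEv2 responder showing how an
 * IKE_SA_INIT reply (success or unencrypted error notify) is saved so a
 * retransmitted request is answered from the cache instead of creating a
 * fresh half-open SA, and how a new attempt (e.g. after INVALID_KE_PAYLOAD)
 * drops the old SA. Message layout and proposal ids are simplified assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Notify types from RFC 7296 section 3.10.1; N_DROP is a local marker only. */
enum notify { N_DROP = -1, N_NONE = 0, N_NO_PROPOSAL_CHOSEN = 14, N_INVALID_KE_PAYLOAD = 17 };
enum { GROUP_MODP2048 = 14, GROUP_ECP256 = 19 }; /* IANA DH group ids */
enum { PROP_AES_GCM = 1, PROP_DES = 2 };          /* hypothetical proposal ids */

struct init_req {                 /* the request fields the responder decides on */
	uint64_t ispi;            /* initiator SPI */
	uint8_t  nonce[8];
	int      proposal;
	int      ke_group;
};

struct init_resp {                /* saved verbatim for retransmission */
	uint64_t    rspi;         /* 0 on error: no SA state is created */
	enum notify error;        /* N_NONE on success */
	int         ke_group;     /* expected group, carried in INVALID_KE_PAYLOAD */
};

struct half_open { int used; struct init_req req; struct init_resp resp; };

#define MAX_SA 4
static struct half_open sas[MAX_SA];
static uint64_t next_rspi = 0x1000;
static int accepted_proposal = PROP_AES_GCM, expected_group = GROUP_ECP256;
int n_retransmits;                /* how often the cache answered instead of us */

static int req_equal(const struct init_req *a, const struct init_req *b)
{
	return a->ispi == b->ispi && a->proposal == b->proposal &&
	    a->ke_group == b->ke_group && memcmp(a->nonce, b->nonce, 8) == 0;
}

static struct half_open *sa_lookup(uint64_t ispi)
{
	for (int i = 0; i < MAX_SA; i++)
		if (sas[i].used && sas[i].req.ispi == ispi)
			return &sas[i];
	return NULL;
}

int sa_count(void)
{
	int n = 0;
	for (int i = 0; i < MAX_SA; i++)
		n += sas[i].used;
	return n;
}

/* Both error notifies go out unencrypted (no keys yet), so one path builds them. */
static struct init_resp build_response(const struct init_req *req)
{
	struct init_resp r = { 0, N_NONE, expected_group };
	if (req->proposal != accepted_proposal)
		r.error = N_NO_PROPOSAL_CHOSEN;
	else if (req->ke_group != expected_group)
		r.error = N_INVALID_KE_PAYLOAD;
	else
		r.rspi = next_rspi++;
	return r;
}

/* Responder entry point: returns the reply that goes on the wire. */
struct init_resp ikev2_init_recv(const struct init_req *req)
{
	struct half_open *sa = sa_lookup(req->ispi);

	if (sa != NULL && req_equal(&sa->req, req)) {   /* lost reply: resend it */
		n_retransmits++;
		return sa->resp;
	}
	if (sa != NULL)                                  /* new attempt: drop old SA */
		memset(sa, 0, sizeof(*sa));
	for (sa = sas; sa < sas + MAX_SA && sa->used; sa++)
		;
	if (sa == sas + MAX_SA) {                        /* table full: say nothing */
		struct init_resp drop = { 0, N_DROP, 0 };
		return drop;
	}
	sa->used = 1;
	sa->req = *req;
	sa->resp = build_response(req);
	return sa->resp;
}

/* Walk the scenario from the log message; returns 0, or the failing step. */
int run_scenario(void)
{
	struct init_req a = { 0xA1, {1,2,3,4,5,6,7,8}, PROP_AES_GCM, GROUP_MODP2048 };
	struct init_req b = { 0xB2, {9,9,9,9,9,9,9,9}, PROP_DES, GROUP_ECP256 };
	struct init_resp r;

	r = ikev2_init_recv(&a);                 /* wrong DH group */
	if (r.error != N_INVALID_KE_PAYLOAD || r.ke_group != GROUP_ECP256) return 1;
	r = ikev2_init_recv(&a);                 /* same request again: cached reply */
	if (r.error != N_INVALID_KE_PAYLOAD || n_retransmits != 1 || sa_count() != 1) return 2;
	a.ke_group = GROUP_ECP256;               /* corrected KE: old SA replaced */
	r = ikev2_init_recv(&a);
	if (r.error != N_NONE || r.rspi == 0 || sa_count() != 1) return 3;
	r = ikev2_init_recv(&b);                 /* unacceptable proposal */
	if (r.error != N_NO_PROPOSAL_CHOSEN || sa_count() != 2) return 4;
	return 0;
}

int main(void)
{
	int rc = run_scenario();
	printf("scenario %s (retransmits=%d, half-open SAs=%d)\n",
	    rc == 0 ? "ok" : "FAILED", n_retransmits, sa_count());
	return rc;
}
```

The point to notice is that the retransmitted request never reaches `build_response` and never allocates table space, which is what blunts a flood of repeated IKE_SA_INIT requests; only a request whose contents actually differ is allowed to replace the half-open SA. A real responder would add the RFC 7296 cookie mechanism once the table fills instead of silently dropping.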