| Age | Commit message (Collapse) | Author |
|---|
|
|
|
If csa_bundled is set, exactly two csas exist and they point to
each other. Therefore childsa_free already sets the bundled csa
pointer to NULL and it shouldn't be done after calling childsa_free.
ok tobhe@
|
|
possible use after free.
ok tobhe@
|
|
possible use after free.
ok tobhe@
|
|
initialization where the msg_parent field is accessed.
ok tobhe
|
|
When linking against libressl, OPENSSL_malloc() is just a wrapper around malloc()
so regular free() is safe. Other implementations allow switching to a different
allocator where free() could result in a possible heap corruption.
Report and initial fix by dropk1ck (gh #92)
ok tb@
|
|
string size that could lead to a buffer overflow in ikev2_print_id().
Found by and fix from dropk1ck on github (issue #90)
ok patrick@ mbuhl@
|
|
directly instead of calling group_get() and leaking the result.
ok markus@
|
|
In config_free_policy() the refcounting is unchanged and each SA linked to the
policy will trigger a call to policy_ref() and increase the references as
before the change. This allows unconditional calls to policy_ref() and
policy_unref() and the callers no longer have to check if IKED_POLICY_REFCNT
is set.
From and ok markus@
|
|
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.
ok markus@
|
|
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@
from and ok markus@
|
|
not differentiate between similar policies that only differ in srcnat. Also
include srcnat when logging flows or policies.
ok markus@
|
|
|
|
make it easier to handle interoperability problems with older versions in
the future. The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).
ok markus@ bluhm@
|
|
From markus@
ok bluhm@
|
|
to RTP_PROPOSAL_SOLICIT. Fixes a crash when resolvd is restarted but
no name server is set.
|
|
payloads. Local certificate chains as required with LetsEncrypt certs will
work between iked and other IKEv2 implementations, iked to iked connections
won't work yet because of missing support to receive multiple CERT
payloads.
from Katsuhiro Ueno
tested by and ok sthen@
|
|
when more than one is received. The first CERT is always the leaf
certificate, additional payloads can be used to send intermediate certs
which iked can not handle at the moment.
This fixes exchanges where the certificate chain is still valid because
matching intermediate certs are available locally in /etc/iked.
Reported and tested by Loïc Revest <l.revest (at) apc.fr>
ok mbuhl@
|
|
SA shall be deleted. ni should be set to the minimum nonce for the
exchange intitiated by us while nr should be the smaller of the
nonces of the simultaneous exchange initiated by the peer, which
is stored in sa_simulat.
This fixes the ni < nr comparison below and makes sure our Child SA
is only deleted in the correct case as specified in RFC 7296.
Reported by and fix from Sibar Soumi <sibar.soumi (at) achelos.de>
ok mbuhl@
|
|
ok tobhe@
|
|
|
|
is to renew the timer every time sc_alive_timeout is reset after loading a new
config.
ok patrick@
|
|
it should really be marked ULL
ok bluhm tobhe
|
|
|
|
|
|
Fixes address autoconfiguration on octeon.
Found by and ok mbuhl@
|
|
a single fragment results in a retransmit of all fragments belonging
to the same message. Instead of treating each fragment as message with
seperate retransmit timer, keep only a single timer for all fragments of
a message and retransmit all fragments in order on timeout.
Improves reliability in case of packet loss when fragmentation is enabled.
Found by and diff from Daniel Herzinger
ok patrick@
|
|
|
|
ok jmc@ sthen@ millert@
|
|
apostrophe.
|
|
ok tobhe@
|
|
ok markus@
|
|
value for -1, not buf == NULL.
ok tobhe
|
|
allocating a buffer.
ok tobhe
|
|
In the unlikely event that EC_KEY_check_key() in ec_init() fails,
the group would be freed twice: once in ec_init(), and later in
group_free().
ok tobhe
|
|
before calling *_free() functions. Use 'get0' functions where it
makes sense to avoid some frees.
Feedback and ok tb@
|
|
Fixes a bug where iked sent zero-prefixed NAT-T messages on port 500 causing
parsing errors.
ok markus@ patrick@
|
|
ok patrick@
|
|
certificates. Check if we have a matching key before using a
certificate as local to prevent cryptic error messages later
when the signature is checked.
ok markus@ patrick@
|
|
iked(8). Local certificates are always trusted and preferred over certs
received over the wire.
ok patrick@ markus@
|
|
the initiator.
ok patrick@
|
|
the responder to match the correct policy if multiple are available.
ok patrick@
|
|
|
|
|
|
options list;
|
|
ok patrick@
|
|
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg
|
|
ok patrick@
|
|
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set. Hence dstid is involved in the decision making. While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have. If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.
ok tobhe@
|
|
parent SA.
|
