Age | Commit message | Author |
|
Fixes SA tagging and a possible leak.
from markus@
|
|
I'm not really happy with this, but it's a start.
|
|
add "Interface NUMBER" to the config parser to specify that once
SAs have been negotiated with a peer, install the SAs with the
sadb_x_iface extension set up, but skip installing the flows/SPD
entries.
this allows for the negotiation of multiple esp tunnels covering
all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to
do something useful with them using the routing table and sec(4)
interfaces instead of having SPD entries fight over those packets
in the kernel.
this in turn allows interoperation with other ipsec/vpn solutions
that require the negotiation of such tunnels.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@
|
|
Otherwise dh_getlen() will dereference ie->group and crash.
looks correct to hshoexer
|
|
This allows compiling isakmpd with a libcrypto that has binary field
support removed. Leave the enum value itself unguarded on claudio's
request.
ok beck claudio jsing
|
|
In the unlikely event that EC_KEY_check_key() in ec_init() fails,
group->ec would be freed first in ec_init() then in group_free().
Same problem was fixed in iked/dh.c r1.31 (where it originally came
from).
ok jsg mbuhl
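The ownership mistake described in this commit, reduced to a stand-alone C example. This is added here and is not the isakmpd or iked code; it uses a counting stand-in for EC_KEY instead of libcrypto so the double free can be observed without corrupting the heap, and the "fixed" shape (leave the free to group_free() alone) is one way to resolve it, not necessarily the exact diff that was committed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-in for an EC_KEY (constructed for this example, not libcrypto).
 * `freed` counts how often the object has been released, so a second
 * release shows up as a number instead of as heap corruption.
 */
struct fake_ec_key {
	int freed;
	int valid;	/* what EC_KEY_check_key() would report */
};

struct group {
	struct fake_ec_key *ec;
};

static void
fake_ec_key_free(struct fake_ec_key *k)
{
	if (k != NULL)
		k->freed++;
}

/* Stands in for a check that can fail after the key is already attached. */
static int
fake_ec_key_check(const struct fake_ec_key *k)
{
	return k->valid;
}

/*
 * Buggy shape: the init routine frees group->ec on its error path but
 * leaves the dangling pointer in the struct, and the owner's cleanup
 * (group_free()) releases it a second time.
 */
int
ec_init_buggy(struct group *group, struct fake_ec_key *key)
{
	group->ec = key;
	if (!fake_ec_key_check(group->ec)) {
		fake_ec_key_free(group->ec);	/* first free ... */
		return -1;			/* ... group_free() does the second */
	}
	return 0;
}

/*
 * Fixed shape: ownership stays with the struct.  group_free() is the only
 * place that releases group->ec, so the error path just reports failure.
 */
int
ec_init_fixed(struct group *group, struct fake_ec_key *key)
{
	group->ec = key;
	if (!fake_ec_key_check(group->ec))
		return -1;
	return 0;
}

void
group_free(struct group *group)
{
	fake_ec_key_free(group->ec);
	group->ec = NULL;
}

/*
 * Run one init variant with a key that is valid or not, then the owner's
 * destructor (which runs on both the failure and the teardown path), and
 * report how many times the key ended up released.  Correct code gives 1.
 */
int
frees_after(int (*init)(struct group *, struct fake_ec_key *), int key_valid)
{
	struct fake_ec_key key = { 0, key_valid };
	struct group g = { NULL };

	(void)init(&g, &key);
	group_free(&g);
	return key.freed;
}

int
main(void)
{
	printf("buggy, check fails: %d frees\n", frees_after(ec_init_buggy, 0));
	printf("fixed, check fails: %d frees\n", frees_after(ec_init_fixed, 0));
	return 0;
}
```

The general rule the example illustrates: once a pointer has been stored in a structure that has its own destructor, an inner init routine should not free it on error unless it also clears the field; otherwise every caller that does the natural thing (call the destructor on failure) double frees.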
|
|
ok miod@ millert@
|
|
Fixes -Wstrict-prototype warning seen with clang 15 on amd64 and arm64.
|
|
getopt(3) returns '?' when it encounters a flag not present in the
optstring or if a flag is missing its option argument. We can
handle this case with the "default" failure case with no loss of
legibility. Hence, remove all the redundant "case '?':" lines.
Prompted by dlg@. With help from dlg@ and millert@.
Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2
ok naddy@ millert@ dlg@
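The getopt(3) behaviour this commit relies on, as an added C example (not isakmpd's own option parsing; the flags -d, -f and -v and the program name are chosen for illustration). Both an unknown flag and a flag whose required argument is missing come back as '?', so one "default:" arm covers them and no "case '?':" is needed. The optind/optreset reset is only there so the parser can be called repeatedly from the test driver.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Options of a hypothetical daemon; the flags are chosen for the example. */
struct opts {
	int debug;		/* -d */
	int verbose;		/* -v, may be repeated */
	char config[256];	/* -f file */
};

/*
 * Parse argv with getopt(3).  Returns 0 on success, -1 on a usage error.
 * getopt(3) returns '?' both for a flag that is not in the optstring and
 * for a flag whose required argument is missing, so "default:" already
 * handles both; an explicit "case '?':" would be redundant.
 */
int
parse_args(int argc, char **argv, struct opts *o)
{
	int ch;

	memset(o, 0, sizeof(*o));
	opterr = 0;		/* print our own diagnostic instead of getopt's */
	/* Reset scanner state so the function may be called more than once. */
#ifdef __GLIBC__
	optind = 0;		/* glibc reinitialises fully on optind == 0 */
#else
	optind = 1;
#ifdef __OpenBSD__
	optreset = 1;		/* BSD getopt(3) needs this in addition */
#endif
#endif
	while ((ch = getopt(argc, argv, "df:v")) != -1) {
		switch (ch) {
		case 'd':
			o->debug = 1;
			break;
		case 'f':
			snprintf(o->config, sizeof(o->config), "%s", optarg);
			break;
		case 'v':
			o->verbose++;
			break;
		default:	/* '?': unknown flag or missing argument */
			fprintf(stderr, "usage: prog [-dv] [-f file]\n");
			return -1;
		}
	}
	return 0;
}

/*
 * Split a constructed command line on spaces and run it through
 * parse_args(); a convenience for trying several inputs in one process.
 */
int
parse_line(const char *line, struct opts *o)
{
	char *buf, *tok, *argv[16];
	int argc = 0, r;

	if ((buf = strdup(line)) == NULL)
		return -1;
	for (tok = strtok(buf, " "); tok != NULL && argc < 15;
	    tok = strtok(NULL, " "))
		argv[argc++] = tok;
	argv[argc] = NULL;
	r = parse_args(argc, argv, o);
	free(buf);
	return r;
}

int
main(void)
{
	struct opts o;

	printf("%d\n", parse_line("prog -d -f /etc/isakmpd/isakmpd.conf -vv", &o));
	printf("%d\n", parse_line("prog -x", &o));	/* unknown flag */
	printf("%d\n", parse_line("prog -f", &o));	/* -f without its file */
	return 0;
}
```

The one case where a separate arm is still useful is an optstring that starts with ':', which makes getopt(3) return ':' instead of '?' for a missing argument; with a plain optstring, as above, there is nothing to distinguish.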
|
|
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
|
ok jmc@ sthen@ millert@
|
|
log a warning rather than attempting to dereference it. Check suggested by
millert@, ok "your fix shouldn't hurt" mpi@
This isn't fixing the root cause but I don't have a better idea and I'm
hitting problems on several systems as I upgrade them, and I think in this
case logging rather than dumping core is more helpful.
Without this, in recent OpenBSD versions (I have seen it since at least
the snapshot from June 14 2021) I am often seeing isakmpd crashes after
SAs come in shortly after isakmpd starts with my usual flags, although
they don't seem to occur if I raise logs to heavy debug levels (-DA=90).
With this, those connections will fail but isakmpd will stay running and
after usually one retry things will be ok.
Usually, perhaps always, seen associated with "responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute" logged previously.
Pcap written by isakmpd -L shows a normal-looking proposal though, with
proto/ids/group description set, yet printing *isa at the point that message
is logged shows zeros in sport/dport/group_desc/etc.
(I can give more info and/or test if someone has a better idea!)
|
|
apostrophe.
|
|
ok guenther@
|
|
|
|
ok jsing
|
|
let alone sys/param.h, which it uses to get roundup(). make a local
copy of the macro, and call it a day.
|
|
Straightforward conversion to the OpenSSL 1.1 API as a step towards
making EVP_PKEY opaque. EVP_PKEY_get0_RSA() can't fail if we know
that the pkey type is RSA.
ok sthen
|
|
ok jmc sthen
|
|
instead of having it on the stack. Adjust code accordingly.
|
|
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert
|
|
|
|
algorithm is gone. Remove all LZS references from the tree. The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@
|
|
ok benno
|
|
an accessor instead of reaching directly into the struct.
ok benno
|
|
No-one is going to build this with OpenSSL 0.9.7 or earlier, so we
can remove this code.
ok bluhm sthen (as part of a larger diff)
|
|
All this does is a call to OpenSSL_add_all_algorithms(), which is
no longer needed since libcrypto initializes itself.
ok bluhm sthen (part of a larger diff)
|
|
ok millert
|
|
undocumented macro alias X509_name_cmp(3);
no binary change;
OK tb@
|
|
ok tobhe
|
|
work anyway. Dynamic binaries help building errata, reduce disk
usage and make ROP harder. Also remove an unused bsd.subdir.mk
include.
OK sthen@ mvs@ deraadt@ tobhe@ patrick@
|
|
ok deraadt@
|
|
ok patrick@
|
|
when exiting.
"make sense" deraadt
|
|
the path sanitizer in the privsep parent. Bring back the checks
in a way that works with new realpath(3).
tested and OK hshoexer@
|
|
ENOENT. In this case, try to open(2) the path. Then a non-existing
file will be created, but a missing directory component still causes
an error. This fixes isakmpd(8) IKE pcap file creation.
from hshoexer@
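The path check described in this commit and in the earlier one about the privsep parent's path sanitizer, as an added C example (not isakmpd's monitor code; the function and argument names, the allowed-directory argument and the temporary-directory driver are this example's own). It canonicalises with realpath(3), falls back to open(2) when the file does not exist yet so that a missing file is created but a missing directory component still fails with ENOENT, and adds one check a privsep parent wants: the directory is resolved and compared against the allowed prefix before anything is created, so a request like "allowed/../x" never leaves a file behind outside the sandbox.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* True if canonical path P is ALLOWED itself or lies below it. */
static int
under(const char *p, const char *allowed)
{
	size_t len = strlen(allowed);

	return strncmp(p, allowed, len) == 0 &&
	    (p[len] == '/' || p[len] == '\0');
}

/*
 * Canonicalise PATH and require it to lie under ALLOWED (a canonical
 * directory).  If the file does not exist yet, realpath(3) fails with
 * ENOENT: then resolve and check its directory, create the file with
 * open(2) and resolve again.  A missing directory component still fails
 * with ENOENT, and nothing is created outside ALLOWED.
 * Returns 0 and fills RESOLVED, or -1 with errno set.
 */
int
sanitize_path(const char *path, const char *allowed, char *resolved)
{
	char dir[PATH_MAX], dirres[PATH_MAX], *slash;
	int fd;

	if (realpath(path, resolved) == NULL) {
		if (errno != ENOENT)
			return -1;
		/* Directory part of PATH: must exist and be inside ALLOWED. */
		snprintf(dir, sizeof(dir), "%s", path);
		if ((slash = strrchr(dir, '/')) == NULL)
			strcpy(dir, ".");
		else if (slash == dir)
			dir[1] = '\0';
		else
			*slash = '\0';
		if (realpath(dir, dirres) == NULL)
			return -1;	/* ENOENT: a directory component is missing */
		if (!under(dirres, allowed)) {
			errno = EACCES;
			return -1;
		}
		/* Create the file; O_EXCL|O_NOFOLLOW refuse a planted symlink. */
		fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
		if (fd == -1 && errno != EEXIST)
			return -1;
		if (fd != -1)
			close(fd);
		if (realpath(path, resolved) == NULL)
			return -1;
	}
	if (!under(resolved, allowed)) {
		errno = EACCES;
		return -1;
	}
	return 0;
}

/*
 * Exercise sanitize_path() in a fresh temporary directory with constructed
 * paths.  Returns a bitmask of the cases that behaved as expected (0xf = all).
 */
int
run_demo(void)
{
	char dir[] = "/tmp/sanitize.XXXXXX";
	char allowed[PATH_MAX], path[PATH_MAX], resolved[PATH_MAX];
	int fd, ok = 0;

	if (mkdtemp(dir) == NULL || realpath(dir, allowed) == NULL)
		return -1;
	/* 1: an existing file resolves */
	snprintf(path, sizeof(path), "%s/isakmpd.conf", dir);
	if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) != -1)
		close(fd);
	if (sanitize_path(path, allowed, resolved) == 0)
		ok |= 1;
	unlink(path);
	/* 2: a missing file in an existing directory is created */
	snprintf(path, sizeof(path), "%s/ike.pcap", dir);
	if (sanitize_path(path, allowed, resolved) == 0 && access(path, F_OK) == 0)
		ok |= 2;
	unlink(path);
	/* 3: a missing directory component is rejected with ENOENT */
	snprintf(path, sizeof(path), "%s/nodir/ike.pcap", dir);
	if (sanitize_path(path, allowed, resolved) == -1 && errno == ENOENT)
		ok |= 4;
	/* 4: escaping the allowed directory is rejected and nothing is created */
	snprintf(path, sizeof(path), "%s/../escape.pcap", dir);
	if (sanitize_path(path, allowed, resolved) == -1 && errno == EACCES &&
	    access("/tmp/escape.pcap", F_OK) == -1)
		ok |= 8;
	rmdir(dir);
	return ok;
}
```

Two caveats a reviewer would raise on this shape: the file is created with the parent's credentials before the final realpath(3) check, so the directory check beforehand is what keeps the creation inside the sandbox; and a symlinked directory inside ALLOWED that points outside is still followed, which the final under() check catches only after the file has been placed at the link target.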
|
|
isakmpd and iked to REQUIRE. Filter policy violations earlier.
ok sashan@ bluhm@
|
|
non-existing isakmpd.conf(5) file. This was a result of the changed
realpath(3) behavior. Now isakmpd(8) uses the errno from the system.
reported by igor kos; OK deraadt@
|
|
help/ok deraadt
|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
|
|
- show an example sed to substitute the $ENV::CERTIP/CERTFQDN strings
while copying /etc/ssl/x509v3.cnf to a temp file
- don't use /etc/ssl/x509v3.cnf on the command line when we've just
told people to copy and edit
- fix an instance of CERTIP that should have been CERTFQDN
based on diffs from Sevan Janiyan, feedback/ok jmc@
|
|
where the "wrong" #define was used.
ok dlg@
|
|
ok millert@ mpi@
|
|
the Listen-on directive in isakmpd.conf(5). This directive can be necessary
in multi-homed situations, and if isakmpd(8) is used with carp(4).
ok sthen@ mpi@
|
|
|
|
No object change.
|
|
Fix at least interoperability with Cisco when isakmpd(8) is initiating
the connections, originally reported by sebastia@ in 2014.
Refreshed diff from and ok hshoexer@, ok sthen@, ok remi@
|
|
From Scott Cheloha, ok tb@
|