| Age | Commit message (Collapse) | Author |
|---|
|
Similar to the permission checks performed on iked.conf(5) due to the
possibility of it containing inline psk strings, require psk files to not be
group writable or world read-writable.
ok tobhe@
|
|
heavy lifting by & OK sthen
|
|
ok tobhe
|
|
redundant since we call daemon() earlier.
ok bluhm@
|
|
|
|
ok markus@ yasuoka@
|
|
|
|
ok tobhe
|
|
ok miod@, deraadt@, otto@ and bluhm@
|
|
from markus@
|
|
added.
OK millert@
|
|
fragment can trigger retransmission of the full fragment queue.
From RFC7383, 2.6.1:
"[...] that even MUST only trigger a retransmission of the response message
(fragmented or no) if the Fragment Number field in the received
fragments is set to 1; otherwise, it MUST be ignored."
from markus
|
|
|
|
This makes it possible to provision virtual machine images that
need a "BIOS Boot" partition.
Report, original diff and testing by Christian Ludwig. Thanks!
ok miod@
|
|
Problem spotted and diff from Einfach Jemand (rru.142 at gmail),
thanks!
OK phessler, jca
|
|
are set up by child processes. The parent sends a ping to all children
and only starts once it has received an acknowledgement from all of them.
This fixes a race condition on process startup when the parent starts
running before all children are ready.
From markus@
|
|
from markus@
|
|
from markus@
|
|
Both can be used to cause high CPU load and potentially denial of
service with specifically crafted DNSSEC responses.
This is a sync with unbound(8).
|
|
"RFC 2131 4.1 Constructing and sending DHCP messages" has this:
| Selecting a new 'xid' for each retransmission is an implementation
| decision. A client may choose to reuse the same 'xid' or select a new
| 'xid' for each retransmitted message.
We used to change xid for each request / response cycle but this ran
into problems with slow dhcp servers where we would change the xid too
frequently and would ignore late coming replies from the server.
Andre S points out that table 5 in "4.4.1 Initialization and
allocation of network address" says for the xid field in "DHCPREQUEST"
messages:
| 'xid' from server DHCPOFFER message
This seems to suggest that we need to use the same xid for the whole
DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK exchange of messages.
Nothing else in the RFC is saying this though.
But since there are DHCP servers out there that depend on this, we
only generate a new xid when entering the INIT, REBOOTING and RENEWING
state.
I do wonder if we should just go with a static value of 0x04, which
was chosen by a fair dice roll, so guaranteed to be random.
Issue reported, initial diff and fix tested by Andre S
deraadt likes this version
OK tb
|
|
Currenly PROC_PARENT sends the configuration to both PROC_CERT and
PROC_IKEV2 and finishes by sending IMSG_CTL_ACTIVE to PROC_IKEV2.
However, when PROC_IKEV2 receives IMSG_CTL_ACTIVE it does not know
the state of PROC_CERT: PROC_CERT might not have processed the
initial configuration while PROC_IKEV2 already sends requests to
PROC_CERT, causing failed requests, or even crashes (NULL deref of
ca_certs).
In order to make sure that PROC_CERT is ready before
IMSG_CTL_ACTIVE is sent to PROC_IKEV2 that startup protocol
is changed as follows:
(1) PROC_PARENT sends configuration to both PROC_CERT and PROC_IKEV2
(2) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_CERT
(3) PROC_CERT acks IMSG_CTL_ACTIVE by sending it back to PROC_PARENT
(4) PROC_PARENT now knows that PROC_CERT is ready and has processed
all messages from step (1)
(5) PROC_PARENT sends IMSG_CTL_ACTIVE to PROC_IKEV2 and knows that
IMSG_CTL_ACTIVE will be processed by PROC_IKEV2 after all
messages from step (1)
(6) PROC_IKEV2 can now assume that PROC_CERT is ready because it has
already processed IMSG_CTL_ACTIVE
from markus@
|
|
OK millert@
|
|
found by "buffer overflow 'anchortypes' 10 <= 12" smatch error
feedback and ok sashan@, ok miod@ on an earlier version
|
|
discussed with markus@
|
|
input deraadt, ok tobhe
|
|
Softdep has been a no-op for some time now, this removes it to get
it out of the way.
Flensing mostly done in Talinn, with some help from krw@
ok deraadt@
|
|
From Stefan R. Filipek, thanks!
|
|
found by "buffer overflow 'peerxfs' 6 <= 6" smatch error
tobhe@ had a remote peer attempt a transform type of 6 and it is caught
by earlier checks before getting here.
ok tobhe@
|
|
found by "snprintf() is printing too much 8192 vs 1024" smatch error
ok tobhe@ stsp@
|
|
bluhm@ pointed out pfctl_net_kill_states() suffers from the
same copy'n'paste typo. Commit combines both fixes.
OK @bluhm, OK @kn
|
|
ok tobhe
|
|
Thus, dhcpleased accept non-calculated checksums which were verified by
hardware/hypervisor.
With tweaks from dlg@
ok bluhm@
mkay tobhe@
|
|
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a uniq peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.
from markus@
|
|
for other generic KMS drivers.
ok jsg@, matthieu@
|
|
proc_forward_imsg() does not need to forward file descriptors so just use
-1 there. In other places shuffle debug messages around or use a helper
variable since imsg_get_fd() can only be called once.
OK tb@ tobhe@
|
|
In this case iked would just silently drop incomming connections.
Thus, the user has a chance to figure out whats going on.
ok tobhe@
|
|
message.
from markus@
|
|
rules found in every anchor. This commit introduces the same behavior
for tables. Command 'pfctl -a "*" -sT' prints all tables attached to
every anchor loaded to pf(4).
Inconsistency has been noticed by Klemens (kn@).
OK @bluhm, OK @kn
|
|
ok jmc@
|
|
optimization. As observed by ali_farzanrad(at)riseup.net, support
for these was broken in the 5.5 release in early 2014 by the time_t
changes. No one noticed before now, so clearly this isn't something
we need to continue to support; rejecting in ffs_validate() is an
improvement.
Also: simplify DIRSIZ(), drop OLDDIRFMT and NEWDIRFMT, tests of
fs_maxsymlinklen against zero, #ifdef tests of FS_44INODEFMT, and
remove support for newfs -O0, last used in 2016.
ok miod@
|
|
|
|
Fixes SA tagging and a possible leak.
from markus@
|
|
|
|
Go ahead florian@ OK tb@
|
|
and breaks because ibuf_seek() now uses rpos itself. Now this is just
ibuf_get_ibuf() with an extra allocation done.
OK tobhe@ tb@
|
|
|
|
This lets dhcpleased(8) request "IPv6-only preferred". If the
server replies with this option dhcpleased stops and does not request
a lease and deconfigures IPv4 on the interface.
For now this is pretty much useless unless one dynamically configures
pf(4) to act as a CLAT. gelatod(8) from ports can help with this.
However, this helps me while hacking on a kernel based stateless CLAT
by moving dhcpleased out of the way while having an IPv6-mostly
network configured to compare behaviour with macOS.
Input jmc
OK phessler
Input & OK sthen
|
|
from markus@
|
|
this can be used to add static entries on interfaces like vxlan(4).
|
|
|
