History log of /openbsd/sbin/iked/iked.h (Results 1 – 25 of 230)
Revision Date Author Comments
# 2117af45 02-Mar-2024 tobhe <tobhe@openbsd.org>

Trigger retransmission only for fragment 1/x, otherwise each received
fragment can trigger retransmission of the full fragment queue.

From RFC7383, 2.6.1:
"[...] that even MUST only trigger a retransmission of the response message
(fragmented or no) if the Fragment Number field in the received
fragments is set to 1; otherwise, it MUST be ignored."

from markus


# 8e8f56e9 15-Feb-2024 tobhe <tobhe@openbsd.org>

Introduce new IMSG_CTL_PROCREADY which is used to signal that all pipes
are set up by child processes. The parent sends a ping to all children
and only starts once it has received an acknowledgement from all of them.
This fixes a race condition on process startup when the parent starts
running before all children are ready.

From markus@


# ac16f2e6 15-Feb-2024 tobhe <tobhe@openbsd.org>

Delay enabling sockets until ikev2 process is ready.

from markus@


# 48f91964 15-Feb-2024 tobhe <tobhe@openbsd.org>

Remove unused control_socks queue.

from markus@


# 0fbd6532 24-Jan-2024 tobhe <tobhe@openbsd.org>

Use per connection peerid for control replies
instead of 'broadcasting' replies for 'ikectl show sa' and
similar control requests, we now assign a unique peerid to each
request and pass this peerid between the processes so the reply
can be sent on the matching connection.

from markus@


# 73cd769d 15-Jan-2024 tobhe <tobhe@openbsd.org>

Include cert_partial_chain in iked_static instead of sending a separate
message.

from markus@


# 1c18b693 11-Aug-2023 tobhe <tobhe@openbsd.org>

Add iked support for route based sec(4) tunnels.

To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.

ok dlg@


# dca9e784 28-Jul-2023 claudio <claudio@openbsd.org>

Implement print_hexbuf() to hexdump the contents of an ibuf.
OK tb@


# f6f27851 18-Jul-2023 claudio <claudio@openbsd.org>

Kill ibuf_cat() since there is now ibuf_add_buf() in the official API.
OK tb@ tobhe@


# bd027751 16-Jul-2023 claudio <claudio@openbsd.org>

Merge ibuf_get() with ibuf_getdata() and rename it to ibuf_getdata().
Also replace a ibuf_reserve() call with ibuf_add_zero() and
remove a buf->buf == NULL check in ibuf_length() since it is not necessary.
OK tobhe@ tb@


# a30a01d6 28-Jun-2023 tobhe <tobhe@openbsd.org>

Add support to verify X509 chain from CERT payloads.
Encode cert and intermediate CAs in new cert bundle object,
so the information can be passed to the ca process in one step.
Pass untrusted intermediates to X509_verify_cert().

From markus@


# 8d3b03ab 25-Jun-2023 op <op@openbsd.org>

remove ca_sslinit()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

spotted by tb, ok tb tobhe


# 19778535 19-Jun-2023 claudio <claudio@openbsd.org>

Improve the ibuf API by adding these functions:
Functions extending ibuf_add to work with more specific data types
ibuf_add_buf, ibuf_add_zero, ibuf_add_n8, ibuf_add_n16, ibuf_add_n32,
ibuf_add_n64
Functions replacing ibuf_seek where data at a specific offset is modified
ibuf_set, ibuf_set_n8, ibuf_set_n16, ibuf_set_n32, ibuf_set_n64
Functions to check, get and set the file descriptor stored on the ibuf
ibuf_fd_avail, ibuf_fd_get, ibuf_fd_set
and ibuf_data() to access the data buffer, to be used together with ibuf_size()

On top of this add an optimized imsg_compose_ibuf() where an ibuf is wrapped
into an imsg in an efficient way.

Finally remove msgbuf_drain since it is not used by anything outside of
the ibuf code. Because of this removal bump the major of libutil.

Remove ibuf_data() in iked since the same function is now provided by libutil.
OK tb@


# a8c4b3e4 16-Jun-2023 tb <tb@openbsd.org>

Now that print_host() is unused, rename it to print_addr() and simplify.

ok claudio tobhe


# 14e2a040 13-Jun-2023 tb <tb@openbsd.org>

iked: introduce and use print_addr()

The vast majority of print_host() callers cast the first argument
(usually a sockaddr_storage *) to (struct sockaddr *) and pass both
a NULL buffer and 0 length. Cast and useless arguments lead to
awkward line wrapping in many places. Clean this up by introducing a
helper. Make this helper take a void pointer, so all casts go away.

ok claudio kn tobhe


# c308a74e 12-Jun-2023 claudio <claudio@openbsd.org>

Use stdio open_memstream(3) to build up log strings instead of trying to
abuse ibufs for that. Using stdio for this has the benefit of using any
stdio function to build up strings including fprintf().
With and OK tb@


# 37e80bc6 30-May-2023 claudio <claudio@openbsd.org>

Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat()
method but instead of overwriting ibuf internals replace the buf a level up.
Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to
msg_data (which is another footgun to disarm at some point).
OK tb@


# 56c4e216 23-May-2023 claudio <claudio@openbsd.org>

Replace ibuf_advance() with ibuf_reserve().
OK tobhe@ tb@ kn@


# be2b38f5 23-May-2023 claudio <claudio@openbsd.org>

Replace ibuf_release() with ibuf_free() since the former just calls the latter
OK kn@ tb@


# 022b5824 23-May-2023 claudio <claudio@openbsd.org>

There is no need to ibuf_zero() or memset() any buffers.
More cleanup will follow.
OK tobhe@


# e8e9d77f 05-Mar-2023 tobhe <tobhe@openbsd.org>

Fix clean process shutdown by storing env globally like vmd and httpd do
instead of getting it from p_ps. The old approach does not work anymore
after the recent fork + exec update.

ok patrick@


# a7dbf4ae 04-Mar-2023 tobhe <tobhe@openbsd.org>

Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@


# 229c27f0 03-Dec-2022 tobhe <tobhe@openbsd.org>

Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.


# b41cc0c8 19-Sep-2022 tobhe <tobhe@openbsd.org>

Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@


# 87148674 22-Jul-2022 tobhe <tobhe@openbsd.org>

Include an OpenIKED Vendor ID payload in the initial handshake. This will
make it easier to handle interoperability problems with older versions in
the future. The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).

ok markus@ bluhm@
