2117af45 | 02-Mar-2024 | tobhe <tobhe@openbsd.org>
Trigger retransmission only for fragment 1/x, otherwise each received fragment can trigger retransmission of the full fragment queue.
From RFC7383, 2.6.1: "[...] that event MUST only trigger a retransmission of the response message (fragmented or not) if the Fragment Number field in the received fragments is set to 1; otherwise, it MUST be ignored."
from markus

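The RFC 7383 rule this commit implements, as an added example written for this page and not iked's own code: a minimal responder model that keeps the response to the last completed request queued and, when a retransmitted fragment of that request arrives, resends the whole queue only for Fragment Number 1. The `strict` flag switches between the old behaviour (every fragment resends the queue) and the RFC rule, so the amplification the commit message describes is visible in the returned counters. `responder_recv`, `scenario`, `RESP_FRAGS` and the three-fragment request with Message ID 5 are illustrative assumptions; the traffic is constructed.

```c
/*
 * Added example (not iked code) of the RFC 7383 2.6.1 retransmission rule.
 * All identifiers are hypothetical; the traffic in scenario() is constructed.
 */
#include <stdio.h>
#include <string.h>

#define RESP_FRAGS	3	/* assumed size of the queued (fragmented) response */

struct ikev2_frag {
	unsigned int	msgid;		/* Message ID of the request */
	unsigned int	frag_num;	/* Fragment Number, 1-based */
	unsigned int	total;		/* Total Fragments */
};

struct responder {
	int		strict;		/* 1: only fragment 1 retransmits, 0: old behaviour */
	unsigned int	cur_msgid;	/* request currently being reassembled */
	unsigned int	recv_mask;	/* bit i-1 set once fragment i arrived */
	int		have_response;	/* a response to last_msgid is queued */
	unsigned int	last_msgid;
	unsigned int	retransmits;	/* times the full response queue was resent */
	unsigned int	frags_sent;	/* fragments put on the wire in total */
};

/* Put every fragment of the queued response on the wire. */
static void
send_response_queue(struct responder *r)
{
	r->frags_sent += RESP_FRAGS;
}

/* Handle one received fragment; returns 1 if a response was (re)sent. */
static int
responder_recv(struct responder *r, const struct ikev2_frag *f)
{
	if (f->frag_num < 1 || f->frag_num > f->total || f->total > 31)
		return 0;	/* malformed fragment: drop */

	if (r->have_response && f->msgid == r->last_msgid) {
		/*
		 * Retransmitted fragment of an already answered request. Only
		 * Fragment Number 1 may resend the response; without this check
		 * every fragment resends the whole queue (total * RESP_FRAGS).
		 */
		if (r->strict && f->frag_num != 1)
			return 0;
		r->retransmits++;
		send_response_queue(r);
		return 1;
	}

	if (f->msgid != r->cur_msgid) {	/* new request: restart reassembly */
		r->cur_msgid = f->msgid;
		r->recv_mask = 0;
	}
	r->recv_mask |= 1u << (f->frag_num - 1);
	if (r->recv_mask != (1u << f->total) - 1)
		return 0;	/* still waiting for more fragments */

	/* Request complete: process it and send the fragmented response. */
	r->last_msgid = f->msgid;
	r->have_response = 1;
	r->recv_mask = 0;
	send_response_queue(r);
	return 1;
}

/*
 * Constructed scenario: a 3-fragment request (Message ID 5) is delivered and
 * answered, then the initiator, having lost the response, retransmits it.
 */
static struct responder
scenario(int strict)
{
	const struct ikev2_frag req[] = { {5, 1, 3}, {5, 2, 3}, {5, 3, 3} };
	size_t i, n = sizeof(req) / sizeof(req[0]);
	struct responder r;

	memset(&r, 0, sizeof(r));
	r.strict = strict;
	for (i = 0; i < n; i++)
		responder_recv(&r, &req[i]);	/* first delivery */
	for (i = 0; i < n; i++)
		responder_recv(&r, &req[i]);	/* initiator retransmits */
	return r;
}

/* How often the responder resent its full response queue. */
unsigned int retransmits_in_scenario(int strict) { return scenario(strict).retransmits; }

/* How many fragments the responder put on the wire in total. */
unsigned int frags_on_wire(int strict) { return scenario(strict).frags_sent; }

int
main(void)
{
	printf("old behaviour: %u resends, %u fragments sent\n",
	    retransmits_in_scenario(0), frags_on_wire(0));
	printf("RFC 7383 rule: %u resends, %u fragments sent\n",
	    retransmits_in_scenario(1), frags_on_wire(1));
	return 0;
}
```

With the old behaviour the retransmitted three-fragment request makes the responder resend its queue three times (12 fragments on the wire for a 3-fragment exchange); with the check only the first fragment triggers a resend (6 fragments). The same `responder` state also shows why the check is cheap: the responder already has to remember the last answered Message ID to detect a retransmission at all.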
8e8f56e9 | 15-Feb-2024 | tobhe <tobhe@openbsd.org>
Introduce new IMSG_CTL_PROCREADY which is used to signal that all pipes are set up by child processes. The parent sends a ping to all children and only starts once it has received an acknowledgement from all of them. This fixes a race condition on process startup when the parent starts running before all children are ready.
From markus@

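The startup rendezvous this commit describes, as an added example written for this page rather than iked's proc.c: the parent forks its children, writes a ready ping to each of them and refuses to continue until every child has acknowledged, which closes the window in which the parent would otherwise run before the children finished their setup. It uses plain pipe(2) byte messages in place of iked's imsg channels; `MSG_PROCREADY`, `startup_barrier`, `child_main` and the 20 ms setup delay are illustrative assumptions.

```c
/*
 * Added example (not iked's proc.c): a ping/ack startup barrier in the spirit
 * of IMSG_CTL_PROCREADY, over plain pipes instead of imsg. All names are
 * hypothetical; MSG_PROCREADY is a made-up one-byte stand-in.
 */
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define MAXCHILD	8
#define MSG_PROCREADY	0x2a

struct child {
	pid_t	pid;
	int	ping_fd;	/* parent writes the ping here */
	int	ack_fd;		/* parent reads the child's ack here */
};

/* Child side: finish local setup first, only then answer the parent's ping. */
static void
child_main(int ping_rd, int ack_wr)
{
	struct timespec setup = { 0, 20 * 1000 * 1000 };	/* 20 ms of "setup" */
	unsigned char msg;

	nanosleep(&setup, NULL);	/* stands in for creating the child's own pipes */
	if (read(ping_rd, &msg, 1) != 1 || msg != MSG_PROCREADY)
		_exit(1);
	msg = MSG_PROCREADY;
	if (write(ack_wr, &msg, 1) != 1)
		_exit(1);
	_exit(0);
}

/*
 * Fork nchild children, ping each of them and block until every child has
 * acknowledged. Returns the number of acks received, -1 on error; the parent
 * may start its main loop only when the result equals nchild.
 */
int
startup_barrier(int nchild)
{
	struct child c[MAXCHILD];
	unsigned char msg = MSG_PROCREADY;
	int i, j, acks = 0, ping[2], ack[2];

	if (nchild < 1 || nchild > MAXCHILD)
		return -1;

	for (i = 0; i < nchild; i++) {
		if (pipe(ping) == -1 || pipe(ack) == -1)
			return -1;
		c[i].pid = fork();
		if (c[i].pid == -1)
			return -1;
		if (c[i].pid == 0) {
			for (j = 0; j < i; j++) {	/* drop siblings' fds */
				close(c[j].ping_fd);
				close(c[j].ack_fd);
			}
			close(ping[1]);
			close(ack[0]);
			child_main(ping[0], ack[1]);	/* never returns */
		}
		close(ping[0]);
		close(ack[1]);
		c[i].ping_fd = ping[1];
		c[i].ack_fd = ack[0];
	}

	for (i = 0; i < nchild; i++)	/* ping every child ... */
		if (write(c[i].ping_fd, &msg, 1) != 1)
			return -1;

	for (i = 0; i < nchild; i++) {	/* ... and wait for every ack */
		if (read(c[i].ack_fd, &msg, 1) == 1 && msg == MSG_PROCREADY)
			acks++;
		close(c[i].ping_fd);
		close(c[i].ack_fd);
	}
	for (i = 0; i < nchild; i++)
		waitpid(c[i].pid, NULL, 0);

	return acks;
}

int
main(void)
{
	int n = startup_barrier(3);

	printf("%d of 3 children acknowledged%s\n", n, n == 3 ? ", starting" : "");
	return n == 3 ? 0 : 1;
}
```

The point of the second loop is that `read` on each ack pipe blocks until that child has both completed its setup and seen the ping, so the parent cannot race ahead of a slow child; a child that dies before acknowledging closes its write end and the parent sees EOF instead of an ack, so the count comes back short rather than hanging.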
ac16f2e6 | 15-Feb-2024 | tobhe <tobhe@openbsd.org>
Delay enabling sockets until ikev2 process is ready.
from markus@

48f91964 | 15-Feb-2024 | tobhe <tobhe@openbsd.org>
Remove unused control_socks queue.
from markus@

0fbd6532 | 24-Jan-2024 | tobhe <tobhe@openbsd.org>
Use per connection peerid for control replies instead of 'broadcasting' replies for 'ikectl show sa' and similar control requests. We now assign a unique peerid to each request and pass this peerid between the processes so the reply can be sent on the matching connection.
from markus@

73cd769d | 15-Jan-2024 | tobhe <tobhe@openbsd.org>
Include cert_partial_chain in iked_static instead of sending a separate message.
from markus@

1c18b693 | 11-Aug-2023 | tobhe <tobhe@openbsd.org>
Add iked support for route based sec(4) tunnels.
To use sec(4) instead of policy based tunnels, create a sec(4) interface and add 'iface secXX' to your policy config. sec(4) interfaces also support auto configuration for dynamic client IPs via 'request any' like all other interfaces. The config won't work without traffic selectors, 'from any to any' should work for now but I plan to make this optional in the future.
ok dlg@

dca9e784 | 28-Jul-2023 | claudio <claudio@openbsd.org>
Implement print_hexbuf() to hexdump the contents of an ibuf. OK tb@

f6f27851 | 18-Jul-2023 | claudio <claudio@openbsd.org>
Kill ibuf_cat() since there is now ibuf_add_buf() in the official API. OK tb@ tobhe@

bd027751 | 16-Jul-2023 | claudio <claudio@openbsd.org>
Merge ibuf_get() with ibuf_getdata() and rename it to ibuf_getdata(). Also replace a ibuf_reserve() call with ibuf_add_zero() and remove a buf->buf == NULL check in ibuf_length() since it is not necessary. OK tobhe@ tb@

a30a01d6 | 28-Jun-2023 | tobhe <tobhe@openbsd.org>
Add support to verify X509 chain from CERT payloads. Encode cert and intermediate CAs in new cert bundle object, so the information can be passed to the ca process in one step. Pass untrusted intermediates to X509_verify_cert().
From markus@

8d3b03ab | 25-Jun-2023 | op <op@openbsd.org>
remove ca_sslinit()
it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl initialize themselves automatically before doing anything.
spotted by tb, ok tb tobhe

19778535 | 19-Jun-2023 | claudio <claudio@openbsd.org>
Improve the ibuf API by adding these functions:
Functions extending ibuf_add to work with more specific data types: ibuf_add_buf, ibuf_add_zero, ibuf_add_n8, ibuf_add_n16, ibuf_add_n32, ibuf_add_n64
Functions replacing ibuf_seek where data at a specific offset is modified: ibuf_set, ibuf_set_n8, ibuf_set_n16, ibuf_set_n32, ibuf_set_n64
Functions to check, get and set the filedescriptor stored on the ibuf: ibuf_fd_avail, ibuf_fd_get, ibuf_fd_set
and ibuf_data() to access the data buffer, to be used together with ibuf_size()
On top of this add an optimized imsg_compose_ibuf() where an ibuf is wrapped into an imsg in an efficient way.
Finally remove msgbuf_drain since it is not used by anything outside of the ibuf code. Because of this removal bump the major of libutil.
Remove ibuf_data() in iked since the same function is now provided by libutil. OK tb@

a8c4b3e4 | 16-Jun-2023 | tb <tb@openbsd.org>
Now that print_host() is unused, rename it to print_addr() and simplify.
ok claudio tobhe

14e2a040 | 13-Jun-2023 | tb <tb@openbsd.org>
iked: introduce and use print_addr()
The vast majority of print_host() callers cast the first argument (usually a sockaddr_storage *) to (struct sockaddr *) and pass both a NULL buffer and 0 length. Cast and useless arguments lead to awkward line wrapping in many places. Clean this up by introducing a helper. Make this helper take a void pointer, so all casts go away.
ok claudio kn tobhe

c308a74e | 12-Jun-2023 | claudio <claudio@openbsd.org>
Use stdio open_memstream(3) to build up log strings instead of trying to abuse ibufs for that. Using stdio for this has the benefit of using any stdio function to build up strings including fprintf(). With and OK tb@

37e80bc6 | 30-May-2023 | claudio <claudio@openbsd.org>
Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat() method but instead of overwriting ibuf internals replace the buf a level up. Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to msg_data (which is another footgun to disarm at some point). OK tb@

56c4e216 | 23-May-2023 | claudio <claudio@openbsd.org>
Replace ibuf_advance() with ibuf_reserve(). OK tobhe@ tb@ kn@

be2b38f5 | 23-May-2023 | claudio <claudio@openbsd.org>
Replace ibuf_release() with ibuf_free() since the former just calls the latter. OK kn@ tb@

022b5824 | 23-May-2023 | claudio <claudio@openbsd.org>
There is no need to ibuf_zero() or memset() any buffers. More cleanup will follow. OK tobhe@

e8e9d77f | 05-Mar-2023 | tobhe <tobhe@openbsd.org>
Fix clean process shutdown by storing env globally like vmd and httpd do instead of getting it from p_ps. The old approach does not work anymore after the recent fork + exec update.
ok patrick@

a7dbf4ae | 04-Mar-2023 | tobhe <tobhe@openbsd.org>
Sync proc.c from vmd(8) to enable fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector.
ok bluhm@ patrick@

229c27f0 | 03-Dec-2022 | tobhe <tobhe@openbsd.org>
Consistently use uintXX_t from <stdint.h> instead of u_intXX_t.

b41cc0c8 | 19-Sep-2022 | tobhe <tobhe@openbsd.org>
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@ from and ok markus@

87148674 | 22-Jul-2022 | tobhe <tobhe@openbsd.org>
Include an OpenIKED Vendor ID payload in the initial handshake. This will make it easier to handle interoperability problems with older versions in the future. The ID is constructed from the string "OpenIKED-" followed by the version number. Sending of the vendor ID payload can be disabled by specifying "set novendorid" in iked.conf(5).
ok markus@ bluhm@