2117af45 | 02-Mar-2024 | tobhe <tobhe@openbsd.org>
Trigger retransmission only for fragment 1/x, otherwise each received fragment can trigger retransmission of the full fragment queue.
From RFC7383, 2.6.1: "[...] that even MUST only trigger a retransmission of the response message (fragmented or no) if the Fragment Number field in the received fragments is set to 1; otherwise, it MUST be ignored."
from markus

eef6c82a | 04-Aug-2023 | claudio <claudio@openbsd.org>
Convert calls to ibuf_length() where it is clear that the ibuf is not NULL to ibuf_size(). In some cases it is clear that the ibuf pointer should just be checked for NULL since afterwards a new ibuf is allocated in its place. OK tb@

dca9e784 | 28-Jul-2023 | claudio <claudio@openbsd.org>
Implement print_hexbuf() to hexdump the contents of an ibuf. OK tb@

a699afca | 28-Jul-2023 | claudio <claudio@openbsd.org>
Use ibuf_data() instead of accessing the ibuf buf pointer directly. Also convert some ibuf_add() calls to ibuf_add_buf() where appropriate. OK tobhe@ tb@

f6f27851 | 18-Jul-2023 | claudio <claudio@openbsd.org>
Kill ibuf_cat() since there is now ibuf_add_buf() in the official API. OK tb@ tobhe@

a30a01d6 | 28-Jun-2023 | tobhe <tobhe@openbsd.org>
Add support to verify X509 chain from CERT payloads. Encode cert and intermediate CAs in new cert bundle object, so the information can be passed to the ca process in one step. Pass untrusted intermediates to X509_verify_cert().
From markus@

14e2a040 | 13-Jun-2023 | tb <tb@openbsd.org>
iked: introduce and use print_addr()
The vast majority of print_host() callers cast the first argument (usually a sockaddr_storage *) to (struct sockaddr *) and pass both a NULL buffer and 0 length. Cast and useless arguments lead to awkward line wrapping in many places. Clean this up by introducing a helper. Make this helper take a void pointer, so all casts go away.
ok claudio kn tobhe

5001b11b | 06-Jun-2023 | claudio <claudio@openbsd.org>
Use ibuf_seek() instead of ibuf_data() + offset constructs. Effect is the same in these cases. OK tb@

37e80bc6 | 30-May-2023 | claudio <claudio@openbsd.org>
Replace the one use of ibuf_prepend() using a similar ibuf_new() + ibuf_cat() method but instead of overwriting ibuf internals replace the buf a level up. Users of ikev2_msg_send() are not allowed to hold and reuse a pointer to msg_data (which is another footgun to disarm at some point). OK tb@

56c4e216 | 23-May-2023 | claudio <claudio@openbsd.org>
Replace ibuf_advance() with ibuf_reserve(). OK tobhe@ tb@ kn@

be2b38f5 | 23-May-2023 | claudio <claudio@openbsd.org>
Replace ibuf_release() with ibuf_free() since the former just calls the latter. OK kn@ tb@

0d262a08 | 06-Dec-2022 | tobhe <tobhe@openbsd.org>
Print size_t with %zu.
ok patrick@

520fa7a1 | 03-Dec-2022 | tobhe <tobhe@openbsd.org>
Include endian.h where needed for betohXX functions.

68468697 | 11-Nov-2022 | mbuhl <mbuhl@openbsd.org>
In case of an invalid SA, resp is passed to ikev2_msg_cleanup without initialization, where the msg_parent field is accessed. ok tobhe

f336206e | 21-Sep-2022 | tobhe <tobhe@openbsd.org>
Distinguish between retransmit ok and nothing to retransmit. This makes sure ikes_retransmit_response events don't also increase the ikes_msg_rcvd_busy counter.
ok markus@

b41cc0c8 | 19-Sep-2022 | tobhe <tobhe@openbsd.org>
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@ from and ok markus@

6e264ad0 | 14-Mar-2022 | tobhe <tobhe@openbsd.org>
Improve retransmission of message fragments. RFC 7383 states that loss of a single fragment results in a retransmit of all fragments belonging to the same message. Instead of treating each fragment as a message with a separate retransmit timer, keep only a single timer for all fragments of a message and retransmit all fragments in order on timeout. Improves reliability in case of packet loss when fragmentation is enabled.
Found by and diff from Daniel Herzinger ok patrick@

6ff0dc77 | 01-Dec-2021 | deraadt <deraadt@openbsd.org>
whitespace cleanup during review read

d8ea035b | 29-Nov-2021 | deraadt <deraadt@openbsd.org>
sys/param.h was included for MAX(), MIN() and roundup(). Make local copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places, and also include a roundup(). ok jsg

9ce164ed | 27-Nov-2021 | tobhe <tobhe@openbsd.org>
Rename msg_id to msg_peerid now that we also have msg_localid.
ok patrick@

e3f5cf2e | 26-Nov-2021 | patrick <patrick@openbsd.org>
A peer sends both his local id and the remote id he expects us to be. So far we have only looked at the peer's local id, so that we can find a policy with the matching dstid set. Hence dstid is involved in the decision making. While we do send out our local id, which the peer will use to verify his policies, we do not yet make a decision based on the id the peer expects us to have. If you have two policies configured with only srcid set, we will always pick the same. To be able to choose a policy that matches the peer's expectations, save the local id the peer expects us to have and use it during policy lookup.
ok tobhe@

8f4d0788 | 07-Sep-2021 | tobhe <tobhe@openbsd.org>
Fix leak of m if message initialization fails.
ok markus@

d56261e5 | 02-Sep-2021 | tobhe <tobhe@openbsd.org>
style

9ef39cf4 | 01-Sep-2021 | tobhe <tobhe@openbsd.org>
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC route messages to propose the name server to resolvd(8). For now, iked will only propose a single name server from the first established connection.
Automatic name server configuration is enabled by default for policies using the 'iface' option.
discussed with deraadt@ ok for the DNS parts florian@ ok for the rest patrick@

52b3354c | 29-Oct-2020 | tobhe <tobhe@openbsd.org>
Add initial support to request IP addresses as IKEv2 initiator. At the moment the address is only negotiated and printed to the log. If 'request addr 0.0.0.0' is configured, any address will be accepted.
ok patrick@