Hi again, found this on cvsweb.openbsd.org:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date

"In the subjectAltName comparison, the bzero before the while-loop was lost
while applying the diff. This means sanid could be passed uninitialized to
ca_x509_subjectaltname_cmp(), where ibuf_release() could try to release a
pointer which is essentially stack garbage. While there I realized that the
bzero() in the loop is essentially fatal, since every mismatch leads to a
silent leak of ibufs. Since ca_x509_subjectaltname_cmp() releases and
initializes the passed iked_id, we can safely call it multiple times after
initializing sanid once before the loop."

Ignorant question: Does this mean a) that I should (try and probably fail to)
patch myself, b) that the change may become a syspatch, or c) that the next
release will include the patch? I'm running 6.2-stable.

Thanks again for the tip!

BR, Andreas

On Thu, 2 Nov 2017 at 08:25, Andreas Thulin <andreasthu...@gmail.com> wrote:
> Ah! Thank you!
>
> BR, Andreas
>
> On Wed, 1 Nov 2017 at 20:36, Mike Larkin <mlar...@azathoth.net> wrote:
>
>> On Wed, Nov 01, 2017 at 09:08:08AM +0000, Andreas Thulin wrote:
>> > Hi!
>> >
>> > I'm trying to set up iked on machine A, to create a tunnel between machines
>> > A and B. ikectl produces errors when creating a certificate with my "test"
>> > ca, and I have failed to understand why:
>> >
>> > # ikectl ca test certificate 192.168.1.1 create
>> > Generating RSA private key, 2048 bit long modulus
>> > ......................................+++
>> > ..........+++
>> > e is 65537 (0x10001)
>> > You are about to be asked to enter information that will be incorporated
>> > into your certificate request.
>> > What you are about to enter is what is called a Distinguished Name or a DN.
>> > There are quite a few fields but you can leave some blank
>> > For some fields there will be a default value,
>> > If you enter '.', the field will be left blank.
>> > -----
>> > Country Name (2 letter code) [DE]:
>> > State or Province Name (full name) [Lower Saxony]:
>> > Locality Name (eg, city) [Hanover]:
>> > Organization Name (eg, company) [OpenBSD]:
>> > Organizational Unit Name (eg, section) [iked]:
>> > Common Name (eg, fully qualified host name) [192.168.1.1]:
>> > Email Address [r...@openbsd.org]:
>> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
>> > Check that the request matches the signature
>> > Signature ok
>> > The Subject's Distinguished Name is as follows
>> > countryName           :PRINTABLE:'DE'
>> > stateOrProvinceName   :ASN.1 12:'Lower Saxony'
>> > localityName          :ASN.1 12:'Hanover'
>> > organizationName      :ASN.1 12:'OpenBSD'
>> > organizationalUnitName:ASN.1 12:'iked'
>> > commonName            :ASN.1 12:'192.168.1.1'
>> > emailAddress          :IA5STRING:'r...@openbsd.org'
>> > ERROR: adding extensions in section x509v3_IPAddr
>> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
>> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
>> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
>> > #
>> >
>> > The machine is i386 running 6.2-stable.
>> >
>> > I assume I'm doing something wrong, or have missed something in previous
>> > steps (I followed the example steps from the ikectl man page). Any tips on
>> > where to start digging/understanding/learning/fixing would be highly
>> > appreciated.
>> >
>> > BR, Andreas
>>
>> Search the archives, there's a diff to fix this from Oct 25 or so, but it
>> has not been committed yet.
>>
>> -ml
>>
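The two defects the quoted commit message describes (an id zeroed inside the loop so every mismatch leaks an ibuf, and an id never zeroed so a garbage pointer reaches ibuf_release()) are a general ownership pattern, not something specific to iked. The following is an added example written for this thread, not code from iked or from anyone in it: it models the ownership contract with constructed toy `ibuf`/`iked_id` types, a hypothetical `san_cmp()` standing in for ca_x509_subjectaltname_cmp(), and a live-allocation counter so the leak in the "bzero in the loop" variant is measurable next to the fixed "bzero once before the loop" variant. The SAN strings are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for iked's ibuf and iked_id (not the real types);
 * they only model ownership of one heap buffer. */
struct ibuf { char *data; size_t len; };
struct iked_id { struct ibuf *id_buf; int id_type; };

static int live_ibufs;	/* live allocation count: a minimal leak detector */

static struct ibuf *ibuf_new(const char *s)
{
	struct ibuf *b = calloc(1, sizeof(*b));
	if (b == NULL || (b->data = malloc(strlen(s) + 1)) == NULL)
		abort();
	b->len = strlen(s);
	memcpy(b->data, s, b->len + 1);
	live_ibufs++;
	return b;
}

static void ibuf_release(struct ibuf *b)
{
	if (b == NULL)	/* harmless on a zeroed id, fatal on stack garbage */
		return;
	free(b->data);
	free(b);
	live_ibufs--;
}

/* Hypothetical stand-in for ca_x509_subjectaltname_cmp() with the contract
 * the commit message relies on: release whatever the passed id holds,
 * reinitialize it, store the SAN being examined. 0 on match, -1 otherwise. */
static int san_cmp(const char *san, const char *want, struct iked_id *sanid)
{
	ibuf_release(sanid->id_buf);
	memset(sanid, 0, sizeof(*sanid));
	sanid->id_buf = ibuf_new(san);
	return strcmp(san, want) == 0 ? 0 : -1;
}

/* Before the fix: zeroing inside the loop forgets the ibuf stored by the
 * previous call, so every mismatch leaks one ibuf. With n == 0 sanid is
 * never zeroed and ibuf_release() would read an uninitialized pointer, the
 * other defect the commit describes. Returns 1 if a SAN matched. */
static int match_san_leaky(const char *const *sans, size_t n, const char *want)
{
	struct iked_id sanid;
	int found = 0;
	size_t i;

	for (i = 0; i < n && !found; i++) {
		memset(&sanid, 0, sizeof(sanid));	/* wrong place */
		found = san_cmp(sans[i], want, &sanid) == 0;
	}
	ibuf_release(sanid.id_buf);	/* frees only the last candidate */
	return found;
}

/* After the fix: zero once before the loop; san_cmp() releases and
 * reinitializes the id on every call, so nothing is lost between calls. */
static int match_san_fixed(const char *const *sans, size_t n, const char *want)
{
	struct iked_id sanid;
	int found = 0;
	size_t i;

	memset(&sanid, 0, sizeof(sanid));
	for (i = 0; i < n && !found; i++)
		found = san_cmp(sans[i], want, &sanid) == 0;
	ibuf_release(sanid.id_buf);
	return found;
}

/* Searches a constructed SAN list and returns how many ibufs are still
 * live afterwards; 0 means nothing leaked. */
static int leaks_after_search(int use_fixed, const char *want)
{
	static const char *const sans[] = {	/* constructed sample SANs */
		"vpn.example.test", "192.0.2.1", "gw.example.test"
	};
	size_t n = sizeof(sans) / sizeof(sans[0]);
	int before = live_ibufs;

	if (use_fixed)
		match_san_fixed(sans, n, want);
	else
		match_san_leaky(sans, n, want);
	return live_ibufs - before;
}

int main(void)
{
	printf("leaky, match on last SAN: %d leaked\n", leaks_after_search(0, "gw.example.test"));
	printf("fixed, match on last SAN: %d leaked\n", leaks_after_search(1, "gw.example.test"));
	printf("fixed, no match: %d leaked\n", leaks_after_search(1, "none.example.test"));
	return 0;
}
```

The leaky variant loses exactly one ibuf per candidate examined before the match (two for a match on the third SAN, two when nothing matches), while the fixed variant ends at zero in every case; the counter makes the difference visible without a leak checker, which is the kind of check worth keeping around a loop whose callee owns and replaces what it is handed.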