On Thu, 26 Dec 2024 17:29:30 +0100,
Stuart Henderson wrote:
>
> Diff that can be applied with patch:
> (I added optional braces as it's multi line and I think clearer
> like that).
>
> ok?
>
Doesn't a user who runs validation need access to the keys in /etc/iked/private?
>
> Index: iked.c
> =
On 2024/12/26 10:50, William Rusnack wrote:
> >Synopsis: When printing the parsed policy iked erroneously prints config
> >when it should print request.
> >Category: bin
> >Description:
> The below example iked.conf has a request configuration payload.
> ```iked.conf
> ikev
On 2024/12/26 10:52, William Rusnack wrote:
> >Synopsis: The iked cli arg parser accepts the -I and -P options with no
> >documentation in iked(8) or in the src itself as to what these flags do.
> >Category: bin
> >Description:
> iked supports two undocumented flags, -I and -P, that appear t
On 2024/12/26 17:36, Kirill A. Korinsky wrote:
> On Thu, 26 Dec 2024 17:29:30 +0100,
> Stuart Henderson wrote:
> >
> > Diff that can be applied with patch:
> > (I added optional braces as it's multi line and I think clearer
> > like that).
> >
> > ok?
> >
>
> Doesn't a user who runs validation
> Synopsis: Failure to detect rewind(3) errors in certificate validation
> Category: bin
> Description:
In iked(8), the ca_validate_pubkey() function uses rewind(3) to retry reading
a public key file in a different format after the first attempt fails. However,
rew
>Synopsis: Refactor iked parser to separate config and request parsing
>logic
>Category: bin
>Description:
The current implementation in parse.y duplicates logic between CONFIG
and REQUEST handling in the ikecfgvals grammar rule. This refactor extracts the
common parsing logic
On 2024/12/26 10:15, William Rusnack wrote:
> > Synopsis: iked leaves behind pf state entries for NAT-T (UDP 4500) upon
> > stopping
> > Category: bin
> > Description:
> When stopping iked with `rcctl stop iked`, the service leaves behind pf state
> entries for NAT-T (UDP 4500) that prevent n
On 2024/12/26 10:35, William Rusnack wrote:
> > Synopsis: iked.conf(5) incompletely documents comment syntax and has
> > potentially problematic behavior where comments can be continued with line
> > continuations (\), leading to unexpected configuration parsing. Man page
> > also fails to doc
On 2024/12/26 10:47, William Rusnack wrote:
> >Synopsis: The iked(8) daemon currently requires root privileges even when
> >run with -n (configtest mode), which only validates the configuration file
> >syntax. This prevents system administrators from validating iked
> >configuration files fro
>Synopsis: The iked(8) daemon currently requires root privileges even when
>run with -n (configtest mode), which only validates the configuration file
>syntax. This prevents system administrators from validating iked configuration
>files from non-privileged accounts.
>Category: bin
>De
>Synopsis: When printing the parsed policy iked erroneously prints config
>when it should print request.
>Category: bin
>Description:
The below example iked.conf has a request configuration payload.
```iked.conf
ikev2 \
from dynamic to any \
>Synopsis: The ordering of the iked flags -d and -n erroneously changes
>the debug level.
>Category: bin
>Description:
I've found an issue with iked's command line flag processing where the order of
the -d and -n flags affects the resulting debug level. This appears to
>Synopsis: iked allows for levels of debug and verbosity that are undocumented
>in iked(8)
>Category: bin
>Description:
Currently, iked(8) does not document that the -d and -v flags can be
specified multiple times.
>Fix:
Replace the iked(8) man text of
```txt
-d
>Synopsis: Update deprecated EVP_DigestInit/Final to _ex variants in iked
>Category: bin
>Description:
The OpenSSL EVP_DigestInit() and EVP_DigestFinal() functions have been deprecated
in favor of their _ex variants. The old functions automatically reset the context
>Synopsis: The iked cli arg parser accepts the -I and -P options with no
>documentation in iked(8) or in the src itself as to what these flags do.
>Category: bin
>Description:
iked supports two undocumented flags, -I and -P, that appear to be testing/development flags.
Wh
26.12.2024 19:29, Stuart Henderson wrote:
> Diff that can be applied with patch:
> (I added optional braces as it's multi line and I think clearer
> like that).
OK kn
> Synopsis: iked leaves behind pf state entries for NAT-T (UDP 4500) upon
> stopping
> Category: bin
> Description:
When stopping iked with `rcctl stop iked`, the service leaves behind pf state
entries for NAT-T (UDP 4500) that prevent normal network connectivity until
they expire natura
On Thu, Dec 26, 2024 at 10:46:10AM -0500, William Rusnack wrote:
> >Synopsis: The ordering of the iked flags -d and -n erroneously changes
> >the debug level.
> >Category: bin
> >Description:
> I've found an issue with iked's command line flag processing where the order of
> t
> Synopsis: iked.conf(5) incompletely documents comment syntax and has
> potentially problematic behavior where comments can be continued with line
> continuations (\), leading to unexpected configuration parsing. Man page also
> fails to document that comments can have preceding whitespace
> Synopsis: util.c mask2prefixlen6() may read beyond the end of netmask
> structure
> Category: security
> Description:
The mask2prefixlen6() function in iked util.c uses the sin6_len field from a
sockaddr_in6 structure to determine how many bytes to read when calculatin
On Thu, Dec 26, 2024 at 04:29:30PM +, Stuart Henderson wrote:
> On 2024/12/26 10:47, William Rusnack wrote:
> > >Synopsis: The iked(8) daemon currently requires root privileges even when
> > >run with -n (configtest mode), which only validates the configuration file
> > >syntax. This prevent
On Thu, Dec 26, 2024 at 04:33:22PM +, Stuart Henderson wrote:
> On 2024/12/26 10:50, William Rusnack wrote:
> > >Synopsis: When printing the parsed policy iked erroneously prints config
> > >when it should print request.
> > >Category: bin
> > >Description:
> > The below example iked.con