}
+ }
+
if (srcid) {
pol.pol_localid.id_type = get_id_type(srcid);
pol.pol_localid.id_length = strlen(srcid);
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index df7f2676dd1..a21099afe39 100644
--- a/sbin/iked/policy.c
+++ b/sbin
Hi,
while testing different x509 validator corner cases i found that a bunch of
errors are currently not handled in libcrypto.
In particular duplicate or undecodable extensions are ignored.
The diff below sets EXFLAG_INVALID whenever X509_get_ext_d2i() returns
an error (other than "not found") an
On Wed, Mar 03, 2021 at 05:36:12PM +0100, Theo Buehler wrote:
> On Thu, Feb 25, 2021 at 09:34:30PM +0100, Tobias Heider wrote:
> > Hi,
> >
> > while testing different x509 validator corner cases i found that a bunch of
> > errors are currently not handled in libcry
Hey,
the diff below adds FN key combos for Page Up, Page Down and some more
on the M2 keyboard. Most of the logic was copied from ukbd.
This makes scrolling tmux a lot more fun.
ok?
diff --git a/sys/arch/arm64/dev/apldc.c b/sys/arch/arm64/dev/apldc.c
index 82a17df59b5..a4db46d8a92 100644
--- a/
On Wed, Sep 14, 2022 at 11:56:48AM +, Miod Vallat wrote:
> > Hey,
> >
> > the diff below adds FN key combos for Page Up, Page Down and some more
> > on the M2 keyboard. Most of the logic was copied from ukbd.
>
> This means most of the munging logic should move from ukbd into hidkbd,
> but t
file mode 100644
index 000..f9774df20f2
--- /dev/null
+++ sys/dev/fdt/gpiobl.c
@@ -0,0 +1,127 @@
+/* $OpenBSD$ */
+/*
+ * Copyright (c) 2022 Tobias Heider
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted
Hi,
the diff below adds a new mouse type WSMOUSE_TYPE_APPLE which emulates Apples
touchpad behaviour. Instead of mapping soft-buttons to an area on the pad,
the different mouse buttons are mapped to single-finger, two-finger and
three-finger clicks as is the default in macos.
The diff enables th
On Sun, Sep 18, 2022 at 02:21:06PM +0200, Tobias Heider wrote:
> Hi,
>
> the diff below adds a new mouse type WSMOUSE_TYPE_APPLE which emulates Apples
> touchpad behaviour. Instead of mapping soft-buttons to an area on the pad,
> the different mouse buttons are mapped to sin
If EVP_PKEY_set1_RSA() returns 0 we seem leak pk here.
ok?
Index: rsa/rsa_prn.c
===
RCS file: /cvs/src/lib/libcrypto/rsa/rsa_prn.c,v
retrieving revision 1.7
diff -u -p -r1.7 rsa_prn.c
--- rsa/rsa_prn.c 29 Jan 2017 17:49:23 -000
Same diff as for RSA_print(). Old version leaks when EVP_PKEY_set1_DSA()
fails.
ok?
Index: dsa/dsa_prn.c
===
RCS file: /cvs/src/lib/libcrypto/dsa/dsa_prn.c,v
retrieving revision 1.6
diff -u -p -r1.6 dsa_prn.c
--- dsa/dsa_prn.c
If ain == NULL then a points to newly malloced memory which should be
freed when BN_bin2bn() fails.
ok?
Index: bn/bn_mpi.c
===
RCS file: /cvs/src/lib/libcrypto/bn/bn_mpi.c,v
retrieving revision 1.8
diff -u -p -r1.8 bn_mpi.c
--- bn/bn
nm.a is initialized to NULL until it gets alloced by x509_name_ex_new().
The following 'goto err' should free nm.a before returning.
ok?
Index: asn1/x_name.c
===
RCS file: /cvs/src/lib/libcrypto/asn1/x_name.c,v
retrieving revision 1.
On Tue, Nov 08, 2022 at 11:06:43AM -0700, Todd C. Miller wrote:
> On Tue, 08 Nov 2022 18:33:48 +0100, Tobias Heider wrote:
>
> > If ain == NULL then a points to newly malloced memory which should be
> > freed when BN_bin2bn() fails.
>
> We don't have an "ain&quo
Hi all,
we are working on automated bootloader and device-tree updates for Apple
Silicon machines. This is necessary because both drivers and device trees
are moving targets and without a way to update both we end up in situations
where drivers suddenly stop working.
All of the fw_update(8) infr
Here is the promised last diff we need to enable Apple M* bootloader updates.
With this, installboot(8) will pick up apple-boot.bin from the firmware
directory and writes it to $ESP/m1n1/boot.bin if both file and target
directory exist.
Creation of the m1n1/ directory is expected to happen during
On Sat, Nov 19, 2022 at 06:33:51PM +0100, Mark Kettenis wrote:
> > Date: Sat, 19 Nov 2022 18:26:36 +0100
> > From: Tobias Heider
> >
> > Here is the promised last diff we need to enable Apple M* bootloader
> > updates.
> >
> > With this, installbo
On Sat, Nov 19, 2022 at 07:25:52PM +0100, Mark Kettenis wrote:
> > Date: Sat, 19 Nov 2022 18:44:19 +0100
> > From: Tobias Heider
> >
> > On Sat, Nov 19, 2022 at 06:33:51PM +0100, Mark Kettenis wrote:
> > > > Date: Sat, 19 Nov 2022 18:26:36 +0100
> > >
On Sat, Nov 19, 2022 at 08:27:18PM +0100, Tobias Heider wrote:
> On Sat, Nov 19, 2022 at 07:25:52PM +0100, Mark Kettenis wrote:
> > > Date: Sat, 19 Nov 2022 18:44:19 +0100
> > > From: Tobias Heider
> > >
> > > On Sat, Nov 19, 2022 at 06:33:51PM +0100, Mark
On Mon, Nov 21, 2022 at 03:09:25PM +, Klemens Nanni wrote:
> On Mon, Nov 21, 2022 at 03:42:37PM +0100, Tobias Heider wrote:
> > Here is a more cleaned up version of the previous diff. I moved all the
> > firmware logic to a new write_firmware() function. This should be easy
&
The diff below disables the screen backlight on apple silicon macs when the
lid is closed.
Normally, we suspend or hibernate depending on the value of machdep.lid_action.
Since suspend doesn't work reliably yet I think this is a good intermediate
solution to save some power while the laptop is idl
On Thu, Nov 24, 2022 at 08:36:48PM +0100, Mark Kettenis wrote:
> > Date: Thu, 24 Nov 2022 19:04:03 +0100
> > From: Tobias Heider
> >
> > The diff below disables the screen backlight on apple silicon macs when the
> > lid is closed.
>
> Can we distinguish l
This is the boilerplate code to route lid_action through to aplsmc(4) which I
previously sent as part of another diff. Depending on how we are going to use
it, the aplsmc(4) part might need a bit of refinement to distinguish between
LID_OPEN/CLOSE events.
Index: arch/arm64/arm64/acpi_machdep.c
=
On Tue, Jun 13, 2023 at 10:57:06AM +0200, Theo Buehler wrote:
> There are a lot of print_host() calls that have an explicit cast and
> pass NULL, 0 as second and third arguments. This is responsible for a
> lot of awkward line wrapping. The exlicit casts can be avoided by
> using a function with a
On Sat, Jun 24, 2023 at 08:40:01PM +0200, Theo Buehler wrote:
> On Sat, Jun 24, 2023 at 08:15:40PM +0200, Omar Polo wrote:
> > while talking about a related matter with tb and jsing, jsing noted
> > that ssl_init() in smtpd is completely useless. All its loading is
> > already done automatically b
On Wed, Jun 28, 2023 at 08:38:16AM +, Gerhard Roth wrote:
> Hi Tobi,
>
> a recent change to iked.c moved the call to daemon() behind proc_init().
> Now iked forks all its children and afterwards daemonizes itself into
> background leaving the kids behind orphaned.
>
> The patch below restores
On Wed, Jun 28, 2023 at 12:03:41AM +0200, Ulf Brosziewski wrote:
> This version of the diff adds a wsconsctl field, named "mouse.tp.
> mtbuttons", and an update to the wsmouse.4 page. Apart from that, it
> contains only stylistic changes.
>
> The new wsconsctl field is just a boolean, I don't thi
This diff optionally enables the new multi touch mouse button behaviour
for apldcms.
ok?
diff f3d7c2e4ca7de4e46cc3e888ef8fbfe71829307f
63e5d5edf5e8315206aa117b1d3a6be78e7fdd94
commit - f3d7c2e4ca7de4e46cc3e888ef8fbfe71829307f
commit + 63e5d5edf5e8315206aa117b1d3a6be78e7fdd94
blob - 7f4d8fb56f0b9
I am planning to restructure the APM/sleep APIs to make it easier to suspend
from more places like as a suspend keyboard shortcut.
The acpiioctl handler is x86 specific code which is currently built on all
platforms but only hooked up on i386 and amd64. It is also in the way of
my plans, so I'd p
On Wed, Jul 05, 2023 at 04:53:33PM +0200, Tobias Heider wrote:
> I am planning to restructure the APM/sleep APIs to make it easier to suspend
> from more places like as a suspend keyboard shortcut.
>
> The acpiioctl handler is x86 specific code which is currently built on all
> pla
For bigger changesets I have started experimenting with using got.
I don't like to have the whole tree on disk twice so I keep my got and CVS
checkouts in the same directory.
A downside of this approach is of course that got always lists all the unknown
CVS dirs in got status. Does anything speak a
On Fri, Jul 07, 2023 at 02:02:49PM +0200, Alexander Hall wrote:
> On July 7, 2023 12:50:55 PM GMT+02:00, Stefan Sperling wrote:
> >On Fri, Jul 07, 2023 at 12:26:16PM +0200, Tobias Heider wrote:
> >> For bigger changesets I have started experimenting with using got.
> >&g
This diff adds request_sleep(), a MI way of sending the machine to sleep in a
safe thread. Support is limited to amd64, i386 and arm64 at the moment, macppc
is currently an empty stub since it doesn't implement a sleep task (yet).
Once this works, my next plan is adding a Ks_Cmd_Sleep keybinding t
On July 8, 2023 11:36:21 AM GMT+03:00, Mark Kettenis
wrote:
>> Date: Sat, 8 Jul 2023 10:10:51 +0200
>> From: Tobias Heider
>>
>> This diff adds request_sleep(), a MI way of sending the machine to sleep in a
>> safe thread. Support is limited to amd64
Now that we have request_sleep() we can add a new internal KS_Cmd_Sleep
keycode, map it into the macbook keyboard, catch in wskbd and go to sleep.
ok?
diff 4cfcaa1dc85fba5c0672ef2787341ee6cc639979
16365606ee1145b5ae95e7bb74a7d9a411d0004a
commit - 4cfcaa1dc85fba5c0672ef2787341ee6cc639979
commit +
On Sat, Jul 08, 2023 at 04:06:33PM +, Miod Vallat wrote:
> > Now that we have request_sleep() we can add a new internal KS_Cmd_Sleep
> > keycode, map it into the macbook keyboard, catch in wskbd and go to sleep.
> >
> > ok?
>
> > --- sys/dev/usb/ukbdmap.c
> > +++ sys/dev/usb/ukbdmap.c
> > @@
On Sat, Jul 08, 2023 at 07:33:01PM +0200, Tobias Heider wrote:
> On Sat, Jul 08, 2023 at 04:06:33PM +, Miod Vallat wrote:
> > > Now that we have request_sleep() we can add a new internal KS_Cmd_Sleep
> > > keycode, map it into the macbook keyboard, catch in
On Thu, Jul 13, 2023 at 05:44:03AM +0200, Theo Buehler wrote:
> This is analogous to the change that op committed to smtpd a few days
> ago. Instead of using ENGINE to make RSA use privsep via imsg, create
> an RSA method that has custom priv_enc/priv_dec methods, replace the
> default RSA method.
On Fri, Jul 14, 2023 at 05:53:41PM +, jon@elytron.openbsd.amsterdam wrote:
> Hello everyone. After a tobhe@'s recent patch [1] to add suspend
> keysyms for other mac laptops, and a brief consultation with him,
> I am reposting an updated version of my keyboard backlight
> patch [2], which you c
On Sun, Jul 16, 2023 at 04:24:15PM +0200, Claudio Jeker wrote:
> Rename ibuf_get() to ibuf_getdata() by merging the two functions together.
> I want to use ibuf_get() as part of the ibuf API so this needs to move.
> Also use ibuf_add_zero() in a place of ibuf_reserve() and remove a check
> for buf-
On Tue, Jul 18, 2023 at 03:16:12PM +0200, Claudio Jeker wrote:
> ibuf_cat() is the same as ibuf_add_buf() so use the latter.
ok tobhe@
>
> --
> :wq Claudio
>
> Index: eap.c
> ===
> RCS file: /cvs/src/sbin/iked/eap.c,v
> retrieving
On Fri, Jul 14, 2023 at 09:17:20PM +0200, Tobias Heider wrote:
> On Fri, Jul 14, 2023 at 05:53:41PM +, jon@elytron.openbsd.amsterdam wrote:
> > Hello everyone. After a tobhe@'s recent patch [1] to add suspend
> > keysyms for other mac laptops, and a brief consultatio
On Sat, Jul 22, 2023 at 08:59:04PM -0400, George Koehler wrote:
> On Wed, 19 Jul 2023 02:03:26 +0200
> Tobias Heider wrote:
>
> > > ok anyone?
> >
> > No one interested in working keyboard backlight shortcuts?
> > Don't get scared by the powerbook
On Sun, Jul 23, 2023 at 09:16:40PM +, jon@elytron.openbsd.amsterdam wrote:
> If I'm not mistaken, all wskbd_{get,set}_backlight uses are in the
> following drivers: acpicbkbd, acpithinkpad, asmc, pwmleds, and now
> my implementation in adb. It is my impression that they are roughly
> the same c
On Wed, Aug 10, 2022 at 11:08:43AM +, jon@elytron.openbsd.amsterdam wrote:
> Hello everyone. The following diff adds support for
> switching the record.source with the macppc onyx
> driver. I'm still unsure how to get mixerctl or
> sndctl to set the volume, any hints appreciated.
>
> Drew som
On Thu, Jul 27, 2023 at 03:31:32PM +0200, Claudio Jeker wrote:
> Use ibuf_data() instead of direct access to ibuf->buf.
> In some cases use ibuf_add_buf().
>
> --
> :wq Claudio
ok tobhe@
>
> Index: crypto.c
> ===
> RCS file: /cvs/
On Fri, Jul 28, 2023 at 12:06:54PM +0200, Claudio Jeker wrote:
> As suggested by tb@ add print_hexbuf() to hexdump an ibuf.
> Use this in place where a full ibuf is dumped. In some cases
> print_hex() is still used because the length is not the full
> ibuf or an offset is used.
>
> --
> :wq Claud
On Mon, Aug 07, 2023 at 02:22:23PM +1000, David Gwynne wrote:
> tobhe@ wrote the iked bits, so he'll commit them when he's ready.
>
> your config looks pretty much the same as mine except you specify a lot
> more stuff around lifetimes and crypto than i do. maybe try without "tunnel
> esp"?
>
> d
On Sat, Aug 12, 2023 at 06:41:17PM -0400, Andrew Cagney wrote:
> On Sat, 12 Aug 2023 at 16:18, Stuart Henderson wrote:
>
> > > Is there a way to get an updated ISO or kernel with the fix?
> > > (we're already adding an installer config file to the ISO, so why not a
> > > kernel)
> > >
> > > Andr
On Sun, Aug 13, 2023 at 08:33:54AM -0400, Andrew Cagney wrote:
> > Hi Andrew,
> >
> > can you share the qemu cmd you are using in your tests?
> > I'd like to see if I can reproduce this.
>
> Here's pretty much everything. Thanks for looking at it.
Thank you, I managed to reproduce your crash.
I
On Mon, Aug 14, 2023 at 02:07:12AM +, Jason Tubnor wrote:
> Hi,
>
> Testing sec(4) between 2 end points with iperf3, iked has lost the associated
> iface for the sec(4) point to point link. Specifically:
>
> pfkey_sa: unsupported interface
Not sure how this can happen. Have you destroyed an
Hi,
I was looking at my authlog today and as expected on a server exposed on the
public internet it is filled with random scanners and brute force attacks.
One thing I noticed is that there is a lot of information we log multiple
times for a each failed connection.
Some examples below:
sshd[6216
On Fri, Aug 18, 2023 at 06:43:50PM +0100, Stuart Henderson wrote:
> On 2023/08/18 17:39, Tobias Heider wrote:
> > Hi,
> >
> > I was looking at my authlog today and as expected on a server exposed on the
> > public internet it is filled with random scanners and brute for
On Sun, Aug 20, 2023 at 12:23:49PM +0200, Stefan Fritsch wrote:
> Am 13.08.23 um 17:38 schrieb Tobias Heider:
> > On Sun, Aug 13, 2023 at 08:33:54AM -0400, Andrew Cagney wrote:
> > > > Hi Andrew,
> > > >
> > > > can you share the qemu cmd you are usin
Hi,
the diff below disables and restores the keyboard backlight together with
the screen on idle timeout to save a bit of battery.
ok?
diff 848795b17df6d7aac8fe7242132657e294ce39df
0bb6b11cdeac4d4755e336594acf830b859e9d34
commit - 848795b17df6d7aac8fe7242132657e294ce39df
commit + 0bb6b11cdeac4d
On Thu, Sep 07, 2023 at 09:04:43AM +0200, Walter Alejandro Iglesias wrote:
> Dear OpenBSD developers,
>
> On Aug 2 I reported this bug:
>
> https://marc.info/?l=openbsd-bugs&m=169100763926909&w=2
>
> After fiddling around I found a solution that works for both vi base and
> nvi from ports:
>
Like with route messages we should really only forward pfkey messages
that made it past the validation step. This fixes a lot of possible
crashes in ipsecctl -m.
ok?
diff /home/user/got/co/src
commit - 1ce2bc211dba4164679169b9248650fd1d6ba9d2
path + /home/user/got/co/src
blob - e750ae8bdbe6819473
The diff below adds pledge("stdio") calls for the pfkey dump subset
of ipsecctl commands.
In particular ipsecctl -s which prints all SAs or flows in the kernel
and more importantly ipsecctl -m which contiously parses and prints every
pfkey message forwarded by the kernel don't seem to need any add
On Mon, Oct 09, 2023 at 12:29:43AM +0200, Tobias Heider wrote:
> The diff below adds pledge("stdio") calls for the pfkey dump subset
> of ipsecctl commands.
>
> In particular ipsecctl -s which prints all SAs or flows in the kernel
> and more importantly ipsecctl -m wh
On Sun, Oct 08, 2023 at 07:42:54PM +0200, Mark Kettenis wrote:
> Hector Martin has added support for the BCM4388 that is found on the
> last generation of Apple Macs. Based on his commits I've managed to
> get it working on my M2 Pro mini. I still have to clean up some of
> that stuff, but here i
ipsecctl wrongly assumes that strings like the pf tag or
the identities are always null terminated.
The diff below fixes the cases that always kill my
ipsecctl -m when running a fuzzer.
ok?
Index: pfkdump.c
===
RCS file: /mount/openb
On Mon, Oct 09, 2023 at 11:24:19PM +0200, Theo Buehler wrote:
> On Mon, Oct 09, 2023 at 10:49:53PM +0200, Tobias Heider wrote:
> > ipsecctl wrongly assumes that strings like the pf tag or
> > the identities are always null terminated.
> > The diff below fixes the case
On Mon, Oct 09, 2023 at 11:55:36PM +0200, Theo Buehler wrote:
> On Mon, Oct 09, 2023 at 11:50:14PM +0200, Tobias Heider wrote:
> > On Mon, Oct 09, 2023 at 11:24:19PM +0200, Theo Buehler wrote:
> > > On Mon, Oct 09, 2023 at 10:49:53PM +0200, Tobias Heider wrote:
> > >
On Fri, Mar 06, 2020 at 10:47:44AM +0100, Stefan Sperling wrote:
> 802.11 frame sequence numbers are in the range 0x0 - 0xfff.
>
> Don't let internal representations of sequence numbers grow beyond 0xfff.
>
> ok?
>
> diff 582540bcd55abf4efa3abe8c23ebc7f3c247245d
> ba499e0f51b139f9ad6d4b4ea1
Hi,
if timeout_initialized() returns 0, enqueue_randomness() may use 'ts'
uninitialized. This is not really a problem because the value is
blended with other collected entropy. To make things clearer
I would still prefer to always initialize 'ts'.
ok?
Index: rnd.c
=
Hi Wataru,
On Mon, Mar 09, 2020 at 08:09:24PM +0900, Wataru Ashihara wrote:
> to improve readability.
>
> This is the first time of my commit to OpenBSD, so if I went something
> wrong, let me know that.
Thanks for sharing, committed!
>
> Index: sbin/iked/config.c
> ===
Hi,
there seems to be a nullptr dereference in if_hooks_run.
When the inner while loop is exited because 't == NULL' the next
line is an access to 't->t_func'.
Because 't==NULL' means the TAILQ is fully traversed I think we
should break and exit instead.
ok?
Index: if.c
=
sr_error takes a sr_softc and a printf like format string + varargs.
There's no need to pass DEVNAME(sc) here.
ok?
Index: softraid.c
===
RCS file: /mount/openbsd/cvs/src/sys/dev/softraid.c,v
retrieving revision 1.398
diff -u -p -r1.3
If 'm = ifq->ifq_ops->ifqop_deq_begin(ifq, &cookie)' is not NULL
the loop is exited and an uninitialized 'int error' is returned.
Several lines below error is checked for '!= 0', so i assume it
was meant to be initialized to '0'.
ok?
Index: ifq.c
=
On Tue, Mar 10, 2020 at 12:01:45AM +0100, Klemens Nanni wrote:
> On Mon, Mar 09, 2020 at 11:41:14PM +0100, Tobias Heider wrote:
> > sr_error takes a sr_softc and a printf like format string + varargs.
> > There's no need to pass DEVNAME(sc) here.
> Either that or embed
On Mon, Mar 09, 2020 at 11:56:09PM +0100, Klemens Nanni wrote:
> On Mon, Mar 09, 2020 at 10:33:17PM +0100, Tobias Heider wrote:
> > there seems to be a nullptr dereference in if_hooks_run.
> Did your kernel crash here or did you find reading alone?
Coverity Scan found it
> > Wh
vmm uses 'strncpy(vm->vm_name, vcp->vcp_name, VMM_MAX_NAME_LEN)' to copy
to buffers of size VMM_MAX_NAME_LEN, which can leave the resulting string
unterminated.
>From strncpy(3):
strncpy() only NUL terminates the destination string when the length of
the source string is less than the length pa
Using strncpy with sizeof(string) may result in a non-nul-terminated
string at 'dst'. This is not too problematic here because if_xname is the same
size as 'ifra_name' and should always be NUL terminated.
I would still like to replace strncpy with strlcpy which implicitly includes
the null byte in
In main() mail.lmtp checks 'if (argc == 0 && session.rcptto == NULL)'
after getopt(). If neither an 'r' nor an 'u' option was specified,
'session.rcptto' seems to be uninitialized.
The obvious solution would be to NULL initialize 'struct session'.
ok?
Index: mail.lmtp.c
=
On Mon, Mar 16, 2020 at 04:54:19PM -0600, Todd C. Miller wrote:
> On Mon, 16 Mar 2020 23:46:35 +0100, Tobias Heider wrote:
>
> > In main() mail.lmtp checks 'if (argc == 0 && session.rcptto == NULL)'
> > after getopt(). If neither an 'r' nor an '
m_get_string(m, &buf) may set 'buf == NULL', which would lead
to strlen(NULL) in m_get_envelope.
I chose fatalx because that's what seems to be the common way to handle
errors in mproc but I don't know the code base to well.
Index: mproc.c
Hi,
this diff adds a new command to ikectl(8) and iked(8) that allows to reset
SAs based on the peers ID, which is equivalent to resetting a single policy.
The expected ID format is the same as printed by 'ipsecctl -sf' in the
'dstid' field.
Example:
$ ikectl reset id FQDN/peer1
ok?
diff --gi
It seems that there is no way 'rtm' could actually be NULL here, which
means we can get rid of the check.
ok?
Index: net/rtsock.c
===
RCS file: /mount/openbsd/cvs/src/sys/net/rtsock.c,v
retrieving revision 1.297
diff -u -p -r1.297 rt
In alloc_all_jacks() the variables 'sc_in_jacks' and 'sc_out_checks'
are set to NULL if 'sc_in_num_jacks' and 'sc_out_num_jacks' are 0.
Further down both are dereferenced unconditionally. I added explicit NULL
checks where I think they belong.
I think 'sc_in_ep' and 'sc_out_ep' can also be NULL, bu
On Mon, Mar 23, 2020 at 05:53:00PM -0300, Bernardo Cunha Vieira wrote:
> Hi,
> This fixes the users' database corruption after an iked reload.
> The old code overwrites the pointers in the RB tree, losing users
> if a list of users is provided in config file.
> Regards,
> Bernardo
Good find, thank
sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be
NULL if the memory pool is depleted.
The result is used as 'dst' argument to memcpy() in the following call to
sr_raid5_regenerate(), resulting in a possible NULL dereference.
ok?
Index: softraid_raid5.c
==
On Fri, Mar 27, 2020 at 10:39:52AM -0300, Bernardo Vieira wrote:
> Hi,
> inside the function ikev2_ikesa_enable the atribute sa_eapid should
> be copied to the new sa.
> Regards,
> Bernardo
Looks correct, thank you. Committed!
>
> Index: ikev2.c
>
On Sat, Mar 28, 2020 at 05:33:05PM -0600, Theo de Raadt wrote:
> Pretty obvious why.
>
> The kernel doesn't check it's a string, before calling strlcpy
> which (correctly) runs off the array hunting for the terminal NUL,
> and into the next object, and I guess it finds a NUL in the next
> VA page
On Sat, Mar 28, 2020 at 06:47:47PM -0600, Theo de Raadt wrote:
> Or strncpy with length - 1 would be also good, since it won't copy
>foo\0bar\0
> fully, but only
>foo\0
> into the buffer and store it as
>foo\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
> and gaurantee the \0 on the in-kern
On Fri, Apr 03, 2020 at 12:52:24AM +0900, Wataru Ashihara wrote:
> It would save our time of thinking and reading the source (i.e.
> eliminate the process of "what if the variable 'mobike' was 2 or more?
> ...aha it's just a bool").
>
> This is still work in progress. I would continue if you maint
Hi,
thank you, most of this diff looks good to me. I left some comments inline.
On Sun, Apr 05, 2020 at 01:58:04AM +0900, Wataru Ashihara wrote:
> The data wich sc_sock4 has is a little bit complicated:
>
>
>
Hi,
the diff below adds a new feature that allows the use of separate rdomains
for the encrypted and unencrypted side of ipsec(4) flows.
The idea is that an edge router that controls access to a private network
via ipsec can have its uplink in one rdomain and the private network in
another. The k
Hi,
the attached diff allows sdmmc(4) to use DMA for all commands instead of just
mem_read and mem_write.
There were problems in the past with some controllers not liking small DMA
transfers, so it would be nice to get this tested thorougly on different
hardware. So far I have successfully test
On Mon, Apr 13, 2020 at 11:56:36AM +0200, Tobias Heider wrote:
> Hi,
>
> the diff below adds a new feature that allows the use of separate rdomains
> for the encrypted and unencrypted side of ipsec(4) flows.
>
> The idea is that an edge router that controls access to a pri
On Mon, Apr 20, 2020 at 12:52:24PM +0200, Stephan Mending wrote:
> Hi,
> I was wondering if there was a reason why there are no AEAD Suites
> implemented for initial IKEX in iked or phase 1 in isamkmpd ? Even though
> iked's childSAs
> support it and Phase 2 in isakmpd does as well ? Is it just l
Hi,
the EC2N family of curves have been marked as insecure for at least 10 years.
In fact, IANA has stopped listing them altogether [1].
Their former IDs are now 'reserved'.
I think it's time for us to drop them as well.
ok?
[1]
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameter
On Tue, Apr 28, 2020 at 11:22:02AM +0100, Stuart Henderson wrote:
> On 2020/04/28 01:09, Tobias Heider wrote:
> > Hi,
> >
> > the EC2N family of curves have been marked as insecure for at least 10
> > years.
> > In fact, IANA has stopped listing them altogether
Hi,
I would like to modernize our crypto defaults a bit and add some of the
supported ECDH Diffie-Hellman groups to the default IKE crypto proposal.
There should be no downside to this, if they are not supported by the
other side one of the old MODP groups will be used.
The same for AEADs in the
On Thu, Apr 30, 2020 at 09:33:28PM +0100, Stuart Henderson wrote:
> On 2020/04/30 20:11, Tobias Heider wrote:
> > Hi,
> >
> > I would like to modernize our crypto defaults a bit and add some of the
> > supported ECDH Diffie-Hellman groups to the default IKE crypto propo
On Fri, May 01, 2020 at 11:35:23PM +0200, Stephan Mending wrote:
> Hi *,
>
> this diff removes SHA1 as default transform for integrity algorithms.
>
> It's been broken long enough. Let's at least get rid of it in iked's
> defaults.
>
> SHA1 is officially broken since 2011 and there have been dou
d
possible a trial period.
- Tobias
[1] https://tools.ietf.org/html/rfc2104
[2] https://cseweb.ucsd.edu/~mihir/papers/hmac-new.html
>
> On 02/05/2020 00:03, Tobias Heider wrote:
> > On Fri, May 01, 2020 at 11:35:23PM +0200, Stephan Mending wrote:
> > > Hi *,
> > >
On Sat, May 02, 2020 at 10:15:53AM +0200, René Ammerlaan wrote:
> Hi,
>
> I've found incorrect use of time in iked (-current). The event API doen’t use
> the monotonic clock, so this breaks the timer:
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x07409b52 last used
> 7466(gettime) - 15884
Hi,
thanks for the diff!
> SipHash and ChaCha20Poly1305 are already available in the kernel. The
> only modification here is add the short and simple chapoly AEAD
> construction alongside the existing AE one.
At first glance, I think you could use the crypto framework implementation for
the chac
Hi,
currently iked(8) supports AES-GCM only for ESP.
The diff below adds the ENCR_AES_GCM_16 and ENCR_AES_GCM_12 variants for IKE.
(for more information see [1] and [2]).
Both variants support the 128, 196, and 256 bit key lengths.
The new new ciphers can be configured with:
- aes-128-gcm, aes-19
On Thu, May 14, 2020 at 10:07:30PM +0200, Tobias Heider wrote:
> Hi,
>
> currently iked(8) supports AES-GCM only for ESP.
> The diff below adds the ENCR_AES_GCM_16 and ENCR_AES_GCM_12 variants for IKE.
> (for more information see [1] and [2]).
> Both variants support the 128, 19
Looks like you are missing the previous commit:
https://marc.info/?l=openbsd-cvs&m=158946893417378&w=2
1 - 100 of 260 matches
Mail list logo
