CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/04/01 14:03:26
Modified files:
sbin/iked : Tag: OPENBSD_7_7 ikev2.c ikev2_pld.c
regress/sbin/iked/parser: Tag: OPENBSD_7_7 common.c
Log message:
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
If we receive a response it must have the exact same msgid as the last
request we sent, so make sure they match exactly rather than allowing
higher msgids.
We can't handle out of order responses and if we don't receive a response
in time we retransmit our request until we get one or run into a timeout.
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
this is errata/7.7/033_iked.patch.sig
