Re: ikectl errors
On Thu, Nov 02, 2017 at 11:25:18PM +, Andreas Thulin wrote:
> Hi again,
>
> found this on cvsweb.openbsd.org:
>
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date
>
> "In the subjectAltName comparison, the bzero before the while-loop was
> lost while applying the diff. This means sanid could be passed
> uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
> could try to release a pointer which is essentially stack garbage.
> While there I realized that the bzero() in the loop is essentially
> fatal, since every mismatch leads to a silent leak of ibufs. Since
> ca_x509_subjectaltname_cmp() releases and initializes the passed
> iked_id, we can safely call it multiple times after initializing
> sanid once before the loop."
>
> Ignorant question: Does this mean a) that I should (try and probably fail
> to) patch myself, b) that the change may become a syspatch, or c) that the
> next release will include the patch? I'm running 6.2-stable.

This is a fixup for a change in -current, 6.2-stable is all fine. So
unless you were running -current, all good.

Patrick

> Thanks again for the tip!
>
> BR, Andreas
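The two defects the quoted commit message describes, modelled as an added example that is not iked's code: a constructed stand-in for struct iked_id, a stand-in for ca_x509_subjectaltname_cmp() that releases and refills the passed id, and the subjectAltName comparison loop in its leaky shape beside the fixed one. The live-buffer counter and the string-based "ibuf" are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L	/* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for iked's struct iked_id; id_buf models its ibuf. */
struct iked_id { char *id_buf; };
static int live_ibufs;	/* buffers allocated but not yet released */

static void ibuf_release(char *b)
{
	if (b == NULL) return;
	free(b); live_ibufs--;
}

/* Models ca_x509_subjectaltname_cmp(): release whatever sanid still holds,
 * store the next SAN entry in it, then compare it against the wanted name. */
static int san_cmp(struct iked_id *sanid, const char *san, const char *want)
{
	ibuf_release(sanid->id_buf);
	sanid->id_buf = strdup(san); live_ibufs++;
	return strcmp(san, want) == 0 ? 0 : -1;
}

/* Buggy shape: zeroing sanid inside the loop forgets the previous iteration's
 * buffer, so every mismatch leaks one. (With n == 0 the final release would
 * also see an uninitialized sanid; that case is deliberately not exercised.) */
static int match_leaky(const char **sans, size_t n, const char *want)
{
	struct iked_id sanid;
	int found = -1;
	for (size_t i = 0; i < n && found != 0; i++) {
		memset(&sanid, 0, sizeof(sanid));	/* BUG: drops live pointer */
		found = san_cmp(&sanid, sans[i], want);
	}
	ibuf_release(sanid.id_buf);
	return found;
}

/* Fixed shape: zero sanid once before the loop; san_cmp() releases and refills
 * it on every call, so repeated calls neither leak nor free stack garbage. */
static int match_fixed(const char **sans, size_t n, const char *want)
{
	struct iked_id sanid;
	int found = -1;
	memset(&sanid, 0, sizeof(sanid));
	for (size_t i = 0; i < n && found != 0; i++)
		found = san_cmp(&sanid, sans[i], want);
	ibuf_release(sanid.id_buf);
	return found;
}
```

Running both shapes over the same three constructed SAN entries leaves live_ibufs at 0 for the fixed loop and at 2 for the leaky one, which is the silent per-mismatch leak the commit message calls fatal.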
Re: ikectl errors
Hi again,

found this on cvsweb.openbsd.org:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date

"In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop."

Ignorant question: Does this mean a) that I should (try and probably fail
to) patch myself, b) that the change may become a syspatch, or c) that the
next release will include the patch? I'm running 6.2-stable.

Thanks again for the tip!

BR, Andreas

Thu 2 Nov 2017 at 08:25, Andreas Thulin wrote:
> Ah! Thank you!
>
> BR, Andreas
>
> Wed 1 Nov 2017 at 20:36, Mike Larkin wrote:
>
>> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
>> > Hi!
>> >
>> > I'm trying to set up iked on machine A, to create a tunnel between machines
>> > A and B. ikectl produces errors when creating a certificate with my "test"
>> > ca, and I have failed to understand why:
>> >
>> > # ikectl ca test certificate 192.168.1.1 create
>> > [...]
>> > ERROR: adding extensions in section x509v3_IPAddr
>> > [...]
>> >
>> > The machine is i386 running 6.2-stable.
>> > [...]
>>
>> Search the archives, there's a diff to fix this from Oct 25 or so, but it
>> has not been committed yet.
>>
>> -ml
Re: ikectl errors
Ah! Thank you!

BR, Andreas

Wed 1 Nov 2017 at 20:36, Mike Larkin wrote:
> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> > Hi!
> >
> > I'm trying to set up iked on machine A, to create a tunnel between machines
> > A and B. ikectl produces errors when creating a certificate with my "test"
> > ca, and I have failed to understand why:
> >
> > # ikectl ca test certificate 192.168.1.1 create
> > [...]
> > ERROR: adding extensions in section x509v3_IPAddr
> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
> > #
> >
> > The machine is i386 running 6.2-stable.
> > [...]
>
> Search the archives, there's a diff to fix this from Oct 25 or so, but it
> has not been committed yet.
>
> -ml
Re: ikectl errors
On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> Hi!
>
> I'm trying to set up iked on machine A, to create a tunnel between machines
> A and B. ikectl produces errors when creating a certificate with my "test"
> ca, and I have failed to understand why:
>
> # ikectl ca test certificate 192.168.1.1 create
> [...]
> ERROR: adding extensions in section x509v3_IPAddr
> 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
> #
>
> The machine is i386 running 6.2-stable.
>
> I assume I'm doing something wrong, or have missed something in previous
> steps (I followed the example steps from the ikectl man page). Any tips on
> where to start digging/understanding/learning/fixing would be highly
> appreciated.
>
> BR, Andreas

Search the archives, there's a diff to fix this from Oct 25 or so, but it
has not been committed yet.

-ml
ikectl errors
Hi!

I'm trying to set up iked on machine A, to create a tunnel between machines
A and B. ikectl produces errors when creating a certificate with my "test"
ca, and I have failed to understand why:

# ikectl ca test certificate 192.168.1.1 create
Generating RSA private key, 2048 bit long modulus
..+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [192.168.1.1]:
Email Address [r...@openbsd.org]:
Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Lower Saxony'
localityName          :ASN.1 12:'Hanover'
organizationName      :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName            :ASN.1 12:'192.168.1.1'
emailAddress          :IA5STRING:'r...@openbsd.org'
ERROR: adding extensions in section x509v3_IPAddr
2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
2226969360:error:22FFF080:X509 V3 routines:func(4095):error in extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName, value=IP:
#

The machine is i386 running 6.2-stable.

I assume I'm doing something wrong, or have missed something in previous
steps (I followed the example steps from the ikectl man page). Any tips on
where to start digging/understanding/learning/fixing would be highly
appreciated.

BR, Andreas