Re: ikectl errors

2017-11-05 Thread Patrick Wildt
On Thu, Nov 02, 2017 at 11:25:18PM +, Andreas Thulin wrote:
> Hi again,
> 
> found this on cvsweb.openbsd.org:
> 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date
> 
> ”In the subjectAltName comparison, the bzero before the while-loop was
> lost while applying the diff. This means sanid could be passed
> uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
> could try to release a pointer which is essentially stack garbage.
> While there I realized that the bzero() in the loop is essentially
> fatal, since every mismatch leads to a silent leak of ibufs. Since
> ca_x509_subjectaltname_cmp() releases and initializes the passed
> iked_id, we can safely call it multiple times after initializing
> sanid once before the loop.”
> 
> Ignorant question: Does this mean a) that I should (try and probably fail
> to) patch myself, b) that the change may become a syspatch, or c) that the
> next release will include the patch? I’m running 6.2-stable.

This is a fixup for a change in -current, 6.2-stable is all fine.  So
unless you were running -current, all good.

Patrick

> Thanks again for the tip!
> 
> BR, Andreas



Re: ikectl errors

2017-11-02 Thread Andreas Thulin
Hi again,

found this on cvsweb.openbsd.org:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ca.c?sortby=date

”In the subjectAltName comparison, the bzero before the while-loop was
lost while applying the diff. This means sanid could be passed
uninitialized to ca_x509_subjectaltname_cmp(), where ibuf_release()
could try to release a pointer which is essentially stack garbage.
While there I realized that the bzero() in the loop is essentially
fatal, since every mismatch leads to a silent leak of ibufs. Since
ca_x509_subjectaltname_cmp() releases and initializes the passed
iked_id, we can safely call it multiple times after initializing
sanid once before the loop.”

Ignorant question: Does this mean a) that I should (try and probably fail
to) patch myself, b) that the change may become a syspatch, or c) that the
next release will include the patch? I’m running 6.2-stable.

Thanks again for the tip!

BR, Andreas


On Thu, 2 Nov 2017 at 08:25, Andreas Thulin wrote:

> Ah! Thank you!
>
> BR, Andreas
> On Wed, 1 Nov 2017 at 20:36, Mike Larkin wrote:
>
>> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
>> > Hi!
>> >
>> > I’m trying to set up iked on machine A, to create a tunnel between machines
>> > A and B. ikectl produces errors when creating a certificate with my ”test”
>> > ca, and I have failed to understand why:
>> >
>> > # ikectl ca test certificate 192.168.1.1 create
>> > Generating RSA private key, 2048 bit long modulus
>> > ..+++
>> > ..+++
>> > e is 65537 (0x10001)
>> > You are about to be asked to enter information that will be incorporated
>> > into your certificate request.
>> > What you are about to enter is what is called a Distinguished Name or a DN.
>> > There are quite a few fields but you can leave some blank
>> > For some fields there will be a default value,
>> > If you enter '.', the field will be left blank.
>> > -
>> > Country Name (2 letter code) [DE]:
>> > State or Province Name (full name) [Lower Saxony]:
>> > Locality Name (eg, city) [Hanover]:
>> > Organization Name (eg, company) [OpenBSD]:
>> > Organizational Unit Name (eg, section) [iked]:
>> > Common Name (eg, fully qualified host name) [192.168.1.1]:
>> > Email Address [r...@openbsd.org]:
>> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
>> > Check that the request matches the signature
>> > Signature ok
>> > The Subject's Distinguished Name is as follows
>> > countryName   :PRINTABLE:'DE'
>> > stateOrProvinceName   :ASN.1 12:'Lower Saxony'
>> > localityName  :ASN.1 12:'Hanover'
>> > organizationName  :ASN.1 12:'OpenBSD'
>> > organizationalUnitName:ASN.1 12:'iked'
>> > commonName:ASN.1 12:'192.168.1.1'
>> > emailAddress  :IA5STRING:'r...@openbsd.org'
>> > ERROR: adding extensions in section x509v3_IPAddr
>> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
>> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
>> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
>> > string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
>> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
>> > extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
>> > value=IP:
>> > #
>> >
>> > The machine is i386 running 6.2-stable.
>> >
>> > I assume I’m doing something wrong, or have missed something in previous
>> > steps (I followed the example steps from the ikectl man page). Any tips on
>> > where to start digging/understanding/learning/fixing would be highly
>> > appreciated.
>> >
>> > BR, Andreas
>>
>> Search the archives, there's a diff to fix this from Oct 25 or so, but it
>> has not been committed yet.
>>
>> -ml
>>
>

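The commit message quoted above describes two lifecycle bugs around one stack variable: without the pre-loop bzero(), sanid reaches ca_x509_subjectaltname_cmp() uninitialised and ibuf_release() frees whatever garbage the stack held; with the bzero() inside the loop, every mismatch throws away the pointer to the previous ibuf, so it is never released. The C below is an added example, not iked's code: the ibuf and iked_id structures, san_cmp() and the SAN list are a constructed toy model of the real ones, and a live-allocation counter stands in for a leak checker. It puts the in-loop zeroing shape beside the init-once, release-once shape the commit switches to.

```c
/* Toy model of iked's ibuf / iked_id lifecycle; NOT iked's real code. */
#include <stdlib.h>
#include <string.h>

struct ibuf { size_t size; unsigned char buf[]; };
struct iked_id { unsigned char id_type; struct ibuf *id_buf; };

static int live_ibufs;	/* allocation counter standing in for a leak checker */

static struct ibuf *
ibuf_new(const void *data, size_t len)
{
	struct ibuf *ib;

	if ((ib = malloc(sizeof(*ib) + len)) == NULL)
		return (NULL);
	memcpy(ib->buf, data, len);
	ib->size = len;
	live_ibufs++;
	return (ib);
}

static void
ibuf_release(struct ibuf *ib)
{
	if (ib == NULL)
		return;
	free(ib);
	live_ibufs--;
}

/* The contract the commit message relies on: release whatever the passed id
 * holds, re-initialise it with the candidate SAN, then compare.  Only safe if
 * id->id_buf is NULL or a live ibuf on entry; stack garbage there gets freed. */
static int
san_cmp(struct iked_id *id, const char *san, const struct iked_id *want)
{
	ibuf_release(id->id_buf);
	id->id_buf = NULL;
	id->id_type = want->id_type;
	if ((id->id_buf = ibuf_new(san, strlen(san))) == NULL)
		return (-1);
	if (id->id_buf->size != want->id_buf->size)
		return (1);
	return (memcmp(id->id_buf->buf, want->id_buf->buf, id->id_buf->size));
}

/* Buggy shape: no zeroing before the loop, zeroing (iked: bzero) inside it. */
int
match_san_leaky(const char **sans, size_t n, const struct iked_id *want)
{
	struct iked_id sanid;	/* uninitialised until the loop runs */
	size_t i;
	int ret = -1;

	for (i = 0; i < n; i++) {
		memset(&sanid, 0, sizeof(sanid));	/* BUG: drops last iteration's ibuf */
		if (san_cmp(&sanid, sans[i], want) == 0) {
			ret = 0;
			break;
		}
	}
	if (n > 0)	/* with n == 0 this would hand stack garbage to free() */
		ibuf_release(sanid.id_buf);
	return (ret);
}

/* Fixed shape: initialise once before the loop, release once after it. */
int
match_san_fixed(const char **sans, size_t n, const struct iked_id *want)
{
	struct iked_id sanid;
	size_t i;
	int ret = -1;

	memset(&sanid, 0, sizeof(sanid));
	for (i = 0; i < n && ret != 0; i++)
		ret = (san_cmp(&sanid, sans[i], want) == 0) ? 0 : -1;
	ibuf_release(sanid.id_buf);
	return (ret);
}

/* Constructed SAN list standing in for a peer certificate's subjectAltName. */
static const char *test_sans[] = { "vpn1.example.net", "vpn2.example.net", "192.168.1.1" };

/* Run one matcher against test_sans for the wanted id; return its result. */
int
scenario_result(int (*match)(const char **, size_t, const struct iked_id *),
    const char *wanted)
{
	struct iked_id want = { 1, ibuf_new(wanted, strlen(wanted)) };
	int r = match(test_sans, sizeof(test_sans) / sizeof(test_sans[0]), &want);

	ibuf_release(want.id_buf);
	return (r);
}

/* Same run, reporting how many ibufs are still live afterwards (0 = clean). */
int
scenario_leaks(int (*match)(const char **, size_t, const struct iked_id *),
    const char *wanted)
{
	int before = live_ibufs;

	(void)scenario_result(match, wanted);
	return (live_ibufs - before);
}
```

match_san_leaky() is kept in the buggy shape only so the counter can show the leak: against the three-entry list, scenario_leaks(match_san_leaky, "192.168.1.1") returns 2 and scenario_leaks(match_san_fixed, "192.168.1.1") returns 0, while both report the match. The rule it illustrates is general: when a callee both releases and re-initialises a caller-owned object, the caller initialises it exactly once before the first call and releases it exactly once after the last.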

Re: ikectl errors

2017-11-02 Thread Andreas Thulin
Ah! Thank you!

BR, Andreas
On Wed, 1 Nov 2017 at 20:36, Mike Larkin wrote:

> On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> > Hi!
> >
> > I’m trying to set up iked on machine A, to create a tunnel between machines
> > A and B. ikectl produces errors when creating a certificate with my ”test”
> > ca, and I have failed to understand why:
> >
> > # ikectl ca test certificate 192.168.1.1 create
> > Generating RSA private key, 2048 bit long modulus
> > ..+++
> > ..+++
> > e is 65537 (0x10001)
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -
> > Country Name (2 letter code) [DE]:
> > State or Province Name (full name) [Lower Saxony]:
> > Locality Name (eg, city) [Hanover]:
> > Organization Name (eg, company) [OpenBSD]:
> > Organizational Unit Name (eg, section) [iked]:
> > Common Name (eg, fully qualified host name) [192.168.1.1]:
> > Email Address [r...@openbsd.org]:
> > Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName   :PRINTABLE:'DE'
> > stateOrProvinceName   :ASN.1 12:'Lower Saxony'
> > localityName  :ASN.1 12:'Hanover'
> > organizationName  :ASN.1 12:'OpenBSD'
> > organizationalUnitName:ASN.1 12:'iked'
> > commonName:ASN.1 12:'192.168.1.1'
> > emailAddress  :IA5STRING:'r...@openbsd.org'
> > ERROR: adding extensions in section x509v3_IPAddr
> > 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> > string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> > 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
> > extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> > value=IP:
> > #
> >
> > The machine is i386 running 6.2-stable.
> >
> > I assume I’m doing something wrong, or have missed something in previous
> > steps (I followed the example steps from the ikectl man page). Any tips on
> > where to start digging/understanding/learning/fixing would be highly
> > appreciated.
> >
> > BR, Andreas
>
> Search the archives, there's a diff to fix this from Oct 25 or so, but it
> has not been committed yet.
>
> -ml
>


Re: ikectl errors

2017-11-01 Thread Mike Larkin
On Wed, Nov 01, 2017 at 09:08:08AM +, Andreas Thulin wrote:
> Hi!
> 
> I’m trying to set up iked on machine A, to create a tunnel between machines
> A and B. ikectl produces errors when creating a certificate with my ”test”
> ca, and I have failed to understand why:
> 
> # ikectl ca test certificate 192.168.1.1 create
> Generating RSA private key, 2048 bit long modulus
> ..+++
> ..+++
> e is 65537 (0x10001)
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -
> Country Name (2 letter code) [DE]:
> State or Province Name (full name) [Lower Saxony]:
> Locality Name (eg, city) [Hanover]:
> Organization Name (eg, company) [OpenBSD]:
> Organizational Unit Name (eg, section) [iked]:
> Common Name (eg, fully qualified host name) [192.168.1.1]:
> Email Address [r...@openbsd.org]:
> Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName   :PRINTABLE:'DE'
> stateOrProvinceName   :ASN.1 12:'Lower Saxony'
> localityName  :ASN.1 12:'Hanover'
> organizationName  :ASN.1 12:'OpenBSD'
> organizationalUnitName:ASN.1 12:'iked'
> commonName:ASN.1 12:'192.168.1.1'
> emailAddress  :IA5STRING:'r...@openbsd.org'
> ERROR: adding extensions in section x509v3_IPAddr
> 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
> extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> value=IP:
> #
> 
> The machine is i386 running 6.2-stable.
> 
> I assume I’m doing something wrong, or have missed something in previous
> steps (I followed the example steps from the ikectl man page). Any tips on
> where to start digging/understanding/learning/fixing would be highly
> appreciated.
> 
> BR, Andreas

Search the archives, there's a diff to fix this from Oct 25 or so, but it
has not been committed yet.

-ml



ikectl errors

2017-11-01 Thread Andreas Thulin
Hi!

I’m trying to set up iked on machine A, to create a tunnel between machines
A and B. ikectl produces errors when creating a certificate with my ”test”
ca, and I have failed to understand why:

# ikectl ca test certificate 192.168.1.1 create
Generating RSA private key, 2048 bit long modulus
..+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Lower Saxony]:
Locality Name (eg, city) [Hanover]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) [192.168.1.1]:
Email Address [r...@openbsd.org]:
Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName   :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Lower Saxony'
localityName  :ASN.1 12:'Hanover'
organizationName  :ASN.1 12:'OpenBSD'
organizationalUnitName:ASN.1 12:'iked'
commonName:ASN.1 12:'192.168.1.1'
emailAddress  :IA5STRING:'r...@openbsd.org'
ERROR: adding extensions in section x509v3_IPAddr
2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
value=IP:
#

The machine is i386 running 6.2-stable.

I assume I’m doing something wrong, or have missed something in previous
steps (I followed the example steps from the ikectl man page). Any tips on
where to start digging/understanding/learning/fixing would be highly
appreciated.

BR, Andreas
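What the three libcrypto lines in the post above are saying: the subjectAltName value that reached the x509v3_IPAddr section was the bare string IP: (the output shows section=IP: and value=IP:). libcrypto tokenises an extension value as a comma-separated list of type:value pairs, and a type followed by a colon with nothing after it is rejected in v3_utl.c as "invalid null value"; the two lines that follow are the same failure reported by the callers in v3_conf.c, so there is one root cause, an empty address, not three. The C below is an added example and neither ikectl's nor libcrypto's code: it re-implements that tokeniser closely enough to reproduce the diagnosis and adds an IP-literal check, so the same string can be validated before it is handed to openssl(1). The status names, the 512-byte limit and the sample inputs are this example's own.

```c
/*
 * Added example modelled on libcrypto's X509V3_parse_list() tokeniser
 * (lib/libcrypto/x509v3/v3_utl.c); not libcrypto's or ikectl's code.
 */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum san_status {
	SAN_OK = 0,
	SAN_NULL_NAME,		/* empty type: ",DNS:x" or ":x" */
	SAN_NULL_VALUE,		/* "IP:" with nothing after the colon (the thread's error) */
	SAN_MISSING_VALUE,	/* "IP" with no colon; libcrypto rejects this one level up */
	SAN_BAD_IP,		/* IP: value that inet_pton() rejects */
	SAN_UNKNOWN_TYPE,	/* not IP/DNS/email/URI */
	SAN_TOO_LONG		/* this example's own input limit */
};

/* Trim blanks in place; NULL when nothing but blanks remains. */
static char *
strip_spaces(char *s)
{
	char *e;

	while (isspace((unsigned char)*s))
		s++;
	if (*s == '\0')
		return (NULL);
	for (e = s + strlen(s) - 1; e > s && isspace((unsigned char)*e); e--)
		*e = '\0';
	return (s);
}

static enum san_status
check_entry(const char *name, const char *value)
{
	unsigned char addr[16];

	if (strcmp(name, "IP") == 0)
		return (inet_pton(AF_INET, value, addr) == 1 ||
		    inet_pton(AF_INET6, value, addr) == 1) ? SAN_OK : SAN_BAD_IP;
	if (strcmp(name, "DNS") == 0 || strcmp(name, "email") == 0 ||
	    strcmp(name, "URI") == 0)
		return (SAN_OK);
	return (SAN_UNKNOWN_TYPE);
}

/*
 * Validate a subjectAltName value list such as
 * "IP:192.168.1.1, DNS:vpn.example.net".  Entries are split on ',' and each
 * entry on its FIRST ':' so IPv6 literals survive, as libcrypto does.
 */
enum san_status
san_check(const char *list)
{
	char buf[512], *p, *entry, *name, *value;
	enum san_status st;

	if (strlen(list) >= sizeof(buf))
		return (SAN_TOO_LONG);
	strcpy(buf, list);
	for (p = buf; p != NULL; ) {
		entry = p;
		if ((p = strchr(p, ',')) != NULL)
			*p++ = '\0';
		if ((value = strchr(entry, ':')) != NULL)
			*value++ = '\0';
		if ((name = strip_spaces(entry)) == NULL)
			return (SAN_NULL_NAME);
		if (value == NULL)
			return (SAN_MISSING_VALUE);
		if ((value = strip_spaces(value)) == NULL)
			return (SAN_NULL_VALUE);
		if ((st = check_entry(name, value)) != SAN_OK)
			return (st);
	}
	return (SAN_OK);
}

int
main(void)
{
	/* The value from the thread's error output, then a well-formed one. */
	printf("\"IP:\" -> status %d (SAN_NULL_VALUE is %d)\n",
	    san_check("IP:"), SAN_NULL_VALUE);
	printf("\"IP:192.168.1.1\" -> status %d (SAN_OK is %d)\n",
	    san_check("IP:192.168.1.1"), SAN_OK);
	return (0);
}
```

Once a certificate does get created, the check worth making is that the address actually landed in it: openssl x509 -noout -text -in <cert> should list it under X509v3 Subject Alternative Name as IP Address:192.168.1.1, since iked matches the peer against that extension rather than the commonName shown in the prompts.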