Hi,
Two diffs below. The first moves ecdsa_method declaration from
ecs_locl.h to ecdsa.h, as ecs_locl.h is not installed in
/usr/include/openssl/.
The second one adds DSA and ECDSA capabilities to relayd ca engine, and
also checks that when using a DSA certificate, we have enabled EDH in
the
On Wed, Jan 15, 2014 at 06:25:53PM +0200, MJ wrote:
I have long held the opinion that Theo is probably the best coder on this
planet. That's not any sort of ass-kissing, either, it's my objective,
unbiased opinion. And I know Henning personally, as in 'live and worked
together with him -
Hi tech@,
I've been using iked for some weeks to tunnel my laptop to home over 3G.
Sunday I upgraded my laptop to the latest snapshot; previous upgrade was
about 2 or 3 weeks ago. When I started iked, it crashed randomly, as in
one time it runs just fine and completes the handshake, the other it
On Thu, Jan 15, 2015 at 04:00:20PM +0100, Vincent Gross wrote:
Hello folks,
This patch brings nat capabilities into iked, the same way that mpf@ did
with isakmpd about 6 years ago.
Comments ?
bumpity bump bump.
Any comments on this ?
Tested with the following setup, with icmp, udp
Hello folks,
This patch brings nat capabilities into iked, the same way that mpf@ did
with isakmpd about 6 years ago.
Comments ?
Tested with the following setup, with icmp, udp and tcp:
Local pf.conf:
table homev4 { 172.23.0.0/23 }
set skip on lo
match out on enc0 from ! homev4 to homev4
On Mon, Apr 20, 2015 at 07:35:58PM +0059, Jason McIntyre wrote:
On Wed, Apr 15, 2015 at 05:13:13PM +0200, Vincent Gross wrote:
Hello,
iked.conf's man page is a bit fuzzy on how local and peer ip defaults
are set. This patch below attempts to fix that.
if you can specify one
Hi folks,
this patch makes iked clean its SAs on shutdown: for each existing IKE
SA, all of its Child SAs will be removed from the kernel, and an IKE
DELETE notification payload will be sent to the peer.
Comments ?
Cheers,
--
Vincent / dermiste
Index: iked.h
Hi folks,
crypto(9) describes functions and constants that are not part of
crypto/cryptodev.h anymore (see 1.58 - 1.60), this patch fixes that.
Cheers,
--
Vincent / dermiste
Index: crypto.9
===
RCS file:
Hello,
iked.conf's man page is a bit fuzzy on how local and peer ip defaults
are set. This patch below attempts to fix that.
Also, can you take a look at my previous nat-on-ipsec-on-iked patchset ?
see http://marc.info/?l=openbsd-techm=142662971007779w=2
Cheers,
Index: iked.conf.5
to run a handful of shell
commands over ssh ?
Cheers,
--
Vincent Gross
regress/sys/net/rdomains still passes with this diff.
Ok ?
Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.398
diff -u -p -r1.398 if.c
--- net/if.c25 Oct 2015 21:58:04 - 1.398
+++ net/if.c
On 09/12/15 22:10, Claudio Jeker wrote:
> On Sat, Sep 12, 2015 at 02:40:59PM +0200, Vincent Gross wrote:
>> inpt_lastport is never read without being written before, and only
>> in_pcbbind()
>> and in6_pcbsetport() are using it. This diff removes inpt_lastport from
>>
On 09/13/15 10:37, Claudio Jeker wrote:
> On Sun, Sep 13, 2015 at 12:18:10AM +0200, Vincent Gross wrote:
>> On 09/12/15 22:10, Claudio Jeker wrote:
>>> On Sat, Sep 12, 2015 at 02:40:59PM +0200, Vincent Gross wrote:
>>>> inpt_lastport is never read without
inpt_lastport is never read without being written before, and only
in_pcbbind()
and in6_pcbsetport() are using it. This diff removes inpt_lastport from
struct inpcbtable and turns it into a local variable where it is used.
Ok ?
--
Vincent
Index: sys/netinet/in_pcb.c
hanges right now or should ipv4 be validated
first ?
--
Vincent Gross
Index: netinet/in_pcb.c
===
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.180
diff -u -p -r1.180 in_pcb.c
--- netinet/in_pcb.c22 Sep 2015
h remarks are true, but I think it is better to keep a more extensive
refactoring in a separate diff, refactoring that shall get rid of this
yucky code duplication.
--
Vincent Gross
On 09/13/15 11:49, Vincent Gross wrote:
> On 09/13/15 10:37, Claudio Jeker wrote:
>> On Sun, Sep 13, 2015 at 12:18:10AM +0200, Vincent Gross wrote:
>>> On 09/12/15 22:10, Claudio Jeker wrote:
>>>> On Sat, Sep 12, 2015 at 02:40:59PM +0200, Vincent Gross wrote:
>
On 09/18/15 23:39, David Hill wrote:
> On Fri, Sep 18, 2015 at 11:05:55PM +0200, Vincent Gross wrote:
>> On 09/18/15 15:18, David Hill wrote:
>>> Is this 'if (count)' statement needed? We know first > last, so count
>>> will always be positive. lastport will
When fed a broadcast address, ifa_ifwitaddr() returns the unicast ifa
whose broadcast address matches the input. This is used mainly to select
ifa, and there can be trouble when you have 2 ifas on the same range
(e.g. 10.0.0.1/24@em0 & 10.0.0.20/24@em1) :
netinet/ip_mroute.c:814
net/route.c:785
On 12/02/15 20:06, Martin Pieuchot wrote:
> On 02/12/15(Wed) 16:18, Vincent Gross wrote:
>> When fed a broadcast address, ifa_ifwitaddr() returns the unicast ifa
>> whose broadcast address matches the input. This is used mainly to select
>> ifa, and there can be trouble
On 12/03/15 10:21, Vincent Gross wrote:
> On 12/02/15 20:06, Martin Pieuchot wrote:
>> On 02/12/15(Wed) 16:18, Vincent Gross wrote:
>>> When fed a broadcast address, ifa_ifwitaddr() returns the unicast ifa
>>> whose broadcast address matches the input. This is us
in_pcbbind and in6_pcbbind both extend SO_REUSEADDR for multicast
addresses so that it turns into a SO_REUSEPORT. But the check is done
in such a way that you cannot bind a SO_REUSEPORT-enabled socket to a
multicast address *after* you bound a SO_REUSEADDR-enabled socket to
the same address.
in6_selectsrc() uses two different rtalloc calls depending on whether or
not the destination address is multicast, but there is nothing to
explain why. I dug a bit and found this commit from itojun@ :
diff -u -r1.6 -r1.7
--- src/sys/netinet6/in6_src.c 2000/06/18 04:49:32 1.6
+++
On 12/07/15 14:57, Martin Pieuchot wrote:
> If the interface is gone that means you're dealing with a cached route
> so there's no need to try to remove it from the table.
>
> Better be explicit and do that before calling rtdeletemsg() rather than
> inside.
>
> ok?
ok vgross@
>
> Index:
On 12/21/15 11:36, Martin Pieuchot wrote:
> Currently if you try to configure the same IPv6 address twice via the
> SIOCAIFADDR_IN6 ioctl(2) the kernel will return EEXIST and the address
> will be unset:
>
> # ifconfig vether0 inet6 2001::1
> # ifconfig vether0 inet6 2001::1
> ifconfig:
in_pcbbind and in6_pcbbind have a lot in common, the only meaningful
differences are in the checks done to ensure a sockaddr is available.
This diff splits these checks into their own functions, and merges the
remaining code in one single function. Aside from being easier to read,
it also makes it
On Wed, 8 Jun 2016 15:12:23 +0200
Martin Pieuchot <m...@openbsd.org> wrote:
> On 07/06/16(Tue) 22:02, Stuart Henderson wrote:
> > On 2016/06/07 21:49, Vincent Gross wrote:
> > >
> > > It's how henning@ set things up when integrating the new qu
On Tue, 7 Jun 2016 10:48:22 +0200,
Martin Pieuchot <m...@openbsd.org> wrote:
> On 06/06/16(Mon) 23:52, Vincent Gross wrote:
> > On Mon, 6 Jun 2016 17:33:36 +0100
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > > On 2016/06/06 16:15, Vince
When sending ARP requests, or when writing to a bpf handle (as when
sending DHCP Discover), we bypass pf(4) so we have no way to define
the priority (m->m_pkthdr.pf.prio) of the outgoing packets.
My ISP runs two vlans to separate the delivery of general-purpose
internet and TV/phone over fiber;
On Sun, 12 Jun 2016 15:00:14 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
Damn you autowrap ! get off my diff !
(thanks jca@ for spotting)
> This diff moves the cmsg handling code on top of udp_output(). I split
> the whole IP_SENDSRCADDR thing in two chunks so that it's easie
This diff moves the cmsg handling code on top of udp_output(). I split
the whole IP_SENDSRCADDR thing in two chunks so that it's easier to
audit.
ok ?
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 2db5998..1feea11 100644
--- a/sys/netinet/udp_usrreq.c
+++
This diff adds support for IP_SENDSRCADDR cmsg on UDP sockets. As for
udp6_output(), we check that the source address+port is available only
if inp_laddr != *
Ok ?
diff --git a/share/man/man4/ip.4 b/share/man/man4/ip.4
index 111432b..154b0d1 100644
--- a/share/man/man4/ip.4
+++
On Sun, 12 Jun 2016 15:29:32 +0200 (CEST)
Mark Kettenis <mark.kette...@xs4all.nl> wrote:
> > Date: Sun, 12 Jun 2016 14:59:55 +0200
> > From: Vincent Gross <vgr...@openbsd.org>
> >
> > This diff adds support for IP_SENDSRCADDR cmsg on UDP sockets
On Mon, 13 Jun 2016 07:35:16 +0200,
j...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote:
> j...@wxcvbn.org (Jeremie Courreges-Anglas) writes:
>
> > cc'ing sthen since he also has interest in IP_SENDSRCADDR
> >
> > Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:
On Mon, 13 Jun 2016 19:57:15 +0200
Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> Vincent Gross <vgr...@openbsd.org> writes:
>
> > On Mon, 13 Jun 2016 07:35:16 +0200,
> > j...@wxcvbn.org (Jeremie Courreges-Anglas) wrote:
> >
> >> j...
On Mon, 6 Jun 2016 17:33:36 +0100
Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016/06/06 16:15, Vincent Gross wrote:
> > When sending ARP requests, or when writing to a bpf handle (as when
> > sending DHCP Discover), we bypass pf(4) so we have no way to defin
On Tue, 31 May 2016 09:51:10 +0200
Martin Pieuchot wrote:
> On 19/04/16(Tue) 10:43, Martin Pieuchot wrote:
> > Mart Tõnso reported [0] a weird case related to the use of
> > ifa_ifwithnet().
> >
> > The problem is that ifa_ifwithroute() does not always use route
> > entries
On Mon, 13 Jun 2016 16:49:01 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
>
> While validating source address inside selection functions is the
> right direction, I don't think it would be a good thing to extend
> further in_selectsrc() prototype. However it is easy to a
Hello,
This diff moves the "are we binding to a privileged port while not being root ?"
check from in(6)_pcbaddrisavail() to in_pcbbind().
This way we have a cleaner separation between "is the resource available ?"
and "am I allowed to access the resource ?" (which may or may not get its own
in_pcblookup() is always called with *:0 for the remote side.
Remove the useless bits, shuffle the tests around and it's much
easier to audit.
Ok ?
Index: netinet/in_pcb.c
===
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving
When using a raw ip6 socket, one can connect(2) then send(2), or
just sendto(2). The code below would try to find the non-connected
raw ip6 socket corresponding to an incoming icmp6 message, to deliver
the failure. This code has been disabled ever since it has been put
in-tree, justifiably so
The current use of in_pcblookup() in in6_pcbconnect() is suboptimal :
all of the addresses and ports are defined, we are only interested in
exact matches, and its v4 cousin in_pcbconnect() already uses
in_pcbhashlookup().
Ok ?
Index: sys/netinet6/in6_pcb.c
On 03/31/16 14:07, Alexander Bluhm wrote:
> On Wed, Mar 30, 2016 at 10:44:14PM +0200, Vincent Gross wrote:
>> This diff moves the "are we binding to a privileged port while not being
>> root ?"
>> check from in(6)_pcbaddrisavail() to in_pcbbind().
>
>> ---
When fragmenting ipv4, we do not preserve DiffServ/ToS field.
Here is how to observe this :
[obsd1](vlan10) (vlan10)[obsd2](vlan20) --mtu600-- (vlan20)[obsd3]
root@obsd2 # sysctl net.inet.ip.forwarding=1
root@obsd2 # tcpdump -ni $VLAN20DEV
user@obsd3 $ nc -4ul
root@obsd1 $ echo "pass
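The DiffServ-on-fragments observation above, as an added example that is not part of the original message or of OpenBSD: a constructed IPv4 fragmenter in Python that keeps the ToS byte on every fragment, next to a variant that zeroes it, so the difference tcpdump on obsd2 would show can be checked offline. The addresses, identification value and payload are constructed; nothing here is kernel code, and the header checksum helper is a plain RFC 1071 sum written for this example.

```python
import struct

# Constructed example, not OpenBSD code: minimal IPv4 build/parse/fragment
# routines used to show that every fragment must carry the original ToS byte.


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, payload: bytes, *, tos: int = 0,
               ident: int = 0, ttl: int = 64, proto: int = 17,
               df: bool = False, mf: bool = False, frag_off: int = 0) -> bytes:
    """Build an IPv4 packet with a 20-byte header (no options); frag_off is in bytes."""
    assert frag_off % 8 == 0
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header; the fragment offset is returned in bytes."""
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "tos": tos, "dscp": tos >> 2, "id": ident, "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "off": (flags_frag & 0x1FFF) * 8, "src": src, "dst": dst,
        "csum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # header sums to zero when intact
        "payload": pkt[ihl:total_len],
    }


def fragment(pkt: bytes, mtu: int, preserve_tos: bool = True) -> list:
    """Split pkt into fragments of at most mtu bytes (RFC 791 section 2.3).

    preserve_tos=False models the forwarding bug described in the message:
    every fragment leaves with ToS 0 instead of the original value.
    """
    h = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if h["df"]:
        raise ValueError("DF set: packet needs fragmentation but must not be fragmented")
    chunk = (mtu - 20) & ~7          # all but the last fragment carry a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("mtu too small for an IPv4 header plus 8 bytes of data")
    data, frags = h["payload"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + len(piece) == len(data)
        frags.append(build_ipv4(
            h["src"], h["dst"], piece,
            tos=h["tos"] if preserve_tos else 0,
            ident=h["id"], ttl=h["ttl"], proto=h["proto"],
            mf=h["mf"] if last else True,    # keep MF if the input was itself a fragment
            frag_off=h["off"] + off))
    return frags


def reassemble(frags: list) -> bytes:
    """Concatenate fragment payloads in offset order (one identification assumed)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["off"])
    return b"".join(p["payload"] for p in parts)


def tos_preserved(frags: list, tos: int) -> bool:
    """The check done by eye on obsd2's tcpdump: does every fragment keep the ToS?"""
    return all(parse_ipv4(f)["tos"] == tos for f in frags)
```

Feeding a 1044-byte EF-marked datagram (ToS 0xb8) through fragment() with mtu 600 gives a 596-byte and a 468-byte fragment that both keep 0xb8 and that reassemble() joins back to the original payload; the preserve_tos=False path produces the fragments with ToS 0 that the message observed.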
On Sun, 1 May 2016 13:27:29 +0200
Patrick Wildt wrote:
> Hi,
>
> I updated the diff with the feedback received. This basically adds
> a tree-like topology by making mainbus FDT aware and implementing
> a simplebus that can span the tree's roots into more branches.
>
> Next
On Wed, 20 Jul 2016 12:36:45 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
> This is a completely mechanical diff to get rid of the 7-params
> madness in in6_selectsrc().
>
> I also apply the same treatment to in_selectsrc() for consistency.
>
> Ok?
... and of cours
This is a completely mechanical diff to get rid of the 7-params madness
in in6_selectsrc().
I also apply the same treatment to in_selectsrc() for consistency.
Ok?
Index: sys/netinet/in_pcb.c
===
RCS file:
d the diff with fixes, enhancements and regression tests.
All manners of testing and feedback are welcome !
--
Vincent Gross
Our IPSec stack rejects UDP-encapsulated traffic using a
non-encapsulating SA, but not the other way around. This diff adds
the missing check and the corresponding stat counter.
Ok ?
Index: sys/netinet/ip_esp.h
===
RCS file:
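The two-direction check described in the message above, as an added example that is not the OpenBSD kernel's code: a constructed Python model of NAT-T (RFC 3948) input handling that sorts a UDP port 4500 payload into keepalive, IKE or ESP, then compares how an ESP packet arrived with whether its SA was negotiated with UDP encapsulation, rejecting the mismatch in both directions and counting each. The SA database, the SecurityAssociation.udpencap flag and the EspStats counter names are hypothetical stand-ins for whatever the real stack uses, not OpenBSD identifiers.

```python
import struct
from dataclasses import dataclass

# Constructed example, not OpenBSD code. Names below (SecurityAssociation,
# EspStats and its fields) are hypothetical; only the wire constants are RFC 3948.

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-octet NAT keepalive


@dataclass
class SecurityAssociation:
    spi: int
    udpencap: bool      # negotiated with NAT-T: ESP is expected inside UDP


@dataclass
class EspStats:
    accepted: int = 0
    no_sa: int = 0
    udpencap_on_plain_sa: int = 0   # the check the message says already existed
    plain_on_udpencap_sa: int = 0   # the check the message says was missing


def esp_packet(spi: int, seq: int, body: bytes = b"") -> bytes:
    """Constructed ESP datagram: SPI, sequence number, then opaque encrypted bytes."""
    return struct.pack("!II", spi, seq) + body


def classify_udp4500(payload: bytes) -> tuple:
    """Sort a UDP/4500 payload into keepalive, IKE, ESP or junk.

    An SPI of zero would collide with the non-ESP marker, which is why
    RFC 4303 reserves it and why the marker check can come first.
    """
    if payload == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    if len(payload) >= 8:                 # at least SPI + sequence number
        return ("esp", payload)
    return ("invalid", payload)


def esp_input(sadb: dict, stats: EspStats, esp: bytes, via_udp: bool) -> str:
    """Admit or drop one ESP packet; via_udp says whether it came through UDP."""
    spi, _seq = struct.unpack("!II", esp[:8])
    sa = sadb.get(spi)
    if sa is None:
        stats.no_sa += 1
        return "drop:no-sa"
    if via_udp and not sa.udpencap:
        stats.udpencap_on_plain_sa += 1
        return "drop:udp-encapsulated-on-plain-sa"
    if not via_udp and sa.udpencap:
        # The direction that was not checked: plain IP-proto-50 ESP on a NAT-T SA.
        stats.plain_on_udpencap_sa += 1
        return "drop:plain-esp-on-udpencap-sa"
    stats.accepted += 1
    return "accept"


def udp4500_input(sadb: dict, stats: EspStats, payload: bytes) -> str:
    """What the UDP side hands to ESP: only ESP payloads reach esp_input()."""
    kind, body = classify_udp4500(payload)
    if kind == "esp":
        return esp_input(sadb, stats, body, via_udp=True)
    return kind
```

With one SA negotiated with NAT-T and one without, each SA accepts ESP only on the path it was negotiated for, and the two mismatches land in separate counters so that a tcpdump-visible symptom (silent drops) has a matching statistic.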
This diff adds the missing bits to support NAT-on-enc in iked(8).
See OUTGOING NETWORK ADDRESS TRANSLATION in iked.conf(5), and also
http://undeadly.org/cgi?action=article=20090127205841.
Ok ?
diff --git sbin/iked/iked.h sbin/iked/iked.h
index aa40d70..dfa04ad 100644
--- sbin/iked/iked.h
+++
Objections anyone ?
On Wed, 31 Aug 2016 15:57:45 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
> On Wed, 31 Aug 2016 15:26:53 +0200
> Vincent Gross <vgr...@openbsd.org> wrote:
>
> > On Thu, 11 Aug 2016 16:57:27 +0100
> > Stuart Henderson <s...@spacehopper
in6_selectroute() checks whether the struct route it received contains
a valid route whose AF is not AF_INET6, "in case the cache is shared".
Well, is this cache shared or not ?
There are only two ways to get to in6_selectroute()
1) in6_pcbselsrc() -> in6_selectif() -> in6_selectroute()
It is
present when
opening NAT-T tunnels with iked ?
Cheers
> Would you mind looking at this issue also? :)
>
> Thanks!
>
> Claer
>
> On Thu, Sep 01 2016 at 31:10, Vincent Gross wrote:
>
> > Our IPSec stack rejects UDP-encapsulated traffic using a non
> > enc
On Wed, 31 Aug 2016 15:26:53 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
> On Thu, 11 Aug 2016 16:57:27 +0100
> Stuart Henderson <s...@spacehopper.org> wrote:
>
> > On 2016/06/27 13:00, Jérémie Courrèges-Anglas wrote:
> [...]
> > >
> > > I
On Thu, 11 Aug 2016 16:57:27 +0100
Stuart Henderson wrote:
> On 2016/06/27 13:00, Jérémie Courrèges-Anglas wrote:
[...]
> >
> > I also gave my ok to vgross by IM.
> >
> > I know that some concerns have been exposed privately, I was not
> > Cc'd, thus I have no idea what
On Wed, 31 Aug 2016 16:09:30 +0200
Reyk Floeter <r...@openbsd.org> wrote:
> On Wed, Aug 31, 2016 at 03:26:53PM +0200, Vincent Gross wrote:
> > On Thu, 11 Aug 2016 16:57:27 +0100
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > > On 2016/0
On Mon, 12 Sep 2016 10:49:03 +0200
Martin Pieuchot wrote:
> I'd like to use a write lock to serialize accesses to ip_output().
> This will be used to guarantee that atomic code sections in the
> socket layer stay atomic when the input/forwarding path won't run
> under
On Tue, 13 Sep 2016 14:19:24 +0200
j...@wxcvbn.org (Jeremie Courreges-Anglas) wrote:
> Since it has been introduced, ip6_setpktopt has only been called with
> (sticky=1, cmsg=0) or (sticky=0, cmsg=1). Let's simplify this code.
Ok vgross@
>
>
> Index: ip6_output.c
>
On Tue, 13 Sep 2016 10:08:13 +0200
Martin Pieuchot <m...@openbsd.org> wrote:
> On 12/09/16(Mon) 12:12, Vincent Gross wrote:
> > On Mon, 12 Sep 2016 10:49:03 +0200
> > Martin Pieuchot <m...@openbsd.org> wrote:
> >
> > > I'd like to use a wri
Hi,
As said in Subject:.
I would like to get comments on the m_adj/m_pullup dance at the end of
vxlan_lookup(); I do this because ether_input() accesses the ethernet header
with mtod(), and under some conditions the mbuf handled would have its
first data chunk empty (mh_len == 0). What is the
On Mon, 26 Sep 2016 18:33:43 +0200
j...@wxcvbn.org (Jeremie Courreges-Anglas) wrote:
> Don't ignore the "flags" argument passed to recvfromto. Doesn't
> matter for now in iked (0 is passed), but this kind of code tends to
> be copied.
>
> ok?
>
ok vgross@
>
> Index: util.c
>
On Thu, 15 Sep 2016 16:29:45 +0200
Martin Pieuchot wrote:
> After discussing with a few people about a new "timed task" API I came
> to the conclusion that mixing timeouts and tasks will result in:
>
> - always including a 'struct timeout' in a 'struct task', or the
> other
On Sat, 24 Sep 2016 10:58:10 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
> Hi,
>
[snip]
>
> Aside from the mbuf issue, is this Ok ?
I will go back on the mbuf stuff later.
Diff rebased, ok anyone ?
Ind
On Fri, 4 Nov 2016 12:01:58 +0100
Martin Pieuchot wrote:
> Rather than trying to keep this old routing table like function alive
> by reimplementing rn_refines(), let's get rid of it.
>
> ok?
>
> Index: net/route.c
>
On Wed, 9 Nov 2016 13:16:46 +
Thomas Klute wrote:
> Hi tech@,
>
> this patch contains fixes for two bugs that break IKE rekeying
> initiated by iked. Please review, and apply or let me know what has to
> be changed! Both bugs are fixed by initializing the respective
On Sat, 5 Nov 2016 12:41:39 +0100
Vincent Gross <vgr...@openbsd.org> wrote:
> Updated diff, I reworked the logic to handle the if_get/if_put dance
> in vxlan_multicast_join(), and fixed an uninitialized variable.
>
> Ok ?
Anyone to comment or ok ? this blocks the submissio
Updated diff, I reworked the logic to handle the if_get/if_put dance in
vxlan_multicast_join(), and fixed an uninitialized variable.
Ok ?
Index: net/if_vxlan.c
===
RCS file: /cvs/src/sys/net/if_vxlan.c,v
retrieving revision 1.51
On Mon, 7 Nov 2016 08:59:53 +0100
Martin Pieuchot <m...@openbsd.org> wrote:
> On 04/11/16(Fri) 21:33, Vincent Gross wrote:
> > [...]
> > Why are you killing Strict Source Route Record ? Just as you did
> > with rtredirect(), you can check whether RTF_GATEW
On Thu, 10 Nov 2016 22:16:55 +0100
Vincent Gross <vgr...@openbsd.org> wrote:
> On Sat, 5 Nov 2016 12:41:39 +0100
> Vincent Gross <vgr...@openbsd.org> wrote:
>
> > Updated diff, I reworked the logic to handle the if_get/if_put dance
> > in vxlan_multicast_j
On Tue, 4 Oct 2016 01:07:51 +0200
Vincent Gross <vgr...@openbsd.org> wrote:
> On Sat, 24 Sep 2016 10:58:10 +0200
> Vincent Gross <vgr...@openbsd.org> wrote:
>
> > Hi,
> >
> [snip]
> >
> > Aside from the mbuf issue, is this Ok ?
>
&
On Tue, 1 Nov 2016 18:51:08 +0100
Mike Belopuhov <m...@belopuhov.com> wrote:
> On 1 November 2016 at 18:23, Vincent Gross <vincent.gr...@kilob.yt>
> wrote:
> > On Tue, 4 Oct 2016 01:07:51 +0200
> > Vincent Gross <vgr...@openbsd.org> wrote:
> >
up is never set in ifioctl().
Ok ?
Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.463
diff -u -p -r1.463 if.c
--- net/if.c28 Nov 2016 11:18:02 - 1.463
+++ net/if.c1 Dec 2016 20:31:27
On Tue, 29 Nov 2016 15:13:16 +0100
Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> On Sat, Nov 05, 2016 at 12:41:39PM +0100, Vincent Gross wrote:
> > Updated diff, I reworked the logic to handle the if_get/if_put
> > dance in vxlan_multicast_join(), and fixed an unini
On Tue, 29 Nov 2016 17:03:44 +0100
Martin Pieuchot wrote:
> Diff below removes the 'struct route_in6' argument from
> in6_selectsrc().
>
> It is only used by in6_pcbselsrc() so move the code there. This
> reduces differences with IPv4 and help me to get rid of 'struct
>
So a while back Alexander Markert sent a bug report regarding sendmsg()
behaviour with IP_SENDSRCADDR :
https://marc.info/?l=openbsd-tech=149276833923905=2
This impacts our dnsmasq port :
https://marc.info/?l=openbsd-tech=149234052220818=2
Alexander Markert shows in the first thread the
On Thu, 12 Jul 2018 19:54:26 +0200
Alexander Bluhm wrote:
>
> If it is a temporary problem, that will go away when the content
> of the socket buffer is sent away, we should block or return
> EWOULDBLOCK. For a permanent problem return EMSGSIZE. Non atomic
> operations can be split in smaller
Hello,
I am investigating a usb issue on my imx6-based novena, and I tried to
set a breakpoint to inspect the backtrace when the issue occurs. The
problem is, when resuming execution out of ddb, I get a uvm_fault and
then the only way forward is to reboot the system.
Am I missing a step ? or is
78 matches