Re: packets to bridged interfaces bypass input filter

2020-05-26 Thread Stephan Mending
On Tue, May 26, 2020 at 09:26:07PM +0200, Sven M. Hallberg wrote: > hi all, > > i sent the following question to misc@ on march 29th but received no > response. i hope you don't mind me retrying on tech@. > > while playing around with pf, i noticed that some connections that i > thought should be

Re: iked(8): AES_GCM ciphers for IKE

2020-05-16 Thread Stephan Mending
> + yyerror("cannot mix encryption transforms with " > + "implicit and non-implicit authentication"); > + goto done; > + } > + if (noauth && ike_sa->xfs[i]->nauthxf) { > + yyerror("authentication is implicit for given " > + "encryption transforms"); > + goto done; > + } > > if ((p = calloc(1, sizeof(*p))) == NULL) > err(1, "%s", __func__); > > xf = NULL; > xfi = 0; > - copy_transforms(IKEV2_XFORMTYPE_INTEGR, > - ike_sa->xfs[i]->authxf, > - ike_sa->xfs[i]->nauthxf, &xf, &xfi, > - ikev2_default_ike_transforms, > - ikev2_default_nike_transforms); > + if (!ike_sa->xfs[i]->nencxf || !noauth) > + copy_transforms(IKEV2_XFORMTYPE_INTEGR, > + ike_sa->xfs[i]->authxf, > + ike_sa->xfs[i]->nauthxf, &xf, &xfi, > + ikev2_default_ike_transforms, > + ikev2_default_nike_transforms); > copy_transforms(IKEV2_XFORMTYPE_ENCR, > ike_sa->xfs[i]->encxf, > ike_sa->xfs[i]->nencxf, &xf, &xfi, > Index: policy.c > === > RCS file: /cvs/src/sbin/iked/policy.c,v > retrieving revision 1.62 > diff -u -p -r1.62 policy.c > --- policy.c 13 May 2020 23:03:20 - 1.62 > +++ policy.c 14 May 2020 23:55:14 - > @@ -774,7 +774,7 @@ proposals_match(struct iked_proposal *lo > struct iked_transform **xforms, int rekey) > { > struct iked_transform *tpeer, *tlocal; > - unsigned int i, j, type, score, requiredh = 0; > + unsigned int i, j, type, score, requiredh = 0, noauth = 0; > uint8_t protoid = peer->prop_protoid; > uint8_t peerxfs[IKEV2_XFORMTYPE_MAX]; 
> > @@ -782,8 +782,18 @@ proposals_match(struct iked_proposal *lo > > for (i = 0; i < peer->prop_nxforms; i++) { > tpeer = peer->prop_xforms + i; > + /* If any of the ENC transforms is an AEAD, ignore auth */ > + if (tpeer->xform_type == IKEV2_XFORMTYPE_ENCR && > + encxf_noauth(tpeer->xform_id)) > + noauth = 1; > + } > + > + for (i = 0; i < peer->prop_nxforms; i++) { > + tpeer = peer->prop_xforms + i; > if (tpeer->xform_type > IKEV2_XFORMTYPE_MAX) > continue; > + if (noauth && tpeer->xform_type == IKEV2_XFORMTYPE_INTEGR) > + return (0); > > /* >* Record all transform types from the peer's proposal, > @@ -832,7 +842,8 @@ proposals_match(struct iked_proposal *lo > for (i = score = 0; i < IKEV2_XFORMTYPE_MAX; i++) { > if (protoid == IKEV2_SAPROTO_IKE && xforms[i] == NULL && > (i == IKEV2_XFORMTYPE_ENCR || i == IKEV2_XFORMTYPE_PRF || > - i == IKEV2_XFORMTYPE_INTEGR || i == IKEV2_XFORMTYPE_DH)) { > + (!noauth && i == IKEV2_XFORMTYPE_INTEGR) || > + i == IKEV2_XFORMTYPE_DH)) { > score = 0; > break; > } else if (protoid == IKEV2_SAPROTO_AH && xforms[i] == NULL && > Hi Tobias, your diff is working without a problem. Have been running on it since 1,5 days on different machines. Though my feedback won't be of big use for you. I only run on iked<-->iked and iked<-->strongswan connections. Anyway. Big thank you for implementing this diff! I greatly appreciate it being now able to have AEAD for IKE ! :) Have a nice day ! Best regards, Stephan
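Review bot: in the second loop of the proposals_match hunk (@@ -782), `if (noauth && tpeer->xform_type == IKEV2_XFORMTYPE_INTEGR) return (0);` rejects the whole peer proposal as soon as any INTEGR transform accompanies an AEAD encryption transform, including an integrity transform whose id is NONE; if peers that pair GCM with an explicit NONE integrity transform should still match, the check needs to also test the transform id, and the loop deserves a comment stating the intent (AEAD proposals must not carry a real integrity algorithm) so the early return is not mistaken for a bug later.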

Re: iked(8): AES_GCM ciphers for IKE

2020-05-14 Thread Stephan Mending
if (noauth && noauth != ike_sa->xfs[i]->nencxf) { > + yyerror("cannot mix encryption transforms with " > + "implicit and non-implicit authentication"); > + goto done

Dead peer detection in iked

2020-05-07 Thread Stephan Mending
your time ! Best regards, Stephan

Re: iked(8): Removing SHA1 from default transforms

2020-05-03 Thread Stephan Mending
I know Theo, Tobias told me a few mails back. I was joking... On Sat, May 02, 2020 at 07:32:43AM -0600, Theo de Raadt wrote: > Stephan Mending wrote: > > > On 02/05/2020 02:58, Theo de Raadt wrote: > > > > > Stephan Mending wrote: > > > > > >>

Re: iked(8): Removing SHA1 from default transforms

2020-05-02 Thread Stephan Mending
On 02/05/2020 02:58, Theo de Raadt wrote: Stephan Mending wrote: I don't get how this could be ? then go study. I think I've struck a nerve right here. I'm sorry to have caused you high blood pressure by sending this diff. I do not doubt the competency of you or the other

Re: iked(8): Removing SHA1 from default transforms

2020-05-02 Thread Stephan Mending
On 02/05/2020 01:45, Tobias Heider wrote: Hi Stephan, "Also: the mentioned sha1 transform is also a HMAC construction and technically safe to use (for now), same as the PRF." I don't get how this could be ? SHA-1 for signage and hash generation is colliding. How can it be th

Re: iked(8): Removing SHA1 from default transforms

2020-05-01 Thread Stephan Mending
On 02/05/2020 00:40, Stuart Henderson wrote: On 2020/05/02 00:23, Stephan Mending wrote: Hi, I actually read your thread. By what I understood you're at the moment trying to change a few defaults. That was the reason I wanted to add SHA1 for removal. I just thought it deserved a sep

Re: iked(8): Removing SHA1 from default transforms

2020-05-01 Thread Stephan Mending
n is colliding. How can it be that this doesn't apply for iked ? g, Stephan On 02/05/2020 00:03, Tobias Heider wrote: On Fri, May 01, 2020 at 11:35:23PM +0200, Stephan Mending wrote: Hi *, this diff removes SHA1 as default transform for integrity algorithms. It's been broken long e

iked(8): Removing SHA1 from default transforms

2020-05-01 Thread Stephan Mending
Hi *, this diff removes SHA1 as default transform for integrity algorithms. It's been broken long enough. Let's at least get rid of it in iked's defaults. SHA1 is officially broken since 2011 and there have been doubts about it since 2005. Though using SHA1 in combination with HMAC as pseu

Re: AEAD Suites in IKEX (iked) and Phase 1 (isakmpd)

2020-04-20 Thread Stephan Mending
Hi Tobias, *, thanks for the heads up. I'd see a security benefit by using those ciphers. (-> compared with CBC Ciphers) Thanks for your time. g, Stephan On Mon, Apr 20, 2020 at 01:36:47PM +0200, Tobias Heider wrote: > Date: Mon, 20 Apr 2020 13:36:47 +0200 > From: Tobias Hei

AEAD Suites in IKEX (iked) and Phase 1 (isakmpd)

2020-04-20 Thread Stephan Mending
that. Using GCM Suites and/or Chacha20Poly1305. Thanks for your time. Best regards, Stephan

ARP requests

2018-11-21 Thread stephan
Hey I am trying to create an Address Resolution Protocol (ARP) requester. I keep getting an unpack error. here is the code https://pastebin.com/GRh6Cr15 and I'm trying to do these functions in def getMAC(ip): send an ARP request, wait for an ARP response, send it to the NIC, and then receive

Mininet Topology

2018-10-26 Thread stephan
For some reason I am having a hard time running mininet which produces the forwarding rules. Anyways here is my code: import java.io.File; import java.io.PrintWriter; import java.io.FileWriter; import java.util.Collections; import java.util.LinkedList; public class Forwarding { static void d

Re: bge related crash on ftp.ini.uzh.ch

2010-08-19 Thread Stephan A. Rickauer
On Wed, 18 Aug 2010 16:32:24 +0200 (CEST) Mark Kettenis wrote: > > Date: Wed, 18 Aug 2010 13:40:08 +0200 > > From: "Stephan A. Rickauer" > > > > This is the mirror in Switzerland that crashes like once a night. > > Stuart already started traci

Fw: bge related crash on ftp.ini.uzh.ch

2010-08-18 Thread Stephan A. Rickauer
This is the mirror in Switzerland that crashes like once a night. Stuart already started tracing it (thanks!), but posting it here for broader audience. complete dmesg at the very end. The original trace can be viewed here: http://ftp.ini.uzh.ch/pub/INI/users/stephan/18082010046.jpg I can always

Re: httpd mod_proxy: ProxyPass negation

2009-08-15 Thread Stephan A. Rickauer
Any mod_proxy user who could have a look at this / finds this useful? Cheers, Stephan On Wed, 2009-08-05 at 14:40 +0200, Stephan A. Rickauer wrote: > This diff backports and documents the ProxyPass negation found in > apache2, useful for excluding subdirs from being proxie

httpd mod_proxy: ProxyPass negation

2009-08-05 Thread Stephan A. Rickauer
This diff backports and documents the ProxyPass negation found in apache2, useful for excluding subdirs from being proxied, e.g. ProxyPass /foo/bar ! ProxyPass /foo/ http://backend/foo/ I run this patch in production on a loaded i386 reverse proxy without any troubles. Spacing corrections by

new installer (snapshot may 12th)

2009-05-13 Thread Stephan A. Rickauer
d say 'none' but if I don't have a NIC at all, couldn't that step be skipped entirely? Cheers, Stephan