On Tue, May 26, 2020 at 09:26:07PM +0200, Sven M. Hallberg wrote:
> hi all,
>
> i sent the following question to misc@ on march 29th but received no
> response. i hope you don't mind me retrying on tech@.
>
> while playing around with pf, i noticed that some connections that i
> thought should be
> + yyerror("cannot mix encryption transforms with "
> + "implicit and non-implicit authentication");
> + goto done;
> + }
> + if (noauth && ike_sa->xfs[i]->nauthxf) {
> + yyerror("authentication is implicit for given "
> + "encryption transforms");
> + goto done;
> + }
>
> if ((p = calloc(1, sizeof(*p))) == NULL)
> err(1, "%s", __func__);
>
> xf = NULL;
> xfi = 0;
> - copy_transforms(IKEV2_XFORMTYPE_INTEGR,
> - ike_sa->xfs[i]->authxf,
> - ike_sa->xfs[i]->nauthxf, &xf, &xfi,
> - ikev2_default_ike_transforms,
> - ikev2_default_nike_transforms);
> + if (!ike_sa->xfs[i]->nencxf || !noauth)
> + copy_transforms(IKEV2_XFORMTYPE_INTEGR,
> + ike_sa->xfs[i]->authxf,
> + ike_sa->xfs[i]->nauthxf, &xf, &xfi,
> + ikev2_default_ike_transforms,
> + ikev2_default_nike_transforms);
> copy_transforms(IKEV2_XFORMTYPE_ENCR,
> ike_sa->xfs[i]->encxf,
> ike_sa->xfs[i]->nencxf, &xf, &xfi,
> Index: policy.c
> ===
> RCS file: /cvs/src/sbin/iked/policy.c,v
> retrieving revision 1.62
> diff -u -p -r1.62 policy.c
> --- policy.c 13 May 2020 23:03:20 - 1.62
> +++ policy.c 14 May 2020 23:55:14 -
> @@ -774,7 +774,7 @@ proposals_match(struct iked_proposal *lo
> struct iked_transform **xforms, int rekey)
> {
> struct iked_transform *tpeer, *tlocal;
> - unsigned int i, j, type, score, requiredh = 0;
> + unsigned int i, j, type, score, requiredh = 0, noauth = 0;
> uint8_t protoid = peer->prop_protoid;
> uint8_t peerxfs[IKEV2_XFORMTYPE_MAX];
>
> @@ -782,8 +782,18 @@ proposals_match(struct iked_proposal *lo
>
> for (i = 0; i < peer->prop_nxforms; i++) {
> tpeer = peer->prop_xforms + i;
> + /* If any of the ENC transforms is an AEAD, ignore auth */
> + if (tpeer->xform_type == IKEV2_XFORMTYPE_ENCR &&
> + encxf_noauth(tpeer->xform_id))
> + noauth = 1;
> + }
> +
> + for (i = 0; i < peer->prop_nxforms; i++) {
> + tpeer = peer->prop_xforms + i;
> if (tpeer->xform_type > IKEV2_XFORMTYPE_MAX)
> continue;
> + if (noauth && tpeer->xform_type == IKEV2_XFORMTYPE_INTEGR)
> + return (0);
>
> /*
>* Record all transform types from the peer's proposal,
> @@ -832,7 +842,8 @@ proposals_match(struct iked_proposal *lo
> for (i = score = 0; i < IKEV2_XFORMTYPE_MAX; i++) {
> if (protoid == IKEV2_SAPROTO_IKE && xforms[i] == NULL &&
> (i == IKEV2_XFORMTYPE_ENCR || i == IKEV2_XFORMTYPE_PRF ||
> - i == IKEV2_XFORMTYPE_INTEGR || i == IKEV2_XFORMTYPE_DH)) {
> + (!noauth && i == IKEV2_XFORMTYPE_INTEGR) ||
> + i == IKEV2_XFORMTYPE_DH)) {
> score = 0;
> break;
> } else if (protoid == IKEV2_SAPROTO_AH && xforms[i] == NULL &&
>
Hi Tobias,
your diff is working without a problem. Have been running on it since 1,5 days
on different machines. Though my feedback
won't be of big use for you. I only run on iked<-->iked and iked<-->strongswan
connections.
Anyway. Big thank you for implementing this diff! I greatly appreciate it being
now able to have AEAD for IKE ! :)
Have a nice day !
Best regards,
Stephan
if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
> + yyerror("cannot mix encryption transforms with "
> + "implicit and non-implicit authentication");
> + goto done
your time !
Best regards,
Stephan
I know Theo, Tobias told me a few mails back. I was joking...
On Sat, May 02, 2020 at 07:32:43AM -0600, Theo de Raadt wrote:
> Stephan Mending wrote:
>
> > On 02/05/2020 02:58, Theo de Raadt wrote:
> >
> > > Stephan Mending wrote:
> > >
> > >&g
On 02/05/2020 02:58, Theo de Raadt wrote:
Stephan Mending wrote:
I don't get how this could be ?
then go study.
I think I've struck a nerve right here. I'm sorry to have caused you
high blood pressure by sending this diff. I do not doubt the competency
of you or the other
On 02/05/2020 01:45, Tobias Heider wrote:
Hi Stephan,
"Also: the mentioned sha1 transform is also a HMAC construction and technically
safe to use (for now), same as the PRF."
I don't get how this could be ? SHA-1 for signage and hash generation is
colliding. How can it be th
On 02/05/2020 00:40, Stuart Henderson wrote:
On 2020/05/02 00:23, Stephan Mending wrote:
Hi,
I actually read your thread. By what I understood you're at the moment
trying to change a few defaults.
That was the reason I wanted to add SHA1 for removal. I just thought it
deserved a sep
n is
colliding. How can it be that this doesn't apply for iked ?
g,
Stephan
On 02/05/2020 00:03, Tobias Heider wrote:
On Fri, May 01, 2020 at 11:35:23PM +0200, Stephan Mending wrote:
Hi *,
this diff removes SHA1 as default transform for integrity algorithms.
It's been broken long e
Hi *,
this diff removes SHA1 as default transform for integrity algorithms.
It's been broken long enough. Let's at least get rid of it in iked's
defaults.
SHA1 is officially broken since 2011 and there have been doubts about it
since 2005.
Though using SHA1 in combination with HAMC as pseu
Hi Tobias, *,
thanks for the heads up.
I'd see a security benefit by using those chiphers. (-> compared with CBC
Ciphers)
Thanks for your time.
g,
Stephan
On Mon, Apr 20, 2020 at 01:36:47PM +0200, Tobias Heider wrote:
> Date: Mon, 20 Apr 2020 13:36:47 +0200
> From: Tobias Hei
that. Using GCM Suites
and/or
Chacha20Poly1305.
Thanks for your time.
Best regards,
Stephan
Hey I am trying to create an Address Resolution Protocol (ARP) requester'er.
I keep getting an unpack error.
here is the code https://pastebin.com/GRh6Cr15
and I'm trying to do these functions in def getMAC(ip):
send an ARP request, wait for an ARP response, send it to the NIC, and then
receive
For some reason I am having a hard time running mininet which produces the
forwarding rules.
Anyways here is my code:
import java.io.File;
import java.io.PrintWriter;
import java.io.FileWriter;
import java.util.Collections;
import java.util.LinkedList;
public class Forwarding {
static void d
On Wed, 18 Aug 2010 16:32:24 +0200 (CEST)
Mark Kettenis wrote:
> > Date: Wed, 18 Aug 2010 13:40:08 +0200
> > From: "Stephan A. Rickauer"
> >
> > This is the mirror in Switzerland that crashes like once a night.
> > Stuart already started traci
This is the mirror in Switzerland that crashes like once a night.
Stuart already started tracing it (thanks!), but posting it here for
broader audience. complete dmesg at the very end.
The original trace can be viewed here:
http://ftp.ini.uzh.ch/pub/INI/users/stephan/18082010046.jpg
I can always
Any mod_proxy user who could have a look at this / finds this useful?
Cheers,
Stephan
On Wed, 2009-08-05 at 14:40 +0200, Stephan A. Rickauer wrote:
> This diff backports and documents the ProxyPass negation found in
> apache2, useful for excluding subdirs from being proxie
This diff backports and documents the ProxyPass negation found in
apache2, useful for excluding subdirs from being proxied, e.g.
ProxyPass /foo/bar !
ProxyPass /foo/ http://backend/foo/
I run this patch in production on a loaded i386 reverse proxy without
any troubles. Spacing corrections by
d say 'none' but if I
don't have a NIC at all, couldn't that step be skipped entirely?
Cheers,
Stephan
19 matches
Mail list logo
