Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
Security update to mbedtls-3.6.6
Fixes for:
Client impersonation while resuming a TLS 1.3 session (CVE-2026-34873)
Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
PSA random generator cloning CVE-2026-25835
Compiler-induced constant-time violations (CVE-2025-66442)
Null pointer dereference when setting a distinguished name (CVE-2026-34874)
Buffer overflow in FFDH public key export (CVE-2026-34875)
FFDH: lack of contributory behaviour due to improper input validation (CVE-2026-34872)
Signature Algorithm Injection CVE-2026-25834
CCM multipart finish tag-length validation bypass (CVE-2026-34876)
Risk of insufficient protection of serialized session or context data
leading to potential memory safety issues (CVE-2026-34877)
Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)
If we receive a response it must have the exact same msgid as the last
request we sent, so make sure they match exactly rather than allowing
higher msgids.
We can't handle out of order responses and if we don't receive a response
in time we retransmit our request until we get one or run into a timeout.
Found by Dirk Loss
ok markus@ hshoexer@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
ok markus@ hshoexer@
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
ok and discussed with markus@ stsp@
Do the unveil() after the daemon() call, because otherwise we wouldneed
"/dev/null" "rw" and "/" "r", in particular the second is ugly.
pointed out by bluhm, discussion also with dgl.
Restore the previous behaviour with maximum verification depth.
The maximum depth is not expected to include the leaf certificate - restore
the decrement prior to checking, which means the previous behaviour is
retained for the callback depth and the maximum depth. Reduce the maximum
depth by one in order to avoid the overwrite that could previously occur.
Thanks to anton@ for flagging the rust-openssl failure in regress.
ok tb@
