Commit graph

6335 commits

Author SHA1 Message Date
cinap_lenrek
98b1f2a75b ppp: mschapv2 support 2018-01-21 22:55:14 +01:00
cinap_lenrek
3004f058f6 libauth: add auth_respondAI() function to get AuthInfo for mschap/mschapv2 2018-01-21 22:37:45 +01:00
cinap_lenrek
a7974d96b7 factotum: implement mschapv2 role=server authentication (for ppp)
this implements the server part of mschapv2 with the new
authserver changes.

we also provide AuthInfo for the client now with the
MPPE secret and the authenticator.
2018-01-21 22:35:01 +01:00
cinap_lenrek
fd1e50d653 authsrv: implement mschapv2 authentication, include MPPE secret in the ticket
this adds new rpc for mschapv2 authentication (21)

deliver the MPPE secret not after the ticket/authenticator
response as cheartext, but include it in the first 128 bit
of the ticket key. and the authenticator in the first 160 bit
of the authenticator random field.
2018-01-21 22:32:34 +01:00
cinap_lenrek
9840c50a3e gre: don't drop pptp packets when smaller than v4 header 2018-01-20 15:13:11 +01:00
cinap_lenrek
9d0ba6f162 ip/ipconfig: use 2000::/3 instead of ::/0 for v6 default route
the ::/0 route has the bad side effect of breaking v4 connections
when theres no default route due to v6 mapped v4 addresses. this
might be temporary measure.
2018-01-16 23:27:23 +01:00
cinap_lenrek
12f27944a5 p/ipconfig: don't put automatic link-local address configuration in /net/ndb 2018-01-16 21:37:36 +01:00
cinap_lenrek
ccf72da47d set router R-flag when sendra is active for neighbor advertisement
windows 7 just drops the default router when it tries to
probe for router reachability but gets a neighbor avertisement
from the router with the router bit clear.

so set the R-flag when sendra is active, which implies that
we are a router.
2018-01-16 20:42:01 +01:00
cinap_lenrek
2bd59d9cb3 authsrv: fix chap
use OCHAPREPLYLEN instead of sizeof(reply) (no padding).

exit after sending ticket response to force eof as factotum
unconditionally reads tailing secret hash (as of mschap).
2018-01-15 01:31:27 +01:00
23hiro
87c2d23c8f ipconfig(8): remove dhcp mention from -6 example 2018-01-14 23:58:25 +01:00
cinap_lenrek
b85245f5d2 ip/ipconfig: add v6 deault route from router advertisements 2018-01-14 19:33:30 +01:00
cinap_lenrek
84e67ffa88 listen(8): add -a option to restrict announce address, document tcp17019 and tcp17020 2018-01-14 19:32:13 +01:00
cinap_lenrek
7b5cf8de2d ether79c970: dont disable promisc mode when multicast table is not empty 2018-01-13 11:41:37 +01:00
cinap_lenrek
ad36593a99 ether82557: don't turn off promisc mode when mcast table is not empty
the driver doesnt implement multicast filter, but just turns
on promiscuous mode when a multicast address is added. but this
breaks when one actually enables and then disables promiscuous
mode with say, running snoopy.

we have to keep promisc mode active as long as multicast table
is not empty.
2018-01-13 07:16:17 +01:00
cinap_lenrek
ba87e58876 wifi: learn target ip address from neighbor advertisements in dmat proxy 2018-01-12 18:28:50 +01:00
cinap_lenrek
2088f8c991 wifi: filter out loopback traffic from myself
broadcast traffic was received back on the wire causing
duplicate address detection to break with dmat proy as
the rewritten broadcasts where observable.

the fix is to just ignore packets from ourselfs received
from the air. devether already handles loopback.
2018-01-12 08:01:15 +01:00
cinap_lenrek
d682a6cb38 ip/ipconfig: set on-link flag in router advertisement prefix info (fixes windows7) 2018-01-10 18:28:23 +01:00
cinap_lenrek
17ef60cbb8 merge 2018-01-08 00:24:55 +01:00
cinap_lenrek
acb206859d ether8169: deal with kernel memory exhaution
when kernel memory is exhausted, rtl8169replenish() can fail
to plant more receive descriptors and rtl8169receive() would
run over the receive tail and crash on the nil ctlr->rb[x].

rtl8169receive() is called on "Receive Descriptor Unavailable"
and "Packet Underrun" so we will try to replenish descriptors
in the beginning first in case memory was exhausted and memory
is available again and make sure not to run over the tail.
2018-01-08 00:23:26 +01:00
cinap_lenrek
3be526d4b9 merge 2018-01-07 05:20:13 +01:00
cinap_lenrek
069230cd62 forgot to commit asn1dump.c... 2018-01-07 05:17:34 +01:00
23hiro
17291d91bb rconnect: support -t timeout for aan like in drawterm; also rcpu, rexport/import 2018-01-07 02:44:53 +01:00
cinap_lenrek
05f721e998 venti: fix wrong channel element size for amd64 (thanks mycroftiv) 2018-01-06 20:21:50 +01:00
cinap_lenrek
7776180407 tlssrv: remove usage reference to lost auth/secretpem 2018-01-06 08:44:12 +01:00
cinap_lenrek
1c3377a67f factotum: remove unused sshrsa.c 2018-01-06 08:37:32 +01:00
cinap_lenrek
8ff72ce20d libsec: remove asn1toDSApriv() 2018-01-06 08:34:25 +01:00
cinap_lenrek
a200ecd3a6 remove asn12dsa, dsa2pub, dsa2ssh and dsagen
was mostly usefull for old ssh.
2018-01-06 08:32:51 +01:00
cinap_lenrek
91a701747c auth/asn1dump: include in mkfile 2018-01-06 07:44:12 +01:00
cinap_lenrek
d4a830e2e1 tlsclient: allow dumping the server's certificate with new -d flag
usefull for debugging, like:

./8.tlsclient -d /fd/3 tcp!code.9front.org!https |[0=3] auth/asn1dump
2018-01-06 07:43:08 +01:00
cinap_lenrek
e548a86575 tlsclient: remove X509dump() call, writes to fd 1 2018-01-06 06:25:45 +01:00
cinap_lenrek
7e4b669393 /sys/lib/dist: split 9boot into 9bootproto, make *.386.iso and *.amd64.iso targets 2018-01-05 08:41:46 +01:00
cinap_lenrek
c197fede61 inst: determine kernel for bootsetup from $bootfile and $cputype 2018-01-05 08:38:23 +01:00
cinap_lenrek
af06c6fa34 sysinfo: #c/swap -> #¶/swap 2018-01-05 02:43:28 +01:00
cinap_lenrek
b437065950 stats: show amount of reclaimable pages (add -r flag)
reclaimable pages are user pages that are used for
caches like the image cache, mount cache and swap cache.
2018-01-05 00:52:14 +01:00
cinap_lenrek
d3e54ff2d9 pc kernel: fix wrong simd exception mask (fixes go bootstrap) 2018-01-04 04:38:31 +01:00
cinap_lenrek
743f65c878 ape/libauth: remove auth_wep.$O from mkfile 2018-01-02 06:05:47 +01:00
cinap_lenrek
e8b46f6972 ape: update auth.h header for APE 2018-01-02 04:59:44 +01:00
cinap_lenrek
f70ebd8e62 factotum(4): document dp9ik, update protocol list 2018-01-02 04:50:13 +01:00
cinap_lenrek
77ad456b31 libauth: simplify _attrfmt() using fmtprint() avoiding stack buffer 2018-01-02 04:47:42 +01:00
cinap_lenrek
e1ca49d625 libauth: remove auth_wep() function, and non-existing httpauth() declaration 2018-01-02 04:31:21 +01:00
cinap_lenrek
1d7bb80793 factotum: remove legacy wep protocol 2018-01-02 04:27:23 +01:00
cinap_lenrek
4edc761024 libauth: fix out of bounds memory access in _parseattr()
empty token would read ""[-1] accidentally in the AttrQuery case.
2018-01-01 23:23:55 +01:00
cinap_lenrek
f7b0cc7a64 factotum: replace custom hex parsing code with dec16() avoding timing side channels 2018-01-01 21:14:39 +01:00
cinap_lenrek
5cf5f6e9ac libmp: use constant time encode(2) routines instead of lookup tables
the encode(2) routines are constant time now, so
use them instead of using lookup table that can
leak information through cache timing side channel.
2017-12-31 10:59:01 +01:00
cinap_lenrek
ea212266a1 ape: make encXchr()/decXchr() functions available 2017-12-31 10:53:50 +01:00
cinap_lenrek
c039b52fc3 libc: constant time implementation for encode(2) routines, fix base32
the string encoding functions touch secret key material
in a bunch of places (devtls, devcap), so make sure we do
not leak information by cache timing side channels, making
the encoding and decoding routines constant time.

we also expose the alphabets through encXchr()/decXchr()
functions so caller can find the end of a encoded string
before calling decode function (for libmp).

the base32 encoding was broken in several ways. inputs
lengths of len%5 == [2,3,4] had output truncated and
it was using non-standard alphabet. documenting the alphabet
change in the manpage.
2017-12-31 09:06:42 +01:00
cinap_lenrek
ee89c82dd3 wifi: get rid of custom hextob() routine, use dec16(), avoid copies in parsekey() 2017-12-31 01:49:58 +01:00
cinap_lenrek
8a64413eca aux/wpa: get rid of custom Hfmt() routine, just use encodefmt. use %E for mac addresses 2017-12-31 01:04:41 +01:00
cinap_lenrek
57f8b6ec75 libsec: implement SPKI fingerprinting for okCertificate()
Instead of only using a hash over the whole certificate for
white/black-listing, now we can also use a hash over the
Subject Public Key Info (SPKI) field of the certificate which
contians the public key algorithm and the public key itself.

This allows certificates to be renewed independendtly of the
public key.

X509dump() now prints the public key thumbprint in addition
to the certificate thumbprint.

tlsclient will print the certificate when run with -D flag.

okCertificate() will print the public key thumbprint in its
error string when no match has been found.
2017-12-30 03:07:47 +01:00
cinap_lenrek
b42d441a23 libsec: fix mistake: strnchr -> strchr 2017-12-30 02:47:02 +01:00