martin
f20c48026a
printf format fixes to make it compile
2009-12-05 17:23:39 +00:00
wiz
e34d48521a
Correct Xref to libnetpgp(3).
2009-12-05 10:05:54 +00:00
agc
1e9d36d82d
Update the manual page for the addition of ssh host keys.
2009-12-05 07:33:18 +00:00
agc
d6c0ee4fff
One more thing in the "Done" section - add ssh host keys
2009-12-05 07:21:07 +00:00
agc
561d2d6ad0
Add new files into netpgp lib
2009-12-05 07:17:29 +00:00
agc
91c29c7450
Add the ability to use ssh host keys (on the fly) to provide RSA keys.
These keys can be used in the same way as normal PGP keys - to sign, verify,
encrypt and decrypt files and data.
% cp configure a
% sudo netpgp --ssh-keys --sign --userid 1e00404a a
Password:
pub 1024/RSA (Encrypt or Sign) 040180871e00404a 2008-08-11
Key fingerprint: c4aa b385 4796 e6ce 606c f0c2 0401 8087 1e00 404a
% sudo chmod 644 a.gpg
% netpgp --ssh-keys --verify a.gpg
netpgp: default key set to "C0596823"
can't open '/etc/ssh/ssh_host_rsa_key'
Good signature for a.gpg made Fri Dec 4 23:04:36 2009
using RSA (Encrypt or Sign) key 040180871e00404a
pub 1024/RSA (Encrypt or Sign) 040180871e00404a 2008-08-11
Key fingerprint: c4aa b385 4796 e6ce 606c f0c2 0401 8087 1e00 404a
uid osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <root@osx-vm1.crowthorne.alistaircrooks.co.uk>
% uname -a
NetBSD osx-vm1.crowthorne.alistaircrooks.co.uk 5.99.20 NetBSD 5.99.20 (ISCSI) #0 : Wed Oct 7 17:16:33 PDT 2009 agc@osx-vm1.crowthorne.alistaircrooks.co.uk:/usr/obj/i386/usr/src/sys/arch/i386/compile/ISCSI i386
%
The ssh host keys do not need to be manipulated in any way - the information
is read from existing files.
2009-12-05 07:08:18 +00:00
christos
4ab80ffe22
Disable SSL V3 session renegotiation since the protocol parameters of the
old session are not cryptographically tied to the new session ones.
NB: Applications that require session re-negotiation will fail after this
update.
2009-12-03 23:44:33 +00:00
agc
7d576ad983
Add python bindings for netpgp, via swig.
When using python, always add the dumb symbolic link to the library name.
2009-12-02 00:32:06 +00:00
agc
e5e6e15318
Re-instate perl taint checking by re-defining the possible taint check in
swig. Fix a bug whereby the generated shlib_version file got appended to,
rather than rewritten.
2009-12-01 20:44:50 +00:00
agc
f17a59eb6a
Turns out that swig and tainted don't play well together - perl has no way
of knowing whether the memory will be modified. For now, the gross hack is
to switch off tainting.
2009-12-01 08:02:50 +00:00
agc
e1d61885e2
Add language bindings for tcl and perl
2009-12-01 06:43:57 +00:00
agc
6b13238156
Use the right field for the prefix
2009-12-01 06:33:31 +00:00
agc
e502623fdd
Add a swig interface file, and a wrapper script, for calling swig for
various language bindings for netpgp.
2009-12-01 05:19:51 +00:00
agc
b4d6642e10
Recognise the hash algorithm in a case-insensitive manner.
2009-12-01 02:36:32 +00:00
christos
aabb31871d
PR/42363: Yasuoka Masahiko:
racoon uses a wrong IPsec-SA handle that is for another peer in case it
receives an ISAKMP message for an IPsec-SA that has the same message-id as
a message-id that was received before.
racoon uses the message-id to find the handle of the IPsec-SA. The message-id
is a unique number for each peer, but different peers may use the same
value.
Different Windows Vista or Windows 7 peers seem to use the same
message-id. racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows', because racoon misunderstands the
message for the second Windows as the message for the first Windows.
>Category: bin
>Synopsis: racoon uses a wrong IPsec-SA that is for different peer
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Nov 22 18:25:00 +0000 2009
>Originator: yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
agc
f8429fa3c9
Remove vestiges of debugging
2009-11-20 15:23:37 +00:00
agc
33ee8138ba
When writing an ascii-armoured message, push the linebreak writer onto
the write function stack for the body of the message as well as the
headers.
This means that an ascii-armoured signed file created by netpgp conforms
to RFC 4880 (and 2440, thanks, moof[1]), and can be verified by gpg now, as
well as netpgp.
[1] Are there any other RFCs which are superseded by their double?
2009-11-20 15:21:18 +00:00
agc
632dc3ac9b
Unbreak the creation of ascii-armoured signatures.
Add automatic detection of ascii-armoured signatures.
Add tests for same - with small and large source files.
2009-11-20 07:17:07 +00:00
agc
ad7bc21d21
Commit some changes that have been in a private tree for a while:
+ add a netpgp library function - netpgp_get_key(3) - to print a
specific key
+ add functionality to call this function in netpgpkeys(1)
+ add test for netpgp_get_key
+ add a verbose switch to the tst script
+ add netpgp functions to expose the memory signing and verification
functions - netpgp_sign_memory(3) and netpgp_verify_memory(3)
+ coalesced signing and verification ops file functions
2009-11-19 21:56:00 +00:00
christos
2853bbf4b7
use %option instead of #define YY_NO_...
2009-10-29 14:49:02 +00:00
christos
792f03d2b0
use %option noinput nounput
2009-10-29 14:34:27 +00:00
christos
cd2a002a7a
no unput
2009-10-28 20:59:46 +00:00
wiz
02d06f301f
Remove .Os argument.
Remove ending dot in SEE ALSO.
Use Fl Fl for long options.
New sentence, new line.
Remove trailing whitespace.
2009-10-25 10:30:47 +00:00
reed
06921da813
Fix section number for a man page reference.
While here put the man pages in the SEE ALSO in order too.
(This was shared and now fixed upstream too.)
2009-10-25 01:52:04 +00:00
reed
fa923fa9a7
Fix Nm macro usage.
Fixed upstream in April:
9747de8132
2009-10-24 11:12:56 +00:00
reed
638b376411
Fix Document Title.
(I already reported it and it is fixed upstream.)
2009-10-24 11:09:31 +00:00
agc
a2dd3398cd
Add 'a' and 'a.sig' to CLEANFILES - from Marc Balmer
Wrap long lines
2009-10-19 05:17:46 +00:00
agc
5ea8497ecf
Use LD_LIBRARY_PATH to manage the library path, and don't try to second
guess from the lua driver program
2009-10-19 01:07:08 +00:00
agc
9470081fd3
Use a lua for loop in preference to a while and increment in the lua
example code - suggested by Marc Balmer.
% make USETOOLS=no t
cp Makefile a
./netpgp.lua --sign --detached a
netpgp: default key set to "C0596823"
pub 2048/RSA (Encrypt or Sign) 1b68dcfcc0596823 2004-01-12
Key fingerprint: d415 9deb 336d e4cc cdfa 00cd 1b68 dcfc c059 6823
uid Alistair Crooks <agc@netbsd.org>
uid Alistair Crooks <agc@pkgsrc.org>
uid Alistair Crooks <agc@alistaircrooks.com>
uid Alistair Crooks <alistair@hockley-crooks.com>
netpgp passphrase:
-rw-r--r-- 1 agc agc 287 Oct 17 15:58 a.sig
./netpgp.lua --verify a.sig
netpgp: default key set to "C0596823"
netpgp: assuming signed data in "a"
Good signature for a.sig made Sat Oct 17 15:58:09 2009
using RSA (Encrypt or Sign) key 1b68dcfcc0596823
pub 2048/RSA (Encrypt or Sign) 1b68dcfcc0596823 2004-01-12
Key fingerprint: d415 9deb 336d e4cc cdfa 00cd 1b68 dcfc c059 6823
uid Alistair Crooks <alistair@hockley-crooks.com>
uid Alistair Crooks <agc@pkgsrc.org>
uid Alistair Crooks <agc@netbsd.org>
uid Alistair Crooks <agc@alistaircrooks.com>
%
2009-10-18 07:23:37 +00:00
agc
1f8267516a
Minor changes to find lua glue library, and to set the home directory on
the correct C/Lua structure
2009-10-18 07:17:28 +00:00
agc
606ee0c668
Link in the netpgp shared library to the lua glue library
2009-10-18 07:15:43 +00:00
agc
faff2f64a8
Create .so from the lua interface library
2009-10-18 07:14:55 +00:00
agc
829fc7a59b
Minor renaming of lua array
Zero allocated storage after return from lua_newuserdata()
2009-10-18 07:14:19 +00:00
joerg
d935d602c7
Fix redundancy.
2009-10-15 00:07:45 +00:00
joerg
addb345ac7
Do not work around ancient groff limits with .Xo/.Xc.
2009-10-14 23:37:33 +00:00
joerg
4467064d5b
Do not use .Xo/.Xc to work around ancient groff limits.
2009-10-14 23:36:55 +00:00
joerg
a453670196
Do not use .Xo/.Xc to work around ancient groff limits.
Fix markup.
2009-10-14 18:34:14 +00:00
joerg
0639ebde24
Don't use .Xo/.Xc to work around ancient groff limits.
Set only one list type.
2009-10-14 18:22:04 +00:00
joerg
2644011d38
Use proper markup.
2009-10-14 17:33:56 +00:00
joerg
37ee8ee594
Don't use .Xo/.Xc to work around ancient groff limits.
2009-10-14 17:33:20 +00:00
joerg
68d56b9fdf
Fix markup.
2009-10-13 22:49:34 +00:00
joerg
37aea36c2a
Use sane logical markup and actual cross references.
2009-10-13 22:47:55 +00:00
joerg
951207a2a8
Fix markup.
2009-10-13 22:47:31 +00:00
agc
eb8043c766
Add lua language bindings for netpgp
2009-10-12 02:55:46 +00:00
agc
0aa9bcca65
Add some checks for return value from allocation routines
2009-10-09 06:02:55 +00:00
agc
7affbacab9
More checking of allocation return values where not already done.
Revamp hash initialisation to return a success/failure error code.
Document places where we prefer to continue with a NULL buffer,
rather than silently continue with possibly erroneous results.
2009-10-07 16:19:51 +00:00
agc
e82f21eb7a
More checks for the return value from memory allocation.
2009-10-07 04:56:51 +00:00
agc
83cfb9deb0
Clean up some Flexelint issues (pointed out by phk - many thanks!).
Also make sure the return value for each memory allocation is checked - this
is still a WIP.
2009-10-07 04:18:47 +00:00
agc
57036e7063
More Flexelint cleanup from issues pointed out by phk - thanks! - just easy
low-hanging fruit for now.
2009-10-06 05:54:24 +00:00
agc
b491010d02
More Flexelint cleanup from phk - many thanks! - low-hanging fruit for
just now.
2009-10-06 03:30:59 +00:00
agc
1603af0219
Clean up more Flexelint, from phk - many thanks! - just low-hanging fruit
for just now.
2009-10-06 02:46:17 +00:00
agc
814ccb85bf
Clean up Flexelint warnings - from phk, many thanks - just low-hanging
fruit for just now.
2009-10-06 02:39:53 +00:00
agc
5a83dba05a
More Flexelint fixes from phk - just low-hanging fruit for just now -
many thanks!
2009-10-06 02:26:05 +00:00
agc
3574ef6dec
Get rid of some lint-style issues - pointed out by Poul-Henning Kamp
and FlexeLint (many thanks!)
2009-10-04 21:58:25 +00:00
agc
e8be961ca7
Get rid of multiple prototypes - pointed out by Poul-Henning Kamp and
FlexeLint (many thanks!)
2009-10-04 21:57:09 +00:00
agc
f462900c00
const poisoning - pointed out by Poul-Henning Kamp and FlexeLint (many
thanks!)
2009-10-04 21:55:55 +00:00
tls
be6d3543e4
Remove -I line for no longer extant directory. The OpenSSL libraries
built here, unsurprisingly enough, still build and work exactly the
same.
2009-09-23 04:02:28 +00:00
tteras
ff2c7b7d5c
From Tomas Mraz: Fix gssapi error checking.
2009-09-18 10:31:11 +00:00
tteras
63bcd231eb
When rekeying phase2, use the phase1 that was used to negotiate the phase2 as
a hint to select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
tteras
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f
Change remote conf matching level to matching score. This way one can
override anonymous certificate block config with more exact "inherited"
IP specific block.
2009-09-01 09:49:59 +00:00
tteras
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
script (trac #313).
2009-09-01 09:24:21 +00:00
vanhu
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
vanhu
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
tteras
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
more readable.
2009-08-19 12:20:02 +00:00
vanhu
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
dyoung
40ca2d34bc
Delete trailing whitespace.
2009-08-17 22:58:28 +00:00
vanhu
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
vanhu
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
vanhu
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
christos
13492ada53
This code is really broken. It allocates struct sockaddr on the stack
and expects to work with IPV6. Tell the hints that we only want IPV4
for now, so that we don't try to bind to an IPV6 address as returned
by getaddrinfo, and then we bash in V4 in the family!
jeez
2009-08-15 01:25:54 +00:00
christos
e70d1f0896
don't try to free a buffer that came from the arguments, make a copy instead.
This can happen if we specify --port.
2009-08-15 01:03:03 +00:00
vanhu
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
tteras
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
tteras
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
christos
bb8cb2851b
resolve conflicts
2009-08-05 18:38:21 +00:00
christos
86adef1b84
import 20090805 snapshot.
2009-08-05 18:31:57 +00:00
tteras
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
got broken during NAT-T fixes.
2009-08-05 13:16:01 +00:00
joerg
15895248c1
Use OpenSSL's SHA256 support directly.
2009-08-03 20:56:25 +00:00
mrg
03f1126058
set SSHDIST to the new location. HI CHRISTOS!
2009-07-21 00:47:23 +00:00
christos
e97383ebc1
Don't let this linger around forever. Causes hidden bugs.
2009-07-20 22:55:47 +00:00
christos
d7ed66ca45
make tests compile!
2009-07-20 20:41:05 +00:00
christos
71cfba1556
ssh has moved (a long time ago)
2009-07-20 17:39:01 +00:00
christos
75efea6592
bump libcrypto and friends; OpenSSL abi change: do_cipher last argument
changed from u_int to size_t. Affects _LP64 only.
2009-07-20 17:30:52 +00:00
christos
35bdca4d17
use the proper libcrypto
2009-07-20 15:48:16 +00:00
christos
58e8878cb5
use the proper libcrypto
2009-07-20 15:43:51 +00:00
christos
9610bc301c
make sha256/512 binary compatible with the libc version which we now use.
2009-07-20 15:34:49 +00:00
christos
c9c3cfbcf5
catch up with openssl's abi change. do_cipher length changed from u_int to
size_t.
2009-07-20 15:33:44 +00:00
christos
22505a154a
add openssl
2009-07-19 23:44:20 +00:00
christos
e3aebf9996
new openssl
2009-07-19 23:43:46 +00:00
christos
2e69c03e37
openssl moved
2009-07-19 23:34:00 +00:00
christos
75534b786a
Add one more generated file and install in /usr/bin
2009-07-19 23:33:34 +00:00
christos
49d46fa3c8
- add build glue
- apply our changes
2009-07-19 23:30:37 +00:00
christos
a89c9211e5
import new openssl snapshot
2009-07-19 23:01:17 +00:00
apb
87c0c2be33
Add missing va_start before varargs processing.
Part of PR 41255 from Kurt Lidl.
2009-07-14 20:54:25 +00:00
tteras
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
agc
51e16c73a5
Move the null file checks for sign/verify/encrypt/decrypt down into the
library itself. Update the regression test script to add some tests.
2009-07-07 01:13:07 +00:00
agc
1eddadf4f7
Add two more items to the TODO list
2009-07-07 01:12:06 +00:00
spz
1513d3badc
fix break for non-64-bit systems due to a non-applying macro resp. variable
having crept in with the last patch.
ok martin, compile tested mbalmer and martin
2009-07-05 11:35:53 +00:00
tonnerre
a75354f443
Fix various vulnerabilities in OpenSSL which have not previously been
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.
Changes deal mostly with size checking of various elements and fixes
to various error paths.
2009-07-04 19:52:10 +00:00