b22ff73a10
Import OpenSSL 0.9.8e
2007-03-06 21:12:00 +00:00
17fe25abca
eliminate caddr_t
2007-03-04 08:21:34 +00:00
adf474a143
Add logic to allow ip address ids to be matched to ip subnet ids when
...
appropriate.
2007-02-28 05:36:45 +00:00
f1c1e37275
block variable declaration before code in ipsecdoi_id2str()
2007-02-21 11:01:06 +00:00
740b198715
Removed a debug printf....
2007-02-20 16:32:28 +00:00
bd81981229
Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting
2007-02-20 09:11:30 +00:00
1cb0c229b8
updated delete_spd() calls
2007-02-20 09:11:14 +00:00
19df9f5fcc
fills creation date of generated SPDs
2007-02-20 09:11:03 +00:00
57d8173408
added 'created' var
2007-02-20 09:10:47 +00:00
3c99a9f776
Removed a debug printf....
2007-02-19 13:08:47 +00:00
496e74bcde
From Olivier Warin: Fix a %zu in a printf.
2007-02-16 11:01:35 +00:00
834d2e72c5
Fixed a %zu in a printf
2007-02-16 11:01:34 +00:00
eac241862b
Missing SELinux file
2007-02-15 16:31:38 +00:00
1b2a464d38
Missing stuff for SELinux
2007-02-15 16:23:40 +00:00
6c4dc9e4c6
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
2007-02-15 13:01:26 +00:00
5f4b4e0b21
Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote()
2007-02-15 13:01:25 +00:00
6ced6eb0cd
Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory
2007-02-15 10:19:24 +00:00
b552802596
It's no longer basesrc.
2007-02-05 18:12:43 +00:00
5374d6ac89
Fixed a check of NAT-T support in libipsec
2007-02-02 13:42:28 +00:00
1634f1d295
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
2007-02-01 08:48:32 +00:00
e25ad0ee61
When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational
2007-02-01 08:48:31 +00:00
15b0193490
Refer to RFC 4716 in two more places (instead of "IETF SECSH").
...
From jmc@openbsd.
2007-01-23 22:21:54 +00:00
a740eb5ac0
CID-4268: `c' is EOF here, remove deadcode
2006-12-26 00:06:03 +00:00
bdf6fc4f47
CID-4167: check for 'iph1->approval != NULL'
2006-12-26 00:04:00 +00:00
a0a9492dc8
Talk of RFC 4716 SSH public key format instead of SECSH public key format.
...
From markus@openbsd via jmc@openbsd (rev 1.73).
2006-12-24 10:06:03 +00:00
7ce75c98d8
Mention RFC 4716. From markus@openbsd via jmc@openbsd (rev. 1.266).
2006-12-24 10:04:08 +00:00
9e2cc05c4b
Use even more macros.
2006-12-23 09:29:53 +00:00
710cf70831
Use more macros.
2006-12-23 09:29:01 +00:00
fc51d9d324
Serial comma, and bump date for previous.
2006-12-23 09:22:52 +00:00
1a38b96eff
From Joy Latten: fix a memory leak
2006-12-18 10:15:30 +00:00
591299b29f
fixed a memory leak in crypto_openssl
2006-12-18 10:15:29 +00:00
fcdf5459d0
branch 0.7 created
2006-12-10 22:36:06 +00:00
7c683c0b23
Bring back API and ABI backward compatibility with previous libipsec before
...
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
2006-12-10 18:46:39 +00:00
78f5cfece3
From Joy Latten: README.plainrsa documenting plain RSA auth
2006-12-10 05:51:14 +00:00
99a403e274
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
...
libipsec interface for adding and updating security associations.
2006-12-09 05:52:57 +00:00
10cadc281e
From Simon Chang: More hints about plain RSA authentication
2006-12-09 05:44:34 +00:00
3db7f7800e
Check keys length regarding proposal_check level
2006-12-05 13:38:40 +00:00
8ceadc3208
Correct issues associated with anonymous sainfo selection in racoon.
2006-11-16 00:30:55 +00:00
ea8336c632
As uwe points out, it looks like the L on the version constant was
...
accidentally removed. Add it back, especially as the documentation still
claims that the constant is a long.
2006-11-14 22:30:33 +00:00
1be366570b
From http://www.openssh.org/txt/release-4.5 : (CVE-2006-5794)
...
* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.
Bump __NETBSDSSH_VERSION
2006-11-14 21:52:09 +00:00
600680c6c3
merge conflicts.
2006-11-13 21:55:36 +00:00
4a5ea8ca2f
import 0.9.8d
2006-11-13 21:16:04 +00:00
9f3fa7dc87
eliminate the only variable stack array allocation.
2006-11-09 20:22:18 +00:00
94eb6e9da8
fix typo
2006-11-09 19:51:06 +00:00
f06f014bee
use malloc when ssp
2006-11-09 19:50:03 +00:00
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
...
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
05ad853be0
one more to catch up with the new location for sha2.h
2006-10-28 23:07:23 +00:00
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
9480ff5303
Change the default sshd configuration file so that only protocol version 2
...
is enabled by default. Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.
Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
2006-10-15 14:01:53 +00:00
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00
f34e7857d3
keep len correct when substituting variables - fixes PR/24458
2006-10-08 22:21:14 +00:00
56f4977415
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
...
<okazaki@kick.gr.jp>
2006-10-06 12:02:26 +00:00
ee4546d741
unbreak gcc-3 builds.
2006-10-04 14:31:55 +00:00
a9fc92da63
PR/34681: Scott Ellis: Explicitly include <sys/socket.h>
2006-10-04 14:30:35 +00:00
1eafb02344
put back ignorerootrhosts
2006-10-04 14:26:31 +00:00
20d3dfdcfa
fix endianness issue introduced yesterday
2006-10-03 20:43:10 +00:00
2b72a4f236
remoteid/ph1id support
2006-10-03 08:04:31 +00:00
b45c893ef4
Added remoteid/ph1id syntax
2006-10-03 08:03:59 +00:00
7d2c6acefd
Parses remoteid/ph1id values
2006-10-03 08:03:33 +00:00
dd3c365568
Uses remoteid/ph1id values
2006-10-03 08:02:51 +00:00
80d5a8a518
Added remoteid/ph1id values
2006-10-03 08:01:56 +00:00
9547d0f260
avoid reusing free'd pointer (Coverity 2613)
2006-10-02 21:51:33 +00:00
1966cc3311
Check for NULL pointer (COverity 4175)
2006-10-02 21:47:32 +00:00
e1ade705e1
Remove dead code (Coverity 3451)
2006-10-02 21:41:59 +00:00
520ec462f7
Fix array overrun (Coverity 4172)
2006-10-02 21:33:14 +00:00
e5d24ec446
Fix memory leak (Coverity 2002)
2006-10-02 21:27:08 +00:00
cdb1e64a8c
Fix memory leak (Coverity 2001), refactor the code to use port get/set
...
functions
2006-10-02 21:19:43 +00:00
cd350eaf6d
Avoid reusing free'd pointer (Coverity 4200)
2006-10-02 20:52:17 +00:00
d564be9350
Don't use NULL pointer (Coverity 3443), reformat to 80 char/line
2006-10-02 18:54:46 +00:00
f54a9b4797
If you're going to initialize a pointer, you have to init it with a pointer
...
type, not an int.
2006-10-02 12:44:40 +00:00
68e9583818
Don't use NULL pointer (coverity 3439)
2006-10-02 12:04:53 +00:00
5227e9475b
Don't use NULL pointer (Coverity 1334)
2006-10-02 11:59:40 +00:00
41042afaf6
Don't use NULL pointer (Coverity 944)
2006-10-02 07:17:57 +00:00
01d5ad642c
Don't use NULL pointer (Coverity 941)
2006-10-02 07:15:09 +00:00
9a55720f5c
Don't use NULL pointer (Coverity 942)
2006-10-02 07:12:26 +00:00
bfd607cda0
Don't use null pointer (Coverity 863)
2006-10-02 07:08:25 +00:00
626d146a75
FIx memory leak (Coverity 4181)
2006-10-01 22:04:03 +00:00
7be862b0db
Check that iph1->remote is not NULL before using it (Coverity 3436)
2006-10-01 19:23:57 +00:00
c7242e7e9f
emove dead code (Coverity 4165)
2006-09-30 21:49:37 +00:00
07b750b745
Fix memory leak (Coverity 4179)
2006-09-30 21:38:39 +00:00
df69765a89
update the scripts for wrorking around routing problems on NetBSD
2006-09-30 21:22:21 +00:00
172675f3db
Reuse existing code for closing IKE sockets, and avoid screwing things by
...
setting p->sock = -1, which is not expected (Coverity 4173).
2006-09-30 16:14:18 +00:00
d5f44674f8
Do not free id and key, as they are used later
2006-09-30 15:51:42 +00:00
55269b80c3
Grab a couple of lines from OpenSSH-portable that allow PAM authentication
...
to succeed. I guess the default configuration of NetBSD wasn't tested
before the import...
2006-09-29 22:47:21 +00:00
efb59e1b32
Fix the fix: handle_recv closes the socket, so we must call com_init before
...
sending any data.
2006-09-29 21:39:35 +00:00
8da6ea8890
Check for cert being NULL too.
2006-09-29 17:07:32 +00:00
897b34d36d
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
...
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows
remote attackers to cause a denial of service (inifnite loop
and memory consumption) via malformed ASN.1 structures that
trigger an improperly handled error condition.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions allows attackers to cause a denial of service (CPU
consumption) via certain public keys that require extra time
to process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
Buffer overflow in the SSL_get_shared_ciphers function in
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions has unspecified impact and remote attack vectors
involving a long list of ciphers.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Unspecified vulnerability in the SSLv2 client code in OpenSSL
0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions
allows remote servers to cause a denial of service (client
crash) via unknown vectors.
2006-09-29 15:41:08 +00:00
f1afbc1ee7
Use PRIu64 instead of llu when printing an u_int64_t.
...
Fixes a build problem for our LP64 ports, where u_int64_t is
typically an unsigned long.
2006-09-29 14:36:34 +00:00
a4970f4ee7
The "success" field in Authctxt needs to be a sig_atomic_t, not an int,
...
so that we don't get a type conflict on dispatch_run() invocation. Found
while building for alpha and amd64.
2006-09-29 14:34:25 +00:00
229f040cb9
We need this again.
2006-09-28 21:23:13 +00:00
c5a8b87f73
Resolve conflicts
2006-09-28 21:22:14 +00:00
49b7694919
from www.openssh.org
2006-09-28 21:14:57 +00:00
ca09533497
Fix unchecked mallocs (Coverity 4176, 4174)
2006-09-28 20:30:13 +00:00
87b827ea10
Fix access after free (Coverity 4178)
2006-09-28 20:09:35 +00:00
eb5be25aad
Fix memory leak (Coverity)
2006-09-26 21:42:55 +00:00
8b9e0af1db
Fix memory leak (Coverity)
2006-09-26 21:25:52 +00:00
1d587602b5
Remove dead code (Coverity)
2006-09-26 21:10:55 +00:00
75ada6df8d
Fix memory leak (Coverity)
2006-09-26 21:06:54 +00:00
ab1354320a
One more memory leak
2006-09-26 20:58:03 +00:00
ea585e8293
Fix memory leak in racoonctl (coverity)
2006-09-26 20:51:43 +00:00
f693deda72
Fix buffer overflow
...
Also fix credits: SA bundle fix was contributed by Jeff Bailey, not
Matthew Grooms. Matthew updated the patch for current code, though.
2006-09-26 04:44:41 +00:00
e63f95d0e9
fix SA bundle (e.g.: for negotiating ESP+IPcomp)
2006-09-26 04:41:26 +00:00
e2a943b3df
From Yves-Alexis Perez: struct ip -> struct iphdr for Linux
2006-09-25 17:42:08 +00:00
0fa07a8062
struct ip -> struct iphdr for Linux
2006-09-25 17:42:07 +00:00
1127a06ee3
style (mostly for testing ipsec-tools-commits@netbsd.org)
2006-09-25 05:08:52 +00:00
22ddfb23b1
Fix double free, from Matthew Grooms
2006-09-25 04:49:39 +00:00
542839bac0
credit
2006-09-21 09:43:47 +00:00
3c6750b831
use sysdep_sa_len to make it compile on Linux
2006-09-21 09:42:08 +00:00
a7c4d7d4ac
Bump date for ike_frag force.
2006-09-19 18:55:11 +00:00
a5dc6b2e53
New sentence, new line.
2006-09-19 18:54:39 +00:00
5f831f347b
Remove trailing whitespace.
2006-09-19 18:53:12 +00:00
efd02bc82c
From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:10 +00:00
60cd4fed98
fixed default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:09 +00:00
51065440a5
various commits
2006-09-19 07:51:44 +00:00
7ea7300ed8
always include some headers, as they are required even without NAT-T
2006-09-19 07:51:37 +00:00
a2afb48bcf
From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
2006-09-19 07:51:31 +00:00
478aed1af7
From Larry Baird: some printf() -> plog()
2006-09-19 07:51:27 +00:00
c18d9daa6a
From Matthew Grooms:
...
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)
2006-09-18 20:32:40 +00:00
504b73aa2f
removed generated files from the CVS
2006-09-18 09:11:06 +00:00
3992c65302
removed generated files from the CVS
2006-09-18 08:43:00 +00:00
90cc2f12b1
removed generated files from the CVS
2006-09-18 08:13:46 +00:00
f291901204
From Matthew Grooms:
...
handle IKE frag used in the first packet. That should not normally happen,
as the initiator does not know yet if the responder can handle IKE frag.
However, in some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do taht (something
like ike_frag force)
2006-09-18 08:05:47 +00:00
5a85c00571
Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms
2006-09-16 04:31:38 +00:00
2b7658dc54
Fix build on Linux
2006-09-15 09:40:44 +00:00
c8214a0a83
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
...
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
2006-09-09 16:22:08 +00:00
e3de131b63
Migrate ipsec-tools CVS to cvs.netbsd.org
2006-09-09 16:11:26 +00:00
8d13789c5a
Apply the third version of the patch from OpenSSL to address this issue.
...
- Rollback the updates for rsa.h, rsa_eay.c and rsa_err.c as they were
not necessary to address this vulnerability.
- Small update to the patch for rsa_sign.c for backward compatability so
the same patch can be applied to 0.9.[6-9]
2006-09-06 22:47:11 +00:00
90f5d4a3e0
Apply patch-CVE-2006-4339.txt
...
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.
Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
2006-09-05 12:24:08 +00:00
85f4c6eabf
Pull over OpenBSD v1.97, forwarded by jmc@openbsd:
...
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
ok deraadt
2006-08-10 00:34:32 +00:00
444e690921
Remove various dotfiles that wandered their way in.
2006-06-18 08:59:39 +00:00
a697e6653a
Adapt to new return value from socket(2) for an unsupported
...
protocol/address family.
2006-06-14 15:36:00 +00:00
ed56312e8a
resolve conflicts.
2006-06-03 01:50:19 +00:00
387e0d89ab
ftp www.openssl.org
2006-06-03 01:43:51 +00:00
b8b11c345a
ftp www.openssl.org
2006-06-03 01:39:48 +00:00
4f500646a9
Add a missing ')' to fix the example code. Already fixed in openssl upstream.
2006-05-24 16:44:34 +00:00
d46617757a
XXX: GCC uninitialized variable
2006-05-14 02:40:03 +00:00
b943fcf792
XXX: GCC uninitialized variables
2006-05-14 02:17:32 +00:00
f8418c0954
use socklen_t where appropriate.
2006-05-11 11:54:14 +00:00
54e9f4ccbc
wait_until_can_do_something() wants u_int * for it's 4th argument.
2006-05-11 09:27:06 +00:00
965a873335
avoid lvalue casts.
2006-05-11 00:05:45 +00:00
4d2c417597
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 00:04:07 +00:00
084c052803
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
0c37c63edc
change (mostly) int to socklen_t. GCC 4 doesn't like that int and
...
socklen_t are different signness.
2006-05-09 20:18:05 +00:00
4cd8515cfc
Add a NetBSD RCS ID.
2006-04-15 13:43:11 +00:00
mjf