Commit Graph

1563 Commits

Author SHA1 Message Date
tteras
49c6438a45 Fix authentication method ambiguity by internally using unique ID and
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280.
2009-01-23 08:23:51 +00:00
tteras
69697b4655 Introduce vendorid bitmask that can be used otherwhere to detect peer
capabilities.
2009-01-23 08:06:56 +00:00
tteras
2b7d4cd554 Remove "fastquit" configure option and make it the default behaviour. The
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
agc
0306a7c61f Massive overhaul of openpgp.c, the driver program for the openpgpsdk
library.

A good signature verification now shows the filename, time of signing,
and the public keys of the signatories.

Made the interface much more standard by using any argv components after
the options have been parsed to indicate files, rather than a single
--file=filename long option.

Get rid of all assert() calls in the program - dumping core when an
argument is missing is a trifle uncompromising.

When matching userids, if the given userid contains a '@' character,
consider all characters from the rightmost '<' to the terminating
'>' of the file-based userid to be an email address. If there's no
'@' character, consider the given name as a real name, and match
from the start of the file-based userid. All comparisons are done
using case-insensitive searching. I'll consider implementing regexp
matching when enough chocolate bribes are received.

Rework the internals to call a major internal function, rather than doing
everything in main().

Run the results of all this through indent, since the current sources
bear little resemblance to what went before.
2009-01-23 06:07:18 +00:00
agc
d0750f9b83 Convert another commented out printf() to a debugging statement 2009-01-22 01:46:51 +00:00
agc
29726fdfea When reading a keyring, often the failure of the initial limited_read_mpi()
when parsing a DSA signature means that we've reached the end of the keyring,
so only print out the annoying error message if we're debugging.
2009-01-22 01:45:59 +00:00
agc
c785cc907d If the user hasn't passed the pass phrase in as a command line argument
(not such a great idea), use getpass() to get the passphrase.

Various debugging additions.

When verifying files, print out the file name which was verified, and exit
with either EXIT_FAILURE or EXIT_SUCCESS, depending upon the verification
result. This still needs to be reworked to print out the signatory to the
file, and the date of signing.
2009-01-22 01:43:35 +00:00
agc
d26c2431dd Don't rely on a convenience macro when expanding a macro definition. 2009-01-22 01:01:47 +00:00
agc
dba5f8d52a When listing keys, if a key ring has been specified, list the keys in
that key ring.  If no key ring has been specified, list the keys in
the default public key ring, rather than dying with a usage message.
Matches gpg behaviour, and stops openpgp violating the POLA.
2009-01-22 00:59:12 +00:00
agc
da7f9470ea Convert commented out printf() statements into proper debugging statements 2009-01-22 00:56:13 +00:00
agc
67c903aedc Add more debugging information 2009-01-22 00:55:15 +00:00
lukem
0e88dfdc76 do the PRINTOBJDIR dance to find the (potentially uninstalled) library
in ../lib  (just like we do many other apps)
2009-01-22 00:22:20 +00:00
lukem
9b100d5b4e don't need LDADD here; LIBDPLIBS does the right thing 2009-01-22 00:20:58 +00:00
lukem
87e4630751 descend into lib first 2009-01-22 00:13:19 +00:00
lukem
b8a38f2310 update paths 2009-01-22 00:01:52 +00:00
agc
b3b80bc7d6 Fix a typo when printing the type of trust 2009-01-21 22:29:04 +00:00
agc
bbfe341047 gmtime(3) returns a pointer to a struct tm with a month value in the
range [0,11], so add 1 to this to get a useful value for human
interpretation.
2009-01-21 20:17:14 +00:00
agc
1dbcf9a927 Avoid leaking storage in one function.
Set USE_FORT to yes, and fix the fallout.
2009-01-21 15:35:00 +00:00
agc
c80363d779 WARNS=4 (w00t, no changes necessary) 2009-01-21 07:08:10 +00:00
agc
644e4c1f7f Build the openpgpsdk library with WARNS=3 2009-01-21 05:48:56 +00:00
agc
1cf88afccb Fix WARNS=2 warnings (shadow vars again), but don't switch WARNS=2 on for
the application, since WARNS=2 includes fatal warnings when linking, and we
get a warning about IDEA being a patented algorithm.
2009-01-21 03:37:12 +00:00
agc
6dfd9b1804 WARNS=2 for the library build 2009-01-21 03:32:08 +00:00
agc
5bc2794550 WARNS=2 (mainly shadow variable declarations) 2009-01-21 03:31:22 +00:00
agc
2626a640dd Previously debugging information seems to have been output by editing a
static variable and recompiling. Make this a bit more dynamic, adding a
--debug "filename" argument to the application, and by using a filename-
based debug framework to replicate previous behavior. Multiple filenames
can be provided.

In addition, add more debugging information by printing out the human
values of signature type and key algorithm when parsing packets.
2009-01-21 01:32:54 +00:00
agc
84ce5f6759 Restore the exit semantics of the original. If success, the exit code is
EXIT_SUCCESS. If failure, exit code is EXIT_FAILURE. (Duh). If an error
has occurred, use an exit code of 2.
2009-01-21 01:27:55 +00:00
agc
4442e07493 Add the dependent libs to the openpgpsdk library itself, rather than making
any program that uses the library specifically add them.

Install header files in the appropriate place
2009-01-20 19:48:23 +00:00
agc
f6ab492fbf Use EXIT_* error codes rather than numeric constants 2009-01-20 19:46:08 +00:00
agc
35a399083a Get rid of a file that's not used 2009-01-20 19:44:42 +00:00
agc
c86c75ce57 Add a subdir Makefile to descend into openpgpsdk 2009-01-20 19:42:56 +00:00
agc
68d230573c The openpgp application breaks its own abstraction rules by including a
header file that is meant to be local, so that it can access the content
type of a packet. This change uses an accessor function to find the packet
content type.
2009-01-20 16:58:09 +00:00
tteras
2b68c3a06a Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
ChangeLog.old.
2009-01-20 14:36:07 +00:00
agc
0055cf2b60 Add a reachover framework for the openpgp application as well. 2009-01-20 07:50:54 +00:00
agc
d4beb7925c Remove duplicated functions 2009-01-20 07:35:26 +00:00
agc
e4f17bf621 Also make shared lib 2009-01-20 07:34:42 +00:00
agc
cba3672b08 Add a README file, derived form external/src/README, to describe the contents
of the tree rotted at this directory.
2009-01-20 07:15:30 +00:00
agc
5e633613d2 Make this compile (WARNS=1) on NetBSD.
Add reachover library Makefile for the external framework.
2009-01-20 07:12:16 +00:00
agc
9b993b5409 Missed this when removing old sources. 2009-01-20 06:49:14 +00:00
agc
5c077856b5 Second initial import of openpgpsdk v0.9 into the external section of
the crypto sources, per conversation with core.

License is 3-clause BSD.

        An OpenPGP library implementation (RSA and partial DSA), conformant
        with RFC4880 "OpenPGP Message Format".

        RSA Key Generation
            * S2K Usage: ENCRYPTED_AND_HASHED
            * S2K Specifier: SALTED
            * Symmetric algorithm: CAST5

        RSA Encryption
            * Generates "Symmetrically Encrypted Integrity Protected
              Data" packets (required by RFC)
            * Hash: SHA1 (required by RFC)
            * Symmetric Algorithm: CAST5 (hard-coded)
            * Uses compression
            * Optional ASCII armouring

        RSA Decryption
            * Symmetric Algorithm: CAST5, AES, AES256, 3DES
            * Optional Compression: ZIP, ZLIB, BZIP2
            * Optional ASCII armouring

        RSA Signature
            * Armoured, unarmoured or clearsigned
            * Hash algorithm: SHA1

        RSA Verification
            * Armoured, unarmoured or clearsigned
            * V3 or V4 signatures
            * Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224

        DSA Signature
            * Armoured, unarmoured or clearsigned
            * Hash algorithms: SHA1

        DSA Verification
            * Armoured, unarmoured or clearsigned
            * V3 or V4 signatures
            * Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
2009-01-20 06:43:54 +00:00
agc
32a7726202 Remove the botched import of the openpgpsdk sources. "They'll be back" 2009-01-20 06:36:37 +00:00
agc
ca2dba9441 Make the library compile with WARNS=1 2009-01-12 23:00:00 +00:00
agc
4ca3d4e421 Initial import of openpgpsdk v0.9 into the external section of the crypto
sources, per conversation with core.

License is 3-clause BSD.

	An OpenPGP library implementation (RSA and partial DSA), conformant
	with RFC4880 "OpenPGP Message Format".

	RSA Key Generation
	    * S2K Usage: ENCRYPTED_AND_HASHED
	    * S2K Specifier: SALTED
	    * Symmetric algorithm: CAST5

	RSA Encryption
	    * Generates "Symmetrically Encrypted Integrity Protected
	      Data" packets (required by RFC)
	    * Hash: SHA1 (required by RFC)
	    * Symmetric Algorithm: CAST5 (hard-coded)
	    * Uses compression
	    * Optional ASCII armouring

	RSA Decryption
	    * Symmetric Algorithm: CAST5, AES, AES256, 3DES
	    * Optional Compression: ZIP, ZLIB, BZIP2
	    * Optional ASCII armouring

	RSA Signature
	    * Armoured, unarmoured or clearsigned
	    * Hash algorithm: SHA1

	RSA Verification
	    * Armoured, unarmoured or clearsigned
	    * V3 or V4 signatures
	    * Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224

	DSA Signature
	    * Armoured, unarmoured or clearsigned
	    * Hash algorithms: SHA1

	DSA Verification
	    * Armoured, unarmoured or clearsigned
	    * V3 or V4 signatures
	    * Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
2009-01-12 22:55:41 +00:00
wiz
67cbe60826 Make ready for HTML output.
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
tteras
f7557f766d From Cyrus Rahman:
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
tteras
a0b1dc6be0 Fix a CPPLAGS typo to CPPFLAGS which was intended 2009-01-09 06:31:38 +00:00
tteras
9df0ec5c7e Fix a CPPLAGS type to CPPFLAGS which was intended 2009-01-09 06:31:37 +00:00
christos
10c9b70baa Correct error checking for DSA and ECDSA keys (from FreeBSD) 2009-01-07 23:05:07 +00:00
tteras
b264308e87 Remove obsolete configuration options, fix radius configuration block and
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
tteras
328859aef7 Do not use counting in signal handling as it was unsafe by not using
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
tteras
a3c1a92d23 schedular() call can now modify fd mask so make the working copy just
before calling select(); otherwise it can contain bad file descriptors
2008-12-30 15:50:24 +00:00
mlelstv
e5b90a2fc2 support icmp codes. Fixes PR 39056. 2008-12-29 12:54:33 +00:00
christos
aa3382cd31 remove sin{6,}_len linux does not have it. From Timo Teras. 2008-12-24 20:20:52 +00:00
christos
6c532322d2 I was wrong. addr is actually set. 2008-12-24 19:05:48 +00:00
christos
16b17fbeab - make this compile by zeroing out the whole structure not just bogus fields.
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
2008-12-24 15:25:44 +00:00
wiz
c1e7a459ca Bump date for identity configuration option removal. 2008-12-23 19:28:18 +00:00
tteras
535280aca9 Remove the obsoleted global identity configuration option. 2008-12-23 14:04:42 +00:00
tteras
bd378f6dda rewrite local address detection
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()
2008-12-23 14:03:12 +00:00
tteras
182f0b93be From Arnaud Ebalard:
Delete larval ph2handles when expire with hard lifetime received
2008-12-18 07:20:25 +00:00
tteras
50a2f2e6d0 Update README 2008-12-16 06:48:38 +00:00
tteras
b2b7434a10 Fix transport mode address selection in acquire handling.
Some earlier fixes got lost on 2008-12-05 commit.
2008-12-16 06:08:46 +00:00
vanhu
a75f34b133 Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff) 2008-12-11 15:45:24 +00:00
vanhu
cffd15164d Fixed compilation when DPD support is disabled 2008-12-11 15:33:59 +00:00
bad
f140528153 Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04. 2008-12-09 23:28:08 +00:00
tteras
dae665ff27 Do not cache pfkey sockets: it might cause to not handle some pfkey events
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
2008-12-08 06:00:53 +00:00
tteras
02f2a72861 From Arnaud Ebalard:
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-05 06:02:20 +00:00
bad
3ef91ecea8 Fix typo in previous and use SIG_IGN as I intended. 2008-12-04 22:30:26 +00:00
tteras
22b0737f30 Explicitly ignore SIGPIPE. Default action on Linux is terminate. 2008-12-02 07:41:43 +00:00
wiz
659c30f2ba Remove empty line. Fix typo. New sentence, new line. 2008-11-28 22:37:44 +00:00
vanhu
0b0a39b9f9 ModeConfig fixes 2008-11-27 15:04:34 +00:00
vanhu
3a74e20575 Set up a default value for Mode Config Pool size if pool address specified but pool size not specified 2008-11-27 15:04:21 +00:00
vanhu
054e0e851d Fixed pool resizing 2008-11-27 15:04:16 +00:00
tteras
f863fa40c3 From Arnaud Ebalard:
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
2008-11-27 11:08:48 +00:00
tteras
1c6c2a3356 From: Matthew Krenzer
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
2008-11-27 10:53:48 +00:00
bad
e564489300 Document my changes from 2008-11-08 and today. 2008-11-25 22:39:20 +00:00
bad
f798cbf18b Avoid using MSG_NOSIGNAL as it is not available everywhere.
Ignore SIGPIPE instead.
2008-11-25 22:38:31 +00:00
bad
d9c51cbeae Ignore unspecified and looback addresses. Ignoring unspecified addresses
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
2008-11-25 22:00:15 +00:00
bad
e7c2314bc8 RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses.
Ignore them silently.
2008-11-25 21:54:05 +00:00
bad
6db1040de3 Ignoring an unsuitable address is not an error. Therefore log it as
informational.
Make it clear from the log message that a route message is not interesting.
2008-11-25 21:50:47 +00:00
bad
220cbdde75 Use insmyaddr() instead of open coding it. 2008-11-25 21:46:12 +00:00
bad
b8d42d186b Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU
fails.
2008-11-25 21:42:36 +00:00
bad
667107700d Keep myaddr.sock at -1 when no socket is opened. 2008-11-25 21:37:11 +00:00
bad
96020e15cb Preserve owner and permissions of original /etc/resolv.conf.
Ensure that new /etc/resolv.conf isn't group or world writable.
2008-11-08 13:41:09 +00:00
bad
447613dc6a Print and check INTERNAL_NETMASK4. 2008-11-08 13:38:46 +00:00
bad
aabe06ab2f Make the handling of NAT-T SPD entries automatic. 2008-11-08 13:36:35 +00:00
bad
5a8370eefd Ensure that the determination of the default gateway and the corresponding
interface don't get confused by multiple, possibly non-IPv4  default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
2008-11-08 13:31:23 +00:00
wiz
a4814aed6a The escape sequence for a backslash is "\e". 2008-11-07 16:51:27 +00:00
reed
a455765d91 Use line continuation for an example. It was too wide for my output
so was cropped.

Already shared upstream and was told (in September) will be in next
major release.
2008-11-07 15:50:38 +00:00
vanhu
33dafe234f fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR 2008-11-06 14:12:28 +00:00
tteras
66f152db75 Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place. 2008-11-01 06:55:10 +00:00
spz
334414e667 Changes to ipsecdoi_id2str():
struct sockaddr -> struct sockaddr_storage fixes a stack overflow

For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-29 18:49:45 +00:00
tteras
0c1f013cc5 Fix commit dates to reflect reality. 2008-10-28 19:03:27 +00:00
hubertf
11236c9878 Make sshd find the xauth program, even with the new /usr/X11R7.
OK'd by christos@
2008-10-27 08:27:04 +00:00
tteras
ed890caaae From Arnaud Ebalard:
Add missing return to error path
2008-10-27 06:27:05 +00:00
tteras
3ff331469e From Francis Dupont (sent by Arnaud Ebalard):
recognize RTM_IFANNOUNCE
2008-10-27 06:24:27 +00:00
tteras
a06fc42a2e From Arnaud Ebalard:
Fix indentation issues for readability
2008-10-27 06:21:29 +00:00
tteras
b186d55b63 From Arnaud Ebalard:
initfds() needs to be called only if monitored file descriptor numbers
have changed
2008-10-27 06:18:08 +00:00
tteras
38962f77a8 From Arnaud Ebalard:
Remove duplicate declaration
2008-10-27 06:14:04 +00:00
adrianp
1e802db977 Pull in a fix from the OpenSSL CVS:
http://cvs.openssl.org/filediff?f=openssl/crypto/x509/x509_att.c&v1=1.14&v2=1.15
This should fix PR #39767 opened by Wolfgang Solfrank
2008-10-25 12:11:47 +00:00
tteras
ede27c75ad From Krzysztof Piotr Oledzki <olel@ans.pl>:
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
2008-10-23 10:56:10 +00:00
apb
96230fab84 Use ${TOOL_AWK} instead of ${AWK} or plain "awk" in make commands.
Pass AWK=${TOOL_AWK:Q} to shell scripts that use awk.
2008-10-19 22:05:19 +00:00
tteras
ab610e81be Fix a spelling mistake in changelog 2008-10-09 16:44:31 +00:00
tteras
52d4b7db25 From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2() 2008-10-09 15:53:12 +00:00
tteras
c724d51982 From Arnoud Ebalard <arno@natisbad.org>:
remove unnecessary unbindph12() call which is now done also in remph2()
2008-10-09 15:53:11 +00:00
vanhu
105e5049b7 Fixed resending mechanism to have non-ESP marker for retransmitted packets 2008-09-25 09:34:13 +00:00
wiz
e829b0a440 New sentence, new line. 2008-09-19 17:33:24 +00:00
tteras
d1a09d5477 Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.
2008-09-19 11:14:49 +00:00
tteras
fbf62026bb Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
2008-09-19 11:01:08 +00:00
christos
7a75c9a543 PR/39233: Taylor R Campbeel: OpenSSH fails to initialize tun(4) tunnels
correctly.
2008-09-17 15:45:50 +00:00
vanhu
b383a5b3e4 Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs 2008-09-17 12:39:07 +00:00
vanhu
954f7757c0 Some calls to set_port() were not correctly updated in the previous commit 2008-09-09 11:50:42 +00:00
vanhu
a20b313ea8 From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff. 2008-09-03 16:08:26 +00:00
vanhu
4ead39ef24 Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff 2008-09-03 16:08:25 +00:00
tteras
dbd3f137ba - Fix reloading of SPD (Linux satype check, handling of SPD dump responses)
- Remove some spurious error log message from extract_port()
2008-09-03 09:57:28 +00:00
lukem
b926b61a73 Comment out __RCSID; this is a host tool and we don't need the Id in the binary.
Fixes cross-build issue on RHEL5-like Linux.

Arguably we shouldn't even #include <config.h> because that's been created
for the NetBSD target and not the (possibly non-NetBSD) host system,
but that hasn't caused problems so far so I'll leave it for now.
2008-09-03 07:10:55 +00:00
gmcgarry
dc1f2ff2f9 Eliminate gcc-specific feature of empty structures. 2008-08-29 00:31:37 +00:00
gmcgarry
f3a85cb801 Eliminate superfluous semicolon. 2008-08-29 00:31:00 +00:00
gmcgarry
b4e2d1afdf Eliminate gcc-specific feature of unnamed structures added recently. 2008-08-29 00:30:15 +00:00
vanhu
163d7169c0 From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator. 2008-08-12 12:45:55 +00:00
vanhu
32468f64a1 Remove ph1handler if we received an invalid first exchange from initiator 2008-08-12 12:45:54 +00:00
tteras
191869cf2a From Krzysztof Piotr Oledzki:
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
2008-08-06 19:14:28 +00:00
simonb
5a3c2f6809 Revert the HPN changes that added verbose "Max throughput" summary
after scp(1) finishes.
2008-08-05 14:13:34 +00:00
veego
cca63e16c3 Restore .hx support for avoiding unneeded regeneration of header files
Fix PR lib/39185

Partly restore the changes which were removed during the Heimdal 1.1 update:
src/lib/libasn1/Makefile 1.28 -> 1.29
src/lib/libhdb/Makefile 1.21 -> 1.22
src/crypto/dist/heimdal/lib/asn1/gen.c 1.8 -> 1.9

Add .hx support in 'new' heimdal libraries:
src/lib/libgssapi/Makefile
src/lib/libhx509/Makefile

Add a new entry in doc/HACKS for this changes.
2008-08-03 07:16:58 +00:00
mgrooms
9ef0a25aeb Add some missing ifdefs required for non-radius enabled builds. 2008-07-23 17:36:00 +00:00
tteras
4521811287 Do not use GNU make specific extension. 2008-07-23 13:53:08 +00:00
tteras
28aa26f3de Do flex/bison invocation in a more standard way, and keep the generated
files in the dist tarball.
2008-07-23 09:06:51 +00:00
vanhu
826c52702d From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal. 2008-07-22 13:25:18 +00:00
vanhu
754d7776f7 fixed some memory leaks, when malloc fails or when peer sends invalid proposals 2008-07-22 13:25:17 +00:00
mgrooms
fd9755072f Add an optional radius configuration section to the racoon.conf file. This
is similar to the the LDAP configuration section and overrides settings in
the system radius configuration file.
2008-07-22 01:30:02 +00:00
tron
0cc0bec23e Correct typo to fix the build. 2008-07-21 09:43:03 +00:00
tteras
ca3b7c5a9f Separate generic vendor id handling to a new function and use it. 2008-07-21 06:26:06 +00:00
tteras
7a1c3cb1b8 Do not set default gss id if xauth is used, otherwise gss-id attribute
might be sent even if it was not requested.
2008-07-21 06:24:29 +00:00
mgrooms
879eeb1025 Fix an a typo that prevented racoon from building with hybrid enabled. 2008-07-15 02:16:58 +00:00
mgrooms
6353d50296 Update changelog which was missed in my previous commit. 2008-07-15 00:53:36 +00:00
mgrooms
8f0b3482bc Fix a conflict with the FreeBSD 8 system hexdump function. 2008-07-15 00:47:09 +00:00
tteras
56a42db6a6 Handle RESPONDER-LIFETIME notification in quick mode. 2008-07-14 05:45:15 +00:00
tteras
583275a951 Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.
2008-07-14 05:40:13 +00:00
tteras
75bc4bd6cd Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00
tteras
7f51b6fe42 From Chong Peng:
fix a file descriptor and memory leak on configuration file reread
2008-07-09 12:16:50 +00:00
vanhu
d20c6ed916 From Timo Teras: fix some %d to %zu (size_t values) 2008-07-02 14:46:27 +00:00
vanhu
874968c865 fixed some %d to %zu (size_t values) 2008-07-02 14:46:26 +00:00
christos
a494eea816 Add an ifdef to disable the AES_CTR_MT cipher because static binaries don't
work with -pthread, and /rescue is linked against libssh.
2008-06-23 14:51:31 +00:00
christos
80a665de90 Add the HPN patch for ssh:
http://www.psc.edu/networking/projects/hpn-ssh/
2008-06-22 15:42:50 +00:00
wiz
bf3ddb193b Bump date for previous. 2008-06-18 07:40:16 +00:00
mgrooms
93c1205f96 Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras. 2008-06-18 07:12:04 +00:00
mgrooms
c47cb1615c Add an admin port command to retrieve the peer certificate. Submitted by
Timmo Teras.
2008-06-18 07:12:03 +00:00
mgrooms
01e8cc1e5d Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras. 2008-06-18 07:04:23 +00:00
mgrooms
5d397c5ba5 Set sockets to be closed on exec to avoid potential file descriptor
inheritance issues. Submitted by Timmo Teras.
2008-06-18 07:04:22 +00:00
mgrooms
7598372e37 Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras. 2008-06-18 06:47:25 +00:00
mgrooms
2c40396f3a Use utility functions to evaluate or manipulate network port values. No
functional changes. Submitted by Timmo Teras.
2008-06-18 06:47:24 +00:00
mgrooms
7dac642960 Admin port code cleanup. No functional changes. Submitted by Timo Teras. 2008-06-18 06:27:49 +00:00
mgrooms
18fc645e9a Admin port code cleanup. No functional changes. Submitted by Timmo Teras. 2008-06-18 06:27:48 +00:00
mgrooms
9345b05cc4 Correct a phase2 status event. Submitted by Timo Teras. 2008-06-18 06:11:38 +00:00
mgrooms
b163716d45 Correct a phase2 status event. Submitted by Timmo Teras. 2008-06-18 06:11:37 +00:00
tls
f5792c6ee8 Apply patch from Darryl Miles which adjusts SSL_shutdown's behavior for
non-blocking BIOs so that it is sane -- so that, in other words, -1 with
a meaningful library error code (WANT_READ or WANT_WRITE) is returned
when we would block for I/O.  Without this change, you have to sleep or
spin -- you can't know how to put the underlying socket in your select
or poll set.

Patch from http://marc.info/?l=openssl-dev&m=115154030723033&w=2 and
rationale at http://marc.info/?l=openssl-dev&m=115153998821797&w=2 where
sadly they were overlooked by the OpenSSL team for some time.  It is hoped
that now that we've brought this change to their attention they will
integrate it into their sources and we can lose the local change in
NetBSD.
2008-06-10 19:45:00 +00:00
tonnerre
31197b7671 Fix two Denial of Service vulnerabilities in OpenSSL:
- Fix flaw if server key exchange message is omitted from a TLS handshake
   which could lead to a silent crash.
 - Fix double free in TLS server name extensions which could lead to a
   remote crash.

Fixes CVE-2008-1672.
2008-06-05 15:30:10 +00:00
christos
90318d80f4 PR/38728: Tomoyuki Okazaki: Enable Camellia 2008-05-26 16:39:45 +00:00
christos
a41e5a83be Add coverity alloc comment. 2008-05-24 20:07:00 +00:00
christos
cfb67f710f add a coverity alloc comment. 2008-05-24 20:05:52 +00:00
christos
e520f14ae6 Coverity CID 5003: Fix memory leak. 2008-05-24 20:00:07 +00:00
christos
e3ee1b22da Coverity CID 5004: Fix double free. 2008-05-24 19:58:01 +00:00
christos
78dc0fbbfc Add a coverity alloc comment. 2008-05-24 19:54:43 +00:00
christos
13ebcc71fb Add a coverity alloc comment 2008-05-24 19:52:36 +00:00
christos
c2e438738f Coverity CID 5007: Avoid double free. 2008-05-24 19:48:27 +00:00
christos
677bd71b1f Add a coverity allocation comment. 2008-05-24 19:46:32 +00:00
christos
66009f62a3 Coverity CID 5010: Avoid buf[-1] = '\0' on error. 2008-05-24 19:32:28 +00:00
christos
aa3b40a116 Coverity CID 5018: Fix double frees. 2008-05-24 18:39:40 +00:00
christos
b6c10a6fe5 avoid using free_func as an argument because it is already a typedef. 2008-05-10 16:52:05 +00:00
christos
33d34d249c fix version string 2008-05-09 22:10:19 +00:00
christos
2149db96e3 resolve conflicts 2008-05-09 21:49:39 +00:00
christos
b69a53abf2 import today's snapshot! Hi <tls> 2008-05-09 21:34:04 +00:00
manu
2a499f37b6 From Christian Hohnstaedt: allow out of tree building 2008-05-08 12:24:50 +00:00
martin
11a6dbe728 Convert TNF licenses to new 2 clause variant 2008-04-30 13:10:46 +00:00
martin
ce099b4099 Remove clause 3 and 4 from TNF licenses 2008-04-28 20:22:51 +00:00
jmmv
098f566eb9 Do as in revision 1.26 of sshd_config: add a sample, commented-out line
for X.org's xauth.
2008-04-25 15:01:45 +00:00
vanhu
ed9bfcd9c2 From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi(). 2008-04-25 14:41:18 +00:00
vanhu
c6898eabf6 extract ports information from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi() 2008-04-25 14:41:17 +00:00
martin
795befa36d namespace police to make it buildable (no, it still does not work),
add rcsid.
2008-04-20 15:01:14 +00:00
martin
41de77d985 Sync SCM_RIGHTS passing code with the version used in racoon (i.e.
set message header and controll message size to the same value again)
2008-04-19 22:15:30 +00:00
christos
57a7ea54be for symmetry set controllen the same way we set it on the receiving side. 2008-04-13 21:45:19 +00:00
christos
03409c55d7 Don't use variable size allocation on the stack. 2008-04-13 21:44:14 +00:00
adrianp
c09e4a3a8c Fix for CVE-2007-3108
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and
earlier does not properly perform Montgomery multiplication, which might
allow local users to conduct a side-channel attack and retrieve RSA
private keys.
2008-04-10 14:19:59 +00:00
jnemeth
1d2009704e fix another build breaker 2008-04-07 07:37:07 +00:00
christos
1f7a577d0e re-add removed files. 2008-04-06 23:39:05 +00:00
christos
cbdb6c7a40 resolve conflicts. 2008-04-06 23:38:19 +00:00
christos
49d015609b Import 5.0 2008-04-06 21:18:28 +00:00
adrianp
fe2ff28dc6 Add no-user-rc option which disables execution of ~/.ssh/rc
(backport from OpenSSH 4.9)
2008-04-05 17:20:53 +00:00
adrianp
11a00dfcb8 Fix two vulnerabilities in OpenSSH:
- X11 forwarding information disclosure (CVE-2008-1483)
- ForceCommand bypass vulnerability
2008-04-03 13:09:14 +00:00
manu
1c3bd4b930 fix Linux build 2008-04-02 19:02:50 +00:00
christos
5ae92982aa properly fix the variable stack allocation code. 2008-03-28 21:18:45 +00:00
manu
fe6642740b Still from Cyrus Rahman: fix file descriptor leak introduced by previous
commit.
2008-03-28 20:28:14 +00:00
manu
1d223a6207 From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation 2008-03-28 04:18:52 +00:00
manu
182dbe8881 From Cyrus Rahman <crahman@gmail.com>
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
2008-03-28 04:18:51 +00:00
mlelstv
eaec738d10 align cast with heimdal source
http://loka.it.su.se/fisheye/changelog/heimdal/?cs=22773
2008-03-24 20:05:57 +00:00
mlelstv
0b9b01afa9 Heimdal cannot easily detect wether the system uses kerberos or not
on a client. For now, turn on the hack, that causes heimdal to fail
when there is no config file. ok'd by lha.
2008-03-24 13:56:41 +00:00
dogcow
d0bda29ecc fix compilation on alpha. 2008-03-24 08:27:23 +00:00
he
b2156dc123 The sig_atomic_t type isn't necessarily compatible with %d printf format;
cast to int before printing.
2008-03-23 23:09:04 +00:00
mlelstv
7ae544fc2d Remove computed source files that may confuse mkdep. 2008-03-22 19:15:21 +00:00
mlelstv
fcf1d7cd15 Remove computed source files that may confuse mkdep. 2008-03-22 16:17:50 +00:00
mlelstv
e160244ccb match whitespace after RCSID 2008-03-22 13:08:21 +00:00
mlelstv
1ea66c56df NetBSD uses __RCSID 2008-03-22 13:03:05 +00:00
mlelstv
5d9c8e15e0 Import Heimdal-1.1
one more missing file
2008-03-22 10:35:47 +00:00
mlelstv
d5be9e9c1d Import Heimdal-1.1
more files
2008-03-22 09:39:22 +00:00
mlelstv
2370a334ab Import Heimdal-1.1
more missing files
2008-03-22 09:29:55 +00:00
mlelstv
b0f88a0388 Import Heimdal-1.1 2008-03-22 08:36:48 +00:00
vanhu
b5ae261d16 Generates a log if cert validation has been disabled by configuration 2008-03-06 17:00:03 +00:00
manu
b6b6316484 From Cyrus Rahman <crahman@gmail.com>
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
2008-03-06 04:29:20 +00:00
mgrooms
1e1f81eb1d Add the ability to initiate IPsec SA negotiations using the admin socket.
Submitted by Timo Teras.
2008-03-06 00:46:04 +00:00
mgrooms
3fd729ad89 Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras. 2008-03-06 00:34:11 +00:00
mgrooms
089a95fdcd Refactor admin socket event protocol to be less error prone. Backwards
compatibility is provided. Submitted by Timmo Teras.
2008-03-06 00:34:10 +00:00
mgrooms
5e5c5d5011 Properly initialize the unity network struct to prevent erroneous protocol
and port info from being transmitted.
2008-03-05 22:27:50 +00:00
mgrooms
f771df75b3 Reload SPD on SIGHUP or adminport reload. Also provide better handling for
pfkey socket read errors. Submitted by Timo Teras.
2008-03-05 22:09:44 +00:00
manu
5ae99b01fd Missing entries for last changes 2008-02-25 20:14:05 +00:00
manu
6ee9ace370 From Brian Haley <brian.haley@hp.com>
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not.  I'm not sure this patch is correct, but
what's there isn't either.
2008-02-25 20:06:55 +00:00
manu
ebc590d76a Fix address length, from Brian Haley 2008-02-22 18:50:03 +00:00
matt
2bbccfb905 yyparse returns int, not void. 2008-02-16 18:29:39 +00:00
spz
a91c432416 closes PR bin/37644
did not meet violent opposition ( :) ) on ipsec-tools-devel
2008-02-10 12:11:08 +00:00
christos
8a85bb4332 remove Protocol=2 line; from Jukka Salmi 2008-01-28 13:57:02 +00:00
tls
4781622c25 CRIOGET is gone. Saves one ioctl per session. 2008-01-26 20:46:21 +00:00
tls
9675caff5e Some minor opencrypto fixes, one with a major performance impact for
OpenSSL:

1) Fix extremely misleading text in crypto.4 manual page so it does not
   appear to claim that a new cloned file descriptor is required for every
   session.

2) Fix severe performance problem (and fd leak!) in openssl cryptodev
   engine resulting from misunderstanding probably caused by said manual
   page text.

3) Check for session-ID wraparound in kernel cryptodev provider.  Also,
   start allocating sessions at 1, not 0 -- this will be necessary when
   we add ioctls for the creation of multiple sessions at once, so we
   can tell which if any creations failed.
2008-01-25 07:09:56 +00:00
vanhu
4aacbd15e1 From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory. 2008-01-11 14:27:34 +00:00
vanhu
ca6b517233 reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory 2008-01-11 14:27:33 +00:00
vanhu
e0b7c2f9ec reported somes fixes from Krzysztof Oledzki 2008-01-11 14:09:50 +00:00
vanhu
90cd29a77c From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc. 2008-01-11 14:09:05 +00:00
vanhu
5e3ace1c19 From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg). 2008-01-11 14:08:29 +00:00
vanhu
e8714f7763 From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg). 2008-01-11 14:07:39 +00:00
vanhu
223c4f34ce added an 'established' arg to getph1byaddr() 2008-01-11 14:06:56 +00:00
mgrooms
c825a8ee5f Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras. 2007-12-31 01:42:07 +00:00
mgrooms
e2eda5513a Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras. 2007-12-31 01:42:06 +00:00
jnemeth
c9b9889ada add back #include <sys/socket.h> from Scott Ellis on current-users@ 2007-12-21 20:42:03 +00:00
tnn
e9e5abe68c fix typo in comment 2007-12-21 01:03:58 +00:00
martin
53a105b083 Disable the umac-64 MAC for now, it needs to be rewritten from scractch.
Addresses PR bin/37562.
2007-12-20 14:14:04 +00:00
dogcow
d642d06d3d fixes for alpha: %ld -> %zd, signals are long. 2007-12-18 09:00:30 +00:00
dogcow
ceafeaa9bc Eliminate "endian_convert defined but not used" on big-endian platforms;
instead of using the "generic" functions for byteswapping in this file,
use le32toh() and friends.
2007-12-18 08:32:21 +00:00
dogcow
4750a01617 on NetBSD, use %zu for sizeof() 2007-12-18 07:22:32 +00:00
christos
512c2e7e60 merge conflicts 2007-12-18 02:35:25 +00:00
christos
848569aa46 from ftp.openbsd.org 2007-12-17 20:15:38 +00:00
mgrooms
3a210f56fc Add corrections submitted in a follow up patch for the nat-t oa support. 2007-12-12 05:08:28 +00:00
mgrooms
892304dffa Add support for nat-t oa payload handling. Submitted by Timo Teras. 2007-12-12 04:45:59 +00:00
jnemeth
85c7ab0640 add a sample XAuthLocation for x.org users as discussed on pkgsrc-users@ 2007-12-08 19:03:28 +00:00
mgrooms
4454243c5b Add changelog entries missed in the last commit. 2007-12-04 19:54:24 +00:00
mgrooms
2ada148e80 Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras. 2007-12-04 19:52:30 +00:00
wiz
e5326240e8 Fix typos. New sentence, new line. 2007-12-01 19:24:47 +00:00
vanhu
3139da7ed3 From Natanael Copa: fixed a race condition when building yacc stuff. 2007-11-29 16:22:08 +00:00
vanhu
45ebb13627 fixed a race condition when building yacc stuff 2007-11-29 16:22:07 +00:00
vanhu
e76e80b28b From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r() 2007-11-09 16:28:14 +00:00
vanhu
faf3c4a53b From Arnaud Ebalard: Some sanity checking in pk_recv() 2007-11-09 16:27:58 +00:00
vanhu
70597b6cab From Arnaud Ebalard: Better matching of SPD entries in getsp_r(). 2007-11-09 16:27:47 +00:00
vanhu
cd8d63d79e From Arnaud Ebalard: Added some debug in get_proposal_r(). 2007-11-09 16:27:42 +00:00
adrianp
c9951c135d Fix for CVE-2007-4995 from OpenSSL CVS 2007-10-21 20:34:14 +00:00
manu
57c0ea0775 Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts 2007-10-19 03:37:18 +00:00
vanhu
702eac21e5 Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD 2007-10-15 16:05:01 +00:00