jym
c8b47a469d
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.
Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).
This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.
No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.
Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.
Notified on netbsd-users@, no objection after a week -- committed.
2013-10-06 17:25:34 +00:00
christos
5ede7f76d1
add libcrypto; needed by new binutils
2013-09-29 13:34:37 +00:00
joerg
975a152cfc
If a library needs a symbol from another library, pull that library in
explicitly, even if the DT_NEEDED closure would normally already ensure
the presence.
2013-09-11 23:04:09 +00:00
joerg
a7c89b6e01
Add dependency on libz and libbz2.
2013-09-11 09:57:09 +00:00
riastradh
1239c2bb08
Publish explicit_memset and consttime_memequal in userland libc.
Remove the double-underscore from the userland versions, and do the
weak alias dance instead, now that these are public parts of libc.
As discussed on tech-userlevel:
https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
(option 3)
2013-08-28 17:47:07 +00:00
riastradh
cc79193075
Fix sense of consttime_memequal and update all callers.
Now it returns true (nonzero) to mean equal and false (zero) to mean
inequal, as the name suggests.
As promised on tech-userlevel back in June:
https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
2013-08-28 15:24:41 +00:00
joerg
44ed6e91de
Prefer "." for the current address and not the PPC specific "$".
2013-08-04 17:15:21 +00:00
tls
14b0477b50
Re-check the entropy level after we call RAND_poll(), so that we do
not continuously suck data out of /dev/urandom if we receive a stream
of requests larger than the initial-entropy threshold (hi Roland!).
2013-07-28 14:13:29 +00:00
wiz
a5684d07dd
Use Mt for email addresses.
2013-07-20 21:39:55 +00:00
joerg
9e69720425
Fix violations of the sequence point rule.
2013-06-28 15:04:35 +00:00
riastradh
82db4b9858
Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.
Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
elric
3966285084
AUTHCID is optional for the GSSAPI mechanism.
2013-05-16 13:02:12 +00:00
elric
cdfc977bf0
principals have principles.
2013-05-14 15:33:21 +00:00
mlelstv
34b99be967
The previous patch didn't apply cleanly, because our code doesn't
use #ifdef OPENSSL_HAS_ECC.
Apply manually.
Drop now unused len variable.
2013-05-14 05:18:11 +00:00
christos
c8fbe6c64a
use explicit_bzero instead of memset to zero memory
2013-05-10 16:39:25 +00:00
christos
6fd620669a
remove error(1) output.
2013-05-10 16:38:47 +00:00
mlelstv
e976afb5c5
Identityfile warnings fixes.
https://bugzilla.mindrot.org/show_bug.cgi?id=2084
2013-04-29 17:59:50 +00:00
christos
90a83642c1
restore logging behavior: don't treat user disconnect messages as errors,
just log them.
2013-04-25 20:10:28 +00:00
joerg
8d7f62402c
Use __dead.
2013-04-12 18:09:30 +00:00
joerg
e29eeb0057
Add __printflike.
2013-04-12 18:09:19 +00:00
joerg
f1ca729c04
Don't force pthread linkage.
2013-04-12 18:08:10 +00:00
christos
ce11a51f1d
welcome to openssh-6.2
2013-03-29 16:19:44 +00:00
christos
d2a9b9efd7
from openbsd
2013-03-29 14:52:38 +00:00
agc
ca99397396
fix some lint on i386, noticed by Greg Troxel, thanks!
2013-03-19 01:00:16 +00:00
riastradh
6641d1f9ad
Touch e_aes.c to force a rebuild with new compiler flags for AES-NI.
2013-02-18 21:20:50 +00:00
riastradh
249c85457d
Fix build goo for OpenSSL AES-NI support.
OpenSSL now supports AES-NI in evp, not in an engine. We can now get
rid of the no longer maintained aesni engine, which was broken last
summer. Not only can OpenSSL now use AES-NI for everything it did
before we broke it last summer, but it can also use AES-NI for more
encryption modes than before, such as CTR.
Tested on amd64, both vanilla and in an i386 chroot.
ok christos
2013-02-18 21:15:25 +00:00
christos
82e8c5f133
need bsd.own.mk
2013-02-12 20:55:37 +00:00
christos
b261027db1
mv the MKCRYPTO protection higher; ideally should be at the top for this
2013-02-12 20:31:13 +00:00
christos
a7c38cbf62
merge in 1.0.1e
2013-02-12 19:52:11 +00:00
christos
5f71164a5e
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]
2013-02-12 19:10:49 +00:00
christos
fdbbeac71e
remove obsolete file
2013-02-08 22:37:14 +00:00
christos
6b8892b719
fix generation
2013-02-08 15:22:03 +00:00
matt
e67266a84f
Change bclr 14,2 to beqlr
2013-02-08 03:05:43 +00:00
christos
1e387e93ca
descend!
2013-02-08 01:54:20 +00:00
christos
a6b0cd16cd
commit the new man page.
2013-02-07 17:30:08 +00:00
christos
0e9a2dbd88
one more page
2013-02-07 16:48:28 +00:00
christos
f496c772c6
reorg and add missing file.
2013-02-06 17:03:51 +00:00
christos
ffecf7319c
bump and add extra file
2013-02-05 23:38:46 +00:00
christos
523f268b9f
merge changes
2013-02-05 21:31:23 +00:00
christos
85e90c0ff3
regen
2013-02-05 19:21:27 +00:00
christos
44ce355adb
regen!
2013-02-05 19:18:41 +00:00
christos
340218d9b9
import 1.0.1d for http://www.openssl.org/news/secadv_20130204.txt
2013-02-05 19:04:09 +00:00
manu
00e5ebee00
Pull multiple free bug fix from upstream:
http://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=d21bf10dea6588b632a65b4fe594e04f288aad83;hp=d47c01a31a67ff4370b1883a58cabd0279752bb4
Multiple copies of the ENGINE will cause problems when it is cleaned up as
the methods are stored in static structures which will be overwritten and
freed up more than once.
Set static methods to NULL when the ENGINE is freed so it can be reloaded.
2013-02-04 01:44:47 +00:00
christos
469af362c9
use the version in the source tree, instead of the build host
2013-02-01 21:02:48 +00:00
christos
387f092185
print only the version as the full version confuses pkgconfig.
2013-01-22 13:51:45 +00:00
apb
5950e8a8de
FILESBUILD_<filename>=yes can replace both
CLEANFILES+=<filename> and realall: <filename>
2013-01-19 21:57:55 +00:00
christos
4aa8d00fa6
add a dependency to realall from Takeshi Nakayama
2013-01-19 21:05:46 +00:00
christos
98c3902e37
Add pkgconfig gluons
2013-01-18 18:09:55 +00:00
christos
9109786ace
#!/bin/sh
2013-01-18 17:56:11 +00:00
martin
1c77afcb0e
Compile bignum.c with -O1 only on ia64 to avoid a gcc bug
2012-12-27 14:16:16 +00:00