Commit Graph

2013 Commits

Author SHA1 Message Date
christos f10f86e23c avoid unused variable warning. 2011-01-09 23:17:36 +00:00
stacktic 5df88f3e65 Fixed strvisx usage 2011-01-03 18:55:41 +00:00
agc 70fd33655d avoid a double free - from Anthony Bentley. 2011-01-03 05:34:53 +00:00
agc 61b29b3185 Fix a double free[*], pointed out by Anthony Bentley.
[*] This was actually a triple free. We go all the way to 11.
2011-01-02 18:13:10 +00:00
agc 03e4221328 clean up lint (on amd64) 2011-01-01 23:00:24 +00:00
agc 8f197579aa get rid of some lint on amd64 platform 2011-01-01 22:29:00 +00:00
agc f14b9450fa Fix a problem with overrunning a base64 decoded number when decoding ssh
keys, from Anthony Bentley.

	% netpgpkeys --ssh -l --hash=md5
	1 key found
	signature  1024/RSA (Encrypt or Sign) 666f47feddcdb77d 2002-07-02
	Key fingerprint: e1d6 b328 8126 e8e3 666f 47fe ddcd b77d
	uid              machinename.com (/home/user/.ssh/id_rsa.pub) <user@machinename.com>

	% ssh-keygen -l -f ~/.ssh/id_rsa.pub
	1024 e1:d6:b3:28:81:26:e8:e3:66:6f:47:fe:dd💿b7:7d /home/user/.ssh/id_rsa.pub (RSA)
	%

ssh keys and netpgp work as above.
2011-01-01 19:53:53 +00:00
tteras 785cabdaf2 From Roman Hoog Antink <rha@open.ch>: Fix config reload to not delete
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.
2010-12-28 06:00:18 +00:00
christos 3a75b4abed obvious pasto from Anon Ymous 2010-12-18 18:22:24 +00:00
gdt f1cf9a1e3b When encountering a certificate where "ID mismatched with ASN1
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.

Patch sent for review long ago:
  http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
2010-12-16 16:59:05 +00:00
tteras 566286569e From Roman Hoog Antink <rha@open.ch>: Fix possible null derefence. 2010-12-14 17:57:31 +00:00
tteras 0303048b1e Use separate SA addresses for phase2's created by admin command. The
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.
2010-12-08 07:38:35 +00:00
joerg 0d0af5032c ANSIfy 2010-12-08 01:55:12 +00:00
joerg 6536213d9e Don't format an error and pass it down as format string again. 2010-12-08 01:45:57 +00:00
joerg 5aa0f88941 Inline string that should have been const char [] in first place. 2010-12-07 22:50:37 +00:00
joerg 75ccf94c1f Remove useless conditional. 2010-12-07 22:08:27 +00:00
tteras 1246e1db41 Fix spacing and improve wording in some log messages. 2010-12-07 14:28:12 +00:00
drochner ee60145ccf fix bug introduced by last security patch, from upstream CVS:
Don't assume a decode error if session tlsext_ecpointformatlist is
not NULL: it can be legitimately set elsewhere.
2010-12-07 10:03:29 +00:00
drochner ad512a613f openssl security patch of the day:
Fix a flaw in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicous clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections. See
http://www.openssl.org/news/secadv_20101202.txt
(CVE-2010-4180)
2010-12-07 09:10:21 +00:00
plunky f33b316b63 Remove the do-external-lib and do-gnu-lib targets, along with
external/lib/Makefile and crypto/external/lib/Makefile, replacing
them all with SUBDIRs directly from lib/Makefile.

compat/compatsubdirs.mk becomes simpler now, as everything is built
from lib/Makefile, meaning all the libraries will now be built under
compat so update the set lists to account for that.
2010-12-03 21:38:46 +00:00
tteras b3dca9dae4 Recognize direction for Linux per-socket policies. 2010-12-03 15:01:11 +00:00
tteras 7d13a088be Support GRE key as upper layer protocol specifier (will be supported in
Linux kernel 2.6.38).
2010-12-03 14:32:52 +00:00
tteras 3a9671366f Netlink deletion notification does not guarentee actual address deletion:
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
2010-12-03 09:46:24 +00:00
he 1498aa522e Make this build for platforms which don't define HAVE_DLOPEN, notably
our sun2 port.  Eliminates "defined but not used" warnings turned into
errors by our setup.
2010-12-02 10:23:51 +00:00
he c9162fb054 Don't rely on the shared library dependencies to pull in the ssl and lber
libraries, for the benefit of static linking and our sun2 port.
2010-12-02 10:21:28 +00:00
agc e914232be0 avoid nameclash - call the generated user id variable "generated userid"
also keep the time of structure initialisation as an internal variable.
2010-12-01 22:14:52 +00:00
agc 735f63ec03 When generating a key, set the new key's userid (last 16 bytes of
fingerprint) as an internal netpgp variable.

This can then be queried using netpgp_getvar(netpgp, "userid") to find the
new key's id.
2010-12-01 22:01:41 +00:00
agc 2f97867c2d fastctype.[ch] source files are gone - use native <ctype.h> 2010-11-29 06:22:20 +00:00
agc fdfbba4976 I forgot that the fastctype.[ch] files were still in this directory, and
have no need to be here - remove them, and just use native <ctype.h>
2010-11-29 06:21:40 +00:00
agc ea16259905 Fix PR 44075 from Peter Pentchev, but do this by adding a
--numtries=<attempts> option to netpgp(1) to provide the maximum
number of attempts to retrieve the correct passphrase when signing or
decrypting, and use it in libnetpgp(3).  The default number of
attempts is 3, and a value of "unlimited" will loop until the correct
passphrase has been entered.
2010-11-29 04:20:12 +00:00
agc 231558cb25 Initial import of Mateusz Kociels SASL client library Summer of Code
project into the repository. The project was mentored by Christos
Zoulas, and written up here:

	http://netbsd-soc.sourceforge.net/projects/sasl_client_lib/

As discussed with Christos Zoulas.
2010-11-27 21:23:57 +00:00
adam 1d1ee67612 Removed roaming_common.c from COPTS sections 2010-11-23 07:12:01 +00:00
christos e0b2bf0fed - Remove ifdefs for roaming support, and enable by default
- Put roaming_dummy.c in libssh.a to satisfy linking needs for most programs
  other than ssh and sshd. ssh and sshd override the shared library (and static
  library) functions by linking in their own copy of the roaming functions.
- Bump libssh major.
- Fix compilation issue in evp hash buffer.
2010-11-22 22:19:53 +00:00
christos cfdd905320 add a missing GLOB_LIMIT to the new glob for completion. 2010-11-22 13:45:26 +00:00
adam b1f1f2bb9c Fix compiler warnings 2010-11-22 09:53:01 +00:00
adam 5db11ae917 Updated custom makefiles for OpenSSH 5.6 2010-11-21 19:19:21 +00:00
adam e2e742d499 We don't need dist/ssh-pkcs11-helper/Makefile 2010-11-21 19:11:09 +00:00
adam aef795aa71 Merge in our changes:
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrive pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
2010-11-21 18:59:04 +00:00
adam 34b27b53f1 Resolve conflicts 2010-11-21 18:29:48 +00:00
adam 264ec8a849 Imported openssh-5.6 2010-11-21 17:05:52 +00:00
drochner fe04c71aa0 apply patch from http://www.openssl.org/news/secadv_20101116.txt
to fix a race condition which can be exploited in a buffer
overrun attack (CVE-2010-3864)
2010-11-17 12:09:34 +00:00
tteras 6a6cffd67e Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
2010-11-17 10:40:41 +00:00
wiz 9d2172fc04 Remove trailing whitespace. 2010-11-15 21:29:21 +00:00
agc 6b3f11714a There were still some throwbacks with the prefix '_ops' - rectify that to
be the standard "pgp_" - no functional change.
2010-11-15 08:56:30 +00:00
agc e2c60ad188 Don't prefix function names with "pgp_" if the functions are static. 2010-11-15 08:50:32 +00:00
agc 451e742596 Use a regular expression to match the various ASCII-armoured headers we
may encounter - fixes PR 44074 from Peter Pentchev in a different way.
2010-11-15 08:27:40 +00:00
agc 05e6b0bbe6 Changes to help with netpgp key generation and interoperability:
+ use plain SHA1 for session key s2k negotiation
+ don't warn on some conditions when inflating (reading a compressed file)
  since the conditions don't hold for partial block lengths
+ prompt for a passphrase when generating a new key - used in the upcoming
  secret-sharing functionality for netpgp
2010-11-15 08:03:39 +00:00
tteras 939a5bdbb6 isakmp_post_acquire is now called from admin commands too, add a flag so
admin commands can be used to establish even passive links on demand.
2010-11-12 10:36:37 +00:00
tteras fafea48525 Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
2010-11-12 09:11:37 +00:00
tteras 3d7d638a63 Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
2010-11-12 09:09:47 +00:00