christos
f10f86e23c
avoid unused variable warning.
2011-01-09 23:17:36 +00:00
stacktic
5df88f3e65
Fixed strvisx usage
2011-01-03 18:55:41 +00:00
agc
70fd33655d
avoid a double free - from Anthony Bentley.
2011-01-03 05:34:53 +00:00
agc
61b29b3185
Fix a double free[*], pointed out by Anthony Bentley.
...
[*] This was actually a triple free. We go all the way to 11.
2011-01-02 18:13:10 +00:00
agc
03e4221328
clean up lint (on amd64)
2011-01-01 23:00:24 +00:00
agc
8f197579aa
get rid of some lint on amd64 platform
2011-01-01 22:29:00 +00:00
agc
f14b9450fa
Fix a problem with overrunning a base64 decoded number when decoding ssh
...
keys, from Anthony Bentley.
% netpgpkeys --ssh -l --hash=md5
1 key found
signature 1024/RSA (Encrypt or Sign) 666f47feddcdb77d 2002-07-02
Key fingerprint: e1d6 b328 8126 e8e3 666f 47fe ddcd b77d
uid machinename.com (/home/user/.ssh/id_rsa.pub) <user@machinename.com>
% ssh-keygen -l -f ~/.ssh/id_rsa.pub
1024 e1:d6:b3:28:81:26:e8:e3:66:6f:47:fe:dd💿 b7:7d /home/user/.ssh/id_rsa.pub (RSA)
%
ssh keys and netpgp work as above.
2011-01-01 19:53:53 +00:00
tteras
785cabdaf2
From Roman Hoog Antink <rha@open.ch>: Fix config reload to not delete
...
too many phase 2 handles, because wrong chain field is used when
enumerating the handles.
2010-12-28 06:00:18 +00:00
christos
3a75b4abed
obvious pasto from Anon Ymous
2010-12-18 18:22:24 +00:00
gdt
f1cf9a1e3b
When encountering a certificate where "ID mismatched with ASN1
...
SubjectName", and verify_identifier is off, don't raise an error.
This makes the behavior match the man page.
Patch sent for review long ago:
http://mail-index.netbsd.org/tech-security/2006/03/24/0000.html
with no negative feedback received to date.
2010-12-16 16:59:05 +00:00
tteras
566286569e
From Roman Hoog Antink <rha@open.ch>: Fix possible null derefence.
2010-12-14 17:57:31 +00:00
tteras
0303048b1e
Use separate SA addresses for phase2's created by admin command. The
...
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.
2010-12-08 07:38:35 +00:00
joerg
0d0af5032c
ANSIfy
2010-12-08 01:55:12 +00:00
joerg
6536213d9e
Don't format an error and pass it down as format string again.
2010-12-08 01:45:57 +00:00
joerg
5aa0f88941
Inline string that should have been const char [] in first place.
2010-12-07 22:50:37 +00:00
joerg
75ccf94c1f
Remove useless conditional.
2010-12-07 22:08:27 +00:00
tteras
1246e1db41
Fix spacing and improve wording in some log messages.
2010-12-07 14:28:12 +00:00
drochner
ee60145ccf
fix bug introduced by last security patch, from upstream CVS:
...
Don't assume a decode error if session tlsext_ecpointformatlist is
not NULL: it can be legitimately set elsewhere.
2010-12-07 10:03:29 +00:00
drochner
ad512a613f
openssl security patch of the day:
...
Fix a flaw in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicous clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections. See
http://www.openssl.org/news/secadv_20101202.txt
(CVE-2010-4180)
2010-12-07 09:10:21 +00:00
plunky
f33b316b63
Remove the do-external-lib and do-gnu-lib targets, along with
...
external/lib/Makefile and crypto/external/lib/Makefile, replacing
them all with SUBDIRs directly from lib/Makefile.
compat/compatsubdirs.mk becomes simpler now, as everything is built
from lib/Makefile, meaning all the libraries will now be built under
compat so update the set lists to account for that.
2010-12-03 21:38:46 +00:00
tteras
b3dca9dae4
Recognize direction for Linux per-socket policies.
2010-12-03 15:01:11 +00:00
tteras
7d13a088be
Support GRE key as upper layer protocol specifier (will be supported in
...
Linux kernel 2.6.38).
2010-12-03 14:32:52 +00:00
tteras
3a9671366f
Netlink deletion notification does not guarentee actual address deletion:
...
it might still exist on some other interface. Make sure we do not unbind
unless the address is really gone.
2010-12-03 09:46:24 +00:00
he
1498aa522e
Make this build for platforms which don't define HAVE_DLOPEN, notably
...
our sun2 port. Eliminates "defined but not used" warnings turned into
errors by our setup.
2010-12-02 10:23:51 +00:00
he
c9162fb054
Don't rely on the shared library dependencies to pull in the ssl and lber
...
libraries, for the benefit of static linking and our sun2 port.
2010-12-02 10:21:28 +00:00
agc
e914232be0
avoid nameclash - call the generated user id variable "generated userid"
...
also keep the time of structure initialisation as an internal variable.
2010-12-01 22:14:52 +00:00
agc
735f63ec03
When generating a key, set the new key's userid (last 16 bytes of
...
fingerprint) as an internal netpgp variable.
This can then be queried using netpgp_getvar(netpgp, "userid") to find the
new key's id.
2010-12-01 22:01:41 +00:00
agc
2f97867c2d
fastctype.[ch] source files are gone - use native <ctype.h>
2010-11-29 06:22:20 +00:00
agc
fdfbba4976
I forgot that the fastctype.[ch] files were still in this directory, and
...
have no need to be here - remove them, and just use native <ctype.h>
2010-11-29 06:21:40 +00:00
agc
ea16259905
Fix PR 44075 from Peter Pentchev, but do this by adding a
...
--numtries=<attempts> option to netpgp(1) to provide the maximum
number of attempts to retrieve the correct passphrase when signing or
decrypting, and use it in libnetpgp(3). The default number of
attempts is 3, and a value of "unlimited" will loop until the correct
passphrase has been entered.
2010-11-29 04:20:12 +00:00
agc
231558cb25
Initial import of Mateusz Kociels SASL client library Summer of Code
...
project into the repository. The project was mentored by Christos
Zoulas, and written up here:
http://netbsd-soc.sourceforge.net/projects/sasl_client_lib/
As discussed with Christos Zoulas.
2010-11-27 21:23:57 +00:00
adam
1d1ee67612
Removed roaming_common.c from COPTS sections
2010-11-23 07:12:01 +00:00
christos
e0b2bf0fed
- Remove ifdefs for roaming support, and enable by default
...
- Put roaming_dummy.c in libssh.a to satisfy linking needs for most programs
other than ssh and sshd. ssh and sshd override the shared library (and static
library) functions by linking in their own copy of the roaming functions.
- Bump libssh major.
- Fix compilation issue in evp hash buffer.
2010-11-22 22:19:53 +00:00
christos
cfdd905320
add a missing GLOB_LIMIT to the new glob for completion.
2010-11-22 13:45:26 +00:00
adam
b1f1f2bb9c
Fix compiler warnings
2010-11-22 09:53:01 +00:00
adam
5db11ae917
Updated custom makefiles for OpenSSH 5.6
2010-11-21 19:19:21 +00:00
adam
e2e742d499
We don't need dist/ssh-pkcs11-helper/Makefile
2010-11-21 19:11:09 +00:00
adam
aef795aa71
Merge in our changes:
...
- Updated OpenSSH-HPN to hpn13v10
- Added OpenSSH-LPK patches to retrive pubkey from LDAP
- Replaced arc4random_buf() (which is not available on NetBSD) with arc4random
- Disabled roaming reconnect (otherwise: problem with undef symbols in libssh)
2010-11-21 18:59:04 +00:00
adam
34b27b53f1
Resolve conflicts
2010-11-21 18:29:48 +00:00
adam
264ec8a849
Imported openssh-5.6
2010-11-21 17:05:52 +00:00
drochner
fe04c71aa0
apply patch from http://www.openssl.org/news/secadv_20101116.txt
...
to fix a race condition which can be exploited in a buffer
overrun attack (CVE-2010-3864)
2010-11-17 12:09:34 +00:00
tteras
6a6cffd67e
Fix my previous patch to not call purge_remote() twice. Change the place
...
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).
2010-11-17 10:40:41 +00:00
wiz
9d2172fc04
Remove trailing whitespace.
2010-11-15 21:29:21 +00:00
agc
6b3f11714a
There were still some throwbacks with the prefix '_ops' - rectify that to
...
be the standard "pgp_" - no functional change.
2010-11-15 08:56:30 +00:00
agc
e2c60ad188
Don't prefix function names with "pgp_" if the functions are static.
2010-11-15 08:50:32 +00:00
agc
451e742596
Use a regular expression to match the various ASCII-armoured headers we
...
may encounter - fixes PR 44074 from Peter Pentchev in a different way.
2010-11-15 08:27:40 +00:00
agc
05e6b0bbe6
Changes to help with netpgp key generation and interoperability:
...
+ use plain SHA1 for session key s2k negotiation
+ don't warn on some conditions when inflating (reading a compressed file)
since the conditions don't hold for partial block lengths
+ prompt for a passphrase when generating a new key - used in the upcoming
secret-sharing functionality for netpgp
2010-11-15 08:03:39 +00:00
tteras
939a5bdbb6
isakmp_post_acquire is now called from admin commands too, add a flag so
...
admin commands can be used to establish even passive links on demand.
2010-11-12 10:36:37 +00:00
tteras
fafea48525
Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted
...
by remote request and the phase1 rekeying is enabled (this will also
trigger the new phase1_dead script hook).
2010-11-12 09:11:37 +00:00
tteras
3d7d638a63
Improve DPD sequence checks to allow any reply within valid sequence window
...
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.
2010-11-12 09:09:47 +00:00