1d223a6207
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation
2008-03-28 04:18:52 +00:00
182dbe8881
From Cyrus Rahman <crahman@gmail.com>
...
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
2008-03-28 04:18:51 +00:00
eaec738d10
align cast with heimdal source
...
http://loka.it.su.se/fisheye/changelog/heimdal/?cs=22773
2008-03-24 20:05:57 +00:00
0b9b01afa9
Heimdal cannot easily detect wether the system uses kerberos or not
...
on a client. For now, turn on the hack, that causes heimdal to fail
when there is no config file. ok'd by lha.
2008-03-24 13:56:41 +00:00
d0bda29ecc
fix compilation on alpha.
2008-03-24 08:27:23 +00:00
b2156dc123
The sig_atomic_t type isn't necessarily compatible with %d printf format;
...
cast to int before printing.
2008-03-23 23:09:04 +00:00
7ae544fc2d
Remove computed source files that may confuse mkdep.
2008-03-22 19:15:21 +00:00
fcf1d7cd15
Remove computed source files that may confuse mkdep.
2008-03-22 16:17:50 +00:00
e160244ccb
match whitespace after RCSID
2008-03-22 13:08:21 +00:00
1ea66c56df
NetBSD uses __RCSID
2008-03-22 13:03:05 +00:00
5d9c8e15e0
Import Heimdal-1.1
...
one more missing file
2008-03-22 10:35:47 +00:00
d5be9e9c1d
Import Heimdal-1.1
...
more files
2008-03-22 09:39:22 +00:00
2370a334ab
Import Heimdal-1.1
...
more missing files
2008-03-22 09:29:55 +00:00
b0f88a0388
Import Heimdal-1.1
2008-03-22 08:36:48 +00:00
b5ae261d16
Generates a log if cert validation has been disabled by configuration
2008-03-06 17:00:03 +00:00
b6b6316484
From Cyrus Rahman <crahman@gmail.com>
...
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
2008-03-06 04:29:20 +00:00
1e1f81eb1d
Add the ability to initiate IPsec SA negotiations using the admin socket.
...
Submitted by Timo Teras.
2008-03-06 00:46:04 +00:00
3fd729ad89
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
2008-03-06 00:34:11 +00:00
089a95fdcd
Refactor admin socket event protocol to be less error prone. Backwards
...
compatibility is provided. Submitted by Timmo Teras.
2008-03-06 00:34:10 +00:00
5e5c5d5011
Properly initialize the unity network struct to prevent erroneous protocol
...
and port info from being transmitted.
2008-03-05 22:27:50 +00:00
f771df75b3
Reload SPD on SIGHUP or adminport reload. Also provide better handling for
...
pfkey socket read errors. Submitted by Timo Teras.
2008-03-05 22:09:44 +00:00
5ae99b01fd
Missing entries for last changes
2008-02-25 20:14:05 +00:00
6ee9ace370
From Brian Haley <brian.haley@hp.com>
...
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not. I'm not sure this patch is correct, but
what's there isn't either.
2008-02-25 20:06:55 +00:00
ebc590d76a
Fix address length, from Brian Haley
2008-02-22 18:50:03 +00:00
2bbccfb905
yyparse returns int, not void.
2008-02-16 18:29:39 +00:00
a91c432416
closes PR bin/37644
...
did not meet violent opposition ( :) ) on ipsec-tools-devel
2008-02-10 12:11:08 +00:00
8a85bb4332
remove Protocol=2 line; from Jukka Salmi
2008-01-28 13:57:02 +00:00
4781622c25
CRIOGET is gone. Saves one ioctl per session.
2008-01-26 20:46:21 +00:00
9675caff5e
Some minor opencrypto fixes, one with a major performance impact for
...
OpenSSL:
1) Fix extremely misleading text in crypto.4 manual page so it does not
appear to claim that a new cloned file descriptor is required for every
session.
2) Fix severe performance problem (and fd leak!) in openssl cryptodev
engine resulting from misunderstanding probably caused by said manual
page text.
3) Check for session-ID wraparound in kernel cryptodev provider. Also,
start allocating sessions at 1, not 0 -- this will be necessary when
we add ioctls for the creation of multiple sessions at once, so we
can tell which if any creations failed.
2008-01-25 07:09:56 +00:00
4aacbd15e1
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.
2008-01-11 14:27:34 +00:00
ca6b517233
reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory
2008-01-11 14:27:33 +00:00
e0b7c2f9ec
reported somes fixes from Krzysztof Oledzki
2008-01-11 14:09:50 +00:00
90cd29a77c
From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc.
2008-01-11 14:09:05 +00:00
5e3ace1c19
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
2008-01-11 14:08:29 +00:00
e8714f7763
From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg).
2008-01-11 14:07:39 +00:00
223c4f34ce
added an 'established' arg to getph1byaddr()
2008-01-11 14:06:56 +00:00
c825a8ee5f
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:07 +00:00
e2eda5513a
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras.
2007-12-31 01:42:06 +00:00
c9b9889ada
add back #include <sys/socket.h> from Scott Ellis on current-users@
2007-12-21 20:42:03 +00:00
e9e5abe68c
fix typo in comment
2007-12-21 01:03:58 +00:00
53a105b083
Disable the umac-64 MAC for now, it needs to be rewritten from scractch.
...
Addresses PR bin/37562.
2007-12-20 14:14:04 +00:00
d642d06d3d
fixes for alpha: %ld -> %zd, signals are long.
2007-12-18 09:00:30 +00:00
ceafeaa9bc
Eliminate "endian_convert defined but not used" on big-endian platforms;
...
instead of using the "generic" functions for byteswapping in this file,
use le32toh() and friends.
2007-12-18 08:32:21 +00:00
4750a01617
on NetBSD, use %zu for sizeof()
2007-12-18 07:22:32 +00:00
512c2e7e60
merge conflicts
2007-12-18 02:35:25 +00:00
848569aa46
from ftp.openbsd.org
2007-12-17 20:15:38 +00:00
3a210f56fc
Add corrections submitted in a follow up patch for the nat-t oa support.
2007-12-12 05:08:28 +00:00
892304dffa
Add support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-12 04:45:59 +00:00
85c7ab0640
add a sample XAuthLocation for x.org users as discussed on pkgsrc-users@
2007-12-08 19:03:28 +00:00
4454243c5b
Add changelog entries missed in the last commit.
2007-12-04 19:54:24 +00:00
2ada148e80
Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras.
2007-12-04 19:52:30 +00:00
e5326240e8
Fix typos. New sentence, new line.
2007-12-01 19:24:47 +00:00
3139da7ed3
From Natanael Copa: fixed a race condition when building yacc stuff.
2007-11-29 16:22:08 +00:00
45ebb13627
fixed a race condition when building yacc stuff
2007-11-29 16:22:07 +00:00
e76e80b28b
From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r()
2007-11-09 16:28:14 +00:00
faf3c4a53b
From Arnaud Ebalard: Some sanity checking in pk_recv()
2007-11-09 16:27:58 +00:00
70597b6cab
From Arnaud Ebalard: Better matching of SPD entries in getsp_r().
2007-11-09 16:27:47 +00:00
cd8d63d79e
From Arnaud Ebalard: Added some debug in get_proposal_r().
2007-11-09 16:27:42 +00:00
c9951c135d
Fix for CVE-2007-4995 from OpenSSL CVS
2007-10-21 20:34:14 +00:00
57c0ea0775
Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-19 03:37:18 +00:00
702eac21e5
Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD
2007-10-15 16:05:01 +00:00
657e6e5324
new plog macro
2007-10-02 09:48:08 +00:00
4e4df07d61
From Scott Lamb: include plog.h to work with the new plog macro.
2007-10-02 09:47:55 +00:00
400c6ca5a9
From Scott Lamb: plog changed to _plog to work with new plog macro
2007-10-02 09:47:45 +00:00
c12d0d481a
From Scott Lamb: new plog macro.
2007-10-02 09:47:40 +00:00
0e0b59826f
apply a patch from openssl CVS to fix a remaining off-by-one error
...
in an older security fix, see
http://www.securityfocus.com/archive/1/480855/30/0/threaded
2007-09-28 13:09:26 +00:00
26182f1f5d
Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo.
2007-09-19 19:29:36 +00:00
33e6656ef9
Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo.
2007-09-19 19:20:25 +00:00
8293a09746
Fix autoconf check for selinux support. Submitted by Joy Latten.
2007-09-13 00:26:14 +00:00
aca8e1eed2
Implement clientaddr sainfo remote id option and refine the sainfo man page syntax.
2007-09-12 23:39:49 +00:00
6dda4e3f48
Use poll(2) to wait for rnd(4). The initialisation of OpenSSL's RNG
...
now works reliably if the first FD_SETSIZE file descriptors are in use.
2007-09-07 08:10:00 +00:00
324a68d0b7
Sort sainfo sections on insert and improve matching logic.
2007-09-05 06:55:44 +00:00
edac7dae7c
Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn.
2007-09-03 18:08:42 +00:00
1c79bc103b
src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
...
authorization ports. Allow interoperability with freeradius
2007-08-07 04:35:01 +00:00
9fcfdb104e
Apply a patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1306 .
...
Fix nasty "error: channel 0: chan_read_failed for istate 3" message.
2007-07-31 03:09:49 +00:00
8628a88239
Update NEWS file with additional 0.7 improvements.
2007-07-24 04:29:23 +00:00
9b7e05e155
Various racoon configuration manpage updates.
2007-07-18 22:50:47 +00:00
0878f17383
PR/36665: Matthias Scheler: Thread support is not enabled in NetBSD's OpenSSL
...
I enabled it.
2007-07-18 20:19:56 +00:00
c3bc7fe364
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
2007-07-18 12:07:49 +00:00
9f7ae421ea
fixed a socket leak
2007-07-16 15:05:10 +00:00
0fd2ceaf72
indentation
2007-07-16 15:03:13 +00:00
4d0c78dab0
PR/36624: Edgar Fu: sshd should not check pw_{expire,change} if UsePam is
...
enabled. This is what the "portable" version of openssh does.
2007-07-10 15:48:56 +00:00
a39c84a8c3
PR/36623: Edgar Fu: ssh publickey authentification fails if homedir not present
...
Removed extra realpath check that was introduced by a bogus merge.
2007-07-10 14:56:25 +00:00
30638c77c3
PR/36562: Takeshi Nakayama: sshd(8) HostbasedAuthentication fails after
...
upgrading to 4.0_BETA
Remove $HOME test since this is also used by sshd.
2007-06-26 18:28:34 +00:00
d1cb3ec527
remove unused variable.
2007-06-25 01:42:31 +00:00
c6b86acffc
don't use __progname for the pam service name. Hard-code it to "sshd"
2007-06-24 23:48:30 +00:00
72fe4c3a84
From Paul Winder <Paul.Winder@tadpole.com>:
...
Fix ignored INTERNAL_DNS4_LIST
2007-06-07 20:04:26 +00:00
6ae0ffb7d9
From Rong-En Fan: fix compilation with gcc 4.2
2007-06-06 15:37:15 +00:00
cc41629a4c
fixed compilation with gcc 4.2
2007-06-06 15:37:14 +00:00
6817ea28d9
speeds up interfaces update when they changed
2007-06-06 09:47:30 +00:00
1ed22670fa
From Jianli Liu: speed up interfaces update when they change.
2007-06-06 09:47:29 +00:00
7c53bfe0b6
ignore obsolete lifebyte when validating reloaded configuration
2007-06-06 09:18:16 +00:00
a16fcccee0
From Joy Latten <latten@austin.ibm.com>
...
Fix file descriptor shortage when using labeled IPsec.
2007-05-31 19:54:54 +00:00
23326f5b62
From Jianli Liu <jlliu@nortel.com>:
...
In racoonctl, use the specified socket path instead of the default location
2007-05-30 21:02:39 +00:00
5d1825b2a1
Use RESCUEDIR if set.
2007-05-17 00:17:50 +00:00
538010e358
coverity CID 4168: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 21:00:40 +00:00
dc073934fe
coverity CID 4170: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 20:59:04 +00:00
5e29f1f1bb
search a ph1 by address if iph2->ph1 is NULL when validating the new config
2007-05-04 14:33:38 +00:00
79dfa780cb
...
2007-05-04 09:10:07 +00:00
0f20ab497d
added some debug in getph1byaddr() to track some port matching problems with NAT-T
2007-05-04 09:09:54 +00:00
manu