Commit Graph

2079 Commits

Author SHA1 Message Date
agc a2e4cd88b7 fix a repeated typo 2011-03-29 21:43:17 +00:00
wiz f96ea8d1d8 Sort sections. 2011-03-22 09:42:00 +00:00
jruoho bed0d8a5ad * Remove saslc_strmech(), which does not appear in the sources.
Instead, document saslc_sess_getmech().

* Add FUNCTIONS and describe the functions in a list for readability.

* Sort SYNOPSIS in the order of appearance in FUNCTIONS.

* Split couple of long paragraphs for readability.

* Split the code example into EXAMPLES.

* Add missing prototypes to SYNOPSIS.

* Small markup improvements.

No contextual change.
2011-03-22 07:06:02 +00:00
njoly 6f070d3570 Add missing quotes. 2011-03-21 15:04:18 +00:00
vanhu 2337f22d7b fixed a memory leak in oakley_append_rmconf_cr() while generating plist. patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:42:58 +00:00
vanhu 949304356c free name later, to avoid a memory use after free in oakley_check_certid(). also give iph1->remote to some plog() calls. patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:39:06 +00:00
vanhu ebfca0c74d fixed a memory leak in oakley_check_certid(). patch by Roman Hoog Antink <rha@open.ch> 2011-03-17 14:35:24 +00:00
vanhu 5279815e7c directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free 2011-03-15 13:20:14 +00:00
tteras 4e499ee605 Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.
2011-03-14 17:18:12 +00:00
vanhu fd67cc6416 avoid some memory leaks / free memory access when reloading conf and have inherited config. patch from Roman Hoog Antink <rha@open.ch> 2011-03-14 15:50:36 +00:00
vanhu ba228a2812 removed an useless comment 2011-03-14 14:54:07 +00:00
njoly a5664dbb36 Fix Kerberos prefix in xrefs (krb55 -> krb5). 2011-03-14 12:31:13 +00:00
vanhu 7683f452c1 check if we got RMCONF_ERR_MULTIPLE from getrmconf_by_ph1() in revalidate_ph1tree_rmconf() 2011-03-14 09:19:23 +00:00
njoly c35f59108f Fix compile_et section (3 -> 1). 2011-03-11 15:33:22 +00:00
vanhu ffa3b61f55 directly delete a ph1 in remove_ph1-) instead of scheduling it, to avoid (completely ?) a race condition when reloading configuration 2011-03-11 14:30:07 +00:00
tteras 349228b78c Quiet a gcc warning when strict-aliasing checks are enabled. Reported by
Stephen Clark.
2011-03-06 08:28:10 +00:00
vanhu 65023b30e4 flush sainfo list when closing session. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 15:09:16 +00:00
vanhu 7e1e999bc0 free rsa structures when deleting a struct rmconf. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 15:04:01 +00:00
vanhu 78c9c4b8d1 free spspec when deleting a rmconf struct. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:58:27 +00:00
vanhu 82409028c9 fixed some memory leaks in remoteconf. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:52:32 +00:00
vanhu ff2e315ab3 fixed some memory leaks during configuration parsing. patch by Roman Hoog Antink <rha@open.ch> 2011-03-02 14:49:21 +00:00
vanhu acd79fcecf plog text fixes, patch from M E Andersson <debian@gisladisker.se> 2011-03-01 14:33:58 +00:00
vanhu 3b9e5ba27f reset yyerrorcount before doing parse stuff. patch by Roman Hoog Antink <rha@open.ch> 2011-03-01 14:14:50 +00:00
joerg 9674b81ed9 Introduce __weakref_visible to handle the different required visibility
for weak references. GCC 4.2+ and Clang require static, older GCC wants
extern. Change __weak_reference to include sym. This requires changes
the existing users to not reuse the name of the symbol, but avoids
further differences between GCC 4.1 and GCC 4.2+/clang.
2011-02-22 05:45:05 +00:00
tteras 004dc7976f From Roman Hoog Antink <rha@open.ch>: Fix memory leak when using plain RSA
key authentication.
2011-02-20 17:32:02 +00:00
joerg 729a0eaa85 Include bsd.prog.mk to ensure that make includes actually works. 2011-02-20 05:42:34 +00:00
christos 743bf4fef9 Re-do using bsd.files.mk 2011-02-20 05:17:47 +00:00
christos 761d5d7e88 don't install dirs. 2011-02-20 02:14:42 +00:00
christos 0498c1530c Add example configuration file from Anon Ymous and a README file from me. 2011-02-20 02:12:31 +00:00
christos 09484ebb41 improve error handling, from Anon Ymous 2011-02-20 01:59:46 +00:00
christos acb231545c Property name change:
SASLC_PROP_SERVICENAME ("SERVICENAME")
to
  SASLC_PROP_SERVNAME ("SERVNAME")

Hopefully this will avoid confusion with SASLC_PROP_SERVICE ("SERVICE").
SERVNAME is also closer to the name used in the RFC2831 ("serv-name").
(Discussed with christos@.)

Change the hash parameters to keep that collision-less after the above
name change.

While here, go back to using .Sh in the manpage for unknown section
headers as the PostScript output from .Ss is slightly different.
(Discussed with wiz@.)
2011-02-16 02:14:22 +00:00
christos 1fa7e8d953 From Anon Ymous:
1) Fix a memory leak in cipher_context_create().
2) Fix a goof in the construction of the digest-uri.
3) Allow SASLC_PROP_SERVICENAME to be a hostname qualified comma
delimited list of service names to select from and update the manpage
to reflect this.
4) Make libsaslc.3 pass mdoclint(1).
2011-02-15 18:36:08 +00:00
christos d02347a68e fix the loop sentinel. 2011-02-14 12:45:31 +00:00
christos 561e85ba95 Make all mechanisms optional, so we can compile in only the ones we want. 2011-02-13 05:39:52 +00:00
christos beea8b97d4 Fix botched merges of the patch that Anon Ymous sent. From Anon Ymous 2011-02-12 23:21:32 +00:00
christos 16e81cb945 fix size_t inconsistencies. 2011-02-12 22:46:14 +00:00
matt 97519f2fe4 Fix some LP64/IPL32 issues 2011-02-12 22:24:01 +00:00
matt bb5019fabd Don't use DPADD/LDADD for libraries. Use LIBDPLIBS instead. 2011-02-12 22:23:11 +00:00
christos e9a3875280 glue in saslc 2011-02-12 19:07:35 +00:00
christos e43cceb285 just include <sys/types.h>; don't inclue stdbool.h because postfix does not
like it.
2011-02-12 19:03:39 +00:00
wiz 17646a9411 Various formatting fixes and a typo or two. 2011-02-12 16:08:18 +00:00
wiz 35a4803959 Remove trailing whitespace and superfluous Pp before new sections.
Use Nm instead of Xr'ing itself.
2011-02-12 15:58:03 +00:00
christos 1fca038b42 remove NULL check, can't happen. 2011-02-12 14:24:18 +00:00
christos 19c14409b9 Changes from Anon Ymous:
Make this library work.
- several API changes (see the manpage)
- take care to match the spec (hopefully)
- deal with comma delimited lists more systematically
- addition of the DIGEST-MD5 security layer
- syslog messages including debugging messages
- many coding simplifications, changes, rewrites, and additions (i.e.,
  stuff I can't recall at the moment)
- rewrite the manpage

The API changes have been heavily influenced by hooking this up to
postfix(1).

The ANONYMOUS, LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, and GSSAPI
authentication mechanisms have been tested and shown to work for
authentication with a postfix(1) server using the cyrus-sasl library.
(A postfix(1) libsaslc(3) client wrapper was used for the testing and
will be committed separately.)

The EXTERNAL authentication mechanism should work (it is pretty
simple), but it has not been tested with any servers.

The security layers of DIGEST-MD5 and GSSAPI have also not been tested
with any servers.  Do any SMTP servers really support these security
layers?  Postfix with cyrus-sasl does not, either as a client or
server, even though the cyrus-sasl library has support for the layers.

The new DIGEST-MD5 security layer encode/decode routines have been
tested against themselves (not terribly useful), but nothing else.  As
they use the openssl EVP_* routines (which aren't well documented) to
do the cryptography, the "auth-conf" layer may or may not actually
match the rfc2831 standard.  The "auth-int" layer is much more likely
to be in compliance.

Note: I have left support for a version of AES in the DIGEST-MD5 code
even though it is not part of rfc2831 (May 2000).  This flavor of AES
was in a later draft (June 2003) that was included in the cyrus-sasl
distribution, but changed to a different flavor of AES in subsequent
drafts (and DES disappeared).  AFAIKT, none of those drafts have been
accepted; the last I could find expired in Sept 2007.  rfc2831 is
still listed as standards track.  The AES support is very minor (some
table entries and a few lines of code to construct the IV) and I was
asked to leave it for now.

Hopefully there are not too many bugs, memory leaks, or
spelling/grammar errors.  My apologies in advance.

BTW, if you would prefer to use cyrus-sasl, install it (e.g., from
pkgsrc), and then rebuild postfix with HAVE_CYRUS_SASL defined.
2011-02-11 23:44:42 +00:00
tteras 093488593b From Mats E Andersson <debian@gisladisker.se>: Fix fprintf format specifier
usage from previous patch.
2011-02-11 10:07:19 +00:00
tteras 1f21513187 From Mats Erik Andersson <debian@gisladisker.se>: Implement importing of
RSA keys from PEM files.
2011-02-10 11:20:08 +00:00
tteras 6615d57c07 From M E Andersson <debian@gisladisker.se>: Fix parsing of restricted RSA
key addresses.
2011-02-10 11:17:17 +00:00
spz 03e283f07f fix for CVE-2011-0014 (OCSP stapling vulnerability in OpenSSL)
patch taken from http://www.openssl.org/news/secadv_20110208.txt
2011-02-10 06:04:54 +00:00
christos 8d527ef179 we have arc4random_buf and uniform now; no need for random.c 2011-02-05 16:01:57 +00:00
spz 0284f45be2 revert previous 2011-02-05 06:42:44 +00:00