2cf8149db2
resurect files that we need and make things compile again.
2007-03-10 23:05:24 +00:00
06993fb381
resolve conflicts.
2007-03-10 22:52:04 +00:00
38f7168c16
PR/35965: Kazushi Marukawa: SSHD doesn't work under protocol 1
...
This is a manifestation of a bug in OpenSSL 0.9.8e, which breaks
certain ciphers in OpenSSH <= 4.5p1. See:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-aesctr-openssh.html
http://bugzilla.mindrot.org/show_bug.cgi?id=1291
2007-03-10 17:18:31 +00:00
f0f7c41448
enable RFC/3779, requested by George Michaelson
2007-03-10 00:49:47 +00:00
01abf44400
resolve the not-quite-resolved cvs conflicts (a missing #endif)
2007-03-07 02:34:59 +00:00
d774015c29
resolve conflicts
2007-03-06 23:47:18 +00:00
b22ff73a10
Import OpenSSL 0.9.8e
2007-03-06 21:12:00 +00:00
17fe25abca
eliminate caddr_t
2007-03-04 08:21:34 +00:00
adf474a143
Add logic to allow ip address ids to be matched to ip subnet ids when
...
appropriate.
2007-02-28 05:36:45 +00:00
f1c1e37275
block variable declaration before code in ipsecdoi_id2str()
2007-02-21 11:01:06 +00:00
740b198715
Removed a debug printf....
2007-02-20 16:32:28 +00:00
bd81981229
Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting
2007-02-20 09:11:30 +00:00
1cb0c229b8
updated delete_spd() calls
2007-02-20 09:11:14 +00:00
19df9f5fcc
fills creation date of generated SPDs
2007-02-20 09:11:03 +00:00
57d8173408
added 'created' var
2007-02-20 09:10:47 +00:00
3c99a9f776
Removed a debug printf....
2007-02-19 13:08:47 +00:00
496e74bcde
From Olivier Warin: Fix a %zu in a printf.
2007-02-16 11:01:35 +00:00
834d2e72c5
Fixed a %zu in a printf
2007-02-16 11:01:34 +00:00
eac241862b
Missing SELinux file
2007-02-15 16:31:38 +00:00
1b2a464d38
Missing stuff for SELinux
2007-02-15 16:23:40 +00:00
6c4dc9e4c6
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
2007-02-15 13:01:26 +00:00
5f4b4e0b21
Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote()
2007-02-15 13:01:25 +00:00
6ced6eb0cd
Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory
2007-02-15 10:19:24 +00:00
b552802596
It's no longer basesrc.
2007-02-05 18:12:43 +00:00
5374d6ac89
Fixed a check of NAT-T support in libipsec
2007-02-02 13:42:28 +00:00
1634f1d295
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
2007-02-01 08:48:32 +00:00
e25ad0ee61
When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational
2007-02-01 08:48:31 +00:00
15b0193490
Refer to RFC 4716 in two more places (instead of "IETF SECSH").
...
From jmc@openbsd.
2007-01-23 22:21:54 +00:00
a740eb5ac0
CID-4268: `c' is EOF here, remove deadcode
2006-12-26 00:06:03 +00:00
bdf6fc4f47
CID-4167: check for 'iph1->approval != NULL'
2006-12-26 00:04:00 +00:00
a0a9492dc8
Talk of RFC 4716 SSH public key format instead of SECSH public key format.
...
From markus@openbsd via jmc@openbsd (rev 1.73).
2006-12-24 10:06:03 +00:00
7ce75c98d8
Mention RFC 4716. From markus@openbsd via jmc@openbsd (rev. 1.266).
2006-12-24 10:04:08 +00:00
9e2cc05c4b
Use even more macros.
2006-12-23 09:29:53 +00:00
710cf70831
Use more macros.
2006-12-23 09:29:01 +00:00
fc51d9d324
Serial comma, and bump date for previous.
2006-12-23 09:22:52 +00:00
1a38b96eff
From Joy Latten: fix a memory leak
2006-12-18 10:15:30 +00:00
591299b29f
fixed a memory leak in crypto_openssl
2006-12-18 10:15:29 +00:00
fcdf5459d0
branch 0.7 created
2006-12-10 22:36:06 +00:00
7c683c0b23
Bring back API and ABI backward compatibility with previous libipsec before
...
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
2006-12-10 18:46:39 +00:00
78f5cfece3
From Joy Latten: README.plainrsa documenting plain RSA auth
2006-12-10 05:51:14 +00:00
99a403e274
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
...
libipsec interface for adding and updating security associations.
2006-12-09 05:52:57 +00:00
10cadc281e
From Simon Chang: More hints about plain RSA authentication
2006-12-09 05:44:34 +00:00
3db7f7800e
Check keys length regarding proposal_check level
2006-12-05 13:38:40 +00:00
8ceadc3208
Correct issues associated with anonymous sainfo selection in racoon.
2006-11-16 00:30:55 +00:00
ea8336c632
As uwe points out, it looks like the L on the version constant was
...
accidentally removed. Add it back, especially as the documentation still
claims that the constant is a long.
2006-11-14 22:30:33 +00:00
1be366570b
From http://www.openssh.org/txt/release-4.5 : (CVE-2006-5794)
...
* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.
Bump __NETBSDSSH_VERSION
2006-11-14 21:52:09 +00:00
600680c6c3
merge conflicts.
2006-11-13 21:55:36 +00:00
4a5ea8ca2f
import 0.9.8d
2006-11-13 21:16:04 +00:00
9f3fa7dc87
eliminate the only variable stack array allocation.
2006-11-09 20:22:18 +00:00
94eb6e9da8
fix typo
2006-11-09 19:51:06 +00:00
f06f014bee
use malloc when ssp
2006-11-09 19:50:03 +00:00
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
...
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
05ad853be0
one more to catch up with the new location for sha2.h
2006-10-28 23:07:23 +00:00
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
9480ff5303
Change the default sshd configuration file so that only protocol version 2
...
is enabled by default. Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.
Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
2006-10-15 14:01:53 +00:00
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00
f34e7857d3
keep len correct when substituting variables - fixes PR/24458
2006-10-08 22:21:14 +00:00
56f4977415
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
...
<okazaki@kick.gr.jp>
2006-10-06 12:02:26 +00:00
ee4546d741
unbreak gcc-3 builds.
2006-10-04 14:31:55 +00:00
a9fc92da63
PR/34681: Scott Ellis: Explicitly include <sys/socket.h>
2006-10-04 14:30:35 +00:00
1eafb02344
put back ignorerootrhosts
2006-10-04 14:26:31 +00:00
20d3dfdcfa
fix endianness issue introduced yesterday
2006-10-03 20:43:10 +00:00
2b72a4f236
remoteid/ph1id support
2006-10-03 08:04:31 +00:00
b45c893ef4
Added remoteid/ph1id syntax
2006-10-03 08:03:59 +00:00
7d2c6acefd
Parses remoteid/ph1id values
2006-10-03 08:03:33 +00:00
dd3c365568
Uses remoteid/ph1id values
2006-10-03 08:02:51 +00:00
80d5a8a518
Added remoteid/ph1id values
2006-10-03 08:01:56 +00:00
9547d0f260
avoid reusing free'd pointer (Coverity 2613)
2006-10-02 21:51:33 +00:00
1966cc3311
Check for NULL pointer (COverity 4175)
2006-10-02 21:47:32 +00:00
e1ade705e1
Remove dead code (Coverity 3451)
2006-10-02 21:41:59 +00:00
520ec462f7
Fix array overrun (Coverity 4172)
2006-10-02 21:33:14 +00:00
e5d24ec446
Fix memory leak (Coverity 2002)
2006-10-02 21:27:08 +00:00
cdb1e64a8c
Fix memory leak (Coverity 2001), refactor the code to use port get/set
...
functions
2006-10-02 21:19:43 +00:00
cd350eaf6d
Avoid reusing free'd pointer (Coverity 4200)
2006-10-02 20:52:17 +00:00
d564be9350
Don't use NULL pointer (Coverity 3443), reformat to 80 char/line
2006-10-02 18:54:46 +00:00
f54a9b4797
If you're going to initialize a pointer, you have to init it with a pointer
...
type, not an int.
2006-10-02 12:44:40 +00:00
68e9583818
Don't use NULL pointer (coverity 3439)
2006-10-02 12:04:53 +00:00
5227e9475b
Don't use NULL pointer (Coverity 1334)
2006-10-02 11:59:40 +00:00
41042afaf6
Don't use NULL pointer (Coverity 944)
2006-10-02 07:17:57 +00:00
01d5ad642c
Don't use NULL pointer (Coverity 941)
2006-10-02 07:15:09 +00:00
9a55720f5c
Don't use NULL pointer (Coverity 942)
2006-10-02 07:12:26 +00:00
bfd607cda0
Don't use null pointer (Coverity 863)
2006-10-02 07:08:25 +00:00
626d146a75
FIx memory leak (Coverity 4181)
2006-10-01 22:04:03 +00:00
7be862b0db
Check that iph1->remote is not NULL before using it (Coverity 3436)
2006-10-01 19:23:57 +00:00
c7242e7e9f
emove dead code (Coverity 4165)
2006-09-30 21:49:37 +00:00
07b750b745
Fix memory leak (Coverity 4179)
2006-09-30 21:38:39 +00:00
df69765a89
update the scripts for wrorking around routing problems on NetBSD
2006-09-30 21:22:21 +00:00
172675f3db
Reuse existing code for closing IKE sockets, and avoid screwing things by
...
setting p->sock = -1, which is not expected (Coverity 4173).
2006-09-30 16:14:18 +00:00
d5f44674f8
Do not free id and key, as they are used later
2006-09-30 15:51:42 +00:00
55269b80c3
Grab a couple of lines from OpenSSH-portable that allow PAM authentication
...
to succeed. I guess the default configuration of NetBSD wasn't tested
before the import...
2006-09-29 22:47:21 +00:00
efb59e1b32
Fix the fix: handle_recv closes the socket, so we must call com_init before
...
sending any data.
2006-09-29 21:39:35 +00:00
8da6ea8890
Check for cert being NULL too.
2006-09-29 17:07:32 +00:00
897b34d36d
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
...
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows
remote attackers to cause a denial of service (inifnite loop
and memory consumption) via malformed ASN.1 structures that
trigger an improperly handled error condition.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions allows attackers to cause a denial of service (CPU
consumption) via certain public keys that require extra time
to process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
Buffer overflow in the SSL_get_shared_ciphers function in
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions has unspecified impact and remote attack vectors
involving a long list of ciphers.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Unspecified vulnerability in the SSLv2 client code in OpenSSL
0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions
allows remote servers to cause a denial of service (client
crash) via unknown vectors.
2006-09-29 15:41:08 +00:00
f1afbc1ee7
Use PRIu64 instead of llu when printing an u_int64_t.
...
Fixes a build problem for our LP64 ports, where u_int64_t is
typically an unsigned long.
2006-09-29 14:36:34 +00:00
christos