vanhu
90cd29a77c
From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc.
2008-01-11 14:09:05 +00:00
vanhu
5e3ace1c19
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
2008-01-11 14:08:29 +00:00
vanhu
e8714f7763
From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg).
2008-01-11 14:07:39 +00:00
vanhu
223c4f34ce
added an 'established' arg to getph1byaddr()
2008-01-11 14:06:56 +00:00
mgrooms
c825a8ee5f
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:07 +00:00
mgrooms
e2eda5513a
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:06 +00:00
jnemeth
c9b9889ada
add back #include <sys/socket.h> from Scott Ellis on current-users@
2007-12-21 20:42:03 +00:00
tnn
e9e5abe68c
fix typo in comment
2007-12-21 01:03:58 +00:00
martin
53a105b083
Disable the umac-64 MAC for now, it needs to be rewritten from scratch.
Addresses PR bin/37562.
2007-12-20 14:14:04 +00:00
dogcow
d642d06d3d
fixes for alpha: %ld -> %zd, signals are long.
2007-12-18 09:00:30 +00:00
dogcow
ceafeaa9bc
Eliminate "endian_convert defined but not used" on big-endian platforms;
instead of using the "generic" functions for byteswapping in this file,
use le32toh() and friends.
2007-12-18 08:32:21 +00:00
dogcow
4750a01617
on NetBSD, use %zu for sizeof()
2007-12-18 07:22:32 +00:00
christos
512c2e7e60
merge conflicts
2007-12-18 02:35:25 +00:00
christos
848569aa46
from ftp.openbsd.org
2007-12-17 20:15:38 +00:00
mgrooms
3a210f56fc
Add corrections submitted in a follow up patch for the nat-t oa support.
2007-12-12 05:08:28 +00:00
mgrooms
892304dffa
Add support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-12 04:45:59 +00:00
jnemeth
85c7ab0640
add a sample XAuthLocation for x.org users as discussed on pkgsrc-users@
2007-12-08 19:03:28 +00:00
mgrooms
4454243c5b
Add changelog entries missed in the last commit.
2007-12-04 19:54:24 +00:00
mgrooms
2ada148e80
Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras.
2007-12-04 19:52:30 +00:00
wiz
e5326240e8
Fix typos. New sentence, new line.
2007-12-01 19:24:47 +00:00
vanhu
3139da7ed3
From Natanael Copa: fixed a race condition when building yacc stuff.
2007-11-29 16:22:08 +00:00
vanhu
45ebb13627
fixed a race condition when building yacc stuff
2007-11-29 16:22:07 +00:00
vanhu
e76e80b28b
From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r()
2007-11-09 16:28:14 +00:00
vanhu
faf3c4a53b
From Arnaud Ebalard: Some sanity checking in pk_recv()
2007-11-09 16:27:58 +00:00
vanhu
70597b6cab
From Arnaud Ebalard: Better matching of SPD entries in getsp_r().
2007-11-09 16:27:47 +00:00
vanhu
cd8d63d79e
From Arnaud Ebalard: Added some debug in get_proposal_r().
2007-11-09 16:27:42 +00:00
adrianp
c9951c135d
Fix for CVE-2007-4995 from OpenSSL CVS
2007-10-21 20:34:14 +00:00
manu
57c0ea0775
Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-19 03:37:18 +00:00
vanhu
702eac21e5
Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD
2007-10-15 16:05:01 +00:00
vanhu
657e6e5324
new plog macro
2007-10-02 09:48:08 +00:00
vanhu
4e4df07d61
From Scott Lamb: include plog.h to work with the new plog macro.
2007-10-02 09:47:55 +00:00
vanhu
400c6ca5a9
From Scott Lamb: plog changed to _plog to work with new plog macro
2007-10-02 09:47:45 +00:00
vanhu
c12d0d481a
From Scott Lamb: new plog macro.
2007-10-02 09:47:40 +00:00
drochner
0e0b59826f
apply a patch from openssl CVS to fix a remaining off-by-one error
in an older security fix, see
http://www.securityfocus.com/archive/1/480855/30/0/threaded
2007-09-28 13:09:26 +00:00
mgrooms
26182f1f5d
Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo.
2007-09-19 19:29:36 +00:00
mgrooms
33e6656ef9
Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo.
2007-09-19 19:20:25 +00:00
mgrooms
8293a09746
Fix autoconf check for selinux support. Submitted by Joy Latten.
2007-09-13 00:26:14 +00:00
mgrooms
aca8e1eed2
Implement clientaddr sainfo remote id option and refine the sainfo man page syntax.
2007-09-12 23:39:49 +00:00
tron
6dda4e3f48
Use poll(2) to wait for rnd(4). The initialisation of OpenSSL's RNG
now works reliably if the first FD_SETSIZE file descriptors are in use.
2007-09-07 08:10:00 +00:00
mgrooms
324a68d0b7
Sort sainfo sections on insert and improve matching logic.
2007-09-05 06:55:44 +00:00
mgrooms
edac7dae7c
Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn.
2007-09-03 18:08:42 +00:00
manu
1c79bc103b
src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
authorization ports. Allow interoperability with freeradius
2007-08-07 04:35:01 +00:00
taca
9fcfdb104e
Apply a patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1306.
Fix nasty "error: channel 0: chan_read_failed for istate 3" message.
2007-07-31 03:09:49 +00:00
mgrooms
8628a88239
Update NEWS file with additional 0.7 improvements.
2007-07-24 04:29:23 +00:00
mgrooms
9b7e05e155
Various racoon configuration manpage updates.
2007-07-18 22:50:47 +00:00
christos
0878f17383
PR/36665: Matthias Scheler: Thread support is not enabled in NetBSD's OpenSSL
I enabled it.
2007-07-18 20:19:56 +00:00
vanhu
c3bc7fe364
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
2007-07-18 12:07:49 +00:00
vanhu
9f7ae421ea
fixed a socket leak
2007-07-16 15:05:10 +00:00
vanhu
0fd2ceaf72
indentation
2007-07-16 15:03:13 +00:00
christos
4d0c78dab0
PR/36624: Edgar Fu: sshd should not check pw_{expire,change} if UsePam is
enabled. This is what the "portable" version of openssh does.
2007-07-10 15:48:56 +00:00
christos
a39c84a8c3
PR/36623: Edgar Fu: ssh publickey authentication fails if homedir not present
Removed extra realpath check that was introduced by a bogus merge.
2007-07-10 14:56:25 +00:00
christos
30638c77c3
PR/36562: Takeshi Nakayama: sshd(8) HostbasedAuthentication fails after
upgrading to 4.0_BETA
Remove $HOME test since this is also used by sshd.
2007-06-26 18:28:34 +00:00
christos
d1cb3ec527
remove unused variable.
2007-06-25 01:42:31 +00:00
christos
c6b86acffc
don't use __progname for the pam service name. Hard-code it to "sshd"
2007-06-24 23:48:30 +00:00
manu
72fe4c3a84
From Paul Winder <Paul.Winder@tadpole.com>:
Fix ignored INTERNAL_DNS4_LIST
2007-06-07 20:04:26 +00:00
vanhu
6ae0ffb7d9
From Rong-En Fan: fix compilation with gcc 4.2
2007-06-06 15:37:15 +00:00
vanhu
cc41629a4c
fixed compilation with gcc 4.2
2007-06-06 15:37:14 +00:00
vanhu
6817ea28d9
speeds up interfaces update when they changed
2007-06-06 09:47:30 +00:00
vanhu
1ed22670fa
From Jianli Liu: speed up interfaces update when they change.
2007-06-06 09:47:29 +00:00
vanhu
7c53bfe0b6
ignore obsolete lifebyte when validating reloaded configuration
2007-06-06 09:18:16 +00:00
manu
a16fcccee0
From Joy Latten <latten@austin.ibm.com>
Fix file descriptor shortage when using labeled IPsec.
2007-05-31 19:54:54 +00:00
manu
23326f5b62
From Jianli Liu <jlliu@nortel.com>:
In racoonctl, use the specified socket path instead of the default location
2007-05-30 21:02:39 +00:00
christos
5d1825b2a1
Use RESCUEDIR if set.
2007-05-17 00:17:50 +00:00
christos
538010e358
coverity CID 4168: yyerror() does not return, so we proceed to de-reference
NULL. Make it return -1 instead like in other places.
2007-05-16 21:00:40 +00:00
christos
dc073934fe
coverity CID 4170: yyerror() does not return, so we proceed to de-reference
NULL. Make it return -1 instead like in other places.
2007-05-16 20:59:04 +00:00
vanhu
5e29f1f1bb
search a ph1 by address if iph2->ph1 is NULL when validating the new config
2007-05-04 14:33:38 +00:00
vanhu
79dfa780cb
...
2007-05-04 09:10:07 +00:00
vanhu
0f20ab497d
added some debug in getph1byaddr() to track some port matching problems with NAT-T
2007-05-04 09:09:54 +00:00
vanhu
e91f01072a
added some debug in isakmp_chkph1there() to track some port matching problems with NAT-T
2007-05-04 09:09:47 +00:00
vanhu
ff0f36d165
added some debug for DELETE_SA process
2007-05-04 09:09:35 +00:00
vanhu
ae24f5b259
Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negotiated as initiator
2007-05-04 09:09:26 +00:00
plunky
e3a1867a4d
fix usage error: use type for .Ft
2007-04-13 18:22:08 +00:00
vanhu
ace683e685
checks proto_id in ipsecdoi_chkcmpids()
2007-04-04 13:09:36 +00:00
vanhu
f31c3aee8e
dumps peer's ID and peer's certificate subject /subjectaltname if they don't match
2007-04-04 13:07:31 +00:00
vanhu
52c7a2891e
Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code
2007-03-26 15:58:07 +00:00
christos
8f6921b522
PR/36069: Huang Yushuo: racoon can't work with pam_group
Set RUSER.
2007-03-24 02:07:42 +00:00
vanhu
2af4eed892
From Joy Latten: fix a segfault when using security labels between 32bit and 64bit host.
2007-03-23 15:43:19 +00:00
vanhu
38a126966c
fixed a segfault when using security labels between a 32bit and a 64bit host
2007-03-23 15:43:18 +00:00
vanhu
27934310cd
expire zombie handlers in getph2byid(), to avoid situations where we'll never negotiate a phase2 again
2007-03-23 15:34:31 +00:00
vanhu
1046a9e619
From Cyrus Rahman: give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:29 +00:00
vanhu
a1d41ca41d
give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:28 +00:00
vanhu
27187d08ab
fixed subnet check to generate IPV4_ADDRESS when needed in sockaddr2id()
2007-03-22 10:26:19 +00:00
vanhu
002f3b4723
checks if arg is NULL in SCHED_KILL
2007-03-21 14:37:58 +00:00
vanhu
452cfb7edf
NULL sched check is now done in SCHED_KILL
2007-03-21 14:29:22 +00:00
vanhu
43c152a498
checks if arg is NULL in SCHED_KILL
2007-03-21 14:28:59 +00:00
vanhu
a270a7afb9
From Yves-Alexis Perez: enable monitoring of ipv6 address changes on Linux.
2007-03-15 14:12:12 +00:00
vanhu
7a26f531db
enable monitoring of ipv6 address changes on linux
2007-03-15 14:12:11 +00:00
vanhu
0fca99dc2f
Consider a negotiation timeout when retry_counter is <=0 instead of < 0
2007-03-15 10:37:44 +00:00
christos
2cf8149db2
resurrect files that we need and make things compile again.
2007-03-10 23:05:24 +00:00
christos
06993fb381
resolve conflicts.
2007-03-10 22:52:04 +00:00
christos
38f7168c16
PR/35965: Kazushi Marukawa: SSHD doesn't work under protocol 1
This is a manifestation of a bug in OpenSSL 0.9.8e, which breaks
certain ciphers in OpenSSH <= 4.5p1. See:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-aesctr-openssh.html
http://bugzilla.mindrot.org/show_bug.cgi?id=1291
2007-03-10 17:18:31 +00:00
christos
f0f7c41448
enable RFC/3779, requested by George Michaelson
2007-03-10 00:49:47 +00:00
dogcow
01abf44400
resolve the not-quite-resolved cvs conflicts (a missing #endif)
2007-03-07 02:34:59 +00:00
mjf
d774015c29
resolve conflicts
2007-03-06 23:47:18 +00:00
mjf
b22ff73a10
Import OpenSSL 0.9.8e
2007-03-06 21:12:00 +00:00
christos
17fe25abca
eliminate caddr_t
2007-03-04 08:21:34 +00:00
mgrooms
adf474a143
Add logic to allow ip address ids to be matched to ip subnet ids when
appropriate.
2007-02-28 05:36:45 +00:00
vanhu
f1c1e37275
block variable declaration before code in ipsecdoi_id2str()
2007-02-21 11:01:06 +00:00
vanhu
740b198715
Removed a debug printf....
2007-02-20 16:32:28 +00:00
vanhu
bd81981229
Only delete a generated SPD if its creation date matches the creation date of the SA we are currently deleting
2007-02-20 09:11:30 +00:00
vanhu
1cb0c229b8
updated delete_spd() calls
2007-02-20 09:11:14 +00:00
vanhu
19df9f5fcc
fills creation date of generated SPDs
2007-02-20 09:11:03 +00:00
vanhu
57d8173408
added 'created' var
2007-02-20 09:10:47 +00:00
vanhu
3c99a9f776
Removed a debug printf....
2007-02-19 13:08:47 +00:00
vanhu
496e74bcde
From Olivier Warin: Fix a %zu in a printf.
2007-02-16 11:01:35 +00:00
vanhu
834d2e72c5
Fixed a %zu in a printf
2007-02-16 11:01:34 +00:00
manu
eac241862b
Missing SELinux file
2007-02-15 16:31:38 +00:00
manu
1b2a464d38
Missing stuff for SELinux
2007-02-15 16:23:40 +00:00
vanhu
6c4dc9e4c6
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
2007-02-15 13:01:26 +00:00
vanhu
5f4b4e0b21
Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote()
2007-02-15 13:01:25 +00:00
vanhu
6ced6eb0cd
Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and access to freed memory
2007-02-15 10:19:24 +00:00
rpaulo
b552802596
It's no longer basesrc.
2007-02-05 18:12:43 +00:00
vanhu
5374d6ac89
Fixed a check of NAT-T support in libipsec
2007-02-02 13:42:28 +00:00
vanhu
1634f1d295
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
2007-02-01 08:48:32 +00:00
vanhu
e25ad0ee61
When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational
2007-02-01 08:48:31 +00:00
wiz
15b0193490
Refer to RFC 4716 in two more places (instead of "IETF SECSH").
From jmc@openbsd.
2007-01-23 22:21:54 +00:00
alc
a740eb5ac0
CID-4268: `c' is EOF here, remove deadcode
2006-12-26 00:06:03 +00:00
alc
bdf6fc4f47
CID-4167: check for 'iph1->approval != NULL'
2006-12-26 00:04:00 +00:00
wiz
a0a9492dc8
Talk of RFC 4716 SSH public key format instead of SECSH public key format.
From markus@openbsd via jmc@openbsd (rev 1.73).
2006-12-24 10:06:03 +00:00
wiz
7ce75c98d8
Mention RFC 4716. From markus@openbsd via jmc@openbsd (rev. 1.266).
2006-12-24 10:04:08 +00:00
wiz
9e2cc05c4b
Use even more macros.
2006-12-23 09:29:53 +00:00
wiz
710cf70831
Use more macros.
2006-12-23 09:29:01 +00:00
wiz
fc51d9d324
Serial comma, and bump date for previous.
2006-12-23 09:22:52 +00:00
vanhu
1a38b96eff
From Joy Latten: fix a memory leak
2006-12-18 10:15:30 +00:00
vanhu
591299b29f
fixed a memory leak in crypto_openssl
2006-12-18 10:15:29 +00:00
manu
fcdf5459d0
branch 0.7 created
2006-12-10 22:36:06 +00:00
manu
7c683c0b23
Bring back API and ABI backward compatibility with previous libipsec before
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add capability flags to detect missing optional features in libipsec
2006-12-10 18:46:39 +00:00
manu
78f5cfece3
From Joy Latten: README.plainrsa documenting plain RSA auth
2006-12-10 05:51:14 +00:00
manu
99a403e274
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.
2006-12-09 05:52:57 +00:00
manu
10cadc281e
From Simon Chang: More hints about plain RSA authentication
2006-12-09 05:44:34 +00:00
vanhu
3db7f7800e
Check keys length regarding proposal_check level
2006-12-05 13:38:40 +00:00
mgrooms
8ceadc3208
Correct issues associated with anonymous sainfo selection in racoon.
2006-11-16 00:30:55 +00:00
dogcow
ea8336c632
As uwe points out, it looks like the L on the version constant was
accidentally removed. Add it back, especially as the documentation still
claims that the constant is a long.
2006-11-14 22:30:33 +00:00
adrianp
1be366570b
From http://www.openssh.org/txt/release-4.5 : (CVE-2006-5794)
* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.
Bump __NETBSDSSH_VERSION
2006-11-14 21:52:09 +00:00
christos
600680c6c3
merge conflicts.
2006-11-13 21:55:36 +00:00
christos
4a5ea8ca2f
import 0.9.8d
2006-11-13 21:16:04 +00:00
christos
9f3fa7dc87
eliminate the only variable stack array allocation.
2006-11-09 20:22:18 +00:00
christos
94eb6e9da8
fix typo
2006-11-09 19:51:06 +00:00
christos
f06f014bee
use malloc when ssp
2006-11-09 19:50:03 +00:00
cbiere
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
agc
05ad853be0
one more to catch up with the new location for sha2.h
2006-10-28 23:07:23 +00:00
vanhu
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
vanhu
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
vanhu
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
vanhu
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
vanhu
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
adrianp
9480ff5303
Change the default sshd configuration file so that only protocol version 2
is enabled by default. Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.
Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
2006-10-15 14:01:53 +00:00
manu
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
manu
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
manu
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00