efd02bc82c
From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:10 +00:00
60cd4fed98
fixed default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:09 +00:00
51065440a5
various commits
2006-09-19 07:51:44 +00:00
7ea7300ed8
always include some headers, as they are required even without NAT-T
2006-09-19 07:51:37 +00:00
a2afb48bcf
From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
2006-09-19 07:51:31 +00:00
478aed1af7
From Larry Baird: some printf() -> plog()
2006-09-19 07:51:27 +00:00
c18d9daa6a
From Matthew Grooms:
...
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)
2006-09-18 20:32:40 +00:00
504b73aa2f
removed generated files from the CVS
2006-09-18 09:11:06 +00:00
3992c65302
removed generated files from the CVS
2006-09-18 08:43:00 +00:00
90cc2f12b1
removed generated files from the CVS
2006-09-18 08:13:46 +00:00
f291901204
From Matthew Grooms:
...
handle IKE frag used in the first packet. That should not normally happen,
as the initiator does not know yet if the responder can handle IKE frag.
However, in some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do taht (something
like ike_frag force)
2006-09-18 08:05:47 +00:00
5a85c00571
Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms
2006-09-16 04:31:38 +00:00
2b7658dc54
Fix build on Linux
2006-09-15 09:40:44 +00:00
c8214a0a83
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
...
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
2006-09-09 16:22:08 +00:00
e3de131b63
Migrate ipsec-tools CVS to cvs.netbsd.org
2006-09-09 16:11:26 +00:00
8d13789c5a
Apply the third version of the patch from OpenSSL to address this issue.
...
- Rollback the updates for rsa.h, rsa_eay.c and rsa_err.c as they were
not necessary to address this vulnerability.
- Small update to the patch for rsa_sign.c for backward compatability so
the same patch can be applied to 0.9.[6-9]
2006-09-06 22:47:11 +00:00
90f5d4a3e0
Apply patch-CVE-2006-4339.txt
...
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.
Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
2006-09-05 12:24:08 +00:00
85f4c6eabf
Pull over OpenBSD v1.97, forwarded by jmc@openbsd:
...
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
ok deraadt
2006-08-10 00:34:32 +00:00
444e690921
Remove various dotfiles that wandered their way in.
2006-06-18 08:59:39 +00:00
a697e6653a
Adapt to new return value from socket(2) for an unsupported
...
protocol/address family.
2006-06-14 15:36:00 +00:00
ed56312e8a
resolve conflicts.
2006-06-03 01:50:19 +00:00
387e0d89ab
ftp www.openssl.org
2006-06-03 01:43:51 +00:00
b8b11c345a
ftp www.openssl.org
2006-06-03 01:39:48 +00:00
4f500646a9
Add a missing ')' to fix the example code. Already fixed in openssl upstream.
2006-05-24 16:44:34 +00:00
d46617757a
XXX: GCC uninitialized variable
2006-05-14 02:40:03 +00:00
b943fcf792
XXX: GCC uninitialized variables
2006-05-14 02:17:32 +00:00
f8418c0954
use socklen_t where appropriate.
2006-05-11 11:54:14 +00:00
54e9f4ccbc
wait_until_can_do_something() wants u_int * for it's 4th argument.
2006-05-11 09:27:06 +00:00
965a873335
avoid lvalue casts.
2006-05-11 00:05:45 +00:00
4d2c417597
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 00:04:07 +00:00
084c052803
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
0c37c63edc
change (mostly) int to socklen_t. GCC 4 doesn't like that int and
...
socklen_t are different signness.
2006-05-09 20:18:05 +00:00
4cd8515cfc
Add a NetBSD RCS ID.
2006-04-15 13:43:11 +00:00
83620ded04
Remove references to KerberosIV.
2006-03-23 19:58:03 +00:00
504a2dd02c
Pull in from djm@OpenBSD:
...
remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
Thanks to deraadt@OpenBSD for looking into this one.
2006-03-22 23:04:39 +00:00
e13746b11b
Fix krb4 compilation (although krb4 is removed, this leaves the code compiling)
2006-03-21 00:01:29 +00:00
dc4926056e
plug leak, coverity cid 2014.
2006-03-20 16:42:34 +00:00
204152ace9
plug leak, coverity cid 2027.
2006-03-20 16:41:46 +00:00
04b503af06
plug leaks, coverity cids 2030, 2031.
2006-03-20 16:40:25 +00:00
3a008ccc30
plug leak, coverity cid 2019.
2006-03-20 16:39:05 +00:00
9266948705
plug leaks, coverity cids 2012, 2013.
2006-03-20 16:36:31 +00:00
14c3ee98a9
fix null deref, coverity cid 953.
2006-03-20 16:31:45 +00:00
85e611dd01
Goodbye KerberosIV
2006-03-20 04:03:10 +00:00
1db63daa9d
fix compilation after des.h change. The countdown to krb4 has started.
2006-03-20 02:18:59 +00:00
e4547e1148
Coverity CID 1904: Don't leak memory on error.
2006-03-19 22:49:59 +00:00
a09bebd7da
Don't forget to free reply on failure.
2006-03-19 22:45:03 +00:00
5ebcdaa51a
Add casts to compile again.
2006-03-19 21:45:33 +00:00
4ea32734dc
Make this compile again, before I nuke it from orbit.
2006-03-19 21:01:17 +00:00
2ff3564ba8
fix memory leak, coverity cid 2032.
2006-03-19 16:48:36 +00:00
0a2d3f7a19
fix memory leaks, coverity cid 2016.
2006-03-19 16:47:09 +00:00
f6bc7e7627
fix memory leaks, coverity cids 2028, 2029.
2006-03-19 16:40:32 +00:00
2741a951b4
fix fd leak, coverity cid 2015.
2006-03-19 16:33:26 +00:00
be71d6bbfd
fix null deref, coverity cid 1341.
2006-03-19 16:29:43 +00:00
8a41610291
fix null deref, coverity cid 1339.
2006-03-19 16:23:19 +00:00
28788b89c7
fix null deref, coverity cid 1340.
2006-03-19 16:20:47 +00:00
d5b9c02e8c
add a semi colon.
2006-03-19 08:00:19 +00:00
4fcb2eb6de
Coveriry CID 1998: Fix memory leak.
2006-03-18 22:17:48 +00:00
6c6e841e30
Don't dereference NULL pointer, found by Coverity, CID 954.
2006-03-18 21:09:57 +00:00
ccd53bd92b
reform a loop to be prettier and appease coverity CID 2618
2006-03-18 10:41:24 +00:00
79787ff03b
Fix Coverity run 5, issue 2021 -- memory leak.
...
Approved by christos@.
2006-03-18 10:22:46 +00:00
1f89beeb43
Fix Coverity run 5, issue 1966 -- memory leak
...
Approved by christos@.
2006-03-18 10:19:09 +00:00
2de2502171
Make sure the right error is reported later, if all socket() calls fail.
...
If we close the invalid sock, we'll report EBADF later in that case.
2006-03-01 15:39:00 +00:00
6aece482c0
On non-fatal errors (identified: EPROTONOTSUPPORT), don't output the
...
error message unless debugging - the error for the last address tried
will be shown anyway, and earlier errors without context are only confusing
the user.
2006-03-01 15:18:09 +00:00
dd8ccf5b99
Add a namespace.h to rename the most conflict inducing names from libssh.
...
Idea from thorpej.
2006-02-13 16:49:33 +00:00
e245f48109
The sig_atomic_t type is not guaranteed to be printf-compatible
...
with %d, so cast to int before printing it.
2006-02-08 23:08:13 +00:00
55c58b142d
bring in new file needed from the portable openssh.
2006-02-04 22:32:54 +00:00
fab0e5bf66
resolve conflicts
2006-02-04 22:32:13 +00:00
c7a1af8c71
From ftp.openbsd.org.
2006-02-04 22:22:31 +00:00
ef2fdd1d7f
qsieve(6) -> qsieve(1)
2006-01-24 19:16:53 +00:00
7e91ac6596
Sort SEE ALSO.
2006-01-22 00:33:27 +00:00
7db6fc6be2
xref qsieve(6).
2006-01-19 23:31:09 +00:00
7f50c0a531
make software behave as the documentation advertise for INTERNAL_NETMASK4.
...
Keep the old INTERNAL_MASK4 to avoid breaking backward compatibility.
2006-01-07 23:51:50 +00:00
aa419ec271
enable cryptodev.
2005-12-31 00:08:34 +00:00
e1a76ccb7e
netbsd has issetugid()
2005-12-31 00:07:26 +00:00
06b42f5e66
Redo previous rework to generate yacc/lex output again and remove generated
...
copies from the import as they don't compile clean across all archs.
2005-12-16 16:25:07 +00:00
07c3097258
Allow archs to override BF_PTR
2005-12-13 09:50:52 +00:00
3804e42335
Back out bn/bn.h rev. 1.9:
...
> use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
> breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
Instead define SIXTY_FOUR_BIT_LONG where apropriate.
Regression tests still pass on sparc64 and i386. Furthermore this allows
us to finaly close PR 28935 (thanks to christos for removing the local
hacks on last import).
2005-12-12 19:50:26 +00:00
a5b1c92448
Add NAT ports to SAD in setkey so that NAT SAD entries generated by
...
racoon can be removed by hand.
2005-12-04 20:46:40 +00:00
cb9321f06d
use intptr_t not U_LONG to cast from a pointer to an int.
2005-11-28 19:08:30 +00:00
bfae00e6c7
use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
...
breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
2005-11-28 19:07:42 +00:00
ea39e380db
Adjust to the new openssl
2005-11-26 02:32:58 +00:00
b1d8541f7b
Add casts.
2005-11-25 22:28:31 +00:00
859fae516a
change back to match the openssl original prototype.
2005-11-25 22:22:44 +00:00
c4bfa0c238
XXX: This file does not really belong here.
...
Add ENGINESDIR define
2005-11-25 20:35:41 +00:00
50a9cbc98b
Resolve conflicts:
...
1. Instead of trying to cleanup the ugly ifdefs, we leave them alone so that
there are going to be fewer conflicts in the future.
2. Where we make changes to override things #ifdef __NetBSD__ around them
so that it is clear what we are changing. This is still missing in some
places, notably in opensslconf.h because it would make things messier.
2005-11-25 19:14:11 +00:00
8dc8acfeef
from http://www.openssl.org/source
2005-11-25 03:02:45 +00:00
11cf64bdd7
New sentence, new line. Remove trailing whitespace.
...
Mark up paths with .Pa.
2005-11-24 20:23:02 +00:00
7fc03cd9fa
Merge ipsec-tools 0.6.3 import
2005-11-21 14:20:29 +00:00
6e7df3c68b
From Yves-Alexis Perez: use sysdep_sa_len to make it compile on Linux
2005-11-21 14:20:28 +00:00
c263eb3142
Merge ipsec-tools 0.6.3 import
2005-11-21 14:20:28 +00:00
fdc9ad890d
Import IPsec-tools 0.6.3. This fixes several bugs, including bugs that
...
caused DoS.
2005-11-21 14:11:59 +00:00
982fc9c517
Merge ipsec-tools 0.6.2 import.
2005-10-14 14:01:34 +00:00
a37873eef0
Import ipsec-tools-0.6.2. Here is the ChangeLog since 0.6.1 (most of them
...
have already been pulled up in NetBSD CVS)
---------------------------------------------
0.6.2 released
2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
USER_FQDNs (problem reported by Bernhard Suttner).
---------------------------------------------
0.6.2.beta3 released
2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
From Andreas Hasenack <ahasenack@terra.com.br>
* configure.ac: More build fixes for Linux
---------------------------------------------
0.6.2.beta2 released
2005-09-04 Emmanuel Dreyfus <manu@netbsd.org>
From Wilfried Weissmann
* src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
src/racoon/{sockmisc.c|sockmisc.h}: build fixes
---------------------------------------------
0.6.2.beta1 released
2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions
2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: handle xauth_login correctly
* src/racoon/isakmp.c: catch internal error
* src/raccon/isakmp_agg.c: fix racoon as Xauth client
* src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
* src/racoon/evt.c: Fix memory leak when event queue overflows
2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
initialize NAT-T VID to avoid freeing unallocated stuff.
2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
From Matthias Scheler <matthias.scheler@tadpole.com>
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
ISAKMP mode config without Xauth.
2005-09-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/policy.c: Do not parse all sptree in inssp() if we
don't use Policies priority.
2005-08-15 Emmanuel Dreyfus <manu@netbsd.org>
From: Thomas Klausner <wiz@netbsd.org>
src/setkey/setkey.8: Drop trailing spaces
2005-10-14 13:21:42 +00:00
decff3d730
Add a preprocessor symbol so we can distinguish fixed openssl
...
from the vanilla openssl. Thanks <jlam>.
2005-10-11 21:17:17 +00:00
ed304be38e
fix openssl 2.0 rollback, CAN-2005-2969
...
approved by: agc
2005-10-11 18:07:40 +00:00
e3886d37ea
Add "openssl_" to man page references if they are available.
...
Fixes part of PR security/13953. Fixing the rest of the PR requires
adding more man pages.
2005-10-05 23:47:30 +00:00
c557aaf18f
Fix bug when using hybrid auth in client mode
...
make xauth_login work again
add safety checks
2005-09-26 16:24:57 +00:00
e83e36d896
fix spelling from Liam Foy.
2005-09-24 22:45:51 +00:00
b9301b48d0
fix typos.
2005-09-24 17:34:17 +00:00
2192079ea8
use get*_r()
2005-09-24 14:40:59 +00:00
54a773e9d7
Can we please stop using caddr_t?
2005-09-24 14:40:39 +00:00
e904ea2e97
Drop trailing whitespace.
2005-09-23 19:58:28 +00:00
7e2e2c16ff
Correctly initialize NAT-T VID to avoid freeing unallocated space
2005-09-23 14:22:27 +00:00
3cc3e3c7a3
Correct documentation about Mode Config. It now works without XAuth, too.
...
Patch supplied by Emmanuel Dreyfus on the "ipsec-tools" mailing list.
2005-09-21 15:06:22 +00:00
dc5127a31e
Make "Mode Config" work if XAuth is not used.
2005-09-21 12:46:08 +00:00
a6040f634b
PR/13738: Johan Danielsson: ssh doesn't look at $HOME
2005-09-18 18:39:05 +00:00
5391e24af6
Make -D behave like -L (obey GatewayPorts). Before it defaulted to listen
...
to wildcard which is not secure.
2005-09-18 18:27:28 +00:00
218a95c0f2
Document that -D takes bind_address.
2005-09-18 16:22:35 +00:00
e6f32f6f02
Drop trailing whitespace.
2005-09-15 08:42:09 +00:00
5db1262f0e
PR/31261: Mark Davies: ssh invokes xauth with bogus argument
2005-09-09 12:24:37 +00:00
453555bc8b
PR/31243: Mark Davies: sshd uses pipes rather than socketpairs, making bash
...
not execute .bashrc. Since socketpairs work on all NetBSD systems, make it
the default.
2005-09-09 12:20:12 +00:00
8f1a245ebd
Use default_md = sha1 in ``req'' section too, so we don't fallback to MD5.
...
Noted by smb@.
2005-09-01 21:35:25 +00:00
98e0d8f19f
SHA1 is a better default than MD5.
...
Discussed with Steven M. Bellovin.
Closes PR/30395.
2005-08-27 12:32:15 +00:00
0b97cbeb71
Update to ipsec-tools 0.6.1
2005-08-20 00:57:06 +00:00
96ae7759c9
Import ipsec-tools 0.6.1
2005-08-20 00:40:43 +00:00
c8f5575b45
End sentence with a dot.
2005-08-14 09:25:08 +00:00
c91d1d213a
Drop trailing whitespace.
2005-08-07 11:19:35 +00:00
111c13fe24
Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
...
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.
2005-08-07 09:38:45 +00:00
df08b9e74a
Update ipsec-tools to 0.6.1rc1
...
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.
2005-08-07 08:46:11 +00:00
1a191ad79e
PR/29862: Denis Lagno: sshd segfaults with long keys
...
The problem was that the rsa fips validation code did not allocate long
enough buffers, so it was trashing the stack.
2005-07-30 00:38:40 +00:00
182dc837b5
Move a variable declaration to the variable declaration section of
...
the enclosing block from within the middle of active code, so that
this compiles with older gcc. Fixes build problem for vax.
2005-07-14 11:26:57 +00:00
b0602a2f44
Add safety checks for informational messages
2005-07-12 21:33:01 +00:00
50c09443b0
Backout botched patch, approved by Emmanuel Dreyfus.
2005-07-12 19:17:37 +00:00
132d72e25b
Add SHA2 support
2005-07-12 16:49:52 +00:00
7736ad81cf
Add comments on how to use the hook scripts without NAT-T
2005-07-12 16:33:27 +00:00
ecb971f5f8
Don't wipe out IKE ports for SA update as it breaks things: the SA is taken
...
from an existing SA and already has matching IKE ports.
2005-07-12 16:24:29 +00:00
91b9c188b3
Add support for alrogithms with non OpenSSL default key sizes
2005-07-12 14:51:07 +00:00
e0dd78cfbd
Don't use adminport when it is disabled
2005-07-12 14:15:39 +00:00
4c94bccce3
Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems
...
when NAT-T is disabled
2005-07-12 14:14:46 +00:00
929f80643d
Safety checks on informational messages
2005-07-12 14:13:10 +00:00
8bc1e3c0ac
pkcs7 support
2005-07-12 14:12:20 +00:00
d3544c4e45
Document that "aes" can be used for IKE and ESP encryption.
2005-07-07 12:34:17 +00:00
eb8e3b9ad4
Add proper casts. Fix a problem where (uint32_t < ~0). Cast both ~0's to
...
u_int, since this is what the author intended.
2005-06-28 16:12:41 +00:00
ca496ece2e
- Add lint comments
...
- Fix bad casts.
- Comment out unused variables.
2005-06-28 16:04:54 +00:00
a1625e9ee8
Fix an error I introduced in the previous commit. The length could be 0.
...
Also parenthesize an expression properly.
2005-06-28 16:03:09 +00:00
444efb36db
deal with casting/caddr_t stupidity. It is not 1980 anymore and people should
...
start using void *, instead of caddr_t.
2005-06-27 03:19:45 +00:00
983e538712
Collect externs into one file instead of duplicating them everywhere.
2005-06-26 23:49:31 +00:00
dd8cdde018
Fix compiler warnings.
2005-06-26 23:34:26 +00:00
fba8d9ce60
Fix some of the pointer abuse, and add some const. Not done yet.
2005-06-26 21:14:08 +00:00
dd3259cec0
NAT-T fix: We treat null ports in SPD as wildcard so that IKE ports
...
are used instead. This was done on phase 2 initiation from the kernel
(acquire message), but not on phase 2 initiation retries when the
phase 2 had been queued for a phase 1.
2005-06-22 21:28:18 +00:00
13ca728372
Consume NAT-T packets that have already been seen through MSG_PEEK
2005-06-15 07:29:20 +00:00
7bbdd188e1
appease gcc -Wuninitialized on hp700.
2005-06-05 19:08:28 +00:00
6ec5a5a9b7
Fix Xauth login with PAM authentication
2005-06-04 22:09:27 +00:00
2c39301c40
Endianness bug fix
2005-06-04 21:55:05 +00:00
311dff8be0
Missing 0th element in rm_idtype2doi array
2005-06-03 22:27:06 +00:00
d687f4502c
appease gcc -Wuninitialized
2005-06-02 04:59:17 +00:00
936a4cd73f
Don't attempt to close a random file descriptor upon error.
...
Detected with gcc -Wuninitialized.
2005-06-02 04:57:33 +00:00
08ef6270ca
appease gcc -Wuninitialized
2005-06-02 04:56:14 +00:00
89f4d29f7d
Appease gcc -Wuninitialized, in a similar method used elsewhere in the
...
same function.
2005-06-02 04:43:45 +00:00
6e3cdc676d
appease gcc -Wuninitialized
2005-06-01 12:07:00 +00:00
vanhu