Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
172,392 Commits 606 Branches 0 Tags 3.1 GiB
95effdc79e
Commit Graph

1247 Commits

Author SHA1 Message Date
christos
17fe25abca eliminate caddr_t 2007-03-04 08:21:34 +00:00
mgrooms
adf474a143 Add logic to allow ip address ids to be matched to ip subnet ids when 
appropriate.
 2007-02-28 05:36:45 +00:00
vanhu
f1c1e37275 block variable declaration before code in ipsecdoi_id2str() 2007-02-21 11:01:06 +00:00
vanhu
740b198715 Removed a debug printf.... 2007-02-20 16:32:28 +00:00
vanhu
bd81981229 Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting 2007-02-20 09:11:30 +00:00
vanhu
1cb0c229b8 updated delete_spd() calls 2007-02-20 09:11:14 +00:00
vanhu
19df9f5fcc fills creation date of generated SPDs 2007-02-20 09:11:03 +00:00
vanhu
57d8173408 added 'created' var 2007-02-20 09:10:47 +00:00
vanhu
3c99a9f776 Removed a debug printf.... 2007-02-19 13:08:47 +00:00
vanhu
496e74bcde From Olivier Warin: Fix a %zu in a printf. 2007-02-16 11:01:35 +00:00
vanhu
834d2e72c5 Fixed a %zu in a printf 2007-02-16 11:01:34 +00:00
manu
eac241862b Missing SELinux file 2007-02-15 16:31:38 +00:00
manu
1b2a464d38 Missing stuff for SELinux 2007-02-15 16:23:40 +00:00
vanhu
6c4dc9e4c6 From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote(). 2007-02-15 13:01:26 +00:00
vanhu
5f4b4e0b21 Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote() 2007-02-15 13:01:25 +00:00
vanhu
6ced6eb0cd Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory 2007-02-15 10:19:24 +00:00
rpaulo
b552802596 It's no longer basesrc. 2007-02-05 18:12:43 +00:00
vanhu
5374d6ac89 Fixed a check of NAT-T support in libipsec 2007-02-02 13:42:28 +00:00
vanhu
1634f1d295 From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange. 2007-02-01 08:48:32 +00:00
vanhu
e25ad0ee61 When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational 2007-02-01 08:48:31 +00:00
wiz
15b0193490 Refer to RFC 4716 in two more places (instead of "IETF SECSH"). 
From jmc@openbsd.
 2007-01-23 22:21:54 +00:00
alc
a740eb5ac0 CID-4268: `c' is EOF here, remove deadcode 2006-12-26 00:06:03 +00:00
alc
bdf6fc4f47 CID-4167: check for 'iph1->approval != NULL' 2006-12-26 00:04:00 +00:00
wiz
a0a9492dc8 Talk of RFC 4716 SSH public key format instead of SECSH public key format. 
From markus@openbsd via jmc@openbsd (rev 1.73).
 2006-12-24 10:06:03 +00:00
wiz
7ce75c98d8 Mention RFC 4716. From markus@openbsd via jmc@openbsd (rev. 1.266). 2006-12-24 10:04:08 +00:00
wiz
9e2cc05c4b Use even more macros. 2006-12-23 09:29:53 +00:00
wiz
710cf70831 Use more macros. 2006-12-23 09:29:01 +00:00
wiz
fc51d9d324 Serial comma, and bump date for previous. 2006-12-23 09:22:52 +00:00
vanhu
1a38b96eff From Joy Latten: fix a memory leak 2006-12-18 10:15:30 +00:00
vanhu
591299b29f fixed a memory leak in crypto_openssl 2006-12-18 10:15:29 +00:00
manu
fcdf5459d0 branch 0.7 created 2006-12-10 22:36:06 +00:00
manu
7c683c0b23 Bring back API and ABI backward compatibility with previous libipsec before 
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
 2006-12-10 18:46:39 +00:00
manu
78f5cfece3 From Joy Latten: README.plainrsa documenting plain RSA auth 2006-12-10 05:51:14 +00:00
manu
99a403e274 From Joy Latten: Add support for SELinux security contexts. Also cleanup the 
libipsec interface for adding and updating security associations.
 2006-12-09 05:52:57 +00:00
manu
10cadc281e From Simon Chang: More hints about plain RSA authentication 2006-12-09 05:44:34 +00:00
vanhu
3db7f7800e Check keys length regarding proposal_check level 2006-12-05 13:38:40 +00:00
mgrooms
8ceadc3208 Correct issues associated with anonymous sainfo selection in racoon. 2006-11-16 00:30:55 +00:00
dogcow
ea8336c632 As uwe points out, it looks like the L on the version constant was 
accidentally removed. Add it back, especially as the documentation still
claims that the constant is a long.
 2006-11-14 22:30:33 +00:00
adrianp
1be366570b From http://www.openssh.org/txt/release-4.5: (CVE-2006-5794) 
* Fix a bug in the sshd privilege separation monitor that weakened its
  verification of successful authentication. This bug is not known to
  be exploitable in the absence of additional vulnerabilities.

Bump __NETBSDSSH_VERSION
 2006-11-14 21:52:09 +00:00
christos
600680c6c3 merge conflicts. 2006-11-13 21:55:36 +00:00
christos
4a5ea8ca2f import 0.9.8d 2006-11-13 21:16:04 +00:00
christos
9f3fa7dc87 eliminate the only variable stack array allocation. 2006-11-09 20:22:18 +00:00
christos
94eb6e9da8 fix typo 2006-11-09 19:51:06 +00:00
christos
f06f014bee use malloc when ssp 2006-11-09 19:50:03 +00:00
cbiere
577883a31d Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is 
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
 2006-10-31 00:17:21 +00:00
agc
05ad853be0 one more to catch up with the new location for sha2.h 2006-10-28 23:07:23 +00:00
vanhu
b0d7d1da89 From Michal Ruzicka: fix typos 2006-10-22 15:10:31 +00:00
vanhu
df130f3c13 fixed typos 2006-10-22 15:10:30 +00:00
vanhu
5328e8c78b Added ipsecdoi_chkcmpids() function 2006-10-19 09:36:22 +00:00
vanhu
3835b0b6a5 From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo(). 2006-10-19 09:35:51 +00:00
vanhu
b0f2fc5ddb From Matthew Grooms: Added ipsecdoi_chkcmpids() function. 2006-10-19 09:35:44 +00:00
adrianp
9480ff5303 Change the default sshd configuration file so that only protocol version 2 
is enabled by default.  Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.

Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
 2006-10-15 14:01:53 +00:00
manu
966e3f130f Fix memory leak (Coverity 3438 and 3437) 2006-10-09 06:32:59 +00:00
manu
331d3b1287 List modified files for last commit 2006-10-09 06:21:11 +00:00
manu
6eca4f09f3 Correctly check read() return value: it's signed (Coverity 1251) 2006-10-09 06:17:20 +00:00
kardel
f34e7857d3 keep len correct when substituting variables - fixes PR/24458 2006-10-08 22:21:14 +00:00
manu
56f4977415 Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki 
<okazaki@kick.gr.jp>
 2006-10-06 12:02:26 +00:00
christos
ee4546d741 unbreak gcc-3 builds. 2006-10-04 14:31:55 +00:00
christos
a9fc92da63 PR/34681: Scott Ellis: Explicitly include <sys/socket.h> 2006-10-04 14:30:35 +00:00
christos
1eafb02344 put back ignorerootrhosts 2006-10-04 14:26:31 +00:00
manu
20d3dfdcfa fix endianness issue introduced yesterday 2006-10-03 20:43:10 +00:00
vanhu
2b72a4f236 remoteid/ph1id support 2006-10-03 08:04:31 +00:00
vanhu
b45c893ef4 Added remoteid/ph1id syntax 2006-10-03 08:03:59 +00:00
vanhu
7d2c6acefd Parses remoteid/ph1id values 2006-10-03 08:03:33 +00:00
vanhu
dd3c365568 Uses remoteid/ph1id values 2006-10-03 08:02:51 +00:00
vanhu
80d5a8a518 Added remoteid/ph1id values 2006-10-03 08:01:56 +00:00
manu
9547d0f260 avoid reusing free'd pointer (Coverity 2613) 2006-10-02 21:51:33 +00:00
manu
1966cc3311 Check for NULL pointer (COverity 4175) 2006-10-02 21:47:32 +00:00
manu
e1ade705e1 Remove dead code (Coverity 3451) 2006-10-02 21:41:59 +00:00
manu
520ec462f7 Fix array overrun (Coverity 4172) 2006-10-02 21:33:14 +00:00
manu
e5d24ec446 Fix memory leak (Coverity 2002) 2006-10-02 21:27:08 +00:00
manu
cdb1e64a8c Fix memory leak (Coverity 2001), refactor the code to use port get/set 
functions
 2006-10-02 21:19:43 +00:00
manu
cd350eaf6d Avoid reusing free'd pointer (Coverity 4200) 2006-10-02 20:52:17 +00:00
manu
d564be9350 Don't use NULL pointer (Coverity 3443), reformat to 80 char/line 2006-10-02 18:54:46 +00:00
dogcow
f54a9b4797 If you're going to initialize a pointer, you have to init it with a pointer 
type, not an int.
 2006-10-02 12:44:40 +00:00
manu
68e9583818 Don't use NULL pointer (coverity 3439) 2006-10-02 12:04:53 +00:00
manu
5227e9475b Don't use NULL pointer (Coverity 1334) 2006-10-02 11:59:40 +00:00
manu
41042afaf6 Don't use NULL pointer (Coverity 944) 2006-10-02 07:17:57 +00:00
manu
01d5ad642c Don't use NULL pointer (Coverity 941) 2006-10-02 07:15:09 +00:00
manu
9a55720f5c Don't use NULL pointer (Coverity 942) 2006-10-02 07:12:26 +00:00
manu
bfd607cda0 Don't use null pointer (Coverity 863) 2006-10-02 07:08:25 +00:00
manu
626d146a75 FIx memory leak (Coverity 4181) 2006-10-01 22:04:03 +00:00
manu
7be862b0db Check that iph1->remote is not NULL before using it (Coverity 3436) 2006-10-01 19:23:57 +00:00
manu
c7242e7e9f emove dead code (Coverity 4165) 2006-09-30 21:49:37 +00:00
manu
07b750b745 Fix memory leak (Coverity 4179) 2006-09-30 21:38:39 +00:00
manu
df69765a89 update the scripts for wrorking around routing problems on NetBSD 2006-09-30 21:22:21 +00:00
manu
172675f3db Reuse existing code for closing IKE sockets, and avoid screwing things by 
setting p->sock = -1, which is not expected (Coverity 4173).
 2006-09-30 16:14:18 +00:00
manu
d5f44674f8 Do not free id and key, as they are used later 2006-09-30 15:51:42 +00:00
cube
55269b80c3 Grab a couple of lines from OpenSSH-portable that allow PAM authentication 
to succeed.  I guess the default configuration of NetBSD wasn't tested
before the import...
 2006-09-29 22:47:21 +00:00
manu
efb59e1b32 Fix the fix: handle_recv closes the socket, so we must call com_init before 
sending any data.
 2006-09-29 21:39:35 +00:00
christos
8da6ea8890 Check for cert being NULL too. 2006-09-29 17:07:32 +00:00
christos
897b34d36d http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows
    remote attackers to cause a denial of service (inifnite loop
    and memory consumption) via malformed ASN.1 structures that
    trigger an improperly handled error condition.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
    OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
    versions allows attackers to cause a denial of service (CPU
    consumption) via certain public keys that require extra time
    to process.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
    Buffer overflow in the SSL_get_shared_ciphers function in
    OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
    versions has unspecified impact and remote attack vectors
    involving a long list of ciphers.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
    Unspecified vulnerability in the SSLv2 client code in OpenSSL
    0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions
    allows remote servers to cause a denial of service (client
    crash) via unknown vectors.
 2006-09-29 15:41:08 +00:00
he
f1afbc1ee7 Use PRIu64 instead of llu when printing an u_int64_t. 
Fixes a build problem for our LP64 ports, where u_int64_t is
typically an unsigned long.
 2006-09-29 14:36:34 +00:00
he
a4970f4ee7 The "success" field in Authctxt needs to be a sig_atomic_t, not an int, 
so that we don't get a type conflict on dispatch_run() invocation.  Found
while building for alpha and amd64.
 2006-09-29 14:34:25 +00:00
christos
229f040cb9 We need this again. 2006-09-28 21:23:13 +00:00
christos
c5a8b87f73 Resolve conflicts 2006-09-28 21:22:14 +00:00
christos
49b7694919 from www.openssh.org 2006-09-28 21:14:57 +00:00
manu
ca09533497 Fix unchecked mallocs (Coverity 4176, 4174) 2006-09-28 20:30:13 +00:00
manu
87b827ea10 Fix access after free (Coverity 4178) 2006-09-28 20:09:35 +00:00
manu
eb5be25aad Fix memory leak (Coverity) 2006-09-26 21:42:55 +00:00
manu
8b9e0af1db Fix memory leak (Coverity) 2006-09-26 21:25:52 +00:00
manu
1d587602b5 Remove dead code (Coverity) 2006-09-26 21:10:55 +00:00
manu
75ada6df8d Fix memory leak (Coverity) 2006-09-26 21:06:54 +00:00
manu
ab1354320a One more memory leak 2006-09-26 20:58:03 +00:00
manu
ea585e8293 Fix memory leak in racoonctl (coverity) 2006-09-26 20:51:43 +00:00
manu
f693deda72 Fix buffer overflow 
Also fix credits: SA bundle fix was contributed by Jeff Bailey, not
Matthew Grooms. Matthew updated the patch for current code, though.
 2006-09-26 04:44:41 +00:00
manu
e63f95d0e9 fix SA bundle (e.g.: for negotiating ESP+IPcomp) 2006-09-26 04:41:26 +00:00
vanhu
e2a943b3df From Yves-Alexis Perez: struct ip -> struct iphdr for Linux 2006-09-25 17:42:08 +00:00
vanhu
0fa07a8062 struct ip -> struct iphdr for Linux 2006-09-25 17:42:07 +00:00
manu
1127a06ee3 style (mostly for testing ipsec-tools-commits@netbsd.org) 2006-09-25 05:08:52 +00:00
manu
22ddfb23b1 Fix double free, from Matthew Grooms 2006-09-25 04:49:39 +00:00
vanhu
542839bac0 credit 2006-09-21 09:43:47 +00:00
vanhu
3c6750b831 use sysdep_sa_len to make it compile on Linux 2006-09-21 09:42:08 +00:00
wiz
a7c4d7d4ac Bump date for ike_frag force. 2006-09-19 18:55:11 +00:00
wiz
a5dc6b2e53 New sentence, new line. 2006-09-19 18:54:39 +00:00
wiz
5f831f347b Remove trailing whitespace. 2006-09-19 18:53:12 +00:00
vanhu
efd02bc82c From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy() 2006-09-19 16:02:10 +00:00
vanhu
60cd4fed98 fixed default value for encmodesv in set_proposal_from_policy() 2006-09-19 16:02:09 +00:00
vanhu
51065440a5 various commits 2006-09-19 07:51:44 +00:00
vanhu
7ea7300ed8 always include some headers, as they are required even without NAT-T 2006-09-19 07:51:37 +00:00
vanhu
a2afb48bcf From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed 2006-09-19 07:51:31 +00:00
vanhu
478aed1af7 From Larry Baird: some printf() -> plog() 2006-09-19 07:51:27 +00:00
manu
c18d9daa6a From Matthew Grooms: 
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)
 2006-09-18 20:32:40 +00:00
vanhu
504b73aa2f removed generated files from the CVS 2006-09-18 09:11:06 +00:00
vanhu
3992c65302 removed generated files from the CVS 2006-09-18 08:43:00 +00:00
vanhu
90cc2f12b1 removed generated files from the CVS 2006-09-18 08:13:46 +00:00
manu
f291901204 From Matthew Grooms: 
handle IKE frag used in the first packet. That should not normally happen,
as the initiator does not know yet if the responder can handle IKE frag.
However, in some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.

racoon should have a setting in the remote section to do taht (something
like ike_frag force)
 2006-09-18 08:05:47 +00:00
manu
5a85c00571 Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms 2006-09-16 04:31:38 +00:00
manu
2b7658dc54 Fix build on Linux 2006-09-15 09:40:44 +00:00
manu
c8214a0a83 Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts. 
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
 2006-09-09 16:22:08 +00:00
manu
e3de131b63 Migrate ipsec-tools CVS to cvs.netbsd.org 2006-09-09 16:11:26 +00:00
adrianp
8d13789c5a Apply the third version of the patch from OpenSSL to address this issue. 
- Rollback the updates for rsa.h, rsa_eay.c and rsa_err.c as they were
  not necessary to address this vulnerability.
- Small update to the patch for rsa_sign.c for backward compatability so
  the same patch can be applied to 0.9.[6-9]
 2006-09-06 22:47:11 +00:00
christos
90f5d4a3e0 Apply patch-CVE-2006-4339.txt 
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
 2006-09-05 12:24:08 +00:00
wiz
85f4c6eabf Pull over OpenBSD v1.97, forwarded by jmc@openbsd: 
avoid confusing wording in HashKnownHosts:

originally spotted by alan amesbury;
ok deraadt
 2006-08-10 00:34:32 +00:00
dogcow
444e690921 Remove various dotfiles that wandered their way in. 2006-06-18 08:59:39 +00:00
ginsbach
a697e6653a Adapt to new return value from socket(2) for an unsupported 
protocol/address family.
 2006-06-14 15:36:00 +00:00
christos
ed56312e8a resolve conflicts. 2006-06-03 01:50:19 +00:00
christos
387e0d89ab ftp www.openssl.org 2006-06-03 01:43:51 +00:00
christos
b8b11c345a ftp www.openssl.org 2006-06-03 01:39:48 +00:00
oster
4f500646a9 Add a missing ')' to fix the example code. Already fixed in openssl upstream. 2006-05-24 16:44:34 +00:00
christos
d46617757a XXX: GCC uninitialized variable 2006-05-14 02:40:03 +00:00
christos
b943fcf792 XXX: GCC uninitialized variables 2006-05-14 02:17:32 +00:00
mrg
f8418c0954 use socklen_t where appropriate. 2006-05-11 11:54:14 +00:00
mrg
54e9f4ccbc wait_until_can_do_something() wants u_int * for it's 4th argument. 2006-05-11 09:27:06 +00:00
mrg
965a873335 avoid lvalue casts. 2006-05-11 00:05:45 +00:00
mrg
4d2c417597 quell GCC 4.1 uninitialised variable warnings. 
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
 2006-05-11 00:04:07 +00:00
mrg
084c052803 quell GCC 4.1 uninitialised variable warnings. 
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
 2006-05-10 21:53:14 +00:00
mrg
0c37c63edc change (mostly) int to socklen_t. GCC 4 doesn't like that int and 
socklen_t are different signness.
 2006-05-09 20:18:05 +00:00
tsutsui
4cd8515cfc Add a NetBSD RCS ID. 2006-04-15 13:43:11 +00:00
wiz
83620ded04 Remove references to KerberosIV. 2006-03-23 19:58:03 +00:00
elad
504a2dd02c Pull in from djm@OpenBSD: 
remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.

Thanks to deraadt@OpenBSD for looking into this one.
 2006-03-22 23:04:39 +00:00
christos
e13746b11b Fix krb4 compilation (although krb4 is removed, this leaves the code compiling) 2006-03-21 00:01:29 +00:00
elad
dc4926056e plug leak, coverity cid 2014. 2006-03-20 16:42:34 +00:00
elad
204152ace9 plug leak, coverity cid 2027. 2006-03-20 16:41:46 +00:00
elad
04b503af06 plug leaks, coverity cids 2030, 2031. 2006-03-20 16:40:25 +00:00
elad
3a008ccc30 plug leak, coverity cid 2019. 2006-03-20 16:39:05 +00:00
elad
9266948705 plug leaks, coverity cids 2012, 2013. 2006-03-20 16:36:31 +00:00
elad
14c3ee98a9 fix null deref, coverity cid 953. 2006-03-20 16:31:45 +00:00
christos
85e611dd01 Goodbye KerberosIV 2006-03-20 04:03:10 +00:00
christos
1db63daa9d fix compilation after des.h change. The countdown to krb4 has started. 2006-03-20 02:18:59 +00:00
christos
e4547e1148 Coverity CID 1904: Don't leak memory on error. 2006-03-19 22:49:59 +00:00
christos
a09bebd7da Don't forget to free reply on failure. 2006-03-19 22:45:03 +00:00
christos
5ebcdaa51a Add casts to compile again. 2006-03-19 21:45:33 +00:00
christos
4ea32734dc Make this compile again, before I nuke it from orbit. 2006-03-19 21:01:17 +00:00
elad
2ff3564ba8 fix memory leak, coverity cid 2032. 2006-03-19 16:48:36 +00:00
elad
0a2d3f7a19 fix memory leaks, coverity cid 2016. 2006-03-19 16:47:09 +00:00
elad
f6bc7e7627 fix memory leaks, coverity cids 2028, 2029. 2006-03-19 16:40:32 +00:00
elad
2741a951b4 fix fd leak, coverity cid 2015. 2006-03-19 16:33:26 +00:00
elad
be71d6bbfd fix null deref, coverity cid 1341. 2006-03-19 16:29:43 +00:00
elad
8a41610291 fix null deref, coverity cid 1339. 2006-03-19 16:23:19 +00:00
elad
28788b89c7 fix null deref, coverity cid 1340. 2006-03-19 16:20:47 +00:00
christos
d5b9c02e8c add a semi colon. 2006-03-19 08:00:19 +00:00
christos
4fcb2eb6de Coveriry CID 1998: Fix memory leak. 2006-03-18 22:17:48 +00:00
elad
6c6e841e30 Don't dereference NULL pointer, found by Coverity, CID 954. 2006-03-18 21:09:57 +00:00
dan
ccd53bd92b reform a loop to be prettier and appease coverity CID 2618 2006-03-18 10:41:24 +00:00
jnemeth
79787ff03b Fix Coverity run 5, issue 2021 -- memory leak. 
Approved by christos@.
 2006-03-18 10:22:46 +00:00
jnemeth
1f89beeb43 Fix Coverity run 5, issue 1966 -- memory leak 
Approved by christos@.
 2006-03-18 10:19:09 +00:00
is
2de2502171 Make sure the right error is reported later, if all socket() calls fail. 
If we close the invalid sock, we'll report EBADF later in that case.
 2006-03-01 15:39:00 +00:00
is
6aece482c0 On non-fatal errors (identified: EPROTONOTSUPPORT), don't output the 
error message unless debugging - the error for the last address tried
will be shown anyway, and earlier errors without context are only confusing
the user.
 2006-03-01 15:18:09 +00:00
christos
dd8ccf5b99 Add a namespace.h to rename the most conflict inducing names from libssh. 
Idea from thorpej.
 2006-02-13 16:49:33 +00:00
he
e245f48109 The sig_atomic_t type is not guaranteed to be printf-compatible 
with %d, so cast to int before printing it.
 2006-02-08 23:08:13 +00:00
christos
55c58b142d bring in new file needed from the portable openssh. 2006-02-04 22:32:54 +00:00
christos
fab0e5bf66 resolve conflicts 2006-02-04 22:32:13 +00:00
christos
c7a1af8c71 From ftp.openbsd.org. 2006-02-04 22:22:31 +00:00
elad
ef2fdd1d7f qsieve(6) -> qsieve(1) 2006-01-24 19:16:53 +00:00
wiz
7e91ac6596 Sort SEE ALSO. 2006-01-22 00:33:27 +00:00
elad
7db6fc6be2 xref qsieve(6). 2006-01-19 23:31:09 +00:00
manu
7f50c0a531 make software behave as the documentation advertise for INTERNAL_NETMASK4. 
Keep the old INTERNAL_MASK4 to avoid breaking backward compatibility.
 2006-01-07 23:51:50 +00:00
christos
aa419ec271 enable cryptodev. 2005-12-31 00:08:34 +00:00
christos
e1a76ccb7e netbsd has issetugid() 2005-12-31 00:07:26 +00:00
jmc
06b42f5e66 Redo previous rework to generate yacc/lex output again and remove generated 
copies from the import as they don't compile clean across all archs.
 2005-12-16 16:25:07 +00:00
martin
07c3097258 Allow archs to override BF_PTR 2005-12-13 09:50:52 +00:00
martin
3804e42335 Back out bn/bn.h rev. 1.9: 
> use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
> breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.

Instead define SIXTY_FOUR_BIT_LONG where apropriate.
Regression tests still pass on sparc64 and i386. Furthermore this allows
us to finaly close PR 28935 (thanks to christos for removing the local
hacks on last import).
 2005-12-12 19:50:26 +00:00
manu
a5b1c92448 Add NAT ports to SAD in setkey so that NAT SAD entries generated by 
racoon can be removed by hand.
 2005-12-04 20:46:40 +00:00
christos
cb9321f06d use intptr_t not U_LONG to cast from a pointer to an int. 2005-11-28 19:08:30 +00:00
christos
bfae00e6c7 use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn 
breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
 2005-11-28 19:07:42 +00:00
christos
ea39e380db Adjust to the new openssl 2005-11-26 02:32:58 +00:00
christos
b1d8541f7b Add casts. 2005-11-25 22:28:31 +00:00
christos
859fae516a change back to match the openssl original prototype. 2005-11-25 22:22:44 +00:00
christos
c4bfa0c238 XXX: This file does not really belong here. 
Add ENGINESDIR define
 2005-11-25 20:35:41 +00:00
christos
50a9cbc98b Resolve conflicts: 
1. Instead of trying to cleanup the ugly ifdefs, we leave them alone so that
   there are going to be fewer conflicts in the future.
2. Where we make changes to override things #ifdef __NetBSD__ around them
   so that it is clear what we are changing. This is still missing in some
   places, notably in opensslconf.h because it would make things messier.
 2005-11-25 19:14:11 +00:00
christos
8dc8acfeef from http://www.openssl.org/source 2005-11-25 03:02:45 +00:00
wiz
11cf64bdd7 New sentence, new line. Remove trailing whitespace. 
Mark up paths with .Pa.
 2005-11-24 20:23:02 +00:00
manu
7fc03cd9fa Merge ipsec-tools 0.6.3 import 2005-11-21 14:20:29 +00:00
manu
6e7df3c68b From Yves-Alexis Perez: use sysdep_sa_len to make it compile on Linux 2005-11-21 14:20:28 +00:00
manu
c263eb3142 Merge ipsec-tools 0.6.3 import 2005-11-21 14:20:28 +00:00
manu
fdc9ad890d Import IPsec-tools 0.6.3. This fixes several bugs, including bugs that 
caused DoS.
 2005-11-21 14:11:59 +00:00
manu
982fc9c517 Merge ipsec-tools 0.6.2 import. 2005-10-14 14:01:34 +00:00
manu
a37873eef0 Import ipsec-tools-0.6.2. Here is the ChangeLog since 0.6.1 (most of them 
have already been pulled up in NetBSD CVS)
---------------------------------------------

        0.6.2 released

2005-10-14  Yvan Vanhullebus  <vanhu@netasq.com>

        * src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
          USER_FQDNs (problem reported by Bernhard Suttner).

---------------------------------------------

        0.6.2.beta3 released

2005-09-05   Emmanuel Dreyfus  <manu@netbsd.org>

        From Andreas Hasenack <ahasenack@terra.com.br>
        * configure.ac: More build fixes for Linux

---------------------------------------------

        0.6.2.beta2 released

2005-09-04  Emmanuel Dreyfus  <manu@netbsd.org>

        From Wilfried Weissmann
        * src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
          src/racoon/{sockmisc.c|sockmisc.h}: build fixes

---------------------------------------------

        0.6.2.beta1 released

2005-09-03  Emmanuel Dreyfus  <manu@netbsd.org>

        From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
        * src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions

2005-08-26  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/cfparse.y: handle xauth_login correctly
        * src/racoon/isakmp.c: catch internal error
        * src/raccon/isakmp_agg.c: fix racoon as Xauth client
        * src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
        * src/racoon/evt.c: Fix memory leak when event queue overflows

2005-08-23  Emmanuel Dreyfus  <manu@netbsd.org>

        * src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
          initialize NAT-T VID to avoid freeing unallocated stuff.

2005-08-21  Emmanuel Dreyfus  <manu@netbsd.org>

        From Matthias Scheler <matthias.scheler@tadpole.com>
        * src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
          ISAKMP mode config without Xauth.

2005-09-16  Yvan Vanhullebus  <vanhu@free.fr>

        * src/racoon/policy.c: Do not parse all sptree in inssp() if we
          don't use Policies priority.

2005-08-15  Emmanuel Dreyfus  <manu@netbsd.org>

        From: Thomas Klausner <wiz@netbsd.org>
        src/setkey/setkey.8: Drop trailing spaces
 2005-10-14 13:21:42 +00:00
gendalia
decff3d730 Add a preprocessor symbol so we can distinguish fixed openssl 
from the vanilla openssl.  Thanks <jlam>.
 2005-10-11 21:17:17 +00:00
gendalia
ed304be38e fix openssl 2.0 rollback, CAN-2005-2969 
approved by: agc
 2005-10-11 18:07:40 +00:00
rpaulo
e3886d37ea Add "openssl_" to man page references if they are available. 
Fixes part of PR security/13953. Fixing the rest of the PR requires
adding more man pages.
 2005-10-05 23:47:30 +00:00
manu
c557aaf18f Fix bug when using hybrid auth in client mode 
make xauth_login work again
add safety checks
 2005-09-26 16:24:57 +00:00
christos
e83e36d896 fix spelling from Liam Foy. 2005-09-24 22:45:51 +00:00
christos
b9301b48d0 fix typos. 2005-09-24 17:34:17 +00:00
christos
2192079ea8 use get*_r() 2005-09-24 14:40:59 +00:00
christos
54a773e9d7 Can we please stop using caddr_t? 2005-09-24 14:40:39 +00:00
wiz
e904ea2e97 Drop trailing whitespace. 2005-09-23 19:58:28 +00:00
manu
7e2e2c16ff Correctly initialize NAT-T VID to avoid freeing unallocated space 2005-09-23 14:22:27 +00:00
tron
3cc3e3c7a3 Correct documentation about Mode Config. It now works without XAuth, too. 
Patch supplied by Emmanuel Dreyfus on the "ipsec-tools" mailing list.
 2005-09-21 15:06:22 +00:00
tron
dc5127a31e Make "Mode Config" work if XAuth is not used. 2005-09-21 12:46:08 +00:00
christos
a6040f634b PR/13738: Johan Danielsson: ssh doesn't look at $HOME 2005-09-18 18:39:05 +00:00
christos
5391e24af6 Make -D behave like -L (obey GatewayPorts). Before it defaulted to listen 
to wildcard which is not secure.
 2005-09-18 18:27:28 +00:00
christos
218a95c0f2 Document that -D takes bind_address. 2005-09-18 16:22:35 +00:00
wiz
e6f32f6f02 Drop trailing whitespace. 2005-09-15 08:42:09 +00:00
christos
5db1262f0e PR/31261: Mark Davies: ssh invokes xauth with bogus argument 2005-09-09 12:24:37 +00:00
christos
453555bc8b PR/31243: Mark Davies: sshd uses pipes rather than socketpairs, making bash 
not execute .bashrc. Since socketpairs work on all NetBSD systems, make it
the default.
 2005-09-09 12:20:12 +00:00
elad
8f1a245ebd Use default_md = sha1 in ``req'' section too, so we don't fallback to MD5. 
Noted by smb@.
 2005-09-01 21:35:25 +00:00
elad
98e0d8f19f SHA1 is a better default than MD5. 
Discussed with Steven M. Bellovin.
Closes PR/30395.
 2005-08-27 12:32:15 +00:00
manu
0b97cbeb71 Update to ipsec-tools 0.6.1 2005-08-20 00:57:06 +00:00
manu
96ae7759c9 Import ipsec-tools 0.6.1 2005-08-20 00:40:43 +00:00
wiz
c8f5575b45 End sentence with a dot. 2005-08-14 09:25:08 +00:00
wiz
c91d1d213a Drop trailing whitespace. 2005-08-07 11:19:35 +00:00
manu
111c13fe24 Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering 
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.
 2005-08-07 09:38:45 +00:00
manu
df08b9e74a Update ipsec-tools to 0.6.1rc1 
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.
 2005-08-07 08:46:11 +00:00
christos
1a191ad79e PR/29862: Denis Lagno: sshd segfaults with long keys 
The problem was that the rsa fips validation code did not allocate long
enough buffers, so it was trashing the stack.
 2005-07-30 00:38:40 +00:00
he
182dc837b5 Move a variable declaration to the variable declaration section of 
the enclosing block from within the middle of active code, so that
this compiles with older gcc.  Fixes build problem for vax.
 2005-07-14 11:26:57 +00:00
manu
b0602a2f44 Add safety checks for informational messages 2005-07-12 21:33:01 +00:00
tron
50c09443b0 Backout botched patch, approved by Emmanuel Dreyfus. 2005-07-12 19:17:37 +00:00
manu
132d72e25b Add SHA2 support 2005-07-12 16:49:52 +00:00
manu
7736ad81cf Add comments on how to use the hook scripts without NAT-T 2005-07-12 16:33:27 +00:00
manu
ecb971f5f8 Don't wipe out IKE ports for SA update as it breaks things: the SA is taken 
from an existing SA and already has matching IKE ports.
 2005-07-12 16:24:29 +00:00
manu
91b9c188b3 Add support for alrogithms with non OpenSSL default key sizes 2005-07-12 14:51:07 +00:00
manu
e0dd78cfbd Don't use adminport when it is disabled 2005-07-12 14:15:39 +00:00
manu
4c94bccce3 Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems 
when NAT-T is disabled
 2005-07-12 14:14:46 +00:00
manu
929f80643d Safety checks on informational messages 2005-07-12 14:13:10 +00:00
manu
8bc1e3c0ac pkcs7 support 2005-07-12 14:12:20 +00:00
tron
d3544c4e45 Document that "aes" can be used for IKE and ESP encryption. 2005-07-07 12:34:17 +00:00
christos
eb8e3b9ad4 Add proper casts. Fix a problem where (uint32_t < ~0). Cast both ~0's to 
u_int, since this is what the author intended.
 2005-06-28 16:12:41 +00:00
christos
ca496ece2e - Add lint comments 
- Fix bad casts.
- Comment out unused variables.
 2005-06-28 16:04:54 +00:00