f06f014bee
use malloc when ssp
2006-11-09 19:50:03 +00:00
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
...
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
05ad853be0
one more to catch up with the new location for sha2.h
2006-10-28 23:07:23 +00:00
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
9480ff5303
Change the default sshd configuration file so that only protocol version 2
...
is enabled by default. Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.
Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
2006-10-15 14:01:53 +00:00
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00
f34e7857d3
keep len correct when substituting variables - fixes PR/24458
2006-10-08 22:21:14 +00:00
56f4977415
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
...
<okazaki@kick.gr.jp>
2006-10-06 12:02:26 +00:00
ee4546d741
unbreak gcc-3 builds.
2006-10-04 14:31:55 +00:00
a9fc92da63
PR/34681: Scott Ellis: Explicitly include <sys/socket.h>
2006-10-04 14:30:35 +00:00
1eafb02344
put back ignorerootrhosts
2006-10-04 14:26:31 +00:00
20d3dfdcfa
fix endianness issue introduced yesterday
2006-10-03 20:43:10 +00:00
2b72a4f236
remoteid/ph1id support
2006-10-03 08:04:31 +00:00
b45c893ef4
Added remoteid/ph1id syntax
2006-10-03 08:03:59 +00:00
7d2c6acefd
Parses remoteid/ph1id values
2006-10-03 08:03:33 +00:00
dd3c365568
Uses remoteid/ph1id values
2006-10-03 08:02:51 +00:00
80d5a8a518
Added remoteid/ph1id values
2006-10-03 08:01:56 +00:00
9547d0f260
avoid reusing free'd pointer (Coverity 2613)
2006-10-02 21:51:33 +00:00
1966cc3311
Check for NULL pointer (COverity 4175)
2006-10-02 21:47:32 +00:00
e1ade705e1
Remove dead code (Coverity 3451)
2006-10-02 21:41:59 +00:00
520ec462f7
Fix array overrun (Coverity 4172)
2006-10-02 21:33:14 +00:00
e5d24ec446
Fix memory leak (Coverity 2002)
2006-10-02 21:27:08 +00:00
cdb1e64a8c
Fix memory leak (Coverity 2001), refactor the code to use port get/set
...
functions
2006-10-02 21:19:43 +00:00
cd350eaf6d
Avoid reusing free'd pointer (Coverity 4200)
2006-10-02 20:52:17 +00:00
d564be9350
Don't use NULL pointer (Coverity 3443), reformat to 80 char/line
2006-10-02 18:54:46 +00:00
f54a9b4797
If you're going to initialize a pointer, you have to init it with a pointer
...
type, not an int.
2006-10-02 12:44:40 +00:00
68e9583818
Don't use NULL pointer (coverity 3439)
2006-10-02 12:04:53 +00:00
5227e9475b
Don't use NULL pointer (Coverity 1334)
2006-10-02 11:59:40 +00:00
41042afaf6
Don't use NULL pointer (Coverity 944)
2006-10-02 07:17:57 +00:00
01d5ad642c
Don't use NULL pointer (Coverity 941)
2006-10-02 07:15:09 +00:00
9a55720f5c
Don't use NULL pointer (Coverity 942)
2006-10-02 07:12:26 +00:00
bfd607cda0
Don't use null pointer (Coverity 863)
2006-10-02 07:08:25 +00:00
626d146a75
FIx memory leak (Coverity 4181)
2006-10-01 22:04:03 +00:00
7be862b0db
Check that iph1->remote is not NULL before using it (Coverity 3436)
2006-10-01 19:23:57 +00:00
c7242e7e9f
emove dead code (Coverity 4165)
2006-09-30 21:49:37 +00:00
07b750b745
Fix memory leak (Coverity 4179)
2006-09-30 21:38:39 +00:00
df69765a89
update the scripts for wrorking around routing problems on NetBSD
2006-09-30 21:22:21 +00:00
172675f3db
Reuse existing code for closing IKE sockets, and avoid screwing things by
...
setting p->sock = -1, which is not expected (Coverity 4173).
2006-09-30 16:14:18 +00:00
d5f44674f8
Do not free id and key, as they are used later
2006-09-30 15:51:42 +00:00
55269b80c3
Grab a couple of lines from OpenSSH-portable that allow PAM authentication
...
to succeed. I guess the default configuration of NetBSD wasn't tested
before the import...
2006-09-29 22:47:21 +00:00
efb59e1b32
Fix the fix: handle_recv closes the socket, so we must call com_init before
...
sending any data.
2006-09-29 21:39:35 +00:00
8da6ea8890
Check for cert being NULL too.
2006-09-29 17:07:32 +00:00
897b34d36d
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
...
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows
remote attackers to cause a denial of service (inifnite loop
and memory consumption) via malformed ASN.1 structures that
trigger an improperly handled error condition.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions allows attackers to cause a denial of service (CPU
consumption) via certain public keys that require extra time
to process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
Buffer overflow in the SSL_get_shared_ciphers function in
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions has unspecified impact and remote attack vectors
involving a long list of ciphers.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Unspecified vulnerability in the SSLv2 client code in OpenSSL
0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions
allows remote servers to cause a denial of service (client
crash) via unknown vectors.
2006-09-29 15:41:08 +00:00
f1afbc1ee7
Use PRIu64 instead of llu when printing an u_int64_t.
...
Fixes a build problem for our LP64 ports, where u_int64_t is
typically an unsigned long.
2006-09-29 14:36:34 +00:00
a4970f4ee7
The "success" field in Authctxt needs to be a sig_atomic_t, not an int,
...
so that we don't get a type conflict on dispatch_run() invocation. Found
while building for alpha and amd64.
2006-09-29 14:34:25 +00:00
229f040cb9
We need this again.
2006-09-28 21:23:13 +00:00
c5a8b87f73
Resolve conflicts
2006-09-28 21:22:14 +00:00
49b7694919
from www.openssh.org
2006-09-28 21:14:57 +00:00
ca09533497
Fix unchecked mallocs (Coverity 4176, 4174)
2006-09-28 20:30:13 +00:00
87b827ea10
Fix access after free (Coverity 4178)
2006-09-28 20:09:35 +00:00
eb5be25aad
Fix memory leak (Coverity)
2006-09-26 21:42:55 +00:00
8b9e0af1db
Fix memory leak (Coverity)
2006-09-26 21:25:52 +00:00
1d587602b5
Remove dead code (Coverity)
2006-09-26 21:10:55 +00:00
75ada6df8d
Fix memory leak (Coverity)
2006-09-26 21:06:54 +00:00
ab1354320a
One more memory leak
2006-09-26 20:58:03 +00:00
ea585e8293
Fix memory leak in racoonctl (coverity)
2006-09-26 20:51:43 +00:00
f693deda72
Fix buffer overflow
...
Also fix credits: SA bundle fix was contributed by Jeff Bailey, not
Matthew Grooms. Matthew updated the patch for current code, though.
2006-09-26 04:44:41 +00:00
e63f95d0e9
fix SA bundle (e.g.: for negotiating ESP+IPcomp)
2006-09-26 04:41:26 +00:00
e2a943b3df
From Yves-Alexis Perez: struct ip -> struct iphdr for Linux
2006-09-25 17:42:08 +00:00
0fa07a8062
struct ip -> struct iphdr for Linux
2006-09-25 17:42:07 +00:00
1127a06ee3
style (mostly for testing ipsec-tools-commits@netbsd.org)
2006-09-25 05:08:52 +00:00
22ddfb23b1
Fix double free, from Matthew Grooms
2006-09-25 04:49:39 +00:00
542839bac0
credit
2006-09-21 09:43:47 +00:00
3c6750b831
use sysdep_sa_len to make it compile on Linux
2006-09-21 09:42:08 +00:00
a7c4d7d4ac
Bump date for ike_frag force.
2006-09-19 18:55:11 +00:00
a5dc6b2e53
New sentence, new line.
2006-09-19 18:54:39 +00:00
5f831f347b
Remove trailing whitespace.
2006-09-19 18:53:12 +00:00
efd02bc82c
From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:10 +00:00
60cd4fed98
fixed default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:09 +00:00
51065440a5
various commits
2006-09-19 07:51:44 +00:00
7ea7300ed8
always include some headers, as they are required even without NAT-T
2006-09-19 07:51:37 +00:00
a2afb48bcf
From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
2006-09-19 07:51:31 +00:00
478aed1af7
From Larry Baird: some printf() -> plog()
2006-09-19 07:51:27 +00:00
c18d9daa6a
From Matthew Grooms:
...
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)
2006-09-18 20:32:40 +00:00
504b73aa2f
removed generated files from the CVS
2006-09-18 09:11:06 +00:00
3992c65302
removed generated files from the CVS
2006-09-18 08:43:00 +00:00
90cc2f12b1
removed generated files from the CVS
2006-09-18 08:13:46 +00:00
f291901204
From Matthew Grooms:
...
handle IKE frag used in the first packet. That should not normally happen,
as the initiator does not know yet if the responder can handle IKE frag.
However, in some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do taht (something
like ike_frag force)
2006-09-18 08:05:47 +00:00
5a85c00571
Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms
2006-09-16 04:31:38 +00:00
2b7658dc54
Fix build on Linux
2006-09-15 09:40:44 +00:00
c8214a0a83
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
...
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
2006-09-09 16:22:08 +00:00
e3de131b63
Migrate ipsec-tools CVS to cvs.netbsd.org
2006-09-09 16:11:26 +00:00
8d13789c5a
Apply the third version of the patch from OpenSSL to address this issue.
...
- Rollback the updates for rsa.h, rsa_eay.c and rsa_err.c as they were
not necessary to address this vulnerability.
- Small update to the patch for rsa_sign.c for backward compatability so
the same patch can be applied to 0.9.[6-9]
2006-09-06 22:47:11 +00:00
90f5d4a3e0
Apply patch-CVE-2006-4339.txt
...
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.
Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
2006-09-05 12:24:08 +00:00
85f4c6eabf
Pull over OpenBSD v1.97, forwarded by jmc@openbsd:
...
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
ok deraadt
2006-08-10 00:34:32 +00:00
444e690921
Remove various dotfiles that wandered their way in.
2006-06-18 08:59:39 +00:00
a697e6653a
Adapt to new return value from socket(2) for an unsupported
...
protocol/address family.
2006-06-14 15:36:00 +00:00
ed56312e8a
resolve conflicts.
2006-06-03 01:50:19 +00:00
387e0d89ab
ftp www.openssl.org
2006-06-03 01:43:51 +00:00
b8b11c345a
ftp www.openssl.org
2006-06-03 01:39:48 +00:00
4f500646a9
Add a missing ')' to fix the example code. Already fixed in openssl upstream.
2006-05-24 16:44:34 +00:00
d46617757a
XXX: GCC uninitialized variable
2006-05-14 02:40:03 +00:00
b943fcf792
XXX: GCC uninitialized variables
2006-05-14 02:17:32 +00:00
f8418c0954
use socklen_t where appropriate.
2006-05-11 11:54:14 +00:00
54e9f4ccbc
wait_until_can_do_something() wants u_int * for it's 4th argument.
2006-05-11 09:27:06 +00:00
965a873335
avoid lvalue casts.
2006-05-11 00:05:45 +00:00
4d2c417597
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 00:04:07 +00:00
084c052803
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
0c37c63edc
change (mostly) int to socklen_t. GCC 4 doesn't like that int and
...
socklen_t are different signness.
2006-05-09 20:18:05 +00:00
4cd8515cfc
Add a NetBSD RCS ID.
2006-04-15 13:43:11 +00:00
83620ded04
Remove references to KerberosIV.
2006-03-23 19:58:03 +00:00
504a2dd02c
Pull in from djm@OpenBSD:
...
remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
Thanks to deraadt@OpenBSD for looking into this one.
2006-03-22 23:04:39 +00:00
e13746b11b
Fix krb4 compilation (although krb4 is removed, this leaves the code compiling)
2006-03-21 00:01:29 +00:00
dc4926056e
plug leak, coverity cid 2014.
2006-03-20 16:42:34 +00:00
204152ace9
plug leak, coverity cid 2027.
2006-03-20 16:41:46 +00:00
04b503af06
plug leaks, coverity cids 2030, 2031.
2006-03-20 16:40:25 +00:00
3a008ccc30
plug leak, coverity cid 2019.
2006-03-20 16:39:05 +00:00
9266948705
plug leaks, coverity cids 2012, 2013.
2006-03-20 16:36:31 +00:00
14c3ee98a9
fix null deref, coverity cid 953.
2006-03-20 16:31:45 +00:00
85e611dd01
Goodbye KerberosIV
2006-03-20 04:03:10 +00:00
1db63daa9d
fix compilation after des.h change. The countdown to krb4 has started.
2006-03-20 02:18:59 +00:00
e4547e1148
Coverity CID 1904: Don't leak memory on error.
2006-03-19 22:49:59 +00:00
a09bebd7da
Don't forget to free reply on failure.
2006-03-19 22:45:03 +00:00
5ebcdaa51a
Add casts to compile again.
2006-03-19 21:45:33 +00:00
4ea32734dc
Make this compile again, before I nuke it from orbit.
2006-03-19 21:01:17 +00:00
2ff3564ba8
fix memory leak, coverity cid 2032.
2006-03-19 16:48:36 +00:00
0a2d3f7a19
fix memory leaks, coverity cid 2016.
2006-03-19 16:47:09 +00:00
f6bc7e7627
fix memory leaks, coverity cids 2028, 2029.
2006-03-19 16:40:32 +00:00
2741a951b4
fix fd leak, coverity cid 2015.
2006-03-19 16:33:26 +00:00
be71d6bbfd
fix null deref, coverity cid 1341.
2006-03-19 16:29:43 +00:00
8a41610291
fix null deref, coverity cid 1339.
2006-03-19 16:23:19 +00:00
28788b89c7
fix null deref, coverity cid 1340.
2006-03-19 16:20:47 +00:00
d5b9c02e8c
add a semi colon.
2006-03-19 08:00:19 +00:00
4fcb2eb6de
Coveriry CID 1998: Fix memory leak.
2006-03-18 22:17:48 +00:00
6c6e841e30
Don't dereference NULL pointer, found by Coverity, CID 954.
2006-03-18 21:09:57 +00:00
ccd53bd92b
reform a loop to be prettier and appease coverity CID 2618
2006-03-18 10:41:24 +00:00
79787ff03b
Fix Coverity run 5, issue 2021 -- memory leak.
...
Approved by christos@.
2006-03-18 10:22:46 +00:00
1f89beeb43
Fix Coverity run 5, issue 1966 -- memory leak
...
Approved by christos@.
2006-03-18 10:19:09 +00:00
2de2502171
Make sure the right error is reported later, if all socket() calls fail.
...
If we close the invalid sock, we'll report EBADF later in that case.
2006-03-01 15:39:00 +00:00
6aece482c0
On non-fatal errors (identified: EPROTONOTSUPPORT), don't output the
...
error message unless debugging - the error for the last address tried
will be shown anyway, and earlier errors without context are only confusing
the user.
2006-03-01 15:18:09 +00:00
dd8ccf5b99
Add a namespace.h to rename the most conflict inducing names from libssh.
...
Idea from thorpej.
2006-02-13 16:49:33 +00:00
e245f48109
The sig_atomic_t type is not guaranteed to be printf-compatible
...
with %d, so cast to int before printing it.
2006-02-08 23:08:13 +00:00
55c58b142d
bring in new file needed from the portable openssh.
2006-02-04 22:32:54 +00:00
fab0e5bf66
resolve conflicts
2006-02-04 22:32:13 +00:00
c7a1af8c71
From ftp.openbsd.org.
2006-02-04 22:22:31 +00:00
ef2fdd1d7f
qsieve(6) -> qsieve(1)
2006-01-24 19:16:53 +00:00
7e91ac6596
Sort SEE ALSO.
2006-01-22 00:33:27 +00:00
7db6fc6be2
xref qsieve(6).
2006-01-19 23:31:09 +00:00
7f50c0a531
make software behave as the documentation advertise for INTERNAL_NETMASK4.
...
Keep the old INTERNAL_MASK4 to avoid breaking backward compatibility.
2006-01-07 23:51:50 +00:00
aa419ec271
enable cryptodev.
2005-12-31 00:08:34 +00:00
e1a76ccb7e
netbsd has issetugid()
2005-12-31 00:07:26 +00:00
06b42f5e66
Redo previous rework to generate yacc/lex output again and remove generated
...
copies from the import as they don't compile clean across all archs.
2005-12-16 16:25:07 +00:00
07c3097258
Allow archs to override BF_PTR
2005-12-13 09:50:52 +00:00
3804e42335
Back out bn/bn.h rev. 1.9:
...
> use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
> breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
Instead define SIXTY_FOUR_BIT_LONG where apropriate.
Regression tests still pass on sparc64 and i386. Furthermore this allows
us to finaly close PR 28935 (thanks to christos for removing the local
hacks on last import).
2005-12-12 19:50:26 +00:00
christos