tteras
ae0beb16dc
Check nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f
Change remote conf matching level to matching score. This way one can
override anonymous certificate block config with more exact "inherited"
IP specific block.
2009-09-01 09:49:59 +00:00
tteras
43e6802298
From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
script (trac #313).
2009-09-01 09:24:21 +00:00
vanhu
b7f72d1283
fixed typo: algoriym -> algorithm
2009-08-24 09:33:03 +00:00
vanhu
a3d9e80f96
fixed address check in rmconf_match_type(), just check address with wildcard port
2009-08-19 13:54:07 +00:00
tteras
95f3bd08bb
Have an enum for rmconf_match_type() return values to make the code a bit
more readable.
2009-08-19 12:20:02 +00:00
vanhu
e2ffc89458
typo: algoritym -> algorithm
2009-08-18 08:21:12 +00:00
dyoung
40ca2d34bc
Delete trailing whitespace.
2009-08-17 22:58:28 +00:00
vanhu
eb15fbb554
do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore
2009-08-17 13:52:14 +00:00
vanhu
82dd0659f2
include stddef.h so we have a chance to get the system offsetof if present
2009-08-17 12:00:53 +00:00
vanhu
c2c64af1e8
removed a self include
2009-08-17 11:59:10 +00:00
christos
13492ada53
This code is really broken. It allocates struct sockaddr on the stack
and expects to work with IPV6. Tell the hints that we only want IPV4
for now, so that we don't try to bind to an IPV6 address as returned
by getaddrinfo, and then we bash in V4 in the family!
jeez
2009-08-15 01:25:54 +00:00
christos
e70d1f0896
don't try to free a buffer that came from the arguments, make a copy instead.
This can happen if we specify --port
2009-08-15 01:03:03 +00:00
vanhu
0667dd70bd
fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs
2009-08-13 09:18:28 +00:00
tteras
ea830abf58
Don't print EAGAIN error from pfkey_handler(), it can occur normally
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
tteras
c2919dd501
From Paul Wenau: Check fgets return value in setkey to make gcc happy.
2009-08-06 04:44:43 +00:00
christos
bb8cb2851b
resolve conflicts
2009-08-05 18:38:21 +00:00
christos
86adef1b84
import 20090805 snapshot.
2009-08-05 18:31:57 +00:00
tteras
4180506456
From Paul Wernau: Fix transport mode per-port security associations that
got broken during NAT-T fixes.
2009-08-05 13:16:01 +00:00
joerg
15895248c1
Use OpenSSL's SHA256 support directly.
2009-08-03 20:56:25 +00:00
mrg
03f1126058
set SSHDIST to the new location. HI CHRISTOS!
2009-07-21 00:47:23 +00:00
christos
e97383ebc1
Don't let this linger around forever. Causes hidden bugs.
2009-07-20 22:55:47 +00:00
christos
d7ed66ca45
make tests compile!
2009-07-20 20:41:05 +00:00
christos
71cfba1556
ssh has moved (a long time ago)
2009-07-20 17:39:01 +00:00
christos
75efea6592
bump libcrypto and friends; OpenSSL abi change: do_cipher last argument
changed from u_int to size_t. Affects _LP64 only.
2009-07-20 17:30:52 +00:00
christos
35bdca4d17
use the proper libcrypto
2009-07-20 15:48:16 +00:00
christos
58e8878cb5
use the proper libcrypto
2009-07-20 15:43:51 +00:00
christos
9610bc301c
make sha256/512 binary compatible with the libc version which we now use.
2009-07-20 15:34:49 +00:00
christos
c9c3cfbcf5
catch up with openssl's abi change. do_cipher length changed from u_int to
size_t.
2009-07-20 15:33:44 +00:00
christos
22505a154a
add openssl
2009-07-19 23:44:20 +00:00
christos
e3aebf9996
new openssl
2009-07-19 23:43:46 +00:00
christos
2e69c03e37
openssl moved
2009-07-19 23:34:00 +00:00
christos
75534b786a
Add one more generated file and install in /usr/bin
2009-07-19 23:33:34 +00:00
christos
49d46fa3c8
- add build glue
- apply our changes
2009-07-19 23:30:37 +00:00
christos
a89c9211e5
import new openssl snapshot
2009-07-19 23:01:17 +00:00
apb
87c0c2be33
Add missing va_start before varargs processing.
Part of PR 41255 from Kurt Lidl.
2009-07-14 20:54:25 +00:00
tteras
aab4a00722
From Arnaud Ebalard: Fix possible usage of uninitialized local variable
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
agc
51e16c73a5
Move the null file checks for sign/verify/encrypt/decrypt down into the
library itself. Update the regression test script to add some tests.
2009-07-07 01:13:07 +00:00
agc
1eddadf4f7
Add two more items to the TODO list
2009-07-07 01:12:06 +00:00
spz
1513d3badc
fix break for non-64bit systems due to non-applying macro resp. variable
having crept in with the last patch.
ok martin, compile tested mbalmer and martin
2009-07-05 11:35:53 +00:00
tonnerre
a75354f443
Fix various vulnerabilities in OpenSSL which have not previously been
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.
Changes deal mostly with size checking of various elements and fixes
to various error paths.
2009-07-04 19:52:10 +00:00
tteras
3d0db58d61
Get rid of the evil CMPSADDR macro. Trac #295.
2009-07-03 06:41:46 +00:00
tteras
edd4f79009
From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
agc
0ff3383f59
Check that a filename has been given where one is required. Fixes a bug
reported by Mark Kirby.
2009-06-30 18:54:20 +00:00
tonnerre
f7384c4a6a
Add special handling for CBC cipher modes to make them appear less favorable
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from "Drop connection" to "Ignore
packets up to 256kB". This affects CBC mode ciphers only.
Patch from OpenBSD.
2009-06-29 22:52:13 +00:00
tteras
a8d702d9b1
Fix a call to a null pointer: in some cases, unmonitor_fd can be called
from another fd's callback. That could leave a callback still pending
after unmonitoring the fd, resulting in a call to a null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
christos
f48c7833ea
PR/41628: Jukka Salmi: OpenSSL's c_rehash can't find openssl binary
2009-06-23 14:08:02 +00:00
martin
14c9b3749d
Actually use the new (non-shortcut) functions for SHA224
2009-06-16 11:15:29 +00:00
joerg
a44a031cb3
Don't take short cuts and use the SHA224 functions to compute SHA224.
At least for Final it makes a difference in some situations.
2009-06-14 14:18:35 +00:00
agc
f72138f83a
Don't complain if $HOME/.gnupg does not exist (and using --homedir).
Don't require a userid to be set in the gpg.conf file - it can be set
on the command line when it's needed (for signing and encryption, the
other operations in netpgp(1) will take the userid from the
signed/encrypted file).
Add tests for the lack of a default userid in the config file.
2009-06-13 05:25:08 +00:00