Commit Graph

677 Commits

Author SHA1 Message Date
christos 83da2f6968 don't throw const away for no reason. 2004-12-11 06:58:20 +00:00
christos fbed044c7e Grr, this was not updating lastlogx! 2004-11-11 22:08:39 +00:00
thorpej b454543f45 Apply patches as discussed on:
http://mail-index.netbsd.org/tech-net/2004/11/05/0004.html

Slightly modified to differentiate the version string from a stock racoon.

	* auth_gssapi.h (GSSAPI_DEF_NAME): Change from "ike" to "host".
	(gssapi_get_default_id): Rename to gssapi_get_id.
	(gssapi_get_default_gss_id): New prototype.
	* cfparse.y (GSSAPI_ID): Rename to GSS_ID.
	(GSS_ID_ENC, GSS_ID_ENCTYPE): New tokens.
	(gssenc_statement): New statement.
	(isakmpproposal_spec): Use GSS_ID token.
	(expand_isakmpspec): Fill in gssid in the new proposal only
	if authmethod is OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB.  If the
	GSS ID is not provided, call gssapi_get_default_gss_id() to
	place the default ID in the proposal.
	* cftoken.l (S_GSSENC): New start condition.
	(<S_RMTP>gss_id): New, return the GSS_ID token.
	(<S_RMTP>gssapi_id): Return the GSS_ID token.
	(<S_INI>gss_id_enc, <S_GSSENC>latin1, <S_GSSENC>utf-16le)
	(<S_GSSENC>{semi}): New, tokenize the "gss_id_enc enctype;"
	statement.
	* gssapi.c: Include <unistd.h>.
	(gssapi_get_default_gss_id): New function.
	(gssapi_init): Disable a broken debugging message.  Make
	printf formats consistent in their handling of non-NUL-terminated
	strings.
	(gssapi_get_default_id): Rename to...
	(gssapi_get_id): ...this.  If the proposal has a gssid, vdup()
	that and return it.  Disable a broken debugging message.  Make
	printf formats consistent in their handling of non-NUL-terminated
	strings.
	* ipsec_doi.c: Include <iconv.h>.
	(get_ph1approval): Make printf formats consistent in their handling
	of non-NUL-terminated strings.  Call gssapi_get_id() instead of
	gssapi_get_default_id(), and remove some complexity that has been
	pushed into that function.
	(t2isakmpsa): When parsing the OAKLEY_ATTR_GSS_ID attribute,
	check convert the attribute from UTF-16LE to ISO-Latin-1, unless
	we are configured to assume the attribute is already ISO-Latin-1
	encoded.
	(setph1attr): When setting the OAKLEY_ATTR_GSS_ID attribute,
	convert the attribute from ISO-Latin-1 to UTF-16LE, unless we
	are configured to encode the attribute in ISO-Latin-1.
	* localconf.c (setdefault): Set the default GSS ID encoding type
	to UTF-16LE.
	* localconf.h (LC_GSSENC_UTF16LE, LC_GSSENC_LATIN1)
	(LC_GSSENC_MAX): New constants.
	(struct localconf): Add gss_id_enc member.
	* main.c (RACOON_VERSION): Append " - NetBSD 20041110" to the
	version string.
	* racoon.conf.5: Document changes to GSS ID encoding and default
	GSS ID computation.  Document "gss_id_enc enctype;" statement.
	* samples/racoon.conf.sample-gssapi: Update and add comments to
	provide more information.
2004-11-10 20:23:28 +00:00
christos d08f4201ee For ptys of the form /dev/pts/n, print foo@pts/n instead of foo@n. Check
that strrchr() returns non null before using it.
2004-11-10 16:55:55 +00:00
dsl 1869f0e146 Add (unsigned char) cast to ctype functions 2004-11-05 21:56:01 +00:00
dsl 3d446c0f42 Add (unsigned char) cast to ctype functions 2004-11-03 21:01:45 +00:00
dsl e2f49bd9e2 Add (unsigned char) cast to ctype functions 2004-10-30 15:15:37 +00:00
dsl 8668419e38 Add (unsigned char) cast to ctype functions 2004-10-30 08:34:24 +00:00
lha 2c875217bb Merge in changes between 0.6.2 and 0.6.3 2004-09-14 08:08:19 +00:00
lha ac5d4384ae remove generated files 2004-09-14 07:50:24 +00:00
lha a53f6df83e Import heimdal 0.6.3
Changes in release 0.6.3

 * fix vulnerabilities in ftpd
 * support for linux AFS /proc "syscalls"
 * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
   kpasswdd
 * fix possible KDC denial of service
 * bug fixes
2004-09-14 07:45:53 +00:00
mycroft 6e317e9e72 Disable the "may kill you" message, because:
1) It's not documented anywhere.
2) The problem it's attempting to warn about is not documented anywhere.
3) There are no example configs (or any I found with Google) that use the
   "listen" directive.
4) In any event, it's poorly worded and unclear what it's talking about.
2004-08-06 13:57:05 +00:00
drochner 14c8904f79 rename local pow10 function to avoid conflicts with the C99 libm one;
while not implemented in NetBSD yet is is considered reserved by gcc-3.4
2004-08-05 16:55:34 +00:00
wiz e8e1e9c2fe Sync with Heimdal: krb5_set_password.3,v 1.7 (except for a reference to
a man page we don't have yet):
Document krb5_set_password_using_ccache and krb5_passwd_result_to_string.
Ok'd by lha.
2004-07-18 15:08:50 +00:00
wiz 258b1bfb2e Remove superfluous comma; grammar fixes; split sentence
in two for better understanding.
XXX: krb5_set_password_using_ccache not described.
2004-07-14 09:21:59 +00:00
jonathan 8045e967b9 Fix typo (space added at beginning of line in an editor window under
the shell where I retested the Makefile changes, sigh...)
2004-07-14 07:12:25 +00:00
jonathan f17171cf5d Restore Heimdal Id as $Heimdal:, add NetBSD ID. 2004-07-14 07:06:44 +00:00
jonathan 98b92eb4a5 Commit manpage for krb5_set_password(3), based on Heimdal-20040606,
with small revisions by myself, reviewed/approved by Love.
2004-07-14 07:02:07 +00:00
he 8416ac87c6 Print ssize_t-typed variables using %zd format, not just %d.
Fixes build problem observed when compiling for hpcarm.
2004-07-13 14:15:17 +00:00
jonathan e5f57f3a70 Commit changes from Heimdal-current, as per discussion with Love
(lha@NetBSD.ORG), to incorporate contemporary (last-year-ish)
set-password and change-password extensions derived RFC-3244
(Microsoft set-password/change-password extensions), and the
subsequent MIT-KRB5 APIs for changing and setting passwords.

Required for compatibility with recent (2002/2003-ish) open-source
code which uses the MIT KRB5 APIs for setting passwords, or for
joining Microsoft domains as a  "computer account".

Modified files (for pullup tracking purposes):
	lib/libasn1/Makefile
	crypto/dist/heimdal/lib/asn1/k5.asn1
 	crypto/dist/heimdal/lib/krb5/changepw.c
 	crypto/dist/heimdal/lib/krb5/krb5-protos.h
 	crypto/dist/heimdal/lib/krb5/krb5.h
2004-07-12 20:44:56 +00:00
christos 763b8e76a6 Now that we have addrlen, use it. 2004-07-06 02:59:55 +00:00
drochner c62dff1bf7 fix a const'ification inconsistency, noticed by gcc-3.4 2004-07-01 21:27:42 +00:00
drochner 5e420ba772 restore behaviour before the 0.9.7d import: fall back to /dev/urandom
if ~/.rnd is not present.
(This code is with #ifdef __OpenBSD__ in openssl now; this change just
generalizes it.)
(approved by tls)
2004-06-21 15:14:16 +00:00
itojun 166adfa9e5 sync w/ 20040617. 2004-06-17 03:42:55 +00:00
itojun f7968a3c82 version 20040617a, includes important fix about cert handling 2004-06-17 03:38:44 +00:00
lha 76164d845a Now that we have res_nsearch, use it. Thanks christos for adding it. 2004-05-25 11:15:43 +00:00
lha bba70dc29c Merge changes between Heimdal 0.6.1 and 0.6.2 2004-05-08 13:27:58 +00:00
lha 0575824546 Import of Heimdal release 0.6.2
* Fix possible buffer overrun in v4 kadmin (which now defaults to off)
2004-05-08 13:15:02 +00:00
jonb e0bc90b23e Set LoginGraceTime back to 600 like it used to be. This should
help slow machines with long keys to still work like they did with
NetBSD 1.6 and before.
2004-05-01 06:06:33 +00:00
itojun b4a3a9e6c1 properly validate phase 1 signature.
http://www.vuxml.org/freebsd/d8769838-8814-11d8-90d1-0020ed76ef5a.html
2004-04-12 03:34:05 +00:00
itojun 604a0b444a KAME racoon as of 2004/4/12 2004-04-12 03:26:57 +00:00
lha e4e583e45c From Heimdal, cast size_t to unsigned long for LP64 platforms. 2004-04-02 20:58:36 +00:00
lha 8aa367e8da more text how to do imports 2004-04-02 15:11:21 +00:00
lha 4d21efe5f7 Merge changes between heimdal-0.6 and heimdal-0.6.1 2004-04-02 14:59:46 +00:00
lha a08e247c98 Import heimdal-0.6.1
Changes in release 0.6.1
 * Fixed ARCFOUR suppport
 * Cross realm vulnerability
 * kdc: fix denial of service attack
 * kdc: stop clients from renewing kerberos 4 tickets into the future
 * bug fixes
2004-04-02 14:47:00 +00:00
itojun 7fba5a69cf reject packet with too big isakmp message length field. 2004-03-31 07:19:27 +00:00
groo 4b32eb44a7 Resolve conflicts. In particular, prefer OpenSSL's BIO_strl* and
BIO_strncpy over ours.
2004-03-20 04:32:34 +00:00
groo 5a374ad0ce Import OpenSSL 0.9.7d to address:
1. Null-pointer assignment during SSL handshake
	2. Out-of-bounds read affects Kerberos ciphersuites
2004-03-20 04:22:06 +00:00
groo 0684427439 Import OpenSSL 0.9.7d to address:
1. Null-pointer assignment during SSL handshake
	2. Out-of-bounds read affects Kerberos ciphersuites
2004-03-20 04:22:04 +00:00
wiz eec56f3b12 Bump date for previous. 2004-03-06 23:38:40 +00:00
itojun da6bd485cd add missing description of "EnableSshKeysign". 2004-03-06 14:33:08 +00:00
itojun c6a556a5b6 endian mismatch. from iij seil team 2004-01-16 02:25:14 +00:00
itojun 3c3791b847 validate hash on info exchange. bugtraq <20040113213940.GA1727@hzeroseven.org> 2004-01-14 09:17:42 +00:00
dyoung 4758291178 Fix the checkflist for builds without Kerberos 4 (MKKERBEROS4=no)
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.

* move kerberos- and kerberos 4-only files into new flists,
  distrib/sets/lists/*/krb.*

* make the flist generators grok MKKERBEROS{,4} variables

* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
  9 out of 10 experts agree that it is ludicrous to build w/
  KERBEROS4 and w/o KERBEROS5.

* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.

* omit some Kerberos-only subdirectories from the build as
  MKKERBEROS{,4} indicate

(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly.  That
sounds to me like the right way to go, but I am not prepared to do
revamp all the makefiles.  While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
2003-12-11 09:46:26 +00:00
itojun 2a85abd333 avoid memory leak. hint from Andrew Lunn 2003-11-23 08:33:13 +00:00
itojun 5451f8a14e do not malloc(0). Andrew Lunn 2003-11-23 08:23:02 +00:00
jonathan dedf78268d Patch OpenSSL to use opencrypto (aka /dev/crypto), if configured and
(per kernel policy) for crypto transforms for which hardware
acceleration is available. Affects:

   crypto/dist/openssl/crypto/engine/eng_all.c
   crypto/dist/openssl/crypto/engine/hw_cryptodev.c
   crypto/dist/openssl/crypto/evp/c_all.c

as posted to tech-crypto for review/comment on 2003-08-21.
2003-11-20 00:55:51 +00:00
wiz 4bbfee09ca Various typo fixes from Jonathon Gray via jmc@openbsd. 2003-11-17 11:16:10 +00:00
itojun 6de72ce0f8 typo. minoura 2003-11-13 10:35:40 +00:00
yamt 1356e8977e pfkey_dump_sadb: when it get an error using sysctl,
mimic an error msg from keysock so that caller can process it correctly.

PR/23122.
2003-11-09 15:37:24 +00:00