Commit Graph

1629 Commits

Author SHA1 Message Date
christos
bd7ae6bd09 handle ctime returning NULL. 2010-04-02 15:13:26 +00:00
christos
fcbd1014fb PR/42363: Yasuoka Masahiko: Second part of the patch: iterate only on the
phase2 handles that are bound by the given phase1 handle.
2010-03-11 15:44:48 +00:00
tteras
e3413574b5 From Stefan Bauer: Fix multiple typos and manpage formatting errors. 2010-03-05 06:47:58 +00:00
vanhu
709abc828e From Pierre POMES: fixed admin port initialization 2010-03-04 15:13:53 +00:00
snj
ccaf1e96be Fight the ever-increasing size of src checkouts by spelling "useful"
without an extra l.
2010-02-28 15:52:16 +00:00
wiz
8e35c759e7 Fix typo in comment. 2010-02-09 23:05:16 +00:00
christos
6439b76ce2 make the window size function return the lines and columns variables separately
instead of depending on the existence of struct winsize. Technically I should
bump the library version or version the symbol, but nothing seems to use this
outside the library!
2010-01-24 16:45:57 +00:00
christos
6e3a01841c don't expose struct winsize needlessly. 2010-01-24 16:42:12 +00:00
tsutsui
9357df271a Backout previous. 2010-01-20 19:54:07 +00:00
tsutsui
64cc3f120f Backout previous which breaks build on NetBSD. Pointed out by wiz@.
Probably we have to add a check for HAVE_STRUCT_WINSIZE
in src/tools/configure as src/crypto/dist/heimdal/configure does.
2010-01-20 15:03:50 +00:00
tsutsui
ad30688c11 Don't include src/include heimdal/roken.h on tools build because
it's "an OS dependent, generated file" configured for the target NetBSD
as noted in itself.  Instead, include <roken-common.h>
(which is included from generated <roken.h> and required
for TRUE and FALSE definitions) and "nbtool_config.h" on tools build.

Fixes PR toolchain/41435 and makes cross build on Cygwin-1.7 work.
No particular comments in the PR.
2010-01-20 12:54:17 +00:00
wiz
e15635055f Free strdupped string after using it. Found by cppcheck. 2010-01-17 23:03:01 +00:00
wiz
44e3b1fff7 Close file handles after using them. Found by cppcheck. 2010-01-17 23:02:48 +00:00
joerg
0e901e0c61 Use .%U instead of .%O for URLs. 2010-01-15 19:18:51 +00:00
tteras
119e5ecd44 From Paul Wernau: vmbuf.h was defined twice in the headers. Remove the
redundant entry so new install tool does not complain about overwriting
just installed file.
2009-12-11 09:04:04 +00:00
christos
aabb31871d PR/42363: Yasuoka Masahiko:
racoon uses a wrong IPsec-SA handle that is for other peer in case it
receives a ISAKMP message for IPsec-SA that has the same message-id as
the message-id that is received before.

racoon uses message-id to find the handle of IPsec-SA.  The message-id
is a unique number for each peer, but different peers may use the same
value.

Different Windows Vista or Windows 7 peers seem to use the same
message-id.  racoon can handle the first Windows's Phase-2, but it
cannot handle the second Windows.  Because racoon misunderstands the
message for the second Windows as the message for the first Windows.

>Category:       bin
>Synopsis:       racoon uses a wrong IPsec-SA that is for different peer
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 22 18:25:00 +0000 2009
>Originator:     yasuoka@iij.ad.jp
2009-11-22 19:34:55 +00:00
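The lookup bug the PR above describes, as an added example that is not racoon's code: a toy table of phase-2 handles, a lookup keyed the way the report says racoon keyed it (message-id only), and a lookup that also requires the phase-1 handle the message arrived on. The structures, function names, table and the two peer addresses are constructed for illustration; the real ph1handle/ph2handle layouts differ.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for racoon's ph1handle/ph2handle (assumption: the real structs differ). */
struct ph1 { const char *peer; };		/* one ISAKMP SA per peer */
struct ph2 { uint32_t msgid; struct ph1 *ph1; const char *desc; int in_use; };

#define MAX_PH2 8
static struct ph2 ph2tab[MAX_PH2];

static struct ph2 *ph2_add(uint32_t msgid, struct ph1 *ph1, const char *desc)
{
	for (int i = 0; i < MAX_PH2; i++) {
		if (!ph2tab[i].in_use) {
			ph2tab[i].msgid = msgid;
			ph2tab[i].ph1 = ph1;
			ph2tab[i].desc = desc;
			ph2tab[i].in_use = 1;
			return &ph2tab[i];
		}
	}
	return NULL;
}

/* The lookup from the report: first match on msgid wins, whichever peer it
 * belongs to. Two peers that happen to pick the same msgid collide. */
struct ph2 *getph2bymsgid_global(uint32_t msgid)
{
	for (int i = 0; i < MAX_PH2; i++)
		if (ph2tab[i].in_use && ph2tab[i].msgid == msgid)
			return &ph2tab[i];
	return NULL;
}

/* msgid is unique only within one ISAKMP SA, so bind the search to the
 * phase-1 handle the message was received on. */
struct ph2 *getph2bymsgid_bound(struct ph1 *ph1, uint32_t msgid)
{
	for (int i = 0; i < MAX_PH2; i++)
		if (ph2tab[i].in_use && ph2tab[i].ph1 == ph1 &&
		    ph2tab[i].msgid == msgid)
			return &ph2tab[i];
	return NULL;
}

/* Reproduce the report: two Windows peers, one quick-mode msgid. Returns the
 * peer address the chosen lookup resolves the message to, or NULL. */
const char *lookup_peer_for(int bound, const char *arriving_peer, uint32_t msgid)
{
	static struct ph1 win1 = { "192.0.2.10" }, win2 = { "192.0.2.20" };	/* constructed */
	struct ph1 *from;
	struct ph2 *h;

	memset(ph2tab, 0, sizeof ph2tab);
	ph2_add(0x1234abcdu, &win1, "first Windows");
	ph2_add(0x1234abcdu, &win2, "second Windows");
	from = strcmp(arriving_peer, win1.peer) == 0 ? &win1 : &win2;
	h = bound ? getph2bymsgid_bound(from, msgid) : getph2bymsgid_global(msgid);
	return h ? h->ph1->peer : NULL;
}
```

With the global lookup a message from the second peer is resolved to the first peer's phase-2 state; with the phase-1-bound lookup each peer gets its own.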
christos
2853bbf4b7 use %option instead of #define YY_NO_... 2009-10-29 14:49:02 +00:00
christos
792f03d2b0 use %option noinput nounput 2009-10-29 14:34:27 +00:00
christos
cd2a002a7a no unput 2009-10-28 20:59:46 +00:00
wiz
02d06f301f Remove .Os argument.
Remove ending dot in SEE ALSO.
Use Fl Fl for long options.
New sentence, new line.
Remove trailing whitespace.
2009-10-25 10:30:47 +00:00
reed
06921da813 Fix section number for a man page reference.
While here put the man pages in the SEE ALSO in order too.
(This was shared and now fixed upstream too.)
2009-10-25 01:52:04 +00:00
reed
fa923fa9a7 Fix Nm macro usage.
Fixed upstream in April:
9747de8132
2009-10-24 11:12:56 +00:00
reed
638b376411 Fix Document Title.
(I already reported it and it is fixed upstream.)
2009-10-24 11:09:31 +00:00
joerg
d935d602c7 Fix redundancy. 2009-10-15 00:07:45 +00:00
joerg
addb345ac7 Do not work around ancient groff limits with .Xo/.Xc. 2009-10-14 23:37:33 +00:00
joerg
4467064d5b Do not use .Xo/.Xc to workaround ancient groff limits. 2009-10-14 23:36:55 +00:00
joerg
a453670196 Do not use .Xo/.Xc to work around ancient groff limits.
Fix markup.
2009-10-14 18:34:14 +00:00
joerg
0639ebde24 Don't use .Xo/.Xc to work around ancient groff limits.
Set only one list type.
2009-10-14 18:22:04 +00:00
joerg
2644011d38 Use proper markup. 2009-10-14 17:33:56 +00:00
joerg
68d56b9fdf Fix markup. 2009-10-13 22:49:34 +00:00
joerg
37aea36c2a Use sane logical markup and actual cross references. 2009-10-13 22:47:55 +00:00
joerg
951207a2a8 Fix markup. 2009-10-13 22:47:31 +00:00
tteras
ff2c7b7d5c From Tomas Mraz: Fix gssapi error checking. 2009-09-18 10:31:11 +00:00
tteras
63bcd231eb When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
select the phase1 for rekeying the new phase2.
2009-09-03 09:29:07 +00:00
tteras
ae0beb16dc Check nat_traversal configuration from remote configuration candidates
when acting as responder. Enable NAT-T if any of the remote candidates
have NAT-T enabled.
2009-09-01 12:22:09 +00:00
tteras
5e74d5d98f Change remote conf matching level to matching score. This way one can
override anonymous certificate block config with more exact "inherited"
IP specific block.
2009-09-01 09:49:59 +00:00
tteras
43e6802298 From Maik Broemme: export ISAKMP SA identity as REMOTE_ID for phase1 up
script (trac #313).
2009-09-01 09:24:21 +00:00
vanhu
b7f72d1283 fixed typo: algoriym -> algorithm 2009-08-24 09:33:03 +00:00
vanhu
a3d9e80f96 fixed address check in rmconf_match_type(), just check address with wildcard port 2009-08-19 13:54:07 +00:00
tteras
95f3bd08bb Have an enum for rmconf_match_type() return values to make the code a bit
more readable.
2009-08-19 12:20:02 +00:00
vanhu
e2ffc89458 typo: algoritym -> algorithm 2009-08-18 08:21:12 +00:00
vanhu
eb15fbb554 do not use SADB_X_NAT_T_NEW_MAPPING to check system support for NAT-T, as at least FreeBSD doesn't have this define anymore 2009-08-17 13:52:14 +00:00
vanhu
82dd0659f2 include stddef.h so we have a chance to get the system offsetof if present 2009-08-17 12:00:53 +00:00
vanhu
c2c64af1e8 removed a self include 2009-08-17 11:59:10 +00:00
vanhu
0667dd70bd fixed a potential DoS in oakley_do_decrypt(), reported by Orange Labs 2009-08-13 09:18:28 +00:00
tteras
ea830abf58 Don't print EAGAIN error from pfkey_handler(), it can occur normally
under some code paths and is not a hard error in any case.
2009-08-10 08:22:13 +00:00
tteras
c2919dd501 From Paul Wenau: Check fgets return value in setkey to make gcc happy. 2009-08-06 04:44:43 +00:00
tteras
4180506456 From Paul Wernau: Fix transport mode per-port security associations that
got broken during NAT-T fixes.
2009-08-05 13:16:01 +00:00
christos
e97383ebc1 Don't let this linger around forever. Causes hidden bugs. 2009-07-20 22:55:47 +00:00
christos
71cfba1556 ssh has moved (a long time ago) 2009-07-20 17:39:01 +00:00
apb
87c0c2be33 Add missing va_start before varargs processing.
Part of PR 41255 from Kurt Lidl.
2009-07-14 20:54:25 +00:00
tteras
aab4a00722 From Arnaud Ebalard: Fix possible usage of uninitialized local variable
(not sure if any code path triggers this, but this makes compiler happy).
2009-07-07 12:25:22 +00:00
spz
1513d3badc fix break for non-64bit systems due to non-applying macro resp variable
having crept in with the last patch.
ok martin, compile tested mbalmer and martin
2009-07-05 11:35:53 +00:00
tonnerre
a75354f443 Fix various vulnerabilities in OpenSSL which have not previously been
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.

Changes deal mostly with size checking of various elements and fixes
to various error paths.
2009-07-04 19:52:10 +00:00
tteras
3d0db58d61 Get rid of the evil CMPSADDR macro. Trac #295. 2009-07-03 06:41:46 +00:00
tteras
edd4f79009 From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.
2009-07-03 06:40:10 +00:00
tonnerre
f7384c4a6a Add special handling for CBC cipher modes to make them appear less favorable
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from "Drop connection" to "Ignore
packets up to 256kB". This affects CBC mode ciphers only.

Patch from OpenBSD.
2009-06-29 22:52:13 +00:00
tteras
a8d702d9b1 Fix a call to a null pointer: in some cases, the unmonitor_fd can be called
from another fd's callback. That could lead to a callback still being pending
after unmonitoring the fd, resulting in a call to a null pointer.
This is fixed by making unmonitor_fd now clear the pending fd_set too.
Bug was introduced by my commit in 2008-12-23.
2009-06-24 11:28:48 +00:00
christos
f48c7833ea PR/41628: Jukka Salmi: OpenSSL's c_rehash can't find openssl binary 2009-06-23 14:08:02 +00:00
martin
14c9b3749d Actually use the new (non-shortcut) functions for SHA224 2009-06-16 11:15:29 +00:00
joerg
a44a031cb3 Don't take short cuts and use the SHA224 functions to compute SHA224.
At least for Final it makes a difference in some situation.
2009-06-14 14:18:35 +00:00
stacktic
9cdc17cae0 Fixed strvisx usage (ok Christos@) 2009-05-23 14:43:36 +00:00
vanhu
f61fedc250 typo 2009-05-20 07:54:50 +00:00
tteras
68ab535bfd From Jukka Salmi: Fix couple of typos from previous commit. 2009-05-19 09:34:52 +00:00
tteras
0ab43f031c From Tomas Mraz: Introduce union sockaddr_any and use it to make code
more readable. Related to trac #293.
2009-05-18 17:40:38 +00:00
tteras
ef94861331 From Tomas Mraz: Remove variable that is not really used; only referenced
while uninitialized causing valgrind error.
2009-05-18 17:07:15 +00:00
tteras
5e83df8c82 From Tomas Mraz: Fix natt_flags check. 2009-05-18 17:00:42 +00:00
wiz
decd684ac0 Remove superfluous spaces around parentheses. 2009-05-04 22:28:30 +00:00
tteras
ec20a1edf8 From Ross Meng: Fix a memory leak in X509 certificate validation. 2009-04-29 10:50:01 +00:00
tteras
8bcee86f68 Reset nat_oa variables too when reusing phase two handler. Otherwise
phase2 rekeying might fail in some scenarios.
2009-04-28 13:54:07 +00:00
joerg
4287c61008 Apply rev 1.21 from src/lib/libcrypto/man/ssl.3:
Fix typo.
2009-04-22 13:10:33 +00:00
tteras
95b420bbeb From Neil Kettle: Fix a possible null pointer dereference in fragmentation
code.
2009-04-22 11:24:20 +00:00
tteras
fab62310e7 Fix strict_address to work again. The lists need to be initialized
before configuration is read, which happens before my_addr_init() call.
2009-04-21 18:38:31 +00:00
tteras
7019ec4077 Fix a memory leak in certificate request generation. 2009-04-20 13:24:36 +00:00
tteras
f273c7c2bb Originally from Bin Li: Fix possible memory corruption in binsanitize(). 2009-04-20 13:23:54 +00:00
tteras
a2f9e36ab3 From Stephen Bevan: Fix a x509 signature verification memory leak. 2009-04-20 13:22:41 +00:00
tteras
b1fd61f62f Originally from Bin Li: Fix a crash with racoonctl logout user. 2009-04-20 13:22:00 +00:00
tteras
8759a6c72c Fix a memory leak in nat-t keepalive code. 2009-04-20 13:17:35 +00:00
tteras
8c22b469e0 From Paul Moore: Phase2 message id's should be unique wrt phase1, not
globally.
2009-04-20 13:16:52 +00:00
lukem
0b173a25f2 Redo previous -- cast to (unsigned char) 2009-04-14 21:58:36 +00:00
apb
74214207d5 Fix two bugs in handling banners in sshconnect2:
1) If the length of the banner is zero, don't bother printing it.
   This can happen if the remote server has a zero-length /etc/issue
   file.  Previously, ssh would die with "xmalloc: zero size".
2) strvisx() needs an extra byte for the nul terminator.
2009-04-14 11:53:40 +00:00
lukem
e015e1d018 Call toupper() with an int argument. 2009-04-14 10:03:55 +00:00
yamt
cdc5fc06ff restore INETD_SUPPORT. PR/40722. 2009-04-09 06:34:34 +00:00
drochner
fb693f55f7 apply patches from upstream CVS to fix 3 security problems:
-ASN1 printing crash (CVE-2009-0590)
-Incorrect Error Checking During CMS verification (CVE-2009-0591)
-Invalid ASN1 clearing check (CVE-2009-0789)
2009-03-27 10:41:29 +00:00
perry
4bfc10355c add missing commas to .Dd fix, pointed out by wiz 2009-03-22 14:29:34 +00:00
perry
c8a35b6227 OpenBSD uses a custom CVS hack to handle Dd fields ($Mdocdate$) which
we don't have. Replace ".Dd $Mdocdate" with ".Dd Month Day Year" so
that the date comes out right when man pages get built. This will
doubtless need hand conflict resolution whenever these pages are
re-imported.

Note that it would be interesting to have some similar facility for
NetBSD, but I don't think a custom rcs keyword is the right thing --
maybe we can teach groff to parse $Date$
2009-03-21 00:15:52 +00:00
tteras
0c68acc1de From Arnaud Ebalard: Fix couple of problems with previous commit. 2009-03-13 04:49:16 +00:00
he
976380d183 When casting to/from a pointer to an integral type (a bad practice,
if you ask me), you need to cast via intptr_t for portability.
2009-03-12 23:05:27 +00:00
wiz
2df943f931 New sentence, new line. Avoid marking up punctuation. 2009-03-12 15:18:57 +00:00
wiz
0d4480d10a Bump date for previous. Sort options to establish-sa.
Stop using Xo/Xc.
2009-03-12 14:01:09 +00:00
tteras
983cc8fecf Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.
2009-03-12 10:57:26 +00:00
joerg
997634fe14 Fix preamble to match order set out by mdoc(7). Discussed with wiz. 2009-03-09 19:24:26 +00:00
tteras
e3372d2f8f setkey: fix deleteall in Linux
Linux requires SADB_DELETE message to have SPI. So send
a SADB_DELETE message for each matching SA. Trac #284.

From: Gabriel Somlo <somlo@cmu.edu>
2009-03-06 11:45:03 +00:00
christos
ce563f1b55 CID 4960: Plug memory leak. 2009-02-18 20:10:23 +00:00
uebayasi
aa58ef4867 Revert previous for now. The hidden intent was to rewrite duplicate rules
of ${TOOL_COMPILE_ET} seen in lib/*/Makefile, using make(1) suffix rule.
But I have not figured out the best way yet.

(The reason why I want to rewrite them is to strip absolute paths embedded in
/usr/include/krb5/*.h.)
2009-02-18 01:18:57 +00:00
dogcow
0d280a6b94 sig_atomic_t is long on alpha (?!); use %ld and cast to long. 2009-02-17 05:28:32 +00:00
uebayasi
5b1f280b89 To name output files, replace only suffix part exactly. 2009-02-17 05:24:14 +00:00
christos
79290a1b6f remove extra args. 2009-02-16 22:50:17 +00:00
christos
9341d6b102 put back deleted files 2009-02-16 20:55:22 +00:00
christos
abbe9cc1c0 merge changes 2009-02-16 20:53:54 +00:00
tteras
b1ab726a1a From Paul Moore: Fix a heap corruption bug (yacc return non-null terminated
buffer and sprintf writes over bounds).
2009-02-16 18:36:21 +00:00
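The pattern behind the heap corruption above, as an added example that is not racoon's parser code: a tokenizer that hands back (pointer, length) slices of its input, exactly as a lexer's yytext does, with no NUL after them, and a path builder that bounds both the read and the write with `snprintf("%.*s")` instead of `sprintf("%s")`. The input line, the function names and the `/etc/racoon` prefix are constructed for the demo.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Return the start of the next whitespace-delimited token in p and its
 * length in *len, or NULL at end of line. The token is a window into the
 * caller's buffer: there is no NUL after it, like a lexer's yytext slice. */
const char *next_token(const char *p, size_t *len)
{
	const char *start;

	while (*p == ' ' || *p == '\t')
		p++;
	if (*p == '\0' || *p == '\n')
		return NULL;
	start = p;
	while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n')
		p++;
	*len = (size_t)(p - start);
	return start;
}

/* Build "<dir>/<tok>" into out. sprintf(out, "%s/%s", dir, tok) would keep
 * reading tok past toklen until some NUL further along the buffer and write
 * all of that into out: the over-bounds write fixed above. An explicit
 * precision stops the read at toklen and snprintf stops the write at outsz.
 * Returns the length written, or -1 if the result would not fit. */
int build_path(char *out, size_t outsz, const char *dir, const char *tok, size_t toklen)
{
	int n;

	if (toklen > INT_MAX)		/* %.*s takes an int precision */
		return -1;
	n = snprintf(out, outsz, "%s/%.*s", dir, (int)toklen, tok);
	if (n < 0 || (size_t)n >= outsz)
		return -1;		/* truncated: refuse rather than use a cut path */
	return n;
}

/* Demo on a constructed racoon.conf-style line such as "include racoon.d;":
 * resolve the second token under /etc/racoon without NUL-terminating it. */
int resolve_include(const char *line, char *out, size_t outsz)
{
	const char *tok;
	size_t len;

	tok = next_token(line, &len);
	if (tok == NULL || len != 7 || strncmp(tok, "include", 7) != 0)
		return -1;
	tok = next_token(tok + len, &len);
	if (tok == NULL)
		return -1;
	if (tok[len - 1] == ';')	/* strip the statement terminator */
		len--;
	if (len == 0)
		return -1;
	return build_path(out, outsz, "/etc/racoon", tok, len);
}
```

Truncation is treated as an error rather than silently producing a shorter path; a partial filename is as dangerous to act on as an overflowed one.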
christos
9d3c9d9c55 from ftp.openbsd.org 2009-02-16 17:14:22 +00:00
jmmv
44d668a632 Fix build; need to constify the return value of a function. 2009-02-13 22:01:05 +00:00
vanhu
3723c0b8cf trac#301: fixed IPsec SAs flush in purge_remote() when NAT-T enabled but no NAT-T on tunnel 2009-02-11 15:18:59 +00:00
tteras
ee2923bc73 From: Phil Sutter. Fix script environment variables with IPv6 addresses. 2009-02-03 20:21:45 +00:00
tteras
98b638ac57 Argument parsing needs lcconf initialized. 2009-01-26 18:13:06 +00:00
wiz
58b2161948 Sort options in usage. 2009-01-24 10:43:47 +00:00
wiz
a8e14ecee0 Sort options. New sentence, new line. 2009-01-24 10:43:38 +00:00
wiz
86a90d6c4e Sort options. 2009-01-24 10:42:31 +00:00
tteras
e9d216a40d Update usage and manpage for racoonctl. 2009-01-23 11:44:08 +00:00
tteras
c6d64c37e0 Racoon -v to print version and compilation information. Update usage
message.
2009-01-23 11:28:27 +00:00
tteras
1f949d3b6c Update NEWS with major changes since 0.7 release. 2009-01-23 09:40:56 +00:00
tteras
731a29e03b Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
tteras
7bc9f9e4ee From Arnaud Ebalard:
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
tteras
b9ba86c968 From Arnaud Ebalard:
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
tteras
54bcc916f5 From Arnaud Ebalard: Set phase2 spid when acting as responder. 2009-01-23 08:27:24 +00:00
tteras
5d5e4e2fa3 Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complete hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
tteras
49c6438a45 Fix authentication method ambiguity by internally using unique ID and
setting/interpreting the wire format based on received vendor IDs. Fixes
trac #280.
2009-01-23 08:23:51 +00:00
tteras
69697b4655 Introduce vendorid bitmask that can be used elsewhere to detect peer
capabilities.
2009-01-23 08:06:56 +00:00
tteras
2b7d4cd554 Remove "fastquit" configure option and make it the default behaviour. The
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SAs which would prevent exit.
2009-01-23 08:05:58 +00:00
tteras
2b68c3a06a Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
ChangeLog.old.
2009-01-20 14:36:07 +00:00
wiz
67cbe60826 Make ready for HTML output.
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
tteras
f7557f766d From Cyrus Rahman:
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
tteras
a0b1dc6be0 Fix a CPPLAGS typo to CPPFLAGS which was intended 2009-01-09 06:31:38 +00:00
tteras
9df0ec5c7e Fix a CPPLAGS typo to CPPFLAGS which was intended 2009-01-09 06:31:37 +00:00
christos
10c9b70baa Correct error checking for DSA and ECDSA keys (from FreeBSD) 2009-01-07 23:05:07 +00:00
tteras
b264308e87 Remove obsolete configuration options, fix radius configuration block and
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
tteras
328859aef7 Do not use counting in signal handling as it was unsafe by not using
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
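The handler discipline the commit above adopts, as an added example rather than racoon's own signal code: a `volatile sig_atomic_t` flag set (not incremented) in the SIGCHLD handler, and a main-loop step that clears the flag and then drains every exited child with `waitpid(WNOHANG)`, so coalesced or lost signal deliveries cannot leak zombies. The function names and the spawn-and-reap demo are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* A flag, not a counter. "pending++" inside a handler is a load/add/store
 * sequence; a second SIGCHLD landing in the middle of it is lost. A single
 * store to a volatile sig_atomic_t is the one thing C guarantees to be
 * atomic with respect to signal delivery. */
static volatile sig_atomic_t sigchld_pending;

static void on_sigchld(int sig)
{
	(void)sig;
	sigchld_pending = 1;
}

int install_sigchld_handler(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_sigchld;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
	return sigaction(SIGCHLD, &sa, NULL);
}

/* Reap every child that has exited, however many SIGCHLDs were coalesced
 * into one delivery. Returns the number reaped; waitpid() yields 0 while
 * children are still running and -1/ECHILD when there are none left. */
int reap_children(void)
{
	int n = 0, status;

	while (waitpid(-1, &status, WNOHANG) > 0)
		n++;
	return n;
}

/* Main-loop step. Clear the flag *before* reaping: a signal that arrives
 * while waitpid() runs then leaves the flag set for the next pass instead
 * of being wiped out by a clear that happens afterwards. */
int service_sigchld(void)
{
	if (!sigchld_pending)
		return 0;
	sigchld_pending = 0;
	return reap_children();
}

/* Demo: spawn n children that exit immediately and poll the main-loop step
 * until all are reaped or ~2 s have passed. Returns the number reaped. */
int spawn_and_reap(int n)
{
	struct timespec tick = { 0, 10 * 1000 * 1000 };	/* 10 ms */
	int reaped = 0;

	if (install_sigchld_handler() != 0)
		return -1;
	for (int i = 0; i < n; i++) {
		pid_t pid = fork();
		if (pid < 0)
			return -1;
		if (pid == 0)
			_exit(0);
	}
	for (int i = 0; i < 200 && reaped < n; i++) {
		reaped += service_sigchld();
		nanosleep(&tick, NULL);
	}
	return reaped;
}
```

Because the drain loop is unconditional, it does not matter whether three children produced three signals or one; a counter would have needed exactly the right number, which is what the racoon change gives up on.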
tteras
a3c1a92d23 schedular() call can now modify fd mask so make the working copy just
before calling select(); otherwise it can contain bad file descriptors
2008-12-30 15:50:24 +00:00
mlelstv
e5b90a2fc2 support icmp codes. Fixes PR 39056. 2008-12-29 12:54:33 +00:00
christos
aa3382cd31 remove sin{6,}_len linux does not have it. From Timo Teras. 2008-12-24 20:20:52 +00:00
christos
6c532322d2 I was wrong. addr is actually set. 2008-12-24 19:05:48 +00:00
christos
16b17fbeab - make this compile by zeroing out the whole structure not just bogus fields.
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
2008-12-24 15:25:44 +00:00
wiz
c1e7a459ca Bump date for identity configuration option removal. 2008-12-23 19:28:18 +00:00
tteras
535280aca9 Remove the obsoleted global identity configuration option. 2008-12-23 14:04:42 +00:00
tteras
bd378f6dda rewrite local address detection
make some functions static that are not needed globally
rework how fd_set is constructed for the main loop select()
2008-12-23 14:03:12 +00:00
tteras
182f0b93be From Arnaud Ebalard:
Delete larval ph2handles when expire with hard lifetime received
2008-12-18 07:20:25 +00:00
tteras
50a2f2e6d0 Update README 2008-12-16 06:48:38 +00:00
tteras
b2b7434a10 Fix transport mode address selection in acquire handling.
Some earlier fixes got lost on 2008-12-05 commit.
2008-12-16 06:08:46 +00:00
vanhu
a75f34b133 Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff) 2008-12-11 15:45:24 +00:00
vanhu
cffd15164d Fixed compilation when DPD support is disabled 2008-12-11 15:33:59 +00:00
bad
f140528153 Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04. 2008-12-09 23:28:08 +00:00
tteras
dae665ff27 Do not cache pfkey sockets: it might cause some pfkey events not to be handled
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
2008-12-08 06:00:53 +00:00
tteras
02f2a72861 From Arnaud Ebalard:
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-05 06:02:20 +00:00
bad
3ef91ecea8 Fix typo in previous and use SIG_IGN as I intended. 2008-12-04 22:30:26 +00:00
tteras
22b0737f30 Explicitly ignore SIGPIPE. Default action on Linux is terminate. 2008-12-02 07:41:43 +00:00
wiz
659c30f2ba Remove empty line. Fix typo. New sentence, new line. 2008-11-28 22:37:44 +00:00
vanhu
0b0a39b9f9 ModeConfig fixes 2008-11-27 15:04:34 +00:00
vanhu
3a74e20575 Set up a default value for Mode Config Pool size if pool address specified but pool size not specified 2008-11-27 15:04:21 +00:00
vanhu
054e0e851d Fixed pool resizing 2008-11-27 15:04:16 +00:00
tteras
f863fa40c3 From Arnaud Ebalard:
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
2008-11-27 11:08:48 +00:00
tteras
1c6c2a3356 From: Matthew Krenzer
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
2008-11-27 10:53:48 +00:00
bad
e564489300 Document my changes from 2008-11-08 and today. 2008-11-25 22:39:20 +00:00
bad
f798cbf18b Avoid using MSG_NOSIGNAL as it is not available everywhere.
Ignore SIGPIPE instead.
2008-11-25 22:38:31 +00:00
bad
d9c51cbeae Ignore unspecified and loopback addresses. Ignoring unspecified addresses
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
2008-11-25 22:00:15 +00:00
bad
e7c2314bc8 RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses.
Ignore them silently.
2008-11-25 21:54:05 +00:00
bad
6db1040de3 Ignoring an unsuitable address is not an error. Therefore log it as
informational.
Make it clear from the log message that a route message is not interesting.
2008-11-25 21:50:47 +00:00
bad
220cbdde75 Use insmyaddr() instead of open coding it. 2008-11-25 21:46:12 +00:00
bad
b8d42d186b Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU
fails.
2008-11-25 21:42:36 +00:00
bad
667107700d Keep myaddr.sock at -1 when no socket is opened. 2008-11-25 21:37:11 +00:00
bad
96020e15cb Preserve owner and permissions of original /etc/resolv.conf.
Ensure that new /etc/resolv.conf isn't group or world writable.
2008-11-08 13:41:09 +00:00
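How a daemon rewriting /etc/resolv.conf keeps the original's owner and mode while refusing to leave the file group- or world-writable, as an added example that is not the racoon script code the commit above changes. It assumes the caller owns the file or runs as root (otherwise `fchown()` fails and the replacement is abandoned), writes to an `O_EXCL` temp file and renames it into place; all function names are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Drop group/world write: a writable resolv.conf lets any local user point
 * the host's DNS wherever they like. Owner bits and the rest are kept. */
mode_t sanitize_mode(mode_t m)
{
	return m & ~(mode_t)(S_IWGRP | S_IWOTH);
}

/* Replace path with content, keeping the original's owner and (sanitised)
 * permission bits. Data goes to a fresh O_EXCL temp file that is renamed
 * over the original, so readers never see a half-written file. Returns 0
 * on success, -1 on failure (the temp file is removed). */
int replace_preserving_meta(const char *path, const char *content)
{
	struct stat st;
	char tmp[4096];
	mode_t mode = 0644;		/* used only when there is no original */
	int have_orig, fd, ok = 1;
	size_t left = strlen(content);
	const char *p = content;

	have_orig = (stat(path, &st) == 0);
	if (have_orig)
		mode = st.st_mode & 07777;
	if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
		return -1;
	/* O_EXCL: refuse to follow a symlink pre-planted at the temp name */
	fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd < 0)
		return -1;
	while (ok && left > 0) {
		ssize_t w = write(fd, p, left);
		if (w <= 0) {
			ok = 0;
		} else {
			p += w;
			left -= (size_t)w;
		}
	}
	if (ok && have_orig && fchown(fd, st.st_uid, st.st_gid) != 0)
		ok = 0;
	if (ok && fchmod(fd, sanitize_mode(mode)) != 0)
		ok = 0;
	if (ok && fsync(fd) != 0)
		ok = 0;
	if (close(fd) != 0)
		ok = 0;
	if (ok && rename(tmp, path) != 0)
		ok = 0;
	if (!ok)
		unlink(tmp);
	return ok ? 0 : -1;
}

/* 1 if path is group- or world-writable, 0 if not, -1 if it cannot be stat'ed. */
int is_loosely_writable(const char *path)
{
	struct stat st;

	if (stat(path, &st) != 0)
		return -1;
	return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}
```

The mode and owner are applied to the open descriptor before the rename, so there is no window in which the new file is visible at its final name with the wrong permissions.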
bad
447613dc6a Print and check INTERNAL_NETMASK4. 2008-11-08 13:38:46 +00:00
bad
aabe06ab2f Make the handling of NAT-T SPD entries automatic. 2008-11-08 13:36:35 +00:00
bad
5a8370eefd Ensure that the determination of the default gateway and the corresponding
interface don't get confused by multiple, possibly non-IPv4  default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
2008-11-08 13:31:23 +00:00
wiz
a4814aed6a The escape sequence for a backslash is "\e". 2008-11-07 16:51:27 +00:00
reed
a455765d91 Use line continuation for an example. It was too wide for my output
so was cropped.

Already shared upstream and was told (in September) will be in next
major release.
2008-11-07 15:50:38 +00:00
vanhu
33dafe234f fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR 2008-11-06 14:12:28 +00:00
tteras
66f152db75 Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place. 2008-11-01 06:55:10 +00:00
spz
334414e667 Changes to ipsecdoi_id2str():
struct sockaddr -> struct sockaddr_storage fixes a stack overflow

For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-29 18:49:45 +00:00
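The two address-handling fixes above (sockaddr_storage instead of sockaddr, and a scope that is only read for link-local IPv6), together with the "ignore unspecified and loopback addresses" rule from the 2008-11-25 commit earlier on this page, as one added example that is not racoon's code. The parse and demo helpers, their names, and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* struct sockaddr is 16 bytes, struct sockaddr_in6 is 28: copying a v6
 * address into a local "struct sockaddr" overruns the stack slot, the bug
 * fixed above. sockaddr_storage is sized and aligned for every family. */
int copy_sockaddr(struct sockaddr_storage *dst, const struct sockaddr *src, socklen_t srclen)
{
	if (srclen > sizeof *dst)
		return -1;
	memset(dst, 0, sizeof *dst);
	memcpy(dst, src, srclen);
	return 0;
}

/* The zone index in sin6_scope_id is meaningful only for link-local
 * addresses; for anything else the field is unspecified and may hold
 * garbage, so report 0 rather than passing it on. */
uint32_t addr_scope(const struct sockaddr_storage *ss)
{
	struct sockaddr_in6 s6;

	if (ss->ss_family != AF_INET6)
		return 0;
	memcpy(&s6, ss, sizeof s6);	/* copy out: no aliasing through the cast */
	if (IN6_IS_ADDR_LINKLOCAL(&s6.sin6_addr) ||
	    IN6_IS_ADDR_MC_LINKLOCAL(&s6.sin6_addr))
		return s6.sin6_scope_id;
	return 0;
}

/* Addresses a daemon should not bind: 0.0.0.0 / :: (would collide with the
 * specific listeners) and loopback. Unknown families are treated as unusable. */
int addr_is_unspecified_or_loopback(const struct sockaddr_storage *ss)
{
	if (ss->ss_family == AF_INET) {
		struct sockaddr_in s4;
		uint32_t a;

		memcpy(&s4, ss, sizeof s4);
		a = ntohl(s4.sin_addr.s_addr);
		return a == INADDR_ANY || (a >> 24) == 127;	/* 0.0.0.0 or 127/8 */
	}
	if (ss->ss_family == AF_INET6) {
		struct sockaddr_in6 s6;

		memcpy(&s6, ss, sizeof s6);
		return IN6_IS_ADDR_UNSPECIFIED(&s6.sin6_addr) ||
		    IN6_IS_ADDR_LOOPBACK(&s6.sin6_addr);
	}
	return 1;
}

/* Parse textual v4/v6 input (constructed for the demo) into ss; scope is
 * applied to IPv6 only. Returns 0, or -1 if the text is not an address. */
int parse_ss(const char *text, uint32_t scope, struct sockaddr_storage *ss)
{
	struct sockaddr_in s4;
	struct sockaddr_in6 s6;

	memset(&s4, 0, sizeof s4);
	memset(&s6, 0, sizeof s6);
	if (inet_pton(AF_INET, text, &s4.sin_addr) == 1) {
		s4.sin_family = AF_INET;
		return copy_sockaddr(ss, (const struct sockaddr *)&s4, sizeof s4);
	}
	if (inet_pton(AF_INET6, text, &s6.sin6_addr) == 1) {
		s6.sin6_family = AF_INET6;
		s6.sin6_scope_id = scope;
		return copy_sockaddr(ss, (const struct sockaddr *)&s6, sizeof s6);
	}
	return -1;
}

long scope_for(const char *text, uint32_t scope)
{
	struct sockaddr_storage ss;

	if (parse_ss(text, scope, &ss) != 0)
		return -1;
	return (long)addr_scope(&ss);
}

int should_ignore(const char *text)
{
	struct sockaddr_storage ss;

	if (parse_ss(text, 0, &ss) != 0)
		return -1;
	return addr_is_unspecified_or_loopback(&ss);
}
```

`copy_sockaddr()` takes the length explicitly because the caller, not `struct sockaddr`, knows how large the source really is; a length check there is what replaces the silent overflow.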
tteras
0c1f013cc5 Fix commit dates to reflect reality. 2008-10-28 19:03:27 +00:00
hubertf
11236c9878 Make sshd find the xauth program, even with the new /usr/X11R7.
OK'd by christos@
2008-10-27 08:27:04 +00:00
tteras
ed890caaae From Arnaud Ebalard:
Add missing return to error path
2008-10-27 06:27:05 +00:00
tteras
3ff331469e From Francis Dupont (sent by Arnaud Ebalard):
recognize RTM_IFANNOUNCE
2008-10-27 06:24:27 +00:00
tteras
a06fc42a2e From Arnaud Ebalard:
Fix indentation issues for readability
2008-10-27 06:21:29 +00:00
tteras
b186d55b63 From Arnaud Ebalard:
initfds() needs to be called only if monitored file descriptor numbers
have changed
2008-10-27 06:18:08 +00:00
tteras
38962f77a8 From Arnaud Ebalard:
Remove duplicate declaration
2008-10-27 06:14:04 +00:00
adrianp
1e802db977 Pull in a fix from the OpenSSL CVS:
http://cvs.openssl.org/filediff?f=openssl/crypto/x509/x509_att.c&v1=1.14&v2=1.15
This should fix PR #39767 opened by Wolfgang Solfrank
2008-10-25 12:11:47 +00:00
tteras
ede27c75ad From Krzysztof Piotr Oledzki <olel@ans.pl>:
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
2008-10-23 10:56:10 +00:00
apb
96230fab84 Use ${TOOL_AWK} instead of ${AWK} or plain "awk" in make commands.
Pass AWK=${TOOL_AWK:Q} to shell scripts that use awk.
2008-10-19 22:05:19 +00:00
tteras
ab610e81be Fix a spelling mistake in changelog 2008-10-09 16:44:31 +00:00
tteras
52d4b7db25 From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2() 2008-10-09 15:53:12 +00:00
tteras
c724d51982 From Arnoud Ebalard <arno@natisbad.org>:
remove unnecessary unbindph12() call which is now done also in remph2()
2008-10-09 15:53:11 +00:00
vanhu
105e5049b7 Fixed resending mechanism to have non-ESP marker for retransmitted packets 2008-09-25 09:34:13 +00:00
wiz
e829b0a440 New sentence, new line. 2008-09-19 17:33:24 +00:00
tteras
d1a09d5477 Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.
2008-09-19 11:14:49 +00:00
tteras
fbf62026bb Change struct sched to be allocated by the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
2008-09-19 11:01:08 +00:00
christos
7a75c9a543 PR/39233: Taylor R Campbeel: OpenSSH fails to initialize tun(4) tunnels
correctly.
2008-09-17 15:45:50 +00:00
vanhu
b383a5b3e4 Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs 2008-09-17 12:39:07 +00:00
vanhu
954f7757c0 Some calls to set_port() were not correctly updated in the previous commit 2008-09-09 11:50:42 +00:00
vanhu
a20b313ea8 From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff. 2008-09-03 16:08:26 +00:00
vanhu
4ead39ef24 Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff 2008-09-03 16:08:25 +00:00
tteras
dbd3f137ba - Fix reloading of SPD (Linux satype check, handling of SPD dump responses)
- Remove some spurious error log message from extract_port()
2008-09-03 09:57:28 +00:00
lukem
b926b61a73 Comment out __RCSID; this is a host tool and we don't need the Id in the binary.
Fixes cross-build issue on RHEL5-like Linux.

Arguably we shouldn't even #include <config.h> because that's been created
for the NetBSD target and not the (possibly non-NetBSD) host system,
but that hasn't caused problems so far so I'll leave it for now.
2008-09-03 07:10:55 +00:00
gmcgarry
dc1f2ff2f9 Eliminate gcc-specific feature of empty structures. 2008-08-29 00:31:37 +00:00
gmcgarry
f3a85cb801 Eliminate superfluous semicolon. 2008-08-29 00:31:00 +00:00
gmcgarry
b4e2d1afdf Eliminate gcc-specific feature of unnamed structures added recently. 2008-08-29 00:30:15 +00:00
vanhu
163d7169c0 From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator. 2008-08-12 12:45:55 +00:00
vanhu
32468f64a1 Remove ph1handler if we received an invalid first exchange from initiator 2008-08-12 12:45:54 +00:00
tteras
191869cf2a From Krzysztof Piotr Oledzki:
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
2008-08-06 19:14:28 +00:00
simonb
5a3c2f6809 Revert the HPN changes that added verbose "Max throughput" summary
after scp(1) finishes.
2008-08-05 14:13:34 +00:00
veego
cca63e16c3 Restore .hx support for avoiding unneeded regeneration of header files
Fix PR lib/39185

Partly restore the changes which were removed during the Heimdal 1.1 update:
src/lib/libasn1/Makefile 1.28 -> 1.29
src/lib/libhdb/Makefile 1.21 -> 1.22
src/crypto/dist/heimdal/lib/asn1/gen.c 1.8 -> 1.9

Add .hx support in 'new' heimdal libraries:
src/lib/libgssapi/Makefile
src/lib/libhx509/Makefile

Add a new entry in doc/HACKS for these changes.
2008-08-03 07:16:58 +00:00
mgrooms
9ef0a25aeb Add some missing ifdefs required for non-radius enabled builds. 2008-07-23 17:36:00 +00:00
tteras
4521811287 Do not use GNU make specific extension. 2008-07-23 13:53:08 +00:00
tteras
28aa26f3de Do flex/bison invocation in a more standard way, and keep the generated
files in the dist tarball.
2008-07-23 09:06:51 +00:00
vanhu
826c52702d From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal. 2008-07-22 13:25:18 +00:00
vanhu
754d7776f7 fixed some memory leaks, when malloc fails or when peer sends invalid proposals 2008-07-22 13:25:17 +00:00
mgrooms
fd9755072f Add an optional radius configuration section to the racoon.conf file. This
is similar to the LDAP configuration section and overrides settings in
the system radius configuration file.
2008-07-22 01:30:02 +00:00
tron
0cc0bec23e Correct typo to fix the build. 2008-07-21 09:43:03 +00:00
tteras
ca3b7c5a9f Separate generic vendor id handling to a new function and use it. 2008-07-21 06:26:06 +00:00
tteras
7a1c3cb1b8 Do not set default gss id if xauth is used, otherwise gss-id attribute
might be sent even if it was not requested.
2008-07-21 06:24:29 +00:00
mgrooms
879eeb1025 Fix a typo that prevented racoon from building with hybrid enabled. 2008-07-15 02:16:58 +00:00
mgrooms
6353d50296 Update changelog which was missed in my previous commit. 2008-07-15 00:53:36 +00:00
mgrooms
8f0b3482bc Fix a conflict with the FreeBSD 8 system hexdump function. 2008-07-15 00:47:09 +00:00
tteras
56a42db6a6 Handle RESPONDER-LIFETIME notification in quick mode. 2008-07-14 05:45:15 +00:00
tteras
583275a951 Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.
2008-07-14 05:40:13 +00:00
tteras
75bc4bd6cd Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00
tteras
7f51b6fe42 From Chong Peng:
fix a file descriptor and memory leak on configuration file reread
2008-07-09 12:16:50 +00:00
vanhu
d20c6ed916 From Timo Teras: fix some %d to %zu (size_t values) 2008-07-02 14:46:27 +00:00
vanhu
874968c865 fixed some %d to %zu (size_t values) 2008-07-02 14:46:26 +00:00
christos
a494eea816 Add an ifdef to disable the AES_CTR_MT cipher because static binaries don't
work with -pthread, and /rescue is linked against libssh.
2008-06-23 14:51:31 +00:00
christos
80a665de90 Add the HPN patch for ssh:
http://www.psc.edu/networking/projects/hpn-ssh/
2008-06-22 15:42:50 +00:00
wiz
bf3ddb193b Bump date for previous. 2008-06-18 07:40:16 +00:00
mgrooms
93c1205f96 Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras. 2008-06-18 07:12:04 +00:00
mgrooms
c47cb1615c Add an admin port command to retrieve the peer certificate. Submitted by
Timo Teras.
2008-06-18 07:12:03 +00:00
mgrooms
01e8cc1e5d Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras. 2008-06-18 07:04:23 +00:00
mgrooms
5d397c5ba5 Set sockets to be closed on exec to avoid potential file descriptor
inheritance issues. Submitted by Timo Teras.
2008-06-18 07:04:22 +00:00
mgrooms
7598372e37 Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras. 2008-06-18 06:47:25 +00:00
mgrooms
2c40396f3a Use utility functions to evaluate or manipulate network port values. No
functional changes. Submitted by Timo Teras.
2008-06-18 06:47:24 +00:00
mgrooms
7dac642960 Admin port code cleanup. No functional changes. Submitted by Timo Teras. 2008-06-18 06:27:49 +00:00
mgrooms
18fc645e9a Admin port code cleanup. No functional changes. Submitted by Timo Teras. 2008-06-18 06:27:48 +00:00
mgrooms
9345b05cc4 Correct a phase2 status event. Submitted by Timo Teras. 2008-06-18 06:11:38 +00:00
mgrooms
b163716d45 Correct a phase2 status event. Submitted by Timo Teras. 2008-06-18 06:11:37 +00:00
tls
f5792c6ee8 Apply patch from Darryl Miles which adjusts SSL_shutdown's behavior for
non-blocking BIOs so that it is sane -- so that, in other words, -1 with
a meaningful library error code (WANT_READ or WANT_WRITE) is returned
when we would block for I/O.  Without this change, you have to sleep or
spin -- you can't know how to put the underlying socket in your select
or poll set.

Patch from http://marc.info/?l=openssl-dev&m=115154030723033&w=2 and
rationale at http://marc.info/?l=openssl-dev&m=115153998821797&w=2 where
sadly they were overlooked by the OpenSSL team for some time.  It is hoped
that now that we've brought this change to their attention they will
integrate it into their sources and we can lose the local change in
NetBSD.
2008-06-10 19:45:00 +00:00
tonnerre
31197b7671 Fix two Denial of Service vulnerabilities in OpenSSL:
- Fix flaw if server key exchange message is omitted from a TLS handshake
  which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a
  remote crash.

Fixes CVE-2008-1672.
2008-06-05 15:30:10 +00:00
christos
90318d80f4 PR/38728: Tomoyuki Okazaki: Enable Camellia 2008-05-26 16:39:45 +00:00
christos
a41e5a83be Add coverity alloc comment. 2008-05-24 20:07:00 +00:00
christos
cfb67f710f add a coverity alloc comment. 2008-05-24 20:05:52 +00:00
christos
e520f14ae6 Coverity CID 5003: Fix memory leak. 2008-05-24 20:00:07 +00:00
christos
e3ee1b22da Coverity CID 5004: Fix double free. 2008-05-24 19:58:01 +00:00
christos
78dc0fbbfc Add a coverity alloc comment. 2008-05-24 19:54:43 +00:00
christos
13ebcc71fb Add a coverity alloc comment 2008-05-24 19:52:36 +00:00
christos
c2e438738f Coverity CID 5007: Avoid double free. 2008-05-24 19:48:27 +00:00
christos
677bd71b1f Add a coverity allocation comment. 2008-05-24 19:46:32 +00:00
christos
66009f62a3 Coverity CID 5010: Avoid buf[-1] = '\0' on error. 2008-05-24 19:32:28 +00:00
christos
aa3b40a116 Coverity CID 5018: Fix double frees. 2008-05-24 18:39:40 +00:00
christos
b6c10a6fe5 avoid using free_func as an argument because it is already a typedef. 2008-05-10 16:52:05 +00:00
christos
33d34d249c fix version string 2008-05-09 22:10:19 +00:00
christos
2149db96e3 resolve conflicts 2008-05-09 21:49:39 +00:00
christos
b69a53abf2 import today's snapshot! Hi <tls> 2008-05-09 21:34:04 +00:00
manu
2a499f37b6 From Christian Hohnstaedt: allow out of tree building 2008-05-08 12:24:50 +00:00