jym
c8b47a469d
Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.
Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).
This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.
No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.
Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.
Notified on netbsd-users@, no objection after a week -- committed.
2013-10-06 17:25:34 +00:00
christos
5ede7f76d1
add libcrypto; needed by new binutils
2013-09-29 13:34:37 +00:00
joerg
975a152cfc
If a library needs a symbol from another library, pull that library in
explicitly, even if the DT_NEEDED closure would normally already ensure
the presence.
2013-09-11 23:04:09 +00:00
joerg
a7c89b6e01
Add dependency on libz and libbz2.
2013-09-11 09:57:09 +00:00
riastradh
1239c2bb08
Publish explicit_memset and consttime_memequal in userland libc.
Remove the double-underscore from the userland versions, and do the
weak alias dance instead, now that these are public parts of libc.
As discussed on tech-userlevel:
https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
(option 3)
2013-08-28 17:47:07 +00:00
riastradh
cc79193075
Fix sense of consttime_memequal and update all callers.
Now it returns true (nonzero) to mean equal and false (zero) to mean
unequal, as the name suggests.
As promised on tech-userlevel back in June:
https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
2013-08-28 15:24:41 +00:00
joerg
44ed6e91de
Prefer "." for the current address and not the PPC specific "$".
2013-08-04 17:15:21 +00:00
tls
14b0477b50
Re-check the entropy level after we call RAND_poll(), so that we do
not continuously suck data out of /dev/urandom if we receive a stream
of requests larger than the initial-entropy threshold (hi Roland!).
2013-07-28 14:13:29 +00:00
wiz
a5684d07dd
Use Mt for email addresses.
2013-07-20 21:39:55 +00:00
tteras
2d9f2eda4f
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Export phase1
remote address as Radius Calling-Station-Id.
2013-07-19 10:54:52 +00:00
christos
a2f4868d2a
add RTM_LOSING, RTM_REDIRECT
2013-07-18 17:02:58 +00:00
tteras
4595769cee
From Sven Vermeulen <sven.vermeulen@siphos.be>: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.
2013-07-12 13:11:50 +00:00
joerg
9e69720425
Fix violations of the sequence point rule.
2013-06-28 15:04:35 +00:00
riastradh
82db4b9858
Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.
Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
christos
c59ba37534
Add an option --enable-wildcard-match to enable wildcard matching and explain
why we might want it and why it is a bad idea in general; that's why it is
not enabled by default. ok tteras@, manu@
2013-06-20 15:41:18 +00:00
tteras
4f62ef74bd
From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.
2013-06-18 05:39:50 +00:00
christos
54da44c072
Accept - as stdin
Be nice and let the user know which file it could not open.
2013-06-14 16:29:14 +00:00
tteras
05fbc8efab
From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port
establish-sa for tunnel mode SAs.
2013-06-03 05:49:31 +00:00
tteras
fdd5bac4fc
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Fix
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).
------------------------
2013-05-23 05:42:29 +00:00
elric
3966285084
AUTHCID is optional for the GSSAPI mechanism.
2013-05-16 13:02:12 +00:00
elric
cdfc977bf0
principals have principles.
2013-05-14 15:33:21 +00:00
mlelstv
34b99be967
The previous patch didn't apply cleanly, because our code doesn't
use #ifdef OPENSSL_HAS_ECC.
Apply manually.
Drop now unused len variable.
2013-05-14 05:18:11 +00:00
christos
c8fbe6c64a
use explicit_bzero instead of memset to zero memory
2013-05-10 16:39:25 +00:00
christos
6fd620669a
remove error(1) output.
2013-05-10 16:38:47 +00:00
mbalmer
b1090dff8a
racoon default config is in /etc/racoon/racoon.conf
2013-05-08 20:03:02 +00:00
mlelstv
e976afb5c5
Identityfile warnings fixes.
https://bugzilla.mindrot.org/show_bug.cgi?id=2084
2013-04-29 17:59:50 +00:00
christos
90a83642c1
restore logging behavior: don't treat user disconnect messages as errors,
just log them.
2013-04-25 20:10:28 +00:00
joerg
8d7f62402c
Use __dead.
2013-04-12 18:09:30 +00:00
joerg
e29eeb0057
Add __printflike.
2013-04-12 18:09:19 +00:00
joerg
f1ca729c04
Don't force pthread linkage.
2013-04-12 18:08:10 +00:00
tteras
32d6075c95
From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Do not send out
illegal zero length MODE_CFG attributes.
2013-04-12 10:03:45 +00:00
tteras
3d2760a386
Some logging improvements.
2013-04-12 09:53:10 +00:00
christos
ce11a51f1d
welcome to openssh-6.2
2013-03-29 16:19:44 +00:00
christos
d2a9b9efd7
from openbsd
2013-03-29 14:52:38 +00:00
agc
ca99397396
fix some lint on i386, noticed by Greg Troxel, thanks!
2013-03-19 01:00:16 +00:00
riastradh
6641d1f9ad
Touch e_aes.c to force a rebuild with new compiler flags for AES-NI.
2013-02-18 21:20:50 +00:00
riastradh
249c85457d
Fix build goo for OpenSSL AES-NI support.
OpenSSL now supports AES-NI in evp, not in an engine. We can now get
rid of the no longer maintained aesni engine, which was broken last
summer. Not only can OpenSSL now use AES-NI for everything it did
before we broke it last summer, but it can also use AES-NI for more
encryption modes than before, such as CTR.
Tested on amd64, both vanilla and in an i386 chroot.
ok christos
2013-02-18 21:15:25 +00:00
christos
82e8c5f133
need bsd.own.mk
2013-02-12 20:55:37 +00:00
christos
b261027db1
mv the MKCRYPTO protection higher; ideally should be at the top for this
2013-02-12 20:31:13 +00:00
christos
a7c38cbf62
merge in 1.0.1e
2013-02-12 19:52:11 +00:00
christos
5f71164a5e
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]
2013-02-12 19:10:49 +00:00
christos
fdbbeac71e
remove obsolete file
2013-02-08 22:37:14 +00:00
christos
6b8892b719
fix generation
2013-02-08 15:22:03 +00:00
matt
e67266a84f
Change bclr 14,2 to beqlr
2013-02-08 03:05:43 +00:00
christos
1e387e93ca
descend!
2013-02-08 01:54:20 +00:00
christos
a6b0cd16cd
commit the new man page.
2013-02-07 17:30:08 +00:00
christos
0e9a2dbd88
one more page
2013-02-07 16:48:28 +00:00
christos
f496c772c6
reorg and add missing file.
2013-02-06 17:03:51 +00:00
christos
ffecf7319c
bump and add extra file
2013-02-05 23:38:46 +00:00
christos
523f268b9f
merge changes
2013-02-05 21:31:23 +00:00