Commit Graph

2419 Commits

Author SHA1 Message Date
jym
c8b47a469d Enable VerifyHostKeyDNS (SSHFP records verification) from DNS for hosts
under NetBSD.org domain.

Multiple TNF hosts have an up-to-date SSHFP record inside the DNS.
This offers a second channel verification for host key fingerprints
(weaker than known_hosts, but spoofing a host on first connect would
also require DNS forgery).

This can provide a trusted second channel (like DANE TLSA records) once
DNSSEC gets more widely used, but for now it is purely informational.

No regression expected, except that the ssh client will print a message
upon first connect to confirm/infirm that it got a correct SSHFP record
from DNS.

Only done for NetBSD.org domain, SSHFP are sadly more an exception than
the rule.

Notified on netbsd-users@, no objection after a week -- committed.
2013-10-06 17:25:34 +00:00
christos
5ede7f76d1 add libcrypto; needed by new binutils 2013-09-29 13:34:37 +00:00
joerg
975a152cfc If a library needs a symbol from another library, pull that library in
explicitly, even if the DT_NEEDED closure would normally already ensure
the presence.
2013-09-11 23:04:09 +00:00
joerg
a7c89b6e01 Add dependency on libz and libbz2. 2013-09-11 09:57:09 +00:00
riastradh
1239c2bb08 Publish explicit_memset and consttime_memequal in userland libc.
Remove the double-underscore from the userland versions, and do the
weak alias dance instead, now that these are public parts of libc.

As discussed on tech-userlevel:

https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
(option 3)
2013-08-28 17:47:07 +00:00
riastradh
cc79193075 Fix sense of consttime_memequal and update all callers.
Now it returns true (nonzero) to mean equal and false (zero) to mean
inequal, as the name suggests.

As promised on tech-userlevel back in June:

https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
2013-08-28 15:24:41 +00:00
joerg
44ed6e91de Prefer "." for the current address and not the PPC specific "$". 2013-08-04 17:15:21 +00:00
tls
14b0477b50 Re-check the entropy level after we call RAND_poll(), so that we do
not continuously suck data out of /dev/urandom if we receive a stream
of requests larger than the initial-entropy threshold (hi Roland!).
2013-07-28 14:13:29 +00:00
wiz
a5684d07dd Use Mt for email addresses. 2013-07-20 21:39:55 +00:00
tteras
2d9f2eda4f From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Export phase1
remote address as Radius Calling-Station-Id.
2013-07-19 10:54:52 +00:00
christos
a2f4868d2a add RTM_LOSING, RTM_REDIRECT 2013-07-18 17:02:58 +00:00
tteras
4595769cee From Sven Vermeulen <sven.vermeulen@siphos.be>: Moves ploginit() up,
allowing logging events from init_avc() to show up as well.
2013-07-12 13:11:50 +00:00
joerg
9e69720425 Fix violations of the sequence point rule. 2013-06-28 15:04:35 +00:00
riastradh
82db4b9858 Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.

Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
christos
c59ba37534 Add an option --enable-wildcard-match to enable wildcard matching and explain
why we might want it and why it is a bad idea in general that's why it is
not enabled by default. ok tteras@, manu@
2013-06-20 15:41:18 +00:00
tteras
4f62ef74bd From Paul Barker: Remove redundant memset after calloc that caused compile
failures with gcc 4.8 due to error: argument to 'sizeof' in 'memset' call
is the same expression as the destination; did you mean to dereference.
2013-06-18 05:39:50 +00:00
christos
54da44c072 Accept - as stdin
Be nice and let the user know which file it could not open.
2013-06-14 16:29:14 +00:00
tteras
05fbc8efab From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port
establish-sa for tunnel mode SAs.
2013-06-03 05:49:31 +00:00
tteras
fdd5bac4fc From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Fix
SADB_X_EALG_CASTCBC definition to use system definition (which
differs at least on Linux).
------------------------
2013-05-23 05:42:29 +00:00
elric
3966285084 AUTHCID is optional for the GSSAPI mechanism. 2013-05-16 13:02:12 +00:00
elric
cdfc977bf0 principals have principles. 2013-05-14 15:33:21 +00:00
mlelstv
34b99be967 The previous patch didn't apply cleanly, because our code doesn't
use #ifdef OPENSSL_HAS_ECC.
Apply manually.
Drop now unused len variable.
2013-05-14 05:18:11 +00:00
christos
c8fbe6c64a use explicit_bzero instead of memset to zero memory 2013-05-10 16:39:25 +00:00
christos
6fd620669a remove error(1) output. 2013-05-10 16:38:47 +00:00
mbalmer
b1090dff8a racoon default config is in /etc/racoon/racoon.conf 2013-05-08 20:03:02 +00:00
mlelstv
e976afb5c5 Identityfile warnings fixes.
https://bugzilla.mindrot.org/show_bug.cgi?id=2084
2013-04-29 17:59:50 +00:00
christos
90a83642c1 restore logging behavior: don't treat user disconnect messages as errors,
just log them.
2013-04-25 20:10:28 +00:00
joerg
8d7f62402c Use __dead. 2013-04-12 18:09:30 +00:00
joerg
e29eeb0057 Add __printflike. 2013-04-12 18:09:19 +00:00
joerg
f1ca729c04 Don't force pthread linkage. 2013-04-12 18:08:10 +00:00
tteras
32d6075c95 From Rainer Weikusat <rweikusat@mobileactivedefense.com>: Do not send out
illegal zero length MODE_CFG attributes.
2013-04-12 10:03:45 +00:00
tteras
3d2760a386 Some logging improvements. 2013-04-12 09:53:10 +00:00
christos
ce11a51f1d welcome to openssh-6.2 2013-03-29 16:19:44 +00:00
christos
d2a9b9efd7 from openbsd 2013-03-29 14:52:38 +00:00
agc
ca99397396 fix some lint on i386, noticed by Greg Troxel, thanks! 2013-03-19 01:00:16 +00:00
riastradh
6641d1f9ad Touch e_aes.c to force a rebuild with new compiler flags for AES-NI. 2013-02-18 21:20:50 +00:00
riastradh
249c85457d Fix build goo for OpenSSL AES-NI support.
OpenSSL now supports AES-NI in evp, not in an engine.  We can now get
rid of the no longer maintained aesni engine, which was broken last
summer.  Not only can OpenSSL now use AES-NI for everything it did
before we broke it last summer, but it can also use AES-NI for more
encryption modes than before, such as CTR.

Tested on amd64, both vanilla and in an i386 chroot.

ok christos
2013-02-18 21:15:25 +00:00
christos
82e8c5f133 need bsd.own.mk 2013-02-12 20:55:37 +00:00
christos
b261027db1 mv the MKCRYPTO protection higher; ideally should be at the top for this 2013-02-12 20:31:13 +00:00
christos
a7c38cbf62 merge in 1.0.1e 2013-02-12 19:52:11 +00:00
christos
5f71164a5e Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]
2013-02-12 19:10:49 +00:00
christos
fdbbeac71e remove obsolete file 2013-02-08 22:37:14 +00:00
christos
6b8892b719 fix generation 2013-02-08 15:22:03 +00:00
matt
e67266a84f Change bclr 14,2 to beqlr 2013-02-08 03:05:43 +00:00
christos
1e387e93ca descend! 2013-02-08 01:54:20 +00:00
christos
a6b0cd16cd commit the new man page. 2013-02-07 17:30:08 +00:00
christos
0e9a2dbd88 one more page 2013-02-07 16:48:28 +00:00
christos
f496c772c6 reorg and add missing file. 2013-02-06 17:03:51 +00:00
christos
ffecf7319c bump and add extra file 2013-02-05 23:38:46 +00:00
christos
523f268b9f merge changes 2013-02-05 21:31:23 +00:00