eb0c1ab347
small cleanups:
...
1. lint annotations
2. some size_t
3. remove silly breaks
2009-01-24 19:42:20 +00:00
6568aa2748
No, our openssl _encrypt routines do not take a *size_t as the 6th
...
argument, they take an *int, and those are not necessarily compatible.
Papering that over with a cast just gets us a warning that
de-referencing a type-punned pointer will break strict-aliasing
rules, which is turned into an error by our WARNS setting.
Instead, change the "num" field in _opt_crypt_t from size_t to int, and
get rid of the now-redundant casts.
2009-01-24 12:51:11 +00:00
99bb07565a
Print size_t values using %zd printf format, not %d.
2009-01-24 12:07:44 +00:00
58b2161948
Sort options in usage.
2009-01-24 10:43:47 +00:00
a8e14ecee0
Sort options. New sentence, new line.
2009-01-24 10:43:38 +00:00
86a90d6c4e
Sort options.
2009-01-24 10:42:31 +00:00
df41ea2ee2
Add the build glue and sets information for the libopenpgpsdk library, and
...
the openpgp binary.
2009-01-24 01:15:24 +00:00
ea48522368
Forgot a file in big commit from yesterday:
...
when matching userid, cheecck if the given userid has a '@' in it.
If so, treat it as an email address, and search for a case-insensitivee
match for the text in between '<' and '>' delimiters.
Otherwise, look for a case insensitive match on the full name.
2009-01-23 17:30:52 +00:00
e9d216a40d
Update usage and manpage for racoonctl.
2009-01-23 11:44:08 +00:00
c6d64c37e0
Racoon -v to print version and compilation information. Update usage
...
message.
2009-01-23 11:28:27 +00:00
1f949d3b6c
Update NEWS with major changes since 0.7 release.
2009-01-23 09:40:56 +00:00
731a29e03b
Fix monotonic scheduler change, to not refresh 'now' before exit. Otherwise
...
we can return negative timeout after spending time handling other events.
2009-01-23 09:10:13 +00:00
7bc9f9e4ee
From Arnaud Ebalard:
...
Handle reception of MIGRATE message during Phase 1 and Phase 2 negotiation.
Also corrects some debugging statements.
2009-01-23 08:32:58 +00:00
b9ba86c968
From Arnaud Ebalard:
...
On the responder (for instance), there is a need to not only migrate local
and remote addresses of Phase 1 that match previous addresses but also
the local and remote addresses of a Phase 1 *associated* with a migrated
Phase 2. For instance, we have that need when receiving the first
MIGRATE/KMADDRESS message because the old addresses are still the HoA and
the address of the HA (while the peer has contacted us using the CoA and
we have negotiated this address as src attribute in Phase 2). The patch
fixes that by having migrate_ph1_ike_addresses() called from
migrate_ph2_ike_addresses() callback.
2009-01-23 08:29:34 +00:00
54bcc916f5
From Arnaud Ebalard: Set phase2 spid when acting as responder.
2009-01-23 08:27:24 +00:00
5d5e4e2fa3
Detect if monotonic system clock is available, and use it for relative
...
time measurements to avoid complite hang if time jumps backwards.
2009-01-23 08:25:06 +00:00
49c6438a45
Fix authentication method ambiguity by internally using unique ID and
...
setting/interpreting the wire format based on received vendor ID:s. Fixes
trac #280 .
2009-01-23 08:23:51 +00:00
69697b4655
Introduce vendorid bitmask that can be used otherwhere to detect peer
...
capabilities.
2009-01-23 08:06:56 +00:00
2b7d4cd554
Remove "fastquit" configure option and make it the default behaviour. The
...
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.
2009-01-23 08:05:58 +00:00
0306a7c61f
Massive overhaul of openpgp.c, the driver program for the openpgpsdk
...
library.
A good signature verification now shows the filename, time of signing,
and the public keys of the signatories.
Made the interface much more standard by using any argv components after
the options have been parsed to indicate files, rather than a single
--file=filename long option.
Get rid of all assert() calls in the program - dumping core when an
argument is missing is a trifle uncompromising.
When matching userids, if the given userid contains a '@' character,
consider all characters from the rightmost '<' to the terminating
'>' of the file-based userid to be an email address. If there's no
'@' character, consider the given name as a real name, and match
from the start of the file-based userid. All comparisons are done
using case-insensitive searching. I'll consider implementing regexp
matching when enough chocolate bribes are received.
Rework the internals to call a major internal function, rather than doing
everything in main().
Run the results of all this through indent, since the current sources
bear little resemblance to what went before.
2009-01-23 06:07:18 +00:00
d0750f9b83
Convert another commented out printf() to a debugging statement
2009-01-22 01:46:51 +00:00
29726fdfea
When reading a keyring, often the failure of the initial limited_read_mpi()
...
when parsing a DSA signature means that we've reached the end of the keyring,
so only print out the annoying error message if we're debugging.
2009-01-22 01:45:59 +00:00
c785cc907d
If the user hasn't passed the pass phrase in as a command line argument
...
(not such a great idea), use getpass() to get the passphrase.
Various debugging additions.
When verifying files, print out the file name which was verified, and exit
with either EXIT_FAILURE or EXIT_SUCCESS, depending upon the verification
result. This still needs to be reworked to print out the signatory to the
file, and the date of signing.
2009-01-22 01:43:35 +00:00
d26c2431dd
Don't rely on a convenience macro when expanding a macro definition.
2009-01-22 01:01:47 +00:00
dba5f8d52a
When listing keys, if a key ring has been specified, list the keys in
...
that key ring. If no key ring has been specified, list the keys in
the default public key ring, rather than dying with a usage message.
Matches gpg behaviour, and stops openpgp violating the POLA.
2009-01-22 00:59:12 +00:00
da7f9470ea
Convert commented out printf() statements into proper debugging statements
2009-01-22 00:56:13 +00:00
67c903aedc
Add more debugging information
2009-01-22 00:55:15 +00:00
0e88dfdc76
do the PRINTOBJDIR dance to find the (potentially uninstalled) library
...
in ../lib (just like we do many other apps)
2009-01-22 00:22:20 +00:00
9b100d5b4e
don't need LDADD here; LIBDPLIBS does the right thing
2009-01-22 00:20:58 +00:00
87e4630751
descend into lib first
2009-01-22 00:13:19 +00:00
b8a38f2310
update paths
2009-01-22 00:01:52 +00:00
b3b80bc7d6
Fix a typo when printing the type of trust
2009-01-21 22:29:04 +00:00
bbfe341047
gmtime(3) returns a pointer to a struct tm with a month value in the
...
range [0,11], so add 1 to this to get a useful value for human
interpretation.
2009-01-21 20:17:14 +00:00
1dbcf9a927
Avoid leaking storage in one function.
...
Set USE_FORT to yes, and fix the fallout.
2009-01-21 15:35:00 +00:00
c80363d779
WARNS=4 (w00t, no changes necessary)
2009-01-21 07:08:10 +00:00
644e4c1f7f
Build the openpgpsdk library with WARNS=3
2009-01-21 05:48:56 +00:00
1cf88afccb
Fix WARNS=2 warnings (shadow vars again), but don't switch WARNS=2 on for
...
the application, since WARNS=2 includes fatal warnings when linking, and we
get a warning about IDEA being a patented algorithm.
2009-01-21 03:37:12 +00:00
6dfd9b1804
WARNS=2 for the library build
2009-01-21 03:32:08 +00:00
5bc2794550
WARNS=2 (mainly shadow variable declarations)
2009-01-21 03:31:22 +00:00
2626a640dd
Previously debugging information seems to have been output by editing a
...
static variable and recompiling. Make this a bit more dynamic, adding a
--debug "filename" argument to the application, and by using a filename-
based debug framework to replicate previous behavior. Multiple filenames
can be provided.
In addition, add more debugging information by printing out the human
values of signature type and key algorithm when parsing packets.
2009-01-21 01:32:54 +00:00
84ce5f6759
Restore the exit semantics of the original. If success, the exit code is
...
EXIT_SUCCESS. If failure, exit code is EXIT_FAILURE. (Duh). If an error
has occurred, use an exit code of 2.
2009-01-21 01:27:55 +00:00
4442e07493
Add the dependent libs to the openpgpsdk library itself, rather than making
...
any program that uses the library specifically add them.
Install header files in the appropriate place
2009-01-20 19:48:23 +00:00
f6ab492fbf
Use EXIT_* error codes rather than numeric constants
2009-01-20 19:46:08 +00:00
35a399083a
Get rid of a file that's not used
2009-01-20 19:44:42 +00:00
c86c75ce57
Add a subdir Makefile to descend into openpgpsdk
2009-01-20 19:42:56 +00:00
68d230573c
The openpgp application breaks its own abstraction rules by including a
...
header file that is meant to be local, so that it can access the content
type of a packet. This change uses an accessor function to find the packet
content type.
2009-01-20 16:58:09 +00:00
2b68c3a06a
Autogenerate ChangeLog from NetBSD CVS. Put sourceforge.net changes to
...
ChangeLog.old.
2009-01-20 14:36:07 +00:00
0055cf2b60
Add a reachover framework for the openpgp application as well.
2009-01-20 07:50:54 +00:00
d4beb7925c
Remove duplicated functions
2009-01-20 07:35:26 +00:00
e4f17bf621
Also make shared lib
2009-01-20 07:34:42 +00:00
cba3672b08
Add a README file, derived form external/src/README, to describe the contents
...
of the tree rotted at this directory.
2009-01-20 07:15:30 +00:00
5e633613d2
Make this compile (WARNS=1) on NetBSD.
...
Add reachover library Makefile for the external framework.
2009-01-20 07:12:16 +00:00
9b993b5409
Missed this when removing old sources.
2009-01-20 06:49:14 +00:00
5c077856b5
Second initial import of openpgpsdk v0.9 into the external section of
...
the crypto sources, per conversation with core.
License is 3-clause BSD.
An OpenPGP library implementation (RSA and partial DSA), conformant
with RFC4880 "OpenPGP Message Format".
RSA Key Generation
* S2K Usage: ENCRYPTED_AND_HASHED
* S2K Specifier: SALTED
* Symmetric algorithm: CAST5
RSA Encryption
* Generates "Symmetrically Encrypted Integrity Protected
Data" packets (required by RFC)
* Hash: SHA1 (required by RFC)
* Symmetric Algorithm: CAST5 (hard-coded)
* Uses compression
* Optional ASCII armouring
RSA Decryption
* Symmetric Algorithm: CAST5, AES, AES256, 3DES
* Optional Compression: ZIP, ZLIB, BZIP2
* Optional ASCII armouring
RSA Signature
* Armoured, unarmoured or clearsigned
* Hash algorithm: SHA1
RSA Verification
* Armoured, unarmoured or clearsigned
* V3 or V4 signatures
* Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
DSA Signature
* Armoured, unarmoured or clearsigned
* Hash algorithms: SHA1
DSA Verification
* Armoured, unarmoured or clearsigned
* V3 or V4 signatures
* Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
2009-01-20 06:43:54 +00:00
32a7726202
Remove the botched import of the openpgpsdk sources. "They'll be back"
2009-01-20 06:36:37 +00:00
ca2dba9441
Make the library compile with WARNS=1
2009-01-12 23:00:00 +00:00
4ca3d4e421
Initial import of openpgpsdk v0.9 into the external section of the crypto
...
sources, per conversation with core.
License is 3-clause BSD.
An OpenPGP library implementation (RSA and partial DSA), conformant
with RFC4880 "OpenPGP Message Format".
RSA Key Generation
* S2K Usage: ENCRYPTED_AND_HASHED
* S2K Specifier: SALTED
* Symmetric algorithm: CAST5
RSA Encryption
* Generates "Symmetrically Encrypted Integrity Protected
Data" packets (required by RFC)
* Hash: SHA1 (required by RFC)
* Symmetric Algorithm: CAST5 (hard-coded)
* Uses compression
* Optional ASCII armouring
RSA Decryption
* Symmetric Algorithm: CAST5, AES, AES256, 3DES
* Optional Compression: ZIP, ZLIB, BZIP2
* Optional ASCII armouring
RSA Signature
* Armoured, unarmoured or clearsigned
* Hash algorithm: SHA1
RSA Verification
* Armoured, unarmoured or clearsigned
* V3 or V4 signatures
* Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
DSA Signature
* Armoured, unarmoured or clearsigned
* Hash algorithms: SHA1
DSA Verification
* Armoured, unarmoured or clearsigned
* V3 or V4 signatures
* Hash algorithms: SHA1, SHA256, SHA384, SHA512, SHA224
2009-01-12 22:55:41 +00:00
67cbe60826
Make ready for HTML output.
...
Use proper escape for backslash ('\e').
2009-01-10 21:58:38 +00:00
f7557f766d
From Cyrus Rahman:
...
Accept RFC2253 compliant escaped special characters for asn1dn identifier.
2009-01-10 19:08:40 +00:00
a0b1dc6be0
Fix a CPPLAGS typo to CPPFLAGS which was intended
2009-01-09 06:31:38 +00:00
9df0ec5c7e
Fix a CPPLAGS type to CPPFLAGS which was intended
2009-01-09 06:31:37 +00:00
10c9b70baa
Correct error checking for DSA and ECDSA keys (from FreeBSD)
2009-01-07 23:05:07 +00:00
b264308e87
Remove obsolete configuration options, fix radius configuration block and
...
add GRE as recognized protocol.
2009-01-05 06:03:58 +00:00
328859aef7
Do not use counting in signal handling as it was unsafe by not using
...
atomic functions (post increment is not necessarily atomic).
Instead reap all children on SIGCHLD as that was the only signal needing
signal counting.
2009-01-05 06:00:27 +00:00
a3c1a92d23
schedular() call can now modify fd mask so make the working copy just
...
before calling select(); otherwise it can contain bad file descriptors
2008-12-30 15:50:24 +00:00
e5b90a2fc2
support icmp codes. Fixes PR 39056.
2008-12-29 12:54:33 +00:00
aa3382cd31
remove sin{6,}_len linux does not have it. From Timo Teras.
2008-12-24 20:20:52 +00:00
6c532322d2
I was wrong. addr is actually set.
2008-12-24 19:05:48 +00:00
16b17fbeab
- make this compile by zeroing out the whole structure not just bogus fields.
...
- set length field of sockets appropriately.
- mark bogus no-op code (I don't understand what the author intended here).
2008-12-24 15:25:44 +00:00
c1e7a459ca
Bump date for identity configuration option removal.
2008-12-23 19:28:18 +00:00
535280aca9
Remove the obsoleted global identity configuration option.
2008-12-23 14:04:42 +00:00
bd378f6dda
rewrite local address detection
...
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()
2008-12-23 14:03:12 +00:00
182f0b93be
From Arnaud Ebalard:
...
Delete larval ph2handles when expire with hard lifetime received
2008-12-18 07:20:25 +00:00
50a2f2e6d0
Update README
2008-12-16 06:48:38 +00:00
b2b7434a10
Fix transport mode address selection in acquire handling.
...
Some earlier fixes got lost on 2008-12-05 commit.
2008-12-16 06:08:46 +00:00
a75f34b133
Fixed compilation on FreeBSD (RTM_IFINFO and RTM_OIFINFO stuff)
2008-12-11 15:45:24 +00:00
cffd15164d
Fixed compilation when DPD support is disabled
2008-12-11 15:33:59 +00:00
f140528153
Document my fix to src/racoon/privsep.c for the SIG_IGN typo on 2008-12-04.
2008-12-09 23:28:08 +00:00
dae665ff27
Do not cache pfkey sockets: it might cause to not handle some pfkey events
...
when select() has marked pfkey socket readable, but a timer callback first
calls pfkey_dump_sadb().
2008-12-08 06:00:53 +00:00
02f2a72861
From Arnaud Ebalard:
...
Improved Mobile IPv6 support per draft-ebalard-mext-pfkey-enhanced-migrate.
2008-12-05 06:02:20 +00:00
3ef91ecea8
Fix typo in previous and use SIG_IGN as I intended.
2008-12-04 22:30:26 +00:00
22b0737f30
Explicitly ignore SIGPIPE. Default action on Linux is terminate.
2008-12-02 07:41:43 +00:00
659c30f2ba
Remove empty line. Fix typo. New sentence, new line.
2008-11-28 22:37:44 +00:00
0b0a39b9f9
ModeConfig fixes
2008-11-27 15:04:34 +00:00
3a74e20575
Set up a default value for Mode Config Pool size if pool address specified but pool size not specified
2008-11-27 15:04:21 +00:00
054e0e851d
Fixed pool resizing
2008-11-27 15:04:16 +00:00
f863fa40c3
From Arnaud Ebalard:
...
Remove MAXNESTEDSA weirdness. It's probably meant for bundle support which
is not done. When someone actually writes bundle support, the nested SA
stuff would probably be reworked too anyway.
2008-11-27 11:08:48 +00:00
1c6c2a3356
From: Matthew Krenzer
...
Ability to set pfkey socket buffer size via configuration file directive.
(Indentation and minor fixes by me.)
2008-11-27 10:53:48 +00:00
e564489300
Document my changes from 2008-11-08 and today.
2008-11-25 22:39:20 +00:00
f798cbf18b
Avoid using MSG_NOSIGNAL as it is not available everywhere.
...
Ignore SIGPIPE instead.
2008-11-25 22:38:31 +00:00
d9c51cbeae
Ignore unspecified and looback addresses. Ignoring unspecified addresses
...
prevents racoon from trying to bind to the wildcard address and specific
addresses simultaneously after e.g. dhclient has changed an interface's
address to 0.0.0.0.
2008-11-25 22:00:15 +00:00
e7c2314bc8
RTM_DELETE and RTM_IFINFO don't carry info for added or deleted addresses.
...
Ignore them silently.
2008-11-25 21:54:05 +00:00
6db1040de3
Ignoring an unsuitable address is not an error. Therefore log it as
...
informational.
Make it clear from the log message that a route message is not interesting.
2008-11-25 21:50:47 +00:00
220cbdde75
Use insmyaddr() instead of open coding it.
2008-11-25 21:46:12 +00:00
b8d42d186b
Do not return erroneously from isakmp_open() when setting IPV6_USE_MIN_MTU
...
fails.
2008-11-25 21:42:36 +00:00
667107700d
Keep myaddr.sock at -1 when no socket is opened.
2008-11-25 21:37:11 +00:00
96020e15cb
Preserve owner and permissions of original /etc/resolv.conf.
...
Ensure that new /etc/resolv.conf isn't group or world writable.
2008-11-08 13:41:09 +00:00
447613dc6a
Print and check INTERNAL_NETMASK4.
2008-11-08 13:38:46 +00:00
aabe06ab2f
Make the handling of NAT-T SPD entries automatic.
2008-11-08 13:36:35 +00:00
5a8370eefd
Ensure that the determination of the default gateway and the corresponding
...
interface don't get confused by multiple, possibly non-IPv4 default routes.
Bring the NetBSD case of deleting the VPN routes and address in line with
the Linux case and delete the address after deleting the VPN routes.
2008-11-08 13:31:23 +00:00
a4814aed6a
The escape sequence for a backslash is "\e".
2008-11-07 16:51:27 +00:00
a455765d91
Use line continuation for an example. It was too wide for my output
...
so was cropped.
Already shared upstream and was told (in September) will be in next
major release.
2008-11-07 15:50:38 +00:00
33dafe234f
fixed delsainfo() to avoid a crash when iddst's value is SAINFO_CLIENTADDR
2008-11-06 14:12:28 +00:00
66f152db75
Add ChangeLog entry about S.P.Zeidler's commit. Fix my name in one place.
2008-11-01 06:55:10 +00:00
334414e667
Changes to ipsecdoi_id2str():
...
struct sockaddr -> struct sockaddr_storage fixes a stack overflow
For non-linklocal addresses the value in 'scope' is garbage and gets
set to zero instead.
2008-10-29 18:49:45 +00:00
0c1f013cc5
Fix commit dates to reflect reality.
2008-10-28 19:03:27 +00:00
11236c9878
Make sshd find the xauth program, even with the new /usr/X11R7.
...
OK'd by christos@
2008-10-27 08:27:04 +00:00
ed890caaae
From Arnaud Ebalard:
...
Add missing return to error path
2008-10-27 06:27:05 +00:00
3ff331469e
From Francis Dupont (sent by Arnaud Ebalard):
...
recognize RTM_IFANNOUNCE
2008-10-27 06:24:27 +00:00
a06fc42a2e
From Arnaud Ebalard:
...
Fix indentation issues for readability
2008-10-27 06:21:29 +00:00
b186d55b63
From Arnaud Ebalard:
...
initfds() needs to be called only if monitored file descriptor numbers
have changed
2008-10-27 06:18:08 +00:00
38962f77a8
From Arnaud Ebalard:
...
Remove duplicate declaration
2008-10-27 06:14:04 +00:00
1e802db977
Pull in a fix from the OpenSSL CVS:
...
http://cvs.openssl.org/filediff?f=openssl/crypto/x509/x509_att.c&v1=1.14&v2=1.15
This should fix PR #39767 opened by Wolfgang Solfrank
2008-10-25 12:11:47 +00:00
ede27c75ad
From Krzysztof Piotr Oledzki <olel@ans.pl>:
...
Revert parts of 2008-08-06 commit; the problem those changes address are
already handled in a sensible way by Cyrus Rahman's patch from 2008-03-06.
2008-10-23 10:56:10 +00:00
96230fab84
Use ${TOOL_AWK} instead of ${AWK} or plain "awk" in make commands.
...
Pass AWK=${TOOL_AWK:Q} to shell scripts that use awk.
2008-10-19 22:05:19 +00:00
ab610e81be
Fix a spelling mistake in changelog
2008-10-09 16:44:31 +00:00
52d4b7db25
From Arnaud Ebalard: remove unnecessary unbindph12() call which is now done in remph2()
2008-10-09 15:53:12 +00:00
c724d51982
From Arnoud Ebalard <arno@natisbad.org>:
...
remove unnecessary unbindph12() call which is now done also in remph2()
2008-10-09 15:53:11 +00:00
105e5049b7
Fixed resending mechanism to have non-ESP marker for retransmitted packets
2008-09-25 09:34:13 +00:00
e829b0a440
New sentence, new line.
2008-09-19 17:33:24 +00:00
d1a09d5477
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
...
in remote conf.
2008-09-19 11:14:49 +00:00
fbf62026bb
Change struct sched to be allocated be the caller to avoid some memory
...
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.
2008-09-19 11:01:08 +00:00
7a75c9a543
PR/39233: Taylor R Campbeel: OpenSSH fails to initialize tun(4) tunnels
...
correctly.
2008-09-17 15:45:50 +00:00
b383a5b3e4
Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs
2008-09-17 12:39:07 +00:00
954f7757c0
Some calls to set_port() were not correctly updated in the previous commit
2008-09-09 11:50:42 +00:00
a20b313ea8
From Tomas Mraz: Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff.
2008-09-03 16:08:26 +00:00
4ead39ef24
Duplicate addresses in pk_sendxxx functions, as they may be altered for NAT-T stuff
2008-09-03 16:08:25 +00:00
dbd3f137ba
- Fix reloading of SPD (Linux satype check, handling of SPD dump responses)
...
- Remove some spurious error log message from extract_port()
2008-09-03 09:57:28 +00:00
b926b61a73
Comment out __RCSID; this is a host tool and we don't need the Id in the binary.
...
Fixes cross-build issue on RHEL5-like Linux.
Arguably we shouldn't even #include <config.h> because that's been created
for the NetBSD target and not the (possibly non-NetBSD) host system,
but that hasn't caused problems so far so I'll leave it for now.
2008-09-03 07:10:55 +00:00
dc1f2ff2f9
Eliminate gcc-specific feature of empty structures.
2008-08-29 00:31:37 +00:00
f3a85cb801
Eliminate superfluous semicolon.
2008-08-29 00:31:00 +00:00
b4e2d1afdf
Eliminate gcc-specific feature of unnamed structures added recently.
2008-08-29 00:30:15 +00:00
163d7169c0
From Krzysztof Piotr Oledzki: Remove ph1handler if we received an invalid first exchange from initiator.
2008-08-12 12:45:55 +00:00
32468f64a1
Remove ph1handler if we received an invalid first exchange from initiator
2008-08-12 12:45:54 +00:00
191869cf2a
From Krzysztof Piotr Oledzki:
...
Make privileged process exit if unprivileged process is terminated and
some spelling fixes.
2008-08-06 19:14:28 +00:00
5a3c2f6809
Revert the HPN changes that added verbose "Max throughput" summary
...
after scp(1) finishes.
2008-08-05 14:13:34 +00:00
cca63e16c3
Restore .hx support for avoiding unneeded regeneration of header files
...
Fix PR lib/39185
Partly restore the changes which were removed during the Heimdal 1.1 update:
src/lib/libasn1/Makefile 1.28 -> 1.29
src/lib/libhdb/Makefile 1.21 -> 1.22
src/crypto/dist/heimdal/lib/asn1/gen.c 1.8 -> 1.9
Add .hx support in 'new' heimdal libraries:
src/lib/libgssapi/Makefile
src/lib/libhx509/Makefile
Add a new entry in doc/HACKS for this changes.
2008-08-03 07:16:58 +00:00
9ef0a25aeb
Add some missing ifdefs required for non-radius enabled builds.
2008-07-23 17:36:00 +00:00
4521811287
Do not use GNU make specific extension.
2008-07-23 13:53:08 +00:00
28aa26f3de
Do flex/bison invocation in a more standard way, and keep the generated
...
files in the dist tarball.
2008-07-23 09:06:51 +00:00
826c52702d
From Kohki Ohhira: fix some memory leaks, when malloc fails or when peer sends invalid proposal.
2008-07-22 13:25:18 +00:00
754d7776f7
fixed some memory leaks, when malloc fails or when peer sends invalid proposals
2008-07-22 13:25:17 +00:00
fd9755072f
Add an optional radius configuration section to the racoon.conf file. This
...
is similar to the the LDAP configuration section and overrides settings in
the system radius configuration file.
2008-07-22 01:30:02 +00:00
0cc0bec23e
Correct typo to fix the build.
2008-07-21 09:43:03 +00:00
ca3b7c5a9f
Separate generic vendor id handling to a new function and use it.
2008-07-21 06:26:06 +00:00
7a1c3cb1b8
Do not set default gss id if xauth is used, otherwise gss-id attribute
...
might be sent even if it was not requested.
2008-07-21 06:24:29 +00:00
879eeb1025
Fix an a typo that prevented racoon from building with hybrid enabled.
2008-07-15 02:16:58 +00:00
6353d50296
Update changelog which was missed in my previous commit.
2008-07-15 00:53:36 +00:00
8f0b3482bc
Fix a conflict with the FreeBSD 8 system hexdump function.
2008-07-15 00:47:09 +00:00
56a42db6a6
Handle RESPONDER-LIFETIME notification in quick mode.
2008-07-14 05:45:15 +00:00
583275a951
Clean up notification payload handling. Handle INITIAL-CONTACT notification
...
in last main mode exchange (delayed) and during quick mode exchanges.
2008-07-14 05:40:13 +00:00
75bc4bd6cd
Original patch from Atis Elsts:
...
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00
7f51b6fe42
From Chong Peng:
...
fix a file descriptor and memory leak on configuration file reread
2008-07-09 12:16:50 +00:00
d20c6ed916
From Timo Teras: fix some %d to %zu (size_t values)
2008-07-02 14:46:27 +00:00
874968c865
fixed some %d to %zu (size_t values)
2008-07-02 14:46:26 +00:00
a494eea816
Add an ifdef to disable the AES_CTR_MT cipher because static binaries don't
...
work with -pthread, and /rescue is linked against libssh.
2008-06-23 14:51:31 +00:00
80a665de90
Add the HPN patch for ssh:
...
http://www.psc.edu/networking/projects/hpn-ssh/
2008-06-22 15:42:50 +00:00
bf3ddb193b
Bump date for previous.
2008-06-18 07:40:16 +00:00
93c1205f96
Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.
2008-06-18 07:12:04 +00:00
c47cb1615c
Add an admin port command to retrieve the peer certificate. Submitted by
...
Timmo Teras.
2008-06-18 07:12:03 +00:00
01e8cc1e5d
Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras.
2008-06-18 07:04:23 +00:00
5d397c5ba5
Set sockets to be closed on exec to avoid potential file descriptor
...
inheritance issues. Submitted by Timmo Teras.
2008-06-18 07:04:22 +00:00
7598372e37
Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.
2008-06-18 06:47:25 +00:00
2c40396f3a
Use utility functions to evaluate or manipulate network port values. No
...
functional changes. Submitted by Timmo Teras.
2008-06-18 06:47:24 +00:00
7dac642960
Admin port code cleanup. No functional changes. Submitted by Timo Teras.
2008-06-18 06:27:49 +00:00
18fc645e9a
Admin port code cleanup. No functional changes. Submitted by Timmo Teras.
2008-06-18 06:27:48 +00:00
9345b05cc4
Correct a phase2 status event. Submitted by Timo Teras.
2008-06-18 06:11:38 +00:00
b163716d45
Correct a phase2 status event. Submitted by Timmo Teras.
2008-06-18 06:11:37 +00:00
f5792c6ee8
Apply patch from Darryl Miles which adjusts SSL_shutdown's behavior for
...
non-blocking BIOs so that it is sane -- so that, in other words, -1 with
a meaningful library error code (WANT_READ or WANT_WRITE) is returned
when we would block for I/O. Without this change, you have to sleep or
spin -- you can't know how to put the underlying socket in your select
or poll set.
Patch from http://marc.info/?l=openssl-dev&m=115154030723033&w=2 and
rationale at http://marc.info/?l=openssl-dev&m=115153998821797&w=2 where
sadly they were overlooked by the OpenSSL team for some time. It is hoped
that now that we've brought this change to their attention they will
integrate it into their sources and we can lose the local change in
NetBSD.
2008-06-10 19:45:00 +00:00
31197b7671
Fix two Denial of Service vulnerabilities in OpenSSL:
...
- Fix flaw if server key exchange message is omitted from a TLS handshake
which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a
remote crash.
Fixes CVE-2008-1672.
2008-06-05 15:30:10 +00:00
90318d80f4
PR/38728: Tomoyuki Okazaki: Enable Camellia
2008-05-26 16:39:45 +00:00
a41e5a83be
Add coverity alloc comment.
2008-05-24 20:07:00 +00:00
cfb67f710f
add a coverity alloc comment.
2008-05-24 20:05:52 +00:00
e520f14ae6
Coverity CID 5003: Fix memory leak.
2008-05-24 20:00:07 +00:00
e3ee1b22da
Coverity CID 5004: Fix double free.
2008-05-24 19:58:01 +00:00
78dc0fbbfc
Add a coverity alloc comment.
2008-05-24 19:54:43 +00:00
13ebcc71fb
Add a coverity alloc comment
2008-05-24 19:52:36 +00:00
c2e438738f
Coverity CID 5007: Avoid double free.
2008-05-24 19:48:27 +00:00
677bd71b1f
Add a coverity allocation comment.
2008-05-24 19:46:32 +00:00
66009f62a3
Coverity CID 5010: Avoid buf[-1] = '\0' on error.
2008-05-24 19:32:28 +00:00
aa3b40a116
Coverity CID 5018: Fix double frees.
2008-05-24 18:39:40 +00:00
b6c10a6fe5
avoid using free_func as an argument because it is already a typedef.
2008-05-10 16:52:05 +00:00
33d34d249c
fix version string
2008-05-09 22:10:19 +00:00
2149db96e3
resolve conflicts
2008-05-09 21:49:39 +00:00
b69a53abf2
import today's snapshot! Hi <tls>
2008-05-09 21:34:04 +00:00
2a499f37b6
From Christian Hohnstaedt: allow out of tree building
2008-05-08 12:24:50 +00:00
11a6dbe728
Convert TNF licenses to new 2 clause variant
2008-04-30 13:10:46 +00:00
ce099b4099
Remove clause 3 and 4 from TNF licenses
2008-04-28 20:22:51 +00:00
098f566eb9
Do as in revision 1.26 of sshd_config: add a sample, commented-out line
...
for X.org's xauth.
2008-04-25 15:01:45 +00:00
ed9bfcd9c2
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
2008-04-25 14:41:18 +00:00
c6898eabf6
extract ports information from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
2008-04-25 14:41:17 +00:00
795befa36d
namespace police to make it buildable (no, it still does not work),
...
add rcsid.
2008-04-20 15:01:14 +00:00
41de77d985
Sync SCM_RIGHTS passing code with the version used in racoon (i.e.
...
set message header and controll message size to the same value again)
2008-04-19 22:15:30 +00:00
57a7ea54be
for symmetry set controllen the same way we set it on the receiving side.
2008-04-13 21:45:19 +00:00
03409c55d7
Don't use variable size allocation on the stack.
2008-04-13 21:44:14 +00:00
c09e4a3a8c
Fix for CVE-2007-3108
...
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and
earlier does not properly perform Montgomery multiplication, which might
allow local users to conduct a side-channel attack and retrieve RSA
private keys.
2008-04-10 14:19:59 +00:00
1d2009704e
fix another build breaker
2008-04-07 07:37:07 +00:00
1f7a577d0e
re-add removed files.
2008-04-06 23:39:05 +00:00
cbdb6c7a40
resolve conflicts.
2008-04-06 23:38:19 +00:00
49d015609b
Import 5.0
2008-04-06 21:18:28 +00:00
fe2ff28dc6
Add no-user-rc option which disables execution of ~/.ssh/rc
...
(backport from OpenSSH 4.9)
2008-04-05 17:20:53 +00:00
11a00dfcb8
Fix two vulnerabilities in OpenSSH:
...
- X11 forwarding information disclosure (CVE-2008-1483)
- ForceCommand bypass vulnerability
2008-04-03 13:09:14 +00:00
1c3bd4b930
fix Linux build
2008-04-02 19:02:50 +00:00
5ae92982aa
properly fix the variable stack allocation code.
2008-03-28 21:18:45 +00:00
fe6642740b
Still from Cyrus Rahman: fix file descriptor leak introduced by previous
...
commit.
2008-03-28 20:28:14 +00:00
1d223a6207
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation
2008-03-28 04:18:52 +00:00
182dbe8881
From Cyrus Rahman <crahman@gmail.com>
...
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
2008-03-28 04:18:51 +00:00
eaec738d10
align cast with heimdal source
...
http://loka.it.su.se/fisheye/changelog/heimdal/?cs=22773
2008-03-24 20:05:57 +00:00
0b9b01afa9
Heimdal cannot easily detect wether the system uses kerberos or not
...
on a client. For now, turn on the hack, that causes heimdal to fail
when there is no config file. ok'd by lha.
2008-03-24 13:56:41 +00:00
d0bda29ecc
fix compilation on alpha.
2008-03-24 08:27:23 +00:00
b2156dc123
The sig_atomic_t type isn't necessarily compatible with %d printf format;
...
cast to int before printing.
2008-03-23 23:09:04 +00:00
7ae544fc2d
Remove computed source files that may confuse mkdep.
2008-03-22 19:15:21 +00:00
fcf1d7cd15
Remove computed source files that may confuse mkdep.
2008-03-22 16:17:50 +00:00
e160244ccb
match whitespace after RCSID
2008-03-22 13:08:21 +00:00
1ea66c56df
NetBSD uses __RCSID
2008-03-22 13:03:05 +00:00
5d9c8e15e0
Import Heimdal-1.1
...
one more missing file
2008-03-22 10:35:47 +00:00
d5be9e9c1d
Import Heimdal-1.1
...
more files
2008-03-22 09:39:22 +00:00
2370a334ab
Import Heimdal-1.1
...
more missing files
2008-03-22 09:29:55 +00:00
b0f88a0388
Import Heimdal-1.1
2008-03-22 08:36:48 +00:00
b5ae261d16
Generates a log if cert validation has been disabled by configuration
2008-03-06 17:00:03 +00:00
b6b6316484
From Cyrus Rahman <crahman@gmail.com>
...
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
2008-03-06 04:29:20 +00:00
1e1f81eb1d
Add the ability to initiate IPsec SA negotiations using the admin socket.
...
Submitted by Timo Teras.
2008-03-06 00:46:04 +00:00
3fd729ad89
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
2008-03-06 00:34:11 +00:00
089a95fdcd
Refactor admin socket event protocol to be less error prone. Backwards
...
compatibility is provided. Submitted by Timmo Teras.
2008-03-06 00:34:10 +00:00
5e5c5d5011
Properly initialize the unity network struct to prevent erroneous protocol
...
and port info from being transmitted.
2008-03-05 22:27:50 +00:00
f771df75b3
Reload SPD on SIGHUP or adminport reload. Also provide better handling for
...
pfkey socket read errors. Submitted by Timo Teras.
2008-03-05 22:09:44 +00:00
5ae99b01fd
Missing entries for last changes
2008-02-25 20:14:05 +00:00
6ee9ace370
From Brian Haley <brian.haley@hp.com>
...
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not. I'm not sure this patch is correct, but
what's there isn't either.
2008-02-25 20:06:55 +00:00
ebc590d76a
Fix address length, from Brian Haley
2008-02-22 18:50:03 +00:00
2bbccfb905
yyparse returns int, not void.
2008-02-16 18:29:39 +00:00
a91c432416
closes PR bin/37644
...
did not meet violent opposition ( :) ) on ipsec-tools-devel
2008-02-10 12:11:08 +00:00
8a85bb4332
remove Protocol=2 line; from Jukka Salmi
2008-01-28 13:57:02 +00:00
4781622c25
CRIOGET is gone. Saves one ioctl per session.
2008-01-26 20:46:21 +00:00
9675caff5e
Some minor opencrypto fixes, one with a major performance impact for
...
OpenSSL:
1) Fix extremely misleading text in crypto.4 manual page so it does not
appear to claim that a new cloned file descriptor is required for every
session.
2) Fix severe performance problem (and fd leak!) in openssl cryptodev
engine resulting from misunderstanding probably caused by said manual
page text.
3) Check for session-ID wraparound in kernel cryptodev provider. Also,
start allocating sessions at 1, not 0 -- this will be necessary when
we add ioctls for the creation of multiple sessions at once, so we
can tell which if any creations failed.
2008-01-25 07:09:56 +00:00
4aacbd15e1
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.
2008-01-11 14:27:34 +00:00
ca6b517233
reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory
2008-01-11 14:27:33 +00:00
e0b7c2f9ec
reported somes fixes from Krzysztof Oledzki
2008-01-11 14:09:50 +00:00
90cd29a77c
From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc.
2008-01-11 14:09:05 +00:00
5e3ace1c19
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
2008-01-11 14:08:29 +00:00
e8714f7763
From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg).
2008-01-11 14:07:39 +00:00
223c4f34ce
added an 'established' arg to getph1byaddr()
2008-01-11 14:06:56 +00:00
c825a8ee5f
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:07 +00:00
e2eda5513a
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras.
2007-12-31 01:42:06 +00:00
c9b9889ada
add back #include <sys/socket.h> from Scott Ellis on current-users@
2007-12-21 20:42:03 +00:00
e9e5abe68c
fix typo in comment
2007-12-21 01:03:58 +00:00
53a105b083
Disable the umac-64 MAC for now, it needs to be rewritten from scractch.
...
Addresses PR bin/37562.
2007-12-20 14:14:04 +00:00
d642d06d3d
fixes for alpha: %ld -> %zd, signals are long.
2007-12-18 09:00:30 +00:00
ceafeaa9bc
Eliminate "endian_convert defined but not used" on big-endian platforms;
...
instead of using the "generic" functions for byteswapping in this file,
use le32toh() and friends.
2007-12-18 08:32:21 +00:00
4750a01617
on NetBSD, use %zu for sizeof()
2007-12-18 07:22:32 +00:00
512c2e7e60
merge conflicts
2007-12-18 02:35:25 +00:00
848569aa46
from ftp.openbsd.org
2007-12-17 20:15:38 +00:00
3a210f56fc
Add corrections submitted in a follow up patch for the nat-t oa support.
2007-12-12 05:08:28 +00:00
892304dffa
Add support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-12 04:45:59 +00:00
85c7ab0640
add a sample XAuthLocation for x.org users as discussed on pkgsrc-users@
2007-12-08 19:03:28 +00:00
4454243c5b
Add changelog entries missed in the last commit.
2007-12-04 19:54:24 +00:00
2ada148e80
Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras.
2007-12-04 19:52:30 +00:00
e5326240e8
Fix typos. New sentence, new line.
2007-12-01 19:24:47 +00:00
3139da7ed3
From Natanael Copa: fixed a race condition when building yacc stuff.
2007-11-29 16:22:08 +00:00
45ebb13627
fixed a race condition when building yacc stuff
2007-11-29 16:22:07 +00:00
e76e80b28b
From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r()
2007-11-09 16:28:14 +00:00
faf3c4a53b
From Arnaud Ebalard: Some sanity checking in pk_recv()
2007-11-09 16:27:58 +00:00
70597b6cab
From Arnaud Ebalard: Better matching of SPD entries in getsp_r().
2007-11-09 16:27:47 +00:00
cd8d63d79e
From Arnaud Ebalard: Added some debug in get_proposal_r().
2007-11-09 16:27:42 +00:00
c9951c135d
Fix for CVE-2007-4995 from OpenSSL CVS
2007-10-21 20:34:14 +00:00
57c0ea0775
Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-19 03:37:18 +00:00
702eac21e5
Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD
2007-10-15 16:05:01 +00:00
657e6e5324
new plog macro
2007-10-02 09:48:08 +00:00
4e4df07d61
From Scott Lamb: include plog.h to work with the new plog macro.
2007-10-02 09:47:55 +00:00
400c6ca5a9
From Scott Lamb: plog changed to _plog to work with new plog macro
2007-10-02 09:47:45 +00:00
c12d0d481a
From Scott Lamb: new plog macro.
2007-10-02 09:47:40 +00:00
0e0b59826f
apply a patch from openssl CVS to fix a remaining off-by-one error
...
in an older security fix, see
http://www.securityfocus.com/archive/1/480855/30/0/threaded
2007-09-28 13:09:26 +00:00
26182f1f5d
Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo.
2007-09-19 19:29:36 +00:00
33e6656ef9
Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo.
2007-09-19 19:20:25 +00:00
8293a09746
Fix autoconf check for selinux support. Submitted by Joy Latten.
2007-09-13 00:26:14 +00:00
aca8e1eed2
Implement clientaddr sainfo remote id option and refine the sainfo man page syntax.
2007-09-12 23:39:49 +00:00
6dda4e3f48
Use poll(2) to wait for rnd(4). The initialisation of OpenSSL's RNG
...
now works reliably if the first FD_SETSIZE file descriptors are in use.
2007-09-07 08:10:00 +00:00
324a68d0b7
Sort sainfo sections on insert and improve matching logic.
2007-09-05 06:55:44 +00:00
edac7dae7c
Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn.
2007-09-03 18:08:42 +00:00
1c79bc103b
src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
...
authorization ports. Allow interoperability with freeradius
2007-08-07 04:35:01 +00:00
9fcfdb104e
Apply a patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1306 .
...
Fix nasty "error: channel 0: chan_read_failed for istate 3" message.
2007-07-31 03:09:49 +00:00
8628a88239
Update NEWS file with additional 0.7 improvements.
2007-07-24 04:29:23 +00:00
9b7e05e155
Various racoon configuration manpage updates.
2007-07-18 22:50:47 +00:00
0878f17383
PR/36665: Matthias Scheler: Thread support is not enabled in NetBSD's OpenSSL
...
I enabled it.
2007-07-18 20:19:56 +00:00
c3bc7fe364
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
2007-07-18 12:07:49 +00:00
9f7ae421ea
fixed a socket leak
2007-07-16 15:05:10 +00:00
0fd2ceaf72
indentation
2007-07-16 15:03:13 +00:00
4d0c78dab0
PR/36624: Edgar Fu: sshd should not check pw_{expire,change} if UsePam is
...
enabled. This is what the "portable" version of openssh does.
2007-07-10 15:48:56 +00:00
a39c84a8c3
PR/36623: Edgar Fu: ssh publickey authentification fails if homedir not present
...
Removed extra realpath check that was introduced by a bogus merge.
2007-07-10 14:56:25 +00:00
30638c77c3
PR/36562: Takeshi Nakayama: sshd(8) HostbasedAuthentication fails after
...
upgrading to 4.0_BETA
Remove $HOME test since this is also used by sshd.
2007-06-26 18:28:34 +00:00
d1cb3ec527
remove unused variable.
2007-06-25 01:42:31 +00:00
c6b86acffc
don't use __progname for the pam service name. Hard-code it to "sshd"
2007-06-24 23:48:30 +00:00
72fe4c3a84
From Paul Winder <Paul.Winder@tadpole.com>:
...
Fix ignored INTERNAL_DNS4_LIST
2007-06-07 20:04:26 +00:00
6ae0ffb7d9
From Rong-En Fan: fix compilation with gcc 4.2
2007-06-06 15:37:15 +00:00
cc41629a4c
fixed compilation with gcc 4.2
2007-06-06 15:37:14 +00:00
6817ea28d9
speeds up interfaces update when they changed
2007-06-06 09:47:30 +00:00
1ed22670fa
From Jianli Liu: speed up interfaces update when they change.
2007-06-06 09:47:29 +00:00
7c53bfe0b6
ignore obsolete lifebyte when validating reloaded configuration
2007-06-06 09:18:16 +00:00
a16fcccee0
From Joy Latten <latten@austin.ibm.com>
...
Fix file descriptor shortage when using labeled IPsec.
2007-05-31 19:54:54 +00:00
23326f5b62
From Jianli Liu <jlliu@nortel.com>:
...
In racoonctl, use the specified socket path instead of the default location
2007-05-30 21:02:39 +00:00
5d1825b2a1
Use RESCUEDIR if set.
2007-05-17 00:17:50 +00:00
christos