583275a951
Clean up notification payload handling. Handle INITIAL-CONTACT notification
...
in last main mode exchange (delayed) and during quick mode exchanges.
2008-07-14 05:40:13 +00:00
75bc4bd6cd
Original patch from Atis Elsts:
...
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.
2008-07-11 08:02:06 +00:00
7f51b6fe42
From Chong Peng:
...
fix a file descriptor and memory leak on configuration file reread
2008-07-09 12:16:50 +00:00
d20c6ed916
From Timo Teras: fix some %d to %zu (size_t values)
2008-07-02 14:46:27 +00:00
874968c865
fixed some %d to %zu (size_t values)
2008-07-02 14:46:26 +00:00
a494eea816
Add an ifdef to disable the AES_CTR_MT cipher because static binaries don't
...
work with -pthread, and /rescue is linked against libssh.
2008-06-23 14:51:31 +00:00
80a665de90
Add the HPN patch for ssh:
...
http://www.psc.edu/networking/projects/hpn-ssh/
2008-06-22 15:42:50 +00:00
bf3ddb193b
Bump date for previous.
2008-06-18 07:40:16 +00:00
93c1205f96
Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.
2008-06-18 07:12:04 +00:00
c47cb1615c
Add an admin port command to retrieve the peer certificate. Submitted by
...
Timmo Teras.
2008-06-18 07:12:03 +00:00
01e8cc1e5d
Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras.
2008-06-18 07:04:23 +00:00
5d397c5ba5
Set sockets to be closed on exec to avoid potential file descriptor
...
inheritance issues. Submitted by Timmo Teras.
2008-06-18 07:04:22 +00:00
7598372e37
Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.
2008-06-18 06:47:25 +00:00
2c40396f3a
Use utility functions to evaluate or manipulate network port values. No
...
functional changes. Submitted by Timmo Teras.
2008-06-18 06:47:24 +00:00
7dac642960
Admin port code cleanup. No functional changes. Submitted by Timo Teras.
2008-06-18 06:27:49 +00:00
18fc645e9a
Admin port code cleanup. No functional changes. Submitted by Timmo Teras.
2008-06-18 06:27:48 +00:00
9345b05cc4
Correct a phase2 status event. Submitted by Timo Teras.
2008-06-18 06:11:38 +00:00
b163716d45
Correct a phase2 status event. Submitted by Timmo Teras.
2008-06-18 06:11:37 +00:00
f5792c6ee8
Apply patch from Darryl Miles which adjusts SSL_shutdown's behavior for
...
non-blocking BIOs so that it is sane -- so that, in other words, -1 with
a meaningful library error code (WANT_READ or WANT_WRITE) is returned
when we would block for I/O. Without this change, you have to sleep or
spin -- you can't know how to put the underlying socket in your select
or poll set.
Patch from http://marc.info/?l=openssl-dev&m=115154030723033&w=2 and
rationale at http://marc.info/?l=openssl-dev&m=115153998821797&w=2 where
sadly they were overlooked by the OpenSSL team for some time. It is hoped
that now that we've brought this change to their attention they will
integrate it into their sources and we can lose the local change in
NetBSD.
2008-06-10 19:45:00 +00:00
31197b7671
Fix two Denial of Service vulnerabilities in OpenSSL:
...
- Fix flaw if server key exchange message is omitted from a TLS handshake
which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a
remote crash.
Fixes CVE-2008-1672.
2008-06-05 15:30:10 +00:00
90318d80f4
PR/38728: Tomoyuki Okazaki: Enable Camellia
2008-05-26 16:39:45 +00:00
a41e5a83be
Add coverity alloc comment.
2008-05-24 20:07:00 +00:00
cfb67f710f
add a coverity alloc comment.
2008-05-24 20:05:52 +00:00
e520f14ae6
Coverity CID 5003: Fix memory leak.
2008-05-24 20:00:07 +00:00
e3ee1b22da
Coverity CID 5004: Fix double free.
2008-05-24 19:58:01 +00:00
78dc0fbbfc
Add a coverity alloc comment.
2008-05-24 19:54:43 +00:00
13ebcc71fb
Add a coverity alloc comment
2008-05-24 19:52:36 +00:00
c2e438738f
Coverity CID 5007: Avoid double free.
2008-05-24 19:48:27 +00:00
677bd71b1f
Add a coverity allocation comment.
2008-05-24 19:46:32 +00:00
66009f62a3
Coverity CID 5010: Avoid buf[-1] = '\0' on error.
2008-05-24 19:32:28 +00:00
aa3b40a116
Coverity CID 5018: Fix double frees.
2008-05-24 18:39:40 +00:00
b6c10a6fe5
avoid using free_func as an argument because it is already a typedef.
2008-05-10 16:52:05 +00:00
33d34d249c
fix version string
2008-05-09 22:10:19 +00:00
2149db96e3
resolve conflicts
2008-05-09 21:49:39 +00:00
b69a53abf2
import today's snapshot! Hi <tls>
2008-05-09 21:34:04 +00:00
2a499f37b6
From Christian Hohnstaedt: allow out of tree building
2008-05-08 12:24:50 +00:00
11a6dbe728
Convert TNF licenses to new 2 clause variant
2008-04-30 13:10:46 +00:00
ce099b4099
Remove clause 3 and 4 from TNF licenses
2008-04-28 20:22:51 +00:00
098f566eb9
Do as in revision 1.26 of sshd_config: add a sample, commented-out line
...
for X.org's xauth.
2008-04-25 15:01:45 +00:00
ed9bfcd9c2
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().
2008-04-25 14:41:18 +00:00
c6898eabf6
extract ports information from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
2008-04-25 14:41:17 +00:00
795befa36d
namespace police to make it buildable (no, it still does not work),
...
add rcsid.
2008-04-20 15:01:14 +00:00
41de77d985
Sync SCM_RIGHTS passing code with the version used in racoon (i.e.
...
set message header and controll message size to the same value again)
2008-04-19 22:15:30 +00:00
57a7ea54be
for symmetry set controllen the same way we set it on the receiving side.
2008-04-13 21:45:19 +00:00
03409c55d7
Don't use variable size allocation on the stack.
2008-04-13 21:44:14 +00:00
c09e4a3a8c
Fix for CVE-2007-3108
...
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and
earlier does not properly perform Montgomery multiplication, which might
allow local users to conduct a side-channel attack and retrieve RSA
private keys.
2008-04-10 14:19:59 +00:00
1d2009704e
fix another build breaker
2008-04-07 07:37:07 +00:00
1f7a577d0e
re-add removed files.
2008-04-06 23:39:05 +00:00
cbdb6c7a40
resolve conflicts.
2008-04-06 23:38:19 +00:00
49d015609b
Import 5.0
2008-04-06 21:18:28 +00:00
fe2ff28dc6
Add no-user-rc option which disables execution of ~/.ssh/rc
...
(backport from OpenSSH 4.9)
2008-04-05 17:20:53 +00:00
11a00dfcb8
Fix two vulnerabilities in OpenSSH:
...
- X11 forwarding information disclosure (CVE-2008-1483)
- ForceCommand bypass vulnerability
2008-04-03 13:09:14 +00:00
1c3bd4b930
fix Linux build
2008-04-02 19:02:50 +00:00
5ae92982aa
properly fix the variable stack allocation code.
2008-03-28 21:18:45 +00:00
fe6642740b
Still from Cyrus Rahman: fix file descriptor leak introduced by previous
...
commit.
2008-03-28 20:28:14 +00:00
1d223a6207
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation
2008-03-28 04:18:52 +00:00
182dbe8881
From Cyrus Rahman <crahman@gmail.com>
...
Allow interface reconfiguration when running in privilege separation mode,
document privilege separation
2008-03-28 04:18:51 +00:00
eaec738d10
align cast with heimdal source
...
http://loka.it.su.se/fisheye/changelog/heimdal/?cs=22773
2008-03-24 20:05:57 +00:00
0b9b01afa9
Heimdal cannot easily detect wether the system uses kerberos or not
...
on a client. For now, turn on the hack, that causes heimdal to fail
when there is no config file. ok'd by lha.
2008-03-24 13:56:41 +00:00
d0bda29ecc
fix compilation on alpha.
2008-03-24 08:27:23 +00:00
b2156dc123
The sig_atomic_t type isn't necessarily compatible with %d printf format;
...
cast to int before printing.
2008-03-23 23:09:04 +00:00
7ae544fc2d
Remove computed source files that may confuse mkdep.
2008-03-22 19:15:21 +00:00
fcf1d7cd15
Remove computed source files that may confuse mkdep.
2008-03-22 16:17:50 +00:00
e160244ccb
match whitespace after RCSID
2008-03-22 13:08:21 +00:00
1ea66c56df
NetBSD uses __RCSID
2008-03-22 13:03:05 +00:00
5d9c8e15e0
Import Heimdal-1.1
...
one more missing file
2008-03-22 10:35:47 +00:00
d5be9e9c1d
Import Heimdal-1.1
...
more files
2008-03-22 09:39:22 +00:00
2370a334ab
Import Heimdal-1.1
...
more missing files
2008-03-22 09:29:55 +00:00
b0f88a0388
Import Heimdal-1.1
2008-03-22 08:36:48 +00:00
b5ae261d16
Generates a log if cert validation has been disabled by configuration
2008-03-06 17:00:03 +00:00
b6b6316484
From Cyrus Rahman <crahman@gmail.com>
...
privilegied instance exit when unprivilegied one terminates. Save PID in real root, not in chroot
2008-03-06 04:29:20 +00:00
1e1f81eb1d
Add the ability to initiate IPsec SA negotiations using the admin socket.
...
Submitted by Timo Teras.
2008-03-06 00:46:04 +00:00
3fd729ad89
Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.
2008-03-06 00:34:11 +00:00
089a95fdcd
Refactor admin socket event protocol to be less error prone. Backwards
...
compatibility is provided. Submitted by Timmo Teras.
2008-03-06 00:34:10 +00:00
5e5c5d5011
Properly initialize the unity network struct to prevent erroneous protocol
...
and port info from being transmitted.
2008-03-05 22:27:50 +00:00
f771df75b3
Reload SPD on SIGHUP or adminport reload. Also provide better handling for
...
pfkey socket read errors. Submitted by Timo Teras.
2008-03-05 22:09:44 +00:00
5ae99b01fd
Missing entries for last changes
2008-02-25 20:14:05 +00:00
6ee9ace370
From Brian Haley <brian.haley@hp.com>
...
There's a cut/paste error in cmp_aproppair_i(), it's supposed to be
checking spi_size but it's not. I'm not sure this patch is correct, but
what's there isn't either.
2008-02-25 20:06:55 +00:00
ebc590d76a
Fix address length, from Brian Haley
2008-02-22 18:50:03 +00:00
2bbccfb905
yyparse returns int, not void.
2008-02-16 18:29:39 +00:00
a91c432416
closes PR bin/37644
...
did not meet violent opposition ( :) ) on ipsec-tools-devel
2008-02-10 12:11:08 +00:00
8a85bb4332
remove Protocol=2 line; from Jukka Salmi
2008-01-28 13:57:02 +00:00
4781622c25
CRIOGET is gone. Saves one ioctl per session.
2008-01-26 20:46:21 +00:00
9675caff5e
Some minor opencrypto fixes, one with a major performance impact for
...
OpenSSL:
1) Fix extremely misleading text in crypto.4 manual page so it does not
appear to claim that a new cloned file descriptor is required for every
session.
2) Fix severe performance problem (and fd leak!) in openssl cryptodev
engine resulting from misunderstanding probably caused by said manual
page text.
3) Check for session-ID wraparound in kernel cryptodev provider. Also,
start allocating sessions at 1, not 0 -- this will be necessary when
we add ioctls for the creation of multiple sessions at once, so we
can tell which if any creations failed.
2008-01-25 07:09:56 +00:00
4aacbd15e1
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.
2008-01-11 14:27:34 +00:00
ca6b517233
reset iph1->dpd_r_u in the scheduler's callback, to avoid some access to freed memory
2008-01-11 14:27:33 +00:00
e0b7c2f9ec
reported somes fixes from Krzysztof Oledzki
2008-01-11 14:09:50 +00:00
90cd29a77c
From Krzysztof Oledzki: Fix compilation with IDEA and recent gcc.
2008-01-11 14:09:05 +00:00
5e3ace1c19
From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).
2008-01-11 14:08:29 +00:00
e8714f7763
From Krzysztof Oledzki: Only search for established ph1 handles in DPD (also reported new getph1byaddr() arg).
2008-01-11 14:07:39 +00:00
223c4f34ce
added an 'established' arg to getph1byaddr()
2008-01-11 14:06:56 +00:00
c825a8ee5f
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timo Teras.
2007-12-31 01:42:07 +00:00
e2eda5513a
Add GRE protocol number to racoonctl. Correct id wildcard matching for transport mode. Submitted by Timmo Teras.
2007-12-31 01:42:06 +00:00
c9b9889ada
add back #include <sys/socket.h> from Scott Ellis on current-users@
2007-12-21 20:42:03 +00:00
e9e5abe68c
fix typo in comment
2007-12-21 01:03:58 +00:00
53a105b083
Disable the umac-64 MAC for now, it needs to be rewritten from scractch.
...
Addresses PR bin/37562.
2007-12-20 14:14:04 +00:00
d642d06d3d
fixes for alpha: %ld -> %zd, signals are long.
2007-12-18 09:00:30 +00:00
ceafeaa9bc
Eliminate "endian_convert defined but not used" on big-endian platforms;
...
instead of using the "generic" functions for byteswapping in this file,
use le32toh() and friends.
2007-12-18 08:32:21 +00:00
4750a01617
on NetBSD, use %zu for sizeof()
2007-12-18 07:22:32 +00:00
512c2e7e60
merge conflicts
2007-12-18 02:35:25 +00:00
848569aa46
from ftp.openbsd.org
2007-12-17 20:15:38 +00:00
3a210f56fc
Add corrections submitted in a follow up patch for the nat-t oa support.
2007-12-12 05:08:28 +00:00
892304dffa
Add support for nat-t oa payload handling. Submitted by Timo Teras.
2007-12-12 04:45:59 +00:00
85c7ab0640
add a sample XAuthLocation for x.org users as discussed on pkgsrc-users@
2007-12-08 19:03:28 +00:00
4454243c5b
Add changelog entries missed in the last commit.
2007-12-04 19:54:24 +00:00
2ada148e80
Modify ipsecdoi_sockaddr2id() to obtain an id without specifying the exact prefix length. Correct a memory leak in phase2. Both submitted by Timo Teras.
2007-12-04 19:52:30 +00:00
e5326240e8
Fix typos. New sentence, new line.
2007-12-01 19:24:47 +00:00
3139da7ed3
From Natanael Copa: fixed a race condition when building yacc stuff.
2007-11-29 16:22:08 +00:00
45ebb13627
fixed a race condition when building yacc stuff
2007-11-29 16:22:07 +00:00
e76e80b28b
From Arnaud Ebalard: some sanity checks, debug, and a better matching of SPD entries in getsp_r()
2007-11-09 16:28:14 +00:00
faf3c4a53b
From Arnaud Ebalard: Some sanity checking in pk_recv()
2007-11-09 16:27:58 +00:00
70597b6cab
From Arnaud Ebalard: Better matching of SPD entries in getsp_r().
2007-11-09 16:27:47 +00:00
cd8d63d79e
From Arnaud Ebalard: Added some debug in get_proposal_r().
2007-11-09 16:27:42 +00:00
c9951c135d
Fix for CVE-2007-4995 from OpenSSL CVS
2007-10-21 20:34:14 +00:00
57c0ea0775
Add SPLITNET_{INCLUDR_LOCAL}_CIDR to hook scripts
2007-10-19 03:37:18 +00:00
702eac21e5
Try to increase the buffer size of the pfkey socket, this may help things when we have a huge SPD
2007-10-15 16:05:01 +00:00
657e6e5324
new plog macro
2007-10-02 09:48:08 +00:00
4e4df07d61
From Scott Lamb: include plog.h to work with the new plog macro.
2007-10-02 09:47:55 +00:00
400c6ca5a9
From Scott Lamb: plog changed to _plog to work with new plog macro
2007-10-02 09:47:45 +00:00
c12d0d481a
From Scott Lamb: new plog macro.
2007-10-02 09:47:40 +00:00
0e0b59826f
apply a patch from openssl CVS to fix a remaining off-by-one error
...
in an older security fix, see
http://www.securityfocus.com/archive/1/480855/30/0/threaded
2007-09-28 13:09:26 +00:00
26182f1f5d
Set REUSE option on sockets to prevent failures associated with closing and immediately re-opening. Submitted by Gabriel Somlo.
2007-09-19 19:29:36 +00:00
33e6656ef9
Prevent duplicate entries in splitnet list. Submitted by Gabriel Somlo.
2007-09-19 19:20:25 +00:00
8293a09746
Fix autoconf check for selinux support. Submitted by Joy Latten.
2007-09-13 00:26:14 +00:00
aca8e1eed2
Implement clientaddr sainfo remote id option and refine the sainfo man page syntax.
2007-09-12 23:39:49 +00:00
6dda4e3f48
Use poll(2) to wait for rnd(4). The initialisation of OpenSSL's RNG
...
now works reliably if the first FD_SETSIZE file descriptors are in use.
2007-09-07 08:10:00 +00:00
324a68d0b7
Sort sainfo sections on insert and improve matching logic.
2007-09-05 06:55:44 +00:00
edac7dae7c
Correct the syntax for wins4 in the man page and add nbns4 as an alias. Pointed out by Claas Langbehn.
2007-09-03 18:08:42 +00:00
1c79bc103b
src/racoon/isakmp_xauth.c: Don't mix up RADIUS authentication and
...
authorization ports. Allow interoperability with freeradius
2007-08-07 04:35:01 +00:00
9fcfdb104e
Apply a patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1306 .
...
Fix nasty "error: channel 0: chan_read_failed for istate 3" message.
2007-07-31 03:09:49 +00:00
8628a88239
Update NEWS file with additional 0.7 improvements.
2007-07-24 04:29:23 +00:00
9b7e05e155
Various racoon configuration manpage updates.
2007-07-18 22:50:47 +00:00
0878f17383
PR/36665: Matthias Scheler: Thread support is not enabled in NetBSD's OpenSSL
...
I enabled it.
2007-07-18 20:19:56 +00:00
c3bc7fe364
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues
2007-07-18 12:07:49 +00:00
9f7ae421ea
fixed a socket leak
2007-07-16 15:05:10 +00:00
0fd2ceaf72
indentation
2007-07-16 15:03:13 +00:00
4d0c78dab0
PR/36624: Edgar Fu: sshd should not check pw_{expire,change} if UsePam is
...
enabled. This is what the "portable" version of openssh does.
2007-07-10 15:48:56 +00:00
a39c84a8c3
PR/36623: Edgar Fu: ssh publickey authentification fails if homedir not present
...
Removed extra realpath check that was introduced by a bogus merge.
2007-07-10 14:56:25 +00:00
30638c77c3
PR/36562: Takeshi Nakayama: sshd(8) HostbasedAuthentication fails after
...
upgrading to 4.0_BETA
Remove $HOME test since this is also used by sshd.
2007-06-26 18:28:34 +00:00
d1cb3ec527
remove unused variable.
2007-06-25 01:42:31 +00:00
c6b86acffc
don't use __progname for the pam service name. Hard-code it to "sshd"
2007-06-24 23:48:30 +00:00
72fe4c3a84
From Paul Winder <Paul.Winder@tadpole.com>:
...
Fix ignored INTERNAL_DNS4_LIST
2007-06-07 20:04:26 +00:00
6ae0ffb7d9
From Rong-En Fan: fix compilation with gcc 4.2
2007-06-06 15:37:15 +00:00
cc41629a4c
fixed compilation with gcc 4.2
2007-06-06 15:37:14 +00:00
6817ea28d9
speeds up interfaces update when they changed
2007-06-06 09:47:30 +00:00
1ed22670fa
From Jianli Liu: speed up interfaces update when they change.
2007-06-06 09:47:29 +00:00
7c53bfe0b6
ignore obsolete lifebyte when validating reloaded configuration
2007-06-06 09:18:16 +00:00
a16fcccee0
From Joy Latten <latten@austin.ibm.com>
...
Fix file descriptor shortage when using labeled IPsec.
2007-05-31 19:54:54 +00:00
23326f5b62
From Jianli Liu <jlliu@nortel.com>:
...
In racoonctl, use the specified socket path instead of the default location
2007-05-30 21:02:39 +00:00
5d1825b2a1
Use RESCUEDIR if set.
2007-05-17 00:17:50 +00:00
538010e358
coverity CID 4168: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 21:00:40 +00:00
dc073934fe
coverity CID 4170: yyerror() does not return, so we proceed to de-reference
...
NULL. Make it return -1 instead like in other places.
2007-05-16 20:59:04 +00:00
5e29f1f1bb
search a ph1 by address if iph2->ph1 is NULL when validating the new config
2007-05-04 14:33:38 +00:00
79dfa780cb
...
2007-05-04 09:10:07 +00:00
0f20ab497d
added some debug in getph1byaddr() to track some port matching problems with NAT-T
2007-05-04 09:09:54 +00:00
e91f01072a
added some debug in isakmp_chkph1there() to track some port matching problems with NAT-T
2007-05-04 09:09:47 +00:00
ff0f36d165
added some debug for DELETE_SA process
2007-05-04 09:09:35 +00:00
ae24f5b259
Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negociated as initiator
2007-05-04 09:09:26 +00:00
e3a1867a4d
fix usage error: use type for .Ft
2007-04-13 18:22:08 +00:00
ace683e685
checks proto_id in ipsecdoi_chkcmpids()
2007-04-04 13:09:36 +00:00
f31c3aee8e
dumps peer's ID and peer's certificate subject /subjectaltname if they don't match
2007-04-04 13:07:31 +00:00
52c7a2891e
Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code
2007-03-26 15:58:07 +00:00
8f6921b522
PR/36069: Huang Yushuo: racoon can't work with pam_group
...
Set RUSER.
2007-03-24 02:07:42 +00:00
2af4eed892
From Joy Latten: fix a segfault when using security labels between 32bit and 64bit host.
2007-03-23 15:43:19 +00:00
38a126966c
fixed a segfault when using security labels between a 32bit and a 64bit host
2007-03-23 15:43:18 +00:00
27934310cd
expire zombie handlers in getph2byid(), to avoid situations where we'll never negociate a phase2 again
2007-03-23 15:34:31 +00:00
1046a9e619
From Cyrus Rahman: give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:29 +00:00
a1d41ca41d
give more details about what is checked when using certificates to authenticate
2007-03-23 09:57:28 +00:00
27187d08ab
fixed subnet check to generate IPV4_ADDRESS when needed in sockaddr2id()
2007-03-22 10:26:19 +00:00
002f3b4723
checks if arg is NULL in SCHED_KILL
2007-03-21 14:37:58 +00:00
452cfb7edf
NULL sched check is now done in SCHED_KILL
2007-03-21 14:29:22 +00:00
43c152a498
checks if arg is NULL in SCHED_KILL
2007-03-21 14:28:59 +00:00
a270a7afb9
From Yves-Alexis Perez: enable monitoring of ipv6 address changes on Linux.
2007-03-15 14:12:12 +00:00
7a26f531db
enable monitoring of ipv6 addresse changes on linux
2007-03-15 14:12:11 +00:00
0fca99dc2f
Consider a negociation timeout when retry_counter is <=0 instead of < 0
2007-03-15 10:37:44 +00:00
2cf8149db2
resurect files that we need and make things compile again.
2007-03-10 23:05:24 +00:00
06993fb381
resolve conflicts.
2007-03-10 22:52:04 +00:00
38f7168c16
PR/35965: Kazushi Marukawa: SSHD doesn't work under protocol 1
...
This is a manifestation of a bug in OpenSSL 0.9.8e, which breaks
certain ciphers in OpenSSH <= 4.5p1. See:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-aesctr-openssh.html
http://bugzilla.mindrot.org/show_bug.cgi?id=1291
2007-03-10 17:18:31 +00:00
f0f7c41448
enable RFC/3779, requested by George Michaelson
2007-03-10 00:49:47 +00:00
01abf44400
resolve the not-quite-resolved cvs conflicts (a missing #endif)
2007-03-07 02:34:59 +00:00
d774015c29
resolve conflicts
2007-03-06 23:47:18 +00:00
b22ff73a10
Import OpenSSL 0.9.8e
2007-03-06 21:12:00 +00:00
17fe25abca
eliminate caddr_t
2007-03-04 08:21:34 +00:00
adf474a143
Add logic to allow ip address ids to be matched to ip subnet ids when
...
appropriate.
2007-02-28 05:36:45 +00:00
f1c1e37275
block variable declaration before code in ipsecdoi_id2str()
2007-02-21 11:01:06 +00:00
740b198715
Removed a debug printf....
2007-02-20 16:32:28 +00:00
bd81981229
Only delete a generated SPD if it's creation date matches the creation date of the SA we are currently deleting
2007-02-20 09:11:30 +00:00
1cb0c229b8
updated delete_spd() calls
2007-02-20 09:11:14 +00:00
19df9f5fcc
fills creation date of generated SPDs
2007-02-20 09:11:03 +00:00
57d8173408
added 'created' var
2007-02-20 09:10:47 +00:00
3c99a9f776
Removed a debug printf....
2007-02-19 13:08:47 +00:00
496e74bcde
From Olivier Warin: Fix a %zu in a printf.
2007-02-16 11:01:35 +00:00
834d2e72c5
Fixed a %zu in a printf
2007-02-16 11:01:34 +00:00
eac241862b
Missing SELinux file
2007-02-15 16:31:38 +00:00
1b2a464d38
Missing stuff for SELinux
2007-02-15 16:23:40 +00:00
6c4dc9e4c6
From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().
2007-02-15 13:01:26 +00:00
5f4b4e0b21
Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote()
2007-02-15 13:01:25 +00:00
6ced6eb0cd
Fixed the way phase1/2 messages are sent/resent, to avoid zombie handles and acces to freed memory
2007-02-15 10:19:24 +00:00
b552802596
It's no longer basesrc.
2007-02-05 18:12:43 +00:00
5374d6ac89
Fixed a check of NAT-T support in libipsec
2007-02-02 13:42:28 +00:00
1634f1d295
From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.
2007-02-01 08:48:32 +00:00
e25ad0ee61
When receiving an Isakmp DELETE_SA, gets the cookie of the SA to be deleted from payload instead of just deleting the Isakmp SA used to protect the informational
2007-02-01 08:48:31 +00:00
15b0193490
Refer to RFC 4716 in two more places (instead of "IETF SECSH").
...
From jmc@openbsd.
2007-01-23 22:21:54 +00:00
a740eb5ac0
CID-4268: `c' is EOF here, remove deadcode
2006-12-26 00:06:03 +00:00
bdf6fc4f47
CID-4167: check for 'iph1->approval != NULL'
2006-12-26 00:04:00 +00:00
a0a9492dc8
Talk of RFC 4716 SSH public key format instead of SECSH public key format.
...
From markus@openbsd via jmc@openbsd (rev 1.73).
2006-12-24 10:06:03 +00:00
7ce75c98d8
Mention RFC 4716. From markus@openbsd via jmc@openbsd (rev. 1.266).
2006-12-24 10:04:08 +00:00
9e2cc05c4b
Use even more macros.
2006-12-23 09:29:53 +00:00
710cf70831
Use more macros.
2006-12-23 09:29:01 +00:00
fc51d9d324
Serial comma, and bump date for previous.
2006-12-23 09:22:52 +00:00
1a38b96eff
From Joy Latten: fix a memory leak
2006-12-18 10:15:30 +00:00
591299b29f
fixed a memory leak in crypto_openssl
2006-12-18 10:15:29 +00:00
fcdf5459d0
branch 0.7 created
2006-12-10 22:36:06 +00:00
7c683c0b23
Bring back API and ABI backward compatibility with previous libipsec before
...
recent interface change. Bump libipsec minor version. Remove ifdefs in
struct pfkey_send_sa_args to avoid ABI compatibility lossage.
Add a capability flags to detect missing optional feature in libipsec
2006-12-10 18:46:39 +00:00
78f5cfece3
From Joy Latten: README.plainrsa documenting plain RSA auth
2006-12-10 05:51:14 +00:00
99a403e274
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
...
libipsec interface for adding and updating security associations.
2006-12-09 05:52:57 +00:00
10cadc281e
From Simon Chang: More hints about plain RSA authentication
2006-12-09 05:44:34 +00:00
3db7f7800e
Check keys length regarding proposal_check level
2006-12-05 13:38:40 +00:00
8ceadc3208
Correct issues associated with anonymous sainfo selection in racoon.
2006-11-16 00:30:55 +00:00
ea8336c632
As uwe points out, it looks like the L on the version constant was
...
accidentally removed. Add it back, especially as the documentation still
claims that the constant is a long.
2006-11-14 22:30:33 +00:00
1be366570b
From http://www.openssh.org/txt/release-4.5 : (CVE-2006-5794)
...
* Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities.
Bump __NETBSDSSH_VERSION
2006-11-14 21:52:09 +00:00
600680c6c3
merge conflicts.
2006-11-13 21:55:36 +00:00
4a5ea8ca2f
import 0.9.8d
2006-11-13 21:16:04 +00:00
9f3fa7dc87
eliminate the only variable stack array allocation.
2006-11-09 20:22:18 +00:00
94eb6e9da8
fix typo
2006-11-09 19:51:06 +00:00
f06f014bee
use malloc when ssp
2006-11-09 19:50:03 +00:00
577883a31d
Don't define the deprecated IPV6_RECVDSTADDR if the "advanced IPv6 API" is
...
used because IPV6_RECVPKTINFO and IPV6_PKTINFO are used to prevent
potential bugs in the future just in case that the numeric value of the
socket option is ever recycled.
2006-10-31 00:17:21 +00:00
05ad853be0
one more to catch up with the new location for sha2.h
2006-10-28 23:07:23 +00:00
b0d7d1da89
From Michal Ruzicka: fix typos
2006-10-22 15:10:31 +00:00
df130f3c13
fixed typos
2006-10-22 15:10:30 +00:00
5328e8c78b
Added ipsecdoi_chkcmpids() function
2006-10-19 09:36:22 +00:00
3835b0b6a5
From Matthew Grooms: use ipsecdoi_chkcmpids() and changed src/dst to loc/rmt in getsainfo().
2006-10-19 09:35:51 +00:00
b0f2fc5ddb
From Matthew Grooms: Added ipsecdoi_chkcmpids() function.
2006-10-19 09:35:44 +00:00
9480ff5303
Change the default sshd configuration file so that only protocol version 2
...
is enabled by default. Users can manually add back support for protocol
version 1 in their sshd_config if they have a specific need for it.
Suggested by perry@ and ghen@. Ok'ed security-officer@ and christos@
2006-10-15 14:01:53 +00:00
966e3f130f
Fix memory leak (Coverity 3438 and 3437)
2006-10-09 06:32:59 +00:00
331d3b1287
List modified files for last commit
2006-10-09 06:21:11 +00:00
6eca4f09f3
Correctly check read() return value: it's signed (Coverity 1251)
2006-10-09 06:17:20 +00:00
f34e7857d3
keep len correct when substituting variables - fixes PR/24458
2006-10-08 22:21:14 +00:00
56f4977415
Camelia cipher support as in RFC 4312, from Tomoyuki Okazaki
...
<okazaki@kick.gr.jp>
2006-10-06 12:02:26 +00:00
ee4546d741
unbreak gcc-3 builds.
2006-10-04 14:31:55 +00:00
a9fc92da63
PR/34681: Scott Ellis: Explicitly include <sys/socket.h>
2006-10-04 14:30:35 +00:00
1eafb02344
put back ignorerootrhosts
2006-10-04 14:26:31 +00:00
20d3dfdcfa
fix endianness issue introduced yesterday
2006-10-03 20:43:10 +00:00
2b72a4f236
remoteid/ph1id support
2006-10-03 08:04:31 +00:00
b45c893ef4
Added remoteid/ph1id syntax
2006-10-03 08:03:59 +00:00
7d2c6acefd
Parses remoteid/ph1id values
2006-10-03 08:03:33 +00:00
dd3c365568
Uses remoteid/ph1id values
2006-10-03 08:02:51 +00:00
80d5a8a518
Added remoteid/ph1id values
2006-10-03 08:01:56 +00:00
9547d0f260
avoid reusing free'd pointer (Coverity 2613)
2006-10-02 21:51:33 +00:00
1966cc3311
Check for NULL pointer (COverity 4175)
2006-10-02 21:47:32 +00:00
e1ade705e1
Remove dead code (Coverity 3451)
2006-10-02 21:41:59 +00:00
520ec462f7
Fix array overrun (Coverity 4172)
2006-10-02 21:33:14 +00:00
e5d24ec446
Fix memory leak (Coverity 2002)
2006-10-02 21:27:08 +00:00
cdb1e64a8c
Fix memory leak (Coverity 2001), refactor the code to use port get/set
...
functions
2006-10-02 21:19:43 +00:00
cd350eaf6d
Avoid reusing free'd pointer (Coverity 4200)
2006-10-02 20:52:17 +00:00
d564be9350
Don't use NULL pointer (Coverity 3443), reformat to 80 char/line
2006-10-02 18:54:46 +00:00
f54a9b4797
If you're going to initialize a pointer, you have to init it with a pointer
...
type, not an int.
2006-10-02 12:44:40 +00:00
68e9583818
Don't use NULL pointer (coverity 3439)
2006-10-02 12:04:53 +00:00
5227e9475b
Don't use NULL pointer (Coverity 1334)
2006-10-02 11:59:40 +00:00
41042afaf6
Don't use NULL pointer (Coverity 944)
2006-10-02 07:17:57 +00:00
01d5ad642c
Don't use NULL pointer (Coverity 941)
2006-10-02 07:15:09 +00:00
9a55720f5c
Don't use NULL pointer (Coverity 942)
2006-10-02 07:12:26 +00:00
bfd607cda0
Don't use null pointer (Coverity 863)
2006-10-02 07:08:25 +00:00
626d146a75
FIx memory leak (Coverity 4181)
2006-10-01 22:04:03 +00:00
7be862b0db
Check that iph1->remote is not NULL before using it (Coverity 3436)
2006-10-01 19:23:57 +00:00
c7242e7e9f
emove dead code (Coverity 4165)
2006-09-30 21:49:37 +00:00
07b750b745
Fix memory leak (Coverity 4179)
2006-09-30 21:38:39 +00:00
df69765a89
update the scripts for wrorking around routing problems on NetBSD
2006-09-30 21:22:21 +00:00
172675f3db
Reuse existing code for closing IKE sockets, and avoid screwing things by
...
setting p->sock = -1, which is not expected (Coverity 4173).
2006-09-30 16:14:18 +00:00
d5f44674f8
Do not free id and key, as they are used later
2006-09-30 15:51:42 +00:00
55269b80c3
Grab a couple of lines from OpenSSH-portable that allow PAM authentication
...
to succeed. I guess the default configuration of NetBSD wasn't tested
before the import...
2006-09-29 22:47:21 +00:00
efb59e1b32
Fix the fix: handle_recv closes the socket, so we must call com_init before
...
sending any data.
2006-09-29 21:39:35 +00:00
8da6ea8890
Check for cert being NULL too.
2006-09-29 17:07:32 +00:00
897b34d36d
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
...
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows
remote attackers to cause a denial of service (inifnite loop
and memory consumption) via malformed ASN.1 structures that
trigger an improperly handled error condition.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions allows attackers to cause a denial of service (CPU
consumption) via certain public keys that require extra time
to process.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
Buffer overflow in the SSL_get_shared_ciphers function in
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier
versions has unspecified impact and remote attack vectors
involving a long list of ciphers.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Unspecified vulnerability in the SSLv2 client code in OpenSSL
0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions
allows remote servers to cause a denial of service (client
crash) via unknown vectors.
2006-09-29 15:41:08 +00:00
f1afbc1ee7
Use PRIu64 instead of llu when printing an u_int64_t.
...
Fixes a build problem for our LP64 ports, where u_int64_t is
typically an unsigned long.
2006-09-29 14:36:34 +00:00
a4970f4ee7
The "success" field in Authctxt needs to be a sig_atomic_t, not an int,
...
so that we don't get a type conflict on dispatch_run() invocation. Found
while building for alpha and amd64.
2006-09-29 14:34:25 +00:00
229f040cb9
We need this again.
2006-09-28 21:23:13 +00:00
c5a8b87f73
Resolve conflicts
2006-09-28 21:22:14 +00:00
49b7694919
from www.openssh.org
2006-09-28 21:14:57 +00:00
ca09533497
Fix unchecked mallocs (Coverity 4176, 4174)
2006-09-28 20:30:13 +00:00
87b827ea10
Fix access after free (Coverity 4178)
2006-09-28 20:09:35 +00:00
eb5be25aad
Fix memory leak (Coverity)
2006-09-26 21:42:55 +00:00
8b9e0af1db
Fix memory leak (Coverity)
2006-09-26 21:25:52 +00:00
1d587602b5
Remove dead code (Coverity)
2006-09-26 21:10:55 +00:00
75ada6df8d
Fix memory leak (Coverity)
2006-09-26 21:06:54 +00:00
ab1354320a
One more memory leak
2006-09-26 20:58:03 +00:00
ea585e8293
Fix memory leak in racoonctl (coverity)
2006-09-26 20:51:43 +00:00
f693deda72
Fix buffer overflow
...
Also fix credits: SA bundle fix was contributed by Jeff Bailey, not
Matthew Grooms. Matthew updated the patch for current code, though.
2006-09-26 04:44:41 +00:00
e63f95d0e9
fix SA bundle (e.g.: for negotiating ESP+IPcomp)
2006-09-26 04:41:26 +00:00
e2a943b3df
From Yves-Alexis Perez: struct ip -> struct iphdr for Linux
2006-09-25 17:42:08 +00:00
0fa07a8062
struct ip -> struct iphdr for Linux
2006-09-25 17:42:07 +00:00
1127a06ee3
style (mostly for testing ipsec-tools-commits@netbsd.org)
2006-09-25 05:08:52 +00:00
22ddfb23b1
Fix double free, from Matthew Grooms
2006-09-25 04:49:39 +00:00
542839bac0
credit
2006-09-21 09:43:47 +00:00
3c6750b831
use sysdep_sa_len to make it compile on Linux
2006-09-21 09:42:08 +00:00
a7c4d7d4ac
Bump date for ike_frag force.
2006-09-19 18:55:11 +00:00
a5dc6b2e53
New sentence, new line.
2006-09-19 18:54:39 +00:00
5f831f347b
Remove trailing whitespace.
2006-09-19 18:53:12 +00:00
efd02bc82c
From Yves-Alexis Perez: fixes default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:10 +00:00
60cd4fed98
fixed default value for encmodesv in set_proposal_from_policy()
2006-09-19 16:02:09 +00:00
51065440a5
various commits
2006-09-19 07:51:44 +00:00
7ea7300ed8
always include some headers, as they are required even without NAT-T
2006-09-19 07:51:37 +00:00
a2afb48bcf
From Larry Baird: define SADB_X_EALG_AESCBC as SADB_X_EALG_AES if needed
2006-09-19 07:51:31 +00:00
478aed1af7
From Larry Baird: some printf() -> plog()
2006-09-19 07:51:27 +00:00
c18d9daa6a
From Matthew Grooms:
...
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)
2006-09-18 20:32:40 +00:00
504b73aa2f
removed generated files from the CVS
2006-09-18 09:11:06 +00:00
3992c65302
removed generated files from the CVS
2006-09-18 08:43:00 +00:00
90cc2f12b1
removed generated files from the CVS
2006-09-18 08:13:46 +00:00
f291901204
From Matthew Grooms:
...
handle IKE frag used in the first packet. That should not normally happen,
as the initiator does not know yet if the responder can handle IKE frag.
However, in some setups, the first packet is too big to get through, and
assuming the peer supports IKE frag is the only way to go.
racoon should have a setting in the remote section to do taht (something
like ike_frag force)
2006-09-18 08:05:47 +00:00
5a85c00571
Trivial bugfix in RFC2407 4.6.2 conformance, from Matthew Grooms
2006-09-16 04:31:38 +00:00
2b7658dc54
Fix build on Linux
2006-09-15 09:40:44 +00:00
c8214a0a83
Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
...
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.
2006-09-09 16:22:08 +00:00
e3de131b63
Migrate ipsec-tools CVS to cvs.netbsd.org
2006-09-09 16:11:26 +00:00
8d13789c5a
Apply the third version of the patch from OpenSSL to address this issue.
...
- Rollback the updates for rsa.h, rsa_eay.c and rsa_err.c as they were
not necessary to address this vulnerability.
- Small update to the patch for rsa_sign.c for backward compatability so
the same patch can be applied to 0.9.[6-9]
2006-09-06 22:47:11 +00:00
90f5d4a3e0
Apply patch-CVE-2006-4339.txt
...
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures. If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.
Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.
2006-09-05 12:24:08 +00:00
85f4c6eabf
Pull over OpenBSD v1.97, forwarded by jmc@openbsd:
...
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
ok deraadt
2006-08-10 00:34:32 +00:00
444e690921
Remove various dotfiles that wandered their way in.
2006-06-18 08:59:39 +00:00
a697e6653a
Adapt to new return value from socket(2) for an unsupported
...
protocol/address family.
2006-06-14 15:36:00 +00:00
ed56312e8a
resolve conflicts.
2006-06-03 01:50:19 +00:00
387e0d89ab
ftp www.openssl.org
2006-06-03 01:43:51 +00:00
b8b11c345a
ftp www.openssl.org
2006-06-03 01:39:48 +00:00
4f500646a9
Add a missing ')' to fix the example code. Already fixed in openssl upstream.
2006-05-24 16:44:34 +00:00
d46617757a
XXX: GCC uninitialized variable
2006-05-14 02:40:03 +00:00
b943fcf792
XXX: GCC uninitialized variables
2006-05-14 02:17:32 +00:00
f8418c0954
use socklen_t where appropriate.
2006-05-11 11:54:14 +00:00
54e9f4ccbc
wait_until_can_do_something() wants u_int * for it's 4th argument.
2006-05-11 09:27:06 +00:00
965a873335
avoid lvalue casts.
2006-05-11 00:05:45 +00:00
4d2c417597
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 00:04:07 +00:00
084c052803
quell GCC 4.1 uninitialised variable warnings.
...
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
0c37c63edc
change (mostly) int to socklen_t. GCC 4 doesn't like that int and
...
socklen_t are different signness.
2006-05-09 20:18:05 +00:00
4cd8515cfc
Add a NetBSD RCS ID.
2006-04-15 13:43:11 +00:00
83620ded04
Remove references to KerberosIV.
2006-03-23 19:58:03 +00:00
504a2dd02c
Pull in from djm@OpenBSD:
...
remove IV support from the CRC attack detector, OpenSSH has never used
it - it only applied to IDEA-CFB, which we don't support.
Thanks to deraadt@OpenBSD for looking into this one.
2006-03-22 23:04:39 +00:00
e13746b11b
Fix krb4 compilation (although krb4 is removed, this leaves the code compiling)
2006-03-21 00:01:29 +00:00
dc4926056e
plug leak, coverity cid 2014.
2006-03-20 16:42:34 +00:00
204152ace9
plug leak, coverity cid 2027.
2006-03-20 16:41:46 +00:00
04b503af06
plug leaks, coverity cids 2030, 2031.
2006-03-20 16:40:25 +00:00
3a008ccc30
plug leak, coverity cid 2019.
2006-03-20 16:39:05 +00:00
9266948705
plug leaks, coverity cids 2012, 2013.
2006-03-20 16:36:31 +00:00
14c3ee98a9
fix null deref, coverity cid 953.
2006-03-20 16:31:45 +00:00
85e611dd01
Goodbye KerberosIV
2006-03-20 04:03:10 +00:00
1db63daa9d
fix compilation after des.h change. The countdown to krb4 has started.
2006-03-20 02:18:59 +00:00
e4547e1148
Coverity CID 1904: Don't leak memory on error.
2006-03-19 22:49:59 +00:00
a09bebd7da
Don't forget to free reply on failure.
2006-03-19 22:45:03 +00:00
5ebcdaa51a
Add casts to compile again.
2006-03-19 21:45:33 +00:00
4ea32734dc
Make this compile again, before I nuke it from orbit.
2006-03-19 21:01:17 +00:00
2ff3564ba8
fix memory leak, coverity cid 2032.
2006-03-19 16:48:36 +00:00
0a2d3f7a19
fix memory leaks, coverity cid 2016.
2006-03-19 16:47:09 +00:00
f6bc7e7627
fix memory leaks, coverity cids 2028, 2029.
2006-03-19 16:40:32 +00:00
2741a951b4
fix fd leak, coverity cid 2015.
2006-03-19 16:33:26 +00:00
be71d6bbfd
fix null deref, coverity cid 1341.
2006-03-19 16:29:43 +00:00
8a41610291
fix null deref, coverity cid 1339.
2006-03-19 16:23:19 +00:00
28788b89c7
fix null deref, coverity cid 1340.
2006-03-19 16:20:47 +00:00
d5b9c02e8c
add a semi colon.
2006-03-19 08:00:19 +00:00
4fcb2eb6de
Coveriry CID 1998: Fix memory leak.
2006-03-18 22:17:48 +00:00
6c6e841e30
Don't dereference NULL pointer, found by Coverity, CID 954.
2006-03-18 21:09:57 +00:00
ccd53bd92b
reform a loop to be prettier and appease coverity CID 2618
2006-03-18 10:41:24 +00:00
79787ff03b
Fix Coverity run 5, issue 2021 -- memory leak.
...
Approved by christos@.
2006-03-18 10:22:46 +00:00
1f89beeb43
Fix Coverity run 5, issue 1966 -- memory leak
...
Approved by christos@.
2006-03-18 10:19:09 +00:00
2de2502171
Make sure the right error is reported later, if all socket() calls fail.
...
If we close the invalid sock, we'll report EBADF later in that case.
2006-03-01 15:39:00 +00:00
6aece482c0
On non-fatal errors (identified: EPROTONOTSUPPORT), don't output the
...
error message unless debugging - the error for the last address tried
will be shown anyway, and earlier errors without context are only confusing
the user.
2006-03-01 15:18:09 +00:00
dd8ccf5b99
Add a namespace.h to rename the most conflict inducing names from libssh.
...
Idea from thorpej.
2006-02-13 16:49:33 +00:00
e245f48109
The sig_atomic_t type is not guaranteed to be printf-compatible
...
with %d, so cast to int before printing it.
2006-02-08 23:08:13 +00:00
55c58b142d
bring in new file needed from the portable openssh.
2006-02-04 22:32:54 +00:00
fab0e5bf66
resolve conflicts
2006-02-04 22:32:13 +00:00
c7a1af8c71
From ftp.openbsd.org.
2006-02-04 22:22:31 +00:00
ef2fdd1d7f
qsieve(6) -> qsieve(1)
2006-01-24 19:16:53 +00:00
7e91ac6596
Sort SEE ALSO.
2006-01-22 00:33:27 +00:00
7db6fc6be2
xref qsieve(6).
2006-01-19 23:31:09 +00:00
7f50c0a531
make software behave as the documentation advertise for INTERNAL_NETMASK4.
...
Keep the old INTERNAL_MASK4 to avoid breaking backward compatibility.
2006-01-07 23:51:50 +00:00
aa419ec271
enable cryptodev.
2005-12-31 00:08:34 +00:00
e1a76ccb7e
netbsd has issetugid()
2005-12-31 00:07:26 +00:00
06b42f5e66
Redo previous rework to generate yacc/lex output again and remove generated
...
copies from the import as they don't compile clean across all archs.
2005-12-16 16:25:07 +00:00
07c3097258
Allow archs to override BF_PTR
2005-12-13 09:50:52 +00:00
3804e42335
Back out bn/bn.h rev. 1.9:
...
> use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
> breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
Instead define SIXTY_FOUR_BIT_LONG where apropriate.
Regression tests still pass on sparc64 and i386. Furthermore this allows
us to finaly close PR 28935 (thanks to christos for removing the local
hacks on last import).
2005-12-12 19:50:26 +00:00
a5b1c92448
Add NAT ports to SAD in setkey so that NAT SAD entries generated by
...
racoon can be removed by hand.
2005-12-04 20:46:40 +00:00
cb9321f06d
use intptr_t not U_LONG to cast from a pointer to an int.
2005-11-28 19:08:30 +00:00
bfae00e6c7
use explicitly sized types for U_LLONG U_LONG and LONG; otherwise bn
...
breaks on 64 bit platforms. The "LONG" openssl wants is really a 32 bit int.
2005-11-28 19:07:42 +00:00
ea39e380db
Adjust to the new openssl
2005-11-26 02:32:58 +00:00
b1d8541f7b
Add casts.
2005-11-25 22:28:31 +00:00
859fae516a
change back to match the openssl original prototype.
2005-11-25 22:22:44 +00:00
c4bfa0c238
XXX: This file does not really belong here.
...
Add ENGINESDIR define
2005-11-25 20:35:41 +00:00
50a9cbc98b
Resolve conflicts:
...
1. Instead of trying to cleanup the ugly ifdefs, we leave them alone so that
there are going to be fewer conflicts in the future.
2. Where we make changes to override things #ifdef __NetBSD__ around them
so that it is clear what we are changing. This is still missing in some
places, notably in opensslconf.h because it would make things messier.
2005-11-25 19:14:11 +00:00
8dc8acfeef
from http://www.openssl.org/source
2005-11-25 03:02:45 +00:00
11cf64bdd7
New sentence, new line. Remove trailing whitespace.
...
Mark up paths with .Pa.
2005-11-24 20:23:02 +00:00
7fc03cd9fa
Merge ipsec-tools 0.6.3 import
2005-11-21 14:20:29 +00:00
6e7df3c68b
From Yves-Alexis Perez: use sysdep_sa_len to make it compile on Linux
2005-11-21 14:20:28 +00:00
c263eb3142
Merge ipsec-tools 0.6.3 import
2005-11-21 14:20:28 +00:00
fdc9ad890d
Import IPsec-tools 0.6.3. This fixes several bugs, including bugs that
...
caused DoS.
2005-11-21 14:11:59 +00:00
982fc9c517
Merge ipsec-tools 0.6.2 import.
2005-10-14 14:01:34 +00:00
a37873eef0
Import ipsec-tools-0.6.2. Here is the ChangeLog since 0.6.1 (most of them
...
have already been pulled up in NetBSD CVS)
---------------------------------------------
0.6.2 released
2005-10-14 Yvan Vanhullebus <vanhu@netasq.com>
* src/racoon/ipsec_doi.c: don't allow NULL or empty FQDNs or
USER_FQDNs (problem reported by Bernhard Suttner).
---------------------------------------------
0.6.2.beta3 released
2005-09-05 Emmanuel Dreyfus <manu@netbsd.org>
From Andreas Hasenack <ahasenack@terra.com.br>
* configure.ac: More build fixes for Linux
---------------------------------------------
0.6.2.beta2 released
2005-09-04 Emmanuel Dreyfus <manu@netbsd.org>
From Wilfried Weissmann
* src/libipsec/policy_parse.y src/racoon/{ipsec_doi.c|oakley.c}
src/racoon/{sockmisc.c|sockmisc.h}: build fixes
---------------------------------------------
0.6.2.beta1 released
2005-09-03 Emmanuel Dreyfus <manu@netbsd.org>
From Francis Dupont <Francis.Dupont@enst-bretagne.fr>
* src/libipsec/pfkey.c src/racoon/pfkey.c: Cope with extensions
2005-08-26 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/cfparse.y: handle xauth_login correctly
* src/racoon/isakmp.c: catch internal error
* src/raccon/isakmp_agg.c: fix racoon as Xauth client
* src/raccon/{isakmp_agg.c|isakmp_base.c}: Proposal safety checks
* src/racoon/evt.c: Fix memory leak when event queue overflows
2005-08-23 Emmanuel Dreyfus <manu@netbsd.org>
* src/racoon/{isakmp_agg.c|isakmp_ident.c|isakmp_base.c}: Correctly
initialize NAT-T VID to avoid freeing unallocated stuff.
2005-08-21 Emmanuel Dreyfus <manu@netbsd.org>
From Matthias Scheler <matthias.scheler@tadpole.com>
* src/racoon/{isakmp_cfg.c|racoon.conf.5}: enable the use of
ISAKMP mode config without Xauth.
2005-09-16 Yvan Vanhullebus <vanhu@free.fr>
* src/racoon/policy.c: Do not parse all sptree in inssp() if we
don't use Policies priority.
2005-08-15 Emmanuel Dreyfus <manu@netbsd.org>
From: Thomas Klausner <wiz@netbsd.org>
src/setkey/setkey.8: Drop trailing spaces
2005-10-14 13:21:42 +00:00
decff3d730
Add a preprocessor symbol so we can distinguish fixed openssl
...
from the vanilla openssl. Thanks <jlam>.
2005-10-11 21:17:17 +00:00
ed304be38e
fix openssl 2.0 rollback, CAN-2005-2969
...
approved by: agc
2005-10-11 18:07:40 +00:00
e3886d37ea
Add "openssl_" to man page references if they are available.
...
Fixes part of PR security/13953. Fixing the rest of the PR requires
adding more man pages.
2005-10-05 23:47:30 +00:00
c557aaf18f
Fix bug when using hybrid auth in client mode
...
make xauth_login work again
add safety checks
2005-09-26 16:24:57 +00:00
e83e36d896
fix spelling from Liam Foy.
2005-09-24 22:45:51 +00:00
b9301b48d0
fix typos.
2005-09-24 17:34:17 +00:00
2192079ea8
use get*_r()
2005-09-24 14:40:59 +00:00
54a773e9d7
Can we please stop using caddr_t?
2005-09-24 14:40:39 +00:00
e904ea2e97
Drop trailing whitespace.
2005-09-23 19:58:28 +00:00
7e2e2c16ff
Correctly initialize NAT-T VID to avoid freeing unallocated space
2005-09-23 14:22:27 +00:00
3cc3e3c7a3
Correct documentation about Mode Config. It now works without XAuth, too.
...
Patch supplied by Emmanuel Dreyfus on the "ipsec-tools" mailing list.
2005-09-21 15:06:22 +00:00
dc5127a31e
Make "Mode Config" work if XAuth is not used.
2005-09-21 12:46:08 +00:00
a6040f634b
PR/13738: Johan Danielsson: ssh doesn't look at $HOME
2005-09-18 18:39:05 +00:00
5391e24af6
Make -D behave like -L (obey GatewayPorts). Before it defaulted to listen
...
to wildcard which is not secure.
2005-09-18 18:27:28 +00:00
218a95c0f2
Document that -D takes bind_address.
2005-09-18 16:22:35 +00:00
e6f32f6f02
Drop trailing whitespace.
2005-09-15 08:42:09 +00:00
5db1262f0e
PR/31261: Mark Davies: ssh invokes xauth with bogus argument
2005-09-09 12:24:37 +00:00
453555bc8b
PR/31243: Mark Davies: sshd uses pipes rather than socketpairs, making bash
...
not execute .bashrc. Since socketpairs work on all NetBSD systems, make it
the default.
2005-09-09 12:20:12 +00:00
8f1a245ebd
Use default_md = sha1 in ``req'' section too, so we don't fallback to MD5.
...
Noted by smb@.
2005-09-01 21:35:25 +00:00
98e0d8f19f
SHA1 is a better default than MD5.
...
Discussed with Steven M. Bellovin.
Closes PR/30395.
2005-08-27 12:32:15 +00:00
0b97cbeb71
Update to ipsec-tools 0.6.1
2005-08-20 00:57:06 +00:00
96ae7759c9
Import ipsec-tools 0.6.1
2005-08-20 00:40:43 +00:00
c8f5575b45
End sentence with a dot.
2005-08-14 09:25:08 +00:00
c91d1d213a
Drop trailing whitespace.
2005-08-07 11:19:35 +00:00
111c13fe24
Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
...
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.
2005-08-07 09:38:45 +00:00
df08b9e74a
Update ipsec-tools to 0.6.1rc1
...
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.
2005-08-07 08:46:11 +00:00
1a191ad79e
PR/29862: Denis Lagno: sshd segfaults with long keys
...
The problem was that the rsa fips validation code did not allocate long
enough buffers, so it was trashing the stack.
2005-07-30 00:38:40 +00:00
182dc837b5
Move a variable declaration to the variable declaration section of
...
the enclosing block from within the middle of active code, so that
this compiles with older gcc. Fixes build problem for vax.
2005-07-14 11:26:57 +00:00
b0602a2f44
Add safety checks for informational messages
2005-07-12 21:33:01 +00:00
50c09443b0
Backout botched patch, approved by Emmanuel Dreyfus.
2005-07-12 19:17:37 +00:00
132d72e25b
Add SHA2 support
2005-07-12 16:49:52 +00:00
7736ad81cf
Add comments on how to use the hook scripts without NAT-T
2005-07-12 16:33:27 +00:00
ecb971f5f8
Don't wipe out IKE ports for SA update as it breaks things: the SA is taken
...
from an existing SA and already has matching IKE ports.
2005-07-12 16:24:29 +00:00
91b9c188b3
Add support for alrogithms with non OpenSSL default key sizes
2005-07-12 14:51:07 +00:00
e0dd78cfbd
Don't use adminport when it is disabled
2005-07-12 14:15:39 +00:00
4c94bccce3
Set IKE ports to 0 in SA when NAT-T is not in use. This fixes problems
...
when NAT-T is disabled
2005-07-12 14:14:46 +00:00
929f80643d
Safety checks on informational messages
2005-07-12 14:13:10 +00:00
8bc1e3c0ac
pkcs7 support
2005-07-12 14:12:20 +00:00
d3544c4e45
Document that "aes" can be used for IKE and ESP encryption.
2005-07-07 12:34:17 +00:00
eb8e3b9ad4
Add proper casts. Fix a problem where (uint32_t < ~0). Cast both ~0's to
...
u_int, since this is what the author intended.
2005-06-28 16:12:41 +00:00
ca496ece2e
- Add lint comments
...
- Fix bad casts.
- Comment out unused variables.
2005-06-28 16:04:54 +00:00
a1625e9ee8
Fix an error I introduced in the previous commit. The length could be 0.
...
Also parenthesize an expression properly.
2005-06-28 16:03:09 +00:00
444efb36db
deal with casting/caddr_t stupidity. It is not 1980 anymore and people should
...
start using void *, instead of caddr_t.
2005-06-27 03:19:45 +00:00
983e538712
Collect externs into one file instead of duplicating them everywhere.
2005-06-26 23:49:31 +00:00
dd8cdde018
Fix compiler warnings.
2005-06-26 23:34:26 +00:00
fba8d9ce60
Fix some of the pointer abuse, and add some const. Not done yet.
2005-06-26 21:14:08 +00:00
dd3259cec0
NAT-T fix: We treat null ports in SPD as wildcard so that IKE ports
...
are used instead. This was done on phase 2 initiation from the kernel
(acquire message), but not on phase 2 initiation retries when the
phase 2 had been queued for a phase 1.
2005-06-22 21:28:18 +00:00
13ca728372
Consume NAT-T packets that have already been seen through MSG_PEEK
2005-06-15 07:29:20 +00:00
7bbdd188e1
appease gcc -Wuninitialized on hp700.
2005-06-05 19:08:28 +00:00
6ec5a5a9b7
Fix Xauth login with PAM authentication
2005-06-04 22:09:27 +00:00
2c39301c40
Endianness bug fix
2005-06-04 21:55:05 +00:00
311dff8be0
Missing 0th element in rm_idtype2doi array
2005-06-03 22:27:06 +00:00
d687f4502c
appease gcc -Wuninitialized
2005-06-02 04:59:17 +00:00
936a4cd73f
Don't attempt to close a random file descriptor upon error.
...
Detected with gcc -Wuninitialized.
2005-06-02 04:57:33 +00:00
08ef6270ca
appease gcc -Wuninitialized
2005-06-02 04:56:14 +00:00
89f4d29f7d
Appease gcc -Wuninitialized, in a similar method used elsewhere in the
...
same function.
2005-06-02 04:43:45 +00:00
6e3cdc676d
appease gcc -Wuninitialized
2005-06-01 12:07:00 +00:00
8bf012821a
Drop trailing whitespace.
2005-05-25 16:57:39 +00:00
bf77c4e4b3
Drop trailing whitespace and a grammar fix.
2005-05-25 10:09:36 +00:00
tteras