| Age | Commit message (Collapse) | Author |
|---|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
|
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
r1.39. Issue originally reported by Anton Kasimov via rob@.
OK claudio@
|
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
|
|
|
some objects at shutdown thereby allowing for a tighter unveil.
Feedbackup from deraadt@ and martijn@.
OK deraadt@
|
|
to privsep_procid.
ok mortimer
|
|
Tweak and ok martijn@
|
|
Suggested by martijn@, ok claudio@
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
This warning was present since an incorrect cast was removed in r1.11.
Add the cast to the correct place, i.e., cast to the wider type.
ok florian martijn
|
|
ldapd infers certificate and key paths from the configured certificate
string. It appends ".crt" and ".key", respectively, and in the case of
a relative path it also prepends "/etc/ldap/certs/". A logic error
results in prepending "/etc/ldap/certs/" also for absolute paths. Avoid
this by making the whole thing readable at the cost of a bit of verbosity.
Problem reported by Maksim Rodin on misc@, thanks!
Initial fix from me, committing an improved version on behalf of martijn.
ok jmatthew, tb
|
|
attribute that can be used to extend existing LDAP users with the
additional bsdAccount objectclass. The former is useful for
ypldap+ldapd setups without login_ldap and the latter makes it
easier to use sshd's AuthorizedKeysCommand.
Originally from reyk,
revived by Aisha Tammy,
with input from many, especially Robert Klein.
|
|
protocols and ciphers. So you get a TLS server speaking TLSv1.0 and
supporting cipher suites with RC4 and 3DES encryption, all of which should
be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in
ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both
protocols and ciphers. If compatibility with the insecure legacy protocols
and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in
ldapd.conf.
tested by abieber.
inoguchi agrees with the direction.
ok beck
|
|
Diff from roklein <at> roklein <dot> de
OK claudio@
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
OK florian@
|
|
The handling of this changed with libutil/ber.c r1.12 resulting in starttls
failing.
Found by several.
Fix suggestion by roklein <at> roklein <dot> de
OK claudio@
|
|
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.
Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.
tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt
|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
ok millert nicm tb, etc
|
|
ok guenther@, claudio@
|
|
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync
in ldap, ldapd, ypldap and snmpd.
This commit moves the BER API into /usr/lib/libutil. All current consumers
already link libutil. ldapd and snmpd regress passes, and release builds.
With help from tb@ and guenther@.
ok deraadt@, tb@
|
|
fixes a problem when handling large negative integers.
ok claudio@
|
|
descriptor keeps CLOEXEC flag then it will be closed unexpectedly by
exec().
ok tedu florian
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
results in a warning. Use either the original string value or use a cast.
This makes both clang and gcc happy.
OK guenther@
|
|
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
"looks good" gilles@ halex@
|
|
OK millert@ gsoares@
|
|
|
|
ok claudio@
|
|
possible stack overflow due to recursion in ber_free_elements().
ok claudio@
|
|
ok claudio@
|
|
ok claudio@
|
|
This way the size is the same on all archs and 32bit should be good enough.
OK rob@
|
|
api uses read and write buffers (byte streams) that are utilized by calling
applications which may or may not use sockets.
ok claudio@
buffer byte streams that applications then use for
|
|
ok claudio@, jca@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
After the removal of fd-based read/writes I could have trimmed the code
further.
- no socket-based reads so ber_read() doesn't need to loop until it gets
the desired amount of data
- return either the requested amount of data or -1/ECANCELED, the caller
shouldn't have to handle partial reads itself
- inline ber_readbuf() into ber_read()
ok rob@ claudio@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
|
|
|
|
can call ber_readbuf() in all cases. This resolves a problem previously
encountered with SNMPv3 authentication, simplifies the code, and completes a
full synchronization of all ber instances.
Proposed by claudio@. Problematic use case in snmpd tested by sthen@ and me.
ldap(s) appear happy as well.
looks good to claudio@
|
|
Ok benno@
|
