| Age | Commit message (Collapse) | Author |
|---|
|
Large buffer sizes on 64-bit platforms cause the sum to wrap, leading
read(2) to fail later.
We check prior to this point that all buffer sizes are <= SSIZE_MAX.
SSIZE_MAX * 2 < SIZE_MAX on all platforms, so the addition here will
not overflow and cause a similar issue.
Discovered by tobias@ a while back.
ok deraadt millert tobias
|
|
is already sufficient. John Gardner tells me that "CSS selectors
should only contain what's necessary to target their subjects".
|
|
recommended by John Gardner <gardnerjohng at gmail dot com>
|
|
syn_cache_get() is not neccessary. Also make the abort label
consistent to resetandabort and free the mbuf there.
OK mpi@
|
|
|
|
|
|
configure. These are pins that should be configured to a sane
state and are not necessarily referenced by another node.
ok kettenis@
|
|
the C API in section 3.
OK millert jmc nicm, "the right idea" deraadt
|
|
tls_peer_ocsp_result_msg() in the documentation.
input & ok jsing
Reads fine to jmc and makes sense to schwarze
|
|
ec_GF2m_montgomery_point_multiply(). The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.
ok inoguchi, jsing
|
|
Since bignums use ints for the same purpose, this still uses an int
internally after an overflow check.
Suggested by and discussed with jsing.
ok inoguchi, jsing
|
|
changes made in OpenSSL by Davide Galassi and others, so that one can
actually follow what is going on. There is no performance impact from
this change as the code still does essentially the same thing. There's
a ton of work still to be done to make the BN code less terrible.
ok jsing, kn
|
|
and its associated appendix at https://support.google.com/faqs/answer/7625886
This should address at least some cases of "SpectreRSB" and earlier
Spectre variants; more commits to follow.
The refilling is done in the enter-kernel-from-userspace and
return-to-userspace-from-kernel paths, making sure to do it before
unblocking interrupts so that a successive interrupt can't get the
CPU to C code without doing this refill. Per the link above, it
also does it immediately after mwait, apparently in case the low-power
CPU states of idle-via-mwait flush the RSB.
ok mlarkin@ deraadt@
|
|
Based on an OpenSSL commit by David Benjamin.
Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.
ok jsing
commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin <davidben@google.com>
Date: Sat Aug 20 13:35:17 2016 -0400
Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.
OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.
In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.
See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
|
|
leaves old ones behind. The IPv6 RFCs don't seem to offer guidance on
what to do in this case. (RFC 5220 discusses related issues, but not
exactly this.)
It seems a bit harsh to just delete old addresses - a naive
implementation can easily lead to flip-flopping between two prefixes.
Instead set the preferred lifetime to 0 for all addresses on an
interface when the link goes down, thus marking addresses as
deprecated but still usable. When the link comes back send a router
solicitation. If we are still on the old network and receive a router
advertisement the preferred lifetime will increase and the addresses
will no longer be deprecated.
If we moved to a new network we will get new router advertisements and
form new addresses. The old ones will stay deprecated and the address
selection algorithm will prefer new addresses.
Problem reported by many.
testing & OK phessler
|
|
|
|
OK tb, claudio
|
|
|
|
|
|
|
|
OK deraadt, phessler
|
|
Unhook rtadvd from build.
OK deraadt, phessler
|
|
Remove rtadvd(8) from rc(8).
OK deraadt, phessler
|
|
OK deraadt, phessler, jmc
|
|
We get notified when duplication is detected on the route socket. For
privacy addresses simply generate a new random address. If we have
soii enabled increase the dad counter on the prefix and generate a new
address. For eui64 addresses nothing can be done.
|
|
the way the man page says.
ok tb@
|
|
OK ratchov@ jmc@ (who are both busy)
|
|
from lauri tirkkonen;
ok sthen beck
|
|
This is good enough as a start but I guess output could be nicer.
OK benno@
|
|
them whereever possible. In some places (path_update, softreconfig_out
handler) the nexthop state is temporarily folded back into the rde_aspath.
Tested and OK benno@
|
|
functions in util.c. The idea is to make even debug messages as informative
as possible.
Before:
if_change: ifindex 1, ifi_rdomain 0
After:
if_change: em0: rdomain 0 UP, Ethernet, active, 1000 Mbps
OK benno@
|
|
as well. OK benno@
|
|
the start of the range of pages that we're changing. Prevents a panic from
a somewhat convoluted test case that anton@ came up with.
ok guenther@, anton@
|
|
is no longer enabled by default. Pointed out by Daniel A. Maierhofer,
ok jmc
|
|
Due to the missing "void", this
extern void pf_purge_expired_src_nodes();
is no prototype but a declaration. It is enough to suppress the
'implicit declaration' warning but it does not allow the compiler to
check the arguments passed to the calls of the function.
Fix the prototypes and don't pass the waslocked argument anymore. It has
been removed a year ago.
ok sashan henning
|
|
reality.
|
|
next option. Don't rely on truncated NULs being ignored because
NUL == DHO_PAD.
ok tb@
|
|
|
|
|
|
to a cloned device.
ok kettenis@
|
|
beyond the end. There was no access to it but still bad style.
OK tb@
|
|
extra byte is always there. Even if the byte contains
innocuous data that isn't used. Eeven if a particular
level of optimization of a particular compiler avoids
it by processing things backwards. Bad.
So simplify and correct logic. Perhaps even proof the
code against future generations of clever compilers.
Pointed out by Brandon Falk. Thanks!
ok millert@ tb@
|
|
|
|
|
|
does.
ok deraadt@ kettenis@
|
|
they are like that by default.
OK florian@
|
|
unconditionally and codepatching it out on CPUs that don't need/do
the mitigation.
Align the from-{kernel,userspace} targets in INTRENTRY with _ALIGN_TRAPS
Align x2apic_eoi using KUENTRY() instead of the artisinal
segment+label+.globl bits it uses currently
s/testq/testb/ for SEL_RPL checks
ok kettenis@ mlarkin@
|
|
directories exist. Create the path and file for test
vmd-fail-disk-path-too-long.
|
|
which can be resolved to either of the two values.
OK bluhm@
|
|
a bad/corrupt binary not returning ENOEXEC but some other error.
ok guenther kettenis bluhm
|
