Age | Commit message | Author
2015-09-11 | Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix. ok beck@ | Joel Sing
2015-09-11 | fix unchecked mallocs - coverity 130454 and 130455. ok jsing@ | Bob Beck
2015-09-11 | Merge the remnants of s3_enc.c into t1_enc.c. ok beck@ | Joel Sing
2015-09-11 | Hoist all the GPT header checks into gpt_chk_header(). Tweak remaining logic a bit so that an invalid primary header/partition entries table does not cause readgptlabel() to exit before the secondary header is tried. | Kenneth R Westerback
2015-09-11 | Build actual boot code with -D_STANDALONE so that we do not include userland headers by mistake. | Miod Vallat
2015-09-11 | Nuke ssl_set_peer_cert_type(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl_bad_method(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_default_timeout(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl_replace_hash(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_cbc_remove_padding(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_alert_code(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_cert_verify_mac() and ssl3_handshake_mac(). We also no longer need the ssl3_pad_1 and ssl3_pad_2 arrays... ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_final_finish_mac(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_change_cipher_state(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_generate_master_secret(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_setup_key_block() and ssl3_generate_key_block(). ok "flensing knife" | Joel Sing
2015-09-11 | Introduce rtref(9) use it in rtable_lookup() before returning a route entry. ok bluhm@, claudio@ | Martin Pieuchot
2015-09-11 | Nuke n_ssl3_mac(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke ssl3_enc(). ok "flensing knife" | Joel Sing
2015-09-11 | Nuke SSLv3_enc_data. ok "flensing knife" | Joel Sing
2015-09-11 | Shuffle the code in ssl3_send_finished() to make it more logical/readable. ok beck@ | Joel Sing
2015-09-11 | Replace dtls1_send_finished() with ssl3_send_finished() - they're now both essentially the same (in fact DTLS benefits from improvements previously made to the ssl3_send_finished() function). ok beck@ | Joel Sing
2015-09-11 | style(9), fix comments, wrap long lines and tweak whitespace. | Joel Sing
2015-09-11 | sync | Theo de Raadt
2015-09-11 | In `ifconfig media` output, stop advertising media with fixed data rates on wireless interfaces. They are not needed by mere mortals. ok phessler miod kettenis deraadt mpi | Stefan Sperling
2015-09-11 | Convert dtls1_send_finished() and ssl3_send_finished() to ssl3_handshake_msg_start()/ssl3_handshake_msg_finish(). ok beck@ | Joel Sing
2015-09-11 | After fixing poll(2) semantics in dynamic TCP buffer size update, making netcat non-blocking and fixing ip6_forward() ICMP6 checksum, this test can be made more aggressive. Delete the path MTU route before sending TCP streams through the pf firewall. This checks that PMTU discovery works with outgoing interface MTU and router MTU. Test IPv4 and IPv6 protocols ICMP echo, UDP, TCP with pf nat-to, rdr-to, af-to, route-to, reply-to. Some af-to cases seem to be broken. | Alexander Bluhm
2015-09-11 | Add PROTO_WRAP() for (almost) all the syscalls that libpthread doesn't override so that internal calls go direct. ok deraadt@ | Philip Guenther
2015-09-11 | Apply the link state change hook to RTF_LOCAL routes. Checking for rt_ifp is currently not enough because RTF_LOCAL routes still use a hack introduced in 1991 and have lo0ifp as rt_ifp pointer. So also check for rt_ifa->ifa_ifp in this case. ok claudio@ | Martin Pieuchot
2015-09-11 | Convert _TM_ flags to TAME_ flags, collapsing the entire mapping layer because the strings select the right options. Mechanical conversion. ok guenther | Theo de Raadt
2015-09-11 | rtfree(9) accepts NULL now. | Martin Pieuchot
2015-09-11 | typo | Theo de Raadt
2015-09-11 | When pf modifies a TCP packet, it sets the M_TCP_CSUM_OUT flag in the mbuf packet header. If the packet is later dropped in ip6_forward(), the TCP mbuf is copied and passed to icmp6_error(). IPv6 uses m_copym() and M_PREPEND() which preserve the packet header. The inherited M_TCP_CSUM_OUT flag generates ICMP6 packets with an incorrect checksum. So reset the csum_flags when packets are generated by icmp6_reflect() or icmp6_redirect_output(). IPv4 does m_copydata() into a fresh mbuf. There m_inithdr() clears the packet header, so the problem does not occur. But setting the csum_flags explicitly also makes sense for icmp_send(). Do not or M_ICMP_CSUM_OUT to a value that is 0 because of some function calls before. OK mpi@ lteo@ | Alexander Bluhm
2015-09-11 | Move all prototypes of gpt helper functions to top of file. Rename get_fstype() to gpt_get_fstype() as it moves. | Kenneth R Westerback
2015-09-11 | Bring back the expansion-into-.byte-sequences routines removed in r1.9, but only define them if not building for the "openbsd" flavour. This way, non-obfuscated output can still be generated for analysis, by using the "openbsd" flavour (which OpenBSD HEAD will do), and obfuscated output, compatible with older as(1), will be generated for other platforms. The portable version of LibreSSL can then use "openbsd-portable" as the flavour for OpenBSD/amd64 so that generated files can be compiled with OpenBSD 5.7 and other older versions stuck with as(1) 2.15. | Miod Vallat
2015-09-11 | When ARIN prepared for the IPv4-pocolypse, they put aside a /10 for **smaller than /24 allocations**. Our default ruleset will not allow those, even though they will be for various pieces of critical dual-stack infrastructure to help IPv6-only systems survive. This adds a default rule to allow those blocks. With it, I see the RIPE announced test blocks on our AMS-IX peers. ARIN announced this block and policy at, enjoy https://www.arin.net/announcements/2014/20140130.html OK benno@, claudio@, sthen@, florian@ | Peter Hessler
2015-09-11 | Shuffle some variables around, add a couple, and eliminate hordes of repeated lehto32() and lehtoh64() in readgptlabel() to make code more readable. | Kenneth R Westerback
2015-09-11 | Put the *method* data structures and functions in the same place. We can also now nuke ssl23_get_method() since it is the same as tls1_get_method(). And the empty file can bite the dust. ok bcook@ miod@ | Joel Sing
2015-09-11 | Pass "openbsd" instead of "openbsd-elf" as the "flavour" to the perl assembler machinery. OpenBSD has never been not ELF on amd64, and changing this will actually make -portable life slightly easier in the near future. | Miod Vallat
2015-09-11 | Put the *server_method* data structures and functions in the same place. We can also now nuke ssl23_get_server_method() since it is the same as tls1_get_server_method(). ok miod@ | Joel Sing
2015-09-11 | "Shutdown" should be "Shut down" in the usage for s_time's -no_shutdown flag. Pointed out by jmc@'s commit to the openssl(1) man page. | Lawrence Teo
2015-09-11 | Merge delete-buffer into cmd-set-buffer.c and change the paste buffer API so it has one paste_free() rather than free_top and free_name (everywhere that uses it already has the right pointer). | Nicholas Marriott
2015-09-11 | Put the *client_method* data structures and functions in the same place. We can also now nuke ssl23_get_client_method() since it is the same as tls1_get_client_method(). ok bcook@ miod@ | Joel Sing
2015-09-11 | Increment the reference count of CLONING routes before flushing all their children to make sure they are still alive after rtfree(9)ing rt->rt_parent. Fix a use-after-fruit reported by stsp@ ok claudio@ | Martin Pieuchot
2015-09-11 | Remove engine command and parameters from openssl(1). We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@ | Brent Cook
2015-09-11 | Save/restore MSR_APICBASE during suspend/resume. This register contains the x2apic enable bit. Restoring it re-enables x2apic on the application processors at resume. On the boot processor, the normal initialization code path is used. Tested by many. OK mlarkin@ "Go for it" deraadt@ | Stefan Fritsch
2015-09-11 | more for NAME; | Jason McIntyre
2015-09-11 | more cleanup; | Jason McIntyre
2015-09-11 | update NAME; various cleanup | Jason McIntyre
2015-09-11 | Move initialization of count of spoofed GPT partitions closer to use. | Kenneth R Westerback