Age | Commit message | Author

ok guenther tb millert

other composite clocks. With this we can get the frequency for the OCOTP.

Fixes build on powerpc

ok deraadt@ kettenis@

may modify the string buffer. From Joerg Sonnenberger for DragonFly BSD.
ok millert@

may modify the string buffer. ok millert@

The breakage was caused by the removal of #include <sys/systm.h>
from <uvm/uvm_map.h>.
OK deraadt@, mpi@, beck@

suggested by tb@

deprecated methods to a separate table. Simplify and shorten the
surrounding verbiage.
Joint work with tb@.

Improves readability and reduces the difference with NetBSD without
compromising debuggability on RAMDISK.
While here also use local variables to help with future locking and
reference counting.
ok semarie@

sshconnect.c r1.241 from 2013 made it unused; found while reading code.
OK djm

From Brad.

From Brad.
Tweak by myself.

Stop UpdateHostkeys from automatically removing deprecated keys from
known_hosts files if the same keys exist under a different name or
address to the host that is being connected to.
This avoids UpdateHostkeys from making known_hosts inconsistent in
some cases. For example, multiple host aliases sharing address-based
known_hosts on different lines, or hosts that resolve to multiple
addresses.
ok markus@

When preparing to update the known_hosts file, fully check both
entries for both the host and the address (if CheckHostIP enabled)
and ensure that, at the end of the operation, entries for both are
recorded.
Make sure this works with HashKnownHosts too, which requires maintaining
a list of entry-types seen across the whole file for each key.
ok markus@

Disable UpdateHostkeys if the known_hosts line has more than two
entries in the pattern-list. ssh(1) only writes "host" or "host,ip"
lines so anything else was added by a different tool or by a human.
ok markus@

Fixes instances where a mount point uses the nodev and nosuid options
but another file system mounted inside that hierarchy does not.
OK schwarze@

and *_client_method(3). Adjust the documentation.
While here, delete most of the verbiage regarding the deprecated
functions SSLv23_*(3) and add the missing entry to RETURN VALUES.
OK tb@

ok deraadt@

with #defines for the per-version initializers instead of extern
globals. Add SSL_USE_SHA256_PRF() to complete the abstraction.
ok tb@ jsing@

The URI are sorted, which results in preference of https URI.
To make rpki-client's handling easier, enforce that all URI use the same
filename.
OK benno@

path to that resource. This will be needed for future RRDP support.
Additionally support more than one TAL URI and select the rsync URI
in that list. Finally queue_add_from_cert() got modified to include
both the rsync URI and the RRDP notify URI (which is still unused).
OK benno@

The struct keeps track of the end point of an event queue scan by
persisting the end marker. This will be needed when kqueue_scan() is
called repeatedly to complete a scan in a piecewise fashion.
Extracted from a previous diff from visa@.
ok visa@, anton@

Pointed by and ok jsg@

SLAB_HWCACHE_ALIGN flag.
tested by semarie@

This condition previously existed for DTLS BAD_VER, which has long been
removed. Furthermore, conditioning on DTLS1_VERSION means this is broken
for any newer DTLS version. While here roll up two assertions into one.
ok tb@

There is a soft fail mechanism to handle missing certs for seamless
interaction with acme-client. Move this to the config parser. This is
simpler than server.c r1.117 and avoids a crash due to listening on
port 443 without having set up the TLS context first. More precisely,
the crash happens if a server with a missing certificate is visited via
https in a configuration where there is a second server with a valid
certificate and key.
From Joshua Sing (joshua at hypera dot dev)
ok benno

When transitioning from the TLSv1.3 stack to the legacy stack, grow
init_buf before stashing the handshake message. The TLSv1.3 stack has
already received the handshake message (potentially from multiple TLS
records) and validated its size, however the default allocation is only
for a single plaintext record, which can result in the handshake message
failing to fit in certain cases.
Issue noted by tb@ via tlsfuzzer.
ok tb@

There is no reason (and there never was any) for profile_name to be
non-const, it was always just passed to strncmp(). Changing this
allows removing an ugly instance of casting away const.
ok guenther jsing

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.
Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.
ok tb@

ok tb@ jsing@

.data.rel.ro and .rodata respectively.
ok tb@ jsing@

ok patrick@, deraadt@

kcov device. Prevents a use-after-free, note I've never seen this one in
practice.

OK jmc@ nicm@, agreement from schwarze@