Age | Commit message | Author
2019-01-22 | bump minors after symbol addition | Theo Buehler
2019-01-22 | Document SSL_get1_supported_ciphers(3) and SSL_get_client_ciphers(3). | Theo Buehler
    The text comes from OpenSSL, where it was still published under a free license. from schwarze
2019-01-22 | Add a re-implementation of SSL_get1_supported_ciphers(). | Theo Buehler
    Part of OpenSSL 1.1 API (pre-licence-change). input schwarze ok jsing
2019-01-22 | Provide SSL_get_client_ciphers(). | Theo Buehler
    Part of OpenSSL 1.1 API, pre-licence change. ok jsing
2019-01-22 | Add missing symbols from the EC_KEY_METHOD port. | Theo Buehler
    Reported by bcook and sthen
2019-01-22 | #ifdef video junk as required. | Theo de Raadt
2019-01-22 | add support for xchacha20 and xchacha20-poly1305 | David Gwynne
    xchacha is a chacha stream that allows for an extended nonce, which in turn makes it feasible to use random nonces. ok tb@
2019-01-22 | Point people to ipcomp(4) instead of ipsecctl(8) for | Antoine Jacoutot
    net.inet.ipcomp.enable. ok deraadt@ bluhm@
2019-01-21 | Forgot to add -J to the synopsis. | Theo Buehler
2019-01-21 | Don't return 1 if we rollback and there's no installed patches. | Antoine Jacoutot
2019-01-21 | this driver does actually work | Jonathan Matthew
2019-01-21 | Warn user to reboot the machine when a new kernel is installed and let him know | Antoine Jacoutot
    where to look on the local machine for errata (/var/syspatch) so one can decide if a reboot is needed. ok Theos (tb@ deraadt@)
2019-01-21 | select(2), pselect(2), poll(2), ppoll(2): Support full timeout range. | cheloha
    Remove the arbitrary and undocumented 24hr limits for timeouts from these interfaces. To do so, loop tsleep(9) to chip away at timeouts larger than what tsleep(9) can handle in one call. Use timerisvalid(3)/timespecisvalid() for input validation instead of itimerfix()/timespecfix() to avoid the 100 million second upper bounds those functions introduce. POSIX requires support for timeouts of at least 31 days for select(2) and pselect(2), so these changes make our implementation more compliant. Other improvements here include better variable names for the time stuff and more consolidated timeout logic with less backwards goto jumping, all of which made dopselect() and doppoll() a bear to read. Naming improvements prompted by tedu@ in a prior patch for nanosleep(2). With input from deraadt@. Validation bug spotted by matthew@ in an earlier version. ok visa@
2019-01-21 | lenght -> length | Jonathan Gray
2019-01-21 | lenght -> length | Jonathan Gray
2019-01-21 | Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1) | Theo Buehler
    to match ssh(1)'s interface. ok djm
2019-01-21 | switch sntrup implementation source from supercop to libpqcrypto; | Damien Miller
    the latter is almost identical but doesn't rely on signed underflow to implement an optimised integer sort; from markus@
2019-01-21 | add a -f pformat flag to parse the given time with strptime. | Ted Unangst
2019-01-21 | strftime can print epoch seconds with %s, so allow strptime to parse it. | Ted Unangst
    ok cheloha
2019-01-21 | sometimes we don't call unveil_add, which means memory allocated by namei | Ted Unangst
    doesn't get freed. move the free calls into the same function as namei. fixed bug report from Dariusz Sendkowski ok beck
2019-01-21 | a few tweaks | Ted Unangst
2019-01-21 | Add example showing a proper comparison function, as many examples show | Otto Moerbeek
    the wrong idiom. ok tedu@ but probably needs some tweakin
2019-01-21 | Document 'video' promise. | Landry Breuil
    looks fine to jmc@
2019-01-21 | Add "video" promise. | Landry Breuil
    Allows a subset of ioctls on video(4) devices, subset selected from video(1) and firefox webrtc implementation. ok semarie@ deraadt@
2019-01-21 | Introduce a dedicated entry point data structure for file locks. This new data | anton
    structure allows for better tracking of pending lock operations which is essential in order to prevent a use-after-free once the underlying vnode is gone. Inspired by the lockf implementation in FreeBSD. ok visa@ Reported-by: syzbot+d5540a236382f50f1dac@syzkaller.appspotmail.com
2019-01-21 | Use the actual handshake message type in the certificate request handler. | Joel Sing
2019-01-21 | Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to | Theo Buehler
    a more appropriately licenced file. jsing and doug have rewritten these functions (including the comments) over the past years. ok jsing
2019-01-21 | Provide the initial TLSv1.3 client implementation. | Joel Sing
    Move tls13_connect() to a new tls13_client.c file and provide a legacy wrapper to it, which allocates a struct tls_ctx if necessary. Also move tls13_client_hello_send() to tls13_client.c and actually implement the building of a client hello. ok tb@
2019-01-21 | Wire up the handshake message send and recv actions. | Joel Sing
    This means that we actually receive and send handshake messages to and from the record layer. ok tb@
2019-01-21 | add "-v" flags to ssh-add and ssh-pkcs11-helper to turn up debug | Damien Miller
    verbosity. Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run in debug mode ("ssh-agent -d"), so we get to see errors from the PKCS#11 code. ok markus@
2019-01-21 | adapt to changes in KEX APIs and file removals | Damien Miller
2019-01-21 | In ssl_lib.c rev. 1.197, jsing@ added TLSv1.3 support to SSL_get_version(3). | Ingo Schwarze
    Document it.
2019-01-21 | adapt to changes in KEX API and file removals | Damien Miller
2019-01-21 | adapt to bignum1 API removal and bignum2 API change | Damien Miller
2019-01-21 | fix reversed arguments to kex_load_hostkey(); manifested as errors in | Damien Miller
    cert-hostkey.sh regress failures.
2019-01-21 | Allocate buffer before using it. | Kenneth R Westerback
    Encountered, diagnosed, fix tested and ok jca@
2019-01-21 | While using buffered stdio over a socket, fflush(3) command before | Sunil Nimmagadda
    reading the response. Ok eric@ jung@
2019-01-21 | Adapt to allwinner device tree changes in linux >= 5.0-rc1 | Jonathan Gray
    "allwinner,sun6i-a31-rtc" has been removed from h3/h5/r40/a64 ok kettenis@
2019-01-21 | forgot to cvs add this file in previous series of commits; grrr | Damien Miller
2019-01-21 | Improve logging for TLS certificate validity checking. | Joel Sing
    Actually specify whether the certificate is not yet valid or has expired, and log the actual time values to hopefully save some head scratching. ok deraadt@ tb@
2019-01-21 | Explicitly check timegm() return value. | Joel Sing
    Spotted by tb@ ok deraadt@ tb@
2019-01-21 | nothing shall escape this purge | Damien Miller
2019-01-21 | The main handshake loop can be shared between client and server. | Joel Sing
    Pull the shared code up into a function and call it from tls13_connect() and tls13_accept() instead of duplicating it. "Yes, please!" tb@
2019-01-21 | rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed | Damien Miller
    to kexgen from markus@ ok djm@
2019-01-21 | merge kexkem[cs] into kexgen | Damien Miller
    from markus@ ok djm@
2019-01-21 | pass values used in KEX hash computation as sshbuf rather than | Damien Miller
    pointer+len suggested by me; implemented by markus@ ok me
2019-01-21 | remove kex_derive_keys_bn wrapper; now unused since the DH-like KEX | Damien Miller
    methods have moved to KEM from markus@ ok djm@
2019-01-21 | Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes(). | Theo Buehler
    ok jsing
2019-01-21 | use KEM API for vanilla ECDH | Damien Miller
    from markus@ ok djm@
2019-01-21 | Add ssl_cipher_is_permitted(), an internal helper function that | Theo Buehler
    will be used in a few places shortly, e.g. in ssl_cipher_list_to_bytes(). ok jsing