| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Triggered by jmc@ apparently misunderstanding the intention of the
text and fixing a grammatical error in a way that wasn't ideal,
so i guess he wouldn't have been the only one to find the previous
version hard to understand.
OK jmc@
|
|
ok jsing@ tb@
|
|
related mbufs. Each mbuf(9) passed to these queues stores the pointer to
corresponding pipex(4) session referenced as `m_pkthdr.ph_cookie'. When
session was destroyed its reference can still be in these queues so we
have use after free issue while pipexintr() dereference it.
I removed `pipexinq', `pipexoutq' and pipexintr(). This not only allows
us to avoid issue described above, but also removes unnecessary context
switch in packet processing. Also it makes code simpler.
ok mpi@ yasuoka@
|
|
A client should only send a status_request as part of the CH.
Pointed out by Michael Forney
ok inoguchi jsing
|
|
The current code might cause a client to send a status_request
containing a CertificateStatusRequest with its certificate. This
makes no sense.
Pointed out by Michael Forney
ok inoguchi jsing
|
|
According to RFC 8446, 4.4.2.1, a server may request that a client
present an OCSP response with its certificate by sending an empty
status_request extension as part of the certificate request. The
current code expects a full CertificateStatus structure, which is
only sent if the server sends an OCSP response with its certificate.
This causes interoperability issues with Go's TLS server and with
newer GnuTLS where we would abort the handshake with a decode_error
alert and length mismatch error.
Issue reported and diagnosed by Michael Forney
Problem also found by Mikolaj Kucharski and inoguchi.
ok inoguchi jsing
|
|
changes with LLVM 10.
found by kettenis@
ok deraadt@
|
|
pointed out by tb@, who also provided the diff.
maybe someone should/could add a Symbols.list here?
ok tb@ deraadt@
|
|
the use of the sample keyword matches similar config in other
products.
NUM can be a number between 2 and 1048576, and is used to divide
0x100000000 into a threshold that is then compared against a randomly
generated number produced by a load of BPF_RND.
having sampling as part of the grammar means you can write things
like "icmp or sample 128". this lets you capture all icmp traffic
and a sample of the rest of the traffic.
ok jmatthew@ kn@ tb@
|
|
this adds "rnd" and "random" as keywords in the grammar, and handles
them as an arithmetic operator. the decoder recognises the load,
so tcpdump can print it as 'ld #random'. most of the handling is
copied from the "len"/"length" keywoard handling that generates and
decodes a load of the actual wire length of the packet.
ok jmatthew@ tb@ kn@
|
|
crank due to ABI change.
|
|
Clang 10 warns about the expression sizeof(cdata) / sizeof(uint64_t) as
cdata is an array of uint32_t and it expects that the intent of this is
to compute the number of array elements. Use BCRYPT_WORDS / 2 instead.
Same diff as millert's commit sys/lib/libsa/bcrypt_pbkdf.c -r1.2, which
was ok kettenis. deraadt confirms that this satisfies clang 10.
|
|
The write path can return a failure in the AEAD path and there is no reason
not to check a return value.
Spotted by tb@ during another review.
ok tb@
|
|
- Make the DTLS code much more consistent with the ssl3 code.
- Avoid assigning wr->input and wr->length just so they can be used as
arguments to memcpy().
- Remove the arc4random_buf() call for the explicit IV, since tls1_enc()
already does this for us.
ok tb@
|
|
ssl3_create_record().
ok tb@
|
|
ourselves.
Spotted by tb@ during a previous review.
|
|
This will allow for further changes to be made with less complexity and
easier review.
In particular, decide if we need an empty fragment early on and only do
the alignment calculation once (rather than in two separate parts of the
function.
ok tb@ inoguchi@
|
|
As abieber@ found the hard way, some python frameworks (twisted, synapse)
thought it a great idea to use the info callback mechanism (designed to
get state information about SSL objects) to modify state information such
as setting and verifying the SNI. The switch of TLS_method() to default
to TLSv1.3 broke these contraptions. Further bits of the info callback
mechanism will likely metastasize throughout the TLSv1.3 stack if we
need them, so we only do what's really necessary now.
Lots of debugging, crucial hint and testing by abieber
input & ok jsing
|
|
32-bit values.
ok gkoehler@, drahn@
|
|
Initialize __curbrk = &_end.
It's a 64-bit pointer, so use ld/std instead of lwz/stw.
ok drahn@
|
|
Reminder that unveil does not kill from brynet and gsoares.
Wording tweaks from jmc; feedback from deraadt.
ok jmc@, millert@, solene@, "fine with me" deraadt@
|
|
Both Perl's HTTP::Tiny and IO::Socket::SSL know about SSL_MODE_AUTO_RETRY
and try to work around the fact that OpenSSL enabled it by default.
However, this can lead to the mode being disabled prior to the TLSv1.3
handshake and then enabled after the handshake has completed.
In order to handle this correctly we have to check the mode and inform the
record layer prior to every read.
Issue reported and test case provided by Nathanael Rensen
<nathanael@polymorpheus.com>.
ok inoguchi@ tb@
|
|
that change nothing whatsoever, except making the code harder to read;
OK tb@
|
|
|
|
OK tb@
|
|
use-after-free and double-free issues in calling programs.
The bug was introduced in SSLeay-0.6.0 released on June 21, 1996
and has been present since OpenBSD 2.4.
I found the bug while documenting the function.
The bug could bite in two ways that looked quite different from the
perspective of the calling code:
* If a stack was passed in that already contained some X509_INFO
objects and an error occurred, all the objects passed in would be
freed, but without removing the freed pointers from the stack,
so the calling code would probable continue to access the freed
pointers and eventually free them a second time.
* If the input BIO contained at least two valid PEM objects followed by
at least one PEM object causing an error, at least one freed pointer
would be put onto the stack, even though the function would return NULL
rather than the stack. But the calling code would still have a pointer
to the stack, so it would be likely to access the new bogus pointers
sooner or later.
Fix all this by remembering the size of the input stack on entry
and cutting it back to exactly that size when exiting due to an
error, but no further.
While here, do some related cleanup:
* Garbage collect the automatic variables "error" and "i"
which were only used at one single place each.
* Use NULL rather than 0 for pointers.
I like bugfixes that make the code four lines shorter, reduce the
number of variables by one, reduce the number of brace-blocks by
one, reduce the number if if-statements by one, and reduce the
number of else-clauses by one.
Tweaks and OK tb@.
|
|
matthieu@ reported that asking tcpdump to look at ip or ip6 traffic
on a wg(4) interface caused all packets to be captured. this is
because pcap assumes that if your link type doesn't have a link
header then it is always ip or ip6 (which is weird anyway) and
captures everything.
there was already code to generate a filter for the DLT_LOOP link
header, it was just bypassed cos earlier code said that there wasn't
one.
debugged with and ok kn@
|
|
OK naddy@; no objections from kettenis@
|
|
Found by Jan Stary <hans at stare.cz>, discussed with jmc@
|
|
Tested by cwen@ and myself. Thanks to pirofti@ for creating the
userland timecounter feature.
ok kettenis@ pirofti@ deraadt@ cheloha@
|
|
|
|
|
|
Upstream removed it in 2004. From Jan Stary.
|
|
ok deraadt pirofti
|
|
ok naddy@
|
|
ok inoguchi@ tb@
|
|
This is no longer necessary since the TLS_method() now supports TLSv1.3.
Reverts r1.211 of ssl_lib.c.
ok beck@ inoguchi@ tb@
|
|
be 8 bytes in the 64-bit ABI just like in the 32-bit ABI. But that means
there is no "spare" word in the TCB that we can use to store a pointer
to our struct pthread. So we have to treat powerpc64 special.
Also recognize that the thread pointer points 0x7000 bytes after the TCB.
Since the TCB is 8 bytes this means that TCB_OFFSET should be 0x7008.
Pointed out by guenther@; ok deraadt@
|
|
|
|
|
|
list of "[size]n" includes "n" on it's own, thereby the "int" case is
described correctly.
ok schwarze
|
|
to properly show the (differing) syntaxes of all the conversion
specifications, and reduce the amount of forward references from
the list of modifiers to the list of specifiers.
While here, properly explain %lc and %ls.
Also correct RETURN VALUES, which incorrectly talked about
counting characters while actually bytes are counted.
Using feedback from millert@, deraadt@, tb@, and Martin Vahlensieck.
OK deraadt@, millert@, and tb@ on intermediate versions of this diff
and no objections from jmc@.
|
|
Brings arm64 in line with all the other architectures.
ok millert@
|
|
When we recompute the scaling factor during tc_windup() there is an
opportunity for arithmetic overflow if the active timecounter's
adjfreq(2) adjustment is too large. If we limit the adjustment to
[-500000, +500000] ppm the statement in question cannot overflow.
In particular, we are concerned with the following bit of code:
scale = (u_int64_t)1 << 63;
scale += \
((th->th_adjustment + th->th_counter->tc_freq_adj) / 1024) * 2199;
scale /= th->th_counter->tc_frequency;
th->th_scale = scale * 2;
where scale is an int64_t. Overflow when we do:
scale += (...) / 1024 * 2199;
as th->th_counter->tc_freq_adj is currently unbounded.
th->th_adjustment is limited to [-5000ppm, 5000ppm].
To see that overflow is prevented with the new bounds, consider the
new edge case where th->th_counter->tc_freq_adj is 500000ppm and
th->th_adjustment is 5000ppm. Both are of type int64_t. We have:
int64_t th_adjustment = (5000 * 1000) << 32; /* 21474836480000000 */
int64_t tc_freq_adj = 500000000LL << 32; /* 2147483648000000000 */
scale = (u_int64_t)1 << 63; /* 9223372036854775808 */
scale += (th_adjustment + tc_freq_adj) / 1024 * 2199;
/* scale += 2168958484480000000 / 1024 * 2199; */
/* scale += 4657753620480000000; */
9223372036854775808 + 4657753620480000000 = 13881125657334775808,
which less than 18446744073709551616, so we don't have overflow.
On the opposite end, if th->th_counter->tc_freq_adj is -500000ppm and
th->th_adjustment is -5000ppm we would have -4657753620480000000.
9223372036854775808 - 4657753620480000000 = 4565618416374775808.
Again, no overflow.
500000ppm and -500000ppm are extreme adjustments. otto@ says ntpd(8)
would never arrive at them naturally, so we are not at risk of breaking
a working setup by imposing these restrictions.
Documentation input from kettenis@.
No complaints from otto@.
|
|
ok deraadt@, pirofti@
|
|
* We don't need TC_LAST
* Make internal functions static to avoid namespace pollution in libc.a
* Use a switch statement to harmonize with architectures providing
multiple timecounters
ok deraadt@, pirofti@
|
|
ssl_version is completely unused and get_timeout is the same everywhere.
ok beck@ inoguchi@ tb@
|
|
This can be done now that we have both TLSv1.3 client and server.
ok beck@ inoguchi@ tb@
|
|
1. Clarify that %G uses %F, not %f; noticed by millert@.
2. Mention that %g originally meant "general notation", see:
https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/src/libc/stdio/doprnt.s
Triggered by a somewhat different patch from Ian <ropers at gmail dot com>.
Feedback and OK millert@ and jmc@.
|
