ok bcook@
ok and "move it down two lines" jsing@
at the first non-option argument.
I had to read source code to figure it out.
ok jsing@ tb@
ok tb@
ok jsing@ tb@
the new function SSL_CTX_get_extra_chain_certs_only(3) and changed
the semantics of the existing SSL_CTX_get_extra_chain_certs(3) API
from the former OpenSSL 1.0.1 behaviour to the new, incompatible
OpenSSL 1.0.2 behaviour. Adjust the documentation.
OK jsing@ beck@ inoguchi@
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra
certs, unless there are none, in which case return the chain associated
with the certificate. If you really just want the extra certs, including
knowing if there are no extra certs, then you need to call
SSL_CTX_get_extra_chain_certs_only()! And to make this even more
entertaining, these functions are not documented in any OpenSSL release.
Reported by sephiroth-j on github, since the difference in behaviour
apparently breaks OCSP stapling with nginx.
ok beck@ inoguchi@ tb@
OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).
Issue noted by d3x0r on github.
ok inoguchi@ tb@
wild fits inside 32 elements, like UsmUserEntry objects.
OK rob@, claudio@
SunOS 4.0 based on text from the following papers.
"Two 4.2BSD system calls, madvise and mincore, remain unspecified,
madvise is intended to provide information to the system to influence
its management policies. Since a major rework of such policies was
deferred to a future release, we decided to defer full specification
and implementation of madvise until that time."
R. Gingell, J. Moran, W. Shannon
"Virtual Memory Architecture in SunOS"
Proceedings of USENIX Summer Conference, June 1987
AUUGN Volume 8 Number 5, October 1987
"Memory management related system calls based on the original 4.2BSD
specification that were implemented include mmap, munmap, mprotect,
madvise, and mincore."
J. Moran
"SunOS Virtual Memory Implementation"
Proceedings of the Spring 1988 European UNIX Users Group Conference,
April 1988
AUUGN Volume 9 Number 3, June 1988
and a reference in
"Global Index", Part Number: 800-1758-10, Revision A, of 9 May 1988
bitsavers pdf/sun/sunos/4.0/800-1758-10A_Global_Index_198805.pdf
discussed with an ok schwarze@
okay millert@, tb@
non-optional arguments to stop getopt(3) processing.
ok deraadt@
mmap(), munmap(), madvise() and mprotect() are described as planned for
later releases.
A fully functional mmap(2) supporting shared libraries first appeared in
SunOS 4.0 along with msync(2). SunOS 4.1 added madvise(3) and replaced
msync(2) with mctl(2), which was used to implement msync(3), mlock(3)
and munlock(3).
While some of these functions appear as empty or ifdef'd functions in
4.1cBSD and later it was not until the Mach VM was integrated with Net/2
that most of them were implemented. Though the CSRG releases never
supported shared libraries or madvise(). mlock()/munlock() were not in
Net/2 as they were added by hibler in 1993, but were in 4.4BSD.
madvise(2) was implemented for UVM in NetBSD 1.5 and ported to
OpenBSD 2.7.
For now, instead of trying to accurately describe when interfaces
first appeared in other systems, correct when they were first available
in CSRG or OpenBSD releases, retaining the text in mmap(2) discussing
SunOS 4.0.
madvise(2) 4.4BSD -> OpenBSD 2.7
mmap(2) 4.4BSD -> 4.3BSD Net/2
mprotect(2) 4.4BSD -> 4.3BSD Net/2
msync(2) 4.4BSD -> 4.3BSD Net/2
munmap(2) 4.1cBSD -> 4.3BSD Net/2
From j@bitminer.ca with input from Andras Farkas, deraadt, joerg@netbsd
"fix however you feel best!" jmc
compiled with pie or profiling enabled. This was missed when the
independent depend target was removed. Align this target with the
inference rules in bsd.lib.mk. This now creates mcount.d as it should
and fixes 'make clean' which previously left mcount.po.d behind.
ok guenther
While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access. Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.
It also makes it possible to support FIDO/U2F in Firefox without further
weakening the "sandbox" of the browser. Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process. This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems. With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.
With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead. The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows libfido2 to be used under pledge.
With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits
arguments were changed from int to size_t with the import of OpenSSL 0.9.8h
in 2008.
behavior.
noticed by hshoexer@; OK beck@
ps_xsig" (sysctl.h r1.198 and friends) FILL_KPROC requires W_EXITCODE from there.
cc -static -pie -o ps keyword.o nlist.o print.o ps.o utf8.o -lkvm
ld: error: undefined symbol: W_EXITCODE
>>> referenced by kvm_proc2.c:293 (/usr/src/lib/libkvm/kvm_proc2.c:293)
[...]
OK jca@
A fully functional mmap() system call first appeared in SunOS 4.0 and
has been available since 4.4BSD.
wording from and ok schwarze@ input from deraadt@
OpenBSD has timespec_get(3) and struct timespec/aligned_alloc(3).
ok kettenis@ jca@
where such a packet is bound to. This check is enforced if and only if
IP forwarding is disabled.
Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@
OK bluhm@, claudio@, tobhe@
Potential for misunderstanding noticed by Chris Rawnsley <chris at
puny dot agency>, wording proposed by deraadt@, patch sent by Chris
Rawnsley, OK deraadt@.
- minor tweaks while here
OK florian jmc
verification param flags of a context. While this function is marked as
likely to be deprecated in OpenSSL it seems that this may not happen.
This is why we decided to still document it.
OK and input from ingo@ tb@
Repair from Martin @ academicsolutions.ch
validation. Repair work mostly by markus and millert, first of all
solving the primary problem, then adding some additional validation
points. And then further validation in login and su.
This will be 6.5/021_libcauth.patch.sig and 6.6/010_libcauth.patch.sig
Reported by Qualys
From Michael Forney, thanks!
ok guenther@ and deraadt
ok millert@ deraadt@
for unaligned accesses, requested by miod@
ok deraadt@
and drop NetBSD RCS tag apparently left over from copy & paste
where libc.so's text segment is, thereby allowing invocation of system
calls from that region. An upcoming change will kill the process if a
system call is invoked from addresses not explicitly permitted.
ok guenther kettenis mortimer
> commit 437896dcafc67d9596774c3bb9f97bfdb4810bb1
> Author: pedro martelletto <pedro@yubico.com>
> Date: Wed Nov 20 09:38:22 2019 +0100
>
> man: mop up dangling .Xr's; Jason McIntyre <jmc@openbsd.org>
tested against openssl 1.1's server.
ok jsing@ tb@
like mem{set,cpy,move} or __stack_smash_handler using asm() renaming. So
treat gcc3 like clang and mark such functions as protected instead.
ok ayoma@