| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
reported by Jeunder Yu
|
|
report from Jeunder Yu
|
|
ok jsing@, deraadt@, beck@
|
|
The recently-added EVP_aead_chacha20_poly1305_ietf() function, which implements
informational RFC 7539, "ChaCha20 and Poly1305 for IETF Protocols", needs a
64-bit counter to avoid truncation on 32-bit platforms.
The existing TLS ChaCha20-Poly1305 ciphersuite is not impacted by this, but
making this change requires an ABI bump.
ok jsing@, "Looks sane" beck@
|
|
From Craig Rodrigues.
ok tedu@
|
|
1. Optionally add random "canaries" to the end of an allocation. This
requires increasing the internal size of the allocation slightly, which
probably results in a large effective increase with current power of two
sizing. Therefore, this option is only enabled via 'C'.
2. When writing junk (0xdf) to freed chunks (current default behavior),
check that the junk is still intact when finally freeing the delayed chunk
to catch some potential use after free. This should be pretty cheap so
there's no option to control it separately.
ok deraadt tb
|
|
instead of trying to allocate "just enough" memory based on the size of the
file (which is mostly comments, in fact), allocate memory on demand.
i.e., save memory by wasting it. also be a little stricter about parsing.
after discussion with tobias. (with a bug fix from patrick keshishian)
descended from bug glibc bug 18660 via tobias.
|
|
In some cases sites signed by this are covered by the old "AddTrust External
CA Root" that we already had, but that depends on the site sending a fairly
large chain of intermediate certificates which most aren't doing (because
there's no need because this newer one is in browser stores..).
|
|
This enables ENGINE_get_digest to work again with SHA1.
noted by NARUSE, Yui, @nurse from github
|
|
just the dynamic tags are needed instead of reusing the generic elf_object_t
structure.
testing and feedback from miod@
ok kettenis@
|
|
with input by and ok schwarze@
|
|
caller and let him do another poll loop. This fixes spinning relayd
processes seen on busy TLS relays. OK benno@ henning@
|
|
ok djm@ jsing@
|
|
ok krw@
|
|
native language support was deleted a month ago at u2k15.
OK semarie@ deraadt@
|
|
files in /usr/share/terminfo/*. This removes a large difference from
upstream ncurses and other systems.
ok millert
|
|
|
|
OK deraadt@
|
|
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck
|
|
discussed with jsg
|
|
|
|
|
|
straight replace: thanks both to schwarze and maja for feedback
on how to rewrite parts;
i've snuck in an rcs id->openbsd id change in dev_mkdb too;
|
|
|
|
relayd and other programs manipulating the packet filter.
ok deraadt@
|
|
|
|
OK deraadt@ beck@
|
|
For years, it talked to stderr. That was wrong. Then it was converted
to opening /dev/tty, which is also wrong (pledge says so). Upon
reconsideration people in these more modern times have adapted to all
sorts of services not being available, so axe the alert and retry
silently.
ok beck
|
|
|
|
|
|
ok tedu@
|
|
ok millert@ kettenis@
|
|
|
|
string using simpler strings functions and use sendsyslog2() directly.
Also, use the LOG_CONS flag so that single-user reports are more clear.
Use a buffer size of 1024 (from bluhm)
discussed with guenther and matthew
ok millert
|
|
LOG_CONS to the kernel. As a result, the /dev/console opening code can
be removed.
ok kettenis millert beck
|
|
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@
|
|
Issue noticed by jmc@, OK jmc@.
|
|
|
|
|
|
ok millert@
|
|
ok jmc@
|
|
wart is incompatible with pledge, because suddenly a "dns" operation
needs "getpw" access to ypbind/ypserv, etc. file + dns access is
enough for everyone, sorry if you were using that old SunOS 4.x style
mechanism, but it is now gone.
ok semarie millert florian
|
|
|
|
|
|
it to the *_open() functions. It's more flexible this way. No behaviour
change.
|
|
Do *not* install the CMS_* manuals for now given that the code is
currently disabled. Cluestick applied by jsing@.
|
|
|
