| Age | Commit message (Collapse) | Author |
|---|
|
|
|
This work was sparked by the topic posted on hn by wuch. I am still not
sure that this fixes the defect he claims to have observed because I was
not able to create a proper regress test for it to manifest.
To that end, a proof of concept is more than welcomed!
Thank you for the report!
Discussed with and OK kettenis@, tedu@.
|
|
"equality comparison with extraneous parentheses
[-Wparentheses-equality]" clang warning.
OK deraadt, kettenis
|
|
flag when compiling with gcc3.
ok espie@
|
|
based upon input being used unsafely (they are safe)
ok millert kettenis
|
|
then strays off the path to exec(). one common manifestation of this
problem occurs in pthread_join(), so we can add a little check there.
first person to hit this in real life gets to change the error message.
|
|
never get NUL-terminated and cause read buffer overruns.
This fixes for example segfaults in sftp(1) that could be triggered
by typing in an extremely long string (more than one line - the longer,
the likelier to crash), then hitting backspace once.
Problem reported and patch OK'ed by sthen@.
|
|
tricky, especially since the manpage is full of lies.
Try to make readers think twice before using them.
With oks and help from schwarze@, tedu@, sthen@, jmc@
|
|
tlsext_sni_serverhello_parse(). This also adds a check to ensure that
if we have an existing session, the name matches what we specified via
SNI.
ok doug@
|
|
and the new extension framework.
Feedback from doug@
ok inoguchi@
|
|
Missed in the original commit.
|
|
ok schwarze@
|
|
|
|
|
|
|
|
according to POSIX. Bring regression test and kernel in line for
amd64 and i386. Other architectures have to follow.
OK deraadt@ kettenis@
|
|
Change FMT_SIZE to 1024+1 for consistency. Do not loop over the
format string if there is no output space left.
OK deraadt@ millert@
|
|
no objections deraadt@
|
|
|
|
Do the same in sendsyslog(2) and document the behavior.
reported by Ilja Van Sprundel; OK millert@ deraadt@
|
|
Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.
Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.
Discussed with beck@
ok inoguchi@
|
|
Reported by <dravion at ht-foss dot net>
|
|
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen
|
|
this has no effect except to make ktrace output prettier.
ok bluhm mpi
|
|
okay millert@
|
|
definite value in the size == 0 case
|
|
ok jmc@ visa@
|
|
okay millert@
(forgot the obvious scanner.l tweak in my diff)
|
|
what the reader is using.
|
|
is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
|
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
|
|
|
|
enable CRL checking for the full certificate chain.
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
Discussed with beck@
|
|
prefix if the character following it is a valid hex char. The C99
standard is clear that given the string "0xy" zero should be returned
and endptr set to point to the "x". OK deraadt@ espie@
|
|
|
|
on i386 and allows to compile the C++ test. Upstream dropped the
ULL in an insufficient attempt to make the siphash code C89 compatible.
Their fix will be more complicated.
No binary change.
|
|
exported symbols to the indended API. We do not need a Symbols.map
anymore. Major library bump is necessary as some internal functions
vanish from the ABI.
Discussed upstream with Sebastian Pipping; ports bulk build ajacoutot@;
OK deraadt@
|
|
TLS Server Name extension, however seemingly several clients (including
Python, Ruby and Safari) violate the RFC. Given that this is a fairly
widespread issue, if we receive a TLS Server Name extension that contains
an IP literal, pretend that we did not receive the extension rather than
causing a handshake failure.
Issue raised by jsg@
ok jsg@
|
|
|
|
From Klemens Nanni
|
|
|
|
2. point to getline (suggested by nicm@)
3. cross reference fgetc(3) rather than putc(3)
4. add missing error handling to the example code
OK nicm@
|
|
OK mpi@, deraadt@
|
|
OK espie@
|
|
problem noticed by deraadt@
|
|
|
|
libexpat. Remove obsolete header files, missed in previous commit.
|
|
- CVE-2017-9233 CVE-2016-9063 CVE-2016-5300 CVE-2016-4472 CVE-2016-0718
CVE-2015-2716 CVE-2015-1283 CVE-2012-6702 CVE-2012-0876 have been
addressed. Not all of them affect OpenBSD as we had fixes before.
- Upstream uses arc4random_buf(3) now. Delete all code for other
entropy sources to make sure to compile the correct one. Our
library already used arc4random(3) before.
- The overflow fixes in rev 1.11 and 1.12 of lib/xmlparse.c
have been commited upstream in a different way. Use the upstream
code to make maintenance easier.
- Although it should be ABI compatible, there is a new global
symbol align_limit_to_full_utf8_characters. As it is in
lib/internal.h, add a Symbols.map to restrict the export. Do not
bump the shared library version.
- Use the internal expat's siphash.h.
ports build ajacoutot@; move ahead deraadt@
|
|
event_pending, evtimer_pending, and signal_pending all write to the
timeval because that's how they tell the caller when the event is
meant to fire.
ok deraadt@ millert@ jmc@ schwarze@
|
|
just fall into the code. The .align created a FILL zone in the .init section,
which on i386 was filled with a NOP-sled, something we want to get away
from.
discussed with kettenis and tom
|
