| Age | Commit message (Collapse) | Author |
|---|
|
Missed in the original commit.
|
|
ok schwarze@
|
|
|
|
|
|
|
|
according to POSIX. Bring regression test and kernel in line for
amd64 and i386. Other architectures have to follow.
OK deraadt@ kettenis@
|
|
Change FMT_SIZE to 1024+1 for consistency. Do not loop over the
format string if there is no output space left.
OK deraadt@ millert@
|
|
no objections deraadt@
|
|
|
|
Do the same in sendsyslog(2) and document the behavior.
reported by Ilja Van Sprundel; OK millert@ deraadt@
|
|
Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.
Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.
Discussed with beck@
ok inoguchi@
|
|
Reported by <dravion at ht-foss dot net>
|
|
longer tracks prefixes or default routers from router advertisements.
Pointed out by jmc.
ports tree grepping sthen, who only found nsh
OK mpi, sthen
|
|
this has no effect except to make ktrace output prettier.
ok bluhm mpi
|
|
okay millert@
|
|
definite value in the size == 0 case
|
|
ok jmc@ visa@
|
|
okay millert@
(forgot the obvious scanner.l tweak in my diff)
|
|
what the reader is using.
|
|
is not initialized. Problem spotted by Carlin Bingham; ok phessler@ tedu@
|
|
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
|
|
|
|
enable CRL checking for the full certificate chain.
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
Discussed with beck@
|
|
prefix if the character following it is a valid hex char. The C99
standard is clear that given the string "0xy" zero should be returned
and endptr set to point to the "x". OK deraadt@ espie@
|
|
|
|
on i386 and allows to compile the C++ test. Upstream dropped the
ULL in an insufficient attempt to make the siphash code C89 compatible.
Their fix will be more complicated.
No binary change.
|
|
exported symbols to the indended API. We do not need a Symbols.map
anymore. Major library bump is necessary as some internal functions
vanish from the ABI.
Discussed upstream with Sebastian Pipping; ports bulk build ajacoutot@;
OK deraadt@
|
|
TLS Server Name extension, however seemingly several clients (including
Python, Ruby and Safari) violate the RFC. Given that this is a fairly
widespread issue, if we receive a TLS Server Name extension that contains
an IP literal, pretend that we did not receive the extension rather than
causing a handshake failure.
Issue raised by jsg@
ok jsg@
|
|
|
|
From Klemens Nanni
|
|
|
|
2. point to getline (suggested by nicm@)
3. cross reference fgetc(3) rather than putc(3)
4. add missing error handling to the example code
OK nicm@
|
|
OK mpi@, deraadt@
|
|
OK espie@
|
|
problem noticed by deraadt@
|
|
|
|
libexpat. Remove obsolete header files, missed in previous commit.
|
|
- CVE-2017-9233 CVE-2016-9063 CVE-2016-5300 CVE-2016-4472 CVE-2016-0718
CVE-2015-2716 CVE-2015-1283 CVE-2012-6702 CVE-2012-0876 have been
addressed. Not all of them affect OpenBSD as we had fixes before.
- Upstream uses arc4random_buf(3) now. Delete all code for other
entropy sources to make sure to compile the correct one. Our
library already used arc4random(3) before.
- The overflow fixes in rev 1.11 and 1.12 of lib/xmlparse.c
have been commited upstream in a different way. Use the upstream
code to make maintenance easier.
- Although it should be ABI compatible, there is a new global
symbol align_limit_to_full_utf8_characters. As it is in
lib/internal.h, add a Symbols.map to restrict the export. Do not
bump the shared library version.
- Use the internal expat's siphash.h.
ports build ajacoutot@; move ahead deraadt@
|
|
event_pending, evtimer_pending, and signal_pending all write to the
timeval because that's how they tell the caller when the event is
meant to fire.
ok deraadt@ millert@ jmc@ schwarze@
|
|
just fall into the code. The .align created a FILL zone in the .init section,
which on i386 was filled with a NOP-sled, something we want to get away
from.
discussed with kettenis and tom
|
|
we can prevent libcrypto from going behind our back and trying to read
passwords from standard input (which we may not be permitted to do).
Found by jsg@ with httpd and password protected keys.
|
|
|
|
|
|
|
|
duplicating clean up code.
|
|
The certificate verification code has special cases for self-signed
certificates and without this change, self-issued certificates (which it
seems are common place with openvpn/easyrsa) were also being included in
this category.
Based on BoringSSL.
Thanks to Dale Ghent <daleg at elemental dot org> for assisting in
identifying the issue and testing this fix.
ok inoguchi@
|
|
src/lib/libc/gen/tree.c is a copy of src/sys/kern/subr_tree.c, but with
annotations for symbol visibility. changes to one should be reflected
in the other.
the malloc debug code that uses RB code is ported to RBT.
because libc provides the RBT code, procmap doesn't have to reach into
the kernel and build subr_tree.c itself now.
mild enthusiasm from many
ok guenther@
|
|
programs will build even without a make depend first.
okay tb@ millert@
|
|
|
|
|
