Age | Commit message | Author |
|
thanks sobrado for verifying (and okaying this)
|
|
repeated use of tls_connect. ok jsing
|
|
The actual control flow is intentional while the indenting is incorrect.
This is intended to be a cosmetic change.
Verified that each of these was part of a KNF commit that wasn't intending
to change behavior. Also, double checked against the history of changes in
OpenSSL and BoringSSL.
Addresses Coverity CIDs: 78842, 78859, 78863.
ok tedu@
|
|
From OpenSSL commit 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.
ok guenther@, logan@
|
|
ok todd@
|
|
guenther@ and found out the hard way by landry@
ok guenther@
|
|
These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences
Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt
joint work with beck, doug, guenther, jsing, miod
|
|
lower VM_MIN_KERNEL_ADDRESS, since these systems are not crippled by the
Sun-4 MMU hole and have the real 4GB of address space.
Kernels running on Sun-4 MMU are not affected and will still be restricted
to the existing 128MB of kernel space, with 1GB - 128MB of user space.
Kernels running on SRMMU will now provide the low 3GB of address space to
userland, and use the top 1GB for the kernel, except when compiled with
option SMALL_KERNEL, in which case they will keep the Sun-4 style layout
(this is temporary to allow for people to boot bsd.rd to upgrade even when
not running 2.10 boot blocks, and will be removed eventually)
A consequence of this is that the top of the userland stack is no longer at
0xf0000000. But since nothing in userland uses USRSTACK anymore, this should
not be an issue.
Tested on sun4c and various sun4m, with physical memory sizes ranging from 32
to 448MB.
|
|
increased memory use is minimal.
ok deraadt logan
|
|
routines on hppa, the cause for sha512-parisc subtly misbehaving has been
found: despite having fallback pa1.1 code when running on a 32-bit cpu, the
shift constants used in the sigma computations in sha512 are >= 32 and are
silently truncated to 5 bits by the assembler, so there is no chance of
getting this code to work on a non-pa2.0 processor.
However, the pa1.1 fallback code for sha256 is safe, as it never attempts to
shift by more than 31, so reenable it again.
|
|
http://sqlite.org/changes.html#version_3_8_7_4
ok landry@
|
|
A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls
X509_PUBKEY_set() with pktmp.
OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public
details yet to confirm. Either way, we should fix this.
Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9
and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728.
"looks sane" beck@
ok miod@, bcook@
|
|
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@
|
|
max time zone length used by libc/time. Just use PATH_MAX for now
(since zone files are path names). This function is slated to be
removed at the next libc major bump.
|
|
Be clear that "standard" byte order means big endian.
Update struct ttinfo.
|
|
for overflow. stop talking about old broken systems, there's little use
for such info.
|
|
"and" and "or" to join sentence clauses, and you can use commas, but both hinder
reading;
|
|
variable itself has bearing on _SETPERF;
many thanks to theo buehler who both supplied a diff and corrected various
issues with my diff;
|
|
From Ryan May.
|
|
spotted by miod. ok miod.
|
|
by a similar BoringSSL change, but raising the limit to 1024 bits.
ok jsing@ markus@ guenther@ deraadt@
|
|
regress tests but causes tls ciphersuite using sha386 to fail; found the
hard way by henning@.
I can't see anything wrong in the generated assembly code yet, but building
a libcrypto with no assembler code but sha512_block_data_order() is enough
to trigger Henning's issue, so the bug lies there.
No ABI change; ok deraadt@
|
|
time. Prodded by guenther@. Sorry.
|
|
ok millert@
|
|
data.
|
|
condition.
|
|
suggested and ok reyk@
|
|
Bump MAXADDRS/ALIASES to the original of 35, and silently ignore extras
instead of failing.
Noticed by markson on freenode.
OK eric@ "with revised diff", phessler@.
|
|
an additional 28 bytes of .rodata (or .data) is provided to the network. In
most cases this is a non-issue since the memory content is already public.
Issue found and reported by Felix Groebert of the Google Security Team.
ok bcook@ beck@
|
|
Predefined strings are not very portable across troff implementations,
and they make the source much harder to read. Usually the intended
character can be written directly.
No output changes, except for two instances where the incorrect escape
was used in the first place.
tweaks + ok schwarze@
|
|
OK guenther@
|
|
them guaranteed to not conflict per POSIX.
ok espie@ guenther@
|
|
See https://www.openssl.org/news/secadv_20150108.txt for a more detailed
discussion.
Original OpenSSL patch here:
https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0
The regression test is modified a little for KNF.
ok miod@
|
|
certificates without requiring a CertificateVerify message.
From OpenSSL commit:
https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3
Thanks to Karthikeyan Bhargavan for reporting this.
ok miod@
|
|
Printing strerror() in that case will say result too large, even if rounds is
actually too small. invalid is less specific, but less incorrect.
ok millert
|
|
While here, correctly mark up time_t as a variable type and use prettier
double quotes.
ok schwarze@
|
|
Discussed with/requested by deraadt@ at the conclusion of s2k15.
|