path: root/lib
Commit message | Author | Age | Files | Lines
...
* document X509_check_purpose(3) | schwarze | 2019-08-22 | 6 | -9/+403
|
* sysctl(2): add kern.utc_offset: successor to the DST/TIMEZONE options(4) | cheloha | 2019-08-21 | 1 | -1/+18
|
|   The DST and TIMEZONE options(4) are incompatible with KARL, so we need some other way to compensate for an RTC running with a known offset.
|
|   Enter kern.utc_offset, an offset in minutes East of UTC. TIMEZONE has always been minutes West, but this is inconsistent with how everyone else talks about timezones, hence the flip.
|
|   TIMEZONE has the advantage of being compiled into the binary. Our new sysctl(2) has no such luck, so it needs to be set as early as possible in boot, from sysctl.conf(5), so we can correct the kernel clock from the RTC's local time to UTC before daemons like ntpd(8) and cron(8) start. To encourage this, kern.utc_offset is made immutable after the securelevel(7) is raised to 1.
|
|   Prompted by yasuoka@. Discussed with deraadt@, kettenis@, yasuoka@. Additional testing by yasuoka@.
|
|   ok deraadt@, yasuoka@
* Remove support for semantically opaque interface identifiers (RFC 7217) | florian | 2019-08-21 | 1 | -3/+3
|   for IPv6 link local addresses.
|
|   Some hosting and VM providers route customer IPv6 prefixes to link local addresses derived from ethernet MAC addresses (RFC 2464). This leads to hard to debug IPv6 connectivity problems and is probably not worth the effort.
|
|   RFC 7721 lists 4 weaknesses:
|   3.1. Correlation of Activities over Time & 3.2. Location Tracking
|      These are still possible with RFC 7217 addresses for an adversary connected to the same layer 2 network (think conference wifi). Since the link local prefix stays the same (fe80::/64) the link local addresses do not change between different networks. An adversary on the same layer 2 network can probably track ethernet MAC addresses via different means, too.
|
|   3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
|      These now become possible, however, as noted above a layer 2 adversary was probably able to do this via different means.
|
|   People concerned with these weaknesses are advised to use ifconfig lladdr random.
|
|   OK benno
|   input & OK kn
* New manual page X509_cmp(3) documenting the same public functions | schwarze | 2019-08-20 | 6 | -10/+241
|   as in OpenSSL 1.1.1.
|   I rewrote most of the text for clarity, precision, and conciseness and added some additional information. A few sentences from Paul Yang remain.
* Add static_ASN1_* macro | inoguchi | 2019-08-20 | 1 | -1/+72
|   - Add static_ASN1_* macro.
|   Patch was provided by steils AT gentoo.org
* make BN_CTX_end(NULL) a NOOP for compatibility with documented behaviour | schwarze | 2019-08-20 | 2 | -4/+12
|   in OpenSSL 1.1.1 even though in general, letting random functions accept NULL is not advisable because it can hide programming errors;
|   "yes please" tb@
|   "unfortunately I suspect you're right" jsing@
|   "oh well" deraadt@
* document X509_INFO_new(3) and X509_INFO_free(3) | schwarze | 2019-08-19 | 4 | -10/+78
|
* document ECDH_compute_key(3) and ECDH_size(3); | schwarze | 2019-08-19 | 8 | -15/+110
|   feedback and OK tb@
* Tweak cross references, in particular making sure that | schwarze | 2019-08-18 | 23 | -48/+85
|   all CMS pages are linked to CMS_ContentInfo_new(3) both ways and that closely related pages reference each other.
* minor cleanup: | schwarze | 2019-08-18 | 2 | -63/+37
|   * avoid jumping back and forth between use cases
|   * delete duplicate information
|   * and minor wording improvements
* minor cleanup: | schwarze | 2019-08-18 | 4 | -54/+74
|   * add the missing STANDARDS sections
|   * mark up ASN.1 type names
|   * GOST does not need an ENGINE in LibreSSL, so don't use it as an example
|   * and minor wording improvements and typo fixes
* minor cleanup: | schwarze | 2019-08-18 | 1 | -22/+42
|   * mark up ASN.1 type and field names
|   * move the RFC reference to STANDARDS
|   * and minor wording improvements
* some cleanup: | schwarze | 2019-08-18 | 1 | -60/+82
|   * do not jump back and forth among functions
|   * show data type - NID correspondence in a table
|   * make the difference between content type and embedded content clearer
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * remove some text that says nothing
|   * and minor wording improvements
* some cleanup: | schwarze | 2019-08-17 | 1 | -44/+46
|   * add the missing STANDARDS section
|   * more precision below RETURN VALUES
|   * simplify some overly verbose text
|   * mark up ASN.1 type names
|   * and minor wording improvements and typo fixes
* minor cleanup: | schwarze | 2019-08-17 | 1 | -89/+88
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * avoid some repetitions
|   * make some lists more palatable in -column form
|   * and minor wording improvements and typo fixes
* link to the new EC_KEY_METHOD_new(3) page | schwarze | 2019-08-16 | 1 | -3/+6
|   and mention a trap set by EC_KEY_copy(3)
* document the EC_KEY_METHOD function table | schwarze | 2019-08-16 | 3 | -3/+330
|
* document EC_KEY_get_ex_new_index(3), EC_KEY_get_ex_data(3), | schwarze | 2019-08-16 | 2 | -8/+19
|   and EC_KEY_set_ex_data(3)
* some cleanup: | schwarze | 2019-08-16 | 1 | -60/+55
|   * do not jump back and forth among different arguments and flags
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * and several wording improvements
* minor cleanup: | schwarze | 2019-08-16 | 1 | -15/+28
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * and minor wording improvements and typo fixes
* minor cleanup: | schwarze | 2019-08-15 | 1 | -19/+20
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * and minor wording improvements
* some cleanup: | schwarze | 2019-08-15 | 1 | -52/+61
|   * do not jump back and forth between different arguments
|   * display the flags in a proper list
|   * add the missing STANDARDS section
|   * mark up ASN.1 type names
|   * and minor wording improvements
* document but do not recommend EVP_Cipher(3); | schwarze | 2019-08-15 | 1 | -3/+52
|   jsing@ provided crucial help regarding the content;
|   tweaks and OK tb@
* Revert previous. There were some users of the quirky behaviour that were | martijn | 2019-08-15 | 1 | -2/+2
|   missed during code scan.
* Fix argument list for ber_set_writecallback | martijn | 2019-08-14 | 1 | -3/+5
|   OK claudio@
* wonky comma; | jmc | 2019-08-14 | 1 | -3/+3
|
* Document that ber_scanf_elements' 'p' and 't' attribute don't eat the | martijn | 2019-08-14 | 1 | -2/+7
|   current ber element.
|
|   OK claudio@
|   Seems sensible to deraadt@
* Make ber_scanf_elements's 'e' attribute eat the element. | martijn | 2019-08-14 | 1 | -2/+2
|   Right now all consumers use 'e' at the end of the list, so no regressions should be introduced.
|
|   OK claudio@
|   Seems sensible to deraadt@
* document EVP_Digest(3) | schwarze | 2019-08-14 | 1 | -3/+57
|
* some cleanup: | schwarze | 2019-08-14 | 1 | -58/+96
|   * avoid repetitions and jumping back and forth between the functions
|   * more precision regarding which ASN.1 types and fields are involved
|   * mark up the ASN.1 type and field names
|   * explain CMS_REUSE_DIGEST more precisely
|   * move the discussion of attributes to CMS_NOATTR where it belongs
|   * GOST does not need an ENGINE in LibreSSL, so don't use it as an example
|   * add the missing STANDARDS section
|   * and minor wording improvements
* read() returns -1 on failure | asou | 2019-08-14 | 1 | -2/+2
|   ok yasuoka@
* Make sure that ber in ber_scanf_elements is not NULL before parsing format | martijn | 2019-08-14 | 1 | -3/+3
|   where ber is utilized. This also allows us to remove the ber->be_next check, which can cause weird behaviour, because a NULL be_next would result in parsing the last element twice.
|
|   OK claudio@ on previous version
|   OK rob@
* some cleanup: | schwarze | 2019-08-13 | 1 | -29/+62
|   * state the common, general purpose up front
|   * more precision regarding which ASN.1 types and fields are involved
|   * mark up the ASN.1 type and field names
|   * add the missing STANDARDS section
|   * and minor wording improvements
* some cleanup: | schwarze | 2019-08-12 | 1 | -44/+75
|   * add missing STANDARDS section
|   * avoid repetitions and jumping back and forth among functions
|   * describe the difference between 0 and 1 more precisely and more concisely
|   * mark up the ASN.1 type and field names
* Provide a local version of X509_get0_subject_key_id() | jsing | 2019-08-12 | 1 | -3/+11
|   It seems that the CMS code is currently the only code in existence that uses this function.
* Inline the equivalent of ASN1_TYPE_unpack_sequence(). | jsing | 2019-08-12 | 1 | -3/+6
|
* correct a misspelled page name in an .Xr; | schwarze | 2019-08-12 | 1 | -3/+3
|   it looks like this was the last bad .Xr in *CMS*(3)
* correct misspelled page name in an .Xr | schwarze | 2019-08-12 | 1 | -3/+3
|
* Fix .Xrs to non-existent pages by correcting the misspelled function | schwarze | 2019-08-12 | 1 | -43/+83
|   names and documenting these two functions, CMS_decrypt_set1_pkey(3) and CMS_decrypt_set1_key(3) right here in this same page. While here, simplify and improve some wording.
* These public functions are listed in the OpenSSL manuals but not | schwarze | 2019-08-12 | 2 | -0/+257
|   actually documented, so write the documentation from scratch.
* merge a few minor improvements from the OpenSSL 1.1.1 branch, | schwarze | 2019-08-12 | 1 | -15/+35
|   which is still under a free license:
|   * mention pem_password_cb in NAME and SYNOPSIS
|   * recommend -1 as pem_password_cb error return for OpenSSL compat
|   * minor improvements to the pass_cb() example code
|   * mention that the pass phrase is just a byte sequence
|   * and minor wording and markup improvements
* Document ip.arpq and remove ip, ip6 and mpls ifq. | denis | 2019-08-11 | 1 | -45/+27
|   ok deraadt@
* No specific called "exec(3)", so move primary manpage to a name which | deraadt | 2019-08-11 | 7 | -27/+23
|   does exist -- execv(3). Still call this a family but without "Nm". Adjust Xr in various pages to refer to the precise function used rather than the family, in most cases the semantics of execve(2) are being referenced, so change the Xr.
|   ok jmc
* Use ERR_asprintf_error_data() instead of ERR_add_error_data(). | jsing | 2019-08-11 | 1 | -3/+3
|
* Remove unsupported GOST 2012 NIDs. | jsing | 2019-08-11 | 1 | -3/+1
|
* Disable DES3 since we do not currently provide DES3 keywrap. | jsing | 2019-08-11 | 1 | -1/+7
|
* Remove label that is now unused (due to arc4random_buf() returning void). | jsing | 2019-08-11 | 1 | -3/+2
|
* Fix loading of CMS error strings. | jsing | 2019-08-11 | 1 | -5/+5
|
* Bring back stack macros for CMS structs. | jsing | 2019-08-11 | 1 | -1/+111
|
* Provide ASN1_PKEY_CTRL_CMS_RI_TYPE. | jsing | 2019-08-11 | 1 | -1/+2
|