summaryrefslogtreecommitdiffstats
path: root/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Avoid leak in error path of dh_priv_decodeinoguchi2020-01-041-1/+2
| | | | ok jsing@ tb@
* In ssl.h rev. 1.167 and s3_lib.c rev. 1.188, jsing@ providedschwarze2020-01-021-4/+21
| | | | | | | | the new function SSL_CTX_get_extra_chain_certs_only(3) and changed the semantics of the existing SSL_CTX_get_extra_chain_certs(3) API from the former OpenSSL 1.0.1 behaviour to the new, incompatible OpenSSL 1.0.2 behaviour. Adjust the documentation. OK jsing@ beck@ inoguchi@
* Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.jsing2020-01-022-8/+23
| | | | | | | | | | | | | | In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release. Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx. ok beck@ inoguchi@ tb@
* Provide TLSEXT_TYPE_* aliases for TLS 1.3.jsing2020-01-021-1/+10
| | | | | | | | | | | OpenSSL decided to use their own names for two of the TLS 1.3 extensions, rather than using the names given in the RFC. Provide aliases for these so that code written to work with OpenSSL also works with LibreSSL (otherwise everyone gets to provide their own workarounds). Issue noted by d3x0r on github. ok inoguchi@ tb@
* Increase BER_MAX_OID_LEN from 32 to 64. Not every snmp OID found in themartijn2019-12-313-6/+6
| | | | | | wild fits inside 32 elements, like UsmUserEntry objects. OK rob@, claudio@
* It is believed that an implementation of madvise was available injsg2019-12-261-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SunOS 4.0 based on text from the following papers. "Two 4.2BSD system calls, madvise and mincore, remain unspecified, madvise is intended to provide information to the system to influence its management policies. Since a major rework of such policies was deferred to a future release, we decided to defer full specification and implementation of madvise until that time." R. Gingell, J. Moran, W. Shannon "Virtual Memory Architecture in SunOS" Proceedings of USENIX Summer Conference, June 1987 AUUGN Volume 8 Number 5, October 1987 "Memory management related system calls based on the original 4.2BSD specification that were implemented include mmap, munmap, mprotect, madvise, and mincore." J. Moran "SunOS Virtual Memory Implementation" Proceedings of the Spring 1988 European UNIX Users Group Conference, April 1988 AUUGN Volume 9 Number 3, June 1988 and a reference in "Global Index", Part Number: 800-1758-10, Revision A, of 9 May 1988 bitsavers pdf/sun/sunos/4.0/800-1758-10A_Global_Index_198805.pdf discussed with an ok schwarze@
* a few depend:-related thingies that were still in.espie2019-12-211-3/+1
| | | | okay millert@, tb@
* Warn that auth_call(3) users should include a "--" argument beforejsg2019-12-211-2/+7
| | | | | | non-optional arguments to stop getopt(3) processing. ok deraadt@
* In "4.2BSD System Manual" (/usr/doc/sysman in 4.2BSD source)jsg2019-12-215-20/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | mmap(), munman(), madvise() and mprotect() are described as planned for later releases. A fully functional mmap(2) supporting shared libraries first appeared in SunOS 4.0 along with msync(2). SunOS 4.1 added madvise(3) and replaced msync(2) with mctl(2) which was was used to implement msync(3), mlock(3) and munlock(3). While some of these functions appear as empty or ifdef'd functions in 4.1cBSD and later it was not until the Mach VM was integrated with Net/2 that most of them were implemented. Though the CSRG releases never supported shared libraries or madvise(). mlock()/munlock() were not in Net/2 as they were added by hibler in 1993, but were in 4.4BSD. madvise(2) was implemented for UVM in NetBSD 1.5 and ported to OpenBSD 2.7. For now instead of trying to accurately describe when interfaces first appeared in other systems correct when they were first available in CSRG or OpenBSD releases, retaining the text in mmap(2) discussing SunOS 4.0. madvise(2) 4.4BSD -> OpenBSD 2.7 mmap2(2) 4.4BSD -> 4.3BSD Net/2 mprotect(2) 4.4BSD -> 4.3BSD Net/2 msync(2) 4.4BSD -> 4.3BSD Net/2 munmap(2) 4.1cBSD -> 4.3BSD Net/2
* drand48(3) returns values in [0.0, 1.0).tb2019-12-201-3/+3
| | | | | | From j@bitminer.ca with input from Andras Farkas, deraadt, joerg@netbsd "fix however you feel best!" jmc
* The mcount.po target is special cased here since mcount.c should not betb2019-12-201-2/+3
| | | | | | | | | compiled with pie or profiling enabled. This was missed when the independent depend target was removed. Align this target with the inference rules in bsd.lib.mk. This now creates mcount.d as it should and fixes 'make clean' which previously left mcount.po.d behind. ok guenther
* spelling; from bryan stensonjmc2019-12-191-3/+3
|
* Fix bogus ".It .Cm"jca2019-12-171-3/+3
|
* Add fido(4), a HID driver for FIDO/U2F security keysreyk2019-12-172-76/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | While FIDO/U2F keys were already supported by the generic uhid(4) driver, this driver adds the first step to tighten the security of FIDO/U2F access. Specifically, users don't need read/write access to all USB/HID devices anymore and the driver also improves integration with pledge(2) and unveil(2): It is pledge-friendly because it doesn't require any ioctls to discover the device and unveil-friendly because it uses a single /dev/fido/* directory for its device nodes. It also allows to support FIDO/U2F in firefox without further weakening the "sandbox" of the browser. Firefox does not have a proper privsep design and many operations, such as U2F access, are handled directly by the main process. This means that the browser's "fat" main process needs direct read/write access to all USB HID devices, at least on other operating systems. With fido(4) we can support security keys in Firefox under OpenBSD without such a compromise. With this change, libfido2 stops using the ioctl to query the device vendor/product and just assumes "OpenBSD" "fido(4)" instead. The ioctl is still supported but there was no benefit in obtaining the vendor product or name; it also allows to use libfido2 under pledge. With feedback from deraadt@ and many others OK kettenis@ djm@ and jmc@ for the manpage bits
* Fix documented signatures of HMAC(3) and HMAC_Update(3). The n and lentb2019-12-141-4/+4
| | | | | arguments were changed from int to size_t with the import of OpenSSL 0.9.8h in 2008.
* The file passed to realpath(3) must exists, adjust man page to newbluhm2019-12-111-3/+3
| | | | | behavior. noticed by hshoexer@; OK beck@
* add sys/wait.h to unbreak builds; following "Replace p_xstat with ps_xexit andsthen2019-12-111-1/+2
| | | | | | | | | ps_xsig" (sysctl.h r1.198 and friends) FILL_KPROC requires W_EXITCODE from there. cc -static -pie -o ps keyword.o nlist.o print.o ps.o utf8.o -lkvm ld: error: undefined symbol: W_EXITCODE >>> referenced by kvm_proc2.c:293 (/usr/src/lib/libkvm/kvm_proc2.c:293) [...]
* Remove includes that are no longer neeed after tedu's simplification.millert2019-12-101-4/+1
| | | | OK jca@
* The msync interface first appeared in SunOS 4.0.jsg2019-12-101-3/+4
|
* Adjust history text.jsg2019-12-101-5/+8
| | | | | | | A fully functional mmap() system call first appeared in SunOS 4.0 and has been available since 4.4BSD. wording from and ok schwarze@ input from deraadt@
* tweak previous;jmc2019-12-081-13/+13
|
* define _LIBCPP_HAS_TIMESPEC_GET and _LIBCPP_HAS_C11_FEATURESjsg2019-12-081-0/+3
| | | | | OpenBSD has timespec_get(3) and struct timespec/aligned_alloc(3). ok kettenis@ jca@
* Make sure packet destination address matches interface address,sashan2019-12-081-2/+12
| | | | | | | | | where such packet is bound to. This check is enforced if and only IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
* replace links to uvm(9) to uvm_init(9); ok mpijmc2019-12-061-3/+3
|
* Explicitly say that *permissions can be "".schwarze2019-12-061-3/+4
| | | | | | Potential for misunderstanding noticed by Chris Rawnsley <chris at puny dot agency>, wording proposed by deraadt@, patch sent by Chris Rawnsley, OK deraadt@.
* - fix some Xr; from martinjmc2019-12-053-15/+13
| | | | - minor tweaks while here
* Document IP6_SOIIKEY_LENkn2019-12-051-3/+6
| | | | OK florian jmc
* Document X509_STORE_CTX_set_flags() which is a handy way to change theclaudio2019-12-051-3/+18
| | | | | | | verification param flags of a context. While this function is marked as likely to be deprecated in OpenSSL it seems that this may not happen. This is why we decided to still document it. OK and input from ingo@ tb@
* some minor tweaks;jmc2019-12-041-7/+5
|
* I accidentally smashed wrong contents into this file.deraadt2019-12-041-43/+348
| | | | Repair from Martin @ academicsolutions.ch
* libc's authentication privsep layer performed insufficient usernamederaadt2019-12-041-1/+5
| | | | | | | | validation. Repair work mostly by markus and millert, first of all solving the primary problem, then adding some additional validation points. And then futher validation in login and su. This will be 6.5/021_libcauth.patch.sig and 6.6/010_libcauth.patch.sig Reported by Qualys
* libc's authentication privsep layer performed insufficient usernamederaadt2019-12-042-10/+39
| | | | | | | | validation. Repair work mostly by markus and millert, first of all solving the primary problem, then adding some additional validation points. And then futher validation in login and su. This will be 6.5/021_libcauth.patch.sig and 6.6/010_libcauth.patch.sig Reported by Qualys
* Add missing RCS tag.tb2019-12-031-0/+1
|
* Fix typo: ECHD -> ECDH.tb2019-12-031-4/+4
| | | | From Michael Forney, thanks!
* fwide() does not unlock if error was occurred.asou2019-12-031-2/+4
| | | | ok guenther@ and deraadt
* comply with POSIX and make execve() return EACCES for directoriesnaddy2019-12-011-4/+2
| | | | ok millert@ deraadt@
* crank libelf major for exec_elf.h changesjsg2019-12-011-1/+1
|
* bump libcbor after symbol addition; ok deraadt@naddy2019-11-281-1/+1
|
* Fix typo in comment in struct pcap_pkthdrakoshibe2019-11-281-2/+2
|
* update to libcbor rev 56a43b1e799; this includes a number of fixesdjm2019-11-2840-3396/+3347
| | | | | | for unaligned accesses, requested by miod@ ok deraadt@
* tweak previous: add missing name after .Fn, delete stray .Pp,schwarze2019-11-271-4/+2
| | | | and drop NetBSD RCS tag apparently left over from copy & paste
* Document msyscall(2): ld.so can use this (once only) to tell the kernelderaadt2019-11-272-2/+76
| | | | | | | where libc.so's text segment is, thereby allowing invocation of system calls from that region. An upcoming change will kill the process if a system call is invoked from addresses not explicitly permitted. ok guenther kettenis mortimer
* sync upstream commit with manpage fixes from jmc@djm2019-11-2717-59/+59
| | | | | | | | > commit 437896dcafc67d9596774c3bb9f97bfdb4810bb1 > Author: pedro martelletto <pedro@yubico.com> > Date: Wed Nov 20 09:38:22 2019 +0100 > > man: mop up dangling .Xr's; Jason McIntyre <jmc@openbsd.org>
* Add support for TLS 1.3 post handshake messages and key updating.beck2019-11-263-20/+217
| | | | | | tested against openssl 1.1's server. ok jsing@ tb@
* gcc3, like clang and unlike our gcc4, doesn't support redirecting builtinsguenther2019-11-251-6/+12
| | | | | | | like mem{set,cpy,move} or __stack_smash_handler using asm() renaming. So treat gcc3 like clang and mark such functions as protected instead. ok ayoma@
* A touch of style(9)tim2019-11-211-6/+6
| | | | OK tb@ tedu@
* Use explicit_bzero() to clear key materialtim2019-11-211-1/+2
| | | | OK tb@ tedu@
* zero tmpout too. reminded by related diff from timtedu2019-11-211-1/+2
|
* overwrite the key in failure modes in case the caller doesn't check.tedu2019-11-212-7/+17
| | | | ok deraadt
* Add accessors to change the buffer in a handshake message.beck2019-11-203-3/+20
| | | | | | Needed for doing TLS 1.3 Post Handshake Handshake messages. ok jsing@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.