eric [Sun, 11 Nov 2018 14:56:05 +0000 (14:56 +0000)]
Fix resolver_getaddrinfo(): use NULL strings in underlying messages
where appropriate and add missing check before freeaddrinfo().
This code path is currently unused.
eric [Sun, 11 Nov 2018 14:00:51 +0000 (14:00 +0000)]
accept NULL as a valid string in the proc message formating api.
ok gilles@
remi [Sun, 11 Nov 2018 13:55:07 +0000 (13:55 +0000)]
accept "interface ifX" without parameters. Extend the man page to show
an interface config example with and one without parameters.
comment and OK claudio@
dlg [Sun, 11 Nov 2018 12:47:04 +0000 (12:47 +0000)]
copy the mpls cos and use it as the ip dscp/tos/tclass thing.
bcook [Sun, 11 Nov 2018 07:57:44 +0000 (07:57 +0000)]
quiet warning on other compilers
ok beck@
bluhm [Sun, 11 Nov 2018 07:39:34 +0000 (07:39 +0000)]
Fix a race in libssl interop regress. The success messages from
the server child could be delayed. In this case wait a second and
check again.
tb [Sun, 11 Nov 2018 07:13:03 +0000 (07:13 +0000)]
Hook up sm3 regress tests.
tb [Sun, 11 Nov 2018 07:12:33 +0000 (07:12 +0000)]
Add sm3 regress tests.
tb [Sun, 11 Nov 2018 07:10:57 +0000 (07:10 +0000)]
Add sm3 to the 'openssl dgst' command.
ok beck inoguchi
tb [Sun, 11 Nov 2018 07:07:44 +0000 (07:07 +0000)]
Add EVP_sm3() to OpenSSL_add_all_digests_internal().
ok beck inoguchi
tb [Sun, 11 Nov 2018 07:01:59 +0000 (07:01 +0000)]
sync
tb [Sun, 11 Nov 2018 07:00:14 +0000 (07:00 +0000)]
bump minors after symbol addition.
tb [Sun, 11 Nov 2018 06:58:14 +0000 (06:58 +0000)]
Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
tb [Sun, 11 Nov 2018 06:53:31 +0000 (06:53 +0000)]
Add Ribose Inc's implementation of the SM3 hashing function with
tweaks from jsing and myself. The SM2/SM3/SM4 algorithms are mandatory
for legal use of cryptography within China and [are] widely applied in
the country, covering identification/financial cards, contactless,
TPM 2.0 and PKI.
ok beck inoguchi jsing
beck [Sun, 11 Nov 2018 06:49:35 +0000 (06:49 +0000)]
Nuke trailing whitespace
bcook [Sun, 11 Nov 2018 06:41:28 +0000 (06:41 +0000)]
Add automatic threading initialization for libcrypto.
This implements automatic thread support initialization in libcrypto.
This does not remove any functions from the ABI, but does turn them into
no-ops. Stub implementations of pthread_mutex_(init|lock|unlock) are
provided for ramdisks.
This does not implement the new OpenSSL 1.1 thread API internally,
keeping the original CRYTPO_lock / CRYPTO_add_lock functions for library
locking. For -portable, crypto_lock.c can be reimplemented with
OS-specific primitives as needed.
ok beck@, tb@, looks sane guenther@
dlg [Sun, 11 Nov 2018 06:35:41 +0000 (06:35 +0000)]
when encapsulating mpls, map the mpls qos value to an ip tos.
bluhm [Sun, 11 Nov 2018 06:27:57 +0000 (06:27 +0000)]
Free the server tls transcript in case session reuse did not work.
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
dlg [Sun, 11 Nov 2018 06:05:53 +0000 (06:05 +0000)]
actually use the if_llprio to set the mbuf prio.
the llprio is already used to set the gre and eoip packet tos/tclass,
but it was queued at the default prio before this.
dlg [Sun, 11 Nov 2018 05:55:10 +0000 (05:55 +0000)]
use the llprio on gre(4) and eoip(4) interfaces for the keepalive tos
llprios are valued 0 to 7, while the ip tos/dscp/tclass is an 8 bit
value. fortunately the high 3 bits map nicely to the llprio values,
so we shift the llprio into place when generating the keepalive
frames. the llprio is defaulted to the value that cisco uses for
their gre keepalives.
bcook [Sun, 11 Nov 2018 03:27:56 +0000 (03:27 +0000)]
include crypto.h from the correct path, remove unused variable
beck [Sun, 11 Nov 2018 02:22:34 +0000 (02:22 +0000)]
Add support for RSA PSS algorithims being used in sigalgs.
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
beck [Sun, 11 Nov 2018 02:03:23 +0000 (02:03 +0000)]
Convert signatures and verifcation to use the EVP_DigestXXX api
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
deraadt [Sun, 11 Nov 2018 01:49:04 +0000 (01:49 +0000)]
in the magical language gcc, adding brackets allows correct code to compile.
dlg [Sun, 11 Nov 2018 01:40:31 +0000 (01:40 +0000)]
make all the setsockopt calls consistent.
do not cast the arguments unnecessarily, and always err() on failure.
an earlier diff just tweaking the v6 calls was oked by bluhm@ kn@ deraadt@
krw [Sun, 11 Nov 2018 00:55:11 +0000 (00:55 +0000)]
Sometimes autoindenting is too helpful.
krw [Sun, 11 Nov 2018 00:49:05 +0000 (00:49 +0000)]
As get_hw_address() is called early and unconditionally sets
VALID_LLADDR, there is longer much point to VALID_LLADDR. Nuke it.
Just check for lladdr changes when LINK_STATUS_IS_UP().
bluhm [Sun, 11 Nov 2018 00:15:04 +0000 (00:15 +0000)]
Reorganize libssl interop tests. Move netcat tests into separate
directory. Keep all log files for easier debugging. Name regress
target names consistently.
akoshibe [Sun, 11 Nov 2018 00:11:01 +0000 (00:11 +0000)]
Mention the default address (0.0.0.0) and port (6653) that switchd(8)
uses.
OK nayden@ kn@
dlg [Sat, 10 Nov 2018 23:44:53 +0000 (23:44 +0000)]
let -D work on ping6 too.
the manpage was discussed with many
kn [Sat, 10 Nov 2018 21:22:17 +0000 (21:22 +0000)]
Unbreak `-D macro=value' (r1.686 regression)
Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.
anton [Sat, 10 Nov 2018 21:21:15 +0000 (21:21 +0000)]
use the LFPRINTF() debug macro consistently; ok mpi@
krw [Sat, 10 Nov 2018 21:04:01 +0000 (21:04 +0000)]
Use tick_msg(INT64_MAX) when LLADDR changes.
krw [Sat, 10 Nov 2018 20:51:13 +0000 (20:51 +0000)]
If tick_msg() is passed a start of INT64_MAX (a.k.a. the end of time)
stop ticking, end any partially emitted line with a "\n".
This will be used when dhclient is restarting itself due to events
beyond its control. e.g. new LLADDR
daniel [Sat, 10 Nov 2018 19:42:02 +0000 (19:42 +0000)]
Eliminate use of sbrk (was only used to print a diagnostic).
ok tb@
daniel [Sat, 10 Nov 2018 19:40:43 +0000 (19:40 +0000)]
remove mention of sbrk.
ok tb@
remi [Sat, 10 Nov 2018 19:12:34 +0000 (19:12 +0000)]
the default for triggered-updates is no.
OK claudio@
bluhm [Sat, 10 Nov 2018 18:40:34 +0000 (18:40 +0000)]
Do not translate the EACCES error from pf(4) to EHOSTUNREACH anymore.
It also translated a documented send(2) EACCES case erroneously.
This was too much magic and always prone to errors.
from Jan Klemkow; man page jmc@; OK claudio@
krw [Sat, 10 Nov 2018 18:25:59 +0000 (18:25 +0000)]
Eliminate single use variables 'tickstop' that confuse ticking and
protocol timing.
kn [Sat, 10 Nov 2018 18:14:47 +0000 (18:14 +0000)]
Fix vnetid range
0 and 4095 are reserved IDs as per 802.1Q and vlan(4), setting them will
fail.
OK denis
mpi [Sat, 10 Nov 2018 15:34:25 +0000 (15:34 +0000)]
free(9) sizes for endpoints array.
ok okan@, tedu@, visa@
mpi [Sat, 10 Nov 2018 15:29:22 +0000 (15:29 +0000)]
Pass free(9) sizes for port arrays.
ok tedu@, visa@
mpi [Sat, 10 Nov 2018 15:28:05 +0000 (15:28 +0000)]
Pass free(9) sizes for the tx descriptors.
ok tedu@, visa@, stsp@
krw [Sat, 10 Nov 2018 15:01:09 +0000 (15:01 +0000)]
Stop passing value+3 as the start time for tick_msg(). Just #define
GRACE_SECONDS 3 inside tick_msg() and use that.
Reduces number of pointless variables used to perform the arithmetic,
making it more obvious what tick_msg() invocations are doing.
krw [Sat, 10 Nov 2018 14:39:09 +0000 (14:39 +0000)]
The tick messages ("no link...", "no lease...") have had a hard
stop at ifi->startup_time + config->link_timeout for a while. So
just set that at startup and stop passing the fixed value to
tick_msg().
bru [Sat, 10 Nov 2018 14:27:51 +0000 (14:27 +0000)]
Remove the strong hysteresis filter.
It seems that the filter is obsolete, the default method is sufficient.
Simplify and clean up some related code in wsmouse.
ok mpi@
anton [Sat, 10 Nov 2018 11:58:50 +0000 (11:58 +0000)]
add tests covering negative lengths and positive overflows
anton [Sat, 10 Nov 2018 11:54:03 +0000 (11:54 +0000)]
Conform to POSIX-2001 in which the behavior of passing a negative length using
posix file locks is defined. Also, detect overflows when dealing with positive
lengths.
ok millert@ visa@
denis [Sat, 10 Nov 2018 11:19:01 +0000 (11:19 +0000)]
fix error message when querying a non-existent table
OK claudio@
denis [Sat, 10 Nov 2018 10:17:37 +0000 (10:17 +0000)]
unbreak VLAN filtering
OK dlg@
beck [Sat, 10 Nov 2018 08:42:39 +0000 (08:42 +0000)]
Remove dead code
ok jsing@
beck [Sat, 10 Nov 2018 08:35:43 +0000 (08:35 +0000)]
Speling
bluhm [Sat, 10 Nov 2018 08:33:45 +0000 (08:33 +0000)]
Regress client and server can do session reuse now. Test this with
all combinations of LibreSSL, OpenSSL 1.0.2, and OpenSSL 1.1. It
is currently disabled for TLS 1.3 as this needs more setup.
jsing [Sat, 10 Nov 2018 08:10:43 +0000 (08:10 +0000)]
Tweak and improve the TLSv1.3 state machine.
- Provide a tls13_handshake_active_action() function to reduce code
duplication and replace tls13_handshake_get_sender().
- Add an INVALID message_type, so we can explicitly detect invalid
conditions.
- Implement skeletons for the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions.
- OR in the NEGOTIATED value at the end of recving or sending a server
hello so that we switch to the next chain in the state table.
ok tb@
beck [Sat, 10 Nov 2018 08:10:31 +0000 (08:10 +0000)]
Make sure the interop test happen last (since they take a long time)
dlg [Sat, 10 Nov 2018 05:03:23 +0000 (05:03 +0000)]
add support for setting the traffic class on ipv6 packets.
it reuses the toskeyword handling that ipv4 uses for setting the
tos field, which is equiavlent to traffic class.
ok florian@ denis@
jsing [Sat, 10 Nov 2018 02:23:28 +0000 (02:23 +0000)]
Clean up and free objects at the completion of the regress test.
From Ben L <bobsayshilol at live dot co dot uk>.
tb [Sat, 10 Nov 2018 01:46:54 +0000 (01:46 +0000)]
fix a leak reported by Ben L (bobsayshilol () live ! co ! uk)
tb [Sat, 10 Nov 2018 01:43:03 +0000 (01:43 +0000)]
Fix a leak reported by Ben L bobsayshilol () live ! co ! uk.
tb [Sat, 10 Nov 2018 01:39:35 +0000 (01:39 +0000)]
fix a leak pointed out by Ben L (bobsayshi () live ! co ! uk)
jsing [Sat, 10 Nov 2018 01:34:02 +0000 (01:34 +0000)]
Avoid a double allocation and memory leak.
Reported by Ben L <bobsayshilol at live dot co dot uk>
beck [Sat, 10 Nov 2018 01:19:09 +0000 (01:19 +0000)]
Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@
beck [Sat, 10 Nov 2018 00:48:33 +0000 (00:48 +0000)]
More regress all the way to exporter_master
tb [Sat, 10 Nov 2018 00:38:31 +0000 (00:38 +0000)]
Use TLS13_HS_{CLIENT,SERVER} instead of using a redundant _SEND{,S}.
ok jsing
beck [Sat, 10 Nov 2018 00:18:25 +0000 (00:18 +0000)]
Fix last of the empty hash nonsense
ok jsing@
jsing [Fri, 9 Nov 2018 23:57:19 +0000 (23:57 +0000)]
Update key schedule regress to match API changes.
jsing [Fri, 9 Nov 2018 23:56:20 +0000 (23:56 +0000)]
Fix the TLSv1.3 key schedule implementation.
When the RFC refers to ("") for key derivation, it is referring to the
transcript hash of an empty string, not an empty string. Rename
tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD *
and calculate the hash of an empty string so that we have it available
for the "derived" and other steps. Merge tls13_secrets_init() into
the same function, remove the EVP_MD * from other functions and use the
empty string hash at the appropriate places.
ok beck@ tb@
tb [Fri, 9 Nov 2018 23:54:57 +0000 (23:54 +0000)]
Use "send" and "recv" consistently instead of mixing them with "read"
and "write". Use self-documenting C99 initializers.
ok bcook, jsing
tb [Fri, 9 Nov 2018 23:49:18 +0000 (23:49 +0000)]
Initialize priv_key and pub_key on first use instead of at the top.
While there, eliminate a flag that was only used once.
ok beck jsing mestre
tb [Fri, 9 Nov 2018 23:45:19 +0000 (23:45 +0000)]
Initialize priv_key and pub_key on first use instead of at the top.
ok beck jsing mestre
bluhm [Fri, 9 Nov 2018 23:44:32 +0000 (23:44 +0000)]
The Botan library from ports an be configured to use OpenSSL or
LibreSSL as crypto provider. When we run their regression tests,
we are actually testing our library. This is far from perfect. A
lot of LibreSSL features have not been implemented as Botan provider.
Even if provider openssl is specified, botan-test runs a lot of
non-openssl tests. This can be improved later.
tb [Fri, 9 Nov 2018 23:39:45 +0000 (23:39 +0000)]
Avoid dereferencing eckey before checking it for NULL.
CID 184282
ok beck jsing mestre
stsp [Fri, 9 Nov 2018 21:33:55 +0000 (21:33 +0000)]
Document interactions of rad(8), carp(4), and SOII:
When running rad(8) on top of carp(4), ifconfig carp0 -soii is a good idea.
ok florian@ jmc@
denis [Fri, 9 Nov 2018 20:36:04 +0000 (20:36 +0000)]
fix a typo
OK jca@ (from a long time ago...)
tb [Fri, 9 Nov 2018 19:31:50 +0000 (19:31 +0000)]
remove the not yet implemented "handshake" subdirectory
tb [Fri, 9 Nov 2018 19:24:50 +0000 (19:24 +0000)]
Add subdirectires with SUBDIR += instead of a single assignment with
line continuations.
jmc [Fri, 9 Nov 2018 19:04:15 +0000 (19:04 +0000)]
retuned -> returned;
brynet [Fri, 9 Nov 2018 18:39:34 +0000 (18:39 +0000)]
The 'recvfd' and 'inet' promises are no longer required by tcpdump(8)
This reduces the remaining runtime pledge(2) in the privsep monitor
process to "stdio rpath dns bpf":
- 'rpath' for /etc/{ethers,rpc}, also unveil(2)'d thanks to mestre@!
- 'dns' for DNS lookups
- 'bpf' BIOCGSTATS on ^C
The unprivileged packet parser process remains pledged just "stdio"
This depends on the previous commit that removed YP support from
ethers(5).
ok mestre@
brynet [Fri, 9 Nov 2018 17:49:32 +0000 (17:49 +0000)]
Remove ethers(5) YP support bits from libc as it makes it difficult to
effectively use pledge(2) in some programs.
approval from many, thanks!
idea by & ok deraadt@
jsing [Fri, 9 Nov 2018 17:43:31 +0000 (17:43 +0000)]
Ensure we free the handshake transcript upon session resumption.
Found the hard way by jmc@
ok tb@
krw [Fri, 9 Nov 2018 16:52:41 +0000 (16:52 +0000)]
Abstract a separate function to scan the list provided by getifaddrs()
for the interface's link information.
Makes the code easier to follow.
Suggestions and ok kn@
claudio [Fri, 9 Nov 2018 14:17:13 +0000 (14:17 +0000)]
Document m_leadingspace() and m_trailingspace() instead of the makros which
got removed. Also fix documentation of m_prepend and M_PREPEND. They are
the same quite some time and there is no longer the need to warn about
not using m_prepend directly.
OK krw@, mpi@
claudio [Fri, 9 Nov 2018 14:14:31 +0000 (14:14 +0000)]
M_LEADINGSPACE() and M_TRAILINGSPACE() are just wrappers for
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@
claudio [Fri, 9 Nov 2018 13:26:12 +0000 (13:26 +0000)]
Remove the last few XXX rdomain markers. Even those functions respect the
rdomain now and are therefor rdomain save.
OK mpi@
guenther [Fri, 9 Nov 2018 07:53:14 +0000 (07:53 +0000)]
Delete superfluous libc reach-around variables, left over from the
old syscall stubs. Prompted by miod@'s poke on m88k
ok visa@
bluhm [Fri, 9 Nov 2018 06:30:41 +0000 (06:30 +0000)]
The cert subdir is testing all combinations of certificate validation.
Having the three libraries, client and server certificates, missing
or invalid CA or certificates, and enforcing peer certificate results
in 1944 new test cases.
guenther [Fri, 9 Nov 2018 06:16:37 +0000 (06:16 +0000)]
Delete superfluous libc reacharounds.
Replace magic numbers with symbolic constants in ldasm.S
Let the kernel do the cacheflush optimization.
from miod@
beck [Fri, 9 Nov 2018 05:43:39 +0000 (05:43 +0000)]
Ensure we only choose sigalgs from our prefernce list, not the whole list
ok jsing@
guenther [Fri, 9 Nov 2018 05:31:57 +0000 (05:31 +0000)]
Delete support for obsolete BSS PLT format, which was last known to be
used by the dearly departed editors/emacs21 port.
Per naddy@, we'll keep an eye out for issues in the next ports bulk build
beck [Fri, 9 Nov 2018 05:02:53 +0000 (05:02 +0000)]
Add the ability to have a separate priority list for sigalgs.
Add a priority list for tls 1.2
ok jsing@
jsing [Fri, 9 Nov 2018 04:54:42 +0000 (04:54 +0000)]
Correct defines for writer tests in connect/accept loops.
ok tb@
jsing [Fri, 9 Nov 2018 04:53:28 +0000 (04:53 +0000)]
Correct function naming for tls13_handshake_advance_state_machine().
ok tb@
tb [Fri, 9 Nov 2018 04:35:09 +0000 (04:35 +0000)]
Avoid leak: free existing SRTP connection profiles before
setting it.
From Ben L <bobsayshilol () live ! co ! uk>.
tb [Fri, 9 Nov 2018 04:20:27 +0000 (04:20 +0000)]
Avoid leaking memory that was already allocated in ASN1_item_new().
From Ben L <bobsayshilol () live ! co ! uk>
tb [Fri, 9 Nov 2018 04:11:06 +0000 (04:11 +0000)]
Fix a buffer overrun in asn1_parse2().
From Ben L bobsayshilol () live ! co ! uk
Similar fixes in BoringSSL and OpensSSL.
bluhm [Fri, 9 Nov 2018 04:05:14 +0000 (04:05 +0000)]
In verbose mode netcat reports to stderr when the listen system
call has finished. This allows to write race free scripts as they
can check that the server is up and running.
OK sthen@ tb@
tb [Fri, 9 Nov 2018 03:42:30 +0000 (03:42 +0000)]
Add const to the data argument of ASN1_set{,_int}_octetstring().
From Ben L bobsayshilol () live ! co ! uk
ok jsing
jsing [Fri, 9 Nov 2018 03:17:24 +0000 (03:17 +0000)]
Add header guards and hidden declarations.
jsing [Fri, 9 Nov 2018 03:17:04 +0000 (03:17 +0000)]
Add header guards and hidden declarations.
jsing [Fri, 9 Nov 2018 03:07:26 +0000 (03:07 +0000)]
Add header guards and hidden declarations.