deraadt [Sun, 21 Jun 2015 18:13:11 +0000 (18:13 +0000)]
sync
deraadt [Sun, 21 Jun 2015 18:11:58 +0000 (18:11 +0000)]
sync
deraadt [Sun, 21 Jun 2015 18:10:02 +0000 (18:10 +0000)]
5.9 base key
doug [Sun, 21 Jun 2015 16:10:45 +0000 (16:10 +0000)]
Check for failure with CBB_init() in bs_ber.c.
From BoringSSL commit
3fa65f0f05f67615d9daf48940e07f84d094ac6e.
reyk [Sun, 21 Jun 2015 13:08:36 +0000 (13:08 +0000)]
When encoding the Location url, only encode the query and path
elements from the user input and not the constants from the
configuration. This makes it possible to specify chars like '?' in
the uri.
OK Sebastien Marie
claudio [Sun, 21 Jun 2015 12:16:29 +0000 (12:16 +0000)]
There is a race between sending notifications to the SE and getting a new
peer_up event in the RDE. This can be triggered by graceful restart. So
remove the panic and replace it with roughly what peer_down does.
OK phessler and henning
reyk [Sun, 21 Jun 2015 12:15:09 +0000 (12:15 +0000)]
Add .mkv (video/x-matroska).
From David Hill
ok halex@
claudio [Sun, 21 Jun 2015 12:11:13 +0000 (12:11 +0000)]
There is no need to include sys/ucred.h. Only sys/file.h is needed for the
DTYPE defines.
millert [Sun, 21 Jun 2015 03:20:56 +0000 (03:20 +0000)]
Just return if nmemb is 0. Avoids a NULL dereference and is
consistent with the behavior of the other libc sort functions.
OK deraadt@
deraadt [Sun, 21 Jun 2015 00:15:12 +0000 (00:15 +0000)]
memory leak on failure; from Maxime Villard
kettenis [Sat, 20 Jun 2015 20:20:08 +0000 (20:20 +0000)]
Fix a bug that causes uvm_pmr_get1page() to fail for allocations that
specify an address constraint even when free pages that meet the constraint
are still available. This happens because the old code was using the root
of the size tree as a starting point for a search down the address tree.
This meant only part of the address tree was searched, and that part could
very well not contain any of the pages that met the constraint. Instead,
always walk the address tree from its root if the list of single pages is
empty and the root of the size tree doesn't meet our constraints.
From Visa Hankala.
ok deraadt@
doug [Sat, 20 Jun 2015 18:19:56 +0000 (18:19 +0000)]
Convert ssl3_get_new_session_ticket to CBS.
tweak + ok miod@ jsing@
doug [Sat, 20 Jun 2015 17:04:07 +0000 (17:04 +0000)]
Convert ssl3_get_next_proto to CBS.
tweak + ok miod@ jsing@
doug [Sat, 20 Jun 2015 16:42:48 +0000 (16:42 +0000)]
Convert ssl_parse_serverhello_renegotiate_ext to CBS.
ok miod@ jsing@
jsing [Sat, 20 Jun 2015 14:24:49 +0000 (14:24 +0000)]
Handle NIST curve names in openssl(1) ecparam.
From OpenSSL.
jsing [Sat, 20 Jun 2015 14:19:39 +0000 (14:19 +0000)]
Handle NIST curve names.
From OpenSSL.
ok miod@ (a while ago)
jsing [Sat, 20 Jun 2015 14:17:07 +0000 (14:17 +0000)]
Have ECPKParameters_print() include the NIST curve name, if known.
From OpenSSL.
ok miod@ (a while ago).
jsing [Sat, 20 Jun 2015 13:51:52 +0000 (13:51 +0000)]
Less mdc2.
jsing [Sat, 20 Jun 2015 13:26:08 +0000 (13:26 +0000)]
Provide EC_curve_nid2nist() and EC_curve_nist2nid().
From OpenSSL.
Rides libcrypto bump.
ok miod@ (a while ago)
jsing [Sat, 20 Jun 2015 12:29:39 +0000 (12:29 +0000)]
Make SSL_OP_ALL readable.
ok deraadt@ doug@ millert@ miod@ sthen@
jsing [Sat, 20 Jun 2015 12:01:54 +0000 (12:01 +0000)]
Put CRYPTO_memcmp() under #ifndef LIBRESSL_INTERNAL.
ok doug@ deraadt@
jsing [Sat, 20 Jun 2015 12:01:14 +0000 (12:01 +0000)]
Replace remaining CRYPTO_memcmp() calls with timingsafe_memcmp().
ok doug@ deraadt@
mpi [Sat, 20 Jun 2015 11:35:27 +0000 (11:35 +0000)]
Only match devices with a valid configuration.
ok uaa@
jca [Sat, 20 Jun 2015 10:57:42 +0000 (10:57 +0000)]
sort +0n -> sort -n, the former is historical
doug [Sat, 20 Jun 2015 04:04:35 +0000 (04:04 +0000)]
Convert ssl_parse_clienthello_renegotiate_ext to CBS.
ok miod@, tweak + ok jsing@
deraadt [Sat, 20 Jun 2015 01:45:17 +0000 (01:45 +0000)]
sync
doug [Sat, 20 Jun 2015 01:21:51 +0000 (01:21 +0000)]
Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.
Suggested by jsing@.
ok jsing@ miod@
jca [Sat, 20 Jun 2015 01:17:34 +0000 (01:17 +0000)]
Bump major after {,asr_}print_sockaddr() renaming.
doug [Sat, 20 Jun 2015 01:17:27 +0000 (01:17 +0000)]
Fix warning on vax due to old gcc.
Old gcc warns when parameters have the same names as functions. Noticed
by deraadt@.
ok deraadt@ jsing@
jca [Sat, 20 Jun 2015 01:16:25 +0000 (01:16 +0000)]
Rename print_sockaddr() to avoid symbol visibility problems
print_sockaddr is internal to asr, and conflicts with ports/net/samba4.
ok eric@
doug [Sat, 20 Jun 2015 01:09:31 +0000 (01:09 +0000)]
Crank major for libcrypto, ssl and tls due to MDC-2DES removal.
ok miod@ jsing@
doug [Sat, 20 Jun 2015 01:07:24 +0000 (01:07 +0000)]
Remove obsolete MDC-2DES from libcrypto.
ok deraadt@ jsing@ miod@
jca [Fri, 19 Jun 2015 23:54:15 +0000 (23:54 +0000)]
Tweak whitespace and remove dangling, unneeded "else".
No functional change.
jmatthew [Fri, 19 Jun 2015 23:17:59 +0000 (23:17 +0000)]
remove a bit more isp(4), from brad
jmatthew [Fri, 19 Jun 2015 23:07:04 +0000 (23:07 +0000)]
isp(4) man page needs to go too, pointed out by jmc@
uaa [Fri, 19 Jun 2015 20:39:34 +0000 (20:39 +0000)]
Only match devices with a valid configuration.
ok by mpi@
millert [Fri, 19 Jun 2015 18:41:53 +0000 (18:41 +0000)]
Remove needless casts. There's no reason to cast delim to char *
when we can just make spanp const char * to match it. OK deraadt@
deraadt [Fri, 19 Jun 2015 15:57:11 +0000 (15:57 +0000)]
sync
jsing [Fri, 19 Jun 2015 15:06:51 +0000 (15:06 +0000)]
Add missing message digests to function table.
Diff from kinichiro via github.
ok doug@
phessler [Fri, 19 Jun 2015 14:54:12 +0000 (14:54 +0000)]
show the number of (currently) known prefixes and the max-prefix limit,
when we terminate the session.
since we terminate the session as soon as we go above the limit, show
'>' since there may be more that we haven't/won't process.
OK benno@
naddy [Fri, 19 Jun 2015 12:15:38 +0000 (12:15 +0000)]
add 5.9 packages key
jmatthew [Fri, 19 Jun 2015 11:12:24 +0000 (11:12 +0000)]
remove isp(4) now that the ql* family have replaced it
bcook [Fri, 19 Jun 2015 07:18:58 +0000 (07:18 +0000)]
Remove fallback dynamic engine loading support.
Since we no longer have dynamic engines, don't bother falling back to them
if a builtin engine is not found first.
Before:
$ openssl dgst -engine unknown
invalid engine "unknown"
27256010481532:error:
2606A074:engine routines:ENGINE_by_id:no such
engine:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/engine/eng_list.c:384:id=unknown
27256010481532:error:
2606A074:engine routines:ENGINE_by_id:no such
engine:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/engine/eng_list.c:384:id=dynamic
After:
$ openssl dgst -engine unknown
invalid engine "unknown"
27256010481532:error:
2606A074:engine routines:ENGINE_by_id:no such
engine:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/engine/eng_list.c:384:id=unknown
ok doug@
bcook [Fri, 19 Jun 2015 06:32:43 +0000 (06:32 +0000)]
Return the failing engine ID in the error stack.
Noted by doug@ in an earlier revision of the dynamic engine removal patch, but
I had forgotten to include it in the latest version.
bcook [Fri, 19 Jun 2015 06:20:11 +0000 (06:20 +0000)]
Add standard headers, C++ support to tls.h.
This makes using libtls easier to include by including dependent headers,
making something like this work as expected:
#include <iostream>
#include <tls.h>
int main()
{
std::cout << "tls_init: " << tls_init() << "\n";
}
This also makes building a standalone libtls-portable simpler.
ok doug@, jsing@
bcook [Fri, 19 Jun 2015 06:05:11 +0000 (06:05 +0000)]
Disable ENGINE_load_dynamic (dynamic engine support).
We do not build, test or ship any dynamic engines, so we can remove the dynamic
engine loader as well. This leaves a stub initialization function in its place.
ok beck@, reyk@, miod@
deraadt [Fri, 19 Jun 2015 05:51:01 +0000 (05:51 +0000)]
sync
doug [Fri, 19 Jun 2015 01:38:54 +0000 (01:38 +0000)]
Convert tls1_alpn_handle_client_hello() to CBS.
tweak + ok miod@ jsing@
doug [Fri, 19 Jun 2015 00:23:36 +0000 (00:23 +0000)]
Add CBS_dup() to initialize a new CBS with the same values.
This is useful for when you need to check the data ahead and then continue
on from the same spot.
input + ok jsing@ miod@
nicm [Thu, 18 Jun 2015 23:56:01 +0000 (23:56 +0000)]
Use the SRCDST define for usage.
nicm [Thu, 18 Jun 2015 23:55:24 +0000 (23:55 +0000)]
Use xsnprintf.
nicm [Thu, 18 Jun 2015 23:53:56 +0000 (23:53 +0000)]
Remove a stray : and tweak paragraph.
doug [Thu, 18 Jun 2015 23:25:07 +0000 (23:25 +0000)]
Extend the input types for CBB_add_*() to help catch bugs.
While the previous types were correct, they can silently accept bad data
via truncation or signed conversion. We now take size_t as input for
CBB_add_u*() and do a range check.
discussed with deraadt@
input + ok jsing@ miod@
doug [Thu, 18 Jun 2015 22:51:05 +0000 (22:51 +0000)]
Remove Microsoft Server Gated Crypto.
Another relic due to the old US crypto policy.
From OpenSSL commit
63eab8a620944a990ab3985620966ccd9f48d681 and
95275599399e277e71d064790a1f828a99fc661a.
ok jsing@ miod@
doug [Thu, 18 Jun 2015 22:30:47 +0000 (22:30 +0000)]
Change DTLS client cert request code to match TLS.
DTLS currently doesn't check whether a client cert is expected. This
change makes the logic in dtls1_accept() match that from ssl3_accept().
From OpenSSL commit
c8d710dc5f83d69d802f941a4cc5895eb5fe3d65
input + ok jsing@ miod@
miod [Thu, 18 Jun 2015 21:45:00 +0000 (21:45 +0000)]
I'm afraid it will be a sunday.
sthen [Thu, 18 Jun 2015 20:56:33 +0000 (20:56 +0000)]
add 5.9 firmware key
naddy [Thu, 18 Jun 2015 20:02:57 +0000 (20:02 +0000)]
For unsupported sample formats, don't return EINVAL but set the closest
available format. ok ratchov@
martynas [Thu, 18 Jun 2015 20:01:47 +0000 (20:01 +0000)]
Fix stack shuffle such that sj includes si and the last element actually
gets a chance to be reordered.
jmc [Thu, 18 Jun 2015 11:38:41 +0000 (11:38 +0000)]
spelling fixes from theo buehler;
jsg [Thu, 18 Jun 2015 10:47:44 +0000 (10:47 +0000)]
CP2110 is handled by uslhcom not uslcom
mpi [Thu, 18 Jun 2015 10:02:49 +0000 (10:02 +0000)]
Only match devices with a valid configuration.
Tested by jsg@
mpi [Thu, 18 Jun 2015 09:47:16 +0000 (09:47 +0000)]
Only match devices with a valid configuration.
mpi [Thu, 18 Jun 2015 09:28:54 +0000 (09:28 +0000)]
Only match devices with a valid configuration.
Most of the WiFi/Ethernet USB adapter only have one configuration and always
use its first interface. In order to improve USB descriptors parsing start
by reducing the number of places where a configuration is set.
Tested by jsg@
deraadt [Thu, 18 Jun 2015 00:14:42 +0000 (00:14 +0000)]
sync
deraadt [Wed, 17 Jun 2015 22:35:08 +0000 (22:35 +0000)]
my keyboard is conspiring against me
deraadt [Wed, 17 Jun 2015 22:32:08 +0000 (22:32 +0000)]
crank to 5.8-beta
nicm [Wed, 17 Jun 2015 20:50:10 +0000 (20:50 +0000)]
Use strdup in xstrdup; from Fritjof Bornebusch.
jcs [Wed, 17 Jun 2015 20:39:47 +0000 (20:39 +0000)]
when no fingers are down, send 0 for z
fixes tap-to-click
jcs [Wed, 17 Jun 2015 20:38:15 +0000 (20:38 +0000)]
fix compilation with UBCMTP_DEBUG
nicm [Wed, 17 Jun 2015 19:56:08 +0000 (19:56 +0000)]
Change break-pane to take target and source panes (-t and -s) in line
with other commands, from Thomas Adam.
deraadt [Wed, 17 Jun 2015 19:52:18 +0000 (19:52 +0000)]
move to 5.8-beta. This is a bit earlier than normal...
nicm [Wed, 17 Jun 2015 18:51:11 +0000 (18:51 +0000)]
Use strdup in xstrdup from Fritjof Bornebusch. While here, remove xfree
which is unused.
miod [Wed, 17 Jun 2015 17:15:07 +0000 (17:15 +0000)]
Make kernel text read-only and unreadable from userland, and remove the bogus
comment about the emulation code requiring kernel text to be readable from
userland.
Add a few DIAGNOSTIC checks for rogue ptes passed to rmpage().
Make sure the pte extent operations and update_pcbs() run at >= IPL_SCHED.
nicm [Wed, 17 Jun 2015 17:02:15 +0000 (17:02 +0000)]
Break cmdq_continue inner loop into a helper function.
nicm [Wed, 17 Jun 2015 16:50:28 +0000 (16:50 +0000)]
Move the shuffle code from new-window -a into a function and add a -a
flag for move-window too. From Thomas Adam.
nicm [Wed, 17 Jun 2015 16:44:49 +0000 (16:44 +0000)]
Use an explicit job state instead of avoid closing our side of the
socketpair and setting it to -1 to mark when the other side is
closed. This avoids closing it while the libevent bufferevent still has
it (it could try to add it to the polled set which some mechanisms don't
like). Fixes part a problem reported by Bruno Sutic.
sthen [Wed, 17 Jun 2015 15:06:28 +0000 (15:06 +0000)]
add DST Root CA X3 certificate, already present in most browser cert stores.
"O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing
the issuing intermediates for letsencrypt.org so is expected to be important
for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
jsing [Wed, 17 Jun 2015 14:30:39 +0000 (14:30 +0000)]
Clean up alert codes and add references.
jsing [Wed, 17 Jun 2015 14:27:56 +0000 (14:27 +0000)]
Keep alerts sorted by alert code.
jsing [Wed, 17 Jun 2015 14:14:20 +0000 (14:14 +0000)]
Remove pointless comments.
mpi [Wed, 17 Jun 2015 08:31:55 +0000 (08:31 +0000)]
Four new sensors, from David Higgs.
nicm [Wed, 17 Jun 2015 08:13:31 +0000 (08:13 +0000)]
Remove NULL check before free; Fritjof Bornebusch.
doug [Wed, 17 Jun 2015 07:52:22 +0000 (07:52 +0000)]
Convert ssl_next_proto_validate to CBS.
ok miod@, tweak + ok jsing@
ajacoutot [Wed, 17 Jun 2015 07:50:38 +0000 (07:50 +0000)]
Really make daemon_class read-only; it's set to "daemon" of a matching
login class.
doug [Wed, 17 Jun 2015 07:36:30 +0000 (07:36 +0000)]
Convert tls1_check_curve to CBS.
ok miod@ jsing@
doug [Wed, 17 Jun 2015 07:29:33 +0000 (07:29 +0000)]
KNF whitespace.
ok miod@ jsing@
doug [Wed, 17 Jun 2015 07:25:56 +0000 (07:25 +0000)]
Use explicit int in bs_cbs.c.
ok miod@ jsing@
doug [Wed, 17 Jun 2015 07:20:39 +0000 (07:20 +0000)]
Use explicit int in bs_ber.c.
ok miod@ jsing@
doug [Wed, 17 Jun 2015 07:15:52 +0000 (07:15 +0000)]
Add tests for CBS_offset() and CBS_write_bytes().
"no problem" miod@, tweak + ok jsing@
doug [Wed, 17 Jun 2015 07:06:22 +0000 (07:06 +0000)]
Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.
This is a common operation when dealing with CBS.
ok miod@ jsing@
doug [Wed, 17 Jun 2015 07:00:22 +0000 (07:00 +0000)]
Add a new function CBS_offset() to report the current offset in the data.
"why not" miod@, sure jsing@
doug [Wed, 17 Jun 2015 06:49:27 +0000 (06:49 +0000)]
Cleanup SSL_OP_* compat flags in ssl.h.
These were recently removed and are now set to 0:
SSL_OP_NETSCAPE_CA_DN_BUG
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
SSL_OP_SSLEAY_080_CLIENT_DH_BUG
The code associated with these was deleted in the past at some point
and these are also now 0:
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
SSL_OP_EPHEMERAL_RSA
SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
The SSL_OP_ALL macro has been updated to reflect the removals.
ok miod@ jsing@
mpi [Wed, 17 Jun 2015 06:24:46 +0000 (06:24 +0000)]
Move mbuf_list and mbuf_queue documentation in their own manual.
ok jmc@, deraadt@, dlg@
deraadt [Wed, 17 Jun 2015 03:59:12 +0000 (03:59 +0000)]
stray char jumped in
deraadt [Wed, 17 Jun 2015 03:49:29 +0000 (03:49 +0000)]
delete completely bogus (floating? was there an old variable decl
in the past?) comment about FILEC
noted by Peter Brottveit Bock
deraadt [Wed, 17 Jun 2015 03:48:21 +0000 (03:48 +0000)]
remove -DFILEC; code does not compile for the -UFILEC case, and anyways,
who wants csh without FILEC??
from Peter Brottveit Bock, but redone using unifdef
uebayasi [Wed, 17 Jun 2015 03:04:50 +0000 (03:04 +0000)]
Set FUNC symbol sizes of auto-generated and hand-written syscall wrappers.
Original diff from guenther@, adjusted by me.
OK guenther@
miod [Tue, 16 Jun 2015 20:30:24 +0000 (20:30 +0000)]
Typos in comments; Ville Valkonen
miod [Tue, 16 Jun 2015 20:25:35 +0000 (20:25 +0000)]
Do not provide extra _fdata and __data_start symbols; nothing in the non-mips32
world uses them.