openbsd
guenther [Sat, 9 Aug 2014 22:32:08 +0000 (22:32 +0000)]
bfd-in2.h is generated from this; merge back a change that was made there

halex [Sat, 9 Aug 2014 21:51:29 +0000 (21:51 +0000)]
After a cleanup by deraadt I noticed the four-space-indent had started
infesting the scripts. As we generally use a single tab for line
continuation indent in the scripts, let's reclaim 30 precious bytes!

ok rpe@ krw@

guenther [Sat, 9 Aug 2014 20:08:44 +0000 (20:08 +0000)]
Fix readelf --debug-dump=frames-interp output: once a register is given
a column, it needs to be included in all rows, even after the register is
restored.

ok jsg@

jmc [Sat, 9 Aug 2014 16:39:25 +0000 (16:39 +0000)]
less chatty; ok ajacoutot

schwarze [Sat, 9 Aug 2014 14:24:49 +0000 (14:24 +0000)]
mmap(2) requires MAP_PRIVATE ^ MAP_SHARED for flags;
found by kristaps@ on Mac OS X

ajacoutot [Sat, 9 Aug 2014 12:46:51 +0000 (12:46 +0000)]
Extend comment.

ajacoutot [Sat, 9 Aug 2014 12:45:03 +0000 (12:45 +0000)]
Initial support for handling configuration files from packages
(aka @sample) -- `sysmerge -p`
Work done at g2k14.
Committing early so we have plenty of time for testing.

with help from espie@
thanks to landry@ for feedback on initial testing

ajacoutot [Sat, 9 Aug 2014 12:34:05 +0000 (12:34 +0000)]
sysctl.conf is an example.
Tweak error output.
Mention that `-S' has no effect when sets aren't used.

mpi [Sat, 9 Aug 2014 10:32:36 +0000 (10:32 +0000)]
Add support for non-root hubs now that uhub(4) can deal with them.  For
the moment only Super and High Speed devices are properly recognized.

Some TT love is required for Full and Low speed devices.

mpi [Sat, 9 Aug 2014 09:58:11 +0000 (09:58 +0000)]
Correctly recognize Super Speed devices, this is part of the work to
be able to use USB 3.0 devices behind an external hub.

This is a bit tricky because the SS status uses a different power bit
that maps to the Low speed one.  So no longer accept devices without
power bit and fall back to the parent hub's speed in case the status
does not report any particular speed.

Note that xhci(4) root hubs still set the traditional UPS_PORT_POWER
bit with the correct device speed.

mpi [Sat, 9 Aug 2014 09:48:32 +0000 (09:48 +0000)]
Handle super speed hub descriptors.

mpi [Sat, 9 Aug 2014 09:45:14 +0000 (09:45 +0000)]
Do not store the whole USB hub descriptor in the "struct usbd_hub"
to help integrating super speed hubs that use a different descriptor.

jmc [Sat, 9 Aug 2014 09:07:14 +0000 (09:07 +0000)]
some minor tweaks;

jmc [Sat, 9 Aug 2014 08:54:03 +0000 (08:54 +0000)]
sort "prefork", and remove a useless macro;

jmc [Sat, 9 Aug 2014 08:49:48 +0000 (08:49 +0000)]
basic cleanup;

reyk [Sat, 9 Aug 2014 07:35:45 +0000 (07:35 +0000)]
Allow to include the types section anywhere in the configuration file.

Found by chris@
OK doug@

nicm [Sat, 9 Aug 2014 07:33:37 +0000 (07:33 +0000)]
Remove support for the continuous reporting "any" mouse mode which never
really worked properly and is rarely used.

guenther [Sat, 9 Aug 2014 05:52:43 +0000 (05:52 +0000)]
Backport from 2.17: mark the _GLOBAL_OFFSET_TABLE_, _DYNAMIC, and
_PROCEDURE_LINKAGE_TABLE_ symbols as (at least) hidden.

guenther [Sat, 9 Aug 2014 04:59:02 +0000 (04:59 +0000)]
Backport from binutils-2.17 the correct i386/amd64 register->int assignments
for CFI.  This changes the unwind information generated on amd64.

guenther [Sat, 9 Aug 2014 04:49:47 +0000 (04:49 +0000)]
We don't use the __openbsd_randomdata_{start,end} symbols, but rather
get that info via the PT_OPENBSD_RANDOM segment info, so kill the symbols
While here, delete the commented out lines for __DYNAMIC as the question
they ask is answered 'no'

ok matthew@ back in May

guenther [Sat, 9 Aug 2014 04:35:17 +0000 (04:35 +0000)]
Match format width of symbol visibility to the column header
This corrects the alignment of the columns of hidden symbols

guenther [Sat, 9 Aug 2014 03:29:35 +0000 (03:29 +0000)]
Only need <stdint.h> and not <inttypes.h> here

jmc [Fri, 8 Aug 2014 20:51:43 +0000 (20:51 +0000)]
update currency exchange rates;

jmc [Fri, 8 Aug 2014 20:50:28 +0000 (20:50 +0000)]
some basic fixes;

jmc [Fri, 8 Aug 2014 20:49:38 +0000 (20:49 +0000)]
zap trailing whitespace;

reyk [Fri, 8 Aug 2014 18:29:42 +0000 (18:29 +0000)]
When opening directories, re-match the location after the index file
has been appended.  This allows to use a fastcgi target as the default
index, for example index.php.

OK florian@

reyk [Fri, 8 Aug 2014 18:26:50 +0000 (18:26 +0000)]
No events were added for DNS UDP so it stopped working after the first
request.  Additionally, the DNS code tried to use an invalid timeout.

Fix from mm@freebsd.org
Reported by Johan Schuijt

schwarze [Fri, 8 Aug 2014 17:36:21 +0000 (17:36 +0000)]
Absurdly, the return value of sqlite3_column_text()
is "const unsigned char *", which causes warnings with GCC on Linux.
Explicitly cast to "const char *" to avoid this.
Issue noticed by kristaps@.

schwarze [Fri, 8 Aug 2014 17:17:42 +0000 (17:17 +0000)]
mansearch.h uses uint64_t, so it needs stdint.h; found on Linux

ajacoutot [Fri, 8 Aug 2014 17:04:55 +0000 (17:04 +0000)]
Drop some useless verbiage.
sysctl.conf is an example now.

jsg [Fri, 8 Aug 2014 16:41:16 +0000 (16:41 +0000)]
drm/radeon: fix typo in radeon_connector_is_dp12_capable()

From Alex Deucher
94dfc49785ea1acc1dd2c086ffd8d61ea3a5ee8f in ubuntu 3.8
af5d36539dfe043f1cf0f8b7334d6bb12cd14e75 in mainline linux

ajacoutot [Fri, 8 Aug 2014 16:38:25 +0000 (16:38 +0000)]
Tweak verbiage.

jsg [Fri, 8 Aug 2014 16:38:23 +0000 (16:38 +0000)]
drm/radeon/dp: fix lane/clock setup for dp 1.2 capable devices

From Alex Deucher
c9a1adc31f78a30f33c591b61171f02d13a5b1a7 in ubuntu 3.8
3b6d9fd23e015b5397c438fd3cd74147d2c805b6 in mainline linux

jsg [Fri, 8 Aug 2014 16:35:56 +0000 (16:35 +0000)]
drm/radeon/atom: fix dithering on certain panels

From Alex Deucher
9102ef0d290f01247918f5a519d8fa4a96eaf370 in ubuntu 3.8
642528355c694f5ed68f6bff9ff520326a249f99 in mainline linux

jsg [Fri, 8 Aug 2014 16:33:27 +0000 (16:33 +0000)]
drm/radeon: only apply hdmi bpc pll flags when encoder mode is hdmi

From Alex Deucher
85cdd5e933c0f9fe3262067e707eed565db46378 in ubuntu 3.8
7d5ab3009a8ca777174f6f469277b3922d56fd4b in mainline linux

schwarze [Fri, 8 Aug 2014 16:32:17 +0000 (16:32 +0000)]
some corrections and improvements with respect to prologue macros;
found while working on mandoc(1) messages

schwarze [Fri, 8 Aug 2014 16:25:15 +0000 (16:25 +0000)]
Remove redundant verbiage in the style of "a file is a file,
a line is a line, a column is a column"; suggested by jmc@

schwarze [Fri, 8 Aug 2014 16:17:09 +0000 (16:17 +0000)]
Bring the handling of defective prologues even closer to groff,
in particular relaxing the distinction between prologue and body
and further improving messages.
* The last .Dd wins and the last .Os wins, even in the body.
* The last .Dt before the first body macro wins.
* Missing title in .Dt defaults to UNTITLED.  Warn about it.
* Missing section in .Dt does not default to 1.  But warn about it.
* Do not warn multiple times about the same mdoc(7) prologue macro.
* Warn about missing .Os.
* Incomplete .TH defaults to empty strings.  Warn about it.

schwarze [Fri, 8 Aug 2014 16:11:10 +0000 (16:11 +0000)]
Simplify by allowing only one post-handler.
Saves 36 static arrays and 10 lines of code
at the expense of only five new trivial static functions.
No functional change.

schwarze [Fri, 8 Aug 2014 16:08:19 +0000 (16:08 +0000)]
Simplify by allowing only one pre-handler.
Saves 12 static arrays and 19 lines of code.
No functional change.

schwarze [Fri, 8 Aug 2014 16:05:42 +0000 (16:05 +0000)]
Simplify man(7) validation:
Drop pre-handlers, they were almost unused.
Drop the needless complexity of allowing more than one post-handler.

This saves one internal interface function, one static function, one
private struct definition, sixteen static arrays, and 45 lines of code.
No functional change.

jsg [Fri, 8 Aug 2014 16:03:08 +0000 (16:03 +0000)]
regen

schwarze [Fri, 8 Aug 2014 16:02:55 +0000 (16:02 +0000)]
Fix floating point handling: When converting double to size_t,
properly round to the nearest M (=0.001m), which is the smallest
available unit.

This avoids weirdness like (size_t)(0.6 * 10.0) == 5
by instead calculating (size_t)(0.6 * 10.0 + 0.0005) == 6,
and so it fixes the indentation of the readline(3) manual.

jsg [Fri, 8 Aug 2014 16:02:03 +0000 (16:02 +0000)]
add bochs and microsoft emulated vga

schwarze [Fri, 8 Aug 2014 16:00:23 +0000 (16:00 +0000)]
Clarity with respect to floating point handling:
Write double constants as double rather than integer literals.
Remove useless explicit (double) cast done at one place and nowhere else.
No functional change.

schwarze [Fri, 8 Aug 2014 15:57:05 +0000 (15:57 +0000)]
demacrify: get rid of man_nmsg(), man_pmsg(), mdoc_nmsg(), mdoc_pmsg()

schwarze [Fri, 8 Aug 2014 15:54:10 +0000 (15:54 +0000)]
mention requests and macros in more messages

schwarze [Fri, 8 Aug 2014 15:48:43 +0000 (15:48 +0000)]
Dynamically allocate the stack of roff(7) .ie condition values
and thus get rid of the last useless fatal error.

reyk [Fri, 8 Aug 2014 15:46:01 +0000 (15:46 +0000)]
Allow to serve empty (0 bytes) files.

Found by jasper@
OK florian@

schwarze [Fri, 8 Aug 2014 15:45:58 +0000 (15:45 +0000)]
Split MANDOCERR_IGNARGV into one message for .An and one for .Bl
and report the macro name and argument.

schwarze [Fri, 8 Aug 2014 15:42:39 +0000 (15:42 +0000)]
In .Bl -column, if some of the column width declarations are given
right after the -column argument and some at the very end of the
argument list, after some other arguments like -compact, concatenate
the column lists.
This gets rid of one of the last useless FATAL errors
and actually shortens the code by a few lines.

This fixes an issue introduced more than five years ago, at first
causing an assert() since bsd.lv mdoc_action.c rev. 1.14 (June 17, 2009),
then later a FATAL error since mdoc_validate rev. 1.130 (Nov. 30, 2010),
and marked as "TODO" ever since.

schwarze [Fri, 8 Aug 2014 15:38:46 +0000 (15:38 +0000)]
Remove the useless FATAL error "argument count wrong, violates syntax".
The last remaining instance was .It in .Bl -column with more than one
excessive .Ta.  However, simply downgrading from FATAL to ERROR, it just
works fine, almost the same way as in groff, without any other changes.

schwarze [Fri, 8 Aug 2014 15:35:31 +0000 (15:35 +0000)]
Improve handling of next-line scope broken by end of file.
Detect the condition earlier, report in the error message
which block is broken, and delete the broken block.
Consequently, empty section headers can no longer happen.

schwarze [Fri, 8 Aug 2014 15:32:17 +0000 (15:32 +0000)]
Simplify: replace one global flag by one local variable
and remove three unused global flags.  No functional change.

schwarze [Fri, 8 Aug 2014 15:26:28 +0000 (15:26 +0000)]
Get rid of the useless FATAL error "child violates parent syntax".
When finding items outside lists, simply skip them and throw an ERROR.
Handle subsections before the first section instead of bailing out.

schwarze [Fri, 8 Aug 2014 15:21:17 +0000 (15:21 +0000)]
Remove two useless FATAL errors.
When a file contains neither text nor macros, treat it as an empty document.
When the mdoc(7) document prologue is incomplete, use some default values.

jasper [Fri, 8 Aug 2014 15:16:39 +0000 (15:16 +0000)]
use nitems() instead of various local constructs

ok stsp@

schwarze [Fri, 8 Aug 2014 15:15:27 +0000 (15:15 +0000)]
better name and wording for the last two non-generic errors

schwarze [Fri, 8 Aug 2014 15:10:14 +0000 (15:10 +0000)]
Various improvements related to .Ex and .Rv:
* let .Nm fall back to the empty string, not to UNKNOWN
* never let .Rv copy an argument from .Nm
* avoid spurious \fR after empty .Nm in -Tman
* correct handling of .Ex and .Rv in -Tman
* correct the wording of the output for .Rv without arguments
* use non-breaking spaces in .Ex and .Rv output where required
* split MANDOCERR_NONAME into a warning for .Ex and an error for .Nm

schwarze [Fri, 8 Aug 2014 15:03:24 +0000 (15:03 +0000)]
Partial implementation of .Bd -centered.

In groff, .Bd -centered operates in fill mode, which is relatively
hard to implement, while this implementation operates in non-fill
mode so far.  As long as you pay attention that your lines do not
overflow, it works.  To make sure that rendering is the same for
mandoc and groff, it is recommended to insert .br between lines
for now.  This implementation will need improvement later.

schwarze [Fri, 8 Aug 2014 14:52:53 +0000 (14:52 +0000)]
* consistently use semantic mdoc(7) macros
* add HISTORY and AUTHORS
* some mdoc(7) style fixes
* some wording fixes and avoid stray future tense
feedback and ok rpe@ jmc@, ok jasper@

mpi [Fri, 8 Aug 2014 14:34:11 +0000 (14:34 +0000)]
Make sure asynchronous commands do not race with synchronous ones.

Since asynchronous commands can be submitted from interrupt context
it was possible to race with a process waiting for the completion of
a previously submitted command.  So stop relying on the per-softc
TRB pointer for asynchronous commands and simply get the address of
the command TRB from the event TRB.

mpi [Fri, 8 Aug 2014 14:28:02 +0000 (14:28 +0000)]
Improve the logic to determine the maximum endpoint service interface
time payload.  Super speed companion descriptors are still not used but
at least we can properly initialize super speed interrupt pipes.

mpi [Fri, 8 Aug 2014 14:22:45 +0000 (14:22 +0000)]
Implement polling.

mpi [Fri, 8 Aug 2014 14:20:05 +0000 (14:20 +0000)]
Super Speed hub descriptor definition and routine, required for upcoming
external USB 3.0 hub support.

mpi [Fri, 8 Aug 2014 14:17:52 +0000 (14:17 +0000)]
Even if the endpoint is reset before the stack gets informed that a
transfer stalled, report that a stall happened because umass(4) relies
on this behavior...

mpi [Fri, 8 Aug 2014 14:16:43 +0000 (14:16 +0000)]
Fix debug printfs.

jsg [Fri, 8 Aug 2014 12:40:26 +0000 (12:40 +0000)]
Add support for using - as shorthand for stdin/stdout in tradcpp.

When looking into switching the /usr/bin/cpp wrapper to
tradcpp I came across "| ${CPP} ${CPPFLAGS} -" in usr.bin/which.

gcc documents this behaviour for cpp here:
https://gcc.gnu.org/onlinedocs/cpp/Invocation.html

Versions of the John F. Reiser derived cpp in 32V and CSRG SCCS
accept this usage as well, as does the cpp in PCC.

guenther [Fri, 8 Aug 2014 05:06:56 +0000 (05:06 +0000)]
Fix CVE-2014-3507, avoid allocating and then leaking a fresh fragment
structure when a zero-length fragment is received.

Based on
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74

diff by miod@, ok guenther@ bcook@ deraadt@

guenther [Fri, 8 Aug 2014 04:53:43 +0000 (04:53 +0000)]
Fix CVE-2014-3508, pretty printing and OID validation:
 - make sure the output buffer is always NUL terminated if buf_len
   was initially greater than zero.
 - reject OIDs that are too long, too short, or not in proper base-127

Based on
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87

ok bcook@

guenther [Thu, 7 Aug 2014 22:27:28 +0000 (22:27 +0000)]
Correct test reversed during merge of fix for CVE-2014-3509

pointed out by Watson Ladd (watson (at) matasano.com)
ok deraadt@

guenther [Thu, 7 Aug 2014 20:24:12 +0000 (20:24 +0000)]
Fix CVE-2014-3506, DTLS handshake message size checks.  From
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1250f12613b61758675848f6600ebd914ccd7636
with comment/whitespace style tweaks

ok bcook@ miod@

miod [Thu, 7 Aug 2014 20:02:23 +0000 (20:02 +0000)]
Oops, revert changes committed by mistake. The previous commit was supposed
to only apply to s23_srvr.c.

miod [Thu, 7 Aug 2014 19:46:31 +0000 (19:46 +0000)]
When you expect a function to return a particular value, don't put a comment
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@

lteo [Thu, 7 Aug 2014 19:03:38 +0000 (19:03 +0000)]
Bump example pubkey filenames to /etc/signify/openbsd-56-base.pub for
5.6.

ok deraadt@

reyk [Thu, 7 Aug 2014 18:21:13 +0000 (18:21 +0000)]
Fix and simplify the description of httpd(8)'s signal handling.  httpd
does not re-execute itself on SIGHUP, it simply reloads the
configuration and sends it to its child processes.

ok deraadt@

florian [Thu, 7 Aug 2014 12:43:22 +0000 (12:43 +0000)]
Don't try to output FCGI_STDERR into error.log if there is no data.
Problem noticed by naddy@, OK reyk@

florian [Thu, 7 Aug 2014 10:52:34 +0000 (10:52 +0000)]
Opportunistically try to parse "Status: $code" in the very first
response from the fcgi daemon and use that code as HTTP response
code. If it doesn't work out fall back to code 200.
This might fix naddy@'s issue with redirects in cvsweb.
To be revisited after unlock.
Discussed with & grudgingly OK reyk@

deraadt [Thu, 7 Aug 2014 06:56:41 +0000 (06:56 +0000)]
shorten signal text a bit

deraadt [Thu, 7 Aug 2014 04:49:53 +0000 (04:49 +0000)]
Fix CVE-2014-3511; TLS downgrade, verbatim diff
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=280b1f1ad12131defcd986676a8fc9717aaa601b
ok guenther miod

deraadt [Thu, 7 Aug 2014 01:24:10 +0000 (01:24 +0000)]
merge CVE-2014-3510; Fix DTLS anonymous EC(DH) denial of service
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=17160033765480453be0a41335fa6b833691c049
ok bcook

deraadt [Wed, 6 Aug 2014 23:16:16 +0000 (23:16 +0000)]
merge fix for CVE-2014-3509 -- basically a missing s->hit check; ok guenther

doug [Wed, 6 Aug 2014 22:33:08 +0000 (22:33 +0000)]
Mention how httpd responds to SIGHUP and SIGUSR1.

Description from reyk@

reyk [Wed, 6 Aug 2014 21:08:47 +0000 (21:08 +0000)]
Write STDERR from the CGI to the web server error log as intended.

OK florian@

florian [Wed, 6 Aug 2014 20:56:23 +0000 (20:56 +0000)]
If the very first fcgi STDOUT record has length 0 the cgi script
didn't send anything back. This is an internal server error.
OK reyk@

reyk [Wed, 6 Aug 2014 20:29:54 +0000 (20:29 +0000)]
Change grammar to remove a shift/reduce conflict that was introduced
with the ssl options.
"listen on $ip port 443 ssl" turns into "listen on $ip ssl port 443".

ok florian@

miod [Wed, 6 Aug 2014 20:11:09 +0000 (20:11 +0000)]
Prevent a possible use after free by mimicking the s3_srvr.c fixes contributed by
Adam Langley close to three years ago, which were committed in
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e7928282d0148af5f28fa3437a625a2006af0214

ok jsing@

guenther [Wed, 6 Aug 2014 19:31:30 +0000 (19:31 +0000)]
Support NOTE_EOF for kqueue EVFILT_READ filters on NFS files.

committing for jsg@,  ok reyk@ tedu@ guenther@

reyk [Wed, 6 Aug 2014 18:40:15 +0000 (18:40 +0000)]
Always zero-out the fcgi record header for STDIN data.

OK florian@

reyk [Wed, 6 Aug 2014 18:38:11 +0000 (18:38 +0000)]
Use memset(buf instead of memset(&buf.

Pointed out by deraadt@

reyk [Wed, 6 Aug 2014 18:21:14 +0000 (18:21 +0000)]
Limit the body size in client requests (eg. POST data) to 1M by default;
add a configuration option to change the limit.

ok florian@

jsing [Wed, 6 Aug 2014 16:31:09 +0000 (16:31 +0000)]
Document the SSL configuration for httpd (partly based on relayd.conf(5)).

ajacoutot [Wed, 6 Aug 2014 16:13:48 +0000 (16:13 +0000)]
sysctl machdep.ztsscale has been unused for 7 years, so stop handling it.
s/TAB/SPACE for the wsconsctl.conf comment like we do with sysctl.conf
in MI.

"get this in fast" deraadt@
ok ratchov@ who will test it in the next few hours

jsing [Wed, 6 Aug 2014 16:11:34 +0000 (16:11 +0000)]
Provide configuration options that allow the SSL certificate, key and
ciphers to be specified for each server.

ok deraadt@ reyk@

jsing [Wed, 6 Aug 2014 16:10:02 +0000 (16:10 +0000)]
Also clean up the public key when it is no longer needed.

ok deraadt@ reyk@

jsing [Wed, 6 Aug 2014 16:09:02 +0000 (16:09 +0000)]
Configure the default SSL ciphers as HIGH:!aNULL.

ok deraadt@ reyk@

jsing [Wed, 6 Aug 2014 16:01:44 +0000 (16:01 +0000)]
Allow B64_EOF to follow a base64 padding character. This restores previous
behaviour that allows a PEM block to be fed through the base64 decoder.

Reported by Dmitry Eremin-Solenikov on tech@

ok deraadt@ tedu@

jsg [Wed, 6 Aug 2014 15:40:40 +0000 (15:40 +0000)]
Correct some dma cleanup error paths.

While the index variables were correct the arrays of
dma handles they indexed were swapped for rx and tx.

As there are a mismatched number of rx and tx descriptors
we'd walk off the end of the rx handle array by 30 items.

ok deraadt@

jsg [Wed, 6 Aug 2014 15:15:16 +0000 (15:15 +0000)]
fix an off by one
ok deraadt@

florian [Wed, 6 Aug 2014 15:08:04 +0000 (15:08 +0000)]
http POST support
with & OK reyk@