tb [Sun, 18 Feb 2018 12:58:25 +0000 (12:58 +0000)]
Provide BIO_{g,s}et_data() and BIO_set_init().
ok jsing
tb [Sun, 18 Feb 2018 12:57:14 +0000 (12:57 +0000)]
Provide RSA_{g,s}et0_crt_params()
ok jsing
tb [Sun, 18 Feb 2018 12:55:32 +0000 (12:55 +0000)]
Use usual order of RSA_{g,s}et0_key().
ok jsing
tb [Sun, 18 Feb 2018 12:53:46 +0000 (12:53 +0000)]
Provide RSA_{g,s}et0_factors()
ok jsing
tb [Sun, 18 Feb 2018 12:52:13 +0000 (12:52 +0000)]
Provide RSA_bits()
ok jsing
tb [Sun, 18 Feb 2018 12:51:31 +0000 (12:51 +0000)]
Provide DH_set0_pqg.
ok jsing
tb [Sun, 18 Feb 2018 12:50:58 +0000 (12:50 +0000)]
Provide DSA_set0_pqg.
ok jsing
jmc [Sun, 18 Feb 2018 07:45:39 +0000 (07:45 +0000)]
document "machine video"; requested by tinker
while here, put "directory" in the right place
jmc [Sun, 18 Feb 2018 07:43:55 +0000 (07:43 +0000)]
document s_client -groups;
kn [Sun, 18 Feb 2018 01:50:04 +0000 (01:50 +0000)]
Simplify interface listing.
Discussed with tb, rpe, feedback from and OK halex.
pd [Sun, 18 Feb 2018 01:00:25 +0000 (01:00 +0000)]
vmd: fix vmctl pause for non existing vm ids (never returns)
check if vm id is valid before sending to vmm for pausing. The 'lock' is caused
by vmm sending back ENOENT for a non existent vm but vmd drops the message
because it doesn't recogize the vmid vmm is talking about. This is an artifact
of the 'policy' don't trust any imsg from a sibling priv sep process and do
your own checking.
reported by Abel Abraham Camarillo Ojeda
ok mlarkin@ and ccardenas@
rpe [Sun, 18 Feb 2018 00:43:16 +0000 (00:43 +0000)]
Create interfaces before processing the hostname.if file in ifstart().
This ensures, that IPv6 is configured for dynamically created network
interfaces like 'vlan' which would otherwise not yet exist at the time
parse_hn_line() checks for IPv6 capability of an interface before
applying the inet6 configuration from the hostname.if.
Found out, tested and OK naddy
schwarze [Sat, 17 Feb 2018 23:24:38 +0000 (23:24 +0000)]
In bio.h rev. 1.31 2018/02/17 13:57:14, tb@ provided new functions
BIO_meth_*(). Import the documentation from OpenSSL, with extensive
tweaks by me.
kettenis [Sat, 17 Feb 2018 22:33:00 +0000 (22:33 +0000)]
Rename memhook to vmmap to match other archs.
ok millert@
schwarze [Sat, 17 Feb 2018 19:14:16 +0000 (19:14 +0000)]
Remove a warning about the dangers of X509_VERIFY_PARAM_set1_name(3)
because jsing@ points out that this follows a (dangerous) general
pattern in the library, and mentioning that everywhere would become
repetitive.
rpe [Sat, 17 Feb 2018 19:05:41 +0000 (19:05 +0000)]
Since rev 1.543 of dhclient it sends the 'host-name' by default.
- remove the leftover _hn variable from dhcp_request()
- remove the "$_name" parameter when using dhcp_request() in v4_config()
- change comments of v{4,6}_config() to reflect the purpose of _name
OK krw tb
schwarze [Sat, 17 Feb 2018 18:44:36 +0000 (18:44 +0000)]
document LIBRESSL_VERSION_NUMBER and LIBRESSL_VERSION_TEXT
schwarze [Sat, 17 Feb 2018 18:00:59 +0000 (18:00 +0000)]
Document OpenSSL_version_num(3) and OpenSSL_version(3) that jsing@
recently provided. Many minor improvements while here, and delete
ridiculous text about MS Windows.
tb [Sat, 17 Feb 2018 17:55:32 +0000 (17:55 +0000)]
sync
schwarze [Sat, 17 Feb 2018 16:59:48 +0000 (16:59 +0000)]
Merge documentation for {DH,DSA}_get0_{key,pqg}(3),
EVP_PKEY_get0_{DH,DSA,RSA}(3), and RSA_{g,s}et0_key(3)
that tb@ just provided.
jsing [Sat, 17 Feb 2018 16:54:08 +0000 (16:54 +0000)]
Provide EVP_CIPHER_CTX_reset().
Rides previous minor bump.
jsing [Sat, 17 Feb 2018 15:52:48 +0000 (15:52 +0000)]
sync
jsing [Sat, 17 Feb 2018 15:51:29 +0000 (15:51 +0000)]
Bump libcrypto/libssl/libtls minors due to symbol additions.
jsing [Sat, 17 Feb 2018 15:50:42 +0000 (15:50 +0000)]
Provide X509_get0_extensions() and X509_get0_signature()
jsing [Sat, 17 Feb 2018 15:32:20 +0000 (15:32 +0000)]
Provide SSL_SESSION_get_master_key()
jsing [Sat, 17 Feb 2018 15:19:43 +0000 (15:19 +0000)]
Provide SSL_get_client_random() and SSL_get_server_random()
jsing [Sat, 17 Feb 2018 15:13:12 +0000 (15:13 +0000)]
Provide SSL_CTX_get0_certificate()
jsing [Sat, 17 Feb 2018 15:08:21 +0000 (15:08 +0000)]
Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().
jsing [Sat, 17 Feb 2018 14:55:31 +0000 (14:55 +0000)]
Provide EVP_MD_CTX_new(), EVP_MD_CTX_free() and EVP_MD_CTX_reset().
jsing [Sat, 17 Feb 2018 14:53:58 +0000 (14:53 +0000)]
Provide HMAC_CTX_new(), HMAC_CTX_free(), HMAC_CTX_reset() and
HMAC_CTX_get_md().
jsing [Sat, 17 Feb 2018 14:35:40 +0000 (14:35 +0000)]
s/DH/DSA/
tb [Sat, 17 Feb 2018 13:57:14 +0000 (13:57 +0000)]
Provide BIO_meth_{free,new}() and BIO_meth_set_{create,crtl,destroy}()
and BIO_meth_set_{puts,read,write}().
ok jsing
tb [Sat, 17 Feb 2018 13:47:35 +0000 (13:47 +0000)]
Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(),
EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key().
ok jsing
rpe [Sat, 17 Feb 2018 13:11:03 +0000 (13:11 +0000)]
- Add descriptions for the new functions ifcreate() and vifscreate()
- In ifcreate() use the exit code of the {} block directly
- In vifscreate(), use the ifconfig -C output directly in the for _vif loop
- Remove superfluous and somewhat confusing comment
OK dlg kn sthen
jsing [Sat, 17 Feb 2018 06:56:12 +0000 (06:56 +0000)]
Fix behaviour of OpenSSL_version().
The constant values do not map 1:1 to SSLeay_version(), so implement it
separately.
Issue noted by schwarze@
eric [Fri, 16 Feb 2018 20:57:30 +0000 (20:57 +0000)]
bump max line length to 16K for incoming mail.
SMTP commands are still limited to LINE_MAX.
ok gilles@
schwarze [Fri, 16 Feb 2018 18:48:55 +0000 (18:48 +0000)]
typo fix s/issuserAltName/issuerAltName/
from Andrew Siplas <andrew at asiplas dot net>
via OpenSSL commit
36cf10cf Oct 4 02:11:08 2017 -0400
schwarze [Fri, 16 Feb 2018 18:38:51 +0000 (18:38 +0000)]
Copy all function names from the SYNOPSIS to the NAME section because
i found another page containing an .Xr to one of the functions that
were not in the NAME section. This manual page is ugly either way;
just ugly is better than broken links in addition to ugly.
schwarze [Fri, 16 Feb 2018 18:21:57 +0000 (18:21 +0000)]
Merge OpenSSL commit
a8c5ed81 Jul 18 13:57:25 2017 -0400
from <xemdetia at 808inorganic dot com>.
Original commit message:
"Document default section and library configuration.
It is talked around but not explicitly stated in one part of the
documentation that you should put library configuration lines at the
start of the configuration file."
schwarze [Fri, 16 Feb 2018 17:54:23 +0000 (17:54 +0000)]
Add missing RETURN VALUES sections; from Paul Yang
via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800 tweaked by me.
schwarze [Fri, 16 Feb 2018 17:24:33 +0000 (17:24 +0000)]
Add missing RETURN VALUES sections; from Paul Yang
via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800, tweaked by me.
fcambus [Fri, 16 Feb 2018 14:42:29 +0000 (14:42 +0000)]
Add sizes for free() in the i386 version of the Enhanced SpeedStep driver.
It was already done on amd64, but not on i386. Tested on an Atom N270.
OK mpi@
nicm [Fri, 16 Feb 2018 09:51:41 +0000 (09:51 +0000)]
Reflowing the grid in-place involved way too much memmove() for a big
performance cost with a large history. Instead change back to using a
second grid and copying modified lines over which is much faster (this
doesn't revert to the old code however which didn't support UTF-8
properly). GitHub issue 1249.
nicm [Fri, 16 Feb 2018 07:42:07 +0000 (07:42 +0000)]
Fix function argument names, from Abel Abraham Camarillo Ojeda via jmc@.
patrick [Fri, 16 Feb 2018 07:37:48 +0000 (07:37 +0000)]
Support card interrupts in imxesdhc(4). The code that was written
initially was never tested with SDIO, as there had been no user. With
bwfm(4) we now have the first SDIO card on that controller. Align the
code with the standard sdhc(4), so that it doesn't hang after the first
interrupt fires.
ok kettenis@
jmc [Fri, 16 Feb 2018 07:27:07 +0000 (07:27 +0000)]
simplify synopsis and text;
ok millert
jmc [Fri, 16 Feb 2018 07:24:26 +0000 (07:24 +0000)]
remove or adapt sendmail specific parts;
original diff from edgar pettijohn, tweaked with help from millert
ok millert
dlg [Fri, 16 Feb 2018 06:26:10 +0000 (06:26 +0000)]
make gre_encap prepend both the gre and tunnel ip headers.
makes the code a bit more straightforward
dtucker [Fri, 16 Feb 2018 04:43:11 +0000 (04:43 +0000)]
Don't send IUTF8 to servers that don't like them.
Some SSH servers eg "ConfD" drop the connection if the client sends the
new IUTF8 (RFC8160) terminal mode even if it's not set. Add a bug bit
for such servers and avoid sending IUTF8 to them. ok djm@
dlg [Fri, 16 Feb 2018 02:41:07 +0000 (02:41 +0000)]
put egre back in a tree
it's new so there's no existing configs to be compat with.
djm [Fri, 16 Feb 2018 02:40:45 +0000 (02:40 +0000)]
Mention recent DH KEX methods:
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
From Jakub Jelen via bz#2826
djm [Fri, 16 Feb 2018 02:32:40 +0000 (02:32 +0000)]
stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@
dlg [Fri, 16 Feb 2018 01:28:07 +0000 (01:28 +0000)]
allow wccp processing to be enabled per interface with the link0 flag.
this also changes the wccp handling to peek into it's payload to
determine whether it is wccp 1 or 2. wccp1 says the gre header is
followed by ipv4, while wccp2 says there's a small header before
the ipv4 packet. the wccp2 header cannot have 4 in the first nibble,
while ipv4 must have 4 in the first nibble. the code now looks at
the nibble to determine whether it should strip the wccp2 header
or not.
naddy [Thu, 15 Feb 2018 21:50:33 +0000 (21:50 +0000)]
sync
schwarze [Thu, 15 Feb 2018 19:55:59 +0000 (19:55 +0000)]
Merge the new RETURN VALUES section from Paul Yang,
OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800,
with a number of fixes by me.
Also include three earlier, minor improvements from OpenSSL.
schwarze [Thu, 15 Feb 2018 19:39:56 +0000 (19:39 +0000)]
Add missing RETURN VALUES section; from Paul Yang
via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800.
tb [Thu, 15 Feb 2018 19:01:39 +0000 (19:01 +0000)]
Zap a stray sentence that I should have removed in my previous commit.
schwarze [Thu, 15 Feb 2018 18:28:42 +0000 (18:28 +0000)]
Fix the STANDARDS section, but in a different way than in OpenSSL
because i see no indication that a 2016 revision of this standard
might exist. Instead, use information from:
https://www.iso.org/standard/39876.html and
https://www.iso.org/standard/60475.html
schwarze [Thu, 15 Feb 2018 16:47:26 +0000 (16:47 +0000)]
Quite absurdly, the OpenSSL folks have been actively mucking around
with their random subsystem in 2017 rather than relying on the
operating system, which made me check the changes to their manual
pages, which caused me to notice that they document another public
function as non-deprecated that we neutered: RAND_poll(3).
Mention it briefly.
schwarze [Thu, 15 Feb 2018 16:22:53 +0000 (16:22 +0000)]
Add missing RETURN VALUES section;
from Paul Yang via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800.
schwarze [Thu, 15 Feb 2018 15:36:04 +0000 (15:36 +0000)]
Document the additional public function OCSP_basic_sign(3);
from David Cooper <david.cooper@nist.gov>
via OpenSSL commit
cace14b8 Jan 24 11:47:23 2018 -0500.
schwarze [Thu, 15 Feb 2018 14:52:16 +0000 (14:52 +0000)]
Import the new manual page EVP_PKEY_meth_new(3) from OpenSSL,
removing parts that don't apply to OpenBSD.
schwarze [Thu, 15 Feb 2018 12:52:37 +0000 (12:52 +0000)]
In some EXAMPLES, correct calls to EVP_PKEY_CTX_new(3) that
lacked an argument; from Jakub Jelen <jjelen at redhat dot com>
via OpenSSL commit
9db6673a Jan 17 19:23:37 2018 -0500.
schwarze [Thu, 15 Feb 2018 12:09:55 +0000 (12:09 +0000)]
Import the new manual page EVP_PKEY_asn1_get_count(3) from OpenSSL,
fixing half a dozen bugs and typos and also tweaking the wording a bit.
schwarze [Thu, 15 Feb 2018 11:09:34 +0000 (11:09 +0000)]
In x509_vfy.h rev. 1.20 2018/02/14 17:06:34, jsing@ provided
X509_STORE_CTX_set0_untrusted(3), X509_STORE_CTX_set0_trusted_stack(3),
X509_STORE_CTX_get0_untrusted(3), and X509_STORE_CTX_get0_cert(3).
Merge the related documentation from OpenSSL.
schwarze [Thu, 15 Feb 2018 10:01:33 +0000 (10:01 +0000)]
In x509.h rev. 1.28 2018/02/14 16:57:25, jsing@
provided X509_get0_notBefore(3) and its three friends.
Write a manual page from scratch because what OpenSSL has
is confusing and incomplete.
By the way, providing two identical functions differing only
in the constness of the returned structure is crazy.
Are application programmers expected to be too stupid to write
const ASN1_TIME *notBefore = X509_getm_notBefore(x)
if that's what they want?
schwarze [Thu, 15 Feb 2018 09:28:59 +0000 (09:28 +0000)]
Fix typo: s/Vt strict tm/Vt struct tm/
jmc [Thu, 15 Feb 2018 09:17:13 +0000 (09:17 +0000)]
tweak previous; ok dlg
mlarkin [Thu, 15 Feb 2018 05:35:36 +0000 (05:35 +0000)]
vmd(8): Properly return the correct byte when doing byte-aligned PCI
config space reads.
ok kettenis@, ccardenas@
dlg [Thu, 15 Feb 2018 04:21:46 +0000 (04:21 +0000)]
update tunnelttl to talk about the "copy" argument
dlg [Thu, 15 Feb 2018 02:09:21 +0000 (02:09 +0000)]
say that the only optional header we support is the Key.
dlg [Thu, 15 Feb 2018 02:03:03 +0000 (02:03 +0000)]
there are more GRE rfcs
dlg [Thu, 15 Feb 2018 01:58:46 +0000 (01:58 +0000)]
make a start at documenting egre(4)
dlg [Thu, 15 Feb 2018 01:03:17 +0000 (01:03 +0000)]
take egre(4) packets out early in gre input
this lets us look up the gre(4) interface before looking at the
protocols it might be carrying.
schwarze [Thu, 15 Feb 2018 00:15:29 +0000 (00:15 +0000)]
In asn1.h rev. 1.44 2018/02/14 16:46:04, jsing@
provided ASN1_STRING_get0_data(3).
Merge the corresponding documentation from OpenSSL.
jsg [Thu, 15 Feb 2018 00:03:06 +0000 (00:03 +0000)]
use the arm64 openprom.c on arm64
ok patrick@
jsg [Wed, 14 Feb 2018 23:51:49 +0000 (23:51 +0000)]
prune files.* entries that refer to files not in tree
ok krw@ mpi@
schwarze [Wed, 14 Feb 2018 23:49:52 +0000 (23:49 +0000)]
In evp.h rev. 1.54 2018/02/14 16:40:42, jsing@ provided EVP_PKEY_up_ref(3).
Merge the documentation from OpenSSL commits
0c497e96 Dec 14 18:10:16
2015 +0000 and
c5ebfcab Mar 7 22:45:58 2016 +0100 with tweaks by me.
sthen [Wed, 14 Feb 2018 22:12:59 +0000 (22:12 +0000)]
sync
dlg [Wed, 14 Feb 2018 22:08:45 +0000 (22:08 +0000)]
create virtual interfaces before starting all interface config.
this resolves an ordering problem when adding pseudo interfaces to bridges
tweaks from kn@
ok mpi@ sthen@
schwarze [Wed, 14 Feb 2018 18:50:47 +0000 (18:50 +0000)]
In x509.h rev. 1.27 2018/02/14 16:18:10, jsing@ provided
X509_get_signature_nid(3). Add a new manual page for it
based on the relevant parts of OpenSSL X509_get0_signature.pod.
schwarze [Wed, 14 Feb 2018 18:09:13 +0000 (18:09 +0000)]
In ssl.h rev. 1.136 2018/02/14 17:08:44, jsing@ provided
SSL_CTX_up_ref(3). Merge the related documentation from OpenSSL,
but tweak the wording to be less confusing and simplify the RETURN
VALUES section.
otto [Wed, 14 Feb 2018 17:26:56 +0000 (17:26 +0000)]
Zero as (un)mount flag is valid; ok millert@
schwarze [Wed, 14 Feb 2018 17:20:29 +0000 (17:20 +0000)]
In ssl.h rev. 1.135 2018/02/14 16:16:10, jsing@ provided
SSL_CTX_get0_param(3) and SSL_get0_param(3).
Merge the related documentation from OpenSSL, with small tweaks.
jsing [Wed, 14 Feb 2018 17:17:43 +0000 (17:17 +0000)]
Sync.
jsing [Wed, 14 Feb 2018 17:16:21 +0000 (17:16 +0000)]
Bump lib{crypto,ssl,tls} minors due to symbol additions.
jsing [Wed, 14 Feb 2018 17:08:44 +0000 (17:08 +0000)]
Provide SSL_CTX_up_ref().
jsing [Wed, 14 Feb 2018 17:06:34 +0000 (17:06 +0000)]
Provide X509_STORE_CTX_get0_{cert,untrusted}() and
X509_STORE_CTX_set0_{trusted_stack,untrusted}().
jsing [Wed, 14 Feb 2018 16:57:25 +0000 (16:57 +0000)]
Provide X509_get{0,m}_not{Before,After}().
jsing [Wed, 14 Feb 2018 16:46:04 +0000 (16:46 +0000)]
Provide ASN1_STRING_get0_data().
jsing [Wed, 14 Feb 2018 16:40:42 +0000 (16:40 +0000)]
Provide EVP_PKEY_up_ref().
jsing [Wed, 14 Feb 2018 16:32:06 +0000 (16:32 +0000)]
Start providing parts of the OpenSSL 1.1 API.
This will ease the burden on ports and others trying to make software
work with LibreSSL, while avoiding #ifdef mazes. Note that we are not
removing 1.0.1 API or making things opaque, hence software written to
use the older APIs will continue to work, as will software written to
use the 1.1 API (as more functionality become available).
Discussed at length with deraadt@ and others.
jsing [Wed, 14 Feb 2018 16:27:24 +0000 (16:27 +0000)]
Ensure that D mod (P-1) and D mod (Q-1) are calculated in constant time.
This avoids a potential side channel timing leak.
ok djm@ markus@
jsing [Wed, 14 Feb 2018 16:18:10 +0000 (16:18 +0000)]
Provide X509_get_signature_nid().
jsing [Wed, 14 Feb 2018 16:16:10 +0000 (16:16 +0000)]
Provide SSL_CTX_get0_param() and SSL_get0_param().
Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.
jsing [Wed, 14 Feb 2018 16:03:32 +0000 (16:03 +0000)]
Some obvious freezero() conversions.
This also zeros an ed25519_pk when it was not being zeroed previously.
ok djm@ dtucker@
jsing [Wed, 14 Feb 2018 15:59:50 +0000 (15:59 +0000)]
Update keypair regress to match revised keypair hash handling.
Apparently I failed to commit this when I committed the libtls change...
rob [Wed, 14 Feb 2018 12:43:07 +0000 (12:43 +0000)]
whitespace
tb [Wed, 14 Feb 2018 11:43:05 +0000 (11:43 +0000)]
Localize _f in do_upgrade().
ok rpe
mpi [Wed, 14 Feb 2018 08:55:35 +0000 (08:55 +0000)]
kern_mutex.c is gone.