deraadt [Fri, 18 Apr 2014 15:38:16 +0000 (15:38 +0000)]
use the portable construct around asprintf; pointed out by halex
henning [Fri, 18 Apr 2014 15:20:00 +0000 (15:20 +0000)]
reaching into altq outside #ifdef ALTQ is bad, mmkay? ok claudio
henning [Fri, 18 Apr 2014 15:14:25 +0000 (15:14 +0000)]
tcp_respond: let the stack worry about the cksum instead of doing it
manually, ok naddy (in january)
henning [Fri, 18 Apr 2014 15:13:01 +0000 (15:13 +0000)]
pf_send_tcp: ask the stack to do the cksum instead of doing it manually
ok benno lteo naddy (back in january)
guenther [Fri, 18 Apr 2014 15:09:52 +0000 (15:09 +0000)]
It's been a quarter century: we can assume volatile is present with that name.
tedu [Fri, 18 Apr 2014 15:03:20 +0000 (15:03 +0000)]
Some dude named Tavis Ormandy reported a bug which has gone unfixed.
http://marc.info/?l=openssl-users&m=
138014120223264&w=2
Arguably a doc bug, but we argue not. If you parse a new cert into memory
occupied by a previously verified cert, the new cert will inherit that
state, bypassing future verification checks. To avoid this, we will always
start fresh with a new object.
grudging ok from guenther, after i threatened to make him read the code yet
again. "that ok was way more painful and tiring then it should have been"
henning [Fri, 18 Apr 2014 14:56:59 +0000 (14:56 +0000)]
reaching into altq unconditionally (and w/o ifdef ALTQ) is bad, mmkay?
deraadt [Fri, 18 Apr 2014 14:41:54 +0000 (14:41 +0000)]
since e_os.h is dead, and e_os2.h is installed, we can fetch from there.
This means we don't need the reach-around anymore.
guenther [Fri, 18 Apr 2014 14:38:21 +0000 (14:38 +0000)]
It's been a quarter century: we can assume volatile is present with that name.
deraadt [Fri, 18 Apr 2014 14:37:41 +0000 (14:37 +0000)]
Put the final pieces from e_os.h in the required places, and remove it.
"dance on it's grave" says beck
ok guenther beck
henning [Fri, 18 Apr 2014 14:34:24 +0000 (14:34 +0000)]
cut altq here
tedu [Fri, 18 Apr 2014 14:34:07 +0000 (14:34 +0000)]
blank lines between decls and code
reyk [Fri, 18 Apr 2014 14:32:22 +0000 (14:32 +0000)]
The RSA_FLAG_SIGN_VER is not yet supported and the current code uses
the rsa_priv_enc() and rsa_pub_dec() callbacks for sign and verify
operations.
A tale from OpenSSL's rsa.h:
New sign and verify functions: some libraries don't allow arbitrary
data to be signed/verified: this allows them to be used. Note: for
this to work the RSA_public_decrypt() and RSA_private_encrypt() should
*NOT* be used RSA_sign(), RSA_verify() should be used instead. Note:
for backwards compatibility this functionality is only enabled if the
RSA_FLAG_SIGN_VER option is set in 'flags'.
In OpenSSL, RSA engines should provide the rsa_sign() and rsa_verify()
callbacks and this should be the default. By the "default" is
disabled by default and RSA engines that provide extra sign and verify
callbacks have to set the non-default RSA_FLAG_SIGN_VER flag. This is
not used by OpenSSL's own RSA code and was only set by two non-default
RSA engines: IBM 4758 and Windows CAPI - both of them got removed from
our library. And btw., this comment about the new non-default default
was added in 1999.
Thanks to Piotr Sikora, who pointed out that I didn't handle the
sign/verify case.
schwarze [Fri, 18 Apr 2014 14:25:52 +0000 (14:25 +0000)]
We should probably thank OpenSSL.
They gave Theo another chance to be happy.
deraadt [Fri, 18 Apr 2014 14:05:01 +0000 (14:05 +0000)]
These files were never installed in the past, and are not generally
used. They can go away.
ok guenther reyk
reyk [Fri, 18 Apr 2014 13:55:26 +0000 (13:55 +0000)]
Introduce privsep for private keys:
- Move RSA private keys to a new separate process instead of copying
them to the relays. A custom RSA engine is used by the SSL/TLS code
of the relay processes to send RSA private key encryption/decryption
(also used for sign/verify) requests to the new "ca" processes instead
of operating on the private key directly.
- Each relay process gets its own related ca process. Setting
"prefork 5" in the config file will spawn 10 processes (5 relay, 5
ca). This diff also reduces the default number of relay processes
from 5 to 3 which should be suitable in most installations without a
very heavy load.
- Don't keep text versions of the keys in memory, parse them once and
keep the binary representation. This might still be the case in
OpenSSL's internals but will be fixed in the library.
This diff doesn't prevent something like "heartbleed" but adds an
additional mitigation to prevent leakage of the private keys from the
processes doing SSL/TLS.
With feedback from many
ok benno@
deraadt [Fri, 18 Apr 2014 13:41:20 +0000 (13:41 +0000)]
Use asprintf() for generating path, instead of multiple
return-value-not-checked strlcpy and strlcat
deraadt [Fri, 18 Apr 2014 13:38:31 +0000 (13:38 +0000)]
in CONF_get1_default_config_file(), don't calculate a buffer size,
malloc it, do unbounded strlcpy's to it... but instead of asnprintf.
While there, let's put a '/' between the two path components! Wonder
how old that bug is..
ok guenther
kettenis [Fri, 18 Apr 2014 13:35:31 +0000 (13:35 +0000)]
If somebody else is already processing the RPC requests on a stream socket,
don't panic, but just return.
tested by nicm@
ok tedu@
jsing [Fri, 18 Apr 2014 13:26:34 +0000 (13:26 +0000)]
More KNF.
tedu [Fri, 18 Apr 2014 13:19:03 +0000 (13:19 +0000)]
another round of chemo for the RAND code to provide clarity.
ok deraadt
jsing [Fri, 18 Apr 2014 13:14:31 +0000 (13:14 +0000)]
More KNF.
tedu [Fri, 18 Apr 2014 13:13:50 +0000 (13:13 +0000)]
egd support is too dangerous to leave where somebody might find it.
ok deraadt.
jsing [Fri, 18 Apr 2014 12:15:48 +0000 (12:15 +0000)]
More KNF.
reyk [Fri, 18 Apr 2014 12:02:37 +0000 (12:02 +0000)]
The proc.c code sets up some socketpair for the communication between
different privsep processes. The implementation is using
multi-dimensional arrays and and some complicated process to process
relations. This is the first attempt of cleaning it up and to allow
N:N communications for the upcoming "CA" processes.
Discussed with some, but nobody dared to comment on the code.
guenther [Fri, 18 Apr 2014 11:51:16 +0000 (11:51 +0000)]
Have each thread keeps its own (counted!) reference to the process's ucreds
to avoid possible use-after-free references when swapping ids in threaded
processes. "Do I have the right creds?" checks are always made with the
threads creds.
Inspired by FreeBSD and NetBSD
"right time" deraadt@
henning [Fri, 18 Apr 2014 11:41:10 +0000 (11:41 +0000)]
no more altq hier^Where either
henning [Fri, 18 Apr 2014 11:36:06 +0000 (11:36 +0000)]
no more altq
guenther [Fri, 18 Apr 2014 11:35:51 +0000 (11:35 +0000)]
Handle passing zero to a variable fieldwidth or precision.
ok deraadt@
deraadt [Fri, 18 Apr 2014 11:33:33 +0000 (11:33 +0000)]
unistd.h for protos where needed
deraadt [Fri, 18 Apr 2014 11:31:16 +0000 (11:31 +0000)]
define RFILE only in the file that needs it
jsing [Fri, 18 Apr 2014 11:20:32 +0000 (11:20 +0000)]
More KNF.
henning [Fri, 18 Apr 2014 11:19:45 +0000 (11:19 +0000)]
stop mentioning altq
henning [Fri, 18 Apr 2014 11:18:40 +0000 (11:18 +0000)]
stop talking about altq
this manpage needs a bigger sync with reality...
henning [Fri, 18 Apr 2014 11:15:21 +0000 (11:15 +0000)]
missed these
jsg [Fri, 18 Apr 2014 11:14:35 +0000 (11:14 +0000)]
add braces missed when fixing leaks
deraadt [Fri, 18 Apr 2014 11:14:08 +0000 (11:14 +0000)]
KNF, since this is no longer script generated
deraadt [Fri, 18 Apr 2014 10:53:17 +0000 (10:53 +0000)]
sync
jca [Fri, 18 Apr 2014 10:48:29 +0000 (10:48 +0000)]
Invert the signature logic of in{,6}_selectsrc, make them return the
error code and pass the resulting source address back to the caller
through a pointer, as suggested by chrisz. This gives us more readable
code, and eases the deletion of useless checks in the callers' error path.
Add a bunch of "0 -> NULL" conversions, while here.
ok chrisz@ mpi@
henning [Fri, 18 Apr 2014 10:48:23 +0000 (10:48 +0000)]
stop testing altq stuffz
how many tests I wrote back then... (of which the majority is pointless)
claudio [Fri, 18 Apr 2014 10:05:22 +0000 (10:05 +0000)]
Do not set RTF_DONE flag on route message, only the kernel is allowed to
set that to indicate that it processed the message. Also de-#ifdef the
RTF_MASK part, OpenBSD is not that archaic.
OK yasuoka@ long time ago
schwarze [Fri, 18 Apr 2014 10:00:48 +0000 (10:00 +0000)]
Switch to the new makewhatis(8)/apropos(1)/whatis(1) combo.
"commit the switch now" espie@ "go for it" deraadt@
See the apropos(1) manual for a description of what's new.
On machines where you want the full functionality,
run "sudo makewhatis" and put "MAKEWHATISARGS=' '" into weekly.local(8).
Otherwise, when upgrading via source, run "sudo makewhatis -Q".
ajacoutot [Fri, 18 Apr 2014 09:47:34 +0000 (09:47 +0000)]
Upgrade our KerberosV to Heimdal 1.5.3 (minor update).
- Fix leaking file descriptors in KDC
- Better socket/timeout handling in libkrb5
- General bug fixes
ok robert@
schwarze [Fri, 18 Apr 2014 09:46:41 +0000 (09:46 +0000)]
Fix a few lies; polish wording and formatting while here.
deraadt [Fri, 18 Apr 2014 09:38:42 +0000 (09:38 +0000)]
simplify file:file:... stuff
claudio [Fri, 18 Apr 2014 09:34:05 +0000 (09:34 +0000)]
Also match RTS5227 in rtsx(4). Works for me on the THinkPad X240.
This will give us basic support there are a few extra bits in the linux
driver we ignore for now. Something to look at in the future.
OK stsp@ mlarkin@ kettenis@
florian [Fri, 18 Apr 2014 08:44:25 +0000 (08:44 +0000)]
We are not ARCHAIC; no object change.
OK lteo@
jsing [Fri, 18 Apr 2014 07:09:23 +0000 (07:09 +0000)]
More KNF.
gilles [Fri, 18 Apr 2014 06:59:15 +0000 (06:59 +0000)]
support mailaddr lookup in table_db
jsing [Fri, 18 Apr 2014 05:37:44 +0000 (05:37 +0000)]
More KNF.
jmatthew [Fri, 18 Apr 2014 05:08:15 +0000 (05:08 +0000)]
Implement qle_fabric_plogo and let qle_fabric_plogi look at the response that
comes back, so later on we can work out what to do when logins fail
tedu [Fri, 18 Apr 2014 04:33:09 +0000 (04:33 +0000)]
whitespace normalization
tedu [Fri, 18 Apr 2014 04:23:53 +0000 (04:23 +0000)]
repair whitespace. this is what happens when functions take 20 params.
jsing [Fri, 18 Apr 2014 04:17:16 +0000 (04:17 +0000)]
Remove MAIN and PROG defines now that we do not compile non-monolithic.
ok tedu@
jsg [Fri, 18 Apr 2014 03:37:43 +0000 (03:37 +0000)]
igetest.c moved to regress we don't need another copy
ok miod@
jsg [Fri, 18 Apr 2014 03:28:12 +0000 (03:28 +0000)]
fix another potential double free
ok miod@ lteo@ jca@
tedu [Fri, 18 Apr 2014 02:56:48 +0000 (02:56 +0000)]
-netware
tedu [Fri, 18 Apr 2014 02:48:58 +0000 (02:48 +0000)]
undef NETWARE_CLIB and NETWARE_LIBC
tedu [Fri, 18 Apr 2014 02:45:58 +0000 (02:45 +0000)]
unterminated comment
tedu [Fri, 18 Apr 2014 02:45:26 +0000 (02:45 +0000)]
KaboomNF
tedu [Fri, 18 Apr 2014 02:35:57 +0000 (02:35 +0000)]
spelling fix from Micha Borrmann on openssl-dev
tedu [Fri, 18 Apr 2014 01:59:00 +0000 (01:59 +0000)]
blunt force knf
jmatthew [Fri, 18 Apr 2014 01:11:23 +0000 (01:11 +0000)]
Rework the command polling loop so it can handle multiple responses in a single
interrupt, as done in qla(4).
jsing [Fri, 18 Apr 2014 01:07:13 +0000 (01:07 +0000)]
Remove support for unwanted operating systems.
ok miod@
jsing [Fri, 18 Apr 2014 01:04:53 +0000 (01:04 +0000)]
Unifdef OPENSSL_FIPS.
ok miod@
tedu [Fri, 18 Apr 2014 00:58:49 +0000 (00:58 +0000)]
lob a few more knf grenades in here to soften things up.
tedu [Fri, 18 Apr 2014 00:10:08 +0000 (00:10 +0000)]
putting most of the braces in the right column is the very least we can do.
jmatthew [Thu, 17 Apr 2014 23:53:49 +0000 (23:53 +0000)]
When iterating through fabric ports, start at our own port ID, so we can
reliably tell when we've been through the whole list.
tedu [Thu, 17 Apr 2014 23:35:40 +0000 (23:35 +0000)]
whack a bunch of disabled code. ok beck lteo
jmatthew [Thu, 17 Apr 2014 23:17:18 +0000 (23:17 +0000)]
Copy out all mbox registers after a mailbox operation completes.
Simplifies things a bit and makes pre- and post- attach operations work
the same.
matthew [Thu, 17 Apr 2014 22:44:34 +0000 (22:44 +0000)]
Make MONOLITH the default and only option
ok deraadt
tedu [Thu, 17 Apr 2014 22:37:59 +0000 (22:37 +0000)]
stab at indentation
tedu [Thu, 17 Apr 2014 22:23:27 +0000 (22:23 +0000)]
don't fake up SSIZE_MAX
tedu [Thu, 17 Apr 2014 22:22:28 +0000 (22:22 +0000)]
more windows/netware leftovers
tedu [Thu, 17 Apr 2014 22:19:56 +0000 (22:19 +0000)]
delete if 0 code
giovanni [Thu, 17 Apr 2014 22:09:37 +0000 (22:09 +0000)]
more spring VMS cleanup
ok miod@ lteo@
sthen [Thu, 17 Apr 2014 22:08:45 +0000 (22:08 +0000)]
no need for a variable which is hardcoded and only used in an snprintf,
ok giovanni@. tidy comments nearby while there.
miod [Thu, 17 Apr 2014 22:06:19 +0000 (22:06 +0000)]
Use !defined() rather than empty().
deraadt [Thu, 17 Apr 2014 21:55:07 +0000 (21:55 +0000)]
oops, exit vs return; spotted by matthew
deraadt [Thu, 17 Apr 2014 21:45:45 +0000 (21:45 +0000)]
unistd.h exposed after -Wall after e_os.h stops doing so; spotted by matthew
tedu [Thu, 17 Apr 2014 21:41:12 +0000 (21:41 +0000)]
no longer need to fool emacs indentation and other if (0) oddities.
tedu [Thu, 17 Apr 2014 21:37:37 +0000 (21:37 +0000)]
always build in RSA and DSA. ok deraadt miod
deraadt [Thu, 17 Apr 2014 21:32:37 +0000 (21:32 +0000)]
kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod
giovanni [Thu, 17 Apr 2014 21:31:27 +0000 (21:31 +0000)]
Some VMS and WIN32 cleanup
ok miod@ lteo@
miod [Thu, 17 Apr 2014 21:17:11 +0000 (21:17 +0000)]
Get rid of MS Visual C compiler and Intel C compiler specific defines.
tedu [Thu, 17 Apr 2014 21:15:37 +0000 (21:15 +0000)]
SHA and AES (and sadly MD5) can't be considered optional. ok beck miod
matthew [Thu, 17 Apr 2014 21:11:28 +0000 (21:11 +0000)]
OpenBSD isn't NetWare or Windows, and it has SIGPIPE.
ok lteo miod
miod [Thu, 17 Apr 2014 21:10:59 +0000 (21:10 +0000)]
There are no plans to ever build this with the Metrojerks compiler.
miod [Thu, 17 Apr 2014 21:07:04 +0000 (21:07 +0000)]
Remove support for big-endian i386 and amd64.
Before someone suggests the OpenSSL people are junkies, here is what they
mention about this:
/* Most will argue that x86_64 is always little-endian. Well,
* yes, but then we have stratus.com who has modified gcc to
* "emulate" big-endian on x86. Is there evidence that they
* [or somebody else] won't do same for x86_64? Naturally no.
* And this line is waiting ready for that brave soul:-) */
So, yes, they are on drugs. But they are not alone, the stratus.com people are,
too.
sthen [Thu, 17 Apr 2014 21:04:32 +0000 (21:04 +0000)]
since we're replacing LIST_SEPARATOR_CHAR with ':', no point using %c
in the help printf
deraadt [Thu, 17 Apr 2014 20:58:07 +0000 (20:58 +0000)]
Mostly gut e_os.h:
USE_SOCKETS is unrelated to using sockets, but just pulls in .h files. It
makes every file buy a kitchen sink, because 11 files forgot to.
EXIT() is really exit(), a gentle surprise
but... OPENSSL_EXIT() is really just return(), because noone compiles the
openssl command non-monolithic anymore
miod [Thu, 17 Apr 2014 20:57:05 +0000 (20:57 +0000)]
malloc + memset 0 -> calloc
(not that it matters much as this is in disabled code, for we don't build with
zlib support)
tedu [Thu, 17 Apr 2014 20:47:22 +0000 (20:47 +0000)]
dead code
tedu [Thu, 17 Apr 2014 20:44:45 +0000 (20:44 +0000)]
unused variable
tedu [Thu, 17 Apr 2014 20:43:42 +0000 (20:43 +0000)]
-Wall
tedu [Thu, 17 Apr 2014 20:42:18 +0000 (20:42 +0000)]
a little less obfuscation
tedu [Thu, 17 Apr 2014 20:40:24 +0000 (20:40 +0000)]
fold prototypes into o_str.c. miod
tedu [Thu, 17 Apr 2014 20:34:24 +0000 (20:34 +0000)]
quick pass at removing ability to disable sha256 and sha512. ok miod
miod [Thu, 17 Apr 2014 20:30:46 +0000 (20:30 +0000)]
Aren't you glad to have this file tell you that ``C2.pl works''? Bonus point
if you can spot C2.pl.
miod [Thu, 17 Apr 2014 20:29:19 +0000 (20:29 +0000)]
Nuke BN_DEBUG_LEVITTE