gilles [Sat, 19 Apr 2014 11:17:14 +0000 (11:17 +0000)]
it's ok for strlcpy to fail here though it can't, cast void
deraadt [Sat, 19 Apr 2014 11:15:37 +0000 (11:15 +0000)]
egd is gone
henning [Sat, 19 Apr 2014 11:01:37 +0000 (11:01 +0000)]
/*
* altq for loop is just for debugging.
* only used when called for loop interface (not for
* a simplex interface).
*/
bye bye!
guenther [Sat, 19 Apr 2014 10:59:54 +0000 (10:59 +0000)]
The internal ssl2_* functions and variables are gone
jsing [Sat, 19 Apr 2014 10:54:26 +0000 (10:54 +0000)]
More KNF.
guenther [Sat, 19 Apr 2014 10:51:37 +0000 (10:51 +0000)]
Add SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
Document that SSL_OP_NO_SSLv2 is a no-op now
henning [Sat, 19 Apr 2014 10:07:44 +0000 (10:07 +0000)]
-option ALTQ
ALTQ has served us well for years and was extremely important not just for
us, but for the entire bandwidth management arena. Back when we got altq,
the subject was not yet well researched and understood, which is why altq
is the framework with pluggable schedulers it is. Kenjiro Cho (kjc@) did an
amazing job there.
Now, more than 10 years later, we do have a good understanding and can use
a simpler framework with just one priority queueing and one bandwidth
shaping mechanism each - the new queueing subsystem. Last not least because
it is incredibly painful to maintain both in parallel, it is time for altq
to depart. Farewell, thanks for many years of good service. Everybody
using any form of "not just fifo" queueing owes Kenjiro a lot. At least
buy him a beer when you meet him.
And, allow me this personal note, thanks Kenjiro, working with you on the
topic has always been a great pleasure and I learned a lot from you. Thanks!
sobrado [Sat, 19 Apr 2014 09:28:20 +0000 (09:28 +0000)]
use an appropriate name for this variable.
ok millert@
sobrado [Sat, 19 Apr 2014 09:24:28 +0000 (09:24 +0000)]
do not mark od(1) as deprecated.
ok jmc@, millert@
guenther [Sat, 19 Apr 2014 08:52:32 +0000 (08:52 +0000)]
More KNF and style consistency tweaks
shadchin [Sat, 19 Apr 2014 07:28:00 +0000 (07:28 +0000)]
tiny fix: Remove duplicate rows, they appeared after importing less 444
suggested Daniel Dickman
jsing [Sat, 19 Apr 2014 07:20:59 +0000 (07:20 +0000)]
More KNF.
jsing [Sat, 19 Apr 2014 06:43:34 +0000 (06:43 +0000)]
More KNF.
jsing [Sat, 19 Apr 2014 06:15:56 +0000 (06:15 +0000)]
More KNF.
djm [Sat, 19 Apr 2014 05:54:59 +0000 (05:54 +0000)]
missing wildcard; pointed out by naddy@
jmatthew [Sat, 19 Apr 2014 05:05:43 +0000 (05:05 +0000)]
move scsi_xs_put after checks that use fields in the xs
ok dlg@
dlg [Sat, 19 Apr 2014 05:00:06 +0000 (05:00 +0000)]
implement emc_mpath_checksense() according to what my cx500 throws.
tested by jmatthew@
schwarze [Sat, 19 Apr 2014 02:55:44 +0000 (02:55 +0000)]
Two minor tweaks regarding the fallback from -u/-d to default mode:
(1) Use all files found on the command line, but do *not* use all stray
files found during fallback tree recursion.
(2) If the fallback works, call that success, i.e. exit(0).
As pointed out by naddy@, the latter is required for ports' happiness.
schwarze [Sat, 19 Apr 2014 02:29:12 +0000 (02:29 +0000)]
Properly handle symlinks (hardlinks and .so only files were already ok):
Use the file name of the symlink but the inode number of the file pointed to,
such that we get multiple mlinks records but not multiple mpages records.
Also make sure they do not point outside the tree we are processing.
Issue found by kili@ in desktop-file-edit(1), thanks!
beck [Sat, 19 Apr 2014 00:41:37 +0000 (00:41 +0000)]
use intrinsic strlcpy and strlcat everywhere so we only have one set of
funcitons to check for incorrect use. keep BUF_strlcpy and BUF_strlcat
for API comptibility only.
ok tedu@
djm [Fri, 18 Apr 2014 23:52:25 +0000 (23:52 +0000)]
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the spec properly.
Disable this KEX method when speaking to one of the affected
versions.
reported by Aris Adamantiadis; ok markus@
deraadt [Fri, 18 Apr 2014 23:42:00 +0000 (23:42 +0000)]
OPENSSL_gmtime() is really just gmtime_r(); ok guenther
deraadt [Fri, 18 Apr 2014 23:19:01 +0000 (23:19 +0000)]
sync
tedu [Fri, 18 Apr 2014 22:39:08 +0000 (22:39 +0000)]
spacing
jmc [Fri, 18 Apr 2014 22:23:53 +0000 (22:23 +0000)]
tweak;
claudio [Fri, 18 Apr 2014 22:23:50 +0000 (22:23 +0000)]
There is no need to initialize globals to 0.
jmc [Fri, 18 Apr 2014 22:19:00 +0000 (22:19 +0000)]
flesh out STANDARDS;
jmc [Fri, 18 Apr 2014 22:11:57 +0000 (22:11 +0000)]
- merge two sections on error messages and interrupts
- move some non-standard sections into a more general CAVEATS
- some macro cleanup
jmc [Fri, 18 Apr 2014 22:04:54 +0000 (22:04 +0000)]
remove references to rshd;
tedu [Fri, 18 Apr 2014 21:57:17 +0000 (21:57 +0000)]
tone down some XXXXX to not appear in grep
jasper [Fri, 18 Apr 2014 21:55:23 +0000 (21:55 +0000)]
rename wd33c93 to wd33c93ctrl (but keep the filenames as is) so we can
add attributes to it later; as wd33c93 is not a valid device name.
ok miod@
schwarze [Fri, 18 Apr 2014 21:54:48 +0000 (21:54 +0000)]
In update mode, when opening the database fails, probably because it is
missing or corrupt, just rebuild it from scratch. This also helps when
installing the very first port on a freshly installed machine
and is similar to what espie@'s classical makewhatis(8) did.
Issue reported by naddy@ via kili@.
tedu [Fri, 18 Apr 2014 21:49:19 +0000 (21:49 +0000)]
XXXXXXXXXXXXXXXX -> XXX
XXXXXXXXXXXXXXXXXXXXXXX -> XXXX
jmc [Fri, 18 Apr 2014 21:42:04 +0000 (21:42 +0000)]
fix SEE ALSO;
tedu [Fri, 18 Apr 2014 21:41:15 +0000 (21:41 +0000)]
unifdef NO_SOCK
tedu [Fri, 18 Apr 2014 21:29:20 +0000 (21:29 +0000)]
round up some enemy sympathizers found calling RAND_seed().
ok beck reyk
tedu [Fri, 18 Apr 2014 21:19:20 +0000 (21:19 +0000)]
now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this:
for (i = 7; i >= 0; i--) { /* increment */
guenther [Fri, 18 Apr 2014 21:18:50 +0000 (21:18 +0000)]
For the WSDISPLAY_COMPAT_USL protocol, send the synchronizing signals to
the process, not just the thread.
ok kettenis@
sthen [Fri, 18 Apr 2014 21:11:34 +0000 (21:11 +0000)]
Since we've been making heavy use of unifdef recently: update it to the
recent 2.10 release.
"This code was derived from software contributed to Berkeley by Dave Yost.
It was rewritten to support ANSI C by Tony Finch. The original version
of unifdef carried the 4-clause BSD copyright licence. None of its code
remains in this version (though some of the names remain) so it now
carries a more liberal licence."
ok deraadt@
beck [Fri, 18 Apr 2014 21:11:00 +0000 (21:11 +0000)]
Unsurprisingly, since <unistd.h> was so darn hard to find for OpenSSL developers
they had resorted to manually protyping read(2) instead of incredible amount of
preprocessor wizardry needed to find the ever illusive <unistd.h>. Let's just
include <unistd.h> and we don't need to do this.. While we're at it flense
out _OSD_POSIX and __DGJPP__ cruft.
ok krw@
miod [Fri, 18 Apr 2014 20:23:42 +0000 (20:23 +0000)]
ECDSA signature computation involves a random number. Remove the test trying to
force what RAND_bytes() will return and comparing it against known values -
I can't let you do this, Dave.
tedu [Fri, 18 Apr 2014 20:22:17 +0000 (20:22 +0000)]
raise file limit to something more web scale, but lower connections so
there are some files to spare for other things.
beck [Fri, 18 Apr 2014 20:01:31 +0000 (20:01 +0000)]
unbreak tree - this was not the rand.c I was looking for
tedu [Fri, 18 Apr 2014 19:58:42 +0000 (19:58 +0000)]
collateral damage
tedu [Fri, 18 Apr 2014 19:55:15 +0000 (19:55 +0000)]
no app_rand.c
tedu [Fri, 18 Apr 2014 19:54:57 +0000 (19:54 +0000)]
$HOME/.rnd will never be a good source of entropy. ok beck
miod [Fri, 18 Apr 2014 19:41:21 +0000 (19:41 +0000)]
Do not ask the user to pass either -DB_ENDIAN or -DL_ENDIAN to the compiler,
but rather figure out the endianness from <machine/endian.h> automagically;
help from guenther@
ok jca@ guenther@ beck@ and the rest of the `Buena SSL rampage club'
miod [Fri, 18 Apr 2014 19:38:26 +0000 (19:38 +0000)]
Shrink a local buffer to the size it really needs to be; this is the only
discrepancy found while checking proper {HEX,DECIMAL}_SIZE macro usage, which
is confusing enough.
tweaks and ok jca@, ok guenther@
okan [Fri, 18 Apr 2014 19:13:16 +0000 (19:13 +0000)]
remove bdes(1) so as to not encourage its use; if someone really
wants to use DES, there's another way.
ok deraadt sthen sobrado (and probably tedu)
jca [Fri, 18 Apr 2014 18:56:25 +0000 (18:56 +0000)]
Remove the dead KAME code that dealt with IPv4-mapped IPv6 addresses.
Add a check for IPv4-mapped IPv6 destination addresses, like in the most
recent KAME code, for non-connected sockets. This prevents packets from
reaching the wire through the default route, if a reject route
for ::ffff:0.0.0.0/96 isn't present. ok claudio@
jca [Fri, 18 Apr 2014 18:44:18 +0000 (18:44 +0000)]
This remnant comment doesn't belong here. ok claudio@
miod [Fri, 18 Apr 2014 18:38:45 +0000 (18:38 +0000)]
eroMgib dne- nai 68xtnetelca .s
miod [Fri, 18 Apr 2014 18:33:39 +0000 (18:33 +0000)]
Not welcome
miod [Fri, 18 Apr 2014 18:33:18 +0000 (18:33 +0000)]
typo
beck [Fri, 18 Apr 2014 18:25:04 +0000 (18:25 +0000)]
It seems a generation of programmers is aping OpenSSL. We need re-education
camps. RAND_ is considered hamful, we should not *re-implement* it here.
"fire bomb it" - tedu@, "dresdenizing" - beck@, "SSLaughterhouse five" miod@
lteo [Fri, 18 Apr 2014 18:08:36 +0000 (18:08 +0000)]
Use the cleaned up asprintf-based make_config_name() to make the name of
the config file instead of the malloc/BUF_strlcpy/BUF_strlcat calls with
no return value checks (that make_config_name() also used to do prior to
being cleaned up).
ok beck@
tedu [Fri, 18 Apr 2014 18:08:36 +0000 (18:08 +0000)]
first round of static config. ok miod
lteo [Fri, 18 Apr 2014 18:07:59 +0000 (18:07 +0000)]
Check the return value of make_config_name() before attempting to use
the config filename.
ok beck@
tedu [Fri, 18 Apr 2014 18:03:26 +0000 (18:03 +0000)]
another
tedu [Fri, 18 Apr 2014 18:01:06 +0000 (18:01 +0000)]
another "string to make the random number generator think it has entropy"
tedu [Fri, 18 Apr 2014 17:44:24 +0000 (17:44 +0000)]
delete "string to make the random number generator think it has entropy"
miod [Fri, 18 Apr 2014 17:32:31 +0000 (17:32 +0000)]
Put back i2d_ASN1_SET() and d2i_ASN1_SET() from the NO_ASN1_OLD prune, as there
are still some 3rd-party code using it, and fixing them is not trivial.
As an excuse gift, the memory leaks on failure in resurrected a_set.c have
been fixed.
beck [Fri, 18 Apr 2014 17:25:17 +0000 (17:25 +0000)]
RAND_xxx considered harmful. use arc4random_buf instead of nasty stuff.
ok tedu@
florian [Fri, 18 Apr 2014 17:01:47 +0000 (17:01 +0000)]
Wrap long lines.
OK lteo@, benno@
florian [Fri, 18 Apr 2014 17:01:06 +0000 (17:01 +0000)]
Move ident / perturb initialisation up, this is AF independent.
OK benno@
florian [Fri, 18 Apr 2014 17:00:07 +0000 (17:00 +0000)]
sync to traceroute6: use getnameinfo for destination ip
OK benno@
florian [Fri, 18 Apr 2014 16:58:02 +0000 (16:58 +0000)]
Declare socklen_t len in main, it's used in two places, no need
to declare it twice. We can get rid of a { } block.
OK benno@
florian [Fri, 18 Apr 2014 16:56:25 +0000 (16:56 +0000)]
Replace fprintf(stderr, ..); exit() with errx() and fprintf(stderr, ...)
with warnx()
OK lteo@, benno@
florian [Fri, 18 Apr 2014 16:48:19 +0000 (16:48 +0000)]
Drop rh0 support (-g), it doesn't work anyway.
OK benno@
florian [Fri, 18 Apr 2014 16:46:18 +0000 (16:46 +0000)]
Use getaddrinfo to resolve destination. I kept the inet_aton so the
great old ones can still traceroute 010.010.010.010.
OK benno@
beck [Fri, 18 Apr 2014 16:40:46 +0000 (16:40 +0000)]
RAND_egd is considered harmful. Unbreak the tree by making kerberos not use
it. The rest of the RAND_ horror in here needs checking.
ok deraadt@
claudio [Fri, 18 Apr 2014 16:38:28 +0000 (16:38 +0000)]
Introduce some regress tests against our routing table. At least that way
there is a chance that we do not break the network stack even more.
These regress tests already found a few issues.
The framework is ugly and does not properly recover from failures. Somebody
more skilled can come up with a better solution.
mpi@, blambert@ and sthen@ support this
deraadt [Fri, 18 Apr 2014 16:36:42 +0000 (16:36 +0000)]
this file is not relevant
florian [Fri, 18 Apr 2014 16:33:21 +0000 (16:33 +0000)]
We do have SO_SNDBUF.
OK benno@
florian [Fri, 18 Apr 2014 16:32:42 +0000 (16:32 +0000)]
We do have SO_SNDBUF and IP_HDRINCL.
OK benno@
florian [Fri, 18 Apr 2014 16:29:26 +0000 (16:29 +0000)]
replace perror(3) with err(3)/warn(3)
OK lteo@, benno@
florian [Fri, 18 Apr 2014 16:26:47 +0000 (16:26 +0000)]
Structure wait_for_reply() loop like traceroute, thereby moving the
loop body one indent layer up.
OK benno@
florian [Fri, 18 Apr 2014 16:24:41 +0000 (16:24 +0000)]
move cast from packet to ip up to avoid casts in print()
OK benno@
florian [Fri, 18 Apr 2014 16:23:00 +0000 (16:23 +0000)]
move ICMP6 code parsing to function
OK benno@
florian [Fri, 18 Apr 2014 16:22:18 +0000 (16:22 +0000)]
move ICMP code parsing to function
OK benno@
florian [Fri, 18 Apr 2014 16:20:56 +0000 (16:20 +0000)]
sync to traceroute:
* s/Dst/to/
* s/Src/from/
* drop Rcv
OK benno@
florian [Fri, 18 Apr 2014 16:19:11 +0000 (16:19 +0000)]
If -s is not given do a dummy connect to get outgoing ip,
unconditionally try to bind to this ip and get a source port for udp
this way, like traceroute6 is doing. This means you can no longer
traceroute from IPs not present on the system. (There are probably
better tools if you want to send traffic from spoofed IPs.)
OK benno@
reyk [Fri, 18 Apr 2014 16:13:02 +0000 (16:13 +0000)]
fix previous
florian [Fri, 18 Apr 2014 16:11:36 +0000 (16:11 +0000)]
Sync to tracroute: don't print source IP if -s is not given
OK benno@ (who wants it back in some form after the merge)
tedu [Fri, 18 Apr 2014 16:11:22 +0000 (16:11 +0000)]
guenther would prefer more separation
reyk [Fri, 18 Apr 2014 16:08:06 +0000 (16:08 +0000)]
spacing
florian [Fri, 18 Apr 2014 16:07:54 +0000 (16:07 +0000)]
Sync to tracroute: handle "time exceeded in transit" before the
switch and add a default case.
OK benno@
florian [Fri, 18 Apr 2014 16:04:39 +0000 (16:04 +0000)]
sync packet_ok signature to traceroute6
OK benno@
florian [Fri, 18 Apr 2014 16:02:08 +0000 (16:02 +0000)]
sync to traceroute: s/opacket/packetdata/
OK lteo@, benno@
florian [Fri, 18 Apr 2014 16:00:38 +0000 (16:00 +0000)]
Embed struct tv32 into struct opacket like traceroute.
This changes the data part of an icmp6 paket, before it only
contained the timestamp, now it contains a whole struct opacket.
Shouldn't be an issue as nobody looks at this data anyway.
OK benno@
tedu [Fri, 18 Apr 2014 15:59:36 +0000 (15:59 +0000)]
Malak: I think we made the merchant angry.
Conan: Are you surprised?
Malak: But we didn't steal everything he had!
Conan: We didn't have time.
florian [Fri, 18 Apr 2014 15:58:43 +0000 (15:58 +0000)]
Factor out build_probe{4,6} from send_probe; now send_probe is
AF independent. While there define outpacket as u_char and
cast as needed in traceroute6.
OK benno@
deraadt [Fri, 18 Apr 2014 15:58:18 +0000 (15:58 +0000)]
sync
tedu [Fri, 18 Apr 2014 15:57:12 +0000 (15:57 +0000)]
millert said i can kill rshd
tedu [Fri, 18 Apr 2014 15:53:49 +0000 (15:53 +0000)]
we need to crank
reyk [Fri, 18 Apr 2014 15:53:28 +0000 (15:53 +0000)]
Fix SSL client-only mode when no RSA private key is needed.
Found by andre@ with the args-ssl-server.pl regress test.
ok andre@
deraadt [Fri, 18 Apr 2014 15:53:24 +0000 (15:53 +0000)]
remove include files not needed
guenther [Fri, 18 Apr 2014 15:46:50 +0000 (15:46 +0000)]
Document support for "openssl s_client -starttls lmtp"
guenther [Fri, 18 Apr 2014 15:39:53 +0000 (15:39 +0000)]
Finish zapping SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION usage; only keep
the #define for compat, but document that it's a no-op now. Also, neuter
the -legacy_renegotiation option to "openssl s_{client,server}"
ok beck@
deraadt [Fri, 18 Apr 2014 15:38:16 +0000 (15:38 +0000)]
use the portable construct around asprintf; pointed out by halex