summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* fix two remotely triggerable memory leaks.OPENBSD_5_4tedu2014-10-192-1/+4
| | | | tested by jasper
* backport relevant security fixes from openssl 1.0.1itedu2014-08-0914-193/+296
| | | | tested by bcook jsg
* MFC DTLS buffer overflow fix (CVE-2014-0195)sthen2014-06-051-1/+7
| | | | | | "Avoid a buffer overflow that can be triggered by sending specially crafted DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL by Juri Aedla." From d1_both.c r1.19
* MFC DTLS "Hello Request" fix (CVE-2014-0221)sthen2014-06-051-2/+2
| | | | | | | | "Do not recurse when a 'Hello Request' message is received while getting DTLS fragments. A stream of 'Hello Request' messages will result in infinite recursion, eventually crashing the DTLS client or server. Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad." From d1_both.c r1.20
* MFC sess_cert fix (CVE-2014-3470)sthen2014-06-051-0/+8
| | | | | "Ensure that sess_cert is not NULL before trying to use it. Fixes CVE-2014-3470, from OpenSSL." From s3_clnt.c r1.66
* MFC ChangeCipherSpec fixes (CVE-2014-0224 and additional safeguard), ok jsing@sthen2014-06-054-4/+22
| | | | | | | | | | | | | "Be selective as to when ChangeCipherSpec messages will be accepted. Without this an early ChangeCipherSpec message would result in session keys being generated, along with the Finished hash for the handshake, using an empty master secret." From s3_clnt.c r1.64, s3_pkt.c r1.42, s3_srvr.c r1.59, ssl3.h r1.19 - note that the ssl3.h change has been applied to s3_locl.h instead to simplify patching. "Ensure that we do not process a ChangeCipherSpec with an empty master secret. This is an additional safeguard against early ChangeCipherSpec handling." From s3_pkt.c:1.43
* MFC, requested by deraadt@sthen2014-05-011-0/+4
| | | | | | | | | | | | | | | | | | -/-------------------------- revision 1.33 date: 2014/04/24 04:31:30; author: tedu; state: Exp; lines: +4 -0; on today's episode of things you didn't want to learn: do_ssl3_write() is recursive. and not in the simple, obvious way, but in the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this then has a decent chance of releasing the buffer that we thought we were going to use. check for this happening, and if the buffer has gone missing, put another one back in place. the direct recursive call is safe because it won't call ssl3_write_pending which is the function that actually does do the writing and releasing. as reported by David Ramos to openssl-dev: http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck -/--------------------------
* from head, will become 5.4 008_openssl.patchderaadt2014-04-121-1/+1
| | | | | | | | Changes by: tedu@cvs.openbsd.org 2014/04/10 13:01:37 Piotr Sikora pointed me at a more refined diff for the buffer release issue. Apply that version. Maybe someday upstream will wake up and then we can have the same code. https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest
* MFC:djm2014-04-082-13/+27
| | | | | cherrypick fix for CVE-2014-0160 "heartbleed" vulnerability from OpenSSL git; ok sthen@
* MFC: Reliability fix for SHA384 SSL/TLS ciphers on strict alignmentjca2013-12-201-1/+8
| | | | architectures. ok miod@ djm@
* This commit was manufactured by cvs2git to create branch 'OPENBSD_5_4'.cvs2svn2013-07-221001-357671/+0
|
* we now have IDEA and MDC2 in libcrypto, so don't disable them in openssl(1)naddy2013-07-221-3/+2
| | | | ok djm@
* HISTORY; tweaks and ok sobrado@ jmc@schwarze2013-07-183-9/+38
|
* more library historyschwarze2013-07-1711-29/+71
| | | | | facts checked by sobrado@ style tweaks and ok jmc@
* use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@schwarze2013-07-167-20/+20
|
* use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@schwarze2013-07-161-3/+3
|
* more macro simplification; from Jan Staryjmc2013-07-161-3/+2
|
* use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@schwarze2013-07-161-4/+4
|
* Remove no longer needed vax CFLAGS workarounds.miod2013-07-131-13/+1
|
* rfc 3493 obsoletes 2553. i spotted this after reading hiroki sato's changesjmc2013-07-101-5/+6
| | | | | | | | in freebsd src commit r253066. our man pages had been updated, but i must have missed the following: - getnameinfo.3: 2553 -> 3493 - ip6.4: we listed both. remove 2553.
* VAX ELF userland bits. Consists mostly of register prefix additions.miod2013-07-051-151/+151
|
* spacingderaadt2013-06-111-3/+2
|
* Fix parsing of ambiguous options, the whole loop must be processed.millert2013-06-081-15/+22
| | | | From FreeBSD. OK miod@
* Move _Exit() from the exit() manpage to the _exit() manpage, as it'sguenther2013-06-052-36/+10
| | | | | | just an alias of the latter. ok matthew@ tedu@
* Use the fancy .In macro for includes. From Jan Klemkow. ok jmc schwarzetedu2013-06-05113-379/+379
|
* remove some incredible lies about overlapping buffersderaadt2013-06-042-22/+10
| | | | ok guenther
* Two small cleanups to atexit: remove unneeded __atexit_invalid, andmatthew2013-06-022-12/+5
| | | | | | | move the call_depth decrement so it happens unconditionally and can still return to 0 when called with dso!=NULL. ok millert
* trailing whitespace makes 'make depend' sad. ok mpi@dtucker2013-06-021-2/+2
|
* Fix catopen(3) for UTF-8 locales and update the implementation to POSIX-2008.stsp2013-06-011-2/+2
| | | | | | | | | Catalogs had an arbitrary character set which was used regardless of locale. Add UTF-8-encoded catalogs for libc error messages, and rename existing ones to indicate their character sets. catopen(3) now chooses a catalog which matches the locale's encoding, if available. help & ok matthew, man page bits ok jmc, input from naddy and bluhm
* Switch to using unhyphenated VIA padlock mnemonics. VIA abandoned thematthew2013-05-302-4/+4
| | | | | | | | hyphen in their official programming guide sometime between 2003 and 2005, and Clang's integrated assembler does not support hyphenated mnemonics. ok jsg, deraadt
* Remove useless include.ajacoutot2013-05-301-2/+1
| | | | ok millert@
* typo: compare len against null needle, not haystackajacoutot2013-05-151-2/+2
| | | | | | from Alf Schlichting ok millert@
* Add an implementation of memmem() -- from FreeBSD with some tweaks.ajacoutot2013-05-133-4/+145
| | | | | | | | | Requires a libc minor bump, committing now so that we have up-to-date snapshots for the upcoming hackathon. joint work with millert@ man page bits ok jmc@ input and ok millert@, guenther@, deraadt@
* Hook up fmemopen and open_memstream tests.mpi2013-05-021-3/+4
|
* use FD_CLOEXEC instead of 1; from David Hillokan2013-04-291-2/+2
| | | | ok otto
* tweak a few commentstedu2013-04-211-5/+7
|
* this man page is mostly about password hashing now (you really don'ttedu2013-04-211-18/+5
| | | | | want to be using DES) and some of the notes about the export controls are no longer so relevant. ok deraadt jmc
* Xr encrypt(1) to give people a hint if they just want a password stringtedu2013-04-201-2/+3
|
* surround the error strings with quotes to clarify exactly which stringstedu2013-04-171-5/+5
| | | | the function is going to return.
* the tiniest of style tweakstedu2013-04-171-7/+7
|
* add some prototypes, casts, includes, parenthesis, and whatnot totedu2013-04-173-7/+10
| | | | silence some warnings.
* use CLOCK_MONOTONIC, and repair future time_t overflowderaadt2013-04-171-8/+8
| | | | ok millert guenther
* - Add comments regarding copies of these files also in libexec/ld.sokurt2013-04-051-1/+3
| | | | okay guenther@
* Update a comment about standards requirementsguenther2013-04-031-4/+4
|
* Set the stream orientation in open_{,w}memstream().guenther2013-04-031-1/+15
| | | | | | Check it in the regress test ok mpi@
* tweak makefile now that asr is built by default.eric2013-04-011-10/+10
|
* add hostnames which triggered some bugs.eric2013-04-011-2/+2
|
* getaddrinfo is now thread-safe.brad2013-03-311-6/+2
| | | | ok eric@
* Switch libc and libm to use strong aliases rather than weak aliasesmartynas2013-03-282-22/+4
| | | | | | | | | | | where appropriate. Among other things makes the symbols consistent across all architectures (notably where ldbl mantissa is 53 bits). While at it, kill unused LINTLIBRARY/PROTOLIB1 cruft which was there to trick lint into recording the right prototypes for aliased functions. Most of the work done at the awesome n2k13 hackathon. Agreed by kettenis@, guenther@, matthew@.
* add a test case for the icmpv6 issue spotted by naddyeric2013-03-284-10/+26
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-17 16:47:06 +0000