path: root/src/usr.bin
Commit log; each entry ends with [author, date, files changed, lines -removed/+added]
...
* strip back openssl ca: in particular remove some excessively wordy sections,  [jmc, 2016-07-19, 1 file, -337/+120]
  move some other sections into more relevant places, and remove the example ca file;
* strip back asn1parse; ok beck jsing  [jmc, 2016-07-17, 1 file, -108/+27]
  description of -out altered on jsing's advice
* since we no longer pull source directly from openssl, the time is  [jmc, 2016-07-16, 1 file, -427/+57]
  right to try and trim some of the excess from this page. begin now by cutting some of the fluff from the start. the section on pass phrase arguments goes to the end of the page: it's in the way for now.
* Adjust existing tls_config_set_cipher() callers for TLS cipher group  [jsing, 2016-07-13, 1 file, -2/+2]
  changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@
* Revert previous since the libtls change has been reverted.  [jsing, 2016-07-07, 1 file, -16/+24]
* Remove manual file loading (now that libtls does this for us) and adjust  [jsing, 2016-07-06, 1 file, -24/+16]
  pledge to match. Also use tls_config_error() to provide friendlier error messages.
* do not uppercase "hop limit";  [jmc, 2016-07-02, 1 file, -4/+4]
* Simplify IP proto-specific sockopt error handling.  [bcook, 2016-07-01, 1 file, -34/+26]
  This makes error messages more specific and simplifies masking compatible sections for the portable version. ok beck@
* Add -M and -m options to specify the outgoing and incoming minimum TTL  [jca, 2016-06-28, 2 files, -9/+52]
  Req by and ok bluhm@
* If, in an error path, close() is called, save errno so that the original error  [deraadt, 2016-06-28, 1 file, -5/+13]
  is shown by errx ok millert krw
* Be more careful initializing and tracking socket s through main, this is  [deraadt, 2016-06-27, 1 file, -7/+6]
  so complicated that a future refactoring could easily introduce a bug. ok millert krw
* whitespace  [deraadt, 2016-06-27, 1 file, -2/+2]
* Fix a bug loading the default certificate path locations.  [bcook, 2016-06-21, 1 file, -9/+7]
  The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL: https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190 ok beck@
* Let netcat support the use of service names instead of port numbers.  [beck, 2016-06-02, 2 files, -18/+34]
  based on a diff from Andras Farkas <deepbluemistake@gmail.com> ok deraadt@
* Fix pledge violation with -P s used and we need to supply a password  [beck, 2016-05-28, 1 file, -3/+12]
  for an http proxy - we need tty in this case. Found and fixed by Anthony Coulter <bsd@anthonycoulter.name>. ok tb@
* Fix nc -verbose mode when used on a unix domain socket.  [beck, 2016-05-28, 1 file, -5/+11]
  Noticed by and a modified version of fix from <attila@stalphonsos.com>
* add "dns" to openssl ocsp  [semarie, 2016-04-26, 1 file, -2/+2]
  problem reported by Alexandre (kAworu) ok beck@ deraadt@ sthen@
* hexidecimal->hexadecimal; from mmcc  [jmc, 2016-04-07, 1 file, -4/+4]
  ok beck
* word fix from previous; ok sthen  [jmc, 2016-02-12, 1 file, -3/+3]
* sslv3 has been removed;  [jmc, 2016-02-08, 1 file, -16/+21]
  prompted by a mail from jiri navratil help/ok sthen
* Use the correct values for TLS certificate / private key flags.  [bcook, 2016-01-04, 1 file, -5/+5]
  fix from Andreas Bartelt <obsd at bartula.de>
* include time.h over sys/time.h for ctime(3)  [bcook, 2015-12-28, 1 file, -2/+2]
  ok beck@
* more e-mail -> email  [mmcc, 2015-12-24, 2 files, -5/+5]
* remove NULL-check before free()  [mmcc, 2015-12-23, 1 file, -3/+2]
* Add missing colon after "Peer name" in verbose output. Mentioned on the  [mmcc, 2015-12-17, 1 file, -2/+2]
  lists recently.
* clean up some unused variables, and add the printing of the certificate validity  [beck, 2015-12-16, 1 file, -4/+7]
  to the verbose output when using tls - from rob@2keys.ca ok mmcc@ jsing@ deraadt@
* Specify SOCKS version in error messages. ok deraadt@  [mmcc, 2015-12-10, 1 file, -3/+3]
* Map SOCKS error codes to error strings. With input from deraadt@  [mmcc, 2015-12-10, 1 file, -5/+61]
* pledge nc better - Load the certificate into memory and then do the pledge,  [beck, 2015-12-08, 1 file, -5/+21]
  this allows us to drop the rpath from the nc pledge. ok deraadt@, tedu@
* Get rid of modulo bias and replace the naive shuffle by the  [tb, 2015-12-07, 1 file, -20/+16]
  Knuth-Fisher-Yates shuffle to make the random sequence of ports less biased. Based on the implementation in sys/netinet/ip_id.c. With helpful input from daniel@ and beck@ ok beck@ despite eye twitching
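Added example, not code from the netcat tree or from tb@'s commit: the two pieces that commit message names, side by side with the naive version it replaced. `biased_below()` is the `rand % upper` pattern whose low residues come up slightly more often whenever `upper` does not divide 2^32; `uniform_below()` is the rejection scheme arc4random_uniform(3) uses; `shuffle_ports()` is the Knuth/Fisher-Yates shuffle over a range of ports. A seeded xorshift32 (`rng32`, constructed here so the example runs off OpenBSD and deterministically) stands in for arc4random(3); it is not a CSPRNG and real code should call arc4random()/arc4random_uniform() instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for arc4random(3): seeded xorshift32 so the example
 * is portable and reproducible.  NOT cryptographically secure. */
static uint32_t rng_state = 0x9e3779b9u;

static uint32_t
rng32(void)
{
	uint32_t x = rng_state;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return rng_state = x;
}

/* The naive draw: unless upper divides 2^32, the residues below
 * 2^32 mod upper are hit one extra time per 2^32 draws (modulo bias). */
uint32_t
biased_below(uint32_t upper)
{
	return upper ? rng32() % upper : 0;
}

/* Unbiased bounded draw, same rejection scheme as arc4random_uniform(3):
 * discard raw values below 2^32 mod upper so every residue class keeps an
 * equal number of accepted inputs.  Each iteration rejects with p < 1/2. */
uint32_t
uniform_below(uint32_t upper)
{
	uint32_t r, min;

	if (upper < 2)
		return 0;
	min = -upper % upper;	/* == (2^32 - upper) mod upper == 2^32 mod upper */
	for (;;) {
		r = rng32();
		if (r >= min)
			break;
	}
	return r % upper;
}

/* Knuth/Fisher-Yates: walk from the end, swapping position i with a
 * uniformly chosen j in [0, i].  With an unbiased uniform_below() every
 * permutation is equally likely. */
void
shuffle_ports(uint16_t *ports, size_t n)
{
	size_t i, j;
	uint16_t t;

	if (n < 2)
		return;
	for (i = n - 1; i > 0; i--) {
		j = uniform_below((uint32_t)(i + 1));
		t = ports[i]; ports[i] = ports[j]; ports[j] = t;
	}
}

/* Fill ports[] with lo..hi inclusive and shuffle; returns the count,
 * or 0 if the range is empty or does not fit in cap. */
size_t
shuffled_port_range(uint16_t lo, uint16_t hi, uint16_t *ports, size_t cap)
{
	size_t n, i;

	if (hi < lo)
		return 0;
	n = (size_t)hi - lo + 1;
	if (n > cap)
		return 0;
	for (i = 0; i < n; i++)
		ports[i] = (uint16_t)(lo + i);
	shuffle_ports(ports, n);
	return n;
}

/* Sanity check: ports[] holds each value of lo..lo+n-1 exactly once. */
int
is_permutation(const uint16_t *ports, size_t n, uint16_t lo)
{
	unsigned char seen[65536] = {0};
	size_t i;

	for (i = 0; i < n; i++) {
		if (ports[i] < lo || (size_t)(ports[i] - lo) >= n || seen[ports[i]])
			return 0;
		seen[ports[i]] = 1;
	}
	return 1;
}

int
main(void)
{
	uint16_t ports[16];
	size_t n = shuffled_port_range(8000, 8015, ports, sizeof ports / sizeof ports[0]), i;

	for (i = 0; i < n; i++)
		printf("%u%s", ports[i], i + 1 < n ? " " : "\n");
	return is_permutation(ports, n, 8000) ? 0 : 1;
}
```

The `min` computation is the whole trick: with a 32-bit source and `upper` = 7, 2^32 mod 7 = 4, so raw values 0..3 are rejected and the remaining 2^32 - 4 values split into exactly (2^32 - 4)/7 per residue.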
* s_server also needs DNS; reported by tb@  [jca, 2015-12-01, 1 file, -2/+2]
* Undo previous, pledge("dns") was already present. The problem was in s_server.  [jca, 2015-12-01, 2 files, -4/+4]
* pledge dns so openssl can use dns.. noticed and fix by todd@  [beck, 2015-12-01, 2 files, -4/+4]
  ok jcs@ deraadt@ theo@
* rename variable 'sun' to allow building on Solaris  [bcook, 2015-11-23, 1 file, -13/+13]
  ok deraadt@
* In pledge(), put "dns" right after "inet".  [jca, 2015-11-21, 2 files, -4/+4]
* Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.  [jca, 2015-11-21, 2 files, -4/+4]
  From todd@
* do not need sys/param.h  [deraadt, 2015-11-20, 1 file, -1/+0]
* mutli -> multi  [miod, 2015-11-14, 2 files, -4/+4]
* Since rtable was hoisted to the top with setrtable, it should have no  [deraadt, 2015-11-13, 1 file, -10/+7]
  bearing on the following pledge setups anymore. ok benno
* with -V argument, don't set rtable on the socket, instead set it for the whole  [benno, 2015-11-12, 1 file, -15/+4]
  process, before pledge(). This way the rtable can be pledged too. the discussion about removing -V is postponed. diff from beck@, i wrote the same diff without seeing his, and various people at u2k15 agreed this is the right thing to do. ok phessler@
* KNF; from Rob Pierce  [deraadt, 2015-11-01, 1 file, -3/+3]
* Initial pledge of netcat - unfortunately flawed because fiddling the rtableid  [beck, 2015-10-23, 1 file, -1/+27]
  in a socket option can be pretty scary and there is no better interface for this. so if the -V option is used you get no pledge at all.. Otherwise, do what works for the various options. Still needs refinement for tls to drop rpath, and a better solution for the routing table stuff
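Added example, not code from nc(1) or from any of the commits above: the ordering the three netcat pledge commits converge on (beck@'s initial pledge, benno@'s "setrtable before pledge()", beck@'s "load the certificate into memory and then do the pledge"). Everything that needs ambient privilege or the filesystem is done first, then a single pledge(2) with only what the rest of the run needs: no "rpath" because the cert is already in memory, no routing-table access because setrtable(2) already ran, and "tty" only when a proxy password prompt is coming (the -P violation fixed above). `struct nc_opts`, `load_file`, `build_promises` and `setup_and_pledge` are names invented here; the `#ifndef __OpenBSD__` stubs are a constructed compat layer so the example compiles elsewhere, and the second pledge argument is NULL, which is valid for both the 2015 `paths` form and the current `execpromises` form.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/socket.h>		/* setrtable(2); pledge(2) is in <unistd.h> */
#else
/* Constructed compat stubs (assumption: how a portable build would paper
 * over the missing syscalls) so this compiles and runs off OpenBSD. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int setrtable(int rtableid)
{ (void)rtableid; return 0; }
#endif

struct nc_opts {
	const char *certfile;	/* -C client certificate, NULL if no TLS */
	int rtable;		/* -V routing table, -1 if not given */
	int proxy_password;	/* -P proxy user that will prompt: needs "tty" */
	int unix_socket;	/* -U: AF_UNIX, so no "inet dns" */
};

/* Slurp a file into a NUL-terminated heap buffer.  Runs BEFORE pledge so
 * "rpath" can be left out of the promises afterwards. */
static char *
load_file(const char *path, size_t *lenp)
{
	FILE *fp;
	char *buf = NULL, *nbuf;
	size_t len = 0, cap = 0, n;
	int saved;

	if ((fp = fopen(path, "r")) == NULL)
		return NULL;
	do {
		if (len == cap) {
			cap = cap ? cap * 2 : 4096;
			if ((nbuf = realloc(buf, cap + 1)) == NULL)
				goto fail;
			buf = nbuf;
		}
		n = fread(buf + len, 1, cap - len, fp);
		len += n;
	} while (n > 0);
	if (ferror(fp))
		goto fail;
	fclose(fp);
	buf[len] = '\0';
	*lenp = len;
	return buf;
fail:
	saved = errno;		/* don't let fclose() clobber the real cause */
	free(buf);
	fclose(fp);
	errno = saved;
	return NULL;
}

/* Promise set for the options in effect, assuming the cert is already in
 * memory and the rtable already set (so neither rpath nor route is needed). */
int
build_promises(const struct nc_opts *o, char *buf, size_t sz)
{
	int n = snprintf(buf, sz, "stdio %s%s",
	    o->unix_socket ? "unix" : "inet dns",
	    o->proxy_password ? " tty" : "");

	return (n < 0 || (size_t)n >= sz) ? -1 : 0;
}

/* Ambient setup first, then one tight pledge.  On success *cert holds the
 * loaded certificate (or NULL) and promises holds the string pledged. */
int
setup_and_pledge(const struct nc_opts *o, char **cert, size_t *certlen,
    char *promises, size_t psz)
{
	*cert = NULL;
	*certlen = 0;
	if (o->rtable >= 0 && setrtable(o->rtable) == -1)	/* whole process */
		return -1;
	if (o->certfile != NULL &&
	    (*cert = load_file(o->certfile, certlen)) == NULL)
		return -1;				/* errno from fopen/read */
	if (build_promises(o, promises, psz) == -1 ||
	    pledge(promises, NULL) == -1) {
		free(*cert);
		*cert = NULL;
		return -1;
	}
	return 0;
}
```

After `setup_and_pledge()` returns 0 the process can no longer open files, so anything else that reads from disk (resolver configuration is covered by "dns", not "rpath") has to happen before this call as well; that is exactly the kind of ordering bug the two 2015-12-01 s_client/s_server commits were chasing in openssl(1).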
* Exit if a pledge call fails in non-interactive mode.  [doug, 2015-10-17, 45 files, -89/+179]
  ok semarie@
* add "tty" for several subcommands of openssl  [semarie, 2015-10-17, 24 files, -48/+48]
  it is needed in order to let libssl UI_* functions play with echo on/off when asking for password on terminal. passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@
* Implement real "flock" request and add it to userland programs that  [millert, 2015-10-16, 1 file, -2/+2]
  use pledge and file locking. OK deraadt@
* Userspace doesn't need to use SUN_LEN(): connect() and bind() must accept  [guenther, 2015-10-11, 1 file, -8/+3]
  sizeof(struct sockaddr_un), so do the simple, portable thing ok beck@ deraadt@
* Initial support for pledges in openssl(1) commands.  [doug, 2015-10-10, 47 files, -46/+281]
  openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.
* normalize the ordering of tame requests (particularly, "rpath wpath cpath",  [deraadt, 2015-10-10, 1 file, -2/+2]
  which i have put in that order). this is not important, but helps look for outliers which might be strange. it hints that "ioctl" should be reassessed in a few places, to see if "tty" is better; that "unix" may be used in some places where "route" could now work.
* Change all tame callers to namechange to pledge(2).  [deraadt, 2015-10-09, 1 file, -3/+3]
* tame "stdio inet rpath cpath wpath proc" seems to be sufficient for  [deraadt, 2015-10-07, 1 file, -1/+7]
  all the wading in here. "proc" is for the speed command, which fork()'s. ok doug