| | Commit message | Author | Age | Files | Lines |
---|---|---|---|---|---|
* | add "dns" to openssl ocsp | semarie | 2016-04-26 | 1 | -2/+2 |
| | problem reported by Alexandre (kAworu) ok beck@ deraadt@ sthen@ | | | | |
* | hexidecimal->hexadecimal; from mmcc | jmc | 2016-04-07 | 1 | -4/+4 |
| | ok beck | | | | |
* | word fix from previous; ok sthen | jmc | 2016-02-12 | 1 | -3/+3 |
* | sslv3 has been removed; | jmc | 2016-02-08 | 1 | -16/+21 |
| | prompted by a mail from jiri navratil help/ok sthen | | | | |
* | Use the correct values for TLS certificate / private key flags. | bcook | 2016-01-04 | 1 | -5/+5 |
| | fix from Andreas Bartelt <obsd at bartula.de> | | | | |
* | include time.h over sys/time.h for ctime(3) | bcook | 2015-12-28 | 1 | -2/+2 |
| | ok beck@ | | | | |
* | more e-mail -> email | mmcc | 2015-12-24 | 2 | -5/+5 |
* | remove NULL-check before free() | mmcc | 2015-12-23 | 1 | -3/+2 |
* | Add missing colon after "Peer name" in verbose output. Mentioned on the | mmcc | 2015-12-17 | 1 | -2/+2 |
| | lists recently. | | | | |
* | clean up some unused variables, and add the printing of the certificate validity | beck | 2015-12-16 | 1 | -4/+7 |
| | to the verbose output when using tls - from rob@2keys.ca ok mmcc@ jsing@ deraadt@ | | | | |
* | Specify SOCKS version in error messages. ok deraadt@ | mmcc | 2015-12-10 | 1 | -3/+3 |
* | Map SOCKS error codes to error strings. With input from deraadt@ | mmcc | 2015-12-10 | 1 | -5/+61 |
* | pledge nc better - Load the certificate into memory and then do the pledge, | beck | 2015-12-08 | 1 | -5/+21 |
| | this allows us to drop the rpath from the nc pledge. ok deraadt@, tedu@ | | | | |
* | Get rid of modulo bias and replace the naive shuffle by the | tb | 2015-12-07 | 1 | -20/+16 |
| | Knuth-Fisher-Yates shuffle to make the random sequence of ports less biased. Based on the implementation in sys/netinet/ip_id.c. With helpful input from daniel@ and beck@ ok beck@ despite eye twitching | | | | |
* | s_server also needs DNS; reported by tb@ | jca | 2015-12-01 | 1 | -2/+2 |
* | Undo previous, pledge("dns") was already present. The problem was in s_server. | jca | 2015-12-01 | 2 | -4/+4 |
* | pledge dns so openssl can use dns.. noticed and fix by todd@ | beck | 2015-12-01 | 2 | -4/+4 |
| | ok jcs@ deraadt@ theo@ | | | | |
* | rename variable 'sun' to allow building on Solaris | bcook | 2015-11-23 | 1 | -13/+13 |
| | ok deraadt@ | | | | |
* | In pledge(), put "dns" right after "inet". | jca | 2015-11-21 | 2 | -4/+4 |
* | Unbreak s_client, which should be allowed by pledge(2) to do DNS requests. | jca | 2015-11-21 | 2 | -4/+4 |
| | From todd@ | | | | |
* | do not need sys/param.h | deraadt | 2015-11-20 | 1 | -1/+0 |
* | mutli -> multi | miod | 2015-11-14 | 2 | -4/+4 |
* | Since rtable was hoisted to the top with setrtable, it should have no | deraadt | 2015-11-13 | 1 | -10/+7 |
| | bearing on the following pledge setups anymore. ok benno | | | | |
* | with -V argument, don't set rtable on the socket, instead set it for the whole | benno | 2015-11-12 | 1 | -15/+4 |
| | process, before pledge(). This way the rtable can be pledged too. The discussion about removing -V is postponed. diff from beck@, I wrote the same diff without seeing his, and various people at u2k15 agreed this is the right thing to do. ok phessler@ | | | | |
* | KNF; from Rob Pierce | deraadt | 2015-11-01 | 1 | -3/+3 |
* | Initial pledge of netcat - unfortunately flawed because fiddling the rtableid | beck | 2015-10-23 | 1 | -1/+27 |
| | in a socket option can be pretty scary and there is no better interface for this. so if the -V option is used you get no pledge at all.. Otherwise, do what works for the various options. Still needs refinement for tls to drop rpath, and a better solution for the routing table stuff | | | | |
* | Exit if a pledge call fails in non-interactive mode. | doug | 2015-10-17 | 45 | -89/+179 |
| | ok semarie@ | | | | |
* | add "tty" for several subcommands of openssl | semarie | 2015-10-17 | 24 | -48/+48 |
| | it is needed in order to let libssl UI_* functions play with echo on/off when asking for password on terminal. passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT \| O_TRUNC). problem reported by several with and ok doug@ | | | | |
* | Implement real "flock" request and add it to userland programs that | millert | 2015-10-16 | 1 | -2/+2 |
| | use pledge and file locking. OK deraadt@ | | | | |
* | Userspace doesn't need to use SUN_LEN(): connect() and bind() must accept | guenther | 2015-10-11 | 1 | -8/+3 |
| | sizeof(struct sockaddr_un), so do the simple, portable thing ok beck@ deraadt@ | | | | |
* | Initial support for pledges in openssl(1) commands. | doug | 2015-10-10 | 47 | -46/+281 |
| | openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach. | | | | |
* | normalize the ordering of tame requests (particularly, "rpath wpath cpath", | deraadt | 2015-10-10 | 1 | -2/+2 |
| | which I have put in that order). this is not important, but helps look for outliers which might be strange. it hints that "ioctl" should be reassessed in a few places, to see if "tty" is better; that "unix" may be used in some places where "route" could now work. | | | | |
* | Change all tame callers to namechange to pledge(2). | deraadt | 2015-10-09 | 1 | -3/+3 |
* | tame "stdio inet rpath cpath wpath proc" seems to be sufficient for | deraadt | 2015-10-07 | 1 | -1/+7 |
| | all the wading in here. "proc" is for the speed command, which fork()'s. ok doug | | | | |
* | these do not use ioctl.h | deraadt | 2015-10-06 | 2 | -4/+2 |
* | BIO_get_fd() could return fd 0; fix error condition. Found at | deraadt | 2015-10-03 | 1 | -2/+2 |
| | http://marc.info/?l=openssl-dev&m=144374015404899&w=2 ok doug | | | | |
* | avoid sys/param.h, by using PATH_MAX | deraadt | 2015-10-02 | 1 | -1/+1 |
* | Another s/M_ASN1_INTEGER_free/ASN1_INTEGER_free/. | jsing | 2015-10-01 | 1 | -2/+2 |
| | Found the hard way by Mark Patruck. | | | | |
* | avoid trailing .Ns, reduce .Xo and .Sm, drop redundant .Bk | schwarze | 2015-09-25 | 1 | -12/+4 |
* | add a missing NULL check | bcook | 2015-09-21 | 1 | -1/+5 |
| | noted by Bill Parker (dogbert2) on github | | | | |
* | add a couple of missing NULL checks | bcook | 2015-09-21 | 1 | -3/+3 |
| | noted by Bill Parker (dogbert2) on github | | | | |
* | remove vestigial bits of sha-0 and md2 from openssl(1) | bcook | 2015-09-21 | 5 | -23/+17 |
| | Noted by kinichiro on github. We probably need a better way to indicate the list of message digests that are allowed, as the current ones are nowhere near exhaustive (sigh - guenther@) OK guenther@ jmc@ | | | | |
* | Pack the algorithm numbers, to avoid printing a useless (null) 0 0 0 0 | miod | 2015-09-20 | 1 | -34/+34 |
| | line in the summary. | | | | |
* | Temporarily revive MD4 for MS CHAP support. | doug | 2015-09-14 | 5 | -16/+49 |
* | Remove MD4 support from LibreSSL. | doug | 2015-09-13 | 5 | -48/+15 |
| | MD4 should have been removed a long time ago. Also, RFC 6150 moved it to historic in 2011. Rides the major crank from removing SHA-0. Discussed with many including beck@, millert@, djm@, sthen@ ok jsing@, input + ok bcook@ | | | | |
* | nc(1) seems worth an Xr in SEE ALSO now; | jmc | 2015-09-13 | 1 | -1/+2 |
* | Factor out setup_up / destroy_ui functions. | bcook | 2015-09-13 | 4 | -58/+58 |
| | This pulls out and renames setup_ui/destroy_ui so we have something that can be replaced as-needed, moving the console setup code for Windows to app_win.c in -portable, instead of needing a local patch to enable binary console mode ui_read/write are also simplified. | | | | |
* | document extra algorithms available with openssl speed command | bcook | 2015-09-13 | 1 | -1/+4 |
| | ok jmc@ | | | | |
* | display negotiated TLS version and cipher suite in verbose mode. | beck | 2015-09-13 | 1 | -2/+3 |
| | ok jsing@ | | | | |
* | tweak STANDARDS; | jmc | 2015-09-13 | 1 | -3/+3 |