path: root/src
Commit message | Author | Age | Files | Lines
...
* Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior. | bcook | 2016-06-21 | 6 | -176/+92
  Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok beck@
* Fix a bug loading the default certificate path locations. | bcook | 2016-06-21 | 1 | -9/+7
  The files would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL: https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190 ok beck@
* Set BN_FLG_CONSTTIME on the correct variable. beck committed wrong fix. [libressl-v2.4.1] | tedu | 2016-06-06 | 2 | -4/+4
  Mistake noted by Billy Brumley. Many thanks.
* Correct a problem that prevents the DSA signing algorithm from running | beck | 2016-06-06 | 2 | -8/+12
  in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida.
* LibreSSL 2.4.1 | bcook | 2016-06-06 | 2 | -6/+6
* Fix typo; the period should be outside the parens. From Michael McConville | millert | 2016-06-02 | 1 | -3/+3
* Let netcat support the use of service names instead of port numbers. | beck | 2016-06-02 | 2 | -18/+34
  based on a diff from Andras Farkas <deepbluemistake@gmail.com> ok deraadt@
* Fix misleading indent pointed out by GCC 6.1. [libressl-v2.4.0] | bcook | 2016-05-30 | 1 | -4/+4
  ok beck@ jsing@
* deprecate internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. | beck | 2016-05-30 | 8 | -24/+40
  14 years ago these were changed in OpenSSL to be the same as the _ex functions. We use the _ex functions only internally to ensure it is obvious the ctx must be cleared. ok bcook@
* The icdb magic number doesn't need to be visible to static links | guenther | 2016-05-30 | 1 | -2/+2
  ok tedu@
* Remove dead support for changing BDB hash algorithm and cache of alternatives | guenther | 2016-05-29 | 1 | -5/+4
  ok natano@ millert@ deraadt@
* Nuke sigret.c | beck | 2016-05-29 | 2 | -198/+0
  ok deraadt@ kettenis@
* We don't have sigreturn anymore | beck | 2016-05-29 | 1 | -2/+2
* Prefer AF_* over PF_* and 'address family' over 'protocol family' | guenther | 2016-05-29 | 1 | -9/+9
  ok jung@
* Fix pledge violation with -P s used and we need to supply a password | beck | 2016-05-28 | 1 | -3/+12
  for an http proxy - we need tty in this case. Found and fixed by Anthony Coulter <bsd@anthonycoulter.name>. ok tb@
* Fix nc -verbose mode when used on a unix domain socket. | beck | 2016-05-28 | 1 | -5/+11
  Noticed by and a modified version of fix from <attila@stalphonsos.com>
* rcmd(3) and rcmdsh(3) use getaddrinfo(3) not gethostbyname(3). | millert | 2016-05-28 | 2 | -9/+9
* Use getaddrinfo() instead of the non-standard gethostbyname2(). | millert | 2016-05-28 | 1 | -5/+14
  OK deraadt@ jca@ jung@ florian@
* Rename some of the internal error setting functions to more closely follow | jsing | 2016-05-27 | 3 | -14/+48
  existing naming standards. Also provide functions for setting a struct tls_error * directly (rather than having to have a struct tls * or a struct tls_config *).
* Avoid leaking ca_mem when freeing a tls_config. | jsing | 2016-05-27 | 1 | -1/+2
* Fix function parameters that do not have an underscore prefix. | jsing | 2016-05-27 | 1 | -10/+10
* typo fixes; Anthony Coulter | sthen | 2016-05-27 | 1 | -3/+3
* The destination string is declared as "s" but referred to as "dst" | millert | 2016-05-26 | 1 | -5/+5
  in some cases. Be consistent and use "dst" everywhere like for strlcat(3) and strncat(3). From Tim Kuijsten.
* tests for the two segfaults in backref() that were just fixed | schwarze | 2016-05-26 | 1 | -1/+4
* Fix an oversight that caused the test program to segfault: | schwarze | 2016-05-26 | 1 | -2/+2
  Don't try to calculate strlen(NULL).
* systematically test all combinations of REG_STARTEND, REG_NEWLINE, | schwarze | 2016-05-26 | 1 | -9/+85
  and REG_NOTBOL with line and word anchors
* support for testing REG_STARTEND together with REG_NOTBOL | schwarze | 2016-05-26 | 1 | -1/+4
* use -nameopt esc_msb so "NetLock Kft" cert has the non-ascii | jsg | 2016-05-25 | 1 | -2/+2
  and non-utf8 bytes escaped. ok sthen@
* Remove iruserok(_sa)? and __ivaliduser(sa)? | guenther | 2016-05-23 | 2 | -90/+20
  ok millert@ deraadt@
* Eliminate __check_rhosts_file and __rcmd_errstr: they were only used by | guenther | 2016-05-23 | 1 | -5/+1
  rlogind and rshd (remember them?) ok deraadt@
* Stop exposing <sys/localedef.h> and various symbols internal to the libc | guenther | 2016-05-23 | 1 | -0/+106
  locale implementation: _{Current,Default}*Locale, __[mn]locale_changed, __mb_len_max_runtime ok millert@ schwarze@ deraadt@
* Fix a short-read bug in the previous version of asn1_d2i_read_bio | bcook | 2016-05-20 | 2 | -52/+56
  The outer while() loop is missing, so we only read up to chunk_max bytes.
* remove hppa64 port, which we never got going beyond broken single users. | deraadt | 2016-05-11 | 2 | -314/+0
  hppa reverse-stack gives us a valuable test case, but most developers don't have a 2nd one to proceed further with this. ok kettenis
* Add RETURN VALUES section and .Xr to memmem(3). | schwarze | 2016-05-11 | 1 | -3/+4
  From Michal Mazurek <akfaew at jasminek dot net>. OK tedu@
* Oops: the caching of TCB address in single-threaded processes on archs with | guenther | 2016-05-10 | 1 | -2/+2
  slow TCB_GET (alpha, arm, mips64, sh) was broken when I switched CPP symbols.
* Fix mangled function signatures. | jsing | 2016-05-09 | 1 | -5/+5
  From Carlin Bingham <cb at viennan dot net>, thanks!
* Use a Thread Information Block in both single and multi-threaded programs. | guenther | 2016-05-07 | 3 | -135/+252
  This stores errno, the cancelation flags, and related bits for each thread and is allocated by ld.so or libc.a. This is an ABI break from 5.9-stable! Make libpthread dlopen'able by moving the cancelation wrappers into libc and doing locking and fork/errno handling via callbacks that libpthread registers when it first initializes. 'errno' *must* be declared via <errno.h> now! Clean up libpthread's symbol exports like libc. On powerpc, offset the TIB/TCB/TLS data from the register per the ELF spec. Testing by various, particularly sthen@ and patrick@ ok kettenis@
* fix for integer overflow in encode and encrypt update functions. | tedu | 2016-05-04 | 4 | -12/+22
  additionally, in EncodeUpdate, if the amount written would overflow, return 0 instead to prevent bugs in the caller. CVE-2016-2105 and CVE-2016-2106 from openssl.
* fix a padding oracle in aesni cbc mac check. there must be enough data | tedu | 2016-05-04 | 2 | -2/+8
  for both the mac and padding bytes. CVE-2016-2107 from openssl
* internal only negative types should not be handled here. | tedu | 2016-05-04 | 6 | -18/+6
  CVE-2016-2108 from openssl.
* be careful about consuming excessive memory by reading in chunks. | tedu | 2016-05-04 | 2 | -28/+74
  CVE-2016-2109 from openssl.
* revert the big change from yesterday to prepare for smaller commits. | tedu | 2016-05-04 | 14 | -110/+60
* prefer limits.h over sys/limits.h | bcook | 2016-05-03 | 2 | -4/+4
* patch from openssl for multiple issues: | tedu | 2016-05-03 | 16 | -60/+530
  missing padding check in aesni functions
  overflow in evp encode functions
  use of invalid negative asn.1 types
  ok beck
* Remove a vax remnant (that was really a no-op anyway). | millert | 2016-05-02 | 1 | -3/+1
* Remove old NeXT-specific cruft. From mmcc@ | millert | 2016-05-01 | 1 | -13/+1
* spelling fix; | jmc | 2016-04-28 | 1 | -2/+2
* Crank majors for lib{crypto,ssl,tls} due to symbol removals, symbol | jsing | 2016-04-28 | 5 | -5/+5
  additions and functionality changes.
* Factor out the keypair handling in libtls. This results in more readable | jsing | 2016-04-28 | 7 | -52/+164
  and self-contained code, while preparing for the ability to handle multiple keypairs. Also provide two additional functions that allow a public certificate and private key to be set with a single function call. ok beck@
* Rework the error handling in libtls so that we can associate errors with | jsing | 2016-04-28 | 5 | -28/+90
  both configuration and contexts. This allows us to propagate errors that occur during configuration, rather than either just failing with no reason or delaying the failure until it can be propagated via the tls context. Also provide a tls_config_error() function for retrieving the last error from a tls_config *. ok bcook@