On Mon, 5 May 2014, Jean-Philippe Ouellet wrote:
On Mon, May 05, 2014 at 11:12:00AM +1000, Joel Sing wrote:
- i = 0;
if (arg-count == 0) {
arg-count = 20;
- arg-data = (char **)malloc(sizeof(char *) * arg-count);
+ arg-data = calloc(arg-count
Thanks for the diff - I've committed a more comprehensive diff that makes it
clean with WARNINGS=Yes.
On Mon, 12 May 2014, bust...@gmail.com wrote:
From: Brent Cook bust...@gmail.com
---
base64/base64test.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git
On Mon, 12 May 2014, bust...@gmail.com wrote:
From: Brent Cook bust...@gmail.com
---
rc4/rc4test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/rc4/rc4test.c b/rc4/rc4test.c
index a0b08a6..c4d34b1 100644
--- a/rc4/rc4test.c
+++ b/rc4/rc4test.c
@@ -60,6 +60,7 @@
#include
On Sat, 31 May 2014, Benjamin Baier wrote:
This one splits up the malloc parameter, taking full potential from calloc,
hurting readability a bit. which one is preferred? more
readable/maintainable or using the calloc overflow protection?
In this case I think readability wins. I do not believe
On Sun, 1 Jun 2014, Brent Cook wrote:
clang warning:
pem/pem_lib.c:472:6: error: variable 'i' is used uninitialized whenever
'if' condition is false [-Werror,-Wsometimes-uninitialized]
if (o)
^
pem/pem_lib.c:479:7: note: uninitialized use occurs here
j += i;
On Sun, 1 Jun 2014, Brent Cook wrote:
Since the random number generator no longer allows being seeded, remove
support for parsing the unused -rand option and the unused random buffer
variables. Better to fail than to be surprised when the RNG seed does not
function as expected.
This fixes
On Sat, 7 Jun 2014, John-Mark Gurney wrote:
Hello,
I've been doing some work recently on crypto code, and noticed that
there aren't many/any good clean implementations of performant crypto
code out there (or maybe I just don't know of them). Both OpenSSL's
and NSS's code has issues w/
Commited. Thanks.
On Sun, 1 Jun 2014, Benjamin Baier wrote:
On Sun, 1 Jun 2014 00:57:43 +1000
Joel Sing j...@sing.id.au wrote:
In this case I think readability wins. I do not believe that there is a
lot to gain from overflow protection given the numbers used in these
calculations
On Sun, 29 Jun 2014, Stuart Henderson wrote:
Does anyone have ideas about this before I start digging to find when
it got broken?
Still digging, but it looks like it will be caused by crypto/pkcs7/pk7_doit.c.
r1.20...
On -current:
| $ echo test message | openssl smime -sign -signer
On Mon, 30 Jun 2014, Joel Sing wrote:
On Sun, 29 Jun 2014, Stuart Henderson wrote:
Does anyone have ideas about this before I start digging to find when
it got broken?
Still digging, but it looks like it will be caused by
crypto/pkcs7/pk7_doit.c. r1.20...
The following diff resolves
On Thu, 31 Jul 2014, Joel Sing wrote:
On Thu, 31 Jul 2014, Dmitry Eremin-Solenikov wrote:
Hello,
I have spotted a problem with the patch of crypto/evp/encode.c done by
jsing on May 3.
Sometimes decoding of base64 will fail. For example the attached file
will fail decodiding
On Mon, 11 Aug 2014, Nicholas Wilson wrote:
Hi Ingo,
On 10 August 2014 15:54, Ingo Schwarze schwa...@usta.de wrote:
Portability goo clutters code and reduces readability, and hence
endangers correctness and security ...
Making a portable version is *impossible*
without some clutter
On Fri, 12 Sep 2014, Ted Unangst wrote:
On Wed, Sep 10, 2014 at 16:38, Ted Unangst wrote:
On Fri, Aug 15, 2014 at 13:06, Ted Unangst wrote:
Instead, ressl should copy all parameters as necessary and
free them. This does introduce an error case into formerly void
functions, but I think
On Wed, 1 Oct 2014, Stuart Henderson wrote:
Over the coming months, web browsers will progressively start to first
warn for certificate chains including SHA-1 hashes, then treat them
as insecure (including disabling certain content - scripts etc).
Chrome are initially doing this for certs
On Wed, 1 Oct 2014, Joel Sing wrote:
On Wed, 1 Oct 2014, Stuart Henderson wrote:
Over the coming months, web browsers will progressively start to first
warn for certificate chains including SHA-1 hashes, then treat them
as insecure (including disabling certain content - scripts etc
I should also add that the other obvious/easy fix is to initialise digest
in openssl/req.c to the SHA-256 EVP. That only changes 'openssl req'
though.
(and yes, clearly I've spent too much time in this code base recently...
:)
Index: openssl.cnf
On Fri, 31 Oct 2014, Ted Unangst wrote:
Don't need BUF_ and its NULL arg handling here.
Looks like you need to cvs up... beck@ nuked these and put BUF_strdup() under
LIBRESSL_INTERNAL about two weeks ago. He missed the comment (second chunk)
though.
Index: x509/x509_trs.c
On Thu, 30 Oct 2014, Jan Klemkow wrote:
Hello,
This diff enables libressl to use two file descriptors for read and
write. This is feature is necessary for communication over two pipes
like in the UCSPI protocol [1]. resslc[3] is a general ssl-client.
+---+ ++
On Sat, 1 Nov 2014, Jan Klemkow wrote:
On Fri, Oct 31, 2014 at 09:18:26PM -0700, Doug Hogan wrote:
On Sat, Nov 01, 2014 at 03:07:24AM +0100, Jan Klemkow wrote:
Index: tls_client.c
===
RCS file:
On Thu, 6 Nov 2014, Daniel wrote:
Looking over libtls it struck me that this is the best-designed TLS
API I've ever seen, so it was a bit disheartening to look at the code
and find that it was mainly just wrapping libssl and abstracting away
its fragile, haphazard design choices. Though even
On Mon, 8 Jul 2013, Damien Miller wrote:
On Sun, 7 Jul 2013, Aaron Stellman wrote:
On Tue, Apr 23, 2013 at 09:08:19AM +0200, Otto Moerbeek wrote:
If there is any interest, I might add the manual stuff, get ok's and
commit it.
I find it useful to have SSLHonorCipherOrder in OpenBSD's
On Fri, 4 Oct 2013, Philip Guenther wrote:
On Fri, 16 Aug 2013, Ted Unangst wrote:
As per http://research.swtch.com/macpprof
We deliver all prof signals to the main thread, which is unlikely to
result in accurate profiling info. I think the diff below fixes things.
How about we take an
On Wed, 27 Nov 2013, Cody Cutler wrote:
hello, the following is my attempt to add duid support to dump.
thanks!
From a quick glance, you should be able to use opendev(3) to open the disk
device (rather than using open), in which case you'll get DUID handling for
free. This also avoids the
On Sat, 8 Mar 2014, Theo de Raadt wrote:
I follow -current for several years but recently a thing puzzles me.
My x200 is a dual-boot system (Seven/OpenBSD -current) and since (I
think) the amd64/i386 installboot change, each time I upgrade via
bsd.rd, I have to generate a new openbsd.pbr
On Wednesday 16 February 2011, Steven R. Gerber wrote:
Sorry for cross posting?
I am trying to setup a decent RAID (0+1 or 1+0 or 5) and there SEEMS to
be no approved method. (4 disks -- I usually like stripe on top of
mirrors.)
I believe that I have done my homework.
What are my options?
On Friday 24 June 2011, Matthew Dempsky wrote:
On Thu, Jun 23, 2011 at 7:29 PM, Kenneth R Westerback
kwesterb...@rogers.com wrote:
I use neither but know people claim to be using one or the other,
but mostly raid(4), a.k.a. raidframe.
Then it sounds like the solution is to subtly break
On Saturday 25 June 2011, Christian Weisgerber wrote:
Matthew Dempsky matt...@dempsky.org wrote:
What should be done about ccd(4) and raid(4)? They both seem
superseded in functionality by softraid(4), which also has much more
developer interest and active development.
Is softraid ready
On Friday 24 June 2011, Benny Lofgren wrote:
On 2011-06-24 01.39, Matthew Dempsky wrote:
What should be done about ccd(4) and raid(4)? They both seem
superseded in functionality by softraid(4), which also has much more
developer interest and active development.
Never used ccd(4) so can't
Currently dkcsumattach() walks the alldevs list whilst performing
operations that will sleep. This is rather bad if the list happens to be
modified (i.e. a device detachs) whilst it is sleeping.
The following diff resolves this issue. The process is very similar to
that used for softraid - we
According to the sysctl(3) man page, calling sysctl with a NULL value for
oldp should result in the current size being returned. This works correctly
for sysctl_rdstring(), but not for sysctl__string().
ok?
Index: kern_sysctl.c
===
The amd64/i386 boot(8) code runs in protected mode, however switches back
to real mode for BIOS calls. The real mode code uses a scratch area located
in the BSS section to load/store registers across BIOS calls. However, once
the BSS moves beyond an offset of 0x (a logical address of 0x5
On Sun, 10 Feb 2013, Scott McEachern wrote:
Moving this to tech.
I tested the patch found at
http://marc.info/?l=openbsd-techm=133513662106783w=2 and can give you
some results.
As you've already discovered, that diff is broken. BIOCVOL does not behave how
the diff assumes - it will return
On Friday 14 January 2011, Ted Unangst wrote:
If I type the wrong password into bioctl at boot, disks don't exist,
filesystems don't get mounted, and generally lots of things go wrong. All
I need is a second chance to remind me to type the right password.
Huh? Both you and Marco rejected this
The following diff factors out the block I/O code that is used within
softraid(4) and also allows it to handle I/Os that exceeds MAXPHYS in
size. This is necessary for some upcoming work.
This diff needs extensive testing since the main purpose is to read and
write the softraid metadata. Bugs in
On Thursday 20 January 2011, Gregory Edigarov wrote:
On Wed, 19 Jan 2011 20:14:01 +1100
Joel Sing j...@sing.id.au wrote:
On Wednesday 19 January 2011, Gregory Edigarov wrote:
Hello,
I have my home system connected via pppoe(4) to a provider and
connection disapears very frequently
On Thursday 20 January 2011, Mike Belopuhov wrote:
On Thu, Jan 20, 2011 at 10:31 +0200, Gregory Edigarov wrote:
--- interrupt ---
end trace frame: 0x0, count: 245
0x8:
End of stack trace.
pppoe0: received unexpected PADO
pppoe0: chap failure
pppoe: GENERIC ERROR: RP-PPPoE: Child
On Tue, 25 Nov 2014, Bernard Spil wrote:
Hi,
Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1
$ /usr/local/bin/openssl version
LibreSSL 2.1
$ uname -a
FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0
r264324M: Tue Nov 11 13:46:58 CET 2014
On Thu, 27 Nov 2014, Manuel Schoelling wrote:
Hi,
I hope this is the right mailing list for discussing this issue. I could
not find any information about a mailing list on libressl.org.
Here is fine.
It currently looks like the libtls version does not set a list of secure
ciphers by
On Wed, 10 Dec 2014, Lukas Tribus wrote:
On 2014/12/09 07:37, Brent Cook wrote:
If an app calls a function, it should probably check if that function
exists during configuration time, rather than inferring if define A
exists, function B and C must exist. Especially things that are just
On Tuesday 06 January 2015, whoami toask wrote:
Hello,
isn't there too much SUID/SGID files on a default OpenBSD install?
Can this number be reduced?
Of course it can!
$ find / -perm -4000 -o -perm -2000 -exec chmod 0 {} \;
Example: why does wall, write, modstat need an SGID?
# uname -a
On Sunday 22 March 2015, Jiří Navrátil wrote:
Good morning Bob,
I did a quick fix
OpenBSD, FreeBSD[2] and many others
Where I can get list of supported operating systems, please? I will add
them.
The current list of platforms supported by LibreSSL portable is available at:
On Tuesday 31 March 2015, Tim van der Molen wrote:
httpd/server.c contains the following:
ret = tls_accept_socket(srv-srv_tls_ctx, clt-clt_tls_ctx,
clt-clt_s);
[...]
} else if (ret != 0) {
log_warnx(%s: TLS accept failed - %s, __func__,
On Tuesday 31 March 2015, Tim van der Molen wrote:
- Correct title.
- tls_accept_socket() also may return TLS_{READ,WRITE}_AGAIN.
I've committed a slightly different version of this and fixed the title -
thanks for the diff.
Index: tls_init.3
On Saturday 25 April 2015, Patrik Lundin wrote:
On Wed, Oct 29, 2014 at 01:24:30AM +1100, Joel Sing wrote:
On Wed, 29 Oct 2014, Joel Sing wrote:
A CRYPTO key disk is slightly special in that it has softraid metadata
but is not technically part of the same volume (well, it is in some
On Friday 15 May 2015, Kyle Thompson wrote:
Very basic patch to turn on server cipher preference in libtls. This
will allow us to always use our cipher preference over what the client
thinks is best. Tested with httpd as the server and openssl as the
client with two ciphers selected.
Should
For those not following source-changes@, I have just re-enabled the RAID 5
discipline for softraid(4).
During the last two hackathons in Dunedin, the RAID 5 implementation was
largely rewritten. As far as I am aware, the last missing part was the lack
of ability to resume a partial rebuild,
On Wednesday 01 April 2015, frantisek holop wrote:
Theo de Raadt, 30 Mar 2015 18:09:
IIRC 'bioctl -d' cannot deal with DUID's.
not a showstopper, just sayin'
Sounds like you might use this. Want to trial a diff that adds
support? If it is wrong, don't worry, someone will hate your bad
On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
Hello,
LibreSSL 2.2 (openbsd-current) fails to connect to
https://webdav.yandex.com.
OpenSSL 1.0.1m from OpenBSD packages does succeed.
Yandex is the largest search engine in Russia. The webdav.yandex.com
site is for
On Wednesday 17 June 2015, Karel Gardas wrote:
Hello,
I'm curious if anybody is working on implementing block-level
checksumming on softraid?
Not that I'm aware of.
Backgroud: I'm comming from Solaris 11/ZFS world and I like ZFS's
focus on data integrity from drive level up to the RAM.
On Tuesday 09 June 2015, Alexey Ivanov wrote:
On Jun 6, 2015, at 5:31 AM, Joel Sing j...@sing.id.au wrote:
On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
Hello,
LibreSSL 2.2 (openbsd-current) fails to connect to
https://webdav.yandex.com.
OpenSSL 1.0.1m
On Friday 29 May 2015, Benjamin Baier wrote:
Hello tech@
buf.data is not initialized up front, which may lead to free(3)'ing a
garbage pointer. Found by llvm/scan-build.
Also free(3) handles NULL. No need to check.
At first glance this is not actually a real problem - free_cont is
On Wednesday 15 July 2015 23:38:33 Jack Burton wrote:
In 5.7-stable -current, httpd, when listening for TLS, does not close
the client socket when tls_accept_socket() returns any non-recoverable
error. The problem manifests most often when a client connects but does
not attempt TLS handshake.
On Friday 10 July 2015 22:01:43 Karel Gardas wrote:
On Fri, Jul 10, 2015 at 9:34 PM, Chris Cappuccio ch...@nmedia.net wrote:
My first impression, offlining the drive after a single chunk failure
may be too aggressive as some errors are a result of issues other than
drive failures.
On Tuesday 25 August 2015 19:19:58 Edgar Pettijohn wrote:
I was curious if this issue is fixed in -current or if there is going to
be a patch available on the errata page?
Yes, this is fixed in -current (and will be in 5.8) - see r1.68 of server.c.
There may be back ports/commits of various
The following diff adds ALPN support to libtls via:
tls_config_set_alpn() - set the ALPN protocols supported by this client/server
tls_conn_alpn_selected() - get the ALPN protocol selected for this connection
ok?
Index: tls.c
===
The following enables SNI support within httpd.
It requires libtls to have server side support for SNI (diff previously
posted).
Index: server.c
===
RCS file: /cvs/src/usr.sbin/httpd/server.c,v
retrieving revision 1.85
diff -u -p
The following diff makes httpd stricter with respect to TLS configuration:
- Do not allow TLS and non-TLS to be configured on the same port.
- Do not allow TLS options to be specified without a TLS listener.
- Ensure that TLS options are the same when a server is specified on the
same
On Thursday 07 July 2016 00:32:04 Ian Mcwilliam wrote:
> Seems changes to pledge have made ntpd abort.
>
> ntpd(67855): syscall 5 "rpath"
> ntpd(81479): syscall 5 "rpath"
>
> Jul 7 10:29:23 ianm-openbsd ntpd[76119]: constraint
> 2404:6800:4006:800::2004; terminated with signal 6 (Abort trap)
On Monday 15 August 2016 13:04:43 Reyk Floeter wrote:
> On Sat, Aug 13, 2016 at 02:57:14AM +1000, Joel Sing wrote:
> > The following diff makes httpd stricter with respect to TLS configuration:
> >
> > - Do not allow TLS and non-TLS to be configured on the same port.
&
On Sunday 05 February 2017 17:05:40 Andreas Bartelt wrote:
> > - What type of public certificate are you using (RSA or ECDSA)?
>
> ECDSA with P-256. Certificate signed by letsencrypt (via RSA).
> Must-staple is enabled - that's why I'm also using the ocsp line for
> testing.
Ah, this was the
On Saturday 04 February 2017 15:51:02 Andreas Bartelt wrote:
> On 02/04/17 05:26, Joel Sing wrote:
> > On Wednesday 01 February 2017 15:41:29 Andreas Bartelt wrote:
> >> Hello,
> >>
> >> after reading the LibreSSL accouncement from today, I assumed that
On Monday 06 February 2017 20:18:48 Andreas Bartelt wrote:
> Yes, right - thanks. I wasn't aware that this is actually a MUST
> requirement from RFC 4492. I'm quite surprised that the "Supported
> Elliptic Curves Extension" is also used in order to specify any allowed
> curves for use in the
On Sunday 05 February 2017 11:13:16 Andreas Bartelt wrote:
> On 02/05/17 07:41, Joel Sing wrote:
> > You can just specify X25519 as a group - it will not appear in `openssl
> > ecparam -list_curves' since it is not a standard EC curve.
>
> thanks - I didn't notice that capita
Thanks for providing some patches, however a few things to note:
- Could you please resend the diffs inline - it makes them much easier to
review and provide feedback/discussion on.
- When generating diffs please create unified diffs (generally `diff -uNp').
- When sending a change, please
On Wednesday 01 February 2017 15:41:29 Andreas Bartelt wrote:
> Hello,
>
> after reading the LibreSSL accouncement from today, I assumed that
> specifying ecdhe "auto" in /etc/httpd.conf would enable X25519, P-256
> and P-384 on current.
This is correct.
> I've noticed that "auto" enables only
On Saturday 24 September 2016 00:13:47 Karel Gardas wrote:
> Hello,
>
> following patch fixes issue while attempting to attach SR RAID1 drive
> where not all chunks provide native metadata. I.e. one chunk is dd
> zeroed. The complain of SR is good one, but I'd think that force
> parameter should
As many of you will already be aware, the OpenSSL 1.1.0 release intentionally
introduced significant API changes from the previous release[0][1]. In summary,
a large number of data structures that were previously publically visible have
been made opaque, with accessor functions being added in
On Sunday 08 January 2017 07:59:34 Shuo Chen wrote:
> Valgrind finds out that conninfo->servername is not free()d by
> tls_conninfo_free().
>
> == HEAP SUMMARY:
> == in use at exit: 83,069 bytes in 2,690 blocks
> == total heap usage: 4,107 allocs, 1,417 frees,
> ==
On Thursday 06 April 2017 16:38:26 Tom Smyth wrote:
> Hello all,
>
> I was installing relayd as a loadbalancer (and ssl terminator) on
> OpenBSD6.0
> amd64 base install,
>
> I used the following configuration for my /etc/relayd.conf file
>
> http protocol https {
> match request header
On Saturday 29 July 2017 20:49:18 Jan Klemkow wrote:
> Hi Jack,
>
> On Fri, Jul 28, 2017 at 02:05:34AM +0930, Jack Burton wrote:
> > On Thu, 27 Jul 2017 13:10:14 +0200
> >
> > > But, I found a bug in the part of the FastCGI variables. The
> > > following condition is always false.
> > >
> > >
On Thursday 18 May 2017 07:03:31 Kyle J. McKay wrote:
> Some services are still provided using TLS 1.0 and older ciphers.
> It is possible to use the nc command to connect to these services
> using the "-T tlsall" option, but that also enables legacy and
> insecure ciphers and is not desirable.
>
On Friday 10 November 2017 11:58:04 Stuart Henderson wrote:
>
> From an irc contact using LibreSSL 2.6.3 on FreeBSD:
>
> 11:14 < matt> Nov 10 11:06:06 tao postfix/smtpd[77685]: Anonymous TLS
> connection established from email.morrisons.com[192.86.55.223]: TLSv1 with
> cipher DHE-RSA-AES256-SHA
On Monday 04 December 2017 15:54:35 Giovanni Bechis wrote:
> On 12/04/17 13:19, Giovanni Bechis wrote:
> > On 11/10/17 17:46, Joel Sing wrote:
> > [...]
> >
> >> I suspect this is going to be difficult to track down without being able
> >&
On Monday 04 December 2017 13:19:41 Giovanni Bechis wrote:
> On 11/10/17 17:46, Joel Sing wrote:
> [...]
>
> > I suspect this is going to be difficult to track down without being able
> > to see what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in
> > postfix)
On Wednesday 16 May 2018 17:32:56 Jack Burton wrote:
> My attempts to get this accepted last year stalled.
>
> As best I recall, the main stumbling block was agreeing on how much /
> exactly which client cert data to pass through to fastcgi (my view was
> that passing the whole client cert chain
The following diff converts the openssl(1) genpkey option handling to the
options handling framework.
ok?
Index: genpkey.c
===
RCS file: /cvs/src/usr.bin/openssl/genpkey.c,v
retrieving revision 1.11
diff -u -p -r1.11 genpkey.c
---
On Sunday 19 August 2018 08:44:24 Theo Buehler wrote:
> Coverity complains about the case where EVP_Digest() fails, but there
> are a couple more.
One thing worth mentioning... previously it would return -1 without setting an
error, whereas now it will always set RSA_R_OAEP_DECODING_ERROR (even
On Tuesday 06 November 2018 00:39:11 Luigi30 wrote:
> Hi,
>
> As someone with interests in kernel development and a lot of spare
> time, I want to work on OS patches. I just installed OpenBSD 6.4 in a
> clean development VM and started building the -current branch from CVS
> to get up to date
On 20-06-05 22:42:17, Klemens Nanni wrote:
> On Mon, Jun 01, 2020 at 11:48:05PM +0200, Klemens Nanni wrote:
> > Installing an unstripped boot loader on softraid on sparc64 fails
> > without proper error message.
> >
> > Make BIOCINSTALLBOOT return a proper errno, make installboot(8) use it
> > to
On 21-02-15 14:49:46, Jan Klemkow wrote:
> On Sat, Feb 13, 2021 at 03:53:48PM +0100, Theo Buehler wrote:
> > On Sat, Feb 13, 2021 at 11:58:04AM +0100, Jan Klemkow wrote:
> > > A coworker of mine has made tests with LibreSSL [1] and found some
> > > regressions. I took his test descriptions and
On 23-08-17 02:21:18, Klemens Nanni wrote:
> On Fri, Aug 11, 2023 at 03:44:46PM +, Klemens Nanni wrote:
> > On Wed, Aug 02, 2023 at 10:37:36AM +, Klemens Nanni wrote:
> > > Creating new volumes prompts
> > > Passphrase:
> > > Re-type passphrase:
> > > which is sane for interative
On 22-11-08 18:48:44, Tobias Heider wrote:
> nm.a is initialized to NULL until it gets alloced by x509_name_ex_new().
> The following 'goto err' should free nm.a before returning.
>
> ok?
Unless I'm missing something, I do not believe this is correct -
nm is a union and nm.a is the same pointer
82 matches
Mail list logo