Switch LibreSSL to use

2021-11-09 Thread Brent Cook
This switches libcrypto and libssl to use endian.h over machine/endian.h, easing some portability contortions. The Austin group works in mysterious ways, but endian.h also might be a POSIX standard in the wings, whatever 'Applied' means. https://www.austingroupbugs.net/view.php?id=162 ok? diff

Re: update explicit_bzero test to not assume SIGSTKSZ to be constant

2021-03-27 Thread Brent Cook
On Fri, Mar 26, 2021 at 1:56 PM Alexander Bluhm wrote: > > On Mon, Mar 22, 2021 at 08:38:23PM -0500, Brent Cook wrote: > > In the next version of Linux glibc, SIGSTKSZ is defined at runtime if > > source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to >

update explicit_bzero test to not assume SIGSTKSZ to be constant

2021-03-22 Thread Brent Cook
In the next version of Linux glibc, SIGSTKSZ is defined at runtime if source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to bring in asprintf/vasprintf, which causes the explicit_bzero test to fail to compile since the size of SIGSTKSZ is no longer known at compile time. This

Update Windows getentropy implementation

2020-11-09 Thread Brent Cook
This updates the getentropy implementation for Windows to use the newer "Cryptography Next Generation APIs", replacing CryptGenRandom, which already has been removed from applications built for the Windows Store. Tested with libressl-portable, it passes all regression tests. Details of the API

Re: bgpd: fix last few common symbols

2020-11-05 Thread Brent Cook
ok bcook@ On Thu, Nov 5, 2020 at 6:16 AM Claudio Jeker wrote: > > Since newer compilers default to -fno-common fix bgpd to not depend on > common symbols. The last few ones can just be converted to static symbols > since these are only used in the RDE or SE main code. > With the previous diffs

Re: zero tmpkeyiv in openssl enc

2019-07-25 Thread Brent Cook
Sure, looks fine in this micro context so maybe someone copying code from here as an example will do better. Though note that wider-scoped key/iv still contain the key material after EVP_CipherInit_ex and so on. Doesn't appear we've sprinkled many explicit_bzero's into openssl(1) in general given

OCSP Stapling with Nginx in LibreSSL 2.9.x

2019-06-20 Thread Brent Cook
Hi, I haven’t looked deeply into this, but there was a reported issue with OCSP stapling with Nginx between the LibreSSL portable releases 2.9.0 and 2.9.1 (which would have been between December 15th, 2018 and April 21st, 2019) Reposting here for visibility:

Re: dd conv=fsync

2019-02-15 Thread Brent Cook
On Thu, Feb 14, 2019 at 4:21 PM Ted Unangst wrote: > Alexander Bluhm wrote: > > GNU dd has the conv=fsync feature which does an fsync(2) after final > > write to output. I find this useful for write performance measurement > > through the file system without buffer cache optimization. Others >

Re: Fix length checks in AES_{un,}wrap_key()

2018-10-17 Thread Brent Cook
This makes sense, ok bcook@ On Wed, Oct 17, 2018 at 6:28 PM Theo Buehler wrote: > The spec, https://tools.ietf.org/html/rfc3394, section 2, states that > we need at least two 64 bit blocks for wrapping and, accordingly, three > 64 bit blocks for unwrapping. That is: we need at least 16 bytes

Re: Change CMakeLists.txt in LibreSSL to use target_include_directores

2018-06-13 Thread Brent Cook
a > compiler define like -D HAVE_CLOCK_GETTIME in the linking project to avoid > a conflict. > > > On 29 May 2018, at 12:48, Brent Cook wrote: > > > > On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote: > >> It is beneficial for projects that

Re: add const to the return value of BIO_s_file()

2018-05-29 Thread Brent Cook
ok bcook@ On Mon, May 28, 2018 at 3:23 PM, Theo Buehler wrote: > This is the first trivial part of the last batch of diffs catching up > with OpenSSL's const additions. > > As usual, sthen kindly ran the whole diff through a ports bulk build. > > Only this small change caused some fallout,

Re: Libressl question

2018-05-29 Thread Brent Cook
On Mon, Feb 12, 2018 at 09:27:16AM -0600, ed...@pettijohn-web.com wrote: > Has there been any discussion of packaging libtls separately from libressl > for portable use? With my limited skills I was able to write a program to > talk to smtpd and starttls using nothing but the manuals. I

Re: Change CMakeLists.txt in LibreSSL to use target_include_directores

2018-05-29 Thread Brent Cook
On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote: > It is beneficial for projects that depend on LibreSSL libraries and are built > with CMake to use target_link_libraries and automatically receive the PUBLIC > or INTERFACE headers without needing to specify include_directories.

Re: EVP_PKEY_asn1_{new,copy}(): pointless zeroing + a tiny bug

2018-05-23 Thread Brent Cook
ok bcook@ On Wed, May 23, 2018 at 2:11 AM, Theo Buehler wrote: > Very minor polishing, really: > > Since we converted EVP_PKEY_asn1_new() to using calloc(), there's no > need to set the structure to zero manually with an odd spelling of NULL. > Besides, the list of zeroed

Re: const for X509_CRL_* functions

2018-05-18 Thread Brent Cook
ok bcook@ On Fri, May 18, 2018 at 9:13 AM, Theo Buehler wrote: > On Fri, May 18, 2018 at 04:03:16PM +0200, Theo Buehler wrote: > > Simple diff that adds const qualifiers to the X509_CRL *x and > > ASN1_OBJECT *obj arguments of X509_CRL_get_ext_count(3), > >

Re: some const for libcrypto

2018-04-25 Thread Brent Cook
Looks good, ok bcook@ On Wed, Apr 25, 2018 at 3:22 AM, Theo Buehler wrote: > This is the second, larger part of the diff that was part of sthen's > i386 bulk and it had no fallout. It adds const like OpenSSL to most of > the public API exposed in asn1.h and needs some

Re: sprinkle some const over libssl

2018-04-25 Thread Brent Cook
Nice to see the "const unsigned char *p = d;" hackery going away. ok bcook@ On Tue, Apr 24, 2018 at 2:50 PM, Theo Buehler wrote: > OpenSSL started adding const to functions all over the place. The patch > below makes all our libssl functions match theirs wrt const, except for

Re: make X509_CRL_METHOD_free() NULL-safe

2018-04-23 Thread Brent Cook
OK bcook@ On Mon, Apr 23, 2018 at 3:27 AM, Theo Buehler wrote: > This is a practically unused function (both in our tree and globally), > but it is the only remaining public *_free() function in libcrypto that > segfaults on being passed NULL. I'll of course add it to the

Re: plug memory leak in ASN1_item_digest

2018-04-06 Thread Brent Cook
ok bcook@ On Thu, Apr 5, 2018 at 12:06 PM, Theo Buehler wrote: > If EVP_Digest() fails, str is leaked. > > This is part of the combo-diff 83b4049ab75e9da1815e9c854a9297bca3d4af6b > some more of which may also apply to us, but I'm still disentangling it. > See also

Re: openssl s_time, speed: use monotime for absolute interval measurement

2017-11-25 Thread Brent Cook
Thanks guys. This will make enabling this on the odder platforms in portable easier. On Fri, Nov 24, 2017 at 7:03 AM, Scott Cheloha wrote: > > On Nov 24, 2017, at 6:58 AM, Jeremie Courreges-Anglas > wrote: > > > > On Wed, Nov 22 2017, Scott Cheloha

Re: libressl: crash in DES_fcrypt

2017-10-29 Thread Brent Cook
Thank you Jan. This is a good thing to fix, but I had a hard time envisioning a security issue with it. Will see about backporting it though. Regards - Brent > On Oct 26, 2017, at 6:50 PM, Jan Engelhardt wrote: > > > libressl-2.6.2 is susceptible to an out-of-bounds read: >

[libcrypto] Don't build empty ecp_nistp* objects

2017-07-17 Thread Brent Cook
OPENSSL_NO_EC_NISTP_64_GCC_128 has been defined in opensslfeatures.h for a long time, which effectively means that ecp_nistp* are all empty files. So, there is no reason to build them in the first place. OK? Index: Makefile === RCS

OpenNTPD 6.1p1, 6.2p1 released

2017-07-13 Thread Brent Cook
We have made two new portable OpenNTPD releases today. These should be arriving soon in the OpenNTPD directory of an OpenBSD mirror near you. OpenNTPD 6.1p1 represents the version shipped with OpenBSD 6.1. It provides a number of new features and reliability improvements. OpenNTPD 6.2p1 is the

OpenNTPD 6.1p1, 6.2p1 released

2017-07-13 Thread Brent Cook
announce at openbsd.org Thu, 13 Jul 2017 10:41:48 -0500

Re: libcrypto: fix assembly for clang

2017-01-04 Thread Brent Cook
On Wed, Jan 4, 2017 at 5:12 AM, Mark Kettenis wrote: > > Date: Wed, 4 Jan 2017 11:04:43 +0100 > > From: Patrick Wildt > > > > On Tue, Jan 03, 2017 at 02:16:25PM -0500, Ted Unangst wrote: > > > Patrick Wildt wrote: > > > > > > > > Maybe they want to

Re: [s...@spacehopper.org: Re: cert.pem: Re-add mistakenly removed GlobalSign R2]

2017-01-01 Thread Brent Cook
Looks good to me, ok bcook@ On Sat, Dec 31, 2016 at 2:45 PM, Stuart Henderson wrote: > Since there wasn't much interest in that (which unbreaks e.g. > https://www.nginx.com), > here's a longer diff that syncs with Mozilla's release branch for those CA > organisations >

Re: ntpd(8): use stack instead of heap

2016-12-05 Thread Brent Cook
OK bcook@ On Fri, Dec 2, 2016 at 10:29 AM, Rafael Zalamena wrote: > On Sat, Oct 01, 2016 at 07:05:51PM +0200, Rafael Zalamena wrote: > > The ntpd(8) constraint fork+exec diff changed the way the constraint > > processes are created, but then it introduced new calloc()s to

Re: libcrypto: get rid of I386_ONLY

2016-11-04 Thread Brent Cook
OK bcook@, looks fine for portable too. > On Nov 4, 2016, at 11:02 AM, Tom Cosgrove > wrote: > Miod Vallat 4-Nov-16 08:53 >>> >> >> I386_ONLY was used to prefer a different assembler sequence in the >> sha512 code, which would be faster on 80386

Re: Explicitly cast the return variable in tls_load_file()

2016-10-02 Thread Brent Cook
On Sun, Oct 02, 2016 at 08:50:39AM -0500, Brent Cook wrote: > On Sat, Oct 1, 2016 at 7:12 PM, Ted Unangst <t...@tedunangst.com> wrote: > > > Kinichiro Inoguchi wrote: > > > I would like to cast the return variable explicitly in tls_load_file(). > > > This

Re: Explicitly cast the return variable in tls_load_file()

2016-10-02 Thread Brent Cook
On Sat, Oct 1, 2016 at 7:12 PM, Ted Unangst wrote: > Kinichiro Inoguchi wrote: > > I would like to cast the return variable explicitly in tls_load_file(). > > This fix also avoiding Intel C++ compiler "assertion failed" described > here. > >

Re: EVP_CipherFinal_ex for snmpd

2016-10-02 Thread Brent Cook
ok On Sun, Oct 2, 2016 at 12:34 AM, David Gwynne wrote: > this gets rid of a linker warning. > > the impression i get is that EVP_CipherFinal_ex explicitely does > not do cleanup of the cipher context thing, while EVP_CipherFinal > could if it wanted to. > > ok? > > Index:

Re: LibreSSL selects weak digest for (EC)DH

2016-09-18 Thread Brent Cook
Looks fine to me. Shall I commit it? On Thu, Sep 15, 2016 at 2:32 AM, Kinichiro Inoguchi < kinichiro.inogu...@gmail.com> wrote: > Sorry, I attached wrong patch file. > I re-post the patch file again. > > On Thu, Sep 15, 2016 at 04:10:55PM +0900, Kinichiro Inoguchi wrote: > > Hi, > > > > I would

Re: [PATCH] Callback-based interface to libtls

2016-09-14 Thread Brent Cook
On Wed, Sep 14, 2016 at 6:41 AM, Tobias Pape <tob...@netshed.de> wrote: > Hi > > On 14.09.2016, at 13:37, Brent Cook <bust...@gmail.com> wrote: > > > > > ​Once the expectations of the callbacks are finalized, this needs a good > explanation in the manual.​

Re: [PATCH] Callback-based interface to libtls

2016-09-14 Thread Brent Cook
​Thanks!​ On Wed, Sep 14, 2016 at 4:48 AM, wrote: > Hi again, > > On 07.09.2016, at 18:08, tob...@netshed.de wrote: > [..] > >> On 05.09.2016, at 15:50, bust...@gmail.com wrote: > >> > >>> Hey, the typedef came in handy :) Ok bcook@ > >>> > >>> On Sep 5, 2016, at 11:52 AM,

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Brent Cook
On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote: > Brent Cook wrote: > > @@ -246,14 +252,18 @@ An already existing socket can be upgrad > > .Fn tls_connect_socket . > > Alternatively, a secure connection can be established over a pair of > > existing >

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Brent Cook
On Sun, Jul 17, 2016 at 01:32:43PM +0200, Tobias Pape wrote: > Hi all, > > I'm Tobias and fond of using libtls. > I have a certain use case, where I want to do TLS/SSL but > can only work with buffers/callbacks and not sockets or FDs. > In p(l)ain openssl, this is doable, but not nice. Libtls >

Re: Enable Camellia ciphers with SHA-2 family HMAC

2016-08-25 Thread Brent Cook
No objection here. Anyone else? > On Aug 25, 2016, at 8:54 AM, Guenther Niess wrote: > > Hi, > > is there a reason why the Camellia cipher suits with SHA2 HMAC is not > supported? > > I added them and tested the result with an Nginx server and the s_client > command. > > I

LibreSSL 2.4.2 and 2.3.7 released

2016-08-01 Thread Brent Cook
We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is now the current stable version. LibreSSL 2.3.7 is based on the previous OpenBSD 5.9 release, and

Re: initialize variables patch for bn_nist.c

2016-07-17 Thread Brent Cook
I didn't notice it at first, because the patch wasn't inline, but the union here needed to be initialized with memset or use a different kind of initializer. I went with the memset on top of your patch: --- bn_nist.c 17 Jul 2016 21:21:40 - 1.16 +++ bn_nist.c 17 Jul 2016 22:00:45

Re: libcrypto: explicitly initialize constant

2016-07-12 Thread Brent Cook
On Tue, Jul 12, 2016 at 6:41 AM, Miod Vallat wrote: > >> Noted by VS2013, const values should be initialized (though I think > >> the 'static' should also implicitly zero). > > > > this sounds like the compiler doesn't know C? > > He is talking about Visual Studio. The C part of

libcrypto: explicitly initialize constant

2016-07-11 Thread Brent Cook
Noted by VS2013, const values should be initialized (though I think the 'static' should also implicitly zero). This also removes some unused code that also contained uninitialized static consts. ok? Index: evp/e_chacha20poly1305.c

Re: add error check to ocsp_test.c

2016-07-07 Thread Brent Cook
sure, this makes it easier to patch in the right path in portable as well On Thu, Jul 7, 2016 at 7:23 AM, Kinichiro Inoguchi < kinichiro.inogu...@gmail.com> wrote: > Hi, > > I would like to add error check for CAfile loading > since some OS doesn't have /etc/ssl/cert.pem. > > Best regards, >

Re: libcrypto: fix BN_mod_word bug

2016-07-04 Thread Brent Cook
I copied some of the commit text here from BoringSSL, but it's wrong for LibreSSL it seems. BN_ULLONG is not defined on all 64-bit systems as far as I can tell. So, this fix is more widely applicable than Win64 for LibreSSL. Any comments? - Brent > On Jun 30, 2016, at 8:40 AM, Brent C

libcrypto: fix BN_mod_word bug

2016-06-30 Thread Brent Cook
On systems where we do not have BN_ULLONG (notably Win64), BN_mod_word() can return incorrect results if the supplied modulus is too big. Note now that BN_mod_word may fail, like BN_div_word. Handle this properly and document in the man page. Thanks to Brian Smith for pointing out these fixes

netcat: simplify and enhance IP proto-specific sockopt error handling

2016-06-30 Thread Brent Cook
As a precedent, nc has a conversational, specific style of error reporting when a socketopt fails. With the IPv4/6-specific options, we refactored the code to the point that the error messages are less specific and maybe misleading (e.g. setting ToS on an IPv6 socket). This patch makes the

tighten behavior of _rs_allocate for portable arc4random implementations

2016-06-30 Thread Brent Cook
This is something I noticed while reviewing this report: https://github.com/libressl-portable/portable/issues/200 In the event of a failure in _rs_allocate for rsx, we still return the freed memory for rs. Not a huge deal since we subsequently abort in _rs_init, but it looks strange on its own.

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-29 Thread Brent Cook
On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote: > On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote: > > > > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote: > > > > > Hmm, on second review, someth

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-26 Thread Brent Cook
On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote: > > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote: > > > Hmm, on second review, something seems odd. > > > > César, why does this patch also replace all of the stack-allocated >

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-25 Thread Brent Cook
On Sun, Jun 26, 2016 at 12:00:51AM -0500, Brent Cook wrote: > On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote: > > If we are going to delete it, lets just do so > > > > IMO we can commit this removing the define. bets are we see nothing in > > ports for fallou

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-25 Thread Brent Cook
On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote: > If we are going to delete it, lets just do so > > IMO we can commit this removing the define. bets are we see nothing in > ports for fallout so lets just blow it away > Sounds good, I'll commit this: Index: src/crypto/dh/dh.h

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-25 Thread Brent Cook
can probably #ifndef > LIBRESSL_INTERNAL - and failing that should > we nuke them and bump majors? > > > On Wed, Jun 22, 2016 at 7:44 AM, Brent Cook <bust...@gmail.com> wrote: > > This is another patch from César Pereida that disables the DH and RSA > > non-constant-time f

Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

2016-06-22 Thread Brent Cook
This is another patch from César Pereida that disables the DH and RSA non-constant-time flags as well. ok? Index: src/crypto/dh/dh.h === RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v retrieving revision 1.16 diff -u -p -u -p

Re: Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior

2016-06-20 Thread Brent Cook
No problem, I undid that bit. Thanks all. On Mon, Jun 20, 2016 at 11:32 AM, Ted Unangst <t...@tedunangst.com> wrote: > Brent Cook wrote: > > diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c > b/src/lib/libssl/src/crypto/dsa/dsa_key.c > > index 2968fa2..e01bacb

openssl(1): fix bug loading default certificate path locations

2016-06-20 Thread Brent Cook
This fixes a bug where the default certificate path locations would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL: https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190 Noted here on the LibreSSL-portable

Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior

2016-06-20 Thread Brent Cook
Hi, This is a patch from Cesar Pereida, removing support for DSA_FLAG_NO_EXP_CONSTTIME by making DSA always operate in constant time. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok? diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h

LibreSSL 2.4.0/2.3.5/2.2.8 Released

2016-05-31 Thread Brent Cook
We have released a first development snapshot of LibreSSL 2.4.0 along with two stable builds, 2.3.5 and 2.2.8. These should be arriving in the LibreSSL directory of your local OpenBSD mirror soon. The 2.3.5 and 2.2.8 releases contain a reliability fix, correcting an error when parsing certain

libcrypto errata update

2016-05-29 Thread Brent Cook
A bug in the previous libcrypto errata caused an error when reading ASN.1 elements over 16kb. Patches for OpenBSD are available. Updated LibreSSL-portable releases will be available later. http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/009_crypto.patch.sig

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

2016-05-20 Thread Brent Cook
On Tue, May 17, 2016 at 2:56 PM, Stuart Henderson <s...@spacehopper.org> wrote: > On 2016/05/17 08:27, Brent Cook wrote: > > This patch came by way of the openntpd github. Linux (and possibly > others) > > will attempt to bind to 0.0.0.0 when binding to '::' and return an

[libcrypto] fix short ASN1 reads

2016-05-20 Thread Brent Cook
Hi, Our errata patch for fixing large memory allocations in asn1_d2i_read_bio dropped the while (want > 0) loop, causing the function to only read chunk_max bytes once. This limits the max size read to 16k. This patch restores the outer loop. Noted on misc@ ftp

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

2016-05-17 Thread Brent Cook
> On May 17, 2016, at 10:21 AM, Stuart Henderson <s...@spacehopper.org> wrote: > > On 2016/05/17 08:27, Brent Cook wrote: >> This patch came by way of the openntpd github. Linux (and possibly others) >> will attempt to bind to 0.0.0.0 when binding to '::' and ret

[ntpd] Simultaneously listen on IPv4 and IPv6

2016-05-17 Thread Brent Cook
This patch came by way of the openntpd github. Linux (and possibly others) will attempt to bind to 0.0.0.0 when binding to '::' and return an error if it can't, unless IPV6_V6ONLY is set. See https://github.com/openntpd-portable/openntpd-portable/issues/19 OK as an in-tree patch? OpenBSD seems to

Re: [PATCH]: remove references to "outlen" from tls_init.3.

2016-04-24 Thread Brent Cook
yes, that is correct - ok bcook@ On Sun, Apr 24, 2016 at 2:06 AM, Jason McIntyre wrote: > On Sat, Apr 23, 2016 at 06:24:58PM +0200, Remco wrote: > > Index: tls_init.3 > > > > === > > > > i think your diff is

Fix examples for EVP_PKEY_CTX_set_rsa_padding

2016-03-12 Thread Brent Cook
Noted here, https://github.com/libressl-portable/portable/issues/161, we document a non-existent constant in the examples for EVP_PKEY_CTX_set_rsa_padding. Is this the correct one to use? Index: EVP_PKEY_decrypt.pod === RCS file:

Re: ntpd: really enable debug messages

2016-01-24 Thread Brent Cook
On Sat, Jan 23, 2016 at 08:48:22PM +0100, Reyk Floeter wrote: > On Sat, Jan 23, 2016 at 12:39:19PM -0600, Brent Cook wrote: > > I'm going with this instead. That way it works like the manual > > specifies already (-v enables logging debug messages) > > > > Yes, the -v fl

Re: ntpd: really enable debug messages

2016-01-23 Thread Brent Cook
un -d to get lots of > output. check main() there? > > i think thats more intuitive, but maybe i'm just used to it. > > Brent Cook(bust...@gmail.com) on 2016.01.20 06:31:44 -0600: >> Since the relatively recent logging unification, log_init needs a >> debug level > 1 i

ntpd: really enable debug messages

2016-01-20 Thread Brent Cook
Since the relatively recent logging unification, log_init needs a debug level > 1 in order for log_debug to print anything. This change makes it so 'ntpd -d' stays in the foreground but doesn't log much (the current behavior, different than previous releases though), 'ntpd -dd' actually prints

Re: nc(1) - fix use of certificates for TLS

2016-01-03 Thread Brent Cook
Applied, thanks Andreas! On Sun, Jan 3, 2016 at 7:01 PM, Andreas Bartelt wrote: > Hello, > > the use of certificates for TLS didn't work with nc(1). Fix is attached. > > Best regards > Andreas

[nc] rename sun to s_un (for building on Solaris)

2015-11-22 Thread Brent Cook
Finally getting around to trying out nc on some more platforms for LibreSSL-portable, and ran into Sun/Oracle's silly definition of 'sun' in the system headers. OK to rename the local sockaddr_un variables? Portable contains a patch full of #ifdef's around other systems-specific nc features

openssl.cnf req defaults -> default_md sha256

2015-10-20 Thread Brent Cook
U On Tue, Oct 20, 2015 at 12:12 AM, Jonathan Gray > wrote: > On Wed, Oct 01, 2014 at 10:53:34AM +0100, Stuart Henderson wrote: >> On 2014/10/01 19:05, Joel Sing wrote: >> > > I should also add that the other obvious/easy "fix" is to initialise digest >> > > in

Re: minor reallocarray() change

2015-09-19 Thread Brent Cook
It be significant that this patch slowed me browser because o' it's length. Methinks you deserve t' be keelhauled for such transgressions.

Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015

2015-09-17 Thread Brent Cook
I think this is the right thing to do for now. ok bcook@ On Thu, Sep 17, 2015 at 5:19 PM, Stuart Henderson wrote: > CC'ing tech@. > > The last commit to bn_print.c is wrong, it dereferences t while it's still > NULL. > > Backout diff below. > > > On 2015/09/17 22:42, Mikolaj

Re: openssl(1) remove redundant defines

2015-09-10 Thread Brent Cook
On Wed, Sep 9, 2015 at 9:43 PM, Lawrence Teo <l...@openbsd.org> wrote: > On Wed, Sep 09, 2015 at 11:17:55AM -0500, Brent Cook wrote: >> On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller >> <todd.mil...@courtesan.com> wrote: >> > On Wed, 09 Sep 201

Re: openssl(1) remove redundant defines

2015-09-09 Thread Brent Cook
On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller wrote: > On Wed, 09 Sep 2015 10:02:17 -0400, Lawrence Teo wrote: > >> This diff removes redundant defines in two files. >> >> In s_socket.c, SOCKET_PROTOCOL is defined as IPPROTO_TCP, but it's only >> used once. > > OK. >

LibreSSL 2.2.3 Prerelease available for testing

2015-08-28 Thread Brent Cook
We have put together a prerelease of LibreSSL 2.2.3. This release primarily targets a bug that causes connections with some SSL clients to fail during the initial handshake. Preliminary release notes and a tarball are available at the following link:

Re: LibreSSL 2.2.2 release

2015-08-19 Thread Brent Cook
On Wed, Aug 12, 2015 at 1:29 PM, Mark Kettenis mark.kette...@xs4all.nl wrote: Date: Tue, 11 Aug 2015 09:15:43 -0600 From: Bob Beck b...@obtuse.com I'm wondering out loud if these versions should follow the openbsd shlib major minor numbers. That is where we are careful about semantic

Re: LibreSSL 2.2.2 release

2015-08-10 Thread Brent Cook
On Mon, Aug 10, 2015 at 5:10 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: Jan Engelhardt schreef op 2015-08-10 10:29: On Monday 2015-08-10 02:38, Brent Cook wrote: On Aug 9, 2015, at 10:07 AM, Jan Engelhardt jeng...@inai.de wrote: We have released LibreSSL 2.2.2, which will be arriving

LibreSSL 2.2.2 released

2015-08-05 Thread Brent Cook
We have released LibreSSL 2.2.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release marks the end of the OpenBSD 5.8 development cycle, featuring expanded portable build support, code improvements, removal of obsolete workarounds. SSLv3 deprecation

LibreSSL-portable 2.2.2 test release

2015-08-02 Thread Brent Cook
I have posted a test release of LibreSSL-portable 2.2.2 for testing here: https://github.com/libressl-portable/portable/releases/tag/v2.2.2-test Let me know if I have missed anything in the Changelog, or if you run into any issues. Thanks - Brent

OpenNTPD: Remove _PATH_DEVNULL

2015-07-17 Thread Brent Cook
/dev/null will be available on any POSIX system, but _PATH_DEVNULL may not, e.g. Solaris. There doesn't seem to be any advantage to using the define (and we don't use it much in the tree either.) http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap10.html --- src/usr.sbin/ntpd/ntp.c

OpenNTPD: replace bzero with memset

2015-07-17 Thread Brent Cook
This diff converts bzero calls to memset, which is more portable and compilers can optimize as well. --- src/usr.sbin/ntpd/client.c | 2 +- src/usr.sbin/ntpd/config.c | 6 +++--- src/usr.sbin/ntpd/control.c | 2 +- src/usr.sbin/ntpd/ntp.c | 6 +++--- src/usr.sbin/ntpd/ntpd.c| 4 ++--

Bump LIBRESSL_VERSION defines

2015-07-16 Thread Brent Cook
Up to now, we have only bumped the LIBRESSL_VERSION_TEXT for each portable release in the portable tree, and the VERSION_NUMBER has never incremented. This change establishes a policy of bumping the number for each portable release, and syncs the version string between the portable and in-tree

Re: LibreSSL 2.2.1 released - Windows version clarification

2015-07-09 Thread Brent Cook
On Wed, Jul 8, 2015 at 7:49 AM, Brent Cook bust...@gmail.com wrote: We have released LibreSSL 2.2.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release continues from the OpenBSD 5.8 development tree, featuring expanded OS support, code

LibreSSL 2.2.1 released

2015-07-08 Thread Brent Cook
We have released LibreSSL 2.2.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release continues from the OpenBSD 5.8 development tree, featuring expanded OS support, code improvements, and feature removal. Also note that SSLv3 support has not been

Re: error:0906D064:PEM routines:PEM_read_bio:bad base64

2015-07-03 Thread Brent Cook
: https://github.com/libressl-portable/openbsd/commit/d1114a9633e1f7004537f5238a5f1f111898ebeb Would you be comfortable adding some extra output to the various failure points in EVP_DecodeUpdate to see where we are bailing out? Br //mxb On 30 jun 2015, at 05:25, Brent Cook bust...@gmail.com

Re: error:0906D064:PEM routines:PEM_read_bio:bad base64

2015-06-29 Thread Brent Cook
On Mon, Jun 29, 2015 at 1:22 AM, mxb m...@alumni.chalmers.se wrote: Hey, getting following error on OpenBSD-current as of yesterdays 'cvs up’: Does this imply that it worked in some earlier version of OpenBSD-current? If so, what was the version that worked? unable to load Private Key

LibreSSL 2.1.7 and 2.2.0 released

2015-06-11 Thread Brent Cook
We have released LibreSSL 2.2.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release is the first from the OpenBSD 5.8 development tree and features mainly on build system improvements and new OS support. We have also released LibreSSL 2.1.7, which

Re: Thread-safe libcrypto by using weak symbols to pthread

2015-06-02 Thread Brent Cook
On Sun, Mar 29, 2015 at 4:51 AM, Carlos Martín Nieto c...@dwim.me wrote: On Sat, Mar 28, 2015 at 09:59:57PM -0700, Philip Guenther wrote: On Sat, 28 Mar 2015, Carlos Mart?n Nieto wrote: I?ve been looking into making libcrypto automatically thread-safe. The obvious solution is to use pthread

Re: Code coverage report for LibreSSL tests

2015-05-07 Thread Brent Cook
On Wed, May 6, 2015 at 2:54 PM, Harri Porten por...@froglogic.com wrote: Hi! We've started to generate code coverage reports for test suites of some projects on a regular basis. You'll find on overview for LibreSSL (Portable) here:

Re: Code coverage report for LibreSSL tests

2015-05-06 Thread Brent Cook
On Wed, May 6, 2015 at 2:54 PM, Harri Porten por...@froglogic.com wrote: Hi! We've started to generate code coverage reports for test suites of some projects on a regular basis. You'll find on overview for LibreSSL (Portable) here:

Re: libressl-2.1.6 on AIX

2015-04-08 Thread Brent Cook
Thanks Michael, I have incorporated some initial AIX patches - can you please check out the latest tree? https://github.com/libressl-portable/portable/commit/fe3f7fc6365bfaac3418a72256b8c11603e80cbf https://github.com/libressl-portable/openbsd/commit/37d8e3c080e7c73158093f253d8e06fa1906dc03

Re: Remove useless lock around opendir/readdir

2015-03-30 Thread Brent Cook
On Mar 30, 2015, at 12:11 AM, Philip Guenther guent...@gmail.com wrote: On Fri, Mar 27, 2015 at 2:50 AM, Carlos Martín Nieto c...@dwim.me wrote: A call to opendir thread-safe and the readdir calls only share the buffer within the same directory stream, which is local to this function.

Re: ntpd:support adjusting initial time = y2k36 on 32-bit time_t platforms

2015-03-27 Thread Brent Cook
On Mon, Mar 23, 2015 at 10:42 AM, Alexey Suslikov alexey.susli...@gmail.com wrote: Brent Cook busterb at gmail.com writes: + T4 += (uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec; snip + return ((uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec); snip

ntpd:support adjusting initial time = y2k36 on 32-bit time_t platforms

2015-03-21 Thread Brent Cook
This came up in the OpenNTPD issue tracker: https://github.com/openntpd-portable/openntpd-openbsd/pull/4 The issue is an overflow when calculating time offsets with a 32-bit time_t in early 2036. The main reason to fix it in now, in 2015, is that OpenNTPD fails to adjust time if such a system

LibreSSL 2.1.6 released

2015-03-19 Thread Brent Cook
We have released LibreSSL 2.1.6, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release primarily addresses a number of security issues in coordination with the OpenSSL project. Fixes for the following issues are integrated into LibreSSL 2.1.6: *

Enable libtls in LibreSSL by default

2015-03-18 Thread Brent Cook
The API/ABI for the LibreSSL 2.1.x series is now stable, so we can safely enable libtls it by default. This is useful for new OpenNTPD and OpenSMTPD releases as well. I would like to apply this to the OPENBSD_5_7 / 2.1.x and master branches on the portable tree. Building with libtls has been the

LibreSSL 2.1.5 released

2015-03-16 Thread Brent Cook
We have released LibreSSL 2.1.5, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release is relatively small, focused on bug fixes before 2.2.x development begins along-side OpenBSD 5.8. This or earlier LibreSSL releases may also address issues that are

Re: LibreSSL 2.1.4 released

2015-03-06 Thread Brent Cook
On Mar 6, 2015, at 10:40 AM, Martin Hecht he...@hlrs.de wrote: I have tested it on a few linux platforms I have at hand: SLES 11 SP3 Ubuntu 14.04.2 LTS Scientific Linux 6.6 Testsuite summary for libressl

Testing LibreSSL Windows binaries

2015-03-03 Thread Brent Cook
Hi, Based on difficulty people have had building LibreSSL on Windows and desire for integration with Visual Studio, I have made a test package with LibreSSL Windows binaries available here: https://github.com/libressl-portable/portable/releases/tag/untagged-1124b2dee438a382b881 These should

Re: Testing LibreSSL Windows binaries

2015-03-03 Thread Brent Cook
On Mar 3, 2015, at 9:22 AM, Brent Cook bust...@gmail.com wrote: Hi, Based on difficulty people have had building LibreSSL on Windows and desire for integration with Visual Studio, I have made a test package with LibreSSL Windows binaries available here: https://github.com/libressl

LibreSSL 2.1.4 released

2015-03-03 Thread Brent Cook
We have released LibreSSL 2.1.4, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This release adds a number of new security features, makes building privilege-separated programs simpler, and improves the libtls API. This release also includes a binary package

  1   2   >