IABSD.fr/src

Branch :


Log

Author Commit Date CI Message
a7dbf4ae 2023-03-04 22:22:50 Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector. ok bluhm@ patrick@
6bdbc113 2023-03-04 21:58:54 openssl enc doesn't really support AEAD ciphers and XTS mode Do not display such ciphers in the usage display and error out if they are given. As pointed out by Pauli Dale, the current situation is confusing. Fixes GH issues #786 and #819 ok jsing
94bb0884 2023-03-04 21:42:49 Simplify the consistency checks in old_dsa_priv_decode() We have long had expensive checks for DSA domain parameters in old_dsa_priv_decode(). These were implemented in a more complicated way than necesary. ok beck jsing
899e8679 2023-03-04 21:39:34 Enforce a lower bound of of EC group order so 80 bits for ECDSA This makes sure that the elliptic curve is not completely stupid. This is conservative enough: the smallest named groups that we support have an order of 112 bits. ok beck jsing
0e40a4a3 2023-03-04 21:37:37 Cap the number of iterations in ECDSA signing ECDSA is essentially the same thing as DSA, except that it is slightly less stupid. Signing specifies an infinite loop, which is only possible with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA in the wild is based on well-known groups, so it is known a priori that the loop is not infinite. Still, infinite loops are bad. A retry is unlikely, 32 retries have a probability of ~2^-8000. So it's pretty safe to error out. ok beck jsing
0d37be08 2023-03-04 21:30:23 Cap the number of iterations in DSA signing The DSA standard specifies an infinite loop: if either r or s is zero in the signature calculation, a new random number k shall be generated and the whole thing is to be redone. The rationale is that, as the standard puts it, "[i]t is extremely unlikely that r = 0 or s = 0 if signatures are generated properly." The problem is... There is no cheap way to know that the DSA domain parameters we are handed are actually DSA domain parameters, so even if all our calculations are carefully done to do all the checks needed, we cannot know if we generate the signatures properly. For this we would need to do two primality checks as well as various congruences and divisibility properties. Doing this easily leads to DoS, so nobody does it. Unfortunately, it is relatively easy to generate parameters that pass all sorts of sanity checks and will always compute s = 0 since g is nilpotent. Thus, as unlikely as it is, if we are in the mathematical model, in practice it is very possible to ensure that s = 0. Read David Benjamin's glorious commit message for more information https://boringssl-review.googlesource.com/c/boringssl/+/57228 Thanks to Guido Vranken for reporting this issue, also thanks to Hanno Boeck who apparently found and reported similar problems earlier. ok beck jsing
5f7fe693 2023-03-04 21:22:51 Use nitems() in the simple iterations over mbr->mbr_prt[]. No intentional functional change.
ad41f5e1 2023-03-04 21:08:14 Small readability tweak in old_dsa_priv_decode() Explicitly check against NULL and turn early return into goto err. ok beck jsing
83f09c76 2023-03-04 21:06:17 Call dsa_check_keys() before signing or verifying We already had some checks on both sides, but they were less precise and differed between the functions. The code here is messy enough, so any simplification is helpful... ok beck jsing
f1d158b4 2023-03-04 21:02:21 Add dsa_check_key() calls on DSA decoding When decoding a public or a private key, use dsa_check_key() to ensure consistency of the DSA parameters. We do not always have sufficient information to do that, so this is not always possible. This adds new checks and replaces incomplete existing ones. On decoding the private key we will now only calculate the corresponding public key, if the sizes are sensible. This avoids potentially expensive operations. ok beck jsing
3f42ce0a 2023-03-04 20:54:52 Provide dsa_check_key() This is a cheap check that ensures basid parameter consistency per FIPS 186-4: 1 < g < q, that q has the allowed bit sizes 160, 224, 256 and that p is neither too small nor too large. Unfortunately, enforcing the three allowed sizes for p is not possible since the default dsa key generation has not respected this limitation. Instead of checking that p and q are prime, we only check that they are odd. Check that public and private keys, if set, are in the proper range. In particular, disallow zero values. Various versions of these checks have been added to the dsa code over time. This consolidates and extends them and in a subsequent commit wewill replace the incomplete checks. BoringSSL has a similar function of the same name, thanks to David Benjamin for pointing it out. ok beck jsing
b8d827af 2023-03-04 20:47:04 Provide DSA_R_INVALID_PARAMETERS error code This has been missing for a while already and will be used in a few upcoming commits. ok beck jsing
30940658 2023-03-04 19:56:48 sync
17928426 2023-03-04 14:53:23 Mop up ECP_NISTZ256_ASM and OPENSSL_NO_EC_NISTP_64_GCC_128 leftovers. This is `unifdef -m -DOPENSSL_NO_EC_NISTP_64_GCC_128 -UECP_NISTZ256_ASM` and some manual tidy up.
194a64d3 2023-03-04 14:49:36 move to 7.3-beta
8c6d22ae 2023-03-04 14:47:18 Toss in some const's to ensure that static data pointed to by function return values is not fiddled with. No intentional functional change.
39a18741 2023-03-04 14:38:00 Rename field_data1 and field_data2. Rather than pretending that these "generic" variables are used for multiple things, rename them to reflect their actual usage and use appropriate types instead of void *. ok tb@
abbe4cfa 2023-03-04 12:13:11 bio_chain test: fix error message
b331eacb 2023-03-04 12:02:07 expand Nd (missed in previous); ok claudio
e31c4e69 2023-03-04 11:58:29 Avoid infinite loop in bio_asn1 state machine If the BIO_write() in the ASN1_STATE_DATA_COPY state fails, incorrect error handling will break out of the switch without changing the state, and the infinite for loop will immediately try the same write again, which is unlikely to succeed... Clearly this code intended to break out of the loop instead. Via OpenSSL 1.1 commit 723f616df81ea05f31407f7417f49eea89bb459a ok millert
58feb3ff 2023-03-04 10:55:37 pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only. Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail> OK bluhm@
ae94afbd 2023-03-04 10:42:26 Add mvortc(4) and mvodog(4) here too
66a74f82 2023-03-04 09:03:34 properly initialise LIST head This worked because the global head variable is zero-initialised, but one must not rely on that. OK mvs claudio
16954431 2023-03-04 06:25:42 openssl/req: garbage collect a pointless EVP_MD_CTX_init() Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new() aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero(). ok jsing
70244c22 2023-03-04 03:22:59 Use time_t instead of u_int for remaining x11 timeout checks for 64bit time_t safety. From Coverity CIDs 405197 and 405028, ok djm@
c6789160 2023-03-04 01:23:40 handle polling when cold in tipmic_thermal_opreg_handler(). this allows me to boot if acpitz is using tipmic instead of getting stuck. tipmic would spin on tsleep, which returns immediately with 0 when cold, waiting for a value to be set by the tipmic interrupt handler. cos the box is cold the interrupt is masked, so the tsleep loop never ended. patrick@ helped me find this ok kettenis@
ce7941a3 2023-03-04 00:00:25 tee(1): explicitly check read(2) return value for 0 and -1
d8920042 2023-03-03 20:16:44 initclocks: don't reinitialize ticks, jiffies at runtime Various drivers use ticks/jiffies before initclocks(). It isn't generally safe to reinitialize them at runtime. Hoist the conditional definition of HZ from param.c into sys/kernel.h so we can see it from kern_clock.c and statically initialize ticks/jiffies to the desired offset. With this change, timeouts scheduled before initclocks() do not all fire immediately during the first softclock(). With input from kettenis@. Link: https://marc.info/?l=openbsd-tech&m=167753870803378&w=2
693dc5e1 2023-03-03 16:22:57 Process accounting and lastcomm(1) can detect execve(2) violations of pinsyscall(2) policy. Report such findings in daily mail like other security violations. User has to turn on accounting=YES in rc.conf.local to utilize this feature. OK deraadt@
bb47adf3 2023-03-03 16:19:05 In filemode, print the certification path towards the Trust Anchor with and OK tb@
9183674a 2023-03-03 13:03:29 Use EXTRACT_16BITS() in default_print() instead of handrolling it. OK bluhm@
4bc7eee0 2023-03-03 10:23:42 Ensure ms_remain is always initialized, similar to what we do in ssh_packet_write_wait. bz#2687, from jjelen at redhat.com.
2749596c 2023-03-03 09:48:51 Check for non-NULL before string comparison. From jjelen at redhat.com via bz#2687.
cf0b80f8 2023-03-03 08:08:15 namservers -> nameservers
8135c598 2023-03-03 05:00:34 guard against getsockname(-1, ...) from Coverity CID 291832
5c3c37dc 2023-03-03 04:36:20 some options are not first-match-wins. Mention that there are exceptions at the start of the manpage and label some of them in the option description.
1dc49121 2023-03-03 04:34:49 actually print "channeltimeout none" in config dump mode; spotted via Coverity CID 405022
f1e0bb36 2023-03-03 03:12:24 Check return values of dup2. Spotted by Coverity, ok djm@
6f6ad909 2023-03-03 02:37:58 Use time_t for x11_refuse_time timeout. We need SSH_TIME_T_MAX for this, so move from misc.c to misc.h so it's available. Fixes a Coverity warning for 64bit time_t safety, ok djm@
93133fbe 2023-03-03 02:34:29 Check return value from fctnl and warn on failure. Spotted by Coverity, ok djm@
158724fb 2023-03-02 21:17:35 Simplify the ct Makefile slightly
7bd423d2 2023-03-02 21:15:14 Clean up the x509 regress make file a little
7eb1d99a 2023-03-02 21:08:14 Remove a few more unnecessary line continuations
167f52f3 2023-03-02 21:07:21 Nitpick error checks of BN_get_mem_data() BN_get_mem_data() returns a non-positive long on error, so assigning it to a size_t and displaying that in error messages is incorrect.
699253ff 2023-03-02 20:45:11 Some more Makefile cosmetics The verbose evp test actually depends on the evptest binary. Use consistent spacing and indentation.
d07f6944 2023-03-02 20:27:54 The evp_ecx_test no longer needs static linking
dd04dea9 2023-03-02 20:24:51 Hide the hexdumps behind a verbose flags. Should have been part of the previous commit.
84f5691e 2023-03-02 20:22:46 Simplify evp test Makefile. Make evptest silent by default: these pages of hexdumps are useless noise. Add a verbose target for debugging.
6832800c 2023-03-02 20:18:40 evp_pkey_check: make this test silent on success
2b0849fc 2023-03-02 20:04:42 Remove a few unnecessary line continuations
7ca6c2af 2023-03-02 17:11:33 restructure the page into one single list for all routing commands; while there, whack anything either out of date or not useful joint work with claudio
328c3f4b 2023-03-02 17:09:52 improve the Nd lines such that the format is consistent for the various *d, *conf, *ctl files (where relevant) and simple; also makes "man -k routing" more useful; help from claudio and florian ok claudio florian millert
49ae8db3 2023-03-02 17:08:02 sync
888a0b8c 2023-03-02 16:58:43 No need to protect exports from SIGHUP, the handler just sets a flag. The signal handlers in mountd.c were made safe in rev 1.34 from 2001. OK bluhm@ kn@
16d49339 2023-03-02 16:21:51 When parsing %s, the result should be in the local time zone. Based on a patch from enh@google. OK tb@
d103d2f2 2023-03-02 16:13:57 rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@
9eb80002 2023-03-02 11:56:25 add arch to Dt
a0eb7693 2023-03-02 11:49:45 mention eephy(4) ok jmatthew@
cc1408e1 2023-03-02 11:10:27 Remove SUDO in proxy command wrapper. Anything that needs sudo is already run by it, and it breaks if root isn't in sudoers.
c7ff23bc 2023-03-02 10:07:18 mvodog(4) and mvortc(4)
e5ce42d2 2023-03-02 09:59:29 Enable mvodog(4) and mvortc(4)
b6ff5396 2023-03-02 09:57:43 Add mvortc(4), a driver for the RTC on the ARMADA 38x series. ok kettenis@ patrick@
69b6280c 2023-03-02 09:56:52 Add mvodog(4), a driver for the watchdog on the ARMADA 38x series. ok kettenis@ patrick@
983ce4b9 2023-03-02 09:39:45 Add eephy(4), found on the Turris Omnia's WAN port
e1279ed8 2023-03-02 08:24:41 Fix breakage on dhgex test. This was due to the sshd logs being written to the wrong log file. While there, make save_debug_logs less verbose, write the name of the tarball to regress.log and use $SUDO to remove the old symlinks (which shouldn't be needed, but won't hurt). Initial problem spotted by anton@.
4bdbd313 2023-03-02 08:14:52 Quote grep and log message better.
74d38529 2023-03-02 06:41:56 Ensure we always call fclose when writing checkpoints. In the case of an fprintf failure we would not call fclose which would leak the FILE pointer. While we're there, try to clean up the temp file on failure. Spotted by Coverity, ok djm@
11666e1d 2023-03-01 23:27:46 Fix potentially uninitialized use of variable fsb on error. OK mbuhl@
dae58e70 2023-03-01 22:45:25 /etc/examples/iked.conf tweaks: - show a demo of a strong random string for psk, for some types of configuration psk makes sense. the previous example hinted at.not using it. - change the EAP MSCHAPv2 example so that more than one client can connect (previous used address config but with only a single address not a pool), and use the newer keywords to show how to route all traffic from dynamic-ip clients over the tunnel ok tobhe@
2669c8e8 2023-03-01 21:54:50 Remove old log symlinks before creating new ones. In -portable some platforms don't like overwriting existing symlinks.
b1668e29 2023-03-01 17:27:45 Bogus full stop.
fbca2b84 2023-03-01 12:34:12 Comment out glob for JSON webcrypto tests for now Allows test to pass with the old version of the wycheproof-testvectors package.
9fb10e5c 2023-03-01 11:28:30 Link evp/cipher_method_lib.c to the build ok jsing
cee51a3a 2023-03-01 11:27:37 Convert EVP_CIPHER_meth_dup() to using calloc() There is no reason for this to call EVP_CIPHER_meth_new(), as the flags will be copied a line later anyway. Simplify this. Requested by jsing
6a816b17 2023-03-01 11:25:25 Make cipher_method_lib.c compile with LibreSSL OPENSSL_zalloc() -> calloc(), OPENSSL_free() -> free() and a few assorted cosmetic tweaks to match our style better. ok jsing
f28dc7d0 2023-03-01 11:17:22 Add EVP_CIPHER_meth_* prototypes to evp.h As usual, this will be guarded by LIBRESSL_INTERNAL || LIBRESSL_NEXT_API until the next bump. ok jsing
d8fdceda 2023-03-01 11:16:06 Make the cleanup() method return an int again This partially reverts jsing's OpenBSD commit b8185953, but without adding back the error check that potentialy results in dumb leaks. No cleanup() method in the wild returns anything but 1. Since that's the signature in the EVP_CIPHER_meth_* API, we have no choice... ok jsing
48e299a7 2023-03-01 11:08:37 Fix line wrapping of function pointer arguments ok jsing
10427503 2023-03-01 11:07:25 First KNF approximation as per knfmt(1) ok jsing
b33a8133 2023-03-01 11:06:23 Drop the EVP_CIPHER_METH_get_* functions Nothing interesting uses them. There's a Debian SSH-1 module and corresponding ncrack bits. That's not reason enough to have this garbage. ok jsing
215c8ab0 2023-03-01 11:04:17 Add RCS tag
77bab3bb 2023-03-01 11:02:25 Revert OpenSSL commit aa6bb135 This reinstates the original license on this file. Don't bother bumping the copyright year. Nothing interesting has happened in here since the initial commit. (There was one interesting commit though: "Don't care openssl_zmalloc()", which is interesting due to the lack of care, not because it's copyright worthy) ok jsing
802d2d2b 2023-03-01 10:57:08 libcrypto: import a copy of OpenSSL 1.1's cmeth_lib.c This is the file as of OpenSSL 1.1.1 commit 82dfb986. Call the file cipher_method_lib.c since the short names in this directory are hard enough to read. This is a first step towards providing the poorly named EVP_CIPHER_meth_* API which is needed by some projects because of EVP_CIPHER opacity. ok jsing
f82bd1c6 2023-03-01 09:29:32 Rework logging for the regression tests. Previously we would log to ssh.log and sshd.log, but that is insufficient for tests that have more than one concurent ssh/sshd. Instead, we'll log to separate datestamped files in a $OBJ/log/ and leave a symlink at the previous location pointing at the most recent instance with an entry in regress.log showing which files were created at each point. This should be sufficient to reconstruct what happened even for tests that use multiple instances of each program. If the test fails, tar up all of the logs for later analysis. This will let us also capture the output from some of the other tools which was previously sent to /dev/null although most of those will be in future commits.
12bf74e7 2023-03-01 08:17:53 Change fatal() to fatalx() since the errno has no meaning here. OK tb@
93343522 2023-03-01 08:15:58 KNF, no functional change.
520304af 2023-02-28 21:31:50 fatal out if allocating banner string fails to avoid potential null deref later in sscanf. Spotted by Coverity, ok deraadt@
1729e143 2023-02-28 16:58:36 +sync
ffc3cc9d 2023-02-28 16:12:13 add 7.4 fw key
8c5f03ce 2023-02-28 12:29:57 Rewrite/simplify BN_from_montgomery_word() and BN_from_montgomery(). Rename BN_from_montgomery_word() to bn_montgomery_reduce() and rewrite it to be simpler and clearer, moving further towards constant time in the process. Clean up BN_from_montgomery() in the process. ok tb@
50b5a752 2023-02-28 10:46:27 Explicitly skip the json_web* tests now.
e02409e9 2023-02-28 10:45:46 Add a few missing NIDs for new Wycheproof tests.
ea0c8657 2023-02-28 10:43:21 Skip FRP256v1 curve in ECDH tests. We do not support it.
2b7cc9f7 2023-02-28 10:04:50 Adjust default_print() to not run over snapend. Kill default_print_unaligned() and adjust default_print() to also work with unaligned buffers. There is no need for two functions doing the same thing. Pass the right length in nsh_print to default_print(). Fixes on place that makes tcpdump crash. Reported by Peter J. Philipp (pjp at delphinusdns dot org) OK mbuhl@
a4a4354d 2023-02-28 08:45:24 Explicitly ignore return from fchmod similar to other calls to prevent warning.
deb51e2e 2023-02-27 22:12:40 Plug mem leak on globbed ls error path. Spotted by Coverity, ok deraadt@
c35fbcd4 2023-02-27 15:00:17 use the correct size of the execve syscall stub
c5cc3359 2023-02-27 14:59:33 Calculate the size of the static (and profiled static) execve syscall stub and store it in a const variable for use by crt0. help from kettenis and miod
b1faa4dd 2023-02-27 14:53:38 sort VEB and add "rules"; ok stsp
58958f7a 2023-02-27 13:30:59 Add missing documentation of veb(4) ioctls to the ifconfig(8) VEB section. These ifconfig commands are supported by veb(4) but were undocumented: deladdr flushrule maxaddr rule rulefile static timeout up As was done before, copy relevant prose from the BRIDGE section. ok jmc@