deraadt
321acf802e
sync
9 years ago
deraadt
499c083200
openprom, just like eeprom; ok miod
9 years ago
deraadt
7b6b950c17
sync
9 years ago
deraadt
f06e3b71fd
eeprom(8) is only run by root now, so no need for kmem group
ok miod
9 years ago
krw
d5a7436248
'rc.firstime' -> 'rc.firsttime' in comment.
Diff from Navan Carson via tech@
9 years ago
millert
8567b6a47c
Set verbosity to 1 (the default is 0) so we log incoming notifies
and zone xfers. OK florian@ deraadt@
9 years ago
florian
ae32145624
Disable db file. It is believed to be a saner default for the common
use case.
sthen@ noticed a problem with missing records on shutdown.
OK sthen@
9 years ago
giovanni
f60bcf4eae
fix pkgnames version
ok deraadt@
9 years ago
aoyama
478bf6767c
sync
ok deraadt@
9 years ago
aoyama
543e7562fe
Add com(4) and wd(4) to use them on PCMCIA.
ok deraadt@
9 years ago
miod
64e337e151
Do not use sha512-parisc for now, as it is subtly bugged - passes the sha
regress tests but causes tls ciphersuite using sha386 to fail; found the
hard way by henning@.
I can't see anything wrong in the generated assembly code yet, but building
a libcrypto with no assembler code but sha512_block_data_order() is enough
to trigger Henning's issue, so the bug lies there.
No ABI change; ok deraadt@
9 years ago
millert
9b1817bc73
Update comment to match code; Caspar Schutijser
9 years ago
bcook
8448b71210
remove unused variable
ok reyk@
9 years ago
tedu
236787ace7
we don't let strtonum errors bleed through now.
9 years ago
tedu
6e172aaf1a
Set errno to EINVAL, instead of letting ERANGE escape out.
Printing strerror() in that case will say result too large, even if rounds is
actually too small. invalid is less specific, but less incorrect.
ok millert
9 years ago
jsing
c9efcf7f21
Bump libcrypto and libssl majors, due to various recent churn.
Discussed with/requested by deraadt@ at the conclusion of s2k15.
9 years ago
jsing
33ac287472
Rename tls_config_insecure_noverifyhost() to
tls_config_insecure_noverifyname(), so that it is more accurate and keeps
inline with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.
9 years ago
jsing
a2efc33261
Set the TLS ciphers to "compat" mode, restoring the previous behaviour.
9 years ago
tedu
ade522ddbc
update siphash manpages to reflect change in return type spelling.
ok dlg
9 years ago
tedu
6b550eb5a9
Use standard spelling for types, and rename local variable from "free".
No actual change, but makes it easier to reuse the code elsewhere.
Suggested by Andre Smagin
9 years ago
sthen
128c8abdc7
Make sure to replace an existing /usr/include/ssl symlink, otherwise repeated
builds will have a bogus /usr/include/openssl/openssl as found by naddy. ok jca@
9 years ago
rpe
0e969b9afd
Remove old cruft, that make no sense at all on OpenBSD.
- comments relevant to other brands of UNIX
- the no-op KSH_VERSION case-block, we only have pdksh
- the case-block for setting aliases based on UNIX brand
together with a comment that falsely encourages to modify this
file instead of putting stuff in $HOME/.kshrc
OK krw@ halex@
9 years ago
sthen
28611e7e8a
Add class section for unbound, using openfiles-cur=512 rather
than the daemon class' default of 128. Reminded by/ok ajacoutot@
9 years ago
sthen
dc86b5bb95
Put the _unbound user in "unbound" login class; unbound uses setusercontext
to initialize the unprivileged user, so the usual rc.d mechanism to set the
class isn't used. Problem reported by otto, ok otto@ ajacoutout@
9 years ago
miod
ac5112d544
Fix library ordering on the link line for the sake of static arches. It's, in
that order, tls, crypto, ssl.
9 years ago
jmc
5a29dde418
some fixes from max fillinger, tweaked a little by myself;
ok reyk
9 years ago
tedu
e90ccb31ce
stop deleting the openssl include directory, causing unnecessary rebuilds.
ok jca sthen
10 years ago
reyk
19285c609b
Fix example, syntax is "constraint from www.example.com" (with "from").
Reported by Stefan Wollny.
10 years ago
tedu
f560a5c78d
lsearch and lfind return void *
10 years ago
reyk
57c6dae142
Allow constraints URL without leading path (eg. " https://www.openbsd.org ").
Fixes segfault on configuration load time, as reported by Donovan Watteau.
10 years ago
reyk
2c0d96f390
Use ntpd's deferred DNS resolving for constraints as well. This
allows to get constraint addresses even if network/DNS is not
available at startup (or system boot).
thumbs up & OK henning@
10 years ago
jmc
a4b14a72e4
use a width specifier for lists, and Sq rather than Dq for single letters
to avoid swamping it;
10 years ago
tedu
486708efb7
the possible algos for pref should be documented here
10 years ago
reyk
609076da6a
Remove dead code (IMSG_HOST_DNS has been moved from the parent to
ntp_dns some years ago).
OK henning@
10 years ago
reyk
f80fe4f691
Be less chatty on constraint errors.
OK deraadt@
10 years ago
jmc
4ea8526f95
tweak previous;
10 years ago
jsing
9282f51280
unifdef OPENSSL_NO_RFC3779 - this is currently disabled and unlikely to
be enabled, mostly since people use SANs instead.
ok beck@ guenther@
10 years ago
reyk
2a9806d4a4
spacing
10 years ago
jsing
71b2d0a64a
Remove RC5 code - this is not currently enabled and is not likely to ever
be enabled.
Removes one symbol from libcrypto, however there is no ABI change.
ok beck@ miod@ tedu@
10 years ago
reyk
61d9dff620
After successfully getting a constraint from an HTTPS server, there is
no need to request it ever again. The only exception is the
escalation of failed constraint checks that might lead into
re-requesting the constraint time from all servers. Adjust the states
accordingly.
OK henning@
10 years ago
reyk
65816fa1ac
Don't show the subseconds when displaying the constraint offset.
OK henning@ deraadt@
10 years ago
jsing
2b9dce95cd
Remove crypto/store - part of which is "currently highly experimental".
This code is not compiled in and OPENSSL_NO_STORE is already defined in
opensslfeatures.h. No symbol removal for libcrypto.
ok beck@
10 years ago
reyk
5f9d0ecf71
Move the constraints in a new section and add a preamble to explain
the functionality.
Requested by henning@
OK beck@ deraadt@
10 years ago
reyk
7433fa0bce
Add support for "constraints": when configured, ntpd(8) will query the
time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses. This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present. This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@
10 years ago
bcook
3885488dfe
be more verbose when logging privsep errors.
ok phessler@ deraadt@
10 years ago
bcook
948680b913
use correct formatters for s/size_t data types.
ok deraadt@
10 years ago
millert
cec1070829
Protect fgetwln(), wcslcat() and wcslcpy() with __BSD_VISIBLE
OK tedu@ kettenis@
10 years ago
reyk
a32a1a544c
Add a comment that ntpd MUST NOT use AI_ADDRCONFIG in host_dns()
OK henning@
10 years ago
tedu
e8e1175e68
add restrict to strtol like functions. ok guenther
10 years ago
jsing
e928a301f0
Crank major for libcrypto since symbols have been removed.
Requested by deraadt@
10 years ago