Commit graph

6290 commits

Author SHA1 Message Date
cinap_lenrek
c039b52fc3 libc: constant time implementation for encode(2) routines, fix base32
the string encoding functions touch secret key material
in a bunch of places (devtls, devcap), so make sure we do
not leak information by cache timing side channels, making
the encoding and decoding routines constant time.

we also expose the alphabets through encXchr()/decXchr()
functions so caller can find the end of a encoded string
before calling decode function (for libmp).

the base32 encoding was broken in several ways. inputs
lengths of len%5 == [2,3,4] had output truncated and
it was using non-standard alphabet. documenting the alphabet
change in the manpage.
2017-12-31 09:06:42 +01:00
cinap_lenrek
ee89c82dd3 wifi: get rid of custom hextob() routine, use dec16(), avoid copies in parsekey() 2017-12-31 01:49:58 +01:00
cinap_lenrek
8a64413eca aux/wpa: get rid of custom Hfmt() routine, just use encodefmt. use %E for mac addresses 2017-12-31 01:04:41 +01:00
cinap_lenrek
57f8b6ec75 libsec: implement SPKI fingerprinting for okCertificate()
Instead of only using a hash over the whole certificate for
white/black-listing, now we can also use a hash over the
Subject Public Key Info (SPKI) field of the certificate which
contians the public key algorithm and the public key itself.

This allows certificates to be renewed independendtly of the
public key.

X509dump() now prints the public key thumbprint in addition
to the certificate thumbprint.

tlsclient will print the certificate when run with -D flag.

okCertificate() will print the public key thumbprint in its
error string when no match has been found.
2017-12-30 03:07:47 +01:00
cinap_lenrek
b42d441a23 libsec: fix mistake: strnchr -> strchr 2017-12-30 02:47:02 +01:00
cinap_lenrek
582d2e664f libsec: avoid unneccesary memory copies and redundant code in x509
getting rid of some functions that take Byte* and instead
pass uchar* and length.

keeping the signature and public key fields in CertX509
as Bits* allows ownership transfer by swapping pointers.

use common code to copy CN from subject field.
2017-12-30 02:36:47 +01:00
cinap_lenrek
e3cad82680 libsec: get rid of dummy data[1] in Bytes and Ints types (thanks pr) 2017-12-29 20:04:42 +01:00
cinap_lenrek
ce2211b08c usbxhci: add missing pexit() in xhcirecover proc (thanks sam-d) 2017-12-29 06:10:25 +01:00
cinap_lenrek
a021f054b0 wifi: revert rate adoption divider, breaks arpunks wifi 2017-12-29 03:41:32 +01:00
cinap_lenrek
e313265eef /lib/bullshit: +converged 2017-12-29 01:58:47 +01:00
cinap_lenrek
8040a878de devtls, devssl: avoid ~0UL comparsion (from drawterm) 2017-12-28 19:13:53 +01:00
cinap_lenrek
80185daba9 devmnt: use u32int for tagmask, simplify alloctag() 2017-12-28 18:25:15 +01:00
cinap_lenrek
b9d2a9efd5 wifi: don't implicitely update lastseen timestamp on nodelookup()
in case we continue to send traffic (like ping) with the ap gone,
the sending would keep updating bss->lastseen which prevents the
timeout to happen to switch bss.
2017-12-28 04:34:03 +01:00
cinap_lenrek
d13142b3da etheriwl, etherwpi: limit transmit queue buffer bloat to 48k (at 22Mbit ≅ 20ms) 2017-12-28 01:24:38 +01:00
cinap_lenrek
ce9cc8a358 wifi: don't assume Wifi.rates[] is sorted, return net data rate for mbps (50% theoretical) 2017-12-28 01:19:14 +01:00
cinap_lenrek
9c6897e848 arch(3): document #P/realmodemem file 2017-12-23 04:45:22 +01:00
cinap_lenrek
96eb90fba1 devvga: removing #v/vgabios, use /dev/realmodemem instead 2017-12-23 04:26:50 +01:00
cinap_lenrek
50bea0348c kernel: convert textmode cga screen contents to kmesg only once
screeninit() might be called again by devvga when switching
to textmode, so only convert the text framebuffer to kmesg
the first time.
2017-12-23 03:56:12 +01:00
cinap_lenrek
19419329b2 auth(8): auth/debug tests both dp9ik and p9sk1 2017-12-23 03:21:01 +01:00
cinap_lenrek
02b6831fa5 kernel: remove Ipifc.mbps, unused. 2017-12-23 02:58:47 +01:00
cinap_lenrek
47f40d8e26 /lib/bullshit: blockchain 2017-12-22 18:26:54 +01:00
cinap_lenrek
3b7f73ccff ip/tinc: handle and set ethertype for ipv6 2017-12-21 04:11:02 +01:00
cinap_lenrek
21b5656d89 upas/fs: more bugs 2017-12-19 20:57:24 +01:00
cinap_lenrek
a84a5c21ce upas/fs: fix precedence bugs, compare digest pointer to nil 2017-12-19 20:44:15 +01:00
cinap_lenrek
417bdbb869 ether8169: add Macv45 for RTL8111HN, rename Macv45 -> Macv42 (thanks qeed, sam-d) 2017-12-19 00:03:54 +01:00
cinap_lenrek
3e22f7ef1d nusb/ether: dont forward loopback packets on bridges, remove read nonblocking hack 2017-12-18 20:50:25 +01:00
cinap_lenrek
c1eb4b8d68 devether: dont forward loopback packets on bridges 2017-12-18 20:47:55 +01:00
cinap_lenrek
1f80d31f41 devbridge: disable write blocking on ethernets 2017-12-18 20:44:53 +01:00
cinap_lenrek
e31934f9f3 bridge(3): clarify manpage, this is a layer2 bridge
yes, it peeks into IP packets to handle fragmentation when sending
onto tunnel ports and does mss clamping. but it can carry arbitrary
ethernet packets just fine (between ethernets).
2017-12-17 20:51:41 +01:00
cinap_lenrek
3e48a66665 pc, pc64: add devbridge to kernel configuration 2017-12-17 20:33:39 +01:00
cinap_lenrek
520c938f0b devbridge: fix mss clamping
- use protocol constants from ip/ip.h and ip/ipv6.h
- support mss clamping for ipv6
- fix padding bug on 64 bit machines (can't use sizeof(Tcphdr))
2017-12-17 20:30:24 +01:00
cinap_lenrek
0affe02b61 ip/tinc: handle single byte noop and end-of-option-list tcp options in clampmss() 2017-12-17 20:20:17 +01:00
cinap_lenrek
15ff38e818 wifi: use protocol constants from ip/ip.h and ip/ipv6.h for dmatproxy() 2017-12-17 17:17:26 +01:00
cinap_lenrek
070a9ef753 wifi: matt damon wifi bridging support 2017-12-16 21:43:47 +01:00
cinap_lenrek
9fd8894fec ether: allow spoofing of source mac address for bridges; used by vmx
to implement layer 2 bridges in userspace, we disable to auto filling
of the source mac address when bridge mode is enabled on the
connection.
2017-12-15 22:22:29 +01:00
aiju
4ad70e6055 vmx(1): fix virtio network bloomfilter 2017-12-13 22:20:12 +00:00
stanley lieber
e35616cb66 /sys/man/*/*: fix perms (sorry) 2017-12-11 19:58:06 -05:00
stanley lieber
c7eff88293 fortunes: Subject: [oss-security] nvi denial of service 2017-12-11 19:36:54 -05:00
stanley lieber
d057d67bed /sys/lib/rootstub 2017-12-11 19:34:15 -05:00
cinap_lenrek
35bc3ac573 devether: remove duplicated parseether() implementation (pull from libip) 2017-12-09 22:07:32 +01:00
cinap_lenrek
a7ac020664 libflate: force non-empty huffman table in mkzprecode() for deflate
busybox gunzip fails on empty (offset) huffman tables,
so force one entry.

gzip states in a comment:

The pkzip format requires that at least one distance code exists,
and that at least one bit should be sent even if there is only one
possible code.
2017-12-09 18:20:29 +01:00
cinap_lenrek
303fb49686 disk/edisk: allow printing and readonly inspection of hybrid MBR/GPT disks (thanks aiju)
dumping hybrid MBR/GPT disks is fine, which can sometimes be found
on USB sticks. but prohibit editing.

however, always barf on disks with dos partitions and missing
protecive MBR partition entry.
2017-12-05 23:44:43 +01:00
cinap_lenrek
a3c2819c50 realemu: fix precedence bug in argconv() format routine (thanks dan cross) 2017-12-04 05:14:31 +01:00
cinap_lenrek
e138750028 realemu: fix pit bcd mode 2017-12-04 05:09:13 +01:00
cinap_lenrek
d850c60121 plan9.ini(8): 9boot(8) is not a DOS program, remove outdated BUGS section 2017-12-03 19:23:55 +01:00
cinap_lenrek
65566dda8e devvga: properly handle physical screen size and panning
- remove arbitrary limits on screen size, just check with badrect()
- post resize when physgscreenr is changed (actualsize ctl command)
- preserve physgscreenr across softscreen flag toggle
- honor panning flag on resize
- fix nil dereference in panning ctl command when scr->gscreen == nil
- use clipr when drawing vga plan 9 console (vgascreenwin())
2017-12-03 18:54:25 +01:00
cinap_lenrek
a08727d9da screenlock: put position check back in grabmouse (thanks deuteron)
the check was there because changing te position causes another
mouse event to get posted resulting in grabmouse spinning.
2017-12-03 16:34:35 +01:00
cinap_lenrek
308407dc6e screenlock: have keyboard activity reset blank timeout 2017-12-03 06:41:41 +01:00
cinap_lenrek
61d4816102 screenlock: avoid continuous blanking, draw fullscreen over border 2017-12-03 06:27:18 +01:00
cinap_lenrek
e1c447bc11 screenlock: some improvements
check for "needkey " error string from auth_userpasswd() in case no
key is pesent in factotum. this used to be a common trap with stand
alone machines that do not have an authentication server setup.

indicate authentication in progress by drawing a white border.

delete unneccesary cruft and simplify the code.
2017-12-03 05:47:35 +01:00