OpenBSD src changes summary for 2016-11-03
==========================================

distrib/syspatch
lib/libc
lib/libcrypto
lib/libssl
lib/libtls
libexec/ld.so
share/man
sys/dev/pv
sys/net
sys/netinet
usr.bin/cvs
usr.bin/libtool
usr.bin/nc
usr.sbin
usr.sbin/syspatch

== distrib =========================================================== 01/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

syspatch

  ~ bsd.syspatch.mk

  > switch to using BUILDUSER and add more error checking (robert@)

== lib =============================================================== 02/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc

  ~ stdlib/malloc.c

  > small tweak to also check canaries if F is in effect (otto@)

libcrypto

  - doc/EVP_BytesToKey.pod
  - doc/EVP_DigestInit.pod
  - doc/EVP_DigestSignInit.pod
  - doc/EVP_DigestVerifyInit.pod
  - doc/EVP_EncryptInit.pod
  - doc/EVP_OpenInit.pod
  - doc/EVP_PKEY_CTX_ctrl.pod
  - doc/EVP_PKEY_CTX_new.pod
  - doc/EVP_PKEY_cmp.pod
  - doc/EVP_PKEY_decrypt.pod
  - doc/EVP_PKEY_derive.pod
  - doc/EVP_PKEY_encrypt.pod
  - doc/EVP_PKEY_get_default_digest.pod
  - doc/EVP_PKEY_keygen.pod
  - doc/EVP_PKEY_new.pod
  - doc/EVP_PKEY_print_private.pod
  - doc/EVP_PKEY_set1_RSA.pod
  - doc/EVP_PKEY_sign.pod
  - doc/EVP_PKEY_verify.pod
  - doc/EVP_PKEY_verify_recover.pod
  - doc/EVP_SealInit.pod
  - doc/EVP_SignInit.pod
  - doc/EVP_VerifyInit.pod
  - doc/evp.pod
  ~ man/Makefile
  + man/EVP_BytesToKey.3
  + man/EVP_DigestInit.3
  + man/EVP_DigestSignInit.3
  + man/EVP_DigestVerifyInit.3
  + man/EVP_EncryptInit.3
  + man/EVP_OpenInit.3
  + man/EVP_PKEY_CTX_ctrl.3
  + man/EVP_PKEY_CTX_new.3
  + man/EVP_PKEY_cmp.3
  + man/EVP_PKEY_decrypt.3
  + man/EVP_PKEY_derive.3
  + man/EVP_PKEY_encrypt.3
  + man/EVP_PKEY_get_default_digest.3
  + man/EVP_PKEY_keygen.3
  + man/EVP_PKEY_new.3
  + man/EVP_PKEY_print_private.3
  + man/EVP_PKEY_set1_RSA.3
  + man/EVP_PKEY_sign.3
  + man/EVP_PKEY_verify.3
  + man/EVP_PKEY_verify_recover.3
  + man/EVP_SealInit.3
  + man/EVP_SignInit.3
  + man/EVP_VerifyInit.3
  + man/evp.3

  > convert EVP manuals from pod to mdoc (schwarze@)

  - doc/HMAC.pod
  - doc/MD5.pod
  ~ man/Makefile
  + man/HMAC.3
  + man/MD5.3

  > convert HMAC and MD5 manuals from pod to mdoc (schwarze@)

  - doc/OBJ_nid2obj.pod
  - doc/d2i_ASN1_OBJECT.pod
  ~ man/Makefile
  + man/OBJ_nid2obj.3
  + man/d2i_ASN1_OBJECT.3

  > convert remaining ASN1 object manuals from pod to mdoc (schwarze@)

  - doc/OPENSSL_VERSION_NUMBER.pod
  - doc/OPENSSL_config.pod
  - doc/OPENSSL_load_builtin_modules.pod
  - doc/OpenSSL_add_all_algorithms.pod
  ~ man/Makefile
  + man/OPENSSL_VERSION_NUMBER.3
  + man/OPENSSL_config.3
  + man/OPENSSL_load_builtin_modules.3
  + man/OpenSSL_add_all_algorithms.3

  > convert configuration manuals from pod to mdoc (schwarze@)

  - doc/PEM_read_bio_PrivateKey.pod
  - doc/PEM_write_bio_PKCS7_stream.pod
  - doc/PKCS12_create.pod
  - doc/PKCS12_parse.pod
  - doc/PKCS5_PBKDF2_HMAC.pod
  - doc/PKCS7_decrypt.pod
  - doc/PKCS7_encrypt.pod
  - doc/PKCS7_sign.pod
  - doc/PKCS7_sign_add_signer.pod
  - doc/PKCS7_verify.pod
  - doc/SMIME_read_PKCS7.pod
  - doc/SMIME_write_PKCS7.pod
  - doc/i2d_PKCS7_bio_stream.pod
  ~ man/Makefile
  + man/PEM_read_bio_PrivateKey.3
  + man/PEM_write_bio_PKCS7_stream.3
  + man/PKCS12_create.3
  + man/PKCS12_parse.3
  + man/PKCS5_PBKDF2_HMAC.3
  + man/PKCS7_decrypt.3
  + man/PKCS7_encrypt.3
  + man/PKCS7_sign.3
  + man/PKCS7_sign_add_signer.3
  + man/PKCS7_verify.3
  + man/SMIME_read_PKCS7.3
  + man/SMIME_write_PKCS7.3
  + man/i2d_PKCS7_bio_stream.3

  > convert PEM and PKCS manuals from pod to mdoc (schwarze@)

  - doc/RAND.pod
  ~ man/Makefile

  > zap the overview manual page of the RAND subsystem
  > that contained nothing but duplicate and misleading information;
  > OK jsing@ (schwarze@)

  - doc/RAND_add.pod
  - doc/RAND_bytes.pod
  - doc/RAND_cleanup.pod
  - doc/RAND_load_file.pod
  - doc/RAND_set_rand_method.pod
  ~ man/Makefile
  + man/RAND_add.3
  + man/RAND_bytes.3
  + man/RAND_cleanup.3
  + man/RAND_load_file.3
  + man/RAND_set_rand_method.3

  > convert RAND manuals from pod to mdoc (schwarze@)

libssl

  ~ ssl_locl.h
  ~ t1_enc.c

  > Clean up the TLS handshake digest handling - this refactors some of the
  > code for improved readability, however it also addresses two issues.
  > The first of these is a hard-to-hit double free that will occur if
  > EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
  > that tls1_digest_cached_records() either completes successfully and sets
  > up all of the necessary digests, or it cleans up and frees everything
  > that was allocated.
  > The second issue is that EVP_DigestUpdate() can fail - detect and handle
  > this in tls1_finish_mac() and change the return type to an int so that a
  > failure can be propagated to the caller (the callers still need to be
  > fixed to handle this, in a later diff).
  > The double-free was reported by Matthew Dillon.
  > ok beck@ doug@ miod@ (jsing@)

  ~ s3_clnt.c

  > Split ssl3_get_key_exchange() into separate functions for DHE/ECDHE.
  > ok beck@ (who was struggling to keep lunch down while reviewing the diff)
  > (jsing@)

  ~ s3_pkt.c

  > In ssl3_read_bytes(), do not process more than three consecutive TLS
  > records, otherwise a peer can potentially cause us to loop indefinitely.
  > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose
  > when they want to handle further processing for this connection.
  > ok beck@ miod@ (jsing@)

  ~ src/ssl/s3_pkt.c                      TAGGED OPENBSD_5_9

  > MFC: In ssl3_read_bytes(), do not process more than three consecutive TLS
  > records, otherwise a peer can potentially cause us to loop indefinitely.
  > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose
  > when they want to handle further processing for this connection.
  > ok beck@ miod@ (jsing@)

  ~ src/ssl/s3_pkt.c                      TAGGED OPENBSD_6_0

  > MFC: In ssl3_read_bytes(), do not process more than three consecutive TLS
  > records, otherwise a peer can potentially cause us to loop indefinitely.
  > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose
  > when they want to handle further processing for this connection.
  > ok beck@ miod@ (jsing@)

libtls

  ~ tls_ocsp.c

  > Fix handshake failures:
  > split out internals of OCSP verification to allow callback
  > to verify before TLS handshake is complete (beck@)

  ~ tls.c
  ~ tls_internal.h

  > Only set an error from libssl related code, if an error has not already
  > been set by libtls code. This avoids the situation where a libtls callback
  > has set an error, only to have it replaced by a less useful libssl based
  > error.
  > ok beck@ (jsing@)

  ~ tls_init.3
  ~ tls_ocsp.c

  > Don't do OCSP validation when we have disabled certificate verification
  > or certificate validation.
  > ok jsing@ (beck@)

== libexec =========================================================== 03/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

ld.so

  ~ malloc.c

  > small tweak to also check canaries if F is in effect (otto@)

== share ============================================================= 04/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man4/hyperv.4

  > Document the KVP interface (mikeb@)

  ~ man7/hier.7

  > Re-add the Xr macro to syspatch now that it's hooked up. (ajacoutot@)

  ~ man5/bsd.port.mk.5

  > Add a proper annotation for portroach documentation link
  > OK schwarze@ (danj@)

== sys =============================================================== 05/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

dev/pv

  ~ hypervic.c

  > Let Integrated Components allocate the receive buffer themselves
  > since they have a better clue how to size it.
  > While here, cleanup the kernel output a bit. (mikeb@)

  ~ hypervic.c
  ~ hypervicreg.h

  > Implement a Key-Value Pair exchange interface
  > The implemented abstraction allows us to query and set little
  > endian UTF-16 keys exchanged between the Host and the Guest via
  > a text based pvbus(4) interface.
  > All keys are attached to one of several key pools: Auto, Guest,
  > External or Guest/Parameters. The hostctl(8) is able to modify
  > values for keys in the Auto pool as well as set new keys in the
  > Guest pool while the Host provides its keys in External and
  > Guest/Parameters pools.
  > Discussed with reyk@ (mikeb@)

  ~ hyperv.c

  > Identify as an OSPlatformID 131 with a kernel version of 6 (mikeb@)

  ~ hypervic.c

  > Add locks to key-value pair pools
  > We need to ensure list and data consistency during concurrent
  > accesses since the interrupt handler is not executed under the
  > kernel lock and may add or modify entries while userland process
  > is reading the value or traversing the list. (mikeb@)

  ~ hypervic.c
  ~ hypervicreg.h

  > Support for key removal and value update operations
  > This change makes it possible for the Host to update the value
  > of an existing key via a Set operation as well as to remove the
  > key completely with a Delete message. (mikeb@)

net

  ~ netisr.h

  > The networking code no longer runs off software interrupts. (mpi@)

  ~ switchofp.c

  > Always call if_put() during the interface iteration on port status
  > multipart reply to avoid reference leaks.
  > ok mikeb@ (rzalamena@)

  ~ switchofp.c

  > Fix debug message to print the presence of more flag correctly.
  > ok mikeb@ (rzalamena@)

netinet

  ~ udp_usrreq.c

  > Remove obsolete vxlan_lookup return value handling
  > With input from reyk@, OK mpi (mikeb@)

== usr.bin =========================================================== 06/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

cvs

  ~ status.c

  > Don't use ce_time if we are running as a server, it won't be present.
  > (joris@)

libtool

  ~ LT/Mode/Link.pm

  > Also ignore --no-undefined (we already ignore -no-undefined) which is
  > starting to show up more and more.
  > ok jasper@ (ajacoutot@)

nc

  ~ netcat.c

  > Make OCSP Stapling: only appear if there is stapling info present.
  > (beck@)

  ~ netcat.c

  > make OCSP_URL only show up when an OCSP url is actually present in the cert
  > (beck@)

== usr.sbin ========================================================== 07/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

usr.sbin

  ~ Makefile

  > Hook up syspatch(8).
  > expectations elevation encouragement from deraadt@ (ajacoutot@)

syspatch

  ~ syspatch.sh

  > Simplify for loops; prompted by a comment from rpe@ (ajacoutot@)

  ~ syspatch.sh

  > Use hw.ncpufound. (ajacoutot@)

  ~ syspatch.sh

  > Merge ls_avail() into ls_missing(), it's only used once.
  > While here, cope with a missing index.txt or other ftp(1) error.
  > (ajacoutot@)

  ~ syspatch.sh

  > Make sure PATCH_PATH is a URL that ftp(1) can cope with. (ajacoutot@)

  ~ syspatch.sh

  > Hardlinks are properly handled; for the rest, we'll see if we need to care
  > or not (XXX). (ajacoutot@)

  ~ syspatch.sh

  > XXX match with installed sets (comp, x...)? (ajacoutot@)

  ~ syspatch.8
  ~ syspatch.sh

  > rollback -> revert where it makes sense. (ajacoutot@)

  ~ syspatch.sh

  > Missing local. (ajacoutot@)

===============================================================================
