OpenBSD src changes summary for 2016-11-06
==========================================

distrib/sets
lib/libcrypto
lib/libssl
lib/libtls
regress/lib
regress/usr.bin
sys/arch/amd64/stand
sys/arch/armv7/stand/efiboot
sys/arch/hppa/stand
sys/arch/i386/stand
sys/arch/landisk/stand
sys/arch/loongson/conf
sys/arch/loongson/include
sys/arch/loongson/loongson
sys/arch/loongson/stand/boot
sys/arch/loongson/stand/libsa
sys/arch/luna88k/stand/boot
sys/arch/macppc/stand
sys/arch/mips64/include
sys/arch/octeon/stand/boot
sys/arch/octeon/stand/libsa
sys/arch/sgi/stand/boot
sys/arch/sgi/stand/libsa
sys/arch/socppc/stand/boot
sys/arch/sparc64/stand/bootblk
sys/arch/sparc64/stand/libsa
sys/arch/sparc64/stand/ofwboot
sys/dev/pci
sys/dev/usb
usr.bin/ftp
usr.bin/nc
usr.bin/ssh
usr.sbin/httpd
usr.sbin/makefs
usr.sbin/syspatch

== distrib =========================================================== 01/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

sets

  ~ makeetcset

  > Pass -peam to pax(1), so ownership and permissions that were set by
  > etc/Makefile during 'make distribution-etc-root-var' are explicitly
  > honored on the build machine.
  > ok rpe (tb@)

  ~ lists/base/md.alpha
  ~ lists/base/md.amd64
  ~ lists/base/md.armv7
  ~ lists/base/md.hppa
  ~ lists/base/md.i386
  ~ lists/base/md.landisk
  ~ lists/base/md.loongson
  ~ lists/base/md.luna88k
  ~ lists/base/md.macppc
  ~ lists/base/md.octeon
  ~ lists/base/md.sgi
  ~ lists/base/md.socppc
  ~ lists/base/md.sparc64

  > sync (deraadt@)

== lib =============================================================== 02/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto

  ~ man/bn.3

  > add an .Xr that was missing (schwarze@)

  ~ x509/x509_vpm.c

  > use the correct function for free
  > ok beck@ (bcook@)

  ~ x509/x509_vpm.c

  > Commit a reminder that the default is not the default. This needs to
  > be revisited.
  > ok jsing@ (beck@)

  ~ x509/x509_trs.c

  > The upcoming x509 alt chains diff tightens the trust requirements
  > for certificates. This (from OpenSSL) ensures that the current
  > "default" behaviour remains the same. We should revisit this
  > later
  > ok jsing@ (beck@)

  ~ x509/x509_vfy.c

  > Rework X509_verify_cert to support alt chains on certificate verification,
  > via boringssl.
  > ok jsing@ miod@ (beck@)

  ~ curve25519/curve25519.c

  > adjust guards to elide unused Bi array
  > ok jsing@ (bcook@)

  ~ curve25519/curve25519.c

  > Avoid compiling in an unused function.
  > Spotted by guenther@ (jsing@)

  ~ asn1/a_object.c

  > simplify error handling in c2i_ASN1_OBJECT
  > ok beck@, miod@ (bcook@)

  ~ man/rsa.3

  > delete prototypes available in other pages and add two missing .Xr links
  > (schwarze@)

  ~ man/dsa.3

  > delete prototypes available in other pages and add three missing .Xr links
  > (schwarze@)

  ~ man/ASN1_OBJECT_new.3
  ~ man/ASN1_STRING_length.3
  ~ man/ASN1_STRING_new.3
  ~ man/ASN1_STRING_print_ex.3
  ~ man/ASN1_generate_nconf.3
  ~ man/BF_set_key.3
  ~ man/BIO.3
  ~ man/BIO_ctrl.3
  ~ man/BIO_f_base64.3
  ~ man/BIO_f_cipher.3
  ~ man/BIO_f_md.3
  ~ man/BIO_f_null.3
  ~ man/BIO_find_type.3
  ~ man/BIO_new.3
  ~ man/BIO_push.3
  ~ man/BIO_read.3
  ~ man/BIO_s_accept.3
  ~ man/BIO_s_bio.3
  ~ man/BIO_s_connect.3
  ~ man/BIO_s_fd.3
  ~ man/BIO_s_file.3
  ~ man/BIO_s_mem.3
  ~ man/BIO_s_null.3
  ~ man/BIO_s_socket.3
  ~ man/BIO_set_callback.3
  ~ man/BIO_should_retry.3
  ~ man/BN_BLINDING_new.3
  ~ man/BN_CTX_new.3
  ~ man/BN_CTX_start.3
  ~ man/BN_add.3
  ~ man/BN_add_word.3
  ~ man/BN_bn2bin.3
  ~ man/BN_cmp.3
  ~ man/BN_copy.3
  ~ man/BN_generate_prime.3
  ~ man/BN_mod_inverse.3
  ~ man/BN_mod_mul_montgomery.3
  ~ man/BN_mod_mul_reciprocal.3
  ~ man/BN_new.3
  ~ man/BN_num_bytes.3
  ~ man/BN_rand.3
  ~ man/BN_set_bit.3
  ~ man/BN_swap.3
  ~ man/BN_zero.3
  ~ man/BUF_MEM_new.3
  ~ man/CONF_modules_free.3
  ~ man/CONF_modules_load_file.3
  ~ man/CRYPTO_set_ex_data.3
  ~ man/CRYPTO_set_locking_callback.3
  ~ man/DES_set_key.3
  ~ man/DH_generate_key.3
  ~ man/DH_generate_parameters.3
  ~ man/DH_get_ex_new_index.3
  ~ man/DH_new.3
  ~ man/DH_set_method.3
  ~ man/DH_size.3
  ~ man/DSA_SIG_new.3
  ~ man/DSA_do_sign.3
  ~ man/DSA_dup_DH.3
  ~ man/DSA_generate_key.3
  ~ man/DSA_generate_parameters.3
  ~ man/DSA_get_ex_new_index.3
  ~ man/DSA_new.3
  ~ man/DSA_set_method.3
  ~ man/DSA_sign.3
  ~ man/DSA_size.3
  ~ man/ECDSA_SIG_new.3
  ~ man/EC_GFp_simple_method.3
  ~ man/EC_GROUP_copy.3
  ~ man/EC_GROUP_new.3
  ~ man/EC_KEY_new.3
  ~ man/EC_POINT_add.3
  ~ man/EC_POINT_new.3
  ~ man/ERR.3
  ~ man/ERR_GET_LIB.3
  ~ man/ERR_clear_error.3
  ~ man/ERR_error_string.3
  ~ man/ERR_get_error.3
  ~ man/ERR_load_crypto_strings.3
  ~ man/ERR_load_strings.3
  ~ man/ERR_print_errors.3
  ~ man/ERR_put_error.3
  ~ man/ERR_remove_state.3
  ~ man/ERR_set_mark.3
  ~ man/EVP_BytesToKey.3
  ~ man/EVP_DigestInit.3
  ~ man/EVP_DigestSignInit.3
  ~ man/EVP_DigestVerifyInit.3
  ~ man/EVP_EncryptInit.3
  ~ man/EVP_OpenInit.3
  ~ man/EVP_PKEY_CTX_ctrl.3
  ~ man/EVP_PKEY_CTX_new.3
  ~ man/EVP_PKEY_cmp.3
  ~ man/EVP_PKEY_decrypt.3
  ~ man/EVP_PKEY_derive.3
  ~ man/EVP_PKEY_encrypt.3
  ~ man/EVP_PKEY_get_default_digest.3
  ~ man/EVP_PKEY_keygen.3
  ~ man/EVP_PKEY_new.3
  ~ man/EVP_PKEY_print_private.3
  ~ man/EVP_PKEY_set1_RSA.3
  ~ man/EVP_PKEY_sign.3
  ~ man/EVP_PKEY_verify.3
  ~ man/EVP_PKEY_verify_recover.3
  ~ man/EVP_SealInit.3
  ~ man/EVP_SignInit.3
  ~ man/EVP_VerifyInit.3
  ~ man/HMAC.3
  ~ man/MD5.3
  ~ man/OBJ_nid2obj.3
  ~ man/OPENSSL_VERSION_NUMBER.3
  ~ man/OPENSSL_config.3
  ~ man/OPENSSL_load_builtin_modules.3
  ~ man/OpenSSL_add_all_algorithms.3
  ~ man/PEM_read_bio_PrivateKey.3
  ~ man/PEM_write_bio_PKCS7_stream.3
  ~ man/PKCS12_create.3
  ~ man/PKCS12_parse.3
  ~ man/PKCS5_PBKDF2_HMAC.3
  ~ man/PKCS7_decrypt.3
  ~ man/PKCS7_encrypt.3
  ~ man/PKCS7_sign.3
  ~ man/PKCS7_sign_add_signer.3
  ~ man/PKCS7_verify.3
  ~ man/RAND_add.3
  ~ man/RAND_bytes.3
  ~ man/RAND_cleanup.3
  ~ man/RAND_load_file.3
  ~ man/RAND_set_rand_method.3
  ~ man/RC4.3
  ~ man/RIPEMD160.3
  ~ man/RSA_blinding_on.3
  ~ man/RSA_check_key.3
  ~ man/RSA_generate_key.3
  ~ man/RSA_get_ex_new_index.3
  ~ man/RSA_new.3
  ~ man/RSA_padding_add_PKCS1_type_1.3
  ~ man/RSA_print.3
  ~ man/RSA_private_encrypt.3
  ~ man/RSA_public_encrypt.3
  ~ man/RSA_set_method.3
  ~ man/RSA_sign.3
  ~ man/RSA_sign_ASN1_OCTET_STRING.3
  ~ man/RSA_size.3
  ~ man/SHA1.3
  ~ man/SMIME_read_PKCS7.3
  ~ man/SMIME_write_PKCS7.3
  ~ man/UI_new.3
  ~ man/X509_NAME_ENTRY_get_object.3
  ~ man/X509_NAME_add_entry_by_txt.3
  ~ man/X509_NAME_get_index_by_NID.3
  ~ man/X509_NAME_print_ex.3
  ~ man/X509_STORE_CTX_get_error.3
  ~ man/X509_STORE_CTX_get_ex_new_index.3
  ~ man/X509_STORE_CTX_new.3
  ~ man/X509_STORE_CTX_set_verify_cb.3
  ~ man/X509_STORE_set_verify_cb_func.3
  ~ man/X509_VERIFY_PARAM_set_flags.3
  ~ man/X509_new.3
  ~ man/X509_verify_cert.3
  ~ man/bn.3
  ~ man/crypto.3
  ~ man/d2i_ASN1_OBJECT.3
  ~ man/d2i_DHparams.3
  ~ man/d2i_DSAPublicKey.3
  ~ man/d2i_ECPKParameters.3
  ~ man/d2i_PKCS8PrivateKey_bio.3
  ~ man/d2i_RSAPublicKey.3
  ~ man/d2i_X509.3
  ~ man/d2i_X509_ALGOR.3
  ~ man/d2i_X509_CRL.3
  ~ man/d2i_X509_NAME.3
  ~ man/d2i_X509_REQ.3
  ~ man/d2i_X509_SIG.3
  ~ man/des_read_pw.3
  ~ man/dh.3
  ~ man/dsa.3
  ~ man/ec.3
  ~ man/engine.3
  ~ man/evp.3
  ~ man/i2d_PKCS7_bio_stream.3
  ~ man/lh_new.3
  ~ man/lh_stats.3
  ~ man/rsa.3
  ~ man/x509.3

  > first pass; ok schwarze (jmc@)

  ~ man/EC_KEY_new.3
  ~ man/d2i_ECPKParameters.3
  ~ man/dh.3
  ~ man/ec.3

  > delete prototypes available in other pages and add two missing .Xr links
  > (schwarze@)

  ~ man/ERR.3

  > delete prototypes available in other pages and add a missing .Xr link
  > (schwarze@)

  ~ man/BIO_s_fd.3
  ~ man/BIO_s_socket.3

  > document BIO_set_fd() and BIO_get_fd() in one manual page, not in two;
  > general direction discussed yesterday with bcook@ (schwarze@)

  ~ man/engine.3

  > document ENGINE_add_conf_module(3) in one page, not in two (schwarze@)

  ~ man/EC_KEY_new.3
  ~ man/d2i_ECPKParameters.3

  > spacing between macro args and punctuation; (jmc@)

  ~ man/ASN1_OBJECT_new.3
  ~ man/ASN1_STRING_length.3
  ~ man/ASN1_STRING_new.3
  ~ man/ASN1_STRING_print_ex.3
  ~ man/ASN1_generate_nconf.3

  > some minor cleanup; (jmc@)

  ~ man/EVP_PKEY_CTX_ctrl.3
  ~ man/EVP_PKEY_get_default_digest.3

  > document EVP_PKEY_get_default_digest_nid(3) in one page, not in two
  > (schwarze@)

  ~ asn1/a_object.c

  > don't dereference a if NULL (bcook@)

  ~ man/engine.3

  > sort SEE ALSO; (jmc@)

  ~ man/BF_set_key.3

  > some cleanup; (jmc@)

libssl

  ~ s3_clnt.c

  > remove unused variable (bcook@)

  ~ s3_lib.c
  ~ ssl_ciph.c

  > unifdef -m -UOPENSSL_NO_CHACHA -UOPENSSL_NO_POLY1305
  > ok beck@ (jsing@)

  ~ s3_lib.c
  ~ ssl_algs.c
  ~ ssl_ciph.c

  > Remove the single IDEA cipher suite. There is no good reason to support
  > this.
  > ok beck@ bcook@ (jsing@)

  ~ s3_lib.c

  > Adjust cipher suite strengths - move MD5 to LOW, RC4 to LOW and 3DES to
  > MEDIUM.
  > ok beck@ bcook@ (jsing@)

  ~ s3_srvr.c

  > Split out the DHE and ECDHE code paths from
  > ssl3_send_server_key_exchange().
  > ok beck@ bcook@ (jsing@)

  ~ s3_srvr.c

  > Remove pointless check - without fixed ECDH, there is only one way to reach
  > this code path.
  > ok beck@ bcook@ (jsing@)

  ~ s3_srvr.c

  > Split ssl3_get_client_key_exchange() into separate per algorithm functions.
  > ok beck@ (jsing@)

  ~ s3_cbc.c
  ~ ssl_locl.h
  ~ t1_enc.c

  > Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
  > From Markus Uhlin <markus.uhlin at bredband dot net>
  > ok beck@ bcook@ (jsing@)

libtls

  ~ tls_server.c

  > Set the callback on the correct ssl_ctx for the SNI case, instead of
  > the master only.
  > ok jsing@ (beck@)

== regress =========================================================== 03/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

lib

  ~ libssl/client/clienttest.c

  > Update regress for IDEA cipher suite removal. (jsing@)

usr.bin

  ~ openssl/Makefile
  ~ openssl/README
  + openssl/appstest.sh

  > Add regress test script for openssl command.
  > ok beck@ (inoguchi@)

== sys =============================================================== 04/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/amd64/stand

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/armv7/stand/efiboot

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/hppa/stand

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/i386/stand

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/landisk/stand

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/loongson/conf

  ~ files.loongson

  > Add interrupt handling routines for Loongson 3A.
  > Feedback from miod@ (visa@)

arch/loongson/include

  ~ intr.h
  + loongson3.h

  > Add interrupt handling routines for Loongson 3A.
  > Feedback from miod@ (visa@)

arch/loongson/loongson

  + loongson3_intr.c

  > Add interrupt handling routines for Loongson 3A.
  > Feedback from miod@ (visa@)

arch/loongson/stand/boot

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/loongson/stand/libsa

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/luna88k/stand/boot

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/macppc/stand

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/mips64/include

  + loongson3.h

  > Add interrupt handling routines for Loongson 3A.
  > Feedback from miod@ (visa@)

arch/octeon/stand/boot

  ~ Makefile.inc

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/octeon/stand/libsa

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sgi/stand/boot

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sgi/stand/libsa

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/socppc/stand/boot

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/stand/bootblk

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/stand/libsa

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/stand/ofwboot

  ~ Makefile

  > Do not create machine@ symlinks in obj as root during includes:, but
  > defer their creation to later, so that they are owned by BUILDUSER.
  > This eliminates the last root-owned files in obj/ from 'make build'.
  > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
  > to avoid creating bogus symlinks on all other archs.
  > joint work with & ok natano, "let's try it" deraadt (tb@)

dev/pci

  ~ mpii.c

  > don't issue sas config page requests against raid targets.
  > doing requests like that causes lockups on boot.
  > reported by and this fix tested by simon mages (dlg@)

dev/usb

  ~ if_atu.c
  ~ if_cue.c
  ~ if_mos.c
  ~ if_otus.c
  ~ if_ral.c
  ~ if_uath.c
  ~ if_upgt.c
  ~ if_upl.c
  ~ if_url.c
  ~ uberry.c
  ~ udl.c
  ~ udsbr.c
  ~ uipaq.c
  ~ uow.c
  ~ usps.c

  > Avoid calling usbd_set_config_no() in *_attach() and let the stack do
  > it instead.
  > If anything bad happens due to a malformed descriptor it makes no sense
  > to try to attach a driver, and bail before probing.
  > This is similar to the change to avoid calling usbd_set_config_index().
  > (mpi@)

== usr.bin =========================================================== 05/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

ftp

  ~ main.c

  > Bump ftp(1)'s cipher default from "all" to "legacy" - this really should
  > be "compat", but that will require further testing.
  > ok beck@ (jsing@)

nc

  ~ nc.1
  ~ netcat.c

  > rename tlslegacy to tlsall, and better describe what it does.
  > ok jsing@ (beck@)

  ~ nc.1

  > tweak previous; (jmc@)

ssh

  ~ auth.c
  ~ match.c
  ~ servconf.c

  > Validate address ranges for AllowUser/DenyUsers at configuration load
  > time and refuse to accept bad ones. It was previously possible to
  > specify invalid CIDR address ranges (e.g. [email protected]/55) and these
  > would always match.
  > Thanks to Laurence Parry for a detailed bug report. ok markus (for
  > a previous diff version) (djm@)

== usr.sbin ========================================================== 06/06 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

httpd

  ~ config.c
  ~ httpd.conf.5
  ~ httpd.h
  ~ parse.y
  ~ server.c

  > Add OCSP stapling support to httpd
  > ok jsing@ bcook@ (beck@)

  ~ httpd.conf.5

  > tweak previous; (jmc@)

  ~ parse.y

  > since ocsp stapling is optional, make sure we guard if we do not have it.
  > ok jsing@ (beck@)

  ~ server.c

  > conditionalize ocsp load properly
  > ok jsing@ (beck@)

makefs

  ~ ffs.c
  ~ ffs.h

  > Remove unused fields from ffs_opt_t. (natano@)

syspatch

  ~ syspatch.sh

  > Rework the cleanup trap handling using the EXIT trap;
  > trap 'cleanup; goes; here' EXIT
  > trap exit HUP INT TERM ERR FOO BAR BAZ
  > This makes sure the cleanup is always done (unless we exec), and
  > preserves the exit code, such as SIGINT => 130.
  > Also trap less signals. Special signals are special.
  > tested and OK ajacoutot@ (halex@)

===============================================================================
