OpenBSD src changes summary for 2016-11-30
==========================================

distrib/armv7 distrib/macppc distrib/sets lib/libcrypto lib/libssl
libexec/spamd regress/sys regress/usr.bin share/man sys/conf sys/dev/pci
sys/dev/usb sys/net sys/net80211 usr.bin/ftp usr.bin/nc usr.bin/ssh
usr.bin/tmux usr.sbin/ldapd usr.sbin/smtpd usr.sbin/syslogd
usr.sbin/syspatch usr.sbin/user usr.sbin/vmd

== distrib =========================================================== 01/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

armv7
  ~ ramdisk/Makefile
    > Use makefs to build bsd.rd on armv7 and macppc.
    > ok deraadt (natano@)

macppc
  ~ ramdisk/Makefile
    > Use makefs to build bsd.rd on armv7 and macppc.
    > ok deraadt (natano@)

sets
  ~ lists/base/mi
    > sync (sthen@)
  ~ lists/comp/mi
    > sync (deraadt@)
  ~ lists/comp/mi
    > sync (deraadt@)

== lib =============================================================== 02/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto
  ~ man/OCSP_REQUEST_new.3
  ~ man/OCSP_cert_to_id.3
  ~ man/OCSP_request_add1_nonce.3
  ~ man/OCSP_sendreq_new.3
    > various cleanup; (jmc@)

libssl
  ~ man/SSL_CTX_add_extra_chain_cert.3
    > Add Copyright and license.
    > Lots of improvements from OpenSSL:
    > Document SSL_CTX_clear_extra_chain_certs(3).
    > Correct SSL_CTX_add_extra_chain_cert(3) first argument type.
    > Add some new information and improve wording. (schwarze@)
  ~ man/SSL_CTX_flush_sessions.3
    > Add Copyright and license.
    > Correct two typos while here. (schwarze@)
  ~ man/SSL_CTX_free.3
    > Add Copyright and license.
    > Garbage collect empty RETURN VALUES section. (schwarze@)
  ~ man/SSL_CTX_add_session.3
  ~ man/SSL_CTX_ctrl.3
    > Copyright and license (schwarze@)
  ~ man/Makefile
  + man/SSL_set1_param.3
    > Import the relevant parts of SSL_CTX_get0_param(3) from OpenSSL.
    > Call it SSL_set1_param(3) since we don't have these get0 functions.
    > (schwarze@)
  ~ man/SSL_CTX_get_verify_mode.3
    > Add Copyright and license.
    > Garbage collect empty RETURN VALUES section. (schwarze@)
  ~ man/SSL_CTX_load_verify_locations.3
    > Add Copyright and license.
    > Merge SSL_CTX_set_default_verify_paths(3) documentation from OpenSSL,
    > but do not talk about environment variables, which LibreSSL does
    > not appear to support, judging from the source code.
    > Rename WARNINGS section to CAVEATS. (schwarze@)
  ~ man/SSL_CTX_new.3
    > Add Copyright and license.
    > Remove the last traces of SSLv3.
    > Add TLS_method(3), TLSv1_2_method(3), DTLSv1_method(3) and friends.
    > Add missing prototypes to the SYNOPSIS.
    > Merge additional information from OpenSSL.
    > Simplify description of TLSv1_method(3) and SSLv23_method(3), from OpenSSL.
    > Some additional minor fixes. (schwarze@)
  ~ man/ssl.3
    > Purge some SSLv2 and SSLv3 stuff that no longer exists. (schwarze@)
  ~ man/SSL_CTX_sess_number.3
    > Add Copyright and license.
    > Garbage collect empty RETURN VALUES section. (schwarze@)
  ~ man/SSL_CTX_sess_set_cache_size.3
    > Add Copyright and license.
    > Correct the description of what happens when the session cache is full,
    > from OpenSSL. (schwarze@)
  ~ man/SSL_CTX_sess_set_get_cb.3
  ~ man/SSL_CTX_sessions.3
    > Copyright and license (schwarze@)
  ~ man/Makefile
  + man/SSL_CTX_set_alpn_select_cb.3
    > import SSL_CTX_set_alpn_select_cb(3) from OpenSSL (schwarze@)
  ~ man/SSL_CTX_set_cert_store.3
    > Add Copyright and license.
    > Remove the useless statement that a void function does not return a value.
    > (schwarze@)
  ~ man/SSL_CTX_set_cert_verify_callback.3
    > Add Copyright and license.
    > Rename WARNINGS to CAVEATS and RETURN VALUES to BUGS,
    > the latter from OpenSSL. (schwarze@)
  ~ man/SSL_CTX_set_cipher_list.3
    > Add Copyright and license.
    > Stop talking about export ciphers.
    > Remove two irrelevant cross references. (schwarze@)
  ~ man/SSL_CTX_set_client_CA_list.3
  ~ man/SSL_CTX_set_client_cert_cb.3
    > Copyright and license. (schwarze@)
  ~ man/SSL_CTX_set_default_passwd_cb.3
    > Add Copyright and license.
    > Fix the declaration of pem_password_cb.
    > Simplify wording, mostly from OpenSSL.
    > Garbage collect the empty RETURN VALUES section. (schwarze@)
  ~ man/SSL_CTX_set_generate_session_id.3
    > Add Copyright and license.
    > Add markup for the declaration of GEN_SESSION_CB.
    > Garbage collect some remnants of SSLv2 and SSLv3. (schwarze@)
  ~ man/SSL_CTX_set_info_callback.3
    > Add Copyright and license.
    > Correct prototypes.
    > Drop the useless statement that a void function does not return a value.
    > (schwarze@)

== libexec =========================================================== 03/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

spamd
  ~ spamd.c
    > Check return value of tls_config_set_protocols(3) and bail out in case of
    > failure
    > Feedback and OK jsing@ (mestre@)

== regress =========================================================== 04/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

sys
  ~ net/vxlan/Makefile
  ~ net/vxlan/vxlan_2.sh
    > Fix typos (vgross@)

usr.bin
  ~ ssh/cert-userkey.sh
    > test new behaviour of cert force-command restriction vs. authorized_key/
    > principals (djm@)

== share ============================================================= 05/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man
  ~ man4/ix.4
    > Update the manual page regarding recent changes
    > This adds a few new devices from the X550 family as well as a note that
    > fiber optics modules must be removed after the interface is brought down
    > as discussed on ICB. (mikeb@)
  ~ man4/pci.4
    > update the ix(4) entry; (jmc@)
  ~ man4/options.4
    > better text for makeoptions DEBUG; help/ok mpi (jmc@)
  ~ man4/axen.4
    > list 'StarTech USB31000S' as supported; the driver already attached to it
    > for a while
    > also tested by yours truly (jasper@)

== sys =============================================================== 06/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

conf
  ~ files
    > Enable mira in kernel builds.
    > For now, only build mira if the iwm(4) or iwn(4) drivers are also
    > built since other wifi drivers don't even have 11n support yet.
    > This limits platforms affected by this change to i386 and amd64.
    > make release on i386/amd64 platforms tested by tb@ (thanks!)
    > ok tb@ mpi@ kettenis@ (stsp@)

dev/pci
  ~ if_iwn.c
    > Make iwn(4) receive MIMO frames in monitor mode. We can now sniff all
    > 802.11n frames the hardware is able to receive. Use an xT3R device for
    > best results.
    > This change has not yet been tested on 1T1R devices due to lack of
    > hardware.
    > ok kettenis@ (stsp@)
  ~ if_iwm.c
  ~ if_iwmvar.h
    > Switch the iwm(4) driver to mira rate adaptation in 11n mode.
    > Only the rate adaptation algorithm changes, available data rates do not
    > (yet).
    > Please let me know about any regressions.
    > In 11a/b/g modes the driver still uses AMRR, so forcing one of these modes
    > with ifconfig's 'mode' subcommand will serve as a fallback if necessary.
    > ok tb@ mpi@ kettenis@ (stsp@)
  ~ if_ix.c
    > Update media types upon SFP module change
    > Tested by Hrvoje Popovski and myself. (mikeb@)

dev/usb
  ~ usb_mem.c
  ~ usb_mem.h
    > Do not overlay DMA fragment descriptors with free list handling.
    > This "cleverness" increases the risk of races due to caching and/or
    > prefetching between the HC and DMA engine. Many of the bug reports
    > on bugs@ involving memory corruptions in usb_allocmem() should be
    > easier to diagnose when not avoided with this change.
    > From Marius Strobl, ok kettenis@ (mpi@)

net
  ~ switchofp.c
    > Fix another free() with wrong size panic when handling group-mod buckets
    > size changes and add more sanity checks for group buckets payload.
    > (rzalamena@)

net80211
  + ieee80211_mira.c
  + ieee80211_mira.h
    > Add a new implementation of MiRA, a rate scaling algorithm for 802.11n.
    > This algorithm was designed for use with MIMO and Tx aggregation.
    > This is joint work with tb@, who helped with all the tricky math bits.
    > Additional help with testing by phessler@, mpi@, and jmatthew@.
    > I believe this is now ready for wider testing, and for future work to
    > happen in-tree.
    > A paper which explains the algorithm can be found at:
    > http://www.cs.ucla.edu/wing/publication/papers/Pefkianakis.MOBICOM10.pdf
    > Roughly, this algorithm attempts to keep track of the current "goodput"
    > (the effective data rate) for each MCS. It converges towards a rate which
    > gets the most bits per second transmitted with least loss.
    > Occasionally, frames will be steered to different rates to probe for
    > changes.
    > (The algorithm does not send frames on its own. It only advances whenever
    > the driver has sent a frame.)
    > Time-based probing to adjacent MCS rates occurs periodically.
    > This is similar to what AMRR does, except that eventually mira will
    > try out multi-antenna modes as well.
    > Event-based probing happens when a sudden change in goodput is detected.
    > I've chosen to make downwards probing fast, and upwards probing slow.
    > (The paper does not specify such a preference.)
    > This means it should react quickly to worsening conditions and pull the
    > rate down (perhaps to the lowest possible rate). It should then raise
    > upwards slowly on a rate-per-rate basis as conditions improve again.
    > In my testing this works as intended as I keep moving a laptop outside
    > and inside the AP's range.
    > Not linked to the build yet.
    > ok mpi@ kettenis@ (stsp@)

== usr.bin =========================================================== 07/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

ftp
  ~ main.c
    > Check return value of tls_config_set_protocols(3) and bail out in case of
    > failure
    > Feedback and OK jsing@ (mestre@)

nc
  ~ netcat.c
    > Check return value of tls_config_set_protocols(3) and
    > tls_config_set_ciphers(3) and bail out in case of failure
    > Feedback and OK jsing@ (mestre@)

ssh
  ~ misc.c
  ~ misc.h
  ~ sshd.c
    > On startup, check to see if sshd is already daemonized and if so,
    > skip the call to daemon() and do not rewrite the PidFile. This
    > means that when sshd re-execs itself on SIGHUP the process ID will
    > no longer change. Should address bz#2641.
    > ok djm@ markus@. (dtucker@)
  ~ auth-options.c
  ~ auth-options.h
  ~ auth2-pubkey.c
  ~ sshd.8
    > When a forced-command appears in both a certificate and an
    > authorized keys/principals command= restriction, refuse to accept
    > the certificate unless they are identical.
    > The previous (documented) behaviour of having the certificate
    > forced-command override the other could be a bit confused and more
    > error-prone.
    > Pointed out by Jann Horn of Project Zero; ok dtucker@ (djm@)
  ~ servconf.c
  ~ servconf.h
  ~ serverloop.c
  ~ session.c
  ~ sshd_config.5
    > Add a sshd_config DisableForwarding option that disables X11, agent,
    > TCP, tunnel and Unix domain socket forwarding, as well as anything
    > else we might implement in the future.
    > This, like the 'restrict' authorized_keys flag, is intended to be a
    > simple and future-proof way of restricting an account. Suggested as
    > a complement to 'restrict' by Jann Horn; ok markus@ (djm@)
  ~ ssh-agent.1
  ~ ssh-agent.c
    > add a whitelist of paths from which ssh-agent will load (via
    > ssh-pkcs11-helper) a PKCS#11 module; ok markus@ (djm@)
  ~ ssh-agent.1
    > tweak previous;
    > while here fix up FILES and AUTHORS; (jmc@)

tmux
  ~ tty.c
    > Fix check for cursor at end of line. (nicm@)

== usr.sbin ========================================================== 08/08 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

ldapd
  ~ parse.y
    > Check return value of tls_config_set_protocols(3) and bail out in case of
    > failure
    > Feedback and OK jsing@ (mestre@)

smtpd
  ~ bounce.c
  ~ filter.c
  ~ ioev.c
  ~ ioev.h
  ~ mda.c
  ~ mta_session.c
  ~ smtp_session.c
  ~ smtpd.h
    > make struct io opaque:
    > - move struct io definition to ioev.c
    > - replace io_init/io_clear with io_new/io_free
    > - allocate an iobuf for each new io internally
    > - use struct io pointer in the rest of the code
    > - remove remaining uses of iobuf_*
    > ok gilles@ sunil@ (eric@)
  ~ ioev.c
  ~ ioev.h
  ~ mda.c
  ~ mta_session.c
  ~ smtp_session.c
    > hide internal io flags and rename IO_PAUSE_{IN,OUT} to IO_{IN,OUT}
    > ok gilles@ sunil@ (eric@)
  ~ smtpd.h
  ~ util.c
    > remove unused iobuf helpers (eric@)

syslogd
  ~ syslogd.c
    > Wrap lines earlier on tls_config_set_protocols(3)
    > Feedback and OK jsing@ (mestre@)

syspatch
  ~ syspatch.8
  ~ syspatch.sh
    > Change the hierarchy under /var/syspatch/ so that the output of installed
    > or missing patches matches the official names.
    > e.g.
    > $ doas syspatch -c
    > 015_libssl
    > Add a bit more output on what we are doing.
    > Tighten a few checks and rename some vars.
    > People playing with syspatch on 6.0 should update syspatch.sh asap from
    > current as I will soon remove the temporary quirks glue. (ajacoutot@)
  ~ syspatch.sh
    > During early testing, hardcode the syspatch repo to 'syspatch.openbsd.org'
    > which points to ftp.fr. This will change once 6.1 is out.
    > discussed with deraadt@ (ajacoutot@)
  ~ syspatch.sh
    > Simplify:
    > - consistency in integer checks
    > - drop apply_patches(), better call the actual apply_patch() function from
    >   within the script itself (ajacoutot@)

user
  ~ user.c
    > According to usermod(8) manpage if -g =uid is used it should create a new
    > group with a unique UID, if it's not already created (not in the manpage),
    > but this wasn't implemented.
    > This implements that functionality similar to what NetBSD has, but with
    > some corrections by adding a fd closure in case of failure and on the
    > failure message itself which they got wrong.
    > OK tb@ (mestre@)
  ~ usermgmt.conf.5
  ~ usermod.8
    > note that no group is created if a group already exists when using =uid;
    > while here, clean the text up a bit;
    > from mestre and myself (jmc@)
  ~ user.c
    > Mitigate some fd leaks on user(8)
    > OK millert@ (mestre@)
  ~ user.c
    > Since pwp->pw_gid is equal to pwp->pw_uid then use the former instead in
    > the creategid() function and in the failure message since it makes more
    > sense in this chunk of code.
    > OK millert@ (mestre@)

vmd
  ~ vmm.c
    > Always remove the local vm after calling terminate_vm(). (reyk@)

===============================================================================
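The forced-command reconciliation described in the usr.bin/ssh entry above (certificate force-command vs. authorized_keys/principals command=), as an added illustration that is not OpenSSH's code: the old and new decision rules side by side, with constructed sample command strings and NULL standing for "no forced command set".

```c
#include <stdio.h>
#include <string.h>

/* Decision for one login attempt. Added illustration, not OpenSSH source. */
enum fc_result { FC_ACCEPT, FC_REJECT };

/*
 * Pre-change rule as described in the commit message: a forced command
 * in the certificate silently overrides the key's command= restriction.
 */
static enum fc_result
forced_command_old(const char *cert_cmd, const char *key_cmd,
    const char **effective)
{
	*effective = cert_cmd != NULL ? cert_cmd : key_cmd;
	return FC_ACCEPT;
}

/*
 * Post-change rule: if both the certificate and the authorized_keys /
 * authorized_principals entry carry a forced command, they must be
 * identical; otherwise the certificate is refused.
 */
static enum fc_result
forced_command_new(const char *cert_cmd, const char *key_cmd,
    const char **effective)
{
	*effective = NULL;
	if (cert_cmd != NULL && key_cmd != NULL &&
	    strcmp(cert_cmd, key_cmd) != 0)
		return FC_REJECT;	/* conflicting restrictions */
	*effective = cert_cmd != NULL ? cert_cmd : key_cmd;
	return FC_ACCEPT;
}

int
main(void)
{
	/* Constructed sample values: the key is restricted to a status
	 * command, but the certificate carries a different one. */
	const char *cert_cmd = "/usr/local/bin/backup --pull";
	const char *key_cmd = "/usr/local/bin/backup --status";
	const char *eff;

	forced_command_old(cert_cmd, key_cmd, &eff);
	printf("old rule: accept, runs \"%s\" (key restriction bypassed)\n", eff);
	if (forced_command_new(cert_cmd, key_cmd, &eff) == FC_REJECT)
		printf("new rule: certificate refused, commands differ\n");
	return 0;
}
```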
