OpenBSD src changes summary for 2016-12-06
==========================================

distrib/sets distrib/sgi etc/netstart lib/libc lib/libcrypto lib/libssl
regress/sbin sys/arch/mips64/include sys/dev/pci sys/dev/pv sys/net
sys/net80211 usr.bin/ssh usr.sbin/syspatch

== distrib =========================================================== 01/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

sets
 ~ lists/comp/mi
   > sync (deraadt@)

sgi
 ~ ramdisk/Makefile
   > Use makefs to build bsd.rd; build & boot tested by visa (natano@)

== etc =============================================================== 02/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc

netstart
 ~ netstart
   > Do not lose the default route when netstart(8) is run a second time on
   > the interface pointed to by the default route.
   > Since the kernel no longer keeps routes with dangling address pointer,
   > netstart(8) has to re-add the default route when the corresponding ifa
   > has been deleted and re-created.
   > deraadt@ points out that even if the previous semantic was not necessarily
   > better, a script like netstart(8) cannot totally fix the default route
   > problem.
   > Regression reported by and fix tested by Hrvoje Popovski.
   > ksh foo checked by halex@ (mpi@)

== lib =============================================================== 03/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc
 ~ net/linkaddr.c
   > CVE-2016-6559: fix potential buffer overflow(s) in link_ntoa(3).
   > A specially crafted struct sockaddr_dl argument can trigger a stack
   > overflow of a static buffer in libc. An attacker may be able to
   > use this to write to arbitrary locations in the data segment.
   > From FreeBSD (glebius); OK deraadt@ mestre@ (millert@)

libcrypto
 ~ man/BIO_f_buffer.3
 ~ man/BIO_s_bio.3
 ~ man/BUF_MEM_new.3
 ~ man/crypto.3
 ~ man/lh_stats.3
   > replace all references to BIO(3) with references to BIO_new(3) (schwarze@)
 - man/BIO.3
 ~ man/BIO_new.3
 ~ man/BIO_push.3
 ~ man/Makefile
   > We don't want section 3 manual pages with names that do not correspond
   > to functions, so delete the BIO(3) manual page and merge its content
   > into BIO_new(3) and BIO_push(3).
   > Sort the content of BIO_new(3) into a logical order
   > and improve the wording in various ways.
   > Add the required cross references to BIO_push(3). (schwarze@)
 ~ man/BIO_new.3
   > tweak previous; (jmc@)
 ~ man/crypto.3
   > Add Copyright and license.
   > Mention AES, Chacha20, ECDSA, OCSP, OPENSSL_config.
   > Improve many cross references.
   > Convert the table into some real text and polish some wording.
   > Stop talking about SSL.
   > Drop vague references to undocumented internals (objects, stack, txt_db).
   > Delete verbiage that says nothing or is duplicate.
   > Ultimately, the content of this page should be merged into
   > OPENSSL_init_crypto(3), but we don't have that function yet,
   > so the merge has to wait. (schwarze@)
 ~ man/BIO_ctrl.3
 ~ man/BIO_f_base64.3
 ~ man/BIO_f_cipher.3
 ~ man/BIO_f_md.3
 ~ man/BIO_f_null.3
 ~ man/BIO_find_type.3
 ~ man/BIO_read.3
 ~ man/BIO_s_accept.3
 ~ man/BIO_s_connect.3
 ~ man/BIO_s_fd.3
 ~ man/BIO_s_file.3
 ~ man/BIO_s_mem.3
 ~ man/BIO_s_null.3
 ~ man/BIO_s_socket.3
 ~ man/BIO_set_callback.3
 ~ man/BIO_should_retry.3
 ~ man/PEM_read_bio_PrivateKey.3
 ~ man/PEM_write_bio_PKCS7_stream.3
 ~ man/d2i_PKCS8PrivateKey_bio.3
 ~ man/i2d_PKCS7_bio_stream.3
   > make sure that all the BIO pages point back to the master page BIO_new(3)
   > (schwarze@)
 ~ man/EC_GFp_simple_method.3
 ~ man/EC_GROUP_copy.3
 ~ man/EC_GROUP_new.3
 ~ man/EC_KEY_new.3
 ~ man/EC_POINT_add.3
 ~ man/EC_POINT_new.3
 ~ man/OCSP_REQUEST_new.3
 ~ man/OCSP_cert_to_id.3
 ~ man/OCSP_request_add1_nonce.3
 ~ man/OCSP_resp_find_status.3
 ~ man/OCSP_response_status.3
 ~ man/OCSP_sendreq_new.3
 ~ man/d2i_ECPKParameters.3
 ~ man/d2i_PrivateKey.3
   > Delete most references to crypto(3). That page isn't useful enough
   > to be pointed to from random individual pages. (schwarze@)
 ~ man/X509V3_get_d2i.3
   > We don't support Certificate Transparency Extensions and
   > we don't define preprocessor constants for the related NIDs,
   > so delete the subsection discussing them. (schwarze@)
 ~ man/evp.3
   > Copyright and license (schwarze@)
 ~ man/x509.3
   > Copyright and license (schwarze@)

libssl
 ~ man/DTLSv1_listen.3
 ~ man/SSL_accept.3
 ~ man/SSL_connect.3
 ~ man/SSL_do_handshake.3
 ~ man/SSL_get_fd.3
 ~ man/SSL_get_rbio.3
 ~ man/SSL_read.3
 ~ man/SSL_set_bio.3
 ~ man/SSL_set_fd.3
 ~ man/SSL_shutdown.3
 ~ man/SSL_write.3
   > replace all references to BIO(3) with references to BIO_new(3) (schwarze@)
 ~ s3_both.c
 ~ s3_clnt.c
 ~ s3_lib.c
 ~ s3_srvr.c
 ~ ssl_locl.h
   > Convert certificate handshake message generation to CBB, with some clean
   > up and restructure.
   > This also adds CBB based variants of the ssl3_handshake_msg_{start,finish}
   > functions - for the time being these use a CBB to build the messages, then
   > copy back into the init_buf.
   > ok doug@ (jsing@)
 ~ d1_both.c
 ~ d1_clnt.c
 ~ d1_srvr.c
 ~ ssl_locl.h
   > Now that ssl3_send_{client,server}_certificate() are using the common
   > handshake functions, we can remove more copied code from DTLS. (jsing@)
 ~ s3_clnt.c
   > Convert ssl3_send_client_kex_rsa() to CBB.
   > ok doug@ (jsing@)
 ~ man/Makefile
 + man/SSL_SESSION_new.3
   > New manual page SSL_SESSION_new(3) written from scratch.
   > The function prototype is listed in ssl(3) and <openssl/ssl.h>, so
   > it's clearly a public interface, but OpenSSL has no documentation
   > about it whatsoever. (schwarze@)
 ~ man/SSL_SESSION_free.3
   > Add Copyright and license.
   > Garbage collect empty RETURN VALUES section.
   > Delete useless cross reference to ssl(3).
   > Add cross reference to SSL_SESSION_new(3). (schwarze@)
 ~ man/SSL_CTX_get_ex_new_index.3
 ~ man/SSL_CTX_set_tmp_rsa_callback.3
 ~ man/SSL_SESSION_get_ex_new_index.3
 ~ man/SSL_SESSION_get_time.3
 ~ man/SSL_get_ex_data_X509_STORE_CTX_idx.3
 ~ man/SSL_get_ex_new_index.3
   > Copyright and license for the remaining manuals in this directory
   > (schwarze@)
 ~ man/SSL_CTX_set_tmp_rsa_callback.3
   > s/SSL_CTX_need_tmp_rsa/SSL_CTX_need_tmp_RSA/
   > because that's what <openssl/ssl.h> #defines.
   > That's likely a typo in the header file because all the other
   > functions are called *tmp_rsa*(). But it would be a bad idea to
   > fix such a bug in interfaces that are only provided for backward
   > compatibility in the first place, so I'm adjusting the manual to
   > be bug-compatible with the code, for now.
   > But, pretty please, for the next major bump, somebody go get Bob's
   > flensing knife and excise this part of the interface. Like, export
   > ciphers? Really? (schwarze@)
 ~ man/Makefile
 + man/SSL_SESSION_print.3
   > An SSL_SESSION_print(3) manual written from scratch. It's clearly
   > a public interface since it's listed both in ssl(3) and in
   > <openssl/ssl.h>. Nothing to pilfer from OpenSSL in this case...
   > (schwarze@)

== regress =========================================================== 04/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

sbin
 ~ route/rttest14.ok
 ~ route/rttest16.ok
   > Update to match recent changes.
   > IPv6 multicast "All Nodes Address" and "All Routers Address" routes are
   > now attached to the corresponding interface.
   > ok bluhm@ (mpi@)

== sys =============================================================== 05/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/mips64/include
 ~ pmap.h
   > Get PTE shift using PTE_LOG. (visa@)

dev/pci
 ~ if_iwm.c
   > Make sure iwm(4) only calls ieee80211_mira_choose() while in RUN state.
   > Should fix "panic: timeout_add: not initialized" reported by danj@ (stsp@)
 ~ ixgbe_x550.c
   > Let X552 SFP+ boot without a module plugged in
   > Due to insufficient error handling X552 SFP+ card isn't configured
   > properly on boot when an SFP+ module is not plugged in. As a side
   > effect the interface becomes completely unusable afterwards.
   > The issue was discovered and fix tested by Hrvoje Popovski, thanks!
   > (mikeb@)
 ~ if_ix.c
   > Improve error handling and don't fail if SFP module is not present;
   > tested by Hrvoje Popovski, thanks! (mikeb@)
 ~ ixgbe_x550.c
   > Don't forget to return an error (mikeb@)
 ~ pcidevs
   > X557 is the name of an external PHY, not the PCI device
   > Rename 8086:15a[abce] back to X552, give 8086:15ad a proper moniker
   > X552/X557-AT and the yet-unreleased parts 8086:15c* are tentatively
   > named X553. (mikeb@)
 ~ pcidevs.h
 ~ pcidevs_data.h
   > regen (mikeb@)

dev/pv
 ~ pvbus.c
   > The kvop is not mandatory to query the type, fixes hostctl -t on vmm(4)
   > VMs.
   > OK mikeb@ (reyk@)

net
 ~ pf.c
   > Use the sizeof udphdr not the sizeof a pointer to it in the af-to
   > specific part of pf_test_state_icmp(). This worked by accident on LP64
   > archs as the struct is eight bytes long.
   > ok mikeb@ bluhm@ krw@ jca@ (jsg@)

net80211
 ~ ieee80211_mira.c
   > avoid a potentially uninitialised return value
   > ok stsp@ (jsg@)

== usr.bin =========================================================== 06/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

ssh
 ~ ssh.c
   > make IdentityFile successfully load and use certificates that have no
   > corresponding bare public key. E.g. just a private id_rsa and certificate
   > id_rsa-cert.pub (and no id_rsa.pub).
   > bz#2617 ok dtucker@ (djm@)

== usr.sbin ========================================================== 07/07 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

syspatch
 ~ syspatch.sh
   > Tweak comment. (ajacoutot@)
 ~ syspatch.sh
   > Catch mtree(8) error; it's only run when applying patches and we already
   > check for read-only... in this case. (ajacoutot@)
 ~ syspatch.sh
   > Better matching and remove a useless use of sort(1). (ajacoutot@)
 ~ syspatch.sh
   > Missed in previous. (ajacoutot@)

===============================================================================
