OpenBSD src changes summary for 2017-01-31
==========================================

gnu lib/libcrypto lib/libssl lib/libtls regress/lib regress/usr.sbin
sys/dev/ic sys/dev/pci sys/dev/pv sys/dev/usb sys/kern sys/net
sys/net80211 sys/netinet sys/sys sys/uvm usr.bin/mandoc usr.sbin/httpd
usr.sbin/ikectl usr.sbin/snmpd usr.sbin/switchctl

== gnu =============================================================== 01/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu

gnu
  ~ llvm/tools/lld/ELF/DriverUtils.cpp
    > Fix creation of the library name, as assigning a string to a StringRef
    > seems to cause bad behaviour. Instead call toStringRef() and use its
    > return value.
    > ok tom@ (patrick@)

== lib =============================================================== 02/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto
  ~ man/Makefile
  + man/get_rfc3526_prime_8192.3
    > Document functions returning standard moduli for DH key exchange.
    > jsing@ confirmed that these are public and worth documenting. (schwarze@)

  ~ evp/e_aes.c
  ~ evp/e_rc4_hmac_md5.c
    > LibreSSL : Truncated packet could crash via OOB read
    > This patch is originally from master branch of OpenSSL.
    > - 2198b3a crypto/evp: harden AEAD ciphers.
    > - 8e20499 crypto/evp: harden RC4_MD5 cipher.
    > ok tom@ (inoguchi@)

libssl
  ~ ssl.h
  ~ ssl_pkt.c
    > Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
    > client-initiated renegotiation. The current default behaviour remains
    > unchanged.
    > ok beck@ reyk@ (jsing@)

libtls
  ~ tls_server.c
    > Disable client-initiated renegotiation for libtls servers.
    > ok beck@ reyk@ (jsing@)

  ~ Symbols.list
  ~ shlib_version
  ~ tls.h
  ~ tls_config.c
  ~ man/tls_config_ocsp_require_stapling.3
  ~ man/tls_load_file.3
    > Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be
    > added associated to a keypair used for SNI, and are usable for more than
    > just the "main" certificate. Modify httpd to use this.
    > Bump libtls minor.
    > ok jsing@ (beck@)

  ~ man/tls_config_ocsp_require_stapling.3
  ~ man/tls_load_file.3
    > tweak previous; (jmc@)

== regress =========================================================== 03/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

lib
  ~ libcrypto/bn/general/bntest.c
    > LibreSSL : regress for carry bug in mulx4x_mont and sqr8x_mont
    > This regress bntest.c patch is originally from master branch of OpenSSL.
    > - dca2e0e test/bntest.c: regression test for CVE-2016-7055.
    > - 3e7a496 test/bntest.c: regression test for carry bug in
    >   bn_sqr8x_internal.
    > These tests were added for these commits.
    > - 2fac86d bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
    > - 3f4bcf5 bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
    > ok beck@ (inoguchi@)

usr.sbin
  ~ syslogd/args-client-tls-fake.pl
  ~ syslogd/args-client-tls-tcp.pl
  ~ syslogd/args-server-tls-client-fake.pl
  ~ syslogd/args-server-tls-tcp.pl
  ~ syslogd/args-tls-cipher-null.pl
    > The libssl and libcrypto error messages have changed. Adapt the
    > regex for the expected output in the log files. (bluhm@)

  ~ relayd/Server.pm
  ~ syslogd/Server.pm
    > Mark the IO::Socket::SSL server socket with SSL_server to avoid
    > OCSP error messages. (bluhm@)

== sys =============================================================== 04/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

dev/ic
  ~ r92creg.h
  ~ rtwn.c
    > Clean up code in rtwn(4)/urtwn(4) which handles EDCA parameters:
    > Get EDCA params from net80211 instead of hardcoding them.
    > Enable hardware management of EDCA AC queues.
    > Handling of frame collisions with EDCA involves random backoffs.
    > I found a register that looks like a seed for the pseudo-RNG involved in
    > computing backoffs. Feed it with arc4random() during initialization.
    > Add a comment to hint at the meaning of numbers written to SIFS registers,
    > and rename some SIFS registers to better names found in Linux.
    > ok mpi@ (stsp@)

  ~ rtwn.c
    > Configure rtwn's ACMHWCTRL register correctly. Bits in this register
    > correspond to the flag stored in our stack as ac->ac_acm.
    > ok mpi@ (stsp@)

dev/pci
  ~ if_iwmreg.h
    > Update the struct iwm_scan_results_notif to FW Api version 3, and remove
    > the unused enum iwm_scan_complete_status status codes.
    > This corresponds to parts of the Linux iwlwifi commits
    > 1083fd7391e989be52022f0f338e9dadc048b063 and
    > 75118fdb63496e4611ab50380499ddd62b9de69f.
    > No functional change, since struct iwm_scan_results_notif isn't accessed
    > in iwm at the moment.
    > Patch by Imre Vadasz. (stsp@)

dev/pv
  ~ xen.c
    > Issue a pause instruction in the busy-wait loop on SP kernels as well
    > (mikeb@)

dev/usb
  ~ uaudio.c
    > Fix links to USB audio specs.
    > From Michael Reed (jca@)

kern
  ~ kern_synch.c
  ~ sys_socket.c
    > Remove the inifioctl hack, checking for an unheld NET_LOCK() in
    > tsleep(9) & friends seem to only produce false positives and cannot
    > be easily disabled. (mpi@)

net
  ~ rtsock.c
    > Use CTASSERT instead of KASSERT for a few sysctl that use the counters API
    > ok dlg@ mpi@ (jca@)

  ~ if.c
    > Remove the inifioctl hack, checking for an unheld NET_LOCK() in
    > tsleep(9) & friends seem to only produce false positives and cannot
    > be easily disabled. (mpi@)

net80211
  ~ ieee80211_output.c
    > When telling clients which EDCA parameters to use, copy these parameters
    > from the client parameter set, rather than from the AP parameter set.
    > ok mpi@ (stsp@)

  ~ ieee80211_output.c
    > In a comment inside ieee80211_up_to_ac(), update a reference section
    > number from the 802.11-2007 standard to the 802.11-2012 standard. (stsp@)

netinet
  ~ igmp.c
  ~ ip_input.c
  ~ udp_usrreq.c
    > Use CTASSERT instead of KASSERT for a few sysctl that use the counters API
    > ok dlg@ mpi@ (jca@)

sys
  ~ proc.h
    > Protect <sys/atomic.h> with #ifdef _KERNEL. This unbreaks userland
    > build on m88k, where the compiler has no notion of atomic built-ins.
    > Suggested by miod@
    > OK mpi@ (visa@)

uvm
  ~ uvm_amap.c
  ~ uvm_aobj.c
    > Sprinkle some free sizes in uvm/
    > ok stefan@ visa@ (dhill@)

== usr.bin =========================================================== 05/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

mandoc
  ~ apropos.1
  ~ man.1
  ~ mandoc.1
    > add missing HISTORY information (schwarze@)

== usr.sbin ========================================================== 06/06 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

httpd
  ~ server.c
    > Do not set EVBUFFER_EOF on read/write errors and handle EOF correctly.
    > Either libevent or the TLS callback can trigger an EOF when the
    > connection is closed.
    > OK sunil@ jung@ benno@ (reyk@)

  ~ httpd.h
  ~ server_http.c
    > The variable clt_done is used in too many places.
    > Introduce a new variable clt_headersdone in the async HTTP parser.
    > OK sunil@ benno@ (reyk@)

  ~ httpd.h
  ~ server_file.c
  ~ server_http.c
    > Reimplement httpd's support for byte ranges.
    > The previous implementation loaded all the output into a single output
    > buffer and used its size to determine the Content-Length of the body.
    > The new implementation calculates the body length first and writes the
    > individual ranges in an async way using the bufferevent mechanism.
    > This prevents httpd from using too much memory and applies the
    > watermark and throttling mechanisms to range requests.
    > Problem reported by Pierre Kim (pierre.kim.sec at gmail.com)
    > OK benno@ sunil@ (reyk@)

  ~ server.c
    > Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be
    > added associated to a keypair used for SNI, and are usable for more than
    > just the "main" certificate. Modify httpd to use this.
    > Bump libtls minor.
    > ok jsing@ (beck@)

  ~ server.c
    > Correct mistake I made when converting this to new function (beck@)

  ~ server.c
    > remove extra call setting OCSP staple now that it is done above
    > using keypair_ocsp..
    > ok reyk@ (beck@)

  ~ server_file.c                                          TAGGED OPENBSD_6_0
    > A bug in the processing of range headers in httpd can lead to memory
    > exhaustion and possibly crash httpd.
    > This patch disables range header processing.
    > The problem is fixed in future versions of httpd (OpenBSD 6.1)
    > by changing the way the file size is determined.
    > found by Pierre Kim (pierre.kim.sec at gmail.com), thanks.
    > fix by sunil@
    > ok reyk@ sunil@ and beck@ danj@ tb@ and tj@ on the errata. (benno@)

  ~ server_file.c                                          TAGGED OPENBSD_5_9
    > A bug in the processing of range headers in httpd can lead to memory
    > exhaustion and possibly crash httpd.
    > This patch disables range header processing.
    > The problem is fixed in future versions of httpd (OpenBSD 6.1)
    > by changing the way the file size is determined.
    > found by Pierre Kim (pierre.kim.sec at gmail.com), thanks.
    > fix by sunil@
    > ok reyk@ sunil@ and beck@ danj@ tb@ and tj@ on the errata. (benno@)

ikectl
  ~ ikeca.c
  ~ ikeca.cnf
    > Teach ikectl to include extensions in the CSR, rather than just adding them
    > when signing the certificates by the local CA. This can make things easier
    > if you want to take a CSR from ikectl to another CA for signing, they often
    > copy extensions from the request. ok reyk@ (sthen@)

snmpd
  ~ mib.c
    > Don't include a literal "%" in the value for humidity sensorValue in
    > OPENBSD-SENSORS-MIB, % is the unit for this value and is already present
    > in sensorUnits, and it's harder for NMS to parse "100.00%" as a number.
    > From Joel Knight. (sthen@)

switchctl
  ~ switchctl.c
    > Use the sizeof operator on a struct not a pointer to one.
    > ok rzalamena@ (jsg@)

===============================================================================
_______________________________________________
odc mailing list
[email protected]
http://www.squish.net/mailman/listinfo/odc
