OpenBSD src changes summary for 2017-03-27
==========================================

gnu/usr.bin/clang                       lib/libcrypto
sbin/iked                               sbin/pfctl
share/man                               sys/arch/amd64/amd64
sys/arch/i386/i386                      sys/arch/loongson/dev
sys/dev                                 sys/dev/acpi
sys/dev/fdt                             sys/dev/pci
sys/kern                                sys/net
sys/netinet                             usr.bin/mandoc
usr.sbin/ocspcheck                      usr.sbin/vmd
usr.sbin/ypldap

== gnu =============================================================== 01/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu

usr.bin/clang

  ~ clang/Makefile    ~ lld/Makefile

  > Do not clobber the default compiler/linker links unless COMPILER_VERSION is
  > set to clang.
  > ok jsg@ (kettenis@)

== lib =============================================================== 02/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto

  ~ man/X509_cmp_time.3

  > reinstate the capitalisation from previous, as advised by schwarze; (jmc@)

== sbin ============================================================== 03/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

iked

  ~ ca.c    ~ crypto.c    ~ iked.8    ~ iked.conf.5    ~ iked.h
  ~ ikev2.c    ~ ikev2.h    ~ ikev2_msg.c    ~ parse.y

  > Add support for RFC4754 (ECDSA) and RFC7427 authentication.
  > These modes provide stronger and more flexible ways for
  > authentication: while RSA public key auth relies on SHA-1 hashes, the
  > new modes use SHA2-256 and up to SHA2-512 hashes.
  > Original diff from markus@ with patches from mikeb@ and me.
  > OK mikeb@ patrick@ (reyk@)

  ~ iked.h    ~ ikev2.c    ~ ikev2_msg.c    ~ ikev2_pld.c    ~ types.h

  > Add support to reflect the responder IKEv2 COOKIE.
  > This fixes connecting to Azure VPN and other implementations that
  > implement the IKEv2 COOKIE mechanism on the responder side. Azure
  > decides to send you a responder COOKIE after too many connection
  > attempts - we have to keep it and reflect it to establish a
  > connection. This implementation is only for the initiator (client)
  > side, we do not support sending COOKIEs on the responder (server) side
  > yet.
  > OK patrick@ mikeb@ (reyk@)

  ~ config.c    ~ ikev2.c    ~ pfkey.c

  > Fix another iked leak of SAs in pfkey_sa(), copy tags correctly.
  > Diff from markus@
  > OK mikeb@ patrick@ (reyk@)

  ~ config.c    ~ crypto.c    ~ ikev2.c    ~ pfkey.c

  > spacing (reyk@)

  ~ config.c    ~ iked.h    ~ ikev2.c    ~ parse.y    ~ types.h

  > Factor out flows into separate configuration messages
  > We reach an imsg payload limit with just a few traffic selectors
  > so in order to load more we need to split them up and send separately.
  > Suggested and OK reyk (mikeb@)

  ~ iked.conf.5

  > correct verb pattern; (jmc@)

  ~ dh.c    ~ dh.h    ~ iked.h    ~ ikev2.c    ~ ikev2_pld.c

  > Don't cache the DH group in the policy
  > When tearing IKE SA down, the DH group referred by it is destroyed,
  > however it remains cached in the policy. With the introduction of
  > IKE SA rekeying we have extended the life of this dangling pointer
  > by reusing it on new SAs. So instead of caching the pointer in the
  > policy we can store the DH group ID and create a DH group on demand
  > using this parameter if it's specified.
  > With and OK reyk (mikeb@)

pfctl

  ~ pfctl.c

  > rather than printing the wrong function name, don't print it at all.
  > found by Klemens Nanni (benno@)

== share ============================================================= 04/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man7/pkgpath.7

  > Fix a typo: /usr/port => /usr/ports
  > OK sthen@ (fcambus@)

  ~ man4/inet6.4

  > various fixes to bring this page up to date a little;
  > help/ok bluhm (jmc@)

  ~ man7/packages.7

  > Fix broken PKG_PATH example link, ftp://ftp.openbsd.org is no more.
  > OK sthen@ (fcambus@)

== sys =============================================================== 05/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/amd64/amd64

  ~ acpi_machdep.c

  > hibernate_free() should not be called from MD code, acpi_sleep_state()
  > unwinds that. Upon hibernate fail, this was a collection of double-frees..
  > ok claudio mlarkin (deraadt@)

  ~ acpi_machdep.c

  > add a newline to an error printf (mlarkin@)

  ~ vmm.c

  > typo in debug build (mlarkin@)

arch/i386/i386

  ~ acpi_machdep.c

  > hibernate_free() should not be called from MD code, acpi_sleep_state()
  > unwinds that. Upon hibernate fail, this was a collection of double-frees..
  > ok claudio mlarkin (deraadt@)

  ~ acpi_machdep.c

  > add a newline to an error printf (mlarkin@)

arch/loongson/dev

  ~ apm.c

  > hibernate_free() should not be called from MD code, acpi_sleep_state()
  > unwinds that. Upon hibernate fail, this was a collection of double-frees..
  > ok claudio mlarkin (deraadt@)

dev

  ~ softraid.c

  > If the sub-device of a softraid lacks a side-effect io function, return
  > failure as early as possible.
  > ok mlarkin claudio (deraadt@)

dev/acpi

  ~ acpi.c

  > Now that hibernate_alloc() only has clean success/failure, don't
  > need to call hibernate_free() to clean up a partial mess.
  > ok mlarkin kettenis (deraadt@)

dev/fdt

  ~ sxirtc.c

  > Reject times in the first year that can be represented by the clock to
  > catch RTC clocks that aren't battery powered.
  > ok deraadt@, millert@, visa@, tom@ (kettenis@)

dev/pci

  ~ pcidevs

  > shorten vmm strings
  > ok kettenis@ reyk@ (jsg@)

  ~ pcidevs.h    ~ pcidevs_data.h

  > regen (jsg@)

kern

  ~ kern_pledge.c

  > wrap bpf pledge code in #if BPFFILTER (deraadt@)

  ~ subr_log.c    ~ uipc_syscalls.c

  > Reorder FREF() and FRELE() in a way that the global variable
  > syslogf always points to a file object with increased reference
  > count. This makes the implementation independent from the fact
  > whether changing the reference counter may sleep.
  > pointed out by Mateusz Guzik; OK deraadt@ (bluhm@)

  ~ subr_hibernate.c

  > If hibernate_alloc() encounters a problem it should undo the partial
  > work.
  > ok mlarkin kettenis (deraadt@)

net

  ~ if_etherip.c

  > Don't reject etherip packets if they are protected with IPsec.
  > This aligns code with documentation & matches what was available before
  > etherip(4) was split from gif(4). sysctl net.inet.etherip.allow=1 is
  > still needed to accept etherip packets not protected with IPsec.
  > Reported by at least Jason Tubnor, ok mikeb@ (jca@)

netinet

  ~ in.c

  > Fix the prefixlen sent by RTM_NEWADDR on new addresses without masks:
  > calculate the prefixlen using the address before sending the RTM_NEWADDR
  > message.
  > ok claudio@ (rzalamena@)

== usr.bin =========================================================== 06/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

mandoc

  ~ apropos.1    ~ man.1    ~ mandoc.1

  > Simplify: mention at one place that -fkl override each other,
  > rather than stating it separately for each option.
  > Suggested, OKed, and tweaked by jmc@. (schwarze@)

  ~ mandoc.1

  > For some options that are rarely needed in mandoc(1),
  > delete the descriptions and point to man(1) instead.
  > Inspired by apropos.1 rev. 1.35. (schwarze@)

  ~ apropos.1    ~ main.c    ~ man.1    ~ mandoc.1

  > simplify the SYNOPSIS as well, just like the option lists;
  > suggested by and OK jmc@ (schwarze@)

== usr.sbin ========================================================== 07/07 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

ocspcheck

  ~ ocspcheck.c

  > Fail early if an ocsp server returns a non-200 http response, there is no
  > point in trying to parse error pages as an ocsp response. (beck@)

  ~ ocspcheck.c

  > use a path of "/" if the URL does not include a trailing / - since
  > the web server probably doesn't like it, even though you published
  > the url without the trailing / in the certificate. (hello digicert!)
  > ok claudio@ (beck@)

  ~ ocspcheck.c

  > repair knf & whitespace that jumped out of the screen during review
  > ok beck (deraadt@)

vmd

  ~ i8253.c    ~ loadfile_elf.c    ~ mc146818.c    ~ parse.y
  ~ pci.c    ~ proc.h    ~ virtio.h    ~ vm.c

  > die whitespace die die die (deraadt@)

ypldap

  ~ aldap.c

  > simplify parseval() by allocating a buffer the size of the input string,
  > which will always be big enough to hold the output string.
  > ok dlg@ (jmatthew@)

===============================================================================
