OpenBSD src changes summary for 2017-11-08
==========================================

regress/sys
regress/usr.bin
sbin/iked
sbin/isakmpd
sbin/ping
share/man
sys/dev/pv
sys/netinet
usr.sbin/ikectl

== regress =========================================================== 01/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

sys

  ~ kern/sosplice/funcs.pl
  ~ kern/sosplice/scapy-oobinline-delay-connect.py
  ~ kern/sosplice/scapy-payload-delay-connect.py

  > Wait for the splicing syscall by grepping it in the relay log. This
  > ensures that scapy's SYN+ACK packet hits the TCP stack when it hurts.
  > (bluhm@)

usr.bin

  + ctfdump/base_types_encoding.i386

  > Enable this test on i386. (mpi@)

== sbin ============================================================== 02/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

iked

  ~ ikev2.c

  > For IPcomp we need to load explicit ESP-flows for the IPIP or IPCOMP
  > tunneled packets, otherwise every packet between the gateways will
  > be sent into the tunnel (e.g. ICMP, too).
  > ok markus@ (patrick@)

  ~ iked.c

  > Do not accept superfluous arguments.
  > From Klemens Nanni.
  > ok markus@ (patrick@)

isakmpd

  ~ dh.c
  ~ dh.h
  ~ ike_auth.c
  ~ ike_phase_1.c
  ~ ike_quick_mode.c
  ~ ipsec.h
  ~ vendor.c

  > In the final RFC 5903 the computation for the DH shared secret changed.
  > Instead of the full point, only the X point is included.
  > The member g_xy is always the shared secret but so far its buffer has
  > been allocated using the size of the public points. Since this is a
  > different size now, as the shared secret for EC Groups should only store
  > the x point, we need another member to specify the length of g_xy.
  > Since this is a backwards incompatible change older isakmpds won't be
  > able to negotiate if you use EC groups. Bump the version of our own
  > vendor tag so peers can try to keep compatibility based on the presented
  > tag. This could be used to implement backwards compatibility to
  > older isakmpds.
  > Prompted by and ok mpi@ (patrick@)

ping

  ~ ping.c

  > Add a type cast to force signed comparison. This fixes a loop
  > termination issue that can arise when parsing IP options.
  > The bug was found by Hrvoje Popovski with ping -R.
  > Fix tested by Hrvoje, OK millert@ (visa@)

== share ============================================================= 03/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man7/hier.7

  > /usr/share/compile -> relink; ok tb (jmc@)

== sys =============================================================== 04/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

dev/pv

  ~ if_xnf.c

  > Fixup what looks like a merge mistake; no functional change (mikeb@)

netinet

  ~ ip_ah.c
  ~ ip_ah.h
  ~ ip_esp.c
  ~ ip_esp.h
  ~ ip_input.c
  ~ ip_ipcomp.c
  ~ ip_ipcomp.h
  ~ ip_ipsp.h
  ~ ipsec_input.c
  ~ ipsec_output.c
  ~ udp_usrreq.c

  > Make {ah,esp,ipcomp}stat use percpu counters.
  > OK bluhm@, mpi@ (visa@)

  ~ tcp_input.c

  > The TF_BLOCKOUTPUT flag is set around all sorwakeup() and sowwakeup()
  > calls in tcp_input(). When I added this code for socket splicing,
  > I have missed that they may be called indirectly through functions.
  > Although not strictly necessary since we have the sosplice thread,
  > put that flag consistently when we want to prevent that tcp_output()
  > is called in the middle of tcp_input(). As soisconnected(),
  > soisdisconnected(), and socantrcvmore() call the wakeup functions
  > from tcp_input(), set the TF_BLOCKOUTPUT flag around them.
  > OK visa@ (bluhm@)

== usr.sbin ========================================================== 05/05 ==

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

ikectl

  ~ ikeca.c

  > Since r1.41 the extensions are included in the CSR. Thus ca_request()
  > already sets the extension values and returns. ca_sign() re-uses the
  > information to write out the extension file. Since ca_request() uses
  > strings stored on the stack, on return the pointers to those strings
  > will be unusable. To fix this, strdup() the strings passed ca_setenv()
  > so we can re-use them in another scope. And free() them when we clear
  > the environment in ca_clrenv().
  > Initial report and diff from Andrei-Marius Radu.
  > ok markus@ (patrick@)

===============================================================================
