OpenBSD src changes summary for 2016-10-30 to 2016-11-06 inclusive ==================================================================
distrib/miniroot distrib/sets distrib/syspatch etc/Makefile etc/rc etc/skel/dot.cvsrc games/fortune lib/libc lib/libcrypto lib/libssl lib/libtls libexec/ld.so regress/lib regress/sys regress/usr.bin share/man sys/arch/alpha/compile sys/arch/amd64/amd64 sys/arch/amd64/compile sys/arch/amd64/stand sys/arch/armv7/compile sys/arch/armv7/stand/efiboot sys/arch/hppa/compile sys/arch/hppa/stand sys/arch/i386/compile sys/arch/i386/stand sys/arch/landisk/compile sys/arch/landisk/stand sys/arch/loongson/compile sys/arch/loongson/conf sys/arch/loongson/dev sys/arch/loongson/include sys/arch/loongson/loongson sys/arch/loongson/stand/boot sys/arch/loongson/stand/libsa sys/arch/luna88k/compile sys/arch/luna88k/stand/boot sys/arch/macppc/compile sys/arch/macppc/stand sys/arch/mips64/include sys/arch/octeon/compile sys/arch/octeon/dev sys/arch/octeon/stand/boot sys/arch/octeon/stand/libsa sys/arch/sgi/compile sys/arch/sgi/stand/boot sys/arch/sgi/stand/libsa sys/arch/socppc/compile sys/arch/socppc/stand/boot sys/arch/sparc64/compile sys/arch/sparc64/stand/bootblk sys/arch/sparc64/stand/libsa sys/arch/sparc64/stand/ofwboot sys/dev/pci sys/dev/pv sys/dev/usb sys/kern sys/net sys/netinet sys/sys usr.bin/at usr.bin/cvs usr.bin/ftp usr.bin/libtool usr.bin/nc usr.bin/ssh usr.bin/tmux usr.bin/units usr.bin/vi usr.sbin usr.sbin/acme-client usr.sbin/bgpd usr.sbin/httpd usr.sbin/makefs usr.sbin/switchd usr.sbin/syspatch usr.sbin/tcpdump usr.sbin/vmd == distrib =========================================================== 01/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib miniroot ~ install.sub > Search for and create a prefetch area only for nonlocal sources. > This enables the installer to verify local set files even if the > prefetch area would not fit on the local disk. > OK krw@ on a similar diff > Idea from and OK naddy@ > Feedback and OK tb@ (rpe@) ~ group ~ install.sub > Remove the obj, xobj and src directories from the base set. 
> The installer will create these directories during install. > So local setups will not get overwritten during upgrades. > idea from and OK deraadt@ > with help from and OK tb@ > feedback from and no objections halex@ (rpe@) sets ~ lists/base/mi > sync (sthen@) ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armv7 ~ lists/base/md.hppa ~ lists/base/md.i386 ~ lists/base/md.landisk ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc ~ lists/base/md.sparc64 ~ lists/base/mi ~ lists/comp/mi ~ lists/man/mi > sync (deraadt@) ~ lists/base/mi > Remove the obj, xobj and src directories from the base set. > The installer will create these directories during install. > So local setups will not get overwritten during upgrades. > idea from and OK deraadt@ > with help from and OK tb@ > feedback from and no objections halex@ (rpe@) ~ lists/base/mi ~ lists/comp/mi > sync (deraadt@) ~ lists/comp/mi > sync (deraadt@) ~ makeetcset > Pass -peam to pax(1), so ownership and permissions that were set by > etc/Makefile during 'make distribution-etc-root-var' are explicitly > honored on the build machine. > ok rpe (tb@) ~ lists/base/md.alpha ~ lists/base/md.amd64 ~ lists/base/md.armv7 ~ lists/base/md.hppa ~ lists/base/md.i386 ~ lists/base/md.landisk ~ lists/base/md.loongson ~ lists/base/md.luna88k ~ lists/base/md.macppc ~ lists/base/md.octeon ~ lists/base/md.sgi ~ lists/base/md.socppc ~ lists/base/md.sparc64 > sync (deraadt@) syspatch ~ bsd.syspatch.mk > switch to using BUILDUSER and add more error checking (robert@) == etc =============================================================== 02/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc Makefile ~ Makefile > Remove the obj, xobj and src directories from the base set. > The installer will create these directories during install. > So local setups will not get overwritten during upgrades. 
> idea from and OK deraadt@ > with help from and OK tb@ > feedback from and no objections halex@ (rpe@) rc ~ rc > spacing (rpe@) skel/dot.cvsrc ~ skel/dot.cvsrc > Add the -d flag to the update command, so directories are created > with 'cvs up'. Prompted by a question by patrick keshishian, diff > by Raf Czlonka. > ok phessler, jca; mild opposition from schwarze (tb@) == games ============================================================= 03/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games fortune ~ datfiles/fortunes2 > spelling fix from eric van gyzen, freebsd r308293; (jmc@) == lib =============================================================== 04/10 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib libc ~ stdio/vfscanf.c ~ stdio/vfwscanf.c > include float.h for the LDBL_MAX_EXP cpp test in floatio.h (jsg@) ~ stdlib/malloc.c > remove some old option letters and also make P non-settable. It has > been the default for ages, and I see no valid reason to be able to > disable it. ok natano@ (otto@) ~ stdlib/malloc.c > small tweak to also check canaries if F is in effect (otto@) ~ stdlib/malloc.c > MALLOC_STATS tweaks, by default not compiled in (otto@) libcrypto ~ opensslv.h > bump to LibreSSL 2.5.1 (bcook@) - doc/DES_set_key.pod - doc/DH_generate_key.pod - doc/DH_generate_parameters.pod - doc/DH_get_ex_new_index.pod - doc/DH_new.pod - doc/DH_set_method.pod - doc/DH_size.pod ~ man/Makefile + man/DES_set_key.3 + man/DH_generate_key.3 + man/DH_generate_parameters.3 + man/DH_get_ex_new_index.3 + man/DH_new.3 + man/DH_set_method.3 + man/DH_size.3 > convert DES and DH manuals from pod to mdoc (schwarze@) - doc/DSA_SIG_new.pod - doc/DSA_do_sign.pod - doc/DSA_dup_DH.pod - doc/DSA_generate_key.pod - doc/DSA_generate_parameters.pod - doc/DSA_get_ex_new_index.pod - doc/DSA_new.pod - doc/DSA_set_method.pod - doc/DSA_sign.pod - doc/DSA_size.pod - doc/EC_GFp_simple_method.pod - doc/EC_GROUP_copy.pod - doc/EC_GROUP_new.pod - doc/EC_KEY_new.pod - doc/EC_POINT_add.pod - 
doc/EC_POINT_new.pod ~ man/Makefile + man/DSA_SIG_new.3 + man/DSA_do_sign.3 + man/DSA_dup_DH.3 + man/DSA_generate_key.3 + man/DSA_generate_parameters.3 + man/DSA_get_ex_new_index.3 + man/DSA_new.3 + man/DSA_set_method.3 + man/DSA_sign.3 + man/DSA_size.3 + man/EC_GFp_simple_method.3 + man/EC_GROUP_copy.3 + man/EC_GROUP_new.3 + man/EC_KEY_new.3 + man/EC_POINT_add.3 + man/EC_POINT_new.3 > convert DSA and EC manuals from pod to mdoc (schwarze@) - doc/ERR.pod - doc/ERR_GET_LIB.pod - doc/ERR_clear_error.pod - doc/ERR_error_string.pod - doc/ERR_get_error.pod - doc/ERR_load_crypto_strings.pod - doc/ERR_load_strings.pod - doc/ERR_print_errors.pod - doc/ERR_put_error.pod - doc/ERR_remove_state.pod - doc/ERR_set_mark.pod ~ man/Makefile + man/ERR.3 + man/ERR_GET_LIB.3 + man/ERR_clear_error.3 + man/ERR_error_string.3 + man/ERR_get_error.3 + man/ERR_load_crypto_strings.3 + man/ERR_load_strings.3 + man/ERR_print_errors.3 + man/ERR_put_error.3 + man/ERR_remove_state.3 + man/ERR_set_mark.3 > convert ERR manuals from pod to mdoc; while reading this, > i wtfed, laughed, puked, and cried in more or less that order... 
> (schwarze@) - doc/EVP_BytesToKey.pod - doc/EVP_DigestInit.pod - doc/EVP_DigestSignInit.pod - doc/EVP_DigestVerifyInit.pod - doc/EVP_EncryptInit.pod - doc/EVP_OpenInit.pod - doc/EVP_PKEY_CTX_ctrl.pod - doc/EVP_PKEY_CTX_new.pod - doc/EVP_PKEY_cmp.pod - doc/EVP_PKEY_decrypt.pod - doc/EVP_PKEY_derive.pod - doc/EVP_PKEY_encrypt.pod - doc/EVP_PKEY_get_default_digest.pod - doc/EVP_PKEY_keygen.pod - doc/EVP_PKEY_new.pod - doc/EVP_PKEY_print_private.pod - doc/EVP_PKEY_set1_RSA.pod - doc/EVP_PKEY_sign.pod - doc/EVP_PKEY_verify.pod - doc/EVP_PKEY_verify_recover.pod - doc/EVP_SealInit.pod - doc/EVP_SignInit.pod - doc/EVP_VerifyInit.pod - doc/evp.pod ~ man/Makefile + man/EVP_BytesToKey.3 + man/EVP_DigestInit.3 + man/EVP_DigestSignInit.3 + man/EVP_DigestVerifyInit.3 + man/EVP_EncryptInit.3 + man/EVP_OpenInit.3 + man/EVP_PKEY_CTX_ctrl.3 + man/EVP_PKEY_CTX_new.3 + man/EVP_PKEY_cmp.3 + man/EVP_PKEY_decrypt.3 + man/EVP_PKEY_derive.3 + man/EVP_PKEY_encrypt.3 + man/EVP_PKEY_get_default_digest.3 + man/EVP_PKEY_keygen.3 + man/EVP_PKEY_new.3 + man/EVP_PKEY_print_private.3 + man/EVP_PKEY_set1_RSA.3 + man/EVP_PKEY_sign.3 + man/EVP_PKEY_verify.3 + man/EVP_PKEY_verify_recover.3 + man/EVP_SealInit.3 + man/EVP_SignInit.3 + man/EVP_VerifyInit.3 + man/evp.3 > convert EVP manuals from pod to mdoc (schwarze@) - doc/HMAC.pod - doc/MD5.pod ~ man/Makefile + man/HMAC.3 + man/MD5.3 > convert HMAC and MD5 manuals from pod to mdoc (schwarze@) - doc/OBJ_nid2obj.pod - doc/d2i_ASN1_OBJECT.pod ~ man/Makefile + man/OBJ_nid2obj.3 + man/d2i_ASN1_OBJECT.3 > convert remaining ASN1 object manuals from pod to mdoc (schwarze@) - doc/OPENSSL_VERSION_NUMBER.pod - doc/OPENSSL_config.pod - doc/OPENSSL_load_builtin_modules.pod - doc/OpenSSL_add_all_algorithms.pod ~ man/Makefile + man/OPENSSL_VERSION_NUMBER.3 + man/OPENSSL_config.3 + man/OPENSSL_load_builtin_modules.3 + man/OpenSSL_add_all_algorithms.3 > convert configuration manuals from pod to mdoc (schwarze@) - doc/PEM_read_bio_PrivateKey.pod - 
doc/PEM_write_bio_PKCS7_stream.pod - doc/PKCS12_create.pod - doc/PKCS12_parse.pod - doc/PKCS5_PBKDF2_HMAC.pod - doc/PKCS7_decrypt.pod - doc/PKCS7_encrypt.pod - doc/PKCS7_sign.pod - doc/PKCS7_sign_add_signer.pod - doc/PKCS7_verify.pod - doc/SMIME_read_PKCS7.pod - doc/SMIME_write_PKCS7.pod - doc/i2d_PKCS7_bio_stream.pod ~ man/Makefile + man/PEM_read_bio_PrivateKey.3 + man/PEM_write_bio_PKCS7_stream.3 + man/PKCS12_create.3 + man/PKCS12_parse.3 + man/PKCS5_PBKDF2_HMAC.3 + man/PKCS7_decrypt.3 + man/PKCS7_encrypt.3 + man/PKCS7_sign.3 + man/PKCS7_sign_add_signer.3 + man/PKCS7_verify.3 + man/SMIME_read_PKCS7.3 + man/SMIME_write_PKCS7.3 + man/i2d_PKCS7_bio_stream.3 > convert PEM and PKCS manuals from pod to mdoc (schwarze@) - doc/RAND.pod ~ man/Makefile > zap the overview manual page of the RAND subsystem > that contained nothing but duplicate and misleading information; > OK jsing@ (schwarze@) - doc/RAND_add.pod - doc/RAND_bytes.pod - doc/RAND_cleanup.pod - doc/RAND_load_file.pod - doc/RAND_set_rand_method.pod ~ man/Makefile + man/RAND_add.3 + man/RAND_bytes.3 + man/RAND_cleanup.3 + man/RAND_load_file.3 + man/RAND_set_rand_method.3 > convert RAND manuals from pod to mdoc (schwarze@) - doc/RSA_blinding_on.pod - doc/RSA_check_key.pod - doc/RSA_generate_key.pod - doc/RSA_get_ex_new_index.pod - doc/RSA_new.pod - doc/RSA_padding_add_PKCS1_type_1.pod - doc/RSA_print.pod - doc/RSA_private_encrypt.pod - doc/RSA_public_encrypt.pod - doc/RSA_set_method.pod - doc/RSA_sign.pod - doc/RSA_sign_ASN1_OCTET_STRING.pod - doc/RSA_size.pod - doc/d2i_RSAPublicKey.pod - doc/rsa.pod ~ man/Makefile + man/RSA_blinding_on.3 + man/RSA_check_key.3 + man/RSA_generate_key.3 + man/RSA_get_ex_new_index.3 + man/RSA_new.3 + man/RSA_padding_add_PKCS1_type_1.3 + man/RSA_print.3 + man/RSA_private_encrypt.3 + man/RSA_public_encrypt.3 + man/RSA_set_method.3 + man/RSA_sign.3 + man/RSA_sign_ASN1_OCTET_STRING.3 + man/RSA_size.3 + man/d2i_RSAPublicKey.3 + man/rsa.3 > convert RSA manuals from pod to mdoc (schwarze@) 
~ x509/x_all.c ~ x509/x509.h > Add X509_up_ref, from boring > ok jsing@ (beck@) ~ x86cpuid.pl > In OPENSSL_wipe_cpu() on i386, which noone uses anyway, check the proper > flag for the presence of a FPU before deciding to wipe the fpu registers. > ok jsing@ (miod@) ~ cryptlib.c ~ md32_common.h ~ arch/alpha/opensslconf.h ~ arch/amd64/opensslconf.h ~ arch/arm/opensslconf.h ~ arch/hppa/opensslconf.h ~ arch/i386/opensslconf.h ~ arch/m88k/opensslconf.h ~ arch/mips64/opensslconf.h ~ arch/powerpc/opensslconf.h ~ arch/sh/opensslconf.h ~ arch/sparc/opensslconf.h ~ arch/sparc64/opensslconf.h ~ engine/eng_padlock.c ~ evp/e_aes.c ~ modes/gcm128.c ~ modes/modes_lcl.h ~ sha/sha512.c > Remove I386_ONLY define. It was only used to prefer a > faster-on-genuine-80386-but-slower-on-80486-onwards innstruction sequence > in > the SHA512 code, and had not been enabled in years, if at all. > ok tom@ bcook@ (miod@) ~ Makefile > No need to reach libssl private headers and to define TERMIOS anymore. > ok bcook@ (miod@) - doc/X509_NAME_ENTRY_get_object.pod - doc/X509_NAME_add_entry_by_txt.pod - doc/X509_NAME_get_index_by_NID.pod - doc/X509_NAME_print_ex.pod - doc/X509_STORE_CTX_get_error.pod - doc/X509_STORE_CTX_get_ex_new_index.pod - doc/X509_STORE_CTX_new.pod - doc/X509_STORE_CTX_set_verify_cb.pod - doc/X509_STORE_set_verify_cb_func.pod - doc/X509_VERIFY_PARAM_set_flags.pod - doc/X509_new.pod - doc/X509_verify_cert.pod - doc/d2i_X509.pod - doc/d2i_X509_ALGOR.pod - doc/d2i_X509_CRL.pod - doc/d2i_X509_NAME.pod - doc/d2i_X509_REQ.pod - doc/d2i_X509_SIG.pod - doc/x509.pod ~ man/Makefile + man/X509_NAME_ENTRY_get_object.3 + man/X509_NAME_add_entry_by_txt.3 + man/X509_NAME_get_index_by_NID.3 + man/X509_NAME_print_ex.3 + man/X509_STORE_CTX_get_error.3 + man/X509_STORE_CTX_get_ex_new_index.3 + man/X509_STORE_CTX_new.3 + man/X509_STORE_CTX_set_verify_cb.3 + man/X509_STORE_set_verify_cb_func.3 + man/X509_VERIFY_PARAM_set_flags.3 + man/X509_new.3 + man/X509_verify_cert.3 + man/d2i_X509.3 + 
man/d2i_X509_ALGOR.3 + man/d2i_X509_CRL.3 + man/d2i_X509_NAME.3 + man/d2i_X509_REQ.3 + man/d2i_X509_SIG.3 + man/x509.3 > convert X509 manuals from pod to mdoc (schwarze@) ~ cryptlib.c ~ cryptlib.h ~ x86_64cpuid.pl ~ x86cpuid.pl ~ aes/asm/aes-586.pl ~ aes/asm/aes-x86_64.pl ~ aes/asm/aesni-sha1-x86_64.pl ~ bn/asm/bn-586.pl ~ bn/asm/x86-gf2m.pl ~ bn/asm/x86-mont.pl ~ bn/asm/x86_64-gf2m.pl ~ engine/eng_aesni.c ~ evp/e_aes.c ~ evp/e_aes_cbc_hmac_sha1.c ~ evp/e_rc4_hmac_md5.c ~ modes/gcm128.c ~ perlasm/x86_64-xlate.pl ~ perlasm/x86asm.pl ~ perlasm/x86gas.pl ~ rc4/asm/rc4-586.pl ~ rc4/asm/rc4-x86_64.pl ~ sha/asm/sha1-586.pl ~ sha/asm/sha1-x86_64.pl ~ sha/asm/sha512-586.pl ~ whrlpool/wp_block.c + x86_arch.h > Replace all uses of magic numbers when operating on OPENSSL_ia32_P[] by > meaningful constants in a private header file, so that reviewers can > actually > get a chance to figure out what the code is attempting to do without > knowing > all cpuid bits. > While there, turn it from an array of two 32-bit ints into a properly > aligned > 64-bit int. > Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will > now always use OPENSSL_cpu_caps() and check for the proper bits in the > whole 64-bit word it returns. > i386 tests and ok jsing@ (miod@) ~ ec/ec.h ~ ec/ec_curve.c ~ ec/ec_lcl.h + ec/ecp_nistz256.c + ec/ecp_nistz256_table.h + ec/asm/ecp_nistz256-armv4.pl + ec/asm/ecp_nistz256-sparcv9.pl + ec/asm/ecp_nistz256-x86.pl + ec/asm/ecp_nistz256-x86_64.pl > Add assembler code for the nist 256-bit GFp curve, written initially by > Intel. Obtained from BoringSSL, with some integration work borrowed from > OpenSSL 1.0.2; assembler code for arm and sparc64 borrowed from OpenSSL > 1.1.0. > None of this code is enabled in libcrypto yet. 
> ok beck@ jsing@ (miod@) ~ shlib_version ~ asn1/a_time_tm.c ~ asn1/asn1.h ~ man/Makefile ~ ocsp/ocsp_cl.c ~ x509/x509_lcl.h ~ x509/x509_vfy.c + man/ASN1_time_parse.3 + x509/vpm_int.h > make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden > functions.. document with a man page. > bump majors on libtls, libssl, libcrypto > ok jsing@ guenther@ (beck@) ~ arch/amd64/Makefile.inc ~ arch/arm/Makefile.inc ~ arch/i386/Makefile.inc ~ arch/sparc64/Makefile.inc > Ride the current major bump and enable assembler code for nist 256p curve, > on amd64 only for now. Stanzas to enable it on arm, i386 and sparc64 are > provided but commented out for lack of testing due to the machine room > being currently in storage. > ok jsing@ (miod@) - krb5/krb5_asn.c - krb5/krb5_asn.h ~ Makefile > Nuke the KRB5 ASN.1 code from orbit. > ok beck@ (jsing@) ~ dh/dh.h ~ dh/dh_asn1.c ~ dsa/dsa.h ~ dsa/dsa_asn1.c ~ ocsp/ocsp.h ~ ocsp/ocsp_asn.c ~ ts/ts_asn1.c > Kill a bunch of OLD_ASN1 usage by replacing ASN1_{d2i,i2d}_* with > ASN1_item_{d2i,i2d}_* equivalents. > ok guenther@ miod@ (jsing@) ~ man/ASN1_time_parse.3 > tweak previous (schwarze@) ~ man/ASN1_time_parse.3 > further tweakage, with an improvement from joel; > ok jsing schwarze (jmc@) ~ bn/bn_mod.c > Stop abusing the ternary operator to decide which function to call in a > return statement. > ok beck@ jsing@ (miod@) ~ evp/e_aes_cbc_hmac_sha1.c ~ evp/e_rc4_hmac_md5.c > No need to duplicate definitions from evp.h locally. > ok bock@ jsing@ (miod@) ~ pem/pem_seal.c > Make sure PEM_SealInit() will correctly destroy the PEM_ENCODE_SEAL_CTX > upon error, as there is no way to do this outside of PEM_SealFinal(), which > can only work if PEM_SealInit() succeeded... > ok beck@ jsing@ (miod@) ~ pkcs12/p12_key.c > Do not leak the ressources possibly allocated by EVP_MD_CTX_init() in the > trivial error path of PKCS12_key_gen_uni(). > ok beck@ jsing@ (miod@) ~ ocsp/ocsp_vfy.c > X509_STORE_CTX_set_*() may fail, so check for errors. 
> ok beck@ (miod@) - doc/RC4.pod - doc/RIPEMD160.pod - doc/SHA1.pod - doc/bn.pod - doc/d2i_DHparams.pod - doc/d2i_DSAPublicKey.pod - doc/d2i_ECPKParameters.pod - doc/dh.pod - doc/dsa.pod - doc/ec.pod - doc/engine.pod - doc/lh_stats.pod ~ man/Makefile + man/RC4.3 + man/RIPEMD160.3 + man/SHA1.3 + man/bn.3 + man/d2i_DHparams.3 + man/d2i_DSAPublicKey.3 + man/d2i_ECPKParameters.3 + man/dh.3 + man/dsa.3 + man/ec.3 + man/engine.3 + man/lh_stats.3 > convert the remaining manual pages from pod to mdoc (schwarze@) ~ pkcs12/p12_utl.c > Stricter validation of inputs of OPENSSL_asc2uni() and OPENSSL_uni2asc(). > While there, try to make these slightly less obfuscated. > ok beck@ jsing@ (miod@) ~ man/PKCS7_decrypt.3 > add the missing content, sorry for committing an empty file (schwarze@) ~ man/ASN1_generate_nconf.3 ~ man/EVP_AEAD_CTX_init.3 ~ man/EVP_PKEY_verify_recover.3 > minor mandoc -Tlint nits (schwarze@) ~ Makefile + curve25519/curve25519-generic.c + curve25519/curve25519.c + curve25519/curve25519.h + curve25519/curve25519_internal.h > Add support for X25519. > This brings in code from BoringSSL, which is mostly taken from SUPERCOP. > ok beck@ bcook@ (jsing@) ~ Makefile ~ man/Makefile > after getting rid of the pod files, clean up the Makefiles; ok bcook@ > (schwarze@) ~ shlib_version > bump minors for symbol addition for ocsp and x25519 symbol additions > (beck@) ~ pkcs7/pk7_doit.c ~ pkcs7/pk7_smime.c ~ ts/ts_rsp_verify.c > More X509_STORE_CTX_set_*() return value checks. > ok beck@ jsing@ (miod@) ~ ocsp/ocsp_ht.c ~ x509v3/pcy_tree.c > Check BIO_new*() for failure. > ok beck@ jsing@ (miod@) ~ objects/obj_mac.num ~ objects/objects.txt > Add objects for X25519, X448, Ed25519 and Ed448. > ok miod@ (jsing@) ~ x509/vpm_int.h ~ x509/x509_vfy.h ~ x509/x509_vpm.c > Part one of the alt chains changes, bring in newer modifications to > VERIFY_PARAMS - based on boringssl. 
> ok jsing@ miod@ (beck@) ~ man/BN_add.3 ~ man/BN_set_bit.3 ~ man/BN_zero.3 ~ man/Makefile ~ man/bn.3 + man/BN_set_negative.3 > document BN_set_negative() and BN_is_negative(); > feedback and OK bcook@, OK jsing@ (schwarze@) ~ man/bn.3 > add an .Xr that was missing (schwarze@) ~ x509/x509_vpm.c > use the correct function for free > ok beck@ (bcook@) ~ x509/x509_vpm.c > Commit a reminder that the default is not the default. This needs to > be revisited. > ok jsing@ (beck@) ~ x509/x509_trs.c > The upcoming x509 alt chains diff tightens the trust requirements > for certificates. This (from OpenSSL) ensures that the current > "default" behaviour remains the same. We should revisit this > later > ok jsing@ (beck@) ~ x509/x509_vfy.c > Rework X509_verify_cert to support alt chains on certificate verification, > via boringssl. > ok jsing@ miod@ (beck@) ~ curve25519/curve25519.c > adjust guards to elide unused Bi array > ok jsing@ (bcook@) ~ curve25519/curve25519.c > Avoid compiling in an unused function. 
> Spotted by guenther@ (jsing@) ~ asn1/a_object.c > simplify error handling in c2i_ASN1_OBJECT > ok beck@, miod@ (bcook@) ~ man/rsa.3 > delete prototypes available in other pages and add two missing .Xr links > (schwarze@) ~ man/dsa.3 > delete prototypes available in other pages and add three missing .Xr links > (schwarze@) ~ man/ASN1_OBJECT_new.3 ~ man/ASN1_STRING_length.3 ~ man/ASN1_STRING_new.3 ~ man/ASN1_STRING_print_ex.3 ~ man/ASN1_generate_nconf.3 ~ man/BF_set_key.3 ~ man/BIO.3 ~ man/BIO_ctrl.3 ~ man/BIO_f_base64.3 ~ man/BIO_f_cipher.3 ~ man/BIO_f_md.3 ~ man/BIO_f_null.3 ~ man/BIO_find_type.3 ~ man/BIO_new.3 ~ man/BIO_push.3 ~ man/BIO_read.3 ~ man/BIO_s_accept.3 ~ man/BIO_s_bio.3 ~ man/BIO_s_connect.3 ~ man/BIO_s_fd.3 ~ man/BIO_s_file.3 ~ man/BIO_s_mem.3 ~ man/BIO_s_null.3 ~ man/BIO_s_socket.3 ~ man/BIO_set_callback.3 ~ man/BIO_should_retry.3 ~ man/BN_BLINDING_new.3 ~ man/BN_CTX_new.3 ~ man/BN_CTX_start.3 ~ man/BN_add.3 ~ man/BN_add_word.3 ~ man/BN_bn2bin.3 ~ man/BN_cmp.3 ~ man/BN_copy.3 ~ man/BN_generate_prime.3 ~ man/BN_mod_inverse.3 ~ man/BN_mod_mul_montgomery.3 ~ man/BN_mod_mul_reciprocal.3 ~ man/BN_new.3 ~ man/BN_num_bytes.3 ~ man/BN_rand.3 ~ man/BN_set_bit.3 ~ man/BN_swap.3 ~ man/BN_zero.3 ~ man/BUF_MEM_new.3 ~ man/CONF_modules_free.3 ~ man/CONF_modules_load_file.3 ~ man/CRYPTO_set_ex_data.3 ~ man/CRYPTO_set_locking_callback.3 ~ man/DES_set_key.3 ~ man/DH_generate_key.3 ~ man/DH_generate_parameters.3 ~ man/DH_get_ex_new_index.3 ~ man/DH_new.3 ~ man/DH_set_method.3 ~ man/DH_size.3 ~ man/DSA_SIG_new.3 ~ man/DSA_do_sign.3 ~ man/DSA_dup_DH.3 ~ man/DSA_generate_key.3 ~ man/DSA_generate_parameters.3 ~ man/DSA_get_ex_new_index.3 ~ man/DSA_new.3 ~ man/DSA_set_method.3 ~ man/DSA_sign.3 ~ man/DSA_size.3 ~ man/ECDSA_SIG_new.3 ~ man/EC_GFp_simple_method.3 ~ man/EC_GROUP_copy.3 ~ man/EC_GROUP_new.3 ~ man/EC_KEY_new.3 ~ man/EC_POINT_add.3 ~ man/EC_POINT_new.3 ~ man/ERR.3 ~ man/ERR_GET_LIB.3 ~ man/ERR_clear_error.3 ~ man/ERR_error_string.3 ~ man/ERR_get_error.3 ~ 
man/ERR_load_crypto_strings.3 ~ man/ERR_load_strings.3 ~ man/ERR_print_errors.3 ~ man/ERR_put_error.3 ~ man/ERR_remove_state.3 ~ man/ERR_set_mark.3 ~ man/EVP_BytesToKey.3 ~ man/EVP_DigestInit.3 ~ man/EVP_DigestSignInit.3 ~ man/EVP_DigestVerifyInit.3 ~ man/EVP_EncryptInit.3 ~ man/EVP_OpenInit.3 ~ man/EVP_PKEY_CTX_ctrl.3 ~ man/EVP_PKEY_CTX_new.3 ~ man/EVP_PKEY_cmp.3 ~ man/EVP_PKEY_decrypt.3 ~ man/EVP_PKEY_derive.3 ~ man/EVP_PKEY_encrypt.3 ~ man/EVP_PKEY_get_default_digest.3 ~ man/EVP_PKEY_keygen.3 ~ man/EVP_PKEY_new.3 ~ man/EVP_PKEY_print_private.3 ~ man/EVP_PKEY_set1_RSA.3 ~ man/EVP_PKEY_sign.3 ~ man/EVP_PKEY_verify.3 ~ man/EVP_PKEY_verify_recover.3 ~ man/EVP_SealInit.3 ~ man/EVP_SignInit.3 ~ man/EVP_VerifyInit.3 ~ man/HMAC.3 ~ man/MD5.3 ~ man/OBJ_nid2obj.3 ~ man/OPENSSL_VERSION_NUMBER.3 ~ man/OPENSSL_config.3 ~ man/OPENSSL_load_builtin_modules.3 ~ man/OpenSSL_add_all_algorithms.3 ~ man/PEM_read_bio_PrivateKey.3 ~ man/PEM_write_bio_PKCS7_stream.3 ~ man/PKCS12_create.3 ~ man/PKCS12_parse.3 ~ man/PKCS5_PBKDF2_HMAC.3 ~ man/PKCS7_decrypt.3 ~ man/PKCS7_encrypt.3 ~ man/PKCS7_sign.3 ~ man/PKCS7_sign_add_signer.3 ~ man/PKCS7_verify.3 ~ man/RAND_add.3 ~ man/RAND_bytes.3 ~ man/RAND_cleanup.3 ~ man/RAND_load_file.3 ~ man/RAND_set_rand_method.3 ~ man/RC4.3 ~ man/RIPEMD160.3 ~ man/RSA_blinding_on.3 ~ man/RSA_check_key.3 ~ man/RSA_generate_key.3 ~ man/RSA_get_ex_new_index.3 ~ man/RSA_new.3 ~ man/RSA_padding_add_PKCS1_type_1.3 ~ man/RSA_print.3 ~ man/RSA_private_encrypt.3 ~ man/RSA_public_encrypt.3 ~ man/RSA_set_method.3 ~ man/RSA_sign.3 ~ man/RSA_sign_ASN1_OCTET_STRING.3 ~ man/RSA_size.3 ~ man/SHA1.3 ~ man/SMIME_read_PKCS7.3 ~ man/SMIME_write_PKCS7.3 ~ man/UI_new.3 ~ man/X509_NAME_ENTRY_get_object.3 ~ man/X509_NAME_add_entry_by_txt.3 ~ man/X509_NAME_get_index_by_NID.3 ~ man/X509_NAME_print_ex.3 ~ man/X509_STORE_CTX_get_error.3 ~ man/X509_STORE_CTX_get_ex_new_index.3 ~ man/X509_STORE_CTX_new.3 ~ man/X509_STORE_CTX_set_verify_cb.3 ~ man/X509_STORE_set_verify_cb_func.3 ~ 
man/X509_VERIFY_PARAM_set_flags.3 ~ man/X509_new.3 ~ man/X509_verify_cert.3 ~ man/bn.3 ~ man/crypto.3 ~ man/d2i_ASN1_OBJECT.3 ~ man/d2i_DHparams.3 ~ man/d2i_DSAPublicKey.3 ~ man/d2i_ECPKParameters.3 ~ man/d2i_PKCS8PrivateKey_bio.3 ~ man/d2i_RSAPublicKey.3 ~ man/d2i_X509.3 ~ man/d2i_X509_ALGOR.3 ~ man/d2i_X509_CRL.3 ~ man/d2i_X509_NAME.3 ~ man/d2i_X509_REQ.3 ~ man/d2i_X509_SIG.3 ~ man/des_read_pw.3 ~ man/dh.3 ~ man/dsa.3 ~ man/ec.3 ~ man/engine.3 ~ man/evp.3 ~ man/i2d_PKCS7_bio_stream.3 ~ man/lh_new.3 ~ man/lh_stats.3 ~ man/rsa.3 ~ man/x509.3 > first pass; ok schwarze (jmc@) ~ man/EC_KEY_new.3 ~ man/d2i_ECPKParameters.3 ~ man/dh.3 ~ man/ec.3 > delete prototypes available in other pages and add two missing .Xr links > (schwarze@) ~ man/ERR.3 > delete prototypes available in other pages and add a missing .Xr link > (schwarze@) ~ man/BIO_s_fd.3 ~ man/BIO_s_socket.3 > document BIO_set_fd() and BIO_get_fd() in one manual page, not in two; > general direction discussed yesterday with bcook@ (schwarze@) ~ man/engine.3 > document ENGINE_add_conf_module(3) in one page, not in two (schwarze@) ~ man/EC_KEY_new.3 ~ man/d2i_ECPKParameters.3 > spacing between macro args and punctuation; (jmc@) ~ man/ASN1_OBJECT_new.3 ~ man/ASN1_STRING_length.3 ~ man/ASN1_STRING_new.3 ~ man/ASN1_STRING_print_ex.3 ~ man/ASN1_generate_nconf.3 > some minor cleanup; (jmc@) ~ man/EVP_PKEY_CTX_ctrl.3 ~ man/EVP_PKEY_get_default_digest.3 > document EVP_PKEY_get_default_digest_nid(3) in one page, not in two > (schwarze@) ~ asn1/a_object.c > don't dereference a if NULL (bcook@) ~ man/engine.3 > sort SEE ALSO; (jmc@) ~ man/BF_set_key.3 > some cleanup; (jmc@) libssl ~ ssl_sess.c > Wrap some >80 char lines. (jsing@) ~ ssl_lib.c > Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only > change to generated assembly results from a difference in line numbers. > (jsing@) ~ ssl.h > Expand DECLARE_PEM_rw macro. (jsing@) ~ ssl.h > Expand DECLARE_LHASH_OF and LHASH_OF macros. 
(jsing@) ~ ssl.h > Expand another LHASH_OF macro. (jsing@) ~ ssl_lib.c ~ ssl_sess.c > Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN > macros. Only change in generated assembly is due to line numbering. > (jsing@) ~ ssl_locl.h ~ t1_enc.c > Clean up the TLS handshake digest handling - this refactors some of the > code for improved readability, however it also address two issues. > The first of these is a hard-to-hit double free that will occur if > EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure > that tls1_digest_cached_records() either completes successfully and sets > up all of the necessary digests, or it cleans up and frees everything > that was allocated. > The second issue is that EVP_DigestUpdate() can fail - detect and handle > this in tls1_finish_mac() and change the return type to an int so that a > failure can be propagated to the caller (the callers still need to be > fixed to handle this, in a later diff). > The double-free was reported by Matthew Dillon. > ok beck@ doug@ miod@ (jsing@) ~ s3_clnt.c > Split ssl3_get_key_exchange() into separate functions for DHE/ECDHE. > ok beck@ (who was struggling to keep lunch down while reviewing the diff) > (jsing@) ~ s3_pkt.c > In ssl3_read_bytes(), do not process more than three consecutive TLS > records, otherwise a peer can potentially cause us to loop indefinately. > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose > when they want to handle further processing for this connection. > ok beck@ miod@ (jsing@) ~ src/ssl/s3_pkt.c TAGGED OPENBSD_5_9 > MFC: In ssl3_read_bytes(), do not process more than three consecutive TLS > records, otherwise a peer can potentially cause us to loop indefinately. > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose > when they want to handle further processing for this connection. 
> ok beck@ miod@ (jsing@) ~ src/ssl/s3_pkt.c TAGGED OPENBSD_6_0 > MFC: In ssl3_read_bytes(), do not process more than three consecutive TLS > records, otherwise a peer can potentially cause us to loop indefinately. > Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose > when they want to handle further processing for this connection. > ok beck@ miod@ (jsing@) ~ s3_clnt.c TAGGED OPENBSD_6_0 > Convert ssl3_get_server_kex_dhe() to CBS. > ok beck@ (jsing@) ~ ssl_asn1.c TAGGED OPENBSD_6_0 > Completely rewrite the session handling ASN.1 code using CBB and CBS. This > addresses two 2038 related issues and also adds support for allocation in > the i2d function, which will allow for simplification in the callers. > ok beck@ miod@ (jsing@) ~ ssl.h TAGGED OPENBSD_6_0 > Fix some linewrapping glitches > ok jsing@ (guenther@) ~ ssl_locl.h ~ d1_pkt.c TAGGED OPENBSD_6_0 > Make do_dtls1_write() static to d1_pkt.c and delete declarations for > three functions that were removed a while ago > ok jsing@ (guenther@) ~ shlib_version TAGGED OPENBSD_6_0 > make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden > functions.. document with a man page. > bump majors on libtls, libssl, libcrypto > ok jsing@ guenther@ (beck@) ~ Makefile ~ bytestring.h ~ pqueue.h ~ ssl_locl.h + Symbols.list TAGGED OPENBSD_6_0 > Add an explict list of exported symbols with just the functions > declared in the public headers, and use __{BEGIN,END}_HIDDEN_DECLS > in the internal headers to optimize internal functions > ok jsing@ (guenther@) ~ d1_clnt.c ~ d1_meth.c ~ d1_srvr.c ~ t1_clnt.c ~ t1_meth.c ~ t1_srvr.c TAGGED OPENBSD_6_0 > The *_method_data structures can be static > ok jsing@ (guenther@) ~ d1_lib.c ~ s23_srvr.c TAGGED OPENBSD_6_0 > Mark a couple local functions as static > ok jsing@ beck@ (guenther@) ~ s3_clnt.c TAGGED OPENBSD_6_0 > Tidy up the usage of peer_ecdh_tmp, following the fixed ECDH removal. 
   > ok beck@ (jsing@)
 ~ d1_clnt.c
 ~ s3_clnt.c
 ~ ssl_locl.h
   TAGGED OPENBSD_6_0
   > Rename ssl3_get_key_exchange() to ssl3_get_server_key_exchange(), since
   > that's what it really is.
   > ok miod@ (jsing@)
 ~ Makefile
   TAGGED OPENBSD_6_0
   > Remove generated Symbols.map on make clean.
   > ok guenther@ (jsing@)
 ~ s3_clnt.c
 ~ ssl_locl.h
 ~ t1_lib.c
   TAGGED OPENBSD_6_0
   > Convert ssl3_get_server_kex_ecdhe() to CBS, simplifying tls1_check_curve()
   > in the process. This also fixes a long standing bug where
   > tls1_ec_curve_id2nid() is called with only one byte of the curve ID.
   > ok beck@ miod@ (jsing@)
 - man/Makefile
 ~ Makefile
 + doc/Makefile
   TAGGED OPENBSD_6_0
   > after getting rid of the pod files, clean up the Makefiles; ok bcook@
   > (schwarze@)
 ~ shlib_version
   TAGGED OPENBSD_6_0
   > bump minors for symbol addition for ocsp and x25519 symbol additions
   > (beck@)
 - doc/BIO_f_ssl.3
 - doc/Makefile
 - doc/SSL_CIPHER_get_name.3
 - doc/SSL_COMP_add_compression_method.3
 - doc/SSL_CTX_add_extra_chain_cert.3
 - doc/SSL_CTX_add_session.3
 - doc/SSL_CTX_ctrl.3
 - doc/SSL_CTX_flush_sessions.3
 - doc/SSL_CTX_free.3
 - doc/SSL_CTX_get_ex_new_index.3
 - doc/SSL_CTX_get_verify_mode.3
 - doc/SSL_CTX_load_verify_locations.3
 - doc/SSL_CTX_new.3
 - doc/SSL_CTX_sess_number.3
 - doc/SSL_CTX_sess_set_cache_size.3
 - doc/SSL_CTX_sess_set_get_cb.3
 - doc/SSL_CTX_sessions.3
 - doc/SSL_CTX_set_cert_store.3
 - doc/SSL_CTX_set_cert_verify_callback.3
 - doc/SSL_CTX_set_cipher_list.3
 - doc/SSL_CTX_set_client_CA_list.3
 - doc/SSL_CTX_set_client_cert_cb.3
 - doc/SSL_CTX_set_default_passwd_cb.3
 - doc/SSL_CTX_set_generate_session_id.3
 - doc/SSL_CTX_set_info_callback.3
 - doc/SSL_CTX_set_max_cert_list.3
 - doc/SSL_CTX_set_mode.3
 - doc/SSL_CTX_set_msg_callback.3
 - doc/SSL_CTX_set_options.3
 - doc/SSL_CTX_set_psk_client_callback.3
 - doc/SSL_CTX_set_quiet_shutdown.3
 - doc/SSL_CTX_set_session_cache_mode.3
 - doc/SSL_CTX_set_session_id_context.3
 - doc/SSL_CTX_set_ssl_version.3
 - doc/SSL_CTX_set_timeout.3
 - doc/SSL_CTX_set_tmp_dh_callback.3
 - doc/SSL_CTX_set_tmp_rsa_callback.3
 - doc/SSL_CTX_set_verify.3
 - doc/SSL_CTX_use_certificate.3
 - doc/SSL_CTX_use_psk_identity_hint.3
 - doc/SSL_SESSION_free.3
 - doc/SSL_SESSION_get_ex_new_index.3
 - doc/SSL_SESSION_get_time.3
 - doc/SSL_accept.3
 - doc/SSL_alert_type_string.3
 - doc/SSL_clear.3
 - doc/SSL_connect.3
 - doc/SSL_do_handshake.3
 - doc/SSL_free.3
 - doc/SSL_get_SSL_CTX.3
 - doc/SSL_get_ciphers.3
 - doc/SSL_get_client_CA_list.3
 - doc/SSL_get_current_cipher.3
 - doc/SSL_get_default_timeout.3
 - doc/SSL_get_error.3
 - doc/SSL_get_ex_data_X509_STORE_CTX_idx.3
 - doc/SSL_get_ex_new_index.3
 - doc/SSL_get_fd.3
 - doc/SSL_get_peer_cert_chain.3
 - doc/SSL_get_peer_certificate.3
 - doc/SSL_get_psk_identity.3
 - doc/SSL_get_rbio.3
 - doc/SSL_get_session.3
 - doc/SSL_get_verify_result.3
 - doc/SSL_get_version.3
 - doc/SSL_library_init.3
 - doc/SSL_load_client_CA_file.3
 - doc/SSL_new.3
 - doc/SSL_pending.3
 - doc/SSL_read.3
 - doc/SSL_rstate_string.3
 - doc/SSL_session_reused.3
 - doc/SSL_set_bio.3
 - doc/SSL_set_connect_state.3
 - doc/SSL_set_fd.3
 - doc/SSL_set_session.3
 - doc/SSL_set_shutdown.3
 - doc/SSL_set_verify_result.3
 - doc/SSL_shutdown.3
 - doc/SSL_state_string.3
 - doc/SSL_want.3
 - doc/SSL_write.3
 - doc/d2i_SSL_SESSION.3
 - doc/ssl.3
 ~ Makefile
 + man/BIO_f_ssl.3
 + man/Makefile
 + man/SSL_CIPHER_get_name.3
 + man/SSL_COMP_add_compression_method.3
 + man/SSL_CTX_add_extra_chain_cert.3
 + man/SSL_CTX_add_session.3
 + man/SSL_CTX_ctrl.3
 + man/SSL_CTX_flush_sessions.3
 + man/SSL_CTX_free.3
 + man/SSL_CTX_get_ex_new_index.3
 + man/SSL_CTX_get_verify_mode.3
 + man/SSL_CTX_load_verify_locations.3
 + man/SSL_CTX_new.3
 + man/SSL_CTX_sess_number.3
 + man/SSL_CTX_sess_set_cache_size.3
 + man/SSL_CTX_sess_set_get_cb.3
 + man/SSL_CTX_sessions.3
 + man/SSL_CTX_set_cert_store.3
 + man/SSL_CTX_set_cert_verify_callback.3
 + man/SSL_CTX_set_cipher_list.3
 + man/SSL_CTX_set_client_CA_list.3
 + man/SSL_CTX_set_client_cert_cb.3
 + man/SSL_CTX_set_default_passwd_cb.3
 + man/SSL_CTX_set_generate_session_id.3
 + man/SSL_CTX_set_info_callback.3
 + man/SSL_CTX_set_max_cert_list.3
 + man/SSL_CTX_set_mode.3
 + man/SSL_CTX_set_msg_callback.3
 + man/SSL_CTX_set_options.3
 + man/SSL_CTX_set_psk_client_callback.3
 + man/SSL_CTX_set_quiet_shutdown.3
 + man/SSL_CTX_set_session_cache_mode.3
 + man/SSL_CTX_set_session_id_context.3
 + man/SSL_CTX_set_ssl_version.3
 + man/SSL_CTX_set_timeout.3
 + man/SSL_CTX_set_tmp_dh_callback.3
 + man/SSL_CTX_set_tmp_rsa_callback.3
 + man/SSL_CTX_set_verify.3
 + man/SSL_CTX_use_certificate.3
 + man/SSL_CTX_use_psk_identity_hint.3
 + man/SSL_SESSION_free.3
 + man/SSL_SESSION_get_ex_new_index.3
 + man/SSL_SESSION_get_time.3
 + man/SSL_accept.3
 + man/SSL_alert_type_string.3
 + man/SSL_clear.3
 + man/SSL_connect.3
 + man/SSL_do_handshake.3
 + man/SSL_free.3
 + man/SSL_get_SSL_CTX.3
 + man/SSL_get_ciphers.3
 + man/SSL_get_client_CA_list.3
 + man/SSL_get_current_cipher.3
 + man/SSL_get_default_timeout.3
 + man/SSL_get_error.3
 + man/SSL_get_ex_data_X509_STORE_CTX_idx.3
 + man/SSL_get_ex_new_index.3
 + man/SSL_get_fd.3
 + man/SSL_get_peer_cert_chain.3
 + man/SSL_get_peer_certificate.3
 + man/SSL_get_psk_identity.3
 + man/SSL_get_rbio.3
 + man/SSL_get_session.3
 + man/SSL_get_verify_result.3
 + man/SSL_get_version.3
 + man/SSL_library_init.3
 + man/SSL_load_client_CA_file.3
 + man/SSL_new.3
 + man/SSL_pending.3
 + man/SSL_read.3
 + man/SSL_rstate_string.3
 + man/SSL_session_reused.3
 + man/SSL_set_bio.3
 + man/SSL_set_connect_state.3
 + man/SSL_set_fd.3
 + man/SSL_set_session.3
 + man/SSL_set_shutdown.3
 + man/SSL_set_verify_result.3
 + man/SSL_shutdown.3
 + man/SSL_state_string.3
 + man/SSL_want.3
 + man/SSL_write.3
 + man/d2i_SSL_SESSION.3
 + man/ssl.3
   TAGGED OPENBSD_6_0
   > move manual pages from doc/ to man/ for consistency with other
   > libraries, in particular considering that there are unrelated
   > files in doc/; requested by jsing@ and beck@ (schwarze@)
 ~ s3_srvr.c
   TAGGED OPENBSD_6_0
   > Do a partial CBB conversion of ssl3_send_server_key_exchange(), which will
   > make it easier to do further clean up.
   > ok beck@ miod@ (jsing@)
 ~ ssl_asn1.c
   TAGGED OPENBSD_6_0
   > One of the error paths would attempt to access not-yet-initialized locals.
   > Simply return since there is nothing more to do.
   > Spotted by coverity. ok jsing@ beck@ (miod@)
 ~ s3_clnt.c
   TAGGED OPENBSD_6_0
   > remove unused variable (bcook@)
 ~ s3_lib.c
 ~ ssl_ciph.c
   TAGGED OPENBSD_6_0
   > unifdef -m -UOPENSSL_NO_CHACHA -UOPENSSL_NO_POLY1305
   > ok beck@ (jsing@)
 ~ s3_lib.c
 ~ ssl_algs.c
 ~ ssl_ciph.c
   TAGGED OPENBSD_6_0
   > Remove the single IDEA cipher suite. There is no good reason to support
   > this.
   > ok beck@ bcook@ (jsing@)
 ~ s3_lib.c
   TAGGED OPENBSD_6_0
   > Adjust cipher suite strengths - move MD5 to LOW, RC4 to LOW and 3DES to
   > MEDIUM.
   > ok beck@ bcook@ (jsing@)
 ~ s3_srvr.c
   TAGGED OPENBSD_6_0
   > Split out the DHE and ECDHE code paths from
   > ssl3_send_server_key_exchange().
   > ok beck@ bcook@ (jsing@)
 ~ s3_srvr.c
   TAGGED OPENBSD_6_0
   > Remove pointless check - without fixed ECDH, there is only one way to reach
   > this code path.
   > ok beck@ bcook@ (jsing@)
 ~ s3_srvr.c
   TAGGED OPENBSD_6_0
   > Split ssl3_get_client_key_exchange() into separate per algorithm functions.
   > ok beck@ (jsing@)
 ~ s3_cbc.c
 ~ ssl_locl.h
 ~ t1_enc.c
   TAGGED OPENBSD_6_0
   > Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
   > From Markus Uhlin <markus.uhlin at bredband dot net>
   > ok beck@ bcook@ (jsing@)

libtls

 ~ Makefile
 ~ tls.c
 ~ tls.h
 ~ tls_client.c
 ~ tls_init.3
 ~ tls_internal.h
 + tls_ocsp.c
   > Add OCSP client side support to libtls.
   > - Provide access to certificate OCSP URL
   > - Provide ability to check a raw OCSP reply against an
   >   established TLS ctx
   > - Check and validate OCSP stapling info in the TLS handshake
   >   if a stapled OCSP response is provided.
   > Add example code to show OCSP URL and stapled info
   > into netcat.
   > ok jsing@ (beck@)
 ~ shlib_version
   > bump minor for ocsp api additions (beck@)
 ~ tls_init.3
   > tweak previous; (jmc@)
 ~ tls_ocsp.c
   > Ensure handshake is complete before processing an ocsp response for a ctx
   > ok jsing@ (beck@)
 ~ tls_ocsp.c
   > fix shadow declaration of time in parameter list.
   > ok jsing@ (beck@)
 ~ tls_init.3
   > bit more cleanup; (jmc@)
 ~ tls_ocsp.c
   > Fix handshake failures:
   > split out internals of OCSP verification to allow callback
   > to verify before TLS handshake is complete (beck@)
 ~ tls.c
 ~ tls_internal.h
   > Only set an error from libssl related code, if an error has not already
   > been set by libtls code. This avoids the situation where a libtls callback
   > has set an error, only to have it replaced by a less useful libssl based
   > error.
   > ok beck@ (jsing@)
 ~ tls_init.3
 ~ tls_ocsp.c
   > Don't do OCSP validation when we have disabled certificate verification
   > or certificate validation.
   > ok jsing@ (beck@)
 ~ tls.h
 ~ tls_config.c
 ~ tls_init.3
 ~ tls_internal.h
 ~ tls_ocsp.c
   > Add ocsp_require_stapling config option for tls - allows a connection
   > to indicate that it requires the peer to provide a stapled OCSP response
   > with the handshake. Provide a "-T muststaple" for nc that uses it.
   > ok jsing@, guenther@ (beck@)
 ~ shlib_version
   > bump minor for ocsp_require_stapling addition (beck@)
 ~ tls_bio_cb.c
   > There's not much point in casting a void * to a specific type just before
   > calling free().
   > ok beck@ ingo@ (jsing@)
 ~ tls_bio_cb.c
   > Rename the internal bio related functions so that they have a common
   > prefix. Makes the code more readable and removes shadowing. (jsing@)
 ~ tls_bio_cb.c
   > Do not mix declarations and code. (jsing@)
 ~ tls_bio_cb.c
   > There's not much point having three static functions that do a cast and
   > assign a pointer, when we can just inline the three and do one cast
   > followed by three pointer assignments. (jsing@)
 ~ tls_verify.c
   > Avoid signed vs unsigned comparisons.
   > ok miod@ (jsing@)
 ~ tls_bio_cb.c
   > Use a consistent name for a BIO *, rather than having four different names
   > in the same file. (jsing@)
 ~ tls_bio_cb.c
   > Do not cast a pointer to a struct, to a char * when assigning to a void *.
   > (jsing@)
 ~ tls_bio_cb.c
   > Rename struct bio_cb_st to struct bio_cb. (jsing@)
 ~ tls_bio_cb.c
   > Use a consistent name for struct bio_cb * variables. (jsing@)
 ~ tls_bio_cb.c
   > Assign and test, as is consistent with the rest of the libtls code.
   > (jsing@)
 ~ tls_util.c
   > Address some signed vs unsigned warnings and check that an integer value
   > is positive before passing it to several functions as a size_t.
   > Additionally, in tls_load_file() there is not much point using calloc(),
   > when we're immediately reading into the buffer (having an extra byte for
   > NUL termination seems pointless given the API).
   > ok beck@ miod@ (jsing@)
 ~ shlib_version
 ~ tls_conninfo.c
 ~ tls_internal.h
 ~ tls_ocsp.c
   > make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hidden
   > functions. document with a man page.
   > bump majors on libtls, libssl, libcrypto
   > ok jsing@ guenther@ (beck@)
 ~ Makefile
 ~ tls_internal.h
 + Symbols.list
   > Add an explicit list of exported symbols with just the functions declared
   > in <tls.h>, and use __{BEGIN,END}_HIDDEN_DECLS in tls_internal.h to
   > optimize internal functions
   > ok jsing@ (guenther@)
 ~ tls_config.c
   > Avoid another signed vs unsigned comparison.
   > ok miod@ (jsing@)
 ~ tls_config.c
   > Make the tls_keypair_new() function a valid prototype. (jsing@)
 ~ tls_server.c
   > Avoid shadowing the socket global.
   > ok miod@ (jsing@)
 ~ Makefile
   > Build with WARNINGS=Yes. (jsing@)
 ~ Makefile
   > Remove generated Symbols.map on make clean.
   > ok guenther@ (jsing@)
 ~ tls.c
 ~ tls_internal.h
 ~ tls_ocsp.c
   > rename ocsp_ctx to ocsp
   > ok jsing@ (beck@)
 ~ Symbols.list
 ~ tls.h
 ~ tls_config.c
 ~ tls_init.3
 ~ tls_internal.h
 ~ tls_ocsp.c
 ~ tls_server.c
   > Add support for server side OCSP stapling to libtls.
   > Add support for server side OCSP stapling to netcat. (beck@)
 ~ shlib_version
   > bump minors for symbol addition for ocsp and x25519 symbol additions
   > (beck@)
 ~ tls_init.3
   > tweak previous; (jmc@)
 ~ tls_init.3
   > fix misplaced quote by tls_peer_ocsp_this_update (bcook@)
 ~ tls_server.c
   > Set the callback on the correct ssl_ctx for the SNI case, instead of
   > the master only.
   > ok jsing@ (beck@)

== libexec =========================================================== 05/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

ld.so

 ~ malloc.c
   > sync to libc: malloc_move is not an option anymore (otto@)
 ~ malloc.c
   > small tweak to also check canaries if F is in effect (otto@)

== regress =========================================================== 06/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

lib

 ~ libssl/bytestring/Makefile
 ~ libssl/unit/Makefile
 ~ libtls/verify/Makefile
 + libssl/Makefile.inc
   > Some tests require internal symbols; have them link with the static
   > libssl or libtls so they can continue to see them after the shared
   > library namespace is cleaned up
   > ok jsing@ (guenther@)
 - libcrypto/pqueue/Makefile
 - libcrypto/pqueue/expected.txt
 - libcrypto/pqueue/pq_test.c
 ~ libcrypto/Makefile
 ~ libssl/Makefile
 + libssl/pqueue/Makefile
 + libssl/pqueue/expected.txt
 + libssl/pqueue/pq_test.c
   > Move pqueue regress from libcrypto to libssl, since that's where the pqueue
   > code now lives. Also unbreak the regress following the symbol hiding
   > changes in libssl. (jsing@)
 ~ libcrypto/ocsp/Makefile
   > Set PROG so that the binary correctly gets recompiled when the libraries
   > it is linked against change.
   > ok beck@ jsing@ (miod@)
 ~ libcrypto/Makefile
 + libcrypto/curve25519/Makefile
 + libcrypto/curve25519/x25519test.c
   > Add regress for X25519, converted from BoringSSL. (jsing@)
 ~ libssl/client/clienttest.c
   > Update regress for IDEA cipher suite removal.
   > (jsing@)

sys

 ~ net/vxlan/Makefile
 ~ net/vxlan/vxlan_subr
 + net/vxlan/vxlan_2.sh
   > Add regress tests for multicasts and dynamic vxlans (vgross@)

usr.bin

 ~ make/Makefile
   > fix a few suspicious (according to emacs) lines (jasper@)
 ~ make/Makefile
   > MALLOC_OPTION 'A' no longer exists. (tb@)
 ~ ssh/Makefile
 ~ ssh/connect-privsep.sh
 ~ ssh/unittests/bitmap/Makefile
 ~ ssh/unittests/hostkeys/Makefile
 ~ ssh/unittests/kex/Makefile
 ~ ssh/unittests/match/Makefile
 ~ ssh/unittests/sshbuf/Makefile
 ~ ssh/unittests/sshkey/Makefile
 ~ ssh/unittests/utf8/Makefile
   > Remove the obsolete A and P flags from MALLOC_OPTIONS.
   > ok dtucker (tb@)
 ~ m4/Makefile
   > MALLOC_OPTIONS=A no longer exists. (tb@)
 ~ ssh/Makefile
 ~ ssh/connect-privsep.sh
 ~ ssh/unittests/Makefile.inc
 ~ ssh/unittests/bitmap/Makefile
 ~ ssh/unittests/hostkeys/Makefile
 ~ ssh/unittests/kex/Makefile
 ~ ssh/unittests/match/Makefile
 ~ ssh/unittests/sshbuf/Makefile
 ~ ssh/unittests/sshkey/Makefile
 ~ ssh/unittests/utf8/Makefile
   > Clean up MALLOC_OPTIONS. For the unittests, move MALLOC_OPTIONS and
   > TEST_ENV to unittests/Makefile.inc.
   > ok otto (tb@)
 + mandoc/db/mlinks/Makefile
 + mandoc/db/mlinks/mlinks.1
 + mandoc/db/mlinks/mlinks.c
   > a new utility for bcook@: find mlinks for portable LibreSSL (schwarze@)
 ~ mandoc/db/mlinks/mlinks.1
   > add EXAMPLES and tweak some wording (schwarze@)
 ~ mandoc/db/mlinks/mlinks.1
   > update example directory (bcook@)
 ~ mandoc/db/mlinks/mlinks.c
   > don't skip names that match the beginning of the file name;
   > joint work with bcook@ (schwarze@)
 ~ mandoc/db/mlinks/mlinks.c
   > fix previous; looks good to bcook@ (schwarze@)
 ~ openssl/Makefile
 ~ openssl/README
 + openssl/appstest.sh
   > Add regress test script for openssl command.
   > ok beck@ (inoguchi@)

== share ============================================================= 07/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

 ~ man5/malloc.conf.5
   > P is not settable anymore (otto@)
 ~ man8/release.8
   > Update to reflect the changes necessary for noperm releases.
   > Trim some more fat and avoid introducing unnecessary variables.
   > with & ok tj, ok deraadt, prodded by robert (tb@)
 ~ man4/hyperv.4
   > Document the KVP interface (mikeb@)
 ~ man7/hier.7
   > Re-add the Xr macro to syspatch now that it's hooked up. (ajacoutot@)
 ~ man5/bsd.port.mk.5
   > Add a proper annotation for portroach documentation link
   > OK schwarze@ (danj@)

== sys =============================================================== 08/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/alpha/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/amd64/amd64

 ~ lapic.c
   > Use x2APIC if it is enabled by BIOS. It is expected that this doesn't
   > change the behavior on the system whose x2apic is disabled by BIOS.
   > ok sf (yasuoka@)

arch/amd64/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/amd64/stand

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/armv7/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/armv7/stand/efiboot

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/hppa/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/hppa/stand

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/i386/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/i386/stand

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/landisk/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/landisk/stand

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/loongson/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/loongson/conf

 ~ files.loongson
   > Add interrupt handling routines for Loongson 3A.
   > Feedback from miod@ (visa@)

arch/loongson/dev

 ~ bonitoreg.h
   > Move the definition of REGVAL into a common header to make it usable
   > outside bonito(4).
   > ok miod@ (visa@)

arch/loongson/include

 ~ autoconf.h
   > Move the definition of REGVAL into a common header to make it usable
   > outside bonito(4).
   > ok miod@ (visa@)
 ~ intr.h
 + loongson3.h
   > Add interrupt handling routines for Loongson 3A.
   > Feedback from miod@ (visa@)

arch/loongson/loongson

 + loongson3_intr.c
   > Add interrupt handling routines for Loongson 3A.
   > Feedback from miod@ (visa@)

arch/loongson/stand/boot

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/loongson/stand/libsa

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/luna88k/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/luna88k/stand/boot

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/macppc/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/macppc/stand

 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/mips64/include

 + loongson3.h
   > Add interrupt handling routines for Loongson 3A.
   > Feedback from miod@ (visa@)

arch/octeon/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/octeon/dev

 ~ if_cnmac.c
   > Make it possible to change the link layer address of a cnmac(4) interface.
   > Asked by and ok stsp@, ok jasper@ (visa@)
 ~ if_cnmac.c
   > Do not show a device unit number in the cnmac interrupt name. The same
   > interrupt drives all the cnmac ports.
   > ok stsp@ (visa@)
 ~ if_cnmac.c
   > Drop unnecessary #ifdef MBUF_TIMESTAMP. (visa@)

arch/octeon/stand/boot

 ~ Makefile
   > when CONSPEED moved from libsa.h to Makefile it lost a leading '1',
   > reinstate the original of 115200
   > spotted by brad (jasper@)
 ~ Makefile.inc
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/octeon/stand/libsa

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sgi/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/sgi/stand/boot

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sgi/stand/libsa

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/socppc/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/socppc/stand/boot

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/compile

 ~ Makefile.inc
   > Two tweaks for compile/Makefile.inc:
   > 1) Replace '.elif !exists(${OBJDIR}/Makefile)' with just '.else'. espie
   > pointed out that if the file existed, make wouldn't be reading this
   > file, so the check is superfluous. Less clutter.
   > 2) Unconditionally define the 'clean' and 'cleandir' targets, also when
   > obj doesn't exist. This changes the behaviour of 'make clean' to be
   > successful (doing nothing) without obj@ or obj/.
   > ok tb millert deraadt (natano@)

arch/sparc64/stand/bootblk

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/stand/libsa

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

arch/sparc64/stand/ofwboot

 ~ Makefile
   > Do not create machine@ symlinks in obj as root during includes:, but
   > defer their creation to later, so that they are owned by BUILDUSER.
   > This eliminates the last root-owned files in obj/ from 'make build'.
   > In addition, place a MACHINE == hppa test in hppa/stand/Makefile.inc
   > to avoid creating bogus symlinks on all other archs.
   > joint work with & ok natano, "let's try it" deraadt (tb@)

dev/pci

 ~ if_myx.c
   > revert 1.97 where I moved myx to using the system pools
   > my early revision board doesn't like it at all (dlg@)
 ~ if_myx.c
 ~ if_myxreg.h
   > turns out these chips can handle buffers up to 9400 bytes in length.
   > raise the mtu to 9380 bytes so we can take advantage of the extra space.
   > I need to revisit the macro names at some point. (dlg@)
 ~ if_iwm.c
   > Reset the ucode interrupt flag in the softc before loading iwm(4) 8k
   > firmware.
   > Makes firmware load work reliably without the horrid tsleep() workaround
   > hack.
   > Patch by Imre Vadasz (stsp@)
 ~ mpii.c
   > don't issue sas config page requests against raid targets.
   > doing requests like that causes lockups on boot.
   > reported by and this fix tested by simon mages (dlg@)

dev/pv

 ~ hyperv.c
   > Fixup a wait channel used during VMBus channel discovery
   > Clang static analyser has found that a tsleep was using an uninitialised
   > pointer value as a wait channel. An associated wakeup wasn't doing the
   > right thing either. (mikeb@)
 ~ hyperv.c
   > Inline the macro that is used only once (mikeb@)
 ~ hypervreg.h
   > Add Windows 10 VMBus protocol version (mikeb@)
 ~ hypervic.c
   > Let Integrated Components allocate the receive buffer themselves
   > since they have a better clue how to size it.
   > While here, cleanup the kernel output a bit.
   > (mikeb@)
 ~ hypervic.c
 ~ hypervicreg.h
   > Implement a Key-Value Pair exchange interface
   > The implemented abstraction allows us to query and set little
   > endian UTF-16 keys exchanged between the Host and the Guest via
   > a text based pvbus(4) interface.
   > All keys are attached to one of several key pools: Auto, Guest,
   > External or Guest/Parameters. The hostctl(8) is able to modify
   > values for keys in the Auto pool as well as set new keys in the
   > Guest pool while the Host provides its keys in External and
   > Guest/Parameters pools.
   > Discussed with reyk@ (mikeb@)
 ~ hyperv.c
   > Identify as an OSPlatformID 131 with a kernel version of 6 (mikeb@)
 ~ hypervic.c
   > Add locks to key-value pair pools
   > We need to ensure list and data consistency during concurrent
   > accesses since the interrupt handler is not executed under the
   > kernel lock and may add or modify entries while a userland process
   > is reading the value or traversing the list. (mikeb@)
 ~ hypervic.c
 ~ hypervicreg.h
   > Support for key removal and value update operations
   > This change makes it possible for the Host to update the value
   > of an existing key via a Set operation as well as to remove the
   > key completely with a Delete message. (mikeb@)

dev/usb

 ~ if_atu.c
 ~ if_cue.c
 ~ if_mos.c
 ~ if_otus.c
 ~ if_ral.c
 ~ if_uath.c
 ~ if_upgt.c
 ~ if_upl.c
 ~ if_url.c
 ~ uberry.c
 ~ udl.c
 ~ udsbr.c
 ~ uipaq.c
 ~ uow.c
 ~ usps.c
   > Avoid calling usbd_set_config_no() in *_attach() and let the stack do
   > it instead.
   > If anything bad happens due to a malformed descriptor it makes no sense
   > to try to attach a driver, and bail before probing.
   > This is similar to the change to avoid calling usbd_set_config_index().
   > (mpi@)

kern

 ~ subr_pool.c
   > add per cpu caches for free pool items.
   > this is modelled on what's described in the "Magazines and Vmem:
   > Extending the Slab Allocator to Many CPUs and Arbitrary Resources"
   > paper by Jeff Bonwick and Jonathan Adams.
   > the main semantic borrowed from the paper is the use of two lists
   > of free pool items on each cpu, and only moving one of the lists
   > in and out of a global depot of free lists to mitigate against a
   > cpu thrashing against that global depot.
   > unlike slabs, pools do not maintain or cache constructed items,
   > which allows us to use the items themselves to build the free list
   > rather than having to allocate arrays to point at constructed pool
   > items.
   > the per cpu caches are built on top of the cpumem api.
   > this has been kicked a bit by hrvoje popovski and simon mages (thank you).
   > I'm putting it in now so it is easier to work on and test.
   > ok jmatthew@ (dlg@)
 ~ subr_pool.c
   > use a TAILQ to maintain the list of item lists used by the percpu code.
   > it makes it more readable, and fixes a bug in pool_list_put where it
   > was returning the next item in the current list rather than the next
   > list to be freed. (dlg@)
 ~ subr_pool.c
   > add poisoning of items on the per cpu caches.
   > it copies the existing pool code, except it works on pool_list
   > structures instead of pool_item structures.
   > after this I'd like to poison the words used by the TAILQ_ENTRY in
   > the pool_list struct that aren't used until a list of items is moved
   > into the global depot. (dlg@)
 ~ subr_pool.c
   > poison the TAILQ_ENTRY in items in the per cpu pool cache. (dlg@)

net

 ~ bpf.h
   > add __BEGIN_DECLS/__END_DECLS to the public userland side of net/bpf.h,
   > so c++ programs can use them.
   > OK jca@ (phessler@)
 ~ switchofp.c
   > Change validation functions prototypes: use the parameter variable to
   > return the error code and the return value to signal if the validation
   > was successful or not. With this we can signal some errors in the spec
   > that uses the value 0 (zero).
   > ok reyk@ (rzalamena@)
 ~ switchofp.c
   > Improve ofp_error message accurateness: use parameterized error type
   > instead of hardcoding it.
> With this we can change the error type to
> something else and get a more accurate description of what happened.
> ok reyk@
(rzalamena@)

~ netisr.h
> The networking code no longer runs off software interrupts.
(mpi@)

~ switchofp.c
> Always call if_put() during the interface iteration on port status
> multipart reply to avoid reference leaks.
> ok mikeb@
(rzalamena@)

~ switchofp.c
> Fix debug message to print the presence of more flag correctly.
> ok mikeb@
(rzalamena@)

netinet
~ udp_usrreq.c
> Remove obsolete vxlan_lookup return value handling
> With input from reyk@, OK mpi
(mikeb@)

sys
~ pool.h
> add per cpu caches for free pool items.
> this is modelled on what's described in the "Magazines and Vmem:
> Extending the Slab Allocator to Many CPUs and Arbitrary Resources"
> paper by Jeff Bonwick and Jonathan Adams.
> the main semantic borrowed from the paper is the use of two lists
> of free pool items on each cpu, and only moving one of the lists
> in and out of a global depot of free lists to mitigate against a
> cpu thrashing against that global depot.
> unlike slabs, pools do not maintain or cache constructed items,
> which allows us to use the items themselves to build the free list
> rather than having to allocate arrays to point at constructed pool
> items.
> the per cpu caches are built on top of the cpumem api.
> this has been kicked a bit by hrvoje popovski and simon mages (thank you).
> i'm putting it in now so it is easier to work on and test.
> ok jmatthew@
(dlg@)

~ pool.h
> use a TAILQ to maintain the list of item lists used by the percpu code.
> it makes it more readable, and fixes a bug in pool_list_put where it
> was returning the next item in the current list rather than the next
> list to be freed.
(dlg@)

~ pool.h
> poison the TAILQ_ENTRY in items in the per cpu pool cache.
(dlg@)

== usr.bin =========================================================== 09/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

at
~ at.c
> Delete setlocale(LC_TIME, "").
> The only place where this could potentially get used was the
> strftime(3) for fprintf(3) "job %s at %s\n" to stderr. We don't
> want base system utilities to talk to users in foreign languages.
> No functional change on OpenBSD which doesn't provide any non-standard
> LC_TIME locale anyway.
> Patch from Jan Stary <hans at stare dot cz>.
> In main(), exit -> return while here.
> OK millert@
(schwarze@)

cvs
~ status.c
> Don't use ce_time if we are running as a server, it won't be present.
(joris@)

ftp
~ main.c
> Bump ftp(1)'s cipher default from "all" to "legacy" - this really should
> be "compat", but that will require further testing.
> ok beck@
(jsing@)

libtool
~ LT/Mode/Link.pm
> Also ignore --no-undefined (we already ignore -no-undefined) which is
> starting to show up more and more.
> ok jasper@
(ajacoutot@)

nc
~ netcat.c
> Add OCSP client side support to libtls.
> - Provide access to certificate OCSP URL
> - Provide ability to check a raw OCSP reply against an
>   established TLS ctx
> - Check and validate OCSP stapling info in the TLS handshake
>   if a stapled OCSP response is provided.
> Add example code to show OCSP URL and stapled info
> into netcat.
> ok jsing@
(beck@)

~ netcat.c
> Make OCSP Stapling: only appear if there is stapling info present.
(beck@)

~ netcat.c
> make OCSP_URL only show up when an OCSP url is actually present in the cert
(beck@)

~ nc.1
~ netcat.c
> Add ocsp_require_stapling config option for tls - allows a connection
> to indicate that it requires the peer to provide a stapled OCSP response
> with the handshake. Provide a "-T muststaple" for nc that uses it.
> ok jsing@, guenther@
(beck@)

~ nc.1
> new sentence, new line, and zap trailing whitespace;
(jmc@)

~ nc.1
~ netcat.c
> Add support for server side OCSP stapling to libtls.
> Add support for server side OCSP stapling to netcat.
(beck@)

~ nc.1
~ netcat.c
> zap trailing whitespace, and add -o to usage() and help (-h);
(jmc@)

~ nc.1
~ netcat.c
> rename tlslegacy to tlsall, and better describe what it does.
> ok jsing@
(beck@)

~ nc.1
> tweak previous;
(jmc@)

ssh
~ auth.c
~ match.c
~ servconf.c
> Validate address ranges for AllowUser/DenyUsers at configuration load
> time and refuse to accept bad ones. It was previously possible to
> specify invalid CIDR address ranges (e.g. [email protected]/55) and these
> would always match.
> Thanks to Laurence Parry for a detailed bug report. ok markus (for
> a previous diff version)
(djm@)

tmux
~ alerts.c
> Clear window alert flags after setting winlink alert flags, fixes problem
> reported by Tommy Allen.
(nicm@)

~ cmd.c
> Make an empty state on error rather than leaving something partially
> created (which is now a fatal() later).
(nicm@)

~ tmux.h
> enum values need to fit in 32 bits; we only use enum for numbering and
> Unicode characters fit in 24 bits, so we can leave key_code as 64 bits
> and change KEYC_BASE down to 0x10000000.
(nicm@)

~ cmd-set-option.c
> Do not try to set the CHANGED flag on windows with no active pane, fixes
> problem reported by Nelo-T Wallus.
(nicm@)

units
~ units.lib
> update currency exchange rates;
(jmc@)

vi
~ build/recover
> Remove syscall.ph from vi.recover
> since perl-5.10 chdir supports fchdir
> ok guenther@
(afresh1@)

== usr.sbin ========================================================== 10/10 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

usr.sbin
~ Makefile
> Hook up syspatch(8).
> expectations elevation encouragement from deraadt@
(ajacoutot@)

acme-client
~ http.c
> Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher
> suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher
> suite - given who we're talking to one would hope that they meet these
> requirements...
> ok benno@ deraadt@ florian@
(jsing@)

bgpd
~ bgpd.conf.5
> large-community needs to have an argument
(phessler@)

httpd
~ config.c
~ httpd.conf.5
~ httpd.h
~ parse.y
~ server.c
> Add OCSP stapling support to httpd
> ok jsing@ bcook@
(beck@)

~ httpd.conf.5
> tweak previous;
(jmc@)

~ parse.y
> since ocsp stapling is optional, make sure we guard if we do not have it.
> ok jsing@
(beck@)

~ server.c
> conditionalize ocsp load properly
> ok jsing@
(beck@)

makefs
~ ffs.c
~ ffs.h
> Remove unused fields from ffs_opt_t.
(natano@)

switchd
~ ofp.c
~ ofp13.c
~ ofp_common.c
~ switchd.h
> Move ofp_output() into ofp_common.c and a few function prototypes into
> switchd.h. No functional change.
(reyk@)

~ ofp13.c
> Empty -> empty in log messages
(reyk@)

syspatch
~ syspatch.sh
> We don't want to run on -stable (i.e. locally built release) but only on
> official release.
> Remove the half cooked rollback patch if we run into an error.
(ajacoutot@)

~ syspatch.sh
> install_patch -> apply_patch to remove confusion with install_kernel and
> install_file.
(ajacoutot@)

~ syspatch.sh
> Add a few error messages so we know where we fail.
> Regular operation is mostly quiet, i.e:
> Applying syspatch-60-001_cp.tgz 100% |***********************| 65247 00:03
> Move trap after we create the temporary directory so that we can remove it
> on failure and fix a typo in readonly vars.
(ajacoutot@)

~ syspatch.sh
> Simplify fetch_and_verify(), no need for a loop here.
(ajacoutot@)

~ syspatch.sh
> Add a cleanup function to remove non matching release content from
> /var/syspatch and the rollback kernel if all kernel syspatches have been
> reverted.
> While here, make sure _RELINT and _REL are declared properly.
(ajacoutot@)

~ syspatch.sh
> Also remove non matching release rollback kernel.
> Temporarily unhook the cleanup function during tests.
(ajacoutot@)

~ syspatch.sh
> Only run sp_cleanup() when applying or reverting a patch (needs root).
(ajacoutot@)

~ syspatch.sh
> Add an XXX.
(ajacoutot@)

~ syspatch.sh
> Trap SIGINT while install(1)ing so that we can properly rollback and not
> be left in an inconsistent state.
(ajacoutot@)

~ syspatch.sh
> Simplify.
(ajacoutot@)

~ syspatch.sh
> Be verbose when reverting a patch.
> committing now to please espie@
(ajacoutot@)

~ syspatch.sh
> Simplify for loops; prompted by a comment from rpe@
(ajacoutot@)

~ syspatch.sh
> Use hw.ncpufound.
(ajacoutot@)

~ syspatch.sh
> Merge ls_avail() into ls_missing(), it's only used once.
> While here, cope with a missing index.txt or other ftp(1) error.
(ajacoutot@)

~ syspatch.sh
> Make sure PATCH_PATH is a URL that ftp(1) can cope with.
(ajacoutot@)

~ syspatch.sh
> Hardlinks are properly handled; for the rest, we'll see if we need to care
> or not (XXX).
(ajacoutot@)

~ syspatch.sh
> XXX match with installed sets (comp, x...)?
(ajacoutot@)

~ syspatch.8
~ syspatch.sh
> rollback -> revert where it makes sense.
(ajacoutot@)

~ syspatch.sh
> Missing local.
(ajacoutot@)

~ syspatch.sh
> Use 'rm -f' to remove the rollback tarball if we have an error; it may
> be because we have a read-only /var.
(ajacoutot@)

~ syspatch.sh
> Make sure our filesystems are local and not read-only.
(ajacoutot@)

~ syspatch.sh
> Zap extra space.
(ajacoutot@)

~ syspatch.sh
> One more XXX.
(ajacoutot@)

~ syspatch.sh
> Be verbose when PATCH_PATH is not set (that is temporary until we agree on
> a way to point to a syspatch mirror).
(ajacoutot@)

~ syspatch.sh
> Rework the cleanup trap handling using the EXIT trap;
>   trap 'cleanup; goes; here' EXIT
>   trap exit HUP INT TERM ERR FOO BAR BAZ
> This makes sure the cleanup is always done (unless we exec), and
> preserves the exit code, such as SIGINT => 130.
> Also trap fewer signals. Special signals are special.
> tested and OK ajacoutot@
(halex@)

tcpdump
~ print-ip.c
> Replace a snapend test in ip_print() with a call to TCHECK2 as there
> is already a trunc label with the same printf in the function.
(jsg@)

~ print-ip.c
> If a length from an ip packet encapsulated in gre or etherip would cause
> the position to go past snapend, truncate. Found with afl.
(jsg@)

vmd
~ log.c
> Pass the errno value to vfatal(), renaming it to vfatalc() to match,
> instead of using errno as an implicit argument
> ok reyk@
(guenther@)

~ config.c
~ parse.y
~ vmd.c
~ vmd.h
~ vmm.c
> Update the config/register/get VM methods to match the config_set/get
> style that is used in other places. Also keep the vmid from the parent.
> OK edd@
(reyk@)

~ config.c
~ parse.y
~ vmd.c
~ vmd.h
> Pass the internal vmid or 0 to vm_register() instead of changing it
> once again after setting the next available id.
> Suggested by edd@
(reyk@)

===============================================================================

_______________________________________________
owc mailing list
[email protected]
http://www.squish.net/mailman/listinfo/owc
