OpenBSD src changes summary for 2016-11-27 to 2016-12-04 inclusive
==================================================================

distrib/armv7 distrib/macppc distrib/sets
games/atc games/pom games/quiz
gnu gnu/usr.bin/binutils-2.17
lib/libcrypto lib/libpcap lib/libssl
libexec/spamd
regress/lib regress/sys regress/usr.bin regress/usr.sbin
sbin/bioctl sbin/disklabel sbin/ifconfig sbin/iked
share/man
sys/arch/alpha/conf sys/arch/amd64/conf sys/arch/armv7/conf
sys/arch/armv7/sunxi sys/arch/hppa/conf sys/arch/hppa/stand/boot
sys/arch/i386/conf sys/arch/landisk/conf sys/arch/landisk/stand/boot
sys/arch/landisk/stand/xxboot sys/arch/loongson/conf
sys/arch/loongson/loongson sys/arch/luna88k/conf
sys/arch/luna88k/stand/boot sys/arch/macppc/conf sys/arch/octeon/conf
sys/arch/octeon/dev sys/arch/sgi/conf sys/arch/sgi/dev sys/arch/sgi/hpc
sys/arch/socppc/conf sys/arch/sparc64/conf sys/conf sys/dev/ic
sys/dev/pci sys/dev/pv sys/dev/usb sys/kern sys/lib/libsa sys/net
sys/net80211 sys/netinet sys/netinet6 sys/sys sys/ufs/ffs
usr.bin/cal usr.bin/ftp usr.bin/nc usr.bin/ssh usr.bin/tmux usr.bin/units
usr.sbin/arp usr.sbin/ldapd usr.sbin/ndp usr.sbin/ntpd usr.sbin/smtpd
usr.sbin/spamdb usr.sbin/switchctl usr.sbin/switchd usr.sbin/syslogd
usr.sbin/syspatch usr.sbin/tcpdump usr.sbin/user usr.sbin/vmd
usr.sbin/ypldap

== distrib =========================================================== 01/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

armv7

  ~ ramdisk/Makefile
  > Use makefs to build bsd.rd on armv7 and macppc.
  > ok deraadt (natano@)

macppc

  ~ ramdisk/Makefile
  > Use makefs to build bsd.rd on armv7 and macppc.
  > ok deraadt (natano@)

sets

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/base/mi
  > sync (sthen@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

  ~ lists/comp/mi
  > sync (deraadt@)

== games ============================================================= 02/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games

atc

  ~ def.h
  > Remove useless #ifndef in atc(6) and pom(6).
  > M_PI is always defined, so we can drop those directives.
  > OK deraadt@, millert@ (fcambus@)

pom

  ~ pom.c
  > Remove useless #ifndef in atc(6) and pom(6).
  > M_PI is always defined, so we can drop those directives.
  > OK deraadt@, millert@ (fcambus@)

quiz

  ~ datfiles/elements
  > elements 113, 115, 117, and 118; from pjanzen (jmc@)

== gnu =============================================================== 03/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/gnu

gnu

  ~ llvm/tools/clang/lib/Basic/Targets.cpp
  > Setup clang to use OpenBSD settings and defines for our AArch64
  > (little-endian) target.
  > ok phessler@ (patrick@)

usr.bin/binutils-2.17

  ~ opcodes/mips-opc.c
  > Add Octeon coprocessor 2 instructions.
  > No objection from kettenis@ (visa@)

== lib =============================================================== 04/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libcrypto

  ~ man/EVP_PKEY_CTX_new.3
  > Add Copyright and license.
  > Mention that EVP_PKEY_CTX_free(3) accepts NULL.
  > Delete the useless statement that a void function returns no value.
  > (schwarze@)

  ~ man/EVP_PKEY_cmp.3
  > Add Copyright and license.
  > Merge one clarifying sentence from OpenSSL. (schwarze@)

  ~ man/EVP_PKEY_encrypt.3
  ~ man/EVP_PKEY_keygen.3
  > Add Copyright and license.
  > Merge improvements to EXAMPLES from OpenSSL.
  > (schwarze@)

  ~ man/EVP_PKEY_new.3
  > EVP_PKEY_new.3
  > Add Copyright and license.
  > Mention that EVP_PKEY_free(3) accepts NULL.
  > Delete the useless statement that a void function returns no value.
  > Merge HISTORY from OpenSSL. (schwarze@)

  ~ man/EVP_PKEY_set1_RSA.3
  > Add Copyright and license.
  > Merge documentation of EVP_PKEY_id(3) and EVP_PKEY_base_id(3) from OpenSSL.
  > (schwarze@)

  ~ man/EVP_PKEY_sign.3
  > Add Copyright and license.
  > Merge some additional text and improvements to EXAMPLES from OpenSSL.
  > (schwarze@)

  ~ man/EVP_PKEY_CTX_ctrl.3
  ~ man/EVP_PKEY_decrypt.3
  ~ man/EVP_PKEY_derive.3
  ~ man/EVP_PKEY_get_default_digest_nid.3
  ~ man/EVP_PKEY_print_private.3
  ~ man/EVP_PKEY_verify.3
  ~ man/EVP_PKEY_verify_recover.3
  > Copyright and license (schwarze@)

  ~ man/HMAC.3
  > Add Copyright and license.
  > Fix a typo in the NAME section.
  > Document HMAC_CTX_copy(3), HMAC_CTX_set_flags(3), HMAC_size(3), from
  > OpenSSL.
  > Drop the useless statement that void functions do not return values.
  > (schwarze@)

  ~ man/MD5.3
  > Copyright and license (schwarze@)

  ~ man/OBJ_nid2obj.3
  > Add Copyright and license.
  > Document i2t_ASN1_OBJECT(3), from OpenSSL.
  > Merge more info about what NIDs are from OpenSSL. (schwarze@)

  ~ man/Makefile
  + man/OCSP_REQUEST_new.3
  + man/OCSP_cert_to_id.3
  + man/OCSP_request_add1_nonce.3
  + man/OCSP_resp_find_status.3
  + man/OCSP_response_status.3
  + man/OCSP_sendreq_new.3
  > Import OCSP documentation from OpenSSL, leaving out some stuff
  > that we don't have, fixing some bugs and tweaking some parts for
  > readability.
  > P.S.
  > Why did some people write a HTTP client implementation and then
  > decide that the best place to publish it might be a crypto(3)
  > library? Oh never mind, to go easy on my sanity, i should probably
  > stop asking such questions and just document what i find. (schwarze@)

  ~ man/lh_new.3
  ~ man/lh_stats.3
  > Add Copyright and license.
  > This documentation is obviously incomplete and unintelligible.
  > However, as the interfaces are utterly ill-designed and contorted
  > to the point of absurdity, i refuse to even attempt improvements,
  > at least for now. (schwarze@)

  ~ man/OPENSSL_VERSION_NUMBER.3
  > Copyright and license (schwarze@)

  ~ man/OPENSSL_config.3
  > Add Copyright and license.
  > There are many recommendations in this page, and most of them were
  > changed in OpenSSL. I have no idea what makes sense, so i'm not
  > touching the content. (schwarze@)

  ~ man/OPENSSL_load_builtin_modules.3
  > Add Copyright and license.
  > Garbage collect empty RETURN VALUES section. (schwarze@)

  ~ man/Makefile
  + man/OPENSSL_malloc.3
  > Document and discourage those wrappers that we have and that OpenSSL
  > documents, too. There are many additional undocumented ones in our
  > public OpenSSL headers, but advertising those would be a bad idea.
  > Nothing of the text from OPENSSL_malloc.pod remains, so use my own
  > Copyright and license. (schwarze@)

  ~ man/OpenSSL_add_all_algorithms.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/PEM_read.3
  > import from OpenSSL with minor tweaks (schwarze@)

  ~ man/PEM_read_bio_PrivateKey.3
  > For unknown reasons, this summer, OpenSSL added an additional manual
  > page PEM_read_CMS(3) to document a bunch of functions unrelated
  > among themselves, but very similar to those documented here.
  > Information in that page is scantier than for the functions documented
  > here - and besides, it is mostly wrong. Looks like they lost their
  > way in the vast forest of functions they autogenerated with chains
  > of macros...
  > Document those functions documented there which are relevant to us
  > in the present page instead, and with correct prototypes. Given
  > that i know too little about PEM formats, information about semantics
  > is almost certainly incomplete, but at least better than what OpenSSL
  > provides.
  > While here, add Copyright and license. (schwarze@)

  ~ man/PEM_write_bio_PKCS7_stream.3
  > Add Copyright and license.
  > Remove one needless #include from the SYNOPSIS (from OpenSSL). (schwarze@)

  ~ man/CRYPTO_set_ex_data.3
  > Add Copyright and license.
  > Merge the documentation of six additional functions from OpenSSL.
  > There are some differences between OpenSSL and LibreSSL, for example
  > we don't have CRYPTO_free_ex_index(), CRYPTO_EX_INDEX_EC_KEY,
  > and CRYPTO_EX_INDEX_APP. I hope i got the differences right.
  > "if you don't get any feedback promptly i say just go ahead" jmc@
  > (schwarze@)

  ~ man/PKCS12_create.3
  ~ man/PKCS12_parse.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/PKCS12_newpass.3
  > import PKCS12_newpass(3) from OpenSSL (schwarze@)

  ~ man/PKCS5_PBKDF2_HMAC.3
  ~ man/PKCS7_decrypt.3
  ~ man/PKCS7_encrypt.3
  ~ man/PKCS7_sign.3
  ~ man/PKCS7_sign_add_signer.3
  ~ man/PKCS7_verify.3
  > Copyright and license (schwarze@)

  - man/RAND_cleanup.3
  ~ man/Makefile
  ~ man/RAND_add.3
  ~ man/RAND_set_rand_method.3
  > No text remains from OpenSSL, so use the standard OpenBSD license.
  > Mention the true author (Miod 2014).
  > Merge the useless page RAND_cleanup(3) into RAND_add(3).
  > Fix the return type of RAND_set_rand_method(3).
  > Mention the constant return values. (schwarze@)

  ~ man/RAND_bytes.3
  > Add Copyright and license.
  > Add deprecation notice.
  > Delete useless cross references. (schwarze@)

  ~ man/RAND_load_file.3
  > Add Copyright and license.
  > Adjust RETURN VALUES to match reality.
  > Delete the useless SEE ALSO section. (schwarze@)

  ~ man/CRYPTO_set_ex_data.3
  ~ man/EVP_PKEY_set1_RSA.3
  ~ man/OPENSSL_malloc.3
  ~ man/PEM_read.3
  ~ man/PEM_read_bio_PrivateKey.3
  > minor cleanup; (jmc@)

  ~ man/RC4.3
  ~ man/RIPEMD160.3
  > Copyright and license (schwarze@)

  ~ man/RSA_check_key.3
  ~ man/RSA_size.3
  > Add Copyright, license, and very minor improvements from OpenSSL.
  > (schwarze@)

  ~ man/RSA_new.3
  > Add Copyright and license.
  > Mention that RSA_free(3) accepts NULL. (schwarze@)

  ~ man/RSA_sign.3
  > Add Copyright and license.
  > Merge various improvements from OpenSSL:
  > Clarify a reference to a standard.
  > Stop advertising ancient hash functions.
  > Remove incorrect statements about error return values.
  > Delete a cross reference to the non-existent page objects(3). (schwarze@)

  ~ man/RSA_blinding_on.3
  ~ man/RSA_generate_key.3
  ~ man/RSA_get_ex_new_index.3
  ~ man/RSA_padding_add_PKCS1_type_1.3
  ~ man/RSA_print.3
  ~ man/RSA_private_encrypt.3
  ~ man/RSA_public_encrypt.3
  ~ man/RSA_set_method.3
  ~ man/RSA_sign_ASN1_OCTET_STRING.3
  > Copyright and license (schwarze@)

  ~ man/SHA1.3
  > Add Copyright and license.
  > Merge SHA2 documentation from OpenSSL.
  > Fix the data type of the "n" argument of SHA1(3)
  > and the return type of SHA1_Update(3).
  > Merge a note about thread safety from OpenSSL.
  > We have two competing implementations of SHA2 in base:
  > in lib/libc/hash and in lib/libcrypto.
  > Both are now documented in their proper manual page. (schwarze@)

  ~ man/SMIME_read_PKCS7.3
  ~ man/SMIME_write_PKCS7.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  ~ man/OPENSSL_malloc.3
  + man/CRYPTO_get_mem_functions.3
  + man/OPENSSL_cleanse.3
  > separate these descriptions into separate files to reduce confusion.
  > discussed with jsing
  > ok schwarze (deraadt@)

  ~ man/CRYPTO_get_mem_functions.3
  ~ man/OPENSSL_cleanse.3
  ~ man/OPENSSL_malloc.3
  > tweak previous; (jmc@)

  ~ man/OCSP_REQUEST_new.3
  ~ man/OCSP_cert_to_id.3
  ~ man/OCSP_request_add1_nonce.3
  ~ man/OCSP_sendreq_new.3
  > various cleanup; (jmc@)

  ~ man/RSA_get_ex_new_index.3
  ~ man/RSA_private_encrypt.3
  ~ man/RSA_public_encrypt.3
  ~ man/RSA_set_method.3
  ~ man/SHA1.3
  ~ man/UI_new.3
  > minor cleanup; (jmc@)

  ~ man/X509_NAME_add_entry_by_txt.3
  ~ man/X509_NAME_get_index_by_NID.3
  ~ man/X509_NAME_print_ex.3
  ~ man/X509_STORE_CTX_get_error.3
  ~ man/X509_STORE_CTX_new.3
  ~ man/X509_STORE_set_verify_cb_func.3
  ~ man/X509_VERIFY_PARAM_set_flags.3
  ~ man/X509_new.3
  ~ man/X509_verify_cert.3
  ~ man/bn_dump.3
  ~ man/crypto.3
  > various cleanup; (jmc@)

  ~ man/UI_new.3
  > Add Copyright and license.
  > Mention that UI_free(3) accepts NULL.
  > One minor clarification from OpenSSL.
  > (schwarze@)

  ~ man/Makefile
  + man/X509V3_get_d2i.3
  + man/X509_ALGOR_dup.3
  + man/X509_CRL_get0_by_serial.3
  + man/X509_EXTENSION_set_object.3
  + man/X509_LOOKUP_hash_dir.3
  > import five newish X509 pages from OpenSSL (schwarze@)

libpcap

  ~ nametoaddr.c
  ~ shlib_version
  > Stop exporting the eproto_db array, export a pointer to it instead.
  > tcpdump directly uses eproto_db even though it is not part of the
  > libpcap API. This means that we can't freely add members to this array,
  > else ld.so complains about size mismatches. Keep the data in a static
  > array instead and make it usable by tcpdump through a pointer whose size
  > won't change in the future. A minor bump is enough here for ld.so to
  > stop complaining.
  > While here, mark _eproto_db and llc_db as const, as they are meant to
  > be.
  > Suggested by and ok deraadt@ (jca@)

  ~ nametoaddr.c
  > add "lldp" to the ether protocol name db.
  > this lets me go "tcpdump ether proto lldp" to easily read lldp packets
  > off the wire without other noise getting in the way.
  > ok deraadt@ jca@ sthen@ (dlg@)

libssl

  ~ man/Makefile
  + man/PEM_read_SSL_SESSION.3
  > The OpenSSL file doc/man3/PEM_read_CMS.pod contains parts belonging
  > to libcrypto and parts belonging to libssl. Extract the parts
  > relevant for our libssl and import them with some tweaks. (schwarze@)

  ~ man/SSL_CIPHER_get_name.3
  > Add Copyright and license.
  > SSLv2 and export ciphers are no longer supported, delete related text.
  > Sync SSL_CIPHER_description(3) return values with the source code.
  > Wording simplifications from OpenSSL.
  > Delete empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_COMP_add_compression_method.3
  > Replace all of the text by a deprecation notice:
  > LibreSSL was decompressed long ago.
  > Mention SSL_COMP_get_compression_methods(3) which is both available
  > in our public interface and documented by OpenSSL. (schwarze@)

  ~ man/SSL_CTX_add_extra_chain_cert.3
  > Add Copyright and license.
  > Lots of improvements from OpenSSL:
  > Document SSL_CTX_clear_extra_chain_certs(3).
  > Correct SSL_CTX_add_extra_chain_cert(3) first argument type.
  > Add some new information and improve wording. (schwarze@)

  ~ man/SSL_CTX_flush_sessions.3
  > Add Copyright and license.
  > Correct two typos while here. (schwarze@)

  ~ man/SSL_CTX_free.3
  > Add Copyright and license.
  > Garbage collect empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_CTX_add_session.3
  ~ man/SSL_CTX_ctrl.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/SSL_set1_param.3
  > Import the relevant parts of SSL_CTX_get0_param(3) from OpenSSL.
  > Call it SSL_set1_param(3) since we don't have these get0 functions.
  > (schwarze@)

  ~ man/SSL_CTX_get_verify_mode.3
  > Add Copyright and license.
  > Garbage collect empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_CTX_load_verify_locations.3
  > Add Copyright and license.
  > Merge SSL_CTX_set_default_verify_paths(3) documentation from OpenSSL,
  > but do not talk about environment variables, which LibreSSL does
  > not appear to support, judging from the source code.
  > Rename WARNINGS section to CAVEATS. (schwarze@)

  ~ man/SSL_CTX_new.3
  > Add Copyright and license.
  > Remove the last traces of SSLv3.
  > Add TLS_method(3), TLSv1_2_method(3), DTLSv1_method(3) and friends.
  > Add missing prototypes to the SYNOPSIS.
  > Merge additional information from OpenSSL.
  > Simplify description of TLSv1_method(3) and SSLv23_method(3), from OpenSSL.
  > Some additional minor fixes. (schwarze@)

  ~ man/ssl.3
  > Purge some SSLv2 and SSLv3 stuff that no longer exists. (schwarze@)

  ~ man/SSL_CTX_sess_number.3
  > Add Copyright and license.
  > Garbage collect empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_CTX_sess_set_cache_size.3
  > Add Copyright and license.
  > Correct the description of what happens when the session cache is full,
  > from OpenSSL.
  > (schwarze@)

  ~ man/SSL_CTX_sess_set_get_cb.3
  ~ man/SSL_CTX_sessions.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/SSL_CTX_set_alpn_select_cb.3
  > import SSL_CTX_set_alpn_select_cb(3) from OpenSSL (schwarze@)

  ~ man/SSL_CTX_set_cert_store.3
  > Add Copyright and license.
  > Remove the useless statement that a void function does not return a value.
  > (schwarze@)

  ~ man/SSL_CTX_set_cert_verify_callback.3
  > Add Copyright and license.
  > Rename WARNINGS to CAVEATS and RETURN VALUES to BUGS,
  > the latter from OpenSSL. (schwarze@)

  ~ man/SSL_CTX_set_cipher_list.3
  > Add Copyright and license.
  > Stop talking about export ciphers.
  > Remove two irrelevant cross references. (schwarze@)

  ~ man/SSL_CTX_set_client_CA_list.3
  ~ man/SSL_CTX_set_client_cert_cb.3
  > Copyright and license. (schwarze@)

  ~ man/SSL_CTX_set_default_passwd_cb.3
  > Add Copyright and license.
  > Fix the declaration of pem_password_cb.
  > Simplify wording, mostly from OpenSSL.
  > Garbage collect the empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_CTX_set_generate_session_id.3
  > Add Copyright and license.
  > Add markup for the declaration of GEN_SESSION_CB.
  > Garbage collect some remnants of SSLv2 and SSLv3. (schwarze@)

  ~ man/SSL_CTX_set_info_callback.3
  > Add Copyright and license.
  > Correct prototypes.
  > Drop the useless statement that a void function does not return a value.
  > (schwarze@)

  ~ man/SSL_CTX_set_max_cert_list.3
  ~ man/SSL_CTX_set_msg_callback.3
  > Copyright and license (schwarze@)

  ~ man/SSL_CTX_set_mode.3
  > Add Copyright and license.
  > Delete a sentence explaining exploit mitigation countermeasures
  > that have long been removed. (schwarze@)

  ~ man/SSL_CTX_set_options.3
  > Add Copyright and license.
  > Delete explanation of SSL_OP_SINGLE_DH_USE, it is always on now.
  > Delete explanation of obsolete option SSL_OP_EPHEMERAL_RSA.
  > Delete various SSLv2 and SSLv3 remnants.
  > Delete excessive verbiage detailing each obsolete option individually;
  > instead, provide one concise list of obsolete options.
  > Delete HISTORY of individual options; it was incomplete anyway
  > and is not important enough to warrant so much bloat.
  > Garbage collect two useless cross references. (schwarze@)

  - man/SSL_CTX_set_psk_client_callback.3
  - man/SSL_CTX_use_psk_identity_hint.3
  - man/SSL_get_psk_identity.3
  ~ man/Makefile
  ~ man/ssl.3
  > garbage collect PSK remnants (schwarze@)

  ~ man/SSL_CTX_set_quiet_shutdown.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/SSL_CTX_set_read_ahead.3
  > import SSL_CTX_set_read_ahead(3) from OpenSSL, with considerable tweaks
  > (schwarze@)

  ~ man/Makefile
  + man/SSL_set_max_send_fragment.3
  > import the parts of OpenSSL SSL_CTX_set_split_send_fragment(3)
  > relevant for us, calling the page SSL_set_max_send_fragment(3) (schwarze@)

  ~ man/SSL_CTX_set_session_cache_mode.3
  ~ man/SSL_CTX_set_session_id_context.3
  ~ man/SSL_CTX_set_ssl_version.3
  ~ man/SSL_CTX_set_timeout.3
  > Copyright and license (schwarze@)

  ~ man/Makefile
  + man/SSL_CTX_set_tlsext_status_cb.3
  + man/SSL_CTX_set_tlsext_ticket_key_cb.3
  > import tlsext documentation from OpenSSL (schwarze@)

  ~ man/SSL_CTX_set_tmp_dh_callback.3
  > Add Copyright and license.
  > Merge various updates from OpenSSL, in particular stop talking about
  > what happens without SSL_OP_SINGLE_DH_USE, which is now always on.
  > (schwarze@)

  ~ man/SSL_CTX_set_verify.3
  > Add Copyright and license.
  > Delete empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_CTX_use_certificate.3
  > Copyright and license (schwarze@)

  ~ man/SSL_clear.3
  > Add Copyright and license.
  > Talk about TLS_method() rather than SSLv23_method().
  > Rename WARNINGS section to CAVEATS.
  > (schwarze@)

  ~ man/SSL_accept.3
  ~ man/SSL_alert_type_string.3
  ~ man/SSL_connect.3
  ~ man/SSL_do_handshake.3
  ~ man/SSL_free.3
  > Copyright and license (schwarze@)

  ~ man/SSL_get_SSL_CTX.3
  ~ man/SSL_get_error.3
  ~ man/SSL_get_fd.3
  ~ man/SSL_get_peer_certificate.3
  ~ man/SSL_get_rbio.3
  ~ man/SSL_get_verify_result.3
  > Copyright and license (schwarze@)

  ~ man/SSL_get_ciphers.3
  > Add Copyright and license.
  > Some additional explanations from OpenSSL.
  > Delete empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_get_client_CA_list.3
  > Add Copyright and license.
  > Delete the RETURN VALUES section.
  > The content is completely unrelated to the topic of the page -
  > that must have been a pasto in the original commit in OpenSSL. (schwarze@)

  ~ man/SSL_get_current_cipher.3
  > Add Copyright and license.
  > Fix the prototype of SSL_get_current_cipher(3).
  > In the SYNOPSIS, show prototypes rather than #defines.
  > Some minor improvements from OpenSSL. (schwarze@)

  ~ man/SSL_get_default_timeout.3
  > Add Copyright and license.
  > Delete empty RETURN VALUES section. (schwarze@)

  ~ man/SSL_get_peer_cert_chain.3
  > Add Copyright and license.
  > Some additional explanations from OpenSSL. (schwarze@)

  ~ man/SSL_get_session.3
  > Add Copyright and license.
  > Minor corrections while here. (schwarze@)

  ~ man/SSL_get_version.3
  > Add Copyright and license.
  > Delete SSLv2 and SSLv3 remnants. (schwarze@)

  ~ bs_ber.c
  ~ s3_clnt.c
  ~ s3_srvr.c
  ~ ssl_asn1.c
  > Avoid signed vs unsigned warnings from clang by adding two casts,
  > slightly rewriting some code and changing the type of an array.
  > ok bcook@ doug@ (jsing@)

  ~ s3_clnt.c
  > Address a potential leak in ssl3_get_server_kex_ecdhe() - if we allocate
  > ngroup and the following EC_KEY_set_group() fails, ngroup will not be
  > freed. Avoid this by freeing on return.
  > ok millert@ (jsing@)

  ~ man/SSL_library_init.3
  > Add Copyright and license.
  > In the SYNOPSIS, show prototypes, not #defines.
  > Delete a note about ancient OpenSSL versions.
  > (schwarze@)

  ~ man/SSL_read.3
  > Add Copyright and license.
  > Merge documentation of SSL_peek(3) from OpenSSL.
  > Stop talking about SSLv2.
  > Many wording improvements, most from OpenSSL. (schwarze@)

  ~ man/SSL_load_client_CA_file.3
  ~ man/SSL_rstate_string.3
  ~ man/SSL_session_reused.3
  ~ man/SSL_set_bio.3
  ~ man/SSL_set_connect_state.3
  ~ man/SSL_set_fd.3
  ~ man/SSL_set_session.3
  ~ man/SSL_set_shutdown.3
  ~ man/SSL_set_verify_result.3
  ~ man/SSL_state_string.3
  ~ man/SSL_want.3
  > Copyright and license (schwarze@)

  ~ man/SSL_new.3
  ~ man/SSL_shutdown.3
  > Add Copyright and license.
  > Stop talking about SSLv2 and SSLv3. (schwarze@)

  ~ man/SSL_pending.3
  > Add Copyright and license.
  > Wording improvements and a bit of additional information from OpenSSL.
  > (schwarze@)

  ~ man/SSL_write.3
  > Add Copyright and license.
  > Stop talking about SSLv2 and SSLv3.
  > Some minor tweaks. (schwarze@)

  ~ s3_srvr.c
  > Convert ssl3_send_server_hello() to CBB.
  > ok beck@ doug@ (jsing@)

  ~ s3_clnt.c
  > Cleanup some of ssl3_send_client_kex_rsa() - tmp_buf is really the
  > premaster secret, so name it accordingly. Also, remove bogus assignment
  > of master_key_length - the correct value is assigned when the master_key
  > is set.
  > ok beck@ doug@ (jsing@)

  ~ s23_clnt.c
  ~ s3_clnt.c
  ~ ssl_lib.c
  ~ ssl_locl.h
  > Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
  > the number of bytes written via an explicit *outlen argument and retaining
  > the return value to indicate success or failure.
  > ok doug@ (jsing@)

== libexec =========================================================== 05/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

spamd

  ~ spamd.c
  > Check return value of tls_config_set_protocols(3) and bail out in case of
  > failure
  > Feedback and OK jsing@ (mestre@)

== regress =========================================================== 06/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

lib

  ~ libssl/unit/cipher_list.c
  > Update regress test to handle change to ssl_cipher_list_to_bytes().
  > (jsing@)

sys

  ~ kern/setuid/Makefile
  > The setuid regression test builds and runs a binary that is setuid
  > or setgid nobody. Since /usr/obj is 0770, user nobody cannot access
  > other files there anymore. Install all programs into a temporary
  > directory and run them there. Check that /tmp is mounted without
  > nosuid. (bluhm@)

  ~ net/pf_forward/Makefile
  > Enable the pmtu and traceroute subtests with af-to. pf has been
  > fixed now. (bluhm@)

  ~ net/vxlan/Makefile
  ~ net/vxlan/vxlan_2.sh
  > Fix typos (vgross@)

usr.bin

  ~ ssh/cert-userkey.sh
  > test new behaviour of cert force-command restriction vs. authorized_key/
  > principals (djm@)

usr.sbin

  ~ syslogd/Syslogd.pm
  > To test the pipe feature, a dd is started and writing into a log
  > file as user _syslogd. Since /usr/obj is 0770 now, user _syslogd
  > cannot access this file there anymore. Create pipe.log in temporary
  > directory in /tmp instead. (bluhm@)

== sbin ============================================================== 07/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

bioctl

  ~ bioctl.8
  > Document bioctl -d as a "detach" rather than a "delete" operation.
  > ok tb@ danj@ deraadt@ (stsp@)

disklabel

  ~ disklabel.8
  > provide missing unit suffixes; from ross l richardson (jmc@)

ifconfig

  ~ brconfig.c
  ~ ifconfig.8
  > Rename "flowmax" to "maxflow" and give each switch(4) ioctl a
  > dedicated number. Both changes for consistency.
  > OK rzalamena@ (reyk@)

iked

  ~ iked.conf.5
  > ikelifetime time spec is the same as the one for lifetime (mikeb@)

== share ============================================================= 08/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man8/release.8
  > Remove some more verbiage.
  > looks alright to tj (tb@)

  ~ man4/switch.4
  > catch up with ioctl rename; ok reyk (jmc@)

  ~ man4/options.4
  ~ man8/crash.8
  > Some tweaks reflecting that DEBUG=-g is the default for building kernels.
  > With jmc@ (mpi@)

  ~ man4/ix.4
  > Update the manual page regarding recent changes
  > This adds a few new devices from the X550 family as well as a note that
  > fiber optics modules must be removed after the interface is brought down
  > as discussed on ICB. (mikeb@)

  ~ man4/pci.4
  > update the ix(4) entry; (jmc@)

  ~ man4/options.4
  > better text for makeoptions DEBUG; help/ok mpi (jmc@)

  ~ man4/axen.4
  > list 'StarTech USB31000S' as supported; the driver already attached to it
  > for a while
  > also tested by yours truly (jasper@)

== sys =============================================================== 09/11 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

arch/alpha/conf

  ~ Makefile.alpha
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/amd64/conf

  ~ Makefile.amd64
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%.
  > However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

  ~ RAMDISK_CD
  > enable hvn(4)
  > ok mikeb@ (jsg@)

arch/armv7/conf

  ~ Makefile.armv7
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/armv7/sunxi

  ~ sximmc.c
  > Match on "allwinner,sun7i-a20-mmc". In linux 4.9 the device trees for
  > a31/a20/a23/a33/h3 mmc devices set this compatible string to denote the
  > presence of sample clocks and no longer set "allwinner,sun5i-a13-mmc".
  > ok kettenis@ (jsg@)

arch/hppa/conf

  ~ Makefile.hppa
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/hppa/stand/boot

  ~ Makefile
  > ashldi3 is now needed (deraadt@)

arch/i386/conf

  ~ Makefile.i386
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/landisk/conf

  ~ Makefile.landisk
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/landisk/stand/boot

  ~ Makefile
  > need ashrdi3 (deraadt@)

arch/landisk/stand/xxboot

  ~ Makefile
  > need ashrdi3 (deraadt@)

arch/loongson/conf

  ~ Makefile.loongson
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/loongson/loongson

  ~ loongson3_intr.c
  > Fix memory leak. (visa@)

arch/luna88k/conf

  ~ Makefile.luna88k
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/luna88k/stand/boot

  ~ Makefile
  > luna88k bootloader needs __ashldi3 to compile sys/lib/libsa/ufs.c 1.26.
  > (aoyama@)

arch/macppc/conf

  ~ Makefile.macppc
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/octeon/conf

  ~ Makefile.octeon
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/octeon/dev

  ~ octeon_intr.c
  > Simplify interrupt dispatching by processing requests without
  > prioritization by IPL. (visa@)

  ~ octeon_intr.c
  > Drop stale prototypes and an outdated comment. (visa@)

  ~ octeon_intr.c
  > Implement octeon_intr_disestablish(). (visa@)

  ~ octeon_intr.c
  > Add handling for the second interrupt bank.
  > Needed by an upcoming driver. (visa@)

arch/sgi/conf

  ~ Makefile.sgi
  > Build kernel with DEBUG=-g by default.
  > This will allow us to extract type information from DWARF2 sections. It
  > also makes developer life easier as debug information is now included in
  > every object.
  > Resulting kernels will be stripped using strip(1) instead of ld(1).
  > Kernel build time increases by approximately 10%. However it is still
  > possible to disable this by defining DEBUG="".
  > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@)

arch/sgi/dev

  ~ if_iec.c
  > m_free() and m_freem() test for NULL. Simplify callers which had their own
  > NULL tests.
  > ok mpi@ (jsg@)

arch/sgi/hpc

  ~ if_sq.c
  > m_free() and m_freem() test for NULL.
Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) arch/socppc/conf ~ Makefile.socppc > Build kernel with DEBUG=-g by default. > This will allow us to extract type informations from DWARF2 sections. It > also makes developer life easier as debug information are now included in > every object. > Resulting kernels will be stripped using strip(1) instead of ld(1). > Kernel build time increases by approximately 10%. However it is still > possible to disable this by defining DEBUG="". > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@) arch/sparc64/conf ~ Makefile.sparc64 > Build kernel with DEBUG=-g by default. > This will allow us to extract type informations from DWARF2 sections. It > also makes developer life easier as debug information are now included in > every object. > Resulting kernels will be stripped using strip(1) instead of ld(1). > Kernel build time increases by approximately 10%. However it is still > possible to disable this by defining DEBUG="". > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@) conf ~ GENERIC > Build kernel with DEBUG=-g by default. > This will allow us to extract type informations from DWARF2 sections. It > also makes developer life easier as debug information are now included in > every object. > Resulting kernels will be stripped using strip(1) instead of ld(1). > Kernel build time increases by approximately 10%. However it is still > possible to disable this by defining DEBUG="". > ok kettenis@, bluhm@, natano@, jasper@, reyk@, deraadt@ (mpi@) ~ files > Enable mira in kernel builds. > For now, only build mira if the iwm(4) or iwn(4) drivers are also > built since other wifi drivers don't even have 11n support yet. > This limits platforms affected by this change to i386 and amd64. > make release on i386/amd64 platforms tested by tb@ (thanks!) > ok tb@ mpi@ kettenis@ (stsp@) dev/ic ~ ar5008.c ~ ar9003.c ~ dwc_gmac.c ~ pgt.c > m_free() and m_freem() test for NULL. 
Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) dev/pci ~ hifn7751.c ~ if_alc.c ~ if_ixgb.c ~ if_jme.c ~ if_nfe.c ~ if_pcn.c ~ if_stge.c ~ if_xge.c > m_free() and m_freem() test for NULL. Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) ~ if_iwn.c > Make iwn(4) receive MIMO frames in monitor mode. We can now sniff all > 802.11n > frames the hardware is able to receive. Use an xT3R device for best > results. > This change has not yet been tested on 1T1R devices due to lack of > hardware. > ok kettenis@ (stsp@) ~ if_iwm.c ~ if_iwmvar.h > Switch the iwm(4) driver to mira rate adaptation in 11n mode. > Only the rate adaptation algorithm changes, available data rates do not > (yet). > Please let me know about any regressions. > In 11a/b/g modes the driver still uses AMRR, so forcing one of these modes > with ifconfig's 'mode' subcommand will serve as a fallback if necessary. > ok tb@ mpi@ kettenis@ (stsp@) ~ if_ix.c > Update media types upon SFP module change > Tested by Hrvoje Popovski and myself. (mikeb@) ~ drm/drm.h ~ drm/drm_drv.c > Add noop drm SET_MASTER and DROP_MASTER ioctls. This will allow > reducing the local diff in libdrm. > We only handle a single master as xorg privdrop has already occurred at > the point where the ioctls are issued. (jsg@) ~ pcidevs > have a better go at naming xl710 devices > intel use xl710 to refer to 40 gig parts (and 20 for some reason), > and x710 to refer to 10g parts. there's allegedly going to be 25g > parts called xxv710. > i havent included the xl722 parts yet. > im naming the devices by the speed and connector rather than going for > actual intel product names like XL710-QDA1 because other vendors will > use the same chips in product with other names. > intel also put the XL710-QDA1 product id on the XL710-QDA2, which is > a good argument not to use product names too. 
(dlg@) ~ pcidevs.h ~ pcidevs_data.h > regen (dlg@) ~ if_ix.c > Disable the TX laser when interface is going down for all fiber modules > Previously only multi-rate fiber modules would disable the TX laser, but > newer Intel driver does it for single rate modules as well. Reminded by > kettenis@, tested by procter@ and Hrvoje Popovski. Thanks! (mikeb@) ~ ixgbe.c > Don't overwrite the selected flow control settings > procter@ has noticed that flow control settings survive module change > when they should be forgotten. It became clear that we're overwriting > the selected FC mode with the requested version instead of keeping > negotiated settings. Tested by procter@. (mikeb@) ~ pcidevs > 8086:154a is not a QSFP model, possibly just a quad port > Cleanup trailing whitespaces from the previous change while here. (mikeb@) ~ pcidevs.h ~ pcidevs_data.h > regen (mikeb@) dev/pv ~ xenstore.c > Replace the hand-rolled semaphore with a read-write lock > This was sitting in my tree for many a month and since the introduction > of interrupt threads, the interrupt vs. process context interlock became > irrelevant. Taking uncontended write locks while "cold" doesn't look > like a big deal as well. (mikeb@) ~ xen.c ~ xenstore.c ~ xenvar.h > Don't expose the xen_softc pointer in the XenStore transaction struct > (mikeb@) ~ if_xnf.c ~ xen.c ~ xenstore.c ~ xenvar.h > Stop exposing xen_softc to PV devices directly (mikeb@) ~ if_xnf.c > Since rings are created during attach memory allocations shouldn't sleep > (mikeb@) dev/usb ~ if_athn_usb.c > m_free() and m_freem() test for NULL. Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) ~ usb_mem.c ~ usb_mem.h > Do not overlay DMA fragment descriptors with free list handling. > This "cleverness" increase the risk of races due to caching and/or > prefetching between the HC and DMA engine. 
Many of the bug reports > on bugs@ involving memory corruptions in usb_allocmem() should be > easier to diagnose when not avoided with this change. > From Marius Strobl, ok kettenis@ (mpi@) kern ~ uipc_syscalls.c > Remove NULL checks before m_free{m,}(). > ok reyk@, rzalamena@ (mpi@) ~ uipc_mbuf.c ~ uipc_socket.c ~ uipc_syscalls.c ~ uipc_usrreq.c > m_free() and m_freem() test for NULL. Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) lib/libsa ~ ufs2.c ~ memcmp.c > Add missing OpenBSD CVS tags (reyk@) net ~ if_switch.c ~ switchofp.c > Rename "flowmax" to "maxflow" and give each switch(4) ioctl a > dedicated number. Both changes for consistency. > OK rzalamena@ (reyk@) ~ bpf.c > Make sure the descriptor has been removed from the interface list > before we call ifpromisc() and possibly sleep. > ok bluhm@ (mpi@) ~ if.c > Remove simple recursive splsoftnet() calls inside ifioctl(). (mpi@) ~ switchofp.c > Implement more validations for switch(4) groups handling: check for invalid > group-mod message sizes and validate bucket sizes and actions lists. > Discussed with reyk@: we should get this in as it is better to have some > validation than having none at all. (rzalamena@) ~ pf.c > Path MTU discovery and traceroute did not always work with pf af-to. > If an incoming packet is directly put into the output path, sending > the icmp error packet is never done. As this is basically forwarding, > calling ip_forward() for such packets does everything that is needed. > OK mikeb@ (bluhm@) ~ if_vether.c ~ if_vxlan.c ~ if_pair.c > For virtual Ethernet drivers that don't have a technical limit of the > hardmtu, pick a value of 65435 that leaves space for some > encapsulation and almost a complete max-IP packet. After some > discussion we picked this arbitrary value. 
> OK dlg@ (reyk@) ~ switchofp.c > Remove debugging code that was always enabled and printed parsed > OpenFlow packets: the new DLT_OPENFLOW bpf methods allows to monitor > the communication with a switch(4) device with tcpdump now. The > remaining debugging messages aren't compiled without DEBUG now. On > amd64, this shrinks the switchofp.o object by about 10k by default and > about 8k with DEBUG enabled. > OK rzalamena@ (reyk@) ~ pfkey.c ~ route.c ~ rtsock.c > m_free() and m_freem() test for NULL. Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) ~ switchofp.c > Fix another free() with wrong size panic when handling group-mod buckets > size changes and add more sanity checks for group buckets payload. > (rzalamena@) ~ switchofp.c > Fix flow-removed OFP header xid value: use htonl() instead of htons() for > 32bit integers. (rzalamena@) ~ if_vxlan.c > Removes 'struct route_in6 *' argument from in6_selectsrc(). > Move the corresponding code in in6_pcbselsrc(). This reduces > differences with IPv4 and will help us to get rid of 'struct route*'. > ok vgross@ (mpi@) ~ route.c > Assert that rt_match() is always called at IPL_SOFTNET rather than > calling splsoftnet() recursively. (mpi@) ~ switchofp.c > Use the right variable for storing the maximum group table size and use > it to limit the amount of installable groups. (rzalamena@) ~ ofp.h > Fix some spelling errors in the OpenFlow header and update the tcpdump(8) > ofp_map.c file. > ok reyk@ (rzalamena@) ~ switchofp.c > Limit the amount of flows that can be installed on flow tables. > (rzalamena@) ~ if.c > Clean up leftovers from r1.442. > Local var 'up' is never set in ifioctl(). > OK mpi@ (vgross@) ~ route.c > Since net/route.c r1.337 interface priority factors into route priority > when RTF_CONNECTED routes are added to the routing table. > Specify a route priority calculated in the same way when deleting such > routes. > Makes route add and delete code paths consistent again. 
> ok mpi@ (stsp@) net80211 + ieee80211_mira.c + ieee80211_mira.h > Add a new implementation of MiRA, a rate scaling algorithm for 802.11n. > This algorithm was designed for use with MIMO and Tx aggregation. > This is joint work with tb@, who helped with all the tricky math bits. > Additional help with testing by phessler@, mpi@, and jmatthew@. > I believe this is now ready for wider testing, and for future work to > happen in-tree. > A paper which explains the algorithm can be found at: > http://www.cs.ucla.edu/wing/publication/papers/Pefkianakis.MOBICOM10.pdf > Roughly, this algorithm attempts to keep track of the current "goodput" > (the effective data rate) for each MCS. It converges towards a rate which > gets the most bits per second transmitted with least loss. > Occasionally, frames will be steered to different rates to probe for > changes. > (The algorithm does not send frames on its own. It only advances whenever > the driver has sent a frame.) > Time-based probing to adjacent MCS rates occurs periodically. > This is similar to what AMRR does, except that eventually mira will > try out multi-antenna modes as well. > Event-based probing happens when a sudden change in goodput is detected. > I've chosen to make downwards probing fast, and upwards probing slow. > (The paper does not specify such a preference.) > This means it should react quickly to worsening conditions and pull the > rate down (perhaps to the lowest possible rate). It should then raise > upwards slowly on a rate-per-rate basis as conditions improve again. > In my testing this works as intended as I keep moving a laptop outside > and inside the AP's range. > Not linked to the build yet. > ok mpi@ kettenis@ (stsp@) netinet ~ ip_output.c > Kill a micro optimization that no longer make sense since the two routing > blocks have been merged in r1.292. > ok claudio@ (mpi@) ~ udp_usrreq.c > Allow to build kernels without IPSEC but with PIPEX. 
(mpi@) ~ igmp.c ~ ip_input.c ~ tcp_timer.c > Assert that every slow/fast timeout routine is called at IPL_SOFTNET. > This removes multiple recursive splsoftnet()/splx() dances. (mpi@) ~ ip_icmp.c > Explicitly initialize rti_ifa when automagically adding a route. > This will allow to strengthen checks when userland adds a route. > ok phessler@, bluhm@ (mpi@) ~ ip_input.c ~ ip_var.h > Path MTU discovery and traceroute did not always work with pf af-to. > If an incoming packet is directly put into the output path, sending > the icmp error packet is never done. As this is basically forwarding, > calling ip_forward() for such packets does everything that is needed. > OK mikeb@ (bluhm@) ~ if_ether.h > For virtual Ethernet drivers that don't have a technical limit of the > hardmtu, pick a value of 65435 that leaves space for some > encapsulation and almost a complete max-IP packet. After some > discussion we picked this arbitrary value. > OK dlg@ (reyk@) ~ ip_mroute.c > m_free() and m_freem() test for NULL. Simplify callers which had their own > NULL tests. > ok mpi@ (jsg@) ~ ip_mroute.c ~ ip_mroute.h > Kill unused 'struct route'. (mpi@) netinet6 ~ ip6_input.c > Merge two "#ifdef MROUTING" blocks. > It's one more step towards splitting ip6_input() in two and it reduces > differences with v4. > ok bluhm@ (mpi@) ~ frag6.c > Assert that every slow/fast timeout routine is called at IPL_SOFTNET. > This removes multiple recursive splsoftnet()/splx() dances. (mpi@) ~ nd6.c ~ nd6.h ~ nd6_nbr.c ~ nd6_rtr.c > Remove multiple recursive splsoftnet(). > ok bluhm@ (mpi@) ~ icmp6.c ~ in6.c ~ nd6.c ~ nd6_rtr.c > Explicitly initialize rti_ifa when automagically adding a route. > This will allow to strengthen checks when userland adds a route. > ok phessler@, bluhm@ (mpi@) ~ in6_src.c ~ ip6_var.h > Removes 'struct route_in6 *' argument from in6_selectsrc(). > Move the corresponding code in in6_pcbselsrc(). This reduces > differences with IPv4 and will help us to get rid of 'struct route*'. 
> ok vgross@ (mpi@) sys ~ sockio.h > Rename "flowmax" to "maxflow" and give each switch(4) ioctl a > dedicated number. Both changes for consistency. > OK rzalamena@ (reyk@) ~ exec_elf.h > Add the ELF machine type for AArch64 as specified in the ELF spec for > the ARM 64-bit Architecture. > ok phessler@ (patrick@) ~ mbuf.h > Update comments in struct mbuf_ext to reflect the replacement of ext_free > by > ext_free_fn. > ok tedu@ (lteo@) ufs/ffs ~ fs.h > Fix signedness warnings with careful casts and replace a re-defined > variable. > (Missed this chunk as part of previous commit to libsa/ufs.c) > OK krw@ (reyk@) == usr.bin =========================================================== 10/11 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin cal ~ cal.1 > uppercase for "the Reformation"; (jmc@) ftp ~ main.c > Check return value of tls_config_set_protocols(3) and bail out in case of > failure > Feedback and OK jsing@ (mestre@) nc ~ netcat.c > Check return value of tls_config_set_protocols(3) and > tls_config_set_ciphers(3) > and bail out in case of failure > Feedback and OK jsing@ (mestre@) ssh ~ sshd.c ~ sshpty.c ~ sshpty.h > Factor out code to disconnect from controlling terminal into its own > function. ok djm@ (dtucker@) ~ misc.c ~ misc.h ~ sshd.c > On startup, check to see if sshd is already daemonized and if so, > skip the call to daemon() and do not rewrite the PidFile. This > means that when sshd re-execs itself on SIGHUP the process ID will > no longer change. Should address bz#2641. ok djm@ markus@. (dtucker@) ~ auth-options.c ~ auth-options.h ~ auth2-pubkey.c ~ sshd.8 > When a forced-command appears in both a certificate and an > authorized keys/principals command= restriction, refuse to accept > the certificate unless they are identical. > The previous (documented) behaviour of having the certificate forced- > command override the other could be a bit confused and more error-prone. 
> Pointed out by Jann Horn of Project Zero; ok dtucker@ (djm@) ~ servconf.c ~ servconf.h ~ serverloop.c ~ session.c ~ sshd_config.5 > Add a sshd_config DisableForwarding option that disables X11, agent, > TCP, tunnel and Unix domain socket forwarding, as well as anything > else we might implement in the future. > This, like the 'restrict' authorized_keys flag, is intended to be a > simple and future-proof way of restricting an account. Suggested as > a complement to 'restrict' by Jann Horn; ok markus@ (djm@) ~ ssh-agent.1 ~ ssh-agent.c > add a whitelist of paths from which ssh-agent will load (via > ssh-pkcs11-helper) a PKCS#11 module; ok markus@ (djm@) ~ ssh-agent.1 > tweak previous; > while here fix up FILES and AUTHORS; (jmc@) ~ sshd.c > Unlink PidFile on SIGHUP and always recreate it when the new sshd starts. > Regression tests (and possibly other things) depend on the pidfile being > recreated after SIGHUP, and unlinking it means it won't contain a stale > pid if sshd fails to restart. ok djm@ markus@ (dtucker@) ~ sshconnect2.c > Fix public key authentication when multiple authentication is in use. > Instead of deleting and re-preparing the entire keys list, just reset > the 'used' flags; the keys list is already in a good order (with already- > tried keys at the back) > Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ (djm@) tmux ~ tty.c > When comparing ocy to orlower in tty_cmd_cell, there is no need to add > yoff (because they are both already relative to the pane). Also fix some > other minor nits. (nicm@) ~ cmd-send-keys.c ~ tmux.1 > Make send -N work for all keys, not just in copy mode. From Artem Fokin. > (nicm@) ~ tty.c > Fix check for cursor at end of line. 
(nicm@) units ~ units.lib > update currency exchange rates; (jmc@) == usr.sbin ========================================================== 11/11 == http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin arp ~ arp.c > Tweak output to keep it aligned when interfaces with big names, like > vether0 are used. > ok jca@, deraadt@ (mpi@) ldapd ~ parse.y > Check return value of tls_config_set_protocols(3) and bail out in case of > failure > Feedback and OK jsing@ (mestre@) ~ btree.c > Fix leaks by freeing 'path' and 'lru_queue' in btree_close(). > From Jon Mayo, via Tim Kuijsten > ok mikeb@ (jmatthew@) ndp ~ ndp.c > Tweak output to keep it aligned when interfaces with big names, like > vether0 are used. > ok jca@, deraadt@ (mpi@) ntpd ~ ntpd.c > Remove unused variable which was leaking memory, and while here remove 2 > other > variables that were also never used > OK otto@ (mestre@) smtpd ~ bounce.c ~ filter.c ~ ioev.c ~ ioev.h ~ mda.c ~ mta_session.c ~ smtp_session.c ~ smtpd.h > make struct io opaque: > - move struct io definition to ioev.c > - replace io_init/io_clear with io_new/io_free > - allocate an iobuf for each new io internally > - use struct io pointer in the rest of the code > - remove remaining uses of iobuf_* > ok gilles@ sunil@ (eric@) ~ ioev.c ~ ioev.h ~ mda.c ~ mta_session.c ~ smtp_session.c > hide internal io flags and rename IO_PAUSE_{IN,OUT} to IO_{IN,OUT} > ok gilles@ sunil@ (eric@) ~ smtpd.h ~ util.c > remove unused iobuf helpers (eric@) ~ ioev.c > embed the struct iobuf instead of using a pointer. > ok gilles@ sunil@ (eric@) spamdb ~ spamdb.c > When action == 0 (spamdb(8) without arguments) it only reads the DB so it > only > needs to pledge for "rpath" and for all other cases since it needs to write > as > well then give it "rpath wpath". 
> "seems right" deraadt@ (mestre@) switchctl ~ ofpclient.c > Implement the connection state machine for OpenFlow 1.0 and 1.3 to detect > invalid state transitions and invalid protocol version switching after the > hello messages exchange. > ok reyk@ (rzalamena@) switchd ~ switchd.8 > article fix; from rob pierce (jmc@) ~ ofp.c ~ ofp10.c ~ ofp13.c ~ ofp_common.c ~ ofrelay.c ~ switchd.h > Implement the connection state machine for OpenFlow 1.0 and 1.3 to detect > invalid state transitions and invalid protocol version switching after the > hello messages exchange. > ok reyk@ (rzalamena@) syslogd ~ syslogd.c > Wrap lines earlier on tls_config_set_protocols(3) > Feedback and OK jsing@ (mestre@) syspatch ~ syspatch.sh > Explicitly set umask. (ajacoutot@) ~ syspatch.sh > Remove the backup kernel in rollback_patch() instead of the cleanup > function. > Consistent use of install(1). (ajacoutot@) ~ syspatch.8 > Document the fact that *for now* syspatch only works on official releases > and > will always sync and apply all patches regardless of the installed sets. > (ajacoutot@) ~ syspatch.8 ~ syspatch.sh > Change the hierarchy under /var/syspatch/ so that the output of installed > or > missing patches matches the official names. > e.g. > $ doas syspatch -c > 015_libssl > Add a bit more output on what we are doing. > Tighten a few checks and rename some vars. > People playing with syspatch on 6.0 should update syspatch.sh asap from > current > as I will soon remove the temporary quirks glue. (ajacoutot@) ~ syspatch.sh > During early testing, hardcode the syspatch repo to 'syspatch.openbsd.org' > which points to ftp.fr. This will change once 6.1 is out. 
> discussed with deraadt@ (ajacoutot@) ~ syspatch.sh > Simplify: > - consistency in integer checks > - drop apply_patches(), better call the actual apply_patch() function from > within the script itself (ajacoutot@) ~ syspatch.sh > Fix kernel matching installation: > bsd -> /bsd (sp) | /bsd.sp (mp) > bsd.mp -> /bsd (mp) | /bsd.mp (sp) > issue reported by Ossi Salmi, thanks! (ajacoutot@) ~ syspatch.sh > Few consistency fixes (no intended change in behaviour). > Fix logic in the error path of rollback_patch(). (ajacoutot@) ~ syspatch.sh > Simplify. (ajacoutot@) tcpdump ~ print-lldp.c ~ print-ofp.c > ether_ntoa -> etheraddr_string, like elsewhere in tcpdump > openflow part tested by rzalamena@, ok deraadt@ (jca@) ~ ofp_map.c > Fix some spelling errors in the OpenFlow header and update the tcpdump(8) > ofp_map.c file. > ok reyk@ (rzalamena@) user ~ group.8 ~ groupadd.8 ~ groupdel.8 ~ groupinfo.8 ~ groupmod.8 ~ main.c ~ user.8 ~ user.c ~ useradd.8 ~ userdel.8 ~ userinfo.8 ~ usermgmt.h ~ usermod.8 > Alistair Crooks rescinded the advertising clause of his user(8) > license in 2005 in NetBSD. > https://mail-index.netbsd.org/source-changes/2005/11/25/0002.html (jsg@) ~ user.c > Correct a bit test introduced in user.c rev 1.111 that made it impossible > to set a password hash with usermod if an additional flag was specified. > ok mestre@ tom@ jung@ (jsg@) ~ user.c > remove all the (void) casts which are irrelevant. The remaining ones > should be fixed to do error checks. > ok jsg (deraadt@) ~ user.c > According to usermod(8) manpage if -g =uid is used it should create a new > group > with a unique UID, if it's not already created (not in the manpage), but > this > wasn't implemented. > This implements that functionality similar to what NetBSD has, but with > some > corrections by adding a fd closure in case of failure and on the failure > message itself which they got it wrong. 
> OK tb@ (mestre@) ~ usermgmt.conf.5 ~ usermod.8 > note that no group is created if a group already exists when using =uid; > while here, clean the text up a bit; > from mestre and myself (jmc@) ~ user.c > Mitigate some fd leaks on user(8) > OK millert@ (mestre@) ~ user.c > Since pwp->pw_gid is equal to pwp->pw_uid then use the former instead in > creategid() function and in the failure message since it makes more sense > in > this chunk of code. > OK millert@ (mestre@) vmd ~ vmm.c > Always remove the local vm after calling terminate_vm(). (reyk@) ypldap ~ ldapclient.c ~ yp.c ~ ypldap.c ~ ypldap_dns.c > Use memset(3) instead of bzero(3) > OK deraadt@ (mestre@) ===============================================================================
