errata patch to disable sslv3

2014-10-21 Thread Ted Unangst
This patch disables the SSLv3 protocol for the forthcoming 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhqNRnZqpfGyXZORy+gN++chhlgejO0bmLmp81bJL1+Dhl3iP0bL1NnRopcGECX4QoUbsCCcnMOxkXAYeMYkmMgw=

OpenBSD 5.6 errata 5, Oct 20, 2014

This patch disables the SSLv3 protocol by default.

Applications depending on SSLv3 may need to be recompiled with
SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3);
but we recommend against the continued use of this obsolete protocol.

Apply patch using:

signify -Vep /etc/signify/openbsd-56-base.pub -x 005_nosslv3.patch.sig \
-m - | (cd /usr/src && patch -p0)

Then build and install libssl

cd /usr/src/lib/libssl/ssl
make obj
make
make install


Index: lib/libssl/src/ssl/ssl_lib.c
===
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
retrieving revision 1.78
diff -u -p -r1.78 ssl_lib.c
--- lib/libssl/src/ssl/ssl_lib.c12 Jul 2014 22:33:39 -  1.78
+++ lib/libssl/src/ssl/ssl_lib.c19 Oct 2014 23:09:46 -
@@ -1823,6 +1823,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
 */
ret-options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+   /* Disable SSLv3 by default. */
+   ret-options |= SSL_OP_NO_SSLv3;
+
return (ret);
 err:
SSLerr(SSL_F_SSL_CTX_NEW,
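Review bot: setting SSL_OP_NO_SSLv3 on ret->options inside SSL_CTX_new means every context carries the flag before the caller ever sees it, so an application that still needs SSLv3 has to clear it explicitly after SSL_CTX_new with SSL_CTX_clear_options(3); the errata text above spells that SSL_CTX_clear_option, without the trailing s, and should be corrected so people do not grep for a function that does not exist. The hunk itself is the right shape: it sits next to the existing SSL_OP_LEGACY_SERVER_CONNECT default and changes only the default, not the protocol code, which keeps the errata minimal for a release branch.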



remove networks(5) support from netstat(1)

2014-10-21 Thread Ingo Schwarze
Hi,

i'm slowly working towards removing support for the networks(5)
database because networks(5) is broken by design.  Nowadays, the
only meaningful way to translate names to numbers and vice versa
is via DNS.  However, the networks(5) database isn't integrated
with DNS in any way, even less so than the hosts(5) database, which
at least maintains some relationship to the resolver(3) and
getaddrinfo(3) families of functions.  Besides, even historically,
the networks(5) database was only used by a handful of programs and
never worked in the same comprehensive sense as DNS for host names.

While here, the gethostent(3) library interface should go away,
too, because enumerating hosts just isn't meaningful.  There is no
reasonable way to implement this function, it has been broken since
the switch to libc/asr, and i remember only one complaint which
didn't sound very urgent.  sethostent(3) and endhostent(3) can be
kept as stubs for now to prevent disruption to ports land.

As a first step, i propose to remove support from the relatively
few programs in the base system still using this.  In the second
step, about a dozen ports would need looking into; i already have
a list.  Some are likely to magically fix themselves when their
configure script doesn't find the functions.  In the third step,
the interfaces would be removed as part of a libc major bump.

To show a specific example, here is the first part of the first
step: Remove networks(5) support from netstat(1).

OK?
  Ingo

P.S.
I'm running a system with all this (except sethostent(3) and
endhostent(3)) removed right now, so some more patches are being
tested and can be sent out soon.  The following programs require
minor tweaks: getent(1) systat(1) amd(8) ifconfig(8) mountd(8)
pppd(8) route(8) tcpdump(8) ypbind(8) ypinit(8) ypserv(8) ypxfr(8).


Index: inet.c
===
RCS file: /cvs/src/usr.bin/netstat/inet.c,v
retrieving revision 1.134
diff -u -p -r1.134 inet.c
--- inet.c  14 Aug 2014 12:55:50 -  1.134
+++ inet.c  21 Oct 2014 17:05:30 -
@@ -801,7 +801,6 @@ inetname(struct in_addr *inp)
char *cp;
static char line[50];
struct hostent *hp;
-   struct netent *np;
static char domain[MAXHOSTNAMELEN];
static int first = 1;
 
@@ -818,12 +817,6 @@ inetname(struct in_addr *inp)
int net = inet_netof(*inp);
int lna = inet_lnaof(*inp);
 
-   if (lna == INADDR_ANY) {
-   np = getnetbyaddr(net, AF_INET);
-   if (np)
-   cp = np-n_name;
-   }
-   if (cp == NULL) {
hp = gethostbyaddr((char *)inp, sizeof (*inp), AF_INET);
if (hp) {
if ((cp = strchr(hp-h_name, '.')) 
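Review bot: with the getnetbyaddr() block removed, the locals net and lna at the top of the hunk are now only ever assigned (their sole uses were the removed `if (lna == INADDR_ANY)` / `getnetbyaddr(net, AF_INET)` lines), so the two inet_netof()/inet_lnaof() lines should go as well or the compiler will warn about unused variables. Dropping the `if (cp == NULL)` guard is only safe if cp is still reset to NULL before this block; that reset is outside the hunk's context, so please confirm it rather than rely on the old guard having been redundant.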
@@ -831,7 +824,6 @@ inetname(struct in_addr *inp)
*cp = '\0';
cp = hp-h_name;
}
-   }
}
if (inp-s_addr == INADDR_ANY)
snprintf(line, sizeof line, *);
Index: main.c
===
RCS file: /cvs/src/usr.bin/netstat/main.c,v
retrieving revision 1.101
diff -u -p -r1.101 main.c
--- main.c  23 Jun 2014 03:46:17 -  1.101
+++ main.c  21 Oct 2014 17:05:31 -
@@ -372,13 +372,6 @@ main(int argc, char *argv[])
printproto(tp, tp-pr_name, af, tableid, pcbaddr);
exit(0);
}
-   /*
-* Keep file descriptors open to avoid overhead
-* of open/close on each call to get* routines.
-*/
-   sethostent(1);
-   setnetent(1);
-
if (iflag) {
intpr(interval, repeatcount);
exit(0);
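Review bot: removing sethostent(1)/setnetent(1) here matches the plan of keeping sethostent(3) only as a stub, but check that any matching endhostent()/endnetent() calls elsewhere in main.c (not shown in this hunk) are removed in the same diff, so the file does not end up with an end* call whose set* counterpart is gone.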
Index: netstat.1
===
RCS file: /cvs/src/usr.bin/netstat/netstat.1,v
retrieving revision 1.71
diff -u -p -r1.71 netstat.1
--- netstat.1   10 May 2014 23:31:40 -  1.71
+++ netstat.1   21 Oct 2014 17:05:31 -
@@ -312,12 +312,10 @@ Address formats are of the form
 or
 .Dq network.port
 if a socket's address specifies a network but no specific host address.
-When known, the host and network addresses are displayed symbolically
-according to the databases
-.Pa /etc/hosts
-and
-.Pa /etc/networks ,
-respectively.
+When known, the host addresses are displayed symbolically
+according to the
+.Xr hosts 5
+database.
 If a symbolic name for an address is unknown, or if the
 .Fl n
 option is specified, the address is printed numerically, according
@@ -427,7 +425,6 @@ Subsequent lines of output show values a
 .Xr netintro 4 ,
 .Xr route 4 ,
 .Xr hosts 5 ,
-.Xr networks 5 ,
 .Xr protocols 5 ,
 .Xr services 5 ,
 .Xr iostat 8 ,
Index: show.c
===
RCS file: 

Re: pppoe(4), add example for ipv6

2014-10-21 Thread Chris Cappuccio
Stuart Henderson [st...@openbsd.org] wrote:
> Any comments on the diff in this?
>
> > +#ifdef INET6
> > +   sc-sc_sppp.pp_if.if_xflags = ~IFXF_NOINET6;
> > +#endif

Aside from what Stefan said, isn't this flag going to be removed
in favor of a flag that explicitly enables INET6 for interfaces?



Reading 56.html

2014-10-21 Thread Rod Whitworth
Minor nit:
I have noticed some removals of SSLv3 mentioned on line but the LibreSSL stanza
of 56.html only has SSLv2 noted as "No support".

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.




Re: Reading 56.html

2014-10-21 Thread Philip Guenther
On Tue, Oct 21, 2014 at 9:52 PM, Rod Whitworth glis...@witworx.com wrote:
> Minor nit:
> I have noticed some removals of SSLv3 mentioned on line but the LibreSSL
> stanza of 56.html only has SSLv2 noted as "No support".

SSLv3 was only disabled by default in LibreSSL within the last week or
so.  OpenBSD 5.6 was cut as a release a ways before that.


Philip Guenther



\c for printf(1)

2014-10-21 Thread Frank Brodbeck
Hi,

today I stumbled upon a script (testssl.sh) which utilizes the \c escape
sequence for printf(1). As we are missing that escape sequence and, if
I am not mistaken, it is defined by POSIX (IEEE Std 1003.1), I thought I'd
give it a shot.

Please bear with me as I am not an experienced coder or POSIX reader, but
I welcome feedback.

Firstly, here's a comparison of printf(1) in base and the patched printf:

$ /usr/bin/printf "%s\n\cbar\n" foo
foo
printf: unknown escape sequence `\c'
cbar
$

$ /usr/obj/usr.bin/printf/printf "%s\n\cbar\n" foo
foo
$

Secondly, here is the diff against a freshly checked out -current. I also
changed the position of \e in the man page so that it fits into the otherwise
alphabetical order of the escape sequences.

Index: usr.bin/printf/printf.c
===
RCS file: /cvs/src/usr.bin/printf/printf.c,v
retrieving revision 1.22
diff -u -r1.22 printf.c
--- usr.bin/printf/printf.c 25 May 2014 07:36:36 -  1.22
+++ usr.bin/printf/printf.c 21 Oct 2014 21:27:47 -
@@ -214,7 +214,13 @@
break;
 
case '\\':
-   fmt += print_escape(fmt);
+   nextch = *(fmt + 1);
+   switch (nextch) {
+   case 'c':
+   return (0);
+   default:
+   fmt += print_escape(fmt);
+   }
break;
 
default:
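Review bot: nextch is used at the top of the hunk but no declaration for it is added anywhere in this diff, so either it already exists in this function or the patch is incomplete as posted. Since only one value is special-cased, the switch can be a plain test that avoids the new variable altogether, e.g. `if (fmt[1] == 'c') return (0);` immediately before the existing `fmt += print_escape(fmt);`. Also check what the function's normal exit returns: if it hands back an accumulated warning/error status rather than a constant 0, `return (0)` here silently discards any earlier non-zero status.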
Index: usr.bin/printf/printf.1
===
RCS file: /cvs/src/usr.bin/printf/printf.1,v
retrieving revision 1.27
diff -u -r1.27 printf.1
--- usr.bin/printf/printf.1 25 May 2014 07:36:36 -  1.27
+++ usr.bin/printf/printf.1 21 Oct 2014 21:27:47 -
@@ -80,12 +80,14 @@
 The characters and their meanings are as follows:
 .Pp
 .Bl -tag -width Ds -offset indent -compact
-.It Cm \ee
-Write an escape character.
 .It Cm \ea
 Write a bell character.
 .It Cm \eb
 Write a backspace character.
+.It Cm \ec
+Ignore remaining characters in this string.
+.It Cm \ee
+Write an escape character.
 .It Cm \ef
 Write a form-feed character.
 .It Cm \en

Frank.
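Added example, not from the patch or from OpenBSD's printf.c: a small C expander for the backslash escapes of a printf(1) format string, with the \c behaviour the diff above proposes, so the before/after in the transcript can be reproduced on a plain string. It covers the usual escapes, \ddd octal and \e, stops at \c, and emits the bare character for an unknown escape, which is what the base printf output above shows (minus the warning).

```c
#include <string.h>
/* Expand printf(1)-style backslash escapes in fmt into out (size outsz).
 * Returns the number of bytes written, or -1 if outsz is 0.  \c stops and
 * discards the rest of fmt; an unknown escape yields the character itself. */
static int
expand_escapes(const char *fmt, char *out, size_t outsz)
{
	size_t n = 0;
	const char *p;
	if (outsz == 0)
		return (-1);
	for (p = fmt; *p != '\0' && n < outsz - 1; p++) {
		int c = *p;
		if (c != '\\') {
			out[n++] = c;
			continue;
		}
		switch (*++p) {
		case 'c':		/* \c: ignore everything that follows */
			goto done;
		case 'a': c = '\a'; break;
		case 'b': c = '\b'; break;
		case 'e': c = 033; break;	/* ESC, as in the printf.1 hunk */
		case 'f': c = '\f'; break;
		case 'n': c = '\n'; break;
		case 'r': c = '\r'; break;
		case 't': c = '\t'; break;
		case 'v': c = '\v'; break;
		case '0': case '1': case '2': case '3':
		case '4': case '5': case '6': case '7': {
			int i, v = 0;	/* \ddd: one to three octal digits */
			for (i = 0; i < 3 && *p >= '0' && *p <= '7'; i++, p++)
				v = v * 8 + (*p - '0');
			p--;		/* back onto the last digit consumed */
			c = v & 0xff; break;
		}
		case '\0':		/* lone trailing backslash: keep it */
			out[n++] = '\\';
			goto done;
		default:		/* unknown escape (incl. \\): emit the char */
			c = *p;
			break;
		}
		out[n++] = c;
	}
done:
	out[n] = '\0';
	return ((int)n);
}
```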