OpenBSD/src OnXNJbB usr.bin/ssh ssh-keygen.c ssh-keygen.1

   allow auto-incrementing certificate serial number for certs signed
   in a single commandline.
Version  Delta     File
1.326    +12 -5    usr.bin/ssh/ssh-keygen.c
1.156    +7 -1     usr.bin/ssh/ssh-keygen.1
Total    +19 -6    2 files

OpenBSD/src BuLpMdy regress/lib/libssl/handshake handshake_table.c Makefile

   Add a regression test that builds up the handshake state table
   from graph information and cross-checks it against the state
   table in tls13_handshake.c.

   with help from jsing

OpenBSD/src crEE4hi lib/libssl tls13_handshake.c

   Remove static from handshakes[][] so it is visible from regress/

   ok bcook
Version  Delta     File
1.20     +2 -2     lib/libssl/tls13_handshake.c
Total    +2 -2     1 file

OpenBSD/src 3QvqYwk usr.bin/ssh ssh-keygen.c

   move a bunch of global flag variables to main(); make the rest static
Version  Delta     File
1.325    +82 -94   usr.bin/ssh/ssh-keygen.c
Total    +82 -94   1 file

OpenBSD/src AAMRnJg usr.sbin/ldpd parse.y

   factor out parsing of ldp router ids by making it part of the grammar

   this way we do the inet_aton and bad address check in one place,
   and just reuse it in the router-id, neighbor, and pseudowire bits.

   ok claudio@
Version  Delta     File
1.69     +26 -42   usr.sbin/ldpd/parse.y
Total    +26 -42   1 file

OpenBSD/src zfqlakH usr.sbin/ldpd parse.y pfkey.c

   rework how tcp md5 signatures are configured.

   previously ldpd only allowed tcp md5 to be configured against a
   neighbor (by ldp router id), but other vendors supported configuring
   tcp md5sig by prefix as well as neighbor. this reworks the config
   so auth is maintained globally as a list of prefixes that you do
   and do not want to do tcp md5sig auth with.

   the config statements look more like what is in bgpd.conf now too.

   an example of the new config for interoperating with my baby cisco
   test network:

   on ios:

        mpls ldp password required for MPLS
        mpls ldp password option 1 for MPLS key-chain LDPAUTH

        key chain LDPAUTH
         key 1
          key-string secret

        interface Loopback0
         ip address 192.168.0.0 255.255.255.255
        end

    [16 lines not shown]

OpenBSD/src 4jH7o4p usr.bin/ssh ssh-pkcs11-helper.c

   switch mainloop from select(2) to poll(2); ok deraadt@
Version  Delta     File
1.17     +19 -22   usr.bin/ssh/ssh-pkcs11-helper.c
Total    +19 -22   1 file

OpenBSD/src MzT4Blr lib/libcrypto Makefile, lib/libssl Makefile

   No need to include <bsd.prog.mk> here.

   ok bcook
Version  Delta     File
1.54     +1 -2     lib/libssl/Makefile
1.32     +1 -2     lib/libcrypto/Makefile
Total    +2 -4     2 files

OpenBSD/src vYMc8oP sys/kern vfs_syscalls.c

   futimens(2), futimes(2), utimensat(2), utimes(2): Validate input at copyin

   Currently we validate time input for all four of these syscalls in the
   workhorse function dovutimens().  This is bad because both futimes(2)
   and utimes(2) have input as timevals that need to be converted to
   timespecs.  This multiplication can overflow to create a "valid"
   input, e.g. if tv_usec is equal to 2^61 (invalid value) on a platform
   with 64-bit longs, the resulting tv_nsec is equal to zero (valid value).

   This is also a bit wasteful.  We acquire a vnode and do other work
   under KERNEL_LOCK only to release the vnode when the time input is
   invalid.

   So, duplicate a bit of code to validate the time inputs before we do
   any conversions or real VFS work.

   probably still ok tedu@ deraadt@
Version  Delta     File
1.313    +25 -15   sys/kern/vfs_syscalls.c
Total    +25 -15   1 file

OpenBSD/src Yb2nHvT usr.bin/ssh kexgen.c kexgexc.c

   pass most arguments to the KEX hash functions as sshbuf rather
   than pointer+length; ok markus@

OpenBSD/src EcUTQBc sys/sys exec_elf.h

   add some definitions used by elftoolchain's libelf
   ok guenther@
Version  Delta     File
1.83     +15 -1    sys/sys/exec_elf.h
Total    +15 -1    1 file

OpenBSD/src J3C4jJJ usr.bin/ssh ssh-agent.c

   backoff reading messages from active connections when the input buffer
   is too full to read one, or if the output buffer is too full to enqueue
   a response; feedback & ok dtucker@
Version  Delta     File
1.233    +18 -4    usr.bin/ssh/ssh-agent.c
Total    +18 -4    1 file

OpenBSD/src dkxCgMw sys/nfs krpc_subr.c

   The kernel interpreted bogus lengths in RPC calls during NFS boot.
   A malicious rpc.bootparamd could corrupt memory, but the kernel has
   to trust the local network anyway in a diskless environment.  Now
   in case of an RPC error, the kernel will stop booting with a specific
   panic.
   OK claudio@ beck@
Version  Delta     File
1.36     +31 -8    sys/nfs/krpc_subr.c
Total    +31 -8    1 file

OpenBSD/src 3nzKIe7 bin/mt mt.c

   Add file # and block # to the information "mt status" shows.

   diff from Oscar Endre Edvardsen via misc@ a long time ago.

   ok sthen@ dlg@
Version  Delta     File
1.40     +3 -1     bin/mt/mt.c
Total    +3 -1     1 file

OpenBSD/src 0pLhpWK usr.bin/ssh ssh-keygen.c

   add -m to usage(); reminded by jmc@
Version  Delta     File
1.324    +4 -3     usr.bin/ssh/ssh-keygen.c
Total    +4 -3     1 file

OpenBSD/src BOBSSSg sys/kern vfs_syscalls.c

   namei can return a null dvp on success. check this before access.
   ok beck

   Reported-by: syzbot+cc59412ed8429450a1ae at syzkaller.appspotmail.com
Version  Delta     File
1.312    +4 -3     sys/kern/vfs_syscalls.c
Total    +4 -3     1 file

OpenBSD/src uLQvbRr sys/dev/usb if_urndis.c

   Do not leak received mbufs if the NDIS appended a zero-byte padding.

   from aalm@
Version  Delta     File
1.69     +10 -8    sys/dev/usb/if_urndis.c
Total    +10 -8    1 file

OpenBSD/src Dnhniad sbin/dump optr.c

   Don't use dangerous idiom for qsort comparison function; ok deraadt@
Version  Delta     File
1.40     +3 -2     sbin/dump/optr.c
Total    +3 -2     1 file

OpenBSD/src V3CVLzG sys/dev/usb usb_subr.c

   Remove unused variable.
Version  Delta     File
1.147    +2 -3     sys/dev/usb/usb_subr.c
Total    +2 -3     1 file

OpenBSD/src ZWwCUT3 usr.bin/ssh ssh-pkcs11.c

   Correct some bugs in PKCS#11 token PIN handling at initial login,
   the attempt at reading the PIN could be skipped in some cases
   especially on devices with integrated PIN readers.

   based on patch from Daniel Kucera in bz#2652; ok markus@
Version  Delta     File
1.41     +22 -12   usr.bin/ssh/ssh-pkcs11.c
Total    +22 -12   1 file

OpenBSD/src SmcMBWN usr.bin/ssh ssh-pkcs11.c

   Support keys that set the CKA_ALWAYS_AUTHENTICATE by requiring a
   fresh login after the C_SignInit operation.

   based on patch from Jakub Jelen in bz#2638; ok markus
Version  Delta     File
1.40     +95 -26   usr.bin/ssh/ssh-pkcs11.c
Total    +95 -26   1 file

OpenBSD/src 5BQl1ji usr.bin/ssh ssh.1 ssh_config.5

   Mention that configuration for the destination host is not applied
   to any ProxyJump/-J hosts. This has confused a few people...
Version  Delta     File
1.400    +7 -2     usr.bin/ssh/ssh.1
1.289    +7 -1     usr.bin/ssh/ssh_config.5
Total    +14 -3    2 files

OpenBSD/src 6gKa0e2 usr.bin/ssh ssh-keygen.1

   Include -m in the synopsis for a few more commands that support it

   Be more explicit in the description of -m about where it may be used

   Prompted by Jakub Jelen in bz2904
Version  Delta     File
1.155    +10 -4    usr.bin/ssh/ssh-keygen.1
Total    +10 -4    1 file

OpenBSD/src pi2DiTT usr.bin/ssh auth2-pubkey.c

   print the full pubkey being attempted at loglevel >= debug2; bz2939
Version  Delta     File
1.87     +17 -1    usr.bin/ssh/auth2-pubkey.c
Total    +17 -1    1 file

OpenBSD/src 3nDdVaK usr.bin/ssh ssh-keygen.1

   clarify: ssh-keygen -e only writes public keys, never private
Version  Delta     File
1.154    +3 -3     usr.bin/ssh/ssh-keygen.1
Total    +3 -3     1 file

OpenBSD/src 7hIIwPX lib/libc/time strptime.c

   strptime(3): Disallow double leap second.

   POSIX allows for one extra second in a minute, i.e. "23:59:60", so that leap
   seconds can be parsed.  They don't allow for *two* extra seconds, i.e.
   "23:59:61", though.

   Typo introduced in NetBSD lib/libc/time/strptime.c,v1.3.

   ok krw@ bcook@ tedu@
Version  Delta     File
1.24     +2 -2     lib/libc/time/strptime.c
Total    +2 -2     1 file

OpenBSD/src zPvSNOg usr.bin/ssh ssh-keygen.1

   mention the new vs. old key formats in the introduction and give some
   hints on how keys may be converted or written in the old format.
Version  Delta     File
1.153    +17 -5    usr.bin/ssh/ssh-keygen.1
Total    +17 -5    1 file

OpenBSD/src ngET5GM usr.sbin/vmd virtio.c

   vmd: reorder PCI device assignment to fix Linux network interface numbering

   On some recent Linux guests, the virtio network interface is named based
   on its PCI slot assignment, eg "enp0s3".

   Prior to this change, vmd assigned disks first, meaning if you used a disk
   image to install Linux and then removed it after install, the network
   interface name would change from "enp0s3" to "enp0s2" (for example). This
   broke any autoconfiguration script config files written during the install
   and generally led to users just being confused about what was going on.

   This change reorders the vmd PCI device assignment to put network
   interfaces before disks, as disk devices don't seem to have the same
   naming issue. This means the slot for network interfaces won't change.

   IMPORTANT NOTE - if you have existing Linux guest VMs, you'll need to
   manually fixup your config files (once).

   ok ajacoutot, phessler, ccardenas, deraadt@
Version  Delta     File
1.77     +51 -51   usr.sbin/vmd/virtio.c
Total    +51 -51   1 file

OpenBSD/src 2gz6oh9 sbin/slaacd slaacd.c, usr.sbin/ifstated ifstated.c

   PF_ROUTE -> AF_ROUTE in the scattered sock()/setsockopt() calls
   where the "wrong" #define was used.

   ok dlg@

OpenBSD/src TcDzYQW usr.bin/ssh scp.1 sftp.1

   tweak previous;
Version  Delta     File
1.84     +3 -3     usr.bin/ssh/scp.1
1.125    +3 -3     usr.bin/ssh/sftp.1
Total    +6 -6     2 files

OpenBSD/src EnjTfrn bin/date date.1

   -p got changed to -f;
Version  Delta     File
1.70     +3 -3     bin/date/date.1
Total    +3 -3     1 file

OpenBSD/src qh63J55 lib/libc/stdlib qsort.3

   sort sections, and add a missing verb to the EXAMPLES text;
Version  Delta     File
1.24     +25 -25   lib/libc/stdlib/qsort.3
Total    +25 -25   1 file

OpenBSD/src 0eFTAPl lib/libc/stdlib qsort.3

   Wrap long line
Version  Delta     File
1.23     +3 -3     lib/libc/stdlib/qsort.3
Total    +3 -3     1 file

OpenBSD/src xi0sQg9 share/zoneinfo Makefile

   Make zoneinfo directories have permissions 0755 instead of 0555
   so this matches the entries in 4.4BSD.dist that were changed a
   while ago.

   from deraadt
Version  Delta     File
1.13     +2 -2     share/zoneinfo/Makefile
Total    +2 -2     1 file

OpenBSD/src 5NbGfAS sbin/dhclient dhclient.c

   Simplify the logic translating 'egress' into an interface name.
Version  Delta     File
1.622    +11 -19   sbin/dhclient/dhclient.c
Total    +11 -19   1 file

OpenBSD/src uyV0OQB sys/arch/amd64/include apmvar.h, sys/arch/arm/include apmvar.h

   flense more trailing whitespace

OpenBSD/src ShoCQ9A sys/dev/pci if_bnxt.c

   Increase max mtu to match the linux driver; tested against ixl, which can
   go larger still.
Version  Delta     File
1.18     +2 -2     sys/dev/pci/if_bnxt.c
Total    +2 -2     1 file

OpenBSD/src g2MlND3 sys/dev/pci if_ixl.c

   Increase hardmtu to the maximum according to the datasheet and set the rx
   packet size limit to match so jumbos actually work.  Larger packets are
   split across multiple buffers on the ring, so the buffers themselves stay
   the same size.

   ok dlg@
Version  Delta     File
1.16     +4 -4     sys/dev/pci/if_ixl.c
Total    +4 -4     1 file

OpenBSD/src kEVL3Zc sys/dev/pci if_ixl.c

   Add and remove mac filters for multicast addresses.

   ok dlg@
Version  Delta     File
1.15     +43 -7    sys/dev/pci/if_ixl.c
Total    +43 -7    1 file

OpenBSD/src ARwqnTQ sys/arch/amd64/include apmvar.h, sys/arch/arm/include apmvar.h

   remove trailing whitespace in the Laptop Package part of the license text.

   no words or punctuation were modified.

OpenBSD/src MKyGMSA distrib/sets/lists/base mi

   sync
Version  Delta     File
1.928    +4 -4     distrib/sets/lists/base/mi
Total    +4 -4     1 file

OpenBSD/src iRxBIIM lib/libcrypto shlib_version, lib/libssl shlib_version

   bump minors after symbol addition

OpenBSD/src 7qtZHsa lib/libssl/man SSL_get_ciphers.3

   Document SSL_get1_supported_ciphers(3) and SSL_get_client_ciphers(3).
   The text comes from OpenSSL, where it was still published under a
   free license.

   from schwarze
Version  Delta     File
1.7      +61 -7    lib/libssl/man/SSL_get_ciphers.3
Total    +61 -7    1 file

OpenBSD/src XZmHJpD lib/libssl ssl_lib.c ssl.h

   Add a re-implementation of SSL_get1_supported_ciphers().
   Part of OpenSSL 1.1 API (pre-licence-change).

   input schwarze
   ok jsing
Version  Delta     File
1.201    +35 -1    lib/libssl/ssl_lib.c
1.164    +2 -1     lib/libssl/ssl.h
1.25     +1 -0     lib/libssl/Symbols.list
Total    +38 -2    3 files

OpenBSD/src eQjcWJG lib/libssl ssl_lib.c ssl.h

   Provide SSL_get_client_ciphers().
   Part of OpenSSL 1.1 API, pre-licence change.

   ok jsing
Version  Delta     File
1.200    +9 -1     lib/libssl/ssl_lib.c
1.163    +2 -1     lib/libssl/ssl.h
1.24     +1 -0     lib/libssl/Symbols.list
Total    +12 -2    3 files

OpenBSD/src AWn145V lib/libcrypto Symbols.list

   Add missing symbols from the EC_KEY_METHOD port.

   Reported by bcook and sthen
Version  Delta     File
1.85     +8 -0     lib/libcrypto/Symbols.list
Total    +8 -0     1 file

OpenBSD/src fZxTvMy sys/kern kern_pledge.c

   #ifdef video junk as required.
Version  Delta     File
1.250    +4 -2     sys/kern/kern_pledge.c
Total    +4 -2     1 file

OpenBSD/src UTGnTXy lib/libcrypto/chacha chacha-merged.c chacha.c, lib/libcrypto/evp e_chacha20poly1305.c

   add support for xchacha20 and xchacha20-poly1305

   xchacha is a chacha stream that allows for an extended nonce, which
   in turn makes it feasible to use random nonces.

   ok tb@

OpenBSD/src MfjoB1l lib/libc/sys sysctl.2

   Point people to ipcomp(4) instead of ipsecctl(8) for
   net.inet.ipcomp.enable.

   ok deraadt@ bluhm@
Version  Delta     File
1.20     +3 -3     lib/libc/sys/sysctl.2
Total    +3 -3     1 file

OpenBSD/src axrTLsy usr.bin/ssh scp.1

   Forgot to add -J to the synopsis.
Version  Delta     File
1.83     +3 -2     usr.bin/ssh/scp.1
Total    +3 -2     1 file