guest - flak

openbsd changes of note 5

New year, old changes.

bluhm, mikeb, and mpi are continuing ongoing work to introduce the NET_LOCK. The plan is to replace splsoftnet() with an rwlock. However, unlike splsoftnet, rwlocks are not recursive, which requires some care in acquiring the lock once, only once, and in just the right spot. This is complicated by the fact that the network stack has many layers calling into each other. And in the case of NFS, even stranger dangers. In the mean time, some macros are used to allow switching between splsoftnet and rwlock until all the issues are solved.

kettenis is working to fix various warnings generated by the clang compiler. krw is also fixing a bunch of compiler warnings.

visa’s work on octeon now includes a MMC driver for the EdgeRouter Pro.

jsing, working with others, has fixed libcrypto to only export symbols listed in the Symbols.list. But don’t worry, with 3451 exported symbols you can probably find something in your size.

rzalamena has removed pim(4) support. Another routing protocol bytes the dust.

deraadt and rpe are working to bring https support to the installer. ftp on some ramdisks will have ssl support. Exercise for the reader: does this make the installer more or less secure? Actually, there are some serious questions, like what should happen if an https connection can’t be made or the cert is invalid. Refuse to install? Fall back to http? Make the user press enter one more time and then fall back to http?

visa has extended the virtual address range on mips64 (loongson, octeon, sgi) from 2GB to 1TB. That’s quite the improvement! Adding another level to page directories opens up the possibility of increasing the range of ASLR.

schwarze has written many new libcrypto manuals. Consult him for all your X.509 understanding needs. Though he’d probably prefer you read Guttman’s X59 style guide. But for serious, Ingo’s done an astounding job improving the documentation everybody loves to hate. You may even start to love it.

mlarkin fixed vmm to pass cacheline size to guests. Now even java runs.

In other awesome.509 news, I complained that cert failures weren’t pretty enough. 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed What does that even mean? I thought it was a bug, so I reported it, but it turns out the cert had actually expired. jsing fixed up libtls to use a verify callback (as in libtls sets a libssl callback; as a user of libtls you need do nothing and get this for free) to pretty print errors. Now you get certificate verification failed: certificate has expired.

This inadvertently exposed another bug. When alt chain support was added (because X.509 with one chain isn’t complicated enough), a bug was introduced that might allow verification to succeed (correctly), but leave an error sitting on the side in the context. libtls was looking at the context, saw the error, and would fail to verify certain sites (notably google.com used by ntpd constraints). beck came to the rescue and added even more code, increasing the aggregate awesomeness of X.509 to unprecendented levels.

jca deleted the uucp alias from the system. As a user, you should be aware this may result in receiving fewer offers of discount meds.

bluhm fixed syslogd to re-exec itself even with a relative path. Previously, as a result of chdir after startup, relative paths could not be found. Now realpath is used to create an absolute path.

miod has fixed gcc4 to produce somewhat reliable m88k code. Long live the risc.

tj has reduced mentions of 300mhz CPUs in the pf FAQ.

jsg switched gcc from generating code for armv5te to armv6k, which should generate some better inline assmebly.

sthen has updated cert.perm to sync with the Mozilla store.

stsp continues his five year mission to fix wifi. In last week’s episode, he negotiates with the standard violating APs at 33C3.

Posted 2017-01-03 18:55:28 by tedu Updated: 2017-01-03 19:26:58
Tagged: openbsd