Blame


1 3313bdf7 2021-03-24 deraadt <!doctype html>
2 3313bdf7 2021-03-24 deraadt <html lang=en id=release>
3 3313bdf7 2021-03-24 deraadt <meta charset=utf-8>
4 3313bdf7 2021-03-24 deraadt
5 3313bdf7 2021-03-24 deraadt <title>OpenBSD 6.9</title>
6 3313bdf7 2021-03-24 deraadt <meta name="description" content="OpenBSD 6.9">
7 3313bdf7 2021-03-24 deraadt <meta name="viewport" content="width=device-width, initial-scale=1">
8 3313bdf7 2021-03-24 deraadt <link rel="stylesheet" type="text/css" href="openbsd.css">
9 3313bdf7 2021-03-24 deraadt <link rel="canonical" href="https://www.openbsd.org/69.html">
10 3313bdf7 2021-03-24 deraadt
11 3313bdf7 2021-03-24 deraadt <h2 id=OpenBSD>
12 3313bdf7 2021-03-24 deraadt <a href="index.html">
13 3313bdf7 2021-03-24 deraadt <i>Open</i><b>BSD</b></a>
14 3313bdf7 2021-03-24 deraadt 6.9
15 3313bdf7 2021-03-24 deraadt </h2>
16 3313bdf7 2021-03-24 deraadt
17 3313bdf7 2021-03-24 deraadt <table>
18 3313bdf7 2021-03-24 deraadt <tr>
19 3313bdf7 2021-03-24 deraadt <td>
20 da80f837 2021-04-30 deraadt <a href="images/nice.png">
21 da80f837 2021-04-30 deraadt <img width="227" height="303" src="images/nice-s.gif" alt="Nice"></a>
22 3313bdf7 2021-03-24 deraadt <td>
23 15aba8b3 2021-04-23 deraadt Released May 1, 2021. (50th OpenBSD release)<br>
24 bbfc746c 2021-04-04 kn Copyright 1997-2021, Theo de Raadt.<br>
25 3313bdf7 2021-03-24 deraadt <br>
26 3313bdf7 2021-03-24 deraadt 6.9 Song:
27 89dd6819 2021-04-22 deraadt <a href="lyrics.html#69">"Vetera Novis"</a>.
28 3313bdf7 2021-03-24 deraadt <br>
29 e48553bd 2021-04-09 job Artwork by Joy San.
30 3313bdf7 2021-03-24 deraadt <br>
31 3313bdf7 2021-03-24 deraadt <ul>
32 3313bdf7 2021-03-24 deraadt <li>See the information on <a href="ftp.html">the FTP page</a> for
33 3313bdf7 2021-03-24 deraadt a list of mirror machines.
34 3313bdf7 2021-03-24 deraadt <li>Go to the <code class=reldir>pub/OpenBSD/6.9/</code> directory on
35 3313bdf7 2021-03-24 deraadt one of the mirror sites.
36 3313bdf7 2021-03-24 deraadt <li>Have a look at <a href="errata69.html">the 6.9 errata page</a> for a list
37 3313bdf7 2021-03-24 deraadt of bugs and workarounds.
38 3313bdf7 2021-03-24 deraadt <li>See a <a href="plus69.html">detailed log of changes</a> between the
39 3313bdf7 2021-03-24 deraadt 6.8 and 6.9 releases.
40 3313bdf7 2021-03-24 deraadt <p>
41 3313bdf7 2021-03-24 deraadt <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
42 3313bdf7 2021-03-24 deraadt pubkeys for this release:<p>
43 3313bdf7 2021-03-24 deraadt
44 3313bdf7 2021-03-24 deraadt <table class=signify>
45 3313bdf7 2021-03-24 deraadt <tr><td>
46 3313bdf7 2021-03-24 deraadt openbsd-69-base.pub:
47 3313bdf7 2021-03-24 deraadt <td>
48 3313bdf7 2021-03-24 deraadt <a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/openbsd-69-base.pub">
49 8e00de52 2021-05-01 deraadt RWQQsAemppS46LT4dNnAtVUZt51ResyNU35n4OH9yl/r7JcR3B75fO4V</a>
50 3313bdf7 2021-03-24 deraadt <tr><td>
51 3313bdf7 2021-03-24 deraadt openbsd-69-fw.pub:
52 3313bdf7 2021-03-24 deraadt <td>
53 8e00de52 2021-05-01 deraadt RWQmtywnZCJ0lWWc2wr0Ity/Ys498gmQksAi2dSmpW5IwkjEH/OXYPaF
54 3313bdf7 2021-03-24 deraadt <tr><td>
55 3313bdf7 2021-03-24 deraadt openbsd-69-pkg.pub:
56 3313bdf7 2021-03-24 deraadt <td>
57 8e00de52 2021-05-01 deraadt RWSG2ib5ZXSfQUmO/SK6MkA6wDVmjQ+7PHIUtEokG4TNnTghJnJ7NtkR
58 3313bdf7 2021-03-24 deraadt <tr><td>
59 3313bdf7 2021-03-24 deraadt openbsd-69-syspatch.pub:
60 3313bdf7 2021-03-24 deraadt <td>
61 8e00de52 2021-05-01 deraadt RWQukL+0K9o9dQ7z3X8mPAftyJDzxmsm9ojLck+Yi9Q+YGEPqdxDK4ke
62 3313bdf7 2021-03-24 deraadt </table>
63 3313bdf7 2021-03-24 deraadt </ul>
64 3313bdf7 2021-03-24 deraadt <p>
65 3313bdf7 2021-03-24 deraadt All applicable copyrights and credits are in the src.tar.gz,
66 3313bdf7 2021-03-24 deraadt sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
67 3313bdf7 2021-03-24 deraadt files fetched via <code>ports.tar.gz</code>.
68 3313bdf7 2021-03-24 deraadt </table>
69 3313bdf7 2021-03-24 deraadt
70 3313bdf7 2021-03-24 deraadt <hr>
71 3313bdf7 2021-03-24 deraadt
72 3313bdf7 2021-03-24 deraadt <section id=new>
73 3313bdf7 2021-03-24 deraadt <h3>What's New</h3>
74 3313bdf7 2021-03-24 deraadt <p>
75 3313bdf7 2021-03-24 deraadt This is a partial list of new features and systems included in OpenBSD 6.9.
76 3313bdf7 2021-03-24 deraadt For a comprehensive list, see the <a href="plus69.html">changelog</a> leading
77 3313bdf7 2021-03-24 deraadt to 6.9.
78 3313bdf7 2021-03-24 deraadt
79 3313bdf7 2021-03-24 deraadt <ul>
80 3313bdf7 2021-03-24 deraadt
81 3313bdf7 2021-03-24 deraadt <li>New/extended platforms:
82 3313bdf7 2021-03-24 deraadt <ul>
83 7557f135 2021-04-10 benno <li>Support for the <a href="powerpc64.html">powerpc64</a> platform was improved:
84 7557f135 2021-04-10 benno <ul>
85 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/astfb.4">astfb(4)</a>, a
86 7476d2f7 2021-04-05 benno driver for the framebuffer of the Aspeed BMC found on many POWER8 and
87 7476d2f7 2021-04-05 benno POWER9 systems.
88 7476d2f7 2021-04-05 benno <li>Added bsd.mp to powerpc64's installXX.{img,iso}.
89 7476d2f7 2021-04-05 benno <li>Added RETGUARD implementation for powerpc and powerpc64.
90 7476d2f7 2021-04-05 benno <li>Added a workaround for PCIO devices that cannot address the full
91 7476d2f7 2021-04-05 benno 64-bit PCI address space to powerpc64. Needed for <a
92 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> and <a
93 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> since Radeon
94 7476d2f7 2021-04-05 benno GPUs only implement 36, 40, or 44 bits of address space.
95 7476d2f7 2021-04-05 benno <li>Added limited emulation of unaligned access in the powerpc64 kernel.
96 e4087806 2021-04-15 kettenis <li>Added support for netbooting to the powerpc64 RAMDISK kernel.
97 d07c24c0 2021-04-07 benno <li>Fixed booting on powerpc64 machines with memory banks higher in
98 d07c24c0 2021-04-07 benno physical address space, needing a larger TCE table.
99 e4087806 2021-04-15 kettenis <li>Introduced power-saving mode on POWER9 CPUs.
100 bbfd61a9 2021-04-09 benno <li>Enabled floating-point exceptions on powerpc64.
101 753672c4 2021-04-09 benno <li>Added support for <a
102 753672c4 2021-04-09 benno href="https://man.openbsd.org/ipmi.4">ipmi(4)</a> on PowerNV systems.
103 7557f135 2021-04-10 benno </ul>
104 e4087806 2021-04-15 kettenis <li>Preliminary support was added for devices using the Apple M1 SoC:
105 7557f135 2021-04-10 benno <ul>
106 e4087806 2021-04-15 kettenis <li>Recognized Apple Icestorm/Firestorm cores on arm64.
107 e4087806 2021-04-15 kettenis <li>Added support for BCM4378 chips, as found on the Apple M1 SoCs, to
108 753672c4 2021-04-09 benno <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
109 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/exuart.4">exuart(4)</a>
110 a320f26f 2021-04-12 fcambus support for the UART found on the Apple M1 SoC.
111 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/apldog.4">apldog(4)</a>, a
112 753672c4 2021-04-09 benno driver for the watchdog on Apple M1 SoCs, allowing reboot of the
113 753672c4 2021-04-09 benno machine.
114 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>,
115 753672c4 2021-04-09 benno a driver for the interrupt controller found on Apple M1 SoCs.
116 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a>,
117 753672c4 2021-04-09 benno a driver for the PCIe host bridge on Apple M1 SoCs.
118 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a>,
119 753672c4 2021-04-09 benno a driver for the IOMMU on Apple M1 SoCs.
120 e4087806 2021-04-15 kettenis <li>Added support for CPUs with 8-bit ASIDs such as those on
121 7557f135 2021-04-10 benno Apple's M1 SoC.
122 7557f135 2021-04-10 benno </ul>
123 7557f135 2021-04-10 benno <li>The arm64 platform support was improved with the following changes:
124 7557f135 2021-04-10 benno <ul>
125 7557f135 2021-04-10 benno <li>Optimized arm64 <a
126 7557f135 2021-04-10 benno href="https://man.openbsd.org/copyin.9">copyin(9)</a>, <a
127 7557f135 2021-04-10 benno href="https://man.openbsd.org/copyout.9">copyout(9)</a> and <a
128 7557f135 2021-04-10 benno href="https://man.openbsd.org/kcopy.9">kcopy(9)</a> by doing 16-byte
129 7557f135 2021-04-10 benno copies if possible.
130 7557f135 2021-04-10 benno <li>Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
131 e4087806 2021-04-15 kettenis <li>Added clock support for i.MX8MP SoCs.
132 7557f135 2021-04-10 benno <li>Added support for the VF610 I2C controller to <a
133 7557f135 2021-04-10 benno href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
134 7557f135 2021-04-10 benno <li>Added <a href="https://man.openbsd.org/dwgpio.4">dwgpio(4)</a>, a
135 7557f135 2021-04-10 benno driver for the Synopsys DesignWare GPIO controller.
136 7557f135 2021-04-10 benno <li>Added <a
137 7557f135 2021-04-10 benno href="https://man.openbsd.org/amlpinctrl.4">amlpinctrl(4)</a> support
138 7557f135 2021-04-10 benno for the "Always On" GPIOs.
139 7557f135 2021-04-10 benno <li>Made large read and write transactions work in <a
140 7557f135 2021-04-10 benno href="https://man.openbsd.org/amliic.4">amliic(4)</a>.
141 e4087806 2021-04-15 kettenis <li>Added support for the PCIe controller found on Amlogic
142 e4087806 2021-04-15 kettenis G12A/G12B/SM1 SoCs to <a
143 e4087806 2021-04-15 kettenis href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
144 e4087806 2021-04-15 kettenis <li>Implemented legacy interrupt support to <a
145 7557f135 2021-04-10 benno href="https://man.openbsd.org/mvkpcie.4">mvkpcie(4)</a>.
146 7557f135 2021-04-10 benno <li>Added <a href="https://man.openbsd.org/cryptox.4">cryptox(4)</a>,
147 7557f135 2021-04-10 benno a driver for armv8 cryptographic extensions.
148 7557f135 2021-04-10 benno <li>Added support for PCIe on the NanoPi R4S to <a
149 7557f135 2021-04-10 benno href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a>.
150 fdf30ce7 2021-04-13 patrick <li>Added <a href="https://man.openbsd.org/smmu.4">smmu(4)</a>, a
151 fdf30ce7 2021-04-13 patrick driver for the ARM System MMU.
152 fdf30ce7 2021-04-13 patrick <li>Introduced an IOVA early-allocation scheme in <a
153 fdf30ce7 2021-04-13 patrick href="https://man.openbsd.org/smmu.4">smmu(4)</a>, mitigating the
154 fdf30ce7 2021-04-13 patrick performance penalty of typical IOVA allocation designs.
155 fdf30ce7 2021-04-13 patrick <li>Introduced Guard Pages in <a
156 fdf30ce7 2021-04-13 patrick href="https://man.openbsd.org/smmu.4">smmu(4)</a>, to spot misuse
157 fdf30ce7 2021-04-13 patrick and misconfiguration of I/O devices more easily.
158 e4087806 2021-04-15 kettenis <li>Added support for RK809 to <a
159 7557f135 2021-04-10 benno href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>, as seen on the
160 7557f135 2021-04-10 benno Rock Pi N10 with the rk3399pro.
161 7557f135 2021-04-10 benno <li>Added support for <a
162 7557f135 2021-04-10 benno href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> on the Raspberry Pi
163 7557f135 2021-04-10 benno in ACPI mode.
164 7557f135 2021-04-10 benno <li>Enabled <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> on arm64.
165 7557f135 2021-04-10 benno <li>Updated device-tree bindings for <a
166 7557f135 2021-04-10 benno href="https://man.openbsd.org/cwfg.4">cwfg(4)</a> battery capacity
167 7557f135 2021-04-10 benno driver to correct attaching and account for monitoring interval
168 7557f135 2021-04-10 benno change, making cwfg(4) export values under hw.sensors as expected when
169 7557f135 2021-04-10 benno using a Pinebook Pro.
170 7557f135 2021-04-10 benno <li>Added ARMv8-5 instruction set related CPU features to arm64.
171 7557f135 2021-04-10 benno </ul>
172 7557f135 2021-04-10 benno </ul>
173 7476d2f7 2021-04-05 benno
174 7557f135 2021-04-10 benno <li>Various kernel improvements:
175 3313bdf7 2021-03-24 deraadt <ul>
176 7557f135 2021-04-10 benno <li>Added the RAID1C (encrypted raid1) <a
177 7557f135 2021-04-10 benno href="https://man.openbsd.org/softraid.4">softraid(4)</a> discipline,
178 7557f135 2021-04-10 benno encrypting data like the CRYPTO discipline and accepting multiple
179 7557f135 2021-04-10 benno chunks during creation and assembly like the RAID1 discipline.
180 7557f135 2021-04-10 benno <li>Corrected verification of the raidlevel specified by the -c option in <a
181 7557f135 2021-04-10 benno href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
182 bbfd61a9 2021-04-09 benno
183 7557f135 2021-04-10 benno <li>Introduced kern.video.record for <a
184 7557f135 2021-04-10 benno href="https://man.openbsd.org/video.4">video(4)</a> devices, a privacy feature analogous
185 7557f135 2021-04-10 benno to the kern.audio.record <a
186 7557f135 2021-04-10 benno href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> parameter for <a
187 7557f135 2021-04-10 benno href="https://man.openbsd.org/audio.4">audio(4)</a> devices. By
188 7557f135 2021-04-10 benno default, kern.video.record will be set to zero and blank all data
189 7557f135 2021-04-10 benno delivered by drivers attaching to <a
190 7557f135 2021-04-10 benno href="https://man.openbsd.org/video.4">video(4)</a>.
191 7557f135 2021-04-10 benno <li>Allowed a process to open a <a
192 7557f135 2021-04-10 benno href="https://man.openbsd.org/video.4">video(4)</a> device multiple
193 7557f135 2021-04-10 benno times. Fixes webcam usage with Firefox and BigBlueButton.
194 7557f135 2021-04-10 benno <li>Enabled multiple opens of a <a
195 7557f135 2021-04-10 benno href="https://man.openbsd.org/video.4">video(4)</a> device as
196 7557f135 2021-04-10 benno described in the V4L2 specification.
197 7557f135 2021-04-10 benno
198 7557f135 2021-04-10 benno <li>Added basic support for kclock timeouts to <a
199 7557f135 2021-04-10 benno href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
200 7557f135 2021-04-10 benno <li>Changed the <a href="https://man.openbsd.org/pool.9">pool(9)</a>
201 7557f135 2021-04-10 benno timeouts to use the system uptime instead of ticks.
202 bbfd61a9 2021-04-09 benno <li>Ensured <a href="https://man.openbsd.org/sleep.3">sleep(3)</a>
203 bbfd61a9 2021-04-09 benno calls <a href="https://man.openbsd.org/nanosleep.2">nanosleep(2)</a>
204 bbfd61a9 2021-04-09 benno if seconds is zero, now delegating all decisions about whether or not
205 bbfd61a9 2021-04-09 benno to yield the CPU.
206 d07c24c0 2021-04-07 benno <li>Added a top-level 'reboot' command to <a
207 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
208 d07c24c0 2021-04-07 benno <li>Added <a href="https://man.openbsd.org/witness.4">witness(4)</a>
209 d07c24c0 2021-04-07 benno check for uninitialized (or zeroed) lock usage.
210 d07c24c0 2021-04-07 benno <li>Added fd close notification for kqueue-based <a
211 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/poll.2">poll(2)</a> and <a
212 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/select.2">select(2)</a>.
213 d07c24c0 2021-04-07 benno <li>Added a global "nowake" channel for threads avoiding <a
214 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/wakeup.9">wakeup(9)</a> to <a
215 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/tsleep.9">tsleep(9)</a>.
216 7557f135 2021-04-10 benno
217 d07c24c0 2021-04-07 benno <li>Added trace points for <a
218 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/malloc.9">malloc(9)</a> and <a
219 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/free.9">free(9)</a>, making them
220 32e14492 2021-04-24 namn traceable via <a href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
221 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
222 7557f135 2021-04-10 benno <li>Added <a href="https://man.openbsd.org/btrace.8">btrace(8)</a> -n
223 7557f135 2021-04-10 benno (no action) mode, which parses the program and then exits.
224 bbfd61a9 2021-04-09 benno <li>Fixed a boot-time crash on sparc64 due to mutex use during the
225 bbfd61a9 2021-04-09 benno message buffer initialization.
226 7557f135 2021-04-10 benno <li>Prevented a panic with some ACPI firmware that provided invalid
227 bbfd61a9 2021-04-09 benno memory regions in its reserved memory region reporting table.
228 7476d2f7 2021-04-05 benno
229 d07c24c0 2021-04-07 benno
230 753672c4 2021-04-09 benno <li>Added a barrier between reading the cqe flags and the command ID
231 32e14492 2021-04-24 namn to prevent completion of the wrong SCSI I/O for <a
232 753672c4 2021-04-09 benno href="https://man.openbsd.org/nvme.4">nvme(4)</a> drives.
233 da18eb33 2021-04-17 krw <li>Prevented attachment of <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
234 da18eb33 2021-04-17 krw devices of zero size.
235 bbfd61a9 2021-04-09 benno <li>Introduced new function <a
236 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/if_unit.9">if_unit(9)</a>, returning a
237 bbfd61a9 2021-04-09 benno pointer to the interface descriptor corresponding to the unique name.
238 753672c4 2021-04-09 benno <li>Cleared interrupts on luna88k processors more efficiently at boot
239 753672c4 2021-04-09 benno time.
240 753672c4 2021-04-09 benno <li>Added <a
241 753672c4 2021-04-09 benno href="https://man.openbsd.org/acpiiort.4">acpiiort(4)</a>, a driver
242 753672c4 2021-04-09 benno for the ACPI I/O Remapping Table.
243 7557f135 2021-04-10 benno <li>Updated clock interrupt count atomically on mips64.
244 7557f135 2021-04-10 benno <li>Prevented an amd64 kernel crash with protection fault due to an
245 7557f135 2021-04-10 benno invalid offset when reading /dev/kmem.
246 7557f135 2021-04-10 benno <li>Permitted access to kern.somaxconn sysctl information when the
247 7557f135 2021-04-10 benno unix <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> is used,
248 7557f135 2021-04-10 benno allowing Go programs to use "unix" without also including "inet".
249 7557f135 2021-04-10 benno <li>Excluded the first page and added a guard page between I/O
250 7557f135 2021-04-10 benno virtual address space allocations on arm64.
251 da18eb33 2021-04-17 krw
252 da18eb33 2021-04-17 krw <li>Prevented attachment of SCSI devices that fail to provide
253 da18eb33 2021-04-17 krw adequate INQUIRY data.
254 22ac61ec 2021-04-11 benno </ul>
255 2dc94401 2021-04-11 benno
256 22ac61ec 2021-04-11 benno <li>SMP Improvements
257 22ac61ec 2021-04-11 benno <ul>
258 5e66edcf 2021-04-11 benno <li>Introduced "if_cloners_lock" rwlock and used it to serialize
259 5e66edcf 2021-04-11 benno if_clone_{create,destroy}(), avoiding multiple race conditions.
260 22ac61ec 2021-04-11 benno <li>Introduced a system-wide mutex that serializes msgbuf operations.
261 5e66edcf 2021-04-11 benno <li>Made <a
262 5e66edcf 2021-04-11 benno href="https://man.openbsd.org/uvm_pagealloc.9">uvm_pagealloc(9)</a> of
263 5e66edcf 2021-04-11 benno the physical memory allocator mp-safe.
264 22ac61ec 2021-04-11 benno <li>Unlocked <a href="https://man.openbsd.org/getppid.2">getppid(2)</a>.
265 22ac61ec 2021-04-11 benno <li>Introduced locking for amaps and anons, improving build performance.
266 5e66edcf 2021-04-11 benno <li>Moved UNIX domain sockets out of the kernel lock, using the new
267 5e66edcf 2021-04-11 benno "unp_lock" <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a> as
268 5e66edcf 2021-04-11 benno solock()'s backend to protect the whole layer.
269 22ac61ec 2021-04-11 benno <li>Unlocked <a href="https://man.openbsd.org/sendsyslog.2">sendsyslog(2)</a>.
270 22ac61ec 2021-04-11 benno <li>Used per-CPU counters for fault and stats counters reached in uvm_fault().
271 22ac61ec 2021-04-11 benno </ul>
272 2dc94401 2021-04-11 benno
273 22ac61ec 2021-04-11 benno <li>Direct Rendering Manager
274 22ac61ec 2021-04-11 benno <ul>
275 5e66edcf 2021-04-11 benno <li>Fixed <a
276 7dd354c0 2021-04-19 jsg href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>
277 7dd354c0 2021-04-19 jsg backlight commands when using
278 7dd354c0 2021-04-19 jsg <a href="https://man.openbsd.org/drm.4">drm(4)</a> drivers on
279 7dd354c0 2021-04-19 jsg macppc.
280 7dd354c0 2021-04-19 jsg <li>Fixed a <a
281 7dd354c0 2021-04-19 jsg href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a>
282 7dd354c0 2021-04-19 jsg panic on macppc with Powerbook5,6 and RV350.
283 5e66edcf 2021-04-11 benno <li>Fixed DRI3 support on <a
284 5e66edcf 2021-04-11 benno href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a
285 5e66edcf 2021-04-11 benno href="https://man.openbsd.org/ati.4">ati(4)</a>.
286 7dd354c0 2021-04-19 jsg <li>/dev/dri/ device nodes are created to be more compatible with Linux.
287 22ac61ec 2021-04-11 benno </ul>
288 2dc94401 2021-04-11 benno
289 22ac61ec 2021-04-11 benno <li>VMM/VMD improvements
290 22ac61ec 2021-04-11 benno <ul>
291 753672c4 2021-04-09 benno <li>Prevented memory corruption or improper page access in <a
292 753672c4 2021-04-09 benno href="https://man.openbsd.org/vmm.4">vmm(4)</a> due to improper TLB
293 753672c4 2021-04-09 benno flushing, for now by wiring the pages used by virtual machines.
294 7557f135 2021-04-10 benno <li>Removed the ability of <a
295 7557f135 2021-04-10 benno href="https://man.openbsd.org/vmd.8">vmd(8)</a> to boot from kernels
296 7557f135 2021-04-10 benno in raw/qcow2 images.
297 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>
298 d7be3d62 2021-04-11 dv properly indicate VMs are stopping instead of "running" with "vmctl
299 7557f135 2021-04-10 benno status".
300 ac263705 2021-04-19 jsg <li>Simplified argument parsing of
301 ac263705 2021-04-19 jsg <code><a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> stop</code>
302 ac263705 2021-04-19 jsg thereby avoiding a
303 ac263705 2021-04-19 jsg <a href="https://man.openbsd.org/printf.3">printf(3)</a> "%s" NULL,
304 ac263705 2021-04-19 jsg a use of uninitialized and a dead else branch.
305 7557f135 2021-04-10 benno <li>Cleaned up events on <a
306 7557f135 2021-04-10 benno href="https://man.openbsd.org/vmd.8">vmd(8)</a> pause or resume and
307 7557f135 2021-04-10 benno fixed an issue leading to broken serial console by cleanly tearing
308 7557f135 2021-04-10 benno down and restoring emulated device state on vm send/receive.
309 7557f135 2021-04-10 benno <li>Propagated host-side <a
310 7557f135 2021-04-10 benno href="https://man.openbsd.org/tap.4">tap(4)</a> lladdr to guest vm
311 7557f135 2021-04-10 benno process to allow unicast dhcp and bootp renewals with <a
312 7557f135 2021-04-10 benno href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s built-in dhcp
313 7557f135 2021-04-10 benno server.
314 d7be3d62 2021-04-11 dv <li>Added <a href="https://man.openbsd.org/veb.4">veb(4)</a> to the
315 d7be3d62 2021-04-11 dv list of supported bridges for <a
316 d7be3d62 2021-04-11 dv href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
317 d7be3d62 2021-04-11 dv <li>Improved MSR exit handling in <a
318 d7be3d62 2021-04-11 dv href="https://man.openbsd.org/vmm.4">vmm(4)</a> on SVM and VMX
319 d7be3d62 2021-04-11 dv hosts preventing invalid reads and fixing support for 9front.
320 d7be3d62 2021-04-11 dv <li>Added ability to boot compressed ramdisks to <a
321 d7be3d62 2021-04-11 dv href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
322 3313bdf7 2021-03-24 deraadt </ul>
323 3313bdf7 2021-03-24 deraadt
324 3313bdf7 2021-03-24 deraadt <li>Various new userland features:
325 3313bdf7 2021-03-24 deraadt <ul>
326 7476d2f7 2021-04-05 benno <li>Added <a
327 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/doas.conf.5">doas.conf(5)</a> "nolog"
328 7476d2f7 2021-04-05 benno option to avoid <a
329 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/syslog.3">syslog(3)</a>.
330 7476d2f7 2021-04-05 benno <li>Allowed specific <a
331 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/sndio.7">sndio(7)</a> devices to be used
332 7476d2f7 2021-04-05 benno for play-only and rec-only modes.
333 bbfd61a9 2021-04-09 benno <li>Used an 8th-order FIR low-pass filter for resampling in <a
334 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> and for <a
335 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/aucat.1">aucat(1)</a>, removing most of
336 bbfd61a9 2021-04-09 benno the aliasing noise during resampling.
337 753672c4 2021-04-09 benno <li>Disabled <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>
338 753672c4 2021-04-09 benno autovolume by default and set the default volume to 127. Setting "-w
339 753672c4 2021-04-09 benno on" will replicate the previous behavior of automatically decreasing
340 753672c4 2021-04-09 benno playback volume when new programs start playing.
341 753672c4 2021-04-09 benno <li>Allowed mixing of alternative devices (-F) with different
342 753672c4 2021-04-09 benno capabilities in <a
343 753672c4 2021-04-09 benno href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> by treating any
344 753672c4 2021-04-09 benno device as full-duplex.
345 7557f135 2021-04-10 benno <li>Fixed visibility of <a
346 7557f135 2021-04-10 benno href="https://man.openbsd.org/sndioctl.1">sndioctl(1)</a> output when
347 7557f135 2021-04-10 benno used through a pipe.
348 7557f135 2021-04-10 benno
349 753672c4 2021-04-09 benno <li>Enabled build and install of <a href="https://man.openbsd.org/lldb.1">lldb(1)</a>.
350 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/logger.1">logger(1)</a>
351 753672c4 2021-04-09 benno support to <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>, <a
352 753672c4 2021-04-09 benno href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> and <a
353 753672c4 2021-04-09 benno href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for daemons logging
354 753672c4 2021-04-09 benno to stdout/stderr.
355 7476d2f7 2021-04-05 benno
356 7557f135 2021-04-10 benno <li>Added a configurable button mapping for tap gestures on touchpads
357 7557f135 2021-04-10 benno to <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>.
358 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>
359 7557f135 2021-04-10 benno touchpad tap detection less restrictive for multi-finger taps and
360 7557f135 2021-04-10 benno improved tap detection.
361 7557f135 2021-04-10 benno <li>Enabled <a
362 7557f135 2021-04-10 benno href="https://man.openbsd.org/man4/arm64/apm.4">apm(4)</a> on arm64 to
363 7557f135 2021-04-10 benno display meaningful information about battery use and capacity.
364 3313bdf7 2021-03-24 deraadt </ul>
365 3313bdf7 2021-03-24 deraadt
366 3313bdf7 2021-03-24 deraadt <li>Various bugfixes and tweaks in userland:
367 3313bdf7 2021-03-24 deraadt <ul>
368 7476d2f7 2021-04-05 benno <li>Fixed a pledge violation in <a
369 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/csh.1">csh(1)</a> where redirecting
370 7476d2f7 2021-04-05 benno input from a file containing ^T would cause csh(1) to perform a tty
371 7476d2f7 2021-04-05 benno ioctl operation against a non-tty.
372 ee9322f9 2021-04-10 tb <li>Made <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a> work
373 ee9322f9 2021-04-10 tb again when fewer than 3 patches are available.
374 7476d2f7 2021-04-05 benno <li>Stopped exempting file systems from <a
375 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/security.8">security(8)</a> on the basis
376 7476d2f7 2021-04-05 benno of nodev and nosuid options, since those options may not be set on file systems
377 7476d2f7 2021-04-05 benno mounted beneath them.
378 7476d2f7 2021-04-05 benno <li>Modified <a href="https://man.openbsd.org/daily.8">daily(8)</a>
379 7476d2f7 2021-04-05 benno to stop reporting disk status and networking statistics.
380 7476d2f7 2021-04-05 benno <li>Made <a
381 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> specify
382 7476d2f7 2021-04-05 benno a version when it uses <a
383 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/fw_update.1">fw_update(1)</a> to avoid
384 7476d2f7 2021-04-05 benno the situation where upgrading a pre-6.8 snapshot to 6.8 release with
385 7476d2f7 2021-04-05 benno "-r" would install firmware packages from snapshots.
386 7476d2f7 2021-04-05 benno <li>Increased speed of the dependency check pass for <a
387 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
388 7476d2f7 2021-04-05 benno
389 7476d2f7 2021-04-05 benno <li>Prevented process exit in multithreaded programs from reporting
390 7476d2f7 2021-04-05 benno the wrong error code.
391 7476d2f7 2021-04-05 benno
392 da18eb33 2021-04-17 krw <li>Allowed booting of amd64/i386 from GPT-formatted disks larger than 4TB.
393 7476d2f7 2021-04-05 benno
394 d07c24c0 2021-04-07 benno <li>When using the <a href="https://man.openbsd.org/cat.1">cat(1)</a>
395 d07c24c0 2021-04-07 benno -n flag, correctly enumerate files with more than INT_MAX lines.
396 d07c24c0 2021-04-07 benno <li>Fixed a memory leak in ld.so's malloc.
397 7557f135 2021-04-10 benno
398 bbfd61a9 2021-04-09 benno <li>Added a "xenodm" login class for <a
399 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> and increased
400 bbfd61a9 2021-04-09 benno openfiles to 512 to avoid running out of file descriptors with a busy
401 bbfd61a9 2021-04-09 benno desktop.
402 7557f135 2021-04-10 benno <li>Stopped <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
403 7557f135 2021-04-10 benno from adding authorizations for TCP connections by default and added
404 7557f135 2021-04-10 benno "listenTCP" to explicitly add authorizations for existing IP addresses
405 7557f135 2021-04-10 benno on startup.
406 32e14492 2021-04-24 namn <li>Skipped adding the IPv6 link-local addresses for TCP listener
407 32e14492 2021-04-24 namn authorizations in <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>,
408 32e14492 2021-04-24 namn matching what is done by
409 32e14492 2021-04-24 namn <a href="https://man.openbsd.org/startx.1">startx(1)</a>.
410 7557f135 2021-04-10 benno
411 bbfd61a9 2021-04-09 benno <li>Fixed -s option for <a href="https://man.openbsd.org/cmp.1">cmp(1)</a>.
412 bbfd61a9 2021-04-09 benno <li>Improved pledge in <a
413 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/doas.1">doas(1)</a>, specifically adding
414 bbfd61a9 2021-04-09 benno pledge to the "-C" code path.
415 32e14492 2021-04-24 namn <li>Improved performance of <a
416 eabc5959 2021-04-09 otto href="https://man.openbsd.org/malloc.3">malloc(3)</a>'s cache.
417 753672c4 2021-04-09 benno <li>Made editing GPT in <a
418 753672c4 2021-04-09 benno href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> safer by
419 753672c4 2021-04-09 benno defaulting offset to the beginning of the largest free space and
420 753672c4 2021-04-09 benno preventing the creation of overlapping partitions.
421 753672c4 2021-04-09 benno <li>Fixed a crash that could occur in <a
422 c286d670 2021-04-19 jsg href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> when a USB
423 753672c4 2021-04-09 benno device is unplugged.
424 753672c4 2021-04-09 benno <li>Appended .html suffixes to temporary files in <a
425 753672c4 2021-04-09 benno href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> to allow
426 753672c4 2021-04-09 benno recognition by browsers.
427 753672c4 2021-04-09 benno <li>Allowed specification of a path to the <a
428 753672c4 2021-04-09 benno href="https://man.openbsd.org/mg.1">mg(1)</a> startup file on the
429 753672c4 2021-04-09 benno command line.
430 7557f135 2021-04-10 benno <li>Added a "batch" mode to <a
431 7557f135 2021-04-10 benno href="https://man.openbsd.org/mg.1">mg(1)</a> via the "-b" command
432 32e14492 2021-04-24 namn line option, which will initialize a pty, run the specified file of mg
433 7557f135 2021-04-10 benno commands and then exit.
434 7557f135 2021-04-10 benno <li>Inverted the <a href="https://man.openbsd.org/mg.1">mg(1)</a> "R"
435 7557f135 2021-04-10 benno indicator to mean that a "*" next to a file's name indicates that it
436 7557f135 2021-04-10 benno is read-only. Made the active buffer indicator more visible by
437 7557f135 2021-04-10 benno changing it to ">".
438 753672c4 2021-04-09 benno
439 7557f135 2021-04-10 benno <li>Fixed <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>
440 7557f135 2021-04-10 benno redrawing of a multiline PS1 prompt in vi mode and added support for
441 7557f135 2021-04-10 benno ^R (redraw) in insert mode.
442 7557f135 2021-04-10 benno <li>Used <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to
443 7557f135 2021-04-10 benno restrict filesystem access in <a
444 7557f135 2021-04-10 benno href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
445 7557f135 2021-04-10 benno <li>Removed the 30s minimum delay for <a
446 7557f135 2021-04-10 benno href="https://man.openbsd.org/xlock.1">xlock(1)</a> timeouts.
447 7557f135 2021-04-10 benno <li>Stopped deleting the control socket on exit in <a
448 add4ff3a 2021-04-19 jsg href="https://man.openbsd.org/apmd.8">apmd(8)</a>, as deleting
449 add4ff3a 2021-04-19 jsg the socket after calling <a
450 add4ff3a 2021-04-19 jsg href="https://man.openbsd.org/unveil.2">unveil(2)</a> would cause an
451 add4ff3a 2021-04-19 jsg unveil violation.
452 3313bdf7 2021-03-24 deraadt </ul>
453 3313bdf7 2021-03-24 deraadt
454 3313bdf7 2021-03-24 deraadt <li>Improved hardware support and driver bugfixes, including:
455 3313bdf7 2021-03-24 deraadt <ul>
456 7557f135 2021-04-10 benno <li>Corrected accounting of zero length Transfer Descriptors in <a
457 7557f135 2021-04-10 benno href="https://man.openbsd.org/xhci.4">xhci(4)</a>, preventing running
458 7557f135 2021-04-10 benno out of free Transfer Ring Blocks.
459 7476d2f7 2021-04-05 benno <li>Moved mfokclock(4) from loongson to make it available for other
460 7476d2f7 2021-04-05 benno platforms and renamed it to <a
461 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/mfokrtc.4">mfokrtc(4)</a>.
462 7476d2f7 2021-04-05 benno <li>Fixed brightness setting on MacBooks.
463 7476d2f7 2021-04-05 benno <li>Added AMD Vi and Intel VTD IOMMU support. This creates separate
464 7476d2f7 2021-04-05 benno domains for each PCI device and can provide protection against invalid
465 7476d2f7 2021-04-05 benno memory access.
466 7476d2f7 2021-04-05 benno <li>Enabled brightness keys on powerbooks where the keyboard attaches
467 7476d2f7 2021-04-05 benno as <a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
468 7476d2f7 2021-04-05 benno <li>Set initial default display brightness on macppc via
469 7476d2f7 2021-04-05 benno of_setbrightness() to ensure <a
470 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/wscons.4">wscons(4)</a> and ofw are in
471 7476d2f7 2021-04-05 benno sync.
472 7476d2f7 2021-04-05 benno <li>Added support for the PL2303HXN series chips to <a
473 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
474 7476d2f7 2021-04-05 benno <li>Added support for the PCA9547 I2C mux to <a
475 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>.
476 7476d2f7 2021-04-05 benno <li>Extended <a href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>
477 7476d2f7 2021-04-05 benno with ACPI support.
478 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/acpige.4">acpige(4)</a>, a
479 e4087806 2021-04-15 kettenis driver for ACPI generic event devices, used on various
480 2e4c8601 2021-04-19 jsg systems to implement power button handling.
481 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>,
482 7476d2f7 2021-04-05 benno a driver for the GPIO controllers found on modern Intel PCHs.
483 7476d2f7 2021-04-05 benno <li>Added ACPI support to <a
484 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/imxiic.4">imxiic(4)</a>.
485 7476d2f7 2021-04-05 benno <li>Fixed panics on the HoneyComb LX2K with <a
486 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a>.
487 7476d2f7 2021-04-05 benno <li>Fixed very old <a
488 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/umass.4">umass(4)</a> devices where the
489 7476d2f7 2021-04-05 benno INQUIRY command succeeds but with a residue equal to the requested
490 7476d2f7 2021-04-05 benno bytes.
491 d07c24c0 2021-04-07 benno <li>Added Gemini Lake I2C id to <a
492 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>, making the
493 d07c24c0 2021-04-07 benno touchpad work on the Teclast F7 Plus laptop.
494 753672c4 2021-04-09 benno <li>Introduced <a href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>, a
495 753672c4 2021-04-09 benno restricted subset of <a
496 753672c4 2021-04-09 benno href="https://man.openbsd.org/uhid.4">uhid(4)</a> for game controllers
497 753672c4 2021-04-09 benno which uses /dev/ujoy/* device nodes.
498 753672c4 2021-04-09 benno <li>Set up <a href="https://man.openbsd.org/ims.4">ims(4)</a> devices
499 753672c4 2021-04-09 benno in X11 to behave like touchpads.
500 753672c4 2021-04-09 benno <li>Stopped relying on USB devices to correctly present their
501 753672c4 2021-04-09 benno indices, instead searching for the correct interfaces. This fixes E+
502 753672c4 2021-04-09 benno Corp. DAC Audio devices.
503 753672c4 2021-04-09 benno <li>Introduced <a
504 753672c4 2021-04-09 benno href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>, a driver for
505 753672c4 2021-04-09 benno Logitech HID++ devices.
506 7557f135 2021-04-10 benno <li>Separated reading of general and touchpad-specific <a
507 7557f135 2021-04-10 benno href="https://man.openbsd.org/wsmouse.4">wsmouse(4)</a> settings and
508 7557f135 2021-04-10 benno corrected identification of device type when reading touchpad
509 7557f135 2021-04-10 benno parameters fails.
510 7476d2f7 2021-04-05 benno
511 7557f135 2021-04-10 benno <li>Added support for 30-bit color modes to <a
512 e4087806 2021-04-15 kettenis href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
513 e4087806 2021-04-15 kettenis and <a href="https://man.openbsd.org/wsfb.4">wsfb(4)</a>.
514 753672c4 2021-04-09 benno
515 7557f135 2021-04-10 benno <li>Made loongson kernels recognize Lynloong LM9002/9003 and LM9013 models.
516 7557f135 2021-04-10 benno <li>Use native display resolution 1368x768 for Lynloong all-in-one computers.
517 3313bdf7 2021-03-24 deraadt </ul>
518 3313bdf7 2021-03-24 deraadt
519 3313bdf7 2021-03-24 deraadt <li>New or improved network hardware support:
520 3313bdf7 2021-03-24 deraadt <ul>
521 7476d2f7 2021-04-05 benno <li>Fixed link state change behavior in 82598 <a
522 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/ix.4">ix(4)</a> chips.
523 7476d2f7 2021-04-05 benno <li>Fixed issues with network stopping after the first down/up cycle
524 7476d2f7 2021-04-05 benno in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> Marvell Armada
525 7476d2f7 2021-04-05 benno Ethernet device.
526 7476d2f7 2021-04-05 benno <li>Added SFP+ support to ofw, including support for direct attach cables.
527 7476d2f7 2021-04-05 benno <li>Added 10G media support to <a
528 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
529 7476d2f7 2021-04-05 benno <li>Added support for 1000base-x and 2500base-x connections to <a
530 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
531 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/mvsw.4">mvsw(4)</a>, a
532 7476d2f7 2021-04-05 benno driver for Marvell "SOHO" switches.
533 d07c24c0 2021-04-07 benno <li>Enabled auto-negotiation on the SerDes links, allowing
534 d07c24c0 2021-04-07 benno in-band-status to work between <a
535 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/mvpp.4">mvpp(4)</a> and <a
536 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/mvsw.4">mvsw(4)</a> on the ClearFog GT
537 d07c24c0 2021-04-07 benno 8K.
538 d07c24c0 2021-04-07 benno <li>Added support for the i.MX8MP PCIe clocks, USB clocks and second
539 d07c24c0 2021-04-07 benno ethernet.
540 d07c24c0 2021-04-07 benno <li>Added Wake on LAN support to <a
541 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/rge.4">rge(4)</a>.
542 d07c24c0 2021-04-07 benno <li>Enabled IPv4 and TCP/UDP checksum offload on transmission in <a
543 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/ogx.4">ogx(4)</a>.
544 753672c4 2021-04-09 benno <li>Raised the maximum number of queues/interrupts from 1 to 16 on <a
545 753672c4 2021-04-09 benno href="https://man.openbsd.org/mcx.4">mcx(4)</a> devices.
546 753672c4 2021-04-09 benno <li>Added support for the Netgear ProSecure UTM25 to octeon.
547 7557f135 2021-04-10 benno <li>Added vid/pid table to <a
548 7557f135 2021-04-10 benno href="https://man.openbsd.org/umb.4">umb(4)</a> allowing matching to
549 7557f135 2021-04-10 benno alternate configurations.
550 3313bdf7 2021-03-24 deraadt </ul>
551 3313bdf7 2021-03-24 deraadt
552 3313bdf7 2021-03-24 deraadt <li>Added or improved wireless network drivers:
553 3313bdf7 2021-03-24 deraadt <ul>
554 174761b9 2021-04-14 stsp <li>Fixed the <a href="https://man.openbsd.org/athn.4">athn(4)</a> and
555 174761b9 2021-04-14 stsp <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
556 174761b9 2021-04-14 stsp in client mode against access points which use WPA1/TKIP as
557 174761b9 2021-04-14 stsp the group cipher.
558 7476d2f7 2021-04-05 benno <li>Added multicast support to <a
559 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to allow IPv6.
560 7476d2f7 2021-04-05 benno <li>Fixed <a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a>
561 7476d2f7 2021-04-05 benno repeated DEAUTH and loss/restoration of link.
562 d07c24c0 2021-04-07 benno <li>Introduced a delay to work around an issue in <a
563 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> on the BCM43602 that
564 d07c24c0 2021-04-07 benno was triggering "unexpected pairwise key update" errors.
565 bbfd61a9 2021-04-09 benno <li>Enabled <a href="https://man.openbsd.org/athn.4">athn(4)</a> for arm64.
566 174761b9 2021-04-14 stsp <li>Implemented a new 802.11n Tx rate adaptation algorithm ("RA") for
567 2c309e0b 2021-04-15 stsp <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
568 2c309e0b 2021-04-15 stsp <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, and
569 2c309e0b 2021-04-15 stsp <a href="https://man.openbsd.org/athn.4">athn(4)</a>.
570 174761b9 2021-04-14 stsp <li>Fixed association problems with the <a
571 2c309e0b 2021-04-15 stsp href="https://man.openbsd.org/ipw.4">ipw(4)</a> and <a
572 2c309e0b 2021-04-15 stsp href="https://man.openbsd.org/iwi.4">iwi(4)</a> drivers.
573 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> attach to
574 51665615 2021-04-16 stsp AX201 devices with PCI IDs 0x34f0 and 0x06f0. Needs <a
575 7557f135 2021-04-10 benno href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
576 7557f135 2021-04-10 benno <li>Fixed a problem where <a
577 7557f135 2021-04-10 benno href="https://man.openbsd.org/iwn.4">iwn(4)</a> firmware would
578 7557f135 2021-04-10 benno generate bogus block ack requests and stall traffic.
579 2c309e0b 2021-04-15 stsp <li>Fixed automatic channel selection in the <a
580 2c309e0b 2021-04-15 stsp href="https://man.openbsd.org/athn.4">athn(4)</a> driver
581 2c309e0b 2021-04-15 stsp when running in hostap or monitor mode.
582 3313bdf7 2021-03-24 deraadt </ul>
583 3313bdf7 2021-03-24 deraadt
584 3313bdf7 2021-03-24 deraadt <li>IEEE 802.11 wireless stack improvements and bugfixes:
585 3313bdf7 2021-03-24 deraadt <ul>
586 174761b9 2021-04-14 stsp <li>Fixed length calculations in <a
587 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
588 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/iwx.4">iwx(4)</a> when there are
589 d07c24c0 2021-04-07 benno multiple MPDUs in one packet.
590 174761b9 2021-04-14 stsp <li>Fixed 802.11n interoperability with access points that offer
591 174761b9 2021-04-14 stsp management frame protection.
592 174761b9 2021-04-14 stsp <li>Flush the A-MPDU reorder buffer after gap timeout to prevent
593 174761b9 2021-04-14 stsp frames from remaining in the buffer until the next frame
594 174761b9 2021-04-14 stsp is received.
595 174761b9 2021-04-14 stsp <li>Avoid spurious "input packet decapsulations failed" errors in
596 d07c24c0 2021-04-07 benno <a href="https://man.openbsd.org/netstat.1">netstat(1)</a> -W with
597 d07c24c0 2021-04-07 benno A-MSDU enabled.
598 2c309e0b 2021-04-15 stsp <li>Fixed automatic selection of the 11a/b/g/n/ac operating mode when
599 53285ed7 2021-04-18 stsp the interface is running as an access point.
600 da18eb33 2021-04-17 krw <li>Ensured crypto keys are installed before the link is brought up.
601 3313bdf7 2021-03-24 deraadt </ul>
602 3313bdf7 2021-03-24 deraadt
603 3313bdf7 2021-03-24 deraadt <li>Generic network stack improvements and bugfixes:
604 3313bdf7 2021-03-24 deraadt <ul>
605 753672c4 2021-04-09 benno <li>Removed the maxburst feature from tcp_output().
606 75816ebe 2021-04-17 bluhm Sending out TCP segments was limited to 4 packets per burst.
607 2e4c8601 2021-04-19 jsg This did not scale well on high bandwidth, high latency links.
608 75816ebe 2021-04-17 bluhm Especially when the receiving side delays ACK packets
609 75816ebe 2021-04-17 bluhm aggressively, the maxburst limitation could seriously reduce
610 75816ebe 2021-04-17 bluhm TCP throughput per connection.
611 753672c4 2021-04-09 benno <li>Added a MONITOR feature to interfaces. Packets received on these
612 753672c4 2021-04-09 benno interfaces do not enter the network stack for further processing. This
613 753672c4 2021-04-09 benno can be used to watch traffic, for example with <a
614 753672c4 2021-04-09 benno href="https://man.openbsd.org/bpf.4">bpf(4)</a> without risk of the packets
615 753672c4 2021-04-09 benno interfering with the system.
616 7476d2f7 2021-04-05 benno
617 753672c4 2021-04-09 benno <li>Added etherbridge, the internals of a reusable learning bridge
618 753672c4 2021-04-09 benno interface providing common code reusable for other drivers needing a
619 753672c4 2021-04-09 benno mac learning bridge.
620 753672c4 2021-04-09 benno <li>Introduced <a href="https://man.openbsd.org/veb.4">veb(4)</a>, a
621 753672c4 2021-04-09 benno Virtual Ethernet Bridge driver.
622 7476d2f7 2021-04-05 benno
623 7557f135 2021-04-10 benno <li>Added the ability to force the selection of source IP address for
624 7557f135 2021-04-10 benno programs that do not specify a source IP, overriding the default
625 7557f135 2021-04-10 benno source IP selection algorithm. This is configurable via <a
626 7557f135 2021-04-10 benno href="https://man.openbsd.org/route.8">route(8)</a>
627 29903f23 2021-04-12 tb <code>sourceaddr</code> command.
628 753672c4 2021-04-09 benno
629 cfb1853e 2021-04-14 job <li>Bring interfaces up when autoconfiguration for inet or inet6 is
630 7557f135 2021-04-10 benno enabled (AUTOCONF4 or AUTOCONF6 flags).
631 7557f135 2021-04-10 benno <li>Adjust terminology in <a
632 7557f135 2021-04-10 benno href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to refer to
633 7557f135 2021-04-10 benno "temporary address extensions" rather than the former "privacy
634 7557f135 2021-04-10 benno extensions," including the addition of an AUTOCONF6TEMP flag (to
635 32e14492 2021-04-24 namn replace the negative flag "INET6_NOPRIVACY"). The autoconfprivacy
636 32e14492 2021-04-24 namn option in <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
637 7557f135 2021-04-10 benno has been deprecated.
638 7557f135 2021-04-10 benno <li>Made it possible to disable the "autoconf" flag but keep
639 7557f135 2021-04-10 benno "temporary" enabled in <a
640 7557f135 2021-04-10 benno href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
641 7557f135 2021-04-10 benno <li>For IPv6 addresses, added tracking of address proposal creation
642 7557f135 2021-04-10 benno times to be able to establish total lifetime. This information is used
643 7557f135 2021-04-10 benno to renew pltime/vltime of privacy addresses per RFC 4941.
644 753672c4 2021-04-09 benno
645 7557f135 2021-04-10 benno <li>Prevented kernel reuse of mbuf memory when generating the ICMP6
646 7557f135 2021-04-10 benno response to an IPv6 packet.
647 32e14492 2021-04-24 namn <li>Use the Toeplitz hash algorithm to set a flowid for TCP packets,
648 7557f135 2021-04-10 benno which in turn is used to choose the tx ring on network cards with
649 7557f135 2021-04-10 benno multiple rings.
650 7557f135 2021-04-10 benno <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> on macppc
651 7557f135 2021-04-10 benno by keeping track of allowed ips pointer correctly.
652 7557f135 2021-04-10 benno <li>Fixed <a href="https://man.openbsd.org/wg.4">wg(4)</a> ioctl to
653 7557f135 2021-04-10 benno handle multiple wgpeers.
654 7557f135 2021-04-10 benno <li>Fixed a race between tx/rx handshakes in <a
655 7557f135 2021-04-10 benno href="https://man.openbsd.org/wg.4">wg(4)</a>.
656 7557f135 2021-04-10 benno <li>Prevented a potential hang when trying to remove a <a
657 7557f135 2021-04-10 benno href="https://man.openbsd.org/tun.4">tun(4)</a> interface.
658 7557f135 2021-04-10 benno <li>Used the correct rdomain when adding and deleting routes with <a
659 7557f135 2021-04-10 benno href="https://man.openbsd.org/mpip.4">mpip(4)</a> and <a
660 7557f135 2021-04-10 benno href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
661 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
662 7557f135 2021-04-10 benno "-mplslabel" work with <a
663 7557f135 2021-04-10 benno href="https://man.openbsd.org/mpw.4">mpw(4)</a>.
664 3313bdf7 2021-03-24 deraadt </ul>
665 3313bdf7 2021-03-24 deraadt
666 7557f135 2021-04-10 benno <li>Installer and upgrade improvements:
667 3313bdf7 2021-03-24 deraadt <ul>
668 d07c24c0 2021-04-07 benno <li>Prevented a race in <a
669 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> privsep
670 d07c24c0 2021-04-07 benno which could cause autoinstall to fail by calling <a
671 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/ftp.1">ftp(1)</a> without a local
672 d07c24c0 2021-04-07 benno address.
673 d07c24c0 2021-04-07 benno <li>Fixed hangs on amd64 bsd.rd due to misreported core clock
674 d07c24c0 2021-04-07 benno frequency on newer Intel Comet Lake models.
675 7557f135 2021-04-10 benno <li>Began distributing the gzip'd version of bsd.rd on all platforms
676 7557f135 2021-04-10 benno with boot methods supporting it.
677 7557f135 2021-04-10 benno <li>Fixed a problem which prevented use of <a
678 7557f135 2021-04-10 benno href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> when an
679 7557f135 2021-04-10 benno interface failed to come up and <a
680 7557f135 2021-04-10 benno href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> didn't
681 7557f135 2021-04-10 benno notice link-timeout expiration.
682 7557f135 2021-04-10 benno <li>Prevented <a
683 7557f135 2021-04-10 benno href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> from
684 7557f135 2021-04-10 benno adjusting the swap 'b' partition size if physmem is zero to keep the
685 7557f135 2021-04-10 benno auto-allocate code from putting a filesystem on that partition.
686 7557f135 2021-04-10 benno <li>Emulate "[inet] autoconf" <a
687 7557f135 2021-04-10 benno href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> lines
688 7557f135 2021-04-10 benno with "dhcp" so users testing <a
689 7557f135 2021-04-10 benno href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> will
690 7557f135 2021-04-10 benno still be able to upgrade manually while the installer uses only <a
691 7557f135 2021-04-10 benno href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
692 da18eb33 2021-04-17 krw <li>Restored <a
693 da18eb33 2021-04-17 krw href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a>
694 da18eb33 2021-04-17 krw to the group of network configuration files used during upgrades.
695 d07c24c0 2021-04-07 benno
696 3313bdf7 2021-03-24 deraadt </ul>
697 3313bdf7 2021-03-24 deraadt
698 3313bdf7 2021-03-24 deraadt <li>Security improvements:
699 3313bdf7 2021-03-24 deraadt <ul>
700 022f5897 2021-04-11 benno <li>Added notices to syslog whenever the "%n" format string component
701 022f5897 2021-04-11 benno of <a href="https://man.openbsd.org/printf.3">printf(3)</a> is used.
702 022f5897 2021-04-11 benno <li>Removed workaround permitting Go executables to do syscalls
703 022f5897 2021-04-11 benno directly, forcing them to use shared libc like all other dynamic
704 022f5897 2021-04-11 benno binaries.
705 3313bdf7 2021-03-24 deraadt </ul>
706 3313bdf7 2021-03-24 deraadt
707 3313bdf7 2021-03-24 deraadt <li>Routing daemons and other userland network improvements:
708 3313bdf7 2021-03-24 deraadt <ul>
709 7557f135 2021-04-10 benno <li>The <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> daemon saw the following changes:
710 7557f135 2021-04-10 benno <ul>
711 bc70522f 2021-04-21 claudio <li>Introduced <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
712 bc70522f 2021-04-21 claudio <code>rde evaluate all</code> to reduce path hiding in IXP
713 bc70522f 2021-04-21 claudio route-server environments.
714 bc70522f 2021-04-21 claudio <li>Added RTR support to <a href="https://man.openbsd.org/bgpd.8">OpenBGPD</a>.
715 d07c24c0 2021-04-07 benno <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
716 bc70522f 2021-04-21 claudio "show rtr" to display basic information about RTR sessions.
717 bc70522f 2021-04-21 claudio <li>Added <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
718 d07c24c0 2021-04-07 benno "show sets" to display information about the roa-set, as-sets and
719 d07c24c0 2021-04-07 benno prefix-sets loaded into <a
720 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
721 bc70522f 2021-04-21 claudio <li>Properly implemented "rde med compare strict" in <a
722 bc70522f 2021-04-21 claudio href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and ensured that the
723 bc70522f 2021-04-21 claudio order of prefixes is always correct.
724 bc70522f 2021-04-21 claudio <li>Introduced a send hold timer in <a
725 bc70522f 2021-04-21 claudio href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> to detect stalls on
726 bc70522f 2021-04-21 claudio the sending side of a TCP connection, acting as a last resort to
727 bc70522f 2021-04-21 claudio detect faulty peers.
728 753672c4 2021-04-09 benno <li>Introduced the <a
729 753672c4 2021-04-09 benno href="https://man.openbsd.org/bgpd.conf.5">bgpd.conf(5)</a> per
730 753672c4 2021-04-09 benno neighbor and global config option "reject as-set yes/no" to allow
731 753672c4 2021-04-09 benno rejection of received UPDATES with AS_SET segments. These rejected
732 753672c4 2021-04-09 benno prefixes can be viewed with <a
733 753672c4 2021-04-09 benno href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> "show rib in
734 753672c4 2021-04-09 benno error".
735 bc70522f 2021-04-21 claudio <li>No longer allow configuration of the same neighbor multiple
736 bc70522f 2021-04-21 claudio times in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>.
737 32e14492 2021-04-24 namn <li><a href="https://man.openbsd.org/pf.4">pf(4)</a> tables now track
738 bc70522f 2021-04-21 claudio prefixes correctly even when received by multiple sessions.
739 bc70522f 2021-04-21 claudio <li>Fixed a memory leak when parsing <a
740 bc70522f 2021-04-21 claudio href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa-set lists.
741 7557f135 2021-04-10 benno </ul>
742 d07c24c0 2021-04-07 benno
743 7557f135 2021-04-10 benno <li>The <a
744 7557f135 2021-04-10 benno href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and <a
745 32e14492 2021-04-24 namn href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> routing
746 32e14492 2021-04-24 namn daemons were refactored to keep the code similar to
747 32e14492 2021-04-24 namn changes in other routing daemons and to improve maintainability.<br>
748 ed87940d 2021-04-21 claudio Additionally, support for point-to-point interfaces in <a
749 32e14492 2021-04-24 namn href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> was fixed and <a
750 ed87940d 2021-04-21 claudio href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> now works with
751 ed87940d 2021-04-21 claudio point-to-point interfaces which use a common IP address.
752 753672c4 2021-04-09 benno
753 822e4650 2021-04-19 jsg <li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:
754 7557f135 2021-04-10 benno <ul>
755 7557f135 2021-04-10 benno <li>Relaxed checks in <a
756 7557f135 2021-04-10 benno href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> and <a
757 7557f135 2021-04-10 benno href="https://man.openbsd.org/pf.4">pf(4)</a> to accept any valid
758 7557f135 2021-04-10 benno routing domain, even if it does not yet exist.
759 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
760 7557f135 2021-04-10 benno detect and reject bogus ranges before loading the ruleset to prevent a
761 7557f135 2021-04-10 benno panic.
762 7557f135 2021-04-10 benno <li>Changed route-to in <a
763 7557f135 2021-04-10 benno href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a> to send
764 7557f135 2021-04-10 benno packets to IPs instead of interfaces.
765 7557f135 2021-04-10 benno <li>Changed pf_route so <a
766 7557f135 2021-04-10 benno href="https://man.openbsd.org/pf.4">pf(4)</a> only runs when packets
767 7557f135 2021-04-10 benno enter and leave the stack. Running the same packet through pf multiple
768 7557f135 2021-04-10 benno times creates confusion for the state table. By default, pf states are
769 7557f135 2021-04-10 benno floating, meaning that packets are matched to states regardless of
770 7557f135 2021-04-10 benno which interface they're going over. This diff avoids multiple pf(4)
771 7557f135 2021-04-10 benno traversals of one packet causing confusion in the state table.
772 7557f135 2021-04-10 benno <li>Prevented the kernel from being stuck in an endless recursion
773 7557f135 2021-04-10 benno during TCP path MTU discovery when <a
774 7557f135 2021-04-10 benno href="https://man.openbsd.org/pf.4">pf(4)</a> changes the routing
775 7557f135 2021-04-10 benno table when sending packets.
776 7557f135 2021-04-10 benno <li>When cutting off the head of an overlapping fragment during <a
777 7557f135 2021-04-10 benno href="https://man.openbsd.org/pf.4">pf(4)</a> reassembly, reinserted
778 7557f135 2021-04-10 benno the fragment into the lookup table with the correct index.
779 da18eb33 2021-04-17 krw
780 da18eb33 2021-04-17 krw <li>Improved
781 71d2eb25 2024-04-20 bentley <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> logging to report the reasons
782 da18eb33 2021-04-17 krw a transfer failed.
783 da18eb33 2021-04-17 krw
784 7557f135 2021-04-10 benno </ul>
785 753672c4 2021-04-09 benno
786 7557f135 2021-04-10 benno <li>IPSEC support in the kernel and the <a href="https://man.openbsd.org/iked.8">iked(8)</a> userland daemon:
787 7557f135 2021-04-10 benno <ul>
788 7476d2f7 2021-04-05 benno <li>Added support to request IP addresses as IKEv2 initiator to <a
789 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.8">iked(8)</a>. If 'request addr
790 7476d2f7 2021-04-05 benno 0.0.0.0' is configured, any address will be accepted.
791 7476d2f7 2021-04-05 benno <li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> accept
792 7476d2f7 2021-04-05 benno ANY dynamic address with 'request addr 0.0.0.0'.
793 7476d2f7 2021-04-05 benno <li>Added 'dynamic' keyword to <a
794 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> to allow
795 7476d2f7 2021-04-05 benno configuration of flows to dynamically assigned addresses.
796 7476d2f7 2021-04-05 benno <li>Added the 'any' keyword to <a
797 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.conf.5">iked.conf(5)</a> for
798 7476d2f7 2021-04-05 benno requests to allow "request address any".
799 7476d2f7 2021-04-05 benno <li>Enabled <a href="https://man.openbsd.org/iked.8">iked(8)</a>
800 7476d2f7 2021-04-05 benno support for ASN1_DN ipsec identifiers.
801 7476d2f7 2021-04-05 benno <li>Implemented <a href="https://man.openbsd.org/iked.8">iked(8)</a>
802 7476d2f7 2021-04-05 benno "from dynamic," installing flows where "dynamic" is replaced by the
803 7476d2f7 2021-04-05 benno received dynamic IP address.
804 7476d2f7 2021-04-05 benno <li>Made sure not to replace 0.0.0.0 with a dynamic address in <a
805 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.8">iked(8)</a> if it is a network
806 7476d2f7 2021-04-05 benno address.
807 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> -s
808 7476d2f7 2021-04-05 benno socket option to specify a control socket.
809 7476d2f7 2021-04-05 benno <li>Used a counter instead of random IV for AES-GCM in <a
810 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.8">iked(8)</a>, eliminating the
811 7476d2f7 2021-04-05 benno risk of random collisions.
812 7476d2f7 2021-04-05 benno <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
813 7476d2f7 2021-04-05 benno support for multiple address pools.
814 7476d2f7 2021-04-05 benno <li>Added the <a href="https://man.openbsd.org/iked.8">iked(8)</a>
815 7476d2f7 2021-04-05 benno "set stickyaddress" option, which attempts to assign the same "config
816 7476d2f7 2021-04-05 benno address" when an IKESA is negotiated with the DSTID of an existing
817 7476d2f7 2021-04-05 benno IKESA.
818 7476d2f7 2021-04-05 benno <li>Ensured rekeying of every child SA in <a
819 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/iked.8">iked(8)</a>.
820 d07c24c0 2021-04-07 benno <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
821 d07c24c0 2021-04-07 benno for RSASSA-PSS signature verification (RFC 7427).
822 d07c24c0 2021-04-07 benno <li>Corrected the first packet of an <a
823 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> SA to have
824 d07c24c0 2021-04-07 benno sequence number 1.
825 d07c24c0 2021-04-07 benno <li>Accepted reject and blackhole routes for IPsec PMTU discovery.
826 d07c24c0 2021-04-07 benno <li>Prevented leaking of ipsec_hosts in <a
827 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/iked.8">iked(8)</a> when building
828 d07c24c0 2021-04-07 benno hosts_list.
829 d07c24c0 2021-04-07 benno <li>Prevented initiation of new additional SAs for each policy upon
830 d07c24c0 2021-04-07 benno every <a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a> config
831 d07c24c0 2021-04-07 benno reload.
832 d07c24c0 2021-04-07 benno <li>Fixed "any" and "dynamic" keywords for flows in <a
833 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/iked.8">iked(8)</a> and added proper
834 d07c24c0 2021-04-07 benno IPv6 support.
835 bbfd61a9 2021-04-09 benno <li>Created a path MTU host route for <a
836 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/ipsec.4">IPsec(4)</a> over IPv6.
837 753672c4 2021-04-09 benno <li>Added support for INVALID_KE_PAYLOAD in <a
838 753672c4 2021-04-09 benno href="https://man.openbsd.org/iked.8">iked(8)</a> CREATE_CHILD_SA
839 753672c4 2021-04-09 benno exchange.
840 753672c4 2021-04-09 benno <li>Added support for RSA-PSS PKCS1 signatures to <a
841 753672c4 2021-04-09 benno href="https://man.openbsd.org/iked.8">iked(8)</a>.
842 753672c4 2021-04-09 benno <li>Fixed path MTU discovery for ESP tunnels in IPv6.
843 753672c4 2021-04-09 benno <li>Upgraded to OpenSSL 1.1 compatible crypto API in <a
844 753672c4 2021-04-09 benno href="https://man.openbsd.org/iked.8">iked(8)</a>.
845 753672c4 2021-04-09 benno <li>Added an optional "group none" transform for child SAs in <a
846 753672c4 2021-04-09 benno href="https://man.openbsd.org/iked.8">iked(8)</a> to ensure the
847 753672c4 2021-04-09 benno ability to negotiate optional PFS.
848 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
849 753672c4 2021-04-09 benno dynamic address configuration for roadwarrior clients, with a new
850 753672c4 2021-04-09 benno "iface" config option which can be used to specify an interface for
851 753672c4 2021-04-09 benno the virtual addresses received from the peer.
852 7557f135 2021-04-10 benno <li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
853 7557f135 2021-04-10 benno interop problem with strongswan if make-before-break is enabled.
854 7557f135 2021-04-10 benno </ul>
855 7476d2f7 2021-04-05 benno
856 27cfc7c7 2021-04-11 tb <li>The <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> webserver saw numerous improvements:
857 7557f135 2021-04-10 benno <ul>
858 7557f135 2021-04-10 benno <li>Prevented a crash due to
859 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> listening on port
860 7557f135 2021-04-10 benno 443 with missing TLS certificates.
861 7557f135 2021-04-10 benno <li>Created a new "location (found|notfound)" option for
862 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a> to allow
863 7557f135 2021-04-10 benno testing for resource path existence.
864 7557f135 2021-04-10 benno <li>Fixed detection of duplicate locations in <a
865 7557f135 2021-04-10 benno href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
866 7557f135 2021-04-10 benno <li>Fixed leak of access and error log filenames on config reload in
867 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
868 7557f135 2021-04-10 benno <li>Avoid leaking the log message in
869 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>'s
870 7557f135 2021-04-10 benno server_sendlog.
871 7557f135 2021-04-10 benno <li>Incorrect order of
872 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/close.2">close(2)</a> and
873 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
874 27cfc7c7 2021-04-11 tb together with a bug in libssl led to leaking memory in
875 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
876 7557f135 2021-04-10 benno for each TLS connection.
877 7557f135 2021-04-10 benno <li>Fixed the <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
878 7557f135 2021-04-10 benno example configuration not to generate errors when running without TLS
879 7557f135 2021-04-10 benno keys already in place.
880 f3c3ea58 2021-04-12 tb <li>Optimized disk reads of
881 7557f135 2021-04-10 benno <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
882 7557f135 2021-04-10 benno by using st_blocksize as high water mark instead of
883 7557f135 2021-04-10 benno the socket buffer size.
884 f3c3ea58 2021-04-12 tb <li>Do not compare TLS config params for non-TLS servers.
885 f3c3ea58 2021-04-12 tb This allows using <code>listen on * port 80</code> and
886 f3c3ea58 2021-04-12 tb <code>listen on * port 443</code> in the same server block in
887 f3c3ea58 2021-04-12 tb <a href="https://man.openbsd.org/httpd.conf.5">httpd.conf(5)</a>.
888 7557f135 2021-04-10 benno </ul>
889 7476d2f7 2021-04-05 benno
890 cc7e5f7f 2021-04-11 benno <li><a
891 cc7e5f7f 2021-04-11 benno href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
892 cc7e5f7f 2021-04-11 benno received the following new features and bugfixes:
893 7557f135 2021-04-10 benno <ul>
894 b31f5713 2021-04-15 benno <li>Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support
895 b31f5713 2021-04-15 benno as a 'technology preview'. To enable it, pass the "-r" flag.
896 b4e3f406 2021-04-15 benno <li>Support the use of more than one URI in the TAL file,
897 7557f135 2021-04-10 benno sorting with a preference for https.
898 b4e3f406 2021-04-15 benno <li>Validation of ghostbuster records (RFC 6493).
899 b4e3f406 2021-04-15 benno <li>Fixed checks of the manifest validity interval.
900 b4e3f406 2021-04-15 benno <li>The rsync connection is now killed when the rsync server stalls.
901 b4e3f406 2021-04-15 benno <li>Limited the URL embedded in .cer files to
902 b4e3f406 2021-04-15 benno alphanumeric characters and punctuation.
903 b4e3f406 2021-04-15 benno <li>Added a "-V" option to show version.
904 7557f135 2021-04-10 benno <li>Included the default cert.pem file path in tls_load_file error
905 b4e3f406 2021-04-15 benno messages.
906 7557f135 2021-04-10 benno </ul>
907 7476d2f7 2021-04-05 benno
908 cc7e5f7f 2021-04-11 benno <li>The <a href="https://man.openbsd.org/dig.1">dig(1)</a> DNS
909 cc7e5f7f 2021-04-11 benno utility received the following updates:
910 7557f135 2021-04-10 benno <ul>
911 d07c24c0 2021-04-07 benno <li>Implemented RFC 8914 Extended DNS Errors for <a
912 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dig.1">dig(1)</a>.
913 d07c24c0 2021-04-07 benno <li>Fixed <a href="https://man.openbsd.org/dig.1">dig(1)</a> EDNS
914 d07c24c0 2021-04-07 benno Client Subnet option (+subnet=).
915 d07c24c0 2021-04-07 benno <li>Fixed IPv6 link-local address handling for nameservers to talk to
916 32e14492 2021-04-24 namn and for address to bind to in <a
917 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dig.1">dig(1)</a>.
918 7557f135 2021-04-10 benno <li>Implemented ZONEMD (RFC 8976) in <a
919 7557f135 2021-04-10 benno href="https://man.openbsd.org/dig.1">dig(1)</a> to convey a message
920 7557f135 2021-04-10 benno digest of the content of a DNS zone.
921 7557f135 2021-04-10 benno </ul>
922 d07c24c0 2021-04-07 benno
923 7557f135 2021-04-10 benno <li>Changes to <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>:
924 7557f135 2021-04-10 benno <ul>
925 d07c24c0 2021-04-07 benno <li>Fixed incorrect behavior when using <a
926 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dhclient.conf.5">dhclient.conf(5)</a> to
927 d07c24c0 2021-04-07 benno change the lease renew/rebind/expiry timing.
928 d07c24c0 2021-04-07 benno <li>Allowed the provision of <a
929 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> options on
930 d07c24c0 2021-04-07 benno "dhcp" lines in <a
931 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a> files.
932 da18eb33 2021-04-17 krw <li>Converted all timers from
933 da18eb33 2021-04-17 krw <a
934 da18eb33 2021-04-17 krw href="https://man.openbsd.org/time.3">time(3)</a> values
935 da18eb33 2021-04-17 krw to <a
936 da18eb33 2021-04-17 krw href="https://man.openbsd.org/clock_gettime.2">clock_gettime(2)</a>
937 da18eb33 2021-04-17 krw CLOCK_MONOTONIC values.
938 da18eb33 2021-04-17 krw <li>Removed -L command line option.
939 da18eb33 2021-04-17 krw <li>Improved debug output.
940 da18eb33 2021-04-17 krw <li>Improved re-acquisition of a previous address by immediately
941 da18eb33 2021-04-17 krw accepting any OFFER for the address, rather than waiting for
942 da18eb33 2021-04-17 krw 'select-timeout' to expire.
943 2e4c8601 2021-04-19 jsg <li>Exit immediately if the -c option specifies a non-existent file.
944 da18eb33 2021-04-17 krw <li>Exit immediately if the -i option contains invalid information.
945 da18eb33 2021-04-17 krw </ul>
946 7476d2f7 2021-04-05 benno
947 7557f135 2021-04-10 benno <li>Two new daemons, <a
948 7557f135 2021-04-10 benno href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
949 7557f135 2021-04-10 benno href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> were added.
950 7557f135 2021-04-10 benno These work alongside <a
951 7557f135 2021-04-10 benno href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
952 7557f135 2021-04-10 benno href="https://man.openbsd.org/unwind.8">unwind(8)</a> to provide a
953 a320f26f 2021-04-12 fcambus coherent and simple automatic configuration of network interfaces and
954 7557f135 2021-04-10 benno DNS resolution.<br>
955 7557f135 2021-04-10 benno The two daemons are not enabled by default for now, but can be tested
956 a320f26f 2021-04-12 fcambus by enabling them with <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>.
957 7557f135 2021-04-10 benno <ul>
958 7557f135 2021-04-10 benno <li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>
959 7557f135 2021-04-10 benno implements the DHCP protocol to acquire IPv4 address leases from
960 7557f135 2021-04-10 benno servers.
961 7557f135 2021-04-10 benno <li><a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
962 7557f135 2021-04-10 benno manages the content of <a
963 7557f135 2021-04-10 benno href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> based
964 47aedd3b 2021-04-16 deraadt on nameserver proposals from
965 47aedd3b 2021-04-16 deraadt <a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>,
966 47aedd3b 2021-04-16 deraadt <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, and
967 47aedd3b 2021-04-16 deraadt drivers like <a href="https://man.openbsd.org/umb.4">umb(4)</a>.
968 7557f135 2021-04-10 benno </ul>
969 782aa9d7 2021-04-15 martijn
970 782aa9d7 2021-04-15 martijn <li>Changes to snmp related tools:
971 782aa9d7 2021-04-15 martijn <ul>
972 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/agentx.3">libagentx(3)</a> moved its
973 782aa9d7 2021-04-15 martijn API prefix from subagentx_ to agentx_.
974 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/agentx.3">agentx_varbind_integer(3)</a>
975 782aa9d7 2021-04-15 martijn now accepts an int32_t as per SMI/RFC 2578.
976 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/agentx.3">agentx_varbind_unsigned32(3)</a>
977 782aa9d7 2021-04-15 martijn has been added as an alias for
978 782aa9d7 2021-04-15 martijn <a href="https://man.openbsd.org/agentx.3">agentx_varbind_gauge32(3)</a>.
979 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> no
980 782aa9d7 2021-04-15 martijn longer accepts the old <code>listen on address [tcp|udp]</code>
981 782aa9d7 2021-04-15 martijn syntax. Only the new <code>listen on [tcp|udp] address</code>
982 32e14492 2021-04-24 namn syntax is now supported.
983 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now fully
984 32e14492 2021-04-24 namn implements RFC3584 Trapv1 to Trapv2 conversion for the
985 32e14492 2021-04-24 namn <code>trap handle</code>.
986 782aa9d7 2021-04-15 martijn <li>sysUpTime and snmpTrapOID now respect
987 32e14492 2021-04-24 namn <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>'s -N flag,
988 32e14492 2021-04-24 namn similar to the other values sent by the <code>trap handle</code>.
989 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a> now
990 782aa9d7 2021-04-15 martijn accepts the <code>read</code>, <code>write</code>, and
991 32e14492 2021-04-24 namn <code>notify</code> keywords. This allows for request type
992 782aa9d7 2021-04-15 martijn filtering per <code>listen on</code> statement and custom
993 32e14492 2021-04-24 namn <code>trap handle</code> ports.
994 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a> now has initial
995 782aa9d7 2021-04-15 martijn support for SMI enums. For now only TruthValue is implemented
996 782aa9d7 2021-04-15 martijn on ifPromiscuousMode and ifConnectorPresent.
997 782aa9d7 2021-04-15 martijn <li><a href="https://man.openbsd.org/snmp.1">snmp(1)</a> now interprets
998 782aa9d7 2021-04-15 martijn the "u" data type as unsigned integer.
999 782aa9d7 2021-04-15 martijn </ul>
1000 782aa9d7 2021-04-15 martijn
1001 7557f135 2021-04-10 benno <li>Other userland network changes:
1002 7557f135 2021-04-10 benno <ul>
1003 7557f135 2021-04-10 benno <li>Fixed <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a> cert
1004 7557f135 2021-04-10 benno and key path inference for absolute paths.
1005 7557f135 2021-04-10 benno <li>Fixed incorrect cast in a
1006 a83b41e9 2023-12-14 sdk <a href="https://man.openbsd.org/vsnprintf.3">vsnprintf(3)</a>
1007 7557f135 2021-04-10 benno error check
1008 7557f135 2021-04-10 benno in <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1009 7557f135 2021-04-10 benno <li>Applied <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
1010 7557f135 2021-04-10 benno to <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>.
1011 7476d2f7 2021-04-05 benno
1012 7476d2f7 2021-04-05 benno <li>Changed <a href="https://man.openbsd.org/ping.8">ping(8)</a> to
1013 32e14492 2021-04-24 namn drain the raw socket of packets received before it is fully set up to
1014 7476d2f7 2021-04-05 benno avoid reporting ICMP responses intended for other instances of ping(8)
1015 7476d2f7 2021-04-05 benno running in parallel.
1016 753672c4 2021-04-09 benno <li>Added <a href="https://man.openbsd.org/ping.8">ping(8)</a> -g
1017 753672c4 2021-04-09 benno option to provide a visual display of packets received and lost.
1018 7476d2f7 2021-04-05 benno
1019 7476d2f7 2021-04-05 benno <li>Changed <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
1020 7476d2f7 2021-04-05 benno Duplicate Address Detection (DAD) to only generate a new address if we
1021 7476d2f7 2021-04-05 benno are using Semantically Opaque Interface Identifiers.
1022 7476d2f7 2021-04-05 benno <li>Handled an autoconf interface changing its rdomain in <a
1023 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
1024 7557f135 2021-04-10 benno <li>Completed <a
1025 7557f135 2021-04-10 benno href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> implementation
1026 7557f135 2021-04-10 benno of RFC 8981 temporary address extensions.
1027 7557f135 2021-04-10 benno
1028 ee9322f9 2021-04-10 tb <li>Do not leak the domains listed in
1029 ee9322f9 2021-04-10 tb <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>'s
1030 ee9322f9 2021-04-10 tb blocklist file on each config reload.
1031 ee9322f9 2021-04-10 tb <li>Do not leak duplicate domain nodes when loading the
1032 ee9322f9 2021-04-10 tb <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>
1033 ee9322f9 2021-04-10 tb config.
1034 7476d2f7 2021-04-05 benno <li>Fixed rare crashes of <a
1035 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/unwind.8">unwind(8)</a> when DNS answers
1036 7476d2f7 2021-04-05 benno are larger than the maximum imsg size.
1037 bbfd61a9 2021-04-09 benno <li>Implemented <a
1038 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/unwind.8">unwind(8)</a> listening on
1039 bbfd61a9 2021-04-09 benno TCP.
1040 753672c4 2021-04-09 benno <li>Implemented DNS64 synthesis in <a
1041 753672c4 2021-04-09 benno href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
1042 753672c4 2021-04-09 benno <li>Disabled logging to <a
1043 753672c4 2021-04-09 benno href="https://man.openbsd.org/syslog.3">syslog(3)</a> for libunbound
1044 753672c4 2021-04-09 benno with <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>. This does
1045 753672c4 2021-04-09 benno not prevent logging to stderr with "unwind -d".
1046 bbfd61a9 2021-04-09 benno
1047 7476d2f7 2021-04-05 benno <li>Added a simple --timeout implementation to <a
1048 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
1049 7557f135 2021-04-10 benno <li>Added the <a href="https://man.openbsd.org/rsync.1">rsync(1)</a>
1050 7557f135 2021-04-10 benno option --no-motd to suppress the information output by the client at
1051 7557f135 2021-04-10 benno the start of a daemon transfer.
1052 7476d2f7 2021-04-05 benno <li>Added support for the use of !command to <a
1053 7476d2f7 2021-04-05 benno href="https://man.openbsd.org/mygate.5">mygate(5)</a>, so that
1054 7476d2f7 2021-04-05 benno netstart has a late opportunity to perform network configuration.
1055 d07c24c0 2021-04-07 benno <li>Made <a href="https://man.openbsd.org/rad.8">rad(8)</a> handle
1056 d07c24c0 2021-04-07 benno multiple rdomains in a single daemon (instead of running it in
1057 d07c24c0 2021-04-07 benno multiple rdomains).
1058 d07c24c0 2021-04-07 benno <li>Added a specific headline to <a
1059 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/netstat.1">netstat(1)</a> for TCP state
1060 d07c24c0 2021-04-07 benno and IP protocol.
1061 bbfd61a9 2021-04-09 benno <li>Handle permanent redirects (RFC 7538) in <a
1062 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch.
1063 753672c4 2021-04-09 benno <li>Introduced <a href="https://man.openbsd.org/ftp.1">ftp(1)</a>
1064 753672c4 2021-04-09 benno support for sending the If-Modified-Since header while fetching over
1065 753672c4 2021-04-09 benno http or https. Switched to using the timestamps from the remote
1066 753672c4 2021-04-09 benno server's Last-Modified header if available when saving local files and
1067 753672c4 2021-04-09 benno introduced the ftp "-u" flag to disable this behavior.
1068 7557f135 2021-04-10 benno <li>Made <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> set
1069 7557f135 2021-04-10 benno timestamps only on files.
1070 753672c4 2021-04-09 benno
1071 bbfd61a9 2021-04-09 benno <li>Added requests for a new certificate without requiring -F when <a
1072 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
1073 bbfd61a9 2021-04-09 benno detects an added or removed SAN in the config file not reflected in
1074 bbfd61a9 2021-04-09 benno the existing certificate on disk.
1075 bbfd61a9 2021-04-09 benno <li>Print rewritten addresses in <a
1076 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> logged with <a
1077 bbfd61a9 2021-04-09 benno href="https://man.openbsd.org/pflog.4">pflog(4)</a> for rdr-to, nat-to
1078 bbfd61a9 2021-04-09 benno and af-to rules.
1079 753672c4 2021-04-09 benno <li>When calling <a
1080 753672c4 2021-04-09 benno href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> with
1081 753672c4 2021-04-09 benno AI_ADDRCONFIG, consider the routing domain when checking for available
1082 753672c4 2021-04-09 benno address families. This ensures that name resolution is only performed
1083 753672c4 2021-04-09 benno for the address families available in the rdomain.
1084 753672c4 2021-04-09 benno <li>Implemented the <a href="https://man.openbsd.org/nc.1">nc(1)</a>
1085 753672c4 2021-04-09 benno -D socket debug option in <a
1086 753672c4 2021-04-09 benno href="https://man.openbsd.org/tcpbench.1">tcpbench(1)</a>, allowing
1087 753672c4 2021-04-09 benno analysis of TCP connections.
1088 ee9322f9 2021-04-10 tb <li>Avoid leaking the help text in
1089 ee9322f9 2021-04-10 tb <a href="https://man.openbsd.org/tcpbench.1">systat(8)</a>.
1090 7557f135 2021-04-10 benno <li>Increased the maximum length for CHAP challenges to 96 octets to
1091 7557f135 2021-04-10 benno ensure <a href="https://man.openbsd.org/npppd.8">npppd(8)</a> can
1092 7557f135 2021-04-10 benno handle longer challenges, such as those sent by Juniper.
1093 7557f135 2021-04-10 benno </ul>
1094 3313bdf7 2021-03-24 deraadt </ul>
1095 3313bdf7 2021-03-24 deraadt
1096 3313bdf7 2021-03-24 deraadt <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
1097 3313bdf7 2021-03-24 deraadt <ul>
1098 d07c24c0 2021-04-07 benno <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> synchronize-panes a pane option and added set-option -U flag to unset an option on all panes.
1099 7557f135 2021-04-10 benno <li>Allowed use of ## and # in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> styles and added a "w" format modifier for width.
1100 7557f135 2021-04-10 benno <li>Added a -C flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> run-shell to use a tmux command rather than a shell command.
1101 7557f135 2021-04-10 benno <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -N flag to never start the server even if the command would normally do so.
1102 7557f135 2021-04-10 benno <li>Added the new <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> -S flag to new-window to select the existing window if one with the given name already exists, rather than failing.
1103 7557f135 2021-04-10 benno <li>Added support for X11 color names and other variations for OSC 10/11 and added OSC 110 and 111 to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
1104 7557f135 2021-04-10 benno <li>Removed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for popups where the content is provided directly to tmux.
1105 7557f135 2021-04-10 benno <li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> "absolute-centre" alignment to use the center of the total space instead of the available space.
1106 7557f135 2021-04-10 benno <li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> split-window -Z to start the pane zoomed.
1107 7557f135 2021-04-10 benno <li>Added client-detached notification in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> control mode.
1108 7557f135 2021-04-10 benno <li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> search-again with vi keys to work like <a href="https://man.openbsd.org/vi.1">vi(1)</a>.
1109 3313bdf7 2021-03-24 deraadt </ul>
1110 3313bdf7 2021-03-24 deraadt
1111 3313bdf7 2021-03-24 deraadt <li>OpenSMTPD 6.9.0
1112 3313bdf7 2021-03-24 deraadt <ul>
1113 d07c24c0 2021-04-07 benno <li>Introduced <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>
1114 d07c24c0 2021-04-07 benno -a to perform authentication before sending a message.
1115 d07c24c0 2021-04-07 benno <li>Fixed a memory leak in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> resolver.
1116 d07c24c0 2021-04-07 benno <li>Prevented a crash due to premature release of resources by the <a
1117 d07c24c0 2021-04-07 benno href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> filter state
1118 d07c24c0 2021-04-07 benno machine.
1119 f8fddfe7 2021-04-10 eric <li>Switch to libtls internally.
1120 f8fddfe7 2021-04-10 eric <li>Change the way SNI works in <a href="https://man.openbsd.org/smtpd.conf.5#pki~2">smtpd.conf(5)</a>.
1121 32e14492 2021-04-24 namn TLS listeners may be configured with multiple certificates.
1122 32e14492 2021-04-24 namn The matching is based on the names included in these certificates.
1123 f8fddfe7 2021-04-10 eric <li>Allow specifying TLS protocols and ciphers per listener and relay action.
1124 3313bdf7 2021-03-24 deraadt </ul>
1125 3313bdf7 2021-03-24 deraadt
1126 67e09a0a 2021-04-20 tb <li>LibreSSL 3.3.2
1127 3313bdf7 2021-03-24 deraadt <ul>
1128 3313bdf7 2021-03-24 deraadt <li>New Features
1129 3313bdf7 2021-03-24 deraadt <ul>
1130 fd2a6fcc 2021-04-15 tb <li>Support for DTLSv1.2.
1131 fd2a6fcc 2021-04-15 tb <li>Continued rewrite of the record layer for the legacy stack.
1132 fd2a6fcc 2021-04-15 tb <li>Numerous bugs and interoperability issues were fixed in the new verifier.
1133 69ce99e8 2021-04-15 tb A few bugs and incompatibilities remain, so this release uses the old
1134 69ce99e8 2021-04-15 tb verifier by default.
1135 fd2a6fcc 2021-04-15 tb <li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
1136 fd2a6fcc 2021-04-15 tb </ul>
1137 7557f135 2021-04-10 benno
1138 fd2a6fcc 2021-04-15 tb <li>Portable Improvements
1139 fd2a6fcc 2021-04-15 tb <ul>
1140 fd2a6fcc 2021-04-15 tb <li>Added '--enable-libtls-only' build option, which builds and installs a
1141 fd2a6fcc 2021-04-15 tb statically-linked libtls, skipping libcrypto and libssl. This is useful
1142 fd2a6fcc 2021-04-15 tb for systems that ship with OpenSSL but wish to also package libtls.
1143 7557f135 2021-04-10 benno
1144 fd2a6fcc 2021-04-15 tb <li>Update getentropy on Windows to use Cryptography Next Generation
1145 fd2a6fcc 2021-04-15 tb (CNG). wincrypt is deprecated and no longer works with newer Windows
1146 fd2a6fcc 2021-04-15 tb environments, such as in Windows Store apps.
1147 3313bdf7 2021-03-24 deraadt </ul>
1148 3313bdf7 2021-03-24 deraadt
1149 3313bdf7 2021-03-24 deraadt <li>API and Documentation Enhancements
1150 3313bdf7 2021-03-24 deraadt <ul>
1151 fd2a6fcc 2021-04-15 tb <li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
1152 fd2a6fcc 2021-04-15 tb draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
1153 fd2a6fcc 2021-04-15 tb
1154 69ce99e8 2021-04-15 tb <li>Add support for
1155 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
1156 69ce99e8 2021-04-15 tb with TLSv1.3.
1157 fd2a6fcc 2021-04-15 tb
1158 fd2a6fcc 2021-04-15 tb <li>Add DTLSv1.2 methods.
1159 fd2a6fcc 2021-04-15 tb
1160 69ce99e8 2021-04-15 tb <li>Implement SSL_is_dtls(3) and use it internally in place of the
1161 fd2a6fcc 2021-04-15 tb SSL_IS_DTLS macro.
1162 fd2a6fcc 2021-04-15 tb
1163 69ce99e8 2021-04-15 tb <li>Provide
1164 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>.
1165 69ce99e8 2021-04-15 tb <li>Add missing prototype for
1166 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/d2i_DSAPrivateKey_fp.3">d2i_DSAPrivateKey_fp(3)</a>
1167 69ce99e8 2021-04-15 tb to x509.h.
1168 fd2a6fcc 2021-04-15 tb
1169 69ce99e8 2021-04-15 tb <li>Add DTLSv1.2 to
1170 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
1171 69ce99e8 2021-04-15 tb s_server and s_client protocol message logging.
1172 fd2a6fcc 2021-04-15 tb
1173 69ce99e8 2021-04-15 tb <li>Provide
1174 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
1175 fd2a6fcc 2021-04-15 tb
1176 69ce99e8 2021-04-15 tb <li>Provide
1177 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
1178 69ce99e8 2021-04-15 tb and
1179 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
1180 69ce99e8 2021-04-15 tb
1181 fd2a6fcc 2021-04-15 tb <li>Provide various DTLSv1.2 specific functions and defines.
1182 fd2a6fcc 2021-04-15 tb
1183 fd2a6fcc 2021-04-15 tb <li>Document meaning of '*' in the genrsa output.
1184 fd2a6fcc 2021-04-15 tb
1185 69ce99e8 2021-04-15 tb <li>Updated documentation for
1186 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>.
1187 fd2a6fcc 2021-04-15 tb
1188 69ce99e8 2021-04-15 tb <li>Add documentation for
1189 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get_finished.3">SSL_get_finished(3)</a>.
1190 fd2a6fcc 2021-04-15 tb
1191 69ce99e8 2021-04-15 tb <li>Document
1192 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>.
1193 fd2a6fcc 2021-04-15 tb
1194 fd2a6fcc 2021-04-15 tb
1195 69ce99e8 2021-04-15 tb <li>Document
1196 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>.
1197 fd2a6fcc 2021-04-15 tb
1198 69ce99e8 2021-04-15 tb <li>Document
1199 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a>
1200 69ce99e8 2021-04-15 tb and
1201 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>.
1202 69ce99e8 2021-04-15 tb
1203 69ce99e8 2021-04-15 tb <li>Update
1204 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_get_version.3">SSL_get_version(3)</a>
1205 69ce99e8 2021-04-15 tb manual for DTLSv1.2 support.
1206 69ce99e8 2021-04-15 tb
1207 fd2a6fcc 2021-04-15 tb <li>Make supported protocols and options for DHE params more prominent
1208 69ce99e8 2021-04-15 tb in <a href="https://man.openbsd.org/tls_config_set_protocols.3">tls_config_set_protocols(3)</a>.
1209 fd2a6fcc 2021-04-15 tb
1210 fd2a6fcc 2021-04-15 tb <li>Various documentation improvements around TLS methods.
1211 3313bdf7 2021-03-24 deraadt </ul>
1212 3313bdf7 2021-03-24 deraadt
1213 3313bdf7 2021-03-24 deraadt <li>Compatibility Changes
1214 3313bdf7 2021-03-24 deraadt <ul>
1215 69ce99e8 2021-04-15 tb <li>Make <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_server
1216 69ce99e8 2021-04-15 tb ignore -4 and -6 for compatibility with OpenSSL.
1217 fd2a6fcc 2021-04-15 tb
1218 69ce99e8 2021-04-15 tb <li>Set SO_REUSEADDR on the server socket in the
1219 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp command.
1220 fd2a6fcc 2021-04-15 tb
1221 69ce99e8 2021-04-15 tb <li>Send a host header with OCSP queries to make
1222 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp
1223 fd2a6fcc 2021-04-15 tb work with some widely used OCSP responders.
1224 fd2a6fcc 2021-04-15 tb
1225 69ce99e8 2021-04-15 tb <li>Add ability to
1226 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
1227 69ce99e8 2021-04-15 tb to parse a port in the specified OCSP URL.
1228 fd2a6fcc 2021-04-15 tb
1229 fd2a6fcc 2021-04-15 tb <li>Implement auto chain for the TLSv1.3 server since some software
1230 fd2a6fcc 2021-04-15 tb relies on this.
1231 fd2a6fcc 2021-04-15 tb
1232 fd2a6fcc 2021-04-15 tb <li>Implement key exporter for TLSv1.3.
1233 69ce99e8 2021-04-15 tb <li>Align <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>
1234 69ce99e8 2021-04-15 tb with OpenSSL. This takes into account that it never returned server
1235 69ce99e8 2021-04-15 tb ciphers, so now it will fail when called from the client side.
1236 fd2a6fcc 2021-04-15 tb
1237 fd2a6fcc 2021-04-15 tb <li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
1238 fd2a6fcc 2021-04-15 tb
1239 69ce99e8 2021-04-15 tb <li>Make
1240 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_CTX_get_min_proto_version.3">SSL{_CTX,}_get_{min,max}_proto_version(3)</a>
1241 69ce99e8 2021-04-15 tb return a version of zero if the minimum or maximum has been set to
1242 69ce99e8 2021-04-15 tb zero to match OpenSSL's behavior.
1243 fd2a6fcc 2021-04-15 tb
1244 69ce99e8 2021-04-15 tb <li>Add DTLSv1.2 support to
1245 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_client/s_server.
1246 3313bdf7 2021-03-24 deraadt </ul>
1247 3313bdf7 2021-03-24 deraadt
1248 3313bdf7 2021-03-24 deraadt <li>Testing and Proactive Security
1249 3313bdf7 2021-03-24 deraadt <ul>
1250 fd2a6fcc 2021-04-15 tb <li>Malformed ASN.1 in a certificate revocation list or a timestamp
1251 fd2a6fcc 2021-04-15 tb response token can lead to a NULL pointer dereference.
1252 3313bdf7 2021-03-24 deraadt
1253 69ce99e8 2021-04-15 tb <li>Pull in fix for
1254 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/EVP_CipherUpdate.3">EVP_CipherUpdate(3)</a>
1255 69ce99e8 2021-04-15 tb overflow from OpenSSL.
1256 3313bdf7 2021-03-24 deraadt
1257 fd2a6fcc 2021-04-15 tb <li>Use EXFLAG_INVALID to handle out of memory and parse errors in
1258 fd2a6fcc 2021-04-15 tb x509v3_cache_extensions().
1259 fd2a6fcc 2021-04-15 tb
1260 69ce99e8 2021-04-15 tb <li>Refactor and clean up
1261 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
1262 69ce99e8 2021-04-15 tb and add regression tests.
1263 3313bdf7 2021-03-24 deraadt </ul>
1264 3313bdf7 2021-03-24 deraadt
1265 fd2a6fcc 2021-04-15 tb <li>Internal Improvements
1266 fd2a6fcc 2021-04-15 tb <ul>
1267 fd2a6fcc 2021-04-15 tb <li>Further cleanup of the DTLS record handling.
1268 fd2a6fcc 2021-04-15 tb
1269 fd2a6fcc 2021-04-15 tb <li>Continue the replacement of the TLSv1.2 record layer by
1270 fd2a6fcc 2021-04-15 tb reimplementing the read side of the TLSv1.2 record handling.
1271 fd2a6fcc 2021-04-15 tb
1272 fd2a6fcc 2021-04-15 tb <li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
1273 fd2a6fcc 2021-04-15 tb
1274 fd2a6fcc 2021-04-15 tb <li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
1275 fd2a6fcc 2021-04-15 tb
1276 fd2a6fcc 2021-04-15 tb <li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
1277 fd2a6fcc 2021-04-15 tb .data.rel.ro and .rodata, respectively.
1278 fd2a6fcc 2021-04-15 tb
1279 fd2a6fcc 2021-04-15 tb <li>Add a const qualifier to srtp_known_profiles.
1280 fd2a6fcc 2021-04-15 tb
1281 fd2a6fcc 2021-04-15 tb <li>Simplify TLS method by removing the client and server specific
1282 fd2a6fcc 2021-04-15 tb methods internally.
1283 fd2a6fcc 2021-04-15 tb
1284 fd2a6fcc 2021-04-15 tb <li>Avoid casting away const in ssl_ctx_make_profiles().
1285 fd2a6fcc 2021-04-15 tb
1286 fd2a6fcc 2021-04-15 tb <li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
1287 fd2a6fcc 2021-04-15 tb the assert work for newer DTLS versions.
1288 fd2a6fcc 2021-04-15 tb
1289 fd2a6fcc 2021-04-15 tb <li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
1290 fd2a6fcc 2021-04-15 tb
1291 fd2a6fcc 2021-04-15 tb <li>Add a flag to mark DTLS methods as DTLS to have an easy way to
1292 fd2a6fcc 2021-04-15 tb recognize DTLS methods that avoids inspecting the version number.
1293 fd2a6fcc 2021-04-15 tb
1294 fd2a6fcc 2021-04-15 tb <li>Mark a few more internal static tables const.
1295 fd2a6fcc 2021-04-15 tb
1296 fd2a6fcc 2021-04-15 tb <li>Switch finish{,_peer}_md_len from an int to a size_t.
1297 fd2a6fcc 2021-04-15 tb
1298 fd2a6fcc 2021-04-15 tb <li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
1299 fd2a6fcc 2021-04-15 tb for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
1300 fd2a6fcc 2021-04-15 tb was a historical artefact.
1301 fd2a6fcc 2021-04-15 tb
1302 fd2a6fcc 2021-04-15 tb <li>Free struct members in tls13_record_layer_free() in their natural
1303 fd2a6fcc 2021-04-15 tb order for reviewability.
1304 fd2a6fcc 2021-04-15 tb
1305 fd2a6fcc 2021-04-15 tb <li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
1306 fd2a6fcc 2021-04-15 tb
1307 fd2a6fcc 2021-04-15 tb <li>Add tls13_secret_{init,cleanup}() and use them throughout the
1308 fd2a6fcc 2021-04-15 tb TLSv1.3 code base.
1309 fd2a6fcc 2021-04-15 tb
1310 fd2a6fcc 2021-04-15 tb <li>Move the read MAC key into the TLSv1.2 record layer.
1311 fd2a6fcc 2021-04-15 tb
1312 fd2a6fcc 2021-04-15 tb <li>Make tls12_record_layer_free() NULL safe.
1313 fd2a6fcc 2021-04-15 tb
1314 fd2a6fcc 2021-04-15 tb <li>Split the record protection from the TLSv1.2 record layer.
1315 fd2a6fcc 2021-04-15 tb
1316 fd2a6fcc 2021-04-15 tb <li>Clean up sequence number handling in the new TLSv1.2 record layer.
1317 fd2a6fcc 2021-04-15 tb
1318 fd2a6fcc 2021-04-15 tb <li>Clean up sequence number handling in DTLS.
1319 fd2a6fcc 2021-04-15 tb
1320 fd2a6fcc 2021-04-15 tb <li>Clean up dtls1_reset_seq_numbers().
1321 fd2a6fcc 2021-04-15 tb
1322 fd2a6fcc 2021-04-15 tb <li>Factor out code for explicit IV length, block size and MAC length
1323 fd2a6fcc 2021-04-15 tb from tls12_record_layer_open_record_protected_cipher().
1324 fd2a6fcc 2021-04-15 tb
1325 fd2a6fcc 2021-04-15 tb <li>Provide record layer overhead for DTLS.
1326 fd2a6fcc 2021-04-15 tb
1327 fd2a6fcc 2021-04-15 tb <li>Provide functions to determine if TLSv1.2 record protection is
1328 fd2a6fcc 2021-04-15 tb engaged.
1329 fd2a6fcc 2021-04-15 tb
1330 fd2a6fcc 2021-04-15 tb <li>Add code to handle change of cipher state in the new TLSv1.2 record
1331 fd2a6fcc 2021-04-15 tb layer.
1332 fd2a6fcc 2021-04-15 tb
1333 fd2a6fcc 2021-04-15 tb <li>Mop up now unused dtls1_build_sequence_numbers() function.
1334 fd2a6fcc 2021-04-15 tb
1335 fd2a6fcc 2021-04-15 tb <li>Allow setting a keypair on a tls context without specifying the
1336 fd2a6fcc 2021-04-15 tb private key, and fake it internally in libtls. This removes the
1337 fd2a6fcc 2021-04-15 tb need for privsep engines like relayd to use bogus keys.
1338 fd2a6fcc 2021-04-15 tb
1339 fd2a6fcc 2021-04-15 tb <li>Skip the private key check for fake private keys.
1340 fd2a6fcc 2021-04-15 tb
1341 fd2a6fcc 2021-04-15 tb <li>Move the private key setup from tls_configure_ssl_keypair() to a
1342 fd2a6fcc 2021-04-15 tb helper function with proper error checking.
1343 fd2a6fcc 2021-04-15 tb
1344 fd2a6fcc 2021-04-15 tb <li>Change the internal tls_configure_ssl_keypair() function to
1345 fd2a6fcc 2021-04-15 tb return -1 instead of 1 on failure.
1346 fd2a6fcc 2021-04-15 tb
1347 fd2a6fcc 2021-04-15 tb <li>Move sequence numbers into the new TLSv1.2 record layer.
1348 fd2a6fcc 2021-04-15 tb
1349 fd2a6fcc 2021-04-15 tb <li>Move AEAD handling into the new TLSv1.2 record layer.
1350 fd2a6fcc 2021-04-15 tb
1351 fd2a6fcc 2021-04-15 tb <li>Factor out legacy stack version checks.
1352 fd2a6fcc 2021-04-15 tb
1353 fd2a6fcc 2021-04-15 tb <li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
1354 fd2a6fcc 2021-04-15 tb were originally added with the default handshake MAC and PRF rather
1355 fd2a6fcc 2021-04-15 tb than the SHA256 handshake MAC and PRF.
1356 fd2a6fcc 2021-04-15 tb
1357 fd2a6fcc 2021-04-15 tb <li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
1358 fd2a6fcc 2021-04-15 tb
1359 fd2a6fcc 2021-04-15 tb <li>Use dtls1_record_retrieve_buffered_record() to load buffered
1360 fd2a6fcc 2021-04-15 tb application data.
1361 fd2a6fcc 2021-04-15 tb
1362 fd2a6fcc 2021-04-15 tb <li>Enforce read ahead with DTLS.
1363 fd2a6fcc 2021-04-15 tb
1364 fd2a6fcc 2021-04-15 tb <li>Remove bogus DTLS checks that disabled ECC and OCSP.
1365 fd2a6fcc 2021-04-15 tb
1366 fd2a6fcc 2021-04-15 tb <li>Clean up and simplify dtls1_get_cipher().
1367 fd2a6fcc 2021-04-15 tb
1368 fd2a6fcc 2021-04-15 tb <li>Group HelloVerifyRequest decoding and add missing check for trailing
1369 fd2a6fcc 2021-04-15 tb data.
1370 fd2a6fcc 2021-04-15 tb
1371 fd2a6fcc 2021-04-15 tb <li>Revise HelloVerifyRequest handling for DTLSv1.2.
1372 fd2a6fcc 2021-04-15 tb
1373 fd2a6fcc 2021-04-15 tb <li>Handle DTLS1_2_VERSION in various places.
1374 fd2a6fcc 2021-04-15 tb
1375 fd2a6fcc 2021-04-15 tb <li>Rename the "truncated" label into "decode_err" and the "f_err"
1376 fd2a6fcc 2021-04-15 tb label into "fatal_err".
1377 fd2a6fcc 2021-04-15 tb
1378 fd2a6fcc 2021-04-15 tb <li>Factor out and change some of the legacy client version code.
1379 fd2a6fcc 2021-04-15 tb
1380 fd2a6fcc 2021-04-15 tb <li>Simplify version checks in the TLSv1.3 client. Ensure that the
1381 fd2a6fcc 2021-04-15 tb server announced TLSv1.3 and nothing higher and check that the
1382 fd2a6fcc 2021-04-15 tb legacy_version is set to TLSv1.2 as required by RFC 8446.
1383 fd2a6fcc 2021-04-15 tb
1384 fd2a6fcc 2021-04-15 tb <li>Only use TLS versions internally rather than both TLS and DTLS
1385 fd2a6fcc 2021-04-15 tb versions since the latter are the one's complement of the human
1386 fd2a6fcc 2021-04-15 tb readable version numbers, which means that newer versions decrease
1387 fd2a6fcc 2021-04-15 tb in value.
1388 fd2a6fcc 2021-04-15 tb
1389 fd2a6fcc 2021-04-15 tb <li>Identify DTLS based on the version major value.
1390 fd2a6fcc 2021-04-15 tb
1391 fd2a6fcc 2021-04-15 tb <li>Move handling of cipher/hash based cipher suites into the new record
1392 fd2a6fcc 2021-04-15 tb layer.
1393 fd2a6fcc 2021-04-15 tb
1394 fd2a6fcc 2021-04-15 tb <li>Add tls12_record_protection_unused() and call it from CCS functions.
1395 fd2a6fcc 2021-04-15 tb
1396 fd2a6fcc 2021-04-15 tb <li>Move key/IV length checks closer to usage sites. Also add explicit
1397 69ce99e8 2021-04-15 tb checks against
1398 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/EVP_CIPHER_iv_length.3">EVP_CIPHER_{iv,key}_length()</a>.
1399 fd2a6fcc 2021-04-15 tb
1400 fd2a6fcc 2021-04-15 tb <li>Replace two handrolled copies of tls12_record_protection_engaged() with calls to the function.
1401 fd2a6fcc 2021-04-15 tb
1402 fd2a6fcc 2021-04-15 tb <li>Improve internal version handling: add handshake fields for our
1403 fd2a6fcc 2021-04-15 tb minimum version, our maximum version and the TLS version negotiated
1404 fd2a6fcc 2021-04-15 tb during the handshake. Convert most of the internal code to use these
1405 fd2a6fcc 2021-04-15 tb version fields.
1406 fd2a6fcc 2021-04-15 tb
1407 fd2a6fcc 2021-04-15 tb <li>Guard against future internal use of TLS1_get_{client,}_version()
1408 fd2a6fcc 2021-04-15 tb macros.
1409 fd2a6fcc 2021-04-15 tb
1410 fd2a6fcc 2021-04-15 tb <li>Remove the internal ssl_downgrade_max_version() function which is no
1411 fd2a6fcc 2021-04-15 tb longer needed.
1412 fd2a6fcc 2021-04-15 tb
1413 fd2a6fcc 2021-04-15 tb <li>Add support for DTLSv1.2 version handling.
1414 fd2a6fcc 2021-04-15 tb
1415 fd2a6fcc 2021-04-15 tb <li>Remove no longer needed read ahead workarounds in the s_client and
1416 fd2a6fcc 2021-04-15 tb s_server.
1417 fd2a6fcc 2021-04-15 tb
1418 fd2a6fcc 2021-04-15 tb <li>Split TLSv1.3 record protection from record layer.
1419 fd2a6fcc 2021-04-15 tb
1420 fd2a6fcc 2021-04-15 tb <li>Move the TLSv1.3 handshake struct inside the shared handshake
1421 fd2a6fcc 2021-04-15 tb struct.
1422 fd2a6fcc 2021-04-15 tb
1423 fd2a6fcc 2021-04-15 tb <li>Fully initialize rrec in tls12_record_layer_open_record_protected()
1424 fd2a6fcc 2021-04-15 tb to avoid confusing some static analyzers.
1425 fd2a6fcc 2021-04-15 tb
1426 fd2a6fcc 2021-04-15 tb <li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
1427 fd2a6fcc 2021-04-15 tb does not set errno.
1428 fd2a6fcc 2021-04-15 tb
1429 fd2a6fcc 2021-04-15 tb <li>Convert openssl(1) x509 to new option handling and do the usual
1430 fd2a6fcc 2021-04-15 tb clean up that goes along with it.
1431 fd2a6fcc 2021-04-15 tb
1432 fd2a6fcc 2021-04-15 tb <li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
1433 fd2a6fcc 2021-04-15 tb
1434 fd2a6fcc 2021-04-15 tb <li>Rename new_cipher to cipher to align naming with keyblock or other
1435 fd2a6fcc 2021-04-15 tb parts of the handshake data.
1436 fd2a6fcc 2021-04-15 tb
1437 fd2a6fcc 2021-04-15 tb <li>Move the TLSv1.2 record number increment into the new record layer.
1438 fd2a6fcc 2021-04-15 tb
1439 fd2a6fcc 2021-04-15 tb <li>Move finished and peer finished into the handshake struct.
1440 fd2a6fcc 2021-04-15 tb
1441 fd2a6fcc 2021-04-15 tb <li>Remove pointless assignment in SSL_get0_alpn_selected().
1442 fd2a6fcc 2021-04-15 tb
1443 fd2a6fcc 2021-04-15 tb <li>Add some error checking to openssl(1) x509.
1444 fd2a6fcc 2021-04-15 tb </ul>
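The items above on DTLS version handling (one's complement version numbers, identifying DTLS by the version major value) can be illustrated with a short C sketch. This is an added example, not LibreSSL code: the helper names are hypothetical, the constants are defined locally with their wire values, and the DTLS-to-TLS mapping assumes DTLS 1.0 corresponds to TLS 1.1 and DTLS 1.2 to TLS 1.2.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values, defined locally so the example needs no TLS headers. */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF	/* DTLS 1.0 */
#define DTLS1_2_VERSION  0xFEFD	/* DTLS 1.2 */
#define EX_DTLS_MAJOR    0xFE	/* hypothetical name for the DTLS major byte */

/* DTLS wire version = one's complement of human-readable major.minor. */
uint16_t
dtls_wire_from_human(unsigned int major, unsigned int minor)
{
	return (uint16_t)~((major << 8) | minor);
}

/* Recognize DTLS from the major byte instead of listing every version. */
int
is_dtls(uint16_t wire)
{
	return (wire >> 8) == EX_DTLS_MAJOR;
}

/*
 * Broken check: comparing raw wire values. For DTLS, newer versions have
 * smaller values, so DTLS 1.2 looks "older" than DTLS 1.0.
 */
int
naive_at_least(uint16_t wire, uint16_t min_wire)
{
	return wire >= min_wire;
}

/*
 * Normalize to a TLS version so ordering is monotonic.
 * Assumed mapping: DTLS 1.0 -> TLS 1.1, DTLS 1.2 -> TLS 1.2.
 * Returns 0 for versions this example does not know.
 */
uint16_t
to_tls_version(uint16_t wire)
{
	switch (wire) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	case TLS1_1_VERSION:
	case TLS1_2_VERSION:
	case TLS1_3_VERSION:
		return wire;
	default:
		return 0;
	}
}

/* Correct check: compare normalized versions within one protocol family. */
int
at_least(uint16_t wire, uint16_t min_wire)
{
	uint16_t v = to_tls_version(wire);
	uint16_t min = to_tls_version(min_wire);

	if (v == 0 || min == 0)
		return 0;	/* unknown version: fail closed */
	if (is_dtls(wire) != is_dtls(min_wire))
		return 0;	/* never compare TLS against DTLS */
	return v >= min;
}

int
main(void)
{
	printf("DTLS 1.2 on the wire: 0x%04X\n",
	    (unsigned int)dtls_wire_from_human(1, 2));
	printf("naive  DTLS1.2 >= DTLS1.0: %d\n",
	    naive_at_least(DTLS1_2_VERSION, DTLS1_VERSION));
	printf("normal DTLS1.2 >= DTLS1.0: %d\n",
	    at_least(DTLS1_2_VERSION, DTLS1_VERSION));
	return 0;
}
```

A minimum-version policy enforced with the naive comparison would reject DTLS 1.2 while accepting DTLS 1.0, which is the failure mode that a single internal TLS-based numbering removes.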
1445 fd2a6fcc 2021-04-15 tb
1446 3313bdf7 2021-03-24 deraadt <li>Bug Fixes
1447 3313bdf7 2021-03-24 deraadt <ul>
1448 fd2a6fcc 2021-04-15 tb <li>Move point-on-curve check to set_affine_coordinates to avoid
1449 fd2a6fcc 2021-04-15 tb verifying ECDSA signatures with unchecked public keys.
1450 fd2a6fcc 2021-04-15 tb
1451 69ce99e8 2021-04-15 tb <li>Fix
1452 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_is_server.3">SSL_is_server(3)</a>
1453 69ce99e8 2021-04-15 tb to behave as documented by re-introducing the client-specific
1454 69ce99e8 2021-04-15 tb methods.
1455 fd2a6fcc 2021-04-15 tb
1456 fd2a6fcc 2021-04-15 tb <li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
1457 fd2a6fcc 2021-04-15 tb
1458 fd2a6fcc 2021-04-15 tb <li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
1459 fd2a6fcc 2021-04-15 tb
1460 fd2a6fcc 2021-04-15 tb <li>Correct the return value type from ERR_peek_error() to a long.
1461 fd2a6fcc 2021-04-15 tb
1462 fd2a6fcc 2021-04-15 tb <li>Avoid use of uninitialized memory in ASN1_time_parse() which could happen
1463 623c2403 2021-04-19 tb on parsing UTCTime if the caller did not initialize the passed
1464 fd2a6fcc 2021-04-15 tb struct tm.
1465 fd2a6fcc 2021-04-15 tb
1466 fd2a6fcc 2021-04-15 tb <li>Destroy the mutex in a tls_config object on tls_config_free().
1467 fd2a6fcc 2021-04-15 tb
1468 32e14492 2021-04-24 namn <li>Free alert_data and phh_data in tls13_record_layer_free().
1469 32e14492 2021-04-24 namn These could leak if
1470 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/SSL_shutdown.3">SSL_shutdown(3)</a>
1471 69ce99e8 2021-04-15 tb or <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a>
1472 69ce99e8 2021-04-15 tb were called after closing the underlying socket().
1473 fd2a6fcc 2021-04-15 tb
1474 fd2a6fcc 2021-04-15 tb <li>Gracefully handle root certificates being both trusted and
1475 fd2a6fcc 2021-04-15 tb untrusted.
1476 fd2a6fcc 2021-04-15 tb
1477 fd2a6fcc 2021-04-15 tb <li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
1478 fd2a6fcc 2021-04-15 tb verifier.
1479 fd2a6fcc 2021-04-15 tb
1480 fd2a6fcc 2021-04-15 tb <li>Use the legacy verifier when building auto chains for TLS.
1481 fd2a6fcc 2021-04-15 tb
1482 fd2a6fcc 2021-04-15 tb <li>Search the intermediates only after searching the root certs in the
1483 fd2a6fcc 2021-04-15 tb new verifier to avoid problems with the legacy callback.
1484 fd2a6fcc 2021-04-15 tb
1485 fd2a6fcc 2021-04-15 tb <li>Bail out early after finding a single chain in the new verifier, if
1486 fd2a6fcc 2021-04-15 tb we have been called via the legacy verifier API.
1487 fd2a6fcc 2021-04-15 tb
1488 fd2a6fcc 2021-04-15 tb <li>Set (invalid and likely incomplete) chain on the xsc on chain build
1489 fd2a6fcc 2021-04-15 tb failure prior to calling the callback. This is required by various
1490 fd2a6fcc 2021-04-15 tb callers, including auto chain.
1491 fd2a6fcc 2021-04-15 tb
1492 fd2a6fcc 2021-04-15 tb <li>Remove direct assignment of aead_ctx to avoid a leak.
1493 fd2a6fcc 2021-04-15 tb
1494 fd2a6fcc 2021-04-15 tb <li>Fail early in legacy exporter if the master secret is not available
1495 fd2a6fcc 2021-04-15 tb to avoid a segfault if it is called when the handshake is not
1496 fd2a6fcc 2021-04-15 tb completed.
1497 fd2a6fcc 2021-04-15 tb
1498 fd2a6fcc 2021-04-15 tb <li>Only print the certificate file once on verification failure.
1499 fd2a6fcc 2021-04-15 tb
1500 fd2a6fcc 2021-04-15 tb <li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
1501 fd2a6fcc 2021-04-15 tb the new validator checks for EXFLAG_CRITICAL in
1502 fd2a6fcc 2021-04-15 tb x509_vfy_check_chain_extension() for all untrusted certs in the
1503 fd2a6fcc 2021-04-15 tb chain. Take into account that the root is not necessarily trusted.
1504 fd2a6fcc 2021-04-15 tb
1505 fd2a6fcc 2021-04-15 tb <li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
1506 fd2a6fcc 2021-04-15 tb
1507 fd2a6fcc 2021-04-15 tb <li>Fix two bugs in the legacy verifier that resulted from refactoring
1508 69ce99e8 2021-04-15 tb of
1509 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
1510 69ce99e8 2021-04-15 tb for the new verifier: a return value was incorrectly treated as
1511 69ce99e8 2021-04-15 tb boolean, making it insufficient to decide whether validation should
1512 69ce99e8 2021-04-15 tb carry on or not.
1513 fd2a6fcc 2021-04-15 tb
1514 fd2a6fcc 2021-04-15 tb <li>Fix checks for memory caps of constraints names. There are internal
1515 fd2a6fcc 2021-04-15 tb caps on the number of name constraints and other names, that the new
1516 fd2a6fcc 2021-04-15 tb name constraints code allocates per cert chain. These limits were
1517 fd2a6fcc 2021-04-15 tb checked too late, making them only partially effective.
1518 fd2a6fcc 2021-04-15 tb
1519 fd2a6fcc 2021-04-15 tb <li>Fix a copy-paste error - skid was confused with an akid when
1520 fd2a6fcc 2021-04-15 tb checking for EXFLAG_INVALID. This broke OCSP validation with
1521 fd2a6fcc 2021-04-15 tb certain mirrors.
1522 fd2a6fcc 2021-04-15 tb
1523 fd2a6fcc 2021-04-15 tb <li>Avoid a use-after-scope in tls13_cert_add().
1524 fd2a6fcc 2021-04-15 tb
1525 fd2a6fcc 2021-04-15 tb <li>Avoid mangled output in BIO_debug_callback().
1526 fd2a6fcc 2021-04-15 tb
1527 fd2a6fcc 2021-04-15 tb <li>Fix client initiated renegotiation by replacing use of s->internal->type
1528 fd2a6fcc 2021-04-15 tb with s->server.
1529 fd2a6fcc 2021-04-15 tb
1530 fd2a6fcc 2021-04-15 tb <li>Avoid transcript initialization when sending a TLS HelloRequest,
1531 fd2a6fcc 2021-04-15 tb fixing server initiated renegotiation.
1532 fd2a6fcc 2021-04-15 tb
1533 fd2a6fcc 2021-04-15 tb <li>Avoid leaking param->name in x509_verify_param_zero().
1534 fd2a6fcc 2021-04-15 tb
1535 fd2a6fcc 2021-04-15 tb <li>Avoid a leak in an error path in openssl(1) x509.
1536 fd2a6fcc 2021-04-15 tb
1537 fd2a6fcc 2021-04-15 tb <li>When sending an alert in TLSv1.3, only set its error code when no
1538 fd2a6fcc 2021-04-15 tb other error was set previously. Certain clients rely on specific
1539 fd2a6fcc 2021-04-15 tb SSL_R_ error codes to identify that they are dealing with a self
1540 fd2a6fcc 2021-04-15 tb signed cert.
1541 fd2a6fcc 2021-04-15 tb
1542 fd2a6fcc 2021-04-15 tb <li>When switching from the TLSv1.3 stack to the legacy stack include
1543 fd2a6fcc 2021-04-15 tb a TLS record header. This is necessary if there is more than one
1544 fd2a6fcc 2021-04-15 tb handshake message in the TLS plaintext record.
1545 fd2a6fcc 2021-04-15 tb
1546 fd2a6fcc 2021-04-15 tb <li>Fix resource handling on error in OCSP_request_add0_id().
1547 fd2a6fcc 2021-04-15 tb
1548 fd2a6fcc 2021-04-15 tb <li>Make sure there is enough room for stashing the handshake message
1549 fd2a6fcc 2021-04-15 tb when switching to the legacy TLS stack.
1550 fd2a6fcc 2021-04-15 tb
1551 fd2a6fcc 2021-04-15 tb <li>Fix a memory leak in the openssl(1) s_client.
1552 fd2a6fcc 2021-04-15 tb
1553 fd2a6fcc 2021-04-15 tb <li>Unbreak DTLS retransmissions for flights that include a CCS.
1554 fd2a6fcc 2021-04-15 tb
1555 fd2a6fcc 2021-04-15 tb <li>If x509_verify() fails, ensure that the error is set on both
1556 fd2a6fcc 2021-04-15 tb the x509_verify_ctx() and its store context to make some failures
1557 fd2a6fcc 2021-04-15 tb visible from SSL_get_verify_result().
1558 fd2a6fcc 2021-04-15 tb
1559 fd2a6fcc 2021-04-15 tb <li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
1560 fd2a6fcc 2021-04-15 tb verifier to fix hashed certificate directories.
1561 fd2a6fcc 2021-04-15 tb
1562 69ce99e8 2021-04-15 tb <li>Only check
1563 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
1564 69ce99e8 2021-04-15 tb on read and
1565 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
1566 69ce99e8 2021-04-15 tb on write. Previously,
1567 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a>
1568 69ce99e8 2021-04-15 tb was also checked after read and
1569 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a>
1570 69ce99e8 2021-04-15 tb after write which could cause stalls in software that uses the same
1571 69ce99e8 2021-04-15 tb BIO for read and write.
1572 fd2a6fcc 2021-04-15 tb
1573 69ce99e8 2021-04-15 tb <li>In <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
1574 69ce99e8 2021-04-15 tb verify, also check for error on the store context since the return
1575 69ce99e8 2021-04-15 tb value of
1576 69ce99e8 2021-04-15 tb <a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a>
1577 69ce99e8 2021-04-15 tb is unreliable in presence of a callback that returns 1 too often.
1578 fd2a6fcc 2021-04-15 tb
1579 fd2a6fcc 2021-04-15 tb <li>Handle additional certificate error cases in the new X.509 verifier.
1580 fd2a6fcc 2021-04-15 tb Keep track of the errors encountered if a verify callback tells the
1581 fd2a6fcc 2021-04-15 tb verifier to continue and report them back via the error on the store
1582 fd2a6fcc 2021-04-15 tb context. This mimics the behavior of the old verifier that would
1583 fd2a6fcc 2021-04-15 tb persist the first error encountered while building the chain.
1584 fd2a6fcc 2021-04-15 tb
1585 fd2a6fcc 2021-04-15 tb <li>Report specific failures for "self signed certificates" in a way
1586 fd2a6fcc 2021-04-15 tb compatible with the old verifier since software relies on the
1587 fd2a6fcc 2021-04-15 tb error code.
1588 fd2a6fcc 2021-04-15 tb
1589 fd2a6fcc 2021-04-15 tb <li>Plug a large memory leak in the new verifier caused by calling
1590 69ce99e8 2021-04-15 tb X509_policy_check(3) repeatedly.
1591 fd2a6fcc 2021-04-15 tb
1592 fd2a6fcc 2021-04-15 tb <li>Avoid leaking memory in x509_verify_chain_dup().
1593 3313bdf7 2021-03-24 deraadt </ul>
1594 3313bdf7 2021-03-24 deraadt </ul>
1595 3313bdf7 2021-03-24 deraadt
1596 7557f135 2021-04-10 benno <li>OpenSSH 8.5
1597 3313bdf7 2021-03-24 deraadt <ul>
1598 33a75c6e 2021-04-13 benno <li>Security fixes
1599 33a75c6e 2021-04-13 benno <ul>
1600 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
1601 33a75c6e 2021-04-13 benno fixed a double-free memory corruption that was introduced in OpenSSH
1602 33a75c6e 2021-04-13 benno 8.2. We treat all such memory faults as potentially exploitable. This
1603 33a75c6e 2021-04-13 benno bug could be reached by an attacker with access to the agent socket.<br>
1604 7476d2f7 2021-04-05 benno
1605 33a75c6e 2021-04-13 benno On modern operating systems where the OS can provide information
1606 33a75c6e 2021-04-13 benno about the user identity connected to a socket, OpenSSH ssh-agent and
1607 33a75c6e 2021-04-13 benno sshd limit agent socket access only to the originating user and root.
1608 33a75c6e 2021-04-13 benno Additional mitigation may be afforded by the system's
1609 33a75c6e 2021-04-13 benno malloc(3)/free(3) implementation, if it detects double-free
1610 33a75c6e 2021-04-13 benno conditions.<br>
1611 7476d2f7 2021-04-05 benno
1612 33a75c6e 2021-04-13 benno The most likely scenario for exploitation is a user forwarding an
1613 33a75c6e 2021-04-13 benno agent either to an account shared with a malicious user or to a host
1614 33a75c6e 2021-04-13 benno with an attacker holding root access.
1615 33a75c6e 2021-04-13 benno </ul>
1616 4a18afd7 2021-04-19 benno <li>Potentially incompatible changes
1617 3313bdf7 2021-03-24 deraadt <ul>
1618 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1619 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release
1620 33a75c6e 2021-04-13 benno changes the first-preference signature algorithm from ECDSA to
1621 33a75c6e 2021-04-13 benno ED25519.
1622 33a75c6e 2021-04-13 benno
1623 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1624 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set the TOS/DSCP
1625 33a75c6e 2021-04-13 benno specified in the configuration for interactive use prior to TCP
1626 33a75c6e 2021-04-13 benno connect. The connection phase of the SSH session is time-sensitive and
1627 33a75c6e 2021-04-13 benno often explicitly interactive. The ultimate interactive/bulk TOS/DSCP
1628 33a75c6e 2021-04-13 benno will be set after authentication completes.
1629 33a75c6e 2021-04-13 benno
1630 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1631 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove the
1632 33a75c6e 2021-04-13 benno pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias
1633 33a75c6e 2021-04-13 benno for aes256-cbc before it was standardized in RFC4253 (2006), has been
1634 33a75c6e 2021-04-13 benno deprecated and disabled by default since OpenSSH 7.2 (2016) and was
1635 33a75c6e 2021-04-13 benno only briefly documented in ssh.1 in 2001.
1636 33a75c6e 2021-04-13 benno
1637 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1638 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: update/replace the
1639 33a75c6e 2021-04-13 benno experimental post-quantum hybrid key exchange method based on
1640 33a75c6e 2021-04-13 benno Streamlined NTRU Prime coupled with X25519.<br>
1641 33a75c6e 2021-04-13 benno
1642 33a75c6e 2021-04-13 benno The previous sntrup4591761x25519-sha512@tinyssh.org method is
1643 33a75c6e 2021-04-13 benno replaced with sntrup761x25519-sha512@openssh.com. Per its designers,
1644 33a75c6e 2021-04-13 benno the sntrup4591761 algorithm was superseded almost two years ago by
1645 33a75c6e 2021-04-13 benno sntrup761.
1646 4a18afd7 2021-04-19 benno (Note that both the updated method and the one that it replaced are
1647 4a18afd7 2021-04-19 benno disabled by default.)
1648 33a75c6e 2021-04-13 benno
1649 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: disable
1650 33a75c6e 2021-04-13 benno CheckHostIP by default. It provides insignificant benefits while
1651 33a75c6e 2021-04-13 benno making key rotation significantly more difficult, especially for hosts
1652 33a75c6e 2021-04-13 benno behind IP-based load-balancers.
1653 3313bdf7 2021-03-24 deraadt </ul>
1654 3313bdf7 2021-03-24 deraadt <li>New Features
1655 3313bdf7 2021-03-24 deraadt <ul>
1656 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: this release
1657 33a75c6e 2021-04-13 benno enables UpdateHostkeys by default subject to some conservative
1658 33a75c6e 2021-04-13 benno preconditions:
1659 33a75c6e 2021-04-13 benno <ul>
1660 33a75c6e 2021-04-13 benno <li>The key was matched in the UserKnownHostsFile (and not in the
1661 33a75c6e 2021-04-13 benno GlobalKnownHostsFile).
1662 33a75c6e 2021-04-13 benno <li>The same key does not exist under another name.
1663 33a75c6e 2021-04-13 benno <li>A certificate host key is not in use.
1664 33a75c6e 2021-04-13 benno <li>known_hosts contains no matching wildcard hostname pattern.
1665 33a75c6e 2021-04-13 benno <li>VerifyHostKeyDNS is not enabled.
1666 33a75c6e 2021-04-13 benno <li>The default UserKnownHostsFile is in use.
1667 33a75c6e 2021-04-13 benno </ul>
1668 33a75c6e 2021-04-13 benno We expect some of these conditions will be modified or relaxed in
1669 33a75c6e 2021-04-13 benno future.
1670 33a75c6e 2021-04-13 benno
1671 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1672 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new
1673 33a75c6e 2021-04-13 benno LogVerbose configuration directive that allows forcing maximum
1674 33a75c6e 2021-04-13 benno debug logging by file/function/line pattern-lists.
1675 33a75c6e 2021-04-13 benno
1676 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
1677 33a75c6e 2021-04-13 benno prompting the user to accept a new hostkey, display any other host
1678 33a75c6e 2021-04-13 benno names/addresses already associated with the key.
1679 33a75c6e 2021-04-13 benno
1680 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow
1681 33a75c6e 2021-04-13 benno UserKnownHostsFile=none to indicate that no known_hosts file should be
1682 33a75c6e 2021-04-13 benno used to identify host keys.
1683 33a75c6e 2021-04-13 benno
1684 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
1685 33a75c6e 2021-04-13 benno ssh_config KnownHostsCommand option that allows the client to obtain
1686 33a75c6e 2021-04-13 benno known_hosts data from a command in addition to the usual files.
1687 33a75c6e 2021-04-13 benno
1688 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a
1689 33a75c6e 2021-04-13 benno ssh_config PermitRemoteOpen option that allows the client to restrict
1690 33a75c6e 2021-04-13 benno the destination when RemoteForward is used with SOCKS.
1691 33a75c6e 2021-04-13 benno
1692 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: for FIDO
1693 33a75c6e 2021-04-13 benno keys, if a signature operation fails with an "incorrect PIN" reason and
1694 33a75c6e 2021-04-13 benno no PIN was initially requested from the user, then request a PIN and
1695 33a75c6e 2021-04-13 benno retry the operation. This supports some biometric devices that fall
1696 33a75c6e 2021-04-13 benno back to requiring PIN when reading of the biometric failed, and
1697 33a75c6e 2021-04-13 benno devices that require PINs for all hosted credentials.
1698 33a75c6e 2021-04-13 benno
1699 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: implement
1700 33a75c6e 2021-04-13 benno client address-based rate-limiting via new <a
1701 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
1702 33a75c6e 2021-04-13 benno PerSourceMaxStartups and PerSourceNetBlockSize directives that provide
1703 33a75c6e 2021-04-13 benno more fine-grained control on a per-origin address basis than the
1704 33a75c6e 2021-04-13 benno global MaxStartups limit.
1705 3313bdf7 2021-03-24 deraadt </ul>
1706 3313bdf7 2021-03-24 deraadt <li>Bugfixes
1707 3313bdf7 2021-03-24 deraadt <ul>
1708 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Prefix
1709 33a75c6e 2021-04-13 benno keyboard interactive prompts with "(user@host)" to make it easier to
1710 33a75c6e 2021-04-13 benno determine which connection they are associated with in cases like scp
1711 33a75c6e 2021-04-13 benno -3, ProxyJump, etc. bz#3224
1712 33a75c6e 2021-04-13 benno
1713 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix
1714 33a75c6e 2021-04-13 benno sshd_config SetEnv directives located inside Match blocks. GHPR#201
1715 33a75c6e 2021-04-13 benno
1716 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when
1717 33a75c6e 2021-04-13 benno requesting a FIDO token touch on stderr, inform the user once the
1718 33a75c6e 2021-04-13 benno touch has been recorded.
1719 33a75c6e 2021-04-13 benno
1720 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prevent
1721 33a75c6e 2021-04-13 benno integer overflow when ridiculously large ConnectTimeout values are
1722 33a75c6e 2021-04-13 benno specified, capping the effective value (for most platforms) at 24
1723 33a75c6e 2021-04-13 benno days. bz#3229
1724 33a75c6e 2021-04-13 benno
1725 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: consider the
1726 33a75c6e 2021-04-13 benno ECDSA key subtype when ordering host key algorithms in the client.
1727 33a75c6e 2021-04-13 benno
1728 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1729 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: rename the
1730 33a75c6e 2021-04-13 benno PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The
1731 33a75c6e 2021-04-13 benno previous name incorrectly suggested that it control allowed key
1732 33a75c6e 2021-04-13 benno algorithms, when this option actually specifies the signature
1733 33a75c6e 2021-04-13 benno algorithms that are accepted. The previous name remains available as
1734 33a75c6e 2021-04-13 benno an alias. bz#3253
1735 33a75c6e 2021-04-13 benno
1736 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1737 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: similarly, rename
1738 33a75c6e 2021-04-13 benno HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
1739 33a75c6e 2021-04-13 benno HostbasedAcceptedAlgorithms.
1740 33a75c6e 2021-04-13 benno
1741 33a75c6e 2021-04-13 benno <li><a
1742 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add
1743 33a75c6e 2021-04-13 benno missing lsetstat@openssh.com documentation and advertisement in the
1744 33a75c6e 2021-04-13 benno server's SSH2_FXP_VERSION hello packet.
1745 33a75c6e 2021-04-13 benno
1746 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1747 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly
1748 33a75c6e 2021-04-13 benno enforce KEX state-machine by banning packet types once they are
1749 33a75c6e 2021-04-13 benno received. Fixes memleak caused by duplicate
1750 33a75c6e 2021-04-13 benno SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
1751 33a75c6e 2021-04-13 benno
1752 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the
1753 33a75c6e 2021-04-13 benno full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of
1754 33a75c6e 2021-04-13 benno being limited by LONG_MAX. bz#3206
1755 33a75c6e 2021-04-13 benno
1756 33a75c6e 2021-04-13 benno <li>Minor man page fixes (capitalization, commas, etc.) bz#3223
1757 33a75c6e 2021-04-13 benno
1758 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: when doing
1759 33a75c6e 2021-04-13 benno an sftp recursive upload or download of a read-only directory, ensure
1760 33a75c6e 2021-04-13 benno that the directory is created with write and execute permissions in
1761 33a75c6e 2021-04-13 benno the interim so that the transfer can actually complete, then set the
1762 33a75c6e 2021-04-13 benno directory permission as the final step. bz#3222
1763 33a75c6e 2021-04-13 benno
1764 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
1765 33a75c6e 2021-04-13 benno document the -Z option, check the validity of its argument earlier and
1766 33a75c6e 2021-04-13 benno provide a better error message if it's not correct. bz#2879
1767 33a75c6e 2021-04-13 benno
1768 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ignore
1769 33a75c6e 2021-04-13 benno comments at the end of config lines in ssh_config, similar to what we
1770 33a75c6e 2021-04-13 benno already do for sshd_config. bz#2320
1771 33a75c6e 2021-04-13 benno
1772 33a75c6e 2021-04-13 benno <li><a
1773 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>:
1774 33a75c6e 2021-04-13 benno mention that DisableForwarding is valid in a sshd_config Match block.
1775 33a75c6e 2021-04-13 benno bz#3239
1776 33a75c6e 2021-04-13 benno
1777 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix
1778 33a75c6e 2021-04-13 benno incorrect sorting of "ls -ltr" under some circumstances. bz#3248
1779 33a75c6e 2021-04-13 benno
1780 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a
1781 33a75c6e 2021-04-13 benno href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix potential
1782 33a75c6e 2021-04-13 benno integer truncation of (unlikely) timeout values. bz#3250
1783 33a75c6e 2021-04-13 benno
1784 33a75c6e 2021-04-13 benno <li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make
1785 33a75c6e 2021-04-13 benno hostbased authentication send the signature algorithm in its
1786 32e14492 2021-04-24 namn SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This makes
1787 33a75c6e 2021-04-13 benno HostbasedAcceptedAlgorithms do what it is supposed to - filter on
1788 33a75c6e 2021-04-13 benno signature algorithm and not key type.
1789 3313bdf7 2021-03-24 deraadt </ul>
1790 3313bdf7 2021-03-24 deraadt </ul>
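The stricter KEX state machine from the bugfix list above, shown as an added example that is not OpenSSH's own code: a simplified model in which a handler replaces its own dispatch entry with a protocol-error handler once its packet type has been received. The session struct, the allocation ledger and all function names are hypothetical; only the message numbers (RFC 4419) are real, and the packet sequence is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Message numbers from RFC 4419 (DH group exchange). */
#define SSH2_MSG_KEX_DH_GEX_INIT    32
#define SSH2_MSG_KEX_DH_GEX_REQUEST 34
#define DISPATCH_MAX 256  /* a packet type is one byte */
#define LEDGER_MAX   8

/* Hypothetical, simplified model; not OpenSSH's own structures. */
struct session {
	int (*dispatch[DISPATCH_MAX])(struct session *, int);
	int strict;               /* 1: ban a KEX packet type once received */
	void *gex_state;          /* per-exchange state set up by GEX_REQUEST */
	void *ledger[LEDGER_MAX]; /* every allocation, for leak accounting */
	int nledger;
};

static int protocol_error(struct session *s, int type) {
	(void)s; (void)type;
	return -1;                /* caller disconnects */
}

static int on_gex_init(struct session *s, int type) {
	if (s->strict)
		s->dispatch[type] = protocol_error;
	return 0;
}

static int on_gex_request(struct session *s, int type) {
	if (s->strict)            /* one-shot: a repeat is a protocol error */
		s->dispatch[type] = protocol_error;
	if (s->nledger == LEDGER_MAX || (s->gex_state = malloc(64)) == NULL)
		return -1;
	s->ledger[s->nledger++] = s->gex_state; /* a repeat overwrote gex_state */
	s->dispatch[SSH2_MSG_KEX_DH_GEX_INIT] = on_gex_init;
	return 0;
}

static void session_init(struct session *s, int strict) {
	int i;
	for (i = 0; i < DISPATCH_MAX; i++)
		s->dispatch[i] = protocol_error;
	s->dispatch[SSH2_MSG_KEX_DH_GEX_REQUEST] = on_gex_request;
	s->strict = strict;
	s->gex_state = NULL;
	s->nledger = 0;
}

/* Counts allocations the session no longer points at, then frees them all. */
static int session_teardown(struct session *s) {
	int i, lost = 0;
	for (i = 0; i < s->nledger; i++) {
		if (s->ledger[i] != s->gex_state)
			lost++;
		free(s->ledger[i]);
	}
	return lost;
}

/* Returns how many packets were accepted before the first protocol error. */
static int run(int strict, const unsigned char *types, int n, int *lost) {
	struct session s;
	int i;
	session_init(&s, strict);
	for (i = 0; i < n; i++)
		if (s.dispatch[types[i]](&s, types[i]) != 0)
			break;
	*lost = session_teardown(&s);
	return i;
}

int main(void) {
	const unsigned char seq[] = { 34, 34, 32 }; /* constructed: REQUEST twice, then INIT */
	int lost, n = run(0, seq, 3, &lost);
	printf("lax:    accepted=%d lost=%d\n", n, lost);
	n = run(1, seq, 3, &lost);
	printf("strict: accepted=%d lost=%d\n", n, lost);
	return 0;
}
```

In the lax run the first allocation becomes unreachable when the second request overwrites `gex_state`; the strict run stops at the duplicate and loses nothing.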
1791 3313bdf7 2021-03-24 deraadt
1792 3313bdf7 2021-03-24 deraadt <li>Ports and packages:
1793 3313bdf7 2021-03-24 deraadt <p>Many pre-built packages for each architecture:
1794 3313bdf7 2021-03-24 deraadt <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
1795 3313bdf7 2021-03-24 deraadt <ul style="column-count: 3">
1796 dc34c482 2021-04-22 sthen <li>aarch64: 10943
1797 9c8461cf 2021-04-21 sthen <li>amd64: 11310
1798 66d4dfad 2021-06-02 naddy <li>arm: 8691
1799 9c8461cf 2021-04-21 sthen <li>i386: 10468
1800 9a1cfdff 2021-04-24 visa <li>mips64: 8182
1801 26bb37ed 2021-11-30 sthen <li>mips64el: 7493
1802 780a24b8 2021-05-05 sthen <li>powerpc: 9475
1803 e5d2413e 2021-04-27 sthen <li>powerpc64: 9341
1804 dc34c482 2021-04-22 sthen <li>sparc64: 9642
1805 95781392 2021-04-15 rsadowski </ul>
1806 95781392 2021-04-15 rsadowski
1807 95781392 2021-04-15 rsadowski <p>Some highlights:
1808 95781392 2021-04-15 rsadowski <ul style="column-count: 3">
1809 95781392 2021-04-15 rsadowski <li>Asterisk 18.3.0
1810 95781392 2021-04-15 rsadowski <li>Audacity 2.4.2
1811 95781392 2021-04-15 rsadowski <li>CMake 3.19.4
1812 3ba77e1a 2021-04-17 lteo <li>Chromium 90.0.4430.72
1813 95781392 2021-04-15 rsadowski <li>Emacs 27.2
1814 95781392 2021-04-15 rsadowski <li>FFmpeg 4.3.2
1815 95781392 2021-04-15 rsadowski <li>GCC 8.4.0
1816 95781392 2021-04-15 rsadowski <li>GHC 8.10.3
1817 95781392 2021-04-15 rsadowski <li>GNOME 3.38
1818 95781392 2021-04-15 rsadowski <li>Go 1.16.2
1819 95781392 2021-04-15 rsadowski <li>JDK 8u282 and 11.0.10
1820 95781392 2021-04-15 rsadowski <li>KDE Applications 20.12.3
1821 95781392 2021-04-15 rsadowski <li>KDE Frameworks 5.80.0
1822 95781392 2021-04-15 rsadowski <li>Krita 4.4.3
1823 c0618079 2021-04-15 sthen <li>LLVM/Clang 10.0.1
1824 95781392 2021-04-15 rsadowski <li>LibreOffice 7.0.5.2
1825 95781392 2021-04-15 rsadowski <li>Lua 5.1.5, 5.2.4 and 5.3.6
1826 95781392 2021-04-15 rsadowski <li>MariaDB 10.5.9
1827 95781392 2021-04-15 rsadowski <li>Mono 6.12.0.122
1828 1dfe63b3 2021-04-20 naddy <li>Mozilla Firefox 88.0 and ESR 78.10.0
1829 1dfe63b3 2021-04-20 naddy <li>Mozilla Thunderbird 78.10.0
1830 95781392 2021-04-15 rsadowski <li>Mutt 2.0.6 and NeoMutt 20210205
1831 95781392 2021-04-15 rsadowski <li>Node.js 12.16.1
1832 95781392 2021-04-15 rsadowski <li>OCaml 4.10.0
1833 8db9998a 2021-04-15 sthen <li>OpenLDAP 2.4.58
1834 8db9998a 2021-04-15 sthen <li>PHP 7.2.34, 7.3.27, 7.4.16 and 8.0.3
1835 8db9998a 2021-04-15 sthen <li>Postfix 3.5.10
1836 95781392 2021-04-15 rsadowski <li>PostgreSQL 13.2
1837 95781392 2021-04-15 rsadowski <li>Python 2.7.18, 3.8.8 and 3.9.2
1838 95781392 2021-04-15 rsadowski <li>Qt 5.15.2
1839 95781392 2021-04-15 rsadowski <li>R 4.0.5
1840 95781392 2021-04-15 rsadowski <li>Ruby 2.6.7, 2.7.3 and 3.0.1
1841 95781392 2021-04-15 rsadowski <li>Rust 1.51.0
1842 8db9998a 2021-04-15 sthen <li>SQLite 3.34.1
1843 95781392 2021-04-15 rsadowski <li>Shotcut 21.01.29
1844 95781392 2021-04-15 rsadowski <li>Sudo 1.9.6p1
1845 95781392 2021-04-15 rsadowski <li>Suricata 6.0.1
1846 95781392 2021-04-15 rsadowski <li>Tcl/Tk 8.5.19 and 8.6.8
1847 95781392 2021-04-15 rsadowski <li>TeX Live 2020
1848 95781392 2021-04-15 rsadowski <li>Vim 8.2.2580 and Neovim 0.4.4
1849 95781392 2021-04-15 rsadowski <li>Xfce 4.16
1850 3313bdf7 2021-03-24 deraadt </ul>
1851 95781392 2021-04-15 rsadowski <p>
1852 3313bdf7 2021-03-24 deraadt
1853 3313bdf7 2021-03-24 deraadt <li>As usual, steady improvements in manual pages and other documentation.
1854 3313bdf7 2021-03-24 deraadt
1855 3313bdf7 2021-03-24 deraadt <li>The system includes the following major components from outside suppliers:
1856 3313bdf7 2021-03-24 deraadt <ul>
1857 d07c24c0 2021-04-07 benno
1858 d07c24c0 2021-04-07 benno <li>Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
1859 8055af08 2021-04-13 matthieu freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 367,
1860 d07c24c0 2021-04-07 benno xkeyboard-config 2.20, fonttosfnt 1.2.1 and more)
1861 3313bdf7 2021-03-24 deraadt <li>LLVM/Clang 10.0.1 (+ patches)
1862 3313bdf7 2021-03-24 deraadt <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
1863 753672c4 2021-04-09 benno <li>Perl 5.32.1 (+ patches)
1864 78c13a26 2021-04-09 florian <li>NSD 4.3.6
1865 78c13a26 2021-04-09 florian <li>Unbound 1.13.1
1866 3313bdf7 2021-03-24 deraadt <li>Ncurses 5.7
1867 3313bdf7 2021-03-24 deraadt <li>Binutils 2.17 (+ patches)
1868 3313bdf7 2021-03-24 deraadt <li>Gdb 6.3 (+ patches)
1869 d07c24c0 2021-04-07 benno <li>Awk December 18, 2020 version
1870 d07c24c0 2021-04-07 benno <li>Expat 2.2.10
1871 3313bdf7 2021-03-24 deraadt </ul>
1872 3313bdf7 2021-03-24 deraadt
1873 3313bdf7 2021-03-24 deraadt </ul>
1874 3313bdf7 2021-03-24 deraadt </section>
1875 3313bdf7 2021-03-24 deraadt
1876 3313bdf7 2021-03-24 deraadt <hr>
1877 3313bdf7 2021-03-24 deraadt
1878 3313bdf7 2021-03-24 deraadt <section id=install>
1879 3313bdf7 2021-03-24 deraadt <h3>How to install</h3>
1880 3313bdf7 2021-03-24 deraadt <p>
1881 3313bdf7 2021-03-24 deraadt Please refer to the following files on the mirror site for
1882 3313bdf7 2021-03-24 deraadt extensive details on how to install OpenBSD 6.9 on your machine:
1883 3313bdf7 2021-03-24 deraadt
1884 3313bdf7 2021-03-24 deraadt <ul>
1885 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/alpha/INSTALL.alpha">
1886 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/alpha/INSTALL.alpha</a>
1887 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/amd64/INSTALL.amd64">
1888 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/amd64/INSTALL.amd64</a>
1889 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/arm64/INSTALL.arm64">
1890 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/arm64/INSTALL.arm64</a>
1891 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/armv7/INSTALL.armv7">
1892 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/armv7/INSTALL.armv7</a>
1893 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/hppa/INSTALL.hppa">
1894 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/hppa/INSTALL.hppa</a>
1895 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/i386/INSTALL.i386">
1896 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/i386/INSTALL.i386</a>
1897 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/landisk/INSTALL.landisk">
1898 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/landisk/INSTALL.landisk</a>
1899 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/loongson/INSTALL.loongson">
1900 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/loongson/INSTALL.loongson</a>
1901 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/luna88k/INSTALL.luna88k">
1902 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/luna88k/INSTALL.luna88k</a>
1903 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/macppc/INSTALL.macppc">
1904 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/macppc/INSTALL.macppc</a>
1905 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/octeon/INSTALL.octeon">
1906 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/octeon/INSTALL.octeon</a>
1907 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/powerpc64/INSTALL.powerpc64">
1908 8591d76c 2021-04-06 landry .../OpenBSD/6.9/powerpc64/INSTALL.powerpc64</a>
1909 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sgi/INSTALL.sgi">
1910 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/sgi/INSTALL.sgi</a>
1911 3313bdf7 2021-03-24 deraadt <li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.9/sparc64/INSTALL.sparc64">
1912 3313bdf7 2021-03-24 deraadt .../OpenBSD/6.9/sparc64/INSTALL.sparc64</a>
1913 3313bdf7 2021-03-24 deraadt </ul>
1914 3313bdf7 2021-03-24 deraadt </section>
1915 3313bdf7 2021-03-24 deraadt
1916 3313bdf7 2021-03-24 deraadt <hr>
1917 3313bdf7 2021-03-24 deraadt
1918 3313bdf7 2021-03-24 deraadt <section id=quickinstall>
1919 3313bdf7 2021-03-24 deraadt <p>
1920 3313bdf7 2021-03-24 deraadt Quick installer information for people familiar with OpenBSD, and the use of
1921 3313bdf7 2021-03-24 deraadt the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
1922 3313bdf7 2021-03-24 deraadt If you are at all confused when installing OpenBSD, read the relevant
1923 3313bdf7 2021-03-24 deraadt INSTALL.* file as listed above!
1924 3313bdf7 2021-03-24 deraadt
1925 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/alpha:</h3>
1926 3313bdf7 2021-03-24 deraadt
1927 3313bdf7 2021-03-24 deraadt <p>
1928 3313bdf7 2021-03-24 deraadt If your machine can boot from CD, you can write <i>install69.iso</i> or
1929 3313bdf7 2021-03-24 deraadt <i>cd69.iso</i> to a CD and boot from it.
1930 3313bdf7 2021-03-24 deraadt Refer to INSTALL.alpha for more details.
1931 3313bdf7 2021-03-24 deraadt
1932 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/amd64:</h3>
1933 3313bdf7 2021-03-24 deraadt
1934 3313bdf7 2021-03-24 deraadt <p>
1935 3313bdf7 2021-03-24 deraadt If your machine can boot from CD, you can write <i>install69.iso</i> or
1936 3313bdf7 2021-03-24 deraadt <i>cd69.iso</i> to a CD and boot from it.
1937 3313bdf7 2021-03-24 deraadt You may need to adjust your BIOS options first.
1938 3313bdf7 2021-03-24 deraadt
1939 3313bdf7 2021-03-24 deraadt <p>
1940 3313bdf7 2021-03-24 deraadt If your machine can boot from USB, you can write <i>install69.img</i> or
1941 3313bdf7 2021-03-24 deraadt <i>miniroot69.img</i> to a USB stick and boot from it.
1942 3313bdf7 2021-03-24 deraadt
1943 3313bdf7 2021-03-24 deraadt <p>
1944 3313bdf7 2021-03-24 deraadt If you can't boot from a CD, floppy disk, or USB,
1945 3313bdf7 2021-03-24 deraadt you can install across the network using PXE as described in the included
1946 3313bdf7 2021-03-24 deraadt INSTALL.amd64 document.
1947 3313bdf7 2021-03-24 deraadt
1948 3313bdf7 2021-03-24 deraadt <p>
1949 3313bdf7 2021-03-24 deraadt If you are planning to dual boot OpenBSD with another OS, you will need to
1950 3313bdf7 2021-03-24 deraadt read INSTALL.amd64.
1951 3313bdf7 2021-03-24 deraadt
1952 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/arm64:</h3>
1953 3313bdf7 2021-03-24 deraadt
1954 3313bdf7 2021-03-24 deraadt <p>
1955 1ba6a338 2021-04-19 jsg Write <i>install69.img</i> or <i>miniroot69.img</i> to a disk and boot from it
1956 1ba6a338 2021-04-19 jsg after connecting to the serial console. Refer to INSTALL.arm64 for more
1957 1ba6a338 2021-04-19 jsg details.
1958 3313bdf7 2021-03-24 deraadt
1959 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/armv7:</h3>
1960 3313bdf7 2021-03-24 deraadt
1961 3313bdf7 2021-03-24 deraadt <p>
1962 3313bdf7 2021-03-24 deraadt Write a system specific miniroot to an SD card and boot from it after connecting
1963 3313bdf7 2021-03-24 deraadt to the serial console. Refer to INSTALL.armv7 for more details.
1964 3313bdf7 2021-03-24 deraadt
1965 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/hppa:</h3>
1966 3313bdf7 2021-03-24 deraadt
1967 3313bdf7 2021-03-24 deraadt <p>
1968 3313bdf7 2021-03-24 deraadt Boot over the network by following the instructions in INSTALL.hppa or the
1969 3313bdf7 2021-03-24 deraadt <a href="hppa.html#install">hppa platform page</a>.
1970 3313bdf7 2021-03-24 deraadt
1971 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/i386:</h3>
1972 3313bdf7 2021-03-24 deraadt
1973 3313bdf7 2021-03-24 deraadt <p>
1974 3313bdf7 2021-03-24 deraadt If your machine can boot from CD, you can write <i>install69.iso</i> or
1975 3313bdf7 2021-03-24 deraadt <i>cd69.iso</i> to a CD and boot from it.
1976 3313bdf7 2021-03-24 deraadt You may need to adjust your BIOS options first.
1977 3313bdf7 2021-03-24 deraadt
1978 3313bdf7 2021-03-24 deraadt <p>
1979 3313bdf7 2021-03-24 deraadt If your machine can boot from USB, you can write <i>install69.img</i> or
1980 3313bdf7 2021-03-24 deraadt <i>miniroot69.img</i> to a USB stick and boot from it.
1981 3313bdf7 2021-03-24 deraadt
1982 3313bdf7 2021-03-24 deraadt <p>
1983 3313bdf7 2021-03-24 deraadt If you can't boot from a CD, floppy disk, or USB,
1984 3313bdf7 2021-03-24 deraadt you can install across the network using PXE as described in
1985 3313bdf7 2021-03-24 deraadt the included INSTALL.i386 document.
1986 3313bdf7 2021-03-24 deraadt
1987 3313bdf7 2021-03-24 deraadt <p>
1988 3313bdf7 2021-03-24 deraadt If you are planning on dual booting OpenBSD with another OS, you will need to
1989 3313bdf7 2021-03-24 deraadt read INSTALL.i386.
1990 3313bdf7 2021-03-24 deraadt
1991 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/landisk:</h3>
1992 3313bdf7 2021-03-24 deraadt
1993 3313bdf7 2021-03-24 deraadt <p>
1994 3313bdf7 2021-03-24 deraadt Write <i>miniroot69.img</i> to the start of the CF
1995 3313bdf7 2021-03-24 deraadt or disk, and boot normally.
1996 3313bdf7 2021-03-24 deraadt
1997 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/loongson:</h3>
1998 3313bdf7 2021-03-24 deraadt
1999 3313bdf7 2021-03-24 deraadt <p>
2000 3313bdf7 2021-03-24 deraadt Write <i>miniroot69.img</i> to a USB stick and boot bsd.rd from it
2001 3313bdf7 2021-03-24 deraadt or boot bsd.rd via tftp.
2002 3313bdf7 2021-03-24 deraadt Refer to the instructions in INSTALL.loongson for more details.
2003 3313bdf7 2021-03-24 deraadt
2004 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/luna88k:</h3>
2005 3313bdf7 2021-03-24 deraadt
2006 3313bdf7 2021-03-24 deraadt <p>
2007 3313bdf7 2021-03-24 deraadt Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
2008 3313bdf7 2021-03-24 deraadt from the PROM, and then bsd.rd from the bootloader.
2009 3313bdf7 2021-03-24 deraadt Refer to the instructions in INSTALL.luna88k for more details.
2010 3313bdf7 2021-03-24 deraadt
2011 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/macppc:</h3>
2012 3313bdf7 2021-03-24 deraadt
2013 3313bdf7 2021-03-24 deraadt <p>
2014 3313bdf7 2021-03-24 deraadt Burn the image from a mirror site to a CDROM, and power on your machine
2015 3313bdf7 2021-03-24 deraadt while holding down the <i>C</i> key until the display turns on and
2016 3313bdf7 2021-03-24 deraadt shows <i>OpenBSD/macppc boot</i>.
2017 3313bdf7 2021-03-24 deraadt
2018 3313bdf7 2021-03-24 deraadt <p>
2019 3313bdf7 2021-03-24 deraadt Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
2020 3313bdf7 2021-03-24 deraadt /6.9/macppc/bsd.rd</i>
2021 3313bdf7 2021-03-24 deraadt
2022 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/octeon:</h3>
2023 3313bdf7 2021-03-24 deraadt
2024 3313bdf7 2021-03-24 deraadt <p>
2025 3313bdf7 2021-03-24 deraadt After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
2026 3313bdf7 2021-03-24 deraadt Refer to the instructions in INSTALL.octeon for more details.
2027 3313bdf7 2021-03-24 deraadt
2028 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/powerpc64:</h3>
2029 3313bdf7 2021-03-24 deraadt
2030 3313bdf7 2021-03-24 deraadt <p>
2031 3313bdf7 2021-03-24 deraadt To install, write <i>install69.img</i> or <i>miniroot69.img</i> to a
2032 3313bdf7 2021-03-24 deraadt USB stick, plug it into the machine and choose the <i>OpenBSD
2033 3313bdf7 2021-03-24 deraadt install</i> menu item in Petitboot.
2034 3313bdf7 2021-03-24 deraadt Refer to the instructions in INSTALL.powerpc64 for more details.
2035 3313bdf7 2021-03-24 deraadt
2036 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/sgi:</h3>
2037 3313bdf7 2021-03-24 deraadt
2038 3313bdf7 2021-03-24 deraadt <p>
2039 3313bdf7 2021-03-24 deraadt To install, burn cd69.iso on a CD-R, put it in the CD drive of your
2040 3313bdf7 2021-03-24 deraadt machine and select <i>Install System Software</i> from the System Maintenance
2041 3313bdf7 2021-03-24 deraadt menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
2042 3313bdf7 2021-03-24 deraadt CD-ROM, and need a proper invocation from the PROM prompt.
2043 3313bdf7 2021-03-24 deraadt Refer to the instructions in INSTALL.sgi for more details.
2044 3313bdf7 2021-03-24 deraadt
2045 3313bdf7 2021-03-24 deraadt <p>
2046 3313bdf7 2021-03-24 deraadt If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
2047 3313bdf7 2021-03-24 deraadt server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
2048 3313bdf7 2021-03-24 deraadt system type. Refer to the instructions in INSTALL.sgi for more details.
2049 3313bdf7 2021-03-24 deraadt
2050 3313bdf7 2021-03-24 deraadt <h3>OpenBSD/sparc64:</h3>
2051 3313bdf7 2021-03-24 deraadt
2052 3313bdf7 2021-03-24 deraadt <p>
2053 3313bdf7 2021-03-24 deraadt Burn the image from a mirror site to a CDROM, boot from it, and type
2054 3313bdf7 2021-03-24 deraadt <i>boot cdrom</i>.
2055 3313bdf7 2021-03-24 deraadt
2056 3313bdf7 2021-03-24 deraadt <p>
2057 3313bdf7 2021-03-24 deraadt If this doesn't work, or if you don't have a CDROM drive, you can write
2058 3313bdf7 2021-03-24 deraadt <i>floppy69.img</i> or <i>floppyB69.img</i>
2059 3313bdf7 2021-03-24 deraadt (depending on your machine) to a floppy and boot it with <i>boot
2060 3313bdf7 2021-03-24 deraadt floppy</i>. Refer to INSTALL.sparc64 for details.
2061 3313bdf7 2021-03-24 deraadt
2062 3313bdf7 2021-03-24 deraadt <p>
2063 3313bdf7 2021-03-24 deraadt Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
2064 3313bdf7 2021-03-24 deraadt will most likely fail.
2065 3313bdf7 2021-03-24 deraadt
2066 3313bdf7 2021-03-24 deraadt <p>
2067 3313bdf7 2021-03-24 deraadt You can also write <i>miniroot69.img</i> to the swap partition on
2068 3313bdf7 2021-03-24 deraadt the disk and boot with <i>boot disk:b</i>.
2069 3313bdf7 2021-03-24 deraadt
2070 3313bdf7 2021-03-24 deraadt <p>
2071 3313bdf7 2021-03-24 deraadt If nothing works, you can boot over the network as described in INSTALL.sparc64.
2072 3313bdf7 2021-03-24 deraadt </section>
2073 3313bdf7 2021-03-24 deraadt
2074 3313bdf7 2021-03-24 deraadt <hr>
2075 3313bdf7 2021-03-24 deraadt
2076 3313bdf7 2021-03-24 deraadt <section id=upgrade>
2077 3313bdf7 2021-03-24 deraadt <h3>How to upgrade</h3>
2078 3313bdf7 2021-03-24 deraadt <p>
2079 2dc94401 2021-04-11 benno If you already have an OpenBSD 6.8 system, and do not want to reinstall,
2080 3313bdf7 2021-03-24 deraadt upgrade instructions and advice can be found in the
2081 3313bdf7 2021-03-24 deraadt <a href="faq/upgrade69.html">Upgrade Guide</a>.
2082 3313bdf7 2021-03-24 deraadt </section>
2083 3313bdf7 2021-03-24 deraadt
2084 3313bdf7 2021-03-24 deraadt <hr>
2085 3313bdf7 2021-03-24 deraadt
2086 3313bdf7 2021-03-24 deraadt <section id=sourcecode>
2087 3313bdf7 2021-03-24 deraadt <h3>Notes about the source code</h3>
2088 3313bdf7 2021-03-24 deraadt <p>
2089 3313bdf7 2021-03-24 deraadt <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
2090 3313bdf7 2021-03-24 deraadt This file contains everything you need except for the kernel sources,
2091 3313bdf7 2021-03-24 deraadt which are in a separate archive.
2092 3313bdf7 2021-03-24 deraadt To extract:
2093 3313bdf7 2021-03-24 deraadt <blockquote><pre>
2094 3313bdf7 2021-03-24 deraadt # <kbd>mkdir -p /usr/src</kbd>
2095 3313bdf7 2021-03-24 deraadt # <kbd>cd /usr/src</kbd>
2096 3313bdf7 2021-03-24 deraadt # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
2097 3313bdf7 2021-03-24 deraadt </pre></blockquote>
2098 3313bdf7 2021-03-24 deraadt <p>
2099 3313bdf7 2021-03-24 deraadt <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
2100 3313bdf7 2021-03-24 deraadt This file contains all the kernel sources you need to rebuild kernels.
2101 3313bdf7 2021-03-24 deraadt To extract:
2102 3313bdf7 2021-03-24 deraadt <blockquote><pre>
2103 3313bdf7 2021-03-24 deraadt # <kbd>mkdir -p /usr/src/sys</kbd>
2104 3313bdf7 2021-03-24 deraadt # <kbd>cd /usr/src</kbd>
2105 3313bdf7 2021-03-24 deraadt # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
2106 3313bdf7 2021-03-24 deraadt </pre></blockquote>
2107 3313bdf7 2021-03-24 deraadt <p>
2108 3313bdf7 2021-03-24 deraadt Both of these trees are a regular CVS checkout. Using these trees it
2109 3313bdf7 2021-03-24 deraadt is possible to get a head-start on using the anoncvs servers as
2110 3313bdf7 2021-03-24 deraadt described <a href="anoncvs.html">here</a>.
2111 3313bdf7 2021-03-24 deraadt Using these files
2112 3313bdf7 2021-03-24 deraadt results in a much faster initial CVS update than you could expect from
2113 3313bdf7 2021-03-24 deraadt a fresh checkout of the full OpenBSD source tree.
2114 3313bdf7 2021-03-24 deraadt </section>
2115 3313bdf7 2021-03-24 deraadt
2116 3313bdf7 2021-03-24 deraadt <hr>
2117 3313bdf7 2021-03-24 deraadt
2118 3313bdf7 2021-03-24 deraadt <section id=ports>
2119 3313bdf7 2021-03-24 deraadt <h3>Ports Tree</h3>
2120 3313bdf7 2021-03-24 deraadt <p>
2121 3313bdf7 2021-03-24 deraadt A ports tree archive is also provided. To extract:
2122 3313bdf7 2021-03-24 deraadt <blockquote><pre>
2123 3313bdf7 2021-03-24 deraadt # <kbd>cd /usr</kbd>
2124 3313bdf7 2021-03-24 deraadt # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
2125 3313bdf7 2021-03-24 deraadt </pre></blockquote>
2126 3313bdf7 2021-03-24 deraadt <p>
2127 3313bdf7 2021-03-24 deraadt Go read the <a href="faq/ports/index.html">ports</a> page
2128 3313bdf7 2021-03-24 deraadt if you know nothing about ports
2129 3313bdf7 2021-03-24 deraadt at this point. This text is not a manual of how to use ports.
2130 3313bdf7 2021-03-24 deraadt Rather, it is a set of notes meant to kickstart the user on the
2131 3313bdf7 2021-03-24 deraadt OpenBSD ports system.
2132 3313bdf7 2021-03-24 deraadt <p>
2133 3313bdf7 2021-03-24 deraadt The <i>ports/</i> directory represents a CVS checkout of our ports.
2134 3313bdf7 2021-03-24 deraadt As with our complete source tree, our ports tree is available via
2135 3313bdf7 2021-03-24 deraadt <a href="anoncvs.html">AnonCVS</a>.
2136 3313bdf7 2021-03-24 deraadt So, in order to keep up to date with the -stable branch, you must make
2137 3313bdf7 2021-03-24 deraadt the <i>ports/</i> tree available on a read-write medium and update the tree
2138 3313bdf7 2021-03-24 deraadt with a command like:
2139 3313bdf7 2021-03-24 deraadt <blockquote><pre>
2140 3313bdf7 2021-03-24 deraadt # <kbd>cd /usr/ports</kbd>
2141 3313bdf7 2021-03-24 deraadt # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_9</kbd>
2142 3313bdf7 2021-03-24 deraadt </pre></blockquote>
2143 3313bdf7 2021-03-24 deraadt <p>
2144 3313bdf7 2021-03-24 deraadt [Of course, you must replace the server name here with a nearby anoncvs
2145 3313bdf7 2021-03-24 deraadt server.]
2146 3313bdf7 2021-03-24 deraadt <p>
2147 3313bdf7 2021-03-24 deraadt Note that most ports are available as packages on our mirrors. Updated
2148 3313bdf7 2021-03-24 deraadt ports for the 6.9 release will be made available if problems arise.
2149 3313bdf7 2021-03-24 deraadt <p>
2150 3313bdf7 2021-03-24 deraadt If you're interested in seeing a port added, would like to help out, or just
2151 3313bdf7 2021-03-24 deraadt would like to know more, the mailing list
2152 3313bdf7 2021-03-24 deraadt <a href="mail.html">ports@openbsd.org</a> is a good place to know about.
2153 3313bdf7 2021-03-24 deraadt </section>