Module name: src
Changes by: deraadt@cvs.openbsd.org 2014/08/05 08:35:47

Modified files:
usr.sbin/httpd : config.c

Log message:
spaces

Module name: src
Changes by: deraadt@cvs.openbsd.org 2014/08/05 08:36:10

Modified files:
usr.sbin/httpd : server_http.c

Log message:
retire blink because this is serious software now; ok beck

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 09:36:59

Modified files:
usr.sbin/httpd : config.c httpd.c httpd.conf.5 httpd.h logger.c
parse.y server.c

Log message:
Improve logging to allow per- server/location log files. The log
files can also be owned by root now: they're opened by the parent and
send to the logger process with fd passing. This also works with reload.

ok deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 10:30:36

Modified files:
usr.sbin/httpd : httpd.h server_http.c

Log message:
Limit the number of (Keep-Alive) requests per connection to 100.
(Same default as in nginx and Apache).

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 10:34:03

Modified files:
sbin/iked : iked.conf.5

Log message:
Fix an example, nat-to requires to specify the "out" direction in pf rules.

From "Vigdis" via misc@
can go in deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 10:35:37

Modified files:
usr.sbin/hostapd: hostapd.conf.5

Log message:
Fix an example: hostapd table entries have to be comma-separated.

From "Vigdis" via misc@
can go in deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 10:46:35

Modified files:
usr.sbin/httpd : parse.y

Log message:
Add srv_conf helper variable to make the code more readable.
No functional change.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 11:03:21

Modified files:
usr.sbin/httpd : httpd.conf.5 parse.y

Log message:
Bring back the tcp/ip configuration options. This code was already
there and is from relayd. We can decide later which options should
be added or removed, but it shouldn't do any harm.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 11:13:16

Modified files:
usr.sbin/httpd : httpd.conf.5

Log message:
Tweak the httpd.conf manpage with "sub-lists".

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/05 12:01:11

Modified files:
etc/examples : httpd.conf
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y
server_http.c

Log message:
Add configuration options for the most-important connection limits:
max requests (per connection) and timeout. We don't want to add too
many button, and there are good defaults, but these ones are kind of
mandatory.

Module name: src
Changes by: mpi@cvs.openbsd.org 2014/08/05 14:26:15

Modified files:
sys/dev/usb : ehci.c ohci.c uhci.c

Log message:
Only check if the abort transfer is the interrupt one if the pipe is
opened with a callback.

If a driver opens an interrupt pipe without callback function, like
umct(4) does with one of its bulk in endpoints being reported as an
interrupt endpoint, then we can end up aborting a transfer which is
different from the interrupt one.

Issue reported by Roberto E. Vargas Caballero, ok deraadt@

Module name: www
Changes by: gonzalo@cvs.openbsd.org 2014/08/05 15:23:33

Modified files:
. : events.html

Log message:
Add BSDDay Argentina 2014

Module name: www
Changes by: nick@cvs.openbsd.org 2014/08/05 18:49:01

Modified files:
faq : faq11.html

Log message:
s=<a href="http://www.openbsd.org/cgi-bin/cvsweb=http://cvsweb.openbsd.org/cgi-bin/cvsweb=" rel="nofollow">http://www.openbsd.org/cgi-bin/cvsweb=http://cvsweb.openbsd.org/cgi-bin/cvsweb=</a>
(new domain for man pages). Lots more to come!

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/05 19:54:01

Modified files:
lib/libressl : ressl.c ressl.h ressl_config.c ressl_internal.h

Log message:
Add support for loading the public/private key from memory, rather than
directly from file.

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/05 20:04:42

Modified files:
usr.sbin/httpd : config.c httpd.8 httpd.h parse.y server.c

Log message:
Load the SSL public/private keys in the parent process, then provide them
to the privsep process via imsg. This allows the keys to be moved out of
the chroot (now /etc/ssl/server.crt, /etc/ssl/private/server.key).

ok reyk@

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/05 20:31:47

Modified files:
usr.sbin/httpd : httpd.8

Log message:
Explain the options in httpd.8

ok deraadt@

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/05 20:34:23

Modified files:
distrib/notes : INSTALL m4.common
distrib/notes/amd64: contents install xfer
distrib/notes/i386: contents install xfer

Log message:
Add signify instructions plus miniroot and install56.fs for amd64/i386

ok deraadt@

Module name: src
Changes by: guenther@cvs.openbsd.org 2014/08/05 22:28:21

Modified files:
lib/libssl/src/crypto/evp: evp_key.c

Log message:
Correct error checks in EVP_read_pw_string_min(): UI_add_input_string()
and UI_add_verify_string() return -1 (and maybe -2?) on failure and
&gt;=0 on success, instead of always zero on success

problem reported by Mark Patruck (mark (at) wrapped.cx)
ok miod@

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/05 22:39:50

Modified files:
usr.sbin/httpd : server.c

Log message:
add missing va_start/va_end calls
ok deraadt@ guenther@

Module name: www
Changes by: deraadt@cvs.openbsd.org 2014/08/05 23:26:43

Modified files:
. : events.html

Log message:
fix typo

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/05 23:47:40

Modified files:
usr.sbin/httpd : httpd.8

Log message:
Add an overview of the features for httpd in the description section.

"commit" deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 03:34:21

Modified files:
usr.sbin/httpd : server_http.c

Log message:
Add braces. Style-only change.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 03:36:31

Modified files:
usr.sbin/httpd : httpd.h server.c server_file.c

Log message:
Adjust the read/write watermarks according to the TCP send buffer.
This fixes sending of large files. Previously, httpd was reading the
input file too quickly and could run out of memory when filling the
input buffer.

Found by jsg@
OK florian@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 03:40:04

Modified files:
usr.sbin/httpd : server.c

Log message:
Bring back the last read (done) / last write (done) messages instead of just
"done" to simplify connection debugging.

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 05:24:12

Modified files:
usr.sbin/httpd : server.c server_file.c

Log message:
The watermark exposed a bug in server_write that broke keep-alive
support. Instead of calling server_close from server_write, we have
to proceed to the next connection by calling the error handler.

OK jsg@

http://undeadly.org/cgi?action=article&sid=20140806125308

Contributed by [phessler](http://www.openbsdfoundation.org/donations.html) on Wed Aug 6 12:42:48 2014 (GMT)
from the you know it's urgent dept.

Longtime Undeadly editor, Peter Hessler (phessler@) writes in:

> With the g2k14 hackathon starting on tuesday, I saw the commits and chatter from the hackathon. sadly, my original plan was to stay at work mostly since I am out of vacation days for the year. Thursday morning, I see that not only were a few more hackathon shirts being printed for attendees that wanted more, but also last-minute flights to Ljubljana were actually affordable. I nudged claudio@, who works at the desk next to me "hey, want to go to the hackathon for the weekend?"

> He nods yes, so we rush to book everything. The flights left Friday after work, and returned stupid early on Monday morning so we could go back to work. We arrive in the evening on Friday, and run into Bob et al, who were just returning from a celebratory dinner after the first release of LibreSSL portable.
>
> During the hackathon I worked mostly in the installer/upgrader. I wanted to be able to have one more [enter] to whack when upgrading a laptop with softraid crypto, so I had the upgrader detect if the first disk partition 'a' is of type RAID, and if it is, then skip it. I still need to test on strange arches, and to check for corner cases.
>
> Another project was to support installing onto softraid crypto directly from within the installer. I have a working prototype, but again, lots of corner cases and testing still remains. I did end up doing a clean install on my main laptop with it, so it does work for simple cases.
>
> I also talked with rpi@ about the ability to auto-upgrade entirely from the local system. This would entail booting from bsd.rd, and it detecting a specially named file on the root partition, and doing the upgrade blindly. Risky, but if you have a remotely hosted system, with no console or access to the network, you may not have many options.
>
> None of these will make it to 5.6, but I hope to have them in -current not long after unlock.
>
> There was a big grand discussion involving the network stack hackers, and some of the low-level kernel experts, about the status of the network stack and MP, and where we wanted to go, and how to get there. Most of the discussion was figuring out which pieces can be split up, and where we should put the fences.
>
> I was at the previous hackathon in Ljubljana, and just like last time, had a fantastic time. Many thanks to Mitja for organizing the event, and special thanks for getting things organized for us last minute slackers!

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/06 06:29:43

Modified files:
usr.sbin/httpd : logger.c

Log message:
avoid displaying a NULL pointer
ok deraadt@ reyk@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 06:56:58

Modified files:
usr.sbin/httpd : logger.c parse.y server.c

Log message:
spacing

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/06 07:40:18

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
Content-Length and Content-Type are transmitted as CONTENT_LENGTH and
CONTENT_TYPE environment variables to cgi scripts, without the HTTP_
prefix.
OK reyk@

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/06 09:08:04

Modified files:
usr.sbin/httpd : httpd.h server.c server_fcgi.c server_http.c

Log message:
http POST support
with &amp; OK reyk@

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/06 09:15:16

Modified files:
sys/arch/alpha/mcbus: mcbus.c

Log message:
fix an off by one
ok deraadt@

Module name: src
Changes by: jsg@cvs.openbsd.org 2014/08/06 09:40:40

Modified files:
sys/arch/vax/if: if_qe.c sgec.c

Log message:
Correct some dma cleanup error paths.

While the index variables were correct the arrays of
dma handles they indexed were swapped for rx and tx.

As there are a mismatched number of rx and tx descriptors
we'd walk off the end of the rx handle array by 30 items.

ok deraadt@

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/06 10:01:44

Modified files:
lib/libssl/src/crypto/evp: encode.c

Log message:
Allow B64_EOF to follow a base64 padding character. This restores previous
behaviour that allows a PEM block to be fed through the base64 decoder.

Reported by Dmitry Eremin-Solenikov on tech@

ok deraadt@ tedu@

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/06 10:09:02

Modified files:
usr.sbin/httpd : httpd.h parse.y server.c

Log message:
Configure the default SSL ciphers as HIGH:!aNULL.

ok deraadt@ reyk@

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/06 10:10:02

Modified files:
usr.sbin/httpd : server.c

Log message:
Also clean up the public key when it is no longer needed.

ok deraadt@ reyk@

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/06 10:11:34

Modified files:
usr.sbin/httpd : parse.y

Log message:
Provide configuration options that allow the SSL certificate, key and
ciphers to be specified for each server.

ok deraadt@ reyk@

Module name: src
Changes by: ajacoutot@cvs.openbsd.org 2014/08/06 10:13:48

Modified files:
distrib/zaurus/ramdisk: install.md

Log message:
sysctl machdep.ztsscale has been unused for 7 years, so stop handling it.
s/TAB/SPACE for the wsconsctl.conf comment like we do with sysctl.conf
in MI.

"get this in fast" deraadt@
ok ratchov@ who will test it in the next few hours

Module name: src
Changes by: jsing@cvs.openbsd.org 2014/08/06 10:31:09

Modified files:
usr.sbin/httpd : httpd.conf.5

Log message:
Document the SSL configuration for httpd (partly based on relayd.conf(5)).

Module name: xenocara
Changes by: jsg@cvs.openbsd.org 2014/08/06 11:00:09

Modified files:
lib/libpciaccess/src: openbsd_pci.c

Log message:
calloc the pci_sys struct before probing for PCI.
As the functions check if the member pointers are NULL but not the
pointer to the struct itself.

Reworked version of a diff from ratchov@ who created it to prevent a
xserver crash on zaurus where there is no PCI.

'looks ok' matthieu@, ok deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 12:21:14

Modified files:
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y
server_http.c

Log message:
Limit the body size in client requests (eg. POST data) to 1M by default;
add a configuration option to change the limit.

ok florian@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 12:38:11

Modified files:
usr.sbin/httpd : server.c server_fcgi.c

Log message:
Use memset(buf instead of memset(&amp;buf.

Pointed out by deraadt@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 12:40:15

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
Always zero-out the fcgi record header for STDIN data.

OK florian@

Module name: src
Changes by: guenther@cvs.openbsd.org 2014/08/06 13:31:30

Modified files:
sys/nfs : nfs_kq.c

Log message:
Support NOTE_EOF for kqueue EVFILT_READ filters on NFS files.

committing for jsg@, ok reyk@ tedu@ guenther@

Module name: src
Changes by: miod@cvs.openbsd.org 2014/08/06 14:11:09

Modified files:
lib/libssl/src/ssl: d1_srvr.c

Log message:
Prevent a possible use after free by mimicing the s3_srvr.c fixes contributed by
Adam Langley close to three years ago, which were commited in
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e7928282d0148af5f28fa3437a625a2006af0214" rel="nofollow">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e7928282d0148af5f28fa3437a625a2006af0214</a>

ok jsing@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 14:29:54

Modified files:
etc/examples : httpd.conf
usr.sbin/httpd : httpd.conf.5 parse.y

Log message:
Change grammar to remove a shift/reduce conflict that was introduced
with the ssl options.
"listen on $ip port 443 ssl" turns into "listen on $ip ssl port 443".

ok florian@

Module name: src
Changes by: florian@cvs.openbsd.org 2014/08/06 14:56:23

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
If the very first fcgi STDOUT record has length 0 the cgi script
didn't send anything back. This is an internal server error.
OK reyk@

Module name: src
Changes by: reyk@cvs.openbsd.org 2014/08/06 15:08:47

Modified files:
usr.sbin/httpd : server_fcgi.c

Log message:
Write STDERR from the CGI to the web server error log as intended.

OK florian@

Module name: src
Changes by: doug@cvs.openbsd.org 2014/08/06 16:33:08

Modified files:
usr.sbin/httpd : httpd.8

Log message:
Mention how httpd responds to SIGHUP and SIGUSR1.

Description from reyk@

Module name: src
Changes by: deraadt@cvs.openbsd.org 2014/08/06 17:16:16

Modified files:
lib/libssl/src/ssl: t1_lib.c

Log message:
merge fix for CVE-2014-3510
basically a missing s-&gt;hit check
ok guenther

Module name: src
Changes by: deraadt@cvs.openbsd.org 2014/08/06 19:24:10

Modified files:
lib/libssl/src/ssl: s3_clnt.c

Log message:
merge CVE-2014-3510; Fix DTLS anonymous EC(DH) denial of service
<a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=17160033765480453be0a41335fa6b833691c049" rel="nofollow">https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=17160033765480453be0a41335fa6b833691c049</a>
ok bcook