This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Changes made between OpenBSD 6.0 and 6.1
- Disabled smtpd(8) client-initiated renegotiation.
- Used m_devget(9) to replace ure(4) code which incorrectly assumes a received packet must fit into a single mbuf cluster, potentially fixing observed pool corruption.
- Set the interface flag to VMIFF_UP when using the vmctl(8) -i option, making vmd(8) ensure the interfaces are up on startup.
- Allowed additional protocol matching to enable umodem(4) to attach to the serial console on the OverDrive 1000.
- Fixed a panic triggered by init(8) on the OverDrive 1000 with A1120 (Cortex A57 r1p2) after changing vfp state.
- Prevented editing messages in mail(1) from corrupting the mailbox.
- Stopped rejecting etherip(4) packets protected with ipsec(4).
- Added iked(8) support for RFC 4754 (ECDSA) and RFC 7427 authentication.
- Fixed the prefixlen sent by RTM_NEWADDR on new addresses without masks.
- Implemented a missing command in vioblk(4) and allowed > MAXPHYS transfers, allowing Ubuntu 14.04 amd64 guests to work.
- Added support for additional Allwinner H3 clocks to sxiccmu(4).
- Implemented TLS ticket support in httpd(8). This is off by default and can be enabled with a 2h ticket lifetime.
- Booted in vmd(8) using BIOS from /etc/firmware/vmm-bios by default. The "vmm" BIOS must be installed using fw_update(1).
- Updated to Mesa 13.0.6.
- Implemented mvxhci(4), a driver for Marvell's XHCI controller, and mvahci(4), for Marvell's AHCI controller. These enable use of USB and SATA, respectively, on devices like the SolidRun ClearFog or Omnia Turris.
- Prevented panics on the ClearFog by not loading the empty memory region mainline u-boot provides into uvm(9).
- Handled interrupts after retiring a cpuid instruction, allowing vmd(8) to proceed.
- Implemented kernel W^X for arm64.
- Added tmux(1) support for the strikethrough attribute (SGR 9).
- Prevented unusable configurations where both WEP and WPA are active by disabling one when a key for the other is set.
- Fixed errors in NS8250 (UART) vmm(4) emulation that had caused seabios not to be able to output data.
- Showed inet6 proposals in route(8) monitor.
- Read the free clusters bitmap in 1MB chunks, rather than attempting to read it all at once, which caused a panic in malloc(9) with large NTFS filesystems.
- Added sensorsd(8) command line option -f to specify an alternative config file.
- Released OpenSSH 7.5.
- Enabled snooping on Kaby Lake U/Y PCH HDA in azalia(4) to avoid audio glitches.
- Matched the Kaby Lake and Lewisburg (Skylake-EP PCH) MACs with I219 PHYs.
- Added Intel Kaby Lake and 3168/8265 wlan pci(4) device ids.
- Added AMD A1100 pci(4) ids and additional qemu and virtio devices.
- Introduced slaacd(8), a Stateless Address Autoconfiguration Daemon.
- Fixed brk(2) and synced the brk()/sbrk() aarch64 implementation with arm.
- Enabled dhcrelay6(8), implementing RFCs 3315, 4649 and 6221.
- Added h and l for collapse and expand in tmux(1) choose mode with vi(1) keys.
- Configured and applied the multitouch-tracking functions of wsmouse to ubcmtp(4).
- Handled various shutdown and reboot cases in vmmci(4), allowing powering off the VM even when unresponsive, stuck in ddb or shutdown on the VM guest side.
- Closed the tty when a vmd(8) VM is powered down.
- Added minimal support for deep linking into man(7) pages to mandoc(1).
- Fixed a segfault when sshd(8) attempts to load RSA1 keys and protocol v.1 support is enabled for the client.
- Updated LLVM to 4.0.0.
- Modified mg(1) to keep the current buffer instead of switching to scratch when aborting switch-to-buffer, bringing mg in line with emacs.
- Ported ctags-style, less(1) :t internal searching from terminal output to HTML output in mandoc(1).
- Printed title="..." in addition to id="..." attributes for macro keys in mandoc(1) that can be searched for by apropos(1), such that the semantic function appears in a tooltip when hovering with the mouse.
- Resolved simultaneous IKE and Child SA rekeying in iked(8).
- Made ifconfig(8) "scan" show WPA information for other APs correctly while the interface operates in hostap mode.
- Stopped limiting physmem to 2GB on arm64.
- Brought SROP mitigation to arm64.
- Added code to initialize the USB 3 PHY on Exynos 5.
- Allowed ssh(1) to use certificates accompanied by a private key file but no corresponding plain *.pub public key.
- Added support for RTL8153 devices.
- Made ifconfig(8) "scan" display AP encryption correctly if WEP is configured on the local wifi interface.
- Fixed a panic in pfsync(4) when the syncdev is destroyed.
- Disabled writing of autolinks in mandoc(1) to prevent writing of potentially dangerous raw HTML tags with markdown.
- Introduced "machdep.forceukbd" to force the first USB keyboard as console input, allowing use of a USB keyboard in ddb(4) even if the BIOS emulates a pckbd(4).
- Added a -Dsnap option to pkg_add(1) that forces %c to use snapshots.
- Fixed autoboot on the OverDrive 3000.
- Added exrtc(4), a driver for the RTC found on Samsung Exynos SoCs.
- Ensured that the mirror server ends up in installurl(5) when the distribution sets are fetched from a mirror and the siteXX.tgz file is fetched from a local server.
- Always created the installurl(5) file during installation and upgrade if not present.
- Fixed a use-after-free when sending usb(4) root hub control transfers.
- Made the armv7 kernel recognize all the memory on the Odroid XU4.
- Explicitly loaded bootaa64.efi on the ESP to allow the SoftIron OverDrive 3000 to load without manual intervention.
- Accepted RSA keys when updating ssh(1) hostkeys if HostkeyAlgorithms contains any RSA keytype.
- Fixed case insensitivity to hostname matching in ssh(1).
- Fixed a regression in ssh(1) 7.4 server-sig-algs where SHA2 RSA signature methods were excluded.
- Enabled amphy(4) for udav(4) and urlphy(4) for url(4).
- Plugged file descriptor leaks of auth_sock in ssh(1).
- Fixed ssh(1) hashing of hosts with a port number.
- Enabled syscon(4) on armv7, allowing reboot of the Odroid XU4.
- Fixed an off-by-one error in xnf(4) which led to ring stalls when the consumer index equaled the consumer event index.
- Added syscon(4), a driver providing reboot/poweroff functionality through the generic "regmap" interface.
- Added a "regmap" interface allowing devices to provide access to their registers to drivers elsewhere in the device tree.
- Corrected the TLS error message displayed by nc(1) if the handshake after accept fails.
- Fixed the logic in sq(4) preventing it from receiving broadcast frames before configuring an address, allowing use of dhclient(8).
- Made the arm64 ramdisk installer copy the rpi3 u-boot to the installed disk.
- Prevented mandoc(1) memory exhaustion due to user-defined macros exceeding the stack limit by discarding what remains in the open stack levels on abort.
- Used the target mask for the boot CPU upon ampintc(4) attachment to pick the target CPU interface when establishing an interrupt, allowing interrupts to work on machines that boot up on a CPU attached to a CPU interface that isn't zero.
- Changed priq enqueue policy to drop lower priority packets, allowing high priority traffic a place in the queue and low priority bulk traffic a chance to regulate its throughput.
- Corrected handling of TLS PRF with MD5+SHA1 in ssl(3).
- Introduced recallocarray(3), a blend of calloc(3) and reallocarray(3) which additionally clears released memory.
- Corrected tmux(1) collection of strings when on terminals not supporting UTF-8.
- Saved and restored the cursor in tmux(1) when redrawing a combined UTF-8 character in its existing position so the next character is added in the correct place.
- Attached exiic(4) and other exynos drivers using the FDT.
- Stopped copying the on-disk /etc/hosts file to the bsd.rd /tmp dir for use during upgrade, and switched to creating a minimal hosts file that does not risk filling the filesystem.
- Provided a rolling handshake hash in ssl(3) which starts when the cipher suite has been selected, and converted the final MAC to use this handshake hash.
- Updated to Unicode 8.
- In 11n hostap mode, dynamically adjusted HT protection settings based on the presence of non-HT nodes in the node cache. OpenBSD 11n APs will now disable HT protection if it is not necessary. Fixed display of HT protection settings in tcpdump(8).
- Allowed R (resize auto-partition) after A as well as when started with -A in disklabel(8).
- Sent VPLS MAC withdrawals in ldpd(8) as specified by RFC 4762, which can improve convergence time in VPLS networks.
- Implemented RFC 5561 (LDP Capabilities), RFC 5918 (Typed Wildcard FEC), RFC 6667 (Typed Wildcard FEC for PWid) and RFC 5919 (LDP End-of-LIB) in ldpd(8).
- Implemented support for PWid group wildcards in ldpd(8) as specified in RFC 4447.
- Allowed specification of an alternate control socket in ldpd(8), needed to run multiple instances. Additionally, allowed ldpd to run on a non-default rdomain.
- Introduced mandoc(1) -mdoc -Tmarkdown output mode.
- Fixed ssh-keygen(1) -H corrupting known_hosts containing entries which have already been hashed.
- Enabled FFS2 on armv7 and arm64 ramdisks.
- Added the new sysctl(2) machdep.lidaction to allow hibernating or suspending when the lid closes.
- Added a "locked lladdr" option in vm.conf(5) to prevent VMs from spoofing MAC addresses.
- Allowed MPLS switching and VPLS across rdomains.
- Fixed a bug allowing a man-in-the-middle attack against WPA wireless clients. A malicious AP could trick clients into connecting to itself rather than the desired AP, then all frames would be sent in the clear.
- Added an "owner" option to vm.conf(5) to set user/group ownership for pre-configured VMs, allowing matching users console access and the power to start/stop VMs.
- Dynamically attached edma(4) using the FDT.
- Created the /etc/installurl file during upgrade if a mirror was used and the file did not yet exist.
- Modified the installer logic to determine the default answer for the "Location of sets?" question. Presents "http" as the default answer if /etc/installurl exists, correcting an issue where "cd" was overriding "http".
- Handled touchpad input in wsmouse(4).
- Bumped block size for dd(1) for arm64, for a substantial speed increase.
- Added support to psci(4) for the older generation spec of PSCI, which supports shutdown and reset only if the function ID is explicitly provided in the device tree.
- Switched to xenodm(1).
- Updated Mesa to 13.0.5.
- Attached acpithinkpad(4) to LEN0268 HID, found on newer thinkpads.
- Implemented ampintcmsi(4) in ampintc(4) to support MSI for arm64.
- Implemented an API for establishing legacy PCI interrupts for amd64.
- Introduced pciecam(4), a driver for generic ECAM compatible PCI host controllers.
- Introduced the "e" command to dc(1), equivalent to "p" but writing to stderr.
- Added a generic ahci(4) frontend for FDT and enabled ahci(4) on arm64.
- Added acpisbs(4), an ACPI smart battery subsystem driver reading data over smbus.
- Added pledge(2) to man.cgi(8).
- Allowed specification of an alternate socket path in eigrpctl(8).
- Stopped grabbing the NET_LOCK() when using poll(2) on unix domain sockets, fixing the "X freeze" while scanning with wireless interfaces.
- Disabled BFD to allow continued work on unlocking the socket layer.
- Updated to unbound(8) 1.6.1 release.
- Bumped the default size of the MSDOS partition on octeon from 16MB to 32MB.
- Used memcpy(3) a character row at a time to the framebuffer in rasops(9), rather than sending pixel by pixel. This greatly speeds up the text framebuffer on some EFI implementations.
- Fixed asynchronous system traps on arm64, allowing processes to be killed using Ctrl-C.
- Restored a local change to xkeyboard-config(7) to handle Ctrl-Alt-Backspace to kill X by default.
- Removed trailing whitespace in the installer that ended up passing a bogus argument to ftp(1), disabling redirection and running ftp in the background.
- Added SMP config and IPI control logic for the Loongson 3A.
- Added an IPI counter to mips64.
- Added EDNS0 support, allowing for various DNS extensions, including UDP DNS packets larger than 512 bytes.
- Added miniroot and ramdisk hooks for the Raspberry Pi 3. The u-boot-aarch64 and raspberrypi-firmware packages are now required to run make release on arm64.
- Updated to nsd(8) 4.1.15.
- Updated to unbound(8) 1.6.1rc3.
- Implemented ddb(4) backtrace support for arm64.
- Fixed ipcomp(4) with IPv6 transport mode.
- Fixed a bug in chmod(1)'s symbolic mode without -h and -R flags where permissions on the symbolic link were nonetheless changed.
- Surrounded the host name with brackets in ssh(1) for ProxyJump/-J to allow use of literal IPv6 addresses.
- Increased UDP packet buffer to 4096 bytes from 512 to handle broken DNS servers not attempting to use EDNS0.
- Restored the keyboard backlight value on system resume for asmc(4).
- Added a new implementation of a standalone LMTP client to smtpd(8).
- Fixed powerdown with vmmci(4) VMs using a shutdown and no reset.
- Allowed negation of the authenticated keyword in smtpd(8), i.e. "accept ! authenticated [...]".
- Created an empty /root/.ssh/authorized_keys file with correct permissions.
- Corrected handling of ldapd(8) requests to delete individual attribute values.
- Disabled aen handling on mfii(4), which led to excessive load.
- Introduced naming of tmux(1) session groups, allowing use of these names with -t instead of a target session.
- Fixed relayd(8) and relayctl(8) to show "send/expect failed" rather than "tcp read timeout" when appropriate.
- Correctly released the NET_LOCK() before calling unp_detach().
- Fit the installer to 80 columns.
- Updated to xkeyboard-config 2.20.
- Stopped potentially freeing a grant table entry still in use due to an incorrect test while allocating, which may allow a second allocation in xen(4).
- Used an additional poll(2) during tls_handshake() in nc(1) and respected the -w timeout option to avoid waiting in a busy loop. Applied the same fix to tls_close().
- Retried BS->ExitBootServices() if it fails on EFI boot for arm64, as in amd64.
- Correctly flushed and invalidated the instruction cache upon entering a page with pmap_enter(9), allowing use of the AMD Seattle.
- Raised ampintc(4) IRQs to the proper levels, allowing interrupts to work on the AMD Seattle SoC.
- Updated to terminfo-20170128.
- Enabled the short slot time feature in 802.11n mode.
- Improved parsing of the HTTP request line in httpd(8), allowing quick detection of non-ASCII requests.
- Enabled per-CPU caches on mbuf pools and stopped counting individual pool items, limiting mbufs by how much memory can be allocated for pages by the system.
- Handled physical disk state changes in mfii(4).
- Listed openfiles-max explicitly in default /etc/login.conf files to prevent raising openfiles-cur over the implicit -max value, which resulted in the setting not being applied at all.
- Implemented Dynamic Profiling for i386.
- Implemented mfii(4) scsi command timeouts.
- Added the ability for MegaRAID SAS fusion chips to abort tasks in mfii(4).
- Implemented intr_barrier(9) for arm64.
- Updated libdrm to 2.4.75.
- Added support to nc(1) for IPv6 proxy addresses.
- Updated Perl to 5.24.1.
- Prevented a netlock-related deadlock with the X server during iwm(4) scans.
- Prevented arm64 efiboot failures by ensuring data are saved before turning off the MMU and removing cache contents.
- Added a connection username to ssh(1) packet log messages and a preamble string for disconnect messages.
- Added a window or pane id "tag" to each format tree and used it to separate jobs in tmux(1).
- Fixed 11b clients sending bogus ratesets in association requests and rates when an AP is selected after a scan.
- Fixed a bug in vmt(4) that led a "guest shutdown" to result in a reboot.
- Fixed httpd(8) support for HTTP pipelining by handling all requests in the buffer.
- Synced the video(4) V4L2 (Video for Linux Two) API with Linux kernel version 4.10-rc6.
- Prevented panics in hostap mode by removing unnecessary global counters from struct ieee80211com.
- Disabled client-initiated TLS renegotiation by default in relayd(8).
- Correctly skipped pages marked as unreadable rather than aborting a uvm(9) core dump.
- Fixed bioctl on mfi(4).
- Added AMRR support to rtwn(4).
- Implemented "all event" (1003) mouse mode in tmux(1).
- Disabled client-initiated renegotiation for libtls servers.
- Reimplemented httpd(8) support for byte ranges, preventing overuse of memory and applying the watermark and throttling mechanisms to range requests.
- Prevented athn(4) from using RTS for non-data frames and stopped athn 11n hostap from applying HT protection to non-11n clients.
- Built mkuboot(8) on arm64.
- Made MiRA handle out-of-range single frame error rate (SFER) values.
- Re-enabled cross-binutils now that parts can be built on aarch64.
- Added a fallback to treating a page as preformatted text if mandoc(1) parsing reveals that it is neither mdoc(7) nor man(7).
- Disabled pgt(4) and acx(4) on sparc64 due to kernel space constraints, allowing GENERIC.MP to boot again on the T5220.
- Fixed rtwn(4) IQ calibration code.
- Allowed selection of the routing domain to be used for kill states by host or by label by adding a "-V rdomain" option to pfctl(8).
- Prevented pkg_info(1) "-e spec" cases where the spec would be displayed rather than the name of the package.
- Fixed a failure of pkg_add(1) + signify(1).
- Enabled psci(4) and plrtc(4) for arm64.
- Enabled NET_LOCK().
- Constructed a BN_gcd_nonct to avoid the possibility of a side-channel timing attack during RSA private key generation.
- Added the arm64 architecture.
- Added "-S no verifytime" to ftp(1) to permit an unvalidated TLS connection when the time is unknown.
- Prevented use of control and space characters in the answer to the "System hostname" installation question.
- Added support for SVM in vmd(8).
- Added a -groups option to openssl(1) s_client, allowing specification of supported EC curves as a colon-separated list.
- Added support for setting the openssl(1) supported EC curves, changing the default list of EC curves to be X25519, P-256 and P-384.
- Updated LLVM to 4.0.0 rc1.
- Prevented a deadlock by allocating a new file descriptor in accept(2) and accept4(2) before checking whether the socket head's queue is empty and possibly sleeping.
- Added the display of process groups to ddb(4)'s "ps /w".
- Fixed the 6x_bootscript u-boot commands to work with SABRE Lite boards.
- Displayed the thread ID rather than the process group ID in ddb(4)'s default "ps" view, allowing easy use of "tr /p".
- Added support for multiple transmit ifqueues per network interface.
- Introduced TLS ticket support.
- Renamed pfind into tfind(9) to reflect that it deals with threads.
- Fixed "make release" for use of the KEEPKERNELS setting by including "make cleandir" right before building kernels.
- Fixed a race for multi-threaded processes by allocating all memory chunks (and potentially sleeping) before freeing the old array of open files.
- Added bcmdog(4), a watchdog timer for the Raspberry Pi.
- Enabled simplefb(4) on arm64.
- Added the openprom(4) interface to arm64.
- Switched spamd(8) to nonblocking descriptors so a short write can be obtained when the socket buffers are full, rather than blocking.
- For arm64 machines which don't load the kernel at the start of physical memory (e.g. Raspberry Pi 3), changed pmap(9) to avoid mapping memory outside kernel VA space.
- Added drivers for the Raspberry Pi 3.
- Built gpioctl(8) and hotplugd(8) on arm64.
- Added support for creating RAMDISK kernels for arm64.
- Built firmware for usb devices on arm64.
- Disabled TLS session cache and tickets by default.
- Provided clang(1) as cc, c++ and cpp, and lld as ld(1).
- Introduced the KEEPKERNELS variable: when set in mk.conf or the environment, "make cleandir" does not descend into kernel build directories, ensuring kernel object files survive "make build" on slower architectures.
- Added the build infrastructure for lld.
- Updated to xf86-input-vmmouse 13.1.0.
- Disabled the shader cache in Mesa (which relied on 64 bit operations) on powerpc, restoring 3D functionality.
- Fixed races of iwm(4) driver code against MiRA timeouts, which could lead to crashes in situations like changing channels while the interface is up.
- Added the acme-client(1) option domain full chain certificate "path".
- Implemented acme-client(1) domain chain certificates.
- Added Allwinner A64 devices to OpenBSD/arm64, allowing use on the Pine64.
- Removed acme-client(1) command line arguments -a/c/f/k/s/C in favor of using these in the configuration file, specified by "-f configfile" and viewable with the new -n option. Also changed command line option -n to -A for a new account key and -N to -D for a new domain key.
- Added support for the Allwinner A64 PIO controller clock.
- Added support for the Allwinner A64 (sun50i-a64) to sxipio(4).
- Changed bsd.obj.mk to only chown(8) :wobj when the command will succeed, allowing use of bsd.prog.mk outside /usr/src by users not belonging to the wobj group.
- Implemented EHCI and MMC clock support for the Allwinner A64 SoC in sxiccmu(4).
- Started creating and using installurl(5), created during installation if an OpenBSD mirror server is used to download sets. This file is used by the installer, syspatch(8), and pkg_add(1). Retired use of the /etc/pkg.conf file.
- Added a warning in iked(8) when the address pool is exhausted.
- Added per-cpu counters for rtstat.
- Added output packet counters to the ifq structure.
- Changed /etc/mirror.conf to /etc/installurl.
- Ceased sending IPv6 atomic fragments in response to CVE-2016-10142.
- Added a method by which the SABRE Lite/BD-SL-i.MX6 u-boot may load a dtb and bootarm.efi, then call bootefi.
- Updated Mesa to 13.0.3.
- Fixed a panic when removal of the BFD flag on a route(8) was attempted after deletion of the route.
- Enabled TKIP as pairwise cipher when the wpaprotos option for ifconfig(8) enables WPA1, fixing a problem where WPA1 could not be used without using the wpaciphers option to enable TKIP.
- Made mandoc(1) HTML output more human readable by introducing simple indentation and altering line break logic around tags.
- Allowed pflow(4) changing of receiver and sender ip/port without switching address family.
- Changed spamd(8) -l to use getaddrinfo(3) so that strings will provide useful error messages and IPs and hostnames may be parsed as an argument to bind(2).
- Added printing of the interface mtu of RTM_IFINFO messages in route(8) monitor mode.
- Fixed a panic when set-field with VLAN is set in switch(4), but no VLANs are classified in the packet.
- Updated to nsd(8) 4.1.14.
- Fixed a kernel crash associated with 11n hostap by resetting block ack state and canceling related timeouts when a HT node disassociates.
- Prevented a wireless frame injection attack where an attacker knowing the WPA group key might inject a unicast frame by sending a group-encrypted frame to the AP with particular addresses set, which the AP then forwarded as unicast.
- Updated the clang(1) build infrastructure for LLVM 3.9.1.
- Added HTTPS proxy support for ftp(1) with ssl.
- Made it possible to remove VMs from the internal queue in vmd(8).
- Added support for draft-ietf-idr-shutdown to bgpd(8).
- Fixed timeout in traceroute(8) when poll(2) returns after receiving a packet not intended for it.
- Disabled and locked the Silicon Debug feature on modern Intel CPUs. This implements a countermeasure against using Direct Connect Interface (DCI) to debug CPUs via USB3.
- Added vmmci(4), a simple guest-side driver for vmm(4) VMs.
- Updated to FreeType-2.7.1.
- Fixed the less(1) -t command for the case when it goes down by just a few lines, clearing the status before printing content on the last line of the screen.
- Finished initial 11n support for athn(4), supporting MCS 0-15 in client and hostap mode.
- Added an imsg communication channel between vmd(8) and individual virtual machines.
- Stopped an error message in the installer by checking whether /tmp/i/hosts exists before calling "sed -i" on it.
- Stopped ftp(1) from attempting to read .netrc when anonymous FTP is forced (-a).
- Removed mfc hash tables and used the OpenBSD routing table for multicast routes, allowing access to the multicast routes in route(8).
- Edited syspatch(8) checksum handling to match the installer.
- Prevented arm64 execution of kernel pages by userland and user pages by the kernel, and userland reads of executable pages that were not mapped explicitly with a read flag. Made a distinction between executing and reading pages.
- Increased strictness of the pledge(2) of the ramdisk version of the ftp(1) client, which operates only in URL mode.
- Added rd(4) to the arm64 list of devices.
- Added 64 bytes of entropy from Hyper-V hosts into the kernel entropy pool via acpihve(4).
- Added smfb(4) display of resolution and color depth when attaching.
- Stopped requiring 11n wireless drivers to provide an ic_ampdu_rx_start() function, fixing receiving A-MPDUs with an 11n-enabled athn(4) driver.
- Fixed audio distortion with azalia(4) on the Acer TravelMate B117-M.
- Used a verified list of distribution set files for installation extracted from the SHA256.sig file signed by the OpenBSD project.
- Converted multiple daemons to use a shared log.c file.
- Added sxirtc(4) support for the RTC found on the Allwinner H3.
- Added Intel Xeon E5v4 pci(4) ids.
- Avoided a side-channel cache-timing attack that could leak the ECDSA private keys when signing.
- Fixed boot(8) crashing on some amd64 machines when booting from softraid crypto.
- Highlighted all occurrences of the tmux(1) search string after searching in copy mode.
- Fixed a crash in sort(1) when "sort -m" is given no files.
- Enforced https for connections to ftplist.cgi and ftpinstall.cgi on platforms which have TLS-enabled ftp(1).
- Updated compiler-rt to version 3.9.1.
- Added the -delete option to find(1).
- Added simplefb(4), a driver to support the framebuffer set up by the firmware on some platforms that use device trees. Works on Allwinner (sunxi) and Raspberry Pi (broadcom) armv7 platforms.
- Added https support to the OpenBSD installer.
- Enabled listening on more than one listen address for UDP and TCP by syslogd(8), allowing acceptance of network input via both IPv4 and IPv6.
- Enabled the xbf(4) driver for the paravirtual disk interface "Blkfront," native to the Xen hypervisor.
- Added the Cortex A32 CPU.
- Wiped all WPA parameters, including the 802.1x configuration, when WPA is disabled on an interface.
- Connected to the syspatch(8) test repository over https.
- In passwd(1), cleared the buffer used when the user retypes the new password.
- Added ftp(1) SSL support, allowing the install script to perform https fetches.
- Fixed an ssh(1) deadlock when keys/principals commands produce a lot of output and a key is matched early.
- Updated to terminfo-20161126.
- Fixed EFI_CALL() to pass arguments properly in efiboot when the number of arguments is 0.
- Discarded the pf(4) packet statekey only if invalid, allowing its use to establish a reverse link.
- Converted a relative path to an absolute one with realpath(3) before chdir(2) when syslogd(8) has been started with a relative path. This allows the program to re-exec itself after startup of the privsep parent or when restarting after a SIGHUP.
- Added support for the second sxipio(4) device on the Allwinner A80.
- Allowed using 11n mode with APs not advertising support for all of MCS 0-7.
- Skipped rates not supported by both peers when calculating the set of MCS rates below a particular MCS.
- Passed through cacheline size information to vmm(4) guests, preventing failures running Java.
- Implemented booting from softraid on 4K sector disks.
- Added support for the second sxipio(4) device on the Allwinner H3.
- Added support for "arm,gic-400" to ampintc(4).
- Supported p2p links in ripd(8) where endpoints aren't in the same subnet.
- Updated and added wide character support types to arm64.
- Fixed efiboot to read disklabels on 4K sector size disks properly by converting the sector number in the partition table to the sector number in 512 byte blocks.
- Added a "muststaple" option to ftp(1), so that OCSP stapling can be required for sites expected to provide it.
- Extended the size of user virtual address space from 2GB to 1TB on mips64, improving ASLR and complementing W^X added earlier on some systems, improving the architecture's security.
- Removed PIM support from the multicast stack.
- Added support for ECDHE with X25519 to ssl(3).
- Added octmmc(4), a driver for the OCTEON MMC host controller.
- Fixed a bug in pax(1) where archives smaller than 512 bytes would trigger a next volume prompt.
- Disabled TKIP (WPA1) by default.
- In ifconfig(8), made "ifconfig if0 wpa" and "ifconfig if0 -wpa" reset WPA parameters to their defaults, and made "ifconfig if0 wpaprotos" reset WPA crypto parameters to settings appropriate for the specified WPA protocol version.
- Compiled libc++ and libc++abi with clang by default, allowing our build system to self-host after the initial clang bootstrap.
- Added experimental support for xen(4) device hot-plugging.
- Prevented an "ifa == rt->rt_ifa" assertion panic by removing interface addresses in the case of a route add error.
- Extended the multicast sockets and multicast hash table support to multiple domains.
- Introduced the NET_LOCK(), a rwlock used to serialize accesses to the part of the network stack not yet ready to be executed in parallel or where new sleeping points are not possible.
- Released OpenSSH 7.4.
- Fixed an off by one when saving and restoring an array of registers in arm64.
- Implemented support for cross-compiling arm64 in Makefile.cross.
- Completed implementation of TKIP countermeasures in hostap mode.
- Prevented an mpath conflict for /32 RTF_CLONING routes by inserting a RTF_CLONED route at a higher priority than its parent.
- Imported OpenBSD/arm64.
- Fixed IO clock speed and system reset on Octeon III.
- Added a dhcrelay(8) command-line option for replacing Relay Agent Information on the incoming packets.
- Added the xp(4) driver for LUNA's I/O processor.
- Provided the "machdep.lidsuspend" sysctl on Loongson.
- Added support for Intel Bluetooth devices found on x250 and x260 Thinkpads.
- Allowed vmctl(8) to start disabled and pre-configured VMs by name.
- Implemented support for cold reboot of a guest in vmm(4).
- Added the TSC timecounter and used it on Skylake machines.
- Disabled Unix-domain socket forwarding when privsep is disabled in ssh(1).
- Fixed dhcrelay(8) support on enc(4) interfaces.
- Printed the correct netmask instead of /0 when flushing a route(8).
- Made v6 tunnel address handling consider IPv6 scope.
- Implemented dhcrelay(8) support for layer 2 relaying and added further Relay Agent Information options per RFC 3046.
- Passed WSDISPLAYIO_{GET,SET}PARAM to ws_{get,set}_param in efifb(4), allowing the brightness on some machines to be adjusted through wsconsctl(8).
- Added support for the FTDI Suunto dive computers to uftdi(4).
- Added umsm(4) support for Option iCON 505 devices.
- Updated Mesa to 13.0.2.
- Corrected xbf(4) driver attachment failure when optional feature properties aren't found.
- Added support for MIMO Tx rates (MCS 8-15) to iwm(4).
- Stopped enabling HT protection (RTS) unconditionally in iwm(4) if the AP requires protection from 20MHz-only STAs on a 40MHz channel, as we do not support 40MHz channels.
- Fixed tmux(1) send-keys with UTF-8.
- Added fdt_attach_args and simplebus for implementing fdt-capable drivers on octeon.
- Made it possible to install patches with syspatch(8) even if not all sets are installed. Syspatch will skip the patch but continue to list it as available, allowing later use if sets are installed in the future.
- Supported relay of DHCP requests through multiple relays in dhcrelay(8), rather than dropping requests already relayed. A hop counter will be incremented with each relay, per RFC 1542, and requests with this value exceeding 16 are silently dropped.
- Forwarded packets not only as L3 broadcasts, but also as L2, when the BROADCAST flag is set on a BOOTREPLY in dhcrelay(8).
- Applied pledge(2) to dhcrelay(8) with "stdio route".
- Added MiRA support to iwn(4).
- Cleaned up syspatch(8) directories not containing a tarball, meaning the syspatch was not applied properly.
- Added xbf(4), a driver for Xen Blkfront.
- Made prefix work in all tmux(1) tables, allowing C-b to be bound in the copy mode tables.
- Fixed potential buffer overflow(s) in link_ntoa(3) as described by CVE-2016-6559. This prevents a stack overflow of a static buffer in libc, triggered by a particular struct sockaddr_dl argument, that allowed writes to arbitrary locations in the data segment.
- Allowed booting of X552 SFP+ without a module plugged in.
- Prevented loss of the default route when netstart(8) is run a second time on the interface pointed to by that route.
- Fixed a panic by ensuring iwm(4) calls ieee80211_mira_choose() only while in RUN state.
- Fixed hostctl(8) -t on vmm(4) VMs.
- Made ssh(1) IdentityFile successfully load and use certificates that have no corresponding bare public key.
- Generated an explicit error when running syspatch(1) on an unsupported release.
- Ensured syspatch(1) rollback tarballs created from empty lists of files result in errors, rather than attempting to patch installations with missing base sets and incomplete rollback tarballs.
- Harmonized battery state thresholds across platforms.
- Fixed ssh(1) public key authentication when multiple authentication is in use.
- Implemented the connection state machine for OpenFlow 1.0 and 1.3 in switchd(8) to detect invalid state transitions and invalid protocol version switching after the hello messages exchange.
- Added "lldp" to the ether protocol name database.
- Changed "menu-window" to display all windows in cwm(1), adding "menu-window-hidden" to recreate the original behavior.
- Replaced "bind" and "mousebind" options in cwm(1) with "bind-key" and "bind-mouse".
- Updated media types upon SFP module change in ix(4).
- Switched the iwm(4) driver to MiRA rate adaptation in 11n mode.
- Added a new implementation of MiRA, a rate scaling algorithm for 802.11n, designed for use with MIMO and Tx aggregation.
- Implemented usermod(8) -g =uid functionality to create a new group with a unique UID.
- Stopped overlaying DMA fragment descriptors with free list handling, decreasing the risk of races due to caching and/or prefetching between the HC and DMA engine.
- Added a sshd_config(5) DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding.
- In ssh(1), refused to accept a certificate forced-command when it also appears in an authorized keys/principals command= restriction unless they are identical.
- Made send -N work for all keys in tmux(1), not just in copy mode.
- Corrected a bit test in user(8) that made it impossible to set a password hash with usermod(8) if an additional flag was specified.
- Added support for the Allwinner sun7i-a20-mmc to sximmc(4).
- Implemented basic support for boot.conf(8) on the vmd(8) disk image.
- Set -m/memory size of a VM to 512M if not specified in vmctl(8).
- Added the vmctl(8) start -n option to add a network interface to the specified virtual switch.
- Fixed a potential double-free in vmd(8) when ufs_open() has failed.
- Increased the default datasize limit in login.conf(5) on amd64 from 512M to 768M, allowing xenocara to be built with extra options in malloc.conf.
- Removed DHO_ROUTERS and DHO_STATIC_ROUTES options from the effective lease in dhclient(8) when DHO_CLASSLESS_[MS_]STATIC_ROUTES are present, in accordance with RFC 3442.
- Added AArch64 backend build infrastructure.
- Enabled support for the X550 family of 10 Gigabit controllers in ix(4).
- Stopped manually adding a route to an alias IP via 127.0.0.1 in the installer, as this is now automatically handled by the kernel.
- Fixed active media reporting for multi-speed fiber modules in ix(4).
- Added vmd(8) support for booting the kernel from the disk image, making the kernel/-k argument optional. If not specified, the /bsd kernel will be sought in the primary hd0a partition of the first disk image itself.
- Forbade combining af-to with route-to in pfctl(8).
- Fixed a switch(4) panic on detach hook when interfaces are destroyed.
- Implemented switchd(8) support for version negotiation using hello messages, preventing connections from switching the version in the middle of the operation.
- Used CPUID flags to allow hyperv(4) to determine working components and avoid attaching when Xen viridium emulation is turned on.
- Added disabled VMs into vmd(8)'s queues and allowed vmctl(8) to display them.
- Added support for Allwinner sun9i-a80-usb-mod-clk and sun9i-a80-usb-phy-clock compatible clocks to sxiccmu(4).
- Added the ability to change media type to ix(4).
- Disabled a code path on Loongson 2 that uses a MIPS64r2 register not implemented by the CPU, preventing boot failure.
- Turned on the ix(4) PHY power during attach, as it can be disabled by booting into another OS.
- Made "addlocal" an alias to "add" on bridge(4), as it does not distinguish between routing/forwarding ports.
- Made tcpdump(8) indicate basic rates listed in beacons with an asterisk.
- Set iwm(4)'s RTS retry limit to a more reasonable value, preventing small frames from getting stuck in the firmware's Tx queue.
- Enabled builds with a dedicated user that cannot elevate privileges or write to /usr/src or /usr/xenocara. Enabled builds with a dedicated user for xenocara.
- Updated libdrm to 2.4.73.
- Fixed "addlocal" ports on switch(4).
- Recognized active SFP+ DA modules as IFM_10G_SFP_CU in ix(4).
- Added support for multiple listening sockets to snmpd(8). The default is to listen on 0.0.0.0 and ::, allowing better handling of dual-stack setups.
- Added drivers for PCI host bridge and built-in UARTs on Loongson 3A.
- Made iwm(4) pass Tx/Rx MCS rates to bpf(4) to allow examination with tcpdump(8).
- Added an extra check that the hop-by-hop header is always the first extension header after the IPv6 header in pf(4).
- Inherited route(8) label when creating dynamic routes for path MTU.
- Fixed tmux(1) dragging not to stop when the wheel is pressed.
- Added support for the Sierra Wireless EM7455 LTE module.
- Serialized posts to the txstart register in re(4), preventing tx stall.
- Turned on margins in tmux(1).
- Added support for lid state detection in ykbec(4).
- Added a simple openflow client to switchctl(8) to dump switch(4) information.
- Checked for available space before installing a patch with syspatch(8).
- Copied mips64 memmove(3) data by using 64-bit loads and stores rather than 32-bit operations, roughly doubling the routine's throughput.
- Increased the number of TX descriptors to 256 in hvn(4), increasing the NVS message ring size and resulting in a performance improvement of about 30%.
- Reflected interface priorities when inserting RTF_CONNECTED routes, fixing a bug where bringing interfaces up and down when multiple RTF_CLONING routes exist for a given subnet could make it impossible to insert new ARP/NDP entries.
- Automatically created a default lo(4) per rdomain, with unit number matching the rdomain and index stored in the rtable/rdomain map.
- Added a type for counters to malloc(3) and added wrappers around common operations on percpu counters.
- Updated to xf86-video-ati 7.7.1.
- Fixed a crash in tmux(1) with run-shell -b and no window pane available.
- Added support for Allwinner sun9i-a80-apb1-clk compatible clocks to sxiccmu(4).
- Fixed truncated display of UTF-16 decoded elements in ifconfig(8).
- Added the Apple NVMe controller pci(4) id.
- Improved source IP address handling in snmpd(8) by sending replies using a source address equal to the destination address of queries and introducing a configuration option to snmpd.conf(5) to set the source address of packets sent to trap receivers.
- Stopped installing perl(1) .ph files.
- Respected -Ooffset for the disklabel location in makefs(8).
- Added support for sun9i-a80, the Allwinner A80, to sxiccmu(4) and sxipio(4).
- Added a disklabel(8) option creating a disklabel with the information provided by disktab(5).
- Taught switch(4) device read(2) operations to behave like a stream socket, allowing userland programs to use it without special treatment.
- Supported more than one tag entry for the same search term in mandoc(1).
- Only used the routing table for source address selection when processing IP options, and ensured the next hop is directly reachable when IPOPT_SSRR is set.
- Implemented support for flow-mod message validation in switchd(8).
- Split various kernel process IDs from TID, giving processes a PID unrelated to the TID of their initial threads.
- Bumped ftp(1)'s cipher default from "all" to "legacy."
- Added OCSP stapling support to httpd(8).
- Added interrupt handling routines for Loongson 3A.
- Added an auto-login mode to xenodm(1).
- Validated address ranges for AllowUser/DenyUsers at ssh(1) configuration load time and refused to accept bad ones, fixing a problem where invalid CIDR address ranges always matched.
- Added support for server side OCSP stapling to libtls and nc(1).
- Added crypto(3) support for X25519.
- Removed the obj, xobj and src directories from the base set, so local setups will not be overwritten during upgrades.
- Enabled crypto(3) assembler code for nist 256p curve on amd64.
- Stopped processing more than three consecutive TLS records in ssl3_read_bytes() to prevent a peer from causing a loop.
- Implemented a Key-Value Pair exchange interface via a text-based pvbus(4) interface.
- Fixed libtls OCSP handshakes.
- Corrected CONSPEED for octeon to the original 115200.
- Updated x11proto to 7.0.31.
- Added OCSP client side support to libtls.
- Required secure defaults for TLS with acme-client(1).
- Made it possible to change the link layer address on cnmac(4) interfaces.
- Used x2APIC if it is enabled by BIOS.
- Added the -d flag to the cvs(1) update command, so directories are created with "cvs up".
- Raised the mtu on myx(4) devices to 9380 bytes.
- Allowed the installer to verify local set files even if the prefetch area would not fit on the local disk by searching for and creating a prefetch area only for nonlocal sources.
- Truncated lengths of ip packets encapsulated in gre(4) or etherip(4) if they would cause the position to go past snapend in tcpdump(8).
- Fixed an issue where the installer was not able to fetch local sets without a SHA256.sig file in a directory unreachable by the unprivileged users.
- Improved the security model of vmm(4) by restricting pledged vmm processes to prevent use of vmm ioctls on other VMs.
- Updated to FreeType 2.7. Subpixel hinting, also known as ClearType hinting, is now enabled by default.
- Removed the option to set hints on pages in the malloc(3) cache.
- Prevented an integer underflow in tcpdump(8).
- Stopped forcing RTS for every frame in 11n mode on iwn(4).
- Stopped pf(4) once rules from attempting to remove their parent rules.
- Stopped using a bitfield in the vmm(4) msr store index structure to prevent VMABORTs during vmentry.
- Accepted carp(4) advertisements whose destination is not for multicast.
- Deduplicated the CRS parsing code and handled acpi(4) implementations, fixing a problem where the wrong number of resources were defined inside the EC device, preventing initialization of acpiec(4).
- Fixed bind(2) of link local addresses to raw sockets.
- Masked and unmasked the interrupt source in an intx-specific interrupt handler, fixing lockups on nvme(4) controllers.
- Repaired ssh(1) port forwarding for non-privileged ports as a non-root user.
- Fixed issues with redundant dhcpd(8) servers and CARP-using interfaces by comparing server-identifiers and rejecting packets only after applying the value specified in dhcpd.conf(5).
- Disabled xterm(1) Tektronix 4014 emulation.
- Made the IPv6 network stack simply drop empty non-atomic fragments, rather than attempting to insert them into the queue.
- Updated nsd(8) to 4.1.13.
- Only attached sxitimer(4) on sun4i and sun5i, as the timers on later SoCs lack the 64 bit counter used as a timecounter here, and have generic timers instead.
- Removed short option names for makefs -o.
- Exited autoinstall in the case of missing or duplicate mountpoints, as well as when a template is rejected by disklabel(8).
- Added xenodm(1), a stripped down xdm (X Display Manager) for OpenBSD.
- Stopped disabling the external pl310 l2 cache on pandaboard.
- Taught tcpdump(8) how to read OpenFlow packets.
- Fixed a panic when using tmpfs when an Access Flag fault happens on a kernel page.
- Attached sxitimer(4) using the FDT.
- Used deterministic pseudo-random numbers when the -T flag is used with makefs(8), allowing repeatable builds.
- Stopped setting MIIF_AUTOTSLEEP in fec(4) and sxie(4), which had led to tsleep in an interrupt context, causing panics.
- Added support for the acpi(4) timer opcode.
- Implemented a driver for Marvell's Mbus bridge.
- Fixed the clock on the Olimex A10s OLinuXino-Micro board by running sxitimer(4) from the 24MHz clock.
- Added NetWM-compliant fullscreen support to video(1).
- Added generalized access to per cpu data structures and counters, cpumem_get(9) and counters_alloc(9).
- Added vmm(4) for i386.
- Mitigated against mpii(4) device attachment racing with mountroot.
- Removed support for fixed ECDH cipher suites.
- Stopped forcing iwm(4) to use RTS for all frames unless required by the AP.
- Fixed a mandoc(1) bug where macro searches returned pages containing only the first specified macro of a set.
- Fixed an ntpd(8) random termination bug by preserving child process IDs.
- Corrected early termination in bgpd(8) when a max-prefix of 1 in bgpd.conf(5) would close the session on the first prefix.
- Added the ddb(4) examine /m format, "display in unsigned hex with character dump at the end of each line."
- Corrected an issue when openbsd.randomdata was made readonly which led to poor random number generation in the kernel early on.
- Installed a signal handler for tty-generated signals and waited for the ssh(1) child to suspend before suspending ftp(1), allowing ssh to restore the terminal mode as needed when suspended at the password prompt.
- Randomized the MAC address in vmd(8) on the host side if not specified by the user. The prefix is incremented by one to differentiate from those addresses generated by OpenBSD in the kernel: fe:e1:bb:xx:xx:xx.
- Added the vmd(8) option to specify an interface group per virtual switch, to be added to all VM tap(4) interfaces in the switch.
- Removed the artificial maximum number of unix domain sockets in syslogd(8).
- Ensured mbufs are clean when a packet is reinserted to local input processing, and that the packet is in the routing domain of the interface where it is inserted.
- Rewrote tmux(1) command queue handling to add a global command queue and avoid multiple nested command queues.
- Imported makefs(8), a tool to create filesystem images from a directory, supporting cd9660, ffs and msdosfs. Used this to build bsd.rd.
- Updated libdrm to 2.4.71.
- Switched rebound(8) to a re-exec model to reduce sharing.
- Allowed adding an interface to a vmd(8) interface group with the group keyword.
- Fixed cvs(1) update -r and -A to correctly set or reset the sticky tags for files.
- Changed the default non -b behavior of config(8) to operate with the new compile behavior:
  - create a Makefile including ../Makefile.inc
  - run "make obj" to create the obj directory
  - run "make config" to use the logic in ../Makefile.inc to re-run config with the correct -b options, creating a layout in obj/
  - exit 0
- Moved kernel builds to compile/CONFIG/obj@ -> /usr/obj/... and committed stock GENERIC and RAMDISK kernels to ensure the src tree can be "readonly" during builds, de-escalating to $BUILDUSER as required.
- Added bgpd(8) and bgpctl(8) support for draft-ietf-idr-large-community (later RFC 8092).
- Displayed unknown attributes and information known about a prefix when looking at its details in bgpctl(8).
- Fixed revision lookups for cvs(1) branches.
- Added support for BCE (background color erase) to tmux(1).
- Fixed a logic issue in header parsing in smtpd(8) which could cause smtp(1) sessions to hang.
- Taught tcpdump(8) to decode bgp path attribute draft-ietf-idr-large-community.
- Added the hostname to the display in systat(1).
- Renamed the cdce(4) CDCE_ZAURUS option to CDCE_CRC32 for clarity.
- Added a -N flag to tmux(1) command-prompt to execute a command as soon as a non-number key is pressed in copy mode.
- Enabled vmm(4) on amd64.
- Allowed four vio(4) interfaces in each VM and fixed a bad interrupt assignment causing IRQ9 to be shared between the second disk device and the interfaces, causing poor network performance.
- Added "fattr" to the pledge(2) promises made by make -t, which uses utimes(2) for its touch(1) built-in.
- Added partial UTF-8 line editing support for ksh(1) vi input mode.
- Fixed an off by one error in sed(1) when no matches were found in a substitute.
- Added support for double and triple clicking in tmux(1) and used these for select-word and select-line in copy mode.
- Converted tmux(1) copy mode key bindings from vi-copy and emacs-copy to copy-mode or copy-mode-vi. Keys are bound to "send-keys -X copy-mode-command".
- Added support for UTF-8 in the tmux(1) command prompt.
- Enabled the noperm option for mount_mfs(8).
- Unregistered the ssh(1) KEXINIT handler after receipt of the message, preventing an unauthenticated peer from repeating the KEXINIT and causing allocation of up to 128MB until the connection is closed.
- Stopped echoing RFC 3046/Option 82/Relay Agent Information in dhcpd(8).
- Added psci(4), a driver for the reset and power down portion of the ARM Power State Coordination Interface (PSCI) specification.
- Updated to xkeyboard-config 2.19.
- Attached sxiccmu(4) using the FDT.
- Re-enabled fetching sets from local sources as root.
- Fixed a heap overflow in the sysctl(8) code.
- Stopped using MIPS64r2 instructions on Loongson 2.
- Prevented infinite loops for uvm_init(9) amap allocations with >=2^17 slots.
- Made iwn(4) write an MCS index into the radiotap rate field and enabled display of the MCS with tcpdump(8).
- Made sxidog(4) set cpuresetfn.
- Dynamically attached sysreg(4) and sxipio(4) using the FDT.
- Fixed SD/MMC on the Beaglebone Black and Pandaboard.
- Fixed large I/Os to RAID5 volumes with many chunks by setting the maximum number of CCBs in a work unit to the number of chunks.
- Implemented a driver for Marvell Armada's clock gates.
- Switched rebound(8) to read resolv.conf to find upstream name servers, automatically restarting if that file changes. Started listening on port 54 to avoid collisions with other DNS servers and used the dnsjackport sysctl(2) to steal DNS connections from libc.
- Introduced sysctl(2) KERN_DNSJACKPORT to hijack DNS sockets. When set to a port number, all DNS socket connections will be redirected to localhost:port.
- Supported the Marvell Armada's system controller to allow reset of the machine.
- Added switchd(8) support for multipart replies and implemented a simple ofp 1.3.5 error message sending function.
- Added a driver for the Marvell Armada 380 core clock.
- Fixed vxlan(4) to align 32 bit at the outer IP header and comply with the assumptions of ether_input().
- Honored the permissions of the root directory on mount(8) with the "noperm" option.
- Enabled pledge(2) in vmm(4) and the VM processes.
- Enabled switchd(8) and switchctl(8).
- Correctly terminated VMs on shutdown of vmd(8).
- Per RFC 6842, modified dhcpd(8) to echo the client-identifier value, disambiguating packets for relays and clients when chaddr is 0. Also forced dhclient(8) to drop packets when the server provides a client-identifier value not matching the value sent by the client.
- Enabled hardware VLAN tagging on hvn(4). A PowerShell command must be executed to configure trunk(4) mode on virtual interfaces.
- Used BUILDUSER as the owner of new links/directories created in "make obj" when started as root. Built kernels as root to avoid permission issues when the source tree is not owned by ${BUILDUSER}.
- Improved performance in hostap mode for rt2560 chips by disabling RTS for long frames in ral(4).
- Per RFC 5424, added millisecond precision timestamps to syslogd(8).
- Fixed the audio(4) condition used to decide whether to automatically start the device, preventing a device opened in full-duplex mode from starting with an empty play buffer.
- Made imxdog(4) set cpuresetfn and then removed the unneeded sections of the imx platform, including the imx board IDs.
- De-escalated to an unprivileged user during "make build" and "make release". DESTDIR must be on a partition with the noperm flag set for "make release" to work correctly as an unprivileged user.
- Added support to vm.conf(5) for enhanced networking configuration and virtual switches.
- Added cwm(1) CM-a for "nogroup".
- Allowed bgpd(8) route announcement based on a route-label.
- Determined mute status at the time of acpithinkpad(4) attach, to be used later by the audio subsystem.
- Switched syslogd(8) to use RFC 5424 ISO format for timestamps with -Z option, converting all logging to UTC.
- Added a new vmd(8) "priv" process, responsible for ioctls and restricted operations not allowed under pledge(2).
- Stopped supporting SUDO builds.
- Avoided a potential MITM in acme-client(1) by using a single tls_config.
- Converted timeouts needing a process context to timeout_set_proc(9) where use of rtalloc_mpath(9) inside ip_output() might require a write lock.
- Fixed an smtpd(8) smtp session logic bug which could lead to a server crash.
- Prevented two potential deadlocks by avoiding holding timeout_mutex while interacting with the scheduler.
- Disabled sitaracm and added the new ompinmux(4) driver for omap pin muxing/pad configuration that attaches with the FDT, handling 16- and 32-bit values.
- Set IFCAP_VLAN_MTU capability in cpsw(4), avoiding "ifconfig: SIOCSETVLAN: No buffer space available" when creating vlan interfaces without first lowering the mtu.
- Implemented switchd(8) socket server code, ofrelay, which properly handles async I/O, partial/multiple messages, connection limits and file descriptor accounting.
- Implemented ssh(1) proxy mux mode.
- Implemented fork+exec for vmd(8).
- Removed support for pre-authentication compression from ssh(1).
- Added logic for figuring out CPU clock rate and usable memory areas by using Loongson EFI.
- Fixed a kernel panic when destroying interfaces attached to the switch(4) without prior removal.
- Ran acpidump(8) at system startup and stored ACPI tables in the /var/db/acpi directory for later use by sendbug(1).
- Taught ntpd(8) how to use socket status to shut down the daemon and its constraint process to use exec*() instead of just forking, allowing use of pledge(2).
- Removed xscale support from arm.
- Taught switchd(8) how to create flows for new connections using OpenFlow 1.3.5 and implemented the OXM filters to use with flow matching and Set-Action.
- Added sysctl(2) kern.allowkmem (default 0) which controls the ability to open /dev/mem or /dev/kmem at securelevel > 0.
- Introduced the hashfree(9) function to free hash tables.
- Attached imxocotp(4) using the FDT.
- Reworked Per Packet Info handling in hvn(4), bringing support for IP and protocol checksum offloading and initial code for hardware VLAN tagging and jumbo frames.
- Removed sqlite3.
- Added the Yamaha UR22 audio interface and a quirk to allow it to attach as uaudio(4).
- Added a fix to ssl(3) to avoid unbounded memory growth triggered by a TLS client repeatedly sending OCSP status request TLS extensions.
- Switched m88k to RELRO.
- Added the plain curve25519-sha256 KEX algorithm to ssh(1).
- Made various improvements to support for iwm(4) devices.
- Added an option to give syslogd(8) a server CA used to validate client certificates.
- Added support for the Sierra Wireless MC7455 umsm(4) modem.
- Completed bus_dmamap_load_raw(9) implementation for ARM.
- Added pledge(2) to pstat(8).
- Switched softraid crypto to bcrypt_pbkdf(3). New volumes will be created by bioctl(8) with bcrypt PBKDF, while existing ones continue to use PKCS5 PBKDF2 until a passphrase change is made.
- Allowed only standard dot notation for target IPv4 addresses in traceroute(8) and ping(8).
- Set the "triple" on arm to armv7-unknown-openbsdX.Y-gnueabi, making the compiler generate code for armv7 by default (providing proper atomic operations) and select the correct default ABI.
- Converted imxccm(4) and imxiomuxc(4) to attach to the fdt using the "early" locator.
- Used a locator to allow "early" attachment of designated drivers.
- Added bcrypt_pbkdf(3) support to the softraid(4) crypto boot loader code.
- Prevented a crash in ehci(4) when host controller drivers attempted to use invalid device descriptor bMaxPacketSize values.
- Merged ping6(8) into ping(8).
- Enabled Hyper-V guest drivers.
- Added omwugen(4), a driver for the TI logic that generates wakeup events and routes interrupts to the GIC/ampintc(4). Makes ommmc(4) interrupts work on pandaboard.
- Added RTM_INVALIDATE as a route(8) message.
- Added fork+exec to ntpd(8) and switchd(8).
- Always set the MAC address when initializing an axen(4) chip, making ifconfig(8) "axen0 lladdr" work.
- Limited the number of fonts which can be loaded.
- Added LSI/Avago SAS3 pci(4) ids and added support for these to mpii(4).
- Introduced rwsleep(9), equivalent to msleep(9) but for code protected by a write lock.
- Stopped creating a BFD descriptor when the route(8) is created.
- Added uwacom(4), a basic pointer driver for Wacom USB tablets.
- Switched amd64, i386 and sparc64 boot code to libsa machine-independent softraid.
- Introduced machine-independent softraid.{c,h} in lib/libsa.
- Used PLL6 as a parent clock for the SDx clocks for frequencies > 400 kHz, making sximmc(4) much faster.
- Deleted support for 32bit frame backtracing on sparc64.
- Tightened pledge(2) for fsdb(8).
- Removed /dev/sound in favor of /dev/audio.
- Enabled -static -pie on arm.
- Only freed the old cached next hop route(4) when the new one is valid.
- Added full UTF-8 support to column(1).
- Removed CMS.
- Added ISRG Root X1, the letsencrypt CA root.
- Fixed system reboot seen on the Allwinner sun5i-r8.
- Removed support for tape block devices.
- Purged routes attached to an address when the address is removed.
- Improved the auto disk selection and applied it for installs as well as upgrades.
- Switched the cubie miniroot from the Allwinner A10-based Cubieboard1 to the Allwinner A20-based Cubieboard2.
- Introduced Dynamic Profiling, a ddb(4)-based and gprof(1)-compatible kernel profiling framework.
- Imported LLVM 3.8.1.
- Added infrastructure to build syspatch(8).
- Added new Intel 10GbE pci(4) ids.
- Made the SSP read-only on the sparc64 kernel by moving the randomdata section into RX text.
- Increased the socket buffer size limit from 256 KB to 2 MB.
- Added support for Bidirectional Forwarding Detection (RFC 5880/5881).
- Introduced a fork+exec privilege separation model in httpd(8) and relayd(8).
- Added support for a multipoint-to-multipoint mode in vxlan(4).
- Retired support for the zaurus platform.
- Switched signify(1) to SHA512/256.
- Enabled a limited version of doas(1) on the install media.
- Enabled PIE on arm.
- Used per-ifp tasks to process incoming packets.
- Added the necessary pieces to enable NAT on enc(4) in iked(8).
- Removed ping(8) reverse DNS lookups by default in preparation for the merge with ping6(8).
- Added the concept of "verified auth" to sessions, set via ioctl(2), with the user and parent process recorded for use in bypassing authorization requirements.
- Enabled SGI for iwm(4) and iwn(4).
- Added signify(1) -z option for signing gzip(1) archives.
- Worked to make log.c similar in all daemons.
- Provided an implementation of red black trees using functions.
- Added switch(4) support to ifconfig(8).
- Turned smtpd(8) server preference on for ciphers by default.
- Added ioctls(2) to get/set VCPU registers.
- Added a set of emulated vmd(8) legacy devices (PIT, PIC, RTC).
- Switched OpenBSD/armv7 to ARM EABI (soft-float).
- Switched relayd(8) to TLS session tickets to do TLS session resumption, no longer needing to store SSL session data on the server. Keys are rotated every two hours.
- Imported switch(4), a standalone in-kernel OpenFlow switch.
- Added iatp(4), a driver for the i2c touchpad and touchscreen found on the chromebook pixel.
- Displayed all route flags in route(8) get and show and netstat(1) -r output.
- Retired support for the sparc platform.
- Converted openbsd.randomdata to read-only in userland and the amd64 and i386 kernels, allowing a read-only stack protector cookie, which will prevent spraying attacks.
- Imported acme-client(1).
- Removed SIGTRAP, SIGFPE, SIGBUS and SIGSEGV handlers from dump(8).
- Enabled cd9660 in efiboot.
- Split the gre(4) interface into gre(4) and mobileip(4).
- Stopped attempting to support IPv4-mapped IPv6 addresses in ftpd(8).
- Converted driver reports of RSSI in the 20-100 range via ieee80211_ioctl(9) to negative values to fix dBm values displayed by ifconfig(8) "scan" with several drivers.
- Added admin -C option to cvs(1) to set a revision's commitid.
- Added -E and -S options to rlog(1) to configure revision separators.
- Added Estonian keyboard mapping.
- Stopped flushing RTF_CLONED children when adding a new route(8).
- Dropped gif(4) support in bridge(4) in favor of etherip(4).
- Enabled raspos24 for efifb(4), allowing qemu with UEFI.
- Fixed 32-bit time handling in openssl(1).
- Fixed "audio0: different play and record parameters" errors by setting i2s "msb" and "bps" fields for both play and record directions.
- Used a per-table rwlock to serialize ART updates and walks, rather than taking the kernel lock.
- Changed le(4) buffer address to enable support of I/O processor in the future.
- Updated to DejaVu fonts 2.37.
- Retired obsolete gre(4) ioctls.
- Enabled the use of the numpad Enter key on cwm(1) menus.
- Added support for the SD/MMC clock to the generic clock code and used it in sximmc(4).
- Added Allwinner H3 (sun8i-h3) support to sxipio(4).
- Removed pax(1) support for -E none.
- Made the full filesystem pkg_check(8) check optional and enabled bypass of a plist check for a file by doubling the use of -q.
- Stopped a tmux(1) crash when display-message is used without a client.
- Changed cpio(1)'s -t option to be a modifier of -i and simplified the recognition of -f- and TAPE=- to mean stdin/stdout.
- Added support for the usb clock on sun5i-a13.
- Re-enabled acpibkbd(4) by default.
- Fixed negated ssh(1) address matching for address lists consisting of a single negated match.
- Added a clock reset signal and frequency-setting APIs.
- Enabled SNI support in httpd(8).
- Provided an API that enables server-side SNI support, adding the ability to provide additional keypairs and allow the tls_server(3) to determine which servername the client requested.
- Implemented interfaces to disable clocks and to enable/disable all clocks for a device.
- Removed the hardcoded clock frequencies for specific armv7 hardware by using the new clock API to get clock frequencies from the device tree and hardware controlling the clocks.
- Added code to sxiccmu(4) to enable the PLL6 clock.
- Restored IO performance on Cortex A9 systems which explicitly needed the PL310 L2's store buffer drained.
- Added a minimal ofw clock framework on armv7.
- Dynamically attached exuart(4) using the FDT.
- Changed login(1) sleep to one second between retries.
- Replaced bcmmuart(4) with com(4).
- Marked armv7 device memory as execute-never to prevent speculative instruction fetches from accessing it.
- Avoided overly large fragments on 4k disks by having disklabel(8) start with a default fragsize of 2048, double it for large disks and then cap based on sector size.
- Removed sshd_config(5) UseLogin option and support for having /bin/login manage login sessions.
- Used additional information from dhcp to autoinstall(8).
- Replaced sxiuart(4) with com(4).
- Added Ralink RT5392 and additional RT5390 chipsets to the ral(4) driver.
- Gave 5GHz APs a slight priority when a wireless device scans all bands at once and good matches exist in either band.
- Tracked SSIDs in the leases file and switched to only considering leases from the current SSID when starting up dhclient(8) on wifi interfaces.
- Eliminated caching for fuse(4).
- Changed default to a)bort rather than c)ontinue when attempting to commit to cvs(1) without a log message, and allowed these responses in uppercase.
- Added a version of doas(1) allowing only root to drop privileges.
- Ensured cleaning of caches on the Cortex-A7 and other armv7 CPUs, fixing SATA problems on Allwinner A20-based boards.
- Imported the sximmc(4) driver for the MMC/SD/SDIO controller integrated on Allwinner A1X/A20 SoCs.
- Prevented rgephy(4) from attaching twice to the RTL8211E PHY on the Banana Pi.
- Made httpd(8) stricter with respect to TLS configuration, not allowing TLS and non-TLS to be configured on the same port or TLS option specification without a TLS listener, and ensuring TLS options are the same when a server is specified on the same address/port.
- Removed the sshd(8) -k option and retired configuration keywords applying to protocol 1, as well as the "protocol" keyword.
- Fixed a hang seen on the Allwinner sun5i-r8 board during boot when the driver switches to interrupts and no terminal is attached.
- Aliased the deprecated qabs() and qdiv() to llabs(3) and lldiv(3) as part of the ongoing removal of quad operators.
- Added imxtemp(4), a temperature sensor for the i.MX6 SoC.
- Fixed setting the SMP bit in the auxiliary control register of the Cortex-A7, enabling it to use its caches consistently.
- Added the dwge(4) driver for the Synopsys DesignWare GMAC core used on the Allwinner A20 SoCs and later Allwinner SoCs.
- Added a minimal ofw regulator framework.
- Added ALPN support to libtls.
- Took TASKQ_CANTSLEEP away from the softnet taskq, which allows use of rw locks in the network stack.
- Began doing a TLB flush whenever an L1 slot is invalidated on armv7, fixing the pmap_fault_fixup issue on Cortex-A7 processors.
- Removed the user(8) encrypted password length check.
- Retired support for the armish platform.
- Dynamically attached agtimer(4), omgpio(4) and omehci(4).
- Fixed a serial console hang on the Allwinner sun5i-r8 by resetting the line speed when required in the sxiuart driver, now com(4).
- Fixed an ftp(1) crash when the window is resized.
- Added armv7 as an officially supported platform.
- Began mandatory enforcement of W^X, allowing violations only for binaries marked wxneeded executed from filesystems marked wxallowed.
- Normalized received prefixes in ldpd(8).
- Implemented mmc power sequencing in imxesdhc(4), making the SDIO interface on the cubox-i function and detect the BCM4330 wireless.
- Allowed iwm(4) to recover from fatal firmware errors by leaving the interface marked UP and scheduling the init task, as with iwn(4).
- Added initial support for Raspberry Pi 2/3.
- Added a generic ofw pinctrl framework.
- Implemented interrupt controller functionality in the i.MX6 GPIO driver imxgpio(4), allowing hookup of Ethernet interrupt on the Nitrogen6x, SABRE Lite and WandBoard.
- Fixed vxlan(4) multicast mode and added support for IPv6 tunnel endpoints.
- Dynamically attached virtio(4), plrtc(4), pluart(4) and intc(4) using the FDT.
- Renamed a1xintc to sxiintc(4).
- Dynamically attached sunxi drivers sxiahci(4), sxidog(4), sxirtc(4) and ehci(4).
- Tightened pledge(2) restrictions on route6d(8) and added a -u switch to log route insertions and deletions.
- Modified ampintc(4) to attach dynamically and register itself as an interrupt controller. Switched all i.MX6 devices to the new FDT-aware interrupt establish API and enabled imxgpc(4).
- Added imxgpc(4), a driver for the i.MX6 General Power Controller, operating as a transparent interrupt controller by handing interrupt handling to its parent, the Cortex-A9 GIC.
- Fixed autonegotiation at 100BaseTX for AR8035 routers.
- Added cnmac(4) jumbo frame support.
- Added mainbus(4) support for pre-registering interrupts on armv7, allowing device drivers to establish interrupts before their interrupt controller attaches, solving various dependency problems.
- Added a minimal tpm(4) 1.2 driver to acpi(4) to issue a "save state" command before suspending in order to fix suspend/resume on some newer amd64 machines.
- Prevented race conditions leading to missed notifications with xen(4) devices due to multiple CPUs accessing pending event bits.
- Fixed tmux(1) minimum size when pane status line is enabled.
- Switched TLB maintenance primitives on armv7 to operate on the unified TLB, reducing the number of primitives. Simplified TLB flush handling.
- Ensured initialization and reset of "lim" with each loop run in ndp(8), avoiding possible invalid memory access.
- Allowed specification of an alternate socket path in ripd(8) to allow running multiple ripd instances.
- Removed vi(1)'s "directory" option and TMPDIR support.
- Implemented an FDT-aware interrupt establish API for armv7.
- Released OpenSSH 7.3.
- Set SDEV_UMASS on all umass devices and began probing all the LUNs a device reports, rather than assuming any ATAPI and UFI device always has only one LUN.
- Edited pmap(9) on armv7 to flush TLB entries causing pmap_fault_fixup messages on Cortex-A53 and Cortex-A7.
- Set hotplugd(8) to close /dev/hotplug on exec() to ensure the daemon doesn't fail to restart due to a child process occupying the device.
- Adjusted dhclient(8) to ask for DHO_BOOTFILE_NAME and DHO_TFTP_SERVER by default, potentially useful for autoinstall and able to provide information about what the dhcp server has done with the desired server name and file name info.
- Used m_devget(9) to improve the smsc(4) driver.
- Added support for Xeon E3-1200 v5 host bridge and some Sunrise Point H PCH ids.
- Added recognition of Cortex A35 and Cortex A73 CPUs.
- Added checks to uvm_map(9) for potential overflows and underflows, and a check for wraparound before the 'commit' phase of uvm_map() and uvm_mapanon() to prevent hitting assertions or corrupting data structures during that phase.
- Added acpials(4), an acpi driver for ambient light sensors.
- Removed code paths associated with booting without an FDT in armv7.
- Disabled receive ring slot accounting and added a periodic timer to work around missing completion events in xnf(4).
- Moved xen(4) interrupt handlers to dedicated task queues.
- Added a check to uvm_map(9) that arguments to isavail don't overflow, preventing a possible panic.
- Reduced number of sent RX and TX producer notifications for xnf(4).
- Allowed vmd(8) to start a VM again after it has been terminated.
- Added support for common WebDAV methods in relayd(8).
- Modified smtpd(8) to log IP addresses during the authentication phase.
- Implemented a true rwlock(9) on i386.
- Improved boundary checking for iovcnt in ssh(1).
- Added support for interrupts to the Allwinner-R8 chip.
- Removed a feature allowing re-use of existing early bootstrap mappings to provide a physical address to bus_space_map(9) in armv7.
- Added an open firmware interface to facilitate iterating over GPIOs.
- Added a check for zero in the PTE to improve ARM pmap(9) page removal.
- Increased the size of forkstat fields in sysctl(8) and vmstat(8) to accommodate large values.
- Explicitly excluded firmware from the fuzzy auto-reinstall list in pkg_add(1).
- Modified relayd(8) to improve parsing of the host by following RFC 7230 Section 5.4 more strictly.
- Added rewriting of backlight level after system resume in acpi(4).
- Fixed signed char extension bugs in printf(1).
- Wrapped fpgetround(3) so internal calls go directly instead of through the PLT.
- Removed the restriction on armv7 that the kernel must be loaded at the bottom of physical memory, making it possible to boot on platforms with physical memory starting at 0x00000000, as the EFI bootloader will only attempt to load kernels at 0x10000000 and above.
- Moved to 6.0-current.