* Support for new EAP (Extensible Authentication Protocol) methods:
- Support for EAP-TLS, from Jan Just Keijser and others
- Support for EAP-MSCHAPv2, from Eivind Næss, Thomas Omerzu, Tijs
Van Buggenhout and others
* New pppd options:
- chap-timeout
- chapms-strip-domain
- replacedefaultroute
- noreplacedefaultroute
- ipv6cp-accept-remote
- lcp-echo-adaptive
- ip-up-script
- ip-down-script
- ca
- capath
- cert
- key
- crl-dir
- crl
- max-tls-version
- need-peer-eap
* Fixes for CVE-2020-8597 and CVE-2015-3310.
* libpcap is now required when compiling on Linux (previously, if
libpcap was not present, pppd would be compiled without packet
filtering support).
* The rp-pppoe plugin has been renamed to pppoe, to distinguish it
from the upstream rp-pppoe code. Its options have changed names,
but the old names are kept as aliases.
* The configure script now supports cross-compilation.
* Many bug fixes and cleanups.
What was new in ppp-2.4.8.
**************************
* New pppd options have been added:
- ifname, to set the name for the PPP interface device
- defaultroute-metric, to set the metric for the default route
- defaultroute6, to add an IPv6 default route (with nodefaultroute6
to prevent adding an IPv6 default route)
- up_sdnotify, to have pppd notify systemd when the link is up.
* The rp-pppoe plugin has new options:
- host-uniq, to set the Host-Uniq value to send
- pppoe-padi-timeout, to set the timeout for discovery packets
- pppoe-padi-attempts, to set the number of discovery attempts.
* Added the CLASS attribute in radius packets.
* Sundry bug fixes.
* Fixed warnings and issues found by static analysis.
* Added Submitting-patches.md.
What was new in ppp-2.4.7.
**************************
* Fixed a potential security issue in parsing option files (CVE-2014-3158).
* There is a new "stop-bits" option, which takes an argument of 1 or 2,
indicating the number of stop bits to use for async serial ports.
* Various bug fixes.
What was new in ppp-2.4.6.
**************************
* Man page updates.
* Several bug fixes.
* Options files can now set and unset environment variables for
scripts.
* The timeout for chat scripts can now be taken from an environment
variable.
* There is a new option, master_detach, which allows pppd to detach
from the controlling terminal when it is the multilink bundle master
but its own link has terminated, even if the nodetach option has
been given.
Don't set BNF in all bold .Ic, instead use .Ar for "expr" and "var" so
that only the literal stuff that is being defined is bold. Arrange
for subscripts to actually be subscripted in PostScript. Make sure
meta-syntactic [] are set differently than literal (). Etc...
The length/scale example at the beginning is not all literal.
Fix remaining "quoted" words to use .Dq
Fix a few small inline code snippets to be literal.
While here, disable periodic scanning by default on NetBSD as it's
no longer needed.
The user can still enable it though with a positive number to the -U
option.
kardel@ So far I see no other issues from the pitfalls I know of
With the correct #defines mini_event.c and winsock_event.c are
compiled but practically unused.
What is exposed is not part of the public API, but appease the
peanut gallery.
Messages such as RTM_IFINFO or RTM_IFANNOUNCE could have been lost.
As such, sync the state of our internal driver to the state of the
system interfaces as reported by getifaddrs(2).
This change requires the routing socket be placed in non-blocking
mode. While here, set the routing and inet sockets to close on exec.
* DHCP: For anonymous, just use a generic ClientID
* link: Split hardware address randomisation out of anonymous option
* link: Only report hardware changes for active interfaces
* link: Report errors obtaining recv buffer size on overflow
* hooks: Add NOCARRIER_ROAMING reason
* hooks: interface_order now reflects priorities again
- Support continuing to install to /var/db/pkg if it exists and the
new pkgdb doesn't.
In the future, we can warn about this once we have tested advice that
we can give to users who want to move the location of pkgdb.
- Don't do anything about /var/db/pkg on non-NetBSD-base.
This creates conflicts with other package managers that also install to
/var/db/pkg.
hid_linux: return FIDO_OK if no devices are found.
hid_osx:
repair communication with U2F tokens, gh#166;
reliability fixes.
fido2-{assert,cred}: new options to explicitly toggle UP, UV.
Support for configurable report lengths.
New API calls:
fido_cbor_info_maxcredcntlst;
fido_cbor_info_maxcredidlen;
fido_cred_aaguid_len;
fido_cred_aaguid_ptr;
fido_dev_get_touch_begin;
fido_dev_get_touch_status.
Use COSE_ECDH_ES256 with CTAP_CBOR_CLIENT_PIN; gh#154.
Allow CTAP messages up to 2048 bytes; gh#171.
Ensure we only list USB devices by default.
Version 1.4.0 (2020-04-15)
hid_hidapi: hidapi backend; enable with -DUSE_HIDAPI=1.
Fall back to U2F if the key claims to, but does not support FIDO2.
FIDO2 credential protection (credprot) support.
New API calls:
fido_cbor_info_fwversion;
fido_cred_prot;
fido_cred_set_prot;
fido_dev_set_transport_functions;
fido_set_log_handler.
Support for FreeBSD.
Support for C++.
Support for MSYS.
Fixed EdDSA and RSA self-attestation.
Version 1.3.1 (2020-02-19)
fix zero-ing of le1 and le2 when talking to a U2F device.
dropping sk-libfido2 middleware, please find it in the openssh tree.
With the following changes:
* DHCP: If error adding the address in oneshot, exit with failure
* DHCP: Only listen to the address if we successfully added it
* DHCP6: Fix segfault introduced in dhcpcd-9.3.3
* DHCP6: Abort in test mode when an error is returned by server
* options: allow --ia_na=1 and --ia_pd=2 on the command line
* options: Allow duid to take a value
* dhcpcd: Don't create a launcher process if keeping in foreground
* dhcpcd: Add --noconfigure option
* control: Create an unpriv socket for non master mode
* options: Don't log unknown ones when printing pidfile location
Cherry-picked from upstream:
https://git.savannah.gnu.org/gitweb/?p=config.git;a=commit;h=1c4398015583eb77bc043234f5734be055e64bea
Everything except external/apache2/llvm/dist/llvm/cmake/config.guess
is patched, which is under vendor tag and cannot be modified. I expect
that this file is not actually used as we use hand-crafted version of
configure script instead of cmake for building LLVM.
Note that external/apache2/llvm/autoconf/autoconf/config.guess has
already been committed on Oct. 20, but commit message disappeared as
cvs aborted due to "permission denied" when trying to modify the file
mentioned above. Sorry for confusing you.
Also note that GMP uses its own config.guess. The patch for
external/lgpl3/gmp/dist/config.guess is provided by ryo@. Thanks!
at least a few pkgsrc packages avoid base sqlite because it fails
this check, and it's probably a surprising performance penalty for
unsuspecting users
I have added a Makefile rule, indicating how to generate the manual
pages again. It has no dependency on the original file, in order to
avoid issues when building: the generation depends on asciidoc and
libxslt, which are not in tools or in the base tree anyway. It should
therefore never trigger, but should be used by the maintainer when
updating pam-u2f.
With this, I believe this PR can be closed.
Tested with "build.sh release" on amd64.
I have generated the manual pages and referenced them into the sets.
It would probably help to add a Makefile rule, indicating how to
generate the manual pages again.
Tested with "build.sh release" on amd64.
Reviewed by Tobias Nygren before the commit.
* Do not write after the end of the array and overwrite the stack when
colon-separated SGR sequences contain empty arguments.
CHANGES FROM 3.1a TO 3.1b
* Fix build on systems without sys/queue.h.
* Fix crash when allow-rename is on and an empty name is set.
CHANGES FROM 3.1 TO 3.1a
* Do not close stdout prematurely in control mode since it is needed to print
exit messages. Prevents hanging when detaching with iTerm2.
CHANGES FROM 3.0a TO 3.1
* Only search the visible part of the history when marking (highlighting)
search terms. This is much faster than searching the whole history and solves
problems with large histories. The count of matches shown is now the visible
matches rather than all matches.
* Search using regular expressions in copy mode. search-forward and
search-backward use regular expressions by default; the incremental versions
do not.
* Turn off mouse mode 1003 as well as the rest when exiting.
* Add selection_active format for when the selection is present but not moving
with the cursor.
* Fix dragging with modifier keys, so binding keys such as C-MouseDrag1Pane and
C-MouseDragEnd1Pane now work.
* Add -a to list-keys to also list keys without notes with -N.
* Do not jump to next word end if already on a word end when selecting a word;
fixes select-word with single character words and vi(1) keys.
* Fix top and bottom pane calculation with pane border status enabled.
* Add support for adding a note to a key binding (with bind-key -N) and use
this to add descriptions to the default key bindings. A new -N flag to
list-keys shows key bindings with notes. Change the default ? binding to use
this to show a readable summary of keys. Also extend command-prompt to return
the name of the key pressed and add a default binding (/) to show the note
for the next key pressed.
* Add support for the iTerm2 DSR 1337 sequence to get the terminal version.
* Treat plausible but invalid keys (like C-BSpace) as literal like any other
unrecognised string passed to send-keys.
* Detect iTerm2 and enable use of DECSLRM (much faster with horizontally split
windows).
* Add -Z to default switch-client command in tree mode.
* Add ~ to quoted characters for %%%.
* Document client exit messages in the manual page.
* Do not let read-only clients limit the size, unless all clients are
read-only.
* Add a number of new formats to inspect what sessions and clients a window is
present or active in.
* Change file reading and writing to go through the client if necessary. This
fixes commands like "tmux loadb /dev/fd/X". Also modify source-file to
support "-" for standard input, like load-buffer and save-buffer.
* Add ~/.config/tmux/tmux.conf to the default search path for configuration
files.
* Bump the escape sequence timeout to five seconds to allow for longer
legitimate sequences.
* Make a best effort to set xpixel and ypixel for each pane and add formats for
them.
* Add push-default to status-left and status-right in status-format[0].
* Do not clear search marks on cursor movement with vi(1) keys.
* Add p format modifier for padding to width and allow multiple substitutions
in a single format.
* Add -f for full size to join-pane (like split-window).
* Do not use bright when emulating 256 colours on an 8 colour terminal because
it is also bold on some terminals.
* Make select-pane -P set window-active-style also to match previous behaviour.
* Do not truncate list-keys output.
* Turn automatic-rename back on if the \033k rename escape sequence is used
with an empty name.
* Add support for percentage sizes for resize-pane ("-x 10%"). Also change
split-window and join-pane -l to accept similar percentages and deprecate the
-p flag.
* Add -F flag to send-keys to expand formats in search-backward and forward
copy mode commands and copy_cursor_word and copy_cursor_line formats for word
and line at cursor in copy mode. Use for default # and * binding with vi(1)
keys.
* Add formats for word and line at cursor position in copy mode.
* Add formats for cursor and selection position in copy mode.
* Support all the forms of RGB colour strings in OSC sequences rather than
requiring two digits.
* Limit lazy resize to panes in attached sessions only.
* Add an option to set the key sent by backspace for those whose system uses ^H
rather than ^?.
* Change new-session -A without a session name (that is, no -s option also) to
attach to the best existing session like attach-session rather than a new
one.
* Add a "latest" window-size option which tries to size windows based on the
most recently used client. This is now the default.
* Add simple support for OSC 7 (result is available in the pane_path format).
* Add push-default and pop-default for styles which change the colours and
attributes used for #[default]. These are used in status-format to restore
the behaviour of window-status-style being the default for
window-status-format.
* Add window_marked_flag.
* Add cursor-down-and-cancel in copy mode.
* Default to previous search string for search-forward and search-backward.
* Add -Z flag to rotate-window, select-pane, swap-pane, switch-client to
preserve zoomed state.
* Add -N to capture-pane to preserve trailing spaces.
* Add reverse sorting in tree, client and buffer modes.
* DHCP: Add support for IPv6-Only Preferred option, RFC 8925.
* BSD: `LINK_STATE_UNKNOWN` is treated as UP once again
* privsep: pass logging to the privileged actioneer
* privsep: allow logfile re-opening to work
* privsep: close BPF socket on ENXIO
* privsep: don't leave a BOOTP BPF listener rebooting in non master mode
* dhcpcd: carrier handling issue fixed from 9.3.0
* dhcpcd: log if interface type is unsupported in debug
* duid: memory leak fixed if UUID wanted but none available
* privsep: fix receiving inet and no BPF running
* privsep: allow gettimeofday for SECCOMP
* privsep: fix stderr redirection again
GCC 9.3 seems to be able to compile rtree.c with -O2:
- No new regressions in ATF.
- System survives over a night, at least, under heavy loads.
On the other hand, unfortunately, GCC 9.3 still miscompiles tcache.c
with -O2 or -O1. For example, even ``gcc -g hello.c'' fails with ICE
if tcache.c is compiled with -O[12] in libc.
* dhcpcd: Backticks have been removed from quoting filenames
* dhcpcd: Only manipulate stdin, stdout and stderr if they are valid
* duid: Adjust option so the type can be specified
* logerr: Don't leak logfile fd to scripts
* privsep: Run the launcher process in the sandbox
* BSD: Use `ifi_link_state` as the single source of truth about carrier
* BSD: Ignore vether(4) devices by default
into '_' to meet sh variable name rules) into a shell string processing
loop.
On my test system, this reduces the total elapsed time for the bin/sh ATF
tests from about 109 secs to about 102 (user cpu from 24.5 to 21, sys cpu
from 34 to 30) and the usr.bin/make tests elapsed time from 42.5 to 40
secs (user from a bit over 15 to a bit over 13, and sys from 16+ to 13+).
(Recorded on an AMD64 domU).
These probably exaggerate the effect, as there are a bunch of quite small
tests, which means the ATF overhead (which this change affects) is a greater
proportion of the total test time than for some other tests where most of
the time is spent actually testing.
But I am fairly confident that there will be at least some improvement.
This could be further improved by removing the cmdsub invocation method,
and instead passing the name of a variable containing the string to
normalise (with the result returned in that same var) - but that would
mean altering all the callers as well. Some other time maybe.
* route: ensure IPv4LL routes come last in priority
* DHCP: fix many issues with extending the last lease
* privsep: don't read control group from config in privsep
* privsep: only the master process responds to signals
* privsep: use a socketpair for stderr/stdin rather than dupping /dev/null
* privsep: right limit stdin/stderr/stdout
* privsep: dumping a lease is now run in a sandbox
* options: check if kernel supports INET or INET6 before enabling default
* options: let clientid override a prior duid
* options: allow -1 to represent infinity for requested lease time
* dhcpcd: fix a crash initing a new interface after route overflow
right now. New address-of-packed-member and format-overflow
warnings have new GCC_NO_ADDR_OF_PACKED_MEMBER and
GCC_NO_FORMAT_OVERFLOW variables to remove these warnings.
Apply to a bunch of the tree. Mostly, these are real bugs that
should be fixed, but in many cases, only by removing the 'packed'
attribute from some structure that doesn't really need it. (I
looked at many different ones, and while perhaps 60-80% were
already properly aligned, it wasn't clear to me that the uses
were always coming from sane data vs network alignment, so it
doesn't seem safe to remove packed without careful research for
each affected struct.) clang already warned (and was not erroring)
for many of these cases, but gcc picked up dozens more.
Some highlights in no particular order:
%destructor was somehow lost from the list that follows; it should be
part of it.
Use .Ic for yacc directives when they are defined, .Ql otherwise.
Use explicit .Sq Li (instead of .Ql) in description of %destructor to
make sure the result is consistently quoted. It is more readable that
way.
Use .Va and .Vt where appropriate.
C preprocessor directives are marked up with .No (a nop), so that it's
easy to switch them to something else if need be. For now just use
them as plain words.
If there is no matching interface given, but interface matching is enabled
then all interfaces on the system will try to be initialized.
Non wireless interfaces will fail and the loopback device will be one
of these, so just log a diagnostic rather than an error.