BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 6.1 released - Apr 11, 2016

------------------------------------------------------------------------
- OpenBSD 6.1 RELEASED -------------------------------------------------

April 11, 2017.

We are pleased to announce the official release of OpenBSD 6.1.
This is our 42nd release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.1 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o New arm64 platform, using clang(1) as the base system compiler.
    o The loongson platform now supports systems with Loongson 3A CPU
      and RS780E chipset.
    o The following platforms were retired: armish, sparc, zaurus.

 - Improved hardware support, including:
    o New acpials(4) driver for ACPI ambient light sensor devices.
    o New acpihve(4) driver for feeding Hyper-V entropy into the kernel
      pool.
    o New acpisbs(4) driver for ACPI Smart Battery devices.
    o New dwge(4) driver for Designware GMAC 10/100/Gigabit Ethernet
      devices.
    o New htb(4) driver for Loongson 3A PCI host bridges.
    o New hvn(4) driver for Hyper-V networking interfaces.
    o New hyperv(4) driver for the Hyper-V guest nexus device.
    o New iatp(4) driver for the Atmel maXTouch touchpad and
      touchscreen.
    o New imxtemp(4) driver for Freescale i.MX6 temperature sensors.
    o New leioc(4) driver for the Loongson 3A low-end IO controller.
    o New octmmc(4) driver for the OCTEON MMC host controller.
    o New ompinmux(4) driver for OMAP pin multiplexing.
    o New omwugen(4) driver for OMAP wake-up generators.
    o New psci(4) driver for the ARM Power State Coordination Interface.
    o New simplefb(4) driver for the simple frame buffer on systems
      using a device tree.
    o New sximmc(4) driver for Allwinner A1X/A20 MMC/SD/SDIO
      controllers.
    o New tpm(4) driver for Trusted Platform Module devices.
    o New uwacom(4) driver for Wacom USB tablets.
    o New vmmci(4) VMM control interface.
    o New xbf(4) driver for Xen Blkfront virtual disks.
    o New xp(4) driver for the LUNA-88K HD647180X I/O processor.
    o Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219
      PHYs has been added to the em(4) driver.
    o Support for RTL8153 USB 3.0 Gigabit Ethernet based devices has
      been added to the ure(4) driver.
    o Improved ACPI support for modern Apple hardware, including S3
      suspend and resume.
    o Support for X550 family of 10 Gigabit Ethernet based devices has
      been added to the ix(4) driver.

 - New vmm(4)/vmd(8):
    o Support was partially integrated in 6.0, but disabled.
    o Support for amd64 and i386 hosts.
    o BIOS payload provided via vmm-firmware, delivered via
      fw_update(1).
    o Support for Linux guest VMs.
    o Better interrupt handling and legacy device emulation.
    o vmm(4) no longer requires VMX unrestricted guest capability
      (Nehalem and later CPUs are sufficient).
    o Removed bounce buffers previously used by vmd(8) for vio(4) and
      vioblk(4) devices.
    o Support VMs with > 2GB RAM.
    o vmd(8) uses pledge(2) and the fork+exec model.
    o vm.conf(5) expanded to include VM ownership rules (uid/gid).
    o vmd(8)/vm.conf(5) supports automatic bridge(4) and switch(4)
      configuration for VM network interfaces.
    o vmctl(8) supports graceful VM shutdown via vmmci(4).

 - IEEE 802.11 wireless stack improvements:
    o The ral(4) driver now supports Ralink RT3900E (RT5390, RT3292)
      devices.
    o The iwm(4) and iwn(4) drivers now support the short guard interval
      (SGI) in 11n mode.
    o Added a new implementation of MiRa, a rate adaptation algorithm
      designed for 802.11n.
    o The iwm(4) driver now supports 802.11n MIMO (MCS 0-15).
    o The athn(4) driver now supports 802.11n, featuring MIMO (MCS 0-15)
      and hostap mode.
    o The iwn(4) driver now receives MIMO frames in monitor mode.
    o The rtwn(4) and urtwn(4) drivers now use AMRR rate adaptation
      (8188EU and 8188CE devices only).
    o TKIP/WPA1 was disabled by default because of inherent weaknesses
      in this protocol.

 - Generic network stack improvements:
    o New switch(4) pseudo-device together with new switchd(8) and
      switchctl(8) programs.
    o New mobileip(4) operation mode for the gre(4) pseudo-device.
    o Multipoint-to-multipoint mode in vxlan(4).
    o route(8) and netstat -r display all routing flags correctly and
      they are completely documented in the netstat(1) man page.
    o When sending TCP streams they are locally stored in large mbuf
      clusters to improve memory management. The maximum TCP send and
      receive buffer size has been increased from 256KB to 2MB. Note
      that this results in a different pf(4) OS fingerprint for OpenBSD.
      The default limit for mbuf clusters has been increased. You can
      check the values with netstat(1) -m and adjust them with sysctl(8)
      kern.maxclusters.
    o Make the TCP_NOPUSH flag work for listen(2) sockets. It is
      inherited by the socket returned from accept(2).
    o A lot of code has been removed or simplified to make the
      transition to multi-processor easier. Redesign the interrupt and
      multi-processor locks in the network stack.
    o When passing packets from the network stack to the interface
      layer, make sure that they have no pointers to pf(4) which could
      result in a memory free operation at the wrong protection level.
    o Fix checksum calculation in pf(4) af-to ICMP packet conversions.
      Simplify af-to processing and fix path MTU discovery in some
      corner cases.
    o Improve IPv6 fragment processing. Drop empty atomic fragments
      early. Be more paranoid when IPv6 hop-by-hop headers appear after
      fragment headers. Follow RFC 5722 "Handling of Overlapping IPv6
      Fragments" more strictly in pf(4). RFC 8021 "IPv6 Atomic Fragments
      Considered Harmful" deprecates generating atomic fragments, so do
      not send them anymore.
    o Depending on the addresses, ipsecctl(8) may automatically group SA
      bundles together. To make clear what is going on, the kernel
      provides this information and ipsecctl -s sa prints IPsec SA
      bundles.
    o A new routing socket message type, RTM_PROPOSAL, was added to
      facilitate future improvements to the network configuration
      process.

 - Installer improvements:
    o The installer now uses privilege separation for fetching and
      verifying the install sets.
    o Install sets are now fetched over an HTTPS connection by default
      when using a mirror that supports it.
    o The installer now considers all of the DHCP information in
      filename, bootfile-name, server-name, tftp-server-name, and
      next-server when attempting to do automatic installs or upgrades.
    o The installer no longer adds a route to an alias IP via 127.0.0.1,
      due to improvements in the kernel routing components.

 - Routing daemons and other userland network improvements:
    o ping(8) and ping6(8) are now the same binary and share the engine.
    o ripd(8) now supports p2p links with addresses in different
      subnets.
    o UDP speakers can specify an IPv4 source address using
      IP_SENDSRCADDR. iked(8) and snmpd(8) now use the proper source
      address when sending replies.
    o iked(8) now supports ECDSA and RFC 7427 signatures for
      authentication.
    o iked(8) now supports replying to IKEv2 responder cookies.
    o Many fixes and improvements for iked(8) and ikectl(8), including
      various fixes for rekeying.
    o ospfd(8) and ospf6d(8) now cope with interface MTU change at
      runtime.
    o bgpd(8) now supports BGP Large Communities (RFC 8092).
    o bgpd(8) now supports BGP Administrative Shutdown Communication
      (draft-ietf-idr-shutdown).

 - Security improvements:
    o Enforcement of userland W^X on OCTEON Plus and later.
    o All shared libraries, all dynamic and static-PIE executables, and
      ld.so(1) itself use the RELRO ("read-only after relocation")
      design such that more of the initial data is protected as
      read-only.
    o The size of user virtual address space has been increased from 2GB
      to 1TB on mips64.
    o PIE and -static -pie on arm.
    o route6d(8) now runs with fewer privileges.
    o For incoming TLS connections syslogd(8) can validate client
      certificates with a given CA file.
    o The privileged parent process of syslogd(8) calls exec(2) to
      reshuffle its random memory layout.
    o New function recallocarray(3) to reduce the risk of incorrect
      clearing of memory before and after reallocarray(3).
    o SHA512_256 family of functions added to libc.
    o arm added to the list of archs where the setjmp(3) family of
      functions apply XOR cookies to stack and return-address values in
      the jmpbuf.
    o printf(3) family of formatting functions now report to syslog when
      the %s format is used with a NULL pointer.
    o Heap buffer overflow detection has been improved when the C
      malloc(3) option is used. The existing S option now includes C.
    o Support for permitting non-root users to mount(8) filesystems has
      been removed.
    o bioctl(8) now uses bcrypt PBKDF to derive keys for crypto volumes.

 - dhclient(8)/dhcpd(8)/dhcrelay(8) improvements:
    o Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested
      by default.
    o Add support for RFC 6842 (Client Identifier Option in DHCP Server
      Replies).
    o Stop leaking option data received on the udp socket.
    o Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
    o Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options
      in the effective lease.
    o Use only leases from no SSID or the current SSID when restarting.
    o Reduce default values for various timeouts to something more
      appropriate to modern networks.
    o Fix issues with redundant dhcpd servers and CARP'd interfaces.
    o Switch to standard logging functions.
    o Fix vis/unvis of strings in dhclient(8) leases files.

 - Assorted improvements:
    o New syspatch(8) utility for security and reliability binary
      updates to the base system.
    o acme-client(1), a privilege separated Automatic Certificate
      Management Environment (ACME) client written by Kristaps Dzonsons
      has been imported.
    o New, simplified xenodm(1) X11 display manager forked from xdm(1).
    o Unicode version 8 character properties in the C library.
    o Partial UTF-8 line editing support for ksh(1) Vi input mode.
    o UTF-8 support in column(1).
    o The performance and concurrency of the malloc(3) family in
      multi-threaded processes has been improved.
    o Estonian keyboard support.
    o read(2) on directories now fails instead of returning 0.
    o Support for the RES_USE_EDNS0 and RES_USE_DNSSEC flags has been
      added to the resolver(3) implementation.
    o syslogd(8) limits the socket buffer for TCP and TLS connections to
      64K to avoid wasting kernel memory.
    o syslogd(8) supports the option -Z to print the timestamp in RFC
      5424 ISO format. This logs everything in UTC including the year,
      timezone and fractions of seconds. The default is still RFC 3164
      BSD syslog time format.
    o When log files are rotated, newsyslog(8) writes the creation time
      in UTC ISO format into the first line.
    o The syslogd(8) options -a, -T, and -U can be given more than once
      to specify multiple input sources.
    o Improve the syslogd(8) output and diagnostics in case the klog
      buffer overflows.
    o Make SIGHUP handling in syslogd(8) more reliable.
    o Let syslogd(8) tolerate most errors on startup. Keep running and
      receive messages from all working subsystems, but do not die.
    o The syslog(3) priority of fatal and warning messages of various
      daemons has been adjusted.
    o An NMI sends the amd64 kernel into ddb(4) more reliably.
    o ld.so(1) now supports the DT_PREINITARRAY, DT_INITARRAY,
      DT_FINIARRAY, DT_FLAGS, and DT_RUNPATH dynamic tags.
    o kdump(1) now dumps the fds returned by pipe(2) and socketpair(2).
    o Added support to doas(1) for session-locked persistent
      authentication.
    o Use a hardware register for the thread pointer on arm for improved
      performance in multi-threaded processes.
    o SGI boot blocks now consult the OpenBSD disklabel(5) to locate the
      root filesystem. This reduces constraints on disk partitioning.
    o iec(4) no longer hangs when its transmit ring gets full.
    o sq(4) has been fixed to accept broadcast frames in non-promiscuous
      mode when no IP address is configured. This lets the interface
      work with DHCP.
    o Multiprocessor-safe PCI interrupt handlers are run without the
      kernel lock on OpenBSD/sgi.
    o fdisk(8) now unconditionally sets the size of the protective MBR's
      EFI GPT partition to UINT32_MAX.
    o fdisk(8) now respects the current MBR or GPT format when
      initializing a disk.
    o softraid(4) now uses sufficient parallel i/o's to efficiently
      rebuild RAID5 volumes.
    o asr now accepts UDP packets of up to 4096 bytes to account for
      broken DNS servers.
    o umass(4) no longer assumes that ATAPI or UFI devices have only 1
      LUN.
    o scsi(4) now correctly detects end of tape on LTO5 devices.
    o httpd(8) supports SNI via libtls to allow for multiple https sites
      on a single IP address.
    o ocspcheck(8) has been added, and can be used to check the OCSP
      status of certificates. The corresponding responses can be saved
      for later use in OCSP stapling.
    o httpd(8) supports OCSP stapling via libtls to permit OCSP
      responses to be stapled to the TLS handshake.
    o nc(1) now also supports OCSP stapling server side, and will show
      the stapling information client side.
    o Both relayd(8) and httpd(8) now support TLS session resumption
      using TLS session tickets. See the respective configuration man
      page for more information.
    o With the -f option sensorsd(8) can use an alternative config file.

 - OpenSMTPD 6.0.0
    o Added support for providing an alternate subaddressing delimiter.
    o Made the daemon less verbose in logs when exiting.
    o Improved the io layer to simplify code across the daemon.
    o Added support for matching authenticated sessions in the ruleset.
    o Assorted code and documentation cleanups.

 - OpenSSH 7.4
    o Security:
       - ssh-agent(1): Will now refuse to load PKCS#11 modules from
         paths outside a trusted whitelist (run-time configurable).
         Requests to load modules could be passed via agent forwarding
         and an attacker could attempt to load a hostile PKCS#11
         module across the forwarded agent channel: PKCS#11 modules
         are shared libraries, so this would result in code execution
         on the system running the ssh-agent if the attacker has
         control of the forwarded agent-socket (on the host running
         the sshd server) and the ability to write to the filesystem
         of the host running ssh-agent (usually the host running the
         ssh client).
       - sshd(8): When privilege separation is disabled, forwarded
         Unix-domain sockets would be created by sshd(8) with the
         privileges of 'root' instead of the authenticated user. This
         release refuses Unix-domain socket forwarding when privilege
         separation is disabled (Privilege separation has been enabled
         by default for 14 years).
       - sshd(8): Avoid theoretical leak of host private key material
         to privilege-separated child processes via realloc() when
         reading keys. No such leak was observed in practice for
         normal-sized keys, nor does a leak to the child processes
         directly expose key material to unprivileged users.
       - sshd(8): The shared memory manager used by pre-authentication
         compression support had a bounds check that could be elided
         by some optimising compilers. Additionally, this memory
         manager was incorrectly accessible when pre-authentication
         compression was disabled. This could potentially allow
         attacks against the privileged monitor process from the
         sandboxed privilege-separation process (a compromise of the
         latter would be required first). This release removes support
         for pre-authentication compression from sshd(8).
       - sshd(8): Fix denial-of-service condition where an attacker
         who sends multiple KEXINIT messages may consume up to 128MB
         per connection.
       - sshd(8): Validate address ranges for AllowUsers and DenyUsers
         directives at configuration load time and refuse to accept
         invalid ones. It was previously possible to specify invalid
         CIDR address ranges (e.g. user@127.1.2.3/55) and these would
         always match, possibly resulting in granting access where it
         was not intended.
       - ssh(1), sshd(8): Fix weakness in CBC padding oracle
         countermeasures that allowed a variant of the attack fixed in
         OpenSSH 7.3 to proceed.
    o New/changed features:
       - Server support for the SSH v.1 protocol has been removed.
       - ssh(1): Remove 3des-cbc from the client's default proposal.
         64-bit block ciphers are not safe in 2016 and we don't want
         to wait until attacks like SWEET32 are extended to SSH. As
         3des-cbc was the only mandatory cipher in the SSH RFCs, this
         may cause problems connecting to older devices using the
         default configuration, but it's highly likely that such
         devices already need explicit configuration for key exchange
         and hostkey algorithms anyway.
       - sshd(8): Remove support for pre-authentication compression.
         Doing compression early in the protocol probably seemed
         reasonable in the 1990s, but today it's clearly a bad idea in
         terms of both cryptography (cf. multiple compression oracle
         attacks in TLS) and attack surface. Pre-auth compression
         support has been disabled by default for >10 years. Support
         remains in the client.
       - ssh-agent will refuse to load PKCS#11 modules outside a
         whitelist of trusted paths by default. The path whitelist may
         be specified at run-time.
       - sshd(8): When a forced-command appears in both a certificate
         and an authorized keys/principals command= restriction, sshd
         will now refuse to accept the certificate unless they are
         identical. The previous (documented) behaviour of having the
         certificate forced-command override the other could be a bit
         confusing and error-prone.
       - sshd(8): Remove the UseLogin configuration directive and
         support for having /bin/login manage login sessions.
       - ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
         the version in PuTTY by Simon Tatham. This allows a
         multiplexing client to communicate with the master process
         using a subset of the SSH packet and channels protocol over a
         Unix-domain socket, with the main process acting as a proxy
         that translates channel IDs, etc. This allows multiplexing
         mode to run on systems that lack file-descriptor passing
         (used by current multiplexing code) and potentially, in
         conjunction with Unix-domain socket forwarding, with the
         client and multiplexing master process on different machines.
         Multiplexing proxy mode may be invoked using "ssh -O proxy
         ..."
       - sshd(8): Add a sshd_config DisableForwarding option that
         disables X11, agent, TCP, tunnel and Unix domain socket
         forwarding, as well as anything else we might implement in
         the future. Like the 'restrict' authorized_keys flag, this is
         intended to be a simple and future-proof way of restricting
         an account.
       - sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
         method. This is identical to the currently-supported method
         named "curve25519-sha256@libssh.org".
       - sshd(8): Improve handling of SIGHUP by checking to see if
         sshd is already daemonised at startup and skipping the call
         to daemon(3) if it is. This ensures that a SIGHUP restart of
         sshd(8) will retain the same process-ID as the initial
         execution. sshd(8) will also now unlink the PidFile prior to
         SIGHUP restart and re-create it after a successful restart,
         rather than leaving a stale file in the case of a
         configuration error.
       - sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
         directives to appear in sshd_config Match blocks.
       - sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
         match those supported by AuthorizedKeysCommand (key, key
         type, fingerprint, etc.) and a few more to provide access to
         the contents of the certificate being offered.
       - Added regression tests for string matching, address matching
         and string sanitisation functions.
       - Improved the key exchange fuzzer harness.
       - Deprecate the sshd_config UsePrivilegeSeparation option,
         thereby making privilege separation mandatory. Privilege
         separation has been on by default for almost 15 years and
         sandboxing has been on by default for almost the last five.
       - ssh(1), sshd(8): Support "=-" syntax to easily remove methods
         from algorithm lists, e.g. Ciphers=-*cbc.
    o The following significant bugs have been fixed in this release:
       - ssh(1): Allow IdentityFile to successfully load and use
         certificates that have no corresponding bare public key,
         e.g. certificate id_rsa-cert.pub (and no id_rsa.pub).
       - ssh(1): Fix public key authentication when multiple
         authentication is in use and publickey is not just the first
         method attempted.
       - ssh-agent(1), ssh(1): improve reporting when attempting to
         load keys from PKCS#11 tokens with fewer useless log messages
         and more detail in debug messages.
       - ssh(1): When tearing down ControlMaster connections, don't
         pollute stderr when LogLevel=quiet.
       - sftp(1): On ^Z wait for underlying ssh(1) to suspend before
         suspending sftp(1) to ensure that ssh(1) restores the
         terminal mode correctly if suspended during a password
         prompt.
       - ssh(1): Avoid busy-wait when ssh(1) is suspended during a
         password prompt.
       - ssh(1), sshd(8): Correctly report errors during sending of
         ext-info messages.
       - sshd(8): fix NULL-deref crash if sshd(8) received an
         out-of-sequence NEWKEYS message.
       - sshd(8): Correct list of supported signature algorithms sent
         in the server-sig-algs extension.
       - sshd(8): Fix sending ext_info message if privsep is disabled.
       - sshd(8): more strictly enforce the expected ordering of
         privilege separation monitor calls used for authentication
         and allow them only when their respective authentication
         methods are enabled in the configuration.
       - sshd(8): Fix uninitialised optlen in getsockopt() call;
         harmless on Unix/BSD but potentially crashy on Cygwin.
       - Fix false positive reports caused by explicit_bzero(3) not
         being recognised as a memory initialiser when compiled with
         -fsanitize-memory.
       - sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
         for configuration examples.
       - sshd(8): Fix NULL dereference crash when key exchange start
         messages are sent out of sequence.
       - ssh(1), sshd(8): Allow form-feed characters to appear in
         configuration files.
       - sshd(8): Fix regression in OpenSSH 7.4 support for the
         server-sig-algs extension, where SHA2 RSA signature methods
         were not being correctly advertised.
       - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
         in known_hosts processing.
       - ssh(1): Allow ssh to use certificates accompanied by a
         private key file but no corresponding plain *.pub public key.
       - ssh(1): When updating hostkeys using the UpdateHostKeys
         option, accept RSA keys if HostkeyAlgorithms contains any RSA
         keytype. Previously, ssh could ignore RSA keys when only the
         ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
         not the old ssh-rsa method.
       - ssh(1): Detect and report excessively long configuration file
         lines.
       - Merge a number of fixes found by Coverity and reported via
         Redhat and FreeBSD. Includes fixes for some memory and file
         descriptor leaks in error paths.
       - ssh-keyscan(1): Correctly hash hosts with a port number.
       - ssh(1), sshd(8): When logging long messages to stderr, don't
         truncate "\r\n" if the length of the message exceeds the
         buffer.
       - ssh(1): Fully quote [host]:port in generated ProxyJump/-J
         command-line; avoid confusion over IPv6 addresses and shells
         that treat square bracket characters specially.
       - ssh-keygen(1): Fix corruption of known_hosts when running
         "ssh-keygen -H" on a known_hosts containing already-hashed
         entries.
       - Fix various fallout and sharp edges caused by removing SSH
         protocol 1 support from the server, including the server
         banner string being incorrectly terminated with only \n
         (instead of \r\n), confusing error messages from ssh-keyscan
         and a segfault in sshd if protocol v.1 was enabled for the client
         and sshd_config contained references to legacy keys.
       - ssh(1), sshd(8): Free fd_set on connection timeout.
       - sshd(8): Fix Unix domain socket forwarding for root
         (regression in OpenSSH 7.4).
       - sftp(1): Fix division by zero crash in "df" output when
         server returns zero total filesystem blocks/inodes.
       - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
         errors encountered during key loading to more meaningful
         error codes.
       - ssh-keygen(1): Sanitise escape sequences in key comments sent
         to printf but preserve valid UTF-8 when the locale supports
         it.
       - ssh(1), sshd(8): Return reason for port forwarding failures
         where feasible rather than always "administratively
         prohibited".
       - sshd(8): Fix deadlock when AuthorizedKeysCommand or
         AuthorizedPrincipalsCommand produces a lot of output and a
         key is matched early.
       - ssh(1): Fix typo in ~C error message for bad port forward
         cancellation.
       - ssh(1): Show a useful error message when included config
         files can't be opened.
       - sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
         manual page (previously incorrectly) advertised.
       - sshd_config(5): Repair accidentally-deleted mention of %k
         token in AuthorizedKeysCommand.
       - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
       - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
         common 32-bit compatibility library directories.
       - sftp-client(1): Fix non-exploitable integer overflow in
         SSH2_FXP_NAME response handling.
       - ssh-agent(1): Fix regression in 7.4 of deleting
         PKCS#11-hosted keys. It was not possible to delete them
         except by specifying their full physical path.
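
The AllowUsers/DenyUsers item in the OpenSSH security list above describes rejecting invalid CIDR ranges when the configuration is loaded. The following C code is an added illustration of that kind of load-time check, not OpenSSH source; check_cidr(), first_bad_entry() and the sample entries are hypothetical and constructed for this example, except user@127.1.2.3/55, which is the pattern quoted above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CIDR_OK = 0, CIDR_BAD_ADDR = 1, CIDR_BAD_MASKLEN = 2 };

/* Validate "address/masklen": the address must parse as IPv4 or IPv6 and
 * the mask length must be a plain decimal within that family's bit width. */
int check_cidr(const char *spec)
{
    char buf[INET6_ADDRSTRLEN + 8];
    unsigned char addr[sizeof(struct in6_addr)];
    char *slash, *end;
    long masklen;
    int maxbits;

    if (strlen(spec) >= sizeof(buf))
        return CIDR_BAD_ADDR;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return CIDR_BAD_ADDR;
    *slash++ = '\0';

    if (inet_pton(AF_INET, buf, addr) == 1)
        maxbits = 32;
    else if (inet_pton(AF_INET6, buf, addr) == 1)
        maxbits = 128;
    else
        return CIDR_BAD_ADDR;

    /* strtol() alone would accept "", " 8" or "+8", so insist on a digit. */
    if (*slash < '0' || *slash > '9')
        return CIDR_BAD_MASKLEN;
    masklen = strtol(slash, &end, 10);
    if (*end != '\0' || masklen > maxbits)
        return CIDR_BAD_MASKLEN;
    return CIDR_OK;
}

/* Return the index of the first entry whose host part is a malformed CIDR
 * range, or -1 when every entry is acceptable. Entries without '@' or
 * without '/' are user or hostname patterns and are not CIDR-checked here. */
int first_bad_entry(const char *const *entries, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        const char *at = strrchr(entries[i], '@');

        if (at == NULL || strchr(at + 1, '/') == NULL)
            continue;
        if (check_cidr(at + 1) != CIDR_OK)
            return (int)i;
    }
    return -1;
}

/* Constructed sample entries for an AllowUsers-style list. */
static const char *const sample_entries[] = {
    "alice@192.0.2.0/24",
    "bob@2001:db8::/32",
    "carol",
    "dave@*.example.org",
    "user@127.1.2.3/55",    /* mask length exceeds 32 bits */
};

int main(void)
{
    size_t n = sizeof(sample_entries) / sizeof(sample_entries[0]);
    int bad = first_bad_entry(sample_entries, n);

    if (bad >= 0) {
        /* Fail closed: refuse the configuration instead of matching. */
        fprintf(stderr, "invalid CIDR range in entry %d: %s\n",
            bad, sample_entries[bad]);
        return 1;
    }
    puts("all entries accepted");
    return 0;
}
```

Refusing to start on the first bad entry is the fail-closed choice: a range that cannot be parsed never reaches the matching code.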

 - LibreSSL 2.5.3
    o libtls now supports ALPN and SNI
    o libtls adds a new callback interface for integrating custom IO
      functions. Thanks to Tobias Pape.
    o libtls now handles 4 cipher suite groups:
       - "secure" (TLSv1.2+AEAD+PFS)
       - "compat" (HIGH:!aNULL)
       - "legacy" (HIGH:MEDIUM:!aNULL)
       - "insecure" (ALL:!aNULL:!eNULL)
      This allows for flexibility and finer grained control, rather than
      having two extremes (an issue raised by Marko Kreen some time
      ago).
    o Tightened error handling for tls_config_set_ciphers().
    o libtls now always loads CA, key and certificate files at the time
      the configuration function is called. This simplifies code and
      results in a single memory based code path being used to provide
      data to libssl.
    o Added support for OCSP intermediate certificates.
    o Added X509_check_host(), X509_check_email(), X509_check_ip(), and
      X509_check_ip_asc() functions, via BoringSSL.
    o Added initial support for iOS, thanks to Jacob Berkman.
    o Improved behavior of arc4random on Windows when using memory leak
      analysis software.
    o Correctly handle an EOF that occurs prior to the TLS handshake
      completing. Reported by Vasily Kolobkov, based on a diff from
      Marko Kreen.
    o Limit the support of the "backward compatible" SSLv2 handshake to
      only be used if TLS 1.0 is enabled.
    o Fix incorrect results in certain cases on 64-bit systems when
      BN_mod_word() can return incorrect results. BN_mod_word() now can
      return an error condition. Thanks to Brian Smith.
    o Added constant-time updates to address CVE-2016-0702.
    o Fixed undefined behavior in BN_GF2m_mod_arr().
    o Removed unused Cryptographic Message Support (CMS).
    o More conversions of long long idioms to time_t.
    o Improved compatibility by avoiding printing NULL strings with
      printf.
    o Reverted change that cleans up the EVP cipher context in
      EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on
      the previous behaviour.
    o Avoid unbounded memory growth in libssl, which can be triggered by
      a TLS client repeatedly renegotiating and sending OCSP Status
      Request TLS extensions.
    o Avoid falling back to a weak digest for (EC)DH when using SNI with
      libssl.
    o X509_cmp_time() now passes a malformed GeneralizedTime field as an
      error. Reported by Theofilos Petsios.
    o Check for and handle failure of HMAC_{Update,Final} or
      EVP_DecryptUpdate().
    o Massive update and normalization of manpages, conversion to mandoc
      format. Many pages were rewritten for clarity and accuracy.
      Portable doc links are up-to-date with a new conversion tool.
    o Curve25519 and TLS X25519 Key Exchange support.
    o Support for alternate chains for certificate verification.
    o Code cleanups, CBB conversions, further unification of DTLS/SSL
      handshake code, further ASN1 macro expansion and removal.
    o Private symbols are now hidden in libssl and libcrypto.
    o Friendly certificate verification error messages in libtls, peer
      verification is now always enabled.
    o Added OCSP stapling support to libtls and nc.
    o Added ocspcheck utility to validate a certificate against its OCSP
      responder and save the reply for stapling.
    o Enhanced regression tests and error handling for libtls.
    o Added explicit constant and non-constant time BN functions,
      defaulting to constant time wherever possible.
    o Moved many leaked implementation details in public structs behind
      opaque pointers.
    o Added ticket support to libtls.
    o Added support for setting the supported EC curves via
      SSL{_CTX}_set1_groups{_list}() - also provide defines for the
      previous SSL{_CTX}_set1_curves{_list} names. This also changes the
      default list of curves to be X25519, P-256 and P-384. All other
      curves must be manually enabled.
    o Added -groups option to openssl(1) s_client for specifying the
      curves to be used in a colon-separated list.
    o Merged client/server version negotiation code paths into one,
      reducing much duplicate code.
    o Removed error function codes from libssl and libcrypto.
    o Fixed an issue where a truncated packet could cause a crash via an
      OOB read.
    o Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
      client-initiated renegotiation. This is the default for libtls
      servers.
    o Avoid a side-channel cache-timing attack that can leak the ECDSA
      private keys when signing. This is due to BN_mod_inverse() being
      used without the constant time flag being set. Reported by Cesar
      Pereida Garcia and Billy Brumley (Tampere University of
      Technology). The fix was developed by Cesar Pereida Garcia.
    o iOS and MacOS compatibility updates from Simone Basso and Jacob
      Berkman.
    o Added the recallocarray(3) memory allocation function, and
      converted various places in the library to use it, such as CBB and
      BUF_MEM_grow. recallocarray(3) is similar to reallocarray. Newly
      allocated memory is cleared similar to calloc(3). Memory that
      becomes unallocated while shrinking or moving existing allocations
      is explicitly discarded by unmapping or clearing to 0.
    o Added new root CAs from SECOM Trust Systems / Security
      Communication of Japan.
    o Added EVP interface for MD5+SHA1 hashes.
    o Improved nc(1) TLS handshake CPU usage and server-side error
      reporting.
    o Added a constant time version of BN_gcd and use it by default for
      BN_gcd to avoid the possibility of side-channel timing attacks
      against RSA private key generation - Thanks to Alejandro Cabrera
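
The recallocarray(3) item above describes three properties: new memory is
zeroed, memory given up on shrink or move is cleared, and the element count
is multiplied safely. The C sketch below is an added illustration of those
semantics, not OpenBSD's or LibreSSL's code; sketch_recallocarray, wipe and
mul_overflows are hypothetical names, and it only clears (it never unmaps).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Operands below this bound cannot overflow size_t when multiplied. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Nonzero if a * b would overflow size_t. */
static int mul_overflows(size_t a, size_t b)
{
    return (a >= MUL_NO_OVERFLOW || b >= MUL_NO_OVERFLOW) &&
        a > 0 && SIZE_MAX / a < b;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;

    while (n--)
        *v++ = 0;
}

/*
 * Hypothetical model, not the libc function: ptr holds oldnmemb objects of
 * `size` bytes and the result holds newnmemb objects. The caller must pass
 * the true old count, since that is what decides how much gets cleared.
 */
void *sketch_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb,
    size_t size)
{
    size_t oldsize, newsize;
    void *newptr;

    if (ptr == NULL)
        return calloc(newnmemb, size);      /* calloc checks overflow itself */
    if (mul_overflows(oldnmemb, size) || mul_overflows(newnmemb, size)) {
        errno = ENOMEM;
        return NULL;                        /* old buffer left untouched */
    }
    oldsize = oldnmemb * size;
    newsize = newnmemb * size;

    if (newsize <= oldsize) {               /* shrink: clear the tail given up */
        wipe((char *)ptr + newsize, oldsize - newsize);
        return ptr;
    }
    /* Grow: never realloc(3), which may move the data and free the old
     * copy without clearing it. Take zeroed memory, copy, wipe, free. */
    if ((newptr = calloc(1, newsize)) == NULL)
        return NULL;
    memcpy(newptr, ptr, oldsize);
    wipe(ptr, oldsize);
    free(ptr);
    return newptr;
}
```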

 - mandoc 1.14.1
    o New mandoc.db(5) file format: man(1), apropos(1), and
      makewhatis(8) no longer need SQLite3.
    o Much improved HTML output and CSS.
    o In man(1), internal searching with less(1) :t has been improved.
    o New mandoc(1) -mdoc -T markdown output mode (already a post-1.14.1
      feature).

 - Ports and packages:
    o Many pre-built packages for each architecture:
       - alpha:  7413                  - mips64:   8072
       - amd64:  9714                  - mips64el: 6880
       - arm:    7501                  - powerpc:  7703
       - hppa:   6422                  - sparc64:  8606
       - i386:   9697

 - Some highlights:

    o Afl 2.39b                       o Mutt 1.8.0
    o Chromium 57.0.2987.133          o Node.js 6.10.1
    o Emacs 21.4 and 24.5             o Ocaml 4.03.0
    o GCC 4.9.4                       o OpenLDAP 2.3.43 and 2.4.44
    o GHC 7.10.3                      o PHP 5.5.38, 5.6.30 and 7.0.16
    o Gimp 2.8.18                     o Postfix 3.2.0 and 3.3-20170218
    o GNOME 3.22.2                    o PostgreSQL 9.6.2
    o Go 1.8                          o Python 2.7.13, 3.4.5, 3.5.2 and
    o Groff 1.22.3                      3.6.0
    o JDK 7u80 and 8u121              o R 3.3.3
    o KDE 3.5.10 and 4.14.3 (plus     o Ruby 1.8.7.374, 2.1.9, 2.2.6,
      KDE4 core updates)                2.3.3 and 2.4.1
    o LLVM/Clang 4.0.0                o Rust 1.16.0
    o LibreOffice 5.2.4.2             o Sendmail 8.15.2
    o Lua 5.1.5, 5.2.4, and 5.3.4     o SQLite 3.17.0
    o MariaDB 10.0.30                 o Sudo 1.8.19.2
    o Mono 4.6.2.6                    o Tcl/Tk 8.5.18 and 8.6.4
    o Mozilla Firefox 52.0.2esr and   o TeX Live 2015
      52.0.2                          o Vim 8.0.0388
    o Mozilla Thunderbird 45.8.0      o Xfce 4.12

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
      freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 4.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.24.1 (+ patches)
    o NSD 4.1.15
    o Unbound 1.6.1
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.1.1

If you'd like to see a list of what has changed between OpenBSD 6.0
and 6.1, look at

        http://www.OpenBSD.org/plus61.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        http://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

        http://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

        http://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- RELEASE SONGS --------------------------------------------------------

Every OpenBSD release is accompanied by artwork and a song.  OpenBSD 6.1
comes with the song "Winter of 95".

Lyrics (and an explanation) of the song may be found at:

        http://www.OpenBSD.org/lyrics.html#61

------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------

OpenBSD can be easily installed via HTTP downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP.

1) Read either of the following two files for a list of HTTP
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        http://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of April 11, 2017, the following HTTP mirror sites have the 6.1 release:

        http://ftp.eu.openbsd.org/pub/OpenBSD/6.1/      Stockholm, Sweden
        http://ftp.bytemine.net/pub/OpenBSD/6.1/        Oldenburg, Germany
        http://ftp.ch.openbsd.org/pub/OpenBSD/6.1/      Zurich, Switzerland
        http://ftp.fr.openbsd.org/pub/OpenBSD/6.1/      Paris, France
        http://ftp5.eu.openbsd.org/pub/OpenBSD/6.1/     Vienna, Austria
        http://mirror.aarnet.edu.au/pub/OpenBSD/6.1/    Brisbane, Australia
        http://ftp.usa.openbsd.org/pub/OpenBSD/6.1/     CO, USA
        http://ftp5.usa.openbsd.org/pub/OpenBSD/6.1/    CA, USA
        http://mirror.esc7.net/pub/OpenBSD/6.1/         TX, USA

        The release is also available at the master site:

        http://ftp.openbsd.org/pub/OpenBSD/6.1/          Alberta, Canada

        However, it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP mirror site and go into the directory
   pub/OpenBSD/6.1/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     amd64/           luna88k/         sgi/
        Changelogs/      arm64/           macppc/          sparc64/
        README           armv7/           octeon/          src.tar.gz
        SHA256           hppa/            packages/        sys.tar.gz
        SHA256.sig       i386/            ports.tar.gz     tools/
        alpha/           landisk/         root.mail        xenocara.tar.gz

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy61.fs     pxeboot*
        BOOTX64.EFI*    bsd.mp*         game61.tgz      xbase61.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont61.tgz
        INSTALL.amd64   cd61.iso        install61.fs    xserv61.tgz
        SHA256          cdboot*         install61.iso   xshare61.tgz
        SHA256.sig      cdbr*           man61.tgz
        base61.tgz      comp61.tgz      miniroot61.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install61.iso.  The install61.iso file (roughly 220MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install61.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 6.1 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see http://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.1/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (http://ftp.OpenBSD.org/pub/OpenBSD/6.1/README) file explains
how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber.  Base and X system builds by Kenji Aoyama,
Theo de Raadt, Jonathan Gray, and Visa Hankala.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Benoit Lecocq, Bob Beck, Brandon Mercer,
    Brent Cook, Bret Lambert, Bryan Steele, Can Erkin Acar,
    Charles Longeau, Chris Cappuccio, Christian Weisgerber,
    Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
    Daniel Boulet, Daniel Dickman, Daniel Jakots, Darren Tucker,
    David Coppa, David Gwynne, David Hill, Dmitrij Czarkoff, Doug Hogan,
    Edd Barrett, Eric Faurot, Florian Obser, Frederic Cambus,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin,
    Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro,
    James Turner, Jason McIntyre, Jasper Lievisse Adriaanse,
    Jeremie Courreges-Anglas, Jeremy Evans, Joel Sing, Joerg Jung,
    Jonathan Armani, Jonathan Gray, Jonathan Matthew, Joris Vink,
    Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
    Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
    Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo,
    Luke Tymowski, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky,
    Matthias Kilian, Matthieu Herrb, Michal Mazurek, Mike Belopuhov,
    Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott,
    Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf,
    Patrick Wildt, Paul Irofti, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Rafael Zalamena, Remi Pointel,
    Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
    Robert Nagy, Robert Peichaer, Sasano Takayoshi, Sebastian Benoit,
    Sebastian Reitenbach, Sebastien Marie, Stefan Fritsch, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Tim van der Molen, Tobias Stoeckmann, Todd C. Miller,
    Tom Cosgrove, Ulf Brosziewski, Vadim Zhukov, Vincent Gross,
    Visa Hankala, Yasuoka Masahiko, Yojiro Uo