Reyk Floeter (reyk@) has committed support for simple request rewrites to httpd(8)/ httpd.conf(5) [in -current]:

CVSROOT:        /cvs
Module name:    src
Changes by:     r...@cvs.openbsd.org    2018/06/20 10:43:05

Modified files:
        usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y 
                         server_http.c 

Log message:
Add support for simple one-off internal rewrites.

For example:

location match "/page/(%d+)/.*" {
request rewrite "/static/index.php?id=%1&$QUERY_STRING"
}

Requested by many.

Ok benno@

As part of ongoing mitigations against CPU vulnerabilities, -current has gained a new sysctl, "hw.smt", to control Simultaneous Multi Threading (SMT). This is disabled by default (only on Intel® CPUs, for now).

There have been more developments in the continuing work mitigating against (Intel®, and potentially other) CPU vulnerabilities…

Philip Guenther (guenther@) committed the following:

Reyk Floeter (reyk@) has committed a simple LDAP client to -current:

CVSROOT:	/cvs
Module name:	src
Changes by:	reyk@cvs.openbsd.org	2018/06/13 09:45:58

Log message:
    Import ldap(1), a simple ldap search client.

Earlier this month, Philip Guenther (guenther@) committed (to amd64 -current) a change from lazy to semi-eager FPU switching to mitigate against rumored FPU state leakage in Intel® CPUs.

Theo de Raadt (deraadt@) discussed this in his BSDCan 2018 session.

Using information disclosed in Theo's talk, Colin Percival developed a proof-of-concept exploit in around 5 hours. This seems to have prompted an early end to an embargo (in which OpenBSD was not involved), and the official announcement of the vulnerability.

BSDCan 2018 has concluded, and materials for (some of) the OpenBSD-related tutorials and talks can be found in the usual place.

Highlights include the unveiling of unveil(), hinted at by Bob Beck (beck@) in his p2k18 report, and "Speculating about Intel", by Theo de Raadt (deraadt@). [An unofficial video of the latter presentation is available.]

At the time of writing, official video recordings are not yet available.

Todd Mortimer (mortimer@) has committed "RETGUARD" for clang (for amd64).

This is a new anti-ROP security mechanism, which uses random per-function cookies to protect return addresses on the stack.

Joel Sing (jsing@) has committed Crypto Simplified Interface (CSI) to -current:

CVSROOT:	/cvs
Module name:	src
Changes by:	jsing@cvs.openbsd.org	2018/06/02 11:40:33

Added files:
	lib/libcsi     : Makefile Symbols.list csi.c csi.h csi_dh.c 
	                 csi_dh_groups.c csi_internal.h csi_util.c 
	                 shlib_version 

Log message:
Initial version of Crypto Simplified Interface (CSI).

This is a code base that intends on providing a simplified interface for
mid-level cryptographic operations. In due course various applications and
libraries will be able to benefit from a clean and robust API, rather than
using libcrypto or other similar APIs directly.

Discussed at length with deraadt@, djm@, markus@, beck@ and others.

This parallels the addition of libtls.

Gilles Chehade (gilles@) has committed (to -current) the new smtpd.conf grammar discussed in his p2k18 hackathon report.