Add optimisations for specific Athlon models (recht@)
Avoid setting flags if DBG is set to -Os (to reduce size impact
when building contents of distrib on at least 1.6.x i386)
Add optimisations for specific Athlon models (recht@)
Avoid setting flags if DBG is set to -Os (to reduce size impact
when building contents of distrib on at least 1.6.x i386)
XXX I updated configure.ac, but I can't actually patch that without running
into severe automake lossage, so that patch is not named patch-?? right now.
the ususal: new features and fixes
notably:
New Thread Locking
Zoltan removed the big locks we had in the runtime, and now we have a
finely grained lock system in the runtime. Runtime hackers can read the
included lock matrix document which describes the requirements to use
the new fine grained locks in their code.
Ahead of Time Compiler Optimizations
Zoltan has worked extensively on the Mono ahead-of-time compilation
feature (AOT). The AOT code is now considered to be production quality,
and also for the first time precompiled code runs faster than JITed
code. This resulted in a 13% compilation speed up for the Mono C#
compiler, reducing the compile time to 3.185 seconds. A clear goal of
the team for the next release is to reach 3.1416 seconds.
for a complete list see: http://www.go-mono.com/archive/mono-0.28.html
* Fixed bug #972: The total value in the tooltip is now displayed with
fractional portion
* Fixed bug #962: Any errors about wrong configuration are now only
displayed in a dialog after changing configuration and not after
startup. This should help users whose network device is created after
dialing-in.
but I'm not sure what they are, and the freenet6 site does not
appear to have an easy way to get older versions of the files.
This is an INTERACTIVE_STAGES= fetch package also, so people might
have some difficulty without this update.
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CAN-2003-0543 and CAN-2003-0544).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
[Steve Henson]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
[Bodo Moeller; problem pointed out by Matthias Loepfe]
*) Change X509_certificate_type() to mark the key as exported/exportable
when it's 512 *bits* long, not 512 bytes.
[Richard Levitte]
Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from it's contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
be read through on certain media, for example a swap space on disk.
[Geoff Thorpe]
*) Bugfix: client side session caching did not work with external caching,
because the session->cipher setting was not restored when reloading
from the external cache. This problem was masked, when
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
(Found by Steve Haslam <steve@araqnid.ddts.net>.)
[Lutz Jaenicke]
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
[Zeev Lieber <zeev-l@yahoo.com>]
*) Undo an undocumented change introduced in 0.9.6e which caused
repeated calls to OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digests() to be ignored, even after calling
EVP_cleanup().
[Richard Levitte]
*) Change the default configuration reader to deal with last line not
being properly terminated.
[Richard Levitte]
*) Change X509_NAME_cmp() so it applies the special rules on handling
DN values that are of type PrintableString, as well as RDNs of type
emailAddress where the value has the type ia5String.
[stefank@valicert.com via Richard Levitte]
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
the bitwise-OR of the two for use by the majority of applications
wanting this behaviour, and update the docs. The documented
behaviour and actual behaviour were inconsistent and had been
changing anyway, so this is more a bug-fix than a behavioural
change.
[Geoff Thorpe, diagnosed by Nadav Har'El]
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
[Bodo Moeller]
*) Fix initialization code race conditions in
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
ssl2_get_cipher_by_char(),
ssl3_get_cipher_by_char().
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
the cached sessions are flushed, as the remove_cb() might use ex_data
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
(see [openssl.org #212]).
[Geoff Thorpe, Lutz Jaenicke]
*) Fix typo in OBJ_txt2obj which incorrectly passed the content
length, instead of the encoding length to d2i_ASN1_OBJECT.
[Steve Henson]
* play.samples is in bytes, not frames. (XXX I wonder if we can fix this or
it's too late??)
* Set blocksize much smaller so that xine thinks the pointer is "real-time".
patch provided in PR 22939 by Adrian Portelli
Version 2.0.2:
--------------
Cleanup of the RST mess in p0fr.fp and p0f.c parser.
Added isprint() text preview for -x mode.
[BUG] Fixed packet size reporting and matching for packets over 255 bytes
(_u8 -> _u16).
Extended RST+ACK to also cover plain RST, added some sane explanations
of the purpose of each mode. Clarification of the RST vs RST+ACK
occurences; test/sendack.c added.
Added -R option for RST+ACK fingerprinting. Created an empty database.
Moved databases from /etc to /etc/p0f/
Windows memory leak mystery solved.
No longer using pcap timeouts for anything. They suck. I first wanted
to use SIGALRM with no SA_RESTART, but it's broken on Linux on this
particular syscall. Fortunately, I spotted an mis-documented pcap_fileno and can now use select(). I just hope it won't break.
Note to self: despite of the documentation saying pcap_open_live with
timeout 0 will simply never timeout (which is irrelevant for
pcap_loop anyway), it does not work on FreeBSD, inhibiting all packet
processing instead. Works fine on Linux. Go figure.
Some minor p0fq fixes to prevent warnings.
Added some SYN+ACK signatures from rfp (p0fa.fp). Hooray!
p0fa.fp is now official. Moved from test/ to ., etc. README updated.
[BUG] Fixed the default TTL for IRIX and Tru64 (60), added a note to
p0f.fp, fixed TTL checker to also support %30 values.
[BUG] Fixed query mode lookup. The old code didn't handle reverse
lookups properly.
Masquerade scoring data is now available via the query interface.
P0fq utility updated to handle this.
Dropped /bin/bash from p0frep, /bin/sh would suffice.
Added a new -c option for -M and -Q cache size scaling, packet ratio
information on Ctrl-C to help estimate the right parameter.
Extra masquerade detection flags: -T for threshold, -V for detailed
flag breakdown; masquerade reporting now recognizes -r.
The new -w option writes all matching packets to a pcap file (regardless
of -K and -U settings).
Added -M option (unix only until p0f-query.c gets ported). This option
enables advanced masquerade detection based on the cyclic buffer
used by -Q. Added - signature flag to the config file. Some
documentation for the new functionality.
[BUG] Cleaned up the -K and -U semantics with -Q.
Replaced some single-character printfs with putchars in signature
reporting code (should be a tad faster). Added signature check
reporting, generic signature count and some other minor tweaks.
The new -x option provides a hexadecimal TCP/IP packet dump. Useful
when comparing two colliding fingerprints to find some differences
not covered by the current quirks set.
PPPoE interface is now handled correctly on NetBSD.
Added a shoddy manpage and updated makefiles.
Removed E quirk and added E to the regular options; removed needless EOL
append code from the parser. Breaks the old signature format in some
rare cases, but the old quirk is still recognized, and the user will be
advised to change it.
[BUG] Fixed ? option parsing bug that prevented RISC OS signature from
working (and would prevent all ? signatures from working, should there
be any other ;-).
New signatures and other database additions, of course.
[BUG] Fixed a very minor parser bug that could cause it to loop over
an unknown option with a declared length of zero. This is not a DoS
condition, because the parser would quit the loop after parsing max. 16
options anyway.
from the pkgsrc-wip pkg by Michal Pasternak
Psyco is a specializing compiler. In a few words let us first see:
What you can do with it
In short: run your existing Python software much faster, with no change in
your source.
Think of Psyco as a kind of just-in-time (JIT) compiler, a little bit like
Java's, that emit machine code on the fly instead of interpreting your Python
program step by step. The result is that your unmodified Python programs run
faster.
Benefits
2x to 100x speed-ups, typically 4x, with an unmodified Python interpreter and
unmodified source code, just a dynamically loadable C extension module.
Drawbacks
Psyco currently uses quite a lot of memory. It only runs on Intel
386-compatible processors (under any OS) right now. There are some subtle
semantic differences (i.e. bugs) with the way Python works; they should not be
apparent in most programs.
