Enforce canonical encoding for ASPA eContent
from draft-ietf-sidrops-aspa-profile-22:
"An ASID value of 0 can only be encoded in the providers field as
a single item list, i.e., an element for AS 0 MUST NOT appear
alongside any other elements."
with/OK tb@
More ec_point_cmp() turd polishing
jsing prefers doing all computations first and comparing at the end. This
means we do more work when we fail and no longer (ab)use err as an out label.
Also split out one more helper.
ok jsing
Make truncation in ASN1_BIT_STRING_set_bit() explicit
Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused"
bits on encoding, set them explicitly in abs->flags via a call to
asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is
now set on a bit string, which was previously explicitly cleared.
This also means that the encoding of a non-zero ASN1_BIT_STRING
populated by setting the bits individually will now go through the
if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING().
The most prominent usage of this function is in X.509 for the keyUsage
extension or the CRL reason codes. There's also the NS cert type, TS
PKIFailureInfo and general BITLIST config strings.
The reason for the truncation logic comes from the DER for NamedBitLists
X.690, 11.2.2 below:
X.680, 22.7:
[22 lines not shown]
vmm: Expose pvclock only if tsc frequency is known
If the tsc frequency is unknown, tsc_frequency == 0 and vmm will set
vc_pvclock_system_tsc_mul = 0 which will cause the guest's pvclock to
not advance until vmm updates the struct pvclock_time_info on the next
vmentry. tsc_frequency == 0 can happen in nested virtualization
setups.
Therefore, do not expose the pvclock feature bits if tsc_frequency == 0,
both in the KVM and in the VMM hypervisor signature.
ok mlarkin
replace buggy strncmp with strcmp found with clang-tidy
Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect.
discussed w/ tb@ & beck@
Fix PSTL backend (names) in __config_site
Upstream libc++ renamed these macros in the following commit:
https://github.com/llvm/llvm-project/commit/d423d80
We had the correct names in the libcxx* makefiles, so no ABI changes are
required.
Reported by c2qd and also provided the __config_site diff. OK robert@
Fetch the error reason from libcrypto if available, append it to
the corresponding ssh error message and optionally print the libcrypto
full error stack (at debug1). with & ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.7 are security fixes #1131 #1075, bug fixes
#1073. CVE-2026-24515 CVE-2026-25210
OK tb
this is errata/7.7/020_expat.patch.sig
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.8 are security fixes #1131 #1075, bug fixes
#1073, other changes #1105 #1106 #1051. CVE-2026-24515 CVE-2026-25210
OK tb@
this is errata/7.8/014_expat.patch.sig
fix iwx(4) issues related to roaming and PMF and firmware crypto keys
Avoid a fatal firmware error on Bz firmware (and perhaps MA?) by removing
crypto keys from firmware before removing the AP firmware station.
Also improve roaming behaviour when PMF is enabled. We must send the deauth
frame to the old AP properly encrypted, so do this before keys get removed.
Thanks to Johannes Berg for deciphering firmware SYSASSERT code 0x0000251B.
ok kettenis@
Some content improvements:
* Describe more precisely how the FUSE open() operation works instead
of vaguely hinting that there are differences to other operating systems.
* Move the sentence about O_CREAT and O_TRUNC after the flags argument
has been introduced, and mark it up properly.
* Describe the symlink() operation more clearly.
OK helg@
Implement missing pieces of FIDO/webauthn signature support, mostly
related to certificate handling and enable acceptance of this
signature format by default. bz3748 GHPR624 GHPR625
Feedback tb / James Zhang; ok tb
revert "use pf_states to link mbufs/inpcbs and forwarded connections together"
Pedro Caetano on bugs@ has a setup that triggers the kasserts in
pf_state_link_reverse().