replace buggy strncmp with strcmp found with clang-tidy
Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect.
discussed w/ tb@ & beck@
Fix PSTL backend (names) in __config_site
Upstream libc++ renamed these macros in the following commit:
https://github.com/llvm/llvm-project/commit/d423d80
We had the correct names in the libcxx* makefiles, so no ABI changes are
required.
Reported by c2qd and also provided the __config_site diff. OK robert@
Fetch the error reason from libcrypto if available, append it to
the corresponding ssh error message and optionally print the libcrypto
full error stack (at debug1). with & ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.7 are security fixes #1131 #1075, bug fixes
#1073. CVE-2026-24515 CVE-2026-25210
OK tb
this is errata/7.7/020_expat.patch.sig
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.8 are security fixes #1131 #1075, bug fixes
#1073, other changes #1105 #1106 #1051. CVE-2026-24515 CVE-2026-25210
OK tb@
this is errata/7.8/014_expat.patch.sig
fix iwx(4) issues related to roaming and PMF and firmware crypto keys
Avoid a fatal firmware error on Bz firmware (and perhaps MA?) by removing
crypto keys from firmware before removing the AP firmware station.
Also improve roaming behaviour when PMF is enabled. We must send the deauth
frame to the old AP properly encrypted, so do this before keys get removed.
Thanks to Johannes Berg for deciphering firmware SYSASSERT code 0x0000251B.
ok kettenis@
Some content improvements:
* Describe more precisely how the FUSE open() operation works instead
of vaguely hinting that there are differences to other operating systems.
* Move the sentence about O_CREAT and O_TRUNC after the flags argument
has been introduced, and mark it up properly.
* Describe the symlink() operation more clearly.
OK helg@
Implement missing pieces of FIDO/webauthn signature support, mostly
related to certificate handling and enable acceptance of this
signature format by default. bz3748 GHPR624 GHPR625
Feedback tb / James Zhang; ok tb
revert "use pf_states to link mbufs/inpcbs and forwarded connections together"
Pedro Caetano on bugs@ has a setup that triggers the kasserts in
pf_state_link_reverse().
Retire ACTION_SET_NEXTHOP_REF, ACTION_PFTABLE_ID, and ACTION_RTLABEL_ID
With the filter_set & rde_filter_set_elm split there is no more need
to have extra types for nh_ref and id objects. Struct filter_set no
longer needs to hold nh_ref and id and rde_filter_set_elm only uses
id and nh_ref. rde_filterset_conv() takes care of the conversion.
Removes a lot of code that was just there to ensure that no unexpected
type sneaks through.
OK tb@
Improve rde_apply_set() performance by changing filter_sets in the RDE.
Switch away from a linked list of filter_set elements and instead use
an array of stripped down rde_filter_set_elm elements. As a result
rde_apply_set() becomes more efficient since the CPU is no longer waiting
all the time for memory accesses.
Introduce a new way to send and recv the imsgs for IMSG_FILTER_SET.
There is a send and receive function in the new bgpd_imsg.c file that
is also used by bgpctl. The receive function is a lot more strict
and on top of this add imsg_check_filterset() which validates messages
sent on the control socket before passing them on.
OK tb@