sys/net80211: announce 160MHz channels only when driver supports it
Support of 160Mhz window brings a regression for drivers which do not
supprot 160MHz window which leads to the wrong channel center.
It was tested on iwx with and without 160Mhz window support in the code
agaisnt 2.4Ghz network with 20Mhz and 40Mhz, and 5Ghz with 40Mhz, 60Mhz,
80Mhz and 160Mhz window.
Reported as iwm issue by martijn@
OK: stsp@
When in copy mode with a large scroll offset and the window is resized
so that history shrinks, data->oy can exceed screen_hsize causing an
unsigned integer underflow in the py computation. Clamp data->oy in
window_copy_resize and window_copy_cmd_refresh_from_pane before the
subtraction. From futpib at gmail dot com in GitHub issue 4958.
apply the same validity rules to usernames and hostnames set for
ProxyJump/-J on the commandline as we do for destination user/host
names.
Specifically, they are no longer allowed to contain most characters
that have special meaning for common shells. Special characters are
still allowed in ProxyJump commands that are specified in the config
files.
This _reduces_ the chance that shell characters from a hostile -J
option from ending up in a shell execution context.
Don't pass untrusted stuff to the ssh commandline, it's not intended
to be a security boundary. We try to make it safe where we can, but
we can't make guarantees, because we can't know the parsing rules
and special characters for all the shells in the world, nor can we
know what the user does with this data in their ssh_config wrt
percent expansion, LocalCommand, match exec, etc.
[4 lines not shown]
libssl regress: adjust golden numbers for RSASSA-PSS
Add the three RSASSA-PSS SignatureScheme 0x080b, 0x080a, 0x0809 in the
appropriate spots in (components of) the ClientHello and adjust various
length octets by adding 6.
libssl: announce support for RSASSA-PSS signature schemes
Announce the signature schemes for RSASSA-PSS with pubkey OID RSASSA-PSS
between RSASSA-PSS with pubkey OID rsaEncryption and RSASSA-PKCS1-v1_5.
This is the last step in the everlasting saga for making these signature
schemes and certificates with RSASSA-PSS OID work. Fortunately, these are
rarely used since they are extremely complex and inefficient also due to
the large size of the parameters. This addresses bug reports by Steffen
Ullrich and Tom Lane.
Tested by bluhm.
ok djm jsing kenjiro
ssl_sigalg_pkey_ok: allow RSASSA-PSS with pubkey OID RSASSA-PSS
This fixes a long-standing logic error that hasn't been noticed because
we never announced the rsa_pss_pss_sha{256,384,512} SignatureScheme. The
EVP_PKEY_id() of a RSA-PSS pubkey is EVP_PKEY_RSA_PSS, not EVP_PKEY_RSA.
Thanks to beck for helping me figure out how to fix this correctly. It
drove me nuts for a very long time. Problem also noticed by Tom Lane
due to some PostgreSQL regress failures.
ok djm jsing kenjiro
Improve OpenBSD::Unveil POD
The choice of variable names made it somewhat unclear what arguments
to pass and made it seem the interface might differ from unveil(2).
ok dgl@
Remove useless memory barriers in igmp and mld6 timer.
Multicast timers are protected by poper locks. The shortcut that
avoids locking when no timers are scheduled, does not need an
additional membar.
OK mvs@
sys/tmpfs: use getnanotime() like FFS and MFS
Editing files on tmpfs uses nanotime() to update mtime, and touch uses
utimensat(UTIME_NOW) which uses getnanotime() which is cached and which
can be smaller.
So, sed ... A && touch B leads to mtime(A) > mtime(B) which isn't excted.
"Yep" deraadt@
ML-KEM: ensure that key_768 is only dereferenced with 768-bit keys
This looks like a NULL dereference that should crash, but for some reason
it doesn't, even with -O0 with all compilers i tried. At the very least it
may result in compilers deducing that key_768 != NULL and lead to incorrect
optimizations.
ok claudio jsing kenjiro miod
After the kernel-writes-the-buffer changes to profil(2) a year ago, the
profil(2) call only works for stop/restart of profiling. So pledge no
longer interferes and it is available in "stdio".
Remove pthread rwlocks from vmd(8)'s qcow code.
The users of this code are single threaded today. The locks also
don't look to fully protect key state in qcow images. If/when virtio
block emulation ends up with multiple virtqueues, this will need
to be revisited.
ok mlarkin@, hshoexer@
Provide a crypto_assembly.h internal header.
This will contain defines and macros that we need for assembly code,
without polluting other headers that are primarily used for C code.
For now, this just unconditionally provides _CET_ENDBR on amd64.
ok kenjiro@ tb@
libtls: const workarounds for X509_NAME in OCSP for OpenSSL 4
The API to look up a cert by subject or issuer name clearly only needs to
do name comparisons in a collection of certs so should by all means take a
const X509_NAME * as an argument. However, this isn't all that easy to do
and hence it's only in OpenSSL 4 that this obvious step was reached.
This means that there is no way around casting for older code. One could
cast the return value of X509_get_issuer_name() or the argument passed to
the two lookups by subject. jsing slightly prefers the second approach,
so this is what we do here.
ok djm jsing kenjiro
libtls: simple cases of const for X509_NAME *
After the const sprinkling in OpenSSL 1.1, X509_get_{issuer,subject}_name()
still returned a non-const pointer for unclear reasons. In OpenSSL 4,
the return value also grew a const qualifier, so move the two "name" in
tls_conninfo.c and the "subject_name" in tls_verify.c to const. They are
only used for further processing by already const correct functions (at
least as far as X509_NAME is concerned).
ok djm jsing kenjiro
