openssl x509: Remove legacy call to OBJ_create()
The OID 2.99999.3 is not required for x509 output handling and
is not referenced elsewhere. Remove the OBJ_create() call.
ok tb jsing
openssl x509: send -text output to the file specified by -out
In the x509 command, `-text` output is not written to the file specified
by `-out`, whereas in other OpenSSL/LibreSSL subcommands it is.
With this change, STDout is removed, and `-text` output is written
entirely to the file specified by `-out`, making the behavior consistent
with other subcommands.
Fix https://github.com/libressl/portable/issues/1228
ok tb jsing
Make ssh optionally build with Kerberos 5 against the Heimdal port.
This updates the Makefiles and repairs some bitrot in headers,
resyncing them against Portable. To do this, "pkg_add heimdal" then
"make KERBEROS5=yes". ok djm@
Enforce canonical encoding for ASPA eContent
from draft-ietf-sidrops-aspa-profile-22:
"An ASID value of 0 can only be encoded in the providers field as
a single item list, i.e., an element for AS 0 MUST NOT appear
alongside any other elements."
with/OK tb@
More ec_point_cmp() turd polishing
jsing prefers doing all computations first and comparing at the end. This
means we do more work when we fail and no longer (ab)use err as an out label.
Also split out one more helper.
ok jsing
Make truncation in ASN1_BIT_STRING_set_bit() explicit
Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused"
bits on encoding, set them explicitly in abs->flags via a call to
asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is
now set on a bit string, which was previously explicitly cleared.
This also means that the encoding of a non-zero ASN1_BIT_STRING
populated by setting the bits individually will now go through the
if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING().
The most prominent usage of this function is in X.509 for the keyUsage
extension or the CRL reason codes. There's also the NS cert type, TS
PKIFailureInfo and general BITLIST config strings.
The reason for the truncation logic comes from the DER for NamedBitLists
X.690, 11.2.2 below:
X.680, 22.7:
[22 lines not shown]
vmm: Expose pvclock only if tsc frequency is known
If the tsc frequency is unknown, tsc_frequency == 0 and vmm will set
vc_pvclock_system_tsc_mul = 0 which will cause the guest's pvclock to
not advance until vmm updates the struct pvclock_time_info on the next
vmentry. tsc_frequency == 0 can happen in nested virtualization
setups.
Therefore, do not expose the pvclock feature bits if tsc_frequency == 0,
both in the KVM and in the VMM hypervisor signature.
ok mlarkin
replace buggy strncmp with strcmp found with clang-tidy
Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect.
discussed w/ tb@ & beck@
Fix PSTL backend (names) in __config_site
Upstream libc++ renamed these macros in the following commit:
https://github.com/llvm/llvm-project/commit/d423d80
We had the correct names in the libcxx* makefiles, so no ABI changes are
required.
Reported by c2qd and also provided the __config_site diff. OK robert@
Fetch the error reason from libcrypto if available, append it to
the corresponding ssh error message and optionall print the libcrypto
full error stack (at debug1). with & ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.7 are security fixes #1131 #1075, bug fixes
#1073. CVE-2026-24515CVE-2026-25210
OK tb
this is errata/7.7/020_expat.patch.sig
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.8 are security fixes #1131 #1075, bug fixes
#1073, other changes #1105 #1106 #1051. CVE-2026-24515CVE-2026-25210
OK tb@
this is errata/7.8/014_expat.patch.sig
fix iwx(4) issues related to roaming and PMF and firmware crypto keys
Avoid a fatal firmware error on Bz firmware (and perhaps MA?) by removing
crypto keys from firmware before removing the AP firmware station.
Also improve roaming behaviour when PMF is enabled. We must send the deauth
frame to the old AP properly encrypted, so do this before keys get removed.
Thanks to Johannes Berg for deciphering firmware SYSASSERT code 0x0000251B.
ok kettenis@
Some content improvements:
* Describe more precisely how the FUSE open() operation works instead
of vaguely hinting that there are differences to other operating systems.
* Move the sentence about O_CREAT and O_TRUNC after the flags argument
has been introduced, and mark it up properly.
* Describe the symlink() operation more clearly.
OK helg@
