Fetch the error reason from libcrypto if available, append it to
the corresponding ssh error message and optionally print the libcrypto
full error stack (at debug1). with & ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.7 are security fixes #1131 #1075, bug fixes
#1073. CVE-2026-24515 CVE-2026-25210
OK tb
this is errata/7.7/020_expat.patch.sig
Backport fixes from libexpat version 2.7.4.
Relevant for OpenBSD 7.8 are security fixes #1131 #1075, bug fixes
#1073, other changes #1105 #1106 #1051. CVE-2026-24515 CVE-2026-25210
OK tb@
this is errata/7.8/014_expat.patch.sig
fix iwx(4) issues related to roaming and PMF and firmware crypto keys
Avoid a fatal firmware error on Bz firmware (and perhaps MA?) by removing
crypto keys from firmware before removing the AP firmware station.
Also improve roaming behaviour when PMF is enabled. We must send the deauth
frame to the old AP properly encrypted, so do this before keys get removed.
Thanks to Johannes Berg for deciphering firmware SYSASSERT code 0x0000251B.
ok kettenis@
Some content improvements:
* Describe more precisely how the FUSE open() operation works instead
of vaguely hinting that there are differences to other operating systems.
* Move the sentence about O_CREAT and O_TRUNC after the flags argument
has been introduced, and mark it up properly.
* Describe the symlink() operation more clearly.
OK helg@
Implement missing pieces of FIDO/webauthn signature support, mostly
related to certificate handling and enable acceptance of this
signature format by default. bz3748 GHPR624 GHPR625
Feedback tb / James Zhang; ok tb
revert "use pf_states to link mbufs/inpcbs and forwarded connections together"
Pedro Caetano on bugs@ has a setup that triggers the kasserts in
pf_state_link_reverse().
Retire ACTION_SET_NEXTHOP_REF, ACTION_PFTABLE_ID, and ACTION_RTLABEL_ID
With the filter_set & rde_filter_set_elm split there is no more need
to have extra types for nh_ref and id objects. Struct filter_set no
longer needs to hold nh_ref and id and rde_filter_set_elm only uses
id and nh_ref. rde_filterset_conv() takes care of the conversion.
Removes a lot of code that was just there to ensure that no unexpected
type sneaks through.
OK tb@
Improve rde_apply_set() performance by changing filter_sets in the RDE.
Switch away from a linked list of filter_set elements and instead use
an array of stripped down rde_filter_set_elm elements. As a result
rde_apply_set() becomes more efficient since the CPU is no longer waiting
all the time for memory accesses.
Introduce a new way to send and recv the imsgs for IMSG_FILTER_SET.
There is a send and receive function in the new bgpd_imsg.c file that
is also used by bgpctl. The receive function is a lot more strict
and on top of this add imsg_check_filterset() which validates messages
sent on the control socket before passing them on.
OK tb@
the advice about using sysconf(_SC_PAGESIZE) is nuts, no one should
actively go about changing existing code in such a pointless way.
also, remove the archaic reference to sbrk.
discussion with enh @ google
Use correct bit mask for mcu command field.
Both the vendor and Linux drivers store the mcu command in the cmd
field of the mcu tx descriptor, which is 7 bits wide.
ok hastings@
Export divert sockets from kernel to sysctl.
To show divert-packet sockets in netstat(1), the kernel has to
include the information about the divert and divert6 tables in
sysctl KERN_FILE_BYFILE.
reported by William B. OK mvs@ sthen@
rpki-client: rename cert_parse() into cert_parse_filemode()
Now that we added more specialized parsing functions, cert_parse() should
only be used in filemode. Make this more explicit by adjusting its name.
Keep the magic der == NUL check for now for consistency with the other API
parsing a cert from its DER.
ok claudio
Move more bits around to simplify the filter_set refactor.
Introduce rde_filter_dup() that takes care of duplicating a filter rule
with all dependencies.
Check that peer_apply_out_filter() does not return an old list for new
peers. This can't happen but it is one of those where a check makes
sense.
Move rde_l3vpn_import() to rde_filter.c since it works on a
struct filter_set to match against communities.
OK tb@
pfctl(9) with '-nvf ...' option must provide output which
matches pfctl grammar. This change fixes that for rules that
use source/state limiters.
The change also makes print_rule() print the limiter name
instead of its numeric id to make output more human friendly.
Feedback and improvements from dlg@
OK dlg2