Age | Commit message | Author |
|
Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.
ok inoguchi@ tb@
|
|
the responder to match the correct policy if multiple are available.
ok patrick@
|
|
Reported by Ilya Shipitsine, discussed with jsing
|
|
|
|
|
|
adjust list width to make it all fit
|
|
|
|
ok bluhm@
|
|
other. Since this generates a full mesh, the amount of file descriptors
needed grows quadratically with the amount of configured prefork
processes.
Might fix an out of file descriptor bug that beck is seeing.
OK benno
|
|
|
|
|
|
ok kettenis@
|
|
ok kettenis@
|
|
- support axppmic via iic
ok kettenis@
|
|
pfkey_flush().
ok bluhm@ mvs@
|
|
ok patrick@
|
|
Call the replacement asn1_tlc_invalidate() since it does not actually
clear the ASN1_TLC.
While here, name the ASN1_TLC variables consistently as ctx, remove a
pointless comment and simplify ASN1_item_d2i() slightly.
ok inoguchi@ tb@
|
|
|
|
ASN1_item_ex_d2i() is just a wrapper around the internal asn1_item_ex_d2i()
function, so call asn1_item_ex_d2i() directly.
ok inoguchi@ tb@
|
|
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@
|
|
Rather than using malloc() and then initialising all struct members to zero
values, use calloc().
ok schwarze@ tb@
|
|
This ensures that if any members are added to this struct, they will be
initialised.
ok schwarze@ tb@
|
|
This removes nested ifs and uses more sensible variable names.
ok schwarze@ tb@
|
|
Rather than using malloc() and then initialising all struct members, use
calloc() and only initialise the single non-zero value member.
ok schwarze@ tb@
|
|
Rather than using malloc() and then initialising all struct members, use
calloc() and only initialise the single non-zero value member.
ok schwarze@ tb@
|
|
These functions previously used the old ASN1_{d2i,i2d}_{bio,fp}()
interfaces.
ok inoguchi@ tb@
|
|
rewrite to expand the array as needed.
ok tb
|
|
iwx-firmware-20211101 must be installed with fw_update(1) before
booting a new kernel. sysupgrade(8) will take care of this.
Intel has published a related security advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00509.html
iwx(4) devices which are using the iwx-Qu-c0-hr-b0-63 image did
not receive a firmware update. I have no idea why.
Tested:
ax200: jmc, stsp, Matthias Schmidt
ax201: fkr, stsp
|
|
almost all members to 0. Just set the two things that need setting.
ok jsing
|
|
It is very easy to forget to copy over newly added methods. Everyone
working in this corner has run into this. Instead, preserve what needs
preserving and use a struct copy, so all methods get copied from src
to dest.
tweak/ok jsing
|
|
Those scripts are not hooked up to the build yet;
I assumed they were without checking, my bad.
Reminded by deraadt
|
|
While this is working well for many, some people see device timeouts
when using the device unless we disable probe requests during scans.
The issue was a lot more visible on iwx(4) with earlier firmware.
In fact, iwx(4) did ship with probe requests disabled for most of its
existence. I re-enabled them along with a firmware upgrade since I no
longer saw the problem. However, the issue prevails for other people.
I still have no idea what is causing this. I have already spent enough
time trying to track down a proper fix. Unless we receive help from
someone who knows about firmware internals the best we can do is trial
and error. The problem also existed on iwm(4) 9k devices which we now
run with probe requests disabled, too.
The only upside of probe requests is that scans can complete faster, with
the downside of a potential privacy leak (the previously selected SSID is
exposed). So, overall, we do not lose much here.
Patch tested for a week by Laurence Tratt who is no longer seeing device
timeouts which were relatively frequent before.
|
|
OK job@ tb@
|
|
Required to prevent breakage of roaming with new Intel firmware on 9k devices.
Tested:
8265: Aaron Poffenberger, stsp
9260: florian
9560: sthen
|
|
Fixes roaming-related hangs observed by jmc@.
Tested:
ax200: jmc, stsp
|
|
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.
Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.
Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp
|
|
Noticed while testing iwm/iwx roaming patches, where my AP would request
a new Rx BA session when we had already decided to roam away. There is no
need to set up a new Rx BA session with our old AP which we would have to
immediately tear down again anyway.
|
|
---
Provide common btrace(8) scripts
. kprofile.bt - to save kernel stackframes and produce flamegraphs
. runqlat.bt - to measure the latency of the scheduler runqueues
|
|
OK claudio@
|
|
fails.
|
|
conditional. Repeating the previous commit message:
Assert that at least one report id is claimed during multiple report ids
attachment. Should prevent uhidev drivers from doing the wrong thing in their
corresponding match routine.
Tested by dv@
|
|
default ports. bz3367 ok dtucker@
|
|
more: ask the token whether a particular key belongs to it in cases
where the token supports on-token user-verification (e.g. biometrics)
rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
Motivated by bz3366; by Pedro Martelletto
|
|
|
|
|
|
The "lim" variable needs to be a size_t to match nmemb, otherwise we
get undefined behavior when nmemb exceeds INT_MAX.
Prompted by a blog post by Joshua Bloch:
https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html
Fixed by Chris Torek a long time ago:
https://svnweb.freebsd.org/csrg/lib/libc/stdlib/bsearch.c?revision=51742&view=markup
ok millert@
|
|
which run asynchronously and can grab vnodes race to make the umount fail
spuriously
problem seen and diagnosed by Yuichiro NAITO
ok florian
|
|
Other regress tests do it differently; just fix/touch those that did not
mention any package name at all.
This helps grepping logs for SKIPPED to find instructions for the next run.
|
|
This helps grepping logs for SKIPPED to find instructions for the next run.
|
|
OK bluhm
|