Move the EC_METHOD to the bottom of the file, which allows all
implementation functions to become static. Remove unneeded prototypes.
ok tb@
|
|
in GHPR363; ok markus@
|
|
Use a fang dangled thing (known as a function) to avoid duplicating the
same code in five places.
ok tb@
|
|
Coverity CID 291845; ok dtucker@
|
|
In the RPKI-context (RFC 6487 section 4.8.2), SKIs are not at all
arbitrary identifiers: they must be the SHA-1 hash of the
'Subject Public Key'. Add a SPK digest calculation and comparison
to the X509v3 extension containing the SKI.
OK tb@
|
|
characters.
|
|
Discussed with deraadt@ tb@ claudio@
|
|
These functions are rather similar, so there's no need for the code to
be wildly different. Add a missing NULL check to ndef_prefix_free() since
that will be needed in a subsequent commit.
ok jsing
|
|
ok miod@
|
|
partition entries.
Add GPT_UUID_LEGACY_MBR entry to list of known partition IDs as
it is defined in the UEFI Standard.
|
|
curated and contributed by Brian Conway, thanks!
|
|
deprecated more than 25 years ago and removed more than 20.
From Crystal Kolipe, thanks!
|
|
issue reported by Crystal Kolipe on tech@
|
|
Note: there is a potential for confusion in RFC 7935, the specification
differentiates between 2 contexts: "in the certificate" and "CMS SignedData".
In the CMS context, either rsaEncryption or sha256WithRSAEncryption can
appear (and both *do* appear in the wild).
However, RFC 7935 section 2 fourth paragraph starting with "In certificates,
CRLs, ..." mandates that sha256WithRSAEncryption is used to sign .cer and
.crl files:
"The Object Identifier (OID) sha256WithRSAEncryption from RFC4055 MUST
be used in these products."
The above requirement matches observations on existing RPKI deployments.
OK tb@
|
|
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
|
All the structs are static and we need to reach into them many times.
Having a shorter name is more concise and results in less visual clutter.
It also avoids many overlong lines and we will be able to get rid of some
unfortunate line wrapping down the road.
Discussed with jsing
|
|
aisha@ and Crystal Kolipe, ok aisha@ tobhe@
|
|
rather than assuming they are the same size. Zero
destination entries when no source partition available.
No intentional functional change.
|
|
Loosely based on OpenSSL commit 6692ff77.
Prodded by job
|
|
This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.
|
|
Flip the logic of NULL checks on out and *out to unindent, use calloc()
instead of malloc() and check on assign. Also drop the newly added len2
again, it isn't needed.
ok jsing
|
|
New firmware versions address some security issues, as outlined here:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00621.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html
Firmware has been available in fw_update for some time so systems which
track -current should already have the new -77 images.
Tested:
ax200: jmc, hrvoje, stsp
ax201: Mikhail, Sven Wolf, stsp
ax210: lraab, stsp
ax211: Mikhail, dv
|
|
than assuming that it always matches our currently configured channel.
Should prevent problems on 40/80MHz channels if there is a mismatch.
|
|
Fixes a firmware panic I encountered while working on firmware upgrades.
|
|
Undocumented and ignored by the Linux driver, too.
Apparently only used by the Windows driver.
Confirmed by Johannes Berg.
|
|
We used to provide beacon-related information only once our station was
associated. New firmware wants to see this information earlier, when we are
about to send an AUTH frame. Otherwise SYSASSERT 0x2000011A is raised.
Problem diagnosed with help from Johannes Berg, thanks!
|
|
Firmware expects time in TU units.
Use 900 TU for the session protection timeout, like the Linux driver does.
Verified with Johannes Berg from Linux/Intel, thanks for the support!
|
|
Required for adding/removing Tx queues on new firmware versions.
Semantics have changed yet again. Good old iwm(4) required manual
removal of related Tx queues when a station is removed from firmware.
At some point iwx(4) firmware removed this requirement and demanded
that queue removal would be done implicitly by firmware instead.
And now the firmware engineers at Intel have again changed their
minds about this, and explicit queue removal is required again.
It is sad that we are being driven through such a marathon of changes
just in order to pick up some firmware security fixes...
|
|
This command is required to set up Rx aggregation on new firmware.
|
|
MAC context command fields which firmware has been ignoring since the iwm
hardware generation have been repurposed for information related to 11ax.
Just set these fields to zero. Firmware -71 and up will panic otherwise.
|
|
New firmware wants to be told about MIMO antenna configuration via
a separate command, rather than via the good old PHY context command.
|
|
As of this commit iwx will ignore 'ifconfig media' commands where the
user-specified Tx rate resolves to something other than 'autoselect'.
The existing support for forcing a Tx rate was already only partially
working in 11n and 11ac modes. I doubt anyone had a serious use case for
this. If you really need to force a specific Tx rate for data frames
sent by iwx then hack the driver instead of using 'ifconfig media'.
The firmware interface was designed for Tx rate selection in firmware.
Maintaining support for overriding the Tx rate with ifconfig in face of
complicated firmware interface changes such as this rate_n_flags change
is just not worth it. While trying to keep forced Tx rates working on top
of the new rate_n_flags format I accidentally broke the Tx rate used for
management frames during regular operation, which caused much frustration.
|
|
also add some missing bits found in the Linux driver while here
|
|
i2d functions return <= 0 on error, so check for that instead of == 0.
The issue with CMS_SharedInfo_encode() was found by Niels Dossche.
OpenSSL review overlooked that they had turned penclen into a size_t.
In principle the issue with i2d_X509_ALGOR() is purely cosmetic. Why do
a strange check when there is an idiomatic check? Then again this is CMS...
ok jsing
|
|
RSA_public_decrypt() returns <= 0 on error. Assigning to a size_t and
checking for == 0 is not the right thing to do here. Neither is blindly
turning the check into <= 0...
Found by Niels Dossche
ok jsing
|
|
The i2d API design is: call a function first with a pointer to NULL, get
the length, allocate a buffer, call the function passing the buffer in.
Both calls should be checked since there are still internal allocations.
At the heart of ASN.1 encoding, this idiom is used and the second call
is assumed to succeed after the length was determined. This is far from
guaranteed. Check that the second call returns the same length and error
otherwise.
ok jsing
|