For a sentence spanning more than one line at the end of the file,
when the cursor is placed at the first character of any line except
for the last one, running '!)<cmd>' won't affect the last line.
From Walter Alejandro Iglesias
Fixes a problem where an extra line is printed at the end of the
output when the "number" command is given the "l" (literal display)
flag.
From Jeremy Mates Walter Alejandro Iglesias and
We check this for extensions we know about in cert_parse_extensions().
We keep doing it there since we need to keep track of the extensions we
encountered anyway.
While cert_parse_extensions() rejects certs with critical extensions we
don't know about, we allow duplicate non-critical ones mainly because
that's annoying to keep track of. LibreSSL's libcrypto checks for this
and rejects the cert when caching the extensions, OpenSSL 4 adds a new
EXFLAG_DUPLICATE flag and accepts the cert, and OpenSSL 3 simply ignores
duplicates. In short: we get to do it ourselves.
This check is basically lifted from libcrypto's x509_purp.c with a few
extra contortions due to const sprinkling and making things opaque. The
warnx is the same as the one already present in cert_parse_extensions().
We do not NULL check X509_EXTENSION_get_object() because the extension
parsed, so an OID is present.
ok job
We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not do this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.
Pointed out and diff provided by Andrew Griffiths, thanks!
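
The missing lower bound described in the commit message above, as an added example that is not the committed diff or OpenBSD code. The function names and sample packets are constructed for illustration, and the buffer is assumed to start at the UDP header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN 8	/* fixed size of the UDP header */

/* Flawed clamp: only the upper bound is checked, so a length < 8 wraps. */
static size_t
payload_len_unchecked(const uint8_t *udp, size_t rcvd)
{
	size_t ulen = ((size_t)udp[4] << 8) | udp[5];	/* UDP length field */

	if (ulen > rcvd)
		return 0;
	return ulen - UDP_HDR_LEN;	/* unsigned wrap when ulen < 8 */
}

/* Both bounds checked: returns the payload length, or -1 to drop. */
static long
payload_len_checked(const uint8_t *udp, size_t rcvd)
{
	size_t ulen;

	if (rcvd < UDP_HDR_LEN)
		return -1;	/* header itself is truncated */
	ulen = ((size_t)udp[4] << 8) | udp[5];
	if (ulen < UDP_HDR_LEN || ulen > rcvd)
		return -1;	/* length field contradicts the packet */
	return (long)(ulen - UDP_HDR_LEN);
}

/* Constructed sample: ports 67 -> 68, length field 4, 12 bytes received. */
static const uint8_t short_len[12] = { 0, 67, 0, 68, 0, 4, 0, 0, 1, 2, 3, 4 };
/* Constructed sample: the same packet with a truthful length field of 12. */
static const uint8_t good_len[12] = { 0, 67, 0, 68, 0, 12, 0, 0, 1, 2, 3, 4 };

int
main(void)
{
	printf("unchecked, length 4: %zu\n",
	    payload_len_unchecked(short_len, sizeof(short_len)));
	printf("checked, length 4: %ld\n",
	    payload_len_checked(short_len, sizeof(short_len)));
	printf("checked, length 12: %ld\n",
	    payload_len_checked(good_len, sizeof(good_len)));
	return 0;
}
```
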
Valid Rsync URIs always contain a module component.
To avoid duplication of URI validation code, refactor rsync_base_uri()
to optionally allocate & dup the base URI portion.
Thanks to Ties de Kock for reporting.
OK tb@ claudio@
OpenBIOS reports QEMU IDE disks with an intermediate ide node, while the
sparc64 bootpath code only treats ata as a channel node.
The disk is attached as wd0, but the final disk component is not nailed
as the boot device, so the kernel asks for the root device.
No QEMU level option seems possible to enforce ata disk.
OK: claudio@
not enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms
- Fix the active pane colour when only two panes and scrollbars enabled.
- Clip left and right scrollbars the same for floating panes.
- Do not subtract scrollbar width twice when working out width of status
line.
- Check if a character is inside a visible range correctly (do not
include the next position outside the range).
With the introduction of a secondary key share, we fail to ensure that the
HelloRetryRequest does not specify the group that was used for the
secondary key share. We also fail to free the secondary key share early in
this case, meaning that it lingers in memory until the SSL is reset or
freed. Fix both of these issues.
ok tb@
While we currently correctly handle the no-shared-group case, it currently
fails late when we try to create the key share. Improve detection and
handling so that we fail sooner and send an alert to the client when
processing client key shares.
While here rename preferred_group_found to shared_group_found - we look for
the client preferred group, but any group that we select will always be in
the client list (even if it's the last one).
Reported by the tlspuffin team.
ok tb@
Be more RFC compliant and send illegal parameter alerts when the client
receives a HelloRetryRequest that requests a group that we did not offer
or a group that we sent a key share for in the ClientHello. These were
annotated as missing, but not previously implemented.
Prompted by a report from the tlspuffin team.
ok tb@
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL
Delete the entire "SECURE RENEGOTIATION" section that contained ancient
ramblings.
ok beck@ tb@