when trying to request certificates from letsencrypt,
their test api would reject our csr because of
"tuncated sequence" unless we force subectAltName
by passing multiple domains (as comma separated list).
apparently, we need to provide the context specific tag
"cont [ 0 ]" for the extensions even when we do have
any extensions for the csr (triggered when we need to
have subjectAltNames).
for this, we change mkcont() to take a Elist* instead,
which then can be nil when not used. also put the tag
number argument first, which makes it easier to read.
As checking for all zero has to be done in a timing-safe
way to avoid a side channel, it is best todo this here
instead of letting the caller deal with it.
This adds a return type of int to curve25519_dh_finish()
where returning 0 means we got a all zero shared key.
RFC7748 states:
The check for the all-zero value results from the fact
that the X25519 function produces that value if it
operates on an input corresponding to a point with small
order, where the order divides the cofactor of the curve.
1. add the curve x25519 to tls, both client and server.
it's more faster, immune to timing attacks by design,
does not require verifying if the public key is valid,
etc etc. server-side has to check if the client supports
the curve, so a new function has been introduced to parse
the client's extensions.
2. reject weak dhe primes that can be easily cracked with
the number field sieve algorithm. this avoids attacks like
logjam.
3. stop putting unix time to the first 4 bytes of client/
server random. it can allow fingerprinting, tls 1.3 doesn't
recommend it any more and there was a draft to deprecate
this behaviour earlier.[1]
4. simply prf code, remove useless cipher enums.
[1] https://datatracker.ietf.org/doc/html/draft-mathewson-no-gmtunixtime-00
term% cal -s1 2021
2021
Jan Feb Mar
M Tu W Th F Sa Su M Tu W Th F Sa Su M Tu W Th F Sa Su
1 2 3 1 2 3 4 5 6 7 1 2 3 4 5 6 7
4 5 6 7 8 9 10 8 9 10 11 12 13 14 8 9 10 11 12 13 14
11 12 13 14 15 16 17 15 16 17 18 19 20 21 15 16 17 18 19 20 21
18 19 20 21 22 23 24 22 23 24 25 26 27 28 22 23 24 25 26 27 28
25 26 27 28 29 30 31 29 30 31
…
Note how the days (i.e. ' M Tu W Th F Sa Su') for Feb and Mar
do not align with the day numbers.
This is because an extra space is left *before* adding the terminating
'\0' via the pointer `dayw`.
With the patch applied the calendar aligns nicely for the year view:
term% cal -s1 2021
2021
Jan Feb Mar
M Tu W Th F Sa Su M Tu W Th F Sa Su M Tu W Th F Sa Su
1 2 3 1 2 3 4 5 6 7 1 2 3 4 5 6 7
4 5 6 7 8 9 10 8 9 10 11 12 13 14 8 9 10 11 12 13 14
11 12 13 14 15 16 17 15 16 17 18 19 20 21 15 16 17 18 19 20 21
18 19 20 21 22 23 24 22 23 24 25 26 27 28 22 23 24 25 26 27 28
25 26 27 28 29 30 31 29 30 31
…
When switching a branch implicitly -- ie, creating a local
branch off of a remote branch -- we would get the list of
changed files before we would resolve the implicit branch
switch, leading to an empty list of changes.
All of these files appear to have been imported from sources in a
case-insensitive manner and consequently lost their original content.
- Hx, Hb, and Hi fonts should be narrow versions of Helvetica
- c[1-3] fonts should be condensed versions of Century Old Style
- the lH character should be a filled left hand symbol
- the rh character should be a stroked right hand symbol
- the rc character should be the right ceiling symbol
I've verified that these are the only files that collide with others
when ignoring case (aside from rc/bin/[Kk]ill but those are correct).
git/import expected a patch, however upas/fs serves
either a raw file without any of the mime decoding
and line joining, or a directory, with the headers
and body split out.
This makes it a pain to apply some mails.
So, here we teach git to import upas dirs natively,
making it easy to handle all patches that come in
as emails.
git/push died within a subshell, which prevented the
whole program from exiting, and lead to an incorrect
ref update line that confused people.
git/send would eventually error out, but would push
all the data before that happened; this was annoying.
When we plumb a file, we open it in the current working
directory if it exists. However, if it doesn't exist,
we end up opening it relative to the editor's working
directory.
Expanding the path to works around this issue.
It's not fatal for someone else to push a branch
with objects that we don't have. We should deal
with it gracefully, and act as though it doesn't
exist.
