jsing [Sat, 4 Dec 2021 15:38:10 +0000 (15:38 +0000)]
Consolidate {d2i,i2d}_{pr,pu}.c
Currently there are two files for private key ASN.1 (d2i_pr.c, i2d_pr.c)
and two files for public key ASN.1 (d2i_pu.c, i2d_pu.c). All of the other
ASN.1 code has d2i and i2d in the same per-object file.
Consolidate d2i_pr.c/i2d_pr.c into a_pkey.c and consolidate
d2i_pu.c/i2d_pu.c into a_pubkey.c before making any further changes to
this code.
ok tb@
jsing [Sat, 4 Dec 2021 14:03:22 +0000 (14:03 +0000)]
Clean up and refactor server side DHE key exchange.
Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.
Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.
ok inoguchi@ tb@
jsing [Sat, 4 Dec 2021 13:50:35 +0000 (13:50 +0000)]
Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
ok inoguchi@ tb@
jsing [Sat, 4 Dec 2021 13:15:10 +0000 (13:15 +0000)]
Check DH public key in ssl_kex_peer_public_dhe().
Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.
ok inoguchi@ tb@
tobhe [Sat, 4 Dec 2021 13:07:17 +0000 (13:07 +0000)]
Send out dstid as initiator if configured. This makes it easier for
the responder to match the correct policy if multiple are available.
ok patrick@
tb [Sat, 4 Dec 2021 09:04:36 +0000 (09:04 +0000)]
Free cert, key and ocsp_staple on exit of do_keypair_test().
Reported by Ilya Shipitsine, discussed with jsing
tb [Sat, 4 Dec 2021 08:15:16 +0000 (08:15 +0000)]
Convert main into single exit to appease asan.
tb [Sat, 4 Dec 2021 07:58:10 +0000 (07:58 +0000)]
Explicitly free EVP_MD_CTX to appease asan. Reported by Ilya Shipitsin.
jmc [Sat, 4 Dec 2021 07:31:38 +0000 (07:31 +0000)]
list backup files created by adduser; from leon fischer
adjust list width to make it all fit
jmc [Sat, 4 Dec 2021 07:27:38 +0000 (07:27 +0000)]
update the firmware file list, helped by stsp;
anton [Sat, 4 Dec 2021 07:01:59 +0000 (07:01 +0000)]
Consolidate error paths in usbd_new_device, shaving of 14 lines.
ok bluhm@
florian [Sat, 4 Dec 2021 06:52:58 +0000 (06:52 +0000)]
Do not setup pipes between SERVER processes, they don't talk to each
other. Since this generates a full mesh, the amount of filedescriptors
needed grows quadratically with the amount of configured prefork
processes.
Might fix an out of filedescriptor bug that beck is seeing.
OK benno
jsing [Sat, 4 Dec 2021 05:15:09 +0000 (05:15 +0000)]
Add regress for ECPKParameters ASN.1 encoding/decoding.
naddy [Sat, 4 Dec 2021 00:05:39 +0000 (00:05 +0000)]
RSA/SHA-1 is not used by default anymore on the server
uaa [Fri, 3 Dec 2021 19:22:42 +0000 (19:22 +0000)]
add Allwinner H6 support
ok kettenis@
uaa [Fri, 3 Dec 2021 19:17:27 +0000 (19:17 +0000)]
support AXP805 PMIC
ok kettenis@
uaa [Fri, 3 Dec 2021 19:16:29 +0000 (19:16 +0000)]
- support I2C connected PMIC, add "early 1" to sxitwi.
- support axppmic via iic
ok kettenis@
tobhe [Fri, 3 Dec 2021 19:04:49 +0000 (19:04 +0000)]
Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().
ok bluhm@ mvs@
kettenis [Fri, 3 Dec 2021 18:23:41 +0000 (18:23 +0000)]
Perform DMA address translation if required.
ok patrick@
jsing [Fri, 3 Dec 2021 17:27:34 +0000 (17:27 +0000)]
Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a function.
Call the replacement asn1_tlc_invalidate() since it does not actually
clear the ASN1_TLC.
While here, name the ASN1_TLC variables consistently as ctx, remove a
pointless comment and simplify ASN1_item_d2i() slightly.
ok inoguchi@ tb@
jsing [Fri, 3 Dec 2021 17:23:16 +0000 (17:23 +0000)]
Group and sort includes.
jsing [Fri, 3 Dec 2021 17:22:10 +0000 (17:22 +0000)]
Call asn1_item_ex_d2i() directly from ASN1_item_d2i()
ASN1_item_ex_d2i() is just a wrapper around the internal asn1_item_ex_d2i()
function, so call asn1_item_ex_d2i() directly.
ok inoguchi@ tb@
bluhm [Fri, 3 Dec 2021 17:18:34 +0000 (17:18 +0000)]
Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@
jsing [Fri, 3 Dec 2021 17:10:49 +0000 (17:10 +0000)]
Convert ASN1_PCTX_new() to calloc().
Rather than using malloc() and then initialising all struct members to zero
values, use calloc().
ok schwarze@ tb@
jsing [Fri, 3 Dec 2021 17:07:53 +0000 (17:07 +0000)]
Use calloc() for X509_CRL_METHOD_new() instead of malloc().
This ensures that if any members are added to this struct, they will be
initialised.
ok schwarze@ tb@
jsing [Fri, 3 Dec 2021 17:03:54 +0000 (17:03 +0000)]
Rewrite ASN1_STRING_cmp().
This removes nested ifs and uses more sensible variable names.
ok schwarze@ tb@
jsing [Fri, 3 Dec 2021 17:01:07 +0000 (17:01 +0000)]
Convert ASN1_STRING_type_new() to calloc().
Rather than using malloc() and then initialising all struct members, use
calloc() and only initialise the single non-zero value member.
ok schwarze@ tb@
jsing [Fri, 3 Dec 2021 16:58:11 +0000 (16:58 +0000)]
Convert ASN1_OBJECT_new() to calloc().
Rather than using malloc() and then initialising all struct members, use
calloc() and only initialise the single non-zero value member.
ok schwarze@ tb@
jsing [Fri, 3 Dec 2021 16:46:50 +0000 (16:46 +0000)]
Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated ASN1
These functions previously used the old ASN1_{d2i,i2d}_{bio,fp}()
interfaces.
ok inoguchi@ tb@
deraadt [Fri, 3 Dec 2021 15:15:22 +0000 (15:15 +0000)]
Fixed-size NOFILE_MAX (from sys/param.h of course) array is crazy, so
rewrite to expand the array as needed.
ok tb
stsp [Fri, 3 Dec 2021 14:32:08 +0000 (14:32 +0000)]
Switch iwx(4) to new -67 firmware images.
iwx-firmware-
20211101 must be installed with fw_update(1) before
booting a new kernel. sysupgrade(8) will take care of this.
Intel has published a related security advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00509.html
iwx(4) devices which are using the iwx-Qu-c0-hr-b0-63 image did
not receive a firmware update. I have no idea why.
Tested:
ax200: jmc, stsp, Matthias Schmidt
ax201: fkr, stsp
tb [Fri, 3 Dec 2021 14:19:57 +0000 (14:19 +0000)]
Use calloc() in EVP_PKEY_meth_new() instead of malloc() and setting
almost all members to 0. Just set the two things that need setting.
ok jsing
tb [Fri, 3 Dec 2021 14:18:06 +0000 (14:18 +0000)]
Fix EVP_PKEY_{asn1,meth}_copy once and for all
It is very easy to forget to copy over newly added methods. Everyone
working in this corner has run into this. Instead, preserve what needs
preserving and use a struct copy, so all methods get copied from src
to dest.
tweak/ok jsing
kn [Fri, 3 Dec 2021 14:15:07 +0000 (14:15 +0000)]
Revert previous
Those scripts are not hooked up to the build yet;
I assumed they were without checking, my bad.
Reminded by deraadt
stsp [Fri, 3 Dec 2021 13:17:32 +0000 (13:17 +0000)]
Disable probe requests during scans in iwx(4) again.
While this is working well for many, some people see device timeouts
when using the device unless we disable probe requests during scans.
The issue was a lot more visible on iwx(4) with earlier firmware.
In fact, iwx(4) did ship with probe requests disabled for most of its
existence. I re-enabled them along with a firmware upgrade since I no
longer saw the problem. However, the issue prevails for other people.
I still have no idea what is causing this. I have already spent enough
time trying to track down a proper fix. Unless we receive help from
someone who knows about firmware internals the best we can do is trial
and error. The problem also existed on iwm(4) 9k devices which we now
run with probe requests disabled, too.
The only upside of probe requests is that scans can complete faster, with
the downside of a potential privacy leak (the previously selected SSID is
exposed). So, overall, we do not lose much here.
Patch tested for a week by Laurence Tratt who is no longer seeing device
timeouts which were relatively frequent before.
claudio [Fri, 3 Dec 2021 12:56:19 +0000 (12:56 +0000)]
Apply the same MAX_IP_SIZE limit to ROA files as it is done on certificates.
OK job@ tb@
stsp [Fri, 3 Dec 2021 12:43:17 +0000 (12:43 +0000)]
Implement a bgscan_done() handler for iwm(4).
Required to prevent breakage of roaming with new Intel firmware on 9k devices.
Tested:
8265: Aaron Poffenberger, stsp
9260: florian
9560: sthen
stsp [Fri, 3 Dec 2021 12:42:39 +0000 (12:42 +0000)]
Implement a bgscan_done() handler for iwx(4).
Fixes roaming-related hangs observed by jmc@.
Tested:
ax200: jmc, stsp
stsp [Fri, 3 Dec 2021 12:41:36 +0000 (12:41 +0000)]
Introduce an optional driver-specific bgscan_done() handler which
allows the driver to take control of the roaming teardown sequence.
This handler allows drivers to ensure that race conditions between
firmware state and net80211 state are avoided, and will be used by
the iwm(4) and iwx(4) drivers soon.
Split the existing roaming teardown sequence into two steps, one step
for tearing down Tx block ack sessions which sends a DELBA frame, and a
second step for flushing Tx rings followed by sending a DEAUTH frame.
We used to queue both frames, expecting to switch APs once both were sent.
Now we effectively expect everything to be sent before we queue a final
DEAUTH frame, and wait for just this frame to be sent before switching.
This already made issues on iwm/iwx less frequent but by itself this was
not enough to close all races for those drivers. It should however help
when adding background scan support to a non-firmware device driver.
Tested, with driver patches:
iwm 8265: Aaron Poffenberger, stsp
iwm 9260: florian
iwm 9560: sthen
iwx ax200: jmc, stsp
stsp [Fri, 3 Dec 2021 12:40:15 +0000 (12:40 +0000)]
Ignore ADDBA requests from our AP while we are roaming away from it.
Noticed while testing iwm/iwx roaming patches, where my AP would request
a new Rx BA session when we had already decided to roam away. There is no
need to set up a new Rx BA session with our old AP which we would have to
immediately tear down again anyway.
kn [Fri, 3 Dec 2021 11:47:23 +0000 (11:47 +0000)]
Ship mpi's helpers, see share/btrace/Makefile r1.1:
---
Provide common btrace(8) scripts
. kprofile.bt - to save kernel stackframces and produce flamegraphs
. runqlat.bt - to measure the latency of the scheduler runqueues
job [Fri, 3 Dec 2021 08:40:07 +0000 (08:40 +0000)]
Clarify manpage
OK claudio@
anton [Fri, 3 Dec 2021 06:44:46 +0000 (06:44 +0000)]
Dump more data in the hopes of figuring out why this test occasionally
fails.
anton [Fri, 3 Dec 2021 06:34:38 +0000 (06:34 +0000)]
Bring back the recently reverted change, this time without the inverted
conditional. Repeating the previous commit messsage:
Assert that at least one report id is claimed during multiple report ids
attachment. Should prevent uhidev drivers from doing the wrong thing in their
corresponding match routine.
Tested by dv@
djm [Thu, 2 Dec 2021 23:45:36 +0000 (23:45 +0000)]
hash full host:port when asked to hash output, fixes hashes for non-
default ports. bz3367 ok dtucker@
djm [Thu, 2 Dec 2021 23:23:13 +0000 (23:23 +0000)]
improve the testing of credentials against inserted FIDO keys a little
more: ask the token whether a particular key belongs to it in cases
where the token support on-token user- verification (e.g. biometrics)
rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
Motivated by bz3366; by Pedro Martelletto
djm [Thu, 2 Dec 2021 22:40:05 +0000 (22:40 +0000)]
move check_sk_options() up so we can use it earlier
dtucker [Thu, 2 Dec 2021 22:35:05 +0000 (22:35 +0000)]
ssh-rsa is no longer in the default for PubkeyAcceptedAlgorithms.
cheloha [Thu, 2 Dec 2021 20:58:01 +0000 (20:58 +0000)]
bsearch(3): support arrays with more than INT_MAX elements
The "lim" variable needs to be a size_t to match nmemb, otherwise we
get undefined behavior when nmemb exceeds INT_MAX.
Prompted by a blog post by Joshua Bloch:
https://ai.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html
Fixed by Chris Torek a long time ago:
https://svnweb.freebsd.org/csrg/lib/libc/stdlib/bsearch.c?revision=51742&view=markup
ok millert@
deraadt [Thu, 2 Dec 2021 17:18:39 +0000 (17:18 +0000)]
unmount real root partition from /mnt before the cgi/random actions
which run asyncronously and can grab vnodes race to make the umount fail
spuriously
problem seen and diagnosed by Yuichiro NAITO
ok florian
kn [Thu, 2 Dec 2021 17:10:53 +0000 (17:10 +0000)]
Tell testers which packages to install right away (and why)
Other regress tests do it differently; just fix/thouch those that did not
mention any package name at all.
This helps grepping logs for SKIPPED to find instructions for the next run.
kn [Thu, 2 Dec 2021 17:09:46 +0000 (17:09 +0000)]
Log that kern.allowdt=1 is needed and where
This helps grepping logs for SKIPPED to find instructions for the next run.
kn [Thu, 2 Dec 2021 15:56:15 +0000 (15:56 +0000)]
Tell testers which packages to install right away
OK bluhm
jmc [Thu, 2 Dec 2021 15:15:29 +0000 (15:15 +0000)]
list uppercase options along with lower in SYNOPSIS/options list/usage;
suggested by/ok deraadt
deraadt [Thu, 2 Dec 2021 15:13:49 +0000 (15:13 +0000)]
firstc() and nextc() use an int of global static storage. Make this
a pointer to a local variable to allow concurrent use if that ever
needs to happen in the future.
ok mpi kettenis
bluhm [Thu, 2 Dec 2021 13:46:42 +0000 (13:46 +0000)]
ipsec_common_input_cb() extracted the inner IP header of IPsec
tunnels. It is never used, so this is useless code. Remove ipn
and ip6n IP header variables and the m_copydata() to fill them.
OK mvs@ kn@ sthen@
bluhm [Thu, 2 Dec 2021 12:39:15 +0000 (12:39 +0000)]
Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@
djm [Thu, 2 Dec 2021 02:44:44 +0000 (02:44 +0000)]
don't put the tty into raw mode when SessionType=none, avoids ^c being
unable to kill such a session. bz3360; ok dtucker@
krw [Wed, 1 Dec 2021 22:37:30 +0000 (22:37 +0000)]
Remove the MBR_init() "#ifdef defined(__macppc__) ||
defined(__mips__)" chunk that rounded the start of the default
OpenBSD partition to a cylinder boundary. The value has been
immediately re-rounded to a power of 2 block since r1.25 in 2009.
Eliminates wasted space when no /usr/mdec/mbr partition
0 information is available.
'-b' becomes available to architectures other than amd64 and
i386, taking precedence over /usr/mdec/mbr partition 0
information. The latter being present only in macppc and loongson
/usr/mdec/mbr files.
bluhm [Wed, 1 Dec 2021 22:34:31 +0000 (22:34 +0000)]
Reintroduce the TDBF_DELETED flag. Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@
deraadt [Wed, 1 Dec 2021 21:48:00 +0000 (21:48 +0000)]
mention that the "flags" field in the enchdr is uses m_flags values
(see mbuf.h)
deraadt [Wed, 1 Dec 2021 21:45:19 +0000 (21:45 +0000)]
sys/core.h is not needed by these files, therefore sys/param.h isn't
needed for MAXCOMLEN either
deraadt [Wed, 1 Dec 2021 18:28:45 +0000 (18:28 +0000)]
we do not need 'struct mbuf; struct rtentry;' to satisfy some ancient unix
variant that made a header file mistake.
ok jsg
deraadt [Wed, 1 Dec 2021 18:21:23 +0000 (18:21 +0000)]
further improvements in sys/param.h annotation and removal.
kettenis [Wed, 1 Dec 2021 17:25:35 +0000 (17:25 +0000)]
Fix booting from an IDE block device on the Sun Blade 100. Apparently
writing to disk using the Open Firmware interfaces is buggy and causes
corruption of the disk. While it isn't entirely clear what versions
of Open Firmware are affected, but it seems to only affect IDE drives.
So if we detect an IDE drive, disable writing to it. This results in
a small lose of bootloader functionality (bsd.upgrade loop prevention
and flagging /etc/random.seed re-use) but that is better than losing
the ability to run OpenBSD at all.
Based on a diff by Ted Bullock (who did all the hard work of debugging
this and coming up with a viable fix).
ok deraadt@
deraadt [Wed, 1 Dec 2021 17:04:26 +0000 (17:04 +0000)]
late allocation of clist in putc() and b_to_q() hasn't been required in
a decade, because all tty drivers preallocate.
ok kettenis
deraadt [Wed, 1 Dec 2021 16:53:28 +0000 (16:53 +0000)]
Reduce use of sys/param.h, or annotate the reason why it is needed
(pretty much MAXCOMLEN for struct process or struct core), and remove
sys/vnode.h where not needed
deraadt [Wed, 1 Dec 2021 16:51:57 +0000 (16:51 +0000)]
Use system _ALIGN to reduce the reasons why this uses sys/param.h
deraadt [Wed, 1 Dec 2021 16:42:12 +0000 (16:42 +0000)]
whitespace cleanup during review read
bluhm [Wed, 1 Dec 2021 12:51:09 +0000 (12:51 +0000)]
Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@
jsg [Wed, 1 Dec 2021 10:50:23 +0000 (10:50 +0000)]
drm/amdgpu/gfx9: switch to golden tsc registers for renoir+
From Alex Deucher
45b42cd05391197d5426a9097043d5e77bdbefc9 in linux 5.10.y/5.10.83
53af98c091bc42fd9ec64cfabc40da4e5f3aae93 in mainline linux
jsg [Wed, 1 Dec 2021 10:47:39 +0000 (10:47 +0000)]
drm/amd/display: Set plane update flags for all planes in reset
From Nicholas Kazlauskas
3187623096091d8c60231de5ca0e020bfa5e6ee9 in linux 5.10.y/5.10.83
21431f70f6014f81b0d118ff4fcee12b00b9dd70 in mainline linux
mvs [Wed, 1 Dec 2021 10:24:40 +0000 (10:24 +0000)]
Make `sun' global variable. It used by threads and could be corrupted
when main() thread exited.
jsing [Wed, 1 Dec 2021 09:06:30 +0000 (09:06 +0000)]
Remove dead code.
claudio [Wed, 1 Dec 2021 09:03:19 +0000 (09:03 +0000)]
Add some RRDP specific regress tests.
OK benno@
patrick [Wed, 1 Dec 2021 07:36:03 +0000 (07:36 +0000)]
Build libfido2 after all other libraries, as it links against one of
the other libraries, so we have to build those first.
Initial report and diff from uaa@
ok anton@ deraadt@ millert@
tobias [Tue, 30 Nov 2021 20:08:15 +0000 (20:08 +0000)]
Improved error handling in config parser.
- Escaped newlines confused column counter
- An unclosed quote could have been logged multiple times
- Signed data types could overflow, which is undefined behavior
ok tedu
tb [Tue, 30 Nov 2021 18:34:35 +0000 (18:34 +0000)]
Add missing const qualifiers in a number of BN_* manuals.
ok schwarze
tb [Tue, 30 Nov 2021 18:32:55 +0000 (18:32 +0000)]
last whitespace diff for now.
tb [Tue, 30 Nov 2021 18:31:36 +0000 (18:31 +0000)]
KNF for BF_KEY
tb [Tue, 30 Nov 2021 18:27:04 +0000 (18:27 +0000)]
Fix some annoying whitespace inconsistencies.
tb [Tue, 30 Nov 2021 18:20:06 +0000 (18:20 +0000)]
Provide EVP_CTRL_AEAD_* defines.
This commit adds generic EVP_CTRL_AEAD_{SET,GET}_TAG and _SET_IVLEN
defines and aliases the GCM and CCM versions to those.
This is the publicly visible part of OpenSSL's
e640fa02005.
ok inoguchi jsing
tb [Tue, 30 Nov 2021 18:17:03 +0000 (18:17 +0000)]
Align ssl_kex_derive_ecdhe_ecp() with ssl_kex_derive_dhe()
sk is commonly used for a STACK_OF(), so call the shared key simply key.
ok jsing
tb [Tue, 30 Nov 2021 18:12:44 +0000 (18:12 +0000)]
isakmpd: convert modp_init() for opaque DH.
ok jsing
tobhe [Tue, 30 Nov 2021 17:47:30 +0000 (17:47 +0000)]
whitespace
deraadt [Tue, 30 Nov 2021 17:05:59 +0000 (17:05 +0000)]
add ixl(4)
jsing [Tue, 30 Nov 2021 15:58:08 +0000 (15:58 +0000)]
s/ECDHE/ECDH/
If we can provide an EC key that is used, then it is by definition
non-ephemeral.
ok tb@
millert [Tue, 30 Nov 2021 15:50:06 +0000 (15:50 +0000)]
Fix indentation of return in yy_try_NUL_trans().
M4_YY_NOOP_GUTS_VAR is a no-op in most cases but its indentation
remains, leading to double indentation of the return statement.
This fixes "misleading indentation" warnings from clang. OK tb@
bluhm [Tue, 30 Nov 2021 13:17:43 +0000 (13:17 +0000)]
Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@
jsing [Tue, 30 Nov 2021 07:34:29 +0000 (07:34 +0000)]
Add regress for {d2i,i2d}_{,DSA_,EC_,RSA_}PUBKEY{,_bio}().
visa [Tue, 30 Nov 2021 02:58:33 +0000 (02:58 +0000)]
Prevent select(2) from blocking if registering found pending events.
OK mpi@
deraadt [Tue, 30 Nov 2021 02:13:55 +0000 (02:13 +0000)]
enable uhid/fido
from Ashton Fagg
mvs [Mon, 29 Nov 2021 21:25:09 +0000 (21:25 +0000)]
Use nanosleep(3) instead of select(2) for test run time delay. Use ~10
years interval as operational infinity.
mvs [Mon, 29 Nov 2021 21:21:26 +0000 (21:21 +0000)]
Create socket within current directory instead of /tmp. Also remove it
with "make clean".
tb [Mon, 29 Nov 2021 20:13:25 +0000 (20:13 +0000)]
Crank the number of rounds of Miller-Rabin from 50 to 64
for DSA key generation.
From Kurt Roeckx, OpenSSL
74ee3796
ok bcook inoguchi jsing
tb [Mon, 29 Nov 2021 20:02:14 +0000 (20:02 +0000)]
Clean up DH_check_pub_key() and ensure that y^q (mod p) == 1.
This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation
for small subgroup attacks. This did not affect LibreSSL since we do
not support X9.42 style parameter files or RFC 5114.
The meat of this commit is from Matt Caswell, OpenSSL
b128abc3
ok inoguchi jsing
tb [Mon, 29 Nov 2021 19:54:07 +0000 (19:54 +0000)]
Increase number of iterations in Miller-Rabin checks for DH.
BN_prime_checks is only to be used for random input. Here, the
input isn't random, so increase the number of checks. According
to https://eprint.iacr.org/2019/032, 64 rounds is suitable.
From Jake Massimo, OpenSSL 1.1.1,
af6ce3b4
ok inoguchi jsing
tb [Mon, 29 Nov 2021 19:47:47 +0000 (19:47 +0000)]
Synchronize DH_check() mostly with OpenSSL 1.1.1 with some
simplifications and readability tweaks. This ensures in
particular that dh->q is suitable if present.
Based on work by Stephen Henson and Bernd Edlinger in OpenSSL.
Issues with the current implementation found via regression
tests in py-cryptography.
ok inoguchi jsing
tb [Mon, 29 Nov 2021 19:41:02 +0000 (19:41 +0000)]
Provide a version of DH_check_params() for internal use.
Based on the version in OpenSSL 1.1.1l with minor tweaks.
ok inoguchi jsing
tb [Mon, 29 Nov 2021 19:34:51 +0000 (19:34 +0000)]
Provide a number of flags for DH_check and DH_check_pubkey
that will be used in subsequent commits.
ok inoguchi jsing