openbsd
2 years agounwind/unbound: prepare for opaque DSA and RSA.
tb [Sun, 9 Jan 2022 18:46:56 +0000 (18:46 +0000)]
unwind/unbound: prepare for opaque DSA and RSA.

Use the OpenSSL 1.1 codepath using accessors that have been available
since LibreSSL 2.7 instead of reaching into the structs.

ok sthen

2 years agodo not call ranlib -t anymore because it does nothing except wasting time;
robert [Sun, 9 Jan 2022 16:39:06 +0000 (16:39 +0000)]
do not call ranlib -t anymore because it does nothing except wasting time;

ok jca@, millert@

2 years agossl_check_srvr_ecc_cert_and_alg() only returns 0/1 - test accordingly.
jsing [Sun, 9 Jan 2022 15:55:37 +0000 (15:55 +0000)]
ssl_check_srvr_ecc_cert_and_alg() only returns 0/1 - test accordingly.

2 years agoSwap arguments to ssl_check_srvr_ecc_cert_and_alg()
jsing [Sun, 9 Jan 2022 15:53:52 +0000 (15:53 +0000)]
Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.

2 years agoClean up ssl3_{send,get}_client_kex_gost()
jsing [Sun, 9 Jan 2022 15:40:13 +0000 (15:40 +0000)]
Clean up ssl3_{send,get}_client_kex_gost()

Fix leaks, use sizeof() instead of hardcoded sizes, actually check return
codes, explicit_bzero() the premaster secret on the server side and
generally try to kick the GOST kex code into some sort of shape.

ok inoguchi@ tb@

2 years agoReturn 0/1 from ssl3_{send,get}_client_kex_gost()
jsing [Sun, 9 Jan 2022 15:34:21 +0000 (15:34 +0000)]
Return 0/1 from ssl3_{send,get}_client_kex_gost()

Like other KEX handling functions, there is no need to return anything
other than failure/success here.

ok inoguchi@ tb@

2 years agoRemove a comment from Captain Obvious.
jsing [Sun, 9 Jan 2022 15:29:42 +0000 (15:29 +0000)]
Remove a comment from Captain Obvious.

2 years agoFix GOST skip certificate verify handling.
jsing [Sun, 9 Jan 2022 15:28:47 +0000 (15:28 +0000)]
Fix GOST skip certificate verify handling.

GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c
circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an
'extra special' value to indicate that the state machine should skip
certificate verify. Fix this by setting and checking the
TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the
client.

ok inoguchi@ tb@

2 years agoPrepare to provide EVP_MD_CTX{,_set}_pkey_ctx()
tb [Sun, 9 Jan 2022 15:15:25 +0000 (15:15 +0000)]
Prepare to provide EVP_MD_CTX{,_set}_pkey_ctx()

This API with very strange ownership handling is used by Ruby 3.1,
unfortunately.

For unclear reasons, it was decided that the caller retains ownership of
the pctx passed in.  EVP_PKEY_CTX aren't refcounted, so a flag was added to
make sure that md_ctx->pctx is not freed in EVP_MD_CTX_{cleanup,reset}().
Since EVP_MD_CTX_copy_ex() duplicates the md_ctx->pctx, the flag also needs
to be unset on the duplicated EVP_MD_CTX.

ok inoguchi jsing

2 years agoIndicate that mvpxa(4) depends on sdhc code.
visa [Sun, 9 Jan 2022 13:27:47 +0000 (13:27 +0000)]
Indicate that mvpxa(4) depends on sdhc code.

OK deraadt@ phessler@

2 years agoAdd attribute for indicating sdhc dependency.
visa [Sun, 9 Jan 2022 13:26:08 +0000 (13:26 +0000)]
Add attribute for indicating sdhc dependency.

OK deraadt@ phessler@

2 years agoClean up pkey handling in ssl3_get_server_key_exchange()
jsing [Sun, 9 Jan 2022 13:17:33 +0000 (13:17 +0000)]
Clean up pkey handling in ssl3_get_server_key_exchange()

With TLSv1.2 and earlier, the authentication algorithm used to sign the
ServerKeyExchange message is dependent on the cipher suite in use and has
nothing to do with the key exchange algorithm. As such, check the
authentication algorithm based on the cipher suite in
ssl3_get_server_key_exchange() and handle things accordingly.

ok inoguchi@ tb@

2 years agoAdd two test cases from semarie@ which are solved by the last unveil
claudio [Sun, 9 Jan 2022 10:36:52 +0000 (10:36 +0000)]
Add two test cases from semarie@ which are solved by the last unveil
commit.

2 years agoAdd an UNVEIL_USERSET flag which is set when a unveil node is added via
claudio [Sun, 9 Jan 2022 10:28:07 +0000 (10:28 +0000)]
Add an UNVEIL_USERSET flag which is set when a unveil node is added via
unveil(2). It is not set for nodes that are added as a result of a file
being added via unveil(2). Use this flag to test if backtracking should
be done or not. Also introduce UNVEIL_MASK which checks if any user flags
are set and is used to properly return EACCES vs ENOENT.

This fixes a problem where unveil("/", "r") & unveil("/usr/bin/id", "rx")
cause an error when read accessing "/usr/bin". It also makes sure that
unveil(path, "") will return ENOENT for any access of anything under path.

Reported by and OK semarie@

2 years agoIncrease the max size of allocations, in prep for a large cache implementation.
otto [Sun, 9 Jan 2022 07:18:50 +0000 (07:18 +0000)]
Increase the max size of allocations, in prep for a large cache implementation.

2 years agospelling
jsg [Sun, 9 Jan 2022 05:42:36 +0000 (05:42 +0000)]
spelling
feedback and ok tb@ jmc@ ok ratchov@

2 years ago__LDPGSZ hasn't been used here since rev 1.23 (2013).
guenther [Sat, 8 Jan 2022 22:54:49 +0000 (22:54 +0000)]
__LDPGSZ hasn't been used here since rev 1.23 (2013).
Delete comment referring to it

ok jsg@

2 years agoDon't download SHA256.sig unless it's needed
afresh1 [Sat, 8 Jan 2022 22:32:00 +0000 (22:32 +0000)]
Don't download SHA256.sig unless it's needed

This allows installing local files without network.

it *might* work now deraadt@

2 years agoPrepare to provide OBJ_length() and OBJ_get0_data()
tb [Sat, 8 Jan 2022 21:36:39 +0000 (21:36 +0000)]
Prepare to provide OBJ_length() and OBJ_get0_data()

OBJ_length() turns the int obj->length into a size_t, so add
an overflow check. While obj->length should never be negative,
who knows...

ok jsing

2 years agoarchdep.h needed for _dl_dcbf, on powerpc
deraadt [Sat, 8 Jan 2022 18:30:18 +0000 (18:30 +0000)]
archdep.h needed for _dl_dcbf, on powerpc

2 years agoneed "archdep.h" for _dl_md_plabel on hppa
deraadt [Sat, 8 Jan 2022 17:28:49 +0000 (17:28 +0000)]
need "archdep.h" for _dl_md_plabel on hppa

2 years agoUse ${.ALLSRC:M*.y} instead of ${.IMPSRC} as the input file for yacc,
patrick [Sat, 8 Jan 2022 17:05:30 +0000 (17:05 +0000)]
Use ${.ALLSRC:M*.y} instead of ${.IMPSRC} as the input file for yacc,
to fix a bug where ${.IMPSRC} (aka $<) is used in a context where it
is not neccessarily defined by OpenBSD make.  This would sometime show
up trying to build libpcap with the following error message:

Using $< in a non-suffix rule context is a GNUmake idiom (<bsd.dep.mk>:47)

The issue is with the rule for the grammar.h file that is generated
by yacc from grammar.c. You can easily reproduce the bug with the
following steps:

- build libpcap from scratch: cd src/lib/libpcap && make clean all
- remove the generated grammar.h file: rm obj*/grammar.h
- build libpcap again (incremental build): make

In normal builds this does not trigger as grammar.h is implicitly
generated by the rule for grammar.c and when make checks for
dependencies it simply finds grammar.h uptodate. However, incremental
or parallel builds might decide to make grammar.h from grammar.y.

Now, why is this only a problem for grammar.h but not for grammar.c?
The answer to this question is burried deeply in OpenBSD's mk files.

The snippet in bsd.dep.mk that triggers the error is a single rule
statement that generates foo.c and foo.h from foo.y with a call to
yacc -d. The rule is generated with a loop, i.e. it is not a prefix
rule. However, a prefix rule context is required for the use of
${.IMPSRC} aka $<. For the .c file such a prefix rule is provided by
bsd.sys.mk and this rule is in scope when make evaluates the yacc rule.
However, for .h file generation from a .y file there is no such prefix
rule defined in any of the Makefiles. Even if it were the .h suffix is
missing from .SUFFIXES and the rule would not be considered.

The obvious way to fix this would be to use $f instead of ${.IMPSRC}.
However, this does not work as $f is then missing the path prefix and
yacc won't find it if an obj directory is used. This is probably the
reason for the use of ${.IMPSRC} in the first place.

Committing on behalf of ehrhardt@
"I like the diff" deraadt@
ok guenther@

2 years agotiny whitespace tweak
tb [Sat, 8 Jan 2022 15:34:59 +0000 (15:34 +0000)]
tiny whitespace tweak

2 years agoRemove apldwusb(4). This driver is now unused.
kettenis [Sat, 8 Jan 2022 15:30:46 +0000 (15:30 +0000)]
Remove apldwusb(4).  This driver is now unused.

2 years agoOops, missed a compatible string in the previous commit.
kettenis [Sat, 8 Jan 2022 15:23:42 +0000 (15:23 +0000)]
Oops, missed a compatible string in the previous commit.

2 years agoMerge SESS_CERT into SSL_SESSION.
jsing [Sat, 8 Jan 2022 12:59:58 +0000 (12:59 +0000)]
Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@

2 years agoRemove commented out CERT_* defines.
jsing [Sat, 8 Jan 2022 12:54:32 +0000 (12:54 +0000)]
Remove commented out CERT_* defines.

2 years agoRename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.
jsing [Sat, 8 Jan 2022 12:43:44 +0000 (12:43 +0000)]
Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@

2 years agoFix possible use after free with long lines
tobias [Sat, 8 Jan 2022 11:07:51 +0000 (11:07 +0000)]
Fix possible use after free with long lines

Files with very long lines on machines with tight memory restrictions
can provoke a failing realloc in expand_linebuf. This error condition
was improperly handled, which could lead to a user after free bug by
using the already freed linebuf variable again.

with input by and okay guenther@

2 years agoRemove errant "set -x" left over from debugging.
dtucker [Sat, 8 Jan 2022 07:55:26 +0000 (07:55 +0000)]
Remove errant "set -x" left over from debugging.

2 years agouse status error message to communicate ~user expansion failures;
djm [Sat, 8 Jan 2022 07:37:32 +0000 (07:37 +0000)]
use status error message to communicate ~user expansion failures;
provides better experience for scp in sftp mode, where ~user paths
are more likely to be used; spotted jsg, feedback jsg & deraadt
ok jsg & markus

2 years agofix some corner-case bugs in scp sftp-mode handling of ~-prefixed
djm [Sat, 8 Jan 2022 07:36:11 +0000 (07:36 +0000)]
fix some corner-case bugs in scp sftp-mode handling of ~-prefixed
paths; spotted by jsg; feedback jsg & deraadt, ok jsg & markus

2 years agomore idiomatic error messages; spotted by jsg & deraadt
djm [Sat, 8 Jan 2022 07:34:57 +0000 (07:34 +0000)]
more idiomatic error messages; spotted by jsg & deraadt
ok jsg & markus

2 years agoadd a variant of send_status() that allows overriding the default,
djm [Sat, 8 Jan 2022 07:33:54 +0000 (07:33 +0000)]
add a variant of send_status() that allows overriding the default,
generic error message. feedback/ok markus & jsg

2 years agorefactor tilde_expand_filename() and make it handle ~user paths with no
djm [Sat, 8 Jan 2022 07:32:45 +0000 (07:32 +0000)]
refactor tilde_expand_filename() and make it handle ~user paths with no
trailing slash; feedback/ok markus and jsg

2 years agox509_cpols.c will need to include x509_lcl.h soon
tb [Sat, 8 Jan 2022 07:25:52 +0000 (07:25 +0000)]
x509_cpols.c will need to include x509_lcl.h soon

2 years agoEnable all supported hostkey algorithms (but no others). Allows hostbased
dtucker [Sat, 8 Jan 2022 07:01:13 +0000 (07:01 +0000)]
Enable all supported hostkey algorithms (but no others).  Allows hostbased
test to pass when built without OpenSSL.

2 years agoPrep .c files for removing the #includes from */archdep.h
guenther [Sat, 8 Jan 2022 06:49:41 +0000 (06:49 +0000)]
Prep .c files for removing the #includes from */archdep.h
 * replace #include "archdep.h" with #includes of what is used, pulling in
   "syscall.h", "util.h", and "archdep.h" as needed
 * delete #include <sys/syscall.h> from syscall.h
 * only pull in <sys/stat.h> to the three files that use _dl_fstat(),
   forward declare struct stat in syscall.h for the others
 * NBBY is for <sys/select.h> macros; just use '8' in dl_printf.c
 * <machine/vmparam.h> is only needed on i386; conditionalize it
 * stop using __LDPGSZ: use _MAX_PAGE_SHIFT (already used by malloc.c)
   where necessary
 * delete other bogus #includes, order legit per style: <sys/*> then
   <*/*>, then <*>, then "*"

dir.c improvement from jsg@
ok and testing assistance deraadt@

2 years agoIndicate current default cipher
inoguchi [Sat, 8 Jan 2022 06:05:39 +0000 (06:05 +0000)]
Indicate current default cipher

2 years agoRemove verbose PCI and USB device info from BOOT
visa [Sat, 8 Jan 2022 05:40:19 +0000 (05:40 +0000)]
Remove verbose PCI and USB device info from BOOT

BOOT kernels do not print kernel messages, and currently there is no
way to change this at runtime. Remove the verbose device information
to save some space.

2 years agoAdjust debug printfs after pcitag_t type change.
visa [Sat, 8 Jan 2022 05:34:54 +0000 (05:34 +0000)]
Adjust debug printfs after pcitag_t type change.

2 years agoApply mpsafe changes from dwge(4) to dwxe(4):
jmatthew [Sat, 8 Jan 2022 00:20:10 +0000 (00:20 +0000)]
Apply mpsafe changes from dwge(4) to dwxe(4):

Rework the tx path to use the consumer and producer positions to work out
the number of slots available, and to put packets on the ring until fewer
than DWXE_NTXSEGS slots are left, making dwxe_start() and dwxe_txeof()
work independently.  While here, only write to DWXE_TX_CTL1 once
per call to dwxe_start() rather than once per packet.

Adjust the rx interrupt path to check the number of slots in use and
return slots once per interrupt.

Add interrupt and ifq barriers before taking the interface down.
With all of this done, we can mark dwxe(4) mpsafe.

tested on arm64 (a64 sopine) by mlarkin@ and armv7 (h2+) by me
ok dlg@

2 years agoAdd some workarounds to make build_addr_block_test_data const.
tb [Fri, 7 Jan 2022 22:46:05 +0000 (22:46 +0000)]
Add some workarounds to make build_addr_block_test_data const.

2 years agoPrepare to provide EVP_AEAD_CTX_{new,free}()
tb [Fri, 7 Jan 2022 21:58:17 +0000 (21:58 +0000)]
Prepare to provide EVP_AEAD_CTX_{new,free}()

ok jsing

2 years agoAdd code to initialize the PCIe host bridge hardware. We currently rely on
kettenis [Fri, 7 Jan 2022 19:03:57 +0000 (19:03 +0000)]
Add code to initialize the PCIe host bridge hardware.  We currently rely on
U-Boot to initialize the hardware for us,  but it is better if we can cope
with this ourselves.

ok patrick@

2 years agoRevert previous accidental commit
tb [Fri, 7 Jan 2022 17:17:02 +0000 (17:17 +0000)]
Revert previous accidental commit

2 years agoIf no date could be parsed, bail out early and fix an error return that
otto [Fri, 7 Jan 2022 17:14:42 +0000 (17:14 +0000)]
If no date could be parsed, bail out early and fix an error return that
leaked; ok florian@

2 years agoRename dh_tmp to dhe_params.
jsing [Fri, 7 Jan 2022 16:45:06 +0000 (16:45 +0000)]
Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@

2 years agoSIOCSIFXFLAGS drops into the SIOCSIFFLAGS to perform auto-up of the
deraadt [Fri, 7 Jan 2022 16:39:18 +0000 (16:39 +0000)]
SIOCSIFXFLAGS drops into the SIOCSIFFLAGS to perform auto-up of the
interface. If this operation fails (probably due to missing firmware),
we must undo changes to the SIOCSIFXFLAGS xflags.
ok stsp.

2 years agoStop attempting to duplicate the public and private key of dh_tmp.
jsing [Fri, 7 Jan 2022 15:56:33 +0000 (15:56 +0000)]
Stop attempting to duplicate the public and private key of dh_tmp.

Support for non-ephemeral DH was removed a very long time ago - the only
way that dh_tmp is set is via DHparams_dup(), hence the public and private
keys are always going to be NULL.

ok inoguchi@ tb@

2 years agoConvert legacy server to tls_key_share.
jsing [Fri, 7 Jan 2022 15:46:30 +0000 (15:46 +0000)]
Convert legacy server to tls_key_share.

This requires a few more additions to the DHE key share code - we need to
be able to either set the DHE parameters or specify the number of key bits
for use with auto DHE parameters. Additionally, we need to be able to
serialise the DHE parameters to send to the client.

This removes the infamous 'tmp' struct from ssl3_state_internal_st.

ok inoguchi@ tb@

2 years ago.glue_7 is used for arm code calling thumb code, and .glue_7t is used for
kevlo [Fri, 7 Jan 2022 13:56:54 +0000 (13:56 +0000)]
.glue_7 is used for arm code calling thumb code, and .glue_7t is used for
thumb code calling arm code, no need to put these input sections at the text
output section.

ok jsg@ kettenis@

2 years agoA few more files need asn1_locl.h.
tb [Fri, 7 Jan 2022 12:24:17 +0000 (12:24 +0000)]
A few more files need asn1_locl.h.

2 years agoinclude asn1_locl.h where it will be needed for the bump.
tb [Fri, 7 Jan 2022 11:13:54 +0000 (11:13 +0000)]
include asn1_locl.h where it will be needed for the bump.

discussed with jsing

2 years agoAdd missing dependency.
visa [Fri, 7 Jan 2022 10:48:59 +0000 (10:48 +0000)]
Add missing dependency.

2 years agoSomehow I always forget that the more global LC_ALL takes precedence over
martijn [Fri, 7 Jan 2022 10:20:11 +0000 (10:20 +0000)]
Somehow I always forget that the more global LC_ALL takes precedence over
the more specific LC_CTYPE. Things are weird that way.

The problem here was that "eval" and "LC_ALL=" were swapped, not the
priority of variables.

pointed out by naddy@
OK tb@

2 years agoPrepare to make RSA and RSA_METHOD opaque by including rsa_locl.h
tb [Fri, 7 Jan 2022 09:55:31 +0000 (09:55 +0000)]
Prepare to make RSA and RSA_METHOD opaque by including rsa_locl.h
where it will be needed in the upcoming bump.

discussed with jsing

2 years agoAdd an essentially empty ocsp_local.h and include it in the files
tb [Fri, 7 Jan 2022 09:45:52 +0000 (09:45 +0000)]
Add an essentially empty ocsp_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

2 years agogost needs to look into ecs_locl.h
tb [Fri, 7 Jan 2022 09:40:03 +0000 (09:40 +0000)]
gost needs to look into ecs_locl.h

2 years agoPrepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h by
tb [Fri, 7 Jan 2022 09:35:36 +0000 (09:35 +0000)]
Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h by
including the local header where it will be needed.

discussed with jsing

2 years agoAdd an essentially empty dh_local.h and include it in the files where
tb [Fri, 7 Jan 2022 09:27:13 +0000 (09:27 +0000)]
Add an essentially empty dh_local.h and include it in the files where
it will be needed in the upcoming bump.

discussed with jsing

2 years agozap trailing whitespace
tb [Fri, 7 Jan 2022 09:21:21 +0000 (09:21 +0000)]
zap trailing whitespace

2 years agofix aac build after -Wno-uninitialized was removed
jsg [Fri, 7 Jan 2022 09:08:15 +0000 (09:08 +0000)]
fix aac build after -Wno-uninitialized was removed

2 years agoLet dtlstest peek into bio_local.h
tb [Fri, 7 Jan 2022 09:07:00 +0000 (09:07 +0000)]
Let dtlstest peek into bio_local.h

2 years agoAdd a new, mostly empty, bio_local.h and include it in the files
tb [Fri, 7 Jan 2022 09:02:17 +0000 (09:02 +0000)]
Add a new, mostly empty, bio_local.h and include it in the files
that will need it in the upcoming bump.

discussed with jsing

2 years agoSync EVP_MD_CTX to heap switch from npppd.
tb [Fri, 7 Jan 2022 07:34:34 +0000 (07:34 +0000)]
Sync EVP_MD_CTX to heap switch from npppd.

ok millert

2 years agonpppd: convert to EVP_MD_CTX on heap
tb [Fri, 7 Jan 2022 07:33:35 +0000 (07:33 +0000)]
npppd: convert to EVP_MD_CTX on heap

In the upcoming libcrypto bump, EVP_MD_CTX will become opaque, so
all EVP_MD_CTX variables will need to be moved from the stack to
the heap. This is a mechanical conversion which also switches
from EVP_Digest{Init,Final}() to their _ex() versions as suggested
by millert.

We cannot do error checking since this code is structured in
several layers of void functions. This will have to be fixed
by someone else.

ok millert

2 years agohibernate_clear_signature() is only used by hibernate_resume(), so
guenther [Fri, 7 Jan 2022 02:47:06 +0000 (02:47 +0000)]
hibernate_clear_signature() is only used by hibernate_resume(), so
pass in the already read hibernate_info instead of reading it again.

ok deraadt@

2 years agoExtract the slice from the zeroth swap device instead of assuming
guenther [Fri, 7 Jan 2022 02:26:53 +0000 (02:26 +0000)]
Extract the slice from the zeroth swap device instead of assuming
it's the 'b' slice and (sanity) check against the partition count.
Also, make the "is union hibernate_info too large?" a compile time
check.

ok deraadt@

2 years agowhitespace
afresh1 [Fri, 7 Jan 2022 02:25:40 +0000 (02:25 +0000)]
whitespace

2 years agoregen
jsg [Fri, 7 Jan 2022 01:16:26 +0000 (01:16 +0000)]
regen

2 years agostop creating old drm device nodes
jsg [Fri, 7 Jan 2022 01:13:15 +0000 (01:13 +0000)]
stop creating old drm device nodes

2 years agomention radeondrm on riscv64
jsg [Fri, 7 Jan 2022 00:44:17 +0000 (00:44 +0000)]
mention radeondrm on riscv64

2 years agostop chowning old drm device nodes
jsg [Thu, 6 Jan 2022 23:44:21 +0000 (23:44 +0000)]
stop chowning old drm device nodes

2 years agoDon't explicitly set HostbasedAuthentication in sshd_config.
dtucker [Thu, 6 Jan 2022 22:14:25 +0000 (22:14 +0000)]
Don't explicitly set HostbasedAuthentication in sshd_config.
It defaults to "no", and not explicitly setting it allows us to enable
it for the (optional) hostbased test.

2 years agoallow hostbased auth to select RSA keys when only RSA/SHA2 are
djm [Thu, 6 Jan 2022 22:06:51 +0000 (22:06 +0000)]
allow hostbased auth to select RSA keys when only RSA/SHA2 are
configured (this is the default case); ok markus@

2 years agoadd a helper function to match a key type to a list of signature
djm [Thu, 6 Jan 2022 22:05:42 +0000 (22:05 +0000)]
add a helper function to match a key type to a list of signature
algorithms. RSA keys can make signatures with multiple algorithms,
so some special handling is required.
ok markus@

2 years agolog some details on hostkeys that ssh loads for hostbased authn
djm [Thu, 6 Jan 2022 22:04:20 +0000 (22:04 +0000)]
log some details on hostkeys that ssh loads for hostbased authn
ok markus@

2 years agolog signature algorithm during verification by monitor; ok markus
djm [Thu, 6 Jan 2022 22:03:59 +0000 (22:03 +0000)]
log signature algorithm during verification by monitor; ok markus

2 years agopiece of UpdateHostkeys client strictification: when updating known_hosts
djm [Thu, 6 Jan 2022 22:02:52 +0000 (22:02 +0000)]
piece of UpdateHostkeys client strictification: when updating known_hosts
with new keys, ignore NULL keys (forgot to include in prior commit)

2 years agoinclude rejected signature algorithm in error message and not the
djm [Thu, 6 Jan 2022 22:01:14 +0000 (22:01 +0000)]
include rejected signature algorithm in error message and not the
(useless) key type; ok markus

2 years agomake ssh-keysign use the requested signature algorithm and not the
djm [Thu, 6 Jan 2022 22:00:18 +0000 (22:00 +0000)]
make ssh-keysign use the requested signature algorithm and not the
default for the keytype. Part of unbreaking hostbased auth for RSA/SHA2
keys. ok markus@

2 years agostricter UpdateHostkey signature verification logic on the client-
djm [Thu, 6 Jan 2022 21:57:28 +0000 (21:57 +0000)]
stricter UpdateHostkey signature verification logic on the client-
side. Require RSA/SHA2 signatures for RSA hostkeys except when
RSA/SHA1 was explicitly negotiated during initial KEX; bz3375

ok markus@

2 years agoFix signature algorithm selection logic for UpdateHostkeys on the
djm [Thu, 6 Jan 2022 21:55:23 +0000 (21:55 +0000)]
Fix signature algorithm selection logic for UpdateHostkeys on the
server side. The previous code tried to prefer RSA/SHA2 for hostkey
proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in
initial KEX. bz3375

Mostly by Dmitry Belyavskiy with some tweaks by me.

ok markus@

2 years agoconvert ssh, sshd mainloops from select() to poll();
djm [Thu, 6 Jan 2022 21:48:38 +0000 (21:48 +0000)]
convert ssh, sshd mainloops from select() to poll();
feedback & ok deraadt@ and markus@
has been in snaps for a few months

2 years agoAdd test for hostbased auth. It requires some external setup (see
dtucker [Thu, 6 Jan 2022 21:46:56 +0000 (21:46 +0000)]
Add test for hostbased auth.  It requires some external setup (see
comments at the top) and thus is disabled unless TEST_SSH_HOSTBASED_AUTH
and SUDO are set.

2 years agoprepare for conversion of ssh, sshd mainloop from select() to poll()
djm [Thu, 6 Jan 2022 21:46:23 +0000 (21:46 +0000)]
prepare for conversion of ssh, sshd mainloop from select() to poll()
by moving FD_SET construction out of channel handlers into separate
functions. ok markus

2 years agorepair usage
deraadt [Thu, 6 Jan 2022 20:15:54 +0000 (20:15 +0000)]
repair usage

2 years agoSwitch fw_update -D to instead -F
afresh1 [Thu, 6 Jan 2022 19:27:01 +0000 (19:27 +0000)]
Switch fw_update -D to instead -F

The perl version of fw_update used -D for something else and although
the mneumonic isn't as good, the conflict was worse.

Requested by deraadt@

2 years agorefer to longindex as an argument, not a field;
jmc [Thu, 6 Jan 2022 18:58:24 +0000 (18:58 +0000)]
refer to longindex as an argument, not a field;
from uwe@netbsd -r1.22

ok millert

2 years agoRevise for change to tls_key_share_peer_public()
jsing [Thu, 6 Jan 2022 18:27:31 +0000 (18:27 +0000)]
Revise for change to tls_key_share_peer_public()

2 years agoConvert legacy TLS client to tls_key_share.
jsing [Thu, 6 Jan 2022 18:23:56 +0000 (18:23 +0000)]
Convert legacy TLS client to tls_key_share.

This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.

ok inoguchi@ tb@

2 years agoAllocate and free the EVP_AEAD_CTX struct in tls13_record_protection.
jsing [Thu, 6 Jan 2022 18:18:13 +0000 (18:18 +0000)]
Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.

This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.

Prompted by and ok tb@

2 years agoCleanup mft file handling, especially the stale mft bits.
claudio [Thu, 6 Jan 2022 16:06:30 +0000 (16:06 +0000)]
Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits mainly unneccessary else if cascades and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@

2 years agoUse a 64-bit integer for pcitag_t and define PCITAG_NODE and PCITAG_OFFSET
deraadt [Thu, 6 Jan 2022 15:41:53 +0000 (15:41 +0000)]
Use a 64-bit integer for pcitag_t and define PCITAG_NODE and PCITAG_OFFSET
macros to make kernel build again, same diff as armv7.
ok kettenis visa

2 years agoAdd regress tests for ASN1_BIT_STRING.
jsing [Thu, 6 Jan 2022 15:21:33 +0000 (15:21 +0000)]
Add regress tests for ASN1_BIT_STRING.

2 years agoAdd a comment that explains why build_addr_block_tests isn't const
tb [Thu, 6 Jan 2022 14:55:52 +0000 (14:55 +0000)]
Add a comment that explains why build_addr_block_tests isn't const

2 years agoConvert SCT verification to CBB.
jsing [Thu, 6 Jan 2022 14:34:40 +0000 (14:34 +0000)]
Convert SCT verification to CBB.

ok inoguchi@ tb@

2 years agoSync from libssl.
jsing [Thu, 6 Jan 2022 14:32:55 +0000 (14:32 +0000)]
Sync from libssl.

2 years agoTest CBB_add_u64()
jsing [Thu, 6 Jan 2022 14:31:03 +0000 (14:31 +0000)]
Test CBB_add_u64()