tb [Sat, 31 Aug 2024 09:39:31 +0000 (09:39 +0000)]
const correct uses of CONF_METHOD
While not all of this is strictly needed, it was simply incorrect. This
way another global which was modifiable for no good reason becomes const.
ok beck jsing
tb [Sat, 31 Aug 2024 09:36:38 +0000 (09:36 +0000)]
Stop using conf->meth_data and make CONF_type_default const
Now that we no longer need to hang a poor man's ctype substitute off
the conf structure, we can get rid of the otherwise unused meth_data
member. This allows us to const correct CONF_type_default. Hopefully
we can remove it soon.
ok beck jsing
tb [Sat, 31 Aug 2024 09:34:05 +0000 (09:34 +0000)]
Remove NCONF_WIN32
Undocumented and entirely unused. Gets rid of a big, modifiable, global
table.
ok beck jsing
tb [Sat, 31 Aug 2024 09:29:32 +0000 (09:29 +0000)]
sync
tb [Sat, 31 Aug 2024 09:29:03 +0000 (09:29 +0000)]
Retire conf_api.h and the API therein
This makes the _CONF_* layer of the conf module internal and gets rid
of the entirely unused conf_api.h.
ok beck jsing
tb [Sat, 31 Aug 2024 09:26:18 +0000 (09:26 +0000)]
Unexport some conf layers unused outside of libcrypto
imodules are called imodules because they contain Information about
modules that have been Initialized. Which one of these two I it is
is anyone's best guess. Why anything outside of libcrypto would ever
possibly care will also remain a mystery.
Remove the old way of adding a conf module, user data, stop allowing
to set a method (it's opaque now, remember?) and drop a couple bits
more from the public api interface.
ok beck jsing
tb [Sat, 31 Aug 2024 09:21:44 +0000 (09:21 +0000)]
Make CONF_METHOD opaque
Much of conf is designed in such a way that you really have to reach into
its structs. This one piece can be hidden. It might even be removed soon.
ok beck jsing
tb [Sat, 31 Aug 2024 09:18:00 +0000 (09:18 +0000)]
Remove unused {,N}CONF_dump_{bio,fp}()
It's time to start removing some horrors from the conf/ garbage. If the
current top layer wasn't terrible enough, you could always slap another
one on top of it and it would then be truly marvellous.
ok beck jsing
tb [Sat, 31 Aug 2024 09:14:21 +0000 (09:14 +0000)]
Remove EVP_PKEY_*check again
This API turned out to be a really bad idea. OpenSSL 3 extended it, with
the result that basically every key type had its own DoS issues fixed in
a recent security release. We eschewed these by having some upper bounds
that kick in when keys get insanely large.
Initially added on tobhe's request who fortunately never used it in iked,
this was picked up only by ruby/openssl (one of the rare projects doing
proper configure checks rather than branching on VERSION defines) and of
course xca, since it uses everything it can. So it was easy to get rid of
this again.
ok beck jsing
tb [Sat, 31 Aug 2024 09:07:25 +0000 (09:07 +0000)]
sync
tb [Sat, 31 Aug 2024 08:24:02 +0000 (08:24 +0000)]
Retire the whirlpool test
tb [Sat, 31 Aug 2024 08:23:32 +0000 (08:23 +0000)]
unhook whirlpool from the tree
dlg [Sat, 31 Aug 2024 04:21:45 +0000 (04:21 +0000)]
rport(4) for p2p l3 connectivity between route domains.
dlg [Sat, 31 Aug 2024 04:17:14 +0000 (04:17 +0000)]
add rport(4) for p2p l3 connectivity between route domains.
you can basically plug rdomains together and route between them
over rport interfaces. people keep asking me if this is so you can
leak routes between rdomains, and the answer is yes.
this is like pair(4) but cheaper because it avoids all the mucking
around with putting an ethernet header on the mbuf just to take it
off again later, and is more efficient with address space because
it's a p2p ip interface.
it has a small tweak from mvs@
ok denis@ claudio@
dlg [Sat, 31 Aug 2024 00:51:29 +0000 (00:51 +0000)]
provide an example config for ikev1 with isakmpd and ipsecctl
jmc [Fri, 30 Aug 2024 20:08:05 +0000 (20:08 +0000)]
minor grammar fixes;
mglocker [Fri, 30 Aug 2024 18:22:41 +0000 (18:22 +0000)]
Spelling
tb [Fri, 30 Aug 2024 17:44:56 +0000 (17:44 +0000)]
Garbage collect the DH_check*_ex() API
This was only needed by the EVP_PKEY_*check() API, which was defanged. So
this silly garbage can now go: it translated flags to errors on the error
stack so that openssl *check could print ugly errors while DoS-ing the
user.
ok beck
tb [Fri, 30 Aug 2024 17:26:44 +0000 (17:26 +0000)]
Add and use local copy of X509V3_add_value()
The public API will be removed. This fixes its only consumer.
dlg [Fri, 30 Aug 2024 13:09:10 +0000 (13:09 +0000)]
a few people have bugged me for an example. hopefully this is enough.
dlg [Fri, 30 Aug 2024 09:39:07 +0000 (09:39 +0000)]
tweak the example to use veb instead of bridge.
dlg [Fri, 30 Aug 2024 08:37:59 +0000 (08:37 +0000)]
try and keep in line with language used in other manual pages.
while i'm here, try and unbundle some of the configuration and
concepts. etherip interfaces can work fine as point to point ethernet
tunnels, they do not need to be configured as part of bridge(4) to
work. ipsec can be configured to protect etherip traffic independently
of whether it's part of a bridge too.
dlg [Fri, 30 Aug 2024 07:25:55 +0000 (07:25 +0000)]
prefer "IPv4 and IPv6" over "IP[46]".
op [Fri, 30 Aug 2024 07:11:02 +0000 (07:11 +0000)]
use strtonum() to parse numeric option values instead of atoi()
looks reasonable to deraadt
ok/improvements bluhm@
tb [Fri, 30 Aug 2024 07:03:19 +0000 (07:03 +0000)]
Remove cross references to whirlpool
jmc [Fri, 30 Aug 2024 06:05:10 +0000 (06:05 +0000)]
zap line missed in previous removal; ok tb
tb [Fri, 30 Aug 2024 05:00:38 +0000 (05:00 +0000)]
Adjust freenull test for upcoming conf_api.h removal
jsg [Fri, 30 Aug 2024 04:25:22 +0000 (04:25 +0000)]
drm/amdgpu/vcn: not pause dpg for unified queue
From Boyuan Zhang
c6372cbd919b57d3b426938b7262ee1fb5be34e2 in linux-6.6.y/6.6.48
7d75ef3736a025db441be652c8cc8e84044a215f in mainline linux
jsg [Fri, 30 Aug 2024 04:22:59 +0000 (04:22 +0000)]
drm/amdgpu/vcn: identify unified queue in sw init
From Boyuan Zhang
44bb8f18a63b8f2c8e089558c00e8e45bc4b0346 in linux-6.6.y/6.6.48
ecfa23c8df7ef3ea2a429dfe039341bf792e95b4 in mainline linux
jsg [Fri, 30 Aug 2024 04:20:12 +0000 (04:20 +0000)]
drm/amdgpu: Validate TA binary size
From Candice Li
50553ea7cbd3344fbf40afb065f6a2d38171c1ad in linux-6.6.y/6.6.48
c99769bceab4ecb6a067b9af11f9db281eea3e2a in mainline linux
jsg [Fri, 30 Aug 2024 04:18:07 +0000 (04:18 +0000)]
drm/amdkfd: reserve the BO before validating it
From Lang Yu
9b707444bebce5326b8eae5401a2dce55626f8f2 in linux-6.6.y/6.6.48
0c93bd49576677ae1a18817d5ec000ef031d5187 in mainline linux
jsg [Fri, 30 Aug 2024 04:14:46 +0000 (04:14 +0000)]
drm/amd/amdgpu: command submission parser for JPEG
From David (Ming Qiang) Wu
114858d713825415de1099bc842cc4c615d89547 in linux-6.6.y/6.6.48
470516c2925493594a690bc4d05b1f4471d9f996 in mainline linux
jsg [Fri, 30 Aug 2024 04:10:43 +0000 (04:10 +0000)]
drm/amd/display: fix cursor offset on rotation 180
From Melissa Wen
a50a25dc0ce05cb3bdb1154fc7d64117a43de9f5 in linux-6.6.y/6.6.48
737222cebecbdbcdde2b69475c52bcb9ecfeb830 in mainline linux
jsg [Fri, 30 Aug 2024 04:07:57 +0000 (04:07 +0000)]
drm/amd/display: Enable otg synchronization logic for DCN321
From Loan Chen
6490f063d54b1a19bd97ac22e88ff8b8073cc271 in linux-6.6.y/6.6.48
0dbb81d44108a2a1004e5b485ef3fca5bc078424 in mainline linux
jsg [Fri, 30 Aug 2024 04:05:36 +0000 (04:05 +0000)]
drm/amd/display: Adjust cursor position
From Rodrigo Siqueira
d15fc910b618cc8c574e66adb29be7da9cb9c6e3 in linux-6.6.y/6.6.48
56fb276d0244d430496f249335a44ae114dd5f54 in mainline linux
jsg [Fri, 30 Aug 2024 04:03:30 +0000 (04:03 +0000)]
drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
From Jesse Zhang
3cc03d1dbdcf88d3c05578c286a2e8a07befac93 in linux-6.6.y/6.6.48
511a623fb46a6cf578c61d4f2755783c48807c77 in mainline linux
jsg [Fri, 30 Aug 2024 04:00:30 +0000 (04:00 +0000)]
drm/amdkfd: Move dma unmapping after TLB flush
From Philip Yang
14fafdfdadf987e260adb3f807f5f1b5b21f0170 in linux-6.6.y/6.6.48
101b8104307eac734f2dfa4d3511430b0b631c73 in mainline linux
jsg [Fri, 30 Aug 2024 03:56:55 +0000 (03:56 +0000)]
drm/amdgpu: access RLC_SPM_MC_CNTL through MMIO in SRIOV runtime
From ZhenGuo Yin
ec71cc24b0d4cd0091fbb427bef1a6d3655793ca in linux-6.6.y/6.6.48
9f05cfc78c6880e06940ea78fbc43f6392710f17 in mainline linux
jsg [Fri, 30 Aug 2024 03:52:18 +0000 (03:52 +0000)]
drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored
From Lee Jones
695f692bcd72b5bd188a9ae903d2a3ec99df467c in linux-6.6.y/6.6.48
a728342ae4ec2a7fdab0038b11427579424f133e in mainline linux
jsg [Fri, 30 Aug 2024 03:49:12 +0000 (03:49 +0000)]
drm/amd/pm: fix error flow in sensor fetching
From Alex Deucher
51e4630ef0d19ad7638762f06e1351c5dcc0c420 in linux-6.6.y/6.6.48
a5600853167aeba5cade81f184a382a0d1b14641 in mainline linux
jsg [Fri, 30 Aug 2024 03:46:49 +0000 (03:46 +0000)]
drm/amdgpu/jpeg4: properly set atomics vmid field
From Alex Deucher
09717678737b942159daebe6094134568dd28d1c in linux-6.6.y/6.6.48
e6c6bd6253e792cee6c5c065e106e87b9f0d9ae9 in mainline linux
guenther [Fri, 30 Aug 2024 03:44:48 +0000 (03:44 +0000)]
Revert commitid KcCtsA53F9UQzc0t:
"Make exit(), fclose(), fflush(), and freopen() comply with POSIX-2008
requirements for setting the underlying file position when flushing
read-mode streams, and make an fseek()-after-fflush() not change the
underlying file position."
Something isn't correct about it and it breaks at least initdb from
the postgresql-server package.
discussed with tb@, semarie@, and deraadt@
jsg [Fri, 30 Aug 2024 03:42:46 +0000 (03:42 +0000)]
drm/amdgpu/jpeg2: properly set atomics vmid field
From Alex Deucher
0e93fa4027cf2324b34b2158d58175c4cd4a2e01 in linux-6.6.y/6.6.48
e414a304f2c5368a84f03ad34d29b89f965a33c9 in mainline linux
jsg [Fri, 30 Aug 2024 03:39:16 +0000 (03:39 +0000)]
drm/amdgpu: Actually check flags for all context ops.
From Bas Nieuwenhuizen
2685a2b9e55db1d0f34dcab863c7cc0842e7df15 in linux-6.6.y/6.6.48
0573a1e2ea7e35bff08944a40f1adf2bb35cea61 in mainline linux
op [Thu, 29 Aug 2024 21:04:16 +0000 (21:04 +0000)]
fix handling of Return-Path
It doesn't handle angular brackets in Return-Path, which are fine
per RFC 5332 (section 3.6.7).
Diff from Sven M. Hallberg with a tiny change by me.
tb [Thu, 29 Aug 2024 20:26:08 +0000 (20:26 +0000)]
sync
tb [Thu, 29 Aug 2024 20:25:13 +0000 (20:25 +0000)]
Remove documentation of EVP_whirlpool
tb [Thu, 29 Aug 2024 20:23:21 +0000 (20:23 +0000)]
Remove documentation of ERR_add_error_{,v}data()
tb [Thu, 29 Aug 2024 20:21:53 +0000 (20:21 +0000)]
HMAC_Init() is dead. Long live HMAC_Init_ex()
tb [Thu, 29 Aug 2024 20:21:10 +0000 (20:21 +0000)]
Remove documentation of (caveat on) X509_TRUST_DEFAULT
Sadly, it's going to go away before ever having become the default.
dv [Thu, 29 Aug 2024 20:13:42 +0000 (20:13 +0000)]
Hide all EPT-related bits behind #ifdef in amd64 pmap.
A few functions and symbols were included in non-VMM builds. This
tucks more of them behind the "#ifdef NVMM > 0" check and cleans
up RAMDISK kernels.
ok mpi@, feedback from chris@
tb [Thu, 29 Aug 2024 17:16:40 +0000 (17:16 +0000)]
Disable hmac and pkey_ec tests until after the bump
tb [Thu, 29 Aug 2024 17:01:40 +0000 (17:01 +0000)]
Adjust documentation for check/pubcheck removal
ok beck
tb [Thu, 29 Aug 2024 17:01:02 +0000 (17:01 +0000)]
Remove check and pubcheck from openssl pkey and pkeyparam
The underlying API will be removed, so these commands have to go.
ok beck
tb [Thu, 29 Aug 2024 16:58:19 +0000 (16:58 +0000)]
Remove the pkey_{,public_,param_}check() handlers
This disables the EVP_PKEY_*check() API and makes it fail (more precisely
indicate lack of support) on all key types.
This is an intermediate step to full removal.
Removal is ok beck jsing
tb [Thu, 29 Aug 2024 16:43:52 +0000 (16:43 +0000)]
Remove evp_pkey_check test
The API it tests will be removed shortly
bluhm [Thu, 29 Aug 2024 16:42:30 +0000 (16:42 +0000)]
In m_pulldown() replace memmove() with memcpy().
The memmove() in m_pulldown() copied memory between different mbufs.
So data cannot overlap and memcpy() is enough.
OK claudio@ deraadt@
claudio [Thu, 29 Aug 2024 15:18:17 +0000 (15:18 +0000)]
Convert prototypes to new style.
OK millert@
claudio [Thu, 29 Aug 2024 15:16:43 +0000 (15:16 +0000)]
Use signal handler safe dprintf() instead of asprintf + write
OK millert@
tb [Thu, 29 Aug 2024 13:46:28 +0000 (13:46 +0000)]
Unify proc_parser_* as far as possible and reasonable
ok claudio job
claudio [Thu, 29 Aug 2024 12:58:57 +0000 (12:58 +0000)]
draft-ietf-v6ops-rfc3849-update turned into RFC9637, adjust comment
tb [Thu, 29 Aug 2024 11:04:02 +0000 (11:04 +0000)]
ocsp.c: zap trailing whitespace
bluhm [Thu, 29 Aug 2024 10:44:40 +0000 (10:44 +0000)]
Show expensive mbuf operations in netstat(1) statistics.
If the memory layout is not optimal, m_defrag(), m_prepend(),
m_pullup(), and m_pulldown() will allocate mbufs or copy memory.
Count these operations to find possible optimizations.
input dhill@; OK mvs@
job [Thu, 29 Aug 2024 09:54:13 +0000 (09:54 +0000)]
Improve warning message
Requested by claudio@
OK tb@
job [Thu, 29 Aug 2024 09:53:04 +0000 (09:53 +0000)]
Periodically reinitialize RRDP sessions to snapshot at random intervals
It is technically possible for a series of RRDP deltas and a snapshot
to diverge. An RRDP server could distribute files via Deltas and then
forget about those files, causing copies to remain stuck in the caches
of RRDP clients. Resetting RRDP sessions once every few weeks helps with
garbage collection.
In week 0 the probability of triggering re-initialization is ~0.025% and
doubles every week, in week 11 its 50% and always after week 12. Thus,
RPs will reinitialize at least once every 3 months.
OK tb@ claudio@
anton [Thu, 29 Aug 2024 07:33:50 +0000 (07:33 +0000)]
Fix regression introduced in previous migration to strtol() by
correcting the error condition, making it on par with the example in the
manual.
ok op@
florian [Thu, 29 Aug 2024 07:20:16 +0000 (07:20 +0000)]
Update root hints.
b.root-servers.net renumbered on 2023-11-27.
OK phessler, jsg, sthen, deraadt
jsg [Thu, 29 Aug 2024 03:57:35 +0000 (03:57 +0000)]
unstub pdev_to_i915()
jsg [Thu, 29 Aug 2024 03:38:13 +0000 (03:38 +0000)]
call pci_set_drvdata() on attach
deraadt [Thu, 29 Aug 2024 03:30:05 +0000 (03:30 +0000)]
repair bizzare indents; ok tb
bluhm [Wed, 28 Aug 2024 18:21:15 +0000 (18:21 +0000)]
If bounce buffers do not fit, defragment mbuf.
Some packets were dropped by vio_encap() when using bounce buffers.
These mbufs are too fragmented for the pre allocated bounce buffer
pages. By returing EFBIG the network driver will call m_defrag()
and try again. This fixes the problem.
OK sf@ hshoexer@
miod [Wed, 28 Aug 2024 17:37:12 +0000 (17:37 +0000)]
Enable per-cpu page cache.
op [Wed, 28 Aug 2024 15:51:01 +0000 (15:51 +0000)]
use the right FILE to parse the config, not stdin
I typoed the file argument to getline() in rev 1.14 when converting
fgetln remnants to getline back in aug 2022. guess not many people
are hosting hunt servers.
tb [Wed, 28 Aug 2024 15:48:33 +0000 (15:48 +0000)]
def_create(): switch from malloc() to calloc()
ok jsing
millert [Wed, 28 Aug 2024 14:32:02 +0000 (14:32 +0000)]
Add test for for the case where the pattern space is empty but does
not start with a NUL character, which might occur after using the
D command.
millert [Wed, 28 Aug 2024 14:30:26 +0000 (14:30 +0000)]
Fix the case where the pattern space is empty but does not start
with a NUL character, which might occur after using the D command.
From Mohamed Akram
naddy [Wed, 28 Aug 2024 14:22:36 +0000 (14:22 +0000)]
Stop printing the "syscall" bit in the header line, too.
ok deraadt@
claudio [Wed, 28 Aug 2024 13:21:39 +0000 (13:21 +0000)]
Introduce peer_is_up() and use it instead of peer->state == PEER_UP checks
also enqueue update and rrfresh imsgs only if the peer is up and flush them
once this is no longer the case.
OK tb@
claudio [Wed, 28 Aug 2024 13:18:11 +0000 (13:18 +0000)]
Check the max_prefix and max_out_prefix limit during config reload.
This is cheap and will trigger immediatly instead of waiting until
the next UPDATE happens (which could happen a lot later).
OK tb@ job@
claudio [Wed, 28 Aug 2024 13:14:39 +0000 (13:14 +0000)]
Extend maxprefix and maxprefixout tests to also check that the limits
are checked during reload.
sf [Wed, 28 Aug 2024 12:40:22 +0000 (12:40 +0000)]
vio: Fix allocation sizes
For both rx and tx, we need an array of bus_dmamap_t and mbuf pointers each.
This results in a size of
(rxqsize + txqsize) * (sizeof(bus_dmamap_t) + sizeof(struct mbuf *))
The factor 2 before the sizeof(bus_dmamap_t) was too much and we
allocated more than we needed.
OK bluhm@
djm [Wed, 28 Aug 2024 12:08:26 +0000 (12:08 +0000)]
fix test: -F is the argument to specify a non-default ssh_config,
not -f (this is sadly not a new bug)
op [Wed, 28 Aug 2024 11:41:42 +0000 (11:41 +0000)]
libpcap: replace atoi() usage with strtonum()
ok/improvements beck@
op [Wed, 28 Aug 2024 11:40:33 +0000 (11:40 +0000)]
libpcap: replace hand-rolled number parser with strtol
can't use strtonum here since it needs to handle octal and hex
notations as well. Part of a larger diff that's ok beck@
tb [Wed, 28 Aug 2024 09:39:17 +0000 (09:39 +0000)]
sync ibuf_realloc() copy with libutil
This pulls in an overflow check and the change from recallocarray() to
realloc(). claudio tells me that we might soon get rid of this copy.
ok claudio
tb [Wed, 28 Aug 2024 08:59:03 +0000 (08:59 +0000)]
Get rid of last use of db_meth
Nothing touches db_meth in ports. Thus only way a db_meth can be set is
now as a side effect X509V3_set_conf() in which case the db is an NCONF
database and the db_meth will be a thin wrapper of NCONF_get_section().
Make that explicit in the implementation, remove the guts of the unused
X509V3_get_string() and X509V3_string_free(), turn X509V3_section_free()
into a noop and replace several checks for ctx->db, ctx->db->meth, ...
with a simple ctx->db != NULL check.
ok beck jsing
tb [Wed, 28 Aug 2024 08:50:41 +0000 (08:50 +0000)]
Remove a few obvious comments, unwrap a few lines and annotate some
functions for removal
tb [Wed, 28 Aug 2024 08:43:55 +0000 (08:43 +0000)]
Turn X509V3_set_conf_lhash() into a noop
Another legacy turd that was only used by PHP 7.4 and 8.0.
ok beck jsing
tb [Wed, 28 Aug 2024 08:41:18 +0000 (08:41 +0000)]
Add LCRYPTO_USED(X509_get_signature_info)
tb [Wed, 28 Aug 2024 08:33:06 +0000 (08:33 +0000)]
Disable X509V3_EXT{,_CRL,_REQ}_add_conf()
These legacy interfaces were only used by PHP 7.4 and 8.0 and they will
be removed in an upcoming bump.
ok beck jsing
tb [Wed, 28 Aug 2024 08:22:57 +0000 (08:22 +0000)]
Annotate X509V3_CONF_CTX and its only instance for removal
A comment saying /* Maybe more here */ in a public also goes (yuck).
Of course the promise was fulfilled by OpenSSL 3.
ok beck jsing
tb [Wed, 28 Aug 2024 07:37:50 +0000 (07:37 +0000)]
Make use of X509_get_signature_info() in check_sig_level()
If an auth_level (i.e., security_level, but not quite, because Viktor) was
set on the X509_VERIFY_PARAM in the X509_STORE_CTX, the verifier would
reject RSA-PSS or EdDSA certificates for insufficient security bits due to
incorrect use of OBJ_find_sigid_algs() (this was also a bug in the initial
security level implementation in OpenSSL 1.1).
Using X509_get_signature_info() fixes this while preserving behavior for
all other algorithms.
Reported by Steffen Ullrich as one of multiple issues with RSA-PSS.
ok jsing
tb [Wed, 28 Aug 2024 07:18:55 +0000 (07:18 +0000)]
Document X509_get0_signature_info()
Loosely based on the OpenSSL 1.1 documentation but extended quite a bit to
explain what the flags mean and what info they do (and do not) convey. With
the usual valuable feedback from jmc.
ok jmc
tb [Wed, 28 Aug 2024 07:15:04 +0000 (07:15 +0000)]
Implement X509_get_signature_info()
This is a slightly strange combination of OBJ_find_sigid_algs() and the
security level API necessary because OBJ_find_sigid_algs() on its own
isn't smart enough for the special needs of RSA-PSS and EdDSA.
The API extracts the hash's NID and the pubkey's NID from the certificate's
signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA
for retrieving the corresponding information. This isn't entirely free
for RSA-PSS, but for now we don't cache this information.
The security bits calculation is a bit hand-wavy, but that's something
that comes along with this sort of numerology.
ok jsing
tb [Wed, 28 Aug 2024 06:53:24 +0000 (06:53 +0000)]
Fix underlying pkey of RSA-PSS
There are currently very few differences between the rsa_asn1_meth for
plain RSA and the rsa_pss_asn1_meth for RSA-PSS apart from the obviously
necessary differnces for base_method, pkey_id, pem_str and info (and the
fact that RSA has support for legacy private key encoding). This had the
lucky side effect that it didn't really matter which ameth one ended up
using after OBJ_find_sigid_algs().
With the upcoming support for X509_get_signature_infO() for RSA-PSS, this
needs to change as for RSA-PSS we need to decode the PSS parameters for
extracting the "security level", whereas for RSA we can just use the hash
length. Thus, for RSA-PSS switch pkey_id from the incorrect rsaEncryption
to rassaPss.
ok jsing
PS: OBJ_find_sigid_algs() manual is no longer entirely correct, but this
has been the case since we added
Ed25519 support to obj_xref.
tb [Wed, 28 Aug 2024 06:27:19 +0000 (06:27 +0000)]
Add a comment to OCSP_id_issuer_cmp() to make blind use of X509_ALGOR_cmp()
less likely.
ok jsing
tb [Wed, 28 Aug 2024 06:26:06 +0000 (06:26 +0000)]
Clean up and simplify OCSP_cert_id_new()
Use proper NULL checks, set hashAlgorithm with X509_ALGOR_set0_by_nid(),
and avoid a silly digerr label.
ok jsing
tb [Wed, 28 Aug 2024 06:18:44 +0000 (06:18 +0000)]
Avoid reaching into X509_ALGOR in ocsp_certid_print()
ok jsing
tb [Wed, 28 Aug 2024 06:17:06 +0000 (06:17 +0000)]
Avoid polluting the error stack when printing certificates
For a certificate serial number between LONG_MAX and ULONG_MAX, the call to
ASN1_INTEGER_get() fails and leaves an error on the stack because the check
bs->length <= sizeof(long) doesn't quite do what it's supposed to do (bs is
probably for bitstring, although the more common reading would be adequate,
too.)
Fix this by checking for non-negativity and using ASN1_INTEGER_get_uint64()
and add a lengthy comment to explain the nonsense per beck's request.
discussed with jsing
ok beck
jsg [Wed, 28 Aug 2024 06:09:36 +0000 (06:09 +0000)]
change dev_set_drvdata() call to pci_set_drvdata() to match linux
no functional change