openbsd
8 weeks agobe more strict in parsing key type names. Only allow shortnames (e.g
djm [Wed, 4 Sep 2024 05:33:34 +0000 (05:33 +0000)]
be more strict in parsing key type names. Only allow shortnames (e.g
"rsa") in user-interface code and require full SSH protocol names (e.g.
"ssh-rsa") everywhere else.

Prompted by bz3725; ok markus@

8 weeks agofix RCSID in output
djm [Wed, 4 Sep 2024 05:11:33 +0000 (05:11 +0000)]
fix RCSID in output

8 weeks agoRemove openssl 1.1 regress
tb [Wed, 4 Sep 2024 04:36:14 +0000 (04:36 +0000)]
Remove openssl 1.1 regress

8 weeks agoUnlink OpenSSL 1.1 regress
tb [Wed, 4 Sep 2024 04:35:30 +0000 (04:35 +0000)]
Unlink OpenSSL 1.1 regress

8 weeks agoLink openssl 3.2 regress to build
tb [Wed, 4 Sep 2024 04:35:05 +0000 (04:35 +0000)]
Link openssl 3.2 regress to build

8 weeks agoAdd regress against OpenSSL 3.2
tb [Wed, 4 Sep 2024 04:34:14 +0000 (04:34 +0000)]
Add regress against OpenSSL 3.2

OpenSSL 1.1 is dead. This directory will use the default version in ports
(currently 3.2) for regress testing.

8 weeks agofix some typos; courtesy of codespell; ok gilles@
op [Tue, 3 Sep 2024 18:27:04 +0000 (18:27 +0000)]
fix some typos;  courtesy of codespell;  ok gilles@

8 weeks agotypo in comment; Effectivly -> Effectively; ok gilles@
op [Tue, 3 Sep 2024 18:21:55 +0000 (18:21 +0000)]
typo in comment; Effectivly -> Effectively; ok gilles@

8 weeks agotypo in comment; saveguard -> safeguard; ok gilles@
op [Tue, 3 Sep 2024 18:20:35 +0000 (18:20 +0000)]
typo in comment; saveguard -> safeguard; ok gilles@

8 weeks agoFor virtual addresses use fixed page frame without AMD SEV reduction.
bluhm [Tue, 3 Sep 2024 17:19:53 +0000 (17:19 +0000)]
For virtual addresses use fixed page frame without AMD SEV reduction.

When running as a SEV guest, page frame mask is calculated from the
CPUID provided "physical address bit reduction".  The amd64 pmap
code uses the variable pg_frame instead of the defined PG_FRAME
0x000ffffffffff000.
There was one instance in pmap code where pg_frame was applied to
virtual address, not physical address.  On some machines the address
bit reduction is rather large with six bits.  So the calculated
pg_frame is 0x00003fffffe00000.  However, on amd64 VM_MAX_ADDRESS
is defined as 0x00007fbfdfeff000.  Masking a such large address
with pg_frame caused havoc.  Therefore, when masking virtual
addresses, still use PG_FRAME.

from hshoexer@

8 weeks agowild white space
deraadt [Tue, 3 Sep 2024 17:05:59 +0000 (17:05 +0000)]
wild white space

8 weeks agoMake state file parsing errors more explicit. Also don't leak the deltas.
tb [Tue, 3 Sep 2024 15:37:03 +0000 (15:37 +0000)]
Make state file parsing errors more explicit. Also don't leak the deltas.

joint effort with/ok claudio

8 weeks agosync
deraadt [Tue, 3 Sep 2024 15:28:58 +0000 (15:28 +0000)]
sync

8 weeks agoAlso gate SPL statistics behind 'experimental' command line option
job [Tue, 3 Sep 2024 15:04:48 +0000 (15:04 +0000)]
Also gate SPL statistics behind 'experimental' command line option

This changes the JSON output, without -x some keys are missing from 'metadata'

OK tb@

8 weeks agovmm(4)/vmx: avoid VPID leakage by allocating at vcpu init.
dv [Tue, 3 Sep 2024 13:36:19 +0000 (13:36 +0000)]
vmm(4)/vmx: avoid VPID leakage by allocating at vcpu init.

VPID allocation being dependent on the host and guest config
(consequently pushing it into the reset register handler) creates
a leak where previous VPIDs are not freed if the hypervisor program
resets a vcpu's registers.

Recent SVM related changes pulled the VPID (ASID in AMD world)
allocation up into vcpu initialization. This change does the same
for VMX and cleans up appropriate logic. Minor changes to keep SVM
and VMX styles in line with each other.

ok bluhm@

8 weeks agoIn rrdp_session_parse() set the last_reset time to now if the .state file
claudio [Tue, 3 Sep 2024 13:31:31 +0000 (13:31 +0000)]
In rrdp_session_parse() set the last_reset time to now if the .state file
does not exist.
OK tb@

8 weeks agobump version
gilles [Tue, 3 Sep 2024 12:07:40 +0000 (12:07 +0000)]
bump version

8 weeks agoregen
bluhm [Tue, 3 Sep 2024 09:36:12 +0000 (09:36 +0000)]
regen

8 weeks agoFor AMD SEV create /dev/psp.
bluhm [Tue, 3 Sep 2024 09:35:46 +0000 (09:35 +0000)]
For AMD SEV create /dev/psp.

To call ioctl(2) for the platform security processor (PSP), vmd(8)
needs a device file.  It is currently linked to the cryptographic
co-processor ccp(4).  We may split this into a separate psp(4)
device.

from hshoexer@; input jsg@

8 weeks agocheck_sym: adjust logic not to exit 1 in the default dynamic mode
tb [Tue, 3 Sep 2024 08:49:16 +0000 (08:49 +0000)]
check_sym: adjust logic not to exit 1 in the default dynamic mode

ok guenther

8 weeks agoenvrionment -> environment;
jmc [Tue, 3 Sep 2024 06:17:48 +0000 (06:17 +0000)]
envrionment -> environment;

8 weeks agoregression test for Include variable expansion
djm [Tue, 3 Sep 2024 05:58:56 +0000 (05:58 +0000)]
regression test for Include variable expansion

8 weeks agoallow the "Include" directive to expand the same set of %-tokens
djm [Tue, 3 Sep 2024 05:29:55 +0000 (05:29 +0000)]
allow the "Include" directive to expand the same set of %-tokens
that "Match Exec" and environment variables.

ok dtucker@

8 weeks agoFix test_fork() prototype.
anton [Tue, 3 Sep 2024 04:59:03 +0000 (04:59 +0000)]
Fix test_fork() prototype.

8 weeks agoStop invoking diff(1) from C in access unveil regress, instead perform
anton [Tue, 3 Sep 2024 04:58:30 +0000 (04:58 +0000)]
Stop invoking diff(1) from C in access unveil regress, instead perform
the diffing from the make target.

8 weeks agoAdjust expected output after recent X_OK changes.
anton [Tue, 3 Sep 2024 04:58:00 +0000 (04:58 +0000)]
Adjust expected output after recent X_OK changes.

8 weeks agomove psp functions to psp.c and remove the ifdefs
jsg [Tue, 3 Sep 2024 00:23:05 +0000 (00:23 +0000)]
move psp functions to psp.c and remove the ifdefs
ok bluhm@ hshoexer@

8 weeks agosync
deraadt [Mon, 2 Sep 2024 16:39:03 +0000 (16:39 +0000)]
sync

8 weeks agoIn our fight against the cosmos, in the chaos of the source tree, we
deraadt [Mon, 2 Sep 2024 16:37:58 +0000 (16:37 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz.  Some people felt trauma, and called out our
hubris.  At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him!  After playing, I consider it the acme of
quizzes.
ok jmc mglocker

8 weeks agoIn our fight against the cosmos, in the chaos of the source tree, we
deraadt [Mon, 2 Sep 2024 16:34:44 +0000 (16:34 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz.  Some people felt trauma, and called out our
hubris.  At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him!  After playing, I consider it the acme of
quizzes.
ok jmc mglocker

8 weeks agomissing ifdef
djm [Mon, 2 Sep 2024 12:18:35 +0000 (12:18 +0000)]
missing ifdef

8 weeks agoAdd experimental support for hybrid post-quantum key exchange
djm [Mon, 2 Sep 2024 12:13:56 +0000 (12:13 +0000)]
Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03

This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.

Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.

ok markus@ deraadt@

8 weeks agoIncrease number of concurrent RRDP session handler slots
job [Mon, 2 Sep 2024 11:56:22 +0000 (11:56 +0000)]
Increase number of concurrent RRDP session handler slots

OK claudio@

8 weeks agosimplify ccp ifdef; ok bluhm@
jsg [Mon, 2 Sep 2024 11:08:41 +0000 (11:08 +0000)]
simplify ccp ifdef; ok bluhm@

8 weeks agovirtio: Move interrupt setup into separate function
sf [Mon, 2 Sep 2024 08:26:26 +0000 (08:26 +0000)]
virtio: Move interrupt setup into separate function

Put the MSIX vector into struct virtqueue and create a transport
specific function that feeds the vectors to the device. This will allow
child devices to influence which vectors are used for which virtqueues.
This will be used by multi-queue vio(4) to route corresponding rx/tx
queue interrupts to the same cpu.

The setup_intrs() function also sets the config interrupt MSIX vector
which fixes a bug that virtio_pci_set_msix_config_vector() would not
be called after a device reset.

OK bluhm@

8 weeks agovirtio_pci: Improve interrupt names
sf [Mon, 2 Sep 2024 08:22:08 +0000 (08:22 +0000)]
virtio_pci: Improve interrupt names

Make interrupt strings according to the child device. This gives names
like vio0:1, vioblk0 instead of virtio0, virtio1.  Also allocate array
of interrupt handlers dynamically. The current size will be too small
for vio multi-queue.

OK bluhm@

8 weeks agosync
tb [Mon, 2 Sep 2024 08:05:18 +0000 (08:05 +0000)]
sync

8 weeks agoRemove X509_check_trust documentation
tb [Mon, 2 Sep 2024 08:04:32 +0000 (08:04 +0000)]
Remove X509_check_trust documentation

8 weeks agosync
tb [Mon, 2 Sep 2024 07:58:05 +0000 (07:58 +0000)]
sync

8 weeks agoThe X509at_* manuals are no longer needed
tb [Mon, 2 Sep 2024 07:57:27 +0000 (07:57 +0000)]
The X509at_* manuals are no longer needed

8 weeks agoAlso remove .Xr to X509at_*
tb [Mon, 2 Sep 2024 07:56:28 +0000 (07:56 +0000)]
Also remove .Xr to X509at_*

8 weeks agoExcise X509at_* from X509_REQ_* documentation
tb [Mon, 2 Sep 2024 07:55:26 +0000 (07:55 +0000)]
Excise X509at_* from X509_REQ_* documentation

8 weeks agoRename lastpos to start_after to match other, similar manuals
tb [Mon, 2 Sep 2024 07:54:21 +0000 (07:54 +0000)]
Rename lastpos to start_after to match other, similar manuals

8 weeks agoMore X509at_* removal
tb [Mon, 2 Sep 2024 07:45:09 +0000 (07:45 +0000)]
More X509at_* removal

8 weeks agoRemove mention of the no longer public X509at_* functions
tb [Mon, 2 Sep 2024 07:43:07 +0000 (07:43 +0000)]
Remove mention of the no longer public X509at_* functions

8 weeks agoAdjust function signatures for const X509_LOOKUP_METHOD
tb [Mon, 2 Sep 2024 07:20:21 +0000 (07:20 +0000)]
Adjust function signatures for const X509_LOOKUP_METHOD

8 weeks agoCoding of the handling of errors for <sequence number> hadn't be completed.
yasuoka [Mon, 2 Sep 2024 04:45:22 +0000 (04:45 +0000)]
Coding of the handling of errors for <sequence number> hadn't be completed.

8 weeks agoregen
yasuoka [Mon, 2 Sep 2024 04:00:51 +0000 (04:00 +0000)]
regen

8 weeks agoAdd Intel X540 X550 virtual function devices. From Yuichiro NAITO.
yasuoka [Mon, 2 Sep 2024 03:59:40 +0000 (03:59 +0000)]
Add Intel X540 X550 virtual function devices.  From Yuichiro NAITO.

ok jmatthew

8 weeks agoRegarding previous commit, X_OK on unveil-permitted directories does
deraadt [Sun, 1 Sep 2024 23:26:10 +0000 (23:26 +0000)]
Regarding previous commit, X_OK on unveil-permitted directories does
not map nicely to UNVEIL_EXEC.  But we don't know before calling
namei() if the path is a directory.  Oh well, stick to UNVEIL_READ
for that case, it is going to be good enough for the typical case.
Worked out with jeremy after chrome/firefox Downloads directory issue.

8 weeks agodhcpleased: fix a sizeof for IMSG_REQUEST_REBOOT.
tb [Sun, 1 Sep 2024 20:24:42 +0000 (20:24 +0000)]
dhcpleased: fix a sizeof for IMSG_REQUEST_REBOOT.

"fatal in engine: engine_dispatch_frontend: invalid IMSG_REQUEST_REBOOT"
reported by qwer.ty tuta io

ok florian kn

8 weeks agoFor AMD SEV mention platform security processor in ccp(4) map page.
bluhm [Sun, 1 Sep 2024 19:32:48 +0000 (19:32 +0000)]
For AMD SEV mention platform security processor in ccp(4) map page.

from hshoexer@; input jsg@; ok mlarkin@

8 weeks agoFor AMD SEV provide ioctl(2) in cpp(4) to shutdown guest.
bluhm [Sun, 1 Sep 2024 19:25:06 +0000 (19:25 +0000)]
For AMD SEV provide ioctl(2) in cpp(4) to shutdown guest.

To shutdown a SEV-enabled guest, first deactivate the guest context
in ccp(4), then decommission the guest context.  Combine these two
operations in a single ioctl to simplify guest shutdown for vmd(8).
As this ioctl does not directly map to a single ccp command, use a
high number for the ioctl.  More ioctls like this one will come.

from hshoexer@; OK mlarkin@

8 weeks agosymbols: remove special case for cpuid_setup and cpu_caps
tb [Sun, 1 Sep 2024 17:20:37 +0000 (17:20 +0000)]
symbols: remove special case for cpuid_setup and cpu_caps

The former is gone and the latter is available in crypto.h.

8 weeks agoPledge "vmm" for ccp(4) ioctl(2).
bluhm [Sun, 1 Sep 2024 17:13:46 +0000 (17:13 +0000)]
Pledge "vmm" for ccp(4) ioctl(2).

Limit ccp ioctls to processes that pledge vmm.  Specific psp device
ioctls for AMD SEV will allowed for vmd(8).

from hshoexer@; input deraadt@ jsg@

8 weeks agoEnable warnings and fix style nits.
anton [Sun, 1 Sep 2024 06:05:11 +0000 (06:05 +0000)]
Enable warnings and fix style nits.

8 weeks agoMake unveil access regress work with objdir.
anton [Sun, 1 Sep 2024 05:48:20 +0000 (05:48 +0000)]
Make unveil access regress work with objdir.

8 weeks agoApls -> Alps
jsg [Sun, 1 Sep 2024 05:33:29 +0000 (05:33 +0000)]
Apls -> Alps

8 weeks agoequivalient -> equivalent
jsg [Sun, 1 Sep 2024 05:20:25 +0000 (05:20 +0000)]
equivalient -> equivalent

8 weeks agodladdr(3) is in POSIX-2024, though the structure type was renamed
guenther [Sun, 1 Sep 2024 04:27:45 +0000 (04:27 +0000)]
dladdr(3) is in POSIX-2024, though the structure type was renamed
to match Solaris and _not_ match glibc/BSDs and no one caught it
before publication.  Provide the new name but keep providing the
existing names under the same conditions as before.  Update #include
visibility and dlfcn(3) manpage and add restrict qualifiers.

ok deraadt@

8 weeks agospelling; checked by jmc@, ok miod@ mglocker@
jsg [Sun, 1 Sep 2024 03:14:48 +0000 (03:14 +0000)]
spelling; checked by jmc@, ok miod@ mglocker@

8 weeks agoregen
jsg [Sun, 1 Sep 2024 03:09:34 +0000 (03:09 +0000)]
regen

8 weeks agospelling; checked by jmc@, ok miod@ mglocker@ krw@
jsg [Sun, 1 Sep 2024 03:08:56 +0000 (03:08 +0000)]
spelling; checked by jmc@, ok miod@ mglocker@ krw@

8 weeks agoadd tests for linux kpi for rbtree
aisha [Sun, 1 Sep 2024 00:22:59 +0000 (00:22 +0000)]
add tests for linux kpi for rbtree

lots of cleanup and rewriting by jsg@

8 weeks agoAdd regression test for access(2)+unveil(2)
jeremy [Sat, 31 Aug 2024 20:03:03 +0000 (20:03 +0000)]
Add regression test for access(2)+unveil(2)

ok deraadt

8 weeks agosync x509v3_add_value with x509_utl.c
tb [Sat, 31 Aug 2024 18:39:25 +0000 (18:39 +0000)]
sync x509v3_add_value with x509_utl.c

8 weeks agoRewrite X509V3_add_value() to a single exit idiom
tb [Sat, 31 Aug 2024 18:38:46 +0000 (18:38 +0000)]
Rewrite X509V3_add_value() to a single exit idiom

ok jsing

8 weeks agoRemove redundant COPYRIGHT file.
jsing [Sat, 31 Aug 2024 16:28:49 +0000 (16:28 +0000)]
Remove redundant COPYRIGHT file.

This is already included at the top of each file in this directory.

Prompted by tb@

8 weeks agonet drivers may have mii children, but mii layer has no _activate
deraadt [Sat, 31 Aug 2024 16:23:09 +0000 (16:23 +0000)]
net drivers may have mii children, but mii layer has no _activate
functions.  similar operations are done via driver xx_stop/init functions
calling mii_ subfunctions directly at the right moments in time, and
are not anticipated to ever need the activate mechanism.  so for now,
delete all the config_activate_children() here
ok kettenis

8 weeks agoMake fcrypt_body() static and remove prototype.
jsing [Sat, 31 Aug 2024 16:22:18 +0000 (16:22 +0000)]
Make fcrypt_body() static and remove prototype.

8 weeks agoUnifdef DES_PTR, DES_RISC1 and DES_RISC2.
jsing [Sat, 31 Aug 2024 16:17:13 +0000 (16:17 +0000)]
Unifdef DES_PTR, DES_RISC1 and DES_RISC2.

These are all go fast knobs that convolute the code and can be dangerous.
Lets presume that we have a modern and somewhat capable C compiler instead.

ok tb@

8 weeks agoUnifdef OPENBSD_DES_ASM.
jsing [Sat, 31 Aug 2024 16:04:22 +0000 (16:04 +0000)]
Unifdef OPENBSD_DES_ASM.

There are no assembly implementations now.

ok tb@

8 weeks agoInline and remove spr.h.
jsing [Sat, 31 Aug 2024 16:01:18 +0000 (16:01 +0000)]
Inline and remove spr.h.

This is only included once in des_enc.c - inline the tables instead.

Prompted by tb@

8 weeks agoCombine DES code into a smaller set of files.
jsing [Sat, 31 Aug 2024 15:56:09 +0000 (15:56 +0000)]
Combine DES code into a smaller set of files.

Discussed with tb@

8 weeks agoIf FADT_POWER_S0_IDLE_CAPABLE feature is found, prefer S0ix style over S3.
deraadt [Sat, 31 Aug 2024 15:53:44 +0000 (15:53 +0000)]
If FADT_POWER_S0_IDLE_CAPABLE feature is found, prefer S0ix style over S3.
Commiting now so that tests can be done by more people before release.
At the last moment, we can pull this change out.

8 weeks agojeremy observed that access() on unveiled space was returning errors
deraadt [Sat, 31 Aug 2024 15:52:09 +0000 (15:52 +0000)]
jeremy observed that access() on unveiled space was returning errors
for valid requests.  This is because the nd.ni_unveil to namei() was
always UNVEIL_READ, regardless of the request amode.  Building a
correct ni_unveil passes a new regression test, producing expected
results.
ok beck jeremy

8 weeks agoMerge fcrypt_b.c into fcrypt.c.
jsing [Sat, 31 Aug 2024 15:39:33 +0000 (15:39 +0000)]
Merge fcrypt_b.c into fcrypt.c.

There is no need for these to be separate (presumably done due to assembly
implementations, even though there are #ifdef as well).

Discussed with tb@

8 weeks agoRemove now unused ncbc_enc.c.
jsing [Sat, 31 Aug 2024 14:31:20 +0000 (14:31 +0000)]
Remove now unused ncbc_enc.c.

8 weeks agoExpand DES_ncbc_encrypt() in des_enc.c.
jsing [Sat, 31 Aug 2024 14:29:15 +0000 (14:29 +0000)]
Expand DES_ncbc_encrypt() in des_enc.c.

Copy ncbc_enc.c where it was previously #included, then clean up with
`unifdef -m -UCBC_ENC_C__DONT_UPDATE_IV`.

Discussed with tb@

8 weeks agoExpand DES_cbc_encrypt() in cbc_enc.c.
jsing [Sat, 31 Aug 2024 14:25:04 +0000 (14:25 +0000)]
Expand DES_cbc_encrypt() in cbc_enc.c.

Copy ncbc_enc.c where it was previously #included, then clean up with
`unifdef -m -DCBC_ENC_C__DONT_UPDATE_IV`.

Discussed with tb@

8 weeks agoupdate the header; ok and error corrected by jsg
jmc [Sat, 31 Aug 2024 13:41:13 +0000 (13:41 +0000)]
update the header; ok and error corrected by jsg

8 weeks agogrammar tweaks; counter tweaked by dlg
jmc [Sat, 31 Aug 2024 13:39:36 +0000 (13:39 +0000)]
grammar tweaks; counter tweaked by dlg

8 weeks agoUpdate for OPENSSL_cpu_caps() now being machine independent.
jsing [Sat, 31 Aug 2024 12:47:24 +0000 (12:47 +0000)]
Update for OPENSSL_cpu_caps() now being machine independent.

8 weeks agoUpdate for OPENSSL_cpu_caps() now being machine independent.
jsing [Sat, 31 Aug 2024 12:46:55 +0000 (12:46 +0000)]
Update for OPENSSL_cpu_caps() now being machine independent.

ok tb@

8 weeks agoMake OPENSSL_cpu_caps() machine independent.
jsing [Sat, 31 Aug 2024 12:43:58 +0000 (12:43 +0000)]
Make OPENSSL_cpu_caps() machine independent.

OPENSSL_cpu_caps() is currently machine dependent and exposes CPUID data
on amd64 and i386. However, what it is really used for is to indicate
whether specific algorithms are accelerated on the given hardware. Change
OPENSSL_cpu_caps() so that it returns a machine indepent value, which
decouples it from amd64/i386 and will allow it to be used appropriately
on other platforms in the future.

ok tb@

8 weeks agoUndo workaround for EVP_PKEY_*check() removal
tb [Sat, 31 Aug 2024 11:14:58 +0000 (11:14 +0000)]
Undo workaround for EVP_PKEY_*check() removal

8 weeks agosync libressl bump
tb [Sat, 31 Aug 2024 10:55:42 +0000 (10:55 +0000)]
sync libressl bump

8 weeks agomajor bump for libcrypto libssl and libtls
tb [Sat, 31 Aug 2024 10:54:12 +0000 (10:54 +0000)]
major bump for libcrypto libssl and libtls

8 weeks agoBump LIBRESSL_VERSION_NUMBER
tb [Sat, 31 Aug 2024 10:52:43 +0000 (10:52 +0000)]
Bump LIBRESSL_VERSION_NUMBER

8 weeks agoRemove SSL_add_compression_method
tb [Sat, 31 Aug 2024 10:51:48 +0000 (10:51 +0000)]
Remove SSL_add_compression_method

8 weeks agoExpose X509_get_signature_info
tb [Sat, 31 Aug 2024 10:49:35 +0000 (10:49 +0000)]
Expose X509_get_signature_info

To compensate for all the removals, a single, small, constructive piece
of this bump: expose X509_get_signature_info() so that libssl's security
level API can handle RSA-PSS certificates correctly.

ok beck jsing

8 weeks agoMake X509at_* API internal
tb [Sat, 31 Aug 2024 10:46:40 +0000 (10:46 +0000)]
Make X509at_* API internal

The only consumer, yara, has been adjusted. It will be some more work
to remove this idiocy internally, but at least we will no longer have
to care about external consumers.

ok beck jsing

8 weeks agosync
tb [Sat, 31 Aug 2024 10:45:37 +0000 (10:45 +0000)]
sync

8 weeks agoUnexport OPENSSL_cpuid_setup and OPENSSL_ia32cap_P
tb [Sat, 31 Aug 2024 10:44:39 +0000 (10:44 +0000)]
Unexport OPENSSL_cpuid_setup and OPENSSL_ia32cap_P

This allows us in particular to get rid of the MD Symbols.list which
were needed on amd64 and i386 for llvm 16 a while back. OPENSSL_ia32cap_P
was never properly exported since the symbols were marked .hidden in the
asm.

ok beck jsing

8 weeks agoZap HMAC_Init
tb [Sat, 31 Aug 2024 10:42:21 +0000 (10:42 +0000)]
Zap HMAC_Init

Long deprecated, last users have been fixed.

ok beck jsing

8 weeks agoNuke the whrlpool (named after the galaxy) from orbit
tb [Sat, 31 Aug 2024 10:38:49 +0000 (10:38 +0000)]
Nuke the whrlpool (named after the galaxy) from orbit

It's just gross. Only used by a popular disk encryption utility on an
all-too-popular OS one or two decades back.

ok beck jsing

8 weeks agoRemove DES_enc_{read,write} and DES_rw_mode
tb [Sat, 31 Aug 2024 10:30:16 +0000 (10:30 +0000)]
Remove DES_enc_{read,write} and DES_rw_mode

Unfortunately we'll probably never be able to get rid of DES entirely.
One part of it that is old enough to be a grandparent can go, though.

ok beck jsing

8 weeks agoGarbage collec UI_UTIL remnants
tb [Sat, 31 Aug 2024 10:28:03 +0000 (10:28 +0000)]
Garbage collec UI_UTIL remnants

ok beck jsing

8 weeks agoRemove EVP_PKEY.*attr* API
tb [Sat, 31 Aug 2024 10:25:38 +0000 (10:25 +0000)]
Remove EVP_PKEY.*attr* API

I ranted enough about this recently. PKCS#12. Microsoft. 'nuff said.

ok beck jsing

8 weeks agoMove BIT_STRING_BITNAME tables to const
tb [Sat, 31 Aug 2024 10:23:13 +0000 (10:23 +0000)]
Move BIT_STRING_BITNAME tables to const

Another bunch of const correctness fixes for global tables. These are
used to map ns cert types, key usage types and CRL reasons to strings
and vice versa. By the looks of it, nobody ever figured out how to use
this (need I mention that it's convoluted?).

ok beck jsing