openbsd
2 years agoEnable commandl1, commandl2, and commandD1.
martijn [Wed, 12 Jan 2022 15:32:15 +0000 (15:32 +0000)]
Enable commandl1, commandl2, and commandD1.

D1 already worked.
l1 and l2 fixed after analysis by seL4 <at> disroot <dot> org

2 years agoMake lputs use psl instead of expecting it to be null-terminated.
martijn [Wed, 12 Jan 2022 15:13:36 +0000 (15:13 +0000)]
Make lputs use psl instead of expecting it to be null-terminated.
This allows us to enable the commandl1 and commandl2 regress tests.

Original analysis from seL4 <at> disroot <dot> org
OK millert@

2 years agotoggle hw.power based on the ACDI SMR key if available
robert [Wed, 12 Jan 2022 15:05:38 +0000 (15:05 +0000)]
toggle hw.power based on the ACDI SMR key if available

ok kettenis@

2 years agoset cpuspeed to 0 if hw.cpuspeed cannot be retrieved
robert [Wed, 12 Jan 2022 13:09:29 +0000 (13:09 +0000)]
set cpuspeed to 0 if hw.cpuspeed cannot be retrieved
ok kettenis@

2 years agoadd three new SMC sensors to get information about the power supply status
robert [Wed, 12 Jan 2022 13:08:06 +0000 (13:08 +0000)]
add three new SMC sensors to get information about the power supply status
and remaining time to battery full and empty and feed these values to
apm(4)

ok kettenis@

2 years agoFix array index. Spotted by robert@
kettenis [Wed, 12 Jan 2022 11:42:17 +0000 (11:42 +0000)]
Fix array index.  Spotted by robert@

2 years agoMake acpi_getpropint() return uint64_t, as ACPI integers are in fact that
patrick [Wed, 12 Jan 2022 11:18:30 +0000 (11:18 +0000)]
Make acpi_getpropint() return uint64_t, as ACPI integers are in fact that
wide and some _DSD properties depend on it.

ok kettenis@

2 years agoOnly evp_pkey_check needs static linking
tb [Wed, 12 Jan 2022 09:11:48 +0000 (09:11 +0000)]
Only evp_pkey_check needs static linking

2 years agoAdd a prototype for OBJ_bsearch_ so this test will keep working
tb [Wed, 12 Jan 2022 09:04:40 +0000 (09:04 +0000)]
Add a prototype for OBJ_bsearch_ so this test will keep working
after the bump. Since this tests the public interfaces, we do not
want to use LIBRESSL_INTERNAL/LIBRESSL_CRYPTO_INTERNAL here.

2 years agoRework ecdsatest to build after the bump and link statically for now
tb [Wed, 12 Jan 2022 09:02:34 +0000 (09:02 +0000)]
Rework ecdsatest to build after the bump and link statically for now

2 years agoRework dsatest to use accessors and link statically for now
tb [Wed, 12 Jan 2022 08:59:56 +0000 (08:59 +0000)]
Rework dsatest to use accessors and link statically for now

2 years agoRework dhtest to use accessors and link statically for now
tb [Wed, 12 Jan 2022 08:58:12 +0000 (08:58 +0000)]
Rework dhtest to use accessors and link statically for now

For some reason CVS didn't want to commit this the first time around.

2 years agoRework dhtest to use accessors and link statically for now
tb [Wed, 12 Jan 2022 08:56:49 +0000 (08:56 +0000)]
Rework dhtest to use accessors and link statically for now

2 years agoRework test to use EVP_AEAD_CTX_{new,free}() and link statically for now
tb [Wed, 12 Jan 2022 08:54:23 +0000 (08:54 +0000)]
Rework test to use EVP_AEAD_CTX_{new,free}() and link statically for now

2 years agoFix typo in header guard
tb [Wed, 12 Jan 2022 08:52:25 +0000 (08:52 +0000)]
Fix typo in header guard

2 years agoFix asn1x509 build with opaque structures. Link statically for now.
tb [Wed, 12 Jan 2022 08:45:09 +0000 (08:45 +0000)]
Fix asn1x509 build with opaque structures. Link statically for now.

2 years agoRemove ieee80211_find_node_for_beacon().
stsp [Wed, 12 Jan 2022 08:29:27 +0000 (08:29 +0000)]
Remove ieee80211_find_node_for_beacon().

The original purpose of ieee80211_find_node_for_beacon() was to avoid
storing duplicate nodes with the same source MAC address in a hash table.
Later on, our node table data structure was changed from a hash table
to an RB tree. The RB tree can only store a single node per MAC address.
However, find_node_for_beacon() was kept regardless, now documented to
serve a different purpose.

Its new purpose is to tell apart different nodes which happen to use
the same MAC address and hence cannot both be stored in the RB tree.
The idea is to filter such duplicate nodes out during a scan. But colliding
nodes are told apart by RSSI and channel, and either may change over time.
So this does not really prevent duplicate MAC addresses from causing issues.

The code which decides which node is "better" can erroneously match an
AP against itself, in case the AP uses a hidden SSID. This caused
workarounds for hidden SSID to pile up over time.
Just a bit further down, the code looks up the same node again and
performs all of the intended node state updates. Simply skipping the
ieee80211_find_node_for_beacon() check makes such state updates work.

ok tobhe@

2 years agoRework Makefile to use regress framework and link asn1basic statically.
tb [Wed, 12 Jan 2022 07:55:25 +0000 (07:55 +0000)]
Rework Makefile to use regress framework and link asn1basic statically.
It will need this for testing {d2i,i2d}_ASN1_BOOLEAN which will be
moved to internal-only in the upcoming bump.

2 years agoUse egrep when searching for an anchored string.
dtucker [Wed, 12 Jan 2022 07:18:37 +0000 (07:18 +0000)]
Use egrep when searching for an anchored string.

2 years agoMore accurately represent cells containing horizontal lines in -T tree
schwarze [Wed, 12 Jan 2022 04:53:57 +0000 (04:53 +0000)]
More accurately represent cells containing horizontal lines in -T tree
output.  In particular, do not represent "_" as "-", and distinguish "_"
from "\_" and "=" from "\=".
Output tweak following a related question from
Ted Bullock <tbullock at comlore dot com>.

2 years agoAccording to the tbl(7) manual, if a data cell contains only the
schwarze [Wed, 12 Jan 2022 04:43:21 +0000 (04:43 +0000)]
According to the tbl(7) manual, if a data cell contains only the
two character sequence "\_" or "\=", a single or double horizontal
line is supposed to be drawn inside the cell, not joining its
neighbours.

I am not aware of any way to do that with HTML and/or CSS.
Still, it seems closer to the intent of the document author to draw
a horizontal line with <hr/>, even though that line will join the
neighbour cells, rather than printing a literal '_' or '=' character.

Formatting tweak inspired by a related question from
Ted Bullock <tbullock at comlore dot com>.

2 years agoIn one of the examples, the tbl(7) source code displayed
schwarze [Wed, 12 Jan 2022 04:14:20 +0000 (04:14 +0000)]
In one of the examples, the tbl(7) source code displayed
contains a backslash that needs to be escaped, and the
missing escaping resulted in very misleading formatting.

Documentation bug found due to a question from
Ted Bullock <tbullock at comlore dot com>.

2 years agoDon't log NULL hostname in restricted agent code, printf("%s", NULL) is
dtucker [Wed, 12 Jan 2022 03:30:32 +0000 (03:30 +0000)]
Don't log NULL hostname in restricted agent code, printf("%s", NULL) is
not safe on all platforms.  with & ok djm

2 years agoBug fixes and performance improvements
afresh1 [Wed, 12 Jan 2022 02:21:15 +0000 (02:21 +0000)]
Bug fixes and performance improvements

Plus improving usage to match the man page

fine deraadt@

2 years agomaxumum -> maximum
jsg [Wed, 12 Jan 2022 01:19:24 +0000 (01:19 +0000)]
maxumum -> maximum

2 years agoRemove -target riscv64-unknown-openbsd from CMACHFLAGS.
kevlo [Wed, 12 Jan 2022 00:58:48 +0000 (00:58 +0000)]
Remove -target riscv64-unknown-openbsd from CMACHFLAGS.

ok kettenis@ deraadt@

2 years agospelling
jsg [Tue, 11 Jan 2022 23:59:55 +0000 (23:59 +0000)]
spelling

2 years agospelling
jsg [Tue, 11 Jan 2022 23:10:11 +0000 (23:10 +0000)]
spelling

2 years agoremove hardcoded domain and use window.location.host, so this can
djm [Tue, 11 Jan 2022 22:33:16 +0000 (22:33 +0000)]
remove hardcoded domain and use window.location.host, so this can
be run anywhere

2 years agoJasper Lake eMMC needs the same 0V quirk as Apollo Lake and Gemini Lake
jsg [Tue, 11 Jan 2022 21:41:15 +0000 (21:41 +0000)]
Jasper Lake eMMC needs the same 0V quirk as Apollo Lake and Gemini Lake

fixes accessing eMMC on Acer Swift 1 SF114-34
problem reported and fix tested by Sven Wolf

2 years agoMake sure 'out' is initialized to 0 before adding flags.
tobhe [Tue, 11 Jan 2022 20:34:22 +0000 (20:34 +0000)]
Make sure 'out' is initialized to 0 before adding flags.

ok dv@ mlarkin@

2 years agoforgot to zap some dead assignments
tb [Tue, 11 Jan 2022 19:27:35 +0000 (19:27 +0000)]
forgot to zap some dead assignments

2 years agoAdd regress for EVP_PKEY_{,public_,param_}check()
tb [Tue, 11 Jan 2022 19:20:36 +0000 (19:20 +0000)]
Add regress for EVP_PKEY_{,public_,param_}check()

2 years agoRevise for peer_cert.
jsing [Tue, 11 Jan 2022 19:08:08 +0000 (19:08 +0000)]
Revise for peer_cert.

2 years agoConvert relayd for opaque RSA_METHOD
tb [Tue, 11 Jan 2022 19:06:23 +0000 (19:06 +0000)]
Convert relayd for opaque RSA_METHOD

This is a mostly mechanical diff which will hopefully be superseded
soon by work in libtls.

ok jsing

2 years agoRemove peer_pkeys from SSL_SESSION.
jsing [Tue, 11 Jan 2022 19:03:15 +0000 (19:03 +0000)]
Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@

2 years agoSimplify SSL_get_peer_certificate()
jsing [Tue, 11 Jan 2022 18:43:00 +0000 (18:43 +0000)]
Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@

2 years agoRename 'peer' to 'peer_cert' in SSL_SESSION.
jsing [Tue, 11 Jan 2022 18:39:28 +0000 (18:39 +0000)]
Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@

2 years agoRevise for changes to tls_key_share_peer_public()
jsing [Tue, 11 Jan 2022 18:29:10 +0000 (18:29 +0000)]
Revise for changes to tls_key_share_peer_public()

2 years agoPlumb decode errors through key share parsing code.
jsing [Tue, 11 Jan 2022 18:28:41 +0000 (18:28 +0000)]
Plumb decode errors through key share parsing code.

Distinguish between decode errors and other errors, so that we can send
a SSL_AD_DECODE_ERROR alert when appropriate.

Fixes a tlsfuzzer failure, due to it expecting a decode error alert and
not receiving one.

Prompted by anton@

ok tb@

2 years agoUse SSL_AD_INTERNAL_ERROR for non-decoding alerts when parsing keyshares.
jsing [Tue, 11 Jan 2022 18:24:03 +0000 (18:24 +0000)]
Use SSL_AD_INTERNAL_ERROR for non-decoding alerts when parsing keyshares.

ok tb@

2 years agoSimplify tlsext_keyshare_server_parse()
jsing [Tue, 11 Jan 2022 18:22:16 +0000 (18:22 +0000)]
Simplify tlsext_keyshare_server_parse()

SSL_AD_DECODE_ERROR is the default alert for a TLS extension parsing
failure - remove the various gotos and simply return 0 instead.

ok tb@

2 years agoBump KVA space up to 512MB (and a bit).
kettenis [Tue, 11 Jan 2022 16:54:58 +0000 (16:54 +0000)]
Bump KVA space up to 512MB (and a bit).

ok phessler@, deraadt@, miod@

2 years agoWrap long lines
inoguchi [Tue, 11 Jan 2022 16:06:48 +0000 (16:06 +0000)]
Wrap long lines

2 years agoCheck function return value
inoguchi [Tue, 11 Jan 2022 15:45:00 +0000 (15:45 +0000)]
Check function return value

2 years agoSuppress warning
inoguchi [Tue, 11 Jan 2022 15:05:58 +0000 (15:05 +0000)]
Suppress warning

2 years agoCompare pointer variable with NULL
inoguchi [Tue, 11 Jan 2022 15:02:34 +0000 (15:02 +0000)]
Compare pointer variable with NULL

2 years agoRemove space between '*' and pointer variable.
inoguchi [Tue, 11 Jan 2022 14:35:14 +0000 (14:35 +0000)]
Remove space between '*' and pointer variable.

2 years agoConvert openssl(1) smime option handling
inoguchi [Tue, 11 Jan 2022 14:23:05 +0000 (14:23 +0000)]
Convert openssl(1) smime option handling

Apply new option handling to openssl(1) smime and no functional changes.

input and ok jsing@

2 years agoChange the way the parser accesses files. It now builds the file path
claudio [Tue, 11 Jan 2022 13:06:07 +0000 (13:06 +0000)]
Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

2 years agoGarbage collect historical setting of dsa->write_params = 1.
tb [Tue, 11 Jan 2022 12:14:07 +0000 (12:14 +0000)]
Garbage collect historical setting of dsa->write_params = 1.
This is always 1 with modern libs and write_params will soon go away.

2 years agoadd Synopsys Degisnware UART (dw-apb-uart) support
uaa [Tue, 11 Jan 2022 11:51:14 +0000 (11:51 +0000)]
add Synopsys Degisnware UART (dw-apb-uart) support

To fix Allwinner H6's UART problem, need to add dw-apb-uart special code.
ok kettenis@

2 years agoRemove KASSERT(0) and default switch case. No other sc_ncm_format
claudio [Tue, 11 Jan 2022 10:34:13 +0000 (10:34 +0000)]
Remove KASSERT(0) and default switch case. No other sc_ncm_format
switch has a default case and umb_ncm_setup_format() ensures that
only 16 and 32bit formats are accepted. Fixes build error without
DIAGNOSTIC set.
Found by and OK robert@

2 years agofix RSB_DMCR_DEVICE_MODE_DATA value to enter RSB mode correctly
uaa [Tue, 11 Jan 2022 10:23:17 +0000 (10:23 +0000)]
fix RSB_DMCR_DEVICE_MODE_DATA value to enter RSB mode correctly
ok kettenis@ patrick@

2 years agospelling
jsg [Tue, 11 Jan 2022 09:21:34 +0000 (09:21 +0000)]
spelling

2 years agomove allocations in DIOCSADDRULE and DIOCHANGERULE outside of locks.
sashan [Tue, 11 Jan 2022 09:00:17 +0000 (09:00 +0000)]
move allocations in DIOCSADDRULE and DIOCHANGERULE outside of locks.
this diff lets pf_rule_copyin() to be called outside of PF_LOCK()/NET_LOCK().

OK bluhm@

2 years agoregen
mvs [Tue, 11 Jan 2022 08:10:03 +0000 (08:10 +0000)]
regen

2 years agoUnlock getpeername(2). For inet and unix sockets it follows the code
mvs [Tue, 11 Jan 2022 08:09:14 +0000 (08:09 +0000)]
Unlock getpeername(2). For inet and unix sockets it follows the code
which was unlocked with accept(2) unlocking. For key management and
route domain sockets it just copies the read-only data.

ok bluhm@

2 years agoProduce alive in-flight sockets with positive "f_count == unp_msgcount"
mvs [Tue, 11 Jan 2022 08:03:25 +0000 (08:03 +0000)]
Produce alive in-flight sockets with positive "f_count == unp_msgcount"
equation. Such sockets should not be killed by unp_gc() otherwise system
will panic.

tested by anton@; ok bluhm@

2 years agomove kern_unveil.c to use DPRINTF()
semarie [Tue, 11 Jan 2022 07:31:50 +0000 (07:31 +0000)]
move kern_unveil.c to use DPRINTF()

Changes the way printf debug is done in kern_unveil.c

Currently, each printf() is enclosed in #ifdef DEBUG_UNVEIL. It moves
to using DPRINTF(), and reduces the number of #ifdef inside the file.

Also changes some strings to use __func__ instead of using the
function name verbatim.

ok visa@

2 years agoRemove dead store to f and avoid use of unvalidated fd.
visa [Tue, 11 Jan 2022 06:35:03 +0000 (06:35 +0000)]
Remove dead store to f and avoid use of unvalidated fd.

Found by LLVM scan-build.

OK millert@ deraadt@

2 years agoAdd temporary verbose logging when remote coverage fails to attach.
anton [Tue, 11 Jan 2022 06:23:05 +0000 (06:23 +0000)]
Add temporary verbose logging when remote coverage fails to attach.
In the hopes of tracking down a rare bug seen on syzkaller.

2 years agono need to inspect the coverage for the dying test case
anton [Tue, 11 Jan 2022 06:01:15 +0000 (06:01 +0000)]
no need to inspect the coverage for the dying test case

2 years agoIn revision 1.43 of kcov.c, the redundant conditional of checking for
anton [Tue, 11 Jan 2022 06:00:41 +0000 (06:00 +0000)]
In revision 1.43 of kcov.c, the redundant conditional of checking for
an exising kcov descriptor with the given device minor was removed since
kcov is a cloning device; i.e. the device minor should always be unique.

However, there's one edge case to still consider in which one thread
have tracing enabled while another thread closes the same kcov
descriptor. The kcov descriptor is kept alive until thread with tracing
enabled exits to prevent usage after free. This does however cause the
spec file layer above to flag the device minor as unused. Any subsequent
open of /dev/kcov would trip on the assertion in kcovopen() until the
thread with tracing enabled exits.

Therefore unconditionally remove the kcov descriptor from the global
list of active descriptors which is fine since the same kcov descriptor
will later be freed in kcov_exit().

I have never seen this in the wild but realized while hunting another
bug.

2 years agospelling
jsg [Tue, 11 Jan 2022 05:34:32 +0000 (05:34 +0000)]
spelling

2 years agoTidy up some comments
afresh1 [Tue, 11 Jan 2022 03:25:52 +0000 (03:25 +0000)]
Tidy up some comments

requested by deraadt@

2 years agospelling
jsg [Tue, 11 Jan 2022 03:13:58 +0000 (03:13 +0000)]
spelling
ok jmc@

2 years ago"void" functions should not return anything. From Tim Rice via -portable.
dtucker [Tue, 11 Jan 2022 02:56:19 +0000 (02:56 +0000)]
"void" functions should not return anything.  From Tim Rice via -portable.

2 years agosuppress "Connection to xxx closed" messages at LogLevel >= error
djm [Tue, 11 Jan 2022 01:26:47 +0000 (01:26 +0000)]
suppress "Connection to xxx closed" messages at LogLevel >= error
bz3378; ok dtucker@

2 years agoIf the install media contains non-free /*firmware*.tgz files, use fw_update
deraadt [Tue, 11 Jan 2022 00:58:32 +0000 (00:58 +0000)]
If the install media contains non-free /*firmware*.tgz files, use fw_update
to install them.  This lets users usb-lift firmware on a preloaded install70.img
image like this:
    # vnconfig install70.img
    vnd0
    # (mount /dev/vnd0a /mnt && cd /mnt && fw_update -F iwm iwx iwn intel)
    # umount /mnt && vnconfig -u vnd0
The firmwares are installed after the sets, then all network drivers are
re-configured in the hope that new firmwares have showed up.  The install
script continues to attempt a network firmware install, which might pull/update
additional firmwares.
work done with afresh1

2 years agoSplit 2nd half of enable_network() into a sub-function enable_ifs().
deraadt [Tue, 11 Jan 2022 00:48:45 +0000 (00:48 +0000)]
Split 2nd half of enable_network() into a sub-function enable_ifs().
This is the piece which loops over hostname.* files and runs ifconfig
like the inner loop of base /etc/netstart

2 years agomatch on Intel Jasper Lake
jsg [Tue, 11 Jan 2022 00:37:23 +0000 (00:37 +0000)]
match on Intel Jasper Lake

cavs/hda is pci class multimedia subclass audio so not automatically
matched by azalia but confirmed to work after matched

tested by Sven Wolf on Acer Swift 1 SF114-34 with Pentium Silver N6000

2 years agoregen
jsg [Mon, 10 Jan 2022 23:41:12 +0000 (23:41 +0000)]
regen

2 years agoadd Intel Jasper Lake devices
jsg [Mon, 10 Jan 2022 23:40:37 +0000 (23:40 +0000)]
add Intel Jasper Lake devices
from Intel Pentium Silver and Intel Celeron Processors Datasheet 633935

2 years agoConvert tls_bio_cb for opaque BIO
tb [Mon, 10 Jan 2022 23:39:48 +0000 (23:39 +0000)]
Convert tls_bio_cb for opaque BIO

joint with jsing

2 years agoMechanical conversion of libcsi for opaque DH.
tb [Mon, 10 Jan 2022 23:03:07 +0000 (23:03 +0000)]
Mechanical conversion of libcsi for opaque DH.

ok jsing

2 years agoDocument EVP_AEAD_CTX_{new,free}() and adjust example code.
tb [Mon, 10 Jan 2022 22:44:22 +0000 (22:44 +0000)]
Document EVP_AEAD_CTX_{new,free}() and adjust example code.

looks good to jsing

2 years agofix SEE ALSO;
jmc [Mon, 10 Jan 2022 21:16:44 +0000 (21:16 +0000)]
fix SEE ALSO;

2 years agoUnbreak tree. Sorry about that.
tb [Mon, 10 Jan 2022 19:22:26 +0000 (19:22 +0000)]
Unbreak tree. Sorry about that.

2 years agoReturn ENOMEM on malloc errors to prevent use of uninitialized stack
tobhe [Mon, 10 Jan 2022 18:23:39 +0000 (18:23 +0000)]
Return ENOMEM on malloc errors to prevent use of uninitialized stack
memory. Cleanup error handling while here.

ok stsp@ visa@

2 years agoWhen rendering the \h (horizontal motion) low-level roff(7) escape
schwarze [Mon, 10 Jan 2022 17:59:45 +0000 (17:59 +0000)]
When rendering the \h (horizontal motion) low-level roff(7) escape
sequence in -T ps and -T pdf output mode, use an appropriate
horizontal distance by correctly using the term_len() utility
function.  Output from the -T ascii, -T utf8, and -T html modes
was already correct and remains unchanged.

Lennart Jablonka <hummsmith42 at gmail dot com> found and reported
this unit conversion bug (misinterpreting AFM units as if they were
en units) when rendering scdoc-generated manuals (which is a low
quality generator, but that's no excuse for mandoc misformatting \h)
on Alpine Linux.  Lennart also tested this patch.

2 years agosync
deraadt [Mon, 10 Jan 2022 16:45:09 +0000 (16:45 +0000)]
sync

2 years agoInitialize variables that are touched in the error path.
visa [Mon, 10 Jan 2022 16:21:19 +0000 (16:21 +0000)]
Initialize variables that are touched in the error path.

Reminded by LLVM scan-build.

2 years agoNULL out pointers after transferring them to the DSA object.
tb [Mon, 10 Jan 2022 15:14:27 +0000 (15:14 +0000)]
NULL out pointers after transferring them to the DSA object.

2 years agosync
deraadt [Mon, 10 Jan 2022 15:14:24 +0000 (15:14 +0000)]
sync

2 years agoDedup get_dsa*() code.
tb [Mon, 10 Jan 2022 15:04:06 +0000 (15:04 +0000)]
Dedup get_dsa*() code.

Pointed out by jsing

2 years agoConvert testdsa to accessors for opaque DSA
tb [Mon, 10 Jan 2022 14:47:09 +0000 (14:47 +0000)]
Convert testdsa to accessors for opaque DSA

ok inoguchi jsing

2 years agoRemove a few unused defines from x509.h
tb [Mon, 10 Jan 2022 14:13:03 +0000 (14:13 +0000)]
Remove a few unused defines from x509.h

As suggested by schwarze, this removes

X509_EX_V_{INIT,NETSCAPE_HACK} and X509_EXT_PACK_{STRING,UNKNOWN}

ok inoguchi jsing

2 years agoUse NULL instead of 0 for pointers.
jan [Mon, 10 Jan 2022 14:07:59 +0000 (14:07 +0000)]
Use NULL instead of 0 for pointers.

OK bluhm@

2 years agoPrepare to provide the EVP_MD_meth_* API
tb [Mon, 10 Jan 2022 13:42:28 +0000 (13:42 +0000)]
Prepare to provide the EVP_MD_meth_* API

This allows implementations to add their own EVP_MD_METHODs.
Only the setters are provided.

This is used by erlang for the otp_test_engine.

ok inoguchi jsing

2 years agospeeling
dlg [Mon, 10 Jan 2022 13:09:29 +0000 (13:09 +0000)]
speeling

2 years agothis should be most of the necessary info for this driver.
dlg [Mon, 10 Jan 2022 13:04:52 +0000 (13:04 +0000)]
this should be most of the necessary info for this driver.

2 years agoDocument openssl pkey -check,-pubcheck and param -check
tb [Mon, 10 Jan 2022 12:19:26 +0000 (12:19 +0000)]
Document openssl pkey -check,-pubcheck and param -check

2 years agoImplement openssl pkey -{,pub}check and pkeyparam -check
tb [Mon, 10 Jan 2022 12:17:49 +0000 (12:17 +0000)]
Implement openssl pkey -{,pub}check and pkeyparam -check

These expose EVP_PKEY_{,public_,param_}check() to the command line.
They are currently noops and will be enabled in the upcoming bump.

ok inoguchi jsing

2 years agoPrepare to provide EVP_PKEY_{public,param}_check
tb [Mon, 10 Jan 2022 12:10:26 +0000 (12:10 +0000)]
Prepare to provide EVP_PKEY_{public,param}_check

This implements checking of a public key and of key generation
parameters for DH and EC keys. With the same logic and setters
and const quirks as for EVP_PKEY_check().

There are a couple of quirks: For DH no default EVP_PKEY_check()
is implemented, instead EVP_PKEY_param_check() calls DH_check_ex()
even though DH_param_check_ex() was added for this purpose.
EVP_PKEY_public_check() for EC curves also checks the private key
if present.

ok inoguchi jsing

2 years agoProvide DH_check*_ex and many error codes
tb [Mon, 10 Jan 2022 12:00:52 +0000 (12:00 +0000)]
Provide DH_check*_ex and many error codes

DH_check{,_pub_key}_ex() wrap their non-ex versions to translate
the flags argument of the original functions into OpenSSL errors.
For this almost a dozen new error codes need to be added.

DH_params_check{,_ex}() is a new version of DH_check that only
performs a cheap subset of the checks.

They are needed to implement EVP_PKEY_{public,param}_check()
(observe the consistent naming) although the actual implementation
of EVP_PKEY_param_check() chose to use DH_check_ex().

As far as I can tell, the only raison d'ĂȘtre of the _ex functions
and error codes is to spew them to stderr in a couple of openssl(1)
commands. This couldn't have been solved differently...

These functions will not be exposed publicly.

ok inoguchi jsing

2 years agoPrepare to provide EVP_PKEY_check()
tb [Mon, 10 Jan 2022 11:52:43 +0000 (11:52 +0000)]
Prepare to provide EVP_PKEY_check()

This allows checking the validity of an EVP_PKEY. Only RSA and EC keys
are supported. If a check function is set the EVP_PKEY_METHOD, it will
be used, otherwise the check function on the EVP_PKEY_ASN1_METHOD is
used.  The default ASN.1 methods wrap RSA_check_key() and
EC_KEY_check_key(), respectively.

The corresponding setters are EVP_PKEY_{asn1,meth}_set_check().

It is unclear why the PKEY method has no const while the ASN.1 method
has const.

Requested by tobhe and used by PHP 8.1.
Based on OpenSSL commit 2aee35d3

ok inoguchi jsing

2 years agoadd a bit more.
dlg [Mon, 10 Jan 2022 10:54:54 +0000 (10:54 +0000)]
add a bit more.

2 years agoPrevent a double free in EVP_MD_CTX_copy_ex()
tb [Mon, 10 Jan 2022 10:51:31 +0000 (10:51 +0000)]
Prevent a double free in EVP_MD_CTX_copy_ex()

NULL out two pointer values after memcpy() to avoid a double free.
In the event that both in->pctx and in->md_data are non-NULL and
the calloc() of out->md_data fails, a double free could occur.

ok inoguchi jsing

2 years agotweak slightly
dlg [Mon, 10 Jan 2022 10:20:31 +0000 (10:20 +0000)]
tweak slightly