sync with OpenBSD -current

lib/libcrypto/bio/b_dump.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: b_dump.c,v 1.26 2023/07/29 02:32:00 tb Exp $ */
+/* $OpenBSD: b_dump.c,v 1.27 2024/02/01 17:04:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,21 +64,14 @@
 #include <string.h>
 
 #include <openssl/bio.h>
+#include <openssl/err.h>
 
 #define TRUNCATE
 #define DUMP_WIDTH	16
 #define DUMP_WIDTH_LESS_INDENT(i) (DUMP_WIDTH - ((i - (i > 6 ? 6 : i) + 3) / 4))
 
 int
-BIO_dump_cb(int (*cb)(const void *data, size_t len, void *u),
+BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
-    void *u, const char *s, int len)
-{
-	return BIO_dump_indent_cb(cb, u, s, len, 0);
-}
-
-int
-BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
-    void *u, const char *s, int len, int indent)
 {
 	char buf[288 + 1], tmp[20], str[128 + 1];
 	int i, j, rows, trc, written;
@@ -132,7 +125,7 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 		/* if this is the last call then update the ddt_dump thing so
 		 * that we will move the selection point in the debug window
 		 */
-		if ((written = cb((void *)buf, strlen(buf), u)) < 0)
+		if ((written = BIO_write(bio, buf, strlen(buf))) < 0)
 			return -1;
 		ret += written;
 
@@ -141,50 +134,54 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 	if (trc > 0) {
 		snprintf(buf, sizeof buf, "%s%04x - <SPACES/NULS>\n",
 		    str, len + trc);
-		if ((written = cb((void *)buf, strlen(buf), u)) < 0)
+		if ((written = BIO_write(bio, buf, strlen(buf))) < 0)
 			return -1;
 		ret += written;
 	}
 #endif
 	return (ret);
 }
+LCRYPTO_ALIAS(BIO_dump_indent);
 
-static int
+int
-write_fp(const void *data, size_t len, void *fp)
+BIO_dump(BIO *bio, const char *s, int len)
 {
-	return fwrite(data, 1, len, fp);
+	return BIO_dump_indent(bio, s, len, 0);
+}
+LCRYPTO_ALIAS(BIO_dump);
+
+/*
+ * XXX - remove the functions below in the next major bump.
+ */
+
+int
+BIO_dump_cb(int (*cb)(const void *data, size_t len, void *u),
+    void *u, const char *s, int len)
+{
+	BIOerror(ERR_R_DISABLED);
+	return -1;
+}
+
+int
+BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
+    void *u, const char *s, int len, int indent)
+{
+	BIOerror(ERR_R_DISABLED);
+	return -1;
 }
 
 int
 BIO_dump_fp(FILE *fp, const char *s, int len)
 {
-	return BIO_dump_cb(write_fp, fp, s, len);
+	BIOerror(ERR_R_DISABLED);
+	return -1;
 }
 LCRYPTO_ALIAS(BIO_dump_fp);
 
 int
 BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent)
 {
-	return BIO_dump_indent_cb(write_fp, fp, s, len, indent);
+	BIOerror(ERR_R_DISABLED);
+	return -1;
 }
 LCRYPTO_ALIAS(BIO_dump_indent_fp);
-
-static int
-write_bio(const void *data, size_t len, void *bp)
-{
-	return BIO_write((BIO *)bp, (const char *)data, len);
-}
-
-int
-BIO_dump(BIO *bp, const char *s, int len)
-{
-	return BIO_dump_cb(write_bio, bp, s, len);
-}
-LCRYPTO_ALIAS(BIO_dump);
-
-int
-BIO_dump_indent(BIO *bp, const char *s, int len, int indent)
-{
-	return BIO_dump_indent_cb(write_bio, bp, s, len, indent);
-}
-LCRYPTO_ALIAS(BIO_dump_indent);

lib/libcrypto/evp/evp_pbe.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.40 2024/01/27 17:20:20 tb Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.41 2024/02/01 17:11:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -72,14 +72,12 @@
 
 /* Password based encryption (PBE) functions */
 
-struct pbe_config {
+static const struct pbe_config {
 	int pbe_nid;
 	int cipher_nid;
 	int md_nid;
 	EVP_PBE_KEYGEN *keygen;
-};
+} pbe_outer[] = {
-
-static const struct pbe_config pbe_outer[] = {
 	{
 		.pbe_nid = NID_pbeWithMD2AndDES_CBC,
 		.cipher_nid = NID_des_cbc,
@@ -168,146 +166,28 @@ static const struct pbe_config pbe_outer[] = {
 
 #define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))
 
-static const struct pbe_config pbe_prf[] = {
-	{
-		.pbe_nid = NID_hmacWithSHA1,
-		.cipher_nid = -1,
-		.md_nid = NID_sha1,
-	},
-	{
-		.pbe_nid = NID_hmacWithMD5,
-		.cipher_nid = -1,
-		.md_nid = NID_md5,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA224,
-		.cipher_nid = -1,
-		.md_nid = NID_sha224,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA256,
-		.cipher_nid = -1,
-		.md_nid = NID_sha256,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA384,
-		.cipher_nid = -1,
-		.md_nid = NID_sha384,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA512,
-		.cipher_nid = -1,
-		.md_nid = NID_sha512,
-	},
-	{
-		.pbe_nid = NID_id_HMACGostR3411_94,
-		.cipher_nid = -1,
-		.md_nid = NID_id_GostR3411_94,
-	},
-	{
-		.pbe_nid = NID_id_tc26_hmac_gost_3411_12_256,
-		.cipher_nid = -1,
-		.md_nid = NID_id_tc26_gost3411_2012_256,
-	},
-	{
-		.pbe_nid = NID_id_tc26_hmac_gost_3411_12_512,
-		.cipher_nid = -1,
-		.md_nid = NID_id_tc26_gost3411_2012_512,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA512_224,
-		.cipher_nid = -1,
-		.md_nid = NID_sha512_224,
-	},
-	{
-		.pbe_nid = NID_hmacWithSHA512_256,
-		.cipher_nid = -1,
-		.md_nid = NID_sha512_256,
-	},
-	{
-		.pbe_nid = NID_hmac_sha3_224,
-		.cipher_nid = -1,
-		.md_nid = NID_sha3_224,
-	},
-	{
-		.pbe_nid = NID_hmac_sha3_256,
-		.cipher_nid = -1,
-		.md_nid = NID_sha3_256,
-	},
-	{
-		.pbe_nid = NID_hmac_sha3_384,
-		.cipher_nid = -1,
-		.md_nid = NID_sha3_384,
-	},
-	{
-		.pbe_nid = NID_hmac_sha3_512,
-		.cipher_nid = -1,
-		.md_nid = NID_sha3_512,
-	},
-};
-
-#define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
-
-int
-EVP_PBE_find(int type, int pbe_nid, int *out_cipher_nid, int *out_md_nid,
-    EVP_PBE_KEYGEN **out_keygen)
-{
-	const struct pbe_config *pbe = NULL;
-	size_t i;
-
-	if (out_cipher_nid != NULL)
-		*out_cipher_nid = NID_undef;
-	if (out_md_nid != NULL)
-		*out_md_nid = NID_undef;
-	if (out_keygen != NULL)
-		*out_keygen = NULL;
-
-	if (pbe_nid == NID_undef)
-		return 0;
-
-	if (type == EVP_PBE_TYPE_OUTER) {
-		for (i = 0; i < N_PBE_OUTER; i++) {
-			if (pbe_nid == pbe_outer[i].pbe_nid) {
-				pbe = &pbe_outer[i];
-				break;
-			}
-		}
-	} else if (type == EVP_PBE_TYPE_PRF) {
-		for (i = 0; i < N_PBE_PRF; i++) {
-			if (pbe_nid == pbe_prf[i].pbe_nid) {
-				pbe = &pbe_prf[i];
-				break;
-			}
-		}
-	}
-	if (pbe == NULL)
-		return 0;
-
-	if (out_cipher_nid != NULL)
-		*out_cipher_nid = pbe->cipher_nid;
-	if (out_md_nid != NULL)
-		*out_md_nid = pbe->md_nid;
-	if (out_keygen != NULL)
-		*out_keygen = pbe->keygen;
-
-	return 1;
-}
-
 int
 EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
     ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
 {
+	const struct pbe_config *cfg = NULL;
 	const EVP_CIPHER *cipher = NULL;
 	const EVP_MD *md = NULL;
-	int pbe_nid, cipher_nid, md_nid;
+	int pbe_nid;
-	EVP_PBE_KEYGEN *keygen;
+	size_t i;
 
 	if ((pbe_nid = OBJ_obj2nid(pbe_obj)) == NID_undef) {
 		EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
 		return 0;
 	}
-	if (!EVP_PBE_find(EVP_PBE_TYPE_OUTER, pbe_nid, &cipher_nid, &md_nid,
+
-	    &keygen)) {
+	for (i = 0; i < N_PBE_OUTER; i++) {
+		if (pbe_nid == pbe_outer[i].pbe_nid) {
+			cfg = &pbe_outer[i];
+			break;
+		}
+	}
+	if (cfg == NULL) {
 		EVPerror(EVP_R_UNKNOWN_PBE_ALGORITHM);
 		ERR_asprintf_error_data("NID=%d", pbe_nid);
 		return 0;
@@ -318,20 +198,20 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
 	if (passlen == -1)
 		passlen = strlen(pass);
 
-	if (cipher_nid != -1) {
+	if (cfg->cipher_nid != -1) {
-		if ((cipher = EVP_get_cipherbynid(cipher_nid)) == NULL) {
+		if ((cipher = EVP_get_cipherbynid(cfg->cipher_nid)) == NULL) {
 			EVPerror(EVP_R_UNKNOWN_CIPHER);
 			return 0;
 		}
 	}
-	if (md_nid != -1) {
+	if (cfg->md_nid != -1) {
-		if ((md = EVP_get_digestbynid(md_nid)) == NULL) {
+		if ((md = EVP_get_digestbynid(cfg->md_nid)) == NULL) {
 			EVPerror(EVP_R_UNKNOWN_DIGEST);
 			return 0;
 		}
 	}
 
-	if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
+	if (!cfg->keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
 		EVPerror(EVP_R_KEYGEN_FAILURE);
 		return 0;
 	}
@@ -575,6 +455,47 @@ PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	return ret;
 }
 
+static int
+md_nid_from_prf_nid(int nid)
+{
+	switch (nid) {
+	case NID_hmacWithMD5:
+		return NID_md5;
+	case NID_hmacWithSHA1:
+		return NID_sha1;
+	case NID_hmacWithSHA224:
+		return NID_sha224;
+	case NID_hmacWithSHA256:
+		return NID_sha256;
+	case NID_hmacWithSHA384:
+		return NID_sha384;
+	case NID_hmacWithSHA512:
+		return NID_sha512;
+	case NID_hmacWithSHA512_224:
+		return NID_sha512_224;
+	case NID_hmacWithSHA512_256:
+		return NID_sha512_256;
+	case NID_hmac_sha3_224:
+		return NID_sha3_224;
+	case NID_hmac_sha3_256:
+		return NID_sha3_256;
+	case NID_hmac_sha3_384:
+		return NID_sha3_384;
+	case NID_hmac_sha3_512:
+		return NID_sha3_512;
+#ifndef OPENSSL_NO_GOST
+	case NID_id_HMACGostR3411_94:
+		return NID_id_GostR3411_94;
+	case NID_id_tc26_hmac_gost_3411_12_256:
+		return NID_id_tc26_gost3411_2012_256;
+	case NID_id_tc26_hmac_gost_3411_12_512:
+		return NID_id_tc26_gost3411_2012_512;
+#endif
+	default:
+		return NID_undef;
+	}
+}
+
 int
 PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
     ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
@@ -626,7 +547,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	else
 		prf_nid = NID_hmacWithSHA1;
 
-	if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
+	if ((hmac_md_nid = md_nid_from_prf_nid(prf_nid)) == NID_undef) {
 		EVPerror(EVP_R_UNSUPPORTED_PRF);
 		goto err;
 	}
@@ -724,6 +645,14 @@ LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
  * XXX - remove the functions below in the next major bump
  */
 
+int
+EVP_PBE_find(int type, int pbe_nid, int *out_cipher_nid, int *out_md_nid,
+    EVP_PBE_KEYGEN **out_keygen)
+{
+	EVPerror(ERR_R_DISABLED);
+	return 0;
+}
+
 int
 EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
     EVP_PBE_KEYGEN *keygen)

lib/libcrypto/x509/x509_verify.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.67 2023/11/13 10:33:00 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.68 2024/02/01 23:16:38 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -287,6 +287,18 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
 
 	/* Check by lookup if we have a legacy xsc */
 	if (ctx->xsc != NULL) {
+		/*
+		 * "alternative" lookup method, using the "trusted" stack in the
+		 * xsc as the source for roots.
+		 */
+		if (ctx->xsc->trusted != NULL) {
+			for (i = 0; i < sk_X509_num(ctx->xsc->trusted); i++) {
+				if (X509_cmp(sk_X509_value(ctx->xsc->trusted,
+				    i), cert) == 0)
+					return x509_verify_check_chain_end(cert,
+					    full_chain);
+			}
+		}
 		if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
 		    cert)) != NULL) {
 			X509_free(match);

usr.bin/aucat/aucat.c

@@ -220,7 +220,7 @@ static int
 slot_new(char *path, int mode, struct aparams *par, int hdr,
     int cmin, int cmax, int rate, int dup, int vol, long long pos)
 {
-	struct slot *s;
+	struct slot *s, **ps;
 
 	s = xmalloc(sizeof(struct slot));
 	if (!afile_open(&s->afile, path, hdr,
@@ -273,8 +273,10 @@ slot_new(char *path, int mode, struct aparams *par, int hdr,
 		}
 		log_puts("\n");
 	}
-	s->next = slot_list;
+	for (ps = &slot_list; *ps != NULL; ps = &(*ps)->next)
-	slot_list = s;
+		;
+	s->next = NULL;
+	*ps = s;
 	return 1;
 }
 
@@ -801,6 +803,7 @@ dev_slotvol(int midich, int val)
 #endif
 			break;
 		}
+		midich--;
 	}
 }
 

usr.bin/ssh/gss-genr.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

usr.bin/ssh/kex.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.121 2023/12/18 14:45:49 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.122 2024/02/02 00:13:34 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -102,10 +102,10 @@ enum kex_exchange {
 #define KEX_INIT_SENT			0x0001
 #define KEX_INITIAL			0x0002
 #define KEX_HAS_PUBKEY_HOSTBOUND	0x0004
-#define KEX_RSA_SHA2_256_SUPPORTED 	0x0008 /* only set in server for now */
+#define KEX_RSA_SHA2_256_SUPPORTED	0x0008 /* only set in server for now */
-#define KEX_RSA_SHA2_512_SUPPORTED 	0x0010 /* only set in server for now */
+#define KEX_RSA_SHA2_512_SUPPORTED	0x0010 /* only set in server for now */
-#define KEX_HAS_PING		 	0x0020
+#define KEX_HAS_PING			0x0020
-#define KEX_HAS_EXT_INFO_IN_AUTH 	0x0040
+#define KEX_HAS_EXT_INFO_IN_AUTH	0x0040
 
 struct sshenc {
 	char	*name;

usr.bin/ssh/nchan.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: nchan.c,v 1.74 2022/02/01 23:32:51 djm Exp $ */
+/* $OpenBSD: nchan.c,v 1.75 2024/02/01 02:37:33 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *

usr.bin/ssh/session.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.336 2023/08/10 23:05:48 djm Exp $ */
+/* $OpenBSD: session.c,v 1.337 2024/02/01 02:37:33 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved

usr.bin/ssh/sftp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.236 2023/09/10 23:12:32 djm Exp $ */
+/* $OpenBSD: sftp.c,v 1.237 2024/02/01 02:37:33 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -156,24 +156,24 @@ struct CMD {
 #define LOCAL	2
 
 static const struct CMD cmds[] = {
-	{ "bye",	I_QUIT,		NOARGS, 	NOARGS	},
+	{ "bye",	I_QUIT,		NOARGS,		NOARGS	},
-	{ "cd",		I_CHDIR,	REMOTE, 	NOARGS	},
+	{ "cd",		I_CHDIR,	REMOTE,		NOARGS	},
-	{ "chdir",	I_CHDIR,	REMOTE, 	NOARGS	},
+	{ "chdir",	I_CHDIR,	REMOTE,		NOARGS	},
-	{ "chgrp",	I_CHGRP,	REMOTE, 	NOARGS	},
+	{ "chgrp",	I_CHGRP,	REMOTE,		NOARGS	},
-	{ "chmod",	I_CHMOD,	REMOTE, 	NOARGS	},
+	{ "chmod",	I_CHMOD,	REMOTE,		NOARGS	},
-	{ "chown",	I_CHOWN,	REMOTE, 	NOARGS	},
+	{ "chown",	I_CHOWN,	REMOTE,		NOARGS	},
-	{ "copy",	I_COPY,		REMOTE, 	LOCAL	},
+	{ "copy",	I_COPY,		REMOTE,		LOCAL	},
-	{ "cp",		I_COPY,		REMOTE, 	LOCAL	},
+	{ "cp",		I_COPY,		REMOTE,		LOCAL	},
-	{ "df",		I_DF,		REMOTE, 	NOARGS	},
+	{ "df",		I_DF,		REMOTE,		NOARGS	},
-	{ "dir",	I_LS,		REMOTE, 	NOARGS	},
+	{ "dir",	I_LS,		REMOTE,		NOARGS	},
-	{ "exit",	I_QUIT,		NOARGS, 	NOARGS	},
+	{ "exit",	I_QUIT,		NOARGS,		NOARGS	},
-	{ "get",	I_GET,		REMOTE, 	LOCAL	},
+	{ "get",	I_GET,		REMOTE,		LOCAL	},
-	{ "help",	I_HELP,		NOARGS, 	NOARGS	},
+	{ "help",	I_HELP,		NOARGS,		NOARGS	},
 	{ "lcd",	I_LCHDIR,	LOCAL,		NOARGS	},
 	{ "lchdir",	I_LCHDIR,	LOCAL,		NOARGS	},
 	{ "lls",	I_LLS,		LOCAL,		NOARGS	},
 	{ "lmkdir",	I_LMKDIR,	LOCAL,		NOARGS	},
-	{ "ln",		I_LINK,		REMOTE, 	REMOTE	},
+	{ "ln",		I_LINK,		REMOTE,		REMOTE	},
 	{ "lpwd",	I_LPWD,		LOCAL,		NOARGS	},
 	{ "ls",		I_LS,		REMOTE,		NOARGS	},
 	{ "lumask",	I_LUMASK,	NOARGS,		NOARGS	},
@@ -182,17 +182,17 @@ static const struct CMD cmds[] = {
 	{ "mput",	I_PUT,		LOCAL,		REMOTE	},
 	{ "progress",	I_PROGRESS,	NOARGS,		NOARGS	},
 	{ "put",	I_PUT,		LOCAL,		REMOTE	},
-	{ "pwd",	I_PWD,		REMOTE, 	NOARGS	},
+	{ "pwd",	I_PWD,		REMOTE,		NOARGS	},
-	{ "quit",	I_QUIT,		NOARGS, 	NOARGS	},
+	{ "quit",	I_QUIT,		NOARGS,		NOARGS	},
-	{ "reget",	I_REGET,	REMOTE, 	LOCAL	},
+	{ "reget",	I_REGET,	REMOTE,		LOCAL	},
-	{ "rename",	I_RENAME,	REMOTE, 	REMOTE	},
+	{ "rename",	I_RENAME,	REMOTE,		REMOTE	},
 	{ "reput",	I_REPUT,	LOCAL,		REMOTE	},
 	{ "rm",		I_RM,		REMOTE,		NOARGS	},
 	{ "rmdir",	I_RMDIR,	REMOTE,		NOARGS	},
 	{ "symlink",	I_SYMLINK,	REMOTE,		REMOTE	},
-	{ "version",	I_VERSION,	NOARGS, 	NOARGS	},
+	{ "version",	I_VERSION,	NOARGS,		NOARGS	},
-	{ "!",		I_SHELL,	NOARGS, 	NOARGS	},
+	{ "!",		I_SHELL,	NOARGS,		NOARGS	},
-	{ "?",		I_HELP,		NOARGS, 	NOARGS	},
+	{ "?",		I_HELP,		NOARGS,		NOARGS	},
 	{ NULL,		-1,		-1,		-1	}
 };
 

usr.bin/ssh/sshbuf-getput-crypto.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf-getput-crypto.c,v 1.10 2022/05/25 06:03:44 djm Exp $	*/
+/*	$OpenBSD: sshbuf-getput-crypto.c,v 1.11 2024/02/01 02:37:33 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *

usr.sbin/bgpctl/bgpctl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: bgpctl.c,v 1.304 2024/01/31 11:23:19 claudio Exp $ */
+/*	$OpenBSD: bgpctl.c,v 1.305 2024/02/01 11:37:10 claudio Exp $ */
 
 /*
  * Copyright (c) 2003 Henning Brauer <henning@openbsd.org>
@@ -1411,24 +1411,19 @@ show_mrt_state(struct mrt_bgp_state *ms, void *arg)
 }
 
 static void
-print_afi(u_char *p, uint8_t len)
+print_afi(struct ibuf *b)
 {
 	uint16_t afi;
 	uint8_t safi, aid;
 
-	if (len != 4) {
+	if (ibuf_get_n16(b, &afi) == -1 ||	/* afi, 2 byte */
+	    ibuf_skip(b, 1) == -1 ||		/* reserved, 1 byte */
+	    ibuf_get_n8(b, &safi) == -1 ||	/* safi, 1 byte */
+	    ibuf_size(b) != 0) {
 		printf("bad length");
 		return;
 	}
 
-	/* afi, 2 byte */
-	memcpy(&afi, p, sizeof(afi));
-	afi = ntohs(afi);
-	p += 2;
-	/* reserved, 1 byte */
-	p += 1;
-	/* safi, 1 byte */
-	memcpy(&safi, p, sizeof(safi));
 	if (afi2aid(afi, safi, &aid) == -1)
 		printf("unknown afi %u safi %u", afi, safi);
 	else
@@ -1436,12 +1431,14 @@ print_afi(u_char *p, uint8_t len)
 }
 
 static void
-print_capability(uint8_t capa_code, u_char *p, uint8_t len)
+print_capability(uint8_t capa_code, struct ibuf *b)
 {
+	uint32_t as;
+
 	switch (capa_code) {
 	case CAPA_MP:
 		printf("multiprotocol capability: ");
-		print_afi(p, len);
+		print_afi(b);
 		break;
 	case CAPA_REFRESH:
 		printf("route refresh capability");
@@ -1452,13 +1449,11 @@ print_capability(uint8_t capa_code, u_char *p, uint8_t len)
 		break;
 	case CAPA_AS4BYTE:
 		printf("4-byte AS num capability: ");
-		if (len == 4) {
+		if (ibuf_get_n32(b, &as) == -1 ||
-			uint32_t as;
+		    ibuf_size(b) != 0)
-			memcpy(&as, p, sizeof(as));
-			as = ntohl(as);
-			printf("AS %u", as);
-		} else
 			printf("bad length");
+		else
+			printf("AS %u", as);
 		break;
 	case CAPA_ADD_PATH:
 		printf("add-path capability");
@@ -1468,7 +1463,8 @@ print_capability(uint8_t capa_code, u_char *p, uint8_t len)
 		printf("enhanced route refresh capability");
 		break;
 	default:
-		printf("unknown capability %u length %u", capa_code, len);
+		printf("unknown capability %u length %zu",
+		    capa_code, ibuf_size(b));
 		break;
 	}
 }
@@ -1531,88 +1527,63 @@ print_notification(uint8_t errcode, uint8_t subcode)
 }
 
 static int
-show_mrt_capabilities(u_char *p, uint16_t len)
+show_mrt_capabilities(struct ibuf *b)
 {
-	uint16_t totlen = len;
 	uint8_t capa_code, capa_len;
+	struct ibuf cbuf;
 
-	while (len > 2) {
+	while (ibuf_size(b) > 0) {
-		memcpy(&capa_code, p, sizeof(capa_code));
+		if (ibuf_get_n8(b, &capa_code) == -1 ||
-		p += sizeof(capa_code);
+		    ibuf_get_n8(b, &capa_len) == -1 ||
-		len -= sizeof(capa_code);
+		    ibuf_get_ibuf(b, capa_len, &cbuf) == -1) {
-		memcpy(&capa_len, p, sizeof(capa_len));
+			printf("truncated capabilities");
-		p += sizeof(capa_len);
-		len -= sizeof(capa_len);
-		if (len < capa_len) {
-			printf("capa_len %u exceeds remaining length",
-			    capa_len);
 			return (-1);
 		}
 		printf("\n        ");
-		print_capability(capa_code, p, capa_len);
+		print_capability(capa_code, &cbuf);
-		p += capa_len;
-		len -= capa_len;
 	}
-	if (len != 0) {
+	return (0);
-		printf("length mismatch while capability parsing");
-		return (-1);
-	}
-	return (totlen);
 }
 
 static void
-show_mrt_open(u_char *p, uint16_t len)
+show_mrt_open(struct ibuf *b)
 {
 	uint16_t short_as, holdtime;
 	uint8_t version, optparamlen;
 	struct in_addr bgpid;
 
 	/* length check up to optparamlen already happened */
-	memcpy(&version, p, sizeof(version));
+	if (ibuf_get_n8(b, &version) == -1 ||
-	p += sizeof(version);
+	    ibuf_get_n16(b, &short_as) == -1 ||
-	len -= sizeof(version);
+	    ibuf_get_n16(b, &holdtime) == -1 ||
-	memcpy(&short_as, p, sizeof(short_as));
+	    ibuf_get(b, &bgpid, sizeof(bgpid)) == -1 ||
-	p += sizeof(short_as);
+	    ibuf_get_n8(b, &optparamlen) == -1) {
-	len -= sizeof(short_as);
+ trunc:
-	short_as = ntohs(short_as);
+		printf("truncated message");
-	memcpy(&holdtime, p, sizeof(holdtime));
+		return;
-	holdtime = ntohs(holdtime);
+	}
-	p += sizeof(holdtime);
-	len -= sizeof(holdtime);
-	memcpy(&bgpid, p, sizeof(bgpid));
-	p += sizeof(bgpid);
-	len -= sizeof(bgpid);
-	memcpy(&optparamlen, p, sizeof(optparamlen));
-	p += sizeof(optparamlen);
-	len -= sizeof(optparamlen);
 
 	printf("\n    ");
 	printf("Version: %d AS: %u Holdtime: %u BGP Id: %s Paramlen: %u",
 	    version, short_as, holdtime, inet_ntoa(bgpid), optparamlen);
-	if (optparamlen != len) {
+	if (optparamlen != ibuf_size(b)) {
+		/* XXX missing support for RFC9072 */
 		printf("optional parameter length mismatch");
 		return;
 	}
-	while (len > 2) {
+	while (ibuf_size(b) > 0) {
 		uint8_t op_type, op_len;
-		int r;
 
-		memcpy(&op_type, p, sizeof(op_type));
+		if (ibuf_get_n8(b, &op_type) == -1 ||
-		p += sizeof(op_type);
+		    ibuf_get_n8(b, &op_len) == -1)
-		len -= sizeof(op_type);
+			goto trunc;
-		memcpy(&op_len, p, sizeof(op_len));
-		p += sizeof(op_len);
-		len -= sizeof(op_len);
 
 		printf("\n    ");
 		switch (op_type) {
 		case OPT_PARAM_CAPABILITIES:
-			printf("Capabilities: size %u", op_len);
+			printf("Capabilities: %u bytes", op_len);
-			r = show_mrt_capabilities(p, op_len);
+			if (show_mrt_capabilities(b) == -1)
-			if (r == -1)
 				return;
-			p += r;
-			len -= r;
 			break;
 		case OPT_PARAM_AUTH:
 		default:
@@ -1621,89 +1592,71 @@ show_mrt_open(u_char *p, uint16_t len)
 			return;
 		}
 	}
-	if (len != 0) {
-		printf("optional parameter encoding error");
-		return;
-	}
 }
 
 static void
-show_mrt_notification(u_char *p, uint16_t len)
+show_mrt_notification(struct ibuf *b)
 {
-	uint16_t i;
-	uint8_t errcode, subcode;
-	size_t reason_len;
 	char reason[REASON_LEN];
+	uint8_t errcode, subcode, reason_len, c;
+	size_t i, len;
 
-	memcpy(&errcode, p, sizeof(errcode));
+	if (ibuf_get_n8(b, &errcode) == -1 ||
-	p += sizeof(errcode);
+	    ibuf_get_n8(b, &subcode) == -1) {
-	len -= sizeof(errcode);
+ trunc:
-
+		printf("truncated message");
-	memcpy(&subcode, p, sizeof(subcode));
+		return;
-	p += sizeof(subcode);
+	}
-	len -= sizeof(subcode);
 
 	printf("\n    ");
 	print_notification(errcode, subcode);
 
 	if (errcode == ERR_CEASE && (subcode == ERR_CEASE_ADMIN_DOWN ||
 	    subcode == ERR_CEASE_ADMIN_RESET)) {
-		if (len > 1) {
+		if (ibuf_size(b) > 1) {
-			reason_len = *p++;
+			if (ibuf_get_n8(b, &reason_len) == -1)
-			len--;
+				goto trunc;
-			if (len < reason_len) {
+			if (ibuf_get(b, reason, reason_len) == -1)
-				printf("truncated shutdown reason");
+				goto trunc;
-				return;
-			}
-			if (reason_len > REASON_LEN - 1) {
-				printf("overly long shutdown reason");
-				return;
-			}
-			memcpy(reason, p, reason_len);
 			reason[reason_len] = '\0';
 			printf("shutdown reason: \"%s\"",
 			    log_reason(reason));
-			p += reason_len;
-			len -= reason_len;
 		}
 	}
 	if (errcode == ERR_OPEN && subcode == ERR_OPEN_CAPA) {
-		int r;
+		if (show_mrt_capabilities(b) == -1)
-
-		r = show_mrt_capabilities(p, len);
-		if (r == -1)
 			return;
-		p += r;
-		len -= r;
 	}
 
-	if (len > 0) {
+	if (ibuf_size(b) > 0) {
-		printf("\n    additional data %u bytes", len);
+		len = ibuf_size(b);
+		printf("\n    additional data, %zu bytes", len);
 		for (i = 0; i < len; i++) {
 			if (i % 16 == 0)
 				printf("\n    ");
 			if (i % 8 == 0)
 				printf("   ");
-			printf(" %02X", *p++);
+			if (ibuf_get_n8(b, &c) == -1)
+				goto trunc;
+			printf(" %02X", c);
 		}
 	}
 }
 
 /* XXX this function does not handle JSON output */
 static void
-show_mrt_update(u_char *p, uint16_t len, int reqflags, int addpath)
+show_mrt_update(struct ibuf *b, int reqflags, int addpath)
 {
 	struct bgpd_addr prefix;
-	struct ibuf *b, buf, wbuf, abuf;
+	struct ibuf wbuf, abuf;
 	uint32_t pathid;
 	uint16_t wlen, alen;
 	uint8_t prefixlen;
 
-	ibuf_from_buffer(&buf, p, len);
-	b = &buf;
 	if (ibuf_get_n16(b, &wlen) == -1 ||
 	    ibuf_get_ibuf(b, wlen, &wbuf) == -1)
 		goto trunc;
+
 	if (wlen > 0) {
 		printf("\n     Withdrawn prefixes:");
 		while (ibuf_size(&wbuf) > 0) {
@@ -1780,35 +1733,34 @@ show_mrt_msg(struct mrt_bgp_msg *mm, void *arg)
 	static const uint8_t marker[MSGSIZE_HEADER_MARKER] = {
 	    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 	    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-	u_char *p;
+	uint8_t m[MSGSIZE_HEADER_MARKER];
+	struct ibuf *b;
 	uint16_t len;
 	uint8_t type;
 	struct ctl_show_rib_request *req = arg;
 
 	printf("%s %s[%u] -> ", fmt_time(&mm->time),
 	    log_addr(&mm->src), mm->src_as);
-	printf("%s[%u]: size %u%s ", log_addr(&mm->dst), mm->dst_as,
+	printf("%s[%u]: size %zu%s ", log_addr(&mm->dst), mm->dst_as,
-	    mm->msg_len, mm->add_path ? " addpath" : "");
+	    ibuf_size(&mm->msg), mm->add_path ? " addpath" : "");
-	p = mm->msg;
+	b = &mm->msg;
-	len = mm->msg_len;
 
-	if (len < MSGSIZE_HEADER) {
+	if (ibuf_get(b, m, sizeof(m)) == -1) {
-		printf("illegal header length: %u byte\n", len);
+		printf("bad message: short header\n");
 		return;
 	}
 
 	/* parse BGP message header */
-	if (memcmp(p, marker, sizeof(marker))) {
+	if (memcmp(m, marker, sizeof(marker))) {
 		printf("incorrect marker in BGP message\n");
 		return;
 	}
-	p += MSGSIZE_HEADER_MARKER;
 
-	memcpy(&len, p, 2);
+	if (ibuf_get_n16(b, &len) == -1 ||
-	len = ntohs(len);
+	    ibuf_get_n8(b, &type) == -1) {
-	p += 2;
+		printf("bad message: short header\n");
-	memcpy(&type, p, 1);
+		return;
-	p += 1;
+	}
 
 	if (len < MSGSIZE_HEADER || len > MAX_PKTSIZE) {
 		printf("illegal header length: %u byte\n", len);
@@ -1819,32 +1771,31 @@ show_mrt_msg(struct mrt_bgp_msg *mm, void *arg)
 	case OPEN:
 		printf("%s ", msgtypenames[type]);
 		if (len < MSGSIZE_OPEN_MIN) {
-			printf("illegal length: %u byte\n", len);
+			printf("bad length: %u bytes\n", len);
 			return;
 		}
-		show_mrt_open(p, len - MSGSIZE_HEADER);
+		show_mrt_open(b);
 		break;
 	case NOTIFICATION:
 		printf("%s ", msgtypenames[type]);
 		if (len < MSGSIZE_NOTIFICATION_MIN) {
-			printf("illegal length: %u byte\n", len);
+			printf("bad length: %u bytes\n", len);
 			return;
 		}
-		show_mrt_notification(p, len - MSGSIZE_HEADER);
+		show_mrt_notification(b);
 		break;
 	case UPDATE:
 		printf("%s ", msgtypenames[type]);
 		if (len < MSGSIZE_UPDATE_MIN) {
-			printf("illegal length: %u byte\n", len);
+			printf("bad length: %u bytes\n", len);
 			return;
 		}
-		show_mrt_update(p, len - MSGSIZE_HEADER, req->flags,
+		show_mrt_update(b, req->flags, mm->add_path);
-		    mm->add_path);
 		break;
 	case KEEPALIVE:
 		printf("%s ", msgtypenames[type]);
 		if (len != MSGSIZE_KEEPALIVE) {
-			printf("illegal length: %u byte\n", len);
+			printf("bad length: %u bytes\n", len);
 			return;
 		}
 		/* nothing */
@@ -1852,10 +1803,10 @@ show_mrt_msg(struct mrt_bgp_msg *mm, void *arg)
 	case RREFRESH:
 		printf("%s ", msgtypenames[type]);
 		if (len != MSGSIZE_RREFRESH) {
-			printf("illegal length: %u byte\n", len);
+			printf("bad length: %u bytes\n", len);
 			return;
 		}
-		print_afi(p, len);
+		print_afi(b);
 		break;
 	default:
 		printf("unknown type %u\n", type);

usr.sbin/bgpctl/mrtparser.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: mrtparser.h,v 1.6 2024/01/23 15:56:48 claudio Exp $ */
+/*	$OpenBSD: mrtparser.h,v 1.7 2024/02/01 11:37:10 claudio Exp $ */
 /*
  * Copyright (c) 2011 Claudio Jeker <claudio@openbsd.org>
  *
@@ -76,9 +76,8 @@ struct mrt_bgp_msg {
 	struct bgpd_addr dst;
 	uint32_t	 src_as;
 	uint32_t	 dst_as;
-	uint16_t	 msg_len;
 	uint8_t		 add_path;
-	void		*msg;
+	struct ibuf	 msg;
 };
 
 #define MRT_ATTR_ORIGIN		1

usr.sbin/pcidump/pcidump.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pcidump.c,v 1.69 2023/04/16 17:26:14 kettenis Exp $	*/
+/*	$OpenBSD: pcidump.c,v 1.70 2024/02/01 18:26:45 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2006, 2007 David Gwynne <loki@animata.net>
@@ -606,7 +606,10 @@ dump_msi(int bus, int dev, int func, u_int8_t ptr)
 	if (pci_read(bus, dev, func, ptr, &reg) != 0)
 		return;
 
-	printf("\t\tEnabled: %s\n", reg & PCI_MSI_MC_MSIE ? "yes" : "no");
+	printf("\t\tEnabled: %s; %d vectors (%d enabled)\n",
+	    reg & PCI_MSI_MC_MSIE ? "yes" : "no",
+	    (1 << ((reg & PCI_MSI_MC_MMC_MASK) >> PCI_MSI_MC_MMC_SHIFT)),
+	    (1 << ((reg & PCI_MSI_MC_MME_MASK) >> PCI_MSI_MC_MME_SHIFT)));
 }
 
 void

usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.122 2024/01/11 11:55:14 job Exp $ */
+/*	$OpenBSD: cert.c,v 1.123 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -647,7 +647,7 @@ certificate_policies(struct parse *p, X509_EXTENSION *ext)
 
 	if ((nid = OBJ_obj2nid(qualifier->pqualid)) != NID_id_qt_cps) {
 		warnx("%s: RFC 7318 section 2: certificatePolicies: "
-		    "want CPS, got %d (%s)", p->fn, nid, OBJ_nid2sn(nid));
+		    "want CPS, got %s", p->fn, nid2str(nid));
 		goto out;
 	}
 
@@ -794,8 +794,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 			warnx("%s: P-256 support is experimental", fn);
 	} else if (nid != NID_sha256WithRSAEncryption) {
 		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
-		    fn, OBJ_nid2ln(nid),
+		    fn, nid2str(nid), LN_sha256WithRSAEncryption);
-		    OBJ_nid2ln(NID_sha256WithRSAEncryption));
 		goto out;
 	}
 
@@ -970,8 +969,8 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 	return p.res;
 
  dup:
-	warnx("%s: RFC 5280 section 4.2: duplicate %s extension", fn,
+	warnx("%s: RFC 5280 section 4.2: duplicate extension: %s", fn,
-	    OBJ_nid2sn(nid));
+	    nid2str(nid));
  out:
 	cert_free(p.res);
 	X509_free(x);

usr.sbin/rpki-client/cms.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cms.c,v 1.41 2023/12/10 14:18:23 job Exp $ */
+/*	$OpenBSD: cms.c,v 1.42 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -259,7 +259,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	nid = OBJ_obj2nid(obj);
 	if (nid != NID_sha256) {
 		warnx("%s: RFC 6488: wrong digest %s, want %s", fn,
-		    OBJ_nid2ln(nid), OBJ_nid2ln(NID_sha256));
+		    nid2str(nid), LN_sha256);
 		goto out;
 	}
 	X509_ALGOR_get0(&obj, NULL, NULL, psig);
@@ -271,7 +271,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	} else if (nid != NID_rsaEncryption &&
 	    nid != NID_sha256WithRSAEncryption) {
 		warnx("%s: RFC 6488: wrong signature algorithm %s, want %s",
-		    fn, OBJ_nid2ln(nid), OBJ_nid2ln(NID_rsaEncryption));
+		    fn, nid2str(nid), LN_rsaEncryption);
 		goto out;
 	}
 

usr.sbin/rpki-client/crl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crl.c,v 1.31 2024/01/18 14:34:26 job Exp $ */
+/*	$OpenBSD: crl.c,v 1.32 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -68,8 +68,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 			warnx("%s: P-256 support is experimental", fn);
 	} else if (nid != NID_sha256WithRSAEncryption) {
 		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
-		    fn, OBJ_nid2ln(nid),
+		    fn, nid2str(nid), LN_sha256WithRSAEncryption);
-		    OBJ_nid2ln(NID_sha256WithRSAEncryption));
 		goto out;
 	}
 

usr.sbin/rpki-client/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.201 2024/01/31 06:57:21 tb Exp $ */
+/*	$OpenBSD: extern.h,v 1.202 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -861,6 +861,7 @@ int		 x509_valid_subject(const char *, const X509 *);
 time_t		 x509_find_expires(time_t, struct auth *, struct crl_tree *);
 
 /* printers */
+char		*nid2str(int);
 char		*time2str(time_t);
 void		 x509_print(const X509 *);
 void		 tal_print(const struct tal *);

usr.sbin/rpki-client/parser.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.113 2024/01/31 06:57:21 tb Exp $ */
+/*	$OpenBSD: parser.c,v 1.114 2024/02/01 09:50:15 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -327,7 +327,7 @@ proc_parser_mft_pre(struct entity *entp, enum location loc, char **file,
 		goto err;
 	}
 	if (issued_cmp > 0 && seqnum_cmp == 0) {
-		warnx("%s#%s: reissued manifest at %lld and %lld with same "
+		warnx("%s#%s: manifest issued at %lld and %lld with same "
 		    "sequence number", *file, cached_mft->seqnum,
 		    (long long)mft->thisupdate,
 		    (long long)cached_mft->thisupdate);

usr.sbin/rpki-client/print.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: print.c,v 1.45 2024/01/18 14:34:26 job Exp $ */
+/*	$OpenBSD: print.c,v 1.46 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -49,6 +49,22 @@ pretty_key_id(const char *hex)
 	return buf;
 }
 
+char *
+nid2str(int nid)
+{
+	static char buf[128];
+	const char *name;
+
+	if ((name = OBJ_nid2ln(nid)) == NULL)
+		name = OBJ_nid2sn(nid);
+	if (name == NULL)
+		name = "unknown";
+
+	snprintf(buf, sizeof(buf), "nid %d (%s)", nid, name);
+
+	return buf;
+}
+
 char *
 time2str(time_t t)
 {

usr.sbin/rpki-client/validate.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: validate.c,v 1.70 2024/01/07 09:48:03 tb Exp $ */
+/*	$OpenBSD: validate.c,v 1.71 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -665,7 +665,7 @@ valid_ca_pkey_ec(const char *fn, EVP_PKEY *pkey)
 	nid = EC_GROUP_get_curve_name(group);
 	if (nid != NID_X9_62_prime256v1) {
 		if ((cname = EC_curve_nid2nist(nid)) == NULL)
-			cname = OBJ_nid2sn(nid);
+			cname = nid2str(nid);
 		warnx("%s: Expected P-256, got %s", fn, cname);
 		return 0;
 	}

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.76 2024/01/31 15:01:13 job Exp $ */
+/*	$OpenBSD: x509.c,v 1.77 2024/02/01 15:11:38 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -362,7 +362,7 @@ x509_get_pubkey(X509 *x, const char *fn)
 	nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
 	if (nid != NID_X9_62_prime256v1) {
 		if ((cname = EC_curve_nid2nist(nid)) == NULL)
-			cname = OBJ_nid2sn(nid);
+			cname = nid2str(nid);
 		warnx("%s: Expected P-256, got %s", fn, cname);
 		goto out;
 	}
@@ -955,8 +955,8 @@ x509_valid_subject(const char *fn, const X509 *x)
 			warnx("%s: OBJ_obj2nid failed", fn);
 			return 0;
 		default:
-			warnx("%s: RFC 6487 section 4.5: unexpected attribute "
+			warnx("%s: RFC 6487 section 4.5: unexpected attribute"
-			    "%d (%s)", fn, nid, OBJ_nid2ln(nid));
+			    " %s", fn, nid2str(nid));
 			return 0;
 		}
 	}