SecBSD/src
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync with OpenBSD -current

Browse Source
This commit is contained in:
purplerain 2024-01-28 04:29:33 +00:00
parent 8365991714
commit 20629a8b0d
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
27 changed files with 3030 additions and 694 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/libcrypto/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.166 2024/01/13 12:18:52 tb Exp $
# $OpenBSD: Makefile,v 1.167 2024/01/27 17:14:33 tb Exp $
LIB= crypto
LIBREBUILD=y
@ -387,8 +387,6 @@ SRCS+= m_sigver.c
SRCS+= m_sm3.c
SRCS+= m_streebog.c
SRCS+= m_wp.c
SRCS+= p5_crpt.c
SRCS+= p5_crpt2.c
SRCS+= p_legacy.c
SRCS+= p_lib.c
SRCS+= p_sign.c
@ -485,7 +483,6 @@ SRCS+= pvkfmt.c
SRCS+= p12_add.c
SRCS+= p12_asn.c
SRCS+= p12_attr.c
SRCS+= p12_crpt.c
SRCS+= p12_crt.c
SRCS+= p12_decr.c
SRCS+= p12_init.c

4
lib/libcrypto/evp/evp_local.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: evp_local.h,v 1.13 2024/01/04 17:38:36 tb Exp $ */
/* $OpenBSD: evp_local.h,v 1.14 2024/01/27 23:34:18 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@ -278,8 +278,6 @@ struct evp_pkey_ctx_st {
int keygen_info_count;
} /* EVP_PKEY_CTX */;
#define EVP_PKEY_FLAG_DYNAMIC 1
struct evp_pkey_method_st {
int pkey_id;
int flags;

144
lib/libcrypto/evp/evp_names.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: evp_names.c,v 1.7 2024/01/13 12:18:52 tb Exp $ */
/* $OpenBSD: evp_names.c,v 1.8 2024/01/27 18:12:27 tb Exp $ */
/*
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
*
@ -1104,6 +1104,13 @@ static const struct cipher_name cipher_names[] = {
*/
static const struct digest_name digest_names[] = {
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA1)
{
.name = SN_dsaWithSHA1,
.digest = EVP_sha1,
.alias = SN_sha1,
},
#endif
#ifndef OPENSSL_NO_GOST
{
.name = LN_id_Gost28147_89_MAC,
@ -1303,6 +1310,7 @@ static const struct digest_name digest_names[] = {
.digest = EVP_sha512_256,
},
#endif /* OPENSSL_NO_SHA512 */
#ifndef OPENSSL_NO_SM3
{
.name = SN_sm3,
@ -1310,6 +1318,68 @@ static const struct digest_name digest_names[] = {
},
#endif /* OPENSSL_NO_SM3 */
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA1)
{
.name = LN_dsaWithSHA1,
.digest = EVP_sha1,
.alias = SN_sha1,
},
#endif
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA256)
{
.name = LN_dsa_with_SHA224,
.digest = EVP_sha224,
.alias = SN_sha224,
},
{
.name = LN_dsa_with_SHA256,
.digest = EVP_sha256,
.alias = SN_sha256,
},
{
.name = LN_dsa_with_SHA384,
.digest = EVP_sha384,
.alias = SN_sha384,
},
{
.name = LN_dsa_with_SHA512,
.digest = EVP_sha512,
.alias = SN_sha512,
},
#endif /* OPENSSL_NO_DSA && OPENSSL_NO_SHA256 */
#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_EC)
{
.name = SN_ecdsa_with_SHA1,
.digest = EVP_sha1,
.alias = SN_sha1,
},
#endif
#if !defined(OPENSSL_NO_SHA256) && !defined(OPENSSL_NO_EC)
{
.name = SN_ecdsa_with_SHA224,
.digest = EVP_sha224,
.alias = SN_sha224,
},
{
.name = SN_ecdsa_with_SHA256,
.digest = EVP_sha256,
.alias = SN_sha256,
},
{
.name = SN_ecdsa_with_SHA384,
.digest = EVP_sha384,
.alias = SN_sha384,
},
{
.name = SN_ecdsa_with_SHA512,
.digest = EVP_sha512,
.alias = SN_sha512,
},
#endif /* OPENSSL_NO_SHA256 && OPENSSL_NO_EC */
#ifndef OPENSSL_NO_GOST
{
.name = SN_id_Gost28147_89_MAC,
@ -1317,6 +1387,78 @@ static const struct digest_name digest_names[] = {
},
#endif /* OPENSSL_NO_GOST */
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA256)
{
.name = SN_dsa_with_SHA224,
.digest = EVP_sha224,
.alias = SN_sha224,
},
{
.name = SN_dsa_with_SHA256,
.digest = EVP_sha256,
.alias = SN_sha256,
},
#endif /* OPENSSL_NO_DSA && OPENSSL_NO_SHA256 */
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA3)
{
.name = SN_dsa_with_SHA3_224,
.digest = EVP_sha3_224,
.alias = SN_sha3_224,
},
{
.name = SN_dsa_with_SHA3_256,
.digest = EVP_sha3_256,
.alias = SN_sha3_256,
},
{
.name = SN_dsa_with_SHA3_384,
.digest = EVP_sha3_384,
.alias = SN_sha3_384,
},
{
.name = SN_dsa_with_SHA3_512,
.digest = EVP_sha3_512,
.alias = SN_sha3_512,
},
#endif /* OPENSSL_NO_DSA && OPENSSL_NO_SHA3 */
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_SHA256)
{
.name = SN_dsa_with_SHA384,
.digest = EVP_sha384,
.alias = SN_sha384,
},
{
.name = SN_dsa_with_SHA512,
.digest = EVP_sha512,
.alias = SN_sha512,
},
#endif /* OPENSSL_NO_DSA && OPENSSL_NO_SHA256 */
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_SHA3)
{
.name = SN_ecdsa_with_SHA3_224,
.digest = EVP_sha3_224,
.alias = SN_sha3_224,
},
{
.name = SN_ecdsa_with_SHA3_256,
.digest = EVP_sha3_256,
.alias = SN_sha3_256,
},
{
.name = SN_ecdsa_with_SHA3_384,
.digest = EVP_sha3_384,
.alias = SN_sha3_384,
},
{
.name = SN_ecdsa_with_SHA3_512,
.digest = EVP_sha3_512,
.alias = SN_sha3_512,
},
#endif /* OPENSSL_NO_EC && OPENSSL_NO_SHA3 */
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_SHA3)
{
.name = SN_RSA_SHA3_224,

432
lib/libcrypto/evp/evp_pbe.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: evp_pbe.c,v 1.34 2023/12/18 13:12:43 tb Exp $ */
/* $OpenBSD: evp_pbe.c,v 1.40 2024/01/27 17:20:20 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -59,14 +59,16 @@
#include <stdio.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/objects.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
#include "evp_local.h"
#include "hmac_local.h"
/* Password based encryption (PBE) functions */
@ -96,14 +98,12 @@ static const struct pbe_config pbe_outer[] = {
.md_nid = NID_sha1,
.keygen = PKCS5_PBE_keyivgen,
},
#ifndef OPENSSL_NO_HMAC
{
.pbe_nid = NID_id_pbkdf2,
.cipher_nid = -1,
.md_nid = -1,
.keygen = PKCS5_v2_PBKDF2_keyivgen,
},
#endif
{
.pbe_nid = NID_pbe_WithSHA1And128BitRC4,
.cipher_nid = NID_rc4,
@ -140,14 +140,12 @@ static const struct pbe_config pbe_outer[] = {
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
#ifndef OPENSSL_NO_HMAC
{
.pbe_nid = NID_pbes2,
.cipher_nid = -1,
.md_nid = -1,
.keygen = PKCS5_v2_PBE_keyivgen,
},
#endif
{
.pbe_nid = NID_pbeWithMD2AndRC2_CBC,
.cipher_nid = NID_rc2_64_cbc,
@ -216,6 +214,36 @@ static const struct pbe_config pbe_prf[] = {
.cipher_nid = -1,
.md_nid = NID_id_tc26_gost3411_2012_512,
},
{
.pbe_nid = NID_hmacWithSHA512_224,
.cipher_nid = -1,
.md_nid = NID_sha512_224,
},
{
.pbe_nid = NID_hmacWithSHA512_256,
.cipher_nid = -1,
.md_nid = NID_sha512_256,
},
{
.pbe_nid = NID_hmac_sha3_224,
.cipher_nid = -1,
.md_nid = NID_sha3_224,
},
{
.pbe_nid = NID_hmac_sha3_256,
.cipher_nid = -1,
.md_nid = NID_sha3_256,
},
{
.pbe_nid = NID_hmac_sha3_384,
.cipher_nid = -1,
.md_nid = NID_sha3_384,
},
{
.pbe_nid = NID_hmac_sha3_512,
.cipher_nid = -1,
.md_nid = NID_sha3_512,
},
};
#define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
@ -311,6 +339,391 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
return 1;
}
int
PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
{
EVP_MD_CTX ctx;
unsigned char md_tmp[EVP_MAX_MD_SIZE];
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
int i;
PBEPARAM *pbe;
int saltlen, iter;
unsigned char *salt;
const unsigned char *pbuf;
int mdsize;
int ret = 0;
/* Extract useful info from parameter */
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
mdsize = EVP_MD_size(md);
if (mdsize < 0)
return 0;
pbuf = param->value.sequence->data;
if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
if (!pbe->iter)
iter = 1;
else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
PBEPARAM_free(pbe);
return 0;
}
salt = pbe->salt->data;
saltlen = pbe->salt->length;
if (!pass)
passlen = 0;
else if (passlen == -1)
passlen = strlen(pass);
EVP_MD_CTX_init(&ctx);
if (!EVP_DigestInit_ex(&ctx, md, NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, pass, passlen))
goto err;
if (!EVP_DigestUpdate(&ctx, salt, saltlen))
goto err;
if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
goto err;
for (i = 1; i < iter; i++) {
if (!EVP_DigestInit_ex(&ctx, md, NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
goto err;
if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
goto err;
}
if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
EVPerror(EVP_R_BAD_KEY_LENGTH);
goto err;
}
memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
EVPerror(EVP_R_IV_TOO_LARGE);
goto err;
}
memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
EVP_CIPHER_iv_length(cipher));
if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
goto err;
explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
explicit_bzero(key, EVP_MAX_KEY_LENGTH);
explicit_bzero(iv, EVP_MAX_IV_LENGTH);
ret = 1;
err:
EVP_MD_CTX_cleanup(&ctx);
PBEPARAM_free(pbe);
return ret;
}
/*
* PKCS#5 v2.0 password based encryption key derivation function PBKDF2.
*/
int
PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out)
{
unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
int cplen, j, k, tkeylen, mdlen;
unsigned long i = 1;
HMAC_CTX hctx_tpl, hctx;
mdlen = EVP_MD_size(digest);
if (mdlen < 0)
return 0;
HMAC_CTX_init(&hctx_tpl);
p = out;
tkeylen = keylen;
if (!pass)
passlen = 0;
else if (passlen == -1)
passlen = strlen(pass);
if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
while (tkeylen) {
if (tkeylen > mdlen)
cplen = mdlen;
else
cplen = tkeylen;
/*
* We are unlikely to ever use more than 256 blocks (5120 bits!)
* but just in case...
*/
itmp[0] = (unsigned char)((i >> 24) & 0xff);
itmp[1] = (unsigned char)((i >> 16) & 0xff);
itmp[2] = (unsigned char)((i >> 8) & 0xff);
itmp[3] = (unsigned char)(i & 0xff);
if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
if (!HMAC_Update(&hctx, salt, saltlen) ||
!HMAC_Update(&hctx, itmp, 4) ||
!HMAC_Final(&hctx, digtmp, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
HMAC_CTX_cleanup(&hctx);
return 0;
}
HMAC_CTX_cleanup(&hctx);
memcpy(p, digtmp, cplen);
for (j = 1; j < iter; j++) {
if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
if (!HMAC_Update(&hctx, digtmp, mdlen) ||
!HMAC_Final(&hctx, digtmp, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
HMAC_CTX_cleanup(&hctx);
return 0;
}
HMAC_CTX_cleanup(&hctx);
for (k = 0; k < cplen; k++)
p[k] ^= digtmp[k];
}
tkeylen -= cplen;
i++;
p += cplen;
}
HMAC_CTX_cleanup(&hctx_tpl);
return 1;
}
int
PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt,
int saltlen, int iter, int keylen, unsigned char *out)
{
return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
EVP_sha1(), keylen, out);
}
/*
* Now the key derivation function itself. This is a bit evil because
* it has to check the ASN1 parameters are valid: and there are quite a
* few of them...
*/
int
PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
{
const unsigned char *pbuf;
int plen;
PBE2PARAM *pbe2 = NULL;
const EVP_CIPHER *cipher;
int ret = 0;
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
EVPerror(EVP_R_DECODE_ERROR);
goto err;
}
pbuf = param->value.sequence->data;
plen = param->value.sequence->length;
if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
EVPerror(EVP_R_DECODE_ERROR);
goto err;
}
/* See if we recognise the key derivation function */
if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
goto err;
}
/* Let's see if we recognise the encryption algorithm. */
cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
if (!cipher) {
EVPerror(EVP_R_UNSUPPORTED_CIPHER);
goto err;
}
/* Fixup cipher based on AlgorithmIdentifier */
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
goto err;
if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
goto err;
}
ret = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
pbe2->keyfunc->parameter, c, md, en_de);
err:
PBE2PARAM_free(pbe2);
return ret;
}
int
PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
{
unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
const unsigned char *pbuf;
int saltlen, iter, plen;
unsigned int keylen = 0;
int prf_nid, hmac_md_nid;
PBKDF2PARAM *kdf = NULL;
const EVP_MD *prfmd;
int ret = 0;
if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
EVPerror(EVP_R_NO_CIPHER_SET);
return 0;
}
keylen = EVP_CIPHER_CTX_key_length(ctx);
if (keylen > sizeof key) {
EVPerror(EVP_R_BAD_KEY_LENGTH);
return 0;
}
/* Decode parameter */
if (!param || (param->type != V_ASN1_SEQUENCE)) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
pbuf = param->value.sequence->data;
plen = param->value.sequence->length;
if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
/* Now check the parameters of the kdf */
if (kdf->keylength &&
(ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
goto err;
}
if (kdf->prf)
prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
else
prf_nid = NID_hmacWithSHA1;
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
EVPerror(EVP_R_UNSUPPORTED_PRF);
goto err;
}
prfmd = EVP_get_digestbynid(hmac_md_nid);
if (prfmd == NULL) {
EVPerror(EVP_R_UNSUPPORTED_PRF);
goto err;
}
if (kdf->salt->type != V_ASN1_OCTET_STRING) {
EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
goto err;
}
/* it seems that its all OK */
salt = kdf->salt->value.octet_string->data;
saltlen = kdf->salt->value.octet_string->length;
if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
goto err;
}
if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
keylen, key))
goto err;
ret = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
err:
explicit_bzero(key, keylen);
PBKDF2PARAM_free(kdf);
return ret;
}
void
PKCS12_PBE_add(void)
{
}
LCRYPTO_ALIAS(PKCS12_PBE_add);
int
PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
{
PBEPARAM *pbe;
int saltlen, iter, ret;
unsigned char *salt;
const unsigned char *pbuf;
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
/* Extract useful info from parameter */
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
PKCS12error(PKCS12_R_DECODE_ERROR);
return 0;
}
pbuf = param->value.sequence->data;
if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
PKCS12error(PKCS12_R_DECODE_ERROR);
return 0;
}
if (!pbe->iter)
iter = 1;
else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
PKCS12error(PKCS12_R_DECODE_ERROR);
PBEPARAM_free(pbe);
return 0;
}
salt = pbe->salt->data;
saltlen = pbe->salt->length;
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
iter, EVP_CIPHER_key_length(cipher), key, md)) {
PKCS12error(PKCS12_R_KEY_GEN_ERROR);
PBEPARAM_free(pbe);
return 0;
}
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
PKCS12error(PKCS12_R_IV_GEN_ERROR);
PBEPARAM_free(pbe);
return 0;
}
PBEPARAM_free(pbe);
ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
explicit_bzero(key, EVP_MAX_KEY_LENGTH);
explicit_bzero(iv, EVP_MAX_IV_LENGTH);
return ret;
}
LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);
/*
* XXX - remove the functions below in the next major bump
*/
int
EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
EVP_PBE_KEYGEN *keygen)
@ -331,3 +744,8 @@ void
EVP_PBE_cleanup(void)
{
}
void
PKCS5_PBE_add(void)
{
}

163
lib/libcrypto/evp/p5_crpt.c
View File

@ -1,163 +0,0 @@
/* $OpenBSD: p5_crpt.c,v 1.23 2023/07/07 19:37:54 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include "evp_local.h"
/* Doesn't do anything now: Builtin PBE algorithms in static table.
*/
void
PKCS5_PBE_add(void)
{
}
int
PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
{
EVP_MD_CTX ctx;
unsigned char md_tmp[EVP_MAX_MD_SIZE];
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
int i;
PBEPARAM *pbe;
int saltlen, iter;
unsigned char *salt;
const unsigned char *pbuf;
int mdsize;
int rv = 0;
/* Extract useful info from parameter */
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
mdsize = EVP_MD_size(md);
if (mdsize < 0)
return 0;
pbuf = param->value.sequence->data;
if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
if (!pbe->iter)
iter = 1;
else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
PBEPARAM_free(pbe);
return 0;
}
salt = pbe->salt->data;
saltlen = pbe->salt->length;
if (!pass)
passlen = 0;
else if (passlen == -1)
passlen = strlen(pass);
EVP_MD_CTX_init(&ctx);
if (!EVP_DigestInit_ex(&ctx, md, NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, pass, passlen))
goto err;
if (!EVP_DigestUpdate(&ctx, salt, saltlen))
goto err;
if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
goto err;
for (i = 1; i < iter; i++) {
if (!EVP_DigestInit_ex(&ctx, md, NULL))
goto err;
if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
goto err;
if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
goto err;
}
if ((size_t)EVP_CIPHER_key_length(cipher) > sizeof(md_tmp)) {
EVPerror(EVP_R_BAD_KEY_LENGTH);
goto err;
}
memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
if ((size_t)EVP_CIPHER_iv_length(cipher) > 16) {
EVPerror(EVP_R_IV_TOO_LARGE);
goto err;
}
memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
EVP_CIPHER_iv_length(cipher));
if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
goto err;
explicit_bzero(md_tmp, EVP_MAX_MD_SIZE);
explicit_bzero(key, EVP_MAX_KEY_LENGTH);
explicit_bzero(iv, EVP_MAX_IV_LENGTH);
rv = 1;
err:
EVP_MD_CTX_cleanup(&ctx);
PBEPARAM_free(pbe);
return rv;
}

307
lib/libcrypto/evp/p5_crpt2.c
View File

@ -1,307 +0,0 @@
/* $OpenBSD: p5_crpt2.c,v 1.28 2023/12/16 13:23:20 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
/* ====================================================================
* Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/x509.h>
#include "evp_local.h"
#include "hmac_local.h"
/* This is an implementation of PKCS#5 v2.0 password based encryption key
* derivation function PBKDF2.
* SHA1 version verified against test vectors posted by Peter Gutmann
* <pgut001@cs.auckland.ac.nz> to the PKCS-TNG <pkcs-tng@rsa.com> mailing list.
*/
int
PKCS5_PBKDF2_HMAC(const char *pass, int passlen, const unsigned char *salt,
int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out)
{
unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
int cplen, j, k, tkeylen, mdlen;
unsigned long i = 1;
HMAC_CTX hctx_tpl, hctx;
mdlen = EVP_MD_size(digest);
if (mdlen < 0)
return 0;
HMAC_CTX_init(&hctx_tpl);
p = out;
tkeylen = keylen;
if (!pass)
passlen = 0;
else if (passlen == -1)
passlen = strlen(pass);
if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
while (tkeylen) {
if (tkeylen > mdlen)
cplen = mdlen;
else
cplen = tkeylen;
/* We are unlikely to ever use more than 256 blocks (5120 bits!)
* but just in case...
*/
itmp[0] = (unsigned char)((i >> 24) & 0xff);
itmp[1] = (unsigned char)((i >> 16) & 0xff);
itmp[2] = (unsigned char)((i >> 8) & 0xff);
itmp[3] = (unsigned char)(i & 0xff);
if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
if (!HMAC_Update(&hctx, salt, saltlen) ||
!HMAC_Update(&hctx, itmp, 4) ||
!HMAC_Final(&hctx, digtmp, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
HMAC_CTX_cleanup(&hctx);
return 0;
}
HMAC_CTX_cleanup(&hctx);
memcpy(p, digtmp, cplen);
for (j = 1; j < iter; j++) {
if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
HMAC_CTX_cleanup(&hctx_tpl);
return 0;
}
if (!HMAC_Update(&hctx, digtmp, mdlen) ||
!HMAC_Final(&hctx, digtmp, NULL)) {
HMAC_CTX_cleanup(&hctx_tpl);
HMAC_CTX_cleanup(&hctx);
return 0;
}
HMAC_CTX_cleanup(&hctx);
for (k = 0; k < cplen; k++)
p[k] ^= digtmp[k];
}
tkeylen -= cplen;
i++;
p += cplen;
}
HMAC_CTX_cleanup(&hctx_tpl);
return 1;
}
int
PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt,
int saltlen, int iter, int keylen, unsigned char *out)
{
return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
EVP_sha1(), keylen, out);
}
/* Now the key derivation function itself. This is a bit evil because
* it has to check the ASN1 parameters are valid: and there are quite a
* few of them...
*/
int
PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
{
const unsigned char *pbuf;
int plen;
PBE2PARAM *pbe2 = NULL;
const EVP_CIPHER *cipher;
int rv = 0;
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
EVPerror(EVP_R_DECODE_ERROR);
goto err;
}
pbuf = param->value.sequence->data;
plen = param->value.sequence->length;
if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
EVPerror(EVP_R_DECODE_ERROR);
goto err;
}
/* See if we recognise the key derivation function */
if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
EVPerror(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
goto err;
}
/* lets see if we recognise the encryption algorithm.
*/
cipher = EVP_get_cipherbyobj(pbe2->encryption->algorithm);
if (!cipher) {
EVPerror(EVP_R_UNSUPPORTED_CIPHER);
goto err;
}
/* Fixup cipher based on AlgorithmIdentifier */
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
goto err;
if (EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
EVPerror(EVP_R_CIPHER_PARAMETER_ERROR);
goto err;
}
rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
pbe2->keyfunc->parameter, c, md, en_de);
err:
PBE2PARAM_free(pbe2);
return rv;
}
int
PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de)
{
unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
const unsigned char *pbuf;
int saltlen, iter, plen;
int rv = 0;
unsigned int keylen = 0;
int prf_nid, hmac_md_nid;
PBKDF2PARAM *kdf = NULL;
const EVP_MD *prfmd;
if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
EVPerror(EVP_R_NO_CIPHER_SET);
return 0;
}
keylen = EVP_CIPHER_CTX_key_length(ctx);
if (keylen > sizeof key) {
EVPerror(EVP_R_BAD_KEY_LENGTH);
return 0;
}
/* Decode parameter */
if (!param || (param->type != V_ASN1_SEQUENCE)) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
pbuf = param->value.sequence->data;
plen = param->value.sequence->length;
if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
EVPerror(EVP_R_DECODE_ERROR);
return 0;
}
/* Now check the parameters of the kdf */
if (kdf->keylength &&
(ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
EVPerror(EVP_R_UNSUPPORTED_KEYLENGTH);
goto err;
}
if (kdf->prf)
prf_nid = OBJ_obj2nid(kdf->prf->algorithm);
else
prf_nid = NID_hmacWithSHA1;
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
EVPerror(EVP_R_UNSUPPORTED_PRF);
goto err;
}
prfmd = EVP_get_digestbynid(hmac_md_nid);
if (prfmd == NULL) {
EVPerror(EVP_R_UNSUPPORTED_PRF);
goto err;
}
if (kdf->salt->type != V_ASN1_OCTET_STRING) {
EVPerror(EVP_R_UNSUPPORTED_SALT_TYPE);
goto err;
}
/* it seems that its all OK */
salt = kdf->salt->value.octet_string->data;
saltlen = kdf->salt->value.octet_string->length;
if ((iter = ASN1_INTEGER_get(kdf->iter)) <= 0) {
EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
goto err;
}
if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
keylen, key))
goto err;
rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
err:
explicit_bzero(key, keylen);
PBKDF2PARAM_free(kdf);
return rv;
}
#endif

1
lib/libcrypto/objects/obj_mac.num
View File

@ -1050,3 +1050,4 @@ RSA_SHA3_224 1049
RSA_SHA3_256 1050
RSA_SHA3_384 1051
RSA_SHA3_512 1052
acmeIdentifier 1053

22
lib/libcrypto/objects/obj_xref.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: obj_xref.c,v 1.13 2023/07/28 10:25:05 tb Exp $ */
/* $OpenBSD: obj_xref.c,v 1.14 2024/01/27 16:08:43 tb Exp $ */
/*
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@ -265,6 +265,26 @@ static const struct {
.hash_nid = NID_sha3_512,
.pkey_nid = NID_rsaEncryption,
},
{
.sign_nid = NID_ecdsa_with_SHA3_224,
.hash_nid = NID_sha3_224,
.pkey_nid = NID_X9_62_id_ecPublicKey,
},
{
.sign_nid = NID_ecdsa_with_SHA3_256,
.hash_nid = NID_sha3_256,
.pkey_nid = NID_X9_62_id_ecPublicKey,
},
{
.sign_nid = NID_ecdsa_with_SHA3_384,
.hash_nid = NID_sha3_384,
.pkey_nid = NID_X9_62_id_ecPublicKey,
},
{
.sign_nid = NID_ecdsa_with_SHA3_512,
.hash_nid = NID_sha3_512,
.pkey_nid = NID_X9_62_id_ecPublicKey,
},
};
#define N_NID_TRIPLES (sizeof(nid_triple) / sizeof(nid_triple[0]))

1
lib/libcrypto/objects/objects.txt
View File

@ -490,6 +490,7 @@ id-pe 14 : proxyCertInfo : Proxy Certificate Information
id-pe 24 : tlsfeature : TLS Feature
id-pe 28 : sbgp-ipAddrBlockv2
id-pe 29 : sbgp-autonomousSysNumv2
id-pe 31 : acmeIdentifier : ACME Identifier
# PKIX policyQualifiers for Internet policy qualifiers
id-qt 1 : id-qt-cps : Policy Qualifier CPS

123
lib/libcrypto/pkcs12/p12_crpt.c
View File

@ -1,123 +0,0 @@
/* $OpenBSD: p12_crpt.c,v 1.17 2023/02/16 08:38:17 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
/* PKCS#12 PBE algorithms now in static table */
void
PKCS12_PBE_add(void)
{
}
LCRYPTO_ALIAS(PKCS12_PBE_add);
int
PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
{
PBEPARAM *pbe;
int saltlen, iter, ret;
unsigned char *salt;
const unsigned char *pbuf;
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
/* Extract useful info from parameter */
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
PKCS12error(PKCS12_R_DECODE_ERROR);
return 0;
}
pbuf = param->value.sequence->data;
if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
PKCS12error(PKCS12_R_DECODE_ERROR);
return 0;
}
if (!pbe->iter)
iter = 1;
else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) {
PKCS12error(PKCS12_R_DECODE_ERROR);
PBEPARAM_free(pbe);
return 0;
}
salt = pbe->salt->data;
saltlen = pbe->salt->length;
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
iter, EVP_CIPHER_key_length(cipher), key, md)) {
PKCS12error(PKCS12_R_KEY_GEN_ERROR);
PBEPARAM_free(pbe);
return 0;
}
if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
PKCS12error(PKCS12_R_IV_GEN_ERROR);
PBEPARAM_free(pbe);
return 0;
}
PBEPARAM_free(pbe);
ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
explicit_bzero(key, EVP_MAX_KEY_LENGTH);
explicit_bzero(iv, EVP_MAX_IV_LENGTH);
return ret;
}
LCRYPTO_ALIAS(PKCS12_PBE_keyivgen);

12
lib/libssl/tls13_internal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_internal.h,v 1.101 2022/07/24 14:28:16 jsing Exp $ */
/* $OpenBSD: tls13_internal.h,v 1.103 2024/01/27 14:31:01 jsing Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@ -87,7 +87,8 @@ __BEGIN_HIDDEN_DECLS
#define TLS13_INFO_ACCEPT_EXIT SSL_CB_ACCEPT_EXIT
#define TLS13_INFO_CONNECT_EXIT SSL_CB_CONNECT_EXIT
typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
typedef void (*tls13_alert_cb)(uint8_t _alert_level, uint8_t _alert_desc,
void *_cb_arg);
typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg);
typedef void (*tls13_phh_sent_cb)(void *_cb_arg);
typedef void (*tls13_handshake_message_cb)(void *_cb_arg);
@ -291,6 +292,8 @@ struct tls13_ctx {
int phh_count;
time_t phh_last_seen;
tls13_alert_cb alert_sent_cb;
tls13_alert_cb alert_recv_cb;
tls13_handshake_message_cb handshake_message_sent_cb;
tls13_handshake_message_cb handshake_message_recv_cb;
tls13_info_cb info_cb;
@ -309,8 +312,8 @@ void tls13_ctx_free(struct tls13_ctx *ctx);
const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher);
const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher);
void tls13_alert_received_cb(uint8_t alert_desc, void *arg);
void tls13_alert_sent_cb(uint8_t alert_desc, void *arg);
void tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
void tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
ssize_t tls13_phh_received_cb(void *cb_arg);
void tls13_phh_done_cb(void *cb_arg);
@ -323,7 +326,6 @@ int tls13_use_legacy_client(struct tls13_ctx *ctx);
int tls13_use_legacy_server(struct tls13_ctx *ctx);
int tls13_legacy_accept(SSL *ssl);
int tls13_legacy_connect(SSL *ssl);
int tls13_legacy_return_code(SSL *ssl, ssize_t ret);
ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg);
ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg);
ssize_t tls13_legacy_wire_flush_cb(void *arg);

39
lib/libssl/tls13_legacy.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_legacy.c,v 1.41 2023/11/28 13:19:04 tb Exp $ */
/* $OpenBSD: tls13_legacy.c,v 1.43 2024/01/27 14:34:28 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@ -159,7 +159,7 @@ tls13_legacy_error(SSL *ssl)
ctx->error.line);
}
int
static int
tls13_legacy_return_code(SSL *ssl, ssize_t ret)
{
if (ret > INT_MAX) {
@ -486,44 +486,45 @@ tls13_legacy_shutdown(SSL *ssl)
* We need to return 0 at the point that we have completed sending a
* close-notify. We return 1 when we have sent and received close-notify
* alerts. All other cases, including EOF, return -1 and set internal
* state appropriately.
* state appropriately. Note that all of this insanity can also be
* externally controlled by manipulating the shutdown flags.
*/
if (ctx == NULL || ssl->quiet_shutdown) {
ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
return 1;
}
if (!ctx->close_notify_sent) {
/* Enqueue and send close notify. */
if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) {
ssl->shutdown |= SSL_SENT_SHUTDOWN;
if ((ret = tls13_send_alert(ctx->rl,
TLS13_ALERT_CLOSE_NOTIFY)) < 0)
return tls13_legacy_return_code(ssl, ret);
}
ret = tls13_record_layer_send_pending(ctx->rl);
if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
ssl->shutdown |= SSL_SENT_SHUTDOWN;
ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
if (ret == TLS13_IO_EOF)
return -1;
if (ret != TLS13_IO_SUCCESS)
return tls13_legacy_return_code(ssl, ret);
} else if (!ctx->close_notify_recv) {
}
ret = tls13_record_layer_send_pending(ctx->rl);
if (ret == TLS13_IO_EOF)
return -1;
if (ret != TLS13_IO_SUCCESS)
return tls13_legacy_return_code(ssl, ret);
if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
/*
* If there is no application data pending, attempt to read more
* data in order to receive a close-notify. This should trigger
* a record to be read from the wire, which may be application
* handshake or alert data. Only one attempt is made to match
* previous semantics.
* handshake or alert data. Only one attempt is made with no
* error handling, in order to match previous semantics.
*/
if (tls13_pending_application_data(ctx->rl) == 0) {
if ((ret = tls13_read_application_data(ctx->rl, buf,
sizeof(buf))) < 0)
return tls13_legacy_return_code(ssl, ret);
(void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
if (!ctx->close_notify_recv)
return -1;
}
}
if (ctx->close_notify_recv)
if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN))
return 1;
return 0;

42
lib/libssl/tls13_lib.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
/* $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@ -110,11 +110,42 @@ tls13_cipher_hash(const SSL_CIPHER *cipher)
return NULL;
}
static void
tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
void *arg)
{
uint8_t alert[] = {alert_level, alert_desc};
struct tls13_ctx *ctx = arg;
SSL *s = ctx->ssl;
CBS cbs;
if (s->msg_callback == NULL)
return;
CBS_init(&cbs, alert, sizeof(alert));
ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
}
static void
tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
{
tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
}
static void
tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
{
tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
}
void
tls13_alert_received_cb(uint8_t alert_desc, void *arg)
tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
{
struct tls13_ctx *ctx = arg;
if (ctx->alert_recv_cb != NULL)
ctx->alert_recv_cb(alert_level, alert_desc, arg);
if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
ctx->close_notify_recv = 1;
ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
@ -140,10 +171,13 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
}
void
tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
{
struct tls13_ctx *ctx = arg;
if (ctx->alert_sent_cb != NULL)
ctx->alert_sent_cb(alert_level, alert_desc, arg);
if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
ctx->close_notify_sent = 1;
return;
@ -514,6 +548,8 @@ tls13_ctx_new(int mode, SSL *ssl)
if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
goto err;
ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
ctx->info_cb = tls13_legacy_info_cb;

6
lib/libssl/tls13_record_layer.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
/* $OpenBSD: tls13_record_layer.c,v 1.73 2024/01/27 14:23:51 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@ -327,7 +327,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
}
rl->cb.alert_recv(alert_desc, rl->cb_arg);
rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
return ret;
}
@ -361,7 +361,7 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl)
ret = TLS13_IO_ALERT;
}
rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
rl->cb.alert_sent(rl->alert_level, rl->alert_desc, rl->cb_arg);
return ret;
}

4
regress/lib/libssl/shutdown/shutdowntest.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: shutdowntest.c,v 1.1 2024/01/19 08:29:08 jsing Exp $ */
/* $OpenBSD: shutdowntest.c,v 1.2 2024/01/27 14:35:13 jsing Exp $ */
/*
* Copyright (c) 2020, 2021, 2024 Joel Sing <jsing@openbsd.org>
*
@ -489,12 +489,10 @@ struct ssl_version ssl_versions[] = {
.version = TLS1_2_VERSION,
.name = SSL_TXT_TLSV1_2,
},
#if 0
{
.version = TLS1_3_VERSION,
.name = SSL_TXT_TLSV1_3,
},
#endif
};
#define N_SSL_VERSIONS (sizeof(ssl_versions) / sizeof(*ssl_versions))

4
sys/arch/armv7/conf/Makefile.armv7
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile.armv7,v 1.54 2023/09/06 01:47:36 jsg Exp $
# $OpenBSD: Makefile.armv7,v 1.55 2024/01/28 00:40:22 deraadt Exp $
# For instructions on building kernels consult the config(8) and options(4)
# manual pages.
@ -51,7 +51,7 @@ HOSTED_CPPFLAGS=${CPPFLAGS:S/^-nostdinc$//}
HOSTED_CFLAGS= ${CFLAGS}
HOSTED_C= ${HOSTCC} ${HOSTED_CFLAGS} ${HOSTED_CPPFLAGS} -c $<
NORMAL_C_NOP= ${CC} ${CFLAGS} ${CPPFLAGS} -c $<
NORMAL_C_NOP= ${CC} ${CFLAGS} ${CPPFLAGS} -fno-stack-protector -c $<
NORMAL_C= ${CC} ${CFLAGS} ${CPPFLAGS} ${PROF} -c $<
NORMAL_S= ${CC} ${AFLAGS} ${CPPFLAGS} ${PROF} -c $<

4
sys/arch/i386/conf/Makefile.i386
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile.i386,v 1.144 2023/09/06 01:47:37 jsg Exp $
# $OpenBSD: Makefile.i386,v 1.145 2024/01/28 00:40:22 deraadt Exp $
# For instructions on building kernels consult the config(8) and options(4)
# manual pages.
@ -66,7 +66,7 @@ HOSTED_CPPFLAGS=${CPPFLAGS:S/^-nostdinc$//}
HOSTED_CFLAGS= ${CFLAGS}
HOSTED_C= ${HOSTCC} ${HOSTED_CFLAGS} ${HOSTED_CPPFLAGS} -c $<
NORMAL_C_NOP= ${CC} ${CFLAGS} ${CPPFLAGS} -c $<
NORMAL_C_NOP= ${CC} ${CFLAGS} ${CPPFLAGS} -fno-stack-protector -c $<
NORMAL_C= ${CC} ${CFLAGS} ${CPPFLAGS} ${PROF} -c $<
NORMAL_S= ${CC} ${AFLAGS} ${CPPFLAGS} ${PROF} -c $<

48
sys/dev/fdt/sxirtc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sxirtc.c,v 1.8 2022/10/17 19:09:46 kettenis Exp $ */
/* $OpenBSD: sxirtc.c,v 1.9 2024/01/27 11:22:16 kettenis Exp $ */
/*
* Copyright (c) 2008 Mark Kettenis
* Copyright (c) 2013 Artturi Alm
@ -58,6 +58,7 @@ struct sxirtc_softc {
uint32_t base_year;
uint32_t year_mask;
uint32_t leap_shift;
int linear_day;
};
int sxirtc_match(struct device *, void *, void *);
@ -85,7 +86,9 @@ sxirtc_match(struct device *parent, void *match, void *aux)
OF_is_compatible(faa->fa_node, "allwinner,sun7i-a20-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun6i-a31-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun8i-h3-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h5-rtc"));
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h5-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h616-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-r329-rtc"));
}
void
@ -109,7 +112,9 @@ sxirtc_attach(struct device *parent, struct device *self, void *aux)
if (OF_is_compatible(faa->fa_node, "allwinner,sun6i-a31-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun8i-h3-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h5-rtc")) {
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h5-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h616-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-r329-rtc")) {
sc->sc_yymmdd = SXIRTC_YYMMDD_A31;
sc->sc_hhmmss = SXIRTC_HHMMSS_A31;
} else {
@ -127,6 +132,17 @@ sxirtc_attach(struct device *parent, struct device *self, void *aux)
sc->leap_shift = 22;
}
/*
* Newer SoCs store the number of days since a fixed epoch
* instead of YYMMDD. Take this to be the number of days
* since the Unix epoch since that is what Linux does.
*/
if (OF_is_compatible(faa->fa_node, "allwinner,sun50i-h616-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-r329-rtc")) {
sc->base_year = 1970;
sc->linear_day = 1;
}
if (OF_is_compatible(faa->fa_node, "allwinner,sun8i-h3-rtc") ||
OF_is_compatible(faa->fa_node, "allwinner,sun50i-h5-rtc")) {
/* Switch to external oscillator. */
@ -199,17 +215,21 @@ sxirtc_gettime(todr_chip_handle_t handle, struct timeval *tv)
struct clock_ymdhms dt;
uint32_t reg;
reg = SXIREAD4(sc, sc->sc_yymmdd);
if (sc->linear_day) {
clock_secs_to_ymdhms(reg * SECDAY, &dt);
} else {
dt.dt_day = reg & 0x1f;
dt.dt_mon = reg >> 8 & 0x0f;
dt.dt_year = (reg >> 16 & sc->year_mask) + sc->base_year;
}
reg = SXIREAD4(sc, sc->sc_hhmmss);
dt.dt_sec = reg & 0x3f;
dt.dt_min = reg >> 8 & 0x3f;
dt.dt_hour = reg >> 16 & 0x1f;
dt.dt_wday = reg >> 29 & 0x07;
reg = SXIREAD4(sc, sc->sc_yymmdd);
dt.dt_day = reg & 0x1f;
dt.dt_mon = reg >> 8 & 0x0f;
dt.dt_year = (reg >> 16 & sc->year_mask) + sc->base_year;
if (dt.dt_sec > 59 || dt.dt_min > 59 ||
dt.dt_hour > 23 || dt.dt_wday > 6 ||
dt.dt_day > 31 || dt.dt_day == 0 ||
@ -247,10 +267,14 @@ sxirtc_settime(todr_chip_handle_t handle, struct timeval *tv)
dt.dt_sec | (dt.dt_min << 8) | (dt.dt_hour << 16) |
(dt.dt_wday << 29));
SXICMS4(sc, sc->sc_yymmdd, 0x00400000 | (sc->year_mask << 16) |
0x0f00 | 0x1f, dt.dt_day | (dt.dt_mon << 8) |
((dt.dt_year - sc->base_year) << 16) |
(LEAPYEAR(dt.dt_year) << sc->leap_shift));
if (sc->linear_day) {
SXICMS4(sc, sc->sc_yymmdd, 0xffff, tv->tv_sec / SECDAY);
} else {
SXICMS4(sc, sc->sc_yymmdd, 0x00400000 | (sc->year_mask << 16) |
0x0f00 | 0x1f, dt.dt_day | (dt.dt_mon << 8) |
((dt.dt_year - sc->base_year) << 16) |
(LEAPYEAR(dt.dt_year) << sc->leap_shift));
}
return 0;
}

30
sys/netinet/tcp_input.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tcp_input.c,v 1.398 2024/01/11 13:49:49 bluhm Exp $ */
/* $OpenBSD: tcp_input.c,v 1.399 2024/01/27 21:13:46 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@ -201,8 +201,8 @@ int syn_cache_add(struct sockaddr *, struct sockaddr *, struct tcphdr *,
struct socket *syn_cache_get(struct sockaddr *, struct sockaddr *,
struct tcphdr *, unsigned int, unsigned int, struct socket *,
struct mbuf *, uint64_t);
struct syn_cache *syn_cache_lookup(struct sockaddr *, struct sockaddr *,
struct syn_cache_head **, u_int);
struct syn_cache *syn_cache_lookup(const struct sockaddr *,
const struct sockaddr *, struct syn_cache_head **, u_int);
/*
* Insert segment ti into reassembly queue of tcp with
@ -3109,9 +3109,9 @@ struct mutex syn_cache_mtx = MUTEX_INITIALIZER(IPL_SOFTNET);
#ifndef INET6
#define SYN_HASHALL(hash, src, dst, rand) \
do { \
hash = SYN_HASH(&satosin(src)->sin_addr, \
satosin(src)->sin_port, \
satosin(dst)->sin_port, (rand)); \
hash = SYN_HASH(&satosin_const(src)->sin_addr, \
satosin_const(src)->sin_port, \
satosin_const(dst)->sin_port, (rand)); \
} while (/*CONSTCOND*/ 0)
#else
#define SYN_HASH6(sa, sp, dp, rand) \
@ -3125,14 +3125,14 @@ do { \
do { \
switch ((src)->sa_family) { \
case AF_INET: \
hash = SYN_HASH(&satosin(src)->sin_addr, \
satosin(src)->sin_port, \
satosin(dst)->sin_port, (rand)); \
hash = SYN_HASH(&satosin_const(src)->sin_addr, \
satosin_const(src)->sin_port, \
satosin_const(dst)->sin_port, (rand)); \
break; \
case AF_INET6: \
hash = SYN_HASH6(&satosin6(src)->sin6_addr, \
satosin6(src)->sin6_port, \
satosin6(dst)->sin6_port, (rand)); \
hash = SYN_HASH6(&satosin6_const(src)->sin6_addr, \
satosin6_const(src)->sin6_port, \
satosin6_const(dst)->sin6_port, (rand)); \
break; \
default: \
hash = 0; \
@ -3423,7 +3423,7 @@ syn_cache_cleanup(struct tcpcb *tp)
* Find an entry in the syn cache.
*/
struct syn_cache *
syn_cache_lookup(struct sockaddr *src, struct sockaddr *dst,
syn_cache_lookup(const struct sockaddr *src, const struct sockaddr *dst,
struct syn_cache_head **headp, u_int rtableid)
{
struct syn_cache_set *sets[2];
@ -3709,8 +3709,8 @@ syn_cache_reset(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
}
void
syn_cache_unreach(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th,
u_int rtableid)
syn_cache_unreach(const struct sockaddr *src, const struct sockaddr *dst,
struct tcphdr *th, u_int rtableid)
{
struct syn_cache *sc;
struct syn_cache_head *scp;

6
sys/netinet/tcp_subr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tcp_subr.c,v 1.195 2024/01/11 13:49:49 bluhm Exp $ */
/* $OpenBSD: tcp_subr.c,v 1.196 2024/01/27 21:13:46 bluhm Exp $ */
/* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */
/*
@ -698,8 +698,8 @@ tcp6_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *d)
} else if (inet6ctlerrmap[cmd] == EHOSTUNREACH ||
inet6ctlerrmap[cmd] == ENETUNREACH ||
inet6ctlerrmap[cmd] == EHOSTDOWN)
syn_cache_unreach((struct sockaddr *)sa6_src,
sa, &th, rdomain);
syn_cache_unreach(sin6tosa_const(sa6_src), sa, &th,
rdomain);
in_pcbunref(inp);
} else {
in6_pcbnotify(&tcbtable, sa6, 0,

26
sys/netinet/tcp_timer.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tcp_timer.c,v 1.74 2024/01/11 13:49:49 bluhm Exp $ */
/* $OpenBSD: tcp_timer.c,v 1.75 2024/01/27 21:35:13 bluhm Exp $ */
/* $NetBSD: tcp_timer.c,v 1.14 1996/02/13 23:44:09 christos Exp $ */
/*
@ -198,30 +198,35 @@ void
tcp_timer_rexmt(void *arg)
{
struct tcpcb *otp = NULL, *tp = arg;
struct inpcb *inp;
uint32_t rto;
short ostate;
NET_LOCK();
inp = tp->t_inpcb;
/* Ignore canceled timeouts or timeouts that have been rescheduled. */
if (!ISSET((tp)->t_flags, TF_TMR_REXMT) ||
timeout_pending(&tp->t_timer[TCPT_REXMT]))
goto out;
CLR((tp)->t_flags, TF_TMR_REXMT);
if ((tp->t_flags & TF_PMTUD_PEND) && tp->t_inpcb &&
if ((tp->t_flags & TF_PMTUD_PEND) && inp &&
SEQ_GEQ(tp->t_pmtud_th_seq, tp->snd_una) &&
SEQ_LT(tp->t_pmtud_th_seq, (int)(tp->snd_una + tp->t_maxseg))) {
struct sockaddr_in sin;
struct icmp icmp;
/* TF_PMTUD_PEND is set in tcp_ctlinput() which is IPv4 only */
KASSERT(!ISSET(inp->inp_flags, INP_IPV6));
tp->t_flags &= ~TF_PMTUD_PEND;
/* XXX create fake icmp message with relevant entries */
icmp.icmp_nextmtu = tp->t_pmtud_nextmtu;
icmp.icmp_ip.ip_len = tp->t_pmtud_ip_len;
icmp.icmp_ip.ip_hl = tp->t_pmtud_ip_hl;
icmp.icmp_ip.ip_dst = tp->t_inpcb->inp_faddr;
icmp_mtudisc(&icmp, tp->t_inpcb->inp_rtableid);
icmp.icmp_ip.ip_dst = inp->inp_faddr;
icmp_mtudisc(&icmp, inp->inp_rtableid);
/*
* Notify all connections to the same peer about
@ -230,9 +235,9 @@ tcp_timer_rexmt(void *arg)
bzero(&sin, sizeof(sin));
sin.sin_len = sizeof(sin);
sin.sin_family = AF_INET;
sin.sin_addr = tp->t_inpcb->inp_faddr;
in_pcbnotifyall(&tcbtable, sintosa(&sin),
tp->t_inpcb->inp_rtableid, EMSGSIZE, tcp_mtudisc);
sin.sin_addr = inp->inp_faddr;
in_pcbnotifyall(&tcbtable, sintosa(&sin), inp->inp_rtableid,
EMSGSIZE, tcp_mtudisc);
goto out;
}
@ -244,7 +249,7 @@ tcp_timer_rexmt(void *arg)
tp->t_softerror : ETIMEDOUT);
goto out;
}
if (tp->t_inpcb->inp_socket->so_options & SO_DEBUG) {
if (inp->inp_socket->so_options & SO_DEBUG) {
otp = tp;
ostate = tp->t_state;
}
@ -265,10 +270,9 @@ tcp_timer_rexmt(void *arg)
* lots more sophisticated searching to find the right
* value here...
*/
if (ip_mtudisc && tp->t_inpcb &&
if (ip_mtudisc && inp &&
TCPS_HAVEESTABLISHED(tp->t_state) &&
tp->t_rxtshift > TCP_MAXRXTSHIFT / 6) {
struct inpcb *inp = tp->t_inpcb;
struct rtentry *rt = NULL;
/* No data to send means path mtu is not a problem */
@ -319,7 +323,7 @@ tcp_timer_rexmt(void *arg)
* retransmit times until then.
*/
if (tp->t_rxtshift > TCP_MAXRXTSHIFT / 4) {
in_losing(tp->t_inpcb);
in_losing(inp);
tp->t_rttvar += (tp->t_srtt >> TCP_RTT_SHIFT);
tp->t_srtt = 0;
}

4
sys/netinet/tcp_var.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: tcp_var.h,v 1.174 2024/01/11 13:49:49 bluhm Exp $ */
/* $OpenBSD: tcp_var.h,v 1.175 2024/01/27 21:13:46 bluhm Exp $ */
/* $NetBSD: tcp_var.h,v 1.17 1996/02/13 23:44:24 christos Exp $ */
/*
@ -799,7 +799,7 @@ int tcp_signature(struct tdb *, int, struct mbuf *, struct tcphdr *,
#endif /* TCP_SIGNATURE */
void tcp_set_iss_tsm(struct tcpcb *);
void syn_cache_unreach(struct sockaddr *, struct sockaddr *,
void syn_cache_unreach(const struct sockaddr *, const struct sockaddr *,
struct tcphdr *, u_int);
void syn_cache_init(void);
void syn_cache_cleanup(struct tcpcb *);

8
sys/netinet6/in6.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: in6.h,v 1.111 2023/11/28 13:23:20 bluhm Exp $ */
/* $OpenBSD: in6.h,v 1.112 2024/01/27 21:13:46 bluhm Exp $ */
/* $KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $ */
/*
@ -459,6 +459,12 @@ sin6tosa(struct sockaddr_in6 *sin6)
return ((struct sockaddr *)(sin6));
}
static inline const struct sockaddr *
sin6tosa_const(const struct sockaddr_in6 *sin6)
{
return ((const struct sockaddr *)(sin6));
}
static inline struct in6_ifaddr *
ifatoia6(struct ifaddr *ifa)
{

3
usr.sbin/fw_update/patterns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: patterns.c,v 1.10 2023/07/22 03:46:09 jsg Exp $ */
/* $OpenBSD: patterns.c,v 1.11 2024/01/27 15:15:01 phessler Exp $ */
/*
* Copyright (c) 1995, 1996 Christopher G. Demetriou. All rights reserved.
@ -114,6 +114,7 @@ main(void)
printf("%s\n", "otus");
printf("%s\n", "pgt");
printf("%s\n", "qcpas");
printf("%s\n", "qwx");
printf("%s\n", "radeondrm");
print_devices("radeondrm", radeon_devices, nitems(radeon_devices));
printf("%s\n", "rsu");

8
usr.sbin/snmpd/Makefile
View File

@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.25 2023/11/12 16:07:34 martijn Exp $
# $OpenBSD: Makefile,v 1.26 2024/01/27 09:53:59 martijn Exp $
PROG= snmpd
MAN= snmpd.8 snmpd.conf.5
SRCS= parse.y log.c snmpe.c application.c application_blocklist.c \
SRCS= mib.y parse.y log.c snmpe.c application.c application_blocklist.c \
application_internal.c application_agentx.c ax.c \
trap.c smi.c snmpd.c \
proc.c usm.c traphandler.c util.c
@ -16,4 +16,8 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual
CFLAGS+= -Wsign-compare
YFLAGS=
mib.c: mib.y
${YACC.y} -pmib -o ${.TARGET} ${.IMPSRC}
.include <bsd.prog.mk>

18
usr.sbin/snmpd/mib.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mib.h,v 1.43 2023/12/21 13:54:05 martijn Exp $ */
/* $OpenBSD: mib.h,v 1.44 2024/01/27 09:53:59 martijn Exp $ */
/*
* Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
@ -19,6 +19,22 @@
#ifndef SNMPD_MIB_H
#define SNMPD_MIB_H
#include <stddef.h>
struct ber_oid;
enum mib_oidfmt {
MIB_OIDNUMERIC,
MIB_OIDSYMBOLIC
};
void mib_parsefile(const char *);
void mib_parsedir(const char *);
void mib_resolve(void);
void mib_clear(void);
char *mib_oid2string(struct ber_oid *, char *, size_t,
enum mib_oidfmt);
const char *mib_string2oid(const char *, struct ber_oid *);
#define MIBDECL(...) { { MIB_##__VA_ARGS__ }, \
(sizeof((uint32_t []) { MIB_##__VA_ARGS__ }) / sizeof(uint32_t))}, #__VA_ARGS__
#define MIBEND { { 0 } }, NULL

2260
usr.sbin/snmpd/mib.y Normal file
View File

File diff suppressed because it is too large Load Diff