sync with OpenBSD -current

purplerain 2023-12-16 16:23:05 +00:00
parent 30cf31d90d
commit 8f3269c13c
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
27 changed files with 498 additions and 682 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.46 2023/04/24 17:07:33 krw Exp $
# $OpenBSD: Makefile,v 1.47 2023/12/15 06:03:00 jmatthew Exp $
FS= install${OSrev}.img
FSSIZE= 1359872
@ -18,6 +18,8 @@ XBASE= ${RELXDIR}/xbase${OSrev}.tgz ${RELXDIR}/xfont${OSrev}.tgz \
${RELXDIR}/xshare${OSrev}.tgz ${RELXDIR}/xserv${OSrev}.tgz
EFIBOOT?= ${DESTDIR}/usr/mdec/BOOTX64.EFI ${DESTDIR}/usr/mdec/BOOTIA32.EFI
EFICDBOOT= eficdboot
EFICDBOOTSIZE= 350K
MSDOSSIZE= 960
TOTALSIZE!= expr ${FSSIZE} + ${MSDOSSIZE}
@ -55,7 +57,14 @@ ${FS}: ${BASE} ${XBASE} bsd.rd
vnconfig -u `cat vnd`
rm -f vnd
${CDROM}: ${BASE} ${XBASE}
${EFICDBOOT}: ${EFIBOOT}
rm -rf ${.OBJDIR}/eficdboot-dir
mkdir -p ${.OBJDIR}/eficdboot-dir/efi/boot
cp ${EFIBOOT} ${.OBJDIR}/eficdboot-dir/efi/boot
makefs -t msdos -o create_size=${EFICDBOOTSIZE} ${EFICDBOOT} \
${.OBJDIR}/eficdboot-dir
${CDROM}: ${BASE} ${XBASE} ${EFICDBOOT}
rm -rf ${.OBJDIR}/cd-dir
mkdir -p ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
mkdir -p ${.OBJDIR}/cd-dir/etc
@ -70,6 +79,7 @@ ${CDROM}: ${BASE} ${XBASE}
cp -p ${RELDIR}/cdbr ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
cp -p ${RELDIR}/cdboot ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}/cdboot
cp -p ${.OBJDIR}/${EFICDBOOT} ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
mkhybrid -a -R -T -L -l -d -D -N -o ${.OBJDIR}/${CDROM} \
-A "SecBSD ${OSREV} ${MACHINE} Install CD" \
@ -77,14 +87,15 @@ ${CDROM}: ${BASE} ${XBASE}
-p "Purple Rain <purplerain@secbsd.org>" \
-V "SecBSD/${MACHINE} ${OSREV} Install CD" \
-b ${OSREV}/${MACHINE}/cdbr -c ${OSREV}/${MACHINE}/boot.catalog \
-e ${OSREV}/${MACHINE}/${EFICDBOOT} \
${.OBJDIR}/cd-dir
install:
cp ${CDROM} ${FS} ${RELDIR}/
clean cleandir:
rm -f ${CDROM} ${FS}
rm -rf cd-dir
rm -f ${CDROM} ${FS} ${EFICDBOOT}
rm -rf cd-dir eficdboot-dir
bsd.rd: ${BSDRD}
cp ${BSDRD} bsd.rd


@ -1,7 +1,9 @@
# $OpenBSD: Makefile,v 1.38 2023/04/28 08:45:25 krw Exp $
# $OpenBSD: Makefile,v 1.39 2023/12/15 06:03:00 jmatthew Exp $
FS= miniroot${OSrev}.img
FSSIZE= 11392
EFICDBOOT= eficdboot
EFICDBOOTSIZE= 350K
CDROM= cd${OSrev}.iso
MOUNT_POINT= /mnt
MTREE= ${UTILS}/mtree.conf
@ -37,7 +39,14 @@ ${FS}: bsd.gz
vnconfig -u `cat vnd`
rm -f vnd
${CDROM}: bsd.rd
${EFICDBOOT}: ${EFIBOOT}
rm -rf ${.OBJDIR}/eficdboot-dir
mkdir -p ${.OBJDIR}/eficdboot-dir/efi/boot
cp ${EFIBOOT} ${.OBJDIR}/eficdboot-dir/efi/boot
makefs -t msdos -o create_size=${EFICDBOOTSIZE} ${EFICDBOOT} \
${.OBJDIR}/eficdboot-dir
${CDROM}: bsd.rd ${EFICDBOOT}
rm -rf ${.OBJDIR}/cd-dir
mkdir -p ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
mkdir -p ${.OBJDIR}/cd-dir/etc
@ -45,12 +54,14 @@ ${CDROM}: bsd.rd
cp ${.OBJDIR}/bsd.rd ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
cp ${DESTDIR}/usr/mdec/cdbr ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
cp ${DESTDIR}/usr/mdec/cdboot ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}/cdboot
cp ${.OBJDIR}/${EFICDBOOT} ${.OBJDIR}/cd-dir/${OSREV}/${MACHINE}
mkhybrid -a -R -T -L -l -d -D -N -o ${.OBJDIR}/${CDROM} \
-A "SecBSD ${OSREV} ${MACHINE} bootonly CD" \
-P "Copyright (c) `date +%Y` Purple Rain, The SecBSD project" \
-p "Purple Rain <purplerain@secbsd.org>" \
-V "SecBSD/${MACHINE} ${OSREV} boot-only CD" \
-b ${OSREV}/${MACHINE}/cdbr -c ${OSREV}/${MACHINE}/boot.catalog \
-e ${OSREV}/${MACHINE}/${EFICDBOOT} \
${.OBJDIR}/cd-dir
MRDISKTYPE= rdrootb
@ -108,7 +119,7 @@ clean cleandir:
*.o *.lo *.c bsd bsd.rd bsd.gz bsd.strip floppy*.img \
lib*.a lib*.olist instbin.map boot instbin.conf ${FS}
rm -rf mr.fs.d
rm -f ${CDROM}
rm -rf cd-dir
rm -f ${CDROM} ${EFICDBOOT}
rm -rf cd-dir eficdboot-dir
.include <bsd.obj.mk>


@ -1761,7 +1761,7 @@
./usr/share/man/man3/ASN1_NULL_new.3
./usr/share/man/man3/ASN1_OBJECT_new.3
./usr/share/man/man3/ASN1_PRINTABLE_type.3
./usr/share/man/man3/ASN1_STRING_TABLE_add.3
./usr/share/man/man3/ASN1_STRING_TABLE_get.3
./usr/share/man/man3/ASN1_STRING_length.3
./usr/share/man/man3/ASN1_STRING_new.3
./usr/share/man/man3/ASN1_STRING_print_ex.3


@ -1,4 +1,4 @@
# $OpenBSD: rc.subr,v 1.160 2022/10/19 21:04:45 ajacoutot Exp $
# $OpenBSD: rc.subr,v 1.161 2023/12/15 16:59:48 jca Exp $
#
# Copyright (c) 2010, 2011, 2014-2022 Antoine Jacoutot <ajacoutot@openbsd.org>
# Copyright (c) 2010, 2011 Ingo Schwarze <schwarze@openbsd.org>
@ -166,7 +166,15 @@ rc_exec() {
[ "${daemon_rtable}" -eq "$(id -R)" ] ||
_rcexec="route -T ${daemon_rtable} exec ${_rcexec}"
${_rcexec} "${daemon_logger:+set -o pipefail; } \
local _set_monitor=":"
# Run non-daemons services in a different process group to avoid SIGHUP
# at boot.
if [ X"${rc_bg}" = X"YES" ]; then
_set_monitor="set -o monitor"
fi
${_rcexec} "${_set_monitor}; \
${daemon_logger:+set -o pipefail; } \
${daemon_execdir:+cd ${daemon_execdir} && } \
$@ \
${daemon_logger:+ 2>&1 |
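Review bot: The new comment in rc_exec() reads "non-daemons services" and does not say how `set -o monitor` achieves the stated goal. Something like `# Enable job control for rc_bg=YES (non-daemon) services so they run in their own process group and are not sent SIGHUP at boot.` would be clearer. `_set_monitor` is spliced unquoted into the command string handed to `${_rcexec}`, which is safe only while it can hold nothing but `:` or `set -o monitor`; a short remark to that effect would keep it that way. The function starts and ends outside the hunk.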


@ -1,4 +1,4 @@
/* $OpenBSD: a_strnid.c,v 1.27 2023/07/05 21:23:36 beck Exp $ */
/* $OpenBSD: a_strnid.c,v 1.29 2023/12/16 12:56:20 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -65,20 +65,13 @@
#include <openssl/err.h>
#include <openssl/objects.h>
static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
static ASN1_STRING_TABLE *stable_get(int nid);
static void st_free(ASN1_STRING_TABLE *tbl);
static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
const ASN1_STRING_TABLE * const *b);
/*
* XXX - unprotected global state
*
* This is the global mask for the mbstring functions: this is used to
* mask out certain types (such as BMPString and UTF8String) because
* certain software (e.g. Netscape) has problems with them.
*/
static unsigned long global_mask = B_ASN1_UTF8STRING;
void
@ -171,12 +164,7 @@ ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, int inlen,
}
LCRYPTO_ALIAS(ASN1_STRING_set_by_NID);
/*
* Now the tables and helper functions for the string table:
*/
/* size limits: this stuff is taken straight from RFC3280 */
/* From RFC 5280, Appendix A.1. */
#define ub_name 32768
#define ub_common_name 64
#define ub_locality_name 128
@ -184,12 +172,9 @@ LCRYPTO_ALIAS(ASN1_STRING_set_by_NID);
#define ub_organization_name 64
#define ub_organization_unit_name 64
#define ub_title 64
#define ub_email_address 128
#define ub_email_address 128 /* XXX - bumped to 255 in RFC 5280 */
#define ub_serial_number 64
/* This table must be kept in NID order */
static const ASN1_STRING_TABLE tbl_standard[] = {
{
.nid = NID_commonName,
@ -326,138 +311,36 @@ static const ASN1_STRING_TABLE tbl_standard[] = {
},
};
static int
sk_table_cmp(const ASN1_STRING_TABLE * const *a,
const ASN1_STRING_TABLE * const *b)
{
return (*a)->nid - (*b)->nid;
}
static int table_cmp_BSEARCH_CMP_FN(const void *, const void *);
static int table_cmp(ASN1_STRING_TABLE const *, ASN1_STRING_TABLE const *);
static ASN1_STRING_TABLE *OBJ_bsearch_table(ASN1_STRING_TABLE *key, ASN1_STRING_TABLE const *base, int num);
static int
table_cmp(const ASN1_STRING_TABLE *a, const ASN1_STRING_TABLE *b)
{
return a->nid - b->nid;
}
static int
table_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
{
ASN1_STRING_TABLE const *a = a_;
ASN1_STRING_TABLE const *b = b_;
return table_cmp(a, b);
}
static ASN1_STRING_TABLE *
OBJ_bsearch_table(ASN1_STRING_TABLE *key, ASN1_STRING_TABLE const *base, int num)
{
return (ASN1_STRING_TABLE *)OBJ_bsearch_(key, base, num, sizeof(ASN1_STRING_TABLE),
table_cmp_BSEARCH_CMP_FN);
}
#define N_STRING_TABLE_ENTRIES (sizeof(tbl_standard) / sizeof(tbl_standard[0]))
/* XXX - const */
ASN1_STRING_TABLE *
ASN1_STRING_TABLE_get(int nid)
{
int idx;
ASN1_STRING_TABLE fnd;
size_t i;
fnd.nid = nid;
if (stable != NULL) {
idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
if (idx >= 0)
return sk_ASN1_STRING_TABLE_value(stable, idx);
for (i = 0; i < N_STRING_TABLE_ENTRIES; i++) {
const ASN1_STRING_TABLE *entry = &tbl_standard[i];
if (entry->nid == nid)
return (ASN1_STRING_TABLE *)entry;
}
return OBJ_bsearch_table(&fnd, tbl_standard,
sizeof(tbl_standard) / sizeof(tbl_standard[0]));
return NULL;
}
LCRYPTO_ALIAS(ASN1_STRING_TABLE_get);
/*
* Return a string table pointer which can be modified: either directly
* from table or a copy of an internal value added to the table.
*/
static ASN1_STRING_TABLE *
stable_get(int nid)
{
ASN1_STRING_TABLE *tmp, *rv;
/* Always need a string table so allocate one if NULL */
if (stable == NULL) {
stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
if (stable == NULL)
return NULL;
}
tmp = ASN1_STRING_TABLE_get(nid);
if (tmp != NULL && (tmp->flags & STABLE_FLAGS_MALLOC) != 0)
return tmp;
if ((rv = calloc(1, sizeof(*rv))) == NULL) {
ASN1error(ERR_R_MALLOC_FAILURE);
return NULL;
}
if (!sk_ASN1_STRING_TABLE_push(stable, rv)) {
free(rv);
return NULL;
}
if (tmp != NULL) {
rv->nid = tmp->nid;
rv->minsize = tmp->minsize;
rv->maxsize = tmp->maxsize;
rv->mask = tmp->mask;
rv->flags = tmp->flags | STABLE_FLAGS_MALLOC;
} else {
rv->nid = nid;
rv->minsize = -1;
rv->maxsize = -1;
rv->flags = STABLE_FLAGS_MALLOC;
}
return rv;
}
int
ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, unsigned long mask,
unsigned long flags)
{
ASN1_STRING_TABLE *tmp;
if ((tmp = stable_get(nid)) == NULL) {
ASN1error(ERR_R_MALLOC_FAILURE);
return 0;
}
if (minsize >= 0)
tmp->minsize = minsize;
if (maxsize >= 0)
tmp->maxsize = maxsize;
if (mask != 0)
tmp->mask = mask;
if (flags != 0)
tmp->flags = flags | STABLE_FLAGS_MALLOC;
return 1;
ASN1error(ERR_R_DISABLED);
return 0;
}
LCRYPTO_ALIAS(ASN1_STRING_TABLE_add);
void
ASN1_STRING_TABLE_cleanup(void)
{
STACK_OF(ASN1_STRING_TABLE) *tmp;
tmp = stable;
if (tmp == NULL)
return;
stable = NULL;
sk_ASN1_STRING_TABLE_pop_free(tmp, st_free);
ASN1error(ERR_R_DISABLED);
}
LCRYPTO_ALIAS(ASN1_STRING_TABLE_cleanup);
static void
st_free(ASN1_STRING_TABLE *tbl)
{
if (tbl->flags & STABLE_FLAGS_MALLOC)
free(tbl);
}
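Review bot: ASN1_STRING_TABLE_cleanup() returns void, so the `ASN1error(ERR_R_DISABLED);` that appears to be its new body is visible only as an entry left on the error queue, where a later `ERR_get_error()` can attribute it to an unrelated operation. A caller that still invokes the function at shutdown cannot check for or react to this failure, unlike ASN1_STRING_TABLE_add(), which also returns 0. An empty body would be the less surprising stub. If the error is intentional, say so in a comment such as `/* Deliberately raises ERR_R_DISABLED: the string table is no longer extensible. */`. The +/- markers are lost on this page, so which lines form the new side is inferred from the surrounding removed code.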


@ -1,4 +1,4 @@
/* $OpenBSD: ameth_lib.c,v 1.34 2023/11/29 21:35:57 tb Exp $ */
/* $OpenBSD: ameth_lib.c,v 1.37 2023/12/15 21:55:47 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -56,13 +56,11 @@
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include "asn1_local.h"
#include "evp_local.h"
@ -100,36 +98,21 @@ static const EVP_PKEY_ASN1_METHOD *asn1_methods[] = {
&x25519_asn1_meth,
};
static const size_t asn1_methods_count =
sizeof(asn1_methods) / sizeof(asn1_methods[0]);
DECLARE_STACK_OF(EVP_PKEY_ASN1_METHOD)
static STACK_OF(EVP_PKEY_ASN1_METHOD) *asn1_app_methods = NULL;
#define N_ASN1_METHODS (sizeof(asn1_methods) / sizeof(asn1_methods[0]))
int
EVP_PKEY_asn1_get_count(void)
{
int num = asn1_methods_count;
if (asn1_app_methods != NULL)
num += sk_EVP_PKEY_ASN1_METHOD_num(asn1_app_methods);
return num;
return N_ASN1_METHODS;
}
const EVP_PKEY_ASN1_METHOD *
EVP_PKEY_asn1_get0(int idx)
{
int num = asn1_methods_count;
if (idx < 0)
if (idx < 0 || idx >= N_ASN1_METHODS)
return NULL;
if (idx < num)
return asn1_methods[idx];
idx -= num;
return sk_EVP_PKEY_ASN1_METHOD_value(asn1_app_methods, idx);
return asn1_methods[idx];
}
static const EVP_PKEY_ASN1_METHOD *
@ -196,33 +179,15 @@ EVP_PKEY_asn1_find_str(ENGINE **pe, const char *str, int len)
int
EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
{
if (asn1_app_methods == NULL) {
asn1_app_methods = sk_EVP_PKEY_ASN1_METHOD_new(NULL);
if (asn1_app_methods == NULL)
return 0;
}
if (!sk_EVP_PKEY_ASN1_METHOD_push(asn1_app_methods, ameth))
return 0;
return 1;
EVPerror(ERR_R_DISABLED);
return 0;
}
int
EVP_PKEY_asn1_add_alias(int to, int from)
{
EVP_PKEY_ASN1_METHOD *ameth;
ameth = EVP_PKEY_asn1_new(from, ASN1_PKEY_ALIAS, NULL, NULL);
if (ameth == NULL)
return 0;
ameth->pkey_base_id = to;
if (!EVP_PKEY_asn1_add0(ameth)) {
EVP_PKEY_asn1_free(ameth);
return 0;
}
return 1;
EVPerror(ERR_R_DISABLED);
return 0;
}
int
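Review bot: In EVP_PKEY_asn1_get0() the bound `idx >= N_ASN1_METHODS` compares an int with a size_t expression, so idx is implicitly converted to unsigned for the comparison. The result is still correct, because a negative idx is rejected first and would convert to a value above the table size anyway, but the mixed comparison trips -Wsign-compare and hides the intent. Making the conversion explicit, `if (idx < 0 || (size_t)idx >= N_ASN1_METHODS)`, documents that the index is validated against the table length before `asn1_methods[idx]` is read. EVP_PKEY_asn1_get_count() likewise narrows the size_t to int on return, which is harmless for a table this small.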


@ -1,4 +1,4 @@
/* $OpenBSD: asn1.h,v 1.81 2023/11/13 12:46:07 beck Exp $ */
/* $OpenBSD: asn1.h,v 1.82 2023/12/16 12:25:02 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -217,10 +217,11 @@ typedef struct asn1_string_table_st {
unsigned long flags;
} ASN1_STRING_TABLE;
/* XXX - unused. Remove in next major bump. */
DECLARE_STACK_OF(ASN1_STRING_TABLE)
/* size limits: this stuff is taken straight from RFC2459 */
/* XXX - unused macros. A more complete version is in a_strnid.c. Remove? */
#define ub_name 32768
#define ub_common_name 64
#define ub_locality_name 128


@ -1,4 +1,4 @@
/* $OpenBSD: cmac.c,v 1.16 2023/11/29 21:35:57 tb Exp $ */
/* $OpenBSD: cmac.c,v 1.17 2023/12/15 13:45:05 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@ -191,6 +191,13 @@ CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
/* Initialise context. */
if (cipher != NULL) {
/*
* Disallow ciphers for which EVP_Cipher() behaves differently.
* These are AEAD ciphers (or AES keywrap) for which the CMAC
* construction makes little sense.
*/
if ((cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
return 0;
if (!EVP_EncryptInit_ex(&ctx->cctx, cipher, NULL, NULL, NULL))
return 0;
}
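Review bot: The new rejection of `EVP_CIPH_FLAG_CUSTOM_CIPHER` ciphers in CMAC_Init() returns 0 without recording a reason, so a caller cannot tell an unsupported cipher from any other initialisation failure. If the rest of the file reports errors (not visible in this hunk), push one before the `return 0;`; otherwise extend the comment to say the failure is deliberately silent. The check runs only when `cipher != NULL`, which is sufficient only as long as this branch is the sole place a cipher gets installed in `ctx->cctx`. The function body continues outside the hunk, so that should be confirmed there.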


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_init.c,v 1.12 2023/11/19 15:46:09 tb Exp $ */
/* $OpenBSD: crypto_init.c,v 1.13 2023/12/16 12:36:14 tb Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
*
@ -83,7 +83,6 @@ OPENSSL_cleanup(void)
CRYPTO_cleanup_all_ex_data();
EVP_cleanup();
ASN1_STRING_TABLE_cleanup();
X509V3_EXT_cleanup();
X509_PURPOSE_cleanup();
X509_TRUST_cleanup();


@ -1,4 +1,4 @@
/* $OpenBSD: e_chacha20poly1305.c,v 1.32 2023/09/28 11:29:10 tb Exp $ */
/* $OpenBSD: e_chacha20poly1305.c,v 1.33 2023/12/15 13:48:59 tb Exp $ */
/*
* Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
@ -477,7 +477,7 @@ chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
if (len > SIZE_MAX - cpx->in_len) {
EVPerror(EVP_R_TOO_LARGE);
return 0;
return -1;
}
/* Disallow authenticated data after plaintext/ciphertext. */
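Review bot: The overflow path in chacha20_poly1305_cipher() now returns -1, but the return convention that makes this necessary is not stated at the function. For a cipher flagged EVP_CIPH_FLAG_CUSTOM_CIPHER, a return of 0 means "success, zero bytes written", so any error path that still returns 0 is reported to the caller as success. Only this one return is visible in the hunk; the remaining error returns, starting with the "authenticated data after plaintext/ciphertext" check that follows, should be confirmed to return -1 as well. A one-line comment above the function, e.g. `/* Returns the number of bytes written to out, or -1 on error. */`, would keep later edits from reintroducing `return 0`.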


@ -1,4 +1,4 @@
/* $OpenBSD: evp_enc.c,v 1.58 2023/12/03 11:18:30 tb Exp $ */
/* $OpenBSD: evp_enc.c,v 1.63 2023/12/16 17:40:22 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -246,11 +246,60 @@ EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
}
/*
* EVP_Cipher() is an implementation detail of EVP_Cipher{Update,Final}().
* Behavior depends on EVP_CIPH_FLAG_CUSTOM_CIPHER being set on ctx->cipher.
*
* If the flag is set, do_cipher() operates in update mode if in != NULL and
* in final mode if in == NULL. It returns the number of bytes written to out
* (which may be 0) or -1 on error.
*
* If the flag is not set, do_cipher() assumes properly aligned data and that
* padding is handled correctly by the caller. Most do_cipher() methods will
* silently produce garbage and succeed. Returns 1 on success, 0 on error.
*/
int
EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
unsigned int inl)
{
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
static int
evp_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len,
const unsigned char *in, int in_len)
{
int len;
*out_len = 0;
if (in_len < 0)
return 0;
if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) {
if ((len = ctx->cipher->do_cipher(ctx, out, in, in_len)) < 0)
return 0;
*out_len = len;
return 1;
}
if (!ctx->cipher->do_cipher(ctx, out, in, in_len))
return 0;
*out_len = in_len;
return 1;
}
int
EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
int i, j, bl;
const int block_size = ctx->cipher->block_size;
const int block_mask = ctx->block_mask;
int buf_offset = ctx->buf_len;
int len = 0, total_len = 0;
*outl = 0;
@ -260,71 +309,67 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
if (inl == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)
return 1;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
i = ctx->cipher->do_cipher(ctx, out, in, inl);
if (i < 0)
return 0;
else
*outl = i;
return 1;
}
if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
return evp_cipher(ctx, out, outl, in, inl);
if (ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) {
if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
*outl = inl;
return 1;
} else {
*outl = 0;
return 0;
}
}
i = ctx->buf_len;
bl = ctx->cipher->block_size;
if ((size_t)bl > sizeof(ctx->buf)) {
if (buf_offset == 0 && (inl & block_mask) == 0)
return evp_cipher(ctx, out, outl, in, inl);
/* XXX - check that block_size > buf_offset. */
if (block_size > sizeof(ctx->buf)) {
EVPerror(EVP_R_BAD_BLOCK_LENGTH);
*outl = 0;
return 0;
}
if (i != 0) {
if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
return 1;
} else {
j = bl - i;
/*
* Once we've processed the first j bytes from in, the
* amount of data left that is a multiple of the block
* length is (inl - j) & ~(bl - 1). Ensure this plus
* the block processed from ctx-buf doesn't overflow.
*/
if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
EVPerror(EVP_R_TOO_LARGE);
return 0;
}
memcpy(&(ctx->buf[i]), in, j);
if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
return 0;
inl -= j;
in += j;
out += bl;
*outl = bl;
if (buf_offset != 0) {
int buf_avail;
if ((buf_avail = block_size - buf_offset) > inl) {
memcpy(&ctx->buf[buf_offset], in, inl);
ctx->buf_len += inl;
return 1;
}
} else
*outl = 0;
i = inl&(bl - 1);
inl -= i;
if (inl > 0) {
if (!ctx->cipher->do_cipher(ctx, out, in, inl))
/*
* Once the first buf_avail bytes from in are processed, the
* amount of data left that is a multiple of the block length is
* (inl - buf_avail) & ~block_mask. Ensure that this plus the
* block processed from ctx->buf doesn't overflow.
*/
if (((inl - buf_avail) & ~block_mask) > INT_MAX - block_size) {
EVPerror(EVP_R_TOO_LARGE);
return 0;
*outl += inl;
}
memcpy(&ctx->buf[buf_offset], in, buf_avail);
len = 0;
if (!evp_cipher(ctx, out, &len, ctx->buf, block_size))
return 0;
total_len = len;
inl -= buf_avail;
in += buf_avail;
out += len;
}
if (i != 0)
memcpy(ctx->buf, &(in[inl]), i);
ctx->buf_len = i;
buf_offset = inl & block_mask;
if ((inl -= buf_offset) > 0) {
if (INT_MAX - inl < total_len)
return 0;
len = 0;
if (!evp_cipher(ctx, out, &len, in, inl))
return 0;
if (INT_MAX - len < total_len)
return 0;
total_len += len;
}
if (buf_offset != 0)
memcpy(ctx->buf, &in[inl], buf_offset);
ctx->buf_len = buf_offset;
*outl = total_len;
return 1;
}
@ -337,17 +382,13 @@ EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int
EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int n, ret;
int n;
unsigned int i, b, bl;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
if (ret < 0)
return 0;
else
*outl = ret;
return 1;
}
*outl = 0;
if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
return evp_cipher(ctx, out, outl, NULL, 0);
b = ctx->cipher->block_size;
if (b > sizeof ctx->buf) {
@ -371,13 +412,8 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
n = b - bl;
for (i = bl; i < b; i++)
ctx->buf[i] = n;
ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
if (ret)
*outl = b;
return ret;
return evp_cipher(ctx, out, outl, ctx->buf, b);
}
int
@ -395,15 +431,8 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
if (inl == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)
return 1;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
if (fix_len < 0) {
*outl = 0;
return 0;
} else
*outl = fix_len;
return 1;
}
if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
return evp_cipher(ctx, out, outl, in, inl);
if (ctx->flags & EVP_CIPH_NO_PADDING)
return EVP_EncryptUpdate(ctx, out, outl, in, inl);
@ -461,16 +490,11 @@ EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int i, n;
unsigned int b;
*outl = 0;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
if (i < 0)
return 0;
else
*outl = i;
return 1;
}
if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0)
return evp_cipher(ctx, out, outl, NULL, 0);
b = ctx->cipher->block_size;
if (ctx->flags & EVP_CIPH_NO_PADDING) {
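Review bot: In EVP_EncryptUpdate() the `/* XXX - check that block_size > buf_offset. */` comment marks a check that is still missing. If ctx->buf_len were ever larger than block_size, `buf_avail = block_size - buf_offset` would be negative, the `> inl` test would not take the early return, and `memcpy(&ctx->buf[buf_offset], in, buf_avail)` would run with a length that converts to a very large size_t. Replace the XXX with the guard, placed before the `buf_offset != 0` branch: `if (buf_offset < 0 || buf_offset >= block_size) { EVPerror(EVP_R_BAD_BLOCK_LENGTH); return 0; }`. The adjacent `block_size > sizeof(ctx->buf)` comparison also dropped the `(size_t)` cast the old code had. The two `INT_MAX - ... < total_len` returns fail without an EVPerror() call, unlike the EVP_R_TOO_LARGE path above them.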


@ -1,4 +1,4 @@
/* $OpenBSD: evp_lib.c,v 1.29 2023/11/18 09:37:15 tb Exp $ */
/* $OpenBSD: evp_lib.c,v 1.30 2023/12/15 13:28:30 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -197,13 +197,6 @@ EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx)
return ctx->cipher->block_size;
}
int
EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
unsigned int inl)
{
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
const EVP_CIPHER *
EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
{


@ -1,4 +1,4 @@
/* $OpenBSD: evp_pbe.c,v 1.29 2023/07/07 19:37:53 beck Exp $ */
/* $OpenBSD: evp_pbe.c,v 1.33 2023/12/16 14:09:33 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -70,54 +70,201 @@
/* Password based encryption (PBE) functions */
DECLARE_STACK_OF(EVP_PBE_CTL)
static STACK_OF(EVP_PBE_CTL) *pbe_algs;
/* Setup a cipher context from a PBE algorithm */
typedef struct {
int pbe_type;
struct pbe_config {
int pbe_nid;
int cipher_nid;
int md_nid;
EVP_PBE_KEYGEN *keygen;
} EVP_PBE_CTL;
static const EVP_PBE_CTL builtin_pbe[] = {
{EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndDES_CBC, NID_des_cbc, NID_md2, PKCS5_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndDES_CBC, NID_des_cbc, NID_md5, PKCS5_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC, NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen},
#ifndef OPENSSL_NO_HMAC
{EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
#endif
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4, NID_rc4, NID_sha1, PKCS12_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4, NID_rc4_40, NID_sha1, PKCS12_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And3_Key_TripleDES_CBC, NID_des_ede3_cbc, NID_sha1, PKCS12_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And2_Key_TripleDES_CBC, NID_des_ede_cbc, NID_sha1, PKCS12_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC2_CBC, NID_rc2_cbc, NID_sha1, PKCS12_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC2_CBC, NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen},
#ifndef OPENSSL_NO_HMAC
{EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen},
#endif
{EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndRC2_CBC, NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndRC2_CBC, NID_rc2_64_cbc, NID_md5, PKCS5_PBE_keyivgen},
{EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndDES_CBC, NID_des_cbc, NID_sha1, PKCS5_PBE_keyivgen},
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA1, -1, NID_sha1, 0},
{EVP_PBE_TYPE_PRF, NID_hmacWithMD5, -1, NID_md5, 0},
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA224, -1, NID_sha224, 0},
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA256, -1, NID_sha256, 0},
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0},
{EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
{EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
{EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_256, -1, NID_id_tc26_gost3411_2012_256, 0},
{EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_512, -1, NID_id_tc26_gost3411_2012_512, 0},
};
static const struct pbe_config pbe_outer[] = {
{
.pbe_nid = NID_pbeWithMD2AndDES_CBC,
.cipher_nid = NID_des_cbc,
.md_nid = NID_md2,
.keygen = PKCS5_PBE_keyivgen,
},
{
.pbe_nid = NID_pbeWithMD5AndDES_CBC,
.cipher_nid = NID_des_cbc,
.md_nid = NID_md5,
.keygen = PKCS5_PBE_keyivgen,
},
{
.pbe_nid = NID_pbeWithSHA1AndRC2_CBC,
.cipher_nid = NID_rc2_64_cbc,
.md_nid = NID_sha1,
.keygen = PKCS5_PBE_keyivgen,
},
#ifndef OPENSSL_NO_HMAC
{
.pbe_nid = NID_id_pbkdf2,
.cipher_nid = -1,
.md_nid = -1,
.keygen = PKCS5_v2_PBKDF2_keyivgen,
},
#endif
{
.pbe_nid = NID_pbe_WithSHA1And128BitRC4,
.cipher_nid = NID_rc4,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
{
.pbe_nid = NID_pbe_WithSHA1And40BitRC4,
.cipher_nid = NID_rc4_40,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
{
.pbe_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
.cipher_nid = NID_des_ede3_cbc,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
{
.pbe_nid = NID_pbe_WithSHA1And2_Key_TripleDES_CBC,
.cipher_nid = NID_des_ede_cbc,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
{
.pbe_nid = NID_pbe_WithSHA1And128BitRC2_CBC,
.cipher_nid = NID_rc2_cbc,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
{
.pbe_nid = NID_pbe_WithSHA1And40BitRC2_CBC,
.cipher_nid = NID_rc2_40_cbc,
.md_nid = NID_sha1,
.keygen = PKCS12_PBE_keyivgen,
},
#ifndef OPENSSL_NO_HMAC
{
.pbe_nid = NID_pbes2,
.cipher_nid = -1,
.md_nid = -1,
.keygen = PKCS5_v2_PBE_keyivgen,
},
#endif
{
.pbe_nid = NID_pbeWithMD2AndRC2_CBC,
.cipher_nid = NID_rc2_64_cbc,
.md_nid = NID_md2,
.keygen = PKCS5_PBE_keyivgen,
},
{
.pbe_nid = NID_pbeWithMD5AndRC2_CBC,
.cipher_nid = NID_rc2_64_cbc,
.md_nid = NID_md5,
.keygen = PKCS5_PBE_keyivgen,
},
{
.pbe_nid = NID_pbeWithSHA1AndDES_CBC,
.cipher_nid = NID_des_cbc,
.md_nid = NID_sha1,
.keygen = PKCS5_PBE_keyivgen,
},
};
#define N_PBE_OUTER (sizeof(pbe_outer) / sizeof(pbe_outer[0]))
static const struct pbe_config pbe_prf[] = {
{
.pbe_nid = NID_hmacWithSHA1,
.cipher_nid = -1,
.md_nid = NID_sha1,
},
{
.pbe_nid = NID_hmacWithMD5,
.cipher_nid = -1,
.md_nid = NID_md5,
},
{
.pbe_nid = NID_hmacWithSHA224,
.cipher_nid = -1,
.md_nid = NID_sha224,
},
{
.pbe_nid = NID_hmacWithSHA256,
.cipher_nid = -1,
.md_nid = NID_sha256,
},
{
.pbe_nid = NID_hmacWithSHA384,
.cipher_nid = -1,
.md_nid = NID_sha384,
},
{
.pbe_nid = NID_hmacWithSHA512,
.cipher_nid = -1,
.md_nid = NID_sha512,
},
{
.pbe_nid = NID_id_HMACGostR3411_94,
.cipher_nid = -1,
.md_nid = NID_id_GostR3411_94,
},
{
.pbe_nid = NID_id_tc26_hmac_gost_3411_12_256,
.cipher_nid = -1,
.md_nid = NID_id_tc26_gost3411_2012_256,
},
{
.pbe_nid = NID_id_tc26_hmac_gost_3411_12_512,
.cipher_nid = -1,
.md_nid = NID_id_tc26_gost3411_2012_512,
},
};
#define N_PBE_PRF (sizeof(pbe_prf) / sizeof(pbe_prf[0]))
int
EVP_PBE_find(int type, int pbe_nid, int *out_cipher_nid, int *out_md_nid,
EVP_PBE_KEYGEN **out_keygen)
{
const struct pbe_config *pbe = NULL;
size_t i;
if (out_cipher_nid != NULL)
*out_cipher_nid = NID_undef;
if (out_md_nid != NULL)
*out_md_nid = NID_undef;
if (out_keygen != NULL)
*out_keygen = NULL;
if (pbe_nid == NID_undef)
return 0;
if (type == EVP_PBE_TYPE_OUTER) {
for (i = 0; i < N_PBE_OUTER; i++) {
if (pbe_nid == pbe_outer[i].pbe_nid) {
pbe = &pbe_outer[i];
break;
}
}
} else if (type == EVP_PBE_TYPE_PRF) {
for (i = 0; i < N_PBE_PRF; i++) {
if (pbe_nid == pbe_prf[i].pbe_nid) {
pbe = &pbe_prf[i];
break;
}
}
}
if (pbe == NULL)
return 0;
if (out_cipher_nid != NULL)
*out_cipher_nid = pbe->cipher_nid;
if (out_md_nid != NULL)
*out_md_nid = pbe->md_nid;
if (out_keygen != NULL)
*out_keygen = pbe->keygen;
return 1;
}
int
EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
@ -171,142 +318,23 @@ EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
return 1;
}
static int pbe2_cmp_BSEARCH_CMP_FN(const void *, const void *);
static int pbe2_cmp(EVP_PBE_CTL const *, EVP_PBE_CTL const *);
static EVP_PBE_CTL *OBJ_bsearch_pbe2(EVP_PBE_CTL *key, EVP_PBE_CTL const *base, int num);
static int
pbe2_cmp(const EVP_PBE_CTL *pbe1, const EVP_PBE_CTL *pbe2)
{
int ret = pbe1->pbe_type - pbe2->pbe_type;
if (ret)
return ret;
else
return pbe1->pbe_nid - pbe2->pbe_nid;
}
static int
pbe2_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
{
EVP_PBE_CTL const *a = a_;
EVP_PBE_CTL const *b = b_;
return pbe2_cmp(a, b);
}
static EVP_PBE_CTL *
OBJ_bsearch_pbe2(EVP_PBE_CTL *key, EVP_PBE_CTL const *base, int num)
{
return (EVP_PBE_CTL *)OBJ_bsearch_(key, base, num, sizeof(EVP_PBE_CTL),
pbe2_cmp_BSEARCH_CMP_FN);
}
static int
pbe_cmp(const EVP_PBE_CTL * const *a, const EVP_PBE_CTL * const *b)
{
int ret = (*a)->pbe_type - (*b)->pbe_type;
if (ret)
return ret;
else
return (*a)->pbe_nid - (*b)->pbe_nid;
}
/* Add a PBE algorithm */
int
EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, int md_nid,
EVP_PBE_KEYGEN *keygen)
{
EVP_PBE_CTL *pbe_tmp;
if (pbe_algs == NULL) {
pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);
if (pbe_algs == NULL) {
EVPerror(ERR_R_MALLOC_FAILURE);
return 0;
}
}
pbe_tmp = malloc(sizeof(EVP_PBE_CTL));
if (pbe_tmp == NULL) {
EVPerror(ERR_R_MALLOC_FAILURE);
return 0;
}
pbe_tmp->pbe_type = pbe_type;
pbe_tmp->pbe_nid = pbe_nid;
pbe_tmp->cipher_nid = cipher_nid;
pbe_tmp->md_nid = md_nid;
pbe_tmp->keygen = keygen;
if (sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp) == 0) {
free(pbe_tmp);
EVPerror(ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
EVPerror(ERR_R_DISABLED);
return 0;
}
int
EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
EVP_PBE_KEYGEN *keygen)
{
int cipher_nid, md_nid;
if (cipher)
cipher_nid = EVP_CIPHER_nid(cipher);
else
cipher_nid = -1;
if (md)
md_nid = EVP_MD_type(md);
else
md_nid = -1;
return EVP_PBE_alg_add_type(EVP_PBE_TYPE_OUTER, nid,
cipher_nid, md_nid, keygen);
}
int
EVP_PBE_find(int type, int pbe_nid,
int *pcnid, int *pmnid, EVP_PBE_KEYGEN **pkeygen)
{
EVP_PBE_CTL *pbetmp = NULL, pbelu;
int i;
if (pbe_nid == NID_undef)
return 0;
pbelu.pbe_type = type;
pbelu.pbe_nid = pbe_nid;
if (pbe_algs) {
i = sk_EVP_PBE_CTL_find(pbe_algs, &pbelu);
if (i != -1)
pbetmp = sk_EVP_PBE_CTL_value (pbe_algs, i);
}
if (pbetmp == NULL) {
pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL));
}
if (pbetmp == NULL)
return 0;
if (pcnid)
*pcnid = pbetmp->cipher_nid;
if (pmnid)
*pmnid = pbetmp->md_nid;
if (pkeygen)
*pkeygen = pbetmp->keygen;
return 1;
}
static void
free_evp_pbe_ctl(EVP_PBE_CTL *pbe)
{
free(pbe);
EVPerror(ERR_R_DISABLED);
return 0;
}
void
EVP_PBE_cleanup(void)
{
sk_EVP_PBE_CTL_pop_free(pbe_algs, free_evp_pbe_ctl);
pbe_algs = NULL;
}
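Review bot: EVP_PBE_find() has two different "no value" encodings and nothing documents them. On failure the outputs are reset to `NID_undef`/`NULL`, while a successful lookup can return `-1` in `cipher_nid` (every pbe_prf entry, NID_id_pbkdf2, NID_pbes2) and in `md_nid` (the latter two), plus a NULL keygen for every PRF entry. A caller that tests the outputs against `NID_undef` only, or calls the returned keygen without a NULL check, would mishandle those successful lookups. A short comment above the function should state that the return value, not the outputs, signals success, and that -1 and a NULL keygen mean "not applicable for this algorithm". The callers are outside this section and should be checked against that contract.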


@ -1,4 +1,4 @@
/* $OpenBSD: names.c,v 1.21 2023/08/26 02:59:13 tb Exp $ */
/* $OpenBSD: names.c,v 1.22 2023/12/15 14:22:10 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -141,7 +141,6 @@ EVP_cleanup(void)
does that part. -- Richard Levitte */
OBJ_NAME_cleanup(-1);
EVP_PBE_cleanup();
if (obj_cleanup_defer == 2) {
obj_cleanup_defer = 0;
OBJ_cleanup();


@ -1,4 +1,4 @@
/* $OpenBSD: p5_crpt2.c,v 1.27 2023/07/07 19:37:54 beck Exp $ */
/* $OpenBSD: p5_crpt2.c,v 1.28 2023/12/16 13:23:20 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -270,7 +270,7 @@ PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
else
prf_nid = NID_hmacWithSHA1;
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, 0)) {
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, NULL)) {
EVPerror(EVP_R_UNSUPPORTED_PRF);
goto err;
}


@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_STRING_TABLE_add.3,v 1.9 2021/12/15 20:07:51 schwarze Exp $
.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.3 2023/12/16 19:14:56 tb Exp $
.\" checked up to:
.\" OpenSSL ASN1_STRING_TABLE_add.pod 7b608d08 Jul 27 01:18:50 2017 +0800
.\"
@ -16,38 +16,26 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: December 15 2021 $
.Dt ASN1_STRING_TABLE_ADD 3
.Dd $Mdocdate: December 16 2023 $
.Dt ASN1_STRING_TABLE_GET 3
.Os
.Sh NAME
.Nm ASN1_STRING_TABLE_add ,
.Nm ASN1_STRING_TABLE_get ,
.Nm ASN1_STRING_TABLE_cleanup
.Nd maintain the global ASN.1 string table
.Nm ASN1_STRING_TABLE_get
.Nd retrieve an entry from the global ASN.1 string table
.Sh SYNOPSIS
.In openssl/asn1.h
.Ft int
.Fo ASN1_STRING_TABLE_add
.Fa "int nid"
.Fa "long minsize"
.Fa "long maxsize"
.Fa "unsigned long mask"
.Fa "unsigned long flags"
.Fc
.Ft ASN1_STRING_TABLE *
.Fo ASN1_STRING_TABLE_get
.Fa "int nid"
.Fc
.Ft void
.Fn ASN1_STRING_TABLE_cleanup void
.Sh DESCRIPTION
The ASN.1 string table is a unique global object.
Each entry is of the type
.Vt ASN1_STRING_TABLE
and contains information about one NID object.
Some entries are predefined according to RFC 3280 appendix A.1.
The entries are predefined according to RFC 5280 appendix A.1.
.Pp
By default, the upper bounds for the number of characters in various kinds of
The upper bounds for the number of characters in various kinds of
.Vt ASN1_STRING
objects are:
.Pp
@ -68,58 +56,16 @@ objects are:
.El
.Pp
The function
.Fn ASN1_STRING_TABLE_add
changes the existing entry for
.Fa nid
or, if there is none, allocates a new entry.
The fields of the entry are overwritten with the function arguments
of the same name.
If
.Fa minsize
or
.Fa maxsize
is negative or
.Fa mask
is 0, that argument is ignored and the respective field remains unchanged,
or for a new entry, it is set to \-1, \-1, 0, or
.Dv STABLE_FLAGS_MALLOC ,
respectively.
.Pp
The bits set in the
.Fa flags
argument are OR'ed into the existing field rather than overwriting it.
The only useful flag is
.Dv STABLE_NO_MASK .
If it is set,
.Xr ASN1_STRING_set_by_NID 3
skips applying the global mask that can be set with
.Xr ASN1_STRING_set_default_mask 3 .
Otherwise, the table entry only accepts types
permitted by both the global mask and the
.Fa mask
argument.
Setting
.Dv STABLE_FLAGS_MALLOC
or any other bit in the
.Fa mask
argument has no effect.
.Pp
The function
.Fn ASN1_STRING_TABLE_get
retrieves the entry for
.Fa nid .
.Pp
The function
.Fn ASN1_STRING_TABLE_cleanup
removes and frees all entries except the predefined ones
and restores the predefined ones to their default state.
If the
.Dv STABLE_NO_MASK
flag is set,
.Xr ASN1_STRING_set_by_NID 3
skips applying the global mask that can be set with
.Xr ASN1_STRING_set_default_mask 3 .
.Sh RETURN VALUES
The
.Fn ASN1_STRING_TABLE_add
function returns 1 if successful; otherwise 0 is returned
and an error code can be retrieved with
.Xr ERR_get_error 3 .
.Pp
.Fn ASN1_STRING_TABLE_get
returns a valid
.Vt ASN1_STRING_TABLE
@ -132,11 +78,13 @@ if nothing is found.
.Xr OBJ_create 3 ,
.Xr OBJ_nid2obj 3
.Sh HISTORY
.Fn ASN1_STRING_TABLE_add ,
.Fn ASN1_STRING_TABLE_get ,
and
.Fn ASN1_STRING_TABLE_cleanup
first appeared in OpenSSL 0.9.5 and have been available since
.Fn ASN1_STRING_TABLE_get
first appeared in OpenSSL 0.9.5 and has been available since
.Ox 2.7 .
.Sh BUGS
Most aspects of the semantics considerably differ from OpenSSL.
.Pp
.Dv ub_email_address ,
which should really be called
.Dv ub_emailaddress_length ,
was changed in RFC 5280 from 128 to 255 to match PKCS#9 (RFC 2985).


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.278 2023/12/01 10:40:21 schwarze Exp $
# $OpenBSD: Makefile,v 1.279 2023/12/16 10:26:10 tb Exp $
.include <bsd.own.mk>
@ -11,7 +11,7 @@ MAN= \
ASN1_NULL_new.3 \
ASN1_OBJECT_new.3 \
ASN1_PRINTABLE_type.3 \
ASN1_STRING_TABLE_add.3 \
ASN1_STRING_TABLE_get.3 \
ASN1_STRING_length.3 \
ASN1_STRING_new.3 \
ASN1_STRING_print_ex.3 \


@ -5,7 +5,7 @@ PHDRS
btext PT_LOAD FLAGS (0x08000005);
data PT_LOAD;
random PT_OPENBSD_RANDOMIZE;
scalls PT_OPENBSD_SYSCALLS;
syscalls PT_OPENBSD_SYSCALLS;
relro PT_GNU_RELRO;
dynamic PT_DYNAMIC;
note PT_NOTE;


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.25 2023/10/11 12:49:00 tb Exp $
# $OpenBSD: Makefile,v 1.26 2023/12/15 22:24:15 tb Exp $
PROGS = \
asn1api \
@ -12,7 +12,6 @@ PROGS = \
asn1time \
asn1x509 \
rfc5280time \
string_table \
x509_algor
DPADD+= ${LIBCRYPTO}


@ -1,128 +0,0 @@
/* $OpenBSD: string_table.c,v 1.1 2021/12/11 22:58:48 schwarze Exp $ */
/*
* Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <err.h>
#include <stdarg.h>
#include <openssl/asn1.h>
#include <openssl/objects.h>
static int errcount;
static void
report(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
vwarnx(fmt, ap);
va_end(ap);
errcount++;
}
static void
stable_check(const char *testname, ASN1_STRING_TABLE *have,
ASN1_STRING_TABLE *want, unsigned long want_flags)
{
if (have == NULL) {
report("%s returned NULL", testname);
return;
}
if (have->nid != want->nid)
report("%s nid %d, expected %d", testname,
have->nid, want->nid);
if (have->minsize != want->minsize)
report("%s minsize %ld, expected %ld", testname,
have->minsize, want->minsize);
if (have->maxsize != want->maxsize)
report("%s maxsize %ld, expected %ld", testname,
have->maxsize, want->maxsize);
if (have->mask != want->mask)
report("%s mask %lu, expected %lu", testname,
have->mask, want->mask);
if (have->flags != want_flags)
report("%s flags %lu, expected %lu", testname,
have->flags, want_flags);
}
int
main(void)
{
ASN1_STRING_TABLE orig, mine, *have;
int irc;
orig.nid = NID_name;
orig.minsize = 1;
orig.maxsize = ub_name;
orig.mask = DIRSTRING_TYPE;
orig.flags = 0;
mine.nid = NID_name;
mine.minsize = 4;
mine.maxsize = 64;
mine.mask = B_ASN1_PRINTABLESTRING;
mine.flags = STABLE_NO_MASK;
/* Original entry. */
have = ASN1_STRING_TABLE_get(orig.nid);
stable_check("orig", have, &orig, 0);
/* Copy, but don't really change. */
irc = ASN1_STRING_TABLE_add(orig.nid, -1, -1, 0, 0);
if (irc != 1)
report("set noop returned %d, expected 1", irc);
have = ASN1_STRING_TABLE_get(orig.nid);
stable_check("noop", have, &orig, STABLE_FLAGS_MALLOC);
/* Change entry. */
irc = ASN1_STRING_TABLE_add(mine.nid, mine.minsize, mine.maxsize,
mine.mask, mine.flags);
if (irc != 1)
report("set returned %d, expected 1", irc);
have = ASN1_STRING_TABLE_get(mine.nid);
stable_check("set", have, &mine, STABLE_FLAGS_MALLOC | STABLE_NO_MASK);
/* New entry. */
mine.nid = NID_title;
irc = ASN1_STRING_TABLE_add(mine.nid, mine.minsize, mine.maxsize,
mine.mask, mine.flags);
if (irc != 1)
report("new returned %d, expected 1", irc);
have = ASN1_STRING_TABLE_get(mine.nid);
stable_check("new", have, &mine, STABLE_FLAGS_MALLOC | STABLE_NO_MASK);
/* Back to the initial state. */
ASN1_STRING_TABLE_cleanup();
have = ASN1_STRING_TABLE_get(orig.nid);
stable_check("back", have, &orig, 0);
if (ASN1_STRING_TABLE_get(mine.nid) != NULL)
report("deleted entry is not NULL");
switch (errcount) {
case 0:
return 0;
case 1:
errx(1, "one error");
default:
errx(1, "%d errors", errcount);
}
}


@ -1,4 +1,4 @@
/* $OpenBSD: kern_ktrace.c,v 1.113 2023/12/12 15:30:55 deraadt Exp $ */
/* $OpenBSD: kern_ktrace.c,v 1.114 2023/12/15 15:12:08 deraadt Exp $ */
/* $NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $ */
/*
@ -401,6 +401,24 @@ ktrpledge(struct proc *p, int error, uint64_t code, int syscall)
atomic_clearbits_int(&p->p_flag, P_INKTR);
}
void
ktrpinsyscall(struct proc *p, int error, int syscall, vaddr_t addr)
{
struct ktr_header kth;
struct ktr_pinsyscall kp;
atomic_setbits_int(&p->p_flag, P_INKTR);
ktrinitheader(&kth, p, KTR_PINSYSCALL);
kp.error = error;
kp.syscall = syscall;
kp.addr = addr;
KERNEL_LOCK();
ktrwrite(p, &kth, &kp, sizeof(kp));
KERNEL_UNLOCK();
atomic_clearbits_int(&p->p_flag, P_INKTR);
}
/* Interface and common routines */
int
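Review bot: In the new ktrpinsyscall(), `kp` is a stack struct that is handed to `ktrwrite(p, &kth, &kp, sizeof(kp))` byte for byte without being zeroed first, so any padding in `struct ktr_pinsyscall` would carry stale kernel stack bytes into the trace file. With the layout added to ktrace.h in this same commit (two `int`s followed by a `vaddr_t`) there is probably no padding on the usual ABIs, but that depends on the field order staying as it is. Adding `memset(&kp, 0, sizeof(kp));` before the three assignments keeps the record clean if a field is added or reordered later. A one-line comment above the function saying when it is called (a pinsyscall violation, per the header comment) would also help, since the caller is not part of this hunk.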


@ -1,4 +1,4 @@
/* $OpenBSD: ktrace.h,v 1.47 2023/12/12 15:30:55 deraadt Exp $ */
/* $OpenBSD: ktrace.h,v 1.48 2023/12/15 15:12:08 deraadt Exp $ */
/* $NetBSD: ktrace.h,v 1.12 1996/02/04 02:12:29 christos Exp $ */
/*
@ -166,6 +166,16 @@ struct ktr_pledge {
uint64_t code;
};
/*
* KTR_PINSYSCALL - details of pinsyscall violation
*/
#define KTR_PINSYSCALL 13
struct ktr_pinsyscall {
int error;
int syscall;
vaddr_t addr;
};
/*
* kernel trace points (in ps_traceflag)
*/
@ -180,6 +190,7 @@ struct ktr_pledge {
#define KTRFAC_EXECARGS (1<<KTR_EXECARGS)
#define KTRFAC_EXECENV (1<<KTR_EXECENV)
#define KTRFAC_PLEDGE (1<<KTR_PLEDGE)
#define KTRFAC_PINSYSCALL (1<<KTR_PINSYSCALL)
/*
* trace flags (also in ps_traceflag)
@ -212,6 +223,7 @@ void ktrsysret(struct proc *, register_t, int, const register_t [2]);
int ktruser(struct proc *, const char *, const void *, size_t);
void ktrexec(struct proc *, int, const char *, ssize_t);
void ktrpledge(struct proc *, int, uint64_t, int);
void ktrpinsyscall(struct proc *, int, int, vaddr_t);
void ktrcleartrace(struct process *);
void ktrsettrace(struct process *, int, struct vnode *, struct ucred *);


@ -1,4 +1,4 @@
/* $OpenBSD: main.c,v 1.144 2023/12/12 22:00:43 kn Exp $ */
/* $OpenBSD: main.c,v 1.145 2023/12/15 10:28:57 kn Exp $ */
/* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */
/*
@ -627,7 +627,8 @@ main(volatile int argc, char *argv[])
}
rval = auto_fetch(argc, argv, outfile);
if (rval >= 0 || pipeout) /* -1 == connected and cd-ed */
/* -1 == connected and cd-ed */
if (rval >= 0 || outfile != NULL)
exit(rval);
} else {
#ifndef SMALL
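Review bot: The comment above the new `if (rval >= 0 || outfile != NULL)` explains what -1 means but not why a set `outfile` should force the exit, and the condition now reaches `exit(rval)` with `rval == -1` for any output file rather than only when `pipeout` is set. `exit(-1)` is seen by the parent as status 255, which is worth stating for anyone scripting around this path. A comment such as `/* with an output file there is nothing to do interactively; exit even if auto_fetch only connected and cd-ed */` would record the reasoning, assuming that is the intent. main() starts and ends outside this hunk, so how `outfile` is assigned is not visible here.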


@ -1,4 +1,4 @@
.\" $OpenBSD: kdump.1,v 1.39 2023/11/09 15:43:28 kn Exp $
.\" $OpenBSD: kdump.1,v 1.40 2023/12/15 15:12:08 deraadt Exp $
.\"
.\" Copyright (c) 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@ -29,7 +29,7 @@
.\"
.\" from: @(#)kdump.1 8.1 (Berkeley) 6/6/93
.\"
.Dd $Mdocdate: November 9 2023 $
.Dd $Mdocdate: December 15 2023 $
.Dt KDUMP 1
.Os
.Sh NAME
@ -124,6 +124,9 @@ trace violation of
restrictions
.It Cm s
trace signal processing
.It Cm S
trace violation of
.Xr pinsyscalls 2
.It Cm t
trace various structures
.It Cm u


@ -1,4 +1,4 @@
/* $OpenBSD: kdump.c,v 1.160 2023/12/12 15:30:55 deraadt Exp $ */
/* $OpenBSD: kdump.c,v 1.161 2023/12/15 15:12:08 deraadt Exp $ */
/*-
* Copyright (c) 1988, 1993
@ -133,6 +133,7 @@ static void ktrsysret(struct ktr_sysret *, size_t);
static void ktruser(struct ktr_user *, size_t);
static void ktrexec(const char*, size_t);
static void ktrpledge(struct ktr_pledge *, size_t);
static void ktrpinsyscall(struct ktr_pinsyscall *, size_t);
static void usage(void);
static void ioctldecode(int);
static void ptracedecode(int);
@ -309,6 +310,9 @@ main(int argc, char *argv[])
case KTR_PLEDGE:
ktrpledge(m, ktrlen);
break;
case KTR_PINSYSCALL:
ktrpinsyscall(m, ktrlen);
break;
default:
printf("\n");
break;
@ -369,6 +373,9 @@ dumpheader(struct ktr_header *kth)
case KTR_PLEDGE:
type = "PLDG";
break;
case KTR_PINSYSCALL:
type = "PINS";
break;
default:
/* htobe32() not guaranteed to work as case label */
if (kth->ktr_type == htobe32(KTR_START)) {
@ -1489,6 +1496,27 @@ ktrpledge(struct ktr_pledge *pledge, size_t len)
printf("\n");
}
static void
ktrpinsyscall(struct ktr_pinsyscall *pinsyscall, size_t len)
{
const char *name = "";
int i;
if (len < sizeof(struct ktr_pinsyscall))
errx(1, "invalid ktr pinsyscall length %zu", len);
if (pinsyscall->syscall >= SYS_MAXSYSCALL || pinsyscall->syscall < 0)
(void)printf("[%d]", pinsyscall->syscall);
else
(void)printf("%s", syscallnames[pinsyscall->syscall]);
(void)printf(", addr %lx, errno %d", pinsyscall->addr,
pinsyscall->error);
(void)printf(", errno %d", pinsyscall->error);
if (fancy)
(void)printf(" %s", strerror(pinsyscall->error));
printf("\n");
}
static void
usage(void)
{
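Review bot: The new ktrpinsyscall() prints the errno twice: the `", addr %lx, errno %d"` call already emits `pinsyscall->error`, and the next line, `(void)printf(", errno %d", pinsyscall->error);`, repeats it and should be dropped. The locals `const char *name = "";` and `int i;` are never used in the function and can be removed as well. The `%lx` conversion is passed a `vaddr_t`; writing `(unsigned long)pinsyscall->addr` keeps the format and argument types matched regardless of how `vaddr_t` is defined. The length check against `sizeof(struct ktr_pinsyscall)` and the range check on `syscall` before indexing `syscallnames` are the right guards for a trace file whose contents cannot be assumed well-formed, and should be kept.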


@ -1,4 +1,4 @@
.\" $OpenBSD: ktrace.1,v 1.33 2023/09/30 13:03:40 naddy Exp $
.\" $OpenBSD: ktrace.1,v 1.34 2023/12/15 15:12:08 deraadt Exp $
.\"
.\" Copyright (c) 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@ -29,7 +29,7 @@
.\"
.\" from: @(#)ktrace.1 8.1 (Berkeley) 6/6/93
.\"
.Dd $Mdocdate: September 30 2023 $
.Dd $Mdocdate: December 15 2023 $
.Dt KTRACE 1
.Os
.Sh NAME
@ -132,6 +132,9 @@ trace violation of
restrictions
.It Cm s
trace signal processing
.It Cm S
trace violation of
.Xr pinsyscalls 2
.It Cm t
trace various structures
.It Cm u


@ -1,4 +1,4 @@
/* $OpenBSD: subr.c,v 1.16 2022/02/22 17:35:01 deraadt Exp $ */
/* $OpenBSD: subr.c,v 1.17 2023/12/15 15:12:08 deraadt Exp $ */
/* $NetBSD: subr.c,v 1.6 1995/08/31 23:01:45 jtc Exp $ */
/*-
@ -65,6 +65,9 @@ getpoints(const char *s, int defpoints)
case 's':
facs |= KTRFAC_PSIG;
break;
case 'S':
facs |= KTRFAC_PINSYSCALL;
break;
case 't':
facs |= KTRFAC_STRUCT;
break;