sync with OpenBSD -current

lib/libcrypto/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.174 2024/03/02 13:39:28 tb Exp $
+# $OpenBSD: Makefile,v 1.175 2024/03/19 19:27:33 tb Exp $
 
 LIB=	crypto
 LIBREBUILD=y
@@ -69,7 +69,6 @@ SRCS+= malloc-wrapper.c
 SRCS+= mem_clr.c
 SRCS+= mem_dbg.c
 SRCS+= o_fips.c
-SRCS+= o_init.c
 SRCS+= o_str.c
 
 # aes/

lib/libcrypto/crypto_init.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_init.c,v 1.18 2024/01/25 12:22:31 tb Exp $ */
+/*	$OpenBSD: crypto_init.c,v 1.19 2024/03/19 19:27:33 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  *
@@ -37,6 +37,11 @@ static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
 static pthread_t crypto_init_thread;
 static int crypto_init_cleaned_up;
 
+void
+OPENSSL_init(void)
+{
+}
+
 static void
 OPENSSL_init_crypto_internal(void)
 {

lib/libcrypto/man/EVP_DigestInit.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.32 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_DigestInit.3,v 1.33 2024/03/19 17:34:05 tb Exp $
 .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -70,7 +70,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: March 19 2024 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
@@ -547,7 +547,7 @@ main(int argc, char *argv[])
 .Xr OCSP_request_sign 3 ,
 .Xr PKCS5_PBKDF2_HMAC 3 ,
 .Xr PKCS7_sign_add_signer 3 ,
-.Xr X509_ALGOR_set_md 3 ,
+.Xr X509_ALGOR_set0 3 ,
 .Xr X509_digest 3 ,
 .Xr X509_sign 3
 .Sh HISTORY

lib/libcrypto/man/OPENSSL_malloc.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: OPENSSL_malloc.3,v 1.11 2023/11/16 20:27:43 schwarze Exp $
+.\"	$OpenBSD: OPENSSL_malloc.3,v 1.12 2024/03/19 17:48:57 tb Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,16 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: March 19 2024 $
 .Dt OPENSSL_MALLOC 3
 .Os
 .Sh NAME
 .Nm OPENSSL_malloc ,
-.Nm OPENSSL_realloc ,
 .Nm OPENSSL_free ,
 .Nm OPENSSL_strdup ,
 .Nm CRYPTO_malloc ,
-.Nm CRYPTO_realloc ,
 .Nm CRYPTO_free ,
 .Nm CRYPTO_strdup
 .Nd legacy OpenSSL memory allocation wrappers
@@ -33,11 +31,6 @@
 .Fo OPENSSL_malloc
 .Fa "size_t num"
 .Fc
-.Ft void *
-.Fo OPENSSL_realloc
-.Fa "void *addr"
-.Fa "size_t num"
-.Fc
 .Ft void
 .Fo OPENSSL_free
 .Fa "void *addr"
@@ -52,13 +45,6 @@
 .Fa "const char *file"
 .Fa "int line"
 .Fc
-.Ft void *
-.Fo CRYPTO_realloc
-.Fa "void *p"
-.Fa "size_t num"
-.Fa "const char *file"
-.Fa "int line"
-.Fc
 .Ft void
 .Fo CRYPTO_free
 .Fa "void *str"
@@ -78,7 +64,6 @@ They are provided purely for compatibility with legacy application code.
 All 8 of these functions are wrappers around the corresponding
 standard
 .Xr malloc 3 ,
-.Xr realloc 3 ,
 .Xr free 3 ,
 and
 .Xr strdup 3
@@ -93,15 +78,13 @@ standard functions.
 .Sh SEE ALSO
 .Xr crypto 3
 .Sh HISTORY
-.Fn CRYPTO_malloc ,
-.Fn CRYPTO_realloc ,
+.Fn CRYPTO_malloc
 and
 .Fn CRYPTO_free
 first appeared in SSLeay 0.6.4 and have been available since
 .Ox 2.4 .
 .Pp
-.Fn OPENSSL_malloc ,
-.Fn OPENSSL_realloc ,
+.Fn OPENSSL_malloc
 and
 .Fn OPENSSL_free
 first appeared in OpenSSL 0.9.6 and have been available since

lib/libcrypto/man/X509_ALGOR_dup.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: X509_ALGOR_dup.3,v 1.22 2023/10/13 05:49:34 tb Exp $
+.\"	$OpenBSD: X509_ALGOR_dup.3,v 1.23 2024/03/19 17:34:05 tb Exp $
 .\"	OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2023 $
+.Dd $Mdocdate: March 19 2024 $
 .Dt X509_ALGOR_DUP 3
 .Os
 .Sh NAME
@@ -75,7 +75,6 @@
 .Nm X509_ALGOR_dup ,
 .Nm X509_ALGOR_set0 ,
 .Nm X509_ALGOR_get0 ,
-.Nm X509_ALGOR_set_md ,
 .Nm X509_ALGOR_cmp
 .Nd create, change, and inspect algorithm identifiers
 .Sh SYNOPSIS
@@ -102,11 +101,6 @@
 .Fa "const void **ppval"
 .Fa "const X509_ALGOR *alg"
 .Fc
-.Ft void
-.Fo X509_ALGOR_set_md
-.Fa "X509_ALGOR *alg"
-.Fa "const EVP_MD *md"
-.Fc
 .Ft int
 .Fo X509_ALGOR_cmp
 .Fa "const X509_ALGOR *a"
@@ -240,22 +234,6 @@ then
 .Pf * Fa ppval Ns 's
 value is undefined.
 .Pp
-.Fn X509_ALGOR_set_md
-sets
-.Fa alg
-to appropriate values for the message digest
-.Fa md .
-If the
-.Dv EVP_MD_FLAG_DIGALGID_ABSENT
-flag is not set on
-.Fa md ,
-.Fn X509_ALGOR_set_md
-can leave
-.Fa alg
-in a corrupted state due to memory allocation failure.
-This problem can be avoided by preallocating with an error-checked call to
-.Fn X509_ALGOR_set0 alg NULL 0 NULL .
-.Pp
 .Fn X509_ALGOR_cmp
 compares
 .Fa a
@@ -317,10 +295,3 @@ first appeared in OpenSSL 0.9.8h and have been available since
 first appeared in OpenSSL 0.9.8zd, 1.0.0p, and 1.0.1k
 and has been available since
 .Ox 4.9 .
-.Pp
-.Fn X509_ALGOR_set_md
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Sh BUGS
-.Fn X509_ALGOR_set_md
-can fail but cannot communicate failure to the caller.

lib/libcrypto/man/evp.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: evp.3,v 1.29 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: evp.3,v 1.30 2024/03/19 17:34:05 tb Exp $
 .\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: March 19 2024 $
 .Dt EVP 3
 .Os
 .Sh NAME
@@ -232,7 +232,7 @@ family of functions provides base64 encoding and decoding.
 .Xr PKCS7_sign 3 ,
 .Xr RSA_pkey_ctx_ctrl 3 ,
 .Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
-.Xr X509_ALGOR_set_md 3 ,
+.Xr X509_ALGOR_set0 3 ,
 .Xr X509_check_private_key 3 ,
 .Xr X509_digest 3 ,
 .Xr X509_get_pubkey 3 ,

lib/libcrypto/o_init.c

@@ -1,10 +0,0 @@
-/* $OpenBSD: o_init.c,v 1.8 2014/06/12 15:49:27 deraadt Exp $ */
-/* Ted Unangst places this file in the public domain. */
-
-#include <openssl/crypto.h>
-
-void
-OPENSSL_init(void)
-{
-
-}

sys/net/if_sec.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_sec.c,v 1.10 2024/01/24 00:17:01 dlg Exp $ */
+/*	$OpenBSD: if_sec.c,v 1.11 2024/03/19 03:49:11 dlg Exp $ */
 
 /*
  * Copyright (c) 2022 The University of Queensland
@@ -327,7 +327,7 @@ sec_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
 
 	error = if_enqueue(ifp, m);
 	if (error != 0)
-		counters_inc(ifp->if_counters, ifc_oerrors);
+		counters_inc(ifp->if_counters, ifc_oqdrops);
 
 	return (error);
 

usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.127 2024/02/16 14:48:47 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.128 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1198,7 +1198,7 @@ auth_find(struct auth_tree *auths, const char *aki)
 }
 
 struct auth *
-auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
+auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *issuer)
 {
 	struct auth *na;
 
@@ -1206,7 +1206,7 @@ auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
 	if (na == NULL)
 		err(1, NULL);
 
-	na->parent = parent;
+	na->issuer = issuer;
 	na->cert = cert;
 	na->any_inherits = x509_any_inherits(cert->x509);
 

usr.sbin/rpki-client/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.211 2024/03/17 01:44:59 tb Exp $ */
+/*	$OpenBSD: extern.h,v 1.212 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -26,7 +26,7 @@
 
 enum cert_as_type {
 	CERT_AS_ID, /* single identifier */
-	CERT_AS_INHERIT, /* inherit from parent */
+	CERT_AS_INHERIT, /* inherit from issuer */
 	CERT_AS_RANGE, /* range of identifiers */
 };
 
@@ -376,7 +376,7 @@ struct gbr {
  * A single ASPA record
  */
 struct aspa {
-	int			 valid; /* contained in parent auth */
+	int			 valid; /* contained in issuer auth */
 	int			 talid; /* TAL the ASPA is chained up to */
 	char			*aia; /* AIA */
 	char			*aki; /* AKI */
@@ -491,7 +491,7 @@ RB_HEAD(crl_tree, crl);
 struct auth {
 	RB_ENTRY(auth)	 entry;
 	struct cert	*cert; /* owner information */
-	struct auth	*parent; /* pointer to parent or NULL for TA cert */
+	struct auth	*issuer; /* pointer to issuer or NULL for TA cert */
 	int		 any_inherits;
 };
 /*

usr.sbin/rpki-client/filemode.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: filemode.c,v 1.38 2024/02/22 12:49:42 job Exp $ */
+/*	$OpenBSD: filemode.c,v 1.39 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -268,13 +268,13 @@ print_signature_path(const char *crl, const char *aia, const struct auth *a)
 	if (aia != NULL)
 		printf("                          %s\n", aia);
 
-	for (; a != NULL; a = a->parent) {
+	for (; a != NULL; a = a->issuer) {
 		if (a->cert->crl != NULL)
 			printf("                          %s\n", a->cert->crl);
-		if (a->parent != NULL && a->parent->cert != NULL &&
-		    a->parent->cert->mft != NULL)
+		if (a->issuer != NULL && a->issuer->cert != NULL &&
+		    a->issuer->cert->mft != NULL)
 			printf("                          %s\n",
-			    a->parent->cert->mft);
+			    a->issuer->cert->mft);
 		if (a->cert->aia != NULL)
 			printf("                          %s\n", a->cert->aia);
 	}

usr.sbin/rpki-client/ip.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip.c,v 1.32 2023/12/27 07:15:55 tb Exp $ */
+/*	$OpenBSD: ip.c,v 1.33 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -72,7 +72,7 @@ ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi)
  * specified in the "ips" array.
  * This means that the IP prefix must be strictly within the ranges or
  * singletons given in the array.
- * Return 0 if we're inheriting from the parent, >0 if we're covered,
+ * Return 0 if we're inheriting from the issuer, >0 if we're covered,
  * or <0 if we're not covered.
  */
 int

usr.sbin/rpki-client/parser.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.130 2024/03/01 08:10:09 tb Exp $ */
+/*	$OpenBSD: parser.c,v 1.131 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -670,7 +670,7 @@ proc_parser_tak(char *file, const unsigned char *der, size_t len,
 	}
 
 	/* TAK EE must be signed by self-signed CA */
-	if (a->parent != NULL)
+	if (a->issuer != NULL)
 		goto out;
 
 	tak->talid = a->cert->talid;

usr.sbin/rpki-client/validate.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: validate.c,v 1.72 2024/02/22 12:49:42 job Exp $ */
+/*	$OpenBSD: validate.c,v 1.73 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -50,7 +50,7 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
 		return 0;
 
 	/* If it inherits, walk up the chain. */
-	return valid_as(a->parent, min, max);
+	return valid_as(a->issuer, min, max);
 }
 
 /*
@@ -76,13 +76,13 @@ valid_ip(struct auth *a, enum afi afi,
 		return 0;
 
 	/* If it inherits, walk up the chain. */
-	return valid_ip(a->parent, afi, min, max);
+	return valid_ip(a->issuer, afi, min, max);
 }
 
 /*
  * Make sure the AKI is the same as the AKI listed on the Manifest,
  * and that the SKI doesn't already exist.
- * Return the parent by its AKI, or NULL on failure.
+ * Return the issuer by its AKI, or NULL on failure.
  */
 struct auth *
 valid_ski_aki(const char *fn, struct auth_tree *auths,
@@ -357,7 +357,7 @@ build_chain(const struct auth *a, STACK_OF(X509) **intermediates,
 		err(1, "sk_X509_new_null");
 	if ((*root = sk_X509_new_null()) == NULL)
 		err(1, "sk_X509_new_null");
-	for (; a != NULL; a = a->parent) {
+	for (; a != NULL; a = a->issuer) {
 		assert(a->cert->x509 != NULL);
 		if (!a->any_inherits) {
 			if (!sk_X509_push(*root, a->cert->x509))

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.81 2024/02/22 12:49:42 job Exp $ */
+/*	$OpenBSD: x509.c,v 1.82 2024/03/19 05:04:13 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -1046,7 +1046,7 @@ x509_find_expires(time_t notafter, struct auth *a, struct crl_tree *crlt)
 
 	expires = notafter;
 
-	for (; a != NULL; a = a->parent) {
+	for (; a != NULL; a = a->issuer) {
 		if (expires > a->cert->notafter)
 			expires = a->cert->notafter;
 		crl = crl_get(crlt, a);