diff --git a/bin/ps/ps.1 b/bin/ps/ps.1 index 2f0010597..33db7dc1b 100644 --- a/bin/ps/ps.1 +++ b/bin/ps/ps.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ps.1,v 1.134 2024/02/03 18:51:57 beck Exp $ +.\" $OpenBSD: ps.1,v 1.135 2024/07/22 09:44:37 claudio Exp $ .\" $NetBSD: ps.1,v 1.16 1996/03/21 01:36:28 jtc Exp $ .\" .\" Copyright (c) 1980, 1990, 1991, 1993, 1994 @@ -30,7 +30,7 @@ .\" .\" @(#)ps.1 8.3 (Berkeley) 4/18/94 .\" -.Dd $Mdocdate: February 3 2024 $ +.Dd $Mdocdate: July 22 2024 $ .Dt PS 1 .Os .Sh NAME @@ -346,7 +346,7 @@ PS_SINGLEEXIT 0x1000 other threads must die PS_SINGLEUNWIND 0x2000 other threads must unwind PS_NOZOMBIE 0x4000 pid 1 waits for me instead of dad -PS_STOPPED 0x8000 just stopped, need to send +PS_STOPPING 0x8000 just stopped, need to send SIGCHLD PS_SYSTEM 0x10000 No signals, stats or swapping PS_EMBRYO 0x20000 New process, not yet fledged diff --git a/lib/libcrypto/man/DH_get0_pqg.3 b/lib/libcrypto/man/DH_get0_pqg.3 index 340d50757..eb012980f 100644 --- a/lib/libcrypto/man/DH_get0_pqg.3 +++ b/lib/libcrypto/man/DH_get0_pqg.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DH_get0_pqg.3,v 1.7 2023/03/06 13:25:46 tb Exp $ +.\" $OpenBSD: DH_get0_pqg.3,v 1.8 2024/07/21 08:36:43 tb Exp $ .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 6 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt DH_GET0_PQG 3 .Os .Sh NAME @@ -307,15 +307,8 @@ or 0 if none of the given are set. .Pp .Fn DH_get0_engine -returns a pointer to the -.Vt ENGINE -used by the -.Vt DH -object -.Fa dh , -or -.Dv NULL -if no engine was set for this object. +always returns +.Dv NULL . .Sh SEE ALSO .Xr DH_generate_key 3 , .Xr DH_generate_parameters 3 , diff --git a/lib/libcrypto/man/DSA_get0_pqg.3 b/lib/libcrypto/man/DSA_get0_pqg.3 index 8639b0115..b82affba6 100644 --- a/lib/libcrypto/man/DSA_get0_pqg.3 +++ b/lib/libcrypto/man/DSA_get0_pqg.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: DSA_get0_pqg.3,v 1.10 2023/12/29 22:37:47 tb Exp $ +.\" $OpenBSD: DSA_get0_pqg.3,v 1.11 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400 .\" .\" This file was written by Matt Caswell . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 29 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt DSA_GET0_PQG 3 .Os .Sh NAME @@ -283,15 +283,8 @@ or 0 if none of the given are set. .Pp .Fn DSA_get0_engine -returns a pointer to the -.Vt ENGINE -used by the -.Vt DSA -object -Fa d , -or -.Dv NULL -if no engine was set for this object. +always returns +.Dv NULL . .Sh SEE ALSO .Xr DSA_do_sign 3 , .Xr DSA_dup_DH 3 , diff --git a/lib/libcrypto/man/EC_KEY_METHOD_new.3 b/lib/libcrypto/man/EC_KEY_METHOD_new.3 index 489bd3ac6..79c16ef01 100644 --- a/lib/libcrypto/man/EC_KEY_METHOD_new.3 +++ b/lib/libcrypto/man/EC_KEY_METHOD_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.3 2023/08/29 10:07:42 tb Exp $ +.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.4 2024/07/21 08:36:43 tb Exp $ .\" Copyright (c) 2019 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 29 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EC_KEY_METHOD_NEW 3 .Os .Sh NAME @@ -262,17 +262,15 @@ is .Fn EC_KEY_new_method creates and initializes a new .Vt EC_KEY -object using the given -.Fa engine , -or the using the +object using the .Vt EC_KEY_METHOD set with -.Fn EC_KEY_set_default_method -if -.Fa engine -is -.Dv NULL , -or using the default EC_KEY implementation by default. +.Fn EC_KEY_set_default_method . +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EC_KEY_set_method dissociates the diff --git a/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/lib/libcrypto/man/EVP_AEAD_CTX_init.3 index 01692c93e..8b3b8adb0 100644 --- a/lib/libcrypto/man/EVP_AEAD_CTX_init.3 +++ b/lib/libcrypto/man/EVP_AEAD_CTX_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.15 2023/09/12 13:58:06 schwarze Exp $ +.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $ .\" .\" Copyright (c) 2014, Google Inc. .\" Parts of the text were written by Adam Langley and David Benjamin. @@ -17,7 +17,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 12 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_AEAD_CTX_INIT 3 .Os .Sh NAME @@ -51,7 +51,7 @@ .Fa "const unsigned char *key" .Fa "size_t key_len" .Fa "size_t tag_len" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft void .Fo EVP_AEAD_CTX_cleanup @@ -142,11 +142,11 @@ initializes the context for the given AEAD algorithm .Fa aead . The -.Fa impl +.Fa engine argument must be .Dv NULL for the default implementation; -other values are currently not supported. +other values are not supported. Authentication tags may be truncated by passing a tag length. A .Fa tag_len diff --git a/lib/libcrypto/man/EVP_DigestInit.3 b/lib/libcrypto/man/EVP_DigestInit.3 index bb7a847d4..c82572500 100644 --- a/lib/libcrypto/man/EVP_DigestInit.3 +++ b/lib/libcrypto/man/EVP_DigestInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestInit.3,v 1.33 2024/03/19 17:34:05 tb Exp $ +.\" $OpenBSD: EVP_DigestInit.3,v 1.34 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -70,7 +70,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 19 2024 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_DIGESTINIT 3 .Os .Sh NAME @@ -132,7 +132,7 @@ .Fo EVP_DigestInit_ex .Fa "EVP_MD_CTX *ctx" .Fa "const EVP_MD *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft int .Fo EVP_DigestUpdate @@ -153,7 +153,7 @@ .Fa "unsigned char *md" .Fa "unsigned int *s" .Fa "const EVP_MD *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft int .Fo EVP_MD_CTX_copy_ex @@ -249,21 +249,16 @@ respectively. sets up the digest context .Fa ctx to use a digest -.Fa type -from -.Vt ENGINE -.Fa impl . +.Fa type . The .Fa type will typically be supplied by a function such as .Fn EVP_sha512 . -If -.Fa impl -is -.Dv NULL , -then the default implementation of digest -.Fa type -is used. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_DigestUpdate hashes @@ -306,9 +301,6 @@ bytes of data at .Fa d using the digest .Fa type -from -.Vt ENGINE -.Fa impl in a one-shot operation and place the digest value into .Fa md , and, unless @@ -323,6 +315,11 @@ This wrapper uses a temporary digest context and passes its arguments to and .Fn EVP_DigestFinal_ex internally. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_MD_CTX_copy_ex can be used to copy the message digest state from @@ -335,8 +332,7 @@ differ in the last few bytes. .Fn EVP_DigestInit is a deprecated function behaving like .Fn EVP_DigestInit_ex -except that it always uses the default digest implementation -and that it requires +except that it requires .Fn EVP_MD_CTX_reset before it can be used on a context that was already used. .Pp @@ -399,11 +395,11 @@ in preference to the low-level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. .Pp -For most applications the -.Fa impl -parameter to -.Fn EVP_DigestInit_ex -will be set to NULL to use the default digest implementation. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp The functions .Fn EVP_DigestInit , @@ -418,8 +414,7 @@ New applications should use and .Fn EVP_MD_CTX_copy_ex because they can efficiently reuse a digest context instead of -initializing and cleaning it up on each call and allow non-default -implementations of digests to be specified. +initializing and cleaning it up on each call. .Pp If digest contexts are not cleaned up after use, memory leaks will occur. .Sh RETURN VALUES diff --git a/lib/libcrypto/man/EVP_DigestSignInit.3 b/lib/libcrypto/man/EVP_DigestSignInit.3 index de6e57c2c..92b656a10 100644 --- a/lib/libcrypto/man/EVP_DigestSignInit.3 +++ b/lib/libcrypto/man/EVP_DigestSignInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestSignInit.3,v 1.12 2022/01/15 09:08:51 tb Exp $ +.\" $OpenBSD: EVP_DigestSignInit.3,v 1.13 2024/07/21 08:36:43 tb Exp $ .\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 15 2022 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_DIGESTSIGNINIT 3 .Os .Sh NAME @@ -65,7 +65,7 @@ .Fa "EVP_MD_CTX *ctx" .Fa "EVP_PKEY_CTX **pctx" .Fa "const EVP_MD *type" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "EVP_PKEY *pkey" .Fc .Ft int @@ -97,11 +97,13 @@ sets up the signing context .Fa ctx to use the digest .Fa type -from -.Vt ENGINE -.Fa e and private key .Fa pkey . +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Fa ctx must be initialized with .Xr EVP_MD_CTX_init 3 diff --git a/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/lib/libcrypto/man/EVP_DigestVerifyInit.3 index 0eb314346..b3286bf20 100644 --- a/lib/libcrypto/man/EVP_DigestVerifyInit.3 +++ b/lib/libcrypto/man/EVP_DigestVerifyInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.14 2022/01/15 09:08:51 tb Exp $ +.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.15 2024/07/21 08:36:43 tb Exp $ .\" OpenSSL fb552ac6 Sep 30 23:43:01 2009 +0000 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 15 2022 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_DIGESTVERIFYINIT 3 .Os .Sh NAME @@ -65,7 +65,7 @@ .Fa "EVP_MD_CTX *ctx" .Fa "EVP_PKEY_CTX **pctx" .Fa "const EVP_MD *type" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "EVP_PKEY *pkey" .Fc .Ft int @@ -97,9 +97,6 @@ sets up verification context .Fa ctx to use digest .Fa type -from -.Vt ENGINE -.Fa e and public key .Fa pkey . .Fa ctx @@ -124,6 +121,11 @@ value returned must not be freed directly by the application. It will be freed automatically when the .Vt EVP_MD_CTX is freed. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_DigestVerifyUpdate hashes diff --git a/lib/libcrypto/man/EVP_EncryptInit.3 b/lib/libcrypto/man/EVP_EncryptInit.3 index e8d22d867..a0adfbab0 100644 --- a/lib/libcrypto/man/EVP_EncryptInit.3 +++ b/lib/libcrypto/man/EVP_EncryptInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_EncryptInit.3,v 1.51 2023/12/26 22:13:00 schwarze Exp $ +.\" $OpenBSD: EVP_EncryptInit.3,v 1.52 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800 .\" EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod .\" 7c6d372a Nov 20 13:20:01 2018 +0000 @@ -69,7 +69,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 26 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_ENCRYPTINIT 3 .Os .Sh NAME @@ -142,7 +142,7 @@ .Fo EVP_EncryptInit_ex .Fa "EVP_CIPHER_CTX *ctx" .Fa "const EVP_CIPHER *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fa "const unsigned char *key" .Fa "const unsigned char *iv" .Fc @@ -164,7 +164,7 @@ .Fo EVP_DecryptInit_ex .Fa "EVP_CIPHER_CTX *ctx" .Fa "const EVP_CIPHER *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fa "const unsigned char *key" .Fa "const unsigned char *iv" .Fc @@ -186,7 +186,7 @@ .Fo EVP_CipherInit_ex .Fa "EVP_CIPHER_CTX *ctx" .Fa "const EVP_CIPHER *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fa "const unsigned char *key" .Fa "const unsigned char *iv" .Fa "int enc" @@ -361,7 +361,7 @@ is the IV to use (if necessary). The actual number of bytes used for the key and IV depends on the cipher. The -.Fa ENGINE *impl +.Fa ENGINE *engine argument is always ignored and passing .Dv NULL is recommended. diff --git a/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/lib/libcrypto/man/EVP_PKEY_CTX_new.3 index 7a72ac18f..cc0f5f16d 100644 --- a/lib/libcrypto/man/EVP_PKEY_CTX_new.3 +++ b/lib/libcrypto/man/EVP_PKEY_CTX_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.13 2023/09/09 14:39:09 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.14 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 9 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_CTX_NEW 3 .Os .Sh NAME @@ -79,12 +79,12 @@ .Ft EVP_PKEY_CTX * .Fo EVP_PKEY_CTX_new .Fa "EVP_PKEY *pkey" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fc .Ft EVP_PKEY_CTX * .Fo EVP_PKEY_CTX_new_id .Fa "int id" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fc .Ft EVP_PKEY_CTX * .Fo EVP_PKEY_CTX_dup @@ -99,26 +99,23 @@ The .Fn EVP_PKEY_CTX_new function allocates a public key algorithm context using the algorithm specified in -.Fa pkey -and using -.Fa e -unless it is -.Dv NULL . -If -.Fa pkey -is associated with an engine, that engine is used and -.Fa e -is ignored. +.Fa pkey . +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp The .Fn EVP_PKEY_CTX_new_id function allocates a public key algorithm context using the algorithm specified by -.Fa id -and using -.Fa e -unless it is -.Dv NULL . +.Fa id . +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. It is normally used when no .Vt EVP_PKEY structure is associated with the operations, for example during diff --git a/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 index 85a6471ae..6e6c25e25 100644 --- a/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 +++ b/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.8 2023/12/21 21:32:01 tb Exp $ +.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.9 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 21 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_ASN1_GET_COUNT 3 .Os .Sh NAME @@ -90,12 +90,12 @@ .Fc .Ft const EVP_PKEY_ASN1_METHOD * .Fo EVP_PKEY_asn1_find -.Fa "ENGINE **pe" +.Fa "ENGINE **engine" .Fa "int type" .Fc .Ft const EVP_PKEY_ASN1_METHOD * .Fo EVP_PKEY_asn1_find_str -.Fa "ENGINE **pe" +.Fa "ENGINE **engine" .Fa "const char *str" .Fa "int len" .Fc @@ -130,14 +130,12 @@ and .Xr EVP_PKEY_id 3 may return. If -.Fa pe +.Fa engine is not .Dv NULL , -it first looks for an engine implementing a method for the NID -.Fa type . -If one is found, -.Pf * Fa pe -is set to that engine and the method from that engine is returned instead. +.Pf * Fa engine +is set to +.Dv NULL . .Pp .Fn EVP_PKEY_asn1_find_str looks up the method with the PEM type string given by the first @@ -157,10 +155,12 @@ manual page. Just like .Fn EVP_PKEY_asn1_find , if -.Fa pe +.Fa engine is not .Dv NULL , -methods from engines are preferred. +.Pf * Fa engine +is set to +.Dv NULL . .Pp .Fn EVP_PKEY_asn1_get0_info retrieves the public key ID as returned by diff --git a/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/lib/libcrypto/man/EVP_PKEY_decrypt.3 index af5ed93fb..2166003af 100644 --- a/lib/libcrypto/man/EVP_PKEY_decrypt.3 +++ b/lib/libcrypto/man/EVP_PKEY_decrypt.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.8 2022/03/31 17:27:17 naddy Exp $ +.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.9 2024/07/21 08:10:17 tb Exp $ .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file was written by Dr. Stephen Henson . @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 31 2022 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_DECRYPT 3 .Os .Sh NAME @@ -130,16 +130,15 @@ Decrypt data using OAEP (for RSA keys): #include EVP_PKEY_CTX *ctx; -ENGINE *eng; unsigned char *out, *in; size_t outlen, inlen; EVP_PKEY *key; /* - * Assumes that key, eng, in, and inlen are already set up + * Assumes that key, in, and inlen are already set up * and that key is an RSA private key. */ -ctx = EVP_PKEY_CTX_new(key, eng); +ctx = EVP_PKEY_CTX_new(key, NULL); if (!ctx) /* Error occurred */ if (EVP_PKEY_decrypt_init(ctx) <= 0) diff --git a/lib/libcrypto/man/EVP_PKEY_derive.3 b/lib/libcrypto/man/EVP_PKEY_derive.3 index 8940572d1..398540a5b 100644 --- a/lib/libcrypto/man/EVP_PKEY_derive.3 +++ b/lib/libcrypto/man/EVP_PKEY_derive.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_derive.3,v 1.10 2024/03/05 19:21:31 tb Exp $ +.\" $OpenBSD: EVP_PKEY_derive.3,v 1.11 2024/07/21 08:25:33 tb Exp $ .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 5 2024 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_DERIVE 3 .Os .Sh NAME @@ -209,13 +209,12 @@ Derive shared secret (for example DH or EC keys): #include EVP_PKEY_CTX *ctx; -ENGINE *eng; unsigned char *skey; size_t skeylen; EVP_PKEY *pkey, *peerkey; -/* Assumes that pkey, eng, and peerkey have already been set up. */ -ctx = EVP_PKEY_CTX_new(pkey, eng); +/* Assumes that pkey and peerkey have already been set up. */ +ctx = EVP_PKEY_CTX_new(pkey, NULL); if (!ctx) /* Error occurred */ if (EVP_PKEY_derive_init(ctx) <= 0) diff --git a/lib/libcrypto/man/EVP_PKEY_keygen.3 b/lib/libcrypto/man/EVP_PKEY_keygen.3 index e86c04984..32ed4a15c 100644 --- a/lib/libcrypto/man/EVP_PKEY_keygen.3 +++ b/lib/libcrypto/man/EVP_PKEY_keygen.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.13 2023/09/10 04:05:26 jsg Exp $ +.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.14 2024/07/21 08:02:17 tb Exp $ .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 10 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_KEYGEN 3 .Os .Sh NAME @@ -286,11 +286,10 @@ Generate a key from a set of parameters: #include EVP_PKEY_CTX *ctx; -ENGINE *eng; EVP_PKEY *pkey = NULL, *param; -/* Assumes that param and eng are already set up. */ -ctx = EVP_PKEY_CTX_new(param, eng); +/* Assumes that param is already set up. */ +ctx = EVP_PKEY_CTX_new(param, NULL); if (!ctx) /* Error occurred */ if (EVP_PKEY_keygen_init(ctx) <= 0) diff --git a/lib/libcrypto/man/EVP_PKEY_new.3 b/lib/libcrypto/man/EVP_PKEY_new.3 index 3b9611990..36f388685 100644 --- a/lib/libcrypto/man/EVP_PKEY_new.3 +++ b/lib/libcrypto/man/EVP_PKEY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_PKEY_new.3,v 1.18 2022/12/14 22:37:07 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_new.3,v 1.19 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL 4dcfdfce May 27 11:50:05 2020 +0100 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 14 2022 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_PKEY_NEW 3 .Os .Sh NAME @@ -95,20 +95,20 @@ .Ft EVP_PKEY * .Fo EVP_PKEY_new_raw_private_key .Fa "int type" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "const unsigned char *rawpriv" .Fa "size_t rawlen" .Fc .Ft EVP_PKEY * .Fo EVP_PKEY_new_raw_public_key .Fa "int type" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "const unsigned char *rawpub" .Fa "size_t rawlen" .Fc .Ft EVP_PKEY * .Fo EVP_PKEY_new_CMAC_key -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "const unsigned char *rawpriv" .Fa "size_t rawlen" .Fa "const EVP_CIPHER *cipher" @@ -116,7 +116,7 @@ .Ft EVP_PKEY * .Fo EVP_PKEY_new_mac_key .Fa "int type" -.Fa "ENGINE *e" +.Fa "ENGINE *engine" .Fa "const unsigned char *rawpriv" .Fa "int rawlen" .Fc @@ -165,12 +165,6 @@ pointer, no action occurs. .Fn EVP_PKEY_new_raw_private_key allocates a new .Vt EVP_PKEY . -If -.Fa e -is -.Pf non- Dv NULL , -the new structure is associated with the engine -.Fa e . The NID of a public key algorithm that supports raw private keys, i.e.\& .Dv EVP_PKEY_HMAC , .Dv EVP_PKEY_X25519 , @@ -184,6 +178,11 @@ bytes of raw private key data of that type in .Fa rawpriv . The public key data is automatically derived from the given private key data, if appropriate for the algorithm type. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_PKEY_new_raw_public_key works in the same way as diff --git a/lib/libcrypto/man/EVP_SignInit.3 b/lib/libcrypto/man/EVP_SignInit.3 index dc042910b..6064bc794 100644 --- a/lib/libcrypto/man/EVP_SignInit.3 +++ b/lib/libcrypto/man/EVP_SignInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_SignInit.3,v 1.17 2023/11/16 20:27:43 schwarze Exp $ +.\" $OpenBSD: EVP_SignInit.3,v 1.19 2024/07/21 09:24:07 tb Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" selective merge up to: OpenSSL 79b49fb0 Mar 20 10:03:10 2018 +1000 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 16 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_SIGNINIT 3 .Os .Sh NAME @@ -65,7 +65,7 @@ .Fo EVP_SignInit_ex .Fa "EVP_MD_CTX *ctx" .Fa "const EVP_MD *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft int .Fo EVP_SignUpdate @@ -93,14 +93,16 @@ signatures. sets up a signing context .Fa ctx to use the digest -.Fa type -from -.Vt ENGINE -.Fa impl . +.Fa type . .Fa ctx must be initialized with .Xr EVP_MD_CTX_init 3 before calling this function. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_SignUpdate hashes diff --git a/lib/libcrypto/man/EVP_VerifyInit.3 b/lib/libcrypto/man/EVP_VerifyInit.3 index 90a774e51..dfebe8f2b 100644 --- a/lib/libcrypto/man/EVP_VerifyInit.3 +++ b/lib/libcrypto/man/EVP_VerifyInit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_VerifyInit.3,v 1.11 2023/11/16 20:27:43 schwarze Exp $ +.\" $OpenBSD: EVP_VerifyInit.3,v 1.12 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" selective merge up to: OpenSSL 79b49fb0 Mar 20 10:03:10 2018 +1000 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 16 2023 $ +.Dd $Mdocdate: July 21 2024 $ .Dt EVP_VERIFYINIT 3 .Os .Sh NAME @@ -65,7 +65,7 @@ .Fo EVP_VerifyInit_ex .Fa "EVP_MD_CTX *ctx" .Fa "const EVP_MD *type" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft int .Fo EVP_VerifyUpdate @@ -93,14 +93,16 @@ digital signatures. sets up a verification context .Fa ctx to use the digest -.Fa type -from -.Vt ENGINE -.Fa impl . +.Fa type . .Fa ctx must be initialized by calling .Xr EVP_MD_CTX_init 3 before calling this function. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn EVP_VerifyUpdate hashes diff --git a/lib/libcrypto/man/HMAC.3 b/lib/libcrypto/man/HMAC.3 index fa853bb4a..dc32a111b 100644 --- a/lib/libcrypto/man/HMAC.3 +++ b/lib/libcrypto/man/HMAC.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: HMAC.3,v 1.21 2024/05/26 09:54:16 tb Exp $ +.\" $OpenBSD: HMAC.3,v 1.22 2024/07/21 08:36:43 tb Exp $ .\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400 .\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400 .\" @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 26 2024 $ +.Dd $Mdocdate: July 21 2024 $ .Dt HMAC 3 .Os .Sh NAME @@ -97,7 +97,7 @@ .Fa "const void *key" .Fa "int key_len" .Fa "const EVP_MD *md" -.Fa "ENGINE *impl" +.Fa "ENGINE *engine" .Fc .Ft int .Fo HMAC_Init @@ -223,6 +223,11 @@ nor the same as the previous digest used by .Fa ctx , then an error is returned because reuse of an existing key with a different digest is not supported. +The +.Fa ENGINE *engine +argument is always ignored and passing +.Dv NULL +is recommended. .Pp .Fn HMAC_Init is a deprecated wrapper around diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 38e7ba7f1..d30eb6deb 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.256 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -171,12 +171,12 @@ /* list of available SSLv3 ciphers (sorted by id) */ const SSL_CIPHER ssl3_ciphers[] = { - /* The RSA ciphers */ - /* Cipher 01 */ + /* + * SSLv3 RSA cipher suites (RFC 6101, appendix A.6). + */ { - .valid = 1, + .value = 0x0001, .name = SSL3_TXT_RSA_NULL_MD5, - .id = SSL3_CK_RSA_NULL_MD5, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, @@ -187,12 +187,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher 02 */ { - .valid = 1, + .value = 0x0002, .name = SSL3_TXT_RSA_NULL_SHA, - .id = SSL3_CK_RSA_NULL_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, @@ -203,12 +200,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher 04 */ { - .valid = 1, + .value = 0x0004, .name = SSL3_TXT_RSA_RC4_128_MD5, - .id = SSL3_CK_RSA_RC4_128_MD5, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_RC4, @@ -219,12 +213,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 05 */ { - .valid = 1, + .value = 0x0005, .name = SSL3_TXT_RSA_RC4_128_SHA, - .id = SSL3_CK_RSA_RC4_128_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_RC4, @@ -235,12 +226,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 0A */ { - .valid = 1, + .value = 0x000a, .name = SSL3_TXT_RSA_DES_192_CBC3_SHA, - .id = SSL3_CK_RSA_DES_192_CBC3_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, @@ -253,14 +241,11 @@ const SSL_CIPHER ssl3_ciphers[] = { }, /* - * Ephemeral DH (DHE) ciphers. + * SSLv3 DHE cipher suites (RFC 6101, appendix A.6). */ - - /* Cipher 16 */ { - .valid = 1, + .value = 0x0016, .name = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, - .id = SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, @@ -271,12 +256,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 112, .alg_bits = 168, }, - - /* Cipher 18 */ { - .valid = 1, + .value = 0x0018, .name = SSL3_TXT_ADH_RC4_128_MD5, - .id = SSL3_CK_ADH_RC4_128_MD5, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, @@ -287,12 +269,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 1B */ { - .valid = 1, + .value = 0x001b, .name = SSL3_TXT_ADH_DES_192_CBC_SHA, - .id = SSL3_CK_ADH_DES_192_CBC_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, @@ -305,14 +284,11 @@ const SSL_CIPHER ssl3_ciphers[] = { }, /* - * AES ciphersuites. + * TLSv1.0 AES cipher suites (RFC 3268). */ - - /* Cipher 2F */ { - .valid = 1, + .value = 0x002f, .name = TLS1_TXT_RSA_WITH_AES_128_SHA, - .id = TLS1_CK_RSA_WITH_AES_128_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -323,12 +299,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 33 */ { - .valid = 1, + .value = 0x0033, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -339,12 +312,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 34 */ { - .valid = 1, + .value = 0x0034, .name = TLS1_TXT_ADH_WITH_AES_128_SHA, - .id = TLS1_CK_ADH_WITH_AES_128_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, @@ -355,12 +325,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 35 */ { - .valid = 1, + .value = 0x0035, .name = TLS1_TXT_RSA_WITH_AES_256_SHA, - .id = TLS1_CK_RSA_WITH_AES_256_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -371,12 +338,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 39 */ { - .valid = 1, + .value = 0x0039, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -387,12 +351,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 3A */ { - .valid = 1, + .value = 0x003a, .name = TLS1_TXT_ADH_WITH_AES_256_SHA, - .id = TLS1_CK_ADH_WITH_AES_256_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, @@ -404,12 +365,12 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* TLS v1.2 ciphersuites */ - /* Cipher 3B */ + /* + * TLSv1.2 RSA cipher suites (RFC 5246, appendix A.5). + */ { - .valid = 1, + .value = 0x003b, .name = TLS1_TXT_RSA_WITH_NULL_SHA256, - .id = TLS1_CK_RSA_WITH_NULL_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, @@ -420,12 +381,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher 3C */ { - .valid = 1, + .value = 0x003c, .name = TLS1_TXT_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_RSA_WITH_AES_128_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -436,12 +394,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 3D */ { - .valid = 1, + .value = 0x003d, .name = TLS1_TXT_RSA_WITH_AES_256_SHA256, - .id = TLS1_CK_RSA_WITH_AES_256_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -454,13 +409,12 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (128-bit portion) */ - - /* Cipher 41 */ + /* + * TLSv1.0 Camellia 128 bit cipher suites (RFC 4132). + */ { - .valid = 1, + .value = 0x0041, .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, @@ -471,12 +425,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 45 */ { - .valid = 1, + .value = 0x0045, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, @@ -487,12 +438,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 46 */ { - .valid = 1, + .value = 0x0046, .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, - .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA128, @@ -505,12 +453,12 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ - /* TLS v1.2 ciphersuites */ - /* Cipher 67 */ + /* + * TLSv1.2 DHE cipher suites (RFC 5246, appendix A.5). + */ { - .valid = 1, + .value = 0x0067, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -521,12 +469,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 6B */ { - .valid = 1, + .value = 0x006b, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -537,12 +482,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 6C */ { - .valid = 1, + .value = 0x006c, .name = TLS1_TXT_ADH_WITH_AES_128_SHA256, - .id = TLS1_CK_ADH_WITH_AES_128_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, @@ -553,12 +495,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 6D */ { - .valid = 1, + .value = 0x006d, .name = TLS1_TXT_ADH_WITH_AES_256_SHA256, - .id = TLS1_CK_ADH_WITH_AES_256_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, @@ -571,13 +510,12 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #ifndef OPENSSL_NO_CAMELLIA - /* Camellia ciphersuites from RFC4132 (256-bit portion) */ - - /* Cipher 84 */ + /* + * TLSv1.0 Camellia 256 bit cipher suites (RFC 4132). + */ { - .valid = 1, + .value = 0x0084, .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, @@ -588,12 +526,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 88 */ { - .valid = 1, + .value = 0x0088, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, @@ -604,12 +539,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 89 */ { - .valid = 1, + .value = 0x0089, .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, - .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA256, @@ -623,14 +555,11 @@ const SSL_CIPHER ssl3_ciphers[] = { #endif /* OPENSSL_NO_CAMELLIA */ /* - * GCM ciphersuites from RFC5288. + * TLSv1.2 AES GCM cipher suites (RFC 5288). */ - - /* Cipher 9C */ { - .valid = 1, + .value = 0x009c, .name = TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, @@ -641,12 +570,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 9D */ { - .valid = 1, + .value = 0x009d, .name = TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, @@ -657,12 +583,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 9E */ { - .valid = 1, + .value = 0x009e, .name = TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, @@ -673,12 +596,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 9F */ { - .valid = 1, + .value = 0x009f, .name = TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, @@ -689,12 +609,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher A6 */ { - .valid = 1, + .value = 0x00a6, .name = TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128GCM, @@ -705,12 +622,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher A7 */ { - .valid = 1, + .value = 0x00a7, .name = TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256GCM, @@ -723,13 +637,12 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #ifndef OPENSSL_NO_CAMELLIA - /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ - - /* Cipher BA */ + /* + * TLSv1.2 Camellia SHA-256 cipher suites (RFC 5932). + */ { - .valid = 1, + .value = 0x00ba, .name = TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, @@ -740,12 +653,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher BE */ { - .valid = 1, + .value = 0x000be, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA128, @@ -756,12 +666,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher BF */ { - .valid = 1, + .value = 0x00bf, .name = TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, - .id = TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA128, @@ -772,12 +679,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C0 */ { - .valid = 1, + .value = 0x00c0, .name = TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, .algorithm_mkey = SSL_kRSA, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, @@ -788,12 +692,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C4 */ { - .valid = 1, + .value = 0x00c4, .name = TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CAMELLIA256, @@ -804,12 +705,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C5 */ { - .valid = 1, + .value = 0x00c5, .name = TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, - .id = TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_CAMELLIA256, @@ -822,16 +720,13 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ - /* - * TLSv1.3 cipher suites. - */ - #ifdef LIBRESSL_HAS_TLS1_3 - /* Cipher 1301 */ + /* + * TLSv1.3 cipher suites (RFC 8446). + */ { - .valid = 1, + .value = 0x1301, .name = TLS1_3_RFC_AES_128_GCM_SHA256, - .id = TLS1_3_CK_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kTLS1_3, .algorithm_auth = SSL_aTLS1_3, .algorithm_enc = SSL_AES128GCM, @@ -842,12 +737,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher 1302 */ { - .valid = 1, + .value = 0x1302, .name = TLS1_3_RFC_AES_256_GCM_SHA384, - .id = TLS1_3_CK_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kTLS1_3, .algorithm_auth = SSL_aTLS1_3, .algorithm_enc = SSL_AES256GCM, @@ -858,12 +750,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher 1303 */ { - .valid = 1, + .value = 0x1303, .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, - .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, .algorithm_mkey = SSL_kTLS1_3, .algorithm_auth = SSL_aTLS1_3, .algorithm_enc = SSL_CHACHA20POLY1305, @@ -876,11 +765,12 @@ const SSL_CIPHER ssl3_ciphers[] = { }, #endif - /* Cipher C006 */ + /* + * TLSv1.0 Elliptic Curve cipher suites (RFC 4492, section 6). + */ { - .valid = 1, + .value = 0xc006, .name = TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_eNULL, @@ -891,12 +781,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher C007 */ { - .valid = 1, + .value = 0xc007, .name = TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_RC4, @@ -907,12 +794,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C008 */ { - .valid = 1, + .value = 0xc008, .name = TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_3DES, @@ -923,12 +807,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 112, .alg_bits = 168, }, - - /* Cipher C009 */ { - .valid = 1, + .value = 0xc009, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, @@ -939,12 +820,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C00A */ { - .valid = 1, + .value = 0xc00a, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, @@ -955,12 +833,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C010 */ { - .valid = 1, + .value = 0xc010, .name = TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_eNULL, @@ -971,12 +846,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher C011 */ { - .valid = 1, + .value = 0xc011, .name = TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_RC4, @@ -987,12 +859,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C012 */ { - .valid = 1, + .value = 0xc012, .name = TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_3DES, @@ -1003,12 +872,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 112, .alg_bits = 168, }, - - /* Cipher C013 */ { - .valid = 1, + .value = 0xc013, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -1019,12 +885,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C014 */ { - .valid = 1, + .value = 0xc014, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -1035,12 +898,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C015 */ { - .valid = 1, + .value = 0xc015, .name = TLS1_TXT_ECDH_anon_WITH_NULL_SHA, - .id = TLS1_CK_ECDH_anon_WITH_NULL_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_eNULL, @@ -1051,12 +911,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 0, .alg_bits = 0, }, - - /* Cipher C016 */ { - .valid = 1, + .value = 0xc016, .name = TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, - .id = TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_RC4, @@ -1067,12 +924,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C017 */ { - .valid = 1, + .value = 0xc017, .name = TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, - .id = TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_3DES, @@ -1083,12 +937,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 112, .alg_bits = 168, }, - - /* Cipher C018 */ { - .valid = 1, + .value = 0xc018, .name = TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, - .id = TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES128, @@ -1099,12 +950,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C019 */ { - .valid = 1, + .value = 0xc019, .name = TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, - .id = TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aNULL, .algorithm_enc = SSL_AES256, @@ -1116,14 +964,12 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - - /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ - - /* Cipher C023 */ + /* + * TLSv1.2 Elliptic Curve HMAC cipher suites (RFC 5289, section 3.1). + */ { - .valid = 1, + .value = 0xc023, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128, @@ -1134,12 +980,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C024 */ { - .valid = 1, + .value = 0xc024, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256, @@ -1150,12 +993,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C027 */ { - .valid = 1, + .value = 0xc027, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128, @@ -1166,12 +1006,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C028 */ { - .valid = 1, + .value = 0xc028, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256, @@ -1183,13 +1020,12 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* GCM based TLS v1.2 ciphersuites from RFC5289 */ - - /* Cipher C02B */ + /* + * TLSv1.2 Elliptic Curve GCM cipher suites (RFC 5289, section 3.2). + */ { - .valid = 1, + .value = 0xc02b, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES128GCM, @@ -1200,12 +1036,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C02C */ { - .valid = 1, + .value = 0xc02c, .name = TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_AES256GCM, @@ -1216,12 +1049,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher C02F */ { - .valid = 1, + .value = 0xc02f, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES128GCM, @@ -1232,12 +1062,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 128, .alg_bits = 128, }, - - /* Cipher C030 */ { - .valid = 1, + .value = 0xc030, .name = TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - .id = TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_AES256GCM, @@ -1249,11 +1076,12 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* Cipher CCA8 */ + /* + * TLSv1.2 ChaCha20-Poly1305 cipher suites (RFC 7905). + */ { - .valid = 1, + .value = 0xcca8, .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, @@ -1264,12 +1092,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher CCA9 */ { - .valid = 1, + .value = 0xcca9, .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, .algorithm_mkey = SSL_kECDHE, .algorithm_auth = SSL_aECDSA, .algorithm_enc = SSL_CHACHA20POLY1305, @@ -1280,12 +1105,9 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* Cipher CCAA */ { - .valid = 1, + .value = 0xccaa, .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, - .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305, .algorithm_mkey = SSL_kDHE, .algorithm_auth = SSL_aRSA, .algorithm_enc = SSL_CHACHA20POLY1305, @@ -1296,8 +1118,6 @@ const SSL_CIPHER ssl3_ciphers[] = { .strength_bits = 256, .alg_bits = 256, }, - - /* end of list */ }; int @@ -1316,37 +1136,19 @@ ssl3_get_cipher(unsigned int u) } static int -ssl3_cipher_id_cmp(const void *id, const void *cipher) +ssl3_cipher_value_cmp(const void *value, const void *cipher) { - unsigned long a = *(const unsigned long *)id; - unsigned long b = ((const SSL_CIPHER *)cipher)->id; + uint16_t a = *(const uint16_t *)value; + uint16_t b = ((const SSL_CIPHER *)cipher)->value; return a < b ? -1 : a > b; } -const SSL_CIPHER * -ssl3_get_cipher_by_id(unsigned long id) -{ - const SSL_CIPHER *cipher; - - cipher = bsearch(&id, ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(*cipher), - ssl3_cipher_id_cmp); - if (cipher != NULL && cipher->valid == 1) - return cipher; - - return NULL; -} - const SSL_CIPHER * ssl3_get_cipher_by_value(uint16_t value) { - return ssl3_get_cipher_by_id(SSL3_CK_ID | value); -} - -uint16_t -ssl3_cipher_get_value(const SSL_CIPHER *c) -{ - return (c->id & SSL3_CK_VALUE_MASK); + return bsearch(&value, ssl3_ciphers, SSL3_NUM_CIPHERS, + sizeof(ssl3_ciphers[0]), ssl3_cipher_value_cmp); } int diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index ef34cbdb0..fcf4631a5 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.69 2024/07/22 14:47:15 jsing Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -51,7 +51,6 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; unsigned char *peer_cert_bytes = NULL; int len, rv = 0; - uint16_t cid; if (!CBB_init(&cbb, 0)) goto err; @@ -69,11 +68,10 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, if (!CBB_add_asn1_uint64(&session, s->ssl_version)) goto err; - /* Cipher suite ID. */ - cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK); + /* Cipher suite value. */ if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) goto err; - if (!CBB_add_u16(&cipher_suite, cid)) + if (!CBB_add_u16(&cipher_suite, s->cipher_value)) goto err; /* Session ID - zero length for a ticket. */ @@ -193,7 +191,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len) if (ss == NULL) return 0; - if (ss->cipher_id == 0) + if (ss->cipher_value == 0) return 0; return SSL_SESSION_encode(ss, out, out_len, 1); @@ -209,7 +207,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp) if (ss == NULL) return 0; - if (ss->cipher_id == 0) + if (ss->cipher_value == 0) return 0; if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) @@ -244,7 +242,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) CBS hostname, ticket; uint64_t version, tls_version, stime, timeout, verify_result, lifetime; const unsigned char *peer_cert_bytes; - uint16_t cipher_value; SSL_SESSION *s = NULL; size_t data_len; int present; @@ -277,14 +274,13 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) goto err; s->ssl_version = (int)tls_version; - /* Cipher suite. */ + /* Cipher suite value. */ if (!CBS_get_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) goto err; - if (!CBS_get_u16(&cipher_suite, &cipher_value)) + if (!CBS_get_u16(&cipher_suite, &s->cipher_value)) goto err; if (CBS_len(&cipher_suite) != 0) goto err; - s->cipher_id = SSL3_CK_ID | cipher_value; /* Session ID. */ if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 7c3235490..dce141101 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -373,21 +373,18 @@ static const SSL_CIPHER cipher_aliases[] = { /* cipher suite aliases */ #ifdef LIBRESSL_HAS_TLS1_3 { - .valid = 1, + .value = 0x1301, .name = "TLS_AES_128_GCM_SHA256", - .id = TLS1_3_CK_AES_128_GCM_SHA256, .algorithm_ssl = SSL_TLSV1_3, }, { - .valid = 1, + .value = 0x1302, .name = "TLS_AES_256_GCM_SHA384", - .id = TLS1_3_CK_AES_256_GCM_SHA384, .algorithm_ssl = SSL_TLSV1_3, }, { - .valid = 1, + .value = 0x1303, .name = "TLS_CHACHA20_POLY1305_SHA256", - .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, .algorithm_ssl = SSL_TLSV1_3, }, #endif @@ -619,7 +616,7 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, * Drop any invalid ciphers and any which use unavailable * algorithms. */ - if ((c != NULL) && c->valid && + if ((c != NULL) && !(c->algorithm_mkey & disabled_mkey) && !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -725,7 +722,7 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, } static void -ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, +ssl_cipher_apply_rule(uint16_t cipher_value, unsigned long alg_mkey, unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, unsigned long alg_ssl, unsigned long algo_strength, int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) @@ -757,7 +754,7 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, cp = curr->cipher; - if (cipher_id && cp->id != cipher_id) + if (cipher_value != 0 && cp->value != cipher_value) continue; /* @@ -882,7 +879,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; unsigned long algo_strength; int j, multi, found, rule, retval, ok, buflen; - unsigned long cipher_id = 0; + uint16_t cipher_value = 0; const char *l, *buf; char ch; @@ -974,7 +971,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, * '\0' terminated.) */ j = found = 0; - cipher_id = 0; + cipher_value = 0; while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && (ca_list[j]->name[buflen] == '\0')) { @@ -1047,13 +1044,13 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, SSL_STRONG_MASK; } - if (ca_list[j]->valid) { + if (ca_list[j]->value != 0) { /* * explicit ciphersuite found; its protocol * version does not become part of the search * pattern! */ - cipher_id = ca_list[j]->id; + cipher_value = ca_list[j]->value; if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3) *tls13_seen = 1; } else { @@ -1109,7 +1106,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, } else if (found) { if (alg_ssl == SSL_TLSV1_3) *tls13_seen = 1; - ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, + ssl_cipher_apply_rule(cipher_value, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, rule, -1, head_p, tail_p); } else { @@ -1470,24 +1467,23 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) LSSL_ALIAS(SSL_CIPHER_description); const char * -SSL_CIPHER_get_version(const SSL_CIPHER *c) +SSL_CIPHER_get_version(const SSL_CIPHER *cipher) { - if (c == NULL) - return("(NONE)"); - if ((c->id >> 24) == 3) - return("TLSv1/SSLv3"); - else - return("unknown"); + if (cipher == NULL) + return "(NONE)"; + + return "TLSv1/SSLv3"; } LSSL_ALIAS(SSL_CIPHER_get_version); /* return the actual cipher being used */ const char * -SSL_CIPHER_get_name(const SSL_CIPHER *c) +SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { - if (c != NULL) - return (c->name); - return("(NONE)"); + if (cipher == NULL) + return "(NONE)"; + + return cipher->name; } LSSL_ALIAS(SSL_CIPHER_get_name); @@ -1507,16 +1503,16 @@ SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) LSSL_ALIAS(SSL_CIPHER_get_bits); unsigned long -SSL_CIPHER_get_id(const SSL_CIPHER *c) +SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { - return c->id; + return SSL3_CK_ID | cipher->value; } LSSL_ALIAS(SSL_CIPHER_get_id); uint16_t -SSL_CIPHER_get_value(const SSL_CIPHER *c) +SSL_CIPHER_get_value(const SSL_CIPHER *cipher) { - return ssl3_cipher_get_value(c); + return cipher->value; } LSSL_ALIAS(SSL_CIPHER_get_value); diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c index 4ec1b099b..503ef9d03 100644 --- a/lib/libssl/ssl_ciphers.c +++ b/lib/libssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.18 2024/07/22 14:47:15 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan * Copyright (c) 2015-2018, 2020 Joel Sing @@ -28,7 +28,7 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) int i; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { - if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id) + if (sk_SSL_CIPHER_value(ciphers, i)->value == cipher->value) return 1; } @@ -72,7 +72,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) continue; if (!ssl_security_cipher_check(s, cipher)) continue; - if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) + if (!CBB_add_u16(cbb, cipher->value)) return 0; num_ciphers++; @@ -165,34 +165,34 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) struct ssl_tls13_ciphersuite { const char *name; const char *alias; - unsigned long cid; + uint16_t value; }; static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = { { .name = TLS1_3_RFC_AES_128_GCM_SHA256, .alias = TLS1_3_TXT_AES_128_GCM_SHA256, - .cid = TLS1_3_CK_AES_128_GCM_SHA256, + .value = 0x1301, }, { .name = TLS1_3_RFC_AES_256_GCM_SHA384, .alias = TLS1_3_TXT_AES_256_GCM_SHA384, - .cid = TLS1_3_CK_AES_256_GCM_SHA384, + .value = 0x1302, }, { .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256, .alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, - .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + .value = 0x1303, }, { .name = TLS1_3_RFC_AES_128_CCM_SHA256, .alias = TLS1_3_TXT_AES_128_CCM_SHA256, - .cid = TLS1_3_CK_AES_128_CCM_SHA256, + .value = 0x1304, }, { .name = TLS1_3_RFC_AES_128_CCM_8_SHA256, .alias = TLS1_3_TXT_AES_128_CCM_8_SHA256, - .cid = TLS1_3_CK_AES_128_CCM_8_SHA256, + .value = 0x1305, }, { .name = NULL, @@ -234,7 +234,7 @@ ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str) goto err; /* We know about the cipher suite, but it is not supported. */ - if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL) + if ((cipher = ssl3_get_cipher_by_value(ciphersuite->value)) == NULL) continue; if (!sk_SSL_CIPHER_push(ciphers, cipher)) diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 8f097833f..d62d7cf6d 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.167 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.168 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -481,7 +481,7 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_FINISHED_A; s->init_num = 0; - s->session->cipher_id = s->s3->hs.cipher->id; + s->session->cipher_value = s->s3->hs.cipher->value; if (!tls1_setup_key_block(s)) { ret = -1; @@ -1016,13 +1016,13 @@ ssl3_get_server_hello(SSL *s) * and/or cipher_id values may not be set. Make sure that * cipher_id is set and use it for comparison. */ - if (s->hit && (s->session->cipher_id != cipher->id)) { + if (s->hit && (s->session->cipher_value != cipher->value)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto fatal_err; } s->s3->hs.cipher = cipher; - s->session->cipher_id = cipher->id; + s->session->cipher_value = cipher->value; if (!tls1_transcript_hash_init(s)) goto err; diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h index 79f41e6dc..34197e592 100644 --- a/lib/libssl/ssl_local.h +++ b/lib/libssl/ssl_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_local.h,v 1.21 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_local.h,v 1.22 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -339,9 +339,9 @@ struct ssl_comp_st { }; struct ssl_cipher_st { - int valid; + uint16_t value; /* Cipher suite value. */ + const char *name; /* text name */ - unsigned long id; /* id, 4 bytes, first is version */ unsigned long algorithm_mkey; /* key exchange algorithm */ unsigned long algorithm_auth; /* server authentication */ @@ -438,9 +438,7 @@ struct ssl_session_st { time_t time; int references; - unsigned long cipher_id; /* when ASN.1 loaded, this - * needs to be used to load - * the 'cipher' structure */ + uint16_t cipher_value; char *tlsext_hostname; @@ -1293,9 +1291,7 @@ int ssl3_get_req_cert_types(SSL *s, CBB *cbb); int ssl3_get_message(SSL *s, int st1, int stn, int mt, long max); int ssl3_num_ciphers(void); const SSL_CIPHER *ssl3_get_cipher(unsigned int u); -const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned long id); const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value); -uint16_t ssl3_cipher_get_value(const SSL_CIPHER *c); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c index 7d6785a3d..740fe9719 100644 --- a/lib/libssl/ssl_pkt.c +++ b/lib/libssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.67 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.68 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1235,7 +1235,7 @@ ssl3_do_change_cipher_spec(SSL *s) return (0); } - s->session->cipher_id = s->s3->hs.cipher->id; + s->session->cipher_value = s->s3->hs.cipher->value; if (!tls1_setup_key_block(s)) return (0); diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index c2bd1bf13..5aea99027 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.128 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -287,7 +287,7 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket) copy->time = sess->time; copy->references = 1; - copy->cipher_id = sess->cipher_id; + copy->cipher_value = sess->cipher_value; if (sess->tlsext_hostname != NULL) { copy->tlsext_hostname = strdup(sess->tlsext_hostname); @@ -984,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version); const SSL_CIPHER * SSL_SESSION_get0_cipher(const SSL_SESSION *s) { - return ssl3_get_cipher_by_id(s->cipher_id); + return ssl3_get_cipher_by_value(s->cipher_value); } LSSL_ALIAS(SSL_SESSION_get0_cipher); diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index be6bd7402..302b6bdf0 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.164 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.165 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -651,7 +651,7 @@ ssl3_accept(SSL *s) goto end; s->s3->hs.state = SSL3_ST_SW_FINISHED_A; s->init_num = 0; - s->session->cipher_id = s->s3->hs.cipher->id; + s->session->cipher_value = s->s3->hs.cipher->value; if (!tls1_setup_key_block(s)) { ret = -1; @@ -781,7 +781,6 @@ ssl3_get_client_hello(SSL *s) uint8_t comp_method; int comp_null; int i, j, al, ret, cookie_valid = 0; - unsigned long id; SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *ciphers = NULL; const SSL_METHOD *method; @@ -978,11 +977,10 @@ ssl3_get_client_hello(SSL *s) /* XXX - CBS_len(&cipher_suites) will always be zero here... */ if (s->hit && CBS_len(&cipher_suites) > 0) { j = 0; - id = s->session->cipher_id; for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { c = sk_SSL_CIPHER_value(ciphers, i); - if (c->id == id) { + if (c->value == s->session->cipher_value) { j = 1; break; } @@ -1127,9 +1125,9 @@ ssl3_get_client_hello(SSL *s) goto fatal_err; } s->s3->hs.cipher = c; - s->session->cipher_id = s->s3->hs.cipher->id; + s->session->cipher_value = s->s3->hs.cipher->value; } else { - s->s3->hs.cipher = ssl3_get_cipher_by_id(s->session->cipher_id); + s->s3->hs.cipher = ssl3_get_cipher_by_value(s->session->cipher_value); if (s->s3->hs.cipher == NULL) goto fatal_err; } @@ -1269,8 +1267,7 @@ ssl3_send_server_hello(SSL *s) goto err; /* Cipher suite. */ - if (!CBB_add_u16(&server_hello, - ssl3_cipher_get_value(s->s3->hs.cipher))) + if (!CBB_add_u16(&server_hello, s->s3->hs.cipher->value)) goto err; /* Compression method (null). */ diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c index 26b631d5a..4ed76c95a 100644 --- a/lib/libssl/ssl_txt.c +++ b/lib/libssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.38 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.39 2024/07/22 14:47:15 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -122,9 +122,9 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) ssl_version_string(x->ssl_version)) <= 0) goto err; - if ((cipher = ssl3_get_cipher_by_id(x->cipher_id)) == NULL) { - if (BIO_printf(bp, " Cipher : %04lX\n", - x->cipher_id & SSL3_CK_VALUE_MASK) <= 0) + if ((cipher = ssl3_get_cipher_by_value(x->cipher_value)) == NULL) { + if (BIO_printf(bp, " Cipher : %04X\n", + x->cipher_value) <= 0) goto err; } else { const char *cipher_name = "unknown"; diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index 8f6894fd8..901b38f86 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.103 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -347,7 +347,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) &shared_key_len)) goto err; - s->session->cipher_id = ctx->hs->cipher->id; + s->session->cipher_value = ctx->hs->cipher->value; s->session->ssl_version = ctx->hs->tls13.server_version; if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 6bd2993cf..63b7d9209 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.108 2024/07/20 04:04:23 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -383,7 +383,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) &shared_key_len)) goto err; - s->session->cipher_id = ctx->hs->cipher->id; + s->session->cipher_value = ctx->hs->cipher->value; if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) goto err; diff --git a/regress/lib/libcrypto/asn1/asn1time.c b/regress/lib/libcrypto/asn1/asn1time.c index b11a89230..7223ad9c9 100644 --- a/regress/lib/libcrypto/asn1/asn1time.c +++ b/regress/lib/libcrypto/asn1/asn1time.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1time.c,v 1.29 2024/05/25 18:59:03 tb Exp $ */ +/* $OpenBSD: asn1time.c,v 1.30 2024/07/21 13:25:11 tb Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2024 Google Inc. @@ -581,14 +581,16 @@ asn1_time_compare_families(const struct asn1_time_test *fam1, size_t fam1_size, asn1_cmp = ASN1_TIME_compare(t1, t2); if (time_cmp != asn1_cmp) { - fprintf(stderr, "%s vs. %s: want %d, got %d\n", + fprintf(stderr, "ASN1_TIME_compare - %s vs. %s: " + "want %d, got %d\n", att1->str, att2->str, time_cmp, asn1_cmp); comparison_failure |= 1; } time_cmp = ASN1_TIME_cmp_time_t(t1, att2->time); if (time_cmp != asn1_cmp) { - fprintf(stderr, "%s vs. %lld: want %d, got %d\n", + fprintf(stderr, "ASN1_TIME_cmp_time_t - %s vs. %lld: " + "want %d, got %d\n", att1->str, (long long)att2->time, asn1_cmp, time_cmp); comparison_failure |= 1; @@ -598,7 +600,8 @@ asn1_time_compare_families(const struct asn1_time_test *fam1, size_t fam1_size, if (t1->type != V_ASN1_UTCTIME) asn1_cmp = -2; if (time_cmp != asn1_cmp) { - fprintf(stderr, "%s vs. %lld: want %d, got %d\n", + fprintf(stderr, "ASN1_UTCTIME_cmp_time_t - %s vs. %lld: " + "want %d, got %d\n", att1->str, (long long)att2->time, asn1_cmp, time_cmp); comparison_failure |= 1; diff --git a/regress/lib/libssl/asn1/asn1test.c b/regress/lib/libssl/asn1/asn1test.c index 6e9362b3e..a81c50265 100644 --- a/regress/lib/libssl/asn1/asn1test.c +++ b/regress/lib/libssl/asn1/asn1test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1test.c,v 1.12 2022/11/26 16:08:56 tb Exp $ */ +/* $OpenBSD: asn1test.c,v 1.13 2024/07/22 14:50:45 jsing Exp $ */ /* * Copyright (c) 2014, 2016 Joel Sing * @@ -82,7 +82,7 @@ unsigned char tlsext_tick[] = { struct ssl_asn1_test ssl_asn1_tests[] = { { .session = { - .cipher_id = 0x03000000L | 1, + .cipher_value = 1, .ssl_version = TLS1_2_VERSION, }, .asn1 = { @@ -94,7 +94,7 @@ struct ssl_asn1_test ssl_asn1_tests[] = { }, { .session = { - .cipher_id = 0x03000000L | 1, + .cipher_value = 1, .ssl_version = TLS1_2_VERSION, .master_key_length = 26, .session_id = "0123456789", @@ -119,7 +119,7 @@ struct ssl_asn1_test ssl_asn1_tests[] = { }, { .session = { - .cipher_id = 0x03000000L | 1, + .cipher_value = 1, .ssl_version = TLS1_2_VERSION, .master_key_length = 26, .session_id = "0123456789", @@ -232,7 +232,7 @@ struct ssl_asn1_test ssl_asn1_tests[] = { }, { .session = { - .cipher_id = 0x03000000L | 1, + .cipher_value = 1, .ssl_version = TLS1_2_VERSION, .timeout = -1, }, @@ -243,7 +243,7 @@ struct ssl_asn1_test ssl_asn1_tests[] = { }, { .session = { - .cipher_id = 0x03000000L | 1, + .cipher_value = 1, .ssl_version = TLS1_2_VERSION, .time = -1, }, @@ -276,9 +276,9 @@ session_cmp(SSL_SESSION *s1, SSL_SESSION *s2) s1->ssl_version, s2->ssl_version); return (1); } - if (s1->cipher_id != s2->cipher_id) { - fprintf(stderr, "cipher_id differs: %ld != %ld\n", - s1->cipher_id, s2->cipher_id); + if (s1->cipher_value != s2->cipher_value) { + fprintf(stderr, "cipher_value differs: %d != %d\n", + s1->cipher_value, s2->cipher_value); return (1); } diff --git a/regress/lib/libssl/client/Makefile b/regress/lib/libssl/client/Makefile index d07305692..7e2d7a3ec 100644 --- a/regress/lib/libssl/client/Makefile +++ b/regress/lib/libssl/client/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.5 2024/04/22 07:31:54 anton Exp $ +# $OpenBSD: Makefile,v 1.6 2024/07/20 18:37:38 tb Exp $ PROG= clienttest LDADD= ${SSL_INT} -lcrypto @@ -6,7 +6,4 @@ DPADD= ${LIBSSL} ${LIBCRYPTO} WARNINGS= Yes CFLAGS+= -DLIBRESSL_INTERNAL -Werror -# Disable for now for upcoming changes. This needs to be easier to deal with. -REGRESS_EXPECTED_FAILURES+=run-regress-clienttest - .include diff --git a/regress/lib/libssl/client/clienttest.c b/regress/lib/libssl/client/clienttest.c index 18cf2d0c9..0c526f38f 100644 --- a/regress/lib/libssl/client/clienttest.c +++ b/regress/lib/libssl/client/clienttest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clienttest.c,v 1.43 2024/02/03 15:58:34 beck Exp $ */ +/* $OpenBSD: clienttest.c,v 1.44 2024/07/20 18:37:38 tb Exp $ */ /* * Copyright (c) 2015 Joel Sing * @@ -36,8 +36,8 @@ #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2) #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34) #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69) -#define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 184) -#define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 98) +#define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 198) +#define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 112) #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000) @@ -116,9 +116,9 @@ static const uint8_t client_hello_dtls12[] = { 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, - 0x00, 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, - 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, - 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, + 0x00, 0x00, 0x34, 0x00, 0x0a, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, + 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, @@ -225,9 +225,9 @@ static const uint8_t client_hello_tls12[] = { 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34, - 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, - 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, + 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, + 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x0b, + 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, @@ -288,14 +288,14 @@ static const uint8_t client_hello_tls13[] = { 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x67, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, - 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, - 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, - 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, + 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x33, 0x00, + 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, @@ -323,14 +323,14 @@ static const uint8_t client_hello_tls13_only[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00, 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, - 0x04, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, - 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, - 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, + 0x04, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, + 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, diff --git a/regress/lib/libssl/tlsext/tlsexttest.c b/regress/lib/libssl/tlsext/tlsexttest.c index 18e800031..d5c8840e2 100644 --- a/regress/lib/libssl/tlsext/tlsexttest.c +++ b/regress/lib/libssl/tlsext/tlsexttest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tlsexttest.c,v 1.90 2024/03/30 09:53:41 tb Exp $ */ +/* $OpenBSD: tlsexttest.c,v 1.91 2024/07/22 14:50:45 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -1151,9 +1151,7 @@ test_tlsext_ecpf_server(void) errx(1, "failed to create session"); /* Setup the state so we can call needs. */ - if ((ssl->s3->hs.cipher = - ssl3_get_cipher_by_id(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305)) - == NULL) { + if ((ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xcca9)) == NULL) { FAIL("server cannot find cipher\n"); goto err; } @@ -3362,8 +3360,7 @@ test_tlsext_serverhello_build(void) ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION; - ssl->s3->hs.cipher = - ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256); + ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0x003c); if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { FAIL("failed to build serverhello extensions\n"); @@ -3397,8 +3394,7 @@ test_tlsext_serverhello_build(void) /* Turn a few things on so we get extensions... */ ssl->s3->send_connection_binding = 1; - ssl->s3->hs.cipher = - ssl3_get_cipher_by_id(TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256); + ssl->s3->hs.cipher = ssl3_get_cipher_by_value(0xc027); ssl->tlsext_status_expected = 1; ssl->tlsext_ticket_expected = 1; if ((ssl->session->tlsext_ecpointformatlist = malloc(1)) == NULL) { diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c index 6672773a9..24df29b22 100644 --- a/sys/arch/amd64/amd64/cpu.c +++ b/sys/arch/amd64/amd64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.190 2024/06/07 16:53:35 kettenis Exp $ */ +/* $OpenBSD: cpu.c,v 1.191 2024/07/21 19:41:31 bluhm Exp $ */ /* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */ /*- @@ -157,6 +157,7 @@ int cpu_ebxfeature = 0; /* cpuid(1).ebx */ int cpu_ecxfeature = 0; /* INTERSECTION(cpuid(1).ecx) */ int cpu_feature = 0; /* cpuid(1).edx */ int ecpu_ecxfeature = 0; /* cpuid(0x80000001).ecx */ +int cpu_sev_guestmode = 0; int cpu_meltdown = 0; int cpu_use_xsaves = 0; int need_retpoline = 1; /* most systems need retpoline */ diff --git a/sys/arch/amd64/amd64/locore0.S b/sys/arch/amd64/amd64/locore0.S index bbfed3aa9..bc45eee7a 100644 --- a/sys/arch/amd64/amd64/locore0.S +++ b/sys/arch/amd64/amd64/locore0.S @@ -1,4 +1,4 @@ -/* $OpenBSD: locore0.S,v 1.24 2024/07/10 12:36:13 bluhm Exp $ */ +/* $OpenBSD: locore0.S,v 1.25 2024/07/21 19:41:31 bluhm Exp $ */ /* $NetBSD: locore.S,v 1.13 2004/03/25 18:33:17 drochner Exp $ */ /* @@ -268,6 +268,78 @@ bi_size_ok: cont: orl %edx, RELOC(cpu_feature) + /* + * Determine AMD SME and SEV capabilities. + */ + movl $RELOC(cpu_vendor),%ebp + cmpl $0x68747541, (%ebp) /* "Auth" */ + jne .Lno_smesev + cmpl $0x69746e65, 4(%ebp) /* "enti" */ + jne .Lno_smesev + cmpl $0x444d4163, 8(%ebp) /* "cAMD" */ + jne .Lno_smesev + + /* AMD CPU, check for SME and SEV. */ + movl $0x8000001f, %eax + cpuid + pushl %eax + andl $CPUIDEAX_SME, %eax /* SME */ + popl %eax + jz .Lno_smesev + andl $CPUIDEAX_SEV, %eax /* SEV */ + jz .Lno_smesev + + /* Are we in guest mode with SEV enabled? */ + movl $MSR_SEV_STATUS, %ecx + rdmsr + andl $SEV_STAT_ENABLED, %eax + jz .Lno_smesev + + /* Determine C bit position */ + movl %ebx, %ecx /* %ebx from previous cpuid */ + andl $0x3f, %ecx + cmpl $0x20, %ecx /* must be at least bit 32 (counting from 0) */ + jl .Lno_smesev + xorl %eax, %eax + movl %eax, RELOC(pg_crypt) + subl $0x20, %ecx + movl $0x1, %eax + shll %cl, %eax + movl %eax, RELOC((pg_crypt + 4)) + + /* + * Determine physical address reduction. Adjust page frame masks. + * + * The top 12 bits of a physical address are reserved and + * supposed to be 0. Thus PG_FRAME masks of the top 12 bits + * and low 10 bits (offset into page). PG_LGFRAME is defined + * similarly. + * + * According to the number of reduction bits we shrink the + * page frame masks beginning at bit 51. + * + * E.g. with a 5 bit reduction PG_FRAME will be reduced from + * 0x000ffffffffff000 to 0x00007ffffffff000. + * + * One of the now freed bits will be used as the C bit, e.g. + * bit 51. + */ + movl %ebx, %ecx /* %ebx from previous cpuid */ + andl $0xfc0, %ecx + shrl $6, %ecx /* number of bits to reduce */ + + movl $1, %eax /* calculate mask */ + shll $20, %eax + shrl %cl, %eax + decl %eax + + andl %eax, RELOC(pg_frame + 4) /* apply mask */ + andl %eax, RELOC(pg_lgframe + 4) + + movl $0x1, RELOC(cpu_sev_guestmode) /* we are a SEV guest */ + +.Lno_smesev: + /* * Finished with old stack; load new %esp now instead of later so we * can trace this code without having to worry about the trace trap diff --git a/sys/arch/amd64/amd64/pmap.c b/sys/arch/amd64/amd64/pmap.c index 0c3fe07cd..f8c4acea3 100644 --- a/sys/arch/amd64/amd64/pmap.c +++ b/sys/arch/amd64/amd64/pmap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmap.c,v 1.169 2024/07/09 19:11:06 bluhm Exp $ */ +/* $OpenBSD: pmap.c,v 1.170 2024/07/21 19:41:31 bluhm Exp $ */ /* $NetBSD: pmap.c,v 1.3 2003/05/08 18:13:13 thorpej Exp $ */ /* @@ -660,6 +660,8 @@ pmap_bootstrap(paddr_t first_avail, paddr_t max_pa) vaddr_t kva, kva_end; pt_entry_t *pml3, *pml2; + KASSERT(((0x1000ULL | pg_crypt) & pg_frame) == 0x1000ULL); + /* * define the boundaries of the managed kernel virtual address * space. diff --git a/sys/arch/amd64/amd64/vector.S b/sys/arch/amd64/amd64/vector.S index de24a291f..c51f872f0 100644 --- a/sys/arch/amd64/amd64/vector.S +++ b/sys/arch/amd64/amd64/vector.S @@ -1,4 +1,4 @@ -/* $OpenBSD: vector.S,v 1.95 2024/02/12 01:18:17 guenther Exp $ */ +/* $OpenBSD: vector.S,v 1.96 2024/07/21 16:19:25 deraadt Exp $ */ /* $NetBSD: vector.S,v 1.5 2004/06/28 09:13:11 fvdl Exp $ */ /* @@ -145,6 +145,7 @@ INTRENTRY_LABEL(calltrap_specstk): SMAP_CLAC movq %rsp,%rdi call kerntrap + movq $0,-8(%rsp) movl $MSR_GSBASE,%ecx # restore GS.base movq %r12,%rax movq %r13,%rdx @@ -157,6 +158,7 @@ INTRENTRY_LABEL(calltrap_specstk): wrmsr CODEPATCH_END(CPTAG_IBPB_NOP) call pku_xonly + movq $0,-8(%rsp) popq %rdi popq %rsi popq %rdx @@ -199,6 +201,7 @@ INTRENTRY_LABEL(trap03): leaq dt_prov_kprobe, %rdi movq %rsp, %rsi call dt_prov_kprobe_hook + movq $0,-8(%rsp) cmpl $0, %eax je .Lreal_kern_trap @@ -451,6 +454,7 @@ GENTRY(alltraps) recall_trap: movq %rsp, %rdi call usertrap + movq $0,-8(%rsp) cli jmp intr_user_exit END(alltraps) @@ -476,6 +480,7 @@ GENTRY(alltraps_kern_meltdown) #endif /* DIAGNOSTIC */ movq %rsp, %rdi call kerntrap + movq $0,-8(%rsp) 2: cli #ifndef DIAGNOSTIC INTRFASTEXIT @@ -489,6 +494,7 @@ GENTRY(alltraps_kern_meltdown) movl %ebx,%edx xorq %rax,%rax call printf + movq $0,-8(%rsp) #ifdef DDB int $3 #endif /* DDB */ @@ -567,6 +573,7 @@ KIDTVEC_FALLTHROUGH(resume_lapic_ipi) SMAP_CLAC movq %rbx,IF_PPL(%rsp) call x86_ipi_handler + movq $0,-8(%rsp) jmp Xdoreti 2: movq $(1 << LIR_IPI),%rax @@ -775,6 +782,7 @@ KIDTVEC_FALLTHROUGH(resume_lapic_ltimer) movq %rbx,IF_PPL(%rsp) xorq %rdi,%rdi call lapic_clockintr + movq $0,-8(%rsp) jmp Xdoreti 2: movq $(1 << LIR_TIMER),%rax @@ -794,6 +802,7 @@ END(Xrecurse_xen_upcall) IDTVEC(intr_xen_upcall) INTRENTRY(intr_xen_upcall) call xen_intr_ack + movq $0,-8(%rsp) movl CPUVAR(ILEVEL),%ebx cmpl $IPL_NET,%ebx jae 2f @@ -808,6 +817,7 @@ KIDTVEC_FALLTHROUGH(resume_xen_upcall) SMAP_CLAC movq %rbx,IF_PPL(%rsp) call xen_intr + movq $0,-8(%rsp) jmp Xdoreti 2: movq $(1 << LIR_XEN),%rax @@ -841,6 +851,7 @@ KIDTVEC_FALLTHROUGH(resume_hyperv_upcall) SMAP_CLAC movq %rbx,IF_PPL(%rsp) call hv_intr + movq $0,-8(%rsp) jmp Xdoreti 2: movq $(1 << LIR_HYPERV),%rax @@ -898,6 +909,7 @@ IDTVEC(intr_##name##num) ;\ movq %rbx, %rsi ;\ movq %rsp, %rdi ;\ call intr_handler /* call it */ ;\ + movq $0,-8(%rsp) ;\ orl %eax,%eax /* should it be counted? */ ;\ jz 4f /* no, skip it */ ;\ incq IH_COUNT(%rbx) /* count the intrs */ ;\ @@ -1288,6 +1300,7 @@ KIDTVEC(softtty) incl CPUVAR(IDEPTH) movl $X86_SOFTINTR_SOFTTTY,%edi call softintr_dispatch + movq $0,-8(%rsp) decl CPUVAR(IDEPTH) CODEPATCH_START jmp retpoline_r13 @@ -1301,6 +1314,7 @@ KIDTVEC(softnet) incl CPUVAR(IDEPTH) movl $X86_SOFTINTR_SOFTNET,%edi call softintr_dispatch + movq $0,-8(%rsp) decl CPUVAR(IDEPTH) CODEPATCH_START jmp retpoline_r13 @@ -1314,6 +1328,7 @@ KIDTVEC(softclock) incl CPUVAR(IDEPTH) movl $X86_SOFTINTR_SOFTCLOCK,%edi call softintr_dispatch + movq $0,-8(%rsp) decl CPUVAR(IDEPTH) CODEPATCH_START jmp retpoline_r13 diff --git a/sys/arch/amd64/include/cpu.h b/sys/arch/amd64/include/cpu.h index 8bc757ccc..f5aada4d4 100644 --- a/sys/arch/amd64/include/cpu.h +++ b/sys/arch/amd64/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.174 2024/06/24 21:22:14 bluhm Exp $ */ +/* $OpenBSD: cpu.h,v 1.175 2024/07/21 19:41:31 bluhm Exp $ */ /* $NetBSD: cpu.h,v 1.1 2003/04/26 18:39:39 fvdl Exp $ */ /*- @@ -398,6 +398,7 @@ extern int cpu_feature; extern int cpu_ebxfeature; extern int cpu_ecxfeature; extern int ecpu_ecxfeature; +extern int cpu_sev_guestmode; extern int cpu_id; extern char cpu_vendor[]; extern int cpuid_level; diff --git a/sys/arch/amd64/include/specialreg.h b/sys/arch/amd64/include/specialreg.h index 7d1a0804a..a8a7e492a 100644 --- a/sys/arch/amd64/include/specialreg.h +++ b/sys/arch/amd64/include/specialreg.h @@ -1,4 +1,4 @@ -/* $OpenBSD: specialreg.h,v 1.114 2024/07/14 07:57:42 dv Exp $ */ +/* $OpenBSD: specialreg.h,v 1.115 2024/07/21 19:41:31 bluhm Exp $ */ /* $NetBSD: specialreg.h,v 1.1 2003/04/26 18:39:48 fvdl Exp $ */ /* $NetBSD: x86/specialreg.h,v 1.2 2003/04/25 21:54:30 fvdl Exp $ */ @@ -713,6 +713,9 @@ #define NB_CFG_DISIOREQLOCK 0x0000000000000004ULL #define NB_CFG_DISDATMSK 0x0000001000000000ULL +#define MSR_SEV_STATUS 0xc0010131 +#define SEV_STAT_ENABLED 0x00000001 + #define MSR_LS_CFG 0xc0011020 #define LS_CFG_DIS_LS2_SQUISH 0x02000000 diff --git a/sys/arch/arm64/arm64/cpu.c b/sys/arch/arm64/arm64/cpu.c index ee5a405fa..3e28ba600 100644 --- a/sys/arch/arm64/arm64/cpu.c +++ b/sys/arch/arm64/arm64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.128 2024/07/18 17:18:01 kettenis Exp $ */ +/* $OpenBSD: cpu.c,v 1.129 2024/07/21 18:57:31 kettenis Exp $ */ /* * Copyright (c) 2016 Dale Rahn @@ -742,10 +742,6 @@ cpu_identify(struct cpu_info *ci) printf("%sAtomic", sep); sep = ","; arm64_has_lse = 1; - /* - * XXX should be populated and sanitized like cpu_sysctl() does - */ - hwcap |= HWCAP_ATOMICS; } if (ID_AA64ISAR0_CRC32(id) >= ID_AA64ISAR0_CRC32_BASE) { @@ -1056,6 +1052,121 @@ cpu_identify_cleanup(void) value |= cpu_id_aa64pfr1 & ID_AA64PFR1_BT_MASK; value |= cpu_id_aa64pfr1 & ID_AA64PFR1_SSBS_MASK; cpu_id_aa64pfr1 = value; + + /* HWCAP */ + hwcap |= HWCAP_FP; /* OpenBSD assumes Floating-point support */ + hwcap |= HWCAP_ASIMD; /* OpenBSD assumes Advanced SIMD support */ + /* HWCAP_EVTSTRM: OpenBSD kernel doesn't configure event stream */ + if (ID_AA64ISAR0_AES(cpu_id_aa64isar0) >= ID_AA64ISAR0_AES_BASE) + hwcap |= HWCAP_AES; + if (ID_AA64ISAR0_AES(cpu_id_aa64isar0) >= ID_AA64ISAR0_AES_PMULL) + hwcap |= HWCAP_PMULL; + if (ID_AA64ISAR0_SHA1(cpu_id_aa64isar0) >= ID_AA64ISAR0_SHA1_BASE) + hwcap |= HWCAP_SHA1; + if (ID_AA64ISAR0_SHA2(cpu_id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE) + hwcap |= HWCAP_SHA2; + if (ID_AA64ISAR0_CRC32(cpu_id_aa64isar0) >= ID_AA64ISAR0_CRC32_BASE) + hwcap |= HWCAP_CRC32; + if (ID_AA64ISAR0_ATOMIC(cpu_id_aa64isar0) >= ID_AA64ISAR0_ATOMIC_IMPL) + hwcap |= HWCAP_ATOMICS; + /* HWCAP_FPHP */ + /* HWCAP_ASIMDHP */ + /* HWCAP_CPUID */ + if (ID_AA64ISAR0_RDM(cpu_id_aa64isar0) >= ID_AA64ISAR0_RDM_IMPL) + hwcap |= HWCAP_ASIMDRDM; + if (ID_AA64ISAR1_JSCVT(cpu_id_aa64isar1) >= ID_AA64ISAR1_JSCVT_IMPL) + hwcap |= HWCAP_JSCVT; + if (ID_AA64ISAR1_FCMA(cpu_id_aa64isar1) >= ID_AA64ISAR1_FCMA_IMPL) + hwcap |= HWCAP_FCMA; + if (ID_AA64ISAR1_LRCPC(cpu_id_aa64isar1) >= ID_AA64ISAR1_LRCPC_BASE) + hwcap |= HWCAP_LRCPC; + if (ID_AA64ISAR1_DPB(cpu_id_aa64isar1) >= ID_AA64ISAR1_DPB_IMPL) + hwcap |= HWCAP_DCPOP; + if (ID_AA64ISAR0_SHA3(cpu_id_aa64isar0) >= ID_AA64ISAR0_SHA3_IMPL) + hwcap |= HWCAP_SHA3; + if (ID_AA64ISAR0_SM3(cpu_id_aa64isar0) >= ID_AA64ISAR0_SM3_IMPL) + hwcap |= HWCAP_SM3; + if (ID_AA64ISAR0_SM4(cpu_id_aa64isar0) >= ID_AA64ISAR0_SM4_IMPL) + hwcap |= HWCAP_SM4; + if (ID_AA64ISAR0_DP(cpu_id_aa64isar0) >= ID_AA64ISAR0_DP_IMPL) + hwcap |= HWCAP_ASIMDDP; + if (ID_AA64ISAR0_SHA2(cpu_id_aa64isar0) >= ID_AA64ISAR0_SHA2_512) + hwcap |= HWCAP_SHA512; + /* HWCAP_SVE: OpenBSD kernel doesn't provide SVE support */ + if (ID_AA64ISAR0_FHM(cpu_id_aa64isar0) >= ID_AA64ISAR0_FHM_IMPL) + hwcap |= HWCAP_ASIMDFHM; + if (ID_AA64PFR0_DIT(cpu_id_aa64pfr0) >= ID_AA64PFR0_DIT_IMPL) + hwcap |= HWCAP_DIT; + /* HWCAP_USCAT */ + if (ID_AA64ISAR1_LRCPC(cpu_id_aa64isar1) >= ID_AA64ISAR1_LRCPC_LDAPUR) + hwcap |= HWCAP_ILRCPC; + if (ID_AA64ISAR0_TS(cpu_id_aa64isar0) >= ID_AA64ISAR0_TS_BASE) + hwcap |= HWCAP_FLAGM; + if (ID_AA64PFR1_SSBS(cpu_id_aa64pfr1) >= ID_AA64PFR1_SSBS_PSTATE_MSR) + hwcap |= HWCAP_SSBS; + if (ID_AA64ISAR1_SB(cpu_id_aa64isar1) >= ID_AA64ISAR1_SB_IMPL) + hwcap |= HWCAP_SB; + if (ID_AA64ISAR1_APA(cpu_id_aa64isar1) >= ID_AA64ISAR1_APA_BASE || + ID_AA64ISAR1_API(cpu_id_aa64isar1) >= ID_AA64ISAR1_API_BASE) + hwcap |= HWCAP_PACA; + if (ID_AA64ISAR1_GPA(cpu_id_aa64isar1) >= ID_AA64ISAR1_GPA_IMPL || + ID_AA64ISAR1_GPI(cpu_id_aa64isar1) >= ID_AA64ISAR1_GPI_IMPL) + hwcap |= HWCAP_PACG; + + /* HWCAP2 */ + /* HWCAP2_DCPODP */ + /* HWCAP2_SVE2: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEAES: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEPMULL: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEBITPERM: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVESHA3: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVESM4: OpenBSD kernel doesn't provide SVE support */ + if (ID_AA64ISAR0_TS(cpu_id_aa64isar0) >= ID_AA64ISAR0_TS_AXFLAG) + hwcap2 |= HWCAP2_FLAGM2; + if (ID_AA64ISAR1_FRINTTS(cpu_id_aa64isar1) >= ID_AA64ISAR1_FRINTTS_IMPL) + hwcap2 |= HWCAP2_FRINT; + /* HWCAP2_SVEI8MM: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEF32MM: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEF64MM: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SVEBF16: OpenBSD kernel doesn't provide SVE support */ + if (ID_AA64ISAR1_I8MM(cpu_id_aa64isar1) >= ID_AA64ISAR1_I8MM_IMPL) + hwcap2 |= HWCAP2_I8MM; + if (ID_AA64ISAR1_BF16(cpu_id_aa64isar1) >= ID_AA64ISAR1_BF16_BASE) + hwcap2 |= HWCAP2_BF16; + if (ID_AA64ISAR1_DGH(cpu_id_aa64isar1) >= ID_AA64ISAR1_DGH_IMPL) + hwcap2 |= HWCAP2_DGH; + if (ID_AA64ISAR0_RNDR(cpu_id_aa64isar0) >= ID_AA64ISAR0_RNDR_IMPL) + hwcap2 |= HWCAP2_RNG; + if (ID_AA64PFR1_BT(cpu_id_aa64pfr1) >= ID_AA64PFR1_BT_IMPL) + hwcap2 |= HWCAP2_BTI; + /* HWCAP2_MTE: OpenBSD kernel doesn't provide MTE support */ + /* HWCAP2_ECV */ + /* HWCAP2_AFP */ + /* HWCAP2_RPRES */ + /* HWCAP2_MTE3: OpenBSD kernel doesn't provide MTE support */ + /* HWCAP2_SME: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_I16I64: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_F64F64: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_I8I32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_F16F32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_B16F32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_F32F32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_FA64: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_WFXT */ + if (ID_AA64ISAR1_BF16(cpu_id_aa64isar1) >= ID_AA64ISAR1_BF16_EBF) + hwcap2 |= HWCAP2_EBF16; + /* HWCAP2_SVE_EBF16: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_CSSC */ + /* HWCAP2_RPRFM */ + /* HWCAP2_SVE2P1: OpenBSD kernel doesn't provide SVE support */ + /* HWCAP2_SME2: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME2P1: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_I16I32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_BI32I32: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_B16B16: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_SME_F16F16: OpenBSD kernel doesn't provide SME support */ + /* HWCAP2_MOPS */ + /* HWCAP2_HBC */ } void cpu_init(void); diff --git a/sys/dev/ata/wd.c b/sys/dev/ata/wd.c index e6d41d7e5..532819369 100644 --- a/sys/dev/ata/wd.c +++ b/sys/dev/ata/wd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wd.c,v 1.131 2024/05/26 10:01:01 jsg Exp $ */ +/* $OpenBSD: wd.c,v 1.132 2024/07/22 14:03:22 jsg Exp $ */ /* $NetBSD: wd.c,v 1.193 1999/02/28 17:15:27 explorer Exp $ */ /* @@ -116,7 +116,6 @@ int wdprobe(struct device *, void *, void *); void wdattach(struct device *, struct device *, void *); int wddetach(struct device *, int); int wdactivate(struct device *, int); -int wdprint(void *, char *); const struct cfattach wd_ca = { sizeof(struct wd_softc), wdprobe, wdattach, diff --git a/sys/dev/i2c/ipmi_i2c.c b/sys/dev/i2c/ipmi_i2c.c index d330fe7a7..d18590605 100644 --- a/sys/dev/i2c/ipmi_i2c.c +++ b/sys/dev/i2c/ipmi_i2c.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipmi_i2c.c,v 1.4 2022/04/06 18:59:28 naddy Exp $ */ +/* $OpenBSD: ipmi_i2c.c,v 1.5 2024/07/22 14:03:22 jsg Exp $ */ /* * Copyright (c) 2019 Mark Kettenis * @@ -52,8 +52,6 @@ struct ipmi_if ssif_if = { IPMI_MSG_DATARCV }; -extern void ipmi_attach(struct device *, struct device *, void *); - int ipmi_i2c_match(struct device *, void *, void *); void ipmi_i2c_attach(struct device *, struct device *, void *); diff --git a/sys/dev/pci/tga.c b/sys/dev/pci/tga.c index 49b10c9b2..361b0638e 100644 --- a/sys/dev/pci/tga.c +++ b/sys/dev/pci/tga.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tga.c,v 1.44 2024/06/22 10:22:29 jsg Exp $ */ +/* $OpenBSD: tga.c,v 1.45 2024/07/22 12:05:38 jsg Exp $ */ /* $NetBSD: tga.c,v 1.40 2002/03/13 15:05:18 ad Exp $ */ /* @@ -68,7 +68,6 @@ int tgamatch(struct device *, struct cfdata *, void *); void tgaattach(struct device *, struct device *, void *); -int tgaprint(void *, const char *); struct cfdriver tga_cd = { NULL, "tga", DV_DULL diff --git a/sys/dev/rasops/rasops32.c b/sys/dev/rasops/rasops32.c index 6040a4a23..ec189be00 100644 --- a/sys/dev/rasops/rasops32.c +++ b/sys/dev/rasops/rasops32.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rasops32.c,v 1.13 2023/01/18 11:08:49 nicm Exp $ */ +/* $OpenBSD: rasops32.c,v 1.14 2024/07/21 13:18:15 fcambus Exp $ */ /* $NetBSD: rasops32.c,v 1.7 2000/04/12 14:22:29 pk Exp $ */ /*- @@ -112,6 +112,17 @@ rasops32_putchar(void *cookie, int row, int col, u_int uc, uint32_t attr) /* double-pixel special cases for the common widths */ switch (width) { + case 6: + while (height--) { + fb = fr[0]; + rp[0] = u.q[fb >> 6]; + rp[1] = u.q[(fb >> 4) & 3]; + rp[2] = u.q[(fb >> 2) & 3]; + rp += step; + fr += 1; + } + break; + case 8: while (height--) { fb = fr[0]; diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index ba87dcd42..1e3347eef 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exit.c,v 1.224 2024/07/08 13:17:12 claudio Exp $ */ +/* $OpenBSD: kern_exit.c,v 1.225 2024/07/22 08:18:53 claudio Exp $ */ /* $NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $ */ /* @@ -69,7 +69,7 @@ #include #endif -void proc_finish_wait(struct proc *, struct proc *); +void proc_finish_wait(struct proc *, struct process *); void process_clear_orphan(struct process *); void process_zap(struct process *); void proc_free(struct proc *); @@ -546,7 +546,7 @@ loop: if (rusage != NULL) memcpy(rusage, pr->ps_ru, sizeof(*rusage)); if ((options & WNOWAIT) == 0) - proc_finish_wait(q, p); + proc_finish_wait(q, pr); return (0); } if ((options & WTRAPPED) && @@ -737,16 +737,15 @@ sys_waitid(struct proc *q, void *v, register_t *retval) } void -proc_finish_wait(struct proc *waiter, struct proc *p) +proc_finish_wait(struct proc *waiter, struct process *pr) { - struct process *pr, *tr; + struct process *tr; struct rusage *rup; /* * If we got the child via a ptrace 'attach', * we need to give it back to the old parent. */ - pr = p->p_p; if (pr->ps_oppid != 0 && (pr->ps_oppid != pr->ps_pptr->ps_pid) && (tr = prfind(pr->ps_oppid))) { pr->ps_oppid = 0; @@ -755,7 +754,7 @@ proc_finish_wait(struct proc *waiter, struct proc *p) prsignal(tr, SIGCHLD); wakeup(tr); } else { - scheduler_wait_hook(waiter, p); + scheduler_wait_hook(waiter, pr->ps_mainproc); rup = &waiter->p_p->ps_cru; ruadd(rup, pr->ps_ru); LIST_REMOVE(pr, ps_list); /* off zombprocess */ diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 23331f7d1..b360e31c7 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sig.c,v 1.332 2024/07/10 12:28:46 claudio Exp $ */ +/* $OpenBSD: kern_sig.c,v 1.333 2024/07/22 09:43:47 claudio Exp $ */ /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */ /* @@ -1482,7 +1482,7 @@ proc_stop(struct proc *p, int sw) p->p_stat = SSTOP; atomic_clearbits_int(&pr->ps_flags, PS_WAITED); - atomic_setbits_int(&pr->ps_flags, PS_STOPPED); + atomic_setbits_int(&pr->ps_flags, PS_STOPPING); atomic_setbits_int(&p->p_flag, P_SUSPSIG); /* * We need this soft interrupt to be handled fast. @@ -1505,9 +1505,9 @@ proc_stop_sweep(void *v) struct process *pr; LIST_FOREACH(pr, &allprocess, ps_list) { - if ((pr->ps_flags & PS_STOPPED) == 0) + if ((pr->ps_flags & PS_STOPPING) == 0) continue; - atomic_clearbits_int(&pr->ps_flags, PS_STOPPED); + atomic_clearbits_int(&pr->ps_flags, PS_STOPPING); if ((pr->ps_pptr->ps_sigacts->ps_sigflags & SAS_NOCLDSTOP) == 0) prsignal(pr->ps_pptr, SIGCHLD); diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index a17ac58ea..52157918b 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.338 2024/07/14 15:42:23 bluhm Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.339 2024/07/20 17:26:19 mvs Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* @@ -324,31 +324,22 @@ sofree(struct socket *so, int keep_lock) sounlock(head); } - if (persocket) { + switch (so->so_proto->pr_domain->dom_family) { + case AF_INET: + case AF_INET6: + if (so->so_proto->pr_type == SOCK_STREAM) + break; + /* FALLTHROUGH */ + default: sounlock(so); refcnt_finalize(&so->so_refcnt, "sofinal"); solock(so); + break; } sigio_free(&so->so_sigio); klist_free(&so->so_rcv.sb_klist); klist_free(&so->so_snd.sb_klist); -#ifdef SOCKET_SPLICE - if (issplicedback(so)) { - int freeing = SOSP_FREEING_WRITE; - - if (so->so_sp->ssp_soback == so) - freeing |= SOSP_FREEING_READ; - sounsplice(so->so_sp->ssp_soback, so, freeing); - } - if (isspliced(so)) { - int freeing = SOSP_FREEING_READ; - - if (so == so->so_sp->ssp_socket) - freeing |= SOSP_FREEING_WRITE; - sounsplice(so, so->so_sp->ssp_socket, freeing); - } -#endif /* SOCKET_SPLICE */ mtx_enter(&so->so_snd.sb_mtx); sbrelease(so, &so->so_snd); @@ -458,6 +449,85 @@ discard: if (so->so_state & SS_NOFDREF) panic("soclose NOFDREF: so %p, so_type %d", so, so->so_type); so->so_state |= SS_NOFDREF; + +#ifdef SOCKET_SPLICE + if (so->so_sp) { + struct socket *soback; + + if (so->so_proto->pr_flags & PR_WANTRCVD) { + /* + * Copy - Paste, but can't relock and sleep in + * sofree() in tcp(4) case. That's why tcp(4) + * still rely on solock() for splicing and + * unsplicing. + */ + + if (issplicedback(so)) { + int freeing = SOSP_FREEING_WRITE; + + if (so->so_sp->ssp_soback == so) + freeing |= SOSP_FREEING_READ; + sounsplice(so->so_sp->ssp_soback, so, freeing); + } + if (isspliced(so)) { + int freeing = SOSP_FREEING_READ; + + if (so == so->so_sp->ssp_socket) + freeing |= SOSP_FREEING_WRITE; + sounsplice(so, so->so_sp->ssp_socket, freeing); + } + goto free; + } + + sounlock(so); + mtx_enter(&so->so_snd.sb_mtx); + /* + * Concurrent sounsplice() locks `sb_mtx' mutexes on + * both `so_snd' and `so_rcv' before unsplice sockets. + */ + if ((soback = so->so_sp->ssp_soback) == NULL) { + mtx_leave(&so->so_snd.sb_mtx); + goto notsplicedback; + } + soref(soback); + mtx_leave(&so->so_snd.sb_mtx); + + /* + * `so' can be only unspliced, and never spliced again. + * Thus if issplicedback(so) check is positive, socket is + * still spliced and `ssp_soback' points to the same + * socket that `soback'. + */ + sblock(&soback->so_rcv, SBL_WAIT | SBL_NOINTR); + if (issplicedback(so)) { + int freeing = SOSP_FREEING_WRITE; + + if (so->so_sp->ssp_soback == so) + freeing |= SOSP_FREEING_READ; + solock(soback); + sounsplice(so->so_sp->ssp_soback, so, freeing); + sounlock(soback); + } + sbunlock(&soback->so_rcv); + sorele(soback); + +notsplicedback: + sblock(&so->so_rcv, SBL_WAIT | SBL_NOINTR); + if (isspliced(so)) { + int freeing = SOSP_FREEING_READ; + + if (so == so->so_sp->ssp_socket) + freeing |= SOSP_FREEING_WRITE; + solock(so); + sounsplice(so, so->so_sp->ssp_socket, freeing); + sounlock(so); + } + sbunlock(&so->so_rcv); + + solock(so); + } +free: +#endif /* SOCKET_SPLICE */ /* sofree() calls sounlock(). */ sofree(so, 0); return (error); @@ -1411,14 +1481,6 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) goto release; } - /* Splice so and sosp together. */ - mtx_enter(&so->so_rcv.sb_mtx); - mtx_enter(&sosp->so_snd.sb_mtx); - so->so_sp->ssp_socket = sosp; - sosp->so_sp->ssp_soback = so; - mtx_leave(&sosp->so_snd.sb_mtx); - mtx_leave(&so->so_rcv.sb_mtx); - so->so_splicelen = 0; so->so_splicemax = max; if (tv) @@ -1429,9 +1491,20 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) task_set(&so->so_splicetask, sotask, so); /* - * To prevent softnet interrupt from calling somove() while - * we sleep, the socket buffers are not marked as spliced yet. + * To prevent sorwakeup() calling somove() before this somove() + * has finished, the socket buffers are not marked as spliced yet. */ + + /* Splice so and sosp together. */ + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + so->so_sp->ssp_socket = sosp; + sosp->so_sp->ssp_soback = so; + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); + + if ((so->so_proto->pr_flags & PR_WANTRCVD) == 0) + sounlock(so); if (somove(so, M_WAIT)) { mtx_enter(&so->so_rcv.sb_mtx); mtx_enter(&sosp->so_snd.sb_mtx); @@ -1440,6 +1513,8 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) mtx_leave(&sosp->so_snd.sb_mtx); mtx_leave(&so->so_rcv.sb_mtx); } + if ((so->so_proto->pr_flags & PR_WANTRCVD) == 0) + solock(so); release: sounlock(so); @@ -1454,6 +1529,8 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) void sounsplice(struct socket *so, struct socket *sosp, int freeing) { + if ((so->so_proto->pr_flags & PR_WANTRCVD) == 0) + sbassertlocked(&so->so_rcv); soassertlocked(so); task_del(sosplice_taskq, &so->so_splicetask); @@ -1479,32 +1556,51 @@ soidle(void *arg) { struct socket *so = arg; + sblock(&so->so_rcv, SBL_WAIT | SBL_NOINTR); solock(so); + /* + * Depending on socket type, sblock(&so->so_rcv) or solock() + * is always held while modifying SB_SPLICE and + * so->so_sp->ssp_socket. + */ if (so->so_rcv.sb_flags & SB_SPLICE) { so->so_error = ETIMEDOUT; sounsplice(so, so->so_sp->ssp_socket, 0); } sounlock(so); + sbunlock(&so->so_rcv); } void sotask(void *arg) { struct socket *so = arg; + int doyield = 0; + int sockstream = (so->so_proto->pr_flags & PR_WANTRCVD); + + /* + * sblock() on `so_rcv' protects sockets from beind unspliced + * for UDP case. TCP sockets still rely on solock(). + */ + + sblock(&so->so_rcv, SBL_WAIT | SBL_NOINTR); + if (sockstream) + solock(so); - solock(so); if (so->so_rcv.sb_flags & SB_SPLICE) { - /* - * We may not sleep here as sofree() and unsplice() may be - * called from softnet interrupt context. This would remove - * the socket during somove(). - */ + if (sockstream) + doyield = 1; somove(so, M_DONTWAIT); } - sounlock(so); - /* Avoid user land starvation. */ - yield(); + if (sockstream) + sounlock(so); + sbunlock(&so->so_rcv); + + if (doyield) { + /* Avoid user land starvation. */ + yield(); + } } /* @@ -1546,24 +1642,32 @@ somove(struct socket *so, int wait) struct mbuf *m, **mp, *nextrecord; u_long len, off, oobmark; long space; - int error = 0, maxreached = 0; + int error = 0, maxreached = 0, unsplice = 0; unsigned int rcvstate; + int sockdgram = ((so->so_proto->pr_flags & + PR_WANTRCVD) == 0); - soassertlocked(so); + if (sockdgram) + sbassertlocked(&so->so_rcv); + else + soassertlocked(so); + + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); nextpkt: - if (so->so_error) { - error = so->so_error; + if ((error = READ_ONCE(so->so_error))) goto release; - } if (sosp->so_snd.sb_state & SS_CANTSENDMORE) { error = EPIPE; goto release; } - if (sosp->so_error && sosp->so_error != ETIMEDOUT && - sosp->so_error != EFBIG && sosp->so_error != ELOOP) { - error = sosp->so_error; - goto release; + + error = READ_ONCE(sosp->so_error); + if (error) { + if (error != ETIMEDOUT && error != EFBIG && error != ELOOP) + goto release; + error = 0; } if ((sosp->so_state & SS_ISCONNECTED) == 0) goto release; @@ -1577,26 +1681,21 @@ somove(struct socket *so, int wait) maxreached = 1; } } - mtx_enter(&sosp->so_snd.sb_mtx); space = sbspace_locked(sosp, &sosp->so_snd); if (so->so_oobmark && so->so_oobmark < len && so->so_oobmark < space + 1024) space += 1024; if (space <= 0) { - mtx_leave(&sosp->so_snd.sb_mtx); maxreached = 0; goto release; } if (space < len) { maxreached = 0; - if (space < sosp->so_snd.sb_lowat) { - mtx_leave(&sosp->so_snd.sb_mtx); + if (space < sosp->so_snd.sb_lowat) goto release; - } len = space; } sosp->so_snd.sb_state |= SS_ISSENDING; - mtx_leave(&sosp->so_snd.sb_mtx); SBLASTRECORDCHK(&so->so_rcv, "somove 1"); SBLASTMBUFCHK(&so->so_rcv, "somove 1"); @@ -1618,8 +1717,13 @@ somove(struct socket *so, int wait) m = m->m_next; if (m == NULL) { sbdroprecord(so, &so->so_rcv); - if (so->so_proto->pr_flags & PR_WANTRCVD) + if (so->so_proto->pr_flags & PR_WANTRCVD) { + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); pru_rcvd(so); + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + } goto nextpkt; } @@ -1724,11 +1828,15 @@ somove(struct socket *so, int wait) } /* Send window update to source peer as receive buffer has changed. */ - if (so->so_proto->pr_flags & PR_WANTRCVD) + if (so->so_proto->pr_flags & PR_WANTRCVD) { + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); pru_rcvd(so); + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + } /* Receive buffer did shrink by len bytes, adjust oob. */ - mtx_enter(&so->so_rcv.sb_mtx); rcvstate = so->so_rcv.sb_state; so->so_rcv.sb_state &= ~SS_RCVATMARK; oobmark = so->so_oobmark; @@ -1739,7 +1847,6 @@ somove(struct socket *so, int wait) if (oobmark >= len) oobmark = 0; } - mtx_leave(&so->so_rcv.sb_mtx); /* * Handle oob data. If any malloc fails, ignore error. @@ -1755,7 +1862,12 @@ somove(struct socket *so, int wait) } else if (oobmark) { o = m_split(m, oobmark, wait); if (o) { + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); error = pru_send(sosp, m, NULL, NULL); + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + if (error) { if (sosp->so_snd.sb_state & SS_CANTSENDMORE) @@ -1773,7 +1885,13 @@ somove(struct socket *so, int wait) if (o) { o->m_len = 1; *mtod(o, caddr_t) = *mtod(m, caddr_t); + + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); error = pru_sendoob(sosp, o, NULL, NULL); + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + if (error) { if (sosp->so_snd.sb_state & SS_CANTSENDMORE) error = EPIPE; @@ -1791,15 +1909,25 @@ somove(struct socket *so, int wait) } } - mtx_enter(&sosp->so_snd.sb_mtx); /* Append all remaining data to drain socket. */ if (so->so_rcv.sb_cc == 0 || maxreached) sosp->so_snd.sb_state &= ~SS_ISSENDING; - mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); + + if (sockdgram) + solock_shared(sosp); error = pru_send(sosp, m, NULL, NULL); + if (sockdgram) + sounlock_shared(sosp); + + mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); + if (error) { - if (sosp->so_snd.sb_state & SS_CANTSENDMORE) + if (sosp->so_snd.sb_state & SS_CANTSENDMORE || + sosp->so_pcb == NULL) error = EPIPE; goto release; } @@ -1810,26 +1938,35 @@ somove(struct socket *so, int wait) goto nextpkt; release: - mtx_enter(&sosp->so_snd.sb_mtx); sosp->so_snd.sb_state &= ~SS_ISSENDING; - mtx_leave(&sosp->so_snd.sb_mtx); if (!error && maxreached && so->so_splicemax == so->so_splicelen) error = EFBIG; if (error) - so->so_error = error; + WRITE_ONCE(so->so_error, error); + if (((so->so_rcv.sb_state & SS_CANTRCVMORE) && so->so_rcv.sb_cc == 0) || (sosp->so_snd.sb_state & SS_CANTSENDMORE) || - maxreached || error) { + maxreached || error) + unsplice = 1; + + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); + + if (unsplice) { + if (sockdgram) + solock(so); sounsplice(so, sosp, 0); + if (sockdgram) + sounlock(so); + return (0); } if (timerisset(&so->so_idletv)) timeout_add_tv(&so->so_idleto, &so->so_idletv); return (1); } - #endif /* SOCKET_SPLICE */ void @@ -1839,22 +1976,16 @@ sorwakeup(struct socket *so) soassertlocked_readonly(so); #ifdef SOCKET_SPLICE - if (so->so_rcv.sb_flags & SB_SPLICE) { - /* - * TCP has a sendbuffer that can handle multiple packets - * at once. So queue the stream a bit to accumulate data. - * The sosplice thread will call somove() later and send - * the packets calling tcp_output() only once. - * In the UDP case, send out the packets immediately. - * Using a thread would make things slower. - */ - if (so->so_proto->pr_flags & PR_WANTRCVD) + if (so->so_proto->pr_flags & PR_SPLICE) { + sb_mtx_lock(&so->so_rcv); + if (so->so_rcv.sb_flags & SB_SPLICE) task_add(sosplice_taskq, &so->so_splicetask); - else - somove(so, M_DONTWAIT); + if (isspliced(so)) { + sb_mtx_unlock(&so->so_rcv); + return; + } + sb_mtx_unlock(&so->so_rcv); } - if (isspliced(so)) - return; #endif sowakeup(so, &so->so_rcv); if (so->so_upcall) @@ -1868,10 +1999,17 @@ sowwakeup(struct socket *so) soassertlocked_readonly(so); #ifdef SOCKET_SPLICE - if (so->so_snd.sb_flags & SB_SPLICE) - task_add(sosplice_taskq, &so->so_sp->ssp_soback->so_splicetask); - if (issplicedback(so)) - return; + if (so->so_proto->pr_flags & PR_SPLICE) { + sb_mtx_lock(&so->so_snd); + if (so->so_snd.sb_flags & SB_SPLICE) + task_add(sosplice_taskq, + &so->so_sp->ssp_soback->so_splicetask); + if (issplicedback(so)) { + sb_mtx_unlock(&so->so_snd); + return; + } + sb_mtx_unlock(&so->so_snd); + } #endif sowakeup(so, &so->so_snd); } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 0e4002a4c..15a048e40 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.322 2024/07/19 15:41:58 bluhm Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.323 2024/07/20 17:26:19 mvs Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -1209,6 +1209,11 @@ udp_send(struct socket *so, struct mbuf *m, struct mbuf *addr, soassertlocked_readonly(so); + if (inp == NULL) { + /* PCB could be destroyed, but socket still spliced. */ + return (EINVAL); + } + #ifdef PIPEX if (inp->inp_pipex) { struct pipex_session *session; diff --git a/sys/sys/proc.h b/sys/sys/proc.h index fc19fd401..ee055bc8e 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.h,v 1.364 2024/07/17 09:54:14 claudio Exp $ */ +/* $OpenBSD: proc.h,v 1.365 2024/07/22 09:43:47 claudio Exp $ */ /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */ /*- @@ -287,7 +287,7 @@ struct process { #define PS_SINGLEEXIT 0x00001000 /* Other threads must die. */ #define PS_SINGLEUNWIND 0x00002000 /* Other threads must unwind. */ #define PS_NOZOMBIE 0x00004000 /* No signal or zombie at exit. */ -#define PS_STOPPED 0x00008000 /* Just stopped, need sig to parent. */ +#define PS_STOPPING 0x00008000 /* Just stopped, need sig to parent. */ #define PS_SYSTEM 0x00010000 /* No sigs, stats or swapping. */ #define PS_EMBRYO 0x00020000 /* New process, not yet fledged */ #define PS_ZOMBIE 0x00040000 /* Dead and ready to be waited for */ diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index d116c07d8..c2a36ad52 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: socketvar.h,v 1.132 2024/07/12 17:20:18 mvs Exp $ */ +/* $OpenBSD: socketvar.h,v 1.133 2024/07/20 17:26:19 mvs Exp $ */ /* $NetBSD: socketvar.h,v 1.18 1996/02/09 18:25:38 christos Exp $ */ /*- @@ -51,6 +51,33 @@ typedef __socklen_t socklen_t; /* length type for network syscalls */ TAILQ_HEAD(soqhead, socket); +/* + * Locks used to protect global data and struct members: + * I immutable after creation + * mr sb_mxt of so_rcv buffer + * ms sb_mtx of so_snd buffer + * br sblock() of so_rcv buffer + * bs sblock() od so_snd buffer + * s solock() + */ + +/* + * XXXSMP: tcp(4) sockets rely on exclusive solock() for all the cases. + */ + +/* + * Variables for socket splicing, allocated only when needed. + */ +struct sosplice { + struct socket *ssp_socket; /* [mr ms] send data to drain socket */ + struct socket *ssp_soback; /* [ms ms] back ref to source socket */ + off_t ssp_len; /* [mr] number of bytes spliced */ + off_t ssp_max; /* [I] maximum number of bytes */ + struct timeval ssp_idletv; /* [I] idle timeout */ + struct timeout ssp_idleto; + struct task ssp_task; /* task for somove */ +}; + /* * Kernel structure per socket. * Contains send and receive buffer queues, @@ -89,18 +116,8 @@ struct socket { short so_timeo; /* connection timeout */ u_long so_oobmark; /* chars to oob mark */ u_int so_error; /* error affecting connection */ -/* - * Variables for socket splicing, allocated only when needed. - */ - struct sosplice { - struct socket *ssp_socket; /* send data to drain socket */ - struct socket *ssp_soback; /* back ref to source socket */ - off_t ssp_len; /* number of bytes spliced */ - off_t ssp_max; /* maximum number of bytes */ - struct timeval ssp_idletv; /* idle timeout */ - struct timeout ssp_idleto; - struct task ssp_task; /* task for somove */ - } *so_sp; + + struct sosplice *so_sp; /* [s br] */ /* * Variables for socket buffering. */ @@ -330,6 +347,12 @@ int sblock(struct sockbuf *, int); /* release lock on sockbuf sb */ void sbunlock(struct sockbuf *); +static inline void +sbassertlocked(struct sockbuf *sb) +{ + rw_assert_wrlock(&sb->sb_lock); +} + #define SB_EMPTY_FIXUP(sb) do { \ if ((sb)->sb_mb == NULL) { \ (sb)->sb_mbtail = NULL; \ diff --git a/usr.bin/rpcgen/rpc_main.c b/usr.bin/rpcgen/rpc_main.c index 3d04fdc7f..ef82a7344 100644 --- a/usr.bin/rpcgen/rpc_main.c +++ b/usr.bin/rpcgen/rpc_main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rpc_main.c,v 1.35 2019/06/28 13:35:03 deraadt Exp $ */ +/* $OpenBSD: rpc_main.c,v 1.36 2024/07/22 17:55:18 dv Exp $ */ /* $NetBSD: rpc_main.c,v 1.9 1996/02/19 11:12:43 pk Exp $ */ /* @@ -480,7 +480,10 @@ h_output(infile, define, extend, outfile) outfilename = extend ? extendfile(infile, outfile) : outfile; open_output(infile, outfilename); add_warning(); - guard = generate_guard(outfilename ? outfilename : infile); + if (outfilename || infile) + guard = generate_guard(outfilename ? outfilename : infile); + else + guard = generate_guard("STDIN"); fprintf(fout, "#ifndef _%s\n#define _%s\n\n", guard, guard); diff --git a/usr.bin/tmux/options.c b/usr.bin/tmux/options.c index f39e2d1a5..e47999422 100644 --- a/usr.bin/tmux/options.c +++ b/usr.bin/tmux/options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: options.c,v 1.69 2022/06/17 07:28:05 nicm Exp $ */ +/* $OpenBSD: options.c,v 1.70 2024/07/22 15:27:42 nicm Exp $ */ /* * Copyright (c) 2008 Nicholas Marriott @@ -578,10 +578,28 @@ char * options_to_string(struct options_entry *o, int idx, int numeric) { struct options_array_item *a; + char *result = NULL; + char *last = NULL; + char *next; if (OPTIONS_IS_ARRAY(o)) { - if (idx == -1) - return (xstrdup("")); + if (idx == -1) { + RB_FOREACH(a, options_array, &o->value.array) { + next = options_value_to_string(o, &a->value, + numeric); + if (last == NULL) + result = next; + else { + xasprintf(&result, "%s %s", last, next); + free(last); + free(next); + } + last = result; + } + if (result == NULL) + return (xstrdup("")); + return (result); + } a = options_array_item(o, idx); if (a == NULL) return (xstrdup("")); diff --git a/usr.sbin/radiusctl/radiusctl.c b/usr.sbin/radiusctl/radiusctl.c index 9caaabe18..d3bc45eb8 100644 --- a/usr.sbin/radiusctl/radiusctl.c +++ b/usr.sbin/radiusctl/radiusctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusctl.c,v 1.10 2024/07/14 11:12:32 yasuoka Exp $ */ +/* $OpenBSD: radiusctl.c,v 1.11 2024/07/22 09:39:23 yasuoka Exp $ */ /* * Copyright (c) 2015 YASUOKA Masahiko * @@ -180,7 +180,6 @@ main(int argc, char *argv[]) iov[niov++].iov_len = sizeof(res->session_seq); imsg_composev(&ibuf, IMSG_RADIUSD_MODULE_IPCP_DISCONNECT, 0, 0, -1, iov, niov); - done = 1; break; } while (ibuf.w.queued) { @@ -200,6 +199,7 @@ main(int argc, char *argv[]) case IPCP_SHOW: case IPCP_DUMP: case IPCP_MONITOR: + case IPCP_DISCONNECT: done = ipcp_handle_imsg(res, &imsg, cnt++); break; default: @@ -625,6 +625,13 @@ ipcp_handle_imsg(struct parse_result *res, struct imsg *imsg, int cnt) datalen = imsg->hdr.len - IMSG_HEADER_SIZE; switch (imsg->hdr.type) { + case IMSG_OK: + if (datalen > 0 && *((char *)imsg->data + datalen - 1) == '\0') + fprintf(stderr, "OK: %s\n", (char *)imsg->data); + else + fprintf(stderr, "OK\n"); + done = 1; + break; case IMSG_NG: if (datalen > 0 && *((char *)imsg->data + datalen - 1) == '\0') fprintf(stderr, "error: %s\n", (char *)imsg->data); diff --git a/usr.sbin/radiusd/radiusd.c b/usr.sbin/radiusd/radiusd.c index fad3ed14b..571d18dd1 100644 --- a/usr.sbin/radiusd/radiusd.c +++ b/usr.sbin/radiusd/radiusd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd.c,v 1.51 2024/07/17 11:05:11 yasuoka Exp $ */ +/* $OpenBSD: radiusd.c,v 1.52 2024/07/22 09:27:16 yasuoka Exp $ */ /* * Copyright (c) 2013, 2023 Internet Initiative Japan Inc. @@ -83,8 +83,8 @@ static struct radiusd_module_radpkt_arg * radiusd_module_recv_radpkt(struct radiusd_module *, struct imsg *, uint32_t, const char *); static void radiusd_module_on_imsg_io(int, short, void *); -void radiusd_module_start(struct radiusd_module *); -void radiusd_module_stop(struct radiusd_module *); +static void radiusd_module_start(struct radiusd_module *); +static void radiusd_module_stop(struct radiusd_module *); static void radiusd_module_close(struct radiusd_module *); static void radiusd_module_userpass(struct radiusd_module *, struct radius_query *); diff --git a/usr.sbin/radiusd/radiusd_ipcp.c b/usr.sbin/radiusd/radiusd_ipcp.c index d007067ec..c4b6ca7fe 100644 --- a/usr.sbin/radiusd/radiusd_ipcp.c +++ b/usr.sbin/radiusd/radiusd_ipcp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd_ipcp.c,v 1.5 2024/07/17 11:31:46 yasuoka Exp $ */ +/* $OpenBSD: radiusd_ipcp.c,v 1.7 2024/07/22 10:00:16 yasuoka Exp $ */ /* * Copyright (c) 2024 Internet Initiative Japan Inc. @@ -68,6 +68,11 @@ struct user { char name[0]; }; +struct radiusctl_client { + int peerid; + TAILQ_ENTRY(radiusctl_client) entry; +}; + struct module_ipcp_dae; struct assigned_ipv4 { @@ -98,6 +103,7 @@ struct assigned_ipv4 { TAILQ_ENTRY(assigned_ipv4) dae_next; int dae_ntry; struct event dae_evtimer; + TAILQ_HEAD(, radiusctl_client) dae_clients; }; struct module_ipcp_ctrlconn { @@ -517,6 +523,7 @@ ipcp_config_set(void *ctx, const char *name, int argc, char * const * argv) *dae0 = dae; TAILQ_INIT(&dae0->reqs); TAILQ_INSERT_TAIL(&module->daes, dae0, next); + dae0->ipcp = module; } else if (strcmp(name, "_debug") == 0) log_init(1); else if (strncmp(name, "_", 1) == 0) @@ -544,6 +551,8 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg) size_t dumpsiz; u_int datalen; unsigned seq; + struct radiusctl_client *client; + const char *cause; datalen = imsg->hdr.len - IMSG_HEADER_SIZE; switch (imsg->hdr.type) { @@ -616,9 +625,13 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg) if (assign->seq == seq) break; } - if (assign == NULL) + if (assign == NULL) { + cause = "session not found"; log_warnx("Disconnect seq=%u requested, but the " "session is not found", seq); + module_imsg_compose(self->base, IMSG_NG, + imsg->hdr.peerid, 0, -1, cause, strlen(cause) + 1); + } else { if (assign->dae == NULL) log_warnx("Disconnect seq=%u requested, but " @@ -626,9 +639,18 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg) else { log_info("Disconnect seq=%u requested", assign->seq); + if ((client = calloc(1, sizeof(struct + radiusctl_client))) == NULL) { + log_warn("%s: calloc: %m", + __func__); + goto fail; + } + client->peerid = imsg->hdr.peerid; if (assign->dae_ntry == 0) ipcp_dae_send_disconnect_request( assign); + TAILQ_INSERT_TAIL(&assign->dae_clients, + client, entry); } } break; @@ -1189,6 +1211,7 @@ ipcp_ipv4_assign(struct module_ipcp *self, struct user *user, ip->authtime = self->uptime; RB_INSERT(assigned_ipv4_tree, &self->ipv4s, ip); TAILQ_INSERT_TAIL(&user->ipv4s, ip, next); + TAILQ_INIT(&ip->dae_clients); self->nsessions++; ip->seq = self->seq++; @@ -1324,8 +1347,8 @@ ipcp_restore_from_db(struct module_ipcp *self) if ((assigned = ipcp_ipv4_assign(self, user, ipv4)) == NULL) return (-1); - self->seq = MAXIMUM(assigned->seq + 1, self->seq); assigned->seq = record->seq; + self->seq = MAXIMUM(assigned->seq + 1, self->seq); strlcpy(assigned->auth_method, record->auth_method, sizeof(assigned->auth_method)); strlcpy(assigned->session_id, record->session_id, @@ -1562,12 +1585,14 @@ void ipcp_dae_on_event(int fd, short ev, void *ctx) { struct module_ipcp_dae *dae = ctx; + struct module_ipcp *self = dae->ipcp; RADIUS_PACKET *radres = NULL; int code; uint32_t u32; struct assigned_ipv4 *assign; char buf[80], causestr[80]; const char *cause = ""; + struct radiusctl_client *client; if ((ev & EV_READ) == 0) return; @@ -1627,6 +1652,19 @@ ipcp_dae_on_event(int fd, short ev, void *ctx) &dae->nas_addr, buf, sizeof(buf))); break; } + + TAILQ_FOREACH(client, &assign->dae_clients, entry) { + if (*cause != '\0') + module_imsg_compose(self->base, + (code == RADIUS_CODE_DISCONNECT_ACK) + ? IMSG_OK : IMSG_NG, client->peerid, 0, -1, + cause + 1, strlen(cause + 1) + 1); + else + module_imsg_compose(self->base, + (code == RADIUS_CODE_DISCONNECT_ACK) + ? IMSG_OK : IMSG_NG, client->peerid, 0, -1, + NULL, 0); + } ipcp_dae_reset_request(assign); out: if (radres != NULL) @@ -1636,6 +1674,8 @@ ipcp_dae_on_event(int fd, short ev, void *ctx) void ipcp_dae_reset_request(struct assigned_ipv4 *assign) { + struct radiusctl_client *client, *clientt; + if (assign->dae != NULL) { if (assign->dae_ntry > 0) TAILQ_REMOVE(&assign->dae->reqs, assign, dae_next); @@ -1645,6 +1685,10 @@ ipcp_dae_reset_request(struct assigned_ipv4 *assign) assign->dae_reqpkt = NULL; if (evtimer_pending(&assign->dae_evtimer, NULL)) evtimer_del(&assign->dae_evtimer); + TAILQ_FOREACH_SAFE(client, &assign->dae_clients, entry, clientt) { + TAILQ_REMOVE(&assign->dae_clients, client, entry); + free(client); + } assign->dae_ntry = 0; }