sync with OpenBSD -current

lib/libcrypto/cryptlib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptlib.c,v 1.53 2024/08/31 12:43:58 jsing Exp $ */
+/* $OpenBSD: cryptlib.c,v 1.54 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -334,6 +334,12 @@ CRYPTO_THREADID_hash(const CRYPTO_THREADID *id)
 
 uint64_t OPENSSL_ia32cap_P;
 
+uint64_t
+crypto_cpu_caps_ia32(void)
+{
+	return OPENSSL_ia32cap_P;
+}
+
 #if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM)
 #define OPENSSL_CPUID_SETUP
 void
@@ -352,6 +358,12 @@ OPENSSL_cpuid_setup(void)
 }
 #endif
 
+#else
+uint64_t
+crypto_cpu_caps_ia32(void)
+{
+	return 0;
+}
 #endif
 
 #if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)

lib/libcrypto/crypto_internal.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_internal.h,v 1.11 2024/08/11 13:02:39 jsing Exp $ */
+/*	$OpenBSD: crypto_internal.h,v 1.12 2024/09/06 09:57:32 tb Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -220,4 +220,6 @@ crypto_ror_u64(uint64_t v, size_t shift)
 }
 #endif
 
+uint64_t crypto_cpu_caps_ia32(void);
+
 #endif

lib/libcrypto/evp/e_aes.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.58 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -55,6 +55,8 @@
 
 #include <openssl/opensslconf.h>
 
+#include "crypto_internal.h"
+
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
 #include <openssl/err.h>
@@ -154,7 +156,7 @@ void AES_xts_decrypt(const char *inp, char *out, size_t len,
 #include "x86_arch.h"
 
 #ifdef VPAES_ASM
-#define VPAES_CAPABLE	(OPENSSL_cpu_caps() & CPUCAP_MASK_SSSE3)
+#define VPAES_CAPABLE	(crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3)
 #endif
 #ifdef BSAES_ASM
 #define BSAES_CAPABLE	VPAES_CAPABLE
@@ -162,7 +164,7 @@ void AES_xts_decrypt(const char *inp, char *out, size_t len,
 /*
  * AES-NI section
  */
-#define	AESNI_CAPABLE	(OPENSSL_cpu_caps() & CPUCAP_MASK_AESNI)
+#define	AESNI_CAPABLE	(crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
 
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
     AES_KEY *key);

lib/libcrypto/man/X509_LOOKUP_new.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.11 2024/04/22 02:30:23 jsg Exp $
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 22 2024 $
+.Dd $Mdocdate: September 6 2024 $
 .Dt X509_LOOKUP_NEW 3
 .Os
 .Sh NAME
@@ -131,8 +131,6 @@ This lookup method is peculiar in so far as calling
 on a lookup object using it does not yet add any certificates to the associated
 .Vt X509_STORE
 object.
-They need to be added selectively using
-.Fn X509_LOOKUP_by_subject .
 .It Xr X509_LOOKUP_file 3
 The
 .Fa command
@@ -238,19 +236,6 @@ always ignores the
 .Fa ret
 argument.
 .Pp
-With LibreSSL,
-.Fn X509_LOOKUP_by_subject
-is only useful if
-.Fa lookup
-uses
-.Xr X509_LOOKUP_hash_dir 3 .
-It passes the
-.Fa name
-to
-.Xr X509_NAME_hash 3
-and converts the resulting hash to an eight-digit lower-case
-hexadecimal number.
-.Pp
 If the
 .Fa type
 is
@@ -284,28 +269,6 @@ returns 1 for success or 0 for failure.
 With library implementations other than LibreSSL,
 it might also return \-1 for internal errors.
 .Pp
-.Fn X509_LOOKUP_by_subject
-returns 1 for success or 0 for failure.
-In particular, it fails if
-.Fa lookup
-uses
-.Xr X509_LOOKUP_file 3
-or
-.Xr X509_LOOKUP_mem 3 ,
-if
-.Fa name
-is
-.Dv NULL ,
-if
-.Fa type
-is neither
-.Dv X509_LU_X509
-nor
-.Dv X509_LU_CRL ,
-if no match is found, or if memory allocation fails.
-With library implementations other than LibreSSL,
-it might also return negative values for internal errors.
-.Pp
 .Fn X509_get_default_cert_dir
 returns a pointer to the constant string
 .Qq /etc/ssl/certs ,
@@ -355,8 +318,7 @@ failed in
 was called with an invalid
 .Fa type .
 .It Dv ERR_R_BUF_LIB Qq "BUF lib"
-Memory allocation failed in
-.Fn X509_LOOKUP_by_subject .
+Memory allocation failed.
 .It Dv X509_R_INVALID_DIRECTORY Qq "invalid directory"
 The
 .Fa source
@@ -390,10 +352,7 @@ was called with
 and adding the certificates and revocation lists failed.
 This error is added after and in addition to a more specific diagnostic.
 .It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed in
-.Fn X509_LOOKUP_ctrl
-or
-.Fn X509_LOOKUP_by_subject .
+Memory allocation failed.
 .It Dv ERR_R_PEM_LIB Qq "PEM lib"
 .Xr PEM_X509_INFO_read_bio 3 ,
 .Xr PEM_read_bio_X509_AUX 3 ,
@@ -409,7 +368,7 @@ or
 failed in
 .Fn X509_LOOKUP_ctrl .
 .It Dv X509_R_WRONG_LOOKUP_TYPE Qq "wrong lookup type"
-.Fn X509_LOOKUP_by_subject
+.Xr X509_STORE_CTX_get_by_subject 3
 was called with an invalid
 .Fa type .
 .El
@@ -418,12 +377,6 @@ Passing an invalid
 .Fa command
 to
 .Fn X509_LOOKUP_ctrl
-or calling
-.Fn X509_LOOKUP_by_subject
-with a
-.Dv NULL
-.Fa name
-or with arguments that yield no match
 causes failure but provides no diagnostics.
 .Sh SEE ALSO
 .Xr d2i_X509_bio 3 ,

lib/libcrypto/modes/gcm128.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.26 2023/08/10 07:18:43 jsing Exp $ */
+/* $OpenBSD: gcm128.c,v 1.27 2024/09/06 09:57:32 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -50,10 +50,13 @@
 
 #define OPENSSL_FIPSAPI
 
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
 
+#include <openssl/crypto.h>
+
+#include "crypto_internal.h"
+#include "modes_local.h"
+
 #ifndef MODES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
@@ -660,7 +663,7 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
 # if	defined(GHASH_ASM_X86_OR_64)
 #  if	!defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
 	/* check FXSR and PCLMULQDQ bits */
-	if ((OPENSSL_cpu_caps() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
+	if ((crypto_cpu_caps_ia32() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
 	    (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) {
 		gcm_init_clmul(ctx->Htable, ctx->H.u);
 		ctx->gmult = gcm_gmult_clmul;
@@ -671,9 +674,9 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
 	gcm_init_4bit(ctx->Htable, ctx->H.u);
 #  if	defined(GHASH_ASM_X86)			/* x86 only */
 #   if	defined(OPENSSL_IA32_SSE2)
-	if (OPENSSL_cpu_caps() & CPUCAP_MASK_SSE) {	/* check SSE bit */
+	if (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSE) {	/* check SSE bit */
 #   else
-	if (OPENSSL_cpu_caps() & CPUCAP_MASK_MMX) {	/* check MMX bit */
+	if (crypto_cpu_caps_ia32() & CPUCAP_MASK_MMX) {	/* check MMX bit */
 #   endif
 		ctx->gmult = gcm_gmult_4bit_mmx;
 		ctx->ghash = gcm_ghash_4bit_mmx;