sync code with last improvements from OpenBSD

distrib/sets/lists/comp/mi

@@ -1917,9 +1917,12 @@
 ./usr/share/man/man3/ESS_SIGNING_CERT_new.3
 ./usr/share/man/man3/EVP_AEAD_CTX_init.3
 ./usr/share/man/man3/EVP_BytesToKey.3
+./usr/share/man/man3/EVP_CIPHER_CTX_ctrl.3
 ./usr/share/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
+./usr/share/man/man3/EVP_CIPHER_CTX_set_flags.3
 ./usr/share/man/man3/EVP_CIPHER_do_all.3
 ./usr/share/man/man3/EVP_CIPHER_meth_new.3
+./usr/share/man/man3/EVP_CIPHER_nid.3
 ./usr/share/man/man3/EVP_DigestInit.3
 ./usr/share/man/man3/EVP_DigestSignInit.3
 ./usr/share/man/man3/EVP_DigestVerifyInit.3

lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3

@@ -0,0 +1,260 @@
+.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.1 2023/08/31 17:27:41 schwarze Exp $
+.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
+.\"
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018, 2023 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2018 Damien Miller <djm@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 31 2023 $
+.Dt EVP_CIPHER_CTX_CTRL 3
+.Os
+.Sh NAME
+.Nm EVP_CIPHER_CTX_ctrl ,
+.Nm EVP_CIPHER_CTX_set_padding ,
+.Nm EVP_CIPHER_CTX_set_key_length ,
+.Nm EVP_CIPHER_CTX_key_length ,
+.Nm EVP_CIPHER_key_length ,
+.Nm EVP_CIPHER_CTX_iv_length ,
+.Nm EVP_CIPHER_iv_length ,
+.Nm EVP_CIPHER_CTX_set_iv ,
+.Nm EVP_CIPHER_CTX_get_iv
+.Nd configure EVP cipher contexts
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft int
+.Fo EVP_CIPHER_CTX_ctrl
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "int type"
+.Fa "int arg"
+.Fa "void *ptr"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_set_padding
+.Fa "EVP_CIPHER_CTX *x"
+.Fa "int padding"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_set_key_length
+.Fa "EVP_CIPHER_CTX *x"
+.Fa "int keylen"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_key_length
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_key_length
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_iv_length
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_iv_length
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_set_iv
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "const unsigned char *iv"
+.Fa "size_t len"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_get_iv
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fa "unsigned char *iv"
+.Fa "size_t len"
+.Fc
+.Sh DESCRIPTION
+.Fn EVP_CIPHER_CTX_ctrl
+allows various cipher specific parameters to be determined and set.
+Currently only the RC2 effective key length can be set.
+.Pp
+.Fn EVP_CIPHER_CTX_set_padding
+enables or disables padding.
+This function should be called after the context is set up for
+encryption or decryption with
+.Xr EVP_EncryptInit_ex 3 ,
+.Xr EVP_DecryptInit_ex 3 ,
+or
+.Xr EVP_CipherInit_ex 3 .
+By default encryption operations are padded using standard block padding
+and the padding is checked and removed when decrypting.
+If the
+.Fa padding
+parameter is zero, then no padding is performed, the total amount of data
+encrypted or decrypted must then be a multiple of the block size or an
+error will occur.
+.Pp
+.Fn EVP_CIPHER_CTX_set_key_length
+sets the key length of the cipher ctx.
+If the cipher is a fixed length cipher, then attempting to set the key
+length to any value other than the fixed value is an error.
+.Pp
+.Fn EVP_CIPHER_CTX_key_length
+and
+.Fn EVP_CIPHER_key_length
+return the key length of a cipher when passed an
+.Vt EVP_CIPHER_CTX
+or
+.Vt EVP_CIPHER
+structure.
+The constant
+.Dv EVP_MAX_KEY_LENGTH
+is the maximum key length for all ciphers.
+Note: although
+.Fn EVP_CIPHER_key_length
+is fixed for a given cipher, the value of
+.Fn EVP_CIPHER_CTX_key_length
+may be different for variable key length ciphers.
+.Pp
+.Fn EVP_CIPHER_CTX_iv_length
+and
+.Fn EVP_CIPHER_iv_length
+return the IV length of a cipher when passed an
+.Vt EVP_CIPHER_CTX
+or
+.Vt EVP_CIPHER .
+It will return zero if the cipher does not use an IV.
+The constant
+.Dv EVP_MAX_IV_LENGTH
+is the maximum IV length for all ciphers.
+.Pp
+.Fn EVP_CIPHER_CTX_set_iv
+and
+.Fn EVP_CIPHER_CTX_get_iv
+set and retrieve the IV for an
+.Vt EVP_CIPHER_CTX ,
+respectively.
+In both cases, the specified IV length must exactly equal the expected
+IV length for the context as returned by
+.Fn EVP_CIPHER_CTX_iv_length .
+.Sh RETURN VALUES
+.Fn EVP_CIPHER_CTX_ctrl
+usually returns 1 for success, 0 for failure, or \-1 if the
+.Fa type
+is not supported by the
+.Fa ctx ,
+but there may be exceptions for some
+.Fa type
+arguments.
+.Pp
+.Fn EVP_CIPHER_CTX_set_padding
+always returns 1.
+.Pp
+.Fn EVP_CIPHER_CTX_set_key_length ,
+.Fn EVP_CIPHER_CTX_set_iv ,
+and
+.Fn EVP_CIPHER_CTX_get_iv
+return 1 for success or 0 for failure.
+.Pp
+.Fn EVP_CIPHER_CTX_key_length
+and
+.Fn EVP_CIPHER_key_length
+return the key length.
+.Pp
+.Fn EVP_CIPHER_CTX_iv_length
+and
+.Fn EVP_CIPHER_iv_length
+return the IV length or zero if the cipher does not use an IV.
+.Sh SEE ALSO
+.Xr evp 3 ,
+.Xr EVP_CIPHER_nid 3 ,
+.Xr EVP_EncryptInit 3
+.Sh HISTORY
+.Fn EVP_CIPHER_CTX_key_length ,
+.Fn EVP_CIPHER_key_length ,
+.Fn EVP_CIPHER_CTX_iv_length ,
+and
+.Fn EVP_CIPHER_iv_length
+first appeared in SSLeay 0.6.5 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn EVP_CIPHER_CTX_ctrl
+and
+.Fn EVP_CIPHER_CTX_set_key_length
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .
+.Pp
+.Fn EVP_CIPHER_CTX_set_padding
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
+.Pp
+.Fn EVP_CIPHER_CTX_set_iv
+and
+.Fn EVP_CIPHER_CTX_get_iv
+first appeared in LibreSSL 2.8.1 and have been available since
+.Ox 6.4 .
+.Sh BUGS
+.Dv EVP_MAX_KEY_LENGTH
+and
+.Dv EVP_MAX_IV_LENGTH
+only refer to the internal ciphers with default key lengths.
+If custom ciphers exceed these values, the results are unpredictable.
+This is because it has become standard practice to define a generic key
+as a fixed unsigned char array containing
+.Dv EVP_MAX_KEY_LENGTH
+bytes.

lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3

@@ -0,0 +1,228 @@
+.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.1 2023/08/31 17:27:41 schwarze Exp $
+.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
+.\"
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
+.\" and Patrick Steuer <patrick.steuer@de.ibm.com>.
+.\" Copyright (c) 2000, 2017 The OpenSSL Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 31 2023 $
+.Dt EVP_CIPHER_CTX_SET_FLAGS 3
+.Os
+.Sh NAME
+.Nm EVP_CIPHER_CTX_set_flags ,
+.Nm EVP_CIPHER_CTX_clear_flags ,
+.Nm EVP_CIPHER_CTX_test_flags ,
+.Nm EVP_CIPHER_CTX_rand_key ,
+.Nm EVP_CIPHER_param_to_asn1 ,
+.Nm EVP_CIPHER_asn1_to_param ,
+.Nm EVP_CIPHER_CTX_get_app_data ,
+.Nm EVP_CIPHER_CTX_set_app_data
+.Nd unusual EVP cipher context configuration
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft void
+.Fo EVP_CIPHER_CTX_set_flags
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "int flags"
+.Fc
+.Ft void
+.Fo EVP_CIPHER_CTX_clear_flags
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "int flags"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_test_flags
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "int flags"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_rand_key
+.Fa "EVP_CIPHER_CTX *ctx"
+.Fa "unsigned char *key"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_param_to_asn1
+.Fa "EVP_CIPHER_CTX *c"
+.Fa "ASN1_TYPE *type"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_asn1_to_param
+.Fa "EVP_CIPHER_CTX *c"
+.Fa "ASN1_TYPE *type"
+.Fc
+.Ft void *
+.Fo EVP_CIPHER_CTX_get_app_data
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft void
+.Fo EVP_CIPHER_CTX_set_app_data
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fa "void *data"
+.Fc
+.Sh DESCRIPTION
+.Fn EVP_CIPHER_CTX_set_flags
+enables the given
+.Fa flags
+in
+.Fa ctx .
+.Fn EVP_CIPHER_CTX_clear_flags
+disables the given
+.Fa flags
+in
+.Fa ctx .
+.Fn EVP_CIPHER_CTX_test_flags
+checks whether any of the given
+.Fa flags
+are currently set in
+.Fa ctx ,
+returning the subset of the
+.Fa flags
+that are set, or 0 if none of them are set.
+Currently, the only supported cipher context flag is
+.Dv EVP_CIPHER_CTX_FLAG_WRAP_ALLOW ;
+see
+.Xr EVP_aes_128_wrap 3
+for details.
+.Pp
+.Fn EVP_CIPHER_CTX_rand_key
+generates a random key of the appropriate length based on the cipher
+context.
+The
+.Vt EVP_CIPHER
+can provide its own random key generation routine to support keys
+of a specific form.
+The
+.Fa key
+argument must point to a buffer at least as big as the value returned by
+.Xr EVP_CIPHER_CTX_key_length 3 .
+.Pp
+.Fn EVP_CIPHER_param_to_asn1
+sets the ASN.1
+.Vt AlgorithmIdentifier
+parameter based on the passed cipher.
+This will typically include any parameters and an IV.
+The cipher IV (if any) must be set when this call is made.
+This call should be made before the cipher is actually "used" (before any
+.Xr EVP_EncryptUpdate 3
+or
+.Xr EVP_DecryptUpdate 3
+calls, for example).
+This function may fail if the cipher does not have any ASN.1 support.
+.Pp
+.Fn EVP_CIPHER_asn1_to_param
+sets the cipher parameters based on an ASN.1
+.Vt AlgorithmIdentifier
+parameter.
+The precise effect depends on the cipher.
+In the case of RC2, for example, it will set the IV and effective
+key length.
+This function should be called after the base cipher type is set but
+before the key is set.
+For example
+.Xr EVP_CipherInit 3
+will be called with the IV and key set to
+.Dv NULL ,
+.Fn EVP_CIPHER_asn1_to_param
+will be called and finally
+.Xr EVP_CipherInit 3
+again with all parameters except the key set to
+.Dv NULL .
+It is possible for this function to fail if the cipher does not
+have any ASN.1 support or the parameters cannot be set (for example
+the RC2 effective key length is not supported).
+.Sh RETURN VALUES
+.Fn EVP_CIPHER_CTX_rand_key
+return 1 for success or 0 for failure.
+.Pp
+.Fn EVP_CIPHER_param_to_asn1
+and
+.Fn EVP_CIPHER_asn1_to_param
+return greater than zero for success and zero or a negative number
+for failure.
+.Sh SEE ALSO
+.Xr evp 3 ,
+.Xr EVP_CIPHER_CTX_ctrl 3 ,
+.Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
+.Xr EVP_CIPHER_nid 3 ,
+.Xr EVP_EncryptInit 3
+.Sh HISTORY
+.Fn EVP_CIPHER_CTX_set_app_data
+and
+.Fn EVP_CIPHER_CTX_get_app_data
+first appeared in SSLeay 0.8.0.
+.Fn EVP_CIPHER_param_to_asn1
+and
+.Fn EVP_CIPHER_asn1_to_param
+first appeared in SSLeay 0.9.0.
+These functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn EVP_CIPHER_CTX_rand_key
+first appeared in OpenSSL 0.9.8 and has been available since
+.Ox 4.5 .
+.Sh BUGS
+The ASN.1 code is incomplete (and sometimes inaccurate).
+It has only been tested for certain common S/MIME ciphers
+(RC2, DES, triple DES) in CBC mode.

lib/libcrypto/man/EVP_CIPHER_nid.3

@@ -0,0 +1,215 @@
+.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.1 2023/08/31 17:27:41 schwarze Exp $
+.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
+.\"
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 31 2023 $
+.Dt EVP_CIPHER_NID 3
+.Os
+.Sh NAME
+.Nm EVP_CIPHER_nid ,
+.Nm EVP_CIPHER_CTX_nid ,
+.Nm EVP_CIPHER_type ,
+.Nm EVP_CIPHER_CTX_type ,
+.Nm EVP_CIPHER_block_size ,
+.Nm EVP_CIPHER_CTX_block_size ,
+.Nm EVP_CIPHER_flags ,
+.Nm EVP_CIPHER_CTX_flags ,
+.Nm EVP_CIPHER_mode ,
+.Nm EVP_CIPHER_CTX_mode
+.Nd inspect EVP_CIPHER objects
+.Sh SYNOPSIS
+.In openssl/evp.h
+.Ft int
+.Fo EVP_CIPHER_nid
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_nid
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_type
+.Fa "const EVP_CIPHER *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_type
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_block_size
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft int
+.Fo EVP_CIPHER_CTX_block_size
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft unsigned long
+.Fo EVP_CIPHER_flags
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft unsigned long
+.Fo EVP_CIPHER_CTX_flags
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Ft unsigned long
+.Fo EVP_CIPHER_mode
+.Fa "const EVP_CIPHER *e"
+.Fc
+.Ft unsigned long
+.Fo EVP_CIPHER_CTX_mode
+.Fa "const EVP_CIPHER_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+.Fn EVP_CIPHER_nid
+and
+.Fn EVP_CIPHER_CTX_nid
+return the NID of a cipher when passed an
+.Vt EVP_CIPHER
+or
+.Vt EVP_CIPHER_CTX
+structure.
+The actual NID value is an internal value which may not have a
+corresponding OBJECT IDENTIFIER.
+.Pp
+.Fn EVP_CIPHER_type
+and
+.Fn EVP_CIPHER_CTX_type
+return the type of the passed cipher or context.
+This "type" is the actual NID of the cipher OBJECT IDENTIFIER as such it
+ignores the cipher parameters and 40-bit RC2 and 128-bit RC2 have the
+same NID.
+If the cipher does not have an object identifier or does not
+have ASN.1 support, this function will return
+.Dv NID_undef .
+.Pp
+.Fn EVP_CIPHER_block_size
+and
+.Fn EVP_CIPHER_CTX_block_size
+return the block size of a cipher when passed an
+.Vt EVP_CIPHER
+or
+.Vt EVP_CIPHER_CTX
+structure.
+The constant
+.Dv EVP_MAX_BLOCK_LENGTH
+is also the maximum block length for all ciphers.
+.Pp
+.Fn EVP_CIPHER_mode
+and
+.Fn EVP_CIPHER_CTX_mode
+return the block cipher mode:
+.Dv EVP_CIPH_ECB_MODE ,
+.Dv EVP_CIPH_CBC_MODE ,
+.Dv EVP_CIPH_CFB_MODE ,
+.Dv EVP_CIPH_OFB_MODE ,
+.Dv EVP_CIPH_CTR_MODE ,
+or
+.Dv EVP_CIPH_XTS_MODE .
+If the cipher is a stream cipher then
+.Dv EVP_CIPH_STREAM_CIPHER
+is returned.
+.Sh RETURN VALUES
+.Fn EVP_CIPHER_nid
+and
+.Fn EVP_CIPHER_CTX_nid
+return a NID.
+.Pp
+.Fn EVP_CIPHER_type
+and
+.Fn EVP_CIPHER_CTX_type
+return the NID of the cipher's OBJECT IDENTIFIER or
+.Dv NID_undef
+if it has no defined OBJECT IDENTIFIER.
+.Pp
+.Fn EVP_CIPHER_block_size
+and
+.Fn EVP_CIPHER_CTX_block_size
+return the block size.
+.Sh SEE ALSO
+.Xr evp 3 ,
+.Xr EVP_CIPHER_CTX_ctrl 3 ,
+.Xr EVP_EncryptInit 3
+.Sh HISTORY
+.Fn EVP_CIPHER_type ,
+.Fn EVP_CIPHER_CTX_type ,
+.Fn EVP_CIPHER_block_size ,
+and
+.Fn EVP_CIPHER_CTX_block_size
+first appeared in SSLeay 0.6.5.
+.Fn EVP_CIPHER_nid
+and
+.Fn EVP_CIPHER_CTX_nid
+first appeared in SSLeay 0.8.0.
+All these functions have been available since
+.Ox 2.4 .
+.Pp
+.Fn EVP_CIPHER_flags ,
+.Fn EVP_CIPHER_CTX_flags ,
+.Fn EVP_CIPHER_mode ,
+and
+.Fn EVP_CIPHER_CTX_mode
+first appeared in OpenSSL 0.9.6 and have been available since
+.Ox 2.9 .

lib/libcrypto/man/EVP_EncryptInit.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncryptInit.3,v 1.47 2023/08/26 15:01:56 schwarze Exp $
+.\" $OpenBSD: EVP_EncryptInit.3,v 1.48 2023/08/31 17:27:41 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"   EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
 .\"   7c6d372a Nov 20 13:20:01 2018 +0000
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 26 2023 $
+.Dd $Mdocdate: August 31 2023 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
@@ -96,37 +96,10 @@
 .Nm EVP_CipherFinal ,
 .Nm EVP_Cipher ,
 .Nm EVP_CIPHER_CTX_encrypting ,
-.Nm EVP_CIPHER_CTX_set_flags ,
-.Nm EVP_CIPHER_CTX_clear_flags ,
-.Nm EVP_CIPHER_CTX_test_flags ,
-.Nm EVP_CIPHER_CTX_set_padding ,
-.Nm EVP_CIPHER_CTX_set_key_length ,
-.Nm EVP_CIPHER_CTX_ctrl ,
-.Nm EVP_CIPHER_CTX_rand_key ,
 .Nm EVP_get_cipherbyname ,
 .Nm EVP_get_cipherbynid ,
 .Nm EVP_get_cipherbyobj ,
-.Nm EVP_CIPHER_nid ,
-.Nm EVP_CIPHER_block_size ,
-.Nm EVP_CIPHER_key_length ,
-.Nm EVP_CIPHER_iv_length ,
-.Nm EVP_CIPHER_flags ,
-.Nm EVP_CIPHER_mode ,
-.Nm EVP_CIPHER_type ,
 .Nm EVP_CIPHER_CTX_cipher ,
-.Nm EVP_CIPHER_CTX_nid ,
-.Nm EVP_CIPHER_CTX_block_size ,
-.Nm EVP_CIPHER_CTX_key_length ,
-.Nm EVP_CIPHER_CTX_iv_length ,
-.Nm EVP_CIPHER_CTX_get_iv ,
-.Nm EVP_CIPHER_CTX_set_iv ,
-.Nm EVP_CIPHER_CTX_get_app_data ,
-.Nm EVP_CIPHER_CTX_set_app_data ,
-.Nm EVP_CIPHER_CTX_type ,
-.Nm EVP_CIPHER_CTX_flags ,
-.Nm EVP_CIPHER_CTX_mode ,
-.Nm EVP_CIPHER_param_to_asn1 ,
-.Nm EVP_CIPHER_asn1_to_param ,
 .Nm EVP_enc_null ,
 .Nm EVP_idea_cbc ,
 .Nm EVP_idea_ecb ,
@@ -294,43 +267,6 @@
 .Fo EVP_CIPHER_CTX_encrypting
 .Fa "const EVP_CIPHER_CTX *ctx"
 .Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_set_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_clear_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_test_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_padding
-.Fa "EVP_CIPHER_CTX *x"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_key_length
-.Fa "EVP_CIPHER_CTX *x"
-.Fa "int keylen"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_ctrl
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int type"
-.Fa "int arg"
-.Fa "void *ptr"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_rand_key
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *key"
-.Fc
 .Ft const EVP_CIPHER *
 .Fo EVP_get_cipherbyname
 .Fa "const char *name"
@@ -343,97 +279,10 @@
 .Fo EVP_get_cipherbyobj
 .Fa "const ASN1_OBJECT *a"
 .Fc
-.Ft int
-.Fo EVP_CIPHER_nid
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_block_size
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_key_length
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_iv_length
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_flags
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_mode
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_type
-.Fa "const EVP_CIPHER *ctx"
-.Fc
 .Ft const EVP_CIPHER *
 .Fo EVP_CIPHER_CTX_cipher
 .Fa "const EVP_CIPHER_CTX *ctx"
 .Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_nid
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_block_size
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_key_length
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_iv_length
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_get_iv
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *iv"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_iv
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const unsigned char *iv"
-.Fa "size_t len"
-.Fc
-.Ft void *
-.Fo EVP_CIPHER_CTX_get_app_data
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_set_app_data
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fa "void *data"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_type
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_CTX_flags
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_CTX_mode
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_param_to_asn1
-.Fa "EVP_CIPHER_CTX *c"
-.Fa "ASN1_TYPE *type"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_asn1_to_param
-.Fa "EVP_CIPHER_CTX *c"
-.Fa "ASN1_TYPE *type"
-.Fc
 .Sh DESCRIPTION
 The EVP cipher routines are a high level interface to certain symmetric
 ciphers.
@@ -492,7 +341,7 @@ and
 objects used by
 .Fa in
 and any application specific data set with
-.Fn EVP_CIPHER_CTX_set_app_data
+.Xr EVP_CIPHER_CTX_set_app_data 3
 are not copied and
 .Fa out
 will point to the same three objects.
@@ -507,7 +356,7 @@ If the bit
 .Dv EVP_CIPH_CUSTOM_COPY
 has been set with
 .Xr EVP_CIPHER_meth_set_flags 3 ,
-.Fn EVP_CIPHER_CTX_ctrl
+.Xr EVP_CIPHER_CTX_ctrl 3
 is called at the end with arguments
 .Fa in ,
 .Dv EVP_CTRL_COPY ,
@@ -690,123 +539,6 @@ structure when passed a cipher name, a NID or an
 .Vt ASN1_OBJECT
 structure.
 .Pp
-.Fn EVP_CIPHER_nid
-and
-.Fn EVP_CIPHER_CTX_nid
-return the NID of a cipher when passed an
-.Vt EVP_CIPHER
-or
-.Vt EVP_CIPHER_CTX
-structure.
-The actual NID value is an internal value which may not have a
-corresponding OBJECT IDENTIFIER.
-.Pp
-.Fn EVP_CIPHER_CTX_set_flags
-enables the given
-.Fa flags
-in
-.Fa ctx .
-.Fn EVP_CIPHER_CTX_clear_flags
-disables the given
-.Fa flags
-in
-.Fa ctx .
-.Fn EVP_CIPHER_CTX_test_flags
-checks whether any of the given
-.Fa flags
-are currently set in
-.Fa ctx ,
-returning the subset of the
-.Fa flags
-that are set, or 0 if none of them are set.
-Currently, the only supported cipher context flag is
-.Dv EVP_CIPHER_CTX_FLAG_WRAP_ALLOW ;
-see
-.Xr EVP_aes_128_wrap 3
-for details.
-.Pp
-.Fn EVP_CIPHER_CTX_set_padding
-enables or disables padding.
-This function should be called after the context is set up for
-encryption or decryption with
-.Fn EVP_EncryptInit_ex ,
-.Fn EVP_DecryptInit_ex ,
-or
-.Fn EVP_CipherInit_ex .
-By default encryption operations are padded using standard block padding
-and the padding is checked and removed when decrypting.
-If the
-.Fa padding
-parameter is zero, then no padding is performed, the total amount of data
-encrypted or decrypted must then be a multiple of the block size or an
-error will occur.
-.Pp
-.Fn EVP_CIPHER_key_length
-and
-.Fn EVP_CIPHER_CTX_key_length
-return the key length of a cipher when passed an
-.Vt EVP_CIPHER
-or
-.Vt EVP_CIPHER_CTX
-structure.
-The constant
-.Dv EVP_MAX_KEY_LENGTH
-is the maximum key length for all ciphers.
-Note: although
-.Fn EVP_CIPHER_key_length
-is fixed for a given cipher, the value of
-.Fn EVP_CIPHER_CTX_key_length
-may be different for variable key length ciphers.
-.Pp
-.Fn EVP_CIPHER_CTX_set_key_length
-sets the key length of the cipher ctx.
-If the cipher is a fixed length cipher, then attempting to set the key
-length to any value other than the fixed value is an error.
-.Pp
-.Fn EVP_CIPHER_iv_length
-and
-.Fn EVP_CIPHER_CTX_iv_length
-return the IV length of a cipher when passed an
-.Vt EVP_CIPHER
-or
-.Vt EVP_CIPHER_CTX .
-It will return zero if the cipher does not use an IV.
-The constant
-.Dv EVP_MAX_IV_LENGTH
-is the maximum IV length for all ciphers.
-.Pp
-.Fn EVP_CIPHER_CTX_get_iv
-and
-.Fn EVP_CIPHER_CTX_set_iv
-will respectively retrieve and set the IV for an
-.Vt EVP_CIPHER_CTX .
-In both cases, the specified IV length must exactly equal the expected
-IV length for the context as returned by
-.Fn EVP_CIPHER_CTX_iv_length .
-.Pp
-.Fn EVP_CIPHER_block_size
-and
-.Fn EVP_CIPHER_CTX_block_size
-return the block size of a cipher when passed an
-.Vt EVP_CIPHER
-or
-.Vt EVP_CIPHER_CTX
-structure.
-The constant
-.Dv EVP_MAX_BLOCK_LENGTH
-is also the maximum block length for all ciphers.
-.Pp
-.Fn EVP_CIPHER_type
-and
-.Fn EVP_CIPHER_CTX_type
-return the type of the passed cipher or context.
-This "type" is the actual NID of the cipher OBJECT IDENTIFIER as such it
-ignores the cipher parameters and 40-bit RC2 and 128-bit RC2 have the
-same NID.
-If the cipher does not have an object identifier or does not
-have ASN.1 support, this function will return
-.Dv NID_undef .
-.Pp
 .Fn EVP_CIPHER_CTX_cipher
 returns the
 .Vt EVP_CIPHER
@@ -814,72 +546,6 @@ structure when passed an
 .Vt EVP_CIPHER_CTX
 structure.
 .Pp
-.Fn EVP_CIPHER_mode
-and
-.Fn EVP_CIPHER_CTX_mode
-return the block cipher mode:
-.Dv EVP_CIPH_ECB_MODE ,
-.Dv EVP_CIPH_CBC_MODE ,
-.Dv EVP_CIPH_CFB_MODE ,
-.Dv EVP_CIPH_OFB_MODE ,
-.Dv EVP_CIPH_CTR_MODE ,
-or
-.Dv EVP_CIPH_XTS_MODE .
-If the cipher is a stream cipher then
-.Dv EVP_CIPH_STREAM_CIPHER
-is returned.
-.Pp
-.Fn EVP_CIPHER_param_to_asn1
-sets the ASN.1
-.Vt AlgorithmIdentifier
-parameter based on the passed cipher.
-This will typically include any parameters and an IV.
-The cipher IV (if any) must be set when this call is made.
-This call should be made before the cipher is actually "used" (before any
-.Fn EVP_EncryptUpdate
-or
-.Fn EVP_DecryptUpdate
-calls, for example).
-This function may fail if the cipher does not have any ASN.1 support.
-.Pp
-.Fn EVP_CIPHER_asn1_to_param
-sets the cipher parameters based on an ASN.1
-.Vt AlgorithmIdentifier
-parameter.
-The precise effect depends on the cipher.
-In the case of RC2, for example, it will set the IV and effective
-key length.
-This function should be called after the base cipher type is set but
-before the key is set.
-For example
-.Fn EVP_CipherInit
-will be called with the IV and key set to
-.Dv NULL ,
-.Fn EVP_CIPHER_asn1_to_param
-will be called and finally
-.Fn EVP_CipherInit
-again with all parameters except the key set to
-.Dv NULL .
-It is possible for this function to fail if the cipher does not
-have any ASN.1 support or the parameters cannot be set (for example
-the RC2 effective key length is not supported).
-.Pp
-.Fn EVP_CIPHER_CTX_ctrl
-allows various cipher specific parameters to be determined and set.
-Currently only the RC2 effective key length can be set.
-.Pp
-.Fn EVP_CIPHER_CTX_rand_key
-generates a random key of the appropriate length based on the cipher
-context.
-The
-.Vt EVP_CIPHER
-can provide its own random key generation routine to support keys
-of a specific form.
-The
-.Fa key
-argument must point to a buffer at least as big as the value returned by
-.Fn EVP_CIPHER_CTX_key_length .
-.Pp
 Where possible the EVP interface to symmetric ciphers should be
 used in preference to the low level interfaces.
 This is because the code then becomes transparent to the cipher used and
@@ -938,8 +604,6 @@ for failure.
 .Fn EVP_CIPHER_CTX_reset ,
 .Fn EVP_CIPHER_CTX_cleanup ,
 .Fn EVP_CIPHER_CTX_copy ,
-.Fn EVP_CIPHER_CTX_get_iv ,
-.Fn EVP_CIPHER_CTX_set_iv ,
 .Fn EVP_EncryptInit_ex ,
 .Fn EVP_EncryptUpdate ,
 .Fn EVP_EncryptFinal_ex ,
@@ -955,10 +619,8 @@ for failure.
 .Fn EVP_DecryptFinal ,
 .Fn EVP_CipherInit ,
 .Fn EVP_CipherFinal ,
-.Fn EVP_Cipher ,
-.Fn EVP_CIPHER_CTX_set_key_length ,
 and
-.Fn EVP_CIPHER_CTX_rand_key
+.Fn EVP_Cipher
 return 1 for success or 0 for failure.
 .Pp
 .Fn EVP_CIPHER_CTX_encrypting
@@ -967,18 +629,6 @@ returns 1 if
 is initialized for encryption or 0 otherwise, in which case
 it may be uninitialized or initialized for decryption.
 .Pp
-.Fn EVP_CIPHER_CTX_set_padding
-always returns 1.
-.Pp
-.Fn EVP_CIPHER_CTX_ctrl
-usually returns 1 for success, 0 for failure, or \-1 if the
-.Fa type
-is not supported by the
-.Fa ctx ,
-but there may be exceptions for some
-.Fa type
-arguments.
-.Pp
 .Fn EVP_get_cipherbyname ,
 .Fn EVP_get_cipherbynid ,
 and
@@ -989,43 +639,10 @@ structure or
 .Dv NULL
 on error.
 .Pp
-.Fn EVP_CIPHER_nid
-and
-.Fn EVP_CIPHER_CTX_nid
-return a NID.
-.Pp
-.Fn EVP_CIPHER_block_size
-and
-.Fn EVP_CIPHER_CTX_block_size
-return the block size.
-.Pp
-.Fn EVP_CIPHER_key_length
-and
-.Fn EVP_CIPHER_CTX_key_length
-return the key length.
-.Pp
-.Fn EVP_CIPHER_iv_length
-and
-.Fn EVP_CIPHER_CTX_iv_length
-return the IV length or zero if the cipher does not use an IV.
-.Pp
-.Fn EVP_CIPHER_type
-and
-.Fn EVP_CIPHER_CTX_type
-return the NID of the cipher's OBJECT IDENTIFIER or
-.Dv NID_undef
-if it has no defined OBJECT IDENTIFIER.
-.Pp
 .Fn EVP_CIPHER_CTX_cipher
 returns an
 .Vt EVP_CIPHER
 structure.
-.Pp
-.Fn EVP_CIPHER_param_to_asn1
-and
-.Fn EVP_CIPHER_asn1_to_param
-return greater than zero for success and zero or a negative number
-for failure.
 .Sh CIPHER LISTING
 All algorithms have a fixed key length unless otherwise stated.
 .Bl -tag -width Ds
@@ -1064,9 +681,9 @@ RC2 algorithm in CBC mode with a default key length and effective key
 length of 40 and 64 bits.
 These are obsolete and new code should use
 .Fn EVP_rc2_cbc ,
-.Fn EVP_CIPHER_CTX_set_key_length ,
+.Xr EVP_CIPHER_CTX_set_key_length 3 ,
 and
-.Fn EVP_CIPHER_CTX_ctrl
+.Xr EVP_CIPHER_CTX_ctrl 3
 to set the key length and effective key length.
 .It Xo
 .Fn EVP_bf_cbc ,
@@ -1310,7 +927,10 @@ do_crypt(FILE *in, FILE *out, int do_encrypt)
 .Xr EVP_aes_128_cbc 3 ,
 .Xr EVP_camellia_128_cbc 3 ,
 .Xr EVP_chacha20 3 ,
+.Xr EVP_CIPHER_CTX_ctrl 3 ,
 .Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
+.Xr EVP_CIPHER_CTX_set_flags 3 ,
+.Xr EVP_CIPHER_nid 3 ,
 .Xr EVP_des_cbc 3 ,
 .Xr EVP_OpenInit 3 ,
 .Xr EVP_rc4 3 ,
@@ -1339,16 +959,7 @@ first appeared in SSLeay 0.5.1.
 and
 .Fn EVP_rc2_ofb
 first appeared in SSLeay 0.5.2.
-.Fn EVP_Cipher ,
+.Fn EVP_Cipher
-.Fn EVP_CIPHER_block_size ,
-.Fn EVP_CIPHER_key_length ,
-.Fn EVP_CIPHER_iv_length ,
-.Fn EVP_CIPHER_type ,
-.Fn EVP_CIPHER_CTX_block_size ,
-.Fn EVP_CIPHER_CTX_key_length ,
-.Fn EVP_CIPHER_CTX_iv_length ,
-and
-.Fn EVP_CIPHER_CTX_type
 first appeared in SSLeay 0.6.5.
 .Fn EVP_bf_cbc ,
 .Fn EVP_bf_ecb ,
@@ -1358,20 +969,13 @@ and
 first appeared in SSLeay 0.6.6.
 .Fn EVP_CIPHER_CTX_cleanup ,
 .Fn EVP_get_cipherbyobj ,
-.Fn EVP_CIPHER_nid ,
 .Fn EVP_CIPHER_CTX_cipher ,
-.Fn EVP_CIPHER_CTX_nid ,
-.Fn EVP_CIPHER_CTX_get_app_data ,
-.Fn EVP_CIPHER_CTX_set_app_data ,
 and
 .Fn EVP_enc_null
 first appeared in SSLeay 0.8.0.
 .Fn EVP_get_cipherbynid
 first appeared in SSLeay 0.8.1.
-.Fn EVP_CIPHER_CTX_init ,
+.Fn EVP_CIPHER_CTX_init
-.Fn EVP_CIPHER_param_to_asn1 ,
-and
-.Fn EVP_CIPHER_asn1_to_param
 first appeared in SSLeay 0.9.0.
 All these functions have been available since
 .Ox 2.4 .
@@ -1379,30 +983,16 @@ All these functions have been available since
 .Fn EVP_rc2_40_cbc
 and
 .Fn EVP_rc2_64_cbc
-first appeared in SSL_eay 0.9.1.
+first appeared in SSLeay 0.9.1 and have been available since
-.Fn EVP_CIPHER_CTX_type
-first appeared in OpenSSL 0.9.3.
-These functions have been available since
 .Ox 2.6 .
 .Pp
-.Fn EVP_CIPHER_CTX_set_key_length ,
-.Fn EVP_CIPHER_CTX_ctrl ,
-.Fn EVP_CIPHER_flags ,
-.Fn EVP_CIPHER_mode ,
-.Fn EVP_CIPHER_CTX_flags ,
-and
-.Fn EVP_CIPHER_CTX_mode
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
 .Fn EVP_EncryptInit_ex ,
 .Fn EVP_EncryptFinal_ex ,
 .Fn EVP_DecryptInit_ex ,
 .Fn EVP_DecryptFinal_ex ,
 .Fn EVP_CipherInit_ex ,
-.Fn EVP_CipherFinal_ex ,
 and
-.Fn EVP_CIPHER_CTX_set_padding
+.Fn EVP_CipherFinal_ex
 first appeared in OpenSSL 0.9.7 and have been available since
 .Ox 3.2 .
 .Pp
@@ -1414,13 +1004,10 @@ and
 first appeared in OpenSSL 0.9.7e and have been available since
 .Ox 3.8 .
 .Pp
-.Fn EVP_CIPHER_CTX_rand_key
-first appeared in OpenSSL 0.9.8.
 .Fn EVP_CIPHER_CTX_new
 and
 .Fn EVP_CIPHER_CTX_free
-first appeared in OpenSSL 0.9.8b.
+first appeared in OpenSSL 0.9.8b and have been available since
-These functions have been available since
 .Ox 4.5 .
 .Pp
 .Fn EVP_CIPHER_CTX_copy
@@ -1435,27 +1022,7 @@ first appeared in OpenSSL 1.1.0 and has been available since
 .Fn EVP_CIPHER_CTX_encrypting
 first appeared in OpenSSL 1.1.0 and has been available since
 .Ox 6.4 .
-.Pp
-.Fn EVP_CIPHER_CTX_get_iv
-and
-.Fn EVP_CIPHER_CTX_set_iv
-first appeared in LibreSSL 2.8.1 and have been available since
-.Ox 6.4 .
 .Sh BUGS
-.Dv EVP_MAX_KEY_LENGTH
-and
-.Dv EVP_MAX_IV_LENGTH
-only refer to the internal ciphers with default key lengths.
-If custom ciphers exceed these values, the results are unpredictable.
-This is because it has become standard practice to define a generic key
-as a fixed unsigned char array containing
-.Dv EVP_MAX_KEY_LENGTH
-bytes.
-.Pp
-The ASN.1 code is incomplete (and sometimes inaccurate).
-It has only been tested for certain common S/MIME ciphers
-(RC2, DES, triple DES) in CBC mode.
-.Pp
 .Fn EVP_CIPHER_CTX_copy
 may already have cleared the data in
 .Fa out

lib/libcrypto/man/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.265 2023/08/30 00:58:57 tb Exp $
+# $OpenBSD: Makefile,v 1.266 2023/08/31 17:27:41 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -164,9 +164,12 @@ MAN=	\
 	ESS_SIGNING_CERT_new.3 \
 	EVP_AEAD_CTX_init.3 \
 	EVP_BytesToKey.3 \
+	EVP_CIPHER_CTX_ctrl.3 \
 	EVP_CIPHER_CTX_get_cipher_data.3 \
+	EVP_CIPHER_CTX_set_flags.3 \
 	EVP_CIPHER_do_all.3 \
 	EVP_CIPHER_meth_new.3 \
+	EVP_CIPHER_nid.3 \
 	EVP_DigestInit.3 \
 	EVP_DigestSignInit.3 \
 	EVP_DigestVerifyInit.3 \

lib/libcrypto/man/evp.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: evp.3,v 1.21 2023/08/30 00:58:57 tb Exp $
+.\" $OpenBSD: evp.3,v 1.22 2023/08/31 17:27:41 schwarze Exp $
 .\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 30 2023 $
+.Dd $Mdocdate: August 31 2023 $
 .Dt EVP 3
 .Os
 .Sh NAME
@@ -199,9 +199,12 @@ operations are more efficient using the high-level interfaces.
 .Xr EVP_BytesToKey 3 ,
 .Xr EVP_camellia_128_cbc 3 ,
 .Xr EVP_chacha20 3 ,
+.Xr EVP_CIPHER_CTX_ctrl 3 ,
 .Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
+.Xr EVP_CIPHER_CTX_set_flags 3 ,
 .Xr EVP_CIPHER_do_all 3 ,
 .Xr EVP_CIPHER_meth_new 3 ,
+.Xr EVP_CIPHER_nid 3 ,
 .Xr EVP_des_cbc 3 ,
 .Xr EVP_DigestInit 3 ,
 .Xr EVP_DigestSignInit 3 ,

regress/sbin/bioctl/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.7 2023/08/30 16:45:57 kn Exp $
+#	$OpenBSD: Makefile,v 1.9 2023/08/30 17:40:08 kn Exp $
 
 BIOCTL ?=		/sbin/bioctl
 
@@ -6,21 +6,27 @@ CHUNKFILE =		disk.img
 CHUNKDEVFILE =		chunk.txt
 VOLDEVFILE =		vol.txt
 ROUNDSFILE =		rounds.txt
+PASSFILE =		passphrase.txt
 
 OLDPW =			oldsecret
 NEWPW =			securenew
 NROUNDS ?=		17
 
-REGRESS_SETUP_ONCE =	create-chunk
+REGRESS_SETUP_ONCE =	create-chunk create-passfile
 
 create-chunk:
 	dd if=/dev/zero of=${CHUNKFILE} bs=512k count=0 seek=1 status=none
 	${SUDO} vnconfig -- ${CHUNKFILE} 1>${CHUNKDEVFILE}
 	echo 'RAID *' | ${SUDO} disklabel -wAT- -- "$$(<${CHUNKDEVFILE})"
 
+create-passfile:
+	${SUDO} install -o root -m u=rw,go= /dev/null ${PASSFILE}
+	printf '%s\n' '${OLDPW}' | ${SUDO} tee ${PASSFILE} 1>/dev/null
+
 
 SUCCESS_TESTS =			scripted-create-volume \
 				scripted-recreate-volume \
+				reopen-volume-with-passfile \
 				scripted-change-passphrase \
 				verify-increased-rounds
 REGRESS_TARGETS =		${SUCCESS_TESTS}
@@ -36,6 +42,10 @@ scripted-recreate-volume: detach-volume
 		${SUDO} ${BIOCTL} -s -Cforce -r${NROUNDS} -cC -l"$$(<${CHUNKDEVFILE})a" -- softraid0 | \
 		grep -o 'sd[0-9]*$$' -- 1>${VOLDEVFILE}
 
+reopen-volume-with-passfile: detach-volume
+	${SUDO} ${BIOCTL} -p${PASSFILE} -cC -l"$$(<${CHUNKDEVFILE})a" -- softraid0 | \
+		grep -o 'sd[0-9]*$$' -- 1>${VOLDEVFILE}
+
 scripted-change-passphrase:
 	printf '%s\n%s\n' '${OLDPW}' '${NEWPW}' | \
 		${SUDO} ${BIOCTL} -s -P -v -- "$$(<${VOLDEVFILE})" | \
@@ -49,6 +59,8 @@ verify-increased-rounds:
 
 
 FAILURE_TESTS =			reuse-active-chunk \
+				use-public-passfile \
+				use-foreign-passfile \
 				set-empty-passphrase
 REGRESS_EXPECTED_FAILURES +=	${FAILURE_TESTS}
 REGRESS_TARGETS +=		${FAILURE_TESTS}
@@ -57,6 +69,14 @@ REGRESS_ROOT_TARGETS +=		${FAILURE_TESTS}
 reuse-active-chunk:
 	${SUDO} ${BIOCTL} -cC -l"$$(<${CHUNKDEVFILE})a" -- softraid0
 
+use-public-passfile:
+	${SUDO} chmod a=rwx ${PASSFILE}
+	${SUDO} ${BIOCTL} -p${PASSFILE} -P -- "$$(<${VOLDEVFILE})"
+
+use-foreign-passfile:
+	${SUDO} chown build ${PASSFILE}
+	${SUDO} ${BIOCTL} -p${PASSFILE} -P -- "$$(<${VOLDEVFILE})"
+
 set-empty-passphrase:
 	printf '\n' | ${SUDO} ${BIOCTL} -s -P -- "$$(<${VOLDEVFILE})"
 

sys/dev/fdt/if_dwqe_fdt.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_dwqe_fdt.c,v 1.14 2023/07/08 08:18:30 kettenis Exp $	*/
+/*	$OpenBSD: if_dwqe_fdt.c,v 1.15 2023/08/30 19:08:48 kettenis Exp $	*/
 /*
  * Copyright (c) 2008, 2019 Mark Kettenis <kettenis@openbsd.org>
  * Copyright (c) 2017, 2022 Patrick Wildt <patrick@blueri.se>
@@ -64,6 +64,7 @@
 int	dwqe_fdt_match(struct device *, void *, void *);
 void	dwqe_fdt_attach(struct device *, struct device *, void *);
 void	dwqe_setup_jh7110(struct dwqe_softc *);
+void	dwqe_mii_statchg_jh7110(struct device *);
 void	dwqe_setup_rk3568(struct dwqe_softc *);
 void	dwqe_mii_statchg_rk3568(struct device *);
 void	dwqe_mii_statchg_rk3588(struct device *);
@@ -238,7 +239,10 @@ dwqe_fdt_attach(struct device *parent, struct device *self, void *aux)
 	if (dwqe_attach(sc) != 0)
 		return;
 
-	if (OF_is_compatible(faa->fa_node, "rockchip,rk3568-gmac"))
+	if (OF_is_compatible(faa->fa_node, "starfive,jh7110-dwmac") &&
+	    !OF_getpropbool(faa->fa_node, "starfive,tx-use-rgmii-clk"))
+		sc->sc_mii.mii_statchg = dwqe_mii_statchg_jh7110;
+	else if (OF_is_compatible(faa->fa_node, "rockchip,rk3568-gmac"))
 		sc->sc_mii.mii_statchg = dwqe_mii_statchg_rk3568;
 	else if (OF_is_compatible(faa->fa_node, "rockchip,rk3588-gmac"))
 		sc->sc_mii.mii_statchg = dwqe_mii_statchg_rk3588;
@@ -318,6 +322,7 @@ dwqe_reset_phy(struct dwqe_softc *sc, uint32_t phy)
 #define  RK3568_GMAC_TXCLK_DLY_SET(_v)		((1 << 0) << 16 | ((_v) << 0))
 #define  RK3568_GMAC_RXCLK_DLY_SET(_v)		((1 << 1) << 16 | ((_v) << 1))
 
+void	dwqe_mii_statchg_jh7110_task(void *);
 void	dwqe_mii_statchg_rk3568_task(void *);
 
 void
@@ -360,6 +365,38 @@ dwqe_setup_jh7110(struct dwqe_softc *sc)
 	reg &= ~(((1U << 3) - 1) << shift);
 	reg |= iface << shift;
 	regmap_write_4(rm, offset, reg);
+
+	task_set(&sc->sc_statchg_task,
+	    dwqe_mii_statchg_jh7110_task, sc);
+}
+
+void
+dwqe_mii_statchg_jh7110_task(void *arg)
+{
+	struct dwqe_softc *sc = arg;
+	struct ifnet *ifp = &sc->sc_ac.ac_if;
+
+	dwqe_mii_statchg(&sc->sc_dev);
+
+	switch (ifp->if_baudrate) {
+	case IF_Mbps(10):
+		clock_set_frequency(sc->sc_node, "tx", 2500000);
+		break;
+	case IF_Mbps(100):
+		clock_set_frequency(sc->sc_node, "tx", 25000000);
+		break;
+	case IF_Mbps(1000):
+		clock_set_frequency(sc->sc_node, "tx", 125000000);
+		break;
+	}
+}
+
+void
+dwqe_mii_statchg_jh7110(struct device *self)
+{
+	struct dwqe_softc *sc = (void *)self;
+
+	task_add(systq, &sc->sc_statchg_task);
 }
 
 void

sys/dev/pci/drm/drm_aperture.c

@@ -32,17 +32,13 @@
  *
  *	static int remove_conflicting_framebuffers(struct pci_dev *pdev)
  *	{
- *		bool primary = false;
  *		resource_size_t base, size;
  *		int ret;
  *
  *		base = pci_resource_start(pdev, 0);
  *		size = pci_resource_len(pdev, 0);
- *	#ifdef CONFIG_X86
- *		primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
- *	#endif
  *
- *		return drm_aperture_remove_conflicting_framebuffers(base, size, primary,
+ *		return drm_aperture_remove_conflicting_framebuffers(base, size,
  *		                                                    &example_driver);
  *	}
  *
@@ -165,7 +161,6 @@ EXPORT_SYMBOL(devm_aperture_acquire_from_firmware);
  * drm_aperture_remove_conflicting_framebuffers - remove existing framebuffers in the given range
  * @base: the aperture's base address in physical memory
  * @size: aperture size in bytes
- * @primary: also kick vga16fb if present
  * @req_driver: requesting DRM driver
  *
  * This function removes graphics device drivers which use the memory range described by
@@ -175,9 +170,9 @@ EXPORT_SYMBOL(devm_aperture_acquire_from_firmware);
  * 0 on success, or a negative errno code otherwise
  */
 int drm_aperture_remove_conflicting_framebuffers(resource_size_t base, resource_size_t size,
-						 bool primary, const struct drm_driver *req_driver)
+						 const struct drm_driver *req_driver)
 {
-	return aperture_remove_conflicting_devices(base, size, primary, req_driver->name);
+	return aperture_remove_conflicting_devices(base, size, false, req_driver->name);
 }
 EXPORT_SYMBOL(drm_aperture_remove_conflicting_framebuffers);
 

sys/dev/pci/drm/i915/gt/gen8_engine_cs.c

@@ -165,14 +165,60 @@ static u32 preparser_disable(bool state)
 	return MI_ARB_CHECK | 1 << 8 | state;
 }
 
-u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv_reg)
+static i915_reg_t gen12_get_aux_inv_reg(struct intel_engine_cs *engine)
 {
-	u32 gsi_offset = gt->uncore->gsi_offset;
+	switch (engine->id) {
+	case RCS0:
+		return GEN12_CCS_AUX_INV;
+	case BCS0:
+		return GEN12_BCS0_AUX_INV;
+	case VCS0:
+		return GEN12_VD0_AUX_INV;
+	case VCS2:
+		return GEN12_VD2_AUX_INV;
+	case VECS0:
+		return GEN12_VE0_AUX_INV;
+	case CCS0:
+		return GEN12_CCS0_AUX_INV;
+	default:
+		return INVALID_MMIO_REG;
+	}
+}
+
+static bool gen12_needs_ccs_aux_inv(struct intel_engine_cs *engine)
+{
+	i915_reg_t reg = gen12_get_aux_inv_reg(engine);
+
+	if (IS_PONTEVECCHIO(engine->i915))
+		return false;
+
+	/*
+	 * So far platforms supported by i915 having flat ccs do not require
+	 * AUX invalidation. Check also whether the engine requires it.
+	 */
+	return i915_mmio_reg_valid(reg) && !HAS_FLAT_CCS(engine->i915);
+}
+
+u32 *gen12_emit_aux_table_inv(struct intel_engine_cs *engine, u32 *cs)
+{
+	i915_reg_t inv_reg = gen12_get_aux_inv_reg(engine);
+	u32 gsi_offset = engine->gt->uncore->gsi_offset;
+
+	if (!gen12_needs_ccs_aux_inv(engine))
+		return cs;
 
 	*cs++ = MI_LOAD_REGISTER_IMM(1) | MI_LRI_MMIO_REMAP_EN;
 	*cs++ = i915_mmio_reg_offset(inv_reg) + gsi_offset;
 	*cs++ = AUX_INV;
-	*cs++ = MI_NOOP;
+
+	*cs++ = MI_SEMAPHORE_WAIT_TOKEN |
+		MI_SEMAPHORE_REGISTER_POLL |
+		MI_SEMAPHORE_POLL |
+		MI_SEMAPHORE_SAD_EQ_SDD;
+	*cs++ = 0;
+	*cs++ = i915_mmio_reg_offset(inv_reg) + gsi_offset;
+	*cs++ = 0;
+	*cs++ = 0;
 
 	return cs;
 }
@@ -181,7 +227,11 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
 {
 	struct intel_engine_cs *engine = rq->engine;
 
-	if (mode & EMIT_FLUSH) {
+	/*
+	 * On Aux CCS platforms the invalidation of the Aux
+	 * table requires quiescing memory traffic beforehand
+	 */
+	if (mode & EMIT_FLUSH || gen12_needs_ccs_aux_inv(engine)) {
 		u32 flags = 0;
 		u32 *cs;
 
@@ -236,10 +286,9 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
 		else if (engine->class == COMPUTE_CLASS)
 			flags &= ~PIPE_CONTROL_3D_ENGINE_FLAGS;
 
-		if (!HAS_FLAT_CCS(rq->engine->i915))
+		count = 8;
-			count = 8 + 4;
+		if (gen12_needs_ccs_aux_inv(rq->engine))
-		else
+			count += 8;
-			count = 8;
 
 		cs = intel_ring_begin(rq, count);
 		if (IS_ERR(cs))
@@ -254,11 +303,7 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
 
 		cs = gen8_emit_pipe_control(cs, flags, LRC_PPHWSP_SCRATCH_ADDR);
 
-		if (!HAS_FLAT_CCS(rq->engine->i915)) {
+		cs = gen12_emit_aux_table_inv(engine, cs);
-			/* hsdes: 1809175790 */
-			cs = gen12_emit_aux_table_inv(rq->engine->gt, cs,
-						      GEN12_CCS_AUX_INV);
-		}
 
 		*cs++ = preparser_disable(false);
 		intel_ring_advance(rq, cs);
@@ -269,21 +314,14 @@ int gen12_emit_flush_rcs(struct i915_request *rq, u32 mode)
 
 int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
 {
-	intel_engine_mask_t aux_inv = 0;
+	u32 cmd = 4;
-	u32 cmd, *cs;
+	u32 *cs;
 
-	cmd = 4;
 	if (mode & EMIT_INVALIDATE) {
 		cmd += 2;
 
-		if (!HAS_FLAT_CCS(rq->engine->i915) &&
+		if (gen12_needs_ccs_aux_inv(rq->engine))
-		    (rq->engine->class == VIDEO_DECODE_CLASS ||
+			cmd += 8;
-		     rq->engine->class == VIDEO_ENHANCEMENT_CLASS)) {
-			aux_inv = rq->engine->mask &
-				~GENMASK(_BCS(I915_MAX_BCS - 1), BCS0);
-			if (aux_inv)
-				cmd += 4;
-		}
 	}
 
 	cs = intel_ring_begin(rq, cmd);
@@ -314,14 +352,7 @@ int gen12_emit_flush_xcs(struct i915_request *rq, u32 mode)
 	*cs++ = 0; /* upper addr */
 	*cs++ = 0; /* value */
 
-	if (aux_inv) { /* hsdes: 1809175790 */
+	cs = gen12_emit_aux_table_inv(rq->engine, cs);
-		if (rq->engine->class == VIDEO_DECODE_CLASS)
-			cs = gen12_emit_aux_table_inv(rq->engine->gt,
-						      cs, GEN12_VD0_AUX_INV);
-		else
-			cs = gen12_emit_aux_table_inv(rq->engine->gt,
-						      cs, GEN12_VE0_AUX_INV);
-	}
 
 	if (mode & EMIT_INVALIDATE)
 		*cs++ = preparser_disable(false);

sys/dev/pci/drm/i915/gt/gen8_engine_cs.h

@@ -13,6 +13,7 @@
 #include "intel_gt_regs.h"
 #include "intel_gpu_commands.h"
 
+struct intel_engine_cs;
 struct intel_gt;
 struct i915_request;
 
@@ -46,7 +47,7 @@ u32 *gen8_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
 u32 *gen11_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
 u32 *gen12_emit_fini_breadcrumb_rcs(struct i915_request *rq, u32 *cs);
 
-u32 *gen12_emit_aux_table_inv(struct intel_gt *gt, u32 *cs, const i915_reg_t inv_reg);
+u32 *gen12_emit_aux_table_inv(struct intel_engine_cs *engine, u32 *cs);
 
 static inline u32 *
 __gen8_emit_pipe_control(u32 *batch, u32 flags0, u32 flags1, u32 offset)

sys/dev/pci/drm/i915/gt/intel_gpu_commands.h

@@ -120,6 +120,7 @@
 #define   MI_SEMAPHORE_TARGET(engine)	((engine)<<15)
 #define MI_SEMAPHORE_WAIT	MI_INSTR(0x1c, 2) /* GEN8+ */
 #define MI_SEMAPHORE_WAIT_TOKEN	MI_INSTR(0x1c, 3) /* GEN12+ */
+#define   MI_SEMAPHORE_REGISTER_POLL	(1 << 16)
 #define   MI_SEMAPHORE_POLL		(1 << 15)
 #define   MI_SEMAPHORE_SAD_GT_SDD	(0 << 12)
 #define   MI_SEMAPHORE_SAD_GTE_SDD	(1 << 12)

sys/dev/pci/drm/i915/gt/intel_lrc.c

@@ -1301,10 +1301,7 @@ gen12_emit_indirect_ctx_rcs(const struct intel_context *ce, u32 *cs)
 	    IS_DG2_G11(ce->engine->i915))
 		cs = gen8_emit_pipe_control(cs, PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE, 0);
 
-	/* hsdes: 1809175790 */
+	cs = gen12_emit_aux_table_inv(ce->engine, cs);
-	if (!HAS_FLAT_CCS(ce->engine->i915))
-		cs = gen12_emit_aux_table_inv(ce->engine->gt,
-					      cs, GEN12_CCS_AUX_INV);
 
 	/* Wa_16014892111 */
 	if (IS_DG2(ce->engine->i915))
@@ -1327,17 +1324,7 @@ gen12_emit_indirect_ctx_xcs(const struct intel_context *ce, u32 *cs)
 						    PIPE_CONTROL_INSTRUCTION_CACHE_INVALIDATE,
 						    0);
 
-	/* hsdes: 1809175790 */
+	return gen12_emit_aux_table_inv(ce->engine, cs);
-	if (!HAS_FLAT_CCS(ce->engine->i915)) {
-		if (ce->engine->class == VIDEO_DECODE_CLASS)
-			cs = gen12_emit_aux_table_inv(ce->engine->gt,
-						      cs, GEN12_VD0_AUX_INV);
-		else if (ce->engine->class == VIDEO_ENHANCEMENT_CLASS)
-			cs = gen12_emit_aux_table_inv(ce->engine->gt,
-						      cs, GEN12_VE0_AUX_INV);
-	}
-
-	return cs;
 }
 
 static void

sys/dev/pci/drm/i915/i915_driver.c

@@ -603,7 +603,6 @@ static int i915_pcode_init(struct drm_i915_private *i915)
 static int i915_driver_hw_probe(struct drm_i915_private *dev_priv)
 {
 	struct pci_dev *pdev = dev_priv->drm.pdev;
-	struct pci_dev *root_pdev;
 	int ret;
 
 	if (i915_inject_probe_failure(dev_priv))
@@ -715,17 +714,6 @@ static int i915_driver_hw_probe(struct drm_i915_private *dev_priv)
 
 	intel_bw_init_hw(dev_priv);
 
-	/*
-	 * FIXME: Temporary hammer to avoid freezing the machine on our DGFX
-	 * This should be totally removed when we handle the pci states properly
-	 * on runtime PM and on s2idle cases.
-	 */
-#ifdef notyet
-	root_pdev = pcie_find_root_port(pdev);
-	if (root_pdev)
-		pci_d3cold_disable(root_pdev);
-#endif
-
 	return 0;
 
 err_msi:
@@ -751,16 +739,11 @@ static void i915_driver_hw_remove(struct drm_i915_private *dev_priv)
 	STUB();
 #ifdef notyet
 	struct pci_dev *pdev = dev_priv->drm.pdev;
-	struct pci_dev *root_pdev;
 
 	i915_perf_fini(dev_priv);
 
 	if (pdev->msi_enabled)
 		pci_disable_msi(pdev);
-
-	root_pdev = pcie_find_root_port(pdev);
-	if (root_pdev)
-		pci_d3cold_enable(root_pdev);
 #endif
 }
 
@@ -1785,6 +1768,8 @@ static int intel_runtime_suspend(struct device *kdev)
 {
 	struct drm_i915_private *dev_priv = kdev_to_i915(kdev);
 	struct intel_runtime_pm *rpm = &dev_priv->runtime_pm;
+	struct pci_dev *pdev = to_pci_dev(dev_priv->drm.dev);
+	struct pci_dev *root_pdev;
 	struct intel_gt *gt;
 	int ret, i;
 
@@ -1834,6 +1819,15 @@ static int intel_runtime_suspend(struct device *kdev)
 		drm_err(&dev_priv->drm,
 			"Unclaimed access detected prior to suspending\n");
 
+	/*
+	 * FIXME: Temporary hammer to avoid freezing the machine on our DGFX
+	 * This should be totally removed when we handle the pci states properly
+	 * on runtime PM.
+	 */
+	root_pdev = pcie_find_root_port(pdev);
+	if (root_pdev)
+		pci_d3cold_disable(root_pdev);
+
 	rpm->suspended = true;
 
 	/*
@@ -1872,6 +1866,8 @@ static int intel_runtime_resume(struct device *kdev)
 {
 	struct drm_i915_private *dev_priv = kdev_to_i915(kdev);
 	struct intel_runtime_pm *rpm = &dev_priv->runtime_pm;
+	struct pci_dev *pdev = to_pci_dev(dev_priv->drm.dev);
+	struct pci_dev *root_pdev;
 	struct intel_gt *gt;
 	int ret, i;
 
@@ -1885,6 +1881,11 @@ static int intel_runtime_resume(struct device *kdev)
 
 	intel_opregion_notify_adapter(dev_priv, PCI_D0);
 	rpm->suspended = false;
+
+	root_pdev = pcie_find_root_port(pdev);
+	if (root_pdev)
+		pci_d3cold_enable(root_pdev);
+
 	if (intel_uncore_unclaimed_mmio(&dev_priv->uncore))
 		drm_dbg(&dev_priv->drm,
 			"Unclaimed access during suspend, bios?\n");

sys/dev/pci/drm/include/drm/display/drm_dp.h

@@ -1525,7 +1525,7 @@ enum drm_dp_phy {
 
 #define DP_BRANCH_OUI_HEADER_SIZE	0xc
 #define DP_RECEIVER_CAP_SIZE		0xf
-#define DP_DSC_RECEIVER_CAP_SIZE        0xf
+#define DP_DSC_RECEIVER_CAP_SIZE        0x10 /* DSC Capabilities 0x60 through 0x6F */
 #define EDP_PSR_RECEIVER_CAP_SIZE	2
 #define EDP_DISPLAY_CTL_CAP_SIZE	3
 #define DP_LTTPR_COMMON_CAP_SIZE	8

sys/dev/pci/drm/include/drm/drm_aperture.h

@@ -13,14 +13,13 @@ int devm_aperture_acquire_from_firmware(struct drm_device *dev, resource_size_t
 					resource_size_t size);
 
 int drm_aperture_remove_conflicting_framebuffers(resource_size_t base, resource_size_t size,
-						 bool primary, const struct drm_driver *req_driver);
+						 const struct drm_driver *req_driver);
 
 int drm_aperture_remove_conflicting_pci_framebuffers(struct pci_dev *pdev,
 						     const struct drm_driver *req_driver);
 
 /**
  * drm_aperture_remove_framebuffers - remove all existing framebuffers
- * @primary: also kick vga16fb if present
  * @req_driver: requesting DRM driver
  *
  * This function removes all graphics device drivers. Use this function on systems
@@ -30,9 +29,9 @@ int drm_aperture_remove_conflicting_pci_framebuffers(struct pci_dev *pdev,
  * 0 on success, or a negative errno code otherwise
  */
 static inline int
-drm_aperture_remove_framebuffers(bool primary, const struct drm_driver *req_driver)
+drm_aperture_remove_framebuffers(const struct drm_driver *req_driver)
 {
-	return drm_aperture_remove_conflicting_framebuffers(0, (resource_size_t)-1, primary,
+	return drm_aperture_remove_conflicting_framebuffers(0, (resource_size_t)-1,
 							    req_driver);
 }
 

usr.bin/make/cmd_exec.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cmd_exec.c,v 1.11 2020/01/16 16:07:18 espie Exp $ */
+/*	$OpenBSD: cmd_exec.c,v 1.12 2023/08/31 06:53:28 espie Exp $ */
 /*
  * Copyright (c) 2001 Marc Espie.
  *
@@ -28,6 +28,7 @@
 #include <sys/wait.h>
 #include <errno.h>
 #include <stdio.h>
+#include <string.h>
 #include <unistd.h>
 #include "config.h"
 #include "defines.h"
@@ -36,11 +37,93 @@
 #include "memory.h"
 #include "pathnames.h"
 #include "job.h"
+#include "str.h"
+
+/* The following array is used to make a fast determination of which
+ * characters are interpreted specially by the shell.  If a command
+ * contains any of these characters, it is executed by the shell, not
+ * directly by us.  */
+static char	    meta[256];
+
+void
+CmdExec_Init(void)
+{
+	char *p;
+
+	for (p = "#=|^(){};&<>*?[]:$`\\\n~"; *p != '\0'; p++)
+		meta[(unsigned char) *p] = 1;
+	/* The null character serves as a sentinel in the string.  */
+	meta[0] = 1;
+}
+
+static char **
+recheck_command_for_shell(char **av)
+{
+	char *runsh[] = {
+		"!", "alias", "cd", "eval", "exit", "read", "set", "ulimit",
+		"unalias", "unset", "wait", "umask", NULL
+	};
+
+	char **p;
+
+	/* optimization: if exec cmd, we avoid the intermediate shell */
+	if (strcmp(av[0], "exec") == 0)
+		av++;
+
+	if (!av[0])
+		return NULL;
+
+	for (p = runsh; *p; p++)
+		if (strcmp(av[0], *p) == 0)
+			return NULL;
+
+	return av;
+}
+
+void
+run_command(const char *cmd, bool errCheck)
+{
+	const char *p;
+	char *shargv[4];
+	char **todo;
+
+	shargv[0] = _PATH_BSHELL;
+
+	shargv[1] = errCheck ? "-ec" : "-c";
+	shargv[2] = (char *)cmd;
+	shargv[3] = NULL;
+
+	todo = shargv;
+
+
+	/* Search for meta characters in the command. If there are no meta
+	 * characters, there's no need to execute a shell to execute the
+	 * command.  */
+	for (p = cmd; !meta[(unsigned char)*p]; p++)
+		continue;
+	if (*p == '\0') {
+		char *bp;
+		char **av;
+		int argc;
+		/* No meta-characters, so probably no need to exec a shell.
+		 * Break the command into words to form an argument vector
+		 * we can execute.  */
+		av = brk_string(cmd, &argc, &bp);
+		av = recheck_command_for_shell(av);
+		if (av != NULL)
+			todo = av;
+	}
+	execvp(todo[0], todo);
+	if (errno == ENOENT)
+		fprintf(stderr, "%s: not found\n", todo[0]);
+	else
+		perror(todo[0]);
+	_exit(1);
+}
 
 char *
 Cmd_Exec(const char *cmd, char **err)
 {
-	char	*args[4];	/* Args for invoking the shell */
 	int 	fds[2]; 	/* Pipe streams */
 	pid_t 	cpid;		/* Child PID */
 	char	*result;	/* Result */
@@ -53,12 +136,6 @@ Cmd_Exec(const char *cmd, char **err)
 
 	*err = NULL;
 
-	/* Set up arguments for the shell. */
-	args[0] = "sh";
-	args[1] = "-c";
-	args[2] = (char *)cmd;
-	args[3] = NULL;
-
 	/* Open a pipe for retrieving shell's output. */
 	if (pipe(fds) == -1) {
 		*err = "Couldn't create pipe for \"%s\"";
@@ -82,8 +159,7 @@ Cmd_Exec(const char *cmd, char **err)
 			(void)close(fds[1]);
 		}
 
-		(void)execv(_PATH_BSHELL, args);
+		run_command(cmd, false);
-		_exit(1);
 		/*NOTREACHED*/
 
 	case -1:

usr.bin/make/cmd_exec.h

@@ -1,6 +1,6 @@
 #ifndef CMD_EXEC_H
 #define CMD_EXEC_H
-/*	$OpenBSD: cmd_exec.h,v 1.4 2010/07/19 19:46:43 espie Exp $ */
+/*	$OpenBSD: cmd_exec.h,v 1.5 2023/08/31 06:53:28 espie Exp $ */
 
 /*
  * Copyright (c) 2001 Marc Espie.
@@ -34,4 +34,6 @@
  *	The output result should always be freed by the caller.  */
 extern char *Cmd_Exec(const char *, char **);
 
+extern void CmdExec_Init(void);
+extern __dead void run_command(const char *, bool);
 #endif

usr.bin/make/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.71 2023/05/30 04:42:21 espie Exp $ */
+/*	$OpenBSD: engine.c,v 1.72 2023/08/31 06:53:28 espie Exp $ */
 /*
  * Copyright (c) 2012 Marc Espie.
  *
@@ -75,6 +75,7 @@
 #include <unistd.h>
 #include "config.h"
 #include "defines.h"
+#include "cmd_exec.h"
 #include "dir.h"
 #include "engine.h"
 #include "arch.h"
@@ -88,7 +89,6 @@
 #include "make.h"
 #include "pathnames.h"
 #include "error.h"
-#include "str.h"
 #include "memory.h"
 #include "buf.h"
 #include "job.h"
@@ -96,9 +96,6 @@
 
 static void MakeTimeStamp(void *, void *);
 static int rewrite_time(const char *);
-static void setup_meta(void);
-static void setup_engine(void);
-static char **recheck_command_for_shell(char **);
 static void list_parents(GNode *, FILE *);
 
 /* XXX due to a bug in make's logic, targets looking like *.a or -l*
@@ -508,88 +505,6 @@ Make_OODate(GNode *gn)
 	return oodate;
 }
 
-/* The following array is used to make a fast determination of which
- * characters are interpreted specially by the shell.  If a command
- * contains any of these characters, it is executed by the shell, not
- * directly by us.  */
-static char	    meta[256];
-
-void
-setup_meta(void)
-{
-	char *p;
-
-	for (p = "#=|^(){};&<>*?[]:$`\\\n~"; *p != '\0'; p++)
-		meta[(unsigned char) *p] = 1;
-	/* The null character serves as a sentinel in the string.  */
-	meta[0] = 1;
-}
-
-static char **
-recheck_command_for_shell(char **av)
-{
-	char *runsh[] = {
-		"!", "alias", "cd", "eval", "exit", "read", "set", "ulimit",
-		"unalias", "unset", "wait", "umask", NULL
-	};
-
-	char **p;
-
-	/* optimization: if exec cmd, we avoid the intermediate shell */
-	if (strcmp(av[0], "exec") == 0)
-		av++;
-
-	if (!av[0])
-		return NULL;
-
-	for (p = runsh; *p; p++)
-		if (strcmp(av[0], *p) == 0)
-			return NULL;
-
-	return av;
-}
-
-static void
-run_command(const char *cmd, bool errCheck)
-{
-	const char *p;
-	char *shargv[4];
-	char **todo;
-
-	shargv[0] = _PATH_BSHELL;
-
-	shargv[1] = errCheck ? "-ec" : "-c";
-	shargv[2] = (char *)cmd;
-	shargv[3] = NULL;
-
-	todo = shargv;
-
-
-	/* Search for meta characters in the command. If there are no meta
-	 * characters, there's no need to execute a shell to execute the
-	 * command.  */
-	for (p = cmd; !meta[(unsigned char)*p]; p++)
-		continue;
-	if (*p == '\0') {
-		char *bp;
-		char **av;
-		int argc;
-		/* No meta-characters, so probably no need to exec a shell.
-		 * Break the command into words to form an argument vector
-		 * we can execute.  */
-		av = brk_string(cmd, &argc, &bp);
-		av = recheck_command_for_shell(av);
-		if (av != NULL)
-			todo = av;
-	}
-	execvp(todo[0], todo);
-
-	if (errno == ENOENT)
-		fprintf(stderr, "%s: not found\n", todo[0]);
-	else
-		perror(todo[0]);
-	_exit(1);
-}
 
 void
 job_attach_node(Job *job, GNode *node)
@@ -696,17 +611,6 @@ run_gnode(GNode *gn)
 }
 
 
-static void
-setup_engine(void)
-{
-	static int already_setup = 0;
-
-	if (!already_setup) {
-		setup_meta();
-		already_setup = 1;
-	}
-}
-
 static bool
 do_run_command(Job *job, const char *pre)
 {
@@ -799,7 +703,6 @@ job_run_next(Job *job)
 	bool started;
 	GNode *gn = job->node;
 
-	setup_engine();
 	while (job->next_cmd != NULL) {
 		struct command *command = Lst_Datum(job->next_cmd);
 

usr.bin/make/init.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: init.c,v 1.8 2020/01/16 16:07:18 espie Exp $ */
+/*	$OpenBSD: init.c,v 1.9 2023/08/31 06:53:28 espie Exp $ */
 
 /*
  * Copyright (c) 2001 Marc Espie.
@@ -37,11 +37,13 @@
 #include "targ.h"
 #include "suff.h"
 #include "job.h"
+#include "cmd_exec.h"
 
 void
 Init(void)
 {
 	Sigset_Init();
+	CmdExec_Init();
 	Init_Timestamp();
 	Init_Stats();
 	Targ_Init();

usr.sbin/fw_update/fw_update.sh

@@ -1,7 +1,7 @@
 #!/bin/ksh
-#	$OpenBSD: fw_update.sh,v 1.44 2022/12/12 02:30:51 afresh1 Exp $
+#	$OpenBSD: fw_update.sh,v 1.45 2023/08/31 18:19:21 afresh1 Exp $
 #
-# Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org>
+# Copyright (c) 2021,2023 Andrew Hewus Fresh <afresh1@openbsd.org>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -40,18 +40,39 @@ DELETE=false
 DOWNLOAD=true
 INSTALL=true
 LOCALSRC=
+ENABLE_SPINNER=false
+[ -t 1 ] && ENABLE_SPINNER=true
+
+integer STATUS_FD=1
+integer WARN_FD=2
+FD_DIR=
 
 unset FTPPID
 unset LOCKPID
 unset FWPKGTMP
 REMOVE_LOCALSRC=false
+
+status() { echo -n "$*" >&"$STATUS_FD"; }
+warn()   { echo    "$*" >&"$WARN_FD"; }
+
 cleanup() {
 	set +o errexit # ignore errors from killing ftp
+
+	if [ -d "$FD_DIR" ]; then
+		echo "" >&"$STATUS_FD"
+		exec 4>&-
+
+		[ -s "$FD_DIR/status" ] && cat "$FD_DIR/status"
+		[ -s "$FD_DIR/warn"   ] && cat "$FD_DIR/warn" >&2
+
+		rm -rf "$FD_DIR"
+	fi
+
 	[ "${FTPPID:-}" ] && kill -TERM -"$FTPPID" 2>/dev/null
 	[ "${LOCKPID:-}" ] && kill -TERM -"$LOCKPID" 2>/dev/null
 	[ "${FWPKGTMP:-}" ] && rm -rf "$FWPKGTMP"
 	"$REMOVE_LOCALSRC" && rm -rf "$LOCALSRC"
-	[ -e "${CFILE}" ] && [ ! -s "$CFILE" ] && rm -f "$CFILE"
+	[ -e "$CFILE" ] && [ ! -s "$CFILE" ] && rm -f "$CFILE"
 }
 trap cleanup EXIT
 
@@ -70,6 +91,20 @@ tmpdir() {
 	echo "$_dir"
 }
 
+spin() {
+	if ! "$ENABLE_SPINNER"; then
+		sleep 1
+		return 0
+	fi
+
+	{
+		for p in '/' '-' '\\' '|' '/' '-' '\\' '|'; do
+			echo -n "$p"'\010'
+			sleep 0.125
+		done
+	}>/dev/tty
+}
+
 fetch() {
 	local _src="${FWURL}/${1##*/}" _dst=$1 _user=_file _exit _error=''
 
@@ -99,13 +134,13 @@ fetch() {
 			if [[ $_last -ne $5 ]]; then
 				_last=$5
 				SECONDS=0
-				sleep 1
+				spin
 			else
 				kill -INT -"$FTPPID" 2>/dev/null
 				_error=" (timed out)"
 			fi
 		else
-			sleep 1
+			spin
 		fi
 	done
 
@@ -118,7 +153,7 @@ fetch() {
 
 	if [ "$_exit" -ne 0 ]; then
 		rm -f "$_dst"
-		echo "Cannot fetch $_src$_error" >&2
+		warn "Cannot fetch $_src$_error"
 		return 1
 	fi
 
@@ -133,7 +168,7 @@ check_cfile() {
 		[ -s "$CFILE" ] || return 1
 		return 0
 	fi
-	if ! fetch_cfile "$@"; then
+	if ! fetch_cfile; then
 		echo -n > "$CFILE"
 		return 1
 	fi
@@ -146,10 +181,10 @@ fetch_cfile() {
 		fetch "$CFILE" || return 1
 		set -o noclobber
 		! signify -qVep "$FWPUB_KEY" -x "$CFILE" -m "$CFILE" &&
-		    echo "Signature check of SHA256.sig failed" >&2 &&
+		    warn "Signature check of SHA256.sig failed" &&
 		    rm -f "$CFILE" && return 1
 	elif [ ! -e "$CFILE" ]; then
-		echo "${0##*/}: $CFILE: No such file or directory" >&2
+		warn "${0##*/}: $CFILE: No such file or directory"
 		return 1
 	fi
 
@@ -159,14 +194,25 @@ fetch_cfile() {
 verify() {
 	check_cfile || return 1
 	# The installer sha256 lacks -C, do it by hand
-	if ! fgrep -qx "SHA256 (${1##*/}) = $( /bin/sha256 -qb "$1" )" "$CFILE"; then
+	if ! grep -Fqx "SHA256 (${1##*/}) = $( /bin/sha256 -qb "$1" )" "$CFILE"
-		((VERBOSE != 1)) && echo "Checksum test for ${1##*/} failed." >&2
+	then
+		((VERBOSE != 1)) && warn "Checksum test for ${1##*/} failed."
 		return 1
 	fi
 
 	return 0
 }
 
+# When verifying existing files that we are going to re-download
+# if VERBOSE is 0, don't show the checksum failure of an existing file.
+verify_existing() {
+	local _v=$VERBOSE
+	check_cfile || return 1
+
+	((_v == 0)) && "$DOWNLOAD" && _v=1
+	( VERBOSE=$_v verify "$@" )
+}
+
 firmware_in_dmesg() {
 	local IFS
 	local _d _m _dmesgtail _last='' _nl='
@@ -187,7 +233,7 @@ firmware_in_dmesg() {
 
 		case $# in
 		    1|2|3) [[ $_dmesgtail = *$1*([!$_nl])${2-}*([!$_nl])${3-}* ]] || continue;;
-		    *) echo "${0##*/}: Bad pattern '${_m#$_nl}' in $FWPATTERNS" >&2; exit 1 ;;
+		    *) warn "${0##*/}: Bad pattern '${_m#$_nl}' in $FWPATTERNS"; exit 1 ;;
 		esac
 
 		echo "$_d"
@@ -329,7 +375,7 @@ delete_firmware() {
 
 	if [ ! -e "$_cwd/+CONTENTS" ] ||
 	    ! grep -Fxq '@option firmware' "$_cwd/+CONTENTS"; then
-		echo "${0##*/}: $_pkg does not appear to be firmware" >&2
+		warn "${0##*/}: $_pkg does not appear to be firmware"
 		return 2
 	fi
 
@@ -389,17 +435,20 @@ do
 	p) LOCALSRC="$OPTARG" ;;
 	v) ((++VERBOSE)) ;;
 	:)
-	    echo "${0##*/}: option requires an argument -- -$OPTARG" >&2
+	    warn "${0##*/}: option requires an argument -- -$OPTARG"
 	    usage
 	    ;;
 	?)
-	    echo "${0##*/}: unknown option -- -$OPTARG" >&2
+	    warn "${0##*/}: unknown option -- -$OPTARG"
 	    usage
 	    ;;
 	esac
 done
 shift $((OPTIND - 1))
 
+# Progress bars, not spinner When VERBOSE > 1
+((VERBOSE > 1)) && ENABLE_SPINNER=false
+
 if [ "$LOCALSRC" ]; then
 	if [[ $LOCALSRC = @(ftp|http?(s))://* ]]; then
 		FWURL="${LOCALSRC}"
@@ -407,7 +456,7 @@ if [ "$LOCALSRC" ]; then
 	else
 		LOCALSRC="${LOCALSRC#file:}"
 		! [ -d "$LOCALSRC" ] &&
-		    echo "The path must be a URL or an existing directory" >&2 &&
+		    warn "The path must be a URL or an existing directory" &&
 		    exit 1
 	fi
 fi
@@ -424,7 +473,7 @@ if [ "$OPT_F" ]; then
 			rm -f "$LOCALSRC/$CFILE-OLD"
 		else
 			mv "$LOCALSRC/$CFILE-OLD" "$LOCALSRC/$CFILE"
-			echo "Using existing $CFILE" >&2
+			warn "Using existing $CFILE"
 		fi
 	fi
 elif [ "$LOCALSRC" ]; then
@@ -432,14 +481,34 @@ elif [ "$LOCALSRC" ]; then
 fi
 
 if [ -x /usr/bin/id ] && [ "$(/usr/bin/id -u)" != 0 ]; then
-	echo "need root privileges" >&2
+	warn "need root privileges"
 	exit 1
 fi
 
 set -sA devices -- "$@"
 
+# In the normal case, we output the status line piecemeal
+# so we save warnings to output at the end to not disrupt
+# the single line status.
+# Actual errors from things like ftp will stil interrupt,
+# but it's impossible to know if it's a message people need
+# to see now or something that can wait.
+# In the verbose case, we instead print out single lines
+# or progress bars for each thing we are doing,
+# so instead we save up the final status line for the end.
+FD_DIR="$( tmpdir "${DESTDIR}/tmp/${0##*/}-fd" )"
+if ((VERBOSE)); then
+	exec 4>"${FD_DIR}/status"
+	STATUS_FD=4
+else
+	exec 4>"${FD_DIR}/warn"
+	WARN_FD=4
+fi
+
+status "${0##*/}:"
+
 if "$DELETE"; then
-	[ "$OPT_F" ] && echo "Cannot use -F and -d" >&2 && usage
+	[ "$OPT_F" ] && warn "Cannot use -F and -d" && usage
 	lock_db
 
 	# Show the "Uninstall" message when just deleting not upgrading
@@ -447,7 +516,7 @@ if "$DELETE"; then
 
 	set -A installed
 	if [ "${devices[*]:-}" ]; then
-		"$ALL" && echo "Cannot use -a and devices/files" >&2 && usage
+		"$ALL" && warn "Cannot use -a and devices/files" && usage
 
 		set -A installed -- $(
 		    for d in "${devices[@]}"; do
@@ -460,7 +529,7 @@ if "$DELETE"; then
 			if [ "${i[*]:-}" ]; then
 				echo "${i[@]}"
 			else
-				echo "No firmware found for '$d'" >&2
+				warn "No firmware found for '$d'"
 			fi
 		    done
 		)
@@ -468,20 +537,22 @@ if "$DELETE"; then
 		set -A installed -- $( installed_firmware '*' '-firmware-' '*' )
 	fi
 
-	deleted=''
+	status " delete "
+
+	comma=''
 	if [ "${installed:-}" ]; then
 		for fw in "${installed[@]}"; do
+			status "$comma$( firmware_devicename "$fw" )"
+			comma=,
 			if "$DRYRUN"; then
 				((VERBOSE)) && echo "Delete $fw"
 			else
 				delete_firmware "$fw" || continue
 			fi
-			deleted="$deleted,$( firmware_devicename "$fw" )"
 		done
 	fi
 
-	deleted="${deleted#,}"
+	[ "$comma" ] || status none
-	echo "${0:##*/}: deleted ${deleted:-none}";
 
 	exit
 fi
@@ -494,7 +565,7 @@ fi
 CFILE="$LOCALSRC/$CFILE"
 
 if [ "${devices[*]:-}" ]; then
-	"$ALL" && echo "Cannot use -a and devices/files" >&2 && usage
+	"$ALL" && warn "Cannot use -a and devices/files" && usage
 else
 	((VERBOSE > 1)) && echo -n "Detect firmware ..."
 	set -sA devices -- $( detect_firmware )
@@ -503,10 +574,11 @@ else
 fi
 
 
-added=''
+set -A add ''
-updated=''
+set -A update ''
 kept=''
 unregister=''
+
 if [ "${devices[*]:-}" ]; then
 	lock_db
 	for f in "${devices[@]}"; do
@@ -519,44 +591,53 @@ if [ "${devices[*]:-}" ]; then
 				if "$INSTALL" && unregister_firmware "$d"; then
 					unregister="$unregister,$d"
 				else
-					echo "Unable to find firmware for $d" >&2
+					warn "Unable to find firmware for $d"
 				fi
 				continue
 			fi
 			f="$LOCALSRC/$f"
 		elif ! "$INSTALL" && ! grep -Fq "($f)" "$CFILE" ; then
-			echo "Cannot download local file $f" >&2
+			warn "Cannot download local file $f"
 			exit 1
 		else
 			# Don't verify files specified on the command-line
 			verify_existing=false
 		fi
 
-		set -A installed -- $( installed_firmware '' "$d-firmware-" '*' )
+		set -A installed
+		if "$INSTALL"; then
+			set -A installed -- \
+			    $( installed_firmware '' "$d-firmware-" '*' )
 
-		if "$INSTALL" && [ "${installed[*]:-}" ]; then
+			if [ "${installed[*]:-}" ]; then
-			for i in "${installed[@]}"; do
+				for i in "${installed[@]}"; do
-				if [ "${f##*/}" = "$i.tgz" ]; then
+					if [ "${f##*/}" = "$i.tgz" ]; then
-					((VERBOSE > 2)) && echo "Keep $i"
+						((VERBOSE > 2)) \
-					kept="$kept,$d"
+						    && echo "Keep $i"
-					continue 2
+						kept="$kept,$d"
-				fi
+						continue 2
-			done
+					fi
+				done
+			fi
 		fi
 
-		pending_status=false
 		if "$verify_existing" && [ -e "$f" ]; then
+			pending_status=false
 			if ((VERBOSE == 1)); then
 				echo -n "Verify ${f##*/} ..."
 				pending_status=true
 			elif ((VERBOSE > 1)) && ! "$INSTALL"; then
-			    echo "Keep/Verify ${f##*/}"
+				echo "Keep/Verify ${f##*/}"
 			fi
 
-			if "$DRYRUN" || verify "$f"; then
+			if "$DRYRUN" || verify_existing "$f"; then
-				"$INSTALL" || kept="$kept,$d"
+				"$pending_status" && echo " done."
+				if ! "$INSTALL"; then
+					kept="$kept,$d"
+					continue
+				fi
 			elif "$DOWNLOAD"; then
-				((VERBOSE == 1)) && echo " failed."
+				"$pending_status" && echo " failed."
 				((VERBOSE > 1)) && echo "Refetching $f"
 				rm -f "$f"
 			else
@@ -565,67 +646,110 @@ if [ "${devices[*]:-}" ]; then
 			fi
 		fi
 
-		if [ -e "$f" ]; then
-			"$pending_status" && ! "$INSTALL" && echo " done."
-		elif "$DOWNLOAD"; then
-			if "$DRYRUN"; then
-				((VERBOSE)) && echo "Get/Verify ${f##*/}"
-			else
-				if ((VERBOSE == 1)); then
-					echo -n "Get/Verify ${f##*/} ..."
-					pending_status=true
-				fi
-				fetch  "$f" &&
-				verify "$f" || {
-					"$pending_status" && echo " failed."
-					continue
-				}
-				"$pending_status" && ! "$INSTALL" && echo " done."
-			fi
-			"$INSTALL" || added="$added,$d"
-		elif "$INSTALL"; then
-			echo "Cannot install ${f##*/}, not found" >&2
-			continue
-		fi
-
-		"$INSTALL" || continue
-
-		update="Install"
 		if [ "${installed[*]:-}" ]; then
-			update="Update"
+			set -A update -- "${update[@]}" "$f"
-			for i in "${installed[@]}"; do
+		else
-				"$DRYRUN" || delete_firmware "$i"
+			set -A add -- "${add[@]}" "$f"
-			done
 		fi
 
-		if "$DRYRUN"; then
-			((VERBOSE)) && echo "$update $f"
-		else
-			if ((VERBOSE == 1)) && ! "$pending_status"; then
-				echo -n "Install ${f##*/} ..."
-				pending_status=true
-			fi
-			add_firmware "$f" "$update"
-		fi
-
-		f="${f##*/}"
-		f="${f%.tgz}"
-		if [ "$update" = Install ]; then
-			"$pending_status" && echo " installed."
-			added="$added,$d"
-		else
-			"$pending_status" && echo " updated."
-			updated="$updated,$d"
-		fi
 	done
 fi
 
-added="${added:#,}"
-updated="${updated:#,}"
-kept="${kept:#,}"
-[ "${unregister:-}" ] && unregister="; unregistered ${unregister:#,}"
 if "$INSTALL"; then
-	echo  "${0##*/}: added ${added:-none}; updated ${updated:-none}; kept ${kept:-none}${unregister}"
+	status " add "
+	action=Install
 else
-	echo  "${0##*/}: downloaded ${added:-none}; kept ${kept:-none}${unregister}"
+	status " download "
+	action=Download
 fi
+
+comma=''
+[ "${add[*]}" ] || status none
+for f in "${add[@]}" _update_ "${update[@]}"; do
+	[ "$f" ] || continue
+	if [ "$f" = _update_ ]; then
+		comma=''
+		"$INSTALL" || continue
+		action=Update
+		status "; update "
+		[ "${update[*]}" ] || status none
+		continue
+	fi
+	d="$( firmware_devicename "$f" )"
+	status "$comma$d"
+	comma=,
+
+	pending_status=false
+	if [ -e "$f" ]; then
+		if "$DRYRUN"; then
+			((VERBOSE)) && echo "$action ${f##*/}"
+		else
+			if ((VERBOSE == 1)); then
+				echo -n "Install ${f##*/} ..."
+				pending_status=true
+			fi
+		fi
+	elif "$DOWNLOAD"; then
+		if "$DRYRUN"; then
+			((VERBOSE)) && echo "Get/Verify ${f##*/}"
+		else
+			if ((VERBOSE == 1)); then
+				echo -n "Get/Verify ${f##*/} ..."
+				pending_status=true
+			fi
+			fetch  "$f" &&
+			verify "$f" || {
+				if "$pending_status"; then
+					echo " failed."
+				elif ! ((VERBOSE)); then
+					status "failed (${f##*/})"
+				fi
+				continue
+			}
+		fi
+	elif "$INSTALL"; then
+		warn "Cannot install ${f##*/}, not found"
+		continue
+	fi
+
+	if ! "$INSTALL"; then
+		"$pending_status" && echo " done."
+		continue
+	fi
+
+	if ! "$DRYRUN"; then
+		if [ "$action" = Update ]; then
+			for i in $( installed_firmware '' "$d-firmware-" '*' )
+			do
+				delete_firmware "$i" || {
+					if "$pending_status"; then
+						echo " failed."
+					elif ! ((VERBOSE)); then
+						status "failed ($i)"
+					fi
+					continue
+				}
+			done
+		fi
+
+		add_firmware "$f" "$action" || {
+			if "$pending_status"; then
+				echo " failed."
+			elif ! ((VERBOSE)); then
+				status "failed (${f##*/})"
+			fi
+			continue
+		}
+	fi
+
+	if "$pending_status"; then
+		if [ "$action" = Install ]; then
+			echo " installed."
+		else
+			echo " updated."
+		fi
+	fi
+done
+
+[ "$unregister" ] && status "; unregister ${unregister:#,}"
+[ "$kept"       ] && status "; keep ${kept:#,}"