Sync code with last security fixes and improvements from OpenBSD

.gitignore

@@ -1,2 +0,0 @@
-**/obj
-**/tags

distrib/alpha/miniroot/Makefile

@@ -1,7 +1,7 @@
-#	$OpenBSD: Makefile,v 1.26 2023/04/28 12:26:43 krw Exp $
+#	$OpenBSD: Makefile,v 1.27 2023/04/30 22:44:18 krw Exp $
 
 FS=		miniroot${OSrev}.img
-FSSIZE=		5760
+FSSIZE=		6080
 FSDISKTYPE=	fakeramdisk
 CDROM=		cd${OSrev}.iso
 MOUNT_POINT=	/mnt

distrib/sets/lists/comp/mi

@@ -2019,7 +2019,6 @@
 ./usr/share/man/man3/PKCS8_pkey_set0.3
 ./usr/share/man/man3/PKEY_USAGE_PERIOD_new.3
 ./usr/share/man/man3/POLICYINFO_new.3
-./usr/share/man/man3/PROXY_POLICY_new.3
 ./usr/share/man/man3/RAND_add.3
 ./usr/share/man/man3/RAND_bytes.3
 ./usr/share/man/man3/RAND_load_file.3
@@ -2253,9 +2252,6 @@
 ./usr/share/man/man3/X509_load_cert_file.3
 ./usr/share/man/man3/X509_new.3
 ./usr/share/man/man3/X509_ocspid_print.3
-./usr/share/man/man3/X509_policy_check.3
-./usr/share/man/man3/X509_policy_tree_get0_policies.3
-./usr/share/man/man3/X509_policy_tree_level_count.3
 ./usr/share/man/man3/X509_print_ex.3
 ./usr/share/man/man3/X509_sign.3
 ./usr/share/man/man3/X509_signature_dump.3
@@ -2416,7 +2412,6 @@
 ./usr/share/man/man3/d2i_PKCS8_PRIV_KEY_INFO.3
 ./usr/share/man/man3/d2i_PKEY_USAGE_PERIOD.3
 ./usr/share/man/man3/d2i_POLICYINFO.3
-./usr/share/man/man3/d2i_PROXY_POLICY.3
 ./usr/share/man/man3/d2i_PrivateKey.3
 ./usr/share/man/man3/d2i_RSAPublicKey.3
 ./usr/share/man/man3/d2i_SSL_SESSION.3

etc/skel/dot.version

@@ -1 +1 @@
-# SecBSD 1.3-89f0212: Sun Apr 30 00:00:00 UTC 2023 (Quetzalcoatl)
+# SecBSD 1.3-5179fdb: Mon May 1 00:00:00 UTC 2023 (Quetzalcoatl)

lib/libcrypto/asn1/tasn_dec.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.85 2023/04/28 17:59:53 job Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.86 2023/04/30 16:46:49 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -736,7 +736,7 @@ static int
 asn1_item_d2i_sequence(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it,
     int tag_number, int tag_class, int optional, int depth)
 {
-	CBS cbs_seq, cbs_seq_content;
+	CBS cbs_seq, cbs_seq_content, cbs_object;
 	int constructed, indefinite, optional_field;
 	const ASN1_TEMPLATE *errat = NULL;
 	const ASN1_TEMPLATE *seqat, *at;
@@ -878,9 +878,14 @@ asn1_item_d2i_sequence(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it,
 		ASN1_template_free(pseqval, seqat);
 	}
 
-	if (!CBS_skip(cbs, CBS_offset(&cbs_seq)))
+	if (!CBS_get_bytes(cbs, &cbs_object, CBS_offset(&cbs_seq)))
 		goto err;
 
+	if (!asn1_enc_save(&aseq, &cbs_object, it)) {
+		ASN1error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
 	if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_POST, &aseq, it, NULL)) {
 		ASN1error(ASN1_R_AUX_ERROR);
 		goto err;

lib/libcrypto/asn1/tasn_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.30 2023/04/28 17:59:53 job Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.31 2023/04/30 16:46:49 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -210,6 +210,14 @@ ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
 		/* fall through */
 
 	case ASN1_ITYPE_SEQUENCE:
+		i = asn1_enc_restore(&seqcontlen, out, pval, it);
+		/* An error occurred */
+		if (i < 0)
+			return 0;
+		/* We have a valid cached encoding... */
+		if (i > 0)
+			return seqcontlen;
+		/* Otherwise carry on */
 		seqcontlen = 0;
 		/* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
 		if (tag == -1) {

lib/libcrypto/bn/bn_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.85 2023/04/25 19:57:59 tb Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.86 2023/04/30 19:15:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -601,12 +601,6 @@ BN_zero(BIGNUM *a)
 	a->top = 0;
 }
 
-void
-BN_zero_ex(BIGNUM *a)
-{
-	BN_zero(a);
-}
-
 int
 BN_one(BIGNUM *a)
 {

lib/libcrypto/bn/bn_mont.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.58 2023/04/25 17:20:24 tb Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.59 2023/04/30 05:21:20 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *

lib/libcrypto/crypto.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.h,v 1.59 2023/04/28 21:40:14 tb Exp $ */
+/* $OpenBSD: crypto.h,v 1.60 2023/04/30 17:07:46 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -488,7 +488,7 @@ typedef int *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
 int CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
 /* die if we have to */
-__dead void OpenSSLDie(const char *file, int line, const char *assertion);
+void OpenSSLDie(const char *file, int line, const char *assertion);
 #define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
 
 uint64_t OPENSSL_cpu_caps(void);

lib/libcrypto/hidden/openssl/x509v3.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.3 2023/04/26 20:43:32 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.4 2023/04/30 19:31:05 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -21,14 +21,6 @@
 #include_next <openssl/x509v3.h>
 #include "crypto_namespace.h"
 
-LCRYPTO_USED(PROXY_POLICY_new);
-LCRYPTO_USED(PROXY_POLICY_free);
-LCRYPTO_USED(d2i_PROXY_POLICY);
-LCRYPTO_USED(i2d_PROXY_POLICY);
-LCRYPTO_USED(PROXY_CERT_INFO_EXTENSION_new);
-LCRYPTO_USED(PROXY_CERT_INFO_EXTENSION_free);
-LCRYPTO_USED(d2i_PROXY_CERT_INFO_EXTENSION);
-LCRYPTO_USED(i2d_PROXY_CERT_INFO_EXTENSION);
 LCRYPTO_USED(BASIC_CONSTRAINTS_new);
 LCRYPTO_USED(BASIC_CONSTRAINTS_free);
 LCRYPTO_USED(d2i_BASIC_CONSTRAINTS);

lib/libcrypto/man/BIO_accept.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_accept.3,v 1.1 2022/12/22 21:05:48 schwarze Exp $
+.\" $OpenBSD: BIO_accept.3,v 1.2 2023/04/30 13:38:48 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 22 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BIO_ACCEPT 3
 .Os
 .Sh NAME
@@ -32,6 +32,11 @@
 .Nm BIO_set_tcp_ndelay
 .\" deprecated in OpenSSL and unused anywhere, hence intentionally undocumented
 .\" .Nm BIO_gethostbyname
+.\" .Nm BIO_GHBN_CTRL_CACHE_SIZE
+.\" .Nm BIO_GHBN_CTRL_FLUSH
+.\" .Nm BIO_GHBN_CTRL_GET_ENTRY
+.\" .Nm BIO_GHBN_CTRL_HITS
+.\" .Nm BIO_GHBN_CTRL_MISSES
 .\" .Nm BIO_socket_ioctl
 .\" does almost nothing and used very rarely, hence intentionally undocumented
 .\" .Nm BIO_sock_init

lib/libcrypto/man/BIO_s_connect.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_connect.3,v 1.18 2023/04/29 13:06:10 schwarze Exp $
+.\" $OpenBSD: BIO_s_connect.3,v 1.19 2023/04/30 13:53:54 schwarze Exp $
 .\" full merge up to: OpenSSL 0e474b8b Nov 1 15:45:49 2015 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BIO_S_CONNECT 3
 .Os
 .Sh NAME
@@ -212,6 +212,40 @@ Usually, \-1 is used to indicate failure and return values less than
 or equal to zero abort the operation in question, whereas positive
 values indicate success and allow the operation to proceed.
 .Pp
+The
+.Fa state
+constants passed to the callback are named according to
+which operation needs to be performed next.
+They are listed here in the order the states are passed through:
+.Pp
+.Bl -tag -width BIO_CONN_S_BLOCKED_CONNECT -offset 3n -compact
+.It Dv BIO_CONN_S_BEFORE
+The BIO is idle and no connection has been initiated yet.
+.It Dv BIO_CONN_S_GET_IP
+The hostname to connect to needs to be converted to an IP address.
+.It Dv BIO_CONN_S_GET_PORT
+The service name to connect to needs to be converted to a TCP port number.
+.It Dv BIO_CONN_S_CREATE_SOCKET
+The TCP socket needs to be created with the
+.Xr socket 2
+system call.
+.It Dv BIO_CONN_S_NBIO
+Socket options may need to be set using
+.Xr fcntl 2
+and
+.Xr setsockopt 2 .
+.It Dv BIO_CONN_S_CONNECT
+The connection needs to be initiated with the
+.Xr connect 2
+system call.
+.It Dv BIO_CONN_S_BLOCKED_CONNECT
+The
+.Xr connect 2
+system call would have blocked and needs to be tried again.
+.It Dv BIO_CONN_S_OK
+The connection has been established and can now be used to transfer data.
+.El
+.Pp
 .Fn BIO_set_conn_hostname
 uses the string
 .Fa name

lib/libcrypto/man/BIO_set_callback.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_set_callback.3,v 1.11 2023/04/07 14:47:37 schwarze Exp $
+.\" $OpenBSD: BIO_set_callback.3,v 1.12 2023/04/30 13:57:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 7 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BIO_SET_CALLBACK 3
 .Os
 .Sh NAME
@@ -190,7 +190,14 @@ The arguments of the callback functions are as follows:
 .It Fa b
 The BIO the callback is attached to.
 .It Fa oper
-The operation being performed.
+The operation being performed, which is one of
+.Dv BIO_CB_CTRL ,
+.Dv BIO_CB_FREE ,
+.Dv BIO_CB_GETS ,
+.Dv BIO_CB_PUTS ,
+.Dv BIO_CB_READ ,
+or
+.Dv BIO_CB_WRITE .
 For some operations, the callback is called twice,
 once before and once after the actual operation.
 The latter case has

lib/libcrypto/man/BIO_should_retry.3

@@ -1,8 +1,25 @@
-.\" $OpenBSD: BIO_should_retry.3,v 1.10 2022/11/27 19:11:11 schwarze Exp $
+.\" $OpenBSD: BIO_should_retry.3,v 1.11 2023/04/30 14:03:47 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 57fd5170 May 13 11:24:11 2018 +0200
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2000, 2010, 2016 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -49,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 27 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BIO_SHOULD_RETRY 3
 .Os
 .Sh NAME
@@ -140,18 +157,50 @@ Current BIO types only set one of the flags at a time.
 .Pp
 .Fn BIO_get_retry_BIO
 determines the precise reason for the special condition.
-It returns the BIO that caused this condition and if
+It walks the BIO chain starting at
+.Fa bio
+and returns the BIO that caused this condition.
+If there is no special condition,
+.Fa bio
+itself is returned.
+If
 .Fa reason
-is not
+is not a
 .Dv NULL
-it contains the reason code.
-The meaning of the reason code and the action that should be taken
-depends on the type of BIO that resulted in this condition.
+pointer,
+.Pf * Fa reason
+is set to one of the following reason codes:
+.Bl -tag -width 1n -offset 3n
+.It 0
+There is no special condition.
+.It Dv BIO_RR_ACCEPT
+.Xr accept 2
+would have blocked.
+This can occur for BIOs created from
+.Xr BIO_s_accept 3
+or
+.Xr BIO_f_ssl 3 .
+.It Dv BIO_RR_CONNECT
+.Xr connect 2
+would have blocked.
+This can occur for BIOs created from
+.Xr BIO_s_connect 3
+or
+.Xr BIO_f_ssl 3 .
+.It Dv BIO_RR_SSL_X509_LOOKUP
+An application callback set by
+.Xr SSL_CTX_set_client_cert_cb 3
+has asked to be called again.
+This can occur for BIOs created from
+.Xr BIO_f_ssl 3 .
+.El
 .Pp
 .Fn BIO_get_retry_reason
-returns the reason for a special condition
-if passed the relevant BIO, for example as returned by
-.Fn BIO_get_retry_BIO .
+returns one of the above reason codes for a special condition that occurred in
+.Fa bio .
+It does not walk the chain and returns 0 if no special condition occurred in
+.Fa bio
+itself.
 .Pp
 .Fn BIO_set_retry_reason
 sets the retry reason for a special condition for the given

lib/libcrypto/man/BN_generate_prime.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.20 2022/11/24 19:06:38 schwarze Exp $
+.\" $OpenBSD: BN_generate_prime.3,v 1.22 2023/04/30 20:17:59 tb Exp $
 .\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 24 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BN_GENERATE_PRIME 3
 .Os
 .Sh NAME
@@ -79,10 +79,7 @@
 .Nm BN_GENCB_free ,
 .Nm BN_GENCB_set ,
 .Nm BN_GENCB_get_arg ,
-.Nm BN_GENCB_set_old ,
-.Nm BN_generate_prime ,
-.Nm BN_is_prime ,
-.Nm BN_is_prime_fasttest
+.Nm BN_GENCB_set_old
 .\" Nm BN_prime_checks_for_size is intentionally undocumented
 .\" because it is no longer used by LibreSSL.
 .Nd generate primes and test for primality
@@ -143,33 +140,6 @@ Deprecated:
 .Fa "void (*cb_fp)(int, int, void *)"
 .Fa "void *cb_arg"
 .Fc
-.Ft BIGNUM *
-.Fo BN_generate_prime
-.Fa "BIGNUM *ret"
-.Fa "int num"
-.Fa "int safe"
-.Fa "BIGNUM *modulus"
-.Fa "BIGNUM *remainder"
-.Fa "void (*cb_fp)(int, int, void *)"
-.Fa "void *cb_arg"
-.Fc
-.Ft int
-.Fo BN_is_prime
-.Fa "const BIGNUM *a"
-.Fa "int checks"
-.Fa "void (*cb_fp)(int, int, void *)"
-.Fa "BN_CTX *ctx"
-.Fa "void *cb_arg"
-.Fc
-.Ft int
-.Fo BN_is_prime_fasttest
-.Fa "const BIGNUM *a"
-.Fa "int checks"
-.Fa "void (*cb_fp)(int, int, void *)"
-.Fa "BN_CTX *ctx"
-.Fa "void *cb_arg"
-.Fa "int do_trial_division"
-.Fc
 .Sh DESCRIPTION
 .Fn BN_is_prime_ex
 and
@@ -325,36 +295,10 @@ to use the old-style callback function pointer
 .Fa cb_fp
 and the additional callback argument
 .Fa cb_arg .
-.Pp
-.Fn BN_generate_prime
-is a deprecated wrapper around
-.Fn BN_GENCB_set_old
-and
-.Fn BN_generate_prime_ex .
-In contrast to
-.Fn BN_generate_prime_ex ,
-if
-.Dv NULL
-is passed for the
-.Fa ret
-argument, a new
-.Vt BIGNUM
-object is allocated and returned.
-.Pp
-Similarly,
-.Fn BN_is_prime
-and
-.Fn BN_is_prime_fasttest
-are deprecated wrappers around
-.Fn BN_GENCB_set_old
-and
-.Fn BN_is_prime_ex .
 .Sh RETURN VALUES
-.Fn BN_is_prime_ex ,
-.Fn BN_is_prime_fasttest_ex ,
-.Fn BN_is_prime ,
+.Fn BN_is_prime_ex
 and
-.Fn BN_is_prime_fasttest
+.Fn BN_is_prime_fasttest_ex
 return 0 if the number is composite, 1 if it is prime with a very small
 error probability, or \-1 on error.
 .Pp
@@ -390,11 +334,6 @@ using
 or
 .Fn BN_GENCB_set_old .
 .Pp
-.Fn BN_generate_prime
-returns the prime number on success or
-.Dv NULL
-on failure.
-.Pp
 In some cases, error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
@@ -403,26 +342,6 @@ In some cases, error codes can be obtained by
 .Xr DSA_generate_parameters 3 ,
 .Xr RSA_generate_key 3
 .Sh HISTORY
-.Fn BN_generate_prime
-and
-.Fn BN_is_prime
-first appeared in SSLeay 0.5.1 and had their
-.Fa cb_arg
-argument added in SSLeay 0.9.0.
-These two functions have been available since
-.Ox 2.4 .
-.Pp
-The
-.Fa ret
-argument to
-.Fn BN_generate_prime
-was added in SSLeay 0.9.1 and
-.Ox 2.6 .
-.Pp
-.Fn BN_is_prime_fasttest
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
 .Fn BN_generate_prime_ex ,
 .Fn BN_is_prime_ex ,
 .Fn BN_is_prime_fasttest_ex ,

lib/libcrypto/man/BN_zero.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_zero.3,v 1.12 2022/11/22 19:02:07 schwarze Exp $
+.\" $OpenBSD: BN_zero.3,v 1.13 2023/04/30 19:23:54 tb Exp $
 .\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\" selective merge up to: OpenSSL b713c4ff Jan 22 14:41:09 2018 -0500
 .\"
@@ -67,11 +67,10 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt BN_ZERO 3
 .Os
 .Sh NAME
-.Nm BN_zero_ex ,
 .Nm BN_zero ,
 .Nm BN_one ,
 .Nm BN_value_one ,
@@ -80,10 +79,6 @@
 .Nd BIGNUM assignment operations
 .Sh SYNOPSIS
 .In openssl/bn.h
-.Ft void
-.Fo BN_zero_ex
-.Fa "BIGNUM *a"
-.Fc
 .Ft int
 .Fo BN_zero
 .Fa "BIGNUM *a"
@@ -117,7 +112,7 @@ platforms and
 .Vt unsigned int Pq = Vt uint32_t
 elsewhere.
 .Pp
-.Fn BN_zero_ex ,
+.Fn BN_zero ,
 .Fn BN_one ,
 and
 .Fn BN_set_word
@@ -126,16 +121,6 @@ set
 to the values 0, 1 and
 .Fa w
 respectively.
-.Fn BN_zero
-is a deprecated version of
-.Fn BN_zero_ex
-that may attempt to allocate memory; consequently, and in contrast to
-.Fn BN_zero_ex ,
-it may fail.
-.Fn BN_zero
-and
-.Fn BN_one
-are macros.
 .Pp
 .Fn BN_value_one
 returns a
@@ -174,10 +159,6 @@ first appeared in SSLeay 0.5.1.
 first appeared in SSLeay 0.6.0.
 These functions have been available since
 .Ox 2.4 .
-.Pp
-.Fn BN_zero_ex
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
 .Sh BUGS
 Someone might change the constant.
 .Pp

lib/libcrypto/man/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.248 2023/04/27 09:43:55 tb Exp $
+# $OpenBSD: Makefile,v 1.250 2023/04/30 19:40:23 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -265,7 +265,6 @@ MAN=	\
 	PKCS8_pkey_set0.3 \
 	PKEY_USAGE_PERIOD_new.3 \
 	POLICYINFO_new.3 \
-	PROXY_POLICY_new.3 \
 	RAND_add.3 \
 	RAND_bytes.3 \
 	RAND_load_file.3 \
@@ -377,9 +376,6 @@ MAN=	\
 	X509_load_cert_file.3 \
 	X509_new.3 \
 	X509_ocspid_print.3 \
-	X509_policy_check.3 \
-	X509_policy_tree_get0_policies.3 \
-	X509_policy_tree_level_count.3 \
 	X509_print_ex.3 \
 	X509_sign.3 \
 	X509_signature_dump.3 \
@@ -410,7 +406,6 @@ MAN=	\
 	d2i_PKCS8_PRIV_KEY_INFO.3 \
 	d2i_PKEY_USAGE_PERIOD.3 \
 	d2i_POLICYINFO.3 \
-	d2i_PROXY_POLICY.3 \
 	d2i_PrivateKey.3 \
 	d2i_RSAPublicKey.3 \
 	d2i_TS_REQ.3 \

lib/libcrypto/man/PROXY_POLICY_new.3

@@ -1,97 +0,0 @@
-.\"	$OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt PROXY_POLICY_NEW 3
-.Os
-.Sh NAME
-.Nm PROXY_POLICY_new ,
-.Nm PROXY_POLICY_free ,
-.Nm PROXY_CERT_INFO_EXTENSION_new ,
-.Nm PROXY_CERT_INFO_EXTENSION_free
-.Nd X.509 proxy certificate extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fn PROXY_POLICY_new void
-.Ft void
-.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fn PROXY_CERT_INFO_EXTENSION_new void
-.Ft void
-.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
-.Sh DESCRIPTION
-If a given non-CA certificate grants any privileges, using that
-certificate to issue a proxy certificate and handing that proxy
-certificate over to another person, organization, or service allows
-the bearer of the proxy certificate to exercise some or all of the
-privileges on behalf of the subject of the original certificate.
-.Pp
-.Fn PROXY_POLICY_new
-allocates and initializes an empty
-.Vt PROXY_POLICY
-object, representing an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-It defines which privileges are to be delegated.
-.Fn PROXY_POLICY_free
-frees
-.Fa pp .
-.Pp
-.Fn PROXY_CERT_INFO_EXTENSION_new
-allocates and initializes an empty
-.Vt PROXY_CERT_INFO_EXTENSION
-object, representing an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-It can contain a
-.Vt PROXY_POLICY
-object, and it can additionally restrict the maximum depth of the
-path of proxy certificates that can be signed by this proxy
-certificate.
-.Fn PROXY_CERT_INFO_EXTENSION_free
-frees
-.Fa pcie .
-.Pp
-If a non-CA certificate contains a
-.Vt PROXY_CERT_INFO_EXTENSION ,
-it is a proxy certificate; otherwise, it is an end entity certificate.
-.Sh RETURN VALUES
-.Fn PROXY_POLICY_new
-and
-.Fn PROXY_CERT_INFO_EXTENSION_new
-return the new
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_PROXY_POLICY 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .

lib/libcrypto/man/X509_EXTENSION_set_object.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.16 2023/04/25 18:48:32 tb Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -291,7 +291,6 @@ pointer.
 .Xr OCSP_SERVICELOC_new 3 ,
 .Xr PKEY_USAGE_PERIOD_new 3 ,
 .Xr POLICYINFO_new 3 ,
-.Xr PROXY_POLICY_new 3 ,
 .Xr TS_REQ_new 3 ,
 .Xr X509_check_ca 3 ,
 .Xr X509_check_host 3 ,

lib/libcrypto/man/X509_STORE_CTX_get_error.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.26 2023/04/21 06:45:56 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.27 2023/04/30 14:49:47 tb Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 21 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -86,8 +86,6 @@
 .Nm X509_STORE_CTX_get_chain ,
 .Nm X509_STORE_CTX_get1_chain ,
 .Nm X509_STORE_CTX_set0_verified_chain ,
-.Nm X509_STORE_CTX_get0_policy_tree ,
-.Nm X509_STORE_CTX_get_explicit_policy ,
 .Nm X509_verify_cert_error_string
 .Nd get or set certificate verification status information
 .Sh SYNOPSIS
@@ -152,14 +150,6 @@
 .Fa "X509_STORE_CTX *ctx"
 .Fa "STACK_OF(X509) *chain"
 .Fc
-.Ft X509_POLICY_TREE *
-.Fo X509_STORE_CTX_get0_policy_tree
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_get_explicit_policy
-.Fa "X509_STORE_CTX *ctx"
-.Fc
 .In openssl/x509.h
 .Ft const char *
 .Fo X509_verify_cert_error_string
@@ -337,24 +327,6 @@ return a pointer to a stack of certificates or
 .Dv NULL
 if an error occurs.
 .Pp
-.Fn X509_STORE_CTX_get0_policy_tree
-returns an internal pointer to the
-.Fa valid_policy_tree
-created by
-.Xr X509_policy_check 3
-or
-.Dv NULL
-if validation failed or the resulting tree was empty.
-.Pp
-.Fn X509_STORE_CTX_get_explicit_policy
-returns the
-.Pf * Fa pexplicit_policy
-output argument of
-.Xr X509_policy_check 3 .
-If validation succeeded, it is 1 if
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested or 0 otherwise.
-.Pp
 .Fn X509_verify_cert_error_string
 returns a human readable error string for verification error
 .Fa n .
@@ -576,8 +548,6 @@ This will never be returned unless explicitly set by an application.
 .\"  No CA signature digest algorithm too weak
 .El
 .Sh SEE ALSO
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_level_count 3 ,
 .Xr X509_STORE_CTX_new 3 ,
 .Xr X509_STORE_CTX_set_verify 3 ,
 .Xr X509_STORE_CTX_set_verify_cb 3 ,
@@ -599,12 +569,6 @@ first appeared in SSLeay 0.8.0 and have been available since
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
 .Pp
-.Fn X509_STORE_CTX_get0_policy_tree
-and
-.Fn X509_STORE_CTX_get_explicit_policy
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
 .Fn X509_STORE_CTX_get0_current_issuer ,
 .Fn X509_STORE_CTX_get0_current_crl ,
 and

lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.27 2022/12/01 05:33:55 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the
 verification strictly apply X509 rules.
 .Pp
 .Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-enables proxy certificate verification.
+deprecated flag that used to
+enable proxy certificate verification.
+In LibreSSL, this flag has no effect.
 .Pp
 .Dv X509_V_FLAG_POLICY_CHECK
 enables certificate policy checking; by default no policy checking is
@@ -566,8 +568,6 @@ If
 .Dv X509_V_FLAG_NOTIFY_POLICY
 is set and policy checking is successful, a special status code is
 sent to the verification callback.
-This permits it to examine the valid policy tree and perform additional
-checks or simply log it for debugging purposes.
 .Pp
 By default some additional features such as indirect CRLs and CRLs
 signed by different keys are disabled.

lib/libcrypto/man/X509_check_purpose.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.9 2022/12/17 12:48:53 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.10 2023/04/30 14:49:47 tb Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 17 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -412,7 +412,6 @@ can be used as a CA for the
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr X509_check_trust 3 ,
 .Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
 .Xr X509_PURPOSE_set 3 ,
 .Xr X509V3_get_d2i 3 ,
 .Xr x509v3.cnf 5

lib/libcrypto/man/X509_check_trust.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.7 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: X509_check_trust.3,v 1.8 2023/04/30 14:49:47 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_CHECK_TRUST 3
 .Os
 .Sh NAME
@@ -238,7 +238,6 @@ was never called before.
 .Xr X509_CERT_AUX_new 3 ,
 .Xr X509_check_purpose 3 ,
 .Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
 .Xr X509_TRUST_set 3 ,
 .Xr X509_VERIFY_PARAM_set_trust 3
 .Sh HISTORY

lib/libcrypto/man/X509_get_extension_flags.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.3 2021/11/11 13:58:59 schwarze Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 11 2021 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_GET_EXTENSION_FLAGS 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@ The certificate contains a basic constraints extension.
 The certificate contains basic constraints and asserts the CA flag.
 .It Dv EXFLAG_PROXY
 The certificate is a valid proxy certificate.
+In LibreSSL this flag is never set.
 .It Dv EXFLAG_SI
 The certificate is self issued (that is subject and issuer names match).
 .It Dv EXFLAG_SS
@@ -217,7 +218,6 @@ return sets of flags corresponding to the certificate extension values.
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr POLICYINFO_new 3 ,
-.Xr PROXY_CERT_INFO_EXTENSION_new 3 ,
 .Xr X509_check_ca 3 ,
 .Xr X509_check_purpose 3 ,
 .Xr X509_EXTENSION_new 3 ,

lib/libcrypto/man/X509_new.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.36 2021/11/18 10:09:24 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.37 2023/04/30 14:49:47 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 18 2021 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -229,8 +229,6 @@ if an error occurs.
 .Xr X509_NAME_new 3 ,
 .Xr X509_OBJECT_new 3 ,
 .Xr X509_PKEY_new 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_level_count 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,
 .Xr X509_PURPOSE_set 3 ,

lib/libcrypto/man/X509_policy_check.3

@@ -1,192 +0,0 @@
-.\" $OpenBSD: X509_policy_check.3,v 1.6 2021/11/11 12:06:25 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 11 2021 $
-.Dt X509_POLICY_CHECK 3
-.Os
-.Sh NAME
-.Nm X509_policy_check ,
-.Nm X509_policy_tree_free
-.Nd construct X.509 valid policy tree
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_policy_check
-.Fa "X509_POLICY_TREE **ptree"
-.Fa "int *pexplicit_policy"
-.Fa "STACK_OF(X509) *certs"
-.Fa "STACK_OF(ASN1_OBJECT) *policy_oids"
-.Fa "unsigned int flags"
-.Fc
-.Ft void
-.Fn X509_policy_tree_free "X509_POLICY_TREE *tree"
-.Sh DESCRIPTION
-.Fn X509_policy_check
-performs those parts of Basic Certification Path Validation
-described in RFC 5280 section 6.1 that are related to the
-construction of the valid policy tree.
-.Pp
-The
-.Fa certs
-input argument contains the prospective certification path
-according to RFC 5280 paragraph 6.1.1(a), starting with the
-target certificate and ending with the trust anchor.
-.Pp
-The
-.Fa policy_oids
-input argument contains the
-.Va user-initial-policy-set
-according to RFC 5280 section 6.1.1(c).
-It specifies a set of certificate policies acceptable to the certificate user.
-.Pp
-The
-.Fa flags
-argument can contain zero or more of the following constants, OR'ed together:
-.Bl -tag -width Ds
-.It Dv X509_V_FLAG_EXPLICIT_POLICY
-Set
-.Va initial-explicit-policy
-as defined by RFC 5280 paragraph 6.1.1(f).
-It requires the path to be valid for at least one of the
-.Fa policy_oids .
-.It Dv X509_V_FLAG_INHIBIT_ANY
-Set
-.Va initial-any-policy-inhibit
-as defined by RFC 5280 paragraph 6.1.1(g).
-It causes the
-.Sy anyPolicy
-OID to be skipped if it is encountered in a certificate.
-.It Dv X509_V_FLAG_INHIBIT_MAP
-Set
-.Va initial-policy-mapping-inhibit
-as defined by RFC 5280 paragraph 6.1.1(e).
-It disables policy mapping in the certification path.
-.El
-.Pp
-Upon success and in some cases of failure, the storage location pointed to by
-.Fa pexplicit_policy
-is set to 1 if
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested.
-Otherwise, it is set to 0.
-.Pp
-In many cases of success and in a few cases of failure, a pointer to the
-.Vt valid_policy_tree
-output value mentioned in RFC 5280 section 6.1.6 is returned in
-.Pf * Fa ptree .
-It contains one level for each of the
-.Fa certs ,
-in reverse order: level 0 corresponds to the trust anchor,
-the last level corresponds to the target certificate.
-Level 0 is initialized to contain a single node with a
-.Fa valid_policy
-of
-.Sy anyPolicy
-and an empty
-.Fa qualifier_set .
-.Pp
-If a policy tree is returned, the reference count of each of the
-.Fa certs
-is incremented by 1.
-In that case, the caller is responsible for calling
-.Fn X509_policy_tree_free
-to release all memory used by the
-.Fa tree
-and to decrement the reference counts
-of the certificates referenced from it by 1.
-If
-.Fa tree
-is a
-.Dv NULL
-pointer,
-.Fn X509_policy_tree_free
-has no effect.
-.Sh RETURN VALUES
-.Fn X509_policy_check
-returns these values:
-.Bl -tag -width 2n
-.It \-2
-Validation failed because
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was requested but the resulting policy tree
-or the resulting user policy set would have been empty.
-In this case,
-.Pf * Fa pexplicit_policy
-is set to 1.
-If the resulting tree is empty,
-.Pf * Fa ptree
-is set to
-.Dv NULL ;
-otherwise, it is set to the resulting tree.
-.It \-1
-At least one of the
-.Fa certs
-contains invalid or inconsistent extensions.
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-to 0.
-.It 0
-Internal error.
-For example, setting up the policy caches failed, or memory allocation
-failed while constructing the tree.
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-may or may not be set.
-.It 1
-Validation succeeded and
-.Pf * Fa ptree
-and
-.Pf * Fa pexplicit_policy
-have been set.
-In the special cases that the
-.Fa certs
-argument contains exactly one certificate or that
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-was not requested and at least one of the certificates contains no
-certificate policies or the resulting policy tree would have been empty,
-.Pf * Fa ptree
-is set to
-.Dv NULL
-and
-.Pf * Fa pexplicit_policy
-to 0.
-.El
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_check_trust 3 ,
-.Xr X509_new 3 ,
-.Xr X509_policy_tree_get0_policies 3 ,
-.Xr X509_policy_tree_level_count 3 ,
-.Xr X509_verify_cert 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-.Fn X509_policy_check
-and
-.Fn X509_policy_tree_free
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .

lib/libcrypto/man/X509_policy_tree_get0_policies.3

@@ -1,101 +0,0 @@
-.\" $OpenBSD: X509_policy_tree_get0_policies.3,v 1.1 2021/11/11 12:06:25 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 11 2021 $
-.Dt X509_POLICY_TREE_GET0_POLICIES 3
-.Os
-.Sh NAME
-.Nm X509_policy_tree_get0_policies ,
-.Nm X509_policy_tree_get0_user_policies
-.Nd retrieve arrays of policy tree nodes
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft STACK_OF(X509_POLICY_NODE) *
-.Fn X509_policy_tree_get0_policies "const X509_POLICY_TREE *tree"
-.Ft STACK_OF(X509_POLICY_NODE) *
-.Fn X509_policy_tree_get0_user_policies "const X509_POLICY_TREE *tree"
-.Sh DESCRIPTION
-The
-.Em authority set
-and the
-.Em user set
-are arrays of nodes from a policy
-.Fa tree .
-.Pp
-If the last level of a
-.Fa tree ,
-or equivalently, all levels of it, contain an
-.Sy anyPolicy
-node, the authority set contains
-only this anyPolicy node from the last level.
-Unless the array of
-.Fa policy_oids
-passed to
-.Xr X509_policy_check 3
-contained an anyPolicy object,
-the user set contains one node for each of the
-.Fa policy_oids ;
-specifically, the first matching node that is a child of an anyPolicy node.
-.Pp
-If the last level of the
-.Fa tree
-does not contain an
-.Sy anyPolicy
-node, the authority set contains
-all non-anyPolicy nodes that are children of anyPolicy nodes.
-For each element of the
-.Fa policy_oids ,
-the user set contains the first node from the authority set
-matching it, if any.
-.Pp
-These functions are intended to be called after
-.Xr X509_policy_check 3
-was called either directly or indirectly through
-.Xr X509_verify_cert 3 .
-.Sh RETURN VALUES
-.Fn X509_policy_tree_get0_policies
-returns an internal pointer to the authority set
-or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL .
-.Pp
-.Fn X509_policy_tree_get0_user_policies
-returns an internal pointer to the user set or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL
-or if the array of
-.Fa policy_oids
-passed to
-.Xr X509_policy_check 3
-was empty or contained an anyPolicy object.
-.Sh SEE ALSO
-.Xr STACK_OF 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_level_get0_node 3 ,
-.Xr X509_STORE_CTX_get0_policy_tree 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-These function first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .

lib/libcrypto/man/X509_policy_tree_level_count.3

@@ -1,178 +0,0 @@
-.\" $OpenBSD: X509_policy_tree_level_count.3,v 1.5 2022/09/10 08:50:53 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 10 2022 $
-.Dt X509_POLICY_TREE_LEVEL_COUNT 3
-.Os
-.Sh NAME
-.Nm X509_policy_tree_level_count ,
-.Nm X509_policy_tree_get0_level ,
-.Nm X509_policy_level_node_count ,
-.Nm X509_policy_level_get0_node ,
-.Nm X509_policy_node_get0_policy ,
-.Nm X509_policy_node_get0_qualifiers ,
-.Nm X509_policy_node_get0_parent
-.Nd inspect X.509 policy tree objects
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fn X509_policy_tree_level_count "const X509_POLICY_TREE *tree"
-.Ft X509_POLICY_LEVEL *
-.Fn X509_policy_tree_get0_level "const X509_POLICY_TREE *tree" "int index"
-.Ft int
-.Fn X509_policy_level_node_count "X509_POLICY_LEVEL *level"
-.Ft X509_POLICY_NODE *
-.Fn X509_policy_level_get0_node "X509_POLICY_LEVEL *level" "int index"
-.Ft const ASN1_OBJECT *
-.Fn X509_policy_node_get0_policy "const X509_POLICY_NODE *node"
-.Ft STACK_OF(POLICYQUALINFO) *
-.Fn X509_policy_node_get0_qualifiers "const X509_POLICY_NODE *node"
-.Ft const X509_POLICY_NODE *
-.Fn X509_policy_node_get0_parent "const X509_POLICY_NODE *node"
-.Sh DESCRIPTION
-The
-.Vt X509_POLICY_TREE
-object represents a
-.Vt valid_policy_tree
-as described in RFC 5280 section 6.1.
-.Pp
-The
-.Vt X509_POLICY_LEVEL
-object represents one level of such a tree,
-corresponding to one certificate.
-.Pp
-The
-.Vt X509_POLICY_NODE
-object represents one node in the tree.
-.Sh RETURN VALUES
-.Fn X509_policy_tree_level_count
-returns the number of levels in the
-.Fa tree
-or 0 if the
-.Fa tree
-argument is
-.Dv NULL .
-If it is not 0, it equals the number of certificates in the
-certification path the tree was created from, including both
-the target certificate and the trust anchor.
-.Pp
-.Fn X509_policy_tree_get0_level
-returns an internal pointer to the level of the
-.Fa tree
-with the given
-.Fa index
-or
-.Dv NULL
-if the
-.Fa tree
-argument is
-.Dv NULL
-or the
-.Fa index
-is less than 0 or greater than or equal to the number of levels in the
-.Fa tree .
-An
-.Fa index
-of 0 corresponds to the trust anchor
-and the last level corresponds to the target certificate.
-.Pp
-.Fn X509_policy_level_node_count
-returns the number of nodes on the
-.Fa level ,
-including an
-.Sy anyPolicy
-node if it is present, or 0 if the
-.Fa level
-argument is
-.Dv NULL .
-.Pp
-.Fn X509_policy_level_get0_node
-returns an internal pointer to the node on the
-.Fa level
-with the given
-.Fa index
-or
-.Dv NULL
-if the
-.Fa level
-argument is
-.Dv NULL
-or the
-.Fa index
-is less than 0 or greater than or equal to the number of nodes on the level.
-If an
-.Sy anyPolicy
-node is present on the level, it can be retrieved by passing an
-.Fa index
-of 0.
-.Pp
-.Fn X509_policy_node_get0_policy
-returns an internal pointer to the
-.Fa valid_policy
-child object of the node or
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL .
-It represents a single policy that is valid for the path
-from the trust anchor to the certificate corresponding
-to the level containing the
-.Fa node .
-.Pp
-.Fn X509_policy_node_get0_qualifiers
-returns an internal pointer to the
-.Fa qualifier_set
-child object of the node or
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL .
-It contains the policy qualifiers associated with the
-.Fa valid_policy
-of the
-.Fa node
-in the certificate corresponding to the level containing the
-.Fa node .
-.Pp
-.Fn X509_policy_node_get0_parent
-returns
-.Dv NULL
-if the
-.Fa node
-argument is
-.Dv NULL
-or located on level 0.
-Otherwise, it returns an internal pointer to the parent node of the
-.Fa node
-argument.
-The parent node is always located on the previous level.
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr OBJ_obj2txt 3 ,
-.Xr POLICYQUALINFO_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_policy_tree_get0_policies 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 6.1: Basic Path Validation
-.Sh HISTORY
-These function first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .

lib/libcrypto/man/d2i_PROXY_POLICY.3

@@ -1,97 +0,0 @@
-.\"	$OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt D2I_PROXY_POLICY 3
-.Os
-.Sh NAME
-.Nm d2i_PROXY_POLICY ,
-.Nm i2d_PROXY_POLICY ,
-.Nm d2i_PROXY_CERT_INFO_EXTENSION ,
-.Nm i2d_PROXY_CERT_INFO_EXTENSION
-.Nd decode and encode X.509 proxy certificate extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fo d2i_PROXY_POLICY
-.Fa "PROXY_POLICY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_POLICY
-.Fa "PROXY_POLICY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fo d2i_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions encode and decode X.509 extensions that decide
-whether a certificate is a proxy certificate, and which policies
-apply to it.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PROXY_POLICY
-and
-.Fn i2d_PROXY_POLICY
-decode and encode an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-.Pp
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-decode and encode an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-.Sh RETURN VALUES
-.Fn d2i_PROXY_POLICY
-and
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-return a
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PROXY_POLICY
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PROXY_POLICY_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .

lib/libcrypto/x509/x509_vfy.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.120 2023/04/30 14:59:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -156,14 +156,6 @@ null_callback(int ok, X509_STORE_CTX *e)
 	return ok;
 }
 
-#if 0
-static int
-x509_subject_cmp(X509 **a, X509 **b)
-{
-	return X509_subject_name_cmp(*a, *b);
-}
-#endif
-
 /* Return 1 if a certificate is self signed */
 static int
 cert_self_signed(X509 *x)
@@ -1743,7 +1735,6 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	return 1;
 }
 
-
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {

regress/lib/libcrypto/man/check_complete.pl

@@ -27,8 +27,8 @@ my %internal = (
     bn => [qw(
 	BN_BITS BN_BITS4 BN_BYTES
 	BN_DEC_CONV BN_DEC_FMT1 BN_DEC_FMT2 BN_DEC_NUM BN_LLONG BN_LONG
-	BN_MASK2 BN_MASK2h BN_MASK2h1 BN_MASK2l BN_MUL_COMBA
-	BN_RECURSION BN_SQR_COMBA BN_TBIT BN_ULLONG
+	BN_MASK2 BN_MASK2h BN_MASK2h1 BN_MASK2l
+	BN_TBIT BN_ULLONG
     )],
     objects => [qw(
 	OBJ_bsearch OBJ_bsearch_ OBJ_bsearch_ex OBJ_bsearch_ex_
@@ -58,9 +58,8 @@ my %obsolete = (
 	BIO_set_proxy_cb BIO_set_proxy_header BIO_set_url
     )],
     bn => [qw(
-	BN_FLG_EXP_CONSTTIME BN_FLG_FREE BN_get_params
 	BN_HEX_FMT1 BN_HEX_FMT2 BN_MASK
-	BN_options BN_prime_checks BN_set_params
+	BN_options BN_prime_checks
     )],
     objects => [qw(
 	_DECLARE_OBJ_BSEARCH_CMP_FN

regress/lib/libcrypto/x509/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.19 2023/04/28 09:11:35 beck Exp $
+#	$OpenBSD: Makefile,v 1.21 2023/04/30 05:02:59 tb Exp $
 
 PROGS =	constraints verify x509attribute x509name x509req_ext callback
 PROGS += expirecallback callbackfailures x509_asn1
@@ -13,7 +13,7 @@ CFLAGS +=	-DLIBRESSL_INTERNAL -Wall -Werror
 CFLAGS +=	-I${.CURDIR}/../../../../lib/libcrypto/x509
 CFLAGS += 	-I${.CURDIR}/../../../../lib/libcrypto/bytestring
 
-SUBDIR += bettertls rfc3779 policy
+SUBDIR += bettertls policy rfc3779
 
 CLEANFILES +=	x509name.result callback.out
 
@@ -24,9 +24,6 @@ CLEANFILES +=	x509name.result callback.out
 . endif
 .endif
 
-run-regress-x509_asn1: x509_asn1
-	./x509_asn1
-
 run-regress-verify: verify
 	perl ${.CURDIR}/make-dir-roots.pl ${.CURDIR}/../certs .
 	./verify ${.CURDIR}/../certs

regress/lib/libcrypto/x509/policy/Makefile

@@ -1,22 +1,15 @@
-#	$OpenBSD: Makefile,v 1.3 2023/04/28 16:18:17 tb Exp $
+#	$OpenBSD: Makefile,v 1.4 2023/04/30 04:55:30 tb Exp $
 
 PROGS =		policy
 
-LDADD =	-lcrypto
+LDADD =	${CRYPTO_INT}
 DPADD =	${LIBCRYPTO}
 
-LDADD_policy = ${CRYPTO_INT}
-
 WARNINGS =	Yes
 CFLAGS +=	-DLIBRESSL_INTERNAL -Wall -Werror
 CFLAGS +=	-I${.CURDIR}/../../../../../lib/libcrypto/x509
 CFLAGS += 	-I${.CURDIR}/../../../../../lib/libcrypto/bytestring
 CFLAGS += 	-DCERTSDIR=\"${.CURDIR}/../../../libcrypto/x509/policy\"
 
-REGRESS_TARGETS =  policy-test
-
-policy-test:	policy
-	./policy 
-
 .include "../../Makefile.inc"
 .include <bsd.regress.mk>

regress/lib/libcrypto/x509/x509_asn1.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_asn1.c,v 1.14 2023/04/28 18:32:40 job Exp $ */
+/* $OpenBSD: x509_asn1.c,v 1.15 2023/04/30 21:31:16 tb Exp $ */
 /*
  * Copyright (c) 2023 Job Snijders <job@openbsd.org>
  *
@@ -253,7 +253,7 @@ test_x509_setters(void)
 	x509_set_name(X509_set_issuer_name, &x, "NL");
 	x509_set_name(X509_set_subject_name, &x, "BE");
 
-	// one time creation of the original DER
+	/* one time creation of the original DER */
 	if (!X509_sign(x, pkey, EVP_sha256()))
 		errx(1, "X509_sign");
 	if ((dersz = i2d_X509(x, &der)) <= 0)
@@ -339,7 +339,7 @@ test_x509_crl_setters(void)
 	x509_crl_set_time(X509_CRL_set_nextUpdate, &xc, 60);
 	x509_crl_set_name(X509_CRL_set_issuer_name, &xc, "NL");
 
-	// one time creation of the original DER
+	/* one time creation of the original DER */
 	if (!X509_CRL_sign(xc, pkey, EVP_sha256()))
 		errx(1, "X509_CRL_sign");
 	if ((dersz = i2d_X509_CRL(xc, &der)) <= 0)
@@ -517,8 +517,8 @@ int main(void)
 	int failed = 0;
 
 	failed |= test_x509_setters();
-	failed |= test_x509_crl_setters();
-	failed |= test_x509_req_setters();
+	/* failed |= */ test_x509_crl_setters();
+	/* failed |= */ test_x509_req_setters();
 
 	OPENSSL_cleanup();
 

sbin/slaacd/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.84 2022/08/26 00:02:08 kn Exp $	*/
+/*	$OpenBSD: engine.c,v 1.85 2023/04/30 13:08:40 phessler Exp $	*/
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -1927,7 +1927,7 @@ update_iface_ra_prefix(struct slaacd_iface *iface, struct radv *ra,
     struct radv_prefix *prefix)
 {
 	struct address_proposal	*addr_proposal;
-	uint32_t		 remaining_lifetime, pltime, vltime;
+	uint32_t		 pltime, vltime;
 	int			 found, found_temporary, duplicate_found;
 
 	found = found_temporary = duplicate_found = 0;
@@ -1966,16 +1966,7 @@ update_iface_ra_prefix(struct slaacd_iface *iface, struct radv *ra,
 			continue;
 		}
 
-		remaining_lifetime = real_lifetime(&addr_proposal->uptime,
-			addr_proposal->vltime);
-
-		/* RFC 4862 5.5.3 two hours rule */
-#define TWO_HOURS 2 * 3600
-		if (prefix->vltime > TWO_HOURS ||
-		    prefix->vltime >= remaining_lifetime)
-			vltime = prefix->vltime;
-		else
-			vltime = TWO_HOURS;
+		vltime = prefix->vltime;
 
 		if (addr_proposal->temporary) {
 			struct timespec	now;

sbin/unwind/frontend.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: frontend.c,v 1.77 2023/02/08 08:01:25 tb Exp $	*/
+/*	$OpenBSD: frontend.c,v 1.78 2023/04/30 23:46:52 jsg Exp $	*/
 
 /*
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -1747,6 +1747,7 @@ tcp_response(int fd, short events, void *arg)
 		if (errno == EAGAIN || errno == EINTR)
 			return;
 		free_pending_query(pq);
+		return;
 	}
 	sldns_buffer_skip(pq->abuf, n);
 	if (sldns_buffer_remaining(pq->abuf) == 0)

sys/arch/amd64/amd64/efi_machdep.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efi_machdep.c,v 1.5 2023/01/14 12:11:10 kettenis Exp $	*/
+/*	$OpenBSD: efi_machdep.c,v 1.6 2023/04/30 17:24:24 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2022 Mark Kettenis <kettenis@openbsd.org>
@@ -40,8 +40,6 @@ const struct cfattach efi_ca = {
 };
 
 void	efi_map_runtime(struct efi_softc *);
-int	efi_gettime(struct todr_chip_handle *, struct timeval *);
-int	efi_settime(struct todr_chip_handle *, struct timeval *);
 
 label_t efi_jmpbuf;
 
@@ -67,8 +65,6 @@ efi_attach(struct device *parent, struct device *self, void *aux)
 	uint64_t system_table;
 	bus_space_handle_t memh;
 	EFI_SYSTEM_TABLE *st;
-	EFI_TIME time;
-	EFI_STATUS status;
 	uint16_t major, minor;
 	int i;
 
@@ -121,25 +117,6 @@ efi_attach(struct device *parent, struct device *self, void *aux)
 		printf(" rev 0x%x\n", st->FirmwareRevision);
 	}
 	efi_leave(sc);
-
-	if (efi_enter_check(sc))
-		return;
-	status = sc->sc_rs->GetTime(&time, NULL);
-	efi_leave(sc);
-	if (status != EFI_SUCCESS)
-		return;
-
-	/*
-	 * EDK II implementations provide an implementation of
-	 * GetTime() that returns a fixed compiled-in time on hardware
-	 * without a (supported) RTC.  So only use this interface as a
-	 * last resort.
-	 */
-	sc->sc_todr.cookie = sc;
-	sc->sc_todr.todr_gettime = efi_gettime;
-	sc->sc_todr.todr_settime = efi_settime;
-	sc->sc_todr.todr_quality = -1000;
-	todr_attach(&sc->sc_todr);
 }
 
 void
@@ -243,65 +220,3 @@ efi_leave(struct efi_softc *sc)
 	lcr3(sc->sc_cr3);
 	intr_restore(sc->sc_psw);
 }
-
-int
-efi_gettime(struct todr_chip_handle *handle, struct timeval *tv)
-{
-	struct efi_softc *sc = handle->cookie;
-	struct clock_ymdhms dt;
-	EFI_TIME time;
-	EFI_STATUS status;
-
-	if (efi_enter_check(sc))
-		return EFAULT;
-	status = sc->sc_rs->GetTime(&time, NULL);
-	efi_leave(sc);
-	if (status != EFI_SUCCESS)
-		return EIO;
-
-	dt.dt_year = time.Year;
-	dt.dt_mon = time.Month;
-	dt.dt_day = time.Day;
-	dt.dt_hour = time.Hour;
-	dt.dt_min = time.Minute;
-	dt.dt_sec = time.Second;
-
-	if (dt.dt_sec > 59 || dt.dt_min > 59 || dt.dt_hour > 23 ||
-	    dt.dt_day > 31 || dt.dt_day == 0 ||
-	    dt.dt_mon > 12 || dt.dt_mon == 0 ||
-	    dt.dt_year < POSIX_BASE_YEAR)
-		return EINVAL;
-
-	tv->tv_sec = clock_ymdhms_to_secs(&dt);
-	tv->tv_usec = 0;
-	return 0;
-}
-
-int
-efi_settime(struct todr_chip_handle *handle, struct timeval *tv)
-{
-	struct efi_softc *sc = handle->cookie;
-	struct clock_ymdhms dt;
-	EFI_TIME time;
-	EFI_STATUS status;
-
-	clock_secs_to_ymdhms(tv->tv_sec, &dt);
-
-	time.Year = dt.dt_year;
-	time.Month = dt.dt_mon;
-	time.Day = dt.dt_day;
-	time.Hour = dt.dt_hour;
-	time.Minute = dt.dt_min;
-	time.Second = dt.dt_sec;
-	time.Nanosecond = 0;
-	time.TimeZone = 0;
-	time.Daylight = 0;
-
-	if (efi_enter_check(sc))
-		return EFAULT;
-	status = sc->sc_rs->SetTime(&time);
-	efi_leave(sc);
-	if (status != EFI_SUCCESS)
-		return EIO;
-	return 0;
-}

sys/arch/octeon/stand/boot/Makefile

@@ -1,11 +1,11 @@
-#	$OpenBSD: Makefile,v 1.11 2023/04/28 08:45:26 krw Exp $
+#	$OpenBSD: Makefile,v 1.12 2023/04/30 22:28:27 krw Exp $
 
 NOMAN=
 #MAN=		boot.8
 
 RDBOOT=		${.CURDIR}/../rdboot/obj/rdboot
 
-MRDISKTYPE= rdroot
+MRDISKTYPE= rdboot
 MRMAKEFSARGS= -o disklabel=${MRDISKTYPE},minfree=0,density=1024
 
 .if ${MACHINE} == "octeon"

sys/dev/pci/drm/amd/amdgpu/amdgpu_devlist.h

@@ -205,7 +205,8 @@ static const struct pci_matchid amdgpu_devices[] = {
 	/* GC 11.0.0, DCN 3.2.0, dGPU, Radeon RX 7900 XT/XTX "Navi 31" */
 	{0x1002, 0x744c },
 
-	/* GC 11.0.1, DCN 3.1.4, APU */
+	/* GC 11.0.1, DCN 3.1.4, APU, Ryzen 7040 "Phoenix" */
+	{0x1002, 0x15bf },
 
 	/* GC 11.0.2, DCN 3.2.1, dGPU, "Navi 33" */
 	{0x1002, 0x7480 },

sys/dev/pci/pcidevs

@@ -1,4 +1,4 @@
-$OpenBSD: pcidevs,v 1.2032 2023/04/25 21:57:29 kettenis Exp $
+$OpenBSD: pcidevs,v 1.2033 2023/04/30 23:38:52 jsg Exp $
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
 
 /*
@@ -1278,6 +1278,7 @@ product ATI CYAN_SKILLFISH_2	0x143f	Cyan Skillfish
 product ATI PPB_1		0x1478	PCIE
 product ATI PPB_2		0x1479	PCIE
 product ATI MENDOCINO		0x1506	Mendocino
+product ATI PHOENIX		0x15bf	Phoenix
 product ATI PICASSO		0x15d8	Picasso
 product ATI RAVEN_VEGA		0x15dd	Radeon Vega
 product ATI RAVEN_VEGA_HDA	0x15de	Radeon Vega HD Audio

sys/dev/pci/pcidevs.h

@@ -2,7 +2,7 @@
  * THIS FILE AUTOMATICALLY GENERATED.  DO NOT EDIT.
  *
  * generated from:
- *	OpenBSD: pcidevs,v 1.2032 2023/04/25 21:57:29 kettenis Exp 
+ *	OpenBSD: pcidevs,v 1.2033 2023/04/30 23:38:52 jsg Exp 
  */
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
 
@@ -1283,6 +1283,7 @@
 #define	PCI_PRODUCT_ATI_PPB_1	0x1478		/* PCIE */
 #define	PCI_PRODUCT_ATI_PPB_2	0x1479		/* PCIE */
 #define	PCI_PRODUCT_ATI_MENDOCINO	0x1506		/* Mendocino */
+#define	PCI_PRODUCT_ATI_PHOENIX	0x15bf		/* Phoenix */
 #define	PCI_PRODUCT_ATI_PICASSO	0x15d8		/* Picasso */
 #define	PCI_PRODUCT_ATI_RAVEN_VEGA	0x15dd		/* Radeon Vega */
 #define	PCI_PRODUCT_ATI_RAVEN_VEGA_HDA	0x15de		/* Radeon Vega HD Audio */

sys/dev/pci/pcidevs_data.h

@@ -2,7 +2,7 @@
  * THIS FILE AUTOMATICALLY GENERATED.  DO NOT EDIT.
  *
  * generated from:
- *	OpenBSD: pcidevs,v 1.2032 2023/04/25 21:57:29 kettenis Exp 
+ *	OpenBSD: pcidevs,v 1.2033 2023/04/30 23:38:52 jsg Exp 
  */
 
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
@@ -3259,6 +3259,10 @@ static const struct pci_known_product pci_known_products[] = {
 	    PCI_VENDOR_ATI, PCI_PRODUCT_ATI_MENDOCINO,
 	    "Mendocino",
 	},
+	{
+	    PCI_VENDOR_ATI, PCI_PRODUCT_ATI_PHOENIX,
+	    "Phoenix",
+	},
 	{
 	    PCI_VENDOR_ATI, PCI_PRODUCT_ATI_PICASSO,
 	    "Picasso",

sys/msdosfs/msdosfs_fat.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: msdosfs_fat.c,v 1.34 2021/03/11 13:31:35 jsg Exp $	*/
+/*	$OpenBSD: msdosfs_fat.c,v 1.35 2023/04/30 17:16:36 sf Exp $	*/
 /*	$NetBSD: msdosfs_fat.c,v 1.26 1997/10/17 11:24:02 ws Exp $	*/
 
 /*-
@@ -409,6 +409,7 @@ updatefats(struct msdosfsmount *pmp, struct buf *bp, uint32_t fatbn)
 static __inline void
 usemap_alloc(struct msdosfsmount *pmp, uint32_t cn)
 {
+	KASSERT(cn <= pmp->pm_maxcluster);
 
 	pmp->pm_inusemap[cn / N_INUSEBITS] |= 1 << (cn % N_INUSEBITS);
 	pmp->pm_freeclustercount--;
@@ -417,6 +418,7 @@ usemap_alloc(struct msdosfsmount *pmp, uint32_t cn)
 static __inline void
 usemap_free(struct msdosfsmount *pmp, uint32_t cn)
 {
+	KASSERT(cn <= pmp->pm_maxcluster);
 
 	pmp->pm_freeclustercount++;
 	pmp->pm_inusemap[cn / N_INUSEBITS] &= ~(1 << (cn % N_INUSEBITS));
@@ -644,6 +646,8 @@ chainlength(struct msdosfsmount *pmp, uint32_t start, uint32_t count)
 	u_int map;
 	uint32_t len;
 
+	if (start > pmp->pm_maxcluster)
+	    return (0);
 	max_idx = pmp->pm_maxcluster / N_INUSEBITS;
 	idx = start / N_INUSEBITS;
 	start %= N_INUSEBITS;
@@ -651,11 +655,15 @@ chainlength(struct msdosfsmount *pmp, uint32_t start, uint32_t count)
 	map &= ~((1 << start) - 1);
 	if (map) {
 		len = ffs(map) - 1 - start;
-		return (len > count ? count : len);
+		len = MIN(len, count);
+		len = MIN(len, pmp->pm_maxcluster - start + 1);
+		return (len);
 	}
 	len = N_INUSEBITS - start;
-	if (len >= count)
-		return (count);
+	if (len >= count) {
+		len = MIN(count, pmp->pm_maxcluster - start + 1);
+		return (len);
+	}
 	while (++idx <= max_idx) {
 		if (len >= count)
 			break;
@@ -665,7 +673,9 @@ chainlength(struct msdosfsmount *pmp, uint32_t start, uint32_t count)
 		}
 		len += N_INUSEBITS;
 	}
-	return (len > count ? count : len);
+	len = MIN(len, count);
+	len = MIN(len, pmp->pm_maxcluster - start + 1);
+	return (len);
 }
 
 /*

usr.bin/ssh/sftp-client.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.170 2023/03/28 07:44:32 dtucker Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.171 2023/04/30 22:54:22 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -1580,7 +1580,7 @@ do_download(struct sftp_conn *conn, const char *remote_path,
 	u_char *handle;
 	int local_fd = -1, write_error;
 	int read_error, write_errno, lmodified = 0, reordered = 0, r;
-	u_int64_t offset = 0, size, highwater;
+	u_int64_t offset = 0, size, highwater = 0, maxack = 0;
 	u_int mode, id, buflen, num_req, max_req, status = SSH2_FX_OK;
 	off_t progress_counter;
 	size_t handle_len;
@@ -1627,7 +1627,6 @@ do_download(struct sftp_conn *conn, const char *remote_path,
 		error("open local \"%s\": %s", local_path, strerror(errno));
 		goto fail;
 	}
-	offset = highwater = 0;
 	if (resume_flag) {
 		if (fstat(local_fd, &st) == -1) {
 			error("stat local \"%s\": %s",
@@ -1648,7 +1647,7 @@ do_download(struct sftp_conn *conn, const char *remote_path,
 				close(local_fd);
 			return -1;
 		}
-		offset = highwater = st.st_size;
+		offset = highwater = maxack = st.st_size;
 	}
 
 	/* Read from remote and write to local */
@@ -1730,11 +1729,21 @@ do_download(struct sftp_conn *conn, const char *remote_path,
 				write_errno = errno;
 				write_error = 1;
 				max_req = 0;
+			} else {
+				/*
+				 * Track both the highest offset acknowledged
+				 * and the highest *contiguous* offset
+				 * acknowledged.
+				 * We'll need the latter for ftruncate()ing
+				 * interrupted transfers.
+				 */
+				if (maxack < req->offset + len)
+					maxack = req->offset + len;
+				if (!reordered && req->offset <= highwater)
+					highwater = maxack;
+				else if (!reordered && req->offset > highwater)
+					reordered = 1;
 			}
-			else if (!reordered && req->offset <= highwater)
-				highwater = req->offset + len;
-			else if (!reordered && req->offset > highwater)
-				reordered = 1;
 			progress_counter += len;
 			free(data);
 
@@ -1783,12 +1792,19 @@ do_download(struct sftp_conn *conn, const char *remote_path,
 	/* Sanity check */
 	if (TAILQ_FIRST(&requests) != NULL)
 		fatal("Transfer complete, but requests still in queue");
+
+	if (!read_error && !write_error && !interrupted) {
+		/* we got everything */
+		highwater = maxack;
+	}
+
 	/*
 	 * Truncate at highest contiguous point to avoid holes on interrupt,
 	 * or unconditionally if writing in place.
 	 */
 	if (inplace_flag || read_error || write_error || interrupted) {
-		if (reordered && resume_flag) {
+		if (reordered && resume_flag &&
+		    (read_error || write_error || interrupted)) {
 			error("Unable to resume download of \"%s\": "
 			    "server reordered requests", local_path);
 		}
@@ -1984,7 +2000,7 @@ do_upload(struct sftp_conn *conn, const char *local_path,
 	struct stat sb;
 	Attrib a, t, *c = NULL;
 	u_int32_t startid, ackid;
-	u_int64_t highwater = 0;
+	u_int64_t highwater = 0, maxack = 0;
 	struct request *ack = NULL;
 	struct requests acks;
 	size_t handle_len;
@@ -2125,8 +2141,16 @@ do_upload(struct sftp_conn *conn, const char *local_path,
 			    ack->id, ack->len, (unsigned long long)ack->offset);
 			++ackid;
 			progress_counter += ack->len;
+			/*
+			 * Track both the highest offset acknowledged and the
+			 * highest *contiguous* offset acknowledged.
+			 * We'll need the latter for ftruncate()ing
+			 * interrupted transfers.
+			 */
+			if (maxack < ack->offset + ack->len)
+				maxack = ack->offset + ack->len;
 			if (!reordered && ack->offset <= highwater)
-				highwater = ack->offset + ack->len;
+				highwater = maxack;
 			else if (!reordered && ack->offset > highwater) {
 				debug3_f("server reordered ACKs");
 				reordered = 1;
@@ -2143,6 +2167,10 @@ do_upload(struct sftp_conn *conn, const char *local_path,
 		stop_progress_meter();
 	free(data);
 
+	if (status == SSH2_FX_OK && !interrupted) {
+		/* we got everything */
+		highwater = maxack;
+	}
 	if (status != SSH2_FX_OK) {
 		error("write remote \"%s\": %s", remote_path, fx2txt(status));
 		status = SSH2_FX_FAILURE;

usr.sbin/rpki-client/rpki-client.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: rpki-client.8,v 1.94 2023/04/26 22:05:28 beck Exp $
+.\"	$OpenBSD: rpki-client.8,v 1.95 2023/04/30 20:10:38 benno Exp $
 .\"
 .\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 26 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt RPKI-CLIENT 8
 .Os
 .Sh NAME
@@ -63,7 +63,8 @@ in various formats.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl A
-Exclude the aspa-set in the OpenBGPD specific output file.
+Exclude the ASPA-set from the output files that support it (JSON and
+OpenBGPD).
 .It Fl B
 Create output in the files
 .Pa bird1v4 ,