CVS: cvs.openbsd.org: src

2023-12-26 Thread Theo Buehler
CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/12/27 00:17:39

Modified files:
    usr.sbin/rpki-client: rrdp_delta.c rrdp_notification.c rrdp_snapshot.c

Log message:
Mark rrdp debug logging functions as used in regress

ok claudio



CVS: cvs.openbsd.org: src

2023-12-26 Thread Theo Buehler
CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/12/27 00:15:55

Modified files:
    usr.sbin/rpki-client: as.c constraints.c extern.h ip.c validate.c

Log message:
Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job
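
The RFC 3779 decoding this commit message refers to, as an added example that is not rpki-client's code; the function name, the `fill` parameter, the use of inet_ntop(3) for formatting and the sample range are assumptions made here. RFC 3779 stores a range's upper bound as a BIT STRING with its trailing 1 bits stripped, so the missing bits must be filled with 1 before the address is formatted.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: upper bound of the range 10.5.1.0 - 10.5.3.255,
 * encoded as 22 significant bits (3 octets, 2 unused bits). */
static const uint8_t sample_max[] = { 0x0a, 0x05, 0x00 };

/*
 * Expand an RFC 3779 BIT STRING (octets bs[0..len-1], `unused` padding
 * bits in the last octet) to a full address and format it. fill is 0x00
 * for a prefix or range minimum and 0xff for a range maximum.
 * Returns NULL on malformed input.
 */
const char *
rfc3779_str(int af, const uint8_t *bs, size_t len, unsigned unused,
    uint8_t fill, char *buf, size_t buflen)
{
	uint8_t addr[16], mask;
	size_t addrlen = (af == AF_INET) ? 4 : 16;

	if (len > addrlen || unused > 7 || (len == 0 && unused != 0))
		return NULL;
	memset(addr, fill, addrlen);	/* bits absent from the encoding */
	if (len > 0) {
		memcpy(addr, bs, len);
		mask = (uint8_t)((1u << unused) - 1);
		if (fill)
			addr[len - 1] |= mask;
		else
			addr[len - 1] &= (uint8_t)~mask;
	}
	return inet_ntop(af, addr, buf, (socklen_t)buflen);
}

int
main(void)
{
	char buf[INET6_ADDRSTRLEN];

	/* Zero fill yields 10.5.0.0, one fill the real bound 10.5.3.255. */
	printf("zero-filled: %s\n", rfc3779_str(AF_INET, sample_max,
	    sizeof(sample_max), 2, 0x00, buf, sizeof(buf)));
	printf("one-filled:  %s\n", rfc3779_str(AF_INET, sample_max,
	    sizeof(sample_max), 2, 0xff, buf, sizeof(buf)));
	return 0;
}
```

With zero fill the printed upper bound falls below the range's lower bound, which is how a warning built from the undecoded bits ends up misleading.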



CVS: cvs.openbsd.org: src

2023-12-26 Thread Ingo Schwarze
CVSROOT: /cvs
Module name: src
Changes by: schwa...@cvs.openbsd.org 2023/12/26 15:13:00

Modified files:
    lib/libcrypto/man: EVP_EncryptInit.3 EVP_CIPHER_CTX_init.3

Log message:
Rename some argument placeholders to be less cryptic,
in particular s/inl/in_len/ and s/outl/out_len/ as suggested by tb@.

While here, also get rid of the "outm" placeholder that has been
around since the file was added to OpenSSL in 2000, replacing it
with the usual "out" in the four function prototypes affected; tb@
and myself suspect it was simply a typo followed by copy and paste.

Slightly improve variable naming in the examples, too, for clarity and
consistency, even though that doesn't turn the examples into good examples.

OK tb@



CVS: cvs.openbsd.org: src

2023-12-26 Thread Ingo Schwarze
CVSROOT: /cvs
Module name: src
Changes by: schwa...@cvs.openbsd.org 2023/12/26 12:09:08

Modified files:
    lib/libcrypto/man: EVP_CIPHER_CTX_init.3

Log message:
Close some major gaps in the documentation of EVP_Cipher(3),
and describe EVP_CIPHER_CTX_init(3) in a less misleading way.
Joint work with and OK tb@.



CVS: cvs.openbsd.org: src

2023-12-26 Thread Miod Vallat
CVSROOT: /cvs
Module name: src
Changes by: m...@cvs.openbsd.org 2023/12/26 07:04:50

Modified files:
    sys/arch/macppc/dev: asms.c

Log message:
Update documentation URL



CVS: cvs.openbsd.org: src

2023-12-26 Thread Job Snijders
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/26 06:36:18

Modified files:
    etc/rpki: apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Align the other RIRs with the recent clarifications from AFRINIC

Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html
Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files
(since no resources can be transferred from AFRINIC to any other RIRs).

OK tb@



CVS: cvs.openbsd.org: src

2023-12-26 Thread Theo Buehler
CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/12/26 04:03:27

Modified files:
    usr.sbin/rpki-client: rrdp_delta.c

Log message:
Do not accept empty delta elements

Ties de Kock found RRDP content that doesn't match the XML schema, most
likely generated by krill: https://github.com/NLnetLabs/krill/issues/1180

Use the state machine to mark a new delta element as empty and check at
the end whether that state was changed (which means it contained publish
or withdraw elements). If so, raise a parse failure.

ok claudio job
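
The empty-delta check described in this commit message, as an added example that is not rpki-client's code: the state names, `check_delta()` and the sample documents are assumptions, and a simplified tag scanner stands in for a real XML parser. A new delta element starts in an "empty" state, and reaching its end tag (or never reaching one, for a self-closed element) while still in that state is a parse failure.

```c
#include <string.h>

/* Hypothetical state names; a new delta starts out marked as empty. */
enum scope { OUTSIDE, DELTA_EMPTY, DELTA_FILLED, DONE };

static int
is_tag(const char *p, size_t n, const char *name)
{
	return n == strlen(name) && strncmp(p, name, n) == 0;
}

/*
 * Return 0 if <delta> holds at least one <publish> or <withdraw>, else -1.
 * Simplified tag scanner, not a real XML parser (no comments or CDATA).
 */
int
check_delta(const char *xml)
{
	enum scope s = OUTSIDE;
	const char *p = xml;

	while ((p = strchr(p, '<')) != NULL) {
		int closing = (*++p == '/');
		size_t n = strcspn(p += closing, " \t\r\n/>");

		if (!closing && is_tag(p, n, "delta")) {
			if (s != OUTSIDE)
				return -1;
			s = DELTA_EMPTY;
		} else if (!closing && (is_tag(p, n, "publish") ||
		    is_tag(p, n, "withdraw"))) {
			if (s == OUTSIDE || s == DONE)
				return -1;
			s = DELTA_FILLED;	/* state changed: not empty */
		} else if (closing && is_tag(p, n, "delta")) {
			if (s != DELTA_FILLED)
				return -1;	/* still empty: parse failure */
			s = DONE;
		}
		p += n;
	}
	return s == DONE ? 0 : -1;
}

int
main(void)
{
	return check_delta("<delta serial=\"3\"></delta>") == -1 ? 0 : 1;
}
```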



CVS: cvs.openbsd.org: src

2023-12-26 Thread Mark Kettenis
CVSROOT: /cvs
Module name: src
Changes by: kette...@cvs.openbsd.org 2023/12/26 02:25:15

Modified files:
    sys/dev/fdt: sncodec.c tascodec.c

Log message:
Apple machines with multiple speakers typically have the shutdown pin of
the digital amplifier codecs wired up to a single GPIO.  This is apparently
problematic for Linux and Asahi Linux changed their device trees to use a
regulator instead such that reference counting makes sure that shutdown
isn't asserted until all codecs are ready for it.  Follow suit, even though
our regulator code doesn't do the proper reference counting yet.

ok patrick@



CVS: cvs.openbsd.org: src

2023-12-26 Thread Mark Kettenis
CVSROOT:/cvs
Module name:src
Changes by: kette...@cvs.openbsd.org2023/12/26 02:19:15

Modified files:
sys/arch/arm64/arm64: cpu.c exception.S trap.c 
sys/arch/arm64/include: cpu.h 

Log message:
Improve handling of SError interrupts.  Print some useful information and
allow additional information to be printed for specific CPU types.  Use
this to print the L2C registers on Apple CPUs which can be very useful
in tracking down the source of certain SError interrupts.

ok miod@, dlg@



CVS: cvs.openbsd.org: src

2023-12-26 Thread Theo Buehler
CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/12/26 02:04:30

Modified files:
    lib/libcrypto/evp: evp_enc.c

Log message:
EVP_CipherInit(): remove cleanup call

There is a bizarre EVP_CIPHER_CTX_cleanup() call in EVP_CipherInit()
leading to a subtle behavior difference with EVP_CipherInit_ex().

The history is that before EVP_CIPHER_CTX was made opaque, a context would
often live on the stack (hello, MariaDB) and the EVP_CIPHER_CTX_cleanup()
call was in fact an EVP_CIPHER_CTX_init() which just zeroes out the struct.
The problem with doing this is that on context reuse there could be data
hanging off it, causing leaks. Attempts were made to clean up things in
EVP_CipherFinal*(), but that broke applications reaching into the context
afterward, so they were removed again. Later on, opacity allowed changing
the _init() to a _cleanup() since EVP_CIPHER_CTX could no longer live on
the stack, so it would no longer contain garbage. I have to correct myself:
it would no longer contain stack garbage.

Now: EVP_CipherInit_ex() does some extra dances to preserve the AES key
wrap flag, which is cleared unconditionally in EVP_CipherInit(). That's
annoying to document and very likely never going to be an issue in the
wild: you'd need to do key wrap and then use the same context for use
with a cipher that does not allow key wrap for this to make a difference.

This way, all our EVP_{Cipher,Decrypt,Encrypt}*_ex() functions are now
trivially wrapped by their non-_ex() versions.

ok jsing



CVS: cvs.openbsd.org: src

2023-12-26 Thread Theo Buehler
CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/12/26 01:39:28

Modified files:
    lib/libcrypto/evp: evp_enc.c

Log message:
EVP_CipherInit_ex() merge two code paths

Clean up the cipher context unconditionally if the cipher is being set.
This allows doing the dance to retain the key wrap flag only once and
makes it more obvious that allocating the cipher data doesn't leak.

suggested by/ok jsing