CVS: cvs.openbsd.org: src

2023-03-06 Thread Jason McIntyre
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/07 00:54:59

Modified files:
sbin/route : route.8 

Log message:
mpls gateway clarification; from claudio



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/07 00:01:35

Modified files:
lib/libcrypto/ec: ec_ameth.c 

Log message:
Fix another return value check for CMS_SharedInfo_encode()

This should have been included in a previous diff/commit...



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 23:28:36

Modified files:
lib/libcrypto/bn: bn_mont.c 

Log message:
Limit bn_mul_mont() usage to sizes less than or equal to 8192 bits.

The assembly bn_mul_mont() implementations effectively use alloca() to
allocate space for computation (at up to 8x the input size), without
any limitation. This means that sufficiently large inputs lead to the
stack being blown. Prevent this by using the C based implementation
instead.

Thanks to Jiayi Lin for reporting this to us.

ok beck@ tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 23:19:44

Modified files:
lib/libcrypto/bn: bn_mont.c 

Log message:
Implement bn_montgomery_multiply()

Provide a constant-time-style Montgomery multiplication implementation.
Use this in place of the assembly bn_mul_mont() on platforms that either
do not have an assembly implementation or have not compiled it in.

Also use this as the fallback version for bn_mul_mont(), rather than
falling back to a non-constant time implementation.

ok beck@ tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 23:15:10

Modified files:
lib/libcrypto/bn: bn_mont.c 

Log message:
Refactor BN_mod_mul_montgomery().

Pull out the simplistic implementation (using BN_mul() or BN_sqr()) into a
bn_mod_mul_montgomery_simple() function. Provide bn_mod_mul_montgomery()
with an implementation that changes depending on if the assembly
bn_mul_mont() is available or not. Turn BN_mod_mul_montgomery() and
BN_to_montgomery() into callers of bn_mod_mul_montgomery().

ok beck@ tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 23:15:07

Modified files:
lib/libcrypto/man: DSA_get0_pqg.3 

Log message:
Make order of pub_key and priv_key the same everywhere



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 23:12:27

Modified files:
lib/libcrypto/man: ECDSA_SIG_new.3 

Log message:
Fix OpenSSL version in HISTORY section



CVS: cvs.openbsd.org: src

2023-03-06 Thread Darren Tucker
CVSROOT:/cvs
Module name:src
Changes by: dtuc...@cvs.openbsd.org 2023/03/06 23:09:14

Modified files:
usr.bin/ssh: session.c 

Log message:
Fix mem leak in environment setup.  From jjelen at redhat.com via
bz#2687, ok djm@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 23:05:06

Modified files:
lib/libcrypto/bn: bn_mont.c 

Log message:
Delete unused and unsafe bn_mul_mont() example code.

This came from bn_asm.c and did not even compile until recently.

ok beck@ tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:57:01

Modified files:
lib/libcrypto/bn: bn_internal.h 

Log message:
Fix comment for bn_mul2_mulw_addtw()



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:54:40

Modified files:
lib/libcrypto/ec: ecp_smpl.c 

Log message:
Move EC_GFp_simple_method() to the bottom of the file.

Most of the implementation functions for EC_GFp_simple_method() are reused
by other code, hence they cannot be made static. However, this keeps the
pattern consistent.

ok tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 22:53:17

Modified files:
usr.bin/openssl: asn1pars.c 

Log message:
Basic cleanup in asn1pars.c

Drop extra parentheses, unwrap some lines, compare pointers against NULL.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:50:59

Modified files:
lib/libcrypto/ec: ec2_smpl.c ec_local.h 

Log message:
Use static functions for EC_GF2m_simple_method() implementation.

Move the EC_METHOD to the bottom of the file, which allows implementation
functions to become static. Remove unneeded prototypes.

ok tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:45:14

Modified files:
lib/libcrypto/ec: ec_local.h ecp_nist.c 

Log message:
Use static functions for EC_GFp_nist_method() implementation.

Move the EC_METHOD to the bottom of the file, which allows implementation
functions to become static. Remove unneeded prototypes.

ok tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:41:18

Modified files:
lib/libcrypto/ec: ec_local.h ecp_mont.c 

Log message:
Use static functions for EC_GFp_mont_method() implementation.

Move the EC_METHOD to the bottom of the file, which allows all
implementation functions to become static. Remove unneeded prototypes.

ok tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Damien Miller
CVSROOT:/cvs
Module name:src
Changes by: d...@cvs.openbsd.org 2023/03/06 22:37:27

Modified files:
usr.bin/ssh: sftp-server.c 

Log message:
fix memory leak in process_read() path; Spotted by James Robinson
in GHPR363; ok markus@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:35:13

Modified files:
lib/libcrypto/ec: ec2_smpl.c 

Log message:
Fix formatting of comments.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Joel Sing
CVSROOT:/cvs
Module name:src
Changes by: js...@cvs.openbsd.org   2023/03/06 22:28:12

Modified files:
lib/libcrypto/ec: ecp_mont.c 

Log message:
Consolidate clear code for EC_GFp_mont_method.

Use a fang dangled thing (known as a function) to avoid duplicating the
same code in five places.

ok tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Damien Miller
CVSROOT:/cvs
Module name:src
Changes by: d...@cvs.openbsd.org 2023/03/06 18:30:52

Modified files:
usr.bin/ssh: umac.c 

Log message:
correct size for array argument when changing UMAC_OUTPUT_LEN
Coverity CID 291845; ok dtucker@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Kenneth R Westerback
CVSROOT:/cvs
Module name:src
Changes by: k...@cvs.openbsd.org 2023/03/06 14:16:50

Modified files:
etc/etc.macppc : disktab 

Log message:
Delete extraneous trailing blank line.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 14:00:41

Modified files:
usr.sbin/rpki-client: x509.c 

Log message:
Enforce X509v3 SKIs to be the SHA-1 hash of the Subject Public Key

In the RPKI-context (RFC 6487 section 4.8.2), SKIs are not at all
arbitrary identifiers: they must be the SHA-1 hash of the
'Subject Public Key'. Add a SPK digest calculation and comparison
to the X509v3 extension containing the SKI.

OK tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Miod Vallat
CVSROOT:/cvs
Module name:src
Changes by: m...@cvs.openbsd.org 2023/03/06 13:34:35

Modified files:
sys/dev/wscons : wsemul_vt100.c wsemul_sun.c 

Log message:
Correctly account the number of bytes processed when outputting UTF-8 encoded
characters.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 12:20:34

Modified files:
usr.sbin/rpki-client: rpki-client.8 

Log message:
For conciseness' sake remove non-optional items in references in STANDARDS

Discussed with deraadt@ tb@ claudio@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 12:10:14

Modified files:
lib/libcrypto/asn1: bio_ndef.c 

Log message:
Clean up ndef_{prefix,suffix}_free()

These functions are rather similar, so there's no need for the code to
be wildly different. Add a missing NULL check to ndef_prefix_free() since
that will be needed in a subsequent commit.

ok jsing



CVS: cvs.openbsd.org: src

2023-03-06 Thread Kenneth R Westerback
CVSROOT:/cvs
Module name:src
Changes by: k...@cvs.openbsd.org 2023/03/06 11:12:48

Modified files:
etc/etc.amd64  : disktab 
etc/etc.arm64  : disktab 
etc/etc.armv7  : disktab 
etc/etc.hppa   : disktab 
etc/etc.i386   : disktab 
etc/etc.landisk: disktab 
etc/etc.loongson: disktab 
etc/etc.luna88k: disktab 
etc/etc.macppc : disktab 
etc/etc.octeon : disktab 
etc/etc.powerpc64: disktab 
etc/etc.riscv64: disktab 
etc/etc.sparc64: disktab 

Log message:
Remove pointless ":ob#0:pb#0:[tb=swap:]" disktab lines.

ok miod@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Kenneth R Westerback
CVSROOT:/cvs
Module name:src
Changes by: k...@cvs.openbsd.org 2023/03/06 10:42:39

Modified files:
sbin/fdisk : part.c 

Log message:
Use GPT_UUID_NBSD_UFS, not GPT_UUID_FBSD_DATA, for NetBSD GPT
partition entries.

Add GPT_UUID_LEGACY_MBR entry to list of known partition id's as
it is defined in the UEFI Standard.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Miod Vallat
CVSROOT:/cvs
Module name:src
Changes by: m...@cvs.openbsd.org 2023/03/06 10:39:54

Modified files:
sbin/atactl: atactl.c 

Log message:
Define a few more attributes for the sake of the readattr subcommand;
curated and contributed by Brian Conway, thanks!



CVS: cvs.openbsd.org: src

2023-03-06 Thread Miod Vallat
CVSROOT:/cvs
Module name:src
Changes by: m...@cvs.openbsd.org 2023/03/06 10:20:06

Modified files:
sys/arch/amd64/amd64: conf.c 
sys/arch/arm64/arm64: conf.c 
sys/arch/i386/i386: conf.c 
sys/arch/riscv64/riscv64: conf.c 

Log message:
In iskmemdev(), do not check for the minor of /dev/io. It has been
deprecated more than 25 years ago and removed more than 20.
From Crystal Kolipe, thanks!



CVS: cvs.openbsd.org: src

2023-03-06 Thread Miod Vallat
CVSROOT:/cvs
Module name:src
Changes by: m...@cvs.openbsd.org 2023/03/06 10:14:44

Modified files:
sys/dev/wscons : wsemul_subr.c wsemul_sun.c wsemul_vt100.c 
 wsemul_vt100var.h wsemulvar.h 

Log message:
Replace old'n'wrong UTF-8 logic with a better one borrowed from Citrus;
issue reported by Crystal Kolipe on tech@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 09:58:41

Modified files:
usr.sbin/rpki-client: cert.c crl.c 

Log message:
Ensure .cer and .crl outside-TBS signatures are sha256WithRSAEncryption

Note: there is a potential for confusion in RFC 7935, the specification
differentiates between 2 contexts: "in the certificate" and "CMS SignedData".

In the CMS context, either rsaEncryption or sha256WithRSAEncryption can
appear (and both *do* appear in the wild).

However, RFC 7935 section 2 fourth paragraph starting with "In certificates,
CRLs, ..." mandates that sha256WithRSAEncryption is used to sign .cer and
.crl files:

"The Object Identifier (OID) sha256WithRSAEncryption from RFC4055 MUST
be used in these products."

The above requirement matches observations on existing RPKI deployments.

OK tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo de Raadt
CVSROOT:/cvs
Module name:src
Changes by: dera...@cvs.openbsd.org 2023/03/06 09:17:17

Modified files:
usr.sbin/rpki-client: rpki-client.8 

Log message:
spelling



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 09:04:52

Modified files:
usr.sbin/rpki-client: cert.c cms.c extern.h rpki-client.8 
  validate.c 

Log message:
Add check for RSA key pair modulus & public exponent

Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS
must be RSA, with mod 2048 & (e) 0x10001

OK tb@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 08:50:33

Modified files:
usr.sbin/rpki-client: rpki-client.8 

Log message:
Fix URL to RFC



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stuart Henderson
CVSROOT:/cvs
Module name:src
Changes by: st...@cvs.openbsd.org   2023/03/06 06:57:45

Modified files:
etc/examples   : iked.conf 

Log message:
tweak examples/iked.conf bits a little further following comments by
aisha@ and Crystal Kolipe, ok aisha@ tobhe@



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 06:34:53

Modified files:
lib/libcrypto/man: ECDSA_SIG_new.3 

Log message:
Document ECDSA_SIG_get0_{r,s}()



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 06:25:46

Modified files:
lib/libcrypto/man: DH_get0_pqg.3 

Log message:
Document DH_get0_* for individual DH members.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Kenneth R Westerback
CVSROOT:/cvs
Module name:src
Changes by: k...@cvs.openbsd.org 2023/03/06 06:24:40

Modified files:
sbin/fdisk : gpt.c mbr.c 

Log message:
Use nitems() of source and destination partition arrays
rather than assuming they are the same size. Zero
destination entries when no source partition available.

No intentional functional change.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 06:18:38

Modified files:
lib/libcrypto/man: DSA_get0_pqg.3 

Log message:
Document DSA_get0_* for individual DSA members



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 06:05:32

Modified files:
lib/libcrypto/man: RSA_get0_key.3 

Log message:
Document RSA_get0_* for individual RSA members.

Loosely based on OpenSSL commit 6692ff77.

Prodded by job



CVS: cvs.openbsd.org: src

2023-03-06 Thread Darren Tucker
CVSROOT:/cvs
Module name:src
Changes by: dtuc...@cvs.openbsd.org 2023/03/06 05:15:47

Modified files:
regress/usr.bin/ssh/unittests/kex: test_proposal.c tests.c 

Log message:
Unit test for kex_proposal_populate_entries.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Darren Tucker
CVSROOT:/cvs
Module name:src
Changes by: dtuc...@cvs.openbsd.org 2023/03/06 05:14:48

Modified files:
usr.bin/ssh: compat.c compat.h kex.c kex.h sshconnect2.c 
 sshd.c 

Log message:
Refactor creation of KEX proposal.

This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs.  Remove unused compat functions.
With & ok djm@.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 05:00:27

Modified files:
lib/libcrypto/asn1: tasn_enc.c 

Log message:
Rework asn1_item_flags_i2d()

Flip the logic of NULL checks on out and *out to unindent, use calloc()
instead of malloc() and check on assign. Also drop the newly added len2
again, it isn't needed.

ok jsing



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:53:24

Modified files:
sys/dev/pci: if_iwxvar.h 

Log message:
Switch all iwx(4) devices to -77 firmware images.

New firmware versions address some security issues, as outlined here:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00621.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00699.html

Firmware has been available in fw_update for some time so systems which
track -current should already have the new -77 images.

Tested:
ax200: jmc, hrvoje, stsp
ax201: Mikhail, Sven Wolf, stsp
ax210: lraab, stsp
ax211: Mikhail, dv



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:42:11

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
Make iwx(4) get the primary channel number from AP beacon info, rather
than assuming that it always matches our currently configured channel.
Should prevent problems on 40/80MHz channels if there is a mismatch.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:37:14

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
fix previous: only ignore request to delete key while doing crypto in hardware



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:33:57

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
Avoid trying to remove keys if the station is not active in iwx firmware.

Fixes a firmware panic I encountered while working on firmware upgrades.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:30:46

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
ignore iwx DATA_PATH group notification 0xf8

Undocumented and ignored by the Linux driver, too.
Apparently only used by the Windows driver.
Confirmed by Johannes Berg.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:28:02

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
always provide a subset of STA info in the MAC context command

We used to provide beacon-related information only once our station was
associated. New firmware wants to see this information earlier, when we are
about to send an AUTH frame. Otherwise SYSASSERT 0x211A is raised.

Problem diagnosed with help from Johannes Berg, thanks!



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:21:24

Modified files:
sys/dev/pci: if_iwx.c 

Log message:
fix iwx session protection event duration

Firmware expects time in TU units.
Use 900 TU for the session protection timeout, like the linux driver does.

verified with Johannes Berg from Linux/Intel, thanks for the support!



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:18:37

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
support the new iwx SCD_QUEUE_CONFIG command

Required for adding/removing Tx queues on new firmware versions.

Semantics have changed yet again. Good old iwm(4) required manual
removal of related Tx queues when a station is removed from firmware.
At some point iwx(4) firmware removed this requirement and demanded
that queue removal would be done implicitly by firmware instead.
And now the firmware engineers at Intel have again changed their
minds about this, and explicit queue removal is required again.
It is sad that we are being driven through such a marathon of changes
just in order to pick up some firmware security fixes...



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:08:56

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h if_iwxvar.h 

Log message:
add support for the iwx BAID allocation config command

This command is required to set up Rx aggregation on new firmware.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:03:29

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
implement support for iwx PHY context cmd version 4



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 04:00:41

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
support the new IWX_STA_MAC_DATA_API_S_VER_2 API

MAC context command fields which firmware has been ignoring since the iwm
hardware generation have been repurposed for information related to 11ax.
Just set these fields to zero. Firmware -71 and up will panic otherwise.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:52:16

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
add support for the iwx RLC config command

New firmware wants to be told about MIMO antenna configuration via
a separate command, rather than via the good old PHY context command.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:48:05

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h if_iwxvar.h 

Log message:
support iwx rate_n_flags API version 2 and delete fixed Tx rate support

As of this commit iwx will ignore 'ifconfig media' commands where the
user-specified Tx rate resolves to something other than 'autoselect'.
The existing support for forcing a Tx rate was already only partially
working in 11n and 11ac modes. I doubt anyone had a serious use case for
this. If you really need to force a specific Tx rate for data frames
sent by iwx then hack the driver instead of using 'ifconfig media'.

The firmware interface was designed for Tx rate selection in firmware.
Maintaining support for overriding the Tx rate with ifconfig in face of
complicated firmware interface changes such as this rate_n_flags change
is just not worth it.  While trying to keep forced Tx rates working on top
of the new rate_n_flags format I accidentally broke the Tx rate used for
management frames during regular operation, which caused much frustration.



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:31:58

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
change current iwx rate_n_flag field names to indicate this is API version 1

also add some missing bits found in the Linux driver while here



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:28:04

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
add support for iwx TLC config command v4



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:24:15

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h 

Log message:
add support for iwx firmware alive response version 6



CVS: cvs.openbsd.org: src

2023-03-06 Thread Stefan Sperling
CVSROOT:/cvs
Module name:src
Changes by: s...@cvs.openbsd.org 2023/03/06 03:16:17

Modified files:
sys/dev/pci: if_iwx.c if_iwxreg.h if_iwxvar.h 

Log message:
recognize more iwx ucode TLV sections which are present in newer fw images



CVS: cvs.openbsd.org: src

2023-03-06 Thread Job Snijders
CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org 2023/03/06 02:14:29

Modified files:
usr.sbin/rpki-client: cms.c 

Log message:
Fix comment



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 01:37:24

Modified files:
lib/libcrypto/ec: ec_ameth.c 

Log message:
Fix some return checks in ecdh_cms_encrypt()

i2d functions return <= 0 on error, so check for that instead of == 0.

The issue with CMS_SharedInfo_encode() was found by Niels Dossche.
OpenSSL review overlooked that they had turned penclen into a size_t.

In principle the issue with i2d_X509_ALGOR() is purely cosmetic. Why do
a strange check when there is an idiomatic check? Then again this is CMS...

ok jsing



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 01:31:34

Modified files:
lib/libcrypto/rsa: rsa_pmeth.c 

Log message:
Fix incorrect RSA_public_decrypt() return check

RSA_public_decrypt() returns <= 0 on error. Assigning to a size_t and
checking for == 0 is not the right thing to do here. Neither is blindly
turning the check into <= 0...

Found by Niels Dossche

ok jsing
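
The return-check pitfall behind this commit and the ecdh_cms_encrypt() commit above it, as an added example that is not LibreSSL code: `toy_decrypt()` is a hypothetical stand-in that, like the functions named in those messages, returns <= 0 on error. It shows why an error stored in a size_t passes both a `== 0` and a `<= 0` test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a libcrypto-style call: returns the number of
 * bytes written to out, or a value <= 0 on error. */
static int
toy_decrypt(const unsigned char *in, int inlen, unsigned char *out, int outmax)
{
	if (in == NULL || inlen <= 0 || inlen > outmax)
		return -1;
	memcpy(out, in, (size_t)inlen);
	return inlen;
}

/* Pattern being fixed: the int result lands in a size_t before the check. */
static int
recover_buggy(const unsigned char *in, int inlen, unsigned char *out,
    int outmax, size_t *outlen)
{
	size_t ret;

	ret = toy_decrypt(in, inlen, out, outmax);	/* -1 becomes SIZE_MAX */
	if (ret == 0)	/* "ret <= 0" is the same test for an unsigned type */
		return 0;
	*outlen = ret;	/* an error is reported as a huge length */
	return 1;
}

/* Checked pattern: test the signed result, convert only once it is > 0. */
static int
recover_checked(const unsigned char *in, int inlen, unsigned char *out,
    int outmax, size_t *outlen)
{
	int ret;

	if ((ret = toy_decrypt(in, inlen, out, outmax)) <= 0)
		return 0;
	*outlen = (size_t)ret;
	return 1;
}

int
main(void)
{
	unsigned char buf[8];
	size_t n = 0;
	int ok;

	/* Constructed failing input: NULL source buffer. */
	ok = recover_buggy(NULL, 0, buf, (int)sizeof(buf), &n);
	printf("buggy:   ok=%d outlen=%zu\n", ok, n);
	n = 0;
	ok = recover_checked(NULL, 0, buf, (int)sizeof(buf), &n);
	printf("checked: ok=%d outlen=%zu\n", ok, n);
	return 0;
}
```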



CVS: cvs.openbsd.org: src

2023-03-06 Thread Theo Buehler
CVSROOT:/cvs
Module name:src
Changes by: t...@cvs.openbsd.org 2023/03/06 01:08:31

Modified files:
lib/libcrypto/asn1: tasn_enc.c 

Log message:
ASN.1 enc: check ASN1_item_ex_i2d() consistency

The i2d API design is: call a function first with a pointer to NULL, get
the length, allocate a buffer, call the function passing the buffer in.
Both calls should be checked since there are still internal allocations.

At the heart of ASN.1 encoding, this idiom is used and the second call
is assumed to succeed after the length was determined. This is far from
guaranteed. Check that the second call returns the same length and error
otherwise.

ok jsing
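
The two-call idiom from the commit message above, as an added example that is not LibreSSL code: `toy_i2d()` is a hypothetical encoder with i2d-like semantics, and its `fail_on_write` flag is an assumption used to model an internal allocation failure on the second call. The unchecked wrapper hands back a buffer that was never filled; the checked one requires the second call to return the same length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical item; fail_on_write models an internal allocation failure. */
struct toy_item { const unsigned char *data; int len; int fail_on_write; };

/* Toy encoder with i2d-like semantics (assumed for this example): out == NULL
 * only measures, otherwise the encoding is written to *out, which is advanced.
 * Returns the encoded length, or <= 0 on error. */
static int toy_i2d(const struct toy_item *it, unsigned char **out)
{
	unsigned char *p;

	if (it == NULL || it->data == NULL || it->len <= 0 || it->len > 127)
		return -1;
	if (out == NULL)
		return 2 + it->len;
	if (it->fail_on_write)
		return -1;
	p = *out;
	*p++ = 0x04;			/* OCTET STRING tag */
	*p++ = (unsigned char)it->len;	/* short-form length */
	memcpy(p, it->data, (size_t)it->len);
	*out = p + it->len;
	return 2 + it->len;
}

/* Assumes the second call succeeds once the length is known. */
static int toy_encode_unchecked(const struct toy_item *it, unsigned char **der)
{
	unsigned char *p;
	int len;

	*der = NULL;
	if ((len = toy_i2d(it, NULL)) <= 0)
		return -1;
	if ((*der = calloc(1, (size_t)len)) == NULL)
		return -1;
	p = *der;
	toy_i2d(it, &p);	/* result ignored */
	return len;		/* on failure the caller gets len zero bytes */
}

/* Checks both calls and requires the second to report the same length. */
static int toy_encode_checked(const struct toy_item *it, unsigned char **der)
{
	unsigned char *buf, *p;
	int len;

	*der = NULL;
	if ((len = toy_i2d(it, NULL)) <= 0)
		return -1;
	if ((buf = calloc(1, (size_t)len)) == NULL)
		return -1;
	p = buf;
	if (toy_i2d(it, &p) != len) {
		free(buf);
		return -1;
	}
	*der = buf;
	return len;
}

int main(void)
{
	/* Constructed input whose second encoding pass fails. */
	struct toy_item bad = { (const unsigned char *)"abc", 3, 1 };
	unsigned char *a, *b;
	int ra = toy_encode_unchecked(&bad, &a), rb = toy_encode_checked(&bad, &b);

	printf("unchecked=%d checked=%d\n", ra, rb);
	free(a);
	return 0;
}
```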