From 14e313b3c54ef0857fed49d1ad8c001a13f4a132 Mon Sep 17 00:00:00 2001 From: purplerain Date: Mon, 10 Jun 2024 01:10:37 +0000 Subject: [PATCH] sync with OpenBSD -current --- distrib/amd64/iso/Makefile | 4 ++-- distrib/arm64/iso/Makefile | 4 ++-- distrib/i386/iso/Makefile | 4 ++-- etc/skel/dot.version | 2 +- libexec/security/security | 5 ++++- sbin/ifconfig/ifconfig.8 | 7 +++++-- sbin/ifconfig/ifconfig.c | 4 ++-- sys/arch/amd64/include/cpu.h | 4 ++-- sys/arch/arm/include/cpu.h | 4 ++-- sys/arch/i386/include/cpu.h | 4 ++-- sys/dev/pv/if_vio.c | 8 ++++++-- sys/net/if.h | 3 ++- sys/net/if_vlan.c | 10 +++++++--- usr.sbin/smtpd/lka.c | 23 ++++++++++++++++++++++- usr.sbin/smtpd/smtpd-api.h | 5 +++-- usr.sbin/smtpd/smtpd-tables.7 | 8 ++++++-- usr.sbin/smtpd/table.c | 5 ++++- 17 files changed, 74 insertions(+), 30 deletions(-) diff --git a/distrib/amd64/iso/Makefile b/distrib/amd64/iso/Makefile index a8d18d9ad..104d389ff 100644 --- a/distrib/amd64/iso/Makefile +++ b/distrib/amd64/iso/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.48 2024/06/02 16:00:07 deraadt Exp $ +# $OpenBSD: Makefile,v 1.49 2024/06/09 17:24:19 deraadt Exp $ FS= install${OSrev}.img FSSIZE= 1425408 @@ -13,7 +13,7 @@ BSDRD= ${RELDIR}/bsd.rd BASE= ${RELDIR}/base${OSrev}.tgz ${RELDIR}/comp${OSrev}.tgz \ ${RELDIR}/game${OSrev}.tgz ${RELDIR}/man${OSrev}.tgz \ ${RELDIR}/bsd ${RELDIR}/bsd.rd ${RELDIR}/bsd.mp \ - ${RELDIR}/INSTALL.${MACHINE} + ${RELDIR}/INSTALL.${MACHINE} ${RELDIR}/BUILDINFO XBASE= ${RELXDIR}/xbase${OSrev}.tgz ${RELXDIR}/xfont${OSrev}.tgz \ ${RELXDIR}/xshare${OSrev}.tgz ${RELXDIR}/xserv${OSrev}.tgz diff --git a/distrib/arm64/iso/Makefile b/distrib/arm64/iso/Makefile index 5d54edd77..0051bf94d 100644 --- a/distrib/arm64/iso/Makefile +++ b/distrib/arm64/iso/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.9 2024/02/10 16:47:46 deraadt Exp $ +# $OpenBSD: Makefile,v 1.10 2024/06/09 17:24:19 deraadt Exp $ FS= install${OSrev}.img FSSIZE= 1136400 
@@ -12,7 +12,7 @@ RELDIR?= /home/rel-${MACHINE} BASE= ${RELDIR}/base${OSrev}.tgz ${RELDIR}/comp${OSrev}.tgz \ ${RELDIR}/game${OSrev}.tgz ${RELDIR}/man${OSrev}.tgz \ ${RELDIR}/bsd ${RELDIR}/bsd.mp ${RELDIR}/bsd.rd \ - ${RELDIR}/INSTALL.${MACHINE} + ${RELDIR}/INSTALL.${MACHINE} ${RELDIR}/BUILDINFO XBASE= ${RELXDIR}/xbase${OSrev}.tgz ${RELXDIR}/xfont${OSrev}.tgz \ ${RELXDIR}/xshare${OSrev}.tgz ${RELXDIR}/xserv${OSrev}.tgz diff --git a/distrib/i386/iso/Makefile b/distrib/i386/iso/Makefile index 6b9dbbc2b..fd288f3c8 100644 --- a/distrib/i386/iso/Makefile +++ b/distrib/i386/iso/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.34 2023/04/28 12:26:43 krw Exp $ +# $OpenBSD: Makefile,v 1.35 2024/06/09 17:24:19 deraadt Exp $ FS= install${OSrev}.img FSSIZE= 921600 @@ -14,7 +14,7 @@ BSDRD= ${RELDIR}/bsd.rd BASE= ${RELDIR}/base${OSrev}.tgz ${RELDIR}/comp${OSrev}.tgz \ ${RELDIR}/game${OSrev}.tgz ${RELDIR}/man${OSrev}.tgz \ ${RELDIR}/bsd ${RELDIR}/bsd.rd ${RELDIR}/bsd.mp \ - ${RELDIR}/INSTALL.${MACHINE} + ${RELDIR}/INSTALL.${MACHINE} ${RELDIR}/BUILDINFO XBASE= ${RELXDIR}/xbase${OSrev}.tgz ${RELXDIR}/xfont${OSrev}.tgz \ ${RELXDIR}/xshare${OSrev}.tgz ${RELXDIR}/xserv${OSrev}.tgz diff --git a/etc/skel/dot.version b/etc/skel/dot.version index 47315502f..0bef491c2 100644 --- a/etc/skel/dot.version +++ b/etc/skel/dot.version @@ -1 +1 @@ -# SecBSD 1.5-22ee75e: Fri May 3 00:00:00 UTC 2024 (Yatagarasu) +# SecBSD 1.5-c5d0954: Mon Jun 10 00:00:00 UTC 2024 (Yatagarasu) diff --git a/libexec/security/security b/libexec/security/security index dc7cdf084..ce82d14ea 100644 --- a/libexec/security/security +++ b/libexec/security/security @@ -1,6 +1,6 @@ #!/usr/bin/perl -T -# $OpenBSD: security,v 1.42 2024/03/05 18:54:29 kn Exp $ +# $OpenBSD: security,v 1.43 2024/06/09 18:31:17 afresh1 Exp $ # # Copyright (c) 2011, 2012, 2014, 2015 Ingo Schwarze # Copyright (c) 2011 Andrew Fresh 
@@ -30,6 +30,7 @@ require File::Find; use constant { BACKUP_DIR => '/var/backups/', + RELINK_DIR => '/usr/share/relink/', }; $ENV{PATH} = '/bin:/usr/bin:/sbin:/usr/sbin'; @@ -574,6 +575,7 @@ sub find_special_files { # SUID/SGID files my $file = {}; if (-f _ && $mode & (S_ISUID | S_ISGID)) { + return if -e RELINK_DIR . $_; $setuid_files->{$File::Find::name} = $file; $uudecode_is_setuid = 1 if basename($_) eq 'uudecode'; @@ -660,6 +662,7 @@ sub check_filelist { push @{$changed{additions}}, [ @{$files->{$f}}{@fields}, $f ]; } foreach my $f (sort keys %current) { + next if $mode eq 'setuid' && -e RELINK_DIR . $f; push @{$changed{deletions}}, [ @{$current{$f}}{@fields}, $f ]; }; diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8 index bc92b15c5..121bb1e8f 100644 --- a/sbin/ifconfig/ifconfig.8 +++ b/sbin/ifconfig/ifconfig.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ifconfig.8,v 1.399 2024/01/11 17:22:04 jan Exp $ +.\" $OpenBSD: ifconfig.8,v 1.400 2024/06/09 16:25:27 jan Exp $ .\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $ .\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $ .\" @@ -31,7 +31,7 @@ .\" .\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94 .\" -.Dd $Mdocdate: January 11 2024 $ +.Dd $Mdocdate: June 9 2024 $ .Dt IFCONFIG 8 .Os .Sh NAME @@ -294,6 +294,9 @@ tag. On transmit, the device can add the .Xr vlan 4 tag. +.It Sy VLAN_HWOFFLOAD +On transmit, the device can handle checksum or TSO offload without +.Sy VLAN_HWTAGGING . .It Sy WOL The device supports Wake on LAN (WoL). .It Sy hardmtu diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c index 2c257a430..3e44dce71 100644 --- a/sbin/ifconfig/ifconfig.c +++ b/sbin/ifconfig/ifconfig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ifconfig.c,v 1.472 2024/05/18 02:44:22 jsg Exp $ */ +/* $OpenBSD: ifconfig.c,v 1.473 2024/06/09 16:25:27 jan Exp $ */ /* $NetBSD: ifconfig.c,v 1.40 1997/10/01 02:19:43 enami Exp $ */ /* 
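Review bot: The new `return if -e RELINK_DIR . $_;` in find_special_files exempts a SUID/SGID file from the report on nothing more than a path existing below /usr/share/relink/, and no comment says why. Once skipped, the file is never stored in `$setuid_files`, so later changes to it no longer appear in the setuid diff, and `next if $mode eq 'setuid' && -e RELINK_DIR . $f;` in check_filelist also silences the one-time deletion entry. Presumably these are binaries that are legitimately rebuilt by relinking; a comment above both tests, such as `# relinked binaries change on every relink; skip them and rely on RELINK_DIR being intact`, would record that trade-off. `-e` accepts any file type, so `-d` would be tighter if the entry is always a directory, and the test is only correct if `$_` is a full path here (the `basename($_)` two lines further down suggests it is, but the find() call is outside the hunk).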
@@ -125,7 +125,7 @@ #define HWFEATURESBITS \ "\024\1CSUM_IPv4\2CSUM_TCPv4\3CSUM_UDPv4" \ - "\5VLAN_MTU\6VLAN_HWTAGGING\10CSUM_TCPv6" \ + "\5VLAN_MTU\6VLAN_HWTAGGING\7VLAN_HWOFFLOAD\10CSUM_TCPv6" \ "\11CSUM_UDPv6\15TSOv4\16TSOv6\17LRO\20WOL" struct ifencap { diff --git a/sys/arch/amd64/include/cpu.h b/sys/arch/amd64/include/cpu.h index 90f5dd9e9..82d3552c4 100644 --- a/sys/arch/amd64/include/cpu.h +++ b/sys/arch/amd64/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.172 2024/06/07 16:53:35 kettenis Exp $ */ +/* $OpenBSD: cpu.h,v 1.173 2024/06/09 21:15:29 jca Exp $ */ /* $NetBSD: cpu.h,v 1.1 2003/04/26 18:39:39 fvdl Exp $ */ /*- @@ -319,7 +319,7 @@ void cpu_unidle(struct cpu_info *); #define cpu_kick(ci) #define cpu_unidle(ci) -#define CPU_BUSY_CYCLE() do {} while (0) +#define CPU_BUSY_CYCLE() __asm volatile ("" ::: "memory") #endif diff --git a/sys/arch/arm/include/cpu.h b/sys/arch/arm/include/cpu.h index eedd7ad25..7d9452443 100644 --- a/sys/arch/arm/include/cpu.h +++ b/sys/arch/arm/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.66 2024/02/25 19:15:50 cheloha Exp $ */ +/* $OpenBSD: cpu.h,v 1.67 2024/06/09 21:15:29 jca Exp $ */ /* $NetBSD: cpu.h,v 1.34 2003/06/23 11:01:08 martin Exp $ */ /* @@ -251,7 +251,7 @@ extern struct cpu_info *cpu_info[MAXCPUS]; void cpu_boot_secondary_processors(void); #endif /* !MULTIPROCESSOR */ -#define CPU_BUSY_CYCLE() do {} while (0) +#define CPU_BUSY_CYCLE() __asm volatile ("" ::: "memory") #define curpcb curcpu()->ci_curpcb diff --git a/sys/arch/i386/include/cpu.h b/sys/arch/i386/include/cpu.h index 4eb710735..30f1aaf90 100644 --- a/sys/arch/i386/include/cpu.h +++ b/sys/arch/i386/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.190 2024/06/07 16:53:35 kettenis Exp $ */ +/* $OpenBSD: cpu.h,v 1.191 2024/06/09 21:15:29 jca Exp $ */ /* $NetBSD: cpu.h,v 1.35 1996/05/05 19:29:26 christos Exp $ */ /*- 
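Review bot: `CPU_BUSY_CYCLE()` in amd64 cpu.h (in what appears to be the non-MULTIPROCESSOR branch) changes from an empty statement to `__asm volatile ("" ::: "memory")` without a comment, and the same edit is repeated in the arm and i386 cpu.h hunks. An empty asm with a "memory" clobber is a compiler-only barrier: it makes the compiler reload memory on each spin iteration but emits no instruction and orders nothing in hardware. A one-line comment such as `/* compiler barrier: busy-wait loops must reload the variable they poll */` would keep a later cleanup from reverting it to `do {} while (0)`. The enclosing `#ifdef` starts outside the hunk, so the other definition of the macro is not visible here.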
@@ -262,7 +262,7 @@ void cpu_unidle(struct cpu_info *); #define cpu_kick(ci) #define cpu_unidle(ci) -#define CPU_BUSY_CYCLE() do {} while (0) +#define CPU_BUSY_CYCLE() __asm volatile ("" ::: "memory") #endif diff --git a/sys/dev/pv/if_vio.c b/sys/dev/pv/if_vio.c index 8ce83ed05..945179681 100644 --- a/sys/dev/pv/if_vio.c +++ b/sys/dev/pv/if_vio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_vio.c,v 1.37 2024/06/04 09:51:52 jan Exp $ */ +/* $OpenBSD: if_vio.c,v 1.38 2024/06/09 16:25:28 jan Exp $ */ /* * Copyright (c) 2012 Stefan Fritsch, Alexander Fiveg. @@ -604,7 +604,11 @@ vio_attach(struct device *parent, struct device *self, void *aux) ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST; ifp->if_start = vio_start; ifp->if_ioctl = vio_ioctl; - ifp->if_capabilities = IFCAP_VLAN_MTU; + ifp->if_capabilities = 0; +#if NVLAN > 0 + ifp->if_capabilities |= IFCAP_VLAN_MTU; + ifp->if_capabilities |= IFCAP_VLAN_HWOFFLOAD; +#endif if (virtio_has_feature(vsc, VIRTIO_NET_F_CSUM)) ifp->if_capabilities |= IFCAP_CSUM_TCPv4|IFCAP_CSUM_UDPv4| IFCAP_CSUM_TCPv6|IFCAP_CSUM_UDPv6; diff --git a/sys/net/if.h b/sys/net/if.h index ae50958ee..8552fff02 100644 --- a/sys/net/if.h +++ b/sys/net/if.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if.h,v 1.216 2024/04/11 15:08:18 bluhm Exp $ */ +/* $OpenBSD: if.h,v 1.217 2024/06/09 16:25:28 jan Exp $ */ /* $NetBSD: if.h,v 1.23 1996/05/07 02:40:27 thorpej Exp $ */ /* @@ -249,6 +249,7 @@ struct if_status_description { #define IFCAP_CSUM_UDPv4 0x00000004 /* can do IPv4/UDP csum */ #define IFCAP_VLAN_MTU 0x00000010 /* VLAN-compatible MTU */ #define IFCAP_VLAN_HWTAGGING 0x00000020 /* hardware VLAN tag support */ +#define IFCAP_VLAN_HWOFFLOAD 0x00000040 /* hw offload w/ inline tag */ #define IFCAP_CSUM_TCPv6 0x00000080 /* can do IPv6/TCP checksums */ #define IFCAP_CSUM_UDPv6 0x00000100 /* can do IPv6/UDP checksums */ #define IFCAP_TSOv4 0x00001000 /* IPv4/TCP segment offload */ diff --git a/sys/net/if_vlan.c b/sys/net/if_vlan.c index 9915a9439..9a0414f1b 100644 
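Review bot: `IFCAP_VLAN_MTU` used to be set unconditionally in vio_attach and now sits behind `#if NVLAN > 0`, so it depends on this file seeing a definition of NVLAN. If "vlan.h" is not included at the top of if_vio.c (the include block is outside the hunk), the preprocessor evaluates the undefined NVLAN as 0 and both capability bits silently disappear. `IFCAP_VLAN_HWOFFLOAD` is also advertised even when `VIRTIO_NET_F_CSUM` was not negotiated. That looks harmless because vlan_up only copies the checksum and TSO bits, but gating the flag on the offload features actually negotiated would keep it in line with what ifconfig.8 now documents.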
--- a/sys/net/if_vlan.c +++ b/sys/net/if_vlan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_vlan.c,v 1.218 2023/12/23 10:52:54 bluhm Exp $ */ +/* $OpenBSD: if_vlan.c,v 1.219 2024/06/09 16:25:28 jan Exp $ */ /* * Copyright 1998 Massachusetts Institute of Technology @@ -523,7 +523,7 @@ vlan_up(struct vlan_softc *sc) /* * Note: In cases like vio(4) and em(4) where the offsets of the * csum can be freely defined, we could actually do csum offload - * for VLAN and QINQ packets. + * for QINQ packets. */ if (sc->sc_type != ETHERTYPE_VLAN) { /* @@ -531,10 +531,14 @@ vlan_up(struct vlan_softc *sc) * ethernet type (0x8100). */ ifp->if_capabilities = 0; - } else if (ISSET(ifp0->if_capabilities, IFCAP_VLAN_HWTAGGING)) { + } else if (ISSET(ifp0->if_capabilities, IFCAP_VLAN_HWTAGGING) || + ISSET(ifp0->if_capabilities, IFCAP_VLAN_HWOFFLOAD)) { /* * Chips that can do hardware-assisted VLAN encapsulation, can * calculate the correct checksum for VLAN tagged packets. + * + * Hardware which does checksum offloading, but not VLAN tag + * injection, have to set IFCAP_VLAN_HWOFFLOAD. */ ifp->if_capabilities = ifp0->if_capabilities & (IFCAP_CSUM_MASK | IFCAP_TSOv4 | IFCAP_TSOv6); diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c index 30c93afbd..c27fdba10 100644 --- a/usr.sbin/smtpd/lka.c +++ b/usr.sbin/smtpd/lka.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lka.c,v 1.248 2024/01/20 09:01:03 claudio Exp $ */ +/* $OpenBSD: lka.c,v 1.249 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -720,6 +720,7 @@ static int lka_authenticate(const char *tablename, const char *user, const char *password) { struct table *table; + char offloadkey[LINE_MAX]; union lookup lk; log_debug("debug: lka: authenticating for %s:%s", tablename, user); 
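Review bot: The added comment in vlan_up does not state what a driver commits to when it sets IFCAP_VLAN_HWOFFLOAD. Going by the if.h comment ("hw offload w/ inline tag"), such a driver is handed frames with the 802.1Q tag already inline and must compute its checksum and TSO offsets past that tag; saying so here would help driver authors, and "have to set" should read "has to set". The two-part test can also be a single mask test, `ISSET(ifp0->if_capabilities, IFCAP_VLAN_HWTAGGING | IFCAP_VLAN_HWOFFLOAD)`, assuming ISSET is the usual any-bit-set macro. vlan_up begins and ends outside this hunk.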
@@ -730,6 +731,26 @@ lka_authenticate(const char *tablename, const char *user, const char *password) return (LKA_TEMPFAIL); } + /* table backend supports authentication offloading */ + if (table_check_service(table, K_AUTH)) { + if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s", + user, password)) { + log_warnx("warn: key serialization failed for %s:%s", + tablename, user); + return (LKA_TEMPFAIL); + } + switch (table_match(table, K_AUTH, offloadkey)) { + case -1: + log_warnx("warn: user credentials lookup fail for %s:%s", + tablename, user); + return (LKA_TEMPFAIL); + case 0: + return (LKA_PERMFAIL); + default: + return (LKA_OK); + } + } + switch (table_lookup(table, K_CREDENTIALS, user, &lk)) { case -1: log_warnx("warn: user credentials lookup fail for %s:%s", diff --git a/usr.sbin/smtpd/smtpd-api.h b/usr.sbin/smtpd/smtpd-api.h index f83edd058..4f362dc7a 100644 --- a/usr.sbin/smtpd/smtpd-api.h +++ b/usr.sbin/smtpd/smtpd-api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd-api.h,v 1.36 2018/12/23 16:06:24 gilles Exp $ */ +/* $OpenBSD: smtpd-api.h,v 1.37 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2013 Eric Faurot @@ -135,8 +135,9 @@ enum table_service { K_RELAYHOST = 0x200, /* returns struct relayhost */ K_STRING = 0x400, K_REGEX = 0x800, + K_AUTH = 0x1000, }; -#define K_ANY 0xfff +#define K_ANY 0xffff enum { PROC_TABLE_OK, diff --git a/usr.sbin/smtpd/smtpd-tables.7 b/usr.sbin/smtpd/smtpd-tables.7 index c5cd954e2..42056f9ef 100644 --- a/usr.sbin/smtpd/smtpd-tables.7 +++ b/usr.sbin/smtpd/smtpd-tables.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: smtpd-tables.7,v 1.3 2024/05/23 17:10:00 op Exp $ +.\" $OpenBSD: smtpd-tables.7,v 1.4 2024/06/09 10:13:05 gilles Exp $ .\" .\" Copyright (c) 2008 Janne Johansson .\" Copyright (c) 2009 Jacek Masiulaniec @@ -18,7 +18,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" -.Dd $Mdocdate: May 23 2024 $ +.Dd $Mdocdate: June 9 2024 $ .Dt SMTPD-TABLES 7 .Os .Sh NAME 
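Review bot: `offloadkey` in lka_authenticate holds the user name and the cleartext password, and every return path of the new K_AUTH branch leaves it on the stack. It should be wiped with explicit_bzero() as soon as table_match() has returned, and also on the bsnprintf failure path, where a truncated copy may remain. Two things to confirm outside this diff: whether table_match() normalises or traces its key (a lowercased or logged key would be wrong for a password), and how backends split the key when the user name itself contains `:`. The function starts before this hunk and the K_CREDENTIALS path continues after it.

```c
	if (table_check_service(table, K_AUTH)) {
		int	r;

		if (!bsnprintf(offloadkey, sizeof(offloadkey), "%s:%s",
		    user, password)) {
			/* a truncated copy of the password may be left behind */
			explicit_bzero(offloadkey, sizeof(offloadkey));
			/* ... unchanged: log_warnx, return (LKA_TEMPFAIL) ... */
		}
		r = table_match(table, K_AUTH, offloadkey);
		explicit_bzero(offloadkey, sizeof(offloadkey));
		switch (r) {
		/* ... unchanged: case -1 / case 0 / default ... */
		}
	}
```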
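Review bot: Widening `K_ANY` from 0xfff to 0xffff makes every table that advertises `K_ANY` also advertise the new `K_AUTH` bit, and lka_authenticate in this same commit bypasses the K_CREDENTIALS lookup whenever `table_check_service(table, K_AUTH)` is true. If any backend uses K_ANY as its service mask (not visible in this diff), its logins would be sent down the `user:password` match path and most likely end in LKA_PERMFAIL. The new mask also covers 0x2000 through 0x8000, which no service uses yet; `#define K_ANY 0x1fff` would cover exactly the services defined in the enum.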
@@ -191,6 +191,10 @@ The services and their result format are as follows: .Bl -tag -width mailaddrmap -compact .It Ic alias One or more aliases separated by a comma. +.It Ic auth +Only usable for check. +Lookup key is username and cleartext password separated by +.Sq \&: . .It Ic domain A domain name. .\" XXX are wildcards allowed? diff --git a/usr.sbin/smtpd/table.c b/usr.sbin/smtpd/table.c index 2b9c9cf25..aca013deb 100644 --- a/usr.sbin/smtpd/table.c +++ b/usr.sbin/smtpd/table.c @@ -1,4 +1,4 @@ -/* $OpenBSD: table.c,v 1.53 2024/05/28 07:10:30 op Exp $ */ +/* $OpenBSD: table.c,v 1.54 2024/06/09 10:13:05 gilles Exp $ */ /* * Copyright (c) 2013 Eric Faurot @@ -83,6 +83,7 @@ table_service_name(enum table_service s) case K_RELAYHOST: return "relayhost"; case K_STRING: return "string"; case K_REGEX: return "regex"; + case K_AUTH: return "auth"; } return "???"; } @@ -116,6 +117,8 @@ table_service_from_name(const char *service) return K_STRING; if (!strcmp(service, "regex")) return K_REGEX; + if (!strcmp(service, "auth")) + return K_AUTH; return (-1); }