From 2d0895064a661460c5f3ea622a34672a22c43bce Mon Sep 17 00:00:00 2001
From: purplerain
Date: Fri, 7 Jun 2024 18:32:47 +0000
Subject: [PATCH] sync with OpenBSD -current
---
distrib/sets/lists/base/mi | 1 +
distrib/sets/lists/man/mi | 1 +
lib/libssl/ssl_tlsext.c | 5 +-
sbin/dhcp6leased/dhcp6leased.h | 17 +-
sbin/dhcp6leased/engine.c | 3 +-
sbin/dhcp6leased/parse.y | 10 +-
sys/arch/amd64/amd64/copy.S | 3 +-
sys/arch/amd64/amd64/db_disasm.c | 4 +-
sys/arch/i386/i386/locore.s | 3 +-
usr.sbin/Makefile | 14 +-
usr.sbin/dhcp6leasectl/Makefile | 17 ++
usr.sbin/dhcp6leasectl/dhcp6leasectl.8 | 73 ++++++++
usr.sbin/dhcp6leasectl/dhcp6leasectl.c | 240 +++++++++++++++++++++++++
usr.sbin/dhcpleasectl/dhcpleasectl.c | 10 +-
usr.sbin/rpki-client/cert.c | 32 ++--
usr.sbin/rpki-client/filemode.c | 9 +-
usr.sbin/rpki-client/print.c | 3 +-
17 files changed, 392 insertions(+), 53 deletions(-)
create mode 100644 usr.sbin/dhcp6leasectl/Makefile
create mode 100644 usr.sbin/dhcp6leasectl/dhcp6leasectl.8
create mode 100644 usr.sbin/dhcp6leasectl/dhcp6leasectl.c
diff --git a/distrib/sets/lists/base/mi b/distrib/sets/lists/base/mi
index f4cb4f658..7e00b9687 100644
--- a/distrib/sets/lists/base/mi
+++ b/distrib/sets/lists/base/mi
@@ -2631,6 +2631,7 @@
 ./usr/sbin/cryptoadm
 ./usr/sbin/cryptoinit
 ./usr/sbin/dev_mkdb
+./usr/sbin/dhcp6leasectl
 ./usr/sbin/dhcpd
 ./usr/sbin/dhcpleasectl
 ./usr/sbin/dhcrelay
diff --git a/distrib/sets/lists/man/mi b/distrib/sets/lists/man/mi
index 944da9dbc..5e32cc264 100644
--- a/distrib/sets/lists/man/mi
+++ b/distrib/sets/lists/man/mi
@@ -2437,6 +2437,7 @@
 ./usr/share/man/man8/daily.8
 ./usr/share/man/man8/dev_mkdb.8
 ./usr/share/man/man8/dhclient.8
+./usr/share/man/man8/dhcp6leasectl.8
 ./usr/share/man/man8/dhcp6leased.8
 ./usr/share/man/man8/dhcpd.8
 ./usr/share/man/man8/dhcpleasectl.8
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 64fa52e20..62bb3d737 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.149 2024/04/16 17:46:30 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.150 2024/06/06 16:13:12 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -1472,7 +1472,8 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 size_t i, j, client_groups_index;
 int preferred_group_found = 0;
 int decode_error;
- uint16_t group, client_preferred_group;
+ uint16_t client_preferred_group = 0;
+ uint16_t group;
 CBS client_shares, key_exchange;
 /*
diff --git a/sbin/dhcp6leased/dhcp6leased.h b/sbin/dhcp6leased/dhcp6leased.h
index 040cf8cbb..f2855759d 100644
--- a/sbin/dhcp6leased/dhcp6leased.h
+++ b/sbin/dhcp6leased/dhcp6leased.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhcp6leased.h,v 1.7 2024/06/05 16:15:47 florian Exp $ */
+/* $OpenBSD: dhcp6leased.h,v 1.8 2024/06/06 15:15:44 florian Exp $ */
 /*
 * Copyright (c) 2017, 2021 Florian Obser
@@ -175,6 +175,13 @@ enum imsg_type {
 IMSG_WRITE_LEASE,
 };
+struct prefix {
+ struct in6_addr prefix;
+ int prefix_len;
+ uint32_t vltime;
+ uint32_t pltime;
+};
+
 struct ctl_engine_info {
 uint32_t if_index;
 int running;
@@ -184,6 +191,7 @@ struct ctl_engine_info {
 uint32_t lease_time;
 uint32_t t1;
 uint32_t t2;
+ struct prefix pds[MAX_IA];
 };
 struct iface_pd_conf {
@@ -213,13 +221,6 @@ struct dhcp6leased_conf {
 int rapid_commit;
 };
-struct prefix {
- struct in6_addr prefix;
- int prefix_len;
- uint32_t vltime;
- uint32_t pltime;
-};
-
 struct imsg_ifinfo {
 uint32_t if_index;
 int rdomain;
diff --git a/sbin/dhcp6leased/engine.c b/sbin/dhcp6leased/engine.c
index 6f9ccf161..180847406 100644
--- a/sbin/dhcp6leased/engine.c
+++ b/sbin/dhcp6leased/engine.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.c,v 1.12 2024/06/05 16:15:47 florian Exp $ */
+/* $OpenBSD: engine.c,v 1.13 2024/06/06 15:15:44 florian Exp $ */
 /*
 * Copyright (c) 2017, 2021, 2024 Florian Obser
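Review bot: `struct prefix` now crosses the imsg boundary as part of `struct ctl_engine_info` through the new `pds[MAX_IA]` member, so its layout has become part of the control protocol shared by the engine, the frontend and dhcp6leasectl, and nothing in the header says so. A comment above the moved definition such as `/* Sent to dhcp6leasectl inside ctl_engine_info; layout is protocol. */` would record why it was hoisted above `ctl_engine_info` and warn against reordering its members. `MAX_IA` is declared outside this hunk, so it is worth confirming that the larger `ctl_engine_info` still fits comfortably within the imsg payload limit.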
@@ -572,6 +572,7 @@ send_interface_info(struct dhcp6leased_iface *iface, pid_t pid)
 cei.lease_time = iface->lease_time;
 cei.t1 = iface->t1;
 cei.t2 = iface->t2;
+ memcpy(&cei.pds, &iface->pds, sizeof(cei.pds));
 engine_imsg_compose_frontend(IMSG_CTL_SHOW_INTERFACE_INFO, pid,
 &cei, sizeof(cei));
 }
diff --git a/sbin/dhcp6leased/parse.y b/sbin/dhcp6leased/parse.y
index 3b60e7726..9a5e845f0 100644
--- a/sbin/dhcp6leased/parse.y
+++ b/sbin/dhcp6leased/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.8 2024/06/05 16:15:47 florian Exp $ */
+/* $OpenBSD: parse.y,v 1.9 2024/06/06 06:26:14 florian Exp $ */
 /*
 * Copyright (c) 2018, 2024 Florian Obser
@@ -168,17 +168,17 @@ ia_pd : REQUEST PREFIX DELEGATION ON STRING FOR {
 SIMPLEQ_INIT(&iface_ia_conf->iface_pd_list);
 SIMPLEQ_INSERT_TAIL(&iface_conf->iface_ia_list, iface_ia_conf, entry);
- } '{' iface_block '}' {
+ } iface_block {
 iface_conf = NULL;
 iface_ia_conf = NULL;
 }
 ;
-iface_block : optnl ifaceopts_l
- | optnl
+iface_block : '{' optnl ifaceopts_l '}'
+ | ifaceoptsl
 ;
-ifaceopts_l : ifaceopts_l ifaceoptsl nl
+ifaceopts_l : ifaceopts_l ifaceoptsl optnl
 | ifaceoptsl optnl
 ;
diff --git a/sys/arch/amd64/amd64/copy.S b/sys/arch/amd64/amd64/copy.S
index d95e09e30..e83360a29 100644
--- a/sys/arch/amd64/amd64/copy.S
+++ b/sys/arch/amd64/amd64/copy.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: copy.S,v 1.19 2023/07/28 06:18:35 guenther Exp $ */
+/* $OpenBSD: copy.S,v 1.20 2024/06/06 00:36:46 bluhm Exp $ */
 /* $NetBSD: copy.S,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */
 /*
@@ -189,6 +189,7 @@ ENTRY(_copyin)
 NENTRY(copy_fault)
 DECLARE_ONFAULT(copy_fault)
+ cld
 SMAP_CLAC
 movq CPUVAR(CURPCB),%rdx
 popq PCB_ONFAULT(%rdx)
diff --git a/sys/arch/amd64/amd64/db_disasm.c b/sys/arch/amd64/amd64/db_disasm.c
index 38d8c7a79..02d831256 100644
--- a/sys/arch/amd64/amd64/db_disasm.c
+++ b/sys/arch/amd64/amd64/db_disasm.c
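Review bot: The added `memcpy(&cei.pds, &iface->pds, sizeof(cei.pds))` sizes the copy by the destination while the source is `iface->pds`, whose declaration is outside this hunk; if the two arrays ever differ in element count the copy either over-reads the interface struct or silently leaves stale bytes in `cei`. Pinning them together with `_Static_assert(sizeof(cei.pds) == sizeof(iface->pds), "pds size mismatch");` next to the memcpy turns that into a compile error. Because `cei` is handed to the frontend and from there to dhcp6leasectl, it is also worth confirming that it is zero-initialised earlier in send_interface_info, which starts before this hunk, so no uninitialised padding reaches the control socket.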
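Review bot: The `iface_block` rule now accepts a prefix delegation block without braces (the new `| ifaceoptsl` alternative) and `ifaceopts_l` lets options follow each other separated only by `optnl`, but the diffstat shows no change to the dhcp6leased.conf(5) manual, so the documented syntax no longer matches what the parser accepts. The manual should follow, or at least a comment above `iface_block` should state both accepted forms, e.g. `/* either "{ option ... }" or a single option without braces */`. Whether the `optnl` separator introduces a yacc conflict depends on `ifaceoptsl`, which is outside the hunk.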
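Review bot: The `cld` added at the top of `copy_fault` carries no comment, so a reader of the fault path cannot tell why the direction flag needs resetting here rather than in the copy routines themselves. A one-line comment at the instruction, such as `cld	/* fault may be taken with DF set; callers expect it clear */`, keeps the reason with the fix; the i386 `copy_fault` hunk in locore.s adds the same instruction and could carry the same comment. Which copy routine presumably runs with `std` is not visible in these hunks.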
@@ -1,4 +1,4 @@
-/* $OpenBSD: db_disasm.c,v 1.24 2023/04/22 18:26:17 guenther Exp $ */
+/* $OpenBSD: db_disasm.c,v 1.25 2024/06/06 12:36:41 bluhm Exp $ */
 /* $NetBSD: db_disasm.c,v 1.11 1996/05/03 19:41:58 christos Exp $ */
 /*
@@ -793,7 +793,7 @@ struct inst db_inst_table[256] = {
 /*e6*/ { "out", 0, BYTE, op2(A, Ib), 0 },
 /*e7*/ { "out", 0, LONG, op2(A, Ib) , 0 },
-/*e8*/ { "call", 0, QUAD, op1(Dl), 0 },
+/*e8*/ { "call", 0, NONE, op1(Dl), 0 },
 /*e9*/ { "jmp", 0, NONE, op1(Dl), 0 },
 /*ea*/ { "", 0, NONE, op1(OS), 0 },
 /*eb*/ { "jmp", 0, NONE, op1(Db), 0 },
diff --git a/sys/arch/i386/i386/locore.s b/sys/arch/i386/i386/locore.s
index b25acfaab..feb8fa4ed 100644
--- a/sys/arch/i386/i386/locore.s
+++ b/sys/arch/i386/i386/locore.s
@@ -1,4 +1,4 @@
-/* $OpenBSD: locore.s,v 1.204 2023/12/12 07:37:20 deraadt Exp $ */
+/* $OpenBSD: locore.s,v 1.205 2024/06/06 00:36:46 bluhm Exp $ */
 /* $NetBSD: locore.s,v 1.145 1996/05/03 19:41:19 christos Exp $ */
 /*-
@@ -555,6 +555,7 @@ ENTRY(_copyin)
 ret
 ENTRY(copy_fault)
+ cld
 SMAP_CLAC
 GET_CURPCB(%edx)
 popl PCB_ONFAULT(%edx)
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index a54077f9c..f9d3fc853 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -1,15 +1,15 @@ -# $OpenBSD: Makefile,v 1.215 2022/06/28 18:47:54 claudio Exp $ +# $OpenBSD: Makefile,v 1.216 2024/06/06 15:21:01 florian Exp $ .include SUBDIR= ac accton acme-client acpidump adduser amd apm apmd arp authpf \ bgpctl bgpd bgplgd btrace chroot config cron crunchgen dev_mkdb \ - dhcpd dhcpleasectl dhcrelay dhcrelay6 dvmrpctl dvmrpd edquota eeprom \ - eigrpd eigrpctl fdformat ftp-proxy fw_update gpioctl hostapd hostctl \ - hotplugd httpd identd ifstated ikectl inetd installboot iostat \ - iscsictl iscsid kgmon kvm_mkdb ldapd ldapctl ldomctl ldomd \ - ldpd ldpctl lpr makefs mailwrapper map-mbone memconfig mksuncd \ - mkuboot mopd mrinfo mrouted mtrace mtree ndp netgroup_mkdb \ + dhcp6leasectl dhcpd dhcpleasectl dhcrelay dhcrelay6 dvmrpctl dvmrpd \ + edquota eeprom eigrpd eigrpctl fdformat ftp-proxy fw_update gpioctl \ + hostapd hostctl hotplugd httpd identd ifstated ikectl inetd \ + installboot iostat iscsictl iscsid kgmon kvm_mkdb ldapd ldapctl \ + ldomctl ldomd ldpd ldpctl lpr makefs mailwrapper map-mbone memconfig \ + mksuncd mkuboot mopd mrinfo mrouted mtrace mtree ndp netgroup_mkdb \ npppctl npppd nsd ntpd ocspcheck ospfctl ospfd ospf6d ospf6ctl \ pcidump pkg_add portmap pppd procmap pstat pwd_mkdb \ quot quotaon ractl rad radiusctl radiusd rarpd rbootd \ diff --git a/usr.sbin/dhcp6leasectl/Makefile b/usr.sbin/dhcp6leasectl/Makefile new file mode 100644 index 000000000..0af424ace --- /dev/null +++ b/usr.sbin/dhcp6leasectl/Makefile @@ -0,0 +1,17 @@ +# $OpenBSD: Makefile,v 1.1 2024/06/06 15:16:57 florian Exp $ + +PROG= dhcp6leasectl +SRCS= dhcp6leasectl.c + +MAN= dhcp6leasectl.8 + +CFLAGS+= -Wall +CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes +CFLAGS+= -Wmissing-declarations +CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual +CFLAGS+= -Wsign-compare +CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../sbin/dhcp6leased +LDADD= -lutil +DPADD= ${LIBUTIL} + +.include 
diff --git a/usr.sbin/dhcp6leasectl/dhcp6leasectl.8 b/usr.sbin/dhcp6leasectl/dhcp6leasectl.8 new file mode 100644 index 000000000..f5ebd9a08 --- /dev/null +++ b/usr.sbin/dhcp6leasectl/dhcp6leasectl.8 
@@ -0,0 +1,73 @@ +.\" $OpenBSD: dhcp6leasectl.8,v 1.1 2024/06/06 15:16:57 florian Exp $ +.\" +.\" Copyright (c) 2021 Florian Obser +.\" Copyright (c) 2016 Kenneth R Westerback +.\" Copyright (c) 2004, 2005 Esben Norby +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 6 2024 $ +.Dt DHCP6LEASECTL 8 +.Os +.Sh NAME +.Nm dhcp6leasectl +.Nd control the dhcp6leased client +.Sh SYNOPSIS +.Nm +.Op Fl l +.Op Fl s Ar socket +.Op Fl w Ar maxwait +.Ar interface +.Sh DESCRIPTION +The +.Nm +program instructs the +.Xr dhcp6leased 8 +daemon to request a new lease. +.Pp +The following options are available: +.Bl -tag -width Ds +.It Fl l +List the configured lease on +.Ar interface +instead of requesting a new lease. +.It Fl s Ar socket +Use +.Ar socket +instead of the default +.Pa /dev/dhcp6leased.sock +to communicate with +.Xr dhcp6leased 8 . +.It Fl w Ar maxwait +Specify the maximum number of seconds to wait for +.Ar interface +to be configured. +The default is to wait 10 seconds unless +.Fl l +is specified. +.El +.Sh FILES +.Bl -tag -width "/dev/dhcp6leased.sockXX" -compact +.It Pa /dev/dhcp6leased.sock +.Ux Ns -domain +socket used for communication with +.Xr dhcp6leased 8 . 
+.El +.Sh SEE ALSO +.Xr dhcp6leased.conf 5 , +.Xr dhcp6leased 8 +.Sh HISTORY +The +.Nm +program first appeared in +.Ox 7.6 . diff --git a/usr.sbin/dhcp6leasectl/dhcp6leasectl.c b/usr.sbin/dhcp6leasectl/dhcp6leasectl.c new file mode 100644 index 000000000..9398612e8 --- /dev/null +++ b/usr.sbin/dhcp6leasectl/dhcp6leasectl.c 
@@ -0,0 +1,240 @@ +/* $OpenBSD: dhcp6leasectl.c,v 1.1 2024/06/06 15:16:57 florian Exp $ */ + +/* + * Copyright (c) 2021, 2024 Florian Obser + * Copyright (c) 2005 Claudio Jeker + * Copyright (c) 2004, 2005 Esben Norby + * Copyright (c) 2003 Henning Brauer + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include + +#include + +#include + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "dhcp6leased.h" + +__dead void usage(void); +void show_interface_msg(struct ctl_engine_info *); + +struct imsgbuf *ibuf; + +__dead void +usage(void) +{ + extern char *__progname; + + fprintf(stderr, "usage: %s [-l] [-s socket] [-w maxwait] interface\n", + __progname); + exit(1); +} + +int +main(int argc, char *argv[]) +{ + struct sockaddr_un sun; + struct imsg imsg; + struct ctl_engine_info *cei; + int ctl_sock; + int n, lFlag = 0, maxwait_set = 0, didot = 0; + int ch, if_index = 0, maxwait = 10, bound = 0; + char *sockname; + const char *errstr; + + sockname = _PATH_CTRL_SOCKET; + while ((ch = getopt(argc, argv, "ls:w:")) != -1) { + switch (ch) { + case 'l': + lFlag = 1; + break; + case 's': + sockname = optarg; + break; + case 'w': + maxwait_set = 1; + maxwait = 
strtonum(optarg, 1, INT_MAX, &errstr); + if (errstr) + errx(1, "maxwait value is %s: %s", + errstr, optarg); + break; + + default: + usage(); + } + } + argc -= optind; + argv += optind; + + if (argc != 1) + usage(); + + if ((if_index = if_nametoindex(argv[0])) == 0) + errx(1, "unknown interface"); + + if (lFlag && !maxwait_set) + maxwait = 0; + + /* Connect to control socket. */ + if ((ctl_sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) + err(1, "socket"); + + memset(&sun, 0, sizeof(sun)); + sun.sun_family = AF_UNIX; + strlcpy(sun.sun_path, sockname, sizeof(sun.sun_path)); + + if (connect(ctl_sock, (struct sockaddr *)&sun, sizeof(sun)) == -1) + err(1, "connect: %s", sockname); + + if (pledge("stdio", NULL) == -1) + err(1, "pledge"); + + if ((ibuf = malloc(sizeof(struct imsgbuf))) == NULL) + err(1, NULL); + imsg_init(ibuf, ctl_sock); + + if (!lFlag) { + imsg_compose(ibuf, IMSG_CTL_SEND_REQUEST, 0, 0, -1, + &if_index, sizeof(if_index)); + while (ibuf->w.queued) + if (msgbuf_write(&ibuf->w) <= 0 && errno != EAGAIN) + err(1, "write error"); + + } + + for(;;) { + imsg_compose(ibuf, IMSG_CTL_SHOW_INTERFACE_INFO, 0, 0, -1, + &if_index, sizeof(if_index)); + + while (ibuf->w.queued) + if (msgbuf_write(&ibuf->w) <= 0 && errno != EAGAIN) + err(1, "write error"); + + + if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) + errx(1, "imsg_read error"); + if (n == 0) + errx(1, "pipe closed"); + + if ((n = imsg_get(ibuf, &imsg)) == -1) + errx(1, "imsg_get error"); + if (n == 0) + break; + + if (imsg.hdr.type == IMSG_CTL_END) { + if (lFlag) + errx(1, "non-autoconf interface %s", argv[0]); + else if (--maxwait < 0) + break; + else + continue; + } + + cei = imsg.data; + if (strcmp(cei->state, "Bound") == 0) + bound = 1; + + if (bound || --maxwait < 0) { + if (didot) + putchar('\n'); + show_interface_msg(cei); + break; + } else { + didot = 1; + putchar('.'); + fflush(stdout); + } + imsg_free(&imsg); + sleep(1); + } + close(ctl_sock); + free(ibuf); + + return (0); +} + +void 
+show_interface_msg(struct ctl_engine_info *cei) +{ + struct timespec now, diff; + time_t d, h, m, s; + int i, has_pd = 0; + char buf[IF_NAMESIZE], *bufp; + char ntopbuf[INET6_ADDRSTRLEN]; + + bufp = if_indextoname(cei->if_index, buf); + printf("%s [%s]\n", bufp != NULL ? bufp : "unknown", cei->state); + + for (i = 0; i < MAX_IA; i++) { + if (cei->pds[i].prefix_len == 0) + continue; + has_pd = 1; + printf ("\tIA_PD %d: %s/%d\n", i, inet_ntop(AF_INET6, + &cei->pds[i], ntopbuf, INET6_ADDRSTRLEN), + cei->pds[i].prefix_len); + } + + if (has_pd) { + clock_gettime(CLOCK_MONOTONIC, &now); + timespecsub(&now, &cei->request_time, &diff); + s = cei->lease_time - diff.tv_sec; + if (s < 0) + s = 0; + + if ( s > 86400 ) { + d = s / 86400; + + /* round up */ + if (s - d * 86400 > 43200) + d++; + printf("\tlease %lld day%s\n", d, d > 1 ? "s" : ""); + } else if (s > 3600) { + h = s / 3600; + + /* round up */ + if (s - h * 3600 > 1800) + h++; + printf("\tlease %lld hour%s\n", h, h > 1 ? "s" : ""); + } else if (s > 60) { + m = s / 60; + + /* round up */ + if (s - m * 60 > 30) + m++; + printf("\tlease %lld minute%s\n", m, m > 1 ? "s" : ""); + } else + printf("\tlease %lld second%s\n", s, s > 1 ? "s" : ""); + + } +} diff --git a/usr.sbin/dhcpleasectl/dhcpleasectl.c b/usr.sbin/dhcpleasectl/dhcpleasectl.c index ddaec5996..6b2627785 100644 --- a/usr.sbin/dhcpleasectl/dhcpleasectl.c +++ b/usr.sbin/dhcpleasectl/dhcpleasectl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dhcpleasectl.c,v 1.7 2021/09/16 06:23:01 jmc Exp $ */ +/* $OpenBSD: dhcpleasectl.c,v 1.8 2024/06/06 15:07:46 florian Exp $ */ /* * Copyright (c) 2021 Florian Obser 
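Review bot: `cei = imsg.data` in main() is dereferenced without checking the reply's type or length: only IMSG_CTL_END is filtered out, so any other message is treated as a `struct ctl_engine_info`, and a short payload is read past its end when `cei->state` and `cei->pds` are used. The usual guard before the assignment is `if (imsg.hdr.type != IMSG_CTL_SHOW_INTERFACE_INFO || IMSG_DATA_SIZE(imsg) != sizeof(*cei)) errx(1, "unexpected message");`. The `strlcpy` into `sun.sun_path` also ignores its return value, so an over-long `-s` path is silently truncated before `connect`; compare the result against `sizeof(sun.sun_path)` and `errx` on truncation. In show_interface_msg, `inet_ntop` is handed `&cei->pds[i]` and only works because `prefix` is the first member, so `&cei->pds[i].prefix` names what is meant; and `s > 1 ? "s" : ""` on the seconds line prints `lease 0 second` once the clamped `s` reaches 0, so `s != 1` is the right test there and in the matching dhcpleasectl.c hunk.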
@@ -287,23 +287,23 @@ show_interface_msg(struct ctl_engine_info *cei)
 /* round up */
 if (s - d * 86400 > 43200)
 d++;
- printf("\tlease %lld days\n", d);
+ printf("\tlease %lld day%s\n", d, d > 1 ? "s" : "");
 } else if (s > 3600) {
 h = s / 3600;
 /* round up */
 if (s - h * 3600 > 1800)
 h++;
- printf("\tlease %lld hours\n", h);
+ printf("\tlease %lld hour%s\n", h, h > 1 ? "s" : "");
 } else if (s > 60) {
 m = s / 60;
 /* round up */
 if (s - m * 60 > 30)
 m++;
- printf("\tlease %lld minutes\n", m);
+ printf("\tlease %lld minute%s\n", m, m > 1 ? "s" : "");
 } else
- printf("\tlease %lld seconds\n", s);
+ printf("\tlease %lld second%s\n", s, s > 1 ? "s" : "");
 }
 if (cei->server_identifier.s_addr != INADDR_ANY) {
 if (inet_ntop(AF_INET, &cei->server_identifier, ipbuf,
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 76d4e4eb8..0b0794412 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.136 2024/06/04 14:10:53 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -1073,7 +1073,6 @@ struct cert *
 ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 size_t pkeysz)
 {
- ASN1_TIME *notBefore, *notAfter;
 EVP_PKEY *pk, *opk;
 time_t now = get_current_time();
@@ -1095,35 +1094,26 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 "pubkey does not match TAL pubkey", fn);
 goto badcert;
 }
-
- if ((notBefore = X509_get_notBefore(p->x509)) == NULL) {
- warnx("%s: certificate has invalid notBefore", fn);
- goto badcert;
- }
- if ((notAfter = X509_get_notAfter(p->x509)) == NULL) {
- warnx("%s: certificate has invalid notAfter", fn);
- goto badcert;
- }
- if (X509_cmp_time(notBefore, &now) != -1) {
+ if (p->notbefore >= now) {
 warnx("%s: certificate not yet valid", fn);
 goto badcert;
 }
- if (X509_cmp_time(notAfter, &now) != 1) {
+ if (p->notafter <= now) {
 warnx("%s: certificate has expired", fn);
 goto badcert;
 }
 if (p->aki != NULL && strcmp(p->aki, p->ski)) {
- warnx("%s: RFC 6487 section 8.4.2: "
+ warnx("%s: RFC 6487 section 4.8.3: "
 "trust anchor AKI, if specified, must match SKI", fn);
 goto badcert;
 }
 if (p->aia != NULL) {
- warnx("%s: RFC 6487 section 8.4.7: "
+ warnx("%s: RFC 6487 section 4.8.7: "
 "trust anchor must not have AIA", fn);
 goto badcert;
 }
 if (p->crl != NULL) {
- warnx("%s: RFC 6487 section 8.4.2: "
+ warnx("%s: RFC 6487 section 4.8.6: "
 "trust anchor may not specify CRL resource", fn);
 goto badcert;
 }
@@ -1131,6 +1121,14 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 warnx("%s: BGPsec cert cannot be a trust anchor", fn);
 goto badcert;
 }
+ /*
+ * Do not replace with a <= 0 check since OpenSSL 3 broke that:
+ * https://github.com/openssl/openssl/issues/24575
+ */
+ if (X509_verify(p->x509, pk) != 1) {
+ warnx("%s: failed to verify signature", fn);
+ goto badcert;
+ }
 if (x509_any_inherits(p->x509)) {
 warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
 goto badcert;
@@ -1139,7 +1137,7 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 EVP_PKEY_free(pk);
 return p;
-badcert:
+ badcert:
 EVP_PKEY_free(pk);
 cert_free(p);
 return NULL;
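Review bot: The new `X509_verify(p->x509, pk) != 1` check reports `failed to verify signature`, which does not tell the operator which key the trust anchor was checked against; since `pk` is the TAL key here, `warnx("%s: trust anchor signature does not verify against TAL key", fn);` would make the failure self-explanatory in logs. The comment above it says a `<= 0` check is broken under OpenSSL 3 but not how; stating what the library returns in that case (presumably a non-negative value on some failures, per the linked issue) would stop a later reader from "simplifying" it, and `!= 1` is the correct form regardless because 1 is the only documented success value. ta_parse's body starts before this hunk, so where `pk` is created and checked for NULL is not visible.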
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c index 7ebeaeafe..630b633b2 100644 --- a/usr.sbin/rpki-client/filemode.c +++ b/usr.sbin/rpki-client/filemode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: filemode.c,v 1.42 2024/05/20 15:51:43 claudio Exp $ */ +/* $OpenBSD: filemode.c,v 1.43 2024/06/06 07:19:10 tb Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -526,9 +526,15 @@ proc_parser_file(char *file, unsigned char *buf, size_t len) constraints_validate(file, cert); } } else if (is_ta) { + expires = NULL; + notafter = NULL; if ((tal = find_tal(cert)) != NULL) { cert = ta_parse(file, cert, tal->pkey, tal->pkeysz); status = (cert != NULL); + if (status) { + expires = &cert->expires; + notafter = &cert->notafter; + } if (outformats & FORMAT_JSON) json_do_string("tal", tal->descr); else @@ -538,7 +544,6 @@ proc_parser_file(char *file, unsigned char *buf, size_t len) } else { cert_free(cert); cert = NULL; - expires = NULL; status = 0; } } diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index a88fbfba7..3fbf35537 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.53 2024/05/29 13:26:24 tb Exp $ */ +/* $OpenBSD: print.c,v 1.54 2024/06/06 05:57:36 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -211,7 +211,6 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz) size_t i; int sockt; - for (i = 0; i < ipsz; i++) { if (outformats & FORMAT_JSON) json_do_object("resource", 1);