sync with OpenBSD -current

distrib/sets/lists/base/mi

@@ -2631,6 +2631,7 @@
 ./usr/sbin/cryptoadm
 ./usr/sbin/cryptoinit
 ./usr/sbin/dev_mkdb
+./usr/sbin/dhcp6leasectl
 ./usr/sbin/dhcpd
 ./usr/sbin/dhcpleasectl
 ./usr/sbin/dhcrelay

distrib/sets/lists/man/mi

@@ -2437,6 +2437,7 @@
 ./usr/share/man/man8/daily.8
 ./usr/share/man/man8/dev_mkdb.8
 ./usr/share/man/man8/dhclient.8
+./usr/share/man/man8/dhcp6leasectl.8
 ./usr/share/man/man8/dhcp6leased.8
 ./usr/share/man/man8/dhcpd.8
 ./usr/share/man/man8/dhcpleasectl.8

lib/libssl/ssl_tlsext.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.149 2024/04/16 17:46:30 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.150 2024/06/06 16:13:12 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1472,7 +1472,8 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 	size_t i, j, client_groups_index;
 	int preferred_group_found = 0;
 	int decode_error;
-	uint16_t group, client_preferred_group;
+	uint16_t client_preferred_group = 0;
+	uint16_t group;
 	CBS client_shares, key_exchange;
 
 	/*

sbin/dhcp6leased/dhcp6leased.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dhcp6leased.h,v 1.7 2024/06/05 16:15:47 florian Exp $	*/
+/*	$OpenBSD: dhcp6leased.h,v 1.8 2024/06/06 15:15:44 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021 Florian Obser <florian@openbsd.org>
@@ -175,6 +175,13 @@ enum imsg_type {
 	IMSG_WRITE_LEASE,
 };
 
+struct prefix {
+	struct in6_addr	 prefix;
+	int		 prefix_len;
+	uint32_t	 vltime;
+	uint32_t	 pltime;
+};
+
 struct ctl_engine_info {
 	uint32_t		if_index;
 	int			running;
@@ -184,6 +191,7 @@ struct ctl_engine_info {
 	uint32_t		lease_time;
 	uint32_t		t1;
 	uint32_t		t2;
+	struct prefix		pds[MAX_IA];
 };
 
 struct iface_pd_conf {
@@ -213,13 +221,6 @@ struct dhcp6leased_conf {
 	int						rapid_commit;
 };
 
-struct prefix {
-	struct in6_addr	 prefix;
-	int		 prefix_len;
-	uint32_t	 vltime;
-	uint32_t	 pltime;
-};
-
 struct imsg_ifinfo {
 	uint32_t		if_index;
 	int			rdomain;

sbin/dhcp6leased/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.12 2024/06/05 16:15:47 florian Exp $	*/
+/*	$OpenBSD: engine.c,v 1.13 2024/06/06 15:15:44 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021, 2024 Florian Obser <florian@openbsd.org>
@@ -572,6 +572,7 @@ send_interface_info(struct dhcp6leased_iface *iface, pid_t pid)
 	cei.lease_time = iface->lease_time;
 	cei.t1 = iface->t1;
 	cei.t2 = iface->t2;
+	memcpy(&cei.pds, &iface->pds, sizeof(cei.pds));
 	engine_imsg_compose_frontend(IMSG_CTL_SHOW_INTERFACE_INFO, pid, &cei,
 	    sizeof(cei));
 }

sbin/dhcp6leased/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.8 2024/06/05 16:15:47 florian Exp $	*/
+/*	$OpenBSD: parse.y,v 1.9 2024/06/06 06:26:14 florian Exp $	*/
 
 /*
  * Copyright (c) 2018, 2024 Florian Obser <florian@openbsd.org>
@@ -168,17 +168,17 @@ ia_pd		: REQUEST PREFIX DELEGATION ON STRING FOR {
 			SIMPLEQ_INIT(&iface_ia_conf->iface_pd_list);
 			SIMPLEQ_INSERT_TAIL(&iface_conf->iface_ia_list,
 			    iface_ia_conf, entry);
-		} '{' iface_block '}' {
+		} iface_block {
 			iface_conf = NULL;
 			iface_ia_conf = NULL;
 		}
 		;
 
-iface_block	: optnl ifaceopts_l
+iface_block	: '{' optnl ifaceopts_l '}'
-		| optnl
+		| ifaceoptsl
 		;
 
-ifaceopts_l	: ifaceopts_l ifaceoptsl nl
+ifaceopts_l	: ifaceopts_l ifaceoptsl optnl
 		| ifaceoptsl optnl
 		;
 

sys/arch/amd64/amd64/copy.S

@@ -1,4 +1,4 @@
-/*	$OpenBSD: copy.S,v 1.19 2023/07/28 06:18:35 guenther Exp $	*/
+/*	$OpenBSD: copy.S,v 1.20 2024/06/06 00:36:46 bluhm Exp $	*/
 /*	$NetBSD: copy.S,v 1.1 2003/04/26 18:39:26 fvdl Exp $	*/
 
 /*
@@ -189,6 +189,7 @@ ENTRY(_copyin)
 
 NENTRY(copy_fault)
 DECLARE_ONFAULT(copy_fault)
+	cld
 	SMAP_CLAC
 	movq	CPUVAR(CURPCB),%rdx
 	popq	PCB_ONFAULT(%rdx)

sys/arch/amd64/amd64/db_disasm.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: db_disasm.c,v 1.24 2023/04/22 18:26:17 guenther Exp $	*/
+/*	$OpenBSD: db_disasm.c,v 1.25 2024/06/06 12:36:41 bluhm Exp $	*/
 /*	$NetBSD: db_disasm.c,v 1.11 1996/05/03 19:41:58 christos Exp $	*/
 
 /*
@@ -793,7 +793,7 @@ struct inst db_inst_table[256] = {
 /*e6*/	{ "out",   0, BYTE,  op2(A, Ib),  0 },
 /*e7*/	{ "out",   0, LONG,  op2(A, Ib) , 0 },
 
-/*e8*/	{ "call",  0, QUAD,  op1(Dl),     0 },
+/*e8*/	{ "call",  0, NONE,  op1(Dl),     0 },
 /*e9*/	{ "jmp",   0, NONE,  op1(Dl),     0 },
 /*ea*/	{ "",      0, NONE,  op1(OS),     0 },
 /*eb*/	{ "jmp",   0, NONE,  op1(Db),     0 },

sys/arch/i386/i386/locore.s

@@ -1,4 +1,4 @@
-/*	$OpenBSD: locore.s,v 1.204 2023/12/12 07:37:20 deraadt Exp $	*/
+/*	$OpenBSD: locore.s,v 1.205 2024/06/06 00:36:46 bluhm Exp $	*/
 /*	$NetBSD: locore.s,v 1.145 1996/05/03 19:41:19 christos Exp $	*/
 
 /*-
@@ -555,6 +555,7 @@ ENTRY(_copyin)
 	ret
 
 ENTRY(copy_fault)
+	cld
 	SMAP_CLAC
 	GET_CURPCB(%edx)
 	popl	PCB_ONFAULT(%edx)

usr.sbin/Makefile

@@ -1,15 +1,15 @@
-#	$OpenBSD: Makefile,v 1.215 2022/06/28 18:47:54 claudio Exp $
+#	$OpenBSD: Makefile,v 1.216 2024/06/06 15:21:01 florian Exp $
 
 .include <bsd.own.mk>
 
 SUBDIR=	ac accton acme-client acpidump adduser amd apm apmd arp authpf \
 	bgpctl bgpd bgplgd btrace chroot config cron crunchgen dev_mkdb \
-	dhcpd dhcpleasectl dhcrelay dhcrelay6 dvmrpctl dvmrpd edquota eeprom \
+	dhcp6leasectl dhcpd dhcpleasectl dhcrelay dhcrelay6 dvmrpctl dvmrpd \
-	eigrpd eigrpctl fdformat ftp-proxy fw_update gpioctl hostapd hostctl \
+	edquota eeprom eigrpd eigrpctl fdformat ftp-proxy fw_update gpioctl \
-	hotplugd httpd identd ifstated ikectl inetd installboot iostat \
+	hostapd hostctl hotplugd httpd identd ifstated ikectl inetd \
-	iscsictl iscsid kgmon kvm_mkdb ldapd ldapctl ldomctl ldomd \
+	installboot iostat iscsictl iscsid kgmon kvm_mkdb ldapd ldapctl \
-	ldpd ldpctl lpr makefs mailwrapper map-mbone memconfig mksuncd \
+	ldomctl ldomd ldpd ldpctl lpr makefs mailwrapper map-mbone memconfig \
-	mkuboot mopd mrinfo mrouted mtrace mtree ndp netgroup_mkdb \
+	mksuncd mkuboot mopd mrinfo mrouted mtrace mtree ndp netgroup_mkdb \
 	npppctl npppd nsd ntpd ocspcheck ospfctl ospfd ospf6d ospf6ctl \
 	pcidump pkg_add portmap pppd procmap pstat pwd_mkdb \
 	quot quotaon ractl rad radiusctl radiusd rarpd rbootd \

usr.sbin/dhcp6leasectl/Makefile

@@ -0,0 +1,17 @@
+#	$OpenBSD: Makefile,v 1.1 2024/06/06 15:16:57 florian Exp $
+
+PROG=	dhcp6leasectl
+SRCS=	dhcp6leasectl.c
+
+MAN=	dhcp6leasectl.8
+
+CFLAGS+= -Wall
+CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes
+CFLAGS+= -Wmissing-declarations
+CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual
+CFLAGS+= -Wsign-compare
+CFLAGS+= -I${.CURDIR} -I${.CURDIR}/../../sbin/dhcp6leased
+LDADD=	-lutil
+DPADD=	${LIBUTIL}
+
+.include <bsd.prog.mk>

usr.sbin/dhcp6leasectl/dhcp6leasectl.8

@@ -0,0 +1,73 @@
+.\"	$OpenBSD: dhcp6leasectl.8,v 1.1 2024/06/06 15:16:57 florian Exp $
+.\"
+.\" Copyright (c) 2021 Florian Obser <florian@openbsd.org>
+.\" Copyright (c) 2016 Kenneth R Westerback <kwesterback@gmail.com>
+.\" Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 6 2024 $
+.Dt DHCP6LEASECTL 8
+.Os
+.Sh NAME
+.Nm dhcp6leasectl
+.Nd control the dhcp6leased client
+.Sh SYNOPSIS
+.Nm
+.Op Fl l
+.Op Fl s Ar socket
+.Op Fl w Ar maxwait
+.Ar interface
+.Sh DESCRIPTION
+The
+.Nm
+program instructs the
+.Xr dhcp6leased 8
+daemon to request a new lease.
+.Pp
+The following options are available:
+.Bl -tag -width Ds
+.It Fl l
+List the configured lease on
+.Ar interface
+instead of requesting a new lease.
+.It Fl s Ar socket
+Use
+.Ar socket
+instead of the default
+.Pa /dev/dhcp6leased.sock
+to communicate with
+.Xr dhcp6leased 8 .
+.It Fl w Ar maxwait
+Specify the maximum number of seconds to wait for
+.Ar interface
+to be configured.
+The default is to wait 10 seconds unless
+.Fl l
+is specified.
+.El
+.Sh FILES
+.Bl -tag -width "/dev/dhcp6leased.sockXX" -compact
+.It Pa /dev/dhcp6leased.sock
+.Ux Ns -domain
+socket used for communication with
+.Xr dhcp6leased 8 .
+.El
+.Sh SEE ALSO
+.Xr dhcp6leased.conf 5 ,
+.Xr dhcp6leased 8
+.Sh HISTORY
+The
+.Nm
+program first appeared in
+.Ox 7.6 .

usr.sbin/dhcp6leasectl/dhcp6leasectl.c

@@ -0,0 +1,240 @@
+/*	$OpenBSD: dhcp6leasectl.c,v 1.1 2024/06/06 15:16:57 florian Exp $	*/
+
+/*
+ * Copyright (c) 2021, 2024 Florian Obser <florian@openbsd.org>
+ * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org>
+ * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
+ * Copyright (c) 2003 Henning Brauer <henning@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <arpa/inet.h>
+
+#include <net/if.h>
+
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+
+#include <err.h>
+#include <errno.h>
+#include <event.h>
+#include <imsg.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "dhcp6leased.h"
+
+__dead void	 usage(void);
+void		 show_interface_msg(struct ctl_engine_info *);
+
+struct imsgbuf	*ibuf;
+
+__dead void
+usage(void)
+{
+	extern char *__progname;
+
+	fprintf(stderr, "usage: %s [-l] [-s socket] [-w maxwait] interface\n",
+	    __progname);
+	exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+	struct sockaddr_un	 sun;
+	struct imsg		 imsg;
+	struct ctl_engine_info	*cei;
+	int			 ctl_sock;
+	int			 n, lFlag = 0, maxwait_set = 0, didot = 0;
+	int			 ch, if_index = 0, maxwait = 10, bound = 0;
+	char			*sockname;
+	const char		*errstr;
+
+	sockname = _PATH_CTRL_SOCKET;
+	while ((ch = getopt(argc, argv, "ls:w:")) != -1) {
+		switch (ch) {
+		case 'l':
+			lFlag = 1;
+			break;
+		case 's':
+			sockname = optarg;
+			break;
+		case 'w':
+			maxwait_set = 1;
+			maxwait = strtonum(optarg, 1, INT_MAX, &errstr);
+			if (errstr)
+				errx(1, "maxwait value is %s: %s",
+				    errstr, optarg);
+			break;
+
+		default:
+			usage();
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	if (argc != 1)
+		usage();
+
+	if ((if_index = if_nametoindex(argv[0])) == 0)
+		errx(1, "unknown interface");
+
+	if (lFlag && !maxwait_set)
+		maxwait = 0;
+
+	/* Connect to control socket. */
+	if ((ctl_sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
+		err(1, "socket");
+
+	memset(&sun, 0, sizeof(sun));
+	sun.sun_family = AF_UNIX;
+	strlcpy(sun.sun_path, sockname, sizeof(sun.sun_path));
+
+	if (connect(ctl_sock, (struct sockaddr *)&sun, sizeof(sun)) == -1)
+		err(1, "connect: %s", sockname);
+
+	if (pledge("stdio", NULL) == -1)
+		err(1, "pledge");
+
+	if ((ibuf = malloc(sizeof(struct imsgbuf))) == NULL)
+		err(1, NULL);
+	imsg_init(ibuf, ctl_sock);
+
+	if (!lFlag) {
+		imsg_compose(ibuf, IMSG_CTL_SEND_REQUEST, 0, 0, -1,
+		    &if_index, sizeof(if_index));
+		while (ibuf->w.queued)
+			if (msgbuf_write(&ibuf->w) <= 0 && errno != EAGAIN)
+				err(1, "write error");
+
+	}
+
+	for(;;) {
+		imsg_compose(ibuf, IMSG_CTL_SHOW_INTERFACE_INFO, 0, 0, -1,
+		    &if_index, sizeof(if_index));
+
+		while (ibuf->w.queued)
+			if (msgbuf_write(&ibuf->w) <= 0 && errno != EAGAIN)
+				err(1, "write error");
+
+
+		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
+			errx(1, "imsg_read error");
+		if (n == 0)
+			errx(1, "pipe closed");
+
+		if ((n = imsg_get(ibuf, &imsg)) == -1)
+			errx(1, "imsg_get error");
+		if (n == 0)
+			break;
+
+		if (imsg.hdr.type == IMSG_CTL_END) {
+			if (lFlag)
+				errx(1, "non-autoconf interface %s", argv[0]);
+			else if (--maxwait < 0)
+				break;
+			else
+				continue;
+		}
+
+		cei = imsg.data;
+		if (strcmp(cei->state, "Bound") == 0)
+			bound = 1;
+
+		if (bound || --maxwait < 0) {
+			if (didot)
+				putchar('\n');
+			show_interface_msg(cei);
+			break;
+		} else {
+			didot = 1;
+			putchar('.');
+			fflush(stdout);
+		}
+		imsg_free(&imsg);
+		sleep(1);
+	}
+	close(ctl_sock);
+	free(ibuf);
+
+	return (0);
+}
+
+void
+show_interface_msg(struct ctl_engine_info *cei)
+{
+	struct timespec		 now, diff;
+	time_t			 d, h, m, s;
+	int			 i, has_pd = 0;
+	char			 buf[IF_NAMESIZE], *bufp;
+	char			 ntopbuf[INET6_ADDRSTRLEN];
+
+	bufp = if_indextoname(cei->if_index, buf);
+	printf("%s [%s]\n", bufp != NULL ? bufp : "unknown", cei->state);
+
+	for (i = 0; i < MAX_IA; i++) {
+		if (cei->pds[i].prefix_len == 0)
+			continue;
+		has_pd = 1;
+		printf ("\tIA_PD %d: %s/%d\n", i, inet_ntop(AF_INET6,
+		    &cei->pds[i], ntopbuf, INET6_ADDRSTRLEN),
+		    cei->pds[i].prefix_len);
+	}
+
+	if (has_pd) {
+		clock_gettime(CLOCK_MONOTONIC, &now);
+		timespecsub(&now, &cei->request_time, &diff);
+		s = cei->lease_time - diff.tv_sec;
+		if (s < 0)
+			s = 0;
+
+		if ( s > 86400 ) {
+			d = s / 86400;
+
+			/* round up */
+			if (s - d * 86400 > 43200)
+				d++;
+			printf("\tlease %lld day%s\n", d, d  > 1 ? "s" : "");
+		} else if (s > 3600) {
+			h = s / 3600;
+
+			/* round up */
+			if (s - h * 3600 > 1800)
+				h++;
+			printf("\tlease %lld hour%s\n", h, h > 1 ? "s" : "");
+		} else if (s > 60) {
+			m = s / 60;
+
+			/* round up */
+			if (s - m * 60 > 30)
+				m++;
+			printf("\tlease %lld minute%s\n", m, m > 1 ? "s" : "");
+		} else
+			printf("\tlease %lld second%s\n", s, s > 1 ? "s" : "");
+
+	}
+}

usr.sbin/dhcpleasectl/dhcpleasectl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dhcpleasectl.c,v 1.7 2021/09/16 06:23:01 jmc Exp $	*/
+/*	$OpenBSD: dhcpleasectl.c,v 1.8 2024/06/06 15:07:46 florian Exp $	*/
 
 /*
  * Copyright (c) 2021 Florian Obser <florian@openbsd.org>
@@ -287,23 +287,23 @@ show_interface_msg(struct ctl_engine_info *cei)
 			/* round up */
 			if (s - d * 86400 > 43200)
 				d++;
-			printf("\tlease %lld days\n", d);
+			printf("\tlease %lld day%s\n", d, d  > 1 ? "s" : "");
 		} else if (s > 3600) {
 			h = s / 3600;
 
 			/* round up */
 			if (s - h * 3600 > 1800)
 				h++;
-			printf("\tlease %lld hours\n", h);
+			printf("\tlease %lld hour%s\n", h, h > 1 ? "s" : "");
 		} else if (s > 60) {
 			m = s / 60;
 
 			/* round up */
 			if (s - m * 60 > 30)
 				m++;
-			printf("\tlease %lld minutes\n", m);
+			printf("\tlease %lld minute%s\n", m, m > 1 ? "s" : "");
 		} else
-			printf("\tlease %lld seconds\n", s);
+			printf("\tlease %lld second%s\n", s, s > 1 ? "s" : "");
 	}
 	if (cei->server_identifier.s_addr != INADDR_ANY) {
 		if (inet_ntop(AF_INET, &cei->server_identifier, ipbuf,

usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.136 2024/06/04 14:10:53 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.140 2024/06/06 12:38:02 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -1073,7 +1073,6 @@ struct cert *
 ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
     size_t pkeysz)
 {
-	ASN1_TIME	*notBefore, *notAfter;
 	EVP_PKEY	*pk, *opk;
 	time_t		 now = get_current_time();
 
@@ -1095,35 +1094,26 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 		    "pubkey does not match TAL pubkey", fn);
 		goto badcert;
 	}
-
+	if (p->notbefore >= now) {
-	if ((notBefore = X509_get_notBefore(p->x509)) == NULL) {
-		warnx("%s: certificate has invalid notBefore", fn);
-		goto badcert;
-	}
-	if ((notAfter = X509_get_notAfter(p->x509)) == NULL) {
-		warnx("%s: certificate has invalid notAfter", fn);
-		goto badcert;
-	}
-	if (X509_cmp_time(notBefore, &now) != -1) {
 		warnx("%s: certificate not yet valid", fn);
 		goto badcert;
 	}
-	if (X509_cmp_time(notAfter, &now) != 1) {
+	if (p->notafter <= now) {
 		warnx("%s: certificate has expired", fn);
 		goto badcert;
 	}
 	if (p->aki != NULL && strcmp(p->aki, p->ski)) {
-		warnx("%s: RFC 6487 section 8.4.2: "
+		warnx("%s: RFC 6487 section 4.8.3: "
 		    "trust anchor AKI, if specified, must match SKI", fn);
 		goto badcert;
 	}
 	if (p->aia != NULL) {
-		warnx("%s: RFC 6487 section 8.4.7: "
+		warnx("%s: RFC 6487 section 4.8.7: "
 		    "trust anchor must not have AIA", fn);
 		goto badcert;
 	}
 	if (p->crl != NULL) {
-		warnx("%s: RFC 6487 section 8.4.2: "
+		warnx("%s: RFC 6487 section 4.8.6: "
 		    "trust anchor may not specify CRL resource", fn);
 		goto badcert;
 	}
@@ -1131,6 +1121,14 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 		warnx("%s: BGPsec cert cannot be a trust anchor", fn);
 		goto badcert;
 	}
+	/*
+	 * Do not replace with a <= 0 check since OpenSSL 3 broke that:
+	 * https://github.com/openssl/openssl/issues/24575
+	 */
+	if (X509_verify(p->x509, pk) != 1) {
+		warnx("%s: failed to verify signature", fn);
+		goto badcert;
+	}
 	if (x509_any_inherits(p->x509)) {
 		warnx("%s: Trust anchor IP/AS resources may not inherit", fn);
 		goto badcert;
@@ -1139,7 +1137,7 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 	EVP_PKEY_free(pk);
 	return p;
 
-badcert:
+ badcert:
 	EVP_PKEY_free(pk);
 	cert_free(p);
 	return NULL;

usr.sbin/rpki-client/filemode.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: filemode.c,v 1.42 2024/05/20 15:51:43 claudio Exp $ */
+/*	$OpenBSD: filemode.c,v 1.43 2024/06/06 07:19:10 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -526,9 +526,15 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 			constraints_validate(file, cert);
 		}
 	} else if (is_ta) {
+		expires = NULL;
+		notafter = NULL;
 		if ((tal = find_tal(cert)) != NULL) {
 			cert = ta_parse(file, cert, tal->pkey, tal->pkeysz);
 			status = (cert != NULL);
+			if (status) {
+				expires = &cert->expires;
+				notafter = &cert->notafter;
+			}
 			if (outformats & FORMAT_JSON)
 				json_do_string("tal", tal->descr);
 			else
@@ -538,7 +544,6 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 		} else {
 			cert_free(cert);
 			cert = NULL;
-			expires = NULL;
 			status = 0;
 		}
 	}

usr.sbin/rpki-client/print.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: print.c,v 1.53 2024/05/29 13:26:24 tb Exp $ */
+/*	$OpenBSD: print.c,v 1.54 2024/06/06 05:57:36 tb Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -211,7 +211,6 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz)
 	size_t i;
 	int sockt;
 
-
 	for (i = 0; i < ipsz; i++) {
 		if (outformats & FORMAT_JSON)
 			json_do_object("resource", 1);