sync with OpenBSD -current

This commit is contained in:
purplerain 2024-09-15 18:29:36 +00:00
parent 9f8f4295e0
commit 51a5102224
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
38 changed files with 2285 additions and 1213 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: gencode.c,v 1.66 2024/04/08 02:51:14 jsg Exp $ */
/* $OpenBSD: gencode.c,v 1.67 2024/09/15 07:14:58 jsg Exp $ */
/*
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
@ -175,7 +175,6 @@ static void *
newchunk(size_t n)
{
struct membag *m;
int k, size;
void *p;
m = &membag[cur_membag];


@ -1,4 +1,4 @@
# $OpenBSD: tlsfuzzer.py,v 1.54 2024/09/13 05:58:17 tb Exp $
# $OpenBSD: tlsfuzzer.py,v 1.55 2024/09/14 07:11:34 tb Exp $
#
# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
#
@ -654,7 +654,7 @@ failing_groups = [
]
class TestRunner:
""" Runs the given tests groups against a server and displays stats. """
""" Runs the given tests against a server and displays stats. """
def __init__(
self, timing=False, verbose=False, host="localhost", port=4433,


@ -1,4 +1,4 @@
/* $OpenBSD: traverse.c,v 1.42 2024/02/03 18:51:57 beck Exp $ */
/* $OpenBSD: traverse.c,v 1.43 2024/09/15 07:14:58 jsg Exp $ */
/* $NetBSD: traverse.c,v 1.17 1997/06/05 11:13:27 lukem Exp $ */
/*-
@ -150,7 +150,6 @@ fs_mapinodes(ino_t maxino, int64_t *tapesize, int *anydirskipped)
int i, cg, inosused;
struct cg *cgp;
ino_t ino;
char *cp;
if ((cgp = malloc(sblock->fs_cgsize)) == NULL)
quit("fs_mapinodes: cannot allocate memory.\n");


@ -1,4 +1,4 @@
/* $OpenBSD: pass1.c,v 1.49 2024/02/03 18:51:57 beck Exp $ */
/* $OpenBSD: pass1.c,v 1.50 2024/09/15 07:14:58 jsg Exp $ */
/* $NetBSD: pass1.c,v 1.16 1996/09/27 22:45:15 christos Exp $ */
/*
@ -71,7 +71,6 @@ pass1(void)
u_int c;
struct inodesc idesc;
daddr_t i, cgd;
u_int8_t *cp;
/*
* Set file system reserved blocks in used block map.


@ -1,4 +1,4 @@
/* $OpenBSD: pass5.c,v 1.51 2024/02/03 18:51:57 beck Exp $ */
/* $OpenBSD: pass5.c,v 1.52 2024/09/15 07:14:58 jsg Exp $ */
/* $NetBSD: pass5.c,v 1.16 1996/09/27 22:45:18 christos Exp $ */
/*
@ -67,7 +67,7 @@ pass5(void)
struct fs *fs = &sblock;
daddr_t dbase, dmax;
daddr_t d;
long i, k, rewritecg = 0;
long i, rewritecg = 0;
ino_t j;
struct csum *cs;
struct csum_total cstotal;


@ -1,4 +1,4 @@
/* $OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $ */
/* $OpenBSD: config.c,v 1.99 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@ -178,6 +178,7 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
ibuf_free(sa->sa_eap.id_buf);
free(sa->sa_eapid);
ibuf_free(sa->sa_eapmsk);
ibuf_free(sa->sa_eapclass);
free(sa->sa_cp_addr);
free(sa->sa_cp_addr6);


@ -1,4 +1,4 @@
/* $OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $ */
/* $OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@ -491,6 +491,7 @@ struct iked_sa {
char *sa_eapid; /* EAP identity */
struct iked_id sa_eap; /* EAP challenge */
struct ibuf *sa_eapmsk; /* EAK session key */
struct ibuf *sa_eapclass; /* EAP/RADIUS class */
struct iked_proposals sa_proposals; /* SA proposals */
struct iked_childsas sa_childsas; /* IPsec Child SAs */


@ -1,4 +1,4 @@
/* $OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $ */
/* $OpenBSD: ikev2.c,v 1.388 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@ -4774,6 +4774,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
/* sa_eapid needs to be set on both for radius accounting */
if (sa->sa_eapid)
nsa->sa_eapid = strdup(sa->sa_eapid);
if (sa->sa_eapclass)
nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
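Review bot: The ibuf_dup() result on the new `nsa->sa_eapclass` line is not checked, so an allocation failure silently leaves the rekeyed SA without the RADIUS Class attribute that the accounting code copies into Accounting-Request packets for session correlation; the `strdup()` on the line above has the same gap. A minimal fix is `if (sa->sa_eapclass != NULL && (nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass)) == NULL) log_info("%s: ibuf_dup() failed", __func__);`, mirroring how radius.c reports an ibuf_new() failure elsewhere in this commit. ikev2_ikesa_enable() starts and ends outside the hunk, so I cannot tell whether a later check covers this.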


@ -1,4 +1,4 @@
/* $OpenBSD: radius.c,v 1.12 2024/09/11 00:41:51 yasuoka Exp $ */
/* $OpenBSD: radius.c,v 1.13 2024/09/15 11:08:50 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -270,6 +270,16 @@ iked_radius_on_event(int fd, short ev, void *ctx)
req->rr_sa->sa_eapid = req->rr_user;
req->rr_user = NULL;
if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
&attrlen) == 0) {
ibuf_free(req->rr_sa->sa_eapclass);
if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
attrlen)) == NULL) {
log_info("%s: ibuf_new() failed: %s", __func__,
strerror(errno));
}
}
sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
/* Map RADIUS attributes to cp */
@ -748,6 +758,10 @@ iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
switch (stype) {
case RADIUS_ACCT_STATUS_TYPE_START:
if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
ibuf_data(req->rr_sa->sa_eapclass),
ibuf_size(req->rr_sa->sa_eapclass));
break;
case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
case RADIUS_ACCT_STATUS_TYPE_STOP:
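Review bot: The Class attribute is only attached in the `RADIUS_ACCT_STATUS_TYPE_START` case of iked_radius_acct_request(); RFC 2865 §5.25 says a Class received in an Access-Accept should be echoed unmodified in every Accounting-Request for that session, so the `INTERIM_UPDATE` and `STOP` cases presumably need it too, otherwise the accounting server cannot tie those records to the session. Unless the rest of the function (outside the hunk) adds it after the switch, moving the three `radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS, ...)` lines above `switch (stype)` would cover all three types. The return value of radius_put_raw_attr() is also ignored, so a Class that does not fit in the packet would be dropped without a log line.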


@ -1,4 +1,4 @@
/* $OpenBSD: quotacheck.c,v 1.42 2024/02/03 18:51:57 beck Exp $ */
/* $OpenBSD: quotacheck.c,v 1.43 2024/09/15 07:14:58 jsg Exp $ */
/* $NetBSD: quotacheck.c,v 1.12 1996/03/30 22:34:25 mark Exp $ */
/*
@ -269,7 +269,6 @@ chkquota(const char *vfstype, const char *fsname, const char *mntpt,
int cg, i, mode, errs = 0, status;
ino_t ino, inosused;
pid_t pid;
char *cp;
switch (pid = fork()) {
case -1: /* error */


@ -1,4 +1,4 @@
# $OpenBSD: files,v 1.738 2024/09/09 03:50:14 jsg Exp $
# $OpenBSD: files,v 1.740 2024/09/14 11:06:48 jsg Exp $
# $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@ -471,7 +471,7 @@ file dev/usb/xhci.c xhci needs-flag
# AMD Cryptographic Co-processor
device ccp {}
file dev/ic/ccp.c ccp needs-flag
file dev/ic/ccp.c ccp
# AMD Platform Security Processor
device psp
@ -864,7 +864,7 @@ file net/if_vether.c vether
file net/if_rport.c rport
file net/if_pair.c pair
file net/if_pppx.c pppx needs-count
file net/if_vxlan.c vxlan needs-count
file net/if_vxlan.c vxlan
file net/if_wg.c wg
file net/wg_noise.c wg
file net/wg_cookie.c wg


@ -1,4 +1,4 @@
# $OpenBSD: files.pv,v 1.17 2023/04/20 19:28:31 jcs Exp $
# $OpenBSD: files.pv,v 1.18 2024/09/14 09:21:13 jsg Exp $
#
# Config file and device description for paravirtual devices.
# Included by ports that need it.
@ -11,7 +11,7 @@ file dev/pv/pvbus.c pvbus needs-flag
# KVM clock
device pvclock
attach pvclock at pvbus
file dev/pv/pvclock.c pvclock needs-flag
file dev/pv/pvclock.c pvclock
# VMware Tools
device vmt


@ -1,7 +1,7 @@
/*
* History
*
* $OpenBSD: calendar.history,v 1.82 2020/04/19 21:08:39 jmc Exp $
* $OpenBSD: calendar.history,v 1.83 2024/09/14 20:15:24 schwarze Exp $
*/
#ifndef _calendar_history_
@ -433,7 +433,6 @@
11/07 Lewis and Clark Expedition in sight of the Pacific Ocean, 1805
11/08 Invasion of Sweden by Danish forces results in the
Stockholm Bloodbath, 1520
11/09 Giant panda discovered (?!), China, 1927
11/09 Jack the Ripper kills fifth and final victim, Jane Kelly, 1888
11/10 Henry Stanley asks David Livingstone, "Dr. Livingstone, I presume?",
1871


@ -1,4 +1,4 @@
/* $OpenBSD: rpcinfo.c,v 1.19 2024/08/16 16:00:30 florian Exp $ */
/* $OpenBSD: rpcinfo.c,v 1.20 2024/09/15 07:14:58 jsg Exp $ */
/*
* Copyright (c) 2010, Oracle America, Inc.
@ -489,7 +489,6 @@ void
pmapdump(int argc, char **argv)
{
struct sockaddr_in server_addr;
struct hostent *hp;
struct pmaplist *head = NULL;
int socket = RPC_ANYSOCK;
struct timeval minutetimeout;


@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -421,6 +421,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
ci = server_get_connection_info(ssh, 1, options.use_dns);
ci->user = user;
ci->user_invalid = getpwnam(user) == NULL;
parse_server_match_config(&options, &includes, ci);
log_change_level(options.log_level);
log_verbose_reset();
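Review bot: `ci->user_invalid = getpwnam(user) == NULL;` treats a failed lookup the same as an unknown user: getpwnam(3) also returns NULL when the directory/NSS backend is temporarily unavailable, so during such an outage every connection would satisfy `Match invalid-user`, and a block combining that with `RefuseConnection` plus PerSourcePenalties would lock out and penalise legitimate users. Whether that is acceptable is a policy call, but it deserves a comment at the line, e.g. `/* NB: also true on a transient lookup failure, not only for unknown users */`, and possibly a `debug_f()` when errno is set after the call. getpwnamallow() begins and ends outside the hunk.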


@ -1,4 +1,4 @@
/* $OpenBSD: kexsntrup761x25519.c,v 1.2 2021/12/05 12:28:27 jsg Exp $ */
/* $OpenBSD: kexsntrup761x25519.c,v 1.3 2024/09/15 02:20:51 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl. All rights reserved.
*
@ -35,6 +35,10 @@
#include "digest.h"
#include "ssherr.h"
volatile crypto_int16 crypto_int16_optblocker = 0;
volatile crypto_int32 crypto_int32_optblocker = 0;
volatile crypto_int64 crypto_int64_optblocker = 0;
int
kex_kem_sntrup761x25519_keypair(struct kex *kex)
{
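Review bot: The three `crypto_intNN_optblocker` definitions are undocumented; they are non-static volatile globals that the generated sntrup761.c declares `extern` (see the sntrup761.sh change in this commit) and, as far as I know, reads to stop the compiler from constant-folding the cryptoint helpers, which is what keeps the reference KEM's arithmetic branch-free. Add a comment such as `/* Volatile zero read by the supercop cryptoint helpers in sntrup761.c so the compiler cannot fold their constant-time arithmetic; must stay volatile and non-static. */` so a later cleanup does not make them static or const. The sed rules in sntrup761.sh that strip the headers' own `#define crypto_intNN_optblocker` depend on these definitions living exactly here.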


@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@ -81,6 +81,7 @@
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
#include "srclimit.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@ -723,6 +724,15 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
if (options.refuse_connection) {
logit("administratively prohibited connection for "
"%s%s from %.128s port %d",
authctxt->valid ? "" : "invalid user ",
authctxt->user, ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh));
cleanup_exit(EXIT_CONFIG_REFUSED);
}
/* Send active options to unpriv */
mm_encode_server_options(m);
@ -1243,7 +1253,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
}
auth2_record_key(authctxt, ret == 0, key);
if (key_blobtype == MM_USERKEY)
if (key_blobtype == MM_USERKEY && ret == 0)
auth_activate_options(ssh, key_opts);
monitor_reset_key_state();
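Review bot: The `&& ret == 0` added in mm_answer_keyverify() is a security-relevant fix (before it, the authorized_keys options of an MM_USERKEY were presumably activated regardless of the verification result `ret`) and should carry a why-comment so it is not dropped in a later cleanup, e.g. `/* Only activate key options once the signature has verified. */` above the `if`. The new RefuseConnection block in mm_answer_pwnamallow() likewise relies on `cleanup_exit(EXIT_CONFIG_REFUSED)` being mapped to a penalty by the listener; a one-line comment naming srclimit.h's EXIT_CONFIG_REFUSED would make that link visible. Both functions start and end outside the hunks.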


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.389 2024/09/03 05:29:55 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -683,11 +683,11 @@ expand_match_exec_or_include_path(const char *path, Options *options,
* Parse and execute a Match directive.
*/
static int
match_cfg_line(Options *options, char **condition, struct passwd *pw,
const char *host_arg, const char *original_host, int final_pass,
int *want_final_pass, const char *filename, int linenum)
match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@ -707,11 +707,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
}
debug2("checking match for '%s' host %s originally %s",
cp, host, original_host);
while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
full_line, host, original_host);
while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
/* Terminate on comment */
if (*attrib == '#') {
cp = NULL; /* mark all arguments consumed */
argv_consume(acp);
break;
}
arg = criteria = NULL;
@ -720,7 +720,8 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
attrib++;
/* Criterion "all" has no argument and must appear alone */
if (strcasecmp(attrib, "all") == 0) {
if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
if (attributes > 1 ||
((arg = argv_next(acp, avp)) != NULL &&
*arg != '\0' && *arg != '#')) {
error("%.200s line %d: '%s' cannot be combined "
"with other Match attributes",
@ -729,7 +730,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
goto out;
}
if (arg != NULL && *arg == '#')
cp = NULL; /* mark all arguments consumed */
argv_consume(acp); /* consume remaining args */
if (result)
result = negate ? 0 : 1;
goto out;
@ -754,7 +755,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
continue;
}
/* All other criteria require an argument */
if ((arg = strdelim(&cp)) == NULL ||
if ((arg = argv_next(acp, avp)) == NULL ||
*arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
@ -841,7 +842,6 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
*condition = cp;
free(host);
return result;
}
@ -1784,8 +1784,8 @@ parse_pubkey_algos:
"option");
goto out;
}
value = match_cfg_line(options, &str, pw, host, original_host,
flags & SSHCONF_FINAL, want_final_pass,
value = match_cfg_line(options, str, &ac, &av, pw, host,
original_host, flags & SSHCONF_FINAL, want_final_pass,
filename, linenum);
if (value < 0) {
error("%.200s line %d: Bad Match condition", filename,
@ -1793,13 +1793,6 @@ parse_pubkey_algos:
goto out;
}
*activep = (flags & SSHCONF_NEVERMATCH) ? 0 : value;
/*
* If match_cfg_line() didn't consume all its arguments then
* arrange for the extra arguments check below to fail.
*/
if (str == NULL || *str == '\0')
argv_consume(&ac);
break;
case oEscapeChar:
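Review bot: The comment above match_cfg_line() still reads `Parse and execute a Match directive.` although the contract changed: the function now pulls its tokens through `argv_next(acp, avp)` from the caller's argv, `full_line` is only used in the debug2() message, and on `all` or a `#` it calls `argv_consume(acp)` so the caller's trailing-arguments check passes. That should be spelled out in the header comment, and likewise for the parallel change to servconf.c's match_cfg_line(). One behavioural difference worth a sentence there too: the old loop stopped on an empty token (`*attrib != '\0'`) while the new one passes an empty string from a quoted `""` through to the criterion checks, which presumably end in the unsupported-attribute error below the hunk.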


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.413 2024/08/17 08:23:04 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = -1;
options->per_source_penalty.penalty_noauth = -1;
options->per_source_penalty.penalty_grace = -1;
options->per_source_penalty.penalty_refuseconnection = -1;
options->per_source_penalty.penalty_max = -1;
options->per_source_penalty.penalty_min = -1;
options->max_authtries = -1;
@ -190,6 +191,7 @@ initialize_server_options(ServerOptions *options)
options->num_channel_timeouts = 0;
options->unused_connection_timeout = -1;
options->sshd_session_path = NULL;
options->refuse_connection = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@ -407,6 +409,8 @@ fill_default_server_options(ServerOptions *options)
options->per_source_penalty.penalty_authfail = 5;
if (options->per_source_penalty.penalty_noauth == -1)
options->per_source_penalty.penalty_noauth = 1;
if (options->per_source_penalty.penalty_refuseconnection == -1)
options->per_source_penalty.penalty_refuseconnection = 10;
if (options->per_source_penalty.penalty_min == -1)
options->per_source_penalty.penalty_min = 15;
if (options->per_source_penalty.penalty_max == -1)
@ -457,6 +461,8 @@ fill_default_server_options(ServerOptions *options)
options->unused_connection_timeout = 0;
if (options->sshd_session_path == NULL)
options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
if (options->refuse_connection == -1)
options->refuse_connection = 0;
assemble_algorithms(options);
@ -536,7 +542,7 @@ typedef enum {
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
sSshdSessionPath,
sSshdSessionPath, sRefuseConnection,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@ -686,6 +692,7 @@ static struct {
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@ -962,43 +969,57 @@ match_test_missing_fatal(const char *criteria, const char *attrib)
* not match.
*/
static int
match_cfg_line(char **condition, int line, struct connection_info *ci)
match_cfg_line(const char *full_line, int *acp, char ***avp,
int line, struct connection_info *ci)
{
int result = 1, attributes = 0, port;
char *arg, *attrib, *cp = *condition;
char *arg, *attrib;
if (ci == NULL)
debug3("checking syntax for 'Match %s'", cp);
else
debug3("checking match for '%s' user %s host %s addr %s "
"laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
debug3("checking syntax for 'Match %s'", full_line);
else {
debug3("checking match for '%s' user %s%s host %s addr %s "
"laddr %s lport %d", full_line,
ci->user ? ci->user : "(null)",
ci->user_invalid ? " (invalid)" : "",
ci->host ? ci->host : "(null)",
ci->address ? ci->address : "(null)",
ci->laddress ? ci->laddress : "(null)", ci->lport);
}
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
while ((attrib = argv_next(acp, avp)) != NULL) {
/* Terminate on comment */
if (*attrib == '#') {
cp = NULL; /* mark all arguments consumed */
argv_consume(acp); /* mark all arguments consumed */
break;
}
arg = NULL;
attributes++;
/* Criterion "all" has no argument and must appear alone */
if (strcasecmp(attrib, "all") == 0) {
if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
if (attributes > 1 ||
((arg = argv_next(acp, avp)) != NULL &&
*arg != '\0' && *arg != '#')) {
error("'all' cannot be combined with other "
"Match attributes");
return -1;
}
if (arg != NULL && *arg == '#')
cp = NULL; /* mark all arguments consumed */
*condition = cp;
argv_consume(acp); /* consume remaining args */
return 1;
}
/* Criterion "invalid-user" also has no argument */
if (strcasecmp(attrib, "invalid-user") == 0) {
if (ci == NULL)
continue;
if (ci->user_invalid == 0)
result = 0;
else
debug("matched invalid-user at line %d", line);
continue;
}
/* All other criteria require an argument */
if ((arg = strdelim(&cp)) == NULL ||
if ((arg = argv_next(acp, avp)) == NULL ||
*arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
return -1;
@ -1129,7 +1150,6 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
}
if (ci != NULL)
debug3("match %sfound", result ? "" : "not ");
*condition = cp;
return result;
}
@ -1972,6 +1992,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
p = arg + 15;
intptr = &options->per_source_penalty.penalty_grace;
} else if (strncmp(arg, "refuseconnection:", 17) == 0) {
p = arg + 17;
intptr = &options->per_source_penalty.penalty_refuseconnection;
} else if (strncmp(arg, "max:", 4) == 0) {
p = arg + 4;
intptr = &options->per_source_penalty.penalty_max;
@ -2250,7 +2273,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
if (cmdline)
fatal("Match directive not supported as a command-line "
"option");
value = match_cfg_line(&str, linenum,
value = match_cfg_line(str, &ac, &av, linenum,
(*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
if (value < 0)
fatal("%s line %d: Bad Match condition", filename,
@ -2261,12 +2284,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
* match block.
*/
*inc_flags &= ~SSHCFG_MATCH_ONLY;
/*
* If match_cfg_line() didn't consume all its arguments then
* arrange for the extra arguments check below to fail.
*/
if (str == NULL || *str == '\0')
argv_consume(&ac);
break;
case sPermitListen:
@ -2579,6 +2596,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
charptr = &options->sshd_session_path;
goto parse_filename;
case sRefuseConnection:
intptr = &options->refuse_connection;
multistate_ptr = multistate_flag;
goto parse_multistate;
case sDeprecated:
case sIgnore:
case sUnsupported:
@ -2693,6 +2715,8 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
" specification %s\n", p+6, p);
return -1;
}
} else if (strcmp(p, "invalid-user") == 0) {
ci->user_invalid = 1;
} else {
fprintf(stderr, "Invalid test mode specification %s\n",
p);
@ -2794,6 +2818,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(log_level);
M_CP_INTOPT(required_rsa_size);
M_CP_INTOPT(unused_connection_timeout);
M_CP_INTOPT(refuse_connection);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
@ -3116,6 +3141,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
@ -3236,12 +3262,14 @@ dump_config(ServerOptions *o)
if (o->per_source_penalty.enabled) {
printf("persourcepenalties crash:%d authfail:%d noauth:%d "
"grace-exceeded:%d max:%d min:%d max-sources4:%d "
"max-sources6:%d overflow:%s overflow6:%s\n",
"grace-exceeded:%d refuseconnection:%d max:%d min:%d "
"max-sources4:%d max-sources6:%d "
"overflow:%s overflow6:%s\n",
o->per_source_penalty.penalty_crash,
o->per_source_penalty.penalty_authfail,
o->per_source_penalty.penalty_noauth,
o->per_source_penalty.penalty_grace,
o->per_source_penalty.penalty_refuseconnection,
o->per_source_penalty.penalty_max,
o->per_source_penalty.penalty_min,
o->per_source_penalty.max_sources4,
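Review bot: The new `invalid-user` criterion in match_cfg_line() evaluates `ci->user_invalid` without checking that a user was supplied, whereas the existing user-dependent criteria below the hunk presumably go through match_test_missing_fatal() (its prototype heads this hunk) when an `sshd -T -C` spec omits `user=`; with this code such a spec quietly reports "not matched" instead of failing. Add `if (ci->user == NULL) match_test_missing_fatal("Invalid-User", "user");` right after the `if (ci == NULL) continue;` pair. The function's criterion dispatch and the caller's argument handling lie outside the hunks.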


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
/* $OpenBSD: servconf.h,v 1.168 2024/09/15 01:18:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -77,6 +77,7 @@ struct per_source_penalty {
int penalty_grace;
int penalty_authfail;
int penalty_noauth;
int penalty_refuseconnection;
int penalty_max;
int penalty_min;
};
@ -245,11 +246,14 @@ typedef struct {
int unused_connection_timeout;
char *sshd_session_path;
int refuse_connection;
} ServerOptions;
/* Information about the incoming connection as used by Match */
struct connection_info {
const char *user;
int user_invalid;
const char *host; /* possibly resolved hostname */
const char *address; /* remote address */
const char *laddress; /* local address */
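Review bot: The new fields lack the trailing comments their neighbours carry: `int user_invalid;` in struct connection_info and `int refuse_connection;` in ServerOptions. Suggest `int user_invalid; /* set when user does not resolve to an account */` and `int refuse_connection; /* RefuseConnection: drop the connection after Match */`, and `int penalty_refuseconnection;` could name the `refuseconnection:` PerSourcePenalties key it is filled from.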



@ -1,25 +1,18 @@
#!/bin/sh
# $OpenBSD: sntrup761.sh,v 1.7 2023/01/11 02:13:52 djm Exp $
# $OpenBSD: sntrup761.sh,v 1.8 2024/09/15 02:20:51 djm Exp $
# Placed in the Public Domain.
#
AUTHOR="supercop-20201130/crypto_kem/sntrup761/ref/implementors"
FILES="
supercop-20201130/crypto_sort/int32/portable4/int32_minmax.inc
supercop-20201130/crypto_sort/int32/portable4/sort.c
supercop-20201130/crypto_sort/uint32/useint32/sort.c
supercop-20201130/crypto_kem/sntrup761/ref/uint32.c
supercop-20201130/crypto_kem/sntrup761/ref/int32.c
supercop-20201130/crypto_kem/sntrup761/ref/paramsmenu.h
supercop-20201130/crypto_kem/sntrup761/ref/params.h
supercop-20201130/crypto_kem/sntrup761/ref/Decode.h
supercop-20201130/crypto_kem/sntrup761/ref/Decode.c
supercop-20201130/crypto_kem/sntrup761/ref/Encode.h
supercop-20201130/crypto_kem/sntrup761/ref/Encode.c
supercop-20201130/crypto_kem/sntrup761/ref/kem.c
AUTHOR="supercop-20240808/crypto_kem/sntrup761/ref/implementors"
FILES=" supercop-20240808/cryptoint/crypto_int16.h
supercop-20240808/cryptoint/crypto_int32.h
supercop-20240808/cryptoint/crypto_int64.h
supercop-20240808/crypto_sort/int32/portable4/sort.c
supercop-20240808/crypto_sort/uint32/useint32/sort.c
supercop-20240808/crypto_kem/sntrup761/compact/kem.c
"
###
set -e
set -euo pipefail
cd $1
echo -n '/* $'
echo 'OpenBSD: $ */'
@ -32,12 +25,19 @@ echo
echo '#include <string.h>'
echo '#include "crypto_api.h"'
echo
echo '#define crypto_declassify(x, y) do {} while (0)'
echo
# Map the types used in this code to the ones in crypto_api.h. We use #define
# instead of typedef since some systems have existing intXX types and do not
# permit multiple typedefs even if they do not conflict.
for t in int8 uint8 int16 uint16 int32 uint32 int64 uint64; do
echo "#define $t crypto_${t}"
done
for x in 16 32 64 ; do
echo "extern volatile crypto_int$x crypto_int${x}_optblocker;"
done
echo
for i in $FILES; do
echo "/* from $i */"
@ -57,14 +57,27 @@ for i in $FILES; do
-e 's/[ ]*$//' \
$i | \
case "$i" in
# Use int64_t for intermediate values in int32_MINMAX to prevent signed
# 32-bit integer overflow when called by crypto_sort_uint32.
*/int32_minmax.inc)
sed -e "s/int32 ab = b ^ a/int64_t ab = (int64_t)b ^ (int64_t)a/" \
-e "s/int32 c = b - a/int64_t c = (int64_t)b - (int64_t)a/"
*/cryptoint/crypto_int16.h)
sed -e "s/static void crypto_int16_store/void crypto_int16_store/" \
-e "s/^[#]define crypto_int16_optblocker.*//" \
-e "s/static void crypto_int16_minmax/void crypto_int16_minmax/"
;;
*/cryptoint/crypto_int32.h)
sed -e "s/static void crypto_int32_store/void crypto_int32_store/" \
-e "s/^[#]define crypto_int32_optblocker.*//" \
-e "s/static void crypto_int32_minmax/void crypto_int32_minmax/"
;;
*/cryptoint/crypto_int64.h)
sed -e "s/static void crypto_int64_store/void crypto_int64_store/" \
-e "s/^[#]define crypto_int64_optblocker.*//" \
-e "s/static void crypto_int64_minmax/void crypto_int64_minmax/"
;;
*/int32/portable4/sort.c)
sed -e "s/void crypto_sort/void crypto_sort_int32/g"
sed -e "s/void crypto_sort[(]/void crypto_sort_int32(/g"
;;
*/int32/portable5/sort.c)
sed -e "s/crypto_sort_smallindices/crypto_sort_int32_smallindices/"\
-e "s/void crypto_sort[(]/void crypto_sort_int32(/g"
;;
*/uint32/useint32/sort.c)
sed -e "s/void crypto_sort/void crypto_sort_uint32/g"
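Review bot: The new `*/int32/portable5/sort.c)` case cannot match anything in FILES, which only lists `crypto_sort/int32/portable4/sort.c`; either it is a leftover from an earlier iteration or the intended file is missing from FILES, and a dead case in a code-generator script misleads the next person regenerating sntrup761.c. Also, `set -euo pipefail` under `#!/bin/sh` works with OpenBSD's ksh-based sh but `pipefail` is not POSIX and other sh implementations reject it, so a one-line comment stating the OpenBSD-only assumption would help anyone running the script elsewhere.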


@ -379,6 +379,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
penalty_secs = penalty_cfg.penalty_noauth;
reason = "penalty: connections without attempting authentication";
break;
case SRCLIMIT_PENALTY_REFUSECONNECTION:
penalty_secs = penalty_cfg.penalty_refuseconnection;
reason = "penalty: connection prohibited by RefuseConnection";
break;
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
penalty_secs = penalty_cfg.penalty_crash;
reason = "penalty: exceeded LoginGraceTime";
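Review bot: The new `SRCLIMIT_PENALTY_REFUSECONNECTION` case correctly reads `penalty_cfg.penalty_refuseconnection`, but the adjacent pre-existing `SRCLIMIT_PENALTY_GRACE_EXCEEDED` case reads `penalty_cfg.penalty_crash` although `struct per_source_penalty` has a `penalty_grace` member that servconf.c fills from `grace-exceeded:`; that looks like a copy-paste slip this commit does not address, leaving the configured grace-exceeded duration unused. If it is intentional it deserves a comment; otherwise `penalty_secs = penalty_cfg.penalty_grace;`. srclimit_penalise() starts and ends outside the hunk.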


@ -22,16 +22,18 @@ void srclimit_init(int, int, int, int,
int srclimit_check_allow(int, int);
void srclimit_done(int);
#define SRCLIMIT_PENALTY_NONE 0
#define SRCLIMIT_PENALTY_CRASH 1
#define SRCLIMIT_PENALTY_AUTHFAIL 2
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
#define SRCLIMIT_PENALTY_NOAUTH 4
#define SRCLIMIT_PENALTY_NONE 0
#define SRCLIMIT_PENALTY_CRASH 1
#define SRCLIMIT_PENALTY_AUTHFAIL 2
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
#define SRCLIMIT_PENALTY_NOAUTH 4
#define SRCLIMIT_PENALTY_REFUSECONNECTION 5
/* meaningful exit values, used by sshd listener for penalties */
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
#define EXIT_CHILD_CRASH 4 /* preauth child crashed */
#define EXIT_AUTH_ATTEMPTED 5 /* at least one auth attempt made */
#define EXIT_CONFIG_REFUSED 6 /* sshd_config RefuseConnection */
void srclimit_penalise(struct xaddr *, int);
int srclimit_penalty_check_allow(int, const char **);


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.474 2024/09/04 05:33:34 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.475 2024/09/15 00:47:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -300,7 +300,7 @@ ask_filename(struct passwd *pw, const char *prompt)
static struct sshkey *
load_identity(const char *filename, char **commentp)
{
char *pass;
char *prompt, *pass;
struct sshkey *prv;
int r;
@ -312,8 +312,11 @@ load_identity(const char *filename, char **commentp)
fatal_r(r, "Load key \"%s\"", filename);
if (identity_passphrase)
pass = xstrdup(identity_passphrase);
else
pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN);
else {
xasprintf(&prompt, "Enter passphrase for \"%s\": ", filename);
pass = read_passphrase(prompt, RP_ALLOW_STDIN);
free(prompt);
}
r = sshkey_load_private(filename, pass, &prv, commentp);
freezero(pass, strlen(pass));
if (r != 0)
@ -3110,17 +3113,22 @@ read_check_passphrase(const char *prompt1, const char *prompt2,
}
static char *
private_key_passphrase(void)
private_key_passphrase(const char *path)
{
char *prompt, *ret;
if (identity_passphrase)
return xstrdup(identity_passphrase);
if (identity_new_passphrase)
return xstrdup(identity_new_passphrase);
return read_check_passphrase(
"Enter passphrase (empty for no passphrase): ",
xasprintf(&prompt, "Enter passphrase for \"%s\" "
"(empty for no passphrase): ", path);
ret = read_check_passphrase(prompt,
"Enter same passphrase again: ",
"Passphrases do not match. Try again.");
free(prompt);
return ret;
}
static char *
@ -3216,7 +3224,7 @@ do_download_sk(const char *skprovider, const char *device)
/* Save the key with the application string as the comment */
if (pass == NULL)
pass = private_key_passphrase();
pass = private_key_passphrase(path);
if ((r = sshkey_save_private(key, path, pass,
key->sk_application, private_key_format,
openssh_format_cipher, rounds)) != 0) {
@ -3912,7 +3920,7 @@ main(int argc, char **argv)
exit(1);
/* Determine the passphrase for the private key */
passphrase = private_key_passphrase();
passphrase = private_key_passphrase(identity_file);
if (identity_comment) {
strlcpy(comment, identity_comment, sizeof(comment));
} else {


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
.Dd $Mdocdate: June 17 2024 $
.\" $OpenBSD: sshd.8,v 1.327 2024/09/15 01:19:56 djm Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD 8
.Os
.Sh NAME
@ -115,6 +115,10 @@ and
.Dq rdomain
and correspond to source address, user, resolved source host name,
local address, local port number and routing domain respectively.
Additionally the
.Dq invalid-user
flag (which does not take a value argument) may be specified to simulate
a connection from an unrecognised username.
.It Fl c Ar host_certificate_file
Specifies a path to a certificate file to identify
.Nm


@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
/*
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
* Copyright (c) 2002 Niels Provos. All rights reserved.
@ -360,6 +360,13 @@ child_reap(struct early_child *child)
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
case EXIT_CONFIG_REFUSED:
penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
debug_f("preauth child %ld for %s prohibited by"
"RefuseConnection %s",
(long)child->pid, child->id,
child->early ? " (early)" : "");
break;
default:
penalty_type = SRCLIMIT_PENALTY_NOAUTH;
debug_f("preauth child %ld for %s exited "
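Review bot: The new debug_f() in child_reap() concatenates `"prohibited by"` and `"RefuseConnection %s"` without a separating space, so the log line reads `prohibited byRefuseConnection`. Change the first literal to `"preauth child %ld for %s prohibited by "`. child_reap() begins and ends outside the hunk.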


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
.Dd $Mdocdate: September 9 2024 $
.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $
.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -1238,9 +1238,11 @@ applied.
.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs or the single token
.Cm All
which matches all criteria.
are one or more criteria-pattern pairs or one of the single token criteria:
.Cm All ,
which matches all criteria, or
.Cm Invalid-User ,
which matches when the requested user-name does not match any known account.
The available criteria are
.Cm User ,
.Cm Group ,
@ -1324,6 +1326,7 @@ Available keywords are
.Cm PubkeyAcceptedAlgorithms ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
.Cm RefuseConnection ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
@ -1597,6 +1600,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
.It Cm refuseconnection:duration
Specifies how long to refuse clients that were administratively prohibited
connection via the
.Cm RefuseConnection
option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
@ -1754,6 +1762,18 @@ options have any effect for other, non-FIDO, public key types.
Specifies whether public key authentication is allowed.
The default is
.Cm yes .
.It Cm RefuseConnection
Indicates that
.Xr sshd 8
should unconditionally terminate the connection.
Additionally, a
.Cm refuseconnection
penalty may be recorded against the source of the connection if
.Cm PerSourcePenalties
are enabled.
This option is only really useful in a
.Cm Match
block.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum


@ -1,4 +1,4 @@
/* $OpenBSD: w.c,v 1.69 2024/08/19 07:28:22 florian Exp $ */
/* $OpenBSD: w.c,v 1.70 2024/09/15 07:14:58 jsg Exp $ */
/*-
* Copyright (c) 1980, 1991, 1993, 1994
@ -107,7 +107,6 @@ main(int argc, char *argv[])
struct kinfo_proc *kp;
struct stat *stp;
FILE *ut;
struct in_addr addr;
int ch, i, nentries, nusers, wcmd;
char *memf, *nlistf, *p, *x;
char buf[HOST_NAME_MAX+1], errbuf[_POSIX2_LINE_MAX];


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.5 2024/09/02 04:45:22 yasuoka Exp $ */
/* $OpenBSD: parser.c,v 1.6 2024/09/15 05:26:05 yasuoka Exp $ */
/*
* Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@ -158,6 +158,7 @@ static const struct token t_ipcp[] = {
{ KEYWORD, "dump", IPCP_DUMP, t_ipcp_flags },
{ KEYWORD, "monitor", IPCP_MONITOR, t_ipcp_flags },
{ KEYWORD, "disconnect", IPCP_DISCONNECT,t_ipcp_session_seq },
{ KEYWORD, "delete", IPCP_DELETE, t_ipcp_session_seq },
{ ENDTOKEN, "", NONE, NULL }
};


@ -1,4 +1,4 @@
/* $OpenBSD: parser.h,v 1.4 2024/07/24 08:27:20 yasuoka Exp $ */
/* $OpenBSD: parser.h,v 1.5 2024/09/15 05:26:05 yasuoka Exp $ */
/* This file is derived from OpenBSD:src/usr.sbin/ikectl/parser.h 1.9 */
/*
@ -29,6 +29,7 @@ enum actions {
IPCP_SHOW,
IPCP_DUMP,
IPCP_MONITOR,
IPCP_DELETE,
IPCP_DISCONNECT
};


@ -1,4 +1,4 @@
.\" $OpenBSD: radiusctl.8,v 1.9 2024/07/24 08:27:20 yasuoka Exp $
.\" $OpenBSD: radiusctl.8,v 1.10 2024/09/15 05:26:05 yasuoka Exp $
.\"
.\" Copyright (c) YASUOKA Masahiko <yasuoka@yasuoka.net>
.\"
@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
.Dd $Mdocdate: July 24 2024 $
.Dd $Mdocdate: September 15 2024 $
.Dt RADIUSCTL 8
.Os
.Sh NAME
@ -114,6 +114,10 @@ shows the sessions in JSON format.
.It Cm ipcp disconnect Ar sequence
Request to disconnect the session specified by the
.Ar sequence .
.It Cm ipcp delete Ar sequence
Request to delete the session specified by the
.Ar sequence
without requesting disconnection.
.El
.Sh EXAMPLES
.Bd -literal -offset indent


@ -1,4 +1,4 @@
/* $OpenBSD: radiusctl.c,v 1.12 2024/07/24 08:27:20 yasuoka Exp $ */
/* $OpenBSD: radiusctl.c,v 1.13 2024/09/15 05:26:05 yasuoka Exp $ */
/*
* Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
*
@ -170,6 +170,7 @@ main(int argc, char *argv[])
IMSG_RADIUSD_MODULE_IPCP_MONITOR :
IMSG_RADIUSD_MODULE_IPCP_DUMP, 0, 0, -1, iov, niov);
break;
case IPCP_DELETE:
case IPCP_DISCONNECT:
memset(module_name, 0, sizeof(module_name));
strlcpy(module_name, "ipcp",
@ -178,8 +179,10 @@ main(int argc, char *argv[])
iov[niov++].iov_len = RADIUSD_MODULE_NAME_LEN;
iov[niov].iov_base = &res->session_seq;
iov[niov++].iov_len = sizeof(res->session_seq);
imsg_composev(&ibuf, IMSG_RADIUSD_MODULE_IPCP_DISCONNECT, 0, 0,
-1, iov, niov);
imsg_composev(&ibuf,
(res->action == IPCP_DELETE)
? IMSG_RADIUSD_MODULE_IPCP_DELETE
: IMSG_RADIUSD_MODULE_IPCP_DISCONNECT, 0, 0, -1, iov, niov);
break;
}
while (ibuf.w.queued) {
@ -199,6 +202,7 @@ main(int argc, char *argv[])
case IPCP_SHOW:
case IPCP_DUMP:
case IPCP_MONITOR:
case IPCP_DELETE:
case IPCP_DISCONNECT:
done = ipcp_handle_imsg(res, &imsg, cnt++);
break;
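Review bot: The message type selected inside the imsg_composev() argument list in the second hunk is hard to read because the ternary is split across three lines in the middle of a seven-argument call. Hoisting it into a named local keeps the call on one line: `enum imsg_module_ipcp_type type = (res->action == IPCP_DELETE) ? IMSG_RADIUSD_MODULE_IPCP_DELETE : IMSG_RADIUSD_MODULE_IPCP_DISCONNECT;` followed by `imsg_composev(&ibuf, type, 0, 0, -1, iov, niov);`. The shared `case IPCP_DELETE: case IPCP_DISCONNECT:` arm is otherwise fine, since both messages carry the same module name and session_seq payload; the enclosing main() continues outside these hunks.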


@ -1,4 +1,4 @@
/* $OpenBSD: eap2mschap_local.h,v 1.2 2024/07/16 06:18:20 miod Exp $ */
/* $OpenBSD: eap2mschap_local.h,v 1.3 2024/09/15 05:49:05 jsg Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -70,7 +70,7 @@ struct eap_mschap_challenge {
uint8_t chall[16];
char chap_name[0];
} __packed;
#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
static_assert(sizeof(struct eap_mschap_challenge) == 26, "");
static_assert(offsetof(struct eap_mschap_challenge, chap) == 5, "");
static_assert(offsetof(struct eap_mschap_challenge, chall) == 10, "");
@ -87,7 +87,7 @@ struct eap_mschap_response {
uint8_t flags;
uint8_t chap_name[0];
} __packed;
#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
static_assert(sizeof(struct eap_mschap_response) == 59, "");
static_assert(offsetof(struct eap_mschap_response, chap) == 5, "");
static_assert(offsetof(struct eap_mschap_response, peerchall) == 10, "");
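Review bot: Correcting `__STDC_VERSION` to `__STDC_VERSION__` means the guarded static_assert() lines are compiled for the first time on any C11 build (an undefined identifier evaluates to 0 in `#if`, so the old guard was always false), which in turn requires `<assert.h>` and `<stddef.h>` to be included before this point for static_assert and offsetof; the includes are outside the hunk, so please confirm. While touching these structs, `char chap_name[0]` and `uint8_t chap_name[0]` are GNU zero-length arrays; the C99 flexible array member form `char chap_name[];` is standard and leaves the asserted sizeof/offsetof values unchanged under `__packed`. The struct definitions start outside the hunks.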


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_eap2mschap.c,v 1.3 2024/08/16 09:52:16 yasuoka Exp $ */
/* $OpenBSD: radiusd_eap2mschap.c,v 1.4 2024/09/15 05:31:23 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -427,19 +427,18 @@ eap_recv(struct eap2mschap *self, u_int q_id, RADIUS_PACKET *pkt)
goto fail;
case EAP_TYPE_MSCHAPV2:
if (msgsiz < offsetof(struct eap, value[1])) {
log_warnx(
"q=%u EAP state=%s Received message has wrong in "
"size for EAP-MS-CHAPV2: received length %zu "
"eap.length=%u", q_id, hex_string(state, statesiz,
buf2, sizeof(buf2)), msgsiz, ntohs(eap->length));
log_warnx("q=%u EAP state=%s Received message has "
"wrong in size for EAP-MS-CHAPV2: received length "
"%zu eap.length=%u", q_id,
hex_string(state, statesiz, buf2, sizeof(buf2)),
msgsiz, ntohs(eap->length));
goto fail;
}
req = eap_recv_mschap(self, req, pkt, (struct eap_chap *)eap);
break;
default:
log_warnx(
"q=%u EAP state=%s EAP unknown type=%u receieved.",
log_warnx("q=%u EAP state=%s EAP unknown type=%u receieved.",
q_id, hex_string(state, statesiz, buf2, sizeof(buf2)),
eap->value[0]);
goto fail;
@ -476,9 +475,8 @@ eap_recv_mschap(struct eap2mschap *self, struct access_req *req,
htons(resp->chap.length) <
sizeof(struct eap_mschap_response) -
offsetof(struct eap_mschap_response, chap)) {
log_warnx(
"q=%u EAP state=%s Received EAP message has wrong "
"in size: received length %zu eap.length=%u "
log_warnx("q=%u EAP state=%s Received EAP message has "
"wrong in size: received length %zu eap.length=%u "
"chap.length=%u valuesize=%u", req->q_id,
hex_string(req->state, sizeof(req->state), buf,
sizeof(buf)), eapsiz, ntohs(resp->eap.length),
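Review bot: The reflowed log_warnx() call in the default arm still carries the misspelling "receieved", and both reflowed messages keep the awkward phrase "has wrong in size"; since these format strings are being rewritten anyway, this is the moment to fix them, e.g. `log_warnx("q=%u EAP state=%s EAP unknown type=%u received.",` and `"wrong size for EAP-MS-CHAPV2: received length "`. No argument list changes, so the conversion specifiers and their operands are unaffected. The enclosing eap_recv() and eap_recv_mschap() bodies extend outside the hunks.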


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_ipcp.c,v 1.14 2024/08/27 06:06:14 florian Exp $ */
/* $OpenBSD: radiusd_ipcp.c,v 1.17 2024/09/15 05:31:23 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -122,8 +122,10 @@ struct module_ipcp_dae {
struct sockaddr_in6 sin6;
} nas_addr;
struct event ev_sock;
struct event ev_reqs;
TAILQ_ENTRY(module_ipcp_dae) next;
TAILQ_HEAD(, assigned_ipv4) reqs;
int ninflight;
};
struct module_ipcp {
@ -178,6 +180,8 @@ struct assigned_ipv4
struct in_addr);
static struct assigned_ipv4
*ipcp_ipv4_find(struct module_ipcp *, struct in_addr);
static void ipcp_ipv4_delete(struct module_ipcp *,
struct assigned_ipv4 *, const char *);
static void ipcp_ipv4_release(struct module_ipcp *,
struct assigned_ipv4 *);
static int assigned_ipv4_compar(struct assigned_ipv4 *,
@ -198,6 +202,7 @@ static void ipcp_dae_send_disconnect_request(struct assigned_ipv4 *);
static void ipcp_dae_request_on_timeout(int, short, void *);
static void ipcp_dae_on_event(int, short, void *);
static void ipcp_dae_reset_request(struct assigned_ipv4 *);
static void ipcp_dae_send_pending_requests(int, short, void *);
static struct ipcp_address
*parse_address_range(const char *);
static const char
@ -303,18 +308,20 @@ ipcp_start(void *ctx)
TAILQ_FOREACH(dae, &self->daes, next) {
if ((sock = socket(dae->nas_addr.sin4.sin_family,
SOCK_DGRAM, IPPROTO_UDP)) == -1) {
log_warn("could not start dae: %s", strerror(errno));
log_warn("%s: could not start dae: socket()", __func__);
return;
}
if (connect(sock, (struct sockaddr *)&dae->nas_addr,
dae->nas_addr.sin4.sin_len) == -1) {
log_warn("could not start dae: %s", strerror(errno));
log_warn("%s: could not start dae: connect()",
__func__);
return;
}
dae->sock = sock;
event_set(&dae->ev_sock, sock, EV_READ | EV_PERSIST,
ipcp_dae_on_event, dae);
event_add(&dae->ev_sock, NULL);
evtimer_set(&dae->ev_reqs, ipcp_dae_send_pending_requests, dae);
}
module_send_message(self->base, IMSG_OK, NULL);
@ -334,6 +341,8 @@ ipcp_stop(void *ctx)
close(dae->sock);
dae->sock = -1;
}
if (evtimer_pending(&dae->ev_reqs, NULL))
event_del(&dae->ev_reqs);
}
if (evtimer_pending(&self->ev_timer, NULL))
evtimer_del(&self->ev_timer);
@ -624,10 +633,14 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg)
freezero(dump ,dumpsiz);
break;
case IMSG_RADIUSD_MODULE_IPCP_DISCONNECT:
case IMSG_RADIUSD_MODULE_IPCP_DELETE:
if (datalen < sizeof(unsigned)) {
log_warn("%s: received "
"IMSG_RADIUSD_MODULE_IPCP_DISCONNECT message size "
"is wrong", __func__);
"%s message size is wrong", __func__,
(imsg->hdr.type ==
IMSG_RADIUSD_MODULE_IPCP_DISCONNECT)
? "IMSG_RADIUSD_MODULE_IPCP_DISCONNECT"
: "IMSG_RADIUSD_MODULE_IPCP_DELETE");
goto fail;
}
seq = *(unsigned *)imsg->data;
@ -640,12 +653,19 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg)
}
if (assign == NULL) {
cause = "session not found";
log_warnx("Disconnect seq=%u requested, but the "
"session is not found", seq);
log_warnx("%s seq=%u requested, but the "
"session is not found",
(imsg->hdr.type ==
IMSG_RADIUSD_MODULE_IPCP_DISCONNECT)? "Disconnect"
: "Delete", seq);
module_imsg_compose(self->base, IMSG_NG,
imsg->hdr.peerid, 0, -1, cause, strlen(cause) + 1);
}
else {
} else if (imsg->hdr.type == IMSG_RADIUSD_MODULE_IPCP_DELETE) {
log_info("Delete seq=%u by request", assign->seq);
ipcp_ipv4_delete(self, assign, "By control");
module_imsg_compose(self->base, IMSG_OK,
imsg->hdr.peerid, 0, -1, NULL, 0);
} else {
if (assign->dae == NULL)
log_warnx("Disconnect seq=%u requested, but "
"DAE is not configured", assign->seq);
@ -1059,10 +1079,12 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
!IN6_ARE_ADDR_EQUAL(&assign->nas_ipv6, &nas_ipv6) ||
strcmp(assign->nas_id, nas_id) != 0)
continue;
log_info("Delete record for %s", inet_ntop(AF_INET,
&assign->ipv4, buf, sizeof(buf)));
ipcp_del_db(self, assign);
ipcp_ipv4_release(self, assign);
log_info("q=%u Delete record for %s", q_id,
inet_ntop(AF_INET, &assign->ipv4, buf,
sizeof(buf)));
ipcp_ipv4_delete(self, assign,
(type == RADIUS_ACCT_STATUS_TYPE_ACCT_ON)
? "Receive Acct-On" : "Receive Acct-Off");
}
return;
}
@ -1144,9 +1166,9 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
if (ipcp_notice_startstop(self, assign, 1, NULL) != 0)
goto fail;
log_info("Start seq=%u user=%s duration=%dsec session=%s "
"tunnel=%s from=%s auth=%s ip=%s", assign->seq,
assign->user->name, delay, assign->session_id,
log_info("q=%u Start seq=%u user=%s duration=%dsec "
"session=%s tunnel=%s from=%s auth=%s ip=%s", q_id,
assign->seq, assign->user->name, delay, assign->session_id,
assign->tun_type, print_addr((struct sockaddr *)
&assign->tun_client, buf1, sizeof(buf1)),
assign->auth_method, inet_ntop(AF_INET, &addr4, buf,
@ -1180,10 +1202,10 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
strlcpy(stat.cause, radius_terminate_cause_string(uval),
sizeof(stat.cause));
log_info("Stop seq=%u user=%s duration=%lldsec session=%s "
"tunnel=%s from=%s auth=%s ip=%s datain=%"PRIu64"bytes,%"
PRIu32"packets dataout=%"PRIu64"bytes,%"PRIu32"packets "
"cause=\"%s\"",
log_info("q=%u Stop seq=%u user=%s duration=%lldsec "
"session=%s tunnel=%s from=%s auth=%s ip=%s "
"datain=%"PRIu64"bytes,%" PRIu32"packets dataout=%"PRIu64
"bytes,%"PRIu32"packets cause=\"%s\"", q_id,
assign->seq, assign->user->name, dur.tv_sec,
assign->session_id, assign->tun_type, print_addr(
(struct sockaddr *)&assign->tun_client, buf1, sizeof(buf1)),
@ -1254,6 +1276,20 @@ ipcp_ipv4_find(struct module_ipcp *self, struct in_addr ina)
return (ret);
}
void
ipcp_ipv4_delete(struct module_ipcp *self, struct assigned_ipv4 *assign,
const char *cause)
{
static struct radiusd_ipcp_statistics stat = { 0 };
memset(stat.cause, 0, sizeof(stat.cause));
strlcpy(stat.cause, cause, sizeof(stat.cause));
ipcp_del_db(self, assign);
ipcp_notice_startstop(self, assign, 0, &stat);
ipcp_ipv4_release(self, assign);
}
void
ipcp_ipv4_release(struct module_ipcp *self, struct assigned_ipv4 *assign)
{
@ -1567,22 +1603,27 @@ ipcp_dae_send_disconnect_request(struct assigned_ipv4 *assign)
radius_set_accounting_request_authenticator(reqpkt,
assign->dae->secret);
assign->dae_reqpkt = reqpkt;
TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
}
if (assign->dae_ntry == 0) {
if (assign->dae->ninflight >= RADIUSD_IPCP_DAE_MAX_INFLIGHT)
return;
log_info("Sending Disconnect-Request seq=%u to %s",
assign->seq, print_addr((struct sockaddr *)
&assign->dae->nas_addr, buf, sizeof(buf)));
TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
}
if (radius_send(assign->dae->sock, assign->dae_reqpkt, 0) < 0)
log_warn("%s: sendto: %m", __func__);
tv.tv_sec = dae_request_timeouts[assign->dae_ntry++];
tv.tv_sec = dae_request_timeouts[assign->dae_ntry];
tv.tv_usec = 0;
evtimer_set(&assign->dae_evtimer, ipcp_dae_request_on_timeout, assign);
evtimer_add(&assign->dae_evtimer, &tv);
if (assign->dae_ntry == 0)
assign->dae->ninflight++;
assign->dae_ntry++;
}
void
@ -1625,7 +1666,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
if ((radres = radius_recv(dae->sock, 0)) == NULL) {
if (errno == EAGAIN)
return;
log_warn("Failed to receive from %s", print_addr(
log_warn("%s: Failed to receive from %s", __func__, print_addr(
(struct sockaddr *)&dae->nas_addr, buf, sizeof(buf)));
return;
}
@ -1634,16 +1675,16 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
break;
}
if (assign == NULL) {
log_warnx("Received RADIUS packet from %s has unknown id=%d",
print_addr((struct sockaddr *)&dae->nas_addr, buf,
sizeof(buf)), radius_get_id(radres));
log_warnx("%s: Received RADIUS packet from %s has unknown "
"id=%d", __func__, print_addr((struct sockaddr *)
&dae->nas_addr, buf, sizeof(buf)), radius_get_id(radres));
goto out;
}
radius_set_request_packet(radres, assign->dae_reqpkt);
if ((radius_check_response_authenticator(radres, dae->secret)) != 0) {
log_warnx("Received RADIUS packet for seq=%u from %s has a bad "
"authenticator", assign->seq, print_addr(
log_warnx("%s: Received RADIUS packet for seq=%u from %s has "
"a bad authenticator", __func__, assign->seq, print_addr(
(struct sockaddr *)&dae->nas_addr, buf,
sizeof(buf)));
goto out;
@ -1667,13 +1708,13 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
&dae->nas_addr, buf, sizeof(buf)), cause);
break;
case RADIUS_CODE_DISCONNECT_NAK:
log_warnx("Received Disconnect-NAK for seq=%u from %s%s",
log_info("Received Disconnect-NAK for seq=%u from %s%s",
assign->seq, print_addr((struct sockaddr *)
&dae->nas_addr, buf, sizeof(buf)), cause);
break;
default:
log_warn("Received unknown code=%d for id=%u from %s",
code, assign->seq, print_addr((struct sockaddr *)
log_warn("%s: Received unknown code=%d for id=%u from %s",
__func__, code, assign->seq, print_addr((struct sockaddr *)
&dae->nas_addr, buf, sizeof(buf)));
break;
}
@ -1700,10 +1741,16 @@ void
ipcp_dae_reset_request(struct assigned_ipv4 *assign)
{
struct radiusctl_client *client, *clientt;
const struct timeval zero = { 0, 0 };
if (assign->dae != NULL) {
if (assign->dae_ntry > 0)
if (assign->dae_reqpkt != NULL)
TAILQ_REMOVE(&assign->dae->reqs, assign, dae_next);
if (assign->dae_ntry > 0) {
assign->dae->ninflight--;
if (!evtimer_pending(&assign->dae->ev_reqs, NULL))
evtimer_add(&assign->dae->ev_reqs, &zero);
}
}
if (assign->dae_reqpkt != NULL)
radius_delete_packet(assign->dae_reqpkt);
@ -1717,6 +1764,23 @@ ipcp_dae_reset_request(struct assigned_ipv4 *assign)
assign->dae_ntry = 0;
}
void
ipcp_dae_send_pending_requests(int fd, short ev, void *ctx)
{
struct module_ipcp_dae *dae = ctx;
struct module_ipcp *self = dae->ipcp;
struct assigned_ipv4 *assign, *assignt;
ipcp_update_time(self);
TAILQ_FOREACH_SAFE(assign, &dae->reqs, dae_next, assignt) {
if (dae->ninflight >= RADIUSD_IPCP_DAE_MAX_INFLIGHT)
break;
if (assign->dae_ntry == 0) /* pending */
ipcp_dae_send_disconnect_request(assign);
}
}
/***********************************************************************
* Miscellaneous functions
***********************************************************************/
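Review bot: The new queue and inflight bookkeeping in ipcp_dae_send_disconnect_request() and ipcp_dae_reset_request() rests on two invariants that are only implicit in the code: an assign is on `dae->reqs` exactly when `dae_reqpkt != NULL` (inserted in the packet-creation branch, removed under the same test), and it is counted in `dae->ninflight` exactly when `dae_ntry > 0`. These should be stated next to the fields in struct assigned_ipv4, e.g. `/* on dae->reqs iff dae_reqpkt != NULL; counted in dae->ninflight iff dae_ntry > 0 */`, because the early `return` when ninflight is at RADIUSD_IPCP_DAE_MAX_INFLIGHT deliberately leaves a queued-but-unsent entry that only ipcp_dae_send_pending_requests() will later pick up. Separately, in ipcp_start() the `evtimer_set(&dae->ev_reqs, ...)` runs only for peers whose socket()/connect() succeeded and the loop returns on the first failure, so ipcp_stop()'s unconditional `evtimer_pending(&dae->ev_reqs, NULL)` may inspect an event that was never initialised for later peers; whether that is harmless depends on how the dae structs are allocated, which is outside the hunk. The enclosing function bodies extend outside these hunks.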


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_ipcp.h,v 1.1 2024/07/09 17:26:14 yasuoka Exp $ */
/* $OpenBSD: radiusd_ipcp.h,v 1.3 2024/09/15 05:29:11 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -24,12 +24,15 @@
#include "radiusd.h"
#define RADIUSD_IPCP_DAE_MAX_INFLIGHT 64
enum imsg_module_ipcp_type {
IMSG_RADIUSD_MODULE_IPCP_DUMP = IMSG_RADIUSD_MODULE_MIN,
IMSG_RADIUSD_MODULE_IPCP_MONITOR,
IMSG_RADIUSD_MODULE_IPCP_DUMP_AND_MONITOR,
IMSG_RADIUSD_MODULE_IPCP_START,
IMSG_RADIUSD_MODULE_IPCP_STOP,
IMSG_RADIUSD_MODULE_IPCP_DELETE,
IMSG_RADIUSD_MODULE_IPCP_DISCONNECT
};
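Review bot: `RADIUSD_IPCP_DAE_MAX_INFLIGHT` is added without a comment saying what it bounds or at which scope; since the counter it is compared against (`ninflight`) lives in the per-peer struct module_ipcp_dae, a one-liner would help: `/* max Disconnect-Requests outstanding per DAE peer at a time */`. Inserting `IMSG_RADIUSD_MODULE_IPCP_DELETE` ahead of `IMSG_RADIUSD_MODULE_IPCP_DISCONNECT` renumbers DISCONNECT; that is fine as long as radiusctl and the module are always built from the same header, which appears to be the case in this tree, but appending the new value at the end would avoid the question.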


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_module.c,v 1.19 2024/07/14 15:27:57 yasuoka Exp $ */
/* $OpenBSD: radiusd_module.c,v 1.20 2024/09/15 05:14:32 yasuoka Exp $ */
/*
* Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
@ -643,9 +643,13 @@ module_on_event(int fd, short evmask, void *ctx)
if (ret > 0)
continue;
base->writeready = false;
if (ret == 0 && errno == EAGAIN)
if (ret == -1 && errno == EAGAIN)
break;
syslog(LOG_ERR, "%s: msgbuf_write: %m", __func__);
if (ret == 0)
syslog(LOG_ERR, "%s: connection is closed", __func__);
else
syslog(LOG_ERR, "%s: msgbuf_write: %d %m", __func__,
ret);
module_stop(base);
return;
}