sync with OpenBSD -current

lib/libpcap/gencode.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: gencode.c,v 1.66 2024/04/08 02:51:14 jsg Exp $	*/
+/*	$OpenBSD: gencode.c,v 1.67 2024/09/15 07:14:58 jsg Exp $	*/
 
 /*
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
@@ -175,7 +175,6 @@ static void *
 newchunk(size_t n)
 {
 	struct membag *m;
-	int k, size;
 	void *p;
 
 	m = &membag[cur_membag];

regress/lib/libssl/tlsfuzzer/tlsfuzzer.py

@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.54 2024/09/13 05:58:17 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.55 2024/09/14 07:11:34 tb Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -654,7 +654,7 @@ failing_groups = [
 ]
 
 class TestRunner:
-    """ Runs the given tests groups against a server and displays stats. """
+    """ Runs the given tests against a server and displays stats. """
 
     def __init__(
         self, timing=False, verbose=False, host="localhost", port=4433,

sbin/dump/traverse.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: traverse.c,v 1.42 2024/02/03 18:51:57 beck Exp $	*/
+/*	$OpenBSD: traverse.c,v 1.43 2024/09/15 07:14:58 jsg Exp $	*/
 /*	$NetBSD: traverse.c,v 1.17 1997/06/05 11:13:27 lukem Exp $	*/
 
 /*-
@@ -150,7 +150,6 @@ fs_mapinodes(ino_t maxino, int64_t *tapesize, int *anydirskipped)
 	int i, cg, inosused;
 	struct cg *cgp;
 	ino_t ino;
-	char *cp;
 
 	if ((cgp = malloc(sblock->fs_cgsize)) == NULL)
 		quit("fs_mapinodes: cannot allocate memory.\n");

sbin/fsck_ffs/pass1.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pass1.c,v 1.49 2024/02/03 18:51:57 beck Exp $	*/
+/*	$OpenBSD: pass1.c,v 1.50 2024/09/15 07:14:58 jsg Exp $	*/
 /*	$NetBSD: pass1.c,v 1.16 1996/09/27 22:45:15 christos Exp $	*/
 
 /*
@@ -71,7 +71,6 @@ pass1(void)
 	u_int c;
 	struct inodesc idesc;
 	daddr_t i, cgd;
-	u_int8_t *cp;
 
 	/*
 	 * Set file system reserved blocks in used block map.

sbin/fsck_ffs/pass5.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pass5.c,v 1.51 2024/02/03 18:51:57 beck Exp $	*/
+/*	$OpenBSD: pass5.c,v 1.52 2024/09/15 07:14:58 jsg Exp $	*/
 /*	$NetBSD: pass5.c,v 1.16 1996/09/27 22:45:18 christos Exp $	*/
 
 /*
@@ -67,7 +67,7 @@ pass5(void)
 	struct fs *fs = &sblock;
 	daddr_t dbase, dmax;
 	daddr_t d;
-	long i, k, rewritecg = 0;
+	long i, rewritecg = 0;
 	ino_t j;
 	struct csum *cs;
 	struct csum_total cstotal;

sbin/iked/config.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $	*/
+/*	$OpenBSD: config.c,v 1.99 2024/09/15 11:08:50 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -178,6 +178,7 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
 	ibuf_free(sa->sa_eap.id_buf);
 	free(sa->sa_eapid);
 	ibuf_free(sa->sa_eapmsk);
+	ibuf_free(sa->sa_eapclass);
 
 	free(sa->sa_cp_addr);
 	free(sa->sa_cp_addr6);

sbin/iked/iked.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $	*/
+/*	$OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -491,6 +491,7 @@ struct iked_sa {
 	char				*sa_eapid;	/* EAP identity */
 	struct iked_id			 sa_eap;	/* EAP challenge */
 	struct ibuf			*sa_eapmsk;	/* EAK session key */
+	struct ibuf			*sa_eapclass;	/* EAP/RADIUS class */
 
 	struct iked_proposals		 sa_proposals;	/* SA proposals */
 	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */

sbin/iked/ikev2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.388 2024/09/15 11:08:50 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -4774,6 +4774,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
 	/* sa_eapid needs to be set on both for radius accounting */
 	if (sa->sa_eapid)
 		nsa->sa_eapid = strdup(sa->sa_eapid);
+	if (sa->sa_eapclass)
+		nsa->sa_eapclass = ibuf_dup(sa->sa_eapclass);
 
 	log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
 	    SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),

sbin/iked/radius.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radius.c,v 1.12 2024/09/11 00:41:51 yasuoka Exp $	*/
+/*	$OpenBSD: radius.c,v 1.13 2024/09/15 11:08:50 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -270,6 +270,16 @@ iked_radius_on_event(int fd, short ev, void *ctx)
 			req->rr_sa->sa_eapid = req->rr_user;
 		req->rr_user = NULL;
 
+		if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_CLASS, &attrval,
+		    &attrlen) == 0) {
+			ibuf_free(req->rr_sa->sa_eapclass);
+			if ((req->rr_sa->sa_eapclass = ibuf_new(attrval,
+			    attrlen)) == NULL) {
+				log_info("%s: ibuf_new() failed: %s", __func__,
+				    strerror(errno));
+			}
+		}
+
 		sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
 
 		/* Map RADIUS attributes to cp */
@@ -748,6 +758,10 @@ iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
 
 	switch (stype) {
 	case RADIUS_ACCT_STATUS_TYPE_START:
+		if (req->rr_sa && req->rr_sa->sa_eapclass != NULL)
+			radius_put_raw_attr(pkt, RADIUS_TYPE_CLASS,
+			    ibuf_data(req->rr_sa->sa_eapclass),
+			    ibuf_size(req->rr_sa->sa_eapclass));
 		break;
 	case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
 	case RADIUS_ACCT_STATUS_TYPE_STOP:

sbin/quotacheck/quotacheck.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: quotacheck.c,v 1.42 2024/02/03 18:51:57 beck Exp $	*/
+/*	$OpenBSD: quotacheck.c,v 1.43 2024/09/15 07:14:58 jsg Exp $	*/
 /*	$NetBSD: quotacheck.c,v 1.12 1996/03/30 22:34:25 mark Exp $	*/
 
 /*
@@ -269,7 +269,6 @@ chkquota(const char *vfstype, const char *fsname, const char *mntpt,
 	int cg, i, mode, errs = 0, status;
 	ino_t ino, inosused;
 	pid_t pid;
-	char *cp;
 
 	switch (pid = fork()) {
 	case -1:	/* error */

sys/conf/files

@@ -1,4 +1,4 @@
-#	$OpenBSD: files,v 1.738 2024/09/09 03:50:14 jsg Exp $
+#	$OpenBSD: files,v 1.740 2024/09/14 11:06:48 jsg Exp $
 #	$NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93
@@ -471,7 +471,7 @@ file	dev/usb/xhci.c			xhci	needs-flag
 
 # AMD Cryptographic Co-processor
 device	ccp {}
-file	dev/ic/ccp.c			ccp	needs-flag
+file	dev/ic/ccp.c			ccp
 
 # AMD Platform Security Processor
 device	psp
@@ -864,7 +864,7 @@ file net/if_vether.c			vether
 file net/if_rport.c			rport
 file net/if_pair.c			pair
 file net/if_pppx.c			pppx			needs-count
-file net/if_vxlan.c			vxlan			needs-count
+file net/if_vxlan.c			vxlan
 file net/if_wg.c			wg
 file net/wg_noise.c			wg
 file net/wg_cookie.c			wg

sys/dev/pv/files.pv

@@ -1,4 +1,4 @@
-#	$OpenBSD: files.pv,v 1.17 2023/04/20 19:28:31 jcs Exp $
+#	$OpenBSD: files.pv,v 1.18 2024/09/14 09:21:13 jsg Exp $
 #
 # Config file and device description for paravirtual devices.
 # Included by ports that need it.
@@ -11,7 +11,7 @@ file	dev/pv/pvbus.c			pvbus	needs-flag
 # KVM clock
 device	pvclock
 attach	pvclock at pvbus
-file	dev/pv/pvclock.c		pvclock	needs-flag
+file	dev/pv/pvclock.c		pvclock
 
 # VMware Tools
 device	vmt

usr.bin/calendar/calendars/calendar.history

@@ -1,7 +1,7 @@
 /*
  * History
  *
- * $OpenBSD: calendar.history,v 1.82 2020/04/19 21:08:39 jmc Exp $
+ * $OpenBSD: calendar.history,v 1.83 2024/09/14 20:15:24 schwarze Exp $
  */
 
 #ifndef _calendar_history_
@@ -433,7 +433,6 @@
 11/07	Lewis and Clark Expedition in sight of the Pacific Ocean, 1805
 11/08	Invasion of Sweden by Danish forces results in the
 	Stockholm Bloodbath, 1520
-11/09	Giant panda discovered (?!), China, 1927
 11/09	Jack the Ripper kills fifth and final victim, Jane Kelly, 1888
 11/10	Henry Stanley asks David Livingstone, "Dr. Livingstone, I presume?",
 	1871

usr.bin/rpcinfo/rpcinfo.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: rpcinfo.c,v 1.19 2024/08/16 16:00:30 florian Exp $	*/
+/*	$OpenBSD: rpcinfo.c,v 1.20 2024/09/15 07:14:58 jsg Exp $	*/
 
 /*
  * Copyright (c) 2010, Oracle America, Inc.
@@ -489,7 +489,6 @@ void
 pmapdump(int argc, char **argv)
 {
 	struct sockaddr_in server_addr;
-	struct hostent *hp;
 	struct pmaplist *head = NULL;
 	int socket = RPC_ANYSOCK;
 	struct timeval minutetimeout;

usr.bin/ssh/auth.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.161 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -421,6 +421,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 
 	ci = server_get_connection_info(ssh, 1, options.use_dns);
 	ci->user = user;
+	ci->user_invalid = getpwnam(user) == NULL;
 	parse_server_match_config(&options, &includes, ci);
 	log_change_level(options.log_level);
 	log_verbose_reset();

usr.bin/ssh/kexsntrup761x25519.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: kexsntrup761x25519.c,v 1.2 2021/12/05 12:28:27 jsg Exp $ */
+/* $OpenBSD: kexsntrup761x25519.c,v 1.3 2024/09/15 02:20:51 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl.  All rights reserved.
  *
@@ -35,6 +35,10 @@
 #include "digest.h"
 #include "ssherr.h"
 
+volatile crypto_int16 crypto_int16_optblocker = 0;
+volatile crypto_int32 crypto_int32_optblocker = 0;
+volatile crypto_int64 crypto_int64_optblocker = 0;
+
 int
 kex_kem_sntrup761x25519_keypair(struct kex *kex)
 {

usr.bin/ssh/monitor.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.244 2024/09/15 01:09:40 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -81,6 +81,7 @@
 #include "match.h"
 #include "ssherr.h"
 #include "sk-api.h"
+#include "srclimit.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -723,6 +724,15 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 	ssh_packet_set_log_preamble(ssh, "%suser %s",
 	    authctxt->valid ? "authenticating" : "invalid ", authctxt->user);
 
+	if (options.refuse_connection) {
+		logit("administratively prohibited connection for "
+		    "%s%s from %.128s port %d",
+		    authctxt->valid ? "" : "invalid user ",
+		    authctxt->user, ssh_remote_ipaddr(ssh),
+		    ssh_remote_port(ssh));
+		cleanup_exit(EXIT_CONFIG_REFUSED);
+	}
+
 	/* Send active options to unpriv */
 	mm_encode_server_options(m);
 
@@ -1243,7 +1253,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 	}
 	auth2_record_key(authctxt, ret == 0, key);
 
-	if (key_blobtype == MM_USERKEY)
+	if (key_blobtype == MM_USERKEY && ret == 0)
 		auth_activate_options(ssh, key_opts);
 	monitor_reset_key_state();
 

usr.bin/ssh/readconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.389 2024/09/03 05:29:55 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -683,11 +683,11 @@ expand_match_exec_or_include_path(const char *path, Options *options,
  * Parse and execute a Match directive.
  */
 static int
-match_cfg_line(Options *options, char **condition, struct passwd *pw,
+match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
-    const char *host_arg, const char *original_host, int final_pass,
+    struct passwd *pw, const char *host_arg, const char *original_host,
-    int *want_final_pass, const char *filename, int linenum)
+    int final_pass, int *want_final_pass, const char *filename, int linenum)
 {
-	char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
+	char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
 	const char *ruser;
 	int r, this_result, result = 1, attributes = 0, negate;
 
@@ -707,11 +707,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 	}
 
 	debug2("checking match for '%s' host %s originally %s",
-	    cp, host, original_host);
+	    full_line, host, original_host);
-	while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
+	while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
 		/* Terminate on comment */
 		if (*attrib == '#') {
-			cp = NULL; /* mark all arguments consumed */
+			argv_consume(acp);
 			break;
 		}
 		arg = criteria = NULL;
@@ -720,7 +720,8 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 			attrib++;
 		/* Criterion "all" has no argument and must appear alone */
 		if (strcasecmp(attrib, "all") == 0) {
-			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
+			if (attributes > 1 ||
+			    ((arg = argv_next(acp, avp)) != NULL &&
 			    *arg != '\0' && *arg != '#')) {
 				error("%.200s line %d: '%s' cannot be combined "
 				    "with other Match attributes",
@@ -729,7 +730,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 				goto out;
 			}
 			if (arg != NULL && *arg == '#')
-				cp = NULL; /* mark all arguments consumed */
+				argv_consume(acp); /* consume remaining args */
 			if (result)
 				result = negate ? 0 : 1;
 			goto out;
@@ -754,7 +755,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 			continue;
 		}
 		/* All other criteria require an argument */
-		if ((arg = strdelim(&cp)) == NULL ||
+		if ((arg = argv_next(acp, avp)) == NULL ||
 		    *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
 			result = -1;
@@ -841,7 +842,6 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
  out:
 	if (result != -1)
 		debug2("match %sfound", result ? "" : "not ");
-	*condition = cp;
 	free(host);
 	return result;
 }
@@ -1784,8 +1784,8 @@ parse_pubkey_algos:
 			    "option");
 			goto out;
 		}
-		value = match_cfg_line(options, &str, pw, host, original_host,
+		value = match_cfg_line(options, str, &ac, &av, pw, host,
-		    flags & SSHCONF_FINAL, want_final_pass,
+		    original_host, flags & SSHCONF_FINAL, want_final_pass,
 		    filename, linenum);
 		if (value < 0) {
 			error("%.200s line %d: Bad Match condition", filename,
@@ -1793,13 +1793,6 @@ parse_pubkey_algos:
 			goto out;
 		}
 		*activep = (flags & SSHCONF_NEVERMATCH) ? 0 : value;
-		/*
-		 * If match_cfg_line() didn't consume all its arguments then
-		 * arrange for the extra arguments check below to fail.
-		 */
-
-		if (str == NULL || *str == '\0')
-			argv_consume(&ac);
 		break;
 
 	case oEscapeChar:

usr.bin/ssh/servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.413 2024/08/17 08:23:04 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options)
 	options->per_source_penalty.penalty_authfail = -1;
 	options->per_source_penalty.penalty_noauth = -1;
 	options->per_source_penalty.penalty_grace = -1;
+	options->per_source_penalty.penalty_refuseconnection = -1;
 	options->per_source_penalty.penalty_max = -1;
 	options->per_source_penalty.penalty_min = -1;
 	options->max_authtries = -1;
@@ -190,6 +191,7 @@ initialize_server_options(ServerOptions *options)
 	options->num_channel_timeouts = 0;
 	options->unused_connection_timeout = -1;
 	options->sshd_session_path = NULL;
+	options->refuse_connection = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -407,6 +409,8 @@ fill_default_server_options(ServerOptions *options)
 		options->per_source_penalty.penalty_authfail = 5;
 	if (options->per_source_penalty.penalty_noauth == -1)
 		options->per_source_penalty.penalty_noauth = 1;
+	if (options->per_source_penalty.penalty_refuseconnection == -1)
+		options->per_source_penalty.penalty_refuseconnection = 10;
 	if (options->per_source_penalty.penalty_min == -1)
 		options->per_source_penalty.penalty_min = 15;
 	if (options->per_source_penalty.penalty_max == -1)
@@ -457,6 +461,8 @@ fill_default_server_options(ServerOptions *options)
 		options->unused_connection_timeout = 0;
 	if (options->sshd_session_path == NULL)
 		options->sshd_session_path = xstrdup(_PATH_SSHD_SESSION);
+	if (options->refuse_connection == -1)
+		options->refuse_connection = 0;
 
 	assemble_algorithms(options);
 
@@ -536,7 +542,7 @@ typedef enum {
 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
 	sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
-	sSshdSessionPath,
+	sSshdSessionPath, sRefuseConnection,
 	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -686,6 +692,7 @@ static struct {
 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
 	{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
+	{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -962,43 +969,57 @@ match_test_missing_fatal(const char *criteria, const char *attrib)
  * not match.
  */
 static int
-match_cfg_line(char **condition, int line, struct connection_info *ci)
+match_cfg_line(const char *full_line, int *acp, char ***avp,
+    int line, struct connection_info *ci)
 {
 	int result = 1, attributes = 0, port;
-	char *arg, *attrib, *cp = *condition;
+	char *arg, *attrib;
 
 	if (ci == NULL)
-		debug3("checking syntax for 'Match %s'", cp);
+		debug3("checking syntax for 'Match %s'", full_line);
-	else
+	else {
-		debug3("checking match for '%s' user %s host %s addr %s "
+		debug3("checking match for '%s' user %s%s host %s addr %s "
-		    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
+		    "laddr %s lport %d", full_line,
+		    ci->user ? ci->user : "(null)",
+		    ci->user_invalid ? " (invalid)" : "",
 		    ci->host ? ci->host : "(null)",
 		    ci->address ? ci->address : "(null)",
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
+	}
 
-	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+	while ((attrib = argv_next(acp, avp)) != NULL) {
 		/* Terminate on comment */
 		if (*attrib == '#') {
-			cp = NULL; /* mark all arguments consumed */
+			argv_consume(acp); /* mark all arguments consumed */
 			break;
 		}
 		arg = NULL;
 		attributes++;
 		/* Criterion "all" has no argument and must appear alone */
 		if (strcasecmp(attrib, "all") == 0) {
-			if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
+			if (attributes > 1 ||
+			    ((arg = argv_next(acp, avp)) != NULL &&
 			    *arg != '\0' && *arg != '#')) {
 				error("'all' cannot be combined with other "
 				    "Match attributes");
 				return -1;
 			}
 			if (arg != NULL && *arg == '#')
-				cp = NULL; /* mark all arguments consumed */
+				argv_consume(acp); /* consume remaining args */
-			*condition = cp;
 			return 1;
 		}
+		/* Criterion "invalid-user" also has no argument */
+		if (strcasecmp(attrib, "invalid-user") == 0) {
+			if (ci == NULL)
+				continue;
+			if (ci->user_invalid == 0)
+				result = 0;
+			else
+				debug("matched invalid-user at line %d", line);
+			continue;
+		}
 		/* All other criteria require an argument */
-		if ((arg = strdelim(&cp)) == NULL ||
+		if ((arg = argv_next(acp, avp)) == NULL ||
 		    *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
 			return -1;
@@ -1129,7 +1150,6 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 	}
 	if (ci != NULL)
 		debug3("match %sfound", result ? "" : "not ");
-	*condition = cp;
 	return result;
 }
 
@@ -1972,6 +1992,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 			} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
 				p = arg + 15;
 				intptr = &options->per_source_penalty.penalty_grace;
+			} else if (strncmp(arg, "refuseconnection:", 17) == 0) {
+				p = arg + 17;
+				intptr = &options->per_source_penalty.penalty_refuseconnection;
 			} else if (strncmp(arg, "max:", 4) == 0) {
 				p = arg + 4;
 				intptr = &options->per_source_penalty.penalty_max;
@@ -2250,7 +2273,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		if (cmdline)
 			fatal("Match directive not supported as a command-line "
 			    "option");
-		value = match_cfg_line(&str, linenum,
+		value = match_cfg_line(str, &ac, &av, linenum,
 		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
 		if (value < 0)
 			fatal("%s line %d: Bad Match condition", filename,
@@ -2261,12 +2284,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		 * match block.
 		 */
 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
-		/*
-		 * If match_cfg_line() didn't consume all its arguments then
-		 * arrange for the extra arguments check below to fail.
-		 */
-		if (str == NULL || *str == '\0')
-			argv_consume(&ac);
 		break;
 
 	case sPermitListen:
@@ -2579,6 +2596,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		charptr = &options->sshd_session_path;
 		goto parse_filename;
 
+	case sRefuseConnection:
+		intptr = &options->refuse_connection;
+		multistate_ptr = multistate_flag;
+		goto parse_multistate;
+
 	case sDeprecated:
 	case sIgnore:
 	case sUnsupported:
@@ -2693,6 +2715,8 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
 				    " specification %s\n", p+6, p);
 				return -1;
 			}
+		} else if (strcmp(p, "invalid-user") == 0) {
+			ci->user_invalid = 1;
 		} else {
 			fprintf(stderr, "Invalid test mode specification %s\n",
 			    p);
@@ -2794,6 +2818,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(log_level);
 	M_CP_INTOPT(required_rsa_size);
 	M_CP_INTOPT(unused_connection_timeout);
+	M_CP_INTOPT(refuse_connection);
 
 	/*
 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -3116,6 +3141,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+	dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
 
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
@@ -3236,12 +3262,14 @@ dump_config(ServerOptions *o)
 
 	if (o->per_source_penalty.enabled) {
 		printf("persourcepenalties crash:%d authfail:%d noauth:%d "
-		    "grace-exceeded:%d max:%d min:%d max-sources4:%d "
+		    "grace-exceeded:%d refuseconnection:%d max:%d min:%d "
-		    "max-sources6:%d overflow:%s overflow6:%s\n",
+		    "max-sources4:%d max-sources6:%d "
+		    "overflow:%s overflow6:%s\n",
 		    o->per_source_penalty.penalty_crash,
 		    o->per_source_penalty.penalty_authfail,
 		    o->per_source_penalty.penalty_noauth,
 		    o->per_source_penalty.penalty_grace,
+		    o->per_source_penalty.penalty_refuseconnection,
 		    o->per_source_penalty.penalty_max,
 		    o->per_source_penalty.penalty_min,
 		    o->per_source_penalty.max_sources4,

usr.bin/ssh/servconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.168 2024/09/15 01:18:26 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -77,6 +77,7 @@ struct per_source_penalty {
 	int	penalty_grace;
 	int	penalty_authfail;
 	int	penalty_noauth;
+	int	penalty_refuseconnection;
 	int	penalty_max;
 	int	penalty_min;
 };
@@ -245,11 +246,14 @@ typedef struct {
 	int	unused_connection_timeout;
 
 	char   *sshd_session_path;
+
+	int	refuse_connection;
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */
 struct connection_info {
 	const char *user;
+	int user_invalid;
 	const char *host;	/* possibly resolved hostname */
 	const char *address;	/* remote address */
 	const char *laddress;	/* local address */

usr.bin/ssh/sntrup761.sh

@@ -1,25 +1,18 @@
 #!/bin/sh
-#       $OpenBSD: sntrup761.sh,v 1.7 2023/01/11 02:13:52 djm Exp $
+#       $OpenBSD: sntrup761.sh,v 1.8 2024/09/15 02:20:51 djm Exp $
 #       Placed in the Public Domain.
 #
-AUTHOR="supercop-20201130/crypto_kem/sntrup761/ref/implementors"
+AUTHOR="supercop-20240808/crypto_kem/sntrup761/ref/implementors"
-FILES="
+FILES=" supercop-20240808/cryptoint/crypto_int16.h
-	supercop-20201130/crypto_sort/int32/portable4/int32_minmax.inc
+	supercop-20240808/cryptoint/crypto_int32.h
-	supercop-20201130/crypto_sort/int32/portable4/sort.c
+	supercop-20240808/cryptoint/crypto_int64.h
-	supercop-20201130/crypto_sort/uint32/useint32/sort.c
+	supercop-20240808/crypto_sort/int32/portable4/sort.c
-	supercop-20201130/crypto_kem/sntrup761/ref/uint32.c
+	supercop-20240808/crypto_sort/uint32/useint32/sort.c
-	supercop-20201130/crypto_kem/sntrup761/ref/int32.c
+	supercop-20240808/crypto_kem/sntrup761/compact/kem.c
-	supercop-20201130/crypto_kem/sntrup761/ref/paramsmenu.h
-	supercop-20201130/crypto_kem/sntrup761/ref/params.h
-	supercop-20201130/crypto_kem/sntrup761/ref/Decode.h
-	supercop-20201130/crypto_kem/sntrup761/ref/Decode.c
-	supercop-20201130/crypto_kem/sntrup761/ref/Encode.h
-	supercop-20201130/crypto_kem/sntrup761/ref/Encode.c
-	supercop-20201130/crypto_kem/sntrup761/ref/kem.c
 "
 ###
 
-set -e
+set -euo pipefail
 cd $1
 echo -n '/*  $'
 echo 'OpenBSD: $ */'
@@ -32,12 +25,19 @@ echo
 echo '#include <string.h>'
 echo '#include "crypto_api.h"'
 echo
+echo '#define crypto_declassify(x, y) do {} while (0)'
+echo
 # Map the types used in this code to the ones in crypto_api.h.  We use #define
 # instead of typedef since some systems have existing intXX types and do not
 # permit multiple typedefs even if they do not conflict.
 for t in int8 uint8 int16 uint16 int32 uint32 int64 uint64; do
 	echo "#define $t crypto_${t}"
 done
+
+for x in 16 32 64 ; do
+	echo "extern volatile crypto_int$x crypto_int${x}_optblocker;"
+done
+
 echo
 for i in $FILES; do
 	echo "/* from $i */"
@@ -57,14 +57,27 @@ for i in $FILES; do
 	    -e 's/[	 ]*$//' \
 	    $i | \
 	case "$i" in
-	# Use int64_t for intermediate values in int32_MINMAX to prevent signed
+	*/cryptoint/crypto_int16.h)
-	# 32-bit integer overflow when called by crypto_sort_uint32.
+	    sed -e "s/static void crypto_int16_store/void crypto_int16_store/" \
-	*/int32_minmax.inc)
+		-e "s/^[#]define crypto_int16_optblocker.*//" \
-	    sed -e "s/int32 ab = b ^ a/int64_t ab = (int64_t)b ^ (int64_t)a/" \
+	        -e "s/static void crypto_int16_minmax/void crypto_int16_minmax/"
-	        -e "s/int32 c = b - a/int64_t c = (int64_t)b - (int64_t)a/"
+	    ;;
+	*/cryptoint/crypto_int32.h)
+	    sed -e "s/static void crypto_int32_store/void crypto_int32_store/" \
+		-e "s/^[#]define crypto_int32_optblocker.*//" \
+	        -e "s/static void crypto_int32_minmax/void crypto_int32_minmax/"
+	    ;;
+	*/cryptoint/crypto_int64.h)
+	    sed -e "s/static void crypto_int64_store/void crypto_int64_store/" \
+		-e "s/^[#]define crypto_int64_optblocker.*//" \
+	        -e "s/static void crypto_int64_minmax/void crypto_int64_minmax/"
 	    ;;
 	*/int32/portable4/sort.c)
-	    sed -e "s/void crypto_sort/void crypto_sort_int32/g"
+	    sed -e "s/void crypto_sort[(]/void crypto_sort_int32(/g"
+	    ;;
+	*/int32/portable5/sort.c)
+	    sed -e "s/crypto_sort_smallindices/crypto_sort_int32_smallindices/"\
+	        -e "s/void crypto_sort[(]/void crypto_sort_int32(/g"
 	    ;;
 	*/uint32/useint32/sort.c)
 	    sed -e "s/void crypto_sort/void crypto_sort_uint32/g"

usr.bin/ssh/srclimit.c

@@ -379,6 +379,10 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
 		penalty_secs = penalty_cfg.penalty_noauth;
 		reason = "penalty: connections without attempting authentication";
 		break;
+	case SRCLIMIT_PENALTY_REFUSECONNECTION:
+		penalty_secs = penalty_cfg.penalty_refuseconnection;
+		reason = "penalty: connection prohibited by RefuseConnection";
+		break;
 	case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
 		penalty_secs = penalty_cfg.penalty_crash;
 		reason = "penalty: exceeded LoginGraceTime";

usr.bin/ssh/srclimit.h

@@ -22,16 +22,18 @@ void	srclimit_init(int, int, int, int,
 int	srclimit_check_allow(int, int);
 void	srclimit_done(int);
 
-#define SRCLIMIT_PENALTY_NONE		0
+#define SRCLIMIT_PENALTY_NONE			0
-#define SRCLIMIT_PENALTY_CRASH		1
+#define SRCLIMIT_PENALTY_CRASH			1
-#define SRCLIMIT_PENALTY_AUTHFAIL	2
+#define SRCLIMIT_PENALTY_AUTHFAIL		2
-#define SRCLIMIT_PENALTY_GRACE_EXCEEDED	3
+#define SRCLIMIT_PENALTY_GRACE_EXCEEDED		3
-#define SRCLIMIT_PENALTY_NOAUTH		4
+#define SRCLIMIT_PENALTY_NOAUTH			4
+#define SRCLIMIT_PENALTY_REFUSECONNECTION	5
 
 /* meaningful exit values, used by sshd listener for penalties */
 #define EXIT_LOGIN_GRACE	3	/* login grace period exceeded */
 #define EXIT_CHILD_CRASH	4	/* preauth child crashed */
 #define EXIT_AUTH_ATTEMPTED	5	/* at least one auth attempt made */
+#define EXIT_CONFIG_REFUSED	6	/* sshd_config RefuseConnection */
 
 void	srclimit_penalise(struct xaddr *, int);
 int	srclimit_penalty_check_allow(int, const char **);

usr.bin/ssh/ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.474 2024/09/04 05:33:34 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.475 2024/09/15 00:47:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -300,7 +300,7 @@ ask_filename(struct passwd *pw, const char *prompt)
 static struct sshkey *
 load_identity(const char *filename, char **commentp)
 {
-	char *pass;
+	char *prompt, *pass;
 	struct sshkey *prv;
 	int r;
 
@@ -312,8 +312,11 @@ load_identity(const char *filename, char **commentp)
 		fatal_r(r, "Load key \"%s\"", filename);
 	if (identity_passphrase)
 		pass = xstrdup(identity_passphrase);
-	else
+	else {
-		pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN);
+		xasprintf(&prompt, "Enter passphrase for \"%s\": ", filename);
+		pass = read_passphrase(prompt, RP_ALLOW_STDIN);
+		free(prompt);
+	}
 	r = sshkey_load_private(filename, pass, &prv, commentp);
 	freezero(pass, strlen(pass));
 	if (r != 0)
@@ -3110,17 +3113,22 @@ read_check_passphrase(const char *prompt1, const char *prompt2,
 }
 
 static char *
-private_key_passphrase(void)
+private_key_passphrase(const char *path)
 {
+	char *prompt, *ret;
+
 	if (identity_passphrase)
 		return xstrdup(identity_passphrase);
 	if (identity_new_passphrase)
 		return xstrdup(identity_new_passphrase);
 
-	return read_check_passphrase(
+	xasprintf(&prompt, "Enter passphrase for \"%s\" "
-	    "Enter passphrase (empty for no passphrase): ",
+	    "(empty for no passphrase): ", path);
+	ret = read_check_passphrase(prompt,
 	    "Enter same passphrase again: ",
 	    "Passphrases do not match.  Try again.");
+	free(prompt);
+	return ret;
 }
 
 static char *
@@ -3216,7 +3224,7 @@ do_download_sk(const char *skprovider, const char *device)
 
 		/* Save the key with the application string as the comment */
 		if (pass == NULL)
-			pass = private_key_passphrase();
+			pass = private_key_passphrase(path);
 		if ((r = sshkey_save_private(key, path, pass,
 		    key->sk_application, private_key_format,
 		    openssh_format_cipher, rounds)) != 0) {
@@ -3912,7 +3920,7 @@ main(int argc, char **argv)
 		exit(1);
 
 	/* Determine the passphrase for the private key */
-	passphrase = private_key_passphrase();
+	passphrase = private_key_passphrase(identity_file);
 	if (identity_comment) {
 		strlcpy(comment, identity_comment, sizeof(comment));
 	} else {

usr.bin/ssh/sshd.8

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.327 2024/09/15 01:19:56 djm Exp $
-.Dd $Mdocdate: June 17 2024 $
+.Dd $Mdocdate: September 15 2024 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -115,6 +115,10 @@ and
 .Dq rdomain
 and correspond to source address, user, resolved source host name,
 local address, local port number and routing domain respectively.
+Additionally the
+.Dq invalid-user
+flag (which does not take a value argument) may be specified to simulate
+a connection from an unrecognised username.
 .It Fl c Ar host_certificate_file
 Specifies a path to a certificate file to identify
 .Nm

usr.bin/ssh/sshd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.611 2024/09/12 00:36:27 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.612 2024/09/15 01:11:26 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  * Copyright (c) 2002 Niels Provos.  All rights reserved.
@@ -360,6 +360,13 @@ child_reap(struct early_child *child)
 			    (long)child->pid, child->id,
 			    child->early ? " (early)" : "");
 			break;
+		case EXIT_CONFIG_REFUSED:
+			penalty_type = SRCLIMIT_PENALTY_REFUSECONNECTION;
+			debug_f("preauth child %ld for %s prohibited by"
+			    "RefuseConnection %s",
+			    (long)child->pid, child->id,
+			    child->early ? " (early)" : "");
+			break;
 		default:
 			penalty_type = SRCLIMIT_PENALTY_NOAUTH;
 			debug_f("preauth child %ld for %s exited "

usr.bin/ssh/sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.370 2024/09/09 14:41:21 naddy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $
-.Dd $Mdocdate: September 9 2024 $
+.Dd $Mdocdate: September 15 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1238,9 +1238,11 @@ applied.
 .Pp
 The arguments to
 .Cm Match
-are one or more criteria-pattern pairs or the single token
+are one or more criteria-pattern pairs or one of the single token criteria:
-.Cm All
+.Cm All ,
-which matches all criteria.
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
 The available criteria are
 .Cm User ,
 .Cm Group ,
@@ -1324,6 +1326,7 @@ Available keywords are
 .Cm PubkeyAcceptedAlgorithms ,
 .Cm PubkeyAuthentication ,
 .Cm PubkeyAuthOptions ,
+.Cm RefuseConnection ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
 .Cm RDomain ,
@@ -1597,6 +1600,11 @@ Specifies how long to refuse clients that cause a crash of
 .It Cm authfail:duration
 Specifies how long to refuse clients that disconnect after making one or more
 unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specifies how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
 .It Cm noauth:duration
 Specifies how long to refuse clients that disconnect without attempting
 authentication (default: 1s).
@@ -1754,6 +1762,18 @@ options have any effect for other, non-FIDO, public key types.
 Specifies whether public key authentication is allowed.
 The default is
 .Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection if
+.Cm PerSourcePenalties
+are enabled.
+This option is only really useful in a
+.Cm Match
+block.
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum

usr.bin/w/w.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: w.c,v 1.69 2024/08/19 07:28:22 florian Exp $	*/
+/*	$OpenBSD: w.c,v 1.70 2024/09/15 07:14:58 jsg Exp $	*/
 
 /*-
  * Copyright (c) 1980, 1991, 1993, 1994
@@ -107,7 +107,6 @@ main(int argc, char *argv[])
 	struct kinfo_proc *kp;
 	struct stat *stp;
 	FILE *ut;
-	struct in_addr addr;
 	int ch, i, nentries, nusers, wcmd;
 	char *memf, *nlistf, *p, *x;
 	char buf[HOST_NAME_MAX+1], errbuf[_POSIX2_LINE_MAX];

usr.sbin/radiusctl/parser.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.5 2024/09/02 04:45:22 yasuoka Exp $	*/
+/*	$OpenBSD: parser.c,v 1.6 2024/09/15 05:26:05 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -158,6 +158,7 @@ static const struct token t_ipcp[] = {
 	{ KEYWORD,	"dump",		IPCP_DUMP,	t_ipcp_flags },
 	{ KEYWORD,	"monitor",	IPCP_MONITOR,	t_ipcp_flags },
 	{ KEYWORD,	"disconnect",	IPCP_DISCONNECT,t_ipcp_session_seq },
+	{ KEYWORD,	"delete",	IPCP_DELETE,	t_ipcp_session_seq },
 	{ ENDTOKEN,	"",		NONE,		NULL }
 };
 

usr.sbin/radiusctl/parser.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.h,v 1.4 2024/07/24 08:27:20 yasuoka Exp $	*/
+/*	$OpenBSD: parser.h,v 1.5 2024/09/15 05:26:05 yasuoka Exp $	*/
 
 /* This file is derived from OpenBSD:src/usr.sbin/ikectl/parser.h 1.9 */
 /*
@@ -29,6 +29,7 @@ enum actions {
 	IPCP_SHOW,
 	IPCP_DUMP,
 	IPCP_MONITOR,
+	IPCP_DELETE,
 	IPCP_DISCONNECT
 };
 

usr.sbin/radiusctl/radiusctl.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: radiusctl.8,v 1.9 2024/07/24 08:27:20 yasuoka Exp $
+.\"	$OpenBSD: radiusctl.8,v 1.10 2024/09/15 05:26:05 yasuoka Exp $
 .\"
 .\" Copyright (c) YASUOKA Masahiko <yasuoka@yasuoka.net>
 .\"
@@ -15,7 +15,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: July 24 2024 $
+.Dd $Mdocdate: September 15 2024 $
 .Dt RADIUSCTL 8
 .Os
 .Sh NAME
@@ -114,6 +114,10 @@ shows the sessions in JSON format.
 .It Cm ipcp disconnect Ar sequence
 Request to disconnect the session specified by the
 .Ar sequence .
+.It Cm ipcp delete Ar sequence
+Request to delete the session specified by the
+.Ar sequence
+without requesting disconnection.
 .El
 .Sh EXAMPLES
 .Bd -literal -offset indent

usr.sbin/radiusctl/radiusctl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusctl.c,v 1.12 2024/07/24 08:27:20 yasuoka Exp $	*/
+/*	$OpenBSD: radiusctl.c,v 1.13 2024/09/15 05:26:05 yasuoka Exp $	*/
 /*
  * Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
  *
@@ -170,6 +170,7 @@ main(int argc, char *argv[])
 		    IMSG_RADIUSD_MODULE_IPCP_MONITOR :
 		    IMSG_RADIUSD_MODULE_IPCP_DUMP, 0, 0, -1, iov, niov);
 		break;
+	case IPCP_DELETE:
 	case IPCP_DISCONNECT:
 		memset(module_name, 0, sizeof(module_name));
 		strlcpy(module_name, "ipcp",
@@ -178,8 +179,10 @@ main(int argc, char *argv[])
 		iov[niov++].iov_len = RADIUSD_MODULE_NAME_LEN;
 		iov[niov].iov_base = &res->session_seq;
 		iov[niov++].iov_len = sizeof(res->session_seq);
-		imsg_composev(&ibuf, IMSG_RADIUSD_MODULE_IPCP_DISCONNECT, 0, 0,
+		imsg_composev(&ibuf,
-		    -1, iov, niov);
+		    (res->action == IPCP_DELETE)
+		    ? IMSG_RADIUSD_MODULE_IPCP_DELETE
+		    : IMSG_RADIUSD_MODULE_IPCP_DISCONNECT, 0, 0, -1, iov, niov);
 		break;
 	}
 	while (ibuf.w.queued) {
@@ -199,6 +202,7 @@ main(int argc, char *argv[])
 			case IPCP_SHOW:
 			case IPCP_DUMP:
 			case IPCP_MONITOR:
+			case IPCP_DELETE:
 			case IPCP_DISCONNECT:
 				done = ipcp_handle_imsg(res, &imsg, cnt++);
 				break;

usr.sbin/radiusd/eap2mschap_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: eap2mschap_local.h,v 1.2 2024/07/16 06:18:20 miod Exp $	*/
+/*	$OpenBSD: eap2mschap_local.h,v 1.3 2024/09/15 05:49:05 jsg Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -70,7 +70,7 @@ struct eap_mschap_challenge {
 	uint8_t		chall[16];
 	char		chap_name[0];
 } __packed;
-#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
 static_assert(sizeof(struct eap_mschap_challenge) == 26, "");
 static_assert(offsetof(struct eap_mschap_challenge, chap) == 5, "");
 static_assert(offsetof(struct eap_mschap_challenge, chall) == 10, "");
@@ -87,7 +87,7 @@ struct eap_mschap_response {
 	uint8_t		flags;
 	uint8_t		chap_name[0];
 } __packed;
-#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
 static_assert(sizeof(struct eap_mschap_response) == 59, "");
 static_assert(offsetof(struct eap_mschap_response, chap) == 5, "");
 static_assert(offsetof(struct eap_mschap_response, peerchall) == 10, "");

usr.sbin/radiusd/radiusd_eap2mschap.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd_eap2mschap.c,v 1.3 2024/08/16 09:52:16 yasuoka Exp $	*/
+/*	$OpenBSD: radiusd_eap2mschap.c,v 1.4 2024/09/15 05:31:23 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -427,19 +427,18 @@ eap_recv(struct eap2mschap *self, u_int q_id, RADIUS_PACKET *pkt)
 		goto fail;
 	case EAP_TYPE_MSCHAPV2:
 		if (msgsiz < offsetof(struct eap, value[1])) {
-			log_warnx(
+			log_warnx("q=%u EAP state=%s Received message has "
-			    "q=%u EAP state=%s Received message has wrong in "
+			    "wrong in size for EAP-MS-CHAPV2: received length "
-			    "size for EAP-MS-CHAPV2: received length %zu "
+			    "%zu eap.length=%u", q_id,
-			    "eap.length=%u", q_id, hex_string(state, statesiz,
+			    hex_string(state, statesiz, buf2, sizeof(buf2)),
-			    buf2, sizeof(buf2)), msgsiz, ntohs(eap->length));
+			    msgsiz, ntohs(eap->length));
 			goto fail;
 		}
 		req = eap_recv_mschap(self, req, pkt, (struct eap_chap *)eap);
 
 		break;
 	default:
-		log_warnx(
+		log_warnx("q=%u EAP state=%s EAP unknown type=%u receieved.",
-		    "q=%u EAP state=%s EAP unknown type=%u receieved.",
 		    q_id, hex_string(state, statesiz, buf2, sizeof(buf2)),
 		    eap->value[0]);
 		goto fail;
@@ -476,9 +475,8 @@ eap_recv_mschap(struct eap2mschap *self, struct access_req *req,
 		    htons(resp->chap.length) <
 		    sizeof(struct eap_mschap_response) -
 		    offsetof(struct eap_mschap_response, chap)) {
-			log_warnx(
+			log_warnx("q=%u EAP state=%s Received EAP message has "
-			    "q=%u EAP state=%s Received EAP message has wrong "
+			    "wrong in size: received length %zu eap.length=%u "
-			    "in size: received length %zu eap.length=%u "
 			    "chap.length=%u valuesize=%u", req->q_id,
 			    hex_string(req->state, sizeof(req->state), buf,
 			    sizeof(buf)), eapsiz, ntohs(resp->eap.length),

usr.sbin/radiusd/radiusd_ipcp.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd_ipcp.c,v 1.14 2024/08/27 06:06:14 florian Exp $	*/
+/*	$OpenBSD: radiusd_ipcp.c,v 1.17 2024/09/15 05:31:23 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -122,8 +122,10 @@ struct module_ipcp_dae {
 		struct sockaddr_in6	 sin6;
 	}				 nas_addr;
 	struct event			 ev_sock;
+	struct event			 ev_reqs;
 	TAILQ_ENTRY(module_ipcp_dae)	 next;
 	TAILQ_HEAD(, assigned_ipv4)	 reqs;
+	int				 ninflight;
 };
 
 struct module_ipcp {
@@ -178,6 +180,8 @@ struct assigned_ipv4
 		    struct in_addr);
 static struct assigned_ipv4
 		*ipcp_ipv4_find(struct module_ipcp *, struct in_addr);
+static void	 ipcp_ipv4_delete(struct module_ipcp *,
+		    struct assigned_ipv4 *, const char *);
 static void	 ipcp_ipv4_release(struct module_ipcp *,
 		    struct assigned_ipv4 *);
 static int	 assigned_ipv4_compar(struct assigned_ipv4 *,
@@ -198,6 +202,7 @@ static void	 ipcp_dae_send_disconnect_request(struct assigned_ipv4 *);
 static void	 ipcp_dae_request_on_timeout(int, short, void *);
 static void	 ipcp_dae_on_event(int, short, void *);
 static void	 ipcp_dae_reset_request(struct assigned_ipv4 *);
+static void	 ipcp_dae_send_pending_requests(int, short, void *);
 static struct ipcp_address
 		*parse_address_range(const char *);
 static const char
@@ -303,18 +308,20 @@ ipcp_start(void *ctx)
 	TAILQ_FOREACH(dae, &self->daes, next) {
 		if ((sock = socket(dae->nas_addr.sin4.sin_family,
 		    SOCK_DGRAM, IPPROTO_UDP)) == -1) {
-			log_warn("could not start dae: %s", strerror(errno));
+			log_warn("%s: could not start dae: socket()", __func__);
 			return;
 		}
 		if (connect(sock, (struct sockaddr *)&dae->nas_addr,
 		    dae->nas_addr.sin4.sin_len) == -1) {
-			log_warn("could not start dae: %s", strerror(errno));
+			log_warn("%s: could not start dae: connect()",
+			    __func__);
 			return;
 		}
 		dae->sock = sock;
 		event_set(&dae->ev_sock, sock, EV_READ | EV_PERSIST,
 		    ipcp_dae_on_event, dae);
 		event_add(&dae->ev_sock, NULL);
+		evtimer_set(&dae->ev_reqs, ipcp_dae_send_pending_requests, dae);
 	}
 
 	module_send_message(self->base, IMSG_OK, NULL);
@@ -334,6 +341,8 @@ ipcp_stop(void *ctx)
 			close(dae->sock);
 			dae->sock = -1;
 		}
+		if (evtimer_pending(&dae->ev_reqs, NULL))
+			event_del(&dae->ev_reqs);
 	}
 	if (evtimer_pending(&self->ev_timer, NULL))
 		evtimer_del(&self->ev_timer);
@@ -624,10 +633,14 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg)
 		freezero(dump ,dumpsiz);
 		break;
 	case IMSG_RADIUSD_MODULE_IPCP_DISCONNECT:
+	case IMSG_RADIUSD_MODULE_IPCP_DELETE:
 		if (datalen < sizeof(unsigned)) {
 			log_warn("%s: received "
-			    "IMSG_RADIUSD_MODULE_IPCP_DISCONNECT message size "
+			    "%s message size is wrong", __func__,
-			    "is wrong", __func__);
+			    (imsg->hdr.type ==
+			    IMSG_RADIUSD_MODULE_IPCP_DISCONNECT)
+			    ? "IMSG_RADIUSD_MODULE_IPCP_DISCONNECT"
+			    : "IMSG_RADIUSD_MODULE_IPCP_DELETE");
 			goto fail;
 		}
 		seq = *(unsigned *)imsg->data;
@@ -640,12 +653,19 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg)
 		}
 		if (assign == NULL) {
 			cause = "session not found";
-			log_warnx("Disconnect seq=%u requested, but the "
+			log_warnx("%s seq=%u requested, but the "
-			    "session is not found", seq);
+			    "session is not found",
+			    (imsg->hdr.type ==
+			    IMSG_RADIUSD_MODULE_IPCP_DISCONNECT)? "Disconnect"
+			    : "Delete", seq);
 			module_imsg_compose(self->base, IMSG_NG,
 			    imsg->hdr.peerid, 0, -1, cause, strlen(cause) + 1);
-		}
+		} else if (imsg->hdr.type == IMSG_RADIUSD_MODULE_IPCP_DELETE) {
-		else {
+			log_info("Delete seq=%u by request", assign->seq);
+			ipcp_ipv4_delete(self,  assign, "By control");
+			module_imsg_compose(self->base, IMSG_OK,
+			    imsg->hdr.peerid, 0, -1, NULL, 0);
+		} else {
 			if (assign->dae == NULL)
 				log_warnx("Disconnect seq=%u requested, but "
 				    "DAE is not configured", assign->seq);
@@ -1059,10 +1079,12 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
 			    !IN6_ARE_ADDR_EQUAL(&assign->nas_ipv6, &nas_ipv6) ||
 			    strcmp(assign->nas_id, nas_id) != 0)
 				continue;
-			log_info("Delete record for %s", inet_ntop(AF_INET,
+			log_info("q=%u Delete record for %s", q_id,
-			    &assign->ipv4, buf, sizeof(buf)));
+			    inet_ntop(AF_INET, &assign->ipv4, buf,
-			ipcp_del_db(self, assign);
+			    sizeof(buf)));
-			ipcp_ipv4_release(self, assign);
+			ipcp_ipv4_delete(self, assign,
+			    (type == RADIUS_ACCT_STATUS_TYPE_ACCT_ON)
+			    ? "Receive Acct-On" : "Receive Acct-Off");
 		}
 		return;
 	}
@@ -1144,9 +1166,9 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
 
 		if (ipcp_notice_startstop(self, assign, 1, NULL) != 0)
 			goto fail;
-		log_info("Start seq=%u user=%s duration=%dsec session=%s "
+		log_info("q=%u Start seq=%u user=%s duration=%dsec "
-		    "tunnel=%s from=%s auth=%s ip=%s", assign->seq,
+		    "session=%s tunnel=%s from=%s auth=%s ip=%s", q_id,
-		    assign->user->name, delay, assign->session_id,
+		    assign->seq, assign->user->name, delay, assign->session_id,
 		    assign->tun_type, print_addr((struct sockaddr *)
 		    &assign->tun_client, buf1, sizeof(buf1)),
 		    assign->auth_method, inet_ntop(AF_INET, &addr4, buf,
@@ -1180,10 +1202,10 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
 			strlcpy(stat.cause, radius_terminate_cause_string(uval),
 			    sizeof(stat.cause));
 
-		log_info("Stop seq=%u user=%s duration=%lldsec session=%s "
+		log_info("q=%u Stop seq=%u user=%s duration=%lldsec "
-		    "tunnel=%s from=%s auth=%s ip=%s datain=%"PRIu64"bytes,%"
+		    "session=%s tunnel=%s from=%s auth=%s ip=%s "
-		    PRIu32"packets dataout=%"PRIu64"bytes,%"PRIu32"packets "
+		    "datain=%"PRIu64"bytes,%" PRIu32"packets dataout=%"PRIu64
-		    "cause=\"%s\"",
+		    "bytes,%"PRIu32"packets cause=\"%s\"", q_id,
 		    assign->seq, assign->user->name, dur.tv_sec,
 		    assign->session_id, assign->tun_type, print_addr(
 		    (struct sockaddr *)&assign->tun_client, buf1, sizeof(buf1)),
@@ -1254,6 +1276,20 @@ ipcp_ipv4_find(struct module_ipcp *self, struct in_addr ina)
 	return (ret);
 }
 
+void
+ipcp_ipv4_delete(struct module_ipcp *self, struct assigned_ipv4 *assign,
+    const char *cause)
+{
+	static struct radiusd_ipcp_statistics stat = { 0 };
+
+	memset(stat.cause, 0, sizeof(stat.cause));
+	strlcpy(stat.cause, cause, sizeof(stat.cause));
+
+	ipcp_del_db(self, assign);
+	ipcp_notice_startstop(self, assign, 0, &stat);
+	ipcp_ipv4_release(self, assign);
+}
+
 void
 ipcp_ipv4_release(struct module_ipcp *self, struct assigned_ipv4 *assign)
 {
@@ -1567,22 +1603,27 @@ ipcp_dae_send_disconnect_request(struct assigned_ipv4 *assign)
 		radius_set_accounting_request_authenticator(reqpkt,
 		    assign->dae->secret);
 		assign->dae_reqpkt = reqpkt;
+		TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
 	}
 
 	if (assign->dae_ntry == 0) {
+		if (assign->dae->ninflight >= RADIUSD_IPCP_DAE_MAX_INFLIGHT)
+			return;
 		log_info("Sending Disconnect-Request seq=%u to %s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &assign->dae->nas_addr, buf, sizeof(buf)));
-		TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
 	}
 
 	if (radius_send(assign->dae->sock, assign->dae_reqpkt, 0) < 0)
 		log_warn("%s: sendto: %m", __func__);
 
-	tv.tv_sec = dae_request_timeouts[assign->dae_ntry++];
+	tv.tv_sec = dae_request_timeouts[assign->dae_ntry];
 	tv.tv_usec = 0;
 	evtimer_set(&assign->dae_evtimer, ipcp_dae_request_on_timeout, assign);
 	evtimer_add(&assign->dae_evtimer, &tv);
+	if (assign->dae_ntry == 0)
+		assign->dae->ninflight++;
+	assign->dae_ntry++;
 }
 
 void
@@ -1625,7 +1666,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 	if ((radres = radius_recv(dae->sock, 0)) == NULL) {
 		if (errno == EAGAIN)
 			return;
-		log_warn("Failed to receive from %s", print_addr(
+		log_warn("%s: Failed to receive from %s", __func__, print_addr(
 		    (struct sockaddr *)&dae->nas_addr, buf, sizeof(buf)));
 		return;
 	}
@@ -1634,16 +1675,16 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 			break;
 	}
 	if (assign == NULL) {
-		log_warnx("Received RADIUS packet from %s has unknown id=%d",
+		log_warnx("%s: Received RADIUS packet from %s has unknown "
-		    print_addr((struct sockaddr *)&dae->nas_addr, buf,
+		    "id=%d", __func__, print_addr((struct sockaddr *)
-		    sizeof(buf)), radius_get_id(radres));
+		    &dae->nas_addr, buf, sizeof(buf)), radius_get_id(radres));
 		goto out;
 	}
 
 	radius_set_request_packet(radres, assign->dae_reqpkt);
 	if ((radius_check_response_authenticator(radres, dae->secret)) != 0) {
-		log_warnx("Received RADIUS packet for seq=%u from %s has a bad "
+		log_warnx("%s: Received RADIUS packet for seq=%u from %s has "
-		    "authenticator", assign->seq, print_addr(
+		    "a bad authenticator", __func__, assign->seq, print_addr(
 			(struct sockaddr *)&dae->nas_addr, buf,
 		    sizeof(buf)));
 		goto out;
@@ -1667,13 +1708,13 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 		    &dae->nas_addr, buf, sizeof(buf)), cause);
 		break;
 	case RADIUS_CODE_DISCONNECT_NAK:
-		log_warnx("Received Disconnect-NAK for seq=%u from %s%s",
+		log_info("Received Disconnect-NAK for seq=%u from %s%s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &dae->nas_addr, buf, sizeof(buf)), cause);
 		break;
 	default:
-		log_warn("Received unknown code=%d for id=%u from %s",
+		log_warn("%s: Received unknown code=%d for id=%u from %s",
-		    code, assign->seq, print_addr((struct sockaddr *)
+		    __func__, code, assign->seq, print_addr((struct sockaddr *)
 		    &dae->nas_addr, buf, sizeof(buf)));
 		break;
 	}
@@ -1700,10 +1741,16 @@ void
 ipcp_dae_reset_request(struct assigned_ipv4 *assign)
 {
 	struct radiusctl_client		*client, *clientt;
+	const struct timeval		 zero = { 0, 0 };
 
 	if (assign->dae != NULL) {
-		if (assign->dae_ntry > 0)
+		if (assign->dae_reqpkt != NULL)
 			TAILQ_REMOVE(&assign->dae->reqs, assign, dae_next);
+		if (assign->dae_ntry > 0) {
+			assign->dae->ninflight--;
+			if (!evtimer_pending(&assign->dae->ev_reqs, NULL))
+				evtimer_add(&assign->dae->ev_reqs, &zero);
+		}
 	}
 	if (assign->dae_reqpkt != NULL)
 		radius_delete_packet(assign->dae_reqpkt);
@@ -1717,6 +1764,23 @@ ipcp_dae_reset_request(struct assigned_ipv4 *assign)
 	assign->dae_ntry = 0;
 }
 
+void
+ipcp_dae_send_pending_requests(int fd, short ev, void *ctx)
+{
+	struct module_ipcp_dae	*dae = ctx;
+	struct module_ipcp	*self = dae->ipcp;
+	struct assigned_ipv4	*assign, *assignt;
+
+	ipcp_update_time(self);
+
+	TAILQ_FOREACH_SAFE(assign, &dae->reqs, dae_next, assignt) {
+		if (dae->ninflight >= RADIUSD_IPCP_DAE_MAX_INFLIGHT)
+			break;
+		if (assign->dae_ntry == 0)	/* pending */
+			ipcp_dae_send_disconnect_request(assign);
+	}
+}
+
 /***********************************************************************
  * Miscellaneous functions
  ***********************************************************************/

usr.sbin/radiusd/radiusd_ipcp.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd_ipcp.h,v 1.1 2024/07/09 17:26:14 yasuoka Exp $	*/
+/*	$OpenBSD: radiusd_ipcp.h,v 1.3 2024/09/15 05:29:11 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -24,12 +24,15 @@
 
 #include "radiusd.h"
 
+#define	RADIUSD_IPCP_DAE_MAX_INFLIGHT	64
+
 enum imsg_module_ipcp_type {
 	IMSG_RADIUSD_MODULE_IPCP_DUMP = IMSG_RADIUSD_MODULE_MIN,
 	IMSG_RADIUSD_MODULE_IPCP_MONITOR,
 	IMSG_RADIUSD_MODULE_IPCP_DUMP_AND_MONITOR,
 	IMSG_RADIUSD_MODULE_IPCP_START,
 	IMSG_RADIUSD_MODULE_IPCP_STOP,
+	IMSG_RADIUSD_MODULE_IPCP_DELETE,
 	IMSG_RADIUSD_MODULE_IPCP_DISCONNECT
 };
 

usr.sbin/radiusd/radiusd_module.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd_module.c,v 1.19 2024/07/14 15:27:57 yasuoka Exp $	*/
+/*	$OpenBSD: radiusd_module.c,v 1.20 2024/09/15 05:14:32 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
@@ -643,9 +643,13 @@ module_on_event(int fd, short evmask, void *ctx)
 		if (ret > 0)
 			continue;
 		base->writeready = false;
-		if (ret == 0 && errno == EAGAIN)
+		if (ret == -1 && errno == EAGAIN)
 			break;
-		syslog(LOG_ERR, "%s: msgbuf_write: %m", __func__);
+		if (ret == 0)
+			syslog(LOG_ERR, "%s: connection is closed", __func__);
+		else
+			syslog(LOG_ERR, "%s: msgbuf_write: %d %m", __func__,
+			    ret);
 		module_stop(base);
 		return;
 	}