From 6d4aa64db69f4bb886c002cfebb9a7c273883b82 Mon Sep 17 00:00:00 2001 From: purplerain Date: Thu, 1 Feb 2024 02:39:06 +0000 Subject: [PATCH] sync with OpenBSD -current
---
etc/skel/dot.version | 2 +- gnu/usr.bin/binutils/gdb/amd64obsd-tdep.c | 4 +- lib/libcrypto/man/EVP_CIPHER_do_all.3 | 97 ++++++++- lib/libcrypto/man/OBJ_NAME_add.3 | 45 +--- lib/libcrypto/man/OBJ_create.3 | 5 +- lib/libcrypto/man/OBJ_find_sigid_algs.3 | 5 +- lib/libcrypto/man/OBJ_nid2obj.3 | 7 +- share/man/man4/pfsync.4 | 10 +- sys/arch/amd64/amd64/trap.c | 22 +- sys/arch/amd64/amd64/vmm_machdep.c | 10 +- sys/arch/amd64/include/cpufunc.h | 8 +- sys/arch/amd64/include/frame.h | 14 +- sys/arch/arm/include/vmparam.h | 5 +- sys/dev/fdt/com_fdt.c | 7 +- sys/net/route.c | 45 +++- sys/net/route.h | 6 +- sys/netinet/in_pcb.c | 41 ++-- sys/netinet/in_pcb.h | 4 +- sys/netinet/ip_input.c | 16 +- sys/netinet/ip_output.c | 21 +- sys/netinet6/in6.h | 5 +- sys/netinet6/in6_pcb.c | 31 ++- sys/netinet6/ip6_output.c | 4 +- usr.sbin/bgpctl/bgpctl.c | 24 +-- usr.sbin/bgpctl/bgpctl.h | 4 +- usr.sbin/bgpctl/output.c | 241 +++++++++------------ usr.sbin/bgpctl/output_json.c | 246 +++++++++------------- usr.sbin/rpki-client/extern.h | 5 +- usr.sbin/rpki-client/mft.c | 26 ++- usr.sbin/rpki-client/parser.c | 94 ++++++--- usr.sbin/rpki-client/rpki-client.8 | 10 +- usr.sbin/rpki-client/x509.c | 4 +- 32 files changed, 551 insertions(+), 517 deletions(-)
diff --git a/etc/skel/dot.version b/etc/skel/dot.version
index 1bfb2254c..d5dbac8ef 100644
--- a/etc/skel/dot.version
+++ b/etc/skel/dot.version
@@ -1 +1 @@
-# SecBSD 1.4-266d9df: Thu Jan 18 08:15:34 UTC 2024 (Mictlantecuhtli)
+# SecBSD 1.4-ddf4db4: Thu Feb 1 02:09:51 UTC 2024 (Mictlantecuhtli)
diff --git a/gnu/usr.bin/binutils/gdb/amd64obsd-tdep.c b/gnu/usr.bin/binutils/gdb/amd64obsd-tdep.c
index b845c2ec5..726d3e5df 100644
--- a/gnu/usr.bin/binutils/gdb/amd64obsd-tdep.c
+++ b/gnu/usr.bin/binutils/gdb/amd64obsd-tdep.c
@@ -362,7 +362,7 @@ static int amd64obsd_tf_reg_offset[] = { 14 * 8, /* %rax */ 13 * 8, /* %rbx */ - 3 * 8, /* %rcx */ + 6 * 8, /* %rcx */ 2 * 8, /* %rdx */ 1 * 8, /* %rsi */ 0 * 8, /* %rdi */ @@ -370,7 +370,7 @@ static int amd64obsd_tf_reg_offset[] = 20 * 8, /* %rsp */ 4 * 8, /* %r8 ... */ 5 * 8, - 6 * 8, + 3 * 8, 7 * 8, 8 * 8, 9 * 8, diff --git a/lib/libcrypto/man/EVP_CIPHER_do_all.3 b/lib/libcrypto/man/EVP_CIPHER_do_all.3 index 1d43d503d..9411a41f7 100644 --- a/lib/libcrypto/man/EVP_CIPHER_do_all.3 +++ b/lib/libcrypto/man/EVP_CIPHER_do_all.3 @@ -1,6 +1,7 @@ -.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.1 2023/08/30 00:58:57 tb Exp $ +.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.2 2024/01/31 08:02:53 tb Exp $ .\" -.\" Copyright (c) 2023 Theo Buehler +.\" Copyright (c) 2023,2024 Theo Buehler +.\" Copyright (c) 2021 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 30 2023 $ +.Dd $Mdocdate: January 31 2024 $ .Dt EVP_CIPHER_DO_ALL 3 .Os .Sh NAME @@ -49,6 +50,27 @@ const char *to, void *arg)" .Fa "void *arg" .Fc +.Bd -literal +typedef struct { + int type; + int alias; + const char *name; + const char *data; +} OBJ_NAME; +.Ed +.Pp +.Ft void +.Fo OBJ_NAME_do_all +.Fa "int type" +.Fa "void (*fn)(const OBJ_NAME *obj_name, void *arg)" +.Fa "void *arg" +.Fc +.Ft void +.Fo OBJ_NAME_do_all_sorted +.Fa "int type" +.Fa "void (*fn)(const OBJ_NAME *obj_name, void *arg)" +.Fa "void *arg" +.Fc .Sh DESCRIPTION .Fn EVP_CIPHER_do_all calls 
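Review bot: The two swapped entries in `amd64obsd_tf_reg_offset[]` (%rcx now `6 * 8`, the third slot after %r8 now `3 * 8`) are bare numbers that must track the kernel's `struct trapframe` field order, and nothing in the table says so. The same commit swaps `tf_rcx` and `tf_r10` in sys/arch/amd64/include/frame.h, so the new values look consistent, but a later layout change could leave gdb reading the wrong saved register without any build error. I would add a comment above the table such as `/* Offsets index struct trapframe (sys/arch/amd64/include/frame.h); update both together. */`. The array initializer starts and ends outside these hunks.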
@@ -117,18 +139,71 @@ in lexicographic order of their .Fa from names as determined by .Xr strcmp 3 . +.Pp +.Vt OBJ_NAME +is an abstraction of the types underlying the lookup tables +for ciphers and their aliases, and digests and their aliases, respectively. +For a cipher, +.Fa type +is +.Dv OBJ_NAME_TYPE_CIPHER_METH , +.Fa alias +is 0, +.Fa name +is its lookup name and +.Fa data +is the +.Vt EVP_CIPHER +object it represents, cast to +.Vt const char * . +For a cipher alias, +.Fa type +is +.Dv OBJ_NAME_TYPE_CIPHER_METH , +.Fa alias +is +.Dv OBJ_NAME_ALIAS , +.Fa name +is its lookup name and +.Fa data +is the name it aliases. +Digests representing an +.Vt EVP_MD +object and their aliases are represented similarly, except that their type is +.Dv OBJ_NAME_TYPE_MD_METH . +.Pp +.Fn OBJ_NAME_do_all +calls +.Fa fn +on every +.Fa obj_name +in the table that has the given +.Fa type +(either +.Dv OBJ_NAME_TYPE_CIPHER_METH +or +.Dv OBJ_NAME_TYPE_MD_METH ) , +also passing the +.Fa arg +pointer. +.Fn OBJ_NAME_do_all_sorted +is similar except that it processes the +.Fa obj_name +in lexicographic order of their names as determined by +.Xr strcmp 3 . .Sh SEE ALSO .Xr evp 3 , -.Xr EVP_add_cipher 3 , -.Xr OBJ_NAME_do_all 3 +.Xr EVP_get_cipherbyname 3 , +.Xr EVP_get_digestbyname 3 .Sh HISTORY These functions first appeared in OpenSSL 1.0.0 and have been available since .Ox 4.9 . -.Sh BUGS -.Fn EVP_CIPHER_do_all_sorted +.Sh CAVEATS +.Fn EVP_CIPHER_do_all_sorted , +.Fn EVP_MD_do_all_sorted , and -.Fn EVP_MD_do_all_sorted -are wrappers of -.Xr OBJ_NAME_do_all_sorted 3 . -In particular, if memory allocation fails, they do nothing at all +.Fn OBJ_NAME_do_all_sorted +cannot report errors. +In some implementations they need to allocate internally and +if memory allocation fails they do nothing at all, without telling the caller about the problem. diff --git a/lib/libcrypto/man/OBJ_NAME_add.3 b/lib/libcrypto/man/OBJ_NAME_add.3 index ad2ba8089..0b46010c4 100644 
--- a/lib/libcrypto/man/OBJ_NAME_add.3 +++ b/lib/libcrypto/man/OBJ_NAME_add.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OBJ_NAME_add.3,v 1.5 2023/09/01 12:13:13 schwarze Exp $ +.\" $OpenBSD: OBJ_NAME_add.3,v 1.6 2024/01/31 08:02:53 tb Exp $ .\" .\" Copyright (c) 2021 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 1 2023 $ +.Dd $Mdocdate: January 31 2024 $ .Dt OBJ_NAME_ADD 3 .Os .Sh NAME @@ -23,9 +23,7 @@ .Nm OBJ_NAME_get , .Nm OBJ_NAME_new_index , .Nm OBJ_NAME_init , -.Nm OBJ_NAME_cleanup , -.Nm OBJ_NAME_do_all , -.Nm OBJ_NAME_do_all_sorted +.Nm OBJ_NAME_cleanup .Nd global associative array .Sh SYNOPSIS .In openssl/objects.h @@ -63,19 +61,6 @@ typedef struct { const char *data; } OBJ_NAME; .Ed -.Pp -.Ft void -.Fo OBJ_NAME_do_all -.Fa "int type" -.Fa "void (*fn)(const OBJ_NAME *pair, void *arg)" -.Fa "void *arg" -.Fc -.Ft void -.Fo OBJ_NAME_do_all_sorted -.Fa "int type" -.Fa "void (*fn)(const OBJ_NAME *pair, void *arg)" -.Fa "void *arg" -.Fc .Sh DESCRIPTION These functions implement a single, static associative array with the following properties: @@ -264,25 +249,6 @@ If the field is 0, the .Fa data field contains the value; otherwise, it contains the alias target name. -.Pp -.Fn OBJ_NAME_do_all -calls -.Fa fn -on every -.Fa pair -and alias in the array that has the given -.Fa type , -also passing the -.Fa arg -pointer. -.Fn OBJ_NAME_do_all_sorted -is similar except that it processes the pairs and aliases -in lexicographic order of their names as determined by -.Xr strcmp 3 , -ignoring any -.Fa cmp_func -that may be defined for the -.Fa type . .Sh RETURN VALUES .Fn OBJ_NAME_add and 
@@ -339,8 +305,3 @@ that requires more cleanup than merely calling .Xr free 3 on it, instances of the type need to begin with a magic number or string that cannot occur at the beginning of a name. -.Pp -.Fn OBJ_NAME_do_all_sorted -is unable to report errors. -If memory allocations fails, it does nothing at all -without telling the caller about the problem. diff --git a/lib/libcrypto/man/OBJ_create.3 b/lib/libcrypto/man/OBJ_create.3 index 6bc255e98..fa5bde3dd 100644 --- a/lib/libcrypto/man/OBJ_create.3 +++ b/lib/libcrypto/man/OBJ_create.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OBJ_create.3,v 1.9 2024/01/13 19:06:20 tb Exp $ +.\" $OpenBSD: OBJ_create.3,v 1.10 2024/01/31 08:02:53 tb Exp $ .\" full merge up to: .\" OpenSSL OBJ_nid2obj.pod 9b86974e Aug 17 15:21:33 2015 -0400 .\" selective merge up to: @@ -69,7 +69,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 13 2024 $ +.Dd $Mdocdate: January 31 2024 $ .Dt OBJ_CREATE 3 .Os .Sh NAME @@ -200,7 +200,6 @@ obj = OBJ_nid2obj(new_nid); .Ed .Sh SEE ALSO .Xr ASN1_OBJECT_new 3 , -.Xr OBJ_NAME_add 3 , .Xr OBJ_nid2obj 3 .Sh HISTORY .Fn OBJ_new_nid , diff --git a/lib/libcrypto/man/OBJ_find_sigid_algs.3 b/lib/libcrypto/man/OBJ_find_sigid_algs.3 index 9aeb54c90..1d7a2b649 100644 --- a/lib/libcrypto/man/OBJ_find_sigid_algs.3 +++ b/lib/libcrypto/man/OBJ_find_sigid_algs.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.1 2023/07/22 06:35:26 tb Exp $ +.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.2 2024/01/31 08:02:53 tb Exp $ .\" .\" Copyright (c) 2021 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 22 2023 $ +.Dd $Mdocdate: January 31 2024 $ .Dt OBJ_FIND_SIGID_ALGS 3 .Os .Sh NAME 
@@ -82,7 +82,6 @@ is not built into the library. .Sh SEE ALSO .Xr EVP_cleanup 3 , .Xr OBJ_create 3 , -.Xr OBJ_NAME_add 3 , .Xr OBJ_nid2obj 3 .Sh HISTORY These functions first appeared in OpenSSL 1.0.0 diff --git a/lib/libcrypto/man/OBJ_nid2obj.3 b/lib/libcrypto/man/OBJ_nid2obj.3 index 4e420b831..ccab1ed30 100644 --- a/lib/libcrypto/man/OBJ_nid2obj.3 +++ b/lib/libcrypto/man/OBJ_nid2obj.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: OBJ_nid2obj.3,v 1.21 2023/09/05 13:50:22 schwarze Exp $ +.\" $OpenBSD: OBJ_nid2obj.3,v 1.22 2024/01/31 08:02:53 tb Exp $ .\" full merge up to: OpenSSL c264592d May 14 11:28:00 2006 +0000 .\" selective merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200 .\" @@ -67,7 +67,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 5 2023 $ +.Dd $Mdocdate: January 31 2024 $ .Dt OBJ_NID2OBJ 3 .Os .Sh NAME @@ -435,8 +435,7 @@ object = OBJ_txt2obj("1.2.3.4", 1); .Xr ASN1_OBJECT_new 3 , .Xr BIO_new 3 , .Xr d2i_ASN1_OBJECT 3 , -.Xr OBJ_create 3 , -.Xr OBJ_NAME_add 3 +.Xr OBJ_create 3 .Sh HISTORY .Fn OBJ_nid2obj , .Fn OBJ_nid2ln , diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4 index b978bc025..c5c2d3fc0 100644 --- a/share/man/man4/pfsync.4 +++ b/share/man/man4/pfsync.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfsync.4,v 1.38 2023/10/18 07:56:45 benno Exp $ +.\" $OpenBSD: pfsync.4,v 1.39 2024/01/31 06:50:16 jmc Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff .\" Copyright (c) 2003-2004 Ryan McBride @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 18 2023 $ +.Dd $Mdocdate: January 31 2024 $ .Dt PFSYNC 4 .Os .Sh NAME 
@@ -69,11 +69,9 @@ packet where possible. The maximum number of times a single state can be updated before a .Nm packet will be sent out is controlled by the -.Ar maxupd -parameter to ifconfig -(see .Xr ifconfig 8 -and the example below for more details). +.Ar maxupd +parameter. The sending out of a .Nm packet will be delayed by a maximum of one second. diff --git a/sys/arch/amd64/amd64/trap.c b/sys/arch/amd64/amd64/trap.c index d64f7c1af..4df17486b 100644 --- a/sys/arch/amd64/amd64/trap.c +++ b/sys/arch/amd64/amd64/trap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: trap.c,v 1.103 2024/01/11 19:16:26 miod Exp $ */ +/* $OpenBSD: trap.c,v 1.104 2024/01/31 06:06:28 guenther Exp $ */ /* $NetBSD: trap.c,v 1.2 2003/05/04 23:51:56 fvdl Exp $ */ /*- @@ -553,7 +553,7 @@ syscall(struct trapframe *frame) const struct sysent *callp; struct proc *p; int error = ENOSYS; - register_t code, args[6], rval[2], *argp; + register_t code, *args, rval[2]; verify_smap(__func__); uvmexp.syscalls++; @@ -565,30 +565,16 @@ syscall(struct trapframe *frame) } code = frame->tf_rax; - argp = &args[0]; + args = (register_t *)&frame->tf_rdi; if (code <= 0 || code >= SYS_MAXSYSCALL) goto bad; callp = sysent + code; - switch (callp->sy_narg) { - case 6: - args[5] = frame->tf_r9; - case 5: - args[4] = frame->tf_r8; - case 4: - args[3] = frame->tf_r10; - case 3: - args[2] = frame->tf_rdx; - case 2: - args[1] = frame->tf_rsi; - case 1: - args[0] = frame->tf_rdi; - } rval[0] = 0; rval[1] = 0; - error = mi_syscall(p, code, callp, argp, rval); + error = mi_syscall(p, code, callp, args, rval); switch (error) { case 0: diff --git a/sys/arch/amd64/amd64/vmm_machdep.c b/sys/arch/amd64/amd64/vmm_machdep.c index 53f4424dc..0bbd2a407 100644 --- a/sys/arch/amd64/amd64/vmm_machdep.c +++ b/sys/arch/amd64/amd64/vmm_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vmm_machdep.c,v 1.15 2024/01/11 17:13:48 jan Exp $ */ +/* $OpenBSD: vmm_machdep.c,v 1.16 2024/01/31 05:49:33 guenther Exp $ */ /* * Copyright (c) 2014 Mike Larkin * 
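Review bot: `args = (register_t *)&frame->tf_rdi;` in syscall() now hands mi_syscall() a pointer into the live trapframe and depends on tf_rdi, tf_rsi, tf_rdx, tf_r10, tf_r8 and tf_r9 being six contiguous register_t-sized fields in exactly that order, yet nothing enforces this at compile time. The comment added to frame.h in this commit documents the ordering, but a later reorder or type change would make syscalls read the wrong argument registers silently. I would add, next to the assignment or the struct, `CTASSERT(offsetof(struct trapframe, tf_r9) == offsetof(struct trapframe, tf_rdi) + 5 * sizeof(register_t));`. Because the old code copied the registers into a local array, it is also worth confirming that no syscall path writes through `args`, since such a write would now change the saved user registers. syscall() starts and ends outside the hunk.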
@@ -4187,7 +4187,7 @@ vcpu_run_vmx(struct vcpu *vcpu, struct vm_run_params *vrp) /* Restore any guest PKRU state. */ if (vmm_softc->sc_md.pkru_enabled) - wrpkru(vcpu->vc_pkru); + wrpkru(0, vcpu->vc_pkru); ret = vmx_enter_guest(&vcpu->vc_control_pa, &vcpu->vc_gueststate, @@ -4197,7 +4197,7 @@ vcpu_run_vmx(struct vcpu *vcpu, struct vm_run_params *vrp) /* Restore host PKRU state. */ if (vmm_softc->sc_md.pkru_enabled) { vcpu->vc_pkru = rdpkru(0); - wrpkru(PGK_VALUE); + wrpkru(0, PGK_VALUE); } lidt(&idtr); @@ -6500,7 +6500,7 @@ vcpu_run_svm(struct vcpu *vcpu, struct vm_run_params *vrp) /* Restore any guest PKRU state. */ if (vmm_softc->sc_md.pkru_enabled) - wrpkru(vcpu->vc_pkru); + wrpkru(0, vcpu->vc_pkru); KASSERT(vmcb->v_intercept1 & SVM_INTERCEPT_INTR); wrmsr(MSR_AMD_VM_HSAVE_PA, vcpu->vc_svm_hsa_pa); @@ -6511,7 +6511,7 @@ vcpu_run_svm(struct vcpu *vcpu, struct vm_run_params *vrp) /* Restore host PKRU state. */ if (vmm_softc->sc_md.pkru_enabled) { vcpu->vc_pkru = rdpkru(0); - wrpkru(PGK_VALUE); + wrpkru(0, PGK_VALUE); } /* diff --git a/sys/arch/amd64/include/cpufunc.h b/sys/arch/amd64/include/cpufunc.h index 5ed3f0a89..c47964ec8 100644 --- a/sys/arch/amd64/include/cpufunc.h +++ b/sys/arch/amd64/include/cpufunc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpufunc.h,v 1.39 2023/01/30 02:32:01 dv Exp $ */ +/* $OpenBSD: cpufunc.h,v 1.40 2024/01/31 05:49:33 guenther Exp $ */ /* $NetBSD: cpufunc.h,v 1.3 2003/05/08 10:27:43 fvdl Exp $ */ /*- @@ -241,10 +241,10 @@ rdpkru(u_int ecx) } static __inline void -wrpkru(uint32_t pkru) +wrpkru(u_int ecx, uint32_t pkru) { - uint32_t ecx = 0, edx = 0; - __asm volatile("wrpkru" : : "a" (pkru), "c" (ecx), "d" (edx)); + uint32_t edx = 0; + asm volatile("wrpkru" : : "a" (pkru), "c" (ecx), "d" (edx)); } static __inline void diff --git a/sys/arch/amd64/include/frame.h b/sys/arch/amd64/include/frame.h index 19691ff19..d9b043363 100644 --- a/sys/arch/amd64/include/frame.h +++ b/sys/arch/amd64/include/frame.h 
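Review bot: The new `ecx` parameter of wrpkru() in cpufunc.h is undocumented, and every caller changed in this commit passes 0. The WRPKRU instruction raises a general-protection fault unless ECX and EDX are both zero, so any other argument would fault in kernel context. A short comment above the function would make the contract explicit, for example `/* ecx must be 0: WRPKRU raises #GP otherwise */`, together with a word on why it is a parameter at all (presumably to mirror `rdpkru(u_int ecx)`, but that is not stated here). The hunk also replaces `__asm volatile` with plain `asm volatile`; if the rest of the header uses the `__asm` spelling, keep it for consistency.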
@@ -1,4 +1,4 @@ -/* $OpenBSD: frame.h,v 1.10 2018/07/10 08:57:44 guenther Exp $ */ +/* $OpenBSD: frame.h,v 1.11 2024/01/31 06:06:28 guenther Exp $ */ /* $NetBSD: frame.h,v 1.1 2003/04/26 18:39:40 fvdl Exp $ */ /*- @@ -82,13 +82,13 @@ * Exception/Trap Stack Frame */ struct trapframe { - int64_t tf_rdi; + int64_t tf_rdi; /* ordered by syscall args... */ int64_t tf_rsi; int64_t tf_rdx; - int64_t tf_rcx; - int64_t tf_r8; - int64_t tf_r9; int64_t tf_r10; + int64_t tf_r8; + int64_t tf_r9; /* ...to here */ + int64_t tf_rcx; int64_t tf_r11; int64_t tf_r12; int64_t tf_r13; @@ -115,10 +115,10 @@ struct intrframe { int64_t if_rdi; int64_t if_rsi; int64_t if_rdx; - int64_t if_rcx; + int64_t if_r10; int64_t if_r8; int64_t if_r9; - int64_t if_r10; + int64_t if_rcx; int64_t if_r11; int64_t if_r12; int64_t if_r13; diff --git a/sys/arch/arm/include/vmparam.h b/sys/arch/arm/include/vmparam.h index 5f086f89c..f3867dad3 100644 --- a/sys/arch/arm/include/vmparam.h +++ b/sys/arch/arm/include/vmparam.h @@ -1,4 +1,4 @@ -/* $OpenBSD: vmparam.h,v 1.19 2018/03/05 01:39:13 deraadt Exp $ */ +/* $OpenBSD: vmparam.h,v 1.20 2024/02/01 00:39:57 deraadt Exp $ */ /* $NetBSD: vmparam.h,v 1.18 2003/05/21 18:04:44 thorpej Exp $ */ /* @@ -46,7 +46,8 @@ #define USRSTACK VM_MAXUSER_ADDRESS #define KERNBASE VM_MAXUSER_ADDRESS -#define MAXTSIZ (64*1024*1024) /* max text size */ +#define MAXTSIZ (128*1024*1024) /* max text size */ + #ifndef DFLDSIZ #define DFLDSIZ (128*1024*1024) /* initial data size limit */ #endif diff --git a/sys/dev/fdt/com_fdt.c b/sys/dev/fdt/com_fdt.c index 0b0c80fad..9415b3165 100644 --- a/sys/dev/fdt/com_fdt.c +++ b/sys/dev/fdt/com_fdt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: com_fdt.c,v 1.8 2023/08/15 07:56:27 miod Exp $ */ +/* $OpenBSD: com_fdt.c,v 1.9 2024/01/31 01:01:10 hastings Exp $ */ /* * Copyright (c) 2016 Patrick Wildt * 
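Review bot: The `struct intrframe` hunk moves `if_r10` and `if_rcx` exactly as `struct trapframe` was changed, but only trapframe received the "ordered by syscall args" comment, so the reason intrframe changed is not recorded. If the two structures must keep the same register order, which the parallel edit suggests, say so at the intrframe fields, e.g. `int64_t if_rdi; /* register order must match struct trapframe */`. Without it a future edit to one structure carries no hint that the other, and the gdb offset table in amd64obsd-tdep.c, has to follow.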
@@ -55,6 +55,7 @@ com_fdt_init_cons(void) if ((node = fdt_find_cons("brcm,bcm2835-aux-uart")) == NULL && (node = fdt_find_cons("marvell,armada-38x-uart")) == NULL && + (node = fdt_find_cons("mediatek,mt6577-uart")) == NULL && (node = fdt_find_cons("ns16550a")) == NULL && (node = fdt_find_cons("snps,dw-apb-uart")) == NULL && (node = fdt_find_cons("ti,omap3-uart")) == NULL && @@ -96,6 +97,7 @@ com_fdt_match(struct device *parent, void *match, void *aux) return (OF_is_compatible(faa->fa_node, "brcm,bcm2835-aux-uart") || OF_is_compatible(faa->fa_node, "marvell,armada-38x-uart") || + OF_is_compatible(faa->fa_node, "mediatek,mt6577-uart") || OF_is_compatible(faa->fa_node, "ns16550a") || OF_is_compatible(faa->fa_node, "snps,dw-apb-uart") || OF_is_compatible(faa->fa_node, "ti,omap3-uart") || @@ -141,6 +143,9 @@ com_fdt_attach(struct device *parent, struct device *self, void *aux) sc->sc_reg_width = OF_getpropint(faa->fa_node, "reg-io-width", width); sc->sc_reg_shift = OF_getpropint(faa->fa_node, "reg-shift", shift); + if (OF_is_compatible(faa->fa_node, "mediatek,mt6577-uart")) + sc->sc_uarttype = COM_UART_16550A; + if (OF_is_compatible(faa->fa_node, "snps,dw-apb-uart") || OF_is_compatible(faa->fa_node, "marvell,armada-38x-uart")) { sc->sc_uarttype = COM_UART_DW_APB; diff --git a/sys/net/route.c b/sys/net/route.c index 0b9725476..991b4805a 100644 --- a/sys/net/route.c +++ b/sys/net/route.c @@ -1,4 +1,4 @@ -/* $OpenBSD: route.c,v 1.426 2023/11/13 17:18:27 bluhm Exp $ */ +/* $OpenBSD: route.c,v 1.427 2024/01/31 14:56:42 bluhm Exp $ */ /* $NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $ */ /* @@ -140,6 +140,7 @@ /* * Locks used to protect struct members: + * a atomic operations * I immutable after creation * L rtlabel_mtx * T rttimer_mtx 
@@ -152,8 +153,9 @@ static uint32_t rt_hashjitter; extern unsigned int rtmap_limit; -struct cpumem * rtcounters; -int rttrash; /* routes not in table but not freed */ +struct cpumem *rtcounters; +int rttrash; /* [a] routes not in table but not freed */ +u_long rtgeneration; /* [a] generation number, routes changed */ struct pool rtentry_pool; /* pool for rtentry structures */ struct pool rttimer_pool; /* pool for rttimer structures */ @@ -199,6 +201,33 @@ route_init(void) #endif } +void +route_cache(struct route *ro, struct in_addr addr, u_int rtableid) +{ + u_long gen; + + gen = atomic_load_long(&rtgeneration); + membar_consumer(); + + if (rtisvalid(ro->ro_rt) && + ro->ro_generation == gen && + ro->ro_tableid == rtableid && + ro->ro_dst.sa_family == AF_INET && + satosin(&ro->ro_dst)->sin_addr.s_addr == addr.s_addr) { + return; + } + + rtfree(ro->ro_rt); + ro->ro_rt = NULL; + ro->ro_generation = gen; + ro->ro_tableid = rtableid; + + memset(&ro->ro_dst, 0, sizeof(ro->ro_dst)); + satosin(&ro->ro_dst)->sin_family = AF_INET; + satosin(&ro->ro_dst)->sin_len = sizeof(struct sockaddr_in); + satosin(&ro->ro_dst)->sin_addr = addr; +} + /* * Returns 1 if the (cached) ``rt'' entry is still valid, 0 otherwise. */ @@ -824,6 +853,9 @@ rtrequest_delete(struct rt_addrinfo *info, u_int8_t prio, struct ifnet *ifp, else rtfree(rt); + membar_producer(); + atomic_inc_long(&rtgeneration); + return (0); } @@ -992,6 +1024,10 @@ rtrequest(int req, struct rt_addrinfo *info, u_int8_t prio, *ret_nrt = rt; else rtfree(rt); + + membar_producer(); + atomic_inc_long(&rtgeneration); + break; } @@ -1829,6 +1865,9 @@ rt_if_linkstate_change(struct rtentry *rt, void *arg, u_int id) } if_group_routechange(rt_key(rt), rt_plen2mask(rt, &sa_mask)); + membar_producer(); + atomic_inc_long(&rtgeneration); + return (error); } diff --git a/sys/net/route.h b/sys/net/route.h index 96a76d7ea..2d2a31d2e 100644 --- a/sys/net/route.h +++ b/sys/net/route.h 
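Review bot: route_cache() is added without a header comment, and its contract is not obvious from the name: it never looks up a route, it only keeps `ro->ro_rt` when generation, table id and destination still match, and otherwise frees it and leaves `ro_rt` NULL for the caller to fill. It also requires `ro->ro_rt` to be initialized on entry; the callers later in this patch (ip_forward(), and ip_output() for its local `iproute`) set only `ro_rt = NULL` on an otherwise uninitialized `struct route`, so the remaining fields are skipped only because `rtisvalid(ro->ro_rt)` is the first operand of the `&&` chain (assuming rtisvalid(NULL) is 0, as other callers on this page rely on). I would add a comment in the style of the one on rtisvalid() stating both points, plus `/* must stay first: ro may be otherwise uninitialized */` on the rtisvalid() line so the comparison is not reordered into reading stack garbage.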
@@ -1,4 +1,4 @@ -/* $OpenBSD: route.h,v 1.203 2023/11/12 17:51:40 bluhm Exp $ */ +/* $OpenBSD: route.h,v 1.204 2024/01/31 14:56:42 bluhm Exp $ */ /* $NetBSD: route.h,v 1.9 1996/02/13 22:00:49 christos Exp $ */ /* @@ -377,6 +377,7 @@ struct sockaddr_rtsearch { */ struct route { struct rtentry *ro_rt; + u_long ro_generation; u_long ro_tableid; /* u_long because of alignment */ struct sockaddr ro_dst; }; @@ -438,15 +439,18 @@ void rtlabel_unref(u_int16_t); #define RT_RESOLVE 1 extern struct rtstat rtstat; +extern u_long rtgeneration; struct mbuf; struct socket; struct ifnet; +struct in_addr; struct sockaddr_in6; struct if_ieee80211_data; struct bfd_config; void route_init(void); +void route_cache(struct route *, struct in_addr, u_int); void rtm_ifchg(struct ifnet *); void rtm_ifannounce(struct ifnet *, int); void rtm_bfd(struct bfd_config *); diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 20a5c5c97..36ff7553a 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.287 2024/01/28 20:34:25 bluhm Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.288 2024/01/31 12:27:57 bluhm Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -909,6 +909,11 @@ in_pcbrtentry(struct inpcb *inp) { struct route *ro; +#ifdef INET6 + if (ISSET(inp->inp_flags, INP_IPV6)) + in6_pcbrtentry(inp); +#endif + ro = &inp->inp_route; /* check if route is still valid */ 
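Review bot: The IPv6 branch added at the top of in_pcbrtentry() calls `in6_pcbrtentry(inp);` and discards the result, so an INP_IPV6 pcb falls through into the IPv4 code that follows. When in6_pcbrtentry() returns NULL, that code goes on to test `inp->inp_faddr` and can set up an AF_INET lookup for an IPv6 socket (the rest is in the next hunk); when it returns a route, the caller gets it back only if `inp_route` and `inp_route6` share storage, which is not visible here. The line should be `return (in6_pcbrtentry(inp));`. in_pcbrtentry() continues outside this hunk.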
@@ -921,34 +926,16 @@ in_pcbrtentry(struct inpcb *inp) * No route yet, so try to acquire one. */ if (ro->ro_rt == NULL) { -#ifdef INET6 - memset(ro, 0, sizeof(struct route_in6)); -#else memset(ro, 0, sizeof(struct route)); -#endif -#ifdef INET6 - if (ISSET(inp->inp_flags, INP_IPV6)) { - if (IN6_IS_ADDR_UNSPECIFIED(&inp->inp_faddr6)) - return (NULL); - ro->ro_dst.sa_family = AF_INET6; - ro->ro_dst.sa_len = sizeof(struct sockaddr_in6); - satosin6(&ro->ro_dst)->sin6_addr = inp->inp_faddr6; - ro->ro_tableid = inp->inp_rtableid; - ro->ro_rt = rtalloc_mpath(&ro->ro_dst, - &inp->inp_laddr6.s6_addr32[0], ro->ro_tableid); - } else -#endif /* INET6 */ - { - if (inp->inp_faddr.s_addr == INADDR_ANY) - return (NULL); - ro->ro_dst.sa_family = AF_INET; - ro->ro_dst.sa_len = sizeof(struct sockaddr_in); - satosin(&ro->ro_dst)->sin_addr = inp->inp_faddr; - ro->ro_tableid = inp->inp_rtableid; - ro->ro_rt = rtalloc_mpath(&ro->ro_dst, - &inp->inp_laddr.s_addr, ro->ro_tableid); - } + if (inp->inp_faddr.s_addr == INADDR_ANY) + return (NULL); + ro->ro_dst.sa_family = AF_INET; + ro->ro_dst.sa_len = sizeof(struct sockaddr_in); + satosin(&ro->ro_dst)->sin_addr = inp->inp_faddr; + ro->ro_tableid = inp->inp_rtableid; + ro->ro_rt = rtalloc_mpath(&ro->ro_dst, + &inp->inp_laddr.s_addr, ro->ro_tableid); } return (ro->ro_rt); } diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index a463d87dc..fd09f3696 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.149 2024/01/28 20:34:25 bluhm Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.150 2024/01/31 12:27:57 bluhm Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* @@ -367,6 +367,8 @@ struct rtentry * in_pcbrtentry(struct inpcb *); /* INET6 stuff */ +struct rtentry * + in6_pcbrtentry(struct inpcb *); void in6_pcbnotify(struct inpcbtable *, const struct sockaddr_in6 *, u_int, const struct sockaddr_in6 *, u_int, u_int, int, void *, void (*)(struct inpcb *, int)); 
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 279252353..6bbbcf63c 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.387 2023/09/16 09:33:27 mpi Exp $ */ +/* $OpenBSD: ip_input.c,v 1.388 2024/01/31 14:56:42 bluhm Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -1475,7 +1475,6 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct rtentry *rt, int srcrt) { struct mbuf mfake, *mcopy = NULL; struct ip *ip = mtod(m, struct ip *); - struct sockaddr_in *sin; struct route ro; int error = 0, type = 0, code = 0, destmtu = 0, fake = 0, len; u_int32_t dest; @@ -1491,15 +1490,11 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct rtentry *rt, int srcrt) goto freecopy; } - memset(&ro, 0, sizeof(ro)); - sin = satosin(&ro.ro_dst); - sin->sin_family = AF_INET; - sin->sin_len = sizeof(*sin); - sin->sin_addr = ip->ip_dst; - + ro.ro_rt = NULL; + route_cache(&ro, ip->ip_dst, m->m_pkthdr.ph_rtableid); if (!rtisvalid(rt)) { rtfree(rt); - rt = rtalloc_mpath(sintosa(sin), &ip->ip_src.s_addr, + rt = rtalloc_mpath(&ro.ro_dst, &ip->ip_src.s_addr, m->m_pkthdr.ph_rtableid); if (rt == NULL) { ipstat_inc(ips_noroute); @@ -1507,6 +1502,7 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct rtentry *rt, int srcrt) return; } } + ro.ro_rt = rt; /* * Save at most 68 bytes of the packet in case @@ -1557,8 +1553,6 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct rtentry *rt, int srcrt) } } - ro.ro_rt = rt; - ro.ro_tableid = m->m_pkthdr.ph_rtableid; error = ip_output(m, NULL, &ro, (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), NULL, NULL, 0); diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 761d063dc..98d0cd54f 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.393 2024/01/18 11:03:16 claudio Exp $ */ +/* $OpenBSD: ip_output.c,v 1.394 2024/01/31 14:56:43 bluhm Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -159,28 +159,15 @@ reroute: */ if (ro == NULL) { ro = &iproute; - memset(ro, 0, sizeof(*ro)); + ro->ro_rt = NULL; } - dst = satosin(&ro->ro_dst); - /* * If there is a cached route, check that it is to the same * destination and is still up. If not, free it and try again. */ - if (!rtisvalid(ro->ro_rt) || - dst->sin_addr.s_addr != ip->ip_dst.s_addr || - ro->ro_tableid != m->m_pkthdr.ph_rtableid) { - rtfree(ro->ro_rt); - ro->ro_rt = NULL; - } - - if (ro->ro_rt == NULL) { - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = ip->ip_dst; - ro->ro_tableid = m->m_pkthdr.ph_rtableid; - } + route_cache(ro, ip->ip_dst, m->m_pkthdr.ph_rtableid); + dst = satosin(&ro->ro_dst); if ((IN_MULTICAST(ip->ip_dst.s_addr) || (ip->ip_dst.s_addr == INADDR_BROADCAST)) && diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index 98384bfd3..909166c7a 100644 --- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in6.h,v 1.112 2024/01/27 21:13:46 bluhm Exp $ */ +/* $OpenBSD: in6.h,v 1.113 2024/01/31 14:56:43 bluhm Exp $ */ /* $KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $ */ /* @@ -145,10 +145,11 @@ extern const struct in6_addr in6addr_linklocal_allrouters; #if __BSD_VISIBLE /* - * IPv6 route structure + * IPv6 route structure, keep fields in sync with struct route */ struct route_in6 { struct rtentry *ro_rt; + u_long ro_generation; u_long ro_tableid; /* padded to long for alignment */ struct sockaddr_in6 ro_dst; }; diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 3561446e8..d447beb83 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: in6_pcb.c,v 1.133 2024/01/28 20:34:25 bluhm Exp $ */ +/* $OpenBSD: in6_pcb.c,v 1.134 2024/01/31 12:27:57 bluhm Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -561,6 +561,35 @@ in6_pcbnotify(struct inpcbtable *table, const struct sockaddr_in6 *dst, rw_exit_write(&table->inpt_notify); } +struct rtentry * +in6_pcbrtentry(struct inpcb *inp) +{ + struct route_in6 *ro = &inp->inp_route6; + + /* check if route is still valid */ + if (!rtisvalid(ro->ro_rt)) { + rtfree(ro->ro_rt); + ro->ro_rt = NULL; + } + + /* + * No route yet, so try to acquire one. + */ + if (ro->ro_rt == NULL) { + memset(ro, 0, sizeof(struct route_in6)); + + if (IN6_IS_ADDR_UNSPECIFIED(&inp->inp_faddr6)) + return (NULL); + ro->ro_dst.sin6_family = AF_INET6; + ro->ro_dst.sin6_len = sizeof(struct sockaddr_in6); + ro->ro_dst.sin6_addr = inp->inp_faddr6; + ro->ro_tableid = inp->inp_rtableid; + ro->ro_rt = rtalloc_mpath(sin6tosa(&ro->ro_dst), + &inp->inp_laddr6.s6_addr32[0], ro->ro_tableid); + } + return (ro->ro_rt); +} + struct inpcb * in6_pcbhash_lookup(struct inpcbtable *table, uint64_t hash, u_int rdomain, const struct in6_addr *faddr, u_short fport, diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 370f15fef..f3da1972a 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.283 2024/01/18 11:03:16 claudio Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.284 2024/01/31 12:27:57 bluhm Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -1486,7 +1486,7 @@ do { \ if (!(so->so_state & SS_ISCONNECTED)) return (ENOTCONN); - rt = in_pcbrtentry(inp); + rt = in6_pcbrtentry(inp); if (!rtisvalid(rt)) return (EHOSTUNREACH); diff --git a/usr.sbin/bgpctl/bgpctl.c b/usr.sbin/bgpctl/bgpctl.c index 22032bf2f..35ec60804 100644 --- a/usr.sbin/bgpctl/bgpctl.c +++ b/usr.sbin/bgpctl/bgpctl.c 
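Review bot: The new in6_pcbrtentry() reads `inp->inp_route6`, `inp_faddr6` and `inp_laddr6` without checking that the pcb really is an IPv6 one, and it has no comment describing what it returns. The removed code in in_pcb.c cleared a `struct route *` with `sizeof(struct route_in6)`, which suggests the IPv4 and IPv6 route fields overlap, so a call on an IPv4 pcb would reinterpret that state. I would make `KASSERT(ISSET(inp->inp_flags, INP_IPV6));` the first statement and add a one-line header comment saying it returns the cached or newly allocated route, or NULL when the foreign address is unspecified or no route is found.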
@@ -1,4 +1,4 @@ -/* $OpenBSD: bgpctl.c,v 1.303 2024/01/30 13:51:13 claudio Exp $ */ +/* $OpenBSD: bgpctl.c,v 1.304 2024/01/31 11:23:19 claudio Exp $ */ /* * Copyright (c) 2003 Henning Brauer @@ -471,7 +471,7 @@ show(struct imsg *imsg, struct parse_result *res) struct ctl_show_rib rib; struct rde_memstats stats; struct ibuf ibuf; - u_int rescode, ilen; + u_int rescode; switch (imsg->hdr.type) { case IMSG_CTL_SHOW_NEIGHBOR: @@ -542,14 +542,11 @@ show(struct imsg *imsg, struct parse_result *res) output->communities(&ibuf, res); break; case IMSG_CTL_SHOW_RIB_ATTR: - ilen = imsg->hdr.len - IMSG_HEADER_SIZE; - if (ilen < 3) { - warnx("bad IMSG_CTL_SHOW_RIB_ATTR received"); - break; - } if (output->attr == NULL) break; - output->attr(imsg->data, ilen, res->flags, 0); + if (imsg_get_ibuf(imsg, &ibuf) == -1) + err(1, "imsg_get_ibuf"); + output->attr(&ibuf, res->flags, 0); break; case IMSG_CTL_SHOW_RIB_MEM: if (output->rib_mem == NULL) @@ -1295,9 +1292,11 @@ show_mrt_dump(struct mrt_rib *mr, struct mrt_peer *mp, void *arg) ibuf_from_buffer(&ibuf, mre->aspath, mre->aspath_len); output->rib(&ctl, &ibuf, &res); if (req->flags & F_CTL_DETAIL) { - for (j = 0; j < mre->nattrs; j++) - output->attr(mre->attrs[j].attr, - mre->attrs[j].attr_len, req->flags, 0); + for (j = 0; j < mre->nattrs; j++) { + ibuf_from_buffer(&ibuf, mre->attrs[j].attr, + mre->attrs[j].attr_len); + output->attr(&ibuf, req->flags, 0); + } } } } @@ -1752,8 +1751,7 @@ show_mrt_update(u_char *p, uint16_t len, int reqflags, int addpath) if (ibuf_skip(&abuf, ibuf_size(&attrbuf)) == -1) goto trunc; - output->attr(ibuf_data(&attrbuf), ibuf_size(&attrbuf), - reqflags, addpath); + output->attr(&attrbuf, reqflags, addpath); } if (ibuf_size(b) > 0) { diff --git a/usr.sbin/bgpctl/bgpctl.h b/usr.sbin/bgpctl/bgpctl.h index 4ec108688..b70701720 100644 --- a/usr.sbin/bgpctl/bgpctl.h +++ b/usr.sbin/bgpctl/bgpctl.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: bgpctl.h,v 1.23 2024/01/30 13:51:13 claudio Exp $ */ +/* $OpenBSD: bgpctl.h,v 1.24 2024/01/31 11:23:20 claudio Exp $ */ /* * Copyright (c) 2019 Claudio Jeker @@ -27,7 +27,7 @@ struct output { void (*flowspec)(struct flowspec *); void (*nexthop)(struct ctl_show_nexthop *); void (*interface)(struct ctl_show_interface *); - void (*attr)(u_char *, size_t, int, int); + void (*attr)(struct ibuf *, int, int); void (*communities)(struct ibuf *, struct parse_result *); void (*rib)(struct ctl_show_rib *, struct ibuf *, struct parse_result *); diff --git a/usr.sbin/bgpctl/output.c b/usr.sbin/bgpctl/output.c index 05f151a0f..d4a5fb9c6 100644 --- a/usr.sbin/bgpctl/output.c +++ b/usr.sbin/bgpctl/output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output.c,v 1.49 2024/01/30 13:51:13 claudio Exp $ */ +/* $OpenBSD: output.c,v 1.50 2024/01/31 11:23:20 claudio Exp $ */ /* * Copyright (c) 2003 Henning Brauer 
@@ -698,128 +698,103 @@ show_communities(struct ibuf *data, struct parse_result *res) } static void -show_community(u_char *data, uint16_t len) +show_community(struct ibuf *buf) { uint16_t a, v; - uint16_t i; - if (len & 0x3) { - printf("bad length"); - return; - } - - for (i = 0; i < len; i += 4) { - memcpy(&a, data + i, sizeof(a)); - memcpy(&v, data + i + 2, sizeof(v)); - a = ntohs(a); - v = ntohs(v); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n16(buf, &a) == -1 || + ibuf_get_n16(buf, &v) == -1) { + printf("bad length"); + return; + } printf("%s", fmt_community(a, v)); - if (i + 4 < len) + if (ibuf_size(buf) > 0) printf(" "); } } static void -show_large_community(u_char *data, uint16_t len) +show_large_community(struct ibuf *buf) { uint32_t a, l1, l2; - uint16_t i; - if (len % 12) { - printf("bad length"); - return; - } - - for (i = 0; i < len; i += 12) { - memcpy(&a, data + i, sizeof(a)); - memcpy(&l1, data + i + 4, sizeof(l1)); - memcpy(&l2, data + i + 8, sizeof(l2)); - a = ntohl(a); - l1 = ntohl(l1); - l2 = ntohl(l2); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n32(buf, &a) == -1 || + ibuf_get_n32(buf, &l1) == -1 || + ibuf_get_n32(buf, &l2) == -1) { + printf("bad length"); + return; + } printf("%s", fmt_large_community(a, l1, l2)); - if (i + 12 < len) + if (ibuf_size(buf) > 0) printf(" "); } } static void -show_ext_community(u_char *data, uint16_t len) +show_ext_community(struct ibuf *buf) { uint64_t ext; - uint16_t i; - if (len & 0x7) { - printf("bad length"); - return; - } - - for (i = 0; i < len; i += 8) { - memcpy(&ext, data + i, sizeof(ext)); - ext = be64toh(ext); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n64(buf, &ext) == -1) { + printf("bad length"); + return; + } printf("%s", fmt_ext_community(ext)); - if (i + 8 < len) + if (ibuf_size(buf) > 0) printf(" "); } } static void -show_attr(u_char *data, size_t len, int reqflags, int addpath) +show_attr(struct ibuf *buf, int reqflags, int addpath) { struct in_addr id; struct bgpd_addr prefix; - 
struct ibuf ibuf, *buf = &ibuf, asbuf, *path = NULL; + struct ibuf asbuf, *path = NULL; char *aspath; - uint32_t as, pathid; - uint16_t alen, ioff, short_as, afi; - uint8_t flags, type, safi, aid, prefixlen; - int i, e2, e4; + size_t i, alen; + uint32_t as, pathid, val; + uint16_t short_as, afi; + uint8_t flags, type, safi, aid, prefixlen, origin, b; + int e2, e4; - if (len < 3) { - warnx("Too short BGP attribute"); - return; - } - - flags = data[0]; - type = data[1]; + if (ibuf_get_n8(buf, &flags) == -1 || + ibuf_get_n8(buf, &type) == -1) + goto bad_len; /* get the attribute length */ if (flags & ATTR_EXTLEN) { - if (len < 4) { - warnx("Too short BGP attribute"); - return; - } - memcpy(&alen, data+2, sizeof(uint16_t)); - alen = ntohs(alen); - data += 4; - len -= 4; + uint16_t attr_len; + if (ibuf_get_n16(buf, &attr_len) == -1) + goto bad_len; + alen = attr_len; } else { - alen = data[2]; - data += 3; - len -= 3; + uint8_t attr_len; + if (ibuf_get_n8(buf, &attr_len) == -1) + goto bad_len; + alen = attr_len; } /* bad imsg len how can that happen!? */ - if (alen > len) { - warnx("Bad BGP attribute length"); - return; - } + if (alen > ibuf_size(buf)) + goto bad_len; printf(" %s: ", fmt_attr(type, flags)); switch (type) { case ATTR_ORIGIN: - if (alen == 1) - printf("%s", fmt_origin(*data, 0)); - else - printf("bad length"); + if (alen != 1 || ibuf_get_n8(buf, &origin) == -1) + goto bad_len; + printf("%s", fmt_origin(origin, 0)); break; case ATTR_ASPATH: case ATTR_AS4_PATH: - ibuf_from_buffer(buf, data, alen); /* prefer 4-byte AS here */ e4 = aspath_verify(buf, 1, 0); e2 = aspath_verify(buf, 0, 0); 
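Review bot: In show_attr, `if (alen > ibuf_size(buf)) goto bad_len;` rejects only a declared length that is too large, and nothing afterwards limits the buffer to `alen`; the removed code re-wrapped the payload with `ibuf_from_buffer(buf, data, alen)`. The loops in show_community, show_large_community and show_ext_community, and the ATTR_CLUSTER_LIST and NLRI loops in later hunks, now run until `ibuf_size(buf)` reaches 0, so any bytes following the attribute would be decoded as part of it. Whether callers always hand in exactly one attribute is not visible here; adding `if (ibuf_truncate(buf, alen) == -1) goto bad_len;` after the length check would restore the old bound. json_attr in output_json.c carries the same check and would need the same line. show_attr's body continues outside this hunk.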
@@ -842,68 +817,48 @@ show_attr(u_char *data, size_t len, int reqflags, int addpath) ibuf_free(path); break; case ATTR_NEXTHOP: - if (alen == 4) { - memcpy(&id, data, sizeof(id)); - printf("%s", inet_ntoa(id)); - } else - printf("bad length"); + case ATTR_ORIGINATOR_ID: + if (alen != 4 || ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; + printf("%s", inet_ntoa(id)); break; case ATTR_MED: case ATTR_LOCALPREF: - if (alen == 4) { - uint32_t val; - memcpy(&val, data, sizeof(val)); - val = ntohl(val); - printf("%u", val); - } else - printf("bad length"); + if (alen != 4 || ibuf_get_n32(buf, &val) == -1) + goto bad_len; + printf("%u", val); break; case ATTR_AGGREGATOR: case ATTR_AS4_AGGREGATOR: if (alen == 8) { - memcpy(&as, data, sizeof(as)); - memcpy(&id, data + sizeof(as), sizeof(id)); - as = ntohl(as); + if (ibuf_get_n32(buf, &as) == -1 || + ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; } else if (alen == 6) { - memcpy(&short_as, data, sizeof(short_as)); - memcpy(&id, data + sizeof(short_as), sizeof(id)); - as = ntohs(short_as); + if (ibuf_get_n16(buf, &short_as) == -1 || + ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; + as = short_as; } else { - printf("bad length"); - break; + goto bad_len; } printf("%s [%s]", log_as(as), inet_ntoa(id)); break; case ATTR_COMMUNITIES: - show_community(data, alen); - break; - case ATTR_ORIGINATOR_ID: - if (alen == 4) { - memcpy(&id, data, sizeof(id)); - printf("%s", inet_ntoa(id)); - } else - printf("bad length"); + show_community(buf); break; case ATTR_CLUSTER_LIST: - for (ioff = 0; ioff + sizeof(id) <= alen; - ioff += sizeof(id)) { - memcpy(&id, data + ioff, sizeof(id)); + while (ibuf_size(buf) > 0) { + if (ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; printf(" %s", inet_ntoa(id)); } break; case ATTR_MP_REACH_NLRI: case ATTR_MP_UNREACH_NLRI: - if (alen < 3) { - bad_len: - printf("bad length"); - break; - } - memcpy(&afi, data, 2); - data += 2; - alen -= 2; - afi = ntohs(afi); - safi = *data++; - 
alen--; + if (ibuf_get_n16(buf, &afi) == -1 || + ibuf_get_n8(buf, &safi) == -1) + goto bad_len; if (afi2aid(afi, safi, &aid) == -1) { printf("bad AFI/SAFI pair"); @@ -914,11 +869,7 @@ show_attr(u_char *data, size_t len, int reqflags, int addpath) if (type == ATTR_MP_REACH_NLRI) { struct bgpd_addr nexthop; uint8_t nhlen; - if (len == 0) - goto bad_len; - nhlen = *data++; - alen--; - if (nhlen > len) + if (ibuf_get_n8(buf, &nhlen) == -1) goto bad_len; memset(&nexthop, 0, sizeof(nexthop)); switch (aid) { @@ -926,35 +877,39 @@ show_attr(u_char *data, size_t len, int reqflags, int addpath) nexthop.aid = aid; if (nhlen != 16 && nhlen != 32) goto bad_len; - memcpy(&nexthop.v6.s6_addr, data, 16); + if (ibuf_get(buf, &nexthop.v6, + sizeof(nexthop.v6)) == -1) + goto bad_len; break; case AID_VPN_IPv4: if (nhlen != 12) goto bad_len; nexthop.aid = AID_INET; - memcpy(&nexthop.v4, data + sizeof(uint64_t), - sizeof(nexthop.v4)); + if (ibuf_skip(buf, sizeof(uint64_t)) == -1 || + ibuf_get(buf, &nexthop.v4, + sizeof(nexthop.v4)) == -1) + goto bad_len; break; case AID_VPN_IPv6: if (nhlen != 24) goto bad_len; nexthop.aid = AID_INET6; - memcpy(&nexthop.v6, data + sizeof(uint64_t), - sizeof(nexthop.v6)); + if (ibuf_skip(buf, sizeof(uint64_t)) == -1 || + ibuf_get(buf, &nexthop.v6, + sizeof(nexthop.v6)) == -1) + goto bad_len; break; default: printf("unhandled AID #%u", aid); goto done; } /* ignore reserved (old SNPA) field as per RFC4760 */ - data += nhlen + 1; - alen -= nhlen + 1; + if (ibuf_skip(buf, 1) == -1) + goto bad_len; printf(" nexthop: %s", log_addr(&nexthop)); } - ibuf_from_buffer(buf, data, alen); - while (ibuf_size(buf) > 0) { if (addpath) if (ibuf_get_n32(buf, &pathid) == -1) 
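Review bot: In the ATTR_MP_REACH_NLRI branch, the AID_INET6 case still accepts `nhlen == 32` but now reads only `sizeof(nexthop.v6)` bytes, where the removed code advanced by `nhlen + 1`. With a 32-byte next hop (global plus link-local) the following `ibuf_skip(buf, 1)` and the NLRI loop appear to start 16 bytes early and decode the second address as prefixes. Adding `if (nhlen == 32 && ibuf_skip(buf, 16) == -1) goto bad_len;` after the `ibuf_get()` would keep the cursor aligned. The same pattern is in json_attr in output_json.c. The switch and the enclosing function extend beyond this hunk.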
@@ -985,32 +940,36 @@ show_attr(u_char *data, size_t len, int reqflags, int addpath) } break; case ATTR_EXT_COMMUNITIES: - show_ext_community(data, alen); + show_ext_community(buf); break; case ATTR_LARGE_COMMUNITIES: - show_large_community(data, alen); + show_large_community(buf); break; case ATTR_OTC: - if (alen == 4) { - memcpy(&as, data, sizeof(as)); - as = ntohl(as); - printf("%s", log_as(as)); - } else { - printf("bad length"); - } + if (alen != 4 || ibuf_get_n32(buf, &as) == -1) + goto bad_len; + printf("%s", log_as(as)); break; case ATTR_ATOMIC_AGGREGATE: default: - printf(" len %u", alen); + printf(" len %zu", alen); if (alen) { printf(":"); - for (i=0; i < alen; i++) - printf(" %02x", *(data+i)); + for (i = 0; i < alen; i++) { + if (ibuf_get_n8(buf, &b) == -1) + goto bad_len; + printf(" %02x", b); + } } break; } + done: printf("%c", EOL0(reqflags)); + return; + + bad_len: + printf("bad length%c", EOL0(reqflags)); } static void diff --git a/usr.sbin/bgpctl/output_json.c b/usr.sbin/bgpctl/output_json.c index d18672392..d108a642a 100644 --- a/usr.sbin/bgpctl/output_json.c +++ b/usr.sbin/bgpctl/output_json.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output_json.c,v 1.41 2024/01/30 13:51:13 claudio Exp $ */ +/* $OpenBSD: output_json.c,v 1.42 2024/01/31 11:23:20 claudio Exp $ */ /* * Copyright (c) 2020 Claudio Jeker 
@@ -512,22 +512,18 @@ json_communities(struct ibuf *data, struct parse_result *res) } static void -json_do_community(u_char *data, uint16_t len) +json_do_community(struct ibuf *buf) { - uint16_t a, v, i; - - if (len & 0x3) { - json_do_string("error", "bad length"); - return; - } + uint16_t a, v; json_do_array("communities"); - for (i = 0; i < len; i += 4) { - memcpy(&a, data + i, sizeof(a)); - memcpy(&v, data + i + 2, sizeof(v)); - a = ntohs(a); - v = ntohs(v); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n16(buf, &a) == -1 || + ibuf_get_n16(buf, &v) == -1) { + json_do_string("error", "bad length"); + return; + } json_do_string("community", fmt_community(a, v)); } 
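Review bot: The error return in json_do_community now happens after `json_do_array("communities")` has been opened, so `json_do_string("error", "bad length")` is emitted inside the array and the function returns without reaching its `json_do_end()`. The old code checked the length before opening the array, which kept the error at the attribute level. Unless the JSON helpers close dangling containers themselves (not visible here), replace the `return;` with `break;` so the existing `json_do_end()` still runs. Alternatively, validate `ibuf_size(buf) % 4` before `json_do_array()`. json_do_large_community and json_do_ext_community in the next hunk have the same shape.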
@@ -535,49 +531,36 @@ json_do_community(u_char *data, uint16_t len) } static void -json_do_large_community(u_char *data, uint16_t len) +json_do_large_community(struct ibuf *buf) { uint32_t a, l1, l2; - uint16_t i; - - if (len % 12) { - json_do_string("error", "bad length"); - return; - } json_do_array("large_communities"); - for (i = 0; i < len; i += 12) { - memcpy(&a, data + i, sizeof(a)); - memcpy(&l1, data + i + 4, sizeof(l1)); - memcpy(&l2, data + i + 8, sizeof(l2)); - a = ntohl(a); - l1 = ntohl(l1); - l2 = ntohl(l2); - - json_do_string("community", - fmt_large_community(a, l1, l2)); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n32(buf, &a) == -1 || + ibuf_get_n32(buf, &l1) == -1 || + ibuf_get_n32(buf, &l2) == -1) { + json_do_string("error", "bad length"); + return; + } + json_do_string("community", fmt_large_community(a, l1, l2)); } json_do_end(); } static void -json_do_ext_community(u_char *data, uint16_t len) +json_do_ext_community(struct ibuf *buf) { uint64_t ext; - uint16_t i; - - if (len & 0x7) { - json_do_string("error", "bad length"); - return; - } - json_do_array("extended_communities"); - for (i = 0; i < len; i += 8) { - memcpy(&ext, data + i, sizeof(ext)); - ext = be64toh(ext); + while (ibuf_size(buf) > 0) { + if (ibuf_get_n64(buf, &ext) == -1) { + json_do_string("error", "bad length"); + return; + } json_do_string("community", fmt_ext_community(ext)); } 
@@ -585,66 +568,57 @@ json_do_ext_community(u_char *data, uint16_t len) } static void -json_attr(u_char *data, size_t len, int reqflags, int addpath) +json_attr(struct ibuf *buf, int reqflags, int addpath) { struct bgpd_addr prefix; struct in_addr id; - struct ibuf ibuf, *buf = &ibuf, asbuf, *path = NULL; + struct ibuf asbuf, *path = NULL; char *aspath; - uint32_t as, pathid; - uint16_t alen, afi, off, short_as; - uint8_t flags, type, safi, aid, prefixlen; + uint32_t as, pathid, val; + uint16_t alen, afi, short_as; + uint8_t flags, type, safi, aid, prefixlen, origin; int e4, e2; - if (len < 3) { - warnx("Too short BGP attribute"); - return; - } - - flags = data[0]; - type = data[1]; - if (flags & ATTR_EXTLEN) { - if (len < 4) { - warnx("Too short BGP attribute"); - return; - } - memcpy(&alen, data+2, sizeof(uint16_t)); - alen = ntohs(alen); - data += 4; - len -= 4; - } else { - alen = data[2]; - data += 3; - len -= 3; - } - - /* bad imsg len how can that happen!? */ - if (alen > len) { - warnx("Bad BGP attribute length"); - return; - } - json_do_array("attributes"); - json_do_object("attribute", 0); + + if (ibuf_get_n8(buf, &flags) == -1 || + ibuf_get_n8(buf, &type) == -1) + goto bad_len; + json_do_string("type", fmt_attr(type, -1)); - json_do_uint("length", alen); json_do_object("flags", 1); json_do_bool("partial", flags & ATTR_PARTIAL); json_do_bool("transitive", flags & ATTR_TRANSITIVE); json_do_bool("optional", flags & ATTR_OPTIONAL); json_do_end(); + if (flags & ATTR_EXTLEN) { + uint16_t attr_len; + if (ibuf_get_n16(buf, &attr_len) == -1) + goto bad_len; + alen = attr_len; + } else { + uint8_t attr_len; + if (ibuf_get_n8(buf, &attr_len) == -1) + goto bad_len; + alen = attr_len; + } + + json_do_uint("length", alen); + + /* bad imsg len how can that happen!? 
*/ + if (alen > ibuf_size(buf)) + goto bad_len; + switch (type) { case ATTR_ORIGIN: - if (alen == 1) - json_do_string("origin", fmt_origin(*data, 0)); - else - json_do_string("error", "bad length"); + if (alen != 1 || ibuf_get_n8(buf, &origin) == -1) + goto bad_len; + json_do_string("origin", fmt_origin(origin, 0)); break; case ATTR_ASPATH: case ATTR_AS4_PATH: - ibuf_from_buffer(buf, data, alen); /* prefer 4-byte AS here */ e4 = aspath_verify(buf, 1, 0); e2 = aspath_verify(buf, 0, 0); 
@@ -668,70 +642,55 @@ json_attr(u_char *data, size_t len, int reqflags, int addpath) ibuf_free(path); break; case ATTR_NEXTHOP: - if (alen == 4) { - memcpy(&id, data, sizeof(id)); - json_do_string("nexthop", inet_ntoa(id)); - } else - json_do_string("error", "bad length"); + if (alen != 4 || ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; + json_do_string("nexthop", inet_ntoa(id)); break; case ATTR_MED: case ATTR_LOCALPREF: - if (alen == 4) { - uint32_t val; - memcpy(&val, data, sizeof(val)); - json_do_uint("metric", ntohl(val)); - } else - json_do_string("error", "bad length"); + if (alen != 4 || ibuf_get_n32(buf, &val) == -1) + goto bad_len; + json_do_uint("metric", val); break; case ATTR_AGGREGATOR: case ATTR_AS4_AGGREGATOR: if (alen == 8) { - memcpy(&as, data, sizeof(as)); - memcpy(&id, data + sizeof(as), sizeof(id)); - as = ntohl(as); + if (ibuf_get_n32(buf, &as) == -1 || + ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; } else if (alen == 6) { - memcpy(&short_as, data, sizeof(short_as)); - memcpy(&id, data + sizeof(short_as), sizeof(id)); - as = ntohs(short_as); + if (ibuf_get_n16(buf, &short_as) == -1 || + ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; + as = short_as; } else { - json_do_string("error", "bad AS-Path"); - break; + goto bad_len; } json_do_uint("AS", as); json_do_string("router_id", inet_ntoa(id)); break; case ATTR_COMMUNITIES: - json_do_community(data, alen); + json_do_community(buf); break; case ATTR_ORIGINATOR_ID: - if (alen == 4) { - memcpy(&id, data, sizeof(id)); - json_do_string("originator", inet_ntoa(id)); - } else - json_do_string("error", "bad length"); + if (alen != 4 || ibuf_get(buf, &id, sizeof(id)) == -1) + goto bad_len; + json_do_string("originator", inet_ntoa(id)); break; case ATTR_CLUSTER_LIST: json_do_array("cluster_list"); - for (off = 0; off + sizeof(id) <= alen; - off += sizeof(id)) { - memcpy(&id, data + off, sizeof(id)); + while (ibuf_size(buf) > 0) { + if (ibuf_get(buf, &id, sizeof(id)) == -1) + goto 
bad_len; json_do_string("cluster_id", inet_ntoa(id)); } json_do_end(); break; case ATTR_MP_REACH_NLRI: case ATTR_MP_UNREACH_NLRI: - if (alen < 3) { -bad_len: - json_do_string("error", "bad length"); - break; - } - memcpy(&afi, data, 2); - data += 2; - alen -= 2; - afi = ntohs(afi); - safi = *data++; - alen--; + if (ibuf_get_n16(buf, &afi) == -1 || + ibuf_get_n8(buf, &safi) == -1) + goto bad_len; if (afi2aid(afi, safi, &aid) == -1) { json_do_printf("error", "bad AFI/SAFI pair: %d/%d", @@ -743,11 +702,7 @@ bad_len: if (type == ATTR_MP_REACH_NLRI) { struct bgpd_addr nexthop; uint8_t nhlen; - if (len == 0) - goto bad_len; - nhlen = *data++; - alen--; - if (nhlen > len) + if (ibuf_get_n8(buf, &nhlen) == -1) goto bad_len; memset(&nexthop, 0, sizeof(nexthop)); switch (aid) { @@ -755,21 +710,27 @@ bad_len: nexthop.aid = aid; if (nhlen != 16 && nhlen != 32) goto bad_len; - memcpy(&nexthop.v6.s6_addr, data, 16); + if (ibuf_get(buf, &nexthop.v6, + sizeof(nexthop.v6)) == -1) + goto bad_len; break; case AID_VPN_IPv4: if (nhlen != 12) goto bad_len; nexthop.aid = AID_INET; - memcpy(&nexthop.v4, data + sizeof(uint64_t), - sizeof(nexthop.v4)); + if (ibuf_skip(buf, sizeof(uint64_t)) == -1 || + ibuf_get(buf, &nexthop.v4, + sizeof(nexthop.v4)) == -1) + goto bad_len; break; case AID_VPN_IPv6: if (nhlen != 24) goto bad_len; nexthop.aid = AID_INET6; - memcpy(&nexthop.v6, data + sizeof(uint64_t), - sizeof(nexthop.v6)); + if (ibuf_skip(buf, sizeof(uint64_t)) == -1 || + ibuf_get(buf, &nexthop.v6, + sizeof(nexthop.v6)) == -1) + goto bad_len; break; default: json_do_printf("error", "unhandled AID: %d", @@ -777,14 +738,12 @@ bad_len: return; } /* ignore reserved (old SNPA) field as per RFC4760 */ - data += nhlen + 1; - alen -= nhlen + 1; + if (ibuf_skip(buf, 1) == -1) + goto bad_len; json_do_string("nexthop", log_addr(&nexthop)); } - ibuf_from_buffer(buf, data, alen); - json_do_array("NLRI"); while (ibuf_size(buf) > 0) { json_do_object("prefix", 1); 
@@ -821,25 +780,26 @@ bad_len: json_do_end(); break; case ATTR_EXT_COMMUNITIES: - json_do_ext_community(data, alen); + json_do_ext_community(buf); break; case ATTR_LARGE_COMMUNITIES: - json_do_large_community(data, alen); + json_do_large_community(buf); break; case ATTR_OTC: - if (alen == 4) { - memcpy(&as, data, sizeof(as)); - as = ntohl(as); - json_do_uint("as", as); - } else - json_do_string("error", "bad length"); + if (alen != 4 || ibuf_get_n32(buf, &as) == -1) + goto bad_len; + json_do_uint("as", as); break; case ATTR_ATOMIC_AGGREGATE: default: if (alen) - json_do_hexdump("data", data, alen); + json_do_hexdump("data", ibuf_data(buf), ibuf_size(buf)); break; } + return; + + bad_len: + json_do_string("error", "bad length"); } static void diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 61527fdef..9912ebcf2 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.199 2024/01/18 14:34:26 job Exp $ */ +/* $OpenBSD: extern.h,v 1.201 2024/01/31 06:57:21 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -629,7 +629,8 @@ void mft_free(struct mft *); struct mft *mft_parse(X509 **, const char *, int, const unsigned char *, size_t); struct mft *mft_read(struct ibuf *); -int mft_compare(const struct mft *, const struct mft *); +int mft_compare_issued(const struct mft *, const struct mft *); +int mft_compare_seqnum(const struct mft *, const struct mft *); void roa_buffer(struct ibuf *, const struct roa *); void roa_free(struct roa *); diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c index 8fd3755f1..a98e6ac33 100644 --- a/usr.sbin/rpki-client/mft.c +++ b/usr.sbin/rpki-client/mft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mft.c,v 1.100 2023/12/11 15:50:23 job Exp $ */ +/* $OpenBSD: mft.c,v 1.102 2024/01/31 06:57:21 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2019 Kristaps Dzonsons 
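Review bot: The default case of json_attr dumps `ibuf_size(buf)` bytes although it is guarded by, and the object already reports, `alen`. The text formatter's default case reads exactly `alen` bytes, so the two outputs can disagree whenever the buffer holds more than the attribute. Using `json_do_hexdump("data", ibuf_data(buf), alen);` would keep them consistent, relying on the earlier `alen > ibuf_size(buf)` check. Note also that the new `bad_len:` label emits the error after "attributes" and "attribute" have been opened; whether they are closed on that path is outside this hunk.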
@@ -545,20 +545,26 @@ mft_read(struct ibuf *b) } /* - * Compare the manifestNumber of two MFT files. - * Returns 1 if first MFT should be used, 0 if both are equal, and -1 if the - * second MFT should be used. + * Compare the thisupdate time of two mft files. */ int -mft_compare(const struct mft *a, const struct mft *b) +mft_compare_issued(const struct mft *a, const struct mft *b) +{ + if (a->thisupdate > b->thisupdate) + return 1; + if (a->thisupdate < b->thisupdate) + return -1; + return 0; +} + +/* + * Compare the manifestNumber of two mft files. + */ +int +mft_compare_seqnum(const struct mft *a, const struct mft *b) { int r; - if (b == NULL) - return 1; - if (a == NULL) - return -1; - r = strlen(a->seqnum) - strlen(b->seqnum); if (r > 0) /* seqnum in a is longer -> higher */ return 1; diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index 851b5c5f2..36924cdc6 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.108 2024/01/18 14:34:26 job Exp $ */ +/* $OpenBSD: parser.c,v 1.113 2024/01/31 06:57:21 tb Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -258,22 +258,28 @@ parse_load_crl_from_mft(struct entity *entp, struct mft *mft, enum location loc, */ static struct mft * proc_parser_mft_pre(struct entity *entp, enum location loc, char **file, - struct crl **crl, char **crlfile, const char **errstr) + struct crl **crl, char **crlfile, struct mft *cached_mft, + const char **errstr) { struct mft *mft; X509 *x509; struct auth *a; unsigned char *der; size_t len; + int issued_cmp, seqnum_cmp; *crl = NULL; *crlfile = NULL; *errstr = NULL; + /* XXX - pull this into proc_parser_mft. */ *file = parse_filepath(entp->repoid, entp->path, entp->file, loc); if (*file == NULL) return NULL; + if (noop && loc == DIR_TEMP) + return NULL; + der = load_file(*file, &len); if (der == NULL && errno != ENOENT) warn("parse file %s", *file); 
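Review bot: The new comments on mft_compare_issued and mft_compare_seqnum drop the return-value contract that the old mft_compare comment spelled out. Both functions also dereference `a` and `b` unconditionally, now that the NULL checks are gone. I would extend each comment, e.g. `Returns 1 if a is newer than b, -1 if a is older, 0 if equal; both arguments must be non-NULL.` The caller added in parser.c relies on this sign convention for its replay checks. mft_compare_seqnum's body continues outside the hunk.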
@@ -293,21 +299,63 @@ proc_parser_mft_pre(struct entity *entp, enum location loc, char **file, *crl = parse_load_crl_from_mft(entp, mft, DIR_VALID, crlfile); a = valid_ski_aki(*file, &auths, mft->ski, mft->aki, NULL); - if (!valid_x509(*file, ctx, x509, a, *crl, errstr)) { - X509_free(x509); - mft_free(mft); - crl_free(*crl); - *crl = NULL; - free(*crlfile); - *crlfile = NULL; - return NULL; - } + if (!valid_x509(*file, ctx, x509, a, *crl, errstr)) + goto err; X509_free(x509); + x509 = NULL; mft->repoid = entp->repoid; mft->talid = a->cert->talid; + if (cached_mft == NULL) + return mft; + + /* + * Check that the cached manifest is older in the sense that it was + * issued earlier and that it has a smaller sequence number. + */ + + if ((issued_cmp = mft_compare_issued(mft, cached_mft)) < 0) { + warnx("%s: unexpected manifest issuance time (want >= %lld, " + "got %lld)", *file, (long long)cached_mft->thisupdate, + (long long)mft->thisupdate); + goto err; + } + if ((seqnum_cmp = mft_compare_seqnum(mft, cached_mft)) < 0) { + warnx("%s: unexpected manifest number (want >= #%s, got #%s)", + *file, cached_mft->seqnum, mft->seqnum); + goto err; + } + if (issued_cmp > 0 && seqnum_cmp == 0) { + warnx("%s#%s: reissued manifest at %lld and %lld with same " + "sequence number", *file, cached_mft->seqnum, + (long long)mft->thisupdate, + (long long)cached_mft->thisupdate); + goto err; + } + if (issued_cmp == 0 && seqnum_cmp > 0) { + warnx("%s#%s: reissued manifest same issuance time %lld as #%s", + *file, mft->seqnum, (long long)mft->thisupdate, + cached_mft->seqnum); + goto err; + } + if (issued_cmp == 0 && seqnum_cmp == 0 && memcmp(mft->mfthash, + cached_mft->mfthash, SHA256_DIGEST_LENGTH) != 0) { + warnx("%s: manifest misissuance, #%s was recycled", + *file, mft->seqnum); + goto err; + } + return mft; + + err: + X509_free(x509); + mft_free(mft); + crl_free(*crl); + *crl = NULL; + free(*crlfile); + *crlfile = NULL; + return NULL; } /* 
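Review bot: The block comment above the comparisons says the cached manifest must have been "issued earlier" and have "a smaller sequence number", but the code also accepts the case where both comparisons are 0 and the hashes match, i.e. the same manifest fetched again. Since these checks are the rollback protection for manifests, the comment should state the rule exactly, for instance `Reject the new manifest unless it is identical to the cached one or strictly newer in both issuance time and manifest number.` It would also help to note that the checks run only after valid_x509() has succeeded, so the compared fields come from a validated object. The function starts outside this hunk.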
@@ -367,32 +415,22 @@ proc_parser_mft(struct entity *entp, struct mft **mp, char **crlfile, struct crl *crl, *crl1, *crl2; char *file, *file1, *file2, *crl1file, *crl2file; const char *err1, *err2; - int r, warned = 0; + int warned = 0; *mp = NULL; *crlmtime = 0; - mft1 = proc_parser_mft_pre(entp, DIR_TEMP, &file1, &crl1, &crl1file, - &err1); mft2 = proc_parser_mft_pre(entp, DIR_VALID, &file2, &crl2, &crl2file, - &err2); + NULL, &err2); + mft1 = proc_parser_mft_pre(entp, DIR_TEMP, &file1, &crl1, &crl1file, + mft2, &err1); /* overload error from temp file if it is set */ if (mft1 == NULL && mft2 == NULL) - if (err2 != NULL) - err1 = err2; + if (err1 != NULL) + err2 = err1; - r = mft_compare(mft1, mft2); - if (r == -1 && mft1 != NULL && mft2 != NULL) - warnx("%s: unexpected manifest number (want >= #%s, got #%s)", - file1, mft2->seqnum, mft1->seqnum); - - if (r == 0 && memcmp(mft1->mfthash, mft2->mfthash, - SHA256_DIGEST_LENGTH) != 0) - warnx("%s: manifest misissuance, #%s was recycled", - file1, mft1->seqnum); - - if (!noop && r == 1) { + if (!noop && mft1 != NULL) { *mp = proc_parser_mft_post(file1, mft1, entp->path, err1, &warned); if (*mp == NULL) { diff --git a/usr.sbin/rpki-client/rpki-client.8 b/usr.sbin/rpki-client/rpki-client.8 index 47e56c0af..a7d2d0e27 100644 --- a/usr.sbin/rpki-client/rpki-client.8 +++ b/usr.sbin/rpki-client/rpki-client.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpki-client.8,v 1.99 2024/01/16 19:52:39 job Exp $ +.\" $OpenBSD: rpki-client.8,v 1.100 2024/01/31 17:19:02 job Exp $ .\" .\" Copyright (c) 2019 Kristaps Dzonsons .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 16 2024 $ +.Dd $Mdocdate: January 31 2024 $ .Dt RPKI-CLIENT 8 .Os .Sh NAME 
@@ -445,6 +445,12 @@ agreement regarding ARIN service restrictions. .%U https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors .%D September, 2023 .Re +.Pp +.Rs +.%T Detecting RRDP Session Desynchronization +.%U https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rrdp-desynchronization-00 +.%D Jan, 2024 +.Re .Sh HISTORY .Nm first appeared in diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 5a06568f2..38b1e5df1 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.75 2023/11/16 11:10:59 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.76 2024/01/31 15:01:13 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -956,7 +956,7 @@ x509_valid_subject(const char *fn, const X509 *x) return 0; default: warnx("%s: RFC 6487 section 4.5: unexpected attribute " - "%s", fn, OBJ_nid2sn(nid)); + "%d (%s)", fn, nid, OBJ_nid2ln(nid)); return 0; } }