sync with OpenBSD -current

lib/libcrypto/dh/dh_check.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_check.c,v 1.28 2023/07/24 16:25:02 tb Exp $ */
+/* $OpenBSD: dh_check.c,v 1.29 2024/08/30 17:44:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -68,27 +68,10 @@
 #define DH_NUMBER_ITERATIONS_FOR_PRIME 64
 
 /*
- * Check that p is odd and 1 < g < p - 1. The _ex version removes the need of
- * inspecting flags and pushes errors on the stack instead.
+ * Check that p is odd and 1 < g < p - 1.
  */
 
-int
-DH_check_params_ex(const DH *dh)
-{
-	int flags = 0;
-
-	if (!DH_check_params(dh, &flags))
-		return 0;
-
-	if ((flags & DH_CHECK_P_NOT_PRIME) != 0)
-		DHerror(DH_R_CHECK_P_NOT_PRIME);
-	if ((flags & DH_NOT_SUITABLE_GENERATOR) != 0)
-		DHerror(DH_R_NOT_SUITABLE_GENERATOR);
-
-	return flags == 0;
-}
-
-int
+static int
 DH_check_params(const DH *dh, int *flags)
 {
 	BIGNUM *max_g = NULL;
@@ -124,35 +107,8 @@ DH_check_params(const DH *dh, int *flags)
 
 /*
  * Check that p is a safe prime and that g is a suitable generator.
- * The _ex version puts errors on the stack instead of returning flags.
  */
 
-int
-DH_check_ex(const DH *dh)
-{
-	int flags = 0;
-
-	if (!DH_check(dh, &flags))
-		return 0;
-
-	if ((flags & DH_NOT_SUITABLE_GENERATOR) != 0)
-		DHerror(DH_R_NOT_SUITABLE_GENERATOR);
-	if ((flags & DH_CHECK_Q_NOT_PRIME) != 0)
-		DHerror(DH_R_CHECK_Q_NOT_PRIME);
-	if ((flags & DH_CHECK_INVALID_Q_VALUE) != 0)
-		DHerror(DH_R_CHECK_INVALID_Q_VALUE);
-	if ((flags & DH_CHECK_INVALID_J_VALUE) != 0)
-		DHerror(DH_R_CHECK_INVALID_J_VALUE);
-	if ((flags & DH_UNABLE_TO_CHECK_GENERATOR) != 0)
-		DHerror(DH_R_UNABLE_TO_CHECK_GENERATOR);
-	if ((flags & DH_CHECK_P_NOT_PRIME) != 0)
-		DHerror(DH_R_CHECK_P_NOT_PRIME);
-	if ((flags & DH_CHECK_P_NOT_SAFE_PRIME) != 0)
-		DHerror(DH_R_CHECK_P_NOT_SAFE_PRIME);
-
-	return flags == 0;
-}
-
 int
 DH_check(const DH *dh, int *flags)
 {
@@ -229,24 +185,6 @@ DH_check(const DH *dh, int *flags)
 }
 LCRYPTO_ALIAS(DH_check);
 
-int
-DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
-{
-	int flags = 0;
-
-	if (!DH_check_pub_key(dh, pub_key, &flags))
-		return 0;
-
-	if ((flags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
-		DHerror(DH_R_CHECK_PUBKEY_TOO_SMALL);
-	if ((flags & DH_CHECK_PUBKEY_TOO_LARGE) != 0)
-		DHerror(DH_R_CHECK_PUBKEY_TOO_LARGE);
-	if ((flags & DH_CHECK_PUBKEY_INVALID) != 0)
-		DHerror(DH_R_CHECK_PUBKEY_INVALID);
-
-	return flags == 0;
-}
-
 int
 DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *flags)
 {

lib/libcrypto/dh/dh_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_local.h,v 1.4 2023/11/29 21:35:57 tb Exp $ */
+/* $OpenBSD: dh_local.h,v 1.5 2024/08/30 17:44:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -102,15 +102,6 @@ struct dh_st {
 	const DH_METHOD *meth;
 };
 
-/*
- * Public API in OpenSSL that we only want to use internally.
- */
-
-int DH_check_params_ex(const DH *dh);
-int DH_check_params(const DH *dh, int *flags);
-int DH_check_ex(const DH *dh);
-int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key);
-
 __END_HIDDEN_DECLS
 
 #endif /* !HEADER_DH_LOCAL_H */

regress/lib/libcrypto/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.58 2024/05/06 14:37:26 jsing Exp $
+#	$OpenBSD: Makefile,v 1.59 2024/08/31 08:23:32 tb Exp $
 
 SUBDIR += aead
 SUBDIR += aes
@@ -50,7 +50,6 @@ SUBDIR += sm3
 SUBDIR += sm4
 SUBDIR += symbols
 SUBDIR += utf8
-SUBDIR += whirlpool
 SUBDIR += wycheproof
 SUBDIR += x509
 

regress/lib/libcrypto/whirlpool/Makefile

@@ -1,9 +0,0 @@
-#	$OpenBSD: Makefile,v 1.1 2024/03/29 07:13:38 joshua Exp $
-
-PROG =          whirlpool_test
-LDADD =         -lcrypto
-DPADD =         ${LIBCRYPTO}
-WARNINGS =      Yes
-CFLAGS +=       -DLIBRESSL_INTERNAL -Werror
-
-.include <bsd.regress.mk>

regress/lib/libcrypto/whirlpool/whirlpool_test.c

@@ -1,242 +0,0 @@
-/*	$OpenBSD: whirlpool_test.c,v 1.3 2024/04/09 18:12:11 tb Exp $ */
-/*
- * Copyright (c) 2024 Joshua Sing <joshua@joshuasing.dev>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <openssl/evp.h>
-#include <openssl/whrlpool.h>
-
-#include <stdint.h>
-#include <string.h>
-
-struct whirlpool_test {
-	const uint8_t in[128];
-	const size_t in_len;
-	const uint8_t out[EVP_MAX_MD_SIZE];
-};
-
-static const struct whirlpool_test whirlpool_tests[] = {
-	{
-		.in = "",
-		.in_len = 0,
-		.out = {
-			0x19, 0xfa, 0x61, 0xd7, 0x55, 0x22, 0xa4, 0x66,
-			0x9b, 0x44, 0xe3, 0x9c, 0x1d, 0x2e, 0x17, 0x26,
-			0xc5, 0x30, 0x23, 0x21, 0x30, 0xd4, 0x07, 0xf8,
-			0x9a, 0xfe, 0xe0, 0x96, 0x49, 0x97, 0xf7, 0xa7,
-			0x3e, 0x83, 0xbe, 0x69, 0x8b, 0x28, 0x8f, 0xeb,
-			0xcf, 0x88, 0xe3, 0xe0, 0x3c, 0x4f, 0x07, 0x57,
-			0xea, 0x89, 0x64, 0xe5, 0x9b, 0x63, 0xd9, 0x37,
-			0x08, 0xb1, 0x38, 0xcc, 0x42, 0xa6, 0x6e, 0xb3,
-		},
-	},
-	{
-		.in = "a",
-		.in_len = 1,
-		.out = {
-			0x8a,  0xca,  0x26,  0x02,  0x79,  0x2a,  0xec,  0x6f,
-			0x11,  0xa6,  0x72,  0x06,  0x53,  0x1f,  0xb7,  0xd7,
-			0xf0,  0xdf,  0xf5,  0x94,  0x13,  0x14,  0x5e,  0x69,
-			0x73,  0xc4,  0x50,  0x01,  0xd0,  0x08,  0x7b,  0x42,
-			0xd1,  0x1b,  0xc6,  0x45,  0x41,  0x3a,  0xef,  0xf6,
-			0x3a,  0x42,  0x39,  0x1a,  0x39,  0x14,  0x5a,  0x59,
-			0x1a,  0x92,  0x20,  0x0d,  0x56,  0x01,  0x95,  0xe5,
-			0x3b,  0x47,  0x85,  0x84,  0xfd,  0xae,  0x23,  0x1a,
-		},
-	},
-	{
-		.in = "abc",
-		.in_len = 3,
-		.out = {
-			0x4e,  0x24,  0x48,  0xa4,  0xc6,  0xf4,  0x86,  0xbb,
-			0x16,  0xb6,  0x56,  0x2c,  0x73,  0xb4,  0x02,  0x0b,
-			0xf3,  0x04,  0x3e,  0x3a,  0x73,  0x1b,  0xce,  0x72,
-			0x1a,  0xe1,  0xb3,  0x03,  0xd9,  0x7e,  0x6d,  0x4c,
-			0x71,  0x81,  0xee,  0xbd,  0xb6,  0xc5,  0x7e,  0x27,
-			0x7d,  0x0e,  0x34,  0x95,  0x71,  0x14,  0xcb,  0xd6,
-			0xc7,  0x97,  0xfc,  0x9d,  0x95,  0xd8,  0xb5,  0x82,
-			0xd2,  0x25,  0x29,  0x20,  0x76,  0xd4,  0xee,  0xf5,
-		},
-	},
-	{
-		.in = "message digest",
-		.in_len = 14,
-		.out = {
-			0x37,  0x8c,  0x84,  0xa4,  0x12,  0x6e,  0x2d,  0xc6,
-			0xe5,  0x6d,  0xcc,  0x74,  0x58,  0x37,  0x7a,  0xac,
-			0x83,  0x8d,  0x00,  0x03,  0x22,  0x30,  0xf5,  0x3c,
-			0xe1,  0xf5,  0x70,  0x0c,  0x0f,  0xfb,  0x4d,  0x3b,
-			0x84,  0x21,  0x55,  0x76,  0x59,  0xef,  0x55,  0xc1,
-			0x06,  0xb4,  0xb5,  0x2a,  0xc5,  0xa4,  0xaa,  0xa6,
-			0x92,  0xed,  0x92,  0x00,  0x52,  0x83,  0x8f,  0x33,
-			0x62,  0xe8,  0x6d,  0xbd,  0x37,  0xa8,  0x90,  0x3e,
-		},
-	},
-	{
-		.in = "abcdefghijklmnopqrstuvwxyz",
-		.in_len = 26,
-		.out = {
-			0xf1,  0xd7,  0x54,  0x66,  0x26,  0x36,  0xff,  0xe9,
-			0x2c,  0x82,  0xeb,  0xb9,  0x21,  0x2a,  0x48,  0x4a,
-			0x8d,  0x38,  0x63,  0x1e,  0xad,  0x42,  0x38,  0xf5,
-			0x44,  0x2e,  0xe1,  0x3b,  0x80,  0x54,  0xe4,  0x1b,
-			0x08,  0xbf,  0x2a,  0x92,  0x51,  0xc3,  0x0b,  0x6a,
-			0x0b,  0x8a,  0xae,  0x86,  0x17,  0x7a,  0xb4,  0xa6,
-			0xf6,  0x8f,  0x67,  0x3e,  0x72,  0x07,  0x86,  0x5d,
-			0x5d,  0x98,  0x19,  0xa3,  0xdb,  0xa4,  0xeb,  0x3b,
-		},
-	},
-	{
-		.in = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
-		.in_len = 62,
-		.out = {
-			0xdc,  0x37,  0xe0,  0x08,  0xcf,  0x9e,  0xe6,  0x9b,
-			0xf1,  0x1f,  0x00,  0xed,  0x9a,  0xba,  0x26,  0x90,
-			0x1d,  0xd7,  0xc2,  0x8c,  0xde,  0xc0,  0x66,  0xcc,
-			0x6a,  0xf4,  0x2e,  0x40,  0xf8,  0x2f,  0x3a,  0x1e,
-			0x08,  0xeb,  0xa2,  0x66,  0x29,  0x12,  0x9d,  0x8f,
-			0xb7,  0xcb,  0x57,  0x21,  0x1b,  0x92,  0x81,  0xa6,
-			0x55,  0x17,  0xcc,  0x87,  0x9d,  0x7b,  0x96,  0x21,
-			0x42,  0xc6,  0x5f,  0x5a,  0x7a,  0xf0,  0x14,  0x67,
-		},
-	},
-	{
-		.in = "12345678901234567890123456789012345678901234567890123456789012345678901234567890",
-		.in_len = 80,
-		.out = {
-			0x46,  0x6e,  0xf1,  0x8b,  0xab,  0xb0,  0x15,  0x4d,
-			0x25,  0xb9,  0xd3,  0x8a,  0x64,  0x14,  0xf5,  0xc0,
-			0x87,  0x84,  0x37,  0x2b,  0xcc,  0xb2,  0x04,  0xd6,
-			0x54,  0x9c,  0x4a,  0xfa,  0xdb,  0x60,  0x14,  0x29,
-			0x4d,  0x5b,  0xd8,  0xdf,  0x2a,  0x6c,  0x44,  0xe5,
-			0x38,  0xcd,  0x04,  0x7b,  0x26,  0x81,  0xa5,  0x1a,
-			0x2c,  0x60,  0x48,  0x1e,  0x88,  0xc5,  0xa2,  0x0b,
-			0x2c,  0X2A,  0X80,  0XCF,  0X3A,  0X9A,  0X08,  0X3B,
-		},
-	},
-	{
-		.in = "abcdbcdecdefdefgefghfghighijhijk",
-		.in_len = 32,
-		.out = {
-			0x2a,  0x98,  0x7e,  0xa4,  0x0f,  0x91,  0x70,  0x61,
-			0xf5,  0xd6,  0xf0,  0xa0,  0xe4,  0x64,  0x4f,  0x48,
-			0x8a,  0x7a,  0x5a,  0x52,  0xde,  0xee,  0x65,  0x62,
-			0x07,  0xc5,  0x62,  0xf9,  0x88,  0xe9,  0x5c,  0x69,
-			0x16,  0xbd,  0xc8,  0x03,  0x1b,  0xc5,  0xbe,  0x1b,
-			0x7b,  0x94,  0x76,  0x39,  0xfe,  0x05,  0x0b,  0x56,
-			0x93,  0x9b,  0xaa,  0xa0,  0xad,  0xff,  0x9a,  0xe6,
-			0x74,  0x5b,  0x7b,  0x18,  0x1c,  0x3b,  0xe3,  0xfd,
-		},
-	},
-};
-
-#define N_WHIRLPOOL_TESTS (sizeof(whirlpool_tests) / sizeof(whirlpool_tests[0]))
-
-static int
-whirlpool_test(void)
-{
-	const struct whirlpool_test *wt;
-	EVP_MD_CTX *md_ctx = NULL;
-	const EVP_MD *md = EVP_whirlpool();
-	uint8_t out[EVP_MAX_MD_SIZE];
-	size_t i, l, in_len;
-	int failed = 1;
-
-	if ((md_ctx = EVP_MD_CTX_new()) == NULL) {
-		fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
-		goto failed;
-	}
-
-	for (i = 0; i < N_WHIRLPOOL_TESTS; i++) {
-		wt = &whirlpool_tests[i];
-
-		/* Digest */
-		memset(out, 0, sizeof(out));
-		WHIRLPOOL(wt->in, wt->in_len, out);
-		if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) {
-			fprintf(stderr, "FAIL (%zu): digest mismatch\n", i);
-			goto failed;
-		}
-
-		/* EVP single-shot digest */
-		memset(out, 0, sizeof(out));
-		if (!EVP_Digest(wt->in, wt->in_len, out, NULL, md, NULL)) {
-			fprintf(stderr, "FAIL (%zu): EVP_Digest failed\n", i);
-			goto failed;
-		}
-
-		if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) {
-			fprintf(stderr,
-			    "FAIL (%zu): EVP single-shot mismatch\n", i);
-			goto failed;
-		}
-
-		/* EVP digest */
-		memset(out, 0, sizeof(out));
-		if (!EVP_DigestInit_ex(md_ctx, md, NULL)) {
-			fprintf(stderr,
-			    "FAIL (%zu): EVP_DigestInit_ex failed\n", i);
-			goto failed;
-		}
-
-		for (l = 0; l < wt->in_len;) {
-			in_len = 1;
-			if (wt->in_len > 1)
-				in_len = arc4random_uniform(wt->in_len / 2);
-			if (in_len < 1)
-				in_len = 1;
-			if (in_len > wt->in_len - l)
-				in_len = wt->in_len - l;
-
-			if (!EVP_DigestUpdate(md_ctx, wt->in + l, in_len)) {
-				fprintf(stderr,
-				    "FAIL(%zu, %zu): EVP_DigestUpdate failed\n",
-				    i, l);
-				goto failed;
-			}
-
-			l += in_len;
-		}
-
-		if (!EVP_DigestFinal_ex(md_ctx, out, NULL)) {
-			fprintf(stderr,
-			    "FAIL (%zu): EVP_DigestFinal_ex failed\n",
-			    i);
-			goto failed;
-		}
-
-		if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) {
-			fprintf(stderr, "FAIL (%zu): EVP mismatch\n", i);
-			goto failed;
-		}
-	}
-
-	failed = 0;
-
- failed:
-	EVP_MD_CTX_free(md_ctx);
-
-	return failed;
-}
-
-int
-main(int argc, char **argv)
-{
-	int failed = 0;
-
-	failed |= whirlpool_test();
-
-	return failed;
-}

share/man/man4/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.849 2024/08/04 14:21:09 kettenis Exp $
+#	$OpenBSD: Makefile,v 1.850 2024/08/31 04:21:45 dlg Exp $
 
 MAN=	aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
 	acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \
@@ -83,7 +83,7 @@ MAN=	aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \
 	rkemmcphy.4 rkgpio.4 rkgrf.4 rkiic.4 rkiis.4 rkiovd.4 \
 	rkpcie.4 rkpciephy.4 rkpinctrl.4 rkpmic.4 rkpwm.4 \
 	rkrng.4 rkspi.4 rktcphy.4 rktemp.4 rkusbphy.4 rkvop.4 \
-	rl.4 rlphy.4 route.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \
+	rl.4 rlphy.4 route.4 rport.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \
 	safte.4 sbus.4 schsio.4 scmi.4 scsi.4 sd.4 \
 	sdmmc.4 sdhc.4 se.4 sec.4 ses.4 sf.4 sili.4 \
 	simpleamp.4 simpleaudio.4 simplefb.4 simplepanel.4 siop.4 sis.4 sk.4 \

share/man/man4/etherip.4

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: etherip.4,v 1.9 2024/08/30 09:39:07 dlg Exp $
+.\"	$OpenBSD: etherip.4,v 1.10 2024/08/30 20:08:05 jmc Exp $
 .\"
 .\" Copyright (c) 2015 YASUOKA Masahiko <yasuoka@openbsd.org>
 .\"
@@ -55,11 +55,11 @@ must be set to 1, unless
 is being used to protect the traffic.
 .Pp
 .Nm
-interfaces can configured as part of an Ethernet bridges such as
+interfaces can configured as part of an Ethernet bridge, such as
 .Xr veb 4 ,
 .Xr tpmr 4 ,
 and
-.Xr bridge 4
+.Xr bridge 4 ,
 to extend the connectivity of Ethernet networks across IP networks,
 possibly across the Internet.
 .Pp
@@ -73,7 +73,7 @@ public Internet.
 EtherIP encapsulated packets may be protected with IPsec by specifying
 the appropriate IPsec flows between the two endpoints.
 To only protect the encapsulated EtherIP traffic between the tunnel
-enpoints the IP transport protocol 97 (etherip) selector may be used
+endpoints, the IP transport protocol 97 (etherip) selector may be used
 in
 .Xr ipsec.conf 5
 or
@@ -88,7 +88,7 @@ to network1 on em1, and host gw2 has the external IP address
 198.51.100.14 and is connected to network2 on ix1, the following
 configuration can be used to bridge network1 and network2.
 .Pp
-First create the a bridge using a
+First create a bridge using a
 .Xr veb 4
 interface,
 adding the

share/man/man4/rport.4

@@ -0,0 +1,85 @@
+.\" $OpenBSD: rport.4,v 1.1 2024/08/31 04:21:45 dlg Exp $
+.\"
+.\" Copyright (c) 2024 David Gwynne <dlg@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: August 31 2024 $
+.Dt RPORT 4
+.Os
+.Sh NAME
+.Nm rport
+.Nd rdomain port interface pseudo-device
+.Sh SYNOPSIS
+.Cd "pseudo-device rport"
+.Sh DESCRIPTION
+The
+.Nm
+driver provides point-to-point interfaces for layer 3 connectivity
+between
+.Xr rdomain 4
+instances.
+.Pp
+Layer 3 connectivity between a pair of rdomains can be established
+by creating a
+.Nm
+interface in each rdomain, and connecting them together by configuring
+one of these interfaces as the parent of the other.
+.Pp
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig rport Ns Ar N Ic create
+command or by setting up a
+.Xr hostname.if 5
+configuration file for
+.Xr netstart 8 .
+The interface itself can be configured with
+.Xr ifconfig 8 ;
+see its manual page for more information.
+.Sh EXAMPLES
+Create two
+.Nm
+interfaces in separate
+.Xr rdomain 4 Ns s
+and connect them together:
+.Bd -literal -offset indent
+# ifconfig rport0 create rdomain 0 up
+# ifconfig rport1 create rdomain 1 parent rport0 up
+# ifconfig rport0 inet 192.168.0.0/32 192.168.0.1
+# ifconfig rport1 inet 192.168.0.1/32 192.168.0.0
+.Ed
+.Sh SEE ALSO
+.Xr netintro 4 ,
+.Xr veb 4 ,
+.Xr hostname.if 5 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr netstart 8
+.Sh HISTORY
+The
+.Nm
+driver first appeared in
+.Ox 7.6 .
+.Sh AUTHORS
+.An David Gwynne Aq Mt dlg@openbsd.org .
+.Sh CAVEATS
+A pair of
+.Nm
+interfaces must be created for each connection between a pair of rdomains.
+Alternatively, if peering between multiple
+.Xr rdomain 4
+instances is required, a single
+.Xr veb 4
+interface with a
+.Xr vport 4
+interface for each rdomain can be used instead.

share/man/man4/sec.4

@@ -1,4 +1,4 @@
-.\" $OpenBSD: sec.4,v 1.3 2024/08/30 13:09:10 dlg Exp $
+.\" $OpenBSD: sec.4,v 1.4 2024/08/31 00:51:29 dlg Exp $
 .\"
 .\" Copyright (c) 2023 David Gwynne <dlg@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 30 2024 $
+.Dd $Mdocdate: August 31 2024 $
 .Dt SEC 4
 .Os
 .Sh NAME
@@ -112,10 +112,21 @@ ikev2 "s2s" active \\
 	iface sec0
 .Ed
 .Pp
-Once
-.Xr iked 8
-is running with this configuration, communication between the
-customer and provider gateways is enabled.
+Alternatively, IKEv1 negotiation of the IPsec tunnel SAs is supported by
+.Xr isakmpd 8
+and
+.Xr ipsecctl 8 .
+The equivalient
+.Xr ipsec.conf 5
+configuration for the given parameters follows:
+.Bd -literal -offset indent
+ike interface sec0 \\
+	local 192.0.2.8 peer 198.51.100.14 \\
+	psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2"
+.Ed
+.Pp
+Once the Security Associations are established, communication between
+the customer and provider gateways is enabled.
 .Pp
 Routes to networks hosted by the provider can be added using the
 providers

sys/conf/GENERIC

@@ -1,4 +1,4 @@
-#	$OpenBSD: GENERIC,v 1.296 2024/05/05 07:26:58 jsg Exp $
+#	$OpenBSD: GENERIC,v 1.297 2024/08/31 04:17:14 dlg Exp $
 #
 #	Machine-independent option; used by all architectures for their
 #	GENERIC kernel
@@ -96,6 +96,7 @@ pseudo-device	mpe		# MPLS PE interface
 pseudo-device	mpw		# MPLS pseudowire support
 pseudo-device	mpip		# MPLS IP Layer2 pseudowire support
 pseudo-device	bpe		# Provider Backbone Bridge edge interface
+pseudo-device	rport		# rdomain port interface
 pseudo-device	pair		# Virtual Ethernet interface pair
 pseudo-device	ppp		# PPP
 pseudo-device	pppoe		# PPP over Ethernet (RFC 2516)

sys/conf/files

@@ -1,4 +1,4 @@
-#	$OpenBSD: files,v 1.735 2024/08/14 14:40:46 patrick Exp $
+#	$OpenBSD: files,v 1.736 2024/08/31 04:17:14 dlg Exp $
 #	$NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93
@@ -568,6 +568,7 @@ pseudo-device msts: tty
 pseudo-device endrun: tty
 
 pseudo-device loop: ifnet
+pseudo-device rport: ifnet
 pseudo-device pair: ifnet, ether
 pseudo-device ppp: ifnet
 pseudo-device tun: ifnet
@@ -855,6 +856,7 @@ file net/if_mpw.c			mpw
 file net/if_mpip.c			mpip
 file net/if_bpe.c			bpe			needs-count
 file net/if_vether.c			vether
+file net/if_rport.c			rport
 file net/if_pair.c			pair
 file net/if_pppx.c			pppx			needs-count
 file net/if_vxlan.c			vxlan			needs-count

sys/dev/ic/ufshci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ufshci.c,v 1.40 2024/08/20 05:36:38 jsg Exp $ */
+/*	$OpenBSD: ufshci.c,v 1.41 2024/08/30 18:22:41 mglocker Exp $ */
 
 /*
  * Copyright (c) 2022 Marcus Glocker <mglocker@openbsd.org>
@@ -1352,7 +1352,7 @@ ufshci_xfer_complete(struct ufshci_softc *sc)
 		/* 7.2.3: Clear completion notification 3b) */
 		UFSHCI_WRITE_4(sc, UFSHCI_REG_UTRLCNR, (1U << i));
 
-		/* 7.2.3: Mark software slot for re-use 3c) */
+		/* 7.2.3: Mark software slot for reuse 3c) */
 		ccb->ccb_status = CCB_STATUS_READY2FREE;
 
 		DPRINTF(3, "slot %d completed\n", i);
@@ -1951,7 +1951,7 @@ ufshci_hibernate_io(dev_t dev, daddr_t blkno, vaddr_t addr, size_t size,
 		/* Stop run queues and disable interrupts. */
 		ufshci_disable(my->sc);
 
-		/* Tell the controler the new hibernate UTRD address. */
+		/* Tell the controller the new hibernate UTRD address. */
 		pmap_extract(pmap_kernel(), (vaddr_t)page, &page_phys);
 		page_bus_phys = page_phys + ((void *)&my->utrd - page);
 		UFSHCI_WRITE_4(my->sc, UFSHCI_REG_UTRLBA,
@@ -2058,7 +2058,7 @@ ufshci_hibernate_io(dev_t dev, daddr_t blkno, vaddr_t addr, size_t size,
 		return EIO;
 	UFSHCI_WRITE_4(my->sc, UFSHCI_REG_UTRLCNR, (1U << slot));
 
-	/* Check if the command was succesfully executed. */
+	/* Check if the command was successfully executed. */
 	if (my->utrd.dw2 != UFSHCI_UTRD_DW2_OCS_SUCCESS)
 		return EIO;
 

sys/net/if_rport.c

@@ -0,0 +1,456 @@
+/*	$OpenBSD: if_rport.c,v 1.1 2024/08/31 04:17:14 dlg Exp $ */
+
+/*
+ * Copyright (c) 2023 David Gwynne <dlg@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/mbuf.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/syslog.h>
+#include <sys/queue.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+#include <net/if_types.h>
+#include <net/route.h>
+
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip_ipip.h>
+#include <netinet/ip_ecn.h>
+
+#ifdef INET6
+#include <netinet6/in6_var.h>
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+#endif /* INET6 */
+
+#include "bpfilter.h"
+#if NBPFILTER > 0
+#include <net/bpf.h>
+#endif
+
+#ifdef MPLS
+#include <netmpls/mpls.h>
+#endif
+
+#include "pf.h"
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
+#define RPORT_MTU_MIN		1280
+#define RPORT_MTU_MAX		32768 /* LOMTU, but could be higher */
+#define RPORT_MTU_DEFAULT	RPORT_MTU_MAX
+
+struct rport_softc {
+	struct ifnet			 sc_if;
+
+	unsigned int			 sc_peer_idx;
+};
+
+static int	rport_clone_create(struct if_clone *, int);
+static int	rport_clone_destroy(struct ifnet *);
+
+static int	rport_ioctl(struct ifnet *, u_long, caddr_t);
+static int	rport_output(struct ifnet *, struct mbuf *, struct sockaddr *,
+		    struct rtentry *);
+static int	rport_enqueue(struct ifnet *, struct mbuf *);
+static void	rport_start(struct ifqueue *);
+static void	rport_input(struct ifnet *, struct mbuf *);
+
+static int	rport_up(struct rport_softc *);
+static int	rport_down(struct rport_softc *);
+
+static int	rport_set_parent(struct rport_softc *,
+		    const struct if_parent *);
+static int	rport_get_parent(struct rport_softc *, struct if_parent *);
+static int	rport_del_parent(struct rport_softc *);
+
+static struct if_clone rport_cloner =
+    IF_CLONE_INITIALIZER("rport", rport_clone_create, rport_clone_destroy);
+
+static struct rwlock rport_interfaces_lock =
+    RWLOCK_INITIALIZER("rports");
+
+void
+rportattach(int count)
+{
+	if_clone_attach(&rport_cloner);
+}
+
+static int
+rport_clone_create(struct if_clone *ifc, int unit)
+{
+	struct rport_softc *sc;
+	struct ifnet *ifp;
+
+	sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
+	ifp = &sc->sc_if;
+
+	snprintf(ifp->if_xname, sizeof(ifp->if_xname),
+	    "%s%d", ifc->ifc_name, unit);
+
+	ifp->if_mtu = RPORT_MTU_DEFAULT;
+	ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
+	ifp->if_xflags = IFXF_CLONED | IFXF_MPSAFE;
+	ifp->if_ioctl = rport_ioctl;
+	ifp->if_bpf_mtap = p2p_bpf_mtap;
+	ifp->if_output = rport_output;
+	ifp->if_enqueue = rport_enqueue;
+	ifp->if_qstart = rport_start;
+	ifp->if_input = rport_input;
+	ifp->if_rtrequest = p2p_rtrequest;
+	ifp->if_type = IFT_TUNNEL;
+	ifp->if_softc = sc;
+
+	if_attach(ifp);
+	if_alloc_sadl(ifp);
+	if_counters_alloc(ifp);
+
+#if NBPFILTER > 0
+	bpfattach(&ifp->if_bpf, ifp, DLT_LOOP, sizeof(uint32_t));
+#endif
+
+	return (0);
+}
+
+int
+rport_clone_destroy(struct ifnet *ifp)
+{
+	struct rport_softc *sc = ifp->if_softc;
+
+	NET_LOCK();
+	if (ISSET(ifp->if_flags, IFF_RUNNING))
+		rport_down(sc);
+	rport_del_parent(sc);
+	NET_UNLOCK();
+
+	if_detach(ifp);
+
+	free(sc, M_DEVBUF, sizeof(*sc));
+
+	return (0);
+}
+
+static int
+rport_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+    struct rtentry *rt)
+{
+	struct m_tag *mtag;
+	int error = 0;
+
+	if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
+		error = ENETDOWN;
+		goto drop;
+	}
+
+	switch (dst->sa_family) {
+	case AF_INET:
+#ifdef INET6
+	case AF_INET6:
+#endif
+#ifdef MPLS
+	case AF_MPLS:
+#endif
+		break;
+	default:
+		error = EAFNOSUPPORT;
+		goto drop;
+	}
+
+	/* Try to limit infinite recursion through misconfiguration. */
+	mtag = NULL;
+	while ((mtag = m_tag_find(m, PACKET_TAG_GRE, mtag)) != NULL) {
+		if (*(int *)(mtag + 1) == ifp->if_index) {
+			error = EIO;
+			goto drop;
+		}
+	}
+
+	mtag = m_tag_get(PACKET_TAG_GRE, sizeof(ifp->if_index), M_NOWAIT);
+	if (mtag == NULL) {
+		error = ENOBUFS;
+		goto drop;
+	}
+	*(int *)(mtag + 1) = ifp->if_index;
+	m_tag_prepend(m, mtag);
+
+	m->m_flags &= ~(M_BCAST|M_MCAST);
+	m->m_pkthdr.ph_family = dst->sa_family;
+#if NPF > 0
+	pf_pkt_addr_changed(m);
+#endif
+
+	error = if_enqueue(ifp, m);
+	if (error)
+		counters_inc(ifp->if_counters, ifc_oerrors);
+
+	return (error);
+
+drop:
+	m_freem(m);
+	return (error);
+}
+
+static int
+rport_enqueue(struct ifnet *ifp, struct mbuf *m)
+{
+	struct ifqueue *ifq = &ifp->if_snd;
+	int error;
+
+	error = ifq_enqueue(ifq, m);
+	if (error)
+		return (error);
+
+	/*
+	 * always defer handover of packets to the peer to the ifq
+	 * bundle task to provide control over the NET_LOCK scope.
+	 */
+	task_add(ifq->ifq_softnet, &ifq->ifq_bundle);
+
+	return (0);
+}
+
+static void
+rport_start(struct ifqueue *ifq)
+{
+	struct ifnet *ifp = ifq->ifq_if;
+	struct rport_softc *sc = ifp->if_softc;
+	struct ifnet *ifp0;
+	struct mbuf *m;
+
+	ifp0 = if_get(sc->sc_peer_idx);
+	if (ifp0 == NULL || !ISSET(ifp0->if_flags, IFF_RUNNING)) {
+		ifq_purge(ifq);
+		if_put(ifp0);
+		return;
+	}
+
+	NET_LOCK_SHARED();
+	while ((m = ifq_dequeue(ifq)) != NULL) {
+#if NBPFILTER > 0
+		caddr_t if_bpf = READ_ONCE(ifp->if_bpf);
+		if (if_bpf && bpf_mtap_af(if_bpf, m->m_pkthdr.ph_family,
+		    m, BPF_DIRECTION_OUT)) {
+			m_freem(m);
+			continue;
+		}
+#endif
+
+		if_vinput(ifp0, m);
+	}
+	NET_UNLOCK_SHARED();
+
+	if_put(ifp0);
+}
+
+static void
+rport_input(struct ifnet *ifp, struct mbuf *m)
+{
+        switch (m->m_pkthdr.ph_family) {
+        case AF_INET:
+                ipv4_input(ifp, m);
+                break;
+#ifdef INET6
+        case AF_INET6:
+                ipv6_input(ifp, m);
+                break;
+#endif
+#ifdef MPLS
+        case AF_MPLS:
+                mpls_input(ifp, m);
+                break;
+#endif
+        default:
+		counters_inc(ifp->if_counters, ifc_noproto);
+                m_freem(m);
+                break;
+        }
+}
+
+static int
+rport_up(struct rport_softc *sc)
+{
+	NET_ASSERT_LOCKED();
+
+	SET(sc->sc_if.if_flags, IFF_RUNNING);
+
+	return (0);
+}
+
+static int
+rport_down(struct rport_softc *sc)
+{
+	NET_ASSERT_LOCKED();
+
+	CLR(sc->sc_if.if_flags, IFF_RUNNING);
+
+	return (0);
+}
+
+static int
+rport_set_parent(struct rport_softc *sc, const struct if_parent *p)
+{
+	struct ifnet *ifp = &sc->sc_if;
+	struct ifnet *ifp0;
+	struct rport_softc *sc0;
+	int error;
+
+	error = rw_enter(&rport_interfaces_lock, RW_WRITE | RW_INTR);
+	if (error != 0)
+		return (error);
+
+	ifp0 = if_unit(p->ifp_parent);
+	if (ifp0 == NULL) {
+		error = EINVAL;
+		goto leave;
+	}
+
+	if (ifp0 == ifp) {
+		error = EINVAL;
+		goto leave;
+	}
+
+	if (ifp0->if_input != rport_input) {
+		error = EPROTONOSUPPORT;
+		goto put;
+	}
+
+	sc0 = ifp0->if_softc;
+
+	if (sc->sc_peer_idx == ifp0->if_index) {
+		/* nop */
+		KASSERT(sc0->sc_peer_idx == ifp->if_index);
+		goto put;
+	}
+
+	if (sc->sc_peer_idx != 0 || sc0->sc_peer_idx != 0) {
+		error = EBUSY;
+		goto put;
+	}
+
+	/* commit */
+	sc->sc_peer_idx = ifp0->if_index;
+	sc0->sc_peer_idx = ifp->if_index;
+
+put:
+	if_put(ifp0);
+leave:
+	rw_exit(&rport_interfaces_lock);
+
+	return (error);
+}
+
+static int
+rport_get_parent(struct rport_softc *sc, struct if_parent *p)
+{
+	struct ifnet *ifp0;
+	int error = 0;
+
+	ifp0 = if_get(sc->sc_peer_idx);
+	if (ifp0 == NULL)
+		error = EADDRNOTAVAIL;
+	else {
+		if (strlcpy(p->ifp_parent, ifp0->if_xname,
+		    sizeof(p->ifp_parent)) >= sizeof(p->ifp_parent))
+			panic("%s strlcpy", __func__);
+	}
+	if_put(ifp0);
+
+	return (error);
+}
+
+static int
+rport_del_parent(struct rport_softc *sc)
+{
+	struct rport_softc *sc0;
+	struct ifnet *ifp0;
+	int error;
+
+	error = rw_enter(&rport_interfaces_lock, RW_WRITE | RW_INTR);
+	if (error != 0)
+		return (error);
+
+	ifp0 = if_get(sc->sc_peer_idx);
+	sc->sc_peer_idx = 0;
+
+	if (ifp0 != NULL) {
+		sc0 = ifp0->if_softc;
+		sc0->sc_peer_idx = 0;
+	}
+	if_put(ifp0);
+
+	rw_exit(&rport_interfaces_lock);
+
+	return (0);
+}
+
+static int
+rport_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+	struct rport_softc *sc = ifp->if_softc;
+	struct ifreq *ifr = (struct ifreq *)data;
+	int error = 0;
+
+	switch (cmd) {
+	case SIOCSIFADDR:
+		break;
+	case SIOCSIFFLAGS:
+		if (ISSET(ifp->if_flags, IFF_UP)) {
+			if (!ISSET(ifp->if_flags, IFF_RUNNING))
+				error = rport_up(sc);
+		} else {
+			if (ISSET(ifp->if_flags, IFF_RUNNING))
+				error = rport_down(sc);
+		}
+		break;
+
+	case SIOCADDMULTI:
+	case SIOCDELMULTI:
+		break;
+
+	case SIOCSIFMTU:
+		if (ifr->ifr_mtu < RPORT_MTU_MIN ||
+		    ifr->ifr_mtu > RPORT_MTU_MAX) {
+			error = EINVAL;
+			break;
+		}
+
+		ifp->if_mtu = ifr->ifr_mtu;
+		break;
+
+	case SIOCSIFPARENT:
+		error = rport_set_parent(sc, (struct if_parent *)data);
+		break;
+	case SIOCGIFPARENT:
+		error = rport_get_parent(sc, (struct if_parent *)data);
+		break;
+	case SIOCDIFPARENT:
+		error = rport_del_parent(sc);
+		break;
+
+	default:
+		error = ENOTTY;
+		break;
+	}
+
+	return (error);
+}

usr.bin/openssl/ocsp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.24 2024/08/29 11:04:02 tb Exp $ */
+/* $OpenBSD: ocsp.c,v 1.25 2024/08/30 17:26:44 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -70,6 +70,7 @@
 #include "apps.h"
 
 #include <openssl/bn.h>
+#include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -184,13 +185,51 @@ ocsp_opt_cert_id_md(int argc, char **argv, int *argsused)
 	return (0);
 }
 
+static int
+x509v3_add_value(const char *name, const char *value,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	CONF_VALUE *vtmp = NULL;
+	STACK_OF(CONF_VALUE) *free_exts = NULL;
+
+	if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL)
+		goto err;
+	if (name != NULL) {
+		if ((vtmp->name = strdup(name)) == NULL)
+			goto err;
+	}
+	if (value != NULL) {
+		if ((vtmp->value = strdup(value)) == NULL)
+			goto err;
+	}
+
+	if (*extlist == NULL) {
+		if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL)
+			goto err;
+	}
+
+	if (!sk_CONF_VALUE_push(*extlist, vtmp))
+		goto err;
+
+	return 1;
+
+ err:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	X509V3_conf_free(vtmp);
+	if (free_exts != NULL) {
+		sk_CONF_VALUE_free(*extlist);
+		*extlist = NULL;
+	}
+	return 0;
+}
+
 static int
 ocsp_opt_header(int argc, char **argv, int *argsused)
 {
 	if (argc < 3 || argv[1] == NULL || argv[2] == NULL)
 		return (1);
 
-	if (!X509V3_add_value(argv[1], argv[2], &cfg.headers)) {
+	if (!x509v3_add_value(argv[1], argv[2], &cfg.headers)) {
 		cfg.no_usage = 1;
 		return (1);
 	}