From 9419b927005fe869df2ddc41cf7ce9c7047a3297 Mon Sep 17 00:00:00 2001 From: purplerain Date: Sat, 31 Aug 2024 09:00:55 +0000 Subject: [PATCH] sync with OpenBSD -current --- lib/libcrypto/dh/dh_check.c | 68 +-- lib/libcrypto/dh/dh_local.h | 11 +- regress/lib/libcrypto/Makefile | 3 +- regress/lib/libcrypto/whirlpool/Makefile | 9 - .../lib/libcrypto/whirlpool/whirlpool_test.c | 242 ---------- share/man/man4/Makefile | 4 +- share/man/man4/etherip.4 | 10 +- share/man/man4/rport.4 | 85 ++++ share/man/man4/sec.4 | 23 +- sys/conf/GENERIC | 3 +- sys/conf/files | 4 +- sys/dev/ic/ufshci.c | 8 +- sys/net/if_rport.c | 456 ++++++++++++++++++ usr.bin/openssl/ocsp.c | 43 +- 14 files changed, 620 insertions(+), 349 deletions(-) delete mode 100644 regress/lib/libcrypto/whirlpool/Makefile delete mode 100644 regress/lib/libcrypto/whirlpool/whirlpool_test.c create mode 100644 share/man/man4/rport.4 create mode 100644 sys/net/if_rport.c diff --git a/lib/libcrypto/dh/dh_check.c b/lib/libcrypto/dh/dh_check.c index db104cedf..f6d1cdeda 100644 --- a/lib/libcrypto/dh/dh_check.c +++ b/lib/libcrypto/dh/dh_check.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_check.c,v 1.28 2023/07/24 16:25:02 tb Exp $ */ +/* $OpenBSD: dh_check.c,v 1.29 2024/08/30 17:44:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,27 +68,10 @@ #define DH_NUMBER_ITERATIONS_FOR_PRIME 64 /* - * Check that p is odd and 1 < g < p - 1. The _ex version removes the need of - * inspecting flags and pushes errors on the stack instead. + * Check that p is odd and 1 < g < p - 1. */ -int -DH_check_params_ex(const DH *dh) -{ - int flags = 0; - - if (!DH_check_params(dh, &flags)) - return 0; - - if ((flags & DH_CHECK_P_NOT_PRIME) != 0) - DHerror(DH_R_CHECK_P_NOT_PRIME); - if ((flags & DH_NOT_SUITABLE_GENERATOR) != 0) - DHerror(DH_R_NOT_SUITABLE_GENERATOR); - - return flags == 0; -} - -int +static int DH_check_params(const DH *dh, int *flags) { BIGNUM *max_g = NULL; 
@@ -124,35 +107,8 @@ DH_check_params(const DH *dh, int *flags) /* * Check that p is a safe prime and that g is a suitable generator. - * The _ex version puts errors on the stack instead of returning flags. */ -int -DH_check_ex(const DH *dh) -{ - int flags = 0; - - if (!DH_check(dh, &flags)) - return 0; - - if ((flags & DH_NOT_SUITABLE_GENERATOR) != 0) - DHerror(DH_R_NOT_SUITABLE_GENERATOR); - if ((flags & DH_CHECK_Q_NOT_PRIME) != 0) - DHerror(DH_R_CHECK_Q_NOT_PRIME); - if ((flags & DH_CHECK_INVALID_Q_VALUE) != 0) - DHerror(DH_R_CHECK_INVALID_Q_VALUE); - if ((flags & DH_CHECK_INVALID_J_VALUE) != 0) - DHerror(DH_R_CHECK_INVALID_J_VALUE); - if ((flags & DH_UNABLE_TO_CHECK_GENERATOR) != 0) - DHerror(DH_R_UNABLE_TO_CHECK_GENERATOR); - if ((flags & DH_CHECK_P_NOT_PRIME) != 0) - DHerror(DH_R_CHECK_P_NOT_PRIME); - if ((flags & DH_CHECK_P_NOT_SAFE_PRIME) != 0) - DHerror(DH_R_CHECK_P_NOT_SAFE_PRIME); - - return flags == 0; -} - int DH_check(const DH *dh, int *flags) { @@ -229,24 +185,6 @@ DH_check(const DH *dh, int *flags) } LCRYPTO_ALIAS(DH_check); -int -DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) -{ - int flags = 0; - - if (!DH_check_pub_key(dh, pub_key, &flags)) - return 0; - - if ((flags & DH_CHECK_PUBKEY_TOO_SMALL) != 0) - DHerror(DH_R_CHECK_PUBKEY_TOO_SMALL); - if ((flags & DH_CHECK_PUBKEY_TOO_LARGE) != 0) - DHerror(DH_R_CHECK_PUBKEY_TOO_LARGE); - if ((flags & DH_CHECK_PUBKEY_INVALID) != 0) - DHerror(DH_R_CHECK_PUBKEY_INVALID); - - return flags == 0; -} - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *flags) { diff --git a/lib/libcrypto/dh/dh_local.h b/lib/libcrypto/dh/dh_local.h index 22e225690..fe7c12bb0 100644 --- a/lib/libcrypto/dh/dh_local.h +++ b/lib/libcrypto/dh/dh_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_local.h,v 1.4 2023/11/29 21:35:57 tb Exp $ */ +/* $OpenBSD: dh_local.h,v 1.5 2024/08/30 17:44:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -102,15 +102,6 @@ struct dh_st { const DH_METHOD *meth; }; -/* - * Public API in OpenSSL that we only want to use internally. - */ - -int DH_check_params_ex(const DH *dh); -int DH_check_params(const DH *dh, int *flags); -int DH_check_ex(const DH *dh); -int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key); - __END_HIDDEN_DECLS #endif /* !HEADER_DH_LOCAL_H */ diff --git a/regress/lib/libcrypto/Makefile b/regress/lib/libcrypto/Makefile index 01db7a5dc..d812cd9db 100644 --- a/regress/lib/libcrypto/Makefile +++ b/regress/lib/libcrypto/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.58 2024/05/06 14:37:26 jsing Exp $ +# $OpenBSD: Makefile,v 1.59 2024/08/31 08:23:32 tb Exp $ SUBDIR += aead SUBDIR += aes @@ -50,7 +50,6 @@ SUBDIR += sm3 SUBDIR += sm4 SUBDIR += symbols SUBDIR += utf8 -SUBDIR += whirlpool SUBDIR += wycheproof SUBDIR += x509 diff --git a/regress/lib/libcrypto/whirlpool/Makefile b/regress/lib/libcrypto/whirlpool/Makefile deleted file mode 100644 index b57edd894..000000000 --- a/regress/lib/libcrypto/whirlpool/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# $OpenBSD: Makefile,v 1.1 2024/03/29 07:13:38 joshua Exp $ - -PROG = whirlpool_test -LDADD = -lcrypto -DPADD = ${LIBCRYPTO} -WARNINGS = Yes -CFLAGS += -DLIBRESSL_INTERNAL -Werror - -.include diff --git a/regress/lib/libcrypto/whirlpool/whirlpool_test.c b/regress/lib/libcrypto/whirlpool/whirlpool_test.c deleted file mode 100644 index 809edbba1..000000000 --- a/regress/lib/libcrypto/whirlpool/whirlpool_test.c +++ /dev/null 
@@ -1,242 +0,0 @@ -/* $OpenBSD: whirlpool_test.c,v 1.3 2024/04/09 18:12:11 tb Exp $ */ -/* - * Copyright (c) 2024 Joshua Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include - -struct whirlpool_test { - const uint8_t in[128]; - const size_t in_len; - const uint8_t out[EVP_MAX_MD_SIZE]; -}; - -static const struct whirlpool_test whirlpool_tests[] = { - { - .in = "", - .in_len = 0, - .out = { - 0x19, 0xfa, 0x61, 0xd7, 0x55, 0x22, 0xa4, 0x66, - 0x9b, 0x44, 0xe3, 0x9c, 0x1d, 0x2e, 0x17, 0x26, - 0xc5, 0x30, 0x23, 0x21, 0x30, 0xd4, 0x07, 0xf8, - 0x9a, 0xfe, 0xe0, 0x96, 0x49, 0x97, 0xf7, 0xa7, - 0x3e, 0x83, 0xbe, 0x69, 0x8b, 0x28, 0x8f, 0xeb, - 0xcf, 0x88, 0xe3, 0xe0, 0x3c, 0x4f, 0x07, 0x57, - 0xea, 0x89, 0x64, 0xe5, 0x9b, 0x63, 0xd9, 0x37, - 0x08, 0xb1, 0x38, 0xcc, 0x42, 0xa6, 0x6e, 0xb3, - }, - }, - { - .in = "a", - .in_len = 1, - .out = { - 0x8a, 0xca, 0x26, 0x02, 0x79, 0x2a, 0xec, 0x6f, - 0x11, 0xa6, 0x72, 0x06, 0x53, 0x1f, 0xb7, 0xd7, - 0xf0, 0xdf, 0xf5, 0x94, 0x13, 0x14, 0x5e, 0x69, - 0x73, 0xc4, 0x50, 0x01, 0xd0, 0x08, 0x7b, 0x42, - 0xd1, 0x1b, 0xc6, 0x45, 0x41, 0x3a, 0xef, 0xf6, - 0x3a, 0x42, 0x39, 0x1a, 0x39, 0x14, 0x5a, 0x59, - 0x1a, 0x92, 0x20, 0x0d, 0x56, 0x01, 0x95, 0xe5, - 0x3b, 0x47, 0x85, 0x84, 0xfd, 0xae, 0x23, 0x1a, - }, - }, - 
{ - .in = "abc", - .in_len = 3, - .out = { - 0x4e, 0x24, 0x48, 0xa4, 0xc6, 0xf4, 0x86, 0xbb, - 0x16, 0xb6, 0x56, 0x2c, 0x73, 0xb4, 0x02, 0x0b, - 0xf3, 0x04, 0x3e, 0x3a, 0x73, 0x1b, 0xce, 0x72, - 0x1a, 0xe1, 0xb3, 0x03, 0xd9, 0x7e, 0x6d, 0x4c, - 0x71, 0x81, 0xee, 0xbd, 0xb6, 0xc5, 0x7e, 0x27, - 0x7d, 0x0e, 0x34, 0x95, 0x71, 0x14, 0xcb, 0xd6, - 0xc7, 0x97, 0xfc, 0x9d, 0x95, 0xd8, 0xb5, 0x82, - 0xd2, 0x25, 0x29, 0x20, 0x76, 0xd4, 0xee, 0xf5, - }, - }, - { - .in = "message digest", - .in_len = 14, - .out = { - 0x37, 0x8c, 0x84, 0xa4, 0x12, 0x6e, 0x2d, 0xc6, - 0xe5, 0x6d, 0xcc, 0x74, 0x58, 0x37, 0x7a, 0xac, - 0x83, 0x8d, 0x00, 0x03, 0x22, 0x30, 0xf5, 0x3c, - 0xe1, 0xf5, 0x70, 0x0c, 0x0f, 0xfb, 0x4d, 0x3b, - 0x84, 0x21, 0x55, 0x76, 0x59, 0xef, 0x55, 0xc1, - 0x06, 0xb4, 0xb5, 0x2a, 0xc5, 0xa4, 0xaa, 0xa6, - 0x92, 0xed, 0x92, 0x00, 0x52, 0x83, 0x8f, 0x33, - 0x62, 0xe8, 0x6d, 0xbd, 0x37, 0xa8, 0x90, 0x3e, - }, - }, - { - .in = "abcdefghijklmnopqrstuvwxyz", - .in_len = 26, - .out = { - 0xf1, 0xd7, 0x54, 0x66, 0x26, 0x36, 0xff, 0xe9, - 0x2c, 0x82, 0xeb, 0xb9, 0x21, 0x2a, 0x48, 0x4a, - 0x8d, 0x38, 0x63, 0x1e, 0xad, 0x42, 0x38, 0xf5, - 0x44, 0x2e, 0xe1, 0x3b, 0x80, 0x54, 0xe4, 0x1b, - 0x08, 0xbf, 0x2a, 0x92, 0x51, 0xc3, 0x0b, 0x6a, - 0x0b, 0x8a, 0xae, 0x86, 0x17, 0x7a, 0xb4, 0xa6, - 0xf6, 0x8f, 0x67, 0x3e, 0x72, 0x07, 0x86, 0x5d, - 0x5d, 0x98, 0x19, 0xa3, 0xdb, 0xa4, 0xeb, 0x3b, - }, - }, - { - .in = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", - .in_len = 62, - .out = { - 0xdc, 0x37, 0xe0, 0x08, 0xcf, 0x9e, 0xe6, 0x9b, - 0xf1, 0x1f, 0x00, 0xed, 0x9a, 0xba, 0x26, 0x90, - 0x1d, 0xd7, 0xc2, 0x8c, 0xde, 0xc0, 0x66, 0xcc, - 0x6a, 0xf4, 0x2e, 0x40, 0xf8, 0x2f, 0x3a, 0x1e, - 0x08, 0xeb, 0xa2, 0x66, 0x29, 0x12, 0x9d, 0x8f, - 0xb7, 0xcb, 0x57, 0x21, 0x1b, 0x92, 0x81, 0xa6, - 0x55, 0x17, 0xcc, 0x87, 0x9d, 0x7b, 0x96, 0x21, - 0x42, 0xc6, 0x5f, 0x5a, 0x7a, 0xf0, 0x14, 0x67, - }, - }, - { - .in = 
"12345678901234567890123456789012345678901234567890123456789012345678901234567890", - .in_len = 80, - .out = { - 0x46, 0x6e, 0xf1, 0x8b, 0xab, 0xb0, 0x15, 0x4d, - 0x25, 0xb9, 0xd3, 0x8a, 0x64, 0x14, 0xf5, 0xc0, - 0x87, 0x84, 0x37, 0x2b, 0xcc, 0xb2, 0x04, 0xd6, - 0x54, 0x9c, 0x4a, 0xfa, 0xdb, 0x60, 0x14, 0x29, - 0x4d, 0x5b, 0xd8, 0xdf, 0x2a, 0x6c, 0x44, 0xe5, - 0x38, 0xcd, 0x04, 0x7b, 0x26, 0x81, 0xa5, 0x1a, - 0x2c, 0x60, 0x48, 0x1e, 0x88, 0xc5, 0xa2, 0x0b, - 0x2c, 0X2A, 0X80, 0XCF, 0X3A, 0X9A, 0X08, 0X3B, - }, - }, - { - .in = "abcdbcdecdefdefgefghfghighijhijk", - .in_len = 32, - .out = { - 0x2a, 0x98, 0x7e, 0xa4, 0x0f, 0x91, 0x70, 0x61, - 0xf5, 0xd6, 0xf0, 0xa0, 0xe4, 0x64, 0x4f, 0x48, - 0x8a, 0x7a, 0x5a, 0x52, 0xde, 0xee, 0x65, 0x62, - 0x07, 0xc5, 0x62, 0xf9, 0x88, 0xe9, 0x5c, 0x69, - 0x16, 0xbd, 0xc8, 0x03, 0x1b, 0xc5, 0xbe, 0x1b, - 0x7b, 0x94, 0x76, 0x39, 0xfe, 0x05, 0x0b, 0x56, - 0x93, 0x9b, 0xaa, 0xa0, 0xad, 0xff, 0x9a, 0xe6, - 0x74, 0x5b, 0x7b, 0x18, 0x1c, 0x3b, 0xe3, 0xfd, - }, - }, -}; - -#define N_WHIRLPOOL_TESTS (sizeof(whirlpool_tests) / sizeof(whirlpool_tests[0])) - -static int -whirlpool_test(void) -{ - const struct whirlpool_test *wt; - EVP_MD_CTX *md_ctx = NULL; - const EVP_MD *md = EVP_whirlpool(); - uint8_t out[EVP_MAX_MD_SIZE]; - size_t i, l, in_len; - int failed = 1; - - if ((md_ctx = EVP_MD_CTX_new()) == NULL) { - fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n"); - goto failed; - } - - for (i = 0; i < N_WHIRLPOOL_TESTS; i++) { - wt = &whirlpool_tests[i]; - - /* Digest */ - memset(out, 0, sizeof(out)); - WHIRLPOOL(wt->in, wt->in_len, out); - if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) { - fprintf(stderr, "FAIL (%zu): digest mismatch\n", i); - goto failed; - } - - /* EVP single-shot digest */ - memset(out, 0, sizeof(out)); - if (!EVP_Digest(wt->in, wt->in_len, out, NULL, md, NULL)) { - fprintf(stderr, "FAIL (%zu): EVP_Digest failed\n", i); - goto failed; - } - - if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) { - 
fprintf(stderr, - "FAIL (%zu): EVP single-shot mismatch\n", i); - goto failed; - } - - /* EVP digest */ - memset(out, 0, sizeof(out)); - if (!EVP_DigestInit_ex(md_ctx, md, NULL)) { - fprintf(stderr, - "FAIL (%zu): EVP_DigestInit_ex failed\n", i); - goto failed; - } - - for (l = 0; l < wt->in_len;) { - in_len = 1; - if (wt->in_len > 1) - in_len = arc4random_uniform(wt->in_len / 2); - if (in_len < 1) - in_len = 1; - if (in_len > wt->in_len - l) - in_len = wt->in_len - l; - - if (!EVP_DigestUpdate(md_ctx, wt->in + l, in_len)) { - fprintf(stderr, - "FAIL(%zu, %zu): EVP_DigestUpdate failed\n", - i, l); - goto failed; - } - - l += in_len; - } - - if (!EVP_DigestFinal_ex(md_ctx, out, NULL)) { - fprintf(stderr, - "FAIL (%zu): EVP_DigestFinal_ex failed\n", - i); - goto failed; - } - - if (memcmp(wt->out, out, WHIRLPOOL_DIGEST_LENGTH) != 0) { - fprintf(stderr, "FAIL (%zu): EVP mismatch\n", i); - goto failed; - } - } - - failed = 0; - - failed: - EVP_MD_CTX_free(md_ctx); - - return failed; -} - -int -main(int argc, char **argv) -{ - int failed = 0; - - failed |= whirlpool_test(); - - return failed; -} diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index ffe533370..3d3ed3c51 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.849 2024/08/04 14:21:09 kettenis Exp $ +# $OpenBSD: Makefile,v 1.850 2024/08/31 04:21:45 dlg Exp $ MAN= aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \ acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \ 
@@ -83,7 +83,7 @@ MAN= aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \ rkemmcphy.4 rkgpio.4 rkgrf.4 rkiic.4 rkiis.4 rkiovd.4 \ rkpcie.4 rkpciephy.4 rkpinctrl.4 rkpmic.4 rkpwm.4 \ rkrng.4 rkspi.4 rktcphy.4 rktemp.4 rkusbphy.4 rkvop.4 \ - rl.4 rlphy.4 route.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \ + rl.4 rlphy.4 route.4 rport.4 rsu.4 rtsx.4 rum.4 run.4 rtw.4 rtwn.4 \ safte.4 sbus.4 schsio.4 scmi.4 scsi.4 sd.4 \ sdmmc.4 sdhc.4 se.4 sec.4 ses.4 sf.4 sili.4 \ simpleamp.4 simpleaudio.4 simplefb.4 simplepanel.4 siop.4 sis.4 sk.4 \ diff --git a/share/man/man4/etherip.4 b/share/man/man4/etherip.4 index db6037354..7d3dfadb9 100644 --- a/share/man/man4/etherip.4 +++ b/share/man/man4/etherip.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: etherip.4,v 1.9 2024/08/30 09:39:07 dlg Exp $ +.\" $OpenBSD: etherip.4,v 1.10 2024/08/30 20:08:05 jmc Exp $ .\" .\" Copyright (c) 2015 YASUOKA Masahiko .\" @@ -55,11 +55,11 @@ must be set to 1, unless is being used to protect the traffic. .Pp .Nm -interfaces can configured as part of an Ethernet bridges such as +interfaces can configured as part of an Ethernet bridge, such as .Xr veb 4 , .Xr tpmr 4 , and -.Xr bridge 4 +.Xr bridge 4 , to extend the connectivity of Ethernet networks across IP networks, possibly across the Internet. .Pp @@ -73,7 +73,7 @@ public Internet. EtherIP encapsulated packets may be protected with IPsec by specifying the appropriate IPsec flows between the two endpoints. To only protect the encapsulated EtherIP traffic between the tunnel -enpoints the IP transport protocol 97 (etherip) selector may be used +endpoints, the IP transport protocol 97 (etherip) selector may be used in .Xr ipsec.conf 5 or @@ -88,7 +88,7 @@ to network1 on em1, and host gw2 has the external IP address 198.51.100.14 and is connected to network2 on ix1, the following configuration can be used to bridge network1 and network2. .Pp -First create the a bridge using a +First create a bridge using a .Xr veb 4 interface, adding the 
diff --git a/share/man/man4/rport.4 b/share/man/man4/rport.4
new file mode 100644
index 000000000..92b8f6ff9
--- /dev/null
+++ b/share/man/man4/rport.4
@@ -0,0 +1,85 @@ +.\" $OpenBSD: rport.4,v 1.1 2024/08/31 04:21:45 dlg Exp $ +.\" +.\" Copyright (c) 2024 David Gwynne +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: August 31 2024 $ +.Dt RPORT 4 +.Os +.Sh NAME +.Nm rport +.Nd rdomain port interface pseudo-device +.Sh SYNOPSIS +.Cd "pseudo-device rport" +.Sh DESCRIPTION +The +.Nm +driver provides point-to-point interfaces for layer 3 connectivity +between +.Xr rdomain 4 +instances. +.Pp +Layer 3 connectivity between a pair of rdomains can be established +by creating a +.Nm +interface in each rdomain, and connecting them together by configuring +one of these interfaces as the parent of the other. +.Pp +.Nm +interfaces can be created at runtime using the +.Ic ifconfig rport Ns Ar N Ic create +command or by setting up a +.Xr hostname.if 5 +configuration file for +.Xr netstart 8 . +The interface itself can be configured with +.Xr ifconfig 8 ; +see its manual page for more information. 
+.Sh EXAMPLES +Create two +.Nm +interfaces in separate +.Xr rdomain 4 Ns s +and connect them together: +.Bd -literal -offset indent +# ifconfig rport0 create rdomain 0 up +# ifconfig rport1 create rdomain 1 parent rport0 up +# ifconfig rport0 inet 192.168.0.0/32 192.168.0.1 +# ifconfig rport1 inet 192.168.0.1/32 192.168.0.0 +.Ed +.Sh SEE ALSO +.Xr netintro 4 , +.Xr veb 4 , +.Xr hostname.if 5 , +.Xr pf.conf 5 , +.Xr ifconfig 8 , +.Xr netstart 8 +.Sh HISTORY +The +.Nm +driver first appeared in +.Ox 7.6 . +.Sh AUTHORS +.An David Gwynne Aq Mt dlg@openbsd.org . +.Sh CAVEATS +A pair of +.Nm +interfaces must be created for each connection between a pair of rdomains. +Alternatively, if peering between multiple +.Xr rdomain 4 +instances is required, a single +.Xr veb 4 +interface with a +.Xr vport 4 +interface for each rdomain can be used instead. diff --git a/share/man/man4/sec.4 b/share/man/man4/sec.4 index 79c86a6c8..60632ee06 100644 --- a/share/man/man4/sec.4 +++ b/share/man/man4/sec.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sec.4,v 1.3 2024/08/30 13:09:10 dlg Exp $ +.\" $OpenBSD: sec.4,v 1.4 2024/08/31 00:51:29 dlg Exp $ .\" .\" Copyright (c) 2023 David Gwynne .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 30 2024 $ +.Dd $Mdocdate: August 31 2024 $ .Dt SEC 4 .Os .Sh NAME 
@@ -112,10 +112,21 @@ ikev2 "s2s" active \\ iface sec0 .Ed .Pp -Once -.Xr iked 8 -is running with this configuration, communication between the -customer and provider gateways is enabled. +Alternatively, IKEv1 negotiation of the IPsec tunnel SAs is supported by +.Xr isakmpd 8 +and +.Xr ipsecctl 8 . +The equivalient +.Xr ipsec.conf 5 +configuration for the given parameters follows: +.Bd -literal -offset indent +ike interface sec0 \\ + local 192.0.2.8 peer 198.51.100.14 \\ + psk "7kA7evdkd50Q5YdCCF9t8eftgEgL4vk2" +.Ed +.Pp +Once the Security Associations are established, communication between +the customer and provider gateways is enabled. .Pp Routes to networks hosted by the provider can be added using the providers diff --git a/sys/conf/GENERIC b/sys/conf/GENERIC index 9ffe0fc34..c8a573ef9 100644 --- a/sys/conf/GENERIC +++ b/sys/conf/GENERIC @@ -1,4 +1,4 @@ -# $OpenBSD: GENERIC,v 1.296 2024/05/05 07:26:58 jsg Exp $ +# $OpenBSD: GENERIC,v 1.297 2024/08/31 04:17:14 dlg Exp $ # # Machine-independent option; used by all architectures for their # GENERIC kernel @@ -96,6 +96,7 @@ pseudo-device mpe # MPLS PE interface pseudo-device mpw # MPLS pseudowire support pseudo-device mpip # MPLS IP Layer2 pseudowire support pseudo-device bpe # Provider Backbone Bridge edge interface +pseudo-device rport # rdomain port interface pseudo-device pair # Virtual Ethernet interface pair pseudo-device ppp # PPP pseudo-device pppoe # PPP over Ethernet (RFC 2516) diff --git a/sys/conf/files b/sys/conf/files index e26cfb429..f6efcb0d7 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.735 2024/08/14 14:40:46 patrick Exp $ +# $OpenBSD: files,v 1.736 2024/08/31 04:17:14 dlg Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 
@@ -568,6 +568,7 @@ pseudo-device msts: tty pseudo-device endrun: tty pseudo-device loop: ifnet +pseudo-device rport: ifnet pseudo-device pair: ifnet, ether pseudo-device ppp: ifnet pseudo-device tun: ifnet @@ -855,6 +856,7 @@ file net/if_mpw.c mpw file net/if_mpip.c mpip file net/if_bpe.c bpe needs-count file net/if_vether.c vether +file net/if_rport.c rport file net/if_pair.c pair file net/if_pppx.c pppx needs-count file net/if_vxlan.c vxlan needs-count diff --git a/sys/dev/ic/ufshci.c b/sys/dev/ic/ufshci.c index 61ae7ba0b..108013d2a 100644 --- a/sys/dev/ic/ufshci.c +++ b/sys/dev/ic/ufshci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ufshci.c,v 1.40 2024/08/20 05:36:38 jsg Exp $ */ +/* $OpenBSD: ufshci.c,v 1.41 2024/08/30 18:22:41 mglocker Exp $ */ /* * Copyright (c) 2022 Marcus Glocker @@ -1352,7 +1352,7 @@ ufshci_xfer_complete(struct ufshci_softc *sc) /* 7.2.3: Clear completion notification 3b) */ UFSHCI_WRITE_4(sc, UFSHCI_REG_UTRLCNR, (1U << i)); - /* 7.2.3: Mark software slot for re-use 3c) */ + /* 7.2.3: Mark software slot for reuse 3c) */ ccb->ccb_status = CCB_STATUS_READY2FREE; DPRINTF(3, "slot %d completed\n", i); @@ -1951,7 +1951,7 @@ ufshci_hibernate_io(dev_t dev, daddr_t blkno, vaddr_t addr, size_t size, /* Stop run queues and disable interrupts. */ ufshci_disable(my->sc); - /* Tell the controler the new hibernate UTRD address. */ + /* Tell the controller the new hibernate UTRD address. */ pmap_extract(pmap_kernel(), (vaddr_t)page, &page_phys); page_bus_phys = page_phys + ((void *)&my->utrd - page); UFSHCI_WRITE_4(my->sc, UFSHCI_REG_UTRLBA, @@ -2058,7 +2058,7 @@ ufshci_hibernate_io(dev_t dev, daddr_t blkno, vaddr_t addr, size_t size, return EIO; UFSHCI_WRITE_4(my->sc, UFSHCI_REG_UTRLCNR, (1U << slot)); - /* Check if the command was succesfully executed. */ + /* Check if the command was successfully executed. */ if (my->utrd.dw2 != UFSHCI_UTRD_DW2_OCS_SUCCESS) return EIO; 
diff --git a/sys/net/if_rport.c b/sys/net/if_rport.c
new file mode 100644
index 000000000..8ad691e6d
--- /dev/null
+++ b/sys/net/if_rport.c
@@ -0,0 +1,456 @@ +/* $OpenBSD: if_rport.c,v 1.1 2024/08/31 04:17:14 dlg Exp $ */ + +/* + * Copyright (c) 2023 David Gwynne + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#ifdef INET6 +#include +#include +#include +#endif /* INET6 */ + +#include "bpfilter.h" +#if NBPFILTER > 0 +#include +#endif + +#ifdef MPLS +#include +#endif + +#include "pf.h" +#if NPF > 0 +#include +#endif + +#define RPORT_MTU_MIN 1280 +#define RPORT_MTU_MAX 32768 /* LOMTU, but could be higher */ +#define RPORT_MTU_DEFAULT RPORT_MTU_MAX + +struct rport_softc { + struct ifnet sc_if; + + unsigned int sc_peer_idx; +}; + +static int rport_clone_create(struct if_clone *, int); +static int rport_clone_destroy(struct ifnet *); + +static int rport_ioctl(struct ifnet *, u_long, caddr_t); +static int rport_output(struct ifnet *, struct mbuf *, struct sockaddr *, + struct rtentry *); +static int rport_enqueue(struct ifnet *, struct mbuf *); +static void rport_start(struct ifqueue *); +static void rport_input(struct ifnet *, struct mbuf *); + +static int rport_up(struct rport_softc *); +static int rport_down(struct rport_softc *); + +static int 
rport_set_parent(struct rport_softc *, + const struct if_parent *); +static int rport_get_parent(struct rport_softc *, struct if_parent *); +static int rport_del_parent(struct rport_softc *); + +static struct if_clone rport_cloner = + IF_CLONE_INITIALIZER("rport", rport_clone_create, rport_clone_destroy); + +static struct rwlock rport_interfaces_lock = + RWLOCK_INITIALIZER("rports"); + +void +rportattach(int count) +{ + if_clone_attach(&rport_cloner); +} + +static int +rport_clone_create(struct if_clone *ifc, int unit) +{ + struct rport_softc *sc; + struct ifnet *ifp; + + sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); + ifp = &sc->sc_if; + + snprintf(ifp->if_xname, sizeof(ifp->if_xname), + "%s%d", ifc->ifc_name, unit); + + ifp->if_mtu = RPORT_MTU_DEFAULT; + ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; + ifp->if_xflags = IFXF_CLONED | IFXF_MPSAFE; + ifp->if_ioctl = rport_ioctl; + ifp->if_bpf_mtap = p2p_bpf_mtap; + ifp->if_output = rport_output; + ifp->if_enqueue = rport_enqueue; + ifp->if_qstart = rport_start; + ifp->if_input = rport_input; + ifp->if_rtrequest = p2p_rtrequest; + ifp->if_type = IFT_TUNNEL; + ifp->if_softc = sc; + + if_attach(ifp); + if_alloc_sadl(ifp); + if_counters_alloc(ifp); + +#if NBPFILTER > 0 + bpfattach(&ifp->if_bpf, ifp, DLT_LOOP, sizeof(uint32_t)); +#endif + + return (0); +} + +int +rport_clone_destroy(struct ifnet *ifp) +{ + struct rport_softc *sc = ifp->if_softc; + + NET_LOCK(); + if (ISSET(ifp->if_flags, IFF_RUNNING)) + rport_down(sc); + rport_del_parent(sc); + NET_UNLOCK(); + + if_detach(ifp); + + free(sc, M_DEVBUF, sizeof(*sc)); + + return (0); +} + +static int +rport_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt) +{ + struct m_tag *mtag; + int error = 0; + + if (!ISSET(ifp->if_flags, IFF_RUNNING)) { + error = ENETDOWN; + goto drop; + } + + switch (dst->sa_family) { + case AF_INET: +#ifdef INET6 + case AF_INET6: +#endif +#ifdef MPLS + case AF_MPLS: +#endif + break; + default: + error = 
EAFNOSUPPORT; + goto drop; + } + + /* Try to limit infinite recursion through misconfiguration. */ + mtag = NULL; + while ((mtag = m_tag_find(m, PACKET_TAG_GRE, mtag)) != NULL) { + if (*(int *)(mtag + 1) == ifp->if_index) { + error = EIO; + goto drop; + } + } + + mtag = m_tag_get(PACKET_TAG_GRE, sizeof(ifp->if_index), M_NOWAIT); + if (mtag == NULL) { + error = ENOBUFS; + goto drop; + } + *(int *)(mtag + 1) = ifp->if_index; + m_tag_prepend(m, mtag); + + m->m_flags &= ~(M_BCAST|M_MCAST); + m->m_pkthdr.ph_family = dst->sa_family; +#if NPF > 0 + pf_pkt_addr_changed(m); +#endif + + error = if_enqueue(ifp, m); + if (error) + counters_inc(ifp->if_counters, ifc_oerrors); + + return (error); + +drop: + m_freem(m); + return (error); +} + +static int +rport_enqueue(struct ifnet *ifp, struct mbuf *m) +{ + struct ifqueue *ifq = &ifp->if_snd; + int error; + + error = ifq_enqueue(ifq, m); + if (error) + return (error); + + /* + * always defer handover of packets to the peer to the ifq + * bundle task to provide control over the NET_LOCK scope. 
+ */ + task_add(ifq->ifq_softnet, &ifq->ifq_bundle); + + return (0); +} + +static void +rport_start(struct ifqueue *ifq) +{ + struct ifnet *ifp = ifq->ifq_if; + struct rport_softc *sc = ifp->if_softc; + struct ifnet *ifp0; + struct mbuf *m; + + ifp0 = if_get(sc->sc_peer_idx); + if (ifp0 == NULL || !ISSET(ifp0->if_flags, IFF_RUNNING)) { + ifq_purge(ifq); + if_put(ifp0); + return; + } + + NET_LOCK_SHARED(); + while ((m = ifq_dequeue(ifq)) != NULL) { +#if NBPFILTER > 0 + caddr_t if_bpf = READ_ONCE(ifp->if_bpf); + if (if_bpf && bpf_mtap_af(if_bpf, m->m_pkthdr.ph_family, + m, BPF_DIRECTION_OUT)) { + m_freem(m); + continue; + } +#endif + + if_vinput(ifp0, m); + } + NET_UNLOCK_SHARED(); + + if_put(ifp0); +} + +static void +rport_input(struct ifnet *ifp, struct mbuf *m) +{ + switch (m->m_pkthdr.ph_family) { + case AF_INET: + ipv4_input(ifp, m); + break; +#ifdef INET6 + case AF_INET6: + ipv6_input(ifp, m); + break; +#endif +#ifdef MPLS + case AF_MPLS: + mpls_input(ifp, m); + break; +#endif + default: + counters_inc(ifp->if_counters, ifc_noproto); + m_freem(m); + break; + } +} + +static int +rport_up(struct rport_softc *sc) +{ + NET_ASSERT_LOCKED(); + + SET(sc->sc_if.if_flags, IFF_RUNNING); + + return (0); +} + +static int +rport_down(struct rport_softc *sc) +{ + NET_ASSERT_LOCKED(); + + CLR(sc->sc_if.if_flags, IFF_RUNNING); + + return (0); +} + +static int +rport_set_parent(struct rport_softc *sc, const struct if_parent *p) +{ + struct ifnet *ifp = &sc->sc_if; + struct ifnet *ifp0; + struct rport_softc *sc0; + int error; + + error = rw_enter(&rport_interfaces_lock, RW_WRITE | RW_INTR); + if (error != 0) + return (error); + + ifp0 = if_unit(p->ifp_parent); + if (ifp0 == NULL) { + error = EINVAL; + goto leave; + } + + if (ifp0 == ifp) { + error = EINVAL; + goto leave; + } + + if (ifp0->if_input != rport_input) { + error = EPROTONOSUPPORT; + goto put; + } + + sc0 = ifp0->if_softc; + + if (sc->sc_peer_idx == ifp0->if_index) { + /* nop */ + KASSERT(sc0->sc_peer_idx == 
ifp->if_index); + goto put; + } + + if (sc->sc_peer_idx != 0 || sc0->sc_peer_idx != 0) { + error = EBUSY; + goto put; + } + + /* commit */ + sc->sc_peer_idx = ifp0->if_index; + sc0->sc_peer_idx = ifp->if_index; + +put: + if_put(ifp0); +leave: + rw_exit(&rport_interfaces_lock); + + return (error); +} + +static int +rport_get_parent(struct rport_softc *sc, struct if_parent *p) +{ + struct ifnet *ifp0; + int error = 0; + + ifp0 = if_get(sc->sc_peer_idx); + if (ifp0 == NULL) + error = EADDRNOTAVAIL; + else { + if (strlcpy(p->ifp_parent, ifp0->if_xname, + sizeof(p->ifp_parent)) >= sizeof(p->ifp_parent)) + panic("%s strlcpy", __func__); + } + if_put(ifp0); + + return (error); +} + +static int +rport_del_parent(struct rport_softc *sc) +{ + struct rport_softc *sc0; + struct ifnet *ifp0; + int error; + + error = rw_enter(&rport_interfaces_lock, RW_WRITE | RW_INTR); + if (error != 0) + return (error); + + ifp0 = if_get(sc->sc_peer_idx); + sc->sc_peer_idx = 0; + + if (ifp0 != NULL) { + sc0 = ifp0->if_softc; + sc0->sc_peer_idx = 0; + } + if_put(ifp0); + + rw_exit(&rport_interfaces_lock); + + return (0); +} + +static int +rport_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + struct rport_softc *sc = ifp->if_softc; + struct ifreq *ifr = (struct ifreq *)data; + int error = 0; + + switch (cmd) { + case SIOCSIFADDR: + break; + case SIOCSIFFLAGS: + if (ISSET(ifp->if_flags, IFF_UP)) { + if (!ISSET(ifp->if_flags, IFF_RUNNING)) + error = rport_up(sc); + } else { + if (ISSET(ifp->if_flags, IFF_RUNNING)) + error = rport_down(sc); + } + break; + + case SIOCADDMULTI: + case SIOCDELMULTI: + break; + + case SIOCSIFMTU: + if (ifr->ifr_mtu < RPORT_MTU_MIN || + ifr->ifr_mtu > RPORT_MTU_MAX) { + error = EINVAL; + break; + } + + ifp->if_mtu = ifr->ifr_mtu; + break; + + case SIOCSIFPARENT: + error = rport_set_parent(sc, (struct if_parent *)data); + break; + case SIOCGIFPARENT: + error = rport_get_parent(sc, (struct if_parent *)data); + break; + case SIOCDIFPARENT: + error = 
rport_del_parent(sc); + break; + + default: + error = ENOTTY; + break; + } + + return (error); +} diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c index 945303c33..ace843cce 100644 --- a/usr.bin/openssl/ocsp.c +++ b/usr.bin/openssl/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.24 2024/08/29 11:04:02 tb Exp $ */ +/* $OpenBSD: ocsp.c,v 1.25 2024/08/30 17:26:44 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -70,6 +70,7 @@ #include "apps.h" #include +#include #include #include #include @@ -184,13 +185,51 @@ ocsp_opt_cert_id_md(int argc, char **argv, int *argsused) return (0); } +static int +x509v3_add_value(const char *name, const char *value, + STACK_OF(CONF_VALUE) **extlist) +{ + CONF_VALUE *vtmp = NULL; + STACK_OF(CONF_VALUE) *free_exts = NULL; + + if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL) + goto err; + if (name != NULL) { + if ((vtmp->name = strdup(name)) == NULL) + goto err; + } + if (value != NULL) { + if ((vtmp->value = strdup(value)) == NULL) + goto err; + } + + if (*extlist == NULL) { + if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL) + goto err; + } + + if (!sk_CONF_VALUE_push(*extlist, vtmp)) + goto err; + + return 1; + + err: + X509V3error(ERR_R_MALLOC_FAILURE); + X509V3_conf_free(vtmp); + if (free_exts != NULL) { + sk_CONF_VALUE_free(*extlist); + *extlist = NULL; + } + return 0; +} + static int ocsp_opt_header(int argc, char **argv, int *argsused) { if (argc < 3 || argv[1] == NULL || argv[2] == NULL) return (1); - if (!X509V3_add_value(argv[1], argv[2], &cfg.headers)) { + if (!x509v3_add_value(argv[1], argv[2], &cfg.headers)) { cfg.no_usage = 1; return (1); }
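Review bot: In rport_set_parent(), the `ifp0 == ifp` branch jumps to `leave` and so skips `if_put(ifp0)`, leaving the reference that if_unit() took on the interface itself unreleased; pointing an rport interface at itself as parent would therefore leak a refcount, and if if_detach() waits for the count to drain, a later destroy could hang. The branch should read `goto put;` like the checks that follow it. Separately, rport_clone_destroy() is declared `static int` in the prototype block near the top of the file but defined as plain `int`, and it ignores the return of rport_del_parent(), which can fail because rw_enter() is called with RW_INTR; on that path the peer keeps a stale sc_peer_idx for an index that is about to be detached, so the destroy path should probably take the lock uninterruptibly or check the result.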
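Review bot: x509v3_add_value() has no comment saying why the application now carries a private copy of a routine that also exists in libcrypto, and because it reports failure through `X509V3error(ERR_R_MALLOC_FAILURE)` a reader may mistake it for library code. A one-line header above the definition such as `/* Local copy of X509V3_add_value(); the libcrypto version is presumably no longer available to the application. */` would record the intent; the reason is inferred here, so the committer should state the actual one. The cleanup in the `err` block itself looks consistent: X509V3_conf_free() is given a possibly-NULL vtmp and the stack is only freed when this call created it.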