From 96ee847ebaf48bdbb013a412f5b4f9997ddb0f2b Mon Sep 17 00:00:00 2001 From: purplerain Date: Fri, 29 Sep 2023 20:20:09 +0000 Subject: [PATCH] sync code with last improvements from OpenBSD --- distrib/sets/lists/comp/md.armv7 | 2 + distrib/sets/lists/comp/mi | 2 + etc/skel/dot.version | 2 +- lib/libcrypto/evp/e_aes.c | 15 +- lib/libcrypto/evp/e_chacha20poly1305.c | 14 +- lib/libcrypto/evp/evp_lib.c | 17 +- lib/libcrypto/evp/evp_local.h | 8 +- lib/libcrypto/man/ASIdentifiers_new.3 | 16 +- lib/libcrypto/man/ASRange_new.3 | 7 +- lib/libcrypto/man/IPAddressRange_new.3 | 24 +- lib/libcrypto/man/Makefile | 4 +- lib/libcrypto/man/X509_new.3 | 6 +- lib/libcrypto/man/X509v3_addr_add_inherit.3 | 11 +- lib/libcrypto/man/X509v3_addr_subset.3 | 176 ++++++++++++ lib/libcrypto/man/X509v3_addr_validate_path.3 | 204 +++++++++++++ .../man/X509v3_asid_add_id_or_range.3 | 9 +- lib/libcrypto/x509/x509_constraints.c | 31 +- lib/libcrypto/x509/x509_internal.h | 4 +- lib/libutil/imsg_init.3 | 12 +- regress/lib/libcrypto/aead/aeadtest.c | 10 +- regress/lib/libcrypto/aes/aes_test.c | 6 +- regress/lib/libcrypto/evp/evp_test.c | 270 +++++++++++++++++- regress/lib/libcrypto/x509/constraints.c | 54 +++- sys/dev/fdt/rkclock.c | 20 +- sys/dev/fdt/rkclock_clocks.h | 4 + sys/dev/fdt/rkusbphy.c | 2 +- sys/kern/kern_exec.c | 6 +- sys/kern/kern_exit.c | 4 +- sys/kern/kern_pledge.c | 6 +- sys/kern/kern_sig.c | 16 +- sys/net/pfkeyv2.c | 10 +- sys/net/pfkeyv2_parsemessage.c | 14 +- sys/sys/proc.h | 17 +- usr.sbin/bgpd/control.c | 10 +- usr.sbin/bgpd/version.h | 4 +- usr.sbin/smtpd/smtpd.h | 4 +- 36 files changed, 904 insertions(+), 117 deletions(-) create mode 100644 lib/libcrypto/man/X509v3_addr_subset.3 create mode 100644 lib/libcrypto/man/X509v3_addr_validate_path.3 diff --git a/distrib/sets/lists/comp/md.armv7 b/distrib/sets/lists/comp/md.armv7 index 9f9d17c45..fe9f7b860 100644 --- a/distrib/sets/lists/comp/md.armv7 +++ b/distrib/sets/lists/comp/md.armv7 @@ -43,6 +43,7 @@ ./usr/include/arm/reloc.h ./usr/include/arm/setjmp.h ./usr/include/arm/signal.h +./usr/include/arm/simplebusvar.h ./usr/include/arm/softintr.h ./usr/include/arm/spinlock.h ./usr/include/arm/sysarch.h @@ -91,6 +92,7 @@ ./usr/include/armv7/reloc.h ./usr/include/armv7/setjmp.h ./usr/include/armv7/signal.h +./usr/include/armv7/simplebusvar.h ./usr/include/armv7/spinlock.h ./usr/include/armv7/sysarch.h ./usr/include/armv7/tcb.h diff --git a/distrib/sets/lists/comp/mi b/distrib/sets/lists/comp/mi index 4365dbc0f..95b91489e 100644 --- a/distrib/sets/lists/comp/mi +++ b/distrib/sets/lists/comp/mi @@ -2274,6 +2274,8 @@ ./usr/share/man/man3/X509v3_addr_add_inherit.3 ./usr/share/man/man3/X509v3_addr_get_range.3 ./usr/share/man/man3/X509v3_addr_inherits.3 +./usr/share/man/man3/X509v3_addr_subset.3 +./usr/share/man/man3/X509v3_addr_validate_path.3 ./usr/share/man/man3/X509v3_asid_add_id_or_range.3 ./usr/share/man/man3/X509v3_get_ext_by_NID.3 ./usr/share/man/man3/__tfork_thread.3 diff --git a/etc/skel/dot.version b/etc/skel/dot.version index 231b5829c..e2d2ae9f7 100644 --- a/etc/skel/dot.version +++ b/etc/skel/dot.version @@ -1 +1 @@ -# SecBSD 1.4-1a4ae3e: Thu Sep 28 00:00:00 UTC 2023 (Tezcatlipoca) +# SecBSD 1.4-f463301edc: Thu Sep 28 00:00:00 UTC 2023 (Tezcatlipoca) diff --git a/lib/libcrypto/evp/e_aes.c b/lib/libcrypto/evp/e_aes.c index 3d3b1a9d6..3d357f011 100644 --- a/lib/libcrypto/evp/e_aes.c +++ b/lib/libcrypto/evp/e_aes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes.c,v 1.53 2023/07/07 19:37:53 beck Exp $ */ +/* $OpenBSD: e_aes.c,v 1.54 2023/09/28 11:29:10 tb Exp $ */ /* ==================================================================== * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. * @@ -1305,7 +1305,11 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) gctx->tls_aad_len = -1; return 1; - case EVP_CTRL_GCM_SET_IVLEN: + case EVP_CTRL_AEAD_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; /* Allocate memory for IV if needed */ @@ -1631,6 +1635,7 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #define CUSTOM_FLAGS \ ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ + EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | \ EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) @@ -1968,7 +1973,11 @@ aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) cctx->len_set = 0; return 1; - case EVP_CTRL_CCM_SET_IVLEN: + case EVP_CTRL_AEAD_GET_IVLEN: + *(int *)ptr = 15 - cctx->L; + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: arg = 15 - arg; case EVP_CTRL_CCM_SET_L: diff --git a/lib/libcrypto/evp/e_chacha20poly1305.c b/lib/libcrypto/evp/e_chacha20poly1305.c index 33d09315e..4a393c245 100644 --- a/lib/libcrypto/evp/e_chacha20poly1305.c +++ b/lib/libcrypto/evp/e_chacha20poly1305.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_chacha20poly1305.c,v 1.31 2023/08/24 04:33:08 tb Exp $ */ +/* $OpenBSD: e_chacha20poly1305.c,v 1.32 2023/09/28 11:29:10 tb Exp $ */ /* * Copyright (c) 2022 Joel Sing @@ -18,6 +18,7 @@ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include #include #include @@ -551,6 +552,12 @@ chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) cpx->nonce_len = sizeof(cpx->nonce); return 1; + case EVP_CTRL_AEAD_GET_IVLEN: + if (cpx->nonce_len > INT_MAX) + return 0; + *(int *)ptr = (int)cpx->nonce_len; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > sizeof(cpx->nonce)) return 0; @@ -592,8 +599,9 @@ static const EVP_CIPHER cipher_chacha20_poly1305 = { .key_len = 32, .iv_len = 12, .flags = EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | - EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_AEAD_CIPHER | - EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1, + EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_IV_LENGTH | + EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_CUSTOM_CIPHER | + EVP_CIPH_FLAG_DEFAULT_ASN1, .init = chacha20_poly1305_init, .do_cipher = chacha20_poly1305_cipher, .cleanup = chacha20_poly1305_cleanup, diff --git a/lib/libcrypto/evp/evp_lib.c b/lib/libcrypto/evp/evp_lib.c index 24ce1963d..f4e46aea4 100644 --- a/lib/libcrypto/evp/evp_lib.c +++ b/lib/libcrypto/evp/evp_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_lib.c,v 1.27 2023/07/07 19:37:53 beck Exp $ */ +/* $OpenBSD: evp_lib.c,v 1.28 2023/09/28 11:29:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -266,7 +266,20 @@ EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { - return ctx->cipher->iv_len; + int iv_length = 0; + + if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_IV_LENGTH) == 0) + return ctx->cipher->iv_len; + + /* + * XXX - sanity would suggest to pass the size of the pointer along, + * but unfortunately we have to match the other crowd. + */ + if (EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0, + &iv_length) != 1) + return -1; + + return iv_length; } unsigned char * diff --git a/lib/libcrypto/evp/evp_local.h b/lib/libcrypto/evp/evp_local.h index e0a8afd6b..015fbb50a 100644 --- a/lib/libcrypto/evp/evp_local.h +++ b/lib/libcrypto/evp/evp_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_local.h,v 1.4 2023/08/11 05:10:35 tb Exp $ */ +/* $OpenBSD: evp_local.h,v 1.5 2023/09/28 11:29:10 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,6 +61,12 @@ __BEGIN_HIDDEN_DECLS +/* XXX - move these to evp.h after unlock. */ +#define EVP_CTRL_GET_IVLEN 0x25 +#define EVP_CIPH_FLAG_CUSTOM_IV_LENGTH 0x400000 + +#define EVP_CTRL_AEAD_GET_IVLEN EVP_CTRL_GET_IVLEN + /* * Don't free md_ctx->pctx in EVP_MD_CTX_cleanup(). Needed for ownership * handling in EVP_MD_CTX_set_pkey_ctx(). diff --git a/lib/libcrypto/man/ASIdentifiers_new.3 b/lib/libcrypto/man/ASIdentifiers_new.3 index 4f6bf67f1..c67a7c3f1 100644 --- a/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/lib/libcrypto/man/ASIdentifiers_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASIdentifiers_new.3,v 1.7 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: ASIdentifiers_new.3,v 1.9 2023/09/29 08:57:49 tb Exp $ .\" .\" Copyright (c) 2021 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 29 2023 $ .Dt ASIDENTIFIERS_NEW 3 .Os .Sh NAME @@ -47,7 +47,7 @@ .Sh DESCRIPTION RFC 3779 defines two X.509v3 certificate extensions that allow the delegation of -IP address blocks and autonomous system (AS) identifiers +IP addresses and autonomous system (AS) identifiers from the issuer to the subject of the certificate. An .Vt ASIdentifiers @@ -112,8 +112,12 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr IPAddressRange_new 3 , .Xr X509_new 3 , -.Xr X509v3_asid_add_id_or_range 3 , -.Xr X509v3_asid_inherits 3 +.Xr X509v3_addr_add_inherit 3 , +.Xr X509v3_addr_get_range 3 , +.Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 , +.Xr X509v3_addr_validate_path 3 , +.Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact @@ -130,5 +134,5 @@ and have been available since .Ox 7.1 . .Sh BUGS There are no corresponding functions for the RFC 3779 -IP address blocks delegation extension represented by +IP address delegation extension represented by .Vt IPAddrBlocks . diff --git a/lib/libcrypto/man/ASRange_new.3 b/lib/libcrypto/man/ASRange_new.3 index 12eff2679..53da608cb 100644 --- a/lib/libcrypto/man/ASRange_new.3 +++ b/lib/libcrypto/man/ASRange_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ASRange_new.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: ASRange_new.3,v 1.6 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt ASRANGE_NEW 3 .Os .Sh NAME @@ -90,7 +90,7 @@ autonomous system identifier delegation extension. .Pp All .Vt ASN1_INTEGER Ns s -in this manual should be representable as unsigned 32-bit integers. +in this manual must be representable as unsigned 32-bit integers. The API performs no corresponding checks. The library provides no convenient way of setting the value of an .Vt ASN1_INTEGER @@ -358,6 +358,7 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr IPAddressRange_new 3 , .Xr s2i_ASN1_INTEGER 3 , +.Xr STACK_OF 3 , .Xr X509_new 3 , .Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS diff --git a/lib/libcrypto/man/IPAddressRange_new.3 b/lib/libcrypto/man/IPAddressRange_new.3 index 07c57f3e5..e15ff3450 100644 --- a/lib/libcrypto/man/IPAddressRange_new.3 +++ b/lib/libcrypto/man/IPAddressRange_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: IPAddressRange_new.3,v 1.4 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: IPAddressRange_new.3,v 1.5 2023/09/28 12:35:31 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt IPADDRESSRANGE_NEW 3 .Os .Sh NAME @@ -110,12 +110,12 @@ type representing the IP address delegation extension. Per RFC 3779, section 2.1.1, an IPv4 or an IPv6 address is encoded in network byte order in an ASN.1 BIT STRING of bit size 32 or 128 bits, respectively. -The bit size of a prefix is its prefix length. -In other words, all insignificant zero bits are omitted +The bit size of a prefix is its prefix length; +all insignificant zero bits are omitted from the encoding. An address range is expressed as a pair of BIT STRINGs -where all least significant zero bits of the lower bound -and the all least significant one bits of the upper bound are omitted. +where all the least significant zero bits of the lower bound +and all the least significant one bits of the upper bound are omitted. .Pp The library provides no API for directly converting an IP address or prefix (in any form) to and from an @@ -127,8 +127,11 @@ internals are subtle and directly manipulating them in the context of the RFC 3779 API is discouraged. The bit size of an .Vt ASN1_BIT_STRING -representing an IP address prefix or range is eight times its length -member minus the lowest three bits of its flags, provided the +representing an IP address prefix or range is eight times its +.Fa length +member minus the lowest three bits of its +.Fa flags , +provided the .Dv ASN1_STRING_FLAG_BITS_LEFT flag is set. .Pp @@ -460,7 +463,8 @@ or a value <= 0 if an error occurs. .Xr crypto 3 , .Xr X509_new 3 , .Xr X509v3_addr_add_inherit 3 , -.Xr X509v3_addr_inherits 3 +.Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact @@ -483,7 +487,7 @@ section 2.2.3.7: Type IPAddressOrRange .It section 2.2.3.8: Element addressPrefix and Type IPAddress .It -section 2.2.3.9: Elements addressRange and Type IPAddressRange +section 2.2.3.9: Element addressRange and Type IPAddressRange .El .Pp ITU-T Recommendation X.690, also known as ISO/IEC 8825-1: diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile index 9bf40343e..f42e9327a 100644 --- a/lib/libcrypto/man/Makefile +++ b/lib/libcrypto/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.274 2023/09/26 20:42:45 tb Exp $ +# $OpenBSD: Makefile,v 1.276 2023/09/29 08:57:49 tb Exp $ .include @@ -395,6 +395,8 @@ MAN= \ X509v3_addr_add_inherit.3 \ X509v3_addr_get_range.3 \ X509v3_addr_inherits.3 \ + X509v3_addr_subset.3 \ + X509v3_addr_validate_path.3 \ X509v3_asid_add_id_or_range.3 \ X509v3_asid_add_id_or_range.3 \ X509v3_get_ext_by_NID.3 \ diff --git a/lib/libcrypto/man/X509_new.3 b/lib/libcrypto/man/X509_new.3 index dea1b256c..3e7fb0a79 100644 --- a/lib/libcrypto/man/X509_new.3 +++ b/lib/libcrypto/man/X509_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_new.3,v 1.41 2023/09/26 20:42:45 tb Exp $ +.\" $OpenBSD: X509_new.3,v 1.43 2023/09/29 08:57:49 tb Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 26 2023 $ +.Dd $Mdocdate: September 29 2023 $ .Dt X509_NEW 3 .Os .Sh NAME @@ -245,6 +245,8 @@ if an error occurs. .Xr X509v3_addr_add_inherit 3 , .Xr X509v3_addr_get_range 3 , .Xr X509v3_addr_inherits 3 , +.Xr X509v3_addr_subset 3 , +.Xr X509v3_addr_validate_path 3 , .Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 5280: Internet X.509 Public Key Infrastructure Certificate and diff --git a/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/lib/libcrypto/man/X509v3_addr_add_inherit.3 index 3ca9bc59a..bdfb5c757 100644 --- a/lib/libcrypto/man/X509v3_addr_add_inherit.3 +++ b/lib/libcrypto/man/X509v3_addr_add_inherit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.7 2023/09/29 08:57:49 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 29 2023 $ .Dt X509V3_ADDR_ADD_INHERIT 3 .Os .Sh NAME @@ -60,7 +60,7 @@ An .Vt IPAddrBlocks object represents the content of -an X509v3 IP address blocks delegation extension +an IP address delegation extension as defined in RFC 3779, section 2.2.3.1. It holds lists of IP address prefixes and IP address ranges delegated from the issuer to the subject of the certificate. @@ -399,8 +399,9 @@ is desired. .Xr inet_ntop 3 , .Xr IPAddressRange_new 3 , .Xr X509_new 3 , -.Xr X509v3_asid_add_id_or_range 3 , -.Xr X509v3_addr_get_range 3 +.Xr X509v3_addr_get_range 3 , +.Xr X509v3_addr_validate_path 3 , +.Xr X509v3_asid_add_id_or_range 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: .Bl -dash -compact diff --git a/lib/libcrypto/man/X509v3_addr_subset.3 b/lib/libcrypto/man/X509v3_addr_subset.3 new file mode 100644 index 000000000..8107eb888 --- /dev/null +++ b/lib/libcrypto/man/X509v3_addr_subset.3 @@ -0,0 +1,176 @@ +.\" $OpenBSD: X509v3_addr_subset.3,v 1.1 2023/09/28 12:36:36 tb Exp $ +.\" +.\" Copyright (c) 2023 Theo Buehler +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 28 2023 $ +.Dt X509V3_ADDR_SUBSET 3 +.Os +.Sh NAME +.Nm X509v3_addr_subset , +.Nm X509v3_asid_subset +.Nd RFC 3779 subset relationship +.Sh SYNOPSIS +.In openssl/x509v3.h +.Ft int +.Fn X509v3_addr_subset "IPAddrBlocks *child" "IPAddrBlocks *parent" +.Ft int +.Fn X509v3_asid_subset "ASIdentifiers *child" "ASIdentifiers *parent" +.Sh DESCRIPTION +.Fn X509v3_addr_subset +determines if all IP address resources present in +.Fa child +are contained in the corresponding resources in +.Fa parent . +.Pp +The implementation assumes but does not ensure that both +.Fa child +and +.Fa parent +are in canonical form as described in +.Xr X509v3_addr_is_canonical 3 . +In particular, both +.Fa child +and +.Fa parent +are sorted appropriately and they contain at most one +.Vt IPAddressFamily +object per address family identifier (AFI) and optional +subsequent address family identifier (SAFI). +.Pp +The checks are, in order: +.Bl -enum +.It +If +.Fa child +is +.Dv NULL +or identical to +.Fa parent +then +.Fa child +is a subset of +.Fa parent . +(In particular, a +.Dv NULL +.Fa parent +is allowed for a +.Dv NULL +.Fa child Ns .) +.It +If +.Fa parent +is +.Dv NULL +then +.Fa child +is not a subset of +.Fa parent . +.It +If +.Xr X509v3_addr_inherits 3 +determines that +.Fa child +inherits or that +.Fa parent +inherits +then +.Fa child +is not a subset of +.Fa parent . +.It +Each address prefix or range in +.Fa child +must be a subset of an address prefix or range in the +.Fa parent , +taking AFI and optional SAFI into account: +.Bl -bullet -compact +.It +For each +.Vt IPAddressFamily +of +.Fa child +there must be an +.Vt IPAddressFamily +of +.Fa parent +with the same AFI and optional SAFI. +.It +Since the address prefixes and ranges in corresponding +.Vt IPAddressFamily +objects in +.Fa child +and +.Fa parent +are sorted in ascending order, +and do not overlap, +they can be traversed simultaneously in linear time. +For each prefix or range in +.Fa child +there must be a prefix or range in +.Fa parent +whose minimal address is smaller +and whose maximal address is larger. +.El +If any of these steps fails, +.Fa child +is not a subset of +.Fa parent . +.El +.Pp +.Fn X509v3_asid_subset +determines if all AS identifier resources in +.Fa child +are contained in the corresponding resources in +.Fa parent . +.Pp +The description for +.Fn X509v3_addr_subset +applies mutatis mutandis. +In particular, +.Fa child +and +.Fa parent +must be in canonical form per +.Xr X509v3_asid_is_canonical 3 , +but this is not enforced. +.Sh RETURN VALUES +.Fn X509v3_addr_subset +and +.Fn X509v3_asid_subset +return 1 if and only if +.Fa child +is a subset of +.Fa parent , +otherwise they return 0. +If both +.Fa child +and +.Fa parent +are in canonical form, +they cannot fail. +.Sh SEE ALSO +.Xr ASIdentifiers_new 3 , +.Xr ASRange_new 3 , +.Xr crypto 3 , +.Xr IPAddressRange_new 3 , +.Xr X509_new 3 , +.Xr X509v3_addr_add_inherit 3 , +.Xr X509v3_asid_add_inherit 3 +.Sh STANDARDS +RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers. +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.8e +and have been available since +.Ox 7.1 . diff --git a/lib/libcrypto/man/X509v3_addr_validate_path.3 b/lib/libcrypto/man/X509v3_addr_validate_path.3 new file mode 100644 index 000000000..d3c088c91 --- /dev/null +++ b/lib/libcrypto/man/X509v3_addr_validate_path.3 @@ -0,0 +1,204 @@ +.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $ +.\" +.\" Copyright (c) 2023 Theo Buehler +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: September 29 2023 $ +.Dt X509V3_ADDR_VALIDATE_PATH 3 +.Os +.Sh NAME +.Nm X509v3_addr_validate_path , +.Nm X509v3_addr_validate_resource_set , +.Nm X509v3_asid_validate_path , +.Nm X509v3_asid_validate_resource_set +.Nd RFC 3779 path validation for IP address and AS number delegation +.Sh SYNOPSIS +.In openssl/x509v3.h +.Ft int +.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx" +.Ft int +.Fo X509v3_addr_validate_resource_set +.Fa "STACK_OF(X509) *chain" +.Fa "IPAddrBlocks *addrblocks" +.Fa "int allow_inheritance" +.Fc +.Ft int +.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx" +.Ft int +.Fo X509v3_asid_validate_resource_set +.Fa "STACK_OF(X509) *chain" +.Fa "ASIdentifiers *asid" +.Fa "int allow_inheritance" +.Fc +.Sh DESCRIPTION +Both RFC 3779 extensions require additional checking in the certification +path validation. +.Bl -enum +.It +The initial set of allowed IP address and AS number resources is defined in +the trust anchor, where inheritance is not allowed. +.It +All IP address delegation or AS number delegation extensions +appearing in the validation path must be in canonical form +according to +.Xr X509v3_addr_is_canonical 3 +and +.Xr X509v3_asid_is_canonical 3 . +.It +If the IP address delegation extension is present in a certificate, +it must also be present in its issuer. +Similarly for the AS identifiers delegation extension. +.It +An issuer may only delegate subsets of resources present in its +RFC 3779 extensions or subsets of resources inherited from its issuer. +.El +.Pp +.Fn X509v3_addr_validate_path +and +.Fn X509v3_asid_validate_path +are called from +.Xr X509_verify_cert 3 +as part of the verification chain building. +On encountering an error or a violation of the above rules, +.Fa error , +.Fa error_depth , +and +.Fa current_cert +are set on +.Fa ctx +and the verify callback is called with +.Fa ok +set to 0. +.Dv X509_V_ERR_INVALID_EXTENSION +indicates a non-canonical resource, +.Dv X509_V_ERR_UNNESTED_RESOURCE +indicates a violation of the other rules above. +In rare circumstances, the error can be +.Dv X509_V_ERR_UNSPECIFIED +and for IP address resources +.Dv X509_V_ERR_OUT_OF_MEM +is also possible. +.Pp +.Fn X509v3_addr_validate_resource_set +validates the resources in +.Fa addrblocks +against a specific certificate +.Fa chain . +After checking that +.Fa addrblocks +is canonical, its IP addresses are checked to be covered in +the certificate at depth 0, +then the chain is walked all the way to the trust anchor +until an error or a violation of the above rules is encountered. +.Fa addrblocks +is allowed to use inheritance according to +.Xr X509v3_addr_inherits 3 +if and only if +.Fa allow_inherit +is non-zero. +.Pp +.Fn X509v3_asid_validate_resource_set +performs similar checks as +.Fn X509v3_addr_validate_resource_set +for +.Fa asid . +.Sh RETURN VALUES +All these functions return 1 on successful validation and 0 otherwise. +.Pp +For +.Fn X509v3_addr_validate_path +and +.Fn X509v3_asid_validate_path +a non-empty +.Fa chain +and a +.Fa verify_cb +must be present on +.Fa ctx , +otherwise they fail and set the +.Fa error +on +.Fa ctx +to +.Dv X509_V_ERR_UNSPECIFIED . +The +.Fa verify_cb +is called with the error codes described above +on most errors encountered during validation. +Some malformed extensions can lead to an error +that cannot be intercepted by the callback. +With the exception of an allocation error, +no error codes are set on the error stack. +.Pp +.Fn X509v3_addr_validate_resource_set +accepts a +.Dv NULL +.Fa addrblocks +and +.Fn X509v3_asid_validate_resource_set +accepts a +.Dv NULL +.Fa asid +as valid. +They fail if +.Fa chain +is +.Dv NULL +or empty. +If +.Fa allow_inheritance +is 0 , +.Fa addrblocks +or +.Fa asid +is checked for inheritance with +.Xr X509v3_addr_inherits 3 +or +.Xr X509v3_asid_inherits 3 . +The remaining failure cases are the same as for +.Fn X509v3_addr_validate_path +and +.Fn X509v3_asid_validate_path . +They cannot and do not attempt to communicate +the cause of the error to the caller. +.Sh SEE ALSO +.Xr ASIdentifiers_new 3 , +.Xr crypto 3 , +.Xr IPAddressRange_new 3 , +.Xr X509_new 3 , +.Xr X509_STORE_CTX_get_error 3 , +.Xr X509_verify_cert 3 , +.Xr X509v3_addr_add_inherit 3 , +.Xr X509v3_addr_inherits 3 , +.Xr X509v3_asid_add_id_or_range 3 +.Sh STANDARDS +RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers: +.Bl -dash -compact +.It +section 2.3: IP Address Delegation Extension Certification Path Validation +.It +section 3.3: Autonomous System Identifier Delegation Extension Certification +Path Validation +.El +.Pp +RFC 5280: Internet X.509 Public Key Infrastructure Certificate +and Certificate Revocation List (CRL) Profile +.Bl -dash -compact +.It +section 6: Certification Path Validation +.El +.Sh HISTORY +These functions first appeared in OpenSSL 0.9.8e +and have been available since +.Ox 7.1 . diff --git a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index c9ff6bf13..f6b1c0347 100644 --- a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.5 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.7 2023/09/29 08:57:49 tb Exp $ .\" .\" Copyright (c) 2021-2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 29 2023 $ .Dt X509V3_ASID_ADD_ID_OR_RANGE 3 .Os .Sh NAME @@ -48,7 +48,7 @@ .Sh DESCRIPTION An .Vt ASIdentifiers -object represents the content of the X509v3 certificate extension +object represents the content of the certificate extension defined in RFC 3779, section 3.2.3.1. It can be instantiated with .Xr ASIdentifiers_new 3 @@ -242,7 +242,8 @@ failure. .Xr crypto 3 , .Xr s2i_ASN1_INTEGER 3 , .Xr X509_new 3 , -.Xr X509v3_addr_add_inherit 3 +.Xr X509v3_addr_add_inherit 3 , +.Xr X509v3_addr_validate_path 3 .Sh STANDARDS RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers, .Bl -dash -compact diff --git a/lib/libcrypto/x509/x509_constraints.c b/lib/libcrypto/x509/x509_constraints.c index 346cab0a4..0773d2ba7 100644 --- a/lib/libcrypto/x509/x509_constraints.c +++ b/lib/libcrypto/x509/x509_constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.31 2022/12/26 07:18:53 jmc Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.32 2023/09/29 15:53:59 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -38,23 +38,23 @@ #define MAX_IP_ADDRESS_LENGTH (size_t)46 static int -cbs_is_ip_address(CBS *cbs) +cbs_is_ip_address(CBS *cbs, int *is_ip) { struct sockaddr_in6 sin6; struct sockaddr_in sin4; char *name = NULL; - int ret = 0; + *is_ip = 0; if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH) - return 0; + return 1; if (!CBS_strdup(cbs, &name)) return 0; if (inet_pton(AF_INET, name, &sin4) == 1 || inet_pton(AF_INET6, name, &sin6) == 1) - ret = 1; + *is_ip = 1; free(name); - return ret; + return 1; } struct x509_constraints_name * @@ -264,16 +264,21 @@ x509_constraints_valid_domain_internal(CBS *cbs, int wildcards) } int -x509_constraints_valid_host(CBS *cbs) +x509_constraints_valid_host(CBS *cbs, int permit_ip) { uint8_t first; + int is_ip; if (!CBS_peek_u8(cbs, &first)) return 0; if (first == '.') - return 0; /* leading . not allowed in a host name */ - if (cbs_is_ip_address(cbs)) - return 0; + return 0; /* leading . not allowed in a host name or IP */ + if (!permit_ip) { + if (!cbs_is_ip_address(cbs, &is_ip)) + return 0; + if (is_ip) + return 0; + } return x509_constraints_valid_domain_internal(cbs, 0); } @@ -441,7 +446,7 @@ x509_constraints_parse_mailbox(CBS *candidate, if (candidate_local == NULL || candidate_domain == NULL) goto bad; CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain)); - if (!x509_constraints_valid_host(&domain_cbs)) + if (!x509_constraints_valid_host(&domain_cbs, 0)) goto bad; if (name != NULL) { @@ -558,7 +563,7 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) if (host == NULL) host = authority; CBS_init(&host_cbs, host, hostlen); - if (!x509_constraints_valid_host(&host_cbs)) + if (!x509_constraints_valid_host(&host_cbs, 1)) return 0; if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) return 0; @@ -924,7 +929,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names, goto err; } CBS_init(&cbs, aname->data, aname->length); - if (!x509_constraints_valid_host(&cbs)) + if (!x509_constraints_valid_host(&cbs, 0)) continue; /* ignore it if not a hostname */ if ((vname = x509_constraints_name_new()) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h index c4222bcfe..15efff609 100644 --- a/lib/libcrypto/x509/x509_internal.h +++ b/lib/libcrypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.25 2023/01/28 19:08:09 tb Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -111,7 +111,7 @@ struct x509_constraints_names *x509_constraints_names_new(size_t names_max); int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, size_t *len); void x509_constraints_names_free(struct x509_constraints_names *names); -int x509_constraints_valid_host(CBS *cbs); +int x509_constraints_valid_host(CBS *cbs, int permit_ip); int x509_constraints_valid_sandns(CBS *cbs); int x509_constraints_domain(char *domain, size_t dlen, char *constraint, size_t len); diff --git a/lib/libutil/imsg_init.3 b/lib/libutil/imsg_init.3 index 11915f377..3c6b96222 100644 --- a/lib/libutil/imsg_init.3 +++ b/lib/libutil/imsg_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: imsg_init.3,v 1.28 2023/06/20 06:53:29 jsg Exp $ +.\" $OpenBSD: imsg_init.3,v 1.30 2023/09/28 17:00:21 schwarze Exp $ .\" .\" Copyright (c) 2010 Nicholas Marriott .\" @@ -14,7 +14,7 @@ .\" IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING .\" OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: June 20 2023 $ +.Dd $Mdocdate: September 28 2023 $ .Dt IMSG_INIT 3 .Os .Sh NAME @@ -466,15 +466,17 @@ replaces a part of .Fa buf at offset .Fa pos -with the data of extent +with the +.Fa data +of extent .Fa len . 0 is returned on success and \-1 on failure. .Pp .Fn ibuf_set_n8 , .Fn ibuf_set_n16 , -.Fn ibuf_seek_set_n32 +.Fn ibuf_set_n32 and -.Fn ibuf_seek_set_n64 +.Fn ibuf_set_n64 replace a 1-byte, 2-byte, 4-byte or 8-byte .Fa value at offset diff --git a/regress/lib/libcrypto/aead/aeadtest.c b/regress/lib/libcrypto/aead/aeadtest.c index 4d24a8176..82fe72823 100644 --- a/regress/lib/libcrypto/aead/aeadtest.c +++ b/regress/lib/libcrypto/aead/aeadtest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aeadtest.c,v 1.24 2023/07/07 07:44:59 bcook Exp $ */ +/* $OpenBSD: aeadtest.c,v 1.26 2023/09/28 14:55:48 tb Exp $ */ /* * Copyright (c) 2022 Joel Sing * Copyright (c) 2014, Google Inc. @@ -203,6 +203,7 @@ run_cipher_aead_encrypt_test(const EVP_CIPHER *cipher, EVP_CIPHER_CTX *ctx; size_t out_len; int len; + int ivlen; int ret = 0; if ((ctx = EVP_CIPHER_CTX_new()) == NULL) { @@ -220,6 +221,13 @@ run_cipher_aead_encrypt_test(const EVP_CIPHER *cipher, goto err; } + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + if (ivlen != (int)lengths[NONCE]) { + fprintf(stderr, "FAIL: ivlen %d != nonce length %d\n", ivlen, + (int)lengths[NONCE]); + goto err; + } + if (!EVP_EncryptInit_ex(ctx, NULL, NULL, bufs[KEY], NULL)) { fprintf(stderr, "FAIL: EVP_EncryptInit_ex with key\n"); goto err; diff --git a/regress/lib/libcrypto/aes/aes_test.c b/regress/lib/libcrypto/aes/aes_test.c index 2bbf6b2ee..37bee05ca 100644 --- a/regress/lib/libcrypto/aes/aes_test.c +++ b/regress/lib/libcrypto/aes/aes_test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aes_test.c,v 1.2 2022/11/07 23:09:25 joshua Exp $ */ +/* $OpenBSD: aes_test.c,v 1.3 2023/09/28 08:21:43 tb Exp $ */ /* * Copyright (c) 2022 Joshua Sing * @@ -913,8 +913,8 @@ aes_test(void) if (!aes_ecb_test(i, label, key_bits, at)) goto failed; break; - - /* CBC */ + + /* CBC */ case NID_aes_128_cbc: case NID_aes_192_cbc: case NID_aes_256_cbc: diff --git a/regress/lib/libcrypto/evp/evp_test.c b/regress/lib/libcrypto/evp/evp_test.c index 4a671d978..eff071fa5 100644 --- a/regress/lib/libcrypto/evp/evp_test.c +++ b/regress/lib/libcrypto/evp/evp_test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_test.c,v 1.4 2023/03/11 14:27:38 jsing Exp $ */ +/* $OpenBSD: evp_test.c,v 1.7 2023/09/29 06:53:05 tb Exp $ */ /* * Copyright (c) 2022 Joel Sing * @@ -15,6 +15,9 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include +#include + #include #include @@ -137,6 +140,270 @@ evp_pkey_method_test(void) return failed; } +static const struct evp_iv_len_test { + const EVP_CIPHER *(*cipher)(void); + int iv_len; + int setlen; + int expect; +} evp_iv_len_tests[] = { + { + .cipher = EVP_aes_128_ccm, + .iv_len = 7, + .setlen = 11, + .expect = 1, + }, + { + .cipher = EVP_aes_128_ccm, + .iv_len = 7, + .setlen = 6, + .expect = 0, + }, + { + .cipher = EVP_aes_128_ccm, + .iv_len = 7, + .setlen = 13, + .expect = 1, + }, + { + .cipher = EVP_aes_128_ccm, + .iv_len = 7, + .setlen = 14, + .expect = 0, + }, + + { + .cipher = EVP_aes_192_ccm, + .iv_len = 7, + .setlen = 11, + .expect = 1, + }, + { + .cipher = EVP_aes_192_ccm, + .iv_len = 7, + .setlen = 6, + .expect = 0, + }, + { + .cipher = EVP_aes_192_ccm, + .iv_len = 7, + .setlen = 13, + .expect = 1, + }, + { + .cipher = EVP_aes_192_ccm, + .iv_len = 7, + .setlen = 14, + .expect = 0, + }, + + { + .cipher = EVP_aes_256_ccm, + .iv_len = 7, + .setlen = 11, + .expect = 1, + }, + { + .cipher = EVP_aes_256_ccm, + .iv_len = 7, + .setlen = 6, + .expect = 0, + }, + { + .cipher = EVP_aes_256_ccm, + .iv_len = 7, + .setlen = 13, + .expect = 1, + }, + { + .cipher = EVP_aes_256_ccm, + .iv_len = 7, + .setlen = 14, + .expect = 0, + }, + + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 16, + .expect = 1, + }, + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 0, + .expect = 0, + }, + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 1, + .expect = 1, + }, + /* XXX - GCM IV length isn't capped... */ + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 1024 * 1024, + .expect = 1, + }, + + { + .cipher = EVP_aes_192_gcm, + .iv_len = 12, + .setlen = 16, + .expect = 1, + }, + { + .cipher = EVP_aes_192_gcm, + .iv_len = 12, + .setlen = 0, + .expect = 0, + }, + { + .cipher = EVP_aes_192_gcm, + .iv_len = 12, + .setlen = 1, + .expect = 1, + }, + /* XXX - GCM IV length isn't capped... */ + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 1024 * 1024, + .expect = 1, + }, + + { + .cipher = EVP_aes_256_gcm, + .iv_len = 12, + .setlen = 16, + .expect = 1, + }, + { + .cipher = EVP_aes_256_gcm, + .iv_len = 12, + .setlen = 0, + .expect = 0, + }, + { + .cipher = EVP_aes_256_gcm, + .iv_len = 12, + .setlen = 1, + .expect = 1, + }, + /* XXX - GCM IV length isn't capped... */ + { + .cipher = EVP_aes_128_gcm, + .iv_len = 12, + .setlen = 1024 * 1024, + .expect = 1, + }, + + { + .cipher = EVP_aes_128_ecb, + .iv_len = 0, + .setlen = 11, + .expect = 0, + }, + + { + .cipher = EVP_chacha20_poly1305, + .iv_len = 12, + .setlen = 11, + .expect = 1, + }, + { + .cipher = EVP_chacha20_poly1305, + .iv_len = 12, + .setlen = 12, + .expect = 1, + }, + { + .cipher = EVP_chacha20_poly1305, + .iv_len = 12, + .setlen = 13, + .expect = 0, + }, + { + .cipher = EVP_chacha20_poly1305, + .iv_len = 12, + .setlen = 1, + .expect = 1, + }, + { + .cipher = EVP_chacha20_poly1305, + .iv_len = 12, + .setlen = 0, + .expect = 0, + }, +}; + +#define N_EVP_IV_LEN_TESTS \ + (sizeof(evp_iv_len_tests) / sizeof(evp_iv_len_tests[0])) + +static int +evp_pkey_iv_len_testcase(const struct evp_iv_len_test *test) +{ + const EVP_CIPHER *cipher = test->cipher(); + const char *name; + EVP_CIPHER_CTX *ctx; + int ret; + int failure = 1; + + assert(cipher != NULL); + name = OBJ_nid2ln(EVP_CIPHER_nid(cipher)); + assert(name != NULL); + + if ((ctx = EVP_CIPHER_CTX_new()) == NULL) { + fprintf(stderr, "FAIL: %s: EVP_CIPHER_CTX_new()\n", name); + goto failure; + } + + if ((ret = EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL)) <= 0) { + fprintf(stderr, "FAIL: %s: EVP_EncryptInit_ex:" + " want %d, got %d\n", name, 1, ret); + goto failure; + } + if ((ret = EVP_CIPHER_CTX_iv_length(ctx)) != test->iv_len) { + fprintf(stderr, "FAIL: %s EVP_CIPHER_CTX_iv_length (before set)" + " want %d, got %d\n", name, test->iv_len, ret); + goto failure; + } + if ((ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, + test->setlen, NULL)) != test->expect) { + fprintf(stderr, "FAIL: %s EVP_CIPHER_CTX_ctrl" + " want %d, got %d\n", name, test->expect, ret); + goto failure; + } + if (test->expect == 0) + goto done; + if ((ret = EVP_CIPHER_CTX_iv_length(ctx)) != test->setlen) { + fprintf(stderr, "FAIL: %s EVP_CIPHER_CTX_iv_length (after set)" + " want %d, got %d\n", name, test->setlen, ret); + goto failure; + } + + done: + failure = 0; + + failure: + EVP_CIPHER_CTX_free(ctx); + + return failure; +} + +static int +evp_pkey_iv_len_test(void) +{ + size_t i; + int failure = 0; + + for (i = 0; i < N_EVP_IV_LEN_TESTS; i++) + failure |= evp_pkey_iv_len_testcase(&evp_iv_len_tests[i]); + + return failure; +} + int main(int argc, char **argv) { @@ -144,6 +411,7 @@ main(int argc, char **argv) failed |= evp_asn1_method_test(); failed |= evp_pkey_method_test(); + failed |= evp_pkey_iv_len_test(); OPENSSL_cleanup(); diff --git a/regress/lib/libcrypto/x509/constraints.c b/regress/lib/libcrypto/x509/constraints.c index 8771367bd..90b7ffbae 100644 --- a/regress/lib/libcrypto/x509/constraints.c +++ b/regress/lib/libcrypto/x509/constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraints.c,v 1.15 2022/11/28 07:24:03 tb Exp $ */ +/* $OpenBSD: constraints.c,v 1.16 2023/09/29 15:53:59 beck Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -154,6 +154,12 @@ unsigned char *invaliduri[] = { "https://.www.openbsd.org/", "https://www.ope|nbsd.org%", "https://www.openbsd.org.#", + "https://192.168.1.1./", + "https://192.168.1.1|/", + "https://.192.168.1.1/", + "https://192.168..1.1/", + "https://.2001:0DB8:AC10:FE01::/", + "https://.2001:0DB8:AC10:FE01::|/", "///", "//", "/", @@ -161,6 +167,15 @@ unsigned char *invaliduri[] = { NULL, }; +unsigned char *validuri[] = { + "https://www.openbsd.org/meep/meep/meep/", + "https://192.168.1.1/", + "https://2001:0DB8:AC10:FE01::/", + "https://192.168.1/", /* Not an IP, but valid component */ + "https://999.999.999.999/", /* Not an IP, but valid component */ + NULL, +}; + static int test_valid_hostnames(void) { @@ -169,7 +184,7 @@ test_valid_hostnames(void) for (i = 0; valid_hostnames[i] != NULL; i++) { CBS cbs; CBS_init(&cbs, valid_hostnames[i], strlen(valid_hostnames[i])); - if (!x509_constraints_valid_host(&cbs)) { + if (!x509_constraints_valid_host(&cbs, 0)) { FAIL("Valid hostname '%s' rejected\n", valid_hostnames[i]); failure = 1; @@ -183,6 +198,7 @@ test_valid_hostnames(void) goto done; } } + done: return failure; } @@ -202,6 +218,7 @@ test_valid_sandns_names(void) goto done; } } + done: return failure; } @@ -221,6 +238,7 @@ test_valid_domain_constraints(void) goto done; } } + done: return failure; } @@ -245,6 +263,7 @@ test_valid_mbox_names(void) free(name.local); name.local = NULL; } + done: return failure; } @@ -259,7 +278,7 @@ test_invalid_hostnames(void) for (i = 0; invalid_hostnames[i] != NULL; i++) { CBS_init(&cbs, invalid_hostnames[i], strlen(invalid_hostnames[i])); - if (x509_constraints_valid_host(&cbs)) { + if (x509_constraints_valid_host(&cbs, 0)) { FAIL("Invalid hostname '%s' accepted\n", invalid_hostnames[i]); failure = 1; @@ -267,7 +286,7 @@ test_invalid_hostnames(void) } } CBS_init(&cbs, nulhost, strlen(nulhost) + 1); - if (x509_constraints_valid_host(&cbs)) { + if (x509_constraints_valid_host(&cbs, 0)) { FAIL("hostname with NUL byte accepted\n"); failure = 1; goto done; @@ -278,6 +297,7 @@ test_invalid_hostnames(void) failure = 1; goto done; } + done: return failure; } @@ -297,6 +317,7 @@ test_invalid_sandns_names(void) goto done; } } + done: return failure; } @@ -321,6 +342,7 @@ test_invalid_mbox_names(void) free(name.local); name.local = NULL; } + done: return failure; } @@ -340,6 +362,7 @@ test_invalid_domain_constraints(void) goto done; } } + done: return failure; } @@ -365,6 +388,27 @@ test_invalid_uri(void) done: return failure; } +static int +test_valid_uri(void) +{ + int j, failure = 0; + char *hostpart = NULL; + + for (j = 0; validuri[j] != NULL; j++) { + if (x509_constraints_uri_host(validuri[j], + strlen(invaliduri[j]), &hostpart) == 0) { + FAIL("Valid URI '%s' NOT accepted\n", + validuri[j]); + failure = 1; + goto done; + } + free(hostpart); + hostpart = NULL; + } + + done: + return failure; +} static int test_constraints1(void) @@ -513,6 +557,7 @@ test_constraints1(void) failure = 1; goto done; } + done: return failure; } @@ -531,6 +576,7 @@ main(int argc, char **argv) failed |= test_valid_domain_constraints(); failed |= test_invalid_domain_constraints(); failed |= test_invalid_uri(); + failed |= test_valid_uri(); failed |= test_constraints1(); return (failed); diff --git a/sys/dev/fdt/rkclock.c b/sys/dev/fdt/rkclock.c index c93a152b4..98ad82579 100644 --- a/sys/dev/fdt/rkclock.c +++ b/sys/dev/fdt/rkclock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rkclock.c,v 1.82 2023/07/09 16:33:49 patrick Exp $ */ +/* $OpenBSD: rkclock.c,v 1.83 2023/09/29 15:51:48 kettenis Exp $ */ /* * Copyright (c) 2017, 2018 Mark Kettenis * @@ -2952,6 +2952,24 @@ rk3399_enable(void *cookie, uint32_t *cells, int on) } switch (idx) { + case RK3399_CLK_USB2PHY0_REF: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(6), (5 << 0) << 16); + break; + case RK3399_CLK_USB2PHY1_REF: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(6), (6 << 0) << 16); + break; + case RK3399_CLK_UPHY0_TCPDPHY_REF: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(13), (4 << 0) << 16); + break; + case RK3399_CLK_UPHY0_TCPDCORE: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(13), (5 << 0) << 16); + break; + case RK3399_CLK_UPHY1_TCPDPHY_REF: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(13), (6 << 0) << 16); + break; + case RK3399_CLK_UPHY1_TCPDCORE: + HWRITE4(sc, RK3399_CRU_CLKGATE_CON(13), (7 << 0) << 16); + break; case RK3399_ACLK_GMAC: HWRITE4(sc, RK3399_CRU_CLKGATE_CON(32), (1 << 0) << 16); break; diff --git a/sys/dev/fdt/rkclock_clocks.h b/sys/dev/fdt/rkclock_clocks.h index 55f696f19..d55078ec5 100644 --- a/sys/dev/fdt/rkclock_clocks.h +++ b/sys/dev/fdt/rkclock_clocks.h @@ -187,7 +187,11 @@ #define RK3399_CLK_MAC_RX 103 #define RK3399_CLK_MAC_TX 104 #define RK3399_CLK_MAC 105 +#define RK3399_CLK_USB2PHY0_REF 123 +#define RK3399_CLK_USB2PHY1_REF 124 +#define RK3399_CLK_UPHY0_TCPDPHY_REF 125 #define RK3399_CLK_UPHY0_TCPDCORE 126 +#define RK3399_CLK_UPHY1_TCPDPHY_REF 127 #define RK3399_CLK_UPHY1_TCPDCORE 128 #define RK3399_CLK_USB3OTG0_REF 129 #define RK3399_CLK_USB3OTG1_REF 130 diff --git a/sys/dev/fdt/rkusbphy.c b/sys/dev/fdt/rkusbphy.c index 2f30f97cd..7b2acad12 100644 --- a/sys/dev/fdt/rkusbphy.c +++ b/sys/dev/fdt/rkusbphy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rkusbphy.c,v 1.2 2023/04/03 01:21:31 dlg Exp $ */ +/* $OpenBSD: rkusbphy.c,v 1.4 2023/09/29 17:30:35 kettenis Exp $ */ /* * Copyright (c) 2023 David Gwynne diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 3f3112b01..a85010da5 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exec.c,v 1.250 2023/07/10 03:31:57 guenther Exp $ */ +/* $OpenBSD: kern_exec.c,v 1.251 2023/09/29 12:47:34 claudio Exp $ */ /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */ /*- @@ -284,7 +284,7 @@ sys_execve(struct proc *p, void *v, register_t *retval) } /* get other threads to stop */ - if ((error = single_thread_set(p, SINGLE_UNWIND, 1))) + if ((error = single_thread_set(p, SINGLE_UNWIND | SINGLE_DEEP))) return (error); /* @@ -444,7 +444,7 @@ sys_execve(struct proc *p, void *v, register_t *retval) * we're committed: any further errors will kill the process, so * kill the other threads now. */ - single_thread_set(p, SINGLE_EXIT, 1); + single_thread_set(p, SINGLE_EXIT); /* * Prepare vmspace for remapping. Note that uvmspace_exec can replace diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index f57d48415..ce6aea2aa 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exit.c,v 1.216 2023/09/21 13:49:25 claudio Exp $ */ +/* $OpenBSD: kern_exit.c,v 1.217 2023/09/29 12:47:34 claudio Exp $ */ /* $NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $ */ /* @@ -131,7 +131,7 @@ exit1(struct proc *p, int xexit, int xsig, int flags) } else { /* nope, multi-threaded */ if (flags == EXIT_NORMAL) - single_thread_set(p, SINGLE_EXIT, 1); + single_thread_set(p, SINGLE_EXIT); else if (flags == EXIT_THREAD) single_thread_check(p, 0); } diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index 7f2446e63..2099db42f 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.308 2023/09/19 10:43:33 claudio Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.309 2023/09/29 12:47:34 claudio Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -578,9 +578,9 @@ pledge_fail(struct proc *p, int error, uint64_t code) p->p_p->ps_comm, p->p_p->ps_pid, codes, p->p_pledge_syscall); p->p_p->ps_acflag |= APLEDGE; - /* Stop threads immediately, because this process is suspect */ + /* Try to stop threads immediately, because this process is suspect */ if (P_HASSIBLING(p)) - single_thread_set(p, SINGLE_UNWIND, 1); + single_thread_set(p, SINGLE_UNWIND | SINGLE_DEEP); /* Send uncatchable SIGABRT for coredump */ sigabort(p); diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index cc6c786d2..8d1abf9e2 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sig.c,v 1.318 2023/09/19 10:43:33 claudio Exp $ */ +/* $OpenBSD: kern_sig.c,v 1.319 2023/09/29 12:47:34 claudio Exp $ */ /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */ /* @@ -840,7 +840,7 @@ trapsignal(struct proc *p, int signum, u_long trapno, int code, signum != SIGKILL && (p->p_sigmask & mask) != 0) { int s; - single_thread_set(p, SINGLE_SUSPEND, 0); + single_thread_set(p, SINGLE_SUSPEND | SINGLE_NOWAIT); pr->ps_xsig = signum; SCHED_LOCK(s); @@ -1290,7 +1290,7 @@ cursig(struct proc *p, struct sigctx *sctx) */ if (((pr->ps_flags & (PS_TRACED | PS_PPWAIT)) == PS_TRACED) && signum != SIGKILL) { - single_thread_set(p, SINGLE_SUSPEND, 0); + single_thread_set(p, SINGLE_SUSPEND | SINGLE_NOWAIT); pr->ps_xsig = signum; SCHED_LOCK(s); @@ -1559,7 +1559,7 @@ sigexit(struct proc *p, int signum) /* if there are other threads, pause them */ if (P_HASSIBLING(p)) - single_thread_set(p, SINGLE_UNWIND, 1); + single_thread_set(p, SINGLE_UNWIND); if (coredump(p) == 0) signum |= WCOREFLAG; @@ -2066,16 +2066,16 @@ single_thread_check(struct proc *p, int deep) * - SINGLE_EXIT: unwind to kernel boundary and exit */ int -single_thread_set(struct proc *p, enum single_thread_mode mode, int wait) +single_thread_set(struct proc *p, int flags) { struct process *pr = p->p_p; struct proc *q; - int error, s; + int error, s, mode = flags & SINGLE_MASK; KASSERT(curproc == p); SCHED_LOCK(s); - error = single_thread_check_locked(p, (mode == SINGLE_UNWIND), s); + error = single_thread_check_locked(p, flags & SINGLE_DEEP, s); if (error) { SCHED_UNLOCK(s); return error; @@ -2146,7 +2146,7 @@ single_thread_set(struct proc *p, enum single_thread_mode mode, int wait) } SCHED_UNLOCK(s); - if (wait) + if ((flags & SINGLE_NOWAIT) == 0) single_thread_wait(pr, 1); return 0; diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 34117767a..84f997500 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.257 2023/08/07 03:35:06 dlg Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.258 2023/09/29 18:40:08 tobhe Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -1162,6 +1162,10 @@ pfkeyv2_dosend(struct socket *so, void *message, int len) rdomain = kp->kcb_rdomain; + /* Validate message format */ + if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) + goto ret; + /* If we have any promiscuous listeners, send them a copy of the message */ if (promisc) { struct mbuf *packet; @@ -1208,10 +1212,6 @@ pfkeyv2_dosend(struct socket *so, void *message, int len) freeme_sz = 0; } - /* Validate message format */ - if ((rval = pfkeyv2_parsemessage(message, len, headers)) != 0) - goto ret; - /* use specified rdomain */ srdomain = (struct sadb_x_rdomain *) headers[SADB_X_EXT_RDOMAIN]; if (srdomain) { diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index edb1cc76c..ad1165162 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.61 2023/08/07 03:35:06 dlg Exp $ */ +/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.62 2023/09/29 18:45:42 tobhe Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -327,16 +327,8 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) } if (sadb_msg->sadb_msg_errno) { - if (left) { - DPRINTF("too-large error message"); - return (EINVAL); - } - return (0); - } - - if (sadb_msg->sadb_msg_type == SADB_X_PROMISC) { - DPRINTF("message type promiscuous"); - return (0); + DPRINTF("errno set"); + return (EINVAL); } allow = sadb_exts_allowed_in[sadb_msg->sadb_msg_type]; diff --git a/sys/sys/proc.h b/sys/sys/proc.h index e369267bb..452311610 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.h,v 1.351 2023/09/13 14:25:49 claudio Exp $ */ +/* $OpenBSD: proc.h,v 1.352 2023/09/29 12:47:34 claudio Exp $ */ /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */ /*- @@ -571,12 +571,15 @@ refreshcreds(struct proc *p) dorefreshcreds(pr, p); } -enum single_thread_mode { - SINGLE_SUSPEND, /* other threads to stop wherever they are */ - SINGLE_UNWIND, /* other threads to unwind and stop */ - SINGLE_EXIT /* other threads to unwind and then exit */ -}; -int single_thread_set(struct proc *, enum single_thread_mode, int); +#define SINGLE_SUSPEND 0x01 /* other threads to stop wherever they are */ +#define SINGLE_UNWIND 0x02 /* other threads to unwind and stop */ +#define SINGLE_EXIT 0x03 /* other threads to unwind and then exit */ +#define SINGLE_MASK 0x0f +/* extra flags for single_thread_set */ +#define SINGLE_DEEP 0x10 /* call is in deep */ +#define SINGLE_NOWAIT 0x20 /* do not wait for other threads to stop */ + +int single_thread_set(struct proc *, int); int single_thread_wait(struct process *, int); void single_thread_clear(struct proc *, int); int single_thread_check(struct proc *, int); diff --git a/usr.sbin/bgpd/control.c b/usr.sbin/bgpd/control.c index 16195d1e8..d163be175 100644 --- a/usr.sbin/bgpd/control.c +++ b/usr.sbin/bgpd/control.c @@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.112 2023/08/04 09:20:12 claudio Exp $ */ +/* $OpenBSD: control.c,v 1.113 2023/09/28 07:01:26 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -388,14 +388,20 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) control_result(c, CTL_RES_OK); break; case IMSG_CTL_NEIGHBOR_DOWN: - p->conf.down = 1; + neighbor->reason[ + sizeof(neighbor->reason) - 1] = + '\0'; strlcpy(p->conf.reason, neighbor->reason, sizeof(p->conf.reason)); + p->conf.down = 1; session_stop(p, ERR_CEASE_ADMIN_DOWN); control_result(c, CTL_RES_OK); break; case IMSG_CTL_NEIGHBOR_CLEAR: + neighbor->reason[ + sizeof(neighbor->reason) - 1] = + '\0'; strlcpy(p->conf.reason, neighbor->reason, sizeof(p->conf.reason)); diff --git a/usr.sbin/bgpd/version.h b/usr.sbin/bgpd/version.h index d106917fa..5c8a4278b 100644 --- a/usr.sbin/bgpd/version.h +++ b/usr.sbin/bgpd/version.h @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.12 2023/07/11 15:18:31 claudio Exp $ */ +/* $OpenBSD: version.h,v 1.13 2023/09/28 07:02:50 claudio Exp $ */ -#define BGPD_VERSION "8.1" +#define BGPD_VERSION "8.2" diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index a253e74e2..678128692 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd.h,v 1.677 2023/06/17 08:32:48 op Exp $ */ +/* $OpenBSD: smtpd.h,v 1.678 2023/09/29 18:30:14 op Exp $ */ /* * Copyright (c) 2008 Gilles Chehade @@ -55,7 +55,7 @@ #define SMTPD_QUEUE_EXPIRY (4 * 24 * 60 * 60) #define SMTPD_SOCKET "/var/run/smtpd.sock" #define SMTPD_NAME "OpenSMTPD" -#define SMTPD_VERSION "7.3.0" +#define SMTPD_VERSION "7.4.0" #define SMTPD_SESSION_TIMEOUT 300 #define SMTPD_BACKLOG 5