diff --git a/gnu/usr.bin/binutils-2.17/bfd/bfd-in2.h b/gnu/usr.bin/binutils-2.17/bfd/bfd-in2.h index e17a29d40..ed9a2b768 100644 --- a/gnu/usr.bin/binutils-2.17/bfd/bfd-in2.h +++ b/gnu/usr.bin/binutils-2.17/bfd/bfd-in2.h @@ -2699,6 +2699,7 @@ in the instruction. */ BFD_RELOC_386_TLS_GOTDESC, BFD_RELOC_386_TLS_DESC_CALL, BFD_RELOC_386_TLS_DESC, + BFD_RELOC_386_GOT32X, /* x86-64/elf relocations */ BFD_RELOC_X86_64_GOT32, diff --git a/gnu/usr.bin/binutils-2.17/bfd/elf32-i386.c b/gnu/usr.bin/binutils-2.17/bfd/elf32-i386.c index cecc7e8b7..1575771e6 100644 --- a/gnu/usr.bin/binutils-2.17/bfd/elf32-i386.c +++ b/gnu/usr.bin/binutils-2.17/bfd/elf32-i386.c @@ -136,9 +136,14 @@ static reloc_howto_type elf_howto_table[]= HOWTO(R_386_TLS_DESC, 0, 2, 32, FALSE, 0, complain_overflow_bitfield, bfd_elf_generic_reloc, "R_386_TLS_DESC", TRUE, 0xffffffff, 0xffffffff, FALSE), + EMPTY_HOWTO (42), /* R_386_IRELATIVE */ + HOWTO(R_386_GOT32X, 0, 2, 32, FALSE, 0, complain_overflow_bitfield, + bfd_elf_generic_reloc, "R_386_GOT32X", + TRUE, 0xffffffff, 0xffffffff, FALSE), /* Another gap. */ -#define R_386_tls (R_386_TLS_DESC + 1 - R_386_tls_offset) + /* XXX R_386_GOT32X isn't really a TLS relocation */ +#define R_386_tls (R_386_GOT32X + 1 - R_386_tls_offset) #define R_386_vt_offset (R_386_GNU_VTINHERIT - R_386_tls) /* GNU extension to record C++ vtable hierarchy. */ @@ -314,6 +319,10 @@ elf_i386_reloc_type_lookup (bfd *abfd ATTRIBUTE_UNUSED, TRACE ("BFD_RELOC_386_TLS_DESC"); return &elf_howto_table[R_386_TLS_DESC - R_386_tls_offset]; + case BFD_RELOC_386_GOT32X: + TRACE ("BFD_RELOC_386_GOT32X"); + return &elf_howto_table[R_386_GOT32X - R_386_tls_offset]; + case BFD_RELOC_VTABLE_INHERIT: TRACE ("BFD_RELOC_VTABLE_INHERIT"); return &elf_howto_table[R_386_GNU_VTINHERIT - R_386_vt_offset]; @@ -993,6 +1002,7 @@ elf_i386_check_relocs (bfd *abfd, /* Fall through */ case R_386_GOT32: + case R_386_GOT32X: case R_386_TLS_GD: case R_386_TLS_GOTDESC: case R_386_TLS_DESC_CALL: 
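Review bot: `BFD_RELOC_386_GOT32X` is inserted directly into bfd-in2.h, but in binutils that header (and the `bfd_reloc_code_real_names[]` table in libbfd.h edited later in this diff) is generated from bfd/reloc.c by the headers target, and reloc.c is not touched here; unless it was updated separately, the next regeneration drops both additions again. The two hand edits are at least consistent with each other, both placed right after the `BFD_RELOC_386_TLS_DESC` entry, which is what keeps the enum and the name table aligned. Adding the matching `ENUM BFD_RELOC_386_GOT32X / ENUMDOC` stanza to reloc.c would make the change survive regeneration.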
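Review bot: With `EMPTY_HOWTO (42)` in `elf_howto_table[]` and `R_386_tls` raised to `R_386_GOT32X + 1`, an input object carrying relocation type 42 now lands on a howto whose `name` and `special_function` are NULL instead of falling outside the TLS range, so whatever range check the howto lookup outside this hunk performs no longer rejects it. If that lookup path or its error reporting dereferences `howto->name`, a malformed or hostile object file turns that into a NULL dereference; rejecting entries whose `name` is NULL the same way an out-of-range type is rejected keeps the table change safe. The pre-existing `/* Another gap. */` comment now sits between the new HOWTO and the `#define`, where it reads as if it described the macro; rewording it to `/* Gap: 42 is R_386_IRELATIVE, unsupported here; 43 is R_386_GOT32X. */` and placing it above `EMPTY_HOWTO (42)` would be clearer.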
@@ -1004,6 +1014,7 @@ elf_i386_check_relocs (bfd *abfd, { default: case R_386_GOT32: tls_type = GOT_NORMAL; break; + case R_386_GOT32X: tls_type = GOT_NORMAL; break; case R_386_TLS_GD: tls_type = GOT_TLS_GD; break; case R_386_TLS_GOTDESC: case R_386_TLS_DESC_CALL: @@ -1392,6 +1403,7 @@ elf_i386_gc_sweep_hook (bfd *abfd, case R_386_TLS_IE: case R_386_TLS_GOTIE: case R_386_GOT32: + case R_386_GOT32X: if (h != NULL) { if (h->got.refcount > 0) @@ -2452,6 +2464,7 @@ elf_i386_relocate_section (bfd *output_bfd, switch (r_type) { case R_386_GOT32: + case R_386_GOT32X: /* Relocation is to the entry for this symbol in the global offset table. */ if (htab->sgot == NULL) diff --git a/gnu/usr.bin/binutils-2.17/bfd/libbfd.h b/gnu/usr.bin/binutils-2.17/bfd/libbfd.h index e7151a8ae..6bf1dd14a 100644 --- a/gnu/usr.bin/binutils-2.17/bfd/libbfd.h +++ b/gnu/usr.bin/binutils-2.17/bfd/libbfd.h @@ -1050,6 +1050,7 @@ static const char *const bfd_reloc_code_real_names[] = { "@@uninitialized@@", "BFD_RELOC_386_TLS_GOTDESC", "BFD_RELOC_386_TLS_DESC_CALL", "BFD_RELOC_386_TLS_DESC", + "BFD_RELOC_386_GOT32X", "BFD_RELOC_X86_64_GOT32", "BFD_RELOC_X86_64_PLT32", "BFD_RELOC_X86_64_COPY", diff --git a/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.c b/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.c index d0f3bb58d..2dcd133f1 100644 --- a/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.c +++ b/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.c @@ -1313,6 +1313,7 @@ tc_i386_fix_adjustable (fixP) if (fixP->fx_r_type == BFD_RELOC_386_GOTOFF || fixP->fx_r_type == BFD_RELOC_386_PLT32 || fixP->fx_r_type == BFD_RELOC_386_GOT32 + || fixP->fx_r_type == BFD_RELOC_386_GOT32X || fixP->fx_r_type == BFD_RELOC_386_TLS_GD || fixP->fx_r_type == BFD_RELOC_386_TLS_LDM || fixP->fx_r_type == BFD_RELOC_386_TLS_LDO_32 @@ -5142,6 +5143,7 @@ md_apply_fix (fixP, valP, seg) return; case BFD_RELOC_386_GOT32: + case BFD_RELOC_386_GOT32X: case BFD_RELOC_X86_64_GOT32: value = 0; /* Fully resolved at runtime. No addend. */ break; 
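Review bot: The added `case R_386_GOT32X: tls_type = GOT_NORMAL; break;` is behaviourally redundant, because the `default: case R_386_GOT32:` label on the line above already yields `GOT_NORMAL` for anything not listed, and it duplicates the statement. Adding the label to the existing group instead (`default: case R_386_GOT32: case R_386_GOT32X: tls_type = GOT_NORMAL; break;`) keeps the two GOT32 flavours visibly identical and prevents them from drifting apart later. The enclosing switch and elf_i386_check_relocs continue outside the hunk.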
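Review bot: In elf_i386_relocate_section the new `case R_386_GOT32X:` shares the `R_386_GOT32` path verbatim (as it does in the check_relocs and gc_sweep_hook hunks earlier in this diff), which is a correct conservative treatment but means the linker never performs the GOT-load-to-lea relaxation that this relocation type exists to permit. A comment at the new label, e.g. `/* R_386_GOT32X: handled exactly like R_386_GOT32, no relaxation. */`, would record that this is deliberate rather than an oversight. The body of the case and the enclosing function continue outside the hunk.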
@@ -5708,6 +5710,7 @@ tc_gen_reloc (section, fixp) case BFD_RELOC_X86_64_GOTPCREL: case BFD_RELOC_386_PLT32: case BFD_RELOC_386_GOT32: + case BFD_RELOC_386_GOT32X: case BFD_RELOC_386_GOTOFF: case BFD_RELOC_386_GOTPC: case BFD_RELOC_386_TLS_GD: diff --git a/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.h b/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.h index c77420d6b..93e548582 100644 --- a/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.h +++ b/gnu/usr.bin/binutils-2.17/gas/config/tc-i386.h @@ -445,6 +445,7 @@ extern int tc_i386_fix_adjustable PARAMS ((struct fix *)); || (FIX)->fx_plt \ || (FIX)->fx_r_type == BFD_RELOC_386_PLT32 \ || (FIX)->fx_r_type == BFD_RELOC_386_GOT32 \ + || (FIX)->fx_r_type == BFD_RELOC_386_GOT32X \ || (FIX)->fx_r_type == BFD_RELOC_386_GOTPC \ || (FIX)->fx_r_type == BFD_RELOC_X86_64_GOTPCREL \ || TC_FORCE_RELOCATION (FIX)) diff --git a/gnu/usr.bin/binutils-2.17/include/elf/i386.h b/gnu/usr.bin/binutils-2.17/include/elf/i386.h index e167871f3..9033224ac 100644 --- a/gnu/usr.bin/binutils-2.17/include/elf/i386.h +++ b/gnu/usr.bin/binutils-2.17/include/elf/i386.h @@ -66,6 +66,7 @@ START_RELOC_NUMBERS (elf_i386_reloc_type) RELOC_NUMBER (R_386_TLS_GOTDESC, 39) RELOC_NUMBER (R_386_TLS_DESC_CALL,40) RELOC_NUMBER (R_386_TLS_DESC, 41) + RELOC_NUMBER (R_386_GOT32X, 43) /* 32 bit GOT entry */ /* Used by Intel. */ RELOC_NUMBER (R_386_USED_BY_INTEL_200, 200) diff --git a/regress/lib/libcrypto/evp/evp_test.c b/regress/lib/libcrypto/evp/evp_test.c index ec6a9435f..ef11089d2 100644 --- a/regress/lib/libcrypto/evp/evp_test.c +++ b/regress/lib/libcrypto/evp/evp_test.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_test.c,v 1.13 2023/12/31 01:31:07 tb Exp $ */ +/* $OpenBSD: evp_test.c,v 1.14 2024/01/11 16:45:26 tb Exp $ */ /* * Copyright (c) 2022 Joel Sing * Copyright (c) 2023 Theo Buehler 
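Review bot: In include/elf/i386.h the new `RELOC_NUMBER (R_386_GOT32X, 43)` jumps from 41 to 43 without saying why, and the reader has to find `EMPTY_HOWTO (42)` in elf32-i386.c to learn that 42 is reserved for R_386_IRELATIVE and that the howto table's index arithmetic depends on that slot being filled. A comment here, `/* 42 is R_386_IRELATIVE, which this BFD does not handle. */`, ties the two files together for the next person who adds a relocation number.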
@@ -260,42 +260,6 @@ evp_asn1_method_aliases_test(void) return failed; } -static int -evp_pkey_method_test(void) -{ - const EVP_PKEY_METHOD *method; - int pkey_id; - int failed = 1; - - if ((method = EVP_PKEY_meth_find(EVP_PKEY_RSA)) == NULL) { - fprintf(stderr, "FAIL: failed to find RSA method\n"); - goto failure; - } - EVP_PKEY_meth_get0_info(&pkey_id, NULL, method); - if (pkey_id != EVP_PKEY_RSA) { - fprintf(stderr, "FAIL: method ID mismatch (%d != %d)\n", - pkey_id, EVP_PKEY_RSA); - goto failure; - } - - if ((method = EVP_PKEY_meth_find(EVP_PKEY_RSA_PSS)) == NULL) { - fprintf(stderr, "FAIL: failed to find RSA-PSS method\n"); - goto failure; - } - EVP_PKEY_meth_get0_info(&pkey_id, NULL, method); - if (pkey_id != EVP_PKEY_RSA_PSS) { - fprintf(stderr, "FAIL: method ID mismatch (%d != %d)\n", - pkey_id, EVP_PKEY_RSA_PSS); - goto failure; - } - - failed = 0; - - failure: - - return failed; -} - static const struct evp_iv_len_test { const EVP_CIPHER *(*cipher)(void); int iv_len; @@ -789,7 +753,6 @@ main(int argc, char **argv) failed |= evp_asn1_method_test(); failed |= evp_asn1_method_aliases_test(); - failed |= evp_pkey_method_test(); failed |= evp_pkey_iv_len_test(); failed |= evp_do_all_test(); failed |= evp_aliases_test(); diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index b8da40afc..09870cd1a 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $ +# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $ OPENSSL?= yes 
@@ -168,24 +168,30 @@ t5: awk '{print $$2}' | diff - ${.CURDIR}/t5.ok t6: - ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1 - ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2 - chmod 600 t6.out1 - ssh-keygen -yf t6.out1 | diff - t6.out2 + set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ + ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1 ; \ + ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2 ; \ + chmod 600 t6.out1 ; \ + ssh-keygen -yf t6.out1 | diff - t6.out2 ; \ + fi t7.out: - ssh-keygen -q -t rsa -N '' -f $@ + ssh-keygen -q -t rsa -N '' -f $@ ; \ t7: t7.out ssh-keygen -lf t7.out > /dev/null ssh-keygen -Bf t7.out > /dev/null t8.out: - ssh-keygen -q -t dsa -N '' -f $@ + set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ + ssh-keygen -q -t dsa -N '' -f $@ ; \ + fi t8: t8.out - ssh-keygen -lf t8.out > /dev/null - ssh-keygen -Bf t8.out > /dev/null + set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \ + ssh-keygen -lf t8.out > /dev/null ; \ + ssh-keygen -Bf t8.out > /dev/null ; \ + fi t9.out: ssh-keygen -q -t ecdsa -N '' -f $@ diff --git a/regress/usr.bin/ssh/unittests/Makefile.inc b/regress/usr.bin/ssh/unittests/Makefile.inc index 623896ffa..98e280486 100644 --- a/regress/usr.bin/ssh/unittests/Makefile.inc +++ b/regress/usr.bin/ssh/unittests/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.15 2023/09/24 08:14:13 claudio Exp $ +# $OpenBSD: Makefile.inc,v 1.16 2024/01/11 01:45:58 djm Exp $ .include .include @@ -13,6 +13,11 @@ TEST_ENV?= MALLOC_OPTIONS=${MALLOC_OPTIONS} # XXX detect from ssh binary? OPENSSL?= yes +DSAKEY?= yes + +.if (${DSAKEY:L} == "yes") +CFLAGS+= -DWITH_DSA +.endif .if (${OPENSSL:L} == "yes") CFLAGS+= -DWITH_OPENSSL diff --git a/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c b/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c index 71f523bfe..e19b86f6f 100644 --- a/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c +++ b/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c 
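Review bot: The `t7.out` recipe now ends in `; \`, which continues the command onto the following blank line; BSD make tolerates that, but it is a stray edit leftover and the line should go back to `ssh-keygen -q -t rsa -N '' -f $@`. Separately, when `ssh -Q key` does not list `ssh-dss` the `t8.out` recipe exits without creating `t8.out`, so `t8` re-runs its (now no-op) recipe on every invocation; harmless, but worth a comment so nobody "fixes" the missing file later. The same `set -xe ; if ssh -Q key | grep -q ^ssh-dss` probe now appears three times and could be hoisted into a single make variable.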
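Review bot: `DSAKEY?= yes` makes the unit tests' `WITH_DSA` default independent of how the libssh they link against was built, so a tree built without DSA support compiles the DSA tests in and fails at run time, whereas the regress Makefile in the parent directory (earlier in this diff) probes `ssh -Q key` at run time instead. The existing `# XXX detect from ssh binary?` comment above `OPENSSL?=` now applies equally to this knob. Deriving the default from the same probe, or at minimum adding `# must match the WITH_DSA setting libssh was built with` next to it, keeps the two mechanisms in step.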
@@ -1,4 +1,4 @@ -/* $OpenBSD: test_iterate.c,v 1.8 2021/12/14 21:25:27 deraadt Exp $ */ +/* $OpenBSD: test_iterate.c,v 1.9 2024/01/11 01:45:58 djm Exp $ */ /* * Regress test for hostfile.h hostkeys_foreach() * @@ -52,7 +52,7 @@ check(struct hostkey_foreach_line *l, void *_ctx) int parse_key = (ctx->flags & HKF_WANT_PARSE_KEY) != 0; const int matching = (ctx->flags & HKF_WANT_MATCH) != 0; u_int expected_status, expected_match; - int expected_keytype; + int expected_keytype, skip = 0; test_subtest_info("entry %zu/%zu, file line %ld", ctx->i + 1, ctx->nexpected, l->linenum); @@ -85,6 +85,17 @@ check(struct hostkey_foreach_line *l, void *_ctx) expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? expected->l.keytype : expected->no_parse_keytype; +#ifndef WITH_DSA + if (expected->l.keytype == KEY_DSA || + expected->no_parse_keytype == KEY_DSA) + skip = 1; +#endif + + if (skip) { + expected_status = HKF_STATUS_INVALID; + expected_keytype = KEY_UNSPEC; + parse_key = 0; + } UPDATE_MATCH_STATUS(match_host_p); UPDATE_MATCH_STATUS(match_host_s); UPDATE_MATCH_STATUS(match_ipv4); @@ -128,6 +139,10 @@ prepare_expected(struct expected *expected, size_t n) for (i = 0; i < n; i++) { if (expected[i].key_file == NULL) continue; +#ifndef WITH_DSA + if (expected[i].l.keytype == KEY_DSA) + continue; +#endif ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0); diff --git a/regress/usr.bin/ssh/unittests/kex/test_kex.c b/regress/usr.bin/ssh/unittests/kex/test_kex.c index 1cb5b2397..3cb30a7b0 100644 --- a/regress/usr.bin/ssh/unittests/kex/test_kex.c +++ b/regress/usr.bin/ssh/unittests/kex/test_kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_kex.c,v 1.6 2021/12/14 21:25:27 deraadt Exp $ */ +/* $OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */ /* * Regress test KEX * 
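Review bot: The `if (skip)` block in check() rewrites three expectations without saying what the hostfile parser does with a DSA line when DSA support is compiled out; presumably an unrecognised key type is reported as `HKF_STATUS_INVALID` with `KEY_UNSPEC` and no key to compare — confirm against hostfile.c before relying on it. A comment above the `#ifndef WITH_DSA` block, e.g. `/* Without DSA support the hostfile parser cannot parse DSA keys: expect INVALID/UNSPEC and skip key comparison. */`, would make the override self-explanatory, and a matching one-liner belongs on the `continue` added to prepare_expected in the next hunk. check() continues outside the hunk.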
@@ -170,7 +170,9 @@ static void do_kex(char *kex) { do_kex_with_key(kex, KEY_RSA, 2048); +#ifdef WITH_DSA do_kex_with_key(kex, KEY_DSA, 1024); +#endif do_kex_with_key(kex, KEY_ECDSA, 256); do_kex_with_key(kex, KEY_ED25519, 256); } diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_file.c b/regress/usr.bin/ssh/unittests/sshkey/test_file.c index 6a0fdbad0..6c22548d5 100644 --- a/regress/usr.bin/ssh/unittests/sshkey/test_file.c +++ b/regress/usr.bin/ssh/unittests/sshkey/test_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_file.c,v 1.10 2021/12/14 21:25:27 deraadt Exp $ */ +/* $OpenBSD: test_file.c,v 1.11 2024/01/11 01:45:58 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -154,6 +154,7 @@ sshkey_file_tests(void) sshkey_free(k1); +#ifdef WITH_DSA TEST_START("parse DSA from private"); buf = load_file("dsa_1"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); @@ -244,6 +245,7 @@ sshkey_file_tests(void) TEST_DONE(); sshkey_free(k1); +#endif TEST_START("parse ECDSA from private"); buf = load_file("ecdsa_1"); diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c b/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c index 2c3ffc720..c839700ac 100644 --- a/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c +++ b/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_fuzz.c,v 1.13 2021/12/14 21:25:27 deraadt Exp $ */ +/* $OpenBSD: test_fuzz.c,v 1.14 2024/01/11 01:45:58 djm Exp $ */ /* * Fuzz tests for key parsing * @@ -152,6 +152,7 @@ sshkey_fuzz_tests(void) fuzz_cleanup(fuzz); TEST_DONE(); +#ifdef WITH_DSA TEST_START("fuzz DSA private"); buf = load_file("dsa_1"); fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), @@ -195,6 +196,7 @@ sshkey_fuzz_tests(void) sshbuf_free(fuzzed); fuzz_cleanup(fuzz); TEST_DONE(); +#endif TEST_START("fuzz ECDSA private"); buf = load_file("ecdsa_1"); 
@@ -276,6 +278,7 @@ sshkey_fuzz_tests(void) sshkey_free(k1); TEST_DONE(); +#ifdef WITH_DSA TEST_START("fuzz DSA public"); buf = load_file("dsa_1"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); @@ -289,6 +292,7 @@ sshkey_fuzz_tests(void) public_fuzz(k1); sshkey_free(k1); TEST_DONE(); +#endif TEST_START("fuzz ECDSA public"); buf = load_file("ecdsa_1"); @@ -342,6 +346,7 @@ sshkey_fuzz_tests(void) sshkey_free(k1); TEST_DONE(); +#ifdef WITH_DSA TEST_START("fuzz DSA sig"); buf = load_file("dsa_1"); ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); @@ -349,6 +354,7 @@ sshkey_fuzz_tests(void) sig_fuzz(k1, NULL); sshkey_free(k1); TEST_DONE(); +#endif TEST_START("fuzz ECDSA sig"); buf = load_file("ecdsa_1"); diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c index 84019a165..fe331d259 100644 --- a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c +++ b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_sshkey.c,v 1.23 2023/01/04 22:48:57 tb Exp $ */ +/* $OpenBSD: test_sshkey.c,v 1.24 2024/01/11 01:45:58 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -170,8 +170,9 @@ get_private(const char *n) void sshkey_tests(void) { - struct sshkey *k1, *k2, *k3, *k4, *kr, *kd, *ke, *kf; - struct sshbuf *b; + struct sshkey *k1 = NULL, *k2 = NULL, *k3 = NULL, *k4 = NULL; + struct sshkey *kr = NULL, *kd = NULL, *ke = NULL, *kf = NULL; + struct sshbuf *b = NULL; TEST_START("new invalid"); k1 = sshkey_new(-42); @@ -191,12 +192,14 @@ sshkey_tests(void) sshkey_free(k1); TEST_DONE(); +#ifdef WiTH_DSA TEST_START("new/free KEY_DSA"); k1 = sshkey_new(KEY_DSA); ASSERT_PTR_NE(k1, NULL); ASSERT_PTR_NE(k1->dsa, NULL); sshkey_free(k1); TEST_DONE(); +#endif TEST_START("new/free KEY_ECDSA"); k1 = sshkey_new(KEY_ECDSA); 
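Review bot: `#ifdef WiTH_DSA` (lower-case i) around the "new/free KEY_DSA" test does not match the `WITH_DSA` macro that Makefile.inc defines and that every other new guard in this diff uses, so this test is silently compiled out even when `DSAKEY=yes`; change it to `#ifdef WITH_DSA`. The preceding hunk's `= NULL` initialisation of `kd` and the other key pointers is what presumably keeps any later use of them outside this hunk well-defined when DSA is off, so it is worth keeping even though it is not strictly part of the feature.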
@@ -226,12 +229,14 @@ sshkey_tests(void) ASSERT_PTR_EQ(k1, NULL); TEST_DONE(); +#ifdef WITH_DSA TEST_START("generate KEY_DSA wrong bits"); ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), SSH_ERR_KEY_LENGTH); ASSERT_PTR_EQ(k1, NULL); sshkey_free(k1); TEST_DONE(); +#endif TEST_START("generate KEY_ECDSA wrong bits"); ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), @@ -252,6 +257,7 @@ sshkey_tests(void) ASSERT_INT_EQ(BN_num_bits(rsa_n(kr)), 1024); TEST_DONE(); +#ifdef WITH_DSA TEST_START("generate KEY_DSA"); ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0); ASSERT_PTR_NE(kd, NULL); @@ -259,6 +265,7 @@ sshkey_tests(void) ASSERT_PTR_NE(dsa_g(kd), NULL); ASSERT_PTR_NE(dsa_priv_key(kd), NULL); TEST_DONE(); +#endif TEST_START("generate KEY_ECDSA"); ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &ke), 0); @@ -292,6 +299,7 @@ sshkey_tests(void) sshkey_free(k1); TEST_DONE(); +#ifdef WITH_DSA TEST_START("demote KEY_DSA"); ASSERT_INT_EQ(sshkey_from_private(kd, &k1), 0); ASSERT_PTR_NE(k1, NULL); @@ -306,6 +314,7 @@ sshkey_tests(void) ASSERT_INT_EQ(sshkey_equal(kd, k1), 1); sshkey_free(k1); TEST_DONE(); +#endif TEST_START("demote KEY_ECDSA"); ASSERT_INT_EQ(sshkey_from_private(ke, &k1), 0); @@ -349,9 +358,6 @@ sshkey_tests(void) ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0); ASSERT_INT_EQ(sshkey_equal(kr, k1), 0); sshkey_free(k1); - ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0); - ASSERT_INT_EQ(sshkey_equal(kd, k1), 0); - sshkey_free(k1); ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0); ASSERT_INT_EQ(sshkey_equal(ke, k1), 0); sshkey_free(k1); @@ -438,6 +444,7 @@ sshkey_tests(void) sshkey_free(k2); TEST_DONE(); +#ifdef WITH_DSA TEST_START("sign and verify DSA"); k1 = get_private("dsa_1"); ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2, @@ -446,6 +453,7 @@ sshkey_tests(void) sshkey_free(k1); sshkey_free(k2); TEST_DONE(); +#endif TEST_START("sign and verify ECDSA"); k1 = get_private("ecdsa_1"); 
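Review bot: `kd` is now only generated inside `#ifdef WITH_DSA`, yet the `@@ -349,9 +358,6 @@` hunk below deletes the `sshkey_generate(KEY_DSA, ...)` / `sshkey_equal(kd, k1)` cross-check outright instead of wrapping it in the same guard, so builds with DSA enabled lose that assertion for no reason. Keeping those three lines inside `#ifdef WITH_DSA` … `#endif` matches the approach taken for every other DSA test in this file. sshkey_tests continues outside the hunk.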
diff --git a/regress/usr.bin/ssh/unittests/sshsig/tests.c b/regress/usr.bin/ssh/unittests/sshsig/tests.c index f1d7addae..4e17ccd20 100644 --- a/regress/usr.bin/ssh/unittests/sshsig/tests.c +++ b/regress/usr.bin/ssh/unittests/sshsig/tests.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tests.c,v 1.3 2021/12/14 21:25:27 deraadt Exp $ */ +/* $OpenBSD: tests.c,v 1.4 2024/01/11 01:45:59 djm Exp $ */ /* * Regress test for sshbuf.h buffer API * @@ -94,9 +94,11 @@ tests(void) check_sig("rsa.pub", "rsa.sig", msg, namespace); TEST_DONE(); +#ifdef WITH_DSA TEST_START("check DSA signature"); check_sig("dsa.pub", "dsa.sig", msg, namespace); TEST_DONE(); +#endif TEST_START("check ECDSA signature"); check_sig("ecdsa.pub", "ecdsa.sig", msg, namespace); diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8 index 52192356d..bc92b15c5 100644 --- a/sbin/ifconfig/ifconfig.8 +++ b/sbin/ifconfig/ifconfig.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ifconfig.8,v 1.398 2023/07/18 16:01:20 bluhm Exp $ +.\" $OpenBSD: ifconfig.8,v 1.399 2024/01/11 17:22:04 jan Exp $ .\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $ .\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $ .\" @@ -31,7 +31,7 @@ .\" .\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94 .\" -.Dd $Mdocdate: July 18 2023 $ +.Dd $Mdocdate: January 11 2024 $ .Dt IFCONFIG 8 .Os .Sh NAME @@ -269,15 +269,6 @@ The device supports IPv4 checksum offload. As above, for TCP in IPv4 datagrams. .It Sy CSUM_UDPv4 As above, for UDP. -.It Sy VLAN_MTU -The device can handle full sized frames, plus the size -of the -.Xr vlan 4 -tag. -.It Sy VLAN_HWTAGGING -On transmit, the device can add the -.Xr vlan 4 -tag. .It Sy CSUM_TCPv6 As CSUM_TCPv4, but supports IPv6 datagrams. .It Sy CSUM_UDPv6 
@@ -294,6 +285,15 @@ variable to disable this feature. .It Sy TSOv6 As above, for IPv6. +.It Sy VLAN_MTU +The device can handle full sized frames, plus the size +of the +.Xr vlan 4 +tag. +.It Sy VLAN_HWTAGGING +On transmit, the device can add the +.Xr vlan 4 +tag. .It Sy WOL The device supports Wake on LAN (WoL). .It Sy hardmtu diff --git a/share/misc/airport b/share/misc/airport index 27c8f94f0..2b3a12eb9 100644 --- a/share/misc/airport +++ b/share/misc/airport @@ -1,4 +1,4 @@ -# $OpenBSD: airport,v 1.92 2023/08/07 08:22:52 mbuhl Exp $ +# $OpenBSD: airport,v 1.93 2024/01/11 07:59:43 deraadt Exp $ # @(#)airport 8.1 (Berkeley) 6/8/93 # # Some of this information from the Airport Search Engine at @@ -1116,7 +1116,6 @@ MKL:Mc Kellar Field, Jackson, Tennessee, USA MKM:Mukah, Sarawak, Malaysia MKW:Rendani, Manokwari, Indonesia MKY:Mackay, Queensland, Australia -MLN:Melilla, Spain MLA:Luqa, Malta, Malta MLB:Melbourne, Florida, USA MLE:Male International, Maldives @@ -1124,6 +1123,7 @@ MLG:Malang, Indonesia MLH:Mulhouse/Basel Euroairport, France MLI:Moline Quad City, Alabama, USA MLM:Morelia Municipal, Michoacan, Mexico +MLN:Melilla, Spain MLO:Milos, Greece MLS:Miles City, Montana, USA MLU:Monroe, Louisiana, USA @@ -1859,6 +1859,7 @@ XDM:Drummondville, Quebec, Canada XFD:Stratford, Ontario, Canada XFW:Hamburg-Finkenwerder, Hamburg, Germany XIY:Xianyang, Xi An, China +XKH:Xieng Khouang, Phonsavan, Laos XLV:Niagara Falls, Ontario, Canada XLZ:Truro, Nova Scotia, Canada XMN:Xiamen International, China diff --git a/sys/arch/amd64/amd64/trap.c b/sys/arch/amd64/amd64/trap.c index bccc016f7..d64f7c1af 100644 --- a/sys/arch/amd64/amd64/trap.c +++ b/sys/arch/amd64/amd64/trap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: trap.c,v 1.102 2023/12/12 15:30:55 deraadt Exp $ */ +/* $OpenBSD: trap.c,v 1.103 2024/01/11 19:16:26 miod Exp $ */ /* $NetBSD: trap.c,v 1.2 2003/05/04 23:51:56 fvdl Exp $ */ /*- 
@@ -550,12 +550,10 @@ ast(struct trapframe *frame) void syscall(struct trapframe *frame) { - caddr_t params; const struct sysent *callp; struct proc *p; int error = ENOSYS; - size_t argsize, argoff; - register_t code, args[9], rval[2], *argp; + register_t code, args[6], rval[2], *argp; verify_smap(__func__); uvmexp.syscalls++; @@ -568,36 +566,23 @@ syscall(struct trapframe *frame) code = frame->tf_rax; argp = &args[0]; - argoff = 0; if (code <= 0 || code >= SYS_MAXSYSCALL) goto bad; callp = sysent + code; - argsize = (callp->sy_argsize >> 3) + argoff; - if (argsize) { - switch (MIN(argsize, 6)) { - case 6: - args[5] = frame->tf_r9; - case 5: - args[4] = frame->tf_r8; - case 4: - args[3] = frame->tf_r10; - case 3: - args[2] = frame->tf_rdx; - case 2: - args[1] = frame->tf_rsi; - case 1: - args[0] = frame->tf_rdi; - break; - default: - panic("impossible syscall argsize"); - } - if (argsize > 6) { - argsize -= 6; - params = (caddr_t)frame->tf_rsp + sizeof(register_t); - if ((error = copyin(params, &args[6], argsize << 3))) - goto bad; - } + switch (callp->sy_narg) { + case 6: + args[5] = frame->tf_r9; + case 5: + args[4] = frame->tf_r8; + case 4: + args[3] = frame->tf_r10; + case 3: + args[2] = frame->tf_rdx; + case 2: + args[1] = frame->tf_rsi; + case 1: + args[0] = frame->tf_rdi; } rval[0] = 0; diff --git a/sys/arch/amd64/amd64/vmm_machdep.c b/sys/arch/amd64/amd64/vmm_machdep.c index 0be59cb44..53f4424dc 100644 --- a/sys/arch/amd64/amd64/vmm_machdep.c +++ b/sys/arch/amd64/amd64/vmm_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vmm_machdep.c,v 1.14 2024/01/10 04:13:59 dv Exp $ */ +/* $OpenBSD: vmm_machdep.c,v 1.15 2024/01/11 17:13:48 jan Exp $ */ /* * Copyright (c) 2014 Mike Larkin * @@ -158,7 +158,6 @@ static int vmx_remote_vmclear(struct cpu_info*, struct vcpu *); #endif #ifdef VMM_DEBUG -void dump_vcpu(struct vcpu *); void vmx_vcpu_dump_regs(struct vcpu *); void vmx_dump_vmcs(struct vcpu *); const char *msr_name_decode(uint32_t); 
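Review bot: The new `switch (callp->sy_narg)` has no `default:`, and both the old `panic("impossible syscall argsize")` and the stack `copyin` for more than six arguments are gone, so a sysent entry with `sy_narg` greater than 6 would silently hand the handler uninitialised `args[]` slots (and nothing beyond `args[5]`). Unless the sysent table is now guaranteed to contain no such entry, which this diff does not show, a `KASSERT(callp->sy_narg <= 6);` before the switch, or a `default: panic("impossible syscall narg");` arm, keeps that invariant checked. The cases fall through on purpose and would read better with `/* FALLTHROUGH */` markers, as the deleted code had none either. syscall() continues outside the hunk.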
diff --git a/sys/arch/arm64/arm64/syscall.c b/sys/arch/arm64/arm64/syscall.c index 675423d1c..21a77a019 100644 --- a/sys/arch/arm64/arm64/syscall.c +++ b/sys/arch/arm64/arm64/syscall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: syscall.c,v 1.17 2023/12/13 15:57:22 miod Exp $ */ +/* $OpenBSD: syscall.c,v 1.18 2024/01/11 19:16:26 miod Exp $ */ /* * Copyright (c) 2015 Dale Rahn * @@ -26,16 +26,14 @@ #include -#define MAXARGS 8 - void svc_handler(trapframe_t *frame) { struct proc *p = curproc; const struct sysent *callp; int code, error = ENOSYS; - u_int nap = 8, nargs; - register_t *ap, *args, copyargs[MAXARGS], rval[2]; + u_int nargs; + register_t *args, rval[2]; uvmexp.syscalls++; @@ -47,24 +45,12 @@ svc_handler(trapframe_t *frame) frame->tf_elr += 8; code = frame->tf_x[8]; - - ap = &frame->tf_x[0]; - if (code <= 0 || code >= SYS_MAXSYSCALL) goto bad; callp = sysent + code; - nargs = callp->sy_argsize / sizeof(register_t); - if (nargs <= nap) { - args = ap; - } else { - KASSERT(nargs <= MAXARGS); - memcpy(copyargs, ap, nap * sizeof(register_t)); - if ((error = copyin((void *)frame->tf_sp, copyargs + nap, - (nargs - nap) * sizeof(register_t)))) - goto bad; - args = copyargs; - } + nargs = callp->sy_narg; + args = &frame->tf_x[0]; rval[0] = 0; rval[1] = 0; diff --git a/sys/dev/pci/if_qwx_pci.c b/sys/dev/pci/if_qwx_pci.c index bb52dd929..eb6776678 100644 --- a/sys/dev/pci/if_qwx_pci.c +++ b/sys/dev/pci/if_qwx_pci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_qwx_pci.c,v 1.1 2023/12/28 17:36:29 stsp Exp $ */ +/* $OpenBSD: if_qwx_pci.c,v 1.2 2024/01/11 09:52:19 stsp Exp $ */ /* * Copyright 2023 Stefan Sperling 
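Review bot: `args = &frame->tf_x[0]` together with `nargs = callp->sy_narg` drops both the copyin path and the old `KASSERT(nargs <= MAXARGS)`, so nothing now checks that `sy_narg` fits in the eight argument registers; a handler declared with more would read `tf_x[8]` (the syscall number, per `code = frame->tf_x[8]` just above) and following registers as arguments. A `KASSERT(nargs <= 8);` after the assignment keeps that invariant explicit at no cost to non-DIAGNOSTIC kernels. svc_handler continues outside the hunk.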
@@ -455,6 +455,7 @@ int qwx_mhi_await_device_ready(struct qwx_softc *); void qwx_mhi_ready_state_transition(struct qwx_pci_softc *); void qwx_mhi_ee_amss_state_transition(struct qwx_pci_softc *); void qwx_mhi_mission_mode_state_transition(struct qwx_pci_softc *); +void qwx_mhi_low_power_mode_state_transition(struct qwx_pci_softc *); void qwx_mhi_set_state(struct qwx_softc *, uint32_t); void qwx_mhi_init_mmio(struct qwx_pci_softc *); int qwx_mhi_fw_load_bhi(struct qwx_pci_softc *, uint8_t *, size_t); @@ -2920,6 +2921,14 @@ qwx_mhi_mission_mode_state_transition(struct qwx_pci_softc *psc) qwx_mhi_device_zzz(sc); } +void +qwx_mhi_low_power_mode_state_transition(struct qwx_pci_softc *psc) +{ + struct qwx_softc *sc = &psc->sc_sc; + + qwx_mhi_set_state(sc, MHI_STATE_M2); +} + void qwx_mhi_set_state(struct qwx_softc *sc, uint32_t state) { @@ -3397,6 +3406,12 @@ qwx_mhi_state_change(void *arg) psc->mhi_state = mhi_state; qwx_mhi_mission_mode_state_transition(psc); break; + case MHI_STATE_M1: + DNPRINTF(QWX_D_MHI, "%s: new MHI state M1\n", + sc->sc_dev.dv_xname); + psc->mhi_state = mhi_state; + qwx_mhi_low_power_mode_state_transition(psc); + break; case MHI_STATE_SYS_ERR: DNPRINTF(QWX_D_MHI, "%s: new MHI state SYS ERR\n", diff --git a/sys/dev/vmm/vmm.h b/sys/dev/vmm/vmm.h index 38b4a3f85..47f5e12cf 100644 --- a/sys/dev/vmm/vmm.h +++ b/sys/dev/vmm/vmm.h @@ -1,4 +1,4 @@ -/* $OpenBSD: vmm.h,v 1.3 2023/05/13 23:15:28 dv Exp $ */ +/* $OpenBSD: vmm.h,v 1.4 2024/01/11 17:13:48 jan Exp $ */ /* * Copyright (c) 2014-2023 Mike Larkin * @@ -203,5 +203,9 @@ int vm_resetcpu(struct vm_resetcpu_params *); int vcpu_must_stop(struct vcpu *); int vm_share_mem(struct vm_sharemem_params *, struct proc *); +#ifdef VMM_DEBUG +void dump_vcpu(struct vcpu *); +#endif + #endif /* _KERNEL */ #endif /* DEV_VMM_H */ diff --git a/sys/kern/uipc_domain.c b/sys/kern/uipc_domain.c index 78ae0900a..da73a54b6 100644 --- a/sys/kern/uipc_domain.c +++ b/sys/kern/uipc_domain.c 
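Review bot: `qwx_mhi_low_power_mode_state_transition()` answers a device-reported M1 state by setting `MHI_STATE_M2` with no comment on why; presumably M1 is the device's low-power entry and the host acknowledges it by moving to M2 — confirm against the MHI state machine description before documenting it as fact. A one-line comment above the function, `/* Device entered M1 (low power); acknowledge by moving to M2. */`, would save the next reader a trip to the spec, and the new `case MHI_STATE_M1` in qwx_mhi_state_change could simply refer to it.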
@@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_domain.c,v 1.64 2023/05/18 10:23:19 mvs Exp $ */ +/* $OpenBSD: uipc_domain.c,v 1.65 2024/01/11 14:15:11 bluhm Exp $ */ /* $NetBSD: uipc_domain.c,v 1.14 1996/02/09 19:00:44 christos Exp $ */ /* @@ -62,7 +62,6 @@ const struct domain *const domains[] = { void pffasttimo(void *); void pfslowtimo(void *); -const struct domain * pffinddomain(int); void domaininit(void) diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 5005fef09..913649f1f 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.312 2023/12/19 21:34:22 bluhm Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.313 2024/01/11 14:15:11 bluhm Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* @@ -148,7 +148,7 @@ soinit(void) } struct socket * -soalloc(int wait) +soalloc(const struct domain *dp, int wait) { struct socket *so; @@ -156,7 +156,7 @@ soalloc(int wait) PR_ZERO); if (so == NULL) return (NULL); - rw_init_flags(&so->so_lock, "solock", RWL_DUPOK); + rw_init_flags(&so->so_lock, dp->dom_name, RWL_DUPOK); refcnt_init(&so->so_refcnt); klist_init(&so->so_rcv.sb_klist, &socket_klistops, so); klist_init(&so->so_snd.sb_klist, &socket_klistops, so); @@ -190,7 +190,7 @@ socreate(int dom, struct socket **aso, int type, int proto) return (EPROTONOSUPPORT); if (prp->pr_type != type) return (EPROTOTYPE); - so = soalloc(M_WAIT); + so = soalloc(pffinddomain(dom), M_WAIT); so->so_type = type; if (suser(p) == 0) so->so_state = SS_PRIV; diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c index 18f7746f6..5b55090dd 100644 --- a/sys/kern/uipc_socket2.c +++ b/sys/kern/uipc_socket2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket2.c,v 1.139 2023/12/18 13:11:20 bluhm Exp $ */ +/* $OpenBSD: uipc_socket2.c,v 1.140 2024/01/11 14:15:11 bluhm Exp $ */ /* $NetBSD: uipc_socket2.c,v 1.11 1996/02/04 02:17:55 christos Exp $ */ /* 
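Review bot: socreate() calls `pffinddomain(dom)` to obtain the domain for soalloc() even though `prp`, already validated non-NULL by the `EPROTONOSUPPORT` check visible just above, carries the same domain, and sonewconn() in the uipc_socket2.c hunk of this diff passes `head->so_proto->pr_domain` for the same purpose. Using `so = soalloc(prp->pr_domain, M_WAIT);` avoids the second table walk and the question of whether `pffinddomain()` can return NULL here (it presumably cannot once pffindproto() succeeded, but the new code makes the reader prove that before `dp->dom_name` is dereferenced in soalloc()). The uipc_domain.c hunk removes the local `pffinddomain` prototype, so this call presumably relies on a declaration in a header not shown in the diff.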
@@ -188,7 +188,7 @@ sonewconn(struct socket *head, int connstatus, int wait) return (NULL); if (head->so_qlen + head->so_q0len > head->so_qlimit * 3) return (NULL); - so = soalloc(wait); + so = soalloc(head->so_proto->pr_domain, wait); if (so == NULL) return (NULL); so->so_type = head->so_type; diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 318420545..d37803cba 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.259 2023/10/11 22:13:16 tobhe Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.260 2024/01/11 14:15:11 bluhm Exp $ */ /* * @(#)COPYRIGHT 1.1 (NRL) 17 January 1995 @@ -225,7 +225,7 @@ const struct protosw pfkeysw[] = { const struct domain pfkeydomain = { .dom_family = PF_KEY, - .dom_name = "PF_KEY", + .dom_name = "pfkey", .dom_init = pfkey_init, .dom_protosw = pfkeysw, .dom_protoswNPROTOSW = &pfkeysw[nitems(pfkeysw)], diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index d2e67c61a..9748baff7 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.102 2023/07/06 04:55:05 dlg Exp $ */ +/* $OpenBSD: in_proto.c,v 1.103 2024/01/11 14:15:12 bluhm Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -387,7 +387,7 @@ const struct protosw inetsw[] = { const struct domain inetdomain = { .dom_family = AF_INET, - .dom_name = "internet", + .dom_name = "inet", .dom_init = in_init, .dom_protosw = inetsw, .dom_protoswNPROTOSW = &inetsw[nitems(inetsw)], diff --git a/sys/netinet/tcp_debug.c b/sys/netinet/tcp_debug.c index 0fa861400..ae784dcec 100644 --- a/sys/netinet/tcp_debug.c +++ b/sys/netinet/tcp_debug.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_debug.c,v 1.30 2022/02/22 01:15:02 guenther Exp $ */ +/* $OpenBSD: tcp_debug.c,v 1.31 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_debug.c,v 1.10 1996/02/13 23:43:36 christos Exp $ */ /* 
@@ -42,10 +42,10 @@ * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgements: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * This product includes software developed at the Information - * Technology Division, US Naval Research Laboratory. + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * This product includes software developed at the Information + * Technology Division, US Naval Research Laboratory. * 4. Neither the name of the NRL nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index ef2852520..875012821 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.397 2023/12/01 15:30:47 bluhm Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.398 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -3932,7 +3932,7 @@ syn_cache_add(struct sockaddr *src, struct sockaddr *dst, struct tcphdr *th, if (syn_cache_respond(sc, m, now) == 0) { mtx_enter(&syn_cache_mtx); /* - * XXXSMP Currently exclusive netlock prevents another insert + * XXXSMP Currently exclusive netlock prevents another insert * after our syn_cache_lookup() and before syn_cache_insert(). * Double insert should be handled and not rely on netlock. */ diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 4a81b3873..6d65aa849 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.194 2023/11/29 18:30:48 bluhm Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.195 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -42,10 +42,10 @@ * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgements: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * This product includes software developed at the Information - * Technology Division, US Naval Research Laboratory. + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * This product includes software developed at the Information + * Technology Division, US Naval Research Laboratory. * 4. Neither the name of the NRL nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. @@ -396,7 +396,7 @@ tcp_respond(struct tcpcb *tp, caddr_t template, struct tcphdr *th0, case AF_INET6: ip6->ip6_flow = htonl(0x60000000); ip6->ip6_nxt = IPPROTO_TCP; - ip6->ip6_hlim = in6_selecthlim(tp ? tp->t_inpcb : NULL); /*XXX*/ + ip6->ip6_hlim = in6_selecthlim(tp ? tp->t_inpcb : NULL); /*XXX*/ ip6->ip6_plen = tlen - sizeof(struct ip6_hdr); ip6->ip6_plen = htons(ip6->ip6_plen); ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL, diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c index 4f241bf2e..a2f9724f4 100644 --- a/sys/netinet/tcp_timer.c +++ b/sys/netinet/tcp_timer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_timer.c,v 1.73 2023/07/06 09:15:24 bluhm Exp $ */ +/* $OpenBSD: tcp_timer.c,v 1.74 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_timer.c,v 1.14 1996/02/13 23:44:09 christos Exp $ */ /* 
@@ -367,7 +367,9 @@ tcp_timer_rexmt(void *arg) * to go below this.) */ { - u_long win = ulmin(tp->snd_wnd, tp->snd_cwnd) / 2 / tp->t_maxseg; + u_long win; + + win = ulmin(tp->snd_wnd, tp->snd_cwnd) / 2 / tp->t_maxseg; if (win < 2) win = 2; tp->snd_cwnd = tp->t_maxseg; diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 5c4be640b..83f02631d 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_usrreq.c,v 1.227 2023/12/03 20:24:17 bluhm Exp $ */ +/* $OpenBSD: tcp_usrreq.c,v 1.228 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */ /* @@ -175,7 +175,7 @@ int tcp_fill_info(struct tcpcb *, struct socket *, struct mbuf *); int tcp_ident(void *, size_t *, void *, size_t, int); static inline int tcp_sogetpcb(struct socket *, struct inpcb **, - struct tcpcb **); + struct tcpcb **); static inline int tcp_sogetpcb(struct socket *so, struct inpcb **rinp, struct tcpcb **rtp) diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index b687d436d..6f4950679 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_var.h,v 1.173 2023/11/29 19:19:25 bluhm Exp $ */ +/* $OpenBSD: tcp_var.h,v 1.174 2024/01/11 13:49:49 bluhm Exp $ */ /* $NetBSD: tcp_var.h,v 1.17 1996/02/13 23:44:24 christos Exp $ */ /* @@ -43,7 +43,7 @@ struct sackblk { tcp_seq start; /* start seq no. of sack block */ - tcp_seq end; /* end seq no. */ + tcp_seq end; /* end seq no. */ }; struct sackhole { @@ -334,7 +334,8 @@ struct syn_cache_set { * is the same as the multiplier for rttvar. */ #define TCP_REXMTVAL(tp) \ - ((((tp)->t_srtt >> TCP_RTT_SHIFT) + (tp)->t_rttvar) >> TCP_RTT_BASE_SHIFT) + ((((tp)->t_srtt >> TCP_RTT_SHIFT) + (tp)->t_rttvar) \ + >> TCP_RTT_BASE_SHIFT) /* * TCP statistics. 
@@ -406,8 +407,8 @@ struct tcpstat { u_int32_t tcps_rcvbadsig; /* rcvd bad/missing TCP signatures */ u_int64_t tcps_rcvgoodsig; /* rcvd good TCP signatures */ - u_int32_t tcps_inswcsum; /* input software-checksummed packets */ - u_int32_t tcps_outswcsum; /* output software-checksummed packets */ + u_int32_t tcps_inswcsum; /* input software-checksummed pkts */ + u_int32_t tcps_outswcsum; /* output software-checksummed pkts */ /* ECN stats */ u_int32_t tcps_ecn_accepts; /* ecn connections accepted */ @@ -465,8 +466,8 @@ struct tcpstat { * Names for TCP sysctl objects. */ -#define TCPCTL_RFC1323 1 /* enable/disable RFC1323 timestamps/scaling */ -#define TCPCTL_KEEPINITTIME 2 /* TCPT_KEEP value */ +#define TCPCTL_RFC1323 1 /* enable RFC1323 timestamps/scaling */ +#define TCPCTL_KEEPINITTIME 2 /* TCPT_KEEP value */ #define TCPCTL_KEEPIDLE 3 /* allow tcp_keepidle to be changed */ #define TCPCTL_KEEPINTVL 4 /* allow tcp_keepintvl to be changed */ #define TCPCTL_SLOWHZ 5 /* return kernel idea of PR_SLOWHZ */ 
@@ -503,23 +504,23 @@ struct tcpstat { { "baddynamic", CTLTYPE_STRUCT }, \ { NULL, 0 }, \ { NULL, 0 }, \ - { "ident", CTLTYPE_STRUCT }, \ + { "ident", CTLTYPE_STRUCT }, \ { "sack", CTLTYPE_INT }, \ { "mssdflt", CTLTYPE_INT }, \ { "rstppslimit", CTLTYPE_INT }, \ { "ackonpush", CTLTYPE_INT }, \ - { "ecn", CTLTYPE_INT }, \ - { "syncachelimit", CTLTYPE_INT }, \ - { "synbucketlimit", CTLTYPE_INT }, \ - { "rfc3390", CTLTYPE_INT }, \ - { "reasslimit", CTLTYPE_INT }, \ - { "drop", CTLTYPE_STRUCT }, \ - { "sackholelimit", CTLTYPE_INT }, \ + { "ecn", CTLTYPE_INT }, \ + { "syncachelimit", CTLTYPE_INT }, \ + { "synbucketlimit", CTLTYPE_INT }, \ + { "rfc3390", CTLTYPE_INT }, \ + { "reasslimit", CTLTYPE_INT }, \ + { "drop", CTLTYPE_STRUCT }, \ + { "sackholelimit", CTLTYPE_INT }, \ { "stats", CTLTYPE_STRUCT }, \ { "always_keepalive", CTLTYPE_INT }, \ - { "synuselimit", CTLTYPE_INT }, \ + { "synuselimit", CTLTYPE_INT }, \ { "rootonly", CTLTYPE_STRUCT }, \ - { "synhashsize", CTLTYPE_INT }, \ + { "synhashsize", CTLTYPE_INT }, \ { "tso", CTLTYPE_INT }, \ } diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index 4e48a1e45..db218af06 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in6_proto.c,v 1.112 2022/11/23 14:48:28 kn Exp $ */ +/* $OpenBSD: in6_proto.c,v 1.113 2024/01/11 14:15:12 bluhm Exp $ */ /* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */ /* @@ -332,7 +332,7 @@ const struct protosw inet6sw[] = { const struct domain inet6domain = { .dom_family = AF_INET6, - .dom_name = "internet6", + .dom_name = "inet6", .dom_protosw = inet6sw, .dom_protoswNPROTOSW = &inet6sw[nitems(inet6sw)], .dom_sasize = sizeof(struct sockaddr_in6), diff --git a/sys/sys/domain.h b/sys/sys/domain.h index 478bc193d..87d662a6a 100644 --- a/sys/sys/domain.h +++ b/sys/sys/domain.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: domain.h,v 1.23 2022/11/23 14:50:59 kn Exp $ */ +/* $OpenBSD: domain.h,v 1.24 2024/01/11 14:15:12 bluhm Exp $ */ /* $NetBSD: domain.h,v 1.10 1996/02/09 18:25:07 christos Exp $ */ /* @@ -49,7 +49,7 @@ struct ifnet; struct domain { int dom_family; /* AF_xxx */ - char *dom_name; + const char *dom_name; void (*dom_init)(void); /* initialize domain data structures */ /* externalize access rights */ int (*dom_externalize)(struct mbuf *, socklen_t, int); diff --git a/sys/sys/protosw.h b/sys/sys/protosw.h index a53364757..786930624 100644 --- a/sys/sys/protosw.h +++ b/sys/sys/protosw.h @@ -1,4 +1,4 @@ -/* $OpenBSD: protosw.h,v 1.63 2023/12/18 13:11:20 bluhm Exp $ */ +/* $OpenBSD: protosw.h,v 1.64 2024/01/11 14:15:12 bluhm Exp $ */ /* $NetBSD: protosw.h,v 1.10 1996/04/09 20:55:32 cgd Exp $ */ /*- @@ -259,6 +259,7 @@ struct ifnet; struct sockaddr; const struct protosw *pffindproto(int, int, int); const struct protosw *pffindtype(int, int); +const struct domain *pffinddomain(int); void pfctlinput(int, struct sockaddr *); extern u_char ip_protox[]; diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index 0290d6437..41403c00d 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: socketvar.h,v 1.120 2023/07/04 22:28:24 mvs Exp $ */ +/* $OpenBSD: socketvar.h,v 1.121 2024/01/11 14:15:12 bluhm Exp $ */ /* $NetBSD: socketvar.h,v 1.18 1996/02/09 18:25:38 christos Exp $ */ /*- @@ -346,7 +346,7 @@ int soconnect(struct socket *, struct mbuf *); int soconnect2(struct socket *, struct socket *); int socreate(int, struct socket **, int, int); int sodisconnect(struct socket *); -struct socket *soalloc(int); +struct socket *soalloc(const struct domain *, int); void sofree(struct socket *, int); int sogetopt(struct socket *, int, int, struct mbuf *); void sohasoutofband(struct socket *); diff --git a/usr.bin/ssh/Makefile.inc b/usr.bin/ssh/Makefile.inc index f5ea22530..84487e7c9 100644 --- a/usr.bin/ssh/Makefile.inc 
+++ b/usr.bin/ssh/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.88 2023/01/15 23:05:32 djm Exp $ +# $OpenBSD: Makefile.inc,v 1.89 2024/01/11 01:45:36 djm Exp $ .include @@ -34,6 +34,7 @@ WARNINGS=yes OPENSSL?= yes ZLIB?= yes +DSAKEY?= yes .if (${OPENSSL:L} == "yes") CFLAGS+= -DWITH_OPENSSL @@ -43,6 +44,10 @@ CFLAGS+= -DWITH_OPENSSL CFLAGS+= -DWITH_ZLIB .endif +.if (${DSAKEY:L} == "yes") +CFLAGS+= -DWITH_DSA +.endif + CFLAGS+= -DENABLE_PKCS11 .ifndef NOPIC CFLAGS+= -DHAVE_DLOPEN @@ -78,10 +83,12 @@ SRCS_KEY+= cipher.c SRCS_KEY+= chacha.c SRCS_KEY+= poly1305.c .if (${OPENSSL:L} == "yes") -SRCS_KEY+= ssh-dss.c SRCS_KEY+= ssh-ecdsa.c SRCS_KEY+= ssh-ecdsa-sk.c SRCS_KEY+= ssh-rsa.c +.if (${DSAKEY:L} == "yes") +SRCS_KEY+= ssh-dss.c +.endif SRCS_KEY+= sshbuf-getput-crypto.c SRCS_KEY+= digest-openssl.c SRCS_KEY+= cipher-chachapoly-libcrypto.c diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index f6dd72511..b3c8d626b 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.383 2023/10/12 02:18:18 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.384 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2686,7 +2686,9 @@ fill_default_options(Options * options) add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ED25519_SK, 0); add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); +#ifdef WITH_DSA add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); +#endif } if (options->escape_char == -1) options->escape_char = '~'; diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index ff7180cd0..b18536ab9 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.154 2023/10/12 02:18:18 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.155 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen 
@@ -87,7 +87,7 @@ typedef struct { char *sk_provider; /* Security key provider */ int verify_host_key_dns; /* Verify host key using DNS */ - int num_identity_files; /* Number of files for RSA/DSA identities. */ + int num_identity_files; /* Number of files for identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES]; diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c index a84259164..c98442e47 100644 --- a/usr.bin/ssh/ssh-add.c +++ b/usr.bin/ssh/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.171 2024/01/08 00:30:39 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.172 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -78,7 +78,9 @@ static char *default_files[] = { _PATH_SSH_CLIENT_ID_ED25519, _PATH_SSH_CLIENT_ID_ED25519_SK, _PATH_SSH_CLIENT_ID_XMSS, +#ifdef WITH_DSA _PATH_SSH_CLIENT_ID_DSA, +#endif NULL }; diff --git a/usr.bin/ssh/ssh-dss.c b/usr.bin/ssh/ssh-dss.c index 2fac7008f..5c135b309 100644 --- a/usr.bin/ssh/ssh-dss.c +++ b/usr.bin/ssh/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.49 2023/03/05 05:34:09 dtucker Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.50 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -36,6 +36,8 @@ #define SSHKEY_INTERNAL #include "sshkey.h" +#ifdef WITH_DSA + #define INTBLOB_LEN 20 #define SIGBLOB_LEN (2*INTBLOB_LEN) @@ -445,3 +447,5 @@ const struct sshkey_impl sshkey_dsa_cert_impl = { /* .keybits = */ 0, /* .funcs = */ &sshkey_dss_funcs, }; + +#endif /* WITH_DSA */ diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 56a11a6dd..844802650 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.471 2023/09/04 10:29:58 job Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.472 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -251,10 +251,12 @@ ask_filename(struct passwd *pw, const char *prompt) name = _PATH_SSH_CLIENT_ID_ED25519; else { switch (sshkey_type_from_name(key_type_name)) { +#ifdef WITH_DSA case KEY_DSA_CERT: case KEY_DSA: name = _PATH_SSH_CLIENT_ID_DSA; break; +#endif case KEY_ECDSA_CERT: case KEY_ECDSA: name = _PATH_SSH_CLIENT_ID_ECDSA; @@ -363,10 +365,12 @@ do_convert_to_pkcs8(struct sshkey *k) if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) fatal("PEM_write_RSA_PUBKEY failed"); break; +#ifdef WITH_DSA case KEY_DSA: if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; +#endif case KEY_ECDSA: if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); @@ -385,10 +389,12 @@ do_convert_to_pem(struct sshkey *k) if (!PEM_write_RSAPublicKey(stdout, k->rsa)) fatal("PEM_write_RSAPublicKey failed"); break; +#ifdef WITH_DSA case KEY_DSA: if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; +#endif case KEY_ECDSA: if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); @@ -461,8 +467,10 @@ do_convert_private_ssh2(struct sshbuf *b) u_int magic, i1, i2, i3, i4; size_t slen; u_long e; +#ifdef WITH_DSA BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; +#endif BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL; @@ -490,10 +498,12 @@ do_convert_private_ssh2(struct sshbuf *b) } free(cipher); - if (strstr(type, "dsa")) { - ktype = KEY_DSA; - } else if (strstr(type, "rsa")) { + if (strstr(type, "rsa")) { ktype = KEY_RSA; +#ifdef WITH_DSA + } else if (strstr(type, "dsa")) { + ktype = KEY_DSA; +#endif } else { free(type); return NULL; 
@@ -503,6 +513,7 @@ do_convert_private_ssh2(struct sshbuf *b) free(type); switch (key->type) { +#ifdef WITH_DSA case KEY_DSA: if ((dsa_p = BN_new()) == NULL || (dsa_q = BN_new()) == NULL || @@ -522,6 +533,7 @@ do_convert_private_ssh2(struct sshbuf *b) fatal_f("DSA_set0_key failed"); dsa_pub_key = dsa_priv_key = NULL; /* transferred */ break; +#endif case KEY_RSA: if ((r = sshbuf_get_u8(b, &e1)) != 0 || (e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) || @@ -685,12 +697,14 @@ do_convert_from_pkcs8(struct sshkey **k, int *private) (*k)->type = KEY_RSA; (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); break; +#ifdef WITH_DSA case EVP_PKEY_DSA: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); (*k)->type = KEY_DSA; (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); break; +#endif case EVP_PKEY_EC: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); @@ -758,10 +772,12 @@ do_convert_from(struct passwd *pw) fprintf(stdout, "\n"); } else { switch (k->type) { +#ifdef WITH_DSA case KEY_DSA: ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL); break; +#endif case KEY_ECDSA: ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, NULL, 0, NULL, NULL); @@ -3726,9 +3742,11 @@ main(int argc, char **argv) n += do_print_resource_record(pw, _PATH_HOST_RSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); +#ifdef WITH_DSA n += do_print_resource_record(pw, _PATH_HOST_DSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); +#endif n += do_print_resource_record(pw, _PATH_HOST_ECDSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c index b9586e8e4..825220fb1 100644 --- a/usr.bin/ssh/ssh-keyscan.c +++ b/usr.bin/ssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.154 2023/12/20 00:06:25 jsg Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.155 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * 
@@ -763,9 +763,11 @@ main(int argc, char **argv) int type = sshkey_type_from_name(tname); switch (type) { +#ifdef WITH_DSA case KEY_DSA: get_keytypes |= KT_DSA; break; +#endif case KEY_ECDSA: get_keytypes |= KT_ECDSA; break; diff --git a/usr.bin/ssh/ssh-keysign.c b/usr.bin/ssh/ssh-keysign.c index dc358785e..97a117ed9 100644 --- a/usr.bin/ssh/ssh-keysign.c +++ b/usr.bin/ssh/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.71 2022/08/01 11:09:26 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.73 2024/01/11 01:51:16 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -190,9 +190,14 @@ main(int argc, char **argv) if (fd > 2) close(fd); + for (i = 0; i < NUM_KEYTYPES; i++) + key_fd[i] = -1; + i = 0; /* XXX This really needs to read sshd_config for the paths */ +#ifdef WITH_DSA key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); +#endif key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_XMSS_KEY_FILE, O_RDONLY); diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index e6b1241ff..65fb522d5 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.600 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1666,11 +1666,15 @@ main(int ac, char **av) L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 0); L_CERT(_PATH_HOST_ED25519_KEY_FILE, 1); L_CERT(_PATH_HOST_RSA_KEY_FILE, 2); +#ifdef WITH_DSA L_CERT(_PATH_HOST_DSA_KEY_FILE, 3); +#endif L_PUBKEY(_PATH_HOST_ECDSA_KEY_FILE, 4); L_PUBKEY(_PATH_HOST_ED25519_KEY_FILE, 5); L_PUBKEY(_PATH_HOST_RSA_KEY_FILE, 6); +#ifdef WITH_DSA L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 7); +#endif L_CERT(_PATH_HOST_XMSS_KEY_FILE, 8); L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9); if (loaded == 0) diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index c8ee995b3..850372cba 100644 
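Review bot: The new `key_fd[i] = -1` loop in the ssh-keysign.c hunk exists because the `#ifdef WITH_DSA` a few lines below can now leave one slot of key_fd unassigned, but nothing in the hunk says so, and a reader will wonder why a pass over NUM_KEYTYPES precedes the sequential `key_fd[i++] = open(...)` calls. A one-line comment on the loop would record the invariant the later code depends on, e.g. `/* slots not opened below (e.g. DSA without WITH_DSA) must read as -1 */`. The consumer of key_fd that relies on -1 meaning "absent" is outside the hunk and not visible here; main continues beyond the hunk.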
--- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.365 2023/11/20 02:50:00 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.366 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1557,7 +1557,9 @@ show_other_keys(struct hostkeys *hostkeys, struct sshkey *key) { int type[] = { KEY_RSA, +#ifdef WITH_DSA KEY_DSA, +#endif KEY_ECDSA, KEY_ED25519, KEY_XMSS, diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c index 22e6ad1e0..5203cc663 100644 --- a/usr.bin/ssh/sshkey.c +++ b/usr.bin/ssh/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.141 2023/12/20 00:06:25 jsg Exp $ */ +/* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -108,8 +108,10 @@ extern const struct sshkey_impl sshkey_rsa_sha256_impl; extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; extern const struct sshkey_impl sshkey_rsa_sha512_impl; extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; +# ifdef WITH_DSA extern const struct sshkey_impl sshkey_dss_impl; extern const struct sshkey_impl sshkey_dsa_cert_impl; +# endif #endif /* WITH_OPENSSL */ #ifdef WITH_XMSS extern const struct sshkey_impl sshkey_xmss_impl; @@ -131,8 +133,10 @@ const struct sshkey_impl * const keyimpls[] = { &sshkey_ecdsa_sk_impl, &sshkey_ecdsa_sk_cert_impl, &sshkey_ecdsa_sk_webauthn_impl, +# ifdef WITH_DSA &sshkey_dss_impl, &sshkey_dsa_cert_impl, +# endif &sshkey_rsa_impl, &sshkey_rsa_cert_impl, &sshkey_rsa_sha256_impl, @@ -3197,6 +3201,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, goto out; switch (key->type) { +#ifdef WITH_DSA case KEY_DSA: if (format == SSHKEY_PRIVATE_PEM) { success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 
@@ -3205,6 +3210,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, success = EVP_PKEY_set1_DSA(pkey, key->dsa); } break; +#endif case KEY_ECDSA: if (format == SSHKEY_PRIVATE_PEM) { success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, @@ -3411,6 +3417,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, } if ((r = sshkey_check_rsa_length(prv, 0)) != 0) goto out; +#ifdef WITH_DSA } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && (type == KEY_UNSPEC || type == KEY_DSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { @@ -3421,6 +3428,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, prv->type = KEY_DSA; #ifdef DEBUG_PK DSA_print_fp(stderr, prv->dsa, 8); +#endif #endif } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && (type == KEY_UNSPEC || type == KEY_ECDSA)) { diff --git a/usr.sbin/bgpctl/output.c b/usr.sbin/bgpctl/output.c index f68b73d60..816e0b3d7 100644 --- a/usr.sbin/bgpctl/output.c +++ b/usr.sbin/bgpctl/output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output.c,v 1.44 2024/01/10 14:59:41 claudio Exp $ */ +/* $OpenBSD: output.c,v 1.46 2024/01/11 14:34:49 claudio Exp $ */ /* * Copyright (c) 2003 Henning Brauer @@ -388,10 +388,6 @@ show_neighbor_full(struct peer *p, struct parse_result *res) show_neighbor_msgstats(p); printf("\n"); - if (p->stats.last_reason[0]) { - printf(" Last received shutdown reason: \"%s\"\n", - log_reason(p->stats.last_reason)); - } errstr = fmt_errstr(p->stats.last_sent_errcode, p->stats.last_sent_suberr); @@ -401,6 +397,10 @@ show_neighbor_full(struct peer *p, struct parse_result *res) p->stats.last_rcvd_suberr); if (errstr) printf(" Last error received: %s\n", errstr); + if (p->stats.last_reason[0]) { + printf(" Last received shutdown reason: \"%s\"\n", + log_reason(p->stats.last_reason)); + } if (p->state >= STATE_OPENSENT) { printf(" Local host: %20s, Local port: %5u\n", 
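Review bot: In the sshkey_parse_private_pem_fileblob hunk at old line 3421 the added `+#endif` is inserted before the pre-existing `#endif`, so after the change the unchanged line closes `#ifdef WITH_DSA` while the new one closes `#ifdef DEBUG_PK`; the diff reads as though DEBUG_PK were being closed twice. Placing the new line after the existing one as `#endif /* WITH_DSA */` pairs each directive visibly with what it closes and matches the tagged form already used at the end of ssh-dss.c in this commit. The enclosing function begins outside this hunk.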
@@ -1171,12 +1171,13 @@ show_rtr(struct ctl_show_rtr *rtr) printf("RTR neighbor is %s, port %u\n", log_addr(&rtr->remote_addr), rtr->remote_port); + printf(" State: %s\n", rtr->state); if (rtr->descr[0]) printf(" Description: %s\n", rtr->descr); if (rtr->local_addr.aid != AID_UNSPEC) printf(" Local Address: %s\n", log_addr(&rtr->local_addr)); if (rtr->session_id != -1) - printf("Version: %u Session ID: %d Serial #: %u\n", + printf(" Version: %u Session ID: %d Serial #: %u\n", rtr->version, rtr->session_id, rtr->serial); printf(" Refresh: %u, Retry: %u, Expire: %u\n", rtr->refresh, rtr->retry, rtr->expire); diff --git a/usr.sbin/bgpctl/output_json.c b/usr.sbin/bgpctl/output_json.c index eb049b09e..25c3950f9 100644 --- a/usr.sbin/bgpctl/output_json.c +++ b/usr.sbin/bgpctl/output_json.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output_json.c,v 1.37 2023/12/19 10:32:20 claudio Exp $ */ +/* $OpenBSD: output_json.c,v 1.38 2024/01/11 13:09:41 claudio Exp $ */ /* * Copyright (c) 2020 Claudio Jeker @@ -1007,6 +1007,7 @@ json_rtr(struct ctl_show_rtr *rtr) json_do_uint("remote_port", rtr->remote_port); if (rtr->local_addr.aid != AID_UNSPEC) json_do_string("local_addr", log_addr(&rtr->local_addr)); + json_do_string("state", rtr->state); if (rtr->session_id != -1) { json_do_uint("version", rtr->version); diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h index 0c05c8310..a97920978 100644 --- a/usr.sbin/bgpd/bgpd.h +++ b/usr.sbin/bgpd/bgpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.h,v 1.480 2024/01/10 13:31:09 claudio Exp $ */ +/* $OpenBSD: bgpd.h,v 1.481 2024/01/11 13:08:39 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -562,6 +562,7 @@ struct rtr_config { struct ctl_show_rtr { char descr[PEER_DESCR_LEN]; + char state[PEER_DESCR_LEN]; struct bgpd_addr remote_addr; struct bgpd_addr local_addr; uint32_t serial; diff --git a/usr.sbin/bgpd/control.c b/usr.sbin/bgpd/control.c index 300822ae7..43a9816cb 100644 --- a/usr.sbin/bgpd/control.c +++ b/usr.sbin/bgpd/control.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: control.c,v 1.115 2024/01/10 11:08:04 claudio Exp $ */ +/* $OpenBSD: control.c,v 1.116 2024/01/11 15:46:25 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -145,9 +145,9 @@ control_fill_pfds(struct pollfd *pfd, size_t size) size_t i = 0; TAILQ_FOREACH(ctl_conn, &ctl_conns, entry) { - pfd[i].fd = ctl_conn->ibuf.fd; + pfd[i].fd = ctl_conn->imsgbuf.fd; pfd[i].events = POLLIN; - if (ctl_conn->ibuf.w.queued > 0) + if (ctl_conn->imsgbuf.w.queued > 0) pfd[i].events |= POLLOUT; i++; } @@ -181,7 +181,7 @@ control_accept(int listenfd, int restricted) return (0); } - imsg_init(&ctl_conn->ibuf, connfd); + imsg_init(&ctl_conn->imsgbuf, connfd); ctl_conn->restricted = restricted; TAILQ_INSERT_TAIL(&ctl_conns, ctl_conn, entry); @@ -195,7 +195,7 @@ control_connbyfd(int fd) struct ctl_conn *c; TAILQ_FOREACH(c, &ctl_conns, entry) { - if (c->ibuf.fd == fd) + if (c->imsgbuf.fd == fd) break; } @@ -208,7 +208,7 @@ control_connbypid(pid_t pid) struct ctl_conn *c; TAILQ_FOREACH(c, &ctl_conns, entry) { - if (c->ibuf.pid == pid) + if (c->imsgbuf.pid == pid) break; } @@ -218,13 +218,13 @@ control_connbypid(pid_t pid) int control_close(struct ctl_conn *c) { - if (c->terminate && c->ibuf.pid) - imsg_ctl_rde_msg(IMSG_CTL_TERMINATE, 0, c->ibuf.pid); + if (c->terminate && c->imsgbuf.pid) + imsg_ctl_rde_msg(IMSG_CTL_TERMINATE, 0, c->imsgbuf.pid); - msgbuf_clear(&c->ibuf.w); + msgbuf_clear(&c->imsgbuf.w); TAILQ_REMOVE(&ctl_conns, c, entry); - close(c->ibuf.fd); + close(c->imsgbuf.fd); free(c); pauseaccept = 0; return (1); 
@@ -249,10 +249,10 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) } if (pfd->revents & POLLOUT) { - if (msgbuf_write(&c->ibuf.w) <= 0 && errno != EAGAIN) + if (msgbuf_write(&c->imsgbuf.w) <= 0 && errno != EAGAIN) return control_close(c); - if (c->throttled && c->ibuf.w.queued < CTL_MSG_LOW_MARK) { - if (imsg_ctl_rde_msg(IMSG_XON, 0, c->ibuf.pid) != -1) + if (c->throttled && c->imsgbuf.w.queued < CTL_MSG_LOW_MARK) { + if (imsg_ctl_rde_msg(IMSG_XON, 0, c->imsgbuf.pid) != -1) c->throttled = 0; } } @@ -260,12 +260,12 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) if (!(pfd->revents & POLLIN)) return (0); - if (((n = imsg_read_nofd(&c->ibuf)) == -1 && errno != EAGAIN) || + if (((n = imsg_read_nofd(&c->imsgbuf)) == -1 && errno != EAGAIN) || n == 0) return control_close(c); for (;;) { - if ((n = imsg_get(&c->ibuf, &imsg)) == -1) + if ((n = imsg_get(&c->imsgbuf, &imsg)) == -1) return control_close(c); if (n == 0) @@ -301,7 +301,7 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) * The imsg.hdr.pid is from the remote end and should not * be trusted. */ - c->ibuf.pid = pid; + c->imsgbuf.pid = pid; switch (type) { case IMSG_NONE: /* message was filtered out, nothing to do */ @@ -312,9 +312,11 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) break; case IMSG_CTL_SHOW_TERSE: RB_FOREACH(p, peer_head, peers) - imsg_compose(&c->ibuf, IMSG_CTL_SHOW_NEIGHBOR, - 0, 0, -1, p, sizeof(struct peer)); - imsg_compose(&c->ibuf, IMSG_CTL_END, 0, 0, -1, NULL, 0); + imsg_compose(&c->imsgbuf, + IMSG_CTL_SHOW_NEIGHBOR, 0, 0, -1, + p, sizeof(struct peer)); + imsg_compose(&c->imsgbuf, IMSG_CTL_END, 0, 0, -1, + NULL, 0); break; case IMSG_CTL_SHOW_NEIGHBOR: if (imsg_get_data(&imsg, &neighbor, 
@@ -335,7 +337,7 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) time_t d; struct ctl_timer ct; - imsg_compose(&c->ibuf, + imsg_compose(&c->imsgbuf, IMSG_CTL_SHOW_NEIGHBOR, 0, 0, -1, p, sizeof(*p)); for (i = 1; i < Timer_Max; i++) { @@ -344,7 +346,7 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) continue; ct.type = i; ct.val = d; - imsg_compose(&c->ibuf, + imsg_compose(&c->imsgbuf, IMSG_CTL_SHOW_TIMER, 0, 0, -1, &ct, sizeof(ct)); } @@ -355,8 +357,8 @@ control_dispatch_msg(struct pollfd *pfd, struct peer_head *peers) } else if (!neighbor.show_timers) { imsg_ctl_rde_msg(IMSG_CTL_END, 0, pid); } else { - imsg_compose(&c->ibuf, IMSG_CTL_END, 0, 0, -1, - NULL, 0); + imsg_compose(&c->imsgbuf, IMSG_CTL_END, 0, 0, + -1, NULL, 0); } break; case IMSG_CTL_NEIGHBOR_UP: @@ -566,25 +568,26 @@ control_imsg_relay(struct imsg *imsg, struct peer *p) p->stats.pending_update = stats.pending_update; p->stats.pending_withdraw = stats.pending_withdraw; - return imsg_compose(&c->ibuf, type, 0, pid, -1, p, sizeof(*p)); + return imsg_compose(&c->imsgbuf, type, 0, pid, -1, + p, sizeof(*p)); } /* if command finished no need to send exit message */ if (type == IMSG_CTL_END || type == IMSG_CTL_RESULT) c->terminate = 0; - if (!c->throttled && c->ibuf.w.queued > CTL_MSG_HIGH_MARK) { + if (!c->throttled && c->imsgbuf.w.queued > CTL_MSG_HIGH_MARK) { if (imsg_ctl_rde_msg(IMSG_XOFF, 0, pid) != -1) c->throttled = 1; } - return (imsg_forward(&c->ibuf, imsg)); + return (imsg_forward(&c->imsgbuf, imsg)); } void control_result(struct ctl_conn *c, u_int code) { - imsg_compose(&c->ibuf, IMSG_CTL_RESULT, 0, c->ibuf.pid, -1, + imsg_compose(&c->imsgbuf, IMSG_CTL_RESULT, 0, c->imsgbuf.pid, -1, &code, sizeof(code)); } diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c index a3e5d9654..46a043408 100644 --- a/usr.sbin/bgpd/rtr_proto.c +++ b/usr.sbin/bgpd/rtr_proto.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rtr_proto.c,v 1.28 2024/01/10 16:08:36 claudio Exp $ */ +/* $OpenBSD: rtr_proto.c,v 1.31 2024/01/11 15:38:05 claudio Exp $ */ /* * Copyright (c) 2020 Claudio Jeker @@ -207,6 +207,7 @@ struct rtr_session { char last_sent_msg[REASON_LEN]; char last_recv_msg[REASON_LEN]; uint8_t version; + uint8_t prev_version; }; TAILQ_HEAD(, rtr_session) rtrs = TAILQ_HEAD_INITIALIZER(rtrs); @@ -434,11 +435,16 @@ rtr_parse_header(struct rtr_session *rs, struct ibuf *hdr, switch (rh.type) { case CACHE_RESPONSE: case CACHE_RESET: - case ERROR_REPORT: - if (rh.version < rs->version) + /* implicit downgrade */ + if (rh.version < rs->version) { + rs->prev_version = rs->version; rs->version = rh.version; + } rtr_fsm(rs, RTR_EVNT_NEGOTIATION_DONE); break; + case ERROR_REPORT: + /* version handled in rtr_parse_error() */ + break; case SERIAL_NOTIFY: /* ignore SERIAL_NOTIFY */ break; @@ -953,9 +959,14 @@ rtr_parse_error(struct rtr_session *rs, struct ibuf *pdu) if (errcode == NO_DATA_AVAILABLE) { rtr_fsm(rs, RTR_EVNT_NO_DATA); rv = 0; - } else if (errcode == UNSUPP_PROTOCOL_VERS) + } else if (errcode == UNSUPP_PROTOCOL_VERS) { + if (rh.version < rs->version) { + rs->prev_version = rs->version; + rs->version = rh.version; + } rtr_fsm(rs, RTR_EVNT_UNSUPP_PROTO_VERSION); - else + rv = 0; + } else rtr_fsm(rs, RTR_EVNT_RESET_AND_CLOSE); rs->last_recv_error = errcode; 
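Review bot: The new downgrade in rtr_parse_error records a version only when `rh.version < rs->version`, so an UNSUPP_PROTOCOL_VERS report that carries the version already in use (or a higher one) leaves prev_version and version untouched; once a first downgrade has happened those two differ, and the `rs->prev_version == rs->version` test in the rtr_fsm hunk that follows can never fire again, so the client keeps re-sending the same reset/serial query to a cache that keeps rejecting it. As far as these hunks show nothing else bounds that exchange (any validation of rh.version earlier in rtr_parse_error is outside the hunk). Marking the no-progress case as terminal closes the loop: after the existing `if` block add `} else` / `rs->prev_version = rs->version;	/* nothing lower to try */`, which makes the fsm send the final error on the next event. The same condition in rtr_parse_header is fine because CACHE_RESPONSE/CACHE_RESET end negotiation there. rtr_parse_error begins outside this hunk.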
@@ -1062,45 +1073,28 @@ rtr_fsm(struct rtr_session *rs, enum rtr_event event)
 switch (event) {
 case RTR_EVNT_UNSUPP_PROTO_VERSION:
- if (rs->state == RTR_STATE_NEGOTIATION) {
- if (rs->version > 0)
- rs->version--;
- else {
- /*
- * can't downgrade anymore, fail connection
- * RFC requires to send the error with our
- * highest version number.
- */
- rs->version = RTR_MAX_VERSION;
- rtr_send_error(rs, NULL, UNSUPP_PROTOCOL_VERS,
- "negotiation failed");
- return;
- }
-
- if (rs->fd != -1) {
- /* flush buffers */
- msgbuf_clear(&rs->w);
- rs->r.wpos = 0;
- close(rs->fd);
- rs->fd = -1;
- }
-
- /* retry connection with lower version */
- timer_set(&rs->timers, Timer_Rtr_Retry, rs->retry);
- rtr_imsg_compose(IMSG_SOCKET_CONN, rs->id, 0, NULL, 0);
- break;
+ if (rs->prev_version == rs->version) {
+ /*
+ * Can't downgrade anymore, fail connection.
+ * RFC requires sending the error with the
+ * highest supported version number.
+ */
+ rs->version = RTR_MAX_VERSION;
+ rtr_send_error(rs, NULL, UNSUPP_PROTOCOL_VERS,
+ "negotiation failed");
+ return;
 }
- /* FALLTHROUGH */
+ /* try again with new version */
+ if (rs->session_id == -1)
+ rtr_send_reset_query(rs);
+ else
+ rtr_send_serial_query(rs);
+ break;
 case RTR_EVNT_RESET_AND_CLOSE:
 rtr_reset_cache(rs);
 rtr_recalc();
 /* FALLTHROUGH */
 case RTR_EVNT_CON_CLOSE:
- if (rs->state == RTR_STATE_NEGOTIATION) {
- /* consider any close event as a version failure. */
- rtr_fsm(rs, RTR_EVNT_UNSUPP_PROTO_VERSION);
- break;
- }
 if (rs->fd != -1) {
 /* flush buffers */
 msgbuf_clear(&rs->w);
@@ -1108,27 +1102,37 @@ rtr_fsm(struct rtr_session *rs, enum rtr_event event)
 close(rs->fd);
 rs->fd = -1;
 }
- rs->state = RTR_STATE_CLOSED;
 /* try to reopen session */
 timer_set(&rs->timers, Timer_Rtr_Retry,
 arc4random_uniform(10));
+ /*
+ * A close event during version negotiation needs to remain
+ * in the negotiation state else the same error will happen
+ * over and over again. The RFC is utterly underspecified
+ * and some RTR caches close the connection after sending
+ * the error PDU.
+ */
+ if (rs->state != RTR_STATE_NEGOTIATION)
+ rs->state = RTR_STATE_CLOSED;
 break;
 case RTR_EVNT_START:
 case RTR_EVNT_TIMER_RETRY:
 switch (rs->state) {
 case RTR_STATE_ERROR:
 rtr_fsm(rs, RTR_EVNT_CON_CLOSE);
- return;
+ break;
 case RTR_STATE_CLOSED:
+ case RTR_STATE_NEGOTIATION:
 timer_set(&rs->timers, Timer_Rtr_Retry, rs->retry);
 rtr_imsg_compose(IMSG_SOCKET_CONN, rs->id, 0, NULL, 0);
- return;
+ break;
 default:
 break;
 }
- /* FALLTHROUGH */
+ break;
 case RTR_EVNT_CON_OPEN:
 timer_stop(&rs->timers, Timer_Rtr_Retry);
+ rs->state = RTR_STATE_NEGOTIATION;
 if (rs->session_id == -1)
 rtr_send_reset_query(rs);
 else
@@ -1140,7 +1144,6 @@ rtr_fsm(struct rtr_session *rs, enum rtr_event event)
 arc4random_uniform(10));
 break;
 case RTR_EVNT_TIMER_REFRESH:
- /* send serial query */
 rtr_send_serial_query(rs);
 break;
 case RTR_EVNT_TIMER_EXPIRE:
@@ -1171,6 +1174,11 @@ rtr_fsm(struct rtr_session *rs, enum rtr_event event)
 rtr_sem_release(rs->active_lock);
 rtr_recalc();
 rs->active_lock = 0;
+ /* clear the last errors */
+ rs->last_sent_error = NO_ERROR;
+ rs->last_recv_error = NO_ERROR;
+ rs->last_sent_msg[0] = '\0';
+ rs->last_recv_msg[0] = '\0';
 break;
 case RTR_EVNT_CACHE_RESET:
 rtr_reset_cache(rs);
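Review bot: The new `case RTR_STATE_NEGOTIATION:` under RTR_EVNT_TIMER_RETRY reconnects without touching the protocol version, and the reason is only discoverable by reading the rtr_open hunk further down, where version and prev_version are reset to RTR_MAX_VERSION solely from RTR_STATE_CLOSED; a comment at the case label would save the next reader that cross-check, e.g. `/* reconnect keeping the (downgraded) version; rtr_open() resets it only from CLOSED */`. The comment block added in the CON_CLOSE arm explains why the state is retained but not what that retention buys on the retry path. rtr_fsm continues outside this hunk.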
@@ -1279,8 +1287,6 @@ rtr_check_events(struct pollfd *pfds, size_t npfds) now = getmonotime(); TAILQ_FOREACH(rs, &rtrs, entry) if ((t = timer_nextisdue(&rs->timers, now)) != NULL) { - log_debug("rtr %s: %s triggered", log_rtr(rs), - timernames[t->type]); /* stop timer so it does not trigger again */ timer_stop(&rs->timers, t->type); switch (t->type) { @@ -1366,6 +1372,7 @@ rtr_new(uint32_t id, char *descr) rs->id = id; rs->session_id = -1; rs->version = RTR_MAX_VERSION; + rs->prev_version = RTR_MAX_VERSION; rs->refresh = RTR_DEFAULT_REFRESH; rs->retry = RTR_DEFAULT_RETRY; rs->expire = RTR_DEFAULT_EXPIRE; @@ -1417,11 +1424,12 @@ rtr_open(struct rtr_session *rs, int fd) rtr_fsm(rs, RTR_EVNT_CON_CLOSE); } - if (rs->state == RTR_STATE_CLOSED) + if (rs->state == RTR_STATE_CLOSED) { rs->version = RTR_MAX_VERSION; + rs->prev_version = RTR_MAX_VERSION; + } rs->fd = rs->w.fd = fd; - rs->state = RTR_STATE_NEGOTIATION; rtr_fsm(rs, RTR_EVNT_CON_OPEN); } @@ -1506,6 +1514,7 @@ rtr_show(struct rtr_session *rs, pid_t pid) msg.session_id = rs->session_id; msg.last_sent_error = rs->last_sent_error; msg.last_recv_error = rs->last_recv_error; + strlcpy(msg.state, rtr_statenames[rs->state], sizeof(msg.state)); strlcpy(msg.last_sent_msg, rs->last_sent_msg, sizeof(msg.last_sent_msg)); strlcpy(msg.last_recv_msg, rs->last_recv_msg, diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index 8e77c4f02..c36fae41b 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.457 2024/01/10 11:08:04 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.458 2024/01/11 14:11:03 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer 
@@ -608,11 +608,6 @@ bgp_fsm(struct peer *peer, enum session_events event)
 /* init write buffer */
 msgbuf_init(&peer->wbuf);
 
- peer->stats.last_sent_errcode = 0;
- peer->stats.last_sent_suberr = 0;
- peer->stats.last_rcvd_errcode = 0;
- peer->stats.last_rcvd_suberr = 0;
-
 if (!peer->depend_ok)
 timer_stop(&peer->timers, Timer_ConnectRetry);
 else if (peer->passive || peer->conf.passive ||
@@ -3553,6 +3548,13 @@ session_up(struct peer *p)
 {
 struct session_up sup;
 
+ /* clear last errors, now that the session is up */
+ p->stats.last_sent_errcode = 0;
+ p->stats.last_sent_suberr = 0;
+ p->stats.last_rcvd_errcode = 0;
+ p->stats.last_rcvd_suberr = 0;
+ memset(p->stats.last_reason, 0, sizeof(p->stats.last_reason));
+
 if (imsg_rde(IMSG_SESSION_ADD, p->conf.id, &p->conf,
 sizeof(p->conf)) == -1)
 fatalx("imsg_compose error");
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index dfe90943b..8c677c3d9 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.h,v 1.165 2024/01/10 11:08:04 claudio Exp $ */
+/* $OpenBSD: session.h,v 1.166 2024/01/11 15:46:25 claudio Exp $ */
 
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -130,7 +130,7 @@ struct bgpd_sysdep {
 
 struct ctl_conn {
 TAILQ_ENTRY(ctl_conn) entry;
- struct imsgbuf ibuf;
+ struct imsgbuf imsgbuf;
 int restricted;
 int throttled;
 int terminate;
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index f695f8370..9e113ce41 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.121 2023/12/14 07:52:53 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.122 2024/01/11 11:55:14 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -1016,6 +1016,7 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 {
 ASN1_TIME *notBefore, *notAfter;
 EVP_PKEY *pk, *opk;
+ time_t now = get_current_time();
 
 if (p == NULL)
 return NULL;
@@ -1044,11 +1045,11 @@ ta_parse(const char *fn, struct cert *p, const unsigned char *pkey,
 warnx("%s: certificate has invalid notAfter", fn);
 goto badcert;
 }
- if (X509_cmp_current_time(notBefore) != -1) {
+ if (X509_cmp_time(notBefore, &now) != -1) {
 warnx("%s: certificate not yet valid", fn);
 goto badcert;
 }
- if (X509_cmp_current_time(notAfter) != 1) {
+ if (X509_cmp_time(notAfter, &now) != 1) {
 warnx("%s: certificate has expired", fn);
 goto badcert;
 }
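Review bot: X509_cmp_time() returns 0 when it cannot parse the ASN1_TIME, and the `!= -1` and `!= 1` tests in the two new conditions correctly reject that case, but the warning then reads "not yet valid" or "has expired" for what is really a malformed field; the "invalid notAfter" check visible at the top of the hunk suggests the times were already validated, so this is probably unreachable, and a comment would save the next reader from re-deriving it: `/* 0 means X509_cmp_time() failed; treat as outside the validity window */`. The `now` used here is the snapshot declared in the earlier ta_parse() hunk, so both checks agree on one instant; ta_parse() continues past this hunk.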
