diff --git a/regress/usr.bin/ssh/dropbear-ciphers.sh b/regress/usr.bin/ssh/dropbear-ciphers.sh
index 7b0924ce7..1500fa0e7 100644
--- a/regress/usr.bin/ssh/dropbear-ciphers.sh
+++ b/regress/usr.bin/ssh/dropbear-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-ciphers.sh,v 1.2 2024/06/19 10:15:51 dtucker Exp $
+# $OpenBSD: dropbear-ciphers.sh,v 1.3 2024/06/20 08:23:18 dtucker Exp $
 # Placed in the Public Domain.

 tid="dropbear ciphers"
@@ -14,15 +14,10 @@ PubkeyAcceptedAlgorithms $algs
 HostkeyAlgorithms $algs
 EOD

-ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
-if [ -z "$ciphers" ]; then
- trace dbclient query ciphers failed, making assumptions.
- ciphers="chacha20-poly1305@openssh.com aes128-ctr aes256-ctr"
-fi
-macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
-if [ -z "$macs" ]; then
- trace dbclient query macs failed, making assumptions.
- macs="hmac-sha1 hmac-sha2-256"
+ciphers=`$DBCLIENT -c help hst 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
+macs=`$DBCLIENT -m help hst 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+if [ -z "$macs" ] || [ -z "$ciphers" ]; then
+ skip "dbclient query ciphers '$ciphers' or macs '$macs' failed"
 fi

 keytype=`(cd $OBJ/.dropbear && ls id_*)`
diff --git a/regress/usr.bin/ssh/test-exec.sh b/regress/usr.bin/ssh/test-exec.sh
index 7f532850d..9c15661cc 100644
--- a/regress/usr.bin/ssh/test-exec.sh
+++ b/regress/usr.bin/ssh/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.118 2024/06/19 10:08:34 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.119 2024/06/20 08:18:34 dtucker Exp $
 # Placed in the Public Domain.

 #SUDO=sudo
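Review bot: The literal `hst` appended to `-c help` and `-m help` is unexplained; it looks like a placeholder host name that dbclient wants before it acts on the help request, and a one-line comment above the `ciphers=` line would spare the next reader the guess, e.g. `# dbclient needs a host argument before it reports -c/-m help`. The new `skip` message embeds both raw query results, so when dbclient prints nothing it reads `ciphers '' or macs ''`, which is still informative but could name only the empty one. Replacing the hard-coded fallback lists with a skip is the right call, since a wrong assumption would have produced misleading passes rather than a visible skip.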
@@ -646,17 +646,15 @@ esac if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then trace Create dropbear keys and add to authorized_keys - kt="ed25519" - if $SSH -Q key-plain | grep '^ssh-dss$' >/dev/null; then - kt="$kt dss" - fi - if $SSH -Q key-plain | grep '^ssh-rsa$' >/dev/null; then - kt="$kt rsa" - fi - if $SSH -Q key-plain | grep '^ecdsa-sha2' >/dev/null; then - kt="$kt ecdsa" - fi mkdir -p $OBJ/.dropbear + kt="ed25519" + for i in dss rsa ecdsa; do + if $SSH -Q key-plain | grep "$i" >/dev/null; then + kt="$kt $i" + else + rm -f "$OBJ/.dropbear/id_$i" + fi + done for i in $kt; do if [ ! -f "$OBJ/.dropbear/id_$i" ]; then verbose Create dropbear key type $i diff --git a/share/man/man5/ruby-module.5 b/share/man/man5/ruby-module.5 index 00e1826cc..56174f00d 100644 --- a/share/man/man5/ruby-module.5 +++ b/share/man/man5/ruby-module.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ruby-module.5,v 1.46 2023/12/27 23:46:42 jeremy Exp $ +.\" $OpenBSD: ruby-module.5,v 1.47 2024/06/20 22:43:16 jeremy Exp $ .\" .\" Copyright (c) 2011-2015, 2023 Jeremy Evans .\" Copyright (c) 2008, 2011 Marc Espie @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 27 2023 $ +.Dd $Mdocdate: June 20 2024 $ .Dt RUBY-MODULE 5 .Os .Sh NAME @@ -75,11 +75,11 @@ to use the .Ev FLAVOR Ns \- instead of ruby\- as the package prefix. .Pp -The ports system defaults to using Ruby 3.2 if the version of Ruby is not +The ports system defaults to using Ruby 3.3 if the version of Ruby is not specified. To specify a version for a gem port, use a specific .Ev FLAVOR , -such as ruby33 to use Ruby 3.3. +such as ruby32 to use Ruby 3.2. To specify the Ruby version to use for a non Ruby-gem port, set .Ev MODRUBY_REV to 3.1, 3.2, or 3.3. diff --git a/sys/arch/arm64/stand/efiboot/efiboot.c b/sys/arch/arm64/stand/efiboot/efiboot.c index 295b9ae27..564921d0c 100644 
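Review bot: `grep "$i"` in the new `for i in dss rsa ecdsa` loop is unanchored where the three tests it replaces were anchored (`^ssh-dss$`, `^ssh-rsa$`, `^ecdsa-sha2`); `rsa` now also matches `rsa-sha2-256`/`rsa-sha2-512` and `ecdsa` would also match an `sk-ecdsa-sha2-*` entry if `ssh -Q key-plain` lists one, which happens to give the same answer today but is loose for a gating check. A pattern list keeps the loop and the precision: `if $SSH -Q key-plain | grep -e "^ssh-$i\$" -e "^$i-sha2" >/dev/null; then`. Removing a stale `id_$i` in the else branch is a good addition; the enclosing `if test "$REGRESS_INTEROP_DROPBEAR"` block continues past the hunk.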
--- a/sys/arch/arm64/stand/efiboot/efiboot.c
+++ b/sys/arch/arm64/stand/efiboot/efiboot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: efiboot.c,v 1.52 2024/06/17 09:36:04 kettenis Exp $ */
+/* $OpenBSD: efiboot.c,v 1.53 2024/06/20 21:52:08 kettenis Exp $ */

 /*
 * Copyright (c) 2015 YASUOKA Masahiko
@@ -1135,8 +1135,6 @@ efi_fdt(void)
 return fdt_override ? fdt_override : fdt_sys;
 }

-#define EXTRA_DT_SPACE (32 * 1024)
-
 int
 fdt_load_override(char *file)
 {
@@ -1164,7 +1162,8 @@ fdt_load_override(char *file)
 printf("cannot open %s\n", path);
 return 0;
 }
- dt_size = sb.st_size + EXTRA_DT_SPACE;
+ dt_size = sb.st_size;
+retry:
 if (efi_memprobe_find(EFI_SIZE_TO_PAGES(dt_size), PAGE_SIZE,
 EfiLoaderData, &addr) != EFI_SUCCESS) {
 printf("cannot allocate memory for %s\n", path);
@@ -1180,6 +1179,12 @@ fdt_load_override(char *file)
 sz = dt_size;
 status = dt_fixup->Fixup(dt_fixup, (void *)addr, &sz,
 EFI_DT_APPLY_FIXUPS | EFI_DT_RESERVE_MEMORY);
+ if (status == EFI_BUFFER_TOO_SMALL) {
+ BS->FreePages(addr, EFI_SIZE_TO_PAGES(dt_size));
+ lseek(fd, 0, SEEK_SET);
+ dt_size = sz;
+ goto retry;
+ }
 if (status != EFI_SUCCESS)
 panic("DT fixup failed: 0x%lx", status);
 }
diff --git a/sys/arch/armv7/stand/efiboot/efiboot.c b/sys/arch/armv7/stand/efiboot/efiboot.c
index 0e5ac7dca..ba34d5c51 100644
--- a/sys/arch/armv7/stand/efiboot/efiboot.c
+++ b/sys/arch/armv7/stand/efiboot/efiboot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: efiboot.c,v 1.41 2024/06/17 09:12:45 kettenis Exp $ */
+/* $OpenBSD: efiboot.c,v 1.42 2024/06/20 22:03:23 kettenis Exp $ */

 /*
 * Copyright (c) 2015 YASUOKA Masahiko
@@ -1006,8 +1006,6 @@ efi_fdt(void)
 return fdt_sys;
 }

-#define EXTRA_DT_SPACE (32 * 1024)
-
 int
 fdt_load_override(char *file)
 {
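Review bot: The `goto retry` taken on `EFI_BUFFER_TOO_SMALL` has no progress check, so a DT fixup protocol that reports the error without returning an `sz` larger than `dt_size` makes the boot loader free, reload and retry forever; the size the firmware hands back should be required to grow before it is trusted, e.g. `if (sz <= dt_size) panic("DT fixup buffer size did not grow");` placed before the `BS->FreePages` call. The `lseek(fd, 0, SEEK_SET)` return is also unchecked, so a failed rewind would feed the old file offset to the next read. The armv7 `fdt_load_override` hunk makes the identical change and needs the same guard. The file read that sits between the allocation and the fixup is outside the visible lines.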
@@ -1035,7 +1033,8 @@ fdt_load_override(char *file)
 printf("cannot open %s\n", path);
 return 0;
 }
- dt_size = sb.st_size + EXTRA_DT_SPACE;
+ dt_size = sb.st_size;
+retry:
 if (efi_memprobe_find(EFI_SIZE_TO_PAGES(dt_size), PAGE_SIZE,
 EfiLoaderData, &addr) != EFI_SUCCESS) {
 printf("cannot allocate memory for %s\n", path);
@@ -1051,6 +1050,12 @@ fdt_load_override(char *file)
 sz = dt_size;
 status = dt_fixup->Fixup(dt_fixup, (void *)addr, &sz,
 EFI_DT_APPLY_FIXUPS | EFI_DT_RESERVE_MEMORY);
+ if (status == EFI_BUFFER_TOO_SMALL) {
+ BS->FreePages(addr, EFI_SIZE_TO_PAGES(dt_size));
+ lseek(fd, 0, SEEK_SET);
+ dt_size = sz;
+ goto retry;
+ }
 if (status != EFI_SUCCESS)
 panic("DT fixup failed: 0x%lx", status);
 }
diff --git a/sys/net/if.c b/sys/net/if.c
index 7042c3c9d..310048b85 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.718 2024/02/06 00:18:53 bluhm Exp $ */
+/* $OpenBSD: if.c,v 1.719 2024/06/20 19:25:42 bluhm Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */

 /*
@@ -3378,7 +3378,7 @@ ifnewlladdr(struct ifnet *ifp)
 * Update the link-local address. Don't do it if we're
 * a router to avoid confusing hosts on the network.
 */
- if (!ip6_forwarding) {
+ if (ip6_forwarding == 0) {
 ifa = &in6ifa_ifpforlinklocal(ifp, 0)->ia_ifa;
 if (ifa) {
 in6_purgeaddr(ifa);
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ecc6bfef4..47ec92d4b 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1197 2024/06/07 18:24:16 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1198 2024/06/20 19:25:42 bluhm Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -7974,12 +7974,15 @@ done:
 break;
 case AF_INET6:
 if (pd.dir == PF_IN) {
+ int flags;
+
 if (ip6_forwarding == 0) {
 ip6stat_inc(ip6s_cantforward);
 action = PF_DROP;
 break;
 }
- ip6_forward(pd.m, NULL, 1);
+ flags = IPV6_FORWARDING | IPV6_REDIRECT;
+ ip6_forward(pd.m, NULL, flags);
 } else
 ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
 break;
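Review bot: The new `int flags;` declaration and separate assignment in the pf.c hunk exist only to carry a constant to `ip6_forward(pd.m, NULL, flags)`, and nothing says why `IPV6_REDIRECT` is set unconditionally here where the old argument `1` needed no name. Passing the value directly with the reason beside it reads better: `/* packet was redirected by pf, so no ICMP6 redirect is sent for it */` followed by `ip6_forward(pd.m, NULL, IPV6_FORWARDING | IPV6_REDIRECT);`. The `case AF_INET6` sits inside a switch whose head, like the `done:` label, is outside the hunk.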
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 571dbf9d3..8799b845e 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.230 2024/04/22 13:30:22 bluhm Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.231 2024/06/20 19:25:42 bluhm Exp $ */

 /*
 * Copyright 2001 Niels Provos
@@ -1011,7 +1011,7 @@ pf_refragment6(struct mbuf **m0, struct m_tag *mtag, struct sockaddr_in6 *dst,
 while ((m = ml_dequeue(&ml)) != NULL) {
 m->m_pkthdr.pf.flags |= PF_TAG_REFRAGMENTED;
 if (ifp == NULL) {
- ip6_forward(m, NULL, 0);
+ ip6_forward(m, NULL, IPV6_FORWARDING);
 } else if ((u_long)m->m_pkthdr.len <= ifp->if_mtu) {
 ifp->if_output(ifp, m, sin6tosa(dst), rt);
 } else {
diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index 41e9d34ce..c6e882f0b 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_carp.c,v 1.361 2024/02/13 12:22:09 bluhm Exp $ */
+/* $OpenBSD: ip_carp.c,v 1.362 2024/06/20 19:25:42 bluhm Exp $ */

 /*
 * Copyright (c) 2002 Michael Shalayeff. All rights reserved.
@@ -1287,6 +1287,10 @@ carp_send_na(struct carp_softc *sc)
 struct ifaddr *ifa;
 struct in6_addr *in6;
 static struct in6_addr mcast = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
+ int flags = ND_NA_FLAG_OVERRIDE;
+
+ if (ip6_forwarding != 0)
+ flags |= ND_NA_FLAG_ROUTER;

 TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) {

@@ -1294,9 +1298,7 @@ carp_send_na(struct carp_softc *sc)
 continue;

 in6 = &ifatoia6(ifa)->ia_addr.sin6_addr;
- nd6_na_output(&sc->sc_if, &mcast, in6,
- ND_NA_FLAG_OVERRIDE |
- (ip6_forwarding ? ND_NA_FLAG_ROUTER : 0), 1, NULL);
+ nd6_na_output(&sc->sc_if, &mcast, in6, flags, 1, NULL);
 }
 }
 #endif /* INET6 */
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2d42796dc..a283bc2f8 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
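Review bot: `ip6_forward(m, NULL, IPV6_FORWARDING)` in `pf_refragment6` passes the flag regardless of the `ip6_forwarding` sysctl, and in the `ip6_forward` hunks of this commit only `IPV6_REDIRECT` is tested, so as far as the visible changes go the bit is inert for this caller. A one-line comment stating the intent — that the flag mirrors what `ip6_input_if` passes on its forward path and does not itself bypass any forwarding check — would stop a later reader from drawing either conclusion, and would explain why this call site is not `IPV6_REDIRECT`-tagged like the pf.c one. The `while ((m = ml_dequeue(&ml)) != NULL)` loop continues past the hunk.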
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.193 2024/06/07 18:24:16 bluhm Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.194 2024/06/20 19:25:04 bluhm Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */

 /*
@@ -589,7 +589,7 @@ reflect:
 struct sockaddr_in ssrc;
 struct rtentry *newrt = NULL;

- if (icmp_rediraccept == 0 || ip_forwarding == 1)
+ if (icmp_rediraccept == 0 || ip_forwarding != 0)
 goto freeit;
 if (code > 3)
 goto badcode;
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 058800bc5..2a8950d0a 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.252 2024/04/21 17:32:10 florian Exp $ */
+/* $OpenBSD: icmp6.c,v 1.253 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */

 /*
@@ -1240,8 +1240,8 @@ icmp6_redirect_input(struct mbuf *m, int off)
 if (ifp == NULL)
 return;

- /* XXX if we are router, we don't update route by icmp6 redirect */
- if (ip6_forwarding)
+ /* if we are router, we don't update route by icmp6 redirect */
+ if (ip6_forwarding != 0)
 goto freeit;
 if (!(ifp->if_xflags & IFXF_AUTOCONF6))
 goto freeit;
@@ -1442,7 +1442,7 @@ icmp6_redirect_output(struct mbuf *m0, struct rtentry *rt)
 icmp6_errcount(ND_REDIRECT, 0);

 /* if we are not router, we don't send icmp6 redirect */
- if (!ip6_forwarding)
+ if (ip6_forwarding == 0)
 goto fail;

 /* sanity check */
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 13e603754..9daf51f92 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.118 2024/06/07 18:24:16 bluhm Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.119 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */

 /*
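Review bot: `ip_forwarding != 0` in the ip_icmp.c redirect test is wider than the `ip_forwarding == 1` it replaces: every non-zero value now suppresses ICMP redirect processing, and the old `== 1` suggests the sysctl takes other values (if I recall ip(4) correctly, `net.inet.ip.forwarding=2` means forward IPsec-tagged packets only). If treating that mode as "we are a router" is intended, say so next to the test, e.g. `/* any forwarding mode, including IPsec-only, makes us a router */`; if not, the comparison must stay `== 1`. The IPv6 hunks in icmp6.c do not have this question because `ip6_forwarding` was already tested as a boolean there. The enclosing redirect `case` starts before the hunk.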
@@ -82,7 +82,7 @@
 */

 void
-ip6_forward(struct mbuf *m, struct route *ro, int srcrt)
+ip6_forward(struct mbuf *m, struct route *ro, int flags)
 {
 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 struct route iproute;
@@ -248,8 +248,8 @@ reroute:
 m_freem(m);
 goto freecopy;
 }
- if (rt->rt_ifidx == m->m_pkthdr.ph_ifidx && !srcrt &&
- ip6_sendredirects &&
+ if (rt->rt_ifidx == m->m_pkthdr.ph_ifidx &&
+ ip6_sendredirects && !ISSET(flags, IPV6_REDIRECT) &&
 (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
 if ((ifp->if_flags & IFF_POINTOPOINT) &&
 nd6_is_addr_neighbor(&ro->ro_dstsin6, ifp)) {
@@ -305,7 +305,7 @@ reroute:
 } else if (m->m_pkthdr.pf.flags & PF_TAG_REROUTE) {
 /* tag as generated to skip over pf_test on rerun */
 m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
- srcrt = 1;
+ SET(flags, IPV6_REDIRECT);
 if (ro == &iproute)
 rtfree(ro->ro_rt);
 ro = NULL;
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 276a35d68..de9468ecc 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.262 2024/05/08 13:01:30 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.263 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */

 /*
@@ -119,9 +119,9 @@ struct cpumem *ip6counters;

 uint8_t ip6_soiikey[IP6_SOIIKEY_LEN];

-int ip6_ours(struct mbuf **, int *, int, int);
+int ip6_ours(struct mbuf **, int *, int, int, int);
 int ip6_check_rh0hdr(struct mbuf *, int *);
-int ip6_hbhchcheck(struct mbuf **, int *, int *);
+int ip6_hbhchcheck(struct mbuf **, int *, int *, int);
 int ip6_hopopts_input(struct mbuf **, int *, u_int32_t *, u_int32_t *);
 struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
 int ip6_sysctl_soiikey(void *, size_t *, void *, size_t);
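Review bot: `SET(flags, IPV6_REDIRECT)` in the `PF_TAG_REROUTE` branch uses a flag whose header comment says "redirected by pf" to mean "withhold the ICMP6 redirect for this forward", and the comment on the line above explains only the `PF_TAG_GENERATED` part; extend it so both effects are visible: `/* tag as generated to skip over pf_test on rerun, and do not send an ICMP6 redirect for a path pf chose */`. The signature hunk renames `srcrt` to `flags`, and the function's header comment ends just before it (`*/` is the hunk's first line), so that comment, which is outside the hunk, may still describe the old boolean parameter and should be checked. The three callers changed in this commit pass `IPV6_FORWARDING` and `IPV6_REDIRECT` only; a sentence in that header stating which `IPV6_*` bits `ip6_forward` honours would settle what the other `ip6_output` flags mean here.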
@@ -172,11 +172,11 @@ ip6_init(void) * NET_LOCK_SHARED() and the transport layer needing it exclusively. */ int -ip6_ours(struct mbuf **mp, int *offp, int nxt, int af) +ip6_ours(struct mbuf **mp, int *offp, int nxt, int af, int flags) { /* ip6_hbhchcheck() may be run before, then off and nxt are set */ if (*offp == 0) { - nxt = ip6_hbhchcheck(mp, offp, NULL); + nxt = ip6_hbhchcheck(mp, offp, NULL, flags); if (nxt == IPPROTO_DONE) return IPPROTO_DONE; } @@ -365,7 +365,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) #if NPF > 0 struct in6_addr odst; #endif - int pfrdr = 0; + int flags = 0; KASSERT(*offp == 0); @@ -412,9 +412,13 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) goto bad; ip6 = mtod(m, struct ip6_hdr *); - pfrdr = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); + if (!IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst)) + SET(flags, IPV6_REDIRECT); #endif + if (ip6_forwarding != 0) + SET(flags, IPV6_FORWARDING); + /* * Without embedded scope ID we cannot find link-local * addresses in the routing table. @@ -445,7 +449,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) #if NPF > 0 if (pf_ouraddr(m) == 1) { - nxt = ip6_ours(mp, offp, nxt, af); + nxt = ip6_ours(mp, offp, nxt, af, flags); goto out; } #endif @@ -472,7 +476,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) if (ip6_mforwarding && ip6_mrouter[ifp->if_rdomain]) { int error; - nxt = ip6_hbhchcheck(&m, offp, &ours); + nxt = ip6_hbhchcheck(&m, offp, &ours, flags); if (nxt == IPPROTO_DONE) goto out; @@ -496,7 +500,8 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) if (ours) { if (af == AF_UNSPEC) - nxt = ip6_ours(mp, offp, nxt, af); + nxt = ip6_ours(mp, offp, nxt, af, + flags); goto out; } goto bad; 
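Review bot: `ip6_ours()` and, later in this file, `ip6_hbhchcheck()` gain an `int flags` parameter without any statement of which bits they read; in the hunks shown only `IPV6_FORWARDING` is consulted (the router-alert test in `ip6_hbhchcheck`), while `IPV6_REDIRECT` is merely carried through to `ip6_forward()`. The header comment above `ip6_ours()` ends at the top of this hunk, so add a sentence there along the lines of "flags are the IPV6_* bits computed by ip6_input_if(); IPV6_FORWARDING records that forwarding was enabled when the packet arrived", and the same on `ip6_hbhchcheck()`. Sampling `ip6_forwarding` once into `flags` near the top of `ip6_input_if()` means every later decision about this packet sees one consistent value even if the sysctl changes underneath, which is worth a brief why-comment next to `SET(flags, IPV6_FORWARDING)` because a reader will otherwise ask why the sysctl is not simply read in place.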
@@ -508,7 +513,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 ip6stat_inc(ip6s_cantforward);
 goto bad;
 }
- nxt = ip6_ours(mp, offp, nxt, af);
+ nxt = ip6_ours(mp, offp, nxt, af, flags);
 goto out;
 }

@@ -526,7 +531,8 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 if (rt != NULL && ISSET(rt->rt_flags, RTF_LOCAL)) {
 struct in6_ifaddr *ia6 = ifatoia6(rt->rt_ifa);

- if (ip6_forwarding == 0 && rt->rt_ifidx != ifp->if_index &&
+ if (!ISSET(flags, IPV6_FORWARDING) &&
+ rt->rt_ifidx != ifp->if_index &&
 !((ifp->if_flags & IFF_LOOPBACK) ||
 (ifp->if_type == IFT_ENC) ||
 (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
@@ -567,7 +573,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)

 goto bad;
 } else {
- nxt = ip6_ours(mp, offp, nxt, af);
+ nxt = ip6_ours(mp, offp, nxt, af, flags);
 goto out;
 }
 }
@@ -582,18 +588,18 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 * Now there is no reason to process the packet if it's not our own
 * and we're not a router.
 */
- if (!ip6_forwarding) {
+ if (!ISSET(flags, IPV6_FORWARDING)) {
 ip6stat_inc(ip6s_cantforward);
 goto bad;
 }

- nxt = ip6_hbhchcheck(&m, offp, &ours);
+ nxt = ip6_hbhchcheck(&m, offp, &ours, flags);
 if (nxt == IPPROTO_DONE)
 goto out;

 if (ours) {
 if (af == AF_UNSPEC)
- nxt = ip6_ours(mp, offp, nxt, af);
+ nxt = ip6_ours(mp, offp, nxt, af, flags);
 goto out;
 }

@@ -613,7 +619,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 }
 #endif /* IPSEC */

- ip6_forward(m, &ro, pfrdr);
+ ip6_forward(m, &ro, flags);
 *mp = NULL;
 rtfree(ro.ro_rt);
 return IPPROTO_DONE;
@@ -627,7 +633,7 @@ ip6_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)

 /* On error free mbuf and return IPPROTO_DONE. */
 int
-ip6_hbhchcheck(struct mbuf **mp, int *offp, int *oursp)
+ip6_hbhchcheck(struct mbuf **mp, int *offp, int *oursp, int flags)
 {
 struct ip6_hdr *ip6;
 u_int32_t plen, rtalert = ~0;
@@ -680,7 +686,8 @@ ip6_hbhchcheck(struct mbuf **mp, int *offp, int *oursp)
 * accept the packet if a router alert option is included
 * and we act as an IPv6 router.
 */
- if (rtalert != ~0 && ip6_forwarding && oursp != NULL)
+ if (rtalert != ~0 && ISSET(flags, IPV6_FORWARDING) &&
+ oursp != NULL)
 *oursp = 1;
 } else
 nxt = ip6->ip6_nxt;
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 598765301..47fca707d 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_var.h,v 1.117 2024/05/13 01:15:53 jsg Exp $ */
+/* $OpenBSD: ip6_var.h,v 1.118 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */

 /*
@@ -265,10 +265,11 @@ ip6stat_add(enum ip6stat_counters c, uint64_t v)
 counters_add(ip6counters, c, v);
 }

-/* flags passed to ip6_output as last parameter */
-#define IPV6_UNSPECSRC 0x01 /* allow :: as the source address */
-#define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
-#define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
+/* flags passed to ip6_output or ip6_forward as last parameter */
+#define IPV6_UNSPECSRC 0x01 /* allow :: as the source address */
+#define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
+#define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
+#define IPV6_REDIRECT 0x08 /* redirected by pf */

 extern int ip6_mtudisc_timeout; /* mtu discovery */
 extern struct rttimer_queue icmp6_mtudisc_timeout_q;
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 8ddde1536..28bc1b91d 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
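Review bot: The comment on the new `IPV6_REDIRECT` define says only "redirected by pf", but what the bit does in this commit is on the consumer side — `ip6_forward()` tests it to withhold an ICMP6 redirect, and sets it itself for `PF_TAG_REROUTE` packets — so a reader of the header cannot tell what passing it achieves. Suggest `#define IPV6_REDIRECT 0x08 /* redirected by pf, do not send ICMP6 redirect */`. The "most of IPv6 header exists" text on `IPV6_FORWARDING` also no longer matches how `ip6_input_if()` now uses that bit (forwarding was enabled when the packet arrived), and a second clause on that line would keep the two meanings from being confused.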
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6.c,v 1.280 2023/05/13 16:27:59 bluhm Exp $ */
+/* $OpenBSD: nd6.c,v 1.281 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */

 /*
@@ -671,7 +671,7 @@ nd6_free(struct rtentry *rt)

 ifp = if_get(rt->rt_ifidx);

- if (!ip6_forwarding) {
+ if (ip6_forwarding == 0) {
 if (ln->ln_router) {
 /*
 * rt6_flush must be called whether or not the neighbor
diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index e2fccc45c..b6747312d 100644
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6_nbr.c,v 1.151 2023/07/30 12:52:03 krw Exp $ */
+/* $OpenBSD: nd6_nbr.c,v 1.152 2024/06/20 19:25:42 bluhm Exp $ */
 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */

 /*
@@ -108,7 +108,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)
 struct ifaddr *ifa = NULL;
 int lladdrlen = 0;
 int anycast = 0, proxy = 0, tentative = 0;
- int router = ip6_forwarding;
+ int i_am_router = (ip6_forwarding != 0);
 int tlladdr;
 struct nd_opts ndopts;
 struct sockaddr_dl *proxydl = NULL;
@@ -244,7 +244,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)
 if (ifa) {
 proxy = 1;
 proxydl = satosdl(rt->rt_gateway);
- router = 0; /* XXX */
+ i_am_router = 0; /* XXX */
 }
 }
 if (rt)
@@ -317,7 +317,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)
 saddr6.s6_addr16[1] = htons(ifp->if_index);
 nd6_na_output(ifp, &saddr6, &taddr6,
 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
- (router ? ND_NA_FLAG_ROUTER : 0),
+ (i_am_router ? ND_NA_FLAG_ROUTER : 0),
 tlladdr, sdltosa(proxydl));
 goto freeit;
 }
@@ -327,7 +327,7 @@ nd6_ns_input(struct mbuf *m, int off, int icmp6len)

 nd6_na_output(ifp, &saddr6, &taddr6,
 ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
- (router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
+ (i_am_router ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
 tlladdr, sdltosa(proxydl));
 freeit:
 m_freem(m);
@@ -559,6 +559,7 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len)
 int is_override;
 char *lladdr = NULL;
 int lladdrlen = 0;
+ int i_am_router = (ip6_forwarding != 0);
 struct ifaddr *ifa;
 struct in6_ifaddr *ifa6;
 struct llinfo_nd6 *ln;
@@ -684,7 +685,7 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len)
 * If we are a router, we may create new stale cache entries upon
 * receiving Unsolicited Neighbor Advertisements.
 */
- if (rt == NULL && ip6_forwarding == 1) {
+ if (rt == NULL && i_am_router) {
 rt = nd6_lookup(&taddr6, 1, ifp, ifp->if_rdomain);
 if (rt == NULL || lladdr == NULL ||
 ((sdl = satosdl(rt->rt_gateway)) == NULL))
@@ -837,7 +838,7 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len)
 }

 if (ln->ln_router && !is_router) {
- if (!ip6_forwarding) {
+ if (!i_am_router) {
 /*
 * The neighbor may be used
 * as a next hop for some destinations
diff --git a/usr.sbin/rpki-client/rpki-client.8 b/usr.sbin/rpki-client/rpki-client.8
index c97b8bfee..f74d9dceb 100644
--- a/usr.sbin/rpki-client/rpki-client.8
+++ b/usr.sbin/rpki-client/rpki-client.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: rpki-client.8,v 1.106 2024/06/12 04:24:59 tb Exp $
+.\" $OpenBSD: rpki-client.8,v 1.107 2024/06/20 20:15:02 job Exp $
 .\"
 .\" Copyright (c) 2019 Kristaps Dzonsons
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2024 $
+.Dd $Mdocdate: June 20 2024 $
 .Dt RPKI-CLIENT 8
 .Os
 .Sh NAME
@@ -42,8 +42,9 @@
 .Sh DESCRIPTION
 The
 .Nm
-utility queries the RPKI repository system with
-a built-in HTTPS client and
+utility queries the
+.Em Resource Public Key Infrastructure Pq RPKI
+repository system with a built-in HTTPS client and
 .Xr openrsync 1
 to fetch all X.509 certificates, manifests, and revocation lists under a given
 .Em Trust Anchor .
@@ -367,7 +368,7 @@ agreement regarding ARIN service restrictions.
 .Re
 .Pp
 .Rs
-.%T Signed Object Template for the Resource Public Key Infrastructure (RPKI)
+.%T Signed Object Template for the RPKI
 .%R RFC 6488
 .Re
 .Pp
@@ -412,6 +413,11 @@ agreement regarding ARIN service restrictions.
 .Re
 .Pp
 .Rs
+.%T A Profile for RPKI Signed Checklists (RSCs)
+.%R RFC 9323
+.Re
+.Pp
+.Rs
 .%T A Profile for Route Origin Authorizations (ROAs)
 .%R RFC 9582
 .Re
@@ -428,11 +434,6 @@ agreement regarding ARIN service restrictions.
 .Re
 .Pp
 .Rs
-.%T A Profile for RPKI Signed Checklists (RSCs)
-.%R RFC 9323
-.Re
-.Pp
-.Rs
 .%T A Profile for Autonomous System Provider Authorization (ASPA)
 .%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile
 .%D Jun, 2023
@@ -467,6 +468,12 @@ agreement regarding ARIN service restrictions.
 .%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin
 .%D June, 2024
 .Re
+.Pp
+.Rs
+.%T Tiebreaking RPKI Trust Anchors
+.%U https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker
+.%D June, 2024
+.Re
 .Sh HISTORY
 .Nm
 first appeared in
diff --git a/usr.sbin/vmd/vm.c b/usr.sbin/vmd/vm.c
index f8e01288f..6fbd1fe7a 100644
--- a/usr.sbin/vmd/vm.c
+++ b/usr.sbin/vmd/vm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vm.c,v 1.100 2024/04/29 14:47:06 dv Exp $ */
+/* $OpenBSD: vm.c,v 1.101 2024/06/20 15:33:44 dv Exp $ */

 /*
 * Copyright (c) 2015 Mike Larkin
@@ -122,6 +122,8 @@ pthread_mutex_t vcpu_run_mtx[VMM_MAX_VCPUS_PER_VM];
 pthread_barrier_t vm_pause_barrier;
 pthread_cond_t vcpu_unpause_cond[VMM_MAX_VCPUS_PER_VM];
 pthread_mutex_t vcpu_unpause_mtx[VMM_MAX_VCPUS_PER_VM];
+
+pthread_mutex_t vm_mtx;
 uint8_t vcpu_hlt[VMM_MAX_VCPUS_PER_VM];
 uint8_t vcpu_done[VMM_MAX_VCPUS_PER_VM];

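Review bot: `pthread_mutex_t vm_mtx;` is declared without a comment saying what it guards, and the later hunks use it for three things that live in different places — the `VM_STATE_PAUSED` bit of `vm_state`, `vcpu_hlt[]` and `vcpu_done[]` — so a reader of the declarations has to reconstruct the rule from call sites. Suggest `/* vm_mtx protects vm_state, vcpu_hlt[] and vcpu_done[]; it nests inside vcpu_run_mtx[n] and threadmutex, never the other way round */` above the declaration, since the lock order the later hunks establish (run mutex held when `vcpu_run_loop` takes `vm_mtx`; `run_vm` takes it while, as the new `start_vm` comment suggests, `threadmutex` is held) is otherwise undocumented. Initialising it in `start_vm()` rather than with `PTHREAD_MUTEX_INITIALIZER` is fine, but the comment could say that too so nobody adds an earlier use.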
@@ -475,8 +477,15 @@ start_vm(struct vmd_vm *vm, int fd) "condition variable", __func__); return (ret); } - mutex_lock(&threadmutex); + ret = pthread_mutex_init(&vm_mtx, NULL); + if (ret) { + log_warn("%s: could not initialize vm state mutex", + __func__); + return (ret); + } + /* Lock thread mutex now. It's unlocked when waiting on threadcond. */ + mutex_lock(&threadmutex); /* * Finalize our communication socket with the vmm process. From here @@ -885,10 +894,14 @@ pause_vm(struct vmd_vm *vm) { unsigned int n; int ret; - if (vm->vm_state & VM_STATE_PAUSED) - return; + mutex_lock(&vm_mtx); + if (vm->vm_state & VM_STATE_PAUSED) { + mutex_unlock(&vm_mtx); + return; + } current_vm->vm_state |= VM_STATE_PAUSED; + mutex_unlock(&vm_mtx); ret = pthread_barrier_init(&vm_pause_barrier, NULL, vm->vm_params.vmc_params.vcp_ncpus + 1); @@ -931,10 +944,15 @@ unpause_vm(struct vmd_vm *vm) { unsigned int n; int ret; - if (!(vm->vm_state & VM_STATE_PAUSED)) - return; + mutex_lock(&vm_mtx); + if (!(vm->vm_state & VM_STATE_PAUSED)) { + mutex_unlock(&vm_mtx); + return; + } current_vm->vm_state &= ~VM_STATE_PAUSED; + mutex_unlock(&vm_mtx); + for (n = 0; n < vm->vm_params.vmc_params.vcp_ncpus; n++) { ret = pthread_cond_broadcast(&vcpu_unpause_cond[n]); if (ret) { @@ -1462,6 +1480,7 @@ run_vm(struct vmop_create_params *vmc, struct vcpu_reg_state *vrs) /* * Did a VCPU thread exit with an error? => return the first one */ + mutex_lock(&vm_mtx); for (i = 0; i < vcp->vcp_ncpus; i++) { if (vcpu_done[i] == 0) continue; @@ -1469,11 +1488,13 @@ run_vm(struct vmop_create_params *vmc, struct vcpu_reg_state *vrs) if (pthread_join(tid[i], &exit_status)) { log_warn("%s: failed to join thread %zd - " "exiting", __progname, i); + mutex_unlock(&vm_mtx); return (EIO); } ret = (intptr_t)exit_status; } + mutex_unlock(&vm_mtx); /* Did the event thread exit? => return with an error */ if (evdone) { 
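Review bot: `pause_vm()` tests `vm->vm_state` but sets `current_vm->vm_state |= VM_STATE_PAUSED` inside the same `vm_mtx` section, and `unpause_vm()` mirrors it; if `vm` and `current_vm` can ever be different objects the lock serialises two different words and the check-then-set is not the atomic transition the new locking is meant to provide. Use one object in both statements, e.g. `vm->vm_state |= VM_STATE_PAUSED;` and `vm->vm_state &= ~VM_STATE_PAUSED;`, or assert `vm == current_vm` at the top of each. The mix predates the commit, but the commit is what gives it a lock to be wrong under.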
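Review bot: `run_vm()` now calls `pthread_join(tid[i], &exit_status)` with `vm_mtx` held, so for the whole duration of the join every vCPU thread that reaches its per-iteration `vm_mtx` snapshot or the `VMX_EXIT_HLT`/`SVM_VMEXIT_HLT` path blocks behind the main thread. Copy the flags under the lock and join outside it: `mutex_lock(&vm_mtx); memcpy(done, vcpu_done, sizeof(done)); mutex_unlock(&vm_mtx);` with `uint8_t done[VMM_MAX_VCPUS_PER_VM];` as a local, then loop over `done[i]`. The second `vcpu_done[]` scan at the top of the following hunk only reads and could use the same copy. The `for` loop being joined, and `vcp`, are declared before the hunk.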
@@ -1489,10 +1510,12 @@ run_vm(struct vmop_create_params *vmc, struct vcpu_reg_state *vrs)
 }

 /* Did all VCPU threads exit successfully? => return */
+ mutex_lock(&vm_mtx);
 for (i = 0; i < vcp->vcp_ncpus; i++) {
 if (vcpu_done[i] == 0)
 break;
 }
+ mutex_unlock(&vm_mtx);
 if (i == vcp->vcp_ncpus)
 return (ret);

@@ -1510,8 +1533,9 @@ event_thread(void *arg)

 ret = event_dispatch();

- mutex_lock(&threadmutex);
 *donep = 1;
+
+ mutex_lock(&threadmutex);
 pthread_cond_signal(&threadcond);
 mutex_unlock(&threadmutex);

@@ -1536,9 +1560,8 @@ vcpu_run_loop(void *arg)
 {
 struct vm_run_params *vrp = (struct vm_run_params *)arg;
 intptr_t ret = 0;
- uint32_t n;
-
- n = vrp->vrp_vcpu_id;
+ uint32_t n = vrp->vrp_vcpu_id;
+ int paused = 0, halted = 0;

 for (;;) {
 ret = pthread_mutex_lock(&vcpu_run_mtx[n]);
@@ -1549,8 +1572,13 @@ vcpu_run_loop(void *arg)
 return ((void *)ret);
 }

+ mutex_lock(&vm_mtx);
+ paused = (current_vm->vm_state & VM_STATE_PAUSED) != 0;
+ halted = vcpu_hlt[n];
+ mutex_unlock(&vm_mtx);
+
 /* If we are halted and need to pause, pause */
- if (vcpu_hlt[n] && (current_vm->vm_state & VM_STATE_PAUSED)) {
+ if (halted && paused) {
 ret = pthread_barrier_wait(&vm_pause_barrier);
 if (ret != 0 && ret != PTHREAD_BARRIER_SERIAL_THREAD) {
 log_warnx("%s: could not wait on pause barrier (%d)",
@@ -1586,7 +1614,7 @@ vcpu_run_loop(void *arg)
 }

 /* If we are halted and not paused, wait */
- if (vcpu_hlt[n]) {
+ if (halted) {
 ret = pthread_cond_wait(&vcpu_run_cond[n],
 &vcpu_run_mtx[n]);

@@ -1642,8 +1670,11 @@ vcpu_run_loop(void *arg)
 }
 }

- mutex_lock(&threadmutex);
+ mutex_lock(&vm_mtx);
 vcpu_done[n] = 1;
+ mutex_unlock(&vm_mtx);
+
+ mutex_lock(&threadmutex);
 pthread_cond_signal(&threadcond);
 mutex_unlock(&threadmutex);

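Review bot: Moving `*donep = 1;` ahead of `mutex_lock(&threadmutex)` in `event_thread()` takes the store out of the critical section its reader in `run_vm()` (the `if (evdone)` test) relies on; the flag is now written under no lock and read, presumably under `threadmutex` given the new `start_vm()` comment, which is a data race in C11 terms even though the following signal gives a loose ordering in practice. Keeping the store inside the locked region costs nothing and is what the removed line did: `mutex_lock(&threadmutex); *donep = 1; pthread_cond_signal(&threadcond); mutex_unlock(&threadmutex);`. The rest of `event_thread()` lies outside the hunk.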
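Review bot: In the last hunk `vcpu_done[n] = 1` is published under `vm_mtx` and `threadmutex` is taken only afterwards, which decouples the flag from the handoff `run_vm()` keys on: if the main thread is awake for another reason, holds `threadmutex` (the new `start_vm()` comment says it is only released inside the threadcond wait), reads `vcpu_done[i] == 1` under `vm_mtx` and calls `pthread_join(tid[i])`, thread `i` is at that moment blocked in `mutex_lock(&threadmutex)` and cannot exit, so the join never returns. The removed code avoided this by setting the flag inside the `threadmutex` section, so the main thread could only observe it once the vCPU thread had left the lock. Taking `threadmutex` first and nesting `vm_mtx` inside it restores that guarantee and matches the threadmutex-then-vm_mtx order `run_vm()` already uses; the function's loop body above this point is unchanged.
```c
	mutex_lock(&threadmutex);
	mutex_lock(&vm_mtx);
	vcpu_done[n] = 1;
	mutex_unlock(&vm_mtx);
	pthread_cond_signal(&threadcond);
	mutex_unlock(&threadmutex);
```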
@@ -1893,19 +1924,9 @@ vcpu_exit(struct vm_run_params *vrp)
 break;
 case VMX_EXIT_HLT:
 case SVM_VMEXIT_HLT:
- ret = pthread_mutex_lock(&vcpu_run_mtx[vrp->vrp_vcpu_id]);
- if (ret) {
- log_warnx("%s: can't lock vcpu mutex (%d)",
- __func__, ret);
- return (ret);
- }
+ mutex_lock(&vm_mtx);
 vcpu_hlt[vrp->vrp_vcpu_id] = 1;
- ret = pthread_mutex_unlock(&vcpu_run_mtx[vrp->vrp_vcpu_id]);
- if (ret) {
- log_warnx("%s: can't unlock vcpu mutex (%d)",
- __func__, ret);
- return (ret);
- }
+ mutex_unlock(&vm_mtx);
 break;
 case VMX_EXIT_TRIPLE_FAULT:
 case SVM_VMEXIT_SHUTDOWN:
@@ -2140,8 +2161,12 @@ vcpu_assert_pic_irq(uint32_t vm_id, uint32_t vcpu_id, int irq)
 if (i8259_is_pending()) {
 if (vcpu_pic_intr(vm_id, vcpu_id, 1))
 fatalx("%s: can't assert INTR", __func__);
- mutex_lock(&vcpu_run_mtx[vcpu_id]);
+
+ mutex_lock(&vm_mtx);
 vcpu_hlt[vcpu_id] = 0;
+ mutex_unlock(&vm_mtx);
+
+ mutex_lock(&vcpu_run_mtx[vcpu_id]);
 ret = pthread_cond_signal(&vcpu_run_cond[vcpu_id]);
 if (ret)
 fatalx("%s: can't signal (%d)", __func__, ret);