sync with OpenBSD -current

bin/dd/dd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dd.c,v 1.28 2021/10/24 21:24:21 deraadt Exp $	*/
+/*	$OpenBSD: dd.c,v 1.29 2024/07/12 14:30:27 deraadt Exp $	*/
 /*	$NetBSD: dd.c,v 1.6 1996/02/20 19:29:06 jtc Exp $	*/
 
 /*-
@@ -74,10 +74,10 @@ main(int argc, char *argv[])
 	jcl(argv);
 	setup();
 
-	(void)signal(SIGINFO, summaryx);
-	(void)signal(SIGINT, terminate);
+	(void)signal(SIGINFO, sig_summary);
+	(void)signal(SIGINT, sig_terminate);
 
-	atexit(summary);
+	atexit(exit_summary);
 
 	if (cpy_cnt != (size_t)-1) {
 		while (files_cnt--)
@@ -265,7 +265,7 @@ dd_in(void)
 			if (!(ddflags & C_NOERROR))
 				err(1, "%s", in.name);
 			warn("%s", in.name);
-			summary();
+			sig_summary(0);
 
 			/*
 			 * If it's not a tape drive or a pipe, seek past the

bin/dd/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.9 2014/03/27 15:32:13 tedu Exp $	*/
+/*	$OpenBSD: extern.h,v 1.10 2024/07/12 14:30:27 deraadt Exp $	*/
 /*	$NetBSD: extern.h,v 1.7 1996/02/20 19:29:07 jtc Exp $	*/
 
 /*-
@@ -44,9 +44,9 @@ void def_close(void);
 void jcl(char **);
 void pos_in(void);
 void pos_out(void);
-void summary(void);
-void summaryx(int);
-void terminate(int);
+void exit_summary(void);
+void sig_summary(int);
+void sig_terminate(int);
 void unblock(void);
 void unblock_close(void);
 

bin/dd/misc.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: misc.c,v 1.23 2018/04/07 18:52:39 cheloha Exp $	*/
+/*	$OpenBSD: misc.c,v 1.26 2024/07/12 19:11:25 florian Exp $	*/
 /*	$NetBSD: misc.c,v 1.4 1995/03/21 09:04:10 cgd Exp $	*/
 
 /*-
@@ -45,20 +45,32 @@
 #include "dd.h"
 #include "extern.h"
 
+/* SIGINFO handler */
 void
-summary(void)
+sig_summary(int notused)
 {
+	int save_errno = errno;
 	struct timespec elapsed, now;
-	double nanosecs;
+	unsigned long long bps, msec;
 
 	if (ddflags & C_NOINFO)
 		return;
 
 	clock_gettime(CLOCK_MONOTONIC, &now);
 	timespecsub(&now, &st.start, &elapsed);
-	nanosecs = ((double)elapsed.tv_sec * 1000000000) + elapsed.tv_nsec;
-	if (nanosecs == 0)
-		nanosecs = 1;
+
+	if (elapsed.tv_sec > 600)
+		bps = st.bytes / elapsed.tv_sec;
+	else if (elapsed.tv_sec > 0) {
+		/* will overflow at ~ 30 exabytes / second */
+		msec = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000;
+		if (msec == 0)
+			msec = 1;
+		bps = st.bytes * 1000 / msec;
+	} else if (elapsed.tv_nsec > 0)
+		bps = st.bytes * 1000000000 / elapsed.tv_nsec;
+	else
+		bps = st.bytes;
 
 	/* Be async safe: use dprintf(3). */
 	dprintf(STDERR_FILENO, "%zu+%zu records in\n%zu+%zu records out\n",
@@ -75,24 +87,23 @@ summary(void)
 	if (!(ddflags & C_NOXFER)) {
 		dprintf(STDERR_FILENO,
 		    "%lld bytes transferred in %lld.%03ld secs "
-		    "(%0.0f bytes/sec)\n", (long long)st.bytes,
-		    (long long)elapsed.tv_sec, elapsed.tv_nsec / 1000000,
-		    ((double)st.bytes * 1000000000) / nanosecs);
+		    "(%llu bytes/sec)\n", (long long)st.bytes,
+		    (long long)elapsed.tv_sec, elapsed.tv_nsec / 1000000, bps);
 	}
-}
-
-void
-summaryx(int notused)
-{
-	int save_errno = errno;
-
-	summary();
 	errno = save_errno;
 }
 
+/* SIGINT handler */
 void
-terminate(int signo)
+sig_terminate(int signo)
 {
-	summary();
+	sig_summary(0);
 	_exit(128 + signo);
 }
+
+/* atexit variation to summarize */
+void
+exit_summary(void)
+{
+	sig_summary(0);
+}

bin/dd/position.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: position.c,v 1.11 2019/06/28 13:34:59 deraadt Exp $	*/
+/*	$OpenBSD: position.c,v 1.12 2024/07/12 14:30:27 deraadt Exp $	*/
 /*	$NetBSD: position.c,v 1.4 1995/03/21 09:04:12 cgd Exp $	*/
 
 /*-
@@ -103,7 +103,7 @@ pos_in(void)
 			if (!warned) {
 				warn("%s", in.name);
 				warned = 1;
-				summary();
+				sig_summary(0);
 			}
 			continue;
 		}

distrib/sets/lists/base/md.arm64

@@ -432,6 +432,8 @@
 ./usr/sbin/hotplugd
 ./usr/sbin/mkuboot
 ./usr/sbin/pcidump
+./usr/sbin/vmctl
+./usr/sbin/vmd
 ./usr/sbin/wsconscfg
 ./usr/sbin/wsfontload
 ./usr/sbin/wsmoused

distrib/sets/lists/comp/md.arm64

@@ -53,6 +53,7 @@
 ./usr/include/arm64/tcb.h
 ./usr/include/arm64/timetc.h
 ./usr/include/arm64/trap.h
+./usr/include/arm64/vmmvar.h
 ./usr/include/arm64/vmparam.h
 ./usr/include/ieeefp.h
 ./usr/libdata/ldscripts

etc/examples/vm.conf

@@ -1,4 +1,4 @@
-# $OpenBSD: vm.conf,v 1.11 2021/11/11 09:38:14 claudio Exp $
+# $OpenBSD: vm.conf,v 1.12 2024/07/12 12:35:32 florian Exp $
 
 #
 # Macros
@@ -10,13 +10,13 @@ sets="/var/www/htdocs/pub/OpenBSD/snapshots/amd64/"
 #
 
 switch "uplink" {
-	# This switch will use bridge0, defined by /etc/hostname.bridge0, as
-	# the underlying interface.  veb(4) is also supported
-	interface bridge0
+	# This switch will use veb0, defined by /etc/hostname.veb0, as
+	# the underlying interface.  bridge(4) is also supported
+	interface veb0
 }
 
 switch "local" {
-	interface bridge1
+	interface veb1
 	down
 }
 

gnu/llvm/lldb/source/Plugins/Platform/OpenBSD/PlatformOpenBSD.cpp

@@ -25,6 +25,7 @@
 #include "lldb/Utility/State.h"
 #include "lldb/Utility/Status.h"
 #include "lldb/Utility/StreamString.h"
+#include "Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h"
 
 // Define these constants from OpenBSD mman.h for use when targeting remote
 // openbsd systems even when host has different values.
@@ -91,6 +92,7 @@ void PlatformOpenBSD::Initialize() {
         PlatformOpenBSD::GetPluginNameStatic(false),
         PlatformOpenBSD::GetPluginDescriptionStatic(false),
         PlatformOpenBSD::CreateInstance, nullptr);
+	ProcessOpenBSDKernel::Initialize();
   }
 }
 
@@ -98,6 +100,7 @@ void PlatformOpenBSD::Terminate() {
   if (g_initialize_count > 0) {
     if (--g_initialize_count == 0) {
       PluginManager::UnregisterPlugin(PlatformOpenBSD::CreateInstance);
+      ProcessOpenBSDKernel::Terminate();
     }
   }
 

gnu/llvm/lldb/source/Plugins/Process/CMakeLists.txt

@@ -22,3 +22,4 @@ add_subdirectory(elf-core)
 add_subdirectory(mach-core)
 add_subdirectory(minidump)
 add_subdirectory(FreeBSDKernel)
+add_subdirectory(OpenBSDKernel)

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/CMakeLists.txt

@@ -0,0 +1,14 @@
+add_lldb_library(lldbPluginProcessOpenBSDKernel PLUGIN
+  ProcessOpenBSDKernel.cpp
+  RegisterContextOpenBSDKernel_arm64.cpp
+  RegisterContextOpenBSDKernel_i386.cpp
+  RegisterContextOpenBSDKernel_x86_64.cpp
+  ThreadOpenBSDKernel.cpp
+
+  LINK_LIBS
+    lldbCore
+    lldbTarget
+    kvm
+  LINK_COMPONENTS
+    Support
+  )

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.cpp

@@ -0,0 +1,223 @@
+//===-- ProcessOpenBSDKernel.cpp ------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "lldb/Core/Module.h"
+#include "lldb/Core/PluginManager.h"
+#include "lldb/Target/DynamicLoader.h"
+
+#include "Plugins/DynamicLoader/Static/DynamicLoaderStatic.h"
+#include "ProcessOpenBSDKernel.h"
+#include "ThreadOpenBSDKernel.h"
+
+#if defined(__OpenBSD__)
+#include <kvm.h>
+#define _KERNEL
+#include <machine/cpu.h>
+#include <sys/proc.h>
+#undef _KERNEL
+#endif
+
+using namespace lldb;
+using namespace lldb_private;
+
+LLDB_PLUGIN_DEFINE(ProcessOpenBSDKernel)
+
+namespace {
+
+#if defined(__OpenBSD__)
+class ProcessOpenBSDKernelKVM : public ProcessOpenBSDKernel {
+public:
+  ProcessOpenBSDKernelKVM(lldb::TargetSP target_sp, lldb::ListenerSP listener,
+			  kvm_t *fvc);
+
+  ~ProcessOpenBSDKernelKVM();
+
+  size_t DoReadMemory(lldb::addr_t addr, void *buf, size_t size,
+		      lldb_private::Status &error) override;
+
+private:
+  kvm_t *m_kvm;
+
+  const char *GetError();
+};
+#endif // defined(__OpenBSD__)
+
+} // namespace
+
+ProcessOpenBSDKernel::ProcessOpenBSDKernel(lldb::TargetSP target_sp,
+					   ListenerSP listener_sp)
+    : PostMortemProcess(target_sp, listener_sp) {}
+
+lldb::ProcessSP ProcessOpenBSDKernel::CreateInstance(lldb::TargetSP target_sp,
+						     ListenerSP listener_sp,
+						     const FileSpec *crash_file,
+						     bool can_connect) {
+  ModuleSP executable = target_sp->GetExecutableModule();
+  if (crash_file && !can_connect && executable) {
+#if defined(__OpenBSD__)
+    kvm_t *kvm =
+	kvm_open(executable->GetFileSpec().GetPath().c_str(),
+		 crash_file->GetPath().c_str(), nullptr, O_RDONLY, nullptr);
+    if (kvm)
+      return std::make_shared<ProcessOpenBSDKernelKVM>(target_sp, listener_sp,
+						       kvm);
+#endif
+  }
+  return nullptr;
+}
+
+void ProcessOpenBSDKernel::Initialize() {
+  static llvm::once_flag g_once_flag;
+
+  llvm::call_once(g_once_flag, []() {
+    PluginManager::RegisterPlugin(GetPluginNameStatic(),
+				  GetPluginDescriptionStatic(), CreateInstance);
+  });
+}
+
+void ProcessOpenBSDKernel::Terminate() {
+  PluginManager::UnregisterPlugin(ProcessOpenBSDKernel::CreateInstance);
+}
+
+Status ProcessOpenBSDKernel::DoDestroy() { return Status(); }
+
+bool ProcessOpenBSDKernel::CanDebug(lldb::TargetSP target_sp,
+				    bool plugin_specified_by_name) {
+  return true;
+}
+
+void ProcessOpenBSDKernel::RefreshStateAfterStop() {}
+
+bool ProcessOpenBSDKernel::DoUpdateThreadList(ThreadList &old_thread_list,
+					      ThreadList &new_thread_list) {
+  if (old_thread_list.GetSize(false) == 0) {
+    // Make up the thread the first time this is called so we can set our one
+    // and only core thread state up.
+
+    // We cannot construct a thread without a register context as that crashes
+    // LLDB but we can construct a process without threads to provide minimal
+    // memory reading support.
+    switch (GetTarget().GetArchitecture().GetMachine()) {
+    case llvm::Triple::aarch64:
+    case llvm::Triple::x86:
+    case llvm::Triple::x86_64:
+      break;
+    default:
+      return false;
+    }
+
+    Status error;
+    int32_t i;
+    lldb::addr_t dumppcb = FindSymbol("dumppcb");
+    uint32_t offset_p_list = offsetof(proc, p_list);
+    uint32_t offset_p_addr = offsetof(proc, p_addr);
+    uint32_t offset_p_tid = offsetof(proc, p_tid);
+    uint32_t offset_p_p = offsetof(proc, p_p);
+    uint32_t offset_ps_comm = offsetof(process, ps_comm);
+    uint32_t offset_ps_pid = offsetof(process, ps_pid);
+    uint32_t offset_ci_curproc = offsetof(cpu_info, ci_curproc);
+    char    comm[_MAXCOMLEN];
+
+    int32_t ncpu = ReadSignedIntegerFromMemory(FindSymbol("ncpus"),
+					       4, -1, error);
+    if (ncpu < 0)
+      return false;
+
+    lldb::addr_t cpu_procs[ncpu];
+
+    if (dumppcb != LLDB_INVALID_ADDRESS) {
+      std::string thread_desc = llvm::formatv("Crashed Thread");
+      ThreadSP thread_sp {
+		new ThreadOpenBSDKernel(*this, 0, dumppcb, thread_desc)};
+	new_thread_list.AddThread(thread_sp);
+    }
+
+    lldb::addr_t cpu_info = FindSymbol("cpu_info");
+    lldb::addr_t cpu_info_array = (cpu_info == LLDB_INVALID_ADDRESS) ?
+      ReadPointerFromMemory(FindSymbol("cpu_info_list"), error) : cpu_info;
+    for (i = 0; i < ncpu ; i++) {
+      lldb::addr_t ci =
+	ReadPointerFromMemory(cpu_info_array + sizeof(void*) * i, error);
+      cpu_procs[i] = ReadPointerFromMemory(ci + offset_ci_curproc, error);
+    }
+
+    for (lldb::addr_t proc = ReadPointerFromMemory(FindSymbol("allproc"), error);
+	 proc != 0 && proc != LLDB_INVALID_ADDRESS;
+	 proc = ReadPointerFromMemory(proc + offset_p_list, error)) {
+
+      lldb::tid_t tid = ReadSignedIntegerFromMemory(proc + offset_p_tid, 4, -1,
+						    error);
+      lldb::addr_t process = ReadPointerFromMemory(proc + offset_p_p, error);
+      ReadMemory(process + offset_ps_comm, &comm, sizeof(comm), error);
+      u_int32_t pid = ReadSignedIntegerFromMemory(process + offset_ps_pid, 4,
+						  -1, error);
+      lldb::addr_t p_addr = ReadPointerFromMemory(proc + offset_p_addr, error);
+      for (i = 0; i < ncpu; i++)
+	if (cpu_procs[i] == proc)
+	  break;
+      std::string thread_desc;
+      if (i == ncpu)
+	thread_desc = llvm::formatv("(pid:{0}) {1}", pid, comm);
+      else
+	thread_desc = llvm::formatv("(pid:{0}) {1} (cpu {2})", pid, comm, i);
+      ThreadSP thread_sp {
+		new ThreadOpenBSDKernel(*this, tid, p_addr, thread_desc)};
+	new_thread_list.AddThread(thread_sp);
+    }
+  } else {
+    const uint32_t num_threads = old_thread_list.GetSize(false);
+    for (uint32_t i = 0; i < num_threads; ++i)
+      new_thread_list.AddThread(old_thread_list.GetThreadAtIndex(i, false));
+  }
+  return new_thread_list.GetSize(false) > 0;
+}
+
+Status ProcessOpenBSDKernel::DoLoadCore() {
+  // The core is already loaded by CreateInstance().
+  return Status();
+}
+
+DynamicLoader *ProcessOpenBSDKernel::GetDynamicLoader() {
+  if (m_dyld_up.get() == nullptr)
+    m_dyld_up.reset(DynamicLoader::FindPlugin(
+	this, DynamicLoaderStatic::GetPluginNameStatic()));
+  return m_dyld_up.get();
+}
+
+lldb::addr_t ProcessOpenBSDKernel::FindSymbol(const char *name) {
+  ModuleSP mod_sp = GetTarget().GetExecutableModule();
+  const Symbol *sym = mod_sp->FindFirstSymbolWithNameAndType(ConstString(name));
+  return sym ? sym->GetLoadAddress(&GetTarget()) : LLDB_INVALID_ADDRESS;
+}
+
+#if defined(__OpenBSD__)
+
+ProcessOpenBSDKernelKVM::ProcessOpenBSDKernelKVM(lldb::TargetSP target_sp,
+						 ListenerSP listener_sp,
+						 kvm_t *fvc)
+    : ProcessOpenBSDKernel(target_sp, listener_sp), m_kvm(fvc) {}
+
+ProcessOpenBSDKernelKVM::~ProcessOpenBSDKernelKVM() {
+  if (m_kvm)
+    kvm_close(m_kvm);
+}
+
+size_t ProcessOpenBSDKernelKVM::DoReadMemory(lldb::addr_t addr, void *buf,
+					     size_t size, Status &error) {
+  ssize_t rd = 0;
+  rd = kvm_read(m_kvm, addr, buf, size);
+  if (rd < 0 || static_cast<size_t>(rd) != size) {
+    error.SetErrorStringWithFormat("Reading memory failed: %s", GetError());
+    return rd > 0 ? rd : 0;
+  }
+  return rd;
+}
+
+const char *ProcessOpenBSDKernelKVM::GetError() { return kvm_geterr(m_kvm); }
+
+#endif // defined(__OpenBSD__)

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h

@@ -0,0 +1,53 @@
+//===-- ProcessOpenBSDKernel.h ----------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H
+
+#include "lldb/Target/PostMortemProcess.h"
+
+class ProcessOpenBSDKernel : public lldb_private::PostMortemProcess {
+public:
+  ProcessOpenBSDKernel(lldb::TargetSP target_sp, lldb::ListenerSP listener);
+
+  static lldb::ProcessSP
+  CreateInstance(lldb::TargetSP target_sp, lldb::ListenerSP listener,
+		 const lldb_private::FileSpec *crash_file_path,
+		 bool can_connect);
+
+  static void Initialize();
+
+  static void Terminate();
+
+  static llvm::StringRef GetPluginNameStatic() { return "openbsd-kernel"; }
+
+  static llvm::StringRef GetPluginDescriptionStatic() {
+	return "OpenBSD kernel vmcore debugging plug-in.";
+  }
+
+  llvm::StringRef GetPluginName() override { return GetPluginNameStatic(); }
+
+  lldb_private::Status DoDestroy() override;
+
+  bool CanDebug(lldb::TargetSP target_sp,
+		bool plugin_specified_by_name) override;
+
+  void RefreshStateAfterStop() override;
+
+  lldb_private::Status DoLoadCore() override;
+
+  lldb_private::DynamicLoader *GetDynamicLoader() override;
+
+protected:
+  bool DoUpdateThreadList(lldb_private::ThreadList &old_thread_list,
+			  lldb_private::ThreadList &new_thread_list) override;
+
+  lldb::addr_t FindSymbol(const char* name);
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.cpp

@@ -0,0 +1,107 @@
+//===-- RegisterContextOpenBSDKernel_arm64.cpp ----------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#if defined(__OpenBSD__)
+#include <sys/types.h>
+#include <sys/time.h>
+#define _KERNEL
+#include <machine/cpu.h>
+#undef _KERNEL
+#include <machine/pcb.h>
+#include <frame.h>
+#endif
+
+#include "RegisterContextOpenBSDKernel_arm64.h"
+#include "Plugins/Process/Utility/lldb-arm64-register-enums.h"
+
+#include "lldb/Target/Process.h"
+#include "lldb/Target/Thread.h"
+#include "lldb/Utility/RegisterValue.h"
+#include "llvm/Support/Endian.h"
+
+using namespace lldb;
+using namespace lldb_private;
+
+RegisterContextOpenBSDKernel_arm64::RegisterContextOpenBSDKernel_arm64(
+    Thread &thread, std::unique_ptr<RegisterInfoPOSIX_arm64> register_info_up,
+    lldb::addr_t pcb_addr)
+    : RegisterContextPOSIX_arm64(thread, std::move(register_info_up)),
+      m_pcb_addr(pcb_addr) {}
+
+bool RegisterContextOpenBSDKernel_arm64::ReadGPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_arm64::ReadFPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_arm64::WriteGPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_arm64::WriteFPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_arm64::ReadRegister(
+    const RegisterInfo *reg_info, RegisterValue &value) {
+  if (m_pcb_addr == LLDB_INVALID_ADDRESS)
+    return false;
+
+#ifdef __aarch64__
+  Status error;
+  struct pcb pcb;
+  size_t rd = m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb),
+						error);
+  if (rd != sizeof(pcb))
+    return false;
+
+  /*
+    Usually pcb is written in `cpu_switchto` function. This function writes
+    registers as same as the structure of  `swichframe`  in the stack.
+    We read the frame if it is.
+   */
+  struct switchframe sf;
+  rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_sp, &sf, sizeof(sf), error);
+  if (rd != sizeof(sf))
+    return false;
+
+  uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB];
+  switch (reg) {
+#define REG(x)					\
+    case gpr_##x##_arm64:			\
+      value = (u_int64_t)sf.sf_##x;		\
+      return true;
+
+    REG(x19);
+    REG(x20);
+    REG(x21);
+    REG(x22);
+    REG(x23);
+    REG(x24);
+    REG(x25);
+    REG(x26);
+    REG(x27);
+    REG(x28);
+  case gpr_fp_arm64:
+    value = (u_int64_t)sf.sf_x29;
+    return true;
+  case gpr_sp_arm64:
+    value = (u_int64_t)pcb.pcb_sp;
+    return true;
+  case gpr_pc_arm64:
+    value = (u_int64_t)sf.sf_lr;
+    return true;
+  }
+#endif
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_arm64::WriteRegister(
+    const RegisterInfo *reg_info, const RegisterValue &value) {
+  return false;
+}

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.h

@@ -0,0 +1,41 @@
+//===-- RegisterContextOpenBSDKernel_arm64.h --------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H
+
+#include "Plugins/Process/Utility/RegisterContextPOSIX_arm64.h"
+#include "Plugins/Process/elf-core/RegisterUtilities.h"
+
+class RegisterContextOpenBSDKernel_arm64 : public RegisterContextPOSIX_arm64 {
+public:
+  RegisterContextOpenBSDKernel_arm64(
+      lldb_private::Thread &thread,
+      std::unique_ptr<RegisterInfoPOSIX_arm64> register_info_up,
+      lldb::addr_t pcb_addr);
+
+  bool ReadRegister(const lldb_private::RegisterInfo *reg_info,
+		    lldb_private::RegisterValue &value) override;
+
+  bool WriteRegister(const lldb_private::RegisterInfo *reg_info,
+		     const lldb_private::RegisterValue &value) override;
+
+protected:
+  bool ReadGPR() override;
+
+  bool ReadFPR() override;
+
+  bool WriteGPR() override;
+
+  bool WriteFPR() override;
+
+private:
+  lldb::addr_t m_pcb_addr;
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.cpp

@@ -0,0 +1,110 @@
+//===-- RegisterContextOpenBSDKernel_i386.cpp -----------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#if defined(__OpenBSD__)
+#include <sys/types.h>
+#include <sys/time.h>
+#define _KERNEL
+#include <machine/cpu.h>
+#undef _KERNEL
+#include <machine/pcb.h>
+#include <frame.h>
+#endif
+
+#include "RegisterContextOpenBSDKernel_i386.h"
+
+#include "lldb/Target/Process.h"
+#include "lldb/Target/Thread.h"
+#include "lldb/Utility/RegisterValue.h"
+#include "llvm/Support/Endian.h"
+
+using namespace lldb;
+using namespace lldb_private;
+
+RegisterContextOpenBSDKernel_i386::RegisterContextOpenBSDKernel_i386(
+    Thread &thread, RegisterInfoInterface *register_info, lldb::addr_t pcb_addr)
+    : RegisterContextPOSIX_x86(thread, 0, register_info), m_pcb_addr(pcb_addr) {
+}
+
+bool RegisterContextOpenBSDKernel_i386::ReadGPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_i386::ReadFPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_i386::WriteGPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_i386::WriteFPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_i386::ReadRegister(
+    const RegisterInfo *reg_info, RegisterValue &value) {
+  if (m_pcb_addr == LLDB_INVALID_ADDRESS)
+    return false;
+
+#ifdef __i386__
+  struct pcb pcb;
+
+  Status error;
+  size_t rd =
+      m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb), error);
+  if (rd != sizeof(pcb))
+    return false;
+
+  if ((pcb.pcb_flags & PCB_SAVECTX) != 0) {
+    uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB];
+    switch (reg) {
+#define PCBREG(x)							\
+    case lldb_##x##_i386:						\
+      value = pcb.pcb_##x;						\
+      return true;
+    PCBREG(ebp);
+    PCBREG(esp);
+    case lldb_eip_i386:
+      value = m_thread.GetProcess()->ReadPointerFromMemory(pcb.pcb_ebp + 4,
+							   error);
+      return true;
+    }
+    return false;
+  }
+
+  /*
+    Usually pcb is written in `cpu_switchto` function. This function writes
+    registers as same as the structure of  `swichframe`  in the stack.
+    We read the frame if it is.
+   */
+  struct switchframe sf;
+  rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_esp, &sf, sizeof(sf), error);
+  if (rd != sizeof(sf))
+    return false;
+
+  uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB];
+  switch (reg) {
+#define SFREG(x)							\
+    case lldb_##x##_i386:						\
+      value = sf.sf_##x;						\
+      return true;
+
+    SFREG(edi);
+    SFREG(esi);
+    SFREG(ebx);
+    SFREG(eip);
+    PCBREG(ebp);
+    PCBREG(esp);
+  }
+#endif
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_i386::WriteRegister(
+    const RegisterInfo *reg_info, const RegisterValue &value) {
+  return false;
+}

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.h

@@ -0,0 +1,41 @@
+//===-- RegisterContextOpenBSDKernel_i386.h ---------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H
+
+#include "Plugins/Process/Utility/RegisterContextPOSIX_x86.h"
+#include "Plugins/Process/elf-core/RegisterUtilities.h"
+
+class RegisterContextOpenBSDKernel_i386 : public RegisterContextPOSIX_x86 {
+public:
+  RegisterContextOpenBSDKernel_i386(
+      lldb_private::Thread &thread,
+      lldb_private::RegisterInfoInterface *register_info,
+      lldb::addr_t pcb_addr);
+
+  bool ReadRegister(const lldb_private::RegisterInfo *reg_info,
+		    lldb_private::RegisterValue &value) override;
+
+  bool WriteRegister(const lldb_private::RegisterInfo *reg_info,
+		     const lldb_private::RegisterValue &value) override;
+
+protected:
+  bool ReadGPR() override;
+
+  bool ReadFPR() override;
+
+  bool WriteGPR() override;
+
+  bool WriteFPR() override;
+
+private:
+  lldb::addr_t m_pcb_addr;
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.cpp

@@ -0,0 +1,111 @@
+//===-- RegisterContextOpenBSDKernel_x86_64.cpp ---------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#if defined(__OpenBSD__)
+#include <sys/types.h>
+#include <sys/time.h>
+#define _KERNEL
+#include <machine/cpu.h>
+#undef _KERNEL
+#include <machine/pcb.h>
+#include <frame.h>
+#endif
+
+#include "RegisterContextOpenBSDKernel_x86_64.h"
+
+#include "lldb/Target/Process.h"
+#include "lldb/Target/Thread.h"
+#include "lldb/Utility/RegisterValue.h"
+#include "llvm/Support/Endian.h"
+
+using namespace lldb;
+using namespace lldb_private;
+
+RegisterContextOpenBSDKernel_x86_64::RegisterContextOpenBSDKernel_x86_64(
+    Thread &thread, RegisterInfoInterface *register_info,
+    lldb::addr_t pcb)
+  : RegisterContextPOSIX_x86(thread, 0, register_info),
+    m_pcb_addr(pcb) {
+}
+
+bool RegisterContextOpenBSDKernel_x86_64::ReadGPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_x86_64::ReadFPR() { return true; }
+
+bool RegisterContextOpenBSDKernel_x86_64::WriteGPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_x86_64::WriteFPR() {
+  assert(0);
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_x86_64::ReadRegister(
+    const RegisterInfo *reg_info, RegisterValue &value) {
+  Status error;
+
+  if (m_pcb_addr == LLDB_INVALID_ADDRESS)
+    return false;
+
+#ifdef __amd64__
+  struct pcb pcb;
+  size_t rd = m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb),
+						error);
+  if (rd != sizeof(pcb))
+    return false;
+
+  /*
+    Usually pcb is written in `cpu_switchto` function. This function writes
+    registers as same as the structure of  `swichframe`  in the stack.
+    We read the frame if it is.
+   */
+  struct switchframe sf;
+  rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_rsp, &sf, sizeof(sf), error);
+  if (rd != sizeof(sf))
+    return false;
+
+  uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB];
+  if (pcb.pcb_rbp == (u_int64_t)sf.sf_rbp) {
+#define SFREG(x)				\
+    case lldb_##x##_x86_64:			\
+      value = (u_int64_t)sf.sf_##x;		\
+      return true;
+#define PCBREG(x)				\
+    case lldb_##x##_x86_64:			\
+      value = pcb.pcb_##x;			\
+      return true;
+    switch (reg) {
+      SFREG(r15);
+      SFREG(r14);
+      SFREG(r13);
+      SFREG(r12);
+      SFREG(rbp);
+      SFREG(rbx);
+      SFREG(rip);
+      PCBREG(rsp);
+    }
+  } else {
+    switch (reg) {
+      PCBREG(rbp);
+      PCBREG(rsp);
+    case lldb_rip_x86_64:
+      value = m_thread.GetProcess()->ReadPointerFromMemory(pcb.pcb_rbp + 8,
+							   error);
+      return true;
+    }
+  }
+#endif
+  return false;
+}
+
+bool RegisterContextOpenBSDKernel_x86_64::WriteRegister(
+    const RegisterInfo *reg_info, const RegisterValue &value) {
+  return false;
+}

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.h

@@ -0,0 +1,41 @@
+//===-- RegisterContextOpenBSDKernel_x86_64.h -------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H
+
+#include "Plugins/Process/Utility/RegisterContextPOSIX_x86.h"
+#include "Plugins/Process/elf-core/RegisterUtilities.h"
+
+class RegisterContextOpenBSDKernel_x86_64 : public RegisterContextPOSIX_x86 {
+public:
+  RegisterContextOpenBSDKernel_x86_64(
+      lldb_private::Thread &thread,
+      lldb_private::RegisterInfoInterface *register_info,
+      lldb::addr_t pcb);
+
+  bool ReadRegister(const lldb_private::RegisterInfo *reg_info,
+		    lldb_private::RegisterValue &value) override;
+
+  bool WriteRegister(const lldb_private::RegisterInfo *reg_info,
+		     const lldb_private::RegisterValue &value) override;
+
+protected:
+  bool ReadGPR() override;
+
+  bool ReadFPR() override;
+
+  bool WriteGPR() override;
+
+  bool WriteFPR() override;
+
+private:
+  lldb::addr_t m_pcb_addr;
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.cpp

@@ -0,0 +1,86 @@
+//===-- ThreadOpenBSDKernel.cpp -------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "ThreadOpenBSDKernel.h"
+
+#include "lldb/Target/Unwind.h"
+#include "lldb/Utility/Log.h"
+
+#include "Plugins/Process/Utility/RegisterContextOpenBSD_i386.h"
+#include "Plugins/Process/Utility/RegisterContextOpenBSD_x86_64.h"
+#include "Plugins/Process/Utility/RegisterInfoPOSIX_arm64.h"
+#include "ProcessOpenBSDKernel.h"
+#include "RegisterContextOpenBSDKernel_arm64.h"
+#include "RegisterContextOpenBSDKernel_i386.h"
+#include "RegisterContextOpenBSDKernel_x86_64.h"
+#include "ThreadOpenBSDKernel.h"
+
+using namespace lldb;
+using namespace lldb_private;
+
+ThreadOpenBSDKernel::ThreadOpenBSDKernel(Process &process, lldb::tid_t tid,
+					 lldb::addr_t pcb,
+					 std::string thread_name)
+    : Thread(process, tid), m_thread_name(std::move(thread_name)),
+      m_pcb(pcb) {}
+
+ThreadOpenBSDKernel::~ThreadOpenBSDKernel() {}
+
+void ThreadOpenBSDKernel::RefreshStateAfterStop() {}
+
+lldb::RegisterContextSP ThreadOpenBSDKernel::GetRegisterContext() {
+  if (!m_reg_context_sp)
+    m_reg_context_sp = CreateRegisterContextForFrame(nullptr);
+  return m_reg_context_sp;
+}
+
+lldb::RegisterContextSP
+ThreadOpenBSDKernel::CreateRegisterContextForFrame(StackFrame *frame) {
+  RegisterContextSP reg_ctx_sp;
+  uint32_t concrete_frame_idx = 0;
+
+  if (frame)
+    concrete_frame_idx = frame->GetConcreteFrameIndex();
+
+  if (concrete_frame_idx == 0) {
+    if (m_thread_reg_ctx_sp)
+      return m_thread_reg_ctx_sp;
+
+    ProcessOpenBSDKernel *process =
+	static_cast<ProcessOpenBSDKernel *>(GetProcess().get());
+    ArchSpec arch = process->GetTarget().GetArchitecture();
+
+    switch (arch.GetMachine()) {
+    case llvm::Triple::aarch64:
+      m_thread_reg_ctx_sp =
+	  std::make_shared<RegisterContextOpenBSDKernel_arm64>(
+	      *this, std::make_unique<RegisterInfoPOSIX_arm64>(arch, 0),
+	      m_pcb);
+      break;
+    case llvm::Triple::x86:
+      m_thread_reg_ctx_sp = std::make_shared<RegisterContextOpenBSDKernel_i386>(
+	  *this, new RegisterContextOpenBSD_i386(arch), m_pcb);
+      break;
+    case llvm::Triple::x86_64:
+      m_thread_reg_ctx_sp =
+	  std::make_shared<RegisterContextOpenBSDKernel_x86_64>(
+		  *this, new RegisterContextOpenBSD_x86_64(arch), m_pcb);
+      break;
+    default:
+      assert(false && "Unsupported architecture passed to ThreadOpenBSDKernel");
+      break;
+    }
+
+    reg_ctx_sp = m_thread_reg_ctx_sp;
+  } else {
+    reg_ctx_sp = GetUnwinder().CreateRegisterContextForFrame(frame);
+  }
+  return reg_ctx_sp;
+}
+
+bool ThreadOpenBSDKernel::CalculateStopInfo() { return false; }

gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.h

@@ -0,0 +1,50 @@
+//===-- ThreadOpenBSDKernel.h ------------------------------------- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H
+
+#include "lldb/Target/Thread.h"
+
+class ThreadOpenBSDKernel : public lldb_private::Thread {
+public:
+  ThreadOpenBSDKernel(lldb_private::Process &process, lldb::tid_t tid,
+		      lldb::addr_t pcb, std::string thread_name);
+
+  ~ThreadOpenBSDKernel() override;
+
+  void RefreshStateAfterStop() override;
+
+  lldb::RegisterContextSP GetRegisterContext() override;
+
+  lldb::RegisterContextSP
+  CreateRegisterContextForFrame(lldb_private::StackFrame *frame) override;
+
+  const char *GetName() override {
+    if (m_thread_name.empty())
+      return nullptr;
+    return m_thread_name.c_str();
+  }
+
+  void SetName(const char *name) override {
+    if (name && name[0])
+      m_thread_name.assign(name);
+    else
+      m_thread_name.clear();
+  }
+
+protected:
+  bool CalculateStopInfo() override;
+
+private:
+  std::string m_thread_name;
+  lldb::RegisterContextSP m_thread_reg_ctx_sp;
+  lldb::addr_t m_pcb;
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H

gnu/usr.bin/clang/liblldbPluginProcess/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.11 2023/11/11 18:35:39 robert Exp $
+# $OpenBSD: Makefile,v 1.12 2024/07/13 07:25:38 asou Exp $
 
 LIB=	lldbPluginProcess
 NOPIC=
@@ -124,6 +124,13 @@ SRCS+=	MinidumpTypes.cpp \
 SRCS+=	ScriptedProcess.cpp \
 	ScriptedThread.cpp
 
+# Process/OpenBSDKernel
+SRCS+=	ProcessOpenBSDKernel.cpp \
+	RegisterContextOpenBSDKernel_arm64.cpp \
+	RegisterContextOpenBSDKernel_i386.cpp \
+	RegisterContextOpenBSDKernel_x86_64.cpp \
+	ThreadOpenBSDKernel.cpp
+
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/OpenBSD
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/POSIX
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/gdb-remote
@@ -132,6 +139,7 @@ SRCS+=	ScriptedProcess.cpp \
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/mach-core
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/minidump
 .PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/scripted
+.PATH:	${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/OpenBSDKernel
 
 install:
 	@# Nothing here so far ...

gnu/usr.bin/clang/lldb/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.16 2024/02/08 20:28:54 miod Exp $
+# $OpenBSD: Makefile,v 1.17 2024/07/13 07:25:38 asou Exp $
 
 .include <bsd.own.mk>
 
@@ -10,7 +10,7 @@ SRCS=	Driver.cpp \
 	Platform.cpp \
 	Version.cpp
 
-LDADD+=		-lcurses -ledit -lpanel
+LDADD+=		-lcurses -ledit -lpanel -lkvm
 
 CPPFLAGS+=	${LLDB_INCLUDES}
 CPPFLAGS+=	${CLANG_INCLUDES}

lib/libc/gen/signal.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: signal.3,v 1.57 2022/10/13 21:37:05 jmc Exp $
+.\"	$OpenBSD: signal.3,v 1.58 2024/07/12 11:01:40 deraadt Exp $
 .\"
 .\" Copyright (c) 1980, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2022 $
+.Dd $Mdocdate: July 12 2024 $
 .Dt SIGNAL 3
 .Os
 .Sh NAME
@@ -240,10 +240,22 @@ function;
 other
 ignored signals remain ignored.
 .Pp
-The following functions are either reentrant or not interruptible
-by signals and are async-signal-safe.
-Therefore applications may
-invoke them, without restriction, from signal-catching functions:
+Signal handlers should be as minimal as possible, and use only signal-safe
+operations.
+The safest handlers only change a single variable of type
+.Va volatile sig_atomic_t ,
+which is inspected by an event loop.
+Other variables accessed inside the handler must be either const, or
+local to the handler.
+More complicated global variables (such as strings, structs, or lists)
+will require external methods to gaurantee consistancy, such as
+signal-blocking with
+.Xr sigprocmask 2 .
+.Pp
+More complicated handlers must restrict themselves to calling only the following
+list of signal-safe functions directly.
+Avoid abstracting the work to helper functions which are also called from
+other contexts because future coders will forget the signal-safe requirement.
 .Pp
 Standard Interfaces:
 .Pp
@@ -418,21 +430,9 @@ Extension Interfaces:
 .Fn wait3 ,
 .Fn wait4 .
 .Pp
-In addition, access and updates to
+Since signal-safe functions can encounter system call errors,
 .Va errno
-are guaranteed to be safe.
-Most functions not in the above lists are considered to be unsafe
-with respect to signals.
-That is to say, the behaviour of such functions when called from
-a signal handler is undefined.
-In general though, signal handlers should do little more than set a
-flag, ideally of type volatile sig_atomic_t; most other actions are not safe.
-.Pp
-Additionally, it is advised that signal handlers guard against
-modification of the external symbol
-.Va errno
-by the above functions, saving it at entry and restoring
-it on return, thus:
+should be protected inside the handler with the following pattern:
 .Bd -literal -offset indent
 void
 handler(int sig)
@@ -444,10 +444,12 @@ handler(int sig)
 }
 .Ed
 .Pp
-The functions below are async-signal-safe in
-.Ox
-except when used with floating-point arguments or directives,
-but are probably unsafe on other systems:
+On
+.Ox ,
+a few more functions are signal-safe (except when the format string contains
+floating-point arguments).
+These functions are expected to be unsafe on other systems, so be very cautious of
+the portability trap!
 .Pp
 .Bl -tag -offset indent -compact -width foofoofoofoo
 .It Fn dprintf

lib/libc/sys/sigaction.2

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: sigaction.2,v 1.77 2022/10/13 21:37:05 jmc Exp $
+.\"	$OpenBSD: sigaction.2,v 1.78 2024/07/12 11:01:40 deraadt Exp $
 .\"	$NetBSD: sigaction.2,v 1.7 1995/10/12 15:41:16 jtc Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\"	@(#)sigaction.2	8.2 (Berkeley) 4/3/94
 .\"
-.Dd $Mdocdate: October 13 2022 $
+.Dd $Mdocdate: July 12 2024 $
 .Dt SIGACTION 2
 .Os
 .Sh NAME
@@ -471,10 +471,22 @@ and other signal interfaces may reject attempts to use or alter the
 handling of
 .Dv SIGTHR .
 .Pp
-The following functions are either reentrant or not interruptible
-by signals and are async-signal-safe.
-Therefore applications may
-invoke them, without restriction, from signal-catching functions:
+Signal handlers should be as minimal as possible, and use only signal-safe
+operations.
+The safest handlers only change a single variable of type
+.Va volatile sig_atomic_t ,
+which is inspected by an event loop.
+Other variables accessed inside the handler must be either const, or
+local to the handler.
+More complicated global variables (such as strings, structs, or lists)
+will require external methods to gaurantee consistancy, such as
+signal-blocking with
+.Xr sigprocmask 2 .
+.Pp
+More complicated handlers must restrict themselves to calling only the following
+list of signal-safe functions directly.
+Avoid abstracting the work to helper functions which are also called from
+other contexts because future coders will forget the signal-safe requirement.
 .Pp
 Standard Interfaces:
 .Pp
@@ -649,21 +661,9 @@ Extension Interfaces:
 .Fn wait3 ,
 .Fn wait4 .
 .Pp
-In addition, access and updates to
+Since signal-safe functions can encounter system call errors,
 .Va errno
-are guaranteed to be safe.
-Most functions not in the above lists are considered to be unsafe
-with respect to signals.
-That is to say, the behaviour of such functions when called from
-a signal handler is undefined.
-In general though, signal handlers should do little more than set a
-flag, ideally of type volatile sig_atomic_t; most other actions are not safe.
-.Pp
-Additionally, it is advised that signal handlers guard against
-modification of the external symbol
-.Va errno
-by the above functions, saving it at entry and restoring
-it on return, thus:
+should be protected inside the handler with the following pattern:
 .Bd -literal -offset indent
 void
 handler(int sig)
@@ -675,10 +675,12 @@ handler(int sig)
 }
 .Ed
 .Pp
-The functions below are async-signal-safe in
-.Ox
-except when used with floating-point arguments or directives,
-but are probably unsafe on other systems:
+On
+.Ox ,
+a few more functions are signal-safe (except when the format string contains
+floating-point arguments).
+These functions are expected to be unsafe on other systems, so be very cautious of
+the portability trap!
 .Pp
 .Bl -tag -offset indent -compact -width foofoofoofoo
 .It Fn dprintf

lib/libcrypto/ct/ct_x509v3.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */
+/*	$OpenBSD: ct_x509v3.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -128,59 +128,74 @@ ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
 	return s;
 }
 
-/* Handlers for X509v3/OCSP Certificate Transparency extensions */
-const X509V3_EXT_METHOD v3_ct_scts[3] = {
-	/* X509v3 extension in certificates that contains SCTs */
-	[0] = {
-		.ext_nid = NID_ct_precert_scts,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-		.d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
-		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-
-	/* X509v3 extension to mark a certificate as a pre-certificate */
-	[1] = {
-		.ext_nid = NID_ct_precert_poison,
-		.ext_flags = 0,
-		.it = &ASN1_NULL_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = i2s_poison,
-		.s2i = s2i_poison,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-
-	/* OCSP extension that contains SCTs */
-	[2] = {
-		.ext_nid = NID_ct_cert_scts,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-		.d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
-		.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+/* X509v3 extension in certificates that contains SCTs */
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_scts = {
+	.ext_nid = NID_ct_precert_scts,
+	.ext_flags = 0,
+	.it = NULL,
+	.ext_new = NULL,
+	.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+	.d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
+	.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_scts(void)
+{
+	return &x509v3_ext_ct_precert_scts;
+}
+
+/* X509v3 extension to mark a certificate as a pre-certificate */
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_poison = {
+	.ext_nid = NID_ct_precert_poison,
+	.ext_flags = 0,
+	.it = &ASN1_NULL_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = i2s_poison,
+	.s2i = s2i_poison,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_poison(void)
+{
+	return &x509v3_ext_ct_precert_poison;
+}
+
+/* OCSP extension that contains SCTs */
+static const X509V3_EXT_METHOD x509v3_ext_ct_cert_scts = {
+	.ext_nid = NID_ct_cert_scts,
+	.ext_flags = 0,
+	.it = NULL,
+	.ext_new = NULL,
+	.ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+	.d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
+	.i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_cert_scts(void)
+{
+	return &x509v3_ext_ct_cert_scts;
+}

lib/libcrypto/hidden/crypto_namespace.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crypto_namespace.h,v 1.3 2024/03/30 10:09:43 tb Exp $	*/
+/*	$OpenBSD: crypto_namespace.h,v 1.4 2024/07/11 21:31:52 miod Exp $	*/
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -31,7 +31,11 @@
 				typeof(x) x asm("_lcry_"#x)
 #  define LCRYPTO_USED(x)	__attribute__((visibility("hidden")))	\
 				typeof(x) x asm("_lcry_"#x)
+#  if defined(__hppa__)
+#  define LCRYPTO_ALIAS1(pre,x)	asm("! .global "#pre#x" ! .set "#pre#x", _lcry_"#x)
+#else
 #  define LCRYPTO_ALIAS1(pre,x)	asm(".global "#pre#x"; "#pre#x" = _lcry_"#x)
+#endif
 #  define LCRYPTO_ALIAS(x)	LCRYPTO_ALIAS1(,x); LCRYPTO_ALIAS1(_libre_,x)
 #else
 #  define LCRYPTO_UNUSED(x)	typeof(x) x __attribute__((deprecated))

lib/libcrypto/ocsp/ocsp_vfy.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
 			goto end;
 
 		x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-		if (X509_check_trust(x, NID_OCSP_sign, 0) !=
-			X509_TRUST_TRUSTED) {
+		if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
+		    X509_TRUST_TRUSTED) {
 			OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
 			goto end;
 		}

lib/libcrypto/x509/x509_addr.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.92 2024/07/08 14:47:44 beck Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1714,7 +1714,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
  * OpenSSL dispatch
  */
-const X509V3_EXT_METHOD v3_addr = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_ipAddrBlock = {
 	.ext_nid = NID_sbgp_ipAddrBlock,
 	.ext_flags = 0,
 	.it = &IPAddrBlocks_it,
@@ -1731,6 +1731,12 @@ const X509V3_EXT_METHOD v3_addr = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_ipAddrBlock(void)
+{
+	return &x509v3_ext_sbgp_ipAddrBlock;
+}
+
 /*
  * Figure out whether extension uses inheritance.
  */

lib/libcrypto/x509/x509_akey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_akey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_authority_key_identifier = {
 	.ext_nid = NID_authority_key_identifier,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_KEYID_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_akey_id = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_authority_key_identifier(void)
+{
+	return &x509v3_ext_authority_key_identifier;
+}
+
 static STACK_OF(CONF_VALUE) *
 i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
     STACK_OF(CONF_VALUE) *extlist)

lib/libcrypto/x509/x509_alt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.16 2023/08/30 00:49:32 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.17 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -74,57 +74,75 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
 
-const X509V3_EXT_METHOD v3_alt[] = {
-	{
-		.ext_nid = NID_subject_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_issuer_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_certificate_issuer,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+static const X509V3_EXT_METHOD x509v3_ext_subject_alt_name = {
+	.ext_nid = NID_subject_alt_name,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_alt_name(void)
+{
+	return &x509v3_ext_subject_alt_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_issuer_alt_name = {
+	.ext_nid = NID_issuer_alt_name,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuer_alt_name(void)
+{
+	return &x509v3_ext_issuer_alt_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_certificate_issuer = {
+	.ext_nid = NID_certificate_issuer,
+	.ext_flags = 0,
+	.it = &GENERAL_NAMES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_issuer(void)
+{
+	return &x509v3_ext_certificate_issuer;
+}
+
 STACK_OF(CONF_VALUE) *
 i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
     STACK_OF(CONF_VALUE) *ret)

lib/libcrypto/x509/x509_asid.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_asid.c,v 1.44 2024/07/08 14:47:44 beck Exp $ */
+/*	$OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -946,7 +946,7 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
  * OpenSSL dispatch.
  */
-const X509V3_EXT_METHOD v3_asid = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = {
 	.ext_nid = NID_sbgp_autonomousSysNum,
 	.ext_flags = 0,
 	.it = &ASIdentifiers_it,
@@ -963,6 +963,12 @@ const X509V3_EXT_METHOD v3_asid = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_autonomousSysNum(void)
+{
+	return &x509v3_ext_sbgp_autonomousSysNum;
+}
+
 /*
  * Figure out whether extension uses inheritance.
  */

lib/libcrypto/x509/x509_bcons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
 static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_bcons = {
+static const X509V3_EXT_METHOD x509v3_ext_basic_constraints = {
 	.ext_nid = NID_basic_constraints,
 	.ext_flags = 0,
 	.it = &BASIC_CONSTRAINTS_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_bcons = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_basic_constraints(void)
+{
+	return &x509v3_ext_basic_constraints;
+}
+
 static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_bitst.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -102,7 +102,7 @@ static BIT_STRING_BITNAME crl_reasons[] = {
 	{-1, NULL, NULL}
 };
 
-const X509V3_EXT_METHOD v3_nscert = {
+static const X509V3_EXT_METHOD x509v3_ext_netscape_cert_type = {
 	.ext_nid = NID_netscape_cert_type,
 	.ext_flags = 0,
 	.it = &ASN1_BIT_STRING_it,
@@ -119,7 +119,13 @@ const X509V3_EXT_METHOD v3_nscert = {
 	.usr_data = ns_cert_type_table,
 };
 
-const X509V3_EXT_METHOD v3_key_usage = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_cert_type(void)
+{
+	return &x509v3_ext_netscape_cert_type;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_key_usage = {
 	.ext_nid = NID_key_usage,
 	.ext_flags = 0,
 	.it = &ASN1_BIT_STRING_it,
@@ -136,7 +142,13 @@ const X509V3_EXT_METHOD v3_key_usage = {
 	.usr_data = key_usage_type_table,
 };
 
-const X509V3_EXT_METHOD v3_crl_reason = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_key_usage(void)
+{
+	return &x509v3_ext_key_usage;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_crl_reason = {
 	.ext_nid = NID_crl_reason,
 	.ext_flags = 0,
 	.it = &ASN1_ENUMERATED_it,
@@ -153,6 +165,12 @@ const X509V3_EXT_METHOD v3_crl_reason = {
 	.usr_data = crl_reasons,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_reason(void)
+{
+	return &x509v3_ext_crl_reason;
+}
+
 STACK_OF(CONF_VALUE) *
 i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
     STACK_OF(CONF_VALUE) *ret)

lib/libcrypto/x509/x509_cpols.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.12 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.13 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -82,7 +82,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *unot, int ia5org);
 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
 
-const X509V3_EXT_METHOD v3_cpols = {
+static const X509V3_EXT_METHOD x509v3_ext_certificate_policies = {
 	.ext_nid = NID_certificate_policies,
 	.ext_flags = 0,
 	.it = &CERTIFICATEPOLICIES_it,
@@ -99,6 +99,12 @@ const X509V3_EXT_METHOD v3_cpols = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_policies(void)
+{
+	return &x509v3_ext_certificate_policies;
+}
+
 static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
 	.flags = ASN1_TFLG_SEQUENCE_OF,
 	.tag = 0,

lib/libcrypto/x509/x509_crld.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.6 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -72,7 +72,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
     int indent);
 
-const X509V3_EXT_METHOD v3_crld = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_distribution_points = {
 	.ext_nid = NID_crl_distribution_points,
 	.ext_flags = 0,
 	.it = &CRL_DIST_POINTS_it,
@@ -89,7 +89,13 @@ const X509V3_EXT_METHOD v3_crld = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_freshest_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_distribution_points(void)
+{
+	return &x509v3_ext_crl_distribution_points;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_freshest_crl = {
 	.ext_nid = NID_freshest_crl,
 	.ext_flags = 0,
 	.it = &CRL_DIST_POINTS_it,
@@ -106,6 +112,12 @@ const X509V3_EXT_METHOD v3_freshest_crl = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_freshest_crl(void)
+{
+	return &x509v3_ext_freshest_crl;
+}
+
 static STACK_OF(GENERAL_NAME) *
 gnames_from_sectname(X509V3_CTX *ctx, char *sect)
 {
@@ -655,17 +667,29 @@ static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
 static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *nval);
 
-const X509V3_EXT_METHOD v3_idp = {
-	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
-	&ISSUING_DIST_POINT_it,
-	0, 0, 0, 0,
-	0, 0,
-	0,
-	v2i_idp,
-	i2r_idp, 0,
-	NULL
+static const X509V3_EXT_METHOD x509v3_ext_issuing_distribution_point = {
+	.ext_nid = NID_issuing_distribution_point,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &ISSUING_DIST_POINT_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = v2i_idp,
+	.i2r = i2r_idp,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuing_distribution_point(void)
+{
+	return &x509v3_ext_issuing_distribution_point;
+}
+
 static void *
 v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
     STACK_OF(CONF_VALUE) *nval)

lib/libcrypto/x509/x509_extku.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
     const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
 
-const X509V3_EXT_METHOD v3_ext_ku = {
+static const X509V3_EXT_METHOD x509v3_ext_ext_key_usage = {
 	.ext_nid = NID_ext_key_usage,
 	.ext_flags = 0,
 	.it = &EXTENDED_KEY_USAGE_it,
@@ -85,8 +85,14 @@ const X509V3_EXT_METHOD v3_ext_ku = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ext_key_usage(void)
+{
+	return &x509v3_ext_ext_key_usage;
+}
+
 /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-const X509V3_EXT_METHOD v3_ocsp_accresp = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_acceptableResponses = {
 	.ext_nid = NID_id_pkix_OCSP_acceptableResponses,
 	.ext_flags = 0,
 	.it = &EXTENDED_KEY_USAGE_it,
@@ -103,6 +109,12 @@ const X509V3_EXT_METHOD v3_ocsp_accresp = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_acceptableResponses;
+}
+
 static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
 	.flags = ASN1_TFLG_SEQUENCE_OF,
 	.tag = 0,

lib/libcrypto/x509/x509_ia5.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -68,137 +68,167 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
 
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
-	{
-		.ext_nid = NID_netscape_base_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_renewal_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_policy_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ssl_server_name,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_comment,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = -1,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
+static const X509V3_EXT_METHOD x509v3_ext_netscape_base_url = {
+	.ext_nid = NID_netscape_base_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_base_url(void)
+{
+	return &x509v3_ext_netscape_base_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_revocation_url = {
+	.ext_nid = NID_netscape_revocation_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_revocation_url(void)
+{
+	return &x509v3_ext_netscape_revocation_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_revocation_url = {
+	.ext_nid = NID_netscape_ca_revocation_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_revocation_url(void)
+{
+	return &x509v3_ext_netscape_ca_revocation_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_renewal_url = {
+	.ext_nid = NID_netscape_renewal_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_renewal_url(void)
+{
+	return &x509v3_ext_netscape_renewal_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_policy_url = {
+	.ext_nid = NID_netscape_ca_policy_url,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_policy_url(void)
+{
+	return &x509v3_ext_netscape_ca_policy_url;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ssl_server_name = {
+	.ext_nid = NID_netscape_ssl_server_name,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ssl_server_name(void)
+{
+	return &x509v3_ext_netscape_ssl_server_name;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_netscape_comment = {
+	.ext_nid = NID_netscape_comment,
+	.ext_flags = 0,
+	.it = &ASN1_IA5STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_comment(void)
+{
+	return &x509v3_ext_netscape_comment;
+}
+
 static char *
 i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
 {

lib/libcrypto/x509/x509_info.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -71,7 +71,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
 static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
     X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
-const X509V3_EXT_METHOD v3_info = {
+static const X509V3_EXT_METHOD x509v3_ext_info_access = {
 	.ext_nid = NID_info_access,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_INFO_ACCESS_it,
@@ -88,7 +88,13 @@ const X509V3_EXT_METHOD v3_info = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_sinfo = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_info_access(void)
+{
+	return &x509v3_ext_info_access;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_sinfo_access = {
 	.ext_nid = NID_sinfo_access,
 	.ext_flags = X509V3_EXT_MULTILINE,
 	.it = &AUTHORITY_INFO_ACCESS_it,
@@ -105,6 +111,12 @@ const X509V3_EXT_METHOD v3_sinfo = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sinfo_access(void)
+{
+	return &x509v3_ext_sinfo_access;
+}
+
 static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_int.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_int.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,7 +60,7 @@
 
 #include <openssl/x509v3.h>
 
-const X509V3_EXT_METHOD v3_crl_num = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_number = {
 	.ext_nid = NID_crl_number,
 	.ext_flags = 0,
 	.it = &ASN1_INTEGER_it,
@@ -77,7 +77,13 @@ const X509V3_EXT_METHOD v3_crl_num = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_delta_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_number(void)
+{
+	return &x509v3_ext_crl_number;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_delta_crl = {
 	.ext_nid = NID_delta_crl,
 	.ext_flags = 0,
 	.it = &ASN1_INTEGER_it,
@@ -94,17 +100,37 @@ const X509V3_EXT_METHOD v3_delta_crl = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_delta_crl(void)
+{
+	return &x509v3_ext_delta_crl;
+}
+
 static void *
 s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
 {
 	return s2i_ASN1_INTEGER(meth, value);
 }
 
-const X509V3_EXT_METHOD v3_inhibit_anyp = {
-	NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
-	0, 0, 0, 0,
-	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-	(X509V3_EXT_S2I)s2i_asn1_int,
-	0, 0, 0, 0,
-	NULL
+static const X509V3_EXT_METHOD x509v3_ext_inhibit_any_policy = {
+	.ext_nid = NID_inhibit_any_policy,
+	.ext_flags = 0,
+	.it = &ASN1_INTEGER_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	.s2i = (X509V3_EXT_S2I)s2i_asn1_int,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
 };
+
+const X509V3_EXT_METHOD *
+x509v3_ext_method_inhibit_any_policy(void)
+{
+	return &x509v3_ext_inhibit_any_policy;
+}

lib/libcrypto/x509/x509_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,89 +65,104 @@
 
 #include "x509_local.h"
 
-extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
-extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern const X509V3_EXT_METHOD v3_crl_hold;
-extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern const X509V3_EXT_METHOD v3_addr, v3_asid;
-extern const X509V3_EXT_METHOD v3_ct_scts[3];
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-	&v3_nscert,
-	&v3_ns_ia5_list[0],
-	&v3_ns_ia5_list[1],
-	&v3_ns_ia5_list[2],
-	&v3_ns_ia5_list[3],
-	&v3_ns_ia5_list[4],
-	&v3_ns_ia5_list[5],
-	&v3_ns_ia5_list[6],
-	&v3_skey_id,
-	&v3_key_usage,
-	&v3_pkey_usage_period,
-	&v3_alt[0],
-	&v3_alt[1],
-	&v3_bcons,
-	&v3_crl_num,
-	&v3_cpols,
-	&v3_akey_id,
-	&v3_crld,
-	&v3_ext_ku,
-	&v3_delta_crl,
-	&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_invdate,
-#endif
-	&v3_info,
-#ifndef OPENSSL_NO_RFC3779
-	&v3_addr,
-	&v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
-	&v3_ocsp_nonce,
-	&v3_ocsp_crlid,
-	&v3_ocsp_accresp,
-	&v3_ocsp_nocheck,
-	&v3_ocsp_acutoff,
-	&v3_ocsp_serviceloc,
-#endif
-	&v3_sinfo,
-	&v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_hold,
-#endif
-	&v3_name_constraints,
-	&v3_policy_mappings,
-	&v3_inhibit_anyp,
-	&v3_idp,
-	&v3_alt[2],
-	&v3_freshest_crl,
-#ifndef OPENSSL_NO_CT
-	&v3_ct_scts[0],
-	&v3_ct_scts[1],
-	&v3_ct_scts[2],
-#endif
-};
-
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
-
 const X509V3_EXT_METHOD *
 X509V3_EXT_get_nid(int nid)
 {
-	size_t i;
-
-	for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
-		if (standard_exts[i]->ext_nid == nid)
-			return standard_exts[i];
+	switch (nid) {
+	case NID_authority_key_identifier:
+		return x509v3_ext_method_authority_key_identifier();
+	case NID_basic_constraints:
+		return x509v3_ext_method_basic_constraints();
+	case NID_certificate_issuer:
+		return x509v3_ext_method_certificate_issuer();
+	case NID_certificate_policies:
+		return x509v3_ext_method_certificate_policies();
+	case NID_crl_distribution_points:
+		return x509v3_ext_method_crl_distribution_points();
+	case NID_crl_number:
+		return x509v3_ext_method_crl_number();
+	case NID_crl_reason:
+		return x509v3_ext_method_crl_reason();
+#ifndef OPENSSL_NO_CT
+	case NID_ct_cert_scts:
+		return x509v3_ext_method_ct_cert_scts();
+	case NID_ct_precert_poison:
+		return x509v3_ext_method_ct_precert_poison();
+	case NID_ct_precert_scts:
+		return x509v3_ext_method_ct_precert_scts();
+#endif
+	case NID_delta_crl:
+		return x509v3_ext_method_delta_crl();
+	case NID_ext_key_usage:
+		return x509v3_ext_method_ext_key_usage();
+	case NID_freshest_crl:
+		return x509v3_ext_method_freshest_crl();
+#ifndef OPENSSL_NO_OCSP
+	case NID_hold_instruction_code:
+		return x509v3_ext_method_hold_instruction_code();
+	case NID_id_pkix_OCSP_CrlID:
+		return x509v3_ext_method_id_pkix_OCSP_CrlID();
+	case NID_id_pkix_OCSP_Nonce:
+		return x509v3_ext_method_id_pkix_OCSP_Nonce();
+	case NID_id_pkix_OCSP_acceptableResponses:
+		return x509v3_ext_method_id_pkix_OCSP_acceptableResponses();
+	case NID_id_pkix_OCSP_archiveCutoff:
+		return x509v3_ext_method_id_pkix_OCSP_archiveCutoff();
+	case NID_id_pkix_OCSP_serviceLocator:
+		return x509v3_ext_method_id_pkix_OCSP_serviceLocator();
+#endif
+	case NID_info_access:
+		return x509v3_ext_method_info_access();
+	case NID_inhibit_any_policy:
+		return x509v3_ext_method_inhibit_any_policy();
+	case NID_invalidity_date:
+		return x509v3_ext_method_invalidity_date();
+	case NID_issuer_alt_name:
+		return x509v3_ext_method_issuer_alt_name();
+	case NID_issuing_distribution_point:
+		return x509v3_ext_method_issuing_distribution_point();
+	case NID_key_usage:
+		return x509v3_ext_method_key_usage();
+	case NID_name_constraints:
+		return x509v3_ext_method_name_constraints();
+	case NID_netscape_base_url:
+		return x509v3_ext_method_netscape_base_url();
+	case NID_netscape_ca_policy_url:
+		return x509v3_ext_method_netscape_ca_policy_url();
+	case NID_netscape_ca_revocation_url:
+		return x509v3_ext_method_netscape_ca_revocation_url();
+	case NID_netscape_cert_type:
+		return x509v3_ext_method_netscape_cert_type();
+	case NID_netscape_comment:
+		return x509v3_ext_method_netscape_comment();
+	case NID_netscape_renewal_url:
+		return x509v3_ext_method_netscape_renewal_url();
+	case NID_netscape_revocation_url:
+		return x509v3_ext_method_netscape_revocation_url();
+	case NID_netscape_ssl_server_name:
+		return x509v3_ext_method_netscape_ssl_server_name();
+	case NID_policy_constraints:
+		return x509v3_ext_method_policy_constraints();
+	case NID_policy_mappings:
+		return x509v3_ext_method_policy_mappings();
+	case NID_private_key_usage_period:
+		return x509v3_ext_method_private_key_usage_period();
+#ifndef OPENSSL_NO_RFC3779
+	case NID_sbgp_ipAddrBlock:
+		return x509v3_ext_method_sbgp_ipAddrBlock();
+	case NID_sbgp_autonomousSysNum:
+		return x509v3_ext_method_sbgp_autonomousSysNum();
+#endif
+	case NID_sinfo_access:
+		return x509v3_ext_method_sinfo_access();
+	case NID_subject_alt_name:
+		return x509v3_ext_method_subject_alt_name();
+	case NID_subject_key_identifier:
+		return x509v3_ext_method_subject_key_identifier();
+	default:
+		return NULL;
 	}
-
-	return NULL;
-}
+};
 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
 
 const X509V3_EXT_METHOD *

lib/libcrypto/x509/x509_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */
+/*	$OpenBSD: x509_local.h,v 1.26 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2013.
  */
@@ -71,6 +71,14 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP	EVP_sha512()
 #define X509_CRL_HASH_LEN	SHA512_DIGEST_LENGTH
 
+/*
+ * Used internally instead of the confusing X509_TRUST_DEFAULT,
+ * which is not the default for X509_check_trust.
+ * XXX Make X509_check_trust internal, and move the other
+ * X509_TRUST values here to clean up this mess.
+ */
+#define X509_TRUST_ACCEPT_ALL	-1
+
 struct X509_pubkey_st {
 	X509_ALGOR *algor;
 	ASN1_BIT_STRING *public_key;
@@ -410,6 +418,49 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
 int X509_PURPOSE_get_by_id(int id);
 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
 
+const X509V3_EXT_METHOD *x509v3_ext_method_authority_key_identifier(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_basic_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_issuer(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_policies(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_distribution_points(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_number(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_reason(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_cert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_poison(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_delta_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ext_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_freshest_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_hold_instruction_code(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_CrlID(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_Nonce(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_serviceLocator(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_info_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_inhibit_any_policy(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_invalidity_date(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuer_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuing_distribution_point(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_name_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_base_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_policy_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_cert_type(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_comment(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_renewal_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ssl_server_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_mappings(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_private_key_usage_period(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_ipAddrBlock(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_autonomousSysNum(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sinfo_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_key_identifier(void);
+
 __END_HIDDEN_DECLS
 
 #endif /* !HEADER_X509_LOCAL_H */

lib/libcrypto/x509/x509_ncons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.10 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -81,7 +81,7 @@ static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
 static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
 static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
 
-const X509V3_EXT_METHOD v3_name_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_name_constraints = {
 	.ext_nid = NID_name_constraints,
 	.ext_flags = 0,
 	.it = &NAME_CONSTRAINTS_it,
@@ -98,6 +98,12 @@ const X509V3_EXT_METHOD v3_name_constraints = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_name_constraints(void)
+{
+	return &x509v3_ext_name_constraints;
+}
+
 static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_ocsp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.2 2022/01/07 09:45:52 tb Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.3 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -95,7 +95,7 @@ static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
 static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
     BIO *bp, int ind);
 
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_CrlID = {
 	.ext_nid = NID_id_pkix_OCSP_CrlID,
 	.ext_flags = 0,
 	.it = &OCSP_CRLID_it,
@@ -112,7 +112,13 @@ const X509V3_EXT_METHOD v3_ocsp_crlid = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_CrlID(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_CrlID;
+}
+
+const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {
 	.ext_nid = NID_id_pkix_OCSP_archiveCutoff,
 	.ext_flags = 0,
 	.it = &ASN1_GENERALIZEDTIME_it,
@@ -129,7 +135,13 @@ const X509V3_EXT_METHOD v3_ocsp_acutoff = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_crl_invdate = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_archiveCutoff;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_invalidity_date = {
 	.ext_nid = NID_invalidity_date,
 	.ext_flags = 0,
 	.it = &ASN1_GENERALIZEDTIME_it,
@@ -146,7 +158,13 @@ const X509V3_EXT_METHOD v3_crl_invdate = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_crl_hold = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_invalidity_date(void)
+{
+	return &x509v3_ext_invalidity_date;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_hold_instruction_code = {
 	.ext_nid = NID_hold_instruction_code,
 	.ext_flags = 0,
 	.it = &ASN1_OBJECT_it,
@@ -163,7 +181,13 @@ const X509V3_EXT_METHOD v3_crl_hold = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_hold_instruction_code(void)
+{
+	return &x509v3_ext_hold_instruction_code;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_Nonce = {
 	.ext_nid = NID_id_pkix_OCSP_Nonce,
 	.ext_flags = 0,
 	.it = NULL,
@@ -180,7 +204,13 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_Nonce(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_Nonce;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_noCheck = {
 	.ext_nid = NID_id_pkix_OCSP_noCheck,
 	.ext_flags = 0,
 	.it = &ASN1_NULL_it,
@@ -197,7 +227,13 @@ const X509V3_EXT_METHOD v3_ocsp_nocheck = {
 	.usr_data = NULL,
 };
 
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_noCheck(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_noCheck;
+}
+
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_serviceLocator = {
 	.ext_nid = NID_id_pkix_OCSP_serviceLocator,
 	.ext_flags = 0,
 	.it = &OCSP_SERVICELOC_it,
@@ -214,6 +250,12 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_serviceLocator(void)
+{
+	return &x509v3_ext_id_pkix_OCSP_serviceLocator;
+}
+
 static int
 i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
 {

lib/libcrypto/x509/x509_pcons.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -71,7 +71,7 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
 static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
-const X509V3_EXT_METHOD v3_policy_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_constraints = {
 	.ext_nid = NID_policy_constraints,
 	.ext_flags = 0,
 	.it = &POLICY_CONSTRAINTS_it,
@@ -88,6 +88,12 @@ const X509V3_EXT_METHOD v3_policy_constraints = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_constraints(void)
+{
+	return &x509v3_ext_policy_constraints;
+}
+
 static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_pku.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,7 +65,7 @@
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
     PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
 
-const X509V3_EXT_METHOD v3_pkey_usage_period = {
+static const X509V3_EXT_METHOD x509v3_ext_private_key_usage_period = {
 	.ext_nid = NID_private_key_usage_period,
 	.ext_flags = 0,
 	.it = &PKEY_USAGE_PERIOD_it,
@@ -82,6 +82,12 @@ const X509V3_EXT_METHOD v3_pkey_usage_period = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_private_key_usage_period(void)
+{
+	return &x509v3_ext_private_key_usage_period;
+}
+
 static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
 	{
 		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,

lib/libcrypto/x509/x509_pmaps.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -69,7 +69,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
     const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
 
-const X509V3_EXT_METHOD v3_policy_mappings = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_mappings = {
 	.ext_nid = NID_policy_mappings,
 	.ext_flags = 0,
 	.it = &POLICY_MAPPINGS_it,
@@ -86,6 +86,12 @@ const X509V3_EXT_METHOD v3_policy_mappings = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_mappings(void)
+{
+	return &x509v3_ext_policy_mappings;
+}
+
 static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
 	{
 		.flags = 0,

lib/libcrypto/x509/x509_purp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.42 2024/05/15 18:10:03 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -150,7 +150,7 @@ static const X509_PURPOSE xstandard[] = {
 	},
 	{
 		.purpose = X509_PURPOSE_ANY,
-		.trust = X509_TRUST_DEFAULT,
+		.trust = X509_TRUST_ACCEPT_ALL,
 		.check_purpose = no_check,
 		.name = "Any Purpose",
 		.sname = "any",

lib/libcrypto/x509/x509_skey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -67,7 +67,7 @@
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
 
-const X509V3_EXT_METHOD v3_skey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_subject_key_identifier = {
 	.ext_nid = NID_subject_key_identifier,
 	.ext_flags = 0,
 	.it = &ASN1_OCTET_STRING_it,
@@ -84,6 +84,12 @@ const X509V3_EXT_METHOD v3_skey_id = {
 	.usr_data = NULL,
 };
 
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_key_identifier(void)
+{
+	return &x509v3_ext_subject_key_identifier;
+}
+
 char *
 i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
 {

lib/libcrypto/x509/x509_trs.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.55 2024/03/26 22:43:42 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -66,6 +66,23 @@
 #include "x509_internal.h"
 #include "x509_local.h"
 
+static int
+trust_if_self_signed(const X509 *x)
+{
+	/* Extensions already cached in X509_check_trust(). */
+	if ((x->ex_flags & EXFLAG_SS) != 0)
+		return X509_TRUST_TRUSTED;
+
+	return X509_TRUST_UNTRUSTED;
+}
+
+static int
+trust_was_set(const X509 *x)
+{
+	return x->aux != NULL && (x->aux->trust != NULL ||
+	    x->aux->reject != NULL);
+}
+
 static int
 obj_trust(int id, const X509 *x)
 {
@@ -94,33 +111,31 @@ obj_trust(int id, const X509 *x)
 }
 
 static int
-trust_compat(int nid, const X509 *x)
+nid_from_trust_id(int trust_id)
 {
-	/* Extensions already cached in X509_check_trust(). */
-	if ((x->ex_flags & EXFLAG_SS) != 0)
-		return X509_TRUST_TRUSTED;
+	OPENSSL_assert(trust_id == 0 ||
+	    (trust_id >= X509_TRUST_MIN && trust_id <= X509_TRUST_MAX));
 
-	return X509_TRUST_UNTRUSTED;
-}
-
-static int
-trust_1oidany(int nid, const X509 *x)
-{
-	/* Inspect the certificate's trust settings if there are any. */
-	if (x->aux != NULL && (x->aux->trust != NULL || x->aux->reject != NULL))
-		return obj_trust(nid, x);
-
-	/* For compatibility we return trusted if the cert is self signed. */
-	return trust_compat(NID_undef, x);
-}
-
-static int
-trust_1oid(int nid, const X509 *x)
-{
-	if (x->aux != NULL)
-		return obj_trust(nid, x);
-
-	return X509_TRUST_UNTRUSTED;
+	switch (trust_id) {
+	case X509_TRUST_COMPAT:
+		return NID_undef;
+	case X509_TRUST_SSL_CLIENT:
+		return NID_client_auth;
+	case X509_TRUST_SSL_SERVER:
+		return NID_server_auth;
+	case X509_TRUST_EMAIL:
+		return NID_email_protect;
+	case X509_TRUST_OBJECT_SIGN:
+		return NID_code_sign;
+	case X509_TRUST_OCSP_SIGN:
+		return NID_OCSP_sign;
+	case X509_TRUST_OCSP_REQUEST:
+		return NID_ad_OCSP;
+	case X509_TRUST_TSA:
+		return NID_time_stamp;
+	default:
+		return NID_undef;
+	}
 }
 
 int
@@ -128,46 +143,36 @@ X509_check_trust(X509 *x, int trust_id, int flags)
 {
 	int rv;
 
-	if (trust_id == -1)
-		return 1;
-
 	/* Call early so the trust handlers don't need to modify the certs. */
 	if (!x509v3_cache_extensions(x))
 		return X509_TRUST_UNTRUSTED;
 
+	/*
+	 * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not
+	 * need to have the same -1 value as X509_TRUST_DEFAULT
+	 */
+	if (trust_id == X509_TRUST_ACCEPT_ALL)
+		return 1;
+
 	switch (trust_id) {
-	case 0:
-		/*
-		 * XXX beck/jsing This enables self signed certs to be trusted
-		 * for an unspecified id/trust flag value (this is NOT the
-		 * X509_TRUST_DEFAULT), which was the longstanding openssl
-		 * behaviour. boringssl does not have this behaviour.
-		 *
-		 * This should be revisited, but changing the default
-		 * "not default" may break things.
-		 */
+	case X509_TRUST_COMPAT:
+		return trust_if_self_signed(x);
+	case X509_TRUST_EMAIL:
+	case X509_TRUST_OBJECT_SIGN:
+	case X509_TRUST_SSL_SERVER:
+	case X509_TRUST_SSL_CLIENT:
+	case X509_TRUST_TSA:
+		if (trust_was_set(x))
+			return obj_trust(nid_from_trust_id(trust_id), x);
+		return trust_if_self_signed(x);
+	case X509_TRUST_OCSP_SIGN:
+	case X509_TRUST_OCSP_REQUEST:
+		return obj_trust(nid_from_trust_id(trust_id), x);
+	default:
 		rv = obj_trust(NID_anyExtendedKeyUsage, x);
 		if (rv != X509_TRUST_UNTRUSTED)
 			return rv;
-		return trust_compat(NID_undef, x);
-	case X509_TRUST_COMPAT:
-		return trust_compat(NID_undef, x);
-	case X509_TRUST_SSL_CLIENT:
-		return trust_1oidany(NID_client_auth, x);
-	case X509_TRUST_SSL_SERVER:
-		return trust_1oidany(NID_server_auth, x);
-	case X509_TRUST_EMAIL:
-		return trust_1oidany(NID_email_protect, x);
-	case X509_TRUST_OBJECT_SIGN:
-		return trust_1oidany(NID_code_sign, x);
-	case X509_TRUST_OCSP_SIGN:
-		return trust_1oid(NID_OCSP_sign, x);
-	case X509_TRUST_OCSP_REQUEST:
-		return trust_1oid(NID_ad_OCSP, x);
-	case X509_TRUST_TSA:
-		return trust_1oidany(NID_time_stamp, x);
-	default:
-		return obj_trust(trust_id, x);
+		return trust_if_self_signed(x);
 	}
 }
 LCRYPTO_ALIAS(X509_check_trust);

lib/libcrypto/x509/x509_v3.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.30 2024/05/23 02:00:38 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,7 +60,6 @@
 
 #include <openssl/asn1.h>
 #include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
@@ -69,182 +68,165 @@
 #include "x509_local.h"
 
 int
-X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *sk)
+X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *exts)
 {
-	if (sk == NULL)
+	if (exts == NULL)
 		return 0;
 
-	return sk_X509_EXTENSION_num(sk);
+	return sk_X509_EXTENSION_num(exts);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_count);
 
 int
-X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *sk, int nid, int lastpos)
+X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *exts, int nid, int lastpos)
 {
 	const ASN1_OBJECT *obj;
 
 	if ((obj = OBJ_nid2obj(nid)) == NULL)
 		return -2;
 
-	return X509v3_get_ext_by_OBJ(sk, obj, lastpos);
+	return X509v3_get_ext_by_OBJ(exts, obj, lastpos);
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_NID);
 
 int
-X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,
+X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *exts,
     const ASN1_OBJECT *obj, int lastpos)
 {
-	int n;
-	X509_EXTENSION *ext;
-
-	if (sk == NULL)
-		return -1;
-	lastpos++;
-	if (lastpos < 0)
+	if (++lastpos < 0)
 		lastpos = 0;
-	n = sk_X509_EXTENSION_num(sk);
-	for (; lastpos < n; lastpos++) {
-		ext = sk_X509_EXTENSION_value(sk, lastpos);
+
+	for (; lastpos < X509v3_get_ext_count(exts); lastpos++) {
+		const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos);
+
 		if (OBJ_cmp(ext->object, obj) == 0)
 			return lastpos;
 	}
+
 	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_OBJ);
 
 int
-X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
+X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *exts, int critical,
     int lastpos)
 {
-	int n;
-	X509_EXTENSION *ext;
+	critical = (critical != 0);
 
-	if (sk == NULL)
-		return -1;
-	lastpos++;
-	if (lastpos < 0)
+	if (++lastpos < 0)
 		lastpos = 0;
-	n = sk_X509_EXTENSION_num(sk);
-	for (; lastpos < n; lastpos++) {
-		ext = sk_X509_EXTENSION_value(sk, lastpos);
-		if ((ext->critical > 0 && crit) ||
-		    (ext->critical <= 0 && !crit))
+
+	for (; lastpos < X509v3_get_ext_count(exts); lastpos++) {
+		const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos);
+
+		if (X509_EXTENSION_get_critical(ext) == critical)
 			return lastpos;
 	}
+
 	return -1;
 }
 LCRYPTO_ALIAS(X509v3_get_ext_by_critical);
 
 X509_EXTENSION *
-X509v3_get_ext(const STACK_OF(X509_EXTENSION) *sk, int loc)
+X509v3_get_ext(const STACK_OF(X509_EXTENSION) *exts, int loc)
 {
-	if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0)
-		return NULL;
-
-	return sk_X509_EXTENSION_value(sk, loc);
+	return sk_X509_EXTENSION_value(exts, loc);
 }
 LCRYPTO_ALIAS(X509v3_get_ext);
 
 X509_EXTENSION *
-X509v3_delete_ext(STACK_OF(X509_EXTENSION) *sk, int loc)
+X509v3_delete_ext(STACK_OF(X509_EXTENSION) *exts, int loc)
 {
-	if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0)
-		return NULL;
-
-	return sk_X509_EXTENSION_delete(sk, loc);
+	return sk_X509_EXTENSION_delete(exts, loc);
 }
 LCRYPTO_ALIAS(X509v3_delete_ext);
 
 STACK_OF(X509_EXTENSION) *
-X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ext, int loc)
+X509v3_add_ext(STACK_OF(X509_EXTENSION) **out_exts, X509_EXTENSION *ext, int loc)
 {
+	STACK_OF(X509_EXTENSION) *exts = NULL;
 	X509_EXTENSION *new_ext = NULL;
-	int n;
-	STACK_OF(X509_EXTENSION) *sk = NULL;
 
-	if (x == NULL) {
+	/*
+	 * XXX - Nonsense from the poorly reviewed OpenSSL c755c5fd8ba (2005).
+	 * This check should have been joined with the next check, i.e., if no
+	 * stack was passed in, a new one should be created and returned.
+	 */
+	if (out_exts == NULL) {
 		X509error(ERR_R_PASSED_NULL_PARAMETER);
-		goto err2;
+		goto err;
 	}
 
-	if (*x == NULL) {
-		if ((sk = sk_X509_EXTENSION_new_null()) == NULL)
-			goto err;
-	} else
-		sk= *x;
-
-	n = sk_X509_EXTENSION_num(sk);
-	if (loc > n)
-		loc = n;
-	else if (loc < 0)
-		loc = n;
+	if ((exts = *out_exts) == NULL)
+		exts = sk_X509_EXTENSION_new_null();
+	if (exts == NULL) {
+		X509error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
 	if ((new_ext = X509_EXTENSION_dup(ext)) == NULL)
-		goto err2;
-	if (!sk_X509_EXTENSION_insert(sk, new_ext, loc))
 		goto err;
-	if (*x == NULL)
-		*x = sk;
-	return sk;
+	if (!sk_X509_EXTENSION_insert(exts, new_ext, loc))
+		goto err;
+	new_ext = NULL;
+
+	*out_exts = exts;
+
+	return exts;
 
  err:
-	X509error(ERR_R_MALLOC_FAILURE);
- err2:
-	if (new_ext != NULL)
-		X509_EXTENSION_free(new_ext);
-	if (sk != NULL && x != NULL && sk != *x)
-		sk_X509_EXTENSION_free(sk);
+	X509_EXTENSION_free(new_ext);
+	if (out_exts != NULL && exts != *out_exts)
+		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
 	return NULL;
 }
 LCRYPTO_ALIAS(X509v3_add_ext);
 
 X509_EXTENSION *
-X509_EXTENSION_create_by_NID(X509_EXTENSION **ext, int nid, int crit,
+X509_EXTENSION_create_by_NID(X509_EXTENSION **out_ext, int nid, int critical,
     ASN1_OCTET_STRING *data)
 {
-	ASN1_OBJECT *obj;
-	X509_EXTENSION *ret;
+	const ASN1_OBJECT *obj;
 
-	obj = OBJ_nid2obj(nid);
-	if (obj == NULL) {
+	if ((obj = OBJ_nid2obj(nid)) == NULL) {
 		X509error(X509_R_UNKNOWN_NID);
 		return NULL;
 	}
-	ret = X509_EXTENSION_create_by_OBJ(ext, obj, crit, data);
-	if (ret == NULL)
-		ASN1_OBJECT_free(obj);
-	return ret;
+
+	return X509_EXTENSION_create_by_OBJ(out_ext, obj, critical, data);
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_NID);
 
 X509_EXTENSION *
-X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ext, const ASN1_OBJECT *obj,
-    int crit, ASN1_OCTET_STRING *data)
+X509_EXTENSION_create_by_OBJ(X509_EXTENSION **out_ext, const ASN1_OBJECT *obj,
+    int critical, ASN1_OCTET_STRING *data)
 {
-	X509_EXTENSION *ret;
+	X509_EXTENSION *ext;
 
-	if (ext == NULL || *ext == NULL) {
-		if ((ret = X509_EXTENSION_new()) == NULL) {
-			X509error(ERR_R_MALLOC_FAILURE);
-			return NULL;
-		}
-	} else
-		ret= *ext;
+	if (out_ext == NULL || (ext = *out_ext) == NULL)
+		ext = X509_EXTENSION_new();
+	if (ext == NULL) {
+		X509error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
 
-	if (!X509_EXTENSION_set_object(ret, obj))
+	if (!X509_EXTENSION_set_object(ext, obj))
 		goto err;
-	if (!X509_EXTENSION_set_critical(ret, crit))
+	if (!X509_EXTENSION_set_critical(ext, critical))
 		goto err;
-	if (!X509_EXTENSION_set_data(ret, data))
+	if (!X509_EXTENSION_set_data(ext, data))
 		goto err;
 
-	if (ext != NULL && *ext == NULL)
-		*ext = ret;
-	return ret;
+	if (out_ext != NULL)
+		*out_ext = ext;
+
+	return ext;
 
  err:
-	if (ext == NULL || ret != *ext)
-		X509_EXTENSION_free(ret);
+	if (out_ext == NULL || ext != *out_ext)
+		X509_EXTENSION_free(ext);
+
 	return NULL;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_create_by_OBJ);
@@ -256,19 +238,17 @@ X509_EXTENSION_set_object(X509_EXTENSION *ext, const ASN1_OBJECT *obj)
 		return 0;
 
 	ASN1_OBJECT_free(ext->object);
-	ext->object = OBJ_dup(obj);
-
-	return ext->object != NULL;
+	return (ext->object = OBJ_dup(obj)) != NULL;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_set_object);
 
 int
-X509_EXTENSION_set_critical(X509_EXTENSION *ext, int crit)
+X509_EXTENSION_set_critical(X509_EXTENSION *ext, int critical)
 {
 	if (ext == NULL)
 		return 0;
 
-	ext->critical = crit ? 0xFF : -1;
+	ext->critical = critical ? 0xFF : -1;
 
 	return 1;
 }
@@ -309,8 +289,7 @@ X509_EXTENSION_get_critical(const X509_EXTENSION *ext)
 {
 	if (ext == NULL)
 		return 0;
-	if (ext->critical > 0)
-		return 1;
-	return 0;
+
+	return ext->critical > 0;
 }
 LCRYPTO_ALIAS(X509_EXTENSION_get_critical);

lib/libssl/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.83 2024/07/09 09:39:14 beck Exp $
+# $OpenBSD: Makefile,v 1.84 2024/07/13 18:33:18 tb Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -89,7 +89,7 @@ SRCS= \
 	tls_key_share.c \
 	tls_lib.c
 
-HDRS=	dtls1.h srtp.h ssl.h ssl2.h ssl23.h ssl3.h tls1.h
+HDRS=	dtls1.h srtp.h ssl.h ssl3.h tls1.h
 
 .PATH:	${.CURDIR}
 

lib/libssl/hidden/ssl_namespace.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_namespace.h,v 1.2 2023/02/16 08:38:17 tb Exp $	*/
+/*	$OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $	*/
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -27,7 +27,11 @@
 #define LSSL_UNUSED(x)		typeof(x) x __attribute__((deprecated))
 #define LSSL_USED(x)		__attribute__((visibility("hidden")))	\
 				typeof(x) x asm("_lssl_"#x)
+#if defined(__hppa__)
+#define LSSL_ALIAS(x)		asm("! .global "#x" ! .set "#x", _lssl_"#x)
+#else
 #define LSSL_ALIAS(x)		asm(".global "#x"; "#x" = _lssl_"#x)
+#endif
 #else
 #define LSSL_UNUSED(x)
 #define LSSL_USED(x)

lib/libssl/man/ssl.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.24 2024/05/09 17:57:36 jmc Exp $
+.\" $OpenBSD: ssl.3,v 1.25 2024/07/13 18:33:18 tb Exp $
 .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 9 2024 $
+.Dd $Mdocdate: July 13 2024 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -147,13 +147,6 @@ It internally includes both more private SSL headers and headers from the
 library.
 Whenever you need hardcore details on the internals of the SSL API, look inside
 this header file.
-.It Pa ssl2.h
-That's the sub header file dealing with the SSLv2 protocol only.
-.Bf Em
- Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
 .It Pa ssl3.h
 That's the sub header file dealing with the SSLv3 protocol only.
 .Bf Em
@@ -161,14 +154,6 @@ Usually you don't have to include it explicitly because it's already included
 by
 .Pa ssl.h .
 .Ef
-.It Pa ssl23.h
-That's the sub header file dealing with the combined use of the SSLv2 and SSLv3
-protocols.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
 .It Pa tls1.h
 That's the sub header file dealing with the TLSv1 protocol only.
 .Bf Em

lib/libssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.237 2024/05/27 09:12:31 jsg Exp $ */
+/* $OpenBSD: ssl.h,v 1.238 2024/07/13 18:33:18 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -653,11 +653,9 @@ void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
 }
 #endif
 
-#include <openssl/ssl2.h>
 #include <openssl/ssl3.h>
 #include <openssl/tls1.h>	/* This is mostly sslv3 with a few tweaks */
 #include <openssl/dtls1.h>	/* Datagram TLS */
-#include <openssl/ssl23.h>
 #include <openssl/srtp.h>	/* Support for the use_srtp extension */
 
 #ifdef  __cplusplus
@@ -2331,6 +2329,12 @@ void ERR_load_SSL_strings(void);
 int OPENSSL_init_ssl(uint64_t opts, const void *settings);
 int SSL_library_init(void);
 
+/*
+ * A few things still use this without #ifdef guard.
+ */
+
+#define SSL2_VERSION	0x0002
+
 #ifdef  __cplusplus
 }
 #endif

lib/libssl/ssl2.h

@@ -1,153 +0,0 @@
-/* $OpenBSD: ssl2.h,v 1.12 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_SSL2_H
-#define HEADER_SSL2_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/* Protocol Version Codes */
-#define SSL2_VERSION		0x0002
-#define SSL2_VERSION_MAJOR	0x00
-#define SSL2_VERSION_MINOR	0x02
-/* #define SSL2_CLIENT_VERSION	0x0002 */
-/* #define SSL2_SERVER_VERSION	0x0002 */
-
-/* Protocol Message Codes */
-#define SSL2_MT_ERROR			0
-#define SSL2_MT_CLIENT_HELLO		1
-#define SSL2_MT_CLIENT_MASTER_KEY	2
-#define SSL2_MT_CLIENT_FINISHED		3
-#define SSL2_MT_SERVER_HELLO		4
-#define SSL2_MT_SERVER_VERIFY		5
-#define SSL2_MT_SERVER_FINISHED		6
-#define SSL2_MT_REQUEST_CERTIFICATE	7
-#define SSL2_MT_CLIENT_CERTIFICATE	8
-
-/* Error Message Codes */
-#define SSL2_PE_UNDEFINED_ERROR		0x0000
-#define SSL2_PE_NO_CIPHER		0x0001
-#define SSL2_PE_NO_CERTIFICATE		0x0002
-#define SSL2_PE_BAD_CERTIFICATE		0x0004
-#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-
-/* Cipher Kind Values */
-#define SSL2_CK_NULL_WITH_MD5			0x02000000 /* v3 */
-#define SSL2_CK_RC4_128_WITH_MD5		0x02010080
-#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5	0x02020080
-#define SSL2_CK_RC2_128_CBC_WITH_MD5		0x02030080
-#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5	0x02040080
-#define SSL2_CK_IDEA_128_CBC_WITH_MD5		0x02050080
-#define SSL2_CK_DES_64_CBC_WITH_MD5		0x02060040
-#define SSL2_CK_DES_64_CBC_WITH_SHA		0x02060140 /* v3 */
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5	0x020700c0
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA	0x020701c0 /* v3 */
-#define SSL2_CK_RC4_64_WITH_MD5			0x02080080 /* MS hack */
-
-#define SSL2_CK_DES_64_CFB64_WITH_MD5_1		0x02ff0800 /* SSLeay */
-#define SSL2_CK_NULL				0x02ff0810 /* SSLeay */
-
-#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1	"DES-CFB-M1"
-#define SSL2_TXT_NULL_WITH_MD5			"NULL-MD5"
-#define SSL2_TXT_RC4_128_WITH_MD5		"RC4-MD5"
-#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5	"EXP-RC4-MD5"
-#define SSL2_TXT_RC2_128_CBC_WITH_MD5		"RC2-CBC-MD5"
-#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5	"EXP-RC2-CBC-MD5"
-#define SSL2_TXT_IDEA_128_CBC_WITH_MD5		"IDEA-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_MD5		"DES-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_SHA		"DES-CBC-SHA"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5	"DES-CBC3-MD5"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA	"DES-CBC3-SHA"
-#define SSL2_TXT_RC4_64_WITH_MD5		"RC4-64-MD5"
-
-#define SSL2_TXT_NULL				"NULL"
-
-/* Flags for the SSL_CIPHER.algorithm2 field */
-#define SSL2_CF_5_BYTE_ENC			0x01
-#define SSL2_CF_8_BYTE_ENC			0x02
-
-/* Certificate Type Codes */
-#define SSL2_CT_X509_CERTIFICATE		0x01
-
-/* Authentication Type Code */
-#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION		0x01
-
-#define SSL2_MAX_SSL_SESSION_ID_LENGTH		32
-
-/* Upper/Lower Bounds */
-#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS	256
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER	32767u	/* 2^15-1 */
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER	16383	/* 2^14-1 */
-
-#define SSL2_CHALLENGE_LENGTH	16
-/*#define SSL2_CHALLENGE_LENGTH	32 */
-#define SSL2_MIN_CHALLENGE_LENGTH	16
-#define SSL2_MAX_CHALLENGE_LENGTH	32
-#define SSL2_CONNECTION_ID_LENGTH	16
-#define SSL2_MAX_CONNECTION_ID_LENGTH	16
-#define SSL2_SSL_SESSION_ID_LENGTH	16
-#define SSL2_MAX_CERT_CHALLENGE_LENGTH	32
-#define SSL2_MIN_CERT_CHALLENGE_LENGTH	16
-#define SSL2_MAX_KEY_MATERIAL_LENGTH	24
-
-#ifdef  __cplusplus
-}
-#endif
-#endif

lib/libssl/ssl23.h

@@ -1,82 +0,0 @@
-/* $OpenBSD: ssl23.h,v 1.4 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_SSL23_H
-#define HEADER_SSL23_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/*client */
-/* write to server */
-#define SSL23_ST_CW_CLNT_HELLO_A	(0x210|SSL_ST_CONNECT)
-#define SSL23_ST_CW_CLNT_HELLO_B	(0x211|SSL_ST_CONNECT)
-/* read from server */
-#define SSL23_ST_CR_SRVR_HELLO_A	(0x220|SSL_ST_CONNECT)
-#define SSL23_ST_CR_SRVR_HELLO_B	(0x221|SSL_ST_CONNECT)
-
-/* server */
-/* read from client */
-#define SSL23_ST_SR_CLNT_HELLO_A	(0x210|SSL_ST_ACCEPT)
-#define SSL23_ST_SR_CLNT_HELLO_B	(0x211|SSL_ST_ACCEPT)
-
-#ifdef  __cplusplus
-}
-#endif
-#endif

lib/libssl/ssl_err.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.49 2024/06/24 06:50:07 tb Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.50 2024/07/13 17:42:13 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -67,7 +67,7 @@
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
 
 /* See SSL_state_func_code below */
-static ERR_STRING_DATA SSL_str_functs[] = {
+static const ERR_STRING_DATA SSL_str_functs[] = {
 	{ERR_FUNC(1),  "CONNECT_CW_FLUSH"},
 	{ERR_FUNC(2),  "CONNECT_CW_CLNT_HELLO"},
 	{ERR_FUNC(3),  "CONNECT_CW_CLNT_HELLO"},
@@ -153,7 +153,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
 	{0, NULL}
 };
 
-static ERR_STRING_DATA SSL_str_reasons[]= {
+static const ERR_STRING_DATA SSL_str_reasons[] = {
 	{ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) , "app data in handshake"},
 	{ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"},
 	{ERR_REASON(SSL_R_BAD_ALERT_RECORD)      , "bad alert record"},
@@ -476,8 +476,8 @@ ERR_load_SSL_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 	if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) {
-		ERR_load_strings(0, SSL_str_functs);
-		ERR_load_strings(0, SSL_str_reasons);
+		ERR_load_strings(0, (ERR_STRING_DATA *)SSL_str_functs);
+		ERR_load_strings(0, (ERR_STRING_DATA *)SSL_str_reasons);
 	}
 #endif
 }

sbin/iked/Makefile

@@ -1,18 +1,18 @@
-# $OpenBSD: Makefile,v 1.22 2021/05/28 18:01:39 tobhe Exp $
+# $OpenBSD: Makefile,v 1.23 2024/07/13 12:22:46 yasuoka Exp $
 
 PROG=		iked
 SRCS=		ca.c chap_ms.c config.c control.c crypto.c dh.c \
 		eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \
 		log.c ocsp.c pfkey.c policy.c print.c proc.c timer.c util.c \
-		imsg_util.c smult_curve25519_ref.c vroute.c
+		imsg_util.c radius.c smult_curve25519_ref.c vroute.c
 SRCS+=		eap_map.c ikev2_map.c
 SRCS+=		crypto_hash.c sntrup761.c
 SRCS+=		parse.y
 MAN=		iked.conf.5 iked.8
 #NOMAN=		yes
 
-LDADD=		-lutil -levent -lcrypto
-DPADD=		${LIBUTIL} ${LIBEVENT} ${LIBCRYPTO}
+LDADD=		-lutil -levent -lcrypto -lradius
+DPADD=		${LIBUTIL} ${LIBEVENT} ${LIBCRYPTO} ${LIBRADIUS}
 CFLAGS+=	-Wall -I${.CURDIR}
 CFLAGS+=	-Wstrict-prototypes -Wmissing-prototypes
 CFLAGS+=	-Wmissing-declarations

sbin/iked/config.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: config.c,v 1.97 2024/02/15 19:11:00 tobhe Exp $	*/
+/*	$OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -123,6 +123,8 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
 	sa_configure_iface(env, sa, 0);
 	sa_free_flows(env, &sa->sa_flows);
 
+	iked_radius_acct_stop(env, sa);
+
 	if (sa->sa_addrpool) {
 		(void)RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa);
 		free(sa->sa_addrpool);
@@ -187,6 +189,10 @@ config_free_sa(struct iked *env, struct iked_sa *sa)
 		ikestat_dec(env, ikes_sa_established_current);
 	ikestat_inc(env, ikes_sa_removed);
 
+	free(sa->sa_rad_addr);
+	free(sa->sa_rad_addr6);
+	iked_radius_request_free(env, sa->sa_radreq);
+
 	free(sa);
 }
 
@@ -591,6 +597,48 @@ config_doreset(struct iked *env, unsigned int mode)
 		}
 	}
 
+	if (mode == RESET_ALL || mode == RESET_RADIUS) {
+		struct iked_radserver_req	*req;
+		struct iked_radserver		*rad, *radt;
+		struct iked_radcfgmap		*cfg, *cfgt;
+		struct iked_raddae		*dae, *daet;
+		struct iked_radclient		*client, *clientt;
+
+		TAILQ_FOREACH_SAFE(rad, &env->sc_radauthservers, rs_entry,
+		    radt) {
+			close(rad->rs_sock);
+			event_del(&rad->rs_ev);
+			TAILQ_REMOVE(&env->sc_radauthservers, rad, rs_entry);
+			while ((req = TAILQ_FIRST(&rad->rs_reqs)) != NULL)
+				iked_radius_request_free(env, req);
+			freezero(rad, sizeof(*rad));
+		}
+		TAILQ_FOREACH_SAFE(rad, &env->sc_radacctservers, rs_entry,
+		    radt) {
+			close(rad->rs_sock);
+			event_del(&rad->rs_ev);
+			TAILQ_REMOVE(&env->sc_radacctservers, rad, rs_entry);
+			while ((req = TAILQ_FIRST(&rad->rs_reqs)) != NULL)
+				iked_radius_request_free(env, req);
+			freezero(rad, sizeof(*rad));
+		}
+		TAILQ_FOREACH_SAFE(cfg, &env->sc_radcfgmaps, entry, cfgt) {
+			TAILQ_REMOVE(&env->sc_radcfgmaps, cfg, entry);
+			free(cfg);
+		}
+		TAILQ_FOREACH_SAFE(dae, &env->sc_raddaes, rd_entry, daet) {
+			close(dae->rd_sock);
+			event_del(&dae->rd_ev);
+			TAILQ_REMOVE(&env->sc_raddaes, dae, rd_entry);
+			free(dae);
+		}
+		TAILQ_FOREACH_SAFE(client, &env->sc_raddaeclients, rc_entry,
+		    clientt) {
+			TAILQ_REMOVE(&env->sc_raddaeclients, client, rc_entry);
+			free(client);
+		}
+	}
+
 	return (0);
 }
 
@@ -1092,3 +1140,282 @@ config_getkey(struct iked *env, struct imsg *imsg)
 
 	return (0);
 }
+
+int
+config_setradauth(struct iked *env)
+{
+	proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CFG_RADAUTH,
+	    &env->sc_radauth, sizeof(env->sc_radauth));
+	return (0);
+}
+
+int
+config_getradauth(struct iked *env, struct imsg *imsg)
+{
+	if (IMSG_DATA_SIZE(imsg) < sizeof(struct iked_radopts))
+		fatalx("%s: invalid radauth message", __func__);
+
+	memcpy(&env->sc_radauth, imsg->data, sizeof(struct iked_radopts));
+
+	return (0);
+}
+
+int
+config_setradacct(struct iked *env)
+{
+	proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CFG_RADACCT,
+	    &env->sc_radacct, sizeof(env->sc_radacct));
+	return (0);
+}
+
+int
+config_getradacct(struct iked *env, struct imsg *imsg)
+{
+	if (IMSG_DATA_SIZE(imsg) < sizeof(struct iked_radopts))
+		fatalx("%s: invalid radacct message", __func__);
+
+	memcpy(&env->sc_radacct, imsg->data, sizeof(struct iked_radopts));
+
+	return (0);
+}
+
+int
+config_setradserver(struct iked *env, struct sockaddr *sa, socklen_t salen,
+    char *secret, int isaccounting)
+{
+	int			 sock = -1;
+	struct iovec		 iov[2];
+	struct iked_radserver	 server;
+
+	if (env->sc_opts & IKED_OPT_NOACTION)
+		return (0);
+	memset(&server, 0, sizeof(server));
+	memcpy(&server.rs_sockaddr, sa, salen);
+	server.rs_accounting = isaccounting;
+	if ((sock = socket(sa->sa_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+		log_warn("%s: socket() failed", __func__);
+		goto error;
+	}
+	if (connect(sock, sa, salen) == -1) {
+		log_warn("%s: connect() failed", __func__);
+		goto error;
+	}
+	iov[0].iov_base = &server;
+	iov[0].iov_len = offsetof(struct iked_radserver, rs_secret[0]);
+	iov[1].iov_base = secret;
+	iov[1].iov_len = strlen(secret) + 1;
+
+	proc_composev_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADSERVER, -1,
+	    sock, iov, 2);
+
+	return (0);
+ error:
+	if (sock >= 0)
+		close(sock);
+	return (-1);
+}
+
+int
+config_getradserver(struct iked *env, struct imsg *imsg)
+{
+	size_t			 len;
+	struct iked_radserver	*server;
+
+	len = IMSG_DATA_SIZE(imsg);
+	if (len <= sizeof(*server))
+		fatalx("%s: invalid IMSG_CFG_RADSERVER message", __func__);
+
+	if ((server = calloc(1, len)) == NULL) {
+		log_warn("%s: calloc() failed", __func__);
+		return (-1);
+	}
+	memcpy(server, imsg->data, len);
+	explicit_bzero(imsg->data, len);
+	TAILQ_INIT(&server->rs_reqs);
+	server->rs_sock = imsg_get_fd(imsg);
+	server->rs_env = env;
+
+	if (!server->rs_accounting)
+		TAILQ_INSERT_TAIL(&env->sc_radauthservers, server, rs_entry);
+	else
+		TAILQ_INSERT_TAIL(&env->sc_radacctservers, server, rs_entry);
+	event_set(&server->rs_ev, server->rs_sock, EV_READ | EV_PERSIST,
+	    iked_radius_on_event, server);
+	event_add(&server->rs_ev, NULL);
+
+	return (0);
+}
+
+int
+config_setradcfgmap(struct iked *env, int cfg_type, uint32_t vendor_id,
+    uint8_t attr_type)
+{
+	struct iked_radcfgmap cfgmap;
+
+	if (env->sc_opts & IKED_OPT_NOACTION)
+		return (0);
+	memset(&cfgmap, 0, sizeof(cfgmap));
+	cfgmap.cfg_type = cfg_type;
+	cfgmap.vendor_id = vendor_id;
+	cfgmap.attr_type = attr_type;
+
+	proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADCFGMAP, -1,
+	    -1, &cfgmap, sizeof(cfgmap));
+
+	return (0);
+}
+
+int
+config_getradcfgmap(struct iked *env, struct imsg *imsg)
+{
+	int			 i;
+	size_t			 len;
+	struct iked_radcfgmap	*cfgmap, *cfgmap0;
+	struct iked_radcfgmaps	 cfgmaps = TAILQ_HEAD_INITIALIZER(cfgmaps);
+
+	len = IMSG_DATA_SIZE(imsg);
+	if (len < sizeof(*cfgmap))
+		fatalx("%s: invalid IMSG_CFG_RADCFGMAP message", __func__);
+
+	if (TAILQ_EMPTY(&env->sc_radcfgmaps)) {
+		/* no customized config map yet */
+		for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) {
+			if ((cfgmap = calloc(1, len)) == NULL) {
+				while ((cfgmap = TAILQ_FIRST(&cfgmaps))
+				    != NULL) {
+					TAILQ_REMOVE(&cfgmaps, cfgmap, entry);
+					free(cfgmap);
+				}
+				return (-1);
+			}
+			*cfgmap = radius_cfgmaps[i];
+			TAILQ_INSERT_TAIL(&cfgmaps, cfgmap, entry);
+		}
+		TAILQ_CONCAT(&env->sc_radcfgmaps, &cfgmaps, entry);
+	}
+
+	cfgmap0 = (struct iked_radcfgmap *)imsg->data;
+	TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry) {
+		if (cfgmap->vendor_id == cfgmap0->vendor_id &&
+		    cfgmap->attr_type == cfgmap0->attr_type) {
+			/* override existing config map */
+			cfgmap->cfg_type = cfgmap0->cfg_type;
+			break;
+		}
+	}
+	if (cfgmap == NULL) {
+		if ((cfgmap = calloc(1, len)) == NULL) {
+			log_warn("%s: calloc() failed", __func__);
+			return (-1);
+		}
+		memcpy(cfgmap, imsg->data, len);
+		TAILQ_INSERT_TAIL(&env->sc_radcfgmaps, cfgmap, entry);
+	}
+	return (0);
+}
+
+int
+config_setraddae(struct iked *env, struct sockaddr *sa, socklen_t salen)
+{
+	int			 sock, on;
+	struct iked_raddae	 dae;
+
+	if (env->sc_opts & IKED_OPT_NOACTION)
+		return (0);
+	memset(&dae, 0, sizeof(dae));
+	memcpy(&dae.rd_sockaddr, sa, salen);
+	if ((sock = socket(sa->sa_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+		log_warn("%s: socket() failed", __func__);
+		goto error;
+	}
+	on = 1;
+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
+		log_warn("%s: setsockopt(,,SO_REUSEADDR) failed", __func__);
+	/* REUSEPORT is needed because the old sockets may not be closed yet */
+	on = 1;
+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) == -1)
+		log_warn("%s: setsockopt(,,SO_REUSEPORT) failed", __func__);
+	if (bind(sock, sa, salen) == -1) {
+		log_warn("%s: bind() failed", __func__);
+		goto error;
+	}
+
+	proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADDAE, -1,
+	    sock, &dae, sizeof(dae));
+
+	return (0);
+ error:
+	if (sock >= 0)
+		close(sock);
+	return (-1);
+}
+
+int
+config_getraddae(struct iked *env, struct imsg *imsg)
+{
+	struct iked_raddae	*dae;
+
+	if (IMSG_DATA_SIZE(imsg) < sizeof(*dae))
+		fatalx("%s: invalid IMSG_CFG_RADDAE message", __func__);
+
+	if ((dae = calloc(1, sizeof(*dae))) == NULL) {
+		log_warn("%s: calloc() failed", __func__);
+		return (-1);
+	}
+	memcpy(dae, imsg->data, sizeof(*dae));
+	dae->rd_sock = imsg_get_fd(imsg);
+	dae->rd_env = env;
+
+	event_set(&dae->rd_ev, dae->rd_sock, EV_READ | EV_PERSIST,
+	    iked_radius_dae_on_event, dae);
+	event_add(&dae->rd_ev, NULL);
+
+	TAILQ_INSERT_TAIL(&env->sc_raddaes, dae, rd_entry);
+
+	return (0);
+}
+
+int
+config_setradclient(struct iked *env, struct sockaddr *sa, socklen_t salen,
+    char *secret)
+{
+	struct iovec		 iov[2];
+	struct iked_radclient	 client;
+
+	if (salen > sizeof(client.rc_sockaddr))
+		fatal("%s: invalid salen", __func__);
+
+	memcpy(&client.rc_sockaddr, sa, salen);
+
+	iov[0].iov_base = &client;
+	iov[0].iov_len = offsetof(struct iked_radclient, rc_secret[0]);
+	iov[1].iov_base = secret;
+	iov[1].iov_len = strlen(secret);
+
+	proc_composev_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADDAECLIENT,
+	    -1, -1, iov, 2);
+
+	return (0);
+}
+
+int
+config_getradclient(struct iked *env, struct imsg *imsg)
+{
+	struct iked_radclient	*client;
+	u_int			 len;
+
+	len = IMSG_DATA_SIZE(imsg);
+
+	if (len < sizeof(*client))
+		fatalx("%s: invalid IMSG_CFG_RADDAE message", __func__);
+
+	if ((client = calloc(1, len + 1)) == NULL) {
+		log_warn("%s: calloc() failed", __func__);
+		return (-1);
+	}
+	memcpy(client, imsg->data, len);
+
+	TAILQ_INSERT_TAIL(&env->sc_raddaeclients, client, rc_entry);
+
+	return (0);
+}

sbin/iked/eap.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: eap.c,v 1.26 2024/03/24 00:05:01 yasuoka Exp $	*/
+/*	$OpenBSD: eap.c,v 1.27 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -583,9 +583,12 @@ eap_parse(struct iked *env, const struct iked_sa *sa, struct iked_message *msg,
 
 		return (eap_mschap(env, sa, msg, eap));
 	default:
-		log_debug("%s: unsupported EAP type %s", __func__,
-		    print_map(eap->eap_type, eap_type_map));
-		return (-1);
+		if (sa->sa_policy->pol_auth.auth_eap != EAP_TYPE_RADIUS) {
+			log_debug("%s: unsupported EAP type %s", __func__,
+			    print_map(eap->eap_type, eap_type_map));
+			return (-1);
+		} /* else, when RADIUS, pass it to the client */
+		break;
 	}
 
 	return (0);

sbin/iked/eap.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: eap.h,v 1.6 2020/09/16 21:37:35 tobhe Exp $	*/
+/*	$OpenBSD: eap.h,v 1.7 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -93,6 +93,7 @@ extern struct iked_constmap eap_code_map[];
 #define EAP_TYPE_PWD		52	/* RFC-harkins-emu-eap-pwd-12.txt */
 #define EAP_TYPE_EXPANDED_TYPE	254	/* RFC3748 */
 #define EAP_TYPE_EXPERIMENTAL	255	/* RFC3748 */
+#define EAP_TYPE_RADIUS		10001	/* internal use for EAP RADIUS */
 
 extern struct iked_constmap eap_type_map[];
 

sbin/iked/iked.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: iked.c,v 1.70 2024/02/15 20:10:45 tobhe Exp $	*/
+/*	$OpenBSD: iked.c,v 1.71 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -307,6 +307,8 @@ parent_configure(struct iked *env)
 	config_setstatic(env);
 	config_setcoupled(env, env->sc_decoupled ? 0 : 1);
 	config_setocsp(env);
+	config_setradauth(env);
+	config_setradacct(env);
 	/* Must be last */
 	config_setmode(env, env->sc_passive ? 1 : 0);
 
@@ -324,6 +326,7 @@ parent_reload(struct iked *env, int reset, const char *filename)
 
 	if (reset == RESET_RELOAD) {
 		config_setreset(env, RESET_POLICY, PROC_IKEV2);
+		config_setreset(env, RESET_RADIUS, PROC_IKEV2);
 		if (config_setkeys(env) == -1)
 			fatalx("%s: failed to send keys", __func__);
 		config_setreset(env, RESET_CA, PROC_CERT);

sbin/iked/iked.conf.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.96 2024/04/13 12:11:08 jmc Exp $
+.\" $OpenBSD: iked.conf.5,v 1.98 2024/07/13 12:58:51 jmc Exp $
 .\"
 .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 13 2024 $
+.Dd $Mdocdate: July 13 2024 $
 .Dt IKED.CONF 5
 .Os
 .Sh NAME
@@ -648,11 +648,18 @@ for more information.
 .Bl -tag -width $domain -compact -offset indent
 .It Ic eap Ar type
 Use EAP to authenticate the initiator.
-The only supported EAP
-.Ar type
-is currently
-.Ar MSCHAP-V2 .
+Currently
+.Ar MSCHAP-V2
+or
+.Ar RADIUS
+is supported for the EAP
+.Ar type .
 The responder will use RSA public key authentication.
+To use RADIUS for EAP,
+at least one RADIUS server should be configured.
+See the
+.Sx RADIUS
+section for RADIUS support.
 .It Ic ecdsa256
 Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication.
 .It Ic ecdsa384
@@ -780,6 +787,118 @@ The traffic will be blocked if the specified
 .Ar interface
 does not exist.
 .El
+.Sh RADIUS CONFIGURATION
+The configuration options for RADIUS are as follows:
+.Bl -tag -width xxxx
+.It Ic radius config Oo Ar af Oc Ar option Oo Ar vendor Oc Ar attr
+Once RADIUS authentication has succeeded,
+.Xr iked 8
+uses the RADIUS attributes containing the response from the RADIUS server to
+construct IKEv2 configuration payloads (CP).
+This configuration option defines a mapping from a RADIUS attribute to an IKE
+CP with the following parameters:
+.Pp
+.Bl -tag -width "vendor attr" -compact
+.It Op Ar af
+Specify either
+.Cm inet
+or
+.Cm inet6
+for the address family of the IKE CP option.
+.It Ar option
+Specify an IKE CP option.
+Choose from
+.Sx AUTOMATIC KEYING POLICIES
+config options
+.Po
+.Cm address ,
+.Cm netmask ,
+.Cm name-server ,
+.Cm netbios-server ,
+.Cm dhcp-server ,
+and
+.Cm access-server
+.Pc
+or use
+.Cm none
+to disable the existing or default mapping.
+.It Ar attr
+For a standard RADIUS attribute,
+specify its Attribute-Type for
+.Ar attr .
+.It Ar vendor Ar attr
+For a vendor specific RADIUS attribute,
+specify its Vendor-ID for
+.Ar vendor
+and the Attribute-Type for
+.Ar attr .
+.El
+.Pp
+By default,
+.Xr iked 8
+uses the following attributes for the options:
+.Bl -column "inet6 netbios-server" "Vendor" "Type" "MS-Secondary-NBNS-Server" \
+-offset "XX"
+.It Em "Option" Ta Em "Vendor" Ta Em "Type" Ta Em "Attribute Name"
+.It Li "inet address" Ta "" Ta "8" Ta "Framed-IP-Address"
+.It Li "inet netmask" Ta "" Ta "9" Ta "Framed-IP-Netmask"
+.It Li "inet name-server" Ta "0x137" Ta "28" Ta "MS-Primary-DNS-Server"
+.It Li "inet name-server" Ta "0x137" Ta "29" Ta "MS-Secondary-DNS-Server"
+.It Li "inet netbios-server" Ta "0x137" Ta "30" Ta "MS-Primary-NBNS-Server"
+.It Li "inet netbios-server" Ta "0x137" Ta "31" Ta "MS-Secondary-NBNS-Server"
+.El
+.It Ic radius Oo Ic accounting Oc Ic server Ar address Oo port Ar number Oc \
+secret Ar secret
+Specify the RADIUS server's IP address and the shared secret with the server.
+For a RADIUS accounting server,
+use the
+.Cm accounting
+keyword.
+Optionally specify the port number,
+otherwise the default port number,
+1812 for authentication or
+1813 for accounting,
+is used as the default.
+.It Ic radius Oo Ic accounting Oc Ic max-tries Ar number
+Specify the maximum number of retransmissions for a server.
+.Xr iked 8
+will retransmit 2, 6, 14, 22, 30 seconds after the first transmission
+and subsequent retransmissions will occur every 8 seconds.
+If the number of retransmissions per server reaches this value,
+the current server is marked as failed,
+and the next server is used for subsequent requests.
+For RADIUS accounting requests,
+use the
+.Cm accounting
+keyword.
+The default value is 3.
+.It Ic radius Oo Ic accounting Oc Ic max-failovers Ar number
+If a positive number is specified,
+.Xr iked 8
+will failover to the next server when the current server is marked
+.Dq fail .
+This key and value specifies the maximum number of failovers.
+For RADIUS accounting requests,
+use the
+.Cm accounting
+keyword.
+The default value is 0.
+.It Ic radius dae listen on Ar address Oo port Ar number Oc
+Specify the local
+.Ar address
+.Xr iked 8
+should listen on for the Dynamic Authorization Extensions
+.Pq DAE, RFC 5176
+requests.
+Optionally specify a port
+.Ar number ;
+the default port number is 3799.
+.It Ic radius dae client Ar address Ic secret Ar secret
+Specify an
+.Ar address
+for a DAE client and
+.Ar secret .
+.El
 .Sh PACKET FILTERING
 IPsec traffic appears unencrypted on the
 .Xr enc 4

sbin/iked/iked.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: iked.h,v 1.230 2024/03/02 16:16:07 tobhe Exp $	*/
+/*	$OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -20,6 +20,7 @@
 #include <sys/types.h>
 #include <sys/tree.h>
 #include <sys/queue.h>
+#include <netinet/in.h>
 #include <arpa/inet.h>
 #include <limits.h>
 #include <imsg.h>
@@ -217,8 +218,8 @@ struct iked_static_id {
 
 struct iked_auth {
 	uint8_t		auth_method;
-	uint8_t		auth_eap;			/* optional EAP */
 	uint8_t		auth_length;			/* zero if EAP */
+	uint16_t	auth_eap;			/* optional EAP */
 	uint8_t		auth_data[IKED_PSK_SIZE];
 };
 
@@ -403,6 +404,15 @@ struct iked_ipcomp {
 	uint8_t				 ic_transform;	/* transform */
 };
 
+struct iked_sastats {
+	uint64_t			 sas_ipackets;
+	uint64_t			 sas_opackets;
+	uint64_t			 sas_ibytes;
+	uint64_t			 sas_obytes;
+	uint64_t			 sas_idrops;
+	uint64_t			 sas_odrops;
+};
+
 struct iked_sa {
 	struct iked_sahdr		 sa_hdr;
 	uint32_t			 sa_msgid;	/* Last request rcvd */
@@ -485,6 +495,7 @@ struct iked_sa {
 	struct iked_proposals		 sa_proposals;	/* SA proposals */
 	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
 	struct iked_saflows		 sa_flows;	/* IPsec flows */
+	struct iked_sastats		 sa_stats;
 
 	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
 	struct iked_sa			*sa_previ;	/* matching back pointer */
@@ -533,6 +544,11 @@ struct iked_sa {
 	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
 	time_t				 sa_last_recvd;
 #define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
+	struct timespec			 sa_starttime;
+
+	struct iked_radserver_req	*sa_radreq;
+	struct iked_addr		*sa_rad_addr;	/* requested address */
+	struct iked_addr		*sa_rad_addr6;	/* requested address */
 };
 RB_HEAD(iked_sas, iked_sa);
 RB_HEAD(iked_dstid_sas, iked_sa);
@@ -648,6 +664,7 @@ struct iked_message {
 	uint8_t			 msg_transform;
 	uint16_t		 msg_flags;
 	struct eap_msg		 msg_eap;
+	struct ibuf		*msg_eapmsg;
 	size_t			 msg_del_spisize;
 	size_t			 msg_del_cnt;
 	struct ibuf		*msg_del_buf;
@@ -702,6 +719,72 @@ struct iked_user {
 };
 RB_HEAD(iked_users, iked_user);
 
+struct iked_radserver_req;
+
+struct iked_radserver {
+	int				 rs_sock;
+	int				 rs_accounting;
+	struct event			 rs_ev;
+	struct iked			*rs_env;
+	struct sockaddr_storage		 rs_sockaddr;
+	TAILQ_ENTRY(iked_radserver)	 rs_entry;
+	struct in_addr			 rs_nas_ipv4;
+	struct in6_addr			 rs_nas_ipv6;
+	unsigned int			 rs_reqseq;
+	TAILQ_HEAD(, iked_radserver_req) rs_reqs;
+	char				 rs_secret[];
+};
+TAILQ_HEAD(iked_radservers, iked_radserver);
+
+struct iked_raddae {
+	int				 rd_sock;
+	struct event			 rd_ev;
+	struct iked			*rd_env;
+	struct sockaddr_storage		 rd_sockaddr;
+	TAILQ_ENTRY(iked_raddae)	 rd_entry;
+};
+TAILQ_HEAD(iked_raddaes, iked_raddae);
+
+struct iked_radclient {
+	struct iked			*rc_env;
+	struct sockaddr_storage		 rc_sockaddr;
+	TAILQ_ENTRY(iked_radclient)	 rc_entry;
+	char				 rc_secret[];
+};
+TAILQ_HEAD(iked_radclients , iked_radclient);
+
+struct iked_radopts {
+	int				 max_tries;
+	int				 max_failovers;
+};
+
+struct iked_radcfgmap {
+	uint16_t			 cfg_type;
+	uint32_t			 vendor_id;
+	uint8_t				 attr_type;
+	TAILQ_ENTRY(iked_radcfgmap)	 entry;
+};
+TAILQ_HEAD(iked_radcfgmaps, iked_radcfgmap);
+
+extern const struct iked_radcfgmap radius_cfgmaps[];
+
+struct iked_radserver_req {
+	struct iked_radserver		*rr_server;
+	struct iked_sa			*rr_sa;
+	struct iked_timer		 rr_timer;
+	int				 rr_reqid;
+	int				 rr_accounting;
+	struct timespec			 rr_accttime;
+	void				*rr_reqpkt;
+	struct ibuf			*rr_state;
+	char				*rr_user;
+	int				 rr_ntry;
+	int				 rr_nfailover;
+	struct iked_cfg			 rr_cfg[IKED_CFG_MAX];
+	unsigned int			 rr_ncfg;
+	TAILQ_ENTRY(iked_radserver_req)	 rr_entry;
+};
+
 struct privsep_pipes {
 	int				*pp_pipes[PROC_MAX];
 };
@@ -810,6 +893,14 @@ struct iked {
 	struct iked_activesas		 sc_activesas;
 	struct iked_flows		 sc_activeflows;
 	struct iked_users		 sc_users;
+	struct iked_radopts		 sc_radauth;
+	struct iked_radopts		 sc_radacct;
+	int				 sc_radaccton;
+	struct iked_radservers		 sc_radauthservers;
+	struct iked_radservers		 sc_radacctservers;
+	struct iked_radcfgmaps		 sc_radcfgmaps;
+	struct iked_raddaes		 sc_raddaes;
+	struct iked_radclients		 sc_raddaeclients;
 
 	struct iked_stats		 sc_stats;
 
@@ -941,6 +1032,20 @@ int	 config_setkeys(struct iked *);
 int	 config_getkey(struct iked *, struct imsg *);
 int	 config_setstatic(struct iked *);
 int	 config_getstatic(struct iked *, struct imsg *);
+int	 config_setradauth(struct iked *);
+int	 config_getradauth(struct iked *, struct imsg *);
+int	 config_setradacct(struct iked *);
+int	 config_getradacct(struct iked *, struct imsg *);
+int	 config_setradserver(struct iked *, struct sockaddr *, socklen_t,
+	    char *, int);
+int	 config_getradserver(struct iked *, struct imsg *);
+int	 config_setradcfgmap(struct iked *, int, uint32_t, uint8_t);
+int	 config_getradcfgmap(struct iked *, struct imsg *);
+int	 config_setraddae(struct iked *, struct sockaddr *, socklen_t);
+int	 config_getraddae(struct iked *, struct imsg *);
+int	 config_setradclient(struct iked *, struct sockaddr *, socklen_t,
+	    char *);
+int	 config_getradclient(struct iked *, struct imsg *);
 
 /* policy.c */
 void	 policy_init(struct iked *);
@@ -1157,6 +1262,17 @@ int	 eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
 int	 eap_mschap_success(struct iked *, struct iked_sa *, int);
 int	 eap_challenge_request(struct iked *, struct iked_sa *, int);
 
+/* radius.c */
+int	 iked_radius_request(struct iked *, struct iked_sa *,
+	    struct iked_message *);
+void	 iked_radius_request_free(struct iked *, struct iked_radserver_req *);
+void	 iked_radius_on_event(int, short, void *);
+void	 iked_radius_acct_on(struct iked *);
+void	 iked_radius_acct_off(struct iked *);
+void	 iked_radius_acct_start(struct iked *, struct iked_sa *);
+void	 iked_radius_acct_stop(struct iked *, struct iked_sa *);
+void	 iked_radius_dae_on_event(int, short, void *);
+
 /* pfkey.c */
 int	 pfkey_couple(struct iked *, struct iked_sas *, int);
 int	 pfkey_flow_add(struct iked *, struct iked_flow *);

sbin/iked/ikev2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.386 2024/03/21 22:08:49 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -36,6 +36,7 @@
 #include <errno.h>
 #include <err.h>
 #include <event.h>
+#include <time.h>
 
 #include <openssl/sha.h>
 #include <openssl/evp.h>
@@ -284,6 +285,7 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 			timer_add(env, &env->sc_inittmr,
 			    IKED_INITIATOR_INITIAL);
 		}
+		iked_radius_acct_on(env);
 		return (0);
 	case IMSG_UDP_SOCKET:
 		return (config_getsocket(env, imsg, ikev2_msg_cb));
@@ -295,6 +297,18 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 		return (config_getflow(env, imsg));
 	case IMSG_CFG_USER:
 		return (config_getuser(env, imsg));
+	case IMSG_CFG_RADAUTH:
+		return (config_getradauth(env, imsg));
+	case IMSG_CFG_RADACCT:
+		return (config_getradacct(env, imsg));
+	case IMSG_CFG_RADSERVER:
+		return (config_getradserver(env, imsg));
+	case IMSG_CFG_RADCFGMAP:
+		return (config_getradcfgmap(env, imsg));
+	case IMSG_CFG_RADDAE:
+		return (config_getraddae(env, imsg));
+	case IMSG_CFG_RADDAECLIENT:
+		return (config_getradclient(env, imsg));
 	case IMSG_COMPILE:
 		return (config_getcompile(env));
 	case IMSG_CTL_STATIC:
@@ -1782,6 +1796,7 @@ ikev2_init_done(struct iked *env, struct iked_sa *sa)
 		ret = ikev2_childsa_enable(env, sa);
 	if (ret == 0) {
 		sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
+		iked_radius_acct_start(env, sa);
 		/* Delete exchange timeout. */
 		timer_del(env, &sa->sa_timer);
 		ikev2_enable_timer(env, sa);
@@ -2456,7 +2471,7 @@ ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf)
 	struct ikev2_cp		*cp;
 	struct ikev2_cfg	*cfg;
 	struct iked_cfg		*ikecfg;
-	unsigned int		 i;
+	unsigned int		 i, rad_ncfg = 0;
 	uint32_t		 mask4;
 	size_t			 len;
 	struct sockaddr_in	*in4;
@@ -2479,8 +2494,15 @@ ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf)
 		return (-1);
 	}
 
-	for (i = 0; i < pol->pol_ncfg; i++) {
-		ikecfg = &pol->pol_cfg[i];
+	if (sa->sa_radreq != NULL)
+		rad_ncfg = sa->sa_radreq->rr_ncfg;
+
+	for (i = 0; i < pol->pol_ncfg + rad_ncfg; i++) {
+		if (i < pol->pol_ncfg)
+			ikecfg = &pol->pol_cfg[i];
+		else
+			ikecfg = &sa->sa_radreq->rr_cfg[i - pol->pol_ncfg];
+
 		if (ikecfg->cfg_action != cp->cp_type)
 			continue;
 		/* only return one address in case of multiple pools */
@@ -3857,6 +3879,8 @@ ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa,
 	switch (sa->sa_policy->pol_auth.auth_eap) {
 	case EAP_TYPE_MSCHAP_V2:
 		return ikev2_resp_ike_eap_mschap(env, sa, msg);
+	case EAP_TYPE_RADIUS:
+		return iked_radius_request(env, sa, msg);
 	}
 	return -1;
 }
@@ -4012,6 +4036,7 @@ ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa)
 		ret = ikev2_childsa_enable(env, sa);
 	if (ret == 0) {
 		sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
+		iked_radius_acct_start(env, sa);
 		/* Delete exchange timeout. */
 		timer_del(env, &sa->sa_timer);
 		ikev2_enable_timer(env, sa);
@@ -4746,10 +4771,10 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
 		nsa->sa_tag = sa->sa_tag;
 		sa->sa_tag = NULL;
 	}
-	if (sa->sa_eapid) {
-		nsa->sa_eapid = sa->sa_eapid;
-		sa->sa_eapid = NULL;
-	}
+	/* sa_eapid needs to be set on both for radius accounting */
+	if (sa->sa_eapid)
+		nsa->sa_eapid = strdup(sa->sa_eapid);
+
 	log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)",
 	    SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8),
 	    print_xf(nsa->sa_encr->encr_id, cipher_keylength(nsa->sa_encr) -
@@ -4760,6 +4785,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa)
 	    print_xf(nsa->sa_dhgroup->id, 0, groupxfs),
 	    print_xf(nsa->sa_prf->hash_id, hash_keylength(sa->sa_prf), prfxfs));
 	sa_state(env, nsa, IKEV2_STATE_ESTABLISHED);
+	clock_gettime(CLOCK_MONOTONIC, &nsa->sa_starttime);
+	iked_radius_acct_start(env, nsa);
 	ikev2_enable_timer(env, nsa);
 
 	ikestat_inc(env, ikes_sa_rekeyed);
@@ -7028,6 +7055,7 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family)
 	const char		*errstr = NULL;
 	int			 ret, pass, passes;
 	size_t			 i;
+	struct sockaddr_in	*in4;
 
 	switch (family) {
 	case AF_INET:
@@ -7045,8 +7073,23 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family)
 		return (0);
 	/* default if no pool configured */
 	ret = 0;
+
+	/* handle the special addresses from RADIUS */
+	if (sa->sa_rad_addr != NULL) {
+		in4 = (struct sockaddr_in *)&sa->sa_rad_addr->addr;
+		/* 0xFFFFFFFF allows the user to select an address (RFC 2865) */
+		if (in4->sin_addr.s_addr == htonl(0xFFFFFFFF))
+			;/* this is  default behavior if the user selects */
+		/* 0xFFFFFFFE indicated the NAS should select (RFC 2865) */
+		else if (in4->sin_addr.s_addr == htonl(0xFFFFFFFE)) {
+			free(sa->sa_cp_addr);
+			sa->sa_cp_addr = NULL;
+		}
+	}
+
 	/* two passes if client requests from specific pool */
-	passes = (sa->sa_cp_addr != NULL || sa->sa_cp_addr6 != NULL) ? 2 : 1;
+	passes = (sa->sa_cp_addr != NULL || sa->sa_cp_addr6 != NULL ||
+	    sa->sa_rad_addr != NULL || sa->sa_rad_addr6 != NULL) ? 2 : 1;
 	for (pass = 0; pass < passes; pass++) {
 		/* loop over all address pool configs (addr_net) */
 		for (i = 0; i < pol->pol_ncfg; i++) {
@@ -7062,13 +7105,16 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family)
 					return (0);
 			}
 		}
-		if (sa->sa_cp_addr != NULL) {
+		if (family == AF_INET) {
 			free(sa->sa_cp_addr);
 			sa->sa_cp_addr = NULL;
-		}
-		if (sa->sa_cp_addr6 != NULL) {
+			free(sa->sa_rad_addr);
+			sa->sa_rad_addr = NULL;
+		} else {
 			free(sa->sa_cp_addr6);
 			sa->sa_cp_addr6 = NULL;
+			free(sa->sa_rad_addr6);
+			sa->sa_rad_addr6 = NULL;
 		}
 	}
 
@@ -7088,7 +7134,7 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
 	char			 idstr[IKED_ID_SIZE];
 	struct iked_addr	 addr;
 	uint32_t		 mask, host, lower, upper, start, nhost;
-	int			 requested = 0;
+	int			 requested = 0, rad_requested = 0;
 
 	/*
 	 * failure: pool configured, but not requested.
@@ -7165,8 +7211,14 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
 	case AF_INET:
 		cfg4 = (struct sockaddr_in *)&ikecfg->cfg.address.addr;
 		mask = prefixlen2mask(ikecfg->cfg.address.addr_mask);
-		if (sa->sa_cp_addr != NULL) {
-			memcpy(&addr, sa->sa_cp_addr, sizeof(addr));
+		if (sa->sa_cp_addr != NULL || sa->sa_rad_addr != NULL) {
+			if (sa->sa_rad_addr != NULL) {
+				rad_requested = 1;
+				memcpy(&addr, sa->sa_rad_addr, sizeof(addr));
+			} else {
+				requested = 1;
+				memcpy(&addr, sa->sa_cp_addr, sizeof(addr));
+			}
 			key.sa_addrpool = &addr;
 			in4 = (struct sockaddr_in *)&addr.addr;
 			if ((in4->sin_addr.s_addr & mask) !=
@@ -7179,10 +7231,16 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
 				*errstr = "requested addr in use";
 				return (-1);
 			}
-			sa->sa_addrpool = sa->sa_cp_addr;
-			sa->sa_cp_addr = NULL;
+			if (sa->sa_rad_addr != NULL) {
+				sa->sa_addrpool = sa->sa_rad_addr;
+				sa->sa_rad_addr = NULL;
+			} else {
+				sa->sa_addrpool = sa->sa_cp_addr;
+				sa->sa_cp_addr = NULL;
+			}
+			free(sa->sa_cp_addr);
+			free(sa->sa_rad_addr);
 			RB_INSERT(iked_addrpool, &env->sc_addrpool, sa);
-			requested = 1;
 			goto done;
 		}
 		in4 = (struct sockaddr_in *)&addr.addr;
@@ -7194,7 +7252,7 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
 	case AF_INET6:
 		cfg6 = (struct sockaddr_in6 *)&ikecfg->cfg.address.addr;
 		in6 = (struct sockaddr_in6 *)&addr.addr;
-		if (sa->sa_cp_addr6 != NULL) {
+		if (sa->sa_cp_addr6 != NULL || sa->sa_rad_addr6 != NULL) {
 			/* XXX not yet supported */
 		}
 		in6->sin6_family = AF_INET6;
@@ -7280,9 +7338,10 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa,
  done:
 	if (ikev2_print_id(IKESA_DSTID(sa), idstr, sizeof(idstr)) == -1)
 		bzero(idstr, sizeof(idstr));
-	log_info("%sassigned address %s to %s%s", SPI_SA(sa, NULL),
+	log_info("%sassigned address %s to %s%s%s", SPI_SA(sa, NULL),
 	    print_addr(&addr.addr),
-	    idstr, requested ? " (requested by peer)" : "");
+	    idstr, requested ? " (requested by peer)" : "",
+	    rad_requested? "(requested by RADIUS)" : "");
 	return (0);
 }
 
@@ -7628,6 +7687,8 @@ ikev2_log_established(struct iked_sa *sa)
 {
 	char dstid[IKED_ID_SIZE], srcid[IKED_ID_SIZE];
 
+	clock_gettime(CLOCK_MONOTONIC, &sa->sa_starttime);
+
 	if (ikev2_print_id(IKESA_DSTID(sa), dstid, sizeof(dstid)) == -1)
 		bzero(dstid, sizeof(dstid));
 	if (ikev2_print_id(IKESA_SRCID(sa), srcid, sizeof(srcid)) == -1)

sbin/iked/ikev2_msg.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2_msg.c,v 1.101 2024/03/02 16:16:07 tobhe Exp $	*/
+/*	$OpenBSD: ikev2_msg.c,v 1.102 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -203,6 +203,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
 		ibuf_free(msg->msg_cookie);
 		ibuf_free(msg->msg_cookie2);
 		ibuf_free(msg->msg_del_buf);
+		ibuf_free(msg->msg_eapmsg);
 		free(msg->msg_eap.eam_user);
 		free(msg->msg_cp_addr);
 		free(msg->msg_cp_addr6);
@@ -219,6 +220,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg)
 		msg->msg_cookie = NULL;
 		msg->msg_cookie2 = NULL;
 		msg->msg_del_buf = NULL;
+		msg->msg_eapmsg = NULL;
 		msg->msg_eap.eam_user = NULL;
 		msg->msg_cp_addr = NULL;
 		msg->msg_cp_addr6 = NULL;

sbin/iked/ikev2_pld.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2_pld.c,v 1.135 2024/04/02 19:58:28 tobhe Exp $	*/
+/*	$OpenBSD: ikev2_pld.c,v 1.136 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -2104,6 +2104,15 @@ ikev2_pld_eap(struct iked *env, struct ikev2_payload *pld,
 
 		if (eap_parse(env, sa, msg, eap, msg->msg_response) == -1)
 			return (-1);
+		if (msg->msg_parent->msg_eapmsg != NULL) {
+			log_info("%s: duplicate EAP in payload", __func__);
+			return (-1);
+		}
+		if ((msg->msg_parent->msg_eapmsg = ibuf_new(eap, eap_len))
+		    == NULL) {
+			log_debug("%s: failed to save eap", __func__);
+			return (-1);
+		}
 		msg->msg_parent->msg_eap.eam_found = 1;
 	}
 

sbin/iked/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.146 2024/04/25 14:24:54 jsg Exp $	*/
+/*	$OpenBSD: parse.y,v 1.147 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -38,9 +38,12 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <ifaddrs.h>
+#include <inttypes.h>
 #include <limits.h>
 #include <netdb.h>
+#include <radius.h>
 #include <stdarg.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -107,6 +110,8 @@ static char		*ocsp_url = NULL;
 static long		 ocsp_tolerate = 0;
 static long		 ocsp_maxage = -1;
 static int		 cert_partial_chain = 0;
+static struct iked_radopts
+			 radauth, radacct;
 
 struct iked_transform ikev2_default_ike_transforms[] = {
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
@@ -394,6 +399,8 @@ static int		 expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *,
 			    struct ipsec_addr_wrap *);
 static struct ipsec_addr_wrap *
 			 expand_keyword(struct ipsec_addr_wrap *);
+struct iked_radserver *
+			 create_radserver(const char *, u_short, const char *);
 
 struct ipsec_transforms *ipsec_transforms;
 struct ipsec_filters *ipsec_filters;
@@ -407,6 +414,7 @@ typedef struct {
 		uint8_t			 ikemode;
 		uint8_t			 dir;
 		uint8_t			 satype;
+		uint8_t			 accounting;
 		char			*string;
 		uint16_t		 port;
 		struct ipsec_hosts	*hosts;
@@ -427,6 +435,10 @@ typedef struct {
 		struct ipsec_transforms	*transforms;
 		struct ipsec_filters	*filters;
 		struct ipsec_mode	*mode;
+		struct {
+			uint32_t	 vendorid;
+			uint8_t		 attrtype;
+		} radattr;
 	} v;
 	int lineno;
 } YYSTYPE;
@@ -446,6 +458,8 @@ typedef struct {
 %token	TOLERATE MAXAGE DYNAMIC
 %token	CERTPARTIALCHAIN
 %token	REQUEST IFACE
+%token	RADIUS ACCOUNTING SERVER SECRET MAX_TRIES MAX_FAILOVERS
+%token	CLIENT DAE LISTEN ON
 %token	<v.string>		STRING
 %token	<v.number>		NUMBER
 %type	<v.string>		string
@@ -453,7 +467,7 @@ typedef struct {
 %type	<v.proto>		proto proto_list protoval
 %type	<v.hosts>		hosts hosts_list
 %type	<v.port>		port
-%type	<v.number>		portval af rdomain
+%type	<v.number>		portval af rdomain hexdecnumber
 %type	<v.peers>		peers
 %type	<v.anyhost>		anyhost
 %type	<v.host>		host host_spec
@@ -470,6 +484,8 @@ typedef struct {
 %type	<v.string>		name iface
 %type	<v.cfg>			cfg ikecfg ikecfgvals
 %type	<v.string>		transform_esn
+%type	<v.accounting>		accounting
+%type	<v.radattr>		radattr
 %%
 
 grammar		: /* empty */
@@ -478,6 +494,7 @@ grammar		: /* empty */
 		| grammar set '\n'
 		| grammar user '\n'
 		| grammar ikev2rule '\n'
+		| grammar radius '\n'
 		| grammar varset '\n'
 		| grammar otherrule skipline '\n'
 		| grammar error '\n'		{ file->errors++; }
@@ -1039,6 +1056,11 @@ ikeauth		: /* empty */			{
 			$$.auth_eap = 0;
 			explicit_bzero(&$2, sizeof($2));
 		}
+		| EAP RADIUS			{
+			$$.auth_method = IKEV2_AUTH_SIG_ANY;
+			$$.auth_eap = EAP_TYPE_RADIUS;
+			$$.auth_length = 0;
+		}
 		| EAP STRING			{
 			unsigned int i;
 
@@ -1046,7 +1068,11 @@ ikeauth		: /* empty */			{
 				if ($2[i] == '-')
 					$2[i] = '_';
 
-			if (strcasecmp("mschap_v2", $2) != 0) {
+			if (strcasecmp("mschap_v2", $2) == 0)
+				$$.auth_eap = EAP_TYPE_MSCHAP_V2;
+			else if (strcasecmp("radius", $2) == 0)
+				$$.auth_eap = EAP_TYPE_RADIUS;
+			else {
 				yyerror("unsupported EAP method: %s", $2);
 				free($2);
 				YYERROR;
@@ -1054,7 +1080,6 @@ ikeauth		: /* empty */			{
 			free($2);
 
 			$$.auth_method = IKEV2_AUTH_SIG_ANY;
-			$$.auth_eap = EAP_TYPE_MSCHAP_V2;
 			$$.auth_length = 0;
 		}
 		| STRING			{
@@ -1245,6 +1270,202 @@ string		: string STRING
 		| STRING
 		;
 
+radius		: RADIUS accounting SERVER STRING port SECRET STRING
+		{
+			int		 ret, gai_err;
+			struct addrinfo	 hints, *ai;
+			u_short		 port;
+
+			memset(&hints, 0, sizeof(hints));
+			hints.ai_family = PF_UNSPEC;
+			hints.ai_socktype = SOCK_DGRAM;
+			hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+			if ((gai_err = getaddrinfo($4, NULL, &hints, &ai))
+			    != 0) {
+				yyerror("could not parse the address: %s: %s",
+				    $4, gai_strerror(gai_err));
+				free($4);
+				explicit_bzero($7, strlen($7));
+				free($7);
+				YYERROR;
+			}
+			port = $5;
+			if (port == 0)
+				port = htons((!$2)? RADIUS_DEFAULT_PORT :
+				    RADIUS_ACCT_DEFAULT_PORT);
+			socket_af(ai->ai_addr, port);
+			if ((ret = config_setradserver(env, ai->ai_addr,
+			    ai->ai_addrlen, $7, $2)) != 0) {
+				yyerror("could not set radius server");
+				free($4);
+				explicit_bzero($7, strlen($7));
+				free($7);
+				YYERROR;
+			}
+			explicit_bzero($7, strlen($7));
+			freeaddrinfo(ai);
+			free($4);
+			free($7);
+		}
+		| RADIUS accounting MAX_TRIES NUMBER {
+			if ($4 <= 0) {
+				yyerror("max-tries must a positive value");
+				YYERROR;
+			}
+			if ($2)
+				radacct.max_tries = $4;
+			else
+				radauth.max_tries = $4;
+		}
+		| RADIUS accounting MAX_FAILOVERS NUMBER {
+			if ($4 < 0) {
+				yyerror("max-failovers must be 0 or a "
+				    "positive value");
+				YYERROR;
+			}
+			if ($2)
+				radacct.max_failovers = $4;
+			else
+				radauth.max_failovers = $4;
+		}
+		| RADIUS CONFIG af STRING radattr {
+			const struct ipsec_xf	*xf;
+			int			 af, cfgtype;
+
+			af = $3;
+			if (af == AF_UNSPEC)
+				af = AF_INET;
+			if (strcmp($4, "none") == 0)
+				cfgtype = 0;
+			else {
+				if ((xf = parse_xf($4, af, cpxfs)) == NULL ||
+				    xf->id == IKEV2_CFG_INTERNAL_IP4_SUBNET ||
+				    xf->id == IKEV2_CFG_INTERNAL_IP6_SUBNET) {
+					yyerror("not a valid ikecfg option");
+					free($4);
+					YYERROR;
+				}
+				cfgtype = xf->id;
+			}
+			free($4);
+			config_setradcfgmap(env, cfgtype, $5.vendorid,
+			    $5.attrtype);
+		}
+		| RADIUS DAE LISTEN ON STRING port {
+			int		 ret, gai_err;
+			struct addrinfo	 hints, *ai;
+			u_short		 port;
+
+			memset(&hints, 0, sizeof(hints));
+			hints.ai_family = PF_UNSPEC;
+			hints.ai_socktype = SOCK_DGRAM;
+			hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+			if ((gai_err = getaddrinfo($5, NULL, &hints, &ai))
+			    != 0) {
+				yyerror("could not parse the address: %s: %s",
+				    $5, gai_strerror(gai_err));
+				free($5);
+				YYERROR;
+			}
+			port = $6;
+			if (port == 0)
+				port = htons(RADIUS_DAE_DEFAULT_PORT);
+			socket_af(ai->ai_addr, port);
+			if ((ret = config_setraddae(env, ai->ai_addr,
+			    ai->ai_addrlen)) != 0) {
+				yyerror("could not set radius server");
+				free($5);
+				YYERROR;
+			}
+			freeaddrinfo(ai);
+			free($5);
+		}
+		| RADIUS DAE CLIENT STRING SECRET STRING {
+			int		 gai_err;
+			struct addrinfo	 hints, *ai;
+
+			memset(&hints, 0, sizeof(hints));
+			hints.ai_family = PF_UNSPEC;
+			hints.ai_socktype = SOCK_DGRAM;
+			hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+			if ((gai_err = getaddrinfo($4, NULL, &hints, &ai))
+			    != 0) {
+				yyerror("could not parse the address: %s: %s",
+				    $4, gai_strerror(gai_err));
+				free($4);
+				explicit_bzero($6, strlen($6));
+				free($6);
+				YYERROR;
+			}
+			config_setradclient(env, ai->ai_addr, ai->ai_addrlen,
+			    $6);
+			free($4);
+			explicit_bzero($6, strlen($6));
+			free($6);
+			freeaddrinfo(ai);
+		}
+		;
+
+radattr		: hexdecnumber hexdecnumber {
+			if ($1 < 0 || 0xffffffL < $1) {
+				yyerror("vendor-id must be in 0-0xffffff");
+				YYERROR;
+			}
+			if ($2 < 0 || 256 <= $2) {
+				yyerror("attribute type must be in 0-255");
+				YYERROR;
+			}
+			$$.vendorid = $1;
+			$$.attrtype = $2;
+		}
+		| hexdecnumber {
+			if ($1 < 0 || 256 <= $1) {
+				yyerror("attribute type must be in 0-255");
+				YYERROR;
+			}
+			$$.vendorid = 0;
+			$$.attrtype = $1;
+		}
+
+hexdecnumber	: STRING {
+			const char	*errstr;
+			char		*ep;
+			uintmax_t	 ul;
+
+			if ($1[0] == '0' && $1[1] == 'x' && isxdigit($1[2])) {
+				ul = strtoumax($1 + 2, &ep, 16);
+				if (*ep != '\0') {
+					yyerror("`%s' is not a number", $1);
+					free($1);
+					YYERROR;
+				}
+				if (ul == UINTMAX_MAX || ul > UINT64_MAX) {
+					yyerror("`%s' is out-of-range", $1);
+					free($1);
+					YYERROR;
+				}
+				$$ = ul;
+			} else {
+				$$ = strtonum($1, 0, UINT64_MAX, &errstr);
+				if (errstr != NULL) {
+					yyerror("`%s' is %s", $1, errstr);
+					free($1);
+					YYERROR;
+				}
+			}
+			free($1);
+		}
+		| NUMBER
+		;
+
+accounting	: {
+			$$ = 0;
+		}
+		| ACCOUNTING {
+			$$ = 1;
+		}
+		;
+
 varset		: STRING '=' string
 		{
 			char *s = $1;
@@ -1336,6 +1557,7 @@ lookup(char *s)
 {
 	/* this has to be sorted always */
 	static const struct keywords keywords[] = {
+		{ "accounting",		ACCOUNTING },
 		{ "active",		ACTIVE },
 		{ "ah",			AH },
 		{ "any",		ANY },
@@ -1343,8 +1565,10 @@ lookup(char *s)
 		{ "bytes",		BYTES },
 		{ "cert_partial_chain",	CERTPARTIALCHAIN },
 		{ "childsa",		CHILDSA },
+		{ "client",		CLIENT },
 		{ "config",		CONFIG },
 		{ "couple",		COUPLE },
+		{ "dae",		DAE },
 		{ "decouple",		DECOUPLE },
 		{ "default",		DEFAULT },
 		{ "dpd_check_interval",	DPD_CHECK_INTERVAL },
@@ -1370,7 +1594,10 @@ lookup(char *s)
 		{ "inet6",		INET6 },
 		{ "ipcomp",		IPCOMP },
 		{ "lifetime",		LIFETIME },
+		{ "listen",		LISTEN },
 		{ "local",		LOCAL },
+		{ "max-failovers",	MAX_FAILOVERS},
+		{ "max-tries",		MAX_TRIES },
 		{ "maxage",		MAXAGE },
 		{ "mobike",		MOBIKE },
 		{ "name",		NAME },
@@ -1381,6 +1608,7 @@ lookup(char *s)
 		{ "nostickyaddress",	NOSTICKYADDRESS },
 		{ "novendorid",		NOVENDORID },
 		{ "ocsp",		OCSP },
+		{ "on",			ON },
 		{ "passive",		PASSIVE },
 		{ "peer",		PEER },
 		{ "port",		PORT },
@@ -1388,9 +1616,12 @@ lookup(char *s)
 		{ "proto",		PROTO },
 		{ "psk",		PSK },
 		{ "quick",		QUICK },
+		{ "radius",		RADIUS },
 		{ "rdomain",		RDOMAIN },
 		{ "request",		REQUEST },
 		{ "sa",			SA },
+		{ "secret",		SECRET },
+		{ "server",		SERVER },
 		{ "set",		SET },
 		{ "skip",		SKIP },
 		{ "srcid",		SRCID },
@@ -1792,6 +2023,10 @@ parse_config(const char *filename, struct iked *x_env)
 	dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT;
 	decouple = passive = 0;
 	ocsp_url = NULL;
+	radauth.max_tries = 3;
+	radauth.max_failovers = 0;
+	radacct.max_tries = 3;
+	radacct.max_failovers = 0;
 
 	if (env->sc_opts & IKED_OPT_PASSIVE)
 		passive = 1;
@@ -1812,6 +2047,8 @@ parse_config(const char *filename, struct iked *x_env)
 	env->sc_ocsp_maxage = ocsp_maxage;
 	env->sc_cert_partial_chain = cert_partial_chain;
 	env->sc_vendorid = vendorid;
+	env->sc_radauth = radauth;
+	env->sc_radacct = radacct;
 
 	if (!rules)
 		log_warnx("%s: no valid configuration rules found",

sbin/iked/pfkey.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfkey.c,v 1.84 2023/08/14 12:02:02 tobhe Exp $	*/
+/*	$OpenBSD: pfkey.c,v 1.85 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -111,8 +111,11 @@ int	pfkey_write(struct iked *, struct sadb_msg *, struct iovec *, int,
 	    uint8_t **, ssize_t *);
 int	pfkey_reply(int, uint8_t **, ssize_t *);
 void	pfkey_dispatch(int, short, void *);
-int	pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *);
+int	pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *,
+	    struct iked_sastats *);
 int	pfkey_sa_check_exists(struct iked *, struct iked_childsa *);
+int	pfkey_sa_sastats(struct iked *, struct iked_childsa *,
+	    struct iked_sastats *);
 
 struct sadb_ident *
 	pfkey_id2ident(struct iked_id *, unsigned int);
@@ -872,7 +875,8 @@ pfkey_sa(struct iked *env, uint8_t satype, uint8_t action, struct iked_childsa *
 }
 
 int
-pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used)
+pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used,
+    struct iked_sastats *stats)
 {
 	struct iked_policy	*pol = sa->csa_ikesa->sa_policy;
 	struct sadb_msg		*msg, smsg;
@@ -880,6 +884,7 @@ pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used)
 	struct sadb_sa		 sadb;
 	struct sadb_x_rdomain	 sa_rdomain;
 	struct sadb_lifetime	*sa_life;
+	struct sadb_x_counter	*sa_counter;
 	struct sockaddr_storage	 ssrc, sdst;
 	struct iovec		 iov[IOV_CNT];
 	uint64_t		 pad = 0;
@@ -1012,6 +1017,20 @@ pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used)
 		*last_used = sa_life->sadb_lifetime_usetime;
 		log_debug("%s: last_used %llu", __func__, *last_used);
 	}
+	if (stats) {
+		if ((sa_counter = pfkey_find_ext(data, n,
+		    SADB_X_EXT_COUNTER)) == NULL) {
+			/* has never been used */
+			ret = -1;
+			goto done;
+		}
+		stats->sas_ibytes = sa_counter->sadb_x_counter_ibytes;
+		stats->sas_obytes = sa_counter->sadb_x_counter_obytes;
+		stats->sas_ipackets = sa_counter->sadb_x_counter_ipackets;
+		stats->sas_opackets = sa_counter->sadb_x_counter_opackets;
+		stats->sas_idrops = sa_counter->sadb_x_counter_idrops;
+		stats->sas_odrops = sa_counter->sadb_x_counter_odrops;
+	}
 
 #undef PAD
 done:
@@ -1022,13 +1041,20 @@ done:
 int
 pfkey_sa_last_used(struct iked *env, struct iked_childsa *sa, uint64_t *last_used)
 {
-	return pfkey_sa_lookup(env, sa, last_used);
+	return pfkey_sa_lookup(env, sa, last_used, NULL);
 }
 
 int
 pfkey_sa_check_exists(struct iked *env, struct iked_childsa *sa)
 {
-	return pfkey_sa_lookup(env, sa, NULL);
+	return pfkey_sa_lookup(env, sa, NULL, NULL);
+}
+
+int
+pfkey_sa_sastats(struct iked *env, struct iked_childsa *sa,
+    struct iked_sastats *stats)
+{
+	return pfkey_sa_lookup(env, sa, NULL, stats);
 }
 
 int
@@ -1582,7 +1608,8 @@ pfkey_sa_update_addresses(struct iked *env, struct iked_childsa *sa)
 int
 pfkey_sa_delete(struct iked *env, struct iked_childsa *sa)
 {
-	uint8_t		satype;
+	uint8_t			satype;
+	struct iked_sastats	sas;
 
 	if (!sa->csa_loaded || sa->csa_spi.spi == 0)
 		return (0);
@@ -1590,11 +1617,23 @@ pfkey_sa_delete(struct iked *env, struct iked_childsa *sa)
 	if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1)
 		return (-1);
 
+	/* preserve the statistics */
+	memset(&sas, 0, sizeof(sas));
+	pfkey_sa_sastats(env, sa, &sas);
+
 	if (pfkey_sa(env, satype, SADB_DELETE, sa) == -1 &&
 	    pfkey_sa_check_exists(env, sa) == 0)
 		return (-1);
 
 	sa->csa_loaded = 0;
+
+	sa->csa_ikesa->sa_stats.sas_ipackets += sas.sas_ipackets;
+	sa->csa_ikesa->sa_stats.sas_opackets += sas.sas_opackets;
+	sa->csa_ikesa->sa_stats.sas_ibytes += sas.sas_ibytes;
+	sa->csa_ikesa->sa_stats.sas_obytes += sas.sas_obytes;
+	sa->csa_ikesa->sa_stats.sas_idrops += sas.sas_idrops;
+	sa->csa_ikesa->sa_stats.sas_odrops += sas.sas_odrops;
+
 	return (0);
 }
 

sbin/iked/policy.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: policy.c,v 1.98 2024/02/03 00:54:14 jsg Exp $	*/
+/*	$OpenBSD: policy.c,v 1.99 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2020-2021 Tobias Heider <tobhe@openbsd.org>
@@ -60,6 +60,11 @@ policy_init(struct iked *env)
 {
 	TAILQ_INIT(&env->sc_policies);
 	TAILQ_INIT(&env->sc_ocsp);
+	TAILQ_INIT(&env->sc_radauthservers);
+	TAILQ_INIT(&env->sc_radacctservers);
+	TAILQ_INIT(&env->sc_radcfgmaps);
+	TAILQ_INIT(&env->sc_raddaes);
+	TAILQ_INIT(&env->sc_raddaeclients);
 	RB_INIT(&env->sc_users);
 	RB_INIT(&env->sc_sas);
 	RB_INIT(&env->sc_dstid_sas);

sbin/iked/radius.c

@@ -0,0 +1,937 @@
+/*	$OpenBSD: radius.c,v 1.7 2024/07/13 14:28:27 yasuoka Exp $	*/
+
+/*
+ * Copyright (c) 2024 Internet Initiative Japan Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <netinet/ip_ipsp.h>
+
+#include <endian.h>
+#include <event.h>
+#include <errno.h>
+#include <imsg.h>
+#include <limits.h>
+#include <netinet/in.h>
+#include <radius.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <time.h>
+
+#include "iked.h"
+#include "eap.h"
+#include "ikev2.h"
+#include "types.h"
+
+void	 iked_radius_request_send(struct iked *, void *);
+void	 iked_radius_fill_attributes(struct iked_sa *, RADIUS_PACKET *);
+void	 iked_radius_config(struct iked_radserver_req *, const RADIUS_PACKET *,
+	    int, uint32_t, uint8_t);
+void	 iked_radius_acct_request(struct iked *, struct iked_sa *, uint8_t);
+
+const struct iked_radcfgmap radius_cfgmaps[] = {
+    { IKEV2_CFG_INTERNAL_IP4_ADDRESS, 0, RADIUS_TYPE_FRAMED_IP_ADDRESS },
+    { IKEV2_CFG_INTERNAL_IP4_NETMASK, 0, RADIUS_TYPE_FRAMED_IP_NETMASK },
+    { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
+	RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER },
+    { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT,
+	RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER },
+    { IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
+	RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER },
+    { IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT,
+	RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER },
+    { 0 }
+};
+
+int
+iked_radius_request(struct iked *env, struct iked_sa *sa,
+    struct iked_message *msg)
+{
+	struct eap_message		*eap;
+	RADIUS_PACKET			*pkt;
+	size_t				 len;
+
+	eap = ibuf_data(msg->msg_eapmsg);
+	len = betoh16(eap->eap_length);
+	if (eap->eap_code != EAP_CODE_RESPONSE) {
+		log_debug("%s: eap_code is not response %u", __func__,
+		    (unsigned)eap->eap_code);
+		return -1;
+	}
+
+	if (eap->eap_type == EAP_TYPE_IDENTITY) {
+		if ((sa->sa_radreq = calloc(1,
+		    sizeof(struct iked_radserver_req))) == NULL) {
+			log_debug(
+			    "%s: calloc failed for iked_radserver_req: %s",
+			    __func__, strerror(errno));
+			return (-1);
+		}
+		timer_set(env, &sa->sa_radreq->rr_timer,
+		    iked_radius_request_send, sa->sa_radreq);
+		sa->sa_radreq->rr_user = strdup(msg->msg_eap.eam_identity);
+	}
+
+	if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST))
+	    == NULL) {
+		log_debug("%s: radius_new_request_packet failed %s", __func__,
+		    strerror(errno));
+		return -1;
+	}
+
+	radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME,
+	    sa->sa_radreq->rr_user);
+	if (sa->sa_radreq->rr_state != NULL)
+		radius_put_raw_attr(pkt, RADIUS_TYPE_STATE,
+		    ibuf_data(sa->sa_radreq->rr_state),
+		    ibuf_size(sa->sa_radreq->rr_state));
+
+	if (radius_put_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
+	    (uint8_t *)eap, len) == -1) {
+		log_debug("%s: radius_put_raw_attr_cat failed %s", __func__,
+		    strerror(errno));
+		return -1;
+	}
+
+	iked_radius_fill_attributes(sa, pkt);
+
+	/* save the request, it'll be needed for message authentication */
+	if (sa->sa_radreq->rr_reqpkt != NULL)
+		radius_delete_packet(sa->sa_radreq->rr_reqpkt);
+	sa->sa_radreq->rr_reqpkt = pkt;
+	sa->sa_radreq->rr_sa = sa;
+	sa->sa_radreq->rr_ntry = 0;
+
+	iked_radius_request_send(env, sa->sa_radreq);
+
+	return 0;
+}
+
+void
+iked_radius_request_free(struct iked *env, struct iked_radserver_req *req)
+{
+	if (req == NULL)
+		return;
+	timer_del(env, &req->rr_timer);
+	free(req->rr_user);
+	ibuf_free(req->rr_state);
+	if (req->rr_reqpkt)
+		radius_delete_packet(req->rr_reqpkt);
+	if (req->rr_sa)
+		req->rr_sa->sa_radreq = NULL;
+	if (req->rr_server)
+		TAILQ_REMOVE(&req->rr_server->rs_reqs, req, rr_entry);
+	free(req);
+}
+
+void
+iked_radius_on_event(int fd, short ev, void *ctx)
+{
+	struct iked			*env;
+	struct iked_radserver		*server = ctx;
+	struct iked_radserver_req	*req;
+	const struct iked_radcfgmap	*cfgmap;
+	RADIUS_PACKET			*pkt;
+	int				 i, resid;
+	struct ibuf			*e;
+	const void			*attrval;
+	size_t				 attrlen;
+	uint8_t				 code;
+	char				 username[256];
+	u_char				 eapmsk[128];
+	/* RFC 3748 defines the MSK minimum size is 64 bytes */
+	size_t				 eapmsksiz = sizeof(eapmsk);
+
+	env = server->rs_env;
+	pkt = radius_recv(server->rs_sock, 0);
+	if (pkt == NULL) {
+		log_info("%s: receiving a RADIUS message failed: %s", __func__,
+		    strerror(errno));
+		return;
+	}
+	resid = radius_get_id(pkt);
+
+	TAILQ_FOREACH(req, &server->rs_reqs, rr_entry) {
+		if (req->rr_reqid == resid)
+			break;
+	}
+	if (req == NULL) {
+		log_debug("%s: received an unknown RADIUS message: id=%u",
+		    __func__, (unsigned)resid);
+		return;
+	}
+
+	radius_set_request_packet(pkt, req->rr_reqpkt);
+	if (radius_check_response_authenticator(pkt, server->rs_secret) != 0) {
+		log_info("%s: received an invalid RADIUS message: bad "
+		    "response authenticator", __func__);
+		return;
+	}
+	if (req->rr_accounting) {
+		/* accounting */
+		code = radius_get_code(pkt);
+		switch (code) {
+		case RADIUS_CODE_ACCOUNTING_RESPONSE: /* Expected */
+			break;
+		default:
+			log_info("%s: received an invalid RADIUS message: "
+			    "code %u", __func__, (unsigned)code);
+		}
+		timer_del(env, &req->rr_timer);
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+		req->rr_server = NULL;
+		free(req);
+		return;
+	}
+
+	/* authentication */
+	if (radius_check_message_authenticator(pkt, server->rs_secret) != 0) {
+		log_info("%s: received an invalid RADIUS message: bad "
+		    "message authenticator", __func__);
+		return;
+	}
+
+	timer_del(env, &req->rr_timer);
+	req->rr_ntry = 0;
+
+	if (req->rr_sa == NULL)
+		goto fail;
+
+	code = radius_get_code(pkt);
+	switch (code) {
+	case RADIUS_CODE_ACCESS_CHALLENGE:
+		if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_STATE, &attrval,
+		    &attrlen) != 0) {
+			log_info("%s: received an invalid RADIUS message: no "
+			    "state attribute", __func__);
+			goto fail;
+		}
+		if ((req->rr_state != NULL &&
+		    ibuf_set(req->rr_state, 0, attrval, attrlen) != 0) ||
+		    (req->rr_state = ibuf_new(attrval, attrlen)) == NULL) {
+			log_info("%s: ibuf_new() failed: %s", __func__,
+			    strerror(errno));
+			goto fail;
+		}
+		break;
+	case RADIUS_CODE_ACCESS_ACCEPT:
+		log_info("%s: received Access-Accept for %s",
+		    SPI_SA(req->rr_sa, __func__), req->rr_user);
+		/* Try to retrieve the EAP MSK from the RADIUS response */
+		if (radius_get_eap_msk(pkt, eapmsk, &eapmsksiz,
+		    server->rs_secret) == 0) {
+			ibuf_free(req->rr_sa->sa_eapmsk);
+			if ((req->rr_sa->sa_eapmsk = ibuf_new(eapmsk,
+			    eapmsksiz)) == NULL) {
+				log_info("%s: ibuf_new() failed: %s", __func__,
+				    strerror(errno));
+				goto fail;
+			}
+		} else
+			log_debug("Could not retrieve the EAP MSK from the "
+			    "RADIUS message");
+
+		free(req->rr_sa->sa_eapid);
+		/* The EAP identity might be protected (RFC 3748 7.3) */
+		if (radius_get_string_attr(pkt, RADIUS_TYPE_USER_NAME,
+		    username, sizeof(username)) == 0 &&
+		    strcmp(username, req->rr_user) != 0) {
+			/*
+			 * The Access-Accept might have a User-Name.  It
+			 * should be used for Accouting (RFC 2865 5.1).
+			 */
+			free(req->rr_user);
+			req->rr_sa->sa_eapid = strdup(username);
+		} else
+			req->rr_sa->sa_eapid = req->rr_user;
+		req->rr_user = NULL;
+
+		sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS);
+
+		/* Map RADIUS attributes to cp */
+		if (TAILQ_EMPTY(&env->sc_radcfgmaps)) {
+			for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) {
+				cfgmap = &radius_cfgmaps[i];
+				iked_radius_config(req, pkt, cfgmap->cfg_type,
+				    cfgmap->vendor_id, cfgmap->attr_type);
+			}
+		} else {
+			TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry)
+				iked_radius_config(req, pkt, cfgmap->cfg_type,
+				    cfgmap->vendor_id, cfgmap->attr_type);
+		}
+
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+		req->rr_server = NULL;
+		break;
+	case RADIUS_CODE_ACCESS_REJECT:
+		log_info("%s: received Access-Reject for %s",
+		    SPI_SA(req->rr_sa, __func__), req->rr_user);
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+		req->rr_server = NULL;
+		break;
+	default:
+		log_debug("%s: received an invalid RADIUS message: code %u",
+		    __func__, (unsigned)code);
+		break;
+	}
+
+	/* get the length first */
+	if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, NULL,
+	    &attrlen) != 0) {
+		log_info("%s: failed to retrieve the EAP message", __func__);
+		goto fail;
+	}
+	/* allocate a buffer */
+	if ((e = ibuf_new(NULL, attrlen)) == NULL) {
+		log_info("%s: ibuf_new() failed: %s", __func__,
+		    strerror(errno));
+		goto fail;
+	}
+	/* copy the message to the buffer */
+	if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE,
+	    ibuf_data(e), &attrlen) != 0) {
+		ibuf_free(e);
+		log_info("%s: failed to retrieve the EAP message", __func__);
+		goto fail;
+	}
+	ikev2_send_ike_e(env, req->rr_sa, e, IKEV2_PAYLOAD_EAP,
+	    IKEV2_EXCHANGE_IKE_AUTH, 1);
+	return;
+ fail:
+	if (req->rr_server != NULL)
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+	req->rr_server = NULL;
+	if (req->rr_sa != NULL) {
+		ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
+		sa_free(env, req->rr_sa);
+	}
+}
+
+void
+iked_radius_request_send(struct iked *env, void *ctx)
+{
+	struct iked_radserver_req	*req = ctx, *req0;
+	struct iked_radserver		*server = req->rr_server;
+	const int			 timeouts[] = { 2, 4, 8 };
+	uint8_t				 seq;
+	int				 i, max_tries, max_failovers;
+	struct sockaddr_storage		 ss;
+	socklen_t			 sslen;
+	struct iked_radservers		*radservers;
+	struct timespec			 now;
+
+	if (!req->rr_accounting) {
+		max_tries = env->sc_radauth.max_tries;
+		max_failovers = env->sc_radauth.max_failovers;
+		radservers = &env->sc_radauthservers;
+	} else {
+		max_tries = env->sc_radacct.max_tries;
+		max_failovers = env->sc_radacct.max_failovers;
+		radservers = &env->sc_radacctservers;
+	}
+
+	if (req->rr_ntry > max_tries) {
+		req->rr_ntry = 0;
+		log_info("%s: RADIUS server %s failed", __func__,
+		    print_addr(&server->rs_sockaddr));
+ next_server:
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+		req->rr_server = NULL;
+		if (req->rr_nfailover >= max_failovers ||
+		    TAILQ_NEXT(server, rs_entry) == NULL) {
+			log_info("%s: No more RADIUS server", __func__);
+			goto fail;
+		} else if (req->rr_state != NULL) {
+			log_info("%s: Can't change RADIUS server: "
+			    "client has a state already", __func__);
+			goto fail;
+		} else {
+			TAILQ_REMOVE(radservers, server, rs_entry);
+			TAILQ_INSERT_TAIL(radservers, server, rs_entry);
+			server = TAILQ_FIRST(radservers);
+			log_info("%s: RADIUS server %s is active",
+			    __func__, print_addr(&server->rs_sockaddr));
+		}
+		req->rr_nfailover++;
+	}
+
+	if (req->rr_server != NULL &&
+	    req->rr_server != TAILQ_FIRST(radservers)) {
+		/* Current server is marked fail */
+		if (req->rr_state != NULL || req->rr_nfailover >= max_failovers)
+			goto fail; /* can't fail over */
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+		req->rr_server = NULL;
+		req->rr_nfailover++;
+	}
+
+	if (req->rr_server == NULL) {
+		/* Select a new server */
+		server = TAILQ_FIRST(radservers);
+		if (server == NULL) {
+			log_info("%s: No RADIUS server is configured",
+			    __func__);
+			goto fail;
+		}
+		TAILQ_INSERT_TAIL(&server->rs_reqs, req, rr_entry);
+		req->rr_server = server;
+
+		/* Prepare NAS-IP-Address */
+		if (server->rs_nas_ipv4.s_addr == INADDR_ANY &&
+		    IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6)) {
+			sslen = sizeof(ss);
+			if (getsockname(server->rs_sock, (struct sockaddr *)&ss,
+			    &sslen) == 0) {
+				if (ss.ss_family == AF_INET)
+					server->rs_nas_ipv4 =
+					    ((struct sockaddr_in *)&ss)
+					    ->sin_addr;
+				else
+					server->rs_nas_ipv6 =
+					    ((struct sockaddr_in6 *)&ss)
+					    ->sin6_addr;
+			}
+		}
+	}
+	if (req->rr_ntry == 0) {
+		/* decide the ID */
+		seq = ++server->rs_reqseq;
+		for (i = 0; i < UCHAR_MAX; i++) {
+			TAILQ_FOREACH(req0, &server->rs_reqs, rr_entry) {
+				if (req0->rr_reqid == seq)
+					break;
+			}
+			if (req0 == NULL)
+				break;
+			seq++;
+		}
+		if (i >= UCHAR_MAX) {
+			log_info("%s: RADIUS server %s failed.  Too many "
+			    "pending requests", __func__,
+			    print_addr(&server->rs_sockaddr));
+			if (TAILQ_NEXT(server, rs_entry) != NULL)
+				goto next_server;
+			goto fail;
+		}
+		req->rr_reqid = seq;
+		radius_set_id(req->rr_reqpkt, req->rr_reqid);
+	}
+
+	if (server->rs_nas_ipv4.s_addr != INADDR_ANY)
+		radius_put_ipv4_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IP_ADDRESS,
+		    server->rs_nas_ipv4);
+	else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6))
+		radius_put_ipv6_attr(req->rr_reqpkt,
+		    RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6);
+	/* Identifier */
+	radius_put_string_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IDENTIFIER,
+	    IKED_NAS_ID);
+
+	if (req->rr_accounting) {
+		if (req->rr_ntry == 0 && req->rr_nfailover == 0)
+			radius_put_uint32_attr(req->rr_reqpkt,
+			    RADIUS_TYPE_ACCT_DELAY_TIME, 0);
+		else {
+			clock_gettime(CLOCK_MONOTONIC, &now);
+			timespecsub(&now, &req->rr_accttime, &now);
+			radius_put_uint32_attr(req->rr_reqpkt,
+			    RADIUS_TYPE_ACCT_DELAY_TIME, now.tv_sec);
+		}
+		radius_set_accounting_request_authenticator(req->rr_reqpkt,
+		    server->rs_secret);
+	} else {
+		radius_put_message_authenticator(req->rr_reqpkt,
+		    server->rs_secret);
+	}
+
+	if (radius_send(server->rs_sock, req->rr_reqpkt, 0) < 0)
+		log_info("%s: sending a RADIUS message failed: %s", __func__,
+		    strerror(errno));
+
+	if (req->rr_ntry >= (int)nitems(timeouts))
+		timer_add(env, &req->rr_timer, timeouts[nitems(timeouts) - 1]);
+	else
+		timer_add(env, &req->rr_timer, timeouts[req->rr_ntry]);
+	req->rr_ntry++;
+	return;
+ fail:
+	if (req->rr_server != NULL)
+		TAILQ_REMOVE(&server->rs_reqs, req, rr_entry);
+	req->rr_server = NULL;
+	if (req->rr_sa != NULL) {
+		ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed");
+		sa_free(env, req->rr_sa);
+	}
+}
+
+void
+iked_radius_fill_attributes(struct iked_sa *sa, RADIUS_PACKET *pkt)
+{
+	/* NAS Port Type = Virtual */
+	radius_put_uint32_attr(pkt,
+	    RADIUS_TYPE_NAS_PORT_TYPE, RADIUS_NAS_PORT_TYPE_VIRTUAL);
+	/* Service Type =  Framed */
+	radius_put_uint32_attr(pkt, RADIUS_TYPE_SERVICE_TYPE,
+	    RADIUS_SERVICE_TYPE_FRAMED);
+	/* Tunnel Type = EAP */
+	radius_put_uint32_attr(pkt, RADIUS_TYPE_TUNNEL_TYPE,
+	    RADIUS_TUNNEL_TYPE_ESP);
+
+	radius_put_string_attr(pkt, RADIUS_TYPE_CALLED_STATION_ID,
+	    print_addr(&sa->sa_local.addr));
+	radius_put_string_attr(pkt, RADIUS_TYPE_CALLING_STATION_ID,
+	    print_addr(&sa->sa_peer.addr));
+}
+
+void
+iked_radius_config(struct iked_radserver_req *req, const RADIUS_PACKET *pkt,
+    int cfg_type, uint32_t vendor_id, uint8_t attr_type)
+{
+	unsigned int		 i;
+	struct iked_sa		*sa = req->rr_sa;
+	struct in_addr		 ia4;
+	struct in6_addr		 ia6;
+	struct sockaddr_in	*sin4;
+	struct sockaddr_in6	*sin6;
+	struct iked_addr	*addr;
+	struct iked_cfg		*ikecfg;
+
+	for (i = 0; i < sa->sa_policy->pol_ncfg; i++) {
+		ikecfg = &sa->sa_policy->pol_cfg[i];
+		if (ikecfg->cfg_type == cfg_type &&
+		    ikecfg->cfg_type != IKEV2_CFG_INTERNAL_IP4_ADDRESS)
+			return;	/* use config rather than radius */
+	}
+	switch (cfg_type) {
+	case IKEV2_CFG_INTERNAL_IP4_ADDRESS:
+	case IKEV2_CFG_INTERNAL_IP4_NETMASK:
+	case IKEV2_CFG_INTERNAL_IP4_DNS:
+	case IKEV2_CFG_INTERNAL_IP4_NBNS:
+	case IKEV2_CFG_INTERNAL_IP4_DHCP:
+	case IKEV2_CFG_INTERNAL_IP4_SERVER:
+		if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
+			radius_get_ipv4_attr(pkt, attr_type, &ia4);
+		else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
+		    attr_type))
+			radius_get_vs_ipv4_attr(pkt, vendor_id, attr_type,
+			    &ia4);
+		else
+			break; /* no attribute contained */
+
+		if (cfg_type == IKEV2_CFG_INTERNAL_IP4_NETMASK) {
+			/*
+			 * This assumes IKEV2_CFG_INTERNAL_IP4_ADDRESS is
+			 * called before IKEV2_CFG_INTERNAL_IP4_NETMASK
+			 */
+			if (sa->sa_rad_addr == NULL) {
+				/*
+				 * RFC 7296, IKEV2_CFG_INTERNAL_IP4_NETMASK
+				 * must be used with
+				 * IKEV2_CFG_INTERNAL_IP4_ADDRESS
+				 */
+				break;
+			}
+			if (ia4.s_addr == 0) {
+				log_debug("%s: netmask is wrong", __func__);
+				break;
+			}
+			if (ia4.s_addr == htonl(0))
+				sa->sa_rad_addr->addr_mask = 0;
+			else
+				sa->sa_rad_addr->addr_mask =
+				    33 - ffs(ntohl(ia4.s_addr));
+			if (sa->sa_rad_addr->addr_mask < 32)
+				sa->sa_rad_addr->addr_net = 1;
+		}
+		if (cfg_type == IKEV2_CFG_INTERNAL_IP4_ADDRESS) {
+			if ((addr = calloc(1, sizeof(*addr))) == NULL) {
+				log_warn("%s: calloc", __func__);
+				return;
+			}
+			sa->sa_rad_addr = addr;
+		} else {
+			req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
+			req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
+			addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
+			req->rr_ncfg++;
+		}
+		addr->addr_af = AF_INET;
+		sin4 = (struct sockaddr_in *)&addr->addr;
+		sin4->sin_family = AF_INET;
+		sin4->sin_len = sizeof(struct sockaddr_in);
+		sin4->sin_addr = ia4;
+		break;
+	case IKEV2_CFG_INTERNAL_IP6_ADDRESS:
+	case IKEV2_CFG_INTERNAL_IP6_DNS:
+	case IKEV2_CFG_INTERNAL_IP6_NBNS:
+	case IKEV2_CFG_INTERNAL_IP6_DHCP:
+	case IKEV2_CFG_INTERNAL_IP6_SERVER:
+		if (vendor_id == 0 && radius_has_attr(pkt, attr_type))
+			radius_get_ipv6_attr(pkt, attr_type, &ia6);
+		else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id,
+		    attr_type))
+			radius_get_vs_ipv6_attr(pkt, vendor_id, attr_type,
+			    &ia6);
+		else
+			break; /* no attribute contained */
+
+		if (cfg_type == IKEV2_CFG_INTERNAL_IP6_ADDRESS) {
+			if ((addr = calloc(1, sizeof(*addr))) == NULL) {
+				log_warn("%s: calloc", __func__);
+				return;
+			}
+			sa->sa_rad_addr = addr;
+		} else {
+			req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY;
+			req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type;
+			addr = &req->rr_cfg[req->rr_ncfg].cfg.address;
+			req->rr_ncfg++;
+		}
+		addr->addr_af = AF_INET;
+		sin6 = (struct sockaddr_in6 *)&addr->addr;
+		sin6->sin6_family = AF_INET6;
+		sin6->sin6_len = sizeof(struct sockaddr_in6);
+		sin6->sin6_addr = ia6;
+		break;
+	}
+	return;
+}
+
+void
+iked_radius_acct_on(struct iked *env)
+{
+	if (TAILQ_EMPTY(&env->sc_radacctservers))
+		return;
+	if (env->sc_radaccton == 0) {	/* trigger once */
+		iked_radius_acct_request(env, NULL,
+		    RADIUS_ACCT_STATUS_TYPE_ACCT_ON);
+		env->sc_radaccton = 1;
+	}
+}
+
+void
+iked_radius_acct_off(struct iked *env)
+{
+	iked_radius_acct_request(env, NULL, RADIUS_ACCT_STATUS_TYPE_ACCT_OFF);
+}
+
+void
+iked_radius_acct_start(struct iked *env, struct iked_sa *sa)
+{
+	iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_START);
+}
+
+void
+iked_radius_acct_stop(struct iked *env, struct iked_sa *sa)
+{
+	iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_STOP);
+}
+
+void
+iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype)
+{
+	struct iked_radserver_req	*req;
+	RADIUS_PACKET			*pkt;
+	struct iked_addr		*addr4 = NULL;
+	struct iked_addr		*addr6 = NULL;
+	struct in_addr			 mask4;
+	char				 sa_id[IKED_ID_SIZE];
+	char				 sid[16 + 1];
+	struct timespec			 now;
+	int				 cause;
+
+	if (TAILQ_EMPTY(&env->sc_radacctservers))
+		return;
+	/*
+	 * In RFC2866 5.6, "Users who are delivered service without
+	 * being authenticated SHOULD NOT generate Accounting records
+	 */
+	if (sa != NULL && sa->sa_eapid == NULL) {
+		/* fallback to IKEID for accounting */
+		if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) != -1)
+			sa->sa_eapid = strdup(sa_id);
+		if (sa->sa_eapid == NULL)
+			return;
+	}
+
+	if ((req = calloc(1, sizeof(struct iked_radserver_req))) == NULL) {
+		log_debug("%s: calloc faile for iked_radserver_req: %s",
+		    __func__, strerror(errno));
+		return;
+	}
+	req->rr_accounting = 1;
+	clock_gettime(CLOCK_MONOTONIC, &now);
+	req->rr_accttime = now;
+	timer_set(env, &req->rr_timer, iked_radius_request_send, req);
+
+	if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCOUNTING_REQUEST))
+	    == NULL) {
+		log_debug("%s: radius_new_request_packet failed %s", __func__,
+		    strerror(errno));
+		return;
+	}
+
+	/* RFC 2866  5.1. Acct-Status-Type */
+	radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE, stype);
+
+	if (sa == NULL) {
+		/* ASSERT(stype == RADIUS_ACCT_STATUS_TYPE_ACCT_ON ||
+		    stype == RADIUS_ACCT_STATUS_TYPE_ACCT_OFF) */
+		req->rr_reqpkt = pkt;
+		req->rr_ntry = 0;
+		iked_radius_request_send(env, req);
+		return;
+	}
+
+	iked_radius_fill_attributes(sa, pkt);
+
+	radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME, sa->sa_eapid);
+
+	/* RFC 2866  5.5. Acct-Session-Id */
+	snprintf(sid, sizeof(sid), "%016llx",
+	    (unsigned long long)sa->sa_hdr.sh_ispi);
+	radius_put_string_attr(pkt, RADIUS_TYPE_ACCT_SESSION_ID, sid);
+
+	/* Accounting Request must have Framed-IP-Address */
+	addr4 = sa->sa_addrpool;
+	if (addr4 != NULL) {
+		radius_put_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS,
+		    ((struct sockaddr_in *)&addr4->addr)->sin_addr);
+		if (addr4->addr_mask != 0) {
+			mask4.s_addr = htonl(
+			    0xFFFFFFFFUL << (32 - addr4->addr_mask));
+			radius_put_ipv4_attr(pkt,
+			    RADIUS_TYPE_FRAMED_IP_NETMASK, mask4);
+		}
+	}
+	addr6 = sa->sa_addrpool6;
+	if (addr6 != NULL)
+		radius_put_ipv6_attr(pkt, RADIUS_TYPE_FRAMED_IPV6_ADDRESS,
+		    &((struct sockaddr_in6 *)&addr6->addr)->sin6_addr);
+
+	/* RFC2866 5.6 Acct-Authentic */
+	radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_AUTHENTIC,
+	    (sa->sa_radreq != NULL)? RADIUS_ACCT_AUTHENTIC_RADIUS :
+	    RADIUS_ACCT_AUTHENTIC_LOCAL);
+
+	switch (stype) {
+	case RADIUS_ACCT_STATUS_TYPE_START:
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE,
+		    RADIUS_ACCT_STATUS_TYPE_START);
+		break;
+	case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE:
+	case RADIUS_ACCT_STATUS_TYPE_STOP:
+		/* RFC 2866 5.7.  Acct-Session-Time */
+		timespecsub(&now, &sa->sa_starttime, &now);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_SESSION_TIME,
+		    now.tv_sec);
+		/* RFC 2866 5.10 Acct-Terminate-Cause */
+		cause = RADIUS_TERMNATE_CAUSE_SERVICE_UNAVAIL;
+		if (sa->sa_reason) {
+			if (strcmp(sa->sa_reason, "received delete") == 0) {
+				cause = RADIUS_TERMNATE_CAUSE_USER_REQUEST;
+			} else if (strcmp(sa->sa_reason, "SA rekeyed") == 0) {
+				cause = RADIUS_TERMNATE_CAUSE_SESSION_TIMEOUT;
+			} else if (strncmp(sa->sa_reason, "retransmit",
+			    strlen("retransmit")) == 0) {
+				cause = RADIUS_TERMNATE_CAUSE_LOST_SERVICE;
+			} else if (strcmp(sa->sa_reason,
+			    "disconnect requested") == 0) {
+				cause = RADIUS_TERMNATE_CAUSE_ADMIN_RESET;
+			}
+		}
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_TERMINATE_CAUSE,
+		    cause);
+		/* I/O statistics {Input,Output}-{Packets,Octets,Gigawords} */
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_PACKETS,
+		    sa->sa_stats.sas_ipackets);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_PACKETS,
+		    sa->sa_stats.sas_opackets);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_OCTETS,
+		    sa->sa_stats.sas_ibytes & 0xffffffffUL);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_OCTETS,
+		    sa->sa_stats.sas_obytes & 0xffffffffUL);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_GIGAWORDS,
+		    sa->sa_stats.sas_ibytes >> 32);
+		radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_GIGAWORDS,
+		    sa->sa_stats.sas_obytes >> 32);
+		break;
+	}
+	req->rr_reqpkt = pkt;
+	req->rr_ntry = 0;
+	iked_radius_request_send(env, req);
+}
+
+void
+iked_radius_dae_on_event(int fd, short ev, void *ctx)
+{
+	struct iked_raddae	*dae = ctx;
+	struct iked		*env = dae->rd_env;
+	RADIUS_PACKET		*req = NULL, *res = NULL;
+	struct sockaddr_storage	 ss;
+	socklen_t		 sslen;
+	struct iked_radclient	*client;
+	struct iked_sa		*sa = NULL;
+	char			 attr[256], username[256];
+	char			*endp, *reason, *nakcause = NULL;
+	int			 code, n = 0;
+	uint64_t		 ispi = 0;
+	uint32_t		 u32, cause = 0;
+	struct iked_addr	*addr4 = NULL;
+
+	reason = "disconnect requested";
+
+	sslen = sizeof(ss);
+	req = radius_recvfrom(dae->rd_sock, 0, (struct sockaddr *)&ss, &sslen);
+	if (req == NULL) {
+		log_warn("%s: receiving a RADIUS message failed: %s", __func__,
+		    strerror(errno));
+		return;
+	}
+	TAILQ_FOREACH(client, &env->sc_raddaeclients, rc_entry) {
+		if (sockaddr_cmp((struct sockaddr *)&client->rc_sockaddr,
+		    (struct sockaddr *)&ss, -1) == 0)
+			break;
+	}
+	if (client == NULL) {
+		log_warnx("%s: received RADIUS message from %s: "
+		    "unknown client", __func__, print_addr(&ss));
+		goto out;
+	}
+
+	if (radius_check_accounting_request_authenticator(req,
+	    client->rc_secret) != 0) {
+		log_warnx("%s: received an invalid RADIUS message from %s: bad "
+		    "response authenticator", __func__, print_addr(&ss));
+		goto out;
+	}
+
+	if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) {
+		/* Code other than Disconnect-Request is not supported */
+		if (code == RADIUS_CODE_COA_REQUEST) {
+			code = RADIUS_CODE_COA_NAK;
+			cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED;
+			nakcause = "Coa-Request is not supprted";
+			goto send;
+		}
+		log_warnx("%s: received an invalid RADIUS message "
+		    "from %s: unknown code %d", __func__,
+		    print_addr(&ss), code);
+		goto out;
+	}
+
+	log_info("received Disconnect-Request from %s", print_addr(&ss));
+
+	if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr,
+	    sizeof(attr)) == 0 && strcmp(attr, IKED_NAS_ID) != 0) {
+		cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH;
+		nakcause = "NAS-Identifier is not matched";
+		goto search_done;
+	}
+
+	/* prepare User-Name attribute */
+	memset(username, 0, sizeof(username));
+	radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username,
+	    sizeof(username));
+
+	if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr,
+	    sizeof(attr)) == 0) {
+		/* the client is to disconnect a session */
+		ispi = strtoull(attr, &endp, 16);
+		if (attr[0] == '\0' || *endp != '\0' || errno == ERANGE ||
+		    ispi == ULLONG_MAX) {
+			cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
+			nakcause = "Session-Id is wrong";
+			goto search_done;
+
+		}
+		RB_FOREACH(sa, iked_sas, &env->sc_sas) {
+			if (sa->sa_hdr.sh_ispi == ispi)
+				break;
+		}
+		if (sa == NULL)
+			goto search_done;
+		if (username[0] != '\0' && (sa->sa_eapid == NULL ||
+		    strcmp(username, sa->sa_eapid) != 0)) {
+			/* specified User-Name attribute is mismatched */
+			cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
+			nakcause = "User-Name is not matched";
+			goto search_done;
+		}
+		ikev2_ike_sa_setreason(sa, reason);
+		ikev2_ike_sa_delete(env, sa);
+		n++;
+	} else if (username[0] != '\0') {
+		RB_FOREACH(sa, iked_sas, &env->sc_sas) {
+			if (sa->sa_eapid != NULL &&
+			    strcmp(sa->sa_eapid, username) == 0) {
+				ikev2_ike_sa_setreason(sa, reason);
+				ikev2_ike_sa_delete(env, sa);
+				n++;
+			}
+		}
+	} else if (radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS,
+	    &u32) == 0) {
+		RB_FOREACH(sa, iked_sas, &env->sc_sas) {
+			addr4 = sa->sa_addrpool;
+			if (addr4 != NULL) {
+				if (u32 == ((struct sockaddr_in *)&addr4->addr)
+				    ->sin_addr.s_addr) {
+					ikev2_ike_sa_setreason(sa, reason);
+					ikev2_ike_sa_delete(env, sa);
+					n++;
+				}
+			}
+		}
+	}
+ search_done:
+	if (n > 0)
+		code = RADIUS_CODE_DISCONNECT_ACK;
+	else {
+		if (nakcause == NULL)
+			nakcause = "session not found";
+		if (cause == 0)
+			cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND;
+		code = RADIUS_CODE_DISCONNECT_NAK;
+	}
+ send:
+	res = radius_new_response_packet(code, req);
+	if (res == NULL) {
+		log_warn("%s: radius_new_response_packet", __func__);
+		goto out;
+	}
+	if (cause != 0)
+		radius_put_uint32_attr(res, RADIUS_TYPE_ERROR_CAUSE, cause);
+	radius_set_response_authenticator(res, client->rc_secret);
+	if (radius_sendto(dae->rd_sock, res, 0, (struct sockaddr *)&ss, sslen)
+	    == -1)
+		log_warn("%s: sendto", __func__);
+	log_info("send %s for %s%s%s",
+	    (code == RADIUS_CODE_DISCONNECT_ACK)? "Disconnect-ACK" :
+	    (code == RADIUS_CODE_DISCONNECT_NAK)? "Disconnect-NAK" : "CoA-NAK",
+	    print_addr(&ss), (nakcause)? ": " : "", (nakcause)? nakcause : "");
+ out:
+	radius_delete_packet(req);
+	if (res != NULL)
+		radius_delete_packet(res);
+}

sbin/iked/types.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: types.h,v 1.54 2024/02/15 20:10:45 tobhe Exp $	*/
+/*	$OpenBSD: types.h,v 1.55 2024/07/13 12:22:46 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -42,6 +42,7 @@
 #define IKED_PUBKEY		"local.pub"
 
 #define IKED_VENDOR_ID		"OpenIKED-"
+#define IKED_NAS_ID		"OpenIKED"
 
 #define IKED_OCSP_RESPCERT	"ocsp/responder.crt"
 
@@ -112,6 +113,12 @@ enum imsg_type {
 	IMSG_CFG_POLICY,
 	IMSG_CFG_FLOW,
 	IMSG_CFG_USER,
+	IMSG_CFG_RADAUTH,
+	IMSG_CFG_RADACCT,
+	IMSG_CFG_RADSERVER,
+	IMSG_CFG_RADCFGMAP,
+	IMSG_CFG_RADDAE,
+	IMSG_CFG_RADDAECLIENT,
 	IMSG_CERTREQ,
 	IMSG_CERT,
 	IMSG_CERTVALID,
@@ -150,6 +157,7 @@ enum flushmode {
 	RESET_POLICY,
 	RESET_SA,
 	RESET_USER,
+	RESET_RADIUS,
 };
 
 #ifndef nitems

sbin/slaacd/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.90 2024/06/03 17:58:33 deraadt Exp $	*/
+/*	$OpenBSD: engine.c,v 1.91 2024/07/13 16:06:34 florian Exp $	*/
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -968,7 +968,6 @@ iface_state_transition(struct slaacd_iface *iface, enum if_state new_state)
 	struct address_proposal	*addr_proposal;
 	struct dfr_proposal	*dfr_proposal;
 	struct rdns_proposal	*rdns_proposal;
-	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
 	iface->state = new_state;
 
@@ -1025,10 +1024,13 @@ iface_state_transition(struct slaacd_iface *iface, enum if_state new_state)
 		break;
 	}
 
-	if_name = if_indextoname(iface->if_index, ifnamebuf);
-	log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ?
-	    "?" : if_name, if_state_name(old_state), if_state_name(new_state),
-	    iface->timo.tv_sec);
+	if (log_getverbose()) {
+		char	 ifnamebuf[IF_NAMESIZE], *if_name;
+		if_name = if_indextoname(iface->if_index, ifnamebuf);
+		log_debug("%s[%s] %s -> %s, timo: %lld", __func__,
+		    if_name == NULL ? "?" : if_name, if_state_name(old_state),
+		    if_state_name(new_state), iface->timo.tv_sec);
+	}
 
 	if (iface->timo.tv_sec == -1) {
 		if (evtimer_pending(&iface->timer, NULL))
@@ -1043,7 +1045,6 @@ void addr_proposal_state_transition(struct address_proposal *addr_proposal,
 	enum proposal_state	 old_state = addr_proposal->state;
 	struct slaacd_iface	*iface;
 	uint32_t		 lifetime;
-	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
 	addr_proposal->state = new_state;
 
@@ -1103,11 +1104,14 @@ void addr_proposal_state_transition(struct address_proposal *addr_proposal,
 		break;
 	}
 
-	if_name = if_indextoname(addr_proposal->if_index, ifnamebuf);
-	log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ?
-	    "?" : if_name, proposal_state_name(old_state),
-	    proposal_state_name(new_state),
-	    addr_proposal->timo.tv_sec);
+	if (log_getverbose()) {
+		char	 ifnamebuf[IF_NAMESIZE], *if_name;
+		if_name = if_indextoname(addr_proposal->if_index, ifnamebuf);
+		log_debug("%s[%s] %s -> %s, timo: %lld", __func__,
+		    if_name == NULL ? "?" : if_name,
+		    proposal_state_name(old_state),
+		    proposal_state_name(new_state), addr_proposal->timo.tv_sec);
+	}
 
 	if (addr_proposal->timo.tv_sec == -1) {
 		if (evtimer_pending(&addr_proposal->timer, NULL))
@@ -1122,7 +1126,6 @@ void dfr_proposal_state_transition(struct dfr_proposal *dfr_proposal,
 	enum proposal_state	 old_state = dfr_proposal->state;
 	struct slaacd_iface	*iface;
 	uint32_t		 lifetime;
-	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
 	dfr_proposal->state = new_state;
 
@@ -1176,11 +1179,15 @@ void dfr_proposal_state_transition(struct dfr_proposal *dfr_proposal,
 		break;
 	}
 
-	if_name = if_indextoname(dfr_proposal->if_index, ifnamebuf);
-	log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ?
-	    "?" : if_name, proposal_state_name(old_state),
-	    proposal_state_name(new_state),
-	    dfr_proposal->timo.tv_sec);
+	if (log_getverbose()) {
+		char	 ifnamebuf[IF_NAMESIZE], *if_name;
+
+		if_name = if_indextoname(dfr_proposal->if_index, ifnamebuf);
+		log_debug("%s[%s] %s -> %s, timo: %lld", __func__,
+		    if_name == NULL ? "?" : if_name,
+		    proposal_state_name(old_state),
+		    proposal_state_name(new_state), dfr_proposal->timo.tv_sec);
+	}
 
 	if (dfr_proposal->timo.tv_sec == -1) {
 		if (evtimer_pending(&dfr_proposal->timer, NULL))
@@ -1196,7 +1203,6 @@ void rdns_proposal_state_transition(struct rdns_proposal *rdns_proposal,
 	enum proposal_state	 old_state = rdns_proposal->state;
 	struct slaacd_iface	*iface;
 	uint32_t		 lifetime;
-	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
 	rdns_proposal->state = new_state;
 
@@ -1250,11 +1256,15 @@ void rdns_proposal_state_transition(struct rdns_proposal *rdns_proposal,
 		break;
 	}
 
-	if_name = if_indextoname(rdns_proposal->if_index, ifnamebuf);
-	log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ?
-	    "?" : if_name, proposal_state_name(old_state),
-	    proposal_state_name(new_state),
-	    rdns_proposal->timo.tv_sec);
+	if (log_getverbose()) {
+		char	 ifnamebuf[IF_NAMESIZE], *if_name;
+
+		if_name = if_indextoname(rdns_proposal->if_index, ifnamebuf);
+		log_debug("%s[%s] %s -> %s, timo: %lld", __func__,
+		    if_name == NULL ? "?" : if_name,
+		    proposal_state_name(old_state),
+		    proposal_state_name(new_state), rdns_proposal->timo.tv_sec);
+	}
 
 	if (rdns_proposal->timo.tv_sec == -1) {
 		if (evtimer_pending(&rdns_proposal->timer, NULL))

share/man/man4/bio.4

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: bio.4,v 1.34 2016/11/26 16:29:33 jmc Exp $
+.\"	$OpenBSD: bio.4,v 1.35 2024/07/13 15:28:42 krw Exp $
 .\"
 .\" Copyright (c) 2002 Niklas Hallqvist
 .\" Copyright (c) 2006 Marco Peereboom
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 26 2016 $
+.Dd $Mdocdate: July 13 2024 $
 .Dt BIO 4
 .Os
 .Sh NAME
@@ -70,6 +70,8 @@ Areca Technology Corporation SAS/SATA RAID controller
 Compaq Smart Array 2/3/4 SCSI RAID controller
 .It Xr ciss 4
 Compaq Smart Array SAS/SATA/SCSI RAID controller
+.It Xr gdt 4
+ICP-Vortex and Intel GDT SATA/SCSI RAID controller
 .It Xr ips 4
 IBM SATA/SCSI ServeRAID controller
 .It Xr mfi 4
@@ -80,6 +82,8 @@ LSI Logic MegaRAID SAS Fusion RAID controller
 LSI Logic Fusion-MPT Message Passing Interface
 .It Xr mpii 4
 LSI Logic Fusion-MPT Message Passing Interface II
+.It Xr nvme 4
+NVMe storage controllers
 .It Xr softraid 4
 Software RAID
 .El

sys/arch/amd64/amd64/mptramp.S

@@ -1,4 +1,4 @@
-/*	$OpenBSD: mptramp.S,v 1.22 2022/12/01 00:26:15 guenther Exp $	*/
+/*	$OpenBSD: mptramp.S,v 1.23 2024/07/12 13:10:58 deraadt Exp $	*/
 /*	$NetBSD: mptramp.S,v 1.1 2003/04/26 18:39:30 fvdl Exp $	*/
 
 /*-
@@ -233,6 +233,7 @@ GENTRY(cpu_spinup_finish)
 	movl	$CR0_DEFAULT,%eax
 	movq	%rax,%cr0
 	call	cpu_hatch
+	movq	$0,-8(%rsp)
 END(cpu_spinup_finish)
 	/* NOTREACHED */
 

sys/conf/files

@@ -1,4 +1,4 @@
-#	$OpenBSD: files,v 1.733 2024/06/12 12:54:54 bluhm Exp $
+#	$OpenBSD: files,v 1.734 2024/07/13 13:20:44 bluhm Exp $
 #	$NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
 
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93
@@ -898,7 +898,7 @@ file netinet/tcp_subr.c
 file netinet/tcp_timer.c
 file netinet/tcp_usrreq.c
 file netinet/udp_usrreq.c
-file netinet/ip_gre.c
+file netinet/ip_gre.c			gre
 file netinet/ip_ipsp.c			ipsec | tcp_signature
 file netinet/ip_spd.c			ipsec | tcp_signature
 file netinet/ip_ipip.c

sys/dev/ic/nvme.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: nvme.c,v 1.119 2024/07/08 16:07:36 krw Exp $ */
+/*	$OpenBSD: nvme.c,v 1.121 2024/07/13 08:59:41 dv Exp $ */
 
 /*
  * Copyright (c) 2014 David Gwynne <dlg@openbsd.org>

sys/dev/pci/drm/amd/amdgpu/aldebaran.c

@@ -100,7 +100,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev)
 		adev->ip_blocks[i].status.hw = false;
 	}
 
-	return r;
+	return 0;
 }
 
 static int

sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c

@@ -2052,12 +2052,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
 	struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
 	char reg_offset[11];
 	uint32_t *new = NULL, *tmp = NULL;
-	int ret, i = 0, len = 0;
+	unsigned int len = 0;
+	int ret, i = 0;
 
 	do {
 		memset(reg_offset, 0, 11);
 		if (copy_from_user(reg_offset, buf + len,
-					min(10, ((int)size-len)))) {
+					min(10, (size-len)))) {
 			ret = -EFAULT;
 			goto error_free;
 		}

sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c

@@ -1187,7 +1187,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev,
 		fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes);
 		break;
 	default:
-		break;
+		dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id);
+		return;
 	}
 
 	if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) {

sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c

@@ -446,6 +446,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev,
 
 	entry.ih = ih;
 	entry.iv_entry = (const uint32_t *)&ih->ring[ring_index];
+
+	/*
+	 * timestamp is not supported on some legacy SOCs (cik, cz, iceland,
+	 * si and tonga), so initialize timestamp and timestamp_src to 0
+	 */
+	entry.timestamp = 0;
+	entry.timestamp_src = 0;
+
 	amdgpu_ih_decode_iv(adev, &entry);
 
 	trace_amdgpu_iv(ih - &adev->irq.ih, &entry);

sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c

@@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
 	uint32_t created = 0;
 	uint32_t allocated = 0;
 	uint32_t tmp, handle = 0;
-	uint32_t *size = &tmp;
+	uint32_t dummy = 0xffffffff;
+	uint32_t *size = &dummy;
 	unsigned int idx;
 	int i, r = 0;
 

sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c

@@ -93,7 +93,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev)
 		adev->ip_blocks[i].status.hw = false;
 	}
 
-	return r;
+	return 0;
 }
 
 static int

sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c

@@ -264,7 +264,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc)
 static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc,
 				  u32 *vbl, u32 *position)
 {
-	u32 v_blank_start, v_blank_end, h_position, v_position;
+	u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0;
 	struct amdgpu_crtc *acrtc = NULL;
 
 	if ((crtc < 0) || (crtc >= adev->mode_info.num_crtc))
@@ -801,7 +801,7 @@ static void dm_handle_hpd_work(struct work_struct *work)
  */
 static void dm_dmub_outbox1_low_irq(void *interrupt_params)
 {
-	struct dmub_notification notify;
+	struct dmub_notification notify = {0};
 	struct common_irq_params *irq_params = interrupt_params;
 	struct amdgpu_device *adev = irq_params->adev;
 	struct amdgpu_display_manager *dm = &adev->dm;
@@ -6899,7 +6899,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state,
 	struct amdgpu_dm_connector *aconnector;
 	struct dm_connector_state *dm_conn_state;
 	int i, j, ret;
-	int vcpi, pbn_div, pbn, slot_num = 0;
+	int vcpi, pbn_div, pbn = 0, slot_num = 0;
 
 	for_each_new_connector_in_state(state, connector, new_con_state, i) {
 
@@ -10070,7 +10070,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
 	struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state;
 	struct drm_dp_mst_topology_mgr *mgr;
 	struct drm_dp_mst_topology_state *mst_state;
-	struct dsc_mst_fairness_vars vars[MAX_PIPES];
+	struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0};
 
 	trace_amdgpu_dm_atomic_check_begin(state);
 

sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c

@@ -1219,7 +1219,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b
 				 size_t size, loff_t *pos)
 {
 	int r;
-	uint8_t data[36];
+	uint8_t data[36] = {0};
 	struct amdgpu_dm_connector *connector = file_inode(f)->i_private;
 	struct dm_crtc_state *acrtc_state;
 	uint32_t write_size = 36;
@@ -2929,7 +2929,7 @@ static int psr_read_residency(void *data, u64 *val)
 {
 	struct amdgpu_dm_connector *connector = data;
 	struct dc_link *link = connector->dc_link;
-	u32 residency;
+	u32 residency = 0;
 
 	link->dc->link_srv->edp_get_psr_residency(link, &residency);
 

sys/dev/pci/drm/amd/display/dc/core/dc_resource.c

@@ -2385,6 +2385,9 @@ static struct audio *find_first_free_audio(
 {
 	int i, available_audio_count;
 
+	if (id == ENGINE_ID_UNKNOWN)
+		return NULL;
+
 	available_audio_count = pool->audio_count;
 
 	for (i = 0; i < available_audio_count; i++) {

sys/dev/pci/drm/amd/display/dc/irq/dce110/irq_service_dce110.c

@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service,
 						   info->ext_id);
 	uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK;
 
-	struct timing_generator *tg =
-			dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
+	struct timing_generator *tg;
+
+	if (pipe_offset >= MAX_PIPES)
+		return false;
+
+	tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
 
 	if (enable) {
 		if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) {

sys/dev/pci/drm/amd/display/modules/hdcp/hdcp_ddc.c

@@ -158,6 +158,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
 	uint32_t cur_size = 0;
 	uint32_t data_offset = 0;
 
+	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
+		return MOD_HDCP_STATUS_DDC_FAILURE;
+	}
+
 	if (is_dp_hdcp(hdcp)) {
 		while (buf_len > 0) {
 			cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
@@ -217,6 +221,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
 	uint32_t cur_size = 0;
 	uint32_t data_offset = 0;
 
+	if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
+		return MOD_HDCP_STATUS_DDC_FAILURE;
+	}
+
 	if (is_dp_hdcp(hdcp)) {
 		while (buf_len > 0) {
 			cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);

sys/dev/pci/drm/amd/include/atomfirmware.h

@@ -702,7 +702,7 @@ struct atom_gpio_pin_lut_v2_1
 {
   struct  atom_common_table_header  table_header;
   /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut  */
-  struct  atom_gpio_pin_assignment  gpio_pin[8];
+  struct  atom_gpio_pin_assignment  gpio_pin[];
 };
 
 
@@ -3551,7 +3551,7 @@ struct atom_gpio_voltage_object_v4
    uint8_t  phase_delay_us;                      // phase delay in unit of micro second
    uint8_t  reserved;
    uint32_t gpio_mask_val;                         // GPIO Mask value
-   struct atom_voltage_gpio_map_lut voltage_gpio_lut[1];
+   struct atom_voltage_gpio_map_lut voltage_gpio_lut[] __counted_by(gpio_entry_num);
 };
 
 struct  atom_svid2_voltage_object_v4

sys/dev/pci/drm/apple/apldcp.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: apldcp.c,v 1.1 2024/01/22 18:54:01 kettenis Exp $	*/
+/*	$OpenBSD: apldcp.c,v 1.2 2024/07/12 10:01:28 tobhe Exp $	*/
 /*
  * Copyright (c) 2023 Mark Kettenis <kettenis@openbsd.org>
  *
@@ -18,6 +18,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/device.h>
+#include <sys/pool.h>
 
 #include <machine/intr.h>
 #include <machine/bus.h>
@@ -103,14 +104,19 @@ apldcp_activate(struct device *self, int act)
 
 #include <arm64/dev/rtkit.h>
 
-struct apple_rtkit_ep {
-	struct apple_rtkit *rtk;
-	uint8_t ep;
-
+struct apple_rtkit_task {
+	struct apple_rtkit_ep *rtkep;
 	struct task task;
 	uint64_t msg;
 };
 
+struct apple_rtkit_ep {
+	struct apple_rtkit *rtk;
+	uint8_t ep;
+};
+
+static struct pool rtktask_pool;
+
 struct apple_rtkit {
 	struct rtkit_state *state;
 	struct apple_rtkit_ep ep[64];
@@ -170,10 +176,12 @@ apple_rtkit_logmap(void *cookie, bus_addr_t addr)
 void
 apple_rtkit_do_recv(void *arg)
 {
-	struct apple_rtkit_ep *rtkep = arg;
+	struct apple_rtkit_task *rtktask = arg;
+	struct apple_rtkit_ep *rtkep = rtktask->rtkep;
 	struct apple_rtkit *rtk = rtkep->rtk;
 
-	rtk->ops->recv_message(rtk->cookie, rtkep->ep, rtkep->msg);
+	rtk->ops->recv_message(rtk->cookie, rtkep->ep, rtktask->msg);
+	pool_put(&rtktask_pool, rtktask);
 }
 
 void
@@ -181,9 +189,15 @@ apple_rtkit_recv(void *cookie, uint64_t msg)
 {
 	struct apple_rtkit_ep *rtkep = cookie;
 	struct apple_rtkit *rtk = rtkep->rtk;
+	struct apple_rtkit_task *rtktask;
 
-	rtkep->msg = msg;
-	task_add(rtk->tq, &rtkep->task);
+	rtktask = pool_get(&rtktask_pool, PR_NOWAIT | PR_ZERO);
+	KASSERT(rtktask != NULL);
+
+	rtktask->rtkep = rtkep;
+	rtktask->msg = msg;
+	task_set(&rtktask->task, apple_rtkit_do_recv, rtktask);
+	task_add(rtk->tq, &rtktask->task);
 }
 
 int
@@ -195,8 +209,6 @@ apple_rtkit_start_ep(struct apple_rtkit *rtk, uint8_t ep)
 	rtkep = &rtk->ep[ep];
 	rtkep->rtk = rtk;
 	rtkep->ep = ep;
-	task_set(&rtkep->task, apple_rtkit_do_recv, rtkep);
-
 	error = rtkit_start_endpoint(rtk->state, ep, apple_rtkit_recv, rtkep);
 	return -error;
 }
@@ -239,6 +251,9 @@ devm_apple_rtkit_init(struct device *dev, void *cookie,
 		return ERR_PTR(ENOMEM);
 	}
 
+	pool_init(&rtktask_pool, sizeof(struct apple_rtkit_task), 0, IPL_TTY,
+	    0, "apldcp_rtkit", NULL);
+
 	rk = malloc(sizeof(*rk), M_DEVBUF, M_WAITOK | M_ZERO);
 	rk->rk_cookie = rtk;
 	rk->rk_dmat = pdev->dmat;

sys/dev/pci/drm/drm_drv.c

@@ -47,6 +47,7 @@
 #include <linux/pseudo_fs.h>
 #include <linux/slab.h>
 #include <linux/srcu.h>
+#include <linux/suspend.h>
 
 #include <drm/drm_accel.h>
 #include <drm/drm_cache.h>
@@ -1548,10 +1549,19 @@ drm_activate(struct device *self, int act)
 
 	switch (act) {
 	case DVACT_QUIESCE:
+#ifdef CONFIG_ACPI
+		if (acpi_softc && acpi_softc->sc_state == ACPI_STATE_S3)
+			pm_suspend_target_state = PM_SUSPEND_MEM;
+		else
+			pm_suspend_target_state = PM_SUSPEND_TO_IDLE;
+#else
+		pm_suspend_target_state = PM_SUSPEND_TO_IDLE;
+#endif
 		drm_quiesce(dev);
 		break;
 	case DVACT_WAKEUP:
 		drm_wakeup(dev);
+		pm_suspend_target_state = PM_SUSPEND_ON;
 		break;
 	}
 

sys/dev/pci/drm/drm_linux.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: drm_linux.c,v 1.114 2024/06/13 18:05:54 kettenis Exp $	*/
+/*	$OpenBSD: drm_linux.c,v 1.115 2024/07/13 15:38:21 kettenis Exp $	*/
 /*
  * Copyright (c) 2013 Jonathan Gray <jsg@openbsd.org>
  * Copyright (c) 2015, 2016 Mark Kettenis <kettenis@openbsd.org>
@@ -51,6 +51,7 @@
 #include <linux/kthread.h>
 #include <linux/processor.h>
 #include <linux/sync_file.h>
+#include <linux/suspend.h>
 
 #include <drm/drm_device.h>
 #include <drm/drm_connector.h>
@@ -1345,6 +1346,8 @@ vga_put(struct pci_dev *pdev, int rsrc)
 
 #endif
 
+suspend_state_t pm_suspend_target_state;
+
 /*
  * ACPI types and interfaces.
  */
@@ -1360,6 +1363,8 @@ vga_put(struct pci_dev *pdev, int rsrc)
 #include <dev/acpi/amltypes.h>
 #include <dev/acpi/dsdt.h>
 
+struct acpi_fadt acpi_gbl_FADT;
+
 acpi_status
 acpi_get_table(const char *sig, int instance,
     struct acpi_table_header **hdr)
@@ -2851,6 +2856,13 @@ drm_linux_init(void)
 
 	kmap_atomic_va =
 	    (vaddr_t)km_alloc(PAGE_SIZE, &kv_any, &kp_none, &kd_waitok);
+
+#if NACPI > 0
+	if (acpi_softc) {
+		memcpy(&acpi_gbl_FADT, acpi_softc->sc_fadt,
+		    sizeof(acpi_gbl_FADT));
+	}
+#endif
 }
 
 void

sys/dev/pci/drm/drm_panel_orientation_quirks.c

@@ -427,6 +427,13 @@ static const struct dmi_system_id orientation_data[] = {
 		  DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"),
 		},
 		.driver_data = (void *)&lcd800x1280_rightside_up,
+	}, {	/* Valve Steam Deck */
+		.matches = {
+		  DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"),
+		  DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galileo"),
+		  DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"),
+		},
+		.driver_data = (void *)&lcd800x1280_rightside_up,
 	}, {	/* VIOS LTH17 */
 		.matches = {
 		  DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),

sys/dev/pci/drm/i915/gt/intel_gt_pm.c

@@ -326,7 +326,6 @@ void intel_gt_suspend_prepare(struct intel_gt *gt)
 	wait_for_suspend(gt);
 }
 
-#ifdef notyet
 static suspend_state_t pm_suspend_target(void)
 {
 #if IS_ENABLED(CONFIG_SUSPEND) && IS_ENABLED(CONFIG_PM_SLEEP)
@@ -335,7 +334,6 @@ static suspend_state_t pm_suspend_target(void)
 	return PM_SUSPEND_TO_IDLE;
 #endif
 }
-#endif
 
 void intel_gt_suspend_late(struct intel_gt *gt)
 {
@@ -361,10 +359,8 @@ void intel_gt_suspend_late(struct intel_gt *gt)
 	 * powermanagement enabled, but we also retain system state and so
 	 * it remains safe to keep on using our allocated memory.
 	 */
-#ifdef notyet
 	if (pm_suspend_target() == PM_SUSPEND_TO_IDLE)
 		return;
-#endif
 
 	with_intel_runtime_pm(gt->uncore->rpm, wakeref) {
 		intel_rps_disable(&gt->rps);

sys/dev/pci/drm/include/generated/autoconf.h

@@ -93,5 +93,6 @@
 #endif
 
 #if defined(SUSPEND) || defined(HIBERNATE)
+#define CONFIG_SUSPEND				1
 #define CONFIG_PM_SLEEP				1
 #endif

sys/dev/pci/drm/include/linux/acpi.h

@@ -88,4 +88,7 @@ int unregister_acpi_notifier(struct notifier_block *);
 
 int acpi_target_system_state(void);
 
+extern struct acpi_fadt acpi_gbl_FADT;
+#define ACPI_FADT_LOW_POWER_S0		(1 << 21)
+
 #endif

sys/dev/pci/drm/include/linux/suspend.h

@@ -0,0 +1,14 @@
+/* Public domain. */
+
+#ifndef _LINUX_SUSPEND_H
+#define _LINUX_SUSPEND_H
+
+typedef int suspend_state_t;
+
+#define PM_SUSPEND_ON		0
+#define PM_SUSPEND_MEM		1
+#define PM_SUSPEND_TO_IDLE	2
+
+extern suspend_state_t pm_suspend_target_state;
+
+#endif

sys/dev/pci/if_bwfm_pci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bwfm_pci.c,v 1.76 2024/05/24 06:02:53 jsg Exp $	*/
+/*	$OpenBSD: if_bwfm_pci.c,v 1.77 2024/07/12 08:33:25 kettenis Exp $	*/
 /*
  * Copyright (c) 2010-2016 Broadcom Corporation
  * Copyright (c) 2017 Patrick Wildt <patrick@blueri.se>
@@ -126,6 +126,10 @@ struct bwfm_pci_softc {
 	bus_space_handle_t	 sc_reg_ioh;
 	bus_size_t		 sc_reg_ios;
 
+	bus_space_tag_t		 sc_pcie_iot;
+	bus_space_handle_t	 sc_pcie_ioh;
+	bus_size_t		 sc_pcie_ios;
+
 	bus_space_tag_t		 sc_tcm_iot;
 	bus_space_handle_t	 sc_tcm_ioh;
 	bus_size_t		 sc_tcm_ios;
@@ -371,6 +375,10 @@ bwfm_pci_attach(struct device *parent, struct device *self, void *aux)
 		goto bar1;
 	}
 
+	sc->sc_pcie_iot = sc->sc_reg_iot;
+	bus_space_subregion(sc->sc_reg_iot, sc->sc_reg_ioh, 0x2000,
+	    sc->sc_reg_ios - 0x2000, &sc->sc_pcie_ioh);
+
 	sc->sc_pc = pa->pa_pc;
 	sc->sc_tag = pa->pa_tag;
 	sc->sc_id = pa->pa_id;
@@ -450,11 +458,11 @@ bwfm_pci_preinit(struct bwfm_softc *bwfm)
 #endif
 
 	bwfm_pci_select_core(sc, BWFM_AGENT_CORE_PCIE2);
-	bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+	bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 	    BWFM_PCI_PCIE2REG_CONFIGADDR, 0x4e0);
-	reg = bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+	reg = bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 	    BWFM_PCI_PCIE2REG_CONFIGDATA);
-	bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+	bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 	    BWFM_PCI_PCIE2REG_CONFIGDATA, reg);
 
 	switch (bwfm->sc_chip.ch_chip) {
@@ -1430,10 +1438,10 @@ bwfm_pci_ring_bell(struct bwfm_pci_softc *sc,
     struct bwfm_pci_msgring *ring)
 {
 	if (sc->sc_shared_flags & BWFM_SHARED_INFO_SHARED_DAR)
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_H2D_MAILBOX_0, 1);
 	else
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_H2D_MAILBOX_0, 1);
 }
 
@@ -1881,13 +1889,13 @@ bwfm_pci_buscore_reset(struct bwfm_softc *bwfm)
 		};
 
 		for (i = 0; i < nitems(cfg_offset); i++) {
-			bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+			bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 			    BWFM_PCI_PCIE2REG_CONFIGADDR, cfg_offset[i]);
-			reg = bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+			reg = bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 			    BWFM_PCI_PCIE2REG_CONFIGDATA);
 			DPRINTFN(3, ("%s: config offset 0x%04x, value 0x%04x\n",
 			    DEVNAME(sc), cfg_offset[i], reg));
-			bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+			bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 			    BWFM_PCI_PCIE2REG_CONFIGDATA, reg);
 		}
 	}
@@ -2381,11 +2389,11 @@ void
 bwfm_pci_intr_enable(struct bwfm_pci_softc *sc)
 {
 	if (sc->sc_pcireg64)
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_MAILBOXMASK,
 		    BWFM_PCI_64_PCIE2REG_MAILBOXMASK_INT_D2H_DB);
 	else
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_MAILBOXMASK,
 		    BWFM_PCI_PCIE2REG_MAILBOXMASK_INT_FN0_0 |
 		    BWFM_PCI_PCIE2REG_MAILBOXMASK_INT_FN0_1 |
@@ -2396,10 +2404,10 @@ void
 bwfm_pci_intr_disable(struct bwfm_pci_softc *sc)
 {
 	if (sc->sc_pcireg64)
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_MAILBOXMASK, 0);
 	else
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_MAILBOXMASK, 0);
 }
 
@@ -2407,10 +2415,10 @@ uint32_t
 bwfm_pci_intr_status(struct bwfm_pci_softc *sc)
 {
 	if (sc->sc_pcireg64)
-		return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_MAILBOXINT);
 	else
-		return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_MAILBOXINT);
 }
 
@@ -2418,10 +2426,10 @@ void
 bwfm_pci_intr_ack(struct bwfm_pci_softc *sc, uint32_t status)
 {
 	if (sc->sc_pcireg64)
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_MAILBOXINT, status);
 	else
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_MAILBOXINT, status);
 }
 
@@ -2429,10 +2437,10 @@ uint32_t
 bwfm_pci_intmask(struct bwfm_pci_softc *sc)
 {
 	if (sc->sc_pcireg64)
-		return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_INTMASK);
 	else
-		return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_INTMASK);
 }
 
@@ -2443,10 +2451,10 @@ bwfm_pci_hostready(struct bwfm_pci_softc *sc)
 		return;
 
 	if (sc->sc_shared_flags & BWFM_SHARED_INFO_SHARED_DAR)
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_64_PCIE2REG_H2D_MAILBOX_1, 1);
 	else
-		bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh,
+		bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh,
 		    BWFM_PCI_PCIE2REG_H2D_MAILBOX_1, 1);
 }
 

sys/kern/uipc_socket.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_socket.c,v 1.336 2024/06/14 08:32:22 mvs Exp $	*/
+/*	$OpenBSD: uipc_socket.c,v 1.337 2024/07/12 17:20:18 mvs Exp $	*/
 /*	$NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $	*/
 
 /*
@@ -158,9 +158,8 @@ soalloc(const struct protosw *prp, int wait)
 	case AF_INET6:
 		switch (prp->pr_type) {
 		case SOCK_RAW:
-			so->so_snd.sb_flags |= SB_MTXLOCK;
-			/* FALLTHROUGH */
 		case SOCK_DGRAM:
+			so->so_snd.sb_flags |= SB_MTXLOCK;
 			so->so_rcv.sb_flags |= SB_MTXLOCK;
 			break;
 		}
@@ -628,7 +627,7 @@ restart:
 			} else if (addr == NULL)
 				snderr(EDESTADDRREQ);
 		}
-		space = sbspace(so, &so->so_snd);
+		space = sbspace_locked(so, &so->so_snd);
 		if (flags & MSG_OOB)
 			space += 1024;
 		if (so->so_proto->pr_domain->dom_family == AF_UNIX) {
@@ -1414,9 +1413,12 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 
 	/* Splice so and sosp together. */
 	mtx_enter(&so->so_rcv.sb_mtx);
+	mtx_enter(&sosp->so_snd.sb_mtx);
 	so->so_sp->ssp_socket = sosp;
 	sosp->so_sp->ssp_soback = so;
+	mtx_leave(&sosp->so_snd.sb_mtx);
 	mtx_leave(&so->so_rcv.sb_mtx);
+
 	so->so_splicelen = 0;
 	so->so_splicemax = max;
 	if (tv)
@@ -1432,9 +1434,11 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv)
 	 */
 	if (somove(so, M_WAIT)) {
 		mtx_enter(&so->so_rcv.sb_mtx);
+		mtx_enter(&sosp->so_snd.sb_mtx);
 		so->so_rcv.sb_flags |= SB_SPLICE;
-		mtx_leave(&so->so_rcv.sb_mtx);
 		sosp->so_snd.sb_flags |= SB_SPLICE;
+		mtx_leave(&sosp->so_snd.sb_mtx);
+		mtx_leave(&so->so_rcv.sb_mtx);
 	}
 
  release:
@@ -1454,11 +1458,13 @@ sounsplice(struct socket *so, struct socket *sosp, int freeing)
 
 	task_del(sosplice_taskq, &so->so_splicetask);
 	timeout_del(&so->so_idleto);
-	sosp->so_snd.sb_flags &= ~SB_SPLICE;
 
 	mtx_enter(&so->so_rcv.sb_mtx);
+	mtx_enter(&sosp->so_snd.sb_mtx);
 	so->so_rcv.sb_flags &= ~SB_SPLICE;
+	sosp->so_snd.sb_flags &= ~SB_SPLICE;
 	so->so_sp->ssp_socket = sosp->so_sp->ssp_soback = NULL;
+	mtx_leave(&sosp->so_snd.sb_mtx);
 	mtx_leave(&so->so_rcv.sb_mtx);
 
 	/* Do not wakeup a socket that is about to be freed. */
@@ -1571,21 +1577,26 @@ somove(struct socket *so, int wait)
 			maxreached = 1;
 		}
 	}
-	space = sbspace(sosp, &sosp->so_snd);
+	mtx_enter(&sosp->so_snd.sb_mtx);
+	space = sbspace_locked(sosp, &sosp->so_snd);
 	if (so->so_oobmark && so->so_oobmark < len &&
 	    so->so_oobmark < space + 1024)
 		space += 1024;
 	if (space <= 0) {
+		mtx_leave(&sosp->so_snd.sb_mtx);
 		maxreached = 0;
 		goto release;
 	}
 	if (space < len) {
 		maxreached = 0;
-		if (space < sosp->so_snd.sb_lowat)
+		if (space < sosp->so_snd.sb_lowat) {
+			mtx_leave(&sosp->so_snd.sb_mtx);
 			goto release;
+		}
 		len = space;
 	}
 	sosp->so_snd.sb_state |= SS_ISSENDING;
+	mtx_leave(&sosp->so_snd.sb_mtx);
 
 	SBLASTRECORDCHK(&so->so_rcv, "somove 1");
 	SBLASTMBUFCHK(&so->so_rcv, "somove 1");
@@ -1780,9 +1791,12 @@ somove(struct socket *so, int wait)
 		}
 	}
 
+	mtx_enter(&sosp->so_snd.sb_mtx);
 	/* Append all remaining data to drain socket. */
 	if (so->so_rcv.sb_cc == 0 || maxreached)
 		sosp->so_snd.sb_state &= ~SS_ISSENDING;
+	mtx_leave(&sosp->so_snd.sb_mtx);
+
 	error = pru_send(sosp, m, NULL, NULL);
 	if (error) {
 		if (sosp->so_snd.sb_state & SS_CANTSENDMORE)
@@ -1796,7 +1810,10 @@ somove(struct socket *so, int wait)
 		goto nextpkt;
 
  release:
+	mtx_enter(&sosp->so_snd.sb_mtx);
 	sosp->so_snd.sb_state &= ~SS_ISSENDING;
+	mtx_leave(&sosp->so_snd.sb_mtx);
+
 	if (!error && maxreached && so->so_splicemax == so->so_splicelen)
 		error = EFBIG;
 	if (error)
@@ -2346,7 +2363,7 @@ filt_sowrite(struct knote *kn, long hint)
 	if ((so->so_snd.sb_flags & SB_MTXLOCK) == 0)
 		soassertlocked_readonly(so);
 
-	kn->kn_data = sbspace(so, &so->so_snd);
+	kn->kn_data = sbspace_locked(so, &so->so_snd);
 	if (so->so_snd.sb_state & SS_CANTSENDMORE) {
 		kn->kn_flags |= EV_EOF;
 		if (kn->kn_flags & __EV_POLL) {

sys/kern/uipc_socket2.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_socket2.c,v 1.156 2024/06/28 21:30:24 mvs Exp $	*/
+/*	$OpenBSD: uipc_socket2.c,v 1.158 2024/07/12 19:50:35 bluhm Exp $	*/
 /*	$NetBSD: uipc_socket2.c,v 1.11 1996/02/04 02:17:55 christos Exp $	*/
 
 /*
@@ -365,7 +365,7 @@ solock_shared(struct socket *so)
 	switch (so->so_proto->pr_domain->dom_family) {
 	case PF_INET:
 	case PF_INET6:
-		if (so->so_proto->pr_usrreqs->pru_lock != NULL) {
+		if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET)) {
 			NET_LOCK_SHARED();
 			rw_enter_write(&so->so_lock);
 		} else
@@ -425,7 +425,7 @@ sounlock_shared(struct socket *so)
 	switch (so->so_proto->pr_domain->dom_family) {
 	case PF_INET:
 	case PF_INET6:
-		if (so->so_proto->pr_usrreqs->pru_unlock != NULL) {
+		if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET)) {
 			rw_exit_write(&so->so_lock);
 			NET_UNLOCK_SHARED();
 		} else
@@ -460,7 +460,7 @@ soassertlocked(struct socket *so)
 		if (rw_status(&netlock) == RW_READ) {
 			NET_ASSERT_LOCKED();
 
-			if (splassert_ctl > 0 && pru_locked(so) == 0 &&
+			if (splassert_ctl > 0 &&
 			    rw_status(&so->so_lock) != RW_WRITE)
 				splassert_fail(0, RW_WRITE, __func__);
 		} else
@@ -481,12 +481,12 @@ sosleep_nsec(struct socket *so, void *ident, int prio, const char *wmesg,
 	switch (so->so_proto->pr_domain->dom_family) {
 	case PF_INET:
 	case PF_INET6:
-		if (so->so_proto->pr_usrreqs->pru_unlock != NULL &&
+		if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET) &&
 		    rw_status(&netlock) == RW_READ) {
 			rw_exit_write(&so->so_lock);
 		}
 		ret = rwsleep_nsec(ident, &netlock, prio, wmesg, nsecs);
-		if (so->so_proto->pr_usrreqs->pru_lock != NULL &&
+		if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET) &&
 		    rw_status(&netlock) == RW_READ) {
 			rw_enter_write(&so->so_lock);
 		}
@@ -926,7 +926,7 @@ sbappendaddr(struct socket *so, struct sockbuf *sb, const struct sockaddr *asa,
 		if (n->m_next == NULL)	/* keep pointer to last control buf */
 			break;
 	}
-	if (space > sbspace(so, sb))
+	if (space > sbspace_locked(so, sb))
 		return (0);
 	if (asa->sa_len > MLEN)
 		return (0);
@@ -984,7 +984,7 @@ sbappendcontrol(struct socket *so, struct sockbuf *sb, struct mbuf *m0,
 				m->m_flags &= ~M_EOR;
 		}
 	}
-	if (space > sbspace(so, sb))
+	if (space > sbspace_locked(so, sb))
 		return (0);
 	n->m_next = m0;			/* concatenate data to control */