From bc7421a94777e151013e7b3c03e47aeab7c0688c Mon Sep 17 00:00:00 2001 
From: purplerain Date: Sat, 13 Jul 2024 21:15:57 +0200 Subject: [PATCH] sync with OpenBSD -current --- bin/dd/dd.c | 10 +- bin/dd/extern.h | 8 +- bin/dd/misc.c | 49 +- bin/dd/position.c | 4 +- distrib/sets/lists/base/md.arm64 | 2 + distrib/sets/lists/comp/md.arm64 | 1 + etc/examples/vm.conf | 10 +- .../Platform/OpenBSD/PlatformOpenBSD.cpp | 3 + .../source/Plugins/Process/CMakeLists.txt | 1 + .../Process/OpenBSDKernel/CMakeLists.txt | 14 + .../OpenBSDKernel/ProcessOpenBSDKernel.cpp | 223 +++++ .../OpenBSDKernel/ProcessOpenBSDKernel.h | 53 + .../RegisterContextOpenBSDKernel_arm64.cpp | 107 ++ .../RegisterContextOpenBSDKernel_arm64.h | 41 + .../RegisterContextOpenBSDKernel_i386.cpp | 110 ++ .../RegisterContextOpenBSDKernel_i386.h | 41 + .../RegisterContextOpenBSDKernel_x86_64.cpp | 111 +++ .../RegisterContextOpenBSDKernel_x86_64.h | 41 + .../OpenBSDKernel/ThreadOpenBSDKernel.cpp | 86 ++ .../OpenBSDKernel/ThreadOpenBSDKernel.h | 50 + .../clang/liblldbPluginProcess/Makefile | 10 +- gnu/usr.bin/clang/lldb/Makefile | 4 +- lib/libc/gen/signal.3 | 50 +- lib/libc/sys/sigaction.2 | 50 +- lib/libcrypto/ct/ct_x509v3.c | 127 +-- lib/libcrypto/hidden/crypto_namespace.h | 6 +- lib/libcrypto/ocsp/ocsp_vfy.c | 6 +- lib/libcrypto/x509/x509_addr.c | 10 +- lib/libcrypto/x509/x509_akey.c | 10 +- lib/libcrypto/x509/x509_alt.c | 118 ++- lib/libcrypto/x509/x509_asid.c | 10 +- lib/libcrypto/x509/x509_bcons.c | 10 +- lib/libcrypto/x509/x509_bitst.c | 26 +- lib/libcrypto/x509/x509_cpols.c | 10 +- lib/libcrypto/x509/x509_crld.c | 48 +- lib/libcrypto/x509/x509_extku.c | 18 +- lib/libcrypto/x509/x509_ia5.c | 290 +++--- lib/libcrypto/x509/x509_info.c | 18 +- lib/libcrypto/x509/x509_int.c | 46 +- lib/libcrypto/x509/x509_lib.c | 175 ++-- lib/libcrypto/x509/x509_local.h | 53 +- lib/libcrypto/x509/x509_ncons.c | 10 +- lib/libcrypto/x509/x509_ocsp.c | 58 +- lib/libcrypto/x509/x509_pcons.c | 10 +- lib/libcrypto/x509/x509_pku.c | 10 +- lib/libcrypto/x509/x509_pmaps.c | 10 +- 
lib/libcrypto/x509/x509_purp.c | 4 +- lib/libcrypto/x509/x509_skey.c | 10 +- lib/libcrypto/x509/x509_trs.c | 121 +-- lib/libcrypto/x509/x509_v3.c | 183 ++-- lib/libssl/Makefile | 4 +- lib/libssl/hidden/ssl_namespace.h | 6 +- lib/libssl/man/ssl.3 | 19 +- lib/libssl/ssl.h | 10 +- lib/libssl/ssl2.h | 153 --- lib/libssl/ssl23.h | 82 -- lib/libssl/ssl_err.c | 10 +- sbin/iked/Makefile | 8 +- sbin/iked/config.c | 329 +++++- sbin/iked/eap.c | 11 +- sbin/iked/eap.h | 3 +- sbin/iked/iked.c | 5 +- sbin/iked/iked.conf.5 | 131 ++- sbin/iked/iked.h | 120 ++- sbin/iked/ikev2.c | 103 +- sbin/iked/ikev2_msg.c | 4 +- sbin/iked/ikev2_pld.c | 11 +- sbin/iked/parse.y | 245 ++++- sbin/iked/pfkey.c | 51 +- sbin/iked/policy.c | 7 +- sbin/iked/radius.c | 937 ++++++++++++++++++ sbin/iked/types.h | 10 +- sbin/slaacd/engine.c | 58 +- share/man/man4/bio.4 | 8 +- sys/arch/amd64/amd64/mptramp.S | 3 +- sys/conf/files | 4 +- sys/dev/ic/nvme.c | 2 +- sys/dev/pci/drm/amd/amdgpu/aldebaran.c | 2 +- sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +- sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c | 3 +- sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c | 8 + sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c | 3 +- sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c | 2 +- .../pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 +- .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 +- .../pci/drm/amd/display/dc/core/dc_resource.c | 3 + .../dc/irq/dce110/irq_service_dce110.c | 8 +- .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 + sys/dev/pci/drm/amd/include/atomfirmware.h | 4 +- sys/dev/pci/drm/apple/apldcp.c | 37 +- sys/dev/pci/drm/drm_drv.c | 10 + sys/dev/pci/drm/drm_linux.c | 14 +- .../pci/drm/drm_panel_orientation_quirks.c | 7 + sys/dev/pci/drm/i915/gt/intel_gt_pm.c | 4 - sys/dev/pci/drm/include/generated/autoconf.h | 1 + sys/dev/pci/drm/include/linux/acpi.h | 3 + sys/dev/pci/drm/include/linux/suspend.h | 14 + sys/dev/pci/if_bwfm_pci.c | 50 +- sys/kern/uipc_socket.c | 35 +- sys/kern/uipc_socket2.c | 16 +- sys/kern/vfs_subr.c | 2 +- 
sys/miscfs/fifofs/fifo_vnops.c | 4 +- sys/net/pf.c | 4 +- sys/net/rtsock.c | 6 +- sys/netinet/in_pcb.c | 3 +- sys/netinet/in_pcb.h | 20 +- sys/netinet/in_proto.c | 34 +- sys/netinet/ip_divert.c | 31 +- sys/netinet/ip_divert.h | 5 +- sys/netinet/ip_gre.c | 8 +- sys/netinet/ip_icmp.c | 5 +- sys/netinet/ip_input.c | 17 +- sys/netinet/ip_var.h | 5 +- sys/netinet/raw_ip.c | 31 +- sys/netinet/udp_usrreq.c | 34 +- sys/netinet/udp_var.h | 5 +- sys/netinet6/in6_proto.c | 30 +- sys/netinet6/ip6_divert.c | 5 +- sys/netinet6/ip6_forward.c | 43 +- sys/netinet6/ip6_var.h | 5 +- sys/netinet6/raw_ip6.c | 31 +- sys/nfs/nfs_socket.c | 4 +- sys/sys/protosw.h | 28 +- sys/sys/socketvar.h | 16 +- sys/sys/vnode.h | 2 +- sys/ufs/ext2fs/ext2fs_inode.c | 2 +- sys/ufs/ufs/ufs_inode.c | 2 +- usr.bin/openssl/speed.c | 14 +- usr.bin/tmux/tmux.h | 3 +- usr.bin/tmux/tty-keys.c | 13 +- usr.bin/tmux/utf8.c | 24 +- usr.sbin/npppd/npppd/npppd_radius.c | 16 +- usr.sbin/radiusd/parse.y | 6 +- usr.sbin/radiusd/radiusd.c | 8 +- usr.sbin/radiusd/radiusd_ipcp.c | 4 +- usr.sbin/rpki-client/extern.h | 5 +- usr.sbin/rpki-client/main.c | 29 +- usr.sbin/rpki-client/repo.c | 54 +- usr.sbin/vmd/mmio.c | 0 usr.sbin/vmd/vionet.c | 11 +- usr.sbin/vmd/vmm.h | 1 + usr.sbin/vmd/x86_vm.c | 3 +- 142 files changed, 4267 insertions(+), 1365 deletions(-) create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/CMakeLists.txt create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.cpp create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.cpp create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.h create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.cpp create mode 100644 
gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.h create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.cpp create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.h create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.cpp create mode 100644 gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.h delete mode 100644 lib/libssl/ssl2.h delete mode 100644 lib/libssl/ssl23.h create mode 100644 sbin/iked/radius.c delete mode 100644 usr.sbin/vmd/mmio.c diff --git a/bin/dd/dd.c b/bin/dd/dd.c index d07d935bd..ef5c4b7a9 100644 --- a/bin/dd/dd.c +++ b/bin/dd/dd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dd.c,v 1.28 2021/10/24 21:24:21 deraadt Exp $ */ +/* $OpenBSD: dd.c,v 1.29 2024/07/12 14:30:27 deraadt Exp $ */ /* $NetBSD: dd.c,v 1.6 1996/02/20 19:29:06 jtc Exp $ */ /*- @@ -74,10 +74,10 @@ main(int argc, char *argv[]) jcl(argv); setup(); - (void)signal(SIGINFO, summaryx); - (void)signal(SIGINT, terminate); + (void)signal(SIGINFO, sig_summary); + (void)signal(SIGINT, sig_terminate); - atexit(summary); + atexit(exit_summary); if (cpy_cnt != (size_t)-1) { while (files_cnt--) @@ -265,7 +265,7 @@ dd_in(void) if (!(ddflags & C_NOERROR)) err(1, "%s", in.name); warn("%s", in.name); - summary(); + sig_summary(0); /* * If it's not a tape drive or a pipe, seek past the diff --git a/bin/dd/extern.h b/bin/dd/extern.h index 4b933ce28..aff85daf0 100644 --- a/bin/dd/extern.h +++ b/bin/dd/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.9 2014/03/27 15:32:13 tedu Exp $ */ +/* $OpenBSD: extern.h,v 1.10 2024/07/12 14:30:27 deraadt Exp $ */ /* $NetBSD: extern.h,v 1.7 1996/02/20 19:29:07 jtc Exp $ */ /*- 
@@ -44,9 +44,9 @@ void def_close(void);
 void jcl(char **);
 void pos_in(void);
 void pos_out(void);
-void summary(void);
-void summaryx(int);
-void terminate(int);
+void exit_summary(void);
+void sig_summary(int);
+void sig_terminate(int);
 void unblock(void);
 void unblock_close(void);
diff --git a/bin/dd/misc.c b/bin/dd/misc.c
index a0c201911..cd0ba9fa4 100644
--- a/bin/dd/misc.c
+++ b/bin/dd/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.23 2018/04/07 18:52:39 cheloha Exp $ */
+/* $OpenBSD: misc.c,v 1.26 2024/07/12 19:11:25 florian Exp $ */
 /* $NetBSD: misc.c,v 1.4 1995/03/21 09:04:10 cgd Exp $ */
 /*-
@@ -45,20 +45,32 @@
 #include "dd.h"
 #include "extern.h"
+/* SIGINFO handler */
 void
-summary(void)
+sig_summary(int notused)
 {
+ int save_errno = errno;
 struct timespec elapsed, now;
- double nanosecs;
+ unsigned long long bps, msec;
 if (ddflags & C_NOINFO)
 return;
 clock_gettime(CLOCK_MONOTONIC, &now);
 timespecsub(&now, &st.start, &elapsed);
- nanosecs = ((double)elapsed.tv_sec * 1000000000) + elapsed.tv_nsec;
- if (nanosecs == 0)
- nanosecs = 1;
+
+ if (elapsed.tv_sec > 600)
+ bps = st.bytes / elapsed.tv_sec;
+ else if (elapsed.tv_sec > 0) {
+ /* will overflow at ~ 30 exabytes / second */
+ msec = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000;
+ if (msec == 0)
+ msec = 1;
+ bps = st.bytes * 1000 / msec;
+ } else if (elapsed.tv_nsec > 0)
+ bps = st.bytes * 1000000000 / elapsed.tv_nsec;
+ else
+ bps = st.bytes;
 /* Be async safe: use dprintf(3). */
 dprintf(STDERR_FILENO, "%zu+%zu records in\n%zu+%zu records out\n",
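Review bot: In the sub-second branch of sig_summary, `bps = st.bytes * 1000000000 / elapsed.tv_nsec;` multiplies the byte count by 1e9 before dividing, so if st.bytes is a 64-bit quantity (the `(long long)` cast in the dprintf call suggests it is) the product wraps once roughly 18 GB have been copied in under a second, which a large-block /dev/zero to /dev/null run can reach; the other two branches scale by at most 1000 and the msec branch carries a comment about its limit, this one has neither. Scaling by microseconds keeps enough precision for this case with a far higher ceiling, e.g. `} else if (elapsed.tv_nsec >= 1000)` / `bps = st.bytes * 1000000 / (elapsed.tv_nsec / 1000);`, leaving the final `else` for the sub-microsecond case. If the wrap is considered acceptable, a comment stating the ceiling, like the one on the msec branch, would at least make it a documented choice. The body of sig_summary continues past this hunk.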
@@ -75,24 +87,23 @@ summary(void) if (!(ddflags & C_NOXFER)) { dprintf(STDERR_FILENO, "%lld bytes transferred in %lld.%03ld secs " - "(%0.0f bytes/sec)\n", (long long)st.bytes, - (long long)elapsed.tv_sec, elapsed.tv_nsec / 1000000, - ((double)st.bytes * 1000000000) / nanosecs); + "(%llu bytes/sec)\n", (long long)st.bytes, + (long long)elapsed.tv_sec, elapsed.tv_nsec / 1000000, bps); } -} - -void -summaryx(int notused) -{ - int save_errno = errno; - - summary(); errno = save_errno; } +/* SIGINT handler */ void -terminate(int signo) +sig_terminate(int signo) { - summary(); + sig_summary(0); _exit(128 + signo); } + +/* atexit variation to summarize */ +void +exit_summary(void) +{ + sig_summary(0); +} diff --git a/bin/dd/position.c b/bin/dd/position.c index ee8b039bd..9e1b2ba02 100644 --- a/bin/dd/position.c +++ b/bin/dd/position.c @@ -1,4 +1,4 @@ -/* $OpenBSD: position.c,v 1.11 2019/06/28 13:34:59 deraadt Exp $ */ +/* $OpenBSD: position.c,v 1.12 2024/07/12 14:30:27 deraadt Exp $ */ /* $NetBSD: position.c,v 1.4 1995/03/21 09:04:12 cgd Exp $ */ /*- @@ -103,7 +103,7 @@ pos_in(void) if (!warned) { warn("%s", in.name); warned = 1; - summary(); + sig_summary(0); } continue; } diff --git a/distrib/sets/lists/base/md.arm64 b/distrib/sets/lists/base/md.arm64 index 8f7135bac..9077b06ae 100644 --- a/distrib/sets/lists/base/md.arm64 +++ b/distrib/sets/lists/base/md.arm64 @@ -432,6 +432,8 @@ ./usr/sbin/hotplugd ./usr/sbin/mkuboot ./usr/sbin/pcidump +./usr/sbin/vmctl +./usr/sbin/vmd ./usr/sbin/wsconscfg ./usr/sbin/wsfontload ./usr/sbin/wsmoused diff --git a/distrib/sets/lists/comp/md.arm64 b/distrib/sets/lists/comp/md.arm64 index 4633202c9..06a454922 100644 --- a/distrib/sets/lists/comp/md.arm64 +++ b/distrib/sets/lists/comp/md.arm64 @@ -53,6 +53,7 @@ ./usr/include/arm64/tcb.h ./usr/include/arm64/timetc.h ./usr/include/arm64/trap.h +./usr/include/arm64/vmmvar.h ./usr/include/arm64/vmparam.h ./usr/include/ieeefp.h ./usr/libdata/ldscripts 
diff --git a/etc/examples/vm.conf b/etc/examples/vm.conf index 458beefa0..535de76f1 100644 --- a/etc/examples/vm.conf +++ b/etc/examples/vm.conf @@ -1,4 +1,4 @@ -# $OpenBSD: vm.conf,v 1.11 2021/11/11 09:38:14 claudio Exp $ +# $OpenBSD: vm.conf,v 1.12 2024/07/12 12:35:32 florian Exp $ # # Macros @@ -10,13 +10,13 @@ sets="/var/www/htdocs/pub/OpenBSD/snapshots/amd64/" # switch "uplink" { - # This switch will use bridge0, defined by /etc/hostname.bridge0, as - # the underlying interface. veb(4) is also supported - interface bridge0 + # This switch will use veb0, defined by /etc/hostname.veb0, as + # the underlying interface. bridge(4) is also supported + interface veb0 } switch "local" { - interface bridge1 + interface veb1 down } diff --git a/gnu/llvm/lldb/source/Plugins/Platform/OpenBSD/PlatformOpenBSD.cpp b/gnu/llvm/lldb/source/Plugins/Platform/OpenBSD/PlatformOpenBSD.cpp index 7aa5620b1..4d284df3c 100644 --- a/gnu/llvm/lldb/source/Plugins/Platform/OpenBSD/PlatformOpenBSD.cpp +++ b/gnu/llvm/lldb/source/Plugins/Platform/OpenBSD/PlatformOpenBSD.cpp @@ -25,6 +25,7 @@ #include "lldb/Utility/State.h" #include "lldb/Utility/Status.h" #include "lldb/Utility/StreamString.h" +#include "Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h" // Define these constants from OpenBSD mman.h for use when targeting remote // openbsd systems even when host has different values. @@ -91,6 +92,7 @@ void PlatformOpenBSD::Initialize() { PlatformOpenBSD::GetPluginNameStatic(false), PlatformOpenBSD::GetPluginDescriptionStatic(false), PlatformOpenBSD::CreateInstance, nullptr); + ProcessOpenBSDKernel::Initialize(); } } @@ -98,6 +100,7 @@ void PlatformOpenBSD::Terminate() { if (g_initialize_count > 0) { if (--g_initialize_count == 0) { PluginManager::UnregisterPlugin(PlatformOpenBSD::CreateInstance); + ProcessOpenBSDKernel::Terminate(); } } diff --git a/gnu/llvm/lldb/source/Plugins/Process/CMakeLists.txt b/gnu/llvm/lldb/source/Plugins/Process/CMakeLists.txt index ec35a428a..687a7690a 100644 
--- a/gnu/llvm/lldb/source/Plugins/Process/CMakeLists.txt +++ b/gnu/llvm/lldb/source/Plugins/Process/CMakeLists.txt @@ -22,3 +22,4 @@ add_subdirectory(elf-core) add_subdirectory(mach-core) add_subdirectory(minidump) add_subdirectory(FreeBSDKernel) +add_subdirectory(OpenBSDKernel) diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/CMakeLists.txt b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/CMakeLists.txt new file mode 100644 index 000000000..40976662f --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/CMakeLists.txt @@ -0,0 +1,14 @@ +add_lldb_library(lldbPluginProcessOpenBSDKernel PLUGIN + ProcessOpenBSDKernel.cpp + RegisterContextOpenBSDKernel_arm64.cpp + RegisterContextOpenBSDKernel_i386.cpp + RegisterContextOpenBSDKernel_x86_64.cpp + ThreadOpenBSDKernel.cpp + + LINK_LIBS + lldbCore + lldbTarget + kvm + LINK_COMPONENTS + Support + ) diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.cpp b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.cpp new file mode 100644 index 000000000..57724ca9e --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.cpp 
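Review bot: `kvm` under `LINK_LIBS` is unconditional, while every use of the kvm(3) API in the plugin sources is wrapped in `#if defined(__OpenBSD__)`; on any other host the sources still compile but the link step looks for a libkvm that may not exist, so the library dependency should be guarded the same way as the code that needs it. One way is to collect it conditionally, `if(CMAKE_SYSTEM_NAME STREQUAL "OpenBSD")` / `set(OPENBSD_KERNEL_LINK_LIBS kvm)` / `endif()`, and then reference `${OPENBSD_KERNEL_LINK_LIBS}` in `LINK_LIBS` so the list is empty elsewhere. A one-line comment next to the entry saying the library is only needed for the KVM-backed subclass would make the intent clear either way.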
@@ -0,0 +1,223 @@ +//===-- ProcessOpenBSDKernel.cpp ------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#include "lldb/Core/Module.h" +#include "lldb/Core/PluginManager.h" +#include "lldb/Target/DynamicLoader.h" + +#include "Plugins/DynamicLoader/Static/DynamicLoaderStatic.h" +#include "ProcessOpenBSDKernel.h" +#include "ThreadOpenBSDKernel.h" + +#if defined(__OpenBSD__) +#include +#define _KERNEL +#include +#include +#undef _KERNEL +#endif + +using namespace lldb; +using namespace lldb_private; + +LLDB_PLUGIN_DEFINE(ProcessOpenBSDKernel) + +namespace { + +#if defined(__OpenBSD__) +class ProcessOpenBSDKernelKVM : public ProcessOpenBSDKernel { +public: + ProcessOpenBSDKernelKVM(lldb::TargetSP target_sp, lldb::ListenerSP listener, + kvm_t *fvc); + + ~ProcessOpenBSDKernelKVM(); + + size_t DoReadMemory(lldb::addr_t addr, void *buf, size_t size, + lldb_private::Status &error) override; + +private: + kvm_t *m_kvm; + + const char *GetError(); +}; +#endif // defined(__OpenBSD__) + +} // namespace + +ProcessOpenBSDKernel::ProcessOpenBSDKernel(lldb::TargetSP target_sp, + ListenerSP listener_sp) + : PostMortemProcess(target_sp, listener_sp) {} + +lldb::ProcessSP ProcessOpenBSDKernel::CreateInstance(lldb::TargetSP target_sp, + ListenerSP listener_sp, + const FileSpec *crash_file, + bool can_connect) { + ModuleSP executable = target_sp->GetExecutableModule(); + if (crash_file && !can_connect && executable) { +#if defined(__OpenBSD__) + kvm_t *kvm = + kvm_open(executable->GetFileSpec().GetPath().c_str(), + crash_file->GetPath().c_str(), nullptr, O_RDONLY, nullptr); + if (kvm) + return std::make_shared(target_sp, listener_sp, + kvm); +#endif + } + return nullptr; +} + +void 
ProcessOpenBSDKernel::Initialize() { + static llvm::once_flag g_once_flag; + + llvm::call_once(g_once_flag, []() { + PluginManager::RegisterPlugin(GetPluginNameStatic(), + GetPluginDescriptionStatic(), CreateInstance); + }); +} + +void ProcessOpenBSDKernel::Terminate() { + PluginManager::UnregisterPlugin(ProcessOpenBSDKernel::CreateInstance); +} + +Status ProcessOpenBSDKernel::DoDestroy() { return Status(); } + +bool ProcessOpenBSDKernel::CanDebug(lldb::TargetSP target_sp, + bool plugin_specified_by_name) { + return true; +} + +void ProcessOpenBSDKernel::RefreshStateAfterStop() {} + +bool ProcessOpenBSDKernel::DoUpdateThreadList(ThreadList &old_thread_list, + ThreadList &new_thread_list) { + if (old_thread_list.GetSize(false) == 0) { + // Make up the thread the first time this is called so we can set our one + // and only core thread state up. + + // We cannot construct a thread without a register context as that crashes + // LLDB but we can construct a process without threads to provide minimal + // memory reading support. 
+ switch (GetTarget().GetArchitecture().GetMachine()) { + case llvm::Triple::aarch64: + case llvm::Triple::x86: + case llvm::Triple::x86_64: + break; + default: + return false; + } + + Status error; + int32_t i; + lldb::addr_t dumppcb = FindSymbol("dumppcb"); + uint32_t offset_p_list = offsetof(proc, p_list); + uint32_t offset_p_addr = offsetof(proc, p_addr); + uint32_t offset_p_tid = offsetof(proc, p_tid); + uint32_t offset_p_p = offsetof(proc, p_p); + uint32_t offset_ps_comm = offsetof(process, ps_comm); + uint32_t offset_ps_pid = offsetof(process, ps_pid); + uint32_t offset_ci_curproc = offsetof(cpu_info, ci_curproc); + char comm[_MAXCOMLEN]; + + int32_t ncpu = ReadSignedIntegerFromMemory(FindSymbol("ncpus"), + 4, -1, error); + if (ncpu < 0) + return false; + + lldb::addr_t cpu_procs[ncpu]; + + if (dumppcb != LLDB_INVALID_ADDRESS) { + std::string thread_desc = llvm::formatv("Crashed Thread"); + ThreadSP thread_sp { + new ThreadOpenBSDKernel(*this, 0, dumppcb, thread_desc)}; + new_thread_list.AddThread(thread_sp); + } + + lldb::addr_t cpu_info = FindSymbol("cpu_info"); + lldb::addr_t cpu_info_array = (cpu_info == LLDB_INVALID_ADDRESS) ? 
+ ReadPointerFromMemory(FindSymbol("cpu_info_list"), error) : cpu_info; + for (i = 0; i < ncpu ; i++) { + lldb::addr_t ci = + ReadPointerFromMemory(cpu_info_array + sizeof(void*) * i, error); + cpu_procs[i] = ReadPointerFromMemory(ci + offset_ci_curproc, error); + } + + for (lldb::addr_t proc = ReadPointerFromMemory(FindSymbol("allproc"), error); + proc != 0 && proc != LLDB_INVALID_ADDRESS; + proc = ReadPointerFromMemory(proc + offset_p_list, error)) { + + lldb::tid_t tid = ReadSignedIntegerFromMemory(proc + offset_p_tid, 4, -1, + error); + lldb::addr_t process = ReadPointerFromMemory(proc + offset_p_p, error); + ReadMemory(process + offset_ps_comm, &comm, sizeof(comm), error); + u_int32_t pid = ReadSignedIntegerFromMemory(process + offset_ps_pid, 4, + -1, error); + lldb::addr_t p_addr = ReadPointerFromMemory(proc + offset_p_addr, error); + for (i = 0; i < ncpu; i++) + if (cpu_procs[i] == proc) + break; + std::string thread_desc; + if (i == ncpu) + thread_desc = llvm::formatv("(pid:{0}) {1}", pid, comm); + else + thread_desc = llvm::formatv("(pid:{0}) {1} (cpu {2})", pid, comm, i); + ThreadSP thread_sp { + new ThreadOpenBSDKernel(*this, tid, p_addr, thread_desc)}; + new_thread_list.AddThread(thread_sp); + } + } else { + const uint32_t num_threads = old_thread_list.GetSize(false); + for (uint32_t i = 0; i < num_threads; ++i) + new_thread_list.AddThread(old_thread_list.GetThreadAtIndex(i, false)); + } + return new_thread_list.GetSize(false) > 0; +} + +Status ProcessOpenBSDKernel::DoLoadCore() { + // The core is already loaded by CreateInstance(). 
+ return Status(); +} + +DynamicLoader *ProcessOpenBSDKernel::GetDynamicLoader() { + if (m_dyld_up.get() == nullptr) + m_dyld_up.reset(DynamicLoader::FindPlugin( + this, DynamicLoaderStatic::GetPluginNameStatic())); + return m_dyld_up.get(); +} + +lldb::addr_t ProcessOpenBSDKernel::FindSymbol(const char *name) { + ModuleSP mod_sp = GetTarget().GetExecutableModule(); + const Symbol *sym = mod_sp->FindFirstSymbolWithNameAndType(ConstString(name)); + return sym ? sym->GetLoadAddress(&GetTarget()) : LLDB_INVALID_ADDRESS; +} + +#if defined(__OpenBSD__) + +ProcessOpenBSDKernelKVM::ProcessOpenBSDKernelKVM(lldb::TargetSP target_sp, + ListenerSP listener_sp, + kvm_t *fvc) + : ProcessOpenBSDKernel(target_sp, listener_sp), m_kvm(fvc) {} + +ProcessOpenBSDKernelKVM::~ProcessOpenBSDKernelKVM() { + if (m_kvm) + kvm_close(m_kvm); +} + +size_t ProcessOpenBSDKernelKVM::DoReadMemory(lldb::addr_t addr, void *buf, + size_t size, Status &error) { + ssize_t rd = 0; + rd = kvm_read(m_kvm, addr, buf, size); + if (rd < 0 || static_cast(rd) != size) { + error.SetErrorStringWithFormat("Reading memory failed: %s", GetError()); + return rd > 0 ? rd : 0; + } + return rd; +} + +const char *ProcessOpenBSDKernelKVM::GetError() { return kvm_geterr(m_kvm); } + +#endif // defined(__OpenBSD__) diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h new file mode 100644 index 000000000..64d90a397 --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ProcessOpenBSDKernel.h 
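Review bot: DoUpdateThreadList sizes a stack array from data read out of the core file: `lldb::addr_t cpu_procs[ncpu];` is a VLA (a GNU extension in C++) whose length is the `ncpus` value just read from the dump, so a corrupt or hostile vmcore carrying a large `ncpus` overruns the stack before any thread is listed, and `ncpu == 0` yields a zero-length array. The same untrusted data drives the `allproc` walk, which stops only on a null or invalid pointer and therefore never terminates on a cyclic `p_list`, and `comm` is handed to `llvm::formatv` as a C string without being NUL-terminated and without the `ReadMemory` result being checked. Separately, the `offsetof(proc, ...)`, `offsetof(cpu_info, ...)` and `_MAXCOMLEN` uses sit outside the `#if defined(__OpenBSD__)` guard that wraps the kernel headers, so unless those names are provided elsewhere this function will not compile on other hosts even though the KVM subclass is guarded. The excerpt below bounds both walks and terminates `comm`; it needs `<vector>` in the include list, and the two bound constants are placeholders for whatever limits the project chooses (the kernel's own CPU limit would be a natural choice for the first).
```cpp
    // … unchanged: architecture switch, FindSymbol/offsetof setup …
    int32_t ncpu = ReadSignedIntegerFromMemory(FindSymbol("ncpus"),
                                               4, -1, error);
    // ncpus comes from the dump itself; never size anything by it unchecked.
    if (ncpu < 0 || ncpu > MAX_DUMP_NCPUS /* placeholder bound */)
      return false;
    std::vector<lldb::addr_t> cpu_procs(ncpu, LLDB_INVALID_ADDRESS);
    // … unchanged: dumppcb thread, cpu_info array walk …
    uint32_t visited = 0;
    for (lldb::addr_t proc = ReadPointerFromMemory(FindSymbol("allproc"), error);
         proc != 0 && proc != LLDB_INVALID_ADDRESS;
         proc = ReadPointerFromMemory(proc + offset_p_list, error)) {
      // A corrupt or crafted p_list may be cyclic; refuse to walk it forever.
      if (++visited > MAX_DUMP_PROCS /* placeholder bound */)
        break;
      // … unchanged: tid, process, pid and p_addr reads …
      if (ReadMemory(process + offset_ps_comm, comm, sizeof(comm), error) !=
          sizeof(comm))
        comm[0] = '\0';
      comm[sizeof(comm) - 1] = '\0'; // formatv reads comm as a C string
      // … unchanged: cpu lookup, thread_desc, AddThread …
```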
@@ -0,0 +1,53 @@ +//===-- ProcessOpenBSDKernel.h ----------------------------------*- C++ -*-===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H +#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H + +#include "lldb/Target/PostMortemProcess.h" + +class ProcessOpenBSDKernel : public lldb_private::PostMortemProcess { +public: + ProcessOpenBSDKernel(lldb::TargetSP target_sp, lldb::ListenerSP listener); + + static lldb::ProcessSP + CreateInstance(lldb::TargetSP target_sp, lldb::ListenerSP listener, + const lldb_private::FileSpec *crash_file_path, + bool can_connect); + + static void Initialize(); + + static void Terminate(); + + static llvm::StringRef GetPluginNameStatic() { return "openbsd-kernel"; } + + static llvm::StringRef GetPluginDescriptionStatic() { + return "OpenBSD kernel vmcore debugging plug-in."; + } + + llvm::StringRef GetPluginName() override { return GetPluginNameStatic(); } + + lldb_private::Status DoDestroy() override; + + bool CanDebug(lldb::TargetSP target_sp, + bool plugin_specified_by_name) override; + + void RefreshStateAfterStop() override; + + lldb_private::Status DoLoadCore() override; + + lldb_private::DynamicLoader *GetDynamicLoader() override; + +protected: + bool DoUpdateThreadList(lldb_private::ThreadList &old_thread_list, + lldb_private::ThreadList &new_thread_list) override; + + lldb::addr_t FindSymbol(const char* name); +}; + +#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_PROCESSOPENBSDKERNEL_H 
diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.cpp b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.cpp new file mode 100644 index 000000000..1ebfc6a79 --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.cpp 
@@ -0,0 +1,107 @@ +//===-- RegisterContextOpenBSDKernel_arm64.cpp ----------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#if defined(__OpenBSD__) +#include +#include +#define _KERNEL +#include +#undef _KERNEL +#include +#include +#endif + +#include "RegisterContextOpenBSDKernel_arm64.h" +#include "Plugins/Process/Utility/lldb-arm64-register-enums.h" + +#include "lldb/Target/Process.h" +#include "lldb/Target/Thread.h" +#include "lldb/Utility/RegisterValue.h" +#include "llvm/Support/Endian.h" + +using namespace lldb; +using namespace lldb_private; + +RegisterContextOpenBSDKernel_arm64::RegisterContextOpenBSDKernel_arm64( + Thread &thread, std::unique_ptr register_info_up, + lldb::addr_t pcb_addr) + : RegisterContextPOSIX_arm64(thread, std::move(register_info_up)), + m_pcb_addr(pcb_addr) {} + +bool RegisterContextOpenBSDKernel_arm64::ReadGPR() { return true; } + +bool RegisterContextOpenBSDKernel_arm64::ReadFPR() { return true; } + +bool RegisterContextOpenBSDKernel_arm64::WriteGPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_arm64::WriteFPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_arm64::ReadRegister( + const RegisterInfo *reg_info, RegisterValue &value) { + if (m_pcb_addr == LLDB_INVALID_ADDRESS) + return false; + +#ifdef __aarch64__ + Status error; + struct pcb pcb; + size_t rd = m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb), + error); + if (rd != sizeof(pcb)) + return false; + + /* + Usually pcb is written in `cpu_switchto` function. This function writes + registers as same as the structure of `swichframe` in the stack. + We read the frame if it is. 
+ */ + struct switchframe sf; + rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_sp, &sf, sizeof(sf), error); + if (rd != sizeof(sf)) + return false; + + uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB]; + switch (reg) { +#define REG(x) \ + case gpr_##x##_arm64: \ + value = (u_int64_t)sf.sf_##x; \ + return true; + + REG(x19); + REG(x20); + REG(x21); + REG(x22); + REG(x23); + REG(x24); + REG(x25); + REG(x26); + REG(x27); + REG(x28); + case gpr_fp_arm64: + value = (u_int64_t)sf.sf_x29; + return true; + case gpr_sp_arm64: + value = (u_int64_t)pcb.pcb_sp; + return true; + case gpr_pc_arm64: + value = (u_int64_t)sf.sf_lr; + return true; + } +#endif + return false; +} + +bool RegisterContextOpenBSDKernel_arm64::WriteRegister( + const RegisterInfo *reg_info, const RegisterValue &value) { + return false; +} diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.h b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.h new file mode 100644 index 000000000..96ab55b29 --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_arm64.h 
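Review bot: The kernel headers are included under `#if defined(__OpenBSD__)`, but ReadRegister uses `struct pcb` and `struct switchframe` under `#ifdef __aarch64__` alone, so an aarch64 host that is not OpenBSD sees the type uses without their definitions; the body guard should match the include guard, `#if defined(__OpenBSD__) && defined(__aarch64__)`. The i386 and x86_64 files have the same mismatch with `#ifdef __i386__` and `#ifdef __amd64__`. `WriteGPR` and `WriteFPR` call `assert(0)`, which aborts an asserts-enabled lldb if anything ever attempts a register write in this post-mortem context; returning false, as `WriteRegister` already does, is the safer failure for a read-only target. The comment above the switchframe read has a typo (`swichframe`) and trails off (`We read the frame if it is.`); I would restate it as `// cpu_switchto() saves the callee-saved registers as a struct switchframe at pcb_sp; read it back from there.`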
@@ -0,0 +1,41 @@ +//===-- RegisterContextOpenBSDKernel_arm64.h --------------------*- C++ -*-===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H +#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H + +#include "Plugins/Process/Utility/RegisterContextPOSIX_arm64.h" +#include "Plugins/Process/elf-core/RegisterUtilities.h" + +class RegisterContextOpenBSDKernel_arm64 : public RegisterContextPOSIX_arm64 { +public: + RegisterContextOpenBSDKernel_arm64( + lldb_private::Thread &thread, + std::unique_ptr register_info_up, + lldb::addr_t pcb_addr); + + bool ReadRegister(const lldb_private::RegisterInfo *reg_info, + lldb_private::RegisterValue &value) override; + + bool WriteRegister(const lldb_private::RegisterInfo *reg_info, + const lldb_private::RegisterValue &value) override; + +protected: + bool ReadGPR() override; + + bool ReadFPR() override; + + bool WriteGPR() override; + + bool WriteFPR() override; + +private: + lldb::addr_t m_pcb_addr; +}; + +#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_ARM64_H diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.cpp b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.cpp new file mode 100644 index 000000000..9a909a4e0 --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.cpp 
@@ -0,0 +1,110 @@ +//===-- RegisterContextOpenBSDKernel_i386.cpp -----------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#if defined(__OpenBSD__) +#include +#include +#define _KERNEL +#include +#undef _KERNEL +#include +#include +#endif + +#include "RegisterContextOpenBSDKernel_i386.h" + +#include "lldb/Target/Process.h" +#include "lldb/Target/Thread.h" +#include "lldb/Utility/RegisterValue.h" +#include "llvm/Support/Endian.h" + +using namespace lldb; +using namespace lldb_private; + +RegisterContextOpenBSDKernel_i386::RegisterContextOpenBSDKernel_i386( + Thread &thread, RegisterInfoInterface *register_info, lldb::addr_t pcb_addr) + : RegisterContextPOSIX_x86(thread, 0, register_info), m_pcb_addr(pcb_addr) { +} + +bool RegisterContextOpenBSDKernel_i386::ReadGPR() { return true; } + +bool RegisterContextOpenBSDKernel_i386::ReadFPR() { return true; } + +bool RegisterContextOpenBSDKernel_i386::WriteGPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_i386::WriteFPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_i386::ReadRegister( + const RegisterInfo *reg_info, RegisterValue &value) { + if (m_pcb_addr == LLDB_INVALID_ADDRESS) + return false; + +#ifdef __i386__ + struct pcb pcb; + + Status error; + size_t rd = + m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb), error); + if (rd != sizeof(pcb)) + return false; + + if ((pcb.pcb_flags & PCB_SAVECTX) != 0) { + uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB]; + switch (reg) { +#define PCBREG(x) \ + case lldb_##x##_i386: \ + value = pcb.pcb_##x; \ + return true; + PCBREG(ebp); + PCBREG(esp); + case lldb_eip_i386: + value = m_thread.GetProcess()->ReadPointerFromMemory(pcb.pcb_ebp + 
4, + error); + return true; + } + return false; + } + + /* + Usually pcb is written in `cpu_switchto` function. This function writes + registers as same as the structure of `swichframe` in the stack. + We read the frame if it is. + */ + struct switchframe sf; + rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_esp, &sf, sizeof(sf), error); + if (rd != sizeof(sf)) + return false; + + uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB]; + switch (reg) { +#define SFREG(x) \ + case lldb_##x##_i386: \ + value = sf.sf_##x; \ + return true; + + SFREG(edi); + SFREG(esi); + SFREG(ebx); + SFREG(eip); + PCBREG(ebp); + PCBREG(esp); + } +#endif + return false; +} + +bool RegisterContextOpenBSDKernel_i386::WriteRegister( + const RegisterInfo *reg_info, const RegisterValue &value) { + return false; +} diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.h b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.h new file mode 100644 index 000000000..da6d9a7a0 --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_i386.h 
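Review bot: In the `PCB_SAVECTX` branch, `case lldb_eip_i386:` assigns the result of `ReadPointerFromMemory(pcb.pcb_ebp + 4, error)` and returns true without consulting `error`, so a failed read (presumably reported as LLDB_INVALID_ADDRESS plus a failed Status) is handed to the caller as a valid program counter; add `if (error.Fail()) return false;` before that `return true;`. The x86_64 file's `case lldb_rip_x86_64:` (`pcb.pcb_rbp + 8`) has the same gap. On style, `PCBREG` is defined inside the first `switch` and reused in the second while `SFREG` is defined between them, and neither is `#undef`'d; defining both once at the top of ReadRegister (or at file scope with an `#undef` after the function) would read better. Neither `switch` has a `default:`, which is fine for a uint32_t selector, but a one-line comment saying unlisted registers fall through to `return false` would make that intent explicit.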
@@ -0,0 +1,41 @@ +//===-- RegisterContextOpenBSDKernel_i386.h ---------------------*- C++ -*-===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H +#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H + +#include "Plugins/Process/Utility/RegisterContextPOSIX_x86.h" +#include "Plugins/Process/elf-core/RegisterUtilities.h" + +class RegisterContextOpenBSDKernel_i386 : public RegisterContextPOSIX_x86 { +public: + RegisterContextOpenBSDKernel_i386( + lldb_private::Thread &thread, + lldb_private::RegisterInfoInterface *register_info, + lldb::addr_t pcb_addr); + + bool ReadRegister(const lldb_private::RegisterInfo *reg_info, + lldb_private::RegisterValue &value) override; + + bool WriteRegister(const lldb_private::RegisterInfo *reg_info, + const lldb_private::RegisterValue &value) override; + +protected: + bool ReadGPR() override; + + bool ReadFPR() override; + + bool WriteGPR() override; + + bool WriteFPR() override; + +private: + lldb::addr_t m_pcb_addr; +}; + +#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_I386_H diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.cpp b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.cpp new file mode 100644 index 000000000..501fa858a --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.cpp 
@@ -0,0 +1,111 @@ +//===-- RegisterContextOpenBSDKernel_x86_64.cpp ---------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#if defined(__OpenBSD__) +#include +#include +#define _KERNEL +#include +#undef _KERNEL +#include +#include +#endif + +#include "RegisterContextOpenBSDKernel_x86_64.h" + +#include "lldb/Target/Process.h" +#include "lldb/Target/Thread.h" +#include "lldb/Utility/RegisterValue.h" +#include "llvm/Support/Endian.h" + +using namespace lldb; +using namespace lldb_private; + +RegisterContextOpenBSDKernel_x86_64::RegisterContextOpenBSDKernel_x86_64( + Thread &thread, RegisterInfoInterface *register_info, + lldb::addr_t pcb) + : RegisterContextPOSIX_x86(thread, 0, register_info), + m_pcb_addr(pcb) { +} + +bool RegisterContextOpenBSDKernel_x86_64::ReadGPR() { return true; } + +bool RegisterContextOpenBSDKernel_x86_64::ReadFPR() { return true; } + +bool RegisterContextOpenBSDKernel_x86_64::WriteGPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_x86_64::WriteFPR() { + assert(0); + return false; +} + +bool RegisterContextOpenBSDKernel_x86_64::ReadRegister( + const RegisterInfo *reg_info, RegisterValue &value) { + Status error; + + if (m_pcb_addr == LLDB_INVALID_ADDRESS) + return false; + +#ifdef __amd64__ + struct pcb pcb; + size_t rd = m_thread.GetProcess()->ReadMemory(m_pcb_addr, &pcb, sizeof(pcb), + error); + if (rd != sizeof(pcb)) + return false; + + /* + Usually pcb is written in `cpu_switchto` function. This function writes + registers as same as the structure of `swichframe` in the stack. + We read the frame if it is. 
+ */
+ struct switchframe sf;
+ rd = m_thread.GetProcess()->ReadMemory(pcb.pcb_rsp, &sf, sizeof(sf), error);
+ if (rd != sizeof(sf))
+ return false;
+
+ uint32_t reg = reg_info->kinds[lldb::eRegisterKindLLDB];
+ if (pcb.pcb_rbp == (u_int64_t)sf.sf_rbp) {
+#define SFREG(x) \
+ case lldb_##x##_x86_64: \
+ value = (u_int64_t)sf.sf_##x; \
+ return true;
+#define PCBREG(x) \
+ case lldb_##x##_x86_64: \
+ value = pcb.pcb_##x; \
+ return true;
+ switch (reg) {
+ SFREG(r15);
+ SFREG(r14);
+ SFREG(r13);
+ SFREG(r12);
+ SFREG(rbp);
+ SFREG(rbx);
+ SFREG(rip);
+ PCBREG(rsp);
+ }
+ } else {
+ switch (reg) {
+ PCBREG(rbp);
+ PCBREG(rsp);
+ case lldb_rip_x86_64:
+ value = m_thread.GetProcess()->ReadPointerFromMemory(pcb.pcb_rbp + 8,
+ error);
+ return true;
+ }
+ }
+#endif
+ return false;
+}
+
+bool RegisterContextOpenBSDKernel_x86_64::WriteRegister(
+ const RegisterInfo *reg_info, const RegisterValue &value) {
+ return false;
+}
diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.h b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.h
new file mode 100644
index 000000000..7a7d26ffd
--- /dev/null
+++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/RegisterContextOpenBSDKernel_x86_64.h
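Review bot: In the `lldb_rip_x86_64` case of the else branch of `ReadRegister`, the result of `ReadPointerFromMemory(pcb.pcb_rbp + 8, error)` is assigned to `value` and `return true` follows without consulting `error`, so a failed read (for example a `pcb_rbp` that points outside the dump) reports LLDB_INVALID_ADDRESS to the caller as a valid rip; change it to `addr_t rip = m_thread.GetProcess()->ReadPointerFromMemory(pcb.pcb_rbp + 8, error);` / `if (error.Fail()) return false;` / `value = rip; return true;`. The `SFREG` and `PCBREG` macros are defined inside the function body and never undefined; an `#undef SFREG` and `#undef PCBREG` after the switches keeps them from leaking into the rest of the translation unit. The explanatory comment above the `switchframe` read (which begins in the earlier part of this hunk) misspells `switchframe` as `swichframe`; a clearer wording would be `// cpu_switchto saves the callee-saved registers as a struct switchframe at pcb_rsp; read it from there when pcb_rbp matches.`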
@@ -0,0 +1,41 @@
+//===-- RegisterContextOpenBSDKernel_x86_64.h -------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H
+#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H
+
+#include "Plugins/Process/Utility/RegisterContextPOSIX_x86.h"
+#include "Plugins/Process/elf-core/RegisterUtilities.h"
+
+class RegisterContextOpenBSDKernel_x86_64 : public RegisterContextPOSIX_x86 {
+public:
+ RegisterContextOpenBSDKernel_x86_64(
+ lldb_private::Thread &thread,
+ lldb_private::RegisterInfoInterface *register_info,
+ lldb::addr_t pcb);
+
+ bool ReadRegister(const lldb_private::RegisterInfo *reg_info,
+ lldb_private::RegisterValue &value) override;
+
+ bool WriteRegister(const lldb_private::RegisterInfo *reg_info,
+ const lldb_private::RegisterValue &value) override;
+
+protected:
+ bool ReadGPR() override;
+
+ bool ReadFPR() override;
+
+ bool WriteGPR() override;
+
+ bool WriteFPR() override;
+
+private:
+ lldb::addr_t m_pcb_addr;
+};
+
+#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_REGISTERCONTEXTOPENBSDKERNEL_X86_64_H
diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.cpp b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.cpp
new file mode 100644
index 000000000..fec0b6cfc
--- /dev/null
+++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.cpp
@@ -0,0 +1,86 @@ +//===-- ThreadOpenBSDKernel.cpp -------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#include "ThreadOpenBSDKernel.h" + +#include "lldb/Target/Unwind.h" +#include "lldb/Utility/Log.h" + +#include "Plugins/Process/Utility/RegisterContextOpenBSD_i386.h" +#include "Plugins/Process/Utility/RegisterContextOpenBSD_x86_64.h" +#include "Plugins/Process/Utility/RegisterInfoPOSIX_arm64.h" +#include "ProcessOpenBSDKernel.h" +#include "RegisterContextOpenBSDKernel_arm64.h" +#include "RegisterContextOpenBSDKernel_i386.h" +#include "RegisterContextOpenBSDKernel_x86_64.h" +#include "ThreadOpenBSDKernel.h" + +using namespace lldb; +using namespace lldb_private; + +ThreadOpenBSDKernel::ThreadOpenBSDKernel(Process &process, lldb::tid_t tid, + lldb::addr_t pcb, + std::string thread_name) + : Thread(process, tid), m_thread_name(std::move(thread_name)), + m_pcb(pcb) {} + +ThreadOpenBSDKernel::~ThreadOpenBSDKernel() {} + +void ThreadOpenBSDKernel::RefreshStateAfterStop() {} + +lldb::RegisterContextSP ThreadOpenBSDKernel::GetRegisterContext() { + if (!m_reg_context_sp) + m_reg_context_sp = CreateRegisterContextForFrame(nullptr); + return m_reg_context_sp; +} + +lldb::RegisterContextSP +ThreadOpenBSDKernel::CreateRegisterContextForFrame(StackFrame *frame) { + RegisterContextSP reg_ctx_sp; + uint32_t concrete_frame_idx = 0; + + if (frame) + concrete_frame_idx = frame->GetConcreteFrameIndex(); + + if (concrete_frame_idx == 0) { + if (m_thread_reg_ctx_sp) + return m_thread_reg_ctx_sp; + + ProcessOpenBSDKernel *process = + static_cast(GetProcess().get()); + ArchSpec arch = process->GetTarget().GetArchitecture(); + + switch (arch.GetMachine()) { + case llvm::Triple::aarch64: + 
m_thread_reg_ctx_sp = + std::make_shared( + *this, std::make_unique(arch, 0), + m_pcb); + break; + case llvm::Triple::x86: + m_thread_reg_ctx_sp = std::make_shared( + *this, new RegisterContextOpenBSD_i386(arch), m_pcb); + break; + case llvm::Triple::x86_64: + m_thread_reg_ctx_sp = + std::make_shared( + *this, new RegisterContextOpenBSD_x86_64(arch), m_pcb); + break; + default: + assert(false && "Unsupported architecture passed to ThreadOpenBSDKernel"); + break; + } + + reg_ctx_sp = m_thread_reg_ctx_sp; + } else { + reg_ctx_sp = GetUnwinder().CreateRegisterContextForFrame(frame); + } + return reg_ctx_sp; +} + +bool ThreadOpenBSDKernel::CalculateStopInfo() { return false; } diff --git a/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.h b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.h new file mode 100644 index 000000000..5372e0afd --- /dev/null +++ b/gnu/llvm/lldb/source/Plugins/Process/OpenBSDKernel/ThreadOpenBSDKernel.h 
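Review bot: The `default:` arm of `switch (arch.GetMachine())` in `CreateRegisterContextForFrame` only asserts, so in a build with assertions compiled out it falls through with `m_thread_reg_ctx_sp` still empty and the function silently returns a null `RegisterContextSP`, which `GetRegisterContext` then hands to callers that presumably dereference it. Logging the unsupported architecture through the already-included `lldb/Utility/Log.h` and returning the empty `RegisterContextSP` explicitly, e.g. `return RegisterContextSP();` right after the assert, makes the failure visible instead of deferring it to a null dereference. `"ThreadOpenBSDKernel.h"` is included twice in this file's include block, once as the first include and again after the RegisterContext headers; the second include can be dropped.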
@@ -0,0 +1,50 @@ +//===-- ThreadOpenBSDKernel.h ------------------------------------- C++ -*-===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#ifndef LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H +#define LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H + +#include "lldb/Target/Thread.h" + +class ThreadOpenBSDKernel : public lldb_private::Thread { +public: + ThreadOpenBSDKernel(lldb_private::Process &process, lldb::tid_t tid, + lldb::addr_t pcb, std::string thread_name); + + ~ThreadOpenBSDKernel() override; + + void RefreshStateAfterStop() override; + + lldb::RegisterContextSP GetRegisterContext() override; + + lldb::RegisterContextSP + CreateRegisterContextForFrame(lldb_private::StackFrame *frame) override; + + const char *GetName() override { + if (m_thread_name.empty()) + return nullptr; + return m_thread_name.c_str(); + } + + void SetName(const char *name) override { + if (name && name[0]) + m_thread_name.assign(name); + else + m_thread_name.clear(); + } + +protected: + bool CalculateStopInfo() override; + +private: + std::string m_thread_name; + lldb::RegisterContextSP m_thread_reg_ctx_sp; + lldb::addr_t m_pcb; +}; + +#endif // LLDB_SOURCE_PLUGINS_PROCESS_OPENBSDKERNEL_THREADOPENBSDKERNEL_H diff --git a/gnu/usr.bin/clang/liblldbPluginProcess/Makefile b/gnu/usr.bin/clang/liblldbPluginProcess/Makefile index a075e152c..af448a42d 100644 --- a/gnu/usr.bin/clang/liblldbPluginProcess/Makefile +++ b/gnu/usr.bin/clang/liblldbPluginProcess/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.11 2023/11/11 18:35:39 robert Exp $ +# $OpenBSD: Makefile,v 1.12 2024/07/13 07:25:38 asou Exp $ LIB= lldbPluginProcess NOPIC= 
@@ -124,6 +124,13 @@ SRCS+= MinidumpTypes.cpp \ SRCS+= ScriptedProcess.cpp \ ScriptedThread.cpp +# Process/OpenBSDKernel +SRCS+= ProcessOpenBSDKernel.cpp \ + RegisterContextOpenBSDKernel_arm64.cpp \ + RegisterContextOpenBSDKernel_i386.cpp \ + RegisterContextOpenBSDKernel_x86_64.cpp \ + ThreadOpenBSDKernel.cpp + .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/OpenBSD .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/POSIX .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/gdb-remote @@ -132,6 +139,7 @@ SRCS+= ScriptedProcess.cpp \ .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/mach-core .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/minidump .PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/scripted +.PATH: ${.CURDIR}/../../../llvm/lldb/source/Plugins/Process/OpenBSDKernel install: @# Nothing here so far ... diff --git a/gnu/usr.bin/clang/lldb/Makefile b/gnu/usr.bin/clang/lldb/Makefile index 31a1ffc7b..9afc1efa7 100644 --- a/gnu/usr.bin/clang/lldb/Makefile +++ b/gnu/usr.bin/clang/lldb/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.16 2024/02/08 20:28:54 miod Exp $ +# $OpenBSD: Makefile,v 1.17 2024/07/13 07:25:38 asou Exp $ .include @@ -10,7 +10,7 @@ SRCS= Driver.cpp \ Platform.cpp \ Version.cpp -LDADD+= -lcurses -ledit -lpanel +LDADD+= -lcurses -ledit -lpanel -lkvm CPPFLAGS+= ${LLDB_INCLUDES} CPPFLAGS+= ${CLANG_INCLUDES} diff --git a/lib/libc/gen/signal.3 b/lib/libc/gen/signal.3 index 52de1a738..a3c4f065c 100644 --- a/lib/libc/gen/signal.3 +++ b/lib/libc/gen/signal.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: signal.3,v 1.57 2022/10/13 21:37:05 jmc Exp $ +.\" $OpenBSD: signal.3,v 1.58 2024/07/12 11:01:40 deraadt Exp $ .\" .\" Copyright (c) 1980, 1991, 1993 .\" The Regents of the University of California. All rights reserved. 
@@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: October 13 2022 $ +.Dd $Mdocdate: July 12 2024 $ .Dt SIGNAL 3 .Os .Sh NAME @@ -240,10 +240,22 @@ function; other ignored signals remain ignored. .Pp -The following functions are either reentrant or not interruptible -by signals and are async-signal-safe. -Therefore applications may -invoke them, without restriction, from signal-catching functions: +Signal handlers should be as minimal as possible, and use only signal-safe +operations. +The safest handlers only change a single variable of type +.Va volatile sig_atomic_t , +which is inspected by an event loop. +Other variables accessed inside the handler must be either const, or +local to the handler. +More complicated global variables (such as strings, structs, or lists) +will require external methods to gaurantee consistancy, such as +signal-blocking with +.Xr sigprocmask 2 . +.Pp +More complicated handlers must restrict themselves to calling only the following +list of signal-safe functions directly. +Avoid abstracting the work to helper functions which are also called from +other contexts because future coders will forget the signal-safe requirement. .Pp Standard Interfaces: .Pp 
@@ -418,21 +430,9 @@ Extension Interfaces: .Fn wait3 , .Fn wait4 . .Pp -In addition, access and updates to +Since signal-safe functions can encounter system call errors, .Va errno -are guaranteed to be safe. -Most functions not in the above lists are considered to be unsafe -with respect to signals. -That is to say, the behaviour of such functions when called from -a signal handler is undefined. -In general though, signal handlers should do little more than set a -flag, ideally of type volatile sig_atomic_t; most other actions are not safe. -.Pp -Additionally, it is advised that signal handlers guard against -modification of the external symbol -.Va errno -by the above functions, saving it at entry and restoring -it on return, thus: +should be protected inside the handler with the following pattern: .Bd -literal -offset indent void handler(int sig) @@ -444,10 +444,12 @@ handler(int sig) } .Ed .Pp -The functions below are async-signal-safe in -.Ox -except when used with floating-point arguments or directives, -but are probably unsafe on other systems: +On +.Ox , +a few more functions are signal-safe (except when the format string contains +floating-point arguments). +These functions are expected to be unsafe on other systems, so be very cautious of +the portability trap! .Pp .Bl -tag -offset indent -compact -width foofoofoofoo .It Fn dprintf diff --git a/lib/libc/sys/sigaction.2 b/lib/libc/sys/sigaction.2 index 7e821468c..edcd3e3ee 100644 --- a/lib/libc/sys/sigaction.2 +++ b/lib/libc/sys/sigaction.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sigaction.2,v 1.77 2022/10/13 21:37:05 jmc Exp $ +.\" $OpenBSD: sigaction.2,v 1.78 2024/07/12 11:01:40 deraadt Exp $ .\" $NetBSD: sigaction.2,v 1.7 1995/10/12 15:41:16 jtc Exp $ .\" .\" Copyright (c) 1980, 1990, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)sigaction.2 8.2 (Berkeley) 4/3/94 .\" -.Dd $Mdocdate: October 13 2022 $ +.Dd $Mdocdate: July 12 2024 $ .Dt SIGACTION 2 .Os .Sh NAME 
@@ -471,10 +471,22 @@ and other signal interfaces may reject attempts to use or alter the handling of .Dv SIGTHR . .Pp -The following functions are either reentrant or not interruptible -by signals and are async-signal-safe. -Therefore applications may -invoke them, without restriction, from signal-catching functions: +Signal handlers should be as minimal as possible, and use only signal-safe +operations. +The safest handlers only change a single variable of type +.Va volatile sig_atomic_t , +which is inspected by an event loop. +Other variables accessed inside the handler must be either const, or +local to the handler. +More complicated global variables (such as strings, structs, or lists) +will require external methods to gaurantee consistancy, such as +signal-blocking with +.Xr sigprocmask 2 . +.Pp +More complicated handlers must restrict themselves to calling only the following +list of signal-safe functions directly. +Avoid abstracting the work to helper functions which are also called from +other contexts because future coders will forget the signal-safe requirement. .Pp Standard Interfaces: .Pp @@ -649,21 +661,9 @@ Extension Interfaces: .Fn wait3 , .Fn wait4 . .Pp -In addition, access and updates to +Since signal-safe functions can encounter system call errors, .Va errno -are guaranteed to be safe. -Most functions not in the above lists are considered to be unsafe -with respect to signals. -That is to say, the behaviour of such functions when called from -a signal handler is undefined. -In general though, signal handlers should do little more than set a -flag, ideally of type volatile sig_atomic_t; most other actions are not safe. -.Pp -Additionally, it is advised that signal handlers guard against -modification of the external symbol -.Va errno -by the above functions, saving it at entry and restoring -it on return, thus: +should be protected inside the handler with the following pattern: .Bd -literal -offset indent void handler(int sig) 
@@ -675,10 +675,12 @@ handler(int sig) } .Ed .Pp -The functions below are async-signal-safe in -.Ox -except when used with floating-point arguments or directives, -but are probably unsafe on other systems: +On +.Ox , +a few more functions are signal-safe (except when the format string contains +floating-point arguments). +These functions are expected to be unsafe on other systems, so be very cautious of +the portability trap! .Pp .Bl -tag -offset indent -compact -width foofoofoofoo .It Fn dprintf diff --git a/lib/libcrypto/ct/ct_x509v3.c b/lib/libcrypto/ct/ct_x509v3.c index 59f2975cd..b14ffc953 100644 --- a/lib/libcrypto/ct/ct_x509v3.c +++ b/lib/libcrypto/ct/ct_x509v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */ +/* $OpenBSD: ct_x509v3.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */ /* * Written by Rob Stradling (rob@comodo.com) and Stephen Henson * (steve@openssl.org) for the OpenSSL project 2014. 
@@ -128,59 +128,74 @@ ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) return s; } -/* Handlers for X509v3/OCSP Certificate Transparency extensions */ -const X509V3_EXT_METHOD v3_ct_scts[3] = { - /* X509v3 extension in certificates that contains SCTs */ - [0] = { - .ext_nid = NID_ct_precert_scts, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, - .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST, - .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, - .r2i = NULL, - .usr_data = NULL, - }, - - /* X509v3 extension to mark a certificate as a pre-certificate */ - [1] = { - .ext_nid = NID_ct_precert_poison, - .ext_flags = 0, - .it = &ASN1_NULL_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = i2s_poison, - .s2i = s2i_poison, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - - /* OCSP extension that contains SCTs */ - [2] = { - .ext_nid = NID_ct_cert_scts, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, - .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST, - .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, - .r2i = NULL, - .usr_data = NULL, - }, +/* X509v3 extension in certificates that contains SCTs */ +static const X509V3_EXT_METHOD x509v3_ext_ct_precert_scts = { + .ext_nid = NID_ct_precert_scts, + .ext_flags = 0, + .it = NULL, + .ext_new = NULL, + .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, + .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST, + .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = NULL, + .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, + .r2i = NULL, + .usr_data = NULL, }; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_precert_scts(void) +{ + return &x509v3_ext_ct_precert_scts; 
+} + +/* X509v3 extension to mark a certificate as a pre-certificate */ +static const X509V3_EXT_METHOD x509v3_ext_ct_precert_poison = { + .ext_nid = NID_ct_precert_poison, + .ext_flags = 0, + .it = &ASN1_NULL_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = i2s_poison, + .s2i = s2i_poison, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_precert_poison(void) +{ + return &x509v3_ext_ct_precert_poison; +} + +/* OCSP extension that contains SCTs */ +static const X509V3_EXT_METHOD x509v3_ext_ct_cert_scts = { + .ext_nid = NID_ct_cert_scts, + .ext_flags = 0, + .it = NULL, + .ext_new = NULL, + .ext_free = (X509V3_EXT_FREE)SCT_LIST_free, + .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST, + .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = NULL, + .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_ct_cert_scts(void) +{ + return &x509v3_ext_ct_cert_scts; +} diff --git a/lib/libcrypto/hidden/crypto_namespace.h b/lib/libcrypto/hidden/crypto_namespace.h index 3aec62f1f..741ad0854 100644 --- a/lib/libcrypto/hidden/crypto_namespace.h +++ b/lib/libcrypto/hidden/crypto_namespace.h @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto_namespace.h,v 1.3 2024/03/30 10:09:43 tb Exp $ */ +/* $OpenBSD: crypto_namespace.h,v 1.4 2024/07/11 21:31:52 miod Exp $ */ /* * Copyright (c) 2016 Philip Guenther * @@ -31,7 +31,11 @@ typeof(x) x asm("_lcry_"#x) # define LCRYPTO_USED(x) __attribute__((visibility("hidden"))) \ typeof(x) x asm("_lcry_"#x) +# if defined(__hppa__) +# define LCRYPTO_ALIAS1(pre,x) asm("! .global "#pre#x" ! .set "#pre#x", _lcry_"#x) +#else # define LCRYPTO_ALIAS1(pre,x) asm(".global "#pre#x"; "#pre#x" = _lcry_"#x) +#endif # define LCRYPTO_ALIAS(x) LCRYPTO_ALIAS1(,x); LCRYPTO_ALIAS1(_libre_,x) #else # define LCRYPTO_UNUSED(x) typeof(x) x __attribute__((deprecated)) 
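Review bot: The three rebuilt method tables in ct_x509v3.c keep the function-pointer casts `(X509V3_EXT_FREE)SCT_LIST_free`, `(X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST`, `(X509V3_EXT_I2D)i2d_SCT_LIST` and `(X509V3_EXT_I2R)i2r_SCT_LIST`, so the extension dispatcher calls these functions through a pointer of a different type; that is undefined behaviour in C and is what a CFI-enabled build rejects at the call site. The casts are carried over from the old `v3_ct_scts` array rather than introduced here, but since the tables are being rewritten anyway, thin static wrappers with the exact `X509V3_EXT_*` signatures would let them go; the same pattern recurs in the x509_alt.c hunk with `(X509V3_EXT_I2V)i2v_GENERAL_NAMES` and `(X509V3_EXT_V2I)v2i_subject_alt`. The sketch below shows the shape for `ext_free` only; the d2i/i2d/i2r wrappers follow the same pattern with their own typedef's parameter list.
```c
/* Wrapper with the exact X509V3_EXT_FREE signature, so no cast is needed. */
static void
ct_sct_list_free(void *sct_list)
{
	SCT_LIST_free(sct_list);
}

/* … unchanged: other fields of x509v3_ext_ct_precert_scts … */
	.ext_free = ct_sct_list_free,
```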
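Review bot: The new `# if defined(__hppa__)` block in crypto_namespace.h closes with `#else` and `#endif` spelled exactly like the enclosing `#else` a few lines below, so the two nesting levels are hard to tell apart when reading the macro block. Indenting the inner directives one more level (`#  if`, `#  else`, `#  endif`) or tagging the close as `#endif /* __hppa__ */` keeps the nesting readable. The hppa variant also swaps the `;` separator and the `=` assignment of the generic form for `!` and `.set`, which appears to be an assembler-syntax difference; a one-line comment such as `/* hppa gas: '!' separates statements, '.set' defines the alias */` would save the next reader a trip to the assembler manual.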
diff --git a/lib/libcrypto/ocsp/ocsp_vfy.c b/lib/libcrypto/ocsp/ocsp_vfy.c index d197fe4ea..27d2283ea 100644 --- a/lib/libcrypto/ocsp/ocsp_vfy.c +++ b/lib/libcrypto/ocsp/ocsp_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_vfy.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */ +/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -168,8 +168,8 @@ OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, goto end; x = sk_X509_value(chain, sk_X509_num(chain) - 1); - if (X509_check_trust(x, NID_OCSP_sign, 0) != - X509_TRUST_TRUSTED) { + if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) != + X509_TRUST_TRUSTED) { OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED); goto end; } diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 864b7bbf3..2208cc434 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.92 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -1714,7 +1714,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, /* * OpenSSL dispatch */ -const X509V3_EXT_METHOD v3_addr = { +static const X509V3_EXT_METHOD x509v3_ext_sbgp_ipAddrBlock = { .ext_nid = NID_sbgp_ipAddrBlock, .ext_flags = 0, .it = &IPAddrBlocks_it, @@ -1731,6 +1731,12 @@ const X509V3_EXT_METHOD v3_addr = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sbgp_ipAddrBlock(void) +{ + return &x509v3_ext_sbgp_ipAddrBlock; +} + /* * Figure out whether extension uses inheritance. */ diff --git a/lib/libcrypto/x509/x509_akey.c b/lib/libcrypto/x509/x509_akey.c index f8c711335..b052d9598 100644 --- a/lib/libcrypto/x509/x509_akey.c +++ b/lib/libcrypto/x509/x509_akey.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_akey.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_akey_id = { +static const X509V3_EXT_METHOD x509v3_ext_authority_key_identifier = { .ext_nid = NID_authority_key_identifier, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_KEYID_it, @@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_akey_id = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_authority_key_identifier(void) +{ + return &x509v3_ext_authority_key_identifier; +} + static STACK_OF(CONF_VALUE) * i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) diff --git a/lib/libcrypto/x509/x509_alt.c b/lib/libcrypto/x509/x509_alt.c index 59fa39fa6..8981e4c4f 100644 --- a/lib/libcrypto/x509/x509_alt.c +++ b/lib/libcrypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_alt.c,v 1.16 2023/08/30 00:49:32 tb Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.17 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -74,57 +74,75 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx); static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx); -const X509V3_EXT_METHOD v3_alt[] = { - { - .ext_nid = NID_subject_alt_name, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = (X509V3_EXT_V2I)v2i_subject_alt, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_issuer_alt_name, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = (X509V3_EXT_V2I)v2i_issuer_alt, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_certificate_issuer, - .ext_flags = 0, - .it = &GENERAL_NAMES_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, +static const X509V3_EXT_METHOD x509v3_ext_subject_alt_name = { + .ext_nid = NID_subject_alt_name, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = (X509V3_EXT_V2I)v2i_subject_alt, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_subject_alt_name(void) +{ + return &x509v3_ext_subject_alt_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_issuer_alt_name = { + .ext_nid = NID_issuer_alt_name, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = 
(X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = (X509V3_EXT_V2I)v2i_issuer_alt, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_issuer_alt_name(void) +{ + return &x509v3_ext_issuer_alt_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_certificate_issuer = { + .ext_nid = NID_certificate_issuer, + .ext_flags = 0, + .it = &GENERAL_NAMES_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_certificate_issuer(void) +{ + return &x509v3_ext_certificate_issuer; +} + STACK_OF(CONF_VALUE) * i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c index e3af67320..40ee201a9 100644 --- a/lib/libcrypto/x509/x509_asid.c +++ b/lib/libcrypto/x509/x509_asid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_asid.c,v 1.44 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -946,7 +946,7 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, /* * OpenSSL dispatch. */ -const X509V3_EXT_METHOD v3_asid = { +static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = { .ext_nid = NID_sbgp_autonomousSysNum, .ext_flags = 0, .it = &ASIdentifiers_it, @@ -963,6 +963,12 @@ const X509V3_EXT_METHOD v3_asid = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sbgp_autonomousSysNum(void) +{ + return &x509v3_ext_sbgp_autonomousSysNum; +} + /* * Figure out whether extension uses inheritance. */ diff --git a/lib/libcrypto/x509/x509_bcons.c b/lib/libcrypto/x509/x509_bcons.c index 7ad65231e..e44ff4d1c 100644 --- a/lib/libcrypto/x509/x509_bcons.c 
+++ b/lib/libcrypto/x509/x509_bcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_bcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_bcons = { +static const X509V3_EXT_METHOD x509v3_ext_basic_constraints = { .ext_nid = NID_basic_constraints, .ext_flags = 0, .it = &BASIC_CONSTRAINTS_it, @@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_bcons = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_basic_constraints(void) +{ + return &x509v3_ext_basic_constraints; +} + static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = { { .flags = ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_bitst.c b/lib/libcrypto/x509/x509_bitst.c index 4c36d31b0..0328310f0 100644 --- a/lib/libcrypto/x509/x509_bitst.c +++ b/lib/libcrypto/x509/x509_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -102,7 +102,7 @@ static BIT_STRING_BITNAME crl_reasons[] = { {-1, NULL, NULL} }; -const X509V3_EXT_METHOD v3_nscert = { +static const X509V3_EXT_METHOD x509v3_ext_netscape_cert_type = { .ext_nid = NID_netscape_cert_type, .ext_flags = 0, .it = &ASN1_BIT_STRING_it, 
@@ -119,7 +119,13 @@ const X509V3_EXT_METHOD v3_nscert = { .usr_data = ns_cert_type_table, }; -const X509V3_EXT_METHOD v3_key_usage = { +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_cert_type(void) +{ + return &x509v3_ext_netscape_cert_type; +} + +static const X509V3_EXT_METHOD x509v3_ext_key_usage = { .ext_nid = NID_key_usage, .ext_flags = 0, .it = &ASN1_BIT_STRING_it, @@ -136,7 +142,13 @@ const X509V3_EXT_METHOD v3_key_usage = { .usr_data = key_usage_type_table, }; -const X509V3_EXT_METHOD v3_crl_reason = { +const X509V3_EXT_METHOD * +x509v3_ext_method_key_usage(void) +{ + return &x509v3_ext_key_usage; +} + +static const X509V3_EXT_METHOD x509v3_ext_crl_reason = { .ext_nid = NID_crl_reason, .ext_flags = 0, .it = &ASN1_ENUMERATED_it, @@ -153,6 +165,12 @@ const X509V3_EXT_METHOD v3_crl_reason = { .usr_data = crl_reasons, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_reason(void) +{ + return &x509v3_ext_crl_reason; +} + STACK_OF(CONF_VALUE) * i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c index 34c9345a4..7a701ea65 100644 --- a/lib/libcrypto/x509/x509_cpols.c +++ b/lib/libcrypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.12 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.13 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -82,7 +82,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org); static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); -const X509V3_EXT_METHOD v3_cpols = { +static const X509V3_EXT_METHOD x509v3_ext_certificate_policies = { .ext_nid = NID_certificate_policies, .ext_flags = 0, .it = &CERTIFICATEPOLICIES_it, 
@@ -99,6 +99,12 @@ const X509V3_EXT_METHOD v3_cpols = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_certificate_policies(void) +{ + return &x509v3_ext_certificate_policies; +} + static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, .tag = 0, diff --git a/lib/libcrypto/x509/x509_crld.c b/lib/libcrypto/x509/x509_crld.c index dfb5d27f6..e9252a247 100644 --- a/lib/libcrypto/x509/x509_crld.c +++ b/lib/libcrypto/x509/x509_crld.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_crld.c,v 1.6 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_crld.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -72,7 +72,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method, static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent); -const X509V3_EXT_METHOD v3_crld = { +static const X509V3_EXT_METHOD x509v3_ext_crl_distribution_points = { .ext_nid = NID_crl_distribution_points, .ext_flags = 0, .it = &CRL_DIST_POINTS_it, @@ -89,7 +89,13 @@ const X509V3_EXT_METHOD v3_crld = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_freshest_crl = { +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_distribution_points(void) +{ + return &x509v3_ext_crl_distribution_points; +} + +static const X509V3_EXT_METHOD x509v3_ext_freshest_crl = { .ext_nid = NID_freshest_crl, .ext_flags = 0, .it = &CRL_DIST_POINTS_it, @@ -106,6 +112,12 @@ const X509V3_EXT_METHOD v3_freshest_crl = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_freshest_crl(void) +{ + return &x509v3_ext_freshest_crl; +} + static STACK_OF(GENERAL_NAME) * gnames_from_sectname(X509V3_CTX *ctx, char *sect) { 
@@ -655,17 +667,29 @@ static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -const X509V3_EXT_METHOD v3_idp = { - NID_issuing_distribution_point, X509V3_EXT_MULTILINE, - &ISSUING_DIST_POINT_it, - 0, 0, 0, 0, - 0, 0, - 0, - v2i_idp, - i2r_idp, 0, - NULL +static const X509V3_EXT_METHOD x509v3_ext_issuing_distribution_point = { + .ext_nid = NID_issuing_distribution_point, + .ext_flags = X509V3_EXT_MULTILINE, + .it = &ISSUING_DIST_POINT_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = NULL, + .s2i = NULL, + .i2v = NULL, + .v2i = v2i_idp, + .i2r = i2r_idp, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_issuing_distribution_point(void) +{ + return &x509v3_ext_issuing_distribution_point; +} + static void * v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) diff --git a/lib/libcrypto/x509/x509_extku.c b/lib/libcrypto/x509/x509_extku.c index f0f8d44aa..6a69adabc 100644 --- a/lib/libcrypto/x509/x509_extku.c +++ b/lib/libcrypto/x509/x509_extku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_extku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_extku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE( const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist); -const X509V3_EXT_METHOD v3_ext_ku = { +static const X509V3_EXT_METHOD x509v3_ext_ext_key_usage = { .ext_nid = NID_ext_key_usage, .ext_flags = 0, .it = &EXTENDED_KEY_USAGE_it, 
@@ -85,8 +85,14 @@ const X509V3_EXT_METHOD v3_ext_ku = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_ext_key_usage(void) +{ + return &x509v3_ext_ext_key_usage; +} + /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ -const X509V3_EXT_METHOD v3_ocsp_accresp = { +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_acceptableResponses = { .ext_nid = NID_id_pkix_OCSP_acceptableResponses, .ext_flags = 0, .it = &EXTENDED_KEY_USAGE_it, @@ -103,6 +109,12 @@ const X509V3_EXT_METHOD v3_ocsp_accresp = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void) +{ + return &x509v3_ext_id_pkix_OCSP_acceptableResponses; +} + static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, .tag = 0, diff --git a/lib/libcrypto/x509/x509_ia5.c b/lib/libcrypto/x509/x509_ia5.c index 4113c3d3b..4f62a9134 100644 --- a/lib/libcrypto/x509/x509_ia5.c +++ b/lib/libcrypto/x509/x509_ia5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -68,137 +68,167 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_ns_ia5_list[] = { - { - .ext_nid = NID_netscape_base_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_revocation_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ca_revocation_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_renewal_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ca_policy_url, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_ssl_server_name, - .ext_flags = 0, - .it = 
&ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = NID_netscape_comment, - .ext_flags = 0, - .it = &ASN1_IA5STRING_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, - .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, - { - .ext_nid = -1, - .ext_flags = 0, - .it = NULL, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = NULL, - }, +static const X509V3_EXT_METHOD x509v3_ext_netscape_base_url = { + .ext_nid = NID_netscape_base_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_base_url(void) +{ + return &x509v3_ext_netscape_base_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_revocation_url = { + .ext_nid = NID_netscape_revocation_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_revocation_url(void) +{ + return &x509v3_ext_netscape_revocation_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_revocation_url = { + .ext_nid = NID_netscape_ca_revocation_url, + 
.ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ca_revocation_url(void) +{ + return &x509v3_ext_netscape_ca_revocation_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_renewal_url = { + .ext_nid = NID_netscape_renewal_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_renewal_url(void) +{ + return &x509v3_ext_netscape_renewal_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_policy_url = { + .ext_nid = NID_netscape_ca_policy_url, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ca_policy_url(void) +{ + return &x509v3_ext_netscape_ca_policy_url; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_ssl_server_name = { + .ext_nid = NID_netscape_ssl_server_name, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_ssl_server_name(void) +{ + return 
&x509v3_ext_netscape_ssl_server_name; +} + +static const X509V3_EXT_METHOD x509v3_ext_netscape_comment = { + .ext_nid = NID_netscape_comment, + .ext_flags = 0, + .it = &ASN1_IA5STRING_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, + .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, +}; + +const X509V3_EXT_METHOD * +x509v3_ext_method_netscape_comment(void) +{ + return &x509v3_ext_netscape_comment; +} + static char * i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5) { diff --git a/lib/libcrypto/x509/x509_info.c b/lib/libcrypto/x509/x509_info.c index 9372b066a..d1de346ee 100644 --- a/lib/libcrypto/x509/x509_info.c +++ b/lib/libcrypto/x509/x509_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_info.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -71,7 +71,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS( static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS( X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -const X509V3_EXT_METHOD v3_info = { +static const X509V3_EXT_METHOD x509v3_ext_info_access = { .ext_nid = NID_info_access, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_INFO_ACCESS_it, @@ -88,7 +88,13 @@ const X509V3_EXT_METHOD v3_info = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_sinfo = { +const X509V3_EXT_METHOD * +x509v3_ext_method_info_access(void) +{ + return &x509v3_ext_info_access; +} + +static const X509V3_EXT_METHOD x509v3_ext_sinfo_access = { .ext_nid = NID_sinfo_access, .ext_flags = X509V3_EXT_MULTILINE, .it = &AUTHORITY_INFO_ACCESS_it, 
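Review bot: The seven new tables in this hunk, x509v3_ext_netscape_base_url through x509v3_ext_netscape_comment, are identical apart from `.ext_nid`, so any later change to the shared fields (the `(X509V3_EXT_I2S)`/`(X509V3_EXT_S2I)` casts, `.it`, `.ext_flags`) has to be repeated seven times. A file-local macro that expands to the full designated initializer for a given NID would keep the one-table-per-NID layout and the one-line accessors the commit is after without the duplication; a macro definition would run longer than three lines, so I describe it rather than quote it. Dropping the old `.ext_nid = -1` terminator entry is consistent with the X509V3_EXT_get_nid() rewrite elsewhere in this commit, since nothing iterates the tables any more. The hunk ends in the context lines of i2s_ASN1_IA5STRING(), whose body is outside it.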
@@ -105,6 +111,12 @@ const X509V3_EXT_METHOD v3_sinfo = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_sinfo_access(void) +{ + return &x509v3_ext_sinfo_access; +} + static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_int.c b/lib/libcrypto/x509/x509_int.c index 35c8853c1..2236bfe4c 100644 --- a/lib/libcrypto/x509/x509_int.c +++ b/lib/libcrypto/x509/x509_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_int.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -60,7 +60,7 @@ #include -const X509V3_EXT_METHOD v3_crl_num = { +static const X509V3_EXT_METHOD x509v3_ext_crl_number = { .ext_nid = NID_crl_number, .ext_flags = 0, .it = &ASN1_INTEGER_it, @@ -77,7 +77,13 @@ const X509V3_EXT_METHOD v3_crl_num = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_delta_crl = { +const X509V3_EXT_METHOD * +x509v3_ext_method_crl_number(void) +{ + return &x509v3_ext_crl_number; +} + +static const X509V3_EXT_METHOD x509v3_ext_delta_crl = { .ext_nid = NID_delta_crl, .ext_flags = 0, .it = &ASN1_INTEGER_it, 
@@ -94,17 +100,37 @@ const X509V3_EXT_METHOD v3_delta_crl = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_delta_crl(void) +{ + return &x509v3_ext_delta_crl; +} + static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) { return s2i_ASN1_INTEGER(meth, value); } -const X509V3_EXT_METHOD v3_inhibit_anyp = { - NID_inhibit_any_policy, 0, &ASN1_INTEGER_it, - 0, 0, 0, 0, - (X509V3_EXT_I2S)i2s_ASN1_INTEGER, - (X509V3_EXT_S2I)s2i_asn1_int, - 0, 0, 0, 0, - NULL +static const X509V3_EXT_METHOD x509v3_ext_inhibit_any_policy = { + .ext_nid = NID_inhibit_any_policy, + .ext_flags = 0, + .it = &ASN1_INTEGER_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + .s2i = (X509V3_EXT_S2I)s2i_asn1_int, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = NULL, }; + +const X509V3_EXT_METHOD * +x509v3_ext_method_inhibit_any_policy(void) +{ + return &x509v3_ext_inhibit_any_policy; +} diff --git a/lib/libcrypto/x509/x509_lib.c b/lib/libcrypto/x509/x509_lib.c index 8382babbd..6fa66ab88 100644 --- a/lib/libcrypto/x509/x509_lib.c +++ b/lib/libcrypto/x509/x509_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */ +/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -65,89 +65,104 @@ #include "x509_local.h" -extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; -extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo; -extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; -extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; -extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; -extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern const X509V3_EXT_METHOD v3_crl_hold; -extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern const X509V3_EXT_METHOD v3_addr, v3_asid; -extern const X509V3_EXT_METHOD v3_ct_scts[3]; - -static const X509V3_EXT_METHOD *standard_exts[] = { - &v3_nscert, - &v3_ns_ia5_list[0], - &v3_ns_ia5_list[1], - &v3_ns_ia5_list[2], - &v3_ns_ia5_list[3], - &v3_ns_ia5_list[4], - &v3_ns_ia5_list[5], - &v3_ns_ia5_list[6], - &v3_skey_id, - &v3_key_usage, - &v3_pkey_usage_period, - &v3_alt[0], - &v3_alt[1], - &v3_bcons, - &v3_crl_num, - &v3_cpols, - &v3_akey_id, - &v3_crld, - &v3_ext_ku, - &v3_delta_crl, - &v3_crl_reason, -#ifndef OPENSSL_NO_OCSP - &v3_crl_invdate, -#endif - &v3_info, -#ifndef OPENSSL_NO_RFC3779 - &v3_addr, - &v3_asid, -#endif -#ifndef OPENSSL_NO_OCSP - &v3_ocsp_nonce, - &v3_ocsp_crlid, - &v3_ocsp_accresp, - &v3_ocsp_nocheck, - &v3_ocsp_acutoff, - &v3_ocsp_serviceloc, -#endif - &v3_sinfo, - &v3_policy_constraints, -#ifndef OPENSSL_NO_OCSP - &v3_crl_hold, -#endif - &v3_name_constraints, - &v3_policy_mappings, - &v3_inhibit_anyp, - &v3_idp, - &v3_alt[2], - &v3_freshest_crl, -#ifndef OPENSSL_NO_CT - &v3_ct_scts[0], - &v3_ct_scts[1], - &v3_ct_scts[2], -#endif -}; - -#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0])) - const X509V3_EXT_METHOD 
* X509V3_EXT_get_nid(int nid) { - size_t i; - - for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) { - if (standard_exts[i]->ext_nid == nid) - return standard_exts[i]; + switch (nid) { + case NID_authority_key_identifier: + return x509v3_ext_method_authority_key_identifier(); + case NID_basic_constraints: + return x509v3_ext_method_basic_constraints(); + case NID_certificate_issuer: + return x509v3_ext_method_certificate_issuer(); + case NID_certificate_policies: + return x509v3_ext_method_certificate_policies(); + case NID_crl_distribution_points: + return x509v3_ext_method_crl_distribution_points(); + case NID_crl_number: + return x509v3_ext_method_crl_number(); + case NID_crl_reason: + return x509v3_ext_method_crl_reason(); +#ifndef OPENSSL_NO_CT + case NID_ct_cert_scts: + return x509v3_ext_method_ct_cert_scts(); + case NID_ct_precert_poison: + return x509v3_ext_method_ct_precert_poison(); + case NID_ct_precert_scts: + return x509v3_ext_method_ct_precert_scts(); +#endif + case NID_delta_crl: + return x509v3_ext_method_delta_crl(); + case NID_ext_key_usage: + return x509v3_ext_method_ext_key_usage(); + case NID_freshest_crl: + return x509v3_ext_method_freshest_crl(); +#ifndef OPENSSL_NO_OCSP + case NID_hold_instruction_code: + return x509v3_ext_method_hold_instruction_code(); + case NID_id_pkix_OCSP_CrlID: + return x509v3_ext_method_id_pkix_OCSP_CrlID(); + case NID_id_pkix_OCSP_Nonce: + return x509v3_ext_method_id_pkix_OCSP_Nonce(); + case NID_id_pkix_OCSP_acceptableResponses: + return x509v3_ext_method_id_pkix_OCSP_acceptableResponses(); + case NID_id_pkix_OCSP_archiveCutoff: + return x509v3_ext_method_id_pkix_OCSP_archiveCutoff(); + case NID_id_pkix_OCSP_serviceLocator: + return x509v3_ext_method_id_pkix_OCSP_serviceLocator(); +#endif + case NID_info_access: + return x509v3_ext_method_info_access(); + case NID_inhibit_any_policy: + return x509v3_ext_method_inhibit_any_policy(); + case NID_invalidity_date: + return x509v3_ext_method_invalidity_date(); + case 
NID_issuer_alt_name: + return x509v3_ext_method_issuer_alt_name(); + case NID_issuing_distribution_point: + return x509v3_ext_method_issuing_distribution_point(); + case NID_key_usage: + return x509v3_ext_method_key_usage(); + case NID_name_constraints: + return x509v3_ext_method_name_constraints(); + case NID_netscape_base_url: + return x509v3_ext_method_netscape_base_url(); + case NID_netscape_ca_policy_url: + return x509v3_ext_method_netscape_ca_policy_url(); + case NID_netscape_ca_revocation_url: + return x509v3_ext_method_netscape_ca_revocation_url(); + case NID_netscape_cert_type: + return x509v3_ext_method_netscape_cert_type(); + case NID_netscape_comment: + return x509v3_ext_method_netscape_comment(); + case NID_netscape_renewal_url: + return x509v3_ext_method_netscape_renewal_url(); + case NID_netscape_revocation_url: + return x509v3_ext_method_netscape_revocation_url(); + case NID_netscape_ssl_server_name: + return x509v3_ext_method_netscape_ssl_server_name(); + case NID_policy_constraints: + return x509v3_ext_method_policy_constraints(); + case NID_policy_mappings: + return x509v3_ext_method_policy_mappings(); + case NID_private_key_usage_period: + return x509v3_ext_method_private_key_usage_period(); +#ifndef OPENSSL_NO_RFC3779 + case NID_sbgp_ipAddrBlock: + return x509v3_ext_method_sbgp_ipAddrBlock(); + case NID_sbgp_autonomousSysNum: + return x509v3_ext_method_sbgp_autonomousSysNum(); +#endif + case NID_sinfo_access: + return x509v3_ext_method_sinfo_access(); + case NID_subject_alt_name: + return x509v3_ext_method_subject_alt_name(); + case NID_subject_key_identifier: + return x509v3_ext_method_subject_key_identifier(); + default: + return NULL; } - - return NULL; -} +}; LCRYPTO_ALIAS(X509V3_EXT_get_nid); const X509V3_EXT_METHOD * diff --git a/lib/libcrypto/x509/x509_local.h b/lib/libcrypto/x509/x509_local.h index 5b74b0d1b..81a237d86 100644 --- a/lib/libcrypto/x509/x509_local.h +++ b/lib/libcrypto/x509/x509_local.h 
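Review bot: NID_id_pkix_OCSP_noCheck has no case in the new switch in X509V3_EXT_get_nid(), although the removed standard_exts[] table registered `&v3_ocsp_nocheck` under `#ifndef OPENSSL_NO_OCSP`; x509_ocsp.c in this commit still defines the table and the accessor x509v3_ext_method_id_pkix_OCSP_noCheck(), but the x509_local.h hunk does not declare it, so the extension silently becomes unknown to the method lookup (X509V3_EXT_d2i, printing and config-driven creation fall back to their unknown-extension paths; the callers are not in this chunk, so the wider impact is inferred). Add `case NID_id_pkix_OCSP_noCheck: return x509v3_ext_method_id_pkix_OCSP_noCheck();` inside the OPENSSL_NO_OCSP block, and the matching prototype `const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_noCheck(void);` to the x509_local.h hunk. Separately, the closing brace of the function gained a stray semicolon (`+};` replacing the removed `}`), which is an empty file-scope declaration; write `}`.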
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_local.h,v 1.24 2024/04/08 23:46:21 beck Exp $ */ +/* $OpenBSD: x509_local.h,v 1.26 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2013. */ @@ -71,6 +71,14 @@ __BEGIN_HIDDEN_DECLS #define X509_CRL_HASH_EVP EVP_sha512() #define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH +/* + * Used internally instead of the confusing X509_TRUST_DEFAULT, + * which is not the default for X509_check_trust. + * XXX Make X509_check_trust internal, and move the other + * X509_TRUST values here to clean up this mess. + */ +#define X509_TRUST_ACCEPT_ALL -1 + struct X509_pubkey_st { X509_ALGOR *algor; ASN1_BIT_STRING *public_key; 
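Review bot: `#define X509_TRUST_ACCEPT_ALL -1` expands to an unparenthesized negative literal; in an expression such as `x - X509_TRUST_ACCEPT_ALL` it becomes `x - -1`, which parses but is easy to misread. Prefer `#define X509_TRUST_ACCEPT_ALL (-1)`. The comment already explains why the value exists; it could also note that -1 is presumably chosen because it lies outside X509_TRUST_MIN..X509_TRUST_MAX and so cannot collide with a registered trust id, which is the property the x509_trs.c changes in this commit appear to depend on.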
@@ -410,6 +418,49 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int X509_PURPOSE_get_by_id(int id); int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); +const X509V3_EXT_METHOD *x509v3_ext_method_authority_key_identifier(void); +const X509V3_EXT_METHOD *x509v3_ext_method_basic_constraints(void); +const X509V3_EXT_METHOD *x509v3_ext_method_certificate_issuer(void); +const X509V3_EXT_METHOD *x509v3_ext_method_certificate_policies(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_distribution_points(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_number(void); +const X509V3_EXT_METHOD *x509v3_ext_method_crl_reason(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_cert_scts(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_poison(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_scts(void); +const X509V3_EXT_METHOD *x509v3_ext_method_delta_crl(void); +const X509V3_EXT_METHOD *x509v3_ext_method_ext_key_usage(void); +const X509V3_EXT_METHOD *x509v3_ext_method_freshest_crl(void); +const X509V3_EXT_METHOD *x509v3_ext_method_hold_instruction_code(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_CrlID(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_Nonce(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void); +const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_serviceLocator(void); +const X509V3_EXT_METHOD *x509v3_ext_method_info_access(void); +const X509V3_EXT_METHOD *x509v3_ext_method_inhibit_any_policy(void); +const X509V3_EXT_METHOD *x509v3_ext_method_invalidity_date(void); +const X509V3_EXT_METHOD *x509v3_ext_method_issuer_alt_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_issuing_distribution_point(void); +const X509V3_EXT_METHOD *x509v3_ext_method_key_usage(void); +const X509V3_EXT_METHOD *x509v3_ext_method_name_constraints(void); +const 
X509V3_EXT_METHOD *x509v3_ext_method_netscape_base_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_policy_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_revocation_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_cert_type(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_comment(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_renewal_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_revocation_url(void); +const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ssl_server_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_policy_constraints(void); +const X509V3_EXT_METHOD *x509v3_ext_method_policy_mappings(void); +const X509V3_EXT_METHOD *x509v3_ext_method_private_key_usage_period(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_ipAddrBlock(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_autonomousSysNum(void); +const X509V3_EXT_METHOD *x509v3_ext_method_sinfo_access(void); +const X509V3_EXT_METHOD *x509v3_ext_method_subject_alt_name(void); +const X509V3_EXT_METHOD *x509v3_ext_method_subject_key_identifier(void); + __END_HIDDEN_DECLS #endif /* !HEADER_X509_LOCAL_H */ diff --git a/lib/libcrypto/x509/x509_ncons.c b/lib/libcrypto/x509/x509_ncons.c index f8c63886a..148a66e88 100644 --- a/lib/libcrypto/x509/x509_ncons.c +++ b/lib/libcrypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ncons.c,v 1.10 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -81,7 +81,7 @@ static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base); -const X509V3_EXT_METHOD v3_name_constraints = { +static const X509V3_EXT_METHOD x509v3_ext_name_constraints = { .ext_nid = NID_name_constraints, .ext_flags = 0, .it = &NAME_CONSTRAINTS_it, @@ -98,6 +98,12 @@ const X509V3_EXT_METHOD v3_name_constraints = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_name_constraints(void) +{ + return &x509v3_ext_name_constraints; +} + static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_ocsp.c b/lib/libcrypto/x509/x509_ocsp.c index cc55d9390..11d1a1c9c 100644 --- a/lib/libcrypto/x509/x509_ocsp.c +++ b/lib/libcrypto/x509/x509_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ocsp.c,v 1.2 2022/01/07 09:45:52 tb Exp $ */ +/* $OpenBSD: x509_ocsp.c,v 1.3 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -95,7 +95,7 @@ static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); -const X509V3_EXT_METHOD v3_ocsp_crlid = { +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_CrlID = { .ext_nid = NID_id_pkix_OCSP_CrlID, .ext_flags = 0, .it = &OCSP_CRLID_it, @@ -112,7 +112,13 @@ const X509V3_EXT_METHOD v3_ocsp_crlid = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_acutoff = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_CrlID(void) +{ + return &x509v3_ext_id_pkix_OCSP_CrlID; +} + +const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = { .ext_nid = NID_id_pkix_OCSP_archiveCutoff, .ext_flags = 0, .it = &ASN1_GENERALIZEDTIME_it, 
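Review bot: `+const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {` is missing `static`, unlike every other table this commit converts (the remaining ones in this file and those in x509_bcons.c, x509_bitst.c, x509_crld.c and the rest), so the object keeps external linkage even though the only intended access is now through x509v3_ext_method_id_pkix_OCSP_archiveCutoff(). It should read `static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {`. Without a declaration in any header, the symbol would also be reported by -Wmissing-variable-declarations if the tree builds with that warning.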
@@ -129,7 +135,13 @@ const X509V3_EXT_METHOD v3_ocsp_acutoff = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_crl_invdate = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void) +{ + return &x509v3_ext_id_pkix_OCSP_archiveCutoff; +} + +static const X509V3_EXT_METHOD x509v3_ext_invalidity_date = { .ext_nid = NID_invalidity_date, .ext_flags = 0, .it = &ASN1_GENERALIZEDTIME_it, @@ -146,7 +158,13 @@ const X509V3_EXT_METHOD v3_crl_invdate = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_crl_hold = { +const X509V3_EXT_METHOD * +x509v3_ext_method_invalidity_date(void) +{ + return &x509v3_ext_invalidity_date; +} + +static const X509V3_EXT_METHOD x509v3_ext_hold_instruction_code = { .ext_nid = NID_hold_instruction_code, .ext_flags = 0, .it = &ASN1_OBJECT_it, @@ -163,7 +181,13 @@ const X509V3_EXT_METHOD v3_crl_hold = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_nonce = { +const X509V3_EXT_METHOD * +x509v3_ext_method_hold_instruction_code(void) +{ + return &x509v3_ext_hold_instruction_code; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_Nonce = { .ext_nid = NID_id_pkix_OCSP_Nonce, .ext_flags = 0, .it = NULL, @@ -180,7 +204,13 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_nocheck = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_Nonce(void) +{ + return &x509v3_ext_id_pkix_OCSP_Nonce; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_noCheck = { .ext_nid = NID_id_pkix_OCSP_noCheck, .ext_flags = 0, .it = &ASN1_NULL_it, @@ -197,7 +227,13 @@ const X509V3_EXT_METHOD v3_ocsp_nocheck = { .usr_data = NULL, }; -const X509V3_EXT_METHOD v3_ocsp_serviceloc = { +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_noCheck(void) +{ + return &x509v3_ext_id_pkix_OCSP_noCheck; +} + +static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_serviceLocator = { .ext_nid = NID_id_pkix_OCSP_serviceLocator, .ext_flags = 0, .it = &OCSP_SERVICELOC_it, 
@@ -214,6 +250,12 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_id_pkix_OCSP_serviceLocator(void) +{ + return &x509v3_ext_id_pkix_OCSP_serviceLocator; +} + static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind) { diff --git a/lib/libcrypto/x509/x509_pcons.c b/lib/libcrypto/x509/x509_pcons.c index 8f2109eaa..d6ee9d7e2 100644 --- a/lib/libcrypto/x509/x509_pcons.c +++ b/lib/libcrypto/x509/x509_pcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -71,7 +71,7 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -const X509V3_EXT_METHOD v3_policy_constraints = { +static const X509V3_EXT_METHOD x509v3_ext_policy_constraints = { .ext_nid = NID_policy_constraints, .ext_flags = 0, .it = &POLICY_CONSTRAINTS_it, @@ -88,6 +88,12 @@ const X509V3_EXT_METHOD v3_policy_constraints = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_policy_constraints(void) +{ + return &x509v3_ext_policy_constraints; +} + static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = { { .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_pku.c b/lib/libcrypto/x509/x509_pku.c index 05c9ff243..6753f0f73 100644 --- a/lib/libcrypto/x509/x509_pku.c +++ b/lib/libcrypto/x509/x509_pku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -65,7 +65,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); -const X509V3_EXT_METHOD v3_pkey_usage_period = { +static const X509V3_EXT_METHOD x509v3_ext_private_key_usage_period = { .ext_nid = NID_private_key_usage_period, .ext_flags = 0, .it = &PKEY_USAGE_PERIOD_it, @@ -82,6 +82,12 @@ const X509V3_EXT_METHOD v3_pkey_usage_period = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_private_key_usage_period(void) +{ + return &x509v3_ext_private_key_usage_period; +} + static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = { { .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, diff --git a/lib/libcrypto/x509/x509_pmaps.c b/lib/libcrypto/x509/x509_pmaps.c index b2d74dce1..7a91917f6 100644 --- a/lib/libcrypto/x509/x509_pmaps.c +++ b/lib/libcrypto/x509/x509_pmaps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pmaps.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */ +/* $OpenBSD: x509_pmaps.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -69,7 +69,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS( const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist); -const X509V3_EXT_METHOD v3_policy_mappings = { +static const X509V3_EXT_METHOD x509v3_ext_policy_mappings = { .ext_nid = NID_policy_mappings, .ext_flags = 0, .it = &POLICY_MAPPINGS_it, @@ -86,6 +86,12 @@ const X509V3_EXT_METHOD v3_policy_mappings = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_policy_mappings(void) +{ + return &x509v3_ext_policy_mappings; +} + static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = { { .flags = 0, diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c index d2e927701..619a4b890 100644 --- a/lib/libcrypto/x509/x509_purp.c +++ b/lib/libcrypto/x509/x509_purp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.42 2024/05/15 18:10:03 tb Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -150,7 +150,7 @@ static const X509_PURPOSE xstandard[] = { }, { .purpose = X509_PURPOSE_ANY, - .trust = X509_TRUST_DEFAULT, + .trust = X509_TRUST_ACCEPT_ALL, .check_purpose = no_check, .name = "Any Purpose", .sname = "any", diff --git a/lib/libcrypto/x509/x509_skey.c b/lib/libcrypto/x509/x509_skey.c index 245ba5158..d2c90b6f1 100644 --- a/lib/libcrypto/x509/x509_skey.c +++ b/lib/libcrypto/x509/x509_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -67,7 +67,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -const X509V3_EXT_METHOD v3_skey_id = { +static const X509V3_EXT_METHOD x509v3_ext_subject_key_identifier = { .ext_nid = NID_subject_key_identifier, .ext_flags = 0, .it = &ASN1_OCTET_STRING_it, @@ -84,6 +84,12 @@ const X509V3_EXT_METHOD v3_skey_id = { .usr_data = NULL, }; +const X509V3_EXT_METHOD * +x509v3_ext_method_subject_key_identifier(void) +{ + return &x509v3_ext_subject_key_identifier; +} + char * i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct) { diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c index f0f4eefb6..9ba8194ee 100644 --- a/lib/libcrypto/x509/x509_trs.c +++ b/lib/libcrypto/x509/x509_trs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_trs.c,v 1.55 2024/03/26 22:43:42 tb Exp $ */ +/* $OpenBSD: x509_trs.c,v 1.57 2024/07/12 18:15:10 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -66,6 +66,23 @@ #include "x509_internal.h" #include "x509_local.h" +static int +trust_if_self_signed(const X509 *x) +{ + /* Extensions already cached in X509_check_trust(). */ + if ((x->ex_flags & EXFLAG_SS) != 0) + return X509_TRUST_TRUSTED; + + return X509_TRUST_UNTRUSTED; +} + +static int +trust_was_set(const X509 *x) +{ + return x->aux != NULL && (x->aux->trust != NULL || + x->aux->reject != NULL); +} + static int obj_trust(int id, const X509 *x) { @@ -94,33 +111,31 @@ obj_trust(int id, const X509 *x) } static int -trust_compat(int nid, const X509 *x) +nid_from_trust_id(int trust_id) { - /* Extensions already cached in X509_check_trust(). */ - if ((x->ex_flags & EXFLAG_SS) != 0) - return X509_TRUST_TRUSTED; + OPENSSL_assert(trust_id == 0 || + (trust_id >= X509_TRUST_MIN && trust_id <= X509_TRUST_MAX)); - return X509_TRUST_UNTRUSTED; -} - -static int -trust_1oidany(int nid, const X509 *x) -{ - /* Inspect the certificate's trust settings if there are any. */ - if (x->aux != NULL && (x->aux->trust != NULL || x->aux->reject != NULL)) - return obj_trust(nid, x); - - /* For compatibility we return trusted if the cert is self signed. */ - return trust_compat(NID_undef, x); -} - -static int -trust_1oid(int nid, const X509 *x) -{ - if (x->aux != NULL) - return obj_trust(nid, x); - - return X509_TRUST_UNTRUSTED; + switch (trust_id) { + case X509_TRUST_COMPAT: + return NID_undef; + case X509_TRUST_SSL_CLIENT: + return NID_client_auth; + case X509_TRUST_SSL_SERVER: + return NID_server_auth; + case X509_TRUST_EMAIL: + return NID_email_protect; + case X509_TRUST_OBJECT_SIGN: + return NID_code_sign; + case X509_TRUST_OCSP_SIGN: + return NID_OCSP_sign; + case X509_TRUST_OCSP_REQUEST: + return NID_ad_OCSP; + case X509_TRUST_TSA: + return NID_time_stamp; + default: + return NID_undef; + } } int 
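Review bot: The `OPENSSL_assert` at the top of nid_from_trust_id() is unreachable from its only call sites in this file — the explicit X509_TRUST_* cases in X509_check_trust() all pass an in-range constant — so it adds an abort path without guarding anything that `default: return NID_undef;` does not already handle. Aborting a library on a caller-supplied integer is an availability concern should a future caller pass an arbitrary id, and the assert also admits `trust_id == 0`, which then just lands in the default case. Dropping the assert, or replacing it with a comment such as `/* Only reached with the explicit X509_TRUST_* cases from X509_check_trust(). */`, would match how the rest of the file handles bad ids.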
@@ -128,46 +143,36 @@ X509_check_trust(X509 *x, int trust_id, int flags) { int rv; - if (trust_id == -1) - return 1; - /* Call early so the trust handlers don't need to modify the certs. */ if (!x509v3_cache_extensions(x)) return X509_TRUST_UNTRUSTED; + /* + * XXX make X509_TRUST_ACCEPT_ALL a real boy once it does not + * need to have the same -1 value as X509_TRUST_DEFAULT + */ + if (trust_id == X509_TRUST_ACCEPT_ALL) + return 1; + switch (trust_id) { - case 0: - /* - * XXX beck/jsing This enables self signed certs to be trusted - * for an unspecified id/trust flag value (this is NOT the - * X509_TRUST_DEFAULT), which was the longstanding openssl - * behaviour. boringssl does not have this behaviour. - * - * This should be revisited, but changing the default - * "not default" may break things. - */ + case X509_TRUST_COMPAT: + return trust_if_self_signed(x); + case X509_TRUST_EMAIL: + case X509_TRUST_OBJECT_SIGN: + case X509_TRUST_SSL_SERVER: + case X509_TRUST_SSL_CLIENT: + case X509_TRUST_TSA: + if (trust_was_set(x)) + return obj_trust(nid_from_trust_id(trust_id), x); + return trust_if_self_signed(x); + case X509_TRUST_OCSP_SIGN: + case X509_TRUST_OCSP_REQUEST: + return obj_trust(nid_from_trust_id(trust_id), x); + default: rv = obj_trust(NID_anyExtendedKeyUsage, x); if (rv != X509_TRUST_UNTRUSTED) return rv; - return trust_compat(NID_undef, x); - case X509_TRUST_COMPAT: - return trust_compat(NID_undef, x); - case X509_TRUST_SSL_CLIENT: - return trust_1oidany(NID_client_auth, x); - case X509_TRUST_SSL_SERVER: - return trust_1oidany(NID_server_auth, x); - case X509_TRUST_EMAIL: - return trust_1oidany(NID_email_protect, x); - case X509_TRUST_OBJECT_SIGN: - return trust_1oidany(NID_code_sign, x); - case X509_TRUST_OCSP_SIGN: - return trust_1oid(NID_OCSP_sign, x); - case X509_TRUST_OCSP_REQUEST: - return trust_1oid(NID_ad_OCSP, x); - case X509_TRUST_TSA: - return trust_1oidany(NID_time_stamp, x); - default: - return obj_trust(trust_id, x); + return 
trust_if_self_signed(x); } } LCRYPTO_ALIAS(X509_check_trust); diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c index fcc689737..688aed15a 100644 --- a/lib/libcrypto/x509/x509_v3.c +++ b/lib/libcrypto/x509/x509_v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_v3.c,v 1.30 2024/05/23 02:00:38 tb Exp $ */ +/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -60,7 +60,6 @@ #include #include -#include #include #include #include 
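Review bot: The `default:` case now covers every trust_id that is not an explicit X509_TRUST_* case — including the former `case 0` and ids above X509_TRUST_MAX, which the removed `default: return obj_trust(trust_id, x);` treated as a NID — and ends in trust_if_self_signed(), so a self-signed certificate with no aux trust settings is now trusted for any unrecognized id. That widening was explained by the XXX beck/jsing comment on the old `case 0`, which this hunk deletes; a short comment on the new default, e.g. `/* Unrecognized id: honour anyExtendedKeyUsage trust settings, else fall back to trusting self-signed certs (historical OpenSSL behaviour). */`, would keep the rationale visible. Separately, moving the X509_TRUST_ACCEPT_ALL check below x509v3_cache_extensions() means a certificate whose extensions fail to cache is now rejected even for ACCEPT_ALL, where the old code returned 1 before caching; if that is intended it merits a sentence in the XXX comment above the check.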
@@ -69,182 +68,165 @@ #include "x509_local.h" int -X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *sk) +X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *exts) { - if (sk == NULL) + if (exts == NULL) return 0; - return sk_X509_EXTENSION_num(sk); + return sk_X509_EXTENSION_num(exts); } LCRYPTO_ALIAS(X509v3_get_ext_count); int -X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *sk, int nid, int lastpos) +X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *exts, int nid, int lastpos) { const ASN1_OBJECT *obj; if ((obj = OBJ_nid2obj(nid)) == NULL) return -2; - return X509v3_get_ext_by_OBJ(sk, obj, lastpos); + return X509v3_get_ext_by_OBJ(exts, obj, lastpos); } LCRYPTO_ALIAS(X509v3_get_ext_by_NID); int -X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, +X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *exts, const ASN1_OBJECT *obj, int lastpos) { - int n; - X509_EXTENSION *ext; - - if (sk == NULL) - return -1; - lastpos++; - if (lastpos < 0) + if (++lastpos < 0) lastpos = 0; - n = sk_X509_EXTENSION_num(sk); - for (; lastpos < n; lastpos++) { - ext = sk_X509_EXTENSION_value(sk, lastpos); + + for (; lastpos < X509v3_get_ext_count(exts); lastpos++) { + const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos); + if (OBJ_cmp(ext->object, obj) == 0) return lastpos; } + return -1; } LCRYPTO_ALIAS(X509v3_get_ext_by_OBJ); int -X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, +X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *exts, int critical, int lastpos) { - int n; - X509_EXTENSION *ext; + critical = (critical != 0); - if (sk == NULL) - return -1; - lastpos++; - if (lastpos < 0) + if (++lastpos < 0) lastpos = 0; - n = sk_X509_EXTENSION_num(sk); - for (; lastpos < n; lastpos++) { - ext = sk_X509_EXTENSION_value(sk, lastpos); - if ((ext->critical > 0 && crit) || - (ext->critical <= 0 && !crit)) + + for (; lastpos < X509v3_get_ext_count(exts); lastpos++) { + const X509_EXTENSION *ext = X509v3_get_ext(exts, lastpos); + + 
if (X509_EXTENSION_get_critical(ext) == critical) return lastpos; } + return -1; } LCRYPTO_ALIAS(X509v3_get_ext_by_critical); X509_EXTENSION * -X509v3_get_ext(const STACK_OF(X509_EXTENSION) *sk, int loc) +X509v3_get_ext(const STACK_OF(X509_EXTENSION) *exts, int loc) { - if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0) - return NULL; - - return sk_X509_EXTENSION_value(sk, loc); + return sk_X509_EXTENSION_value(exts, loc); } LCRYPTO_ALIAS(X509v3_get_ext); X509_EXTENSION * -X509v3_delete_ext(STACK_OF(X509_EXTENSION) *sk, int loc) +X509v3_delete_ext(STACK_OF(X509_EXTENSION) *exts, int loc) { - if (sk == NULL || sk_X509_EXTENSION_num(sk) <= loc || loc < 0) - return NULL; - - return sk_X509_EXTENSION_delete(sk, loc); + return sk_X509_EXTENSION_delete(exts, loc); } LCRYPTO_ALIAS(X509v3_delete_ext); STACK_OF(X509_EXTENSION) * -X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ext, int loc) +X509v3_add_ext(STACK_OF(X509_EXTENSION) **out_exts, X509_EXTENSION *ext, int loc) { + STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *new_ext = NULL; - int n; - STACK_OF(X509_EXTENSION) *sk = NULL; - if (x == NULL) { + /* + * XXX - Nonsense from the poorly reviewed OpenSSL c755c5fd8ba (2005). + * This check should have been joined with the next check, i.e., if no + * stack was passed in, a new one should be created and returned. 
+ */ + if (out_exts == NULL) { X509error(ERR_R_PASSED_NULL_PARAMETER); - goto err2; + goto err; } - if (*x == NULL) { - if ((sk = sk_X509_EXTENSION_new_null()) == NULL) - goto err; - } else - sk= *x; - - n = sk_X509_EXTENSION_num(sk); - if (loc > n) - loc = n; - else if (loc < 0) - loc = n; + if ((exts = *out_exts) == NULL) + exts = sk_X509_EXTENSION_new_null(); + if (exts == NULL) { + X509error(ERR_R_MALLOC_FAILURE); + goto err; + } if ((new_ext = X509_EXTENSION_dup(ext)) == NULL) - goto err2; - if (!sk_X509_EXTENSION_insert(sk, new_ext, loc)) goto err; - if (*x == NULL) - *x = sk; - return sk; + if (!sk_X509_EXTENSION_insert(exts, new_ext, loc)) + goto err; + new_ext = NULL; + + *out_exts = exts; + + return exts; err: - X509error(ERR_R_MALLOC_FAILURE); - err2: - if (new_ext != NULL) - X509_EXTENSION_free(new_ext); - if (sk != NULL && x != NULL && sk != *x) - sk_X509_EXTENSION_free(sk); + X509_EXTENSION_free(new_ext); + if (out_exts != NULL && exts != *out_exts) + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + return NULL; } LCRYPTO_ALIAS(X509v3_add_ext); X509_EXTENSION * -X509_EXTENSION_create_by_NID(X509_EXTENSION **ext, int nid, int crit, +X509_EXTENSION_create_by_NID(X509_EXTENSION **out_ext, int nid, int critical, ASN1_OCTET_STRING *data) { - ASN1_OBJECT *obj; - X509_EXTENSION *ret; + const ASN1_OBJECT *obj; - obj = OBJ_nid2obj(nid); - if (obj == NULL) { + if ((obj = OBJ_nid2obj(nid)) == NULL) { X509error(X509_R_UNKNOWN_NID); return NULL; } - ret = X509_EXTENSION_create_by_OBJ(ext, obj, crit, data); - if (ret == NULL) - ASN1_OBJECT_free(obj); - return ret; + + return X509_EXTENSION_create_by_OBJ(out_ext, obj, critical, data); } LCRYPTO_ALIAS(X509_EXTENSION_create_by_NID); X509_EXTENSION * -X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ext, const ASN1_OBJECT *obj, - int crit, ASN1_OCTET_STRING *data) +X509_EXTENSION_create_by_OBJ(X509_EXTENSION **out_ext, const ASN1_OBJECT *obj, + int critical, ASN1_OCTET_STRING *data) { - X509_EXTENSION *ret; + 
X509_EXTENSION *ext; - if (ext == NULL || *ext == NULL) { - if ((ret = X509_EXTENSION_new()) == NULL) { - X509error(ERR_R_MALLOC_FAILURE); - return NULL; - } - } else - ret= *ext; + if (out_ext == NULL || (ext = *out_ext) == NULL) + ext = X509_EXTENSION_new(); + if (ext == NULL) { + X509error(ERR_R_MALLOC_FAILURE); + goto err; + } - if (!X509_EXTENSION_set_object(ret, obj)) + if (!X509_EXTENSION_set_object(ext, obj)) goto err; - if (!X509_EXTENSION_set_critical(ret, crit)) + if (!X509_EXTENSION_set_critical(ext, critical)) goto err; - if (!X509_EXTENSION_set_data(ret, data)) + if (!X509_EXTENSION_set_data(ext, data)) goto err; - if (ext != NULL && *ext == NULL) - *ext = ret; - return ret; + if (out_ext != NULL) + *out_ext = ext; + + return ext; err: - if (ext == NULL || ret != *ext) - X509_EXTENSION_free(ret); + if (out_ext == NULL || ext != *out_ext) + X509_EXTENSION_free(ext); + return NULL; } LCRYPTO_ALIAS(X509_EXTENSION_create_by_OBJ); @@ -256,19 +238,17 @@ X509_EXTENSION_set_object(X509_EXTENSION *ext, const ASN1_OBJECT *obj) return 0; ASN1_OBJECT_free(ext->object); - ext->object = OBJ_dup(obj); - - return ext->object != NULL; + return (ext->object = OBJ_dup(obj)) != NULL; } LCRYPTO_ALIAS(X509_EXTENSION_set_object); int -X509_EXTENSION_set_critical(X509_EXTENSION *ext, int crit) +X509_EXTENSION_set_critical(X509_EXTENSION *ext, int critical) { if (ext == NULL) return 0; - ext->critical = crit ? 0xFF : -1; + ext->critical = critical ? 0xFF : -1; return 1; } @@ -309,8 +289,7 @@ X509_EXTENSION_get_critical(const X509_EXTENSION *ext) { if (ext == NULL) return 0; - if (ext->critical > 0) - return 1; - return 0; + + return ext->critical > 0; } LCRYPTO_ALIAS(X509_EXTENSION_get_critical); diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile index 7d3b221db..1100b99ce 100644 --- a/lib/libssl/Makefile +++ b/lib/libssl/Makefile 
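Review bot: In X509v3_add_ext(), a failed `sk_X509_EXTENSION_insert()` now jumps to `err:` without pushing an error, whereas the removed `err:` label reported ERR_R_MALLOC_FAILURE for it; a caller inspecting the error queue after the NULL return sees nothing. `if (!sk_X509_EXTENSION_insert(exts, new_ext, loc)) { X509error(ERR_R_MALLOC_FAILURE); goto err; }` restores that. X509v3_get_ext() and X509v3_delete_ext() also drop their explicit NULL/range checks and now rely on sk_X509_EXTENSION_value()/sk_X509_EXTENSION_delete() returning NULL for a NULL stack or an out-of-range `loc` — correct as far as I know, but a one-line comment on each, `/* sk_*_value()/sk_*_delete() return NULL for a NULL stack or bad index. */`, would record that the bounds check moved rather than vanished.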
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.83 2024/07/09 09:39:14 beck Exp $ +# $OpenBSD: Makefile,v 1.84 2024/07/13 18:33:18 tb Exp $ .include .ifndef NOMAN @@ -89,7 +89,7 @@ SRCS= \ tls_key_share.c \ tls_lib.c -HDRS= dtls1.h srtp.h ssl.h ssl2.h ssl23.h ssl3.h tls1.h +HDRS= dtls1.h srtp.h ssl.h ssl3.h tls1.h .PATH: ${.CURDIR} diff --git a/lib/libssl/hidden/ssl_namespace.h b/lib/libssl/hidden/ssl_namespace.h index 7a941a0e1..5d26516f3 100644 --- a/lib/libssl/hidden/ssl_namespace.h +++ b/lib/libssl/hidden/ssl_namespace.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_namespace.h,v 1.2 2023/02/16 08:38:17 tb Exp $ */ +/* $OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $ */ /* * Copyright (c) 2016 Philip Guenther * @@ -27,7 +27,11 @@ #define LSSL_UNUSED(x) typeof(x) x __attribute__((deprecated)) #define LSSL_USED(x) __attribute__((visibility("hidden"))) \ typeof(x) x asm("_lssl_"#x) +#if defined(__hppa__) +#define LSSL_ALIAS(x) asm("! .global "#x" ! .set "#x", _lssl_"#x) +#else #define LSSL_ALIAS(x) asm(".global "#x"; "#x" = _lssl_"#x) +#endif #else #define LSSL_UNUSED(x) #define LSSL_USED(x) diff --git a/lib/libssl/man/ssl.3 b/lib/libssl/man/ssl.3 index 0c793d780..5bceba724 100644 --- a/lib/libssl/man/ssl.3 +++ b/lib/libssl/man/ssl.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssl.3,v 1.24 2024/05/09 17:57:36 jmc Exp $ +.\" $OpenBSD: ssl.3,v 1.25 2024/07/13 18:33:18 tb Exp $ .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100 .\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800 .\" @@ -51,7 +51,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 9 2024 $ +.Dd $Mdocdate: July 13 2024 $ .Dt SSL 3 .Os .Sh NAME 
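Review bot: The new `__hppa__` branch of LSSL_ALIAS() in ssl_namespace.h uses `!` where the generic branch uses `;`, and nothing says why. A comment above the `#if`, `/* The hppa assembler uses '!' rather than ';' as its statement separator. */`, would save the next reader from guessing whether the leading `!` is a typo.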
@@ -147,13 +147,6 @@ It internally includes both more private SSL headers and headers from the library. Whenever you need hardcore details on the internals of the SSL API, look inside this header file. -.It Pa ssl2.h -That's the sub header file dealing with the SSLv2 protocol only. -.Bf Em - Usually you don't have to include it explicitly because it's already included -by -.Pa ssl.h . -.Ef .It Pa ssl3.h That's the sub header file dealing with the SSLv3 protocol only. .Bf Em @@ -161,14 +154,6 @@ Usually you don't have to include it explicitly because it's already included by .Pa ssl.h . .Ef -.It Pa ssl23.h -That's the sub header file dealing with the combined use of the SSLv2 and SSLv3 -protocols. -.Bf Em -Usually you don't have to include it explicitly because it's already included -by -.Pa ssl.h . -.Ef .It Pa tls1.h That's the sub header file dealing with the TLSv1 protocol only. .Bf Em diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 22d480986..e63312a12 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.237 2024/05/27 09:12:31 jsg Exp $ */ +/* $OpenBSD: ssl.h,v 1.238 2024/07/13 18:33:18 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -653,11 +653,9 @@ void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb); } #endif -#include #include #include /* This is mostly sslv3 with a few tweaks */ #include /* Datagram TLS */ -#include #include /* Support for the use_srtp extension */ #ifdef __cplusplus @@ -2331,6 +2329,12 @@ void ERR_load_SSL_strings(void); int OPENSSL_init_ssl(uint64_t opts, const void *settings); int SSL_library_init(void); +/* + * A few things still use this without #ifdef guard. + */ + +#define SSL2_VERSION 0x0002 + #ifdef __cplusplus } #endif diff --git a/lib/libssl/ssl2.h b/lib/libssl/ssl2.h deleted file mode 100644 index 3a8d30072..000000000 --- a/lib/libssl/ssl2.h +++ /dev/null 
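Review bot: The comment above the re-added `#define SSL2_VERSION 0x0002` in ssl.h, "A few things still use this without #ifdef guard.", does not say that the definition is a compatibility shim now that ssl2.h is deleted in this same commit, nor that SSLv2 itself is unsupported. Something like `/* ssl2.h is gone and SSLv2 is not supported; this value is kept only for source compatibility with code that still references it. */` would make the intent clear and discourage anyone from reading it as protocol support.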
@@ -1,153 +0,0 @@ -/* $OpenBSD: ssl2.h,v 1.12 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#ifndef HEADER_SSL2_H -#define HEADER_SSL2_H - -#ifdef __cplusplus -extern "C" { -#endif - -/* Protocol Version Codes */ -#define SSL2_VERSION 0x0002 -#define SSL2_VERSION_MAJOR 0x00 -#define SSL2_VERSION_MINOR 0x02 -/* #define SSL2_CLIENT_VERSION 0x0002 */ -/* #define SSL2_SERVER_VERSION 0x0002 */ - -/* Protocol Message Codes */ -#define SSL2_MT_ERROR 0 -#define SSL2_MT_CLIENT_HELLO 1 -#define SSL2_MT_CLIENT_MASTER_KEY 2 -#define SSL2_MT_CLIENT_FINISHED 3 -#define SSL2_MT_SERVER_HELLO 4 -#define SSL2_MT_SERVER_VERIFY 5 -#define SSL2_MT_SERVER_FINISHED 6 -#define SSL2_MT_REQUEST_CERTIFICATE 7 -#define SSL2_MT_CLIENT_CERTIFICATE 8 - -/* Error Message Codes */ -#define SSL2_PE_UNDEFINED_ERROR 0x0000 -#define SSL2_PE_NO_CIPHER 0x0001 -#define SSL2_PE_NO_CERTIFICATE 0x0002 -#define SSL2_PE_BAD_CERTIFICATE 0x0004 -#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006 - -/* Cipher Kind Values */ -#define SSL2_CK_NULL_WITH_MD5 0x02000000 /* v3 */ -#define SSL2_CK_RC4_128_WITH_MD5 0x02010080 -#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5 0x02020080 -#define SSL2_CK_RC2_128_CBC_WITH_MD5 0x02030080 -#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x02040080 -#define SSL2_CK_IDEA_128_CBC_WITH_MD5 0x02050080 -#define SSL2_CK_DES_64_CBC_WITH_MD5 0x02060040 -#define SSL2_CK_DES_64_CBC_WITH_SHA 0x02060140 /* v3 */ -#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5 0x020700c0 -#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA 0x020701c0 /* v3 */ -#define SSL2_CK_RC4_64_WITH_MD5 0x02080080 /* MS hack */ - -#define SSL2_CK_DES_64_CFB64_WITH_MD5_1 0x02ff0800 /* SSLeay */ -#define SSL2_CK_NULL 0x02ff0810 /* SSLeay */ - -#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1 "DES-CFB-M1" -#define SSL2_TXT_NULL_WITH_MD5 "NULL-MD5" -#define SSL2_TXT_RC4_128_WITH_MD5 "RC4-MD5" -#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 "EXP-RC4-MD5" -#define SSL2_TXT_RC2_128_CBC_WITH_MD5 "RC2-CBC-MD5" -#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5" -#define SSL2_TXT_IDEA_128_CBC_WITH_MD5 "IDEA-CBC-MD5" -#define 
SSL2_TXT_DES_64_CBC_WITH_MD5 "DES-CBC-MD5" -#define SSL2_TXT_DES_64_CBC_WITH_SHA "DES-CBC-SHA" -#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 "DES-CBC3-MD5" -#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA "DES-CBC3-SHA" -#define SSL2_TXT_RC4_64_WITH_MD5 "RC4-64-MD5" - -#define SSL2_TXT_NULL "NULL" - -/* Flags for the SSL_CIPHER.algorithm2 field */ -#define SSL2_CF_5_BYTE_ENC 0x01 -#define SSL2_CF_8_BYTE_ENC 0x02 - -/* Certificate Type Codes */ -#define SSL2_CT_X509_CERTIFICATE 0x01 - -/* Authentication Type Code */ -#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION 0x01 - -#define SSL2_MAX_SSL_SESSION_ID_LENGTH 32 - -/* Upper/Lower Bounds */ -#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ - -#define SSL2_CHALLENGE_LENGTH 16 -/*#define SSL2_CHALLENGE_LENGTH 32 */ -#define SSL2_MIN_CHALLENGE_LENGTH 16 -#define SSL2_MAX_CHALLENGE_LENGTH 32 -#define SSL2_CONNECTION_ID_LENGTH 16 -#define SSL2_MAX_CONNECTION_ID_LENGTH 16 -#define SSL2_SSL_SESSION_ID_LENGTH 16 -#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32 -#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16 -#define SSL2_MAX_KEY_MATERIAL_LENGTH 24 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/ssl23.h b/lib/libssl/ssl23.h deleted file mode 100644 index 570e4b017..000000000 --- a/lib/libssl/ssl23.h +++ /dev/null 
@@ -1,82 +0,0 @@ -/* $OpenBSD: ssl23.h,v 1.4 2014/12/14 15:30:50 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#ifndef HEADER_SSL23_H -#define HEADER_SSL23_H - -#ifdef __cplusplus -extern "C" { -#endif - -/*client */ -/* write to server */ -#define SSL23_ST_CW_CLNT_HELLO_A (0x210|SSL_ST_CONNECT) -#define SSL23_ST_CW_CLNT_HELLO_B (0x211|SSL_ST_CONNECT) -/* read from server */ -#define SSL23_ST_CR_SRVR_HELLO_A (0x220|SSL_ST_CONNECT) -#define SSL23_ST_CR_SRVR_HELLO_B (0x221|SSL_ST_CONNECT) - -/* server */ -/* read from client */ -#define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT) -#define SSL23_ST_SR_CLNT_HELLO_B (0x211|SSL_ST_ACCEPT) - -#ifdef __cplusplus -} -#endif -#endif diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c index 5b130d45e..61d72fac6 100644 --- a/lib/libssl/ssl_err.c +++ b/lib/libssl/ssl_err.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.49 2024/06/24 06:50:07 tb Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.50 2024/07/13 17:42:13 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -67,7 +67,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason) /* See SSL_state_func_code below */ -static ERR_STRING_DATA SSL_str_functs[] = { +static const ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(1), "CONNECT_CW_FLUSH"}, {ERR_FUNC(2), "CONNECT_CW_CLNT_HELLO"}, {ERR_FUNC(3), "CONNECT_CW_CLNT_HELLO"}, @@ -153,7 +153,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {0, NULL} }; -static ERR_STRING_DATA SSL_str_reasons[]= { +static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) , "app data in handshake"}, {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"}, {ERR_REASON(SSL_R_BAD_ALERT_RECORD) , "bad alert record"}, @@ -476,8 +476,8 @@ ERR_load_SSL_strings(void) { #ifndef OPENSSL_NO_ERR if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) { - ERR_load_strings(0, SSL_str_functs); - ERR_load_strings(0, SSL_str_reasons); + ERR_load_strings(0, (ERR_STRING_DATA *)SSL_str_functs); + ERR_load_strings(0, (ERR_STRING_DATA *)SSL_str_reasons); } #endif } diff --git a/sbin/iked/Makefile b/sbin/iked/Makefile index 2d0f53658..783e2eb07 100644 --- a/sbin/iked/Makefile +++ b/sbin/iked/Makefile 
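Review bot: The `(ERR_STRING_DATA *)` casts in ERR_load_SSL_strings() discard the const just added to SSL_str_functs and SSL_str_reasons; that is only safe because ERR_load_strings() with lib == 0 does not write to the table (as far as I recall it only packs the library code into str->error for a non-zero lib), and any write through the cast would be undefined behaviour on objects the linker may now place in read-only data. A comment at the call site, `/* Safe: ERR_load_strings() does not modify the table when lib == 0. */`, would document the assumption the cast depends on.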
@@ -1,18 +1,18 @@ -# $OpenBSD: Makefile,v 1.22 2021/05/28 18:01:39 tobhe Exp $ +# $OpenBSD: Makefile,v 1.23 2024/07/13 12:22:46 yasuoka Exp $ PROG= iked SRCS= ca.c chap_ms.c config.c control.c crypto.c dh.c \ eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \ log.c ocsp.c pfkey.c policy.c print.c proc.c timer.c util.c \ - imsg_util.c smult_curve25519_ref.c vroute.c + imsg_util.c radius.c smult_curve25519_ref.c vroute.c SRCS+= eap_map.c ikev2_map.c SRCS+= crypto_hash.c sntrup761.c SRCS+= parse.y MAN= iked.conf.5 iked.8 #NOMAN= yes -LDADD= -lutil -levent -lcrypto -DPADD= ${LIBUTIL} ${LIBEVENT} ${LIBCRYPTO} +LDADD= -lutil -levent -lcrypto -lradius +DPADD= ${LIBUTIL} ${LIBEVENT} ${LIBCRYPTO} ${LIBRADIUS} CFLAGS+= -Wall -I${.CURDIR} CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes CFLAGS+= -Wmissing-declarations diff --git a/sbin/iked/config.c b/sbin/iked/config.c index ff24c4bcc..d42045095 100644 --- a/sbin/iked/config.c +++ b/sbin/iked/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.97 2024/02/15 19:11:00 tobhe Exp $ */ +/* $OpenBSD: config.c,v 1.98 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -123,6 +123,8 @@ config_free_sa(struct iked *env, struct iked_sa *sa) sa_configure_iface(env, sa, 0); sa_free_flows(env, &sa->sa_flows); + iked_radius_acct_stop(env, sa); + if (sa->sa_addrpool) { (void)RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa); free(sa->sa_addrpool); @@ -187,6 +189,10 @@ config_free_sa(struct iked *env, struct iked_sa *sa) ikestat_dec(env, ikes_sa_established_current); ikestat_inc(env, ikes_sa_removed); + free(sa->sa_rad_addr); + free(sa->sa_rad_addr6); + iked_radius_request_free(env, sa->sa_radreq); + free(sa); } 
@@ -591,6 +597,48 @@ config_doreset(struct iked *env, unsigned int mode) } } + if (mode == RESET_ALL || mode == RESET_RADIUS) { + struct iked_radserver_req *req; + struct iked_radserver *rad, *radt; + struct iked_radcfgmap *cfg, *cfgt; + struct iked_raddae *dae, *daet; + struct iked_radclient *client, *clientt; + + TAILQ_FOREACH_SAFE(rad, &env->sc_radauthservers, rs_entry, + radt) { + close(rad->rs_sock); + event_del(&rad->rs_ev); + TAILQ_REMOVE(&env->sc_radauthservers, rad, rs_entry); + while ((req = TAILQ_FIRST(&rad->rs_reqs)) != NULL) + iked_radius_request_free(env, req); + freezero(rad, sizeof(*rad)); + } + TAILQ_FOREACH_SAFE(rad, &env->sc_radacctservers, rs_entry, + radt) { + close(rad->rs_sock); + event_del(&rad->rs_ev); + TAILQ_REMOVE(&env->sc_radacctservers, rad, rs_entry); + while ((req = TAILQ_FIRST(&rad->rs_reqs)) != NULL) + iked_radius_request_free(env, req); + freezero(rad, sizeof(*rad)); + } + TAILQ_FOREACH_SAFE(cfg, &env->sc_radcfgmaps, entry, cfgt) { + TAILQ_REMOVE(&env->sc_radcfgmaps, cfg, entry); + free(cfg); + } + TAILQ_FOREACH_SAFE(dae, &env->sc_raddaes, rd_entry, daet) { + close(dae->rd_sock); + event_del(&dae->rd_ev); + TAILQ_REMOVE(&env->sc_raddaes, dae, rd_entry); + free(dae); + } + TAILQ_FOREACH_SAFE(client, &env->sc_raddaeclients, rc_entry, + clientt) { + TAILQ_REMOVE(&env->sc_raddaeclients, client, rc_entry); + free(client); + } + } + return (0); } 
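Review bot: `freezero(rad, sizeof(*rad))` in the two RADIUS server teardown loops of config_doreset() may leave the shared secret in freed memory: config_setradserver() sends the secret as a trailing payload starting at `offsetof(struct iked_radserver, rs_secret[0])`, and config_getradserver() allocates `len` bytes (more than sizeof(*server)) to hold it, so if rs_secret is a flexible array member the secret bytes lie beyond sizeof(*rad) and are not zeroed. Recording the allocation length in the struct, or zeroing `offsetof(struct iked_radserver, rs_secret[0]) + strlen(rad->rs_secret) + 1` bytes instead, would cover the secret. Separately, `event_del()` runs after `close()` of the same descriptor for both `rs_ev` and `rd_ev`; deleting the event first avoids the libevent backend trying to deregister an already-closed fd.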
@@ -1092,3 +1140,282 @@ config_getkey(struct iked *env, struct imsg *imsg) return (0); } + +int +config_setradauth(struct iked *env) +{ + proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CFG_RADAUTH, + &env->sc_radauth, sizeof(env->sc_radauth)); + return (0); +} + +int +config_getradauth(struct iked *env, struct imsg *imsg) +{ + if (IMSG_DATA_SIZE(imsg) < sizeof(struct iked_radopts)) + fatalx("%s: invalid radauth message", __func__); + + memcpy(&env->sc_radauth, imsg->data, sizeof(struct iked_radopts)); + + return (0); +} + +int +config_setradacct(struct iked *env) +{ + proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CFG_RADACCT, + &env->sc_radacct, sizeof(env->sc_radacct)); + return (0); +} + +int +config_getradacct(struct iked *env, struct imsg *imsg) +{ + if (IMSG_DATA_SIZE(imsg) < sizeof(struct iked_radopts)) + fatalx("%s: invalid radacct message", __func__); + + memcpy(&env->sc_radacct, imsg->data, sizeof(struct iked_radopts)); + + return (0); +} + +int +config_setradserver(struct iked *env, struct sockaddr *sa, socklen_t salen, + char *secret, int isaccounting) +{ + int sock = -1; + struct iovec iov[2]; + struct iked_radserver server; + + if (env->sc_opts & IKED_OPT_NOACTION) + return (0); + memset(&server, 0, sizeof(server)); + memcpy(&server.rs_sockaddr, sa, salen); + server.rs_accounting = isaccounting; + if ((sock = socket(sa->sa_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) { + log_warn("%s: socket() failed", __func__); + goto error; + } + if (connect(sock, sa, salen) == -1) { + log_warn("%s: connect() failed", __func__); + goto error; + } + iov[0].iov_base = &server; + iov[0].iov_len = offsetof(struct iked_radserver, rs_secret[0]); + iov[1].iov_base = secret; + iov[1].iov_len = strlen(secret) + 1; + + proc_composev_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADSERVER, -1, + sock, iov, 2); + + return (0); + error: + if (sock >= 0) + close(sock); + return (-1); +} + +int +config_getradserver(struct iked *env, struct imsg *imsg) +{ + size_t len; + struct iked_radserver 
*server; + + len = IMSG_DATA_SIZE(imsg); + if (len <= sizeof(*server)) + fatalx("%s: invalid IMSG_CFG_RADSERVER message", __func__); + + if ((server = calloc(1, len)) == NULL) { + log_warn("%s: calloc() failed", __func__); + return (-1); + } + memcpy(server, imsg->data, len); + explicit_bzero(imsg->data, len); + TAILQ_INIT(&server->rs_reqs); + server->rs_sock = imsg_get_fd(imsg); + server->rs_env = env; + + if (!server->rs_accounting) + TAILQ_INSERT_TAIL(&env->sc_radauthservers, server, rs_entry); + else + TAILQ_INSERT_TAIL(&env->sc_radacctservers, server, rs_entry); + event_set(&server->rs_ev, server->rs_sock, EV_READ | EV_PERSIST, + iked_radius_on_event, server); + event_add(&server->rs_ev, NULL); + + return (0); +} + +int +config_setradcfgmap(struct iked *env, int cfg_type, uint32_t vendor_id, + uint8_t attr_type) +{ + struct iked_radcfgmap cfgmap; + + if (env->sc_opts & IKED_OPT_NOACTION) + return (0); + memset(&cfgmap, 0, sizeof(cfgmap)); + cfgmap.cfg_type = cfg_type; + cfgmap.vendor_id = vendor_id; + cfgmap.attr_type = attr_type; + + proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADCFGMAP, -1, + -1, &cfgmap, sizeof(cfgmap)); + + return (0); +} + +int +config_getradcfgmap(struct iked *env, struct imsg *imsg) +{ + int i; + size_t len; + struct iked_radcfgmap *cfgmap, *cfgmap0; + struct iked_radcfgmaps cfgmaps = TAILQ_HEAD_INITIALIZER(cfgmaps); + + len = IMSG_DATA_SIZE(imsg); + if (len < sizeof(*cfgmap)) + fatalx("%s: invalid IMSG_CFG_RADCFGMAP message", __func__); + + if (TAILQ_EMPTY(&env->sc_radcfgmaps)) { + /* no customized config map yet */ + for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) { + if ((cfgmap = calloc(1, len)) == NULL) { + while ((cfgmap = TAILQ_FIRST(&cfgmaps)) + != NULL) { + TAILQ_REMOVE(&cfgmaps, cfgmap, entry); + free(cfgmap); + } + return (-1); + } + *cfgmap = radius_cfgmaps[i]; + TAILQ_INSERT_TAIL(&cfgmaps, cfgmap, entry); + } + TAILQ_CONCAT(&env->sc_radcfgmaps, &cfgmaps, entry); + } + + cfgmap0 = (struct iked_radcfgmap 
*)imsg->data; + TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry) { + if (cfgmap->vendor_id == cfgmap0->vendor_id && + cfgmap->attr_type == cfgmap0->attr_type) { + /* override existing config map */ + cfgmap->cfg_type = cfgmap0->cfg_type; + break; + } + } + if (cfgmap == NULL) { + if ((cfgmap = calloc(1, len)) == NULL) { + log_warn("%s: calloc() failed", __func__); + return (-1); + } + memcpy(cfgmap, imsg->data, len); + TAILQ_INSERT_TAIL(&env->sc_radcfgmaps, cfgmap, entry); + } + return (0); +} + +int +config_setraddae(struct iked *env, struct sockaddr *sa, socklen_t salen) +{ + int sock, on; + struct iked_raddae dae; + + if (env->sc_opts & IKED_OPT_NOACTION) + return (0); + memset(&dae, 0, sizeof(dae)); + memcpy(&dae.rd_sockaddr, sa, salen); + if ((sock = socket(sa->sa_family, SOCK_DGRAM, IPPROTO_UDP)) == -1) { + log_warn("%s: socket() failed", __func__); + goto error; + } + on = 1; + if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) + log_warn("%s: setsockopt(,,SO_REUSEADDR) failed", __func__); + /* REUSEPORT is needed because the old sockets may not be closed yet */ + on = 1; + if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) == -1) + log_warn("%s: setsockopt(,,SO_REUSEPORT) failed", __func__); + if (bind(sock, sa, salen) == -1) { + log_warn("%s: bind() failed", __func__); + goto error; + } + + proc_compose_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADDAE, -1, + sock, &dae, sizeof(dae)); + + return (0); + error: + if (sock >= 0) + close(sock); + return (-1); +} + +int +config_getraddae(struct iked *env, struct imsg *imsg) +{ + struct iked_raddae *dae; + + if (IMSG_DATA_SIZE(imsg) < sizeof(*dae)) + fatalx("%s: invalid IMSG_CFG_RADDAE message", __func__); + + if ((dae = calloc(1, sizeof(*dae))) == NULL) { + log_warn("%s: calloc() failed", __func__); + return (-1); + } + memcpy(dae, imsg->data, sizeof(*dae)); + dae->rd_sock = imsg_get_fd(imsg); + dae->rd_env = env; + + event_set(&dae->rd_ev, dae->rd_sock, EV_READ | EV_PERSIST, + 
iked_radius_dae_on_event, dae); + event_add(&dae->rd_ev, NULL); + + TAILQ_INSERT_TAIL(&env->sc_raddaes, dae, rd_entry); + + return (0); +} + +int +config_setradclient(struct iked *env, struct sockaddr *sa, socklen_t salen, + char *secret) +{ + struct iovec iov[2]; + struct iked_radclient client; + + if (salen > sizeof(client.rc_sockaddr)) + fatal("%s: invalid salen", __func__); + + memcpy(&client.rc_sockaddr, sa, salen); + + iov[0].iov_base = &client; + iov[0].iov_len = offsetof(struct iked_radclient, rc_secret[0]); + iov[1].iov_base = secret; + iov[1].iov_len = strlen(secret); + + proc_composev_imsg(&env->sc_ps, PROC_IKEV2, -1, IMSG_CFG_RADDAECLIENT, + -1, -1, iov, 2); + + return (0); +} + +int +config_getradclient(struct iked *env, struct imsg *imsg) +{ + struct iked_radclient *client; + u_int len; + + len = IMSG_DATA_SIZE(imsg); + + if (len < sizeof(*client)) + fatalx("%s: invalid IMSG_CFG_RADDAE message", __func__); + + if ((client = calloc(1, len + 1)) == NULL) { + log_warn("%s: calloc() failed", __func__); + return (-1); + } + memcpy(client, imsg->data, len); + + TAILQ_INSERT_TAIL(&env->sc_raddaeclients, client, rc_entry); + + return (0); +} diff --git a/sbin/iked/eap.c b/sbin/iked/eap.c index 40cbe627d..24d1a898b 100644 --- a/sbin/iked/eap.c +++ b/sbin/iked/eap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eap.c,v 1.26 2024/03/24 00:05:01 yasuoka Exp $ */ +/* $OpenBSD: eap.c,v 1.27 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -583,9 +583,12 @@ eap_parse(struct iked *env, const struct iked_sa *sa, struct iked_message *msg, return (eap_mschap(env, sa, msg, eap)); default: - log_debug("%s: unsupported EAP type %s", __func__, - print_map(eap->eap_type, eap_type_map)); - return (-1); + if (sa->sa_policy->pol_auth.auth_eap != EAP_TYPE_RADIUS) { + log_debug("%s: unsupported EAP type %s", __func__, + print_map(eap->eap_type, eap_type_map)); + return (-1); + } /* else, when RADIUS, pass it to the client */ + break; } return (0); 
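Review bot: config_getradclient reports a malformed message as `invalid IMSG_CFG_RADDAE message`, text copied from config_getraddae; it should name its own message type, `fatalx("%s: invalid IMSG_CFG_RADDAECLIENT message", __func__);`. The same function copies the secret out of the imsg but, unlike config_getradserver, does not `explicit_bzero(imsg->data, len)` afterwards, so the shared secret stays in the imsg buffer until it is reused. config_setradserver and config_setraddae also `memcpy()` `salen` bytes into a `sockaddr_storage` without the `salen > sizeof(...)` guard that config_setradclient has; the visible callers pass `ai_addrlen` from getaddrinfo so it fits today, but the guard is cheap and keeps the three functions consistent. Finally, `u_int len` for `IMSG_DATA_SIZE()` in config_getradclient would better be `size_t`, as in the sibling getters.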
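Review bot: The trailing comment `/* else, when RADIUS, pass it to the client */` on the new default branch is ambiguous: "client" can be read as the IKE peer or as iked's own RADIUS-client code, and only the latter matches the policy check that guards it. A wording such as `/* RADIUS: unknown EAP types are not parsed here but relayed as-is */` states the intent without naming a party. Note also that `sa->sa_policy` is dereferenced without a NULL check, which is fine only if every caller of eap_parse guarantees a policy; eap_parse starts and ends outside the hunk.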
diff --git a/sbin/iked/eap.h b/sbin/iked/eap.h index 509da7ac6..ef617c2f6 100644 --- a/sbin/iked/eap.h +++ b/sbin/iked/eap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: eap.h,v 1.6 2020/09/16 21:37:35 tobhe Exp $ */ +/* $OpenBSD: eap.h,v 1.7 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -93,6 +93,7 @@ extern struct iked_constmap eap_code_map[]; #define EAP_TYPE_PWD 52 /* RFC-harkins-emu-eap-pwd-12.txt */ #define EAP_TYPE_EXPANDED_TYPE 254 /* RFC3748 */ #define EAP_TYPE_EXPERIMENTAL 255 /* RFC3748 */ +#define EAP_TYPE_RADIUS 10001 /* internal use for EAP RADIUS */ extern struct iked_constmap eap_type_map[]; diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c index 00bd3f6e2..b69a35443 100644 --- a/sbin/iked/iked.c +++ b/sbin/iked/iked.c @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.c,v 1.70 2024/02/15 20:10:45 tobhe Exp $ */ +/* $OpenBSD: iked.c,v 1.71 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -307,6 +307,8 @@ parent_configure(struct iked *env) config_setstatic(env); config_setcoupled(env, env->sc_decoupled ? 0 : 1); config_setocsp(env); + config_setradauth(env); + config_setradacct(env); /* Must be last */ config_setmode(env, env->sc_passive ? 1 : 0); @@ -324,6 +326,7 @@ parent_reload(struct iked *env, int reset, const char *filename) if (reset == RESET_RELOAD) { config_setreset(env, RESET_POLICY, PROC_IKEV2); + config_setreset(env, RESET_RADIUS, PROC_IKEV2); if (config_setkeys(env) == -1) fatalx("%s: failed to send keys", __func__); config_setreset(env, RESET_CA, PROC_CERT); diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5 index 053aee34f..c3c0fa7bb 100644 --- a/sbin/iked/iked.conf.5 +++ b/sbin/iked/iked.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: iked.conf.5,v 1.96 2024/04/13 12:11:08 jmc Exp $ +.\" $OpenBSD: iked.conf.5,v 1.98 2024/07/13 12:58:51 jmc Exp $ .\" .\" Copyright (c) 2010 - 2014 Reyk Floeter .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. 
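Review bot: `EAP_TYPE_RADIUS` is defined as 10001, deliberately outside the 8-bit EAP Type space so it can never collide with a wire type, and that is also why `auth_eap` is widened to 16 bits in iked.h; the comment should say so, because a reader scanning the neighbouring one-byte constants will assume the same width. Suggest `#define EAP_TYPE_RADIUS 10001 /* internal pseudo type; > 255 so it cannot match a wire EAP type, never put on the wire */`. Any remaining `uint8_t` copy of `auth_eap` would silently truncate the value, so it is worth checking for such copies when this lands.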
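Review bot: parent_configure now pushes the RADIUS option blocks with `config_setradauth(env)` and `config_setradacct(env)`, but the reload path in parent_reload only sends `RESET_RADIUS` and, as far as this hunk shows, does not resend them; if `max-tries` or `max-failovers` are edited in iked.conf and reloaded, the ikev2 process would keep the old values unless the re-parse pushes them from elsewhere. Please confirm, or add the two calls right after `config_setreset(env, RESET_RADIUS, PROC_IKEV2);`. Both functions start and end outside the hunks.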
@@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 13 2024 $ +.Dd $Mdocdate: July 13 2024 $ .Dt IKED.CONF 5 .Os .Sh NAME @@ -648,11 +648,18 @@ for more information. .Bl -tag -width $domain -compact -offset indent .It Ic eap Ar type Use EAP to authenticate the initiator. -The only supported EAP -.Ar type -is currently -.Ar MSCHAP-V2 . +Currently +.Ar MSCHAP-V2 +or +.Ar RADIUS +is supported for the EAP +.Ar type . The responder will use RSA public key authentication. +To use RADIUS for EAP, +at least one RADIUS server should be configured. +See the +.Sx RADIUS +section for RADIUS support. .It Ic ecdsa256 Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. .It Ic ecdsa384 
@@ -780,6 +787,118 @@ The traffic will be blocked if the specified .Ar interface does not exist. .El +.Sh RADIUS CONFIGURATION +The configuration options for RADIUS are as follows: +.Bl -tag -width xxxx +.It Ic radius config Oo Ar af Oc Ar option Oo Ar vendor Oc Ar attr +Once RADIUS authentication has succeeded, +.Xr iked 8 +uses the RADIUS attributes containing the response from the RADIUS server to +construct IKEv2 configuration payloads (CP). +This configuration option defines a mapping from a RADIUS attribute to an IKE +CP with the following parameters: +.Pp +.Bl -tag -width "vendor attr" -compact +.It Op Ar af +Specify either +.Cm inet +or +.Cm inet6 +for the address family of the IKE CP option. +.It Ar option +Specify an IKE CP option. +Choose from +.Sx AUTOMATIC KEYING POLICIES +config options +.Po +.Cm address , +.Cm netmask , +.Cm name-server , +.Cm netbios-server , +.Cm dhcp-server , +and +.Cm access-server +.Pc +or use +.Cm none +to disable the existing or default mapping. +.It Ar attr +For a standard RADIUS attribute, +specify its Attribute-Type for +.Ar attr . +.It Ar vendor Ar attr +For a vendor specific RADIUS attribute, +specify its Vendor-ID for +.Ar vendor +and the Attribute-Type for +.Ar attr . 
+.El +.Pp +By default, +.Xr iked 8 +uses the following attributes for the options: +.Bl -column "inet6 netbios-server" "Vendor" "Type" "MS-Secondary-NBNS-Server" \ +-offset "XX" +.It Em "Option" Ta Em "Vendor" Ta Em "Type" Ta Em "Attribute Name" +.It Li "inet address" Ta "" Ta "8" Ta "Framed-IP-Address" +.It Li "inet netmask" Ta "" Ta "9" Ta "Framed-IP-Netmask" +.It Li "inet name-server" Ta "0x137" Ta "28" Ta "MS-Primary-DNS-Server" +.It Li "inet name-server" Ta "0x137" Ta "29" Ta "MS-Secondary-DNS-Server" +.It Li "inet netbios-server" Ta "0x137" Ta "30" Ta "MS-Primary-NBNS-Server" +.It Li "inet netbios-server" Ta "0x137" Ta "31" Ta "MS-Secondary-NBNS-Server" +.El +.It Ic radius Oo Ic accounting Oc Ic server Ar address Oo port Ar number Oc \ +secret Ar secret +Specify the RADIUS server's IP address and the shared secret with the server. +For a RADIUS accounting server, +use the +.Cm accounting +keyword. +Optionally specify the port number, +otherwise the default port number, +1812 for authentication or +1813 for accounting, +is used as the default. +.It Ic radius Oo Ic accounting Oc Ic max-tries Ar number +Specify the maximum number of retransmissions for a server. +.Xr iked 8 +will retransmit 2, 6, 14, 22, 30 seconds after the first transmission +and subsequent retransmissions will occur every 8 seconds. +If the number of retransmissions per server reaches this value, +the current server is marked as failed, +and the next server is used for subsequent requests. +For RADIUS accounting requests, +use the +.Cm accounting +keyword. +The default value is 3. +.It Ic radius Oo Ic accounting Oc Ic max-failovers Ar number +If a positive number is specified, +.Xr iked 8 +will failover to the next server when the current server is marked +.Dq fail . +This key and value specifies the maximum number of failovers. +For RADIUS accounting requests, +use the +.Cm accounting +keyword. +The default value is 0. 
+.It Ic radius dae listen on Ar address Oo port Ar number Oc +Specify the local +.Ar address +.Xr iked 8 +should listen on for the Dynamic Authorization Extensions +.Pq DAE, RFC 5176 +requests. +Optionally specify a port +.Ar number ; +the default port number is 3799. +.It Ic radius dae client Ar address Ic secret Ar secret +Specify an +.Ar address +for a DAE client and +.Ar secret . +.El .Sh PACKET FILTERING IPsec traffic appears unencrypted on the .Xr enc 4 diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 41720d397..5d95dd929 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.230 2024/03/02 16:16:07 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.231 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -217,8 +218,8 @@ struct iked_static_id { struct iked_auth { uint8_t auth_method; - uint8_t auth_eap; /* optional EAP */ uint8_t auth_length; /* zero if EAP */ + uint16_t auth_eap; /* optional EAP */ uint8_t auth_data[IKED_PSK_SIZE]; }; @@ -403,6 +404,15 @@ struct iked_ipcomp { uint8_t ic_transform; /* transform */ }; +struct iked_sastats { + uint64_t sas_ipackets; + uint64_t sas_opackets; + uint64_t sas_ibytes; + uint64_t sas_obytes; + uint64_t sas_idrops; + uint64_t sas_odrops; +}; + struct iked_sa { struct iked_sahdr sa_hdr; uint32_t sa_msgid; /* Last request rcvd */ @@ -485,6 +495,7 @@ struct iked_sa { struct iked_proposals sa_proposals; /* SA proposals */ struct iked_childsas sa_childsas; /* IPsec Child SAs */ struct iked_saflows sa_flows; /* IPsec flows */ + struct iked_sastats sa_stats; struct iked_sa *sa_nexti; /* initiated IKE SA */ struct iked_sa *sa_previ; /* matching back pointer */ 
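Review bot: `auth_eap` is widened to `uint16_t` and moved after `auth_length` without a comment saying why; the reason — `EAP_TYPE_RADIUS` in eap.h is an internal value above 255 that ikev2_resp_ike_eap switches on — is not visible from the struct. Suggest `uint16_t auth_eap; /* optional EAP type; 16 bits because EAP_TYPE_RADIUS is an internal value > 255 */`. As `struct iked_auth` appears to travel between the privsep processes inside the policy, the layout change is only safe while both sides are built from the same header, which the normal build guarantees.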
@@ -533,6 +544,11 @@ struct iked_sa { RB_ENTRY(iked_sa) sa_addrpool6_entry; /* pool entries */ time_t sa_last_recvd; #define IKED_IKE_SA_LAST_RECVD_TIMEOUT 300 /* 5 minutes */ + struct timespec sa_starttime; + + struct iked_radserver_req *sa_radreq; + struct iked_addr *sa_rad_addr; /* requested address */ + struct iked_addr *sa_rad_addr6; /* requested address */ }; RB_HEAD(iked_sas, iked_sa); RB_HEAD(iked_dstid_sas, iked_sa); @@ -648,6 +664,7 @@ struct iked_message { uint8_t msg_transform; uint16_t msg_flags; struct eap_msg msg_eap; + struct ibuf *msg_eapmsg; size_t msg_del_spisize; size_t msg_del_cnt; struct ibuf *msg_del_buf; 
@@ -702,6 +719,72 @@ struct iked_user { }; RB_HEAD(iked_users, iked_user); +struct iked_radserver_req; + +struct iked_radserver { + int rs_sock; + int rs_accounting; + struct event rs_ev; + struct iked *rs_env; + struct sockaddr_storage rs_sockaddr; + TAILQ_ENTRY(iked_radserver) rs_entry; + struct in_addr rs_nas_ipv4; + struct in6_addr rs_nas_ipv6; + unsigned int rs_reqseq; + TAILQ_HEAD(, iked_radserver_req) rs_reqs; + char rs_secret[]; +}; +TAILQ_HEAD(iked_radservers, iked_radserver); + +struct iked_raddae { + int rd_sock; + struct event rd_ev; + struct iked *rd_env; + struct sockaddr_storage rd_sockaddr; + TAILQ_ENTRY(iked_raddae) rd_entry; +}; +TAILQ_HEAD(iked_raddaes, iked_raddae); + +struct iked_radclient { + struct iked *rc_env; + struct sockaddr_storage rc_sockaddr; + TAILQ_ENTRY(iked_radclient) rc_entry; + char rc_secret[]; +}; +TAILQ_HEAD(iked_radclients , iked_radclient); + +struct iked_radopts { + int max_tries; + int max_failovers; +}; + +struct iked_radcfgmap { + uint16_t cfg_type; + uint32_t vendor_id; + uint8_t attr_type; + TAILQ_ENTRY(iked_radcfgmap) entry; +}; +TAILQ_HEAD(iked_radcfgmaps, iked_radcfgmap); + +extern const struct iked_radcfgmap radius_cfgmaps[]; + +struct iked_radserver_req { + struct iked_radserver *rr_server; + struct iked_sa *rr_sa; + struct iked_timer rr_timer; + int rr_reqid; + int rr_accounting; + struct timespec rr_accttime; + void *rr_reqpkt; + struct ibuf *rr_state; + char *rr_user; + int rr_ntry; + int rr_nfailover; + struct iked_cfg rr_cfg[IKED_CFG_MAX]; + unsigned int rr_ncfg; + TAILQ_ENTRY(iked_radserver_req) rr_entry; +}; + struct privsep_pipes { int *pp_pipes[PROC_MAX]; }; 
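Review bot: The new RADIUS structs document none of their ownership or lifetime rules, although config_doreset depends on them: `rs_secret[]` and `rc_secret[]` are NUL-terminated flexible members holding shared secrets, `rs_reqs` has to be drained with `iked_radius_request_free()` before a server is released, and `rr_reqpkt`, `rr_state` and `rr_user` in `struct iked_radserver_req` are presumably heap objects owned by the request. One-line comments on those members, e.g. `char rs_secret[]; /* NUL-terminated shared secret; release with freezero() */`, would let the next reader get the teardown right. Minor style: `TAILQ_HEAD(iked_radclients , iked_radclient);` has a stray space before the comma.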
@@ -810,6 +893,14 @@ struct iked { struct iked_activesas sc_activesas; struct iked_flows sc_activeflows; struct iked_users sc_users; + struct iked_radopts sc_radauth; + struct iked_radopts sc_radacct; + int sc_radaccton; + struct iked_radservers sc_radauthservers; + struct iked_radservers sc_radacctservers; + struct iked_radcfgmaps sc_radcfgmaps; + struct iked_raddaes sc_raddaes; + struct iked_radclients sc_raddaeclients; struct iked_stats sc_stats; @@ -941,6 +1032,20 @@ int config_setkeys(struct iked *); int config_getkey(struct iked *, struct imsg *); int config_setstatic(struct iked *); int config_getstatic(struct iked *, struct imsg *); +int config_setradauth(struct iked *); +int config_getradauth(struct iked *, struct imsg *); +int config_setradacct(struct iked *); +int config_getradacct(struct iked *, struct imsg *); +int config_setradserver(struct iked *, struct sockaddr *, socklen_t, + char *, int); +int config_getradserver(struct iked *, struct imsg *); +int config_setradcfgmap(struct iked *, int, uint32_t, uint8_t); +int config_getradcfgmap(struct iked *, struct imsg *); +int config_setraddae(struct iked *, struct sockaddr *, socklen_t); +int config_getraddae(struct iked *, struct imsg *); +int config_setradclient(struct iked *, struct sockaddr *, socklen_t, + char *); +int config_getradclient(struct iked *, struct imsg *); /* policy.c */ void policy_init(struct iked *); 
@@ -1157,6 +1262,17 @@ int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int, int eap_mschap_success(struct iked *, struct iked_sa *, int); int eap_challenge_request(struct iked *, struct iked_sa *, int); +/* radius.c */ +int iked_radius_request(struct iked *, struct iked_sa *, + struct iked_message *); +void iked_radius_request_free(struct iked *, struct iked_radserver_req *); +void iked_radius_on_event(int, short, void *); +void iked_radius_acct_on(struct iked *); +void iked_radius_acct_off(struct iked *); +void iked_radius_acct_start(struct iked *, struct iked_sa *); +void iked_radius_acct_stop(struct iked *, struct iked_sa *); +void iked_radius_dae_on_event(int, short, void *); + /* pfkey.c */ int pfkey_couple(struct iked *, struct iked_sas *, int); int pfkey_flow_add(struct iked *, struct iked_flow *); diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index c0add7c38..ccbab9de1 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.386 2024/03/21 22:08:49 tobhe Exp $ */ +/* $OpenBSD: ikev2.c,v 1.387 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -36,6 +36,7 @@ #include #include #include +#include #include #include @@ -284,6 +285,7 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) timer_add(env, &env->sc_inittmr, IKED_INITIATOR_INITIAL); } + iked_radius_acct_on(env); return (0); case IMSG_UDP_SOCKET: return (config_getsocket(env, imsg, ikev2_msg_cb)); 
@@ -295,6 +297,18 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) return (config_getflow(env, imsg)); case IMSG_CFG_USER: return (config_getuser(env, imsg)); + case IMSG_CFG_RADAUTH: + return (config_getradauth(env, imsg)); + case IMSG_CFG_RADACCT: + return (config_getradacct(env, imsg)); + case IMSG_CFG_RADSERVER: + return (config_getradserver(env, imsg)); + case IMSG_CFG_RADCFGMAP: + return (config_getradcfgmap(env, imsg)); + case IMSG_CFG_RADDAE: + return (config_getraddae(env, imsg)); + case IMSG_CFG_RADDAECLIENT: + return (config_getradclient(env, imsg)); case IMSG_COMPILE: return (config_getcompile(env)); case IMSG_CTL_STATIC: @@ -1782,6 +1796,7 @@ ikev2_init_done(struct iked *env, struct iked_sa *sa) ret = ikev2_childsa_enable(env, sa); if (ret == 0) { sa_state(env, sa, IKEV2_STATE_ESTABLISHED); + iked_radius_acct_start(env, sa); /* Delete exchange timeout. */ timer_del(env, &sa->sa_timer); ikev2_enable_timer(env, sa); @@ -2456,7 +2471,7 @@ ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf) struct ikev2_cp *cp; struct ikev2_cfg *cfg; struct iked_cfg *ikecfg; - unsigned int i; + unsigned int i, rad_ncfg = 0; uint32_t mask4; size_t len; struct sockaddr_in *in4; @@ -2479,8 +2494,15 @@ ikev2_add_cp(struct iked *env, struct iked_sa *sa, int type, struct ibuf *buf) return (-1); } - for (i = 0; i < pol->pol_ncfg; i++) { - ikecfg = &pol->pol_cfg[i]; + if (sa->sa_radreq != NULL) + rad_ncfg = sa->sa_radreq->rr_ncfg; + + for (i = 0; i < pol->pol_ncfg + rad_ncfg; i++) { + if (i < pol->pol_ncfg) + ikecfg = &pol->pol_cfg[i]; + else + ikecfg = &sa->sa_radreq->rr_cfg[i - pol->pol_ncfg]; + if (ikecfg->cfg_action != cp->cp_type) continue; /* only return one address in case of multiple pools */ 
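Review bot: The extended loop indexes `sa->sa_radreq->rr_cfg[i - pol->pol_ncfg]` for every `i` up to `pol->pol_ncfg + rad_ncfg`, so it is only in bounds if `rr_ncfg` never exceeds `IKED_CFG_MAX`, the size of `rr_cfg` declared in iked.h; that bound would be enforced in radius.c, which is not part of this diff, so please double-check it there or clamp here with `if (rad_ncfg > IKED_CFG_MAX) rad_ncfg = IKED_CFG_MAX;`. A short comment above the loop, `/* policy CP options first, then those learned from RADIUS */`, would also help. ikev2_add_cp continues outside the hunk.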
@@ -3857,6 +3879,8 @@ ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa, switch (sa->sa_policy->pol_auth.auth_eap) { case EAP_TYPE_MSCHAP_V2: return ikev2_resp_ike_eap_mschap(env, sa, msg); + case EAP_TYPE_RADIUS: + return iked_radius_request(env, sa, msg); } return -1; } @@ -4012,6 +4036,7 @@ ikev2_resp_ike_auth(struct iked *env, struct iked_sa *sa) ret = ikev2_childsa_enable(env, sa); if (ret == 0) { sa_state(env, sa, IKEV2_STATE_ESTABLISHED); + iked_radius_acct_start(env, sa); /* Delete exchange timeout. */ timer_del(env, &sa->sa_timer); ikev2_enable_timer(env, sa); @@ -4746,10 +4771,10 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa) nsa->sa_tag = sa->sa_tag; sa->sa_tag = NULL; } - if (sa->sa_eapid) { - nsa->sa_eapid = sa->sa_eapid; - sa->sa_eapid = NULL; - } + /* sa_eapid needs to be set on both for radius accounting */ + if (sa->sa_eapid) + nsa->sa_eapid = strdup(sa->sa_eapid); + log_info("%srekeyed as new IKESA %s (enc %s%s%s group %s prf %s)", SPI_SA(sa, NULL), print_spi(nsa->sa_hdr.sh_ispi, 8), print_xf(nsa->sa_encr->encr_id, cipher_keylength(nsa->sa_encr) - @@ -4760,6 +4785,8 @@ ikev2_ikesa_enable(struct iked *env, struct iked_sa *sa, struct iked_sa *nsa) print_xf(nsa->sa_dhgroup->id, 0, groupxfs), print_xf(nsa->sa_prf->hash_id, hash_keylength(sa->sa_prf), prfxfs)); sa_state(env, nsa, IKEV2_STATE_ESTABLISHED); + clock_gettime(CLOCK_MONOTONIC, &nsa->sa_starttime); + iked_radius_acct_start(env, nsa); ikev2_enable_timer(env, nsa); ikestat_inc(env, ikes_sa_rekeyed); @@ -7028,6 +7055,7 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family) const char *errstr = NULL; int ret, pass, passes; size_t i; + struct sockaddr_in *in4; switch (family) { case AF_INET: 
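Review bot: `nsa->sa_eapid = strdup(sa->sa_eapid);` is not checked; on allocation failure the rekeyed SA silently loses the EAP identity that the comment says RADIUS accounting needs. At minimum log it, `if ((nsa->sa_eapid = strdup(sa->sa_eapid)) == NULL) log_warn("%s: strdup", __func__);`, or treat it as a rekey failure if the surrounding code has an error path for that (ikev2_ikesa_enable starts and ends outside the hunk). Since the old SA now keeps its own copy instead of handing it over, whatever releases `sa_eapid` must run for both SAs, which is fine as long as config_free_sa frees it unconditionally.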
@@ -7045,8 +7073,23 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family) return (0); /* default if no pool configured */ ret = 0; + + /* handle the special addresses from RADIUS */ + if (sa->sa_rad_addr != NULL) { + in4 = (struct sockaddr_in *)&sa->sa_rad_addr->addr; + /* 0xFFFFFFFF allows the user to select an address (RFC 2865) */ + if (in4->sin_addr.s_addr == htonl(0xFFFFFFFF)) + ;/* this is default behavior if the user selects */ + /* 0xFFFFFFFE indicated the NAS should select (RFC 2865) */ + else if (in4->sin_addr.s_addr == htonl(0xFFFFFFFE)) { + free(sa->sa_cp_addr); + sa->sa_cp_addr = NULL; + } + } + /* two passes if client requests from specific pool */ - passes = (sa->sa_cp_addr != NULL || sa->sa_cp_addr6 != NULL) ? 2 : 1; + passes = (sa->sa_cp_addr != NULL || sa->sa_cp_addr6 != NULL || + sa->sa_rad_addr != NULL || sa->sa_rad_addr6 != NULL) ? 2 : 1; for (pass = 0; pass < passes; pass++) { /* loop over all address pool configs (addr_net) */ for (i = 0; i < pol->pol_ncfg; i++) { @@ -7062,13 +7105,16 @@ ikev2_cp_setaddr(struct iked *env, struct iked_sa *sa, sa_family_t family) return (0); } } - if (sa->sa_cp_addr != NULL) { + if (family == AF_INET) { free(sa->sa_cp_addr); sa->sa_cp_addr = NULL; - } - if (sa->sa_cp_addr6 != NULL) { + free(sa->sa_rad_addr); + sa->sa_rad_addr = NULL; + } else { free(sa->sa_cp_addr6); sa->sa_cp_addr6 = NULL; + free(sa->sa_rad_addr6); + sa->sa_rad_addr6 = NULL; } } @@ -7088,7 +7134,7 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa, char idstr[IKED_ID_SIZE]; struct iked_addr addr; uint32_t mask, host, lower, upper, start, nhost; - int requested = 0; + int requested = 0, rad_requested = 0; /* * failure: pool configured, but not requested. 
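Review bot: The RFC 2865 special-address block reads `sa->sa_rad_addr` as an IPv4 `sockaddr_in` without looking at the `family` argument, while the cleanup added further down distinguishes `AF_INET` from the rest; if ikev2_cp_setaddr is also invoked for `AF_INET6` while an IPv4 RADIUS address is pending, the `0xFFFFFFFE` case would free `sa_cp_addr` from the IPv6 call. Guarding it with `if (family == AF_INET && sa->sa_rad_addr != NULL)` makes the intent explicit either way. The empty statement `;/* this is default behavior if the user selects */` is also awkward; keeping only the `0xFFFFFFFE` test and moving the `0xFFFFFFFF` remark into a comment above it reads more clearly. ikev2_cp_setaddr starts outside the hunk.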
@@ -7165,8 +7211,14 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa, case AF_INET: cfg4 = (struct sockaddr_in *)&ikecfg->cfg.address.addr; mask = prefixlen2mask(ikecfg->cfg.address.addr_mask); - if (sa->sa_cp_addr != NULL) { - memcpy(&addr, sa->sa_cp_addr, sizeof(addr)); + if (sa->sa_cp_addr != NULL || sa->sa_rad_addr != NULL) { + if (sa->sa_rad_addr != NULL) { + rad_requested = 1; + memcpy(&addr, sa->sa_rad_addr, sizeof(addr)); + } else { + requested = 1; + memcpy(&addr, sa->sa_cp_addr, sizeof(addr)); + } key.sa_addrpool = &addr; in4 = (struct sockaddr_in *)&addr.addr; if ((in4->sin_addr.s_addr & mask) != @@ -7179,10 +7231,16 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa, *errstr = "requested addr in use"; return (-1); } - sa->sa_addrpool = sa->sa_cp_addr; - sa->sa_cp_addr = NULL; + if (sa->sa_rad_addr != NULL) { + sa->sa_addrpool = sa->sa_rad_addr; + sa->sa_rad_addr = NULL; + } else { + sa->sa_addrpool = sa->sa_cp_addr; + sa->sa_cp_addr = NULL; + } + free(sa->sa_cp_addr); + free(sa->sa_rad_addr); RB_INSERT(iked_addrpool, &env->sc_addrpool, sa); - requested = 1; goto done; } in4 = (struct sockaddr_in *)&addr.addr; @@ -7194,7 +7252,7 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa, case AF_INET6: cfg6 = (struct sockaddr_in6 *)&ikecfg->cfg.address.addr; in6 = (struct sockaddr_in6 *)&addr.addr; - if (sa->sa_cp_addr6 != NULL) { + if (sa->sa_cp_addr6 != NULL || sa->sa_rad_addr6 != NULL) { /* XXX not yet supported */ } in6->sin6_family = AF_INET6; 
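Review bot: After moving one of the two requested addresses into `sa->sa_addrpool`, the hunk does `free(sa->sa_cp_addr); free(sa->sa_rad_addr);` without clearing the pointer that was not moved, so whichever of `sa_cp_addr` / `sa_rad_addr` was still set is now dangling while the function returns success via `goto done`. Any later `free()` of that field is a double free: the cleanup at the end of ikev2_cp_setaddr only runs when no pool matched, and config_free_sa releases `sa_rad_addr` unconditionally. Set both to NULL after freeing: `free(sa->sa_cp_addr); sa->sa_cp_addr = NULL; free(sa->sa_rad_addr); sa->sa_rad_addr = NULL;`. ikev2_cp_setaddr_pool starts and ends outside the hunk.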
@@ -7280,9 +7338,10 @@ ikev2_cp_setaddr_pool(struct iked *env, struct iked_sa *sa, done: if (ikev2_print_id(IKESA_DSTID(sa), idstr, sizeof(idstr)) == -1) bzero(idstr, sizeof(idstr)); - log_info("%sassigned address %s to %s%s", SPI_SA(sa, NULL), + log_info("%sassigned address %s to %s%s%s", SPI_SA(sa, NULL), print_addr(&addr.addr), - idstr, requested ? " (requested by peer)" : ""); + idstr, requested ? " (requested by peer)" : "", + rad_requested? "(requested by RADIUS)" : ""); return (0); } @@ -7628,6 +7687,8 @@ ikev2_log_established(struct iked_sa *sa) { char dstid[IKED_ID_SIZE], srcid[IKED_ID_SIZE]; + clock_gettime(CLOCK_MONOTONIC, &sa->sa_starttime); + if (ikev2_print_id(IKESA_DSTID(sa), dstid, sizeof(dstid)) == -1) bzero(dstid, sizeof(dstid)); if (ikev2_print_id(IKESA_SRCID(sa), srcid, sizeof(srcid)) == -1) diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c index 15ef28251..12d801f45 100644 --- a/sbin/iked/ikev2_msg.c +++ b/sbin/iked/ikev2_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_msg.c,v 1.101 2024/03/02 16:16:07 tobhe Exp $ */ +/* $OpenBSD: ikev2_msg.c,v 1.102 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -203,6 +203,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg) ibuf_free(msg->msg_cookie); ibuf_free(msg->msg_cookie2); ibuf_free(msg->msg_del_buf); + ibuf_free(msg->msg_eapmsg); free(msg->msg_eap.eam_user); free(msg->msg_cp_addr); free(msg->msg_cp_addr6); @@ -219,6 +220,7 @@ ikev2_msg_cleanup(struct iked *env, struct iked_message *msg) msg->msg_cookie = NULL; msg->msg_cookie2 = NULL; msg->msg_del_buf = NULL; + msg->msg_eapmsg = NULL; msg->msg_eap.eam_user = NULL; msg->msg_cp_addr = NULL; msg->msg_cp_addr6 = NULL; diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c index 27605039a..ac8635e79 100644 --- a/sbin/iked/ikev2_pld.c +++ b/sbin/iked/ikev2_pld.c 
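Review bot: The new log fragment `rad_requested? "(requested by RADIUS)" : ""` lacks the leading space the peer variant has, so the line comes out as `...to <id>(requested by RADIUS)`; use `rad_requested ? " (requested by RADIUS)" : ""`, which also adds the space before `?` used elsewhere in the file. Because `rad_requested` and `requested` are set in mutually exclusive branches earlier in the function, only one suffix ever appears, so no further separator is needed. ikev2_cp_setaddr_pool starts outside the hunk.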
@@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2_pld.c,v 1.135 2024/04/02 19:58:28 tobhe Exp $ */ +/* $OpenBSD: ikev2_pld.c,v 1.136 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -2104,6 +2104,15 @@ ikev2_pld_eap(struct iked *env, struct ikev2_payload *pld, if (eap_parse(env, sa, msg, eap, msg->msg_response) == -1) return (-1); + if (msg->msg_parent->msg_eapmsg != NULL) { + log_info("%s: duplicate EAP in payload", __func__); + return (-1); + } + if ((msg->msg_parent->msg_eapmsg = ibuf_new(eap, eap_len)) + == NULL) { + log_debug("%s: failed to save eap", __func__); + return (-1); + } msg->msg_parent->msg_eap.eam_found = 1; } diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index 613eb8fb4..970a9e334 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.146 2024/04/25 14:24:54 jsg Exp $ */ +/* $OpenBSD: parse.y,v 1.147 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -38,9 +38,12 @@ #include #include #include +#include #include #include +#include #include +#include #include #include #include @@ -107,6 +110,8 @@ static char *ocsp_url = NULL; static long ocsp_tolerate = 0; static long ocsp_maxage = -1; static int cert_partial_chain = 0; +static struct iked_radopts + radauth, radacct; struct iked_transform ikev2_default_ike_transforms[] = { { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, @@ -394,6 +399,8 @@ static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *); static struct ipsec_addr_wrap * expand_keyword(struct ipsec_addr_wrap *); +struct iked_radserver * + create_radserver(const char *, u_short, const char *); struct ipsec_transforms *ipsec_transforms; struct ipsec_filters *ipsec_filters; @@ -407,6 +414,7 @@ typedef struct { uint8_t ikemode; uint8_t dir; uint8_t satype; + uint8_t accounting; char *string; uint16_t port; struct ipsec_hosts *hosts; 
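Review bot: The duplicate-EAP check `if (msg->msg_parent->msg_eapmsg != NULL)` runs after `eap_parse()` has already processed the payload, so a second EAP payload in the same message is parsed before being rejected; moving the check above the `eap_parse()` call rejects it earlier and avoids the wasted work. A one-line comment on the saved copy, `/* keep the raw EAP message; the RADIUS path relays it unparsed */`, would explain why a buffer is kept next to the already parsed `msg_eap` (my reading of eap.c's RADIUS branch, please confirm). ikev2_pld_eap starts and ends outside the hunk.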
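Review bot: `create_radserver` is declared with external linkage next to the `static` helper prototypes, but nothing in the visible hunks defines or calls it; if it is a leftover from an earlier iteration it should be dropped, otherwise it should be `static` like `expand_keyword` beside it, and `-Wmissing-prototypes` in the Makefile will not catch an unused declaration. The rest of this hunk is declarations only.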
@@ -427,6 +435,10 @@ typedef struct { struct ipsec_transforms *transforms; struct ipsec_filters *filters; struct ipsec_mode *mode; + struct { + uint32_t vendorid; + uint8_t attrtype; + } radattr; } v; int lineno; } YYSTYPE; @@ -446,6 +458,8 @@ typedef struct { %token TOLERATE MAXAGE DYNAMIC %token CERTPARTIALCHAIN %token REQUEST IFACE +%token RADIUS ACCOUNTING SERVER SECRET MAX_TRIES MAX_FAILOVERS +%token CLIENT DAE LISTEN ON %token STRING %token NUMBER %type string @@ -453,7 +467,7 @@ typedef struct { %type proto proto_list protoval %type hosts hosts_list %type port -%type portval af rdomain +%type portval af rdomain hexdecnumber %type peers %type anyhost %type host host_spec @@ -470,6 +484,8 @@ typedef struct { %type name iface %type cfg ikecfg ikecfgvals %type transform_esn +%type accounting +%type radattr %% grammar : /* empty */ @@ -478,6 +494,7 @@ grammar : /* empty */ | grammar set '\n' | grammar user '\n' | grammar ikev2rule '\n' + | grammar radius '\n' | grammar varset '\n' | grammar otherrule skipline '\n' | grammar error '\n' { file->errors++; } @@ -1039,6 +1056,11 @@ ikeauth : /* empty */ { $$.auth_eap = 0; explicit_bzero(&$2, sizeof($2)); } + | EAP RADIUS { + $$.auth_method = IKEV2_AUTH_SIG_ANY; + $$.auth_eap = EAP_TYPE_RADIUS; + $$.auth_length = 0; + } | EAP STRING { unsigned int i; @@ -1046,7 +1068,11 @@ ikeauth : /* empty */ { if ($2[i] == '-') $2[i] = '_'; - if (strcasecmp("mschap_v2", $2) != 0) { + if (strcasecmp("mschap_v2", $2) == 0) + $$.auth_eap = EAP_TYPE_MSCHAP_V2; + else if (strcasecmp("radius", $2) == 0) + $$.auth_eap = EAP_TYPE_RADIUS; + else { yyerror("unsupported EAP method: %s", $2); free($2); YYERROR; @@ -1054,7 +1080,6 @@ ikeauth : /* empty */ { free($2); $$.auth_method = IKEV2_AUTH_SIG_ANY; - $$.auth_eap = EAP_TYPE_MSCHAP_V2; $$.auth_length = 0; } | STRING { 
@@ -1245,6 +1270,202 @@ string : string STRING | STRING ; +radius : RADIUS accounting SERVER STRING port SECRET STRING + { + int ret, gai_err; + struct addrinfo hints, *ai; + u_short port; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if ((gai_err = getaddrinfo($4, NULL, &hints, &ai)) + != 0) { + yyerror("could not parse the address: %s: %s", + $4, gai_strerror(gai_err)); + free($4); + explicit_bzero($7, strlen($7)); + free($7); + YYERROR; + } + port = $5; + if (port == 0) + port = htons((!$2)? RADIUS_DEFAULT_PORT : + RADIUS_ACCT_DEFAULT_PORT); + socket_af(ai->ai_addr, port); + if ((ret = config_setradserver(env, ai->ai_addr, + ai->ai_addrlen, $7, $2)) != 0) { + yyerror("could not set radius server"); + free($4); + explicit_bzero($7, strlen($7)); + free($7); + YYERROR; + } + explicit_bzero($7, strlen($7)); + freeaddrinfo(ai); + free($4); + free($7); + } + | RADIUS accounting MAX_TRIES NUMBER { + if ($4 <= 0) { + yyerror("max-tries must a positive value"); + YYERROR; + } + if ($2) + radacct.max_tries = $4; + else + radauth.max_tries = $4; + } + | RADIUS accounting MAX_FAILOVERS NUMBER { + if ($4 < 0) { + yyerror("max-failovers must be 0 or a " + "positive value"); + YYERROR; + } + if ($2) + radacct.max_failovers = $4; + else + radauth.max_failovers = $4; + } + | RADIUS CONFIG af STRING radattr { + const struct ipsec_xf *xf; + int af, cfgtype; + + af = $3; + if (af == AF_UNSPEC) + af = AF_INET; + if (strcmp($4, "none") == 0) + cfgtype = 0; + else { + if ((xf = parse_xf($4, af, cpxfs)) == NULL || + xf->id == IKEV2_CFG_INTERNAL_IP4_SUBNET || + xf->id == IKEV2_CFG_INTERNAL_IP6_SUBNET) { + yyerror("not a valid ikecfg option"); + free($4); + YYERROR; + } + cfgtype = xf->id; + } + free($4); + config_setradcfgmap(env, cfgtype, $5.vendorid, + $5.attrtype); + } + | RADIUS DAE LISTEN ON STRING port { + int ret, gai_err; + struct addrinfo hints, *ai; + u_short port; + + 
memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if ((gai_err = getaddrinfo($5, NULL, &hints, &ai)) + != 0) { + yyerror("could not parse the address: %s: %s", + $5, gai_strerror(gai_err)); + free($5); + YYERROR; + } + port = $6; + if (port == 0) + port = htons(RADIUS_DAE_DEFAULT_PORT); + socket_af(ai->ai_addr, port); + if ((ret = config_setraddae(env, ai->ai_addr, + ai->ai_addrlen)) != 0) { + yyerror("could not set radius server"); + free($5); + YYERROR; + } + freeaddrinfo(ai); + free($5); + } + | RADIUS DAE CLIENT STRING SECRET STRING { + int gai_err; + struct addrinfo hints, *ai; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; + if ((gai_err = getaddrinfo($4, NULL, &hints, &ai)) + != 0) { + yyerror("could not parse the address: %s: %s", + $4, gai_strerror(gai_err)); + free($4); + explicit_bzero($6, strlen($6)); + free($6); + YYERROR; + } + config_setradclient(env, ai->ai_addr, ai->ai_addrlen, + $6); + free($4); + explicit_bzero($6, strlen($6)); + free($6); + freeaddrinfo(ai); + } + ; + +radattr : hexdecnumber hexdecnumber { + if ($1 < 0 || 0xffffffL < $1) { + yyerror("vendor-id must be in 0-0xffffff"); + YYERROR; + } + if ($2 < 0 || 256 <= $2) { + yyerror("attribute type must be in 0-255"); + YYERROR; + } + $$.vendorid = $1; + $$.attrtype = $2; + } + | hexdecnumber { + if ($1 < 0 || 256 <= $1) { + yyerror("attribute type must be in 0-255"); + YYERROR; + } + $$.vendorid = 0; + $$.attrtype = $1; + } + +hexdecnumber : STRING { + const char *errstr; + char *ep; + uintmax_t ul; + + if ($1[0] == '0' && $1[1] == 'x' && isxdigit($1[2])) { + ul = strtoumax($1 + 2, &ep, 16); + if (*ep != '\0') { + yyerror("`%s' is not a number", $1); + free($1); + YYERROR; + } + if (ul == UINTMAX_MAX || ul > UINT64_MAX) { + yyerror("`%s' is out-of-range", $1); + free($1); + YYERROR; + } + 
$$ = ul; + } else { + $$ = strtonum($1, 0, UINT64_MAX, &errstr); + if (errstr != NULL) { + yyerror("`%s' is %s", $1, errstr); + free($1); + YYERROR; + } + } + free($1); + } + | NUMBER + ; + +accounting : { + $$ = 0; + } + | ACCOUNTING { + $$ = 1; + } + ; + varset : STRING '=' string { char *s = $1; @@ -1336,6 +1557,7 @@ lookup(char *s) { /* this has to be sorted always */ static const struct keywords keywords[] = { + { "accounting", ACCOUNTING }, { "active", ACTIVE }, { "ah", AH }, { "any", ANY }, @@ -1343,8 +1565,10 @@ lookup(char *s) { "bytes", BYTES }, { "cert_partial_chain", CERTPARTIALCHAIN }, { "childsa", CHILDSA }, + { "client", CLIENT }, { "config", CONFIG }, { "couple", COUPLE }, + { "dae", DAE }, { "decouple", DECOUPLE }, { "default", DEFAULT }, { "dpd_check_interval", DPD_CHECK_INTERVAL }, @@ -1370,7 +1594,10 @@ lookup(char *s) { "inet6", INET6 }, { "ipcomp", IPCOMP }, { "lifetime", LIFETIME }, + { "listen", LISTEN }, { "local", LOCAL }, + { "max-failovers", MAX_FAILOVERS}, + { "max-tries", MAX_TRIES }, { "maxage", MAXAGE }, { "mobike", MOBIKE }, { "name", NAME }, @@ -1381,6 +1608,7 @@ lookup(char *s) { "nostickyaddress", NOSTICKYADDRESS }, { "novendorid", NOVENDORID }, { "ocsp", OCSP }, + { "on", ON }, { "passive", PASSIVE }, { "peer", PEER }, { "port", PORT }, @@ -1388,9 +1616,12 @@ lookup(char *s) { "proto", PROTO }, { "psk", PSK }, { "quick", QUICK }, + { "radius", RADIUS }, { "rdomain", RDOMAIN }, { "request", REQUEST }, { "sa", SA }, + { "secret", SECRET }, + { "server", SERVER }, { "set", SET }, { "skip", SKIP }, { "srcid", SRCID }, @@ -1792,6 +2023,10 @@ parse_config(const char *filename, struct iked *x_env) dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; decouple = passive = 0; ocsp_url = NULL; + radauth.max_tries = 3; + radauth.max_failovers = 0; + radacct.max_tries = 3; + radacct.max_failovers = 0; if (env->sc_opts & IKED_OPT_PASSIVE) passive = 1; 
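Review bot: In the `RADIUS accounting SERVER ...` rule, the branch taken when config_setradserver() fails frees $4 and $7 but never calls `freeaddrinfo(ai)`, so the list returned by the successful getaddrinfo() leaks on every rejected server line; the `RADIUS DAE LISTEN ON` rule has the same gap in its config_setraddae() failure branch, and both need `freeaddrinfo(ai);` before `YYERROR;`. In hexdecnumber, `isxdigit($1[2])` is passed a plain char, and a high-bit byte in the config file yields a negative value that is undefined for <ctype.h>, so use `isxdigit((unsigned char)$1[2])`. The same rule's range check `ul == UINTMAX_MAX || ul > UINT64_MAX` never consults errno, so an overflowing hex literal is only caught because strtoumax() saturates; clearing errno first and testing `errno == ERANGE` is the documented way. Minor: the message `"max-tries must a positive value"` is missing "be".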
@@ -1812,6 +2047,8 @@ parse_config(const char *filename, struct iked *x_env) env->sc_ocsp_maxage = ocsp_maxage; env->sc_cert_partial_chain = cert_partial_chain; env->sc_vendorid = vendorid; + env->sc_radauth = radauth; + env->sc_radacct = radacct; if (!rules) log_warnx("%s: no valid configuration rules found", diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index ac9e79c20..02b6cd897 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.84 2023/08/14 12:02:02 tobhe Exp $ */ +/* $OpenBSD: pfkey.c,v 1.85 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -111,8 +111,11 @@ int pfkey_write(struct iked *, struct sadb_msg *, struct iovec *, int, uint8_t **, ssize_t *); int pfkey_reply(int, uint8_t **, ssize_t *); void pfkey_dispatch(int, short, void *); -int pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *); +int pfkey_sa_lookup(struct iked *, struct iked_childsa *, uint64_t *, + struct iked_sastats *); int pfkey_sa_check_exists(struct iked *, struct iked_childsa *); +int pfkey_sa_sastats(struct iked *, struct iked_childsa *, + struct iked_sastats *); struct sadb_ident * pfkey_id2ident(struct iked_id *, unsigned int); @@ -872,7 +875,8 @@ pfkey_sa(struct iked *env, uint8_t satype, uint8_t action, struct iked_childsa * } int -pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) +pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used, + struct iked_sastats *stats) { struct iked_policy *pol = sa->csa_ikesa->sa_policy; struct sadb_msg *msg, smsg; @@ -880,6 +884,7 @@ pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) struct sadb_sa sadb; struct sadb_x_rdomain sa_rdomain; struct sadb_lifetime *sa_life; + struct sadb_x_counter *sa_counter; struct sockaddr_storage ssrc, sdst; struct iovec iov[IOV_CNT]; uint64_t pad = 0; 
@@ -1012,6 +1017,20 @@ pfkey_sa_lookup(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) *last_used = sa_life->sadb_lifetime_usetime; log_debug("%s: last_used %llu", __func__, *last_used); } + if (stats) { + if ((sa_counter = pfkey_find_ext(data, n, + SADB_X_EXT_COUNTER)) == NULL) { + /* has never been used */ + ret = -1; + goto done; + } + stats->sas_ibytes = sa_counter->sadb_x_counter_ibytes; + stats->sas_obytes = sa_counter->sadb_x_counter_obytes; + stats->sas_ipackets = sa_counter->sadb_x_counter_ipackets; + stats->sas_opackets = sa_counter->sadb_x_counter_opackets; + stats->sas_idrops = sa_counter->sadb_x_counter_idrops; + stats->sas_odrops = sa_counter->sadb_x_counter_odrops; + } #undef PAD done: @@ -1022,13 +1041,20 @@ done: int pfkey_sa_last_used(struct iked *env, struct iked_childsa *sa, uint64_t *last_used) { - return pfkey_sa_lookup(env, sa, last_used); + return pfkey_sa_lookup(env, sa, last_used, NULL); } int pfkey_sa_check_exists(struct iked *env, struct iked_childsa *sa) { - return pfkey_sa_lookup(env, sa, NULL); + return pfkey_sa_lookup(env, sa, NULL, NULL); +} + +int +pfkey_sa_sastats(struct iked *env, struct iked_childsa *sa, + struct iked_sastats *stats) +{ + return pfkey_sa_lookup(env, sa, NULL, stats); } int @@ -1582,7 +1608,8 @@ pfkey_sa_update_addresses(struct iked *env, struct iked_childsa *sa) int pfkey_sa_delete(struct iked *env, struct iked_childsa *sa) { - uint8_t satype; + uint8_t satype; + struct iked_sastats sas; if (!sa->csa_loaded || sa->csa_spi.spi == 0) return (0); 
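Review bot: A missing SADB_X_EXT_COUNTER extension makes pfkey_sa_lookup return -1, the same value used for a genuine PF_KEY lookup failure, so callers of pfkey_sa_sastats() cannot tell "SA exists but never carried traffic" from "lookup failed"; the only caller in this patch, pfkey_sa_delete, copes by ignoring the return value and relying on having zeroed `sas` beforehand. Either zero `*stats` at the top of the `if (stats)` block, before the pfkey_find_ext() call, so the contract does not depend on the caller, or document it on pfkey_sa_sastats with `/* returns -1 and leaves *stats untouched when the SA has no counters; callers must pre-zero */`. pfkey_sa_lookup starts and ends outside the hunk.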
@@ -1590,11 +1617,23 @@ pfkey_sa_delete(struct iked *env, struct iked_childsa *sa) if (pfkey_map(pfkey_satype, sa->csa_saproto, &satype) == -1) return (-1); + /* preserve the statistics */ + memset(&sas, 0, sizeof(sas)); + pfkey_sa_sastats(env, sa, &sas); + if (pfkey_sa(env, satype, SADB_DELETE, sa) == -1 && pfkey_sa_check_exists(env, sa) == 0) return (-1); sa->csa_loaded = 0; + + sa->csa_ikesa->sa_stats.sas_ipackets += sas.sas_ipackets; + sa->csa_ikesa->sa_stats.sas_opackets += sas.sas_opackets; + sa->csa_ikesa->sa_stats.sas_ibytes += sas.sas_ibytes; + sa->csa_ikesa->sa_stats.sas_obytes += sas.sas_obytes; + sa->csa_ikesa->sa_stats.sas_idrops += sas.sas_idrops; + sa->csa_ikesa->sa_stats.sas_odrops += sas.sas_odrops; + return (0); } diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c index a9e783c82..836a454dc 100644 --- a/sbin/iked/policy.c +++ b/sbin/iked/policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: policy.c,v 1.98 2024/02/03 00:54:14 jsg Exp $ */ +/* $OpenBSD: policy.c,v 1.99 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2020-2021 Tobias Heider @@ -60,6 +60,11 @@ policy_init(struct iked *env) { TAILQ_INIT(&env->sc_policies); TAILQ_INIT(&env->sc_ocsp); + TAILQ_INIT(&env->sc_radauthservers); + TAILQ_INIT(&env->sc_radacctservers); + TAILQ_INIT(&env->sc_radcfgmaps); + TAILQ_INIT(&env->sc_raddaes); + TAILQ_INIT(&env->sc_raddaeclients); RB_INIT(&env->sc_users); RB_INIT(&env->sc_sas); RB_INIT(&env->sc_dstid_sas); diff --git a/sbin/iked/radius.c b/sbin/iked/radius.c new file mode 100644 index 000000000..ab2e6fb1e --- /dev/null +++ b/sbin/iked/radius.c 
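Review bot: The return value of pfkey_sa_sastats() is dropped silently in pfkey_sa_delete; that is only correct because `sas` was zeroed just above, so extending the existing comment to `/* preserve the statistics (best effort: sas stays zero if the SA has no counters) */` saves the next reader a trip into pfkey_sa_lookup. The six `+=` lines that follow repeat the field list already spelled out in pfkey_sa_lookup; if iked_sastats gains a field both places must change, so a small static helper that adds one iked_sastats into another would keep them in step. pfkey_sa_delete's signature lies in the preceding hunk.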
@@ -0,0 +1,937 @@ +/* $OpenBSD: radius.c,v 1.7 2024/07/13 14:28:27 yasuoka Exp $ */ + +/* + * Copyright (c) 2024 Internet Initiative Japan Inc. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "iked.h" +#include "eap.h" +#include "ikev2.h" +#include "types.h" + +void iked_radius_request_send(struct iked *, void *); +void iked_radius_fill_attributes(struct iked_sa *, RADIUS_PACKET *); +void iked_radius_config(struct iked_radserver_req *, const RADIUS_PACKET *, + int, uint32_t, uint8_t); +void iked_radius_acct_request(struct iked *, struct iked_sa *, uint8_t); + +const struct iked_radcfgmap radius_cfgmaps[] = { + { IKEV2_CFG_INTERNAL_IP4_ADDRESS, 0, RADIUS_TYPE_FRAMED_IP_ADDRESS }, + { IKEV2_CFG_INTERNAL_IP4_NETMASK, 0, RADIUS_TYPE_FRAMED_IP_NETMASK }, + { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_PRIMARY_DNS_SERVER }, + { IKEV2_CFG_INTERNAL_IP4_DNS, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_SECONDARY_DNS_SERVER }, + { IKEV2_CFG_INTERNAL_IP4_NBNS, RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_PRIMARY_NBNS_SERVER }, + { IKEV2_CFG_INTERNAL_IP4_NBNS, 
RADIUS_VENDOR_MICROSOFT, + RADIUS_VTYPE_MS_SECONDARY_NBNS_SERVER }, + { 0 } +}; + +int +iked_radius_request(struct iked *env, struct iked_sa *sa, + struct iked_message *msg) +{ + struct eap_message *eap; + RADIUS_PACKET *pkt; + size_t len; + + eap = ibuf_data(msg->msg_eapmsg); + len = betoh16(eap->eap_length); + if (eap->eap_code != EAP_CODE_RESPONSE) { + log_debug("%s: eap_code is not response %u", __func__, + (unsigned)eap->eap_code); + return -1; + } + + if (eap->eap_type == EAP_TYPE_IDENTITY) { + if ((sa->sa_radreq = calloc(1, + sizeof(struct iked_radserver_req))) == NULL) { + log_debug( + "%s: calloc failed for iked_radserver_req: %s", + __func__, strerror(errno)); + return (-1); + } + timer_set(env, &sa->sa_radreq->rr_timer, + iked_radius_request_send, sa->sa_radreq); + sa->sa_radreq->rr_user = strdup(msg->msg_eap.eam_identity); + } + + if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCESS_REQUEST)) + == NULL) { + log_debug("%s: radius_new_request_packet failed %s", __func__, + strerror(errno)); + return -1; + } + + radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME, + sa->sa_radreq->rr_user); + if (sa->sa_radreq->rr_state != NULL) + radius_put_raw_attr(pkt, RADIUS_TYPE_STATE, + ibuf_data(sa->sa_radreq->rr_state), + ibuf_size(sa->sa_radreq->rr_state)); + + if (radius_put_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, + (uint8_t *)eap, len) == -1) { + log_debug("%s: radius_put_raw_attr_cat failed %s", __func__, + strerror(errno)); + return -1; + } + + iked_radius_fill_attributes(sa, pkt); + + /* save the request, it'll be needed for message authentication */ + if (sa->sa_radreq->rr_reqpkt != NULL) + radius_delete_packet(sa->sa_radreq->rr_reqpkt); + sa->sa_radreq->rr_reqpkt = pkt; + sa->sa_radreq->rr_sa = sa; + sa->sa_radreq->rr_ntry = 0; + + iked_radius_request_send(env, sa->sa_radreq); + + return 0; +} + +void +iked_radius_request_free(struct iked *env, struct iked_radserver_req *req) +{ + if (req == NULL) + return; + timer_del(env, &req->rr_timer); + 
free(req->rr_user); + ibuf_free(req->rr_state); + if (req->rr_reqpkt) + radius_delete_packet(req->rr_reqpkt); + if (req->rr_sa) + req->rr_sa->sa_radreq = NULL; + if (req->rr_server) + TAILQ_REMOVE(&req->rr_server->rs_reqs, req, rr_entry); + free(req); +} + +void +iked_radius_on_event(int fd, short ev, void *ctx) +{ + struct iked *env; + struct iked_radserver *server = ctx; + struct iked_radserver_req *req; + const struct iked_radcfgmap *cfgmap; + RADIUS_PACKET *pkt; + int i, resid; + struct ibuf *e; + const void *attrval; + size_t attrlen; + uint8_t code; + char username[256]; + u_char eapmsk[128]; + /* RFC 3748 defines the MSK minimum size is 64 bytes */ + size_t eapmsksiz = sizeof(eapmsk); + + env = server->rs_env; + pkt = radius_recv(server->rs_sock, 0); + if (pkt == NULL) { + log_info("%s: receiving a RADIUS message failed: %s", __func__, + strerror(errno)); + return; + } + resid = radius_get_id(pkt); + + TAILQ_FOREACH(req, &server->rs_reqs, rr_entry) { + if (req->rr_reqid == resid) + break; + } + if (req == NULL) { + log_debug("%s: received an unknown RADIUS message: id=%u", + __func__, (unsigned)resid); + return; + } + + radius_set_request_packet(pkt, req->rr_reqpkt); + if (radius_check_response_authenticator(pkt, server->rs_secret) != 0) { + log_info("%s: received an invalid RADIUS message: bad " + "response authenticator", __func__); + return; + } + if (req->rr_accounting) { + /* accounting */ + code = radius_get_code(pkt); + switch (code) { + case RADIUS_CODE_ACCOUNTING_RESPONSE: /* Expected */ + break; + default: + log_info("%s: received an invalid RADIUS message: " + "code %u", __func__, (unsigned)code); + } + timer_del(env, &req->rr_timer); + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + free(req); + return; + } + + /* authentication */ + if (radius_check_message_authenticator(pkt, server->rs_secret) != 0) { + log_info("%s: received an invalid RADIUS message: bad " + "message authenticator", __func__); + return; + } + + 
timer_del(env, &req->rr_timer); + req->rr_ntry = 0; + + if (req->rr_sa == NULL) + goto fail; + + code = radius_get_code(pkt); + switch (code) { + case RADIUS_CODE_ACCESS_CHALLENGE: + if (radius_get_raw_attr_ptr(pkt, RADIUS_TYPE_STATE, &attrval, + &attrlen) != 0) { + log_info("%s: received an invalid RADIUS message: no " + "state attribute", __func__); + goto fail; + } + if ((req->rr_state != NULL && + ibuf_set(req->rr_state, 0, attrval, attrlen) != 0) || + (req->rr_state = ibuf_new(attrval, attrlen)) == NULL) { + log_info("%s: ibuf_new() failed: %s", __func__, + strerror(errno)); + goto fail; + } + break; + case RADIUS_CODE_ACCESS_ACCEPT: + log_info("%s: received Access-Accept for %s", + SPI_SA(req->rr_sa, __func__), req->rr_user); + /* Try to retrieve the EAP MSK from the RADIUS response */ + if (radius_get_eap_msk(pkt, eapmsk, &eapmsksiz, + server->rs_secret) == 0) { + ibuf_free(req->rr_sa->sa_eapmsk); + if ((req->rr_sa->sa_eapmsk = ibuf_new(eapmsk, + eapmsksiz)) == NULL) { + log_info("%s: ibuf_new() failed: %s", __func__, + strerror(errno)); + goto fail; + } + } else + log_debug("Could not retrieve the EAP MSK from the " + "RADIUS message"); + + free(req->rr_sa->sa_eapid); + /* The EAP identity might be protected (RFC 3748 7.3) */ + if (radius_get_string_attr(pkt, RADIUS_TYPE_USER_NAME, + username, sizeof(username)) == 0 && + strcmp(username, req->rr_user) != 0) { + /* + * The Access-Accept might have a User-Name. It + * should be used for Accouting (RFC 2865 5.1). 
+ */ + free(req->rr_user); + req->rr_sa->sa_eapid = strdup(username); + } else + req->rr_sa->sa_eapid = req->rr_user; + req->rr_user = NULL; + + sa_state(env, req->rr_sa, IKEV2_STATE_AUTH_SUCCESS); + + /* Map RADIUS attributes to cp */ + if (TAILQ_EMPTY(&env->sc_radcfgmaps)) { + for (i = 0; radius_cfgmaps[i].cfg_type != 0; i++) { + cfgmap = &radius_cfgmaps[i]; + iked_radius_config(req, pkt, cfgmap->cfg_type, + cfgmap->vendor_id, cfgmap->attr_type); + } + } else { + TAILQ_FOREACH(cfgmap, &env->sc_radcfgmaps, entry) + iked_radius_config(req, pkt, cfgmap->cfg_type, + cfgmap->vendor_id, cfgmap->attr_type); + } + + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + break; + case RADIUS_CODE_ACCESS_REJECT: + log_info("%s: received Access-Reject for %s", + SPI_SA(req->rr_sa, __func__), req->rr_user); + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + break; + default: + log_debug("%s: received an invalid RADIUS message: code %u", + __func__, (unsigned)code); + break; + } + + /* get the length first */ + if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, NULL, + &attrlen) != 0) { + log_info("%s: failed to retrieve the EAP message", __func__); + goto fail; + } + /* allocate a buffer */ + if ((e = ibuf_new(NULL, attrlen)) == NULL) { + log_info("%s: ibuf_new() failed: %s", __func__, + strerror(errno)); + goto fail; + } + /* copy the message to the buffer */ + if (radius_get_raw_attr_cat(pkt, RADIUS_TYPE_EAP_MESSAGE, + ibuf_data(e), &attrlen) != 0) { + ibuf_free(e); + log_info("%s: failed to retrieve the EAP message", __func__); + goto fail; + } + ikev2_send_ike_e(env, req->rr_sa, e, IKEV2_PAYLOAD_EAP, + IKEV2_EXCHANGE_IKE_AUTH, 1); + return; + fail: + if (req->rr_server != NULL) + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + if (req->rr_sa != NULL) { + ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed"); + sa_free(env, req->rr_sa); + } +} + +void +iked_radius_request_send(struct iked 
*env, void *ctx) +{ + struct iked_radserver_req *req = ctx, *req0; + struct iked_radserver *server = req->rr_server; + const int timeouts[] = { 2, 4, 8 }; + uint8_t seq; + int i, max_tries, max_failovers; + struct sockaddr_storage ss; + socklen_t sslen; + struct iked_radservers *radservers; + struct timespec now; + + if (!req->rr_accounting) { + max_tries = env->sc_radauth.max_tries; + max_failovers = env->sc_radauth.max_failovers; + radservers = &env->sc_radauthservers; + } else { + max_tries = env->sc_radacct.max_tries; + max_failovers = env->sc_radacct.max_failovers; + radservers = &env->sc_radacctservers; + } + + if (req->rr_ntry > max_tries) { + req->rr_ntry = 0; + log_info("%s: RADIUS server %s failed", __func__, + print_addr(&server->rs_sockaddr)); + next_server: + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + if (req->rr_nfailover >= max_failovers || + TAILQ_NEXT(server, rs_entry) == NULL) { + log_info("%s: No more RADIUS server", __func__); + goto fail; + } else if (req->rr_state != NULL) { + log_info("%s: Can't change RADIUS server: " + "client has a state already", __func__); + goto fail; + } else { + TAILQ_REMOVE(radservers, server, rs_entry); + TAILQ_INSERT_TAIL(radservers, server, rs_entry); + server = TAILQ_FIRST(radservers); + log_info("%s: RADIUS server %s is active", + __func__, print_addr(&server->rs_sockaddr)); + } + req->rr_nfailover++; + } + + if (req->rr_server != NULL && + req->rr_server != TAILQ_FIRST(radservers)) { + /* Current server is marked fail */ + if (req->rr_state != NULL || req->rr_nfailover >= max_failovers) + goto fail; /* can't fail over */ + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + req->rr_nfailover++; + } + + if (req->rr_server == NULL) { + /* Select a new server */ + server = TAILQ_FIRST(radservers); + if (server == NULL) { + log_info("%s: No RADIUS server is configured", + __func__); + goto fail; + } + TAILQ_INSERT_TAIL(&server->rs_reqs, req, rr_entry); + 
req->rr_server = server; + + /* Prepare NAS-IP-Address */ + if (server->rs_nas_ipv4.s_addr == INADDR_ANY && + IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6)) { + sslen = sizeof(ss); + if (getsockname(server->rs_sock, (struct sockaddr *)&ss, + &sslen) == 0) { + if (ss.ss_family == AF_INET) + server->rs_nas_ipv4 = + ((struct sockaddr_in *)&ss) + ->sin_addr; + else + server->rs_nas_ipv6 = + ((struct sockaddr_in6 *)&ss) + ->sin6_addr; + } + } + } + if (req->rr_ntry == 0) { + /* decide the ID */ + seq = ++server->rs_reqseq; + for (i = 0; i < UCHAR_MAX; i++) { + TAILQ_FOREACH(req0, &server->rs_reqs, rr_entry) { + if (req0->rr_reqid == seq) + break; + } + if (req0 == NULL) + break; + seq++; + } + if (i >= UCHAR_MAX) { + log_info("%s: RADIUS server %s failed. Too many " + "pending requests", __func__, + print_addr(&server->rs_sockaddr)); + if (TAILQ_NEXT(server, rs_entry) != NULL) + goto next_server; + goto fail; + } + req->rr_reqid = seq; + radius_set_id(req->rr_reqpkt, req->rr_reqid); + } + + if (server->rs_nas_ipv4.s_addr != INADDR_ANY) + radius_put_ipv4_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IP_ADDRESS, + server->rs_nas_ipv4); + else if (!IN6_IS_ADDR_UNSPECIFIED(&server->rs_nas_ipv6)) + radius_put_ipv6_attr(req->rr_reqpkt, + RADIUS_TYPE_NAS_IPV6_ADDRESS, &server->rs_nas_ipv6); + /* Identifier */ + radius_put_string_attr(req->rr_reqpkt, RADIUS_TYPE_NAS_IDENTIFIER, + IKED_NAS_ID); + + if (req->rr_accounting) { + if (req->rr_ntry == 0 && req->rr_nfailover == 0) + radius_put_uint32_attr(req->rr_reqpkt, + RADIUS_TYPE_ACCT_DELAY_TIME, 0); + else { + clock_gettime(CLOCK_MONOTONIC, &now); + timespecsub(&now, &req->rr_accttime, &now); + radius_put_uint32_attr(req->rr_reqpkt, + RADIUS_TYPE_ACCT_DELAY_TIME, now.tv_sec); + } + radius_set_accounting_request_authenticator(req->rr_reqpkt, + server->rs_secret); + } else { + radius_put_message_authenticator(req->rr_reqpkt, + server->rs_secret); + } + + if (radius_send(server->rs_sock, req->rr_reqpkt, 0) < 0) + log_info("%s: sending a 
RADIUS message failed: %s", __func__, + strerror(errno)); + + if (req->rr_ntry >= (int)nitems(timeouts)) + timer_add(env, &req->rr_timer, timeouts[nitems(timeouts) - 1]); + else + timer_add(env, &req->rr_timer, timeouts[req->rr_ntry]); + req->rr_ntry++; + return; + fail: + if (req->rr_server != NULL) + TAILQ_REMOVE(&server->rs_reqs, req, rr_entry); + req->rr_server = NULL; + if (req->rr_sa != NULL) { + ikev2_ike_sa_setreason(req->rr_sa, "RADIUS request failed"); + sa_free(env, req->rr_sa); + } +} + +void +iked_radius_fill_attributes(struct iked_sa *sa, RADIUS_PACKET *pkt) +{ + /* NAS Port Type = Virtual */ + radius_put_uint32_attr(pkt, + RADIUS_TYPE_NAS_PORT_TYPE, RADIUS_NAS_PORT_TYPE_VIRTUAL); + /* Service Type = Framed */ + radius_put_uint32_attr(pkt, RADIUS_TYPE_SERVICE_TYPE, + RADIUS_SERVICE_TYPE_FRAMED); + /* Tunnel Type = EAP */ + radius_put_uint32_attr(pkt, RADIUS_TYPE_TUNNEL_TYPE, + RADIUS_TUNNEL_TYPE_ESP); + + radius_put_string_attr(pkt, RADIUS_TYPE_CALLED_STATION_ID, + print_addr(&sa->sa_local.addr)); + radius_put_string_attr(pkt, RADIUS_TYPE_CALLING_STATION_ID, + print_addr(&sa->sa_peer.addr)); +} + +void +iked_radius_config(struct iked_radserver_req *req, const RADIUS_PACKET *pkt, + int cfg_type, uint32_t vendor_id, uint8_t attr_type) +{ + unsigned int i; + struct iked_sa *sa = req->rr_sa; + struct in_addr ia4; + struct in6_addr ia6; + struct sockaddr_in *sin4; + struct sockaddr_in6 *sin6; + struct iked_addr *addr; + struct iked_cfg *ikecfg; + + for (i = 0; i < sa->sa_policy->pol_ncfg; i++) { + ikecfg = &sa->sa_policy->pol_cfg[i]; + if (ikecfg->cfg_type == cfg_type && + ikecfg->cfg_type != IKEV2_CFG_INTERNAL_IP4_ADDRESS) + return; /* use config rather than radius */ + } + switch (cfg_type) { + case IKEV2_CFG_INTERNAL_IP4_ADDRESS: + case IKEV2_CFG_INTERNAL_IP4_NETMASK: + case IKEV2_CFG_INTERNAL_IP4_DNS: + case IKEV2_CFG_INTERNAL_IP4_NBNS: + case IKEV2_CFG_INTERNAL_IP4_DHCP: + case IKEV2_CFG_INTERNAL_IP4_SERVER: + if (vendor_id == 0 && 
radius_has_attr(pkt, attr_type)) + radius_get_ipv4_attr(pkt, attr_type, &ia4); + else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id, + attr_type)) + radius_get_vs_ipv4_attr(pkt, vendor_id, attr_type, + &ia4); + else + break; /* no attribute contained */ + + if (cfg_type == IKEV2_CFG_INTERNAL_IP4_NETMASK) { + /* + * This assumes IKEV2_CFG_INTERNAL_IP4_ADDRESS is + * called before IKEV2_CFG_INTERNAL_IP4_NETMASK + */ + if (sa->sa_rad_addr == NULL) { + /* + * RFC 7296, IKEV2_CFG_INTERNAL_IP4_NETMASK + * must be used with + * IKEV2_CFG_INTERNAL_IP4_ADDRESS + */ + break; + } + if (ia4.s_addr == 0) { + log_debug("%s: netmask is wrong", __func__); + break; + } + if (ia4.s_addr == htonl(0)) + sa->sa_rad_addr->addr_mask = 0; + else + sa->sa_rad_addr->addr_mask = + 33 - ffs(ntohl(ia4.s_addr)); + if (sa->sa_rad_addr->addr_mask < 32) + sa->sa_rad_addr->addr_net = 1; + } + if (cfg_type == IKEV2_CFG_INTERNAL_IP4_ADDRESS) { + if ((addr = calloc(1, sizeof(*addr))) == NULL) { + log_warn("%s: calloc", __func__); + return; + } + sa->sa_rad_addr = addr; + } else { + req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY; + req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type; + addr = &req->rr_cfg[req->rr_ncfg].cfg.address; + req->rr_ncfg++; + } + addr->addr_af = AF_INET; + sin4 = (struct sockaddr_in *)&addr->addr; + sin4->sin_family = AF_INET; + sin4->sin_len = sizeof(struct sockaddr_in); + sin4->sin_addr = ia4; + break; + case IKEV2_CFG_INTERNAL_IP6_ADDRESS: + case IKEV2_CFG_INTERNAL_IP6_DNS: + case IKEV2_CFG_INTERNAL_IP6_NBNS: + case IKEV2_CFG_INTERNAL_IP6_DHCP: + case IKEV2_CFG_INTERNAL_IP6_SERVER: + if (vendor_id == 0 && radius_has_attr(pkt, attr_type)) + radius_get_ipv6_attr(pkt, attr_type, &ia6); + else if (vendor_id != 0 && radius_has_vs_attr(pkt, vendor_id, + attr_type)) + radius_get_vs_ipv6_attr(pkt, vendor_id, attr_type, + &ia6); + else + break; /* no attribute contained */ + + if (cfg_type == IKEV2_CFG_INTERNAL_IP6_ADDRESS) { + if ((addr = calloc(1, sizeof(*addr))) == 
NULL) { + log_warn("%s: calloc", __func__); + return; + } + sa->sa_rad_addr = addr; + } else { + req->rr_cfg[req->rr_ncfg].cfg_action = IKEV2_CP_REPLY; + req->rr_cfg[req->rr_ncfg].cfg_type = cfg_type; + addr = &req->rr_cfg[req->rr_ncfg].cfg.address; + req->rr_ncfg++; + } + addr->addr_af = AF_INET; + sin6 = (struct sockaddr_in6 *)&addr->addr; + sin6->sin6_family = AF_INET6; + sin6->sin6_len = sizeof(struct sockaddr_in6); + sin6->sin6_addr = ia6; + break; + } + return; +} + +void +iked_radius_acct_on(struct iked *env) +{ + if (TAILQ_EMPTY(&env->sc_radacctservers)) + return; + if (env->sc_radaccton == 0) { /* trigger once */ + iked_radius_acct_request(env, NULL, + RADIUS_ACCT_STATUS_TYPE_ACCT_ON); + env->sc_radaccton = 1; + } +} + +void +iked_radius_acct_off(struct iked *env) +{ + iked_radius_acct_request(env, NULL, RADIUS_ACCT_STATUS_TYPE_ACCT_OFF); +} + +void +iked_radius_acct_start(struct iked *env, struct iked_sa *sa) +{ + iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_START); +} + +void +iked_radius_acct_stop(struct iked *env, struct iked_sa *sa) +{ + iked_radius_acct_request(env, sa, RADIUS_ACCT_STATUS_TYPE_STOP); +} + +void +iked_radius_acct_request(struct iked *env, struct iked_sa *sa, uint8_t stype) +{ + struct iked_radserver_req *req; + RADIUS_PACKET *pkt; + struct iked_addr *addr4 = NULL; + struct iked_addr *addr6 = NULL; + struct in_addr mask4; + char sa_id[IKED_ID_SIZE]; + char sid[16 + 1]; + struct timespec now; + int cause; + + if (TAILQ_EMPTY(&env->sc_radacctservers)) + return; + /* + * In RFC2866 5.6, "Users who are delivered service without + * being authenticated SHOULD NOT generate Accounting records + */ + if (sa != NULL && sa->sa_eapid == NULL) { + /* fallback to IKEID for accounting */ + if (ikev2_print_id(IKESA_DSTID(sa), sa_id, sizeof(sa_id)) != -1) + sa->sa_eapid = strdup(sa_id); + if (sa->sa_eapid == NULL) + return; + } + + if ((req = calloc(1, sizeof(struct iked_radserver_req))) == NULL) { + log_debug("%s: calloc faile for 
iked_radserver_req: %s", + __func__, strerror(errno)); + return; + } + req->rr_accounting = 1; + clock_gettime(CLOCK_MONOTONIC, &now); + req->rr_accttime = now; + timer_set(env, &req->rr_timer, iked_radius_request_send, req); + + if ((pkt = radius_new_request_packet(RADIUS_CODE_ACCOUNTING_REQUEST)) + == NULL) { + log_debug("%s: radius_new_request_packet failed %s", __func__, + strerror(errno)); + return; + } + + /* RFC 2866 5.1. Acct-Status-Type */ + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE, stype); + + if (sa == NULL) { + /* ASSERT(stype == RADIUS_ACCT_STATUS_TYPE_ACCT_ON || + stype == RADIUS_ACCT_STATUS_TYPE_ACCT_OFF) */ + req->rr_reqpkt = pkt; + req->rr_ntry = 0; + iked_radius_request_send(env, req); + return; + } + + iked_radius_fill_attributes(sa, pkt); + + radius_put_string_attr(pkt, RADIUS_TYPE_USER_NAME, sa->sa_eapid); + + /* RFC 2866 5.5. Acct-Session-Id */ + snprintf(sid, sizeof(sid), "%016llx", + (unsigned long long)sa->sa_hdr.sh_ispi); + radius_put_string_attr(pkt, RADIUS_TYPE_ACCT_SESSION_ID, sid); + + /* Accounting Request must have Framed-IP-Address */ + addr4 = sa->sa_addrpool; + if (addr4 != NULL) { + radius_put_ipv4_attr(pkt, RADIUS_TYPE_FRAMED_IP_ADDRESS, + ((struct sockaddr_in *)&addr4->addr)->sin_addr); + if (addr4->addr_mask != 0) { + mask4.s_addr = htonl( + 0xFFFFFFFFUL << (32 - addr4->addr_mask)); + radius_put_ipv4_attr(pkt, + RADIUS_TYPE_FRAMED_IP_NETMASK, mask4); + } + } + addr6 = sa->sa_addrpool6; + if (addr6 != NULL) + radius_put_ipv6_attr(pkt, RADIUS_TYPE_FRAMED_IPV6_ADDRESS, + &((struct sockaddr_in6 *)&addr6->addr)->sin6_addr); + + /* RFC2866 5.6 Acct-Authentic */ + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_AUTHENTIC, + (sa->sa_radreq != NULL)? 
RADIUS_ACCT_AUTHENTIC_RADIUS : + RADIUS_ACCT_AUTHENTIC_LOCAL); + + switch (stype) { + case RADIUS_ACCT_STATUS_TYPE_START: + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_STATUS_TYPE, + RADIUS_ACCT_STATUS_TYPE_START); + break; + case RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE: + case RADIUS_ACCT_STATUS_TYPE_STOP: + /* RFC 2866 5.7. Acct-Session-Time */ + timespecsub(&now, &sa->sa_starttime, &now); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_SESSION_TIME, + now.tv_sec); + /* RFC 2866 5.10 Acct-Terminate-Cause */ + cause = RADIUS_TERMNATE_CAUSE_SERVICE_UNAVAIL; + if (sa->sa_reason) { + if (strcmp(sa->sa_reason, "received delete") == 0) { + cause = RADIUS_TERMNATE_CAUSE_USER_REQUEST; + } else if (strcmp(sa->sa_reason, "SA rekeyed") == 0) { + cause = RADIUS_TERMNATE_CAUSE_SESSION_TIMEOUT; + } else if (strncmp(sa->sa_reason, "retransmit", + strlen("retransmit")) == 0) { + cause = RADIUS_TERMNATE_CAUSE_LOST_SERVICE; + } else if (strcmp(sa->sa_reason, + "disconnect requested") == 0) { + cause = RADIUS_TERMNATE_CAUSE_ADMIN_RESET; + } + } + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_TERMINATE_CAUSE, + cause); + /* I/O statistics {Input,Output}-{Packets,Octets,Gigawords} */ + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_PACKETS, + sa->sa_stats.sas_ipackets); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_PACKETS, + sa->sa_stats.sas_opackets); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_OCTETS, + sa->sa_stats.sas_ibytes & 0xffffffffUL); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_OCTETS, + sa->sa_stats.sas_obytes & 0xffffffffUL); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_INPUT_GIGAWORDS, + sa->sa_stats.sas_ibytes >> 32); + radius_put_uint32_attr(pkt, RADIUS_TYPE_ACCT_OUTPUT_GIGAWORDS, + sa->sa_stats.sas_obytes >> 32); + break; + } + req->rr_reqpkt = pkt; + req->rr_ntry = 0; + iked_radius_request_send(env, req); +} + +void +iked_radius_dae_on_event(int fd, short ev, void *ctx) +{ + struct iked_raddae *dae = ctx; + struct iked *env = 
dae->rd_env; + RADIUS_PACKET *req = NULL, *res = NULL; + struct sockaddr_storage ss; + socklen_t sslen; + struct iked_radclient *client; + struct iked_sa *sa = NULL; + char attr[256], username[256]; + char *endp, *reason, *nakcause = NULL; + int code, n = 0; + uint64_t ispi = 0; + uint32_t u32, cause = 0; + struct iked_addr *addr4 = NULL; + + reason = "disconnect requested"; + + sslen = sizeof(ss); + req = radius_recvfrom(dae->rd_sock, 0, (struct sockaddr *)&ss, &sslen); + if (req == NULL) { + log_warn("%s: receiving a RADIUS message failed: %s", __func__, + strerror(errno)); + return; + } + TAILQ_FOREACH(client, &env->sc_raddaeclients, rc_entry) { + if (sockaddr_cmp((struct sockaddr *)&client->rc_sockaddr, + (struct sockaddr *)&ss, -1) == 0) + break; + } + if (client == NULL) { + log_warnx("%s: received RADIUS message from %s: " + "unknown client", __func__, print_addr(&ss)); + goto out; + } + + if (radius_check_accounting_request_authenticator(req, + client->rc_secret) != 0) { + log_warnx("%s: received an invalid RADIUS message from %s: bad " + "response authenticator", __func__, print_addr(&ss)); + goto out; + } + + if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) { + /* Code other than Disconnect-Request is not supported */ + if (code == RADIUS_CODE_COA_REQUEST) { + code = RADIUS_CODE_COA_NAK; + cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED; + nakcause = "Coa-Request is not supprted"; + goto send; + } + log_warnx("%s: received an invalid RADIUS message " + "from %s: unknown code %d", __func__, + print_addr(&ss), code); + goto out; + } + + log_info("received Disconnect-Request from %s", print_addr(&ss)); + + if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr, + sizeof(attr)) == 0 && strcmp(attr, IKED_NAS_ID) != 0) { + cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH; + nakcause = "NAS-Identifier is not matched"; + goto search_done; + } + + /* prepare User-Name attribute */ + memset(username, 0, sizeof(username)); 
+ radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username, + sizeof(username)); + + if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr, + sizeof(attr)) == 0) { + /* the client is to disconnect a session */ + ispi = strtoull(attr, &endp, 16); + if (attr[0] == '\0' || *endp != '\0' || errno == ERANGE || + ispi == ULLONG_MAX) { + cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE; + nakcause = "Session-Id is wrong"; + goto search_done; + + } + RB_FOREACH(sa, iked_sas, &env->sc_sas) { + if (sa->sa_hdr.sh_ispi == ispi) + break; + } + if (sa == NULL) + goto search_done; + if (username[0] != '\0' && (sa->sa_eapid == NULL || + strcmp(username, sa->sa_eapid) != 0)) { + /* specified User-Name attribute is mismatched */ + cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE; + nakcause = "User-Name is not matched"; + goto search_done; + } + ikev2_ike_sa_setreason(sa, reason); + ikev2_ike_sa_delete(env, sa); + n++; + } else if (username[0] != '\0') { + RB_FOREACH(sa, iked_sas, &env->sc_sas) { + if (sa->sa_eapid != NULL && + strcmp(sa->sa_eapid, username) == 0) { + ikev2_ike_sa_setreason(sa, reason); + ikev2_ike_sa_delete(env, sa); + n++; + } + } + } else if (radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS, + &u32) == 0) { + RB_FOREACH(sa, iked_sas, &env->sc_sas) { + addr4 = sa->sa_addrpool; + if (addr4 != NULL) { + if (u32 == ((struct sockaddr_in *)&addr4->addr) + ->sin_addr.s_addr) { + ikev2_ike_sa_setreason(sa, reason); + ikev2_ike_sa_delete(env, sa); + n++; + } + } + } + } + search_done: + if (n > 0) + code = RADIUS_CODE_DISCONNECT_ACK; + else { + if (nakcause == NULL) + nakcause = "session not found"; + if (cause == 0) + cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND; + code = RADIUS_CODE_DISCONNECT_NAK; + } + send: + res = radius_new_response_packet(code, req); + if (res == NULL) { + log_warn("%s: radius_new_response_packet", __func__); + goto out; + } + if (cause != 0) + radius_put_uint32_attr(res, RADIUS_TYPE_ERROR_CAUSE, cause); + 
radius_set_response_authenticator(res, client->rc_secret); + if (radius_sendto(dae->rd_sock, res, 0, (struct sockaddr *)&ss, sslen) + == -1) + log_warn("%s: sendto", __func__); + log_info("send %s for %s%s%s", + (code == RADIUS_CODE_DISCONNECT_ACK)? "Disconnect-ACK" : + (code == RADIUS_CODE_DISCONNECT_NAK)? "Disconnect-NAK" : "CoA-NAK", + print_addr(&ss), (nakcause)? ": " : "", (nakcause)? nakcause : ""); + out: + radius_delete_packet(req); + if (res != NULL) + radius_delete_packet(res); +} diff --git a/sbin/iked/types.h b/sbin/iked/types.h index 6690a4ab5..2f5b8b393 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h @@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.54 2024/02/15 20:10:45 tobhe Exp $ */ +/* $OpenBSD: types.h,v 1.55 2024/07/13 12:22:46 yasuoka Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -42,6 +42,7 @@ #define IKED_PUBKEY "local.pub" #define IKED_VENDOR_ID "OpenIKED-" +#define IKED_NAS_ID "OpenIKED" #define IKED_OCSP_RESPCERT "ocsp/responder.crt" @@ -112,6 +113,12 @@ enum imsg_type { IMSG_CFG_POLICY, IMSG_CFG_FLOW, IMSG_CFG_USER, + IMSG_CFG_RADAUTH, + IMSG_CFG_RADACCT, + IMSG_CFG_RADSERVER, + IMSG_CFG_RADCFGMAP, + IMSG_CFG_RADDAE, + IMSG_CFG_RADDAECLIENT, IMSG_CERTREQ, IMSG_CERT, IMSG_CERTVALID, @@ -150,6 +157,7 @@ enum flushmode { RESET_POLICY, RESET_SA, RESET_USER, + RESET_RADIUS, }; #ifndef nitems diff --git a/sbin/slaacd/engine.c b/sbin/slaacd/engine.c index fafeecf4d..f50fd6a82 100644 --- a/sbin/slaacd/engine.c +++ b/sbin/slaacd/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.90 2024/06/03 17:58:33 deraadt Exp $ */ +/* $OpenBSD: engine.c,v 1.91 2024/07/13 16:06:34 florian Exp $ */ /* * Copyright (c) 2017 Florian Obser @@ -968,7 +968,6 @@ iface_state_transition(struct slaacd_iface *iface, enum if_state new_state) struct address_proposal *addr_proposal; struct dfr_proposal *dfr_proposal; struct rdns_proposal *rdns_proposal; - char ifnamebuf[IF_NAMESIZE], *if_name; iface->state = new_state; 
@@ -1025,10 +1024,13 @@ iface_state_transition(struct slaacd_iface *iface, enum if_state new_state) break; } - if_name = if_indextoname(iface->if_index, ifnamebuf); - log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ? - "?" : if_name, if_state_name(old_state), if_state_name(new_state), - iface->timo.tv_sec); + if (log_getverbose()) { + char ifnamebuf[IF_NAMESIZE], *if_name; + if_name = if_indextoname(iface->if_index, ifnamebuf); + log_debug("%s[%s] %s -> %s, timo: %lld", __func__, + if_name == NULL ? "?" : if_name, if_state_name(old_state), + if_state_name(new_state), iface->timo.tv_sec); + } if (iface->timo.tv_sec == -1) { if (evtimer_pending(&iface->timer, NULL)) @@ -1043,7 +1045,6 @@ void addr_proposal_state_transition(struct address_proposal *addr_proposal, enum proposal_state old_state = addr_proposal->state; struct slaacd_iface *iface; uint32_t lifetime; - char ifnamebuf[IF_NAMESIZE], *if_name; addr_proposal->state = new_state; @@ -1103,11 +1104,14 @@ void addr_proposal_state_transition(struct address_proposal *addr_proposal, break; } - if_name = if_indextoname(addr_proposal->if_index, ifnamebuf); - log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ? - "?" : if_name, proposal_state_name(old_state), - proposal_state_name(new_state), - addr_proposal->timo.tv_sec); + if (log_getverbose()) { + char ifnamebuf[IF_NAMESIZE], *if_name; + if_name = if_indextoname(addr_proposal->if_index, ifnamebuf); + log_debug("%s[%s] %s -> %s, timo: %lld", __func__, + if_name == NULL ? "?" : if_name, + proposal_state_name(old_state), + proposal_state_name(new_state), addr_proposal->timo.tv_sec); + } if (addr_proposal->timo.tv_sec == -1) { if (evtimer_pending(&addr_proposal->timer, NULL)) @@ -1122,7 +1126,6 @@ void dfr_proposal_state_transition(struct dfr_proposal *dfr_proposal, enum proposal_state old_state = dfr_proposal->state; struct slaacd_iface *iface; uint32_t lifetime; - char ifnamebuf[IF_NAMESIZE], *if_name; dfr_proposal->state = new_state; 
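Review bot: The verbosity-gated logging block added here is repeated almost verbatim in the -1103, -1176 and -1250 hunks of this file, and the four copies already disagree on style: the dfr and rdns copies put a blank line after the local declaration, the iface and addr_proposal copies do not. A small static helper taking the caller's `__func__`, the interface index, the two state names and the timeout keeps one copy of the if_indextoname/log_debug pair and settles the blank-line convention once. Each call site then becomes one statement, e.g. `log_state_transition(__func__, iface->if_index, if_state_name(old_state), if_state_name(new_state), iface->timo.tv_sec);`; the state-name lookups run even when not verbose, which is fine if they are pure table lookups (presumably so — verify). The enclosing functions start and end outside these hunks.
```c
/* Log an interface or proposal state transition; no work unless verbose. */
static void
log_state_transition(const char *func, unsigned int if_index,
    const char *old_name, const char *new_name, long long timo)
{
	char	 ifnamebuf[IF_NAMESIZE], *if_name;

	if (!log_getverbose())
		return;
	if_name = if_indextoname(if_index, ifnamebuf);
	log_debug("%s[%s] %s -> %s, timo: %lld", func,
	    if_name == NULL ? "?" : if_name, old_name, new_name, timo);
}
```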
@@ -1176,11 +1179,15 @@ void dfr_proposal_state_transition(struct dfr_proposal *dfr_proposal, break; } - if_name = if_indextoname(dfr_proposal->if_index, ifnamebuf); - log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ? - "?" : if_name, proposal_state_name(old_state), - proposal_state_name(new_state), - dfr_proposal->timo.tv_sec); + if (log_getverbose()) { + char ifnamebuf[IF_NAMESIZE], *if_name; + + if_name = if_indextoname(dfr_proposal->if_index, ifnamebuf); + log_debug("%s[%s] %s -> %s, timo: %lld", __func__, + if_name == NULL ? "?" : if_name, + proposal_state_name(old_state), + proposal_state_name(new_state), dfr_proposal->timo.tv_sec); + } if (dfr_proposal->timo.tv_sec == -1) { if (evtimer_pending(&dfr_proposal->timer, NULL)) @@ -1196,7 +1203,6 @@ void rdns_proposal_state_transition(struct rdns_proposal *rdns_proposal, enum proposal_state old_state = rdns_proposal->state; struct slaacd_iface *iface; uint32_t lifetime; - char ifnamebuf[IF_NAMESIZE], *if_name; rdns_proposal->state = new_state; @@ -1250,11 +1256,15 @@ void rdns_proposal_state_transition(struct rdns_proposal *rdns_proposal, break; } - if_name = if_indextoname(rdns_proposal->if_index, ifnamebuf); - log_debug("%s[%s] %s -> %s, timo: %lld", __func__, if_name == NULL ? - "?" : if_name, proposal_state_name(old_state), - proposal_state_name(new_state), - rdns_proposal->timo.tv_sec); + if (log_getverbose()) { + char ifnamebuf[IF_NAMESIZE], *if_name; + + if_name = if_indextoname(rdns_proposal->if_index, ifnamebuf); + log_debug("%s[%s] %s -> %s, timo: %lld", __func__, + if_name == NULL ? "?" : if_name, + proposal_state_name(old_state), + proposal_state_name(new_state), rdns_proposal->timo.tv_sec); + } if (rdns_proposal->timo.tv_sec == -1) { if (evtimer_pending(&rdns_proposal->timer, NULL)) diff --git a/share/man/man4/bio.4 b/share/man/man4/bio.4 index 71a4cb8e6..46564cdb9 100644 --- a/share/man/man4/bio.4 +++ b/share/man/man4/bio.4 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: bio.4,v 1.34 2016/11/26 16:29:33 jmc Exp $ +.\" $OpenBSD: bio.4,v 1.35 2024/07/13 15:28:42 krw Exp $ .\" .\" Copyright (c) 2002 Niklas Hallqvist .\" Copyright (c) 2006 Marco Peereboom @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: July 13 2024 $ .Dt BIO 4 .Os .Sh NAME @@ -70,6 +70,8 @@ Areca Technology Corporation SAS/SATA RAID controller Compaq Smart Array 2/3/4 SCSI RAID controller .It Xr ciss 4 Compaq Smart Array SAS/SATA/SCSI RAID controller +.It Xr gdt 4 +ICP-Vortex and Intel GDT SATA/SCSI RAID controller .It Xr ips 4 IBM SATA/SCSI ServeRAID controller .It Xr mfi 4 @@ -80,6 +82,8 @@ LSI Logic MegaRAID SAS Fusion RAID controller LSI Logic Fusion-MPT Message Passing Interface .It Xr mpii 4 LSI Logic Fusion-MPT Message Passing Interface II +.It Xr nvme 4 +NVMe storage controllers .It Xr softraid 4 Software RAID .El diff --git a/sys/arch/amd64/amd64/mptramp.S b/sys/arch/amd64/amd64/mptramp.S index 082f1d4a7..96247c8e8 100644 --- a/sys/arch/amd64/amd64/mptramp.S +++ b/sys/arch/amd64/amd64/mptramp.S @@ -1,4 +1,4 @@ -/* $OpenBSD: mptramp.S,v 1.22 2022/12/01 00:26:15 guenther Exp $ */ +/* $OpenBSD: mptramp.S,v 1.23 2024/07/12 13:10:58 deraadt Exp $ */ /* $NetBSD: mptramp.S,v 1.1 2003/04/26 18:39:30 fvdl Exp $ */ /*- @@ -233,6 +233,7 @@ GENTRY(cpu_spinup_finish) movl $CR0_DEFAULT,%eax movq %rax,%cr0 call cpu_hatch + movq $0,-8(%rsp) END(cpu_spinup_finish) /* NOTREACHED */ diff --git a/sys/conf/files b/sys/conf/files index 1be0a066e..a97e3ef22 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.733 2024/06/12 12:54:54 bluhm Exp $ +# $OpenBSD: files,v 1.734 2024/07/13 13:20:44 bluhm Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 
@@ -898,7 +898,7 @@ file netinet/tcp_subr.c file netinet/tcp_timer.c file netinet/tcp_usrreq.c file netinet/udp_usrreq.c -file netinet/ip_gre.c +file netinet/ip_gre.c gre file netinet/ip_ipsp.c ipsec | tcp_signature file netinet/ip_spd.c ipsec | tcp_signature file netinet/ip_ipip.c diff --git a/sys/dev/ic/nvme.c b/sys/dev/ic/nvme.c index dcbf40187..a37f0f745 100644 --- a/sys/dev/ic/nvme.c +++ b/sys/dev/ic/nvme.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nvme.c,v 1.119 2024/07/08 16:07:36 krw Exp $ */ +/* $OpenBSD: nvme.c,v 1.121 2024/07/13 08:59:41 dv Exp $ */ /* * Copyright (c) 2014 David Gwynne diff --git a/sys/dev/pci/drm/amd/amdgpu/aldebaran.c b/sys/dev/pci/drm/amd/amdgpu/aldebaran.c index fa6193535..7fea4f0f4 100644 --- a/sys/dev/pci/drm/amd/amdgpu/aldebaran.c +++ b/sys/dev/pci/drm/amd/amdgpu/aldebaran.c @@ -100,7 +100,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev) adev->ip_blocks[i].status.hw = false; } - return r; + return 0; } static int diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c index 418ff7cd6..1c2c9ff9d 100644 --- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c +++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_debugfs.c @@ -2052,12 +2052,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f, struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private; char reg_offset[11]; uint32_t *new = NULL, *tmp = NULL; - int ret, i = 0, len = 0; + unsigned int len = 0; + int ret, i = 0; do { memset(reg_offset, 0, 11); if (copy_from_user(reg_offset, buf + len, - min(10, ((int)size-len)))) { + min(10, (size-len)))) { ret = -EFAULT; goto error_free; } diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c index 435571881..c4b554486 100644 --- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c +++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_gfx.c 
@@ -1187,7 +1187,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev, fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes); break; default: - break; + dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id); + return; } if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) { diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c index 10d43e720..10b1f659c 100644 --- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c +++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_irq.c @@ -446,6 +446,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev, entry.ih = ih; entry.iv_entry = (const uint32_t *)&ih->ring[ring_index]; + + /* + * timestamp is not supported on some legacy SOCs (cik, cz, iceland, + * si and tonga), so initialize timestamp and timestamp_src to 0 + */ + entry.timestamp = 0; + entry.timestamp_src = 0; + amdgpu_ih_decode_iv(adev, &entry); trace_amdgpu_iv(ih - &adev->irq.ih, &entry); diff --git a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c index 6a5128bc3..d7ffec7b8 100644 --- a/sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c +++ b/sys/dev/pci/drm/amd/amdgpu/amdgpu_vce.c @@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, uint32_t created = 0; uint32_t allocated = 0; uint32_t tmp, handle = 0; - uint32_t *size = &tmp; + uint32_t dummy = 0xffffffff; + uint32_t *size = &dummy; unsigned int idx; int i, r = 0; diff --git a/sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c b/sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c index 8b8086d5c..896c7e434 100644 --- a/sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c +++ b/sys/dev/pci/drm/amd/amdgpu/sienna_cichlid.c @@ -93,7 +93,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev) adev->ip_blocks[i].status.hw = false; } - return r; + return 0; } static int diff --git a/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c index ab5cdb0ab..4aeaaa58f 100644 
--- a/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -264,7 +264,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc) static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc, u32 *vbl, u32 *position) { - u32 v_blank_start, v_blank_end, h_position, v_position; + u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0; struct amdgpu_crtc *acrtc = NULL; if ((crtc < 0) || (crtc >= adev->mode_info.num_crtc)) @@ -801,7 +801,7 @@ static void dm_handle_hpd_work(struct work_struct *work) */ static void dm_dmub_outbox1_low_irq(void *interrupt_params) { - struct dmub_notification notify; + struct dmub_notification notify = {0}; struct common_irq_params *irq_params = interrupt_params; struct amdgpu_device *adev = irq_params->adev; struct amdgpu_display_manager *dm = &adev->dm; @@ -6899,7 +6899,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state, struct amdgpu_dm_connector *aconnector; struct dm_connector_state *dm_conn_state; int i, j, ret; - int vcpi, pbn_div, pbn, slot_num = 0; + int vcpi, pbn_div, pbn = 0, slot_num = 0; for_each_new_connector_in_state(state, connector, new_con_state, i) { @@ -10070,7 +10070,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state; struct drm_dp_mst_topology_mgr *mgr; struct drm_dp_mst_topology_state *mst_state; - struct dsc_mst_fairness_vars vars[MAX_PIPES]; + struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0}; trace_amdgpu_dm_atomic_check_begin(state); diff --git a/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c index c92b4bc99..ab33a266b 100644 --- a/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/sys/dev/pci/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c 
@@ -1219,7 +1219,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b size_t size, loff_t *pos) { int r; - uint8_t data[36]; + uint8_t data[36] = {0}; struct amdgpu_dm_connector *connector = file_inode(f)->i_private; struct dm_crtc_state *acrtc_state; uint32_t write_size = 36; @@ -2929,7 +2929,7 @@ static int psr_read_residency(void *data, u64 *val) { struct amdgpu_dm_connector *connector = data; struct dc_link *link = connector->dc_link; - u32 residency; + u32 residency = 0; link->dc->link_srv->edp_get_psr_residency(link, &residency); diff --git a/sys/dev/pci/drm/amd/display/dc/core/dc_resource.c b/sys/dev/pci/drm/amd/display/dc/core/dc_resource.c index efdd9b134..d0df36052 100644 --- a/sys/dev/pci/drm/amd/display/dc/core/dc_resource.c +++ b/sys/dev/pci/drm/amd/display/dc/core/dc_resource.c @@ -2385,6 +2385,9 @@ static struct audio *find_first_free_audio( { int i, available_audio_count; + if (id == ENGINE_ID_UNKNOWN) + return NULL; + available_audio_count = pool->audio_count; for (i = 0; i < available_audio_count; i++) { diff --git a/sys/dev/pci/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/sys/dev/pci/drm/amd/display/dc/irq/dce110/irq_service_dce110.c index 44649db5f..5646b7788 100644 --- a/sys/dev/pci/drm/amd/display/dc/irq/dce110/irq_service_dce110.c +++ b/sys/dev/pci/drm/amd/display/dc/irq/dce110/irq_service_dce110.c @@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service, info->ext_id); uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK; - struct timing_generator *tg = - dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; + struct timing_generator *tg; + + if (pipe_offset >= MAX_PIPES) + return false; + + tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg; if (enable) { if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) { diff --git a/sys/dev/pci/drm/amd/display/modules/hdcp/hdcp_ddc.c b/sys/dev/pci/drm/amd/display/modules/hdcp/hdcp_ddc.c index 352a94b48..0f345a2f8 100644 
--- a/sys/dev/pci/drm/amd/display/modules/hdcp/hdcp_ddc.c +++ b/sys/dev/pci/drm/amd/display/modules/hdcp/hdcp_ddc.c @@ -158,6 +158,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, uint32_t cur_size = 0; uint32_t data_offset = 0; + if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { + return MOD_HDCP_STATUS_DDC_FAILURE; + } + if (is_dp_hdcp(hdcp)) { while (buf_len > 0) { cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); @@ -217,6 +221,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, uint32_t cur_size = 0; uint32_t data_offset = 0; + if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { + return MOD_HDCP_STATUS_DDC_FAILURE; + } + if (is_dp_hdcp(hdcp)) { while (buf_len > 0) { cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); diff --git a/sys/dev/pci/drm/amd/include/atomfirmware.h b/sys/dev/pci/drm/amd/include/atomfirmware.h index 90c9d574a..8a1702ff6 100644 --- a/sys/dev/pci/drm/amd/include/atomfirmware.h +++ b/sys/dev/pci/drm/amd/include/atomfirmware.h @@ -702,7 +702,7 @@ struct atom_gpio_pin_lut_v2_1 { struct atom_common_table_header table_header; /*the real number of this included in the structure is calcualted by using the (whole structure size - the header size)/size of atom_gpio_pin_lut */ - struct atom_gpio_pin_assignment gpio_pin[8]; + struct atom_gpio_pin_assignment gpio_pin[]; }; @@ -3551,7 +3551,7 @@ struct atom_gpio_voltage_object_v4 uint8_t phase_delay_us; // phase delay in unit of micro second uint8_t reserved; uint32_t gpio_mask_val; // GPIO Mask value - struct atom_voltage_gpio_map_lut voltage_gpio_lut[1]; + struct atom_voltage_gpio_map_lut voltage_gpio_lut[] __counted_by(gpio_entry_num); }; struct atom_svid2_voltage_object_v4 diff --git a/sys/dev/pci/drm/apple/apldcp.c b/sys/dev/pci/drm/apple/apldcp.c index c27bcd728..6ab379c6b 100644 --- a/sys/dev/pci/drm/apple/apldcp.c +++ b/sys/dev/pci/drm/apple/apldcp.c 
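Review bot: `voltage_gpio_lut[] __counted_by(gpio_entry_num)` in the -3551 hunk depends on the `__counted_by` attribute macro from Linux's compiler headers; unless the OpenBSD drm compat headers already provide it (possibly as an empty definition) this header will not preprocess, and the count field it names lies outside the hunk, so its presence in this struct should be confirmed. The -702 hunk turns `gpio_pin[8]` into `gpio_pin[]`, which shrinks `sizeof(struct atom_gpio_pin_lut_v2_1)` to the header alone; the comment above it says consumers derive the entry count from the whole-structure size, so any caller using `sizeof` on that struct should be re-checked against the new value.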
@@ -1,4 +1,4 @@ -/* $OpenBSD: apldcp.c,v 1.1 2024/01/22 18:54:01 kettenis Exp $ */ +/* $OpenBSD: apldcp.c,v 1.2 2024/07/12 10:01:28 tobhe Exp $ */ /* * Copyright (c) 2023 Mark Kettenis * @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -103,14 +104,19 @@ apldcp_activate(struct device *self, int act) #include -struct apple_rtkit_ep { - struct apple_rtkit *rtk; - uint8_t ep; - +struct apple_rtkit_task { + struct apple_rtkit_ep *rtkep; struct task task; uint64_t msg; }; +struct apple_rtkit_ep { + struct apple_rtkit *rtk; + uint8_t ep; +}; + +static struct pool rtktask_pool; + struct apple_rtkit { struct rtkit_state *state; struct apple_rtkit_ep ep[64]; @@ -170,10 +176,12 @@ apple_rtkit_logmap(void *cookie, bus_addr_t addr) void apple_rtkit_do_recv(void *arg) { - struct apple_rtkit_ep *rtkep = arg; + struct apple_rtkit_task *rtktask = arg; + struct apple_rtkit_ep *rtkep = rtktask->rtkep; struct apple_rtkit *rtk = rtkep->rtk; - rtk->ops->recv_message(rtk->cookie, rtkep->ep, rtkep->msg); + rtk->ops->recv_message(rtk->cookie, rtkep->ep, rtktask->msg); + pool_put(&rtktask_pool, rtktask); } void @@ -181,9 +189,15 @@ apple_rtkit_recv(void *cookie, uint64_t msg) { struct apple_rtkit_ep *rtkep = cookie; struct apple_rtkit *rtk = rtkep->rtk; + struct apple_rtkit_task *rtktask; - rtkep->msg = msg; - task_add(rtk->tq, &rtkep->task); + rtktask = pool_get(&rtktask_pool, PR_NOWAIT | PR_ZERO); + KASSERT(rtktask != NULL); + + rtktask->rtkep = rtkep; + rtktask->msg = msg; + task_set(&rtktask->task, apple_rtkit_do_recv, rtktask); + task_add(rtk->tq, &rtktask->task); } int @@ -195,8 +209,6 @@ apple_rtkit_start_ep(struct apple_rtkit *rtk, uint8_t ep) rtkep = &rtk->ep[ep]; rtkep->rtk = rtk; rtkep->ep = ep; - task_set(&rtkep->task, apple_rtkit_do_recv, rtkep); - error = rtkit_start_endpoint(rtk->state, ep, apple_rtkit_recv, rtkep); return -error; } 
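Review bot: `pool_get(&rtktask_pool, PR_NOWAIT | PR_ZERO)` can return NULL, and the `KASSERT(rtktask != NULL)` after it is compiled out of non-DIAGNOSTIC kernels, so under memory pressure the following `rtktask->rtkep = rtkep;` dereferences NULL inside what is presumably an interrupt-driven mailbox callback (the reason the work is deferred to a task). Handle the failure explicitly, e.g. `if (rtktask == NULL) { printf("%s: out of memory, dropping message on ep %u\n", __func__, rtkep->ep); return; }`, and consider a dropped-message counter for diagnosis; if losing firmware messages is not acceptable, a fixed ring of tasks per endpoint allocated in apple_rtkit_start_ep would remove the allocation from this path entirely. The ordering is otherwise sound: the task is fully populated before task_add, and apple_rtkit_do_recv returns it to the pool only after recv_message.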
@@ -239,6 +251,9 @@ devm_apple_rtkit_init(struct device *dev, void *cookie, return ERR_PTR(ENOMEM); } + pool_init(&rtktask_pool, sizeof(struct apple_rtkit_task), 0, IPL_TTY, + 0, "apldcp_rtkit", NULL); + rk = malloc(sizeof(*rk), M_DEVBUF, M_WAITOK | M_ZERO); rk->rk_cookie = rtk; rk->rk_dmat = pdev->dmat; diff --git a/sys/dev/pci/drm/drm_drv.c b/sys/dev/pci/drm/drm_drv.c index 97358534e..6c0d74a47 100644 --- a/sys/dev/pci/drm/drm_drv.c +++ b/sys/dev/pci/drm/drm_drv.c @@ -47,6 +47,7 @@ #include #include #include +#include #include #include @@ -1548,10 +1549,19 @@ drm_activate(struct device *self, int act) switch (act) { case DVACT_QUIESCE: +#ifdef CONFIG_ACPI + if (acpi_softc && acpi_softc->sc_state == ACPI_STATE_S3) + pm_suspend_target_state = PM_SUSPEND_MEM; + else + pm_suspend_target_state = PM_SUSPEND_TO_IDLE; +#else + pm_suspend_target_state = PM_SUSPEND_TO_IDLE; +#endif drm_quiesce(dev); break; case DVACT_WAKEUP: drm_wakeup(dev); + pm_suspend_target_state = PM_SUSPEND_ON; break; } diff --git a/sys/dev/pci/drm/drm_linux.c b/sys/dev/pci/drm/drm_linux.c index 7a7cc942a..e85210506 100644 --- a/sys/dev/pci/drm/drm_linux.c +++ b/sys/dev/pci/drm/drm_linux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: drm_linux.c,v 1.114 2024/06/13 18:05:54 kettenis Exp $ */ +/* $OpenBSD: drm_linux.c,v 1.115 2024/07/13 15:38:21 kettenis Exp $ */ /* * Copyright (c) 2013 Jonathan Gray * Copyright (c) 2015, 2016 Mark Kettenis @@ -51,6 +51,7 @@ #include #include #include +#include #include #include @@ -1345,6 +1346,8 @@ vga_put(struct pci_dev *pdev, int rsrc) #endif +suspend_state_t pm_suspend_target_state; + /* * ACPI types and interfaces. */ @@ -1360,6 +1363,8 @@ vga_put(struct pci_dev *pdev, int rsrc) #include #include +struct acpi_fadt acpi_gbl_FADT; + acpi_status acpi_get_table(const char *sig, int instance, struct acpi_table_header **hdr) 
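Review bot: `pool_init(&rtktask_pool, ...)` initialises a file-scope pool from devm_apple_rtkit_init, which by its `dev` argument looks like a per-device initialiser; if a second instance attaches or the device is re-initialised, the pool is set up a second time while items from the first setup may still be queued. Guard it with a once-only flag, e.g. `static int rtktask_pool_ready;` and `if (!rtktask_pool_ready) { pool_init(...); rtktask_pool_ready = 1; }`, or move the call to the driver's attach path. The function begins and ends outside the hunk, so whether it can run more than once could not be confirmed here.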
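Review bot: Both branches of the new `#ifdef CONFIG_ACPI` block in drm_activate fall back to `PM_SUSPEND_TO_IDLE`; assigning the default once before the conditional leaves only the S3 override inside it and drops the duplicated `#else`. The same commit's drm_linux.c change guards `acpi_softc` with `#if NACPI > 0` rather than `CONFIG_ACPI`; if the compat autoconf.h does not define the two together, one of the sites silently loses the ACPI path, so one guard should be used at both. The S3 test also assumes `acpi_softc->sc_state` already holds the target sleep state when DVACT_QUIESCE is delivered — presumably it is set before devices are quiesced, verify.
```c
	case DVACT_QUIESCE:
		pm_suspend_target_state = PM_SUSPEND_TO_IDLE;
#ifdef CONFIG_ACPI
		if (acpi_softc && acpi_softc->sc_state == ACPI_STATE_S3)
			pm_suspend_target_state = PM_SUSPEND_MEM;
#endif
		drm_quiesce(dev);
		break;
```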
@@ -2851,6 +2856,13 @@ drm_linux_init(void) kmap_atomic_va = (vaddr_t)km_alloc(PAGE_SIZE, &kv_any, &kp_none, &kd_waitok); + +#if NACPI > 0 + if (acpi_softc) { + memcpy(&acpi_gbl_FADT, acpi_softc->sc_fadt, + sizeof(acpi_gbl_FADT)); + } +#endif } void diff --git a/sys/dev/pci/drm/drm_panel_orientation_quirks.c b/sys/dev/pci/drm/drm_panel_orientation_quirks.c index 518f71232..2edda9929 100644 --- a/sys/dev/pci/drm/drm_panel_orientation_quirks.c +++ b/sys/dev/pci/drm/drm_panel_orientation_quirks.c @@ -427,6 +427,13 @@ static const struct dmi_system_id orientation_data[] = { DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"), }, .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* Valve Steam Deck */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"), + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galileo"), + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, }, { /* VIOS LTH17 */ .matches = { DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"), diff --git a/sys/dev/pci/drm/i915/gt/intel_gt_pm.c b/sys/dev/pci/drm/i915/gt/intel_gt_pm.c index 84451257e..ad361eb56 100644 --- a/sys/dev/pci/drm/i915/gt/intel_gt_pm.c +++ b/sys/dev/pci/drm/i915/gt/intel_gt_pm.c @@ -326,7 +326,6 @@ void intel_gt_suspend_prepare(struct intel_gt *gt) wait_for_suspend(gt); } -#ifdef notyet static suspend_state_t pm_suspend_target(void) { #if IS_ENABLED(CONFIG_SUSPEND) && IS_ENABLED(CONFIG_PM_SLEEP) @@ -335,7 +334,6 @@ static suspend_state_t pm_suspend_target(void) return PM_SUSPEND_TO_IDLE; #endif } -#endif void intel_gt_suspend_late(struct intel_gt *gt) { @@ -361,10 +359,8 @@ void intel_gt_suspend_late(struct intel_gt *gt) * powermanagement enabled, but we also retain system state and so * it remains safe to keep on using our allocated memory. */ -#ifdef notyet if (pm_suspend_target() == PM_SUSPEND_TO_IDLE) return; -#endif with_intel_runtime_pm(gt->uncore->rpm, wakeref) { intel_rps_disable(>->rps); 
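Review bot: `memcpy(&acpi_gbl_FADT, acpi_softc->sc_fadt, sizeof(acpi_gbl_FADT))` copies a full `struct acpi_fadt` out of the firmware table, but the FADT's length depends on its revision (an ACPI 1.0 FADT is much shorter than the current layout), so on older firmware the copy can read past the end of the table if sc_fadt points at the table as mapped. Bound the copy by the table's own header length, `memcpy(&acpi_gbl_FADT, acpi_softc->sc_fadt, MIN(acpi_softc->sc_fadt->hdr.length, sizeof(acpi_gbl_FADT)));` — the global is zero-initialised BSS, so fields absent from a short table read as 0, which is the safe default for the `ACPI_FADT_LOW_POWER_S0` test this copy exists to serve. If sc_fadt is already an in-kernel copy sized to the full struct the concern is moot, but the bound costs nothing either way.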
diff --git a/sys/dev/pci/drm/include/generated/autoconf.h b/sys/dev/pci/drm/include/generated/autoconf.h
index adcef50e2..9c8565e78 100644
--- a/sys/dev/pci/drm/include/generated/autoconf.h
+++ b/sys/dev/pci/drm/include/generated/autoconf.h
@@ -93,5 +93,6 @@
 #endif
 
 #if defined(SUSPEND) || defined(HIBERNATE)
+#define CONFIG_SUSPEND 1
 #define CONFIG_PM_SLEEP 1
 #endif
diff --git a/sys/dev/pci/drm/include/linux/acpi.h b/sys/dev/pci/drm/include/linux/acpi.h
index b10d28eab..b15702c46 100644
--- a/sys/dev/pci/drm/include/linux/acpi.h
+++ b/sys/dev/pci/drm/include/linux/acpi.h
@@ -88,4 +88,7 @@ int unregister_acpi_notifier(struct notifier_block *);
 
 int acpi_target_system_state(void);
 
+extern struct acpi_fadt acpi_gbl_FADT;
+#define ACPI_FADT_LOW_POWER_S0 (1 << 21)
+
 #endif
diff --git a/sys/dev/pci/drm/include/linux/suspend.h b/sys/dev/pci/drm/include/linux/suspend.h
index e69de29bb..223844e66 100644
--- a/sys/dev/pci/drm/include/linux/suspend.h
+++ b/sys/dev/pci/drm/include/linux/suspend.h
@@ -0,0 +1,14 @@
+/* Public domain. */
+
+#ifndef _LINUX_SUSPEND_H
+#define _LINUX_SUSPEND_H
+
+typedef int suspend_state_t;
+
+#define PM_SUSPEND_ON 0
+#define PM_SUSPEND_MEM 1
+#define PM_SUSPEND_TO_IDLE 2
+
+extern suspend_state_t pm_suspend_target_state;
+
+#endif
diff --git a/sys/dev/pci/if_bwfm_pci.c b/sys/dev/pci/if_bwfm_pci.c
index 476f89a38..1124590da 100644
--- a/sys/dev/pci/if_bwfm_pci.c
+++ b/sys/dev/pci/if_bwfm_pci.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bwfm_pci.c,v 1.76 2024/05/24 06:02:53 jsg Exp $ */
+/* $OpenBSD: if_bwfm_pci.c,v 1.77 2024/07/12 08:33:25 kettenis Exp $ */
 /*
  * Copyright (c) 2010-2016 Broadcom Corporation
  * Copyright (c) 2017 Patrick Wildt
@@ -126,6 +126,10 @@ struct bwfm_pci_softc {
 	bus_space_handle_t sc_reg_ioh;
 	bus_size_t sc_reg_ios;
 
+	bus_space_tag_t sc_pcie_iot;
+	bus_space_handle_t sc_pcie_ioh;
+	bus_size_t sc_pcie_ios;
+
 	bus_space_tag_t sc_tcm_iot;
 	bus_space_handle_t sc_tcm_ioh;
 	bus_size_t sc_tcm_ios;
@@ -371,6 +375,10 @@ bwfm_pci_attach(struct device *parent, struct device *self, void *aux) goto bar1; } + sc->sc_pcie_iot = sc->sc_reg_iot; + bus_space_subregion(sc->sc_reg_iot, sc->sc_reg_ioh, 0x2000, + sc->sc_reg_ios - 0x2000, &sc->sc_pcie_ioh); + sc->sc_pc = pa->pa_pc; sc->sc_tag = pa->pa_tag; sc->sc_id = pa->pa_id; @@ -450,11 +458,11 @@ bwfm_pci_preinit(struct bwfm_softc *bwfm) #endif bwfm_pci_select_core(sc, BWFM_AGENT_CORE_PCIE2); - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGADDR, 0x4e0); - reg = bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + reg = bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGDATA); - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGDATA, reg); switch (bwfm->sc_chip.ch_chip) { @@ -1430,10 +1438,10 @@ bwfm_pci_ring_bell(struct bwfm_pci_softc *sc, struct bwfm_pci_msgring *ring) { if (sc->sc_shared_flags & BWFM_SHARED_INFO_SHARED_DAR) - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_H2D_MAILBOX_0, 1); else - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_H2D_MAILBOX_0, 1); } 
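Review bot: The new `bus_space_subregion(...)` call in bwfm_pci_attach ignores its return value, and `sc->sc_reg_ios - 0x2000` wraps if the BAR mapped into sc_reg_ioh is smaller than 0x2000, so a short BAR yields an unchecked and possibly invalid handle that every later `sc_pcie_ioh` access in this file relies on. Check both, e.g. `if (sc->sc_reg_ios < 0x2000 || bus_space_subregion(sc->sc_reg_iot, sc->sc_reg_ioh, 0x2000, sc->sc_reg_ios - 0x2000, &sc->sc_pcie_ioh) != 0)` and unwind the way the preceding mapping failure does, and record `sc->sc_pcie_ios = sc->sc_reg_ios - 0x2000;`, since that field is added to the softc in the -126 hunk but never assigned in any visible hunk. A named constant or a one-line comment for the 0x2000 PCIe-core register offset would also help the reader. The attach function starts and ends outside the hunk.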
@@ -1881,13 +1889,13 @@ bwfm_pci_buscore_reset(struct bwfm_softc *bwfm) }; for (i = 0; i < nitems(cfg_offset); i++) { - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGADDR, cfg_offset[i]); - reg = bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + reg = bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGDATA); DPRINTFN(3, ("%s: config offset 0x%04x, value 0x%04x\n", DEVNAME(sc), cfg_offset[i], reg)); - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_CONFIGDATA, reg); } } @@ -2381,11 +2389,11 @@ void bwfm_pci_intr_enable(struct bwfm_pci_softc *sc) { if (sc->sc_pcireg64) - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_MAILBOXMASK, BWFM_PCI_64_PCIE2REG_MAILBOXMASK_INT_D2H_DB); else - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_MAILBOXMASK, BWFM_PCI_PCIE2REG_MAILBOXMASK_INT_FN0_0 | BWFM_PCI_PCIE2REG_MAILBOXMASK_INT_FN0_1 | @@ -2396,10 +2404,10 @@ void bwfm_pci_intr_disable(struct bwfm_pci_softc *sc) { if (sc->sc_pcireg64) - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_MAILBOXMASK, 0); else - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_MAILBOXMASK, 0); } @@ -2407,10 +2415,10 @@ uint32_t bwfm_pci_intr_status(struct bwfm_pci_softc *sc) { if (sc->sc_pcireg64) - return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_MAILBOXINT); else - return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_MAILBOXINT); } 
@@ -2418,10 +2426,10 @@ void bwfm_pci_intr_ack(struct bwfm_pci_softc *sc, uint32_t status) { if (sc->sc_pcireg64) - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_MAILBOXINT, status); else - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_MAILBOXINT, status); } @@ -2429,10 +2437,10 @@ uint32_t bwfm_pci_intmask(struct bwfm_pci_softc *sc) { if (sc->sc_pcireg64) - return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_INTMASK); else - return bus_space_read_4(sc->sc_reg_iot, sc->sc_reg_ioh, + return bus_space_read_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_INTMASK); } @@ -2443,10 +2451,10 @@ bwfm_pci_hostready(struct bwfm_pci_softc *sc) return; if (sc->sc_shared_flags & BWFM_SHARED_INFO_SHARED_DAR) - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_64_PCIE2REG_H2D_MAILBOX_1, 1); else - bus_space_write_4(sc->sc_reg_iot, sc->sc_reg_ioh, + bus_space_write_4(sc->sc_pcie_iot, sc->sc_pcie_ioh, BWFM_PCI_PCIE2REG_H2D_MAILBOX_1, 1); } diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 12818fb70..a2dfc0105 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.336 2024/06/14 08:32:22 mvs Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.337 2024/07/12 17:20:18 mvs Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* @@ -158,9 +158,8 @@ soalloc(const struct protosw *prp, int wait) case AF_INET6: switch (prp->pr_type) { case SOCK_RAW: - so->so_snd.sb_flags |= SB_MTXLOCK; - /* FALLTHROUGH */ case SOCK_DGRAM: + so->so_snd.sb_flags |= SB_MTXLOCK; so->so_rcv.sb_flags |= SB_MTXLOCK; break; } 
@@ -628,7 +627,7 @@ restart: } else if (addr == NULL) snderr(EDESTADDRREQ); } - space = sbspace(so, &so->so_snd); + space = sbspace_locked(so, &so->so_snd); if (flags & MSG_OOB) space += 1024; if (so->so_proto->pr_domain->dom_family == AF_UNIX) { @@ -1414,9 +1413,12 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) /* Splice so and sosp together. */ mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); so->so_sp->ssp_socket = sosp; sosp->so_sp->ssp_soback = so; + mtx_leave(&sosp->so_snd.sb_mtx); mtx_leave(&so->so_rcv.sb_mtx); + so->so_splicelen = 0; so->so_splicemax = max; if (tv) @@ -1432,9 +1434,11 @@ sosplice(struct socket *so, int fd, off_t max, struct timeval *tv) */ if (somove(so, M_WAIT)) { mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); so->so_rcv.sb_flags |= SB_SPLICE; - mtx_leave(&so->so_rcv.sb_mtx); sosp->so_snd.sb_flags |= SB_SPLICE; + mtx_leave(&sosp->so_snd.sb_mtx); + mtx_leave(&so->so_rcv.sb_mtx); } release: @@ -1454,11 +1458,13 @@ sounsplice(struct socket *so, struct socket *sosp, int freeing) task_del(sosplice_taskq, &so->so_splicetask); timeout_del(&so->so_idleto); - sosp->so_snd.sb_flags &= ~SB_SPLICE; mtx_enter(&so->so_rcv.sb_mtx); + mtx_enter(&sosp->so_snd.sb_mtx); so->so_rcv.sb_flags &= ~SB_SPLICE; + sosp->so_snd.sb_flags &= ~SB_SPLICE; so->so_sp->ssp_socket = sosp->so_sp->ssp_soback = NULL; + mtx_leave(&sosp->so_snd.sb_mtx); mtx_leave(&so->so_rcv.sb_mtx); /* Do not wakeup a socket that is about to be freed. */ 
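Review bot: sosplice and sounsplice now nest `sosp->so_snd.sb_mtx` inside `so->so_rcv.sb_mtx`, which fixes a lock order that every other site taking both mutexes must follow, but nothing in the code states it. A comment at the first nesting in sosplice, `/* lock order: so->so_rcv.sb_mtx before sosp->so_snd.sb_mtx */`, would make the invariant visible to later changes. The release path in somove (next hunk) takes only the send-side mutex, so whether the receive-side mutex is held there cannot be checked from this diff. sosplice's body starts before its first hunk and sounsplice's continues past the last.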
@@ -1571,21 +1577,26 @@ somove(struct socket *so, int wait) maxreached = 1; } } - space = sbspace(sosp, &sosp->so_snd); + mtx_enter(&sosp->so_snd.sb_mtx); + space = sbspace_locked(sosp, &sosp->so_snd); if (so->so_oobmark && so->so_oobmark < len && so->so_oobmark < space + 1024) space += 1024; if (space <= 0) { + mtx_leave(&sosp->so_snd.sb_mtx); maxreached = 0; goto release; } if (space < len) { maxreached = 0; - if (space < sosp->so_snd.sb_lowat) + if (space < sosp->so_snd.sb_lowat) { + mtx_leave(&sosp->so_snd.sb_mtx); goto release; + } len = space; } sosp->so_snd.sb_state |= SS_ISSENDING; + mtx_leave(&sosp->so_snd.sb_mtx); SBLASTRECORDCHK(&so->so_rcv, "somove 1"); SBLASTMBUFCHK(&so->so_rcv, "somove 1"); @@ -1780,9 +1791,12 @@ somove(struct socket *so, int wait) } } + mtx_enter(&sosp->so_snd.sb_mtx); /* Append all remaining data to drain socket. */ if (so->so_rcv.sb_cc == 0 || maxreached) sosp->so_snd.sb_state &= ~SS_ISSENDING; + mtx_leave(&sosp->so_snd.sb_mtx); + error = pru_send(sosp, m, NULL, NULL); if (error) { if (sosp->so_snd.sb_state & SS_CANTSENDMORE) @@ -1796,7 +1810,10 @@ somove(struct socket *so, int wait) goto nextpkt; release: + mtx_enter(&sosp->so_snd.sb_mtx); sosp->so_snd.sb_state &= ~SS_ISSENDING; + mtx_leave(&sosp->so_snd.sb_mtx); + if (!error && maxreached && so->so_splicemax == so->so_splicelen) error = EFBIG; if (error) @@ -2346,7 +2363,7 @@ filt_sowrite(struct knote *kn, long hint) if ((so->so_snd.sb_flags & SB_MTXLOCK) == 0) soassertlocked_readonly(so); - kn->kn_data = sbspace(so, &so->so_snd); + kn->kn_data = sbspace_locked(so, &so->so_snd); if (so->so_snd.sb_state & SS_CANTSENDMORE) { kn->kn_flags |= EV_EOF; if (kn->kn_flags & __EV_POLL) { diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c index 27edd54af..2855feb61 100644 --- a/sys/kern/uipc_socket2.c +++ b/sys/kern/uipc_socket2.c 
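Review bot: In somove the new `sosp->so_snd.sb_mtx` critical section around sbspace_locked() is left through three separate `mtx_leave()` calls (the `space <= 0` path, the `space < sb_lowat` path and the fall-through), which is the kind of structure where a later edit adds a fourth exit and forgets the unlock. Folding the two early-exit conditions into one test keeps a single unlock per exit while producing the same maxreached and len values. The SS_CANTSENDMORE check after pru_send() still reads `sosp->so_snd.sb_state` without the mutex; whether another lock covers that read is not visible here. somove's body starts and ends outside these hunks.
```c
	mtx_enter(&sosp->so_snd.sb_mtx);
	space = sbspace_locked(sosp, &sosp->so_snd);
	/* … unchanged: oobmark adjustment of space … */
	/* No room, or below the low-water mark: one unlock for both. */
	if (space <= 0 || (space < len && space < sosp->so_snd.sb_lowat)) {
		mtx_leave(&sosp->so_snd.sb_mtx);
		maxreached = 0;
		goto release;
	}
	if (space < len) {
		maxreached = 0;
		len = space;
	}
	sosp->so_snd.sb_state |= SS_ISSENDING;
	mtx_leave(&sosp->so_snd.sb_mtx);
	/* … unchanged: SBLASTRECORDCHK and the rest of somove … */
```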
@@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket2.c,v 1.156 2024/06/28 21:30:24 mvs Exp $ */ +/* $OpenBSD: uipc_socket2.c,v 1.158 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: uipc_socket2.c,v 1.11 1996/02/04 02:17:55 christos Exp $ */ /* @@ -365,7 +365,7 @@ solock_shared(struct socket *so) switch (so->so_proto->pr_domain->dom_family) { case PF_INET: case PF_INET6: - if (so->so_proto->pr_usrreqs->pru_lock != NULL) { + if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET)) { NET_LOCK_SHARED(); rw_enter_write(&so->so_lock); } else @@ -425,7 +425,7 @@ sounlock_shared(struct socket *so) switch (so->so_proto->pr_domain->dom_family) { case PF_INET: case PF_INET6: - if (so->so_proto->pr_usrreqs->pru_unlock != NULL) { + if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET)) { rw_exit_write(&so->so_lock); NET_UNLOCK_SHARED(); } else @@ -460,7 +460,7 @@ soassertlocked(struct socket *so) if (rw_status(&netlock) == RW_READ) { NET_ASSERT_LOCKED(); - if (splassert_ctl > 0 && pru_locked(so) == 0 && + if (splassert_ctl > 0 && rw_status(&so->so_lock) != RW_WRITE) splassert_fail(0, RW_WRITE, __func__); } else @@ -481,12 +481,12 @@ sosleep_nsec(struct socket *so, void *ident, int prio, const char *wmesg, switch (so->so_proto->pr_domain->dom_family) { case PF_INET: case PF_INET6: - if (so->so_proto->pr_usrreqs->pru_unlock != NULL && + if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET) && rw_status(&netlock) == RW_READ) { rw_exit_write(&so->so_lock); } ret = rwsleep_nsec(ident, &netlock, prio, wmesg, nsecs); - if (so->so_proto->pr_usrreqs->pru_lock != NULL && + if (ISSET(so->so_proto->pr_flags, PR_MPSOCKET) && rw_status(&netlock) == RW_READ) { rw_enter_write(&so->so_lock); } @@ -926,7 +926,7 @@ sbappendaddr(struct socket *so, struct sockbuf *sb, const struct sockaddr *asa, if (n->m_next == NULL) /* keep pointer to last control buf */ break; } - if (space > sbspace(so, sb)) + if (space > sbspace_locked(so, sb)) return (0); if (asa->sa_len > MLEN) return (0); 
@@ -984,7 +984,7 @@ sbappendcontrol(struct socket *so, struct sockbuf *sb, struct mbuf *m0, m->m_flags &= ~M_EOR; } } - if (space > sbspace(so, sb)) + if (space > sbspace_locked(so, sb)) return (0); n->m_next = m0; /* concatenate data to control */ diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index 05c114c65..201fcac8c 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_subr.c,v 1.320 2024/07/05 05:42:08 jsg Exp $ */ +/* $OpenBSD: vfs_subr.c,v 1.322 2024/07/13 14:37:55 beck Exp $ */ /* $NetBSD: vfs_subr.c,v 1.53 1996/04/22 01:39:13 christos Exp $ */ /* diff --git a/sys/miscfs/fifofs/fifo_vnops.c b/sys/miscfs/fifofs/fifo_vnops.c index aa04381db..a381fc454 100644 --- a/sys/miscfs/fifofs/fifo_vnops.c +++ b/sys/miscfs/fifofs/fifo_vnops.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fifo_vnops.c,v 1.106 2024/06/28 21:30:24 mvs Exp $ */ +/* $OpenBSD: fifo_vnops.c,v 1.107 2024/07/12 17:20:18 mvs Exp $ */ /* $NetBSD: fifo_vnops.c,v 1.18 1996/03/16 23:52:42 christos Exp $ */ /* @@ -564,7 +564,7 @@ filt_fifowrite(struct knote *kn, long hint) MUTEX_ASSERT_LOCKED(&so->so_snd.sb_mtx); - kn->kn_data = sbspace(so, &so->so_snd); + kn->kn_data = sbspace_locked(so, &so->so_snd); if (so->so_snd.sb_state & SS_CANTSENDMORE) { kn->kn_flags |= EV_EOF; rv = 1; diff --git a/sys/net/pf.c b/sys/net/pf.c index f22c31900..fb278db3b 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1201 2024/07/04 12:50:08 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.1202 2024/07/12 09:25:27 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -7966,7 +7966,7 @@ done: if (pd.dir == PF_IN) { int flags = IP_REDIRECT; - switch (ip_forwarding) { + switch (atomic_load_int(&ip_forwarding)) { case 2: SET(flags, IP_FORWARDING_IPSEC); /* FALLTHROUGH */ diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 4031033b1..720333715 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rtsock.c,v 1.374 2024/06/14 08:32:22 mvs Exp $ */ +/* $OpenBSD: rtsock.c,v 1.375 2024/07/12 17:20:18 mvs Exp $ */ /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */ /* @@ -316,7 +316,7 @@ route_rcvd(struct socket *so) mtx_enter(&so->so_rcv.sb_mtx); if (((rop->rop_flags & ROUTECB_FLAG_FLUSH) != 0) && - ((sbspace(so, &so->so_rcv) == so->so_rcv.sb_hiwat))) + ((sbspace_locked(so, &so->so_rcv) == so->so_rcv.sb_hiwat))) rop->rop_flags &= ~ROUTECB_FLAG_FLUSH; mtx_leave(&so->so_rcv.sb_mtx); } @@ -603,7 +603,7 @@ rtm_sendup(struct socket *so, struct mbuf *m0) return (ENOMEM); mtx_enter(&so->so_rcv.sb_mtx); - if (sbspace(so, &so->so_rcv) < (2 * MSIZE) || + if (sbspace_locked(so, &so->so_rcv) < (2 * MSIZE) || sbappendaddr(so, &so->so_rcv, &route_src, m, NULL) == 0) send_desync = 1; mtx_leave(&so->so_rcv.sb_mtx); diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 1a6bc7166..0df7be797 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.302 2024/04/19 10:13:58 bluhm Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.303 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -239,7 +239,6 @@ in_pcballoc(struct socket *so, struct inpcbtable *table, int wait) inp->inp_table = table; inp->inp_socket = so; refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB); - mtx_init(&inp->inp_mtx, IPL_SOFTNET); inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT; inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT; inp->inp_seclevel.sl_esp_network = IPSEC_ESP_NETWORK_LEVEL_DEFAULT; diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index 6e0b656b1..91a78e106 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.h,v 1.157 2024/04/19 10:13:58 bluhm Exp $ */ +/* $OpenBSD: in_pcb.h,v 1.158 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $ */ /* 
@@ -80,7 +80,6 @@ * N net lock * t inpt_mtx pcb table mutex * y inpt_notify pcb table rwlock for notify - * p inpcb_mtx pcb mutex * L pf_inp_mtx link pf to inp mutex * s so_lock socket rwlock */ @@ -94,8 +93,8 @@ * needed, so that socket layer input have a consistent view at these * values. * - * In soconnect() and sosend() pcb mutex cannot be used. They eventually - * can call IP output which takes pf lock which is a sleeping lock. + * In soconnect() and sosend() a per pcb mutex cannot be used. They + * eventually call IP output which takes pf lock which is a sleeping lock. * Also connect(2) does a route lookup for source selection. There * route resolve happens, which creates a route, which sends a route * message, which needs route lock, which is a rw-lock. @@ -106,15 +105,9 @@ * * So there are three locks. Table mutex is for writing inp_[lf]addr/port * and lookup, socket rw-lock to separate sockets in system calls, and - * pcb mutex to protect socket receive buffer. Changing inp_[lf]addr/port - * takes both per socket rw-lock and global table mutex. Protocol - * input only reads inp_[lf]addr/port during lookup and is safe. System - * call only reads when holding socket rw-lock and is safe. The socket - * layer needs pcb mutex only in soreceive(). - * - * Function pru_lock() grabs the pcb mutex and its existence indicates - * that a protocol is MP safe. Otherwise the exclusive net lock is - * used. + * socket buffer mutex to protect socket receive buffer. Changing + * inp_[lf]addr/port takes both per socket rw-lock and global table mutex. + * Protocol input only reads inp_[lf]addr/port during lookup and is safe. */ struct pf_state_key; 
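Review bot: The rewritten locking comment in in_pcb.h drops the sentence that explained how a protocol signals it is MP safe, and the replacement text does not mention the PR_MPSOCKET flag that solock_shared() and sounlock_shared() in uipc_socket2.c now test instead of the pru_lock() hook. A sentence after the "three locks" paragraph, `* Protocols with PR_MPSOCKET set in pr_flags take the shared net lock plus the per-socket rw-lock; all others run under the exclusive net lock.`, would keep this header the place where the locking model is documented. That the non-PR_MPSOCKET branch still takes the exclusive net lock is taken from the removed text, since the else branch in solock_shared() lies outside the visible hunk.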
@@ -149,7 +142,6 @@ struct inpcb { caddr_t inp_ppcb; /* pointer to per-protocol pcb */ struct route inp_route; /* cached route */ struct refcnt inp_refcnt; /* refcount PCB, delay memory free */ - struct mutex inp_mtx; /* protect PCB and socket members */ int inp_flags; /* generic IP/datagram flags */ union { /* Header prototype. */ struct ip hu_ip; diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index a7ba54e52..5f9a1fbd3 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.104 2024/04/14 20:46:27 bluhm Exp $ */ +/* $OpenBSD: in_proto.c,v 1.106 2024/07/13 12:00:11 bluhm Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -185,7 +185,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_DGRAM, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_UDP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_SPLICE, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_SPLICE|PR_MPSOCKET, .pr_input = udp_input, .pr_ctlinput = udp_ctlinput, .pr_ctloutput = ip_ctloutput, @@ -210,7 +210,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_RAW, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT|PR_MPSOCKET, .pr_input = rip_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -219,7 +219,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ICMP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = icmp_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -230,7 +230,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, #if NGIF > 0 .pr_input = in_gif_input, #else 
@@ -246,7 +246,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPV6, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, #if NGIF > 0 .pr_input = in_gif_input, #else @@ -261,7 +261,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_MPLS, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = in_gif_input, .pr_usrreqs = &rip_usrreqs, }, @@ -270,7 +270,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IGMP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = igmp_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -284,7 +284,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_AH, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ah46_input, .pr_ctlinput = ah4_ctlinput, .pr_ctloutput = rip_ctloutput, @@ -295,7 +295,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ESP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = esp46_input, .pr_ctlinput = esp4_ctlinput, .pr_ctloutput = rip_ctloutput, @@ -306,7 +306,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPCOMP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ipcomp46_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -318,7 +318,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_GRE, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = gre_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &gre_usrreqs, 
@@ -330,7 +330,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_CARP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = carp_proto_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -342,7 +342,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_PFSYNC, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = pfsync_input4, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -354,7 +354,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_DIVERT, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &divert_usrreqs, .pr_init = divert_init, @@ -366,7 +366,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ETHERIP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ip_etherip_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, @@ -377,7 +377,7 @@ const struct protosw inetsw[] = { /* raw wildcard */ .pr_type = SOCK_RAW, .pr_domain = &inetdomain, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT|PR_MPSOCKET, .pr_input = rip_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs, diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 68c24d1ed..a78f5e0fb 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_divert.c,v 1.95 2024/03/05 09:45:13 bluhm Exp $ */ +/* $OpenBSD: ip_divert.c,v 1.96 2024/07/12 19:50:35 bluhm Exp $ */ /* * Copyright (c) 2009 Michele Marchetto 
@@ -65,9 +65,6 @@ const struct sysctl_bounded_args divertctl_vars[] = { const struct pr_usrreqs divert_usrreqs = { .pru_attach = divert_attach, .pru_detach = divert_detach, - .pru_lock = divert_lock, - .pru_unlock = divert_unlock, - .pru_locked = divert_locked, .pru_bind = divert_bind, .pru_shutdown = divert_shutdown, .pru_send = divert_send, @@ -296,32 +293,6 @@ divert_detach(struct socket *so) return (0); } -void -divert_lock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_enter(&inp->inp_mtx); -} - -void -divert_unlock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_leave(&inp->inp_mtx); -} - -int -divert_locked(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - return mtx_owned(&inp->inp_mtx); -} - int divert_bind(struct socket *so, struct mbuf *addr, struct proc *p) { diff --git a/sys/netinet/ip_divert.h b/sys/netinet/ip_divert.h index 2c09d5175..2a97639b1 100644 --- a/sys/netinet/ip_divert.h +++ b/sys/netinet/ip_divert.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_divert.h,v 1.25 2024/02/03 22:50:09 mvs Exp $ */ +/* $OpenBSD: ip_divert.h,v 1.26 2024/07/12 19:50:35 bluhm Exp $ */ /* * Copyright (c) 2009 Michele Marchetto @@ -72,9 +72,6 @@ void divert_packet(struct mbuf *, int, u_int16_t); int divert_sysctl(int *, u_int, void *, size_t *, void *, size_t); int divert_attach(struct socket *, int, int); int divert_detach(struct socket *); -void divert_lock(struct socket *); -void divert_unlock(struct socket *); -int divert_locked(struct socket *); int divert_bind(struct socket *, struct mbuf *, struct proc *); int divert_shutdown(struct socket *); int divert_send(struct socket *, struct mbuf *, struct mbuf *, diff --git a/sys/netinet/ip_gre.c b/sys/netinet/ip_gre.c index 9a27027be..6973b4c90 100644 --- a/sys/netinet/ip_gre.c +++ b/sys/netinet/ip_gre.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_gre.c,v 1.87 2023/12/15 00:24:56 bluhm Exp $ */ +/* $OpenBSD: ip_gre.c,v 1.88 2024/07/13 13:20:44 bluhm Exp $ */ /* $NetBSD: ip_gre.c,v 1.9 1999/10/25 19:18:11 drochner Exp $ */ /* @@ -36,10 +36,6 @@ * This currently handles IPPROTO_GRE, IPPROTO_MOBILE */ - -#include "gre.h" -#if NGRE > 0 - #include #include #include @@ -114,5 +110,3 @@ gre_send(struct socket *so, struct mbuf *m, struct mbuf *nam, #endif return rip_send(so, m, nam, control); } - -#endif /* if NGRE > 0 */ diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index a283bc2f8..baaa9a210 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_icmp.c,v 1.194 2024/06/20 19:25:04 bluhm Exp $ */ +/* $OpenBSD: ip_icmp.c,v 1.195 2024/07/12 09:25:27 bluhm Exp $ */ /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */ /* @@ -589,7 +589,8 @@ reflect: struct sockaddr_in ssrc; struct rtentry *newrt = NULL; - if (icmp_rediraccept == 0 || ip_forwarding != 0) + if (icmp_rediraccept == 0 || + atomic_load_int(&ip_forwarding) != 0) goto freeit; if (code > 3) goto badcode; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 21221c149..8797a26b0 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.397 2024/07/02 18:33:47 bluhm Exp $ */ +/* $OpenBSD: ip_input.c,v 1.398 2024/07/12 09:25:27 bluhm Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -83,8 +83,15 @@ #include #endif +/* + * Locks used to protect global variables in this file: + * I immutable after creation + * a atomic operations + * N net lock + */ + /* values controllable via sysctl */ -int ip_forwarding = 0; +int ip_forwarding = 0; /* [a] */ int ipmforwarding = 0; int ipmultipath = 0; int ip_sendredirects = 1; 
@@ -108,7 +115,6 @@ const struct sysctl_bounded_args ipctl_vars[] = { #ifdef MROUTING { IPCTL_MRTPROTO, &ip_mrtproto, SYSCTL_INT_READONLY }, #endif - { IPCTL_FORWARDING, &ip_forwarding, 0, 2 }, { IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 }, { IPCTL_DEFTTL, &ip_defttl, 0, 255 }, { IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 }, @@ -465,7 +471,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp) SET(flags, IP_REDIRECT); #endif - switch (ip_forwarding) { + switch (atomic_load_int(&ip_forwarding)) { case 2: SET(flags, IP_FORWARDING_IPSEC); /* FALLTHROUGH */ @@ -1792,6 +1798,9 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, atomic_inc_long(&rtgeneration); NET_UNLOCK(); return (error); + case IPCTL_FORWARDING: + return (sysctl_int_bounded(oldp, oldlenp, newp, newlen, + &ip_forwarding, 0, 2)); default: NET_LOCK(); error = sysctl_bounded_arr(ipctl_vars, nitems(ipctl_vars), diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index df6f003d8..78a8ca4f4 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_var.h,v 1.119 2024/07/02 18:33:47 bluhm Exp $ */ +/* $OpenBSD: ip_var.h,v 1.120 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */ /* @@ -274,9 +274,6 @@ struct mbuf * rip_chkhdr(struct mbuf *, struct mbuf *); int rip_attach(struct socket *, int, int); int rip_detach(struct socket *); -void rip_lock(struct socket *); -void rip_unlock(struct socket *); -int rip_locked(struct socket *); int rip_bind(struct socket *, struct mbuf *, struct proc *); int rip_connect(struct socket *, struct mbuf *); int rip_disconnect(struct socket *); diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 5481346b9..e9a7bf19e 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c 
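Review bot: The new `case IPCTL_FORWARDING:` in ip_sysctl returns before the `default:` branch takes NET_LOCK, so the write to ip_forwarding now happens with no net lock, which matches the `[a]` annotation added in the previous hunk only if sysctl_int_bounded() stores the value atomically — that function is not part of this diff. A comment on the case, `/* [a] ip_forwarding is read with atomic_load_int(), no net lock needed */`, would record why it was pulled out of ipctl_vars. Only the readers in ip_input_if, icmp_input and pf_test are converted to atomic_load_int() here; any other reader of ip_forwarding cannot be checked from this diff. ip_sysctl's body extends beyond the hunk on both sides.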
@@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip.c,v 1.159 2024/04/17 20:48:51 bluhm Exp $ */ +/* $OpenBSD: raw_ip.c,v 1.160 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */ /* @@ -106,9 +106,6 @@ struct inpcbtable rawcbtable; const struct pr_usrreqs rip_usrreqs = { .pru_attach = rip_attach, .pru_detach = rip_detach, - .pru_lock = rip_lock, - .pru_unlock = rip_unlock, - .pru_locked = rip_locked, .pru_bind = rip_bind, .pru_connect = rip_connect, .pru_disconnect = rip_disconnect, @@ -514,32 +511,6 @@ rip_detach(struct socket *so) return (0); } -void -rip_lock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_enter(&inp->inp_mtx); -} - -void -rip_unlock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_leave(&inp->inp_mtx); -} - -int -rip_locked(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - return mtx_owned(&inp->inp_mtx); -} - int rip_bind(struct socket *so, struct mbuf *nam, struct proc *p) { diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index ecf2a9081..bb85eb6d2 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.320 2024/04/17 20:48:51 bluhm Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.321 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -125,9 +125,6 @@ u_int udp_recvspace = 40 * (1024 + sizeof(struct sockaddr_in)); const struct pr_usrreqs udp_usrreqs = { .pru_attach = udp_attach, .pru_detach = udp_detach, - .pru_lock = udp_lock, - .pru_unlock = udp_unlock, - .pru_locked = udp_locked, .pru_bind = udp_bind, .pru_connect = udp_connect, .pru_disconnect = udp_disconnect, 
@@ -142,9 +139,6 @@ const struct pr_usrreqs udp_usrreqs = { const struct pr_usrreqs udp6_usrreqs = { .pru_attach = udp_attach, .pru_detach = udp_detach, - .pru_lock = udp_lock, - .pru_unlock = udp_unlock, - .pru_locked = udp_locked, .pru_bind = udp_bind, .pru_connect = udp_connect, .pru_disconnect = udp_disconnect, @@ -1140,32 +1134,6 @@ udp_detach(struct socket *so) return (0); } -void -udp_lock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_enter(&inp->inp_mtx); -} - -void -udp_unlock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_leave(&inp->inp_mtx); -} - -int -udp_locked(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - return mtx_owned(&inp->inp_mtx); -} - int udp_bind(struct socket *so, struct mbuf *addr, struct proc *p) { diff --git a/sys/netinet/udp_var.h b/sys/netinet/udp_var.h index 5731cf4ef..ac506c66c 100644 --- a/sys/netinet/udp_var.h +++ b/sys/netinet/udp_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_var.h,v 1.51 2024/02/03 22:50:09 mvs Exp $ */ +/* $OpenBSD: udp_var.h,v 1.52 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: udp_var.h,v 1.12 1996/02/13 23:44:41 christos Exp $ */ /* @@ -145,9 +145,6 @@ int udp6_output(struct inpcb *, struct mbuf *, struct mbuf *, int udp_sysctl(int *, u_int, void *, size_t *, void *, size_t); int udp_attach(struct socket *, int, int); int udp_detach(struct socket *); -void udp_lock(struct socket *); -void udp_unlock(struct socket *); -int udp_locked(struct socket *); int udp_bind(struct socket *, struct mbuf *, struct proc *); int udp_connect(struct socket *, struct mbuf *); int udp_disconnect(struct socket *); diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index f73e00b4d..a737e995c 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: in6_proto.c,v 1.114 2024/04/16 12:40:40 bluhm Exp $ */ +/* $OpenBSD: in6_proto.c,v 1.115 2024/07/12 19:50:35 bluhm Exp $ */ /* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */ /* @@ -136,7 +136,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_DGRAM, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_UDP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_SPLICE, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_SPLICE|PR_MPSOCKET, .pr_input = udp_input, .pr_ctlinput = udp6_ctlinput, .pr_ctloutput = ip6_ctloutput, @@ -158,7 +158,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_RAW, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT|PR_MPSOCKET, .pr_input = rip6_input, .pr_ctlinput = rip6_ctlinput, .pr_ctloutput = rip6_ctloutput, @@ -169,7 +169,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_ICMPV6, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = icmp6_input, .pr_ctlinput = rip6_ctlinput, .pr_ctloutput = rip6_ctloutput, @@ -204,7 +204,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_AH, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ah46_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, @@ -214,7 +214,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_ESP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = esp46_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, 
@@ -224,7 +224,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_IPCOMP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ipcomp46_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, @@ -235,7 +235,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, #if NGIF > 0 .pr_input = in6_gif_input, #else @@ -248,7 +248,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_IPV6, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, #if NGIF > 0 .pr_input = in6_gif_input, #else @@ -262,7 +262,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_MPLS, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, #if NGIF > 0 .pr_input = in6_gif_input, #else @@ -277,7 +277,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_CARP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = carp6_proto_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, @@ -289,7 +289,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_DIVERT, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &divert6_usrreqs, .pr_init = divert6_init, @@ -301,7 +301,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_ETHERIP, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = ip6_etherip_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, 
@@ -312,7 +312,7 @@ const struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_GRE, - .pr_flags = PR_ATOMIC|PR_ADDR, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, .pr_input = gre_input6, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, @@ -322,7 +322,7 @@ const struct protosw inet6sw[] = { /* raw wildcard */ .pr_type = SOCK_RAW, .pr_domain = &inet6domain, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPINPUT|PR_MPSOCKET, .pr_input = rip6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs, diff --git a/sys/netinet6/ip6_divert.c b/sys/netinet6/ip6_divert.c index 0bd114ba3..06111f6d3 100644 --- a/sys/netinet6/ip6_divert.c +++ b/sys/netinet6/ip6_divert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_divert.c,v 1.95 2024/02/13 12:22:09 bluhm Exp $ */ +/* $OpenBSD: ip6_divert.c,v 1.96 2024/07/12 19:50:35 bluhm Exp $ */ /* * Copyright (c) 2009 Michele Marchetto @@ -68,9 +68,6 @@ const struct sysctl_bounded_args divert6ctl_vars[] = { const struct pr_usrreqs divert6_usrreqs = { .pru_attach = divert6_attach, .pru_detach = divert_detach, - .pru_lock = divert_lock, - .pru_unlock = divert_unlock, - .pru_locked = divert_locked, .pru_bind = divert_bind, .pru_shutdown = divert_shutdown, .pru_send = divert6_send, diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 14c295690..5d2cf5559 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_forward.c,v 1.121 2024/07/09 09:33:13 bluhm Exp $ */ +/* $OpenBSD: ip6_forward.c,v 1.123 2024/07/13 10:09:40 bluhm Exp $ */ /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */ /* @@ -45,6 +45,9 @@ #include #include #include +#if NPF > 0 +#include +#endif #include #include 
@@ -53,20 +56,15 @@ #include #include #include - -#if NPF > 0 -#include -#endif - +#include +#include +#include +#include #ifdef IPSEC #include #include #include -#include #endif -#include -#include -#include /* * Forward a packet. If some error occurs return the sender @@ -145,10 +143,33 @@ ip6_forward(struct mbuf *m, struct route *ro, int flags) * Thanks to M_EXT, in most cases copy will not occur. * For small packets copy original onto stack instead of mbuf. * + * For final protocol header like TCP or UDP, full header chain in + * ICMP6 packet is not necessary. In this case only copy small + * part of original packet and save it on stack instead of mbuf. + * Although this violates RFC 4443 2.4. (c), it avoids additional + * mbuf allocations. Also pf nat and rdr do not affect the shared + * mbuf cluster. + * * It is important to save it before IPsec processing as IPsec * processing may modify the mbuf. */ - icmp_len = min(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN); + switch (ip6->ip6_nxt) { + case IPPROTO_TCP: + icmp_len = sizeof(struct ip6_hdr) + sizeof(struct tcphdr) + + MAX_TCPOPTLEN; + break; + case IPPROTO_UDP: + icmp_len = sizeof(struct ip6_hdr) + sizeof(struct udphdr); + break; + case IPPROTO_ESP: + icmp_len = sizeof(struct ip6_hdr) + 2 * sizeof(u_int32_t); + break; + default: + icmp_len = ICMPV6_PLD_MAXLEN; + break; + } + if (icmp_len > m->m_pkthdr.len) + icmp_len = m->m_pkthdr.len; if (icmp_len <= sizeof(icmp_buf)) { mflags = m->m_flags; pfflags = m->m_pkthdr.pf.flags; diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index bbe59c744..1ddbb4b1c 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_var.h,v 1.119 2024/07/04 12:50:08 bluhm Exp $ */ +/* $OpenBSD: ip6_var.h,v 1.120 2024/07/12 19:50:35 bluhm Exp $ */ /* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */ /* 
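Review bot: The per-protocol lengths in the new switch are bare arithmetic with nothing tying them to what the receiving host needs to demultiplex the error: the ESP case `2 * sizeof(u_int32_t)` presumably covers the SPI and sequence number, and the TCP case adds MAX_TCPOPTLEN so ports and sequence numbers are always included. A one-line comment per case, e.g. `/* SPI and sequence number are enough to identify the SA */`, would make the deliberate RFC 4443 2.4 (c) trade-off reviewable later. The switch keys on `ip6->ip6_nxt` only, so a packet with an extension header before the transport header falls to the ICMPV6_PLD_MAXLEN default, which is the conservative direction. ip6_forward() starts and ends outside the hunk.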
@@ -354,9 +354,6 @@ int rip6_output(struct mbuf *, struct socket *, struct sockaddr *, struct mbuf *); int rip6_attach(struct socket *, int, int); int rip6_detach(struct socket *); -void rip6_lock(struct socket *); -void rip6_unlock(struct socket *); -int rip6_locked(struct socket *); int rip6_bind(struct socket *, struct mbuf *, struct proc *); int rip6_connect(struct socket *, struct mbuf *); int rip6_disconnect(struct socket *); diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index c16c69d53..7efbddfdd 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip6.c,v 1.184 2024/04/17 20:48:51 bluhm Exp $ */ +/* $OpenBSD: raw_ip6.c,v 1.185 2024/07/12 19:50:35 bluhm Exp $ */ /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */ /* @@ -108,9 +108,6 @@ struct cpumem *rip6counters; const struct pr_usrreqs rip6_usrreqs = { .pru_attach = rip6_attach, .pru_detach = rip6_detach, - .pru_lock = rip6_lock, - .pru_unlock = rip6_unlock, - .pru_locked = rip6_locked, .pru_bind = rip6_bind, .pru_connect = rip6_connect, .pru_disconnect = rip6_disconnect, @@ -644,32 +641,6 @@ rip6_detach(struct socket *so) return (0); } -void -rip6_lock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_enter(&inp->inp_mtx); -} - -void -rip6_unlock(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - NET_ASSERT_LOCKED(); - mtx_leave(&inp->inp_mtx); -} - -int -rip6_locked(struct socket *so) -{ - struct inpcb *inp = sotoinpcb(so); - - return mtx_owned(&inp->inp_mtx); -} - int rip6_bind(struct socket *so, struct mbuf *nam, struct proc *p) { diff --git a/sys/nfs/nfs_socket.c b/sys/nfs/nfs_socket.c index d88109098..2ac95914c 100644 --- a/sys/nfs/nfs_socket.c +++ b/sys/nfs/nfs_socket.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: nfs_socket.c,v 1.150 2024/04/30 17:05:20 miod Exp $ */ +/* $OpenBSD: nfs_socket.c,v 1.151 2024/07/12 17:20:18 mvs Exp $ */ /* $NetBSD: nfs_socket.c,v 1.27 1996/04/15 20:20:00 thorpej Exp $ */ /* @@ -374,7 +374,9 @@ nfs_connect(struct nfsmount *nmp, struct nfsreq *rep) mtx_enter(&so->so_rcv.sb_mtx); so->so_rcv.sb_flags |= SB_NOINTR; mtx_leave(&so->so_rcv.sb_mtx); + mtx_enter(&so->so_snd.sb_mtx); so->so_snd.sb_flags |= SB_NOINTR; + mtx_leave(&so->so_snd.sb_mtx); sounlock(so); m_freem(mopt); diff --git a/sys/sys/protosw.h b/sys/sys/protosw.h index 7fae350d4..9d5a0f370 100644 --- a/sys/sys/protosw.h +++ b/sys/sys/protosw.h @@ -1,4 +1,4 @@ -/* $OpenBSD: protosw.h,v 1.66 2024/04/14 20:46:27 bluhm Exp $ */ +/* $OpenBSD: protosw.h,v 1.67 2024/07/12 19:50:35 bluhm Exp $ */ /* $NetBSD: protosw.h,v 1.10 1996/04/09 20:55:32 cgd Exp $ */ /*- @@ -67,9 +67,6 @@ struct ifnet; struct pr_usrreqs { int (*pru_attach)(struct socket *, int, int); int (*pru_detach)(struct socket *); - void (*pru_lock)(struct socket *); - void (*pru_unlock)(struct socket *); - int (*pru_locked)(struct socket *so); int (*pru_bind)(struct socket *, struct mbuf *, struct proc *); int (*pru_listen)(struct socket *); int (*pru_connect)(struct socket *, struct mbuf *); @@ -133,6 +130,7 @@ struct protosw { socket */ #define PR_SPLICE 0x0040 /* socket splicing is possible */ #define PR_MPINPUT 0x0080 /* input runs with shared netlock */ +#define PR_MPSOCKET 0x0100 /* socket uses shared netlock */ /* * The arguments to usrreq are: 
@@ -284,28 +282,6 @@ pru_detach(struct socket *so) return (*so->so_proto->pr_usrreqs->pru_detach)(so); } -static inline void -pru_lock(struct socket *so) -{ - if (so->so_proto->pr_usrreqs->pru_lock) - (*so->so_proto->pr_usrreqs->pru_lock)(so); -} - -static inline void -pru_unlock(struct socket *so) -{ - if (so->so_proto->pr_usrreqs->pru_unlock) - (*so->so_proto->pr_usrreqs->pru_unlock)(so); -} - -static inline int -pru_locked(struct socket *so) -{ - if (so->so_proto->pr_usrreqs->pru_locked) - return (*so->so_proto->pr_usrreqs->pru_locked)(so); - return (0); -} - static inline int pru_bind(struct socket *so, struct mbuf *nam, struct proc *p) { diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index d7587bafb..d116c07d8 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: socketvar.h,v 1.131 2024/05/17 19:11:14 mvs Exp $ */ +/* $OpenBSD: socketvar.h,v 1.132 2024/07/12 17:20:18 mvs Exp $ */ /* $NetBSD: socketvar.h,v 1.18 1996/02/09 18:25:38 christos Exp $ */ /*- @@ -237,7 +237,7 @@ sb_notify(struct socket *so, struct sockbuf *sb) */ static inline long -sbspace(struct socket *so, struct sockbuf *sb) +sbspace_locked(struct socket *so, struct sockbuf *sb) { if (sb->sb_flags & SB_MTXLOCK) sbmtxassertlocked(so, sb); @@ -247,6 +247,18 @@ sbspace(struct socket *so, struct sockbuf *sb) return lmin(sb->sb_hiwat - sb->sb_cc, sb->sb_mbmax - sb->sb_mbcnt); } +static inline long +sbspace(struct socket *so, struct sockbuf *sb) +{ + long ret; + + sb_mtx_lock(sb); + ret = sbspace_locked(so, sb); + sb_mtx_unlock(sb); + + return ret; +} + /* do we have to send all at once on a socket? */ #define sosendallatonce(so) \ ((so)->so_proto->pr_flags & PR_ATOMIC) diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h index b97d486f1..b8ca4563f 100644 --- a/sys/sys/vnode.h +++ b/sys/sys/vnode.h 
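Review bot: The new sbspace() wrapper takes sb_mtx unconditionally, but its contract — callers must not already hold the buffer mutex and should use sbspace_locked() when they do — is not stated anywhere; a comment above it such as `/* Like sbspace_locked() but takes and releases sb_mtx itself; callers already holding it use sbspace_locked(). */` would prevent recursive-lock mistakes at call sites. Whether sb_mtx_lock() is conditional on SB_MTXLOCK in the same way as the assertion inside sbspace_locked() cannot be seen here, so a reader has to infer it; presumably it is, but the wrapper should say so.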
@@ -1,4 +1,4 @@ -/* $OpenBSD: vnode.h,v 1.171 2024/07/05 05:42:08 jsg Exp $ */ +/* $OpenBSD: vnode.h,v 1.173 2024/07/13 14:37:55 beck Exp $ */ /* $NetBSD: vnode.h,v 1.38 1996/02/29 20:59:05 cgd Exp $ */ /* diff --git a/sys/ufs/ext2fs/ext2fs_inode.c b/sys/ufs/ext2fs/ext2fs_inode.c index 2962628f8..432dd5f12 100644 --- a/sys/ufs/ext2fs/ext2fs_inode.c +++ b/sys/ufs/ext2fs/ext2fs_inode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ext2fs_inode.c,v 1.66 2022/08/12 14:30:53 visa Exp $ */ +/* $OpenBSD: ext2fs_inode.c,v 1.68 2024/07/13 14:37:56 beck Exp $ */ /* $NetBSD: ext2fs_inode.c,v 1.24 2001/06/19 12:59:18 wiz Exp $ */ /* diff --git a/sys/ufs/ufs/ufs_inode.c b/sys/ufs/ufs/ufs_inode.c index 4ea385d04..5e66f0bf2 100644 --- a/sys/ufs/ufs/ufs_inode.c +++ b/sys/ufs/ufs/ufs_inode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ufs_inode.c,v 1.45 2024/02/03 18:51:58 beck Exp $ */ +/* $OpenBSD: ufs_inode.c,v 1.47 2024/07/13 14:37:56 beck Exp $ */ /* $NetBSD: ufs_inode.c,v 1.7 1996/05/11 18:27:52 mycroft Exp $ */ /* diff --git a/usr.bin/openssl/speed.c b/usr.bin/openssl/speed.c index f1916efe1..4e8814cea 100644 --- a/usr.bin/openssl/speed.c +++ b/usr.bin/openssl/speed.c @@ -1,4 +1,4 @@ -/* $OpenBSD: speed.c,v 1.37 2024/07/09 11:21:44 deraadt Exp $ */ +/* $OpenBSD: speed.c,v 1.39 2024/07/13 16:43:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -193,10 +193,6 @@ static void sig_done(int sig); static void sig_done(int sig) { - int save_errno = errno; - - signal(SIGALRM, sig_done); - errno = save_errno; run = 0; } @@ -435,6 +431,7 @@ speed_main(int argc, char **argv) const EVP_MD *evp_md = NULL; int decrypt = 0; int multi = 0; + struct sigaction sa; const char *errstr = NULL; if (pledge("stdio proc", NULL) == -1) { 
@@ -935,7 +932,12 @@ speed_main(int argc, char **argv) memset(rsa_c, 0, sizeof(rsa_c)); #define COND(c) (run && count<0x7fffffff) #define COUNT(d) (count) - signal(SIGALRM, sig_done); + + memset(&sa, 0, sizeof(sa)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sa.sa_handler = sig_done; + sigaction(SIGALRM, &sa, NULL); #ifndef OPENSSL_NO_MD4 if (doit[D_MD4]) { diff --git a/usr.bin/tmux/tmux.h b/usr.bin/tmux/tmux.h index fa84e9f6b..cc6c014b5 100644 --- a/usr.bin/tmux/tmux.h +++ b/usr.bin/tmux/tmux.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tmux.h,v 1.1218 2024/06/24 08:30:50 nicm Exp $ */ +/* $OpenBSD: tmux.h,v 1.1219 2024/07/12 11:21:18 nicm Exp $ */ /* * Copyright (c) 2007 Nicholas Marriott @@ -3267,6 +3267,7 @@ void session_renumber_windows(struct session *); /* utf8.c */ enum utf8_state utf8_towc (const struct utf8_data *, wchar_t *); +enum utf8_state utf8_fromwc(wchar_t wc, struct utf8_data *); int utf8_in_table(wchar_t, const wchar_t *, u_int); utf8_char utf8_build_one(u_char); enum utf8_state utf8_from_data(const struct utf8_data *, utf8_char *); diff --git a/usr.bin/tmux/tty-keys.c b/usr.bin/tmux/tty-keys.c index 5027876bb..9b0a1d120 100644 --- a/usr.bin/tmux/tty-keys.c +++ b/usr.bin/tmux/tty-keys.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty-keys.c,v 1.174 2024/06/24 08:30:50 nicm Exp $ */ +/* $OpenBSD: tty-keys.c,v 1.175 2024/07/12 11:21:18 nicm Exp $ */ /* * Copyright (c) 2007 Nicholas Marriott @@ -911,6 +911,8 @@ tty_keys_extended_key(struct tty *tty, const char *buf, size_t len, cc_t bspace; key_code nkey; key_code onlykey; + struct utf8_data ud; + utf8_char uc; *size = 0; @@ -960,6 +962,15 @@ tty_keys_extended_key(struct tty *tty, const char *buf, size_t len, else nkey = number; + /* Convert UTF-32 codepoint into internal representation. */ + if (nkey & ~0x7f) { + if (utf8_fromwc(nkey, &ud) == UTF8_DONE && + utf8_from_data(&ud, &uc) == UTF8_DONE) + nkey = uc; + else + return (-1); + } + /* Update the modifiers. */ if (modifiers > 0) { modifiers--; 
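Review bot: The return value of the added `sigaction(SIGALRM, &sa, NULL)` is discarded; if installing the handler fails, `run` is never cleared by the alarm and each timing loop only stops at its `count<0x7fffffff` bound, so `if (sigaction(SIGALRM, &sa, NULL) == -1)` followed by an error exit belongs here. The preceding `memset(&sa, 0, sizeof(sa))` already zeroes sa_mask, so `sigemptyset(&sa.sa_mask)` is redundant, though harmless. Whether `run` is declared `volatile sig_atomic_t`, as a flag written from sig_done() and read in `COND()` should be, is outside this hunk.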
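Review bot: `utf8_fromwc(nkey, &ud)` narrows a key_code to wchar_t implicitly, so a parsed `number` above the wchar_t range would be truncated before validation rather than rejected, and could land on a valid codepoint; an explicit guard ahead of the conversion, `if (nkey > 0x10ffff) return (-1);`, keeps the rejection visible and independent of what wctomb() happens to accept. Whether `number` is already bounded by the escape-sequence parser earlier in tty_keys_extended_key() is outside this hunk, as is the function's start.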
diff --git a/usr.bin/tmux/utf8.c b/usr.bin/tmux/utf8.c index c5b775a53..e6ad34407 100644 --- a/usr.bin/tmux/utf8.c +++ b/usr.bin/tmux/utf8.c @@ -1,4 +1,4 @@ -/* $OpenBSD: utf8.c,v 1.65 2024/05/24 12:41:24 nicm Exp $ */ +/* $OpenBSD: utf8.c,v 1.66 2024/07/12 11:21:18 nicm Exp $ */ /* * Copyright (c) 2008 Nicholas Marriott @@ -441,6 +441,28 @@ utf8_towc(const struct utf8_data *ud, wchar_t *wc) return (UTF8_DONE); } +/* Convert wide character to UTF-8 character. */ +enum utf8_state +utf8_fromwc(wchar_t wc, struct utf8_data *ud) +{ + int size, width; + + size = wctomb(ud->data, wc); + if (size < 0) { + log_debug("UTF-8 %d, wctomb() %d", wc, errno); + wctomb(NULL, 0); + return (UTF8_ERROR); + } + if (size == 0) + return (UTF8_ERROR); + ud->size = ud->have = size; + if (utf8_width(ud, &width) == UTF8_DONE) { + ud->width = width; + return (UTF8_DONE); + } + return (UTF8_ERROR); +} + /* * Open UTF-8 sequence. * diff --git a/usr.sbin/npppd/npppd/npppd_radius.c b/usr.sbin/npppd/npppd/npppd_radius.c index edc4c371d..af942902c 100644 --- a/usr.sbin/npppd/npppd/npppd_radius.c +++ b/usr.sbin/npppd/npppd/npppd_radius.c @@ -1,4 +1,4 @@ -/* $Id: npppd_radius.c,v 1.12 2024/07/11 14:05:59 yasuoka Exp $ */ +/* $Id: npppd_radius.c,v 1.13 2024/07/12 15:54:11 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. * All rights reserved. @@ -738,12 +738,9 @@ npppd_radius_dae_on_event(int fd, short ev, void *ctx) if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) { /* Code other than Disconnect-Request is not supported */ if (code == RADIUS_CODE_COA_REQUEST) { - log_printf(LOG_INFO, "received CoA-Request from %s", - addrport_tostring( - (struct sockaddr *)&ss, ss.ss_len, buf, - sizeof(buf))); code = RADIUS_CODE_COA_NAK; cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED; + nakcause = "Coa-Request is not supported"; goto send; } log_printf(LOG_WARNING, "radius received an invalid RADIUS " 
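Review bot: wctomb() writes up to MB_CUR_MAX bytes into `ud->data`, and nothing in utf8_fromwc() relates that to the capacity of `ud->data`; either a check such as `if (size < 0 || (size_t)size > sizeof(ud->data))` or a comment stating why the locale's MB_CUR_MAX can never exceed it would make the bound explicit. The debug message reads errno after a failed wctomb(), but the C standard does not require wctomb() to set errno, so that value may be stale; logging only `wc` avoids a misleading number. `ud->size = ud->have = size` likewise assumes the int fits those fields, which is presumably true for a UTF-8 locale but is not checked.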
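Review bot: The added NAK reason `nakcause = "Coa-Request is not supported";` spells the message type differently from RFC 5176 and from the `RADIUS_CODE_COA_REQUEST` constant two lines above it; as this text is presumably carried to the DAE client in the NAK, `nakcause = "CoA-Request is not supported";` reads better. With the LOG_INFO line removed, a rejected CoA-Request is visible only to the peer unless the common `send:` path logs the NAK; if it does not, one log line there would keep the event in the server's own records.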
@@ -760,16 +757,15 @@ npppd_radius_dae_on_event(int fd, short ev, void *ctx) if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr, sizeof(attr)) == 0 && strcmp(attr, _this->conf.nas_id) != 0) { cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH; - nakcause = "NAS Identification is mimatch"; + nakcause = "NAS Identifier is not matched"; goto search_done; } /* prepare User-Name attribute */ - memset(&username, 0, sizeof(username)); + memset(username, 0, sizeof(username)); radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username, sizeof(username)); - cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND; /* Our Session-Id is represented in "%08X%08x" (boot_id, ppp_id) */ snprintf(buf, sizeof(buf), "%08X", _this->boot_id); if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr, @@ -793,7 +789,7 @@ npppd_radius_dae_on_event(int fd, short ev, void *ctx) strcmp(username, ppp->username) != 0) { /* specified User-Name attribute is mismatched */ cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE; - nakcause = "User-Name is mismatched"; + nakcause = "User-Name is not matched"; goto search_done; } ppp_stop(ppp, reason); @@ -827,6 +823,8 @@ npppd_radius_dae_on_event(int fd, short ev, void *ctx) else { if (nakcause == NULL) nakcause = "session not found"; + if (cause == 0) + cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND; code = RADIUS_CODE_DISCONNECT_NAK; } send: diff --git a/usr.sbin/radiusd/parse.y b/usr.sbin/radiusd/parse.y index c43cd506d..c1aac39f4 100644 --- a/usr.sbin/radiusd/parse.y +++ b/usr.sbin/radiusd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.22 2024/07/10 16:30:43 yasuoka Exp $ */ +/* $OpenBSD: parse.y,v 1.23 2024/07/13 13:06:47 yasuoka Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer 
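Review bot: The new fallback `if (cause == 0) cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND;` relies on `cause` being 0 at its declaration now that the earlier hunk removed the unconditional default before the session search; that declaration is outside this hunk and worth confirming, and a comment such as `/* cause is 0 unless a search step set a more specific error */` would record the invariant. With the default moved here the NAS-Identifier mismatch and User-Name mismatch paths keep their own cause, which looks like the intended effect.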
@@ -135,7 +135,7 @@ include : INCLUDE STRING { listen : LISTEN ON listen_addr { struct radiusd_listen *n; - if ((n = malloc(sizeof(struct radiusd_listen))) + if ((n = calloc(1, sizeof(struct radiusd_listen))) == NULL) { outofmemory: yyerror("Out of memory: %s", strerror(errno)); @@ -917,7 +917,7 @@ parse_config(const char *filename, struct radiusd *radiusd) popfile(); if (TAILQ_EMPTY(&conf->listen)) { - if ((l = malloc(sizeof(struct radiusd_listen))) == NULL) { + if ((l = calloc(1, sizeof(struct radiusd_listen))) == NULL) { log_warn("Out of memory"); return (-1); } diff --git a/usr.sbin/radiusd/radiusd.c b/usr.sbin/radiusd/radiusd.c index 6825f8978..3409b25f2 100644 --- a/usr.sbin/radiusd/radiusd.c +++ b/usr.sbin/radiusd/radiusd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd.c,v 1.46 2024/07/10 16:30:43 yasuoka Exp $ */ +/* $OpenBSD: radiusd.c,v 1.47 2024/07/13 13:06:47 yasuoka Exp $ */ /* * Copyright (c) 2013, 2023 Internet Initiative Japan Inc. @@ -475,9 +475,9 @@ radiusd_listen_handle_packet(struct radiusd_listen *listn, } /* Check the request authenticator if accounting */ - if ((req_code == RADIUS_CODE_ACCOUNTING_REQUEST || - listn->accounting) && radius_check_accounting_request_authenticator( - packet, client->secret) != 0) { + if (req_code == RADIUS_CODE_ACCOUNTING_REQUEST && + radius_check_accounting_request_authenticator(packet, + client->secret) != 0) { log_warnx("Received %s(code=%d) from %s id=%d: bad request " "authenticator", radius_code_string(req_code), req_code, peerstr, req_id); diff --git a/usr.sbin/radiusd/radiusd_ipcp.c b/usr.sbin/radiusd/radiusd_ipcp.c index 581214590..1d28ddf65 100644 --- a/usr.sbin/radiusd/radiusd_ipcp.c +++ b/usr.sbin/radiusd/radiusd_ipcp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd_ipcp.c,v 1.3 2024/07/11 13:29:08 yasuoka Exp $ */ +/* $OpenBSD: radiusd_ipcp.c,v 1.4 2024/07/12 15:54:52 yasuoka Exp $ */ /* * Copyright (c) 2024 Internet Initiative Japan Inc. 
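Review bot: The rewritten condition verifies the Request Authenticator only for Accounting-Request, so any other code arriving on a listener marked `listn->accounting` now skips the check the old `|| listn->accounting` clause applied; Disconnect-Request and CoA-Request (RFC 5176) use the same authenticator construction, so if this listener can accept those codes the condition should also cover `req_code == RADIUS_CODE_DISCONNECT_REQUEST || req_code == RADIUS_CODE_COA_REQUEST`. If such codes are rejected before reaching this point, a comment on the new condition explaining why Accounting-Request is the only code that needs it would stop the narrowing from being read as an oversight. radiusd_listen_handle_packet() starts and ends outside the hunk.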
@@ -624,7 +624,7 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg) log_warnx("Disconnect seq=%u requested, but " "DAE is not configured", assign->seq); else { - log_info("Disconnect id=%u requested", + log_info("Disconnect seq=%u requested", assign->seq); if (assign->dae_ntry == 0) ipcp_dae_send_disconnect_request( diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index b811b485e..3f74142e4 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.224 2024/06/08 13:30:35 tb Exp $ */ +/* $OpenBSD: extern.h,v 1.225 2024/07/12 09:27:32 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -831,7 +831,8 @@ void proc_http(char *, int) __attribute__((noreturn)); void proc_rrdp(int) __attribute__((noreturn)); /* Repository handling */ -int filepath_add(struct filepath_tree *, char *, int, time_t); +int filepath_add(struct filepath_tree *, char *, int, time_t, int); +int filepath_valid(struct filepath_tree *, char *, int); void rrdp_clear(unsigned int); void rrdp_session_save(unsigned int, struct rrdp_session *); void rrdp_session_free(struct rrdp_session *); diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index 342548ce3..f722f9e95 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.260 2024/06/08 13:31:38 tb Exp $ */ +/* $OpenBSD: main.c,v 1.262 2024/07/12 09:27:32 claudio Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -577,7 +577,7 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, time_t mtime; unsigned int id; int talid; - int c; + int ok = 1; /* * For most of these, we first read whether there's any content 
@@ -595,7 +595,7 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, if (filemode) goto done; - if (filepath_add(&fpt, file, talid, mtime) == 0) { + if (filepath_valid(&fpt, file, talid)) { warnx("%s: File already visited", file); goto done; } @@ -611,8 +611,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, tal_free(tal); break; case RTYPE_CER: - io_read_buf(b, &c, sizeof(c)); - if (c == 0) { + io_read_buf(b, &ok, sizeof(ok)); + if (ok == 0) { repo_stat_inc(rp, talid, type, STYPE_FAIL); break; } @@ -633,8 +633,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, cert_free(cert); break; case RTYPE_MFT: - io_read_buf(b, &c, sizeof(c)); - if (c == 0) { + io_read_buf(b, &ok, sizeof(ok)); + if (ok == 0) { repo_stat_inc(rp, talid, type, STYPE_FAIL); break; } @@ -647,8 +647,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, entity_queue++; break; case RTYPE_ROA: - io_read_buf(b, &c, sizeof(c)); - if (c == 0) { + io_read_buf(b, &ok, sizeof(ok)); + if (ok == 0) { repo_stat_inc(rp, talid, type, STYPE_FAIL); break; } @@ -662,8 +662,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, case RTYPE_GBR: break; case RTYPE_ASPA: - io_read_buf(b, &c, sizeof(c)); - if (c == 0) { + io_read_buf(b, &ok, sizeof(ok)); + if (ok == 0) { repo_stat_inc(rp, talid, type, STYPE_FAIL); break; } @@ -675,8 +675,8 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, aspa_free(aspa); break; case RTYPE_SPL: - io_read_buf(b, &c, sizeof(c)); - if (c == 0) { + io_read_buf(b, &ok, sizeof(ok)); + if (ok == 0) { if (experimental) repo_stat_inc(rp, talid, type, STYPE_FAIL); break; @@ -697,6 +697,9 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree, break; } + if (filepath_add(&fpt, file, talid, mtime, ok) == 0) + errx(1, "%s: File already in tree", file); + done: free(file); entity_queue--; 
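Review bot: The added `errx(1, "%s: File already in tree", file)` turns a condition the check at the top of the function handles with a warning and `goto done` into a fatal exit of the validator; whether filepath_add() can return 0 for a file recorded earlier with `ok == 0` (talmask bit clear, so filepath_valid() let it through) is decided in repo.c outside this hunk and worth confirming, since that would abort the whole run on a re-visited file. If the two tree operations are meant to be paired, a short comment here, e.g. `/* filepath_valid() above ensures the entry is new or was not valid for this TAL */`, would document the invariant. entity_process() starts outside the hunk.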
diff --git a/usr.sbin/rpki-client/repo.c b/usr.sbin/rpki-client/repo.c index 0dd47cd0b..ce97015ae 100644 --- a/usr.sbin/rpki-client/repo.c +++ b/usr.sbin/rpki-client/repo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: repo.c,v 1.60 2024/06/07 08:22:53 claudio Exp $ */ +/* $OpenBSD: repo.c,v 1.61 2024/07/12 09:27:32 claudio Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -133,7 +133,8 @@ RB_PROTOTYPE(filepath_tree, filepath, entry, filepathcmp); * Functions to lookup which files have been accessed during computation. */ int -filepath_add(struct filepath_tree *tree, char *file, int id, time_t mtime) +filepath_add(struct filepath_tree *tree, char *file, int id, time_t mtime, + int ok) { struct filepath *fp, *rfp; @@ -154,7 +155,8 @@ filepath_add(struct filepath_tree *tree, char *file, int id, time_t mtime) return 0; fp = rfp; } - fp->talmask |= (1 << id); + if (ok) + fp->talmask |= (1 << id); return 1; } @@ -179,6 +181,19 @@ filepath_exists(struct filepath_tree *tree, char *file) return filepath_find(tree, file) != NULL; } +/* + * Returns true if file exists and the id bit is set and ok flag is true. + */ +int +filepath_valid(struct filepath_tree *tree, char *file, int id) +{ + struct filepath *fp; + + if ((fp = filepath_find(tree, file)) == NULL) + return 0; + return (fp->talmask & (1 << id)) != 0; +} + /* * Remove entry from tree and free it. */ @@ -922,7 +937,7 @@ rrdp_handle_file(unsigned int id, enum publish_type pt, char *uri, /* write new content or mark uri as deleted. */ if (pt == PUB_DEL) { - filepath_add(&rr->deleted, uri, 0, 0); + filepath_add(&rr->deleted, uri, 0, 0, 1); } else { fp = filepath_find(&rr->deleted, uri); if (fp != NULL) { @@ -1630,7 +1645,7 @@ repo_cleanup_rrdp(struct filepath_tree *tree) static void repo_move_valid(struct filepath_tree *tree) { - struct filepath *fp, *nfp; + struct filepath *fp, *nfp, *ofp; size_t rsyncsz = strlen(".rsync/"); size_t rrdpsz = strlen(".rrdp/"); size_t tasz = strlen(".ta/"); 
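Review bot: The comment above filepath_valid() says it returns true when the "ok flag is true", but the function has no ok parameter; what it tests is the id bit in `fp->talmask`, which filepath_add() now sets only when its `ok` argument is non-zero. Rewording it to `/* Returns true if file exists and was recorded as valid for this id (talmask bit set). */` describes the visible behaviour. The `1 << id` shift appears in both functions; the one in filepath_add() is pre-existing, but a note on the valid range of id would help, since shifting an int by 31 or more is undefined.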
@@ -1677,20 +1692,33 @@ repo_move_valid(struct filepath_tree *tree) if (repo_mkpath(AT_FDCWD, fn) == -1) continue; - if (rename(fp->file, fn) == -1) { - warn("rename %s", fp->file); - continue; - } - /* switch filepath node to new path */ RB_REMOVE(filepath_tree, tree, fp); base = fp->file; if ((fp->file = strdup(fn)) == NULL) err(1, NULL); + + again: + if ((ofp = RB_INSERT(filepath_tree, tree, fp)) != NULL) { + if (ofp->talmask == 0) { + /* conflicting path is not valid, drop it */ + filepath_put(tree, ofp); + goto again; + } + if (fp->talmask != 0) { + warnx("%s: file already present in " + "validated cache", fp->file); + } + free(fp->file); + free(fp); + free(base); + continue; + } + + if (rename(base, fp->file) == -1) + warn("rename to %s", fp->file); + free(base); - if (RB_INSERT(filepath_tree, tree, fp) != NULL) - errx(1, "%s: both possibilities of file present", - fp->file); } } diff --git a/usr.sbin/vmd/mmio.c b/usr.sbin/vmd/mmio.c deleted file mode 100644 index e69de29bb..000000000 diff --git a/usr.sbin/vmd/vionet.c b/usr.sbin/vmd/vionet.c index 4e4e2d98b..8a82e3022 100644 --- a/usr.sbin/vmd/vionet.c +++ b/usr.sbin/vmd/vionet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vionet.c,v 1.15 2024/07/09 18:49:05 jan Exp $ */ +/* $OpenBSD: vionet.c,v 1.16 2024/07/12 14:34:08 jan Exp $ */ /* * Copyright (c) 2023 Dave Voutila @@ -805,10 +805,8 @@ vionet_tx(struct virtio_dev *dev) } /* Check if we've got a minimum viable amount of data. */ - if (chain_len < VIONET_MIN_TXLEN) { - sz = chain_len; + if (chain_len < VIONET_MIN_TXLEN) goto drop; - } /* * Packet inspection for ethernet header (if using a "local" @@ -832,7 +830,6 @@ vionet_tx(struct virtio_dev *dev) log_warnx("%s: bad source address %s", __func__, ether_ntoa((struct ether_addr *) eh->ether_shost)); - sz = chain_len; goto drop; } } 
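Review bot: `filepath_put(tree, ofp)` on the `ofp->talmask == 0` branch frees a tree node while the enclosing loop is iterating; if that loop is RB_FOREACH_SAFE with `nfp` as the saved next node, as the `*fp, *nfp` declaration in the previous hunk suggests, ofp can be exactly nfp and the next iteration would touch freed memory, so advance the saved pointer first: `if (ofp == nfp) nfp = RB_NEXT(filepath_tree, tree, nfp);` before the put. The new placement of rename() also means a failed rename leaves the node in the tree under the new path while the file is still at `base`, where the old code bailed out before touching the tree; if the tree is later used to decide what the validated cache contains, dropping the entry with filepath_put() on failure would keep the two in step. The loop head and the end of repo_move_valid() are outside the hunk.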
@@ -852,10 +849,10 @@ vionet_tx(struct virtio_dev *dev) log_warn("%s", __func__); goto reset; } - sz += sizeof(struct virtio_net_hdr); + chain_len += sizeof(struct virtio_net_hdr); drop: used->ring[used->idx & VIONET_QUEUE_MASK].id = hdr_idx; - used->ring[used->idx & VIONET_QUEUE_MASK].len = sz; + used->ring[used->idx & VIONET_QUEUE_MASK].len = chain_len; __sync_synchronize(); used->idx++; idx++; diff --git a/usr.sbin/vmd/vmm.h b/usr.sbin/vmd/vmm.h index 214d41d01..bda0ff266 100644 --- a/usr.sbin/vmd/vmm.h +++ b/usr.sbin/vmd/vmm.h @@ -1,3 +1,4 @@ +/* $OpenBSD: vmm.h,v 1.7 2024/07/13 16:13:45 dv Exp $ */ /* * Copyright (c) 2016 Mike Larkin * diff --git a/usr.sbin/vmd/x86_vm.c b/usr.sbin/vmd/x86_vm.c index c6c4b2a9e..d0caf98dd 100644 --- a/usr.sbin/vmd/x86_vm.c +++ b/usr.sbin/vmd/x86_vm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x86_vm.c,v 1.1 2024/07/10 10:41:19 dv Exp $ */ +/* $OpenBSD: x86_vm.c,v 1.2 2024/07/12 13:51:12 dv Exp $ */ /* * Copyright (c) 2015 Mike Larkin * @@ -674,7 +674,6 @@ vcpu_exit_eptviolation(struct vm_run_params *vrp) #endif /* MMIO_NOTYET */ switch (ve->vee.vee_fault_type) { case VEE_FAULT_HANDLED: - log_debug("%s: fault already handled", __func__); break; #if MMIO_NOTYET