SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync with OpenBSD -current

Browse source
This commit is contained in:
purplerain 2024-08-29 19:02:09 +00:00
parent bf0d2e284c
commit c0feaae94d
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
70 changed files with 792 additions and 1025 deletions
Download patch file Download diff file Expand all files Collapse all files

4
etc/examples/bgpd.conf
View file

@ -1,4 +1,4 @@
# $OpenBSD: bgpd.conf,v 1.24 2024/07/24 19:28:37 job Exp $
# $OpenBSD: bgpd.conf,v 1.25 2024/08/29 12:58:57 claudio Exp $
# example bgpd configuration file, see bgpd.conf(5)
# define our own ASN as a macro
@ -39,7 +39,7 @@ prefix-set bogons {
2001:db8::/32 or-longer # docu range [RFC3849]
2002::/16 or-longer # 6to4 anycast relay [RFC7526]
3ffe::/16 or-longer # old 6bone
3fff::/20 or-longer # docu range [draft-ietf-v6ops-rfc3849-update]
3fff::/20 or-longer # docu range [RFC9637]
5f00::/16 or-longer # segment routing SRv6 SIDs [RFC9602]
fc00::/7 or-longer # unique local unicast
fe80::/10 or-longer # link local unicast

4
games/hunt/huntd/conf.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: conf.c,v 1.14 2022/08/08 17:57:05 op Exp $ */
/* $OpenBSD: conf.c,v 1.15 2024/08/28 15:51:01 op Exp $ */
/* David Leonard <d@openbsd.org>, 1999. Public domain. */
#include <sys/select.h>
@ -252,7 +252,7 @@ load_config(FILE *f, char *fnm)
size_t linesize = 0;
ssize_t linelen;
while ((linelen = getline(&line, &linesize, stdin)) != -1) {
while ((linelen = getline(&line, &linesize, f)) != -1) {
lineno++;
if (line[linelen - 1] == '\n')
line[linelen - 1] = '\0';

3
lib/libcrypto/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.202 2024/08/10 06:41:49 tb Exp $
# $OpenBSD: Makefile,v 1.203 2024/08/28 07:15:04 tb Exp $
LIB= crypto
LIBREBUILD=y
@ -589,6 +589,7 @@ SRCS+= x509_purp.c
SRCS+= x509_r2x.c
SRCS+= x509_req.c
SRCS+= x509_set.c
SRCS+= x509_siginfo.c
SRCS+= x509_skey.c
SRCS+= x509_trs.c
SRCS+= x509_txt.c

8
lib/libcrypto/arch/aarch64/arm64cap.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: arm64cap.c,v 1.3 2023/07/26 09:57:34 jsing Exp $ */
/* $OpenBSD: arm64cap.c,v 1.4 2024/08/29 03:30:05 deraadt Exp $ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -63,7 +63,11 @@ OPENSSL_cpuid_setup(void)
static sigset_t all_masked;
static sigjmp_buf ill_jmp;
static void ill_handler (int sig) { siglongjmp(ill_jmp, sig);
static void
ill_handler(int sig)
{
siglongjmp(ill_jmp, sig);
}
/*

8
lib/libcrypto/arch/arm/armcap.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: armcap.c,v 1.2 2023/07/26 09:57:34 jsing Exp $ */
/* $OpenBSD: armcap.c,v 1.3 2024/08/29 03:30:05 deraadt Exp $ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -14,7 +14,11 @@ unsigned int OPENSSL_armcap_P;
static sigset_t all_masked;
static sigjmp_buf ill_jmp;
static void ill_handler (int sig) { siglongjmp(ill_jmp, sig);
static void
ill_handler(int sig)
{
siglongjmp(ill_jmp, sig);
}
/*

20
lib/libcrypto/asn1/t_x509.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: t_x509.c,v 1.45 2024/04/09 13:55:02 beck Exp $ */
/* $OpenBSD: t_x509.c,v 1.46 2024/08/28 06:17:06 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
#include <limits.h>
#include <stdio.h>
#include <openssl/opensslconf.h>
@ -155,8 +156,21 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
bs = X509_get_serialNumber(x);
l = -1;
if (bs->length <= (int)sizeof(long))
l = ASN1_INTEGER_get(bs);
/*
* For historical reasons, non-negative serial numbers are
* printed in decimal as long as they fit into a long. Using
* ASN1_INTEGER_get_uint64() avoids an error on the stack for
* numbers between LONG_MAX and ULONG_MAX. Otherwise fall back
* to hexadecimal, also for numbers that are non-conformant
* (negative or larger than 2^159 - 1).
*/
if (bs->length <= sizeof(long) && bs->type == V_ASN1_INTEGER) {
uint64_t u64;
if (ASN1_INTEGER_get_uint64(&u64, bs) && u64 <= LONG_MAX)
l = (long)u64;
}
if (l >= 0) {
if (BIO_printf(bp, " %ld (0x%lx)\n", l, l) <= 0)
goto err;

4
lib/libcrypto/conf/conf_def.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: conf_def.c,v 1.36 2024/08/24 12:08:49 tb Exp $ */
/* $OpenBSD: conf_def.c,v 1.37 2024/08/28 15:48:33 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -85,7 +85,7 @@ def_create(CONF_METHOD *meth)
{
CONF *ret;
ret = malloc(sizeof(CONF) + sizeof(unsigned short *));
ret = calloc(1, sizeof(CONF) + sizeof(unsigned short *));
if (ret)
if (meth->init(ret) == 0) {
free(ret);

32
lib/libcrypto/dh/dh_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dh_ameth.c,v 1.40 2024/01/04 17:01:26 tb Exp $ */
/* $OpenBSD: dh_ameth.c,v 1.41 2024/08/29 16:58:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -496,32 +496,6 @@ DHparams_print_fp(FILE *fp, const DH *x)
}
LCRYPTO_ALIAS(DHparams_print_fp);
static int
dh_pkey_public_check(const EVP_PKEY *pkey)
{
DH *dh = pkey->pkey.dh;
if (dh->pub_key == NULL) {
DHerror(DH_R_MISSING_PUBKEY);
return 0;
}
return DH_check_pub_key_ex(dh, dh->pub_key);
}
static int
dh_pkey_param_check(const EVP_PKEY *pkey)
{
DH *dh = pkey->pkey.dh;
/*
* It would have made more sense to support EVP_PKEY_check() for DH
* keys and call DH_check_ex() there and keeping this as a wrapper
* for DH_param_check_ex(). We follow OpenSSL's choice.
*/
return DH_check_ex(dh);
}
const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
.base_method = &dh_asn1_meth,
.pkey_id = EVP_PKEY_DH,
@ -550,8 +524,4 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
.param_print = dh_param_print,
.pkey_free = dh_free,
.pkey_check = NULL,
.pkey_public_check = dh_pkey_public_check,
.pkey_param_check = dh_pkey_param_check,
};

41
lib/libcrypto/ec/ec_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_ameth.c,v 1.68 2024/05/10 05:12:03 tb Exp $ */
/* $OpenBSD: ec_ameth.c,v 1.69 2024/08/29 16:58:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -689,41 +689,6 @@ ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
}
static int
ec_pkey_check(const EVP_PKEY *pkey)
{
EC_KEY *eckey = pkey->pkey.ec;
if (eckey->priv_key == NULL) {
ECerror(EC_R_MISSING_PRIVATE_KEY);
return 0;
}
return EC_KEY_check_key(eckey);
}
static int
ec_pkey_public_check(const EVP_PKEY *pkey)
{
EC_KEY *eckey = pkey->pkey.ec;
/* This also checks the private key, but oh, well... */
return EC_KEY_check_key(eckey);
}
static int
ec_pkey_param_check(const EVP_PKEY *pkey)
{
EC_KEY *eckey = pkey->pkey.ec;
if (eckey->group == NULL) {
ECerror(EC_R_MISSING_PARAMETERS);
return 0;
}
return EC_GROUP_check(eckey->group, NULL);
}
#ifndef OPENSSL_NO_CMS
static int
@ -1092,8 +1057,4 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
.pkey_ctrl = ec_pkey_ctrl,
.old_priv_decode = old_ec_priv_decode,
.old_priv_encode = old_ec_priv_encode,
.pkey_check = ec_pkey_check,
.pkey_public_check = ec_pkey_public_check,
.pkey_param_check = ec_pkey_param_check,
};

22
lib/libcrypto/ec/ecx_methods.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ecx_methods.c,v 1.13 2024/04/02 04:04:07 tb Exp $ */
/* $OpenBSD: ecx_methods.c,v 1.14 2024/08/28 07:15:04 tb Exp $ */
/*
* Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
*
@ -509,6 +509,24 @@ ecx_security_bits(const EVP_PKEY *pkey)
return 0;
}
static int
ecx_signature_info(const X509_ALGOR *algor, int *md_nid, int *pkey_nid,
int *security_bits, uint32_t *flags)
{
const ASN1_OBJECT *aobj;
X509_ALGOR_get0(&aobj, NULL, NULL, algor);
if (OBJ_obj2nid(aobj) != EVP_PKEY_ED25519)
return 0;
*md_nid = NID_undef;
*pkey_nid = NID_ED25519;
*security_bits = ED25519_SECURITY_BITS;
*flags = X509_SIG_INFO_TLS | X509_SIG_INFO_VALID;
return 1;
}
static int
ecx_param_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2)
{
@ -929,6 +947,8 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
.pkey_bits = ecx_bits,
.pkey_security_bits = ecx_security_bits,
.signature_info = ecx_signature_info,
.param_cmp = ecx_param_cmp,
.pkey_free = ecx_free,

13
lib/libcrypto/evp/evp_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: evp_local.h,v 1.23 2024/08/22 12:24:24 tb Exp $ */
/* $OpenBSD: evp_local.h,v 1.25 2024/08/29 16:58:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@ -112,6 +112,9 @@ struct evp_pkey_asn1_method_st {
int (*pkey_bits)(const EVP_PKEY *pk);
int (*pkey_security_bits)(const EVP_PKEY *pk);
int (*signature_info)(const X509_ALGOR *sig_alg, int *out_md_nid,
int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags);
int (*param_decode)(EVP_PKEY *pkey, const unsigned char **pder,
int derlen);
int (*param_encode)(const EVP_PKEY *pkey, unsigned char **pder);
@ -137,10 +140,6 @@ struct evp_pkey_asn1_method_st {
int (*item_sign)(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig);
int (*pkey_check)(const EVP_PKEY *pk);
int (*pkey_public_check)(const EVP_PKEY *pk);
int (*pkey_param_check)(const EVP_PKEY *pk);
int (*set_priv_key)(EVP_PKEY *pk, const unsigned char *private_key,
size_t len);
int (*set_pub_key)(EVP_PKEY *pk, const unsigned char *public_key,
@ -319,10 +318,6 @@ struct evp_pkey_method_st {
const unsigned char *tbs, size_t tbslen);
int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen, const unsigned char *tbs, size_t tbslen);
int (*check)(EVP_PKEY *pkey);
int (*public_check)(EVP_PKEY *pkey);
int (*param_check)(EVP_PKEY *pkey);
} /* EVP_PKEY_METHOD */;
void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);

60
lib/libcrypto/evp/pmeth_gn.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: pmeth_gn.c,v 1.19 2024/04/17 08:24:11 tb Exp $ */
/* $OpenBSD: pmeth_gn.c,v 1.20 2024/08/29 16:58:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -226,68 +226,30 @@ merr:
}
LCRYPTO_ALIAS(EVP_PKEY_new_mac_key);
/*
* XXX - remove the API below in the next bump.
*/
int
EVP_PKEY_check(EVP_PKEY_CTX *ctx)
{
EVP_PKEY *pkey;
if ((pkey = ctx->pkey) == NULL) {
EVPerror(EVP_R_NO_KEY_SET);
return 0;
}
if (ctx->pmeth->check != NULL)
return ctx->pmeth->check(pkey);
if (pkey->ameth == NULL || pkey->ameth->pkey_check == NULL) {
EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
return pkey->ameth->pkey_check(pkey);
EVPerror(ERR_R_DISABLED);
return -2;
}
LCRYPTO_ALIAS(EVP_PKEY_check);
int
EVP_PKEY_public_check(EVP_PKEY_CTX *ctx)
{
EVP_PKEY *pkey;
if ((pkey = ctx->pkey) == NULL) {
EVPerror(EVP_R_NO_KEY_SET);
return 0;
}
if (ctx->pmeth->public_check != NULL)
return ctx->pmeth->public_check(pkey);
if (pkey->ameth == NULL || pkey->ameth->pkey_public_check == NULL) {
EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
return pkey->ameth->pkey_public_check(pkey);
EVPerror(ERR_R_DISABLED);
return -2;
}
LCRYPTO_ALIAS(EVP_PKEY_public_check);
int
EVP_PKEY_param_check(EVP_PKEY_CTX *ctx)
{
EVP_PKEY *pkey;
if ((pkey = ctx->pkey) == NULL) {
EVPerror(EVP_R_NO_KEY_SET);
return 0;
}
if (ctx->pmeth->param_check != NULL)
return ctx->pmeth->param_check(pkey);
if (pkey->ameth == NULL || pkey->ameth->pkey_param_check == NULL) {
EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return -2;
}
return pkey->ameth->pkey_param_check(pkey);
EVPerror(ERR_R_DISABLED);
return -2;
}
LCRYPTO_ALIAS(EVP_PKEY_param_check);

3
lib/libcrypto/hidden/openssl/x509.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509.h,v 1.9 2024/07/26 13:34:56 tb Exp $ */
/* $OpenBSD: x509.h,v 1.10 2024/08/28 08:41:18 tb Exp $ */
/*
* Copyright (c) 2022 Bob Beck <beck@openbsd.org>
*
@ -387,6 +387,7 @@ LCRYPTO_USED(X509_get_ex_data);
LCRYPTO_USED(i2d_X509_AUX);
LCRYPTO_USED(d2i_X509_AUX);
LCRYPTO_USED(i2d_re_X509_tbs);
LCRYPTO_USED(X509_get_signature_info);
LCRYPTO_USED(X509_get0_signature);
LCRYPTO_USED(X509_get_signature_nid);
LCRYPTO_USED(X509_alias_set1);

14
lib/libcrypto/hidden/openssl/x509v3.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509v3.h,v 1.9 2024/07/08 17:01:54 beck Exp $ */
/* $OpenBSD: x509v3.h,v 1.12 2024/08/28 08:59:03 tb Exp $ */
/*
* Copyright (c) 2022 Bob Beck <beck@openbsd.org>
*
@ -139,17 +139,17 @@ LCRYPTO_USED(X509V3_EXT_REQ_add_nconf);
LCRYPTO_USED(X509V3_EXT_CRL_add_nconf);
LCRYPTO_USED(X509V3_EXT_conf_nid);
LCRYPTO_USED(X509V3_EXT_conf);
LCRYPTO_USED(X509V3_EXT_add_conf);
LCRYPTO_USED(X509V3_EXT_REQ_add_conf);
LCRYPTO_USED(X509V3_EXT_CRL_add_conf);
LCRYPTO_UNUSED(X509V3_EXT_add_conf);
LCRYPTO_UNUSED(X509V3_EXT_REQ_add_conf);
LCRYPTO_UNUSED(X509V3_EXT_CRL_add_conf);
LCRYPTO_USED(X509V3_add_value_bool_nf);
LCRYPTO_USED(X509V3_get_value_bool);
LCRYPTO_USED(X509V3_get_value_int);
LCRYPTO_USED(X509V3_set_nconf);
LCRYPTO_USED(X509V3_set_conf_lhash);
LCRYPTO_USED(X509V3_get_string);
LCRYPTO_UNUSED(X509V3_set_conf_lhash);
LCRYPTO_UNUSED(X509V3_get_string);
LCRYPTO_USED(X509V3_get_section);
LCRYPTO_USED(X509V3_string_free);
LCRYPTO_UNUSED(X509V3_string_free);
LCRYPTO_USED(X509V3_section_free);
LCRYPTO_USED(X509V3_set_ctx);
LCRYPTO_USED(X509V3_add_value);

73
lib/libcrypto/man/X509_get0_signature.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: X509_get0_signature.3,v 1.8 2023/03/16 12:01:47 job Exp $
.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $
.\" selective merge up to:
.\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
.\"
@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 16 2023 $
.Dd $Mdocdate: August 28 2024 $
.Dt X509_GET0_SIGNATURE 3
.Os
.Sh NAME
@ -78,7 +78,8 @@
.Nm X509_get_signature_type ,
.Nm X509_get_signature_nid ,
.Nm X509_REQ_get_signature_nid ,
.Nm X509_CRL_get_signature_nid
.Nm X509_CRL_get_signature_nid ,
.Nm X509_get_signature_info
.Nd signature information
.Sh SYNOPSIS
.In openssl/x509.h
@ -124,6 +125,14 @@
.Fo X509_CRL_get_signature_nid
.Fa "const X509_CRL *crl"
.Fc
.Ft int
.Fo X509_get_signature_info
.Fa "X509 *x"
.Fa "int *md_nid"
.Fa "int *pkey_nid"
.Fa "int *security_bits"
.Fa "uint32_t *flags"
.Fc
.Sh DESCRIPTION
.Fn X509_get0_signature ,
.Fn X509_REQ_get0_signature ,
@ -170,6 +179,51 @@ respectively, just like
.Xr EVP_PKEY_id 3
does.
.Pp
.Fn X509_get_signature_info
retrieves information about the signature of certificate
.Fa x .
The NID of the digest algorithm is written to
.Pf * Fa md_nid ,
the public key algorithm to
.Pf * Fa pkey_nid ,
the effective security bits to
.Pf * Fa security_bits ,
and flag details to
.Pf * Fa flags .
Any of the output parameters can be set to
.Dv NULL
if the information is not required.
If
.Fa flags
is not a
.Dv NULL
pointer,
.Pf * Fa flags
is set to the bitwise OR of:
.Bl -tag -width 1n -offset 3n
.It Dv X509_SIG_INFO_VALID
No error occurred.
This flag is set if
.Fn X509_get_signature_info
returns 1.
.It Dv X509_SIG_INFO_TLS
The signature algorithm is appropriate for use in TLS.
For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
this flag is always set.
For an RSASSA-PSS PSS algorithm this flag is set if
the parameters are DER encoded,
the digest algorithm is one of SHA256, SHA384, or SHA512,
the same digest algorithm is used in the mask generation function,
and the salt length is equal to the digest algorithm's output length.
For all other signature algorithms this flag is set if the digest
algorithm is one of SHA1, SHA256, SHA384, or SHA512.
.El
.Pp
.Fn X509_get_signature_info
returns 1 on success and 0 on failure.
Failure conditions include unsupported signature algorithms,
certificate parsing errors and memory allocation failure.
.Pp
These functions provide lower level access to the signature
for cases where an application wishes to analyse or generate a
signature in a form where
@ -211,3 +265,16 @@ All these functions have been available since
.Fn X509_CRL_get0_tbs_sigalg
first appeared in LibreSSL 3.7.1 and has been available since
.Ox 7.3 .
.Pp
.Fn X509_get_signature_info
first appeared in OpenSSL 1.1.1 and has been available since
.Ox 7.6 .
.Sh CAVEATS
The security bits returned by
.Fn X509_get_signature_info
refer to the information available from the certificate signature
(such as the signing digest).
In some cases the actual security of the signature is smaller
because the signing key is less secure.
For example in a certificate signed using SHA512
and a 1024-bit RSA key.

4
lib/libcrypto/objects/obj_xref.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: obj_xref.c,v 1.14 2024/01/27 16:08:43 tb Exp $ */
/* $OpenBSD: obj_xref.c,v 1.15 2024/08/28 06:53:24 tb Exp $ */
/*
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@ -178,7 +178,7 @@ static const struct {
{
.sign_nid = NID_rsassaPss,
.hash_nid = NID_undef,
.pkey_nid = NID_rsaEncryption,
.pkey_nid = NID_rsassaPss,
},
{
.sign_nid = NID_id_tc26_signwithdigest_gost3410_2012_256,

42
lib/libcrypto/ocsp/ocsp_lib.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ocsp_lib.c,v 1.26 2023/07/08 10:44:00 beck Exp $ */
/* $OpenBSD: ocsp_lib.c,v 1.28 2024/08/28 06:27:19 tb Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@ -75,6 +75,7 @@
#include <openssl/x509v3.h>
#include "ocsp_local.h"
#include "x509_local.h"
/* Convert a certificate and its issuer to an OCSP_CERTID */
@ -109,50 +110,44 @@ OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName,
{
int nid;
unsigned int i;
X509_ALGOR *alg;
OCSP_CERTID *cid = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
if (!(cid = OCSP_CERTID_new()))
if ((cid = OCSP_CERTID_new()) == NULL)
goto err;
alg = cid->hashAlgorithm;
if (alg->algorithm != NULL)
ASN1_OBJECT_free(alg->algorithm);
if ((nid = EVP_MD_type(dgst)) == NID_undef) {
OCSPerror(OCSP_R_UNKNOWN_NID);
goto err;
}
if (!(alg->algorithm = OBJ_nid2obj(nid)))
if (!X509_ALGOR_set0_by_nid(cid->hashAlgorithm, nid, V_ASN1_NULL, NULL))
goto err;
if ((alg->parameter = ASN1_TYPE_new()) == NULL)
goto err;
alg->parameter->type = V_ASN1_NULL;
if (!X509_NAME_digest(issuerName, dgst, md, &i))
goto digerr;
if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
if (!X509_NAME_digest(issuerName, dgst, md, &i)) {
OCSPerror(OCSP_R_DIGEST_ERR);
goto err;
}
if (!ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))
goto err;
/* Calculate the issuerKey hash, excluding tag and length */
if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
goto err;
if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
if (!ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))
goto err;
if (serialNumber) {
if (serialNumber != NULL) {
ASN1_INTEGER_free(cid->serialNumber);
if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
if ((cid->serialNumber = ASN1_INTEGER_dup(serialNumber)) == NULL)
goto err;
}
return cid;
digerr:
OCSPerror(OCSP_R_DIGEST_ERR);
err:
if (cid)
OCSP_CERTID_free(cid);
err:
OCSP_CERTID_free(cid);
return NULL;
}
LCRYPTO_ALIAS(OCSP_cert_id_new);
@ -162,6 +157,11 @@ OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
{
int ret;
/*
* XXX - should we really ignore parameters here? We probably need to
* consider omitted parameters and explicit ASN.1 NULL as equal for
* the SHAs, so don't blindly switch to X509_ALGOR_cmp().
*/
ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
if (ret)
return ret;

8
lib/libcrypto/ocsp/ocsp_prn.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ocsp_prn.c,v 1.10 2023/07/08 10:44:00 beck Exp $ */
/* $OpenBSD: ocsp_prn.c,v 1.11 2024/08/28 06:18:44 tb Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@ -65,16 +65,20 @@
#include <openssl/err.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include "ocsp_local.h"
static int
ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
{
const ASN1_OBJECT *aobj;
BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
indent += 2;
BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
X509_ALGOR_get0(&aobj, NULL, NULL, a->hashAlgorithm);
i2a_ASN1_OBJECT(bp, aobj);
BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");

66
lib/libcrypto/rsa/rsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_ameth.c,v 1.58 2024/03/17 07:10:00 tb Exp $ */
/* $OpenBSD: rsa_ameth.c,v 1.60 2024/08/29 16:58:19 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -845,6 +845,58 @@ rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd,
return 1;
}
static int
rsa_pss_signature_info(const X509_ALGOR *alg, int *out_md_nid,
int *out_pkey_nid, int *out_security_bits, uint32_t *out_flags)
{
RSA_PSS_PARAMS *pss = NULL;
const ASN1_OBJECT *aobj;
const EVP_MD *md, *mgf1md;
int md_len, salt_len;
int md_nid = NID_undef, pkey_nid = NID_undef;
int security_bits = -1;
uint32_t flags = 0;
X509_ALGOR_get0(&aobj, NULL, NULL, alg);
if (OBJ_obj2nid(aobj) != EVP_PKEY_RSA_PSS)
goto err;
if ((pss = rsa_pss_decode(alg)) == NULL)
goto err;
if (!rsa_pss_get_param(pss, &md, &mgf1md, &salt_len))
goto err;
if ((md_nid = EVP_MD_type(md)) == NID_undef)
goto err;
if ((md_len = EVP_MD_size(md)) <= 0)
goto err;
/*
* RFC 8446, section 4.2.3 - restricts the digest algorithm:
* - it must be one of SHA256, SHA384, and SHA512;
* - the same digest must be used in the mask generation function;
* - the salt length must match the output length of the digest.
* XXX - consider separate flags for these checks.
*/
if (md_nid == NID_sha256 || md_nid == NID_sha384 || md_nid == NID_sha512) {
if (md_nid == EVP_MD_type(mgf1md) && salt_len == md_len)
flags |= X509_SIG_INFO_TLS;
}
security_bits = md_len * 4;
flags |= X509_SIG_INFO_VALID;
*out_md_nid = md_nid;
*out_pkey_nid = pkey_nid;
*out_security_bits = security_bits;
*out_flags = flags;
err:
RSA_PSS_PARAMS_free(pss);
return (flags & X509_SIG_INFO_VALID) != 0;
}
#ifndef OPENSSL_NO_CMS
static int
rsa_cms_verify(CMS_SignerInfo *si)
@ -1030,12 +1082,6 @@ rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
return 2;
}
static int
rsa_pkey_check(const EVP_PKEY *pkey)
{
return RSA_check_key(pkey->pkey.rsa);
}
#ifndef OPENSSL_NO_CMS
static RSA_OAEP_PARAMS *
rsa_oaep_decode(const X509_ALGOR *alg)
@ -1183,16 +1229,12 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
.old_priv_encode = old_rsa_priv_encode,
.item_verify = rsa_item_verify,
.item_sign = rsa_item_sign,
.pkey_check = rsa_pkey_check,
};
const EVP_PKEY_ASN1_METHOD rsa2_asn1_meth = {
.base_method = &rsa_asn1_meth,
.pkey_id = EVP_PKEY_RSA2,
.pkey_flags = ASN1_PKEY_ALIAS,
.pkey_check = rsa_pkey_check,
};
const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
@ -1216,6 +1258,8 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
.pkey_bits = rsa_bits,
.pkey_security_bits = rsa_security_bits,
.signature_info = rsa_pss_signature_info,
.sig_print = rsa_sig_print,
.pkey_free = rsa_free,

10
lib/libcrypto/x509/x509.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509.h,v 1.112 2024/06/12 03:55:46 tb Exp $ */
/* $OpenBSD: x509.h,v 1.113 2024/08/28 07:15:04 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -622,6 +622,14 @@ X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
int i2d_re_X509_tbs(X509 *x, unsigned char **pp);
#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
/* Flags returned by X509_get_signature_info(): valid and suitable for TLS. */
#define X509_SIG_INFO_VALID 1
#define X509_SIG_INFO_TLS 2
int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits,
uint32_t *flags);
#endif
void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg, const X509 *x);
int X509_get_signature_nid(const X509 *x);

125
lib/libcrypto/x509/x509_conf.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_conf.c,v 1.18 2024/06/24 06:32:04 tb Exp $ */
/* $OpenBSD: x509_conf.c,v 1.22 2024/08/28 08:59:03 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -74,18 +74,11 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid,
int crit, const char *value);
static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int type, X509V3_CTX *ctx);
static char *conf_lhash_get_string(void *db, const char *section,
const char *value);
static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db,
const char *section);
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int nid,
int crit, void *ext_struct);
static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
long *ext_len);
/* CONF *conf: Config file */
/* char *name: Name */
/* char *value: Value */
X509_EXTENSION *
X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
const char *value)
@ -106,11 +99,8 @@ X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
}
LCRYPTO_ALIAS(X509V3_EXT_nconf);
/* CONF *conf: Config file */
/* char *value: Value */
X509_EXTENSION *
X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int nid,
const char *value)
X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int nid, const char *value)
{
int crit;
int ext_type;
@ -123,11 +113,8 @@ X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int nid,
}
LCRYPTO_ALIAS(X509V3_EXT_nconf_nid);
/* CONF *conf: Config file */
/* char *value: Value */
static X509_EXTENSION *
do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid, int crit,
const char *value)
do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid, int crit, const char *value)
{
const X509V3_EXT_METHOD *method;
X509_EXTENSION *ext;
@ -163,7 +150,7 @@ do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int nid, int crit,
} else if (method->s2i) {
ext_struct = method->s2i(method, ctx, value);
} else if (method->r2i) {
if (!ctx->db || !ctx->db_meth) {
if (ctx->db == NULL) {
X509V3error(X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
@ -232,7 +219,6 @@ do_ext_i2d(const X509V3_EXT_METHOD *method, int nid, int crit,
}
/* Given an internal structure, nid and critical flag create an extension */
X509_EXTENSION *
X509V3_EXT_i2d(int nid, int crit, void *ext_struct)
{
@ -347,7 +333,8 @@ generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len)
return ext_der;
}
/* This is the main function: add a bunch of extensions based on a config file
/*
* This is the main function: add a bunch of extensions based on a config file
* section to an extension STACK.
*/
@ -374,8 +361,6 @@ X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
}
LCRYPTO_ALIAS(X509V3_EXT_add_nconf_sk);
/* Convenience functions to add extensions to a certificate, CRL and request */
int
X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509 *cert)
@ -388,8 +373,6 @@ X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
}
LCRYPTO_ALIAS(X509V3_EXT_add_nconf);
/* Same as above but for a CRL */
int
X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_CRL *crl)
@ -402,8 +385,6 @@ X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
}
LCRYPTO_ALIAS(X509V3_EXT_CRL_add_nconf);
/* Add extensions to certificate request */
int
X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_REQ *req)
@ -422,73 +403,44 @@ X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
}
LCRYPTO_ALIAS(X509V3_EXT_REQ_add_nconf);
/* Config database functions */
/* XXX - remove in next bump. */
char *
X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
{
if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
}
return ctx->db_meth->get_string(ctx->db, name, section);
X509V3error(ERR_R_DISABLED);
return NULL;
}
LCRYPTO_ALIAS(X509V3_get_string);
STACK_OF(CONF_VALUE) *
X509V3_get_section(X509V3_CTX *ctx, const char *section)
{
if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
if (ctx->db == NULL) {
X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
}
return ctx->db_meth->get_section(ctx->db, section);
return NCONF_get_section(ctx->db, section);
}
LCRYPTO_ALIAS(X509V3_get_section);
/* XXX - remove in next bump. */
void
X509V3_string_free(X509V3_CTX *ctx, char *str)
{
if (!str)
return;
if (ctx->db_meth->free_string)
ctx->db_meth->free_string(ctx->db, str);
return;
}
LCRYPTO_ALIAS(X509V3_string_free);
void
X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
{
if (!section)
return;
if (ctx->db_meth->free_section)
ctx->db_meth->free_section(ctx->db, section);
return;
}
LCRYPTO_ALIAS(X509V3_section_free);
static char *
nconf_get_string(void *db, const char *section, const char *value)
{
return NCONF_get_string(db, section, value);
}
static STACK_OF(CONF_VALUE) *
nconf_get_section(void *db, const char *section)
{
return NCONF_get_section(db, section);
}
static X509V3_CONF_METHOD nconf_method = {
nconf_get_string,
nconf_get_section,
NULL,
NULL
};
void
X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
{
ctx->db_meth = &nconf_method;
ctx->db = conf;
}
LCRYPTO_ALIAS(X509V3_set_nconf);
@ -505,8 +457,6 @@ X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
}
LCRYPTO_ALIAS(X509V3_set_ctx);
/* Old conf compatibility functions */
X509_EXTENSION *
X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name,
const char *value)
@ -518,8 +468,6 @@ X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name,
}
LCRYPTO_ALIAS(X509V3_EXT_conf);
/* LHASH *conf: Config file */
/* char *value: Value */
X509_EXTENSION *
X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int nid,
const char *value)
@ -531,30 +479,13 @@ X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int nid,
}
LCRYPTO_ALIAS(X509V3_EXT_conf_nid);
static char *
conf_lhash_get_string(void *db, const char *section, const char *value)
{
return CONF_get_string(db, section, value);
}
static STACK_OF(CONF_VALUE) *
conf_lhash_get_section(void *db, const char *section)
{
return CONF_get_section(db, section);
}
static X509V3_CONF_METHOD conf_lhash_method = {
conf_lhash_get_string,
conf_lhash_get_section,
NULL,
NULL
};
/*
* XXX - remove everything below in the next bump.
*/
void
X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
{
ctx->db_meth = &conf_lhash_method;
ctx->db = lhash;
}
LCRYPTO_ALIAS(X509V3_set_conf_lhash);
@ -562,35 +493,25 @@ int
X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509 *cert)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
X509V3error(ERR_R_DISABLED);
return 0;
}
LCRYPTO_ALIAS(X509V3_EXT_add_conf);
/* Same as above but for a CRL */
int
X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509_CRL *crl)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
X509V3error(ERR_R_DISABLED);
return 0;
}
LCRYPTO_ALIAS(X509V3_EXT_CRL_add_conf);
/* Add extensions to certificate request */
int
X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
const char *section, X509_REQ *req)
{
CONF ctmp;
CONF_set_nconf(&ctmp, conf);
return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
X509V3error(ERR_R_DISABLED);
return 0;
}
LCRYPTO_ALIAS(X509V3_EXT_REQ_add_conf);

113
lib/libcrypto/x509/x509_siginfo.c Normal file
View file

@ -0,0 +1,113 @@
/* $OpenBSD: x509_siginfo.c,v 1.1 2024/08/28 07:15:04 tb Exp $ */
/*
* Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "evp_local.h"
#include "x509_internal.h"
static int
x509_find_sigid_algs(const X509 *x509, int *out_md_nid, int *out_pkey_nid)
{
const ASN1_OBJECT *aobj;
int nid;
*out_md_nid = NID_undef;
*out_pkey_nid = NID_undef;
X509_ALGOR_get0(&aobj, NULL, NULL, x509->sig_alg);
if ((nid = OBJ_obj2nid(aobj)) == NID_undef)
return 0;
return OBJ_find_sigid_algs(nid, out_md_nid, out_pkey_nid);
}
int
X509_get_signature_info(X509 *x509, int *out_md_nid, int *out_pkey_nid,
int *out_security_bits, uint32_t *out_flags)
{
const EVP_MD *md;
int md_nid = NID_undef, pkey_nid = NID_undef, security_bits = -1;
uint32_t flags = 0;
if (out_md_nid != NULL)
*out_md_nid = md_nid;
if (out_pkey_nid != NULL)
*out_pkey_nid = pkey_nid;
if (out_security_bits != NULL)
*out_security_bits = security_bits;
if (out_flags != NULL)
*out_flags = flags;
if (!x509v3_cache_extensions(x509))
goto err;
if (!x509_find_sigid_algs(x509, &md_nid, &pkey_nid))
goto err;
/*
* If md_nid == NID_undef, this means we need to consult the ameth.
* Handlers are available for EdDSA and RSA-PSS. No other signature
* algorithm with NID_undef should appear in a certificate.
*/
if (md_nid == NID_undef) {
const EVP_PKEY_ASN1_METHOD *ameth;
if ((ameth = EVP_PKEY_asn1_find(NULL, pkey_nid)) == NULL ||
ameth->signature_info == NULL)
goto err;
if (!ameth->signature_info(x509->sig_alg, &md_nid, &pkey_nid,
&security_bits, &flags))
goto err;
goto done;
}
/* XXX - OpenSSL 3 special cases SHA-1 (63 bits) and MD5 (39 bits). */
if ((md = EVP_get_digestbynid(md_nid)) == NULL)
goto err;
/* Assume 4 bits of collision resistance per octet. */
if ((security_bits = EVP_MD_size(md)) <= 0)
goto err;
security_bits *= 4;
if (md_nid == NID_sha1 || md_nid == NID_sha256 ||
md_nid == NID_sha384 || md_nid == NID_sha512)
flags |= X509_SIG_INFO_TLS;
flags |= X509_SIG_INFO_VALID;
done:
if (out_md_nid != NULL)
*out_md_nid = md_nid;
if (out_pkey_nid != NULL)
*out_pkey_nid = pkey_nid;
if (out_security_bits != NULL)
*out_security_bits = security_bits;
if (out_flags != NULL)
*out_flags = flags;
err:
return (flags & X509_SIG_INFO_VALID) != 0;
}
LCRYPTO_ALIAS(X509_get_signature_info);

23
lib/libcrypto/x509/x509_vfy.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509_vfy.c,v 1.144 2024/08/04 08:15:36 tb Exp $ */
/* $OpenBSD: x509_vfy.c,v 1.145 2024/08/28 07:37:50 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -2541,28 +2541,11 @@ check_key_level(X509_STORE_CTX *ctx, X509 *cert)
static int
check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
{
const EVP_MD *md;
int bits, nid, md_nid;
int bits;
if ((nid = X509_get_signature_nid(cert)) == NID_undef)
if (!X509_get_signature_info(cert, NULL, NULL, &bits, NULL))
return 0;
/*
* Look up signature algorithm digest.
*/
if (!OBJ_find_sigid_algs(nid, &md_nid, NULL))
return 0;
if (md_nid == NID_undef)
return 0;
if ((md = EVP_get_digestbynid(md_nid)) == NULL)
return 0;
/* Assume 4 bits of collision resistance for each hash octet. */
bits = EVP_MD_size(md) * 4;
return enough_bits_for_security_level(bits, ctx->param->security_level);
}

7
lib/libcrypto/x509/x509v3.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: x509v3.h,v 1.29 2024/03/02 10:43:52 tb Exp $ */
/* $OpenBSD: x509v3.h,v 1.30 2024/08/28 08:22:57 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@ -120,6 +120,7 @@ struct v3_ext_method {
void *usr_data; /* Any extension specific data */
};
/* XXX - remove in next bump. */
typedef struct X509V3_CONF_METHOD_st {
char *(*get_string)(void *db, const char *section, const char *value);
STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section);
@ -127,7 +128,6 @@ typedef struct X509V3_CONF_METHOD_st {
void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
} X509V3_CONF_METHOD;
/* Context specific info */
struct v3_ext_ctx {
#define CTX_TEST 0x1
int flags;
@ -135,9 +135,8 @@ struct v3_ext_ctx {
X509 *subject_cert;
X509_REQ *subject_req;
X509_CRL *crl;
X509V3_CONF_METHOD *db_meth;
X509V3_CONF_METHOD *db_meth; /* XXX - remove in next bump. */
void *db;
/* Maybe more here */
};
typedef struct v3_ext_method X509V3_EXT_METHOD;

17
lib/libpcap/fad-getad.c
View file

@ -61,7 +61,7 @@ dup_sockaddr(struct sockaddr *sa, size_t sa_length)
static int
get_instance(const char *name)
{
const char *cp, *endcp;
const char *cp, *endcp, *errstr;
int n;
if (strcmp(name, "any") == 0) {
@ -77,11 +77,10 @@ get_instance(const char *name)
for (cp = name; cp < endcp && !isdigit((unsigned char)*cp); ++cp)
continue;
if (isdigit((unsigned char)*cp))
n = atoi(cp);
else
n = 0;
return (n);
n = strtonum(cp, 0, INT_MAX, &errstr);
if (errstr != NULL)
return -1;
return n;
}
static int
@ -168,7 +167,11 @@ add_or_find_if(pcap_if_t **curdev_ret, pcap_if_t **alldevs, const char *name,
* Add it to the list, in the appropriate location.
* First, get the instance number of this interface.
*/
this_instance = get_instance(name);
if ((this_instance = get_instance(name)) == -1) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malformed device name: %s", name);
goto fail;
}
/*
* Now look for the last interface with an instance number

13
lib/libpcap/inet.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: inet.c,v 1.27 2024/04/05 18:01:56 deraadt Exp $ */
/* $OpenBSD: inet.c,v 1.28 2024/08/28 11:41:42 op Exp $ */
/*
* Copyright (c) 1994, 1995, 1996, 1997, 1998
@ -47,6 +47,7 @@
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@ -115,6 +116,7 @@ pcap_lookupdev(char *errbuf)
struct ifaddrs *ifap, *ifa, *mp;
int n, minunit;
char *cp;
const char *errstr;
static char device[IF_NAMESIZE + 1];
if (getifaddrs(&ifap) != 0) {
@ -132,7 +134,9 @@ pcap_lookupdev(char *errbuf)
continue;
for (cp = ifa->ifa_name; !isdigit((unsigned char)*cp); ++cp)
continue;
n = atoi(cp);
n = strtonum(cp, 0, INT_MAX, &errstr);
if (errstr != NULL)
continue;
if (n < minunit) {
minunit = n;
mp = ifa;
@ -151,6 +155,7 @@ pcap_lookupdev(char *errbuf)
#else
int fd, minunit, n;
char *cp;
const char *errstr;
struct ifreq *ifrp, *ifend, *ifnext, *mp;
struct ifconf ifc;
struct ifreq ibuf[16], ifr;
@ -216,7 +221,9 @@ pcap_lookupdev(char *errbuf)
for (cp = ifrp->ifr_name; !isdigit((unsigned char)*cp); ++cp)
continue;
n = atoi(cp);
n = strtonum(cp, 0, INT_MAX, &errstr);
if (errstr != NULL)
continue;
if (n < minunit) {
minunit = n;
mp = ifrp;

44
lib/libpcap/scanner.l
View file

@ -1,5 +1,5 @@
%{
/* $OpenBSD: scanner.l,v 1.30 2024/04/08 02:51:14 jsg Exp $ */
/* $OpenBSD: scanner.l,v 1.32 2024/08/29 07:33:50 anton Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@ -26,6 +26,7 @@
#include <sys/time.h>
#include <ctype.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <vis.h>
@ -47,7 +48,6 @@
#include "grammar.h"
static int stoi(char *);
static inline int xdtoi(int);
#ifdef FLEX_SCANNER
#define YY_NO_UNPUT
@ -333,41 +333,23 @@ yywrap(void)
return 1;
}
/* Hex digit to integer. */
static inline int
xdtoi(int c)
{
if (isdigit(c))
return c - '0';
else if (islower(c))
return c - 'a' + 10;
else
return c - 'A' + 10;
}
/*
* Convert string to integer. Just like atoi(), but checks for
* preceding 0x or 0 and uses hex or octal instead of decimal.
* Convert string to integer supporting also octal and hex notations.
*/
static int
stoi(char *s)
{
int base = 10;
int n = 0;
long lval;
char *ep;
if (*s == '0') {
if (s[1] == 'x' || s[1] == 'X') {
s += 2;
base = 16;
}
else {
base = 8;
s += 1;
}
}
while (*s)
n = n * base + xdtoi(*s++);
errno = 0;
lval = strtol(s, &ep, 0);
if (*s == '\0' || *ep != '\0')
bpf_error("invalid number %s", s);
if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) ||
(lval > INT_MAX || lval < INT_MIN))
bpf_error("out of range: %s", s);
return n;
return lval;
}

3
regress/lib/libcrypto/evp/Makefile
View file

@ -1,7 +1,6 @@
# $OpenBSD: Makefile,v 1.12 2023/03/02 20:45:11 tb Exp $
# $OpenBSD: Makefile,v 1.13 2024/08/29 16:43:52 tb Exp $
PROGS += evp_ecx_test
PROGS += evp_pkey_check
PROGS += evp_pkey_cleanup
PROGS += evp_test
PROGS += evptest

397
regress/lib/libcrypto/evp/evp_pkey_check.c
View file

@ -1,397 +0,0 @@
/* $OpenBSD: evp_pkey_check.c,v 1.4 2023/03/02 20:18:40 tb Exp $ */
/*
* Copyright (c) 2021-2022 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdio.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#define EVP_TEST_RSA_BITS 2048
static int
evp_pkey_check_rsa(void)
{
EVP_PKEY_CTX *pkey_ctx = NULL;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL;
BIGNUM *rsa_d;
int ret;
int fail_soft = 0;
int failed = 1;
/*
* Generate a run-off-the-mill RSA key.
*/
if ((pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_CTX_new_id()\n", __func__);
goto err;
}
if (EVP_PKEY_keygen_init(pkey_ctx) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_keygen_init\n", __func__);
goto err;
}
if (!EVP_PKEY_CTX_set_rsa_keygen_bits(pkey_ctx, EVP_TEST_RSA_BITS)) {
fprintf(stderr, "%s: EVP_PKEY_CTX_set_rsa_keygen_bits\n",
__func__);
goto err;
}
if (EVP_PKEY_keygen(pkey_ctx, &pkey) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_keygen\n", __func__);
goto err;
}
/* At this point, no pkey is set on pkey_ctx, we should fail with 0. */
if (EVP_PKEY_check(pkey_ctx) != 0) {
fprintf(stderr, "%s: EVP_PKEY_check() succeeded without pkey\n",
__func__);
ERR_print_errors_fp(stderr);
fail_soft = 1;
}
ERR_clear_error();
/*
* Create a new EVP_PKEY_CTX with pkey set.
*/
EVP_PKEY_CTX_free(pkey_ctx);
if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_CTX_new\n", __func__);
goto err;
}
/* The freshly generated pkey is set on pkey_ctx. We should succeed. */
if ((ret = EVP_PKEY_check(pkey_ctx)) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_check(), generated pkey: %d\n",
__func__, ret);
ERR_print_errors_fp(stderr);
ERR_clear_error();
fail_soft = 1;
}
/* Public key checking for RSA is not supported. */
if (EVP_PKEY_public_check(pkey_ctx) != -2) {
fprintf(stderr,
"%s: EVP_PKEY_public_check() supported for RSA?\n",
__func__);
goto err;
}
ERR_clear_error();
/* Parameter checking for RSA is not supported. */
if (EVP_PKEY_param_check(pkey_ctx) != -2) {
fprintf(stderr,
"%s: EVP_PKEY_param_check() supported for RSA?\n",
__func__);
goto err;
}
ERR_clear_error();
/*
* Now modify the RSA key a bit. The check should then fail.
*/
if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_get0_RSA\n", __func__);
goto err;
}
/* We're lazy and modify rsa->d directly, hence the ugly cast. */
if ((rsa_d = (BIGNUM *)RSA_get0_d(rsa)) == NULL) {
fprintf(stderr, "%s: RSA_get0_d()\n", __func__);
goto err;
}
if (!BN_add_word(rsa_d, 2)) {
fprintf(stderr, "%s: BN_add_word\n", __func__);
goto err;
}
/* Since (d+2) * e != 1 mod (p-1)*(q-1), we should fail */
if (EVP_PKEY_check(pkey_ctx) == 1) {
fprintf(stderr, "%s: EVP_PKEY_check success with modified d\n",
__func__);
fail_soft = 1;
}
if (ERR_peek_error() == 0) {
fprintf(stderr, "%s: expected some RSA errors\n", __func__);
fail_soft = 1;
}
ERR_clear_error();
failed = 0;
err:
EVP_PKEY_CTX_free(pkey_ctx);
EVP_PKEY_free(pkey);
return failed | fail_soft;
}
static int
evp_pkey_check_ec(void)
{
EVP_PKEY_CTX *pkey_ctx = NULL;
EVP_PKEY *pkey = NULL;
EC_KEY *eckey = NULL;
BIGNUM *private_key = NULL;
EC_GROUP *group;
const EC_POINT *generator;
BIGNUM *cofactor = NULL, *order = NULL;
int ret;
int fail_soft = 0;
int failed = 1;
/*
* Generate an elliptic curve key on secp384r1
*/
if ((pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_CTX_new_id\n", __func__);
goto err;
}
if (EVP_PKEY_keygen_init(pkey_ctx) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_keygen_init\n", __func__);
goto err;
}
if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pkey_ctx,
NID_secp384r1) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_CTX_set_ec_paramgen_curve_nid\n",
__func__);
goto err;
}
if (EVP_PKEY_keygen(pkey_ctx, &pkey) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_keygen\n", __func__);
goto err;
}
/* At this point, no pkey is set on pkey_ctx, we should fail with 0. */
if (EVP_PKEY_check(pkey_ctx) != 0) {
fprintf(stderr, "%s: EVP_PKEY_check() succeeded without pkey\n",
__func__);
ERR_print_errors_fp(stderr);
fail_soft = 1;
}
ERR_clear_error();
/*
* Create a new EVP_PKEY_CTX with pkey set.
*/
EVP_PKEY_CTX_free(pkey_ctx);
if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_CTX_new\n", __func__);
goto err;
}
/* The freshly generated pkey is set on pkey_ctx. We should succeed. */
if ((ret = EVP_PKEY_check(pkey_ctx)) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_check(), generated pkey: %d\n",
__func__, ret);
ERR_print_errors_fp(stderr);
ERR_clear_error();
fail_soft = 1;
}
/* We should also succeed the public check. */
if ((ret = EVP_PKEY_public_check(pkey_ctx)) <= 0) {
fprintf(stderr,
"%s: EVP_PKEY_public_check(), generated pkey: %d\n",
__func__, ret);
ERR_print_errors_fp(stderr);
ERR_clear_error();
fail_soft = 1;
}
/* We should also succeed the parameter check. */
if ((ret = EVP_PKEY_param_check(pkey_ctx)) <= 0) {
fprintf(stderr,
"%s: EVP_PKEY_param_check(), generated pkey: %d\n",
__func__, ret);
ERR_print_errors_fp(stderr);
ERR_clear_error();
fail_soft = 1;
}
/*
* Modify the private key slightly.
*/
if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
fprintf(stderr, "%s: EVP_PKEY_get0_EC_KEY\n", __func__);
goto err;
}
/* We're lazy and modify the private key directly. */
if ((private_key = (BIGNUM *)EC_KEY_get0_private_key(eckey)) == NULL) {
fprintf(stderr, "%s: EC_KEY_get0_private_key\n", __func__);
goto err;
}
/*
* The private key is a random number in [1, order). Preserve this
* property by adding 1 if it is equal to 1 and subtracting 1 otherwise.
*/
if (BN_cmp(private_key, BN_value_one()) == 0) {
if (!BN_add_word(private_key, 1)) {
fprintf(stderr, "%s: BN_add_word\n", __func__);
goto err;
}
} else {
if (!BN_sub_word(private_key, 1)) {
fprintf(stderr, "%s: BN_sub_word\n", __func__);
goto err;
}
}
/* Generator times private key will no longer be equal to public key. */
if (EVP_PKEY_check(pkey_ctx) == 1) {
fprintf(stderr, "%s: EVP_PKEY_check succeeded unexpectedly\n",
__func__);
fail_soft = 1;
}
if (ERR_peek_error() == 0) {
fprintf(stderr, "%s: expected a private key error\n", __func__);
fail_soft = 1;
}
ERR_clear_error();
/* EVP_PKEY_public_check checks the private key (sigh), so we fail. */
if (EVP_PKEY_public_check(pkey_ctx) == 1) {
fprintf(stderr,
"%s: EVP_PKEY_public_check succeeded unexpectedly\n",
__func__);
fail_soft = 1;
}
/* We should still succeed the parameter check. */
if ((ret = EVP_PKEY_param_check(pkey_ctx)) <= 0) {
fprintf(stderr,
"%s: EVP_PKEY_param_check(), modified privkey pkey: %d\n",
__func__, ret);
ERR_print_errors_fp(stderr);
ERR_clear_error();
fail_soft = 1;
}
/* Now set the private key to NULL. The API will think malloc failed. */
if (EC_KEY_set_private_key(eckey, NULL) != 0) {
fprintf(stderr, "%s: EC_KEY_set_private_key succeeded?!",
__func__);
goto err;
}
/*
* EVP_PKEY_public_check now only checks that the public key is on the
* curve. We should succeed again.
*/
if ((ret = EVP_PKEY_public_check(pkey_ctx)) <= 0) {
fprintf(stderr, "%s: EVP_PKEY_check(), generated pkey: %d\n",
__func__, ret);
fail_soft = 1;
}
ERR_clear_error();
/*
* Now let's modify the group to trip the parameter check.
*/
if ((group = (EC_GROUP *)EC_KEY_get0_group(eckey)) == NULL) {
fprintf(stderr, "%s: EC_KEY_get0_group() failed\n", __func__);
goto err;
}
if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
fprintf(stderr, "%s: EC_GROUP_get0_generator() failed\n",
__func__);
goto err;
}
if ((order = BN_new()) == NULL) {
fprintf(stderr, "%s: order = BN_new() failed\n", __func__);
goto err;
}
if ((cofactor = BN_new()) == NULL) {
fprintf(stderr, "%s: cofactor = BN_new() failed\n", __func__);
goto err;
}
if (!EC_GROUP_get_order(group, order, NULL)) {
fprintf(stderr, "%s: EC_GROUP_get_order() failed\n", __func__);
goto err;
}
if (!EC_GROUP_get_cofactor(group, cofactor, NULL)) {
fprintf(stderr, "%s: EC_GROUP_get_cofactor() failed\n",
__func__);
goto err;
}
/* Decrement order so order * generator != (point at infinity). */
if (!BN_sub_word(order, 1)) {
fprintf(stderr, "%s: BN_sub_word() failed\n", __func__);
goto err;
}
/* Now set this nonsense on the group. */
if (!EC_GROUP_set_generator(group, generator, order, cofactor)) {
fprintf(stderr, "%s: EC_GROUP_set_generator() failed\n",
__func__);
goto err;
}
/* We should now fail the parameter check. */
if (EVP_PKEY_param_check(pkey_ctx) == 1) {
fprintf(stderr,
"%s: EVP_PKEY_param_check(), succeeded unexpectedly\n",
__func__);
fail_soft = 1;
}
if (ERR_peek_error() == 0) {
fprintf(stderr, "%s: expected a group order error\n", __func__);
fail_soft = 1;
}
ERR_clear_error();
failed = 0;
err:
EVP_PKEY_CTX_free(pkey_ctx);
EVP_PKEY_free(pkey);
BN_free(order);
BN_free(cofactor);
return failed | fail_soft;
}
int
main(void)
{
int failed = 0;
failed |= evp_pkey_check_rsa();
failed |= evp_pkey_check_ec();
return failed;
}

22
regress/lib/libpthread/include/test.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: test.h,v 1.6 2012/04/13 10:15:49 guenther Exp $ */
/* $OpenBSD: test.h,v 1.7 2024/08/29 15:18:17 claudio Exp $ */
#ifndef _h_test_
#define _h_test_
@ -14,7 +14,8 @@
static void __vpanic(const char *, const char *, const char *,
int, const char *, va_list) __attribute__((__noreturn__));
static void __panic(const char *, const char *, const char *,
int, const char *, ...) __attribute__((__noreturn__));
int, const char *, ...) __attribute__((__noreturn__))
__attribute__((__format__ (printf, 5, 6)));
#if defined(__OpenBSD__) || defined(__FreeBSD__)
#include <pthread.h>
@ -33,13 +34,8 @@ void _thread_sys__exit(int) __attribute__((__noreturn__));
#endif
static void
__vpanic(type, errstr, filenm, lineno, fmt, ap)
const char *type;
const char *errstr;
const char *filenm;
int lineno;
const char *fmt;
va_list ap;
__vpanic(const char *type, const char *errstr, const char *filenm, int lineno,
const char *fmt, va_list ap)
{
char buf[1024];
@ -62,12 +58,8 @@ __vpanic(type, errstr, filenm, lineno, fmt, ap)
}
static void
__panic(type, errstr, filenm, lineno, fmt)
const char *type;
const char *errstr;
const char *filenm;
int lineno;
const char *fmt;
__panic(const char *type, const char *errstr, const char *filenm, int lineno,
const char *fmt, ...)
{
va_list ap;

12
regress/lib/libpthread/siginfo/siginfo.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: siginfo.c,v 1.11 2016/09/01 11:04:37 guenther Exp $ */
/* $OpenBSD: siginfo.c,v 1.12 2024/08/29 15:16:43 claudio Exp $ */
/* PUBLIC DOMAIN Oct 2002 <marc@snafu.org> */
/*
@ -19,16 +19,14 @@ static void
act_handler(int signal, siginfo_t *siginfo, void *context)
{
struct sigaction sa;
char * str;
CHECKe(sigaction(SIGSEGV, NULL, &sa));
ASSERT(sa.sa_handler == SIG_DFL);
ASSERT(siginfo != NULL);
asprintf(&str, "act_handler: signal %d, siginfo %p, context %p\n"
"addr %p, code %d, trap %d\n", signal, siginfo, context,
siginfo->si_addr, siginfo->si_code, siginfo->si_trapno);
write(STDOUT_FILENO, str, strlen(str));
free(str);
dprintf(STDOUT_FILENO, "act_handler: signal %d, siginfo %p, "
"context %p\naddr %p, code %d, trap %d\n", signal, siginfo,
context, siginfo->si_addr, siginfo->si_code,
siginfo->si_trapno);
ASSERT(siginfo->si_addr == BOGUS);
ASSERT(siginfo->si_code == SEGV_MAPERR ||
siginfo->si_code == SEGV_ACCERR);

5
regress/lib/libssl/openssl-ruby/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.12 2024/06/15 08:39:47 tb Exp $
# $OpenBSD: Makefile,v 1.13 2024/08/29 17:16:40 tb Exp $
OPENSSL_RUBY_TESTS = /usr/local/share/openssl-ruby-tests
.if exists(/usr/local/bin/ruby32)
@ -37,7 +37,8 @@ ${_BUILD_COOKIE}: ${_BUILDDIR_COOKIE}
make;
touch $@
OPENSSL_RUBY_TESTSRC = ${OPENSSL_RUBY_TESTS}/test/openssl/test_*.rb
# XXX - remove [^c] after bump
OPENSSL_RUBY_TESTSRC = ${OPENSSL_RUBY_TESTS}/test/openssl/test_*[^c].rb
${_TEST_COOKIE}: ${_BUILD_COOKIE} ${_BUILDDIR_COOKIE}
cd ${BUILDDIR} && \
env SKIP_EXPECTED_FAILURES=true ${RUBY} -I. \

9
regress/usr.bin/sed/Makefile
View file

@ -1,10 +1,11 @@
# $OpenBSD: Makefile,v 1.8 2022/01/12 15:32:15 martijn Exp $
# $OpenBSD: Makefile,v 1.9 2024/08/28 14:32:02 millert Exp $
# $NetBSD: Makefile,v 1.1 2005/04/04 16:48:45 peter Exp $
SED?= /usr/bin/sed
REGRESS_TARGETS= sedtest substitute hanoi math sierpinski negation \
inplace inplace2 inplace3 commandl1 commandl2 commandc1 commandD1
inplace inplace2 inplace3 commandl1 commandl2 commandc1 commandD1 \
commandD2
commandc1:
# New tests, currently failing, need fixes in sed.
@ -64,6 +65,10 @@ commandD1:
printf 'a\nbb\n' | ${SED} -f ${.CURDIR}/$@.sed > $@.out
diff ${.CURDIR}/$@.expected $@.out
commandD2:
printf 'a\nbb\n\n' | ${SED} -f ${.CURDIR}/$@.sed > $@.out
diff ${.CURDIR}/$@.expected $@.out
CLEANFILES+=*.out lines* script* *.txt
.include <bsd.regress.mk>

3
regress/usr.bin/sed/commandD2.expected Normal file
View file

@ -0,0 +1,3 @@
a
bb

1
regress/usr.bin/sed/commandD2.sed Normal file
View file

@ -0,0 +1 @@
s/^//p;$!N;D

6
regress/usr.bin/ssh/rekey.sh
View file

@ -1,4 +1,4 @@
# $OpenBSD: rekey.sh,v 1.29 2024/08/22 10:21:02 dtucker Exp $
# $OpenBSD: rekey.sh,v 1.30 2024/08/28 12:08:26 djm Exp $
# Placed in the Public Domain.
tid="rekey"
@ -184,7 +184,7 @@ for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
4g|4G) bytes=4294967296 ;;
8g|8G) bytes=8589934592 ;;
esac
b=`${SSH} -G -o "rekeylimit $size" -f $OBJ/ssh_proxy host | \
b=`${SSH} -G -o "rekeylimit $size" -F $OBJ/ssh_proxy host | \
awk '/rekeylimit/{print $2}'`
if [ "$bytes" != "$b" ]; then
fatal "rekeylimit size: expected $bytes bytes got $b"
@ -200,7 +200,7 @@ for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
1d|1D) seconds=86400 ;;
1w|1W) seconds=604800 ;;
esac
s=`${SSH} -G -o "rekeylimit default $time" -f $OBJ/ssh_proxy host | \
s=`${SSH} -G -o "rekeylimit default $time" -F $OBJ/ssh_proxy host | \
awk '/rekeylimit/{print $3}'`
if [ "$seconds" != "$s" ]; then
fatal "rekeylimit time: expected $time seconds got $s"

2
regress/usr.sbin/bgpd/integrationtests/bgpd.maxprefix.rdomain2.conf
View file

@ -7,7 +7,7 @@ log updates
neighbor 10.12.57.1 {
descr "RDOMAIN1"
remote-as 4200000001
max-prefix 2
#MAX-PREFIX#
}
deny from any

2
regress/usr.sbin/bgpd/integrationtests/bgpd.maxprefixout.rdomain1.conf
View file

@ -7,7 +7,7 @@ log updates
neighbor 10.12.57.2 {
descr "RDOMAIN2"
remote-as 4200000002
max-prefix 2 out
#MAX-PREFIX#
}
deny from any

45
regress/usr.sbin/bgpd/integrationtests/maxprefix.sh
View file

@ -1,5 +1,5 @@
#!/bin/ksh
# $OpenBSD: maxprefix.sh,v 1.3 2023/02/15 14:19:08 claudio Exp $
# $OpenBSD: maxprefix.sh,v 1.4 2024/08/28 13:14:39 claudio Exp $
set -e
@ -64,12 +64,14 @@ ifconfig ${PAIR1} patch ${PAIR2}
ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
echo run bgpds
echo test1: run bgpds
sed -e 's/#MAX-PREFIX#/max-prefix 2/' \
${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain2.conf > \
./bgpd.maxprefix.rdomain2.conf
route -T ${RDOMAIN1} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain1.conf
route -T ${RDOMAIN2} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain2.conf
-v -f ./bgpd.maxprefix.rdomain2.conf
sleep 1
route -T ${RDOMAIN1} exec bgpctl nei RDOMAIN2 up
sleep 1
@ -87,3 +89,38 @@ route -T ${RDOMAIN1} exec bgpctl network add 10.12.60.0/24
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
grep '^ Last error received: Cease, received max-prefix exceeded'
echo test1: cleanup
pkill -T ${RDOMAIN1} bgpd || true
pkill -T ${RDOMAIN2} bgpd || true
sleep 1
echo test2: run bgpds
sed -e 's/#MAX-PREFIX#/max-prefix 10/' \
${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain2.conf > \
./bgpd.maxprefix.rdomain2.conf
route -T ${RDOMAIN1} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain1.conf
route -T ${RDOMAIN2} exec ${BGPD} \
-v -f ./bgpd.maxprefix.rdomain2.conf
sleep 1
route -T ${RDOMAIN1} exec bgpctl nei RDOMAIN2 up
sleep 1
echo test2: add three networks
route -T ${RDOMAIN1} exec bgpctl network add 10.12.58.0/24
route -T ${RDOMAIN1} exec bgpctl network add 10.12.59.0/24
route -T ${RDOMAIN1} exec bgpctl network add 10.12.60.0/24
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
awk '/^ Prefixes/ { if ($2 == "3") { print "ok"; ok=1; exit 0; } }
END { if (ok != 1) { print "bad bgpctl output"; exit 2; } }'
echo test2: reload config
sed -e 's/#MAX-PREFIX#/max-prefix 2/' \
${BGPDCONFIGDIR}/bgpd.maxprefix.rdomain2.conf > \
./bgpd.maxprefix.rdomain2.conf
route -T ${RDOMAIN2} exec bgpctl reload
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
grep '^ Last error received: Cease, received max-prefix exceeded'

45
regress/usr.sbin/bgpd/integrationtests/maxprefixout.sh
View file

@ -1,5 +1,5 @@
#!/bin/ksh
# $OpenBSD: maxprefixout.sh,v 1.2 2023/02/15 14:19:08 claudio Exp $
# $OpenBSD: maxprefixout.sh,v 1.3 2024/08/28 13:14:39 claudio Exp $
set -e
@ -64,9 +64,12 @@ ifconfig ${PAIR1} patch ${PAIR2}
ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
echo run bgpds
echo test1: run bgpds
sed -e 's/#MAX-PREFIX#/max-prefix 2 out/' \
${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain1.conf > \
./bgpd.maxprefixout.rdomain1.conf
route -T ${RDOMAIN1} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain1.conf
-v -f ./bgpd.maxprefixout.rdomain1.conf
route -T ${RDOMAIN2} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain2.conf
@ -87,3 +90,39 @@ route -T ${RDOMAIN1} exec bgpctl network add 10.12.60.0/24
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
grep '^ Last error sent: Cease, sent max-prefix exceeded'
echo test1: cleanup
pkill -T ${RDOMAIN1} bgpd || true
pkill -T ${RDOMAIN2} bgpd || true
sleep 1
echo test2: run bgpds
sed -e 's/#MAX-PREFIX#/max-prefix 20 out/' \
${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain1.conf > \
./bgpd.maxprefixout.rdomain1.conf
route -T ${RDOMAIN1} exec ${BGPD} \
-v -f ./bgpd.maxprefixout.rdomain1.conf
route -T ${RDOMAIN2} exec ${BGPD} \
-v -f ${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain2.conf
sleep 1
route -T ${RDOMAIN1} exec bgpctl nei RDOMAIN2 up
sleep 1
echo test2: add three networks
route -T ${RDOMAIN1} exec bgpctl network add 10.12.58.0/24
route -T ${RDOMAIN1} exec bgpctl network add 10.12.59.0/24
route -T ${RDOMAIN1} exec bgpctl network add 10.12.60.0/24
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
awk '/^ Prefixes/ { if ($2 == "3") { print "ok"; ok=1; exit 0; } }
END { if (ok != 1) { print "bad bgpctl output"; exit 2; } }'
echo test2: reload config
sed -e 's/#MAX-PREFIX#/max-prefix 2 out/' \
${BGPDCONFIGDIR}/bgpd.maxprefixout.rdomain1.conf > \
./bgpd.maxprefixout.rdomain1.conf
route -T ${RDOMAIN1} exec bgpctl reload
sleep 1
route -T ${RDOMAIN1} exec bgpctl show nei | \
grep '^ Last error sent: Cease, sent max-prefix exceeded'

4
sys/arch/amd64/amd64/bus_dma.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bus_dma.c,v 1.57 2024/08/22 11:36:24 bluhm Exp $ */
/* $OpenBSD: bus_dma.c,v 1.58 2024/08/28 18:21:15 bluhm Exp $ */
/* $NetBSD: bus_dma.c,v 1.3 2003/05/07 21:33:58 fvdl Exp $ */
/*-
@ -726,7 +726,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
if (use_bounce_buffer) {
if (page >= map->_dm_npages)
return (ENOMEM);
return (EFBIG);
off = vaddr & PAGE_MASK;
pg = map->_dm_pages[page];

6
sys/dev/pci/drm/amd/amdgpu/amdgpu_acpi.c
View file

@ -1384,6 +1384,12 @@ bool amdgpu_acpi_should_gpu_reset(struct amdgpu_device *adev)
if (amdgpu_sriov_vf(adev))
return false;
#ifdef __OpenBSD__
/* XXX VEGA10 S3 fails if reset is done */
if (pm_suspend_target_state == PM_SUSPEND_MEM)
return false;
#endif
#if IS_ENABLED(CONFIG_SUSPEND)
return pm_suspend_target_state != PM_SUSPEND_TO_IDLE;
#else

7
sys/dev/pci/drm/amd/amdgpu/amdgpu_drv.c
View file

@ -3491,8 +3491,9 @@ amdgpu_init_backlight(struct amdgpu_device *adev)
void
amdgpu_attachhook(struct device *self)
{
struct amdgpu_device *adev = (struct amdgpu_device *)self;
struct drm_device *dev = &adev->ddev;
struct amdgpu_device *adev = (struct amdgpu_device *)self;
struct drm_device *dev = &adev->ddev;
struct pci_dev *pdev = adev->pdev;
int r, acpi_status;
struct rasops_info *ri = &adev->ro;
struct drm_fb_helper *fb_helper;
@ -3500,7 +3501,7 @@ amdgpu_attachhook(struct device *self)
struct drm_gem_object *obj;
struct amdgpu_bo *rbo;
dev_set_drvdata(self, dev);
pci_set_drvdata(pdev, dev);
r = amdgpu_driver_load_kms(adev, adev->flags);
if (r)

1
sys/dev/pci/drm/drm_drv.c
View file

@ -1407,6 +1407,7 @@ drm_attach(struct device *parent, struct device *self, void *aux)
dev->pdev->pc = pa->pa_pc;
dev->pdev->tag = pa->pa_tag;
dev->pdev->pci = (struct pci_softc *)parent->dv_parent;
dev->pdev->_dev = parent;
#ifdef CONFIG_ACPI
dev->pdev->dev.node = acpi_find_pci(pa->pa_pc, pa->pa_tag);

2
sys/dev/pci/drm/i915/i915_driver.c
View file

@ -2307,6 +2307,8 @@ inteldrm_attach(struct device *parent, struct device *self, void *aux)
return;
}
pci_set_drvdata(dev->pdev, dev_priv);
/* Device parameters start as a copy of module parameters. */
i915_params_copy(&dev_priv->params, &i915_modparams);
dev_priv->params.request_timeout_ms = 0;

4
sys/dev/pci/drm/i915/i915_drv.h
View file

@ -449,11 +449,7 @@ static inline struct drm_i915_private *kdev_to_i915(struct device *kdev)
static inline struct drm_i915_private *pdev_to_i915(struct pci_dev *pdev)
{
STUB();
return NULL;
#ifdef notyet
return pci_get_drvdata(pdev);
#endif
}
static inline struct intel_gt *to_gt(struct drm_i915_private *i915)

11
sys/dev/pci/drm/include/linux/pci.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: pci.h,v 1.17 2024/08/16 10:46:46 kettenis Exp $ */
/* $OpenBSD: pci.h,v 1.18 2024/08/28 04:55:45 jsg Exp $ */
/*
* Copyright (c) 2015 Mark Kettenis
*
@ -33,6 +33,7 @@
#include <linux/kobject.h>
#include <linux/dma-mapping.h>
#include <linux/mod_devicetable.h>
#include <linux/device.h>
struct pci_dev;
@ -70,6 +71,7 @@ struct pci_dev {
uint8_t ltr_path;
struct pci_acpi dev;
struct device *_dev;
};
#define PCI_ANY_ID (uint16_t) (~0U)
@ -457,6 +459,13 @@ pci_is_thunderbolt_attached(struct pci_dev *pdev)
static inline void
pci_set_drvdata(struct pci_dev *pdev, void *data)
{
dev_set_drvdata(pdev->_dev, data);
}
static inline void *
pci_get_drvdata(struct pci_dev *pdev)
{
return dev_get_drvdata(pdev->_dev);
}
static inline int

9
sys/dev/pci/drm/radeon/radeon_drv.c
View file

@ -1273,10 +1273,11 @@ radeondrm_attachhook(struct device *self)
task_set(&rdev->switchtask, radeondrm_doswitch, ri);
/*
* in linux via radeon_pci_probe -> drm_get_pci_dev -> drm_dev_register
*/
drm_dev_register(rdev->ddev, rdev->flags);
/* from linux radeon_pci_probe() */
pci_set_drvdata(dev->pdev, dev);
drm_dev_register(dev, rdev->flags);
radeon_fbdev_setup(rdev);

6
sys/dev/pv/if_vio.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: if_vio.c,v 1.50 2024/08/27 19:11:20 sf Exp $ */
/* $OpenBSD: if_vio.c,v 1.51 2024/08/28 12:40:22 sf Exp $ */
/*
* Copyright (c) 2012 Stefan Fritsch, Alexander Fiveg.
@ -465,14 +465,14 @@ vio_alloc_mem(struct vio_softc *sc)
}
sc->sc_arrays = mallocarray(rxqsize + txqsize,
2 * sizeof(bus_dmamap_t) + sizeof(struct mbuf *), M_DEVBUF,
sizeof(bus_dmamap_t) + sizeof(struct mbuf *), M_DEVBUF,
M_WAITOK | M_CANFAIL | M_ZERO);
if (sc->sc_arrays == NULL) {
printf("unable to allocate mem for dmamaps\n");
goto err_hdr;
}
allocsize = (rxqsize + txqsize) *
(2 * sizeof(bus_dmamap_t) + sizeof(struct mbuf *));
(sizeof(bus_dmamap_t) + sizeof(struct mbuf *));
sc->sc_tx_dmamaps = sc->sc_arrays + rxqsize;
sc->sc_rx_mbufs = (void*) (sc->sc_tx_dmamaps + txqsize);

9
sys/kern/kern_sysctl.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: kern_sysctl.c,v 1.445 2024/08/26 08:24:25 mvs Exp $ */
/* $OpenBSD: kern_sysctl.c,v 1.446 2024/08/29 10:44:40 bluhm Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@ -530,7 +530,6 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
return (sysctl_rdstruct(oldp, oldlenp, newp, &bt, sizeof bt));
}
case KERN_MBSTAT: {
extern struct cpumem *mbstat;
uint64_t counters[MBSTAT_COUNT];
struct mbstat mbs;
unsigned int i;
@ -543,6 +542,12 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
mbs.m_drops = counters[MBSTAT_DROPS];
mbs.m_wait = counters[MBSTAT_WAIT];
mbs.m_drain = counters[MBSTAT_DRAIN];
mbs.m_defrag_alloc = counters[MBSTAT_DEFRAG_ALLOC];
mbs.m_prepend_alloc = counters[MBSTAT_PREPEND_ALLOC];
mbs.m_pullup_alloc = counters[MBSTAT_PULLUP_ALLOC];
mbs.m_pullup_copy = counters[MBSTAT_PULLUP_COPY];
mbs.m_pulldown_alloc = counters[MBSTAT_PULLDOWN_ALLOC];
mbs.m_pulldown_copy = counters[MBSTAT_PULLDOWN_COPY];
return (sysctl_rdstruct(oldp, oldlenp, newp,
&mbs, sizeof(mbs)));

25
sys/kern/uipc_mbuf.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: uipc_mbuf.c,v 1.290 2024/03/05 18:52:41 bluhm Exp $ */
/* $OpenBSD: uipc_mbuf.c,v 1.291 2024/08/29 10:44:40 bluhm Exp $ */
/* $NetBSD: uipc_mbuf.c,v 1.15.4.1 1996/06/13 17:11:44 cgd Exp $ */
/*
@ -234,8 +234,6 @@ struct mbuf *
m_get(int nowait, int type)
{
struct mbuf *m;
struct counters_ref cr;
uint64_t *counters;
int s;
KASSERT(type >= 0 && type < MT_NTYPES);
@ -245,9 +243,7 @@ m_get(int nowait, int type)
return (NULL);
s = splnet();
counters = counters_enter(&cr, mbstat);
counters[type]++;
counters_leave(&cr, mbstat);
counters_inc(mbstat, type);
splx(s);
m->m_type = type;
@ -267,8 +263,6 @@ struct mbuf *
m_gethdr(int nowait, int type)
{
struct mbuf *m;
struct counters_ref cr;
uint64_t *counters;
int s;
KASSERT(type >= 0 && type < MT_NTYPES);
@ -278,9 +272,7 @@ m_gethdr(int nowait, int type)
return (NULL);
s = splnet();
counters = counters_enter(&cr, mbstat);
counters[type]++;
counters_leave(&cr, mbstat);
counters_inc(mbstat, type);
splx(s);
m->m_type = type;
@ -417,17 +409,13 @@ struct mbuf *
m_free(struct mbuf *m)
{
struct mbuf *n;
struct counters_ref cr;
uint64_t *counters;
int s;
if (m == NULL)
return (NULL);
s = splnet();
counters = counters_enter(&cr, mbstat);
counters[m->m_type]--;
counters_leave(&cr, mbstat);
counters_dec(mbstat, m->m_type);
splx(s);
n = m->m_next;
@ -557,6 +545,7 @@ m_defrag(struct mbuf *m, int how)
KASSERT(m->m_flags & M_PKTHDR);
counters_inc(mbstat, MBSTAT_DEFRAG_ALLOC);
if ((m0 = m_gethdr(how, m->m_type)) == NULL)
return (ENOBUFS);
if (m->m_pkthdr.len > MHLEN) {
@ -616,6 +605,7 @@ m_prepend(struct mbuf *m, int len, int how)
m->m_data -= len;
m->m_len += len;
} else {
counters_inc(mbstat, MBSTAT_PREPEND_ALLOC);
MGET(mn, how, m->m_type);
if (mn == NULL) {
m_freem(m);
@ -956,8 +946,8 @@ m_pullup(struct mbuf *m0, int len)
memmove(head, mtod(m0, caddr_t), m0->m_len);
m0->m_data = head;
}
len -= m0->m_len;
counters_inc(mbstat, MBSTAT_PULLUP_COPY);
} else {
/* the first mbuf is too small or read-only, make a new one */
space = adj + len;
@ -968,6 +958,7 @@ m_pullup(struct mbuf *m0, int len)
m0->m_next = m;
m = m0;
counters_inc(mbstat, MBSTAT_PULLUP_ALLOC);
MGET(m0, M_DONTWAIT, m->m_type);
if (m0 == NULL)
goto bad;

11
sys/kern/uipc_mbuf2.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: uipc_mbuf2.c,v 1.45 2020/12/12 11:48:54 jan Exp $ */
/* $OpenBSD: uipc_mbuf2.c,v 1.47 2024/08/29 16:42:30 bluhm Exp $ */
/* $KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $ */
/* $NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $ */
@ -66,6 +66,7 @@
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/pool.h>
#include <sys/percpu.h>
#include <sys/mbuf.h>
extern struct pool mtagpool;
@ -117,6 +118,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp)
if (len <= n->m_len - off) {
struct mbuf *mlast;
counters_inc(mbstat, MBSTAT_PULLDOWN_ALLOC);
o = m_dup1(n, off, n->m_len - off, M_DONTWAIT);
if (o == NULL) {
m_freem(m);
@ -158,6 +160,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp)
*/
if ((off == 0 || offp) && m_trailingspace(n) >= tlen &&
!sharedcluster) {
counters_inc(mbstat, MBSTAT_PULLDOWN_COPY);
m_copydata(n->m_next, 0, tlen, mtod(n, caddr_t) + n->m_len);
n->m_len += tlen;
m_adj(n->m_next, tlen);
@ -167,7 +170,8 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp)
!sharedcluster && n->m_next->m_len >= tlen) {
n->m_next->m_data -= hlen;
n->m_next->m_len += hlen;
memmove(mtod(n->m_next, caddr_t), mtod(n, caddr_t) + off, hlen);
counters_inc(mbstat, MBSTAT_PULLDOWN_COPY);
memcpy(mtod(n->m_next, caddr_t), mtod(n, caddr_t) + off, hlen);
n->m_len -= hlen;
n = n->m_next;
off = 0;
@ -182,6 +186,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp)
m_freem(m);
return (NULL);
}
counters_inc(mbstat, MBSTAT_PULLDOWN_ALLOC);
MGET(o, M_DONTWAIT, m->m_type);
if (o && len > MLEN) {
MCLGETL(o, M_DONTWAIT, len);
@ -196,7 +201,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp)
}
/* get hlen from <n, off> into <o, 0> */
o->m_len = hlen;
memmove(mtod(o, caddr_t), mtod(n, caddr_t) + off, hlen);
memcpy(mtod(o, caddr_t), mtod(n, caddr_t) + off, hlen);
n->m_len -= hlen;
/* get tlen from <n->m_next, 0> into <o, hlen> */
m_copydata(n->m_next, 0, tlen, mtod(o, caddr_t) + o->m_len);

27
sys/sys/mbuf.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: mbuf.h,v 1.263 2024/04/14 20:46:27 bluhm Exp $ */
/* $OpenBSD: mbuf.h,v 1.264 2024/08/29 10:44:40 bluhm Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
@ -363,11 +363,17 @@ u_int mextfree_register(void (*)(caddr_t, u_int, void *));
/* length to m_copy to copy all */
#define M_COPYALL 1000000000
#define MBSTAT_TYPES MT_NTYPES
#define MBSTAT_DROPS (MBSTAT_TYPES + 0)
#define MBSTAT_WAIT (MBSTAT_TYPES + 1)
#define MBSTAT_DRAIN (MBSTAT_TYPES + 2)
#define MBSTAT_COUNT (MBSTAT_TYPES + 3)
#define MBSTAT_TYPES MT_NTYPES
#define MBSTAT_DROPS (MBSTAT_TYPES + 0)
#define MBSTAT_WAIT (MBSTAT_TYPES + 1)
#define MBSTAT_DRAIN (MBSTAT_TYPES + 2)
#define MBSTAT_DEFRAG_ALLOC (MBSTAT_TYPES + 3)
#define MBSTAT_PREPEND_ALLOC (MBSTAT_TYPES + 4)
#define MBSTAT_PULLUP_ALLOC (MBSTAT_TYPES + 5)
#define MBSTAT_PULLUP_COPY (MBSTAT_TYPES + 6)
#define MBSTAT_PULLDOWN_ALLOC (MBSTAT_TYPES + 7)
#define MBSTAT_PULLDOWN_COPY (MBSTAT_TYPES + 8)
#define MBSTAT_COUNT (MBSTAT_TYPES + 9)
/*
* Mbuf statistics.
@ -378,8 +384,14 @@ struct mbstat {
u_long m_drops; /* times failed to find space */
u_long m_wait; /* times waited for space */
u_long m_drain; /* times drained protocols for space */
u_long m_mtypes[MBSTAT_COUNT];
u_long m_mtypes[MBSTAT_TYPES];
/* type specific mbuf allocations */
u_long m_defrag_alloc;
u_long m_prepend_alloc;
u_long m_pullup_alloc;
u_long m_pullup_copy;
u_long m_pulldown_alloc;
u_long m_pulldown_copy;
};
#include <sys/mutex.h>
@ -404,6 +416,7 @@ extern long nmbclust; /* limit on the # of clusters */
extern int max_linkhdr; /* largest link-level header */
extern int max_protohdr; /* largest protocol header */
extern int max_hdr; /* largest link+protocol header */
extern struct cpumem *mbstat; /* mbuf statistics counter */
void mbinit(void);
void mbcpuinit(void);

6
usr.bin/dig/dighost.c
View file

@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dighost.c,v 1.38 2024/04/23 13:34:50 jsg Exp $ */
/* $Id: dighost.c,v 1.39 2024/08/29 07:20:16 florian Exp $ */
/*! \file
* \note
@ -116,8 +116,8 @@ static const struct {
} root_hints[] = {
{ "198.41.0.4", AF_INET }, /* a.root-servers.net */
{ "2001:503:ba3e::2:30", AF_INET6 }, /* a.root-servers.net */
{ "199.9.14.201", AF_INET }, /* b.root-servers.net */
{ "2001:500:200::b", AF_INET6 }, /* b.root-servers.net */
{ "170.247.170.2", AF_INET }, /* b.root-servers.net */
{ "2801:1b8:10::b", AF_INET6 }, /* b.root-servers.net */
{ "192.33.4.12", AF_INET }, /* c.root-servers.net */
{ "2001:500:2::c", AF_INET6 }, /* c.root-servers.net */
{ "199.7.91.13", AF_INET }, /* d.root-servers.net */

12
usr.bin/netstat/mbuf.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: mbuf.c,v 1.45 2023/07/16 03:01:31 yasuoka Exp $ */
/* $OpenBSD: mbuf.c,v 1.46 2024/08/29 10:44:40 bluhm Exp $ */
/* $NetBSD: mbuf.c,v 1.9 1996/05/07 02:55:03 thorpej Exp $ */
/*
@ -79,7 +79,7 @@ static struct mbtypes {
};
int nmbtypes = sizeof(mbstat.m_mtypes) / sizeof(u_long);
bool seen[MBSTAT_COUNT]; /* "have we seen this type yet?" */
bool seen[MBSTAT_TYPES]; /* "have we seen this type yet?" */
/*
* Print mbuf statistics.
@ -93,7 +93,7 @@ mbpr(void)
struct mbtypes *mp;
size_t size;
if (nmbtypes != MBSTAT_COUNT) {
if (nmbtypes != MBSTAT_TYPES) {
fprintf(stderr,
"%s: unexpected change to mbstat; check source\n",
__progname);
@ -205,4 +205,10 @@ mbpr(void)
printf("%lu requests for memory denied\n", mbstat.m_drops);
printf("%lu requests for memory delayed\n", mbstat.m_wait);
printf("%lu calls to protocol drain routines\n", mbstat.m_drain);
printf("%lu defrag mbuf allocation\n", mbstat.m_defrag_alloc);
printf("%lu prepend mbuf allocation\n", mbstat.m_prepend_alloc);
printf("%lu pullup mbuf allocation\n", mbstat.m_pullup_alloc);
printf("%lu pullup memory copy\n", mbstat.m_pullup_copy);
printf("%lu pulldown mbuf allocation\n", mbstat.m_pulldown_alloc);
printf("%lu pulldown memory copy\n", mbstat.m_pulldown_copy);
}

30
usr.bin/openssl/apps.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: apps.c,v 1.68 2024/08/18 20:24:11 tb Exp $ */
/* $OpenBSD: apps.c,v 1.69 2024/08/29 17:01:02 tb Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@ -2156,31 +2156,3 @@ show_cipher(const OBJ_NAME *name, void *arg)
fprintf(stderr, " -%-24s%s", name->name, (++*n % 3 != 0 ? "" : "\n"));
}
int
pkey_check(BIO *out, EVP_PKEY *pkey, int (check_fn)(EVP_PKEY_CTX *),
const char *desc)
{
EVP_PKEY_CTX *ctx;
if ((ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
ERR_print_errors(bio_err);
return 0;
}
if (check_fn(ctx) == 1) {
BIO_printf(out, "%s valid\n", desc);
} else {
unsigned long err;
BIO_printf(out, "%s invalid\n", desc);
while ((err = ERR_get_error()) != 0)
BIO_printf(out, "Detailed error: %s\n",
ERR_reason_error_string(err));
}
EVP_PKEY_CTX_free(ctx);
return 1;
}

5
usr.bin/openssl/apps.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: apps.h,v 1.37 2024/05/21 05:00:48 jsg Exp $ */
/* $OpenBSD: apps.h,v 1.38 2024/08/29 17:01:02 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -315,7 +315,4 @@ int options_parse(int argc, char **argv, const struct option *opts,
char **unnamed, int *argsused);
void show_cipher(const OBJ_NAME *name, void *arg);
int pkey_check(BIO *out, EVP_PKEY *pkey, int (check_fn)(EVP_PKEY_CTX *),
const char *desc);
#endif

2
usr.bin/openssl/ocsp.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ocsp.c,v 1.23 2023/03/06 14:32:06 tb Exp $ */
/* $OpenBSD: ocsp.c,v 1.24 2024/08/29 11:04:02 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/

13
usr.bin/openssl/openssl.1
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: openssl.1,v 1.159 2024/08/22 12:15:07 tb Exp $
.\" $OpenBSD: openssl.1,v 1.160 2024/08/29 17:01:40 tb Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@ -110,7 +110,7 @@
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
.Dd $Mdocdate: August 22 2024 $
.Dd $Mdocdate: August 29 2024 $
.Dt OPENSSL 1
.Os
.Sh NAME
@ -3282,7 +3282,6 @@ is equivalent to
.Bl -hang -width "openssl pkey"
.It Nm openssl pkey
.Bk -words
.Op Fl check
.Op Ar cipher
.Op Fl in Ar file
.Op Fl inform Cm der | pem
@ -3291,7 +3290,6 @@ is equivalent to
.Op Fl outform Cm der | pem
.Op Fl passin Ar arg
.Op Fl passout Ar arg
.Op Fl pubcheck
.Op Fl pubin
.Op Fl pubout
.Op Fl text
@ -3307,8 +3305,6 @@ and their components printed out.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl check
Check the validity of a key pair.
.It Ar cipher
Encrypt the private key with the specified cipher.
Any algorithm name accepted by
@ -3334,8 +3330,6 @@ The output format.
The key password source.
.It Fl passout Ar arg
The output file password source.
.It Fl pubcheck
Check the validity of a public key
or the public component of a key pair.
.It Fl pubin
Read in a public key, not a private key.
@ -3351,7 +3345,6 @@ even if a private key is being processed.
.Tg pkeyparam
.Sh PKEYPARAM
.Cm openssl pkeyparam
.Op Fl check
.Op Fl in Ar file
.Op Fl noout
.Op Fl out Ar file
@ -3364,8 +3357,6 @@ The key type is determined by the PEM headers.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl check
check the correctness of parameters.
.It Fl in Ar file
The input file to read from,
or standard input if not specified.

28
usr.bin/openssl/pkey.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: pkey.c,v 1.20 2023/07/23 11:39:29 tb Exp $ */
/* $OpenBSD: pkey.c,v 1.21 2024/08/29 17:01:02 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006
*/
@ -66,7 +66,6 @@
#include <openssl/pem.h>
static struct {
int check;
const EVP_CIPHER *cipher;
char *infile;
int informat;
@ -75,7 +74,6 @@ static struct {
int outformat;
char *passargin;
char *passargout;
int pubcheck;
int pubin;
int pubout;
int pubtext;
@ -100,12 +98,6 @@ pkey_opt_cipher(int argc, char **argv, int *argsused)
}
static const struct option pkey_options[] = {
{
.name = "check",
.desc = "Check validity of key",
.type = OPTION_FLAG,
.opt.flag = &cfg.check,
},
{
.name = "in",
.argname = "file",
@ -154,12 +146,6 @@ static const struct option pkey_options[] = {
.type = OPTION_ARG,
.opt.arg = &cfg.passargout,
},
{
.name = "pubcheck",
.desc = "Check validity of public key",
.type = OPTION_FLAG,
.opt.flag = &cfg.pubcheck,
},
{
.name = "pubin",
.desc = "Expect a public key (default private key)",
@ -200,9 +186,9 @@ pkey_usage(void)
int n = 0;
fprintf(stderr,
"usage: pkey [-check] [-ciphername] [-in file] [-inform fmt] "
"usage: pkey [-ciphername] [-in file] [-inform fmt] "
"[-noout] [-out file]\n"
" [-outform fmt] [-passin src] [-passout src] [-pubcheck] "
" [-outform fmt] [-passin src] [-passout src] "
"[-pubin] [-pubout]\n"
" [-text] [-text_pub]\n\n");
options_usage(pkey_options);
@ -264,14 +250,6 @@ pkey_main(int argc, char **argv)
if (!pkey)
goto end;
if (cfg.check) {
if (!pkey_check(out, pkey, EVP_PKEY_check, "Key pair"))
goto end;
} else if (cfg.pubcheck) {
if (!pkey_check(out, pkey, EVP_PKEY_public_check, "Public key"))
goto end;
}
if (!cfg.noout) {
if (cfg.outformat == FORMAT_PEM) {
if (cfg.pubout)

17
usr.bin/openssl/pkeyparam.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: pkeyparam.c,v 1.18 2023/07/23 11:39:29 tb Exp $ */
/* $OpenBSD: pkeyparam.c,v 1.19 2024/08/29 17:01:02 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006
*/
@ -66,7 +66,6 @@
#include <openssl/pem.h>
static struct {
int check;
char *infile;
int noout;
char *outfile;
@ -74,12 +73,6 @@ static struct {
} cfg;
static const struct option pkeyparam_options[] = {
{
.name = "check",
.desc = "Check validity of key parameters",
.type = OPTION_FLAG,
.opt.flag = &cfg.check,
},
{
.name = "in",
.argname = "file",
@ -113,8 +106,7 @@ static void
pkeyparam_usage(void)
{
fprintf(stderr,
"usage: pkeyparam [-check] [-in file] [-noout] [-out file] "
"[-text]\n");
"usage: pkeyparam [-in file] [-noout] [-out file] [-text]\n");
options_usage(pkeyparam_options);
}
@ -163,11 +155,6 @@ pkeyparam_main(int argc, char **argv)
goto end;
}
if (cfg.check) {
if (!pkey_check(out, pkey, EVP_PKEY_param_check, "Parameters"))
goto end;
}
if (!cfg.noout)
PEM_write_bio_Parameters(out, pkey);

12
usr.bin/sed/process.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: process.c,v 1.37 2024/07/17 20:57:16 millert Exp $ */
/* $OpenBSD: process.c,v 1.38 2024/08/28 14:30:26 millert Exp $ */
/*-
* Copyright (c) 1992 Diomidis Spinellis.
@ -387,14 +387,12 @@ substitute(struct s_command *cp)
* and at the end of the line, terminate.
*/
if (match[0].rm_so == match[0].rm_eo) {
if (*s == '\0' || *s == '\n')
slen = -1;
else
slen--;
if (*s != '\0') {
if (slen > 0) {
cspace(&SS, s++, 1, APPEND);
slen--;
le++;
}
} else
slen = -1;
lastempty = 1;
} else
lastempty = 0;

39
usr.sbin/bgpd/rde.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rde.c,v 1.627 2024/08/20 11:59:39 claudio Exp $ */
/* $OpenBSD: rde.c,v 1.629 2024/08/28 13:21:39 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -398,7 +398,8 @@ rde_dispatch_imsg_session(struct imsgbuf *imsgbuf)
peerid);
break;
}
peer_imsg_push(peer, &imsg);
if (peer_is_up(peer))
peer_imsg_push(peer, &imsg);
break;
case IMSG_SESSION_ADD:
if (imsg_get_data(&imsg, &pconf, sizeof(pconf)) == -1)
@ -1311,13 +1312,16 @@ rde_dispatch_imsg_peer(struct rde_peer *peer, void *bula)
struct imsg imsg;
struct ibuf ibuf;
if (!peer_is_up(peer)) {
peer_imsg_flush(peer);
return;
}
if (!peer_imsg_pop(peer, &imsg))
return;
switch (imsg_get_type(&imsg)) {
case IMSG_UPDATE:
if (peer->state != PEER_UP)
break;
if (imsg_get_ibuf(&imsg, &ibuf) == -1)
log_warn("update: bad imsg");
else
@ -3332,7 +3336,7 @@ rde_update_queue_pending(void)
RB_FOREACH(peer, peer_tree, &peertable) {
if (peer->conf.id == 0)
continue;
if (peer->state != PEER_UP)
if (!peer_is_up(peer))
continue;
if (peer->throttled)
continue;
@ -3358,7 +3362,7 @@ rde_update_queue_runner(uint8_t aid)
RB_FOREACH(peer, peer_tree, &peertable) {
if (peer->conf.id == 0)
continue;
if (peer->state != PEER_UP)
if (!peer_is_up(peer))
continue;
if (peer->throttled)
continue;
@ -3387,7 +3391,7 @@ rde_update_queue_runner(uint8_t aid)
RB_FOREACH(peer, peer_tree, &peertable) {
if (peer->conf.id == 0)
continue;
if (peer->state != PEER_UP)
if (!peer_is_up(peer))
continue;
if (peer->throttled)
continue;
@ -3627,6 +3631,27 @@ rde_reload_done(void)
continue;
peer->reconf_out = 0;
peer->reconf_rib = 0;
/* max prefix checker */
if (peer->conf.max_prefix &&
peer->stats.prefix_cnt > peer->conf.max_prefix) {
log_peer_warnx(&peer->conf,
"prefix limit reached (>%u/%u)",
peer->stats.prefix_cnt, peer->conf.max_prefix);
rde_update_err(peer, ERR_CEASE, ERR_CEASE_MAX_PREFIX,
NULL);
}
/* max prefix checker outbound */
if (peer->conf.max_out_prefix &&
peer->stats.prefix_out_cnt > peer->conf.max_out_prefix) {
log_peer_warnx(&peer->conf,
"outbound prefix limit reached (>%u/%u)",
peer->stats.prefix_out_cnt,
peer->conf.max_out_prefix);
rde_update_err(peer, ERR_CEASE,
ERR_CEASE_MAX_SENT_PREFIX, NULL);
}
if (peer->export_type != peer->conf.export_type) {
log_peer_info(&peer->conf, "export type change, "
"reloading");

8
usr.sbin/bgpd/rde.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rde.h,v 1.304 2024/08/14 19:09:51 claudio Exp $ */
/* $OpenBSD: rde.h,v 1.305 2024/08/28 13:21:39 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Claudio Jeker <claudio@openbsd.org> and
@ -379,6 +379,12 @@ int peer_imsg_pop(struct rde_peer *, struct imsg *);
int peer_imsg_pending(void);
void peer_imsg_flush(struct rde_peer *);
static inline int
peer_is_up(struct rde_peer *peer)
{
return (peer->state == PEER_UP);
}
RB_PROTOTYPE(peer_tree, rde_peer, entry, peer_cmp);
/* rde_attr.c */

4
usr.sbin/bgpd/rde_peer.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rde_peer.c,v 1.37 2024/05/22 08:41:14 claudio Exp $ */
/* $OpenBSD: rde_peer.c,v 1.38 2024/08/28 13:21:39 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
@ -234,7 +234,7 @@ peer_generate_update(struct rde_peer *peer, struct rib_entry *re,
/* skip ourself */
if (peer == peerself)
return;
if (peer->state != PEER_UP)
if (!peer_is_up(peer))
return;
/* skip peers using a different rib */
if (peer->loc_rib_id != re->rib_id)

8
usr.sbin/procmap/procmap.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: procmap.c,v 1.72 2024/03/29 06:54:13 deraadt Exp $ */
/* $OpenBSD: procmap.c,v 1.73 2024/08/28 14:22:36 naddy Exp $ */
/* $NetBSD: pmap.c,v 1.1 2002/09/01 20:32:44 atatat Exp $ */
/*
@ -483,11 +483,11 @@ process_map(kvm_t *kd, pid_t pid, struct kinfo_proc *proc, struct sum *sum)
/* headers */
#ifdef DISABLED_HEADERS
if (print_map)
printf("%-*s %-*s rwxSe RWX CPY NCP I W A\n",
printf("%-*s %-*s rwxS RWX CPY NCP I W A\n",
(int)sizeof(long) * 2 + 2, "Start",
(int)sizeof(long) * 2 + 2, "End");
if (print_maps)
printf("%-*s %-*s rwxSep %-*s Dev Inode File\n",
printf("%-*s %-*s rwxSp %-*s Dev Inode File\n",
(int)sizeof(long) * 2 + 0, "Start",
(int)sizeof(long) * 2 + 0, "End",
(int)sizeof(long) * 2 + 0, "Offset");
@ -497,7 +497,7 @@ process_map(kvm_t *kd, pid_t pid, struct kinfo_proc *proc, struct sum *sum)
(int)sizeof(int) * 2 - 1, "Size ");
#endif
if (print_all)
printf("%-*s %-*s %*s %-*s rwxSeIpc RWX I/W/A Dev %*s - File\n",
printf("%-*s %-*s %*s %-*s rwxSIpc RWX I/W/A Dev %*s - File\n",
(int)sizeof(long) * 2, "Start",
(int)sizeof(long) * 2, "End",
(int)sizeof(int) * 2, "Size ",

5
usr.sbin/rpki-client/extern.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: extern.h,v 1.226 2024/08/21 19:35:31 job Exp $ */
/* $OpenBSD: extern.h,v 1.227 2024/08/29 09:53:04 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -985,6 +985,9 @@ int mkpathat(int, const char *);
#define DEFAULT_SKIPLIST_FILE "/etc/rpki/skiplist"
/* Interval in which random reinitialization to an RRDP snapshot happens. */
#define RRDP_RANDOM_REINIT_MAX 12 /* weeks */
/* Maximum number of TAL files we'll load. */
#define TALSZ_MAX 8
#define CERTID_MAX 1000000

7
usr.sbin/rpki-client/io.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: io.c,v 1.24 2023/12/12 15:54:18 claudio Exp $ */
/* $OpenBSD: io.c,v 1.25 2024/08/28 09:39:17 tb Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -151,14 +151,15 @@ ibuf_realloc(struct ibuf *buf, size_t len)
unsigned char *b;
/* on static buffers max is eq size and so the following fails */
if (buf->wpos + len > buf->max) {
if (len > SIZE_MAX - buf->wpos || buf->wpos + len > buf->max) {
errno = ERANGE;
return (-1);
}
b = recallocarray(buf->buf, buf->size, buf->wpos + len, 1);
b = realloc(buf->buf, buf->wpos + len);
if (b == NULL)
return (-1);
memset(b + buf->size, 0, buf->wpos + len - buf->size);
buf->buf = b;
buf->size = buf->wpos + len;

133
usr.sbin/rpki-client/parser.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.142 2024/08/20 13:31:49 claudio Exp $ */
/* $OpenBSD: parser.c,v 1.143 2024/08/29 13:46:28 tb Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -166,35 +166,37 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len,
const struct entity *entp)
{
struct roa *roa;
X509 *x509 = NULL;
struct auth *a;
struct crl *crl;
X509 *x509;
const char *errstr;
if ((roa = roa_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, roa->aki, entp->mftaki);
if (a == NULL) {
X509_free(x509);
roa_free(roa);
return NULL;
}
if (a == NULL)
goto out;
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
X509_free(x509);
roa_free(roa);
return NULL;
goto out;
}
X509_free(x509);
x509 = NULL;
roa->talid = a->cert->talid;
roa->expires = x509_find_expires(roa->notafter, a, &crlt);
return roa;
out:
roa_free(roa);
X509_free(x509);
return NULL;
}
/*
@ -206,35 +208,37 @@ proc_parser_spl(char *file, const unsigned char *der, size_t len,
const struct entity *entp)
{
struct spl *spl;
X509 *x509 = NULL;
struct auth *a;
struct crl *crl;
X509 *x509;
const char *errstr;
if ((spl = spl_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, spl->aki, entp->mftaki);
if (a == NULL) {
X509_free(x509);
spl_free(spl);
return NULL;
}
if (a == NULL)
goto out;
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
X509_free(x509);
spl_free(spl);
return NULL;
goto out;
}
X509_free(x509);
x509 = NULL;
spl->talid = a->cert->talid;
spl->expires = x509_find_expires(spl->notafter, a, &crlt);
return spl;
out:
spl_free(spl);
X509_free(x509);
return NULL;
}
/*
@ -556,30 +560,25 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len,
cert = cert_parse_pre(file, der, len);
cert = cert_parse(file, cert);
if (cert == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, cert->aki, entp->mftaki);
if (a == NULL) {
cert_free(cert);
return NULL;
}
if (a == NULL)
goto out;
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, cert->x509, a, crl, &errstr) ||
!valid_cert(file, a, cert)) {
if (errstr != NULL)
warnx("%s: %s", file, errstr);
cert_free(cert);
return NULL;
goto out;
}
cert->talid = a->cert->talid;
if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
if (!constraints_validate(file, cert)) {
cert_free(cert);
return NULL;
}
if (!constraints_validate(file, cert))
goto out;
}
/*
@ -589,6 +588,11 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len,
auth_insert(file, &auths, cert, a);
return cert;
out:
cert_free(cert);
return NULL;
}
static int
@ -696,33 +700,35 @@ proc_parser_gbr(char *file, const unsigned char *der, size_t len,
const struct entity *entp)
{
struct gbr *gbr;
X509 *x509;
X509 *x509 = NULL;
struct crl *crl;
struct auth *a;
const char *errstr;
if ((gbr = gbr_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, gbr->aki, entp->mftaki);
if (a == NULL) {
X509_free(x509);
gbr_free(gbr);
return NULL;
}
if (a == NULL)
goto out;
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
X509_free(x509);
gbr_free(gbr);
return NULL;
goto out;
}
X509_free(x509);
x509 = NULL;
gbr->talid = a->cert->talid;
return gbr;
out:
gbr_free(gbr);
X509_free(x509);
return NULL;
}
/*
@ -733,35 +739,37 @@ proc_parser_aspa(char *file, const unsigned char *der, size_t len,
const struct entity *entp)
{
struct aspa *aspa;
X509 *x509 = NULL;
struct auth *a;
struct crl *crl;
X509 *x509;
const char *errstr;
if ((aspa = aspa_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, aspa->aki, entp->mftaki);
if (a == NULL) {
X509_free(x509);
aspa_free(aspa);
return NULL;
}
if (a == NULL)
goto out;
crl = crl_get(&crlt, a);
if (!valid_x509(file, ctx, x509, a, crl, &errstr)) {
warnx("%s: %s", file, errstr);
X509_free(x509);
aspa_free(aspa);
return NULL;
goto out;
}
X509_free(x509);
x509 = NULL;
aspa->talid = a->cert->talid;
aspa->expires = x509_find_expires(aspa->notafter, a, &crlt);
return aspa;
out:
aspa_free(aspa);
X509_free(x509);
return NULL;
}
/*
@ -772,14 +780,13 @@ proc_parser_tak(char *file, const unsigned char *der, size_t len,
const struct entity *entp)
{
struct tak *tak;
X509 *x509;
X509 *x509 = NULL;
struct crl *crl;
struct auth *a;
const char *errstr;
int rc = 0;
if ((tak = tak_parse(&x509, file, entp->talid, der, len)) == NULL)
return NULL;
goto out;
a = find_issuer(file, entp->certid, tak->aki, entp->mftaki);
if (a == NULL)
@ -790,20 +797,22 @@ proc_parser_tak(char *file, const unsigned char *der, size_t len,
warnx("%s: %s", file, errstr);
goto out;
}
X509_free(x509);
x509 = NULL;
/* TAK EE must be signed by self-signed CA */
if (a->issuer != NULL)
goto out;
tak->talid = a->cert->talid;
rc = 1;
out:
if (rc == 0) {
tak_free(tak);
tak = NULL;
}
X509_free(x509);
return tak;
out:
tak_free(tak);
X509_free(x509);
return NULL;
}
/*

33
usr.sbin/rpki-client/repo.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: repo.c,v 1.62 2024/08/15 11:30:43 job Exp $ */
/* $OpenBSD: repo.c,v 1.64 2024/08/29 09:54:13 job Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -62,6 +62,7 @@ struct rrdprepo {
struct filepath_tree deleted;
unsigned int id;
enum repo_state state;
time_t last_reset;
};
static SLIST_HEAD(, rrdprepo) rrdprepos = SLIST_HEAD_INITIALIZER(rrdprepos);
@ -651,7 +652,7 @@ repo_alloc(int talid)
* based on that information.
*/
static struct rrdp_session *
rrdp_session_parse(const struct rrdprepo *rr)
rrdp_session_parse(struct rrdprepo *rr)
{
FILE *f;
struct rrdp_session *state;
@ -660,6 +661,9 @@ rrdp_session_parse(const struct rrdprepo *rr)
char *line = NULL, *file;
size_t len = 0;
ssize_t n;
time_t now, weeks;
now = time(NULL);
if ((state = calloc(1, sizeof(*state))) == NULL)
err(1, NULL);
@ -690,6 +694,11 @@ rrdp_session_parse(const struct rrdprepo *rr)
goto fail;
break;
case 2:
rr->last_reset = strtonum(line, 1, LLONG_MAX, &errstr);
if (errstr)
goto fail;
break;
case 3:
if (strcmp(line, "-") == 0)
break;
if ((state->last_mod = strdup(line)) == NULL)
@ -705,6 +714,17 @@ rrdp_session_parse(const struct rrdprepo *rr)
ln++;
}
/* check if it's time for reinitialization */
weeks = (now - rr->last_reset) / (86400 * 7);
if (now <= rr->last_reset || weeks > RRDP_RANDOM_REINIT_MAX) {
warnx("%s: reinitializing", rr->notifyuri);
goto reset;
}
if (arc4random_uniform(1 << RRDP_RANDOM_REINIT_MAX) < (1 << weeks)) {
warnx("%s: reinitializing", rr->notifyuri);
goto reset;
}
if (ferror(f))
goto fail;
fclose(f);
@ -712,12 +732,15 @@ rrdp_session_parse(const struct rrdprepo *rr)
return state;
fail:
warnx("%s: troubles reading state file", rr->basedir);
warnx("%s: corrupted state file, reinitializing", rr->basedir);
reset:
fclose(f);
free(line);
free(state->session_id);
free(state->last_mod);
memset(state, 0, sizeof(*state));
rr->last_reset = now;
return state;
}
@ -747,8 +770,8 @@ rrdp_session_save(unsigned int id, struct rrdp_session *state)
err(1, "fdopen");
/* write session state file out */
if (fprintf(f, "%s\n%lld\n", state->session_id,
state->serial) < 0)
if (fprintf(f, "%s\n%lld\n%lld\n", state->session_id,
state->serial, (long long)rr->last_reset) < 0)
goto fail;
if (state->last_mod != NULL) {