From 0095d6bf7170c8d25a69655b7bafdd5b9e2a2980 Mon Sep 17 00:00:00 2001
From: purplerain
Date: Sun, 1 Oct 2023 01:27:07 +0000
Subject: [PATCH] sync code with last improvements from OpenBSD
---
 lib/libcrypto/man/ASIdentifiers_new.3 | 10 ++---
 lib/libcrypto/man/IPAddressRange_new.3 | 14 +++---
 lib/libcrypto/man/X509v3_addr_add_inherit.3 | 30 +++++++------
 lib/libcrypto/man/X509v3_addr_get_range.3 | 16 +++---
 lib/libcrypto/man/X509v3_addr_inherits.3 | 10 ++---
 lib/libcrypto/man/X509v3_addr_subset.3 | 10 ++---
 lib/libcrypto/man/X509v3_addr_validate_path.3 | 27 ++++++------
 .../man/X509v3_asid_add_id_or_range.3 | 15 ++++--
 usr.bin/kdump/kdump.1 | 44 +++++++++++++++----
 usr.bin/ktrace/ktrace.1 | 5 ++-
 usr.bin/ktrace/ltrace.1 | 5 ++-
 11 files changed, 108 insertions(+), 78 deletions(-)
diff --git a/lib/libcrypto/man/ASIdentifiers_new.3 b/lib/libcrypto/man/ASIdentifiers_new.3
index c67a7c3f1..d8473b81a 100644
--- a/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,6 +1,6 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.9 2023/09/29 08:57:49 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.11 2023/09/30 18:16:44 tb Exp $
 .\"
-.\" Copyright (c) 2021 Theo Buehler
+.\" Copyright (c) 2023 Theo Buehler
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 29 2023 $
+.Dd $Mdocdate: September 30 2023 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -95,14 +95,14 @@ returns a new .Vt ASIdentifiers object or .Dv NULL -on if an error occurs. +if an error occurs. .Pp .Fn d2i_ASIdentifiers returns an .Vt ASIdentifiers object or .Dv NULL -on if a decoding or memory allocation error occurs. +if a decoding or memory allocation error occurs. .Pp .Fn i2d_ASIdentifiers returns the number of bytes successfully encoded diff --git a/lib/libcrypto/man/IPAddressRange_new.3 b/lib/libcrypto/man/IPAddressRange_new.3 index e15ff3450..6878000ef 100644 --- a/lib/libcrypto/man/IPAddressRange_new.3 +++ b/lib/libcrypto/man/IPAddressRange_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: IPAddressRange_new.3,v 1.5 2023/09/28 12:35:31 tb Exp $ +.\" $OpenBSD: IPAddressRange_new.3,v 1.6 2023/09/30 13:58:29 schwarze Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 28 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt IPADDRESSRANGE_NEW 3 .Os .Sh NAME @@ -240,7 +240,7 @@ typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; Since an .Vt IPAddressOrRanges object should be sorted in a specific way (see -.Xr X509v3_addr_canonize 3 Ns ), +.Xr X509v3_addr_canonize 3 ) , a comparison function is needed for a correct instantiation with .Xr sk_new 3 . @@ -383,7 +383,7 @@ and related functions. .Fn i2d_IPAddressChoice , .Fn d2i_IPAddressFamily , and -.Fn i2d_IPAddressFamily , +.Fn i2d_IPAddressFamily decode and encode ASN.1 .Vt IPAddressRange , .Vt IPAddressOrRange , @@ -428,12 +428,12 @@ object with allocated, empty members, or .Dv NULL if an error occurs. .Pp -The encoding functions +The decoding functions .Fn d2i_IPAddressRange , .Fn d2i_IPAddressOrRange , .Fn d2i_IPAddressChoice , and -.Fn d2i_IPAddressFamily , +.Fn d2i_IPAddressFamily return an .Vt IPAddressRange , an 
@@ -452,7 +452,7 @@ The encoding functions .Fn i2d_IPAddressOrRange , .Fn i2d_IPAddressChoice , and -.Fn i2d_IPAddressFamily , +.Fn i2d_IPAddressFamily return the number of bytes successfully encoded or a value <= 0 if an error occurs. .Sh SEE ALSO diff --git a/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/lib/libcrypto/man/X509v3_addr_add_inherit.3 index bdfb5c757..68923b515 100644 --- a/lib/libcrypto/man/X509v3_addr_add_inherit.3 +++ b/lib/libcrypto/man/X509v3_addr_add_inherit.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.7 2023/09/29 08:57:49 tb Exp $ +.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.9 2023/09/30 16:01:18 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 29 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_ADD_INHERIT 3 .Os .Sh NAME @@ -128,9 +128,11 @@ the call fails. is expected to be a byte array in network byte order. It should point at enough memory to accommodate .Fa prefixlen -bits and it is recommended that all the bits not covered by -the prefixlen be set to 0. -It is the caller's responsibility to ensure that the prefix +bits and it is recommended that all the bits not covered by the +.Fa prefixlen +be set to 0. +It is the caller's responsibility to ensure that the +.Fa prefix has no address in common with any of the prefixes or ranges already in the list. If @@ -281,7 +283,7 @@ hexdump(const unsigned char *buf, size_t len) size_t i; for (i = 1; i <= len; i++) - printf(" 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\en"); + printf(" 0x%02x,%s", buf[i \- 1], i % 8 ? "" : "\en"); if (len % 8) printf("\en"); } @@ -295,7 +297,7 @@ main(void) int der_len; size_t i; - if (pledge("stdio", NULL) == -1) + if (pledge("stdio", NULL) == \-1) err(1, "pledge"); /* 
@@ -319,7 +321,7 @@ main(void) len = inet_net_pton(AF_INET, prefixes[i], addr, sizeof(addr)); - if (len == -1) + if (len == \-1) errx(1, "inet_net_pton(%s)", prefixes[i]); if (!X509v3_addr_add_prefix(addrblocks, IANA_AFI_IPV4, &unicast, addr, len)) @@ -373,7 +375,7 @@ d2i_IPAddrBlocks(IPAddrBlocks **addrblocks, const unsigned char **in, if ((v3_addr = X509V3_EXT_get_nid(NID_sbgp_ipAddrBlock)) == NULL) return NULL; return (IPAddrBlocks *)ASN1_item_d2i((ASN1_VALUE **)addrblocks, - in, len, ASN1_ITEM_ptr(v3_addr->it)); + in, len, ASN1_ITEM_ptr(v3_addr\->it)); } int @@ -382,9 +384,9 @@ i2d_IPAddrBlocks(IPAddrBlocks *addrblocks, unsigned char **out) const X509V3_EXT_METHOD *v3_addr; if ((v3_addr = X509V3_EXT_get_nid(NID_sbgp_ipAddrBlock)) == NULL) - return -1; + return \-1; return ASN1_item_i2d((ASN1_VALUE *)addrblocks, out, - ASN1_ITEM_ptr(v3_addr->it)); + ASN1_ITEM_ptr(v3_addr\->it)); } .Ed .Pp @@ -415,12 +417,12 @@ RFC 7249: Internet Number Registries .Pp .Rs .%T Address Family Numbers -.%U https://www.iana.org/assignments/address-family-numbers +.%U https://www.iana.org/assignments/address\-family\-numbers .Re .Pp .Rs .%T Subsequent Address Family Identifiers (SAFI) Parameters -.%U https://www.iana.org/assignments/safi-namespace +.%U https://www.iana.org/assignments/safi\-namespace .Re .Sh HISTORY These functions first appeared in OpenSSL 0.9.8e @@ -441,7 +443,7 @@ with public API. .Fn X509v3_addr_add_range should check for inverted range bounds and overlaps on insertion and fail instead of creating a nonsensical -.Fa addr +.Fa addrblocks that fails to be canonized by .Fn X509v3_addr_canonize . .Pp diff --git a/lib/libcrypto/man/X509v3_addr_get_range.3 b/lib/libcrypto/man/X509v3_addr_get_range.3 index a84b7cd5f..e0d83b116 100644 --- a/lib/libcrypto/man/X509v3_addr_get_range.3 +++ b/lib/libcrypto/man/X509v3_addr_get_range.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_get_range.3,v 1.1 2023/09/26 18:35:34 tb Exp $ +.\" $OpenBSD: X509v3_addr_get_range.3,v 1.2 2023/09/30 14:12:40 schwarze Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 26 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_GET_RANGE 3 .Os .Sh NAME @@ -53,15 +53,13 @@ The .Fa length must be large enough to accommodate an address for .Fa afi , -which for -.Dv IANA_AFI_IPV4 , -is at least 4, -and for -.Dv IANA_AFI_IPV6 -at least 16. +which is at least 4 for +.Dv IANA_AFI_IPV4 +and at least 16 for +.Dv IANA_AFI_IPV6 . .Sh RETURN VALUES .Fn X509v3_addr_get_afi -returns the afi encoded in +returns the AFI encoded in .Fa af or 0 if .Fa af diff --git a/lib/libcrypto/man/X509v3_addr_inherits.3 b/lib/libcrypto/man/X509v3_addr_inherits.3 index 0c3c35d4a..8e3cecf7a 100644 --- a/lib/libcrypto/man/X509v3_addr_inherits.3 +++ b/lib/libcrypto/man/X509v3_addr_inherits.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_inherits.3,v 1.2 2023/09/27 08:46:46 tb Exp $ +.\" $OpenBSD: X509v3_addr_inherits.3,v 1.3 2023/09/30 14:21:57 schwarze Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 27 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_INHERITS 3 .Os .Sh NAME @@ -65,9 +65,7 @@ or the lists has .Fa type .Dv ASIdentifierChoice_inherit . -Otherwise -.Fn X509v3_asid_inherits 3 -returns 0. +Otherwise it returns 0. .Sh SEE ALSO .Xr ASIdentifiers_new 3 , .Xr ASRange_new 3 , 
@@ -102,5 +100,5 @@ There is no API that determines whether all lists contained in an .Vt ASIdentifiers or an .Vt IPAddrBlocks -objects inherit. +object inherit. See RFC 9287, 5.1.2 for an example where this is relevant. diff --git a/lib/libcrypto/man/X509v3_addr_subset.3 b/lib/libcrypto/man/X509v3_addr_subset.3 index 8107eb888..93714a26f 100644 --- a/lib/libcrypto/man/X509v3_addr_subset.3 +++ b/lib/libcrypto/man/X509v3_addr_subset.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_subset.3,v 1.1 2023/09/28 12:36:36 tb Exp $ +.\" $OpenBSD: X509v3_addr_subset.3,v 1.2 2023/09/30 14:24:00 schwarze Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 28 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_SUBSET 3 .Os .Sh NAME @@ -62,12 +62,12 @@ then .Fa child is a subset of .Fa parent . -(In particular, a +In particular, a .Dv NULL .Fa parent is allowed for a .Dv NULL -.Fa child Ns .) +.Fa child . .It If .Fa parent @@ -159,7 +159,7 @@ If both and .Fa parent are in canonical form, -they cannot fail. +these functions cannot fail. .Sh SEE ALSO .Xr ASIdentifiers_new 3 , .Xr ASRange_new 3 , diff --git a/lib/libcrypto/man/X509v3_addr_validate_path.3 b/lib/libcrypto/man/X509v3_addr_validate_path.3 index d3c088c91..fe6065d59 100644 --- a/lib/libcrypto/man/X509v3_addr_validate_path.3 +++ b/lib/libcrypto/man/X509v3_addr_validate_path.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.3 2023/09/29 15:41:06 tb Exp $ +.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.5 2023/09/30 19:07:38 tb Exp $ .\" .\" Copyright (c) 2023 Theo Buehler .\" 
@@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 29 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ADDR_VALIDATE_PATH 3 .Os .Sh NAME @@ -31,7 +31,7 @@ .Fo X509v3_addr_validate_resource_set .Fa "STACK_OF(X509) *chain" .Fa "IPAddrBlocks *addrblocks" -.Fa "int allow_inheritance" +.Fa "int allow_inherit" .Fc .Ft int .Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx" @@ -39,7 +39,7 @@ .Fo X509v3_asid_validate_resource_set .Fa "STACK_OF(X509) *chain" .Fa "ASIdentifiers *asid" -.Fa "int allow_inheritance" +.Fa "int allow_inherit" .Fc .Sh DESCRIPTION Both RFC 3779 extensions require additional checking in the certification @@ -49,19 +49,18 @@ path validation. The initial set of allowed IP address and AS number resources is defined in the trust anchor, where inheritance is not allowed. .It -All IP address delegation or AS number delegation extensions +An issuer may only delegate subsets of resources present in its +RFC 3779 extensions or subsets of resources inherited from its issuer. +.It +If an RFC 3779 extension is present in a certificate, +the same type of extension must also be present in its issuer. +.It +All RFC 3779 extensions appearing in the validation path must be in canonical form according to .Xr X509v3_addr_is_canonical 3 and .Xr X509v3_asid_is_canonical 3 . -.It -If the IP address delegation extension is present in a certificate, -it must also be present in its issuer. -Similarly for the AS identifiers delegation extension. -.It -An issuer may only delegate subsets of resources present in its -RFC 3779 extensions or subsets of resources inherited from its issuer. .El .Pp .Fn X509v3_addr_validate_path @@ -157,8 +156,8 @@ is .Dv NULL or empty. If -.Fa allow_inheritance -is 0 , +.Fa allow_inherit +is 0, .Fa addrblocks or .Fa asid 
diff --git a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index f6b1c0347..81221ca9b 100644 --- a/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 @@ -1,6 +1,6 @@ -.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.7 2023/09/29 08:57:49 tb Exp $ +.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.9 2023/09/30 18:16:44 tb Exp $ .\" -.\" Copyright (c) 2021-2023 Theo Buehler +.\" Copyright (c) 2023 Theo Buehler .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: September 29 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt X509V3_ASID_ADD_ID_OR_RANGE 3 .Os .Sh NAME @@ -163,6 +163,7 @@ Ranges must not overlap, .\" contain at least two elements, and adjacent ranges must be fully merged. .El +.Pp .Fn X509v3_asid_canonize merges adjacent ranges but refuses to merge overlapping ranges or to discard duplicates. @@ -286,8 +287,12 @@ arguments on failure. .Pp RFC 3779 does not explicitly disallow ranges where the minimum is equal to the maximum. -The isolated AS identifier a and -the AS range [a,a] where the minimum and the maximum are equal to a +The isolated AS identifier +.Fa min +and the AS range +.Bq Fa min , Ns Fa min +where the minimum and the maximum are equal to +.Fa min have the same semantics. .Fn X509v3_asid_is_canonical accepts both representations as valid and diff --git a/usr.bin/kdump/kdump.1 b/usr.bin/kdump/kdump.1 index 936c630a1..1c7455723 100644 --- a/usr.bin/kdump/kdump.1 +++ b/usr.bin/kdump/kdump.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: kdump.1,v 1.37 2023/04/17 05:43:12 jmc Exp $ +.\" $OpenBSD: kdump.1,v 1.38 2023/09/30 13:03:40 naddy Exp $ .\" .\" Copyright (c) 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" from: @(#)kdump.1 8.1 (Berkeley) 6/6/93 .\" -.Dd $Mdocdate: April 17 2023 $ +.Dd $Mdocdate: September 30 2023 $ .Dt KDUMP 1 .Os .Sh NAME @@ -100,13 +100,39 @@ Display absolute timestamps for each entry (seconds since the Epoch). If both options are specified, display timestamps relative to trace start. .It Fl t Ar trstr Select which tracepoints to display. -The argument can contain one or more of the letters -.Cm cinpstuxX+ . -See the -.Fl t -option of -.Xr ktrace 1 -for the meaning of the letters. +The argument can contain one or more of the following letters. +By default all trace points except for +.Cm X +are enabled. +.Pp +.Bl -tag -width flag -offset indent -compact +.\" Keep this list in sync with ktrace(1) and ltrace(1). +.It Cm c +trace system calls +.It Cm i +trace I/O +.It Cm n +trace namei translations +.It Cm p +trace violation of +.Xr pledge 2 +restrictions +.It Cm s +trace signal processing +.It Cm t +trace various structures +.It Cm u +trace user data coming from +.Xr utrace 2 +.It Cm x +trace argument vector in +.Xr execve 2 +.It Cm X +trace environment in +.Xr execve 2 +.It Cm + +trace the default points +.El .It Fl u Ar label Display .Xr utrace 2 diff --git a/usr.bin/ktrace/ktrace.1 b/usr.bin/ktrace/ktrace.1 index 45db14681..1bae9cd5e 100644 --- a/usr.bin/ktrace/ktrace.1 +++ b/usr.bin/ktrace/ktrace.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ktrace.1,v 1.32 2022/07/30 07:19:30 jsg Exp $ +.\" $OpenBSD: ktrace.1,v 1.33 2023/09/30 13:03:40 naddy Exp $ .\" .\" Copyright (c) 1990, 1993 .\" The Regents of the University of California. All rights reserved. 
@@ -29,7 +29,7 @@ .\" .\" from: @(#)ktrace.1 8.1 (Berkeley) 6/6/93 .\" -.Dd $Mdocdate: July 30 2022 $ +.Dd $Mdocdate: September 30 2023 $ .Dt KTRACE 1 .Os .Sh NAME @@ -119,6 +119,7 @@ By default all trace points except for are enabled. .Pp .Bl -tag -width flag -offset indent -compact +.\" Keep this list in sync with kdump(1) and ltrace(1). .It Cm c trace system calls .It Cm i diff --git a/usr.bin/ktrace/ltrace.1 b/usr.bin/ktrace/ltrace.1 index 55717db6f..0d906a038 100644 --- a/usr.bin/ktrace/ltrace.1 +++ b/usr.bin/ktrace/ltrace.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ltrace.1,v 1.10 2016/07/18 09:36:50 guenther Exp $ +.\" $OpenBSD: ltrace.1,v 1.11 2023/09/30 13:03:40 naddy Exp $ .\" .\" Copyright (c) 2013 Miodrag Vallat. .\" @@ -43,7 +43,7 @@ .\" .\" from: @(#)ktrace.1 8.1 (Berkeley) 6/6/93 .\" -.Dd $Mdocdate: July 18 2016 $ +.Dd $Mdocdate: September 30 2023 $ .Dt LTRACE 1 .Os .Sh NAME @@ -107,6 +107,7 @@ The default is just The following table equates the letters with the trace points: .Pp .Bl -tag -width flag -offset indent -compact +.\" Keep this list in sync with kdump(1) and ktrace(1). .It Cm c trace system calls .It Cm i