diff --git a/lib/libcrypto/asn1/a_object.c b/lib/libcrypto/asn1/a_object.c index a87e24395..ed9e9287c 100644 --- a/lib/libcrypto/asn1/a_object.c +++ b/lib/libcrypto/asn1/a_object.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_object.c,v 1.51 2023/07/05 21:23:36 beck Exp $ */ +/* $OpenBSD: a_object.c,v 1.54 2024/05/29 16:14:38 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -615,23 +615,34 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **out_aobj, const unsigned char **pp, long len) int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { - unsigned char *p; + unsigned char *buf, *p; int objsize; - if ((a == NULL) || (a->data == NULL)) - return (0); + if (a == NULL || a->data == NULL) + return -1; objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); + if (pp == NULL) return objsize; - p = *pp; + if ((buf = *pp) == NULL) + buf = calloc(1, objsize); + if (buf == NULL) + return -1; + + p = buf; ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); p += a->length; + /* If buf was allocated, return it, otherwise return the advanced p. */ + if (*pp == NULL) + p = buf; + *pp = p; - return (objsize); + + return objsize; } LCRYPTO_ALIAS(i2d_ASN1_OBJECT); diff --git a/share/man/man4/qwx.4 b/share/man/man4/qwx.4 index bf8cd1c85..db12ee130 100644 --- a/share/man/man4/qwx.4 +++ b/share/man/man4/qwx.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: qwx.4,v 1.4 2024/02/21 21:31:02 stsp Exp $ +.\" $OpenBSD: qwx.4,v 1.5 2024/05/29 09:04:12 stsp Exp $ .\" .\" Copyright (c) 2022 Martin Pieuchot .\" Copyright (c) 2024 Stefan Sperling @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 21 2024 $ +.Dd $Mdocdate: May 29 2024 $ .Dt QWX 4 .Os .Sh NAME 
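Review bot: objsize is used as the calloc size, as the ASN1_put_object length basis and as the return value without being checked for a negative result from ASN1_object_size(); in LibreSSL that function reports an error by returning -1 (confirm against asn1_lib.c in this tree), and on the `*pp != NULL` path a negative objsize would still lead to writes through the caller's buffer. Adding `if (objsize < 0) return -1;` directly after the ASN1_object_size() call closes that path before either calloc() or ASN1_put_object() sees the value. The allocate-on-NULL handling of buf is otherwise consistent with the i2d convention and the trailing comment explains the pointer swap well.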
@@ -88,3 +88,13 @@ The .Nm driver first appeared in .Ox 7.5 . +.Sh CAVEATS +The +.Nm +driver does not support any of the 802.11n, 802.11ac, and 802.11ax +capabilities offered by the hardware. +.Sh BUGS +Broadcast and Multicast frames are only received on networks which +do not use encryption or which use WPA2 with group cipher CCMP. +This prevents ARP and IPv6 from working correcly on other types of +networks. diff --git a/sys/arch/amd64/amd64/acpi_machdep.c b/sys/arch/amd64/amd64/acpi_machdep.c index 98d370daf..e7371833a 100644 --- a/sys/arch/amd64/amd64/acpi_machdep.c +++ b/sys/arch/amd64/amd64/acpi_machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: acpi_machdep.c,v 1.109 2024/05/26 13:37:31 kettenis Exp $ */ +/* $OpenBSD: acpi_machdep.c,v 1.110 2024/05/29 12:21:33 kettenis Exp $ */ /* * Copyright (c) 2005 Thorsten Lockert * @@ -377,6 +377,9 @@ acpi_attach_machdep(struct acpi_softc *sc) int acpi_sleep_cpu(struct acpi_softc *sc, int state) { + if (state == ACPI_STATE_S0) + return cpu_suspend_primary(); + rtcstop(); #if NLAPIC > 0 lapic_disable(); @@ -458,6 +461,9 @@ acpi_sleep_cpu(struct acpi_softc *sc, int state) void acpi_resume_cpu(struct acpi_softc *sc, int state) { + if (state == ACPI_STATE_S0) + return; + cpu_init_msrs(&cpu_info_primary); cpu_fix_msrs(&cpu_info_primary); diff --git a/sys/arch/amd64/amd64/cpu.c b/sys/arch/amd64/amd64/cpu.c index 652fe4d3c..670beb278 100644 --- a/sys/arch/amd64/amd64/cpu.c +++ b/sys/arch/amd64/amd64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.188 2024/05/14 01:42:07 guenther Exp $ */ +/* $OpenBSD: cpu.c,v 1.189 2024/05/29 12:21:33 kettenis Exp $ */ /* $NetBSD: cpu.c,v 1.1 2003/04/26 18:39:26 fvdl Exp $ */ /*- 
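Review bot: acpi_sleep_cpu() now calls cpu_suspend_primary(), whose definition in sys/arch/amd64/amd64/cpu.c is wrapped in `#ifdef SUSPEND` while the new prototype in sys/arch/amd64/include/cpu.h is unconditional; if acpi_sleep_cpu() can be compiled into a kernel without SUSPEND the reference fails to link, so the call (or the definition) should carry a matching guard — confirm against whatever option gates this file's sleep code. The early `return;` added to acpi_resume_cpu() in the second hunk depends on the same S0 path and would need the same treatment. Both functions continue outside their hunks.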
@@ -1461,3 +1461,52 @@ wbinvd_on_all_cpus(void) return 0; } #endif + +int cpu_suspended; + +#ifdef SUSPEND + +void +cpu_suspend_cycle(void) +{ + cpu_idle_cycle_fcn(); +} + +int +cpu_suspend_primary(void) +{ + struct cpu_info *ci = curcpu(); + int count = 0; + + printf("suspend\n"); + + /* Mask clock interrupts. */ + local_pic.pic_hwmask(&local_pic, 0); + + /* + * All non-wakeup interrupts should be masked at this point; + * re-enable interrupts such that wakeup interrupts actually + * wake us up. Set a flag such that drivers can tell we're + * suspended and change their behaviour accordingly. They can + * wake us up by clearing the flag. + */ + cpu_suspended = 1; + ci->ci_ilevel = IPL_NONE; + intr_enable(); + + while (cpu_suspended) { + cpu_suspend_cycle(); + count++; + } + + intr_disable(); + ci->ci_ilevel = IPL_HIGH; + + /* Unmask clock interrupts. */ + local_pic.pic_hwunmask(&local_pic, 0); + + printf("resume %d\n", count); + return 0; +} + +#endif diff --git a/sys/arch/amd64/amd64/intr.c b/sys/arch/amd64/amd64/intr.c index 8bd6dbe68..b85d5a006 100644 --- a/sys/arch/amd64/amd64/intr.c +++ b/sys/arch/amd64/amd64/intr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: intr.c,v 1.57 2024/05/26 13:37:31 kettenis Exp $ */ +/* $OpenBSD: intr.c,v 1.58 2024/05/29 12:21:33 kettenis Exp $ */ /* $NetBSD: intr.c,v 1.3 2003/03/03 22:16:20 fvdl Exp $ */ /* @@ -524,12 +524,22 @@ intr_disestablish(struct intrhand *ih) int intr_handler(struct intrframe *frame, struct intrhand *ih) { + extern int cpu_suspended; struct cpu_info *ci = curcpu(); int floor; int rc; #ifdef MULTIPROCESSOR int need_lock; +#endif + /* + * We may not be able to mask MSIs, so block non-wakeup + * interrupts while we're suspended. + */ + if (cpu_suspended && (ih->ih_flags & IPL_WAKEUP) == 0) + return 0; + +#ifdef MULTIPROCESSOR if (ih->ih_flags & IPL_MPSAFE) need_lock = 0; else diff --git a/sys/arch/amd64/include/cpu.h b/sys/arch/amd64/include/cpu.h index 57e3c6221..fab34e5bd 100644 --- a/sys/arch/amd64/include/cpu.h 
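Review bot: cpu_suspend_primary() has no header comment stating its contract, although the body implies one: it drops ci_ilevel to IPL_NONE and enables interrupts, spins until an IPL_WAKEUP handler clears cpu_suspended, then disables interrupts and restores IPL_HIGH. A comment such as `/* Park the primary CPU in an idle loop with only wakeup interrupts serviced; call at IPL_HIGH with interrupts disabled, returns once a wakeup handler clears cpu_suspended. */` would make the entry conditions explicit (the IPL_HIGH entry state is inferred from the restore at the end, so confirm). Separately, `count` is a signed int incremented once per idle cycle with no bound; `unsigned int count = 0;` printed with `%u` avoids relying on signed overflow if a wakeup never arrives.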
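Review bot: `extern int cpu_suspended;` is declared at block scope inside intr_handler() rather than in a header, and the same block-scope extern is repeated in acpi_interrupt() in sys/dev/acpi/acpi.c later in this diff; with definitions in both amd64 and i386 cpu.c, the declaration belongs in the arch cpu.h next to the new `int cpu_suspend_primary(void);` prototype so the type is checked in one place. A short comment at the definition site would also document the protocol the new early return relies on, e.g. `/* Set while the primary CPU idles in cpu_suspend_primary(); cleared by a wakeup interrupt handler to resume. */`. intr_handler's body continues outside the hunk.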
+++ b/sys/arch/amd64/include/cpu.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.h,v 1.170 2024/05/21 23:16:06 jsg Exp $ */ +/* $OpenBSD: cpu.h,v 1.171 2024/05/29 12:21:33 kettenis Exp $ */ /* $NetBSD: cpu.h,v 1.1 2003/04/26 18:39:39 fvdl Exp $ */ /*- @@ -401,6 +401,8 @@ extern int cpu_meltdown; extern u_int cpu_mwait_size; extern u_int cpu_mwait_states; +int cpu_suspend_primary(void); + /* cacheinfo.c */ void x86_print_cacheinfo(struct cpu_info *); diff --git a/sys/arch/arm64/arm64/cpu.c b/sys/arch/arm64/arm64/cpu.c index 4683092f7..1abc8b2e6 100644 --- a/sys/arch/arm64/arm64/cpu.c +++ b/sys/arch/arm64/arm64/cpu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.116 2024/05/27 06:20:59 kettenis Exp $ */ +/* $OpenBSD: cpu.c,v 1.117 2024/05/29 15:32:06 jsg Exp $ */ /* * Copyright (c) 2016 Dale Rahn @@ -87,6 +87,8 @@ #define CPU_PART_CORTEX_A720 0xd81 #define CPU_PART_CORTEX_X4 0xd82 #define CPU_PART_NEOVERSE_V3 0xd84 +#define CPU_PART_CORTEX_X925 0xd85 +#define CPU_PART_CORTEX_A725 0xd87 #define CPU_PART_CORTEX_A520AE 0xd88 #define CPU_PART_CORTEX_A720AE 0xd89 #define CPU_PART_NEOVERSE_N3 0xd8e @@ -159,11 +161,13 @@ struct cpu_cores cpu_cores_arm[] = { { CPU_PART_CORTEX_A715, "Cortex-A715" }, { CPU_PART_CORTEX_A720, "Cortex-A720" }, { CPU_PART_CORTEX_A720AE, "Cortex-A720AE" }, + { CPU_PART_CORTEX_A725, "Cortex-A725" }, { CPU_PART_CORTEX_X1, "Cortex-X1" }, { CPU_PART_CORTEX_X1C, "Cortex-X1C" }, { CPU_PART_CORTEX_X2, "Cortex-X2" }, { CPU_PART_CORTEX_X3, "Cortex-X3" }, { CPU_PART_CORTEX_X4, "Cortex-X4" }, + { CPU_PART_CORTEX_X925, "Cortex-X925" }, { CPU_PART_NEOVERSE_E1, "Neoverse E1" }, { CPU_PART_NEOVERSE_N1, "Neoverse N1" }, { CPU_PART_NEOVERSE_N2, "Neoverse N2" }, diff --git a/sys/arch/i386/i386/cpu.c b/sys/arch/i386/i386/cpu.c index 28a7099a7..3559b92ca 100644 --- a/sys/arch/i386/i386/cpu.c +++ b/sys/arch/i386/i386/cpu.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cpu.c,v 1.114 2023/10/24 13:20:10 claudio Exp $ */ +/* $OpenBSD: cpu.c,v 1.115 2024/05/29 12:21:33 kettenis Exp $ */ /* $NetBSD: cpu.c,v 1.1.2.7 2000/06/26 02:04:05 sommerfeld Exp $ */ /*- @@ -925,3 +925,5 @@ wbinvd_on_all_cpus(void) return 0; } #endif + +int cpu_suspended; diff --git a/sys/conf/files b/sys/conf/files index 93392b223..dc2ecc291 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1,4 +1,4 @@ -# $OpenBSD: files,v 1.731 2024/04/10 13:59:05 naddy Exp $ +# $OpenBSD: files,v 1.732 2024/05/29 13:56:49 mglocker Exp $ # $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $ # @(#)files.newconf 7.5 (Berkeley) 5/10/93 @@ -551,8 +551,7 @@ device qciic: i2cbus # UFS HC device ufshci: scsi -#device ufshci -file dev/ic/ufshci.c ufshci +file dev/ic/ufshci.c ufshci needs-flag # legitimate pseudo-devices pseudo-device vnd: disk diff --git a/sys/dev/acpi/acpi.c b/sys/dev/acpi/acpi.c index f53c84e14..71c30b59a 100644 --- a/sys/dev/acpi/acpi.c +++ b/sys/dev/acpi/acpi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: acpi.c,v 1.428 2024/05/13 19:56:37 kettenis Exp $ */ +/* $OpenBSD: acpi.c,v 1.429 2024/05/29 12:21:33 kettenis Exp $ */ /* * Copyright (c) 2005 Thorsten Lockert * Copyright (c) 2005 Jordan Hargrave @@ -2085,6 +2085,7 @@ acpi_powerdown_task(void *arg0, int dummy) int acpi_interrupt(void *arg) { + extern int cpu_suspended; struct acpi_softc *sc = (struct acpi_softc *)arg; uint32_t processed = 0, idx, jdx; uint16_t sts, en; @@ -2137,6 +2138,9 @@ acpi_interrupt(void *arg) ACPI_PM1_PWRBTN_STS); sts &= ~ACPI_PM1_PWRBTN_STS; + if (cpu_suspended) + cpu_suspended = 0; + acpi_addtask(sc, acpi_pbtn_task, sc, 0); } if (sts & ACPI_PM1_SLPBTN_STS) { diff --git a/sys/dev/acpi/acpi_x86.c b/sys/dev/acpi/acpi_x86.c index 6a439828d..dc7467cdd 100644 --- a/sys/dev/acpi/acpi_x86.c +++ b/sys/dev/acpi/acpi_x86.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: acpi_x86.c,v 1.20 2024/05/28 09:40:40 kettenis Exp $ */ +/* $OpenBSD: acpi_x86.c,v 1.21 2024/05/29 12:21:33 kettenis Exp $ */ /* * Copyright (c) 2005 Thorsten Lockert * Copyright (c) 2005 Jordan Hargrave @@ -31,13 +31,18 @@ int sleep_showstate(void *v, int sleepmode) { struct acpi_softc *sc = v; + int fallback_state = -1; switch (sleepmode) { case SLEEP_SUSPEND: sc->sc_state = ACPI_STATE_S3; +#ifdef __amd64__ + fallback_state = ACPI_STATE_S0; /* No S3, use S0 */ +#endif break; case SLEEP_HIBERNATE: sc->sc_state = ACPI_STATE_S4; + fallback_state = ACPI_STATE_S5; /* No S4, use S5 */ break; default: return (EOPNOTSUPP); @@ -45,10 +50,10 @@ sleep_showstate(void *v, int sleepmode) if (sc->sc_sleeptype[sc->sc_state].slp_typa == -1 || sc->sc_sleeptype[sc->sc_state].slp_typb == -1) { - if (sc->sc_state == ACPI_STATE_S4) { - sc->sc_state = ACPI_STATE_S5; /* No S4, use S5 */ - printf("%s: S4 unavailable, using S5\n", - sc->sc_dev.dv_xname); + if (fallback_state != -1) { + printf("%s: S%d unavailable, using S%d\n", + sc->sc_dev.dv_xname, sc->sc_state, fallback_state); + sc->sc_state = fallback_state; } else { printf("%s: state S%d unavailable\n", sc->sc_dev.dv_xname, sc->sc_state); @@ -57,8 +62,10 @@ sleep_showstate(void *v, int sleepmode) } /* 1st suspend AML step: _TTS(tostate) */ - if (aml_node_setval(sc, sc->sc_tts, sc->sc_state) != 0) - return (EINVAL); + if (sc->sc_state != ACPI_STATE_S0) { + if (aml_node_setval(sc, sc->sc_tts, sc->sc_state) != 0) + return (EINVAL); + } acpi_indicator(sc, ACPI_SST_WAKING); /* blink */ return 0; } @@ -69,8 +76,10 @@ sleep_setstate(void *v) struct acpi_softc *sc = v; /* 2nd suspend AML step: _PTS(tostate) */ - if (aml_node_setval(sc, sc->sc_pts, sc->sc_state) != 0) - return (EINVAL); + if (sc->sc_state != ACPI_STATE_S0) { + if (aml_node_setval(sc, sc->sc_pts, sc->sc_state) != 0) + return (EINVAL); + } acpi_indicator(sc, ACPI_SST_WAKING); /* blink */ return 0; } 
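Review bot: the guard `if (sc->sc_state != ACPI_STATE_S0)` is now repeated around each AML step (_TTS in sleep_showstate(), _PTS in sleep_setstate(), and in the next chunk _GTS in gosleep() and _TTS in sleep_resume()) without saying why S0 is exempt. A comment at the first occurrence would carry the reasoning for all four, e.g. `/* S0 idle is not an ACPI sleep transition; _TTS/_PTS/_GTS do not apply. */` — the reason is inferred from the `No S3, use S0` fallback comment, so adjust if the intent differs. The `int fallback_state = -1;` initialiser also deserves a word that -1 means no fallback and the state is reported as unavailable.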
@@ -85,7 +94,8 @@ gosleep(void *v) acpi_indicator(sc, ACPI_SST_SLEEPING); /* 3rd suspend AML step: _GTS(tostate) */ - aml_node_setval(sc, sc->sc_gts, sc->sc_state); + if (sc->sc_state != ACPI_STATE_S0) + aml_node_setval(sc, sc->sc_gts, sc->sc_state); /* Clear fixed event status */ acpi_write_pmreg(sc, ACPIREG_PM1_STS, 0, ACPI_PM1_ALL_STS); @@ -110,8 +120,10 @@ sleep_resume(void *v) acpibtn_disable_psw(); /* disable _LID for wakeup */ /* 3rd resume AML step: _TTS(runstate) */ - if (aml_node_setval(sc, sc->sc_tts, ACPI_STATE_S0) != 0) - return (EINVAL); + if (sc->sc_state != ACPI_STATE_S0) { + if (aml_node_setval(sc, sc->sc_tts, ACPI_STATE_S0) != 0) + return (EINVAL); + } acpi_indicator(sc, ACPI_SST_WAKING); /* blink */ return 0; } diff --git a/sys/dev/acpi/tpm.c b/sys/dev/acpi/tpm.c index e4bf6dc60..9bd79fe2f 100644 --- a/sys/dev/acpi/tpm.c +++ b/sys/dev/acpi/tpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tpm.c,v 1.19 2024/05/13 01:15:50 jsg Exp $ */ +/* $OpenBSD: tpm.c,v 1.20 2024/05/29 12:21:33 kettenis Exp $ */ /* * Minimal interface to Trusted Platform Module chips implementing the @@ -376,6 +376,9 @@ tpm_suspend(struct tpm_softc *sc) uint8_t *command; size_t commandlen; + if (sc->sc_acpi->sc_state == ACPI_STATE_S0) + return 0; + DPRINTF(("%s: saving state preparing for suspend\n", sc->sc_dev.dv_xname)); diff --git a/sys/dev/ic/acxvar.h b/sys/dev/ic/acxvar.h index 6af4a3ab6..1d26cd1cc 100644 --- a/sys/dev/ic/acxvar.h +++ b/sys/dev/ic/acxvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: acxvar.h,v 1.19 2008/07/21 04:12:21 kevlo Exp $ */ +/* $OpenBSD: acxvar.h,v 1.20 2024/05/29 01:11:53 jsg Exp $ */ /* * Copyright (c) 2006 Jonathan Gray @@ -469,8 +469,6 @@ struct acx_softc { #define ACX_RADIO_RSSI_RADIA 78 /* 78db */ #define ACX_RADIO_RSSI_UNKN 0 /* unknown radio */ -extern const struct ieee80211_rateset acx_rates_11b; -extern const struct ieee80211_rateset acx_rates_11g; extern int acx_beacon_intvl; void acx100_set_param(struct acx_softc *); 
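Review bot: tpm_suspend() now returns 0 for ACPI_STATE_S0 before saving any state, but the matching tpm_resume() path is not in the diff; if it unconditionally re-initialises the chip or issues a startup command that expects the saved state, the S0 case needs the same guard there. A one-line comment on the new check would also record the intent, e.g. `/* S0 idle keeps the TPM powered; nothing to save. */` — that the TPM stays powered in S0 is inferred, so adjust if wrong. tpm_suspend's body continues outside the hunk.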
diff --git a/sys/dev/ic/aic79xx.h b/sys/dev/ic/aic79xx.h index f629fc666..291aef605 100644 --- a/sys/dev/ic/aic79xx.h +++ b/sys/dev/ic/aic79xx.h @@ -1,4 +1,4 @@ -/* $OpenBSD: aic79xx.h,v 1.30 2022/10/21 17:45:40 kn Exp $ */ +/* $OpenBSD: aic79xx.h,v 1.31 2024/05/29 00:48:15 jsg Exp $ */ /* * Copyright (c) 2004 Milos Urbanek, Kenneth R. Westerback & Marco Peereboom @@ -1329,8 +1329,6 @@ void ahd_unbusy_tcl(struct ahd_softc *ahd, u_int tcl); /***************************** PCI Front End *********************************/ const struct ahd_pci_identity * ahd_find_pci_device(pcireg_t, pcireg_t); -int ahd_pci_config(struct ahd_softc *, - struct ahd_pci_identity *); int ahd_pci_test_register_access(struct ahd_softc *); /************************** SCB and SCB queue management **********************/ @@ -1405,10 +1403,6 @@ int ahd_search_qinfifo(struct ahd_softc *ahd, int target, char channel, int lun, u_int tag, role_t role, uint32_t status, ahd_search_action action); -int ahd_search_disc_list(struct ahd_softc *ahd, int target, - char channel, int lun, u_int tag, - int stop_on_first, int remove, - int save_state); void ahd_freeze_devq(struct ahd_softc *ahd, struct scb *scb); int ahd_reset_channel(struct ahd_softc *ahd, char channel, int initiate_reset); diff --git a/sys/dev/ic/aic79xx_openbsd.h b/sys/dev/ic/aic79xx_openbsd.h index b3b703539..4e77e027c 100644 --- a/sys/dev/ic/aic79xx_openbsd.h +++ b/sys/dev/ic/aic79xx_openbsd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: aic79xx_openbsd.h,v 1.21 2020/07/28 21:33:14 krw Exp $ */ +/* $OpenBSD: aic79xx_openbsd.h,v 1.22 2024/05/29 00:48:15 jsg Exp $ */ /* * Copyright (c) 2004 Milos Urbanek, Kenneth R. Westerback & Marco Peereboom 
@@ -232,9 +232,6 @@ void aic_platform_scb_free(struct ahd_softc *, struct scb *); #define aic_get_pci_function(pci) ((pci)->pa_function) #define aic_get_pci_slot(pci) ((pci)->pa_device) #define aic_get_pci_bus(pci) ((pci)->pa_bus) - -int ahd_pci_map_registers(struct ahd_softc *); -int ahd_pci_map_int(struct ahd_softc *); /*#endif*/ typedef enum @@ -245,15 +242,11 @@ typedef enum AHD_POWER_STATE_D3 } ahd_power_state; -void ahd_power_state_change(struct ahd_softc *, ahd_power_state); - /********************************* Debug **************************************/ void ahd_print_path(struct ahd_softc *, struct scb *); void ahd_platform_dump_card_state(struct ahd_softc *ahd); /**************************** Transfer Settings *******************************/ -void ahd_notify_xfer_settings_change(struct ahd_softc *, - struct ahd_devinfo *); void ahd_platform_set_tags(struct ahd_softc *, struct ahd_devinfo *, ahd_queue_alg); diff --git a/sys/dev/ic/aic7xxx_openbsd.h b/sys/dev/ic/aic7xxx_openbsd.h index 38f7273c0..061a1b54c 100644 --- a/sys/dev/ic/aic7xxx_openbsd.h +++ b/sys/dev/ic/aic7xxx_openbsd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: aic7xxx_openbsd.h,v 1.31 2020/08/13 12:11:15 krw Exp $ */ +/* $OpenBSD: aic7xxx_openbsd.h,v 1.32 2024/05/29 00:48:15 jsg Exp $ */ /* $NetBSD: aic7xxx_osm.h,v 1.7 2003/11/02 11:07:44 wiz Exp $ */ /* @@ -357,10 +357,6 @@ typedef enum void ahc_power_state_change(struct ahc_softc *, ahc_power_state); #endif -/******************************** VL/EISA *************************************/ -int aic7770_map_registers(struct ahc_softc *, u_int); -int aic7770_map_int(struct ahc_softc *, int); - /********************************* Debug **************************************/ static __inline void ahc_print_path(struct ahc_softc *, struct scb *); static __inline void ahc_platform_dump_card_state(struct ahc_softc *); 
@@ -379,15 +375,11 @@ ahc_platform_dump_card_state(struct ahc_softc *ahc) ahc->features, ahc->flags, ahc->chip, ahc->bugs); } /**************************** Transfer Settings *******************************/ -void ahc_notify_xfer_settings_change(struct ahc_softc *, - struct ahc_devinfo *); void ahc_platform_set_tags(struct ahc_softc *, struct ahc_devinfo *, int); /************************* Initialization/Teardown ****************************/ -int ahc_map_int(struct ahc_softc *); int ahc_attach(struct ahc_softc *); int ahc_softc_comp(struct ahc_softc *, struct ahc_softc *); -int ahc_detach(struct device *, int); /****************************** Interrupts ************************************/ int ahc_platform_intr(void *); diff --git a/sys/dev/ic/aic7xxxvar.h b/sys/dev/ic/aic7xxxvar.h index 7e71fd984..ee9e88522 100644 --- a/sys/dev/ic/aic7xxxvar.h +++ b/sys/dev/ic/aic7xxxvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: aic7xxxvar.h,v 1.38 2022/10/21 17:45:40 kn Exp $ */ +/* $OpenBSD: aic7xxxvar.h,v 1.40 2024/05/29 01:11:53 jsg Exp $ */ /* * Core definitions and data structures shareable across OS platforms. * @@ -38,7 +38,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGES. * - * $Id: aic7xxxvar.h,v 1.38 2022/10/21 17:45:40 kn Exp $ + * $Id: aic7xxxvar.h,v 1.40 2024/05/29 01:11:53 jsg Exp $ * * $FreeBSD: src/sys/dev/aic7xxx/aic7xxx.h,v 1.50 2003/12/17 00:02:09 gibbs Exp $ */ @@ -1164,15 +1164,6 @@ struct ahc_pci_identity { extern const struct ahc_pci_identity ahc_pci_ident_table[]; /***************************** VL/EISA Declarations ***************************/ -struct aic7770_identity { - uint32_t full_id; - uint32_t id_mask; - const char *name; - ahc_device_setup_t *setup; -}; -extern struct aic7770_identity aic7770_ident_table[]; -extern const int ahc_num_aic7770_devs; - #define AHC_EISA_SLOT_OFFSET 0xc00 #define AHC_EISA_IOSIZE 0x100 
@@ -1184,15 +1175,8 @@ void ahc_busy_tcl(struct ahc_softc *, u_int, u_int); /***************************** PCI Front End *********************************/ const struct ahc_pci_identity *ahc_find_pci_device(pcireg_t, pcireg_t, u_int); -int ahc_pci_config(struct ahc_softc *, - struct ahc_pci_identity *); int ahc_pci_test_register_access(struct ahc_softc *); -/*************************** EISA/VL Front End ********************************/ -struct aic7770_identity *aic7770_find_device(uint32_t); -int aic7770_config(struct ahc_softc *, - struct aic7770_identity *, u_int); - /************************** SCB and SCB queue management **********************/ int ahc_probe_scbs(struct ahc_softc *); void ahc_run_untagged_queues(struct ahc_softc *ahc); diff --git a/sys/dev/ic/comvar.h b/sys/dev/ic/comvar.h index 12a4ffddc..ff92e02d4 100644 --- a/sys/dev/ic/comvar.h +++ b/sys/dev/ic/comvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: comvar.h,v 1.60 2024/05/12 08:42:13 jsg Exp $ */ +/* $OpenBSD: comvar.h,v 1.61 2024/05/29 00:48:15 jsg Exp $ */ /* $NetBSD: comvar.h,v 1.5 1996/05/05 19:50:47 christos Exp $ */ /* @@ -147,7 +147,6 @@ void com_resume(struct com_softc *); void comdiag(void *); int comspeed(long, long); -u_char com_cflag2lcr(tcflag_t); /* XXX undefined */ int comparam(struct tty *, struct termios *); void comstart(struct tty *); void comsoft(void *); diff --git a/sys/dev/ic/dp8390var.h b/sys/dev/ic/dp8390var.h index 5132b6cdd..fa3b8f1f7 100644 --- a/sys/dev/ic/dp8390var.h +++ b/sys/dev/ic/dp8390var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dp8390var.h,v 1.13 2022/01/09 05:42:38 jsg Exp $ */ +/* $OpenBSD: dp8390var.h,v 1.14 2024/05/29 00:48:15 jsg Exp $ */ /* $NetBSD: dp8390var.h,v 1.8 1998/08/12 07:19:09 scottr Exp $ */ /* @@ -173,4 +173,3 @@ void dp8390_rint(struct dp8390_softc *); void dp8390_getmcaf(struct arpcom *, u_int8_t *); struct mbuf *dp8390_get(struct dp8390_softc *, int, u_short); -void dp8390_read(struct dp8390_softc *, int, u_short); 
diff --git a/sys/dev/ic/qwx.c b/sys/dev/ic/qwx.c index f8c475ed9..ecd69cf52 100644 --- a/sys/dev/ic/qwx.c +++ b/sys/dev/ic/qwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: qwx.c,v 1.61 2024/05/28 13:02:45 jsg Exp $ */ +/* $OpenBSD: qwx.c,v 1.62 2024/05/29 07:24:26 stsp Exp $ */ /* * Copyright 2023 Stefan Sperling @@ -157,6 +157,7 @@ int qwx_wmi_vdev_install_key(struct qwx_softc *, struct wmi_vdev_install_key_arg *, uint8_t); int qwx_dp_peer_rx_pn_replay_config(struct qwx_softc *, struct qwx_vif *, struct ieee80211_node *, struct ieee80211_key *, int); +void qwx_setkey_clear(struct qwx_softc *); int qwx_scan(struct qwx_softc *); void qwx_scan_abort(struct qwx_softc *); 
@@ -183,7 +184,45 @@ qwx_init(struct ifnet *ifp) struct ieee80211com *ic = &sc->sc_ic; sc->fw_mode = ATH11K_FIRMWARE_MODE_NORMAL; - sc->crypto_mode = ATH11K_CRYPT_MODE_HW; + /* + * There are several known hardware/software crypto issues + * on wcn6855 devices, firmware 0x1106196e. It is unclear + * if these are driver or firmware bugs. + * + * 1) Broadcast/Multicast frames will only be received on + * encrypted networks if hardware crypto is used and a + * CCMP group key is used. Otherwise such frames never + * even trigger an interrupt. This breaks ARP and IPv6. + * This issue is known to affect the Linux ath11k vendor + * driver when software crypto mode is selected. + * Workaround: Use hardware crypto on WPA2 networks. + * However, even with hardware crypto broadcast frames + * are never received if TKIP is used as the WPA2 group + * cipher and we have no workaround for this. + * + * 2) Adding WEP keys for hardware crypto crashes the firmware. + * Presumably, lack of WEP support is deliberate because the + * Linux ath11k vendor driver rejects attempts to install + * WEP keys to hardware. + * Workaround: Use software crypto if WEP is enabled. + * This suffers from the broadcast issues mentioned above. + * + * 3) A WPA1 group key handshake message from the AP is never + * received if hardware crypto is used. + * Workaround: Use software crypto if WPA1 is enabled. + * This suffers from the broadcast issues mentioned above, + * even on WPA2 networks when WPA1 and WPA2 are both enabled. + * On OpenBSD, WPA1 is disabled by default. + * + * The only known fully working configurations are unencrypted + * networks, and WPA2/CCMP-only networks provided WPA1 remains + * disabled. + */ + if ((ic->ic_flags & IEEE80211_F_WEPON) || + (ic->ic_rsnprotos & IEEE80211_PROTO_WPA)) + sc->crypto_mode = ATH11K_CRYPT_MODE_SW; + else + sc->crypto_mode = ATH11K_CRYPT_MODE_HW; sc->frame_mode = ATH11K_HW_TXRX_NATIVE_WIFI; ic->ic_state = IEEE80211_S_INIT; sc->ns_nstate = IEEE80211_S_INIT; 
@@ -291,6 +330,8 @@ qwx_stop(struct ifnet *ifp) qwx_del_task(sc, systq, &sc->setkey_task); refcnt_finalize(&sc->task_refs, "qwxstop"); + qwx_setkey_clear(sc); + clear_bit(ATH11K_FLAG_CRASH_FLUSH, sc->sc_flags); ifp->if_timer = sc->sc_tx_timer = 0; @@ -529,8 +570,8 @@ qwx_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, struct qwx_softc *sc = ic->ic_softc; if (test_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, sc->sc_flags) || - (k->k_cipher != IEEE80211_CIPHER_CCMP && - k->k_cipher != IEEE80211_CIPHER_TKIP)) + k->k_cipher == IEEE80211_CIPHER_WEP40 || + k->k_cipher == IEEE80211_CIPHER_WEP104) return ieee80211_set_key(ic, ni, k); return qwx_queue_setkey_cmd(ic, ni, k, QWX_ADD_KEY); @@ -543,8 +584,8 @@ qwx_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, struct qwx_softc *sc = ic->ic_softc; if (test_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, sc->sc_flags) || - (k->k_cipher != IEEE80211_CIPHER_CCMP && - k->k_cipher != IEEE80211_CIPHER_TKIP)) { + k->k_cipher == IEEE80211_CIPHER_WEP40 || + k->k_cipher == IEEE80211_CIPHER_WEP104) { ieee80211_delete_key(ic, ni, k); return; } @@ -757,6 +798,24 @@ qwx_setkey_task(void *arg) splx(s); } +void +qwx_setkey_clear(struct qwx_softc *sc) +{ + struct ieee80211com *ic = &sc->sc_ic; + struct qwx_setkey_task_arg *a; + + while (sc->setkey_nkeys > 0) { + a = &sc->setkey_arg[sc->setkey_tail]; + ieee80211_release_node(ic, a->ni); + a->ni = NULL; + sc->setkey_tail = (sc->setkey_tail + 1) % + nitems(sc->setkey_arg); + sc->setkey_nkeys--; + } + memset(sc->setkey_arg, 0, sizeof(sc->setkey_arg)); + sc->setkey_cur = sc->setkey_tail = sc->setkey_nkeys = 0; +} + int qwx_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg) { 
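Review bot: qwx_set_key() and qwx_delete_key() replace the CCMP/TKIP allowlist with a WEP40/WEP104 denylist, so any other cipher net80211 may hand the driver (BIP for 802.11w, if the stack enables it here) is now queued to the firmware via qwx_queue_setkey_cmd() instead of being handled in software; confirm the install path rejects or correctly maps ciphers other than CCMP and TKIP, otherwise keep the positive list. The qwx_dp_tx() hunk later in this diff still treats every cipher other than CCMP/TKIP as HAL_ENCRYPT_TYPE_OPEN, so a key installed in hardware but encrypted in software would be inconsistent. qwx_setkey_clear() itself looks correct; a short comment stating that it must run only after setkey_task has been cancelled, as both callers do, would document the ordering it relies on.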
@@ -773,21 +832,11 @@ qwx_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg) nstate != IEEE80211_S_AUTH) return 0; if (ic->ic_state == IEEE80211_S_RUN) { - struct qwx_setkey_task_arg *a; #if 0 qwx_del_task(sc, systq, &sc->ba_task); #endif qwx_del_task(sc, systq, &sc->setkey_task); - while (sc->setkey_nkeys > 0) { - a = &sc->setkey_arg[sc->setkey_tail]; - ieee80211_release_node(ic, a->ni); - a->ni = NULL; - sc->setkey_tail = (sc->setkey_tail + 1) % - nitems(sc->setkey_arg); - sc->setkey_nkeys--; - } - memset(sc->setkey_arg, 0, sizeof(sc->setkey_arg)); - sc->setkey_cur = sc->setkey_tail = sc->setkey_nkeys = 0; + qwx_setkey_clear(sc); #if 0 qwx_del_task(sc, systq, &sc->bgscan_done_task); #endif @@ -16021,13 +16070,15 @@ qwx_dp_rx_h_reo_err(struct qwx_softc *sc, struct qwx_rx_msdu *msdu, int qwx_dp_rx_h_rxdma_err(struct qwx_softc *sc, struct qwx_rx_msdu *msdu) { + struct ieee80211com *ic = &sc->sc_ic; int drop = 0; #if 0 ar->ab->soc_stats.rxdma_error[rxcb->err_code]++; #endif switch (msdu->err_code) { case HAL_REO_ENTR_RING_RXDMA_ECODE_TKIP_MIC_ERR: - drop = 1; /* OpenBSD uses TKIP in software crypto mode only */ + ic->ic_stats.is_rx_locmicfail++; + drop = 1; break; default: /* TODO: Review other rxdma error code to check if anything is @@ -24193,7 +24244,7 @@ qwx_dp_tx(struct qwx_softc *sc, struct qwx_vif *arvif, uint8_t pdev_id, void *hal_tcl_desc; uint8_t pool_id; uint8_t hal_ring_id; - int ret, msdu_id; + int ret, msdu_id, off; uint32_t ring_selector = 0; uint8_t ring_map = 0; 
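Review bot: a TKIP MIC failure reported by the hardware is now counted in is_rx_locmicfail and dropped, but nothing invokes the Michael countermeasures that net80211 applies when software crypto detects the same condition (ieee80211_michael_mic_failure()); with hardware TKIP now selectable for WPA2 group keys, a forged frame would be silently dropped rather than triggering the protocol's required response. If this error path cannot distinguish a genuine MIC failure from another decode error, a comment saying so would explain the omission; otherwise consider calling the countermeasure hook with the frame's TSC as other drivers do. qwx_dp_rx_h_rxdma_err's switch continues outside the hunk.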
@@ -24238,22 +24289,34 @@ qwx_dp_tx(struct qwx_softc *sc, struct qwx_vif *arvif, uint8_t pdev_id, if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) && ti.encap_type == HAL_TCL_ENCAP_TYPE_RAW) { k = ieee80211_get_txkey(ic, wh, ni); - switch (k->k_cipher) { - case IEEE80211_CIPHER_CCMP: - ti.encrypt_type = HAL_ENCRYPT_TYPE_CCMP_128; - m->m_pkthdr.len += IEEE80211_CCMP_MICLEN; - break; - case IEEE80211_CIPHER_TKIP: - ti.encrypt_type = HAL_ENCRYPT_TYPE_TKIP_MIC; - m->m_pkthdr.len += IEEE80211_TKIP_MICLEN; - break; - default: - /* Fallback to software crypto for other ciphers. */ + if (test_bit(ATH11K_FLAG_HW_CRYPTO_DISABLED, sc->sc_flags)) { ti.encrypt_type = HAL_ENCRYPT_TYPE_OPEN; - break; + } else { + switch (k->k_cipher) { + case IEEE80211_CIPHER_CCMP: + ti.encrypt_type = HAL_ENCRYPT_TYPE_CCMP_128; + if (m_makespace(m, m->m_pkthdr.len, + IEEE80211_CCMP_MICLEN, &off) == NULL) { + m_freem(m); + return ENOSPC; + } + break; + case IEEE80211_CIPHER_TKIP: + ti.encrypt_type = HAL_ENCRYPT_TYPE_TKIP_MIC; + if (m_makespace(m, m->m_pkthdr.len, + IEEE80211_TKIP_MICLEN, &off) == NULL) { + m_freem(m); + return ENOSPC; + } + break; + default: + ti.encrypt_type = HAL_ENCRYPT_TYPE_OPEN; + break; + } } if (ti.encrypt_type == HAL_ENCRYPT_TYPE_OPEN) { + /* Using software crypto. */ if ((m = ieee80211_encrypt(ic, m, k)) == NULL) return ENOBUFS; /* 802.11 header may have moved. */ diff --git a/sys/dev/ic/stivar.h b/sys/dev/ic/stivar.h index 4c593088e..e694d4c5c 100644 --- a/sys/dev/ic/stivar.h +++ b/sys/dev/ic/stivar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: stivar.h,v 1.27 2021/05/01 20:04:33 kettenis Exp $ */ +/* $OpenBSD: stivar.h,v 1.28 2024/05/29 00:48:15 jsg Exp $ */ /* * Copyright (c) 2000-2003 Michael Shalayeff 
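Review bot: the two new m_makespace() failure branches free m and return ENOSPC, while the existing ieee80211_encrypt() failure a few lines below returns ENOBUFS relying on that function to have freed the mbuf; whether qwx_dp_tx's caller also frees on a non-zero return is not visible here, so confirm the ownership convention before freeing inside this function to rule out a double free. The default case lost its explanatory comment; restoring `/* Fall back to software crypto for other ciphers. */` keeps the OPEN path self-describing. qwx_dp_tx's body continues outside the hunk.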
@@ -138,8 +138,6 @@ struct sti_softc { int sti_attach_common(struct sti_softc *, bus_space_tag_t, bus_space_tag_t, bus_space_handle_t, u_int); -int sti_cnattach(struct sti_rom *, struct sti_screen *, bus_space_tag_t, - bus_addr_t *, u_int); void sti_describe(struct sti_softc *); void sti_end_attach(void *); u_int sti_rom_size(bus_space_tag_t, bus_space_handle_t); diff --git a/sys/dev/ic/ufshcivar.h b/sys/dev/ic/ufshcivar.h index b2e15e683..bdd7a2101 100644 --- a/sys/dev/ic/ufshcivar.h +++ b/sys/dev/ic/ufshcivar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ufshcivar.h,v 1.8 2024/05/24 09:51:14 mglocker Exp $ */ +/* $OpenBSD: ufshcivar.h,v 1.9 2024/05/29 00:48:15 jsg Exp $ */ /* * Copyright (c) 2022 Marcus Glocker @@ -82,6 +82,5 @@ struct ufshci_softc { }; int ufshci_intr(void *); -void ufshci_attach_hook(struct device *); /* XXX: Only for testing */ int ufshci_attach(struct ufshci_softc *); int ufshci_activate(struct ufshci_softc *, int); diff --git a/sys/dev/ic/wdcvar.h b/sys/dev/ic/wdcvar.h index ac4e48b30..8f4b08d80 100644 --- a/sys/dev/ic/wdcvar.h +++ b/sys/dev/ic/wdcvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: wdcvar.h,v 1.57 2022/01/09 05:42:42 jsg Exp $ */ +/* $OpenBSD: wdcvar.h,v 1.58 2024/05/29 00:48:15 jsg Exp $ */ /* $NetBSD: wdcvar.h,v 1.17 1999/04/11 20:50:29 bouyer Exp $ */ /*- @@ -305,7 +305,6 @@ void wdc_delref(struct channel_softc *); void wdc_disable_intr(struct channel_softc *); void wdc_enable_intr(struct channel_softc *); -int wdc_select_drive(struct channel_softc *, int, int); void wdc_set_drive(struct channel_softc *, int drive); void wdc_output_bytes(struct ata_drive_datas *drvp, void *, unsigned int); void wdc_input_bytes(struct ata_drive_datas *drvp, void *, unsigned int); diff --git a/sys/dev/isa/gusvar.h b/sys/dev/isa/gusvar.h index 1d186dee4..ac99b5ca1 100644 --- a/sys/dev/isa/gusvar.h +++ b/sys/dev/isa/gusvar.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: gusvar.h,v 1.13 2022/11/02 10:41:34 kn Exp $ */ +/* $OpenBSD: gusvar.h,v 1.14 2024/05/29 00:48:14 jsg Exp $ */ /* $NetBSD: gus.c,v 1.51 1998/01/25 23:48:06 mycroft Exp $ */ /*- @@ -310,7 +310,6 @@ void gusmax_close(void *); int gusintr(void *); int gus_set_in_gain(caddr_t, u_int, u_char); int gus_get_in_gain(caddr_t); -int gus_set_out_gain(caddr_t, u_int, u_char); int gus_get_out_gain(caddr_t); int gus_set_params(void *, int, int, struct audio_params *, struct audio_params *); int gusmax_set_params(void *, int, int, struct audio_params *, struct audio_params *); diff --git a/sys/dev/usb/if_athn_usb.c b/sys/dev/usb/if_athn_usb.c index 4f2601b21..b69eccb8b 100644 --- a/sys/dev/usb/if_athn_usb.c +++ b/sys/dev/usb/if_athn_usb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_athn_usb.c,v 1.66 2024/05/23 03:21:08 jsg Exp $ */ +/* $OpenBSD: if_athn_usb.c,v 1.67 2024/05/29 07:27:33 stsp Exp $ */ /*- * Copyright (c) 2011 Damien Bergamini @@ -1640,6 +1640,11 @@ athn_usb_set_key(struct ieee80211com *ic, struct ieee80211_node *ni, (IFF_UP | IFF_RUNNING)) return (0); + if (k->k_cipher != IEEE80211_CIPHER_CCMP) { + /* Use software crypto for ciphers other than CCMP. */ + return ieee80211_set_key(ic, ni, k); + } + /* Do it in a process context. */ cmd.ni = (ni != NULL) ? ieee80211_ref_node(ni) : NULL; cmd.key = k; @@ -1682,6 +1687,11 @@ athn_usb_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni, ic->ic_state != IEEE80211_S_RUN) return; /* Nothing to do. */ + if (k->k_cipher != IEEE80211_CIPHER_CCMP) { + ieee80211_delete_key(ic, ni, k); + return; + } + /* Do it in a process context. */ cmd.ni = (ni != NULL) ? ieee80211_ref_node(ni) : NULL; cmd.key = k; diff --git a/sys/dev/usb/usbdevs b/sys/dev/usb/usbdevs index 88e5949ce..62eda2a80 100644 --- a/sys/dev/usb/usbdevs +++ b/sys/dev/usb/usbdevs 
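Review bot: in athn_usb_delete_key() the new software-crypto fallback sits below the `ic->ic_state != IEEE80211_S_RUN` early return, so a key that was installed through ieee80211_set_key() could be left in place if the state has already left RUN when net80211 asks for its removal; moving the cipher check above the state checks keeps the software path symmetric with athn_usb_set_key(). Whether net80211 changes state before or after calling ic_delete_key is not visible here, so verify that ordering. Both functions continue outside their hunks.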
@@ -1,4 +1,4 @@ -$OpenBSD: usbdevs,v 1.765 2024/05/23 08:06:22 kevlo Exp $ +$OpenBSD: usbdevs,v 1.766 2024/05/29 06:48:43 jsg Exp $ /* $NetBSD: usbdevs,v 1.322 2003/05/10 17:47:14 hamajima Exp $ */ /* @@ -1023,6 +1023,7 @@ product APPLE IPHONE_4S 0x12a0 iPhone 4S product APPLE IPHONE_6 0x12a8 iPhone 6 product APPLE ETHERNET 0x1402 Ethernet A1277 product APPLE BLUETOOTH2 0x8205 Bluetooth +product APPLE BLUETOOTH3 0x8207 Bluetooth product APPLE BLUETOOTH 0x8300 Bluetooth product APPLE ISIGHT_1 0x8501 iSight product APPLE ISIGHT 0x8502 iSight diff --git a/sys/dev/usb/usbdevs.h b/sys/dev/usb/usbdevs.h index 1be572907..c71d7908c 100644 --- a/sys/dev/usb/usbdevs.h +++ b/sys/dev/usb/usbdevs.h @@ -1,10 +1,10 @@ -/* $OpenBSD: usbdevs.h,v 1.777 2024/05/23 08:06:45 kevlo Exp $ */ +/* $OpenBSD: usbdevs.h,v 1.778 2024/05/29 06:49:38 jsg Exp $ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. * * generated from: - * OpenBSD: usbdevs,v 1.765 2024/05/23 08:06:22 kevlo Exp + * OpenBSD: usbdevs,v 1.766 2024/05/29 06:48:43 jsg Exp */ /* $NetBSD: usbdevs,v 1.322 2003/05/10 17:47:14 hamajima Exp $ */ @@ -1030,6 +1030,7 @@ #define USB_PRODUCT_APPLE_IPHONE_6 0x12a8 /* iPhone 6 */ #define USB_PRODUCT_APPLE_ETHERNET 0x1402 /* Ethernet A1277 */ #define USB_PRODUCT_APPLE_BLUETOOTH2 0x8205 /* Bluetooth */ +#define USB_PRODUCT_APPLE_BLUETOOTH3 0x8207 /* Bluetooth */ #define USB_PRODUCT_APPLE_BLUETOOTH 0x8300 /* Bluetooth */ #define USB_PRODUCT_APPLE_ISIGHT_1 0x8501 /* iSight */ #define USB_PRODUCT_APPLE_ISIGHT 0x8502 /* iSight */ diff --git a/sys/dev/usb/usbdevs_data.h b/sys/dev/usb/usbdevs_data.h index 77a1ca1f7..4c487fee2 100644 --- a/sys/dev/usb/usbdevs_data.h +++ b/sys/dev/usb/usbdevs_data.h 
@@ -1,10 +1,10 @@ -/* $OpenBSD: usbdevs_data.h,v 1.771 2024/05/23 08:06:45 kevlo Exp $ */ +/* $OpenBSD: usbdevs_data.h,v 1.772 2024/05/29 06:49:38 jsg Exp $ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. * * generated from: - * OpenBSD: usbdevs,v 1.765 2024/05/23 08:06:22 kevlo Exp + * OpenBSD: usbdevs,v 1.766 2024/05/29 06:48:43 jsg Exp */ /* $NetBSD: usbdevs,v 1.322 2003/05/10 17:47:14 hamajima Exp $ */ @@ -1001,6 +1001,10 @@ const struct usb_known_product usb_known_products[] = { USB_VENDOR_APPLE, USB_PRODUCT_APPLE_BLUETOOTH2, "Bluetooth", }, + { + USB_VENDOR_APPLE, USB_PRODUCT_APPLE_BLUETOOTH3, + "Bluetooth", + }, { USB_VENDOR_APPLE, USB_PRODUCT_APPLE_BLUETOOTH, "Bluetooth", diff --git a/sys/dev/wscons/wsmux.c b/sys/dev/wscons/wsmux.c index 5ae2755eb..f48345329 100644 --- a/sys/dev/wscons/wsmux.c +++ b/sys/dev/wscons/wsmux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wsmux.c,v 1.57 2024/03/25 13:01:49 mvs Exp $ */ +/* $OpenBSD: wsmux.c,v 1.58 2024/05/29 06:39:13 jsg Exp $ */ /* $NetBSD: wsmux.c,v 1.37 2005/04/30 03:47:12 augustss Exp $ */ /* @@ -216,7 +216,7 @@ wsmuxopen(dev_t dev, int flags, int mode, struct proc *p) error = wsmux_do_open(sc, evar); if (error) - wsevent_fini(evar); + wsevent_fini(evar); return (error); } diff --git a/sys/net/pipex_local.h b/sys/net/pipex_local.h index c77884661..679ddb98e 100644 --- a/sys/net/pipex_local.h +++ b/sys/net/pipex_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pipex_local.h,v 1.51 2024/01/23 17:57:21 mvs Exp $ */ +/* $OpenBSD: pipex_local.h,v 1.52 2024/05/29 00:48:15 jsg Exp $ */ /* * Copyright (c) 2009 Internet Initiative Japan Inc. 
@@ -468,7 +468,6 @@ struct mbuf *ip_is_idle_packet (struct mbuf *, int *); void pipex_session_log (struct pipex_session *, int, const char *, ...) __attribute__((__format__(__printf__,3,4))); uint32_t pipex_sockaddr_hash_key(struct sockaddr *); int pipex_sockaddr_compar_addr(struct sockaddr *, struct sockaddr *); -int pipex_ppp_enqueue (struct mbuf *, struct pipex_session *, struct mbuf_queue *); void pipex_timer_start (void); void pipex_timer_stop (void); void pipex_timer (void *); diff --git a/sys/net80211/ieee80211_proto.h b/sys/net80211/ieee80211_proto.h index 83fa8a333..06978b0ba 100644 --- a/sys/net80211/ieee80211_proto.h +++ b/sys/net80211/ieee80211_proto.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ieee80211_proto.h,v 1.48 2022/03/14 15:07:24 stsp Exp $ */ +/* $OpenBSD: ieee80211_proto.h,v 1.49 2024/05/29 00:48:15 jsg Exp $ */ /* $NetBSD: ieee80211_proto.h,v 1.3 2003/10/13 04:23:56 dyoung Exp $ */ /*- @@ -119,8 +119,6 @@ extern u_int8_t *ieee80211_add_capinfo(u_int8_t *, struct ieee80211com *, extern u_int8_t *ieee80211_add_ssid(u_int8_t *, const u_int8_t *, u_int); extern u_int8_t *ieee80211_add_rates(u_int8_t *, const struct ieee80211_rateset *); -extern u_int8_t *ieee80211_add_fh_params(u_int8_t *, struct ieee80211com *, - const struct ieee80211_node *); extern u_int8_t *ieee80211_add_ds_params(u_int8_t *, struct ieee80211com *, const struct ieee80211_node *); extern u_int8_t *ieee80211_add_tim(u_int8_t *, struct ieee80211com *); diff --git a/usr.sbin/bgpd/rde.h b/usr.sbin/bgpd/rde.h index d0bfb5d2d..5be48fd4c 100644 --- a/usr.sbin/bgpd/rde.h +++ b/usr.sbin/bgpd/rde.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.h,v 1.302 2024/05/22 08:41:14 claudio Exp $ */ +/* $OpenBSD: rde.h,v 1.303 2024/05/29 10:36:32 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Claudio Jeker and 
@@ -680,7 +680,6 @@ void nexthop_update(struct kroute_nexthop *); struct nexthop *nexthop_get(struct bgpd_addr *); struct nexthop *nexthop_ref(struct nexthop *); int nexthop_unref(struct nexthop *); -int nexthop_compare(struct nexthop *, struct nexthop *); /* rde_update.c */ void up_generate_updates(struct rde_peer *, struct rib_entry *); diff --git a/usr.sbin/bgpd/rde_rib.c b/usr.sbin/bgpd/rde_rib.c index 04f7e63d0..3caaa3e9e 100644 --- a/usr.sbin/bgpd/rde_rib.c +++ b/usr.sbin/bgpd/rde_rib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_rib.c,v 1.261 2023/10/16 10:25:46 claudio Exp $ */ +/* $OpenBSD: rde_rib.c,v 1.262 2024/05/29 10:34:56 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Claudio Jeker @@ -1644,7 +1644,10 @@ TAILQ_HEAD(nexthop_queue, nexthop) nexthop_runners = RB_HEAD(nexthop_tree, nexthop) nexthoptable = RB_INITIALIZER(&nexthoptree); -RB_GENERATE_STATIC(nexthop_tree, nexthop, entry, nexthop_compare); + +static inline int nexthop_cmp(struct nexthop *, struct nexthop *); + +RB_GENERATE_STATIC(nexthop_tree, nexthop, entry, nexthop_cmp); void nexthop_shutdown(void) @@ -1834,7 +1837,7 @@ nexthop_get(struct bgpd_addr *nexthop) if (nh == NULL) { nh = calloc(1, sizeof(*nh)); if (nh == NULL) - fatal("nexthop_alloc"); + fatal("nexthop_get"); rdemem.nexthop_cnt++; LIST_INIT(&nh->prefix_h); @@ -1882,8 +1885,8 @@ nexthop_unref(struct nexthop *nh) return (1); } -int -nexthop_compare(struct nexthop *na, struct nexthop *nb) +static inline int +nexthop_cmp(struct nexthop *na, struct nexthop *nb) { struct bgpd_addr *a, *b; diff --git a/usr.sbin/bgpd/rde_update.c b/usr.sbin/bgpd/rde_update.c index 2c2cf4c4a..2c81bbe21 100644 --- a/usr.sbin/bgpd/rde_update.c +++ b/usr.sbin/bgpd/rde_update.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_update.c,v 1.166 2024/01/23 16:13:35 claudio Exp $ */ +/* $OpenBSD: rde_update.c,v 1.167 2024/05/29 10:41:12 claudio Exp $ */ /* * Copyright (c) 2004 Claudio Jeker 
@@ -454,16 +454,18 @@ up_generate_default(struct rde_peer *peer, uint8_t aid) static struct bgpd_addr * up_get_nexthop(struct rde_peer *peer, struct filterstate *state, uint8_t aid) { - struct bgpd_addr *peer_local; + struct bgpd_addr *peer_local = NULL; switch (aid) { case AID_INET: case AID_VPN_IPv4: - peer_local = &peer->local_v4_addr; + if (peer->local_v4_addr.aid == AID_INET) + peer_local = &peer->local_v4_addr; break; case AID_INET6: case AID_VPN_IPv6: - peer_local = &peer->local_v6_addr; + if (peer->local_v4_addr.aid == AID_INET6) + peer_local = &peer->local_v6_addr; break; case AID_FLOWSPECv4: case AID_FLOWSPECv6: @@ -613,6 +615,8 @@ up_generate_attr(struct ibuf *buf, struct rde_peer *peer, case ATTR_NEXTHOP: switch (aid) { case AID_INET: + if (nh == NULL) + return -1; if (attr_writebuf(buf, ATTR_WELL_KNOWN, ATTR_NEXTHOP, &nh->exit_nexthop.v4, sizeof(nh->exit_nexthop.v4)) == -1) @@ -889,6 +893,8 @@ up_generate_mp_reach(struct ibuf *buf, struct rde_peer *peer, switch (aid) { case AID_INET6: + if (nh == NULL) + return -1; /* NH LEN */ if (ibuf_add_n8(buf, sizeof(struct in6_addr)) == -1) return -1; @@ -898,6 +904,8 @@ up_generate_mp_reach(struct ibuf *buf, struct rde_peer *peer, return -1; break; case AID_VPN_IPv4: + if (nh == NULL) + return -1; /* NH LEN */ if (ibuf_add_n8(buf, sizeof(uint64_t) + sizeof(struct in_addr)) == -1) @@ -911,6 +919,8 @@ up_generate_mp_reach(struct ibuf *buf, struct rde_peer *peer, return -1; break; case AID_VPN_IPv6: + if (nh == NULL) + return -1; /* NH LEN */ if (ibuf_add_n8(buf, sizeof(uint64_t) + sizeof(struct in6_addr)) == -1) 
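Review bot: In up_get_nexthop's AID_INET6/AID_VPN_IPv6 arm the new guard tests `peer->local_v4_addr.aid == AID_INET6`, which looks like a copy-paste of the IPv4 arm: the v4 slot would never carry AID_INET6, so peer_local stays NULL for IPv6 peers and, through the `nh == NULL` returns added further down in up_generate_attr and up_generate_mp_reach, their updates would be dropped instead of sent. The check should read `if (peer->local_v6_addr.aid == AID_INET6)`. The remaining switch arms and the rest of the function lie outside the hunk.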
@@ -1091,10 +1101,10 @@ up_dump_update(struct ibuf *buf, struct rde_peer *peer, uint8_t aid) fail: /* Not enough space. Drop prefix, it will never fit. */ pt_getaddr(p->pt, &addr); - log_peer_warnx(&peer->conf, "path attributes to large, " + log_peer_warnx(&peer->conf, "dump of path attributes failed, " "prefix %s/%d dropped", log_addr(&addr), p->pt->prefixlen); - up_prefix_free(&peer->updates[AID_INET], p, peer, 0); + up_prefix_free(&peer->updates[aid], p, peer, 0); /* XXX should probably send a withdraw for this prefix */ return -1; } diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index 2658e44f4..ad60a17fe 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.478 2024/05/22 08:41:14 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.479 2024/05/29 10:38:24 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -2559,6 +2559,7 @@ parse_capabilities(struct peer *peer, struct ibuf *buf, uint32_t *as) "Received multi protocol capability: " " unknown AFI %u, safi %u pair", afi, safi); + peer->capa.peer.mp[AID_UNSPEC] = 1; break; } peer->capa.peer.mp[aid] = 1; @@ -2715,12 +2716,14 @@ capa_neg_calc(struct peer *p) (p->capa.ann.as4byte && p->capa.peer.as4byte) != 0; /* MP: both side must agree on the AFI,SAFI pair */ + if (p->capa.peer.mp[AID_UNSPEC]) + hasmp = 1; for (i = AID_MIN; i < AID_MAX; i++) { if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) p->capa.neg.mp[i] = 1; else p->capa.neg.mp[i] = 0; - if (p->capa.ann.mp[i]) + if (p->capa.ann.mp[i] || p->capa.peer.mp[i]) hasmp = 1; } /* if no MP capability present default to IPv4 unicast mode */ diff --git a/usr.sbin/bgpd/util.c b/usr.sbin/bgpd/util.c index 44513b929..c81d14316 100644 --- a/usr.sbin/bgpd/util.c +++ b/usr.sbin/bgpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.85 2024/03/22 15:41:34 claudio Exp $ */ +/* $OpenBSD: util.c,v 1.86 2024/05/29 10:34:07 claudio Exp $ */ /* * Copyright (c) 2006 Claudio Jeker 
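Review bot: The meaning of `peer->capa.peer.mp[AID_UNSPEC]`, set in parse_capabilities when the AFI/SAFI pair is unknown, is only recoverable by reading capa_neg_calc; add a comment at the assignment such as `/* Unknown AFI/SAFI: remember the peer announced MP anyway. */` and, in capa_neg_calc, say why the explicit AID_UNSPEC test precedes the loop (the loop starts at AID_MIN and so never visits that index, assuming AID_UNSPEC lies below AID_MIN as its use here suggests). Whether the AID_UNSPEC slot is cleared before capabilities are parsed again for a new OPEN is not visible in the hunk and is worth confirming, since a stale flag would keep hasmp set for a peer that no longer announces MP.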
@@ -98,13 +98,15 @@ log_in6addr(const struct in6_addr *addr) const char * log_sockaddr(struct sockaddr *sa, socklen_t len) { - static char buf[NI_MAXHOST]; + static char buf[4][NI_MAXHOST]; + static int bufidx; - if (sa == NULL || getnameinfo(sa, len, buf, sizeof(buf), NULL, 0, - NI_NUMERICHOST)) + bufidx = (bufidx + 1) % 4; + if (sa == NULL || getnameinfo(sa, len, buf[bufidx], sizeof(buf[0]), + NULL, 0, NI_NUMERICHOST)) return ("(unknown)"); else - return (buf); + return (buf[bufidx]); } const char * diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c index 1f6507376..45eaa623c 100644 --- a/usr.sbin/rpki-client/crl.c +++ b/usr.sbin/rpki-client/crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crl.c,v 1.34 2024/04/21 19:27:44 claudio Exp $ */ +/* $OpenBSD: crl.c,v 1.35 2024/05/29 13:26:24 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * 
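Review bot: The rotation depth in log_sockaddr is written as a literal `4` both in the declaration of buf and in the modulo, so the two can drift apart; derive one from the other, e.g. `bufidx = (bufidx + 1) % (sizeof(buf) / sizeof(buf[0]));`. A short comment above the function should also state the new contract, e.g. `/* Returns one of four rotating static buffers, so at most four results may be alive at once; not thread-safe. */`, since a caller holding more results than that silently gets an overwritten string, which is presumably the problem the single buffer caused.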
@@ -24,6 +24,142 @@ #include "extern.h" +/* + * Check that the CRL number extension is present and that it is non-critical. + * Otherwise ignore it per draft-spaghetti-sidrops-rpki-crl-numbers. + */ +static int +crl_has_crl_number(const char *fn, const X509_CRL *x509_crl) +{ + const X509_EXTENSION *ext; + int idx; + + if ((idx = X509_CRL_get_ext_by_NID(x509_crl, NID_crl_number, -1)) < 0) { + warnx("%s: RFC 6487, section 5: missing CRL number", fn); + return 0; + } + if ((ext = X509_CRL_get_ext(x509_crl, idx)) == NULL) { + warnx("%s: RFC 6487, section 5: failed to get CRL number", fn); + return 0; + } + if (X509_EXTENSION_get_critical(ext) != 0) { + warnx("%s: RFC 6487, section 5: CRL number not non-critical", + fn); + return 0; + } + + return 1; +} + +/* + * Parse X509v3 authority key identifier (AKI) from the CRL. + * Returns the AKI or NULL if it could not be parsed. + * The AKI is formatted as a hex string. + */ +static char * +crl_get_aki(const char *fn, X509_CRL *x509_crl) +{ + AUTHORITY_KEYID *akid = NULL; + ASN1_OCTET_STRING *os; + const unsigned char *d; + int dsz, crit; + char *res = NULL; + + if ((akid = X509_CRL_get_ext_d2i(x509_crl, NID_authority_key_identifier, + &crit, NULL)) == NULL) { + if (crit != -1) + warnx("%s: RFC 6487 section 4.8.3: AKI: " + "failed to parse CRL extension", fn); + else + warnx("%s: RFC 6487 section 4.8.3: AKI: " + "CRL extension missing", fn); + goto out; + } + if (crit != 0) { + warnx("%s: RFC 6487 section 4.8.3: " + "AKI: extension not non-critical", fn); + goto out; + } + if (akid->issuer != NULL || akid->serial != NULL) { + warnx("%s: RFC 6487 section 4.8.3: AKI: " + "authorityCertIssuer or authorityCertSerialNumber present", + fn); + goto out; + } + + os = akid->keyid; + if (os == NULL) { + warnx("%s: RFC 6487 section 4.8.3: AKI: " + "Key Identifier missing", fn); + goto out; + } + + d = os->data; + dsz = os->length; + + if (dsz != SHA_DIGEST_LENGTH) { + warnx("%s: RFC 6487 section 4.8.3: AKI: " + "want %d bytes SHA1 
hash, have %d bytes", + fn, SHA_DIGEST_LENGTH, dsz); + goto out; + } + + res = hex_encode(d, dsz); + out: + AUTHORITY_KEYID_free(akid); + return res; +} + +/* + * Check that the list of revoked certificates contains only the specified + * two fields, Serial Number and Revocation Date, and that no extensions are + * present. + */ +static int +crl_check_revoked(const char *fn, X509_CRL *x509_crl) +{ + STACK_OF(X509_REVOKED) *list; + X509_REVOKED *revoked; + int count, i; + + /* If there are no revoked certificates, there's nothing to check. */ + if ((list = X509_CRL_get_REVOKED(x509_crl)) == NULL) + return 1; + + if ((count = sk_X509_REVOKED_num(list)) <= 0) { + /* + * XXX - as of May 2024, ~15% of RPKI CRLs fail this check due + * to a bug in rpki-rs/Krill. So silently accept this for now. + * https://github.com/NLnetLabs/krill/issues/1197 + */ + if (verbose > 0) + warnx("%s: RFC 5280, section 5.1.2.6: revoked " + "certificate list without entries disallowed", fn); + return 1; + } + + for (i = 0; i < count; i++) { + revoked = sk_X509_REVOKED_value(list, i); + + /* + * serialNumber and revocationDate are mandatory in the ASN.1 + * template, so no need to check their presence. + * + * XXX - due to an old bug in Krill, we can't enforce that + * revocationDate is in the past until at least mid-2025: + * https://github.com/NLnetLabs/krill/issues/788. + */ + + if (X509_REVOKED_get0_extensions(revoked) != NULL) { + warnx("%s: RFC 6487, section 5: CRL entry extensions " + "disallowed", fn); + return 0; + } + } + + return 1; +} + struct crl * crl_parse(const char *fn, const unsigned char *der, size_t len) { 
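Review bot: The comment above crl_get_aki dropped the cross-reference that the removed x509_crl_get_aki carried, namely that the hex string is matched against the SKI produced by x509_get_ski(); keep it, e.g. `* The result is compared against the SKI from x509_get_ski() in x509.c.`, since the two encodings must stay in sync now that they live in different files. In the `akid == NULL` branch, `crit != -1` also covers the duplicate-extension case under the X509V3_get_d2i convention, so "failed to parse CRL extension" is slightly misleading there; `"AKI: extension duplicated or unparsable"` would be more accurate. crl_parse begins on the hunk's last lines and its body continues outside it.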
@@ -76,19 +212,15 @@ crl_parse(const char *fn, const unsigned char *der, size_t len) * RFC 6487, section 5: AKI and crlNumber MUST be present, no other * CRL extensions are allowed. */ - if ((crl->aki = x509_crl_get_aki(crl->x509_crl, fn)) == NULL) { - warnx("%s: x509_crl_get_aki failed", fn); - goto out; - } - if ((crl->number = x509_crl_get_number(crl->x509_crl, fn)) == NULL) { - warnx("%s: x509_crl_get_number failed", fn); - goto out; - } if ((count = X509_CRL_get_ext_count(crl->x509_crl)) != 2) { warnx("%s: RFC 6487 section 5: unexpected number of extensions " "%d != 2", fn, count); goto out; } + if (!crl_has_crl_number(fn, crl->x509_crl)) + goto out; + if ((crl->aki = crl_get_aki(fn, crl->x509_crl)) == NULL) + goto out; at = X509_CRL_get0_lastUpdate(crl->x509_crl); if (at == NULL) { @@ -110,6 +242,9 @@ crl_parse(const char *fn, const unsigned char *der, size_t len) goto out; } + if (!crl_check_revoked(fn, crl->x509_crl)) + goto out; + rc = 1; out: if (rc == 0) { @@ -178,7 +313,6 @@ crl_free(struct crl *crl) return; free(crl->aki); free(crl->mftpath); - free(crl->number); X509_CRL_free(crl->x509_crl); free(crl); } diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 6bdaab976..6a871baad 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.218 2024/05/20 15:51:43 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.219 2024/05/29 13:26:24 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -480,7 +480,6 @@ struct crl { RB_ENTRY(crl) entry; char *aki; char *mftpath; - char *number; X509_CRL *x509_crl; time_t thisupdate; /* do not use before */ time_t nextupdate; /* do not use after */ 
@@ -909,8 +908,6 @@ int x509_get_ski(X509 *, const char *, char **); int x509_get_notbefore(X509 *, const char *, time_t *); int x509_get_notafter(X509 *, const char *, time_t *); int x509_get_crl(X509 *, const char *, char **); -char *x509_crl_get_aki(X509_CRL *, const char *); -char *x509_crl_get_number(X509_CRL *, const char *); char *x509_get_pubkey(X509 *, const char *); char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); enum cert_purpose x509_get_purpose(X509 *, const char *); diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index 9ef44b736..a88fbfba7 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.52 2024/02/26 10:02:37 job Exp $ */ +/* $OpenBSD: print.c,v 1.53 2024/05/29 13:26:24 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -324,6 +324,48 @@ cert_print(const struct cert *p) json_do_end(); } +/* + * XXX - dedup with x509_convert_seqnum()? + */ +static char * +crl_parse_number(const X509_CRL *x509_crl) +{ + ASN1_INTEGER *aint = NULL; + int crit; + BIGNUM *seqnum = NULL; + char *s = NULL; + + aint = X509_CRL_get_ext_d2i(x509_crl, NID_crl_number, &crit, NULL); + if (aint == NULL) { + if (crit != -1) + warnx("failed to parse CRL Number"); + else + warnx("CRL Number missing"); + goto out; + } + + if (ASN1_STRING_length(aint) > 20) + warnx("CRL Number should fit in 20 octets"); + + seqnum = ASN1_INTEGER_to_BN(aint, NULL); + if (seqnum == NULL) { + warnx("CRL Number: ASN1_INTEGER_to_BN error"); + goto out; + } + + if (BN_is_negative(seqnum)) + warnx("CRL Number should be positive"); + + s = BN_bn2hex(seqnum); + if (s == NULL) + warnx("CRL Number: BN_bn2hex error"); + + out: + ASN1_INTEGER_free(aint); + BN_free(seqnum); + return s; +} + void crl_print(const struct crl *p) { 
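Review bot: The `XXX - dedup with x509_convert_seqnum()?` comment above crl_parse_number does not say why the two are not already shared: the x509.c hunk in this same commit documents x509_convert_seqnum() as rejecting negative values and anything over 20 octets, whereas this printer deliberately only warns and still emits the value. Recording that, e.g. `* XXX - x509_convert_seqnum() rejects oversized or negative numbers; this variant warns but still prints them for diagnosis.`, tells the next reader what a dedup would have to preserve. The warnings here also lack the `%s:` file prefix the crl.c messages use, presumably because crl_print has no file name available; a word on that in the same comment would avoid a later "fix".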
@@ -342,13 +384,20 @@ crl_print(const struct crl *p) xissuer = X509_CRL_get_issuer(p->x509_crl); issuer = X509_NAME_oneline(xissuer, NULL, 0); - if (issuer != NULL && p->number != NULL) { - if (outformats & FORMAT_JSON) { - json_do_string("crl_issuer", issuer); - json_do_string("crl_serial", p->number); - } else { - printf("CRL issuer: %s\n", issuer); - printf("CRL serial number: %s\n", p->number); + if (issuer != NULL) { + char *number; + + if ((number = crl_parse_number(p->x509_crl)) != NULL) { + if (outformats & FORMAT_JSON) { + json_do_string("crl_issuer", issuer); + json_do_string("crl_serial", number); + } else { + printf("CRL issuer: %s\n", + issuer); + printf("CRL serial number: %s\n", + number); + } + free(number); } } free(issuer); diff --git a/usr.sbin/rpki-client/rpki-client.8 b/usr.sbin/rpki-client/rpki-client.8 index 062f0fe44..55d1dcb41 100644 --- a/usr.sbin/rpki-client/rpki-client.8 +++ b/usr.sbin/rpki-client/rpki-client.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpki-client.8,v 1.104 2024/05/24 12:57:20 tb Exp $ +.\" $OpenBSD: rpki-client.8,v 1.105 2024/05/29 13:27:52 tb Exp $ .\" .\" Copyright (c) 2019 Kristaps Dzonsons .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 24 2024 $ +.Dd $Mdocdate: May 29 2024 $ .Dt RPKI-CLIENT 8 .Os .Sh NAME @@ -362,11 +362,6 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI) -.%R RFC 6485 -.Re -.Pp -.Rs .%T A Profile for X.509 PKIX Resource Certificates .%R RFC 6487 .Re 
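Review bot: crl_print still ties the issuer output to the CRL number: if crl_parse_number() returns NULL the issuer line (and the `crl_issuer` JSON key) disappears too, although issuer was obtained successfully a few lines earlier. Emitting the issuer unconditionally and only the serial when `number != NULL` would keep the output shape stable and make the preceding warning easier to attribute to a file. This mirrors the pre-change `issuer != NULL && p->number != NULL` condition, so it is a pre-existing quirk rather than a regression.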
@@ -377,17 +372,17 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T The Resource Public Key Infrastructure (RPKI) Ghostbusters Record +.%T The RPKI Ghostbusters Record .%R RFC 6493 .Re .Pp .Rs -.%T Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates +.%T Policy Qualifiers in RPKI Certificates .%R RFC 7318 .Re .Pp .Rs -.%T The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure +.%T The Profile for Algorithms and Key Sizes for Use in the RPKI .%R RFC 7935 .Re .Pp @@ -402,7 +397,7 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T Resource Public Key Infrastructure (RPKI) Trust Anchor Locator +.%T RPKI Trust Anchor Locator .%R RFC 8630 .Re .Pp @@ -412,7 +407,7 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T Manifests for the Resource Public Key Infrastructure (RPKI) +.%T Manifests for the RPKI .%R RFC 9286 .Re .Pp @@ -422,7 +417,7 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T On the use of the Cryptographic Message Syntax (CMS) Signing-Time Attribute in Resource Public Key Infrastructure (RPKI) Signed Objects +.%T On the use of the CMS Signing-Time Attribute in RPKI Signed Objects .%R RFC 9589 .Re .Pp @@ -456,10 +451,16 @@ agreement regarding ARIN service restrictions. .Re .Pp .Rs -.%T A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI) +.%T A profile for Signed Prefix Lists for Use in the RPKI .%U https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist-02 .%D Jan, 2024 .Re +.Pp +.Rs +.%T Relying Party Handling of RPKI CRL Number Extensions +.%U https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers +.%D May, 2024 +.Re .Sh HISTORY .Nm first appeared in diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 8ce43b3df..d3d3a6c6a 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.87 2024/04/21 09:03:22 job Exp $ */ +/* $OpenBSD: x509.c,v 1.88 2024/05/29 13:26:24 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker 
@@ -786,92 +786,6 @@ x509_get_crl(X509 *x, const char *fn, char **crl) return rsync_found; } -/* - * Parse X509v3 authority key identifier (AKI) from the CRL. - * This is matched against the string from x509_get_ski() above. - * Returns the AKI or NULL if it could not be parsed. - * The AKI is formatted as a hex string. - */ -char * -x509_crl_get_aki(X509_CRL *crl, const char *fn) -{ - const unsigned char *d; - AUTHORITY_KEYID *akid; - ASN1_OCTET_STRING *os; - int dsz, crit; - char *res = NULL; - - akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &crit, - NULL); - if (akid == NULL) { - warnx("%s: RFC 6487 section 4.8.3: AKI: extension missing", fn); - return NULL; - } - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.3: " - "AKI: extension not non-critical", fn); - goto out; - } - if (akid->issuer != NULL || akid->serial != NULL) { - warnx("%s: RFC 6487 section 4.8.3: AKI: " - "authorityCertIssuer or authorityCertSerialNumber present", - fn); - goto out; - } - - os = akid->keyid; - if (os == NULL) { - warnx("%s: RFC 6487 section 4.8.3: AKI: " - "Key Identifier missing", fn); - goto out; - } - - d = os->data; - dsz = os->length; - - if (dsz != SHA_DIGEST_LENGTH) { - warnx("%s: RFC 6487 section 4.8.2: AKI: " - "want %d bytes SHA1 hash, have %d bytes", - fn, SHA_DIGEST_LENGTH, dsz); - goto out; - } - - res = hex_encode(d, dsz); -out: - AUTHORITY_KEYID_free(akid); - return res; -} - -/* - * Retrieve CRL Number extension. Returns a printable hexadecimal representation - * of the number which has to be freed after use. 
- */ -char * -x509_crl_get_number(X509_CRL *crl, const char *fn) -{ - ASN1_INTEGER *aint; - int crit; - char *res = NULL; - - aint = X509_CRL_get_ext_d2i(crl, NID_crl_number, &crit, NULL); - if (aint == NULL) { - warnx("%s: RFC 6487 section 5: CRL Number missing", fn); - return NULL; - } - if (crit != 0) { - warnx("%s: RFC 5280, section 5.2.3: " - "CRL Number not non-critical", fn); - goto out; - } - - /* This checks that the number is non-negative and <= 20 bytes. */ - res = x509_convert_seqnum(fn, aint); - - out: - ASN1_INTEGER_free(aint); - return res; -} - /* * Convert passed ASN1_TIME to time_t *t. * Returns 1 on success and 0 on failure. @@ -1008,7 +922,8 @@ x509_valid_subject(const char *fn, const X509 *x) } /* - * Convert an ASN1_INTEGER into a hexstring. + * Convert an ASN1_INTEGER into a hexstring, enforcing that it is non-negative + * and representable by at most 20 octets (RFC 5280, section 4.1.2.2). * Returned string needs to be freed by the caller. */ char *