sync code with last improvements from OpenBSD

purplerain 2023-10-13 19:11:38 +00:00
parent 2ec21d9c19
commit 5903cbe575
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
36 changed files with 1828 additions and 4203 deletions


@ -1,4 +1,4 @@
.\" $OpenBSD: X509_ALGOR_dup.3,v 1.20 2023/10/11 06:08:57 tb Exp $
.\" $OpenBSD: X509_ALGOR_dup.3,v 1.22 2023/10/13 05:49:34 tb Exp $
.\" OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
.\"
.\" This file is a derived work.
@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 11 2023 $
.Dd $Mdocdate: October 13 2023 $
.Dt X509_ALGOR_DUP 3
.Os
.Sh NAME
@ -157,9 +157,15 @@ is
no action occurs.
.Pp
.Fn X509_ALGOR_dup
copies
.Fa alg
by calling
creates a deep copy of
.Fa alg .
It is implemented by calling
.Xr ASN1_item_dup 3
with arguments of
.Dv X509_ALGOR_it
and
.Fa alg ,
which is equivalent to calling
.Xr i2d_X509_ALGOR 3
and
.Xr d2i_X509_ALGOR 3 .


@ -1,4 +1,4 @@
# $OpenBSD: Makefile.inc,v 1.5 2023/10/10 18:17:25 anton Exp $
# $OpenBSD: Makefile.inc,v 1.6 2023/10/13 19:28:59 anton Exp $
PERL_REQUIRE != perl -e 'eval { require File::Slurp } or print $$@'
@ -27,7 +27,7 @@ mount: disk
REGRESS_CLEANUP+= umount
umount:
umount ${FILEOPS_MNT}
umount -f ${FILEOPS_MNT} || true
REGRESS_CLEANUP+= unconfig
unconfig:
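Review bot: `umount -f ${FILEOPS_MNT} || true` in the `umount` cleanup target discards every umount failure, not only the harmless "nothing was mounted" case, so a run that leaves the test filesystem mounted still reports a clean teardown. The same `|| true` is added to the `umount` target of the mfs regress Makefile later in this commit, where the leftover mount would be one created with `-o noperm`. Keeping cleanup best-effort while still surfacing the failure would be enough, e.g. `umount -f ${FILEOPS_MNT} || echo "warning: umount ${FILEOPS_MNT} failed"`. The `unconfig` target that follows continues outside this hunk.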


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.1 2018/12/23 11:23:21 natano Exp $
# $OpenBSD: Makefile,v 1.2 2023/10/13 19:30:18 anton Exp $
PROG= nopermtest
CDIAGFLAGS= -Wall
@ -15,20 +15,24 @@ REGRESS_SETUP_ONCE= mount
REGRESS_CLEANUP= umount
REGRESS_TARGETS= run-regress-locked run-regress-unlocked
MNT= /mnt/regress-mfs_noperm
mount:
mount_mfs -s1M -o noperm swap /mnt
mkdir -p ${MNT}
mount_mfs -s1M -o noperm swap ${MNT}
umount:
umount -f /mnt
umount -f ${MNT} || true
rmdir ${MNT} || true
run-regress-locked: ${PROG}
chown root:wheel /mnt
chmod 700 /mnt
su build -c './${PROG} /mnt locked'
chown root:wheel ${MNT}
chmod 700 ${MNT}
su build -c './${PROG} ${MNT} locked'
run-regress-unlocked: ${PROG}
chown build /mnt
chmod 700 /mnt
su build -c './${PROG} /mnt unlocked'
chown build ${MNT}
chmod 700 ${MNT}
su build -c './${PROG} ${MNT} unlocked'
.include <bsd.regress.mk>


@ -1,4 +1,5 @@
AS 1
router-id 192.0.2.11
listen on 192.0.2.11
neighbor 192.0.2.2 {


@ -1,4 +1,5 @@
AS 2
router-id 192.0.2.21
listen on 192.0.2.21
socket "/var/run/bgpd.sock.12_2"


@ -1,4 +1,5 @@
AS 3
router-id 192.0.2.31
listen on 192.0.2.31
socket "/var/run/bgpd.sock.12_3"


@ -1,4 +1,5 @@
AS 4
router-id 192.0.2.41
listen on 192.0.2.41
socket "/var/run/bgpd.sock.12_4"


@ -1,47 +1,47 @@
BGP routing table entry for 2.0.3.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs valid, avs unknown, external, valid, best
Ext. Communities: ovs valid
BGP routing table entry for 2.0.4.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs invalid, avs unknown, external, valid, best
Communities: 65520:0 65520:14 65524:2
Ext. Communities: ovs invalid rt 65524:2
BGP routing table entry for 2.0.5.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Ext. Communities: ovs not-found
BGP routing table entry for 2.0.6.0/24
2 2 2 2 2 2 2 2 2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:1 65524:2
Ext. Communities: ovs not-found rt 65524:2
BGP routing table entry for 2.0.7.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:3 65524:2
Ext. Communities: ovs not-found rt 65524:2
BGP routing table entry for 2.0.9.0/24
2
Nexthop 192.0.2.77 (via 192.0.2.77) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.77 (via 192.0.2.77) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:5 65524:2
Ext. Communities: ovs not-found rt 65524:2
BGP routing table entry for 2.0.11.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65530:4 BLACKHOLE
Ext. Communities: ovs not-found
@ -49,7 +49,7 @@ BGP routing table entry for 2.0.11.0/24
BGP routing table entry for 2.0.12.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65530:4 65534:0
Ext. Communities: ovs not-found
@ -57,7 +57,7 @@ BGP routing table entry for 2.0.12.0/24
BGP routing table entry for 2.0.13.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65530:4
Ext. Communities: ovs not-found
@ -65,48 +65,48 @@ BGP routing table entry for 2.0.13.0/24
BGP routing table entry for 2.0.14.0/25
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:13 65524:2
Ext. Communities: ovs not-found rt 65524:2
BGP routing table entry for 2.0.15.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Ext. Communities: ovs not-found
BGP routing table entry for 3.0.3.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65507:999
Ext. Communities: ovs not-found
BGP routing table entry for 3.0.4.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Ext. Communities: ovs not-found
Large Communities: 999:65508:999
BGP routing table entry for 3.0.5.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Ext. Communities: ovs not-found
Large Communities: 999:0:999
BGP routing table entry for 3.0.6.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 0:1
Ext. Communities: ovs not-found
BGP routing table entry for 3.0.7.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 0:999
Ext. Communities: ovs not-found
@ -114,42 +114,42 @@ BGP routing table entry for 3.0.7.0/24
BGP routing table entry for 3.0.8.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65521:1
Ext. Communities: ovs not-found
BGP routing table entry for 3.0.9.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Ext. Communities: ovs not-found
Large Communities: 999:65522:1
BGP routing table entry for 3.0.10.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65523:1
Ext. Communities: ovs not-found
BGP routing table entry for 3.0.11.0/24
3
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.31)
Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65521:65521 65522:65522 65523:65523
Ext. Communities: ovs not-found
BGP routing table entry for 22.0.10.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:12 65524:2
Ext. Communities: ovs not-found rt 65524:2
BGP routing table entry for 192.168.8.0/24
2
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.21)
Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
Communities: 65520:0 65520:2 65524:2
Ext. Communities: ovs not-found rt 65524:2


@ -1,4 +1,4 @@
# $OpenBSD: Makefile.inc,v 1.34 2023/06/29 10:29:18 tb Exp $
# $OpenBSD: Makefile.inc,v 1.35 2023/10/13 12:12:05 tb Exp $
.PATH: ${.CURDIR}/../../../../usr.sbin/rpki-client
@ -25,7 +25,8 @@ DPADD+= ${LIBCRYPTO} ${LIBUTIL}
CLEANFILES+= *.out *.err *.txt
SRCS_test-ip += test-ip.c ip.c io.c encoding.c print.c x509.c \
validate.c as.c cert.c cms.c crl.c mft.c json.c
validate.c as.c cert.c cms.c crl.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-ip: test-ip
./test-ip
@ -34,55 +35,64 @@ TALARGS += ta/apnic-rpki-root-iana-origin.cer tal/apnic.tal
TALARGS += ta/ripe-ncc-ta.cer tal/ripe.tal
SRCS_test-cert+= test-cert.c cert.c cms.c crl.c x509.c ip.c as.c io.c \
tal.c validate.c encoding.c print.c mft.c json.c
tal.c validate.c encoding.c print.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-cert: test-cert
./test-cert -v ${.CURDIR}/../cer/*.cer
./test-cert -vt ${TALARGS:S,,${.CURDIR}/../&,}
SRCS_test-mft+= test-mft.c mft.c crl.c cms.c x509.c ip.c io.c validate.c \
encoding.c print.c json.c cert.c as.c
encoding.c print.c json.c cert.c as.c \
constraints-dummy.c rfc3779.c
run-regress-test-mft: test-mft
./test-mft -v ${.CURDIR}/../mft/*.mft
SRCS_test-roa+= test-roa.c roa.c cms.c x509.c ip.c as.c io.c json.c \
encoding.c print.c validate.c cert.c crl.c mft.c repo-dummy.c
encoding.c print.c validate.c cert.c crl.c mft.c repo-dummy.c \
constraints-dummy.c rfc3779.c
run-regress-test-roa: test-roa
./test-roa -v ${.CURDIR}/../roa/*.roa
SRCS_test-rsc+= test-rsc.c rsc.c cms.c x509.c ip.c as.c io.c \
encoding.c print.c validate.c cert.c crl.c mft.c json.c
encoding.c print.c validate.c cert.c crl.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-rsc: test-rsc
./test-rsc -v ${.CURDIR}/../rsc/*.sig
SRCS_test-gbr+= test-gbr.c gbr.c cms.c crl.c x509.c ip.c io.c \
encoding.c print.c validate.c as.c cert.c mft.c json.c
encoding.c print.c validate.c as.c cert.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-gbr: test-gbr
./test-gbr -v ${.CURDIR}/../gbr/*.gbr
SRCS_test-geofeed+= test-geofeed.c geofeed.c cms.c x509.c ip.c io.c \
encoding.c print.c validate.c as.c cert.c crl.c mft.c json.c
encoding.c print.c validate.c as.c cert.c crl.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-geofeed: test-geofeed
./test-geofeed -v ${.CURDIR}/../geofeed/*.csv
SRCS_test-tal+= test-tal.c tal.c ip.c io.c validate.c cms.c \
encoding.c print.c crl.c x509.c json.c cert.c as.c mft.c
encoding.c print.c crl.c x509.c json.c cert.c as.c mft.c \
constraints-dummy.c rfc3779.c
run-regress-test-tal: test-tal
./test-tal -v ${.CURDIR}/../tal/*.tal
SRCS_test-aspa+= test-aspa.c aspa.c cms.c x509.c ip.c as.c io.c \
encoding.c print.c validate.c cert.c crl.c mft.c repo-dummy.c \
json.c
json.c constraints-dummy.c rfc3779.c
run-regress-test-aspa: test-aspa
./test-aspa -v ${.CURDIR}/../aspa/*.asa
SRCS_test-tak+= test-tak.c tak.c cms.c x509.c ip.c as.c io.c \
encoding.c print.c validate.c cert.c crl.c mft.c json.c
encoding.c print.c validate.c cert.c crl.c mft.c json.c \
constraints-dummy.c rfc3779.c
run-regress-test-tak: test-tak
./test-tak -v ${.CURDIR}/../tak/*.tak
SRCS_test-rrdp+= test-rrdp.c rrdp_delta.c rrdp_notification.c cms.c \
rrdp_snapshot.c rrdp_util.c cert.c as.c mft.c io.c \
encoding.c ip.c validate.c crl.c x509.c
encoding.c ip.c validate.c crl.c x509.c \
constraints-dummy.c rfc3779.c
LDADD_test-rrdp+= -lexpat ${LDADD}
DPADD_test-rrdp+= ${LIBEXPAT} ${DPADD}
run-regress-test-rrdp: test-rrdp


@ -0,0 +1,12 @@
/*
* Public domain
* dummy shim for some tests.
*/
#include "extern.h"
int
constraints_validate(const char *fn, const struct cert *cert)
{
return 1;
}
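Review bot: The header comment `dummy shim for some tests.` does not say that `constraints_validate` ignores both arguments and unconditionally returns 1, which is presumably the "passes" result. The regress Makefile.inc in this commit adds this file to every `SRCS_test-*` list, so none of those test programs exercises the real `constraints.c` that the rpki-client Makefile now builds. I would spell that out in the comment, for example `/* Always returns 1: tests linked with this shim do not cover constraints checking. Regress only; never add to the rpki-client SRCS. */`.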


@ -1,4 +1,4 @@
.\" $OpenBSD: ruby-module.5,v 1.44 2023/09/28 03:34:32 jsg Exp $
.\" $OpenBSD: ruby-module.5,v 1.45 2023/10/13 23:16:58 jeremy Exp $
.\"
.\" Copyright (c) 2011-2015, 2023 Jeremy Evans <jeremy@openbsd.org>
.\" Copyright (c) 2008, 2011 Marc Espie <espie@openbsd.org>
@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 28 2023 $
.Dd $Mdocdate: October 13 2023 $
.Dt RUBY-MODULE 5
.Os
.Sh NAME
@ -66,7 +66,7 @@ those via
.Ev CONFIGURE_STYLE Ns = Ns Qq ruby gem
and
.Ev CONFIGURE_STYLE Ns = Ns Qq ruby gem ext
both add ruby30, ruby31, and ruby32
both add ruby31 and ruby32
.Ev FLAVOR Ns s
to the port.
They also cause the
@ -82,7 +82,7 @@ To specify a version for a gem port, use a specific
such as ruby31 to use Ruby 3.1.
To specify the Ruby version to use for a non Ruby-gem port, set
.Ev MODRUBY_REV
to 3.0, 3.1, or 3.2.
to 3.1 or 3.2.
.Pp
To ensure that dependencies use the same Ruby implementation as the
current port, all Ruby gem dependencies specified in the port


@ -1,4 +1,4 @@
# $OpenBSD: RAMDISK_CD,v 1.202 2023/07/20 02:26:24 yasuoka Exp $
# $OpenBSD: RAMDISK_CD,v 1.203 2023/10/13 13:52:08 stsp Exp $
machine amd64
maxusers 4
@ -267,6 +267,7 @@ iavf* at pci? # Intel Ethernet Adaptive VF
aq* at pci? # Aquantia aQtion Ethernet
igc* at pci? # Intel I225 Ethernet
ngbe* at pci? # WangXun WX1860 Ethernet
dwqe* at pci? # Intel Elkhart Lake Ethernet
acx* at pci? # TI ACX100/ACX111 (802.11b/g)
acx* at cardbus? # TI ACX100/ACX111 (802.11b/g)


@ -1,4 +1,4 @@
/* $OpenBSD: sxipio.c,v 1.16 2023/09/01 16:13:56 kettenis Exp $ */
/* $OpenBSD: sxipio.c,v 1.17 2023/10/13 15:41:25 kettenis Exp $ */
/*
* Copyright (c) 2010 Miodrag Vallat.
* Copyright (c) 2013 Artturi Alm
@ -182,6 +182,10 @@ const struct sxipio_pins sxipio_pins[] = {
"allwinner,sun9i-a80-r-pinctrl",
sun9i_a80_r_pins, nitems(sun9i_a80_r_pins)
},
{
"allwinner,sun20i-d1-pinctrl",
sun20i_d1_pins, nitems(sun20i_d1_pins)
},
{
"allwinner,sun50i-a64-pinctrl",
sun50i_a64_pins, nitems(sun50i_a64_pins)


@ -8325,6 +8325,883 @@ const struct sxipio_pin sun9i_a80_r_pins[] = {
} },
};
const struct sxipio_pin sun20i_d1_pins[] = {
{ SXIPIO_PIN(B, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "pwm3", 2 },
{ "ir", 3 },
{ "i2c2", 4 },
{ "spi1", 5 },
{ "uart0", 6 },
{ "uart2", 7 },
{ "spdif", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "pwm4", 2 },
{ "i2s2_dout", 3 },
{ "i2c2", 4 },
{ "i2s2_din", 5 },
{ "uart0", 6 },
{ "uart2", 7 },
{ "ir", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2_dout", 3 },
{ "i2c0", 4 },
{ "i2s2_din", 5 },
{ "lcd0", 6 },
{ "uart4", 7 },
{ "can0", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2_dout", 3 },
{ "i2c0", 4 },
{ "i2s2_din", 5 },
{ "lcd0", 6 },
{ "uart4", 7 },
{ "can0", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2_dout", 3 },
{ "i2c1", 4 },
{ "i2s2_din", 5 },
{ "lcd0", 6 },
{ "uart5", 7 },
{ "can1", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2", 3 },
{ "i2c1", 4 },
{ "pwm0", 5 },
{ "lcd0", 6 },
{ "uart5", 7 },
{ "can1", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2", 3 },
{ "i2c3", 4 },
{ "pwm1", 5 },
{ "lcd0", 6 },
{ "uart3", 7 },
{ "bist0", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 7), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2s2", 3 },
{ "i2c3", 4 },
{ "ir", 5 },
{ "lcd0", 6 },
{ "uart3", 7 },
{ "bist1", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 8), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "dmic", 2 },
{ "pwm5", 3 },
{ "i2c2", 4 },
{ "spi1", 5 },
{ "uart0", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 9), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "dmic", 2 },
{ "pwm6", 3 },
{ "i2c2", 4 },
{ "spi1", 5 },
{ "uart0", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 10), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "dmic", 2 },
{ "pwm7", 3 },
{ "i2c0", 4 },
{ "spi1", 5 },
{ "clk", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 11), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "dmic", 2 },
{ "pwm2", 3 },
{ "i2c0", 4 },
{ "spi1", 5 },
{ "clk", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(B, 12), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "dmic", 2 },
{ "pwm0", 3 },
{ "spdif", 4 },
{ "spi1", 5 },
{ "clk", 6 },
{ "ir", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart2", 2 },
{ "i2c2", 3 },
{ "ledc", 4 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart2", 2 },
{ "i2c2", 3 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "boot", 4 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "boot", 4 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "uart3", 4 },
{ "i2c3", 5 },
{ "pll", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(C, 7), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spi0", 2 },
{ "mmc2", 3 },
{ "uart3", 4 },
{ "i2c3", 5 },
{ "tcon", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "i2c0", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart5", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart5", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 7), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 8), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "uart4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 9), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds0", 3 },
{ "dsi", 4 },
{ "pwm6", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 10), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 11), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 12), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "i2c0", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 13), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 14), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 15), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "spi1", 4 },
{ "ir", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 16), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "dmic", 4 },
{ "pwm0", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 17), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "dmic", 4 },
{ "pwm1", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 18), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "dmic", 4 },
{ "pwm2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 19), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "lvds1", 3 },
{ "dmic", 4 },
{ "pwm3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 20), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2c2", 3 },
{ "dmic", 4 },
{ "pwm4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 21), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "lcd0", 2 },
{ "i2c2", 3 },
{ "uart1", 4 },
{ "pwm5", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(D, 22), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spdif", 2 },
{ "ir", 3 },
{ "uart1", 4 },
{ "pwm7", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart2", 3 },
{ "i2c1", 4 },
{ "lcd0", 5 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart2", 3 },
{ "i2c1", 4 },
{ "lcd0", 5 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart2", 3 },
{ "i2c0", 4 },
{ "clk", 5 },
{ "uart0", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart2", 3 },
{ "i2c0", 4 },
{ "clk", 5 },
{ "uart0", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart4", 3 },
{ "i2c2", 4 },
{ "clk", 5 },
{ "d_jtag", 6 },
{ "r_jtag", 7 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart4", 3 },
{ "i2c2", 4 },
{ "ledc", 5 },
{ "d_jtag", 6 },
{ "r_jtag", 7 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart5", 3 },
{ "i2c3", 4 },
{ "spdif", 5 },
{ "d_jtag", 6 },
{ "r_jtag", 7 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 7), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart5", 3 },
{ "i2c3", 4 },
{ "spdif", 5 },
{ "d_jtag", 6 },
{ "r_jtag", 7 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 8), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart1", 3 },
{ "pwm2", 4 },
{ "uart3", 5 },
{ "jtag", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 9), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart1", 3 },
{ "pwm3", 4 },
{ "uart3", 5 },
{ "jtag", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 10), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart1", 3 },
{ "pwm4", 4 },
{ "ir", 5 },
{ "jtag", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 11), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ncsi0", 2 },
{ "uart1", 3 },
{ "i2s0_dout", 4 },
{ "i2s0_din", 5 },
{ "jtag", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 12), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c2", 2 },
{ "ncsi0", 3 },
{ "i2s0_dout", 4 },
{ "i2s0_din", 5 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 13), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c2", 2 },
{ "pwm5", 3 },
{ "i2s0_dout", 4 },
{ "i2s0_din", 5 },
{ "dmic", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 14), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c1", 2 },
{ "d_jtag", 3 },
{ "i2s0_dout", 4 },
{ "i2s0_din", 5 },
{ "dmic", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 15), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c1", 2 },
{ "d_jtag", 3 },
{ "pwm6", 4 },
{ "i2s0", 5 },
{ "dmic", 6 },
{ "emac", 8 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 16), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c3", 2 },
{ "d_jtag", 3 },
{ "pwm7", 4 },
{ "i2s0", 5 },
{ "dmic", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(E, 17), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2c3", 2 },
{ "d_jtag", 3 },
{ "ir", 4 },
{ "i2s0", 5 },
{ "dmic", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "jtag", 3 },
{ "r_jtag", 4 },
{ "i2s2_dout", 5 },
{ "i2s2_din", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "jtag", 3 },
{ "r_jtag", 4 },
{ "i2s2_dout", 5 },
{ "i2s2_din", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "uart0", 3 },
{ "i2c0", 4 },
{ "ledc", 5 },
{ "spdif", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "jtag", 3 },
{ "r_jtag", 4 },
{ "i2s2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "uart0", 3 },
{ "i2c0", 4 },
{ "pwm6", 5 },
{ "ir", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc0", 2 },
{ "jtag", 3 },
{ "r_jtag", 4 },
{ "i2s2", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(F, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "spdif", 3 },
{ "ir", 4 },
{ "i2s2", 5 },
{ "pwm5", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 0), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart3", 3 },
{ "emac", 4 },
{ "pwm7", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 1), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart3", 3 },
{ "emac", 4 },
{ "pwm6", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 2), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart3", 3 },
{ "emac", 4 },
{ "uart4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 3), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart3", 3 },
{ "emac", 4 },
{ "uart4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 4), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart5", 3 },
{ "emac", 4 },
{ "pwm5", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 5), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "mmc1", 2 },
{ "uart5", 3 },
{ "emac", 4 },
{ "pwm4", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 6), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart1", 2 },
{ "i2c2", 3 },
{ "emac", 4 },
{ "pwm1", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 7), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart1", 2 },
{ "i2c2", 3 },
{ "emac", 4 },
{ "spdif", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 8), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart1", 2 },
{ "i2c1", 3 },
{ "emac", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 9), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart1", 2 },
{ "i2c1", 3 },
{ "emac", 4 },
{ "uart3", 5 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 10), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "pwm3", 2 },
{ "i2c3", 3 },
{ "emac", 4 },
{ "clk", 5 },
{ "ir", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 11), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2s1", 2 },
{ "i2c3", 3 },
{ "emac", 4 },
{ "clk", 5 },
{ "tcon", 6 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 12), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2s1", 2 },
{ "i2c0", 3 },
{ "emac", 4 },
{ "clk", 5 },
{ "pwm0", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 13), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2s1", 2 },
{ "i2c0", 3 },
{ "emac", 4 },
{ "pwm2", 5 },
{ "ledc", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 14), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2s1_din", 2 },
{ "i2c2", 3 },
{ "emac", 4 },
{ "i2s1_dout", 5 },
{ "spi0", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 15), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "i2s1_dout", 2 },
{ "i2c2", 3 },
{ "emac", 4 },
{ "i2s1_din", 5 },
{ "spi0", 6 },
{ "uart1", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 16), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "ir", 2 },
{ "tcon", 3 },
{ "pwm5", 4 },
{ "clk", 5 },
{ "spdif", 6 },
{ "ledc", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 17), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart2", 2 },
{ "i2c3", 3 },
{ "pwm7", 4 },
{ "clk", 5 },
{ "ir", 6 },
{ "uart0", 7 },
{ "irq", 14 },
} },
{ SXIPIO_PIN(G, 18), {
{ "gpio_in", 0 },
{ "gpio_out", 1 },
{ "uart2", 2 },
{ "i2c3", 3 },
{ "pwm6", 4 },
{ "clk", 5 },
{ "spdif", 6 },
{ "uart0", 7 },
{ "irq", 14 },
} },
};
const struct sxipio_pin sun50i_a64_pins[] = {
{ SXIPIO_PIN(B, 0), {
{ "gpio_in", 0 },
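Review bot: Several entries in the new `sun20i_d1_pins` table repeat a function name with two different mux values; PB2 through PB7, for instance, list `"lcd0"` at both 2 and 6. If the driver resolves a function by first name match (the lookup code is not on this page), the second mux value can never be selected for those pins. A short comment at the first such entry, e.g. `/* "lcd0" appears at mux 2 and 6; a name lookup picks the first */`, would record whether that is intended. The `sun50i_a64_pins` table that follows continues outside the hunk.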


@ -1,4 +1,4 @@
/* $OpenBSD: sxipiovar.h,v 1.1 2017/01/21 08:26:49 patrick Exp $ */
/* $OpenBSD: sxipiovar.h,v 1.2 2023/10/13 15:41:25 kettenis Exp $ */
/*
* Copyright (c) 2013 Artturi Alm
*
@ -25,7 +25,7 @@ struct sxipio_func {
struct sxipio_pin {
const char *name;
int port, pin;
struct sxipio_func funcs[8];
struct sxipio_func funcs[10];
};
#define SXIPIO_PORT_A 0
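Review bot: `funcs[10]` is sized to exactly the longest function list in the `sun20i_d1_pins` table added by this commit (PB0, for example, fills all ten slots), so those entries have no zeroed trailing element. The code that walks `funcs` is not on this page; any loop that stops on a NULL `name` rather than on `nitems()` of the array would read past the end for these pins. A named constant with a comment would document the invariant, e.g. `#define SXIPIO_NFUNCS 10 /* max mux functions per pin; the array may be full, no sentinel */` and `struct sxipio_func funcs[SXIPIO_NFUNCS];`.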



@ -1,4 +1,4 @@
/* $OpenBSD: wsfont.c,v 1.62 2022/04/04 19:53:15 naddy Exp $ */
/* $OpenBSD: wsfont.c,v 1.63 2023/10/13 13:28:02 fcambus Exp $ */
/* $NetBSD: wsfont.c,v 1.17 2001/02/07 13:59:24 ad Exp $ */
/*-
@ -78,11 +78,6 @@
#define HAVE_FONT 1
#endif
#ifdef FONT_BOLD8x16_ISO1
#define HAVE_FONT 1
#include <dev/wsfont/bold8x16-iso1.h>
#endif
/*
* Make sure we always have at least one font.
* Unless otherwise configured, all platforms provide both a 8x16 font and a
@ -147,29 +142,26 @@ static struct font builtin_fonts[] = {
#ifdef FONT_BOLD8x16
BUILTIN_FONT(bold8x16, 1),
#endif
#ifdef FONT_BOLD8x16_ISO1
BUILTIN_FONT(bold8x16_iso1, 2),
#endif
#ifdef FONT_GALLANT12x22
BUILTIN_FONT(gallant12x22, 3),
BUILTIN_FONT(gallant12x22, 2),
#endif
#ifdef FONT_SPLEEN5x8
BUILTIN_FONT(spleen5x8, 4),
BUILTIN_FONT(spleen5x8, 3),
#endif
#ifdef FONT_SPLEEN6x12
BUILTIN_FONT(spleen6x12, 5),
BUILTIN_FONT(spleen6x12, 4),
#endif
#ifdef FONT_SPLEEN8x16
BUILTIN_FONT(spleen8x16, 6),
BUILTIN_FONT(spleen8x16, 5),
#endif
#ifdef FONT_SPLEEN12x24
BUILTIN_FONT(spleen12x24, 7),
BUILTIN_FONT(spleen12x24, 6),
#endif
#ifdef FONT_SPLEEN16x32
BUILTIN_FONT(spleen16x32, 8),
BUILTIN_FONT(spleen16x32, 7),
#endif
#ifdef FONT_SPLEEN32x64
BUILTIN_FONT(spleen32x64, 9),
BUILTIN_FONT(spleen32x64, 8),
#endif
#undef BUILTIN_FONT
};


@ -1,4 +1,4 @@
.\" $OpenBSD: bgpd.conf.5,v 1.236 2023/08/16 08:38:40 job Exp $
.\" $OpenBSD: bgpd.conf.5,v 1.237 2023/10/13 07:37:35 claudio Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: August 16 2023 $
.Dd $Mdocdate: October 13 2023 $
.Dt BGPD.CONF 5
.Os
.Sh NAME
@ -953,7 +953,7 @@ The neighbor properties are as follows:
.It Xo
.Ic announce
.Pq Ic IPv4 Ns | Ns Ic IPv6
.Pq Ic none Ns | Ns Ic unicast Ns | Ns Ic vpn | Ns Ic flowspec
.Pq Ic none Ns | Ns Ic unicast Ns | Ns Ic vpn Ns | Ns Ic flowspec
.Xc
For the given address family, control which
.Em subsequent address families


@ -1,12 +1,12 @@
# $OpenBSD: Makefile,v 1.32 2023/06/29 10:28:25 tb Exp $
# $OpenBSD: Makefile,v 1.33 2023/10/13 12:06:49 job Exp $
PROG= rpki-client
SRCS= as.c aspa.c cert.c cms.c crl.c encoding.c filemode.c gbr.c geofeed.c \
http.c io.c ip.c json.c main.c mft.c mkdir.c ometric.c output.c \
output-bgpd.c output-bird.c output-csv.c output-json.c \
output-ometric.c parser.c print.c repo.c roa.c rrdp.c rrdp_delta.c \
rrdp_notification.c rrdp_snapshot.c rrdp_util.c rsc.c rsync.c tak.c \
tal.c validate.c x509.c
SRCS= as.c aspa.c cert.c cms.c constraints.c crl.c encoding.c filemode.c \
gbr.c geofeed.c http.c io.c ip.c json.c main.c mft.c mkdir.c ometric.c \
output.c output-bgpd.c output-bird.c output-csv.c output-json.c \
output-ometric.c parser.c print.c repo.c rfc3779.c roa.c \
rrdp.c rrdp_delta.c rrdp_notification.c rrdp_snapshot.c rrdp_util.c \
rsc.c rsync.c tak.c tal.c validate.c x509.c
MAN= rpki-client.8
LDADD+= -lexpat -ltls -lssl -lcrypto -lutil -lz


@ -1,4 +1,4 @@
/* $OpenBSD: as.c,v 1.12 2023/05/23 06:39:31 tb Exp $ */
/* $OpenBSD: as.c,v 1.13 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -45,7 +45,7 @@ as_id_parse(const ASN1_INTEGER *v, uint32_t *out)
*/
int
as_check_overlap(const struct cert_as *a, const char *fn,
const struct cert_as *as, size_t asz)
const struct cert_as *as, size_t asz, int quiet)
{
size_t i;
@ -53,6 +53,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (asz &&
(a->type == CERT_AS_INHERIT || as[0].type == CERT_AS_INHERIT)) {
if (quiet)
return 0;
warnx("%s: RFC 3779 section 3.2.3.3: "
"cannot have inheritance and multiple ASnum or "
"multiple inheritance", fn);
@ -68,6 +70,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
case CERT_AS_ID:
if (a->id != as[i].id)
break;
if (quiet)
return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@ -75,6 +79,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (as->range.min > as[i].id ||
as->range.max < as[i].id)
break;
if (quiet)
return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@ -88,6 +94,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (as[i].range.min > a->id ||
as[i].range.max < a->id)
break;
if (quiet)
return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@ -95,6 +103,8 @@ as_check_overlap(const struct cert_as *a, const char *fn,
if (a->range.max < as[i].range.min ||
a->range.min > as[i].range.max)
break;
if (quiet)
return 0;
warnx("%s: RFC 3779 section 3.2.3.4: "
"cannot have overlapping ASnum", fn);
return 0;
@ -135,3 +145,23 @@ as_check_covered(uint32_t min, uint32_t max,
return -1;
}
void
as_warn(const char *fn, const struct cert_as *cert, const char *msg)
{
switch (cert->type) {
case CERT_AS_ID:
warnx("%s: AS %u: %s", fn, cert->id, msg);
break;
case CERT_AS_INHERIT:
warnx("%s: AS (inherit): %s", fn, msg);
break;
case CERT_AS_RANGE:
warnx("%s: AS range %u--%u: %s", fn, cert->range.min,
cert->range.max, msg);
break;
default:
warnx("%s: corrupt cert", fn);
break;
}
}
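Review bot: The range test in `as_check_overlap` that reads `as->range.min > as[i].id || as->range.max < as[i].id` looks wrong now that this commit uses the function for deny lists. `as` is the list, so the test uses the first list entry's range instead of the candidate `a`, unlike the neighbouring tests, which all use `a->`. The enclosing case labels are outside the visible lines, so this is inferred, but if that branch compares a range candidate with a single-AS list entry, a certificate range containing a denied AS could pass the check. Suggested: `if (a->range.min > as[i].id || a->range.max < as[i].id)`.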


@ -1,4 +1,4 @@
/* $OpenBSD: aspa.c,v 1.23 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: aspa.c,v 1.24 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@ -215,7 +215,7 @@ aspa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if (!aspa_parse_econtent(cms, cmsz, &p))
goto out;
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
p.res->valid = valid_aspa(fn, cert, p.res);


@ -1,4 +1,4 @@
/* $OpenBSD: cert.c,v 1.117 2023/09/25 15:33:08 tb Exp $ */
/* $OpenBSD: cert.c,v 1.118 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@ -57,7 +57,7 @@ static int
append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz,
const struct cert_ip *ip)
{
if (!ip_addr_check_overlap(ip, fn, ips, *ipsz))
if (!ip_addr_check_overlap(ip, fn, ips, *ipsz, 0))
return 0;
ips[(*ipsz)++] = *ip;
return 1;
@ -72,7 +72,7 @@ static int
append_as(const char *fn, struct cert_as *ases, size_t *asz,
const struct cert_as *as)
{
if (!as_check_overlap(as, fn, ases, *asz))
if (!as_check_overlap(as, fn, ases, *asz, 0))
return 0;
ases[(*asz)++] = *as;
return 1;
@ -446,8 +446,8 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
static int
sbgp_ipaddrblk(struct parse *p, X509_EXTENSION *ext)
{
STACK_OF(IPAddressFamily) *addrblk = NULL;
int rc = 0;
IPAddrBlocks *addrblk = NULL;
int rc = 0;
if (!X509_EXTENSION_get_critical(ext)) {
warnx("%s: RFC 6487 section 4.8.10: sbgp-ipAddrBlock: "
@ -471,7 +471,7 @@ sbgp_ipaddrblk(struct parse *p, X509_EXTENSION *ext)
rc = 1;
out:
sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free);
IPAddrBlocks_free(addrblk);
return rc;
}
@ -641,7 +641,7 @@ certificate_policies(struct parse *p, X509_EXTENSION *ext)
* Returns cert on success and NULL on failure.
*/
struct cert *
cert_parse_ee_cert(const char *fn, X509 *x)
cert_parse_ee_cert(const char *fn, int talid, X509 *x)
{
struct parse p;
X509_EXTENSION *ext;
@ -690,6 +690,11 @@ cert_parse_ee_cert(const char *fn, X509 *x)
}
p.res->x509 = x;
p.res->talid = talid;
if (!constraints_validate(fn, p.res))
goto out;
return p.res;
out:
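Review bot: The comment above `cert_parse_ee_cert` still only says "Returns cert on success and NULL on failure", but the function now also returns NULL when `constraints_validate` rejects the certificate's resources for the given `talid`. I would extend it with a line such as `* talid selects the trust anchor constraints to enforce; a negative talid skips them.` The negative-talid behaviour is taken from `constraints_validate` in constraints.c of this commit. The function body starts and ends outside the visible hunks, so the cleanup after `out:` could not be checked.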


@ -0,0 +1,600 @@
/* $OpenBSD: constraints.c,v 1.1 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2023 Job Snijders <job@openbsd.org>
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/socket.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <openssl/asn1.h>
#include <openssl/x509v3.h>
#include "extern.h"
struct tal_constraints {
int fd; /* constraints file descriptor or -1. */
char *fn; /* constraints filename */
struct cert_ip *allow_ips; /* list of allowed IP address ranges */
size_t allow_ipsz; /* length of "allow_ips" */
struct cert_as *allow_as; /* allowed AS numbers and ranges */
size_t allow_asz; /* length of "allow_as" */
struct cert_ip *deny_ips; /* forbidden IP address ranges */
size_t deny_ipsz; /* length of "deny_ips" */
struct cert_as *deny_as; /* forbidden AS numbers and ranges */
size_t deny_asz; /* length of "deny_as" */
} tal_constraints[TALSZ_MAX];
/*
* If there is a .constraints file next to a .tal file, load its contents
* into into tal_constraints[talid]. The load function only opens the fd
* and stores the filename. The actual parsing happens in constraints_parse().
* Resources of EE certs can then be constrained using constraints_validate().
*/
static void
constraints_load_talid(int talid)
{
const char *tal = tals[talid];
char *constraints = NULL;
int fd;
size_t len;
int saved_errno;
tal_constraints[talid].fd = -1;
if (rtype_from_file_extension(tal) != RTYPE_TAL)
return;
/* Replace .tal suffix with .constraints. */
len = strlen(tal) - 4;
if (asprintf(&constraints, "%.*s.constraints", (int)len, tal) == -1)
errx(1, NULL);
saved_errno = errno;
fd = open(constraints, O_RDONLY);
if (fd == -1 && errno != ENOENT)
err(1, "failed to load constraints for %s", tal);
tal_constraints[talid].fn = constraints;
tal_constraints[talid].fd = fd;
errno = saved_errno;
}
/*
* Iterate over all TALs and load the corresponding constraints files.
*/
void
constraints_load(void)
{
int talid;
for (talid = 0; talid < talsz; talid++)
constraints_load_talid(talid);
}
void
constraints_unload(void)
{
int saved_errno, talid;
saved_errno = errno;
for (talid = 0; talid < talsz; talid++) {
if (tal_constraints[talid].fd != -1)
close(tal_constraints[talid].fd);
free(tal_constraints[talid].fn);
tal_constraints[talid].fd = -1;
tal_constraints[talid].fn = NULL;
}
errno = saved_errno;
}
/*
* Split a string at '-' and trim whitespace around the '-'.
* Assumes leading and trailing whitespace in p has already been trimmed.
*/
static int
constraints_split_range(char *p, const char **min, const char **max)
{
char *pp;
*min = p;
if ((*max = pp = strchr(p, '-')) == NULL)
return 0;
/* Trim whitespace before '-'. */
while (pp > *min && isspace((unsigned char)pp[-1]))
pp--;
*pp = '\0';
/* Skip past '-' and whitespace following it. */
(*max)++;
while (isspace((unsigned char)**max))
(*max)++;
return 1;
}
/*
* Helper functions to parse textual representations of IP prefixes or ranges.
* The RFC 3779 API has poor error reporting, so as a debugging aid, we call
* the prohibitively expensive X509v3_addr_canonize() in high verbosity mode.
*/
static void
constraints_parse_ip_prefix(const char *fn, const char *prefix, enum afi afi,
IPAddrBlocks *addrs)
{
unsigned char addr[16] = { 0 };
int af = afi == AFI_IPV4 ? AF_INET : AF_INET6;
int plen;
if ((plen = inet_net_pton(af, prefix, addr, sizeof(addr))) == -1)
errx(1, "%s: failed to parse %s", fn, prefix);
if (!X509v3_addr_add_prefix(addrs, afi, NULL, addr, plen))
errx(1, "%s: failed to add prefix %s", fn, prefix);
if (verbose < 3)
return;
if (!X509v3_addr_canonize(addrs))
errx(1, "%s: failed to canonize with prefix %s", fn, prefix);
}
static void
constraints_parse_ip_range(const char *fn, const char *min, const char *max,
enum afi afi, IPAddrBlocks *addrs)
{
unsigned char min_addr[16] = {0}, max_addr[16] = {0};
int af = afi == AFI_IPV4 ? AF_INET : AF_INET6;
if (inet_pton(af, min, min_addr) != 1)
errx(1, "%s: failed to parse %s", fn, min);
if (inet_pton(af, max, max_addr) != 1)
errx(1, "%s: failed to parse %s", fn, max);
if (!X509v3_addr_add_range(addrs, afi, NULL, min_addr, max_addr))
errx(1, "%s: failed to add range %s--%s", fn, min, max);
if (verbose < 3)
return;
if (!X509v3_addr_canonize(addrs))
errx(1, "%s: failed to canonize with range %s--%s", fn,
min, max);
}
static void
constraints_parse_ip(const char *fn, char *p, enum afi afi, IPAddrBlocks *addrs)
{
const char *min, *max;
if (strchr(p, '-') == NULL) {
constraints_parse_ip_prefix(fn, p, afi, addrs);
return;
}
if (!constraints_split_range(p, &min, &max))
errx(1, "%s: failed to split range: %s", fn, p);
constraints_parse_ip_range(fn, min, max, afi, addrs);
}
/*
* Helper functions to parse textual representations of AS numbers or ranges.
* The RFC 3779 API has poor error reporting, so as a debugging aid, we call
* the prohibitively expensive X509v3_asid_canonize() in high verbosity mode.
*/
static void
constraints_parse_asn(const char *fn, const char *asn, ASIdentifiers *asids)
{
ASN1_INTEGER *id;
if ((id = s2i_ASN1_INTEGER(NULL, asn)) == NULL)
errx(1, "%s: failed to parse AS %s", fn, asn);
if (!X509v3_asid_add_id_or_range(asids, V3_ASID_ASNUM, id, NULL))
errx(1, "%s: failed to add AS %s", fn, asn);
if (verbose < 3)
return;
if (!X509v3_asid_canonize(asids))
errx(1, "%s: failed to canonize with AS %s", fn, asn);
}
static void
constraints_parse_asn_range(const char *fn, const char *min, const char *max,
ASIdentifiers *asids)
{
ASN1_INTEGER *min_as, *max_as;
if ((min_as = s2i_ASN1_INTEGER(NULL, min)) == NULL)
errx(1, "%s: failed to parse AS %s", fn, min);
if ((max_as = s2i_ASN1_INTEGER(NULL, max)) == NULL)
errx(1, "%s: failed to parse AS %s", fn, max);
if (!X509v3_asid_add_id_or_range(asids, V3_ASID_ASNUM, min_as, max_as))
errx(1, "%s: failed to add AS range %s--%s", fn, min, max);
if (verbose < 3)
return;
if (!X509v3_asid_canonize(asids))
errx(1, "%s: failed to canonize with AS range %s--%s", fn,
min, max);
}
static void
constraints_parse_as(const char *fn, char *p, ASIdentifiers *asids)
{
const char *min, *max;
if (strchr(p, '-') == NULL) {
constraints_parse_asn(fn, p, asids);
return;
}
if (!constraints_split_range(p, &min, &max))
errx(1, "%s: failed to split range: %s", fn, p);
constraints_parse_asn_range(fn, min, max, asids);
}
/*
* Work around an annoying bug in X509v3_addr_add_range(). The upper bound
* of a range can have unused bits set in its ASN1_BIT_STRING representation.
* This triggers a check in ip_addr_parse(). A round trip through DER fixes
* this mess up. For extra special fun, {d2i,i2d}_IPAddrBlocks() isn't part
* of the API and implementing them for OpenSSL 3 is hairy, so do the round
* tripping once per address family.
*/
static void
constraints_normalize_ip_addrblocks(const char *fn, IPAddrBlocks **addrs)
{
IPAddrBlocks *new_addrs;
IPAddressFamily *af;
const unsigned char *p;
unsigned char *der;
int der_len, i;
if ((new_addrs = IPAddrBlocks_new()) == NULL)
err(1, NULL);
for (i = 0; i < sk_IPAddressFamily_num(*addrs); i++) {
af = sk_IPAddressFamily_value(*addrs, i);
der = NULL;
if ((der_len = i2d_IPAddressFamily(af, &der)) <= 0)
errx(1, "%s: failed to convert to DER", fn);
p = der;
if ((af = d2i_IPAddressFamily(NULL, &p, der_len)) == NULL)
errx(1, "%s: failed to convert from DER", fn);
free(der);
if (!sk_IPAddressFamily_push(new_addrs, af))
errx(1, "%s: failed to push constraints", fn);
}
IPAddrBlocks_free(*addrs);
*addrs = new_addrs;
}
/*
* If there is a constraints file for tals[talid], load it into a buffer
* and parse it line by line. Leverage the above parse helpers to build up
* IPAddrBlocks and ASIdentifiers. We use the RFC 3779 API to benefit from
* the limited abilities of X509v3_{addr,asid}_canonize() to sort and merge
* adjacent ranges. This doesn't deal with overlaps or duplicates, but it's
* better than nothing.
*/
static void
constraints_parse_talid(int talid)
{
IPAddrBlocks *allow_addrs, *deny_addrs;
ASIdentifiers *allow_asids, *deny_asids;
FILE *f;
char *fn, *p, *pp;
struct cert_as *allow_as = NULL, *deny_as = NULL;
struct cert_ip *allow_ips = NULL, *deny_ips = NULL;
size_t allow_asz = 0, allow_ipsz = 0,
deny_asz = 0, deny_ipsz = 0;
char *line = NULL;
size_t len = 0;
ssize_t n;
int fd, have_allow_as = 0, have_allow_ips = 0,
have_deny_as = 0, have_deny_ips = 0;
fd = tal_constraints[talid].fd;
fn = tal_constraints[talid].fn;
tal_constraints[talid].fd = -1;
tal_constraints[talid].fn = NULL;
if (fd == -1) {
free(fn);
return;
}
if ((f = fdopen(fd, "r")) == NULL)
err(1, "fdopen");
if ((allow_addrs = IPAddrBlocks_new()) == NULL)
err(1, NULL);
if ((allow_asids = ASIdentifiers_new()) == NULL)
err(1, NULL);
if ((deny_addrs = IPAddrBlocks_new()) == NULL)
err(1, NULL);
if ((deny_asids = ASIdentifiers_new()) == NULL)
err(1, NULL);
while ((n = getline(&line, &len, f)) != -1) {
if (line[n - 1] == '\n')
line[n - 1] = '\0';
p = line;
/* Zap leading whitespace */
while (isspace((unsigned char)*p))
p++;
/* Zap comments */
if ((pp = strchr(p, '#')) != NULL)
*pp = '\0';
/* Zap trailing whitespace */
if (pp == NULL)
pp = p + strlen(p);
while (pp > p && isspace((unsigned char)pp[-1]))
pp--;
*pp = '\0';
if (strlen(p) == 0)
continue;
if (strncmp(p, "allow", strlen("allow")) == 0) {
p += strlen("allow");
/* Ensure there's whitespace and jump over it. */
if (!isspace((unsigned char)*p))
errx(1, "%s: failed to parse %s", fn, p);
while (isspace((unsigned char)*p))
p++;
if (strchr(p, '.') != NULL) {
constraints_parse_ip(fn, p, AFI_IPV4,
allow_addrs);
have_allow_ips = 1;
} else if (strchr(p, ':') != NULL) {
constraints_parse_ip(fn, p, AFI_IPV6,
allow_addrs);
have_allow_ips = 1;
} else {
constraints_parse_as(fn, p, allow_asids);
have_allow_as = 1;
}
} else if (strncmp(p, "deny", strlen("deny")) == 0) {
p += strlen("deny");
/* Ensure there's whitespace and jump over it. */
if (!isspace((unsigned char)*p))
errx(1, "%s: failed to parse %s", fn, p);
/* Zap leading whitespace */
while (isspace((unsigned char)*p))
p++;
if (strchr(p, '.') != NULL) {
constraints_parse_ip(fn, p, AFI_IPV4,
deny_addrs);
have_deny_ips = 1;
} else if (strchr(p, ':') != NULL) {
constraints_parse_ip(fn, p, AFI_IPV6,
deny_addrs);
have_deny_ips = 1;
} else {
constraints_parse_as(fn, p, deny_asids);
have_deny_as = 1;
}
} else
errx(1, "%s: failed to parse %s", fn, p);
}
free(line);
if (ferror(f))
err(1, "%s", fn);
fclose(f);
if (!X509v3_addr_canonize(allow_addrs))
errx(1, "%s: failed to canonize IP addresses allowlist", fn);
if (!X509v3_asid_canonize(allow_asids))
errx(1, "%s: failed to canonize AS numbers allowlist", fn);
if (!X509v3_addr_canonize(deny_addrs))
errx(1, "%s: failed to canonize IP addresses denylist", fn);
if (!X509v3_asid_canonize(deny_asids))
errx(1, "%s: failed to canonize AS numbers denylist", fn);
if (have_allow_as) {
if (!sbgp_parse_assysnum(fn, allow_asids, &allow_as,
&allow_asz))
errx(1, "%s: failed to parse AS identifiers allowlist",
fn);
}
if (have_deny_as) {
if (!sbgp_parse_assysnum(fn, deny_asids, &deny_as,
&deny_asz))
errx(1, "%s: failed to parse AS identifiers denylist",
fn);
}
if (have_allow_ips) {
constraints_normalize_ip_addrblocks(fn, &allow_addrs);
if (!sbgp_parse_ipaddrblk(fn, allow_addrs, &allow_ips,
&allow_ipsz))
errx(1, "%s: failed to parse IP addresses allowlist",
fn);
}
if (have_deny_ips) {
constraints_normalize_ip_addrblocks(fn, &deny_addrs);
if (!sbgp_parse_ipaddrblk(fn, deny_addrs, &deny_ips,
&deny_ipsz))
errx(1, "%s: failed to parse IP addresses denylist",
fn);
}
tal_constraints[talid].allow_as = allow_as;
tal_constraints[talid].allow_asz = allow_asz;
tal_constraints[talid].allow_ips = allow_ips;
tal_constraints[talid].allow_ipsz = allow_ipsz;
tal_constraints[talid].deny_as = deny_as;
tal_constraints[talid].deny_asz = deny_asz;
tal_constraints[talid].deny_ips = deny_ips;
tal_constraints[talid].deny_ipsz = deny_ipsz;
IPAddrBlocks_free(allow_addrs);
IPAddrBlocks_free(deny_addrs);
ASIdentifiers_free(allow_asids);
ASIdentifiers_free(deny_asids);
free(fn);
}
/*
* Iterate over all TALs and parse the constraints files loaded previously.
*/
void
constraints_parse(void)
{
int talid;
for (talid = 0; talid < talsz; talid++)
constraints_parse_talid(talid);
}
static int
constraints_check_as(const char *fn, struct cert_as *cert,
const struct cert_as *allow_as, size_t allow_asz,
const struct cert_as *deny_as, size_t deny_asz)
{
uint32_t min, max;
/* Inheriting EE resources are not to be constrained. */
if (cert->type == CERT_AS_INHERIT)
return 1;
if (cert->type == CERT_AS_ID) {
min = cert->id;
max = cert->id;
} else {
min = cert->range.min;
max = cert->range.max;
}
if (deny_as != NULL) {
if (!as_check_overlap(cert, fn, deny_as, deny_asz, 1))
return 0;
}
if (allow_as != NULL) {
if (as_check_covered(min, max, allow_as, allow_asz) <= 0)
return 0;
}
return 1;
}
static int
constraints_check_ips(const char *fn, struct cert_ip *cert,
const struct cert_ip *allow_ips, size_t allow_ipsz,
const struct cert_ip *deny_ips, size_t deny_ipsz)
{
/* Inheriting EE resources are not to be constrained. */
if (cert->type == CERT_IP_INHERIT)
return 1;
if (deny_ips != NULL) {
if (!ip_addr_check_overlap(cert, fn, deny_ips, deny_ipsz, 1))
return 0;
}
if (allow_ips != NULL) {
if (ip_addr_check_covered(cert->afi, cert->min, cert->max,
allow_ips, allow_ipsz) <= 0)
return 0;
}
return 1;
}
/*
* Check whether an EE cert's resources are covered by its TAL's constraints.
* We accept certs with a negative talid as "unknown TAL" for filemode. The
* logic nearly duplicates valid_cert().
*/
int
constraints_validate(const char *fn, const struct cert *cert)
{
int talid = cert->talid;
struct cert_as *allow_as, *deny_as;
struct cert_ip *allow_ips, *deny_ips;
size_t i, allow_asz, allow_ipsz, deny_asz, deny_ipsz;
/* Accept negative talid to bypass validation. */
if (talid < 0)
return 1;
if (talid >= talsz)
errx(1, "%s: talid out of range %d", fn, talid);
allow_as = tal_constraints[talid].allow_as;
allow_asz = tal_constraints[talid].allow_asz;
deny_as = tal_constraints[talid].deny_as;
deny_asz = tal_constraints[talid].deny_asz;
for (i = 0; i < cert->asz; i++) {
if (constraints_check_as(fn, &cert->as[i], allow_as, allow_asz,
deny_as, deny_asz))
continue;
as_warn(fn, &cert->as[i], "violates trust anchor constraints");
return 0;
}
allow_ips = tal_constraints[talid].allow_ips;
allow_ipsz = tal_constraints[talid].allow_ipsz;
deny_ips = tal_constraints[talid].deny_ips;
deny_ipsz = tal_constraints[talid].deny_ipsz;
for (i = 0; i < cert->ipsz; i++) {
if (constraints_check_ips(fn, &cert->ips[i], allow_ips,
allow_ipsz, deny_ips, deny_ipsz))
continue;
ip_warn(fn, &cert->ips[i], "violates trust anchor constraints");
return 0;
}
return 1;
}
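Review bot: In `constraints_load_talid` a missing `.constraints` file (`ENOENT`) is accepted without any message, so a misnamed file leaves that trust anchor unconstrained and nothing tells the operator. A verbose-level line when a file is actually found, for example `if (fd != -1 && verbose) warnx("%s: using constraints file", constraints);`, would make the enforced set visible in the logs. In the same function, `errx(1, NULL)` after a failed `asprintf` should be `err(1, NULL)`, as `constraints_normalize_ip_addrblocks` does for its allocation failure, so the errno text is reported. `constraints_unload` and the static helpers `constraints_check_as` and `constraints_check_ips` have no header comment; one line each stating what a 0 return means would help.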


@ -1,4 +1,4 @@
/* $OpenBSD: extern.h,v 1.192 2023/09/25 14:56:20 tb Exp $ */
/* $OpenBSD: extern.h,v 1.193 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -613,7 +613,7 @@ struct tal *tal_read(struct ibuf *);
void cert_buffer(struct ibuf *, const struct cert *);
void cert_free(struct cert *);
void auth_tree_free(struct auth_tree *);
struct cert *cert_parse_ee_cert(const char *, X509 *);
struct cert *cert_parse_ee_cert(const char *, int, X509 *);
struct cert *cert_parse_pre(const char *, const unsigned char *, size_t);
struct cert *cert_parse(const char *, struct cert *);
struct cert *ta_parse(const char *, struct cert *, const unsigned char *,
@ -712,11 +712,12 @@ void ip_addr_range_print(const struct ip_addr_range *, enum afi,
char *, size_t);
int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
int ip_addr_check_overlap(const struct cert_ip *,
const char *, const struct cert_ip *, size_t);
const char *, const struct cert_ip *, size_t, int);
int ip_addr_check_covered(enum afi, const unsigned char *,
const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);
void ip_warn(const char *, const struct cert_ip *, const char *);
int sbgp_addr(const char *, struct cert_ip *, size_t *,
enum afi, const ASN1_BIT_STRING *);
@ -730,9 +731,10 @@ int sbgp_parse_ipaddrblk(const char *, const IPAddrBlocks *,
int as_id_parse(const ASN1_INTEGER *, uint32_t *);
int as_check_overlap(const struct cert_as *, const char *,
const struct cert_as *, size_t);
const struct cert_as *, size_t, int);
int as_check_covered(uint32_t, uint32_t,
const struct cert_as *, size_t);
void as_warn(const char *, const struct cert_as *, const char *);
int sbgp_as_id(const char *, struct cert_as *, size_t *,
const ASN1_INTEGER *);
@ -742,6 +744,12 @@ int sbgp_as_range(const char *, struct cert_as *, size_t *,
int sbgp_parse_assysnum(const char *, const ASIdentifiers *,
struct cert_as **, size_t *);
/* Constraints-specific */
void constraints_load(void);
void constraints_unload(void);
void constraints_parse(void);
int constraints_validate(const char *, const struct cert *);
/* Parser-specific */
void entity_free(struct entity *);
void entity_read_req(struct ibuf *, struct entity *);
@ -864,6 +872,10 @@ void aspa_print(const X509 *, const struct aspa *);
void tak_print(const X509 *, const struct tak *);
void geofeed_print(const X509 *, const struct geofeed *);
/* Missing RFC 3779 API */
IPAddrBlocks *IPAddrBlocks_new(void);
void IPAddrBlocks_free(IPAddrBlocks *);
/* Output! */
extern int outformats;


@ -1,4 +1,4 @@
/* $OpenBSD: filemode.c,v 1.35 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: filemode.c,v 1.36 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -468,6 +468,17 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
break;
}
}
if (status && cert == NULL) {
struct cert *eecert;
eecert = cert_parse_ee_cert(file, a->cert->talid, x509);
if (eecert == NULL)
status = 0;
cert_free(eecert);
} else if (status) {
cert->talid = a->cert->talid;
status = constraints_validate(file, cert);
}
} else if (is_ta) {
if ((tal = find_tal(cert)) != NULL) {
cert = ta_parse(file, cert, tal->pkey, tal->pkeysz);
@ -648,6 +659,7 @@ proc_filemode(int fd)
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
x509_init_oid();
constraints_parse();
if ((ctx = X509_STORE_CTX_new()) == NULL)
err(1, "X509_STORE_CTX_new");
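Review bot: Both new branches in `proc_parser_file` dereference `a->cert->talid`, and nothing in the visible lines shows that `a` is non-NULL whenever `status` is non-zero. The enclosing block starts outside the hunk, so the guarantee may exist there. If it does, a comment such as `/* status != 0 implies the issuer chain 'a' was found */` would record the invariant. If it does not, the condition should become `if (status && a != NULL && cert == NULL)`, with the `else if` guarded the same way. The first branch also calls `cert_parse_ee_cert` only to get its constraints check and then frees the result, which is worth a short comment.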


@ -1,4 +1,4 @@
/* $OpenBSD: gbr.c,v 1.28 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: gbr.c,v 1.29 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
@ -88,7 +88,7 @@ gbr_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
goto out;
}
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
return p.res;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: geofeed.c,v 1.14 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: geofeed.c,v 1.15 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -252,7 +252,7 @@ geofeed_parse(X509 **x509, const char *fn, int talid, char *buf, size_t len)
if (!x509_get_notafter(*x509, fn, &p.res->notafter))
goto out;
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
if (x509_any_inherits(*x509)) {

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ip.c,v 1.28 2023/09/25 08:48:14 job Exp $ */
/* $OpenBSD: ip.c,v 1.29 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -103,7 +103,7 @@ ip_addr_check_covered(enum afi afi,
*/
int
ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
const struct cert_ip *ips, size_t ipsz)
const struct cert_ip *ips, size_t ipsz, int quiet)
{
size_t i, sz = ip->afi == AFI_IPV4 ? 4 : 16;
int inherit_v4 = 0, inherit_v6 = 0;
@ -135,6 +135,8 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
ip->type == CERT_IP_INHERIT) ||
(has_v6 && ip->afi == AFI_IPV6 &&
ip->type == CERT_IP_INHERIT)) {
if (quiet)
return 0;
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have multiple inheritance or inheritance and "
"addresses of the same class", fn);
@ -151,6 +153,8 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
if (memcmp(ips[i].max, ip->min, sz) <= 0 ||
memcmp(ips[i].min, ip->max, sz) >= 0)
continue;
if (quiet)
return 0;
socktype = (ips[i].afi == AFI_IPV4) ? AF_INET : AF_INET6,
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have overlapping IP addresses", fn);
@ -342,3 +346,26 @@ ip_roa_compose_ranges(struct roa_ip *p)
if (sz > 0 && p->addr.prefixlen % 8 != 0)
p->max[sz - 1] |= (1 << (8 - p->addr.prefixlen % 8)) - 1;
}
void
ip_warn(const char *fn, const struct cert_ip *cert, const char *msg)
{
char buf[128];
switch (cert->type) {
case CERT_IP_ADDR:
ip_addr_print(&cert->ip, cert->afi, buf, sizeof(buf));
warnx("%s: %s: %s", fn, buf, msg);
break;
case CERT_IP_INHERIT:
warnx("%s: (inherit): %s", fn, msg);
break;
case CERT_IP_RANGE:
ip_addr_range_print(&cert->range, cert->afi, buf, sizeof(buf));
warnx("%s: %s: %s", fn, buf, msg);
break;
default:
warnx("%s: corrupt cert", fn);
break;
}
}
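Review bot: The overlap test in `ip_addr_check_overlap`, `memcmp(ips[i].max, ip->min, sz) <= 0 || memcmp(ips[i].min, ip->max, sz) >= 0`, skips list entries that share an endpoint with the candidate, which matters for the deny-list caller that the new `quiet` flag serves. `max` appears to be inclusive (`ip_roa_compose_ranges` fills the host bits with ones), so a certificate address equal to the first or last address of a denied range is treated as not overlapping. The same holds for a single address identical to a denied single address. Strict comparisons, `< 0` and `> 0`, would count a shared endpoint as overlap; confirm that certificate parsing through `append_ip` tolerates the stricter test. The function starts outside the visible hunk.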


@ -1,4 +1,4 @@
/* $OpenBSD: main.c,v 1.246 2023/08/30 10:02:28 job Exp $ */
/* $OpenBSD: main.c,v 1.247 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -1094,6 +1094,9 @@ main(int argc, char *argv[])
if (talsz == 0)
err(1, "no TAL files found in %s", "/etc/rpki");
/* Load optional constraint files sitting next to the TALs. */
constraints_load();
/*
* Create the file reader as a jailed child process.
* It will be responsible for reading all of the files (ROAs,
@ -1108,6 +1111,9 @@ main(int argc, char *argv[])
proc_filemode(proc);
}
/* Constraints are only needed in the filemode and parser processes. */
constraints_unload();
/*
* Create a process that will do the rsync'ing.
* This process is responsible for making sure that all the


@ -1,4 +1,4 @@
/* $OpenBSD: mft.c,v 1.98 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: mft.c,v 1.99 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -428,7 +428,7 @@ mft_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if (mft_parse_econtent(cms, cmsz, &p) == 0)
goto out;
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
if (p.res->signtime > p.res->nextupdate) {


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.99 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: parser.c,v 1.100 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -441,6 +441,13 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len,
cert->talid = a->cert->talid;
if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
if (!constraints_validate(file, cert)) {
cert_free(cert);
return NULL;
}
}
/*
* Add validated CA certs to the RPKI auth tree.
*/
@ -813,6 +820,7 @@ proc_parser(int fd)
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
x509_init_oid();
constraints_parse();
if ((ctx = X509_STORE_CTX_new()) == NULL)
err(1, "X509_STORE_CTX_new");


@ -0,0 +1,52 @@
/* $OpenBSD: rfc3779.c,v 1.1 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <err.h>
#include <stddef.h>
#include <openssl/x509v3.h>
#include "extern.h"
/*
* These should really have been part of the public OpenSSL RFC 3779 API...
*/
IPAddrBlocks *
IPAddrBlocks_new(void)
{
IPAddrBlocks *addrs;
/*
* XXX The comparison function IPAddressFamily_cmp() isn't public.
* Install it using a side effect of the lovely X509v3_addr_canonize().
*/
if ((addrs = sk_IPAddressFamily_new_null()) == NULL)
return NULL;
if (!X509v3_addr_canonize(addrs)) {
IPAddrBlocks_free(addrs);
return NULL;
}
return addrs;
}
void
IPAddrBlocks_free(IPAddrBlocks *addr)
{
sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
}


@ -1,4 +1,4 @@
/* $OpenBSD: roa.c,v 1.70 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: roa.c,v 1.71 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -257,7 +257,7 @@ roa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
goto out;
}
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
if (cert->asz > 0) {


@ -1,4 +1,4 @@
.\" $OpenBSD: rpki-client.8,v 1.97 2023/06/26 18:39:53 job Exp $
.\" $OpenBSD: rpki-client.8,v 1.98 2023/10/13 12:06:49 job Exp $
.\"
.\" Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: June 26 2023 $
.Dd $Mdocdate: October 13 2023 $
.Dt RPKI-CLIENT 8
.Os
.Sh NAME
@ -251,6 +251,44 @@ should be run hourly by
use
.Xr crontab 1
to uncomment the entry in root's crontab.
.Sh TRUST ANCHOR CONSTRAINTS
.Nm
can impose locally configured
.Em constraints
on cryptographic products subordinate to publicly-trusted
.Em Trust Anchors .
.Pp
Constraining a Trust Anchor's effective signing authority to a limited set of
.Em Internet Number Resources
allows Relying Parties to take advantage of the potential benefits of
assuming trust, while deriving trust within a bounded scope.
.Pp
Each
.Em .constraints
file imposes constraints on the Trust Anchor reachable via the same-named
.Em .tal
file.
One entry per line.
Entries can be IP prefixes, IP address ranges, AS identifiers, or AS identifier ranges.
Ranges are a minimum and maximum separated by a hyphen
.Pq Sq - .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Em deny
entries may not overlap with other
.Em deny
entries.
.Em allow
entries may not overlap with other
.Em allow
entries.
.Pp
A given EE certificate's resources may not overlap with any
.Em deny
entry, and must be fully contained within the
.Em allow
entries.
.Sh ENVIRONMENT
.Nm
utilizes the following environment variables:
@ -264,6 +302,10 @@ URL of HTTP proxy to use.
default TAL files used unless
.Fl t Ar tal
is specified.
.It Pa /etc/rpki/*.constraints
files containing registry-specific constraints to restrict what IP addresses
and AS identifiers may or may not appear in EE certificates subordinate to the
same-named Trust Anchor.
.It Pa /etc/rpki/skiplist
default skiplist file, unless
.Fl S Ar skiplist
@ -397,6 +439,12 @@ agreement regarding ARIN service restrictions.
.%U https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-cms-signing-time
.%D June, 2023
.Re
.Pp
.Rs
.%T Constraining RPKI Trust Anchors
.%U https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors
.%D September, 2023
.Re
.Sh HISTORY
.Nm
first appeared in


@ -1,4 +1,4 @@
/* $OpenBSD: rsc.c,v 1.28 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: rsc.c,v 1.29 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2022 Job Snijders <job@fastly.com>
@ -423,7 +423,7 @@ rsc_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if (!rsc_parse_econtent(cms, cmsz, &p))
goto out;
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
p.res->valid = valid_rsc(fn, cert, p.res);


@ -1,4 +1,4 @@
/* $OpenBSD: tak.c,v 1.12 2023/09/25 11:08:45 tb Exp $ */
/* $OpenBSD: tak.c,v 1.13 2023/10/13 12:06:49 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@ -274,7 +274,7 @@ tak_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if (!tak_parse_econtent(cms, cmsz, &p))
goto out;
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
if (strcmp(p.res->aki, p.res->current->ski) != 0) {