diff --git a/lib/libc/arch/aarch64/net/Makefile.inc b/lib/libc/arch/aarch64/net/Makefile.inc
deleted file mode 100644
index ff4343545..000000000
--- a/lib/libc/arch/aarch64/net/Makefile.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.1 2017/01/11 18:09:24 patrick Exp $
-# $NetBSD: Makefile.inc,v 1.1 2000/12/29 20:13:53 bjh21 Exp $
-
-# hton* and nto* functions provided by ../gen/byte_swap_*.S
-SRCS+=
diff --git a/lib/libc/arch/arm/gen/byte_swap_2.S b/lib/libc/arch/arm/gen/byte_swap_2.S
deleted file mode 100644
index 161bdf959..000000000
--- a/lib/libc/arch/arm/gen/byte_swap_2.S
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $OpenBSD: byte_swap_2.S,v 1.4 2022/05/24 17:15:23 guenther Exp $ */
-/* $NetBSD: byte_swap_2.S,v 1.3 2003/04/05 23:08:51 bjh21 Exp $ */
-
-/*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Charles M. Hannum.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "DEFS.h"
-
-_ENTRY(__bswap16)
-_ENTRY_NB(ntohs)
-ENTRY_NB(htons)
- and r1, r0, #0xff
- mov r0, r0, lsr #8
- orr r0, r0, r1, lsl #8
- mov pc, lr
-END(htons)
-_END(ntohs)
-_END(__bswap16)
- .weak htons
- .weak ntohs
diff --git a/lib/libc/arch/arm/net/Makefile.inc b/lib/libc/arch/arm/net/Makefile.inc
deleted file mode 100644
index 3d8131dd8..000000000
--- a/lib/libc/arch/arm/net/Makefile.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.2 2004/02/01 05:40:52 drahn Exp $
-# $NetBSD: Makefile.inc,v 1.1 2000/12/29 20:13:53 bjh21 Exp $
-
-# hton* and nto* functions provided by ../gen/byte_swap_*.S
-SRCS+=
diff --git a/lib/libcrypto/cryptlib.c b/lib/libcrypto/cryptlib.c
index ae3df35f5..dc62d8208 100644
--- a/lib/libcrypto/cryptlib.c
+++ b/lib/libcrypto/cryptlib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptlib.c,v 1.50 2024/04/10 14:51:02 beck Exp $ */
+/* $OpenBSD: cryptlib.c,v 1.51 2024/04/21 13:41:14 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
 *
@@ -277,8 +277,7 @@ CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)(
 LCRYPTO_ALIAS(CRYPTO_set_dynlock_destroy_callback);
 struct CRYPTO_dynlock_value *
-(*CRYPTO_get_dynlock_create_callback(void))(
- const char *file, int line)
+(*CRYPTO_get_dynlock_create_callback(void))(const char *file, int line)
 {
 return NULL;
 }
diff --git a/lib/libcrypto/man/X509_LOOKUP_new.3 b/lib/libcrypto/man/X509_LOOKUP_new.3
index 964594cde..1cb163404 100644
--- a/lib/libcrypto/man/X509_LOOKUP_new.3
+++ b/lib/libcrypto/man/X509_LOOKUP_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.10 2024/04/14 10:56:18 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.11 2024/04/22 02:30:23 jsg Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 14 2024 $
+.Dd $Mdocdate: April 22 2024 $
 .Dt X509_LOOKUP_NEW 3
 .Os
 .Sh NAME
@@ -75,7 +75,7 @@ is a deprecated function that releases the memory used by
 .Fa lookup .
-It is provided for compatibility only.
+It is provided for compatibility only.
 If
 .Fa lookup
 is a
diff --git a/regress/usr.sbin/rpki-client/rsc/c6938fc00af6496d9d4e6e2d876e4b4811887b60f4f1bc9cd0b3cdb7c57c6d5e.sig b/regress/usr.sbin/rpki-client/rsc/c6938fc00af6496d9d4e6e2d876e4b4811887b60f4f1bc9cd0b3cdb7c57c6d5e.sig
deleted file mode 100644
index 1dc551108..000000000
Binary files a/regress/usr.sbin/rpki-client/rsc/c6938fc00af6496d9d4e6e2d876e4b4811887b60f4f1bc9cd0b3cdb7c57c6d5e.sig and /dev/null differ
diff --git a/sbin/slaacd/engine.c b/sbin/slaacd/engine.c
index 000a9fcf4..bb1036852 100644
--- a/sbin/slaacd/engine.c
+++ b/sbin/slaacd/engine.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.c,v 1.88 2024/02/11 21:29:12 bluhm Exp $ */
+/* $OpenBSD: engine.c,v 1.89 2024/04/21 17:33:05 florian Exp $ */
 /*
 * Copyright (c) 2017 Florian Obser
@@ -2130,6 +2130,7 @@ configure_address(struct address_proposal *addr_proposal)
 address.if_index = addr_proposal->if_index;
 memcpy(&address.addr, &addr_proposal->addr, sizeof(address.addr));
+ memcpy(&address.gw, &addr_proposal->from, sizeof(address.gw));
 memcpy(&address.mask, &addr_proposal->mask, sizeof(address.mask));
 address.vltime = addr_proposal->vltime;
 address.pltime = addr_proposal->pltime;
diff --git a/sbin/slaacd/engine.h b/sbin/slaacd/engine.h
index 7a8551d2c..cf4398849 100644
--- a/sbin/slaacd/engine.h
+++ b/sbin/slaacd/engine.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.h,v 1.6 2021/03/21 18:25:24 florian Exp $ */
+/* $OpenBSD: engine.h,v 1.7 2024/04/21 17:33:05 florian Exp $ */
 /*
 * Copyright (c) 2004, 2005 Esben Norby
@@ -19,6 +19,7 @@ struct imsg_configure_address {
 uint32_t if_index;
 struct sockaddr_in6 addr;
+ struct sockaddr_in6 gw;
 struct in6_addr mask;
 uint32_t vltime;
 uint32_t pltime;
diff --git a/sbin/slaacd/slaacd.c b/sbin/slaacd/slaacd.c
index 4d1786361..05af06e68 100644
--- a/sbin/slaacd/slaacd.c
+++ b/sbin/slaacd/slaacd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: slaacd.c,v 1.68 2023/02/15 13:47:00 florian Exp $ */
+/* $OpenBSD: slaacd.c,v 1.69 2024/04/21 17:33:05 florian Exp $ */
 /*
 * Copyright (c) 2017 Florian Obser
@@ -632,6 +632,8 @@ configure_interface(struct imsg_configure_address *address)
 memcpy(&in6_addreq.ifra_addr, &address->addr,
 sizeof(in6_addreq.ifra_addr));
+ memcpy(&in6_addreq.ifra_dstaddr, &address->gw,
+ sizeof(in6_addreq.ifra_dstaddr));
 memcpy(&in6_addreq.ifra_prefixmask.sin6_addr, &address->mask,
 sizeof(in6_addreq.ifra_prefixmask.sin6_addr));
 in6_addreq.ifra_prefixmask.sin6_family = AF_INET6;
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 2ec50eb06..058800bc5 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.251 2023/12/03 20:36:24 bluhm Exp $ */
+/* $OpenBSD: icmp6.c,v 1.252 2024/04/21 17:32:10 florian Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 /*
@@ -1164,7 +1164,7 @@ icmp6_reflect(struct mbuf **mp, size_t off, struct sockaddr *sa)
 rtfree(rt);
 goto bad;
 }
- ia6 = in6_ifawithscope(rt->rt_ifa->ifa_ifp, &t, rtableid);
+ ia6 = in6_ifawithscope(rt->rt_ifa->ifa_ifp, &t, rtableid, rt);
 if (ia6 != NULL)
 src = &ia6->ia_addr.sin6_addr;
 if (src == NULL)
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 50bceb006..e1a7a6209 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6.c,v 1.264 2024/04/17 08:36:30 florian Exp $ */
+/* $OpenBSD: in6.c,v 1.265 2024/04/21 17:32:10 florian Exp $ */
 /* $KAME: in6.c,v 1.372 2004/06/14 08:14:21 itojun Exp $ */
 /*
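Review bot: The added copy into `in6_addreq.ifra_dstaddr` makes this SIOCAIFADDR_IN6 request depend on the in6_update_ifa() change elsewhere in this diff; a kernel without it rejects an AF_INET6 ifra_dstaddr on a non-p2p, non-loopback interface with EINVAL, so slaacd and kernel must be upgraded together. A comment above the new memcpy would make that coupling visible, e.g. `/* announcing router; the kernel stores it as ia_gwaddr for IN6_IFF_AUTOCONF addresses */`. Whether ifra_flags carries IN6_IFF_AUTOCONF is set outside this hunk; without it the kernel would treat the value as a p2p destination address instead. configure_interface's body continues past the hunk.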
@@ -562,13 +562,19 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 return (EINVAL);
 /*
- * The destination address for a p2p link must have a family
- * of AF_UNSPEC or AF_INET6.
+ * The destination address for a p2p link or the address of the
+ * announcing router for an autoconf address must have a family of
+ * AF_UNSPEC or AF_INET6.
 */
- if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
- ifra->ifra_dstaddr.sin6_family != AF_INET6 &&
- ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
- return (EAFNOSUPPORT);
+ if ((ifp->if_flags & IFF_POINTOPOINT) ||
+ (ifp->if_flags & IFF_LOOPBACK) ||
+ (ifra->ifra_flags & IN6_IFF_AUTOCONF)) {
+ if (ifra->ifra_dstaddr.sin6_family != AF_INET6 &&
+ ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
+ return (EAFNOSUPPORT);
+
+ } else if (ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
+ return (EINVAL);
 /*
 * validate ifra_prefixmask. don't check sin6_family, netmask
@@ -597,27 +603,15 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 */
 plen = in6_mask2len(&ia6->ia_prefixmask.sin6_addr, NULL);
 }
- /*
- * If the destination address on a p2p interface is specified,
- * and the address is a scoped one, validate/set the scope
- * zone identifier.
- */
+
 dst6 = ifra->ifra_dstaddr;
- if ((ifp->if_flags & (IFF_POINTOPOINT|IFF_LOOPBACK)) != 0 &&
- (dst6.sin6_family == AF_INET6)) {
+ if (dst6.sin6_family == AF_INET6) {
 error = in6_check_embed_scope(&dst6, ifp->if_index);
 if (error)
 return error;
- }
- /*
- * The destination address can be specified only for a p2p or a
- * loopback interface. If specified, the corresponding prefix length
- * must be 128.
- */
- if (ifra->ifra_dstaddr.sin6_family == AF_INET6) {
- if ((ifp->if_flags & (IFF_POINTOPOINT|IFF_LOOPBACK)) == 0)
- return (EINVAL);
- if (plen != 128)
+
+ if (((ifp->if_flags & IFF_POINTOPOINT) ||
+ (ifp->if_flags & IFF_LOOPBACK)) && plen != 128)
 return (EINVAL);
 }
 /* lifetime consistency check */
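Review bot: The new `} else if (ifra->ifra_dstaddr.sin6_family != AF_UNSPEC) return (EINVAL);` inspects ifra_dstaddr on every interface, whereas the removed check only looked at it for IFF_POINTOPOINT; a caller that leaves ifra_dstaddr uninitialised or with some other family on an ordinary interface now gets EINVAL where the field was previously ignored. If that tightening is intended it belongs in the comment so the next reader does not take it for an accident, e.g. `* On any other interface ifra_dstaddr must be left unspecified.`. in6_update_ifa starts and ends outside this hunk, so I cannot see whether ifra is zeroed before reaching here.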
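Review bot: For an address that is both IN6_IFF_AUTOCONF and on an IFF_POINTOPOINT or IFF_LOOPBACK interface, the rewritten check still demands `plen == 128` once ifra_dstaddr is AF_INET6, yet the new semantics pass the announcing router in that very field, so an autoconf /64 on a point-to-point link would fail with EINVAL. The install block in the `@@ -686` hunk of this file has the same overlap and would store the router as ia_dstaddr as well. Excluding autoconf from the p2p/loopback case, `if (((ifp->if_flags & IFF_POINTOPOINT) || (ifp->if_flags & IFF_LOOPBACK)) && !(ifra->ifra_flags & IN6_IFF_AUTOCONF) && plen != 128)`, would keep the two meanings of ifra_dstaddr apart; whether slaacd is ever run on such interfaces is not visible here. in6_update_ifa continues outside the hunk.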
@@ -652,7 +646,8 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 ia6->ia_addr.sin6_family = AF_INET6;
 ia6->ia_addr.sin6_len = sizeof(ia6->ia_addr);
 ia6->ia6_updatetime = getuptime();
- if ((ifp->if_flags & (IFF_POINTOPOINT | IFF_LOOPBACK)) != 0) {
+ if ((ifp->if_flags & IFF_POINTOPOINT) ||
+ (ifp->if_flags & IFF_LOOPBACK)) {
 /*
 * XXX: some functions expect that ifa_dstaddr is not
 * NULL for p2p interfaces.
@@ -686,10 +681,10 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 /*
 * If a new destination address is specified, scrub the old one and
- * install the new destination. Note that the interface must be
- * p2p or loopback (see the check above.)
+ * install the new destination.
 */
- if ((ifp->if_flags & IFF_POINTOPOINT) && dst6.sin6_family == AF_INET6 &&
+ if (((ifp->if_flags & IFF_POINTOPOINT) ||
+ (ifp->if_flags & IFF_LOOPBACK)) && dst6.sin6_family == AF_INET6 &&
 !IN6_ARE_ADDR_EQUAL(&dst6.sin6_addr, &ia6->ia_dstaddr.sin6_addr)) {
 struct ifaddr *ifa = &ia6->ia_ifa;
@@ -706,6 +701,13 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 ia6->ia_dstaddr = dst6;
 }
+ if ((ifra->ifra_flags & IN6_IFF_AUTOCONF) &&
+ dst6.sin6_family == AF_INET6 &&
+ !IN6_ARE_ADDR_EQUAL(&dst6.sin6_addr, &ia6->ia_gwaddr.sin6_addr)) {
+ /* Set or update announcing router */
+ ia6->ia_gwaddr = dst6;
+ }
+
 /*
 * Set lifetimes. We do not refer to ia6t_expire and ia6t_preferred
 * to see if the address is deprecated or invalidated, but initialize
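Review bot: The new block in the `@@ -706` hunk only ever assigns `ia6->ia_gwaddr`; nothing in this diff resets it, so an existing autoconf address that is re-added with ifra_dstaddr left AF_UNSPEC keeps whichever router was learned earlier, and in6_ifawithscope() keeps preferring it under Rule 5.5. If that is the intended behaviour the comment should say so, e.g. `/* Set or update announcing router; retained until a new one is learned */`; if not, clearing ia_gwaddr when dst6.sin6_family is AF_UNSPEC would be the alternative. Whether a freshly allocated ia6 starts with a zeroed ia_gwaddr is decided outside the hunk. in6_update_ifa's body extends past both ends of this hunk.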
@@ -1329,13 +1331,21 @@ in6_prefixlen2mask(struct in6_addr *maskp, int len)
 * return the best address out of the same scope
 */
 struct in6_ifaddr *
-in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain)
+in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain,
+ struct rtentry *rt)
 {
 int dst_scope = in6_addrscope(dst), src_scope, best_scope = 0;
 int blen = -1;
 struct ifaddr *ifa;
 struct ifnet *ifp;
 struct in6_ifaddr *ia6_best = NULL;
+ struct in6_addr *gw6 = NULL;
+
+ if (rt) {
+ if (rt->rt_gateway != NULL &&
+ rt->rt_gateway->sa_family == AF_INET6)
+ gw6 = &(satosin6(rt->rt_gateway)->sin6_addr);
+ }
 if (oifp == NULL) {
 printf("%s: output interface is not specified\n", __func__);
@@ -1460,8 +1470,16 @@ in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain)
 /*
 * Rule 5.5: Prefer addresses in a prefix advertised
 * by the next-hop.
- * We do not track this information.
 */
+ if (gw6) {
+ struct in6_addr *in6_bestgw, *in6_newgw;
+
+ in6_bestgw = &ia6_best->ia_gwaddr.sin6_addr;
+ in6_newgw = &ifatoia6(ifa)->ia_gwaddr.sin6_addr;
+ if (!IN6_ARE_ADDR_EQUAL(in6_bestgw, gw6) &&
+ IN6_ARE_ADDR_EQUAL(in6_newgw, gw6))
+ goto replace;
+ }
 /*
 * Rule 6: Prefer matching label.
diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h
index 642a24b19..f4e99485d 100644
--- a/sys/netinet6/in6.h
+++ b/sys/netinet6/in6.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6.h,v 1.116 2024/02/13 12:22:09 bluhm Exp $ */
+/* $OpenBSD: in6.h,v 1.117 2024/04/21 17:32:11 florian Exp $ */
 /* $KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $ */
 /*
@@ -404,6 +404,7 @@ struct sockaddr_in6;
 struct ifaddr;
 struct in6_ifaddr;
 struct ifnet;
+struct rtentry;
 void ipv6_input(struct ifnet *, struct mbuf *);
 struct mbuf *
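Review bot: The Rule 5.5 block in the `@@ -1460` hunk only handles the case where the candidate matches the next-hop and the current best does not (`goto replace`); the mirror case, best already matching gw6 and the candidate not, falls through to Rules 6 to 8, which can then displace a Rule 5.5 winner, against the rule ordering of RFC 6724. Adding `if (IN6_ARE_ADDR_EQUAL(in6_bestgw, gw6) && !IN6_ARE_ADDR_EQUAL(in6_newgw, gw6)) continue;` ahead of the existing test would keep Rule 5.5 decisive, assuming the neighbouring rules use `continue` the same way (their code lies outside the hunk). The block also dereferences ia6_best unconditionally; if nothing earlier in the loop guarantees it is set by this point, a NULL guard is needed. The rt parameter added in the `@@ -1329` hunk is only read here, so the caller's reference on rt suffices.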
@@ -413,7 +414,8 @@ int in6_cksum(struct mbuf *, uint8_t, uint32_t, uint32_t);
 void in6_proto_cksum_out(struct mbuf *, struct ifnet *);
 int in6_localaddr(struct in6_addr *);
 int in6_addrscope(struct in6_addr *);
-struct in6_ifaddr *in6_ifawithscope(struct ifnet *, struct in6_addr *, u_int);
+struct in6_ifaddr *in6_ifawithscope(struct ifnet *, struct in6_addr *, u_int,
+ struct rtentry *);
 int in6_mask2len(struct in6_addr *, u_char *);
 int in6_nam2sin6(const struct mbuf *, struct sockaddr_in6 **);
 int in6_sa2sin6(struct sockaddr *, struct sockaddr_in6 **);
diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c
index d6163d254..b7097b434 100644
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_src.c,v 1.98 2024/03/31 15:53:12 bluhm Exp $ */
+/* $OpenBSD: in6_src.c,v 1.99 2024/04/21 17:32:11 florian Exp $ */
 /* $KAME: in6_src.c,v 1.36 2001/02/06 04:08:17 itojun Exp $ */
 /*
@@ -162,7 +162,7 @@ in6_pcbselsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 if (ifp == NULL)
 return (ENXIO); /* XXX: better error? */
- ia6 = in6_ifawithscope(ifp, dst, rtableid);
+ ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 if_put(ifp);
 if (ia6 == NULL)
@@ -192,7 +192,7 @@ in6_pcbselsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 if (rt != NULL) {
 ifp = if_get(rt->rt_ifidx);
 if (ifp != NULL) {
- ia6 = in6_ifawithscope(ifp, dst, rtableid);
+ ia6 = in6_ifawithscope(ifp, dst, rtableid, rt);
 if_put(ifp);
 }
 if (ia6 == NULL) /* xxx scope error ?*/
@@ -256,7 +256,7 @@ in6_selectsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 if (ifp == NULL)
 return (ENXIO); /* XXX: better error? */
- ia6 = in6_ifawithscope(ifp, dst, rtableid);
+ ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 if_put(ifp);
 if (ia6 == NULL)
@@ -280,7 +280,7 @@ in6_selectsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 ifp = if_get(htons(dstsock->sin6_scope_id));
 if (ifp) {
- ia6 = in6_ifawithscope(ifp, dst, rtableid);
+ ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 if_put(ifp);
 if (ia6 == NULL)
diff --git a/sys/netinet6/in6_var.h b/sys/netinet6/in6_var.h
index 1323eee20..bd64239f2 100644
--- a/sys/netinet6/in6_var.h
+++ b/sys/netinet6/in6_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_var.h,v 1.78 2022/11/23 07:57:39 kn Exp $ */
+/* $OpenBSD: in6_var.h,v 1.79 2024/04/21 17:32:11 florian Exp $ */
 /* $KAME: in6_var.h,v 1.55 2001/02/16 12:49:45 itojun Exp $ */
 /*
@@ -93,6 +93,7 @@ struct in6_ifaddr {
 #define ia_flags ia_ifa.ifa_flags
 struct sockaddr_in6 ia_addr; /* interface address */
+ struct sockaddr_in6 ia_gwaddr; /* router we learned address from */
 struct sockaddr_in6 ia_dstaddr; /* space for destination addr */
 struct sockaddr_in6 ia_prefixmask; /* prefix mask */
 TAILQ_ENTRY(in6_ifaddr) ia_list; /* list of IP6 addresses */
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index b5fbf3d56..c4f347f22 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.129 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: cert.c,v 1.130 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -773,7 +773,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 }
 X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 nid = OBJ_obj2nid(cobj);
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 8b9485caa..c9d8ae5b4 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
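Review bot: The comment on the new `ia_gwaddr` field in the in6_var.h hunk should say when it is meaningful: the in6.c hunks in this diff only populate it for IN6_IFF_AUTOCONF addresses and read it from in6_ifawithscope() for Rule 5.5, so for every other address it holds whatever the allocation left there. Suggest `/* router we learned address from (IN6_IFF_AUTOCONF only; read by in6_ifawithscope) */`.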
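Review bot: The `experimental && nid == NID_ecdsa_with_SHA256` test followed by `warnx("%s: P-256 support is experimental", fn)` is now repeated verbatim in cert.c here, in crl.c and in cms.c; three copies of one policy invite drift the next time the experimental gate changes. A single helper, say `static int sigalg_is_p256_experimental(const char *fn, int nid)`, would keep the check and its message together. Since the `else if` branch lies outside the hunk, I cannot see whether the rejection message names the offending algorithm when experimental is off, which is what an operator would need to see to understand why a P-256 certificate is now refused.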
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.42 2024/02/01 15:11:38 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.44 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -30,7 +30,6 @@ extern ASN1_OBJECT *cnt_type_oid;
 extern ASN1_OBJECT *msg_dgst_oid;
 extern ASN1_OBJECT *sign_time_oid;
-extern ASN1_OBJECT *bin_sign_time_oid;
 static int
 cms_extract_econtent(const char *fn, CMS_ContentInfo *cms,
 unsigned char **res,
@@ -108,8 +107,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 EVP_PKEY *pkey;
 X509_ALGOR *pdig, *psig;
 int i, nattrs, nid;
- int has_ct = 0, has_md = 0, has_st = 0,
- has_bst = 0;
+ int has_ct = 0, has_md = 0, has_st = 0;
 time_t notafter;
 int rc = 0;
@@ -218,12 +216,6 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 }
 if (!cms_get_signtime(fn, attr, signtime))
 goto out;
- } else if (OBJ_cmp(obj, bin_sign_time_oid) == 0) {
- if (has_bst++ != 0) {
- warnx("%s: RFC 6488: duplicate "
- "signed attribute", fn);
- goto out;
- }
 } else {
 OBJ_obj2txt(buf, sizeof(buf), obj, 1);
 warnx("%s: RFC 6488: "
@@ -239,11 +231,11 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 goto out;
 }
- if (has_bst)
- warnx("%s: unsupported CMS signing-time attribute", fn);
-
- if (!has_st)
+ if (!has_st) {
+ /* RFC-to-be draft-ietf-sidrops-cms-signing-time */
 warnx("%s: missing CMS signing-time attribute", fn);
+ goto out;
+ }
 if (CMS_unsigned_get_attr_count(si) != -1) {
 warnx("%s: RFC 6488: CMS has unsignedAttrs", fn);
@@ -265,7 +257,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 X509_ALGOR_get0(&obj, NULL, NULL, psig);
 nid = OBJ_obj2nid(obj);
 /* RFC7935 last paragraph of section 2 specifies the allowed psig */
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_rsaEncryption &&
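Review bot: Turning a missing signing-time into `goto out` in the `@@ -239` hunk changes the validity outcome for every CMS object that previously drew only a warning, and the comment `/* RFC-to-be draft-ietf-sidrops-cms-signing-time */` does not say which requirement is enforced; suggest `/* draft-ietf-sidrops-cms-signing-time makes signing-time mandatory */`. With the binary-signing-time branch removed in the `@@ -218` hunk, an object carrying that attribute now lands in the `} else {` unknown-attribute path and presumably fails as well, where it used to be tolerated with a warning; if that is intended, one sentence on it in the same comment would save the next reader a bisect. cms_parse_validate_internal begins and ends outside these hunks.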
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index c6ad99d28..1f6507376 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.33 2024/04/15 13:57:45 job Exp $ */
+/* $OpenBSD: crl.c,v 1.34 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -63,7 +63,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 }
 X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 nid = OBJ_obj2nid(cobj);
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index f72b38372..9dd699717 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.216 2024/04/15 13:57:45 job Exp $ */
+/* $OpenBSD: extern.h,v 1.217 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -645,8 +645,10 @@ struct msgbuf;
 /* global variables */
 extern int verbose;
+extern int noop;
 extern int filemode;
 extern int excludeaspa;
+extern int experimental;
 extern const char *tals[];
 extern const char *taldescs[];
 extern unsigned int talrepocnt[];
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c
index cd4baade1..5590079a2 100644
--- a/usr.sbin/rpki-client/filemode.c
+++ b/usr.sbin/rpki-client/filemode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filemode.c,v 1.40 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: filemode.c,v 1.41 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -41,8 +41,6 @@
 #include "extern.h"
 #include "json.h"
-extern int verbose;
-
 static X509_STORE_CTX *ctx;
 static struct auth_tree auths = RB_INITIALIZER(&auths);
 static struct crl_tree crlt = RB_INITIALIZER(&crlt);
diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index afea19f3f..bc0695ef8 100644
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-json.c,v 1.48 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: output-json.c,v 1.49 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 *
@@ -23,8 +23,6 @@
 #include "extern.h"
 #include "json.h"
-extern int experimental;
-
 static void
 outputheader_json(struct stats *st)
 {
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index d26d9c77d..f482d6768 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.134 2024/04/17 15:03:22 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.135 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -38,10 +38,6 @@
 #include "extern.h"
-extern int noop;
-extern int experimental;
-extern int verbose;
-
 static X509_STORE_CTX *ctx;
 static struct auth_tree auths = RB_INITIALIZER(&auths);
 static struct crl_tree crlt = RB_INITIALIZER(&crlt);
diff --git a/usr.sbin/rpki-client/repo.c b/usr.sbin/rpki-client/repo.c
index 7290dcfe4..14ea81dea 100644
--- a/usr.sbin/rpki-client/repo.c
+++ b/usr.sbin/rpki-client/repo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: repo.c,v 1.56 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: repo.c,v 1.57 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -38,7 +38,6 @@
 #include "extern.h"
 extern struct stats stats;
-extern int noop;
 extern int rrdpon;
 extern int repo_timeout;
 extern time_t deadline;
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 7d56f0c8b..8ce43b3df 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.86 2024/04/03 04:20:13 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.87 2024/04/21 09:03:22 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -39,7 +39,6 @@ ASN1_OBJECT *bgpsec_oid; /* id-kp-bgpsec-router Key Purpose */
 ASN1_OBJECT *cnt_type_oid; /* pkcs-9 id-contentType */
 ASN1_OBJECT *msg_dgst_oid; /* pkcs-9 id-messageDigest */
 ASN1_OBJECT *sign_time_oid; /* pkcs-9 id-signingTime */
-ASN1_OBJECT *bin_sign_time_oid; /* pkcs-9 id-aa-binarySigningTime */
 ASN1_OBJECT *rsc_oid; /* id-ct-signedChecklist */
 ASN1_OBJECT *aspa_oid; /* id-ct-ASPA */
 ASN1_OBJECT *tak_oid; /* id-ct-SignedTAL */
@@ -98,10 +97,6 @@ static const struct {
 .oid = "1.2.840.113549.1.9.5",
 .ptr = &sign_time_oid,
 },
- {
- .oid = "1.2.840.113549.1.9.16.2.46",
- .ptr = &bin_sign_time_oid,
- },
 {
 .oid = "1.2.840.113549.1.9.16.1.47",
 .ptr = &geofeed_oid,