sync with OpenBSD -current

lib/libcrypto/man/EC_KEY_new.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_new.3,v 1.18 2023/08/29 10:07:42 tb Exp $
+.\" $OpenBSD: EC_KEY_new.3,v 1.19 2024/02/16 06:09:36 tb Exp $
 .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500
 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2023 $
+.Dd $Mdocdate: February 16 2024 $
 .Dt EC_KEY_NEW 3
 .Os
 .Sh NAME
@@ -324,6 +324,10 @@ object, the private key and the
 public key for the
 .Fa key ,
 respectively.
+The setters copy the group and key objects without sanity checks
+and it is the caller's responsibility to ensure that
+the resulting key is valid, for example using
+.Fn EC_KEY_check_key .
 .Pp
 The functions
 .Fn EC_KEY_get_enc_flags

sbin/iked/iked.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: iked.c,v 1.69 2024/02/15 19:04:12 tobhe Exp $	*/
+/*	$OpenBSD: iked.c,v 1.70 2024/02/15 20:10:45 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -45,6 +45,7 @@ void	 parent_sig_handler(int, short, void *);
 int	 parent_dispatch_ca(int, struct privsep_proc *, struct imsg *);
 int	 parent_dispatch_control(int, struct privsep_proc *, struct imsg *);
 int	 parent_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+void	 parent_connected(struct privsep *);
 int	 parent_configure(struct iked *);
 
 struct iked	*iked_env;
@@ -219,12 +220,9 @@ main(int argc, char *argv[])
 	signal_add(&ps->ps_evsigpipe, NULL);
 	signal_add(&ps->ps_evsigusr1, NULL);
 
-	proc_connect(ps);
-
 	vroute_init(env);
 
-	if (parent_configure(env) == -1)
-		fatalx("configuration failed");
+	proc_connect(ps, parent_connected);
 
 	event_dispatch();
 
@@ -234,6 +232,15 @@ main(int argc, char *argv[])
 	return (0);
 }
 
+void
+parent_connected(struct privsep *ps)
+{
+	struct iked	*env = ps->ps_env;
+
+	if (parent_configure(env) == -1)
+		fatalx("configuration failed");
+}
+
 int
 parent_configure(struct iked *env)
 {

sbin/iked/iked.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: iked.h,v 1.228 2024/02/15 19:11:00 tobhe Exp $	*/
+/*	$OpenBSD: iked.h,v 1.229 2024/02/15 20:10:45 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -730,6 +730,8 @@ struct privsep {
 	struct event			 ps_evsigusr1;
 
 	struct iked			*ps_env;
+	unsigned int			 ps_connecting;
+	void				(*ps_connected)(struct privsep *);
 };
 
 struct privsep_proc {
@@ -1192,7 +1194,7 @@ void	 timer_del(struct iked *, struct iked_timer *);
 void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int, int,
 	    int, char **, enum privsep_procid);
 void	 proc_kill(struct privsep *);
-void	 proc_connect(struct privsep *);
+void	 proc_connect(struct privsep *, void (*)(struct privsep *));
 void	 proc_dispatch(int, short event, void *);
 void	 proc_run(struct privsep *, struct privsep_proc *,
 	    struct privsep_proc *, unsigned int,

sbin/iked/proc.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: proc.c,v 1.41 2024/02/15 19:04:12 tobhe Exp $	*/
+/*	$OpenBSD: proc.c,v 1.42 2024/02/15 20:10:45 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2010 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -155,14 +155,19 @@ proc_exec(struct privsep *ps, struct privsep_proc *procs, unsigned int nproc,
 }
 
 void
-proc_connect(struct privsep *ps)
+proc_connect(struct privsep *ps, void (*connected)(struct privsep *))
 {
 	struct imsgev		*iev;
 	unsigned int		 src, dst, inst;
 
 	/* Don't distribute any sockets if we are not really going to run. */
-	if (ps->ps_noaction)
+	if (ps->ps_noaction) {
+		if (connected == NULL)
+			fatalx("%s: missing callback", __func__);
+		connected(ps);
 		return;
+	}
+	ps->ps_connected = connected;
 
 	for (dst = 0; dst < PROC_MAX; dst++) {
 		/* We don't communicate with ourselves. */
@@ -187,6 +192,27 @@ proc_connect(struct privsep *ps)
 
 			proc_open(ps, src, dst);
 		}
+
+	/*
+	 * Finally, send a ready message to everyone:
+	 * When this message is processed by the receiver, it has
+	 * already processed all IMSG_CTL_PROCFD messages and all
+	 * pipes are ready.
+	 */
+	for (dst = 0; dst < PROC_MAX; dst++) {
+		if (dst == PROC_PARENT)
+			continue;
+		for (inst = 0; inst < ps->ps_instances[dst]; inst++) {
+			if (proc_compose_imsg(ps, dst, inst, IMSG_CTL_PROCREADY,
+			    -1, -1, NULL, 0) == -1)
+				fatal("%s: proc_compose_imsg", __func__);
+			ps->ps_connecting++;
+#if DEBUG
+			log_debug("%s: #%d %s %d", __func__,
+			    ps->ps_connecting, ps->ps_title[dst], inst + 1);
+#endif
+		}
+	}
 }
 
 void
@@ -663,6 +689,33 @@ proc_dispatch(int fd, short event, void *arg)
 			proc_accept(ps, imsg_get_fd(&imsg), pf.pf_procid,
 			    pf.pf_instance);
 			break;
+		case IMSG_CTL_PROCREADY:
+#if DEBUG
+			log_debug("%s: ready-%s: #%d %s %d -> %s %d", __func__,
+			    p->p_id == PROC_PARENT ? "req" : "ack",
+			    ps->ps_connecting, p->p_title, imsg.hdr.pid,
+			    title, ps->ps_instance + 1);
+#endif
+			if (p->p_id == PROC_PARENT) {
+				/* ack that we are ready */
+				if (proc_compose_imsg(ps, PROC_PARENT, 0,
+				    IMSG_CTL_PROCREADY, -1, -1, NULL, 0) == -1)
+					fatal("%s: proc_compose_imsg", __func__);
+			} else {
+				/* parent received ack */
+				if (ps->ps_connecting == 0)
+					fatalx("%s: wrong acks", __func__);
+				if (ps->ps_instance != 0)
+					fatalx("%s: wrong instance %d",
+					    __func__, ps->ps_instance);
+				if (ps->ps_connected == NULL)
+					fatalx("%s: missing callback", __func__);
+				if (--ps->ps_connecting == 0) {
+					log_debug("%s: all connected", __func__);
+					ps->ps_connected(ps);
+				}
+			}
+			break;
 		default:
 			fatalx("%s: %s %d got invalid imsg %d peerid %d "
 			    "from %s %d",

sbin/iked/types.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: types.h,v 1.53 2024/01/15 15:29:00 tobhe Exp $	*/
+/*	$OpenBSD: types.h,v 1.54 2024/02/15 20:10:45 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -132,6 +132,7 @@ enum imsg_type {
 	IMSG_CTL_SHOW_CERTSTORE,
 	IMSG_CTL_SHOW_STATS,
 	IMSG_CTL_PROCFD,
+	IMSG_CTL_PROCREADY,
 };
 
 enum privsep_procid {

usr.sbin/rpki-client/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.203 2024/02/03 14:30:47 job Exp $ */
+/*	$OpenBSD: extern.h,v 1.204 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -847,6 +847,7 @@ int		 x509_get_crl(X509 *, const char *, char **);
 char		*x509_crl_get_aki(X509_CRL *, const char *);
 char		*x509_crl_get_number(X509_CRL *, const char *);
 char		*x509_get_pubkey(X509 *, const char *);
+char		*x509_pubkey_get_ski(X509_PUBKEY *, const char *);
 enum cert_purpose	 x509_get_purpose(X509 *, const char *);
 int		 x509_get_time(const ASN1_TIME *, time_t *);
 char		*x509_convert_seqnum(const char *, const ASN1_INTEGER *);

usr.sbin/rpki-client/print.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: print.c,v 1.48 2024/02/13 20:40:17 job Exp $ */
+/*	$OpenBSD: print.c,v 1.49 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -83,28 +83,16 @@ void
 tal_print(const struct tal *p)
 {
 	char			*ski;
-	const unsigned char	*der, *pkey_der;
+	const unsigned char	*der;
 	X509_PUBKEY		*pubkey;
-	ASN1_OBJECT		*obj;
-	unsigned char		 md[SHA_DIGEST_LENGTH];
-	int			 nid, der_len;
 	size_t			 i;
 
-	pkey_der = p->pkey;
-	if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL)
+	der = p->pkey;
+	if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL)
 		errx(1, "d2i_X509_PUBKEY failed");
 
-	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey))
-		errx(1, "X509_PUBKEY_get0_param failed");
-
-	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption)
-		errx(1, "RFC 7935: wrong signature algorithm %s, want %s",
-		    nid2str(nid), LN_rsaEncryption);
-
-	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL))
-		errx(1, "EVP_Digest failed");
-
-	ski = hex_encode(md, SHA_DIGEST_LENGTH);
+	if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL)
+		errx(1, "x509_pubkey_get_ski failed");
 
 	if (outformats & FORMAT_JSON) {
 		json_do_string("type", "tal");

usr.sbin/rpki-client/tak.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tak.c,v 1.16 2024/02/13 22:44:21 job Exp $ */
+/*	$OpenBSD: tak.c,v 1.17 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders <job@fastly.com>
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey *takey)
 {
 	const ASN1_UTF8STRING	*comment;
 	const ASN1_IA5STRING	*certURI;
-	X509_PUBKEY		*pkey;
-	ASN1_OBJECT		*obj;
+	X509_PUBKEY		*pubkey;
 	struct takey		*res = NULL;
-	const unsigned char	*der;
-	unsigned char		*pkey_der = NULL;
-	unsigned char		 md[SHA_DIGEST_LENGTH];
+	unsigned char		*der = NULL;
 	size_t			 i;
-	int			 der_len, nid, pkey_der_len;
+	int			 der_len;
 
 	if ((res = calloc(1, sizeof(struct takey))) == NULL)
 		err(1, NULL);
@@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey *takey)
 			err(1, NULL);
 	}
 
-	pkey = takey->subjectPublicKeyInfo;
-	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) {
-		warnx("%s: X509_PUBKEY_get0_param failed", fn);
+	pubkey = takey->subjectPublicKeyInfo;
+	if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL)
 		goto err;
-	}
 
-	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
-		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
-		    fn, nid2str(nid), LN_rsaEncryption);
-		goto err;
-	}
-
-	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) {
-		warnx("%s: EVP_Digest failed", fn);
-		goto err;
-	}
-	res->ski = hex_encode(md, SHA_DIGEST_LENGTH);
-
-	if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) {
+	if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) {
 		warnx("%s: i2d_X509_PUBKEY failed", fn);
 		goto err;
 	}
-	res->pubkey = pkey_der;
-	res->pubkeysz = pkey_der_len;
+	res->pubkey = der;
+	res->pubkeysz = der_len;
 
 	return res;
 

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.79 2024/02/14 10:49:00 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.80 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -374,6 +374,38 @@ x509_get_pubkey(X509 *x, const char *fn)
 	return res;
 }
 
+/*
+ * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1.
+ * Returns allocated hex-encoded SKI on success, NULL on failure.
+ */
+char *
+x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
+{
+	ASN1_OBJECT		*obj;
+	const unsigned char	*der;
+	int			 der_len, nid;
+	unsigned char		 md[EVP_MAX_MD_SIZE];
+	unsigned int		 md_len = EVP_MAX_MD_SIZE;
+
+	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) {
+		warnx("%s: X509_PUBKEY_get0_param failed", fn);
+		return NULL;
+	}
+
+	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
+		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+		    fn, nid2str(nid), LN_rsaEncryption);
+		return NULL;
+	}
+
+	if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
+		warnx("%s: EVP_Digest failed", fn);
+		return NULL;
+	}
+
+	return hex_encode(md, md_len);
+}
+
 /*
  * Parse the Authority Information Access (AIA) extension
  * See RFC 6487, section 4.8.7 for details.

usr.sbin/vmctl/vmctl.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: vmctl.8,v 1.75 2024/01/12 23:50:11 mlarkin Exp $
+.\"	$OpenBSD: vmctl.8,v 1.76 2024/02/16 01:48:06 jsg Exp $
 .\"
 .\" Copyright (c) 2015-2024 Mike Larkin <mlarkin@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 12 2024 $
+.Dd $Mdocdate: February 16 2024 $
 .Dt VMCTL 8
 .Os
 .Sh NAME
@@ -122,9 +122,10 @@ Receive a VM from standard input and start it with the specified
 .Ar name .
 .It Cm reload
 Remove all stopped VMs and reload the configuration from the default
-configuration file. VMs that are currently running will not have their
-configuration reloaded. To reload configurations for currently running
-VMs, stop those VMs before issuing the reload command.
+configuration file.
+VMs that are currently running will not have their configuration reloaded.
+To reload configurations for currently running VMs, stop those VMs before
+issuing the reload command.
 .It Cm reset Op Cm all | switches | vms
 Reset the running state,
 reset
@@ -220,8 +221,10 @@ option.
 Memory
 .Ar size
 of the VM, rounded to megabytes.
-The default is 512M. The maximum amount of memory assignable to a VM is
-governed by the datasize parameter for the vmd user in /etc/login.conf.
+The default is 512M.
+The maximum amount of memory assignable to a VM is governed by the datasize
+parameter for the vmd user in
+.Pa /etc/login.conf .
 .It Fl n Ar switch
 Add a network interface that is attached to the specified virtual
 .Ar switch .