From 76f27e90547a61061e8b9ba6552c95ced0b9d249 Mon Sep 17 00:00:00 2001 From: purplerain Date: Fri, 16 Feb 2024 07:19:11 +0000 Subject: [PATCH] sync with OpenBSD -current --- lib/libcrypto/man/EC_KEY_new.3 | 8 +++-- sbin/iked/iked.c | 17 +++++++--- sbin/iked/iked.h | 6 ++-- sbin/iked/proc.c | 59 ++++++++++++++++++++++++++++++++-- sbin/iked/types.h | 3 +- usr.sbin/rpki-client/extern.h | 3 +- usr.sbin/rpki-client/print.c | 24 ++++---------- usr.sbin/rpki-client/tak.c | 35 ++++++-------------- usr.sbin/rpki-client/x509.c | 34 +++++++++++++++++++- usr.sbin/vmctl/vmctl.8 | 17 ++++++---- 10 files changed, 140 insertions(+), 66 deletions(-) diff --git a/lib/libcrypto/man/EC_KEY_new.3 b/lib/libcrypto/man/EC_KEY_new.3 index 06afdd537..f415b91d6 100644 --- a/lib/libcrypto/man/EC_KEY_new.3 +++ b/lib/libcrypto/man/EC_KEY_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EC_KEY_new.3,v 1.18 2023/08/29 10:07:42 tb Exp $ +.\" $OpenBSD: EC_KEY_new.3,v 1.19 2024/02/16 06:09:36 tb Exp $ .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100 .\" @@ -49,7 +49,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 29 2023 $ +.Dd $Mdocdate: February 16 2024 $ .Dt EC_KEY_NEW 3 .Os .Sh NAME @@ -324,6 +324,10 @@ object, the private key and the public key for the .Fa key , respectively. +The setters copy the group and key objects without sanity checks +and it is the caller's responsibility to ensure that +the resulting key is valid, for example using +.Fn EC_KEY_check_key . .Pp The functions .Fn EC_KEY_get_enc_flags diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c index 7e9f6adda..00bd3f6e2 100644 --- a/sbin/iked/iked.c +++ b/sbin/iked/iked.c @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.c,v 1.69 2024/02/15 19:04:12 tobhe Exp $ */ +/* $OpenBSD: iked.c,v 1.70 2024/02/15 20:10:45 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -45,6 +45,7 @@ void parent_sig_handler(int, short, void *); int parent_dispatch_ca(int, struct privsep_proc *, struct imsg *); int parent_dispatch_control(int, struct privsep_proc *, struct imsg *); int parent_dispatch_ikev2(int, struct privsep_proc *, struct imsg *); +void parent_connected(struct privsep *); int parent_configure(struct iked *); struct iked *iked_env; @@ -219,12 +220,9 @@ main(int argc, char *argv[]) signal_add(&ps->ps_evsigpipe, NULL); signal_add(&ps->ps_evsigusr1, NULL); - proc_connect(ps); - vroute_init(env); - if (parent_configure(env) == -1) - fatalx("configuration failed"); + proc_connect(ps, parent_connected); event_dispatch(); @@ -234,6 +232,15 @@ main(int argc, char *argv[]) return (0); } +void +parent_connected(struct privsep *ps) +{ + struct iked *env = ps->ps_env; + + if (parent_configure(env) == -1) + fatalx("configuration failed"); +} + int parent_configure(struct iked *env) { diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index f13e6a08d..5b65a16bc 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.228 2024/02/15 19:11:00 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.229 2024/02/15 20:10:45 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -730,6 +730,8 @@ struct privsep { struct event ps_evsigusr1; struct iked *ps_env; + unsigned int ps_connecting; + void (*ps_connected)(struct privsep *); }; struct privsep_proc { @@ -1192,7 +1194,7 @@ void timer_del(struct iked *, struct iked_timer *); void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int, int, char **, enum privsep_procid); void proc_kill(struct privsep *); -void proc_connect(struct privsep *); +void proc_connect(struct privsep *, void (*)(struct privsep *)); void proc_dispatch(int, short event, void *); void proc_run(struct privsep *, struct privsep_proc *, struct privsep_proc *, unsigned int, diff --git a/sbin/iked/proc.c b/sbin/iked/proc.c index 69078840e..534427b2b 100644 --- a/sbin/iked/proc.c +++ b/sbin/iked/proc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.c,v 1.41 2024/02/15 19:04:12 tobhe Exp $ */ +/* $OpenBSD: proc.c,v 1.42 2024/02/15 20:10:45 tobhe Exp $ */ /* * Copyright (c) 2010 - 2016 Reyk Floeter @@ -155,14 +155,19 @@ proc_exec(struct privsep *ps, struct privsep_proc *procs, unsigned int nproc, } void -proc_connect(struct privsep *ps) +proc_connect(struct privsep *ps, void (*connected)(struct privsep *)) { struct imsgev *iev; unsigned int src, dst, inst; /* Don't distribute any sockets if we are not really going to run. */ - if (ps->ps_noaction) + if (ps->ps_noaction) { + if (connected == NULL) + fatalx("%s: missing callback", __func__); + connected(ps); return; + } + ps->ps_connected = connected; for (dst = 0; dst < PROC_MAX; dst++) { /* We don't communicate with ourselves. */ @@ -187,6 +192,27 @@ proc_connect(struct privsep *ps) proc_open(ps, src, dst); } + + /* + * Finally, send a ready message to everyone: + * When this message is processed by the receiver, it has + * already processed all IMSG_CTL_PROCFD messages and all + * pipes are ready. + */ + for (dst = 0; dst < PROC_MAX; dst++) { + if (dst == PROC_PARENT) + continue; + for (inst = 0; inst < ps->ps_instances[dst]; inst++) { + if (proc_compose_imsg(ps, dst, inst, IMSG_CTL_PROCREADY, + -1, -1, NULL, 0) == -1) + fatal("%s: proc_compose_imsg", __func__); + ps->ps_connecting++; +#if DEBUG + log_debug("%s: #%d %s %d", __func__, + ps->ps_connecting, ps->ps_title[dst], inst + 1); +#endif + } + } } void @@ -663,6 +689,33 @@ proc_dispatch(int fd, short event, void *arg) proc_accept(ps, imsg_get_fd(&imsg), pf.pf_procid, pf.pf_instance); break; + case IMSG_CTL_PROCREADY: +#if DEBUG + log_debug("%s: ready-%s: #%d %s %d -> %s %d", __func__, + p->p_id == PROC_PARENT ? "req" : "ack", + ps->ps_connecting, p->p_title, imsg.hdr.pid, + title, ps->ps_instance + 1); +#endif + if (p->p_id == PROC_PARENT) { + /* ack that we are ready */ + if (proc_compose_imsg(ps, PROC_PARENT, 0, + IMSG_CTL_PROCREADY, -1, -1, NULL, 0) == -1) + fatal("%s: proc_compose_imsg", __func__); + } else { + /* parent received ack */ + if (ps->ps_connecting == 0) + fatalx("%s: wrong acks", __func__); + if (ps->ps_instance != 0) + fatalx("%s: wrong instance %d", + __func__, ps->ps_instance); + if (ps->ps_connected == NULL) + fatalx("%s: missing callback", __func__); + if (--ps->ps_connecting == 0) { + log_debug("%s: all connected", __func__); + ps->ps_connected(ps); + } + } + break; default: fatalx("%s: %s %d got invalid imsg %d peerid %d " "from %s %d", diff --git a/sbin/iked/types.h b/sbin/iked/types.h index fd8add52a..6690a4ab5 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h @@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.53 2024/01/15 15:29:00 tobhe Exp $ */ +/* $OpenBSD: types.h,v 1.54 2024/02/15 20:10:45 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -132,6 +132,7 @@ enum imsg_type { IMSG_CTL_SHOW_CERTSTORE, IMSG_CTL_SHOW_STATS, IMSG_CTL_PROCFD, + IMSG_CTL_PROCREADY, }; enum privsep_procid { diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 2f472c9a1..2eb167dc2 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.203 2024/02/03 14:30:47 job Exp $ */ +/* $OpenBSD: extern.h,v 1.204 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -847,6 +847,7 @@ int x509_get_crl(X509 *, const char *, char **); char *x509_crl_get_aki(X509_CRL *, const char *); char *x509_crl_get_number(X509_CRL *, const char *); char *x509_get_pubkey(X509 *, const char *); +char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); enum cert_purpose x509_get_purpose(X509 *, const char *); int x509_get_time(const ASN1_TIME *, time_t *); char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index bbd478ce6..1e5503b2a 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.48 2024/02/13 20:40:17 job Exp $ */ +/* $OpenBSD: print.c,v 1.49 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -83,28 +83,16 @@ void tal_print(const struct tal *p) { char *ski; - const unsigned char *der, *pkey_der; + const unsigned char *der; X509_PUBKEY *pubkey; - ASN1_OBJECT *obj; - unsigned char md[SHA_DIGEST_LENGTH]; - int nid, der_len; size_t i; - pkey_der = p->pkey; - if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL) + der = p->pkey; + if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL) errx(1, "d2i_X509_PUBKEY failed"); - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) - errx(1, "X509_PUBKEY_get0_param failed"); - - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) - errx(1, "RFC 7935: wrong signature algorithm %s, want %s", - nid2str(nid), LN_rsaEncryption); - - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) - errx(1, "EVP_Digest failed"); - - ski = hex_encode(md, SHA_DIGEST_LENGTH); + if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL) + errx(1, "x509_pubkey_get_ski failed"); if (outformats & FORMAT_JSON) { json_do_string("type", "tal"); diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c index e786630a9..4273b6de6 100644 --- a/usr.sbin/rpki-client/tak.c +++ b/usr.sbin/rpki-client/tak.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tak.c,v 1.16 2024/02/13 22:44:21 job Exp $ */ +/* $OpenBSD: tak.c,v 1.17 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2022 Theo Buehler @@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey *takey) { const ASN1_UTF8STRING *comment; const ASN1_IA5STRING *certURI; - X509_PUBKEY *pkey; - ASN1_OBJECT *obj; + X509_PUBKEY *pubkey; struct takey *res = NULL; - const unsigned char *der; - unsigned char *pkey_der = NULL; - unsigned char md[SHA_DIGEST_LENGTH]; + unsigned char *der = NULL; size_t i; - int der_len, nid, pkey_der_len; + int der_len; if ((res = calloc(1, sizeof(struct takey))) == NULL) err(1, NULL); @@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey *takey) err(1, NULL); } - pkey = takey->subjectPublicKeyInfo; - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) { - warnx("%s: X509_PUBKEY_get0_param failed", fn); + pubkey = takey->subjectPublicKeyInfo; + if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL) goto err; - } - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { - warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", - fn, nid2str(nid), LN_rsaEncryption); - goto err; - } - - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) { - warnx("%s: EVP_Digest failed", fn); - goto err; - } - res->ski = hex_encode(md, SHA_DIGEST_LENGTH); - - if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) { + if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) { warnx("%s: i2d_X509_PUBKEY failed", fn); goto err; } - res->pubkey = pkey_der; - res->pubkeysz = pkey_der_len; + res->pubkey = der; + res->pubkeysz = der_len; return res; diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 679fe5039..c9e340b6c 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.79 2024/02/14 10:49:00 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.80 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -374,6 +374,38 @@ x509_get_pubkey(X509 *x, const char *fn) return res; } +/* + * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1. + * Returns allocated hex-encoded SKI on success, NULL on failure. + */ +char * +x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn) +{ + ASN1_OBJECT *obj; + const unsigned char *der; + int der_len, nid; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_len = EVP_MAX_MD_SIZE; + + if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) { + warnx("%s: X509_PUBKEY_get0_param failed", fn); + return NULL; + } + + if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { + warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", + fn, nid2str(nid), LN_rsaEncryption); + return NULL; + } + + if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) { + warnx("%s: EVP_Digest failed", fn); + return NULL; + } + + return hex_encode(md, md_len); +} + /* * Parse the Authority Information Access (AIA) extension * See RFC 6487, section 4.8.7 for details. diff --git a/usr.sbin/vmctl/vmctl.8 b/usr.sbin/vmctl/vmctl.8 index 7e23f2a4c..146ef3da8 100644 --- a/usr.sbin/vmctl/vmctl.8 +++ b/usr.sbin/vmctl/vmctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vmctl.8,v 1.75 2024/01/12 23:50:11 mlarkin Exp $ +.\" $OpenBSD: vmctl.8,v 1.76 2024/02/16 01:48:06 jsg Exp $ .\" .\" Copyright (c) 2015-2024 Mike Larkin .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 12 2024 $ +.Dd $Mdocdate: February 16 2024 $ .Dt VMCTL 8 .Os .Sh NAME @@ -122,9 +122,10 @@ Receive a VM from standard input and start it with the specified .Ar name . .It Cm reload Remove all stopped VMs and reload the configuration from the default -configuration file. VMs that are currently running will not have their -configuration reloaded. To reload configurations for currently running -VMs, stop those VMs before issuing the reload command. +configuration file. +VMs that are currently running will not have their configuration reloaded. +To reload configurations for currently running VMs, stop those VMs before +issuing the reload command. .It Cm reset Op Cm all | switches | vms Reset the running state, reset @@ -220,8 +221,10 @@ option. Memory .Ar size of the VM, rounded to megabytes. -The default is 512M. The maximum amount of memory assignable to a VM is -governed by the datasize parameter for the vmd user in /etc/login.conf. +The default is 512M. +The maximum amount of memory assignable to a VM is governed by the datasize +parameter for the vmd user in +.Pa /etc/login.conf . .It Fl n Ar switch Add a network interface that is attached to the specified virtual .Ar switch .