sync with OpenBSD -current

lib/libcrypto/man/X509_STORE_CTX_set_flags.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.6 2021/11/17 16:08:32 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.7 2024/01/12 19:28:02 tb Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 17 2021 $
+.Dd $Mdocdate: January 12 2024 $
 .Dt X509_STORE_CTX_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -76,7 +76,8 @@
 .Nm X509_STORE_CTX_set_depth ,
 .Nm X509_STORE_CTX_set_trust ,
 .Nm X509_STORE_CTX_set_purpose ,
-.Nm X509_STORE_CTX_purpose_inherit ,
+.\" .Nm X509_STORE_CTX_purpose_inherit is intentionally undocumented
+.\" because it will be removed in the next major bump.
 .Nm X509_STORE_CTX_get0_param ,
 .Nm X509_STORE_CTX_set0_param ,
 .Nm X509_STORE_CTX_set_default
@@ -109,13 +110,6 @@
 .Fa "X509_STORE_CTX *ctx"
 .Fa "int purpose"
 .Fc
-.Ft int
-.Fo X509_STORE_CTX_purpose_inherit
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int def_purpose"
-.Fa "int purpose"
-.Fa "int trust"
-.Fc
 .Ft X509_VERIFY_PARAM *
 .Fo X509_STORE_CTX_get0_param
 .Fa "X509_STORE_CTX *ctx"
@@ -178,9 +172,6 @@ argument is 0 or invalid
 or the trust identifier is already set to a non-zero value in the
 .Vt X509_VERIFY_PARAM
 object, no action occurs.
-Here and in the following,
-.Dv X509_TRUST_DEFAULT
-counts as invalid.
 .Pp
 .Fn X509_STORE_CTX_set_purpose
 sets the
@@ -200,7 +191,7 @@ is called the
 .Pp
 The function fails if the
 .Fa purpose
-argument or the associated trust is not 0 but invalid; otherwise,
+argument or the associated trust is invalid but not 0; otherwise,
 .Fn X509_STORE_CTX_set_purpose
 also does the equivalent of calling
 .Fn X509_STORE_CTX_set_trust
@@ -212,62 +203,6 @@ object, it is not changed, even if the
 .Fa purpose
 argument is valid, too.
 .Pp
-.Fn X509_STORE_CTX_purpose_inherit
-is similar to
-.Fn X509_STORE_CTX_set_purpose ,
-with the following modifications:
-.Bl -bullet
-.It
-If the
-.Fa purpose
-argument is 0,
-.Fa def_purpose
-is used instead.
-.It
-If the associated trust is
-.Dv X509_TRUST_DEFAULT ,
-the trust associated with
-.Fa def_purpose
-is used instead, or if
-.Fa def_purpose
-is 0 or invalid, the function fails.
-.It
-If the
-.Fa trust
-argument is not 0, it is used instead of the associated trust,
-and the equivalent of calling
-.Fn X509_STORE_CTX_set_trust
-is done even if both
-.Fa purpose
-and
-.Fa def_purpose
-are 0.
-Even if the
-.Fa trust
-argument is not 0, if the (then unused) associated trust is
-.Dv X509_TRUST_DEFAULT ,
-.Fa def_purpose
-is still required to be valid.
-.El
-.Pp
-Note that, even if all arguments are valid and the return value is 1,
-it is possible that nothing changed, or that only either one of the
-purpose and trust identifiers were set, or that both were set.
-It can also happen that the purpose identifier gets set according to the
-.Fa purpose
-argument, but the trust identifier gets set according to the
-.Fa def_purpose
-argument in the same call.
-.Pp
-The intended way of using this function is to pass the purpose and
-trust attributes of another structure of an arbitrary type as the
-.Fa purpose
-and
-.Fa trust
-arguments, and to provide
-.Fa def_purpose
-as a fallback in case the settings in the other structure are incomplete.
-.Pp
 .Fn X509_STORE_CTX_get0_param
 retrieves an internal pointer to the verification parameters associated
 with
@@ -293,7 +228,7 @@ and copies them using
 .Fn X509_STORE_CTX_set_trust
 returns 1 if the
 .Fa trust
-argument is 0 or valid or 0 if it is not 0 but invalid.
+argument is 0 or valid or 0 if it is invalid but not 0.
 A return value of 1 does
 .Em not
 imply that the trust identifier stored in the
@@ -306,45 +241,9 @@ returns 1 if both the
 argument and the associated trust are 0 or valid.
 It returns 0 if either the
 .Fa purpose
-argument or the associated trust is not 0 but invalid.
+argument or the associated trust is invalid but not 0.
 A return value of 1 does not imply that any data was changed.
 .Pp
-.Fn X509_STORE_CTX_purpose_inherit
-returns 0 if:
-.Bl -bullet
-.It
-The
-.Fa purpose
-argument is not 0 and invalid.
-.It
-The
-.Fa purpose
-argument is 0 and the
-.Fa def_purpose
-argument is not 0 and invalid.
-.It
-The associated trust is
-.Dv X509_TRUST_DEFAULT
-and the
-.Fa def_purpose
-argument is 0 or invalid,
-or the trust identifier associated with it is not 0 but invalid.
-.It
-The
-.Fa trust
-argument is not 0 and invalid.
-.It
-The
-.Fa trust
-argument is 0 and the associated trust is neither 0 nor
-.Dv X509_TRUST_DEFAULT
-but invalid.
-.El
-.Pp
-Otherwise,
-.Fn X509_STORE_CTX_purpose_inherit
-returns 1, which does not imply that any data was changed.
-.Pp
 .Fn X509_STORE_CTX_get0_param
 returns a pointer to an
 .Vt X509_VERIFY_PARAM
@@ -355,37 +254,26 @@ if an error occurred.
 .Fn X509_STORE_CTX_set_default
 returns 1 for success or 0 if an error occurred.
 .Sh ERRORS
-For
-.Fn X509_STORE_CTX_set_trust ,
-.Fn X509_STORE_CTX_set_purpose ,
-and
-.Fn X509_STORE_CTX_purpose_inherit ,
-the following diagnostics can be retrieved with
+The following diagnostics can be retrieved with
 .Xr ERR_get_error 3 ,
 .Xr ERR_GET_REASON 3 ,
 and
 .Xr ERR_reason_error_string 3 :
 .Bl -tag -width Ds
 .It Dv X509_R_UNKNOWN_TRUST_ID Qq "unknown trust id"
-The
+.Fn X509_STORE_CTX_set_trust
+was called with a
 .Fa trust
-argument or the trust identifier associated with
+argument that is invalid but not 0.
+Other implementations may also return this when
+.Fn X509_STORE_CTX_set_purpose
+is called with a
 .Fa purpose
-or
-.Fa def_purpose
-is not 0 but invalid,
+argument with invalid associated trust.
 .It Dv X509_R_UNKNOWN_PURPOSE_ID Qq "unknown purpose id"
 The
 .Fa purpose
-argument is not 0 and invalid.
-Or it is 0 and the
-.Fa def_purpose
-argument is not 0 and invalid.
-Or the associated trust is
-.Dv X509_TRUST_DEFAULT
-and
-.Fa def_purpose
-is 0 or invalid.
+argument is invalid but not 0.
 .El
 .Pp
 The other functions provide no diagnostics.
@@ -405,10 +293,9 @@ The other functions provide no diagnostics.
 first appeared in OpenSSL 0.9.3 and has been available since
 .Ox 2.4 .
 .Pp
-.Fn X509_STORE_CTX_set_trust ,
-.Fn X509_STORE_CTX_set_purpose ,
+.Fn X509_STORE_CTX_set_trust
 and
-.Fn X509_STORE_CTX_purpose_inherit
+.Fn X509_STORE_CTX_set_purpose
 first appeared in OpenSSL 0.9.5 and have been available since
 .Ox 2.7 .
 .Pp
@@ -424,3 +311,26 @@ and
 .Fn X509_STORE_CTX_set_default
 first appeared in OpenSSL 0.9.8 and have been available since
 .Ox 4.5 .
+.Sh CAVEATS
+The precise effect of a successful call to
+.Fn X509_STORE_CTX_set_trust
+and
+.Fn X509_STORE_CTX_set_purpose
+is unclear unless only one of these functions is used immediately after
+.Xr X509_STORE_CTX_init 3 .
+It is therefore recommended to use
+.Fn X509_STORE_CTX_get0_param ,
+.Xr X509_VERIFY_PARAM_set_trust 3 ,
+and
+.Xr X509_VERIFY_PARAM_set_purpose 3
+instead.
+.Pp
+The confusingly named
+.Dv X509_TRUST_DEFAULT
+is less than
+.Dv X509_TRUST_MIN
+and different implementations treat it as valid or invalid
+when used as an associated trust or as a
+.Fa trust
+argument for
+.Fn X509_STORE_CTX_set_trust .

regress/usr.bin/openssl/appstest.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.58 2023/07/24 05:54:12 tb Exp $
+# $OpenBSD: appstest.sh,v 1.60 2024/01/12 13:16:48 tb Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -834,14 +834,39 @@ __EOF__
 
 	start_message "x509 ... issue cert for server csr#2"
 
+	$openssl_bin genrsa -out $server_dir/testkey.pem 2>&1
+	check_exit_status $?
+	$openssl_bin rsa -in $server_dir/testkey.pem -pubout \
+		-out $server_dir/testpubkey.pem 2>&1
+	check_exit_status $?
+
 	revoke_cert=$server_dir/revoke_cert.pem
 	$openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \
 		-CAkey $ca_key -CAkeyform pem \
 		-CAserial $ca_dir/serial -set_serial 10 \
 		-passin pass:$ca_pass -CAcreateserial -out $revoke_cert \
+		-set_issuer /CN=issuer -set_subject /CN=subject \
+		-force_pubkey $server_dir/testpubkey.pem
 		> $revoke_cert.log 2>&1
 	check_exit_status $?
 
+	start_message "x509 ... check if csr#2 cert has proper issuer & subject"
+	if [ "$($openssl_bin x509 -in $revoke_cert -issuer -noout)" != \
+		"issuer= /CN=issuer" ]; then
+		exit 1
+	fi
+	if [ "$($openssl_bin x509 -in $revoke_cert -subject -noout)" != \
+		"subject= /CN=subject" ]; then
+		exit 1
+	fi
+	check_exit_status 0
+
+	start_message "x509 ... check if csr#2 cert pubkey was forced"
+	$openssl_bin x509 -in $revoke_cert -pubkey -noout > $revoke_cert.pub
+	check_exit_status $?
+	diff $server_dir/testpubkey.pem $revoke_cert.pub
+	check_exit_status $?
+
 	start_message "ca ... issue cert for server csr#3"
 
 	sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem

sys/dev/pci/drm/include/linux/of_device.h

@@ -1,3 +1,8 @@
+/* Public domain. */
+
+#ifndef _LINUX_OF_DEVICE_H
+#define _LINUX_OF_DEVICE_H
+
 #include <linux/of.h>
 #include <linux/of_platform.h>
 
@@ -6,3 +11,5 @@ int	__of_device_is_compatible(struct device_node *, const char *);
 	__of_device_is_compatible(__of_node(n), (c))
 
 int	of_dma_configure(struct device *, struct device_node *, int);
+
+#endif

sys/kern/uipc_socket.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_socket.c,v 1.313 2024/01/11 14:15:11 bluhm Exp $	*/
+/*	$OpenBSD: uipc_socket.c,v 1.314 2024/01/12 10:48:03 bluhm Exp $	*/
 /*	$NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $	*/
 
 /*
@@ -582,7 +582,7 @@ sosend(struct socket *so, struct mbuf *addr, struct uio *uio, struct mbuf *top,
 
 #define	snderr(errno)	{ error = errno; goto release; }
 
-	solock(so);
+	solock_shared(so);
 restart:
 	if ((error = sblock(so, &so->so_snd, SBLOCKWAIT(flags))) != 0)
 		goto out;
@@ -635,9 +635,9 @@ restart:
 				if (flags & MSG_EOR)
 					top->m_flags |= M_EOR;
 			} else {
-				sounlock(so);
+				sounlock_shared(so);
 				error = m_getuio(&top, atomic, space, uio);
-				solock(so);
+				solock_shared(so);
 				if (error)
 					goto release;
 				space -= top->m_pkthdr.len;
@@ -665,7 +665,7 @@ release:
 	so->so_snd.sb_state &= ~SS_ISSENDING;
 	sbunlock(so, &so->so_snd);
 out:
-	sounlock(so);
+	sounlock_shared(so);
 	m_freem(top);
 	m_freem(control);
 	return (error);

sys/nfs/nfs_syscalls.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: nfs_syscalls.c,v 1.119 2023/08/03 09:49:09 mvs Exp $	*/
+/*	$OpenBSD: nfs_syscalls.c,v 1.120 2024/01/12 08:47:46 ratchov Exp $	*/
 /*	$NetBSD: nfs_syscalls.c,v 1.19 1996/02/18 11:53:52 fvdl Exp $	*/
 
 /*
@@ -331,14 +331,15 @@ loop:
 		slp = nfsd->nfsd_slp;
 
 		if (ISSET(slp->ns_flag, SLP_VALID)) {
-			if (ISSET(slp->ns_flag, SLP_DISCONN)) {
-				nfsrv_zapsock(slp);
-			} else if (ISSET(slp->ns_flag, SLP_NEEDQ)) {
+			if ((slp->ns_flag & (SLP_DISCONN | SLP_NEEDQ)) ==
+			    SLP_NEEDQ) {
 				CLR(slp->ns_flag, SLP_NEEDQ);
 				nfs_sndlock(&slp->ns_solock, NULL);
 				nfsrv_rcv(slp->ns_so, (caddr_t)slp, M_WAIT);
 				nfs_sndunlock(&slp->ns_solock);
 			}
+			if (ISSET(slp->ns_flag, SLP_DISCONN))
+				nfsrv_zapsock(slp);
 
 			error = nfsrv_dorec(slp, nfsd, &nd);
 			SET(nfsd->nfsd_flag, NFSD_REQINPROG);

usr.bin/openssl/openssl.1

@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.153 2023/12/29 12:06:48 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.154 2024/01/12 11:24:03 job Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: January 12 2024 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -6100,6 +6100,7 @@ version.
 .Op Fl extensions Ar section
 .Op Fl extfile Ar file
 .Op Fl fingerprint
+.Op Fl force_pubkey Ar key
 .Op Fl hash
 .Op Fl in Ar file
 .Op Fl inform Cm der | net | pem
@@ -6109,6 +6110,7 @@ version.
 .Op Fl keyform Cm der | pem
 .Op Fl md5 | sha1
 .Op Fl modulus
+.Op Fl multivalue-rdn
 .Op Fl nameopt Ar option
 .Op Fl next_serial
 .Op Fl noout
@@ -6121,7 +6123,9 @@ version.
 .Op Fl purpose
 .Op Fl req
 .Op Fl serial
+.Op Fl set_issuer Ar name
 .Op Fl set_serial Ar n
+.Op Fl set_subject Ar name
 .Op Fl setalias Ar arg
 .Op Fl signkey Ar file
 .Op Fl sigopt Ar nm:v
@@ -6131,6 +6135,7 @@ version.
 .Op Fl subject_hash_old
 .Op Fl text
 .Op Fl trustout
+.Op Fl utf8
 .Op Fl x509toreq
 .Ek
 .El
@@ -6254,6 +6259,16 @@ using the older algorithm as used by
 versions before 1.0.0.
 .It Fl modulus
 Print the value of the modulus of the public key contained in the certificate.
+.It Fl multivalue-rdn
+This option causes the
+.Fl subj
+argument to be interpreted with full support for multivalued RDNs,
+for example
+.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" .
+If
+.Fl multivalue-rdn
+is not used, the UID value is set to
+.Qq "123456+CN=John Doe" .
 .It Fl nameopt Ar option
 Customise how the subject or issuer names are displayed,
 either using a list of comma-separated options or by specifying
@@ -6686,12 +6701,25 @@ which contains the section to use.
 .It Fl extfile Ar file
 File containing certificate extensions to use.
 If not specified, no extensions are added to the certificate.
+.It Fl force_pubkey Ar key
+Set the public key of the certificate to the public key contained in
+.Ar key .
 .It Fl keyform Cm der | pem
-The format of the private key file used in the
+The format of the key file used in the
+.Fl force_pubkey
+and
 .Fl signkey
-option.
+options.
 .It Fl req
 Expect a certificate request on input instead of a certificate.
+.It Fl set_issuer Ar name
+The issuer name to use.
+.Ar name
+must be formatted as /type0=value0/type1=value1/type2=...;
+characters may be escaped by
+.Sq \e
+(backslash);
+no spaces are skipped.
 .It Fl set_serial Ar n
 The serial number to use.
 This option can be used with either the
@@ -6710,6 +6738,14 @@ options) is not used.
 The serial number can be decimal or hex (if preceded by
 .Sq 0x ) .
 Negative serial numbers can also be specified but their use is not recommended.
+.It Fl set_subject Ar name
+The subject name to use.
+.Ar name
+must be formatted as /type0=value0/type1=value1/type2=...;
+characters may be escaped by
+.Sq \e
+(backslash);
+no spaces are skipped.
 .It Fl signkey Ar file
 Self-sign
 .Ar file
@@ -6730,6 +6766,10 @@ option is supplied.
 If the input is a certificate request, a self-signed certificate
 is created using the supplied private key using the subject name in
 the request.
+.It Fl utf8
+Interpret field values read from a terminal or obtained from a configuration
+file as UTF-8 strings.
+By default, they are interpreted as ASCII.
 .It Fl x509toreq
 Convert a certificate into a certificate request.
 The

usr.bin/openssl/x509.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.36 2024/01/12 11:24:03 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -81,11 +81,11 @@
 
 static int callb(int ok, X509_STORE_CTX *ctx);
 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
-    const EVP_MD *digest, CONF *conf, char *section);
+    const EVP_MD *digest, CONF *conf, char *section, X509_NAME *issuer);
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
     X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts,
     char *serial, int create, int days, int clrext, CONF *conf, char *section,
-    ASN1_INTEGER *sno);
+    ASN1_INTEGER *sno, X509_NAME *issuer);
 static int purpose_print(BIO *bio, X509 *cert, const X509_PURPOSE *pt);
 
 static struct {
@@ -103,6 +103,7 @@ static struct {
 	unsigned long certflag;
 	int checkend;
 	int checkoffset;
+	unsigned long chtype;
 	int clrext;
 	int clrreject;
 	int clrtrust;
@@ -113,6 +114,7 @@ static struct {
 	char *extfile;
 	char *extsect;
 	int fingerprint;
+	char *force_pubkey;
 	char *infile;
 	int informat;
 	int issuer;
@@ -124,6 +126,7 @@ static struct {
 	int keyformat;
 	const EVP_MD *md_alg;
 	int modulus;
+	int multirdn;
 	int next_serial;
 	unsigned long nmflag;
 	int noout;
@@ -139,6 +142,8 @@ static struct {
 	STACK_OF(ASN1_OBJECT) *reject;
 	int reqfile;
 	int serial;
+	char *set_issuer;
+	char *set_subject;
 	int sign_flag;
 	STACK_OF(OPENSSL_STRING) *sigopts;
 	ASN1_INTEGER *sno;
@@ -312,6 +317,13 @@ x509_opt_sigopt(char *arg)
 	return (0);
 }
 
+static int
+x509_opt_utf8(void)
+{
+	cfg.chtype = MBSTRING_UTF8;
+	return (0);
+}
+
 static const struct option x509_options[] = {
 	{
 		.name = "C",
@@ -467,6 +479,13 @@ static const struct option x509_options[] = {
 		.opt.order = &cfg.fingerprint,
 		.order = &cfg.num,
 	},
+	{
+		.name = "force_pubkey",
+		.argname = "key",
+		.desc = "Force the public key to be put in the certificate",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.force_pubkey,
+	},
 	{
 		.name = "hash",
 		.desc = "Synonym for -subject_hash",
@@ -525,6 +544,12 @@ static const struct option x509_options[] = {
 		.opt.order = &cfg.modulus,
 		.order = &cfg.num,
 	},
+	{
+		.name = "multivalue-rdn",
+		.desc = "Enable support for multivalued RDNs",
+		.type = OPTION_FLAG,
+		.opt.flag = &cfg.multirdn,
+	},
 	{
 		.name = "nameopt",
 		.argname = "option",
@@ -608,6 +633,13 @@ static const struct option x509_options[] = {
 		.opt.order = &cfg.serial,
 		.order = &cfg.num,
 	},
+	{
+		.name = "set_issuer",
+		.argname = "name",
+		.desc = "Set the issuer name",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.set_issuer,
+	},
 	{
 		.name = "set_serial",
 		.argname = "n",
@@ -615,6 +647,13 @@ static const struct option x509_options[] = {
 		.type = OPTION_ARG_FUNC,
 		.opt.argfunc = x509_opt_set_serial,
 	},
+	{
+		.name = "set_subject",
+		.argname = "name",
+		.desc = "Set the subject name",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.set_subject,
+	},
 	{
 		.name = "setalias",
 		.argname = "arg",
@@ -643,6 +682,11 @@ static const struct option x509_options[] = {
 		.opt.order = &cfg.startdate,
 		.order = &cfg.num,
 	},
+	{
+		.name = "subj",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.set_subject,
+	},
 	{
 		.name = "subject",
 		.desc = "Print subject name",
@@ -679,6 +723,12 @@ static const struct option x509_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &cfg.trustout,
 	},
+	{
+		.name = "utf8",
+		.desc = "Input characters are in UTF-8 (default ASCII)",
+		.type = OPTION_FUNC,
+		.opt.func = x509_opt_utf8,
+	},
 	{
 		.name = "x509toreq",
 		.desc = "Output a certification request object",
@@ -704,16 +754,17 @@ x509_usage(void)
 	    "    [-CAkeyform der | pem] [-CAserial file] [-certopt option]\n"
 	    "    [-checkend arg] [-clrext] [-clrreject] [-clrtrust] [-dates]\n"
 	    "    [-days arg] [-email] [-enddate] [-extensions section]\n"
-	    "    [-extfile file] [-fingerprint] [-hash] [-in file]\n"
-	    "    [-inform der | net | pem] [-issuer] [-issuer_hash]\n"
-	    "    [-issuer_hash_old] [-keyform der | pem] [-md5 | -sha1]\n"
-	    "    [-modulus] [-nameopt option] [-next_serial] [-noout]\n"
-	    "    [-ocsp_uri] [-ocspid] [-out file]\n"
-	    "    [-outform der | net | pem] [-passin arg] [-pubkey]\n"
-	    "    [-purpose] [-req] [-serial] [-set_serial n] [-setalias arg]\n"
-	    "    [-signkey file] [-sigopt nm:v] [-startdate] [-subject]\n"
-	    "    [-subject_hash] [-subject_hash_old] [-text] [-trustout]\n"
-	    "    [-x509toreq]\n");
+	    "    [-extfile file] [-fingerprint] [-force_pubkey key] [-hash]\n"
+	    "    [-in file] [-inform der | net | pem] [-issuer]\n"
+	    "    [-issuer_hash] [-issuer_hash_old] [-keyform der | pem]\n"
+	    "    [-md5 | -sha1] [-modulus] [-multivalue-rdn]\n"
+	    "    [-nameopt option] [-next_serial] [-noout] [-ocsp_uri]\n"
+	    "    [-ocspid] [-out file] [-outform der | net | pem]\n"
+	    "    [-passin arg] [-pubkey] [-purpose] [-req] [-serial]\n"
+	    "    [-set_issuer name] [-set_serial n] [-set_subject name]\n"
+	    "    [-setalias arg] [-signkey file] [-sigopt nm:v] [-startdate]\n"
+	    "    [-subject] [-subject_hash] [-subject_hash_old] [-text]\n"
+	    "    [-trustout] [-utf8] [-x509toreq]\n");
 	fprintf(stderr, "\n");
 	options_usage(x509_options);
 	fprintf(stderr, "\n");
@@ -725,7 +776,8 @@ x509_main(int argc, char **argv)
 	int ret = 1;
 	X509_REQ *req = NULL;
 	X509 *x = NULL, *xca = NULL;
-	EVP_PKEY *Upkey = NULL, *CApkey = NULL;
+	X509_NAME *iname = NULL, *sname = NULL;
+	EVP_PKEY *Fpkey = NULL, *Upkey = NULL, *CApkey = NULL;
 	int i;
 	BIO *out = NULL;
 	BIO *STDout = NULL;
@@ -741,6 +793,7 @@ x509_main(int argc, char **argv)
 	}
 
 	memset(&cfg, 0, sizeof(cfg));
+	cfg.chtype = MBSTRING_ASC;
 	cfg.days = DEF_DAYS;
 	cfg.informat = FORMAT_PEM;
 	cfg.outformat = FORMAT_PEM;
@@ -811,6 +864,11 @@ x509_main(int argc, char **argv)
 			goto end;
 		}
 	}
+	if (cfg.force_pubkey != NULL) {
+		if ((Fpkey = load_pubkey(bio_err, cfg.force_pubkey,
+		    cfg.keyformat, 0, NULL, "Forced key")) == NULL)
+			goto end;
+	}
 	if (cfg.reqfile) {
 		EVP_PKEY *pkey;
 		BIO *in;
@@ -875,9 +933,21 @@ x509_main(int argc, char **argv)
 		} else if (!X509_set_serialNumber(x, cfg.sno))
 			goto end;
 
-		if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
+		if (cfg.set_issuer != NULL) {
+			iname = parse_name(cfg.set_issuer, cfg.chtype,
+			    cfg.multirdn);
+			if (iname == NULL)
+				goto end;
+		}
+
+		if (cfg.set_subject != NULL)
+			sname = parse_name(cfg.set_subject, cfg.chtype,
+			    cfg.multirdn);
+		else
+			sname = X509_NAME_dup(X509_REQ_get_subject_name(req));
+		if (sname == NULL)
 			goto end;
-		if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
+		if (!X509_set_subject_name(x, sname))
 			goto end;
 
 		if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
@@ -886,7 +956,9 @@ x509_main(int argc, char **argv)
 		    NULL) == NULL)
 			goto end;
 
-		if ((pkey = X509_REQ_get0_pubkey(req)) == NULL)
+		if ((pkey = Fpkey) == NULL)
+			pkey = X509_REQ_get0_pubkey(req);
+		if (pkey == NULL)
 			goto end;
 		if (!X509_set_pubkey(x, pkey))
 			goto end;
@@ -1204,7 +1276,7 @@ x509_main(int argc, char **argv)
 				}
 				if (!sign(x, Upkey, cfg.days,
 				    cfg.clrext, cfg.digest,
-				    extconf, cfg.extsect))
+				    extconf, cfg.extsect, iname))
 					goto end;
 			} else if (cfg.CA_flag == i) {
 				BIO_printf(bio_err, "Getting CA Private Key\n");
@@ -1218,7 +1290,7 @@ x509_main(int argc, char **argv)
 				if (!x509_certify(ctx, cfg.CAfile, cfg.digest,
 				    x, xca, CApkey, cfg.sigopts, cfg.CAserial,
 				    cfg.CA_createserial, cfg.days, cfg.clrext,
-				    extconf, cfg.extsect, cfg.sno))
+				    extconf, cfg.extsect, cfg.sno, iname))
 					goto end;
 			} else if (cfg.x509req == i) {
 				EVP_PKEY *pk;
@@ -1302,10 +1374,13 @@ x509_main(int argc, char **argv)
 	NCONF_free(extconf);
 	BIO_free_all(out);
 	BIO_free_all(STDout);
+	X509_NAME_free(iname);
+	X509_NAME_free(sname);
 	X509_STORE_free(ctx);
 	X509_REQ_free(req);
 	X509_free(x);
 	X509_free(xca);
+	EVP_PKEY_free(Fpkey);
 	EVP_PKEY_free(Upkey);
 	EVP_PKEY_free(CApkey);
 	sk_OPENSSL_STRING_free(cfg.sigopts);
@@ -1366,7 +1441,7 @@ static int
 x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
     X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts,
     char *serialfile, int create, int days, int clrext, CONF *conf,
-    char *section, ASN1_INTEGER *sno)
+    char *section, ASN1_INTEGER *sno, X509_NAME *issuer)
 {
 	int ret = 0;
 	ASN1_INTEGER *bs = NULL;
@@ -1405,8 +1480,14 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
 		    "CA certificate and CA private key do not match\n");
 		goto end;
 	}
-	if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+
+	if (issuer == NULL)
+		issuer = X509_get_subject_name(xca);
+	if (issuer == NULL)
 		goto end;
+	if (!X509_set_issuer_name(x, issuer))
+		goto end;
+
 	if (!X509_set_serialNumber(x, bs))
 		goto end;
 
@@ -1483,7 +1564,7 @@ callb(int ok, X509_STORE_CTX *ctx)
 /* self sign */
 static int
 sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
-    CONF *conf, char *section)
+    CONF *conf, char *section, X509_NAME *issuer)
 {
 	EVP_PKEY *pktmp;
 
@@ -1493,7 +1574,11 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
 	EVP_PKEY_copy_parameters(pktmp, pkey);
 	EVP_PKEY_save_parameters(pktmp, 1);
 
-	if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
+	if (issuer == NULL)
+		issuer = X509_get_subject_name(x);
+	if (issuer == NULL)
+		goto err;
+	if (!X509_set_issuer_name(x, issuer))
 		goto err;
 	if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
 		goto err;

usr.sbin/bgpd/session.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: session.c,v 1.458 2024/01/11 14:11:03 claudio Exp $ */
+/*	$OpenBSD: session.c,v 1.459 2024/01/12 11:19:51 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -2953,9 +2953,11 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 	struct mrt		*mrt;
 	struct imsgbuf		*i;
 	struct peer		*p;
-	struct listen_addr	*la, *nla;
-	struct session_dependon	*sdon;
+	struct listen_addr	*la, *next, nla;
+	struct session_dependon	 sdon;
+	struct bgpd_config	 tconf;
 	u_char			*data;
+	uint32_t		 peerid;
 	int			 n, fd, depend_ok, restricted;
 	uint16_t		 t;
 	uint8_t			 aid, errcode, subcode;
@@ -2967,7 +2969,8 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		if (n == 0)
 			break;
 
-		switch (imsg.hdr.type) {
+		peerid = imsg_get_id(&imsg);
+		switch (imsg_get_type(&imsg)) {
 		case IMSG_SOCKET_CONN:
 		case IMSG_SOCKET_CONN_CTL:
 			if (idx != PFD_PIPE_MAIN)
@@ -2980,7 +2983,7 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 			if ((i = malloc(sizeof(struct imsgbuf))) == NULL)
 				fatal(NULL);
 			imsg_init(i, fd);
-			if (imsg.hdr.type == IMSG_SOCKET_CONN) {
+			if (imsg_get_type(&imsg) == IMSG_SOCKET_CONN) {
 				if (ibuf_rde) {
 					log_warnx("Unexpected imsg connection "
 					    "to RDE received");
@@ -3001,9 +3004,11 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		case IMSG_RECONF_CONF:
 			if (idx != PFD_PIPE_MAIN)
 				fatalx("reconf request not from parent");
-			nconf = new_config();
+			if (imsg_get_data(&imsg, &tconf, sizeof(tconf)) == -1)
+				fatal("imsg_get_data");
 
-			copy_config(nconf, imsg.data);
+			nconf = new_config();
+			copy_config(nconf, &tconf);
 			pending_reconf = 1;
 			break;
 		case IMSG_RECONF_PEER:
@@ -3011,7 +3016,9 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 				fatalx("reconf request not from parent");
 			if ((p = calloc(1, sizeof(struct peer))) == NULL)
 				fatal("new_peer");
-			memcpy(&p->conf, imsg.data, sizeof(struct peer_config));
+			if (imsg_get_data(&imsg, &p->conf, sizeof(p->conf)) ==
+			    -1)
+				fatal("imsg_get_data");
 			p->state = p->prev_state = STATE_NONE;
 			p->reconf_action = RECONF_REINIT;
 			if (RB_INSERT(peer_head, &nconf->peers, p) != NULL)
@@ -3022,33 +3029,34 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 				fatalx("reconf request not from parent");
 			if (nconf == NULL)
 				fatalx("IMSG_RECONF_LISTENER but no config");
-			nla = imsg.data;
+			if (imsg_get_data(&imsg, &nla, sizeof(nla)) == -1)
+				fatal("imsg_get_data");
 			TAILQ_FOREACH(la, conf->listen_addrs, entry)
-				if (!la_cmp(la, nla))
+				if (!la_cmp(la, &nla))
 					break;
 
 			if (la == NULL) {
-				if (nla->reconf != RECONF_REINIT)
+				if (nla.reconf != RECONF_REINIT)
 					fatalx("king bula sez: "
 					    "expected REINIT");
 
-				if ((nla->fd = imsg_get_fd(&imsg)) == -1)
+				if ((nla.fd = imsg_get_fd(&imsg)) == -1)
 					log_warnx("expected to receive fd for "
 					    "%s but didn't receive any",
 					    log_sockaddr((struct sockaddr *)
-					    &nla->sa, nla->sa_len));
+					    &nla.sa, nla.sa_len));
 
 				la = calloc(1, sizeof(struct listen_addr));
 				if (la == NULL)
 					fatal(NULL);
-				memcpy(&la->sa, &nla->sa, sizeof(la->sa));
-				la->flags = nla->flags;
-				la->fd = nla->fd;
+				memcpy(&la->sa, &nla.sa, sizeof(la->sa));
+				la->flags = nla.flags;
+				la->fd = nla.fd;
 				la->reconf = RECONF_REINIT;
 				TAILQ_INSERT_TAIL(nconf->listen_addrs, la,
 				    entry);
 			} else {
-				if (nla->reconf != RECONF_KEEP)
+				if (nla.reconf != RECONF_KEEP)
 					fatalx("king bula sez: expected KEEP");
 				la->reconf = RECONF_KEEP;
 			}
@@ -3057,10 +3065,10 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		case IMSG_RECONF_CTRL:
 			if (idx != PFD_PIPE_MAIN)
 				fatalx("reconf request not from parent");
-			if (imsg.hdr.len != IMSG_HEADER_SIZE +
-			    sizeof(restricted))
-				fatalx("RECONF_CTRL imsg with wrong len");
-			memcpy(&restricted, imsg.data, sizeof(restricted));
+
+			if (imsg_get_data(&imsg, &restricted,
+			    sizeof(restricted)) == -1)
+				fatal("imsg_get_data");
 			if ((fd = imsg_get_fd(&imsg)) == -1) {
 				log_warnx("expected to receive fd for control "
 				    "socket but didn't receive any");
@@ -3103,9 +3111,8 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 			merge_peers(conf, nconf);
 
 			/* delete old listeners */
-			for (la = TAILQ_FIRST(conf->listen_addrs); la != NULL;
-			    la = nla) {
-				nla = TAILQ_NEXT(la, entry);
+			TAILQ_FOREACH_SAFE(la, conf->listen_addrs, entry,
+			    next) {
 				if (la->reconf == RECONF_NONE) {
 					log_info("not listening on %s any more",
 					    log_sockaddr((struct sockaddr *)
@@ -3134,14 +3141,12 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		case IMSG_SESSION_DEPENDON:
 			if (idx != PFD_PIPE_MAIN)
 				fatalx("IFINFO message not from parent");
-			if (imsg.hdr.len != IMSG_HEADER_SIZE +
-			    sizeof(struct session_dependon))
+			if (imsg_get_data(&imsg, &sdon, sizeof(sdon)) == -1)
 				fatalx("DEPENDON imsg with wrong len");
-			sdon = imsg.data;
-			depend_ok = sdon->depend_state;
+			depend_ok = sdon.depend_state;
 
 			RB_FOREACH(p, peer_head, &conf->peers)
-				if (!strcmp(p->conf.if_depend, sdon->ifname)) {
+				if (!strcmp(p->conf.if_depend, sdon.ifname)) {
 					if (depend_ok && !p->depend_ok) {
 						p->depend_ok = depend_ok;
 						bgp_fsm(p, EVNT_START);
@@ -3154,16 +3159,18 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 			break;
 		case IMSG_MRT_OPEN:
 		case IMSG_MRT_REOPEN:
-			if (imsg.hdr.len > IMSG_HEADER_SIZE +
-			    sizeof(struct mrt)) {
-				log_warnx("wrong imsg len");
+			if (idx != PFD_PIPE_MAIN)
+				fatalx("mrt request not from parent");
+			if (imsg_get_data(&imsg, &xmrt, sizeof(xmrt)) == -1) {
+				log_warnx("mrt open, wrong imsg len");
 				break;
 			}
 
-			memcpy(&xmrt, imsg.data, sizeof(struct mrt));
-			if ((xmrt.wbuf.fd = imsg_get_fd(&imsg)) == -1)
+			if ((xmrt.wbuf.fd = imsg_get_fd(&imsg)) == -1) {
 				log_warnx("expected to receive fd for mrt dump "
 				    "but didn't receive any");
+				break;
+			}
 
 			mrt = mrt_get(&mrthead, &xmrt);
 			if (mrt == NULL) {
@@ -3181,13 +3188,13 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 			}
 			break;
 		case IMSG_MRT_CLOSE:
-			if (imsg.hdr.len > IMSG_HEADER_SIZE +
-			    sizeof(struct mrt)) {
-				log_warnx("wrong imsg len");
+			if (idx != PFD_PIPE_MAIN)
+				fatalx("mrt request not from parent");
+			if (imsg_get_data(&imsg, &xmrt, sizeof(xmrt)) == -1) {
+				log_warnx("mrt close, wrong imsg len");
 				break;
 			}
 
-			memcpy(&xmrt, imsg.data, sizeof(struct mrt));
 			mrt = mrt_get(&mrthead, &xmrt);
 			if (mrt != NULL)
 				mrt_done(mrt);
@@ -3206,7 +3213,7 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		case IMSG_CTL_SHOW_NEIGHBOR:
 			if (idx != PFD_PIPE_ROUTE_CTL)
 				fatalx("ctl rib request not from RDE");
-			p = getpeerbyid(conf, imsg.hdr.peerid);
+			p = getpeerbyid(conf, peerid);
 			control_imsg_relay(&imsg, p);
 			break;
 		case IMSG_CTL_SHOW_RIB:
@@ -3285,33 +3292,29 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 		case IMSG_REFRESH:
 			if (idx != PFD_PIPE_ROUTE)
 				fatalx("route refresh request not from RDE");
-			if (imsg.hdr.len < IMSG_HEADER_SIZE + sizeof(rr)) {
+			if (imsg_get_data(&imsg, &rr, sizeof(rr)) == -1) {
 				log_warnx("RDE sent invalid refresh msg");
 				break;
 			}
-			if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) {
-				log_warnx("no such peer: id=%u",
-				    imsg.hdr.peerid);
+			if ((p = getpeerbyid(conf, peerid)) == NULL) {
+				log_warnx("no such peer: id=%u", peerid);
 				break;
 			}
-			memcpy(&rr, imsg.data, sizeof(rr));
 			if (rr.aid >= AID_MAX)
 				fatalx("IMSG_REFRESH: bad AID");
 			session_rrefresh(p, rr.aid, rr.subtype);
 			break;
 		case IMSG_SESSION_RESTARTED:
 			if (idx != PFD_PIPE_ROUTE)
-				fatalx("update request not from RDE");
-			if (imsg.hdr.len < IMSG_HEADER_SIZE + sizeof(aid)) {
+				fatalx("session restart not from RDE");
+			if (imsg_get_data(&imsg, &aid, sizeof(aid)) == -1) {
 				log_warnx("RDE sent invalid restart msg");
 				break;
 			}
-			if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) {
-				log_warnx("no such peer: id=%u",
-				    imsg.hdr.peerid);
+			if ((p = getpeerbyid(conf, peerid)) == NULL) {
+				log_warnx("no such peer: id=%u", peerid);
 				break;
 			}
-			memcpy(&aid, imsg.data, sizeof(aid));
 			if (aid >= AID_MAX)
 				fatalx("IMSG_SESSION_RESTARTED: bad AID");
 			if (p->capa.neg.grestart.flags[aid] &
@@ -3325,17 +3328,16 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt)
 
 				/* signal back to RDE to cleanup stale routes */
 				if (imsg_rde(IMSG_SESSION_RESTARTED,
-				    imsg.hdr.peerid, &aid, sizeof(aid)) == -1)
+				    peerid, &aid, sizeof(aid)) == -1)
 					fatal("imsg_compose: "
 					    "IMSG_SESSION_RESTARTED");
 			}
 			break;
 		case IMSG_SESSION_DOWN:
 			if (idx != PFD_PIPE_ROUTE)
-				fatalx("update request not from RDE");
-			if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) {
-				log_warnx("no such peer: id=%u",
-				    imsg.hdr.peerid);
+				fatalx("session down not from RDE");
+			if ((p = getpeerbyid(conf, peerid)) == NULL) {
+				log_warnx("no such peer: id=%u", peerid);
 				break;
 			}
 			session_stop(p, ERR_CEASE_ADMIN_DOWN);

usr.sbin/vmctl/vmctl.8

@@ -1,6 +1,6 @@
-.\"	$OpenBSD: vmctl.8,v 1.74 2023/04/28 20:13:56 dv Exp $
+.\"	$OpenBSD: vmctl.8,v 1.75 2024/01/12 23:50:11 mlarkin Exp $
 .\"
-.\" Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
+.\" Copyright (c) 2015-2024 Mike Larkin <mlarkin@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 28 2023 $
+.Dd $Mdocdate: January 12 2024 $
 .Dt VMCTL 8
 .Os
 .Sh NAME
@@ -122,7 +122,9 @@ Receive a VM from standard input and start it with the specified
 .Ar name .
 .It Cm reload
 Remove all stopped VMs and reload the configuration from the default
-configuration file.
+configuration file. VMs that are currently running will not have their
+configuration reloaded. To reload configurations for currently running
+VMs, stop those VMs before issuing the reload command.
 .It Cm reset Op Cm all | switches | vms
 Reset the running state,
 reset
@@ -218,7 +220,8 @@ option.
 Memory
 .Ar size
 of the VM, rounded to megabytes.
-The default is 512M.
+The default is 512M. The maximum amount of memory assignable to a VM is
+governed by the datasize parameter for the vmd user in /etc/login.conf.
 .It Fl n Ar switch
 Add a network interface that is attached to the specified virtual
 .Ar switch .