From a51405ccfffee3eb73be34d85956352b78c516fa Mon Sep 17 00:00:00 2001 From: purplerain Date: Sat, 13 Jan 2024 03:13:30 +0000 Subject: [PATCH] sync with OpenBSD -current --- lib/libcrypto/man/X509_STORE_CTX_set_flags.3 | 172 +++++-------------- regress/usr.bin/openssl/appstest.sh | 27 ++- sys/dev/pci/drm/include/linux/of_device.h | 7 + sys/kern/uipc_socket.c | 10 +- sys/nfs/nfs_syscalls.c | 9 +- usr.bin/openssl/openssl.1 | 48 +++++- usr.bin/openssl/x509.c | 131 +++++++++++--- usr.sbin/bgpd/session.c | 112 ++++++------ usr.sbin/vmctl/vmctl.8 | 13 +- 9 files changed, 301 insertions(+), 228 deletions(-) diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 index 2ac76951f..db991bd52 100644 --- a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 +++ b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.6 2021/11/17 16:08:32 schwarze Exp $ +.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.7 2024/01/12 19:28:02 tb Exp $ .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -67,7 +67,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 17 2021 $ +.Dd $Mdocdate: January 12 2024 $ .Dt X509_STORE_CTX_SET_FLAGS 3 .Os .Sh NAME @@ -76,7 +76,8 @@ .Nm X509_STORE_CTX_set_depth , .Nm X509_STORE_CTX_set_trust , .Nm X509_STORE_CTX_set_purpose , -.Nm X509_STORE_CTX_purpose_inherit , +.\" .Nm X509_STORE_CTX_purpose_inherit is intentionally undocumented +.\" because it will be removed in the next major bump. .Nm X509_STORE_CTX_get0_param , .Nm X509_STORE_CTX_set0_param , .Nm X509_STORE_CTX_set_default 
@@ -109,13 +110,6 @@ .Fa "X509_STORE_CTX *ctx" .Fa "int purpose" .Fc -.Ft int -.Fo X509_STORE_CTX_purpose_inherit -.Fa "X509_STORE_CTX *ctx" -.Fa "int def_purpose" -.Fa "int purpose" -.Fa "int trust" -.Fc .Ft X509_VERIFY_PARAM * .Fo X509_STORE_CTX_get0_param .Fa "X509_STORE_CTX *ctx" @@ -178,9 +172,6 @@ argument is 0 or invalid or the trust identifier is already set to a non-zero value in the .Vt X509_VERIFY_PARAM object, no action occurs. -Here and in the following, -.Dv X509_TRUST_DEFAULT -counts as invalid. .Pp .Fn X509_STORE_CTX_set_purpose sets the @@ -200,7 +191,7 @@ is called the .Pp The function fails if the .Fa purpose -argument or the associated trust is not 0 but invalid; otherwise, +argument or the associated trust is invalid but not 0; otherwise, .Fn X509_STORE_CTX_set_purpose also does the equivalent of calling .Fn X509_STORE_CTX_set_trust 
@@ -212,62 +203,6 @@ object, it is not changed, even if the .Fa purpose argument is valid, too. .Pp -.Fn X509_STORE_CTX_purpose_inherit -is similar to -.Fn X509_STORE_CTX_set_purpose , -with the following modifications: -.Bl -bullet -.It -If the -.Fa purpose -argument is 0, -.Fa def_purpose -is used instead. -.It -If the associated trust is -.Dv X509_TRUST_DEFAULT , -the trust associated with -.Fa def_purpose -is used instead, or if -.Fa def_purpose -is 0 or invalid, the function fails. -.It -If the -.Fa trust -argument is not 0, it is used instead of the associated trust, -and the equivalent of calling -.Fn X509_STORE_CTX_set_trust -is done even if both -.Fa purpose -and -.Fa def_purpose -are 0. -Even if the -.Fa trust -argument is not 0, if the (then unused) associated trust is -.Dv X509_TRUST_DEFAULT , -.Fa def_purpose -is still required to be valid. -.El -.Pp -Note that, even if all arguments are valid and the return value is 1, -it is possible that nothing changed, or that only either one of the -purpose and trust identifiers were set, or that both were set. -It can also happen that the purpose identifier gets set according to the -.Fa purpose -argument, but the trust identifier gets set according to the -.Fa def_purpose -argument in the same call. -.Pp -The intended way of using this function is to pass the purpose and -trust attributes of another structure of an arbitrary type as the -.Fa purpose -and -.Fa trust -arguments, and to provide -.Fa def_purpose -as a fallback in case the settings in the other structure are incomplete. -.Pp .Fn X509_STORE_CTX_get0_param retrieves an internal pointer to the verification parameters associated with @@ -293,7 +228,7 @@ and copies them using .Fn X509_STORE_CTX_set_trust returns 1 if the .Fa trust -argument is 0 or valid or 0 if it is not 0 but invalid. +argument is 0 or valid or 0 if it is invalid but not 0. A return value of 1 does .Em not imply that the trust identifier stored in the 
@@ -306,45 +241,9 @@ returns 1 if both the argument and the associated trust are 0 or valid. It returns 0 if either the .Fa purpose -argument or the associated trust is not 0 but invalid. +argument or the associated trust is invalid but not 0. A return value of 1 does not imply that any data was changed. .Pp -.Fn X509_STORE_CTX_purpose_inherit -returns 0 if: -.Bl -bullet -.It -The -.Fa purpose -argument is not 0 and invalid. -.It -The -.Fa purpose -argument is 0 and the -.Fa def_purpose -argument is not 0 and invalid. -.It -The associated trust is -.Dv X509_TRUST_DEFAULT -and the -.Fa def_purpose -argument is 0 or invalid, -or the trust identifier associated with it is not 0 but invalid. -.It -The -.Fa trust -argument is not 0 and invalid. -.It -The -.Fa trust -argument is 0 and the associated trust is neither 0 nor -.Dv X509_TRUST_DEFAULT -but invalid. -.El -.Pp -Otherwise, -.Fn X509_STORE_CTX_purpose_inherit -returns 1, which does not imply that any data was changed. -.Pp .Fn X509_STORE_CTX_get0_param returns a pointer to an .Vt X509_VERIFY_PARAM 
@@ -355,37 +254,26 @@ if an error occurred. .Fn X509_STORE_CTX_set_default returns 1 for success or 0 if an error occurred. .Sh ERRORS -For -.Fn X509_STORE_CTX_set_trust , -.Fn X509_STORE_CTX_set_purpose , -and -.Fn X509_STORE_CTX_purpose_inherit , -the following diagnostics can be retrieved with +The following diagnostics can be retrieved with .Xr ERR_get_error 3 , .Xr ERR_GET_REASON 3 , and .Xr ERR_reason_error_string 3 : .Bl -tag -width Ds .It Dv X509_R_UNKNOWN_TRUST_ID Qq "unknown trust id" -The +.Fn X509_STORE_CTX_set_trust +was called with a .Fa trust -argument or the trust identifier associated with +argument that is invalid but not 0. +Other implementations may also return this when +.Fn X509_STORE_CTX_set_purpose +is called with a .Fa purpose -or -.Fa def_purpose -is not 0 but invalid, +argument with invalid associated trust. .It Dv X509_R_UNKNOWN_PURPOSE_ID Qq "unknown purpose id" The .Fa purpose -argument is not 0 and invalid. -Or it is 0 and the -.Fa def_purpose -argument is not 0 and invalid. -Or the associated trust is -.Dv X509_TRUST_DEFAULT -and -.Fa def_purpose -is 0 or invalid. +argument is invalid but not 0. .El .Pp The other functions provide no diagnostics. @@ -405,10 +293,9 @@ The other functions provide no diagnostics. first appeared in OpenSSL 0.9.3 and has been available since .Ox 2.4 . .Pp -.Fn X509_STORE_CTX_set_trust , -.Fn X509_STORE_CTX_set_purpose , +.Fn X509_STORE_CTX_set_trust and -.Fn X509_STORE_CTX_purpose_inherit +.Fn X509_STORE_CTX_set_purpose first appeared in OpenSSL 0.9.5 and have been available since .Ox 2.7 . .Pp 
@@ -424,3 +311,26 @@ and .Fn X509_STORE_CTX_set_default first appeared in OpenSSL 0.9.8 and have been available since .Ox 4.5 . +.Sh CAVEATS +The precise effect of a successful call to +.Fn X509_STORE_CTX_set_trust +and +.Fn X509_STORE_CTX_set_purpose +is unclear unless only one of these functions is used immediately after +.Xr X509_STORE_CTX_init 3 . +It is therefore recommended to use +.Fn X509_STORE_CTX_get0_param , +.Xr X509_VERIFY_PARAM_set_trust 3 , +and +.Xr X509_VERIFY_PARAM_set_purpose 3 +instead. +.Pp +The confusingly named +.Dv X509_TRUST_DEFAULT +is less than +.Dv X509_TRUST_MIN +and different implementations treat it as valid or invalid +when used as an associated trust or as a +.Fa trust +argument for +.Fn X509_STORE_CTX_set_trust . diff --git a/regress/usr.bin/openssl/appstest.sh b/regress/usr.bin/openssl/appstest.sh index 3125a424e..500fae025 100755 --- a/regress/usr.bin/openssl/appstest.sh +++ b/regress/usr.bin/openssl/appstest.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# $OpenBSD: appstest.sh,v 1.58 2023/07/24 05:54:12 tb Exp $ +# $OpenBSD: appstest.sh,v 1.60 2024/01/12 13:16:48 tb Exp $ # # Copyright (c) 2016 Kinichiro Inoguchi # 
@@ -834,14 +834,39 @@ __EOF__ start_message "x509 ... issue cert for server csr#2" + $openssl_bin genrsa -out $server_dir/testkey.pem 2>&1 + check_exit_status $? + $openssl_bin rsa -in $server_dir/testkey.pem -pubout \ + -out $server_dir/testpubkey.pem 2>&1 + check_exit_status $? + revoke_cert=$server_dir/revoke_cert.pem $openssl_bin x509 -req -in $revoke_csr -CA $ca_cert -CAform pem \ -CAkey $ca_key -CAkeyform pem \ -CAserial $ca_dir/serial -set_serial 10 \ -passin pass:$ca_pass -CAcreateserial -out $revoke_cert \ + -set_issuer /CN=issuer -set_subject /CN=subject \ + -force_pubkey $server_dir/testpubkey.pem > $revoke_cert.log 2>&1 check_exit_status $? + start_message "x509 ... check if csr#2 cert has proper issuer & subject" + if [ "$($openssl_bin x509 -in $revoke_cert -issuer -noout)" != \ + "issuer= /CN=issuer" ]; then + exit 1 + fi + if [ "$($openssl_bin x509 -in $revoke_cert -subject -noout)" != \ + "subject= /CN=subject" ]; then + exit 1 + fi + check_exit_status 0 + + start_message "x509 ... check if csr#2 cert pubkey was forced" + $openssl_bin x509 -in $revoke_cert -pubkey -noout > $revoke_cert.pub + check_exit_status $? + diff $server_dir/testpubkey.pem $revoke_cert.pub + check_exit_status $? + start_message "ca ... issue cert for server csr#3" sv_ecdsa_cert=$server_dir/sv_ecdsa_cert.pem diff --git a/sys/dev/pci/drm/include/linux/of_device.h b/sys/dev/pci/drm/include/linux/of_device.h index 2a5fb2293..68cde3d92 100644 --- a/sys/dev/pci/drm/include/linux/of_device.h +++ b/sys/dev/pci/drm/include/linux/of_device.h @@ -1,3 +1,8 @@ +/* Public domain. */ + +#ifndef _LINUX_OF_DEVICE_H +#define _LINUX_OF_DEVICE_H + #include #include @@ -6,3 +11,5 @@ int __of_device_is_compatible(struct device_node *, const char *); __of_device_is_compatible(__of_node(n), (c)) int of_dma_configure(struct device *, struct device_node *, int); + +#endif diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 913649f1f..9da3bdd20 100644 --- a/sys/kern/uipc_socket.c 
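Review bot: `$openssl_bin genrsa -out $server_dir/testkey.pem` leaves the modulus size to the tool's default, so the fixture for the `-force_pubkey` check changes silently whenever that default moves; pinning it, `$openssl_bin genrsa -out $server_dir/testkey.pem 2048 2>&1`, keeps the regress output stable and makes the later `diff $server_dir/testpubkey.pem $revoke_cert.pub` comparison independent of the default. The expected strings `issuer= /CN=issuer` and `subject= /CN=subject` also hardcode the default `-nameopt` rendering of `-issuer`/`-subject`, which is acceptable for a same-binary regress but worth a comment such as `# default nameopt formatting is part of what is asserted here`. Nothing in the new block asserts that the certificate produced with `-set_issuer` still carries a valid CA signature; with the issuer renamed it cannot chain to $ca_cert, so a plain `openssl verify` is not usable here, and a comment saying so would stop someone from "fixing" the test by adding one.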
+++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.313 2024/01/11 14:15:11 bluhm Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.314 2024/01/12 10:48:03 bluhm Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* @@ -582,7 +582,7 @@ sosend(struct socket *so, struct mbuf *addr, struct uio *uio, struct mbuf *top, #define snderr(errno) { error = errno; goto release; } - solock(so); + solock_shared(so); restart: if ((error = sblock(so, &so->so_snd, SBLOCKWAIT(flags))) != 0) goto out; @@ -635,9 +635,9 @@ restart: if (flags & MSG_EOR) top->m_flags |= M_EOR; } else { - sounlock(so); + sounlock_shared(so); error = m_getuio(&top, atomic, space, uio); - solock(so); + solock_shared(so); if (error) goto release; space -= top->m_pkthdr.len; @@ -665,7 +665,7 @@ release: so->so_snd.sb_state &= ~SS_ISSENDING; sbunlock(so, &so->so_snd); out: - sounlock(so); + sounlock_shared(so); m_freem(top); m_freem(control); return (error); diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c index 61177bb84..d2012ba7b 100644 --- a/sys/nfs/nfs_syscalls.c +++ b/sys/nfs/nfs_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nfs_syscalls.c,v 1.119 2023/08/03 09:49:09 mvs Exp $ */ +/* $OpenBSD: nfs_syscalls.c,v 1.120 2024/01/12 08:47:46 ratchov Exp $ */ /* $NetBSD: nfs_syscalls.c,v 1.19 1996/02/18 11:53:52 fvdl Exp $ */ /* @@ -331,14 +331,15 @@ loop: slp = nfsd->nfsd_slp; if (ISSET(slp->ns_flag, SLP_VALID)) { - if (ISSET(slp->ns_flag, SLP_DISCONN)) { - nfsrv_zapsock(slp); - } else if (ISSET(slp->ns_flag, SLP_NEEDQ)) { + if ((slp->ns_flag & (SLP_DISCONN | SLP_NEEDQ)) == + SLP_NEEDQ) { CLR(slp->ns_flag, SLP_NEEDQ); nfs_sndlock(&slp->ns_solock, NULL); nfsrv_rcv(slp->ns_so, (caddr_t)slp, M_WAIT); nfs_sndunlock(&slp->ns_solock); } + if (ISSET(slp->ns_flag, SLP_DISCONN)) + nfsrv_zapsock(slp); error = nfsrv_dorec(slp, nfsd, &nd); SET(nfsd->nfsd_flag, NFSD_REQINPROG); 
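Review bot: Switching sosend() from solock() to solock_shared() means the write to `so->so_snd.sb_state` at the `release:` label (clearing SS_ISSENDING), and presumably the matching set earlier in the function, now run under a lock that other shared holders may hold at the same time, so they are only safe if sblock() on so_snd is the real serializer for sb_state; nothing in the hunk records that invariant. A comment at the new `solock_shared(so);` line, `/* shared solock: so_snd.sb_state is only written while sblock() is held */`, would document the assumption and give the next person who touches sb_state something to check against. The sounlock_shared()/solock_shared() pair around m_getuio() keeps the pre-existing window in which neither lock is held, which is unchanged in shape but now re-enters with weaker exclusion. sosend() starts before the first hunk and continues between and after the hunks shown.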
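Review bot: The new receive condition in nfs_syscalls.c mixes a raw mask test, `(slp->ns_flag & (SLP_DISCONN | SLP_NEEDQ)) == SLP_NEEDQ`, with the `ISSET()` macro used on the lines right around it; `ISSET(slp->ns_flag, SLP_NEEDQ) && !ISSET(slp->ns_flag, SLP_DISCONN)` says the same thing in the file's own idiom and reads as "need to receive and not disconnected" rather than as a bit puzzle. The reordering also moves nfsrv_zapsock() after a possible nfsrv_rcv() call in the same pass, which I take to be the point of the change (nfsrv_rcv() setting SLP_DISCONN is not visible here); a one-line comment above the second test, `/* nfsrv_rcv() may have flagged a disconnect; zap it now rather than on the next pass */`, would keep the intent from being "simplified" back to the old else-if. nfsrv_dorec() is still called on the just-zapped slp afterwards, as before; whether that relies on nfsrv_zapsock() clearing SLP_VALID is outside the hunk. The enclosing function starts before the hunk and continues after it.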
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 3c376f4b4..b608b1634 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.153 2023/12/29 12:06:48 tb Exp $ +.\" $OpenBSD: openssl.1,v 1.154 2024/01/12 11:24:03 job Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: December 29 2023 $ +.Dd $Mdocdate: January 12 2024 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -6100,6 +6100,7 @@ version. .Op Fl extensions Ar section .Op Fl extfile Ar file .Op Fl fingerprint +.Op Fl force_pubkey Ar key .Op Fl hash .Op Fl in Ar file .Op Fl inform Cm der | net | pem @@ -6109,6 +6110,7 @@ version. .Op Fl keyform Cm der | pem .Op Fl md5 | sha1 .Op Fl modulus +.Op Fl multivalue-rdn .Op Fl nameopt Ar option .Op Fl next_serial .Op Fl noout @@ -6121,7 +6123,9 @@ version. .Op Fl purpose .Op Fl req .Op Fl serial +.Op Fl set_issuer Ar name .Op Fl set_serial Ar n +.Op Fl set_subject Ar name .Op Fl setalias Ar arg .Op Fl signkey Ar file .Op Fl sigopt Ar nm:v @@ -6131,6 +6135,7 @@ version. .Op Fl subject_hash_old .Op Fl text .Op Fl trustout +.Op Fl utf8 .Op Fl x509toreq .Ek .El @@ -6254,6 +6259,16 @@ using the older algorithm as used by versions before 1.0.0. .It Fl modulus Print the value of the modulus of the public key contained in the certificate. +.It Fl multivalue-rdn +This option causes the +.Fl subj +argument to be interpreted with full support for multivalued RDNs, +for example +.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" . +If +.Fl multivalue-rdn +is not used, the UID value is set to +.Qq "123456+CN=John Doe" . .It Fl nameopt Ar option Customise how the subject or issuer names are displayed, either using a list of comma-separated options or by specifying 
@@ -6686,12 +6701,25 @@ which contains the section to use. .It Fl extfile Ar file File containing certificate extensions to use. If not specified, no extensions are added to the certificate. +.It Fl force_pubkey Ar key +Set the public key of the certificate to the public key contained in +.Ar key . .It Fl keyform Cm der | pem -The format of the private key file used in the +The format of the key file used in the +.Fl force_pubkey +and .Fl signkey -option. +options. .It Fl req Expect a certificate request on input instead of a certificate. +.It Fl set_issuer Ar name +The issuer name to use. +.Ar name +must be formatted as /type0=value0/type1=value1/type2=...; +characters may be escaped by +.Sq \e +(backslash); +no spaces are skipped. .It Fl set_serial Ar n The serial number to use. This option can be used with either the @@ -6710,6 +6738,14 @@ options) is not used. The serial number can be decimal or hex (if preceded by .Sq 0x ) . Negative serial numbers can also be specified but their use is not recommended. +.It Fl set_subject Ar name +The subject name to use. +.Ar name +must be formatted as /type0=value0/type1=value1/type2=...; +characters may be escaped by +.Sq \e +(backslash); +no spaces are skipped. .It Fl signkey Ar file Self-sign .Ar file @@ -6730,6 +6766,10 @@ option is supplied. If the input is a certificate request, a self-signed certificate is created using the supplied private key using the subject name in the request. +.It Fl utf8 +Interpret field values read from a terminal or obtained from a configuration +file as UTF-8 strings. +By default, they are interpreted as ASCII. .It Fl x509toreq Convert a certificate into a certificate request. The diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c index 7f60110c4..332399e7c 100644 --- a/usr.bin/openssl/x509.c +++ b/usr.bin/openssl/x509.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.36 2024/01/12 11:24:03 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -81,11 +81,11 @@ static int callb(int ok, X509_STORE_CTX *ctx); static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, - const EVP_MD *digest, CONF *conf, char *section); + const EVP_MD *digest, CONF *conf, char *section, X509_NAME *issuer); static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, char *serial, int create, int days, int clrext, CONF *conf, char *section, - ASN1_INTEGER *sno); + ASN1_INTEGER *sno, X509_NAME *issuer); static int purpose_print(BIO *bio, X509 *cert, const X509_PURPOSE *pt); static struct { @@ -103,6 +103,7 @@ static struct { unsigned long certflag; int checkend; int checkoffset; + unsigned long chtype; int clrext; int clrreject; int clrtrust; @@ -113,6 +114,7 @@ static struct { char *extfile; char *extsect; int fingerprint; + char *force_pubkey; char *infile; int informat; int issuer; @@ -124,6 +126,7 @@ static struct { int keyformat; const EVP_MD *md_alg; int modulus; + int multirdn; int next_serial; unsigned long nmflag; int noout; @@ -139,6 +142,8 @@ static struct { STACK_OF(ASN1_OBJECT) *reject; int reqfile; int serial; + char *set_issuer; + char *set_subject; int sign_flag; STACK_OF(OPENSSL_STRING) *sigopts; ASN1_INTEGER *sno; @@ -312,6 +317,13 @@ x509_opt_sigopt(char *arg) return (0); } +static int +x509_opt_utf8(void) +{ + cfg.chtype = MBSTRING_UTF8; + return (0); +} + static const struct option x509_options[] = { { .name = "C", 
@@ -467,6 +479,13 @@ static const struct option x509_options[] = { .opt.order = &cfg.fingerprint, .order = &cfg.num, }, + { + .name = "force_pubkey", + .argname = "key", + .desc = "Force the public key to be put in the certificate", + .type = OPTION_ARG, + .opt.arg = &cfg.force_pubkey, + }, { .name = "hash", .desc = "Synonym for -subject_hash", @@ -525,6 +544,12 @@ static const struct option x509_options[] = { .opt.order = &cfg.modulus, .order = &cfg.num, }, + { + .name = "multivalue-rdn", + .desc = "Enable support for multivalued RDNs", + .type = OPTION_FLAG, + .opt.flag = &cfg.multirdn, + }, { .name = "nameopt", .argname = "option", @@ -608,6 +633,13 @@ static const struct option x509_options[] = { .opt.order = &cfg.serial, .order = &cfg.num, }, + { + .name = "set_issuer", + .argname = "name", + .desc = "Set the issuer name", + .type = OPTION_ARG, + .opt.arg = &cfg.set_issuer, + }, { .name = "set_serial", .argname = "n", @@ -615,6 +647,13 @@ static const struct option x509_options[] = { .type = OPTION_ARG_FUNC, .opt.argfunc = x509_opt_set_serial, }, + { + .name = "set_subject", + .argname = "name", + .desc = "Set the subject name", + .type = OPTION_ARG, + .opt.arg = &cfg.set_subject, + }, { .name = "setalias", .argname = "arg", @@ -643,6 +682,11 @@ static const struct option x509_options[] = { .opt.order = &cfg.startdate, .order = &cfg.num, }, + { + .name = "subj", + .type = OPTION_ARG, + .opt.arg = &cfg.set_subject, + }, { .name = "subject", .desc = "Print subject name", @@ -679,6 +723,12 @@ static const struct option x509_options[] = { .type = OPTION_FLAG, .opt.flag = &cfg.trustout, }, + { + .name = "utf8", + .desc = "Input characters are in UTF-8 (default ASCII)", + .type = OPTION_FUNC, + .opt.func = x509_opt_utf8, + }, { .name = "x509toreq", .desc = "Output a certification request object", 
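Review bot: The new `subj` entry in x509_options[] has no `.desc`, so it is hidden from options_usage() output, while the openssl(1) synopsis in this same commit lists only `-set_subject` and the `-multivalue-rdn` paragraph refers to a `-subj` argument; a reader of the table cannot tell whether the alias is intentional or a leftover. A comment on the entry, `/* undocumented alias for -set_subject, kept for OpenSSL compatibility */` (or whatever the real reason is), would settle that, and the man page should then use one spelling. The `.desc` strings for `-multivalue-rdn` and `-utf8` also do not say that they affect the parsing of both `-set_subject` and `-set_issuer` (both go through parse_name() with cfg.chtype and cfg.multirdn later in the file); `"Enable multivalued RDNs in -set_subject/-set_issuer"` would. The x509_options[] array begins before and ends after the hunks shown.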
@@ -704,16 +754,17 @@ x509_usage(void) " [-CAkeyform der | pem] [-CAserial file] [-certopt option]\n" " [-checkend arg] [-clrext] [-clrreject] [-clrtrust] [-dates]\n" " [-days arg] [-email] [-enddate] [-extensions section]\n" - " [-extfile file] [-fingerprint] [-hash] [-in file]\n" - " [-inform der | net | pem] [-issuer] [-issuer_hash]\n" - " [-issuer_hash_old] [-keyform der | pem] [-md5 | -sha1]\n" - " [-modulus] [-nameopt option] [-next_serial] [-noout]\n" - " [-ocsp_uri] [-ocspid] [-out file]\n" - " [-outform der | net | pem] [-passin arg] [-pubkey]\n" - " [-purpose] [-req] [-serial] [-set_serial n] [-setalias arg]\n" - " [-signkey file] [-sigopt nm:v] [-startdate] [-subject]\n" - " [-subject_hash] [-subject_hash_old] [-text] [-trustout]\n" - " [-x509toreq]\n"); + " [-extfile file] [-fingerprint] [-force_pubkey key] [-hash]\n" + " [-in file] [-inform der | net | pem] [-issuer]\n" + " [-issuer_hash] [-issuer_hash_old] [-keyform der | pem]\n" + " [-md5 | -sha1] [-modulus] [-multivalue-rdn]\n" + " [-nameopt option] [-next_serial] [-noout] [-ocsp_uri]\n" + " [-ocspid] [-out file] [-outform der | net | pem]\n" + " [-passin arg] [-pubkey] [-purpose] [-req] [-serial]\n" + " [-set_issuer name] [-set_serial n] [-set_subject name]\n" + " [-setalias arg] [-signkey file] [-sigopt nm:v] [-startdate]\n" + " [-subject] [-subject_hash] [-subject_hash_old] [-text]\n" + " [-trustout] [-utf8] [-x509toreq]\n"); fprintf(stderr, "\n"); options_usage(x509_options); fprintf(stderr, "\n"); @@ -725,7 +776,8 @@ x509_main(int argc, char **argv) int ret = 1; X509_REQ *req = NULL; X509 *x = NULL, *xca = NULL; - EVP_PKEY *Upkey = NULL, *CApkey = NULL; + X509_NAME *iname = NULL, *sname = NULL; + EVP_PKEY *Fpkey = NULL, *Upkey = NULL, *CApkey = NULL; int i; BIO *out = NULL; BIO *STDout = NULL; @@ -741,6 +793,7 @@ x509_main(int argc, char **argv) } memset(&cfg, 0, sizeof(cfg)); + cfg.chtype = MBSTRING_ASC; cfg.days = DEF_DAYS; cfg.informat = FORMAT_PEM; cfg.outformat = FORMAT_PEM; 
@@ -811,6 +864,11 @@ x509_main(int argc, char **argv) goto end; } } + if (cfg.force_pubkey != NULL) { + if ((Fpkey = load_pubkey(bio_err, cfg.force_pubkey, + cfg.keyformat, 0, NULL, "Forced key")) == NULL) + goto end; + } if (cfg.reqfile) { EVP_PKEY *pkey; BIO *in; @@ -875,9 +933,21 @@ x509_main(int argc, char **argv) } else if (!X509_set_serialNumber(x, cfg.sno)) goto end; - if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) + if (cfg.set_issuer != NULL) { + iname = parse_name(cfg.set_issuer, cfg.chtype, + cfg.multirdn); + if (iname == NULL) + goto end; + } + + if (cfg.set_subject != NULL) + sname = parse_name(cfg.set_subject, cfg.chtype, + cfg.multirdn); + else + sname = X509_NAME_dup(X509_REQ_get_subject_name(req)); + if (sname == NULL) goto end; - if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) + if (!X509_set_subject_name(x, sname)) goto end; if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) @@ -886,7 +956,9 @@ x509_main(int argc, char **argv) NULL) == NULL) goto end; - if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) + if ((pkey = Fpkey) == NULL) + pkey = X509_REQ_get0_pubkey(req); + if (pkey == NULL) goto end; if (!X509_set_pubkey(x, pkey)) goto end; @@ -1204,7 +1276,7 @@ x509_main(int argc, char **argv) } if (!sign(x, Upkey, cfg.days, cfg.clrext, cfg.digest, - extconf, cfg.extsect)) + extconf, cfg.extsect, iname)) goto end; } else if (cfg.CA_flag == i) { BIO_printf(bio_err, "Getting CA Private Key\n"); @@ -1218,7 +1290,7 @@ x509_main(int argc, char **argv) if (!x509_certify(ctx, cfg.CAfile, cfg.digest, x, xca, CApkey, cfg.sigopts, cfg.CAserial, cfg.CA_createserial, cfg.days, cfg.clrext, - extconf, cfg.extsect, cfg.sno)) + extconf, cfg.extsect, cfg.sno, iname)) goto end; } else if (cfg.x509req == i) { EVP_PKEY *pk; 
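Review bot: The parse_name() calls for `-set_issuer` and `-set_subject` replace code that dereferenced `req`, so they appear to sit inside the `if (cfg.reqfile)` branch; when the input is an existing certificate rather than a CSR, both options are parsed by the option table and then silently ignored, because `iname` stays NULL (sign() and x509_certify() fall back to the old issuer) and the subject is never touched. Silently dropping a caller-requested name is the wrong failure mode for a tool that mints certificates: either hoist the two parse_name() blocks above the `-req` test so that `-set_subject` can also be applied with X509_set_subject_name() on the certificate path, or reject the combination up front with `if (!cfg.reqfile && (cfg.set_issuer != NULL || cfg.set_subject != NULL)) { BIO_printf(bio_err, "-set_issuer/-set_subject require -req\n"); goto end; }`. If the branch placement differs from what the context lines suggest, this does not apply. x509_main() starts before these hunks and continues after them.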
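Review bot: With `-force_pubkey`, `pkey = Fpkey` substitutes the loaded key before X509_set_pubkey(), so whatever CSR signature check precedes it in this branch (not visible in the hunk) proves possession of the CSR's key, not of the key that ends up in the certificate; the option is a deliberate proof-of-possession bypass and that should be stated at the point of substitution. Suggested comment above `if ((pkey = Fpkey) == NULL)`: `/* -force_pubkey: the CSR signature no longer proves possession of the issued key */`. The `-force_pubkey` paragraph added to openssl(1) in this commit could carry the same caveat so users understand why they get a certificate for a key nobody has demonstrated holding. x509_main() continues outside the hunk.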
@@ -1302,10 +1374,13 @@ x509_main(int argc, char **argv) NCONF_free(extconf); BIO_free_all(out); BIO_free_all(STDout); + X509_NAME_free(iname); + X509_NAME_free(sname); X509_STORE_free(ctx); X509_REQ_free(req); X509_free(x); X509_free(xca); + EVP_PKEY_free(Fpkey); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); sk_OPENSSL_STRING_free(cfg.sigopts); @@ -1366,7 +1441,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, char *serialfile, int create, int days, int clrext, CONF *conf, - char *section, ASN1_INTEGER *sno) + char *section, ASN1_INTEGER *sno, X509_NAME *issuer) { int ret = 0; ASN1_INTEGER *bs = NULL; @@ -1405,8 +1480,14 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, "CA certificate and CA private key do not match\n"); goto end; } - if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) + + if (issuer == NULL) + issuer = X509_get_subject_name(xca); + if (issuer == NULL) goto end; + if (!X509_set_issuer_name(x, issuer)) + goto end; + if (!X509_set_serialNumber(x, bs)) goto end; @@ -1483,7 +1564,7 @@ callb(int ok, X509_STORE_CTX *ctx) /* self sign */ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, - CONF *conf, char *section) + CONF *conf, char *section, X509_NAME *issuer) { EVP_PKEY *pktmp; @@ -1493,7 +1574,11 @@ sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, EVP_PKEY_copy_parameters(pktmp, pkey); EVP_PKEY_save_parameters(pktmp, 1); - if (!X509_set_issuer_name(x, X509_get_subject_name(x))) + if (issuer == NULL) + issuer = X509_get_subject_name(x); + if (issuer == NULL) + goto err; + if (!X509_set_issuer_name(x, issuer)) goto err; if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) goto err; diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index c36fae41b..93e7ba421 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c 
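Review bot: In x509_certify() the issuer override is applied after the `X509_check_private_key()` match test (the "CA certificate and CA private key do not match" context line), so a caller can now produce a certificate signed by the CA key whose issuer name differs from the CA's subject; such a certificate will not chain to that CA under normal path validation, which is presumably the intent (negative test fixtures), but nothing at the new `issuer = X509_get_subject_name(xca);` fallback says so. A comment there, `/* -set_issuer may deliberately yield a cert that does not chain to xca */`, and a mirror in sign() where `-set_issuer` plus `-signkey` yields a certificate that is self-signed by key but not self-issued by name, would make the semantics explicit. The added `if (issuer == NULL) goto end;` after X509_get_subject_name() is harmless but is unlikely to fire for a decoded X509, so it reads as if a failure path exists where none does; if the NULL check is meant for the `-set_issuer` parse failure, that is already handled in x509_main() before the call. Both functions begin before and continue after the hunks shown.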
@@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.458 2024/01/11 14:11:03 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.459 2024/01/12 11:19:51 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -2953,9 +2953,11 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) struct mrt *mrt; struct imsgbuf *i; struct peer *p; - struct listen_addr *la, *nla; - struct session_dependon *sdon; + struct listen_addr *la, *next, nla; + struct session_dependon sdon; + struct bgpd_config tconf; u_char *data; + uint32_t peerid; int n, fd, depend_ok, restricted; uint16_t t; uint8_t aid, errcode, subcode; @@ -2967,7 +2969,8 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) if (n == 0) break; - switch (imsg.hdr.type) { + peerid = imsg_get_id(&imsg); + switch (imsg_get_type(&imsg)) { case IMSG_SOCKET_CONN: case IMSG_SOCKET_CONN_CTL: if (idx != PFD_PIPE_MAIN) @@ -2980,7 +2983,7 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) if ((i = malloc(sizeof(struct imsgbuf))) == NULL) fatal(NULL); imsg_init(i, fd); - if (imsg.hdr.type == IMSG_SOCKET_CONN) { + if (imsg_get_type(&imsg) == IMSG_SOCKET_CONN) { if (ibuf_rde) { log_warnx("Unexpected imsg connection " "to RDE received"); @@ -3001,9 +3004,11 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) case IMSG_RECONF_CONF: if (idx != PFD_PIPE_MAIN) fatalx("reconf request not from parent"); - nconf = new_config(); + if (imsg_get_data(&imsg, &tconf, sizeof(tconf)) == -1) + fatal("imsg_get_data"); - copy_config(nconf, imsg.data); + nconf = new_config(); + copy_config(nconf, &tconf); pending_reconf = 1; break; case IMSG_RECONF_PEER: 
@@ -3011,7 +3016,9 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) fatalx("reconf request not from parent"); if ((p = calloc(1, sizeof(struct peer))) == NULL) fatal("new_peer"); - memcpy(&p->conf, imsg.data, sizeof(struct peer_config)); + if (imsg_get_data(&imsg, &p->conf, sizeof(p->conf)) == + -1) + fatal("imsg_get_data"); p->state = p->prev_state = STATE_NONE; p->reconf_action = RECONF_REINIT; if (RB_INSERT(peer_head, &nconf->peers, p) != NULL) @@ -3022,33 +3029,34 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) fatalx("reconf request not from parent"); if (nconf == NULL) fatalx("IMSG_RECONF_LISTENER but no config"); - nla = imsg.data; + if (imsg_get_data(&imsg, &nla, sizeof(nla)) == -1) + fatal("imsg_get_data"); TAILQ_FOREACH(la, conf->listen_addrs, entry) - if (!la_cmp(la, nla)) + if (!la_cmp(la, &nla)) break; if (la == NULL) { - if (nla->reconf != RECONF_REINIT) + if (nla.reconf != RECONF_REINIT) fatalx("king bula sez: " "expected REINIT"); - if ((nla->fd = imsg_get_fd(&imsg)) == -1) + if ((nla.fd = imsg_get_fd(&imsg)) == -1) log_warnx("expected to receive fd for " "%s but didn't receive any", log_sockaddr((struct sockaddr *) - &nla->sa, nla->sa_len)); + &nla.sa, nla.sa_len)); la = calloc(1, sizeof(struct listen_addr)); if (la == NULL) fatal(NULL); - memcpy(&la->sa, &nla->sa, sizeof(la->sa)); - la->flags = nla->flags; - la->fd = nla->fd; + memcpy(&la->sa, &nla.sa, sizeof(la->sa)); + la->flags = nla.flags; + la->fd = nla.fd; la->reconf = RECONF_REINIT; TAILQ_INSERT_TAIL(nconf->listen_addrs, la, entry); } else { - if (nla->reconf != RECONF_KEEP) + if (nla.reconf != RECONF_KEEP) fatalx("king bula sez: expected KEEP"); la->reconf = RECONF_KEEP; } 
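Review bot: In the IMSG_RECONF_LISTENER branch the missing-fd case is only logged: after `log_warnx("expected to receive fd for %s but didn't receive any", ...)` the code still allocates `la`, stores `la->fd = nla.fd` (now -1) and inserts it into `nconf->listen_addrs`, whereas the IMSG_MRT_OPEN branch in this same commit turns the equivalent condition into a `break`. Unless the reconf merge further down tolerates fd == -1 listeners (not visible here), this should be `fatalx("RECONF_LISTENER without fd")` or at least `break;` before the calloc, so a reconfiguration cannot install a listener that can never accept. The switch to a stack copy via `imsg_get_data(&imsg, &nla, sizeof(nla))` is the right direction since it enforces the exact payload size instead of pointing at the raw buffer. session_dispatch_imsg() starts before the hunks and continues after them.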
@@ -3057,10 +3065,10 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) case IMSG_RECONF_CTRL: if (idx != PFD_PIPE_MAIN) fatalx("reconf request not from parent"); - if (imsg.hdr.len != IMSG_HEADER_SIZE + - sizeof(restricted)) - fatalx("RECONF_CTRL imsg with wrong len"); - memcpy(&restricted, imsg.data, sizeof(restricted)); + + if (imsg_get_data(&imsg, &restricted, + sizeof(restricted)) == -1) + fatal("imsg_get_data"); if ((fd = imsg_get_fd(&imsg)) == -1) { log_warnx("expected to receive fd for control " "socket but didn't receive any"); @@ -3103,9 +3111,8 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) merge_peers(conf, nconf); /* delete old listeners */ - for (la = TAILQ_FIRST(conf->listen_addrs); la != NULL; - la = nla) { - nla = TAILQ_NEXT(la, entry); + TAILQ_FOREACH_SAFE(la, conf->listen_addrs, entry, + next) { if (la->reconf == RECONF_NONE) { log_info("not listening on %s any more", log_sockaddr((struct sockaddr *) @@ -3134,14 +3141,12 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) case IMSG_SESSION_DEPENDON: if (idx != PFD_PIPE_MAIN) fatalx("IFINFO message not from parent"); - if (imsg.hdr.len != IMSG_HEADER_SIZE + - sizeof(struct session_dependon)) + if (imsg_get_data(&imsg, &sdon, sizeof(sdon)) == -1) fatalx("DEPENDON imsg with wrong len"); - sdon = imsg.data; - depend_ok = sdon->depend_state; + depend_ok = sdon.depend_state; RB_FOREACH(p, peer_head, &conf->peers) - if (!strcmp(p->conf.if_depend, sdon->ifname)) { + if (!strcmp(p->conf.if_depend, sdon.ifname)) { if (depend_ok && !p->depend_ok) { p->depend_ok = depend_ok; bgp_fsm(p, EVNT_START); 
@@ -3154,16 +3159,18 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) break; case IMSG_MRT_OPEN: case IMSG_MRT_REOPEN: - if (imsg.hdr.len > IMSG_HEADER_SIZE + - sizeof(struct mrt)) { - log_warnx("wrong imsg len"); + if (idx != PFD_PIPE_MAIN) + fatalx("mrt request not from parent"); + if (imsg_get_data(&imsg, &xmrt, sizeof(xmrt)) == -1) { + log_warnx("mrt open, wrong imsg len"); break; } - memcpy(&xmrt, imsg.data, sizeof(struct mrt)); - if ((xmrt.wbuf.fd = imsg_get_fd(&imsg)) == -1) + if ((xmrt.wbuf.fd = imsg_get_fd(&imsg)) == -1) { log_warnx("expected to receive fd for mrt dump " "but didn't receive any"); + break; + } mrt = mrt_get(&mrthead, &xmrt); if (mrt == NULL) { @@ -3181,13 +3188,13 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) } break; case IMSG_MRT_CLOSE: - if (imsg.hdr.len > IMSG_HEADER_SIZE + - sizeof(struct mrt)) { - log_warnx("wrong imsg len"); + if (idx != PFD_PIPE_MAIN) + fatalx("mrt request not from parent"); + if (imsg_get_data(&imsg, &xmrt, sizeof(xmrt)) == -1) { + log_warnx("mrt close, wrong imsg len"); break; } - memcpy(&xmrt, imsg.data, sizeof(struct mrt)); mrt = mrt_get(&mrthead, &xmrt); if (mrt != NULL) mrt_done(mrt); @@ -3206,7 +3213,7 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) case IMSG_CTL_SHOW_NEIGHBOR: if (idx != PFD_PIPE_ROUTE_CTL) fatalx("ctl rib request not from RDE"); - p = getpeerbyid(conf, imsg.hdr.peerid); + p = getpeerbyid(conf, peerid); control_imsg_relay(&imsg, p); break; case IMSG_CTL_SHOW_RIB: 
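Review bot: The new `idx != PFD_PIPE_MAIN` guard establishes that IMSG_MRT_OPEN/REOPEN/CLOSE only ever come from the parent, yet a wrong-sized payload from that same trusted parent is handled as `log_warnx("mrt open, wrong imsg len"); break;` while the parallel IMSG_RECONF_* and IMSG_SESSION_DEPENDON branches treat the identical imsg_get_data() failure as fatal()/fatalx(). A size mismatch between privileged processes of one binary is a protocol bug rather than a runtime condition, so either `fatalx("mrt open, wrong imsg len")` for consistency, or a comment explaining why MRT messages are tolerated. The added `break` when no fd arrives is a real fix over the old path that continued with `xmrt.wbuf.fd == -1`; a one-line comment such as `/* a dump target without an fd cannot be opened */` would keep it from being reverted as over-cautious. The fatal() versus fatalx() split across the branches (fatal appends strerror(errno), which imsg_get_data() may or may not set) is also worth normalizing in one direction. The switch continues outside the hunk.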
@@ -3285,33 +3292,29 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) case IMSG_REFRESH: if (idx != PFD_PIPE_ROUTE) fatalx("route refresh request not from RDE"); - if (imsg.hdr.len < IMSG_HEADER_SIZE + sizeof(rr)) { + if (imsg_get_data(&imsg, &rr, sizeof(rr)) == -1) { log_warnx("RDE sent invalid refresh msg"); break; } - if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) { - log_warnx("no such peer: id=%u", - imsg.hdr.peerid); + if ((p = getpeerbyid(conf, peerid)) == NULL) { + log_warnx("no such peer: id=%u", peerid); break; } - memcpy(&rr, imsg.data, sizeof(rr)); if (rr.aid >= AID_MAX) fatalx("IMSG_REFRESH: bad AID"); session_rrefresh(p, rr.aid, rr.subtype); break; case IMSG_SESSION_RESTARTED: if (idx != PFD_PIPE_ROUTE) - fatalx("update request not from RDE"); - if (imsg.hdr.len < IMSG_HEADER_SIZE + sizeof(aid)) { + fatalx("session restart not from RDE"); + if (imsg_get_data(&imsg, &aid, sizeof(aid)) == -1) { log_warnx("RDE sent invalid restart msg"); break; } - if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) { - log_warnx("no such peer: id=%u", - imsg.hdr.peerid); + if ((p = getpeerbyid(conf, peerid)) == NULL) { + log_warnx("no such peer: id=%u", peerid); break; } - memcpy(&aid, imsg.data, sizeof(aid)); if (aid >= AID_MAX) fatalx("IMSG_SESSION_RESTARTED: bad AID"); if (p->capa.neg.grestart.flags[aid] & 
@@ -3325,17 +3328,16 @@ session_dispatch_imsg(struct imsgbuf *imsgbuf, int idx, u_int *listener_cnt) /* signal back to RDE to cleanup stale routes */ if (imsg_rde(IMSG_SESSION_RESTARTED, - imsg.hdr.peerid, &aid, sizeof(aid)) == -1) + peerid, &aid, sizeof(aid)) == -1) fatal("imsg_compose: " "IMSG_SESSION_RESTARTED"); } break; case IMSG_SESSION_DOWN: if (idx != PFD_PIPE_ROUTE) - fatalx("update request not from RDE"); - if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == NULL) { - log_warnx("no such peer: id=%u", - imsg.hdr.peerid); + fatalx("session down not from RDE"); + if ((p = getpeerbyid(conf, peerid)) == NULL) { + log_warnx("no such peer: id=%u", peerid); break; } session_stop(p, ERR_CEASE_ADMIN_DOWN); diff --git a/usr.sbin/vmctl/vmctl.8 b/usr.sbin/vmctl/vmctl.8 index bb0470af8..7e23f2a4c 100644 --- a/usr.sbin/vmctl/vmctl.8 +++ b/usr.sbin/vmctl/vmctl.8 @@ -1,6 +1,6 @@ -.\" $OpenBSD: vmctl.8,v 1.74 2023/04/28 20:13:56 dv Exp $ +.\" $OpenBSD: vmctl.8,v 1.75 2024/01/12 23:50:11 mlarkin Exp $ .\" -.\" Copyright (c) 2015 Mike Larkin +.\" Copyright (c) 2015-2024 Mike Larkin .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: April 28 2023 $ +.Dd $Mdocdate: January 12 2024 $ .Dt VMCTL 8 .Os .Sh NAME @@ -122,7 +122,9 @@ Receive a VM from standard input and start it with the specified .Ar name . .It Cm reload Remove all stopped VMs and reload the configuration from the default -configuration file. +configuration file. VMs that are currently running will not have their +configuration reloaded. To reload configurations for currently running +VMs, stop those VMs before issuing the reload command. .It Cm reset Op Cm all | switches | vms Reset the running state, reset 
@@ -218,7 +220,8 @@ option. Memory .Ar size of the VM, rounded to megabytes. -The default is 512M. +The default is 512M. The maximum amount of memory assignable to a VM is +governed by the datasize parameter for the vmd user in /etc/login.conf. .It Fl n Ar switch Add a network interface that is attached to the specified virtual .Ar switch .