sync code with last improvements from OpenBSD

lib/libc/locale/mbrtowc.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: mbrtowc.3,v 1.6 2023/08/20 15:02:51 schwarze Exp $
+.\" $OpenBSD: mbrtowc.3,v 1.7 2023/09/12 08:33:37 jsg Exp $
 .\" $NetBSD: mbrtowc.3,v 1.5 2003/09/08 17:54:31 wiz Exp $
 .\"
 .\" Copyright (c)2023 Ingo Schwarze <schwarze@openbsd.org>
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt MBRTOWC 3
 .Os
 .Sh NAME
@@ -281,13 +281,13 @@ conforms to
 .St -isoC-2011 .
 .Sh HISTORY
 .Fn mbrtowc
-has been available since since
+has been available since
 .Ox 3.8
 and has provided support for UTF-8 since
 .Ox 4.8 .
 .Pp
 .Fn mbrtoc32
-has been available since since
+has been available since
 .Ox 7.4 .
 .Sh CAVEATS
 .Fn mbrtowc

lib/libc/locale/wcrtomb.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: wcrtomb.3,v 1.11 2023/08/20 15:02:51 schwarze Exp $
+.\" $OpenBSD: wcrtomb.3,v 1.12 2023/09/12 08:33:37 jsg Exp $
 .\" $NetBSD: wcrtomb.3,v 1.4 2003/09/08 17:54:31 wiz Exp $
 .\"
 .\" Copyright (c)2023 Ingo Schwarze <schwarze@openbsd.org>
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt WCRTOMB 3
 .Os
 .Sh NAME
@@ -182,5 +182,5 @@ and has provided support for UTF-8 since
 .Ox 4.8 .
 .Pp
 .Fn c32rtomb
-has been available since since
+has been available since
 .Ox 7.4 .

lib/libcrypto/man/EVP_AEAD_CTX_init.3

@@ -1,8 +1,9 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.13 2023/08/24 04:33:08 tb Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.15 2023/09/12 13:58:06 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
+.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 24 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -147,7 +148,11 @@ argument must be
 for the default implementation;
 other values are currently not supported.
 Authentication tags may be truncated by passing a tag length.
-A tag length of zero indicates the default tag length should be used.
+A
+.Fa tag_len
+argument of
+.Dv EVP_AEAD_DEFAULT_TAG_LENGTH ,
+which has the value 0, causes the default tag length to be used.
 .Pp
 .Fn EVP_AEAD_CTX_cleanup
 frees any data allocated for the context
@@ -241,6 +246,18 @@ and
 provide information about the AEAD algorithm
 .Fa aead .
 .Pp
+.Fn EVP_AEAD_max_tag_len
+returns the maximum tag length that can be used with the given
+.Fa aead .
+This is the largest value that can be passed as the
+.Fa tag_len
+argument to
+.Fn EVP_AEAD_CTX_init .
+No built-in
+.Vt EVP_AEAD
+object has a maximum tag length larger than the constant
+.Dv EVP_AEAD_MAX_TAG_LENGTH .
+.Pp
 All cipher algorithms have a fixed key length unless otherwise stated.
 The following ciphers are available:
 .Bl -tag -width Ds -offset indent
@@ -262,6 +279,9 @@ ChaCha20 with a Poly1305 authenticator, using a
 of 32 bytes and a
 .Fa nonce_len
 of 12 bytes.
+The constant
+.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
+specifies the length of the authentication tag in bytes and has a value of 16.
 .It Fn EVP_aead_xchacha20_poly1305
 XChaCha20 with a Poly1305 authenticator, using a
 .Fa key_len
@@ -310,8 +330,6 @@ sealing data with the AEAD.
 .Pp
 .Fn EVP_AEAD_max_tag_len
 returns the maximum tag length when using this AEAD.
-This is the largest value that can be passed as a tag length to
-.Fn EVP_AEAD_CTX_init .
 .Pp
 .Fn EVP_AEAD_nonce_length
 returns the length of the per-message nonce.

lib/libcrypto/man/EVP_MD_meth_new.3

@@ -1,8 +1,25 @@
-.\" $OpenBSD: EVP_MD_meth_new.3,v 1.3 2023/08/12 16:48:23 schwarze Exp $
+.\" $OpenBSD: EVP_MD_meth_new.3,v 1.4 2023/09/12 12:11:05 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/EVP_MD_meth_new 0388d212 Dec 14 12:47:07 2018 -0800
 .\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Richard Levitte <levitte@openssl.org>
 .\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -49,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 12 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt EVP_MD_METH_NEW 3
 .Os
 .Sh NAME
@@ -179,26 +196,59 @@ sets the flags to describe optional behaviours in the particular
 Several flags can be or'd together.
 The available flags are:
 .Bl -tag -width Ds
-.It EVP_MD_FLAG_ONESHOT
-This digest method can only handle one block of input.
-.It EVP_MD_FLAG_DIGALGID_NULL
-When setting up a DigestAlgorithmIdentifier, this flag will have the
-parameter set to NULL by default.
+.It Dv EVP_MD_FLAG_DIGALGID_NULL
+When setting up a
+.Vt DigestAlgorithmIdentifier
+with
+.Xr X509_ALGOR_set_md 3 ,
+set the parameter type to
+.Dv V_ASN1_NULL
+and the parameter value to
+.Dv NULL .
+This is the default, which means that it takes effect for
+.Vt EVP_MD
+objects that do not have
+.Dv EVP_MD_FLAG_DIGALGID_ABSENT
+set.
 Use this for PKCS#1.
-.Em Note: if combined with EVP_MD_FLAG_DIGALGID_ABSENT, the latter will override.
-.It EVP_MD_FLAG_DIGALGID_ABSENT
-When setting up a DigestAlgorithmIdentifier, this flag will have the
-parameter be left absent by default.
-.Em Note: if combined with EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.
-.It EVP_MD_FLAG_DIGALGID_CUSTOM
-Custom DigestAlgorithmIdentifier handling via ctrl, with
-.Sy EVP_MD_FLAG_DIGALGID_ABSENT
-as default.
-.Em Note: if combined with EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.
-Currently unused.
-.It EVP_MD_FLAG_FIPS
-This digest method is suitable for use in FIPS mode.
-Currently unused.
+.It Dv EVP_MD_FLAG_DIGALGID_ABSENT
+When setting up a
+.Vt DigestAlgorithmIdentifier
+with
+.Xr X509_ALGOR_set_md 3 ,
+set the parameter type to
+.Dv V_ASN1_UNDEF
+and the parameter value to
+.Dv NULL .
+This is used by the
+.Vt EVP_MD
+objects documented in the manual page
+.Xr EVP_sha3_224 3
+and by the objects returned from
+.Xr EVP_sha512 3 ,
+.Xr EVP_sha512_256 3 ,
+.Xr EVP_sha512_224 3 ,
+.Xr EVP_sha384 3 ,
+.Xr EVP_sha256 3 ,
+.Xr EVP_sha224 3 ,
+.Xr EVP_sha1 3 ,
+and
+.Xr EVP_sm3 3 .
+.It Dv EVP_MD_FLAG_DIGALGID_CUSTOM
+This flag is reserved for used-defined
+.Vt EVP_MD
+objects supporting custom
+.Vt DigestAlgorithmIdentifier
+handling via
+.Xr EVP_MD_CTX_ctrl 3 ,
+but actually, it is ignored by both LibreSSL and OpenSSL
+and such user-defined behaviour is not supported by the libraries.
+.It Dv EVP_MD_FLAG_FIPS
+Mark the digest method as suitable for FIPS mode.
+This flag is ignored by both LibreSSL and OpenSSL.
+.It Dv EVP_MD_FLAG_ONESHOT
+Intended to indicate that the digest method can only handle one block
+of input, but actually, this flag is ignored by both LibreSSL and OpenSSL.
 .El
 .Pp
 .Fn EVP_MD_meth_set_init

lib/libcrypto/man/EVP_PKEY_size.3

@@ -1,10 +1,10 @@
-.\" $OpenBSD: EVP_PKEY_size.3,v 1.1 2022/07/13 19:10:40 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_size.3,v 1.2 2023/09/12 15:29:03 schwarze Exp $
 .\" full merge up to: OpenSSL eed9d03b Jan 8 11:04:15 2020 +0100
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt EVP_PKEY_SIZE 3
 .Os
 .Sh NAME
@@ -137,17 +137,26 @@ where it's desirable to know the upper limit in advance.
 By default,
 .Fn EVP_PKEY_size
 is supported for the following algorithms:
-.Bl -column GOST01 "EVP_MAX_BLOCK_LENGTH = 32"
+.Bl -column ED25519 "EVP_MAX_BLOCK_LENGTH = 32"
 .It        Ta same result as from:
 .It CMAC   Ta Dv EVP_MAX_BLOCK_LENGTH No = 32
 .It DH     Ta Xr DH_size 3
 .It DSA    Ta Xr DSA_size 3
 .It EC     Ta Xr ECDSA_size 3
+.It ED25519 Ta 64, but see below
 .It GOST01 Ta 64 or 128
 .It HMAC   Ta Dv EVP_MAX_MD_SIZE No = 64
 .It RSA    Ta Xr RSA_size 3
+.It X25519 Ta Dv X25519_KEYLEN No = 32
 .El
 .Pp
+For
+.Dv EVP_PKEY_ED25519 ,
+the situation is special: while the key size is
+.Dv ED25519_KEYLEN No = 32 bytes ,
+.Fn EVP_PKEY_size
+returns 64 because the signature is longer than the keys.
+.Pp
 The application program can support additional algorithms by calling
 .Xr EVP_PKEY_asn1_set_public 3 .
 .Pp
@@ -157,14 +166,16 @@ returns the cryptographic length of the cryptosystem to which the key in
 belongs, in bits.
 The definition of cryptographic length is specific to the key cryptosystem.
 By default, the following algorithms are supported:
-.Bl -column GOST01 "the public domain parameter p" DSA_bits(3)
+.Bl -column ED25519 "the public domain parameter p" DSA_bits(3)
 .It        Ta cryptographic length = Ta same result as from:
 .It        Ta significant bits in ... Ta
 .It DH     Ta the public domain parameter Fa p Ta Xr DH_bits 3
 .It DSA    Ta the public domain parameter Fa p Ta Xr DSA_bits 3
 .It EC     Ta the order of the group Ta Xr EC_GROUP_order_bits 3
+.It ED25519 Ta 253 Ta \(em
 .It GOST01 Ta 256 or 512 Ta \(em
 .It RSA    Ta the public modulus Ta Xr RSA_bits 3
+.It X25519 Ta 253 Ta \(em
 .El
 .Pp
 The application program can support additional algorithms by calling
@@ -175,13 +186,15 @@ returns the security strength measured in bits of the given
 .Fa pkey
 as defined in NIST SP800-57.
 By default, the following algorithms are supported:
-.Bl -column GOST01 DSA_security_bits(3)
+.Bl -column ED25519 DSA_security_bits(3)
 .It        Ta same result as from:
 .It DH     Ta Xr DH_security_bits 3
 .It DSA    Ta Xr DSA_security_bits 3
 .It EC     Ta Xr EC_GROUP_order_bits 3 divided by 2
+.It ED25519 Ta 128
 .It GOST01 Ta not supported, return value is \-2
 .It RSA    Ta Xr RSA_security_bits 3
+.It X25519 Ta 128
 .El
 .Pp
 For EC keys, if the result is greater than 80, it is rounded down

lib/libcrypto/man/EVP_chacha20.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.6 2023/08/24 04:33:08 tb Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.7 2023/09/12 13:58:06 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 24 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -135,6 +135,9 @@ argument of 32 bytes = 256 bits and an
 argument of 12 bytes = 96 bits.
 This supports additional authenticated data (AAD) and produces a 128-bit
 authentication tag.
+The constant
+.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
+specifies the length of the authentication tag in bytes and has a value of 16.
 .Pp
 The following
 .Fa type

sbin/unwind/resolver.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: resolver.c,v 1.161 2023/09/11 06:00:23 florian Exp $	*/
+/*	$OpenBSD: resolver.c,v 1.162 2023/09/12 15:38:32 tb Exp $	*/
 
 
 /*
@@ -920,8 +920,6 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode,
 	uint8_t			*p, *data;
 	uint8_t			 answer_imsg[MAX_IMSGSIZE - IMSG_HEADER_SIZE];
 
-	log_debug("%s: %d", __func__, rcode);
-
 	clock_gettime(CLOCK_MONOTONIC, &tp);
 
 	query_imsg = (struct query_imsg *)arg;
@@ -1076,17 +1074,14 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode,
 	goto out;
 
  servfail:
-	log_debug("%s: foo: 1", __func__);
 	/* try_next_resolver() might free rq */
 	if (try_next_resolver(rq) != 0 && running_res == 0) {
 		/* we are the last one, send SERVFAIL */
 		answer_header->srvfail = 1;
-		log_debug("%s: foo: 2", __func__);
 		resolver_imsg_compose_frontend(IMSG_ANSWER, 0,
 		    answer_imsg, sizeof(*answer_header));
 	}
  out:
-	log_debug("%s: foo: 3", __func__);
 	free(query_imsg);
 	sldns_buffer_free(buf);
 	regional_destroy(region);

share/man/man5/bsd.port.mk.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: bsd.port.mk.5,v 1.626 2023/09/09 14:15:42 bentley Exp $
+.\" $OpenBSD: bsd.port.mk.5,v 1.627 2023/09/12 08:54:04 jsg Exp $
 .\"
 .\" Copyright (c) 2000-2008 Marc Espie
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 9 2023 $
+.Dd $Mdocdate: September 12 2023 $
 .Dt BSD.PORT.MK 5
 .Os
 .Sh NAME
@@ -101,7 +101,7 @@ The output is formatted as package specification pairs, in a form suitable
 for
 .Xr tsort 1 .
 .Pp
-Note that is is possible to obtain reverse dependency information by
+Note that it is possible to obtain reverse dependency information by
 using
 .Nm show-reverse-deps
 from the

sys/arch/arm64/dev/acpipci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: acpipci.c,v 1.39 2023/04/18 12:39:32 kettenis Exp $	*/
+/*	$OpenBSD: acpipci.c,v 1.40 2023/09/12 08:32:58 jmatthew Exp $	*/
 /*
  * Copyright (c) 2018 Mark Kettenis
  *
@@ -124,7 +124,10 @@ void	*acpipci_intr_establish(void *, pci_intr_handle_t, int,
 	    struct cpu_info *, int (*)(void *), void *, char *);
 void	acpipci_intr_disestablish(void *, void *);
 
-uint32_t acpipci_iort_map_msi(pci_chipset_tag_t, pcitag_t);
+uint32_t acpipci_iort_map_msi(pci_chipset_tag_t, pcitag_t,
+	    struct interrupt_controller **);
+	
+extern LIST_HEAD(, interrupt_controller) interrupt_controllers;
 
 int
 acpipci_match(struct device *parent, void *match, void *aux)
@@ -190,7 +193,6 @@ acpipci_attach(struct device *parent, struct device *self, void *aux)
 	sc->sc_bus_memt._space_map = acpipci_bs_map;
 	sc->sc_bus_memt._space_mmap = acpipci_bs_mmap;
 
-	extern LIST_HEAD(, interrupt_controller) interrupt_controllers;
 	LIST_FOREACH(ic, &interrupt_controllers, ic_list) {
 		if (ic->ic_establish_msi)
 			break;
@@ -632,7 +634,7 @@ acpipci_intr_establish(void *v, pci_intr_handle_t ih, int level,
 		KASSERT(ic);
 
 		/* Map Requester ID through IORT to get sideband data. */
-		data = acpipci_iort_map_msi(ih.ih_pc, ih.ih_tag);
+		data = acpipci_iort_map_msi(ih.ih_pc, ih.ih_tag, &ic);
 		cookie = ic->ic_establish_msi(ic->ic_cookie, &addr,
 		    &data, level, ci, func, arg, name);
 		if (cookie == NULL)
@@ -797,11 +799,12 @@ pci_lookup_segment(int segment)
  * IORT support.
  */
 
-uint32_t acpipci_iort_map(struct acpi_iort *, uint32_t, uint32_t);
+uint32_t acpipci_iort_map(struct acpi_iort *, uint32_t, uint32_t,
+    struct interrupt_controller **);
 
 uint32_t
 acpipci_iort_map_node(struct acpi_iort *iort,
-    struct acpi_iort_node *node, uint32_t id)
+    struct acpi_iort_node *node, uint32_t id, struct interrupt_controller **ic)
 {
 	struct acpi_iort_mapping *map =
 	    (struct acpi_iort_mapping *)((char *)node + node->mapping_offset);
@@ -812,14 +815,14 @@ acpipci_iort_map_node(struct acpi_iort *iort,
 
 		if (map[i].flags & ACPI_IORT_MAPPING_SINGLE) {
 			id = map[i].output_base;
-			return acpipci_iort_map(iort, offset, id);
+			return acpipci_iort_map(iort, offset, id, ic);
 		}
 
 		/* Mapping encodes number of IDs in the range minus one. */
 		if (map[i].input_base <= id &&
 		    id <= map[i].input_base + map[i].number_of_ids) {
 			id = map[i].output_base + (id - map[i].input_base);
-			return acpipci_iort_map(iort, offset, id);
+			return acpipci_iort_map(iort, offset, id, ic);
 		}
 	}
 
@@ -827,24 +830,39 @@ acpipci_iort_map_node(struct acpi_iort *iort,
 }
 
 uint32_t
-acpipci_iort_map(struct acpi_iort *iort, uint32_t offset, uint32_t id)
+acpipci_iort_map(struct acpi_iort *iort, uint32_t offset, uint32_t id,
+    struct interrupt_controller **ic)
 {
 	struct acpi_iort_node *node =
 	    (struct acpi_iort_node *)((char *)iort + offset);
+	struct interrupt_controller *icl;
+	struct acpi_iort_its_node *itsn;
+	int i;
 
 	switch (node->type) {
 	case ACPI_IORT_ITS:
+		itsn = (struct acpi_iort_its_node *)&node[1];
+		LIST_FOREACH(icl, &interrupt_controllers, ic_list) {
+			for (i = 0; i < itsn->number_of_itss; i++) {
+				if (icl->ic_gic_its_id == itsn->its_ids[i]) {
+					*ic = icl;
+					break;
+				}
+			}
+		}
+
 		return id;
 	case ACPI_IORT_SMMU:
 	case ACPI_IORT_SMMU_V3:
-		return acpipci_iort_map_node(iort, node, id);
+		return acpipci_iort_map_node(iort, node, id, ic);
 	}
 
 	return id;
 }
 
 uint32_t
-acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag)
+acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag,
+    struct interrupt_controller **ic)
 {
 	struct acpipci_softc *sc = pc->pc_intr_v;
 	struct acpi_table_header *hdr;
@@ -877,7 +895,8 @@ acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag)
 		case ACPI_IORT_ROOT_COMPLEX:
 			rc = (struct acpi_iort_rc_node *)&node[1];
 			if (rc->segment == sc->sc_seg)
-				return acpipci_iort_map_node(iort, node, rid);
+				return acpipci_iort_map_node(iort, node, rid,
+				    ic);
 			break;
 		}
 		offset += node->length;

sys/arch/arm64/dev/agintc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: agintc.c,v 1.52 2023/07/07 10:11:39 patrick Exp $ */
+/* $OpenBSD: agintc.c,v 1.53 2023/09/12 08:29:28 jmatthew Exp $ */
 /*
  * Copyright (c) 2007, 2009, 2011, 2017 Dale Rahn <drahn@dalerahn.com>
  * Copyright (c) 2018 Mark Kettenis <kettenis@openbsd.org>
@@ -1797,6 +1797,8 @@ agintc_msi_attach(struct device *parent, struct device *self, void *aux)
 	sc->sc_ic.ic_establish_msi = agintc_intr_establish_msi;
 	sc->sc_ic.ic_disestablish = agintc_intr_disestablish_msi;
 	sc->sc_ic.ic_barrier = agintc_intr_barrier_msi;
+	sc->sc_ic.ic_gic_its_id = OF_getpropint(faa->fa_node,
+	    "openbsd,gic-its-id", 0);
 	arm_intr_register_fdt(&sc->sc_ic);
 	return;
 

sys/arch/arm64/include/intr.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: intr.h,v 1.21 2022/12/21 22:30:42 kettenis Exp $ */
+/*	$OpenBSD: intr.h,v 1.22 2023/09/12 08:29:28 jmatthew Exp $ */
 
 /*
  * Copyright (c) 2001-2004 Opsycon AB  (www.opsycon.se / www.opsycon.com)
@@ -162,6 +162,7 @@ struct interrupt_controller {
 	LIST_ENTRY(interrupt_controller) ic_list;
 	uint32_t ic_phandle;
 	uint32_t ic_cells;
+	uint32_t ic_gic_its_id;
 };
 
 void	 arm_intr_init_fdt(void);

sys/arch/arm64/stand/efiboot/efiacpi.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efiacpi.c,v 1.14 2022/01/02 02:13:33 jsg Exp $	*/
+/*	$OpenBSD: efiacpi.c,v 1.15 2023/09/12 08:22:07 jmatthew Exp $	*/
 
 /*
  * Copyright (c) 2018 Mark Kettenis <kettenis@openbsd.org>
@@ -491,11 +491,13 @@ efi_acpi_madt_gic_its(struct acpi_madt_gic_its *its)
 	static uint32_t phandle = 2;
 	void *node, *child;
 	uint64_t reg[2];
+	uint32_t its_id;
 	char name[32];
 
 	snprintf(name, sizeof(name), "gic-its@%llx", its->base_address);
 	reg[0] = htobe64(its->base_address);
 	reg[1] = htobe64(0x20000);
+	its_id = htobe32(its->gic_its_id);
 
 	/* Create "gic-its" node. */
 	node = fdt_find_node("/interrupt-controller");
@@ -504,6 +506,8 @@ efi_acpi_madt_gic_its(struct acpi_madt_gic_its *its)
 	fdt_node_add_property(child, "msi-controller", NULL, 0);
 	fdt_node_add_property(child, "reg", reg, sizeof(reg));
 	fdt_node_add_property(child, "phandle", &phandle, sizeof(phandle));
+	fdt_node_add_property(child, "openbsd,gic-its-id", &its_id,
+	    sizeof(its_id));
 	phandle++;
 }
 

sys/dev/acpi/acpireg.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: acpireg.h,v 1.59 2022/11/24 04:04:39 jmatthew Exp $	*/
+/*	$OpenBSD: acpireg.h,v 1.60 2023/09/12 08:32:58 jmatthew Exp $	*/
 /*
  * Copyright (c) 2005 Thorsten Lockert <tholo@sigmasoft.com>
  * Copyright (c) 2005 Marco Peereboom <marco@openbsd.org>
@@ -718,6 +718,11 @@ struct acpi_iort_node {
 	uint32_t	mapping_offset;
 } __packed;
 
+struct acpi_iort_its_node {
+	uint32_t	number_of_itss;
+	uint32_t	its_ids[];
+} __packed;
+
 struct acpi_iort_nc_node {
 	uint32_t	node_flags;
 	uint64_t	memory_access_properties;

usr.sbin/pkg_add/OpenBSD/style.pod

@@ -1,4 +1,4 @@
-$OpenBSD: style.pod,v 1.2 2023/05/18 16:30:01 espie Exp $
+$OpenBSD: style.pod,v 1.3 2023/09/12 09:01:04 jsg Exp $
 
 =head1 NAME
 
@@ -77,7 +77,7 @@ Anonymous subs should also use signatures
 arbitrary number of parameters for C<__DIE__> and C<__WARN__>.
 
 Mark the last expression at the end of a function with an explicit
-B<return> unless the function is is not intended to return anything,
+B<return> unless the function is not intended to return anything,
 or for "constant" methods
 
 	sub isFile($)

usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.114 2023/06/29 10:28:25 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.115 2023/09/12 09:33:30 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -594,9 +594,8 @@ certificate_policies(struct parse *p, X509_EXTENSION *ext)
 }
 
 /*
- * Lightweight version of cert_parse_pre() for ASPA, ROA, and RSC EE certs.
- * This only parses the RFC 3779 extensions since these are necessary for
- * validation.
+ * Lightweight version of cert_parse_pre() for EE certs.
+ * Parses the two RFC 3779 extensions, and performs some sanity checks.
  * Returns cert on success and NULL on failure.
  */
 struct cert *
@@ -616,6 +615,9 @@ cert_parse_ee_cert(const char *fn, X509 *x)
 		goto out;
 	}
 
+	if (!x509_valid_subject(fn, x))
+		goto out;
+
 	if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) {
 		warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature",
 		    fn);
@@ -727,6 +729,9 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
+	if (!x509_valid_subject(p.fn, x))
+		goto out;
+
 	/* Look for X509v3 extensions. */
 
 	if ((extsz = X509_get_ext_count(x)) < 0)

usr.sbin/rpki-client/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.188 2023/06/29 14:33:35 tb Exp $ */
+/*	$OpenBSD: extern.h,v 1.189 2023/09/12 09:33:30 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -839,6 +839,7 @@ int		 x509_location(const char *, const char *, const char *,
 		    GENERAL_NAME *, char **);
 int		 x509_inherits(X509 *);
 int		 x509_any_inherits(X509 *);
+int		 x509_valid_subject(const char *, const X509 *);
 time_t		 x509_find_expires(time_t, struct auth *, struct crl_tree *);
 
 /* printers */

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.73 2023/06/23 15:32:15 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.74 2023/09/12 09:33:30 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -860,6 +860,86 @@ x509_location(const char *fn, const char *descr, const char *proto,
 	return 1;
 }
 
+/*
+ * Check that the subject only contains commonName and serialNumber.
+ * Return 0 on failure.
+ */
+int
+x509_valid_subject(const char *fn, const X509 *x)
+{
+	const X509_NAME *xn;
+	const X509_NAME_ENTRY *ne;
+	const ASN1_OBJECT *ao;
+	const ASN1_STRING *as;
+	int cn = 0, sn = 0;
+	int i, nid;
+
+	if ((xn = X509_get_subject_name(x)) == NULL) {
+		warnx("%s: X509_get_subject_name", fn);
+		return 0;
+	}
+
+	for (i = 0; i < X509_NAME_entry_count(xn); i++) {
+		if ((ne = X509_NAME_get_entry(xn, i)) == NULL) {
+			warnx("%s: X509_NAME_get_entry", fn);
+			return 0;
+		}
+		if ((ao = X509_NAME_ENTRY_get_object(ne)) == NULL) {
+			warnx("%s: X509_NAME_ENTRY_get_object", fn);
+			return 0;
+		}
+
+		nid = OBJ_obj2nid(ao);
+		switch (nid) {
+		case NID_commonName:
+			if (cn++ > 0) {
+				warnx("%s: duplicate commonName in subject",
+				    fn);
+				return 0;
+			}
+			if ((as = X509_NAME_ENTRY_get_data(ne)) == NULL) {
+				warnx("%s: X509_NAME_ENTRY_get_data failed",
+				    fn);
+				return 0;
+			}
+/*
+ * The following check can be enabled after AFRINIC re-issues CA certs.
+ * https://lists.afrinic.net/pipermail/dbwg/2023-March/000436.html
+ */
+#if 0
+			if (ASN1_STRING_type(as) != V_ASN1_PRINTABLESTRING) {
+				warnx("%s: RFC 6487 section 4.5: commonName is"
+				    " not PrintableString", fn);
+				return 0;
+			}
+#endif
+			break;
+		case NID_serialNumber:
+			if (sn++ > 0) {
+				warnx("%s: duplicate serialNumber in subject",
+				    fn);
+				return 0;
+			}
+			break;
+		case NID_undef:
+			warnx("%s: OBJ_obj2nid failed", fn);
+			return 0;
+		default:
+			warnx("%s: RFC 6487 section 4.5: unexpected attribute "
+			    "%s", fn, OBJ_nid2sn(nid));
+			return 0;
+		}
+	}
+
+	if (cn == 0) {
+		warnx("%s: RFC 6487 section 4.5: subject missing commonName",
+		    fn);
+		return 0;
+	}
+
+	return 1;
+}
+
 /*
  * Convert an ASN1_INTEGER into a hexstring.
  * Returned string needs to be freed by the caller.