From ca32125ea8b6d5be18c760a85aebdd1f81f54709 Mon Sep 17 00:00:00 2001 From: purplerain Date: Tue, 12 Sep 2023 16:38:01 +0000 Subject: [PATCH] sync code with last improvements from OpenBSD --- lib/libc/locale/mbrtowc.3 | 8 +-- lib/libc/locale/wcrtomb.3 | 6 +- lib/libcrypto/man/EVP_AEAD_CTX_init.3 | 28 ++++++-- lib/libcrypto/man/EVP_MD_meth_new.3 | 94 ++++++++++++++++++++------ lib/libcrypto/man/EVP_PKEY_size.3 | 25 +++++-- lib/libcrypto/man/EVP_chacha20.3 | 7 +- sbin/unwind/resolver.c | 7 +- share/man/man5/bsd.port.mk.5 | 6 +- sys/arch/arm64/dev/acpipci.c | 43 ++++++++---- sys/arch/arm64/dev/agintc.c | 4 +- sys/arch/arm64/include/intr.h | 3 +- sys/arch/arm64/stand/efiboot/efiacpi.c | 6 +- sys/dev/acpi/acpireg.h | 7 +- usr.sbin/pkg_add/OpenBSD/style.pod | 4 +- usr.sbin/rpki-client/cert.c | 13 ++-- usr.sbin/rpki-client/extern.h | 3 +- usr.sbin/rpki-client/x509.c | 82 +++++++++++++++++++++- 17 files changed, 271 insertions(+), 75 deletions(-) diff --git a/lib/libc/locale/mbrtowc.3 b/lib/libc/locale/mbrtowc.3 index 74e6e59b2..fada9f4a3 100644 --- a/lib/libc/locale/mbrtowc.3 +++ b/lib/libc/locale/mbrtowc.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mbrtowc.3,v 1.6 2023/08/20 15:02:51 schwarze Exp $ +.\" $OpenBSD: mbrtowc.3,v 1.7 2023/09/12 08:33:37 jsg Exp $ .\" $NetBSD: mbrtowc.3,v 1.5 2003/09/08 17:54:31 wiz Exp $ .\" .\" Copyright (c)2023 Ingo Schwarze @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt MBRTOWC 3 .Os .Sh NAME @@ -281,13 +281,13 @@ conforms to .St -isoC-2011 . .Sh HISTORY .Fn mbrtowc -has been available since since +has been available since .Ox 3.8 and has provided support for UTF-8 since .Ox 4.8 . .Pp .Fn mbrtoc32 -has been available since since +has been available since .Ox 7.4 . .Sh CAVEATS .Fn mbrtowc diff --git a/lib/libc/locale/wcrtomb.3 b/lib/libc/locale/wcrtomb.3 index 789425566..85e229476 100644 --- a/lib/libc/locale/wcrtomb.3 +++ b/lib/libc/locale/wcrtomb.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: wcrtomb.3,v 1.11 2023/08/20 15:02:51 schwarze Exp $ +.\" $OpenBSD: wcrtomb.3,v 1.12 2023/09/12 08:33:37 jsg Exp $ .\" $NetBSD: wcrtomb.3,v 1.4 2003/09/08 17:54:31 wiz Exp $ .\" .\" Copyright (c)2023 Ingo Schwarze @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: August 20 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt WCRTOMB 3 .Os .Sh NAME @@ -182,5 +182,5 @@ and has provided support for UTF-8 since .Ox 4.8 . .Pp .Fn c32rtomb -has been available since since +has been available since .Ox 7.4 . diff --git a/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/lib/libcrypto/man/EVP_AEAD_CTX_init.3 index ad37842cc..01692c93e 100644 --- a/lib/libcrypto/man/EVP_AEAD_CTX_init.3 +++ b/lib/libcrypto/man/EVP_AEAD_CTX_init.3 @@ -1,8 +1,9 @@ -.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.13 2023/08/24 04:33:08 tb Exp $ +.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.15 2023/09/12 13:58:06 schwarze Exp $ .\" .\" Copyright (c) 2014, Google Inc. .\" Parts of the text were written by Adam Langley and David Benjamin. .\" Copyright (c) 2015 Reyk Floeter +.\" Copyright (c) 2023 Ingo Schwarze .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -16,7 +17,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 24 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt EVP_AEAD_CTX_INIT 3 .Os .Sh NAME @@ -147,7 +148,11 @@ argument must be for the default implementation; other values are currently not supported. Authentication tags may be truncated by passing a tag length. -A tag length of zero indicates the default tag length should be used. +A +.Fa tag_len +argument of +.Dv EVP_AEAD_DEFAULT_TAG_LENGTH , +which has the value 0, causes the default tag length to be used. .Pp .Fn EVP_AEAD_CTX_cleanup frees any data allocated for the context @@ -241,6 +246,18 @@ and provide information about the AEAD algorithm .Fa aead . .Pp +.Fn EVP_AEAD_max_tag_len +returns the maximum tag length that can be used with the given +.Fa aead . +This is the largest value that can be passed as the +.Fa tag_len +argument to +.Fn EVP_AEAD_CTX_init . +No built-in +.Vt EVP_AEAD +object has a maximum tag length larger than the constant +.Dv EVP_AEAD_MAX_TAG_LENGTH . +.Pp All cipher algorithms have a fixed key length unless otherwise stated. The following ciphers are available: .Bl -tag -width Ds -offset indent @@ -262,6 +279,9 @@ ChaCha20 with a Poly1305 authenticator, using a of 32 bytes and a .Fa nonce_len of 12 bytes. +The constant +.Dv EVP_CHACHAPOLY_TLS_TAG_LEN +specifies the length of the authentication tag in bytes and has a value of 16. .It Fn EVP_aead_xchacha20_poly1305 XChaCha20 with a Poly1305 authenticator, using a .Fa key_len @@ -310,8 +330,6 @@ sealing data with the AEAD. .Pp .Fn EVP_AEAD_max_tag_len returns the maximum tag length when using this AEAD. -This is the largest value that can be passed as a tag length to -.Fn EVP_AEAD_CTX_init . .Pp .Fn EVP_AEAD_nonce_length returns the length of the per-message nonce. diff --git a/lib/libcrypto/man/EVP_MD_meth_new.3 b/lib/libcrypto/man/EVP_MD_meth_new.3 index 0876312ac..37b55b9e0 100644 --- a/lib/libcrypto/man/EVP_MD_meth_new.3 +++ b/lib/libcrypto/man/EVP_MD_meth_new.3 @@ -1,8 +1,25 @@ -.\" $OpenBSD: EVP_MD_meth_new.3,v 1.3 2023/08/12 16:48:23 schwarze Exp $ +.\" $OpenBSD: EVP_MD_meth_new.3,v 1.4 2023/09/12 12:11:05 schwarze Exp $ .\" selective merge up to: .\" OpenSSL man3/EVP_MD_meth_new 0388d212 Dec 14 12:47:07 2018 -0800 .\" -.\" This file was written by Richard Levitte +.\" This file is a derived work. +.\" The changes are covered by the following Copyright and license: +.\" +.\" Copyright (c) 2023 Ingo Schwarze +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.\" The original file was written by Richard Levitte .\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -49,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 12 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt EVP_MD_METH_NEW 3 .Os .Sh NAME @@ -179,26 +196,59 @@ sets the flags to describe optional behaviours in the particular Several flags can be or'd together. The available flags are: .Bl -tag -width Ds -.It EVP_MD_FLAG_ONESHOT -This digest method can only handle one block of input. -.It EVP_MD_FLAG_DIGALGID_NULL -When setting up a DigestAlgorithmIdentifier, this flag will have the -parameter set to NULL by default. +.It Dv EVP_MD_FLAG_DIGALGID_NULL +When setting up a +.Vt DigestAlgorithmIdentifier +with +.Xr X509_ALGOR_set_md 3 , +set the parameter type to +.Dv V_ASN1_NULL +and the parameter value to +.Dv NULL . +This is the default, which means that it takes effect for +.Vt EVP_MD +objects that do not have +.Dv EVP_MD_FLAG_DIGALGID_ABSENT +set. Use this for PKCS#1. -.Em Note: if combined with EVP_MD_FLAG_DIGALGID_ABSENT, the latter will override. -.It EVP_MD_FLAG_DIGALGID_ABSENT -When setting up a DigestAlgorithmIdentifier, this flag will have the -parameter be left absent by default. -.Em Note: if combined with EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden. -.It EVP_MD_FLAG_DIGALGID_CUSTOM -Custom DigestAlgorithmIdentifier handling via ctrl, with -.Sy EVP_MD_FLAG_DIGALGID_ABSENT -as default. -.Em Note: if combined with EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden. -Currently unused. -.It EVP_MD_FLAG_FIPS -This digest method is suitable for use in FIPS mode. -Currently unused. +.It Dv EVP_MD_FLAG_DIGALGID_ABSENT +When setting up a +.Vt DigestAlgorithmIdentifier +with +.Xr X509_ALGOR_set_md 3 , +set the parameter type to +.Dv V_ASN1_UNDEF +and the parameter value to +.Dv NULL . +This is used by the +.Vt EVP_MD +objects documented in the manual page +.Xr EVP_sha3_224 3 +and by the objects returned from +.Xr EVP_sha512 3 , +.Xr EVP_sha512_256 3 , +.Xr EVP_sha512_224 3 , +.Xr EVP_sha384 3 , +.Xr EVP_sha256 3 , +.Xr EVP_sha224 3 , +.Xr EVP_sha1 3 , +and +.Xr EVP_sm3 3 . +.It Dv EVP_MD_FLAG_DIGALGID_CUSTOM +This flag is reserved for used-defined +.Vt EVP_MD +objects supporting custom +.Vt DigestAlgorithmIdentifier +handling via +.Xr EVP_MD_CTX_ctrl 3 , +but actually, it is ignored by both LibreSSL and OpenSSL +and such user-defined behaviour is not supported by the libraries. +.It Dv EVP_MD_FLAG_FIPS +Mark the digest method as suitable for FIPS mode. +This flag is ignored by both LibreSSL and OpenSSL. +.It Dv EVP_MD_FLAG_ONESHOT +Intended to indicate that the digest method can only handle one block +of input, but actually, this flag is ignored by both LibreSSL and OpenSSL. .El .Pp .Fn EVP_MD_meth_set_init diff --git a/lib/libcrypto/man/EVP_PKEY_size.3 b/lib/libcrypto/man/EVP_PKEY_size.3 index 3070aee01..b45cda7f9 100644 --- a/lib/libcrypto/man/EVP_PKEY_size.3 +++ b/lib/libcrypto/man/EVP_PKEY_size.3 @@ -1,10 +1,10 @@ -.\" $OpenBSD: EVP_PKEY_size.3,v 1.1 2022/07/13 19:10:40 schwarze Exp $ +.\" $OpenBSD: EVP_PKEY_size.3,v 1.2 2023/09/12 15:29:03 schwarze Exp $ .\" full merge up to: OpenSSL eed9d03b Jan 8 11:04:15 2020 +0100 .\" .\" This file is a derived work. .\" The changes are covered by the following Copyright and license: .\" -.\" Copyright (c) 2022 Ingo Schwarze +.\" Copyright (c) 2022, 2023 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 13 2022 $ +.Dd $Mdocdate: September 12 2023 $ .Dt EVP_PKEY_SIZE 3 .Os .Sh NAME @@ -137,17 +137,26 @@ where it's desirable to know the upper limit in advance. By default, .Fn EVP_PKEY_size is supported for the following algorithms: -.Bl -column GOST01 "EVP_MAX_BLOCK_LENGTH = 32" +.Bl -column ED25519 "EVP_MAX_BLOCK_LENGTH = 32" .It Ta same result as from: .It CMAC Ta Dv EVP_MAX_BLOCK_LENGTH No = 32 .It DH Ta Xr DH_size 3 .It DSA Ta Xr DSA_size 3 .It EC Ta Xr ECDSA_size 3 +.It ED25519 Ta 64, but see below .It GOST01 Ta 64 or 128 .It HMAC Ta Dv EVP_MAX_MD_SIZE No = 64 .It RSA Ta Xr RSA_size 3 +.It X25519 Ta Dv X25519_KEYLEN No = 32 .El .Pp +For +.Dv EVP_PKEY_ED25519 , +the situation is special: while the key size is +.Dv ED25519_KEYLEN No = 32 bytes , +.Fn EVP_PKEY_size +returns 64 because the signature is longer than the keys. +.Pp The application program can support additional algorithms by calling .Xr EVP_PKEY_asn1_set_public 3 . .Pp @@ -157,14 +166,16 @@ returns the cryptographic length of the cryptosystem to which the key in belongs, in bits. The definition of cryptographic length is specific to the key cryptosystem. By default, the following algorithms are supported: -.Bl -column GOST01 "the public domain parameter p" DSA_bits(3) +.Bl -column ED25519 "the public domain parameter p" DSA_bits(3) .It Ta cryptographic length = Ta same result as from: .It Ta significant bits in ... Ta .It DH Ta the public domain parameter Fa p Ta Xr DH_bits 3 .It DSA Ta the public domain parameter Fa p Ta Xr DSA_bits 3 .It EC Ta the order of the group Ta Xr EC_GROUP_order_bits 3 +.It ED25519 Ta 253 Ta \(em .It GOST01 Ta 256 or 512 Ta \(em .It RSA Ta the public modulus Ta Xr RSA_bits 3 +.It X25519 Ta 253 Ta \(em .El .Pp The application program can support additional algorithms by calling @@ -175,13 +186,15 @@ returns the security strength measured in bits of the given .Fa pkey as defined in NIST SP800-57. By default, the following algorithms are supported: -.Bl -column GOST01 DSA_security_bits(3) +.Bl -column ED25519 DSA_security_bits(3) .It Ta same result as from: .It DH Ta Xr DH_security_bits 3 .It DSA Ta Xr DSA_security_bits 3 .It EC Ta Xr EC_GROUP_order_bits 3 divided by 2 +.It ED25519 Ta 128 .It GOST01 Ta not supported, return value is \-2 .It RSA Ta Xr RSA_security_bits 3 +.It X25519 Ta 128 .El .Pp For EC keys, if the result is greater than 80, it is rounded down diff --git a/lib/libcrypto/man/EVP_chacha20.3 b/lib/libcrypto/man/EVP_chacha20.3 index 14a26b304..8d0be1ed6 100644 --- a/lib/libcrypto/man/EVP_chacha20.3 +++ b/lib/libcrypto/man/EVP_chacha20.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_chacha20.3,v 1.6 2023/08/24 04:33:08 tb Exp $ +.\" $OpenBSD: EVP_chacha20.3,v 1.7 2023/09/12 13:58:06 schwarze Exp $ .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200 .\" .\" This file is a derived work. @@ -65,7 +65,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 24 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt EVP_CHACHA20 3 .Os .Sh NAME @@ -135,6 +135,9 @@ argument of 32 bytes = 256 bits and an argument of 12 bytes = 96 bits. This supports additional authenticated data (AAD) and produces a 128-bit authentication tag. +The constant +.Dv EVP_CHACHAPOLY_TLS_TAG_LEN +specifies the length of the authentication tag in bytes and has a value of 16. .Pp The following .Fa type diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c index 9cd19b5ee..d017d3cf2 100644 --- a/sbin/unwind/resolver.c +++ b/sbin/unwind/resolver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: resolver.c,v 1.161 2023/09/11 06:00:23 florian Exp $ */ +/* $OpenBSD: resolver.c,v 1.162 2023/09/12 15:38:32 tb Exp $ */ /* @@ -920,8 +920,6 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode, uint8_t *p, *data; uint8_t answer_imsg[MAX_IMSGSIZE - IMSG_HEADER_SIZE]; - log_debug("%s: %d", __func__, rcode); - clock_gettime(CLOCK_MONOTONIC, &tp); query_imsg = (struct query_imsg *)arg; @@ -1076,17 +1074,14 @@ resolve_done(struct uw_resolver *res, void *arg, int rcode, goto out; servfail: - log_debug("%s: foo: 1", __func__); /* try_next_resolver() might free rq */ if (try_next_resolver(rq) != 0 && running_res == 0) { /* we are the last one, send SERVFAIL */ answer_header->srvfail = 1; - log_debug("%s: foo: 2", __func__); resolver_imsg_compose_frontend(IMSG_ANSWER, 0, answer_imsg, sizeof(*answer_header)); } out: - log_debug("%s: foo: 3", __func__); free(query_imsg); sldns_buffer_free(buf); regional_destroy(region); diff --git a/share/man/man5/bsd.port.mk.5 b/share/man/man5/bsd.port.mk.5 index feb74a4e5..73380a6f8 100644 --- a/share/man/man5/bsd.port.mk.5 +++ b/share/man/man5/bsd.port.mk.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bsd.port.mk.5,v 1.626 2023/09/09 14:15:42 bentley Exp $ +.\" $OpenBSD: bsd.port.mk.5,v 1.627 2023/09/12 08:54:04 jsg Exp $ .\" .\" Copyright (c) 2000-2008 Marc Espie .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: September 9 2023 $ +.Dd $Mdocdate: September 12 2023 $ .Dt BSD.PORT.MK 5 .Os .Sh NAME @@ -101,7 +101,7 @@ The output is formatted as package specification pairs, in a form suitable for .Xr tsort 1 . .Pp -Note that is is possible to obtain reverse dependency information by +Note that it is possible to obtain reverse dependency information by using .Nm show-reverse-deps from the diff --git a/sys/arch/arm64/dev/acpipci.c b/sys/arch/arm64/dev/acpipci.c index a4457825b..74fadd13f 100644 --- a/sys/arch/arm64/dev/acpipci.c +++ b/sys/arch/arm64/dev/acpipci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: acpipci.c,v 1.39 2023/04/18 12:39:32 kettenis Exp $ */ +/* $OpenBSD: acpipci.c,v 1.40 2023/09/12 08:32:58 jmatthew Exp $ */ /* * Copyright (c) 2018 Mark Kettenis * @@ -124,7 +124,10 @@ void *acpipci_intr_establish(void *, pci_intr_handle_t, int, struct cpu_info *, int (*)(void *), void *, char *); void acpipci_intr_disestablish(void *, void *); -uint32_t acpipci_iort_map_msi(pci_chipset_tag_t, pcitag_t); +uint32_t acpipci_iort_map_msi(pci_chipset_tag_t, pcitag_t, + struct interrupt_controller **); + +extern LIST_HEAD(, interrupt_controller) interrupt_controllers; int acpipci_match(struct device *parent, void *match, void *aux) @@ -190,7 +193,6 @@ acpipci_attach(struct device *parent, struct device *self, void *aux) sc->sc_bus_memt._space_map = acpipci_bs_map; sc->sc_bus_memt._space_mmap = acpipci_bs_mmap; - extern LIST_HEAD(, interrupt_controller) interrupt_controllers; LIST_FOREACH(ic, &interrupt_controllers, ic_list) { if (ic->ic_establish_msi) break; @@ -632,7 +634,7 @@ acpipci_intr_establish(void *v, pci_intr_handle_t ih, int level, KASSERT(ic); /* Map Requester ID through IORT to get sideband data. */ - data = acpipci_iort_map_msi(ih.ih_pc, ih.ih_tag); + data = acpipci_iort_map_msi(ih.ih_pc, ih.ih_tag, &ic); cookie = ic->ic_establish_msi(ic->ic_cookie, &addr, &data, level, ci, func, arg, name); if (cookie == NULL) @@ -797,11 +799,12 @@ pci_lookup_segment(int segment) * IORT support. */ -uint32_t acpipci_iort_map(struct acpi_iort *, uint32_t, uint32_t); +uint32_t acpipci_iort_map(struct acpi_iort *, uint32_t, uint32_t, + struct interrupt_controller **); uint32_t acpipci_iort_map_node(struct acpi_iort *iort, - struct acpi_iort_node *node, uint32_t id) + struct acpi_iort_node *node, uint32_t id, struct interrupt_controller **ic) { struct acpi_iort_mapping *map = (struct acpi_iort_mapping *)((char *)node + node->mapping_offset); @@ -812,14 +815,14 @@ acpipci_iort_map_node(struct acpi_iort *iort, if (map[i].flags & ACPI_IORT_MAPPING_SINGLE) { id = map[i].output_base; - return acpipci_iort_map(iort, offset, id); + return acpipci_iort_map(iort, offset, id, ic); } /* Mapping encodes number of IDs in the range minus one. */ if (map[i].input_base <= id && id <= map[i].input_base + map[i].number_of_ids) { id = map[i].output_base + (id - map[i].input_base); - return acpipci_iort_map(iort, offset, id); + return acpipci_iort_map(iort, offset, id, ic); } } @@ -827,24 +830,39 @@ acpipci_iort_map_node(struct acpi_iort *iort, } uint32_t -acpipci_iort_map(struct acpi_iort *iort, uint32_t offset, uint32_t id) +acpipci_iort_map(struct acpi_iort *iort, uint32_t offset, uint32_t id, + struct interrupt_controller **ic) { struct acpi_iort_node *node = (struct acpi_iort_node *)((char *)iort + offset); + struct interrupt_controller *icl; + struct acpi_iort_its_node *itsn; + int i; switch (node->type) { case ACPI_IORT_ITS: + itsn = (struct acpi_iort_its_node *)&node[1]; + LIST_FOREACH(icl, &interrupt_controllers, ic_list) { + for (i = 0; i < itsn->number_of_itss; i++) { + if (icl->ic_gic_its_id == itsn->its_ids[i]) { + *ic = icl; + break; + } + } + } + return id; case ACPI_IORT_SMMU: case ACPI_IORT_SMMU_V3: - return acpipci_iort_map_node(iort, node, id); + return acpipci_iort_map_node(iort, node, id, ic); } return id; } uint32_t -acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag) +acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag, + struct interrupt_controller **ic) { struct acpipci_softc *sc = pc->pc_intr_v; struct acpi_table_header *hdr; @@ -877,7 +895,8 @@ acpipci_iort_map_msi(pci_chipset_tag_t pc, pcitag_t tag) case ACPI_IORT_ROOT_COMPLEX: rc = (struct acpi_iort_rc_node *)&node[1]; if (rc->segment == sc->sc_seg) - return acpipci_iort_map_node(iort, node, rid); + return acpipci_iort_map_node(iort, node, rid, + ic); break; } offset += node->length; diff --git a/sys/arch/arm64/dev/agintc.c b/sys/arch/arm64/dev/agintc.c index be312fda0..14ca71458 100644 --- a/sys/arch/arm64/dev/agintc.c +++ b/sys/arch/arm64/dev/agintc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: agintc.c,v 1.52 2023/07/07 10:11:39 patrick Exp $ */ +/* $OpenBSD: agintc.c,v 1.53 2023/09/12 08:29:28 jmatthew Exp $ */ /* * Copyright (c) 2007, 2009, 2011, 2017 Dale Rahn * Copyright (c) 2018 Mark Kettenis @@ -1797,6 +1797,8 @@ agintc_msi_attach(struct device *parent, struct device *self, void *aux) sc->sc_ic.ic_establish_msi = agintc_intr_establish_msi; sc->sc_ic.ic_disestablish = agintc_intr_disestablish_msi; sc->sc_ic.ic_barrier = agintc_intr_barrier_msi; + sc->sc_ic.ic_gic_its_id = OF_getpropint(faa->fa_node, + "openbsd,gic-its-id", 0); arm_intr_register_fdt(&sc->sc_ic); return; diff --git a/sys/arch/arm64/include/intr.h b/sys/arch/arm64/include/intr.h index 0f1da4d05..a16218458 100644 --- a/sys/arch/arm64/include/intr.h +++ b/sys/arch/arm64/include/intr.h @@ -1,4 +1,4 @@ -/* $OpenBSD: intr.h,v 1.21 2022/12/21 22:30:42 kettenis Exp $ */ +/* $OpenBSD: intr.h,v 1.22 2023/09/12 08:29:28 jmatthew Exp $ */ /* * Copyright (c) 2001-2004 Opsycon AB (www.opsycon.se / www.opsycon.com) @@ -162,6 +162,7 @@ struct interrupt_controller { LIST_ENTRY(interrupt_controller) ic_list; uint32_t ic_phandle; uint32_t ic_cells; + uint32_t ic_gic_its_id; }; void arm_intr_init_fdt(void); diff --git a/sys/arch/arm64/stand/efiboot/efiacpi.c b/sys/arch/arm64/stand/efiboot/efiacpi.c index 3eed81630..4d2003119 100644 --- a/sys/arch/arm64/stand/efiboot/efiacpi.c +++ b/sys/arch/arm64/stand/efiboot/efiacpi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: efiacpi.c,v 1.14 2022/01/02 02:13:33 jsg Exp $ */ +/* $OpenBSD: efiacpi.c,v 1.15 2023/09/12 08:22:07 jmatthew Exp $ */ /* * Copyright (c) 2018 Mark Kettenis @@ -491,11 +491,13 @@ efi_acpi_madt_gic_its(struct acpi_madt_gic_its *its) static uint32_t phandle = 2; void *node, *child; uint64_t reg[2]; + uint32_t its_id; char name[32]; snprintf(name, sizeof(name), "gic-its@%llx", its->base_address); reg[0] = htobe64(its->base_address); reg[1] = htobe64(0x20000); + its_id = htobe32(its->gic_its_id); /* Create "gic-its" node. */ node = fdt_find_node("/interrupt-controller"); @@ -504,6 +506,8 @@ efi_acpi_madt_gic_its(struct acpi_madt_gic_its *its) fdt_node_add_property(child, "msi-controller", NULL, 0); fdt_node_add_property(child, "reg", reg, sizeof(reg)); fdt_node_add_property(child, "phandle", &phandle, sizeof(phandle)); + fdt_node_add_property(child, "openbsd,gic-its-id", &its_id, + sizeof(its_id)); phandle++; } diff --git a/sys/dev/acpi/acpireg.h b/sys/dev/acpi/acpireg.h index 4f743773b..8719ea336 100644 --- a/sys/dev/acpi/acpireg.h +++ b/sys/dev/acpi/acpireg.h @@ -1,4 +1,4 @@ -/* $OpenBSD: acpireg.h,v 1.59 2022/11/24 04:04:39 jmatthew Exp $ */ +/* $OpenBSD: acpireg.h,v 1.60 2023/09/12 08:32:58 jmatthew Exp $ */ /* * Copyright (c) 2005 Thorsten Lockert * Copyright (c) 2005 Marco Peereboom @@ -718,6 +718,11 @@ struct acpi_iort_node { uint32_t mapping_offset; } __packed; +struct acpi_iort_its_node { + uint32_t number_of_itss; + uint32_t its_ids[]; +} __packed; + struct acpi_iort_nc_node { uint32_t node_flags; uint64_t memory_access_properties; diff --git a/usr.sbin/pkg_add/OpenBSD/style.pod b/usr.sbin/pkg_add/OpenBSD/style.pod index 96c262fef..3f29fc654 100644 --- a/usr.sbin/pkg_add/OpenBSD/style.pod +++ b/usr.sbin/pkg_add/OpenBSD/style.pod @@ -1,4 +1,4 @@ -$OpenBSD: style.pod,v 1.2 2023/05/18 16:30:01 espie Exp $ +$OpenBSD: style.pod,v 1.3 2023/09/12 09:01:04 jsg Exp $ =head1 NAME @@ -77,7 +77,7 @@ Anonymous subs should also use signatures arbitrary number of parameters for C<__DIE__> and C<__WARN__>. Mark the last expression at the end of a function with an explicit -B unless the function is is not intended to return anything, +B unless the function is not intended to return anything, or for "constant" methods sub isFile($) diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index c1b12b10c..c123640f6 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.114 2023/06/29 10:28:25 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.115 2023/09/12 09:33:30 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders @@ -594,9 +594,8 @@ certificate_policies(struct parse *p, X509_EXTENSION *ext) } /* - * Lightweight version of cert_parse_pre() for ASPA, ROA, and RSC EE certs. - * This only parses the RFC 3779 extensions since these are necessary for - * validation. + * Lightweight version of cert_parse_pre() for EE certs. + * Parses the two RFC 3779 extensions, and performs some sanity checks. * Returns cert on success and NULL on failure. */ struct cert * @@ -616,6 +615,9 @@ cert_parse_ee_cert(const char *fn, X509 *x) goto out; } + if (!x509_valid_subject(fn, x)) + goto out; + if (X509_get_key_usage(x) != KU_DIGITAL_SIGNATURE) { warnx("%s: RFC 6487 section 4.8.4: KU must be digitalSignature", fn); @@ -727,6 +729,9 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len) goto out; } + if (!x509_valid_subject(p.fn, x)) + goto out; + /* Look for X509v3 extensions. */ if ((extsz = X509_get_ext_count(x)) < 0) diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index e41baff2f..dbef64d76 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.188 2023/06/29 14:33:35 tb Exp $ */ +/* $OpenBSD: extern.h,v 1.189 2023/09/12 09:33:30 job Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -839,6 +839,7 @@ int x509_location(const char *, const char *, const char *, GENERAL_NAME *, char **); int x509_inherits(X509 *); int x509_any_inherits(X509 *); +int x509_valid_subject(const char *, const X509 *); time_t x509_find_expires(time_t, struct auth *, struct crl_tree *); /* printers */ diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 5d63a8fb4..9a3b637a0 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.73 2023/06/23 15:32:15 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.74 2023/09/12 09:33:30 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker @@ -860,6 +860,86 @@ x509_location(const char *fn, const char *descr, const char *proto, return 1; } +/* + * Check that the subject only contains commonName and serialNumber. + * Return 0 on failure. + */ +int +x509_valid_subject(const char *fn, const X509 *x) +{ + const X509_NAME *xn; + const X509_NAME_ENTRY *ne; + const ASN1_OBJECT *ao; + const ASN1_STRING *as; + int cn = 0, sn = 0; + int i, nid; + + if ((xn = X509_get_subject_name(x)) == NULL) { + warnx("%s: X509_get_subject_name", fn); + return 0; + } + + for (i = 0; i < X509_NAME_entry_count(xn); i++) { + if ((ne = X509_NAME_get_entry(xn, i)) == NULL) { + warnx("%s: X509_NAME_get_entry", fn); + return 0; + } + if ((ao = X509_NAME_ENTRY_get_object(ne)) == NULL) { + warnx("%s: X509_NAME_ENTRY_get_object", fn); + return 0; + } + + nid = OBJ_obj2nid(ao); + switch (nid) { + case NID_commonName: + if (cn++ > 0) { + warnx("%s: duplicate commonName in subject", + fn); + return 0; + } + if ((as = X509_NAME_ENTRY_get_data(ne)) == NULL) { + warnx("%s: X509_NAME_ENTRY_get_data failed", + fn); + return 0; + } +/* + * The following check can be enabled after AFRINIC re-issues CA certs. + * https://lists.afrinic.net/pipermail/dbwg/2023-March/000436.html + */ +#if 0 + if (ASN1_STRING_type(as) != V_ASN1_PRINTABLESTRING) { + warnx("%s: RFC 6487 section 4.5: commonName is" + " not PrintableString", fn); + return 0; + } +#endif + break; + case NID_serialNumber: + if (sn++ > 0) { + warnx("%s: duplicate serialNumber in subject", + fn); + return 0; + } + break; + case NID_undef: + warnx("%s: OBJ_obj2nid failed", fn); + return 0; + default: + warnx("%s: RFC 6487 section 4.5: unexpected attribute " + "%s", fn, OBJ_nid2sn(nid)); + return 0; + } + } + + if (cn == 0) { + warnx("%s: RFC 6487 section 4.5: subject missing commonName", + fn); + return 0; + } + + return 1; +} + /* * Convert an ASN1_INTEGER into a hexstring. * Returned string needs to be freed by the caller.