diff options
| author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2019-09-23 12:49:10 +0200 |
|---|---|---|
| committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2019-09-23 15:07:12 +0200 |
| commit | 37323bb8196bb2d865115a976d6d972fedd498de (patch) | |
| tree | 42007e9e2f64c470dfbe42f321fec1bd1d54c2c7 | |
| parent | Add pselect() (diff) | |
| download | rtems-libbsd-37323bb8196bb2d865115a976d6d972fedd498de.tar.bz2 | |
Update to FreeBSD stable/12 2019-09-23
Git mirror commit 7e8d1444023128d34fb9aa4e4515928a4f794d1b.
304 files changed, 5685 insertions, 2228 deletions
diff --git a/freebsd-org b/freebsd-org -Subproject 621e7bafbf6857451f23ba11b0495c7ac69aff8 +Subproject 7e8d1444023128d34fb9aa4e4515928a4f794d1 diff --git a/freebsd/contrib/tcpdump/tcpdump.c b/freebsd/contrib/tcpdump/tcpdump.c index d48ad1b0..3b68ed51 100644 --- a/freebsd/contrib/tcpdump/tcpdump.c +++ b/freebsd/contrib/tcpdump/tcpdump.c @@ -775,7 +775,7 @@ capdns_setup(void) if (capdnsloc == NULL) error("unable to open system.dns service"); /* Limit system.dns to reverse DNS lookups. */ - types[0] = "ADDR"; + types[0] = "ADDR2NAME"; if (cap_dns_type_limit(capdnsloc, types, 1) < 0) error("unable to limit access to system.dns service"); families[0] = AF_INET; diff --git a/freebsd/contrib/wpa/src/ap/ap_config.h b/freebsd/contrib/wpa/src/ap/ap_config.h index 509677a4..ea581a82 100644 --- a/freebsd/contrib/wpa/src/ap/ap_config.h +++ b/freebsd/contrib/wpa/src/ap/ap_config.h @@ -15,6 +15,7 @@ #include "common/wpa_common.h" #include "common/ieee802_11_defs.h" #include "common/ieee802_11_common.h" +#include "crypto/sha256.h" #include "wps/wps.h" #include "fst/fst.h" #include "vlan.h" @@ -252,6 +253,18 @@ struct sae_password_entry { int vlan_id; }; +struct dpp_controller_conf { + struct dpp_controller_conf *next; + u8 pkhash[SHA256_MAC_LEN]; + struct hostapd_ip_addr ipaddr; +}; + +struct airtime_sta_weight { + struct airtime_sta_weight *next; + unsigned int weight; + u8 addr[ETH_ALEN]; +}; + /** * struct hostapd_bss_config - Per-BSS configuration */ @@ -288,6 +301,7 @@ struct hostapd_bss_config { int radius_request_cui; struct hostapd_radius_attr *radius_auth_req_attr; struct hostapd_radius_attr *radius_acct_req_attr; + char *radius_req_attr_sqlite; int radius_das_port; unsigned int radius_das_time_window; int radius_das_require_event_timestamp; @@ -390,8 +404,11 @@ struct hostapd_bss_config { char *ca_cert; char *server_cert; + char *server_cert2; char *private_key; + char *private_key2; char *private_key_passwd; + char *private_key_passwd2; char *check_cert_subject; int check_crl; int check_crl_strict; @@ -410,7 +427,10 @@ struct hostapd_bss_config { int eap_fast_prov; int pac_key_lifetime; int pac_key_refresh_time; + int eap_teap_auth; + int eap_teap_pac_no_inner; int eap_sim_aka_result_ind; + int eap_sim_id; int tnc; int fragment_size; u16 pwd_group; @@ -570,6 +590,7 @@ struct hostapd_bss_config { int osen; int proxy_arp; int na_mcast_to_ucast; + #ifdef CONFIG_HS20 int hs20; int hs20_release; @@ -692,6 +713,9 @@ struct hostapd_bss_config { struct wpabuf *dpp_netaccesskey; unsigned int dpp_netaccesskey_expiry; struct wpabuf *dpp_csign; +#ifdef CONFIG_DPP2 + struct dpp_controller_conf *dpp_controller; +#endif /* CONFIG_DPP2 */ #endif /* CONFIG_DPP */ #ifdef CONFIG_OWE @@ -709,6 +733,100 @@ struct hostapd_bss_config { #define BACKHAUL_BSS 1 #define FRONTHAUL_BSS 2 int multi_ap; /* bitmap of BACKHAUL_BSS, FRONTHAUL_BSS */ + +#ifdef CONFIG_AIRTIME_POLICY + unsigned int airtime_weight; + int airtime_limit; + struct airtime_sta_weight *airtime_weight_list; +#endif /* CONFIG_AIRTIME_POLICY */ + +#ifdef CONFIG_MACSEC + /** + * macsec_policy - Determines the policy for MACsec secure session + * + * 0: MACsec not in use (default) + * 1: MACsec enabled - Should secure, accept key server's advice to + * determine whether to use a secure session or not. + */ + int macsec_policy; + + /** + * macsec_integ_only - Determines how MACsec are transmitted + * + * This setting applies only when MACsec is in use, i.e., + * - macsec_policy is enabled + * - the key server has decided to enable MACsec + * + * 0: Encrypt traffic (default) + * 1: Integrity only + */ + int macsec_integ_only; + + /** + * macsec_replay_protect - Enable MACsec replay protection + * + * This setting applies only when MACsec is in use, i.e., + * - macsec_policy is enabled + * - the key server has decided to enable MACsec + * + * 0: Replay protection disabled (default) + * 1: Replay protection enabled + */ + int macsec_replay_protect; + + /** + * macsec_replay_window - MACsec replay protection window + * + * A window in which replay is tolerated, to allow receipt of frames + * that have been misordered by the network. + * + * This setting applies only when MACsec replay protection active, i.e., + * - macsec_replay_protect is enabled + * - the key server has decided to enable MACsec + * + * 0: No replay window, strict check (default) + * 1..2^32-1: number of packets that could be misordered + */ + u32 macsec_replay_window; + + /** + * macsec_port - MACsec port (in SCI) + * + * Port component of the SCI. + * + * Range: 1-65534 (default: 1) + */ + int macsec_port; + + /** + * mka_priority - Priority of MKA Actor + * + * Range: 0-255 (default: 255) + */ + int mka_priority; + + /** + * mka_ckn - MKA pre-shared CKN + */ +#define MACSEC_CKN_MAX_LEN 32 + size_t mka_ckn_len; + u8 mka_ckn[MACSEC_CKN_MAX_LEN]; + + /** + * mka_cak - MKA pre-shared CAK + */ +#define MACSEC_CAK_MAX_LEN 32 + size_t mka_cak_len; + u8 mka_cak[MACSEC_CAK_MAX_LEN]; + +#define MKA_PSK_SET_CKN BIT(0) +#define MKA_PSK_SET_CAK BIT(1) +#define MKA_PSK_SET (MKA_PSK_SET_CKN | MKA_PSK_SET_CAK) + /** + * mka_psk_set - Whether mka_ckn and mka_cak are set + */ + u8 mka_psk_set; +#endif /* CONFIG_MACSEC */ }; /** @@ -727,7 +845,20 @@ struct he_operation { u8 he_bss_color; u8 he_default_pe_duration; u8 he_twt_required; - u8 he_rts_threshold; + u16 he_rts_threshold; + u16 he_basic_mcs_nss_set; +}; + +/** + * struct spatial_reuse - Spatial reuse + */ +struct spatial_reuse { + u8 sr_control; + u8 non_srg_obss_pd_max_offset; + u8 srg_obss_pd_min_offset; + u8 srg_obss_pd_max_offset; + u8 srg_obss_color_bitmap; + u8 srg_obss_color_partial_bitmap; }; /** @@ -852,6 +983,10 @@ struct hostapd_config { struct he_phy_capabilities_info he_phy_capab; struct he_operation he_op; struct ieee80211_he_mu_edca_parameter_set he_mu_edca; + struct spatial_reuse spr; + u8 he_oper_chwidth; + u8 he_oper_centr_freq_seg0_idx; + u8 he_oper_centr_freq_seg1_idx; #endif /* CONFIG_IEEE80211AX */ /* VHT enable/disable config from CHAN_SWITCH */ @@ -861,12 +996,87 @@ struct hostapd_config { int rssi_reject_assoc_rssi; int rssi_reject_assoc_timeout; + +#ifdef CONFIG_AIRTIME_POLICY + enum { + AIRTIME_MODE_OFF = 0, + AIRTIME_MODE_STATIC = 1, + AIRTIME_MODE_DYNAMIC = 2, + AIRTIME_MODE_LIMIT = 3, + __AIRTIME_MODE_MAX, + } airtime_mode; + unsigned int airtime_update_interval; +#define AIRTIME_MODE_MAX (__AIRTIME_MODE_MAX - 1) +#endif /* CONFIG_AIRTIME_POLICY */ }; +static inline u8 hostapd_get_oper_chwidth(struct hostapd_config *conf) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + return conf->he_oper_chwidth; +#endif /* CONFIG_IEEE80211AX */ + return conf->vht_oper_chwidth; +} + +static inline void +hostapd_set_oper_chwidth(struct hostapd_config *conf, u8 oper_chwidth) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + conf->he_oper_chwidth = oper_chwidth; +#endif /* CONFIG_IEEE80211AX */ + conf->vht_oper_chwidth = oper_chwidth; +} + +static inline u8 +hostapd_get_oper_centr_freq_seg0_idx(struct hostapd_config *conf) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + return conf->he_oper_centr_freq_seg0_idx; +#endif /* CONFIG_IEEE80211AX */ + return conf->vht_oper_centr_freq_seg0_idx; +} + +static inline void +hostapd_set_oper_centr_freq_seg0_idx(struct hostapd_config *conf, + u8 oper_centr_freq_seg0_idx) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + conf->he_oper_centr_freq_seg0_idx = oper_centr_freq_seg0_idx; +#endif /* CONFIG_IEEE80211AX */ + conf->vht_oper_centr_freq_seg0_idx = oper_centr_freq_seg0_idx; +} + +static inline u8 +hostapd_get_oper_centr_freq_seg1_idx(struct hostapd_config *conf) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + return conf->he_oper_centr_freq_seg1_idx; +#endif /* CONFIG_IEEE80211AX */ + return conf->vht_oper_centr_freq_seg1_idx; +} + +static inline void +hostapd_set_oper_centr_freq_seg1_idx(struct hostapd_config *conf, + u8 oper_centr_freq_seg1_idx) +{ +#ifdef CONFIG_IEEE80211AX + if (conf->ieee80211ax) + conf->he_oper_centr_freq_seg1_idx = oper_centr_freq_seg1_idx; +#endif /* CONFIG_IEEE80211AX */ + conf->vht_oper_centr_freq_seg1_idx = oper_centr_freq_seg1_idx; +} + + int hostapd_mac_comp(const void *a, const void *b); struct hostapd_config * hostapd_config_defaults(void); void hostapd_config_defaults_bss(struct hostapd_bss_config *bss); +void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr); void hostapd_config_free_eap_user(struct hostapd_eap_user *user); void hostapd_config_free_eap_users(struct hostapd_eap_user *user); void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **p); @@ -885,6 +1095,7 @@ const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id); struct hostapd_radius_attr * hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type); +struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value); int hostapd_config_check(struct hostapd_config *conf, int full_config); void hostapd_set_security_params(struct hostapd_bss_config *bss, int full_config); diff --git a/freebsd/contrib/wpa/src/ap/ap_drv_ops.c b/freebsd/contrib/wpa/src/ap/ap_drv_ops.c index 09a61882..1ea015fb 100644 --- a/freebsd/contrib/wpa/src/ap/ap_drv_ops.c +++ b/freebsd/contrib/wpa/src/ap/ap_drv_ops.c @@ -415,6 +415,8 @@ int hostapd_sta_add(struct hostapd_data *hapd, u16 listen_interval, const struct ieee80211_ht_capabilities *ht_capab, const struct ieee80211_vht_capabilities *vht_capab, + const struct ieee80211_he_capabilities *he_capab, + size_t he_capab_len, u32 flags, u8 qosinfo, u8 vht_opmode, int supp_p2p_ps, int set) { @@ -434,6 +436,8 @@ int hostapd_sta_add(struct hostapd_data *hapd, params.listen_interval = listen_interval; params.ht_capabilities = ht_capab; params.vht_capabilities = vht_capab; + params.he_capab = he_capab; + params.he_capab_len = he_capab_len; params.vht_opmode_enabled = !!(flags & WLAN_STA_VHT_OPMODE_ENABLED); params.vht_opmode = vht_opmode; params.flags = hostapd_sta_flags_to_drv(flags); @@ -539,17 +543,20 @@ int hostapd_flush(struct hostapd_data *hapd) int hostapd_set_freq(struct hostapd_data *hapd, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, int vht_enabled, - int sec_channel_offset, int vht_oper_chwidth, + int he_enabled, + int sec_channel_offset, int oper_chwidth, int center_segment0, int center_segment1) { struct hostapd_freq_params data; + struct hostapd_hw_modes *cmode = hapd->iface->current_mode; if (hostapd_set_freq_params(&data, mode, freq, channel, ht_enabled, - vht_enabled, sec_channel_offset, - vht_oper_chwidth, + vht_enabled, he_enabled, sec_channel_offset, + oper_chwidth, center_segment0, center_segment1, - hapd->iface->current_mode ? - hapd->iface->current_mode->vht_capab : 0)) + cmode ? cmode->vht_capab : 0, + cmode ? + &cmode->he_capab[IEEE80211_MODE_AP] : NULL)) return -1; if (hapd->driver == NULL) @@ -585,6 +592,16 @@ int hostapd_sta_set_flags(struct hostapd_data *hapd, u8 *addr, } +int hostapd_sta_set_airtime_weight(struct hostapd_data *hapd, const u8 *addr, + unsigned int weight) +{ + if (!hapd->driver || !hapd->driver->sta_set_airtime_weight) + return 0; + return hapd->driver->sta_set_airtime_weight(hapd->drv_priv, addr, + weight); +} + + int hostapd_set_country(struct hostapd_data *hapd, const char *country) { if (hapd->driver == NULL || @@ -777,14 +794,16 @@ int hostapd_drv_send_action_addr3_ap(struct hostapd_data *hapd, int hostapd_start_dfs_cac(struct hostapd_iface *iface, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, int vht_enabled, - int sec_channel_offset, int vht_oper_chwidth, + int he_enabled, + int sec_channel_offset, int oper_chwidth, int center_segment0, int center_segment1) { struct hostapd_data *hapd = iface->bss[0]; struct hostapd_freq_params data; int res; + struct hostapd_hw_modes *cmode = iface->current_mode; - if (!hapd->driver || !hapd->driver->start_dfs_cac) + if (!hapd->driver || !hapd->driver->start_dfs_cac || !cmode) return 0; if (!iface->conf->ieee80211h) { @@ -794,10 +813,11 @@ int hostapd_start_dfs_cac(struct hostapd_iface *iface, } if (hostapd_set_freq_params(&data, mode, freq, channel, ht_enabled, - vht_enabled, sec_channel_offset, - vht_oper_chwidth, center_segment0, + vht_enabled, he_enabled, sec_channel_offset, + oper_chwidth, center_segment0, center_segment1, - iface->current_mode->vht_capab)) { + cmode->vht_capab, + &cmode->he_capab[IEEE80211_MODE_AP])) { wpa_printf(MSG_ERROR, "Can't set freq params"); return -1; } @@ -921,15 +941,17 @@ int hostapd_drv_do_acs(struct hostapd_data *hapd) if (hapd->iface->conf->ieee80211n && params.ht40_enabled) params.ch_width = 40; - /* Note: VHT20 is defined by combination of ht_capab & vht_oper_chwidth + /* Note: VHT20 is defined by combination of ht_capab & oper_chwidth */ - if (hapd->iface->conf->ieee80211ac && params.ht40_enabled) { - if (hapd->iface->conf->vht_oper_chwidth == VHT_CHANWIDTH_80MHZ) + if ((hapd->iface->conf->ieee80211ax || + hapd->iface->conf->ieee80211ac) && + params.ht40_enabled) { + u8 oper_chwidth = hostapd_get_oper_chwidth(hapd->iface->conf); + + if (oper_chwidth == CHANWIDTH_80MHZ) params.ch_width = 80; - else if (hapd->iface->conf->vht_oper_chwidth == - VHT_CHANWIDTH_160MHZ || - hapd->iface->conf->vht_oper_chwidth == - VHT_CHANWIDTH_80P80MHZ) + else if (oper_chwidth == CHANWIDTH_160MHZ || + oper_chwidth == CHANWIDTH_80P80MHZ) params.ch_width = 160; } @@ -938,3 +960,13 @@ int hostapd_drv_do_acs(struct hostapd_data *hapd) return ret; } + + +int hostapd_drv_update_dh_ie(struct hostapd_data *hapd, const u8 *peer, + u16 reason_code, const u8 *ie, size_t ielen) +{ + if (!hapd->driver || !hapd->driver->update_dh_ie || !hapd->drv_priv) + return 0; + return hapd->driver->update_dh_ie(hapd->drv_priv, peer, reason_code, + ie, ielen); +} diff --git a/freebsd/contrib/wpa/src/ap/ap_drv_ops.h b/freebsd/contrib/wpa/src/ap/ap_drv_ops.h index de40171e..ca7f7abe 100644 --- a/freebsd/contrib/wpa/src/ap/ap_drv_ops.h +++ b/freebsd/contrib/wpa/src/ap/ap_drv_ops.h @@ -41,6 +41,8 @@ int hostapd_sta_add(struct hostapd_data *hapd, u16 listen_interval, const struct ieee80211_ht_capabilities *ht_capab, const struct ieee80211_vht_capabilities *vht_capab, + const struct ieee80211_he_capabilities *he_capab, + size_t he_capab_len, u32 flags, u8 qosinfo, u8 vht_opmode, int supp_p2p_ps, int set); int hostapd_set_privacy(struct hostapd_data *hapd, int enabled); @@ -61,12 +63,14 @@ int hostapd_get_seqnum(const char *ifname, struct hostapd_data *hapd, int hostapd_flush(struct hostapd_data *hapd); int hostapd_set_freq(struct hostapd_data *hapd, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, int vht_enabled, - int sec_channel_offset, int vht_oper_chwidth, + int he_enabled, int sec_channel_offset, int oper_chwidth, int center_segment0, int center_segment1); int hostapd_set_rts(struct hostapd_data *hapd, int rts); int hostapd_set_frag(struct hostapd_data *hapd, int frag); int hostapd_sta_set_flags(struct hostapd_data *hapd, u8 *addr, int total_flags, int flags_or, int flags_and); +int hostapd_sta_set_airtime_weight(struct hostapd_data *hapd, const u8 *addr, + unsigned int weight); int hostapd_set_country(struct hostapd_data *hapd, const char *country); int hostapd_set_tx_queue_params(struct hostapd_data *hapd, int queue, int aifs, int cw_min, int cw_max, int burst_time); @@ -122,9 +126,12 @@ int hostapd_add_tspec(struct hostapd_data *hapd, const u8 *addr, int hostapd_start_dfs_cac(struct hostapd_iface *iface, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, int vht_enabled, - int sec_channel_offset, int vht_oper_chwidth, + int he_enabled, + int sec_channel_offset, int oper_chwidth, int center_segment0, int center_segment1); int hostapd_drv_do_acs(struct hostapd_data *hapd); +int hostapd_drv_update_dh_ie(struct hostapd_data *hapd, const u8 *peer, + u16 reason_code, const u8 *ie, size_t ielen); #include "drivers/driver.h" diff --git a/freebsd/contrib/wpa/src/ap/hostapd.h b/freebsd/contrib/wpa/src/ap/hostapd.h index 790d3775..518c7f10 100644 --- a/freebsd/contrib/wpa/src/ap/hostapd.h +++ b/freebsd/contrib/wpa/src/ap/hostapd.h @@ -9,6 +9,10 @@ #ifndef HOSTAPD_H #define HOSTAPD_H +#ifdef CONFIG_SQLITE +#include <sqlite3.h> +#endif /* CONFIG_SQLITE */ + #include "common/defs.h" #include "utils/list.h" #include "ap_config.h" @@ -232,6 +236,10 @@ struct hostapd_data { struct wps_stat wps_stats; #endif /* CONFIG_WPS */ +#ifdef CONFIG_MACSEC + struct ieee802_1x_kay *kay; +#endif /* CONFIG_MACSEC */ + struct hostapd_probereq_cb *probereq_cb; size_t num_probereq_cb; @@ -379,6 +387,17 @@ struct hostapd_data { unsigned int dpp_ignore_netaccesskey_mismatch:1; #endif /* CONFIG_TESTING_OPTIONS */ #endif /* CONFIG_DPP */ + +#ifdef CONFIG_AIRTIME_POLICY + unsigned int num_backlogged_sta; + unsigned int airtime_weight; +#endif /* CONFIG_AIRTIME_POLICY */ + + u8 last_1x_eapol_key_replay_counter[8]; + +#ifdef CONFIG_SQLITE + sqlite3 *rad_attr_db; +#endif /* CONFIG_SQLITE */ }; @@ -541,6 +560,12 @@ struct hostapd_iface { unsigned int num_sta_seen; u8 dfs_domain; +#ifdef CONFIG_AIRTIME_POLICY + unsigned int airtime_quantum; +#endif /* CONFIG_AIRTIME_POLICY */ + + /* Previous WMM element information */ + struct hostapd_wmm_ac_params prev_wmm[WMM_AC_NUM]; }; /* hostapd.c */ @@ -607,7 +632,8 @@ int hostapd_probe_req_rx(struct hostapd_data *hapd, const u8 *sa, const u8 *da, const u8 *bssid, const u8 *ie, size_t ie_len, int ssi_signal); void hostapd_event_ch_switch(struct hostapd_data *hapd, int freq, int ht, - int offset, int width, int cf1, int cf2); + int offset, int width, int cf1, int cf2, + int finished); struct survey_results; void hostapd_event_get_survey(struct hostapd_iface *iface, struct survey_results *survey_results); diff --git a/freebsd/contrib/wpa/src/ap/ieee802_11.h b/freebsd/contrib/wpa/src/ap/ieee802_11.h index db7badcf..b8453c99 100644 --- a/freebsd/contrib/wpa/src/ap/ieee802_11.h +++ b/freebsd/contrib/wpa/src/ap/ieee802_11.h @@ -18,6 +18,7 @@ struct ieee80211_vht_capabilities; struct ieee80211_mgmt; struct vlan_description; struct hostapd_sta_wpa_psk_short; +enum ieee80211_op_mode; int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, struct hostapd_frame_info *fi); @@ -57,9 +58,11 @@ u8 * hostapd_eid_vht_operation(struct hostapd_data *hapd, u8 *eid); u8 * hostapd_eid_vendor_vht(struct hostapd_data *hapd, u8 *eid); u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid); u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid); -u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid); +u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid, + enum ieee80211_op_mode opmode); u8 * hostapd_eid_he_operation(struct hostapd_data *hapd, u8 *eid); u8 * hostapd_eid_he_mu_edca_parameter_set(struct hostapd_data *hapd, u8 *eid); +u8 * hostapd_eid_spatial_reuse(struct hostapd_data *hapd, u8 *eid); int hostapd_ht_operation_update(struct hostapd_iface *iface); void ieee802_11_send_sa_query_req(struct hostapd_data *hapd, @@ -70,6 +73,10 @@ void hostapd_get_ht_capab(struct hostapd_data *hapd, void hostapd_get_vht_capab(struct hostapd_data *hapd, struct ieee80211_vht_capabilities *vht_cap, struct ieee80211_vht_capabilities *neg_vht_cap); +void hostapd_get_he_capab(struct hostapd_data *hapd, + const struct ieee80211_he_capabilities *he_cap, + struct ieee80211_he_capabilities *neg_he_cap, + size_t he_capab_len); int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta); u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta, const u8 *ht_capab); @@ -85,6 +92,9 @@ u16 copy_sta_vht_oper(struct hostapd_data *hapd, struct sta_info *sta, const u8 *vht_oper); u16 set_sta_vht_opmode(struct hostapd_data *hapd, struct sta_info *sta, const u8 *vht_opmode); +u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta, + enum ieee80211_op_mode opmode, const u8 *he_capab, + size_t he_capab_len); void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr, const u8 *buf, size_t len, int ack); void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst, @@ -153,6 +163,12 @@ void ieee802_11_finish_fils_auth(struct hostapd_data *hapd, u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta, const u8 *owe_dh, u8 owe_dh_len, u8 *owe_buf, size_t owe_buf_len, u16 *reason); +u16 owe_process_rsn_ie(struct hostapd_data *hapd, struct sta_info *sta, + const u8 *rsn_ie, size_t rsn_ie_len, + const u8 *owe_dh, size_t owe_dh_len); +u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer, + const u8 *rsn_ie, size_t rsn_ie_len, + const u8 *owe_dh, size_t owe_dh_len); void fils_hlp_timeout(void *eloop_ctx, void *eloop_data); void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta); void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, diff --git a/freebsd/contrib/wpa/src/ap/sta_info.h b/freebsd/contrib/wpa/src/ap/sta_info.h index ece0c60a..5456a63a 100644 --- a/freebsd/contrib/wpa/src/ap/sta_info.h +++ b/freebsd/contrib/wpa/src/ap/sta_info.h @@ -37,6 +37,7 @@ #define WLAN_STA_VENDOR_VHT BIT(21) #define WLAN_STA_PENDING_FILS_ERP BIT(22) #define WLAN_STA_MULTI_AP BIT(23) +#define WLAN_STA_HE BIT(24) #define WLAN_STA_PENDING_DISASSOC_CB BIT(29) #define WLAN_STA_PENDING_DEAUTH_CB BIT(30) #define WLAN_STA_NONERP BIT(31) @@ -119,6 +120,7 @@ struct sta_info { unsigned int agreed_to_steer:1; unsigned int hs20_t_c_filtering:1; unsigned int ft_over_ds:1; + unsigned int external_dh_updated:1; u16 auth_alg; @@ -166,6 +168,8 @@ struct sta_info { struct ieee80211_vht_capabilities *vht_capabilities; struct ieee80211_vht_operation *vht_operation; u8 vht_opmode; + struct ieee80211_he_capabilities *he_capab; + size_t he_capab_len; #ifdef CONFIG_IEEE80211W int sa_query_count; /* number of pending SA Query requests; @@ -275,6 +279,10 @@ struct sta_info { u8 last_tk[WPA_TK_MAX_LEN]; size_t last_tk_len; #endif /* CONFIG_TESTING_OPTIONS */ +#ifdef CONFIG_AIRTIME_POLICY + unsigned int airtime_weight; + struct os_reltime backlogged_until; +#endif /* CONFIG_AIRTIME_POLICY */ }; diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth.c b/freebsd/contrib/wpa/src/ap/wpa_auth.c index 5a1b250c..47028b52 100644 --- a/freebsd/contrib/wpa/src/ap/wpa_auth.c +++ b/freebsd/contrib/wpa/src/ap/wpa_auth.c @@ -936,6 +936,7 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); + forced_memzero(&PTK, sizeof(PTK)); sm->PTK_valid = TRUE; return 0; @@ -1409,6 +1410,8 @@ static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, #endif /* CONFIG_SHA256 */ #endif /* CONFIG_SHA384 */ + forced_memzero(data, sizeof(data)); + return ret; } @@ -2048,7 +2051,7 @@ SM_STATE(WPA_PTK, INITPMK) sm->Disconnect = TRUE; return; } - os_memset(msk, 0, sizeof(msk)); + forced_memzero(msk, sizeof(msk)); sm->req_replay_counter_used = 0; /* IEEE 802.11i does not set keyRun to FALSE, but not doing this @@ -2287,12 +2290,12 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); - os_memset(fils_ft, 0, sizeof(fils_ft)); + forced_memzero(fils_ft, sizeof(fils_ft)); res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder, sm->addr, sm->pmk_r1_name, use_sha384); - os_memset(pmk_r0, 0, PMK_LEN_MAX); + forced_memzero(pmk_r0, PMK_LEN_MAX); if (res < 0) return -1; wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name, @@ -2310,7 +2313,7 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, sm->wpa_key_mgmt, sm->fils_key_auth_sta, sm->fils_key_auth_ap, &sm->fils_key_auth_len); - os_memset(ick, 0, sizeof(ick)); + forced_memzero(ick, sizeof(ick)); /* Store nonces for (Re)Association Request/Response frame processing */ os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); @@ -2612,7 +2615,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { wpa_printf(MSG_DEBUG, "FILS: Not enough room for FILS elements"); - wpabuf_free(plain); + wpabuf_clear_free(plain); return -1; } @@ -2622,7 +2625,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, wpabuf_head(plain), wpabuf_len(plain), 5, aad, aad_len, pos) < 0) { - wpabuf_free(plain); + wpabuf_clear_free(plain); return -1; } @@ -2630,7 +2633,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, "FILS: Encrypted Association Response elements", pos, AES_BLOCK_SIZE + wpabuf_len(plain)); current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; - wpabuf_free(plain); + wpabuf_clear_free(plain); sm->fils_completed = 1; @@ -2684,7 +2687,7 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, * of GTK in the BSS. */ if (random_get_bytes(dummy_gtk, gtk_len) < 0) { - wpabuf_free(plain); + wpabuf_clear_free(plain); return NULL; } gtk = dummy_gtk; @@ -2711,13 +2714,13 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, if (wpa_channel_info(sm->wpa_auth, &ci) != 0) { wpa_printf(MSG_WARNING, "FILS: Failed to get channel info for OCI element"); - wpabuf_free(plain); + wpabuf_clear_free(plain); return NULL; } pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN); if (ocv_insert_extended_oci(&ci, pos) < 0) { - wpabuf_free(plain); + wpabuf_clear_free(plain); return NULL; } } @@ -2780,7 +2783,7 @@ u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, (unsigned int) wpabuf_len(plain)); - wpabuf_free(plain); + wpabuf_clear_free(plain); sm->fils_completed = 1; return pos; } @@ -3032,6 +3035,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) sm->MICVerified = TRUE; os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); + forced_memzero(&PTK, sizeof(PTK)); sm->PTK_valid = TRUE; } @@ -4248,8 +4252,12 @@ int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) /* Private MIB */ ret = os_snprintf(buf + len, buflen - len, + "wpa=%d\n" + "AKMSuiteSelector=" RSN_SUITE "\n" "hostapdWPAPTKState=%d\n" "hostapdWPAPTKGroupState=%d\n", + sm->wpa, + RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)), sm->wpa_ptk_state, sm->wpa_ptk_group_state); if (os_snprintf_error(buflen - len, ret)) @@ -4361,6 +4369,15 @@ int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, sm->wpa_auth->conf.disable_pmksa_caching) return -1; +#ifdef CONFIG_IEEE80211R_AP + if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) && + wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && + !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { + /* Cache MPMK/XXKey instead of initial part from MSK */ + pmk = pmk + PMK_LEN; + pmk_len = PMK_LEN; + } else +#endif /* CONFIG_IEEE80211R_AP */ if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { if (pmk_len > PMK_LEN_SUITE_B_192) pmk_len = PMK_LEN_SUITE_B_192; @@ -4368,6 +4385,7 @@ int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, pmk_len = PMK_LEN; } + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len); if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, sm->PTK.kck, sm->PTK.kck_len, sm->wpa_auth->addr, sm->addr, session_timeout, @@ -4386,6 +4404,7 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, if (wpa_auth == NULL) return -1; + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len); if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, NULL, 0, wpa_auth->addr, @@ -4403,6 +4422,7 @@ int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, if (wpa_auth->conf.disable_pmksa_caching) return -1; + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN); if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, NULL, 0, wpa_auth->addr, addr, 0, NULL, @@ -4427,6 +4447,7 @@ int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, if (wpa_auth->conf.disable_pmksa_caching) return -1; + wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN); if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, NULL, 0, wpa_auth->addr, addr, session_timeout, NULL, akmp)) diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth.h b/freebsd/contrib/wpa/src/ap/wpa_auth.h index df1e17a0..a348bc25 100644 --- a/freebsd/contrib/wpa/src/ap/wpa_auth.h +++ b/freebsd/contrib/wpa/src/ap/wpa_auth.h @@ -475,6 +475,9 @@ void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk, u8 * wpa_auth_write_assoc_resp_owe(struct wpa_state_machine *sm, u8 *pos, size_t max_len, const u8 *req_ies, size_t req_ies_len); +u8 * wpa_auth_write_assoc_resp_fils(struct wpa_state_machine *sm, + u8 *pos, size_t max_len, + const u8 *req_ies, size_t req_ies_len); void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg); void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z); diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c b/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c index e2eaacbd..619f0566 100644 --- a/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c +++ b/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c @@ -27,6 +27,7 @@ #include "wmm.h" #include "wpa_auth.h" #include "wpa_auth_i.h" +#include "pmksa_cache_auth.h" #ifdef CONFIG_IEEE80211R_AP @@ -2096,8 +2097,16 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk) const u8 *identity, *radius_cui; size_t identity_len, radius_cui_len; int session_timeout; - - if (sm->xxkey_len == 0) { + const u8 *mpmk; + size_t mpmk_len; + + if (sm->xxkey_len > 0) { + mpmk = sm->xxkey; + mpmk_len = sm->xxkey_len; + } else if (sm->pmksa) { + mpmk = sm->pmksa->pmk; + mpmk_len = sm->pmksa->pmk_len; + } else { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " "derivation"); return -1; @@ -2114,7 +2123,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk) &radius_cui); session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr); - if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid, + if (wpa_derive_pmk_r0(mpmk, mpmk_len, ssid, ssid_len, mdid, r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name, wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) < 0) @@ -2219,6 +2228,7 @@ static u8 * wpa_ft_gtk_subelem(struct wpa_state_machine *sm, size_t *len) return NULL; } + forced_memzero(keybuf, sizeof(keybuf)); *len = subelem_len; return subelem; } @@ -3092,8 +3102,9 @@ void wpa_ft_process_auth(struct wpa_state_machine *sm, const u8 *bssid, status = res; wpa_printf(MSG_DEBUG, "FT: FT authentication response: dst=" MACSTR - " auth_transaction=%d status=%d", - MAC2STR(sm->addr), auth_transaction + 1, status); + " auth_transaction=%d status=%u (%s)", + MAC2STR(sm->addr), auth_transaction + 1, status, + status2str(status)); wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len); cb(ctx, sm->addr, bssid, auth_transaction + 1, status, resp_ies, resp_ies_len); @@ -3451,8 +3462,9 @@ static int wpa_ft_send_rrb_auth_resp(struct wpa_state_machine *sm, u8 *pos; wpa_printf(MSG_DEBUG, "FT: RRB authentication response: STA=" MACSTR - " CurrentAP=" MACSTR " status=%d", - MAC2STR(sm->addr), MAC2STR(current_ap), status); + " CurrentAP=" MACSTR " status=%u (%s)", + MAC2STR(sm->addr), MAC2STR(current_ap), status, + status2str(status)); wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len); /* RRB - Forward action frame response to the Current AP */ @@ -3558,7 +3570,7 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, pmk_r0->vlan, src_addr, type, packet, packet_len); - os_memset(pmk_r1, 0, sizeof(pmk_r1)); + forced_memzero(pmk_r1, sizeof(pmk_r1)); return ret; } @@ -3884,10 +3896,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, ret = 0; out: - if (plain) { - os_memset(plain, 0, plain_len); - os_free(plain); - } + bin_clear_free(plain, plain_len); return ret; diff --git a/freebsd/contrib/wpa/src/common/dpp.h b/freebsd/contrib/wpa/src/common/dpp.h index 5a6d8cc7..db640efe 100644 --- a/freebsd/contrib/wpa/src/common/dpp.h +++ b/freebsd/contrib/wpa/src/common/dpp.h @@ -18,9 +18,11 @@ #include "crypto/sha256.h" struct crypto_ecdh; +struct hostapd_ip_addr; struct dpp_global; #define DPP_HDR_LEN (4 + 2) /* OUI, OUI Type, Crypto Suite, DPP frame type */ +#define DPP_TCP_PORT 7871 enum dpp_public_action_frame_type { DPP_PA_AUTHENTICATION_REQ = 0, @@ -259,6 +261,22 @@ struct dpp_introduction { size_t pmk_len; }; +struct dpp_relay_config { + const struct hostapd_ip_addr *ipaddr; + const u8 *pkhash; + + void *cb_ctx; + void (*tx)(void *ctx, const u8 *addr, unsigned int freq, const u8 *msg, + size_t len); + void (*gas_resp_tx)(void *ctx, const u8 *addr, u8 dialog_token, int prot, + struct wpabuf *buf); +}; + +struct dpp_controller_config { + const char *configurator_params; + int tcp_port; +}; + #ifdef CONFIG_TESTING_OPTIONS enum dpp_test_behavior { DPP_TEST_DISABLED = 0, @@ -497,7 +515,26 @@ int dpp_configurator_add(struct dpp_global *dpp, const char *cmd); int dpp_configurator_remove(struct dpp_global *dpp, const char *id); int dpp_configurator_get_key_id(struct dpp_global *dpp, unsigned int id, char *buf, size_t buflen); -struct dpp_global * dpp_global_init(void); +int dpp_relay_add_controller(struct dpp_global *dpp, + struct dpp_relay_config *config); +int dpp_relay_rx_action(struct dpp_global *dpp, const u8 *src, const u8 *hdr, + const u8 *buf, size_t len, unsigned int freq, + const u8 *i_bootstrap, const u8 *r_bootstrap); +int dpp_relay_rx_gas_req(struct dpp_global *dpp, const u8 *src, const u8 *data, + size_t data_len); +int dpp_controller_start(struct dpp_global *dpp, + struct dpp_controller_config *config); +void dpp_controller_stop(struct dpp_global *dpp); +int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication *auth, + const struct hostapd_ip_addr *addr, int port); + +struct dpp_global_config { + void *msg_ctx; + void *cb_ctx; + int (*process_conf_obj)(void *ctx, struct dpp_authentication *auth); +}; + +struct dpp_global * dpp_global_init(struct dpp_global_config *config); void dpp_global_clear(struct dpp_global *dpp); void dpp_global_deinit(struct dpp_global *dpp); diff --git a/freebsd/contrib/wpa/src/common/hw_features_common.c b/freebsd/contrib/wpa/src/common/hw_features_common.c index 33d0d879..b9e0ada3 100644 --- a/freebsd/contrib/wpa/src/common/hw_features_common.c +++ b/freebsd/contrib/wpa/src/common/hw_features_common.c @@ -363,30 +363,35 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode, int hostapd_set_freq_params(struct hostapd_freq_params *data, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, - int vht_enabled, int sec_channel_offset, - int vht_oper_chwidth, int center_segment0, - int center_segment1, u32 vht_caps) + int vht_enabled, int he_enabled, + int sec_channel_offset, + int oper_chwidth, int center_segment0, + int center_segment1, u32 vht_caps, + struct he_capabilities *he_cap) { + if (!he_cap) + he_enabled = 0; os_memset(data, 0, sizeof(*data)); data->mode = mode; data->freq = freq; data->channel = channel; data->ht_enabled = ht_enabled; data->vht_enabled = vht_enabled; + data->he_enabled = he_enabled; data->sec_channel_offset = sec_channel_offset; data->center_freq1 = freq + sec_channel_offset * 10; data->center_freq2 = 0; data->bandwidth = sec_channel_offset ? 40 : 20; - if (data->vht_enabled) switch (vht_oper_chwidth) { - case VHT_CHANWIDTH_USE_HT: + if (data->vht_enabled) switch (oper_chwidth) { + case CHANWIDTH_USE_HT: if (center_segment1 || (center_segment0 != 0 && 5000 + center_segment0 * 5 != data->center_freq1 && 2407 + center_segment0 * 5 != data->center_freq1)) return -1; break; - case VHT_CHANWIDTH_80P80MHZ: + case CHANWIDTH_80P80MHZ: if (!(vht_caps & VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)) { wpa_printf(MSG_ERROR, "80+80 channel width is not supported!"); @@ -397,11 +402,11 @@ int hostapd_set_freq_params(struct hostapd_freq_params *data, return -1; data->center_freq2 = 5000 + center_segment1 * 5; /* fall through */ - case VHT_CHANWIDTH_80MHZ: + case CHANWIDTH_80MHZ: data->bandwidth = 80; - if ((vht_oper_chwidth == VHT_CHANWIDTH_80MHZ && + if ((oper_chwidth == CHANWIDTH_80MHZ && center_segment1) || - (vht_oper_chwidth == VHT_CHANWIDTH_80P80MHZ && + (oper_chwidth == CHANWIDTH_80P80MHZ && !center_segment1) || !sec_channel_offset) return -1; @@ -434,7 +439,7 @@ int hostapd_set_freq_params(struct hostapd_freq_params *data, return -1; } break; - case VHT_CHANWIDTH_160MHZ: + case CHANWIDTH_160MHZ: data->bandwidth = 160; if (!(vht_caps & (VHT_CAP_SUPP_CHAN_WIDTH_160MHZ | VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) { diff --git a/freebsd/contrib/wpa/src/common/hw_features_common.h b/freebsd/contrib/wpa/src/common/hw_features_common.h index eb1f1c57..2d2a5399 100644 --- a/freebsd/contrib/wpa/src/common/hw_features_common.h +++ b/freebsd/contrib/wpa/src/common/hw_features_common.h @@ -32,9 +32,11 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode, int hostapd_set_freq_params(struct hostapd_freq_params *data, enum hostapd_hw_mode mode, int freq, int channel, int ht_enabled, - int vht_enabled, int sec_channel_offset, - int vht_oper_chwidth, int center_segment0, - int center_segment1, u32 vht_caps); + int vht_enabled, int he_enabled, + int sec_channel_offset, + int oper_chwidth, int center_segment0, + int center_segment1, u32 vht_caps, + struct he_capabilities *he_caps); void set_disable_ht40(struct ieee80211_ht_capabilities *htcaps, int disabled); int ieee80211ac_cap_check(u32 hw, u32 conf); diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_common.c b/freebsd/contrib/wpa/src/common/ieee802_11_common.c index c6fc9019..a7f7a5a5 100644 --- a/freebsd/contrib/wpa/src/common/ieee802_11_common.c +++ b/freebsd/contrib/wpa/src/common/ieee802_11_common.c @@ -276,6 +276,10 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen, elems->he_capabilities = pos; elems->he_capabilities_len = elen; break; + case WLAN_EID_EXT_HE_OPERATION: + elems->he_operation = pos; + elems->he_operation_len = elen; + break; case WLAN_EID_EXT_OCV_OCI: elems->oci = pos; elems->oci_len = elen; @@ -704,7 +708,7 @@ enum hostapd_hw_mode ieee80211_freq_to_chan(int freq, u8 *channel) { u8 op_class; - return ieee80211_freq_to_channel_ext(freq, 0, VHT_CHANWIDTH_USE_HT, + return ieee80211_freq_to_channel_ext(freq, 0, CHANWIDTH_USE_HT, &op_class, channel); } @@ -714,7 +718,7 @@ enum hostapd_hw_mode ieee80211_freq_to_chan(int freq, u8 *channel) * for HT40 and VHT. DFS channels are not covered. * @freq: Frequency (MHz) to convert * @sec_channel: 0 = non-HT40, 1 = sec. channel above, -1 = sec. channel below - * @vht: VHT channel width (VHT_CHANWIDTH_*) + * @vht: VHT channel width (CHANWIDTH_*) * @op_class: Buffer for returning operating class * @channel: Buffer for returning channel number * Returns: hw_mode on success, NUM_HOSTAPD_MODES on failure @@ -769,13 +773,13 @@ enum hostapd_hw_mode ieee80211_freq_to_channel_ext(unsigned int freq, } switch (vht) { - case VHT_CHANWIDTH_80MHZ: + case CHANWIDTH_80MHZ: vht_opclass = 128; break; - case VHT_CHANWIDTH_160MHZ: + case CHANWIDTH_160MHZ: vht_opclass = 129; break; - case VHT_CHANWIDTH_80P80MHZ: + case CHANWIDTH_80P80MHZ: vht_opclass = 130; break; default: @@ -894,16 +898,16 @@ int ieee80211_chaninfo_to_channel(unsigned int freq, enum chan_width chanwidth, case CHAN_WIDTH_20_NOHT: case CHAN_WIDTH_20: case CHAN_WIDTH_40: - vht = VHT_CHANWIDTH_USE_HT; + vht = CHANWIDTH_USE_HT; break; case CHAN_WIDTH_80: - vht = VHT_CHANWIDTH_80MHZ; + vht = CHANWIDTH_80MHZ; break; case CHAN_WIDTH_80P80: - vht = VHT_CHANWIDTH_80P80MHZ; + vht = CHANWIDTH_80P80MHZ; break; case CHAN_WIDTH_160: - vht = VHT_CHANWIDTH_160MHZ; + vht = CHANWIDTH_160MHZ; break; } @@ -1317,6 +1321,185 @@ const char * fc2str(u16 fc) } +const char * reason2str(u16 reason) +{ +#define R2S(r) case WLAN_REASON_ ## r: return #r; + switch (reason) { + R2S(UNSPECIFIED) + R2S(PREV_AUTH_NOT_VALID) + R2S(DEAUTH_LEAVING) + R2S(DISASSOC_DUE_TO_INACTIVITY) + R2S(DISASSOC_AP_BUSY) + R2S(CLASS2_FRAME_FROM_NONAUTH_STA) + R2S(CLASS3_FRAME_FROM_NONASSOC_STA) + R2S(DISASSOC_STA_HAS_LEFT) + R2S(STA_REQ_ASSOC_WITHOUT_AUTH) + R2S(PWR_CAPABILITY_NOT_VALID) + R2S(SUPPORTED_CHANNEL_NOT_VALID) + R2S(BSS_TRANSITION_DISASSOC) + R2S(INVALID_IE) + R2S(MICHAEL_MIC_FAILURE) + R2S(4WAY_HANDSHAKE_TIMEOUT) + R2S(GROUP_KEY_UPDATE_TIMEOUT) + R2S(IE_IN_4WAY_DIFFERS) + R2S(GROUP_CIPHER_NOT_VALID) + R2S(PAIRWISE_CIPHER_NOT_VALID) + R2S(AKMP_NOT_VALID) + R2S(UNSUPPORTED_RSN_IE_VERSION) + R2S(INVALID_RSN_IE_CAPAB) + R2S(IEEE_802_1X_AUTH_FAILED) + R2S(CIPHER_SUITE_REJECTED) + R2S(TDLS_TEARDOWN_UNREACHABLE) + R2S(TDLS_TEARDOWN_UNSPECIFIED) + R2S(SSP_REQUESTED_DISASSOC) + R2S(NO_SSP_ROAMING_AGREEMENT) + R2S(BAD_CIPHER_OR_AKM) + R2S(NOT_AUTHORIZED_THIS_LOCATION) + R2S(SERVICE_CHANGE_PRECLUDES_TS) + R2S(UNSPECIFIED_QOS_REASON) + R2S(NOT_ENOUGH_BANDWIDTH) + R2S(DISASSOC_LOW_ACK) + R2S(EXCEEDED_TXOP) + R2S(STA_LEAVING) + R2S(END_TS_BA_DLS) + R2S(UNKNOWN_TS_BA) + R2S(TIMEOUT) + R2S(PEERKEY_MISMATCH) + R2S(AUTHORIZED_ACCESS_LIMIT_REACHED) + R2S(EXTERNAL_SERVICE_REQUIREMENTS) + R2S(INVALID_FT_ACTION_FRAME_COUNT) + R2S(INVALID_PMKID) + R2S(INVALID_MDE) + R2S(INVALID_FTE) + R2S(MESH_PEERING_CANCELLED) + R2S(MESH_MAX_PEERS) + R2S(MESH_CONFIG_POLICY_VIOLATION) + R2S(MESH_CLOSE_RCVD) + R2S(MESH_MAX_RETRIES) + R2S(MESH_CONFIRM_TIMEOUT) + R2S(MESH_INVALID_GTK) + R2S(MESH_INCONSISTENT_PARAMS) + R2S(MESH_INVALID_SECURITY_CAP) + R2S(MESH_PATH_ERROR_NO_PROXY_INFO) + R2S(MESH_PATH_ERROR_NO_FORWARDING_INFO) + R2S(MESH_PATH_ERROR_DEST_UNREACHABLE) + R2S(MAC_ADDRESS_ALREADY_EXISTS_IN_MBSS) + R2S(MESH_CHANNEL_SWITCH_REGULATORY_REQ) + R2S(MESH_CHANNEL_SWITCH_UNSPECIFIED) + } + return "UNKNOWN"; +#undef R2S +} + + +const char * status2str(u16 status) +{ +#define S2S(s) case WLAN_STATUS_ ## s: return #s; + switch (status) { + S2S(SUCCESS) + S2S(UNSPECIFIED_FAILURE) + S2S(TDLS_WAKEUP_ALTERNATE) + S2S(TDLS_WAKEUP_REJECT) + S2S(SECURITY_DISABLED) + S2S(UNACCEPTABLE_LIFETIME) + S2S(NOT_IN_SAME_BSS) + S2S(CAPS_UNSUPPORTED) + S2S(REASSOC_NO_ASSOC) + S2S(ASSOC_DENIED_UNSPEC) + S2S(NOT_SUPPORTED_AUTH_ALG) + S2S(UNKNOWN_AUTH_TRANSACTION) + S2S(CHALLENGE_FAIL) + S2S(AUTH_TIMEOUT) + S2S(AP_UNABLE_TO_HANDLE_NEW_STA) + S2S(ASSOC_DENIED_RATES) + S2S(ASSOC_DENIED_NOSHORT) + S2S(SPEC_MGMT_REQUIRED) + S2S(PWR_CAPABILITY_NOT_VALID) + S2S(SUPPORTED_CHANNEL_NOT_VALID) + S2S(ASSOC_DENIED_NO_SHORT_SLOT_TIME) + S2S(ASSOC_DENIED_NO_HT) + S2S(R0KH_UNREACHABLE) + S2S(ASSOC_DENIED_NO_PCO) + S2S(ASSOC_REJECTED_TEMPORARILY) + S2S(ROBUST_MGMT_FRAME_POLICY_VIOLATION) + S2S(UNSPECIFIED_QOS_FAILURE) + S2S(DENIED_INSUFFICIENT_BANDWIDTH) + S2S(DENIED_POOR_CHANNEL_CONDITIONS) + S2S(DENIED_QOS_NOT_SUPPORTED) + S2S(REQUEST_DECLINED) + S2S(INVALID_PARAMETERS) + S2S(REJECTED_WITH_SUGGESTED_CHANGES) + S2S(INVALID_IE) + S2S(GROUP_CIPHER_NOT_VALID) + S2S(PAIRWISE_CIPHER_NOT_VALID) + S2S(AKMP_NOT_VALID) + S2S(UNSUPPORTED_RSN_IE_VERSION) + S2S(INVALID_RSN_IE_CAPAB) + S2S(CIPHER_REJECTED_PER_POLICY) + S2S(TS_NOT_CREATED) + S2S(DIRECT_LINK_NOT_ALLOWED) + S2S(DEST_STA_NOT_PRESENT) + S2S(DEST_STA_NOT_QOS_STA) + S2S(ASSOC_DENIED_LISTEN_INT_TOO_LARGE) + S2S(INVALID_FT_ACTION_FRAME_COUNT) + S2S(INVALID_PMKID) + S2S(INVALID_MDIE) + S2S(INVALID_FTIE) + S2S(REQUESTED_TCLAS_NOT_SUPPORTED) + S2S(INSUFFICIENT_TCLAS_PROCESSING_RESOURCES) + S2S(TRY_ANOTHER_BSS) + S2S(GAS_ADV_PROTO_NOT_SUPPORTED) + S2S(NO_OUTSTANDING_GAS_REQ) + S2S(GAS_RESP_NOT_RECEIVED) + S2S(STA_TIMED_OUT_WAITING_FOR_GAS_RESP) + S2S(GAS_RESP_LARGER_THAN_LIMIT) + S2S(REQ_REFUSED_HOME) + S2S(ADV_SRV_UNREACHABLE) + S2S(REQ_REFUSED_SSPN) + S2S(REQ_REFUSED_UNAUTH_ACCESS) + S2S(INVALID_RSNIE) + S2S(U_APSD_COEX_NOT_SUPPORTED) + S2S(U_APSD_COEX_MODE_NOT_SUPPORTED) + S2S(BAD_INTERVAL_WITH_U_APSD_COEX) + S2S(ANTI_CLOGGING_TOKEN_REQ) + S2S(FINITE_CYCLIC_GROUP_NOT_SUPPORTED) + S2S(CANNOT_FIND_ALT_TBTT) + S2S(TRANSMISSION_FAILURE) + S2S(REQ_TCLAS_NOT_SUPPORTED) + S2S(TCLAS_RESOURCES_EXCHAUSTED) + S2S(REJECTED_WITH_SUGGESTED_BSS_TRANSITION) + S2S(REJECT_WITH_SCHEDULE) + S2S(REJECT_NO_WAKEUP_SPECIFIED) + S2S(SUCCESS_POWER_SAVE_MODE) + S2S(PENDING_ADMITTING_FST_SESSION) + S2S(PERFORMING_FST_NOW) + S2S(PENDING_GAP_IN_BA_WINDOW) + S2S(REJECT_U_PID_SETTING) + S2S(REFUSED_EXTERNAL_REASON) + S2S(REFUSED_AP_OUT_OF_MEMORY) + S2S(REJECTED_EMERGENCY_SERVICE_NOT_SUPPORTED) + S2S(QUERY_RESP_OUTSTANDING) + S2S(REJECT_DSE_BAND) + S2S(TCLAS_PROCESSING_TERMINATED) + S2S(TS_SCHEDULE_CONFLICT) + S2S(DENIED_WITH_SUGGESTED_BAND_AND_CHANNEL) + S2S(MCCAOP_RESERVATION_CONFLICT) + S2S(MAF_LIMIT_EXCEEDED) + S2S(MCCA_TRACK_LIMIT_EXCEEDED) + S2S(DENIED_DUE_TO_SPECTRUM_MANAGEMENT) + S2S(ASSOC_DENIED_NO_VHT) + S2S(ENABLEMENT_DENIED) + S2S(RESTRICTION_FROM_AUTHORIZED_GDB) + S2S(AUTHORIZATION_DEENABLED) + S2S(FILS_AUTHENTICATION_FAILURE) + S2S(UNKNOWN_AUTHENTICATION_SERVER) + S2S(UNKNOWN_PASSWORD_IDENTIFIER) + } + return "UNKNOWN"; +#undef S2S +} + + int mb_ies_info_by_ies(struct mb_ies_info *info, const u8 *ies_buf, size_t ies_len) { diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_common.h b/freebsd/contrib/wpa/src/common/ieee802_11_common.h index d41bd39e..9b045b41 100644 --- a/freebsd/contrib/wpa/src/common/ieee802_11_common.h +++ b/freebsd/contrib/wpa/src/common/ieee802_11_common.h @@ -94,6 +94,7 @@ struct ieee802_11_elems { const u8 *oci; const u8 *multi_ap; const u8 *he_capabilities; + const u8 *he_operation; u8 ssid_len; u8 supp_rates_len; @@ -143,6 +144,7 @@ struct ieee802_11_elems { u8 oci_len; u8 multi_ap_len; u8 he_capabilities_len; + u8 he_operation_len; struct mb_ies_info mb_ies; }; @@ -185,6 +187,8 @@ int mb_ies_info_by_ies(struct mb_ies_info *info, const u8 *ies_buf, struct wpabuf * mb_ies_by_info(struct mb_ies_info *info); const char * fc2str(u16 fc); +const char * reason2str(u16 reason); +const char * status2str(u16 status); struct oper_class_map { enum hostapd_hw_mode mode; diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_defs.h b/freebsd/contrib/wpa/src/common/ieee802_11_defs.h index adaa8931..b0aa913b 100644 --- a/freebsd/contrib/wpa/src/common/ieee802_11_defs.h +++ b/freebsd/contrib/wpa/src/common/ieee802_11_defs.h @@ -468,6 +468,7 @@ #define WLAN_EID_EXT_HE_CAPABILITIES 35 #define WLAN_EID_EXT_HE_OPERATION 36 #define WLAN_EID_EXT_HE_MU_EDCA_PARAMS 38 +#define WLAN_EID_EXT_SPATIAL_REUSE 39 #define WLAN_EID_EXT_OCV_OCI 54 /* Extended Capabilities field */ @@ -1274,10 +1275,12 @@ struct ieee80211_ampe_ie { #define VHT_RX_NSS_MAX_STREAMS 8 /* VHT channel widths */ -#define VHT_CHANWIDTH_USE_HT 0 -#define VHT_CHANWIDTH_80MHZ 1 -#define VHT_CHANWIDTH_160MHZ 2 -#define VHT_CHANWIDTH_80P80MHZ 3 +#define CHANWIDTH_USE_HT 0 +#define CHANWIDTH_80MHZ 1 +#define CHANWIDTH_160MHZ 2 +#define CHANWIDTH_80P80MHZ 3 + +#define HE_NSS_MAX_STREAMS 8 #define OUI_MICROSOFT 0x0050f2 /* Microsoft (also used in Wi-Fi specs) * 00:50:F2 */ @@ -2091,7 +2094,7 @@ enum phy_type { /* * IEEE P802.11-REVmc/D5.0 Table 9-152 - HT/VHT Operation Information * subfields. - * Note: These definitions are not the same as other VHT_CHANWIDTH_*. + * Note: These definitions are not the same as other CHANWIDTH_*. */ enum nr_chan_width { NR_CHAN_WIDTH_20 = 0, @@ -2104,21 +2107,46 @@ enum nr_chan_width { struct ieee80211_he_capabilities { u8 he_mac_capab_info[6]; u8 he_phy_capab_info[11]; - u8 he_txrx_mcs_support[12]; /* TODO: 4, 8, or 12 octets */ - /* PPE Thresholds (optional) */ + /* Followed by 4, 8, or 12 octets of Supported HE-MCS And NSS Set field + * and optional variable length PPE Thresholds field. */ + u8 optional[]; } STRUCT_PACKED; struct ieee80211_he_operation { - u32 he_oper_params; /* HE Operation Parameters[3] and - * BSS Color Information[1] */ - u8 he_mcs_nss_set[2]; + le32 he_oper_params; /* HE Operation Parameters[3] and + * BSS Color Information[1] */ + le16 he_mcs_nss_set; u8 vht_op_info_chwidth; u8 vht_op_info_chan_center_freq_seg0_idx; u8 vht_op_info_chan_center_freq_seg1_idx; /* Followed by conditional MaxBSSID Indicator subfield (u8) */ } STRUCT_PACKED; +/* + * IEEE P802.11ax/D4.0, 9.4.2.246 Spatial Reuse Parameter Set element + */ +struct ieee80211_spatial_reuse { + u8 sr_ctrl; /* SR Control */ + /* Up to 19 octets of parameters: + * Non-SRG OBSS PD Max Offset[0 or 1] + * SRG OBSS PD Min Offset[0 or 1] + * SRG OBSS PD Max Offset[0 or 1] + * SRG BSS Color Bitmap[0 or 8] + * SRG Partial BSSID Bitmap[0 or 8] + */ + u8 params[19]; +} STRUCT_PACKED; + /* HE Capabilities Information defines */ + +#define HE_PHYCAP_CHANNEL_WIDTH_SET_IDX 0 +#define HE_PHYCAP_CHANNEL_WIDTH_MASK ((u8) (BIT(1) | BIT(2) | \ + BIT(3) | BIT(4))) +#define HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_IN_2G ((u8) BIT(1)) +#define HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G ((u8) BIT(2)) +#define HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G ((u8) BIT(3)) +#define HE_PHYCAP_CHANNEL_WIDTH_SET_80PLUS80MHZ_IN_5G ((u8) BIT(4)) + #define HE_PHYCAP_SU_BEAMFORMER_CAPAB_IDX 3 #define HE_PHYCAP_SU_BEAMFORMER_CAPAB ((u8) BIT(7)) #define HE_PHYCAP_SU_BEAMFORMEE_CAPAB_IDX 4 @@ -2126,23 +2154,39 @@ struct ieee80211_he_operation { #define HE_PHYCAP_MU_BEAMFORMER_CAPAB_IDX 4 #define HE_PHYCAP_MU_BEAMFORMER_CAPAB ((u8) BIT(1)) +#define HE_PHYCAP_PPE_THRESHOLD_PRESENT_IDX 6 +#define HE_PHYCAP_PPE_THRESHOLD_PRESENT ((u8) BIT(7)) + +/* HE PPE Threshold define */ +#define HE_PPE_THRES_RU_INDEX_BITMASK_MASK 0xf +#define HE_PPE_THRES_RU_INDEX_BITMASK_SHIFT 3 +#define HE_PPE_THRES_NSS_MASK 0x7 + /* HE Operation defines */ /* HE Operation Parameters and BSS Color Information fields */ -#define HE_OPERATION_BSS_COLOR_MASK ((u32) (BIT(0) | BIT(1) | \ - BIT(2) | BIT(3) | \ - BIT(4) | BIT(5))) -#define HE_OPERATION_PARTIAL_BSS_COLOR ((u32) BIT(6)) -#define HE_OPERATION_BSS_COLOR_DISABLED ((u32) BIT(7)) -#define HE_OPERATION_DFLT_PE_DURATION_MASK ((u32) (BIT(8) | BIT(9) | \ - BIT(10))) -#define HE_OPERATION_DFLT_PE_DURATION_OFFSET 8 -#define HE_OPERATION_TWT_REQUIRED ((u32) BIT(11)) -#define HE_OPERATION_RTS_THRESHOLD_MASK ((u32) (BIT(12) | BIT(13) | \ - BIT(14) | BIT(15) | \ - BIT(16) | BIT(17) | \ - BIT(18) | BIT(19) | \ - BIT(20) | BIT(21))) -#define HE_OPERATION_RTS_THRESHOLD_OFFSET 12 +#define HE_OPERATION_DFLT_PE_DURATION_MASK ((u32) (BIT(0) | BIT(1) | \ + BIT(2))) +#define HE_OPERATION_DFLT_PE_DURATION_OFFSET 0 +#define HE_OPERATION_TWT_REQUIRED ((u32) BIT(3)) +#define HE_OPERATION_RTS_THRESHOLD_MASK ((u32) (BIT(4) | BIT(5) | \ + BIT(6) | BIT(7) | \ + BIT(8) | BIT(9) | \ + BIT(10) | BIT(11) | \ + BIT(12) | BIT(13))) +#define HE_OPERATION_RTS_THRESHOLD_OFFSET 4 +#define HE_OPERATION_BSS_COLOR_MASK ((u32) (BIT(24) | BIT(25) | \ + BIT(26) | BIT(27) | \ + BIT(28) | BIT(29))) +#define HE_OPERATION_PARTIAL_BSS_COLOR ((u32) BIT(30)) +#define HE_OPERATION_BSS_COLOR_DISABLED ((u32) BIT(31)) +#define HE_OPERATION_BSS_COLOR_OFFSET 24 + +/* Spatial Reuse defines */ +#define SPATIAL_REUSE_SRP_DISALLOWED BIT(0) +#define SPATIAL_REUSE_NON_SRG_OBSS_PD_SR_DISALLOWED BIT(1) +#define SPATIAL_REUSE_NON_SRG_OFFSET_PRESENT BIT(2) +#define SPATIAL_REUSE_SRG_INFORMATION_PRESENT BIT(3) +#define SPATIAL_REUSE_HESIGA_SR_VAL15_ALLOWED BIT(4) struct ieee80211_he_mu_edca_parameter_set { u8 he_qos_info; diff --git a/freebsd/contrib/wpa/src/common/qca-vendor.h b/freebsd/contrib/wpa/src/common/qca-vendor.h index c34a3bc1..ff8c22a7 100644 --- a/freebsd/contrib/wpa/src/common/qca-vendor.h +++ b/freebsd/contrib/wpa/src/common/qca-vendor.h @@ -1,7 +1,7 @@ /* * Qualcomm Atheros OUI and vendor specific assignments * Copyright (c) 2014-2017, Qualcomm Atheros, Inc. - * Copyright (c) 2018, The Linux Foundation + * Copyright (c) 2018-2019, The Linux Foundation * * This software may be distributed under the terms of the BSD license. * See README for more details. @@ -98,6 +98,9 @@ enum qca_radiotap_vendor_ids { * which supports DFS offloading, to indicate a radar pattern has been * detected. The channel is now unusable. * + * @QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO: Get information from the driver. + * Attributes defined in enum qca_wlan_vendor_attr_get_wifi_info. + * * @QCA_NL80211_VENDOR_SUBCMD_GET_LOGGER_FEATURE_SET: Get the feature bitmap * based on enum wifi_logger_supported_features. Attributes defined in * enum qca_wlan_vendor_attr_get_logger_features. @@ -373,7 +376,9 @@ enum qca_radiotap_vendor_ids { * @QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START: Start spectral scan. The scan * parameters are specified by enum qca_wlan_vendor_attr_spectral_scan. * This returns a cookie (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COOKIE) - * identifying the operation in success case. + * identifying the operation in success case. In failure cases an + * error code (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE) + * describing the reason for the failure is returned. * * @QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_STOP: Stop spectral scan. This uses * a cookie (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COOKIE) from @@ -524,6 +529,65 @@ enum qca_radiotap_vendor_ids { * parameters including Zigbee state and specific WLAN periods to enhance * PTA master. All these parameters are delivered by the attributes * defined in enum qca_mpta_helper_vendor_attr. + * @QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING: This sub command is used to + * implement Beacon frame reporting feature. + * + * Userspace can request the driver/firmware to periodically report + * received Beacon frames whose BSSID is same as the current connected + * BSS's MAC address. + * + * In case the STA seamlessly (without sending disconnect indication to + * userspace) roams to a different BSS, Beacon frame reporting will be + * automatically enabled for the Beacon frames whose BSSID is same as the + * MAC address of the new BSS. Beacon reporting will be stopped when the + * STA is disconnected (when the disconnect indication is sent to + * userspace) and need to be explicitly enabled by userspace for next + * connection. + * + * When a Beacon frame matching configured conditions is received, and if + * userspace has requested to send asynchronous beacon reports, the + * driver/firmware will encapsulate the details of the Beacon frame in an + * event and send it to userspace along with updating the BSS information + * in cfg80211 scan cache, otherwise driver will only update the cfg80211 + * scan cache with the information from the received Beacon frame but will + * not send any active report to userspace. + * + * The userspace can request the driver/firmware to stop reporting Beacon + * frames. If the driver/firmware is not able to receive Beacon frames due + * to other Wi-Fi operations such as off-channel activities, etc., the + * driver/firmware will send a pause event to userspace and stop reporting + * Beacon frames. Whether the beacon reporting will be automatically + * resumed or not by the driver/firmware later will be reported to + * userspace using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES + * flag. The beacon reporting shall be resumed for all the cases except + * either when userspace sets + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_DO_NOT_RESUME flag in the command + * which triggered the current beacon reporting or during any disconnection + * case as indicated by setting + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON to + * QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED by the + * driver. + * + * After QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_PAUSE event is received + * by userspace with QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES + * flag not set, the next first + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO event from the driver + * shall be considered as un-pause event. + * + * All the attributes used with this command are defined in + * enum qca_wlan_vendor_attr_beacon_reporting_params. + * @QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP: In practice, some APs have + * interop issues with the DUT. This sub command is used to transfer the + * AP info between the driver and user space. This works both as a command + * and an event. As a command, it configures the stored list of APs from + * user space to firmware; as an event, it indicates the AP info detected + * by the firmware to user space for persistent storage. The attributes + * defined in enum qca_vendor_attr_interop_issues_ap are used to deliver + * the parameters. + * @QCA_NL80211_VENDOR_SUBCMD_OEM_DATA: This command is used to send OEM data + * binary blobs from application/service to firmware. The attributes + * defined in enum qca_wlan_vendor_attr_oem_data_params are used to deliver + * the parameters. */ enum qca_nl80211_vendor_subcmds { QCA_NL80211_VENDOR_SUBCMD_UNSPEC = 0, @@ -692,6 +756,9 @@ enum qca_nl80211_vendor_subcmds { QCA_NL80211_VENDOR_SUBCMD_GET_FW_STATE = 177, QCA_NL80211_VENDOR_SUBCMD_PEER_STATS_CACHE_FLUSH = 178, QCA_NL80211_VENDOR_SUBCMD_MPTA_HELPER_CONFIG = 179, + QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING = 180, + QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP = 181, + QCA_NL80211_VENDOR_SUBCMD_OEM_DATA = 182, }; enum qca_wlan_vendor_attr { @@ -1788,6 +1855,30 @@ enum qca_wlan_vendor_attr_config { */ QCA_WLAN_VENDOR_ATTR_CONFIG_GTX = 57, + /* Attribute to configure disconnect IEs to the driver. + * This carries an array of unsigned 8-bit characters. + * + * If this is configured, driver shall fill the IEs in disassoc/deauth + * frame. + * These IEs are expected to be considered only for the next + * immediate disconnection (disassoc/deauth frame) originated by + * the DUT, irrespective of the entity (user space/driver/firmware) + * triggering the disconnection. + * The host drivers are not expected to use the IEs set through + * this interface for further disconnections after the first immediate + * disconnection initiated post the configuration. + * If the IEs are also updated through cfg80211 interface (after the + * enhancement to cfg80211_disconnect), host driver is expected to + * take the union of IEs from both of these interfaces and send in + * further disassoc/deauth frames. + */ + QCA_WLAN_VENDOR_ATTR_DISCONNECT_IES = 58, + + /* 8-bit unsigned value for ELNA bypass. + * 1-Enable, 0-Disable + */ + QCA_WLAN_VENDOR_ATTR_CONFIG_ELNA_BYPASS = 59, + /* keep last */ QCA_WLAN_VENDOR_ATTR_CONFIG_AFTER_LAST, QCA_WLAN_VENDOR_ATTR_CONFIG_MAX = @@ -3204,11 +3295,28 @@ enum qca_vendor_attr_sar_limits { /** * enum qca_wlan_vendor_attr_get_wifi_info: Attributes for data used by * QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO sub command. + * + * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_DRIVER_VERSION: In a request this attribute + * should be set to any U8 value to indicate that the driver version + * should be returned. When enabled in this manner, in a response this + * attribute will contain a string representation of the driver version. + * + * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_FIRMWARE_VERSION: In a request this attribute + * should be set to any U8 value to indicate that the firmware version + * should be returned. When enabled in this manner, in a response this + * attribute will contain a string representation of the firmware version. + * + * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX: In a request this attribute + * should be set to any U32 value to indicate that the current radio + * index should be returned. When enabled in this manner, in a response + * this attribute will contain a U32 radio index value. + * */ enum qca_wlan_vendor_attr_get_wifi_info { QCA_WLAN_VENDOR_ATTR_WIFI_INFO_GET_INVALID = 0, QCA_WLAN_VENDOR_ATTR_WIFI_INFO_DRIVER_VERSION = 1, QCA_WLAN_VENDOR_ATTR_WIFI_INFO_FIRMWARE_VERSION = 2, + QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX = 3, /* keep last */ QCA_WLAN_VENDOR_ATTR_WIFI_INFO_GET_AFTER_LAST, @@ -4481,6 +4589,44 @@ enum qca_wlan_vendor_attr_spectral_scan { * qca_wlan_vendor_attr_spectral_scan_request_type. */ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_REQUEST_TYPE = 23, + /* This specifies the frequency span over which spectral + * scan would be carried out. Its value depends on the + * value of QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE and + * the relation is as follows. + * QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL + * Not applicable. Spectral scan would happen in the + * operating span. + * QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE + * Center frequency (in MHz) of the span of interest or + * for convenience, center frequency (in MHz) of any channel + * in the span of interest. If agile spectral scan is initiated + * without setting a valid frequency it returns the error code + * (QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED). + * u32 attribute. + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY = 24, + /* Spectral scan mode. u32 attribute. + * It uses values defined in enum qca_wlan_vendor_spectral_scan_mode. + * If this attribute is not present, it is assumed to be + * normal mode (QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL). + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE = 25, + /* Spectral scan error code. u32 attribute. + * It uses values defined in enum + * qca_wlan_vendor_spectral_scan_error_code. + * This attribute is included only in failure scenarios. + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE = 26, + /* 8-bit unsigned value to enable/disable debug of the + * Spectral DMA ring. + * 1-enable, 0-disable + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_RING_DEBUG = 27, + /* 8-bit unsigned value to enable/disable debug of the + * Spectral DMA buffers. + * 1-enable, 0-disable + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_BUFFER_DEBUG = 28, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_AFTER_LAST, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_MAX = @@ -4559,6 +4705,8 @@ enum qca_wlan_vendor_attr_spectral_cap { * u8 attribute. */ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_DEFAULT_AGC_MAX_GAIN = 10, + /* Flag attribute to indicate agile spectral scan capability */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_AGILE_SPECTRAL = 11, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_AFTER_LAST, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_MAX = @@ -4575,6 +4723,13 @@ enum qca_wlan_vendor_attr_spectral_scan_status { QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_IS_ENABLED = 1, /* Flag attribute to indicate whether spectral scan is in progress*/ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_IS_ACTIVE = 2, + /* Spectral scan mode. u32 attribute. + * It uses values defined in enum qca_wlan_vendor_spectral_scan_mode. + * If this attribute is not present, normal mode + * (QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL is assumed to be + * requested. + */ + QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MODE = 3, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_AFTER_LAST, QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MAX = @@ -4600,6 +4755,43 @@ enum qca_wlan_vendor_attr_spectral_scan_request_type { }; /** + * qca_wlan_vendor_spectral_scan_mode: Attribute values for + * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE in the vendor subcmd + * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START and + * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MODE in the vendor subcmd + * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_STATUS. This represents the + * spectral scan modes. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL: Normal spectral scan: + * spectral scan in the current operating span. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE: Agile spectral scan: + * spectral scan in the configured agile span. + */ +enum qca_wlan_vendor_spectral_scan_mode { + QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL = 0, + QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE = 1, +}; + +/** + * qca_wlan_vendor_spectral_scan_error_code: Attribute values for + * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE in the vendor subcmd + * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_UNSUPPORTED: Changing the value + * of a parameter is not supported. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_MODE_UNSUPPORTED: Requested spectral scan + * mode is not supported. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_INVALID_VALUE: A parameter + * has invalid value. + * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED: A parameter + * is not initialized. + */ +enum qca_wlan_vendor_spectral_scan_error_code { + QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_UNSUPPORTED = 0, + QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_MODE_UNSUPPORTED = 1, + QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_INVALID_VALUE = 2, + QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED = 3, +}; + +/** * qca_wlan_vendor_spectral_scan_cap_hw_gen: Attribute values for * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_HW_GEN to the vendor subcmd * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_CAP_INFO. This represents the @@ -6709,4 +6901,251 @@ enum qca_mpta_helper_vendor_attr { QCA_MPTA_HELPER_VENDOR_ATTR_AFTER_LAST - 1 }; +/** + * enum qca_wlan_vendor_beacon_reporting_op_types - Defines different types of + * operations for which %QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING can be used. + * Will be used by %QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE. + * + * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START: Sent by userspace to the driver + * to request the driver to start reporting Beacon frames. + * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP: Sent by userspace to the driver to + * request the driver to stop reporting Beacon frames. + * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO: Sent by the driver to + * userspace to report received Beacon frames. + * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE: Sent by the driver to userspace + * to indicate that the driver is going to pause reporting Beacon frames. + */ +enum qca_wlan_vendor_beacon_reporting_op_types { + QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START = 0, + QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP = 1, + QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO = 2, + QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE = 3, +}; + +/** + * enum qca_wlan_vendor_beacon_reporting_pause_reasons - Defines different types + * of reasons for which the driver is pausing reporting Beacon frames. Will be + * used by %QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON. + * + * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_UNSPECIFIED: For unspecified + * reasons. + * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_SCAN_STARTED: When the + * driver/firmware is starting a scan. + * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED: When the + * driver/firmware disconnects from the ESS and indicates the disconnection to + * userspace (non-seamless roaming case). This reason code will be used by the + * driver/firmware to indicate stopping of beacon report events. Userspace will + * need to start beacon reporting again (if desired) by sending vendor command + * QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING with + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START after the next connection is + * completed. + */ +enum qca_wlan_vendor_beacon_reporting_pause_reasons { + QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_UNSPECIFIED = 0, + QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_SCAN_STARTED = 1, + QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED = 2, +}; + +/* + * enum qca_wlan_vendor_attr_beacon_reporting_params - List of attributes used + * in vendor sub-command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING. + */ +enum qca_wlan_vendor_attr_beacon_reporting_params { + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_INVALID = 0, + /* Specifies the type of operation that the vendor command/event is + * intended for. Possible values for this attribute are defined in + * enum qca_wlan_vendor_beacon_reporting_op_types. u32 attribute. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE = 1, + /* Optionally set by userspace to request the driver to report Beacon + * frames using asynchronous vendor events when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START. NLA_FLAG attribute. + * If this flag is not set, the driver will only update Beacon frames in + * cfg80211 scan cache but not send any vendor events. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_ACTIVE_REPORTING = 2, + /* Optionally used by userspace to request the driver/firmware to report + * Beacon frames periodically when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START. + * u32 attribute, indicates the period of Beacon frames to be reported + * and in the units of beacon interval. + * If this attribute is missing in the command, then the default value + * of 1 will be assumed by driver, i.e., to report every Beacon frame. + * Zero is an invalid value. + * If a valid value is received for this attribute, the driver will + * update the cfg80211 scan cache periodically as per the value received + * in this attribute in addition to updating the cfg80211 scan cache + * when there is significant change in Beacon frame IEs. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PERIOD = 3, + /* Used by the driver to encapsulate the SSID when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. + * u8 array with a maximum size of 32. + * + * When generating beacon report from non-MBSSID Beacon frame, the SSID + * will be taken from the SSID element of the received Beacon frame. + * + * When generating beacon report from Multiple BSSID Beacon frame and if + * the BSSID of the current connected BSS matches the BSSID of the + * transmitting BSS, the SSID will be taken from the SSID element of the + * received Beacon frame. + * + * When generating beacon report from Multiple BSSID Beacon frame and if + * the BSSID of the current connected BSS matches the BSSID of one of + * the* nontransmitting BSSs, the SSID will be taken from the SSID field + * included in the nontransmitted BSS profile whose derived BSSID is + * same as the BSSID of the current connected BSS. When there is no + * nontransmitted BSS profile whose derived BSSID is same as the BSSID + * of current connected* BSS, this attribute will not be present. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_SSID = 4, + /* Used by the driver to encapsulate the BSSID of the AP to which STA is + * currently connected to when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u8 array with a + * fixed size of 6 bytes. + * + * When generating beacon report from a Multiple BSSID beacon and the + * current connected BSSID matches one of the nontransmitted BSSIDs in a + * Multiple BSSID set, this BSSID will be that particular nontransmitted + * BSSID and not the transmitted BSSID (i.e., the transmitting address + * of the Beacon frame). + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BSSID = 5, + /* Used by the driver to encapsulate the frequency in MHz on which + * the Beacon frame was received when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is + * set to QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. + * u32 attribute. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_FREQ = 6, + /* Used by the driver to encapsulate the Beacon interval + * when the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. + * u16 attribute. The value will be copied from the Beacon frame and the + * units are TUs. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BI = 7, + /* Used by the driver to encapsulate the Timestamp field from the Beacon + * frame when the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set + * to QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. + * u64 attribute. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_TSF = 8, + /* Used by the driver to encapsulate the CLOCK_BOOTTIME when this + * Beacon frame is received in the driver when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u64 attribute, in + * the units of nanoseconds. This value is expected to have accuracy of + * about 10 ms. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BOOTTIME_WHEN_RECEIVED = 9, + /* Used by the driver to encapsulate the IEs of the Beacon frame from + * which this event is generated when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u8 array. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_IES = 10, + /* Used by the driver to specify the reason for the driver/firmware to + * pause sending beacons to userspace when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE. Possible values are + * defined in enum qca_wlan_vendor_beacon_reporting_pause_reasons, u32 + * attribute. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON = 11, + /* Used by the driver to specify whether the driver will automatically + * resume reporting beacon events to userspace later (for example after + * the ongoing off-channel activity is completed etc.) when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE. NLA_FLAG attribute. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES = 12, + /* Optionally set by userspace to request the driver not to resume + * beacon reporting after a pause is completed, when the + * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START. NLA_FLAG attribute. + * If this flag is set, the driver will not resume beacon reporting + * after any pause in beacon reporting is completed. Userspace has to + * send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START command again in order + * to initiate beacon reporting again. If this flag is set in the recent + * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START command, then in the + * subsequent QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE event (if any) + * the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES shall not be + * set by the driver. Setting this flag until and unless there is a + * specific need is not recommended as there is a chance of some beacons + * received after pause command and next start command being not + * reported. + */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_DO_NOT_RESUME = 13, + + /* Keep last */ + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_LAST, + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_MAX = + QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_LAST - 1 +}; + +/** + * enum qca_vendor_interop_issues_ap_type - Interop issue types + * This enum defines the valid set of values of interop issue types. These + * values are used by attribute %QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE. + * + * @QCA_VENDOR_INTEROP_ISSUES_AP_ON_STA_PS: The AP has power save interop issue + * when the STA's Qpower feature is enabled. + */ +enum qca_vendor_interop_issues_ap_type { + QCA_VENDOR_INTEROP_ISSUES_AP_INVALID = 0, + QCA_VENDOR_INTEROP_ISSUES_AP_ON_STA_PS = 1, +}; + +/** + * enum qca_vendor_attr_interop_issues_ap - attribute for AP with interop issues + * Values are used by %QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP. + * + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_INVALID: Invalid value + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE: Interop issue type + * 32-bit unsigned value. The values defined in enum + * qca_vendor_interop_issues_ap_type are used. + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST: APs' BSSID container + * array of nested QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID attributes. + * It is present and mandatory for the command but is not used for the event + * since only a single BSSID is reported in an event. + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID: AP's BSSID 6-byte MAC address. + * It is used within the nested QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST + * attribute in command case and without such encapsulation in the event case. + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST: last value + * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_MAX: max value + */ +enum qca_vendor_attr_interop_issues_ap { + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_INVALID, + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE, + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST, + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID, + /* keep last */ + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST, + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_MAX = + QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST - 1 +}; + +/* + * enum qca_wlan_vendor_attr_oem_data_params - Used by the vendor command + * QCA_NL80211_VENDOR_SUBCMD_OEM_DATA. + * + * @QCA_WLAN_VENDOR_ATTR_OEM_DATA_CMD_DATA: The binary blob for the vendor + * command QCA_NL80211_VENDOR_SUBCMD_OEM_DATA are carried through this attribute. + * NLA_BINARY attribute, the max size is 1024 bytes. + */ +enum qca_wlan_vendor_attr_oem_data_params { + QCA_WLAN_VENDOR_ATTR_OEM_DATA_INVALID = 0, + QCA_WLAN_VENDOR_ATTR_OEM_DATA_CMD_DATA = 1, + + /* keep last */ + QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_AFTER_LAST, + QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_MAX = + QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_AFTER_LAST - 1 +}; #endif /* QCA_VENDOR_H */ diff --git a/freebsd/contrib/wpa/src/common/sae.h b/freebsd/contrib/wpa/src/common/sae.h index 3eb6e323..10f9302e 100644 --- a/freebsd/contrib/wpa/src/common/sae.h +++ b/freebsd/contrib/wpa/src/common/sae.h @@ -33,6 +33,7 @@ struct sae_temporary_data { struct crypto_bignum *sae_rand; struct crypto_ec *ec; int prime_len; + int order_len; const struct dh_group *dh; const struct crypto_bignum *prime; const struct crypto_bignum *order; diff --git a/freebsd/contrib/wpa/src/common/version.h b/freebsd/contrib/wpa/src/common/version.h index 06fc5e4d..c2a3a80d 100644 --- a/freebsd/contrib/wpa/src/common/version.h +++ b/freebsd/contrib/wpa/src/common/version.h @@ -9,6 +9,6 @@ #define GIT_VERSION_STR_POSTFIX "" #endif /* GIT_VERSION_STR_POSTFIX */ -#define VERSION_STR "2.8" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX +#define VERSION_STR "2.9" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX #endif /* VERSION_H */ diff --git a/freebsd/contrib/wpa/src/common/wpa_common.c b/freebsd/contrib/wpa/src/common/wpa_common.c index b2b58793..6fcbf20c 100644 --- a/freebsd/contrib/wpa/src/common/wpa_common.c +++ b/freebsd/contrib/wpa/src/common/wpa_common.c @@ -2077,6 +2077,16 @@ u32 wpa_akm_to_suite(int akm) return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256; if (akm & WPA_KEY_MGMT_FT_FILS_SHA384) return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384; + if (akm & WPA_KEY_MGMT_SAE) + return RSN_AUTH_KEY_MGMT_SAE; + if (akm & WPA_KEY_MGMT_FT_SAE) + return RSN_AUTH_KEY_MGMT_FT_SAE; + if (akm & WPA_KEY_MGMT_OWE) + return RSN_AUTH_KEY_MGMT_OWE; + if (akm & WPA_KEY_MGMT_DPP) + return RSN_AUTH_KEY_MGMT_DPP; + if (akm & WPA_KEY_MGMT_OSEN) + return RSN_AUTH_KEY_MGMT_OSEN; return 0; } diff --git a/freebsd/contrib/wpa/src/common/wpa_ctrl.h b/freebsd/contrib/wpa/src/common/wpa_ctrl.h index f65077e0..b24ae63e 100644 --- a/freebsd/contrib/wpa/src/common/wpa_ctrl.h +++ b/freebsd/contrib/wpa/src/common/wpa_ctrl.h @@ -87,6 +87,9 @@ extern "C" { #define WPA_EVENT_BEACON_LOSS "CTRL-EVENT-BEACON-LOSS " /** Regulatory domain channel */ #define WPA_EVENT_REGDOM_CHANGE "CTRL-EVENT-REGDOM-CHANGE " +/** Channel switch started (followed by freq=<MHz> and other channel parameters) + */ +#define WPA_EVENT_CHANNEL_SWITCH_STARTED "CTRL-EVENT-STARTED-CHANNEL-SWITCH " /** Channel switch (followed by freq=<MHz> and other channel parameters) */ #define WPA_EVENT_CHANNEL_SWITCH "CTRL-EVENT-CHANNEL-SWITCH " /** SAE authentication failed due to unknown password identifier */ diff --git a/freebsd/contrib/wpa/src/crypto/crypto.h b/freebsd/contrib/wpa/src/crypto/crypto.h index 12109ce8..15f8ad04 100644 --- a/freebsd/contrib/wpa/src/crypto/crypto.h +++ b/freebsd/contrib/wpa/src/crypto/crypto.h @@ -645,13 +645,6 @@ int crypto_bignum_cmp(const struct crypto_bignum *a, const struct crypto_bignum *b); /** - * crypto_bignum_bits - Get size of a bignum in bits - * @a: Bignum - * Returns: Number of bits in the bignum - */ -int crypto_bignum_bits(const struct crypto_bignum *a); - -/** * crypto_bignum_is_zero - Is the given bignum zero * @a: Bignum * Returns: 1 if @a is zero or 0 if not diff --git a/freebsd/contrib/wpa/src/crypto/crypto_openssl.c b/freebsd/contrib/wpa/src/crypto/crypto_openssl.c index 5b4c41a9..d8014022 100644 --- a/freebsd/contrib/wpa/src/crypto/crypto_openssl.c +++ b/freebsd/contrib/wpa/src/crypto/crypto_openssl.c @@ -572,8 +572,8 @@ int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, failed = !q || !ctx || !tmp || !BN_mod_exp(tmp, pub, q, p, ctx) || !BN_is_one(tmp); - BN_clear(q); - BN_clear(tmp); + BN_clear_free(q); + BN_clear_free(tmp); BN_CTX_free(ctx); if (failed) goto fail; @@ -582,8 +582,8 @@ int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len, prime, prime_len, secret, len); fail: - BN_clear(pub); - BN_clear(p); + BN_clear_free(pub); + BN_clear_free(p); return res; } @@ -1305,6 +1305,18 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a, if (padlen > buflen) return -1; + if (padlen) { +#ifdef OPENSSL_IS_BORINGSSL + if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0) + return -1; + return padlen; +#else /* OPENSSL_IS_BORINGSSL */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + return BN_bn2binpad((const BIGNUM *) a, buf, padlen); +#endif +#endif + } + num_bytes = BN_num_bytes((const BIGNUM *) a); if ((size_t) num_bytes > buflen) return -1; @@ -1478,12 +1490,6 @@ int crypto_bignum_cmp(const struct crypto_bignum *a, } -int crypto_bignum_bits(const struct crypto_bignum *a) -{ - return BN_num_bits((const BIGNUM *) a); -} - - int crypto_bignum_is_zero(const struct crypto_bignum *a) { return BN_is_zero((const BIGNUM *) a); @@ -1872,7 +1878,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group) { struct crypto_ecdh *ecdh; EVP_PKEY *params = NULL; - EC_KEY *ec_params; + EC_KEY *ec_params = NULL; EVP_PKEY_CTX *kctx = NULL; ecdh = os_zalloc(sizeof(*ecdh)); @@ -1915,6 +1921,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group) } done: + EC_KEY_free(ec_params); EVP_PKEY_free(params); EVP_PKEY_CTX_free(kctx); @@ -2054,13 +2061,17 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, secret = wpabuf_alloc(secret_len); if (!secret) goto fail; - if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len), - &secret_len) != 1) { + if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) { wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_derive(2) failed: %s", ERR_error_string(ERR_get_error(), NULL)); goto fail; } + if (secret->size != secret_len) + wpa_printf(MSG_DEBUG, + "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d", + (int) secret->size, (int) secret_len); + wpabuf_put(secret, secret_len); done: BN_free(x); diff --git a/freebsd/contrib/wpa/src/crypto/sha1-prf.c b/freebsd/contrib/wpa/src/crypto/sha1-prf.c index 004260d7..0351a39e 100644 --- a/freebsd/contrib/wpa/src/crypto/sha1-prf.c +++ b/freebsd/contrib/wpa/src/crypto/sha1-prf.c @@ -63,7 +63,7 @@ int sha1_prf(const u8 *key, size_t key_len, const char *label, } counter++; } - os_memset(hash, 0, sizeof(hash)); + forced_memzero(hash, sizeof(hash)); return 0; } diff --git a/freebsd/contrib/wpa/src/crypto/sha1.c b/freebsd/contrib/wpa/src/crypto/sha1.c index de751fb9..7916c567 100644 --- a/freebsd/contrib/wpa/src/crypto/sha1.c +++ b/freebsd/contrib/wpa/src/crypto/sha1.c @@ -88,7 +88,8 @@ int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, _addr[1] = mac; _len[1] = SHA1_MAC_LEN; ret = sha1_vector(2, _addr, _len, mac); - os_memset(k_pad, 0, sizeof(k_pad)); + forced_memzero(k_pad, sizeof(k_pad)); + forced_memzero(tk, sizeof(tk)); return ret; } diff --git a/freebsd/contrib/wpa/src/crypto/sha256-prf.c b/freebsd/contrib/wpa/src/crypto/sha256-prf.c index e2150e21..aa8d09f9 100644 --- a/freebsd/contrib/wpa/src/crypto/sha256-prf.c +++ b/freebsd/contrib/wpa/src/crypto/sha256-prf.c @@ -104,7 +104,7 @@ int sha256_prf_bits(const u8 *key, size_t key_len, const char *label, buf[pos - 1] &= mask; } - os_memset(hash, 0, sizeof(hash)); + forced_memzero(hash, sizeof(hash)); return 0; } diff --git a/freebsd/contrib/wpa/src/crypto/sha256.h b/freebsd/contrib/wpa/src/crypto/sha256.h index 5219022e..8054bbe5 100644 --- a/freebsd/contrib/wpa/src/crypto/sha256.h +++ b/freebsd/contrib/wpa/src/crypto/sha256.h @@ -20,9 +20,9 @@ int sha256_prf(const u8 *key, size_t key_len, const char *label, int sha256_prf_bits(const u8 *key, size_t key_len, const char *label, const u8 *data, size_t data_len, u8 *buf, size_t buf_len_bits); -void tls_prf_sha256(const u8 *secret, size_t secret_len, - const char *label, const u8 *seed, size_t seed_len, - u8 *out, size_t outlen); +int tls_prf_sha256(const u8 *secret, size_t secret_len, + const char *label, const u8 *seed, size_t seed_len, + u8 *out, size_t outlen); int hmac_sha256_kdf(const u8 *secret, size_t secret_len, const char *label, const u8 *seed, size_t seed_len, u8 *out, size_t outlen); diff --git a/freebsd/contrib/wpa/src/crypto/tls.h b/freebsd/contrib/wpa/src/crypto/tls.h index 8bdb91ff..c8b1a824 100644 --- a/freebsd/contrib/wpa/src/crypto/tls.h +++ b/freebsd/contrib/wpa/src/crypto/tls.h @@ -48,6 +48,18 @@ enum tls_fail_reason { #define TLS_MAX_ALT_SUBJECT 10 +struct tls_cert_data { + int depth; + const char *subject; + const struct wpabuf *cert; + const u8 *hash; + size_t hash_len; + const char *altsubject[TLS_MAX_ALT_SUBJECT]; + int num_altsubject; + const char *serial_num; + int tod; +}; + union tls_event_data { struct { int depth; @@ -57,16 +69,7 @@ union tls_event_data { const struct wpabuf *cert; } cert_fail; - struct { - int depth; - const char *subject; - const struct wpabuf *cert; - const u8 *hash; - size_t hash_len; - const char *altsubject[TLS_MAX_ALT_SUBJECT]; - int num_altsubject; - const char *serial_num; - } peer_cert; + struct tls_cert_data peer_cert; struct { int is_local; @@ -108,6 +111,7 @@ struct tls_config { #define TLS_CONN_ENABLE_TLSv1_0 BIT(14) #define TLS_CONN_ENABLE_TLSv1_1 BIT(15) #define TLS_CONN_ENABLE_TLSv1_2 BIT(16) +#define TLS_CONN_TEAP_ANON_DH BIT(17) /** * struct tls_connection_params - Parameters for TLS connection @@ -184,12 +188,15 @@ struct tls_connection_params { const char *suffix_match; const char *domain_match; const char *client_cert; + const char *client_cert2; const u8 *client_cert_blob; size_t client_cert_blob_len; const char *private_key; + const char *private_key2; const u8 *private_key_blob; size_t private_key_blob_len; const char *private_key_passwd; + const char *private_key_passwd2; const char *dh_file; const u8 *dh_blob; size_t dh_blob_len; @@ -643,4 +650,24 @@ tls_connection_get_success_data(struct tls_connection *conn); void tls_connection_remove_session(struct tls_connection *conn); +/** + * tls_get_tls_unique - Fetch "tls-unique" for channel binding + * @conn: Connection context data from tls_connection_init() + * @buf: Buffer for returning the value + * @max_len: Maximum length of the buffer in bytes + * Returns: Number of bytes written to buf or -1 on error + * + * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which + * is the first TLS Finished message sent in the most recent TLS handshake of + * the TLS connection. + */ +int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len); + +/** + * tls_connection_get_cipher_suite - Get current TLS cipher suite + * @conn: Connection context data from tls_connection_init() + * Returns: TLS cipher suite of the current connection or 0 on error + */ +u16 tls_connection_get_cipher_suite(struct tls_connection *conn); + #endif /* TLS_H */ diff --git a/freebsd/contrib/wpa/src/drivers/driver.h b/freebsd/contrib/wpa/src/drivers/driver.h index e7c8f318..2a8459ae 100644 --- a/freebsd/contrib/wpa/src/drivers/driver.h +++ b/freebsd/contrib/wpa/src/drivers/driver.h @@ -102,6 +102,20 @@ enum reg_type { }; /** + * struct hostapd_wmm_rule - WMM regulatory rule + * @min_cwmin: Lower bound of CW_min value + * @min_cwmax: Lower bound of CW_max value + * @min_aifs: Lower bound of AIFS value + * @max_txop: Upper bound of TXOP, value in units of 32 usec + */ +struct hostapd_wmm_rule { + int min_cwmin; + int min_cwmax; + int min_aifs; + int max_txop; +}; + +/** * struct hostapd_channel_data - Channel information */ struct hostapd_channel_data { @@ -156,34 +170,48 @@ struct hostapd_channel_data { * dfs_cac_ms - DFS CAC time in milliseconds */ unsigned int dfs_cac_ms; -}; -#define HE_MAX_NUM_SS 8 -#define HE_MAX_PHY_CAPAB_SIZE 3 + /** + * wmm_rules_valid - Indicates wmm_rules state + */ + int wmm_rules_valid; -/** - * struct he_ppe_threshold - IEEE 802.11ax HE PPE Threshold - */ -struct he_ppe_threshold { - u32 numss_m1; - u32 ru_count; - u32 ppet16_ppet8_ru3_ru0[HE_MAX_NUM_SS]; + /** + * wmm_rules - WMM regulatory rules + */ + struct hostapd_wmm_rule wmm_rules[WMM_AC_NUM]; }; +#define HE_MAX_MAC_CAPAB_SIZE 6 +#define HE_MAX_PHY_CAPAB_SIZE 11 +#define HE_MAX_MCS_CAPAB_SIZE 12 +#define HE_MAX_PPET_CAPAB_SIZE 25 + /** * struct he_capabilities - IEEE 802.11ax HE capabilities */ struct he_capabilities { u8 he_supported; - u32 phy_cap[HE_MAX_PHY_CAPAB_SIZE]; - u32 mac_cap; - u32 mcs; - struct he_ppe_threshold ppet; + u8 phy_cap[HE_MAX_PHY_CAPAB_SIZE]; + u8 mac_cap[HE_MAX_MAC_CAPAB_SIZE]; + u8 mcs[HE_MAX_MCS_CAPAB_SIZE]; + u8 ppet[HE_MAX_PPET_CAPAB_SIZE]; }; #define HOSTAPD_MODE_FLAG_HT_INFO_KNOWN BIT(0) #define HOSTAPD_MODE_FLAG_VHT_INFO_KNOWN BIT(1) + +enum ieee80211_op_mode { + IEEE80211_MODE_INFRA = 0, + IEEE80211_MODE_IBSS = 1, + IEEE80211_MODE_AP = 2, + IEEE80211_MODE_MESH = 5, + + /* only add new entries before IEEE80211_MODE_NUM */ + IEEE80211_MODE_NUM +}; + /** * struct hostapd_hw_modes - Supported hardware mode information */ @@ -243,15 +271,10 @@ struct hostapd_hw_modes { /** * he_capab - HE (IEEE 802.11ax) capabilities */ - struct he_capabilities he_capab; + struct he_capabilities he_capab[IEEE80211_MODE_NUM]; }; -#define IEEE80211_MODE_INFRA 0 -#define IEEE80211_MODE_IBSS 1 -#define IEEE80211_MODE_AP 2 -#define IEEE80211_MODE_MESH 5 - #define IEEE80211_CAP_ESS 0x0001 #define IEEE80211_CAP_IBSS 0x0002 #define IEEE80211_CAP_PRIVACY 0x0010 @@ -699,6 +722,11 @@ struct hostapd_freq_params { int vht_enabled; /** + * he_enabled - Whether HE is enabled + */ + int he_enabled; + + /** * center_freq1 - Segment 0 center frequency in MHz * * Valid for both HT and VHT. @@ -1046,6 +1074,14 @@ struct wpa_driver_associate_params { int req_key_mgmt_offload; /** + * req_handshake_offload - Request EAPOL handshake offload + * + * Request EAPOL handshake offload for this connection if the device + * supports it. + */ + int req_handshake_offload; + + /** * Flag for indicating whether this association includes support for * RRM (Radio Resource Measurements) */ @@ -1122,6 +1158,11 @@ enum hide_ssid { HIDDEN_SSID_ZERO_CONTENTS }; +enum ch_switch_state { + CH_SW_STARTED, + CH_SW_FINISHED +}; + struct wowlan_triggers { u8 any; u8 disconnect; @@ -1752,6 +1793,7 @@ struct hostapd_data; struct hostap_sta_driver_data { unsigned long rx_packets, tx_packets; unsigned long long rx_bytes, tx_bytes; + unsigned long long rx_airtime, tx_airtime; int bytes_64bit; /* whether 64-bit byte counters are supported */ unsigned long current_tx_rate; unsigned long current_rx_rate; @@ -1761,6 +1803,8 @@ struct hostap_sta_driver_data { unsigned long tx_retry_failed; unsigned long tx_retry_count; s8 last_ack_rssi; + unsigned long backlog_packets; + unsigned long backlog_bytes; s8 signal; u8 rx_vhtmcs; u8 tx_vhtmcs; @@ -1781,6 +1825,8 @@ struct hostapd_sta_add_params { const struct ieee80211_vht_capabilities *vht_capabilities; int vht_opmode_enabled; u8 vht_opmode; + const struct ieee80211_he_capabilities *he_capab; + size_t he_capab_len; u32 flags; /* bitmask of WPA_STA_* flags */ u32 flags_mask; /* unset bits in flags */ #ifdef CONFIG_MESH @@ -2337,7 +2383,7 @@ struct wpa_driver_ops { * * Returns: 0 on success, -1 on failure */ - int (*deauthenticate)(void *priv, const u8 *addr, int reason_code); + int (*deauthenticate)(void *priv, const u8 *addr, u16 reason_code); /** * associate - Request driver to associate @@ -2806,7 +2852,7 @@ struct wpa_driver_ops { * a Deauthentication frame to be sent to it. */ int (*sta_deauth)(void *priv, const u8 *own_addr, const u8 *addr, - int reason); + u16 reason); /** * sta_disassoc - Disassociate a station (AP only) @@ -2820,7 +2866,7 @@ struct wpa_driver_ops { * a Disassociation frame to be sent to it. */ int (*sta_disassoc)(void *priv, const u8 *own_addr, const u8 *addr, - int reason); + u16 reason); /** * sta_remove - Remove a station entry (AP only) @@ -2938,6 +2984,16 @@ struct wpa_driver_ops { unsigned int flags_and); /** + * sta_set_airtime_weight - Set station airtime weight (AP only) + * @priv: Private driver interface data + * @addr: Station address + * @weight: New weight for station airtime assignment + * Returns: 0 on success, -1 on failure + */ + int (*sta_set_airtime_weight)(void *priv, const u8 *addr, + unsigned int weight); + + /** * set_tx_queue_params - Set TX queue parameters * @priv: Private driver interface data * @queue: Queue number (0 = VO, 1 = VI, 2 = BE, 3 = BK) @@ -3975,6 +4031,18 @@ struct wpa_driver_ops { int (*leave_mesh)(void *priv); /** + * probe_mesh_link - Inject a frame over direct mesh link to a given + * peer skipping the next_hop lookup from mpath table. + * @priv: Private driver interface data + * @addr: Peer MAC address + * @eth: Ethernet frame to be sent + * @len: Ethernet frame lengtn in bytes + * Returns 0 on success, -1 on failure + */ + int (*probe_mesh_link)(void *priv, const u8 *addr, const u8 *eth, + size_t len); + + /** * do_acs - Automatically select channel * @priv: Private driver interface data * @params: Parameters for ACS @@ -4167,6 +4235,21 @@ struct wpa_driver_ops { * Returns: 0 on success, < 0 on failure */ int (*set_4addr_mode)(void *priv, const char *bridge_ifname, int val); + + /** + * update_dh_ie - Update DH IE + * @priv: Private driver interface data + * @peer_mac: Peer MAC address + * @reason_code: Reacon code + * @ie: DH IE + * @ie_len: DH IE length in bytes + * Returns: 0 on success, -1 on failure + * + * This callback is used to let the driver know the DH processing result + * and DH IE for a pending association. + */ + int (*update_dh_ie)(void *priv, const u8 *peer_mac, u16 reason_code, + const u8 *ie, size_t ie_len); }; /** @@ -4541,6 +4624,15 @@ enum wpa_event_type { EVENT_CH_SWITCH, /** + * EVENT_CH_SWITCH_STARTED - AP or GO started to switch channels + * + * This is a pre-switch event indicating the shortly following switch + * of operating channels. + * + * Described in wpa_event_data.ch_switch + */ + EVENT_CH_SWITCH_STARTED, + /** * EVENT_WNM - Request WNM operation * * This event can be used to request a WNM operation to be performed. @@ -4703,6 +4795,11 @@ enum wpa_event_type { * This event is emitted when an interface is added/removed for WDS STA. */ EVENT_WDS_STA_INTERFACE_STATUS, + + /** + * EVENT_UPDATE_DH - Notification of updated DH information + */ + EVENT_UPDATE_DH, }; @@ -5536,6 +5633,15 @@ union wpa_event_data { INTERFACE_REMOVED } istatus; } wds_sta_interface; + + /** + * struct update_dh - Data for EVENT_UPDATE_DH + */ + struct update_dh { + const u8 *peer; + const u8 *ie; + size_t ie_len; + } update_dh; }; /** diff --git a/freebsd/contrib/wpa/src/drivers/driver_bsd.c b/freebsd/contrib/wpa/src/drivers/driver_bsd.c index 3ef49fd7..213c52ea 100644 --- a/freebsd/contrib/wpa/src/drivers/driver_bsd.c +++ b/freebsd/contrib/wpa/src/drivers/driver_bsd.c @@ -664,7 +664,7 @@ rtbuf_len(void) #undef WPA_OUI_TYPE static int bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, - int reason_code); + u16 reason_code); static const char * ether_sprintf(const u8 *addr) @@ -756,7 +756,7 @@ bsd_read_sta_driver_data(void *priv, struct hostap_sta_driver_data *data, } static int -bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, int reason_code) +bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, u16 reason_code) { return bsd_send_mlme_param(priv, IEEE80211_MLME_DEAUTH, reason_code, addr); @@ -764,7 +764,7 @@ bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, int reason_code) static int bsd_sta_disassoc(void *priv, const u8 *own_addr, const u8 *addr, - int reason_code) + u16 reason_code) { return bsd_send_mlme_param(priv, IEEE80211_MLME_DISASSOC, reason_code, addr); @@ -1027,7 +1027,7 @@ wpa_driver_bsd_set_drop_unencrypted(void *priv, int enabled) } static int -wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, int reason_code) +wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, u16 reason_code) { return bsd_send_mlme_param(priv, IEEE80211_MLME_DEAUTH, reason_code, addr); diff --git a/freebsd/contrib/wpa/src/drivers/driver_common.c b/freebsd/contrib/wpa/src/drivers/driver_common.c index be9ff3f6..672f022e 100644 --- a/freebsd/contrib/wpa/src/drivers/driver_common.c +++ b/freebsd/contrib/wpa/src/drivers/driver_common.c @@ -69,6 +69,7 @@ const char * event_to_string(enum wpa_event_type event) E2S(DRIVER_CLIENT_POLL_OK); E2S(EAPOL_TX_STATUS); E2S(CH_SWITCH); + E2S(CH_SWITCH_STARTED); E2S(WNM); E2S(CONNECT_FAILED_REASON); E2S(DFS_RADAR_DETECTED); @@ -89,6 +90,7 @@ const char * event_to_string(enum wpa_event_type event) E2S(STATION_OPMODE_CHANGED); E2S(INTERFACE_MAC_CHANGED); E2S(WDS_STA_INTERFACE_STATUS); + E2S(UPDATE_DH); } return "UNKNOWN"; diff --git a/freebsd/contrib/wpa/src/drivers/driver_ndis.c b/freebsd/contrib/wpa/src/drivers/driver_ndis.c index 7e0db265..a04604ca 100644 --- a/freebsd/contrib/wpa/src/drivers/driver_ndis.c +++ b/freebsd/contrib/wpa/src/drivers/driver_ndis.c @@ -722,7 +722,7 @@ static int wpa_driver_ndis_disconnect(struct wpa_driver_ndis_data *drv) static int wpa_driver_ndis_deauthenticate(void *priv, const u8 *addr, - int reason_code) + u16 reason_code) { struct wpa_driver_ndis_data *drv = priv; return wpa_driver_ndis_disconnect(drv); diff --git a/freebsd/contrib/wpa/src/drivers/driver_nl80211.h b/freebsd/contrib/wpa/src/drivers/driver_nl80211.h index 1e7fe7a9..74982694 100644 --- a/freebsd/contrib/wpa/src/drivers/driver_nl80211.h +++ b/freebsd/contrib/wpa/src/drivers/driver_nl80211.h @@ -83,6 +83,12 @@ struct i802_bss { u8 rand_addr[ETH_ALEN]; }; +struct drv_nl80211_if_info { + int ifindex; + /* the AP/AP_VLAN iface that is in this bridge */ + int reason; +}; + struct wpa_driver_nl80211_data { struct nl80211_global *global; struct dl_list list; @@ -163,7 +169,6 @@ struct wpa_driver_nl80211_data { unsigned int scan_vendor_cmd_avail:1; unsigned int connect_reassoc:1; unsigned int set_wifi_conf_vendor_cmd_avail:1; - unsigned int he_capab_vendor_cmd_avail:1; unsigned int fetch_bss_trans_status:1; unsigned int roam_vendor_cmd_avail:1; unsigned int get_supported_akm_suites_avail:1; @@ -188,11 +193,8 @@ struct wpa_driver_nl80211_data { struct nl_handle *rtnl_sk; /* nl_sock for NETLINK_ROUTE */ - int default_if_indices[16]; - /* the AP/AP_VLAN iface that is in this bridge */ - int default_if_indices_reason[16]; - int *if_indices; - int *if_indices_reason; + struct drv_nl80211_if_info default_if_indices[16]; + struct drv_nl80211_if_info *if_indices; int num_if_indices; /* From failed authentication command */ @@ -215,8 +217,6 @@ struct wpa_driver_nl80211_data { * (NL80211_CMD_VENDOR). 0 if no pending scan request. */ int last_scan_cmd; - - struct he_capabilities he_capab; }; struct nl_msg; diff --git a/freebsd/contrib/wpa/src/eap_common/eap_defs.h b/freebsd/contrib/wpa/src/eap_common/eap_defs.h index 54f26ca3..bc3047c7 100644 --- a/freebsd/contrib/wpa/src/eap_common/eap_defs.h +++ b/freebsd/contrib/wpa/src/eap_common/eap_defs.h @@ -92,6 +92,7 @@ typedef enum { EAP_TYPE_GPSK = 51 /* RFC 5433 */, EAP_TYPE_PWD = 52 /* RFC 5931 */, EAP_TYPE_EKE = 53 /* RFC 6124 */, + EAP_TYPE_TEAP = 55 /* RFC 7170 */, EAP_TYPE_EXPANDED = 254 /* RFC 3748 */ } EapType; diff --git a/freebsd/contrib/wpa/src/eap_peer/eap.c b/freebsd/contrib/wpa/src/eap_peer/eap.c index c682b063..5d43af4d 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap.c +++ b/freebsd/contrib/wpa/src/eap_peer/eap.c @@ -2099,12 +2099,8 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev, } } - sm->eapol_cb->notify_cert(sm->eapol_ctx, - data->peer_cert.depth, - data->peer_cert.subject, - data->peer_cert.altsubject, - data->peer_cert.num_altsubject, - hash_hex, data->peer_cert.cert); + sm->eapol_cb->notify_cert(sm->eapol_ctx, &data->peer_cert, + hash_hex); break; case TLS_ALERT: if (data->alert.is_local) @@ -2609,7 +2605,7 @@ static int eap_allowed_phase2_type(int vendor, int type) if (vendor != EAP_VENDOR_IETF) return 0; return type != EAP_TYPE_PEAP && type != EAP_TYPE_TTLS && - type != EAP_TYPE_FAST; + type != EAP_TYPE_FAST && type != EAP_TYPE_TEAP; } diff --git a/freebsd/contrib/wpa/src/eap_peer/eap.h b/freebsd/contrib/wpa/src/eap_peer/eap.h index d0837e37..acd70d05 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap.h +++ b/freebsd/contrib/wpa/src/eap_peer/eap.h @@ -16,6 +16,7 @@ struct eap_sm; struct wpa_config_blob; struct wpabuf; +struct tls_cert_data; struct eap_method_type { int vendor; @@ -226,16 +227,11 @@ struct eapol_callbacks { /** * notify_cert - Notification of a peer certificate * @ctx: eapol_ctx from eap_peer_sm_init() call - * @depth: Depth in certificate chain (0 = server) - * @subject: Subject of the peer certificate - * @altsubject: Select fields from AltSubject of the peer certificate - * @num_altsubject: Number of altsubject values + * @cert: Certificate information * @cert_hash: SHA-256 hash of the certificate - * @cert: Peer certificate */ - void (*notify_cert)(void *ctx, int depth, const char *subject, - const char *altsubject[], int num_altsubject, - const char *cert_hash, const struct wpabuf *cert); + void (*notify_cert)(void *ctx, struct tls_cert_data *cert, + const char *cert_hash); /** * notify_status - Notification of the current EAP state diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_config.h b/freebsd/contrib/wpa/src/eap_peer/eap_config.h index 3a88f2ab..148c9066 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_config.h +++ b/freebsd/contrib/wpa/src/eap_peer/eap_config.h @@ -816,6 +816,8 @@ struct eap_peer_config { EXT_CERT_CHECK_GOOD, EXT_CERT_CHECK_BAD, } pending_ext_cert_check; + + int teap_anon_dh; }; diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_leap.c b/freebsd/contrib/wpa/src/eap_peer/eap_leap.c index 5f087bf5..e94c60e3 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_leap.c +++ b/freebsd/contrib/wpa/src/eap_peer/eap_leap.c @@ -392,8 +392,8 @@ static u8 * eap_leap_getKey(struct eap_sm *sm, void *priv, size_t *len) wpa_hexdump_key(MSG_DEBUG, "EAP-LEAP: master key", key, LEAP_KEY_LEN); *len = LEAP_KEY_LEN; - os_memset(pw_hash, 0, sizeof(pw_hash)); - os_memset(pw_hash_hash, 0, sizeof(pw_hash_hash)); + forced_memzero(pw_hash, sizeof(pw_hash)); + forced_memzero(pw_hash_hash, sizeof(pw_hash_hash)); return key; } diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_methods.h b/freebsd/contrib/wpa/src/eap_peer/eap_methods.h index b96b211d..09e08d3c 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_methods.h +++ b/freebsd/contrib/wpa/src/eap_peer/eap_methods.h @@ -97,6 +97,7 @@ int eap_peer_psk_register(void); int eap_peer_aka_register(void); int eap_peer_aka_prime_register(void); int eap_peer_fast_register(void); +int eap_peer_teap_register(void); int eap_peer_pax_register(void); int eap_peer_sake_register(void); int eap_peer_gpsk_register(void); diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_peap.c b/freebsd/contrib/wpa/src/eap_peer/eap_peap.c index 74bc2653..10892c53 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_peap.c +++ b/freebsd/contrib/wpa/src/eap_peer/eap_peap.c @@ -297,7 +297,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) res = peap_prfplus(data->peap_version, tk, 40, "Inner Methods Compound Keys", isk, sizeof(isk), imck, sizeof(imck)); - os_memset(isk, 0, sizeof(isk)); + forced_memzero(isk, sizeof(isk)); if (res < 0) return -1; wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", @@ -307,7 +307,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); os_memcpy(data->cmk, imck + 40, 20); wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); - os_memset(imck, 0, sizeof(imck)); + forced_memzero(imck, sizeof(imck)); return 0; } @@ -1269,7 +1269,7 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) os_memcpy(key, csk, EAP_TLS_KEY_LEN); wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", key, EAP_TLS_KEY_LEN); - os_memset(csk, 0, sizeof(csk)); + forced_memzero(csk, sizeof(csk)); } else os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c index 37d7f57f..16927d72 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c +++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c @@ -176,6 +176,9 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data, struct eap_method_ret *ret) { const char *label; + const u8 eap_tls13_context[] = { EAP_TYPE_TLS }; + const u8 *context = NULL; + size_t context_len = 0; wpa_printf(MSG_DEBUG, "EAP-TLS: Done"); @@ -186,6 +189,8 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data, if (data->ssl.tls_v13) { label = "EXPORTER_EAP_TLS_Key_Material"; + context = eap_tls13_context; + context_len = 1; /* A possible NewSessionTicket may be received before * EAP-Success, so need to allow it to be received. */ @@ -200,7 +205,7 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data, eap_tls_free_key(data); data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label, - NULL, 0, + context, context_len, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (data->key_data) { @@ -293,6 +298,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv, return NULL; } + if (res == 2) { + /* Application data included in the handshake message (used by + * EAP-TLS 1.3 to indicate conclusion of the exchange). */ + wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data", + resp); + wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data", + data->ssl.tls_out); + eap_peer_tls_reset_output(&data->ssl); + /* Send an ACK to allow the server to complete exchange */ + res = 1; + } + if (tls_connection_established(data->ssl_ctx, data->ssl.conn)) eap_tls_success(sm, data, ret); diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c index d8b0f47f..61abb529 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c +++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c @@ -161,7 +161,8 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, struct eap_peer_config *config, int phase2) { os_memset(params, 0, sizeof(*params)); - if (sm->workaround && data->eap_type != EAP_TYPE_FAST) { + if (sm->workaround && data->eap_type != EAP_TYPE_FAST && + data->eap_type != EAP_TYPE_TEAP) { /* * Some deployed authentication servers seem to be unable to * handle the TLS Session Ticket extension (they are supposed @@ -173,7 +174,15 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, */ params->flags |= TLS_CONN_DISABLE_SESSION_TICKET; } + if (data->eap_type == EAP_TYPE_TEAP) { + /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */ + params->flags |= TLS_CONN_DISABLE_TLSv1_0 | + TLS_CONN_DISABLE_TLSv1_1; + if (config->teap_anon_dh) + params->flags |= TLS_CONN_TEAP_ANON_DH; + } if (data->eap_type == EAP_TYPE_FAST || + data->eap_type == EAP_TYPE_TEAP || data->eap_type == EAP_TYPE_TTLS || data->eap_type == EAP_TYPE_PEAP) { /* The current EAP peer implementation is not yet ready for the @@ -406,17 +415,18 @@ u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm, if (eap_type == EAP_TYPE_TLS && data->tls_v13) { u8 *id, *method_id; + const u8 context[] = { EAP_TYPE_TLS }; /* Session-Id = <EAP-Type> || Method-Id * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", - * "", 64) + * Type-Code, 64) */ *len = 1 + 64; id = os_malloc(*len); if (!id) return NULL; method_id = eap_peer_tls_derive_key( - sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64); + sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64); if (!method_id) { os_free(id); return NULL; diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h index 5f825294..d96eff1c 100644 --- a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h +++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h @@ -70,7 +70,8 @@ struct eap_ssl_data { void *ssl_ctx; /** - * eap_type - EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST) + * eap_type - EAP method used in Phase 1 + * (EAP_TYPE_TLS/PEAP/TTLS/FAST/TEAP) */ u8 eap_type; @@ -85,6 +86,7 @@ struct eap_ssl_data { #define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80 #define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40 #define EAP_TLS_FLAGS_START 0x20 +#define EAP_TEAP_FLAGS_OUTER_TLV_LEN 0x10 #define EAP_TLS_VERSION_MASK 0x07 /* could be up to 128 bytes, but only the first 64 bytes are used */ diff --git a/freebsd/contrib/wpa/src/eap_server/eap_methods.h b/freebsd/contrib/wpa/src/eap_server/eap_methods.h index 3bf1495f..fdbea7a7 100644 --- a/freebsd/contrib/wpa/src/eap_server/eap_methods.h +++ b/freebsd/contrib/wpa/src/eap_server/eap_methods.h @@ -41,6 +41,7 @@ int eap_server_sake_register(void); int eap_server_gpsk_register(void); int eap_server_vendor_test_register(void); int eap_server_fast_register(void); +int eap_server_teap_register(void); int eap_server_wsc_register(void); int eap_server_ikev2_register(void); int eap_server_tnc_register(void); diff --git a/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h b/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h index 44f3f31c..bcdd5097 100644 --- a/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h +++ b/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h @@ -36,7 +36,10 @@ struct eapol_auth_config { int eap_fast_prov; int pac_key_lifetime; int pac_key_refresh_time; + int eap_teap_auth; + int eap_teap_pac_no_inner; int eap_sim_aka_result_ind; + int eap_sim_id; int tnc; struct wps_context *wps; int fragment_size; diff --git a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c index c69f815e..51c17039 100644 --- a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c +++ b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c @@ -2000,15 +2000,12 @@ static void eapol_sm_eap_param_needed(void *ctx, enum wpa_ctrl_req_type field, #define eapol_sm_eap_param_needed NULL #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */ -static void eapol_sm_notify_cert(void *ctx, int depth, const char *subject, - const char *altsubject[], - int num_altsubject, const char *cert_hash, - const struct wpabuf *cert) +static void eapol_sm_notify_cert(void *ctx, struct tls_cert_data *cert, + const char *cert_hash) { struct eapol_sm *sm = ctx; if (sm->ctx->cert_cb) - sm->ctx->cert_cb(sm->ctx->ctx, depth, subject, altsubject, - num_altsubject, cert_hash, cert); + sm->ctx->cert_cb(sm->ctx->ctx, cert, cert_hash); } diff --git a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h index 74f40bb1..c9d7522d 100644 --- a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h +++ b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h @@ -11,6 +11,8 @@ #include "common/defs.h" +struct tls_cert_data; + typedef enum { Unauthorized, Authorized } PortStatus; typedef enum { Auto, ForceUnauthorized, ForceAuthorized } PortControl; @@ -246,16 +248,11 @@ struct eapol_ctx { /** * cert_cb - Notification of a peer certificate * @ctx: Callback context (ctx) - * @depth: Depth in certificate chain (0 = server) - * @subject: Subject of the peer certificate - * @altsubject: Select fields from AltSubject of the peer certificate - * @num_altsubject: Number of altsubject values + * @cert: Certificate information * @cert_hash: SHA-256 hash of the certificate - * @cert: Peer certificate */ - void (*cert_cb)(void *ctx, int depth, const char *subject, - const char *altsubject[], int num_altsubject, - const char *cert_hash, const struct wpabuf *cert); + void (*cert_cb)(void *ctx, struct tls_cert_data *cert, + const char *cert_hash); /** * cert_in_cb - Include server certificates in callback diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa.c b/freebsd/contrib/wpa/src/rsn_supp/wpa.c index c2ebec54..df99fc9d 100644 --- a/freebsd/contrib/wpa/src/rsn_supp/wpa.c +++ b/freebsd/contrib/wpa/src/rsn_supp/wpa.c @@ -307,6 +307,9 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm, #endif /* CONFIG_IEEE80211R */ } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { int res, pmk_len; +#ifdef CONFIG_IEEE80211R + u8 buf[2 * PMK_LEN]; +#endif /* CONFIG_IEEE80211R */ if (wpa_key_mgmt_sha384(sm->key_mgmt)) pmk_len = PMK_LEN_SUITE_B_192; @@ -322,24 +325,42 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm, res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); pmk_len = 16; } - } else { + } #ifdef CONFIG_IEEE80211R - u8 buf[2 * PMK_LEN]; - if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) - { - if (wpa_key_mgmt_sha384(sm->key_mgmt)) { - os_memcpy(sm->xxkey, buf, - SHA384_MAC_LEN); - sm->xxkey_len = SHA384_MAC_LEN; - } else { - os_memcpy(sm->xxkey, buf + PMK_LEN, - PMK_LEN); - sm->xxkey_len = PMK_LEN; - } - os_memset(buf, 0, sizeof(buf)); + if (res == 0 && + eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) { + if (wpa_key_mgmt_sha384(sm->key_mgmt)) { + os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN); + sm->xxkey_len = SHA384_MAC_LEN; + } else { + os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); + sm->xxkey_len = PMK_LEN; + } + forced_memzero(buf, sizeof(buf)); + if (sm->proto == WPA_PROTO_RSN && + wpa_key_mgmt_ft(sm->key_mgmt)) { + struct rsn_pmksa_cache_entry *sa = NULL; + const u8 *fils_cache_id = NULL; + +#ifdef CONFIG_FILS + if (sm->fils_cache_id_set) + fils_cache_id = sm->fils_cache_id; +#endif /* CONFIG_FILS */ + wpa_hexdump_key(MSG_DEBUG, + "FT: Cache XXKey/MPMK", + sm->xxkey, sm->xxkey_len); + sa = pmksa_cache_add(sm->pmksa, + sm->xxkey, sm->xxkey_len, + NULL, NULL, 0, + src_addr, sm->own_addr, + sm->network_ctx, + sm->key_mgmt, + fils_cache_id); + if (!sm->cur_pmksa) + sm->cur_pmksa = sa; } -#endif /* CONFIG_IEEE80211R */ } +#endif /* CONFIG_IEEE80211R */ if (res == 0) { struct rsn_pmksa_cache_entry *sa = NULL; const u8 *fils_cache_id = NULL; @@ -630,7 +651,7 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, os_memcpy(buf, &ptk->tk[16], 8); os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); os_memcpy(&ptk->tk[24], buf, 8); - os_memset(buf, 0, sizeof(buf)); + forced_memzero(buf, sizeof(buf)); } sm->tptk_set = 1; @@ -904,7 +925,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to set GTK to the driver " "(Group only)"); - os_memset(gtk_buf, 0, sizeof(gtk_buf)); + forced_memzero(gtk_buf, sizeof(gtk_buf)); return -1; } } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, @@ -914,10 +935,10 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm, "WPA: Failed to set GTK to " "the driver (alg=%d keylen=%d keyidx=%d)", gd->alg, gd->gtk_len, gd->keyidx); - os_memset(gtk_buf, 0, sizeof(gtk_buf)); + forced_memzero(gtk_buf, sizeof(gtk_buf)); return -1; } - os_memset(gtk_buf, 0, sizeof(gtk_buf)); + forced_memzero(gtk_buf, sizeof(gtk_buf)); if (wnm_sleep) { sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; @@ -1023,10 +1044,10 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Failed to install GTK"); - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); return -1; } - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); return 0; } @@ -1695,12 +1716,12 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); os_memcpy(gd->gtk, key_data, key_data_len); if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) { - os_memset(ek, 0, sizeof(ek)); + forced_memzero(ek, sizeof(ek)); wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, "WPA: RC4 failed"); return -1; } - os_memset(ek, 0, sizeof(ek)); + forced_memzero(ek, sizeof(ek)); #endif /* CONFIG_NO_RC4 */ } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { if (maxkeylen % 8) { @@ -1849,7 +1870,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) goto failed; - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); if (rekey) { wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying " @@ -1868,7 +1889,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, return; failed: - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); } @@ -1982,12 +2003,12 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, os_memcpy(ek, key->key_iv, 16); os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { - os_memset(ek, 0, sizeof(ek)); + forced_memzero(ek, sizeof(ek)); wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, "WPA: RC4 failed"); return -1; } - os_memset(ek, 0, sizeof(ek)); + forced_memzero(ek, sizeof(ek)); #endif /* CONFIG_NO_RC4 */ } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || @@ -3427,12 +3448,12 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", gd.gtk, gd.gtk_len); if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); wpa_printf(MSG_DEBUG, "Failed to install the GTK in " "WNM mode"); return -1; } - os_memset(&gd, 0, sizeof(gd)); + forced_memzero(&gd, sizeof(gd)); #ifdef CONFIG_IEEE80211W } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { const struct wpa_igtk_kde *igtk; @@ -3862,7 +3883,7 @@ int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, dh_ss ? wpabuf_head(dh_ss) : NULL, dh_ss ? wpabuf_len(dh_ss) : 0, sm->pmk, &sm->pmk_len); - os_memset(rmsk, 0, sizeof(rmsk)); + forced_memzero(rmsk, sizeof(rmsk)); /* Don't use DHss in PTK derivation if PMKSA caching is not * used. */ @@ -3937,7 +3958,7 @@ int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, sm->fils_key_auth_ap, &sm->fils_key_auth_len); wpabuf_free(pub); - os_memset(ick, 0, sizeof(ick)); + forced_memzero(ick, sizeof(ick)); return res; fail: wpabuf_free(pub); @@ -4301,6 +4322,26 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) sm->fils_session, FILS_SESSION_LEN); } + if (!elems.rsn_ie) { + wpa_printf(MSG_DEBUG, + "FILS: No RSNE in (Re)Association Response"); + /* As an interop workaround, allow this for now since IEEE Std + * 802.11ai-2016 did not include all the needed changes to make + * a FILS AP include RSNE in the frame. This workaround might + * eventually be removed and replaced with rejection (goto fail) + * to follow a strict interpretation of the standard. */ + } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), + sm->ap_rsn_ie, sm->ap_rsn_ie_len, + elems.rsn_ie - 2, elems.rsn_ie_len + 2)) { + wpa_msg(sm->ctx->msg_ctx, MSG_INFO, + "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response"); + wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response", + sm->ap_rsn_ie, sm->ap_rsn_ie_len); + wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response", + elems.rsn_ie, elems.rsn_ie_len); + goto fail; + } + /* TODO: FILS Public Key */ if (!elems.fils_key_confirm) { @@ -4441,9 +4482,11 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); sm->fils_completed = 1; + forced_memzero(&gd, sizeof(gd)); return 0; fail: + forced_memzero(&gd, sizeof(gd)); return -1; } @@ -4655,7 +4698,7 @@ int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, else if (group == 21) res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, os_strlen(info), sm->pmk, hash_len); - os_memset(prk, 0, SHA512_MAC_LEN); + forced_memzero(prk, SHA512_MAC_LEN); if (res < 0) { sm->pmk_len = 0; return -1; diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa.h b/freebsd/contrib/wpa/src/rsn_supp/wpa.h index 8903f8e1..ae9cd648 100644 --- a/freebsd/contrib/wpa/src/rsn_supp/wpa.h +++ b/freebsd/contrib/wpa/src/rsn_supp/wpa.h @@ -26,7 +26,7 @@ struct wpa_sm_ctx { void (*set_state)(void *ctx, enum wpa_states state); enum wpa_states (*get_state)(void *ctx); - void (*deauthenticate)(void * ctx, int reason_code); + void (*deauthenticate)(void * ctx, u16 reason_code); int (*set_key)(void *ctx, enum wpa_alg alg, const u8 *addr, int key_idx, int set_tx, const u8 *seq, size_t seq_len, diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c b/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c index 6738b05b..e30e910e 100644 --- a/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c +++ b/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c @@ -20,6 +20,7 @@ #include "drivers/driver.h" #include "wpa.h" #include "wpa_i.h" +#include "pmksa_cache.h" #ifdef CONFIG_IEEE80211R @@ -29,15 +30,23 @@ int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr, u8 ptk_name[WPA_PMK_NAME_LEN]; const u8 *anonce = key->key_nonce; int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); - - if (sm->xxkey_len == 0) { + const u8 *mpmk; + size_t mpmk_len; + + if (sm->xxkey_len > 0) { + mpmk = sm->xxkey; + mpmk_len = sm->xxkey_len; + } else if (sm->cur_pmksa) { + mpmk = sm->cur_pmksa->pmk; + mpmk_len = sm->cur_pmksa->pmk_len; + } else { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " "derivation"); return -1; } sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; - if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, sm->ssid, + if (wpa_derive_pmk_r0(mpmk, mpmk_len, sm->ssid, sm->ssid_len, sm->mobility_domain, sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) @@ -821,10 +830,10 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, igtk_elem + 2, 6, igtk, igtk_len) < 0) { wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " "driver."); - os_memset(igtk, 0, sizeof(igtk)); + forced_memzero(igtk, sizeof(igtk)); return -1; } - os_memset(igtk, 0, sizeof(igtk)); + forced_memzero(igtk, sizeof(igtk)); return 0; } diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h b/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h index 0c5955c6..d86734b0 100644 --- a/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h +++ b/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h @@ -188,7 +188,7 @@ static inline enum wpa_states wpa_sm_get_state(struct wpa_sm *sm) return sm->ctx->get_state(sm->ctx->ctx); } -static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, int reason_code) +static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code) { WPA_ASSERT(sm->ctx->deauthenticate); sm->ctx->deauthenticate(sm->ctx->ctx, reason_code); diff --git a/freebsd/contrib/wpa/src/utils/common.c b/freebsd/contrib/wpa/src/utils/common.c index a1fdfae7..0eb8bc66 100644 --- a/freebsd/contrib/wpa/src/utils/common.c +++ b/freebsd/contrib/wpa/src/utils/common.c @@ -232,6 +232,16 @@ void inc_byte_array(u8 *counter, size_t len) } +void buf_shift_right(u8 *buf, size_t len, size_t bits) +{ + size_t i; + + for (i = len - 1; i > 0; i--) + buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits); + buf[0] >>= bits; +} + + void wpa_get_ntp_timestamp(u8 *buf) { struct os_time now; @@ -962,7 +972,7 @@ void str_clear_free(char *str) { if (str) { size_t len = os_strlen(str); - os_memset(str, 0, len); + forced_memzero(str, len); os_free(str); } } @@ -971,7 +981,7 @@ void str_clear_free(char *str) void bin_clear_free(void *bin, size_t len) { if (bin) { - os_memset(bin, 0, len); + forced_memzero(bin, len); os_free(bin); } } @@ -1251,3 +1261,22 @@ char * get_param(const char *cmd, const char *param) val[len] = '\0'; return val; } + + +/* Try to prevent most compilers from optimizing out clearing of memory that + * becomes unaccessible after this function is called. This is mostly the case + * for clearing local stack variables at the end of a function. This is not + * exactly perfect, i.e., someone could come up with a compiler that figures out + * the pointer is pointing to memset and then end up optimizing the call out, so + * try go a bit further by storing the first octet (now zero) to make this even + * a bit more difficult to optimize out. Once memset_s() is available, that + * could be used here instead. */ +static void * (* const volatile memset_func)(void *, int, size_t) = memset; +static u8 forced_memzero_val; + +void forced_memzero(void *ptr, size_t len) +{ + memset_func(ptr, 0, len); + if (len) + forced_memzero_val = ((u8 *) ptr)[0]; +} diff --git a/freebsd/contrib/wpa/src/utils/common.h b/freebsd/contrib/wpa/src/utils/common.h index 924a8fee..037876ac 100644 --- a/freebsd/contrib/wpa/src/utils/common.h +++ b/freebsd/contrib/wpa/src/utils/common.h @@ -469,6 +469,7 @@ int hwaddr_aton2(const char *txt, u8 *addr); int hex2byte(const char *hex); int hexstr2bin(const char *hex, u8 *buf, size_t len); void inc_byte_array(u8 *counter, size_t len); +void buf_shift_right(u8 *buf, size_t len, size_t bits); void wpa_get_ntp_timestamp(u8 *buf); int wpa_scnprintf(char *buf, size_t size, const char *fmt, ...); int wpa_snprintf_hex_sep(char *buf, size_t buf_size, const u8 *data, size_t len, @@ -561,6 +562,8 @@ int str_starts(const char *str, const char *start); u8 rssi_to_rcpi(int rssi); char * get_param(const char *cmd, const char *param); +void forced_memzero(void *ptr, size_t len); + /* * gcc 4.4 ends up generating strict-aliasing warnings about some very common * networking socket uses that do not really result in a real problem and diff --git a/freebsd/contrib/wpa/src/utils/wpa_debug.c b/freebsd/contrib/wpa/src/utils/wpa_debug.c index 66596999..a7b8d599 100644 --- a/freebsd/contrib/wpa/src/utils/wpa_debug.c +++ b/freebsd/contrib/wpa/src/utils/wpa_debug.c @@ -146,6 +146,7 @@ int wpa_debug_open_linux_tracing(void) printf("failed to read /proc/mounts\n"); return -1; } + buf[buflen] = '\0'; line = strtok_r(buf, "\n", &tmp1); while (line) { diff --git a/freebsd/contrib/wpa/src/wps/wps.h b/freebsd/contrib/wpa/src/wps/wps.h index 14ce8632..9963c468 100644 --- a/freebsd/contrib/wpa/src/wps/wps.h +++ b/freebsd/contrib/wpa/src/wps/wps.h @@ -733,7 +733,7 @@ struct wps_context { * uses this when acting as an Enrollee to notify Registrar of the * current configuration. * - * When using WPA/WPA2-Person, this key can be either the ASCII + * When using WPA/WPA2-Personal, this key can be either the ASCII * passphrase (8..63 characters) or the 32-octet PSK (64 hex * characters). When this is set to the ASCII passphrase, the PSK can * be provided in the psk buffer and used per-Enrollee to control which diff --git a/freebsd/contrib/wpa/wpa_supplicant/ap.h b/freebsd/contrib/wpa/wpa_supplicant/ap.h index 447b5518..6c6e94cd 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/ap.h +++ b/freebsd/contrib/wpa/wpa_supplicant/ap.h @@ -54,7 +54,7 @@ int ap_switch_channel(struct wpa_supplicant *wpa_s, struct csa_settings *settings); int ap_ctrl_iface_chanswitch(struct wpa_supplicant *wpa_s, const char *txtaddr); void wpas_ap_ch_switch(struct wpa_supplicant *wpa_s, int freq, int ht, - int offset, int width, int cf1, int cf2); + int offset, int width, int cf1, int cf2, int finished); struct wpabuf * wpas_ap_wps_nfc_config_token(struct wpa_supplicant *wpa_s, int ndef); #ifdef CONFIG_AP diff --git a/freebsd/contrib/wpa/wpa_supplicant/bss.c b/freebsd/contrib/wpa/wpa_supplicant/bss.c index f9b703bb..5b080a3a 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/bss.c +++ b/freebsd/contrib/wpa/wpa_supplicant/bss.c @@ -433,6 +433,7 @@ static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s, struct os_reltime *fetch_time) { struct wpa_bss *bss; + char extra[50]; bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len); if (bss == NULL) @@ -458,10 +459,15 @@ static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s, dl_list_add_tail(&wpa_s->bss, &bss->list); dl_list_add_tail(&wpa_s->bss_id, &bss->list_id); wpa_s->num_bss++; + if (!is_zero_ether_addr(bss->hessid)) + os_snprintf(extra, sizeof(extra), " HESSID " MACSTR, + MAC2STR(bss->hessid)); + else + extra[0] = '\0'; wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR - " SSID '%s' freq %d", + " SSID '%s' freq %d%s", bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len), - bss->freq); + bss->freq, extra); wpas_notify_bss_added(wpa_s, bss->bssid, bss->id); return bss; } diff --git a/freebsd/contrib/wpa/wpa_supplicant/config.c b/freebsd/contrib/wpa/wpa_supplicant/config.c index 0eac7a9e..ce10b431 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/config.c +++ b/freebsd/contrib/wpa/wpa_supplicant/config.c @@ -2242,8 +2242,8 @@ static const struct parse_data ssid_fields[] = { { INT_RANGE(ht, 0, 1) }, { INT_RANGE(vht, 0, 1) }, { INT_RANGE(ht40, -1, 1) }, - { INT_RANGE(max_oper_chwidth, VHT_CHANWIDTH_USE_HT, - VHT_CHANWIDTH_80P80MHZ) }, + { INT_RANGE(max_oper_chwidth, CHANWIDTH_USE_HT, + CHANWIDTH_80P80MHZ) }, { INT(vht_center_freq1) }, { INT(vht_center_freq2) }, #ifdef IEEE8021X_EAPOL @@ -2409,6 +2409,7 @@ static const struct parse_data ssid_fields[] = { { INT_RANGE(owe_group, 0, 65535) }, { INT_RANGE(owe_only, 0, 1) }, { INT_RANGE(multi_ap_backhaul_sta, 0, 1) }, + { INT_RANGE(ft_eap_pmksa_caching, 0, 1) }, }; #undef OFFSET @@ -4870,6 +4871,9 @@ static const struct global_parse_data global_fields[] = { { INT_RANGE(gas_rand_mac_addr, 0, 2), 0 }, { INT_RANGE(dpp_config_processing, 0, 2), 0 }, { INT_RANGE(coloc_intf_reporting, 0, 1), 0 }, +#ifdef CONFIG_WNM + { INT_RANGE(disable_btm, 0, 1), CFG_CHANGED_DISABLE_BTM }, +#endif /* CONFIG_WNM */ }; #undef FUNC diff --git a/freebsd/contrib/wpa/wpa_supplicant/config.h b/freebsd/contrib/wpa/wpa_supplicant/config.h index a617ea18..e27b8695 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/config.h +++ b/freebsd/contrib/wpa/wpa_supplicant/config.h @@ -377,6 +377,7 @@ struct wpa_cred { #define CFG_CHANGED_P2P_PASSPHRASE_LEN BIT(16) #define CFG_CHANGED_SCHED_SCAN_PLANS BIT(17) #define CFG_CHANGED_WOWLAN_TRIGGERS BIT(18) +#define CFG_CHANGED_DISABLE_BTM BIT(19) /** * struct wpa_config - wpa_supplicant configuration data @@ -1530,6 +1531,15 @@ struct wpa_config { * By default, permanent MAC address is used. */ int p2p_interface_random_mac_addr; + + /** + * disable_btm - Disable BSS transition management in STA + * - Set to 0 to enable BSS transition management + * - Set to 1 to disable BSS transition management + * + * By default BSS transition management is enabled + */ + int disable_btm; }; diff --git a/freebsd/contrib/wpa/wpa_supplicant/config_file.c b/freebsd/contrib/wpa/wpa_supplicant/config_file.c index e3e17e01..8f812e1d 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/config_file.c +++ b/freebsd/contrib/wpa/wpa_supplicant/config_file.c @@ -896,6 +896,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT(owe_group); INT(owe_only); INT(multi_ap_backhaul_sta); + INT(ft_eap_pmksa_caching); #ifdef CONFIG_HT_OVERRIDES INT_DEF(disable_ht, DEFAULT_DISABLE_HT); INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40); @@ -1546,6 +1547,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config) if (config->p2p_interface_random_mac_addr) fprintf(f, "p2p_interface_random_mac_addr=%d\n", config->p2p_interface_random_mac_addr); + if (config->disable_btm) + fprintf(f, "disable_btm=1\n"); } #endif /* CONFIG_NO_CONFIG_WRITE */ diff --git a/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h b/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h index 1b2b1f1a..d5c5c00a 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h +++ b/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h @@ -48,6 +48,15 @@ struct psk_list_entry { u8 p2p; }; +enum wpas_mode { + WPAS_MODE_INFRA = 0, + WPAS_MODE_IBSS = 1, + WPAS_MODE_AP = 2, + WPAS_MODE_P2P_GO = 3, + WPAS_MODE_P2P_GROUP_FORMATION = 4, + WPAS_MODE_MESH = 5, +}; + /** * struct wpa_ssid - Network configuration data * @@ -394,14 +403,7 @@ struct wpa_ssid { * CCMP, but not both), and psk must also be set (either directly or * using ASCII passphrase). */ - enum wpas_mode { - WPAS_MODE_INFRA = 0, - WPAS_MODE_IBSS = 1, - WPAS_MODE_AP = 2, - WPAS_MODE_P2P_GO = 3, - WPAS_MODE_P2P_GROUP_FORMATION = 4, - WPAS_MODE_MESH = 5, - } mode; + enum wpas_mode mode; /** * pbss - Whether to use PBSS. Relevant to DMG networks only. @@ -1005,6 +1007,16 @@ struct wpa_ssid { * 1 = Multi-AP backhaul station */ int multi_ap_backhaul_sta; + + /** + * ft_eap_pmksa_caching - Whether FT-EAP PMKSA caching is allowed + * 0 = do not try to use PMKSA caching with FT-EAP + * 1 = try to use PMKSA caching with FT-EAP + * + * This controls whether to try to use PMKSA caching with FT-EAP for the + * FT initial mobility domain association. + */ + int ft_eap_pmksa_caching; }; #endif /* CONFIG_SSID_H */ diff --git a/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c b/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c index c7bcfef1..b9c92d40 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c +++ b/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c @@ -10,10 +10,10 @@ #include "utils/includes.h" #ifdef CONFIG_TESTING_OPTIONS -#include <net/ethernet.h> #include <netinet/ip.h> #endif /* CONFIG_TESTING_OPTIONS */ +#include <net/ethernet.h> #include "utils/common.h" #include "utils/eloop.h" #include "utils/uuid.h" @@ -3131,6 +3131,49 @@ static int wpa_supplicant_ctrl_iface_mesh_peer_add( return wpas_mesh_peer_add(wpa_s, addr, duration); } + +static int wpa_supplicant_ctrl_iface_mesh_link_probe( + struct wpa_supplicant *wpa_s, char *cmd) +{ + struct ether_header *eth; + u8 addr[ETH_ALEN]; + u8 *buf; + char *pos; + size_t payload_len = 0, len; + int ret = -1; + + if (hwaddr_aton(cmd, addr)) + return -1; + + pos = os_strstr(cmd, " payload="); + if (pos) { + pos = pos + 9; + payload_len = os_strlen(pos); + if (payload_len & 1) + return -1; + + payload_len /= 2; + } + + len = ETH_HLEN + payload_len; + buf = os_malloc(len); + if (!buf) + return -1; + + eth = (struct ether_header *) buf; + os_memcpy(eth->ether_dhost, addr, ETH_ALEN); + os_memcpy(eth->ether_shost, wpa_s->own_addr, ETH_ALEN); + eth->ether_type = htons(ETH_P_802_3); + + if (payload_len && hexstr2bin(pos, buf + ETH_HLEN, payload_len) < 0) + goto fail; + + ret = wpa_drv_mesh_link_probe(wpa_s, addr, buf, len); +fail: + os_free(buf); + return -ret; +} + #endif /* CONFIG_MESH */ @@ -5550,17 +5593,17 @@ static int parse_freq(int chwidth, int freq2) if (freq2 < 0) return -1; if (freq2) - return VHT_CHANWIDTH_80P80MHZ; + return CHANWIDTH_80P80MHZ; switch (chwidth) { case 0: case 20: case 40: - return VHT_CHANWIDTH_USE_HT; + return CHANWIDTH_USE_HT; case 80: - return VHT_CHANWIDTH_80MHZ; + return CHANWIDTH_80MHZ; case 160: - return VHT_CHANWIDTH_160MHZ; + return CHANWIDTH_160MHZ; default: wpa_printf(MSG_DEBUG, "Unknown max oper bandwidth: %d", chwidth); @@ -9585,59 +9628,10 @@ static int wpas_ctrl_iface_mac_rand_scan(struct wpa_supplicant *wpa_s, return -1; } - if (!enable) { - wpas_mac_addr_rand_scan_clear(wpa_s, type); - if (wpa_s->pno) { - if (type & MAC_ADDR_RAND_PNO) { - wpas_stop_pno(wpa_s); - wpas_start_pno(wpa_s); - } - } else if (wpa_s->sched_scanning && - (type & MAC_ADDR_RAND_SCHED_SCAN)) { - wpas_scan_restart_sched_scan(wpa_s); - } - return 0; - } - - if ((addr && !mask) || (!addr && mask)) { - wpa_printf(MSG_INFO, - "CTRL: MAC_RAND_SCAN invalid addr/mask combination"); - return -1; - } - - if (addr && mask && (!(mask[0] & 0x01) || (addr[0] & 0x01))) { - wpa_printf(MSG_INFO, - "CTRL: MAC_RAND_SCAN cannot allow multicast address"); - return -1; - } - - if (type & MAC_ADDR_RAND_SCAN) { - if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCAN, - addr, mask)) - return -1; - } + if (!enable) + return wpas_disable_mac_addr_randomization(wpa_s, type); - if (type & MAC_ADDR_RAND_SCHED_SCAN) { - if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCHED_SCAN, - addr, mask)) - return -1; - - if (wpa_s->sched_scanning && !wpa_s->pno) - wpas_scan_restart_sched_scan(wpa_s); - } - - if (type & MAC_ADDR_RAND_PNO) { - if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_PNO, - addr, mask)) - return -1; - - if (wpa_s->pno) { - wpas_stop_pno(wpa_s); - wpas_start_pno(wpa_s); - } - } - - return 0; + return wpas_enable_mac_addr_randomization(wpa_s, type, addr, mask); } @@ -10173,6 +10167,9 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, } else if (os_strncmp(buf, "MESH_PEER_ADD ", 14) == 0) { if (wpa_supplicant_ctrl_iface_mesh_peer_add(wpa_s, buf + 14)) reply_len = -1; + } else if (os_strncmp(buf, "MESH_LINK_PROBE ", 16) == 0) { + if (wpa_supplicant_ctrl_iface_mesh_link_probe(wpa_s, buf + 16)) + reply_len = -1; #endif /* CONFIG_MESH */ #ifdef CONFIG_P2P } else if (os_strncmp(buf, "P2P_FIND ", 9) == 0) { @@ -10747,6 +10744,16 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, } else if (os_strncmp(buf, "DPP_PKEX_REMOVE ", 16) == 0) { if (wpas_dpp_pkex_remove(wpa_s, buf + 16) < 0) reply_len = -1; +#ifdef CONFIG_DPP2 + } else if (os_strncmp(buf, "DPP_CONTROLLER_START ", 21) == 0) { + if (wpas_dpp_controller_start(wpa_s, buf + 20) < 0) + reply_len = -1; + } else if (os_strcmp(buf, "DPP_CONTROLLER_START") == 0) { + if (wpas_dpp_controller_start(wpa_s, NULL) < 0) + reply_len = -1; + } else if (os_strcmp(buf, "DPP_CONTROLLER_STOP") == 0) { + dpp_controller_stop(wpa_s->dpp); +#endif /* CONFIG_DPP2 */ #endif /* CONFIG_DPP */ } else { os_memcpy(reply, "UNKNOWN COMMAND\n", 16); diff --git a/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h b/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h index ecb7a7d6..9ba315f5 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h +++ b/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h @@ -25,5 +25,6 @@ int wpas_dpp_init(struct wpa_supplicant *wpa_s); void wpas_dpp_deinit(struct wpa_supplicant *wpa_s); int wpas_dpp_check_connect(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, struct wpa_bss *bss); +int wpas_dpp_controller_start(struct wpa_supplicant *wpa_s, const char *cmd); #endif /* DPP_SUPPLICANT_H */ diff --git a/freebsd/contrib/wpa/wpa_supplicant/driver_i.h b/freebsd/contrib/wpa/wpa_supplicant/driver_i.h index 4a9f472e..cf9972a6 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/driver_i.h +++ b/freebsd/contrib/wpa/wpa_supplicant/driver_i.h @@ -87,6 +87,16 @@ static inline int wpa_drv_leave_mesh(struct wpa_supplicant *wpa_s) return -1; } +static inline int wpa_drv_mesh_link_probe(struct wpa_supplicant *wpa_s, + const u8 *addr, + const u8 *eth, size_t len) +{ + if (wpa_s->driver->probe_mesh_link) + return wpa_s->driver->probe_mesh_link(wpa_s->drv_priv, addr, + eth, len); + return -1; +} + static inline int wpa_drv_scan(struct wpa_supplicant *wpa_s, struct wpa_driver_scan_params *params) { @@ -168,7 +178,7 @@ static inline int wpa_drv_get_seqnum(struct wpa_supplicant *wpa_s, } static inline int wpa_drv_sta_deauth(struct wpa_supplicant *wpa_s, - const u8 *addr, int reason_code) + const u8 *addr, u16 reason_code) { if (wpa_s->driver->sta_deauth) { return wpa_s->driver->sta_deauth(wpa_s->drv_priv, @@ -179,7 +189,7 @@ static inline int wpa_drv_sta_deauth(struct wpa_supplicant *wpa_s, } static inline int wpa_drv_deauthenticate(struct wpa_supplicant *wpa_s, - const u8 *addr, int reason_code) + const u8 *addr, u16 reason_code) { if (wpa_s->driver->deauthenticate) { return wpa_s->driver->deauthenticate(wpa_s->drv_priv, addr, diff --git a/freebsd/contrib/wpa/wpa_supplicant/eap_register.c b/freebsd/contrib/wpa/wpa_supplicant/eap_register.c index ee31c519..711f4b90 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/eap_register.c +++ b/freebsd/contrib/wpa/wpa_supplicant/eap_register.c @@ -104,6 +104,11 @@ int eap_register_methods(void) ret = eap_peer_fast_register(); #endif /* EAP_FAST */ +#ifdef EAP_TEAP + if (ret == 0) + ret = eap_peer_teap_register(); +#endif /* EAP_TEAP */ + #ifdef EAP_PAX if (ret == 0) ret = eap_peer_pax_register(); @@ -239,6 +244,11 @@ int eap_register_methods(void) ret = eap_server_fast_register(); #endif /* EAP_SERVER_FAST */ +#ifdef EAP_SERVER_TEAP + if (ret == 0) + ret = eap_server_teap_register(); +#endif /* EAP_SERVER_TEAP */ + #ifdef EAP_SERVER_WSC if (ret == 0) ret = eap_server_wsc_register(); diff --git a/freebsd/contrib/wpa/wpa_supplicant/events.c b/freebsd/contrib/wpa/wpa_supplicant/events.c index 8673d09c..06f37a32 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/events.c +++ b/freebsd/contrib/wpa/wpa_supplicant/events.c @@ -1224,7 +1224,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s, continue; } - if (ssid->mode != IEEE80211_MODE_MESH && !bss_is_ess(bss) && + if (ssid->mode != WPAS_MODE_MESH && !bss_is_ess(bss) && !bss_is_pbss(bss)) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, @@ -1248,7 +1248,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s, } #ifdef CONFIG_MESH - if (ssid->mode == IEEE80211_MODE_MESH && ssid->frequency > 0 && + if (ssid->mode == WPAS_MODE_MESH && ssid->frequency > 0 && ssid->frequency != bss->freq) { if (debug_print) wpa_dbg(wpa_s, MSG_DEBUG, @@ -1617,9 +1617,9 @@ wpa_supplicant_pick_new_network(struct wpa_supplicant *wpa_s) continue; } #endif /* !CONFIG_IBSS_RSN */ - if (ssid->mode == IEEE80211_MODE_IBSS || - ssid->mode == IEEE80211_MODE_AP || - ssid->mode == IEEE80211_MODE_MESH) + if (ssid->mode == WPAS_MODE_IBSS || + ssid->mode == WPAS_MODE_AP || + ssid->mode == WPAS_MODE_MESH) return ssid; } } @@ -2841,7 +2841,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s, if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE || wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE || (wpa_s->current_ssid && - wpa_s->current_ssid->mode == IEEE80211_MODE_IBSS)) { + wpa_s->current_ssid->mode == WPAS_MODE_IBSS)) { if (wpa_s->current_ssid && wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE && (wpa_s->drv_flags & @@ -3598,8 +3598,9 @@ static void wpas_event_disassoc(struct wpa_supplicant *wpa_s, ie_len = info->ie_len; reason_code = info->reason_code; locally_generated = info->locally_generated; - wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u%s", reason_code, - locally_generated ? " (locally generated)" : ""); + wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u (%s)%s", reason_code, + reason2str(reason_code), + locally_generated ? " locally_generated=1" : ""); if (addr) wpa_dbg(wpa_s, MSG_DEBUG, " * address " MACSTR, MAC2STR(addr)); @@ -3652,9 +3653,9 @@ static void wpas_event_deauth(struct wpa_supplicant *wpa_s, ie_len = info->ie_len; reason_code = info->reason_code; locally_generated = info->locally_generated; - wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u%s", - reason_code, - locally_generated ? " (locally generated)" : ""); + wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u (%s)%s", + reason_code, reason2str(reason_code), + locally_generated ? " locally_generated=1" : ""); if (addr) { wpa_dbg(wpa_s, MSG_DEBUG, " * address " MACSTR, MAC2STR(addr)); @@ -4060,9 +4061,18 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s, union wpa_event_data *data) { const u8 *bssid = data->assoc_reject.bssid; +#ifdef CONFIG_MBO + struct wpa_bss *reject_bss; +#endif /* CONFIG_MBO */ if (!bssid || is_zero_ether_addr(bssid)) bssid = wpa_s->pending_bssid; +#ifdef CONFIG_MBO + if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) + reject_bss = wpa_s->current_bss; + else + reject_bss = wpa_bss_get_bssid(wpa_s, bssid); +#endif /* CONFIG_MBO */ if (data->assoc_reject.bssid) wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_ASSOC_REJECT @@ -4113,8 +4123,7 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s, #ifdef CONFIG_MBO if (data->assoc_reject.status_code == WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS && - wpa_s->current_bss && data->assoc_reject.bssid && - data->assoc_reject.resp_ies) { + reject_bss && data->assoc_reject.resp_ies) { const u8 *rssi_rej; rssi_rej = mbo_get_attr_from_ies( @@ -4125,13 +4134,12 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s, wpa_printf(MSG_DEBUG, "OCE: RSSI-based association rejection from " MACSTR " (Delta RSSI: %u, Retry Delay: %u)", - MAC2STR(data->assoc_reject.bssid), + MAC2STR(reject_bss->bssid), rssi_rej[2], rssi_rej[3]); wpa_bss_tmp_disallow(wpa_s, - data->assoc_reject.bssid, + reject_bss->bssid, rssi_rej[3], - rssi_rej[2] + - wpa_s->current_bss->level); + rssi_rej[2] + reject_bss->level); } } #endif /* CONFIG_MBO */ @@ -4463,18 +4471,24 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event, data->rx_from_unknown.wds); break; #endif /* CONFIG_AP */ + + case EVENT_CH_SWITCH_STARTED: case EVENT_CH_SWITCH: if (!data || !wpa_s->current_ssid) break; - wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_CHANNEL_SWITCH - "freq=%d ht_enabled=%d ch_offset=%d ch_width=%s cf1=%d cf2=%d", + wpa_msg(wpa_s, MSG_INFO, + "%sfreq=%d ht_enabled=%d ch_offset=%d ch_width=%s cf1=%d cf2=%d", + event == EVENT_CH_SWITCH ? WPA_EVENT_CHANNEL_SWITCH : + WPA_EVENT_CHANNEL_SWITCH_STARTED, data->ch_switch.freq, data->ch_switch.ht_enabled, data->ch_switch.ch_offset, channel_width_to_string(data->ch_switch.ch_width), data->ch_switch.cf1, data->ch_switch.cf2); + if (event == EVENT_CH_SWITCH_STARTED) + break; wpa_s->assoc_freq = data->ch_switch.freq; wpa_s->current_ssid->frequency = data->ch_switch.freq; @@ -4490,7 +4504,8 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event, data->ch_switch.ch_offset, data->ch_switch.ch_width, data->ch_switch.cf1, - data->ch_switch.cf2); + data->ch_switch.cf2, + 1); } #endif /* CONFIG_AP */ @@ -4703,6 +4718,7 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event, wpa_dbg(wpa_s, MSG_DEBUG, "Interface was enabled"); if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) { wpa_supplicant_update_mac_addr(wpa_s); + wpa_supplicant_set_default_scan_ies(wpa_s); if (wpa_s->p2p_mgmt) { wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED); diff --git a/freebsd/contrib/wpa/wpa_supplicant/interworking.c b/freebsd/contrib/wpa/wpa_supplicant/interworking.c index 44829a66..805e31c7 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/interworking.c +++ b/freebsd/contrib/wpa/wpa_supplicant/interworking.c @@ -1390,6 +1390,9 @@ static struct wpa_cred * interworking_credentials_available_roaming_consortium( cred->num_roaming_consortiums == 0) continue; + if (!cred->eap_method) + continue; + if ((cred->roaming_consortium_len == 0 || !roaming_consortium_match(ie, anqp, cred->roaming_consortium, @@ -2671,7 +2674,8 @@ static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s) found++; bss->flags |= WPA_BSS_ANQP_FETCH_TRIED; wpa_msg(wpa_s, MSG_INFO, "Starting ANQP fetch for " - MACSTR, MAC2STR(bss->bssid)); + MACSTR " (HESSID " MACSTR ")", + MAC2STR(bss->bssid), MAC2STR(bss->hessid)); interworking_anqp_send_req(wpa_s, bss); break; } diff --git a/freebsd/contrib/wpa/wpa_supplicant/notify.c b/freebsd/contrib/wpa/wpa_supplicant/notify.c index c1fb8aed..cc01893e 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/notify.c +++ b/freebsd/contrib/wpa/wpa_supplicant/notify.c @@ -20,6 +20,7 @@ #include "dbus/dbus_new.h" #include "rsn_supp/wpa.h" #include "fst/fst.h" +#include "crypto/tls.h" #include "driver_i.h" #include "scan.h" #include "p2p_supplicant.h" @@ -788,42 +789,41 @@ void wpas_notify_sta_authorized(struct wpa_supplicant *wpa_s, } -void wpas_notify_certification(struct wpa_supplicant *wpa_s, int depth, - const char *subject, const char *altsubject[], - int num_altsubject, const char *cert_hash, - const struct wpabuf *cert) +void wpas_notify_certification(struct wpa_supplicant *wpa_s, + struct tls_cert_data *cert, + const char *cert_hash) { + int i; + wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT - "depth=%d subject='%s'%s%s", - depth, subject, cert_hash ? " hash=" : "", - cert_hash ? cert_hash : ""); + "depth=%d subject='%s'%s%s%s", + cert->depth, cert->subject, cert_hash ? " hash=" : "", + cert_hash ? cert_hash : "", + cert->tod ? " tod=1" : ""); - if (cert) { + if (cert->cert) { char *cert_hex; - size_t len = wpabuf_len(cert) * 2 + 1; + size_t len = wpabuf_len(cert->cert) * 2 + 1; cert_hex = os_malloc(len); if (cert_hex) { - wpa_snprintf_hex(cert_hex, len, wpabuf_head(cert), - wpabuf_len(cert)); + wpa_snprintf_hex(cert_hex, len, wpabuf_head(cert->cert), + wpabuf_len(cert->cert)); wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT "depth=%d subject='%s' cert=%s", - depth, subject, cert_hex); + cert->depth, cert->subject, cert_hex); os_free(cert_hex); } } - if (altsubject) { - int i; - - for (i = 0; i < num_altsubject; i++) - wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT - "depth=%d %s", depth, altsubject[i]); - } + for (i = 0; i < cert->num_altsubject; i++) + wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT + "depth=%d %s", cert->depth, cert->altsubject[i]); /* notify the new DBus API */ - wpas_dbus_signal_certification(wpa_s, depth, subject, altsubject, - num_altsubject, cert_hash, cert); + wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject, + cert->altsubject, cert->num_altsubject, + cert_hash, cert->cert); } @@ -903,7 +903,7 @@ void wpas_notify_mesh_group_started(struct wpa_supplicant *wpa_s, void wpas_notify_mesh_group_removed(struct wpa_supplicant *wpa_s, const u8 *meshid, u8 meshid_len, - int reason_code) + u16 reason_code) { if (wpa_s->p2p_mgmt) return; @@ -924,7 +924,7 @@ void wpas_notify_mesh_peer_connected(struct wpa_supplicant *wpa_s, void wpas_notify_mesh_peer_disconnected(struct wpa_supplicant *wpa_s, - const u8 *peer_addr, int reason_code) + const u8 *peer_addr, u16 reason_code) { if (wpa_s->p2p_mgmt) return; diff --git a/freebsd/contrib/wpa/wpa_supplicant/notify.h b/freebsd/contrib/wpa/wpa_supplicant/notify.h index 65f513ea..e843aa12 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/notify.h +++ b/freebsd/contrib/wpa/wpa_supplicant/notify.h @@ -14,6 +14,7 @@ struct wps_credential; struct wps_event_m2d; struct wps_event_fail; +struct tls_cert_data; int wpas_notify_supplicant_initialized(struct wpa_global *global); void wpas_notify_supplicant_deinitialized(struct wpa_global *global); @@ -130,10 +131,9 @@ void wpas_notify_persistent_group_removed(struct wpa_supplicant *wpa_s, void wpas_notify_p2p_wps_failed(struct wpa_supplicant *wpa_s, struct wps_event_fail *fail); -void wpas_notify_certification(struct wpa_supplicant *wpa_s, int depth, - const char *subject, const char *altsubject[], - int num_altsubject, const char *cert_hash, - const struct wpabuf *cert); +void wpas_notify_certification(struct wpa_supplicant *wpa_s, + struct tls_cert_data *cert, + const char *cert_hash); void wpas_notify_preq(struct wpa_supplicant *wpa_s, const u8 *addr, const u8 *dst, const u8 *bssid, const u8 *ie, size_t ie_len, u32 ssi_signal); @@ -151,10 +151,10 @@ void wpas_notify_mesh_group_started(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid); void wpas_notify_mesh_group_removed(struct wpa_supplicant *wpa_s, const u8 *meshid, u8 meshid_len, - int reason_code); + u16 reason_code); void wpas_notify_mesh_peer_connected(struct wpa_supplicant *wpa_s, const u8 *peer_addr); void wpas_notify_mesh_peer_disconnected(struct wpa_supplicant *wpa_s, - const u8 *peer_addr, int reason_code); + const u8 *peer_addr, u16 reason_code); #endif /* NOTIFY_H */ diff --git a/freebsd/contrib/wpa/wpa_supplicant/op_classes.c b/freebsd/contrib/wpa/wpa_supplicant/op_classes.c index 8b517af7..f0fd7905 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/op_classes.c +++ b/freebsd/contrib/wpa/wpa_supplicant/op_classes.c @@ -350,7 +350,7 @@ size_t wpas_supp_op_class_ie(struct wpa_supplicant *wpa_s, * TODO: Use the secondary channel and VHT channel width that will be * used after association. */ - if (ieee80211_freq_to_channel_ext(freq, 0, VHT_CHANWIDTH_USE_HT, + if (ieee80211_freq_to_channel_ext(freq, 0, CHANWIDTH_USE_HT, ¤t, &chan) == NUM_HOSTAPD_MODES) return 0; diff --git a/freebsd/contrib/wpa/wpa_supplicant/rrm.c b/freebsd/contrib/wpa/wpa_supplicant/rrm.c index 8cff1253..4dcd8b92 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/rrm.c +++ b/freebsd/contrib/wpa/wpa_supplicant/rrm.c @@ -719,20 +719,20 @@ static int wpas_get_op_chan_phy(int freq, const u8 *ies, size_t ies_len, seg0 = vht_oper->vht_op_info_chan_center_freq_seg0_idx; seg1 = vht_oper->vht_op_info_chan_center_freq_seg1_idx; if (seg1 && abs(seg1 - seg0) == 8) - vht = VHT_CHANWIDTH_160MHZ; + vht = CHANWIDTH_160MHZ; else if (seg1) - vht = VHT_CHANWIDTH_80P80MHZ; + vht = CHANWIDTH_80P80MHZ; else - vht = VHT_CHANWIDTH_80MHZ; + vht = CHANWIDTH_80MHZ; break; case 2: - vht = VHT_CHANWIDTH_160MHZ; + vht = CHANWIDTH_160MHZ; break; case 3: - vht = VHT_CHANWIDTH_80P80MHZ; + vht = CHANWIDTH_80P80MHZ; break; default: - vht = VHT_CHANWIDTH_USE_HT; + vht = CHANWIDTH_USE_HT; break; } } diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c index 1bc62ce6..2d4c6740 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c +++ b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c @@ -38,6 +38,7 @@ #include "rsn_supp/preauth.h" #include "rsn_supp/pmksa_cache.h" #include "common/wpa_ctrl.h" +#include "common/ieee802_11_common.h" #include "common/ieee802_11_defs.h" #include "common/hw_features_common.h" #include "common/gas_server.h" @@ -1418,9 +1419,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X-SHA384"); - if (pmksa_cache_get_current(wpa_s->wpa)) { - /* PMKSA caching with FT is not fully functional, so - * disable the case for now. */ + if (!ssid->ft_eap_pmksa_caching && + pmksa_cache_get_current(wpa_s->wpa)) { + /* PMKSA caching with FT may have interoperability + * issues, so disable that case by default for now. */ wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Disable PMKSA caching for FT/802.1X connection"); pmksa_cache_clear_current(wpa_s->wpa); @@ -1459,9 +1461,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, } else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) { wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X; wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X"); - if (pmksa_cache_get_current(wpa_s->wpa)) { - /* PMKSA caching with FT is not fully functional, so - * disable the case for now. */ + if (!ssid->ft_eap_pmksa_caching && + pmksa_cache_get_current(wpa_s->wpa)) { + /* PMKSA caching with FT may have interoperability + * issues, so disable that case by default for now. */ wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Disable PMKSA caching for FT/802.1X connection"); pmksa_cache_clear_current(wpa_s->wpa); @@ -1710,7 +1713,8 @@ static void wpas_ext_capab_byte(struct wpa_supplicant *wpa_s, u8 *pos, int idx) case 2: /* Bits 16-23 */ #ifdef CONFIG_WNM *pos |= 0x02; /* Bit 17 - WNM-Sleep Mode */ - *pos |= 0x08; /* Bit 19 - BSS Transition */ + if (!wpa_s->conf->disable_btm) + *pos |= 0x08; /* Bit 19 - BSS Transition */ #endif /* CONFIG_WNM */ break; case 3: /* Bits 24-31 */ @@ -2064,7 +2068,7 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s, #endif /* CONFIG_TDLS */ if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) && - ssid->mode == IEEE80211_MODE_INFRA) { + ssid->mode == WPAS_MODE_INFRA) { sme_authenticate(wpa_s, bss, ssid); return; } @@ -2138,6 +2142,7 @@ void ibss_mesh_setup_freq(struct wpa_supplicant *wpa_s, const struct wpa_ssid *ssid, struct hostapd_freq_params *freq) { + int ieee80211_mode = wpas_mode_to_ieee80211_mode(ssid->mode); enum hostapd_hw_mode hw_mode; struct hostapd_hw_modes *mode = NULL; int ht40plus[] = { 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157, @@ -2201,6 +2206,9 @@ void ibss_mesh_setup_freq(struct wpa_supplicant *wpa_s, if (!mode) return; + /* HE can work without HT + VHT */ + freq->he_enabled = mode->he_capab[ieee80211_mode].he_supported; + #ifdef CONFIG_HT_OVERRIDES if (ssid->disable_ht) { freq->ht_enabled = 0; @@ -2354,11 +2362,11 @@ skip_ht40: return; } - chwidth = VHT_CHANWIDTH_80MHZ; + chwidth = CHANWIDTH_80MHZ; seg0 = vht80[j] + 6; seg1 = 0; - if (ssid->max_oper_chwidth == VHT_CHANWIDTH_80P80MHZ) { + if (ssid->max_oper_chwidth == CHANWIDTH_80P80MHZ) { /* setup center_freq2, bandwidth */ for (k = 0; k < ARRAY_SIZE(vht80); k++) { /* Only accept 80 MHz segments separated by a gap */ @@ -2377,27 +2385,27 @@ skip_ht40: continue; /* Found a suitable second segment for 80+80 */ - chwidth = VHT_CHANWIDTH_80P80MHZ; + chwidth = CHANWIDTH_80P80MHZ; vht_caps |= VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ; seg1 = vht80[k] + 6; } - if (chwidth == VHT_CHANWIDTH_80P80MHZ) + if (chwidth == CHANWIDTH_80P80MHZ) break; } - } else if (ssid->max_oper_chwidth == VHT_CHANWIDTH_160MHZ) { + } else if (ssid->max_oper_chwidth == CHANWIDTH_160MHZ) { if (freq->freq == 5180) { - chwidth = VHT_CHANWIDTH_160MHZ; + chwidth = CHANWIDTH_160MHZ; vht_caps |= VHT_CAP_SUPP_CHAN_WIDTH_160MHZ; seg0 = 50; } else if (freq->freq == 5520) { - chwidth = VHT_CHANWIDTH_160MHZ; + chwidth = CHANWIDTH_160MHZ; vht_caps |= VHT_CAP_SUPP_CHAN_WIDTH_160MHZ; seg0 = 114; } - } else if (ssid->max_oper_chwidth == VHT_CHANWIDTH_USE_HT) { - chwidth = VHT_CHANWIDTH_USE_HT; + } else if (ssid->max_oper_chwidth == CHANWIDTH_USE_HT) { + chwidth = CHANWIDTH_USE_HT; seg0 = vht80[j] + 2; #ifdef CONFIG_HT_OVERRIDES if (ssid->disable_ht40) @@ -2407,9 +2415,10 @@ skip_ht40: if (hostapd_set_freq_params(&vht_freq, mode->mode, freq->freq, freq->channel, freq->ht_enabled, - vht_freq.vht_enabled, + vht_freq.vht_enabled, freq->he_enabled, freq->sec_channel_offset, - chwidth, seg0, seg1, vht_caps) != 0) + chwidth, seg0, seg1, vht_caps, + &mode->he_capab[ieee80211_mode]) != 0) return; *freq = vht_freq; @@ -3222,7 +3231,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B || params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) - params.req_key_mgmt_offload = 1; + params.req_handshake_offload = 1; if (wpa_s->conf->key_mgmt_offload) { if (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X || @@ -3423,16 +3432,17 @@ static void wpa_supplicant_clear_connection(struct wpa_supplicant *wpa_s, * current AP. */ void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s, - int reason_code) + u16 reason_code) { u8 *addr = NULL; union wpa_event_data event; int zero_addr = 0; wpa_dbg(wpa_s, MSG_DEBUG, "Request to deauthenticate - bssid=" MACSTR - " pending_bssid=" MACSTR " reason=%d state=%s", + " pending_bssid=" MACSTR " reason=%d (%s) state=%s", MAC2STR(wpa_s->bssid), MAC2STR(wpa_s->pending_bssid), - reason_code, wpa_supplicant_state_txt(wpa_s->wpa_state)); + reason_code, reason2str(reason_code), + wpa_supplicant_state_txt(wpa_s->wpa_state)); if (!is_zero_ether_addr(wpa_s->pending_bssid) && (wpa_s->wpa_state == WPA_AUTHENTICATING || @@ -3474,7 +3484,7 @@ void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s, if (addr) { wpa_drv_deauthenticate(wpa_s, addr, reason_code); os_memset(&event, 0, sizeof(event)); - event.deauth_info.reason_code = (u16) reason_code; + event.deauth_info.reason_code = reason_code; event.deauth_info.locally_generated = 1; wpa_supplicant_event(wpa_s, EVENT_DEAUTH, &event); if (zero_addr) @@ -4229,7 +4239,7 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr, !wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) || wpa_s->wpa_state != WPA_COMPLETED) && (wpa_s->current_ssid == NULL || - wpa_s->current_ssid->mode != IEEE80211_MODE_IBSS)) { + wpa_s->current_ssid->mode != WPAS_MODE_IBSS)) { /* Timeout for completing IEEE 802.1X and WPA authentication */ int timeout = 10; @@ -6621,6 +6631,9 @@ void wpa_supplicant_update_config(struct wpa_supplicant *wpa_s) wpa_s->conf->wowlan_triggers); } + if (wpa_s->conf->changed_parameters & CFG_CHANGED_DISABLE_BTM) + wpa_supplicant_set_default_scan_ies(wpa_s); + #ifdef CONFIG_WPS wpas_wps_update_config(wpa_s); #endif /* CONFIG_WPS */ @@ -7468,3 +7481,66 @@ int wpa_is_bss_tmp_disallowed(struct wpa_supplicant *wpa_s, return 1; } + + +int wpas_enable_mac_addr_randomization(struct wpa_supplicant *wpa_s, + unsigned int type, const u8 *addr, + const u8 *mask) +{ + if ((addr && !mask) || (!addr && mask)) { + wpa_printf(MSG_INFO, + "MAC_ADDR_RAND_SCAN invalid addr/mask combination"); + return -1; + } + + if (addr && mask && (!(mask[0] & 0x01) || (addr[0] & 0x01))) { + wpa_printf(MSG_INFO, + "MAC_ADDR_RAND_SCAN cannot allow multicast address"); + return -1; + } + + if (type & MAC_ADDR_RAND_SCAN) { + if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCAN, + addr, mask)) + return -1; + } + + if (type & MAC_ADDR_RAND_SCHED_SCAN) { + if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCHED_SCAN, + addr, mask)) + return -1; + + if (wpa_s->sched_scanning && !wpa_s->pno) + wpas_scan_restart_sched_scan(wpa_s); + } + + if (type & MAC_ADDR_RAND_PNO) { + if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_PNO, + addr, mask)) + return -1; + + if (wpa_s->pno) { + wpas_stop_pno(wpa_s); + wpas_start_pno(wpa_s); + } + } + + return 0; +} + + +int wpas_disable_mac_addr_randomization(struct wpa_supplicant *wpa_s, + unsigned int type) +{ + wpas_mac_addr_rand_scan_clear(wpa_s, type); + if (wpa_s->pno) { + if (type & MAC_ADDR_RAND_PNO) { + wpas_stop_pno(wpa_s); + wpas_start_pno(wpa_s); + } + } else if (wpa_s->sched_scanning && (type & MAC_ADDR_RAND_SCHED_SCAN)) { + wpas_scan_restart_sched_scan(wpa_s); + } + + return 0; +} diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h index 16e4db62..8a4bdf8c 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h +++ b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h @@ -802,7 +802,9 @@ struct wpa_supplicant { int sae_group_index; unsigned int sae_pmksa_caching:1; u16 seq_num; - struct external_auth ext_auth; + u8 ext_auth_bssid[ETH_ALEN]; + u8 ext_auth_ssid[SSID_MAX_LEN]; + size_t ext_auth_ssid_len; #endif /* CONFIG_SAE */ } sme; #endif /* CONFIG_SME */ @@ -821,6 +823,7 @@ struct wpa_supplicant { unsigned int mesh_if_created:1; unsigned int mesh_ht_enabled:1; unsigned int mesh_vht_enabled:1; + unsigned int mesh_he_enabled:1; struct wpa_driver_mesh_join_params *mesh_params; #ifdef CONFIG_PMKSA_CACHE_EXTERNAL /* struct external_pmksa_cache::list */ @@ -1291,7 +1294,7 @@ struct wpa_ssid * wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s); const char * wpa_supplicant_get_eap_mode(struct wpa_supplicant *wpa_s); void wpa_supplicant_cancel_auth_timeout(struct wpa_supplicant *wpa_s); void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s, - int reason_code); + u16 reason_code); struct wpa_ssid * wpa_supplicant_add_network(struct wpa_supplicant *wpa_s); int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id); @@ -1415,6 +1418,12 @@ size_t wpas_supp_op_class_ie(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid, int freq, u8 *pos, size_t len); +int wpas_enable_mac_addr_randomization(struct wpa_supplicant *wpa_s, + unsigned int type, const u8 *addr, + const u8 *mask); +int wpas_disable_mac_addr_randomization(struct wpa_supplicant *wpa_s, + unsigned int type); + /** * wpa_supplicant_ctrl_iface_ctrl_rsp_handle - Handle a control response * @wpa_s: Pointer to wpa_supplicant data @@ -1462,6 +1471,25 @@ static inline int network_is_persistent_group(struct wpa_ssid *ssid) return ssid->disabled == 2 && ssid->p2p_persistent_group; } + +static inline int wpas_mode_to_ieee80211_mode(enum wpas_mode mode) +{ + switch (mode) { + default: + case WPAS_MODE_INFRA: + return IEEE80211_MODE_INFRA; + case WPAS_MODE_IBSS: + return IEEE80211_MODE_IBSS; + case WPAS_MODE_AP: + case WPAS_MODE_P2P_GO: + case WPAS_MODE_P2P_GROUP_FORMATION: + return IEEE80211_MODE_AP; + case WPAS_MODE_MESH: + return IEEE80211_MODE_MESH; + } +} + + int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid); int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid); diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c b/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c index 3dc6a216..fa88bd85 100644 --- a/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c +++ b/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c @@ -466,7 +466,7 @@ static enum wpa_states _wpa_supplicant_get_state(void *wpa_s) } -static void _wpa_supplicant_deauthenticate(void *wpa_s, int reason_code) +static void _wpa_supplicant_deauthenticate(void *wpa_s, u16 reason_code) { wpa_supplicant_deauthenticate(wpa_s, reason_code); /* Schedule a scan to make sure we continue looking for networks */ @@ -1019,15 +1019,12 @@ static void wpa_supplicant_port_cb(void *ctx, int authorized) } -static void wpa_supplicant_cert_cb(void *ctx, int depth, const char *subject, - const char *altsubject[], int num_altsubject, - const char *cert_hash, - const struct wpabuf *cert) +static void wpa_supplicant_cert_cb(void *ctx, struct tls_cert_data *cert, + const char *cert_hash) { struct wpa_supplicant *wpa_s = ctx; - wpas_notify_certification(wpa_s, depth, subject, altsubject, - num_altsubject, cert_hash, cert); + wpas_notify_certification(wpa_s, cert, cert_hash); } diff --git a/freebsd/crypto/openssl/apps/apps.c b/freebsd/crypto/openssl/apps/apps.c index 4b27a74c..69c22694 100644 --- a/freebsd/crypto/openssl/apps/apps.c +++ b/freebsd/crypto/openssl/apps/apps.c @@ -50,7 +50,6 @@ #endif #include <openssl/bn.h> #include <openssl/ssl.h> -#include "s_apps.h" #include "apps.h" #ifdef _WIN32 @@ -58,6 +57,14 @@ static int WIN32_rename(const char *from, const char *to); # define rename(from,to) WIN32_rename((from),(to)) #endif +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) +# include <conio.h> +#endif + +#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) +# define _kbhit kbhit +#endif + typedef struct { const char *name; unsigned long flag; diff --git a/freebsd/crypto/openssl/apps/apps.h b/freebsd/crypto/openssl/apps/apps.h index d9eb650e..4a3e1a88 100644 --- a/freebsd/crypto/openssl/apps/apps.h +++ b/freebsd/crypto/openssl/apps/apps.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -444,11 +444,9 @@ void destroy_ui_method(void); const UI_METHOD *get_ui_method(void); int chopup_args(ARGS *arg, char *buf); -# ifdef HEADER_X509_H int dump_cert_text(BIO *out, X509 *x); void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags); -# endif void print_bignum_var(BIO *, const BIGNUM *, const char*, int, unsigned char *); void print_array(BIO *, const char *, int, const unsigned char *); diff --git a/freebsd/crypto/openssl/apps/ca.c b/freebsd/crypto/openssl/apps/ca.c index f0761efd..4bf0ce13 100644 --- a/freebsd/crypto/openssl/apps/ca.c +++ b/freebsd/crypto/openssl/apps/ca.c @@ -6,7 +6,7 @@ #endif /* __rtems__ */ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -729,7 +729,7 @@ end_of_options: /*****************************************************************/ if (req || gencrl) { - if (spkac_file != NULL) { + if (spkac_file != NULL && outfile != NULL) { output_der = 1; batch = 1; } diff --git a/freebsd/crypto/openssl/apps/dgst.c b/freebsd/crypto/openssl/apps/dgst.c index 9f1b907e..a5a4744d 100644 --- a/freebsd/crypto/openssl/apps/dgst.c +++ b/freebsd/crypto/openssl/apps/dgst.c @@ -6,7 +6,7 @@ #endif /* __rtems__ */ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -428,7 +428,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, size_t len; int i; - for (;;) { + while (BIO_pending(bp) || !BIO_eof(bp)) { i = BIO_read(bp, (char *)buf, BUFSIZE); if (i < 0) { BIO_printf(bio_err, "Read Error in %s\n", file); diff --git a/freebsd/crypto/openssl/apps/enc.c b/freebsd/crypto/openssl/apps/enc.c index 35200315..b2cd74c9 100644 --- a/freebsd/crypto/openssl/apps/enc.c +++ b/freebsd/crypto/openssl/apps/enc.c @@ -598,7 +598,7 @@ int enc_main(int argc, char **argv) if (benc != NULL) wbio = BIO_push(benc, wbio); - for (;;) { + while (BIO_pending(rbio) || !BIO_eof(rbio)) { inl = BIO_read(rbio, (char *)buff, bsize); if (inl <= 0) break; diff --git a/freebsd/crypto/openssl/apps/ocsp.c b/freebsd/crypto/openssl/apps/ocsp.c index 2aaf3b9f..7ff6a20c 100644 --- a/freebsd/crypto/openssl/apps/ocsp.c +++ b/freebsd/crypto/openssl/apps/ocsp.c @@ -1423,9 +1423,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, *q = '\0'; /* - * Skip "GET / HTTP..." requests often used by load-balancers + * Skip "GET / HTTP..." requests often used by load-balancers. Note: + * 'p' was incremented above to point to the first byte *after* the + * leading slash, so with 'GET / ' it is now an empty string. */ - if (p[1] == '\0') + if (p[0] == '\0') goto out; len = urldecode(p); diff --git a/freebsd/crypto/openssl/apps/openssl.c b/freebsd/crypto/openssl/apps/openssl.c index a658a252..31ec58d8 100644 --- a/freebsd/crypto/openssl/apps/openssl.c +++ b/freebsd/crypto/openssl/apps/openssl.c @@ -6,7 +6,7 @@ #endif /* __rtems__ */ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -33,7 +33,6 @@ # include <openssl/engine.h> #endif #include <openssl/err.h> -#include "s_apps.h" /* Needed to get the other O_xxx flags. */ #ifdef OPENSSL_SYS_VMS # include <unixio.h> diff --git a/freebsd/crypto/openssl/apps/pkcs12.c b/freebsd/crypto/openssl/apps/pkcs12.c index 66993dcc..c3111ee3 100644 --- a/freebsd/crypto/openssl/apps/pkcs12.c +++ b/freebsd/crypto/openssl/apps/pkcs12.c @@ -845,7 +845,7 @@ static int alg_print(const X509_ALGOR *alg) goto done; } BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, " - "Block size(r): %ld, Paralelizm(p): %ld", + "Block size(r): %ld, Parallelism(p): %ld", ASN1_STRING_length(kdf->salt), ASN1_INTEGER_get(kdf->costParameter), ASN1_INTEGER_get(kdf->blockSize), diff --git a/freebsd/crypto/openssl/apps/req.c b/freebsd/crypto/openssl/apps/req.c index 2fc7e790..546c80a5 100644 --- a/freebsd/crypto/openssl/apps/req.c +++ b/freebsd/crypto/openssl/apps/req.c @@ -6,7 +6,7 @@ #endif /* __rtems__ */ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -888,9 +888,19 @@ int req_main(int argc, char **argv) if (text) { if (x509) - X509_print_ex(out, x509ss, get_nameopt(), reqflag); + ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag); else - X509_REQ_print_ex(out, req, get_nameopt(), reqflag); + ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); + + if (ret == 0) { + if (x509) + BIO_printf(bio_err, "Error printing certificate\n"); + else + BIO_printf(bio_err, "Error printing certificate request\n"); + + ERR_print_errors(bio_err); + goto end; + } } if (subject) { diff --git a/freebsd/crypto/openssl/apps/s_apps.h b/freebsd/crypto/openssl/apps/s_apps.h index 0a3bc962..f94e659e 100644 --- a/freebsd/crypto/openssl/apps/s_apps.h +++ b/freebsd/crypto/openssl/apps/s_apps.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,13 +9,7 @@ #include <openssl/opensslconf.h> -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) -# include <conio.h> -#endif - -#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) -# define _kbhit kbhit -#endif +#include <openssl/ssl.h> #define PORT "4433" #define PROTOCOL "tcp" @@ -24,17 +18,15 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context); int do_server(int *accept_sock, const char *host, const char *port, int family, int type, int protocol, do_server_cb cb, unsigned char *context, int naccept, BIO *bio_s_out); -#ifdef HEADER_X509_H + int verify_callback(int ok, X509_STORE_CTX *ctx); -#endif -#ifdef HEADER_SSL_H + int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, STACK_OF(X509) *chain, int build_chain); int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_point_formats(BIO *out, SSL *s); int ssl_print_groups(BIO *out, SSL *s, int noshared); -#endif int ssl_print_tmp_key(BIO *out, SSL *s); int init_client(int *sock, const char *host, const char *port, const char *bindhost, const char *bindport, @@ -44,13 +36,11 @@ int should_retry(int i); long bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); -#ifdef HEADER_SSL_H void apps_ssl_info_callback(const SSL *s, int where, int ret); void msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data, int len, void *arg); -#endif int generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len); @@ -75,7 +65,6 @@ int args_excert(int option, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc); void print_verify_detail(SSL *s, BIO *bio); void print_ssl_summary(SSL *s); -#ifdef HEADER_SSL_H int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); @@ -86,4 +75,3 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose); int set_keylog_file(SSL_CTX *ctx, const char *keylog_file); void print_ca_names(BIO *bio, SSL *s); -#endif diff --git a/freebsd/crypto/openssl/apps/s_cb.c b/freebsd/crypto/openssl/apps/s_cb.c index 3df95478..7b60c2d6 100644 --- a/freebsd/crypto/openssl/apps/s_cb.c +++ b/freebsd/crypto/openssl/apps/s_cb.c @@ -1537,7 +1537,8 @@ void print_ca_names(BIO *bio, SSL *s) int i; if (sk == NULL || sk_X509_NAME_num(sk) == 0) { - BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs); + if (!SSL_is_server(s)) + BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs); return; } diff --git a/freebsd/crypto/openssl/apps/s_client.c b/freebsd/crypto/openssl/apps/s_client.c index 4c052ef5..78105741 100644 --- a/freebsd/crypto/openssl/apps/s_client.c +++ b/freebsd/crypto/openssl/apps/s_client.c @@ -2367,7 +2367,7 @@ int s_client_main(int argc, char **argv) (void)BIO_flush(fbio); /* * The first line is the HTTP response. According to RFC 7230, - * it's formated exactly like this: + * it's formatted exactly like this: * * HTTP/d.d ddd Reason text\r\n */ diff --git a/freebsd/crypto/openssl/apps/speed.c b/freebsd/crypto/openssl/apps/speed.c index 02eb30a6..47e1a2f8 100644 --- a/freebsd/crypto/openssl/apps/speed.c +++ b/freebsd/crypto/openssl/apps/speed.c @@ -1809,7 +1809,7 @@ int speed_main(int argc, char **argv) } buflen = lengths[size_num - 1]; - if (buflen < 36) /* size of random vector in RSA bencmark */ + if (buflen < 36) /* size of random vector in RSA benchmark */ buflen = 36; buflen += MAX_MISALIGNMENT + 1; loopargs[i].buf_malloc = app_malloc(buflen, "input buffer"); diff --git a/freebsd/crypto/openssl/crypto/asn1/a_time.c b/freebsd/crypto/openssl/crypto/asn1/a_time.c index 1031b369..ad8c9164 100644 --- a/freebsd/crypto/openssl/crypto/asn1/a_time.c +++ b/freebsd/crypto/openssl/crypto/asn1/a_time.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,7 +69,7 @@ static void determine_days(struct tm *tm) } c = y / 100; y %= 100; - /* Zeller's congruance */ + /* Zeller's congruence */ tm->tm_wday = (d + (13 * m) / 5 + y + y / 4 + c / 4 + 5 * c + 6) % 7; } @@ -81,7 +81,11 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) char *a; int n, i, i2, l, o, min_l = 11, strict = 0, end = 6, btz = 5, md; struct tm tmp; - +#if defined(CHARSET_EBCDIC) + const char upper_z = 0x5A, num_zero = 0x30, period = 0x2E, minus = 0x2D, plus = 0x2B; +#else + const char upper_z = 'Z', num_zero = '0', period = '.', minus = '-', plus = '+'; +#endif /* * ASN1_STRING_FLAG_X509_TIME is used to enforce RFC 5280 * time string format, in which: @@ -122,20 +126,20 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) if (l < min_l) goto err; for (i = 0; i < end; i++) { - if (!strict && (i == btz) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) { + if (!strict && (i == btz) && ((a[o] == upper_z) || (a[o] == plus) || (a[o] == minus))) { i++; break; } - if (!ossl_isdigit(a[o])) + if (!ascii_isdigit(a[o])) goto err; - n = a[o] - '0'; + n = a[o] - num_zero; /* incomplete 2-digital number */ if (++o == l) goto err; - if (!ossl_isdigit(a[o])) + if (!ascii_isdigit(a[o])) goto err; - n = (n * 10) + a[o] - '0'; + n = (n * 10) + a[o] - num_zero; /* no more bytes to read, but we haven't seen time-zone yet */ if (++o == l) goto err; @@ -187,14 +191,14 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) * Optional fractional seconds: decimal point followed by one or more * digits. */ - if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == '.') { + if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == period) { if (strict) /* RFC 5280 forbids fractional seconds */ goto err; if (++o == l) goto err; i = o; - while ((o < l) && ossl_isdigit(a[o])) + while ((o < l) && ascii_isdigit(a[o])) o++; /* Must have at least one digit after decimal point */ if (i == o) @@ -209,10 +213,10 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) * 'o' can point to '\0' is either the subsequent if or the first * else if is true. */ - if (a[o] == 'Z') { + if (a[o] == upper_z) { o++; - } else if (!strict && ((a[o] == '+') || (a[o] == '-'))) { - int offsign = a[o] == '-' ? 1 : -1; + } else if (!strict && ((a[o] == plus) || (a[o] == minus))) { + int offsign = a[o] == minus ? 1 : -1; int offset = 0; o++; @@ -225,13 +229,13 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) if (o + 4 != l) goto err; for (i = end; i < end + 2; i++) { - if (!ossl_isdigit(a[o])) + if (!ascii_isdigit(a[o])) goto err; - n = a[o] - '0'; + n = a[o] - num_zero; o++; - if (!ossl_isdigit(a[o])) + if (!ascii_isdigit(a[o])) goto err; - n = (n * 10) + a[o] - '0'; + n = (n * 10) + a[o] - num_zero; i2 = (d->type == V_ASN1_UTCTIME) ? i + 1 : i; if ((n < min[i2]) || (n > max[i2])) goto err; @@ -302,7 +306,7 @@ ASN1_TIME *asn1_time_from_tm(ASN1_TIME *s, struct tm *ts, int type) ts->tm_mday, ts->tm_hour, ts->tm_min, ts->tm_sec); -#ifdef CHARSET_EBCDIC_not +#ifdef CHARSET_EBCDIC ebcdic2ascii(tmps->data, tmps->data, tmps->length); #endif return tmps; @@ -469,6 +473,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) char *v; int gmt = 0, l; struct tm stm; + const char upper_z = 0x5A, period = 0x2E; if (!asn1_time_to_tm(&stm, tm)) { /* asn1_time_to_tm will check the time type */ @@ -477,7 +482,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) l = tm->length; v = (char *)tm->data; - if (v[l - 1] == 'Z') + if (v[l - 1] == upper_z) gmt = 1; if (tm->type == V_ASN1_GENERALIZEDTIME) { @@ -488,10 +493,10 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) * Try to parse fractional seconds. '14' is the place of * 'fraction point' in a GeneralizedTime string. */ - if (tm->length > 15 && v[14] == '.') { + if (tm->length > 15 && v[14] == period) { f = &v[14]; f_len = 1; - while (14 + f_len < l && ossl_isdigit(f[f_len])) + while (14 + f_len < l && ascii_isdigit(f[f_len])) ++f_len; } diff --git a/freebsd/crypto/openssl/crypto/asn1/a_type.c b/freebsd/crypto/openssl/crypto/asn1/a_type.c index b72396c1..61663971 100644 --- a/freebsd/crypto/openssl/crypto/asn1/a_type.c +++ b/freebsd/crypto/openssl/crypto/asn1/a_type.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,9 @@ int ASN1_TYPE_get(const ASN1_TYPE *a) { - if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL)) + if (a->type == V_ASN1_BOOLEAN + || a->type == V_ASN1_NULL + || a->value.ptr != NULL) return a->type; else return 0; @@ -25,7 +27,9 @@ int ASN1_TYPE_get(const ASN1_TYPE *a) void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value) { - if (a->value.ptr != NULL) { + if (a->type != V_ASN1_BOOLEAN + && a->type != V_ASN1_NULL + && a->value.ptr != NULL) { ASN1_TYPE **tmp_a = &a; asn1_primitive_free((ASN1_VALUE **)tmp_a, NULL, 0); } diff --git a/freebsd/crypto/openssl/crypto/asn1/x_bignum.c b/freebsd/crypto/openssl/crypto/asn1/x_bignum.c index f4068dbb..0cf718d7 100644 --- a/freebsd/crypto/openssl/crypto/asn1/x_bignum.c +++ b/freebsd/crypto/openssl/crypto/asn1/x_bignum.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -132,9 +132,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { - if (!*pval) - bn_secure_new(pval, it); - return bn_c2i(pval, cont, len, utype, free_cont, it); + int ret; + BIGNUM *bn; + + if (!*pval && !bn_secure_new(pval, it)) + return 0; + + ret = bn_c2i(pval, cont, len, utype, free_cont, it); + if (!ret) + return 0; + + /* Set constant-time flag for all secure BIGNUMS */ + bn = (BIGNUM *)*pval; + BN_set_flags(bn, BN_FLG_CONSTTIME); + return ret; } static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, diff --git a/freebsd/crypto/openssl/crypto/bio/b_addr.c b/freebsd/crypto/openssl/crypto/bio/b_addr.c index 5a672da6..eca19cd0 100644 --- a/freebsd/crypto/openssl/crypto/bio/b_addr.c +++ b/freebsd/crypto/openssl/crypto/bio/b_addr.c @@ -677,7 +677,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, if (1) { #ifdef AI_PASSIVE - int gai_ret = 0; + int gai_ret = 0, old_ret = 0; struct addrinfo hints; memset(&hints, 0, sizeof(hints)); @@ -685,12 +685,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, hints.ai_family = family; hints.ai_socktype = socktype; hints.ai_protocol = protocol; -#ifdef AI_ADDRCONFIG -#ifdef AF_UNSPEC +# ifdef AI_ADDRCONFIG +# ifdef AF_UNSPEC if (family == AF_UNSPEC) -#endif +# endif hints.ai_flags |= AI_ADDRCONFIG; -#endif +# endif if (lookup_type == BIO_LOOKUP_SERVER) hints.ai_flags |= AI_PASSIVE; @@ -698,6 +698,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, /* Note that |res| SHOULD be a 'struct addrinfo **' thanks to * macro magic in bio_lcl.h */ + retry: switch ((gai_ret = getaddrinfo(host, service, &hints, res))) { # ifdef EAI_SYSTEM case EAI_SYSTEM: @@ -705,12 +706,25 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB); break; # endif +# ifdef EAI_MEMORY + case EAI_MEMORY: + BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE); + break; +# endif case 0: ret = 1; /* Success */ break; default: +# if defined(AI_ADDRCONFIG) && defined(AI_NUMERICHOST) + if (hints.ai_flags & AI_ADDRCONFIG) { + hints.ai_flags &= ~AI_ADDRCONFIG; + hints.ai_flags |= AI_NUMERICHOST; + old_ret = gai_ret; + goto retry; + } +# endif BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB); - ERR_add_error_data(1, gai_strerror(gai_ret)); + ERR_add_error_data(1, gai_strerror(old_ret ? old_ret : gai_ret)); break; } } else { diff --git a/freebsd/crypto/openssl/crypto/bio/bss_dgram.c b/freebsd/crypto/openssl/crypto/bio/bss_dgram.c index 160a7c8d..e94a27d5 100644 --- a/freebsd/crypto/openssl/crypto/bio/bss_dgram.c +++ b/freebsd/crypto/openssl/crypto/bio/bss_dgram.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -786,7 +786,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) * reasons. When BIO_CTRL_DGRAM_SET_PEEK_MODE was first defined its value * was incorrectly clashing with BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. The * value has been updated to a non-clashing value. However to preserve - * binary compatiblity we now respond to both the old value and the new one + * binary compatibility we now respond to both the old value and the new one */ case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE: case BIO_CTRL_DGRAM_SET_PEEK_MODE: diff --git a/freebsd/crypto/openssl/crypto/bio/bss_file.c b/freebsd/crypto/openssl/crypto/bio/bss_file.c index 14117448..e4c7e277 100644 --- a/freebsd/crypto/openssl/crypto/bio/bss_file.c +++ b/freebsd/crypto/openssl/crypto/bio/bss_file.c @@ -9,10 +9,7 @@ * https://www.openssl.org/source/license.html */ -#ifndef HEADER_BSS_FILE_C -# define HEADER_BSS_FILE_C - -# if defined(__linux) || defined(__sun) || defined(__hpux) +#if defined(__linux) || defined(__sun) || defined(__hpux) /* * Following definition aliases fopen to fopen64 on above mentioned * platforms. This makes it possible to open and sequentially access files @@ -25,17 +22,17 @@ * of 32-bit platforms which allow for sequential access of large files * without extra "magic" comprise *BSD, Darwin, IRIX... */ -# ifndef _FILE_OFFSET_BITS -# define _FILE_OFFSET_BITS 64 -# endif +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 # endif +#endif -# include <stdio.h> -# include <errno.h> -# include "bio_lcl.h" -# include <openssl/err.h> +#include <stdio.h> +#include <errno.h> +#include "bio_lcl.h" +#include <openssl/err.h> -# if !defined(OPENSSL_NO_STDIO) +#if !defined(OPENSSL_NO_STDIO) static int file_write(BIO *h, const char *buf, int num); static int file_read(BIO *h, char *buf, int size); @@ -74,9 +71,9 @@ BIO *BIO_new_file(const char *filename, const char *mode) SYSerr(SYS_F_FOPEN, get_last_sys_error()); ERR_add_error_data(5, "fopen('", filename, "','", mode, "')"); if (errno == ENOENT -# ifdef ENXIO +#ifdef ENXIO || errno == ENXIO -# endif +#endif ) BIOerr(BIO_F_BIO_NEW_FILE, BIO_R_NO_SUCH_FILE); else @@ -214,33 +211,33 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) b->shutdown = (int)num & BIO_CLOSE; b->ptr = ptr; b->init = 1; -# if BIO_FLAGS_UPLINK!=0 -# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES) -# define _IOB_ENTRIES 20 -# endif +# if BIO_FLAGS_UPLINK!=0 +# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES) +# define _IOB_ENTRIES 20 +# endif /* Safety net to catch purely internal BIO_set_fp calls */ -# if defined(_MSC_VER) && _MSC_VER>=1900 +# if defined(_MSC_VER) && _MSC_VER>=1900 if (ptr == stdin || ptr == stdout || ptr == stderr) BIO_clear_flags(b, BIO_FLAGS_UPLINK); -# elif defined(_IOB_ENTRIES) +# elif defined(_IOB_ENTRIES) if ((size_t)ptr >= (size_t)stdin && (size_t)ptr < (size_t)(stdin + _IOB_ENTRIES)) BIO_clear_flags(b, BIO_FLAGS_UPLINK); -# endif # endif -# ifdef UP_fsetmod +# endif +# ifdef UP_fsetmod if (b->flags & BIO_FLAGS_UPLINK) UP_fsetmod(b->ptr, (char)((num & BIO_FP_TEXT) ? 't' : 'b')); else -# endif +# endif { -# if defined(OPENSSL_SYS_WINDOWS) +# if defined(OPENSSL_SYS_WINDOWS) int fd = _fileno((FILE *)ptr); if (num & BIO_FP_TEXT) _setmode(fd, _O_TEXT); else _setmode(fd, _O_BINARY); -# elif defined(OPENSSL_SYS_MSDOS) +# elif defined(OPENSSL_SYS_MSDOS) int fd = fileno((FILE *)ptr); /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) @@ -253,11 +250,11 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) } else _setmode(fd, _O_BINARY); } -# elif defined(OPENSSL_SYS_WIN32_CYGWIN) +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) int fd = fileno((FILE *)ptr); if (!(num & BIO_FP_TEXT)) setmode(fd, O_BINARY); -# endif +# endif } break; case BIO_C_SET_FILENAME: @@ -279,15 +276,15 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 0; break; } -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) if (!(num & BIO_FP_TEXT)) OPENSSL_strlcat(p, "b", sizeof(p)); else OPENSSL_strlcat(p, "t", sizeof(p)); -# elif defined(OPENSSL_SYS_WIN32_CYGWIN) +# elif defined(OPENSSL_SYS_WIN32_CYGWIN) if (!(num & BIO_FP_TEXT)) OPENSSL_strlcat(p, "b", sizeof(p)); -# endif +# endif fp = openssl_fopen(ptr, p); if (fp == NULL) { SYSerr(SYS_F_FOPEN, get_last_sys_error()); @@ -424,6 +421,4 @@ BIO *BIO_new_file(const char *filename, const char *mode) return NULL; } -# endif /* OPENSSL_NO_STDIO */ - -#endif /* HEADER_BSS_FILE_C */ +#endif /* OPENSSL_NO_STDIO */ diff --git a/freebsd/crypto/openssl/crypto/bio/bss_mem.c b/freebsd/crypto/openssl/crypto/bio/bss_mem.c index 8f14d790..be61400b 100644 --- a/freebsd/crypto/openssl/crypto/bio/bss_mem.c +++ b/freebsd/crypto/openssl/crypto/bio/bss_mem.c @@ -261,9 +261,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) bm = bbm->buf; if (bm->data != NULL) { if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) { - if (b->flags & BIO_FLAGS_NONCLEAR_RST) { - bm->length = bm->max; - } else { + if (!(b->flags & BIO_FLAGS_NONCLEAR_RST)) { memset(bm->data, 0, bm->max); bm->length = 0; } diff --git a/freebsd/crypto/openssl/crypto/bn/bn_div.c b/freebsd/crypto/openssl/crypto/bn/bn_div.c index efb71427..684264e6 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_div.c +++ b/freebsd/crypto/openssl/crypto/bn/bn_div.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -260,7 +260,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, * * - availability of constant-time bn_div_3_words; * - dividend is at least as "wide" as divisor, limb-wise, zero-padded - * if so requied, which shouldn't be a privacy problem, because + * if so required, which shouldn't be a privacy problem, because * divisor's length is considered public; */ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, diff --git a/freebsd/crypto/openssl/crypto/bn/bn_lcl.h b/freebsd/crypto/openssl/crypto/bn/bn_lcl.h index 8a36db2e..7f823a61 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_lcl.h +++ b/freebsd/crypto/openssl/crypto/bn/bn_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -295,7 +295,7 @@ struct bn_gencb_st { (b) > 23 ? 3 : 1) /* - * BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache + * BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache * line width of the target processor is at least the following value. */ # define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 ) diff --git a/freebsd/crypto/openssl/crypto/bn/bn_lib.c b/freebsd/crypto/openssl/crypto/bn/bn_lib.c index e900e4ae..611db290 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_lib.c +++ b/freebsd/crypto/openssl/crypto/bn/bn_lib.c @@ -134,20 +134,66 @@ int BN_num_bits_word(BN_ULONG l) return bits; } +/* + * This function still leaks `a->dmax`: it's caller's responsibility to + * expand the input `a` in advance to a public length. + */ +static ossl_inline +int bn_num_bits_consttime(const BIGNUM *a) +{ + int j, ret; + unsigned int mask, past_i; + int i = a->top - 1; + bn_check_top(a); + + for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) { + mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */ + + ret += BN_BITS2 & (~mask & ~past_i); + ret += BN_num_bits_word(a->d[j]) & mask; + + past_i |= mask; /* past_i will become 0xff..ff after i==j */ + } + + /* + * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the + * final result. + */ + mask = ~(constant_time_eq_int(i, ((int)-1))); + + return ret & mask; +} + int BN_num_bits(const BIGNUM *a) { int i = a->top - 1; bn_check_top(a); + if (a->flags & BN_FLG_CONSTTIME) { + /* + * We assume that BIGNUMs flagged as CONSTTIME have also been expanded + * so that a->dmax is not leaking secret information. + * + * In other words, it's the caller's responsibility to ensure `a` has + * been preallocated in advance to a public length if we hit this + * branch. + * + */ + return bn_num_bits_consttime(a); + } + if (BN_is_zero(a)) return 0; + return ((i * BN_BITS2) + BN_num_bits_word(a->d[i])); } -static void bn_free_d(BIGNUM *a) +static void bn_free_d(BIGNUM *a, int clear) { if (BN_get_flags(a, BN_FLG_SECURE)) - OPENSSL_secure_free(a->d); + OPENSSL_secure_clear_free(a->d, a->dmax * sizeof(a->d[0])); + else if (clear != 0) + OPENSSL_clear_free(a->d, a->dmax * sizeof(a->d[0])); else OPENSSL_free(a->d); } @@ -157,10 +203,8 @@ void BN_clear_free(BIGNUM *a) { if (a == NULL) return; - if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) { - OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); - bn_free_d(a); - } + if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) + bn_free_d(a, 1); if (BN_get_flags(a, BN_FLG_MALLOCED)) { OPENSSL_cleanse(a, sizeof(*a)); OPENSSL_free(a); @@ -172,7 +216,7 @@ void BN_free(BIGNUM *a) if (a == NULL) return; if (!BN_get_flags(a, BN_FLG_STATIC_DATA)) - bn_free_d(a); + bn_free_d(a, 0); if (a->flags & BN_FLG_MALLOCED) OPENSSL_free(a); } @@ -250,10 +294,8 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) BN_ULONG *a = bn_expand_internal(b, words); if (!a) return NULL; - if (b->d) { - OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0])); - bn_free_d(b); - } + if (b->d != NULL) + bn_free_d(b, 1); b->d = a; b->dmax = words; } @@ -418,8 +460,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) return ret; } +typedef enum {big, little} endianess_t; + /* ignore negative */ -static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +static +int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess) { int n; size_t i, lasti, j, atop, mask; @@ -451,10 +496,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) lasti = atop - 1; atop = a->top * BN_BYTES; - for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) { + if (endianess == big) + to += tolen; /* start from the end of the buffer */ + for (i = 0, j = 0; j < (size_t)tolen; j++) { + unsigned char val; l = a->d[i / BN_BYTES]; mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); - *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + if (endianess == big) + *--to = val; + else + *to++ = val; i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ } @@ -465,12 +517,12 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { if (tolen < 0) return -1; - return bn2binpad(a, to, tolen); + return bn2binpad(a, to, tolen, big); } int BN_bn2bin(const BIGNUM *a, unsigned char *to) { - return bn2binpad(a, to, -1); + return bn2binpad(a, to, -1, big); } BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) @@ -522,22 +574,9 @@ BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) { - int i; - BN_ULONG l; - bn_check_top(a); - i = BN_num_bytes(a); - if (tolen < i) + if (tolen < 0) return -1; - /* Add trailing zeroes if necessary */ - if (tolen > i) - memset(to + i, 0, tolen - i); - to += i; - while (i--) { - l = a->d[i / BN_BYTES]; - to--; - *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; - } - return tolen; + return bn2binpad(a, to, tolen, little); } int BN_ucmp(const BIGNUM *a, const BIGNUM *b) diff --git a/freebsd/crypto/openssl/crypto/bn/bn_prime.c b/freebsd/crypto/openssl/crypto/bn/bn_prime.c index c379eab8..f5d8fab7 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_prime.c +++ b/freebsd/crypto/openssl/crypto/bn/bn_prime.c @@ -65,8 +65,12 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, /* There are no prime numbers this small. */ BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL); return 0; - } else if (bits == 2 && safe) { - /* The smallest safe prime (7) is three bits. */ + } else if (add == NULL && safe && bits < 6 && bits != 3) { + /* + * The smallest safe prime (7) is three bits. + * But the following two safe primes with less than 6 bits (11, 23) + * are unreachable for BN_rand with BN_RAND_TOP_TWO. + */ BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL); return 0; } diff --git a/freebsd/crypto/openssl/crypto/bn/bn_rand.c b/freebsd/crypto/openssl/crypto/bn/bn_rand.c index 68ded7c3..f4d7eec6 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_rand.c +++ b/freebsd/crypto/openssl/crypto/bn/bn_rand.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -227,8 +227,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ - todo = sizeof(priv->d[0]) * priv->top; - if (todo > sizeof(private_bytes)) { + if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -237,8 +236,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } - memcpy(private_bytes, priv->d, todo); - memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1) diff --git a/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c b/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c index 7e6f0b72..e6f424c4 100644 --- a/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c +++ b/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -127,7 +127,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) * = a. * * (This is due to A.O.L. Atkin, - * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>, + * Subject: Square Roots and Cognate Matters modulo p=8n+5. + * URL: https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind9211&L=NMBRTHRY&P=4026 * November 1992.) */ diff --git a/freebsd/crypto/openssl/crypto/cms/cms_att.c b/freebsd/crypto/openssl/crypto/cms/cms_att.c index b5043b7d..252f596d 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_att.c +++ b/freebsd/crypto/openssl/crypto/cms/cms_att.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,6 +15,56 @@ #include <openssl/err.h> #include <openssl/cms.h> #include "cms_lcl.h" +#include "internal/nelem.h" + +/*- + * Attribute flags. + * CMS attribute restrictions are discussed in + * - RFC 5652 Section 11. + * ESS attribute restrictions are discussed in + * - RFC 2634 Section 1.3.4 AND + * - RFC 5035 Section 5.4 + */ +/* This is a signed attribute */ +#define CMS_ATTR_F_SIGNED 0x01 +/* This is an unsigned attribute */ +#define CMS_ATTR_F_UNSIGNED 0x02 +/* Must be present if there are any other attributes of the same type */ +#define CMS_ATTR_F_REQUIRED_COND 0x10 +/* There can only be one instance of this attribute */ +#define CMS_ATTR_F_ONLY_ONE 0x20 +/* The Attribute's value must have exactly one entry */ +#define CMS_ATTR_F_ONE_ATTR_VALUE 0x40 + +/* Attributes rules for different attributes */ +static const struct { + int nid; /* The attribute id */ + int flags; +} cms_attribute_properties[] = { + /* See RFC Section 11 */ + { NID_pkcs9_contentType, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE + | CMS_ATTR_F_REQUIRED_COND }, + { NID_pkcs9_messageDigest, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE + | CMS_ATTR_F_REQUIRED_COND }, + { NID_pkcs9_signingTime, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE }, + { NID_pkcs9_countersignature, CMS_ATTR_F_UNSIGNED }, + /* ESS */ + { NID_id_smime_aa_signingCertificate, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE }, + { NID_id_smime_aa_signingCertificateV2, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE }, + { NID_id_smime_aa_receiptRequest, CMS_ATTR_F_SIGNED + | CMS_ATTR_F_ONLY_ONE + | CMS_ATTR_F_ONE_ATTR_VALUE } +}; /* CMS SignedData Attribute utilities */ @@ -151,4 +201,86 @@ void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type); } -/* Specific attribute cases */ +/* + * Retrieve an attribute by nid from a stack of attributes starting at index + * *lastpos + 1. + * Returns the attribute or NULL if there is no attribute. + * If an attribute was found *lastpos returns the index of the found attribute. + */ +static X509_ATTRIBUTE *cms_attrib_get(int nid, + const STACK_OF(X509_ATTRIBUTE) *attrs, + int *lastpos) +{ + X509_ATTRIBUTE *at; + int loc; + + loc = X509at_get_attr_by_NID(attrs, nid, *lastpos); + if (loc < 0) + return NULL; + + at = X509at_get_attr(attrs, loc); + *lastpos = loc; + return at; +} + +static int cms_check_attribute(int nid, int flags, int type, + const STACK_OF(X509_ATTRIBUTE) *attrs, + int have_attrs) +{ + int lastpos = -1; + X509_ATTRIBUTE *at = cms_attrib_get(nid, attrs, &lastpos); + + if (at != NULL) { + int count = X509_ATTRIBUTE_count(at); + + /* Is this attribute allowed? */ + if (((flags & type) == 0) + /* check if multiple attributes of the same type are allowed */ + || (((flags & CMS_ATTR_F_ONLY_ONE) != 0) + && cms_attrib_get(nid, attrs, &lastpos) != NULL) + /* Check if attribute should have exactly one value in its set */ + || (((flags & CMS_ATTR_F_ONE_ATTR_VALUE) != 0) + && count != 1) + /* There should be at least one value */ + || count == 0) + return 0; + } else { + /* fail if a required attribute is missing */ + if (have_attrs + && ((flags & CMS_ATTR_F_REQUIRED_COND) != 0) + && (flags & type) != 0) + return 0; + } + return 1; +} + +/* + * Check that the signerinfo attributes obey the attribute rules which includes + * the following checks + * - If any signed attributes exist then there must be a Content Type + * and Message Digest attribute in the signed attributes. + * - The countersignature attribute is an optional unsigned attribute only. + * - Content Type, Message Digest, and Signing time attributes are signed + * attributes. Only one instance of each is allowed, with each of these + * attributes containing a single attribute value in its set. + */ +int CMS_si_check_attributes(const CMS_SignerInfo *si) +{ + int i; + int have_signed_attrs = (CMS_signed_get_attr_count(si) > 0); + int have_unsigned_attrs = (CMS_unsigned_get_attr_count(si) > 0); + + for (i = 0; i < (int)OSSL_NELEM(cms_attribute_properties); ++i) { + int nid = cms_attribute_properties[i].nid; + int flags = cms_attribute_properties[i].flags; + + if (!cms_check_attribute(nid, flags, CMS_ATTR_F_SIGNED, + si->signedAttrs, have_signed_attrs) + || !cms_check_attribute(nid, flags, CMS_ATTR_F_UNSIGNED, + si->unsignedAttrs, have_unsigned_attrs)) { + CMSerr(CMS_F_CMS_SI_CHECK_ATTRIBUTES, CMS_R_ATTRIBUTE_ERROR); + return 0; + } + } + return 1; +} diff --git a/freebsd/crypto/openssl/crypto/cms/cms_env.c b/freebsd/crypto/openssl/crypto/cms/cms_env.c index 171c0968..098a504f 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_env.c +++ b/freebsd/crypto/openssl/crypto/cms/cms_env.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -365,6 +365,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, unsigned char *ek = NULL; size_t eklen; int ret = 0; + size_t fixlen = 0; CMS_EncryptedContentInfo *ec; ec = cms->d.envelopedData->encryptedContentInfo; @@ -373,6 +374,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, return 0; } + if (cms->d.envelopedData->encryptedContentInfo->havenocert + && !cms->d.envelopedData->encryptedContentInfo->debug) { + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm); + + if (ciph == NULL) { + CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER); + return 0; + } + + fixlen = EVP_CIPHER_key_length(ciph); + } + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); if (ktri->pctx == NULL) return 0; @@ -403,7 +417,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) { + ktri->encryptedKey->length) <= 0 + || eklen == 0 + || (fixlen != 0 && eklen != fixlen)) { CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB); goto err; } diff --git a/freebsd/crypto/openssl/crypto/cms/cms_err.c b/freebsd/crypto/openssl/crypto/cms/cms_err.c index 1a24220d..aa21204f 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_err.c +++ b/freebsd/crypto/openssl/crypto/cms/cms_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -148,6 +148,8 @@ static const ERR_STRING_DATA CMS_str_functs[] = { {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 0), "CMS_SignerInfo_verify_content"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGN_RECEIPT, 0), "CMS_sign_receipt"}, + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SI_CHECK_ATTRIBUTES, 0), + "CMS_si_check_attributes"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_STREAM, 0), "CMS_stream"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_UNCOMPRESS, 0), "CMS_uncompress"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_VERIFY, 0), "CMS_verify"}, @@ -157,6 +159,7 @@ static const ERR_STRING_DATA CMS_str_functs[] = { static const ERR_STRING_DATA CMS_str_reasons[] = { {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ATTRIBUTE_ERROR), "attribute error"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT), "certificate already present"}, {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID), diff --git a/freebsd/crypto/openssl/crypto/cms/cms_lcl.h b/freebsd/crypto/openssl/crypto/cms/cms_lcl.h index 916fcbfb..68aa0127 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_lcl.h +++ b/freebsd/crypto/openssl/crypto/cms/cms_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st { size_t keylen; /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ int debug; + /* Set to 1 if we have no cert and need extra safety measures for MMA */ + int havenocert; }; struct CMS_RecipientInfo_st { @@ -317,8 +319,6 @@ struct CMS_OtherKeyAttribute_st { /* ESS structures */ -# ifdef HEADER_X509V3_H - struct CMS_ReceiptRequest_st { ASN1_OCTET_STRING *signedContentIdentifier; CMS_ReceiptsFrom *receiptsFrom; @@ -332,7 +332,6 @@ struct CMS_ReceiptsFrom_st { STACK_OF(GENERAL_NAMES) *receiptList; } d; }; -# endif struct CMS_Receipt_st { int32_t version; @@ -416,6 +415,8 @@ int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, /* PWRI routines */ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, int en_de); +/* SignerInfo routines */ +int CMS_si_check_attributes(const CMS_SignerInfo *si); DECLARE_ASN1_ITEM(CMS_CertificateChoices) DECLARE_ASN1_ITEM(CMS_DigestedData) diff --git a/freebsd/crypto/openssl/crypto/cms/cms_sd.c b/freebsd/crypto/openssl/crypto/cms/cms_sd.c index cac5a516..d5328985 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_sd.c +++ b/freebsd/crypto/openssl/crypto/cms/cms_sd.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,27 @@ static void cms_sd_set_version(CMS_SignedData *sd) } +/* + * RFC 5652 Section 11.1 Content Type + * The content-type attribute within signed-data MUST + * 1) be present if there are signed attributes + * 2) match the content type in the signed-data, + * 3) be a signed attribute. + * 4) not have more than one copy of the attribute. + * + * Note that since the CMS_SignerInfo_sign() always adds the "signing time" + * attribute, the content type attribute MUST be added also. + * Assumptions: This assumes that the attribute does not already exist. + */ +static int cms_set_si_contentType_attr(CMS_ContentInfo *cms, CMS_SignerInfo *si) +{ + ASN1_OBJECT *ctype = cms->d.signedData->encapContentInfo->eContentType; + + /* Add the contentType attribute */ + return CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, ctype, -1) > 0; +} + /* Copy an existing messageDigest value */ static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) @@ -330,6 +351,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (flags & CMS_REUSE_DIGEST) { if (!cms_copy_messageDigest(cms, si)) goto err; + if (!cms_set_si_contentType_attr(cms, si)) + goto err; if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) && !CMS_SignerInfo_sign(si)) goto err; @@ -560,8 +583,6 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, */ if (CMS_signed_get_attr_count(si) >= 0) { - ASN1_OBJECT *ctype = - cms->d.signedData->encapContentInfo->eContentType; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen; if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) @@ -570,9 +591,9 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, V_ASN1_OCTET_STRING, md, mdlen)) goto err; /* Copy content type across */ - if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, ctype, -1) <= 0) + if (!cms_set_si_contentType_attr(cms, si)) goto err; + if (!CMS_SignerInfo_sign(si)) goto err; } else if (si->pctx) { @@ -652,6 +673,9 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) goto err; } + if (!CMS_si_check_attributes(si)) + goto err; + if (si->pctx) pctx = si->pctx; else { @@ -698,7 +722,6 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) OPENSSL_free(abuf); EVP_MD_CTX_reset(mctx); return 0; - } int CMS_SignerInfo_verify(CMS_SignerInfo *si) @@ -713,6 +736,9 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) return -1; } + if (!CMS_si_check_attributes(si)) + return -1; + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); if (md == NULL) return -1; diff --git a/freebsd/crypto/openssl/crypto/cms/cms_smime.c b/freebsd/crypto/openssl/crypto/cms/cms_smime.c index 587923ee..1b623312 100644 --- a/freebsd/crypto/openssl/crypto/cms/cms_smime.c +++ b/freebsd/crypto/openssl/crypto/cms/cms_smime.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -745,6 +745,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, cms->d.envelopedData->encryptedContentInfo->debug = 1; else cms->d.envelopedData->encryptedContentInfo->debug = 0; + if (!cert) + cms->d.envelopedData->encryptedContentInfo->havenocert = 1; + else + cms->d.envelopedData->encryptedContentInfo->havenocert = 0; if (!pk && !cert && !dcont && !out) return 1; if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) diff --git a/freebsd/crypto/openssl/crypto/conf/conf_sap.c b/freebsd/crypto/openssl/crypto/conf/conf_sap.c index 5010574b..51ec0447 100644 --- a/freebsd/crypto/openssl/crypto/conf/conf_sap.c +++ b/freebsd/crypto/openssl/crypto/conf/conf_sap.c @@ -44,7 +44,7 @@ void OPENSSL_config(const char *appname) int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings) { - int ret; + int ret = 0; const char *filename; const char *appname; unsigned long flags; diff --git a/freebsd/crypto/openssl/crypto/ctype.c b/freebsd/crypto/openssl/crypto/ctype.c index 1eb6a261..bd650777 100644 --- a/freebsd/crypto/openssl/crypto/ctype.c +++ b/freebsd/crypto/openssl/crypto/ctype.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -274,3 +274,9 @@ int ossl_toupper(int c) { return ossl_islower(c) ? c ^ case_change : c; } + +int ascii_isdigit(const char inchar) { + if (inchar > 0x2F && inchar < 0x3A) + return 1; + return 0; +} diff --git a/freebsd/crypto/openssl/crypto/dh/dh_check.c b/freebsd/crypto/openssl/crypto/dh/dh_check.c index 0ff2d5f7..f53940c6 100644 --- a/freebsd/crypto/openssl/crypto/dh/dh_check.c +++ b/freebsd/crypto/openssl/crypto/dh/dh_check.c @@ -26,7 +26,8 @@ int DH_check_params_ex(const DH *dh) { int errflags = 0; - (void)DH_check_params(dh, &errflags); + if (!DH_check_params(dh, &errflags)) + return 0; if ((errflags & DH_CHECK_P_NOT_PRIME) != 0) DHerr(DH_F_DH_CHECK_PARAMS_EX, DH_R_CHECK_P_NOT_PRIME); @@ -69,18 +70,14 @@ int DH_check_params(const DH *dh, int *ret) /*- * Check that p is a safe prime and - * if g is 2, 3 or 5, check that it is a suitable generator - * where - * for 2, p mod 24 == 11 - * for 3, p mod 12 == 5 - * for 5, p mod 10 == 3 or 7 - * should hold. + * g is a suitable generator. */ int DH_check_ex(const DH *dh) { int errflags = 0; - (void)DH_check(dh, &errflags); + if (!DH_check(dh, &errflags)) + return 0; if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0) DHerr(DH_F_DH_CHECK_EX, DH_R_NOT_SUITABLE_GENERATOR); @@ -104,10 +101,11 @@ int DH_check(const DH *dh, int *ret) { int ok = 0, r; BN_CTX *ctx = NULL; - BN_ULONG l; BIGNUM *t1 = NULL, *t2 = NULL; - *ret = 0; + if (!DH_check_params(dh, ret)) + return 0; + ctx = BN_CTX_new(); if (ctx == NULL) goto err; @@ -141,21 +139,7 @@ int DH_check(const DH *dh, int *ret) *ret |= DH_CHECK_INVALID_Q_VALUE; if (dh->j && BN_cmp(dh->j, t1)) *ret |= DH_CHECK_INVALID_J_VALUE; - - } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { - l = BN_mod_word(dh->p, 24); - if (l == (BN_ULONG)-1) - goto err; - if (l != 11) - *ret |= DH_NOT_SUITABLE_GENERATOR; - } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { - l = BN_mod_word(dh->p, 10); - if (l == (BN_ULONG)-1) - goto err; - if ((l != 3) && (l != 7)) - *ret |= DH_NOT_SUITABLE_GENERATOR; - } else - *ret |= DH_UNABLE_TO_CHECK_GENERATOR; + } r = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL); if (r < 0) @@ -182,7 +166,8 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) { int errflags = 0; - (void)DH_check(dh, &errflags); + if (!DH_check_pub_key(dh, pub_key, &errflags)) + return 0; if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0) DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_SMALL); diff --git a/freebsd/crypto/openssl/crypto/dh/dh_gen.c b/freebsd/crypto/openssl/crypto/dh/dh_gen.c index 74c9cdbb..0348fa94 100644 --- a/freebsd/crypto/openssl/crypto/dh/dh_gen.c +++ b/freebsd/crypto/openssl/crypto/dh/dh_gen.c @@ -32,30 +32,33 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, /*- * We generate DH parameters as follows - * find a prime q which is prime_len/2 bits long. - * p=(2*q)+1 or (p-1)/2 = q - * For this case, g is a generator if - * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1. - * Since the factors of p-1 are q and 2, we just need to check - * g^2 mod p != 1 and g^q mod p != 1. + * find a prime p which is prime_len bits long, + * where q=(p-1)/2 is also prime. + * In the following we assume that g is not 0, 1 or p-1, since it + * would generate only trivial subgroups. + * For this case, g is a generator of the order-q subgroup if + * g^q mod p == 1. + * Or in terms of the Legendre symbol: (g/p) == 1. * * Having said all that, * there is another special case method for the generators 2, 3 and 5. - * for 2, p mod 24 == 11 - * for 3, p mod 12 == 5 <<<<< does not work for safe primes. - * for 5, p mod 10 == 3 or 7 + * Using the quadratic reciprocity law it is possible to solve + * (g/p) == 1 for the special values 2, 3, 5: + * (2/p) == 1 if p mod 8 == 1 or 7. + * (3/p) == 1 if p mod 12 == 1 or 11. + * (5/p) == 1 if p mod 5 == 1 or 4. + * See for instance: https://en.wikipedia.org/wiki/Legendre_symbol * - * Thanks to Phil Karn for the pointers about the - * special generators and for answering some of my questions. + * Since all safe primes > 7 must satisfy p mod 12 == 11 + * and all safe primes > 11 must satisfy p mod 5 != 1 + * we can further improve the condition for g = 2, 3 and 5: + * for 2, p mod 24 == 23 + * for 3, p mod 12 == 11 + * for 5, p mod 60 == 59 * - * I've implemented the second simple method :-). - * Since DH should be using a safe prime (both p and q are prime), - * this generator function can take a very very long time to run. - */ -/* - * Actually there is no reason to insist that 'generator' be a generator. - * It's just as OK (and in some sense better) to use a generator of the - * order-q subgroup. + * However for compatibilty with previous versions we use: + * for 2, p mod 24 == 11 + * for 5, p mod 60 == 23 */ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb) @@ -90,13 +93,10 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, goto err; g = 2; } else if (generator == DH_GENERATOR_5) { - if (!BN_set_word(t1, 10)) + if (!BN_set_word(t1, 60)) goto err; - if (!BN_set_word(t2, 3)) + if (!BN_set_word(t2, 23)) goto err; - /* - * BN_set_word(t3,7); just have to miss out on these ones :-( - */ g = 5; } else { /* @@ -104,9 +104,9 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, * not: since we are using safe primes, it will generate either an * order-q or an order-2q group, which both is OK */ - if (!BN_set_word(t1, 2)) + if (!BN_set_word(t1, 12)) goto err; - if (!BN_set_word(t2, 1)) + if (!BN_set_word(t2, 11)) goto err; g = generator; } diff --git a/freebsd/crypto/openssl/crypto/dh/dh_key.c b/freebsd/crypto/openssl/crypto/dh/dh_key.c index 64d6e7da..06cdeed9 100644 --- a/freebsd/crypto/openssl/crypto/dh/dh_key.c +++ b/freebsd/crypto/openssl/crypto/dh/dh_key.c @@ -127,6 +127,15 @@ static int generate_key(DH *dh) l = dh->length ? dh->length : BN_num_bits(dh->p) - 1; if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) goto err; + /* + * We handle just one known case where g is a quadratic non-residue: + * for g = 2: p % 8 == 3 + */ + if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) { + /* clear bit 0, since it won't be a secret anyway */ + if (!BN_clear_bit(priv_key, 0)) + goto err; + } } } @@ -138,11 +147,11 @@ static int generate_key(DH *dh) BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) { - BN_free(prk); + BN_clear_free(prk); goto err; } /* We MUST free prk before any further use of priv_key */ - BN_free(prk); + BN_clear_free(prk); } dh->pub_key = pub_key; diff --git a/freebsd/crypto/openssl/crypto/dh/dh_lib.c b/freebsd/crypto/openssl/crypto/dh/dh_lib.c index ee65d4cf..2451c3c1 100644 --- a/freebsd/crypto/openssl/crypto/dh/dh_lib.c +++ b/freebsd/crypto/openssl/crypto/dh/dh_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -236,11 +236,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { if (pub_key != NULL) { - BN_free(dh->pub_key); + BN_clear_free(dh->pub_key); dh->pub_key = pub_key; } if (priv_key != NULL) { - BN_free(dh->priv_key); + BN_clear_free(dh->priv_key); dh->priv_key = priv_key; } diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c b/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c index 82ca2b14..d613b6cb 100644 --- a/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c +++ b/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -505,7 +505,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; - return 2; + return 1; default: return -2; diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_err.c b/freebsd/crypto/openssl/crypto/dsa/dsa_err.c index 2e944be6..587e2b30 100644 --- a/freebsd/crypto/openssl/crypto/dsa/dsa_err.c +++ b/freebsd/crypto/openssl/crypto/dsa/dsa_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -54,6 +54,8 @@ static const ERR_STRING_DATA DSA_str_reasons[] = { "invalid digest type"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c b/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c index b6834f5d..4b2501aa 100644 --- a/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -74,6 +74,10 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) reason = DSA_R_MISSING_PARAMETERS; goto err; } + if (dsa->priv_key == NULL) { + reason = DSA_R_MISSING_PRIVATE_KEY; + goto err; + } ret = DSA_SIG_new(); if (ret == NULL) @@ -197,6 +201,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS); return 0; } + if (dsa->priv_key == NULL) { + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PRIVATE_KEY); + return 0; + } k = BN_new(); l = BN_new(); @@ -250,7 +258,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, * one bit longer than the modulus. * * There are some concerns about the efficacy of doing this. More - * specificly refer to the discussion starting with: + * specifically refer to the discussion starting with: * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 * The fix is to rework BN so these gymnastics aren't required. */ diff --git a/freebsd/crypto/openssl/crypto/ec/ec_asn1.c b/freebsd/crypto/openssl/crypto/ec/ec_asn1.c index 1862e26d..26b9e5d8 100644 --- a/freebsd/crypto/openssl/crypto/ec/ec_asn1.c +++ b/freebsd/crypto/openssl/crypto/ec/ec_asn1.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -570,10 +570,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group, EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) { int ok = 0, tmp; - EC_GROUP *ret = NULL; + EC_GROUP *ret = NULL, *dup = NULL; BIGNUM *p = NULL, *a = NULL, *b = NULL; EC_POINT *point = NULL; long field_bits; + int curve_name = NID_undef; + BN_CTX *ctx = NULL; if (!params->fieldID || !params->fieldID->fieldType || !params->fieldID->p.ptr) { @@ -791,18 +793,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) goto err; } + /* + * Check if the explicit parameters group just created matches one of the + * built-in curves. + * + * We create a copy of the group just built, so that we can remove optional + * fields for the lookup: we do this to avoid the possibility that one of + * the optional parameters is used to force the library into using a less + * performant and less secure EC_METHOD instead of the specialized one. + * In any case, `seed` is not really used in any computation, while a + * cofactor different from the one in the built-in table is just + * mathematically wrong anyway and should not be used. + */ + if ((ctx = BN_CTX_new()) == NULL) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB); + goto err; + } + if ((dup = EC_GROUP_dup(ret)) == NULL + || EC_GROUP_set_seed(dup, NULL, 0) != 1 + || !EC_GROUP_set_generator(dup, point, a, NULL)) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB); + goto err; + } + if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) { + /* + * The input explicit parameters successfully matched one of the + * built-in curves: often for built-in curves we have specialized + * methods with better performance and hardening. + * + * In this case we replace the `EC_GROUP` created through explicit + * parameters with one created from a named group. + */ + EC_GROUP *named_group = NULL; + +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for + * the same curve, we prefer the SECP nid when matching explicit + * parameters as that is associated with a specialized EC_METHOD. + */ + if (curve_name == NID_wap_wsg_idm_ecid_wtls12) + curve_name = NID_secp224r1; +#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ + + if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) { + ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB); + goto err; + } + EC_GROUP_free(ret); + ret = named_group; + + /* + * Set the flag so that EC_GROUPs created from explicit parameters are + * serialized using explicit parameters by default. + */ + EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE); + } + ok = 1; err: if (!ok) { - EC_GROUP_clear_free(ret); + EC_GROUP_free(ret); ret = NULL; } + EC_GROUP_free(dup); BN_free(p); BN_free(a); BN_free(b); EC_POINT_free(point); + + BN_CTX_free(ctx); + return ret; } @@ -863,7 +926,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) } if (a) { - EC_GROUP_clear_free(*a); + EC_GROUP_free(*a); *a = group; } @@ -911,7 +974,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) ret = *a; if (priv_key->parameters) { - EC_GROUP_clear_free(ret->group); + EC_GROUP_free(ret->group); ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters); } diff --git a/freebsd/crypto/openssl/crypto/ec/ec_curve.c b/freebsd/crypto/openssl/crypto/ec/ec_curve.c index 7ffd2eb1..017455f4 100644 --- a/freebsd/crypto/openssl/crypto/ec/ec_curve.c +++ b/freebsd/crypto/openssl/crypto/ec/ec_curve.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -3199,3 +3199,115 @@ int EC_curve_nist2nid(const char *name) } return NID_undef; } + +#define NUM_BN_FIELDS 6 +/* + * Validates EC domain parameter data for known named curves. + * This can be used when a curve is loaded explicitly (without a curve + * name) or to validate that domain parameters have not been modified. + * + * Returns: The nid associated with the found named curve, or NID_undef + * if not found. If there was an error it returns -1. + */ +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) +{ + int ret = -1, nid, len, field_type, param_len; + size_t i, seed_len; + const unsigned char *seed, *params_seed, *params; + unsigned char *param_bytes = NULL; + const EC_CURVE_DATA *data; + const EC_POINT *generator = NULL; + const EC_METHOD *meth; + const BIGNUM *cofactor = NULL; + /* An array of BIGNUMs for (p, a, b, x, y, order) */ + BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; + + meth = EC_GROUP_method_of(group); + if (meth == NULL) + return -1; + /* Use the optional named curve nid as a search field */ + nid = EC_GROUP_get_curve_name(group); + field_type = EC_METHOD_get_field_type(meth); + seed_len = EC_GROUP_get_seed_len(group); + seed = EC_GROUP_get0_seed(group); + cofactor = EC_GROUP_get0_cofactor(group); + + BN_CTX_start(ctx); + + /* + * The built-in curves contains data fields (p, a, b, x, y, order) that are + * all zero-padded to be the same size. The size of the padding is + * determined by either the number of bytes in the field modulus (p) or the + * EC group order, whichever is larger. + */ + param_len = BN_num_bytes(group->order); + len = BN_num_bytes(group->field); + if (len > param_len) + param_len = len; + + /* Allocate space to store the padded data for (p, a, b, x, y, order) */ + param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); + if (param_bytes == NULL) + goto end; + + /* Create the bignums */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if ((bn[i] = BN_CTX_get(ctx)) == NULL) + goto end; + } + /* + * Fill in the bn array with the same values as the internal curves + * i.e. the values are p, a, b, x, y, order. + */ + /* Get p, a & b */ + if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) + && ((generator = EC_GROUP_get0_generator(group)) != NULL) + /* Get x & y */ + && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) + /* Get order */ + && EC_GROUP_get_order(group, bn[5], ctx))) + goto end; + + /* + * Convert the bignum array to bytes that are joined together to form + * a single buffer that contains data for all fields. + * (p, a, b, x, y, order) are all zero padded to be the same size. + */ + for (i = 0; i < NUM_BN_FIELDS; ++i) { + if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) + goto end; + } + + for (i = 0; i < curve_list_length; i++) { + const ec_list_element curve = curve_list[i]; + + data = curve.data; + /* Get the raw order byte data */ + params_seed = (const unsigned char *)(data + 1); /* skip header */ + params = params_seed + data->seed_len; + + /* Look for unique fields in the fixed curve data */ + if (data->field_type == field_type + && param_len == data->param_len + && (nid <= 0 || nid == curve.nid) + /* check the optional cofactor (ignore if its zero) */ + && (BN_is_zero(cofactor) + || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) + /* Check the optional seed (ignore if its not set) */ + && (data->seed_len == 0 || seed_len == 0 + || ((size_t)data->seed_len == seed_len + && memcmp(params_seed, seed, seed_len) == 0)) + /* Check that the groups params match the built-in curve params */ + && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) + == 0) { + ret = curve.nid; + goto end; + } + } + /* Gets here if the group was not found */ + ret = NID_undef; +end: + OPENSSL_free(param_bytes); + BN_CTX_end(ctx); + return ret; +} diff --git a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h index 119255f1..fbdb04ea 100644 --- a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h +++ b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h @@ -154,7 +154,7 @@ struct ec_method_st { int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); /*- - * 'field_inv' computes the multipicative inverse of a in the field, + * 'field_inv' computes the multiplicative inverse of a in the field, * storing the result in r. * * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. @@ -595,6 +595,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey); int ec_key_simple_generate_public_key(EC_KEY *eckey); int ec_key_simple_check_key(const EC_KEY *eckey); +int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + /* EC_METHOD definitions */ struct ec_key_method_st { diff --git a/freebsd/crypto/openssl/crypto/ec/ec_lib.c b/freebsd/crypto/openssl/crypto/ec/ec_lib.c index 6da3f8b7..d86e22d5 100644 --- a/freebsd/crypto/openssl/crypto/ec/ec_lib.c +++ b/freebsd/crypto/openssl/crypto/ec/ec_lib.c @@ -267,6 +267,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth) static int ec_precompute_mont_data(EC_GROUP *); +/*- + * Try computing cofactor from the generator order (n) and field cardinality (q). + * This works for all curves of cryptographic interest. + * + * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q) + * h_min = (q + 1 - 2*sqrt(q))/n + * h_max = (q + 1 + 2*sqrt(q))/n + * h_max - h_min = 4*sqrt(q)/n + * So if n > 4*sqrt(q) holds, there is only one possible value for h: + * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil + * + * Otherwise, zero cofactor and return success. + */ +static int ec_guess_cofactor(EC_GROUP *group) { + int ret = 0; + BN_CTX *ctx = NULL; + BIGNUM *q = NULL; + + /*- + * If the cofactor is too large, we cannot guess it. + * The RHS of below is a strict overestimate of lg(4 * sqrt(q)) + */ + if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) { + /* default to 0 */ + BN_zero(group->cofactor); + /* return success */ + return 1; + } + + if ((ctx = BN_CTX_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + if ((q = BN_CTX_get(ctx)) == NULL) + goto err; + + /* set q = 2**m for binary fields; q = p otherwise */ + if (group->meth->field_type == NID_X9_62_characteristic_two_field) { + BN_zero(q); + if (!BN_set_bit(q, BN_num_bits(group->field) - 1)) + goto err; + } else { + if (!BN_copy(q, group->field)) + goto err; + } + + /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */ + if (!BN_rshift1(group->cofactor, group->order) /* n/2 */ + || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */ + /* q + 1 + n/2 */ + || !BN_add(group->cofactor, group->cofactor, BN_value_one()) + /* (q + 1 + n/2)/n */ + || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx)) + goto err; + ret = 1; + err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} + int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) { @@ -275,6 +336,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, return 0; } + /* require group->field >= 1 */ + if (group->field == NULL || BN_is_zero(group->field) + || BN_is_negative(group->field)) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD); + return 0; + } + + /*- + * - require order >= 1 + * - enforce upper bound due to Hasse thm: order can be no more than one bit + * longer than field cardinality + */ + if (order == NULL || BN_is_zero(order) || BN_is_negative(order) + || BN_num_bits(order) > BN_num_bits(group->field) + 1) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER); + return 0; + } + + /*- + * Unfortunately the cofactor is an optional field in many standards. + * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor". + * So accept cofactor == NULL or cofactor >= 0. + */ + if (cofactor != NULL && BN_is_negative(cofactor)) { + ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR); + return 0; + } + if (group->generator == NULL) { group->generator = EC_POINT_new(group); if (group->generator == NULL) @@ -283,17 +372,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, if (!EC_POINT_copy(group->generator, generator)) return 0; - if (order != NULL) { - if (!BN_copy(group->order, order)) - return 0; - } else - BN_zero(group->order); + if (!BN_copy(group->order, order)) + return 0; - if (cofactor != NULL) { + /* Either take the provided positive cofactor, or try to compute it */ + if (cofactor != NULL && !BN_is_zero(cofactor)) { if (!BN_copy(group->cofactor, cofactor)) return 0; - } else + } else if (!ec_guess_cofactor(group)) { BN_zero(group->cofactor); + return 0; + } /* * Some groups have an order with diff --git a/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c b/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c index 6d641991..97a26eef 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c +++ b/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c @@ -60,7 +60,7 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, priv_key = EC_KEY_get0_private_key(ecdh); if (priv_key == NULL) { - ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE); + ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_MISSING_PRIVATE_KEY); goto err; } diff --git a/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c b/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c index e173047e..dbf5dba0 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c +++ b/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,11 +43,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, const EC_GROUP *group; int ret = 0; int order_bits; + const BIGNUM *priv_key; if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) { + ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_MISSING_PRIVATE_KEY); + return 0; + } if (!EC_KEY_can_sign(eckey)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); @@ -85,8 +90,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, /* get random k */ do { if (dgst != NULL) { - if (!BN_generate_dsa_nonce(k, order, - EC_KEY_get0_private_key(eckey), + if (!BN_generate_dsa_nonce(k, order, priv_key, dgst, dlen, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_RANDOM_NUMBER_GENERATION_FAILED); @@ -164,10 +168,14 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); - if (group == NULL || priv_key == NULL) { + if (group == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER); return NULL; } + if (priv_key == NULL) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY); + return NULL; + } if (!EC_KEY_can_sign(eckey)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c index badd762a..0dcba532 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c +++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c @@ -326,34 +326,21 @@ static void felem_to_bin28(u8 out[28], const felem in) } } -/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ -static void flip_endian(u8 *out, const u8 *in, unsigned len) -{ - unsigned i; - for (i = 0; i < len; ++i) - out[i] = in[len - 1 - i]; -} - /* From OpenSSL BIGNUM to internal representation */ static int BN_to_felem(felem out, const BIGNUM *bn) { - felem_bytearray b_in; felem_bytearray b_out; - unsigned num_bytes; + int num_bytes; - /* BN_bn2bin eats leading zeroes */ - memset(b_out, 0, sizeof(b_out)); - num_bytes = BN_num_bytes(bn); - if (num_bytes > sizeof(b_out)) { + if (BN_is_negative(bn)) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - if (BN_is_negative(bn)) { + num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); + if (num_bytes < 0) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - num_bytes = BN_bn2bin(bn, b_in); - flip_endian(b_out, b_in, num_bytes); bin28_to_felem(out, b_out); return 1; } @@ -361,10 +348,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn) /* From internal representation to OpenSSL BIGNUM */ static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) { - felem_bytearray b_in, b_out; - felem_to_bin28(b_in, in); - flip_endian(b_out, b_in, sizeof(b_out)); - return BN_bin2bn(b_out, sizeof(b_out), out); + felem_bytearray b_out; + felem_to_bin28(b_out, in); + return BN_lebin2bn(b_out, sizeof(b_out), out); } /******************************************************************************/ @@ -1404,8 +1390,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, felem_bytearray *secrets = NULL; felem (*pre_comp)[17][3] = NULL; felem *tmp_felems = NULL; - felem_bytearray tmp; - unsigned num_bytes; + int num_bytes; int have_pre_comp = 0; size_t num_points = num; felem x_in, y_in, z_in, x_out, y_out, z_out; @@ -1480,14 +1465,12 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, * i.e., they contribute nothing to the linear combination */ for (i = 0; i < num_points; ++i) { - if (i == num) + if (i == num) { /* the generator */ - { p = EC_GROUP_get0_generator(group); p_scalar = scalar; - } else + } else { /* the i^th point */ - { p = points[i]; p_scalar = scalars[i]; } @@ -1503,10 +1486,16 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(p_scalar, tmp); - flip_endian(secrets[i], tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, + secrets[i], sizeof(secrets[i])); + } else { + num_bytes = BN_bn2lebinpad(p_scalar, + secrets[i], sizeof(secrets[i])); + } + if (num_bytes < 0) { + ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); + goto err; + } /* precompute multiples */ if ((!BN_to_felem(x_out, p->X)) || (!BN_to_felem(y_out, p->Y)) || @@ -1549,20 +1538,21 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(scalar, tmp); - flip_endian(g_secret, tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); + } else { + num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); + } /* do the multiplication with generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, g_secret, mixed, (const felem(*)[17][3])pre_comp, g_pre_comp); - } else + } else { /* do the multiplication without generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, NULL, mixed, (const felem(*)[17][3])pre_comp, NULL); + } /* reduce the output to its unique minimal representation */ felem_contract(x_in, x_out); felem_contract(y_in, y_out); diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c index 4bfebe68..a8269f13 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c +++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c @@ -148,34 +148,21 @@ static void smallfelem_to_bin32(u8 out[32], const smallfelem in) *((u64 *)&out[24]) = in[3]; } -/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ -static void flip_endian(u8 *out, const u8 *in, unsigned len) -{ - unsigned i; - for (i = 0; i < len; ++i) - out[i] = in[len - 1 - i]; -} - /* BN_to_felem converts an OpenSSL BIGNUM into an felem */ static int BN_to_felem(felem out, const BIGNUM *bn) { - felem_bytearray b_in; felem_bytearray b_out; - unsigned num_bytes; + int num_bytes; - /* BN_bn2bin eats leading zeroes */ - memset(b_out, 0, sizeof(b_out)); - num_bytes = BN_num_bytes(bn); - if (num_bytes > sizeof(b_out)) { + if (BN_is_negative(bn)) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - if (BN_is_negative(bn)) { + num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); + if (num_bytes < 0) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - num_bytes = BN_bn2bin(bn, b_in); - flip_endian(b_out, b_in, num_bytes); bin32_to_felem(out, b_out); return 1; } @@ -183,10 +170,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn) /* felem_to_BN converts an felem into an OpenSSL BIGNUM */ static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in) { - felem_bytearray b_in, b_out; - smallfelem_to_bin32(b_in, in); - flip_endian(b_out, b_in, sizeof(b_out)); - return BN_bin2bn(b_out, sizeof(b_out), out); + felem_bytearray b_out; + smallfelem_to_bin32(b_out, in); + return BN_lebin2bn(b_out, sizeof(b_out), out); } /*- @@ -2026,8 +2012,8 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, felem_bytearray *secrets = NULL; smallfelem (*pre_comp)[17][3] = NULL; smallfelem *tmp_smallfelems = NULL; - felem_bytearray tmp; - unsigned i, num_bytes; + unsigned i; + int num_bytes; int have_pre_comp = 0; size_t num_points = num; smallfelem x_in, y_in, z_in; @@ -2104,17 +2090,15 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, memset(secrets, 0, sizeof(*secrets) * num_points); memset(pre_comp, 0, sizeof(*pre_comp) * num_points); for (i = 0; i < num_points; ++i) { - if (i == num) + if (i == num) { /* * we didn't have a valid precomputation, so we pick the * generator */ - { p = EC_GROUP_get0_generator(group); p_scalar = scalar; - } else + } else { /* the i^th point */ - { p = points[i]; p_scalar = scalars[i]; } @@ -2130,10 +2114,16 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(p_scalar, tmp); - flip_endian(secrets[i], tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, + secrets[i], sizeof(secrets[i])); + } else { + num_bytes = BN_bn2lebinpad(p_scalar, + secrets[i], sizeof(secrets[i])); + } + if (num_bytes < 0) { + ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); + goto err; + } /* precompute multiples */ if ((!BN_to_felem(x_out, p->X)) || (!BN_to_felem(y_out, p->Y)) || @@ -2178,20 +2168,21 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(scalar, tmp); - flip_endian(g_secret, tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); + } else { + num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); + } /* do the multiplication with generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, g_secret, mixed, (const smallfelem(*)[17][3])pre_comp, g_pre_comp); - } else + } else { /* do the multiplication without generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, NULL, mixed, (const smallfelem(*)[17][3])pre_comp, NULL); + } /* reduce the output to its unique minimal representation */ felem_contract(x_in, x_out); felem_contract(y_in, y_out); diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c index 2fd19dd0..3642bc1d 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c +++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c @@ -171,34 +171,21 @@ static void felem_to_bin66(u8 out[66], const felem in) (*((limb *) & out[58])) = in[8]; } -/* To preserve endianness when using BN_bn2bin and BN_bin2bn */ -static void flip_endian(u8 *out, const u8 *in, unsigned len) -{ - unsigned i; - for (i = 0; i < len; ++i) - out[i] = in[len - 1 - i]; -} - /* BN_to_felem converts an OpenSSL BIGNUM into an felem */ static int BN_to_felem(felem out, const BIGNUM *bn) { - felem_bytearray b_in; felem_bytearray b_out; - unsigned num_bytes; + int num_bytes; - /* BN_bn2bin eats leading zeroes */ - memset(b_out, 0, sizeof(b_out)); - num_bytes = BN_num_bytes(bn); - if (num_bytes > sizeof(b_out)) { + if (BN_is_negative(bn)) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - if (BN_is_negative(bn)) { + num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); + if (num_bytes < 0) { ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); return 0; } - num_bytes = BN_bn2bin(bn, b_in); - flip_endian(b_out, b_in, num_bytes); bin66_to_felem(out, b_out); return 1; } @@ -206,10 +193,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn) /* felem_to_BN converts an felem into an OpenSSL BIGNUM */ static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) { - felem_bytearray b_in, b_out; - felem_to_bin66(b_in, in); - flip_endian(b_out, b_in, sizeof(b_out)); - return BN_bin2bn(b_out, sizeof(b_out), out); + felem_bytearray b_out; + felem_to_bin66(b_out, in); + return BN_lebin2bn(b_out, sizeof(b_out), out); } /*- @@ -1271,7 +1257,7 @@ static void point_add(felem x3, felem y3, felem z3, * ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb * 71e913863f7, in that case the penultimate intermediate is -9G and * the final digit is also -9G. Since this only happens for a single - * scalar, the timing leak is irrelevent. (Any attacker who wanted to + * scalar, the timing leak is irrelevant. (Any attacker who wanted to * check whether a secret scalar was that exact value, can already do * so.) */ @@ -1868,8 +1854,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, felem_bytearray *secrets = NULL; felem (*pre_comp)[17][3] = NULL; felem *tmp_felems = NULL; - felem_bytearray tmp; - unsigned i, num_bytes; + unsigned i; + int num_bytes; int have_pre_comp = 0; size_t num_points = num; felem x_in, y_in, z_in, x_out, y_out, z_out; @@ -1944,17 +1930,15 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, * i.e., they contribute nothing to the linear combination */ for (i = 0; i < num_points; ++i) { - if (i == num) + if (i == num) { /* * we didn't have a valid precomputation, so we pick the * generator */ - { p = EC_GROUP_get0_generator(group); p_scalar = scalar; - } else + } else { /* the i^th point */ - { p = points[i]; p_scalar = scalars[i]; } @@ -1970,10 +1954,16 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(p_scalar, tmp); - flip_endian(secrets[i], tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, + secrets[i], sizeof(secrets[i])); + } else { + num_bytes = BN_bn2lebinpad(p_scalar, + secrets[i], sizeof(secrets[i])); + } + if (num_bytes < 0) { + ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); + goto err; + } /* precompute multiples */ if ((!BN_to_felem(x_out, p->X)) || (!BN_to_felem(y_out, p->Y)) || @@ -2016,21 +2006,22 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB); goto err; } - num_bytes = BN_bn2bin(tmp_scalar, tmp); - } else - num_bytes = BN_bn2bin(scalar, tmp); - flip_endian(g_secret, tmp, num_bytes); + num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); + } else { + num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); + } /* do the multiplication with generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, g_secret, mixed, (const felem(*)[17][3])pre_comp, (const felem(*)[3])g_pre_comp); - } else + } else { /* do the multiplication without generator precomputation */ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets, num_points, NULL, mixed, (const felem(*)[17][3])pre_comp, NULL); + } /* reduce the output to its unique minimal representation */ felem_contract(x_in, x_out); felem_contract(y_in, y_out); diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c index cca7082c..6e8397fa 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c +++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -160,13 +160,13 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, * of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1 * by using bit-wise subtraction as follows: * - * b_k b_(k-1) ... b_2 b_1 b_0 - * - b_k ... b_3 b_2 b_1 b_0 - * ------------------------------------- - * s_k b_(k-1) ... s_3 s_2 s_1 s_0 + * b_k b_(k-1) ... b_2 b_1 b_0 + * - b_k ... b_3 b_2 b_1 b_0 + * ----------------------------------------- + * s_(k+1) s_k ... s_3 s_2 s_1 s_0 * * A left-shift followed by subtraction of the original value yields a new - * representation of the same value, using signed bits s_i = b_(i+1) - b_i. + * representation of the same value, using signed bits s_i = b_(i-1) - b_i. * This representation from Booth's paper has since appeared in the * literature under a variety of different names including "reversed binary * form", "alternating greedy expansion", "mutual opposite form", and @@ -190,7 +190,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, * (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five * signed bits into a signed digit: * - * s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j) + * s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j) * * The sign-alternating property implies that the resulting digit values are * integers from -16 to 16. @@ -198,14 +198,14 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, * Of course, we don't actually need to compute the signed digits s_i as an * intermediate step (that's just a nice way to see how this scheme relates * to the wNAF): a direct computation obtains the recoded digit from the - * six bits b_(4j + 4) ... b_(4j - 1). + * six bits b_(5j + 4) ... b_(5j - 1). * - * This function takes those five bits as an integer (0 .. 63), writing the + * This function takes those six bits as an integer (0 .. 63), writing the * recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute - * value, in the range 0 .. 8). Note that this integer essentially provides the - * input bits "shifted to the left" by one position: for example, the input to - * compute the least significant recoded digit, given that there's no bit b_-1, - * has to be b_4 b_3 b_2 b_1 b_0 0. + * value, in the range 0 .. 16). Note that this integer essentially provides + * the input bits "shifted to the left" by one position: for example, the input + * to compute the least significant recoded digit, given that there's no bit + * b_-1, has to be b_4 b_3 b_2 b_1 b_0 0. * */ void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, diff --git a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c index f00aba43..f80aa128 100644 --- a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c +++ b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c @@ -534,7 +534,7 @@ static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL); if (alg2) X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL); - /* Algorithm idetifiers set: carry on as normal */ + /* Algorithm identifiers set: carry on as normal */ return 3; } diff --git a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c index 528d0bde..5ffbeea2 100644 --- a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c +++ b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c @@ -26,7 +26,7 @@ #include "internal/engine.h" -#ifdef CRYPTO_ALGORITHM_MIN +#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX # define CHECK_BSD_STYLE_MACROS #endif diff --git a/freebsd/crypto/openssl/crypto/engine/eng_openssl.c b/freebsd/crypto/openssl/crypto/engine/eng_openssl.c index 5a094a1d..986d65ee 100644 --- a/freebsd/crypto/openssl/crypto/engine/eng_openssl.c +++ b/freebsd/crypto/openssl/crypto/engine/eng_openssl.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -31,12 +31,14 @@ */ #define TEST_ENG_OPENSSL_RC4 #ifndef OPENSSL_NO_STDIO -#define TEST_ENG_OPENSSL_PKEY +# define TEST_ENG_OPENSSL_PKEY #endif /* #define TEST_ENG_OPENSSL_HMAC */ /* #define TEST_ENG_OPENSSL_HMAC_INIT */ /* #define TEST_ENG_OPENSSL_RC4_OTHERS */ -#define TEST_ENG_OPENSSL_RC4_P_INIT +#ifndef OPENSSL_NO_STDIO +# define TEST_ENG_OPENSSL_RC4_P_INIT +#endif /* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */ #define TEST_ENG_OPENSSL_SHA /* #define TEST_ENG_OPENSSL_SHA_OTHERS */ diff --git a/freebsd/crypto/openssl/crypto/err/err.c b/freebsd/crypto/openssl/crypto/err/err.c index 806dae3f..001cdaa3 100644 --- a/freebsd/crypto/openssl/crypto/err/err.c +++ b/freebsd/crypto/openssl/crypto/err/err.c @@ -186,8 +186,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d) } #ifndef OPENSSL_NO_ERR -/* A measurement on Linux 2018-11-21 showed about 3.5kib */ -# define SPACE_SYS_STR_REASONS 4 * 1024 +/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ +# define SPACE_SYS_STR_REASONS 8 * 1024 # define NUM_SYS_STR_REASONS 127 static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1]; @@ -221,21 +221,23 @@ static void build_SYS_str_reasons(void) ERR_STRING_DATA *str = &SYS_str_reasons[i - 1]; str->error = ERR_PACK(ERR_LIB_SYS, 0, i); - if (str->string == NULL) { + /* + * If we have used up all the space in strerror_pool, + * there's no point in calling openssl_strerror_r() + */ + if (str->string == NULL && cnt < sizeof(strerror_pool)) { if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) { size_t l = strlen(cur); str->string = cur; cnt += l; - if (cnt > sizeof(strerror_pool)) - cnt = sizeof(strerror_pool); cur += l; /* * VMS has an unusual quirk of adding spaces at the end of - * some (most? all?) messages. Lets trim them off. + * some (most? all?) messages. Lets trim them off. */ - while (ossl_isspace(cur[-1])) { + while (cur > strerror_pool && ossl_isspace(cur[-1])) { cur--; cnt--; } diff --git a/freebsd/crypto/openssl/crypto/evp/bio_ok.c b/freebsd/crypto/openssl/crypto/evp/bio_ok.c index 1d21bd0b..c350befe 100644 --- a/freebsd/crypto/openssl/crypto/evp/bio_ok.c +++ b/freebsd/crypto/openssl/crypto/evp/bio_ok.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -40,9 +40,9 @@ of memory. BIO_f_reliable splits data stream into blocks. Each block is prefixed - with it's length and suffixed with it's digest. So you need only + with its length and suffixed with its digest. So you need only several Kbytes of memory to buffer single block before verifying - it's digest. + its digest. BIO_f_reliable goes further and adds several important capabilities: diff --git a/freebsd/crypto/openssl/crypto/evp/e_aes.c b/freebsd/crypto/openssl/crypto/evp/e_aes.c index 1d025fe1..434bd46d 100644 --- a/freebsd/crypto/openssl/crypto/evp/e_aes.c +++ b/freebsd/crypto/openssl/crypto/evp/e_aes.c @@ -178,7 +178,7 @@ static void ctr64_inc(unsigned char *counter) # define HWAES_xts_decrypt aes_p8_xts_decrypt #endif -#if defined(AES_ASM) && !defined(I386_ONLY) && ( \ +#if !defined(OPENSSL_NO_ASM) && ( \ ((defined(__i386) || defined(__i386__) || \ defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \ defined(__x86_64) || defined(__x86_64__) || \ @@ -385,10 +385,25 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); + if (!iv && !key) return 1; if (key) { + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + + /* + * Verify that the two keys are different. + * + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ + if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + /* key_len is two AES keys */ if (enc) { aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, @@ -789,11 +804,26 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); + if (!iv && !key) return 1; if (key) { - int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + const int bits = bytes * 8; + + /* + * Verify that the two keys are different. + * + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ + if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + xctx->stream = NULL; /* key_len is two AES keys */ if (enc) { @@ -1580,7 +1610,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_INIT: - ivlen = EVP_CIPHER_CTX_iv_length(c); + ivlen = EVP_CIPHER_iv_length(c->cipher); iv = EVP_CIPHER_CTX_iv_noconst(c); gctx->key_set = 0; gctx->iv_set = 0; @@ -1591,6 +1621,10 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) gctx->tls_aad_len = -1; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; @@ -2301,6 +2335,10 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) cctx->aes.ccm.tls_aad_len = -1; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = 15 - cctx->aes.ccm.l; + return 1; + case EVP_CTRL_AEAD_TLS1_AAD: if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; @@ -2819,13 +2857,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_INIT: gctx->key_set = 0; gctx->iv_set = 0; - gctx->ivlen = c->cipher->iv_len; + gctx->ivlen = EVP_CIPHER_iv_length(c->cipher); gctx->iv = c->iv; gctx->taglen = -1; gctx->iv_gen = 0; gctx->tls_aad_len = -1; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; @@ -3275,7 +3317,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY) + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) @@ -3286,10 +3328,12 @@ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { - EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c); + EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c); + if (type == EVP_CTRL_COPY) { EVP_CIPHER_CTX *out = ptr; EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out); + if (xctx->xts.key1) { if (xctx->xts.key1 != &xctx->ks1) return 0; @@ -3313,11 +3357,36 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); + if (!iv && !key) return 1; if (key) do { + /* The key is two half length keys in reality */ + const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; + + /* + * Verify that the two keys are different. + * + * This addresses the vulnerability described in Rogaway's + * September 2004 paper: + * + * "Efficient Instantiations of Tweakable Blockciphers and + * Refinements to Modes OCB and PMAC". + * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf) + * + * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states + * that: + * "The check for Key_1 != Key_2 shall be done at any place + * BEFORE using the keys in the XTS-AES algorithm to process + * data with them." + */ + if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } + #ifdef AES_XTS_ASM xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt; #else @@ -3450,7 +3519,9 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) cctx->len_set = 0; cctx->tls_aad_len = -1; return 1; - + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = 15 - cctx->L; + return 1; case EVP_CTRL_AEAD_TLS1_AAD: /* Save the AAD for later use */ if (arg != EVP_AEAD_TLS1_AAD_LEN) @@ -3899,13 +3970,17 @@ static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_INIT: octx->key_set = 0; octx->iv_set = 0; - octx->ivlen = EVP_CIPHER_CTX_iv_length(c); + octx->ivlen = EVP_CIPHER_iv_length(c->cipher); octx->iv = EVP_CIPHER_CTX_iv_noconst(c); octx->taglen = 16; octx->data_buf_len = 0; octx->aad_buf_len = 0; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = octx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: /* IV len must be 1 to 15 */ if (arg <= 0 || arg > 15) diff --git a/freebsd/crypto/openssl/crypto/evp/e_aria.c b/freebsd/crypto/openssl/crypto/evp/e_aria.c index 6a9d5dee..df13346d 100644 --- a/freebsd/crypto/openssl/crypto/evp/e_aria.c +++ b/freebsd/crypto/openssl/crypto/evp/e_aria.c @@ -254,7 +254,7 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_INIT: gctx->key_set = 0; gctx->iv_set = 0; - gctx->ivlen = EVP_CIPHER_CTX_iv_length(c); + gctx->ivlen = EVP_CIPHER_iv_length(c->cipher); gctx->iv = EVP_CIPHER_CTX_iv_noconst(c); gctx->taglen = -1; gctx->iv_gen = 0; @@ -276,6 +276,10 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) gctx->ivlen = arg; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_TAG: if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c)) return 0; @@ -575,6 +579,10 @@ static int aria_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg); return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = 15 - cctx->L; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: arg = 15 - arg; /* fall thru */ @@ -744,7 +752,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER) + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER \ + | EVP_CIPH_CUSTOM_IV_LENGTH) #define BLOCK_CIPHER_aead(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ static const EVP_CIPHER aria_##keylen##_##mode = { \ diff --git a/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c b/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c index 4eeb7bc3..8569e682 100644 --- a/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c +++ b/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c @@ -536,6 +536,10 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, } return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = actx->nonce_len; + return 1; + case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) return 0; @@ -615,7 +619,8 @@ static EVP_CIPHER chacha20_poly1305 = { 12, /* iv_len, 96-bit nonce in the context */ EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | - EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER, + EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER | + EVP_CIPH_CUSTOM_IV_LENGTH, chacha20_poly1305_init_key, chacha20_poly1305_cipher, chacha20_poly1305_cleanup, diff --git a/freebsd/crypto/openssl/crypto/evp/evp_err.c b/freebsd/crypto/openssl/crypto/evp/evp_err.c index 94adca99..03487671 100644 --- a/freebsd/crypto/openssl/crypto/evp/evp_err.c +++ b/freebsd/crypto/openssl/crypto/evp/evp_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,11 +17,15 @@ static const ERR_STRING_DATA EVP_str_functs[] = { {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), + "aes_t4_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, @@ -151,6 +155,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = { {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0), + "r_32_12_16_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, {0, NULL} @@ -162,6 +168,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ARIA_KEY_SETUP_FAILED), "aria key setup failed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_DECRYPT), "bad decrypt"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_KEY_LENGTH), "bad key length"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "buffer too small"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CAMELLIA_KEY_SETUP_FAILED), "camellia key setup failed"}, @@ -268,6 +275,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, {0, NULL} }; diff --git a/freebsd/crypto/openssl/crypto/evp/evp_lib.c b/freebsd/crypto/openssl/crypto/evp/evp_lib.c index 280e7dad..8c085c4d 100644 --- a/freebsd/crypto/openssl/crypto/evp/evp_lib.c +++ b/freebsd/crypto/openssl/crypto/evp/evp_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -244,6 +244,13 @@ int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { + int i, rv; + + if ((EVP_CIPHER_flags(ctx->cipher) & EVP_CIPH_CUSTOM_IV_LENGTH) != 0) { + rv = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, + 0, &i); + return (rv == 1) ? i : -1; + } return ctx->cipher->iv_len; } diff --git a/freebsd/crypto/openssl/crypto/evp/m_sha3.c b/freebsd/crypto/openssl/crypto/evp/m_sha3.c index bbe306f9..49aec6a9 100644 --- a/freebsd/crypto/openssl/crypto/evp/m_sha3.c +++ b/freebsd/crypto/openssl/crypto/evp/m_sha3.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -110,6 +110,9 @@ static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md) size_t bsz = ctx->block_size; size_t num = ctx->num; + if (ctx->md_size == 0) + return 1; + /* * Pad the data with 10*1. Note that |num| can be |bsz - 1| * in which case both byte operations below are performed on diff --git a/freebsd/crypto/openssl/crypto/include/internal/ctype.h b/freebsd/crypto/openssl/crypto/include/internal/ctype.h index a35b12bf..9f3a5833 100644 --- a/freebsd/crypto/openssl/crypto/include/internal/ctype.h +++ b/freebsd/crypto/openssl/crypto/include/internal/ctype.h @@ -1,5 +1,5 @@ /* - * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,6 +57,8 @@ int ossl_ctype_check(int c, unsigned int mask); int ossl_tolower(int c); int ossl_toupper(int c); +int ascii_isdigit(const char inchar); + # define ossl_isalnum(c) (ossl_ctype_check((c), CTYPE_MASK_alnum)) # define ossl_isalpha(c) (ossl_ctype_check((c), CTYPE_MASK_alpha)) # ifdef CHARSET_EBCDIC diff --git a/freebsd/crypto/openssl/crypto/include/internal/rand_int.h b/freebsd/crypto/openssl/crypto/include/internal/rand_int.h index 888cab1b..10347ab0 100644 --- a/freebsd/crypto/openssl/crypto/include/internal/rand_int.h +++ b/freebsd/crypto/openssl/crypto/include/internal/rand_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,6 @@ typedef struct rand_pool_st RAND_POOL; void rand_cleanup_int(void); void rand_drbg_cleanup_int(void); void drbg_delete_thread_state(void); -void rand_fork(void); /* Hardware-based seeding functions. */ size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool); @@ -52,7 +51,8 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); /* * RAND_POOL functions */ -RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len); +RAND_POOL *rand_pool_new(int entropy_requested, int secure, + size_t min_len, size_t max_len); RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, size_t entropy); void rand_pool_free(RAND_POOL *pool); diff --git a/freebsd/crypto/openssl/crypto/include/internal/sm2err.h b/freebsd/crypto/openssl/crypto/include/internal/sm2err.h index a4db1b73..09edfab7 100644 --- a/freebsd/crypto/openssl/crypto/include/internal/sm2err.h +++ b/freebsd/crypto/openssl/crypto/include/internal/sm2err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_SM2ERR_H # define HEADER_SM2ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_SM2 diff --git a/freebsd/crypto/openssl/crypto/init.c b/freebsd/crypto/openssl/crypto/init.c index e1d27815..0275ecb3 100644 --- a/freebsd/crypto/openssl/crypto/init.c +++ b/freebsd/crypto/openssl/crypto/init.c @@ -42,7 +42,7 @@ static int stopped = 0; * destructor for threads terminating before libcrypto is initialized or * after it's de-initialized. Access to the key doesn't have to be * serialized for the said threads, because they didn't use libcrypto - * and it doesn't matter if they pick "impossible" or derefernce real + * and it doesn't matter if they pick "impossible" or dereference real * key value and pull NULL past initialization in the first thread that * intends to use libcrypto. */ @@ -863,6 +863,5 @@ void OPENSSL_fork_parent(void) void OPENSSL_fork_child(void) { - rand_fork(); } #endif diff --git a/freebsd/crypto/openssl/crypto/lhash/lhash.c b/freebsd/crypto/openssl/crypto/lhash/lhash.c index bb109a17..107b7bd0 100644 --- a/freebsd/crypto/openssl/crypto/lhash/lhash.c +++ b/freebsd/crypto/openssl/crypto/lhash/lhash.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,14 +21,14 @@ /* * A hashing implementation that appears to be based on the linear hashing - * alogrithm: + * algorithm: * https://en.wikipedia.org/wiki/Linear_hashing * * Litwin, Witold (1980), "Linear hashing: A new tool for file and table * addressing", Proc. 6th Conference on Very Large Databases: 212-223 - * http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf + * https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf * - * From the wikipedia article "Linear hashing is used in the BDB Berkeley + * From the Wikipedia article "Linear hashing is used in the BDB Berkeley * database system, which in turn is used by many software systems such as * OpenLDAP, using a C implementation derived from the CACM article and first * published on the Usenet in 1988 by Esmond Pitt." diff --git a/freebsd/crypto/openssl/crypto/o_str.c b/freebsd/crypto/openssl/crypto/o_str.c index 79d72a2c..6de7e7f5 100644 --- a/freebsd/crypto/openssl/crypto/o_str.c +++ b/freebsd/crypto/openssl/crypto/o_str.c @@ -233,7 +233,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen) * buf is left unused. */ err = strerror_r(errnum, buf, buflen); - if (err == NULL) + if (err == NULL || buflen == 0) return 0; /* * If err is statically allocated, err != buf and we need to copy the data. diff --git a/freebsd/crypto/openssl/crypto/pem/pvkfmt.c b/freebsd/crypto/openssl/crypto/pem/pvkfmt.c index 4533cd54..68e3d019 100644 --- a/freebsd/crypto/openssl/crypto/pem/pvkfmt.c +++ b/freebsd/crypto/openssl/crypto/pem/pvkfmt.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -276,6 +276,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in, if (!read_lebn(&p, 20, &priv_key)) goto memerr; + /* Set constant time flag before public key calculation */ + BN_set_flags(priv_key, BN_FLG_CONSTTIME); + /* Calculate public key */ pub_key = BN_new(); if (pub_key == NULL) diff --git a/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c b/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c index 357e5c12..9078d37d 100644 --- a/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -139,7 +139,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, } static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, - PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) + PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey, + size_t fixlen) { EVP_PKEY_CTX *pctx = NULL; unsigned char *ek = NULL; @@ -172,7 +173,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, } if (EVP_PKEY_decrypt(pctx, ek, &eklen, - ri->enc_key->data, ri->enc_key->length) <= 0) { + ri->enc_key->data, ri->enc_key->length) <= 0 + || eklen == 0 + || (fixlen != 0 && eklen != fixlen)) { ret = 0; PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); goto err; @@ -501,13 +504,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { ri = sk_PKCS7_RECIP_INFO_value(rsk, i); - if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) + if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, + EVP_CIPHER_key_length(evp_cipher)) < 0) goto err; ERR_clear_error(); } } else { /* Only exit on fatal errors, not decrypt failure */ - if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) + if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) goto err; ERR_clear_error(); } diff --git a/freebsd/crypto/openssl/crypto/rand/drbg_lib.c b/freebsd/crypto/openssl/crypto/rand/drbg_lib.c index 48f941ba..ffa03069 100644 --- a/freebsd/crypto/openssl/crypto/rand/drbg_lib.c +++ b/freebsd/crypto/openssl/crypto/rand/drbg_lib.c @@ -199,7 +199,7 @@ static RAND_DRBG *rand_drbg_new(int secure, } drbg->secure = secure && CRYPTO_secure_allocated(drbg); - drbg->fork_count = rand_fork_count; + drbg->fork_id = openssl_get_fork_id(); drbg->parent = parent; if (parent == NULL) { @@ -320,7 +320,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, /* * NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy * and nonce in 1 call by increasing the entropy with 50% and increasing - * the minimum length to accomadate the length of the nonce. + * the minimum length to accommodate the length of the nonce. * We do this in case a nonce is require and get_nonce is NULL. */ if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) { @@ -580,6 +580,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen, int prediction_resistance, const unsigned char *adin, size_t adinlen) { + int fork_id; int reseed_required = 0; if (drbg->state != DRBG_READY) { @@ -605,8 +606,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen, return 0; } - if (drbg->fork_count != rand_fork_count) { - drbg->fork_count = rand_fork_count; + fork_id = openssl_get_fork_id(); + + if (drbg->fork_id != fork_id) { + drbg->fork_id = fork_id; reseed_required = 1; } @@ -666,7 +669,7 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen) if (drbg->adin_pool == NULL) { if (drbg->type == 0) goto err; - drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen); + drbg->adin_pool = rand_pool_new(0, 0, 0, drbg->max_adinlen); if (drbg->adin_pool == NULL) goto err; } diff --git a/freebsd/crypto/openssl/crypto/rand/rand_err.c b/freebsd/crypto/openssl/crypto/rand/rand_err.c index c8f2e67c..61f2989e 100644 --- a/freebsd/crypto/openssl/crypto/rand/rand_err.c +++ b/freebsd/crypto/openssl/crypto/rand/rand_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -49,6 +49,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = { {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ATTACH, 0), "rand_pool_attach"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_BYTES_NEEDED, 0), "rand_pool_bytes_needed"}, + {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_GROW, 0), "rand_pool_grow"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"}, {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"}, {0, NULL} diff --git a/freebsd/crypto/openssl/crypto/rand/rand_lcl.h b/freebsd/crypto/openssl/crypto/rand/rand_lcl.h index c3e9804d..306c59f6 100644 --- a/freebsd/crypto/openssl/crypto/rand/rand_lcl.h +++ b/freebsd/crypto/openssl/crypto/rand/rand_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -45,7 +45,6 @@ # define DRBG_MAX_LENGTH INT32_MAX - /* * Maximum allocation size for RANDOM_POOL buffers * @@ -72,6 +71,24 @@ * 1.5 * (RAND_DRBG_STRENGTH / 8)) */ +/* + * Initial allocation minimum. + * + * There is a distinction between the secure and normal allocation minimums. + * Ideally, the secure allocation size should be a power of two. The normal + * allocation size doesn't have any such restriction. + * + * The secure value is based on 128 bits of secure material, which is 16 bytes. + * Typically, the DRBGs will set a minimum larger than this so optimal + * allocation ought to take place (for full quality seed material). + * + * The normal value has been chosed by noticing that the rand_drbg_get_nonce + * function is usually the largest of the built in allocation (twenty four + * bytes and then appending another sixteen bytes). This means the buffer ends + * with 40 bytes. The value of forty eight is comfortably above this which + * allows some slack in the platform specific values used. + */ +# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48) /* DRBG status values */ typedef enum drbg_status_e { @@ -150,9 +167,11 @@ struct rand_pool_st { size_t len; /* current number of random bytes contained in the pool */ int attached; /* true pool was attached to existing buffer */ + int secure; /* 1: allocated on the secure heap, 0: otherwise */ size_t min_len; /* minimum number of random bytes requested */ size_t max_len; /* maximum number of random bytes (allocated buffer size) */ + size_t alloc_len; /* current number of bytes allocated */ size_t entropy; /* current entropy count in bits */ size_t entropy_requested; /* requested entropy count in bits */ }; @@ -167,12 +186,12 @@ struct rand_drbg_st { int secure; /* 1: allocated on the secure heap, 0: otherwise */ int type; /* the nid of the underlying algorithm */ /* - * Stores the value of the rand_fork_count global as of when we last - * reseeded. The DRBG reseeds automatically whenever drbg->fork_count != - * rand_fork_count. Used to provide fork-safety and reseed this DRBG in - * the child process. + * Stores the return value of openssl_get_fork_id() as of when we last + * reseeded. The DRBG reseeds automatically whenever drbg->fork_id != + * openssl_get_fork_id(). Used to provide fork-safety and reseed this + * DRBG in the child process. */ - int fork_count; + int fork_id; unsigned short flags; /* various external flags */ /* @@ -264,19 +283,6 @@ struct rand_drbg_st { /* The global RAND method, and the global buffer and DRBG instance. */ extern RAND_METHOD rand_meth; -/* - * A "generation count" of forks. Incremented in the child process after a - * fork. Since rand_fork_count is increment-only, and only ever written to in - * the child process of the fork, which is guaranteed to be single-threaded, no - * locking is needed for normal (read) accesses; the rest of pthread fork - * processing is assumed to introduce the necessary memory barriers. Sibling - * children of a given parent will produce duplicate values, but this is not - * problematic because the reseeding process pulls input from the system CSPRNG - * and/or other global sources, so the siblings will end up generating - * different output streams. - */ -extern int rand_fork_count; - /* DRBG helpers */ int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *buffer, size_t len, size_t entropy); diff --git a/freebsd/crypto/openssl/crypto/rand/rand_lib.c b/freebsd/crypto/openssl/crypto/rand/rand_lib.c index ea07ac6c..e9cf8938 100644 --- a/freebsd/crypto/openssl/crypto/rand/rand_lib.c +++ b/freebsd/crypto/openssl/crypto/rand/rand_lib.c @@ -28,8 +28,6 @@ static CRYPTO_RWLOCK *rand_meth_lock; static const RAND_METHOD *default_RAND_meth; static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT; -int rand_fork_count; - static CRYPTO_RWLOCK *rand_nonce_lock; static int rand_nonce_count; @@ -152,7 +150,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, pool = drbg->seed_pool; pool->entropy_requested = entropy; } else { - pool = rand_pool_new(entropy, min_len, max_len); + pool = rand_pool_new(entropy, drbg->secure, min_len, max_len); if (pool == NULL) return 0; } @@ -165,7 +163,9 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, size_t bytes = 0; /* - * Get random from parent, include our state as additional input. + * Get random data from parent. Include our address as additional input, + * in order to provide some additional distinction between different + * DRBG child instances. * Our lock is already held, but we need to lock our parent before * generating bits from it. (Note: taking the lock will be a no-op * if locking if drbg->parent->lock == NULL.) @@ -174,7 +174,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, if (RAND_DRBG_generate(drbg->parent, buffer, bytes_needed, prediction_resistance, - NULL, 0) != 0) + (unsigned char *)&drbg, sizeof(drbg)) != 0) bytes = bytes_needed; drbg->reseed_next_counter = tsan_load(&drbg->parent->reseed_prop_counter); @@ -218,8 +218,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen) { - if (drbg->seed_pool == NULL) - OPENSSL_secure_clear_free(out, outlen); + if (drbg->seed_pool == NULL) { + if (drbg->secure) + OPENSSL_secure_clear_free(out, outlen); + else + OPENSSL_clear_free(out, outlen); + } } @@ -237,9 +241,10 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, struct { void * instance; int count; - } data = { NULL, 0 }; + } data; - pool = rand_pool_new(0, min_len, max_len); + memset(&data, 0, sizeof(data)); + pool = rand_pool_new(0, 0, min_len, max_len); if (pool == NULL) return 0; @@ -268,7 +273,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, unsigned char *out, size_t outlen) { - OPENSSL_secure_clear_free(out, outlen); + OPENSSL_clear_free(out, outlen); } /* @@ -300,11 +305,6 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) rand_pool_reattach(pool, out); } -void rand_fork(void) -{ - rand_fork_count++; -} - DEFINE_RUN_ONCE_STATIC(do_rand_init) { #ifndef OPENSSL_NO_ENGINE @@ -364,7 +364,7 @@ void rand_cleanup_int(void) } /* - * RAND_close_seed_files() ensures that any seed file decriptors are + * RAND_close_seed_files() ensures that any seed file descriptors are * closed after use. */ void RAND_keep_random_devices_open(int keep) @@ -403,7 +403,7 @@ int RAND_poll(void) } else { /* fill random pool and seed the current legacy RNG */ - pool = rand_pool_new(RAND_DRBG_STRENGTH, + pool = rand_pool_new(RAND_DRBG_STRENGTH, 1, (RAND_DRBG_STRENGTH + 7) / 8, RAND_POOL_MAX_LENGTH); if (pool == NULL) @@ -430,9 +430,11 @@ err: * Allocate memory and initialize a new random pool */ -RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) +RAND_POOL *rand_pool_new(int entropy_requested, int secure, + size_t min_len, size_t max_len) { RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool)); + size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure); if (pool == NULL) { RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); @@ -442,14 +444,22 @@ RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len) pool->min_len = min_len; pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ? RAND_POOL_MAX_LENGTH : max_len; + pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len; + if (pool->alloc_len > pool->max_len) + pool->alloc_len = pool->max_len; + + if (secure) + pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len); + else + pool->buffer = OPENSSL_zalloc(pool->alloc_len); - pool->buffer = OPENSSL_secure_zalloc(pool->max_len); if (pool->buffer == NULL) { RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE); goto err; } pool->entropy_requested = entropy_requested; + pool->secure = secure; return pool; @@ -484,7 +494,7 @@ RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len, pool->attached = 1; - pool->min_len = pool->max_len = pool->len; + pool->min_len = pool->max_len = pool->alloc_len = pool->len; pool->entropy = entropy; return pool; @@ -504,8 +514,13 @@ void rand_pool_free(RAND_POOL *pool) * to rand_pool_attach() as `const unsigned char*`. * (see corresponding comment in rand_pool_attach()). */ - if (!pool->attached) - OPENSSL_secure_clear_free(pool->buffer, pool->max_len); + if (!pool->attached) { + if (pool->secure) + OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); + else + OPENSSL_clear_free(pool->buffer, pool->alloc_len); + } + OPENSSL_free(pool); } @@ -598,6 +613,42 @@ size_t rand_pool_entropy_needed(RAND_POOL *pool) return 0; } +/* Increase the allocation size -- not usable for an attached pool */ +static int rand_pool_grow(RAND_POOL *pool, size_t len) +{ + if (len > pool->alloc_len - pool->len) { + unsigned char *p; + const size_t limit = pool->max_len / 2; + size_t newlen = pool->alloc_len; + + if (pool->attached || len > pool->max_len - pool->len) { + RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR); + return 0; + } + + do + newlen = newlen < limit ? newlen * 2 : pool->max_len; + while (len > newlen - pool->len); + + if (pool->secure) + p = OPENSSL_secure_zalloc(newlen); + else + p = OPENSSL_zalloc(newlen); + if (p == NULL) { + RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(p, pool->buffer, pool->len); + if (pool->secure) + OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len); + else + OPENSSL_clear_free(pool->buffer, pool->alloc_len); + pool->buffer = p; + pool->alloc_len = newlen; + } + return 1; +} + /* * Returns the number of bytes needed to fill the pool, assuming * the input has 1 / |entropy_factor| entropy bits per data bit. @@ -627,6 +678,24 @@ size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor) /* to meet the min_len requirement */ bytes_needed = pool->min_len - pool->len; + /* + * Make sure the buffer is large enough for the requested amount + * of data. This guarantees that existing code patterns where + * rand_pool_add_begin, rand_pool_add_end or rand_pool_add + * are used to collect entropy data without any error handling + * whatsoever, continue to be valid. + * Furthermore if the allocation here fails once, make sure that + * we don't fall back to a less secure or even blocking random source, + * as that could happen by the existing code patterns. + * This is not a concern for additional data, therefore that + * is not needed if rand_pool_grow fails in other places. + */ + if (!rand_pool_grow(pool, bytes_needed)) { + /* persistent error for this pool */ + pool->max_len = pool->len = 0; + return 0; + } + return bytes_needed; } @@ -659,6 +728,27 @@ int rand_pool_add(RAND_POOL *pool, } if (len > 0) { + /* + * This is to protect us from accidentally passing the buffer + * returned from rand_pool_add_begin. + * The check for alloc_len makes sure we do not compare the + * address of the end of the allocated memory to something + * different, since that comparison would have an + * indeterminate result. + */ + if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) { + RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); + return 0; + } + /* + * We have that only for cases when a pool is used to collect + * additional data. + * For entropy data, as long as the allocation request stays within + * the limits given by rand_pool_bytes_needed this rand_pool_grow + * below is guaranteed to succeed, thus no allocation happens. + */ + if (!rand_pool_grow(pool, len)) + return 0; memcpy(pool->buffer + pool->len, buffer, len); pool->len += len; pool->entropy += entropy; @@ -694,6 +784,18 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) return NULL; } + /* + * As long as the allocation request stays within the limits given + * by rand_pool_bytes_needed this rand_pool_grow below is guaranteed + * to succeed, thus no allocation happens. + * We have that only for cases when a pool is used to collect + * additional data. Then the buffer might need to grow here, + * and of course the caller is responsible to check the return + * value of this function. + */ + if (!rand_pool_grow(pool, len)) + return NULL; + return pool->buffer + pool->len; } @@ -708,7 +810,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) */ int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) { - if (len > pool->max_len - pool->len) { + if (len > pool->alloc_len - pool->len) { RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW); return 0; } diff --git a/freebsd/crypto/openssl/crypto/rand/rand_unix.c b/freebsd/crypto/openssl/crypto/rand/rand_unix.c index a5d658e0..d92cea7a 100644 --- a/freebsd/crypto/openssl/crypto/rand/rand_unix.c +++ b/freebsd/crypto/openssl/crypto/rand/rand_unix.c @@ -16,14 +16,19 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/rand.h> +#include <openssl/crypto.h> #include "rand_lcl.h" #include "internal/rand_int.h" #include <stdio.h> #include "internal/dso.h" -#if defined(__linux) -# include <asm/unistd.h> +#ifdef __linux +# include <sys/syscall.h> +# ifdef DEVRANDOM_WAIT +# include <sys/shm.h> +# include <sys/utsname.h> +# endif #endif -#if defined(__FreeBSD__) +#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI) # include <sys/types.h> # include <sys/sysctl.h> # include <sys/param.h> @@ -277,6 +282,17 @@ static ssize_t sysctl_random(char *buf, size_t buflen) # endif # if defined(OPENSSL_RAND_SEED_GETRANDOM) + +# if defined(__linux) && !defined(__NR_getrandom) +# if defined(__arm__) && defined(__NR_SYSCALL_BASE) +# define __NR_getrandom (__NR_SYSCALL_BASE+384) +# elif defined(__i386__) +# define __NR_getrandom 355 +# elif defined(__x86_64__) && !defined(__ILP32__) +# define __NR_getrandom 318 +# endif +# endif + /* * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. @@ -348,6 +364,91 @@ static struct random_device { } random_devices[OSSL_NELEM(random_device_paths)]; static int keep_random_devices_open = 1; +# if defined(__linux) && defined(DEVRANDOM_WAIT) +static void *shm_addr; + +static void cleanup_shm(void) +{ + shmdt(shm_addr); +} + +/* + * Ensure that the system randomness source has been adequately seeded. + * This is done by having the first start of libcrypto, wait until the device + * /dev/random becomes able to supply a byte of entropy. Subsequent starts + * of the library and later reseedings do not need to do this. + */ +static int wait_random_seeded(void) +{ + static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0; + static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL }; + int kernel[2]; + int shm_id, fd, r; + char c, *p; + struct utsname un; + fd_set fds; + + if (!seeded) { + /* See if anything has created the global seeded indication */ + if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) { + /* + * Check the kernel's version and fail if it is too recent. + * + * Linux kernels from 4.8 onwards do not guarantee that + * /dev/urandom is properly seeded when /dev/random becomes + * readable. However, such kernels support the getentropy(2) + * system call and this should always succeed which renders + * this alternative but essentially identical source moot. + */ + if (uname(&un) == 0) { + kernel[0] = atoi(un.release); + p = strchr(un.release, '.'); + kernel[1] = p == NULL ? 0 : atoi(p + 1); + if (kernel[0] > kernel_version[0] + || (kernel[0] == kernel_version[0] + && kernel[1] >= kernel_version[1])) { + return 0; + } + } + /* Open /dev/random and wait for it to be readable */ + if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) { + if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) { + FD_ZERO(&fds); + FD_SET(fd, &fds); + while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0 + && errno == EINTR); + } else { + while ((r = read(fd, &c, 1)) < 0 && errno == EINTR); + } + close(fd); + if (r == 1) { + seeded = 1; + /* Create the shared memory indicator */ + shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, + IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH); + } + } + } + if (shm_id != -1) { + seeded = 1; + /* + * Map the shared memory to prevent its premature destruction. + * If this call fails, it isn't a big problem. + */ + shm_addr = shmat(shm_id, NULL, SHM_RDONLY); + if (shm_addr != (void *)-1) + OPENSSL_atexit(&cleanup_shm); + } + } + return seeded; +} +# else /* defined __linux */ +static int wait_random_seeded(void) +{ + return 1; +} +# endif + /* * Verify that the file descriptor associated with the random source is * still valid. The rationale for doing this is the fact that it is not @@ -474,12 +575,12 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) # if defined(OPENSSL_RAND_SEED_NONE) return rand_pool_entropy_available(pool); # else - size_t bytes_needed; - size_t entropy_available = 0; - unsigned char *buffer; + size_t entropy_available; # if defined(OPENSSL_RAND_SEED_GETRANDOM) { + size_t bytes_needed; + unsigned char *buffer; ssize_t bytes; /* Maximum allowed number of consecutive unsuccessful attempts */ int attempts = 3; @@ -509,36 +610,16 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) # endif # if defined(OPENSSL_RAND_SEED_DEVRANDOM) - bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); - { + if (wait_random_seeded()) { + size_t bytes_needed; + unsigned char *buffer; size_t i; -#ifdef DEVRANDOM_WAIT - static int wait_done = 0; - /* - * On some implementations reading from /dev/urandom is possible - * before it is initialized. Therefore we wait for /dev/random - * to be readable to make sure /dev/urandom is initialized. - */ - if (!wait_done && bytes_needed > 0) { - int f = open(DEVRANDOM_WAIT, O_RDONLY); - - if (f >= 0) { - fd_set fds; - - FD_ZERO(&fds); - FD_SET(f, &fds); - while (select(f+1, &fds, NULL, NULL, NULL) < 0 - && errno == EINTR); - close(f); - } - wait_done = 1; - } -#endif - - for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) { + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); + i++) { ssize_t bytes = 0; - /* Maximum allowed number of consecutive unsuccessful attempts */ + /* Maximum number of consecutive unsuccessful attempts */ int attempts = 3; const int fd = get_random_device(i); @@ -552,7 +633,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; - attempts = 3; /* reset counter after successful attempt */ + attempts = 3; /* reset counter on successful attempt */ } else if (bytes < 0 && errno != EINTR) { break; } @@ -560,7 +641,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) if (bytes < 0 || !keep_random_devices_open) close_random_device(i); - bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + bytes_needed = rand_pool_bytes_needed(pool, 1); } entropy_available = rand_pool_entropy_available(pool); if (entropy_available > 0) @@ -581,26 +662,29 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool) # endif # if defined(OPENSSL_RAND_SEED_EGD) - bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); - if (bytes_needed > 0) { + { static const char *paths[] = { DEVRANDOM_EGD, NULL }; + size_t bytes_needed; + unsigned char *buffer; int i; - for (i = 0; paths[i] != NULL; i++) { + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) { + size_t bytes = 0; + int num; + buffer = rand_pool_add_begin(pool, bytes_needed); - if (buffer != NULL) { - size_t bytes = 0; - int num = RAND_query_egd_bytes(paths[i], - buffer, (int)bytes_needed); - if (num == (int)bytes_needed) - bytes = bytes_needed; + num = RAND_query_egd_bytes(paths[i], + buffer, (int)bytes_needed); + if (num == (int)bytes_needed) + bytes = bytes_needed; - rand_pool_add_end(pool, bytes, 8 * bytes); - entropy_available = rand_pool_entropy_available(pool); - } - if (entropy_available > 0) - return entropy_available; + rand_pool_add_end(pool, bytes, 8 * bytes); + bytes_needed = rand_pool_bytes_needed(pool, 1); } + entropy_available = rand_pool_entropy_available(pool); + if (entropy_available > 0) + return entropy_available; } # endif @@ -634,15 +718,18 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) int rand_pool_add_additional_data(RAND_POOL *pool) { struct { + int fork_id; CRYPTO_THREAD_ID tid; uint64_t time; } data = { 0 }; /* * Add some noise from the thread id and a high resolution timer. + * The fork_id adds some extra fork-safety. * The thread id adds a little randomness if the drbg is accessed * concurrently (which is the case for the <master> drbg). */ + data.fork_id = openssl_get_fork_id(); data.tid = CRYPTO_THREAD_get_current_id(); data.time = get_timer_bits(); diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c index a23e2483..6ab1c140 100644 --- a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c +++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c @@ -460,6 +460,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { @@ -499,6 +502,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) #endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerr(0, ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } *(int *)arg2 = NID_sha256; return 1; diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_err.c b/freebsd/crypto/openssl/crypto/rsa/rsa_err.c index 3000019c..e7a3c06b 100644 --- a/freebsd/crypto/openssl/crypto/rsa/rsa_err.c +++ b/freebsd/crypto/openssl/crypto/rsa/rsa_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -176,6 +176,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = { {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "last octet invalid"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MGF1_DIGEST_NOT_ALLOWED), "mgf1 digest not allowed"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R), "mp coefficient not inverse of r"}, diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c b/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c index 22d99bb4..86b0efce 100644 --- a/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c +++ b/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c @@ -252,7 +252,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, * * This strategy has the following goals: * - * 1. 1024-bit factors are effcient when using 3072 and 4096-bit key + * 1. 1024-bit factors are efficient when using 3072 and 4096-bit key * 2. stay the same logic with normal 2-prime key */ bitse -= bitsr[i]; diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c b/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c index c0edd05e..cf2abaec 100644 --- a/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c +++ b/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -200,6 +200,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) if (d != NULL) { BN_clear_free(r->d); r->d = d; + BN_set_flags(r->d, BN_FLG_CONSTTIME); } return 1; @@ -217,10 +218,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) if (p != NULL) { BN_clear_free(r->p); r->p = p; + BN_set_flags(r->p, BN_FLG_CONSTTIME); } if (q != NULL) { BN_clear_free(r->q); r->q = q; + BN_set_flags(r->q, BN_FLG_CONSTTIME); } return 1; @@ -239,14 +242,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if (dmp1 != NULL) { BN_clear_free(r->dmp1); r->dmp1 = dmp1; + BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); } if (dmq1 != NULL) { BN_clear_free(r->dmq1); r->dmq1 = dmq1; + BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); } if (iqmp != NULL) { BN_clear_free(r->iqmp); r->iqmp = iqmp; + BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); } return 1; @@ -278,12 +284,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], if (pinfo == NULL) goto err; if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) { - BN_free(pinfo->r); - BN_free(pinfo->d); - BN_free(pinfo->t); + BN_clear_free(pinfo->r); + BN_clear_free(pinfo->d); + BN_clear_free(pinfo->t); pinfo->r = primes[i]; pinfo->d = exps[i]; pinfo->t = coeffs[i]; + BN_set_flags(pinfo->r, BN_FLG_CONSTTIME); + BN_set_flags(pinfo->d, BN_FLG_CONSTTIME); + BN_set_flags(pinfo->t, BN_FLG_CONSTTIME); } else { rsa_multip_info_free(pinfo); goto err; diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c index 2c9ded71..2c67ac2a 100644 --- a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c +++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c @@ -323,6 +323,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); goto err; } + if (rsa->d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY); + BN_free(d); + goto err; + } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, @@ -440,6 +445,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); goto err; } + if (rsa->d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY); + BN_free(d); + goto err; + } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) diff --git a/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c b/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c index 1f912dba..2d36d2ab 100644 --- a/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c +++ b/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -315,12 +315,12 @@ static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig, /* * B1: verify whether r' in [1,n-1], verification failed if not - * B2: vefify whether s' in [1,n-1], verification failed if not + * B2: verify whether s' in [1,n-1], verification failed if not * B3: set M'~=ZA || M' * B4: calculate e'=Hv(M'~) * B5: calculate t = (r' + s') modn, verification failed if t=0 * B6: calculate the point (x1', y1')=[s']G + [t]PA - * B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed + * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed */ ECDSA_SIG_get0(sig, &r, &s); diff --git a/freebsd/crypto/openssl/crypto/store/loader_file.c b/freebsd/crypto/openssl/crypto/store/loader_file.c index f2887bbe..8485e460 100644 --- a/freebsd/crypto/openssl/crypto/store/loader_file.c +++ b/freebsd/crypto/openssl/crypto/store/loader_file.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -174,7 +174,7 @@ typedef OSSL_STORE_INFO *(*file_try_decode_fn)(const char *pem_name, typedef int (*file_eof_fn)(void *handler_ctx); /* * The destroy_ctx function is used to destroy the handler_ctx that was - * intiated by a repeatable try_decode fuction. This is only used when + * initiated by a repeatable try_decode function. This is only used when * the handler is marked repeatable. */ typedef void (*file_destroy_ctx_fn)(void **handler_ctx); @@ -472,7 +472,7 @@ static FILE_HANDLER PrivateKey_handler = { }; /* - * Public key decoder. Only supports SubjectPublicKeyInfo formated keys. + * Public key decoder. Only supports SubjectPublicKeyInfo formatted keys. */ static OSSL_STORE_INFO *try_decode_PUBKEY(const char *pem_name, const char *pem_header, @@ -862,10 +862,10 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader, if (ctx->_.dir.last_entry == NULL) { if (ctx->_.dir.last_errno != 0) { char errbuf[256]; - errno = ctx->_.dir.last_errno; - openssl_strerror_r(errno, errbuf, sizeof(errbuf)); OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN, ERR_R_SYS_LIB); - ERR_add_error_data(1, errbuf); + errno = ctx->_.dir.last_errno; + if (openssl_strerror_r(errno, errbuf, sizeof(errbuf))) + ERR_add_error_data(1, errbuf); goto err; } ctx->_.dir.end_reached = 1; @@ -1262,11 +1262,11 @@ static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx, if (!ctx->_.dir.end_reached) { char errbuf[256]; assert(ctx->_.dir.last_errno != 0); + OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_SYS_LIB); errno = ctx->_.dir.last_errno; ctx->errcnt++; - openssl_strerror_r(errno, errbuf, sizeof(errbuf)); - OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_SYS_LIB); - ERR_add_error_data(1, errbuf); + if (openssl_strerror_r(errno, errbuf, sizeof(errbuf))) + ERR_add_error_data(1, errbuf); } return NULL; } diff --git a/freebsd/crypto/openssl/crypto/store/store_lib.c b/freebsd/crypto/openssl/crypto/store/store_lib.c index 7c6b55ea..5c83260c 100644 --- a/freebsd/crypto/openssl/crypto/store/store_lib.c +++ b/freebsd/crypto/openssl/crypto/store/store_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -230,7 +230,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx) * Functions to generate OSSL_STORE_INFOs, one function for each type we * support having in them as well as a generic constructor. * - * In all cases, ownership of the object is transfered to the OSSL_STORE_INFO + * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO * and will therefore be freed when the OSSL_STORE_INFO is freed. */ static OSSL_STORE_INFO *store_info_new(int type, void *data) diff --git a/freebsd/crypto/openssl/crypto/threads_none.c b/freebsd/crypto/openssl/crypto/threads_none.c index 988210f7..223f736d 100644 --- a/freebsd/crypto/openssl/crypto/threads_none.c +++ b/freebsd/crypto/openssl/crypto/threads_none.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,11 @@ #if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG) +# if defined(OPENSSL_SYS_UNIX) +# include <sys/types.h> +# include <unistd.h> +# endif + CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void) { CRYPTO_RWLOCK *lock; @@ -135,4 +140,12 @@ int openssl_init_fork_handlers(void) return 0; } +int openssl_get_fork_id(void) +{ +# if defined(OPENSSL_SYS_UNIX) + return getpid(); +# else + return return 0; +# endif +} #endif diff --git a/freebsd/crypto/openssl/crypto/threads_pthread.c b/freebsd/crypto/openssl/crypto/threads_pthread.c index 9a4514f3..89f74ae5 100644 --- a/freebsd/crypto/openssl/crypto/threads_pthread.c +++ b/freebsd/crypto/openssl/crypto/threads_pthread.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,11 @@ #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) +# if defined(OPENSSL_SYS_UNIX) +# include <sys/types.h> +# include <unistd.h> +#endif + # ifdef PTHREAD_RWLOCK_INITIALIZER # define USE_RWLOCK # endif @@ -196,4 +201,9 @@ int openssl_init_fork_handlers(void) # endif return 0; } + +int openssl_get_fork_id(void) +{ + return getpid(); +} #endif diff --git a/freebsd/crypto/openssl/crypto/ui/ui_lib.c b/freebsd/crypto/openssl/crypto/ui/ui_lib.c index 3f01a4e3..aab30542 100644 --- a/freebsd/crypto/openssl/crypto/ui/ui_lib.c +++ b/freebsd/crypto/openssl/crypto/ui/ui_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -502,6 +502,7 @@ int UI_process(UI *ui) if (ui->meth->ui_flush != NULL) switch (ui->meth->ui_flush(ui)) { case -1: /* Interrupt/Cancel/something... */ + ui->flags &= ~UI_FLAG_REDOABLE; ok = -2; goto err; case 0: /* Errors */ @@ -519,6 +520,7 @@ int UI_process(UI *ui) sk_UI_STRING_value(ui->strings, i))) { case -1: /* Interrupt/Cancel/something... */ + ui->flags &= ~UI_FLAG_REDOABLE; ok = -2; goto err; case 0: /* Errors */ diff --git a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c index 5edcec16..03596eee 100644 --- a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c +++ b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c @@ -81,7 +81,7 @@ * systems that require something different. * * Note: we do not use SGTTY unless it's defined by the configuration. We - * may eventually opt to remove it's use entirely. + * may eventually opt to remove its use entirely. */ # if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY) diff --git a/freebsd/crypto/openssl/crypto/uid.c b/freebsd/crypto/openssl/crypto/uid.c index b51a6856..3b59944d 100644 --- a/freebsd/crypto/openssl/crypto/uid.c +++ b/freebsd/crypto/openssl/crypto/uid.c @@ -12,20 +12,20 @@ #include <openssl/crypto.h> #include <openssl/opensslconf.h> -#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) - -# include OPENSSL_UNISTD +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) int OPENSSL_issetugid(void) { - return issetugid(); + return 0; } -#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) +#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) + +# include OPENSSL_UNISTD int OPENSSL_issetugid(void) { - return 0; + return issetugid(); } #else diff --git a/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c b/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c index 69e8486c..924d0c1e 100644 --- a/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c +++ b/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -89,6 +89,7 @@ typedef unsigned long long u64; #ifndef PEDANTIC # if defined(_MSC_VER) # if defined(_WIN64) /* applies to both IA-64 and AMD64 */ +# include <stdlib.h> # pragma intrinsic(_rotl64) # define ROTATE(a,n) _rotl64((a),n) # endif diff --git a/freebsd/crypto/openssl/crypto/x509/by_dir.c b/freebsd/crypto/openssl/crypto/x509/by_dir.c index e05e72ae..6d9f3f42 100644 --- a/freebsd/crypto/openssl/crypto/x509/by_dir.c +++ b/freebsd/crypto/openssl/crypto/x509/by_dir.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -329,10 +329,10 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, /* * we have added it to the cache so now pull it out again */ - CRYPTO_THREAD_write_lock(ctx->lock); + X509_STORE_lock(xl->store_ctx); j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp); tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j); - CRYPTO_THREAD_unlock(ctx->lock); + X509_STORE_unlock(xl->store_ctx); /* If a CRL, update the last file suffix added for this */ diff --git a/freebsd/crypto/openssl/crypto/x509/t_req.c b/freebsd/crypto/openssl/crypto/x509/t_req.c index b0d261fb..f6cc6d6a 100644 --- a/freebsd/crypto/openssl/crypto/x509/t_req.c +++ b/freebsd/crypto/openssl/crypto/x509/t_req.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -129,6 +129,10 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) { ii = 0; count = X509_ATTRIBUTE_count(a); + if (count == 0) { + X509err(X509_F_X509_REQ_PRINT_EX, X509_R_INVALID_ATTRIBUTES); + return 0; + } get_next: at = X509_ATTRIBUTE_get0_type(a, ii); type = at->type; diff --git a/freebsd/crypto/openssl/crypto/x509/x509_att.c b/freebsd/crypto/openssl/crypto/x509/x509_att.c index 921ff6ff..37afa34e 100644 --- a/freebsd/crypto/openssl/crypto/x509/x509_att.c +++ b/freebsd/crypto/openssl/crypto/x509/x509_att.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -316,7 +316,9 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, ttmp = X509_ATTRIBUTE_get0_type(attr, idx); if (!ttmp) return NULL; - if (atrtype != ASN1_TYPE_get(ttmp)) { + if (atrtype == V_ASN1_BOOLEAN + || atrtype == V_ASN1_NULL + || atrtype != ASN1_TYPE_get(ttmp)) { X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE); return NULL; } diff --git a/freebsd/crypto/openssl/crypto/x509/x509_cmp.c b/freebsd/crypto/openssl/crypto/x509/x509_cmp.c index 74838f53..ba348f8a 100644 --- a/freebsd/crypto/openssl/crypto/x509/x509_cmp.c +++ b/freebsd/crypto/openssl/crypto/x509/x509_cmp.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -452,9 +452,17 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) STACK_OF(X509) *ret; int i; ret = sk_X509_dup(chain); + if (ret == NULL) + return NULL; for (i = 0; i < sk_X509_num(ret); i++) { X509 *x = sk_X509_value(ret, i); - X509_up_ref(x); + if (!X509_up_ref(x)) + goto err; } return ret; + err: + while (i-- > 0) + X509_free (sk_X509_value(ret, i)); + sk_X509_free(ret); + return NULL; } diff --git a/freebsd/crypto/openssl/crypto/x509/x509_err.c b/freebsd/crypto/openssl/crypto/x509/x509_err.c index 9509fc14..8a6ff0da 100644 --- a/freebsd/crypto/openssl/crypto/x509/x509_err.c +++ b/freebsd/crypto/openssl/crypto/x509/x509_err.c @@ -2,7 +2,7 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -125,6 +125,8 @@ static const ERR_STRING_DATA X509_str_reasons[] = { {ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE), "crl verify failure"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_IDP_MISMATCH), "idp mismatch"}, + {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_ATTRIBUTES), + "invalid attributes"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_DIRECTORY), "invalid directory"}, {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_FIELD_NAME), "invalid field name"}, diff --git a/freebsd/crypto/openssl/crypto/x509/x509_lu.c b/freebsd/crypto/openssl/crypto/x509/x509_lu.c index 42010e62..b4a76166 100644 --- a/freebsd/crypto/openssl/crypto/x509/x509_lu.c +++ b/freebsd/crypto/openssl/crypto/x509/x509_lu.c @@ -291,24 +291,25 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, X509_NAME *name, X509_OBJECT *ret) { - X509_STORE *ctx = vs->ctx; + X509_STORE *store = vs->ctx; X509_LOOKUP *lu; X509_OBJECT stmp, *tmp; int i, j; - if (ctx == NULL) + if (store == NULL) return 0; stmp.type = X509_LU_NONE; stmp.data.ptr = NULL; - CRYPTO_THREAD_write_lock(ctx->lock); - tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); - CRYPTO_THREAD_unlock(ctx->lock); + + X509_STORE_lock(store); + tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name); + X509_STORE_unlock(store); if (tmp == NULL || type == X509_LU_CRL) { - for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { - lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); + for (i = 0; i < sk_X509_LOOKUP_num(store->get_cert_methods); i++) { + lu = sk_X509_LOOKUP_value(store->get_cert_methods, i); j = X509_LOOKUP_by_subject(lu, type, name, &stmp); if (j) { tmp = &stmp; @@ -319,15 +320,16 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return 0; } + if (!X509_OBJECT_up_ref_count(tmp)) + return 0; + ret->type = tmp->type; ret->data.ptr = tmp->data.ptr; - X509_OBJECT_up_ref_count(ret); - return 1; } -static int x509_store_add(X509_STORE *ctx, void *x, int crl) { +static int x509_store_add(X509_STORE *store, void *x, int crl) { X509_OBJECT *obj; int ret = 0, added = 0; @@ -344,18 +346,20 @@ static int x509_store_add(X509_STORE *ctx, void *x, int crl) { obj->type = X509_LU_X509; obj->data.x509 = (X509 *)x; } - X509_OBJECT_up_ref_count(obj); - - CRYPTO_THREAD_write_lock(ctx->lock); + if (!X509_OBJECT_up_ref_count(obj)) { + obj->type = X509_LU_NONE; + X509_OBJECT_free(obj); + return 0; + } - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { + X509_STORE_lock(store); + if (X509_OBJECT_retrieve_match(store->objs, obj)) { ret = 1; } else { - added = sk_X509_OBJECT_push(ctx->objs, obj); + added = sk_X509_OBJECT_push(store->objs, obj); ret = added != 0; } - - CRYPTO_THREAD_unlock(ctx->lock); + X509_STORE_unlock(store); if (added == 0) /* obj not pushed */ X509_OBJECT_free(obj); @@ -536,12 +540,13 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) STACK_OF(X509) *sk = NULL; X509 *x; X509_OBJECT *obj; + X509_STORE *store = ctx->ctx; - if (ctx->ctx == NULL) + if (store == NULL) return NULL; - CRYPTO_THREAD_write_lock(ctx->ctx->lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); + X509_STORE_lock(store); + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { /* * Nothing found in cache: do lookup to possibly add new objects to @@ -549,7 +554,8 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) */ X509_OBJECT *xobj = X509_OBJECT_new(); - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); + if (xobj == NULL) return NULL; if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) { @@ -557,27 +563,31 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) return NULL; } X509_OBJECT_free(xobj); - CRYPTO_THREAD_write_lock(ctx->ctx->lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); + X509_STORE_lock(store); + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); return NULL; } } sk = sk_X509_new_null(); for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + obj = sk_X509_OBJECT_value(store->objs, idx); x = obj->data.x509; - X509_up_ref(x); + if (!X509_up_ref(x)) { + X509_STORE_unlock(store); + sk_X509_pop_free(sk, X509_free); + return NULL; + } if (!sk_X509_push(sk, x)) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); X509_free(x); sk_X509_pop_free(sk, X509_free); return NULL; } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); return sk; } @@ -587,37 +597,42 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); X509_CRL *x; X509_OBJECT *obj, *xobj = X509_OBJECT_new(); + X509_STORE *store = ctx->ctx; /* Always do lookup to possibly add new CRLs to cache */ if (sk == NULL || xobj == NULL - || ctx->ctx == NULL + || store == NULL || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { X509_OBJECT_free(xobj); sk_X509_CRL_free(sk); return NULL; } X509_OBJECT_free(xobj); - CRYPTO_THREAD_write_lock(ctx->ctx->lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); + X509_STORE_lock(store); + idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); sk_X509_CRL_free(sk); return NULL; } for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + obj = sk_X509_OBJECT_value(store->objs, idx); x = obj->data.crl; - X509_CRL_up_ref(x); + if (!X509_CRL_up_ref(x)) { + X509_STORE_unlock(store); + sk_X509_CRL_pop_free(sk, X509_CRL_free); + return NULL; + } if (!sk_X509_CRL_push(sk, x)) { - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); X509_CRL_free(x); sk_X509_CRL_pop_free(sk, X509_CRL_free); return NULL; } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); + X509_STORE_unlock(store); return sk; } @@ -665,6 +680,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { X509_NAME *xn; X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL; + X509_STORE *store = ctx->ctx; int i, ok, idx, ret; if (obj == NULL) @@ -680,25 +696,28 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) if (ctx->check_issued(ctx, x, obj->data.x509)) { if (x509_check_cert_time(ctx, obj->data.x509, -1)) { *issuer = obj->data.x509; - X509_up_ref(*issuer); + if (!X509_up_ref(*issuer)) { + *issuer = NULL; + ok = -1; + } X509_OBJECT_free(obj); - return 1; + return ok; } } X509_OBJECT_free(obj); - if (ctx->ctx == NULL) + if (store == NULL) return 0; /* Else find index of first cert accepted by 'check_issued' */ ret = 0; - CRYPTO_THREAD_write_lock(ctx->ctx->lock); - idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); + X509_STORE_lock(store); + idx = X509_OBJECT_idx_by_subject(store->objs, X509_LU_X509, xn); if (idx != -1) { /* should be true as we've had at least one * match */ /* Look through all matching certs for suitable issuer */ - for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) { - pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); + for (i = idx; i < sk_X509_OBJECT_num(store->objs); i++) { + pobj = sk_X509_OBJECT_value(store->objs, i); /* See if we've run past the matches */ if (pobj->type != X509_LU_X509) break; @@ -719,9 +738,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } } } - CRYPTO_THREAD_unlock(ctx->ctx->lock); - if (*issuer) - X509_up_ref(*issuer); + if (*issuer && !X509_up_ref(*issuer)) { + *issuer = NULL; + ret = -1; + } + X509_STORE_unlock(store); return ret; } diff --git a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c index 7614e8ab..036d0d85 100644 --- a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c +++ b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1790,7 +1790,11 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1; ASN1_TIME *asn1_cmp_time = NULL; int i, day, sec, ret = 0; - +#ifdef CHARSET_EBCDIC + const char upper_z = 0x5A; +#else + const char upper_z = 'Z'; +#endif /* * Note that ASN.1 allows much more slack in the time format than RFC5280. * In RFC5280, the representation is fixed: @@ -1821,10 +1825,10 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) * Digit and date ranges will be verified in the conversion methods. */ for (i = 0; i < ctm->length - 1; i++) { - if (!ossl_isdigit(ctm->data[i])) + if (!ascii_isdigit(ctm->data[i])) return 0; } - if (ctm->data[ctm->length - 1] != 'Z') + if (ctm->data[ctm->length - 1] != upper_z) return 0; /* diff --git a/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c b/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c index cf02a773..d749f080 100644 --- a/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c +++ b/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -159,15 +159,18 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) break; case GEN_EMAIL: - BIO_printf(out, "email:%s", gen->d.ia5->data); + BIO_printf(out, "email:"); + ASN1_STRING_print(out, gen->d.ia5); break; case GEN_DNS: - BIO_printf(out, "DNS:%s", gen->d.ia5->data); + BIO_printf(out, "DNS:"); + ASN1_STRING_print(out, gen->d.ia5); break; case GEN_URI: - BIO_printf(out, "URI:%s", gen->d.ia5->data); + BIO_printf(out, "URI:"); + ASN1_STRING_print(out, gen->d.ia5); break; case GEN_DIRNAME: diff --git a/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c b/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c index a23a0ed1..56f82850 100644 --- a/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -873,6 +873,20 @@ const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x) return (x->akid != NULL ? x->akid->keyid : NULL); } +const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x) +{ + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(x, -1, -1); + return (x->akid != NULL ? x->akid->issuer : NULL); +} + +const ASN1_INTEGER *X509_get0_authority_serial(X509 *x) +{ + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(x, -1, -1); + return (x->akid != NULL ? x->akid->serial : NULL); +} + long X509_get_pathlen(X509 *x) { /* Called for side effect of caching extensions */ diff --git a/freebsd/crypto/openssl/e_os.h b/freebsd/crypto/openssl/e_os.h index e9ce6c9c..858bc40c 100644 --- a/freebsd/crypto/openssl/e_os.h +++ b/freebsd/crypto/openssl/e_os.h @@ -28,8 +28,34 @@ * default, we will try to read at least one of these files */ # define DEVRANDOM "/dev/urandom", "/dev/random", "/dev/hwrng", "/dev/srandom" -# ifdef __linux -# define DEVRANDOM_WAIT "/dev/random" +# if defined(__linux) && !defined(__ANDROID__) +# ifndef DEVRANDOM_WAIT +# define DEVRANDOM_WAIT "/dev/random" +# endif +/* + * Linux kernels 4.8 and later changes how their random device works and there + * is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2) + * should be used instead. + */ +# ifndef DEVRANDOM_SAFE_KERNEL +# define DEVRANDOM_SAFE_KERNEL 4, 8 +# endif +/* + * Some operating systems do not permit select(2) on their random devices, + * defining this to zero will force the used of read(2) to extract one byte + * from /dev/random. + */ +# ifndef DEVRANDM_WAIT_USE_SELECT +# define DEVRANDM_WAIT_USE_SELECT 1 +# endif +/* + * Define the shared memory identifier used to indicate if the operating + * system has properly seeded the DEVRANDOM source. + */ +# ifndef OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID +# define OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID 114 +# endif + # endif # endif # if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD) diff --git a/freebsd/crypto/openssl/include/internal/constant_time_locl.h b/freebsd/crypto/openssl/include/internal/constant_time_locl.h index cde30f40..0193a653 100644 --- a/freebsd/crypto/openssl/include/internal/constant_time_locl.h +++ b/freebsd/crypto/openssl/include/internal/constant_time_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -213,18 +213,72 @@ static ossl_inline unsigned char constant_time_eq_int_8(int a, int b) return constant_time_eq_8((unsigned)(a), (unsigned)(b)); } +/* + * Returns the value unmodified, but avoids optimizations. + * The barriers prevent the compiler from narrowing down the + * possible value range of the mask and ~mask in the select + * statements, which avoids the recognition of the select + * and turning it into a conditional load or branch. + */ +static ossl_inline unsigned int value_barrier(unsigned int a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + unsigned int r; + __asm__("" : "=r"(r) : "0"(a)); +#else + volatile unsigned int r = a; +#endif + return r; +} + +/* Convenience method for uint32_t. */ +static ossl_inline uint32_t value_barrier_32(uint32_t a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + uint32_t r; + __asm__("" : "=r"(r) : "0"(a)); +#else + volatile uint32_t r = a; +#endif + return r; +} + +/* Convenience method for uint64_t. */ +static ossl_inline uint64_t value_barrier_64(uint64_t a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + uint64_t r; + __asm__("" : "=r"(r) : "0"(a)); +#else + volatile uint64_t r = a; +#endif + return r; +} + +/* Convenience method for size_t. */ +static ossl_inline size_t value_barrier_s(size_t a) +{ +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) + size_t r; + __asm__("" : "=r"(r) : "0"(a)); +#else + volatile size_t r = a; +#endif + return r; +} + static ossl_inline unsigned int constant_time_select(unsigned int mask, unsigned int a, unsigned int b) { - return (mask & a) | (~mask & b); + return (value_barrier(mask) & a) | (value_barrier(~mask) & b); } static ossl_inline size_t constant_time_select_s(size_t mask, size_t a, size_t b) { - return (mask & a) | (~mask & b); + return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b); } static ossl_inline unsigned char constant_time_select_8(unsigned char mask, @@ -249,13 +303,13 @@ static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b) static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a, uint32_t b) { - return (mask & a) | (~mask & b); + return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b); } static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a, uint64_t b) { - return (mask & a) | (~mask & b); + return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b); } /* diff --git a/freebsd/crypto/openssl/include/internal/cryptlib.h b/freebsd/crypto/openssl/include/internal/cryptlib.h index b4d76d5f..23e17e55 100644 --- a/freebsd/crypto/openssl/include/internal/cryptlib.h +++ b/freebsd/crypto/openssl/include/internal/cryptlib.h @@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[]; void OPENSSL_showfatal(const char *fmta, ...); void crypto_cleanup_all_ex_data_int(void); int openssl_init_fork_handlers(void); +int openssl_get_fork_id(void); char *ossl_safe_getenv(const char *name); diff --git a/freebsd/crypto/openssl/include/internal/dsoerr.h b/freebsd/crypto/openssl/include/internal/dsoerr.h index 0edf277f..5f4511c4 100644 --- a/freebsd/crypto/openssl/include/internal/dsoerr.h +++ b/freebsd/crypto/openssl/include/internal/dsoerr.h @@ -11,7 +11,9 @@ #ifndef HEADER_DSOERR_H # define HEADER_DSOERR_H -# include <openssl/opensslconf.h> +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif # ifdef __cplusplus extern "C" diff --git a/freebsd/crypto/openssl/include/internal/refcount.h b/freebsd/crypto/openssl/include/internal/refcount.h index d2364c62..6e1a840e 100644 --- a/freebsd/crypto/openssl/include/internal/refcount.h +++ b/freebsd/crypto/openssl/include/internal/refcount.h @@ -105,7 +105,7 @@ static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock) # if _WIN32_WCE >= 0x600 extern long __cdecl _InterlockedExchangeAdd(long volatile*, long); # else - // under Windows CE we still have old-style Interlocked* functions + /* under Windows CE we still have old-style Interlocked* functions */ extern long __cdecl InterlockedExchangeAdd(long volatile*, long); # define _InterlockedExchangeAdd InterlockedExchangeAdd # endif diff --git a/freebsd/crypto/openssl/include/internal/thread_once.h b/freebsd/crypto/openssl/include/internal/thread_once.h index 8a25d04d..8f8aa6e1 100644 --- a/freebsd/crypto/openssl/include/internal/thread_once.h +++ b/freebsd/crypto/openssl/include/internal/thread_once.h @@ -72,7 +72,7 @@ * function defined via DEFINE_ONCE_STATIC where both functions use the same * CRYPTO_ONCE object to synchronise. Where an alternative initialiser function * is used only one of the primary or the alternative initialiser function will - * ever be called - and that function will be called exactly once. Definitition + * ever be called - and that function will be called exactly once. Definition * of an alternative initialiser function MUST occur AFTER the definition of the * primary initialiser function. * diff --git a/freebsd/crypto/openssl/include/internal/tsan_assist.h b/freebsd/crypto/openssl/include/internal/tsan_assist.h index d41ebb34..cc30162e 100644 --- a/freebsd/crypto/openssl/include/internal/tsan_assist.h +++ b/freebsd/crypto/openssl/include/internal/tsan_assist.h @@ -18,7 +18,7 @@ * if (var == NOT_YET_INITIALIZED) * var = function_returning_same_value(); * - * This does work provided that loads and stores are single-instuction + * This does work provided that loads and stores are single-instruction * operations (and integer ones are on *all* supported platforms), but * it upsets Thread Sanitizer. Suggested solution is * diff --git a/freebsd/crypto/openssl/include/openssl/asn1err.h b/freebsd/crypto/openssl/include/openssl/asn1err.h index 5a91126d..faed5a55 100644 --- a/freebsd/crypto/openssl/include/openssl/asn1err.h +++ b/freebsd/crypto/openssl/include/openssl/asn1err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_ASN1ERR_H # define HEADER_ASN1ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/asyncerr.h b/freebsd/crypto/openssl/include/openssl/asyncerr.h index 5497ba75..91afbbb2 100644 --- a/freebsd/crypto/openssl/include/openssl/asyncerr.h +++ b/freebsd/crypto/openssl/include/openssl/asyncerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_ASYNCERR_H # define HEADER_ASYNCERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/bio.h b/freebsd/crypto/openssl/include/openssl/bio.h index 2888b42d..e1fddfb7 100644 --- a/freebsd/crypto/openssl/include/openssl/bio.h +++ b/freebsd/crypto/openssl/include/openssl/bio.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -20,10 +20,6 @@ # include <openssl/crypto.h> # include <openssl/bioerr.h> -# ifndef OPENSSL_NO_SCTP -# include <openssl/e_os2.h> -# endif - #ifdef __cplusplus extern "C" { #endif diff --git a/freebsd/crypto/openssl/include/openssl/bioerr.h b/freebsd/crypto/openssl/include/openssl/bioerr.h index f119a59c..46e2c96e 100644 --- a/freebsd/crypto/openssl/include/openssl/bioerr.h +++ b/freebsd/crypto/openssl/include/openssl/bioerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_BIOERR_H # define HEADER_BIOERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/bnerr.h b/freebsd/crypto/openssl/include/openssl/bnerr.h index 8a022cc0..9f3c7cfa 100644 --- a/freebsd/crypto/openssl/include/openssl/bnerr.h +++ b/freebsd/crypto/openssl/include/openssl/bnerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_BNERR_H # define HEADER_BNERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/buffererr.h b/freebsd/crypto/openssl/include/openssl/buffererr.h index 3aee1323..04f6ff7a 100644 --- a/freebsd/crypto/openssl/include/openssl/buffererr.h +++ b/freebsd/crypto/openssl/include/openssl/buffererr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_BUFERR_H # define HEADER_BUFERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/cms.h b/freebsd/crypto/openssl/include/openssl/cms.h index ddf37e56..c7627968 100644 --- a/freebsd/crypto/openssl/include/openssl/cms.h +++ b/freebsd/crypto/openssl/include/openssl/cms.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -284,8 +284,6 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, int type); -# ifdef HEADER_X509V3_H - int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr); CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, @@ -298,7 +296,6 @@ void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist, STACK_OF(GENERAL_NAMES) **prto); -# endif int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, X509_ALGOR **palg, ASN1_OCTET_STRING **pukm); diff --git a/freebsd/crypto/openssl/include/openssl/cmserr.h b/freebsd/crypto/openssl/include/openssl/cmserr.h index 3f8ae26d..7dbc13dc 100644 --- a/freebsd/crypto/openssl/include/openssl/cmserr.h +++ b/freebsd/crypto/openssl/include/openssl/cmserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_CMSERR_H # define HEADER_CMSERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_CMS @@ -101,6 +105,7 @@ int ERR_load_CMS_strings(void); # define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 153 # define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 154 # define CMS_F_CMS_SIGN_RECEIPT 163 +# define CMS_F_CMS_SI_CHECK_ATTRIBUTES 183 # define CMS_F_CMS_STREAM 155 # define CMS_F_CMS_UNCOMPRESS 156 # define CMS_F_CMS_VERIFY 157 @@ -110,6 +115,7 @@ int ERR_load_CMS_strings(void); * CMS reason codes. */ # define CMS_R_ADD_SIGNER_ERROR 99 +# define CMS_R_ATTRIBUTE_ERROR 161 # define CMS_R_CERTIFICATE_ALREADY_PRESENT 175 # define CMS_R_CERTIFICATE_HAS_NO_KEYID 160 # define CMS_R_CERTIFICATE_VERIFY_ERROR 100 diff --git a/freebsd/crypto/openssl/include/openssl/comperr.h b/freebsd/crypto/openssl/include/openssl/comperr.h index edea63a6..90231e9a 100644 --- a/freebsd/crypto/openssl/include/openssl/comperr.h +++ b/freebsd/crypto/openssl/include/openssl/comperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_COMPERR_H # define HEADER_COMPERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_COMP diff --git a/freebsd/crypto/openssl/include/openssl/conferr.h b/freebsd/crypto/openssl/include/openssl/conferr.h index d1c92f45..32b92291 100644 --- a/freebsd/crypto/openssl/include/openssl/conferr.h +++ b/freebsd/crypto/openssl/include/openssl/conferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_CONFERR_H # define HEADER_CONFERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/cryptoerr.h b/freebsd/crypto/openssl/include/openssl/cryptoerr.h index 10723d04..3db5a4ee 100644 --- a/freebsd/crypto/openssl/include/openssl/cryptoerr.h +++ b/freebsd/crypto/openssl/include/openssl/cryptoerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,12 +11,13 @@ #ifndef HEADER_CRYPTOERR_H # define HEADER_CRYPTOERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif - -# include <openssl/symhacks.h> - int ERR_load_CRYPTO_strings(void); /* diff --git a/freebsd/crypto/openssl/include/openssl/cterr.h b/freebsd/crypto/openssl/include/openssl/cterr.h index 764e1a22..feb7bc56 100644 --- a/freebsd/crypto/openssl/include/openssl/cterr.h +++ b/freebsd/crypto/openssl/include/openssl/cterr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_CTERR_H # define HEADER_CTERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_CT diff --git a/freebsd/crypto/openssl/include/openssl/dherr.h b/freebsd/crypto/openssl/include/openssl/dherr.h index 81e73f75..916b3bed 100644 --- a/freebsd/crypto/openssl/include/openssl/dherr.h +++ b/freebsd/crypto/openssl/include/openssl/dherr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_DHERR_H # define HEADER_DHERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_DH diff --git a/freebsd/crypto/openssl/include/openssl/dsaerr.h b/freebsd/crypto/openssl/include/openssl/dsaerr.h index d94f97bb..495a1ac8 100644 --- a/freebsd/crypto/openssl/include/openssl/dsaerr.h +++ b/freebsd/crypto/openssl/include/openssl/dsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_DSAERR_H # define HEADER_DSAERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_DSA @@ -57,6 +61,7 @@ int ERR_load_DSA_strings(void); # define DSA_R_INVALID_DIGEST_TYPE 106 # define DSA_R_INVALID_PARAMETERS 112 # define DSA_R_MISSING_PARAMETERS 101 +# define DSA_R_MISSING_PRIVATE_KEY 111 # define DSA_R_MODULUS_TOO_LARGE 103 # define DSA_R_NO_PARAMETERS_SET 107 # define DSA_R_PARAMETER_ENCODING_ERROR 105 diff --git a/freebsd/crypto/openssl/include/openssl/ec.h b/freebsd/crypto/openssl/include/openssl/ec.h index 347cfb6d..5af9ebdc 100644 --- a/freebsd/crypto/openssl/include/openssl/ec.h +++ b/freebsd/crypto/openssl/include/openssl/ec.h @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -142,7 +142,7 @@ const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); */ int EC_METHOD_get_field_type(const EC_METHOD *meth); -/** Sets the generator and it's order/cofactor of a EC_GROUP object. +/** Sets the generator and its order/cofactor of a EC_GROUP object. * \param group EC_GROUP object * \param generator EC_POINT object with the generator. * \param order the order of the group generated by the generator. @@ -1138,7 +1138,8 @@ void ECDSA_SIG_free(ECDSA_SIG *sig); * (*pp += length of the DER encoded signature)). * \param sig pointer to the ECDSA_SIG object * \param pp pointer to a unsigned char pointer for the output or NULL - * \return the length of the DER encoded ECDSA_SIG object or 0 + * \return the length of the DER encoded ECDSA_SIG object or a negative value + * on error */ int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); diff --git a/freebsd/crypto/openssl/include/openssl/ecerr.h b/freebsd/crypto/openssl/include/openssl/ecerr.h index be313d28..f7b91834 100644 --- a/freebsd/crypto/openssl/include/openssl/ecerr.h +++ b/freebsd/crypto/openssl/include/openssl/ecerr.h @@ -11,6 +11,10 @@ #ifndef HEADER_ECERR_H # define HEADER_ECERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_EC diff --git a/freebsd/crypto/openssl/include/openssl/engineerr.h b/freebsd/crypto/openssl/include/openssl/engineerr.h index b4c036b2..05e84bd2 100644 --- a/freebsd/crypto/openssl/include/openssl/engineerr.h +++ b/freebsd/crypto/openssl/include/openssl/engineerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_ENGINEERR_H # define HEADER_ENGINEERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_ENGINE diff --git a/freebsd/crypto/openssl/include/openssl/evp.h b/freebsd/crypto/openssl/include/openssl/evp.h index dd1117d0..545654a9 100644 --- a/freebsd/crypto/openssl/include/openssl/evp.h +++ b/freebsd/crypto/openssl/include/openssl/evp.h @@ -260,6 +260,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, # define EVP_CIPH_RAND_KEY 0x200 /* cipher has its own additional copying logic */ # define EVP_CIPH_CUSTOM_COPY 0x400 +/* Don't use standard iv length function */ +# define EVP_CIPH_CUSTOM_IV_LENGTH 0x800 /* Allow use default ASN1 get/set iv */ # define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000 /* Buffer length in bits not bytes: CFB1 mode only */ @@ -349,6 +351,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, /* Set the input buffer lengths to use for a pipelined operation */ # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24 +# define EVP_CTRL_GET_IVLEN 0x25 + /* Padding modes */ #define EVP_PADDING_PKCS7 1 #define EVP_PADDING_ISO7816_4 2 diff --git a/freebsd/crypto/openssl/include/openssl/evperr.h b/freebsd/crypto/openssl/include/openssl/evperr.h index 84f03eb3..6a651f55 100644 --- a/freebsd/crypto/openssl/include/openssl/evperr.h +++ b/freebsd/crypto/openssl/include/openssl/evperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_EVPERR_H # define HEADER_EVPERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif @@ -20,11 +24,14 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 +# define EVP_F_AESNI_XTS_INIT_KEY 207 # define EVP_F_AES_GCM_CTRL 196 # define EVP_F_AES_INIT_KEY 133 # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 +# define EVP_F_AES_T4_XTS_INIT_KEY 208 # define EVP_F_AES_WRAP_CIPHER 170 +# define EVP_F_AES_XTS_INIT_KEY 209 # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 @@ -115,6 +122,7 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKEY_SET_TYPE 158 # define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC5_CTRL 125 +# define EVP_F_R_32_12_16_INIT_KEY 242 # define EVP_F_S390X_AES_GCM_CTRL 201 # define EVP_F_UPDATE 173 @@ -124,6 +132,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_AES_KEY_SETUP_FAILED 143 # define EVP_R_ARIA_KEY_SETUP_FAILED 176 # define EVP_R_BAD_DECRYPT 100 +# define EVP_R_BAD_KEY_LENGTH 195 # define EVP_R_BUFFER_TOO_SMALL 155 # define EVP_R_CAMELLIA_KEY_SETUP_FAILED 157 # define EVP_R_CIPHER_PARAMETER_ERROR 122 @@ -190,5 +199,6 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +# define EVP_R_XTS_DUPLICATED_KEYS 183 #endif diff --git a/freebsd/crypto/openssl/include/openssl/kdferr.h b/freebsd/crypto/openssl/include/openssl/kdferr.h index 6437c271..3f51bd02 100644 --- a/freebsd/crypto/openssl/include/openssl/kdferr.h +++ b/freebsd/crypto/openssl/include/openssl/kdferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_KDFERR_H # define HEADER_KDFERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/objectserr.h b/freebsd/crypto/openssl/include/openssl/objectserr.h index 02308dfa..02e166f1 100644 --- a/freebsd/crypto/openssl/include/openssl/objectserr.h +++ b/freebsd/crypto/openssl/include/openssl/objectserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_OBJERR_H # define HEADER_OBJERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/ocsperr.h b/freebsd/crypto/openssl/include/openssl/ocsperr.h index 7d93b12d..8dd9e01a 100644 --- a/freebsd/crypto/openssl/include/openssl/ocsperr.h +++ b/freebsd/crypto/openssl/include/openssl/ocsperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_OCSPERR_H # define HEADER_OCSPERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_OCSP diff --git a/freebsd/crypto/openssl/include/openssl/opensslv.h b/freebsd/crypto/openssl/include/openssl/opensslv.h index e4f3ffe9..b5452472 100644 --- a/freebsd/crypto/openssl/include/openssl/opensslv.h +++ b/freebsd/crypto/openssl/include/openssl/opensslv.h @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010103fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c-freebsd 28 May 2019" +# define OPENSSL_VERSION_NUMBER 0x1010104fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d-freebsd 10 Sep 2019" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/freebsd/crypto/openssl/include/openssl/pemerr.h b/freebsd/crypto/openssl/include/openssl/pemerr.h index cd61b823..0c45918f 100644 --- a/freebsd/crypto/openssl/include/openssl/pemerr.h +++ b/freebsd/crypto/openssl/include/openssl/pemerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_PEMERR_H # define HEADER_PEMERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/pkcs12err.h b/freebsd/crypto/openssl/include/openssl/pkcs12err.h index c7184ffe..eff5eb26 100644 --- a/freebsd/crypto/openssl/include/openssl/pkcs12err.h +++ b/freebsd/crypto/openssl/include/openssl/pkcs12err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_PKCS12ERR_H # define HEADER_PKCS12ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/pkcs7err.h b/freebsd/crypto/openssl/include/openssl/pkcs7err.h index 0ba418d7..02e0299a 100644 --- a/freebsd/crypto/openssl/include/openssl/pkcs7err.h +++ b/freebsd/crypto/openssl/include/openssl/pkcs7err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_PKCS7ERR_H # define HEADER_PKCS7ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/randerr.h b/freebsd/crypto/openssl/include/openssl/randerr.h index 599a2a18..70d1a17a 100644 --- a/freebsd/crypto/openssl/include/openssl/randerr.h +++ b/freebsd/crypto/openssl/include/openssl/randerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,8 @@ #ifndef HEADER_RANDERR_H # define HEADER_RANDERR_H +# include <openssl/symhacks.h> + # ifdef __cplusplus extern "C" # endif @@ -42,6 +44,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_POOL_ADD_END 114 # define RAND_F_RAND_POOL_ATTACH 124 # define RAND_F_RAND_POOL_BYTES_NEEDED 115 +# define RAND_F_RAND_POOL_GROW 125 # define RAND_F_RAND_POOL_NEW 116 # define RAND_F_RAND_WRITE_FILE 112 diff --git a/freebsd/crypto/openssl/include/openssl/rsaerr.h b/freebsd/crypto/openssl/include/openssl/rsaerr.h index d5bc01c1..59b15e13 100644 --- a/freebsd/crypto/openssl/include/openssl/rsaerr.h +++ b/freebsd/crypto/openssl/include/openssl/rsaerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_RSAERR_H # define HEADER_RSAERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif @@ -126,6 +130,7 @@ int ERR_load_RSA_strings(void); # define RSA_R_KEY_PRIME_NUM_INVALID 165 # define RSA_R_KEY_SIZE_TOO_SMALL 120 # define RSA_R_LAST_OCTET_INVALID 134 +# define RSA_R_MISSING_PRIVATE_KEY 179 # define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 # define RSA_R_MODULUS_TOO_LARGE 105 # define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R 168 diff --git a/freebsd/crypto/openssl/include/openssl/ssl.h b/freebsd/crypto/openssl/include/openssl/ssl.h index f93dc68f..6724ccf2 100644 --- a/freebsd/crypto/openssl/include/openssl/ssl.h +++ b/freebsd/crypto/openssl/include/openssl/ssl.h @@ -1364,24 +1364,24 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_CTX_set1_chain_cert_store(ctx,st) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) -# define SSL_set0_chain(ctx,sk) \ - SSL_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk)) -# define SSL_set1_chain(ctx,sk) \ - SSL_ctrl(ctx,SSL_CTRL_CHAIN,1,(char *)(sk)) -# define SSL_add0_chain_cert(ctx,x509) \ - SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509)) -# define SSL_add1_chain_cert(ctx,x509) \ - SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)(x509)) -# define SSL_get0_chain_certs(ctx,px509) \ - SSL_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERTS,0,px509) -# define SSL_clear_chain_certs(ctx) \ - SSL_set0_chain(ctx,NULL) +# define SSL_set0_chain(s,sk) \ + SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk)) +# define SSL_set1_chain(s,sk) \ + SSL_ctrl(s,SSL_CTRL_CHAIN,1,(char *)(sk)) +# define SSL_add0_chain_cert(s,x509) \ + SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,0,(char *)(x509)) +# define SSL_add1_chain_cert(s,x509) \ + SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,1,(char *)(x509)) +# define SSL_get0_chain_certs(s,px509) \ + SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERTS,0,px509) +# define SSL_clear_chain_certs(s) \ + SSL_set0_chain(s,NULL) # define SSL_build_cert_chain(s, flags) \ SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL) -# define SSL_select_current_cert(ctx,x509) \ - SSL_ctrl(ctx,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509)) -# define SSL_set_current_cert(ctx,op) \ - SSL_ctrl(ctx,SSL_CTRL_SET_CURRENT_CERT, op, NULL) +# define SSL_select_current_cert(s,x509) \ + SSL_ctrl(s,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509)) +# define SSL_set_current_cert(s,op) \ + SSL_ctrl(s,SSL_CTRL_SET_CURRENT_CERT, op, NULL) # define SSL_set0_verify_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st)) # define SSL_set1_verify_cert_store(s,st) \ @@ -1390,34 +1390,34 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st)) # define SSL_set1_chain_cert_store(s,st) \ SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st)) -# define SSL_get1_groups(ctx, s) \ - SSL_ctrl(ctx,SSL_CTRL_GET_GROUPS,0,(char *)(s)) +# define SSL_get1_groups(s, glist) \ + SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist)) # define SSL_CTX_set1_groups(ctx, glist, glistlen) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) # define SSL_CTX_set1_groups_list(ctx, s) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s)) -# define SSL_set1_groups(ctx, glist, glistlen) \ - SSL_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) -# define SSL_set1_groups_list(ctx, s) \ - SSL_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s)) +# define SSL_set1_groups(s, glist, glistlen) \ + SSL_ctrl(s,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist)) +# define SSL_set1_groups_list(s, str) \ + SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str)) # define SSL_get_shared_group(s, n) \ SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL) # define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist)) # define SSL_CTX_set1_sigalgs_list(ctx, s) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s)) -# define SSL_set1_sigalgs(ctx, slist, slistlen) \ - SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist)) -# define SSL_set1_sigalgs_list(ctx, s) \ - SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s)) +# define SSL_set1_sigalgs(s, slist, slistlen) \ + SSL_ctrl(s,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist)) +# define SSL_set1_sigalgs_list(s, str) \ + SSL_ctrl(s,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(str)) # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist)) # define SSL_CTX_set1_client_sigalgs_list(ctx, s) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s)) -# define SSL_set1_client_sigalgs(ctx, slist, slistlen) \ - SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)(slist)) -# define SSL_set1_client_sigalgs_list(ctx, s) \ - SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s)) +# define SSL_set1_client_sigalgs(s, slist, slistlen) \ + SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist)) +# define SSL_set1_client_sigalgs_list(s, str) \ + SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(str)) # define SSL_get0_certificate_types(s, clist) \ SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist)) # define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \ diff --git a/freebsd/crypto/openssl/include/openssl/sslerr.h b/freebsd/crypto/openssl/include/openssl/sslerr.h index a50a075b..3d6850de 100644 --- a/freebsd/crypto/openssl/include/openssl/sslerr.h +++ b/freebsd/crypto/openssl/include/openssl/sslerr.h @@ -11,6 +11,10 @@ #ifndef HEADER_SSLERR_H # define HEADER_SSLERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/store.h b/freebsd/crypto/openssl/include/openssl/store.h index 7b43e8bd..a40a7339 100644 --- a/freebsd/crypto/openssl/include/openssl/store.h +++ b/freebsd/crypto/openssl/include/openssl/store.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -85,7 +85,7 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx); int OSSL_STORE_eof(OSSL_STORE_CTX *ctx); /* - * Check if an error occured + * Check if an error occurred * Returns 1 if it did, 0 otherwise. */ int OSSL_STORE_error(OSSL_STORE_CTX *ctx); @@ -117,7 +117,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx); * Functions to generate OSSL_STORE_INFOs, one function for each type we * support having in them, as well as a generic constructor. * - * In all cases, ownership of the object is transfered to the OSSL_STORE_INFO + * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO * and will therefore be freed when the OSSL_STORE_INFO is freed. */ OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name); diff --git a/freebsd/crypto/openssl/include/openssl/storeerr.h b/freebsd/crypto/openssl/include/openssl/storeerr.h index 33d0ab79..190eab07 100644 --- a/freebsd/crypto/openssl/include/openssl/storeerr.h +++ b/freebsd/crypto/openssl/include/openssl/storeerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_OSSL_STOREERR_H # define HEADER_OSSL_STOREERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/tls1.h b/freebsd/crypto/openssl/include/openssl/tls1.h index e13b5dd4..76d9fda4 100644 --- a/freebsd/crypto/openssl/include/openssl/tls1.h +++ b/freebsd/crypto/openssl/include/openssl/tls1.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1222,7 +1222,7 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) /* * extended master secret */ -# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x63\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" +# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" # endif /* TLS Session Ticket extension struct */ diff --git a/freebsd/crypto/openssl/include/openssl/tserr.h b/freebsd/crypto/openssl/include/openssl/tserr.h index 3e049256..07f23339 100644 --- a/freebsd/crypto/openssl/include/openssl/tserr.h +++ b/freebsd/crypto/openssl/include/openssl/tserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_TSERR_H # define HEADER_TSERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # include <openssl/opensslconf.h> # ifndef OPENSSL_NO_TS diff --git a/freebsd/crypto/openssl/include/openssl/uierr.h b/freebsd/crypto/openssl/include/openssl/uierr.h index 72fd9a9d..bd68864d 100644 --- a/freebsd/crypto/openssl/include/openssl/uierr.h +++ b/freebsd/crypto/openssl/include/openssl/uierr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_UIERR_H # define HEADER_UIERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/include/openssl/x509err.h b/freebsd/crypto/openssl/include/openssl/x509err.h index b1d6a870..02738531 100644 --- a/freebsd/crypto/openssl/include/openssl/x509err.h +++ b/freebsd/crypto/openssl/include/openssl/x509err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_X509ERR_H # define HEADER_X509ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif @@ -93,6 +97,7 @@ int ERR_load_X509_strings(void); # define X509_R_CRL_ALREADY_DELTA 127 # define X509_R_CRL_VERIFY_FAILURE 131 # define X509_R_IDP_MISMATCH 128 +# define X509_R_INVALID_ATTRIBUTES 138 # define X509_R_INVALID_DIRECTORY 113 # define X509_R_INVALID_FIELD_NAME 119 # define X509_R_INVALID_TRUST 123 diff --git a/freebsd/crypto/openssl/include/openssl/x509v3.h b/freebsd/crypto/openssl/include/openssl/x509v3.h index 9ea20275..6c6eca38 100644 --- a/freebsd/crypto/openssl/include/openssl/x509v3.h +++ b/freebsd/crypto/openssl/include/openssl/x509v3.h @@ -661,6 +661,8 @@ uint32_t X509_get_key_usage(X509 *x); uint32_t X509_get_extended_key_usage(X509 *x); const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x); const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x); +const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x); +const ASN1_INTEGER *X509_get0_authority_serial(X509 *x); int X509_PURPOSE_get_count(void); X509_PURPOSE *X509_PURPOSE_get0(int idx); diff --git a/freebsd/crypto/openssl/include/openssl/x509v3err.h b/freebsd/crypto/openssl/include/openssl/x509v3err.h index 6b3df12b..5f25442f 100644 --- a/freebsd/crypto/openssl/include/openssl/x509v3err.h +++ b/freebsd/crypto/openssl/include/openssl/x509v3err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,10 @@ #ifndef HEADER_X509V3ERR_H # define HEADER_X509V3ERR_H +# ifndef HEADER_SYMHACKS_H +# include <openssl/symhacks.h> +# endif + # ifdef __cplusplus extern "C" # endif diff --git a/freebsd/crypto/openssl/ssl/d1_msg.c b/freebsd/crypto/openssl/ssl/d1_msg.c index feae6cac..341fefd6 100644 --- a/freebsd/crypto/openssl/ssl/d1_msg.c +++ b/freebsd/crypto/openssl/ssl/d1_msg.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -54,8 +54,7 @@ int dtls1_dispatch_alert(SSL *s) s->s3->alert_dispatch = 1; /* fprintf( stderr, "not done with alert\n" ); */ } else { - if (s->s3->send_alert[0] == SSL3_AL_FATAL) - (void)BIO_flush(s->wbio); + (void)BIO_flush(s->wbio); if (s->msg_callback) s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, diff --git a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c index 6b63d215..d7bf210e 100644 --- a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c +++ b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c @@ -376,6 +376,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, s->rlayer.wnum = 0; /* + * If we are supposed to be sending a KeyUpdate then go into init unless we + * have writes pending - in which case we should finish doing that first. + */ + if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE) + ossl_statem_set_in_init(s, 1); + + /* * When writing early data on the server side we could be "in_init" in * between receiving the EoED and the CF - but we don't want to handle those * messages yet. @@ -630,8 +637,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, */ s->s3->empty_fragment_done = 0; - if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS && - !SSL_IS_DTLS(s)) + if (tmpwrit == n + && (s->mode & SSL_MODE_RELEASE_BUFFERS) != 0 + && !SSL_IS_DTLS(s)) ssl3_release_write_buffer(s); *written = tot + tmpwrit; diff --git a/freebsd/crypto/openssl/ssl/s3_lib.c b/freebsd/crypto/openssl/ssl/s3_lib.c index 02e12361..41b47245 100644 --- a/freebsd/crypto/openssl/ssl/s3_lib.c +++ b/freebsd/crypto/openssl/ssl/s3_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -3569,6 +3569,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_CHAIN_CERTS: *(STACK_OF(X509) **)parg = s->cert->key->chain; + ret = 1; break; case SSL_CTRL_SELECT_CURRENT_CERT: @@ -3603,8 +3604,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (!s->session) return 0; - clist = s->session->ext.supportedgroups; - clistlen = s->session->ext.supportedgroups_len; + clist = s->ext.peer_supportedgroups; + clistlen = s->ext.peer_supportedgroups_len; if (parg) { size_t i; int *cptr = parg; @@ -3718,13 +3719,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { - SSL_SESSION *sess = s->session; const unsigned char **pformat = parg; - if (sess == NULL || sess->ext.ecpointformats == NULL) + if (s->ext.peer_ecpointformats == NULL) return 0; - *pformat = sess->ext.ecpointformats; - return (int)sess->ext.ecpointformats_len; + *pformat = s->ext.peer_ecpointformats; + return (int)s->ext.peer_ecpointformats_len; } #endif diff --git a/freebsd/crypto/openssl/ssl/ssl_cert.c b/freebsd/crypto/openssl/ssl/ssl_cert.c index c78097a7..b76c68d4 100644 --- a/freebsd/crypto/openssl/ssl/ssl_cert.c +++ b/freebsd/crypto/openssl/ssl/ssl_cert.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -156,8 +156,6 @@ CERT *ssl_cert_dup(CERT *cert) ret->client_sigalgslen = cert->client_sigalgslen; } else ret->client_sigalgs = NULL; - /* Shared sigalgs also NULL */ - ret->shared_sigalgs = NULL; /* Copy any custom client certificate types */ if (cert->ctype) { ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len); @@ -242,7 +240,6 @@ void ssl_cert_free(CERT *c) ssl_cert_clear_certs(c); OPENSSL_free(c->conf_sigalgs); OPENSSL_free(c->client_sigalgs); - OPENSSL_free(c->shared_sigalgs); OPENSSL_free(c->ctype); X509_STORE_free(c->verify_store); X509_STORE_free(c->chain_store); diff --git a/freebsd/crypto/openssl/ssl/ssl_ciph.c b/freebsd/crypto/openssl/ssl/ssl_ciph.c index 9328d543..2f764a14 100644 --- a/freebsd/crypto/openssl/ssl/ssl_ciph.c +++ b/freebsd/crypto/openssl/ssl/ssl_ciph.c @@ -1379,24 +1379,25 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) { int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); - if (ret && ctx->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ + if (ret && ctx->cipher_list != NULL) return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id, ctx->tls13_ciphersuites); - } return ret; } int SSL_set_ciphersuites(SSL *s, const char *str) { + STACK_OF(SSL_CIPHER) *cipher_list; int ret = set_ciphersuites(&(s->tls13_ciphersuites), str); - if (ret && s->cipher_list != NULL) { - /* We already have a cipher_list, so we need to update it */ + if (s->cipher_list == NULL) { + if ((cipher_list = SSL_get_ciphers(s)) != NULL) + s->cipher_list = sk_SSL_CIPHER_dup(cipher_list); + } + if (ret && s->cipher_list != NULL) return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id, s->tls13_ciphersuites); - } return ret; } diff --git a/freebsd/crypto/openssl/ssl/ssl_lib.c b/freebsd/crypto/openssl/ssl/ssl_lib.c index 9c2c9dac..0a0818f3 100644 --- a/freebsd/crypto/openssl/ssl/ssl_lib.c +++ b/freebsd/crypto/openssl/ssl/ssl_lib.c @@ -630,6 +630,11 @@ int SSL_clear(SSL *s) /* Clear the verification result peername */ X509_VERIFY_PARAM_move_peername(s->param, NULL); + /* Clear any shared connection state */ + OPENSSL_free(s->shared_sigalgs); + s->shared_sigalgs = NULL; + s->shared_sigalgslen = 0; + /* * Check to see if we were changed into a different method, if so, revert * back. @@ -869,7 +874,7 @@ int SSL_up_ref(SSL *s) int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { - if (sid_ctx_len > sizeof(ctx->sid_ctx)) { + if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; @@ -1162,6 +1167,7 @@ void SSL_free(SSL *s) sk_SSL_CIPHER_free(s->cipher_list); sk_SSL_CIPHER_free(s->cipher_list_by_id); sk_SSL_CIPHER_free(s->tls13_ciphersuites); + sk_SSL_CIPHER_free(s->peer_ciphers); /* Make the next call work :-) */ if (s->session != NULL) { @@ -1174,13 +1180,16 @@ void SSL_free(SSL *s) clear_ciphers(s); ssl_cert_free(s->cert); + OPENSSL_free(s->shared_sigalgs); /* Free up if allocated */ OPENSSL_free(s->ext.hostname); SSL_CTX_free(s->session_ctx); #ifndef OPENSSL_NO_EC OPENSSL_free(s->ext.ecpointformats); + OPENSSL_free(s->ext.peer_ecpointformats); OPENSSL_free(s->ext.supportedgroups); + OPENSSL_free(s->ext.peer_supportedgroups); #endif /* OPENSSL_NO_EC */ sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free); #ifndef OPENSSL_NO_OCSP @@ -2439,9 +2448,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s) { - if ((s == NULL) || (s->session == NULL) || !s->server) + if ((s == NULL) || !s->server) return NULL; - return s->session->ciphers; + return s->peer_ciphers; } STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) @@ -2580,13 +2589,12 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) int i; if (!s->server - || s->session == NULL - || s->session->ciphers == NULL + || s->peer_ciphers == NULL || size < 2) return NULL; p = buf; - clntsk = s->session->ciphers; + clntsk = s->peer_ciphers; srvrsk = SSL_get_ciphers(s); if (clntsk == NULL || srvrsk == NULL) return NULL; diff --git a/freebsd/crypto/openssl/ssl/ssl_locl.h b/freebsd/crypto/openssl/ssl/ssl_locl.h index 0cf3893e..25875c9f 100644 --- a/freebsd/crypto/openssl/ssl/ssl_locl.h +++ b/freebsd/crypto/openssl/ssl/ssl_locl.h @@ -552,7 +552,6 @@ struct ssl_session_st { const SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to * load the 'cipher' structure */ - STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* * These are used to make removal of session-ids more efficient and to @@ -562,13 +561,7 @@ struct ssl_session_st { struct { char *hostname; -# ifndef OPENSSL_NO_EC - size_t ecpointformats_len; - unsigned char *ecpointformats; /* peer's list */ -# endif /* OPENSSL_NO_EC */ - size_t supportedgroups_len; - uint16_t *supportedgroups; /* peer's list */ - /* RFC4507 info */ + /* RFC4507 info */ unsigned char *tick; /* Session ticket */ size_t ticklen; /* Session ticket length */ /* Session lifetime hint in seconds */ @@ -1137,6 +1130,7 @@ struct ssl_st { /* Per connection DANE state */ SSL_DANE dane; /* crypto */ + STACK_OF(SSL_CIPHER) *peer_ciphers; STACK_OF(SSL_CIPHER) *cipher_list; STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* TLSv1.3 specific ciphersuites */ @@ -1300,10 +1294,19 @@ struct ssl_st { size_t ecpointformats_len; /* our list */ unsigned char *ecpointformats; + + size_t peer_ecpointformats_len; + /* peer's list */ + unsigned char *peer_ecpointformats; # endif /* OPENSSL_NO_EC */ size_t supportedgroups_len; /* our list */ uint16_t *supportedgroups; + + size_t peer_supportedgroups_len; + /* peer's list */ + uint16_t *peer_supportedgroups; + /* TLS Session Ticket extension override */ TLS_SESSION_TICKET_EXT *session_ticket; /* TLS Session Ticket extension callback */ @@ -1459,7 +1462,6 @@ struct ssl_st { size_t block_padding; CRYPTO_RWLOCK *lock; - RAND_DRBG *drbg; /* The number of TLS1.3 tickets to automatically send */ size_t num_tickets; @@ -1471,6 +1473,13 @@ struct ssl_st { /* Callback to determine if early_data is acceptable or not */ SSL_allow_early_data_cb_fn allow_early_data_cb; void *allow_early_data_cb_data; + + /* + * Signature algorithms shared by client and server: cached because these + * are used most often. + */ + const struct sigalg_lookup_st **shared_sigalgs; + size_t shared_sigalgslen; }; /* @@ -1905,12 +1914,6 @@ typedef struct cert_st { /* Size of above array */ size_t client_sigalgslen; /* - * Signature algorithms shared by client and server: cached because these - * are used most often. - */ - const SIGALG_LOOKUP **shared_sigalgs; - size_t shared_sigalgslen; - /* * Certificate setup callback: if set is called whenever a certificate * may be required (client or server). the callback can then examine any * appropriate parameters and setup any certificates required. This @@ -2240,8 +2243,8 @@ static ossl_inline int ssl_has_cert(const SSL *s, int idx) static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups, size_t *pgroupslen) { - *pgroups = s->session->ext.supportedgroups; - *pgroupslen = s->session->ext.supportedgroups_len; + *pgroups = s->ext.peer_supportedgroups; + *pgroupslen = s->ext.peer_supportedgroups_len; } # ifndef OPENSSL_UNIT_TEST diff --git a/freebsd/crypto/openssl/ssl/ssl_sess.c b/freebsd/crypto/openssl/ssl/ssl_sess.c index 9a5141ba..69b6aee3 100644 --- a/freebsd/crypto/openssl/ssl/ssl_sess.c +++ b/freebsd/crypto/openssl/ssl/ssl_sess.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -123,12 +123,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->psk_identity_hint = NULL; dest->psk_identity = NULL; #endif - dest->ciphers = NULL; dest->ext.hostname = NULL; -#ifndef OPENSSL_NO_EC - dest->ext.ecpointformats = NULL; - dest->ext.supportedgroups = NULL; -#endif dest->ext.tick = NULL; dest->ext.alpn_selected = NULL; #ifndef OPENSSL_NO_SRP @@ -178,12 +173,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) } #endif - if (src->ciphers != NULL) { - dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); - if (dest->ciphers == NULL) - goto err; - } - if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &dest->ex_data, &src->ex_data)) { goto err; @@ -195,23 +184,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } } -#ifndef OPENSSL_NO_EC - if (src->ext.ecpointformats) { - dest->ext.ecpointformats = - OPENSSL_memdup(src->ext.ecpointformats, - src->ext.ecpointformats_len); - if (dest->ext.ecpointformats == NULL) - goto err; - } - if (src->ext.supportedgroups) { - dest->ext.supportedgroups = - OPENSSL_memdup(src->ext.supportedgroups, - src->ext.supportedgroups_len - * sizeof(*src->ext.supportedgroups)); - if (dest->ext.supportedgroups == NULL) - goto err; - } -#endif if (ticket != 0 && src->ext.tick != NULL) { dest->ext.tick = @@ -792,17 +764,8 @@ void SSL_SESSION_free(SSL_SESSION *ss) OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id)); X509_free(ss->peer); sk_X509_pop_free(ss->peer_chain, X509_free); - sk_SSL_CIPHER_free(ss->ciphers); OPENSSL_free(ss->ext.hostname); OPENSSL_free(ss->ext.tick); -#ifndef OPENSSL_NO_EC - OPENSSL_free(ss->ext.ecpointformats); - ss->ext.ecpointformats = NULL; - ss->ext.ecpointformats_len = 0; - OPENSSL_free(ss->ext.supportedgroups); - ss->ext.supportedgroups = NULL; - ss->ext.supportedgroups_len = 0; -#endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_PSK OPENSSL_free(ss->psk_identity_hint); OPENSSL_free(ss->psk_identity); diff --git a/freebsd/crypto/openssl/ssl/statem/extensions.c b/freebsd/crypto/openssl/ssl/statem/extensions.c index 91c3fd56..33df9084 100644 --- a/freebsd/crypto/openssl/ssl/statem/extensions.c +++ b/freebsd/crypto/openssl/ssl/statem/extensions.c @@ -1042,18 +1042,18 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) */ if (s->ext.ecpointformats != NULL && s->ext.ecpointformats_len > 0 - && s->session->ext.ecpointformats != NULL - && s->session->ext.ecpointformats_len > 0 + && s->ext.peer_ecpointformats != NULL + && s->ext.peer_ecpointformats_len > 0 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; - unsigned char *list = s->session->ext.ecpointformats; + unsigned char *list = s->ext.peer_ecpointformats; - for (i = 0; i < s->session->ext.ecpointformats_len; i++) { + for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) break; } - if (i == s->session->ext.ecpointformats_len) { + if (i == s->ext.peer_ecpointformats_len) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); return 0; @@ -1450,8 +1450,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; unsigned char *early_secret; +#ifdef CHARSET_EBCDIC + static const unsigned char resumption_label[] = { 0x72, 0x65, 0x64, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; + static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; +#else static const unsigned char resumption_label[] = "res binder"; static const unsigned char external_label[] = "ext binder"; +#endif const unsigned char *label; size_t bindersize, labelsize, hashsize; int hashsizei = EVP_MD_size(md); @@ -1650,9 +1655,9 @@ static int final_early_data(SSL *s, unsigned int context, int sent) || s->early_data_state != SSL_EARLY_DATA_ACCEPTING || !s->ext.early_data_ok || s->hello_retry_request != SSL_HRR_NONE - || (s->ctx->allow_early_data_cb != NULL - && !s->ctx->allow_early_data_cb(s, - s->ctx->allow_early_data_cb_data))) { + || (s->allow_early_data_cb != NULL + && !s->allow_early_data_cb(s, + s->allow_early_data_cb_data))) { s->ext.early_data = SSL_EARLY_DATA_REJECTED; } else { s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; diff --git a/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c b/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c index ead0dde9..49835ac8 100644 --- a/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c +++ b/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c @@ -1373,19 +1373,19 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, return 0; } - s->session->ext.ecpointformats_len = 0; - OPENSSL_free(s->session->ext.ecpointformats); - s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len); - if (s->session->ext.ecpointformats == NULL) { + s->ext.peer_ecpointformats_len = 0; + OPENSSL_free(s->ext.peer_ecpointformats); + s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); + if (s->ext.peer_ecpointformats == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); return 0; } - s->session->ext.ecpointformats_len = ecpointformats_len; + s->ext.peer_ecpointformats_len = ecpointformats_len; if (!PACKET_copy_bytes(&ecptformatlist, - s->session->ext.ecpointformats, + s->ext.peer_ecpointformats, ecpointformats_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); @@ -1860,8 +1860,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } - skey = ssl_generate_pkey(ckey); - if (skey == NULL) { + skey = EVP_PKEY_new(); + if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); return 0; diff --git a/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c b/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c index a2c2ebe4..f68b6d88 100644 --- a/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c +++ b/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c @@ -256,8 +256,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, if (!s->hit) { if (!PACKET_memdup(&ec_point_format_list, - &s->session->ext.ecpointformats, - &s->session->ext.ecpointformats_len)) { + &s->ext.peer_ecpointformats, + &s->ext.peer_ecpointformats_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); return 0; @@ -964,12 +964,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, } if (!s->hit || SSL_IS_TLS13(s)) { - OPENSSL_free(s->session->ext.supportedgroups); - s->session->ext.supportedgroups = NULL; - s->session->ext.supportedgroups_len = 0; + OPENSSL_free(s->ext.peer_supportedgroups); + s->ext.peer_supportedgroups = NULL; + s->ext.peer_supportedgroups_len = 0; if (!tls1_save_u16(&supported_groups_list, - &s->session->ext.supportedgroups, - &s->session->ext.supportedgroups_len)) { + &s->ext.peer_supportedgroups, + &s->ext.peer_supportedgroups_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); @@ -1378,7 +1378,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) - && (s->session->ext.ecpointformats != NULL); + && (s->ext.peer_ecpointformats != NULL); const unsigned char *plist; size_t plistlen; @@ -1489,6 +1489,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { + /* We don't currently support this extension inside a CertificateRequest */ + if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) + return EXT_RETURN_NOT_SENT; + if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; diff --git a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c index ec82e6d3..760b6dbd 100644 --- a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c +++ b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c @@ -475,12 +475,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_CR_KEY_UPDATE: - if (s->key_update != SSL_KEY_UPDATE_NONE) { - st->hand_state = TLS_ST_CW_KEY_UPDATE; - return WRITE_TRAN_CONTINUE; - } - /* Fall through */ - case TLS_ST_CW_KEY_UPDATE: case TLS_ST_CR_SESSION_TICKET: case TLS_ST_CW_FINISHED: diff --git a/freebsd/crypto/openssl/ssl/statem/statem_lib.c b/freebsd/crypto/openssl/ssl/statem/statem_lib.c index 74d380a7..70ff8dbd 100644 --- a/freebsd/crypto/openssl/ssl/statem/statem_lib.c +++ b/freebsd/crypto/openssl/ssl/statem/statem_lib.c @@ -170,9 +170,19 @@ int tls_setup_handshake(SSL *s) static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, void **hdata, size_t *hdatalen) { +#ifdef CHARSET_EBCDIC + static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; + static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; +#else static const char *servercontext = "TLS 1.3, server CertificateVerify"; static const char *clientcontext = "TLS 1.3, client CertificateVerify"; - +#endif if (SSL_IS_TLS13(s)) { size_t hashlen; @@ -647,12 +657,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) /* * If we get a request for us to update our sending keys too then, we need * to additionally send a KeyUpdate message. However that message should - * not also request an update (otherwise we get into an infinite loop). We - * ignore a request for us to update our sending keys too if we already - * sent close_notify. + * not also request an update (otherwise we get into an infinite loop). */ - if (updatetype == SSL_KEY_UPDATE_REQUESTED - && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) + if (updatetype == SSL_KEY_UPDATE_REQUESTED) s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; if (!tls13_update_key(s, 0)) { diff --git a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c index de1a6c77..11c937e3 100644 --- a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c +++ b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c @@ -504,12 +504,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SR_KEY_UPDATE: - if (s->key_update != SSL_KEY_UPDATE_NONE) { - st->hand_state = TLS_ST_SW_KEY_UPDATE; - return WRITE_TRAN_CONTINUE; - } - /* Fall through */ - case TLS_ST_SW_KEY_UPDATE: st->hand_state = TLS_ST_OK; return WRITE_TRAN_CONTINUE; @@ -1929,14 +1923,14 @@ static int tls_early_post_process_client_hello(SSL *s) && master_key_length > 0) { s->session->master_key_length = master_key_length; s->hit = 1; - s->session->ciphers = ciphers; + s->peer_ciphers = ciphers; s->session->verify_result = X509_V_OK; ciphers = NULL; /* check if some cipher was preferred by call back */ if (pref_cipher == NULL) - pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, + pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s)); if (pref_cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, @@ -1947,9 +1941,9 @@ static int tls_early_post_process_client_hello(SSL *s) s->session->cipher = pref_cipher; sk_SSL_CIPHER_free(s->cipher_list); - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers); sk_SSL_CIPHER_free(s->cipher_list_by_id); - s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); + s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers); } } @@ -2049,12 +2043,12 @@ static int tls_early_post_process_client_hello(SSL *s) #endif /* - * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher + * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher */ if (!s->hit || SSL_IS_TLS13(s)) { - sk_SSL_CIPHER_free(s->session->ciphers); - s->session->ciphers = ciphers; + sk_SSL_CIPHER_free(s->peer_ciphers); + s->peer_ciphers = ciphers; if (ciphers == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, @@ -2070,6 +2064,10 @@ static int tls_early_post_process_client_hello(SSL *s) #else s->session->compress_meth = (comp == NULL) ? 0 : comp->id; #endif + if (!tls1_set_server_sigalgs(s)) { + /* SSLfatal() already called */ + goto err; + } } sk_SSL_CIPHER_free(ciphers); @@ -2237,31 +2235,25 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) if (wst == WORK_MORE_B) { if (!s->hit || SSL_IS_TLS13(s)) { /* Let cert callback update server certificates if required */ - if (!s->hit) { - if (s->cert->cert_cb != NULL) { - int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); - if (rv == 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CERT_CB_ERROR); - goto err; - } - if (rv < 0) { - s->rwstate = SSL_X509_LOOKUP; - return WORK_MORE_B; - } - s->rwstate = SSL_NOTHING; - } - if (!tls1_set_server_sigalgs(s)) { - /* SSLfatal already called */ + if (!s->hit && s->cert->cert_cb != NULL) { + int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); + if (rv == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CERT_CB_ERROR); goto err; } + if (rv < 0) { + s->rwstate = SSL_X509_LOOKUP; + return WORK_MORE_B; + } + s->rwstate = SSL_NOTHING; } /* In TLSv1.3 we selected the ciphersuite before resumption */ if (!SSL_IS_TLS13(s)) { cipher = - ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s)); if (cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, diff --git a/freebsd/crypto/openssl/ssl/t1_lib.c b/freebsd/crypto/openssl/ssl/t1_lib.c index 087fd0be..edb557e7 100644 --- a/freebsd/crypto/openssl/ssl/t1_lib.c +++ b/freebsd/crypto/openssl/ssl/t1_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,6 +23,8 @@ #include "ssl_locl.h" #include <openssl/ct.h> +static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey); + SSL3_ENC_METHOD const TLSv1_enc_data = { tls1_enc, tls1_mac, @@ -467,11 +469,11 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) * If point formats extension present check it, otherwise everything is * supported (see RFC4492). */ - if (s->session->ext.ecpointformats == NULL) + if (s->ext.peer_ecpointformats == NULL) return 1; - for (i = 0; i < s->session->ext.ecpointformats_len; i++) { - if (s->session->ext.ecpointformats[i] == comp_id) + for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { + if (s->ext.peer_ecpointformats[i] == comp_id) return 1; } return 0; @@ -580,7 +582,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) if (check_ee_md && tls1_suiteb(s)) { int check_md; size_t i; - CERT *c = s->cert; /* Check to see we have necessary signing algorithm */ if (group_id == TLSEXT_curve_P_256) @@ -589,8 +590,8 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md) check_md = NID_ecdsa_with_SHA384; else return 0; /* Should never happen */ - for (i = 0; i < c->shared_sigalgslen; i++) { - if (check_md == c->shared_sigalgs[i]->sigandhash) + for (i = 0; i < s->shared_sigalgslen; i++) { + if (check_md == s->shared_sigalgs[i]->sigandhash) return 1;; } return 0; @@ -1217,9 +1218,9 @@ int tls1_set_server_sigalgs(SSL *s) size_t i; /* Clear any shared signature algorithms */ - OPENSSL_free(s->cert->shared_sigalgs); - s->cert->shared_sigalgs = NULL; - s->cert->shared_sigalgslen = 0; + OPENSSL_free(s->shared_sigalgs); + s->shared_sigalgs = NULL; + s->shared_sigalgslen = 0; /* Clear certificate validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) s->s3->tmp.valid_flags[i] = 0; @@ -1254,7 +1255,7 @@ int tls1_set_server_sigalgs(SSL *s) SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR); return 0; } - if (s->cert->shared_sigalgs != NULL) + if (s->shared_sigalgs != NULL) return 1; /* Fatal error if no shared signature algorithms */ @@ -1726,9 +1727,9 @@ static int tls1_set_shared_sigalgs(SSL *s) CERT *c = s->cert; unsigned int is_suiteb = tls1_suiteb(s); - OPENSSL_free(c->shared_sigalgs); - c->shared_sigalgs = NULL; - c->shared_sigalgslen = 0; + OPENSSL_free(s->shared_sigalgs); + s->shared_sigalgs = NULL; + s->shared_sigalgslen = 0; /* If client use client signature algorithms if not NULL */ if (!s->server && c->client_sigalgs && !is_suiteb) { conf = c->client_sigalgs; @@ -1759,8 +1760,8 @@ static int tls1_set_shared_sigalgs(SSL *s) } else { salgs = NULL; } - c->shared_sigalgs = salgs; - c->shared_sigalgslen = nmatch; + s->shared_sigalgs = salgs; + s->shared_sigalgslen = nmatch; return 1; } @@ -1821,7 +1822,6 @@ int tls1_process_sigalgs(SSL *s) { size_t i; uint32_t *pvalid = s->s3->tmp.valid_flags; - CERT *c = s->cert; if (!tls1_set_shared_sigalgs(s)) return 0; @@ -1829,8 +1829,8 @@ int tls1_process_sigalgs(SSL *s) for (i = 0; i < SSL_PKEY_NUM; i++) pvalid[i] = 0; - for (i = 0; i < c->shared_sigalgslen; i++) { - const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i]; + for (i = 0; i < s->shared_sigalgslen; i++) { + const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i]; int idx = sigptr->sig_idx; /* Ignore PKCS1 based sig algs in TLSv1.3 */ @@ -1877,12 +1877,12 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, unsigned char *rsig, unsigned char *rhash) { const SIGALG_LOOKUP *shsigalgs; - if (s->cert->shared_sigalgs == NULL + if (s->shared_sigalgs == NULL || idx < 0 - || idx >= (int)s->cert->shared_sigalgslen - || s->cert->shared_sigalgslen > INT_MAX) + || idx >= (int)s->shared_sigalgslen + || s->shared_sigalgslen > INT_MAX) return 0; - shsigalgs = s->cert->shared_sigalgs[idx]; + shsigalgs = s->shared_sigalgs[idx]; if (phash != NULL) *phash = shsigalgs->hash; if (psign != NULL) @@ -1893,7 +1893,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, *rsig = (unsigned char)(shsigalgs->sigalg & 0xff); if (rhash != NULL) *rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff); - return (int)s->cert->shared_sigalgslen; + return (int)s->shared_sigalgslen; } /* Maximum possible number of unique entries in sigalgs array */ @@ -2074,18 +2074,36 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client) return 0; } -static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid) +static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) { - int sig_nid; + int sig_nid, use_pc_sigalgs = 0; size_t i; + const SIGALG_LOOKUP *sigalg; + size_t sigalgslen; if (default_nid == -1) return 1; sig_nid = X509_get_signature_nid(x); if (default_nid) return sig_nid == default_nid ? 1 : 0; - for (i = 0; i < c->shared_sigalgslen; i++) - if (sig_nid == c->shared_sigalgs[i]->sigandhash) + + if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) { + /* + * If we're in TLSv1.3 then we only get here if we're checking the + * chain. If the peer has specified peer_cert_sigalgs then we use them + * otherwise we default to normal sigalgs. + */ + sigalgslen = s->s3->tmp.peer_cert_sigalgslen; + use_pc_sigalgs = 1; + } else { + sigalgslen = s->shared_sigalgslen; + } + for (i = 0; i < sigalgslen; i++) { + sigalg = use_pc_sigalgs + ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]) + : s->shared_sigalgs[i]; + if (sig_nid == sigalg->sigandhash) return 1; + } return 0; } @@ -2242,14 +2260,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, } } /* Check signature algorithm of each cert in chain */ - if (!tls1_check_sig_alg(c, x, default_nid)) { + if (SSL_IS_TLS13(s)) { + /* + * We only get here if the application has called SSL_check_chain(), + * so check_flags is always set. + */ + if (find_sig_alg(s, x, pk) != NULL) + rv |= CERT_PKEY_EE_SIGNATURE; + } else if (!tls1_check_sig_alg(s, x, default_nid)) { if (!check_flags) goto end; } else rv |= CERT_PKEY_EE_SIGNATURE; rv |= CERT_PKEY_CA_SIGNATURE; for (i = 0; i < sk_X509_num(chain); i++) { - if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) { + if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) { if (check_flags) { rv &= ~CERT_PKEY_CA_SIGNATURE; break; @@ -2530,44 +2555,33 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) } /* - * Returns true if |s| has a usable certificate configured for use - * with signature scheme |sig|. - * "Usable" includes a check for presence as well as applying - * the signature_algorithm_cert restrictions sent by the peer (if any). - * Returns false if no usable certificate is found. + * Checks the given cert against signature_algorithm_cert restrictions sent by + * the peer (if any) as well as whether the hash from the sigalg is usable with + * the key. + * Returns true if the cert is usable and false otherwise. */ -static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) +static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, + EVP_PKEY *pkey) { const SIGALG_LOOKUP *lu; int mdnid, pknid, default_mdnid; - int mandatory_md = 0; size_t i; - /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */ - if (idx == -1) - idx = sig->sig_idx; - if (!ssl_has_cert(s, idx)) - return 0; /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */ ERR_set_mark(); - switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey, - &default_mdnid)) { - case 2: - mandatory_md = 1; - break; - case 1: - break; - default: /* If it didn't report a mandatory NID, for whatever reasons, - * just clear the error and allow all hashes to be used. */ - ERR_pop_to_mark(); - } + if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 && + sig->hash != default_mdnid) + return 0; + + /* If it didn't report a mandatory NID, for whatever reasons, + * just clear the error and allow all hashes to be used. */ + ERR_pop_to_mark(); + if (s->s3->tmp.peer_cert_sigalgs != NULL) { for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) { lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]); if (lu == NULL - || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid, - &pknid, NULL, NULL) - || (mandatory_md && mdnid != default_mdnid)) + || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL)) continue; /* * TODO this does not differentiate between the @@ -2580,7 +2594,104 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) } return 0; } - return !mandatory_md || sig->hash == default_mdnid; + return 1; +} + +/* + * Returns true if |s| has a usable certificate configured for use + * with signature scheme |sig|. + * "Usable" includes a check for presence as well as applying + * the signature_algorithm_cert restrictions sent by the peer (if any). + * Returns false if no usable certificate is found. + */ +static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) +{ + /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */ + if (idx == -1) + idx = sig->sig_idx; + if (!ssl_has_cert(s, idx)) + return 0; + + return check_cert_usable(s, sig, s->cert->pkeys[idx].x509, + s->cert->pkeys[idx].privatekey); +} + +/* + * Returns true if the supplied cert |x| and key |pkey| is usable with the + * specified signature scheme |sig|, or false otherwise. + */ +static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x, + EVP_PKEY *pkey) +{ + size_t idx; + + if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL) + return 0; + + /* Check the key is consistent with the sig alg */ + if ((int)idx != sig->sig_idx) + return 0; + + return check_cert_usable(s, sig, x, pkey); +} + +/* + * Find a signature scheme that works with the supplied certificate |x| and key + * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our + * available certs/keys to find one that works. + */ +static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey) +{ + const SIGALG_LOOKUP *lu = NULL; + size_t i; +#ifndef OPENSSL_NO_EC + int curve = -1; +#endif + EVP_PKEY *tmppkey; + + /* Look for a shared sigalgs matching possible certificates */ + for (i = 0; i < s->shared_sigalgslen; i++) { + lu = s->shared_sigalgs[i]; + + /* Skip SHA1, SHA224, DSA and RSA if not PSS */ + if (lu->hash == NID_sha1 + || lu->hash == NID_sha224 + || lu->sig == EVP_PKEY_DSA + || lu->sig == EVP_PKEY_RSA) + continue; + /* Check that we have a cert, and signature_algorithms_cert */ + if (!tls1_lookup_md(lu, NULL)) + continue; + if ((pkey == NULL && !has_usable_cert(s, lu, -1)) + || (pkey != NULL && !is_cert_usable(s, lu, x, pkey))) + continue; + + tmppkey = (pkey != NULL) ? pkey + : s->cert->pkeys[lu->sig_idx].privatekey; + + if (lu->sig == EVP_PKEY_EC) { +#ifndef OPENSSL_NO_EC + if (curve == -1) { + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey); + curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + } + if (lu->curve != NID_undef && curve != lu->curve) + continue; +#else + continue; +#endif + } else if (lu->sig == EVP_PKEY_RSA_PSS) { + /* validate that key is large enough for the signature algorithm */ + if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu)) + continue; + } + break; + } + + if (i == s->shared_sigalgslen) + return NULL; + + return lu; } /* @@ -2603,48 +2714,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) s->s3->tmp.sigalg = NULL; if (SSL_IS_TLS13(s)) { - size_t i; -#ifndef OPENSSL_NO_EC - int curve = -1; -#endif - - /* Look for a certificate matching shared sigalgs */ - for (i = 0; i < s->cert->shared_sigalgslen; i++) { - lu = s->cert->shared_sigalgs[i]; - sig_idx = -1; - - /* Skip SHA1, SHA224, DSA and RSA if not PSS */ - if (lu->hash == NID_sha1 - || lu->hash == NID_sha224 - || lu->sig == EVP_PKEY_DSA - || lu->sig == EVP_PKEY_RSA) - continue; - /* Check that we have a cert, and signature_algorithms_cert */ - if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1)) - continue; - if (lu->sig == EVP_PKEY_EC) { -#ifndef OPENSSL_NO_EC - if (curve == -1) { - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey); - - curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); - } - if (lu->curve != NID_undef && curve != lu->curve) - continue; -#else - continue; -#endif - } else if (lu->sig == EVP_PKEY_RSA_PSS) { - /* validate that key is large enough for the signature algorithm */ - EVP_PKEY *pkey; - - pkey = s->cert->pkeys[lu->sig_idx].privatekey; - if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu)) - continue; - } - break; - } - if (i == s->cert->shared_sigalgslen) { + lu = find_sig_alg(s, NULL, NULL); + if (lu == NULL) { if (!fatalerrs) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG, @@ -2677,8 +2748,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) * Find highest preference signature algorithm matching * cert type */ - for (i = 0; i < s->cert->shared_sigalgslen; i++) { - lu = s->cert->shared_sigalgs[i]; + for (i = 0; i < s->shared_sigalgslen; i++) { + lu = s->shared_sigalgs[i]; if (s->server) { if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) @@ -2705,7 +2776,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) #endif break; } - if (i == s->cert->shared_sigalgslen) { + if (i == s->shared_sigalgslen) { if (!fatalerrs) return 1; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, diff --git a/freebsd/crypto/openssl/ssl/tls13_enc.c b/freebsd/crypto/openssl/ssl/tls13_enc.c index d3062e7b..e1896cb1 100644 --- a/freebsd/crypto/openssl/ssl/tls13_enc.c +++ b/freebsd/crypto/openssl/ssl/tls13_enc.c @@ -32,7 +32,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, const unsigned char *data, size_t datalen, unsigned char *out, size_t outlen, int fatal) { +#ifdef CHARSET_EBCDIC + static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; +#else static const unsigned char label_prefix[] = "tls13 "; +#endif EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); int ret; size_t hkdflabellen; @@ -114,7 +118,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *key, size_t keylen) { - static const unsigned char keylabel[] = "key"; +#ifdef CHARSET_EBCDIC + static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; +#else + static const unsigned char keylabel[] = "key"; +#endif return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, NULL, 0, key, keylen, 1); @@ -127,7 +135,11 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *iv, size_t ivlen) { - static const unsigned char ivlabel[] = "iv"; +#ifdef CHARSET_EBCDIC + static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; +#else + static const unsigned char ivlabel[] = "iv"; +#endif return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, NULL, 0, iv, ivlen, 1); @@ -137,7 +149,11 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *fin, size_t finlen) { - static const unsigned char finishedlabel[] = "finished"; +#ifdef CHARSET_EBCDIC + static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; +#else + static const unsigned char finishedlabel[] = "finished"; +#endif return tls13_hkdf_expand(s, md, secret, finishedlabel, sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); @@ -158,7 +174,11 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, int mdleni; int ret; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); +#ifdef CHARSET_EBCDIC + static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; +#else static const char derived_secret_label[] = "derived"; +#endif unsigned char preextractsec[EVP_MAX_MD_SIZE]; if (pctx == NULL) { @@ -411,6 +431,16 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, int tls13_change_cipher_state(SSL *s, int which) { +#ifdef CHARSET_EBCDIC + static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; + static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; + static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; + static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; + static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; + static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; + static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; + static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; +#else static const unsigned char client_early_traffic[] = "c e traffic"; static const unsigned char client_handshake_traffic[] = "c hs traffic"; static const unsigned char client_application_traffic[] = "c ap traffic"; @@ -419,6 +449,7 @@ int tls13_change_cipher_state(SSL *s, int which) static const unsigned char exporter_master_secret[] = "exp master"; static const unsigned char resumption_master_secret[] = "res master"; static const unsigned char early_exporter_master_secret[] = "e exp master"; +#endif unsigned char *iv; unsigned char secret[EVP_MAX_MD_SIZE]; unsigned char hashval[EVP_MAX_MD_SIZE]; @@ -686,7 +717,11 @@ int tls13_change_cipher_state(SSL *s, int which) int tls13_update_key(SSL *s, int sending) { - static const unsigned char application_traffic[] = "traffic upd"; +#ifdef CHARSET_EBCDIC + static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; +#else + static const unsigned char application_traffic[] = "traffic upd"; +#endif const EVP_MD *md = ssl_handshake_md(s); size_t hashlen = EVP_MD_size(md); unsigned char *insecret, *iv; @@ -743,7 +778,11 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, size_t contextlen, int use_context) { unsigned char exportsecret[EVP_MAX_MD_SIZE]; +#ifdef CHARSET_EBCDIC + static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; +#else static const unsigned char exporterlabel[] = "exporter"; +#endif unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; const EVP_MD *md = ssl_handshake_md(s); EVP_MD_CTX *ctx = EVP_MD_CTX_new(); @@ -780,7 +819,11 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, const unsigned char *context, size_t contextlen) { - static const unsigned char exporterlabel[] = "exporter"; +#ifdef CHARSET_EBCDIC + static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; +#else + static const unsigned char exporterlabel[] = "exporter"; +#endif unsigned char exportsecret[EVP_MAX_MD_SIZE]; unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; const EVP_MD *md; diff --git a/freebsd/include/rpcsvc/yp_prot.h b/freebsd/include/rpcsvc/yp_prot.h index a0090ac6..61cddd1a 100644 --- a/freebsd/include/rpcsvc/yp_prot.h +++ b/freebsd/include/rpcsvc/yp_prot.h @@ -81,7 +81,7 @@ typedef u_int bool; #define YPPROG ((u_long)100004) #define YPVERS ((u_long)2) #define YPVERS_ORIG ((u_long)1) -#define YPMAXRECORD ((u_long)1024) +#define YPMAXRECORD ((u_long)16 * 1024 * 1024) #define YPMAXDOMAIN ((u_long)64) #define YPMAXMAP ((u_long)64) #define YPMAXPEER ((u_long)256) diff --git a/freebsd/lib/libc/nameser/ns_name.c b/freebsd/lib/libc/nameser/ns_name.c index 50946fab..0e764359 100644 --- a/freebsd/lib/libc/nameser/ns_name.c +++ b/freebsd/lib/libc/nameser/ns_name.c @@ -686,7 +686,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) { const u_char *cp; u_int n; - int l; + int l = 0; cp = *ptrptr; while (cp < eom && (n = *cp++) != 0) { @@ -696,7 +696,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom) cp += n; continue; case NS_TYPE_ELT: /*%< EDNS0 extended label */ - if ((l = labellen(cp - 1)) < 0) { + if (cp < eom && (l = labellen(cp - 1)) < 0) { errno = EMSGSIZE; /*%< XXX */ return (-1); } diff --git a/freebsd/lib/libc/net/gethostbynis.c b/freebsd/lib/libc/net/gethostbynis.c index 5cf4b2e0..9a715b1c 100644 --- a/freebsd/lib/libc/net/gethostbynis.c +++ b/freebsd/lib/libc/net/gethostbynis.c @@ -60,7 +60,7 @@ _gethostbynis(const char *name, char *map, int af, struct hostent *he, char *cp, **q; char *result; int resultlen, size, addrok = 0; - char ypbuf[YPMAXRECORD + 2]; + char *ypbuf; res_state statp; statp = __res_state(); @@ -90,10 +90,11 @@ _gethostbynis(const char *name, char *map, int af, struct hostent *he, } /* avoid potential memory leak */ - bcopy((char *)result, (char *)&ypbuf, resultlen); + ypbuf = alloca(resultlen + 2); + bcopy(result, ypbuf, resultlen); ypbuf[resultlen] = '\0'; free(result); - result = (char *)&ypbuf; + result = ypbuf; if ((cp = strchr(result, '\n'))) *cp = '\0'; diff --git a/freebsd/lib/libc/net/getnetbynis.c b/freebsd/lib/libc/net/getnetbynis.c index cb7f1a6e..a643c8d4 100644 --- a/freebsd/lib/libc/net/getnetbynis.c +++ b/freebsd/lib/libc/net/getnetbynis.c @@ -60,7 +60,7 @@ _getnetbynis(const char *name, char *map, int af, struct netent *ne, char *cp, **q; char *result; int resultlen, len; - char ypbuf[YPMAXRECORD + 2]; + char *ypbuf; switch(af) { case AF_INET: @@ -79,10 +79,11 @@ _getnetbynis(const char *name, char *map, int af, struct netent *ne, &resultlen)) return (-1); - bcopy((char *)result, (char *)&ypbuf, resultlen); + ypbuf = alloca(resultlen + 2); + bcopy(result, ypbuf, resultlen); ypbuf[resultlen] = '\0'; free(result); - result = (char *)&ypbuf; + result = ypbuf; if ((cp = strchr(result, '\n'))) *cp = '\0'; diff --git a/freebsd/lib/libc/net/getservent.c b/freebsd/lib/libc/net/getservent.c index 5358093d..6e33f363 100644 --- a/freebsd/lib/libc/net/getservent.c +++ b/freebsd/lib/libc/net/getservent.c @@ -666,7 +666,7 @@ nis_servent(void *retval, void *mdata, va_list ap) { char *resultbuf, *lastkey; int resultbuflen; - char buf[YPMAXRECORD + 2]; + char *buf; struct nis_state *st; int rv; @@ -683,6 +683,7 @@ nis_servent(void *retval, void *mdata, va_list ap) name = NULL; proto = NULL; + buf = NULL; how = (enum nss_lookup_type)mdata; switch (how) { case nss_lt_name: @@ -718,7 +719,10 @@ nis_servent(void *retval, void *mdata, va_list ap) do { switch (how) { case nss_lt_name: - snprintf(buf, sizeof(buf), "%s/%s", name, proto); + free(buf); + asprintf(&buf, "%s/%s", name, proto); + if (buf == NULL) + return (NS_TRYAGAIN); if (yp_match(st->yp_domain, "services.byname", buf, strlen(buf), &resultbuf, &resultbuflen)) { rv = NS_NOTFOUND; @@ -726,8 +730,10 @@ nis_servent(void *retval, void *mdata, va_list ap) } break; case nss_lt_id: - snprintf(buf, sizeof(buf), "%d/%s", ntohs(port), - proto); + free(buf); + asprintf(&buf, "%d/%s", ntohs(port), proto); + if (buf == NULL) + return (NS_TRYAGAIN); /* * We have to be a little flexible @@ -793,6 +799,7 @@ nis_servent(void *retval, void *mdata, va_list ap) } while (!(rv & NS_TERMINATE) && how == nss_lt_all); fin: + free(buf); if (rv == NS_SUCCESS && retval != NULL) *(struct servent **)retval = serv; diff --git a/freebsd/lib/libc/rpc/getrpcent.c b/freebsd/lib/libc/rpc/getrpcent.c index d287d0be..bcac0308 100644 --- a/freebsd/lib/libc/rpc/getrpcent.c +++ b/freebsd/lib/libc/rpc/getrpcent.c @@ -402,7 +402,7 @@ nis_rpcent(void *retval, void *mdata, va_list ap) char *lastkey; char *resultbuf; int resultbuflen; - char buf[YPMAXRECORD + 2]; + char *buf; struct nis_state *st; int rv; @@ -424,6 +424,7 @@ nis_rpcent(void *retval, void *mdata, va_list ap) return (NS_NOTFOUND); } + buf = NULL; rpc = va_arg(ap, struct rpcent *); buffer = va_arg(ap, char *); bufsize = va_arg(ap, size_t); @@ -447,7 +448,10 @@ nis_rpcent(void *retval, void *mdata, va_list ap) case nss_lt_name: if (!st->no_name_map) { - snprintf(buf, sizeof buf, "%s", name); + free(buf); + asprintf(&buf, "%s", name); + if (buf == NULL) + return (NS_TRYAGAIN); rv = yp_match(st->domain, "rpc.byname", buf, strlen(buf), &resultbuf, &resultbuflen); @@ -475,7 +479,10 @@ nis_rpcent(void *retval, void *mdata, va_list ap) } break; case nss_lt_id: - snprintf(buf, sizeof buf, "%d", number); + free(buf); + asprintf(&buf, "%d", number); + if (buf == NULL) + return (NS_TRYAGAIN); if (yp_match(st->domain, "rpc.bynumber", buf, strlen(buf), &resultbuf, &resultbuflen)) { rv = NS_NOTFOUND; @@ -562,6 +569,7 @@ done: } while (!(rv & NS_TERMINATE) && (how == nss_lt_all)); fin: + free(buf); if ((rv == NS_SUCCESS) && (retval != NULL)) *((struct rpcent **)retval) = rpc; diff --git a/freebsd/lib/libcapsicum/capsicum_helpers.h b/freebsd/lib/libcapsicum/capsicum_helpers.h index d1c46e74..3064438f 100644 --- a/freebsd/lib/libcapsicum/capsicum_helpers.h +++ b/freebsd/lib/libcapsicum/capsicum_helpers.h @@ -51,6 +51,7 @@ __BEGIN_DECLS static __inline int caph_limit_stream(int fd, int flags) { +#ifndef __rtems__ cap_rights_t rights; unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ, FIODTYPE }; @@ -75,6 +76,7 @@ caph_limit_stream(int fd, int flags) if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) return (-1); +#endif /* __rtems__ */ return (0); } @@ -123,7 +125,9 @@ static __inline void caph_cache_catpages(void) { +#ifndef __rtems__ (void)catopen("libc", NL_CAT_LOCALE); +#endif /* __rtems__ */ } static __inline int diff --git a/freebsd/sbin/ping/ping.c b/freebsd/sbin/ping/ping.c index d3eafd7e..71976058 100644 --- a/freebsd/sbin/ping/ping.c +++ b/freebsd/sbin/ping/ping.c @@ -103,16 +103,20 @@ __FBSDID("$FreeBSD$"); #include <errno.h> #include <math.h> #include <netdb.h> +#include <stddef.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sysexits.h> +#include <time.h> #include <unistd.h> #ifdef __rtems__ #include "rtems-bsd-ping-ping-data.h" #endif /* __rtems__ */ +#include "utils.h" + #define INADDR_LEN ((int)sizeof(in_addr_t)) #define TIMEVAL_LEN ((int)sizeof(struct tv32)) #define MASK_LEN (ICMP_MASKLEN - ICMP_MINLEN) @@ -134,7 +138,7 @@ __FBSDID("$FreeBSD$"); struct tv32 { int32_t tv32_sec; - int32_t tv32_usec; + int32_t tv32_nsec; }; /* various options */ @@ -234,7 +238,6 @@ static char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN]; #endif /* __rtems__ */ static void fill(char *, char *); -static u_short in_cksum(u_short *, int); #ifndef __rtems__ static cap_channel_t *capdns_setup(void); #endif /* __rtems__ */ @@ -243,15 +246,14 @@ static void finish(void) __dead2; static void pinger(void); static char *pr_addr(struct in_addr); static char *pr_ntime(n_time); -static void pr_icmph(struct icmp *); +static void pr_icmph(struct icmp *, struct ip *, const u_char *const); static void pr_iph(struct ip *); -static void pr_pack(char *, int, struct sockaddr_in *, struct timeval *); -static void pr_retip(struct ip *); +static void pr_pack(char *, ssize_t, struct sockaddr_in *, struct timespec *); +static void pr_retip(struct ip *, const u_char *); #ifndef __rtems__ static void status(int); static void stopit(int); #endif /* __rtems__ */ -static void tvsub(struct timeval *, const struct timeval *); static void usage(void) __dead2; #ifdef __rtems__ @@ -285,9 +287,8 @@ main(int argc, char *const *argv) { struct sockaddr_in from, sock_in; struct in_addr ifaddr; - struct timeval last, intvl; + struct timespec last, intvl; struct iovec iov; - struct ip *ip; struct msghdr msg; #ifndef __rtems__ struct sigaction si_sa; @@ -309,7 +310,7 @@ main(int argc, char *const *argv) long ltmp; int almost_done, ch, df, hold, i, icmp_len, mib[4], preload; int ssend_errno, srecv_errno, tos, ttl; - char ctrl[CMSG_SPACE(sizeof(struct timeval))]; + char ctrl[CMSG_SPACE(sizeof(struct timespec))]; #ifndef __rtems__ char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN]; #endif /* __rtems__ */ @@ -335,6 +336,8 @@ main(int argc, char *const *argv) #define getopt(argc, argv, opt) getopt_r(argc, argv, "+" opt, &getopt_data) #endif /* __rtems__ */ + options |= F_NUMERIC; + /* * Do the stuff that we need root priv's for *first*, and * then drop our setuid bit. Save error reporting for @@ -692,16 +695,16 @@ main(int argc, char *const *argv) hostname = hnamebuf; } -#ifndef __rtems__ /* From now on we will use only reverse DNS lookups. */ +#ifdef WITH_CASPER if (capdns != NULL) { const char *types[1]; - types[0] = "ADDR"; + types[0] = "ADDR2NAME"; if (cap_dns_type_limit(capdns, types, 1) < 0) err(1, "unable to limit access to system.dns service"); } -#endif /* __rtems__ */ +#endif if (connect(ssend, (struct sockaddr *)&whereto, sizeof(whereto)) != 0) err(1, "connect"); @@ -766,7 +769,9 @@ main(int argc, char *const *argv) #endif /*IPSEC*/ if (options & F_HDRINCL) { - ip = (struct ip*)outpackhdr; + struct ip ip; + + memcpy(&ip, outpackhdr, sizeof(ip)); if (!(options & (F_TTL | F_MTTL))) { mib[0] = CTL_NET; mib[1] = PF_INET; @@ -777,15 +782,16 @@ main(int argc, char *const *argv) err(1, "sysctl(net.inet.ip.ttl)"); } setsockopt(ssend, IPPROTO_IP, IP_HDRINCL, &hold, sizeof(hold)); - ip->ip_v = IPVERSION; - ip->ip_hl = sizeof(struct ip) >> 2; - ip->ip_tos = tos; - ip->ip_id = 0; - ip->ip_off = htons(df ? IP_DF : 0); - ip->ip_ttl = ttl; - ip->ip_p = IPPROTO_ICMP; - ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY; - ip->ip_dst = to->sin_addr; + ip.ip_v = IPVERSION; + ip.ip_hl = sizeof(struct ip) >> 2; + ip.ip_tos = tos; + ip.ip_id = 0; + ip.ip_off = htons(df ? IP_DF : 0); + ip.ip_ttl = ttl; + ip.ip_p = IPPROTO_ICMP; + ip.ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY; + ip.ip_dst = to->sin_addr; + memcpy(outpackhdr, &ip, sizeof(ip)); } #ifndef __rtems__ @@ -802,7 +808,7 @@ main(int argc, char *const *argv) * We must connect(2) our socket before this point. */ if (cansandbox && cap_enter() < 0 && errno != ENOSYS) - err(1, "cap_enter"); + err(1, "caph_enter_casper"); cap_rights_init(&rights, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT); if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS) @@ -855,9 +861,15 @@ main(int argc, char *const *argv) } } #ifdef SO_TIMESTAMP - { int on = 1; - if (setsockopt(srecv, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0) - err(EX_OSERR, "setsockopt SO_TIMESTAMP"); + { + int on = 1; + int ts_clock = SO_TS_MONOTONIC; + if (setsockopt(srecv, SOL_SOCKET, SO_TIMESTAMP, &on, + sizeof(on)) < 0) + err(EX_OSERR, "setsockopt SO_TIMESTAMP"); + if (setsockopt(srecv, SOL_SOCKET, SO_TS_CLOCK, &ts_clock, + sizeof(ts_clock)) < 0) + err(EX_OSERR, "setsockopt SO_TS_CLOCK"); } #endif if (sweepmax) { @@ -960,6 +972,7 @@ main(int argc, char *const *argv) msg.msg_iovlen = 1; #ifdef SO_TIMESTAMP msg.msg_control = (caddr_t)ctrl; + msg.msg_controllen = sizeof(ctrl); #endif iov.iov_base = packet; iov.iov_len = IP_MAXPACKET; @@ -972,19 +985,19 @@ main(int argc, char *const *argv) while (preload--) /* fire off them quickies */ pinger(); } - (void)gettimeofday(&last, NULL); + (void)clock_gettime(CLOCK_MONOTONIC, &last); if (options & F_FLOOD) { intvl.tv_sec = 0; - intvl.tv_usec = 10000; + intvl.tv_nsec = 10000000; } else { intvl.tv_sec = interval / 1000; - intvl.tv_usec = interval % 1000 * 1000; + intvl.tv_nsec = interval % 1000 * 1000000; } almost_done = 0; while (!finish_up) { - struct timeval now, timeout; + struct timespec now, timeout; #ifndef __rtems__ fd_set rfds; #else /* __rtems__ */ @@ -992,7 +1005,8 @@ main(int argc, char *const *argv) sizeof(fd_set) * 8)]; #define rfds (*(fd_set *)(&big_enough_rfds[0])) #endif /* __rtems__ */ - int cc, n; + int n; + ssize_t cc; check_status(); #ifndef __rtems__ @@ -1003,28 +1017,18 @@ main(int argc, char *const *argv) memset(big_enough_rfds, 0, sizeof(big_enough_rfds)); #endif /* __rtems__ */ FD_SET(srecv, &rfds); - (void)gettimeofday(&now, NULL); - timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec; - timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec; - while (timeout.tv_usec < 0) { - timeout.tv_usec += 1000000; - timeout.tv_sec--; - } - while (timeout.tv_usec >= 1000000) { - timeout.tv_usec -= 1000000; - timeout.tv_sec++; - } + (void)clock_gettime(CLOCK_MONOTONIC, &now); + timespecadd(&last, &intvl, &timeout); + timespecsub(&timeout, &now, &timeout); if (timeout.tv_sec < 0) - timerclear(&timeout); - n = select(srecv + 1, &rfds, NULL, NULL, &timeout); + timespecclear(&timeout); + n = pselect(srecv + 1, &rfds, NULL, NULL, &timeout, NULL); if (n < 0) continue; /* Must be EINTR. */ if (n == 1) { - struct timeval *tv = NULL; + struct timespec *tv = NULL; #ifdef SO_TIMESTAMP - struct cmsghdr *cmsg = (struct cmsghdr *)&ctrl; - - msg.msg_controllen = sizeof(ctrl); + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); #endif msg.msg_namelen = sizeof(from); if ((cc = recvmsg(srecv, &msg, 0)) < 0) { @@ -1034,7 +1038,8 @@ main(int argc, char *const *argv) continue; } #ifdef SO_TIMESTAMP - if (cmsg->cmsg_level == SOL_SOCKET && + if (cmsg != NULL && + cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_TIMESTAMP && cmsg->cmsg_len == CMSG_LEN(sizeof *tv)) { /* Copy to avoid alignment problems: */ @@ -1043,7 +1048,7 @@ main(int argc, char *const *argv) } #endif if (tv == NULL) { - (void)gettimeofday(&now, NULL); + (void)clock_gettime(CLOCK_MONOTONIC, &now); tv = &now; } pr_pack((char *)packet, cc, &from, tv); @@ -1067,17 +1072,17 @@ main(int argc, char *const *argv) if (almost_done) break; almost_done = 1; - intvl.tv_usec = 0; + intvl.tv_nsec = 0; if (nreceived) { intvl.tv_sec = 2 * tmax / 1000; if (!intvl.tv_sec) intvl.tv_sec = 1; } else { intvl.tv_sec = waittime / 1000; - intvl.tv_usec = waittime % 1000 * 1000; + intvl.tv_nsec = waittime % 1000 * 1000000; } } - (void)gettimeofday(&last, NULL); + (void)clock_gettime(CLOCK_MONOTONIC, &last); if (ntransmitted - nreceived - 1 > nmissedmax) { nmissedmax = ntransmitted - nreceived - 1; if (options & F_MISSED) @@ -1116,53 +1121,69 @@ stopit(int sig __unused) * Compose and transmit an ICMP ECHO REQUEST packet. The IP packet * will be added on by the kernel. The ID field is our UNIX process ID, * and the sequence number is an ascending integer. The first TIMEVAL_LEN - * bytes of the data portion are used to hold a UNIX "timeval" struct in + * bytes of the data portion are used to hold a UNIX "timespec" struct in * host byte-order, to compute the round-trip time. */ static void pinger(void) { - struct timeval now; + struct timespec now; struct tv32 tv32; - struct ip *ip; - struct icmp *icp; + struct icmp icp; int cc, i; u_char *packet; packet = outpack; - icp = (struct icmp *)outpack; - icp->icmp_type = icmp_type; - icp->icmp_code = 0; - icp->icmp_cksum = 0; - icp->icmp_seq = htons(ntransmitted); - icp->icmp_id = ident; /* ID */ + memcpy(&icp, outpack, ICMP_MINLEN + phdr_len); + icp.icmp_type = icmp_type; + icp.icmp_code = 0; + icp.icmp_cksum = 0; + icp.icmp_seq = htons(ntransmitted); + icp.icmp_id = ident; /* ID */ CLR(ntransmitted % MAX_DUP_CHK); if ((options & F_TIME) || timing) { - (void)gettimeofday(&now, NULL); - - tv32.tv32_sec = htonl(now.tv_sec); - tv32.tv32_usec = htonl(now.tv_usec); + (void)clock_gettime(CLOCK_MONOTONIC, &now); + /* + * Truncate seconds down to 32 bits in order + * to fit the timestamp within 8 bytes of the + * packet. We're only concerned with + * durations, not absolute times. + */ + tv32.tv32_sec = (uint32_t)htonl(now.tv_sec); + tv32.tv32_nsec = (uint32_t)htonl(now.tv_nsec); if (options & F_TIME) - icp->icmp_otime = htonl((now.tv_sec % (24*60*60)) - * 1000 + now.tv_usec / 1000); + icp.icmp_otime = htonl((now.tv_sec % (24*60*60)) + * 1000 + now.tv_nsec / 1000000); if (timing) bcopy((void *)&tv32, (void *)&outpack[ICMP_MINLEN + phdr_len], sizeof(tv32)); } + memcpy(outpack, &icp, ICMP_MINLEN + phdr_len); + cc = ICMP_MINLEN + phdr_len + datalen; /* compute ICMP checksum here */ - icp->icmp_cksum = in_cksum((u_short *)icp, cc); + icp.icmp_cksum = in_cksum(outpack, cc); + /* Update icmp_cksum in the raw packet data buffer. */ + memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum, + sizeof(icp.icmp_cksum)); if (options & F_HDRINCL) { + struct ip ip; + cc += sizeof(struct ip); - ip = (struct ip *)outpackhdr; - ip->ip_len = htons(cc); - ip->ip_sum = in_cksum((u_short *)outpackhdr, cc); + ip.ip_len = htons(cc); + /* Update ip_len in the raw packet data buffer. */ + memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len, + sizeof(ip.ip_len)); + ip.ip_sum = in_cksum(outpackhdr, cc); + /* Update ip_sum in the raw packet data buffer. */ + memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum, + sizeof(ip.ip_sum)); packet = outpackhdr; } i = send(ssend, (char *)packet, cc, 0); @@ -1192,56 +1213,71 @@ pinger(void) * program to be run without having intermingled output (or statistics!). */ static void -pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) +pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv) { struct in_addr ina; - u_char *cp, *dp; - struct icmp *icp; - struct ip *ip; - const void *tp; + u_char *cp, *dp, l; + struct icmp icp; + struct ip ip; + const u_char *icmp_data_raw; double triptime; - int dupflag, hlen, i, j, recv_len, seq; + int dupflag, hlen, i, j, recv_len; + uint16_t seq; static int old_rrlen; static char old_rr[MAX_IPOPTLEN]; + struct ip oip; + u_char oip_header_len; + struct icmp oicmp; + const u_char *oicmp_raw; + + /* + * Get size of IP header of the received packet. The + * information is contained in the lower four bits of the + * first byte. + */ + memcpy(&l, buf, sizeof(l)); + hlen = (l & 0x0f) << 2; + memcpy(&ip, buf, hlen); /* Check the IP header */ - ip = (struct ip *)buf; - hlen = ip->ip_hl << 2; recv_len = cc; if (cc < hlen + ICMP_MINLEN) { if (options & F_VERBOSE) - warn("packet too short (%d bytes) from %s", cc, + warn("packet too short (%zd bytes) from %s", cc, inet_ntoa(from->sin_addr)); return; } +#ifndef icmp_data + icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_ip); +#else + icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_data); +#endif + /* Now the ICMP part */ cc -= hlen; - icp = (struct icmp *)(buf + hlen); - if (icp->icmp_type == icmp_type_rsp) { - if (icp->icmp_id != ident) + memcpy(&icp, buf + hlen, MIN((ssize_t)sizeof(icp), cc)); + if (icp.icmp_type == icmp_type_rsp) { + if (icp.icmp_id != ident) return; /* 'Twas not our ECHO */ ++nreceived; triptime = 0.0; if (timing) { - struct timeval tv1; + struct timespec tv1; struct tv32 tv32; -#ifndef icmp_data - tp = &icp->icmp_ip; -#else - tp = icp->icmp_data; -#endif - tp = (const char *)tp + phdr_len; + const u_char *tp; + + tp = icmp_data_raw + phdr_len; if ((size_t)(cc - ICMP_MINLEN - phdr_len) >= sizeof(tv1)) { /* Copy to avoid alignment problems: */ memcpy(&tv32, tp, sizeof(tv32)); tv1.tv_sec = ntohl(tv32.tv32_sec); - tv1.tv_usec = ntohl(tv32.tv32_usec); - tvsub(tv, &tv1); + tv1.tv_nsec = ntohl(tv32.tv32_nsec); + timespecsub(tv, &tv1, tv); triptime = ((double)tv->tv_sec) * 1000.0 + - ((double)tv->tv_usec) / 1000.0; + ((double)tv->tv_nsec) / 1000000.0; tsum += triptime; tsumsq += triptime * triptime; if (triptime < tmin) @@ -1252,7 +1288,7 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) timing = 0; } - seq = ntohs(icp->icmp_seq); + seq = ntohs(icp.icmp_seq); if (TST(seq % MAX_DUP_CHK)) { ++nrepeats; @@ -1274,10 +1310,9 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) if (options & F_FLOOD) (void)write(STDOUT_FILENO, &BSPACE, 1); else { - (void)printf("%d bytes from %s: icmp_seq=%u", cc, - inet_ntoa(*(struct in_addr *)&from->sin_addr.s_addr), - seq); - (void)printf(" ttl=%d", ip->ip_ttl); + (void)printf("%zd bytes from %s: icmp_seq=%u", cc, + pr_addr(from->sin_addr), seq); + (void)printf(" ttl=%d", ip.ip_ttl); if (timing) (void)printf(" time=%.3f ms", triptime); if (dupflag) @@ -1287,12 +1322,12 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) if (options & F_MASK) { /* Just prentend this cast isn't ugly */ (void)printf(" mask=%s", - inet_ntoa(*(struct in_addr *)&(icp->icmp_mask))); + inet_ntoa(*(struct in_addr *)&(icp.icmp_mask))); } if (options & F_TIME) { - (void)printf(" tso=%s", pr_ntime(icp->icmp_otime)); - (void)printf(" tsr=%s", pr_ntime(icp->icmp_rtime)); - (void)printf(" tst=%s", pr_ntime(icp->icmp_ttime)); + (void)printf(" tso=%s", pr_ntime(icp.icmp_otime)); + (void)printf(" tsr=%s", pr_ntime(icp.icmp_rtime)); + (void)printf(" tst=%s", pr_ntime(icp.icmp_ttime)); } if (recv_len != send_len) { (void)printf( @@ -1300,7 +1335,8 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) recv_len, send_len); } /* check the data */ - cp = (u_char*)&icp->icmp_data[phdr_len]; + cp = (u_char*)(buf + hlen + offsetof(struct icmp, + icmp_data) + phdr_len); dp = &outpack[ICMP_MINLEN + phdr_len]; cc -= ICMP_MINLEN + phdr_len; i = 0; @@ -1315,7 +1351,8 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) (void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x", i, *dp, *cp); (void)printf("\ncp:"); - cp = (u_char*)&icp->icmp_data[0]; + cp = (u_char*)(buf + hlen + + offsetof(struct icmp, icmp_data)); for (i = 0; i < datalen; ++i, ++cp) { if ((i % 16) == 8) (void)printf("\n\t"); @@ -1343,22 +1380,22 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) * as root to avoid leaking information not normally * available to those not running as root. */ -#ifndef icmp_data - struct ip *oip = &icp->icmp_ip; -#else - struct ip *oip = (struct ip *)icp->icmp_data; -#endif - struct icmp *oicmp = (struct icmp *)(oip + 1); + memcpy(&oip_header_len, icmp_data_raw, sizeof(oip_header_len)); + oip_header_len = (oip_header_len & 0x0f) << 2; + memcpy(&oip, icmp_data_raw, oip_header_len); + oicmp_raw = icmp_data_raw + oip_header_len; + memcpy(&oicmp, oicmp_raw, offsetof(struct icmp, icmp_id) + + sizeof(oicmp.icmp_id)); if (((options & F_VERBOSE) && uid == 0) || (!(options & F_QUIET2) && - (oip->ip_dst.s_addr == whereto.sin_addr.s_addr) && - (oip->ip_p == IPPROTO_ICMP) && - (oicmp->icmp_type == ICMP_ECHO) && - (oicmp->icmp_id == ident))) { - (void)printf("%d bytes from %s: ", cc, + (oip.ip_dst.s_addr == whereto.sin_addr.s_addr) && + (oip.ip_p == IPPROTO_ICMP) && + (oicmp.icmp_type == ICMP_ECHO) && + (oicmp.icmp_id == ident))) { + (void)printf("%zd bytes from %s: ", cc, pr_addr(from->sin_addr)); - pr_icmph(icp); + pr_icmph(&icp, &oip, oicmp_raw); } else return; } @@ -1452,65 +1489,6 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv) } } -/* - * in_cksum -- - * Checksum routine for Internet Protocol family headers (C Version) - */ -u_short -in_cksum(u_short *addr, int len) -{ - int nleft, sum; - u_short *w; - union { - u_short us; - u_char uc[2]; - } last; - u_short answer; - - nleft = len; - sum = 0; - w = addr; - - /* - * Our algorithm is simple, using a 32 bit accumulator (sum), we add - * sequential 16 bit words to it, and at the end, fold back all the - * carry bits from the top 16 bits into the lower 16 bits. - */ - while (nleft > 1) { - sum += *w++; - nleft -= 2; - } - - /* mop up an odd byte, if necessary */ - if (nleft == 1) { - last.uc[0] = *(u_char *)w; - last.uc[1] = 0; - sum += last.us; - } - - /* add back carry outs from top 16 bits to low 16 bits */ - sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ - sum += (sum >> 16); /* add carry */ - answer = ~sum; /* truncate to 16 bits */ - return(answer); -} - -/* - * tvsub -- - * Subtract 2 timeval structs: out = out - in. Out is assumed to - * be >= in. - */ -static void -tvsub(struct timeval *out, const struct timeval *in) -{ - - if ((out->tv_usec -= in->tv_usec) < 0) { - --out->tv_sec; - out->tv_usec += 1000000; - } - out->tv_sec -= in->tv_sec; -} - #ifndef __rtems__ /* * status -- @@ -1607,7 +1585,7 @@ static char *ttab[] = { * Print a descriptive string about an ICMP header. */ static void -pr_icmph(struct icmp *icp) +pr_icmph(struct icmp *icp, struct ip *oip, const u_char *const oicmp_raw) { switch(icp->icmp_type) { @@ -1645,19 +1623,11 @@ pr_icmph(struct icmp *icp) break; } /* Print returned IP header information */ -#ifndef icmp_data - pr_retip(&icp->icmp_ip); -#else - pr_retip((struct ip *)icp->icmp_data); -#endif + pr_retip(oip, oicmp_raw); break; case ICMP_SOURCEQUENCH: (void)printf("Source Quench\n"); -#ifndef icmp_data - pr_retip(&icp->icmp_ip); -#else - pr_retip((struct ip *)icp->icmp_data); -#endif + pr_retip(oip, oicmp_raw); break; case ICMP_REDIRECT: switch(icp->icmp_code) { @@ -1678,11 +1648,7 @@ pr_icmph(struct icmp *icp) break; } (void)printf("(New addr: %s)\n", inet_ntoa(icp->icmp_gwaddr)); -#ifndef icmp_data - pr_retip(&icp->icmp_ip); -#else - pr_retip((struct ip *)icp->icmp_data); -#endif + pr_retip(oip, oicmp_raw); break; case ICMP_ECHO: (void)printf("Echo Request\n"); @@ -1701,20 +1667,12 @@ pr_icmph(struct icmp *icp) icp->icmp_code); break; } -#ifndef icmp_data - pr_retip(&icp->icmp_ip); -#else - pr_retip((struct ip *)icp->icmp_data); -#endif + pr_retip(oip, oicmp_raw); break; case ICMP_PARAMPROB: (void)printf("Parameter problem: pointer = 0x%02x\n", icp->icmp_hun.ih_pptr); -#ifndef icmp_data - pr_retip(&icp->icmp_ip); -#else - pr_retip((struct ip *)icp->icmp_data); -#endif + pr_retip(oip, oicmp_raw); break; case ICMP_TSTAMP: (void)printf("Timestamp\n"); @@ -1815,14 +1773,9 @@ pr_addr(struct in_addr ina) * Dump some info on a returned (via ICMP) IP packet. */ static void -pr_retip(struct ip *ip) +pr_retip(struct ip *ip, const u_char *cp) { - u_char *cp; - int hlen; - pr_iph(ip); - hlen = ip->ip_hl << 2; - cp = (u_char *)ip + hlen; if (ip->ip_p == 6) (void)printf("TCP: from port %u, to port %u (decimal)\n", @@ -1835,7 +1788,7 @@ pr_retip(struct ip *ip) static char * pr_ntime(n_time timestamp) { - static char buf[10]; + static char buf[11]; int hour, min, sec; sec = ntohl(timestamp) / 1000; @@ -1884,9 +1837,10 @@ static cap_channel_t * capdns_setup(void) { cap_channel_t *capcas, *capdnsloc; +#ifdef WITH_CASPER const char *types[2]; int families[1]; - +#endif capcas = cap_init(); if (capcas == NULL) err(1, "unable to create casper process"); @@ -1895,14 +1849,15 @@ capdns_setup(void) cap_close(capcas); if (capdnsloc == NULL) err(1, "unable to open system.dns service"); - types[0] = "NAME"; - types[1] = "ADDR"; +#ifdef WITH_CASPER + types[0] = "NAME2ADDR"; + types[1] = "ADDR2NAME"; if (cap_dns_type_limit(capdnsloc, types, 2) < 0) err(1, "unable to limit access to system.dns service"); families[0] = AF_INET; if (cap_dns_family_limit(capdnsloc, families, 1) < 0) err(1, "unable to limit access to system.dns service"); - +#endif return (capdnsloc); } #endif /* __rtems__ */ diff --git a/freebsd/sbin/ping/rtems-bsd-ping-data.h b/freebsd/sbin/ping/rtems-bsd-ping-data.h index b89b2282..5f67525c 100644 --- a/freebsd/sbin/ping/rtems-bsd-ping-data.h +++ b/freebsd/sbin/ping/rtems-bsd-ping-data.h @@ -1,3 +1,4 @@ /* generated by userspace-header-gen.py */ #include <rtems/linkersets.h> /* ping.c */ +/* utils.c */ diff --git a/freebsd/sbin/ping/rtems-bsd-ping-namespace.h b/freebsd/sbin/ping/rtems-bsd-ping-namespace.h index a46682da..eef73af7 100644 --- a/freebsd/sbin/ping/rtems-bsd-ping-namespace.h +++ b/freebsd/sbin/ping/rtems-bsd-ping-namespace.h @@ -1,2 +1,4 @@ /* generated by userspace-header-gen.py */ /* ping.c */ +/* utils.c */ +#define in_cksum _bsd_ping_in_cksum diff --git a/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h b/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h new file mode 100644 index 00000000..255f394e --- /dev/null +++ b/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h @@ -0,0 +1,4 @@ +/* generated by userspace-header-gen.py */ +#include <rtems/linkersets.h> +#include "rtems-bsd-ping-data.h" +/* utils.c */ diff --git a/freebsd/sbin/ping/utils.c b/freebsd/sbin/ping/utils.c new file mode 100644 index 00000000..2e832b14 --- /dev/null +++ b/freebsd/sbin/ping/utils.c @@ -0,0 +1,107 @@ +#include <machine/rtems-bsd-user-space.h> + +#ifdef __rtems__ +#include "rtems-bsd-ping-namespace.h" +#endif /* __rtems__ */ + +/*- + * SPDX-License-Identifier: BSD-3-Clause + * + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Mike Muuss. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#if 0 +#ifndef lint +static const char copyright[] = +"@(#) Copyright (c) 1989, 1993\n\ + The Regents of the University of California. All rights reserved.\n"; +#endif /* not lint */ + +#ifndef lint +static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93"; +#endif /* not lint */ +#endif +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <string.h> +#ifdef __rtems__ +#include "rtems-bsd-ping-utils-data.h" +#endif /* __rtems__ */ + +#include "utils.h" + +/* + * in_cksum -- + * Checksum routine for Internet Protocol family headers (C Version) + */ +u_short +in_cksum(u_char *addr, int len) +{ + int nleft, sum; + u_char *w; + union { + u_short us; + u_char uc[2]; + } last; + u_short answer; + + nleft = len; + sum = 0; + w = addr; + + /* + * Our algorithm is simple, using a 32 bit accumulator (sum), we add + * sequential 16 bit words to it, and at the end, fold back all the + * carry bits from the top 16 bits into the lower 16 bits. + */ + while (nleft > 1) { + u_short data; + + memcpy(&data, w, sizeof(data)); + sum += data; + w += sizeof(data); + nleft -= sizeof(data); + } + + /* mop up an odd byte, if necessary */ + if (nleft == 1) { + last.uc[0] = *w; + last.uc[1] = 0; + sum += last.us; + } + + /* add back carry outs from top 16 bits to low 16 bits */ + sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ + sum += (sum >> 16); /* add carry */ + answer = ~sum; /* truncate to 16 bits */ + return(answer); +} diff --git a/freebsd/sbin/ping/utils.h b/freebsd/sbin/ping/utils.h new file mode 100644 index 00000000..cb56e587 --- /dev/null +++ b/freebsd/sbin/ping/utils.h @@ -0,0 +1,38 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (C) 2019 Jan Sucan <jansucan@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef UTILS_H +#define UTILS_H 1 + +#include <sys/types.h> + +u_short in_cksum(u_char *, int); + +#endif diff --git a/freebsd/sbin/ping6/ping6.c b/freebsd/sbin/ping6/ping6.c index c95572b0..122f6d0e 100644 --- a/freebsd/sbin/ping6/ping6.c +++ b/freebsd/sbin/ping6/ping6.c @@ -72,6 +72,7 @@ */ #if defined(__rtems__) && defined(INET6) +#if 0 #ifndef lint static const char copyright[] = "@(#) Copyright (c) 1989, 1993\n\ @@ -79,10 +80,9 @@ static const char copyright[] = #endif /* not lint */ #ifndef lint -#if 0 static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93"; -#endif #endif /* not lint */ +#endif #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); @@ -117,9 +117,9 @@ __FBSDID("$FreeBSD$"); #include <machine/rtems-bsd-commands.h> #endif /* __rtems__ */ #include <sys/param.h> +#include <sys/capsicum.h> #include <sys/uio.h> #include <sys/socket.h> -#include <sys/time.h> #include <net/if.h> #include <net/route.h> @@ -131,6 +131,10 @@ __FBSDID("$FreeBSD$"); #include <arpa/nameser.h> #include <netdb.h> +#include <capsicum_helpers.h> +#include <casper/cap_dns.h> +#include <libcasper.h> + #include <ctype.h> #include <err.h> #include <errno.h> @@ -141,6 +145,7 @@ __FBSDID("$FreeBSD$"); #include <stdlib.h> #include <string.h> #include <sysexits.h> +#include <time.h> #include <unistd.h> #ifdef IPSEC @@ -155,7 +160,7 @@ __FBSDID("$FreeBSD$"); struct tv32 { u_int32_t tv32_sec; - u_int32_t tv32_usec; + u_int32_t tv32_nsec; }; #define MAXPACKETLEN 131072 @@ -209,7 +214,7 @@ struct tv32 { #define F_DONTFRAG 0x1000000 #define F_NOUSERDATA (F_NODEADDR | F_FQDN | F_FQDNOLD | F_SUPTYPES) #define F_WAITTIME 0x2000000 -u_int options; +static u_int options; #define IN6LEN sizeof(struct in6_addr) #define SA6LEN sizeof(struct sockaddr_in6) @@ -230,7 +235,8 @@ static struct sockaddr_in6 dst; /* who to ping6 */ static struct sockaddr_in6 src; /* src addr of this packet */ static socklen_t srclen; static size_t datalen = DEFDATALEN; -static int s; /* socket file descriptor */ +static int ssend; /* send socket file descriptor */ +static int srecv; /* receive socket file descriptor */ static u_char outpack[MAXPACKETLEN]; static char BSPACE = '\b'; /* characters written for flood */ static char BBELL = '\a'; /* characters written for AUDIBLE */ @@ -240,6 +246,7 @@ static int ident; /* process id to identify our packets */ static u_int8_t nonce[8]; /* nonce field for node information */ static int hoplimit = -1; /* hoplimit */ static u_char *packet = NULL; +static cap_channel_t *capdns; /* counters */ static long nmissedmax; /* max value of ntransmitted - nreceived - 1 */ @@ -274,6 +281,7 @@ static volatile sig_atomic_t seeninfo; #ifndef __rtems__ int main(int, char *[]); #endif /* __rtems__ */ +static cap_channel_t *capdns_setup(void); static void fill(char *, char *); static int get_hoplim(struct msghdr *); static int get_pathmtu(struct msghdr *); @@ -289,7 +297,7 @@ static void pr_suptypes(struct icmp6_nodeinfo *, size_t); static void pr_nodeaddr(struct icmp6_nodeinfo *, int); static int myechoreply(const struct icmp6_hdr *); static int mynireply(const struct icmp6_nodeinfo *); -static char *dnsdecode(const u_char **, const u_char *, const u_char *, +static const char *dnsdecode(const u_char *, const u_char *, const u_char *, char *, size_t); static void pr_pack(u_char *, int, struct msghdr *); static void pr_exthdrs(struct msghdr *); @@ -298,8 +306,11 @@ static void pr_rthdr(void *, size_t); static int pr_bitrange(u_int32_t, int, int); static void pr_retip(struct ip6_hdr *, u_char *); static void summary(void); -static void tvsub(struct timeval *, struct timeval *); +#ifdef IPSEC +#ifdef IPSEC_POLICY_IPSEC static int setpolicy(int, char *); +#endif +#endif static char *nigroup(char *, int); static void usage(void); @@ -332,7 +343,7 @@ rtems_bsd_command_ping6(int argc, char *argv[]) int main(int argc, char *argv[]) { - struct timeval last, intvl; + struct timespec last, intvl; struct sockaddr_in6 from, *sin6; struct addrinfo hints, *res; struct sigaction si_sa; @@ -345,19 +356,18 @@ main(int argc, char *argv[]) struct cmsghdr *scmsgp = NULL; /* For control (ancillary) data received from recvmsg() */ #ifndef __rtems__ - struct cmsghdr cm[CONTROLLEN]; + u_char cm[CONTROLLEN]; #else /* __rtems__ */ - static struct cmsghdr cm[CONTROLLEN]; + static u_char cm[CONTROLLEN]; #endif /* __rtems__ */ #if defined(SO_SNDBUF) && defined(SO_RCVBUF) u_long lsockbufsize; int sockbufsize = 0; #endif int usepktinfo = 0; - struct in6_pktinfo *pktinfo = NULL; -#ifdef USE_RFC2292BIS + struct in6_pktinfo pktinfo; + char *cmsg_pktinfo = NULL; struct ip6_rthdr *rthdr = NULL; -#endif #ifdef IPSEC_POLICY_IPSEC char *policy_in = NULL; char *policy_out = NULL; @@ -368,6 +378,9 @@ main(int argc, char *argv[]) #ifdef IPV6_USE_MIN_MTU int mflag = 0; #endif + cap_rights_t rights_srecv; + cap_rights_t rights_ssend; + cap_rights_t rights_stdin; #ifdef __rtems__ struct getopt_data getopt_data; memset(&getopt_data, 0, sizeof(getopt_data)); @@ -381,9 +394,14 @@ main(int argc, char *argv[]) /* just to be sure */ memset(&smsghdr, 0, sizeof(smsghdr)); memset(&smsgiov, 0, sizeof(smsgiov)); + memset(&pktinfo, 0, sizeof(pktinfo)); + + intvl.tv_sec = interval / 1000; + intvl.tv_nsec = interval % 1000 * 1000000; alarmtimeout = preload = 0; datap = &outpack[ICMP6ECHOLEN + ICMP6ECHOTMLEN]; + capdns = capdns_setup(); #ifndef IPSEC #define ADDOPTS #else @@ -503,15 +521,15 @@ main(int argc, char *argv[]) errx(1, "%s: only root may use interval < 1s", strerror(EPERM)); } - intvl.tv_sec = (long)t; - intvl.tv_usec = - (long)((t - intvl.tv_sec) * 1000000); + intvl.tv_sec = (time_t)t; + intvl.tv_nsec = + (long)((t - intvl.tv_sec) * 1000000000); if (intvl.tv_sec < 0) errx(1, "illegal timing interval %s", optarg); /* less than 1/hz does not make sense */ - if (intvl.tv_sec == 0 && intvl.tv_usec < 1) { + if (intvl.tv_sec == 0 && intvl.tv_nsec < 1000) { warnx("too small interval, raised to .000001"); - intvl.tv_usec = 1; + intvl.tv_nsec = 1000; } options |= F_INTERVAL; break; @@ -562,7 +580,7 @@ main(int argc, char *argv[]) hints.ai_socktype = SOCK_RAW; hints.ai_protocol = IPPROTO_ICMPV6; - error = getaddrinfo(optarg, NULL, &hints, &res); + error = cap_getaddrinfo(capdns, optarg, NULL, &hints, &res); if (error) { errx(1, "invalid source address: %s", gai_strerror(error)); @@ -678,14 +696,14 @@ main(int argc, char *argv[]) } else target = argv[argc - 1]; - /* getaddrinfo */ + /* cap_getaddrinfo */ memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_flags = AI_CANONNAME; hints.ai_family = AF_INET6; hints.ai_socktype = SOCK_RAW; hints.ai_protocol = IPPROTO_ICMPV6; - error = getaddrinfo(target, NULL, &hints, &res); + error = cap_getaddrinfo(capdns, target, NULL, &hints, &res); if (error) errx(1, "%s", gai_strerror(error)); if (res->ai_canonname) @@ -694,13 +712,16 @@ main(int argc, char *argv[]) hostname = target; if (!res->ai_addr) - errx(1, "getaddrinfo failed"); + errx(1, "cap_getaddrinfo failed"); (void)memcpy(&dst, res->ai_addr, res->ai_addrlen); - if ((s = socket(res->ai_family, res->ai_socktype, + if ((ssend = socket(res->ai_family, res->ai_socktype, + res->ai_protocol)) < 0) + err(1, "socket ssend"); + if ((srecv = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) < 0) - err(1, "socket"); + err(1, "socket srecv"); freeaddrinfo(res); /* set the source address if specified. */ @@ -715,7 +736,7 @@ main(int argc, char *argv[]) if (dst.sin6_scope_id == 0) dst.sin6_scope_id = src.sin6_scope_id; } - if (bind(s, (struct sockaddr *)&src, srclen) != 0) + if (bind(ssend, (struct sockaddr *)&src, srclen) != 0) err(1, "bind"); } /* set the gateway (next hop) if specified */ @@ -725,15 +746,15 @@ main(int argc, char *argv[]) hints.ai_socktype = SOCK_RAW; hints.ai_protocol = IPPROTO_ICMPV6; - error = getaddrinfo(gateway, NULL, &hints, &res); + error = cap_getaddrinfo(capdns, gateway, NULL, &hints, &res); if (error) { - errx(1, "getaddrinfo for the gateway %s: %s", + errx(1, "cap_getaddrinfo for the gateway %s: %s", gateway, gai_strerror(error)); } if (res->ai_next && (options & F_VERBOSE)) warnx("gateway resolves to multiple addresses"); - if (setsockopt(s, IPPROTO_IPV6, IPV6_NEXTHOP, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_NEXTHOP, res->ai_addr, res->ai_addrlen)) { err(1, "setsockopt(IPV6_NEXTHOP)"); } @@ -749,25 +770,25 @@ main(int argc, char *argv[]) int opton = 1; #ifdef IPV6_RECVHOPOPTS - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVHOPOPTS, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVHOPOPTS, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_RECVHOPOPTS)"); #else /* old adv. API */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_HOPOPTS, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_HOPOPTS, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_HOPOPTS)"); #endif #ifdef IPV6_RECVDSTOPTS - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVDSTOPTS, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVDSTOPTS, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_RECVDSTOPTS)"); #else /* old adv. API */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_DSTOPTS, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_DSTOPTS)"); #endif #ifdef IPV6_RECVRTHDRDSTOPTS - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVRTHDRDSTOPTS, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVRTHDRDSTOPTS, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_RECVRTHDRDSTOPTS)"); #endif @@ -810,31 +831,34 @@ main(int argc, char *argv[]) arc4random_buf(nonce, sizeof(nonce)); optval = 1; if (options & F_DONTFRAG) - if (setsockopt(s, IPPROTO_IPV6, IPV6_DONTFRAG, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_DONTFRAG, &optval, sizeof(optval)) == -1) err(1, "IPV6_DONTFRAG"); hold = 1; - if (options & F_SO_DEBUG) - (void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold, + if (options & F_SO_DEBUG) { + (void)setsockopt(ssend, SOL_SOCKET, SO_DEBUG, (char *)&hold, sizeof(hold)); + (void)setsockopt(srecv, SOL_SOCKET, SO_DEBUG, (char *)&hold, + sizeof(hold)); + } optval = IPV6_DEFHLIM; if (IN6_IS_ADDR_MULTICAST(&dst.sin6_addr)) - if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &optval, sizeof(optval)) == -1) err(1, "IPV6_MULTICAST_HOPS"); #ifdef IPV6_USE_MIN_MTU if (mflag != 1) { optval = mflag > 1 ? 0 : 1; - if (setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &optval, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_USE_MIN_MTU)"); } #ifdef IPV6_RECVPATHMTU else { optval = 1; - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPATHMTU, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVPATHMTU, &optval, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_RECVPATHMTU)"); } @@ -844,27 +868,36 @@ main(int argc, char *argv[]) #ifdef IPSEC #ifdef IPSEC_POLICY_IPSEC if (options & F_POLICY) { - if (setpolicy(s, policy_in) < 0) + if (setpolicy(srecv, policy_in) < 0) errx(1, "%s", ipsec_strerror()); - if (setpolicy(s, policy_out) < 0) + if (setpolicy(ssend, policy_out) < 0) errx(1, "%s", ipsec_strerror()); } #else if (options & F_AUTHHDR) { optval = IPSEC_LEVEL_REQUIRE; #ifdef IPV6_AUTH_TRANS_LEVEL - if (setsockopt(s, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL, &optval, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_AUTH_TRANS_LEVEL)"); + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL, + &optval, sizeof(optval)) == -1) + err(1, "setsockopt(IPV6_AUTH_TRANS_LEVEL)"); #else /* old def */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_AUTH_LEVEL, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_AUTH_LEVEL, + &optval, sizeof(optval)) == -1) + err(1, "setsockopt(IPV6_AUTH_LEVEL)"); + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_AUTH_LEVEL, &optval, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_AUTH_LEVEL)"); #endif } if (options & F_ENCRYPT) { optval = IPSEC_LEVEL_REQUIRE; - if (setsockopt(s, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL, + &optval, sizeof(optval)) == -1) + err(1, "setsockopt(IPV6_ESP_TRANS_LEVEL)"); + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL, &optval, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_ESP_TRANS_LEVEL)"); } @@ -884,7 +917,7 @@ main(int argc, char *argv[]) } else { ICMP6_FILTER_SETPASSALL(&filt); } - if (setsockopt(s, IPPROTO_ICMPV6, ICMP6_FILTER, &filt, + if (setsockopt(srecv, IPPROTO_ICMPV6, ICMP6_FILTER, &filt, sizeof(filt)) < 0) err(1, "setsockopt(ICMP6_FILTER)"); } @@ -895,11 +928,11 @@ main(int argc, char *argv[]) int opton = 1; #ifdef IPV6_RECVRTHDR - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVRTHDR, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVRTHDR, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_RECVRTHDR)"); #else /* old adv. API */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, &opton, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RTHDR, &opton, sizeof(opton))) err(1, "setsockopt(IPV6_RTHDR)"); #endif @@ -908,7 +941,7 @@ main(int argc, char *argv[]) /* optval = 1; if (IN6_IS_ADDR_MULTICAST(&dst.sin6_addr)) - if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, &optval, sizeof(optval)) == -1) err(1, "IPV6_MULTICAST_LOOP"); */ @@ -926,11 +959,10 @@ main(int argc, char *argv[]) errx(1, "can't allocate enough memory"); smsghdr.msg_control = (caddr_t)scmsg; smsghdr.msg_controllen = ip6optlen; - scmsgp = (struct cmsghdr *)scmsg; + scmsgp = CMSG_FIRSTHDR(&smsghdr); } if (usepktinfo) { - pktinfo = (struct in6_pktinfo *)(CMSG_DATA(scmsgp)); - memset(pktinfo, 0, sizeof(*pktinfo)); + cmsg_pktinfo = CMSG_DATA(scmsgp); scmsgp->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); scmsgp->cmsg_level = IPPROTO_IPV6; scmsgp->cmsg_type = IPV6_PKTINFO; @@ -941,7 +973,7 @@ main(int argc, char *argv[]) if (ifname) { #ifndef USE_SIN6_SCOPE_ID /* pktinfo must have already been allocated */ - if ((pktinfo->ipi6_ifindex = if_nametoindex(ifname)) == 0) + if ((pktinfo.ipi6_ifindex = if_nametoindex(ifname)) == 0) errx(1, "%s: invalid interface name", ifname); #else if ((dst.sin6_scope_id = if_nametoindex(ifname)) == 0) @@ -952,18 +984,15 @@ main(int argc, char *argv[]) scmsgp->cmsg_len = CMSG_LEN(sizeof(int)); scmsgp->cmsg_level = IPPROTO_IPV6; scmsgp->cmsg_type = IPV6_HOPLIMIT; - *(int *)(CMSG_DATA(scmsgp)) = hoplimit; + memcpy(CMSG_DATA(scmsgp), &hoplimit, sizeof(hoplimit)); scmsgp = CMSG_NXTHDR(&smsghdr, scmsgp); } if (argc > 1) { /* some intermediate addrs are specified */ int hops; -#ifdef USE_RFC2292BIS int rthdrlen; -#endif -#ifdef USE_RFC2292BIS rthdrlen = inet6_rth_space(IPV6_RTHDR_TYPE_0, argc - 1); scmsgp->cmsg_len = CMSG_LEN(rthdrlen); scmsgp->cmsg_level = IPPROTO_IPV6; @@ -973,42 +1002,36 @@ main(int argc, char *argv[]) IPV6_RTHDR_TYPE_0, argc - 1); if (rthdr == NULL) errx(1, "can't initialize rthdr"); -#else /* old advanced API */ - if ((scmsgp = (struct cmsghdr *)inet6_rthdr_init(scmsgp, - IPV6_RTHDR_TYPE_0)) == NULL) - errx(1, "can't initialize rthdr"); -#endif /* USE_RFC2292BIS */ for (hops = 0; hops < argc - 1; hops++) { memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET6; - if ((error = getaddrinfo(argv[hops], NULL, &hints, + if ((error = cap_getaddrinfo(capdns, argv[hops], NULL, &hints, &res))) errx(1, "%s", gai_strerror(error)); if (res->ai_addr->sa_family != AF_INET6) errx(1, "bad addr family of an intermediate addr"); sin6 = (struct sockaddr_in6 *)(void *)res->ai_addr; -#ifdef USE_RFC2292BIS if (inet6_rth_add(rthdr, &sin6->sin6_addr)) errx(1, "can't add an intermediate node"); -#else /* old advanced API */ - if (inet6_rthdr_add(scmsg, &sin6->sin6_addr, - IPV6_RTHDR_LOOSE)) - errx(1, "can't add an intermediate node"); -#endif /* USE_RFC2292BIS */ freeaddrinfo(res); } -#ifndef USE_RFC2292BIS - if (inet6_rthdr_lasthop(scmsgp, IPV6_RTHDR_LOOSE)) - errx(1, "can't set the last flag"); -#endif - scmsgp = CMSG_NXTHDR(&smsghdr, scmsgp); } + /* From now on we will use only reverse DNS lookups. */ +#ifdef WITH_CASPER + if (capdns != NULL) { + const char *types[1]; + + types[0] = "ADDR2NAME"; + if (cap_dns_type_limit(capdns, types, nitems(types)) < 0) + err(1, "unable to limit access to system.dns service"); + } +#endif if (!(options & F_SRCADDR)) { /* * get the source address. XXX since we revoked the root @@ -1025,10 +1048,9 @@ main(int argc, char *argv[]) src.sin6_port = ntohs(DUMMY_PORT); src.sin6_scope_id = dst.sin6_scope_id; -#ifdef USE_RFC2292BIS - if (pktinfo && + if (usepktinfo && setsockopt(dummy, IPPROTO_IPV6, IPV6_PKTINFO, - (void *)pktinfo, sizeof(*pktinfo))) + (void *)&pktinfo, sizeof(pktinfo))) err(1, "UDP setsockopt(IPV6_PKTINFO)"); if (hoplimit != -1 && @@ -1045,12 +1067,6 @@ main(int argc, char *argv[]) setsockopt(dummy, IPPROTO_IPV6, IPV6_RTHDR, (void *)rthdr, (rthdr->ip6r_len + 1) << 3)) err(1, "UDP setsockopt(IPV6_RTHDR)"); -#else /* old advanced API */ - if (smsghdr.msg_control && - setsockopt(dummy, IPPROTO_IPV6, IPV6_PKTOPTIONS, - (void *)smsghdr.msg_control, smsghdr.msg_controllen)) - err(1, "UDP setsockopt(IPV6_PKTOPTIONS)"); -#endif if (connect(dummy, (struct sockaddr *)&src, len) < 0) err(1, "UDP connect"); @@ -1061,14 +1077,40 @@ main(int argc, char *argv[]) close(dummy); } + /* Save pktinfo in the ancillary data. */ + if (usepktinfo) + memcpy(cmsg_pktinfo, &pktinfo, sizeof(pktinfo)); + + if (connect(ssend, (struct sockaddr *)&dst, sizeof(dst)) != 0) + err(1, "connect() ssend"); + + caph_cache_catpages(); + if (caph_enter_casper() < 0) + err(1, "caph_enter_casper"); + + cap_rights_init(&rights_stdin); + if (cap_rights_limit(STDIN_FILENO, &rights_stdin) < 0) + err(1, "cap_rights_limit stdin"); + if (caph_limit_stdout() < 0) + err(1, "caph_limit_stdout"); + if (caph_limit_stderr() < 0) + err(1, "caph_limit_stderr"); + + cap_rights_init(&rights_srecv, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT); + if (caph_rights_limit(srecv, &rights_srecv) < 0) + err(1, "cap_rights_limit srecv"); + cap_rights_init(&rights_ssend, CAP_SEND, CAP_SETSOCKOPT); + if (caph_rights_limit(ssend, &rights_ssend) < 0) + err(1, "cap_rights_limit ssend"); + #if defined(SO_SNDBUF) && defined(SO_RCVBUF) if (sockbufsize) { if (datalen > (size_t)sockbufsize) warnx("you need -b to increase socket buffer size"); - if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &sockbufsize, + if (setsockopt(ssend, SOL_SOCKET, SO_SNDBUF, &sockbufsize, sizeof(sockbufsize)) < 0) err(1, "setsockopt(SO_SNDBUF)"); - if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, &sockbufsize, + if (setsockopt(srecv, SOL_SOCKET, SO_RCVBUF, &sockbufsize, sizeof(sockbufsize)) < 0) err(1, "setsockopt(SO_RCVBUF)"); } @@ -1082,7 +1124,7 @@ main(int argc, char *argv[]) * to get some stuff for /etc/ethers. */ hold = 48 * 1024; - setsockopt(s, SOL_SOCKET, SO_RCVBUF, (char *)&hold, + setsockopt(srecv, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold)); } #endif @@ -1090,25 +1132,32 @@ main(int argc, char *argv[]) optval = 1; #ifndef USE_SIN6_SCOPE_ID #ifdef IPV6_RECVPKTINFO - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, sizeof(optval)) < 0) warn("setsockopt(IPV6_RECVPKTINFO)"); /* XXX err? */ #else /* old adv. API */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, &optval, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_PKTINFO, &optval, sizeof(optval)) < 0) warn("setsockopt(IPV6_PKTINFO)"); /* XXX err? */ #endif #endif /* USE_SIN6_SCOPE_ID */ #ifdef IPV6_RECVHOPLIMIT - if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &optval, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &optval, sizeof(optval)) < 0) warn("setsockopt(IPV6_RECVHOPLIMIT)"); /* XXX err? */ #else /* old adv. API */ - if (setsockopt(s, IPPROTO_IPV6, IPV6_HOPLIMIT, &optval, + if (setsockopt(srecv, IPPROTO_IPV6, IPV6_HOPLIMIT, &optval, sizeof(optval)) < 0) warn("setsockopt(IPV6_HOPLIMIT)"); /* XXX err? */ #endif + cap_rights_clear(&rights_srecv, CAP_SETSOCKOPT); + if (caph_rights_limit(srecv, &rights_srecv) < 0) + err(1, "cap_rights_limit srecv setsockopt"); + cap_rights_clear(&rights_ssend, CAP_SETSOCKOPT); + if (caph_rights_limit(ssend, &rights_ssend) < 0) + err(1, "cap_rights_limit ssend setsockopt"); + printf("PING6(%lu=40+8+%lu bytes) ", (unsigned long)(40 + pingerlen()), (unsigned long)(pingerlen() - 8)); printf("%s --> ", pr_addr((struct sockaddr *)&src, sizeof(src))); @@ -1122,7 +1171,7 @@ main(int argc, char *argv[]) while (preload--) pinger(); } - gettimeofday(&last, NULL); + clock_gettime(CLOCK_MONOTONIC, &last); sigemptyset(&si_sa.sa_mask); si_sa.sa_flags = 0; @@ -1141,15 +1190,12 @@ main(int argc, char *argv[]) } if (options & F_FLOOD) { intvl.tv_sec = 0; - intvl.tv_usec = 10000; - } else if ((options & F_INTERVAL) == 0) { - intvl.tv_sec = interval / 1000; - intvl.tv_usec = interval % 1000 * 1000; + intvl.tv_nsec = 10000000; } almost_done = 0; while (seenint == 0) { - struct timeval now, timeout; + struct timespec now, timeout; struct msghdr m; struct iovec iov[2]; fd_set rfds; @@ -1166,22 +1212,14 @@ main(int argc, char *argv[]) } #endif FD_ZERO(&rfds); - FD_SET(s, &rfds); - gettimeofday(&now, NULL); - timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec; - timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec; - while (timeout.tv_usec < 0) { - timeout.tv_usec += 1000000; - timeout.tv_sec--; - } - while (timeout.tv_usec > 1000000) { - timeout.tv_usec -= 1000000; - timeout.tv_sec++; - } + FD_SET(srecv, &rfds); + clock_gettime(CLOCK_MONOTONIC, &now); + timespecadd(&last, &intvl, &timeout); + timespecsub(&timeout, &now, &timeout); if (timeout.tv_sec < 0) - timeout.tv_sec = timeout.tv_usec = 0; + timespecclear(&timeout); - n = select(s + 1, &rfds, NULL, NULL, &timeout); + n = pselect(srecv + 1, &rfds, NULL, NULL, &timeout, NULL); if (n < 0) continue; /* EINTR */ if (n == 1) { @@ -1196,7 +1234,7 @@ main(int argc, char *argv[]) m.msg_control = (void *)cm; m.msg_controllen = CONTROLLEN; - cc = recvmsg(s, &m, 0); + cc = recvmsg(srecv, &m, 0); if (cc < 0) { if (errno != EINTR) { warn("recvmsg"); @@ -1242,17 +1280,18 @@ main(int argc, char *argv[]) * if we've received any packets or (waittime) * milliseconds if we haven't. */ - intvl.tv_usec = 0; + intvl.tv_nsec = 0; if (nreceived) { intvl.tv_sec = 2 * tmax / 1000; if (intvl.tv_sec == 0) intvl.tv_sec = 1; } else { intvl.tv_sec = waittime / 1000; - intvl.tv_usec = waittime % 1000 * 1000; + intvl.tv_nsec = + waittime % 1000 * 1000000; } } - gettimeofday(&last, NULL); + clock_gettime(CLOCK_MONOTONIC, &last); if (ntransmitted - nreceived - 1 > nmissedmax) { nmissedmax = ntransmitted - nreceived - 1; if (options & F_MISSED) @@ -1295,7 +1334,7 @@ onsignal(int sig) * Compose and transmit an ICMP ECHO REQUEST packet. The IP packet * will be added on by the kernel. The ID field is our UNIX process ID, * and the sequence number is an ascending integer. The first 8 bytes - * of the data portion are used to hold a UNIX "timeval" struct in VAX + * of the data portion are used to hold a UNIX "timespec" struct in VAX * byte-order, to compute the round-trip time. */ static size_t @@ -1324,7 +1363,7 @@ pinger(void) struct iovec iov[2]; int i, cc; struct icmp6_nodeinfo *nip; - int seq; + uint16_t seq; if (npackets && ntransmitted >= npackets) return(-1); /* no more transmission */ @@ -1337,6 +1376,8 @@ pinger(void) CLR(seq % mx_dup_ck); if (options & F_FQDN) { + uint16_t s; + icp->icmp6_type = ICMP6_NI_QUERY; icp->icmp6_code = ICMP6_NI_SUBJ_IPV6; nip->ni_qtype = htons(NI_QTYPE_FQDN); @@ -1344,13 +1385,15 @@ pinger(void) memcpy(nip->icmp6_ni_nonce, nonce, sizeof(nip->icmp6_ni_nonce)); - *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq); + s = htons(seq); + memcpy(nip->icmp6_ni_nonce, &s, sizeof(s)); memcpy(&outpack[ICMP6_NIQLEN], &dst.sin6_addr, sizeof(dst.sin6_addr)); cc = ICMP6_NIQLEN + sizeof(dst.sin6_addr); datalen = 0; } else if (options & F_FQDNOLD) { + uint16_t s; /* packet format in 03 draft - no Subject data on queries */ icp->icmp6_type = ICMP6_NI_QUERY; icp->icmp6_code = 0; /* code field is always 0 */ @@ -1359,11 +1402,14 @@ pinger(void) memcpy(nip->icmp6_ni_nonce, nonce, sizeof(nip->icmp6_ni_nonce)); - *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq); + s = htons(seq); + memcpy(nip->icmp6_ni_nonce, &s, sizeof(s)); cc = ICMP6_NIQLEN; datalen = 0; } else if (options & F_NODEADDR) { + uint16_t s; + icp->icmp6_type = ICMP6_NI_QUERY; icp->icmp6_code = ICMP6_NI_SUBJ_IPV6; nip->ni_qtype = htons(NI_QTYPE_NODEADDR); @@ -1371,13 +1417,16 @@ pinger(void) memcpy(nip->icmp6_ni_nonce, nonce, sizeof(nip->icmp6_ni_nonce)); - *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq); + s = htons(seq); + memcpy(nip->icmp6_ni_nonce, &s, sizeof(s)); memcpy(&outpack[ICMP6_NIQLEN], &dst.sin6_addr, sizeof(dst.sin6_addr)); cc = ICMP6_NIQLEN + sizeof(dst.sin6_addr); datalen = 0; } else if (options & F_SUPTYPES) { + uint16_t s; + icp->icmp6_type = ICMP6_NI_QUERY; icp->icmp6_code = ICMP6_NI_SUBJ_FQDN; /*empty*/ nip->ni_qtype = htons(NI_QTYPE_SUPTYPES); @@ -1386,21 +1435,29 @@ pinger(void) memcpy(nip->icmp6_ni_nonce, nonce, sizeof(nip->icmp6_ni_nonce)); - *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq); + s = htons(seq); + memcpy(nip->icmp6_ni_nonce, &s, sizeof(s)); + cc = ICMP6_NIQLEN; datalen = 0; } else { icp->icmp6_type = ICMP6_ECHO_REQUEST; icp->icmp6_code = 0; icp->icmp6_id = htons(ident); - icp->icmp6_seq = ntohs(seq); + icp->icmp6_seq = htons(seq); if (timing) { - struct timeval tv; - struct tv32 *tv32; - (void)gettimeofday(&tv, NULL); - tv32 = (struct tv32 *)&outpack[ICMP6ECHOLEN]; - tv32->tv32_sec = htonl(tv.tv_sec); - tv32->tv32_usec = htonl(tv.tv_usec); + struct timespec tv; + struct tv32 tv32; + (void)clock_gettime(CLOCK_MONOTONIC, &tv); + /* + * Truncate seconds down to 32 bits in order + * to fit the timestamp within 8 bytes of the + * packet. We're only concerned with + * durations, not absolute times. + */ + tv32.tv32_sec = (uint32_t)htonl(tv.tv_sec); + tv32.tv32_nsec = (uint32_t)htonl(tv.tv_nsec); + memcpy(&outpack[ICMP6ECHOLEN], &tv32, sizeof(tv32)); } cc = ICMP6ECHOLEN + datalen; } @@ -1410,15 +1467,13 @@ pinger(void) errx(1, "internal error; length mismatch"); #endif - smsghdr.msg_name = (caddr_t)&dst; - smsghdr.msg_namelen = sizeof(dst); memset(&iov, 0, sizeof(iov)); iov[0].iov_base = (caddr_t)outpack; iov[0].iov_len = cc; smsghdr.msg_iov = iov; smsghdr.msg_iovlen = 1; - i = sendmsg(s, &smsghdr, 0); + i = sendmsg(ssend, &smsghdr, 0); if (i < 0 || i != cc) { if (i < 0) @@ -1452,10 +1507,26 @@ mynireply(const struct icmp6_nodeinfo *nip) return 0; } -static char * -dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf, +/* + * Decode a name from a DNS message. + * + * Format of the message is described in RFC 1035 subsection 4.1.4. + * + * Arguments: + * sp - Pointer to a DNS pointer octet or to the first octet of a label + * in the message. + * ep - Pointer to the end of the message (one step past the last octet). + * base - Pointer to the beginning of the message. + * buf - Buffer into which the decoded name will be saved. + * bufsiz - Size of the buffer 'buf'. + * + * Return value: + * Pointer to an octet immediately following the ending zero octet + * of the decoded label, or NULL if an error occured. + */ +static const char * +dnsdecode(const u_char *sp, const u_char *ep, const u_char *base, char *buf, size_t bufsiz) - /*base for compressed name*/ { int i; const u_char *cp; @@ -1463,14 +1534,14 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf, const u_char *comp; int l; - cp = *sp; + cp = sp; *buf = '\0'; if (cp >= ep) return NULL; while (cp < ep) { i = *cp; - if (i == 0 || cp != *sp) { + if (i == 0 || cp != sp) { if (strlcat((char *)buf, ".", bufsiz) >= bufsiz) return NULL; /*result overrun*/ } @@ -1484,7 +1555,7 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf, return NULL; comp = base + (i & 0x3f); - if (dnsdecode(&comp, cp, base, cresult, + if (dnsdecode(comp, cp, base, cresult, sizeof(cresult)) == NULL) return NULL; if (strlcat(buf, cresult, bufsiz) >= bufsiz) @@ -1508,8 +1579,7 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf, if (i != 0) return NULL; /*not terminated*/ cp++; - *sp = cp; - return buf; + return cp; } /* @@ -1529,10 +1599,11 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) int hoplim; struct sockaddr *from; int fromlen; - u_char *cp = NULL, *dp, *end = buf + cc; + const u_char *cp = NULL; + u_char *dp, *end = buf + cc; struct in6_pktinfo *pktinfo = NULL; - struct timeval tv, tp; - struct tv32 *tpp; + struct timespec tv, tp; + struct tv32 tpp; double triptime = 0; int dupflag; size_t off; @@ -1540,7 +1611,7 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) u_int16_t seq; char dnsname[MAXDNAME + 1]; - (void)gettimeofday(&tv, NULL); + (void)clock_gettime(CLOCK_MONOTONIC, &tv); if (!mhdr || !mhdr->msg_name || mhdr->msg_namelen != sizeof(struct sockaddr_in6) || @@ -1577,12 +1648,12 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) seq = ntohs(icp->icmp6_seq); ++nreceived; if (timing) { - tpp = (struct tv32 *)(icp + 1); - tp.tv_sec = ntohl(tpp->tv32_sec); - tp.tv_usec = ntohl(tpp->tv32_usec); - tvsub(&tv, &tp); + memcpy(&tpp, icp + 1, sizeof(tpp)); + tp.tv_sec = ntohl(tpp.tv32_sec); + tp.tv_nsec = ntohl(tpp.tv32_nsec); + timespecsub(&tv, &tp, &tv); triptime = ((double)tv.tv_sec) * 1000.0 + - ((double)tv.tv_usec) / 1000.0; + ((double)tv.tv_nsec) / 1000000.0; tsum += triptime; tsumsq += triptime * triptime; if (triptime < tmin) @@ -1643,7 +1714,8 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) } } } else if (icp->icmp6_type == ICMP6_NI_REPLY && mynireply(ni)) { - seq = ntohs(*(u_int16_t *)ni->icmp6_ni_nonce); + memcpy(&seq, ni->icmp6_ni_nonce, sizeof(seq)); + seq = ntohs(seq); ++nreceived; if (TST(seq % mx_dup_ck)) { ++nrepeats; @@ -1701,9 +1773,10 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) } else { i = 0; while (cp < end) { - if (dnsdecode((const u_char **)&cp, end, + cp = dnsdecode((const u_char *)cp, end, (const u_char *)(ni + 1), dnsname, - sizeof(dnsname)) == NULL) { + sizeof(dnsname)); + if (cp == NULL) { printf("???"); break; } @@ -1721,6 +1794,7 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) } } if (options & F_VERBOSE) { + u_long t; int32_t ttl; int comma = 0; @@ -1743,7 +1817,8 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr) putchar(')'); goto fqdnend; } - ttl = (int32_t)ntohl(*(u_long *)&buf[off+ICMP6ECHOLEN+8]); + memcpy(&t, &buf[off+ICMP6ECHOLEN+8], sizeof(t)); + ttl = (int32_t)ntohl(t); if (comma) printf(","); if (!(ni->ni_flags & NI_FQDN_FLAG_VALIDTTL)) { @@ -1842,7 +1917,6 @@ pr_exthdrs(struct msghdr *mhdr) } } -#ifdef USE_RFC2292BIS static void pr_ip6opt(void *extbuf, size_t bufsize) { @@ -1904,17 +1978,7 @@ pr_ip6opt(void *extbuf, size_t bufsize) } return; } -#else /* !USE_RFC2292BIS */ -/* ARGSUSED */ -static void -pr_ip6opt(void *extbuf, size_t bufsize __unused) -{ - putchar('\n'); - return; -} -#endif /* USE_RFC2292BIS */ -#ifdef USE_RFC2292BIS static void pr_rthdr(void *extbuf, size_t bufsize) { @@ -1970,16 +2034,6 @@ pr_rthdr(void *extbuf, size_t bufsize) } -#else /* !USE_RFC2292BIS */ -/* ARGSUSED */ -static void -pr_rthdr(void *extbuf, size_t bufsize __unused) -{ - putchar('\n'); - return; -} -#endif /* USE_RFC2292BIS */ - static int pr_bitrange(u_int32_t v, int soff, int ii) { @@ -2127,11 +2181,13 @@ pr_nodeaddr(struct icmp6_nodeinfo *ni, int nilen) if (nilen % (sizeof(u_int32_t) + sizeof(struct in6_addr)) == 0) withttl = 1; while (nilen > 0) { - u_int32_t ttl; + u_int32_t ttl = 0; if (withttl) { - /* XXX: alignment? */ - ttl = (u_int32_t)ntohl(*(u_int32_t *)cp); + uint32_t t; + + memcpy(&t, cp, sizeof(t)); + ttl = (u_int32_t)ntohl(t); cp += sizeof(u_int32_t); nilen -= sizeof(u_int32_t); } @@ -2170,8 +2226,12 @@ get_hoplim(struct msghdr *mhdr) if (cm->cmsg_level == IPPROTO_IPV6 && cm->cmsg_type == IPV6_HOPLIMIT && - cm->cmsg_len == CMSG_LEN(sizeof(int))) - return(*(int *)CMSG_DATA(cm)); + cm->cmsg_len == CMSG_LEN(sizeof(int))) { + int r; + + memcpy(&r, CMSG_DATA(cm), sizeof(r)); + return(r); + } } return(-1); @@ -2180,6 +2240,7 @@ get_hoplim(struct msghdr *mhdr) static struct in6_pktinfo * get_rcvpktinfo(struct msghdr *mhdr) { + static struct in6_pktinfo pi; struct cmsghdr *cm; for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(mhdr); cm; @@ -2189,8 +2250,10 @@ get_rcvpktinfo(struct msghdr *mhdr) if (cm->cmsg_level == IPPROTO_IPV6 && cm->cmsg_type == IPV6_PKTINFO && - cm->cmsg_len == CMSG_LEN(sizeof(struct in6_pktinfo))) - return((struct in6_pktinfo *)CMSG_DATA(cm)); + cm->cmsg_len == CMSG_LEN(sizeof(struct in6_pktinfo))) { + memcpy(&pi, CMSG_DATA(cm), sizeof(pi)); + return(&pi); + } } return(NULL); @@ -2201,7 +2264,7 @@ get_pathmtu(struct msghdr *mhdr) { #ifdef IPV6_RECVPATHMTU struct cmsghdr *cm; - struct ip6_mtuinfo *mtuctl = NULL; + struct ip6_mtuinfo mtuctl; for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(mhdr); cm; cm = (struct cmsghdr *)CMSG_NXTHDR(mhdr, cm)) { @@ -2211,7 +2274,7 @@ get_pathmtu(struct msghdr *mhdr) if (cm->cmsg_level == IPPROTO_IPV6 && cm->cmsg_type == IPV6_PATHMTU && cm->cmsg_len == CMSG_LEN(sizeof(struct ip6_mtuinfo))) { - mtuctl = (struct ip6_mtuinfo *)CMSG_DATA(cm); + memcpy(&mtuctl, CMSG_DATA(cm), sizeof(mtuctl)); /* * If the notified destination is different from @@ -2221,17 +2284,17 @@ get_pathmtu(struct msghdr *mhdr) * have used the default scope zone ID for sending, * in which case the scope ID value is 0. */ - if (!IN6_ARE_ADDR_EQUAL(&mtuctl->ip6m_addr.sin6_addr, + if (!IN6_ARE_ADDR_EQUAL(&mtuctl.ip6m_addr.sin6_addr, &dst.sin6_addr) || - (mtuctl->ip6m_addr.sin6_scope_id && + (mtuctl.ip6m_addr.sin6_scope_id && dst.sin6_scope_id && - mtuctl->ip6m_addr.sin6_scope_id != + mtuctl.ip6m_addr.sin6_scope_id != dst.sin6_scope_id)) { if ((options & F_VERBOSE) != 0) { printf("path MTU for %s is notified. " "(ignored)\n", - pr_addr((struct sockaddr *)&mtuctl->ip6m_addr, - sizeof(mtuctl->ip6m_addr))); + pr_addr((struct sockaddr *)&mtuctl.ip6m_addr, + sizeof(mtuctl.ip6m_addr))); } return(0); } @@ -2240,11 +2303,11 @@ get_pathmtu(struct msghdr *mhdr) * Ignore an invalid MTU. XXX: can we just believe * the kernel check? */ - if (mtuctl->ip6m_mtu < IPV6_MMTU) + if (mtuctl.ip6m_mtu < IPV6_MMTU) return(0); /* notification for our destination. return the MTU. */ - return((int)mtuctl->ip6m_mtu); + return((int)mtuctl.ip6m_mtu); } } #endif @@ -2252,21 +2315,6 @@ get_pathmtu(struct msghdr *mhdr) } /* - * tvsub -- - * Subtract 2 timeval structs: out = out - in. Out is assumed to - * be >= in. - */ -static void -tvsub(struct timeval *out, struct timeval *in) -{ - if ((out->tv_usec -= in->tv_usec) < 0) { - --out->tv_sec; - out->tv_usec += 1000000; - } - out->tv_sec -= in->tv_sec; -} - -/* * onint -- * SIGINT handler. */ @@ -2504,8 +2552,9 @@ pr_icmph(struct icmp6_hdr *icp, u_char *end) } printf(", subject=%s", niqcode[ni->ni_code]); cp = (const u_char *)(ni + 1); - if (dnsdecode(&cp, end, NULL, dnsname, - sizeof(dnsname)) != NULL) + cp = dnsdecode(cp, end, NULL, dnsname, + sizeof(dnsname)); + if (cp != NULL) printf("(%s)", dnsname); else printf("(invalid)"); @@ -2603,7 +2652,8 @@ pr_addr(struct sockaddr *addr, int addrlen) if ((options & F_HOSTNAME) == 0) flag |= NI_NUMERICHOST; - if (getnameinfo(addr, addrlen, buf, sizeof(buf), NULL, 0, flag) == 0) + if (cap_getnameinfo(capdns, addr, addrlen, buf, sizeof(buf), NULL, 0, + flag) == 0) return (buf); else return "?"; @@ -2629,6 +2679,10 @@ pr_retip(struct ip6_hdr *ip6, u_char *end) nh = ip6->ip6_nxt; cp += hlen; while (end - cp >= 8) { +#ifdef IPSEC + struct ah ah; +#endif + switch (nh) { case IPPROTO_HOPOPTS: printf("HBH "); @@ -2653,8 +2707,9 @@ pr_retip(struct ip6_hdr *ip6, u_char *end) #ifdef IPSEC case IPPROTO_AH: printf("AH "); - hlen = (((struct ah *)cp)->ah_len+2) << 2; - nh = ((struct ah *)cp)->ah_nxt; + memcpy(&ah, cp, sizeof(ah)); + hlen = (ah.ah_len+2) << 2; + nh = ah.ah_nxt; break; #endif case IPPROTO_ICMPV6: @@ -2741,7 +2796,7 @@ setpolicy(int so __unused, char *policy) buf = ipsec_set_policy(policy, strlen(policy)); if (buf == NULL) errx(1, "%s", ipsec_strerror()); - if (setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf, + if (setsockopt(ssend, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf, ipsec_get_policylen(buf)) < 0) warnx("Unable to set IPsec policy"); free(buf); @@ -2838,4 +2893,32 @@ usage(void) " [-X timeout] [hops ...] host\n"); exit(1); } + +static cap_channel_t * +capdns_setup(void) +{ + cap_channel_t *capcas, *capdnsloc; +#ifdef WITH_CASPER + const char *types[2]; + int families[1]; +#endif + capcas = cap_init(); + if (capcas == NULL) + err(1, "unable to create casper process"); + capdnsloc = cap_service_open(capcas, "system.dns"); + /* Casper capability no longer needed. */ + cap_close(capcas); + if (capdnsloc == NULL) + err(1, "unable to open system.dns service"); +#ifdef WITH_CASPER + types[0] = "NAME2ADDR"; + types[1] = "ADDR2NAME"; + if (cap_dns_type_limit(capdnsloc, types, nitems(types)) < 0) + err(1, "unable to limit access to system.dns service"); + families[0] = AF_INET6; + if (cap_dns_family_limit(capdnsloc, families, nitems(families)) < 0) + err(1, "unable to limit access to system.dns service"); +#endif + return (capdnsloc); +} #endif /* defined(__rtems__) && defined(INET6) */ diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-data.h b/freebsd/sbin/ping6/rtems-bsd-ping6-data.h index 40e781b8..e140c085 100644 --- a/freebsd/sbin/ping6/rtems-bsd-ping6-data.h +++ b/freebsd/sbin/ping6/rtems-bsd-ping6-data.h @@ -1,4 +1,3 @@ /* generated by userspace-header-gen.py */ #include <rtems/linkersets.h> /* ping6.c */ -RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, extern u_int options); diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h b/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h index 8b875692..54f15fad 100644 --- a/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h +++ b/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h @@ -1,3 +1,2 @@ /* generated by userspace-header-gen.py */ /* ping6.c */ -#define options _bsd_ping6_options diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h b/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h index 9793bc1c..80e21133 100644 --- a/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h +++ b/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h @@ -2,6 +2,7 @@ #include <rtems/linkersets.h> #include "rtems-bsd-ping6-data.h" /* ping6.c */ +RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static cap_channel_t *capdns); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char *hostname); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char *scmsg); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char BBELL); @@ -18,7 +19,8 @@ RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int hoplimit); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int ident); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int interval); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int mx_dup_ck); -RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int s); +RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int srecv); +RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int ssend); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int timing); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int waittime); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static long int nmissedmax); @@ -36,5 +38,6 @@ RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static struct sockaddr_in6 dst); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static struct sockaddr_in6 src); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_char *packet); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_char outpack[]); +RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_int options); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_int8_t nonce[]); RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_short naflags); diff --git a/freebsd/sys/arm/ti/ti_sdhci.c b/freebsd/sys/arm/ti/ti_sdhci.c index 6656ce20..a2be1f19 100644 --- a/freebsd/sys/arm/ti/ti_sdhci.c +++ b/freebsd/sys/arm/ti/ti_sdhci.c @@ -484,15 +484,14 @@ ti_sdhci_hw_init(device_t dev) * The attach() routine has examined fdt data and set flags in * slot.host.caps to reflect what voltages we can handle. Set those * values in the CAPA register. The manual says that these values can - * only be set once, "before initialization" whatever that means, and - * that they survive a reset. So maybe doing this will be a no-op if - * u-boot has already initialized the hardware. + * only be set once, and that they survive a reset so unless u-boot didn't + * set this register this code is a no-op. */ regval = ti_mmchs_read_4(sc, MMCHS_SD_CAPA); if (sc->slot.host.caps & MMC_OCR_LOW_VOLTAGE) regval |= MMCHS_SD_CAPA_VS18; - if (sc->slot.host.caps & (MMC_OCR_290_300 | MMC_OCR_300_310)) - regval |= MMCHS_SD_CAPA_VS30; + if (sc->slot.host.caps & (MMC_OCR_320_330 | MMC_OCR_330_340)) + regval |= MMCHS_SD_CAPA_VS33; ti_mmchs_write_4(sc, MMCHS_SD_CAPA, regval); /* Set initial host configuration (1-bit, std speed, pwr off). */ @@ -526,17 +525,20 @@ ti_sdhci_attach(device_t dev) } /* - * The hardware can inherently do dual-voltage (1p8v, 3p0v) on the first + * The hardware can inherently do dual-voltage (1p8v, 3p3v) on the first * device, and only 1p8v on other devices unless an external transceiver * is used. The only way we could know about a transceiver is fdt data. * Note that we have to do this before calling ti_sdhci_hw_init() so * that it can set the right values in the CAPA register, which can only * be done once and never reset. */ - sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE; - if (sc->mmchs_clk_id == MMC1_CLK || OF_hasprop(node, "ti,dual-volt")) { - sc->slot.host.caps |= MMC_OCR_290_300 | MMC_OCR_300_310; - } + if (OF_hasprop(node, "ti,dual-volt")) { + sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE | MMC_OCR_320_330 | MMC_OCR_330_340; + } else if (OF_hasprop(node, "no-1-8-v")) { + sc->slot.host.caps |= MMC_OCR_320_330 | MMC_OCR_330_340; + } else + sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE; + /* * Set the offset from the device's memory start to the MMCHS registers. diff --git a/freebsd/sys/cam/nvme/nvme_all.h b/freebsd/sys/cam/nvme/nvme_all.h index 8ebbfff3..da40dea1 100644 --- a/freebsd/sys/cam/nvme/nvme_all.h +++ b/freebsd/sys/cam/nvme/nvme_all.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * - * Copyright (c) 2015 Netflix, Inc + * Copyright (c) 2015 Netflix, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/freebsd/sys/cam/scsi/scsi_all.c b/freebsd/sys/cam/scsi/scsi_all.c index 3aab5aab..99d82fee 100644 --- a/freebsd/sys/cam/scsi/scsi_all.c +++ b/freebsd/sys/cam/scsi/scsi_all.c @@ -2059,7 +2059,7 @@ static struct asc_table_entry asc_table[] = { { SST(0x30, 0x13, SS_RDEF, /* XXX TBD */ "Cleaning volume expired") }, /* DT WRO BK */ - { SST(0x31, 0x00, SS_RDEF, + { SST(0x31, 0x00, SS_FATAL | ENXIO, "Medium format corrupted") }, /* D L RO B */ { SST(0x31, 0x01, SS_RDEF, @@ -8294,10 +8294,10 @@ scsi_ata_identify(struct ccb_scsiio *csio, u_int32_t retries, tag_action, /*protocol*/AP_PROTO_PIO_IN, /*ata_flags*/AP_FLAG_TDIR_FROM_DEV | - AP_FLAG_BYT_BLOK_BYTES | + AP_FLAG_BYT_BLOK_BLOCKS | AP_FLAG_TLEN_SECT_CNT, /*features*/0, - /*sector_count*/dxfer_len, + /*sector_count*/dxfer_len / 512, /*lba*/0, /*command*/ATA_ATA_IDENTIFY, /*device*/ 0, diff --git a/freebsd/sys/cam/scsi/scsi_all.h b/freebsd/sys/cam/scsi/scsi_all.h index 467b955c..1e0c75bb 100644 --- a/freebsd/sys/cam/scsi/scsi_all.h +++ b/freebsd/sys/cam/scsi/scsi_all.h @@ -3622,7 +3622,9 @@ struct scsi_mode_header_10 u_int8_t data_length[2];/* Sense data length */ u_int8_t medium_type; u_int8_t dev_spec; - u_int8_t unused[2]; + u_int8_t flags; +#define SMH_LONGLBA 0x01 + u_int8_t unused; u_int8_t blk_desc_len[2]; }; diff --git a/freebsd/sys/dev/pci/pci.c b/freebsd/sys/dev/pci/pci.c index 648f6e5f..586efc3d 100644 --- a/freebsd/sys/dev/pci/pci.c +++ b/freebsd/sys/dev/pci/pci.c @@ -1677,10 +1677,13 @@ pci_mask_msix(device_t dev, u_int index) KASSERT(msix->msix_msgnum > index, ("bogus index")); offset = msix->msix_table_offset + index * 16 + 12; val = bus_read_4(msix->msix_table_res, offset); - if (!(val & PCIM_MSIX_VCTRL_MASK)) { - val |= PCIM_MSIX_VCTRL_MASK; - bus_write_4(msix->msix_table_res, offset, val); - } + val |= PCIM_MSIX_VCTRL_MASK; + + /* + * Some devices (e.g. Samsung PM961) do not support reads of this + * register, so always write the new value. + */ + bus_write_4(msix->msix_table_res, offset, val); } void @@ -1693,10 +1696,13 @@ pci_unmask_msix(device_t dev, u_int index) KASSERT(msix->msix_table_len > index, ("bogus index")); offset = msix->msix_table_offset + index * 16 + 12; val = bus_read_4(msix->msix_table_res, offset); - if (val & PCIM_MSIX_VCTRL_MASK) { - val &= ~PCIM_MSIX_VCTRL_MASK; - bus_write_4(msix->msix_table_res, offset, val); - } + val &= ~PCIM_MSIX_VCTRL_MASK; + + /* + * Some devices (e.g. Samsung PM961) do not support reads of this + * register, so always write the new value. + */ + bus_write_4(msix->msix_table_res, offset, val); } int diff --git a/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h b/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h index a22c39ad..c757cb79 100644 --- a/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h +++ b/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h @@ -158,7 +158,8 @@ static const STRUCT_USB_HOST_ID rtwn_devs[] = { RTWN_RTL8821AU_DEV(MELCO, WIU2433DM), RTWN_RTL8821AU_DEV(NETGEAR, A6100), RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_1), - RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_2) + RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_2), + RTWN_RTL8821AU_DEV(TPLINK, T2UNANO) #undef RTWN_RTL8821AU_DEV }; diff --git a/freebsd/sys/dev/sdhci/sdhci.c b/freebsd/sys/dev/sdhci/sdhci.c index 952fbd50..5d9cf26c 100644 --- a/freebsd/sys/dev/sdhci/sdhci.c +++ b/freebsd/sys/dev/sdhci/sdhci.c @@ -478,7 +478,7 @@ sdhci_set_power(struct sdhci_slot *slot, u_char power) DELAY(100); } if (!(RD1(slot, SDHCI_POWER_CONTROL) & SDHCI_POWER_ON)) - slot_printf(slot, "Bus power failed to enable"); + slot_printf(slot, "Bus power failed to enable\n"); if (slot->quirks & SDHCI_QUIRK_INTEL_POWER_UP_RESET) { WR1(slot, SDHCI_POWER_CONTROL, pwr | 0x10); @@ -1113,7 +1113,7 @@ no_tuning: slot->timeout = 10; SYSCTL_ADD_INT(device_get_sysctl_ctx(slot->bus), SYSCTL_CHILDREN(device_get_sysctl_tree(slot->bus)), OID_AUTO, - "timeout", CTLFLAG_RW, &slot->timeout, 0, + "timeout", CTLFLAG_RWTUN, &slot->timeout, 0, "Maximum timeout for SDHCI transfers (in secs)"); TASK_INIT(&slot->card_task, 0, sdhci_card_task, slot); TIMEOUT_TASK_INIT(taskqueue_swi_giant, &slot->card_delayed_task, 0, diff --git a/freebsd/sys/dev/usb/usb.h b/freebsd/sys/dev/usb/usb.h index ff33cf00..0075d429 100644 --- a/freebsd/sys/dev/usb/usb.h +++ b/freebsd/sys/dev/usb/usb.h @@ -444,6 +444,7 @@ typedef struct usb_interface_assoc_descriptor usb_interface_assoc_descriptor_t; #define UIPROTO_CDC_NONE 0 #define UIPROTO_CDC_AT 1 +#define UIPROTO_CDC_EEM 7 #define UICLASS_HID 0x03 #define UISUBCLASS_BOOT 1 diff --git a/freebsd/sys/dev/usb/usb_ioctl.h b/freebsd/sys/dev/usb/usb_ioctl.h index fcd31e31..e7e63fb9 100644 --- a/freebsd/sys/dev/usb/usb_ioctl.h +++ b/freebsd/sys/dev/usb/usb_ioctl.h @@ -70,6 +70,7 @@ enum { USB_TEMP_SERIALNET, /* USB CDC Ethernet and Modem */ USB_TEMP_MIDI, /* USB MIDI */ USB_TEMP_MULTI, /* USB Ethernet, serial, and storage */ + USB_TEMP_CDCEEM, /* USB Ethernet Emulation Model */ USB_TEMP_MAX, }; diff --git a/freebsd/sys/kern/sys_generic.c b/freebsd/sys/kern/sys_generic.c index 5032fa93..611e3166 100644 --- a/freebsd/sys/kern/sys_generic.c +++ b/freebsd/sys/kern/sys_generic.c @@ -772,7 +772,11 @@ kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data) fp = NULL; /* fhold() was not called yet */ goto out; } - fhold(fp); + if (!fhold(fp)) { + error = EBADF; + fp = NULL; + goto out; + } if (locked == LA_SLOCKED) { FILEDESC_SUNLOCK(fdp); locked = LA_UNLOCKED; diff --git a/freebsd/sys/kern/sys_pipe.c b/freebsd/sys/kern/sys_pipe.c index cdfff76d..e20c67ea 100755 --- a/freebsd/sys/kern/sys_pipe.c +++ b/freebsd/sys/kern/sys_pipe.c @@ -802,11 +802,9 @@ pipe_read(struct file *fp, struct uio *uio, struct ucred *active_cred, /* * Direct copy, bypassing a kernel buffer. */ - } else if ((size = rpipe->pipe_map.cnt) && - (rpipe->pipe_state & PIPE_DIRECTW)) { + } else if ((size = rpipe->pipe_map.cnt) != 0) { if (size > uio->uio_resid) size = (u_int) uio->uio_resid; - PIPE_UNLOCK(rpipe); error = uiomove_fromphys(rpipe->pipe_map.ms, rpipe->pipe_map.pos, size, uio); @@ -984,32 +982,33 @@ pipe_build_write_buffer(struct pipe *wpipe, struct uio *uio) u_int size; int i; - PIPE_LOCK_ASSERT(wpipe, MA_NOTOWNED); - KASSERT(wpipe->pipe_state & PIPE_DIRECTW, - ("Clone attempt on non-direct write pipe!")); + PIPE_LOCK_ASSERT(wpipe, MA_OWNED); + KASSERT((wpipe->pipe_state & PIPE_DIRECTW) == 0, + ("%s: PIPE_DIRECTW set on %p", __func__, wpipe)); + KASSERT(wpipe->pipe_map.cnt == 0, + ("%s: pipe map for %p contains residual data", __func__, wpipe)); if (uio->uio_iov->iov_len > wpipe->pipe_buffer.size) size = wpipe->pipe_buffer.size; else size = uio->uio_iov->iov_len; - if ((i = vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map, + wpipe->pipe_state |= PIPE_DIRECTW; + PIPE_UNLOCK(wpipe); + i = vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map, (vm_offset_t)uio->uio_iov->iov_base, size, VM_PROT_READ, - wpipe->pipe_map.ms, PIPENPAGES)) < 0) + wpipe->pipe_map.ms, PIPENPAGES); + PIPE_LOCK(wpipe); + if (i < 0) { + wpipe->pipe_state &= ~PIPE_DIRECTW; return (EFAULT); + } -/* - * set up the control block - */ wpipe->pipe_map.npages = i; wpipe->pipe_map.pos = ((vm_offset_t) uio->uio_iov->iov_base) & PAGE_MASK; wpipe->pipe_map.cnt = size; -/* - * and update the uio data - */ - uio->uio_iov->iov_len -= size; uio->uio_iov->iov_base = (char *)uio->uio_iov->iov_base + size; if (uio->uio_iov->iov_len == 0) @@ -1029,6 +1028,8 @@ pipe_destroy_write_buffer(struct pipe *wpipe) PIPE_LOCK_ASSERT(wpipe, MA_OWNED); KASSERT((wpipe->pipe_state & PIPE_DIRECTW) != 0, ("%s: PIPE_DIRECTW not set on %p", __func__, wpipe)); + KASSERT(wpipe->pipe_map.cnt == 0, + ("%s: pipe map for %p contains residual data", __func__, wpipe)); wpipe->pipe_state &= ~PIPE_DIRECTW; vm_page_unhold_pages(wpipe->pipe_map.ms, wpipe->pipe_map.npages); @@ -1054,6 +1055,7 @@ pipe_clone_write_buffer(struct pipe *wpipe) size = wpipe->pipe_map.cnt; pos = wpipe->pipe_map.pos; + wpipe->pipe_map.cnt = 0; wpipe->pipe_buffer.in = size; wpipe->pipe_buffer.out = 0; @@ -1111,7 +1113,6 @@ retry: else goto retry; } - wpipe->pipe_map.cnt = 0; /* transfer not ready yet */ if (wpipe->pipe_buffer.cnt > 0) { if (wpipe->pipe_state & PIPE_WANTR) { wpipe->pipe_state &= ~PIPE_WANTR; @@ -1128,19 +1129,15 @@ retry: goto retry; } - wpipe->pipe_state |= PIPE_DIRECTW; - - PIPE_UNLOCK(wpipe); error = pipe_build_write_buffer(wpipe, uio); - PIPE_LOCK(wpipe); if (error) { - wpipe->pipe_state &= ~PIPE_DIRECTW; pipeunlock(wpipe); goto error1; } while (wpipe->pipe_map.cnt != 0) { if (wpipe->pipe_state & PIPE_EOF) { + wpipe->pipe_map.cnt = 0; pipe_destroy_write_buffer(wpipe); pipeselwakeup(wpipe); pipeunlock(wpipe); @@ -1294,7 +1291,7 @@ pipe_write(struct file *fp, struct uio *uio, struct ucred *active_cred, * pipe buffer. We break out if a signal occurs or the * reader goes away. */ - if (wpipe->pipe_state & PIPE_DIRECTW) { + if (wpipe->pipe_map.cnt != 0) { if (wpipe->pipe_state & PIPE_WANTR) { wpipe->pipe_state &= ~PIPE_WANTR; wakeup(wpipe); @@ -1590,7 +1587,7 @@ pipe_ioctl(struct file *fp, u_long cmd, void *data, struct ucred *active_cred, PIPE_UNLOCK(mpipe); return (0); } - if (mpipe->pipe_state & PIPE_DIRECTW) + if (mpipe->pipe_map.cnt != 0) *(int *)data = mpipe->pipe_map.cnt; else *(int *)data = mpipe->pipe_buffer.cnt; @@ -1667,8 +1664,7 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred, #else /* __rtems__ */ if (rtems_bsd_libio_flags_to_fflag(fp->f_io.flags) & FREAD && events & (POLLIN | POLLRDNORM)) #endif /* __rtems__ */ - if ((rpipe->pipe_state & PIPE_DIRECTW) || - (rpipe->pipe_buffer.cnt > 0)) + if (rpipe->pipe_map.cnt > 0 || rpipe->pipe_buffer.cnt > 0) revents |= events & (POLLIN | POLLRDNORM); #ifndef __rtems__ @@ -1678,7 +1674,7 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred, #endif /* __rtems__ */ if (wpipe->pipe_present != PIPE_ACTIVE || (wpipe->pipe_state & PIPE_EOF) || - (((wpipe->pipe_state & PIPE_DIRECTW) == 0) && + ((wpipe->pipe_state & PIPE_DIRECTW) == 0 && ((wpipe->pipe_buffer.size - wpipe->pipe_buffer.cnt) >= PIPE_BUF || wpipe->pipe_buffer.size == 0))) revents |= events & (POLLOUT | POLLWRNORM); @@ -1796,7 +1792,7 @@ pipe_stat(struct pipe *pipe, struct stat *ub) #endif /* __rtems__ */ ub->st_mode = S_IFIFO; ub->st_blksize = PAGE_SIZE; - if (pipe->pipe_state & PIPE_DIRECTW) + if (pipe->pipe_map.cnt != 0) ub->st_size = pipe->pipe_map.cnt; else ub->st_size = pipe->pipe_buffer.cnt; @@ -2085,7 +2081,7 @@ filt_piperead(struct knote *kn, long hint) PIPE_LOCK_ASSERT(rpipe, MA_OWNED); kn->kn_data = rpipe->pipe_buffer.cnt; - if ((kn->kn_data == 0) && (rpipe->pipe_state & PIPE_DIRECTW)) + if (kn->kn_data == 0) kn->kn_data = rpipe->pipe_map.cnt; if ((rpipe->pipe_state & PIPE_EOF) || diff --git a/freebsd/sys/kern/uipc_socket.c b/freebsd/sys/kern/uipc_socket.c index 762dfb56..dc265e38 100644 --- a/freebsd/sys/kern/uipc_socket.c +++ b/freebsd/sys/kern/uipc_socket.c @@ -1156,9 +1156,9 @@ drop: so->so_state |= SS_NOFDREF; sorele(so); if (listening) { - struct socket *sp; + struct socket *sp, *tsp; - TAILQ_FOREACH(sp, &lqueue, so_list) { + TAILQ_FOREACH_SAFE(sp, &lqueue, so_list, tsp) { SOCK_LOCK(sp); if (sp->so_count == 0) { SOCK_UNLOCK(sp); @@ -2813,7 +2813,12 @@ sosetopt(struct socket *so, struct sockopt *sopt) error = sooptcopyin(sopt, &l, sizeof l, sizeof l); if (error) goto bad; - + if (l.l_linger < 0 || + l.l_linger > USHRT_MAX || + l.l_linger > (INT_MAX / hz)) { + error = EDOM; + goto bad; + } SOCK_LOCK(so); so->so_linger = l.l_linger; if (l.l_onoff) @@ -4164,6 +4169,9 @@ void so_linger_set(struct socket *so, int val) { + KASSERT(val >= 0 && val <= USHRT_MAX && val <= (INT_MAX / hz), + ("%s: val %d out of range", __func__, val)); + so->so_linger = val; } diff --git a/freebsd/sys/kern/uipc_syscalls.c b/freebsd/sys/kern/uipc_syscalls.c index 567fbdc3..251f2bbb 100644 --- a/freebsd/sys/kern/uipc_syscalls.c +++ b/freebsd/sys/kern/uipc_syscalls.c @@ -59,6 +59,7 @@ __FBSDID("$FreeBSD$"); #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/syscallsubr.h> +#include <sys/sysent.h> #include <sys/uio.h> #include <sys/un.h> #include <sys/unpcb.h> @@ -451,7 +452,8 @@ accept1(td, s, uname, anamelen, flags) if (error == 0 && uname != NULL) { #ifdef COMPAT_OLDSOCK - if (flags & ACCEPT4_COMPAT) + if (SV_PROC_FLAG(td->td_proc, SV_AOUT) && + (flags & ACCEPT4_COMPAT) != 0) ((struct osockaddr *)name)->sa_family = name->sa_family; #endif @@ -970,7 +972,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags) if (mp->msg_control) { if (mp->msg_controllen < sizeof(struct cmsghdr) #ifdef COMPAT_OLDSOCK - && mp->msg_flags != MSG_COMPAT + && (mp->msg_flags != MSG_COMPAT || + !SV_PROC_FLAG(td->td_proc, SV_AOUT)) #endif ) { error = EINVAL; @@ -981,7 +984,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags) if (error != 0) goto bad; #ifdef COMPAT_OLDSOCK - if (mp->msg_flags == MSG_COMPAT) { + if (mp->msg_flags == MSG_COMPAT && + SV_PROC_FLAG(td->td_proc, SV_AOUT)) { struct cmsghdr *cm; M_PREPEND(control, sizeof(*cm), M_WAITOK); @@ -1126,7 +1130,8 @@ sys_sendto(struct thread *td, struct sendto_args *uap) msg.msg_iovlen = 1; msg.msg_control = 0; #ifdef COMPAT_OLDSOCK - msg.msg_flags = 0; + if (SV_PROC_FLAG(td->td_proc, SV_AOUT)) + msg.msg_flags = 0; #endif aiov.iov_base = uap->buf; aiov.iov_len = uap->len; @@ -1245,7 +1250,8 @@ sys_sendmsg(struct thread *td, struct sendmsg_args *uap) return (error); msg.msg_iov = iov; #ifdef COMPAT_OLDSOCK - msg.msg_flags = 0; + if (SV_PROC_FLAG(td->td_proc, SV_AOUT)) + msg.msg_flags = 0; #endif error = sendit(td, uap->s, &msg, uap->flags); free(iov, M_IOV); @@ -1362,7 +1368,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, /* save sa_len before it is destroyed by MSG_COMPAT */ len = MIN(len, fromsa->sa_len); #ifdef COMPAT_OLDSOCK - if (mp->msg_flags & MSG_COMPAT) + if ((mp->msg_flags & MSG_COMPAT) != 0 && + SV_PROC_FLAG(td->td_proc, SV_AOUT)) ((struct osockaddr *)fromsa)->sa_family = fromsa->sa_family; #endif @@ -1385,7 +1392,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg, * If we receive rights, trim the cmsghdr; anything else * is tossed. */ - if (control && mp->msg_flags & MSG_COMPAT) { + if (control && (mp->msg_flags & MSG_COMPAT) != 0 && + SV_PROC_FLAG(td->td_proc, SV_AOUT)) { if (mtod(control, struct cmsghdr *)->cmsg_level != SOL_SOCKET || mtod(control, struct cmsghdr *)->cmsg_type != @@ -1444,7 +1452,8 @@ recvit(struct thread *td, int s, struct msghdr *mp, void *namelenp) if (namelenp != NULL) { error = copyout(&mp->msg_namelen, namelenp, sizeof (socklen_t)); #ifdef COMPAT_OLDSOCK - if (mp->msg_flags & MSG_COMPAT) + if ((mp->msg_flags & MSG_COMPAT) != 0 && + SV_PROC_FLAG(td->td_proc, SV_AOUT)) error = 0; /* old recvfrom didn't check */ #endif } @@ -1587,7 +1596,8 @@ sys_recvmsg(struct thread *td, struct recvmsg_args *uap) return (error); msg.msg_flags = uap->flags; #ifdef COMPAT_OLDSOCK - msg.msg_flags &= ~MSG_COMPAT; + if (SV_PROC_FLAG(td->td_proc, SV_AOUT)) + msg.msg_flags &= ~MSG_COMPAT; #endif uiov = msg.msg_iov; msg.msg_iov = iov; @@ -1878,7 +1888,7 @@ getsockname1(struct thread *td, struct getsockname_args *uap, int compat) if (len != 0) { #ifdef COMPAT_OLDSOCK - if (compat) + if (compat && SV_PROC_FLAG(td->td_proc, SV_AOUT)) ((struct osockaddr *)sa)->sa_family = sa->sa_family; #endif error = copyout(sa, uap->asa, (u_int)len); @@ -1993,7 +2003,7 @@ getpeername1(struct thread *td, struct getpeername_args *uap, int compat) if (len != 0) { #ifdef COMPAT_OLDSOCK - if (compat) + if (compat && SV_PROC_FLAG(td->td_proc, SV_AOUT)) ((struct osockaddr *)sa)->sa_family = sa->sa_family; #endif error = copyout(sa, uap->asa, (u_int)len); @@ -2098,7 +2108,8 @@ sockargs(struct mbuf **mp, char *buf, socklen_t buflen, int type) if (buflen > MLEN) { #ifdef COMPAT_OLDSOCK - if (type == MT_SONAME && buflen <= 112) + if (type == MT_SONAME && buflen <= 112 && + SV_CURPROC_FLAG(SV_AOUT)) buflen = MLEN; /* unix domain compat. hack */ else #endif @@ -2116,7 +2127,8 @@ sockargs(struct mbuf **mp, char *buf, socklen_t buflen, int type) sa = mtod(m, struct sockaddr *); #if defined(COMPAT_OLDSOCK) && BYTE_ORDER != BIG_ENDIAN - if (sa->sa_family == 0 && sa->sa_len < AF_MAX) + if (sa->sa_family == 0 && sa->sa_len < AF_MAX && + SV_CURPROC_FLAG(SV_AOUT)) sa->sa_family = sa->sa_len; #endif sa->sa_len = buflen; @@ -2148,7 +2160,8 @@ getsockaddr(struct sockaddr **namp, const struct sockaddr *uaddr, size_t len) free(sa, M_SONAME); } else { #if defined(COMPAT_OLDSOCK) && BYTE_ORDER != BIG_ENDIAN - if (sa->sa_family == 0 && sa->sa_len < AF_MAX) + if (sa->sa_family == 0 && sa->sa_len < AF_MAX && + SV_CURPROC_FLAG(SV_AOUT)) sa->sa_family = sa->sa_len; #endif sa->sa_len = len; diff --git a/freebsd/sys/kern/uipc_usrreq.c b/freebsd/sys/kern/uipc_usrreq.c index c4df64a5..fc4ee85d 100644 --- a/freebsd/sys/kern/uipc_usrreq.c +++ b/freebsd/sys/kern/uipc_usrreq.c @@ -2340,7 +2340,7 @@ unp_internalize(struct mbuf **controlp, struct thread *td) struct timespec *ts; void *data; socklen_t clen, datalen; - int i, error, *fdp, oldfds; + int i, j, error, *fdp, oldfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); @@ -2423,6 +2423,19 @@ unp_internalize(struct mbuf **controlp, struct thread *td) goto out; } fdp = data; + for (i = 0; i < oldfds; i++, fdp++) { + if (!fhold(fdesc->fd_ofiles[*fdp].fde_file)) { + fdp = data; + for (j = 0; j < i; j++, fdp++) { + fdrop(fdesc->fd_ofiles[*fdp]. + fde_file, td); + } + FILEDESC_SUNLOCK(fdesc); + error = EBADF; + goto out; + } + } + fdp = data; fdep = (struct filedescent **) CMSG_DATA(mtod(*controlp, struct cmsghdr *)); fdev = malloc(sizeof(*fdev) * oldfds, M_FILECAPS, @@ -2626,7 +2639,6 @@ unp_internalize_fp(struct file *fp) unp->unp_file = fp; unp->unp_msgcount++; } - fhold(fp); unp_rights++; UNP_LINK_WUNLOCK(); } @@ -2787,10 +2799,10 @@ unp_gc(__unused void *arg, int pending) if ((unp->unp_gcflag & UNPGC_DEAD) != 0) { f = unp->unp_file; if (unp->unp_msgcount == 0 || f == NULL || - f->f_count != unp->unp_msgcount) + f->f_count != unp->unp_msgcount || + !fhold(f)) continue; unref[total++] = f; - fhold(f); KASSERT(total <= unp_unreachable, ("unp_gc: incorrect unreachable count.")); } diff --git a/freebsd/sys/net/if.c b/freebsd/sys/net/if.c index a9c28263..d57e6983 100644 --- a/freebsd/sys/net/if.c +++ b/freebsd/sys/net/if.c @@ -2777,6 +2777,8 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td) if (strlen(new_name) == IFNAMSIZ-1) return (EINVAL); } + if (strcmp(new_name, ifp->if_xname) == 0) + break; if (ifunit(new_name) != NULL) return (EEXIST); diff --git a/freebsd/sys/net/if_spppsubr.c b/freebsd/sys/net/if_spppsubr.c index d73befe5..e3aeb4ce 100644 --- a/freebsd/sys/net/if_spppsubr.c +++ b/freebsd/sys/net/if_spppsubr.c @@ -1062,15 +1062,13 @@ sppp_detach(struct ifnet *ifp) KASSERT(mtx_initialized(&sp->mtx), ("sppp mutex is not initialized")); /* Stop keepalive handler. */ - if (!callout_drain(&sp->keepalive_callout)) - callout_stop(&sp->keepalive_callout); + callout_drain(&sp->keepalive_callout); for (i = 0; i < IDX_COUNT; i++) { - if (!callout_drain(&sp->ch[i])) - callout_stop(&sp->ch[i]); + callout_drain(&sp->ch[i]); } - if (!callout_drain(&sp->pap_my_to_ch)) - callout_stop(&sp->pap_my_to_ch); + callout_drain(&sp->pap_my_to_ch); + mtx_destroy(&sp->pp_cpq.ifq_mtx); mtx_destroy(&sp->pp_fastq.ifq_mtx); mtx_destroy(&sp->mtx); diff --git a/freebsd/sys/netinet/sctp_asconf.c b/freebsd/sys/netinet/sctp_asconf.c index 2c66f65c..4de01ed7 100644 --- a/freebsd/sys/netinet/sctp_asconf.c +++ b/freebsd/sys/netinet/sctp_asconf.c @@ -1368,7 +1368,7 @@ sctp_asconf_queue_add(struct sctp_tcb *stcb, struct sctp_ifa *ifa, if (sctp_asconf_queue_mgmt(stcb, stcb->asoc.asconf_addr_del_pending, SCTP_DEL_IP_ADDRESS) == 0) { - SCTPDBG(SCTP_DEBUG_ASCONF2, "asconf_queue_add: queing pending delete\n"); + SCTPDBG(SCTP_DEBUG_ASCONF2, "asconf_queue_add: queuing pending delete\n"); pending_delete_queued = 1; /* clear out the pending delete info */ stcb->asoc.asconf_del_pending = 0; diff --git a/freebsd/sys/netinet/sctp_auth.c b/freebsd/sys/netinet/sctp_auth.c index 8301a98f..3555bb87 100644 --- a/freebsd/sys/netinet/sctp_auth.c +++ b/freebsd/sys/netinet/sctp_auth.c @@ -525,7 +525,7 @@ sctp_insert_sharedkey(struct sctp_keyhead *shared_keys, } else if (new_skey->keyid == skey->keyid) { /* replace the existing key */ /* verify this key *can* be replaced */ - if ((skey->deactivated) && (skey->refcount > 1)) { + if ((skey->deactivated) || (skey->refcount > 1)) { SCTPDBG(SCTP_DEBUG_AUTH1, "can't replace shared key id %u\n", new_skey->keyid); diff --git a/freebsd/sys/netinet/sctp_indata.c b/freebsd/sys/netinet/sctp_indata.c index 6c2658c3..c4a11fec 100644 --- a/freebsd/sys/netinet/sctp_indata.c +++ b/freebsd/sys/netinet/sctp_indata.c @@ -917,6 +917,9 @@ restart: break; } } + if (cnt_added && strm->pd_api_started) { + sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); + } if ((control->length > pd_point) && (strm->pd_api_started == 0)) { strm->pd_api_started = 1; control->pdapi_started = 1; @@ -1478,6 +1481,16 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, "The last fsn is now in place fsn: %u\n", chk->rec.data.fsn); control->last_frag_seen = 1; + if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) { + SCTPDBG(SCTP_DEBUG_XXX, + "New fsn: %u is not at top_fsn: %u -- abort\n", + chk->rec.data.fsn, + control->top_fsn); + sctp_abort_in_reasm(stcb, control, chk, + abort_flag, + SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); + return; + } } if (asoc->idata_supported || control->first_frag_seen) { /* @@ -1493,7 +1506,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, */ sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); return; } } @@ -1505,7 +1518,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, chk->rec.data.fsn, control->top_fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); return; } if (asoc->idata_supported || control->first_frag_seen) { @@ -1526,7 +1539,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, chk->rec.data.fsn, control->fsn_included); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); return; } } @@ -1541,7 +1554,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, control->top_fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); return; } } @@ -1584,7 +1597,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, at->rec.data.fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_14); return; } } diff --git a/freebsd/sys/netinet/sctp_indata.h b/freebsd/sys/netinet/sctp_indata.h index 59ceac3a..3f3099e8 100644 --- a/freebsd/sys/netinet/sctp_indata.h +++ b/freebsd/sys/netinet/sctp_indata.h @@ -61,7 +61,6 @@ sctp_build_readq_entry(struct sctp_tcb *stcb, (_ctl)->sinfo_ppid = ppid; \ (_ctl)->sinfo_context = context; \ (_ctl)->fsn_included = 0xffffffff; \ - (_ctl)->top_fsn = 0xffffffff; \ (_ctl)->sinfo_tsn = tsn; \ (_ctl)->sinfo_cumtsn = tsn; \ (_ctl)->sinfo_assoc_id = sctp_get_associd((in_it)); \ diff --git a/freebsd/sys/netinet/sctp_input.c b/freebsd/sys/netinet/sctp_input.c index 5386aae4..3f4e2f5f 100644 --- a/freebsd/sys/netinet/sctp_input.c +++ b/freebsd/sys/netinet/sctp_input.c @@ -446,22 +446,48 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, { struct sctp_association *asoc; struct mbuf *op_err; - int retval, abort_flag; - uint32_t initack_limit; + int retval, abort_flag, cookie_found; + int initack_limit; int nat_friendly = 0; /* First verify that we have no illegal param's */ abort_flag = 0; + cookie_found = 0; op_err = sctp_arethere_unrecognized_parameters(m, (offset + sizeof(struct sctp_init_chunk)), - &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly); + &abort_flag, (struct sctp_chunkhdr *)cp, + &nat_friendly, &cookie_found); if (abort_flag) { /* Send an abort and notify peer */ sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); *abort_no_unlock = 1; return (-1); } + if (!cookie_found) { + uint16_t len; + + len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t)); + /* We abort with an error of missing mandatory param */ + op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA); + if (op_err != NULL) { + struct sctp_error_missing_param *cause; + + SCTP_BUF_LEN(op_err) = len; + cause = mtod(op_err, struct sctp_error_missing_param *); + /* Subtract the reserved param */ + cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM); + cause->cause.length = htons(len); + cause->num_missing_params = htonl(1); + cause->type[0] = htons(SCTP_STATE_COOKIE); + } + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, + src, dst, sh, op_err, + mflowtype, mflowid, + vrf_id, net->port); + *abort_no_unlock = 1; + return (-3); + } asoc = &stcb->asoc; asoc->peer_supports_nat = (uint8_t)nat_friendly; /* process the peer's parameters in the INIT-ACK */ @@ -526,40 +552,8 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, /* calculate the RTO */ net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, SCTP_RTT_FROM_NON_DATA); - retval = sctp_send_cookie_echo(m, offset, stcb, net); - if (retval < 0) { - /* - * No cookie, we probably should send a op error. But in any - * case if there is no cookie in the INIT-ACK, we can - * abandon the peer, its broke. - */ - if (retval == -3) { - uint16_t len; - - len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t)); - /* We abort with an error of missing mandatory param */ - op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA); - if (op_err != NULL) { - struct sctp_error_missing_param *cause; - - SCTP_BUF_LEN(op_err) = len; - cause = mtod(op_err, struct sctp_error_missing_param *); - /* Subtract the reserved param */ - cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM); - cause->cause.length = htons(len); - cause->num_missing_params = htonl(1); - cause->type[0] = htons(SCTP_STATE_COOKIE); - } - sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, - src, dst, sh, op_err, - mflowtype, mflowid, - vrf_id, net->port); - *abort_no_unlock = 1; - } - return (retval); - } - - return (0); + retval = sctp_send_cookie_echo(m, offset, initack_limit, stcb, net); + return (retval); } static void @@ -2157,8 +2151,8 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, ntohl(initack_cp->init.initiate_tag), vrf_id, ntohs(initack_cp->init.num_outbound_streams), port, - (struct thread *)NULL - ); + (struct thread *)NULL, + SCTP_DONT_INITIALIZE_AUTH_PARAMS); if (stcb == NULL) { struct mbuf *op_err; diff --git a/freebsd/sys/netinet/sctp_output.c b/freebsd/sys/netinet/sctp_output.c index cd4fcdc1..9221080d 100644 --- a/freebsd/sys/netinet/sctp_output.c +++ b/freebsd/sys/netinet/sctp_output.c @@ -4972,7 +4972,10 @@ sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked struct mbuf * sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, - int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly) + int param_offset, int *abort_processing, + struct sctp_chunkhdr *cp, + int *nat_friendly, + int *cookie_found) { /* * Given a mbuf containing an INIT or INIT-ACK with the param_offset @@ -4990,17 +4993,20 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, */ struct sctp_paramhdr *phdr, params; - struct mbuf *mat, *op_err; + struct mbuf *mat, *m_tmp, *op_err, *op_err_last; int at, limit, pad_needed; uint16_t ptype, plen, padded_size; - int err_at; *abort_processing = 0; + if (cookie_found != NULL) { + *cookie_found = 0; + } mat = in_initpkt; - err_at = 0; limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk); at = param_offset; op_err = NULL; + op_err_last = NULL; + pad_needed = 0; SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n"); phdr = sctp_get_next_param(mat, at, ¶ms, sizeof(params)); while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) { @@ -5023,12 +5029,17 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, switch (ptype) { /* Param's with variable size */ case SCTP_HEARTBEAT_INFO: - case SCTP_STATE_COOKIE: case SCTP_UNRECOG_PARAM: case SCTP_ERROR_CAUSE_IND: /* ok skip fwd */ at += padded_size; break; + case SCTP_STATE_COOKIE: + if (cookie_found != NULL) { + *cookie_found = 1; + } + at += padded_size; + break; /* Param's with variable size within a range */ case SCTP_CHUNK_LIST: case SCTP_SUPPORTED_CHUNK_EXT: @@ -5117,55 +5128,44 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, break; case SCTP_HOSTNAME_ADDRESS: { - /* We can NOT handle HOST NAME addresses!! */ + /* Hostname parameters are deprecated. */ + struct sctp_gen_error_cause *cause; int l_len; SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n"); *abort_processing = 1; - if (op_err == NULL) { - /* Ok need to try to get a mbuf */ + sctp_m_freem(op_err); + op_err = NULL; + op_err_last = NULL; #ifdef INET6 - l_len = SCTP_MIN_OVERHEAD; + l_len = SCTP_MIN_OVERHEAD; #else - l_len = SCTP_MIN_V4_OVERHEAD; + l_len = SCTP_MIN_V4_OVERHEAD; #endif - l_len += sizeof(struct sctp_chunkhdr); - l_len += sizeof(struct sctp_gen_error_cause); - op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA); - if (op_err) { - SCTP_BUF_LEN(op_err) = 0; - /* - * Pre-reserve space for IP, - * SCTP, and chunk header. - */ + l_len += sizeof(struct sctp_chunkhdr); + l_len += sizeof(struct sctp_gen_error_cause); + op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA); + if (op_err != NULL) { + /* + * Pre-reserve space for IP, SCTP, + * and chunk header. + */ #ifdef INET6 - SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); + SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); #else - SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); -#endif - SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); - SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); - } - } - if (op_err) { - /* If we have space */ - struct sctp_gen_error_cause cause; - - if (err_at % 4) { - uint32_t cpthis = 0; - - pad_needed = 4 - (err_at % 4); - m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis); - err_at += pad_needed; - } - cause.code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR); - cause.length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen)); - m_copyback(op_err, err_at, sizeof(struct sctp_gen_error_cause), (caddr_t)&cause); - err_at += sizeof(struct sctp_gen_error_cause); + SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); +#endif + SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); + SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); + SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause); + cause = mtod(op_err, struct sctp_gen_error_cause *); + cause->code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR); + cause->length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen)); SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT); if (SCTP_BUF_NEXT(op_err) == NULL) { sctp_m_freem(op_err); - return (NULL); + op_err = NULL; + op_err_last = NULL; } } return (op_err); @@ -5201,37 +5201,55 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, #endif SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); + op_err_last = op_err; } } - if (op_err) { + if (op_err != NULL) { /* If we have space */ - struct sctp_paramhdr s; - - if (err_at % 4) { - uint32_t cpthis = 0; + struct sctp_paramhdr *param; - pad_needed = 4 - (err_at % 4); - m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis); - err_at += pad_needed; + if (pad_needed > 0) { + op_err_last = sctp_add_pad_tombuf(op_err_last, pad_needed); } - s.param_type = htons(SCTP_UNRECOG_PARAM); - s.param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen); - m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)&s); - err_at += sizeof(struct sctp_paramhdr); - SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT); - if (SCTP_BUF_NEXT(op_err) == NULL) { + if (op_err_last == NULL) { + sctp_m_freem(op_err); + op_err = NULL; + op_err_last = NULL; + goto more_processing; + } + if (M_TRAILINGSPACE(op_err_last) < (int)sizeof(struct sctp_paramhdr)) { + m_tmp = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA); + if (m_tmp == NULL) { + sctp_m_freem(op_err); + op_err = NULL; + op_err_last = NULL; + goto more_processing; + } + SCTP_BUF_LEN(m_tmp) = 0; + SCTP_BUF_NEXT(m_tmp) = NULL; + SCTP_BUF_NEXT(op_err_last) = m_tmp; + op_err_last = m_tmp; + } + param = (struct sctp_paramhdr *)(mtod(op_err_last, caddr_t)+SCTP_BUF_LEN(op_err_last)); + param->param_type = htons(SCTP_UNRECOG_PARAM); + param->param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen); + SCTP_BUF_LEN(op_err_last) += sizeof(struct sctp_paramhdr); + SCTP_BUF_NEXT(op_err_last) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT); + if (SCTP_BUF_NEXT(op_err_last) == NULL) { sctp_m_freem(op_err); - /* - * we are out of memory but - * we still need to have a - * look at what to do (the - * system is in trouble - * though). - */ op_err = NULL; + op_err_last = NULL; goto more_processing; + } else { + while (SCTP_BUF_NEXT(op_err_last) != NULL) { + op_err_last = SCTP_BUF_NEXT(op_err_last); + } + } + if (plen % 4 != 0) { + pad_needed = 4 - (plen % 4); + } else { + pad_needed = 0; } - err_at += plen; } } more_processing: @@ -5252,7 +5270,11 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, invalid_size: SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n"); *abort_processing = 1; - if ((op_err == NULL) && phdr) { + sctp_m_freem(op_err); + op_err = NULL; + op_err_last = NULL; + if (phdr != NULL) { + struct sctp_paramhdr *param; int l_len; #ifdef INET6 l_len = SCTP_MIN_OVERHEAD; @@ -5271,25 +5293,15 @@ invalid_size: #endif SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); + SCTP_BUF_LEN(op_err) = 2 * sizeof(struct sctp_paramhdr); + param = mtod(op_err, struct sctp_paramhdr *); + param->param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION); + param->param_length = htons(2 * sizeof(struct sctp_paramhdr)); + param++; + param->param_type = htons(ptype); + param->param_length = htons(plen); } } - if ((op_err) && phdr) { - struct sctp_paramhdr s; - - if (err_at % 4) { - uint32_t cpthis = 0; - - pad_needed = 4 - (err_at % 4); - m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis); - err_at += pad_needed; - } - s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION); - s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr)); - m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s); - err_at += sizeof(s); - /* Only copy back the p-hdr that caused the issue */ - m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr); - } return (op_err); } @@ -5569,7 +5581,9 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb, abort_flag = 0; op_err = sctp_arethere_unrecognized_parameters(init_pkt, (offset + sizeof(struct sctp_init_chunk)), - &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly); + &abort_flag, + (struct sctp_chunkhdr *)init_chk, + &nat_friendly, NULL); if (abort_flag) { do_a_abort: if (op_err == NULL) { @@ -5588,8 +5602,7 @@ do_a_abort: m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); if (m == NULL) { /* No memory, INIT timer will re-attempt. */ - if (op_err) - sctp_m_freem(op_err); + sctp_m_freem(op_err); return; } chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk); @@ -5778,8 +5791,11 @@ do_a_abort: net->ro._s_addr = sctp_source_address_selection(inp, stcb, (sctp_route_t *)&net->ro, net, 0, vrf_id); - if (net->ro._s_addr == NULL) + if (net->ro._s_addr == NULL) { + sctp_m_freem(op_err); + sctp_m_freem(m); return; + } net->src_addr_selected = 1; @@ -5808,8 +5824,11 @@ do_a_abort: net->ro._s_addr = sctp_source_address_selection(inp, stcb, (sctp_route_t *)&net->ro, net, 0, vrf_id); - if (net->ro._s_addr == NULL) + if (net->ro._s_addr == NULL) { + sctp_m_freem(op_err); + sctp_m_freem(m); return; + } net->src_addr_selected = 1; } @@ -5880,6 +5899,7 @@ do_a_abort: so = inp->sctp_socket; if (so == NULL) { /* memory problem */ + sctp_m_freem(op_err); sctp_m_freem(m); return; } else { @@ -8996,7 +9016,7 @@ sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err) int sctp_send_cookie_echo(struct mbuf *m, - int offset, + int offset, int limit, struct sctp_tcb *stcb, struct sctp_nets *net) { @@ -9022,18 +9042,30 @@ sctp_send_cookie_echo(struct mbuf *m, } ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); + if (plen < sizeof(struct sctp_paramhdr)) { + return (-6); + } if (ptype == SCTP_STATE_COOKIE) { int pad; /* found the cookie */ - if ((pad = (plen % 4))) { - plen += 4 - pad; + if (at + plen > limit) { + return (-7); } cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT); if (cookie == NULL) { /* No memory */ return (-2); } + if ((pad = (plen % 4)) > 0) { + pad = 4 - pad; + } + if (pad > 0) { + cookie = sctp_pad_lastmbuf(cookie, pad, NULL); + if (cookie == NULL) { + return (-8); + } + } #ifdef SCTP_MBUF_LOGGING if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { sctp_log_mbc(cookie, SCTP_MBUF_ICOPY); @@ -9059,7 +9091,7 @@ sctp_send_cookie_echo(struct mbuf *m, chk->rec.chunk_id.id = SCTP_COOKIE_ECHO; chk->rec.chunk_id.can_take_data = 0; chk->flags = CHUNK_FLAGS_FRAGMENT_OK; - chk->send_size = plen; + chk->send_size = SCTP_SIZE32(plen); chk->sent = SCTP_DATAGRAM_UNSENT; chk->snd_count = 0; chk->asoc = &stcb->asoc; @@ -9085,7 +9117,6 @@ sctp_send_heartbeat_ack(struct sctp_tcb *stcb, struct sctp_chunkhdr *chdr; struct sctp_tmit_chunk *chk; - if (net == NULL) /* must have a net pointer */ return; @@ -9103,13 +9134,8 @@ sctp_send_heartbeat_ack(struct sctp_tcb *stcb, chdr = mtod(outchain, struct sctp_chunkhdr *); chdr->chunk_type = SCTP_HEARTBEAT_ACK; chdr->chunk_flags = 0; - if (chk_length % 4) { - /* need pad */ - uint32_t cpthis = 0; - int padlen; - - padlen = 4 - (chk_length % 4); - m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis); + if (chk_length % 4 != 0) { + sctp_pad_lastmbuf(outchain, 4 - (chk_length % 4), NULL); } sctp_alloc_a_chunk(stcb, chk); if (chk == NULL) { @@ -12535,7 +12561,7 @@ sctp_lower_sosend(struct socket *so, struct thread *p ) { - ssize_t sndlen = 0, max_len; + ssize_t sndlen = 0, max_len, local_add_more; int error, len; struct mbuf *top = NULL; int queue_only = 0, queue_only_for_init = 0; @@ -12557,7 +12583,6 @@ sctp_lower_sosend(struct socket *so, int got_all_of_the_send = 0; int hold_tcblock = 0; int non_blocking = 0; - uint32_t local_add_more; ssize_t local_soresv = 0; uint16_t port; uint16_t sinfo_flags; @@ -12654,6 +12679,12 @@ sctp_lower_sosend(struct socket *so, sinfo_flags = inp->def_send.sinfo_flags; sinfo_assoc_id = inp->def_send.sinfo_assoc_id; } + if (flags & MSG_EOR) { + sinfo_flags |= SCTP_EOR; + } + if (flags & MSG_EOF) { + sinfo_flags |= SCTP_EOF; + } if (sinfo_flags & SCTP_SENDALL) { /* its a sendall */ error = sctp_sendall(inp, uio, top, srcv); @@ -12771,7 +12802,8 @@ sctp_lower_sosend(struct socket *so, stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id, inp->sctp_ep.pre_open_stream_count, inp->sctp_ep.port, - p); + p, + SCTP_INITIALIZE_AUTH_PARAMS); if (stcb == NULL) { /* Error is setup for us in the call */ goto out_unlocked; @@ -12800,9 +12832,6 @@ sctp_lower_sosend(struct socket *so, SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT); (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); - /* initialize authentication params for the assoc */ - sctp_initialize_auth_params(inp, stcb); - if (control) { if (sctp_process_cmsgs_for_init(stcb, control, &error)) { sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE, @@ -12823,9 +12852,17 @@ sctp_lower_sosend(struct socket *so, } } else asoc = &stcb->asoc; - if (srcv == NULL) + if (srcv == NULL) { srcv = (struct sctp_sndrcvinfo *)&asoc->def_send; - if (srcv->sinfo_flags & SCTP_ADDR_OVER) { + sinfo_flags = srcv->sinfo_flags; + if (flags & MSG_EOR) { + sinfo_flags |= SCTP_EOR; + } + if (flags & MSG_EOF) { + sinfo_flags |= SCTP_EOF; + } + } + if (sinfo_flags & SCTP_ADDR_OVER) { if (addr) net = sctp_findnet(stcb, addr); else @@ -12849,7 +12886,7 @@ sctp_lower_sosend(struct socket *so, free_cnt_applied = 1; if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) { - if (sndlen > asoc->smallest_mtu) { + if (sndlen > (ssize_t)asoc->smallest_mtu) { SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE); error = EMSGSIZE; goto out_unlocked; @@ -12877,7 +12914,7 @@ sctp_lower_sosend(struct socket *so, if ((SCTP_SB_LIMIT_SND(so) < (amount + inqueue_bytes + stcb->asoc.sb_send_resv)) || (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) { SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK); - if (sndlen > SCTP_SB_LIMIT_SND(so)) + if (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(so)) error = EMSGSIZE; else error = EWOULDBLOCK; @@ -12932,7 +12969,7 @@ sctp_lower_sosend(struct socket *so, (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) || (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) || (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) { - if (srcv->sinfo_flags & SCTP_ABORT) { + if (sinfo_flags & SCTP_ABORT) { ; } else { SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET); @@ -12947,7 +12984,7 @@ sctp_lower_sosend(struct socket *so, } #endif /* __rtems__ */ /* Are we aborting? */ - if (srcv->sinfo_flags & SCTP_ABORT) { + if (sinfo_flags & SCTP_ABORT) { struct mbuf *mm; ssize_t tot_demand, tot_out = 0, max_out; @@ -13061,7 +13098,7 @@ sctp_lower_sosend(struct socket *so, /* Unless E_EOR mode is on, we must make a send FIT in one call. */ if ((user_marks_eor == 0) && - (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) { + (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(stcb->sctp_socket))) { /* It will NEVER fit */ SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE); error = EMSGSIZE; @@ -13078,20 +13115,20 @@ sctp_lower_sosend(struct socket *so, } if (user_marks_eor) { - local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold)); + local_add_more = (ssize_t)min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold)); } else { /*- * For non-eeor the whole message must fit in * the socket send buffer. */ - local_add_more = (uint32_t)sndlen; + local_add_more = sndlen; } len = 0; if (non_blocking) { goto skip_preblock; } if (((max_len <= local_add_more) && - (SCTP_SB_LIMIT_SND(so) >= local_add_more)) || + ((ssize_t)SCTP_SB_LIMIT_SND(so) >= local_add_more)) || (max_len == 0) || ((stcb->asoc.chunks_on_out_queue + stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) { /* No room right now ! */ @@ -13099,7 +13136,7 @@ sctp_lower_sosend(struct socket *so, inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb)); while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) || ((stcb->asoc.stream_queue_cnt + stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) { - SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n", + SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %zd) || (%d+%d > %d)\n", (unsigned int)SCTP_SB_LIMIT_SND(so), inqueue_bytes, local_add_more, @@ -13151,7 +13188,7 @@ skip_preblock: * case NOTE: uio will be null when top/mbuf is passed */ if (sndlen == 0) { - if (srcv->sinfo_flags & SCTP_EOF) { + if (sinfo_flags & SCTP_EOF) { got_all_of_the_send = 1; goto dataless_eof; } else { @@ -13200,7 +13237,7 @@ skip_preblock: } sctp_snd_sb_alloc(stcb, sp->length); atomic_add_int(&asoc->stream_queue_cnt, 1); - if (srcv->sinfo_flags & SCTP_UNORDERED) { + if (sinfo_flags & SCTP_UNORDERED) { SCTP_STAT_INCR(sctps_sends_with_unord); } TAILQ_INSERT_TAIL(&strm->outqueue, sp, next); @@ -13232,7 +13269,7 @@ skip_preblock: else max_len = 0; - if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) || + if ((max_len > (ssize_t)SCTP_BASE_SYSCTL(sctp_add_more_threshold)) || (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) || (uio->uio_resid && (uio->uio_resid <= max_len))) { sndout = 0; @@ -13275,15 +13312,15 @@ skip_preblock: sctp_snd_sb_alloc(stcb, sndout); atomic_add_int(&sp->length, sndout); len += sndout; - if (srcv->sinfo_flags & SCTP_SACK_IMMEDIATELY) { + if (sinfo_flags & SCTP_SACK_IMMEDIATELY) { sp->sinfo_flags |= SCTP_SACK_IMMEDIATELY; } /* Did we reach EOR? */ if ((uio->uio_resid == 0) && ((user_marks_eor == 0) || - (srcv->sinfo_flags & SCTP_EOF) || - (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) { + (sinfo_flags & SCTP_EOF) || + (user_marks_eor && (sinfo_flags & SCTP_EOR)))) { sp->msg_is_complete = 1; } else { sp->msg_is_complete = 0; @@ -13401,10 +13438,10 @@ skip_preblock: stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED); } - if (hold_tcblock == 1) { - SCTP_TCB_UNLOCK(stcb); - hold_tcblock = 0; - } + } + if (hold_tcblock == 1) { + SCTP_TCB_UNLOCK(stcb); + hold_tcblock = 0; } SOCKBUF_LOCK(&so->so_snd); /*- @@ -13485,7 +13522,7 @@ skip_preblock: /* We send in a 0, since we do NOT have any locks */ error = sctp_msg_append(stcb, net, top, srcv, 0); top = NULL; - if (srcv->sinfo_flags & SCTP_EOF) { + if (sinfo_flags & SCTP_EOF) { /* * This should only happen for Panda for the mbuf * send case, which does NOT yet support EEOR mode. @@ -13500,7 +13537,7 @@ skip_preblock: } dataless_eof: /* EOF thing ? */ - if ((srcv->sinfo_flags & SCTP_EOF) && + if ((sinfo_flags & SCTP_EOF) && (got_all_of_the_send == 1)) { SCTP_STAT_INCR(sctps_sends_with_eof); error = 0; diff --git a/freebsd/sys/netinet/sctp_output.h b/freebsd/sys/netinet/sctp_output.h index 1b3d22d9..6d78cf90 100644 --- a/freebsd/sys/netinet/sctp_output.h +++ b/freebsd/sys/netinet/sctp_output.h @@ -92,11 +92,11 @@ sctp_send_initiate_ack(struct sctp_inpcb *, struct sctp_tcb *, struct mbuf * sctp_arethere_unrecognized_parameters(struct mbuf *, int, int *, - struct sctp_chunkhdr *, int *); + struct sctp_chunkhdr *, int *, int *); void sctp_queue_op_err(struct sctp_tcb *, struct mbuf *); int -sctp_send_cookie_echo(struct mbuf *, int, struct sctp_tcb *, +sctp_send_cookie_echo(struct mbuf *, int, int, struct sctp_tcb *, struct sctp_nets *); void sctp_send_cookie_ack(struct sctp_tcb *); diff --git a/freebsd/sys/netinet/sctp_pcb.c b/freebsd/sys/netinet/sctp_pcb.c index 3d479149..10e4768e 100644 --- a/freebsd/sys/netinet/sctp_pcb.c +++ b/freebsd/sys/netinet/sctp_pcb.c @@ -4194,8 +4194,8 @@ struct sctp_tcb * sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr, int *error, uint32_t override_tag, uint32_t vrf_id, uint16_t o_streams, uint16_t port, - struct thread *p -) + struct thread *p, + int initialize_auth_params) { /* note the p argument is only valid in unbound sockets */ @@ -4425,6 +4425,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr, inp->sctp_hashmark)]; LIST_INSERT_HEAD(head, stcb, sctp_tcbhash); } + if (initialize_auth_params == SCTP_INITIALIZE_AUTH_PARAMS) { + sctp_initialize_auth_params(inp, stcb); + } SCTP_INP_WUNLOCK(inp); SCTPDBG(SCTP_DEBUG_PCB1, "Association %p now allocated\n", (void *)stcb); return (stcb); @@ -4913,12 +4916,11 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre inp->sctp_flags |= SCTP_PCB_FLAGS_WAS_CONNECTED; if (so) { SOCKBUF_LOCK(&so->so_rcv); - if (so->so_rcv.sb_cc == 0) { - so->so_state &= ~(SS_ISCONNECTING | - SS_ISDISCONNECTING | - SS_ISCONFIRMING | - SS_ISCONNECTED); - } + so->so_state &= ~(SS_ISCONNECTING | + SS_ISDISCONNECTING | + SS_ISCONFIRMING | + SS_ISCONNECTED); + so->so_state |= SS_ISDISCONNECTED; socantrcvmore_locked(so); socantsendmore(so); sctp_sowwakeup(inp, so); @@ -5776,7 +5778,7 @@ sctp_startup_mcore_threads(void) #endif void -sctp_pcb_init() +sctp_pcb_init(void) { /* * SCTP initialization for the PCB structures should be called by diff --git a/freebsd/sys/netinet/sctp_pcb.h b/freebsd/sys/netinet/sctp_pcb.h index 5b41ae8a..0f5aca88 100644 --- a/freebsd/sys/netinet/sctp_pcb.h +++ b/freebsd/sys/netinet/sctp_pcb.h @@ -578,9 +578,13 @@ int sctp_is_address_on_local_host(struct sockaddr *addr, uint32_t vrf_id); void sctp_inpcb_free(struct sctp_inpcb *, int, int); +#define SCTP_DONT_INITIALIZE_AUTH_PARAMS 0 +#define SCTP_INITIALIZE_AUTH_PARAMS 1 + struct sctp_tcb * sctp_aloc_assoc(struct sctp_inpcb *, struct sockaddr *, - int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *); + int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *, + int); int sctp_free_assoc(struct sctp_inpcb *, struct sctp_tcb *, int, int); diff --git a/freebsd/sys/netinet/sctp_usrreq.c b/freebsd/sys/netinet/sctp_usrreq.c index 39132719..01759156 100644 --- a/freebsd/sys/netinet/sctp_usrreq.c +++ b/freebsd/sys/netinet/sctp_usrreq.c @@ -967,9 +967,9 @@ sctp_shutdown(struct socket *so) abort_anyway: op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, ""); stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_USRREQ + SCTP_LOC_6; + SCTP_INP_RUNLOCK(inp); sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_LOCKED); - SCTP_INP_RUNLOCK(inp); return (0); } } @@ -1445,8 +1445,8 @@ sctp_do_connect_x(struct socket *so, struct sctp_inpcb *inp, void *optval, stcb = sctp_aloc_assoc(inp, sa, &error, 0, vrf_id, inp->sctp_ep.pre_open_stream_count, inp->sctp_ep.port, - (struct thread *)p - ); + (struct thread *)p, + SCTP_INITIALIZE_AUTH_PARAMS); if (stcb == NULL) { /* Gak! no memory */ goto out_now; @@ -1482,9 +1482,6 @@ sctp_do_connect_x(struct socket *so, struct sctp_inpcb *inp, void *optval, a_id = (sctp_assoc_t *)optval; *a_id = sctp_get_associd(stcb); - /* initialize authentication parameters for the assoc */ - sctp_initialize_auth_params(inp, stcb); - if (delay) { /* doing delayed connection */ stcb->asoc.delayed_connection = 1; @@ -7027,7 +7024,8 @@ sctp_connect(struct socket *so, struct sockaddr *addr, struct thread *p) /* We are GOOD to go */ stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id, inp->sctp_ep.pre_open_stream_count, - inp->sctp_ep.port, p); + inp->sctp_ep.port, p, + SCTP_INITIALIZE_AUTH_PARAMS); if (stcb == NULL) { /* Gak! no memory */ goto out_now; @@ -7040,9 +7038,6 @@ sctp_connect(struct socket *so, struct sockaddr *addr, struct thread *p) SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT); (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); - /* initialize authentication parameters for the assoc */ - sctp_initialize_auth_params(inp, stcb); - sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED); SCTP_TCB_UNLOCK(stcb); out_now: @@ -7236,28 +7231,56 @@ sctp_accept(struct socket *so, struct sockaddr **addr) SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); return (ECONNRESET); } - SCTP_INP_RLOCK(inp); + SCTP_INP_WLOCK(inp); if (inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) { - SCTP_INP_RUNLOCK(inp); + SCTP_INP_WUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EOPNOTSUPP); return (EOPNOTSUPP); } if (so->so_state & SS_ISDISCONNECTED) { - SCTP_INP_RUNLOCK(inp); + SCTP_INP_WUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, ECONNABORTED); return (ECONNABORTED); } stcb = LIST_FIRST(&inp->sctp_asoc_list); if (stcb == NULL) { - SCTP_INP_RUNLOCK(inp); + SCTP_INP_WUNLOCK(inp); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); return (ECONNRESET); } SCTP_TCB_LOCK(stcb); - SCTP_INP_RUNLOCK(inp); store = stcb->asoc.primary_destination->ro._l_addr; SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE); - SCTP_TCB_UNLOCK(stcb); + /* Wake any delayed sleep action */ + if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { + inp->sctp_flags &= ~SCTP_PCB_FLAGS_DONT_WAKE; + if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEOUTPUT) { + inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEOUTPUT; + SOCKBUF_LOCK(&inp->sctp_socket->so_snd); + if (sowriteable(inp->sctp_socket)) { + sowwakeup_locked(inp->sctp_socket); + } else { + SOCKBUF_UNLOCK(&inp->sctp_socket->so_snd); + } + } + if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEINPUT) { + inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEINPUT; + SOCKBUF_LOCK(&inp->sctp_socket->so_rcv); + if (soreadable(inp->sctp_socket)) { + sctp_defered_wakeup_cnt++; + sorwakeup_locked(inp->sctp_socket); + } else { + SOCKBUF_UNLOCK(&inp->sctp_socket->so_rcv); + } + } + } + SCTP_INP_WUNLOCK(inp); + if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { + sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, + SCTP_FROM_SCTP_USRREQ + SCTP_LOC_19); + } else { + SCTP_TCB_UNLOCK(stcb); + } switch (store.sa.sa_family) { #ifdef INET case AF_INET: @@ -7299,40 +7322,6 @@ sctp_accept(struct socket *so, struct sockaddr **addr) /* TSNH */ break; } - /* Wake any delayed sleep action */ - if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { - SCTP_INP_WLOCK(inp); - inp->sctp_flags &= ~SCTP_PCB_FLAGS_DONT_WAKE; - if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEOUTPUT) { - inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEOUTPUT; - SCTP_INP_WUNLOCK(inp); - SOCKBUF_LOCK(&inp->sctp_socket->so_snd); - if (sowriteable(inp->sctp_socket)) { - sowwakeup_locked(inp->sctp_socket); - } else { - SOCKBUF_UNLOCK(&inp->sctp_socket->so_snd); - } - SCTP_INP_WLOCK(inp); - } - if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEINPUT) { - inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEINPUT; - SCTP_INP_WUNLOCK(inp); - SOCKBUF_LOCK(&inp->sctp_socket->so_rcv); - if (soreadable(inp->sctp_socket)) { - sctp_defered_wakeup_cnt++; - sorwakeup_locked(inp->sctp_socket); - } else { - SOCKBUF_UNLOCK(&inp->sctp_socket->so_rcv); - } - SCTP_INP_WLOCK(inp); - } - SCTP_INP_WUNLOCK(inp); - } - if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { - SCTP_TCB_LOCK(stcb); - sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, - SCTP_FROM_SCTP_USRREQ + SCTP_LOC_19); - } return (0); } diff --git a/freebsd/sys/netinet/sctputil.c b/freebsd/sys/netinet/sctputil.c index ba7a43a0..c7d4499c 100644 --- a/freebsd/sys/netinet/sctputil.c +++ b/freebsd/sys/netinet/sctputil.c @@ -5928,7 +5928,7 @@ get_more_data: } if ((uio->uio_resid == 0) || ((in_eeor_mode) && - (copied_so_far >= (uint32_t)max(so->so_rcv.sb_lowat, 1)))) { + (copied_so_far >= max(so->so_rcv.sb_lowat, 1)))) { goto release; } /* diff --git a/freebsd/sys/netinet/tcp_hpts.h b/freebsd/sys/netinet/tcp_hpts.h index 04c86769..ea15bc1a 100644 --- a/freebsd/sys/netinet/tcp_hpts.h +++ b/freebsd/sys/netinet/tcp_hpts.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2016-2018 Netflix Inc. + * Copyright (c) 2016-2018 Netflix, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/freebsd/sys/netinet/tcp_input.c b/freebsd/sys/netinet/tcp_input.c index e1fa55c7..05891306 100644 --- a/freebsd/sys/netinet/tcp_input.c +++ b/freebsd/sys/netinet/tcp_input.c @@ -1508,7 +1508,6 @@ tcp_autorcvbuf(struct mbuf *m, struct tcphdr *th, struct socket *so, } else { tp->rfbuf_cnt += tlen; /* add up */ } - return (newsize); } @@ -2287,7 +2286,8 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so, * DSACK - add SACK block for dropped range */ if (tp->t_flags & TF_SACK_PERMIT) { - tcp_update_sack_list(tp, th->th_seq, th->th_seq+tlen); + tcp_update_sack_list(tp, th->th_seq, + th->th_seq + todrop); /* * ACK now, as the next in-sequence segment * will clear the DSACK block again @@ -3067,28 +3067,35 @@ dodata: /* XXX */ thflags = tcp_reass(tp, th, &temp, &tlen, m); tp->t_flags |= TF_ACKNOW; } - if (tp->t_flags & TF_SACK_PERMIT) { - if (((tlen == 0) && (save_tlen > 0) && - (SEQ_LT(save_start, save_rnxt)))) { + if ((tp->t_flags & TF_SACK_PERMIT) && (save_tlen > 0)) { + if ((tlen == 0) && (SEQ_LT(save_start, save_rnxt))) { /* * DSACK actually handled in the fastpath * above. */ - tcp_update_sack_list(tp, save_start, save_start + save_tlen); - } else - if ((tlen > 0) && SEQ_GT(tp->rcv_nxt, save_rnxt)) { - /* - * Cleaning sackblks by using zero length - * update. - */ - tcp_update_sack_list(tp, save_start, save_start); - } else - if ((tlen > 0) && (tlen >= save_tlen)) { + tcp_update_sack_list(tp, save_start, + save_start + save_tlen); + } else if ((tlen > 0) && SEQ_GT(tp->rcv_nxt, save_rnxt)) { + if ((tp->rcv_numsacks >= 1) && + (tp->sackblks[0].end == save_start)) { + /* + * Partial overlap, recorded at todrop + * above. + */ + tcp_update_sack_list(tp, + tp->sackblks[0].start, + tp->sackblks[0].end); + } else { + tcp_update_dsack_list(tp, save_start, + save_start + save_tlen); + } + } else if (tlen >= save_tlen) { /* Update of sackblks. */ - tcp_update_sack_list(tp, save_start, save_start + save_tlen); - } else - if (tlen > 0) { - tcp_update_sack_list(tp, save_start, save_start+tlen); + tcp_update_dsack_list(tp, save_start, + save_start + save_tlen); + } else if (tlen > 0) { + tcp_update_dsack_list(tp, save_start, + save_start + tlen); } } #if 0 diff --git a/freebsd/sys/netinet/tcp_log_buf.h b/freebsd/sys/netinet/tcp_log_buf.h index e569395a..0662d1b5 100644 --- a/freebsd/sys/netinet/tcp_log_buf.h +++ b/freebsd/sys/netinet/tcp_log_buf.h @@ -1,8 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause-FreeBSD * - * Copyright (c) 2016-2018 - * Netflix Inc. All rights reserved. + * Copyright (c) 2016-2018 Netflix, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/freebsd/sys/netinet/tcp_output.c b/freebsd/sys/netinet/tcp_output.c index 3d0a78d0..3e024fdb 100644 --- a/freebsd/sys/netinet/tcp_output.c +++ b/freebsd/sys/netinet/tcp_output.c @@ -1509,7 +1509,13 @@ timer: if (SEQ_GT(tp->snd_nxt + xlen, tp->snd_max)) tp->snd_max = tp->snd_nxt + xlen; } - + if ((error == 0) && + (TCPS_HAVEESTABLISHED(tp->t_state) && + (tp->t_flags & TF_SACK_PERMIT) && + tp->rcv_numsacks > 0)) { + /* Clean up any DSACK's sent */ + tcp_clean_dsack_blocks(tp); + } if (error) { /* Record the error. */ TCP_LOG_EVENT(tp, NULL, &so->so_rcv, &so->so_snd, TCP_LOG_OUT, diff --git a/freebsd/sys/netinet/tcp_sack.c b/freebsd/sys/netinet/tcp_sack.c index 0f536f6c..6d6198dd 100644 --- a/freebsd/sys/netinet/tcp_sack.c +++ b/freebsd/sys/netinet/tcp_sack.c @@ -151,6 +151,108 @@ SYSCTL_INT(_net_inet_tcp_sack, OID_AUTO, globalholes, CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(tcp_sack_globalholes), 0, "Global number of TCP SACK holes currently allocated"); + +/* + * This function will find overlaps with the currently stored sackblocks + * and add any overlap as a dsack block upfront + */ +void +tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end) +{ + struct sackblk head_blk,mid_blk,saved_blks[MAX_SACK_BLKS]; + int i, j, n, identical; + tcp_seq start, end; + + INP_WLOCK_ASSERT(tp->t_inpcb); + + KASSERT(SEQ_LT(rcv_start, rcv_end), ("rcv_start < rcv_end")); + + if (tp->t_inpcb->inp_socket->so_options & SO_DEBUG) { + log(LOG_DEBUG, "\nDSACK update: %d..%d, rcv_nxt: %u\n", + rcv_start, rcv_end, tp->rcv_nxt); + } + + if (SEQ_LT(rcv_end, tp->rcv_nxt) || + ((rcv_end == tp->rcv_nxt) && + (tp->rcv_numsacks > 0 ) && + (tp->sackblks[0].end == tp->rcv_nxt))) { + saved_blks[0].start = rcv_start; + saved_blks[0].end = rcv_end; + } else { + saved_blks[0].start = saved_blks[0].end = 0; + } + + head_blk.start = head_blk.end = 0; + mid_blk.start = rcv_start; + mid_blk.end = rcv_end; + identical = 0; + + for (i = 0; i < tp->rcv_numsacks; i++) { + start = tp->sackblks[i].start; + end = tp->sackblks[i].end; + if (SEQ_LT(rcv_end, start)) { + /* pkt left to sack blk */ + continue; + } + if (SEQ_GT(rcv_start, end)) { + /* pkt right to sack blk */ + continue; + } + if (SEQ_GT(tp->rcv_nxt, end)) { + if ((SEQ_MAX(rcv_start, start) != SEQ_MIN(rcv_end, end)) && + (SEQ_GT(head_blk.start, SEQ_MAX(rcv_start, start)) || + (head_blk.start == head_blk.end))) { + head_blk.start = SEQ_MAX(rcv_start, start); + head_blk.end = SEQ_MIN(rcv_end, end); + } + continue; + } + if (((head_blk.start == head_blk.end) || + SEQ_LT(start, head_blk.start)) && + (SEQ_GT(end, rcv_start) && + SEQ_LEQ(start, rcv_end))) { + head_blk.start = start; + head_blk.end = end; + } + mid_blk.start = SEQ_MIN(mid_blk.start, start); + mid_blk.end = SEQ_MAX(mid_blk.end, end); + if ((mid_blk.start == start) && + (mid_blk.end == end)) + identical = 1; + } + if (SEQ_LT(head_blk.start, head_blk.end)) { + /* store overlapping range */ + saved_blks[0].start = SEQ_MAX(rcv_start, head_blk.start); + saved_blks[0].end = SEQ_MIN(rcv_end, head_blk.end); + } + n = 1; + /* + * Second, if not ACKed, store the SACK block that + * overlaps with the DSACK block unless it is identical + */ + if ((SEQ_LT(tp->rcv_nxt, mid_blk.end) && + !((mid_blk.start == saved_blks[0].start) && + (mid_blk.end == saved_blks[0].end))) || + identical == 1) { + saved_blks[n].start = mid_blk.start; + saved_blks[n++].end = mid_blk.end; + } + for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) { + if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) || + SEQ_GT(tp->sackblks[j].start, mid_blk.end)) && + (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt)))) + saved_blks[n++] = tp->sackblks[j]; + } + j = 0; + for (i = 0; i < n; i++) { + /* we can end up with a stale inital entry */ + if (SEQ_LT(saved_blks[i].start, saved_blks[i].end)) { + tp->sackblks[j++] = saved_blks[i]; + } + } + tp->rcv_numsacks = j; +} + /* * This function is called upon receipt of new valid data (while not in * header prediction mode), and it updates the ordered list of sacks. @@ -172,9 +274,16 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end) /* Check arguments. */ KASSERT(SEQ_LEQ(rcv_start, rcv_end), ("rcv_start <= rcv_end")); - /* SACK block for the received segment. */ - head_blk.start = rcv_start; - head_blk.end = rcv_end; + if ((rcv_start == rcv_end) && + (tp->rcv_numsacks >= 1) && + (rcv_end == tp->sackblks[0].end)) { + /* retaining DSACK block below rcv_nxt (todrop) */ + head_blk = tp->sackblks[0]; + } else { + /* SACK block for the received segment. */ + head_blk.start = rcv_start; + head_blk.end = rcv_end; + } /* * Merge updated SACK blocks into head_blk, and save unchanged SACK @@ -269,6 +378,10 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end) if (num_saved >= MAX_SACK_BLKS) num_saved--; } + if ((rcv_start == rcv_end) && + (rcv_start == tp->sackblks[0].end)) { + num_head = 1; + } if (num_saved > 0) { /* * Copy the saved SACK blocks back. @@ -281,6 +394,45 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end) tp->rcv_numsacks = num_head + num_saved; } +void +tcp_clean_dsack_blocks(struct tcpcb *tp) +{ + struct sackblk saved_blks[MAX_SACK_BLKS]; + int num_saved, i; + + INP_WLOCK_ASSERT(tp->t_inpcb); + /* + * Clean up any DSACK blocks that + * are in our queue of sack blocks. + * + */ + num_saved = 0; + for (i = 0; i < tp->rcv_numsacks; i++) { + tcp_seq start = tp->sackblks[i].start; + tcp_seq end = tp->sackblks[i].end; + if (SEQ_GEQ(start, end) || SEQ_LEQ(start, tp->rcv_nxt)) { + /* + * Discard this D-SACK block. + */ + continue; + } + /* + * Save this SACK block. + */ + saved_blks[num_saved].start = start; + saved_blks[num_saved].end = end; + num_saved++; + } + if (num_saved > 0) { + /* + * Copy the saved SACK blocks back. + */ + bcopy(saved_blks, &tp->sackblks[0], + sizeof(struct sackblk) * num_saved); + } + tp->rcv_numsacks = num_saved; +} + /* * Delete all receiver-side SACK information. */ diff --git a/freebsd/sys/netinet/tcp_subr.c b/freebsd/sys/netinet/tcp_subr.c index db2b2661..44ec38c7 100644 --- a/freebsd/sys/netinet/tcp_subr.c +++ b/freebsd/sys/netinet/tcp_subr.c @@ -201,6 +201,11 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(tcp_do_rfc1323), 0, "Enable rfc1323 (high performance TCP) extensions"); +VNET_DEFINE(int, tcp_ts_offset_per_conn) = 1; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, ts_offset_per_conn, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(tcp_ts_offset_per_conn), 0, + "Initialize TCP timestamps per connection instead of per host pair"); + static int tcp_log_debug = 0; SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_debug, CTLFLAG_RW, &tcp_log_debug, 0, "Log errors caused by incoming TCP segments"); @@ -819,8 +824,12 @@ register_tcp_functions_as_names(struct tcp_function_block *blk, int wait, } } + if (blk->tfb_flags & TCP_FUNC_BEING_REMOVED) { + *num_names = 0; + return (EINVAL); + } + refcount_init(&blk->tfb_refcnt, 0); - blk->tfb_flags = 0; blk->tfb_id = atomic_fetchadd_int(&next_tcp_stack_id, 1); for (i = 0; i < *num_names; i++) { n = malloc(sizeof(struct tcp_function), M_TCPFUNCTIONS, wait); @@ -2651,7 +2660,17 @@ tcp_keyed_hash(struct in_conninfo *inc, u_char *key, u_int len) uint32_t tcp_new_ts_offset(struct in_conninfo *inc) { - return (tcp_keyed_hash(inc, V_ts_offset_secret, + struct in_conninfo inc_store, *local_inc; + + if (!V_tcp_ts_offset_per_conn) { + memcpy(&inc_store, inc, sizeof(struct in_conninfo)); + inc_store.inc_lport = 0; + inc_store.inc_fport = 0; + local_inc = &inc_store; + } else { + local_inc = inc; + } + return (tcp_keyed_hash(local_inc, V_ts_offset_secret, sizeof(V_ts_offset_secret))); } diff --git a/freebsd/sys/netinet/tcp_var.h b/freebsd/sys/netinet/tcp_var.h index 2fbe07ad..cca8623e 100644 --- a/freebsd/sys/netinet/tcp_var.h +++ b/freebsd/sys/netinet/tcp_var.h @@ -798,6 +798,7 @@ VNET_DECLARE(struct inpcbinfo, tcbinfo); #define V_tcp_do_autosndbuf VNET(tcp_do_autosndbuf) #define V_tcp_do_ecn VNET(tcp_do_ecn) #define V_tcp_do_rfc1323 VNET(tcp_do_rfc1323) +#define V_tcp_ts_offset_per_conn VNET(tcp_ts_offset_per_conn) #define V_tcp_do_rfc3042 VNET(tcp_do_rfc3042) #define V_tcp_do_rfc3390 VNET(tcp_do_rfc3390) #define V_tcp_do_rfc3465 VNET(tcp_do_rfc3465) @@ -934,7 +935,9 @@ uint32_t tcp_new_ts_offset(struct in_conninfo *); tcp_seq tcp_new_isn(struct in_conninfo *); int tcp_sack_doack(struct tcpcb *, struct tcpopt *, tcp_seq); +void tcp_update_dsack_list(struct tcpcb *, tcp_seq, tcp_seq); void tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_laststart, tcp_seq rcv_lastend); +void tcp_clean_dsack_blocks(struct tcpcb *tp); void tcp_clean_sackreport(struct tcpcb *tp); void tcp_sack_adjust(struct tcpcb *tp); struct sackhole *tcp_sack_output(struct tcpcb *tp, int *sack_bytes_rexmt); diff --git a/freebsd/sys/netinet/udp_usrreq.c b/freebsd/sys/netinet/udp_usrreq.c index 33b89c21..f89660d6 100644 --- a/freebsd/sys/netinet/udp_usrreq.c +++ b/freebsd/sys/netinet/udp_usrreq.c @@ -1162,9 +1162,23 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, src.sin_family = 0; sin = (struct sockaddr_in *)addr; +retry: if (sin == NULL || (inp->inp_laddr.s_addr == INADDR_ANY && inp->inp_lport == 0)) { INP_WLOCK(inp); + /* + * In case we lost a race and another thread bound addr/port + * on the inp we cannot keep the wlock (which still would be + * fine) as further down, based on these values we make + * decisions for the pcbinfo lock. If the locks are not in + * synch the assertions on unlock will fire, hence we go for + * one retry loop. + */ + if (sin != NULL && (inp->inp_laddr.s_addr != INADDR_ANY || + inp->inp_lport != 0)) { + INP_WUNLOCK(inp); + goto retry; + } unlock_inp = UH_WLOCKED; } else { INP_RLOCK(inp); @@ -1264,36 +1278,44 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, } /* - * Depending on whether or not the application has bound or connected - * the socket, we may have to do varying levels of work. The optimal - * case is for a connected UDP socket, as a global lock isn't - * required at all. - * - * In order to decide which we need, we require stability of the - * inpcb binding, which we ensure by acquiring a read lock on the - * inpcb. This doesn't strictly follow the lock order, so we play - * the trylock and retry game; note that we may end up with more - * conservative locks than required the second time around, so later - * assertions have to accept that. Further analysis of the number of - * misses under contention is required. - * - * XXXRW: Check that hash locking update here is correct. + * In the old days, depending on whether or not the application had + * bound or connected the socket, we had to do varying levels of work. + * The optimal case was for a connected UDP socket, as a global lock + * wasn't required at all. + * In order to decide which we need, we required stability of the + * inpcb binding, which we ensured by acquiring a read lock on the + * inpcb. This didn't strictly follow the lock order, so we played + * the trylock and retry game. + * With the re-introduction of the route-cache in some cases, we started + * to acquire an early inp wlock and a possible race during re-lock + * went away. With the introduction of epoch(9) some read locking + * became epoch(9) and the lock-order issues also went away. + * Due to route-cache we may now hold more conservative locks than + * otherwise required and have split up the 2nd case in case 2 and 3 + * in order to keep the udpinfo lock level in sync with the inp one + * for the IP_SENDSRCADDR case below. */ pr = inp->inp_socket->so_proto->pr_protocol; pcbinfo = udp_get_inpcbinfo(pr); - sin = (struct sockaddr_in *)addr; if (sin != NULL && (inp->inp_laddr.s_addr == INADDR_ANY && inp->inp_lport == 0)) { INP_HASH_WLOCK(pcbinfo); unlock_udbinfo = UH_WLOCKED; - } else if ((sin != NULL && ( - (sin->sin_addr.s_addr == INADDR_ANY) || - (sin->sin_addr.s_addr == INADDR_BROADCAST) || - (inp->inp_laddr.s_addr == INADDR_ANY) || - (inp->inp_lport == 0))) || - (src.sin_family == AF_INET)) { + } else if (sin != NULL && + (sin->sin_addr.s_addr == INADDR_ANY || + sin->sin_addr.s_addr == INADDR_BROADCAST || + inp->inp_laddr.s_addr == INADDR_ANY || + inp->inp_lport == 0)) { INP_HASH_RLOCK_ET(pcbinfo, et); unlock_udbinfo = UH_RLOCKED; + } else if (src.sin_family == AF_INET) { + if (unlock_inp == UH_WLOCKED) { + INP_HASH_WLOCK(pcbinfo); + unlock_udbinfo = UH_WLOCKED; + } else { + INP_HASH_RLOCK_ET(pcbinfo, et); + unlock_udbinfo = UH_RLOCKED; + } } else unlock_udbinfo = UH_UNLOCKED; @@ -1503,8 +1525,9 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, if (flowtype != M_HASHTYPE_NONE) { m->m_pkthdr.flowid = flowid; M_HASHTYPE_SET(m, flowtype); + } #ifdef RSS - } else { + else { uint32_t hash_val, hash_type; /* * Calculate an appropriate RSS hash for UDP and @@ -1527,10 +1550,8 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, m->m_pkthdr.flowid = hash_val; M_HASHTYPE_SET(m, hash_type); } -#endif } -#ifdef RSS /* * Don't override with the inp cached flowid value. * @@ -1565,12 +1586,22 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr, release: if (unlock_udbinfo == UH_WLOCKED) { KASSERT(unlock_inp == UH_WLOCKED, - ("%s: excl udbinfo lock, shared inp lock", __func__)); + ("%s: excl udbinfo lock %#03x, shared inp lock %#03x, " + "sin %p daddr %#010x inp %p laddr %#010x lport %#06x " + "src fam %#04x", + __func__, unlock_udbinfo, unlock_inp, sin, + (sin != NULL) ? sin->sin_addr.s_addr : 0xfefefefe, inp, + inp->inp_laddr.s_addr, inp->inp_lport, src.sin_family)); INP_HASH_WUNLOCK(pcbinfo); INP_WUNLOCK(inp); } else if (unlock_udbinfo == UH_RLOCKED) { KASSERT(unlock_inp == UH_RLOCKED, - ("%s: shared udbinfo lock, excl inp lock", __func__)); + ("%s: shared udbinfo lock %#03x, excl inp lock %#03x, " + "sin %p daddr %#010x inp %p laddr %#010x lport %#06x " + "src fam %#04x", + __func__, unlock_udbinfo, unlock_inp, sin, + (sin != NULL) ? sin->sin_addr.s_addr : 0xfefefefe, inp, + inp->inp_laddr.s_addr, inp->inp_lport, src.sin_family)); INP_HASH_RUNLOCK_ET(pcbinfo, et); INP_RUNLOCK(inp); } else if (unlock_inp == UH_WLOCKED) diff --git a/freebsd/sys/netinet6/sctp6_usrreq.c b/freebsd/sys/netinet6/sctp6_usrreq.c index 6a3391ee..3465f3c3 100644 --- a/freebsd/sys/netinet6/sctp6_usrreq.c +++ b/freebsd/sys/netinet6/sctp6_usrreq.c @@ -912,7 +912,8 @@ sctp6_connect(struct socket *so, struct sockaddr *addr, struct thread *p) /* We are GOOD to go */ stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id, inp->sctp_ep.pre_open_stream_count, - inp->sctp_ep.port, p); + inp->sctp_ep.port, p, + SCTP_INITIALIZE_AUTH_PARAMS); SCTP_ASOC_CREATE_UNLOCK(inp); if (stcb == NULL) { /* Gak! no memory */ @@ -925,10 +926,6 @@ sctp6_connect(struct socket *so, struct sockaddr *addr, struct thread *p) } SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT); (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); - - /* initialize authentication parameters for the assoc */ - sctp_initialize_auth_params(inp, stcb); - sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED); SCTP_TCB_UNLOCK(stcb); return (error); diff --git a/freebsd/sys/netinet6/udp6_usrreq.c b/freebsd/sys/netinet6/udp6_usrreq.c index e0fcd06d..270b4880 100644 --- a/freebsd/sys/netinet6/udp6_usrreq.c +++ b/freebsd/sys/netinet6/udp6_usrreq.c @@ -744,9 +744,24 @@ udp6_output(struct socket *so, int flags_arg, struct mbuf *m, * - when we are not bound to an address and source port (it is * in6_pcbsetport() which will require the write lock). */ +retry: if (sin6 == NULL || (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) && inp->inp_lport == 0)) { INP_WLOCK(inp); + /* + * In case we lost a race and another thread bound addr/port + * on the inp we cannot keep the wlock (which still would be + * fine) as further down, based on these values we make + * decisions for the pcbinfo lock. If the locks are not in + * synch the assertions on unlock will fire, hence we go for + * one retry loop. + */ + if (sin6 != NULL && + (!IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) || + inp->inp_lport != 0)) { + INP_WUNLOCK(inp); + goto retry; + } unlock_inp = UH_WLOCKED; } else { INP_RLOCK(inp); diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c index 9f30cf36..f5c3967c 100644 --- a/freebsd/sys/netipsec/ipsec.c +++ b/freebsd/sys/netipsec/ipsec.c @@ -1325,6 +1325,8 @@ ok: __func__, replay->overflow, ipsec_sa2str(sav, buf, sizeof(buf)))); } + + replay->count++; return (0); } diff --git a/freebsd/sys/opencrypto/criov.c b/freebsd/sys/opencrypto/criov.c index 7fc7d392..a1893691 100644 --- a/freebsd/sys/opencrypto/criov.c +++ b/freebsd/sys/opencrypto/criov.c @@ -40,6 +40,8 @@ __FBSDID("$FreeBSD$"); #include <sys/kernel.h> #include <sys/mbuf.h> #include <sys/uio.h> +#include <sys/limits.h> +#include <sys/lock.h> #include <opencrypto/cryptodev.h> @@ -241,3 +243,55 @@ crypto_mbuftoiov(struct mbuf *mbuf, struct iovec **iovptr, int *cnt, *cnt = i; return 0; } + +static inline void * +m_contiguous_subsegment(struct mbuf *m, size_t skip, size_t len) +{ + int rel_off; + + MPASS(skip <= INT_MAX); + + m = m_getptr(m, (int)skip, &rel_off); + if (m == NULL) + return (NULL); + + MPASS(rel_off >= 0); + skip = rel_off; + if (skip + len > m->m_len) + return (NULL); + + return (mtod(m, char*) + skip); +} + +static inline void * +cuio_contiguous_segment(struct uio *uio, size_t skip, size_t len) +{ + int rel_off, idx; + + MPASS(skip <= INT_MAX); + idx = cuio_getptr(uio, (int)skip, &rel_off); + if (idx < 0) + return (NULL); + + MPASS(rel_off >= 0); + skip = rel_off; + if (skip + len > uio->uio_iov[idx].iov_len) + return (NULL); + return ((char *)uio->uio_iov[idx].iov_base + skip); +} + +void * +crypto_contiguous_subsegment(int crp_flags, void *crpbuf, + size_t skip, size_t len) +{ + if ((crp_flags & CRYPTO_F_IMBUF) != 0) + return (m_contiguous_subsegment(crpbuf, skip, len)); + else if ((crp_flags & CRYPTO_F_IOV) != 0) + return (cuio_contiguous_segment(crpbuf, skip, len)); + else { + MPASS((crp_flags & (CRYPTO_F_IMBUF | CRYPTO_F_IOV)) != + (CRYPTO_F_IMBUF | CRYPTO_F_IOV)); + return ((char*)crpbuf + skip); + } +} + diff --git a/freebsd/sys/opencrypto/cryptodev.h b/freebsd/sys/opencrypto/cryptodev.h index c9cf4d01..bd71e518 100644 --- a/freebsd/sys/opencrypto/cryptodev.h +++ b/freebsd/sys/opencrypto/cryptodev.h @@ -571,5 +571,7 @@ extern void crypto_copydata(int flags, caddr_t buf, int off, int size, extern int crypto_apply(int flags, caddr_t buf, int off, int len, int (*f)(void *, void *, u_int), void *arg); +extern void *crypto_contiguous_subsegment(int, void *, size_t, size_t); + #endif /* _KERNEL */ #endif /* _CRYPTO_CRYPTO_H_ */ diff --git a/freebsd/sys/sys/ata.h b/freebsd/sys/sys/ata.h index df87ddb5..22edb557 100644 --- a/freebsd/sys/sys/ata.h +++ b/freebsd/sys/sys/ata.h @@ -143,7 +143,8 @@ struct ata_params { /*77*/ u_int16_t satacapabilities2; #define ATA_SATA_CURR_GEN_MASK 0x0006 #define ATA_SUPPORT_NCQ_STREAM 0x0010 -#define ATA_SUPPORT_NCQ_QMANAGEMENT 0x0020 +#define ATA_SUPPORT_NCQ_NON_DATA 0x0020 +#define ATA_SUPPORT_NCQ_QMANAGEMENT ATA_SUPPORT_NCQ_NON_DATA #define ATA_SUPPORT_RCVSND_FPDMA_QUEUED 0x0040 /*78*/ u_int16_t satasupport; #define ATA_SUPPORT_NONZERO 0x0002 @@ -152,6 +153,7 @@ struct ata_params { #define ATA_SUPPORT_INORDERDATA 0x0010 #define ATA_SUPPORT_ASYNCNOTIF 0x0020 #define ATA_SUPPORT_SOFTSETPRESERVE 0x0040 +#define ATA_SUPPORT_NCQ_AUTOSENSE 0x0080 /*79*/ u_int16_t sataenabled; #define ATA_ENABLED_DAPST 0x0080 @@ -285,7 +287,8 @@ struct ata_params { #define ATA_FORM_FACTOR_C_FAST 0x0009 /*169*/ u_int16_t support_dsm; #define ATA_SUPPORT_DSM_TRIM 0x0001 - u_int16_t reserved170[6]; +/*170*/ u_int8_t product_id[8]; /* Additional Product Identifier */ + u_int16_t reserved174[2]; /*176*/ u_int8_t media_serial[60]; /*206*/ u_int16_t sct; u_int16_t reserved207[2]; diff --git a/freebsd/sys/sys/file.h b/freebsd/sys/sys/file.h index 22e6c8d0..0e7c296a 100644 --- a/freebsd/sys/sys/file.h +++ b/freebsd/sys/sys/file.h @@ -410,8 +410,14 @@ _fnoop(void) return (0); } -#define fhold(fp) \ - (refcount_acquire(&(fp)->f_count)) +#ifndef __rtems__ +static __inline __result_use_check bool +fhold(struct file *fp) +{ + return (refcount_acquire_checked(&fp->f_count)); +} +#endif /* __rtems__ */ + #ifndef __rtems__ #define fdrop(fp, td) \ (refcount_release(&(fp)->f_count) ? _fdrop((fp), (td)) : _fnoop()) diff --git a/freebsd/sys/sys/lockstat.h b/freebsd/sys/sys/lockstat.h index 9a6674fa..0526f4fb 100644 --- a/freebsd/sys/sys/lockstat.h +++ b/freebsd/sys/sys/lockstat.h @@ -65,6 +65,13 @@ SDT_PROBE_DECLARE(lockstat, , , sx__spin); SDT_PROBE_DECLARE(lockstat, , , sx__upgrade); SDT_PROBE_DECLARE(lockstat, , , sx__downgrade); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__acquire); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__release); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__disown); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__block); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__upgrade); +SDT_PROBE_DECLARE(lockstat, , , lockmgr__downgrade); + SDT_PROBE_DECLARE(lockstat, , , thread__spin); #define LOCKSTAT_WRITER 0 diff --git a/freebsd/sys/sys/malloc.h b/freebsd/sys/sys/malloc.h index b120d4b5..83510329 100644 --- a/freebsd/sys/sys/malloc.h +++ b/freebsd/sys/sys/malloc.h @@ -183,7 +183,7 @@ void *contigmalloc(unsigned long size, struct malloc_type *type, int flags, void *contigmalloc_domainset(unsigned long size, struct malloc_type *type, struct domainset *ds, int flags, vm_paddr_t low, vm_paddr_t high, unsigned long alignment, vm_paddr_t boundary) - __malloc_like __result_use_check __alloc_size(1) __alloc_align(6); + __malloc_like __result_use_check __alloc_size(1) __alloc_align(7); void free(void *addr, struct malloc_type *type); void free_domain(void *addr, struct malloc_type *type); #ifndef __rtems__ diff --git a/freebsd/sys/sys/mount.h b/freebsd/sys/sys/mount.h index edc66f05..dabb506d 100644 --- a/freebsd/sys/sys/mount.h +++ b/freebsd/sys/sys/mount.h @@ -368,23 +368,20 @@ void __mnt_vnode_markerfree_active(struct vnode **mvp, struct mount *); /* * Internal filesystem control flags stored in mnt_kern_flag. * - * MNTK_UNMOUNT locks the mount entry so that name lookup cannot proceed - * past the mount point. This keeps the subtree stable during mounts - * and unmounts. + * MNTK_UNMOUNT locks the mount entry so that name lookup cannot + * proceed past the mount point. This keeps the subtree stable during + * mounts and unmounts. When non-forced unmount flushes all vnodes + * from the mp queue, the MNTK_UNMOUNT flag prevents insmntque() from + * queueing new vnodes. * * MNTK_UNMOUNTF permits filesystems to detect a forced unmount while * dounmount() is still waiting to lock the mountpoint. This allows * the filesystem to cancel operations that might otherwise deadlock * with the unmount attempt (used by NFS). - * - * MNTK_NOINSMNTQ is strict subset of MNTK_UNMOUNT. They are separated - * to allow for failed unmount attempt to restore the syncer vnode for - * the mount. */ #define MNTK_UNMOUNTF 0x00000001 /* forced unmount in progress */ #define MNTK_ASYNC 0x00000002 /* filtered async flag */ #define MNTK_SOFTDEP 0x00000004 /* async disabled by softdep */ -#define MNTK_NOINSMNTQ 0x00000008 /* insmntque is not allowed */ #define MNTK_DRAINING 0x00000010 /* lock draining is happening */ #define MNTK_REFEXPIRE 0x00000020 /* refcount expiring is happening */ #define MNTK_EXTENDED_SHARED 0x00000040 /* Allow shared locking for more ops */ diff --git a/freebsd/sys/sys/proc.h b/freebsd/sys/sys/proc.h index a69d91b4..01cf3963 100644 --- a/freebsd/sys/sys/proc.h +++ b/freebsd/sys/sys/proc.h @@ -813,6 +813,8 @@ struct proc { #define P2_ASLR_ENABLE 0x00000040 /* Force enable ASLR. */ #define P2_ASLR_DISABLE 0x00000080 /* Force disable ASLR. */ #define P2_ASLR_IGNSTART 0x00000100 /* Enable ASLR to consume sbrk area. */ +#define P2_STKGAP_DISABLE 0x00000800 /* Disable stack gap for MAP_STACK */ +#define P2_STKGAP_DISABLE_EXEC 0x00001000 /* Stack gap disabled after exec */ /* Flags protected by proctree_lock, kept in p_treeflags. */ #define P_TREE_ORPHANED 0x00000001 /* Reparented, on orphan list */ @@ -1126,11 +1128,13 @@ void proc_linkup(struct proc *p, struct thread *td); struct proc *proc_realparent(struct proc *child); void proc_reap(struct thread *td, struct proc *p, int *status, int options); void proc_reparent(struct proc *child, struct proc *newparent, bool set_oppid); +void proc_add_orphan(struct proc *child, struct proc *parent); void proc_set_traced(struct proc *p, bool stop); void proc_wkilled(struct proc *p); struct pstats *pstats_alloc(void); void pstats_fork(struct pstats *src, struct pstats *dst); void pstats_free(struct pstats *ps); +void proc_clear_orphan(struct proc *p); void reaper_abandon_children(struct proc *p, bool exiting); #ifndef __rtems__ int securelevel_ge(struct ucred *cr, int level); diff --git a/freebsd/sys/sys/refcount.h b/freebsd/sys/sys/refcount.h index 41713147..0cc4ee6c 100644 --- a/freebsd/sys/sys/refcount.h +++ b/freebsd/sys/sys/refcount.h @@ -37,6 +37,7 @@ #ifdef _KERNEL #include <sys/systm.h> #else +#include <stdbool.h> #define KASSERT(exp, msg) /* */ #endif @@ -55,7 +56,21 @@ refcount_acquire(volatile u_int *count) atomic_add_int((volatile int *)count, 1); } -static __inline int +static __inline __result_use_check bool +refcount_acquire_checked(volatile u_int *count) +{ + u_int lcount; + + for (lcount = *count;;) { + if (__predict_false(lcount + 1 < lcount)) + return (false); + if (__predict_true(atomic_fcmpset_int(count, &lcount, + lcount + 1) == 1)) + return (true); + } +} + +static __inline bool refcount_release(volatile u_int *count) { u_int old; @@ -64,7 +79,7 @@ refcount_release(volatile u_int *count) old = atomic_fetchadd_int((volatile int *)count, -1); KASSERT(old > 0, ("refcount %p is zero", count)); if (old > 1) - return (0); + return (false); /* * Last reference. Signal the user to call the destructor. @@ -73,7 +88,7 @@ refcount_release(volatile u_int *count) * at the start of the function synchronized with this fence. */ atomic_thread_fence_acq(); - return (1); + return (true); } /* @@ -82,7 +97,7 @@ refcount_release(volatile u_int *count) * * A temporary hack until refcount_* APIs are sorted out. */ -static __inline __result_use_check int +static __inline __result_use_check bool refcount_acquire_if_not_zero(volatile u_int *count) { u_int old; @@ -91,13 +106,13 @@ refcount_acquire_if_not_zero(volatile u_int *count) for (;;) { KASSERT(old < UINT_MAX, ("refcount %p overflowed", count)); if (old == 0) - return (0); + return (false); if (atomic_fcmpset_int(count, &old, old + 1)) - return (1); + return (true); } } -static __inline __result_use_check int +static __inline __result_use_check bool refcount_release_if_not_last(volatile u_int *count) { u_int old; @@ -106,9 +121,9 @@ refcount_release_if_not_last(volatile u_int *count) for (;;) { KASSERT(old > 0, ("refcount %p is zero", count)); if (old == 1) - return (0); + return (false); if (atomic_fcmpset_int(count, &old, old - 1)) - return (1); + return (true); } } diff --git a/freebsd/sys/sys/sysproto.h b/freebsd/sys/sys/sysproto.h index 82249d38..5ebcdde3 100644 --- a/freebsd/sys/sys/sysproto.h +++ b/freebsd/sys/sys/sysproto.h @@ -1,7 +1,7 @@ /* * System call prototypes. * - * DO NOT EDIT-- this file is automatically generated. + * DO NOT EDIT-- this file is automatically @generated. * $FreeBSD$ */ diff --git a/freebsd/sys/sys/vnode.h b/freebsd/sys/sys/vnode.h index d88ff30a..c1235a79 100644 --- a/freebsd/sys/sys/vnode.h +++ b/freebsd/sys/sys/vnode.h @@ -660,6 +660,8 @@ void _vhold(struct vnode *, bool); void vinactive(struct vnode *, struct thread *); int vinvalbuf(struct vnode *vp, int save, int slpflag, int slptimeo); int vtruncbuf(struct vnode *vp, off_t length, int blksize); +void v_inval_buf_range(struct vnode *vp, daddr_t startlbn, daddr_t endlbn, + int blksize); void vunref(struct vnode *); void vn_printf(struct vnode *vp, const char *fmt, ...) __printflike(2,3); int vrecycle(struct vnode *vp); @@ -2660,6 +2660,7 @@ class user_space(builder.Module): 'sbin/dhclient/privsep.h', 'sbin/dhclient/tree.h', 'sbin/ifconfig/ifconfig.h', + 'sbin/ping/utils.h', 'usr.bin/netstat/netstat.h' ] ) @@ -2929,6 +2930,7 @@ class user_space(builder.Module): 'sbin/pfctl/pf_print_state.c', 'sbin/ping6/ping6.c', 'sbin/ping/ping.c', + 'sbin/ping/utils.c', 'sbin/route/route.c', 'sbin/sysctl/sysctl.c', 'usr.bin/netstat/bpf.c', diff --git a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h index 77b166b1..cae62d39 100644 --- a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h +++ b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h @@ -51,6 +51,8 @@ #define altq_remove _bsd_altq_remove #define altq_remove_queue _bsd_altq_remove_queue #define altqs_inactive_open _bsd_altqs_inactive_open +#define am335x_pwm_config_ecap _bsd_am335x_pwm_config_ecap +#define am335x_pwmss_driver _bsd_am335x_pwmss_driver #define arp_announce_ifaddr _bsd_arp_announce_ifaddr #define arp_ifinit _bsd_arp_ifinit #define arprequest _bsd_arprequest @@ -587,6 +589,7 @@ #define counter_u64_zero _bsd_counter_u64_zero #define crc32_tab _bsd_crc32_tab #define crypto_apply _bsd_crypto_apply +#define crypto_contiguous_subsegment _bsd_crypto_contiguous_subsegment #define crypto_copyback _bsd_crypto_copyback #define crypto_copydata _bsd_crypto_copydata #define crypto_devallowsoft _bsd_crypto_devallowsoft @@ -613,7 +616,6 @@ #define crypto_onetimeauth_poly1305_final _bsd_crypto_onetimeauth_poly1305_final #define crypto_onetimeauth_poly1305_init _bsd_crypto_onetimeauth_poly1305_init #define crypto_onetimeauth_poly1305_keybytes _bsd_crypto_onetimeauth_poly1305_keybytes -#define crypto_onetimeauth_poly1305_keygen _bsd_crypto_onetimeauth_poly1305_keygen #define _crypto_onetimeauth_poly1305_pick_best_implementation _bsd__crypto_onetimeauth_poly1305_pick_best_implementation #define crypto_onetimeauth_poly1305_statebytes _bsd_crypto_onetimeauth_poly1305_statebytes #define crypto_onetimeauth_poly1305_update _bsd_crypto_onetimeauth_poly1305_update @@ -1095,6 +1097,13 @@ #define e1000_write_vfta_generic _bsd_e1000_write_vfta_generic #define e1000_write_vfta_i350 _bsd_e1000_write_vfta_i350 #define e1000_write_xmdio_reg _bsd_e1000_write_xmdio_reg +#define edid_is_valid _bsd_edid_is_valid +#define edid_nproducts _bsd_edid_nproducts +#define edid_nvendors _bsd_edid_nvendors +#define edid_parse _bsd_edid_parse +#define edid_print _bsd_edid_print +#define edid_products _bsd_edid_products +#define edid_vendors _bsd_edid_vendors #define ehci_detach _bsd_ehci_detach #define ehci_get_port_speed_hostc _bsd_ehci_get_port_speed_hostc #define ehci_get_port_speed_portsc _bsd_ehci_get_port_speed_portsc @@ -1221,6 +1230,16 @@ #define eventhandler_find_list _bsd_eventhandler_find_list #define eventhandler_prune_list _bsd_eventhandler_prune_list #define eventhandler_register _bsd_eventhandler_register +#define fb_commonioctl _bsd_fb_commonioctl +#define fbd_devclass _bsd_fbd_devclass +#define fbd_driver _bsd_fbd_driver +#define fbd_list _bsd_fbd_list +#define fbd_register _bsd_fbd_register +#define fb_dump_adp_info _bsd_fb_dump_adp_info +#define fb_dump_mode_info _bsd_fb_dump_mode_info +#define fbd_unregister _bsd_fbd_unregister +#define fb_list_head _bsd_fb_list_head +#define fb_type _bsd_fb_type #define fdt_addrsize_cells _bsd_fdt_addrsize_cells #define fdt_data_get _bsd_fdt_data_get #define fdt_data_to_res _bsd_fdt_data_to_res @@ -1239,6 +1258,10 @@ #define fdt_immr_va _bsd_fdt_immr_va #define fdt_is_compatible_strict _bsd_fdt_is_compatible_strict #define fdt_parent_addr_cells _bsd_fdt_parent_addr_cells +#define fdt_pinctrl_configure _bsd_fdt_pinctrl_configure +#define fdt_pinctrl_configure_by_name _bsd_fdt_pinctrl_configure_by_name +#define fdt_pinctrl_configure_tree _bsd_fdt_pinctrl_configure_tree +#define fdt_pinctrl_register _bsd_fdt_pinctrl_register #define fdt_regsize _bsd_fdt_regsize #define fib4_free_nh_ext _bsd_fib4_free_nh_ext #define fib4_lookup_nh_basic _bsd_fib4_lookup_nh_basic @@ -1329,6 +1352,15 @@ #define gpiobus_init_softc _bsd_gpiobus_init_softc #define gpiobus_release_pin _bsd_gpiobus_release_pin #define gpio_check_flags _bsd_gpio_check_flags +#define gpio_pin_get_by_ofw_idx _bsd_gpio_pin_get_by_ofw_idx +#define gpio_pin_get_by_ofw_name _bsd_gpio_pin_get_by_ofw_name +#define gpio_pin_get_by_ofw_property _bsd_gpio_pin_get_by_ofw_property +#define gpio_pin_get_by_ofw_propidx _bsd_gpio_pin_get_by_ofw_propidx +#define gpio_pin_getcaps _bsd_gpio_pin_getcaps +#define gpio_pin_is_active _bsd_gpio_pin_is_active +#define gpio_pin_release _bsd_gpio_pin_release +#define gpio_pin_set_active _bsd_gpio_pin_set_active +#define gpio_pin_setflags _bsd_gpio_pin_setflags #define gre_hashdestroy _bsd_gre_hashdestroy #define gre_hashinit _bsd_gre_hashinit #define gre_input _bsd_gre_input @@ -1998,6 +2030,31 @@ #define igmp_input _bsd_igmp_input #define igmp_mtx _bsd_igmp_mtx #define igmp_slowtimo _bsd_igmp_slowtimo +#define iic2errno _bsd_iic2errno +#define iicbus_block_read _bsd_iicbus_block_read +#define iicbus_block_write _bsd_iicbus_block_write +#define iicbus_devclass _bsd_iicbus_devclass +#define iicbus_driver _bsd_iicbus_driver +#define iicbus_generic_intr _bsd_iicbus_generic_intr +#define iicbus_init_frequency _bsd_iicbus_init_frequency +#define iicbus_intr _bsd_iicbus_intr +#define iicbus_null_callback _bsd_iicbus_null_callback +#define iicbus_null_repeated_start _bsd_iicbus_null_repeated_start +#define iicbus_read _bsd_iicbus_read +#define iicbus_read_byte _bsd_iicbus_read_byte +#define iicbus_release_bus _bsd_iicbus_release_bus +#define iicbus_repeated_start _bsd_iicbus_repeated_start +#define iicbus_request_bus _bsd_iicbus_request_bus +#define iicbus_start _bsd_iicbus_start +#define iicbus_started _bsd_iicbus_started +#define iicbus_stop _bsd_iicbus_stop +#define iicbus_transfer _bsd_iicbus_transfer +#define iicbus_transfer_excl _bsd_iicbus_transfer_excl +#define iicbus_transfer_gen _bsd_iicbus_transfer_gen +#define iicbus_write _bsd_iicbus_write +#define iicbus_write_byte _bsd_iicbus_write_byte +#define iicdev_readfrom _bsd_iicdev_readfrom +#define iicdev_writeto _bsd_iicdev_writeto #define im6o_mc_filter _bsd_im6o_mc_filter #define imo_multi_filter _bsd_imo_multi_filter #define in4_cksum _bsd_in4_cksum @@ -3032,6 +3089,14 @@ #define ofw_bus_status_okay _bsd_ofw_bus_status_okay #define ofw_bus_string_list_to_array _bsd_ofw_bus_string_list_to_array #define ofw_fdt _bsd_ofw_fdt +#define ofw_gpiobus_add_fdt_child _bsd_ofw_gpiobus_add_fdt_child +#define ofwgpiobus_devclass _bsd_ofwgpiobus_devclass +#define ofw_gpiobus_driver _bsd_ofw_gpiobus_driver +#define ofw_gpiobus_parse_gpios _bsd_ofw_gpiobus_parse_gpios +#define ofw_gpiobus_register_provider _bsd_ofw_gpiobus_register_provider +#define ofw_gpiobus_unregister_provider _bsd_ofw_gpiobus_unregister_provider +#define ofw_iicbus_devclass _bsd_ofw_iicbus_devclass +#define ofw_iicbus_driver _bsd_ofw_iicbus_driver #define ofw_parse_bootargs _bsd_ofw_parse_bootargs #define ofw_reg_to_paddr _bsd_ofw_reg_to_paddr #define OF_write _bsd_OF_write @@ -3077,10 +3142,13 @@ #define pcib_attach_common _bsd_pcib_attach_common #define pcib_bridge_init _bsd_pcib_bridge_init #define pcib_child_present _bsd_pcib_child_present +#define pcib_decode_rid _bsd_pcib_decode_rid #define pcib_detach _bsd_pcib_detach #define pcib_driver _bsd_pcib_driver +#define pcib_get_id _bsd_pcib_get_id #define pcibios_pcib_route_interrupt _bsd_pcibios_pcib_route_interrupt #define pcib_map_msi _bsd_pcib_map_msi +#define pcib_maxfuncs _bsd_pcib_maxfuncs #define pcib_maxslots _bsd_pcib_maxslots #define pcib_read_ivar _bsd_pcib_read_ivar #define pcib_release_msi _bsd_pcib_release_msi @@ -3426,6 +3494,8 @@ #define pgsigio _bsd_pgsigio #define phashinit _bsd_phashinit #define phashinit_flags _bsd_phashinit_flags +#define pick_mode_by_dotclock _bsd_pick_mode_by_dotclock +#define pick_mode_by_ref _bsd_pick_mode_by_ref #define pipe_dtor _bsd_pipe_dtor #define pipe_named_ctor _bsd_pipe_named_ctor #define pipeselwakeup _bsd_pipeselwakeup @@ -3437,16 +3507,6 @@ #define Poly1305_Setkey _bsd_Poly1305_Setkey #define Poly1305_Update _bsd_Poly1305_Update #define ppsratecheck _bsd_ppsratecheck -#define preload_addr_relocate _bsd_preload_addr_relocate -#define preload_bootstrap_relocate _bsd_preload_bootstrap_relocate -#define preload_delete_name _bsd_preload_delete_name -#define preload_fetch_addr _bsd_preload_fetch_addr -#define preload_fetch_size _bsd_preload_fetch_size -#define preload_metadata _bsd_preload_metadata -#define preload_search_by_name _bsd_preload_search_by_name -#define preload_search_by_type _bsd_preload_search_by_type -#define preload_search_info _bsd_preload_search_info -#define preload_search_next_name _bsd_preload_search_next_name #define printf _bsd_printf #define printf_uuid _bsd_printf_uuid #define prison0 _bsd_prison0 @@ -3583,6 +3643,7 @@ #define r88e_tx_setup_hwseq _bsd_r88e_tx_setup_hwseq #define r88e_tx_setup_macid _bsd_r88e_tx_setup_macid #define r88eu_attach _bsd_r88eu_attach +#define r88eu_classify_intr _bsd_r88eu_classify_intr #define r88eu_init_bb _bsd_r88eu_init_bb #define r88eu_init_intr _bsd_r88eu_init_intr #define r88eu_init_rx_agg _bsd_r88eu_init_rx_agg @@ -4509,6 +4570,8 @@ #define Skein_512_Output _bsd_Skein_512_Output #define Skein_512_Process_Block _bsd_Skein_512_Process_Block #define Skein_512_Update _bsd_Skein_512_Update +#define Skein_Get64_LSB_First _bsd_Skein_Get64_LSB_First +#define Skein_Put64_LSB_First _bsd_Skein_Put64_LSB_First #define skipjack_backwards _bsd_skipjack_backwards #define skipjack_forwards _bsd_skipjack_forwards #define sl_compress_init _bsd_sl_compress_init @@ -4600,6 +4663,7 @@ #define soreceive_generic _bsd_soreceive_generic #define soreserve _bsd_soreserve #define sorflush _bsd_sorflush +#define sort_modes _bsd_sort_modes #define sosend _bsd_sosend #define sosend_dgram _bsd_sosend_dgram #define sosend_generic _bsd_sosend_generic @@ -4803,6 +4867,7 @@ #define tcp_autosndbuf_max _bsd_tcp_autosndbuf_max #define tcp_backoff _bsd_tcp_backoff #define tcp_ccalgounload _bsd_tcp_ccalgounload +#define tcp_clean_dsack_blocks _bsd_tcp_clean_dsack_blocks #define tcp_clean_sackreport _bsd_tcp_clean_sackreport #define tcp_close _bsd_tcp_close #define tcp_compute_pipe _bsd_tcp_compute_pipe @@ -4934,12 +4999,14 @@ #define tcp_timer_suspend _bsd_tcp_timer_suspend #define tcp_totbackoff _bsd_tcp_totbackoff #define tcp_trace _bsd_tcp_trace +#define tcp_ts_offset_per_conn _bsd_tcp_ts_offset_per_conn #define tcp_tw_2msl_scan _bsd_tcp_tw_2msl_scan #define tcp_twcheck _bsd_tcp_twcheck #define tcp_twclose _bsd_tcp_twclose #define tcp_tw_init _bsd_tcp_tw_init #define tcp_twstart _bsd_tcp_twstart #define tcp_tw_zone_change _bsd_tcp_tw_zone_change +#define tcp_update_dsack_list _bsd_tcp_update_dsack_list #define tcp_update_sack_list _bsd_tcp_update_sack_list #define tcp_use_hostcache _bsd_tcp_use_hostcache #define tcp_usrreqs _bsd_tcp_usrreqs @@ -4951,6 +5018,7 @@ #define t_functions _bsd_t_functions #define t_functions_inited _bsd_t_functions_inited #define ti_am335x_clk_devmap _bsd_ti_am335x_clk_devmap +#define ti_am335x_pinmux_dev _bsd_ti_am335x_pinmux_dev #define tick _bsd_tick #define ticket_altqs_active _bsd_ticket_altqs_active #define ticket_altqs_inactive _bsd_ticket_altqs_inactive @@ -4965,6 +5033,10 @@ #define _timeout_task_init _bsd__timeout_task_init #define timevaladd _bsd_timevaladd #define timevalsub _bsd_timevalsub +#define ti_pinmux_padconf_get _bsd_ti_pinmux_padconf_get +#define ti_pinmux_padconf_get_gpiomode _bsd_ti_pinmux_padconf_get_gpiomode +#define ti_pinmux_padconf_set _bsd_ti_pinmux_padconf_set +#define ti_pinmux_padconf_set_gpiomode _bsd_ti_pinmux_padconf_set_gpiomode #define ti_prcm_clk_disable _bsd_ti_prcm_clk_disable #define ti_prcm_clk_enable _bsd_ti_prcm_clk_enable #define ti_prcm_clk_get_source_freq _bsd_ti_prcm_clk_get_source_freq @@ -5043,7 +5115,6 @@ #define tty_signal_pgrp _bsd_tty_signal_pgrp #define tty_signal_sessleader _bsd_tty_signal_sessleader #define tty_timedwait _bsd_tty_timedwait -#define tty_udev _bsd_tty_udev #define tty_wait _bsd_tty_wait #define tty_wait_background _bsd_tty_wait_background #define tty_wakeup _bsd_tty_wakeup @@ -5434,7 +5505,21 @@ #define uuidcmp _bsd_uuidcmp #define uuid_ether_add _bsd_uuid_ether_add #define uuid_ether_del _bsd_uuid_ether_del +#define vesagtf_mode _bsd_vesagtf_mode +#define vesagtf_mode_params _bsd_vesagtf_mode_params #define vht80_chan_ranges _bsd_vht80_chan_ranges +#define vid_allocate _bsd_vid_allocate +#define vid_configure _bsd_vid_configure +#define videomode_count _bsd_videomode_count +#define videomode_list _bsd_videomode_list +#define vid_find_adapter _bsd_vid_find_adapter +#define vid_get_adapter _bsd_vid_get_adapter +#define vid_get_switch _bsd_vid_get_switch +#define vid_init_struct _bsd_vid_init_struct +#define vid_register _bsd_vid_register +#define vid_release _bsd_vid_release +#define vidsw _bsd_vidsw +#define vid_unregister _bsd_vid_unregister #define vlan_cookie_p _bsd_vlan_cookie_p #define vlan_devat_p _bsd_vlan_devat_p #define vlan_input_p _bsd_vlan_input_p diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs.h b/rtemsbsd/include/rtems/bsd/local/usbdevs.h index 048a254c..1909e626 100644 --- a/rtemsbsd/include/rtems/bsd/local/usbdevs.h +++ b/rtemsbsd/include/rtems/bsd/local/usbdevs.h @@ -4666,6 +4666,7 @@ #define USB_PRODUCT_TPLINK_T4UV2 0x010d /* Archer T4U ver 2 */ #define USB_PRODUCT_TPLINK_T4UHV1 0x0103 /* Archer T4UH ver 1 */ #define USB_PRODUCT_TPLINK_T4UHV2 0x010e /* Archer T4UH ver 2 */ +#define USB_PRODUCT_TPLINK_T2UNANO 0x011e /* Archer T2U Nano */ #define USB_PRODUCT_TPLINK_RTL8153 0x0601 /* RTL8153 USB 10/100/1000 LAN */ /* Trek Technology products */ diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h index ec09988d..e7cc4655 100644 --- a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h +++ b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h @@ -17822,6 +17822,12 @@ const struct usb_knowndev usb_knowndevs[] = { "Archer T4UH ver 2", }, { + USB_VENDOR_TPLINK, USB_PRODUCT_TPLINK_T2UNANO, + 0, + "TP-Link", + "Archer T2U Nano", + }, + { USB_VENDOR_TPLINK, USB_PRODUCT_TPLINK_RTL8153, 0, "TP-Link", |