[rtems-libbsd commit] Update to FreeBSD stable/12 2019-09-23
Sebastian Huber
sebh at rtems.org
Tue Sep 24 07:31:01 UTC 2019
Module: rtems-libbsd
Branch: 5-freebsd-12
Commit: 37323bb8196bb2d865115a976d6d972fedd498de
Changeset: http://git.rtems.org/rtems-libbsd/commit/?id=37323bb8196bb2d865115a976d6d972fedd498de
Author: Sebastian Huber <sebastian.huber at embedded-brains.de>
Date: Mon Sep 23 12:49:10 2019 +0200
Update to FreeBSD stable/12 2019-09-23
Git mirror commit 7e8d1444023128d34fb9aa4e4515928a4f794d1b.
---
freebsd-org | 2 +-
freebsd/contrib/tcpdump/tcpdump.c | 2 +-
freebsd/contrib/wpa/src/ap/ap_config.h | 213 ++++++++-
freebsd/contrib/wpa/src/ap/ap_drv_ops.c | 66 ++-
freebsd/contrib/wpa/src/ap/ap_drv_ops.h | 11 +-
freebsd/contrib/wpa/src/ap/hostapd.h | 28 +-
freebsd/contrib/wpa/src/ap/ieee802_11.h | 18 +-
freebsd/contrib/wpa/src/ap/sta_info.h | 8 +
freebsd/contrib/wpa/src/ap/wpa_auth.c | 43 +-
freebsd/contrib/wpa/src/ap/wpa_auth.h | 3 +
freebsd/contrib/wpa/src/ap/wpa_auth_ft.c | 33 +-
freebsd/contrib/wpa/src/common/dpp.h | 39 +-
.../contrib/wpa/src/common/hw_features_common.c | 25 +-
.../contrib/wpa/src/common/hw_features_common.h | 8 +-
freebsd/contrib/wpa/src/common/ieee802_11_common.c | 201 ++++++++-
freebsd/contrib/wpa/src/common/ieee802_11_common.h | 4 +
freebsd/contrib/wpa/src/common/ieee802_11_defs.h | 94 +++-
freebsd/contrib/wpa/src/common/qca-vendor.h | 443 +++++++++++++++++-
freebsd/contrib/wpa/src/common/sae.h | 1 +
freebsd/contrib/wpa/src/common/version.h | 2 +-
freebsd/contrib/wpa/src/common/wpa_common.c | 10 +
freebsd/contrib/wpa/src/common/wpa_ctrl.h | 3 +
freebsd/contrib/wpa/src/crypto/crypto.h | 7 -
freebsd/contrib/wpa/src/crypto/crypto_openssl.c | 37 +-
freebsd/contrib/wpa/src/crypto/sha1-prf.c | 2 +-
freebsd/contrib/wpa/src/crypto/sha1.c | 3 +-
freebsd/contrib/wpa/src/crypto/sha256-prf.c | 2 +-
freebsd/contrib/wpa/src/crypto/sha256.h | 6 +-
freebsd/contrib/wpa/src/crypto/tls.h | 47 +-
freebsd/contrib/wpa/src/drivers/driver.h | 152 ++++++-
freebsd/contrib/wpa/src/drivers/driver_bsd.c | 8 +-
freebsd/contrib/wpa/src/drivers/driver_common.c | 2 +
freebsd/contrib/wpa/src/drivers/driver_ndis.c | 2 +-
freebsd/contrib/wpa/src/drivers/driver_nl80211.h | 16 +-
freebsd/contrib/wpa/src/eap_common/eap_defs.h | 1 +
freebsd/contrib/wpa/src/eap_peer/eap.c | 10 +-
freebsd/contrib/wpa/src/eap_peer/eap.h | 12 +-
freebsd/contrib/wpa/src/eap_peer/eap_config.h | 2 +
freebsd/contrib/wpa/src/eap_peer/eap_leap.c | 4 +-
freebsd/contrib/wpa/src/eap_peer/eap_methods.h | 1 +
freebsd/contrib/wpa/src/eap_peer/eap_peap.c | 6 +-
freebsd/contrib/wpa/src/eap_peer/eap_tls.c | 19 +-
freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c | 16 +-
freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h | 4 +-
freebsd/contrib/wpa/src/eap_server/eap_methods.h | 1 +
freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h | 3 +
freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c | 9 +-
freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h | 13 +-
freebsd/contrib/wpa/src/rsn_supp/wpa.c | 107 +++--
freebsd/contrib/wpa/src/rsn_supp/wpa.h | 2 +-
freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c | 19 +-
freebsd/contrib/wpa/src/rsn_supp/wpa_i.h | 2 +-
freebsd/contrib/wpa/src/utils/common.c | 33 +-
freebsd/contrib/wpa/src/utils/common.h | 3 +
freebsd/contrib/wpa/src/utils/wpa_debug.c | 1 +
freebsd/contrib/wpa/src/wps/wps.h | 2 +-
freebsd/contrib/wpa/wpa_supplicant/ap.h | 2 +-
freebsd/contrib/wpa/wpa_supplicant/bss.c | 10 +-
freebsd/contrib/wpa/wpa_supplicant/config.c | 8 +-
freebsd/contrib/wpa/wpa_supplicant/config.h | 10 +
freebsd/contrib/wpa/wpa_supplicant/config_file.c | 3 +
freebsd/contrib/wpa/wpa_supplicant/config_ssid.h | 28 +-
freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c | 121 ++---
.../contrib/wpa/wpa_supplicant/dpp_supplicant.h | 1 +
freebsd/contrib/wpa/wpa_supplicant/driver_i.h | 14 +-
freebsd/contrib/wpa/wpa_supplicant/eap_register.c | 10 +
freebsd/contrib/wpa/wpa_supplicant/events.c | 56 ++-
freebsd/contrib/wpa/wpa_supplicant/interworking.c | 6 +-
freebsd/contrib/wpa/wpa_supplicant/notify.c | 46 +-
freebsd/contrib/wpa/wpa_supplicant/notify.h | 12 +-
freebsd/contrib/wpa/wpa_supplicant/op_classes.c | 2 +-
freebsd/contrib/wpa/wpa_supplicant/rrm.c | 12 +-
.../contrib/wpa/wpa_supplicant/wpa_supplicant.c | 126 +++++-
.../contrib/wpa/wpa_supplicant/wpa_supplicant_i.h | 32 +-
freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c | 11 +-
freebsd/crypto/openssl/apps/apps.c | 9 +-
freebsd/crypto/openssl/apps/apps.h | 4 +-
freebsd/crypto/openssl/apps/ca.c | 4 +-
freebsd/crypto/openssl/apps/dgst.c | 4 +-
freebsd/crypto/openssl/apps/enc.c | 2 +-
freebsd/crypto/openssl/apps/ocsp.c | 6 +-
freebsd/crypto/openssl/apps/openssl.c | 3 +-
freebsd/crypto/openssl/apps/pkcs12.c | 2 +-
freebsd/crypto/openssl/apps/req.c | 16 +-
freebsd/crypto/openssl/apps/s_apps.h | 20 +-
freebsd/crypto/openssl/apps/s_cb.c | 3 +-
freebsd/crypto/openssl/apps/s_client.c | 2 +-
freebsd/crypto/openssl/apps/speed.c | 2 +-
freebsd/crypto/openssl/crypto/asn1/a_time.c | 47 +-
freebsd/crypto/openssl/crypto/asn1/a_type.c | 10 +-
freebsd/crypto/openssl/crypto/asn1/x_bignum.c | 19 +-
freebsd/crypto/openssl/crypto/bio/b_addr.c | 26 +-
freebsd/crypto/openssl/crypto/bio/bss_dgram.c | 4 +-
freebsd/crypto/openssl/crypto/bio/bss_file.c | 61 ++-
freebsd/crypto/openssl/crypto/bio/bss_mem.c | 4 +-
freebsd/crypto/openssl/crypto/bn/bn_div.c | 4 +-
freebsd/crypto/openssl/crypto/bn/bn_lcl.h | 4 +-
freebsd/crypto/openssl/crypto/bn/bn_lib.c | 101 +++--
freebsd/crypto/openssl/crypto/bn/bn_prime.c | 8 +-
freebsd/crypto/openssl/crypto/bn/bn_rand.c | 7 +-
freebsd/crypto/openssl/crypto/bn/bn_sqrt.c | 5 +-
freebsd/crypto/openssl/crypto/cms/cms_att.c | 136 +++++-
freebsd/crypto/openssl/crypto/cms/cms_env.c | 20 +-
freebsd/crypto/openssl/crypto/cms/cms_err.c | 5 +-
freebsd/crypto/openssl/crypto/cms/cms_lcl.h | 9 +-
freebsd/crypto/openssl/crypto/cms/cms_sd.c | 38 +-
freebsd/crypto/openssl/crypto/cms/cms_smime.c | 6 +-
freebsd/crypto/openssl/crypto/conf/conf_sap.c | 2 +-
freebsd/crypto/openssl/crypto/ctype.c | 8 +-
freebsd/crypto/openssl/crypto/dh/dh_check.c | 37 +-
freebsd/crypto/openssl/crypto/dh/dh_gen.c | 52 +--
freebsd/crypto/openssl/crypto/dh/dh_key.c | 13 +-
freebsd/crypto/openssl/crypto/dh/dh_lib.c | 6 +-
freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c | 4 +-
freebsd/crypto/openssl/crypto/dsa/dsa_err.c | 4 +-
freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c | 10 +-
freebsd/crypto/openssl/crypto/ec/ec_asn1.c | 73 ++-
freebsd/crypto/openssl/crypto/ec/ec_curve.c | 114 ++++-
freebsd/crypto/openssl/crypto/ec/ec_lcl.h | 4 +-
freebsd/crypto/openssl/crypto/ec/ec_lib.c | 103 ++++-
freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c | 2 +-
freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c | 16 +-
freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c | 62 ++-
freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c | 63 ++-
freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c | 65 ++-
freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c | 26 +-
freebsd/crypto/openssl/crypto/ec/ecx_meth.c | 2 +-
.../crypto/openssl/crypto/engine/eng_devcrypto.c | 2 +-
freebsd/crypto/openssl/crypto/engine/eng_openssl.c | 8 +-
freebsd/crypto/openssl/crypto/err/err.c | 16 +-
freebsd/crypto/openssl/crypto/evp/bio_ok.c | 6 +-
freebsd/crypto/openssl/crypto/evp/e_aes.c | 91 +++-
freebsd/crypto/openssl/crypto/evp/e_aria.c | 13 +-
.../openssl/crypto/evp/e_chacha20_poly1305.c | 7 +-
freebsd/crypto/openssl/crypto/evp/evp_err.c | 11 +-
freebsd/crypto/openssl/crypto/evp/evp_lib.c | 9 +-
freebsd/crypto/openssl/crypto/evp/m_sha3.c | 5 +-
.../crypto/openssl/crypto/include/internal/ctype.h | 4 +-
.../openssl/crypto/include/internal/rand_int.h | 6 +-
.../openssl/crypto/include/internal/sm2err.h | 6 +-
freebsd/crypto/openssl/crypto/init.c | 3 +-
freebsd/crypto/openssl/crypto/lhash/lhash.c | 8 +-
freebsd/crypto/openssl/crypto/o_str.c | 2 +-
freebsd/crypto/openssl/crypto/pem/pvkfmt.c | 5 +-
freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c | 14 +-
freebsd/crypto/openssl/crypto/rand/drbg_lib.c | 13 +-
freebsd/crypto/openssl/crypto/rand/rand_err.c | 3 +-
freebsd/crypto/openssl/crypto/rand/rand_lcl.h | 46 +-
freebsd/crypto/openssl/crypto/rand/rand_lib.c | 148 +++++-
freebsd/crypto/openssl/crypto/rand/rand_unix.c | 185 ++++++--
freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c | 13 +
freebsd/crypto/openssl/crypto/rsa/rsa_err.c | 4 +-
freebsd/crypto/openssl/crypto/rsa/rsa_gen.c | 2 +-
freebsd/crypto/openssl/crypto/rsa/rsa_lib.c | 17 +-
freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c | 10 +
freebsd/crypto/openssl/crypto/sm2/sm2_sign.c | 6 +-
freebsd/crypto/openssl/crypto/store/loader_file.c | 18 +-
freebsd/crypto/openssl/crypto/store/store_lib.c | 4 +-
freebsd/crypto/openssl/crypto/threads_none.c | 15 +-
freebsd/crypto/openssl/crypto/threads_pthread.c | 12 +-
freebsd/crypto/openssl/crypto/ui/ui_lib.c | 4 +-
freebsd/crypto/openssl/crypto/ui/ui_openssl.c | 2 +-
freebsd/crypto/openssl/crypto/uid.c | 12 +-
freebsd/crypto/openssl/crypto/whrlpool/wp_block.c | 3 +-
freebsd/crypto/openssl/crypto/x509/by_dir.c | 6 +-
freebsd/crypto/openssl/crypto/x509/t_req.c | 6 +-
freebsd/crypto/openssl/crypto/x509/x509_att.c | 6 +-
freebsd/crypto/openssl/crypto/x509/x509_cmp.c | 12 +-
freebsd/crypto/openssl/crypto/x509/x509_err.c | 4 +-
freebsd/crypto/openssl/crypto/x509/x509_lu.c | 113 +++--
freebsd/crypto/openssl/crypto/x509/x509_vfy.c | 12 +-
freebsd/crypto/openssl/crypto/x509v3/v3_alt.c | 11 +-
freebsd/crypto/openssl/crypto/x509v3/v3_purp.c | 16 +-
freebsd/crypto/openssl/e_os.h | 30 +-
.../openssl/include/internal/constant_time_locl.h | 64 ++-
freebsd/crypto/openssl/include/internal/cryptlib.h | 1 +
freebsd/crypto/openssl/include/internal/dsoerr.h | 4 +-
freebsd/crypto/openssl/include/internal/refcount.h | 2 +-
.../crypto/openssl/include/internal/thread_once.h | 2 +-
.../crypto/openssl/include/internal/tsan_assist.h | 2 +-
freebsd/crypto/openssl/include/openssl/asn1err.h | 6 +-
freebsd/crypto/openssl/include/openssl/asyncerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/bio.h | 6 +-
freebsd/crypto/openssl/include/openssl/bioerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/bnerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/buffererr.h | 6 +-
freebsd/crypto/openssl/include/openssl/cms.h | 5 +-
freebsd/crypto/openssl/include/openssl/cmserr.h | 8 +-
freebsd/crypto/openssl/include/openssl/comperr.h | 6 +-
freebsd/crypto/openssl/include/openssl/conferr.h | 6 +-
freebsd/crypto/openssl/include/openssl/cryptoerr.h | 9 +-
freebsd/crypto/openssl/include/openssl/cterr.h | 6 +-
freebsd/crypto/openssl/include/openssl/dherr.h | 6 +-
freebsd/crypto/openssl/include/openssl/dsaerr.h | 7 +-
freebsd/crypto/openssl/include/openssl/ec.h | 7 +-
freebsd/crypto/openssl/include/openssl/ecerr.h | 4 +
freebsd/crypto/openssl/include/openssl/engineerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/evp.h | 4 +
freebsd/crypto/openssl/include/openssl/evperr.h | 12 +-
freebsd/crypto/openssl/include/openssl/kdferr.h | 6 +-
.../crypto/openssl/include/openssl/objectserr.h | 6 +-
freebsd/crypto/openssl/include/openssl/ocsperr.h | 6 +-
freebsd/crypto/openssl/include/openssl/opensslv.h | 4 +-
freebsd/crypto/openssl/include/openssl/pemerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/pkcs12err.h | 6 +-
freebsd/crypto/openssl/include/openssl/pkcs7err.h | 6 +-
freebsd/crypto/openssl/include/openssl/randerr.h | 5 +-
freebsd/crypto/openssl/include/openssl/rsaerr.h | 7 +-
freebsd/crypto/openssl/include/openssl/ssl.h | 60 +--
freebsd/crypto/openssl/include/openssl/sslerr.h | 4 +
freebsd/crypto/openssl/include/openssl/store.h | 6 +-
freebsd/crypto/openssl/include/openssl/storeerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/tls1.h | 4 +-
freebsd/crypto/openssl/include/openssl/tserr.h | 6 +-
freebsd/crypto/openssl/include/openssl/uierr.h | 6 +-
freebsd/crypto/openssl/include/openssl/x509err.h | 7 +-
freebsd/crypto/openssl/include/openssl/x509v3.h | 2 +
freebsd/crypto/openssl/include/openssl/x509v3err.h | 6 +-
freebsd/crypto/openssl/ssl/d1_msg.c | 5 +-
freebsd/crypto/openssl/ssl/record/rec_layer_s3.c | 12 +-
freebsd/crypto/openssl/ssl/s3_lib.c | 14 +-
freebsd/crypto/openssl/ssl/ssl_cert.c | 5 +-
freebsd/crypto/openssl/ssl/ssl_ciph.c | 13 +-
freebsd/crypto/openssl/ssl/ssl_lib.c | 20 +-
freebsd/crypto/openssl/ssl/ssl_locl.h | 37 +-
freebsd/crypto/openssl/ssl/ssl_sess.c | 39 +-
freebsd/crypto/openssl/ssl/statem/extensions.c | 21 +-
.../crypto/openssl/ssl/statem/extensions_clnt.c | 16 +-
.../crypto/openssl/ssl/statem/extensions_srvr.c | 20 +-
freebsd/crypto/openssl/ssl/statem/statem_clnt.c | 6 -
freebsd/crypto/openssl/ssl/statem/statem_lib.c | 19 +-
freebsd/crypto/openssl/ssl/statem/statem_srvr.c | 54 +--
freebsd/crypto/openssl/ssl/t1_lib.c | 275 ++++++-----
freebsd/crypto/openssl/ssl/tls13_enc.c | 53 ++-
freebsd/include/rpcsvc/yp_prot.h | 2 +-
freebsd/lib/libc/nameser/ns_name.c | 4 +-
freebsd/lib/libc/net/gethostbynis.c | 7 +-
freebsd/lib/libc/net/getnetbynis.c | 7 +-
freebsd/lib/libc/net/getservent.c | 15 +-
freebsd/lib/libc/rpc/getrpcent.c | 14 +-
freebsd/lib/libcapsicum/capsicum_helpers.h | 4 +
freebsd/sbin/ping/ping.c | 383 +++++++---------
freebsd/sbin/ping/rtems-bsd-ping-data.h | 1 +
freebsd/sbin/ping/rtems-bsd-ping-namespace.h | 2 +
freebsd/sbin/ping/rtems-bsd-ping-utils-data.h | 4 +
freebsd/sbin/ping/utils.c | 107 +++++
freebsd/sbin/ping/utils.h | 38 ++
freebsd/sbin/ping6/ping6.c | 501 ++++++++++++---------
freebsd/sbin/ping6/rtems-bsd-ping6-data.h | 1 -
freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h | 1 -
freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h | 5 +-
freebsd/sys/arm/ti/ti_sdhci.c | 22 +-
freebsd/sys/cam/nvme/nvme_all.h | 2 +-
freebsd/sys/cam/scsi/scsi_all.c | 6 +-
freebsd/sys/cam/scsi/scsi_all.h | 4 +-
freebsd/sys/dev/pci/pci.c | 22 +-
freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h | 3 +-
freebsd/sys/dev/sdhci/sdhci.c | 4 +-
freebsd/sys/dev/usb/usb.h | 1 +
freebsd/sys/dev/usb/usb_ioctl.h | 1 +
freebsd/sys/kern/sys_generic.c | 6 +-
freebsd/sys/kern/sys_pipe.c | 52 +--
freebsd/sys/kern/uipc_socket.c | 14 +-
freebsd/sys/kern/uipc_syscalls.c | 41 +-
freebsd/sys/kern/uipc_usrreq.c | 20 +-
freebsd/sys/net/if.c | 2 +
freebsd/sys/net/if_spppsubr.c | 10 +-
freebsd/sys/netinet/sctp_asconf.c | 2 +-
freebsd/sys/netinet/sctp_auth.c | 2 +-
freebsd/sys/netinet/sctp_indata.c | 23 +-
freebsd/sys/netinet/sctp_indata.h | 1 -
freebsd/sys/netinet/sctp_input.c | 72 ++-
freebsd/sys/netinet/sctp_output.c | 293 ++++++------
freebsd/sys/netinet/sctp_output.h | 4 +-
freebsd/sys/netinet/sctp_pcb.c | 20 +-
freebsd/sys/netinet/sctp_pcb.h | 6 +-
freebsd/sys/netinet/sctp_usrreq.c | 89 ++--
freebsd/sys/netinet/sctputil.c | 2 +-
freebsd/sys/netinet/tcp_hpts.h | 2 +-
freebsd/sys/netinet/tcp_input.c | 45 +-
freebsd/sys/netinet/tcp_log_buf.h | 3 +-
freebsd/sys/netinet/tcp_output.c | 8 +-
freebsd/sys/netinet/tcp_sack.c | 158 ++++++-
freebsd/sys/netinet/tcp_subr.c | 23 +-
freebsd/sys/netinet/tcp_var.h | 3 +
freebsd/sys/netinet/udp_usrreq.c | 83 ++--
freebsd/sys/netinet6/sctp6_usrreq.c | 7 +-
freebsd/sys/netinet6/udp6_usrreq.c | 15 +
freebsd/sys/netipsec/ipsec.c | 2 +
freebsd/sys/opencrypto/criov.c | 54 +++
freebsd/sys/opencrypto/cryptodev.h | 2 +
freebsd/sys/sys/ata.h | 7 +-
freebsd/sys/sys/file.h | 10 +-
freebsd/sys/sys/lockstat.h | 7 +
freebsd/sys/sys/malloc.h | 2 +-
freebsd/sys/sys/mount.h | 13 +-
freebsd/sys/sys/proc.h | 4 +
freebsd/sys/sys/refcount.h | 33 +-
freebsd/sys/sys/sysproto.h | 2 +-
freebsd/sys/sys/vnode.h | 2 +
libbsd.py | 2 +
.../include/machine/rtems-bsd-kernel-namespace.h | 109 ++++-
rtemsbsd/include/rtems/bsd/local/usbdevs.h | 1 +
rtemsbsd/include/rtems/bsd/local/usbdevs_data.h | 6 +
304 files changed, 5686 insertions(+), 2229 deletions(-)
diff --git a/freebsd-org b/freebsd-org
index 621e7ba..7e8d144 160000
--- a/freebsd-org
+++ b/freebsd-org
@@ -1 +1 @@
-Subproject commit 621e7bafbf6857451f23ba11b0495c7ac69aff89
+Subproject commit 7e8d1444023128d34fb9aa4e4515928a4f794d1b
diff --git a/freebsd/contrib/tcpdump/tcpdump.c b/freebsd/contrib/tcpdump/tcpdump.c
index d48ad1b..3b68ed5 100644
--- a/freebsd/contrib/tcpdump/tcpdump.c
+++ b/freebsd/contrib/tcpdump/tcpdump.c
@@ -775,7 +775,7 @@ capdns_setup(void)
if (capdnsloc == NULL)
error("unable to open system.dns service");
/* Limit system.dns to reverse DNS lookups. */
- types[0] = "ADDR";
+ types[0] = "ADDR2NAME";
if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
error("unable to limit access to system.dns service");
families[0] = AF_INET;
diff --git a/freebsd/contrib/wpa/src/ap/ap_config.h b/freebsd/contrib/wpa/src/ap/ap_config.h
index 509677a..ea581a8 100644
--- a/freebsd/contrib/wpa/src/ap/ap_config.h
+++ b/freebsd/contrib/wpa/src/ap/ap_config.h
@@ -15,6 +15,7 @@
#include "common/wpa_common.h"
#include "common/ieee802_11_defs.h"
#include "common/ieee802_11_common.h"
+#include "crypto/sha256.h"
#include "wps/wps.h"
#include "fst/fst.h"
#include "vlan.h"
@@ -252,6 +253,18 @@ struct sae_password_entry {
int vlan_id;
};
+struct dpp_controller_conf {
+ struct dpp_controller_conf *next;
+ u8 pkhash[SHA256_MAC_LEN];
+ struct hostapd_ip_addr ipaddr;
+};
+
+struct airtime_sta_weight {
+ struct airtime_sta_weight *next;
+ unsigned int weight;
+ u8 addr[ETH_ALEN];
+};
+
/**
* struct hostapd_bss_config - Per-BSS configuration
*/
@@ -288,6 +301,7 @@ struct hostapd_bss_config {
int radius_request_cui;
struct hostapd_radius_attr *radius_auth_req_attr;
struct hostapd_radius_attr *radius_acct_req_attr;
+ char *radius_req_attr_sqlite;
int radius_das_port;
unsigned int radius_das_time_window;
int radius_das_require_event_timestamp;
@@ -390,8 +404,11 @@ struct hostapd_bss_config {
char *ca_cert;
char *server_cert;
+ char *server_cert2;
char *private_key;
+ char *private_key2;
char *private_key_passwd;
+ char *private_key_passwd2;
char *check_cert_subject;
int check_crl;
int check_crl_strict;
@@ -410,7 +427,10 @@ struct hostapd_bss_config {
int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
+ int eap_teap_auth;
+ int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
int fragment_size;
u16 pwd_group;
@@ -570,6 +590,7 @@ struct hostapd_bss_config {
int osen;
int proxy_arp;
int na_mcast_to_ucast;
+
#ifdef CONFIG_HS20
int hs20;
int hs20_release;
@@ -692,6 +713,9 @@ struct hostapd_bss_config {
struct wpabuf *dpp_netaccesskey;
unsigned int dpp_netaccesskey_expiry;
struct wpabuf *dpp_csign;
+#ifdef CONFIG_DPP2
+ struct dpp_controller_conf *dpp_controller;
+#endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */
#ifdef CONFIG_OWE
@@ -709,6 +733,100 @@ struct hostapd_bss_config {
#define BACKHAUL_BSS 1
#define FRONTHAUL_BSS 2
int multi_ap; /* bitmap of BACKHAUL_BSS, FRONTHAUL_BSS */
+
+#ifdef CONFIG_AIRTIME_POLICY
+ unsigned int airtime_weight;
+ int airtime_limit;
+ struct airtime_sta_weight *airtime_weight_list;
+#endif /* CONFIG_AIRTIME_POLICY */
+
+#ifdef CONFIG_MACSEC
+ /**
+ * macsec_policy - Determines the policy for MACsec secure session
+ *
+ * 0: MACsec not in use (default)
+ * 1: MACsec enabled - Should secure, accept key server's advice to
+ * determine whether to use a secure session or not.
+ */
+ int macsec_policy;
+
+ /**
+ * macsec_integ_only - Determines how MACsec are transmitted
+ *
+ * This setting applies only when MACsec is in use, i.e.,
+ * - macsec_policy is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: Encrypt traffic (default)
+ * 1: Integrity only
+ */
+ int macsec_integ_only;
+
+ /**
+ * macsec_replay_protect - Enable MACsec replay protection
+ *
+ * This setting applies only when MACsec is in use, i.e.,
+ * - macsec_policy is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: Replay protection disabled (default)
+ * 1: Replay protection enabled
+ */
+ int macsec_replay_protect;
+
+ /**
+ * macsec_replay_window - MACsec replay protection window
+ *
+ * A window in which replay is tolerated, to allow receipt of frames
+ * that have been misordered by the network.
+ *
+ * This setting applies only when MACsec replay protection active, i.e.,
+ * - macsec_replay_protect is enabled
+ * - the key server has decided to enable MACsec
+ *
+ * 0: No replay window, strict check (default)
+ * 1..2^32-1: number of packets that could be misordered
+ */
+ u32 macsec_replay_window;
+
+ /**
+ * macsec_port - MACsec port (in SCI)
+ *
+ * Port component of the SCI.
+ *
+ * Range: 1-65534 (default: 1)
+ */
+ int macsec_port;
+
+ /**
+ * mka_priority - Priority of MKA Actor
+ *
+ * Range: 0-255 (default: 255)
+ */
+ int mka_priority;
+
+ /**
+ * mka_ckn - MKA pre-shared CKN
+ */
+#define MACSEC_CKN_MAX_LEN 32
+ size_t mka_ckn_len;
+ u8 mka_ckn[MACSEC_CKN_MAX_LEN];
+
+ /**
+ * mka_cak - MKA pre-shared CAK
+ */
+#define MACSEC_CAK_MAX_LEN 32
+ size_t mka_cak_len;
+ u8 mka_cak[MACSEC_CAK_MAX_LEN];
+
+#define MKA_PSK_SET_CKN BIT(0)
+#define MKA_PSK_SET_CAK BIT(1)
+#define MKA_PSK_SET (MKA_PSK_SET_CKN | MKA_PSK_SET_CAK)
+ /**
+ * mka_psk_set - Whether mka_ckn and mka_cak are set
+ */
+ u8 mka_psk_set;
+#endif /* CONFIG_MACSEC */
};
/**
@@ -727,7 +845,20 @@ struct he_operation {
u8 he_bss_color;
u8 he_default_pe_duration;
u8 he_twt_required;
- u8 he_rts_threshold;
+ u16 he_rts_threshold;
+ u16 he_basic_mcs_nss_set;
+};
+
+/**
+ * struct spatial_reuse - Spatial reuse
+ */
+struct spatial_reuse {
+ u8 sr_control;
+ u8 non_srg_obss_pd_max_offset;
+ u8 srg_obss_pd_min_offset;
+ u8 srg_obss_pd_max_offset;
+ u8 srg_obss_color_bitmap;
+ u8 srg_obss_color_partial_bitmap;
};
/**
@@ -852,6 +983,10 @@ struct hostapd_config {
struct he_phy_capabilities_info he_phy_capab;
struct he_operation he_op;
struct ieee80211_he_mu_edca_parameter_set he_mu_edca;
+ struct spatial_reuse spr;
+ u8 he_oper_chwidth;
+ u8 he_oper_centr_freq_seg0_idx;
+ u8 he_oper_centr_freq_seg1_idx;
#endif /* CONFIG_IEEE80211AX */
/* VHT enable/disable config from CHAN_SWITCH */
@@ -861,12 +996,87 @@ struct hostapd_config {
int rssi_reject_assoc_rssi;
int rssi_reject_assoc_timeout;
+
+#ifdef CONFIG_AIRTIME_POLICY
+ enum {
+ AIRTIME_MODE_OFF = 0,
+ AIRTIME_MODE_STATIC = 1,
+ AIRTIME_MODE_DYNAMIC = 2,
+ AIRTIME_MODE_LIMIT = 3,
+ __AIRTIME_MODE_MAX,
+ } airtime_mode;
+ unsigned int airtime_update_interval;
+#define AIRTIME_MODE_MAX (__AIRTIME_MODE_MAX - 1)
+#endif /* CONFIG_AIRTIME_POLICY */
};
+static inline u8 hostapd_get_oper_chwidth(struct hostapd_config *conf)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ return conf->he_oper_chwidth;
+#endif /* CONFIG_IEEE80211AX */
+ return conf->vht_oper_chwidth;
+}
+
+static inline void
+hostapd_set_oper_chwidth(struct hostapd_config *conf, u8 oper_chwidth)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ conf->he_oper_chwidth = oper_chwidth;
+#endif /* CONFIG_IEEE80211AX */
+ conf->vht_oper_chwidth = oper_chwidth;
+}
+
+static inline u8
+hostapd_get_oper_centr_freq_seg0_idx(struct hostapd_config *conf)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ return conf->he_oper_centr_freq_seg0_idx;
+#endif /* CONFIG_IEEE80211AX */
+ return conf->vht_oper_centr_freq_seg0_idx;
+}
+
+static inline void
+hostapd_set_oper_centr_freq_seg0_idx(struct hostapd_config *conf,
+ u8 oper_centr_freq_seg0_idx)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ conf->he_oper_centr_freq_seg0_idx = oper_centr_freq_seg0_idx;
+#endif /* CONFIG_IEEE80211AX */
+ conf->vht_oper_centr_freq_seg0_idx = oper_centr_freq_seg0_idx;
+}
+
+static inline u8
+hostapd_get_oper_centr_freq_seg1_idx(struct hostapd_config *conf)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ return conf->he_oper_centr_freq_seg1_idx;
+#endif /* CONFIG_IEEE80211AX */
+ return conf->vht_oper_centr_freq_seg1_idx;
+}
+
+static inline void
+hostapd_set_oper_centr_freq_seg1_idx(struct hostapd_config *conf,
+ u8 oper_centr_freq_seg1_idx)
+{
+#ifdef CONFIG_IEEE80211AX
+ if (conf->ieee80211ax)
+ conf->he_oper_centr_freq_seg1_idx = oper_centr_freq_seg1_idx;
+#endif /* CONFIG_IEEE80211AX */
+ conf->vht_oper_centr_freq_seg1_idx = oper_centr_freq_seg1_idx;
+}
+
+
int hostapd_mac_comp(const void *a, const void *b);
struct hostapd_config * hostapd_config_defaults(void);
void hostapd_config_defaults_bss(struct hostapd_bss_config *bss);
+void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr);
void hostapd_config_free_eap_user(struct hostapd_eap_user *user);
void hostapd_config_free_eap_users(struct hostapd_eap_user *user);
void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **p);
@@ -885,6 +1095,7 @@ const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan,
int vlan_id);
struct hostapd_radius_attr *
hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type);
+struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value);
int hostapd_config_check(struct hostapd_config *conf, int full_config);
void hostapd_set_security_params(struct hostapd_bss_config *bss,
int full_config);
diff --git a/freebsd/contrib/wpa/src/ap/ap_drv_ops.c b/freebsd/contrib/wpa/src/ap/ap_drv_ops.c
index 09a6188..1ea015f 100644
--- a/freebsd/contrib/wpa/src/ap/ap_drv_ops.c
+++ b/freebsd/contrib/wpa/src/ap/ap_drv_ops.c
@@ -415,6 +415,8 @@ int hostapd_sta_add(struct hostapd_data *hapd,
u16 listen_interval,
const struct ieee80211_ht_capabilities *ht_capab,
const struct ieee80211_vht_capabilities *vht_capab,
+ const struct ieee80211_he_capabilities *he_capab,
+ size_t he_capab_len,
u32 flags, u8 qosinfo, u8 vht_opmode, int supp_p2p_ps,
int set)
{
@@ -434,6 +436,8 @@ int hostapd_sta_add(struct hostapd_data *hapd,
params.listen_interval = listen_interval;
params.ht_capabilities = ht_capab;
params.vht_capabilities = vht_capab;
+ params.he_capab = he_capab;
+ params.he_capab_len = he_capab_len;
params.vht_opmode_enabled = !!(flags & WLAN_STA_VHT_OPMODE_ENABLED);
params.vht_opmode = vht_opmode;
params.flags = hostapd_sta_flags_to_drv(flags);
@@ -539,17 +543,20 @@ int hostapd_flush(struct hostapd_data *hapd)
int hostapd_set_freq(struct hostapd_data *hapd, enum hostapd_hw_mode mode,
int freq, int channel, int ht_enabled, int vht_enabled,
- int sec_channel_offset, int vht_oper_chwidth,
+ int he_enabled,
+ int sec_channel_offset, int oper_chwidth,
int center_segment0, int center_segment1)
{
struct hostapd_freq_params data;
+ struct hostapd_hw_modes *cmode = hapd->iface->current_mode;
if (hostapd_set_freq_params(&data, mode, freq, channel, ht_enabled,
- vht_enabled, sec_channel_offset,
- vht_oper_chwidth,
+ vht_enabled, he_enabled, sec_channel_offset,
+ oper_chwidth,
center_segment0, center_segment1,
- hapd->iface->current_mode ?
- hapd->iface->current_mode->vht_capab : 0))
+ cmode ? cmode->vht_capab : 0,
+ cmode ?
+ &cmode->he_capab[IEEE80211_MODE_AP] : NULL))
return -1;
if (hapd->driver == NULL)
@@ -585,6 +592,16 @@ int hostapd_sta_set_flags(struct hostapd_data *hapd, u8 *addr,
}
+int hostapd_sta_set_airtime_weight(struct hostapd_data *hapd, const u8 *addr,
+ unsigned int weight)
+{
+ if (!hapd->driver || !hapd->driver->sta_set_airtime_weight)
+ return 0;
+ return hapd->driver->sta_set_airtime_weight(hapd->drv_priv, addr,
+ weight);
+}
+
+
int hostapd_set_country(struct hostapd_data *hapd, const char *country)
{
if (hapd->driver == NULL ||
@@ -777,14 +794,16 @@ int hostapd_drv_send_action_addr3_ap(struct hostapd_data *hapd,
int hostapd_start_dfs_cac(struct hostapd_iface *iface,
enum hostapd_hw_mode mode, int freq,
int channel, int ht_enabled, int vht_enabled,
- int sec_channel_offset, int vht_oper_chwidth,
+ int he_enabled,
+ int sec_channel_offset, int oper_chwidth,
int center_segment0, int center_segment1)
{
struct hostapd_data *hapd = iface->bss[0];
struct hostapd_freq_params data;
int res;
+ struct hostapd_hw_modes *cmode = iface->current_mode;
- if (!hapd->driver || !hapd->driver->start_dfs_cac)
+ if (!hapd->driver || !hapd->driver->start_dfs_cac || !cmode)
return 0;
if (!iface->conf->ieee80211h) {
@@ -794,10 +813,11 @@ int hostapd_start_dfs_cac(struct hostapd_iface *iface,
}
if (hostapd_set_freq_params(&data, mode, freq, channel, ht_enabled,
- vht_enabled, sec_channel_offset,
- vht_oper_chwidth, center_segment0,
+ vht_enabled, he_enabled, sec_channel_offset,
+ oper_chwidth, center_segment0,
center_segment1,
- iface->current_mode->vht_capab)) {
+ cmode->vht_capab,
+ &cmode->he_capab[IEEE80211_MODE_AP])) {
wpa_printf(MSG_ERROR, "Can't set freq params");
return -1;
}
@@ -921,15 +941,17 @@ int hostapd_drv_do_acs(struct hostapd_data *hapd)
if (hapd->iface->conf->ieee80211n && params.ht40_enabled)
params.ch_width = 40;
- /* Note: VHT20 is defined by combination of ht_capab & vht_oper_chwidth
+ /* Note: VHT20 is defined by combination of ht_capab & oper_chwidth
*/
- if (hapd->iface->conf->ieee80211ac && params.ht40_enabled) {
- if (hapd->iface->conf->vht_oper_chwidth == VHT_CHANWIDTH_80MHZ)
+ if ((hapd->iface->conf->ieee80211ax ||
+ hapd->iface->conf->ieee80211ac) &&
+ params.ht40_enabled) {
+ u8 oper_chwidth = hostapd_get_oper_chwidth(hapd->iface->conf);
+
+ if (oper_chwidth == CHANWIDTH_80MHZ)
params.ch_width = 80;
- else if (hapd->iface->conf->vht_oper_chwidth ==
- VHT_CHANWIDTH_160MHZ ||
- hapd->iface->conf->vht_oper_chwidth ==
- VHT_CHANWIDTH_80P80MHZ)
+ else if (oper_chwidth == CHANWIDTH_160MHZ ||
+ oper_chwidth == CHANWIDTH_80P80MHZ)
params.ch_width = 160;
}
@@ -938,3 +960,13 @@ int hostapd_drv_do_acs(struct hostapd_data *hapd)
return ret;
}
+
+
+int hostapd_drv_update_dh_ie(struct hostapd_data *hapd, const u8 *peer,
+ u16 reason_code, const u8 *ie, size_t ielen)
+{
+ if (!hapd->driver || !hapd->driver->update_dh_ie || !hapd->drv_priv)
+ return 0;
+ return hapd->driver->update_dh_ie(hapd->drv_priv, peer, reason_code,
+ ie, ielen);
+}
diff --git a/freebsd/contrib/wpa/src/ap/ap_drv_ops.h b/freebsd/contrib/wpa/src/ap/ap_drv_ops.h
index de40171..ca7f7ab 100644
--- a/freebsd/contrib/wpa/src/ap/ap_drv_ops.h
+++ b/freebsd/contrib/wpa/src/ap/ap_drv_ops.h
@@ -41,6 +41,8 @@ int hostapd_sta_add(struct hostapd_data *hapd,
u16 listen_interval,
const struct ieee80211_ht_capabilities *ht_capab,
const struct ieee80211_vht_capabilities *vht_capab,
+ const struct ieee80211_he_capabilities *he_capab,
+ size_t he_capab_len,
u32 flags, u8 qosinfo, u8 vht_opmode, int supp_p2p_ps,
int set);
int hostapd_set_privacy(struct hostapd_data *hapd, int enabled);
@@ -61,12 +63,14 @@ int hostapd_get_seqnum(const char *ifname, struct hostapd_data *hapd,
int hostapd_flush(struct hostapd_data *hapd);
int hostapd_set_freq(struct hostapd_data *hapd, enum hostapd_hw_mode mode,
int freq, int channel, int ht_enabled, int vht_enabled,
- int sec_channel_offset, int vht_oper_chwidth,
+ int he_enabled, int sec_channel_offset, int oper_chwidth,
int center_segment0, int center_segment1);
int hostapd_set_rts(struct hostapd_data *hapd, int rts);
int hostapd_set_frag(struct hostapd_data *hapd, int frag);
int hostapd_sta_set_flags(struct hostapd_data *hapd, u8 *addr,
int total_flags, int flags_or, int flags_and);
+int hostapd_sta_set_airtime_weight(struct hostapd_data *hapd, const u8 *addr,
+ unsigned int weight);
int hostapd_set_country(struct hostapd_data *hapd, const char *country);
int hostapd_set_tx_queue_params(struct hostapd_data *hapd, int queue, int aifs,
int cw_min, int cw_max, int burst_time);
@@ -122,9 +126,12 @@ int hostapd_add_tspec(struct hostapd_data *hapd, const u8 *addr,
int hostapd_start_dfs_cac(struct hostapd_iface *iface,
enum hostapd_hw_mode mode, int freq,
int channel, int ht_enabled, int vht_enabled,
- int sec_channel_offset, int vht_oper_chwidth,
+ int he_enabled,
+ int sec_channel_offset, int oper_chwidth,
int center_segment0, int center_segment1);
int hostapd_drv_do_acs(struct hostapd_data *hapd);
+int hostapd_drv_update_dh_ie(struct hostapd_data *hapd, const u8 *peer,
+ u16 reason_code, const u8 *ie, size_t ielen);
#include "drivers/driver.h"
diff --git a/freebsd/contrib/wpa/src/ap/hostapd.h b/freebsd/contrib/wpa/src/ap/hostapd.h
index 790d377..518c7f1 100644
--- a/freebsd/contrib/wpa/src/ap/hostapd.h
+++ b/freebsd/contrib/wpa/src/ap/hostapd.h
@@ -9,6 +9,10 @@
#ifndef HOSTAPD_H
#define HOSTAPD_H
+#ifdef CONFIG_SQLITE
+#include <sqlite3.h>
+#endif /* CONFIG_SQLITE */
+
#include "common/defs.h"
#include "utils/list.h"
#include "ap_config.h"
@@ -232,6 +236,10 @@ struct hostapd_data {
struct wps_stat wps_stats;
#endif /* CONFIG_WPS */
+#ifdef CONFIG_MACSEC
+ struct ieee802_1x_kay *kay;
+#endif /* CONFIG_MACSEC */
+
struct hostapd_probereq_cb *probereq_cb;
size_t num_probereq_cb;
@@ -379,6 +387,17 @@ struct hostapd_data {
unsigned int dpp_ignore_netaccesskey_mismatch:1;
#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_DPP */
+
+#ifdef CONFIG_AIRTIME_POLICY
+ unsigned int num_backlogged_sta;
+ unsigned int airtime_weight;
+#endif /* CONFIG_AIRTIME_POLICY */
+
+ u8 last_1x_eapol_key_replay_counter[8];
+
+#ifdef CONFIG_SQLITE
+ sqlite3 *rad_attr_db;
+#endif /* CONFIG_SQLITE */
};
@@ -541,6 +560,12 @@ struct hostapd_iface {
unsigned int num_sta_seen;
u8 dfs_domain;
+#ifdef CONFIG_AIRTIME_POLICY
+ unsigned int airtime_quantum;
+#endif /* CONFIG_AIRTIME_POLICY */
+
+ /* Previous WMM element information */
+ struct hostapd_wmm_ac_params prev_wmm[WMM_AC_NUM];
};
/* hostapd.c */
@@ -607,7 +632,8 @@ int hostapd_probe_req_rx(struct hostapd_data *hapd, const u8 *sa, const u8 *da,
const u8 *bssid, const u8 *ie, size_t ie_len,
int ssi_signal);
void hostapd_event_ch_switch(struct hostapd_data *hapd, int freq, int ht,
- int offset, int width, int cf1, int cf2);
+ int offset, int width, int cf1, int cf2,
+ int finished);
struct survey_results;
void hostapd_event_get_survey(struct hostapd_iface *iface,
struct survey_results *survey_results);
diff --git a/freebsd/contrib/wpa/src/ap/ieee802_11.h b/freebsd/contrib/wpa/src/ap/ieee802_11.h
index db7badc..b8453c9 100644
--- a/freebsd/contrib/wpa/src/ap/ieee802_11.h
+++ b/freebsd/contrib/wpa/src/ap/ieee802_11.h
@@ -18,6 +18,7 @@ struct ieee80211_vht_capabilities;
struct ieee80211_mgmt;
struct vlan_description;
struct hostapd_sta_wpa_psk_short;
+enum ieee80211_op_mode;
int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
struct hostapd_frame_info *fi);
@@ -57,9 +58,11 @@ u8 * hostapd_eid_vht_operation(struct hostapd_data *hapd, u8 *eid);
u8 * hostapd_eid_vendor_vht(struct hostapd_data *hapd, u8 *eid);
u8 * hostapd_eid_wb_chsw_wrapper(struct hostapd_data *hapd, u8 *eid);
u8 * hostapd_eid_txpower_envelope(struct hostapd_data *hapd, u8 *eid);
-u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid);
+u8 * hostapd_eid_he_capab(struct hostapd_data *hapd, u8 *eid,
+ enum ieee80211_op_mode opmode);
u8 * hostapd_eid_he_operation(struct hostapd_data *hapd, u8 *eid);
u8 * hostapd_eid_he_mu_edca_parameter_set(struct hostapd_data *hapd, u8 *eid);
+u8 * hostapd_eid_spatial_reuse(struct hostapd_data *hapd, u8 *eid);
int hostapd_ht_operation_update(struct hostapd_iface *iface);
void ieee802_11_send_sa_query_req(struct hostapd_data *hapd,
@@ -70,6 +73,10 @@ void hostapd_get_ht_capab(struct hostapd_data *hapd,
void hostapd_get_vht_capab(struct hostapd_data *hapd,
struct ieee80211_vht_capabilities *vht_cap,
struct ieee80211_vht_capabilities *neg_vht_cap);
+void hostapd_get_he_capab(struct hostapd_data *hapd,
+ const struct ieee80211_he_capabilities *he_cap,
+ struct ieee80211_he_capabilities *neg_he_cap,
+ size_t he_capab_len);
int hostapd_get_aid(struct hostapd_data *hapd, struct sta_info *sta);
u16 copy_sta_ht_capab(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *ht_capab);
@@ -85,6 +92,9 @@ u16 copy_sta_vht_oper(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *vht_oper);
u16 set_sta_vht_opmode(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *vht_opmode);
+u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
+ enum ieee80211_op_mode opmode, const u8 *he_capab,
+ size_t he_capab_len);
void hostapd_tx_status(struct hostapd_data *hapd, const u8 *addr,
const u8 *buf, size_t len, int ack);
void hostapd_eapol_tx_status(struct hostapd_data *hapd, const u8 *dst,
@@ -153,6 +163,12 @@ void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
u8 * owe_assoc_req_process(struct hostapd_data *hapd, struct sta_info *sta,
const u8 *owe_dh, u8 owe_dh_len,
u8 *owe_buf, size_t owe_buf_len, u16 *reason);
+u16 owe_process_rsn_ie(struct hostapd_data *hapd, struct sta_info *sta,
+ const u8 *rsn_ie, size_t rsn_ie_len,
+ const u8 *owe_dh, size_t owe_dh_len);
+u16 owe_validate_request(struct hostapd_data *hapd, const u8 *peer,
+ const u8 *rsn_ie, size_t rsn_ie_len,
+ const u8 *owe_dh, size_t owe_dh_len);
void fils_hlp_timeout(void *eloop_ctx, void *eloop_data);
void fils_hlp_finish_assoc(struct hostapd_data *hapd, struct sta_info *sta);
void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
diff --git a/freebsd/contrib/wpa/src/ap/sta_info.h b/freebsd/contrib/wpa/src/ap/sta_info.h
index ece0c60..5456a63 100644
--- a/freebsd/contrib/wpa/src/ap/sta_info.h
+++ b/freebsd/contrib/wpa/src/ap/sta_info.h
@@ -37,6 +37,7 @@
#define WLAN_STA_VENDOR_VHT BIT(21)
#define WLAN_STA_PENDING_FILS_ERP BIT(22)
#define WLAN_STA_MULTI_AP BIT(23)
+#define WLAN_STA_HE BIT(24)
#define WLAN_STA_PENDING_DISASSOC_CB BIT(29)
#define WLAN_STA_PENDING_DEAUTH_CB BIT(30)
#define WLAN_STA_NONERP BIT(31)
@@ -119,6 +120,7 @@ struct sta_info {
unsigned int agreed_to_steer:1;
unsigned int hs20_t_c_filtering:1;
unsigned int ft_over_ds:1;
+ unsigned int external_dh_updated:1;
u16 auth_alg;
@@ -166,6 +168,8 @@ struct sta_info {
struct ieee80211_vht_capabilities *vht_capabilities;
struct ieee80211_vht_operation *vht_operation;
u8 vht_opmode;
+ struct ieee80211_he_capabilities *he_capab;
+ size_t he_capab_len;
#ifdef CONFIG_IEEE80211W
int sa_query_count; /* number of pending SA Query requests;
@@ -275,6 +279,10 @@ struct sta_info {
u8 last_tk[WPA_TK_MAX_LEN];
size_t last_tk_len;
#endif /* CONFIG_TESTING_OPTIONS */
+#ifdef CONFIG_AIRTIME_POLICY
+ unsigned int airtime_weight;
+ struct os_reltime backlogged_until;
+#endif /* CONFIG_AIRTIME_POLICY */
};
diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth.c b/freebsd/contrib/wpa/src/ap/wpa_auth.c
index 5a1b250..47028b5 100644
--- a/freebsd/contrib/wpa/src/ap/wpa_auth.c
+++ b/freebsd/contrib/wpa/src/ap/wpa_auth.c
@@ -936,6 +936,7 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
+ forced_memzero(&PTK, sizeof(PTK));
sm->PTK_valid = TRUE;
return 0;
@@ -1409,6 +1410,8 @@ static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
#endif /* CONFIG_SHA256 */
#endif /* CONFIG_SHA384 */
+ forced_memzero(data, sizeof(data));
+
return ret;
}
@@ -2048,7 +2051,7 @@ SM_STATE(WPA_PTK, INITPMK)
sm->Disconnect = TRUE;
return;
}
- os_memset(msk, 0, sizeof(msk));
+ forced_memzero(msk, sizeof(msk));
sm->req_replay_counter_used = 0;
/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
@@ -2287,12 +2290,12 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
pmk_r0_name, WPA_PMK_NAME_LEN);
wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
- os_memset(fils_ft, 0, sizeof(fils_ft));
+ forced_memzero(fils_ft, sizeof(fils_ft));
res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
sm->addr, sm->pmk_r1_name,
use_sha384);
- os_memset(pmk_r0, 0, PMK_LEN_MAX);
+ forced_memzero(pmk_r0, PMK_LEN_MAX);
if (res < 0)
return -1;
wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
@@ -2310,7 +2313,7 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
sm->wpa_key_mgmt, sm->fils_key_auth_sta,
sm->fils_key_auth_ap,
&sm->fils_key_auth_len);
- os_memset(ick, 0, sizeof(ick));
+ forced_memzero(ick, sizeof(ick));
/* Store nonces for (Re)Association Request/Response frame processing */
os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
@@ -2612,7 +2615,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
wpa_printf(MSG_DEBUG,
"FILS: Not enough room for FILS elements");
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
return -1;
}
@@ -2622,7 +2625,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
wpabuf_head(plain), wpabuf_len(plain),
5, aad, aad_len, pos) < 0) {
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
return -1;
}
@@ -2630,7 +2633,7 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
"FILS: Encrypted Association Response elements",
pos, AES_BLOCK_SIZE + wpabuf_len(plain));
current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
sm->fils_completed = 1;
@@ -2684,7 +2687,7 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
* of GTK in the BSS.
*/
if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
return NULL;
}
gtk = dummy_gtk;
@@ -2711,13 +2714,13 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
wpa_printf(MSG_WARNING,
"FILS: Failed to get channel info for OCI element");
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
return NULL;
}
pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
if (ocv_insert_extended_oci(&ci, pos) < 0) {
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
return NULL;
}
}
@@ -2780,7 +2783,7 @@ u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
(unsigned int) wpabuf_len(plain));
- wpabuf_free(plain);
+ wpabuf_clear_free(plain);
sm->fils_completed = 1;
return pos;
}
@@ -3032,6 +3035,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
sm->MICVerified = TRUE;
os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
+ forced_memzero(&PTK, sizeof(PTK));
sm->PTK_valid = TRUE;
}
@@ -4248,8 +4252,12 @@ int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
/* Private MIB */
ret = os_snprintf(buf + len, buflen - len,
+ "wpa=%d\n"
+ "AKMSuiteSelector=" RSN_SUITE "\n"
"hostapdWPAPTKState=%d\n"
"hostapdWPAPTKGroupState=%d\n",
+ sm->wpa,
+ RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
sm->wpa_ptk_state,
sm->wpa_ptk_group_state);
if (os_snprintf_error(buflen - len, ret))
@@ -4361,6 +4369,15 @@ int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
sm->wpa_auth->conf.disable_pmksa_caching)
return -1;
+#ifdef CONFIG_IEEE80211R_AP
+ if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
+ wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
+ !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
+ /* Cache MPMK/XXKey instead of initial part from MSK */
+ pmk = pmk + PMK_LEN;
+ pmk_len = PMK_LEN;
+ } else
+#endif /* CONFIG_IEEE80211R_AP */
if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
if (pmk_len > PMK_LEN_SUITE_B_192)
pmk_len = PMK_LEN_SUITE_B_192;
@@ -4368,6 +4385,7 @@ int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
pmk_len = PMK_LEN;
}
+ wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
sm->PTK.kck, sm->PTK.kck_len,
sm->wpa_auth->addr, sm->addr, session_timeout,
@@ -4386,6 +4404,7 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
if (wpa_auth == NULL)
return -1;
+ wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
NULL, 0,
wpa_auth->addr,
@@ -4403,6 +4422,7 @@ int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
if (wpa_auth->conf.disable_pmksa_caching)
return -1;
+ wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN);
if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
NULL, 0,
wpa_auth->addr, addr, 0, NULL,
@@ -4427,6 +4447,7 @@ int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
if (wpa_auth->conf.disable_pmksa_caching)
return -1;
+ wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (2)", pmk, PMK_LEN);
if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
NULL, 0, wpa_auth->addr, addr, session_timeout,
NULL, akmp))
diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth.h b/freebsd/contrib/wpa/src/ap/wpa_auth.h
index df1e17a..a348bc2 100644
--- a/freebsd/contrib/wpa/src/ap/wpa_auth.h
+++ b/freebsd/contrib/wpa/src/ap/wpa_auth.h
@@ -475,6 +475,9 @@ void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
u8 * wpa_auth_write_assoc_resp_owe(struct wpa_state_machine *sm,
u8 *pos, size_t max_len,
const u8 *req_ies, size_t req_ies_len);
+u8 * wpa_auth_write_assoc_resp_fils(struct wpa_state_machine *sm,
+ u8 *pos, size_t max_len,
+ const u8 *req_ies, size_t req_ies_len);
void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg);
void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z);
diff --git a/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c b/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c
index e2eaacb..619f056 100644
--- a/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c
+++ b/freebsd/contrib/wpa/src/ap/wpa_auth_ft.c
@@ -27,6 +27,7 @@
#include "wmm.h"
#include "wpa_auth.h"
#include "wpa_auth_i.h"
+#include "pmksa_cache_auth.h"
#ifdef CONFIG_IEEE80211R_AP
@@ -2096,8 +2097,16 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk)
const u8 *identity, *radius_cui;
size_t identity_len, radius_cui_len;
int session_timeout;
-
- if (sm->xxkey_len == 0) {
+ const u8 *mpmk;
+ size_t mpmk_len;
+
+ if (sm->xxkey_len > 0) {
+ mpmk = sm->xxkey;
+ mpmk_len = sm->xxkey_len;
+ } else if (sm->pmksa) {
+ mpmk = sm->pmksa->pmk;
+ mpmk_len = sm->pmksa->pmk_len;
+ } else {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
"derivation");
return -1;
@@ -2114,7 +2123,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk)
&radius_cui);
session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr);
- if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
+ if (wpa_derive_pmk_r0(mpmk, mpmk_len, ssid, ssid_len, mdid,
r0kh, r0kh_len, sm->addr,
pmk_r0, pmk_r0_name,
wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) < 0)
@@ -2219,6 +2228,7 @@ static u8 * wpa_ft_gtk_subelem(struct wpa_state_machine *sm, size_t *len)
return NULL;
}
+ forced_memzero(keybuf, sizeof(keybuf));
*len = subelem_len;
return subelem;
}
@@ -3092,8 +3102,9 @@ void wpa_ft_process_auth(struct wpa_state_machine *sm, const u8 *bssid,
status = res;
wpa_printf(MSG_DEBUG, "FT: FT authentication response: dst=" MACSTR
- " auth_transaction=%d status=%d",
- MAC2STR(sm->addr), auth_transaction + 1, status);
+ " auth_transaction=%d status=%u (%s)",
+ MAC2STR(sm->addr), auth_transaction + 1, status,
+ status2str(status));
wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len);
cb(ctx, sm->addr, bssid, auth_transaction + 1, status,
resp_ies, resp_ies_len);
@@ -3451,8 +3462,9 @@ static int wpa_ft_send_rrb_auth_resp(struct wpa_state_machine *sm,
u8 *pos;
wpa_printf(MSG_DEBUG, "FT: RRB authentication response: STA=" MACSTR
- " CurrentAP=" MACSTR " status=%d",
- MAC2STR(sm->addr), MAC2STR(current_ap), status);
+ " CurrentAP=" MACSTR " status=%u (%s)",
+ MAC2STR(sm->addr), MAC2STR(current_ap), status,
+ status2str(status));
wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len);
/* RRB - Forward action frame response to the Current AP */
@@ -3558,7 +3570,7 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len,
pmk_r0->vlan, src_addr, type,
packet, packet_len);
- os_memset(pmk_r1, 0, sizeof(pmk_r1));
+ forced_memzero(pmk_r1, sizeof(pmk_r1));
return ret;
}
@@ -3884,10 +3896,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
ret = 0;
out:
- if (plain) {
- os_memset(plain, 0, plain_len);
- os_free(plain);
- }
+ bin_clear_free(plain, plain_len);
return ret;
diff --git a/freebsd/contrib/wpa/src/common/dpp.h b/freebsd/contrib/wpa/src/common/dpp.h
index 5a6d8cc..db640ef 100644
--- a/freebsd/contrib/wpa/src/common/dpp.h
+++ b/freebsd/contrib/wpa/src/common/dpp.h
@@ -18,9 +18,11 @@
#include "crypto/sha256.h"
struct crypto_ecdh;
+struct hostapd_ip_addr;
struct dpp_global;
#define DPP_HDR_LEN (4 + 2) /* OUI, OUI Type, Crypto Suite, DPP frame type */
+#define DPP_TCP_PORT 7871
enum dpp_public_action_frame_type {
DPP_PA_AUTHENTICATION_REQ = 0,
@@ -259,6 +261,22 @@ struct dpp_introduction {
size_t pmk_len;
};
+struct dpp_relay_config {
+ const struct hostapd_ip_addr *ipaddr;
+ const u8 *pkhash;
+
+ void *cb_ctx;
+ void (*tx)(void *ctx, const u8 *addr, unsigned int freq, const u8 *msg,
+ size_t len);
+ void (*gas_resp_tx)(void *ctx, const u8 *addr, u8 dialog_token, int prot,
+ struct wpabuf *buf);
+};
+
+struct dpp_controller_config {
+ const char *configurator_params;
+ int tcp_port;
+};
+
#ifdef CONFIG_TESTING_OPTIONS
enum dpp_test_behavior {
DPP_TEST_DISABLED = 0,
@@ -497,7 +515,26 @@ int dpp_configurator_add(struct dpp_global *dpp, const char *cmd);
int dpp_configurator_remove(struct dpp_global *dpp, const char *id);
int dpp_configurator_get_key_id(struct dpp_global *dpp, unsigned int id,
char *buf, size_t buflen);
-struct dpp_global * dpp_global_init(void);
+int dpp_relay_add_controller(struct dpp_global *dpp,
+ struct dpp_relay_config *config);
+int dpp_relay_rx_action(struct dpp_global *dpp, const u8 *src, const u8 *hdr,
+ const u8 *buf, size_t len, unsigned int freq,
+ const u8 *i_bootstrap, const u8 *r_bootstrap);
+int dpp_relay_rx_gas_req(struct dpp_global *dpp, const u8 *src, const u8 *data,
+ size_t data_len);
+int dpp_controller_start(struct dpp_global *dpp,
+ struct dpp_controller_config *config);
+void dpp_controller_stop(struct dpp_global *dpp);
+int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication *auth,
+ const struct hostapd_ip_addr *addr, int port);
+
+struct dpp_global_config {
+ void *msg_ctx;
+ void *cb_ctx;
+ int (*process_conf_obj)(void *ctx, struct dpp_authentication *auth);
+};
+
+struct dpp_global * dpp_global_init(struct dpp_global_config *config);
void dpp_global_clear(struct dpp_global *dpp);
void dpp_global_deinit(struct dpp_global *dpp);
diff --git a/freebsd/contrib/wpa/src/common/hw_features_common.c b/freebsd/contrib/wpa/src/common/hw_features_common.c
index 33d0d87..b9e0ada 100644
--- a/freebsd/contrib/wpa/src/common/hw_features_common.c
+++ b/freebsd/contrib/wpa/src/common/hw_features_common.c
@@ -363,30 +363,35 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
int hostapd_set_freq_params(struct hostapd_freq_params *data,
enum hostapd_hw_mode mode,
int freq, int channel, int ht_enabled,
- int vht_enabled, int sec_channel_offset,
- int vht_oper_chwidth, int center_segment0,
- int center_segment1, u32 vht_caps)
+ int vht_enabled, int he_enabled,
+ int sec_channel_offset,
+ int oper_chwidth, int center_segment0,
+ int center_segment1, u32 vht_caps,
+ struct he_capabilities *he_cap)
{
+ if (!he_cap)
+ he_enabled = 0;
os_memset(data, 0, sizeof(*data));
data->mode = mode;
data->freq = freq;
data->channel = channel;
data->ht_enabled = ht_enabled;
data->vht_enabled = vht_enabled;
+ data->he_enabled = he_enabled;
data->sec_channel_offset = sec_channel_offset;
data->center_freq1 = freq + sec_channel_offset * 10;
data->center_freq2 = 0;
data->bandwidth = sec_channel_offset ? 40 : 20;
- if (data->vht_enabled) switch (vht_oper_chwidth) {
- case VHT_CHANWIDTH_USE_HT:
+ if (data->vht_enabled) switch (oper_chwidth) {
+ case CHANWIDTH_USE_HT:
if (center_segment1 ||
(center_segment0 != 0 &&
5000 + center_segment0 * 5 != data->center_freq1 &&
2407 + center_segment0 * 5 != data->center_freq1))
return -1;
break;
- case VHT_CHANWIDTH_80P80MHZ:
+ case CHANWIDTH_80P80MHZ:
if (!(vht_caps & VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)) {
wpa_printf(MSG_ERROR,
"80+80 channel width is not supported!");
@@ -397,11 +402,11 @@ int hostapd_set_freq_params(struct hostapd_freq_params *data,
return -1;
data->center_freq2 = 5000 + center_segment1 * 5;
/* fall through */
- case VHT_CHANWIDTH_80MHZ:
+ case CHANWIDTH_80MHZ:
data->bandwidth = 80;
- if ((vht_oper_chwidth == VHT_CHANWIDTH_80MHZ &&
+ if ((oper_chwidth == CHANWIDTH_80MHZ &&
center_segment1) ||
- (vht_oper_chwidth == VHT_CHANWIDTH_80P80MHZ &&
+ (oper_chwidth == CHANWIDTH_80P80MHZ &&
!center_segment1) ||
!sec_channel_offset)
return -1;
@@ -434,7 +439,7 @@ int hostapd_set_freq_params(struct hostapd_freq_params *data,
return -1;
}
break;
- case VHT_CHANWIDTH_160MHZ:
+ case CHANWIDTH_160MHZ:
data->bandwidth = 160;
if (!(vht_caps & (VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) {
diff --git a/freebsd/contrib/wpa/src/common/hw_features_common.h b/freebsd/contrib/wpa/src/common/hw_features_common.h
index eb1f1c5..2d2a539 100644
--- a/freebsd/contrib/wpa/src/common/hw_features_common.h
+++ b/freebsd/contrib/wpa/src/common/hw_features_common.h
@@ -32,9 +32,11 @@ int check_40mhz_2g4(struct hostapd_hw_modes *mode,
int hostapd_set_freq_params(struct hostapd_freq_params *data,
enum hostapd_hw_mode mode,
int freq, int channel, int ht_enabled,
- int vht_enabled, int sec_channel_offset,
- int vht_oper_chwidth, int center_segment0,
- int center_segment1, u32 vht_caps);
+ int vht_enabled, int he_enabled,
+ int sec_channel_offset,
+ int oper_chwidth, int center_segment0,
+ int center_segment1, u32 vht_caps,
+ struct he_capabilities *he_caps);
void set_disable_ht40(struct ieee80211_ht_capabilities *htcaps,
int disabled);
int ieee80211ac_cap_check(u32 hw, u32 conf);
diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_common.c b/freebsd/contrib/wpa/src/common/ieee802_11_common.c
index c6fc901..a7f7a5a 100644
--- a/freebsd/contrib/wpa/src/common/ieee802_11_common.c
+++ b/freebsd/contrib/wpa/src/common/ieee802_11_common.c
@@ -276,6 +276,10 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen,
elems->he_capabilities = pos;
elems->he_capabilities_len = elen;
break;
+ case WLAN_EID_EXT_HE_OPERATION:
+ elems->he_operation = pos;
+ elems->he_operation_len = elen;
+ break;
case WLAN_EID_EXT_OCV_OCI:
elems->oci = pos;
elems->oci_len = elen;
@@ -704,7 +708,7 @@ enum hostapd_hw_mode ieee80211_freq_to_chan(int freq, u8 *channel)
{
u8 op_class;
- return ieee80211_freq_to_channel_ext(freq, 0, VHT_CHANWIDTH_USE_HT,
+ return ieee80211_freq_to_channel_ext(freq, 0, CHANWIDTH_USE_HT,
&op_class, channel);
}
@@ -714,7 +718,7 @@ enum hostapd_hw_mode ieee80211_freq_to_chan(int freq, u8 *channel)
* for HT40 and VHT. DFS channels are not covered.
* @freq: Frequency (MHz) to convert
* @sec_channel: 0 = non-HT40, 1 = sec. channel above, -1 = sec. channel below
- * @vht: VHT channel width (VHT_CHANWIDTH_*)
+ * @vht: VHT channel width (CHANWIDTH_*)
* @op_class: Buffer for returning operating class
* @channel: Buffer for returning channel number
* Returns: hw_mode on success, NUM_HOSTAPD_MODES on failure
@@ -769,13 +773,13 @@ enum hostapd_hw_mode ieee80211_freq_to_channel_ext(unsigned int freq,
}
switch (vht) {
- case VHT_CHANWIDTH_80MHZ:
+ case CHANWIDTH_80MHZ:
vht_opclass = 128;
break;
- case VHT_CHANWIDTH_160MHZ:
+ case CHANWIDTH_160MHZ:
vht_opclass = 129;
break;
- case VHT_CHANWIDTH_80P80MHZ:
+ case CHANWIDTH_80P80MHZ:
vht_opclass = 130;
break;
default:
@@ -894,16 +898,16 @@ int ieee80211_chaninfo_to_channel(unsigned int freq, enum chan_width chanwidth,
case CHAN_WIDTH_20_NOHT:
case CHAN_WIDTH_20:
case CHAN_WIDTH_40:
- vht = VHT_CHANWIDTH_USE_HT;
+ vht = CHANWIDTH_USE_HT;
break;
case CHAN_WIDTH_80:
- vht = VHT_CHANWIDTH_80MHZ;
+ vht = CHANWIDTH_80MHZ;
break;
case CHAN_WIDTH_80P80:
- vht = VHT_CHANWIDTH_80P80MHZ;
+ vht = CHANWIDTH_80P80MHZ;
break;
case CHAN_WIDTH_160:
- vht = VHT_CHANWIDTH_160MHZ;
+ vht = CHANWIDTH_160MHZ;
break;
}
@@ -1317,6 +1321,185 @@ const char * fc2str(u16 fc)
}
+const char * reason2str(u16 reason)
+{
+#define R2S(r) case WLAN_REASON_ ## r: return #r;
+ switch (reason) {
+ R2S(UNSPECIFIED)
+ R2S(PREV_AUTH_NOT_VALID)
+ R2S(DEAUTH_LEAVING)
+ R2S(DISASSOC_DUE_TO_INACTIVITY)
+ R2S(DISASSOC_AP_BUSY)
+ R2S(CLASS2_FRAME_FROM_NONAUTH_STA)
+ R2S(CLASS3_FRAME_FROM_NONASSOC_STA)
+ R2S(DISASSOC_STA_HAS_LEFT)
+ R2S(STA_REQ_ASSOC_WITHOUT_AUTH)
+ R2S(PWR_CAPABILITY_NOT_VALID)
+ R2S(SUPPORTED_CHANNEL_NOT_VALID)
+ R2S(BSS_TRANSITION_DISASSOC)
+ R2S(INVALID_IE)
+ R2S(MICHAEL_MIC_FAILURE)
+ R2S(4WAY_HANDSHAKE_TIMEOUT)
+ R2S(GROUP_KEY_UPDATE_TIMEOUT)
+ R2S(IE_IN_4WAY_DIFFERS)
+ R2S(GROUP_CIPHER_NOT_VALID)
+ R2S(PAIRWISE_CIPHER_NOT_VALID)
+ R2S(AKMP_NOT_VALID)
+ R2S(UNSUPPORTED_RSN_IE_VERSION)
+ R2S(INVALID_RSN_IE_CAPAB)
+ R2S(IEEE_802_1X_AUTH_FAILED)
+ R2S(CIPHER_SUITE_REJECTED)
+ R2S(TDLS_TEARDOWN_UNREACHABLE)
+ R2S(TDLS_TEARDOWN_UNSPECIFIED)
+ R2S(SSP_REQUESTED_DISASSOC)
+ R2S(NO_SSP_ROAMING_AGREEMENT)
+ R2S(BAD_CIPHER_OR_AKM)
+ R2S(NOT_AUTHORIZED_THIS_LOCATION)
+ R2S(SERVICE_CHANGE_PRECLUDES_TS)
+ R2S(UNSPECIFIED_QOS_REASON)
+ R2S(NOT_ENOUGH_BANDWIDTH)
+ R2S(DISASSOC_LOW_ACK)
+ R2S(EXCEEDED_TXOP)
+ R2S(STA_LEAVING)
+ R2S(END_TS_BA_DLS)
+ R2S(UNKNOWN_TS_BA)
+ R2S(TIMEOUT)
+ R2S(PEERKEY_MISMATCH)
+ R2S(AUTHORIZED_ACCESS_LIMIT_REACHED)
+ R2S(EXTERNAL_SERVICE_REQUIREMENTS)
+ R2S(INVALID_FT_ACTION_FRAME_COUNT)
+ R2S(INVALID_PMKID)
+ R2S(INVALID_MDE)
+ R2S(INVALID_FTE)
+ R2S(MESH_PEERING_CANCELLED)
+ R2S(MESH_MAX_PEERS)
+ R2S(MESH_CONFIG_POLICY_VIOLATION)
+ R2S(MESH_CLOSE_RCVD)
+ R2S(MESH_MAX_RETRIES)
+ R2S(MESH_CONFIRM_TIMEOUT)
+ R2S(MESH_INVALID_GTK)
+ R2S(MESH_INCONSISTENT_PARAMS)
+ R2S(MESH_INVALID_SECURITY_CAP)
+ R2S(MESH_PATH_ERROR_NO_PROXY_INFO)
+ R2S(MESH_PATH_ERROR_NO_FORWARDING_INFO)
+ R2S(MESH_PATH_ERROR_DEST_UNREACHABLE)
+ R2S(MAC_ADDRESS_ALREADY_EXISTS_IN_MBSS)
+ R2S(MESH_CHANNEL_SWITCH_REGULATORY_REQ)
+ R2S(MESH_CHANNEL_SWITCH_UNSPECIFIED)
+ }
+ return "UNKNOWN";
+#undef R2S
+}
+
+
+const char * status2str(u16 status)
+{
+#define S2S(s) case WLAN_STATUS_ ## s: return #s;
+ switch (status) {
+ S2S(SUCCESS)
+ S2S(UNSPECIFIED_FAILURE)
+ S2S(TDLS_WAKEUP_ALTERNATE)
+ S2S(TDLS_WAKEUP_REJECT)
+ S2S(SECURITY_DISABLED)
+ S2S(UNACCEPTABLE_LIFETIME)
+ S2S(NOT_IN_SAME_BSS)
+ S2S(CAPS_UNSUPPORTED)
+ S2S(REASSOC_NO_ASSOC)
+ S2S(ASSOC_DENIED_UNSPEC)
+ S2S(NOT_SUPPORTED_AUTH_ALG)
+ S2S(UNKNOWN_AUTH_TRANSACTION)
+ S2S(CHALLENGE_FAIL)
+ S2S(AUTH_TIMEOUT)
+ S2S(AP_UNABLE_TO_HANDLE_NEW_STA)
+ S2S(ASSOC_DENIED_RATES)
+ S2S(ASSOC_DENIED_NOSHORT)
+ S2S(SPEC_MGMT_REQUIRED)
+ S2S(PWR_CAPABILITY_NOT_VALID)
+ S2S(SUPPORTED_CHANNEL_NOT_VALID)
+ S2S(ASSOC_DENIED_NO_SHORT_SLOT_TIME)
+ S2S(ASSOC_DENIED_NO_HT)
+ S2S(R0KH_UNREACHABLE)
+ S2S(ASSOC_DENIED_NO_PCO)
+ S2S(ASSOC_REJECTED_TEMPORARILY)
+ S2S(ROBUST_MGMT_FRAME_POLICY_VIOLATION)
+ S2S(UNSPECIFIED_QOS_FAILURE)
+ S2S(DENIED_INSUFFICIENT_BANDWIDTH)
+ S2S(DENIED_POOR_CHANNEL_CONDITIONS)
+ S2S(DENIED_QOS_NOT_SUPPORTED)
+ S2S(REQUEST_DECLINED)
+ S2S(INVALID_PARAMETERS)
+ S2S(REJECTED_WITH_SUGGESTED_CHANGES)
+ S2S(INVALID_IE)
+ S2S(GROUP_CIPHER_NOT_VALID)
+ S2S(PAIRWISE_CIPHER_NOT_VALID)
+ S2S(AKMP_NOT_VALID)
+ S2S(UNSUPPORTED_RSN_IE_VERSION)
+ S2S(INVALID_RSN_IE_CAPAB)
+ S2S(CIPHER_REJECTED_PER_POLICY)
+ S2S(TS_NOT_CREATED)
+ S2S(DIRECT_LINK_NOT_ALLOWED)
+ S2S(DEST_STA_NOT_PRESENT)
+ S2S(DEST_STA_NOT_QOS_STA)
+ S2S(ASSOC_DENIED_LISTEN_INT_TOO_LARGE)
+ S2S(INVALID_FT_ACTION_FRAME_COUNT)
+ S2S(INVALID_PMKID)
+ S2S(INVALID_MDIE)
+ S2S(INVALID_FTIE)
+ S2S(REQUESTED_TCLAS_NOT_SUPPORTED)
+ S2S(INSUFFICIENT_TCLAS_PROCESSING_RESOURCES)
+ S2S(TRY_ANOTHER_BSS)
+ S2S(GAS_ADV_PROTO_NOT_SUPPORTED)
+ S2S(NO_OUTSTANDING_GAS_REQ)
+ S2S(GAS_RESP_NOT_RECEIVED)
+ S2S(STA_TIMED_OUT_WAITING_FOR_GAS_RESP)
+ S2S(GAS_RESP_LARGER_THAN_LIMIT)
+ S2S(REQ_REFUSED_HOME)
+ S2S(ADV_SRV_UNREACHABLE)
+ S2S(REQ_REFUSED_SSPN)
+ S2S(REQ_REFUSED_UNAUTH_ACCESS)
+ S2S(INVALID_RSNIE)
+ S2S(U_APSD_COEX_NOT_SUPPORTED)
+ S2S(U_APSD_COEX_MODE_NOT_SUPPORTED)
+ S2S(BAD_INTERVAL_WITH_U_APSD_COEX)
+ S2S(ANTI_CLOGGING_TOKEN_REQ)
+ S2S(FINITE_CYCLIC_GROUP_NOT_SUPPORTED)
+ S2S(CANNOT_FIND_ALT_TBTT)
+ S2S(TRANSMISSION_FAILURE)
+ S2S(REQ_TCLAS_NOT_SUPPORTED)
+ S2S(TCLAS_RESOURCES_EXCHAUSTED)
+ S2S(REJECTED_WITH_SUGGESTED_BSS_TRANSITION)
+ S2S(REJECT_WITH_SCHEDULE)
+ S2S(REJECT_NO_WAKEUP_SPECIFIED)
+ S2S(SUCCESS_POWER_SAVE_MODE)
+ S2S(PENDING_ADMITTING_FST_SESSION)
+ S2S(PERFORMING_FST_NOW)
+ S2S(PENDING_GAP_IN_BA_WINDOW)
+ S2S(REJECT_U_PID_SETTING)
+ S2S(REFUSED_EXTERNAL_REASON)
+ S2S(REFUSED_AP_OUT_OF_MEMORY)
+ S2S(REJECTED_EMERGENCY_SERVICE_NOT_SUPPORTED)
+ S2S(QUERY_RESP_OUTSTANDING)
+ S2S(REJECT_DSE_BAND)
+ S2S(TCLAS_PROCESSING_TERMINATED)
+ S2S(TS_SCHEDULE_CONFLICT)
+ S2S(DENIED_WITH_SUGGESTED_BAND_AND_CHANNEL)
+ S2S(MCCAOP_RESERVATION_CONFLICT)
+ S2S(MAF_LIMIT_EXCEEDED)
+ S2S(MCCA_TRACK_LIMIT_EXCEEDED)
+ S2S(DENIED_DUE_TO_SPECTRUM_MANAGEMENT)
+ S2S(ASSOC_DENIED_NO_VHT)
+ S2S(ENABLEMENT_DENIED)
+ S2S(RESTRICTION_FROM_AUTHORIZED_GDB)
+ S2S(AUTHORIZATION_DEENABLED)
+ S2S(FILS_AUTHENTICATION_FAILURE)
+ S2S(UNKNOWN_AUTHENTICATION_SERVER)
+ S2S(UNKNOWN_PASSWORD_IDENTIFIER)
+ }
+ return "UNKNOWN";
+#undef S2S
+}
+
+
int mb_ies_info_by_ies(struct mb_ies_info *info, const u8 *ies_buf,
size_t ies_len)
{
diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_common.h b/freebsd/contrib/wpa/src/common/ieee802_11_common.h
index d41bd39..9b045b4 100644
--- a/freebsd/contrib/wpa/src/common/ieee802_11_common.h
+++ b/freebsd/contrib/wpa/src/common/ieee802_11_common.h
@@ -94,6 +94,7 @@ struct ieee802_11_elems {
const u8 *oci;
const u8 *multi_ap;
const u8 *he_capabilities;
+ const u8 *he_operation;
u8 ssid_len;
u8 supp_rates_len;
@@ -143,6 +144,7 @@ struct ieee802_11_elems {
u8 oci_len;
u8 multi_ap_len;
u8 he_capabilities_len;
+ u8 he_operation_len;
struct mb_ies_info mb_ies;
};
@@ -185,6 +187,8 @@ int mb_ies_info_by_ies(struct mb_ies_info *info, const u8 *ies_buf,
struct wpabuf * mb_ies_by_info(struct mb_ies_info *info);
const char * fc2str(u16 fc);
+const char * reason2str(u16 reason);
+const char * status2str(u16 status);
struct oper_class_map {
enum hostapd_hw_mode mode;
diff --git a/freebsd/contrib/wpa/src/common/ieee802_11_defs.h b/freebsd/contrib/wpa/src/common/ieee802_11_defs.h
index adaa893..b0aa913 100644
--- a/freebsd/contrib/wpa/src/common/ieee802_11_defs.h
+++ b/freebsd/contrib/wpa/src/common/ieee802_11_defs.h
@@ -468,6 +468,7 @@
#define WLAN_EID_EXT_HE_CAPABILITIES 35
#define WLAN_EID_EXT_HE_OPERATION 36
#define WLAN_EID_EXT_HE_MU_EDCA_PARAMS 38
+#define WLAN_EID_EXT_SPATIAL_REUSE 39
#define WLAN_EID_EXT_OCV_OCI 54
/* Extended Capabilities field */
@@ -1274,10 +1275,12 @@ struct ieee80211_ampe_ie {
#define VHT_RX_NSS_MAX_STREAMS 8
/* VHT channel widths */
-#define VHT_CHANWIDTH_USE_HT 0
-#define VHT_CHANWIDTH_80MHZ 1
-#define VHT_CHANWIDTH_160MHZ 2
-#define VHT_CHANWIDTH_80P80MHZ 3
+#define CHANWIDTH_USE_HT 0
+#define CHANWIDTH_80MHZ 1
+#define CHANWIDTH_160MHZ 2
+#define CHANWIDTH_80P80MHZ 3
+
+#define HE_NSS_MAX_STREAMS 8
#define OUI_MICROSOFT 0x0050f2 /* Microsoft (also used in Wi-Fi specs)
* 00:50:F2 */
@@ -2091,7 +2094,7 @@ enum phy_type {
/*
* IEEE P802.11-REVmc/D5.0 Table 9-152 - HT/VHT Operation Information
* subfields.
- * Note: These definitions are not the same as other VHT_CHANWIDTH_*.
+ * Note: These definitions are not the same as other CHANWIDTH_*.
*/
enum nr_chan_width {
NR_CHAN_WIDTH_20 = 0,
@@ -2104,21 +2107,46 @@ enum nr_chan_width {
struct ieee80211_he_capabilities {
u8 he_mac_capab_info[6];
u8 he_phy_capab_info[11];
- u8 he_txrx_mcs_support[12]; /* TODO: 4, 8, or 12 octets */
- /* PPE Thresholds (optional) */
+ /* Followed by 4, 8, or 12 octets of Supported HE-MCS And NSS Set field
+ * and optional variable length PPE Thresholds field. */
+ u8 optional[];
} STRUCT_PACKED;
struct ieee80211_he_operation {
- u32 he_oper_params; /* HE Operation Parameters[3] and
- * BSS Color Information[1] */
- u8 he_mcs_nss_set[2];
+ le32 he_oper_params; /* HE Operation Parameters[3] and
+ * BSS Color Information[1] */
+ le16 he_mcs_nss_set;
u8 vht_op_info_chwidth;
u8 vht_op_info_chan_center_freq_seg0_idx;
u8 vht_op_info_chan_center_freq_seg1_idx;
/* Followed by conditional MaxBSSID Indicator subfield (u8) */
} STRUCT_PACKED;
+/*
+ * IEEE P802.11ax/D4.0, 9.4.2.246 Spatial Reuse Parameter Set element
+ */
+struct ieee80211_spatial_reuse {
+ u8 sr_ctrl; /* SR Control */
+ /* Up to 19 octets of parameters:
+ * Non-SRG OBSS PD Max Offset[0 or 1]
+ * SRG OBSS PD Min Offset[0 or 1]
+ * SRG OBSS PD Max Offset[0 or 1]
+ * SRG BSS Color Bitmap[0 or 8]
+ * SRG Partial BSSID Bitmap[0 or 8]
+ */
+ u8 params[19];
+} STRUCT_PACKED;
+
/* HE Capabilities Information defines */
+
+#define HE_PHYCAP_CHANNEL_WIDTH_SET_IDX 0
+#define HE_PHYCAP_CHANNEL_WIDTH_MASK ((u8) (BIT(1) | BIT(2) | \
+ BIT(3) | BIT(4)))
+#define HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_IN_2G ((u8) BIT(1))
+#define HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G ((u8) BIT(2))
+#define HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G ((u8) BIT(3))
+#define HE_PHYCAP_CHANNEL_WIDTH_SET_80PLUS80MHZ_IN_5G ((u8) BIT(4))
+
#define HE_PHYCAP_SU_BEAMFORMER_CAPAB_IDX 3
#define HE_PHYCAP_SU_BEAMFORMER_CAPAB ((u8) BIT(7))
#define HE_PHYCAP_SU_BEAMFORMEE_CAPAB_IDX 4
@@ -2126,23 +2154,39 @@ struct ieee80211_he_operation {
#define HE_PHYCAP_MU_BEAMFORMER_CAPAB_IDX 4
#define HE_PHYCAP_MU_BEAMFORMER_CAPAB ((u8) BIT(1))
+#define HE_PHYCAP_PPE_THRESHOLD_PRESENT_IDX 6
+#define HE_PHYCAP_PPE_THRESHOLD_PRESENT ((u8) BIT(7))
+
+/* HE PPE Threshold define */
+#define HE_PPE_THRES_RU_INDEX_BITMASK_MASK 0xf
+#define HE_PPE_THRES_RU_INDEX_BITMASK_SHIFT 3
+#define HE_PPE_THRES_NSS_MASK 0x7
+
/* HE Operation defines */
/* HE Operation Parameters and BSS Color Information fields */
-#define HE_OPERATION_BSS_COLOR_MASK ((u32) (BIT(0) | BIT(1) | \
- BIT(2) | BIT(3) | \
- BIT(4) | BIT(5)))
-#define HE_OPERATION_PARTIAL_BSS_COLOR ((u32) BIT(6))
-#define HE_OPERATION_BSS_COLOR_DISABLED ((u32) BIT(7))
-#define HE_OPERATION_DFLT_PE_DURATION_MASK ((u32) (BIT(8) | BIT(9) | \
- BIT(10)))
-#define HE_OPERATION_DFLT_PE_DURATION_OFFSET 8
-#define HE_OPERATION_TWT_REQUIRED ((u32) BIT(11))
-#define HE_OPERATION_RTS_THRESHOLD_MASK ((u32) (BIT(12) | BIT(13) | \
- BIT(14) | BIT(15) | \
- BIT(16) | BIT(17) | \
- BIT(18) | BIT(19) | \
- BIT(20) | BIT(21)))
-#define HE_OPERATION_RTS_THRESHOLD_OFFSET 12
+#define HE_OPERATION_DFLT_PE_DURATION_MASK ((u32) (BIT(0) | BIT(1) | \
+ BIT(2)))
+#define HE_OPERATION_DFLT_PE_DURATION_OFFSET 0
+#define HE_OPERATION_TWT_REQUIRED ((u32) BIT(3))
+#define HE_OPERATION_RTS_THRESHOLD_MASK ((u32) (BIT(4) | BIT(5) | \
+ BIT(6) | BIT(7) | \
+ BIT(8) | BIT(9) | \
+ BIT(10) | BIT(11) | \
+ BIT(12) | BIT(13)))
+#define HE_OPERATION_RTS_THRESHOLD_OFFSET 4
+#define HE_OPERATION_BSS_COLOR_MASK ((u32) (BIT(24) | BIT(25) | \
+ BIT(26) | BIT(27) | \
+ BIT(28) | BIT(29)))
+#define HE_OPERATION_PARTIAL_BSS_COLOR ((u32) BIT(30))
+#define HE_OPERATION_BSS_COLOR_DISABLED ((u32) BIT(31))
+#define HE_OPERATION_BSS_COLOR_OFFSET 24
+
+/* Spatial Reuse defines */
+#define SPATIAL_REUSE_SRP_DISALLOWED BIT(0)
+#define SPATIAL_REUSE_NON_SRG_OBSS_PD_SR_DISALLOWED BIT(1)
+#define SPATIAL_REUSE_NON_SRG_OFFSET_PRESENT BIT(2)
+#define SPATIAL_REUSE_SRG_INFORMATION_PRESENT BIT(3)
+#define SPATIAL_REUSE_HESIGA_SR_VAL15_ALLOWED BIT(4)
struct ieee80211_he_mu_edca_parameter_set {
u8 he_qos_info;
diff --git a/freebsd/contrib/wpa/src/common/qca-vendor.h b/freebsd/contrib/wpa/src/common/qca-vendor.h
index c34a3bc..ff8c22a 100644
--- a/freebsd/contrib/wpa/src/common/qca-vendor.h
+++ b/freebsd/contrib/wpa/src/common/qca-vendor.h
@@ -1,7 +1,7 @@
/*
* Qualcomm Atheros OUI and vendor specific assignments
* Copyright (c) 2014-2017, Qualcomm Atheros, Inc.
- * Copyright (c) 2018, The Linux Foundation
+ * Copyright (c) 2018-2019, The Linux Foundation
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -98,6 +98,9 @@ enum qca_radiotap_vendor_ids {
* which supports DFS offloading, to indicate a radar pattern has been
* detected. The channel is now unusable.
*
+ * @QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO: Get information from the driver.
+ * Attributes defined in enum qca_wlan_vendor_attr_get_wifi_info.
+ *
* @QCA_NL80211_VENDOR_SUBCMD_GET_LOGGER_FEATURE_SET: Get the feature bitmap
* based on enum wifi_logger_supported_features. Attributes defined in
* enum qca_wlan_vendor_attr_get_logger_features.
@@ -373,7 +376,9 @@ enum qca_radiotap_vendor_ids {
* @QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START: Start spectral scan. The scan
* parameters are specified by enum qca_wlan_vendor_attr_spectral_scan.
* This returns a cookie (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COOKIE)
- * identifying the operation in success case.
+ * identifying the operation in success case. In failure cases an
+ * error code (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE)
+ * describing the reason for the failure is returned.
*
* @QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_STOP: Stop spectral scan. This uses
* a cookie (%QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COOKIE) from
@@ -524,6 +529,65 @@ enum qca_radiotap_vendor_ids {
* parameters including Zigbee state and specific WLAN periods to enhance
* PTA master. All these parameters are delivered by the attributes
* defined in enum qca_mpta_helper_vendor_attr.
+ * @QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING: This sub command is used to
+ * implement Beacon frame reporting feature.
+ *
+ * Userspace can request the driver/firmware to periodically report
+ * received Beacon frames whose BSSID is same as the current connected
+ * BSS's MAC address.
+ *
+ * In case the STA seamlessly (without sending disconnect indication to
+ * userspace) roams to a different BSS, Beacon frame reporting will be
+ * automatically enabled for the Beacon frames whose BSSID is same as the
+ * MAC address of the new BSS. Beacon reporting will be stopped when the
+ * STA is disconnected (when the disconnect indication is sent to
+ * userspace) and need to be explicitly enabled by userspace for next
+ * connection.
+ *
+ * When a Beacon frame matching configured conditions is received, and if
+ * userspace has requested to send asynchronous beacon reports, the
+ * driver/firmware will encapsulate the details of the Beacon frame in an
+ * event and send it to userspace along with updating the BSS information
+ * in cfg80211 scan cache, otherwise driver will only update the cfg80211
+ * scan cache with the information from the received Beacon frame but will
+ * not send any active report to userspace.
+ *
+ * The userspace can request the driver/firmware to stop reporting Beacon
+ * frames. If the driver/firmware is not able to receive Beacon frames due
+ * to other Wi-Fi operations such as off-channel activities, etc., the
+ * driver/firmware will send a pause event to userspace and stop reporting
+ * Beacon frames. Whether the beacon reporting will be automatically
+ * resumed or not by the driver/firmware later will be reported to
+ * userspace using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES
+ * flag. The beacon reporting shall be resumed for all the cases except
+ * either when userspace sets
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_DO_NOT_RESUME flag in the command
+ * which triggered the current beacon reporting or during any disconnection
+ * case as indicated by setting
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED by the
+ * driver.
+ *
+ * After QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_PAUSE event is received
+ * by userspace with QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES
+ * flag not set, the next first
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO event from the driver
+ * shall be considered as un-pause event.
+ *
+ * All the attributes used with this command are defined in
+ * enum qca_wlan_vendor_attr_beacon_reporting_params.
+ * @QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP: In practice, some APs have
+ * interop issues with the DUT. This sub command is used to transfer the
+ * AP info between the driver and user space. This works both as a command
+ * and an event. As a command, it configures the stored list of APs from
+ * user space to firmware; as an event, it indicates the AP info detected
+ * by the firmware to user space for persistent storage. The attributes
+ * defined in enum qca_vendor_attr_interop_issues_ap are used to deliver
+ * the parameters.
+ * @QCA_NL80211_VENDOR_SUBCMD_OEM_DATA: This command is used to send OEM data
+ * binary blobs from application/service to firmware. The attributes
+ * defined in enum qca_wlan_vendor_attr_oem_data_params are used to deliver
+ * the parameters.
*/
enum qca_nl80211_vendor_subcmds {
QCA_NL80211_VENDOR_SUBCMD_UNSPEC = 0,
@@ -692,6 +756,9 @@ enum qca_nl80211_vendor_subcmds {
QCA_NL80211_VENDOR_SUBCMD_GET_FW_STATE = 177,
QCA_NL80211_VENDOR_SUBCMD_PEER_STATS_CACHE_FLUSH = 178,
QCA_NL80211_VENDOR_SUBCMD_MPTA_HELPER_CONFIG = 179,
+ QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING = 180,
+ QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP = 181,
+ QCA_NL80211_VENDOR_SUBCMD_OEM_DATA = 182,
};
enum qca_wlan_vendor_attr {
@@ -1788,6 +1855,30 @@ enum qca_wlan_vendor_attr_config {
*/
QCA_WLAN_VENDOR_ATTR_CONFIG_GTX = 57,
+ /* Attribute to configure disconnect IEs to the driver.
+ * This carries an array of unsigned 8-bit characters.
+ *
+ * If this is configured, driver shall fill the IEs in disassoc/deauth
+ * frame.
+ * These IEs are expected to be considered only for the next
+ * immediate disconnection (disassoc/deauth frame) originated by
+ * the DUT, irrespective of the entity (user space/driver/firmware)
+ * triggering the disconnection.
+ * The host drivers are not expected to use the IEs set through
+ * this interface for further disconnections after the first immediate
+ * disconnection initiated post the configuration.
+ * If the IEs are also updated through cfg80211 interface (after the
+ * enhancement to cfg80211_disconnect), host driver is expected to
+ * take the union of IEs from both of these interfaces and send in
+ * further disassoc/deauth frames.
+ */
+ QCA_WLAN_VENDOR_ATTR_DISCONNECT_IES = 58,
+
+ /* 8-bit unsigned value for ELNA bypass.
+ * 1-Enable, 0-Disable
+ */
+ QCA_WLAN_VENDOR_ATTR_CONFIG_ELNA_BYPASS = 59,
+
/* keep last */
QCA_WLAN_VENDOR_ATTR_CONFIG_AFTER_LAST,
QCA_WLAN_VENDOR_ATTR_CONFIG_MAX =
@@ -3204,11 +3295,28 @@ enum qca_vendor_attr_sar_limits {
/**
* enum qca_wlan_vendor_attr_get_wifi_info: Attributes for data used by
* QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO sub command.
+ *
+ * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_DRIVER_VERSION: In a request this attribute
+ * should be set to any U8 value to indicate that the driver version
+ * should be returned. When enabled in this manner, in a response this
+ * attribute will contain a string representation of the driver version.
+ *
+ * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_FIRMWARE_VERSION: In a request this attribute
+ * should be set to any U8 value to indicate that the firmware version
+ * should be returned. When enabled in this manner, in a response this
+ * attribute will contain a string representation of the firmware version.
+ *
+ * @QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX: In a request this attribute
+ * should be set to any U32 value to indicate that the current radio
+ * index should be returned. When enabled in this manner, in a response
+ * this attribute will contain a U32 radio index value.
+ *
*/
enum qca_wlan_vendor_attr_get_wifi_info {
QCA_WLAN_VENDOR_ATTR_WIFI_INFO_GET_INVALID = 0,
QCA_WLAN_VENDOR_ATTR_WIFI_INFO_DRIVER_VERSION = 1,
QCA_WLAN_VENDOR_ATTR_WIFI_INFO_FIRMWARE_VERSION = 2,
+ QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX = 3,
/* keep last */
QCA_WLAN_VENDOR_ATTR_WIFI_INFO_GET_AFTER_LAST,
@@ -4481,6 +4589,44 @@ enum qca_wlan_vendor_attr_spectral_scan {
* qca_wlan_vendor_attr_spectral_scan_request_type.
*/
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_REQUEST_TYPE = 23,
+ /* This specifies the frequency span over which spectral
+ * scan would be carried out. Its value depends on the
+ * value of QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE and
+ * the relation is as follows.
+ * QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL
+ * Not applicable. Spectral scan would happen in the
+ * operating span.
+ * QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE
+ * Center frequency (in MHz) of the span of interest or
+ * for convenience, center frequency (in MHz) of any channel
+ * in the span of interest. If agile spectral scan is initiated
+ * without setting a valid frequency it returns the error code
+ * (QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED).
+ * u32 attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY = 24,
+ /* Spectral scan mode. u32 attribute.
+ * It uses values defined in enum qca_wlan_vendor_spectral_scan_mode.
+ * If this attribute is not present, it is assumed to be
+ * normal mode (QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL).
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE = 25,
+ /* Spectral scan error code. u32 attribute.
+ * It uses values defined in enum
+ * qca_wlan_vendor_spectral_scan_error_code.
+ * This attribute is included only in failure scenarios.
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE = 26,
+ /* 8-bit unsigned value to enable/disable debug of the
+ * Spectral DMA ring.
+ * 1-enable, 0-disable
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_RING_DEBUG = 27,
+ /* 8-bit unsigned value to enable/disable debug of the
+ * Spectral DMA buffers.
+ * 1-enable, 0-disable
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_BUFFER_DEBUG = 28,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_AFTER_LAST,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_MAX =
@@ -4559,6 +4705,8 @@ enum qca_wlan_vendor_attr_spectral_cap {
* u8 attribute.
*/
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_DEFAULT_AGC_MAX_GAIN = 10,
+ /* Flag attribute to indicate agile spectral scan capability */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_AGILE_SPECTRAL = 11,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_AFTER_LAST,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_MAX =
@@ -4575,6 +4723,13 @@ enum qca_wlan_vendor_attr_spectral_scan_status {
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_IS_ENABLED = 1,
/* Flag attribute to indicate whether spectral scan is in progress*/
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_IS_ACTIVE = 2,
+ /* Spectral scan mode. u32 attribute.
+ * It uses values defined in enum qca_wlan_vendor_spectral_scan_mode.
+ * If this attribute is not present, normal mode
+ * (QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL is assumed to be
+ * requested.
+ */
+ QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MODE = 3,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_AFTER_LAST,
QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MAX =
@@ -4600,6 +4755,43 @@ enum qca_wlan_vendor_attr_spectral_scan_request_type {
};
/**
+ * qca_wlan_vendor_spectral_scan_mode: Attribute values for
+ * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_MODE in the vendor subcmd
+ * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START and
+ * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_STATUS_MODE in the vendor subcmd
+ * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_STATUS. This represents the
+ * spectral scan modes.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL: Normal spectral scan:
+ * spectral scan in the current operating span.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE: Agile spectral scan:
+ * spectral scan in the configured agile span.
+ */
+enum qca_wlan_vendor_spectral_scan_mode {
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_NORMAL = 0,
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_MODE_AGILE = 1,
+};
+
+/**
+ * qca_wlan_vendor_spectral_scan_error_code: Attribute values for
+ * QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_ERROR_CODE in the vendor subcmd
+ * QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_START.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_UNSUPPORTED: Changing the value
+ * of a parameter is not supported.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_MODE_UNSUPPORTED: Requested spectral scan
+ * mode is not supported.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_INVALID_VALUE: A parameter
+ * has invalid value.
+ * @QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED: A parameter
+ * is not initialized.
+ */
+enum qca_wlan_vendor_spectral_scan_error_code {
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_UNSUPPORTED = 0,
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_MODE_UNSUPPORTED = 1,
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_INVALID_VALUE = 2,
+ QCA_WLAN_VENDOR_SPECTRAL_SCAN_ERR_PARAM_NOT_INITIALIZED = 3,
+};
+
+/**
* qca_wlan_vendor_spectral_scan_cap_hw_gen: Attribute values for
* QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CAP_HW_GEN to the vendor subcmd
* QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_CAP_INFO. This represents the
@@ -6709,4 +6901,251 @@ enum qca_mpta_helper_vendor_attr {
QCA_MPTA_HELPER_VENDOR_ATTR_AFTER_LAST - 1
};
+/**
+ * enum qca_wlan_vendor_beacon_reporting_op_types - Defines different types of
+ * operations for which %QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING can be used.
+ * Will be used by %QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.
+ *
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START: Sent by userspace to the driver
+ * to request the driver to start reporting Beacon frames.
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP: Sent by userspace to the driver to
+ * request the driver to stop reporting Beacon frames.
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO: Sent by the driver to
+ * userspace to report received Beacon frames.
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE: Sent by the driver to userspace
+ * to indicate that the driver is going to pause reporting Beacon frames.
+ */
+enum qca_wlan_vendor_beacon_reporting_op_types {
+ QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START = 0,
+ QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP = 1,
+ QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO = 2,
+ QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE = 3,
+};
+
+/**
+ * enum qca_wlan_vendor_beacon_reporting_pause_reasons - Defines different types
+ * of reasons for which the driver is pausing reporting Beacon frames. Will be
+ * used by %QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON.
+ *
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_UNSPECIFIED: For unspecified
+ * reasons.
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_SCAN_STARTED: When the
+ * driver/firmware is starting a scan.
+ * @QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED: When the
+ * driver/firmware disconnects from the ESS and indicates the disconnection to
+ * userspace (non-seamless roaming case). This reason code will be used by the
+ * driver/firmware to indicate stopping of beacon report events. Userspace will
+ * need to start beacon reporting again (if desired) by sending vendor command
+ * QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING with
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START after the next connection is
+ * completed.
+ */
+enum qca_wlan_vendor_beacon_reporting_pause_reasons {
+ QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_UNSPECIFIED = 0,
+ QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_SCAN_STARTED = 1,
+ QCA_WLAN_VENDOR_BEACON_REPORTING_PAUSE_REASON_DISCONNECTED = 2,
+};
+
+/*
+ * enum qca_wlan_vendor_attr_beacon_reporting_params - List of attributes used
+ * in vendor sub-command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING.
+ */
+enum qca_wlan_vendor_attr_beacon_reporting_params {
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_INVALID = 0,
+ /* Specifies the type of operation that the vendor command/event is
+ * intended for. Possible values for this attribute are defined in
+ * enum qca_wlan_vendor_beacon_reporting_op_types. u32 attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE = 1,
+ /* Optionally set by userspace to request the driver to report Beacon
+ * frames using asynchronous vendor events when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START. NLA_FLAG attribute.
+ * If this flag is not set, the driver will only update Beacon frames in
+ * cfg80211 scan cache but not send any vendor events.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_ACTIVE_REPORTING = 2,
+ /* Optionally used by userspace to request the driver/firmware to report
+ * Beacon frames periodically when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START.
+ * u32 attribute, indicates the period of Beacon frames to be reported
+ * and in the units of beacon interval.
+ * If this attribute is missing in the command, then the default value
+ * of 1 will be assumed by driver, i.e., to report every Beacon frame.
+ * Zero is an invalid value.
+ * If a valid value is received for this attribute, the driver will
+ * update the cfg80211 scan cache periodically as per the value received
+ * in this attribute in addition to updating the cfg80211 scan cache
+ * when there is significant change in Beacon frame IEs.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PERIOD = 3,
+ /* Used by the driver to encapsulate the SSID when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO.
+ * u8 array with a maximum size of 32.
+ *
+ * When generating beacon report from non-MBSSID Beacon frame, the SSID
+ * will be taken from the SSID element of the received Beacon frame.
+ *
+ * When generating beacon report from Multiple BSSID Beacon frame and if
+ * the BSSID of the current connected BSS matches the BSSID of the
+ * transmitting BSS, the SSID will be taken from the SSID element of the
+ * received Beacon frame.
+ *
+ * When generating beacon report from Multiple BSSID Beacon frame and if
+ * the BSSID of the current connected BSS matches the BSSID of one of
+ * the* nontransmitting BSSs, the SSID will be taken from the SSID field
+ * included in the nontransmitted BSS profile whose derived BSSID is
+ * same as the BSSID of the current connected BSS. When there is no
+ * nontransmitted BSS profile whose derived BSSID is same as the BSSID
+ * of current connected* BSS, this attribute will not be present.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_SSID = 4,
+ /* Used by the driver to encapsulate the BSSID of the AP to which STA is
+ * currently connected to when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u8 array with a
+ * fixed size of 6 bytes.
+ *
+ * When generating beacon report from a Multiple BSSID beacon and the
+ * current connected BSSID matches one of the nontransmitted BSSIDs in a
+ * Multiple BSSID set, this BSSID will be that particular nontransmitted
+ * BSSID and not the transmitted BSSID (i.e., the transmitting address
+ * of the Beacon frame).
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BSSID = 5,
+ /* Used by the driver to encapsulate the frequency in MHz on which
+ * the Beacon frame was received when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is
+ * set to QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO.
+ * u32 attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_FREQ = 6,
+ /* Used by the driver to encapsulate the Beacon interval
+ * when the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO.
+ * u16 attribute. The value will be copied from the Beacon frame and the
+ * units are TUs.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BI = 7,
+ /* Used by the driver to encapsulate the Timestamp field from the Beacon
+ * frame when the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set
+ * to QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO.
+ * u64 attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_TSF = 8,
+ /* Used by the driver to encapsulate the CLOCK_BOOTTIME when this
+ * Beacon frame is received in the driver when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u64 attribute, in
+ * the units of nanoseconds. This value is expected to have accuracy of
+ * about 10 ms.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_BOOTTIME_WHEN_RECEIVED = 9,
+ /* Used by the driver to encapsulate the IEs of the Beacon frame from
+ * which this event is generated when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_BEACON_INFO. u8 array.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_IES = 10,
+ /* Used by the driver to specify the reason for the driver/firmware to
+ * pause sending beacons to userspace when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE. Possible values are
+ * defined in enum qca_wlan_vendor_beacon_reporting_pause_reasons, u32
+ * attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_PAUSE_REASON = 11,
+ /* Used by the driver to specify whether the driver will automatically
+ * resume reporting beacon events to userspace later (for example after
+ * the ongoing off-channel activity is completed etc.) when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE. NLA_FLAG attribute.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES = 12,
+ /* Optionally set by userspace to request the driver not to resume
+ * beacon reporting after a pause is completed, when the
+ * QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE is set to
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START. NLA_FLAG attribute.
+ * If this flag is set, the driver will not resume beacon reporting
+ * after any pause in beacon reporting is completed. Userspace has to
+ * send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START command again in order
+ * to initiate beacon reporting again. If this flag is set in the recent
+ * QCA_WLAN_VENDOR_BEACON_REPORTING_OP_START command, then in the
+ * subsequent QCA_WLAN_VENDOR_BEACON_REPORTING_OP_PAUSE event (if any)
+ * the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES shall not be
+ * set by the driver. Setting this flag until and unless there is a
+ * specific need is not recommended as there is a chance of some beacons
+ * received after pause command and next start command being not
+ * reported.
+ */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_DO_NOT_RESUME = 13,
+
+ /* Keep last */
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_LAST,
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_MAX =
+ QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_LAST - 1
+};
+
+/**
+ * enum qca_vendor_interop_issues_ap_type - Interop issue types
+ * This enum defines the valid set of values of interop issue types. These
+ * values are used by attribute %QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE.
+ *
+ * @QCA_VENDOR_INTEROP_ISSUES_AP_ON_STA_PS: The AP has power save interop issue
+ * when the STA's Qpower feature is enabled.
+ */
+enum qca_vendor_interop_issues_ap_type {
+ QCA_VENDOR_INTEROP_ISSUES_AP_INVALID = 0,
+ QCA_VENDOR_INTEROP_ISSUES_AP_ON_STA_PS = 1,
+};
+
+/**
+ * enum qca_vendor_attr_interop_issues_ap - attribute for AP with interop issues
+ * Values are used by %QCA_NL80211_VENDOR_SUBCMD_INTEROP_ISSUES_AP.
+ *
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_INVALID: Invalid value
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE: Interop issue type
+ * 32-bit unsigned value. The values defined in enum
+ * qca_vendor_interop_issues_ap_type are used.
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST: APs' BSSID container
+ * array of nested QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID attributes.
+ * It is present and mandatory for the command but is not used for the event
+ * since only a single BSSID is reported in an event.
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID: AP's BSSID 6-byte MAC address.
+ * It is used within the nested QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST
+ * attribute in command case and without such encapsulation in the event case.
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST: last value
+ * @QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_MAX: max value
+ */
+enum qca_vendor_attr_interop_issues_ap {
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_INVALID,
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_TYPE,
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_LIST,
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_BSSID,
+ /* keep last */
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST,
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_MAX =
+ QCA_WLAN_VENDOR_ATTR_INTEROP_ISSUES_AP_AFTER_LAST - 1
+};
+
+/*
+ * enum qca_wlan_vendor_attr_oem_data_params - Used by the vendor command
+ * QCA_NL80211_VENDOR_SUBCMD_OEM_DATA.
+ *
+ * @QCA_WLAN_VENDOR_ATTR_OEM_DATA_CMD_DATA: The binary blob for the vendor
+ * command QCA_NL80211_VENDOR_SUBCMD_OEM_DATA are carried through this attribute.
+ * NLA_BINARY attribute, the max size is 1024 bytes.
+ */
+enum qca_wlan_vendor_attr_oem_data_params {
+ QCA_WLAN_VENDOR_ATTR_OEM_DATA_INVALID = 0,
+ QCA_WLAN_VENDOR_ATTR_OEM_DATA_CMD_DATA = 1,
+
+ /* keep last */
+ QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_AFTER_LAST,
+ QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_MAX =
+ QCA_WLAN_VENDOR_ATTR_OEM_DATA_PARAMS_AFTER_LAST - 1
+};
#endif /* QCA_VENDOR_H */
diff --git a/freebsd/contrib/wpa/src/common/sae.h b/freebsd/contrib/wpa/src/common/sae.h
index 3eb6e32..10f9302 100644
--- a/freebsd/contrib/wpa/src/common/sae.h
+++ b/freebsd/contrib/wpa/src/common/sae.h
@@ -33,6 +33,7 @@ struct sae_temporary_data {
struct crypto_bignum *sae_rand;
struct crypto_ec *ec;
int prime_len;
+ int order_len;
const struct dh_group *dh;
const struct crypto_bignum *prime;
const struct crypto_bignum *order;
diff --git a/freebsd/contrib/wpa/src/common/version.h b/freebsd/contrib/wpa/src/common/version.h
index 06fc5e4..c2a3a80 100644
--- a/freebsd/contrib/wpa/src/common/version.h
+++ b/freebsd/contrib/wpa/src/common/version.h
@@ -9,6 +9,6 @@
#define GIT_VERSION_STR_POSTFIX ""
#endif /* GIT_VERSION_STR_POSTFIX */
-#define VERSION_STR "2.8" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
+#define VERSION_STR "2.9" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
#endif /* VERSION_H */
diff --git a/freebsd/contrib/wpa/src/common/wpa_common.c b/freebsd/contrib/wpa/src/common/wpa_common.c
index b2b5879..6fcbf20 100644
--- a/freebsd/contrib/wpa/src/common/wpa_common.c
+++ b/freebsd/contrib/wpa/src/common/wpa_common.c
@@ -2077,6 +2077,16 @@ u32 wpa_akm_to_suite(int akm)
return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
+ if (akm & WPA_KEY_MGMT_SAE)
+ return RSN_AUTH_KEY_MGMT_SAE;
+ if (akm & WPA_KEY_MGMT_FT_SAE)
+ return RSN_AUTH_KEY_MGMT_FT_SAE;
+ if (akm & WPA_KEY_MGMT_OWE)
+ return RSN_AUTH_KEY_MGMT_OWE;
+ if (akm & WPA_KEY_MGMT_DPP)
+ return RSN_AUTH_KEY_MGMT_DPP;
+ if (akm & WPA_KEY_MGMT_OSEN)
+ return RSN_AUTH_KEY_MGMT_OSEN;
return 0;
}
diff --git a/freebsd/contrib/wpa/src/common/wpa_ctrl.h b/freebsd/contrib/wpa/src/common/wpa_ctrl.h
index f65077e..b24ae63 100644
--- a/freebsd/contrib/wpa/src/common/wpa_ctrl.h
+++ b/freebsd/contrib/wpa/src/common/wpa_ctrl.h
@@ -87,6 +87,9 @@ extern "C" {
#define WPA_EVENT_BEACON_LOSS "CTRL-EVENT-BEACON-LOSS "
/** Regulatory domain channel */
#define WPA_EVENT_REGDOM_CHANGE "CTRL-EVENT-REGDOM-CHANGE "
+/** Channel switch started (followed by freq=<MHz> and other channel parameters)
+ */
+#define WPA_EVENT_CHANNEL_SWITCH_STARTED "CTRL-EVENT-STARTED-CHANNEL-SWITCH "
/** Channel switch (followed by freq=<MHz> and other channel parameters) */
#define WPA_EVENT_CHANNEL_SWITCH "CTRL-EVENT-CHANNEL-SWITCH "
/** SAE authentication failed due to unknown password identifier */
diff --git a/freebsd/contrib/wpa/src/crypto/crypto.h b/freebsd/contrib/wpa/src/crypto/crypto.h
index 12109ce..15f8ad0 100644
--- a/freebsd/contrib/wpa/src/crypto/crypto.h
+++ b/freebsd/contrib/wpa/src/crypto/crypto.h
@@ -645,13 +645,6 @@ int crypto_bignum_cmp(const struct crypto_bignum *a,
const struct crypto_bignum *b);
/**
- * crypto_bignum_bits - Get size of a bignum in bits
- * @a: Bignum
- * Returns: Number of bits in the bignum
- */
-int crypto_bignum_bits(const struct crypto_bignum *a);
-
-/**
* crypto_bignum_is_zero - Is the given bignum zero
* @a: Bignum
* Returns: 1 if @a is zero or 0 if not
diff --git a/freebsd/contrib/wpa/src/crypto/crypto_openssl.c b/freebsd/contrib/wpa/src/crypto/crypto_openssl.c
index 5b4c41a..d801402 100644
--- a/freebsd/contrib/wpa/src/crypto/crypto_openssl.c
+++ b/freebsd/contrib/wpa/src/crypto/crypto_openssl.c
@@ -572,8 +572,8 @@ int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
failed = !q || !ctx || !tmp ||
!BN_mod_exp(tmp, pub, q, p, ctx) ||
!BN_is_one(tmp);
- BN_clear(q);
- BN_clear(tmp);
+ BN_clear_free(q);
+ BN_clear_free(tmp);
BN_CTX_free(ctx);
if (failed)
goto fail;
@@ -582,8 +582,8 @@ int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
prime, prime_len, secret, len);
fail:
- BN_clear(pub);
- BN_clear(p);
+ BN_clear_free(pub);
+ BN_clear_free(p);
return res;
}
@@ -1305,6 +1305,18 @@ int crypto_bignum_to_bin(const struct crypto_bignum *a,
if (padlen > buflen)
return -1;
+ if (padlen) {
+#ifdef OPENSSL_IS_BORINGSSL
+ if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
+ return -1;
+ return padlen;
+#else /* OPENSSL_IS_BORINGSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
+#endif
+#endif
+ }
+
num_bytes = BN_num_bytes((const BIGNUM *) a);
if ((size_t) num_bytes > buflen)
return -1;
@@ -1478,12 +1490,6 @@ int crypto_bignum_cmp(const struct crypto_bignum *a,
}
-int crypto_bignum_bits(const struct crypto_bignum *a)
-{
- return BN_num_bits((const BIGNUM *) a);
-}
-
-
int crypto_bignum_is_zero(const struct crypto_bignum *a)
{
return BN_is_zero((const BIGNUM *) a);
@@ -1872,7 +1878,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
{
struct crypto_ecdh *ecdh;
EVP_PKEY *params = NULL;
- EC_KEY *ec_params;
+ EC_KEY *ec_params = NULL;
EVP_PKEY_CTX *kctx = NULL;
ecdh = os_zalloc(sizeof(*ecdh));
@@ -1915,6 +1921,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
}
done:
+ EC_KEY_free(ec_params);
EVP_PKEY_free(params);
EVP_PKEY_CTX_free(kctx);
@@ -2054,13 +2061,17 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
secret = wpabuf_alloc(secret_len);
if (!secret)
goto fail;
- if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len),
- &secret_len) != 1) {
+ if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EVP_PKEY_derive(2) failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
+ if (secret->size != secret_len)
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
+ (int) secret->size, (int) secret_len);
+ wpabuf_put(secret, secret_len);
done:
BN_free(x);
diff --git a/freebsd/contrib/wpa/src/crypto/sha1-prf.c b/freebsd/contrib/wpa/src/crypto/sha1-prf.c
index 004260d..0351a39 100644
--- a/freebsd/contrib/wpa/src/crypto/sha1-prf.c
+++ b/freebsd/contrib/wpa/src/crypto/sha1-prf.c
@@ -63,7 +63,7 @@ int sha1_prf(const u8 *key, size_t key_len, const char *label,
}
counter++;
}
- os_memset(hash, 0, sizeof(hash));
+ forced_memzero(hash, sizeof(hash));
return 0;
}
diff --git a/freebsd/contrib/wpa/src/crypto/sha1.c b/freebsd/contrib/wpa/src/crypto/sha1.c
index de751fb..7916c56 100644
--- a/freebsd/contrib/wpa/src/crypto/sha1.c
+++ b/freebsd/contrib/wpa/src/crypto/sha1.c
@@ -88,7 +88,8 @@ int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
_addr[1] = mac;
_len[1] = SHA1_MAC_LEN;
ret = sha1_vector(2, _addr, _len, mac);
- os_memset(k_pad, 0, sizeof(k_pad));
+ forced_memzero(k_pad, sizeof(k_pad));
+ forced_memzero(tk, sizeof(tk));
return ret;
}
diff --git a/freebsd/contrib/wpa/src/crypto/sha256-prf.c b/freebsd/contrib/wpa/src/crypto/sha256-prf.c
index e2150e2..aa8d09f 100644
--- a/freebsd/contrib/wpa/src/crypto/sha256-prf.c
+++ b/freebsd/contrib/wpa/src/crypto/sha256-prf.c
@@ -104,7 +104,7 @@ int sha256_prf_bits(const u8 *key, size_t key_len, const char *label,
buf[pos - 1] &= mask;
}
- os_memset(hash, 0, sizeof(hash));
+ forced_memzero(hash, sizeof(hash));
return 0;
}
diff --git a/freebsd/contrib/wpa/src/crypto/sha256.h b/freebsd/contrib/wpa/src/crypto/sha256.h
index 5219022..8054bbe 100644
--- a/freebsd/contrib/wpa/src/crypto/sha256.h
+++ b/freebsd/contrib/wpa/src/crypto/sha256.h
@@ -20,9 +20,9 @@ int sha256_prf(const u8 *key, size_t key_len, const char *label,
int sha256_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits);
-void tls_prf_sha256(const u8 *secret, size_t secret_len,
- const char *label, const u8 *seed, size_t seed_len,
- u8 *out, size_t outlen);
+int tls_prf_sha256(const u8 *secret, size_t secret_len,
+ const char *label, const u8 *seed, size_t seed_len,
+ u8 *out, size_t outlen);
int hmac_sha256_kdf(const u8 *secret, size_t secret_len,
const char *label, const u8 *seed, size_t seed_len,
u8 *out, size_t outlen);
diff --git a/freebsd/contrib/wpa/src/crypto/tls.h b/freebsd/contrib/wpa/src/crypto/tls.h
index 8bdb91f..c8b1a82 100644
--- a/freebsd/contrib/wpa/src/crypto/tls.h
+++ b/freebsd/contrib/wpa/src/crypto/tls.h
@@ -48,6 +48,18 @@ enum tls_fail_reason {
#define TLS_MAX_ALT_SUBJECT 10
+struct tls_cert_data {
+ int depth;
+ const char *subject;
+ const struct wpabuf *cert;
+ const u8 *hash;
+ size_t hash_len;
+ const char *altsubject[TLS_MAX_ALT_SUBJECT];
+ int num_altsubject;
+ const char *serial_num;
+ int tod;
+};
+
union tls_event_data {
struct {
int depth;
@@ -57,16 +69,7 @@ union tls_event_data {
const struct wpabuf *cert;
} cert_fail;
- struct {
- int depth;
- const char *subject;
- const struct wpabuf *cert;
- const u8 *hash;
- size_t hash_len;
- const char *altsubject[TLS_MAX_ALT_SUBJECT];
- int num_altsubject;
- const char *serial_num;
- } peer_cert;
+ struct tls_cert_data peer_cert;
struct {
int is_local;
@@ -108,6 +111,7 @@ struct tls_config {
#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+#define TLS_CONN_TEAP_ANON_DH BIT(17)
/**
* struct tls_connection_params - Parameters for TLS connection
@@ -184,12 +188,15 @@ struct tls_connection_params {
const char *suffix_match;
const char *domain_match;
const char *client_cert;
+ const char *client_cert2;
const u8 *client_cert_blob;
size_t client_cert_blob_len;
const char *private_key;
+ const char *private_key2;
const u8 *private_key_blob;
size_t private_key_blob_len;
const char *private_key_passwd;
+ const char *private_key_passwd2;
const char *dh_file;
const u8 *dh_blob;
size_t dh_blob_len;
@@ -643,4 +650,24 @@ tls_connection_get_success_data(struct tls_connection *conn);
void tls_connection_remove_session(struct tls_connection *conn);
+/**
+ * tls_get_tls_unique - Fetch "tls-unique" for channel binding
+ * @conn: Connection context data from tls_connection_init()
+ * @buf: Buffer for returning the value
+ * @max_len: Maximum length of the buffer in bytes
+ * Returns: Number of bytes written to buf or -1 on error
+ *
+ * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which
+ * is the first TLS Finished message sent in the most recent TLS handshake of
+ * the TLS connection.
+ */
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len);
+
+/**
+ * tls_connection_get_cipher_suite - Get current TLS cipher suite
+ * @conn: Connection context data from tls_connection_init()
+ * Returns: TLS cipher suite of the current connection or 0 on error
+ */
+u16 tls_connection_get_cipher_suite(struct tls_connection *conn);
+
#endif /* TLS_H */
diff --git a/freebsd/contrib/wpa/src/drivers/driver.h b/freebsd/contrib/wpa/src/drivers/driver.h
index e7c8f31..2a8459a 100644
--- a/freebsd/contrib/wpa/src/drivers/driver.h
+++ b/freebsd/contrib/wpa/src/drivers/driver.h
@@ -102,6 +102,20 @@ enum reg_type {
};
/**
+ * struct hostapd_wmm_rule - WMM regulatory rule
+ * @min_cwmin: Lower bound of CW_min value
+ * @min_cwmax: Lower bound of CW_max value
+ * @min_aifs: Lower bound of AIFS value
+ * @max_txop: Upper bound of TXOP, value in units of 32 usec
+ */
+struct hostapd_wmm_rule {
+ int min_cwmin;
+ int min_cwmax;
+ int min_aifs;
+ int max_txop;
+};
+
+/**
* struct hostapd_channel_data - Channel information
*/
struct hostapd_channel_data {
@@ -156,34 +170,48 @@ struct hostapd_channel_data {
* dfs_cac_ms - DFS CAC time in milliseconds
*/
unsigned int dfs_cac_ms;
-};
-#define HE_MAX_NUM_SS 8
-#define HE_MAX_PHY_CAPAB_SIZE 3
+ /**
+ * wmm_rules_valid - Indicates wmm_rules state
+ */
+ int wmm_rules_valid;
-/**
- * struct he_ppe_threshold - IEEE 802.11ax HE PPE Threshold
- */
-struct he_ppe_threshold {
- u32 numss_m1;
- u32 ru_count;
- u32 ppet16_ppet8_ru3_ru0[HE_MAX_NUM_SS];
+ /**
+ * wmm_rules - WMM regulatory rules
+ */
+ struct hostapd_wmm_rule wmm_rules[WMM_AC_NUM];
};
+#define HE_MAX_MAC_CAPAB_SIZE 6
+#define HE_MAX_PHY_CAPAB_SIZE 11
+#define HE_MAX_MCS_CAPAB_SIZE 12
+#define HE_MAX_PPET_CAPAB_SIZE 25
+
/**
* struct he_capabilities - IEEE 802.11ax HE capabilities
*/
struct he_capabilities {
u8 he_supported;
- u32 phy_cap[HE_MAX_PHY_CAPAB_SIZE];
- u32 mac_cap;
- u32 mcs;
- struct he_ppe_threshold ppet;
+ u8 phy_cap[HE_MAX_PHY_CAPAB_SIZE];
+ u8 mac_cap[HE_MAX_MAC_CAPAB_SIZE];
+ u8 mcs[HE_MAX_MCS_CAPAB_SIZE];
+ u8 ppet[HE_MAX_PPET_CAPAB_SIZE];
};
#define HOSTAPD_MODE_FLAG_HT_INFO_KNOWN BIT(0)
#define HOSTAPD_MODE_FLAG_VHT_INFO_KNOWN BIT(1)
+
+enum ieee80211_op_mode {
+ IEEE80211_MODE_INFRA = 0,
+ IEEE80211_MODE_IBSS = 1,
+ IEEE80211_MODE_AP = 2,
+ IEEE80211_MODE_MESH = 5,
+
+ /* only add new entries before IEEE80211_MODE_NUM */
+ IEEE80211_MODE_NUM
+};
+
/**
* struct hostapd_hw_modes - Supported hardware mode information
*/
@@ -243,15 +271,10 @@ struct hostapd_hw_modes {
/**
* he_capab - HE (IEEE 802.11ax) capabilities
*/
- struct he_capabilities he_capab;
+ struct he_capabilities he_capab[IEEE80211_MODE_NUM];
};
-#define IEEE80211_MODE_INFRA 0
-#define IEEE80211_MODE_IBSS 1
-#define IEEE80211_MODE_AP 2
-#define IEEE80211_MODE_MESH 5
-
#define IEEE80211_CAP_ESS 0x0001
#define IEEE80211_CAP_IBSS 0x0002
#define IEEE80211_CAP_PRIVACY 0x0010
@@ -699,6 +722,11 @@ struct hostapd_freq_params {
int vht_enabled;
/**
+ * he_enabled - Whether HE is enabled
+ */
+ int he_enabled;
+
+ /**
* center_freq1 - Segment 0 center frequency in MHz
*
* Valid for both HT and VHT.
@@ -1046,6 +1074,14 @@ struct wpa_driver_associate_params {
int req_key_mgmt_offload;
/**
+ * req_handshake_offload - Request EAPOL handshake offload
+ *
+ * Request EAPOL handshake offload for this connection if the device
+ * supports it.
+ */
+ int req_handshake_offload;
+
+ /**
* Flag for indicating whether this association includes support for
* RRM (Radio Resource Measurements)
*/
@@ -1122,6 +1158,11 @@ enum hide_ssid {
HIDDEN_SSID_ZERO_CONTENTS
};
+enum ch_switch_state {
+ CH_SW_STARTED,
+ CH_SW_FINISHED
+};
+
struct wowlan_triggers {
u8 any;
u8 disconnect;
@@ -1752,6 +1793,7 @@ struct hostapd_data;
struct hostap_sta_driver_data {
unsigned long rx_packets, tx_packets;
unsigned long long rx_bytes, tx_bytes;
+ unsigned long long rx_airtime, tx_airtime;
int bytes_64bit; /* whether 64-bit byte counters are supported */
unsigned long current_tx_rate;
unsigned long current_rx_rate;
@@ -1761,6 +1803,8 @@ struct hostap_sta_driver_data {
unsigned long tx_retry_failed;
unsigned long tx_retry_count;
s8 last_ack_rssi;
+ unsigned long backlog_packets;
+ unsigned long backlog_bytes;
s8 signal;
u8 rx_vhtmcs;
u8 tx_vhtmcs;
@@ -1781,6 +1825,8 @@ struct hostapd_sta_add_params {
const struct ieee80211_vht_capabilities *vht_capabilities;
int vht_opmode_enabled;
u8 vht_opmode;
+ const struct ieee80211_he_capabilities *he_capab;
+ size_t he_capab_len;
u32 flags; /* bitmask of WPA_STA_* flags */
u32 flags_mask; /* unset bits in flags */
#ifdef CONFIG_MESH
@@ -2337,7 +2383,7 @@ struct wpa_driver_ops {
*
* Returns: 0 on success, -1 on failure
*/
- int (*deauthenticate)(void *priv, const u8 *addr, int reason_code);
+ int (*deauthenticate)(void *priv, const u8 *addr, u16 reason_code);
/**
* associate - Request driver to associate
@@ -2806,7 +2852,7 @@ struct wpa_driver_ops {
* a Deauthentication frame to be sent to it.
*/
int (*sta_deauth)(void *priv, const u8 *own_addr, const u8 *addr,
- int reason);
+ u16 reason);
/**
* sta_disassoc - Disassociate a station (AP only)
@@ -2820,7 +2866,7 @@ struct wpa_driver_ops {
* a Disassociation frame to be sent to it.
*/
int (*sta_disassoc)(void *priv, const u8 *own_addr, const u8 *addr,
- int reason);
+ u16 reason);
/**
* sta_remove - Remove a station entry (AP only)
@@ -2938,6 +2984,16 @@ struct wpa_driver_ops {
unsigned int flags_and);
/**
+ * sta_set_airtime_weight - Set station airtime weight (AP only)
+ * @priv: Private driver interface data
+ * @addr: Station address
+ * @weight: New weight for station airtime assignment
+ * Returns: 0 on success, -1 on failure
+ */
+ int (*sta_set_airtime_weight)(void *priv, const u8 *addr,
+ unsigned int weight);
+
+ /**
* set_tx_queue_params - Set TX queue parameters
* @priv: Private driver interface data
* @queue: Queue number (0 = VO, 1 = VI, 2 = BE, 3 = BK)
@@ -3975,6 +4031,18 @@ struct wpa_driver_ops {
int (*leave_mesh)(void *priv);
/**
+ * probe_mesh_link - Inject a frame over direct mesh link to a given
+ * peer skipping the next_hop lookup from mpath table.
+ * @priv: Private driver interface data
+ * @addr: Peer MAC address
+ * @eth: Ethernet frame to be sent
+ * @len: Ethernet frame lengtn in bytes
+ * Returns 0 on success, -1 on failure
+ */
+ int (*probe_mesh_link)(void *priv, const u8 *addr, const u8 *eth,
+ size_t len);
+
+ /**
* do_acs - Automatically select channel
* @priv: Private driver interface data
* @params: Parameters for ACS
@@ -4167,6 +4235,21 @@ struct wpa_driver_ops {
* Returns: 0 on success, < 0 on failure
*/
int (*set_4addr_mode)(void *priv, const char *bridge_ifname, int val);
+
+ /**
+ * update_dh_ie - Update DH IE
+ * @priv: Private driver interface data
+ * @peer_mac: Peer MAC address
+ * @reason_code: Reacon code
+ * @ie: DH IE
+ * @ie_len: DH IE length in bytes
+ * Returns: 0 on success, -1 on failure
+ *
+ * This callback is used to let the driver know the DH processing result
+ * and DH IE for a pending association.
+ */
+ int (*update_dh_ie)(void *priv, const u8 *peer_mac, u16 reason_code,
+ const u8 *ie, size_t ie_len);
};
/**
@@ -4541,6 +4624,15 @@ enum wpa_event_type {
EVENT_CH_SWITCH,
/**
+ * EVENT_CH_SWITCH_STARTED - AP or GO started to switch channels
+ *
+ * This is a pre-switch event indicating the shortly following switch
+ * of operating channels.
+ *
+ * Described in wpa_event_data.ch_switch
+ */
+ EVENT_CH_SWITCH_STARTED,
+ /**
* EVENT_WNM - Request WNM operation
*
* This event can be used to request a WNM operation to be performed.
@@ -4703,6 +4795,11 @@ enum wpa_event_type {
* This event is emitted when an interface is added/removed for WDS STA.
*/
EVENT_WDS_STA_INTERFACE_STATUS,
+
+ /**
+ * EVENT_UPDATE_DH - Notification of updated DH information
+ */
+ EVENT_UPDATE_DH,
};
@@ -5536,6 +5633,15 @@ union wpa_event_data {
INTERFACE_REMOVED
} istatus;
} wds_sta_interface;
+
+ /**
+ * struct update_dh - Data for EVENT_UPDATE_DH
+ */
+ struct update_dh {
+ const u8 *peer;
+ const u8 *ie;
+ size_t ie_len;
+ } update_dh;
};
/**
diff --git a/freebsd/contrib/wpa/src/drivers/driver_bsd.c b/freebsd/contrib/wpa/src/drivers/driver_bsd.c
index 3ef49fd..213c52e 100644
--- a/freebsd/contrib/wpa/src/drivers/driver_bsd.c
+++ b/freebsd/contrib/wpa/src/drivers/driver_bsd.c
@@ -664,7 +664,7 @@ rtbuf_len(void)
#undef WPA_OUI_TYPE
static int bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr,
- int reason_code);
+ u16 reason_code);
static const char *
ether_sprintf(const u8 *addr)
@@ -756,7 +756,7 @@ bsd_read_sta_driver_data(void *priv, struct hostap_sta_driver_data *data,
}
static int
-bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, int reason_code)
+bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, u16 reason_code)
{
return bsd_send_mlme_param(priv, IEEE80211_MLME_DEAUTH, reason_code,
addr);
@@ -764,7 +764,7 @@ bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr, int reason_code)
static int
bsd_sta_disassoc(void *priv, const u8 *own_addr, const u8 *addr,
- int reason_code)
+ u16 reason_code)
{
return bsd_send_mlme_param(priv, IEEE80211_MLME_DISASSOC, reason_code,
addr);
@@ -1027,7 +1027,7 @@ wpa_driver_bsd_set_drop_unencrypted(void *priv, int enabled)
}
static int
-wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, int reason_code)
+wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, u16 reason_code)
{
return bsd_send_mlme_param(priv, IEEE80211_MLME_DEAUTH, reason_code,
addr);
diff --git a/freebsd/contrib/wpa/src/drivers/driver_common.c b/freebsd/contrib/wpa/src/drivers/driver_common.c
index be9ff3f..672f022 100644
--- a/freebsd/contrib/wpa/src/drivers/driver_common.c
+++ b/freebsd/contrib/wpa/src/drivers/driver_common.c
@@ -69,6 +69,7 @@ const char * event_to_string(enum wpa_event_type event)
E2S(DRIVER_CLIENT_POLL_OK);
E2S(EAPOL_TX_STATUS);
E2S(CH_SWITCH);
+ E2S(CH_SWITCH_STARTED);
E2S(WNM);
E2S(CONNECT_FAILED_REASON);
E2S(DFS_RADAR_DETECTED);
@@ -89,6 +90,7 @@ const char * event_to_string(enum wpa_event_type event)
E2S(STATION_OPMODE_CHANGED);
E2S(INTERFACE_MAC_CHANGED);
E2S(WDS_STA_INTERFACE_STATUS);
+ E2S(UPDATE_DH);
}
return "UNKNOWN";
diff --git a/freebsd/contrib/wpa/src/drivers/driver_ndis.c b/freebsd/contrib/wpa/src/drivers/driver_ndis.c
index 7e0db26..a04604c 100644
--- a/freebsd/contrib/wpa/src/drivers/driver_ndis.c
+++ b/freebsd/contrib/wpa/src/drivers/driver_ndis.c
@@ -722,7 +722,7 @@ static int wpa_driver_ndis_disconnect(struct wpa_driver_ndis_data *drv)
static int wpa_driver_ndis_deauthenticate(void *priv, const u8 *addr,
- int reason_code)
+ u16 reason_code)
{
struct wpa_driver_ndis_data *drv = priv;
return wpa_driver_ndis_disconnect(drv);
diff --git a/freebsd/contrib/wpa/src/drivers/driver_nl80211.h b/freebsd/contrib/wpa/src/drivers/driver_nl80211.h
index 1e7fe7a..7498269 100644
--- a/freebsd/contrib/wpa/src/drivers/driver_nl80211.h
+++ b/freebsd/contrib/wpa/src/drivers/driver_nl80211.h
@@ -83,6 +83,12 @@ struct i802_bss {
u8 rand_addr[ETH_ALEN];
};
+struct drv_nl80211_if_info {
+ int ifindex;
+ /* the AP/AP_VLAN iface that is in this bridge */
+ int reason;
+};
+
struct wpa_driver_nl80211_data {
struct nl80211_global *global;
struct dl_list list;
@@ -163,7 +169,6 @@ struct wpa_driver_nl80211_data {
unsigned int scan_vendor_cmd_avail:1;
unsigned int connect_reassoc:1;
unsigned int set_wifi_conf_vendor_cmd_avail:1;
- unsigned int he_capab_vendor_cmd_avail:1;
unsigned int fetch_bss_trans_status:1;
unsigned int roam_vendor_cmd_avail:1;
unsigned int get_supported_akm_suites_avail:1;
@@ -188,11 +193,8 @@ struct wpa_driver_nl80211_data {
struct nl_handle *rtnl_sk; /* nl_sock for NETLINK_ROUTE */
- int default_if_indices[16];
- /* the AP/AP_VLAN iface that is in this bridge */
- int default_if_indices_reason[16];
- int *if_indices;
- int *if_indices_reason;
+ struct drv_nl80211_if_info default_if_indices[16];
+ struct drv_nl80211_if_info *if_indices;
int num_if_indices;
/* From failed authentication command */
@@ -215,8 +217,6 @@ struct wpa_driver_nl80211_data {
* (NL80211_CMD_VENDOR). 0 if no pending scan request.
*/
int last_scan_cmd;
-
- struct he_capabilities he_capab;
};
struct nl_msg;
diff --git a/freebsd/contrib/wpa/src/eap_common/eap_defs.h b/freebsd/contrib/wpa/src/eap_common/eap_defs.h
index 54f26ca..bc3047c 100644
--- a/freebsd/contrib/wpa/src/eap_common/eap_defs.h
+++ b/freebsd/contrib/wpa/src/eap_common/eap_defs.h
@@ -92,6 +92,7 @@ typedef enum {
EAP_TYPE_GPSK = 51 /* RFC 5433 */,
EAP_TYPE_PWD = 52 /* RFC 5931 */,
EAP_TYPE_EKE = 53 /* RFC 6124 */,
+ EAP_TYPE_TEAP = 55 /* RFC 7170 */,
EAP_TYPE_EXPANDED = 254 /* RFC 3748 */
} EapType;
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap.c b/freebsd/contrib/wpa/src/eap_peer/eap.c
index c682b06..5d43af4 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap.c
@@ -2099,12 +2099,8 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
}
}
- sm->eapol_cb->notify_cert(sm->eapol_ctx,
- data->peer_cert.depth,
- data->peer_cert.subject,
- data->peer_cert.altsubject,
- data->peer_cert.num_altsubject,
- hash_hex, data->peer_cert.cert);
+ sm->eapol_cb->notify_cert(sm->eapol_ctx, &data->peer_cert,
+ hash_hex);
break;
case TLS_ALERT:
if (data->alert.is_local)
@@ -2609,7 +2605,7 @@ static int eap_allowed_phase2_type(int vendor, int type)
if (vendor != EAP_VENDOR_IETF)
return 0;
return type != EAP_TYPE_PEAP && type != EAP_TYPE_TTLS &&
- type != EAP_TYPE_FAST;
+ type != EAP_TYPE_FAST && type != EAP_TYPE_TEAP;
}
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap.h b/freebsd/contrib/wpa/src/eap_peer/eap.h
index d0837e3..acd70d0 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap.h
+++ b/freebsd/contrib/wpa/src/eap_peer/eap.h
@@ -16,6 +16,7 @@
struct eap_sm;
struct wpa_config_blob;
struct wpabuf;
+struct tls_cert_data;
struct eap_method_type {
int vendor;
@@ -226,16 +227,11 @@ struct eapol_callbacks {
/**
* notify_cert - Notification of a peer certificate
* @ctx: eapol_ctx from eap_peer_sm_init() call
- * @depth: Depth in certificate chain (0 = server)
- * @subject: Subject of the peer certificate
- * @altsubject: Select fields from AltSubject of the peer certificate
- * @num_altsubject: Number of altsubject values
+ * @cert: Certificate information
* @cert_hash: SHA-256 hash of the certificate
- * @cert: Peer certificate
*/
- void (*notify_cert)(void *ctx, int depth, const char *subject,
- const char *altsubject[], int num_altsubject,
- const char *cert_hash, const struct wpabuf *cert);
+ void (*notify_cert)(void *ctx, struct tls_cert_data *cert,
+ const char *cert_hash);
/**
* notify_status - Notification of the current EAP state
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_config.h b/freebsd/contrib/wpa/src/eap_peer/eap_config.h
index 3a88f2a..148c906 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_config.h
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_config.h
@@ -816,6 +816,8 @@ struct eap_peer_config {
EXT_CERT_CHECK_GOOD,
EXT_CERT_CHECK_BAD,
} pending_ext_cert_check;
+
+ int teap_anon_dh;
};
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_leap.c b/freebsd/contrib/wpa/src/eap_peer/eap_leap.c
index 5f087bf..e94c60e 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_leap.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_leap.c
@@ -392,8 +392,8 @@ static u8 * eap_leap_getKey(struct eap_sm *sm, void *priv, size_t *len)
wpa_hexdump_key(MSG_DEBUG, "EAP-LEAP: master key", key, LEAP_KEY_LEN);
*len = LEAP_KEY_LEN;
- os_memset(pw_hash, 0, sizeof(pw_hash));
- os_memset(pw_hash_hash, 0, sizeof(pw_hash_hash));
+ forced_memzero(pw_hash, sizeof(pw_hash));
+ forced_memzero(pw_hash_hash, sizeof(pw_hash_hash));
return key;
}
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_methods.h b/freebsd/contrib/wpa/src/eap_peer/eap_methods.h
index b96b211..09e08d3 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_methods.h
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_methods.h
@@ -97,6 +97,7 @@ int eap_peer_psk_register(void);
int eap_peer_aka_register(void);
int eap_peer_aka_prime_register(void);
int eap_peer_fast_register(void);
+int eap_peer_teap_register(void);
int eap_peer_pax_register(void);
int eap_peer_sake_register(void);
int eap_peer_gpsk_register(void);
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_peap.c b/freebsd/contrib/wpa/src/eap_peer/eap_peap.c
index 74bc265..10892c5 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_peap.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_peap.c
@@ -297,7 +297,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
res = peap_prfplus(data->peap_version, tk, 40,
"Inner Methods Compound Keys",
isk, sizeof(isk), imck, sizeof(imck));
- os_memset(isk, 0, sizeof(isk));
+ forced_memzero(isk, sizeof(isk));
if (res < 0)
return -1;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
@@ -307,7 +307,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
os_memcpy(data->cmk, imck + 40, 20);
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
- os_memset(imck, 0, sizeof(imck));
+ forced_memzero(imck, sizeof(imck));
return 0;
}
@@ -1269,7 +1269,7 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
os_memcpy(key, csk, EAP_TLS_KEY_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
key, EAP_TLS_KEY_LEN);
- os_memset(csk, 0, sizeof(csk));
+ forced_memzero(csk, sizeof(csk));
} else
os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
index 37d7f57..16927d7 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
@@ -176,6 +176,9 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
struct eap_method_ret *ret)
{
const char *label;
+ const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
@@ -186,6 +189,8 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
if (data->ssl.tls_v13) {
label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = 1;
/* A possible NewSessionTicket may be received before
* EAP-Success, so need to allow it to be received. */
@@ -200,7 +205,7 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
eap_tls_free_key(data);
data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
- NULL, 0,
+ context, context_len,
EAP_TLS_KEY_LEN +
EAP_EMSK_LEN);
if (data->key_data) {
@@ -293,6 +298,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
return NULL;
}
+ if (res == 2) {
+ /* Application data included in the handshake message (used by
+ * EAP-TLS 1.3 to indicate conclusion of the exchange). */
+ wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data",
+ resp);
+ wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data",
+ data->ssl.tls_out);
+ eap_peer_tls_reset_output(&data->ssl);
+ /* Send an ACK to allow the server to complete exchange */
+ res = 1;
+ }
+
if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
eap_tls_success(sm, data, ret);
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c
index d8b0f47..61abb52 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.c
@@ -161,7 +161,8 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
struct eap_peer_config *config, int phase2)
{
os_memset(params, 0, sizeof(*params));
- if (sm->workaround && data->eap_type != EAP_TYPE_FAST) {
+ if (sm->workaround && data->eap_type != EAP_TYPE_FAST &&
+ data->eap_type != EAP_TYPE_TEAP) {
/*
* Some deployed authentication servers seem to be unable to
* handle the TLS Session Ticket extension (they are supposed
@@ -173,7 +174,15 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
*/
params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
}
+ if (data->eap_type == EAP_TYPE_TEAP) {
+ /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */
+ params->flags |= TLS_CONN_DISABLE_TLSv1_0 |
+ TLS_CONN_DISABLE_TLSv1_1;
+ if (config->teap_anon_dh)
+ params->flags |= TLS_CONN_TEAP_ANON_DH;
+ }
if (data->eap_type == EAP_TYPE_FAST ||
+ data->eap_type == EAP_TYPE_TEAP ||
data->eap_type == EAP_TYPE_TTLS ||
data->eap_type == EAP_TYPE_PEAP) {
/* The current EAP peer implementation is not yet ready for the
@@ -406,17 +415,18 @@ u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
if (eap_type == EAP_TYPE_TLS && data->tls_v13) {
u8 *id, *method_id;
+ const u8 context[] = { EAP_TYPE_TLS };
/* Session-Id = <EAP-Type> || Method-Id
* Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
- * "", 64)
+ * Type-Code, 64)
*/
*len = 1 + 64;
id = os_malloc(*len);
if (!id)
return NULL;
method_id = eap_peer_tls_derive_key(
- sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64);
+ sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64);
if (!method_id) {
os_free(id);
return NULL;
diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h
index 5f82529..d96eff1 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls_common.h
@@ -70,7 +70,8 @@ struct eap_ssl_data {
void *ssl_ctx;
/**
- * eap_type - EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
+ * eap_type - EAP method used in Phase 1
+ * (EAP_TYPE_TLS/PEAP/TTLS/FAST/TEAP)
*/
u8 eap_type;
@@ -85,6 +86,7 @@ struct eap_ssl_data {
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
#define EAP_TLS_FLAGS_START 0x20
+#define EAP_TEAP_FLAGS_OUTER_TLV_LEN 0x10
#define EAP_TLS_VERSION_MASK 0x07
/* could be up to 128 bytes, but only the first 64 bytes are used */
diff --git a/freebsd/contrib/wpa/src/eap_server/eap_methods.h b/freebsd/contrib/wpa/src/eap_server/eap_methods.h
index 3bf1495..fdbea7a 100644
--- a/freebsd/contrib/wpa/src/eap_server/eap_methods.h
+++ b/freebsd/contrib/wpa/src/eap_server/eap_methods.h
@@ -41,6 +41,7 @@ int eap_server_sake_register(void);
int eap_server_gpsk_register(void);
int eap_server_vendor_test_register(void);
int eap_server_fast_register(void);
+int eap_server_teap_register(void);
int eap_server_wsc_register(void);
int eap_server_ikev2_register(void);
int eap_server_tnc_register(void);
diff --git a/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h b/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
index 44f3f31..bcdd509 100644
--- a/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
+++ b/freebsd/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
@@ -36,7 +36,10 @@ struct eapol_auth_config {
int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
+ int eap_teap_auth;
+ int eap_teap_pac_no_inner;
int eap_sim_aka_result_ind;
+ int eap_sim_id;
int tnc;
struct wps_context *wps;
int fragment_size;
diff --git a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
index c69f815..51c1703 100644
--- a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
+++ b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
@@ -2000,15 +2000,12 @@ static void eapol_sm_eap_param_needed(void *ctx, enum wpa_ctrl_req_type field,
#define eapol_sm_eap_param_needed NULL
#endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
-static void eapol_sm_notify_cert(void *ctx, int depth, const char *subject,
- const char *altsubject[],
- int num_altsubject, const char *cert_hash,
- const struct wpabuf *cert)
+static void eapol_sm_notify_cert(void *ctx, struct tls_cert_data *cert,
+ const char *cert_hash)
{
struct eapol_sm *sm = ctx;
if (sm->ctx->cert_cb)
- sm->ctx->cert_cb(sm->ctx->ctx, depth, subject, altsubject,
- num_altsubject, cert_hash, cert);
+ sm->ctx->cert_cb(sm->ctx->ctx, cert, cert_hash);
}
diff --git a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
index 74f40bb..c9d7522 100644
--- a/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
+++ b/freebsd/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
@@ -11,6 +11,8 @@
#include "common/defs.h"
+struct tls_cert_data;
+
typedef enum { Unauthorized, Authorized } PortStatus;
typedef enum { Auto, ForceUnauthorized, ForceAuthorized } PortControl;
@@ -246,16 +248,11 @@ struct eapol_ctx {
/**
* cert_cb - Notification of a peer certificate
* @ctx: Callback context (ctx)
- * @depth: Depth in certificate chain (0 = server)
- * @subject: Subject of the peer certificate
- * @altsubject: Select fields from AltSubject of the peer certificate
- * @num_altsubject: Number of altsubject values
+ * @cert: Certificate information
* @cert_hash: SHA-256 hash of the certificate
- * @cert: Peer certificate
*/
- void (*cert_cb)(void *ctx, int depth, const char *subject,
- const char *altsubject[], int num_altsubject,
- const char *cert_hash, const struct wpabuf *cert);
+ void (*cert_cb)(void *ctx, struct tls_cert_data *cert,
+ const char *cert_hash);
/**
* cert_in_cb - Include server certificates in callback
diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa.c b/freebsd/contrib/wpa/src/rsn_supp/wpa.c
index c2ebec5..df99fc9 100644
--- a/freebsd/contrib/wpa/src/rsn_supp/wpa.c
+++ b/freebsd/contrib/wpa/src/rsn_supp/wpa.c
@@ -307,6 +307,9 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
#endif /* CONFIG_IEEE80211R */
} else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
int res, pmk_len;
+#ifdef CONFIG_IEEE80211R
+ u8 buf[2 * PMK_LEN];
+#endif /* CONFIG_IEEE80211R */
if (wpa_key_mgmt_sha384(sm->key_mgmt))
pmk_len = PMK_LEN_SUITE_B_192;
@@ -322,24 +325,42 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
pmk_len = 16;
}
- } else {
+ }
#ifdef CONFIG_IEEE80211R
- u8 buf[2 * PMK_LEN];
- if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
- {
- if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
- os_memcpy(sm->xxkey, buf,
- SHA384_MAC_LEN);
- sm->xxkey_len = SHA384_MAC_LEN;
- } else {
- os_memcpy(sm->xxkey, buf + PMK_LEN,
- PMK_LEN);
- sm->xxkey_len = PMK_LEN;
- }
- os_memset(buf, 0, sizeof(buf));
+ if (res == 0 &&
+ eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
+ if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
+ os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
+ sm->xxkey_len = SHA384_MAC_LEN;
+ } else {
+ os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
+ sm->xxkey_len = PMK_LEN;
+ }
+ forced_memzero(buf, sizeof(buf));
+ if (sm->proto == WPA_PROTO_RSN &&
+ wpa_key_mgmt_ft(sm->key_mgmt)) {
+ struct rsn_pmksa_cache_entry *sa = NULL;
+ const u8 *fils_cache_id = NULL;
+
+#ifdef CONFIG_FILS
+ if (sm->fils_cache_id_set)
+ fils_cache_id = sm->fils_cache_id;
+#endif /* CONFIG_FILS */
+ wpa_hexdump_key(MSG_DEBUG,
+ "FT: Cache XXKey/MPMK",
+ sm->xxkey, sm->xxkey_len);
+ sa = pmksa_cache_add(sm->pmksa,
+ sm->xxkey, sm->xxkey_len,
+ NULL, NULL, 0,
+ src_addr, sm->own_addr,
+ sm->network_ctx,
+ sm->key_mgmt,
+ fils_cache_id);
+ if (!sm->cur_pmksa)
+ sm->cur_pmksa = sa;
}
-#endif /* CONFIG_IEEE80211R */
}
+#endif /* CONFIG_IEEE80211R */
if (res == 0) {
struct rsn_pmksa_cache_entry *sa = NULL;
const u8 *fils_cache_id = NULL;
@@ -630,7 +651,7 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
os_memcpy(buf, &ptk->tk[16], 8);
os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
os_memcpy(&ptk->tk[24], buf, 8);
- os_memset(buf, 0, sizeof(buf));
+ forced_memzero(buf, sizeof(buf));
}
sm->tptk_set = 1;
@@ -904,7 +925,7 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to set GTK to the driver "
"(Group only)");
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ forced_memzero(gtk_buf, sizeof(gtk_buf));
return -1;
}
} else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
@@ -914,10 +935,10 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
"WPA: Failed to set GTK to "
"the driver (alg=%d keylen=%d keyidx=%d)",
gd->alg, gd->gtk_len, gd->keyidx);
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ forced_memzero(gtk_buf, sizeof(gtk_buf));
return -1;
}
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ forced_memzero(gtk_buf, sizeof(gtk_buf));
if (wnm_sleep) {
sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
@@ -1023,10 +1044,10 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
return -1;
}
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
return 0;
}
@@ -1695,12 +1716,12 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
os_memcpy(gd->gtk, key_data, key_data_len);
if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
- os_memset(ek, 0, sizeof(ek));
+ forced_memzero(ek, sizeof(ek));
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"WPA: RC4 failed");
return -1;
}
- os_memset(ek, 0, sizeof(ek));
+ forced_memzero(ek, sizeof(ek));
#endif /* CONFIG_NO_RC4 */
} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
if (maxkeylen % 8) {
@@ -1849,7 +1870,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
goto failed;
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
if (rekey) {
wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
@@ -1868,7 +1889,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
return;
failed:
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
}
@@ -1982,12 +2003,12 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
os_memcpy(ek, key->key_iv, 16);
os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
- os_memset(ek, 0, sizeof(ek));
+ forced_memzero(ek, sizeof(ek));
wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
"WPA: RC4 failed");
return -1;
}
- os_memset(ek, 0, sizeof(ek));
+ forced_memzero(ek, sizeof(ek));
#endif /* CONFIG_NO_RC4 */
} else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
@@ -3427,12 +3448,12 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
gd.gtk, gd.gtk_len);
if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
"WNM mode");
return -1;
}
- os_memset(&gd, 0, sizeof(gd));
+ forced_memzero(&gd, sizeof(gd));
#ifdef CONFIG_IEEE80211W
} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
const struct wpa_igtk_kde *igtk;
@@ -3862,7 +3883,7 @@ int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
dh_ss ? wpabuf_head(dh_ss) : NULL,
dh_ss ? wpabuf_len(dh_ss) : 0,
sm->pmk, &sm->pmk_len);
- os_memset(rmsk, 0, sizeof(rmsk));
+ forced_memzero(rmsk, sizeof(rmsk));
/* Don't use DHss in PTK derivation if PMKSA caching is not
* used. */
@@ -3937,7 +3958,7 @@ int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
sm->fils_key_auth_ap,
&sm->fils_key_auth_len);
wpabuf_free(pub);
- os_memset(ick, 0, sizeof(ick));
+ forced_memzero(ick, sizeof(ick));
return res;
fail:
wpabuf_free(pub);
@@ -4301,6 +4322,26 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
sm->fils_session, FILS_SESSION_LEN);
}
+ if (!elems.rsn_ie) {
+ wpa_printf(MSG_DEBUG,
+ "FILS: No RSNE in (Re)Association Response");
+ /* As an interop workaround, allow this for now since IEEE Std
+ * 802.11ai-2016 did not include all the needed changes to make
+ * a FILS AP include RSNE in the frame. This workaround might
+ * eventually be removed and replaced with rejection (goto fail)
+ * to follow a strict interpretation of the standard. */
+ } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
+ sm->ap_rsn_ie, sm->ap_rsn_ie_len,
+ elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+ "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
+ wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
+ sm->ap_rsn_ie, sm->ap_rsn_ie_len);
+ wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
+ elems.rsn_ie, elems.rsn_ie_len);
+ goto fail;
+ }
+
/* TODO: FILS Public Key */
if (!elems.fils_key_confirm) {
@@ -4441,9 +4482,11 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
sm->fils_completed = 1;
+ forced_memzero(&gd, sizeof(gd));
return 0;
fail:
+ forced_memzero(&gd, sizeof(gd));
return -1;
}
@@ -4655,7 +4698,7 @@ int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
else if (group == 21)
res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
os_strlen(info), sm->pmk, hash_len);
- os_memset(prk, 0, SHA512_MAC_LEN);
+ forced_memzero(prk, SHA512_MAC_LEN);
if (res < 0) {
sm->pmk_len = 0;
return -1;
diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa.h b/freebsd/contrib/wpa/src/rsn_supp/wpa.h
index 8903f8e..ae9cd64 100644
--- a/freebsd/contrib/wpa/src/rsn_supp/wpa.h
+++ b/freebsd/contrib/wpa/src/rsn_supp/wpa.h
@@ -26,7 +26,7 @@ struct wpa_sm_ctx {
void (*set_state)(void *ctx, enum wpa_states state);
enum wpa_states (*get_state)(void *ctx);
- void (*deauthenticate)(void * ctx, int reason_code);
+ void (*deauthenticate)(void * ctx, u16 reason_code);
int (*set_key)(void *ctx, enum wpa_alg alg,
const u8 *addr, int key_idx, int set_tx,
const u8 *seq, size_t seq_len,
diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c b/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c
index 6738b05..e30e910 100644
--- a/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c
+++ b/freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c
@@ -20,6 +20,7 @@
#include "drivers/driver.h"
#include "wpa.h"
#include "wpa_i.h"
+#include "pmksa_cache.h"
#ifdef CONFIG_IEEE80211R
@@ -29,15 +30,23 @@ int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
u8 ptk_name[WPA_PMK_NAME_LEN];
const u8 *anonce = key->key_nonce;
int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
-
- if (sm->xxkey_len == 0) {
+ const u8 *mpmk;
+ size_t mpmk_len;
+
+ if (sm->xxkey_len > 0) {
+ mpmk = sm->xxkey;
+ mpmk_len = sm->xxkey_len;
+ } else if (sm->cur_pmksa) {
+ mpmk = sm->cur_pmksa->pmk;
+ mpmk_len = sm->cur_pmksa->pmk_len;
+ } else {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
"derivation");
return -1;
}
sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
- if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, sm->ssid,
+ if (wpa_derive_pmk_r0(mpmk, mpmk_len, sm->ssid,
sm->ssid_len, sm->mobility_domain,
sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0)
@@ -821,10 +830,10 @@ static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
igtk_elem + 2, 6, igtk, igtk_len) < 0) {
wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the "
"driver.");
- os_memset(igtk, 0, sizeof(igtk));
+ forced_memzero(igtk, sizeof(igtk));
return -1;
}
- os_memset(igtk, 0, sizeof(igtk));
+ forced_memzero(igtk, sizeof(igtk));
return 0;
}
diff --git a/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h b/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h
index 0c5955c..d86734b 100644
--- a/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h
+++ b/freebsd/contrib/wpa/src/rsn_supp/wpa_i.h
@@ -188,7 +188,7 @@ static inline enum wpa_states wpa_sm_get_state(struct wpa_sm *sm)
return sm->ctx->get_state(sm->ctx->ctx);
}
-static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, int reason_code)
+static inline void wpa_sm_deauthenticate(struct wpa_sm *sm, u16 reason_code)
{
WPA_ASSERT(sm->ctx->deauthenticate);
sm->ctx->deauthenticate(sm->ctx->ctx, reason_code);
diff --git a/freebsd/contrib/wpa/src/utils/common.c b/freebsd/contrib/wpa/src/utils/common.c
index a1fdfae..0eb8bc6 100644
--- a/freebsd/contrib/wpa/src/utils/common.c
+++ b/freebsd/contrib/wpa/src/utils/common.c
@@ -232,6 +232,16 @@ void inc_byte_array(u8 *counter, size_t len)
}
+void buf_shift_right(u8 *buf, size_t len, size_t bits)
+{
+ size_t i;
+
+ for (i = len - 1; i > 0; i--)
+ buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
+ buf[0] >>= bits;
+}
+
+
void wpa_get_ntp_timestamp(u8 *buf)
{
struct os_time now;
@@ -962,7 +972,7 @@ void str_clear_free(char *str)
{
if (str) {
size_t len = os_strlen(str);
- os_memset(str, 0, len);
+ forced_memzero(str, len);
os_free(str);
}
}
@@ -971,7 +981,7 @@ void str_clear_free(char *str)
void bin_clear_free(void *bin, size_t len)
{
if (bin) {
- os_memset(bin, 0, len);
+ forced_memzero(bin, len);
os_free(bin);
}
}
@@ -1251,3 +1261,22 @@ char * get_param(const char *cmd, const char *param)
val[len] = '\0';
return val;
}
+
+
+/* Try to prevent most compilers from optimizing out clearing of memory that
+ * becomes unaccessible after this function is called. This is mostly the case
+ * for clearing local stack variables at the end of a function. This is not
+ * exactly perfect, i.e., someone could come up with a compiler that figures out
+ * the pointer is pointing to memset and then end up optimizing the call out, so
+ * try go a bit further by storing the first octet (now zero) to make this even
+ * a bit more difficult to optimize out. Once memset_s() is available, that
+ * could be used here instead. */
+static void * (* const volatile memset_func)(void *, int, size_t) = memset;
+static u8 forced_memzero_val;
+
+void forced_memzero(void *ptr, size_t len)
+{
+ memset_func(ptr, 0, len);
+ if (len)
+ forced_memzero_val = ((u8 *) ptr)[0];
+}
diff --git a/freebsd/contrib/wpa/src/utils/common.h b/freebsd/contrib/wpa/src/utils/common.h
index 924a8fe..037876a 100644
--- a/freebsd/contrib/wpa/src/utils/common.h
+++ b/freebsd/contrib/wpa/src/utils/common.h
@@ -469,6 +469,7 @@ int hwaddr_aton2(const char *txt, u8 *addr);
int hex2byte(const char *hex);
int hexstr2bin(const char *hex, u8 *buf, size_t len);
void inc_byte_array(u8 *counter, size_t len);
+void buf_shift_right(u8 *buf, size_t len, size_t bits);
void wpa_get_ntp_timestamp(u8 *buf);
int wpa_scnprintf(char *buf, size_t size, const char *fmt, ...);
int wpa_snprintf_hex_sep(char *buf, size_t buf_size, const u8 *data, size_t len,
@@ -561,6 +562,8 @@ int str_starts(const char *str, const char *start);
u8 rssi_to_rcpi(int rssi);
char * get_param(const char *cmd, const char *param);
+void forced_memzero(void *ptr, size_t len);
+
/*
* gcc 4.4 ends up generating strict-aliasing warnings about some very common
* networking socket uses that do not really result in a real problem and
diff --git a/freebsd/contrib/wpa/src/utils/wpa_debug.c b/freebsd/contrib/wpa/src/utils/wpa_debug.c
index 6659699..a7b8d59 100644
--- a/freebsd/contrib/wpa/src/utils/wpa_debug.c
+++ b/freebsd/contrib/wpa/src/utils/wpa_debug.c
@@ -146,6 +146,7 @@ int wpa_debug_open_linux_tracing(void)
printf("failed to read /proc/mounts\n");
return -1;
}
+ buf[buflen] = '\0';
line = strtok_r(buf, "\n", &tmp1);
while (line) {
diff --git a/freebsd/contrib/wpa/src/wps/wps.h b/freebsd/contrib/wpa/src/wps/wps.h
index 14ce863..9963c46 100644
--- a/freebsd/contrib/wpa/src/wps/wps.h
+++ b/freebsd/contrib/wpa/src/wps/wps.h
@@ -733,7 +733,7 @@ struct wps_context {
* uses this when acting as an Enrollee to notify Registrar of the
* current configuration.
*
- * When using WPA/WPA2-Person, this key can be either the ASCII
+ * When using WPA/WPA2-Personal, this key can be either the ASCII
* passphrase (8..63 characters) or the 32-octet PSK (64 hex
* characters). When this is set to the ASCII passphrase, the PSK can
* be provided in the psk buffer and used per-Enrollee to control which
diff --git a/freebsd/contrib/wpa/wpa_supplicant/ap.h b/freebsd/contrib/wpa/wpa_supplicant/ap.h
index 447b551..6c6e94c 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/ap.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/ap.h
@@ -54,7 +54,7 @@ int ap_switch_channel(struct wpa_supplicant *wpa_s,
struct csa_settings *settings);
int ap_ctrl_iface_chanswitch(struct wpa_supplicant *wpa_s, const char *txtaddr);
void wpas_ap_ch_switch(struct wpa_supplicant *wpa_s, int freq, int ht,
- int offset, int width, int cf1, int cf2);
+ int offset, int width, int cf1, int cf2, int finished);
struct wpabuf * wpas_ap_wps_nfc_config_token(struct wpa_supplicant *wpa_s,
int ndef);
#ifdef CONFIG_AP
diff --git a/freebsd/contrib/wpa/wpa_supplicant/bss.c b/freebsd/contrib/wpa/wpa_supplicant/bss.c
index f9b703b..5b080a3 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/bss.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/bss.c
@@ -433,6 +433,7 @@ static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
struct os_reltime *fetch_time)
{
struct wpa_bss *bss;
+ char extra[50];
bss = os_zalloc(sizeof(*bss) + res->ie_len + res->beacon_ie_len);
if (bss == NULL)
@@ -458,10 +459,15 @@ static struct wpa_bss * wpa_bss_add(struct wpa_supplicant *wpa_s,
dl_list_add_tail(&wpa_s->bss, &bss->list);
dl_list_add_tail(&wpa_s->bss_id, &bss->list_id);
wpa_s->num_bss++;
+ if (!is_zero_ether_addr(bss->hessid))
+ os_snprintf(extra, sizeof(extra), " HESSID " MACSTR,
+ MAC2STR(bss->hessid));
+ else
+ extra[0] = '\0';
wpa_dbg(wpa_s, MSG_DEBUG, "BSS: Add new id %u BSSID " MACSTR
- " SSID '%s' freq %d",
+ " SSID '%s' freq %d%s",
bss->id, MAC2STR(bss->bssid), wpa_ssid_txt(ssid, ssid_len),
- bss->freq);
+ bss->freq, extra);
wpas_notify_bss_added(wpa_s, bss->bssid, bss->id);
return bss;
}
diff --git a/freebsd/contrib/wpa/wpa_supplicant/config.c b/freebsd/contrib/wpa/wpa_supplicant/config.c
index 0eac7a9..ce10b43 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/config.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/config.c
@@ -2242,8 +2242,8 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(ht, 0, 1) },
{ INT_RANGE(vht, 0, 1) },
{ INT_RANGE(ht40, -1, 1) },
- { INT_RANGE(max_oper_chwidth, VHT_CHANWIDTH_USE_HT,
- VHT_CHANWIDTH_80P80MHZ) },
+ { INT_RANGE(max_oper_chwidth, CHANWIDTH_USE_HT,
+ CHANWIDTH_80P80MHZ) },
{ INT(vht_center_freq1) },
{ INT(vht_center_freq2) },
#ifdef IEEE8021X_EAPOL
@@ -2409,6 +2409,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(owe_group, 0, 65535) },
{ INT_RANGE(owe_only, 0, 1) },
{ INT_RANGE(multi_ap_backhaul_sta, 0, 1) },
+ { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
};
#undef OFFSET
@@ -4870,6 +4871,9 @@ static const struct global_parse_data global_fields[] = {
{ INT_RANGE(gas_rand_mac_addr, 0, 2), 0 },
{ INT_RANGE(dpp_config_processing, 0, 2), 0 },
{ INT_RANGE(coloc_intf_reporting, 0, 1), 0 },
+#ifdef CONFIG_WNM
+ { INT_RANGE(disable_btm, 0, 1), CFG_CHANGED_DISABLE_BTM },
+#endif /* CONFIG_WNM */
};
#undef FUNC
diff --git a/freebsd/contrib/wpa/wpa_supplicant/config.h b/freebsd/contrib/wpa/wpa_supplicant/config.h
index a617ea1..e27b869 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/config.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/config.h
@@ -377,6 +377,7 @@ struct wpa_cred {
#define CFG_CHANGED_P2P_PASSPHRASE_LEN BIT(16)
#define CFG_CHANGED_SCHED_SCAN_PLANS BIT(17)
#define CFG_CHANGED_WOWLAN_TRIGGERS BIT(18)
+#define CFG_CHANGED_DISABLE_BTM BIT(19)
/**
* struct wpa_config - wpa_supplicant configuration data
@@ -1530,6 +1531,15 @@ struct wpa_config {
* By default, permanent MAC address is used.
*/
int p2p_interface_random_mac_addr;
+
+ /**
+ * disable_btm - Disable BSS transition management in STA
+ * - Set to 0 to enable BSS transition management
+ * - Set to 1 to disable BSS transition management
+ *
+ * By default BSS transition management is enabled
+ */
+ int disable_btm;
};
diff --git a/freebsd/contrib/wpa/wpa_supplicant/config_file.c b/freebsd/contrib/wpa/wpa_supplicant/config_file.c
index e3e17e0..8f812e1 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/config_file.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/config_file.c
@@ -896,6 +896,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(owe_group);
INT(owe_only);
INT(multi_ap_backhaul_sta);
+ INT(ft_eap_pmksa_caching);
#ifdef CONFIG_HT_OVERRIDES
INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
@@ -1546,6 +1547,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
if (config->p2p_interface_random_mac_addr)
fprintf(f, "p2p_interface_random_mac_addr=%d\n",
config->p2p_interface_random_mac_addr);
+ if (config->disable_btm)
+ fprintf(f, "disable_btm=1\n");
}
#endif /* CONFIG_NO_CONFIG_WRITE */
diff --git a/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h b/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h
index 1b2b1f1..d5c5c00 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/config_ssid.h
@@ -48,6 +48,15 @@ struct psk_list_entry {
u8 p2p;
};
+enum wpas_mode {
+ WPAS_MODE_INFRA = 0,
+ WPAS_MODE_IBSS = 1,
+ WPAS_MODE_AP = 2,
+ WPAS_MODE_P2P_GO = 3,
+ WPAS_MODE_P2P_GROUP_FORMATION = 4,
+ WPAS_MODE_MESH = 5,
+};
+
/**
* struct wpa_ssid - Network configuration data
*
@@ -394,14 +403,7 @@ struct wpa_ssid {
* CCMP, but not both), and psk must also be set (either directly or
* using ASCII passphrase).
*/
- enum wpas_mode {
- WPAS_MODE_INFRA = 0,
- WPAS_MODE_IBSS = 1,
- WPAS_MODE_AP = 2,
- WPAS_MODE_P2P_GO = 3,
- WPAS_MODE_P2P_GROUP_FORMATION = 4,
- WPAS_MODE_MESH = 5,
- } mode;
+ enum wpas_mode mode;
/**
* pbss - Whether to use PBSS. Relevant to DMG networks only.
@@ -1005,6 +1007,16 @@ struct wpa_ssid {
* 1 = Multi-AP backhaul station
*/
int multi_ap_backhaul_sta;
+
+ /**
+ * ft_eap_pmksa_caching - Whether FT-EAP PMKSA caching is allowed
+ * 0 = do not try to use PMKSA caching with FT-EAP
+ * 1 = try to use PMKSA caching with FT-EAP
+ *
+ * This controls whether to try to use PMKSA caching with FT-EAP for the
+ * FT initial mobility domain association.
+ */
+ int ft_eap_pmksa_caching;
};
#endif /* CONFIG_SSID_H */
diff --git a/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c b/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c
index c7bcfef..b9c92d4 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/ctrl_iface.c
@@ -10,10 +10,10 @@
#include "utils/includes.h"
#ifdef CONFIG_TESTING_OPTIONS
-#include <net/ethernet.h>
#include <netinet/ip.h>
#endif /* CONFIG_TESTING_OPTIONS */
+#include <net/ethernet.h>
#include "utils/common.h"
#include "utils/eloop.h"
#include "utils/uuid.h"
@@ -3131,6 +3131,49 @@ static int wpa_supplicant_ctrl_iface_mesh_peer_add(
return wpas_mesh_peer_add(wpa_s, addr, duration);
}
+
+static int wpa_supplicant_ctrl_iface_mesh_link_probe(
+ struct wpa_supplicant *wpa_s, char *cmd)
+{
+ struct ether_header *eth;
+ u8 addr[ETH_ALEN];
+ u8 *buf;
+ char *pos;
+ size_t payload_len = 0, len;
+ int ret = -1;
+
+ if (hwaddr_aton(cmd, addr))
+ return -1;
+
+ pos = os_strstr(cmd, " payload=");
+ if (pos) {
+ pos = pos + 9;
+ payload_len = os_strlen(pos);
+ if (payload_len & 1)
+ return -1;
+
+ payload_len /= 2;
+ }
+
+ len = ETH_HLEN + payload_len;
+ buf = os_malloc(len);
+ if (!buf)
+ return -1;
+
+ eth = (struct ether_header *) buf;
+ os_memcpy(eth->ether_dhost, addr, ETH_ALEN);
+ os_memcpy(eth->ether_shost, wpa_s->own_addr, ETH_ALEN);
+ eth->ether_type = htons(ETH_P_802_3);
+
+ if (payload_len && hexstr2bin(pos, buf + ETH_HLEN, payload_len) < 0)
+ goto fail;
+
+ ret = wpa_drv_mesh_link_probe(wpa_s, addr, buf, len);
+fail:
+ os_free(buf);
+ return -ret;
+}
+
#endif /* CONFIG_MESH */
@@ -5550,17 +5593,17 @@ static int parse_freq(int chwidth, int freq2)
if (freq2 < 0)
return -1;
if (freq2)
- return VHT_CHANWIDTH_80P80MHZ;
+ return CHANWIDTH_80P80MHZ;
switch (chwidth) {
case 0:
case 20:
case 40:
- return VHT_CHANWIDTH_USE_HT;
+ return CHANWIDTH_USE_HT;
case 80:
- return VHT_CHANWIDTH_80MHZ;
+ return CHANWIDTH_80MHZ;
case 160:
- return VHT_CHANWIDTH_160MHZ;
+ return CHANWIDTH_160MHZ;
default:
wpa_printf(MSG_DEBUG, "Unknown max oper bandwidth: %d",
chwidth);
@@ -9585,59 +9628,10 @@ static int wpas_ctrl_iface_mac_rand_scan(struct wpa_supplicant *wpa_s,
return -1;
}
- if (!enable) {
- wpas_mac_addr_rand_scan_clear(wpa_s, type);
- if (wpa_s->pno) {
- if (type & MAC_ADDR_RAND_PNO) {
- wpas_stop_pno(wpa_s);
- wpas_start_pno(wpa_s);
- }
- } else if (wpa_s->sched_scanning &&
- (type & MAC_ADDR_RAND_SCHED_SCAN)) {
- wpas_scan_restart_sched_scan(wpa_s);
- }
- return 0;
- }
-
- if ((addr && !mask) || (!addr && mask)) {
- wpa_printf(MSG_INFO,
- "CTRL: MAC_RAND_SCAN invalid addr/mask combination");
- return -1;
- }
-
- if (addr && mask && (!(mask[0] & 0x01) || (addr[0] & 0x01))) {
- wpa_printf(MSG_INFO,
- "CTRL: MAC_RAND_SCAN cannot allow multicast address");
- return -1;
- }
-
- if (type & MAC_ADDR_RAND_SCAN) {
- if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCAN,
- addr, mask))
- return -1;
- }
+ if (!enable)
+ return wpas_disable_mac_addr_randomization(wpa_s, type);
- if (type & MAC_ADDR_RAND_SCHED_SCAN) {
- if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCHED_SCAN,
- addr, mask))
- return -1;
-
- if (wpa_s->sched_scanning && !wpa_s->pno)
- wpas_scan_restart_sched_scan(wpa_s);
- }
-
- if (type & MAC_ADDR_RAND_PNO) {
- if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_PNO,
- addr, mask))
- return -1;
-
- if (wpa_s->pno) {
- wpas_stop_pno(wpa_s);
- wpas_start_pno(wpa_s);
- }
- }
-
- return 0;
+ return wpas_enable_mac_addr_randomization(wpa_s, type, addr, mask);
}
@@ -10173,6 +10167,9 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
} else if (os_strncmp(buf, "MESH_PEER_ADD ", 14) == 0) {
if (wpa_supplicant_ctrl_iface_mesh_peer_add(wpa_s, buf + 14))
reply_len = -1;
+ } else if (os_strncmp(buf, "MESH_LINK_PROBE ", 16) == 0) {
+ if (wpa_supplicant_ctrl_iface_mesh_link_probe(wpa_s, buf + 16))
+ reply_len = -1;
#endif /* CONFIG_MESH */
#ifdef CONFIG_P2P
} else if (os_strncmp(buf, "P2P_FIND ", 9) == 0) {
@@ -10747,6 +10744,16 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
} else if (os_strncmp(buf, "DPP_PKEX_REMOVE ", 16) == 0) {
if (wpas_dpp_pkex_remove(wpa_s, buf + 16) < 0)
reply_len = -1;
+#ifdef CONFIG_DPP2
+ } else if (os_strncmp(buf, "DPP_CONTROLLER_START ", 21) == 0) {
+ if (wpas_dpp_controller_start(wpa_s, buf + 20) < 0)
+ reply_len = -1;
+ } else if (os_strcmp(buf, "DPP_CONTROLLER_START") == 0) {
+ if (wpas_dpp_controller_start(wpa_s, NULL) < 0)
+ reply_len = -1;
+ } else if (os_strcmp(buf, "DPP_CONTROLLER_STOP") == 0) {
+ dpp_controller_stop(wpa_s->dpp);
+#endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */
} else {
os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
diff --git a/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h b/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h
index ecb7a7d..9ba315f 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/dpp_supplicant.h
@@ -25,5 +25,6 @@ int wpas_dpp_init(struct wpa_supplicant *wpa_s);
void wpas_dpp_deinit(struct wpa_supplicant *wpa_s);
int wpas_dpp_check_connect(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid,
struct wpa_bss *bss);
+int wpas_dpp_controller_start(struct wpa_supplicant *wpa_s, const char *cmd);
#endif /* DPP_SUPPLICANT_H */
diff --git a/freebsd/contrib/wpa/wpa_supplicant/driver_i.h b/freebsd/contrib/wpa/wpa_supplicant/driver_i.h
index 4a9f472..cf9972a 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/driver_i.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/driver_i.h
@@ -87,6 +87,16 @@ static inline int wpa_drv_leave_mesh(struct wpa_supplicant *wpa_s)
return -1;
}
+static inline int wpa_drv_mesh_link_probe(struct wpa_supplicant *wpa_s,
+ const u8 *addr,
+ const u8 *eth, size_t len)
+{
+ if (wpa_s->driver->probe_mesh_link)
+ return wpa_s->driver->probe_mesh_link(wpa_s->drv_priv, addr,
+ eth, len);
+ return -1;
+}
+
static inline int wpa_drv_scan(struct wpa_supplicant *wpa_s,
struct wpa_driver_scan_params *params)
{
@@ -168,7 +178,7 @@ static inline int wpa_drv_get_seqnum(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_sta_deauth(struct wpa_supplicant *wpa_s,
- const u8 *addr, int reason_code)
+ const u8 *addr, u16 reason_code)
{
if (wpa_s->driver->sta_deauth) {
return wpa_s->driver->sta_deauth(wpa_s->drv_priv,
@@ -179,7 +189,7 @@ static inline int wpa_drv_sta_deauth(struct wpa_supplicant *wpa_s,
}
static inline int wpa_drv_deauthenticate(struct wpa_supplicant *wpa_s,
- const u8 *addr, int reason_code)
+ const u8 *addr, u16 reason_code)
{
if (wpa_s->driver->deauthenticate) {
return wpa_s->driver->deauthenticate(wpa_s->drv_priv, addr,
diff --git a/freebsd/contrib/wpa/wpa_supplicant/eap_register.c b/freebsd/contrib/wpa/wpa_supplicant/eap_register.c
index ee31c51..711f4b9 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/eap_register.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/eap_register.c
@@ -104,6 +104,11 @@ int eap_register_methods(void)
ret = eap_peer_fast_register();
#endif /* EAP_FAST */
+#ifdef EAP_TEAP
+ if (ret == 0)
+ ret = eap_peer_teap_register();
+#endif /* EAP_TEAP */
+
#ifdef EAP_PAX
if (ret == 0)
ret = eap_peer_pax_register();
@@ -239,6 +244,11 @@ int eap_register_methods(void)
ret = eap_server_fast_register();
#endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+ if (ret == 0)
+ ret = eap_server_teap_register();
+#endif /* EAP_SERVER_TEAP */
+
#ifdef EAP_SERVER_WSC
if (ret == 0)
ret = eap_server_wsc_register();
diff --git a/freebsd/contrib/wpa/wpa_supplicant/events.c b/freebsd/contrib/wpa/wpa_supplicant/events.c
index 8673d09..06f37a3 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/events.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/events.c
@@ -1224,7 +1224,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
continue;
}
- if (ssid->mode != IEEE80211_MODE_MESH && !bss_is_ess(bss) &&
+ if (ssid->mode != WPAS_MODE_MESH && !bss_is_ess(bss) &&
!bss_is_pbss(bss)) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
@@ -1248,7 +1248,7 @@ struct wpa_ssid * wpa_scan_res_match(struct wpa_supplicant *wpa_s,
}
#ifdef CONFIG_MESH
- if (ssid->mode == IEEE80211_MODE_MESH && ssid->frequency > 0 &&
+ if (ssid->mode == WPAS_MODE_MESH && ssid->frequency > 0 &&
ssid->frequency != bss->freq) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
@@ -1617,9 +1617,9 @@ wpa_supplicant_pick_new_network(struct wpa_supplicant *wpa_s)
continue;
}
#endif /* !CONFIG_IBSS_RSN */
- if (ssid->mode == IEEE80211_MODE_IBSS ||
- ssid->mode == IEEE80211_MODE_AP ||
- ssid->mode == IEEE80211_MODE_MESH)
+ if (ssid->mode == WPAS_MODE_IBSS ||
+ ssid->mode == WPAS_MODE_AP ||
+ ssid->mode == WPAS_MODE_MESH)
return ssid;
}
}
@@ -2841,7 +2841,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE ||
wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE ||
(wpa_s->current_ssid &&
- wpa_s->current_ssid->mode == IEEE80211_MODE_IBSS)) {
+ wpa_s->current_ssid->mode == WPAS_MODE_IBSS)) {
if (wpa_s->current_ssid &&
wpa_s->key_mgmt == WPA_KEY_MGMT_WPA_NONE &&
(wpa_s->drv_flags &
@@ -3598,8 +3598,9 @@ static void wpas_event_disassoc(struct wpa_supplicant *wpa_s,
ie_len = info->ie_len;
reason_code = info->reason_code;
locally_generated = info->locally_generated;
- wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u%s", reason_code,
- locally_generated ? " (locally generated)" : "");
+ wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u (%s)%s", reason_code,
+ reason2str(reason_code),
+ locally_generated ? " locally_generated=1" : "");
if (addr)
wpa_dbg(wpa_s, MSG_DEBUG, " * address " MACSTR,
MAC2STR(addr));
@@ -3652,9 +3653,9 @@ static void wpas_event_deauth(struct wpa_supplicant *wpa_s,
ie_len = info->ie_len;
reason_code = info->reason_code;
locally_generated = info->locally_generated;
- wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u%s",
- reason_code,
- locally_generated ? " (locally generated)" : "");
+ wpa_dbg(wpa_s, MSG_DEBUG, " * reason %u (%s)%s",
+ reason_code, reason2str(reason_code),
+ locally_generated ? " locally_generated=1" : "");
if (addr) {
wpa_dbg(wpa_s, MSG_DEBUG, " * address " MACSTR,
MAC2STR(addr));
@@ -4060,9 +4061,18 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s,
union wpa_event_data *data)
{
const u8 *bssid = data->assoc_reject.bssid;
+#ifdef CONFIG_MBO
+ struct wpa_bss *reject_bss;
+#endif /* CONFIG_MBO */
if (!bssid || is_zero_ether_addr(bssid))
bssid = wpa_s->pending_bssid;
+#ifdef CONFIG_MBO
+ if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME)
+ reject_bss = wpa_s->current_bss;
+ else
+ reject_bss = wpa_bss_get_bssid(wpa_s, bssid);
+#endif /* CONFIG_MBO */
if (data->assoc_reject.bssid)
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_ASSOC_REJECT
@@ -4113,8 +4123,7 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_MBO
if (data->assoc_reject.status_code ==
WLAN_STATUS_DENIED_POOR_CHANNEL_CONDITIONS &&
- wpa_s->current_bss && data->assoc_reject.bssid &&
- data->assoc_reject.resp_ies) {
+ reject_bss && data->assoc_reject.resp_ies) {
const u8 *rssi_rej;
rssi_rej = mbo_get_attr_from_ies(
@@ -4125,13 +4134,12 @@ static void wpas_event_assoc_reject(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG,
"OCE: RSSI-based association rejection from "
MACSTR " (Delta RSSI: %u, Retry Delay: %u)",
- MAC2STR(data->assoc_reject.bssid),
+ MAC2STR(reject_bss->bssid),
rssi_rej[2], rssi_rej[3]);
wpa_bss_tmp_disallow(wpa_s,
- data->assoc_reject.bssid,
+ reject_bss->bssid,
rssi_rej[3],
- rssi_rej[2] +
- wpa_s->current_bss->level);
+ rssi_rej[2] + reject_bss->level);
}
}
#endif /* CONFIG_MBO */
@@ -4463,18 +4471,24 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
data->rx_from_unknown.wds);
break;
#endif /* CONFIG_AP */
+
+ case EVENT_CH_SWITCH_STARTED:
case EVENT_CH_SWITCH:
if (!data || !wpa_s->current_ssid)
break;
- wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_CHANNEL_SWITCH
- "freq=%d ht_enabled=%d ch_offset=%d ch_width=%s cf1=%d cf2=%d",
+ wpa_msg(wpa_s, MSG_INFO,
+ "%sfreq=%d ht_enabled=%d ch_offset=%d ch_width=%s cf1=%d cf2=%d",
+ event == EVENT_CH_SWITCH ? WPA_EVENT_CHANNEL_SWITCH :
+ WPA_EVENT_CHANNEL_SWITCH_STARTED,
data->ch_switch.freq,
data->ch_switch.ht_enabled,
data->ch_switch.ch_offset,
channel_width_to_string(data->ch_switch.ch_width),
data->ch_switch.cf1,
data->ch_switch.cf2);
+ if (event == EVENT_CH_SWITCH_STARTED)
+ break;
wpa_s->assoc_freq = data->ch_switch.freq;
wpa_s->current_ssid->frequency = data->ch_switch.freq;
@@ -4490,7 +4504,8 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
data->ch_switch.ch_offset,
data->ch_switch.ch_width,
data->ch_switch.cf1,
- data->ch_switch.cf2);
+ data->ch_switch.cf2,
+ 1);
}
#endif /* CONFIG_AP */
@@ -4703,6 +4718,7 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
wpa_dbg(wpa_s, MSG_DEBUG, "Interface was enabled");
if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) {
wpa_supplicant_update_mac_addr(wpa_s);
+ wpa_supplicant_set_default_scan_ies(wpa_s);
if (wpa_s->p2p_mgmt) {
wpa_supplicant_set_state(wpa_s,
WPA_DISCONNECTED);
diff --git a/freebsd/contrib/wpa/wpa_supplicant/interworking.c b/freebsd/contrib/wpa/wpa_supplicant/interworking.c
index 44829a6..805e31c 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/interworking.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/interworking.c
@@ -1390,6 +1390,9 @@ static struct wpa_cred * interworking_credentials_available_roaming_consortium(
cred->num_roaming_consortiums == 0)
continue;
+ if (!cred->eap_method)
+ continue;
+
if ((cred->roaming_consortium_len == 0 ||
!roaming_consortium_match(ie, anqp,
cred->roaming_consortium,
@@ -2671,7 +2674,8 @@ static void interworking_next_anqp_fetch(struct wpa_supplicant *wpa_s)
found++;
bss->flags |= WPA_BSS_ANQP_FETCH_TRIED;
wpa_msg(wpa_s, MSG_INFO, "Starting ANQP fetch for "
- MACSTR, MAC2STR(bss->bssid));
+ MACSTR " (HESSID " MACSTR ")",
+ MAC2STR(bss->bssid), MAC2STR(bss->hessid));
interworking_anqp_send_req(wpa_s, bss);
break;
}
diff --git a/freebsd/contrib/wpa/wpa_supplicant/notify.c b/freebsd/contrib/wpa/wpa_supplicant/notify.c
index c1fb8ae..cc01893 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/notify.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/notify.c
@@ -20,6 +20,7 @@
#include "dbus/dbus_new.h"
#include "rsn_supp/wpa.h"
#include "fst/fst.h"
+#include "crypto/tls.h"
#include "driver_i.h"
#include "scan.h"
#include "p2p_supplicant.h"
@@ -788,42 +789,41 @@ void wpas_notify_sta_authorized(struct wpa_supplicant *wpa_s,
}
-void wpas_notify_certification(struct wpa_supplicant *wpa_s, int depth,
- const char *subject, const char *altsubject[],
- int num_altsubject, const char *cert_hash,
- const struct wpabuf *cert)
+void wpas_notify_certification(struct wpa_supplicant *wpa_s,
+ struct tls_cert_data *cert,
+ const char *cert_hash)
{
+ int i;
+
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s",
- depth, subject, cert_hash ? " hash=" : "",
- cert_hash ? cert_hash : "");
+ "depth=%d subject='%s'%s%s%s",
+ cert->depth, cert->subject, cert_hash ? " hash=" : "",
+ cert_hash ? cert_hash : "",
+ cert->tod ? " tod=1" : "");
- if (cert) {
+ if (cert->cert) {
char *cert_hex;
- size_t len = wpabuf_len(cert) * 2 + 1;
+ size_t len = wpabuf_len(cert->cert) * 2 + 1;
cert_hex = os_malloc(len);
if (cert_hex) {
- wpa_snprintf_hex(cert_hex, len, wpabuf_head(cert),
- wpabuf_len(cert));
+ wpa_snprintf_hex(cert_hex, len, wpabuf_head(cert->cert),
+ wpabuf_len(cert->cert));
wpa_msg_ctrl(wpa_s, MSG_INFO,
WPA_EVENT_EAP_PEER_CERT
"depth=%d subject='%s' cert=%s",
- depth, subject, cert_hex);
+ cert->depth, cert->subject, cert_hex);
os_free(cert_hex);
}
}
- if (altsubject) {
- int i;
-
- for (i = 0; i < num_altsubject; i++)
- wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT
- "depth=%d %s", depth, altsubject[i]);
- }
+ for (i = 0; i < cert->num_altsubject; i++)
+ wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT
+ "depth=%d %s", cert->depth, cert->altsubject[i]);
/* notify the new DBus API */
- wpas_dbus_signal_certification(wpa_s, depth, subject, altsubject,
- num_altsubject, cert_hash, cert);
+ wpas_dbus_signal_certification(wpa_s, cert->depth, cert->subject,
+ cert->altsubject, cert->num_altsubject,
+ cert_hash, cert->cert);
}
@@ -903,7 +903,7 @@ void wpas_notify_mesh_group_started(struct wpa_supplicant *wpa_s,
void wpas_notify_mesh_group_removed(struct wpa_supplicant *wpa_s,
const u8 *meshid, u8 meshid_len,
- int reason_code)
+ u16 reason_code)
{
if (wpa_s->p2p_mgmt)
return;
@@ -924,7 +924,7 @@ void wpas_notify_mesh_peer_connected(struct wpa_supplicant *wpa_s,
void wpas_notify_mesh_peer_disconnected(struct wpa_supplicant *wpa_s,
- const u8 *peer_addr, int reason_code)
+ const u8 *peer_addr, u16 reason_code)
{
if (wpa_s->p2p_mgmt)
return;
diff --git a/freebsd/contrib/wpa/wpa_supplicant/notify.h b/freebsd/contrib/wpa/wpa_supplicant/notify.h
index 65f513e..e843aa1 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/notify.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/notify.h
@@ -14,6 +14,7 @@
struct wps_credential;
struct wps_event_m2d;
struct wps_event_fail;
+struct tls_cert_data;
int wpas_notify_supplicant_initialized(struct wpa_global *global);
void wpas_notify_supplicant_deinitialized(struct wpa_global *global);
@@ -130,10 +131,9 @@ void wpas_notify_persistent_group_removed(struct wpa_supplicant *wpa_s,
void wpas_notify_p2p_wps_failed(struct wpa_supplicant *wpa_s,
struct wps_event_fail *fail);
-void wpas_notify_certification(struct wpa_supplicant *wpa_s, int depth,
- const char *subject, const char *altsubject[],
- int num_altsubject, const char *cert_hash,
- const struct wpabuf *cert);
+void wpas_notify_certification(struct wpa_supplicant *wpa_s,
+ struct tls_cert_data *cert,
+ const char *cert_hash);
void wpas_notify_preq(struct wpa_supplicant *wpa_s,
const u8 *addr, const u8 *dst, const u8 *bssid,
const u8 *ie, size_t ie_len, u32 ssi_signal);
@@ -151,10 +151,10 @@ void wpas_notify_mesh_group_started(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid);
void wpas_notify_mesh_group_removed(struct wpa_supplicant *wpa_s,
const u8 *meshid, u8 meshid_len,
- int reason_code);
+ u16 reason_code);
void wpas_notify_mesh_peer_connected(struct wpa_supplicant *wpa_s,
const u8 *peer_addr);
void wpas_notify_mesh_peer_disconnected(struct wpa_supplicant *wpa_s,
- const u8 *peer_addr, int reason_code);
+ const u8 *peer_addr, u16 reason_code);
#endif /* NOTIFY_H */
diff --git a/freebsd/contrib/wpa/wpa_supplicant/op_classes.c b/freebsd/contrib/wpa/wpa_supplicant/op_classes.c
index 8b517af..f0fd790 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/op_classes.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/op_classes.c
@@ -350,7 +350,7 @@ size_t wpas_supp_op_class_ie(struct wpa_supplicant *wpa_s,
* TODO: Use the secondary channel and VHT channel width that will be
* used after association.
*/
- if (ieee80211_freq_to_channel_ext(freq, 0, VHT_CHANWIDTH_USE_HT,
+ if (ieee80211_freq_to_channel_ext(freq, 0, CHANWIDTH_USE_HT,
¤t, &chan) == NUM_HOSTAPD_MODES)
return 0;
diff --git a/freebsd/contrib/wpa/wpa_supplicant/rrm.c b/freebsd/contrib/wpa/wpa_supplicant/rrm.c
index 8cff125..4dcd8b9 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/rrm.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/rrm.c
@@ -719,20 +719,20 @@ static int wpas_get_op_chan_phy(int freq, const u8 *ies, size_t ies_len,
seg0 = vht_oper->vht_op_info_chan_center_freq_seg0_idx;
seg1 = vht_oper->vht_op_info_chan_center_freq_seg1_idx;
if (seg1 && abs(seg1 - seg0) == 8)
- vht = VHT_CHANWIDTH_160MHZ;
+ vht = CHANWIDTH_160MHZ;
else if (seg1)
- vht = VHT_CHANWIDTH_80P80MHZ;
+ vht = CHANWIDTH_80P80MHZ;
else
- vht = VHT_CHANWIDTH_80MHZ;
+ vht = CHANWIDTH_80MHZ;
break;
case 2:
- vht = VHT_CHANWIDTH_160MHZ;
+ vht = CHANWIDTH_160MHZ;
break;
case 3:
- vht = VHT_CHANWIDTH_80P80MHZ;
+ vht = CHANWIDTH_80P80MHZ;
break;
default:
- vht = VHT_CHANWIDTH_USE_HT;
+ vht = CHANWIDTH_USE_HT;
break;
}
}
diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c
index 1bc62ce..2d4c674 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.c
@@ -38,6 +38,7 @@
#include "rsn_supp/preauth.h"
#include "rsn_supp/pmksa_cache.h"
#include "common/wpa_ctrl.h"
+#include "common/ieee802_11_common.h"
#include "common/ieee802_11_defs.h"
#include "common/hw_features_common.h"
#include "common/gas_server.h"
@@ -1418,9 +1419,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT FT/802.1X-SHA384");
- if (pmksa_cache_get_current(wpa_s->wpa)) {
- /* PMKSA caching with FT is not fully functional, so
- * disable the case for now. */
+ if (!ssid->ft_eap_pmksa_caching &&
+ pmksa_cache_get_current(wpa_s->wpa)) {
+ /* PMKSA caching with FT may have interoperability
+ * issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa);
@@ -1459,9 +1461,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
} else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X");
- if (pmksa_cache_get_current(wpa_s->wpa)) {
- /* PMKSA caching with FT is not fully functional, so
- * disable the case for now. */
+ if (!ssid->ft_eap_pmksa_caching &&
+ pmksa_cache_get_current(wpa_s->wpa)) {
+ /* PMKSA caching with FT may have interoperability
+ * issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa);
@@ -1710,7 +1713,8 @@ static void wpas_ext_capab_byte(struct wpa_supplicant *wpa_s, u8 *pos, int idx)
case 2: /* Bits 16-23 */
#ifdef CONFIG_WNM
*pos |= 0x02; /* Bit 17 - WNM-Sleep Mode */
- *pos |= 0x08; /* Bit 19 - BSS Transition */
+ if (!wpa_s->conf->disable_btm)
+ *pos |= 0x08; /* Bit 19 - BSS Transition */
#endif /* CONFIG_WNM */
break;
case 3: /* Bits 24-31 */
@@ -2064,7 +2068,7 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_TDLS */
if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
- ssid->mode == IEEE80211_MODE_INFRA) {
+ ssid->mode == WPAS_MODE_INFRA) {
sme_authenticate(wpa_s, bss, ssid);
return;
}
@@ -2138,6 +2142,7 @@ void ibss_mesh_setup_freq(struct wpa_supplicant *wpa_s,
const struct wpa_ssid *ssid,
struct hostapd_freq_params *freq)
{
+ int ieee80211_mode = wpas_mode_to_ieee80211_mode(ssid->mode);
enum hostapd_hw_mode hw_mode;
struct hostapd_hw_modes *mode = NULL;
int ht40plus[] = { 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157,
@@ -2201,6 +2206,9 @@ void ibss_mesh_setup_freq(struct wpa_supplicant *wpa_s,
if (!mode)
return;
+ /* HE can work without HT + VHT */
+ freq->he_enabled = mode->he_capab[ieee80211_mode].he_supported;
+
#ifdef CONFIG_HT_OVERRIDES
if (ssid->disable_ht) {
freq->ht_enabled = 0;
@@ -2354,11 +2362,11 @@ skip_ht40:
return;
}
- chwidth = VHT_CHANWIDTH_80MHZ;
+ chwidth = CHANWIDTH_80MHZ;
seg0 = vht80[j] + 6;
seg1 = 0;
- if (ssid->max_oper_chwidth == VHT_CHANWIDTH_80P80MHZ) {
+ if (ssid->max_oper_chwidth == CHANWIDTH_80P80MHZ) {
/* setup center_freq2, bandwidth */
for (k = 0; k < ARRAY_SIZE(vht80); k++) {
/* Only accept 80 MHz segments separated by a gap */
@@ -2377,27 +2385,27 @@ skip_ht40:
continue;
/* Found a suitable second segment for 80+80 */
- chwidth = VHT_CHANWIDTH_80P80MHZ;
+ chwidth = CHANWIDTH_80P80MHZ;
vht_caps |=
VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ;
seg1 = vht80[k] + 6;
}
- if (chwidth == VHT_CHANWIDTH_80P80MHZ)
+ if (chwidth == CHANWIDTH_80P80MHZ)
break;
}
- } else if (ssid->max_oper_chwidth == VHT_CHANWIDTH_160MHZ) {
+ } else if (ssid->max_oper_chwidth == CHANWIDTH_160MHZ) {
if (freq->freq == 5180) {
- chwidth = VHT_CHANWIDTH_160MHZ;
+ chwidth = CHANWIDTH_160MHZ;
vht_caps |= VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
seg0 = 50;
} else if (freq->freq == 5520) {
- chwidth = VHT_CHANWIDTH_160MHZ;
+ chwidth = CHANWIDTH_160MHZ;
vht_caps |= VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
seg0 = 114;
}
- } else if (ssid->max_oper_chwidth == VHT_CHANWIDTH_USE_HT) {
- chwidth = VHT_CHANWIDTH_USE_HT;
+ } else if (ssid->max_oper_chwidth == CHANWIDTH_USE_HT) {
+ chwidth = CHANWIDTH_USE_HT;
seg0 = vht80[j] + 2;
#ifdef CONFIG_HT_OVERRIDES
if (ssid->disable_ht40)
@@ -2407,9 +2415,10 @@ skip_ht40:
if (hostapd_set_freq_params(&vht_freq, mode->mode, freq->freq,
freq->channel, freq->ht_enabled,
- vht_freq.vht_enabled,
+ vht_freq.vht_enabled, freq->he_enabled,
freq->sec_channel_offset,
- chwidth, seg0, seg1, vht_caps) != 0)
+ chwidth, seg0, seg1, vht_caps,
+ &mode->he_capab[ieee80211_mode]) != 0)
return;
*freq = vht_freq;
@@ -3222,7 +3231,7 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SHA256 ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B ||
params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192))
- params.req_key_mgmt_offload = 1;
+ params.req_handshake_offload = 1;
if (wpa_s->conf->key_mgmt_offload) {
if (params.key_mgmt_suite == WPA_KEY_MGMT_IEEE8021X ||
@@ -3423,16 +3432,17 @@ static void wpa_supplicant_clear_connection(struct wpa_supplicant *wpa_s,
* current AP.
*/
void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s,
- int reason_code)
+ u16 reason_code)
{
u8 *addr = NULL;
union wpa_event_data event;
int zero_addr = 0;
wpa_dbg(wpa_s, MSG_DEBUG, "Request to deauthenticate - bssid=" MACSTR
- " pending_bssid=" MACSTR " reason=%d state=%s",
+ " pending_bssid=" MACSTR " reason=%d (%s) state=%s",
MAC2STR(wpa_s->bssid), MAC2STR(wpa_s->pending_bssid),
- reason_code, wpa_supplicant_state_txt(wpa_s->wpa_state));
+ reason_code, reason2str(reason_code),
+ wpa_supplicant_state_txt(wpa_s->wpa_state));
if (!is_zero_ether_addr(wpa_s->pending_bssid) &&
(wpa_s->wpa_state == WPA_AUTHENTICATING ||
@@ -3474,7 +3484,7 @@ void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s,
if (addr) {
wpa_drv_deauthenticate(wpa_s, addr, reason_code);
os_memset(&event, 0, sizeof(event));
- event.deauth_info.reason_code = (u16) reason_code;
+ event.deauth_info.reason_code = reason_code;
event.deauth_info.locally_generated = 1;
wpa_supplicant_event(wpa_s, EVENT_DEAUTH, &event);
if (zero_addr)
@@ -4229,7 +4239,7 @@ void wpa_supplicant_rx_eapol(void *ctx, const u8 *src_addr,
!wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt) ||
wpa_s->wpa_state != WPA_COMPLETED) &&
(wpa_s->current_ssid == NULL ||
- wpa_s->current_ssid->mode != IEEE80211_MODE_IBSS)) {
+ wpa_s->current_ssid->mode != WPAS_MODE_IBSS)) {
/* Timeout for completing IEEE 802.1X and WPA authentication */
int timeout = 10;
@@ -6621,6 +6631,9 @@ void wpa_supplicant_update_config(struct wpa_supplicant *wpa_s)
wpa_s->conf->wowlan_triggers);
}
+ if (wpa_s->conf->changed_parameters & CFG_CHANGED_DISABLE_BTM)
+ wpa_supplicant_set_default_scan_ies(wpa_s);
+
#ifdef CONFIG_WPS
wpas_wps_update_config(wpa_s);
#endif /* CONFIG_WPS */
@@ -7468,3 +7481,66 @@ int wpa_is_bss_tmp_disallowed(struct wpa_supplicant *wpa_s,
return 1;
}
+
+
+int wpas_enable_mac_addr_randomization(struct wpa_supplicant *wpa_s,
+ unsigned int type, const u8 *addr,
+ const u8 *mask)
+{
+ if ((addr && !mask) || (!addr && mask)) {
+ wpa_printf(MSG_INFO,
+ "MAC_ADDR_RAND_SCAN invalid addr/mask combination");
+ return -1;
+ }
+
+ if (addr && mask && (!(mask[0] & 0x01) || (addr[0] & 0x01))) {
+ wpa_printf(MSG_INFO,
+ "MAC_ADDR_RAND_SCAN cannot allow multicast address");
+ return -1;
+ }
+
+ if (type & MAC_ADDR_RAND_SCAN) {
+ if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCAN,
+ addr, mask))
+ return -1;
+ }
+
+ if (type & MAC_ADDR_RAND_SCHED_SCAN) {
+ if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_SCHED_SCAN,
+ addr, mask))
+ return -1;
+
+ if (wpa_s->sched_scanning && !wpa_s->pno)
+ wpas_scan_restart_sched_scan(wpa_s);
+ }
+
+ if (type & MAC_ADDR_RAND_PNO) {
+ if (wpas_mac_addr_rand_scan_set(wpa_s, MAC_ADDR_RAND_PNO,
+ addr, mask))
+ return -1;
+
+ if (wpa_s->pno) {
+ wpas_stop_pno(wpa_s);
+ wpas_start_pno(wpa_s);
+ }
+ }
+
+ return 0;
+}
+
+
+int wpas_disable_mac_addr_randomization(struct wpa_supplicant *wpa_s,
+ unsigned int type)
+{
+ wpas_mac_addr_rand_scan_clear(wpa_s, type);
+ if (wpa_s->pno) {
+ if (type & MAC_ADDR_RAND_PNO) {
+ wpas_stop_pno(wpa_s);
+ wpas_start_pno(wpa_s);
+ }
+ } else if (wpa_s->sched_scanning && (type & MAC_ADDR_RAND_SCHED_SCAN)) {
+ wpas_scan_restart_sched_scan(wpa_s);
+ }
+
+ return 0;
+}
diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
index 16e4db6..8a4bdf8 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
+++ b/freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
@@ -802,7 +802,9 @@ struct wpa_supplicant {
int sae_group_index;
unsigned int sae_pmksa_caching:1;
u16 seq_num;
- struct external_auth ext_auth;
+ u8 ext_auth_bssid[ETH_ALEN];
+ u8 ext_auth_ssid[SSID_MAX_LEN];
+ size_t ext_auth_ssid_len;
#endif /* CONFIG_SAE */
} sme;
#endif /* CONFIG_SME */
@@ -821,6 +823,7 @@ struct wpa_supplicant {
unsigned int mesh_if_created:1;
unsigned int mesh_ht_enabled:1;
unsigned int mesh_vht_enabled:1;
+ unsigned int mesh_he_enabled:1;
struct wpa_driver_mesh_join_params *mesh_params;
#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
/* struct external_pmksa_cache::list */
@@ -1291,7 +1294,7 @@ struct wpa_ssid * wpa_supplicant_get_ssid(struct wpa_supplicant *wpa_s);
const char * wpa_supplicant_get_eap_mode(struct wpa_supplicant *wpa_s);
void wpa_supplicant_cancel_auth_timeout(struct wpa_supplicant *wpa_s);
void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s,
- int reason_code);
+ u16 reason_code);
struct wpa_ssid * wpa_supplicant_add_network(struct wpa_supplicant *wpa_s);
int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id);
@@ -1415,6 +1418,12 @@ size_t wpas_supp_op_class_ie(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid,
int freq, u8 *pos, size_t len);
+int wpas_enable_mac_addr_randomization(struct wpa_supplicant *wpa_s,
+ unsigned int type, const u8 *addr,
+ const u8 *mask);
+int wpas_disable_mac_addr_randomization(struct wpa_supplicant *wpa_s,
+ unsigned int type);
+
/**
* wpa_supplicant_ctrl_iface_ctrl_rsp_handle - Handle a control response
* @wpa_s: Pointer to wpa_supplicant data
@@ -1462,6 +1471,25 @@ static inline int network_is_persistent_group(struct wpa_ssid *ssid)
return ssid->disabled == 2 && ssid->p2p_persistent_group;
}
+
+static inline int wpas_mode_to_ieee80211_mode(enum wpas_mode mode)
+{
+ switch (mode) {
+ default:
+ case WPAS_MODE_INFRA:
+ return IEEE80211_MODE_INFRA;
+ case WPAS_MODE_IBSS:
+ return IEEE80211_MODE_IBSS;
+ case WPAS_MODE_AP:
+ case WPAS_MODE_P2P_GO:
+ case WPAS_MODE_P2P_GROUP_FORMATION:
+ return IEEE80211_MODE_AP;
+ case WPAS_MODE_MESH:
+ return IEEE80211_MODE_MESH;
+ }
+}
+
+
int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid);
int wpas_get_ssid_pmf(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid);
diff --git a/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c b/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c
index 3dc6a21..fa88bd8 100644
--- a/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c
+++ b/freebsd/contrib/wpa/wpa_supplicant/wpas_glue.c
@@ -466,7 +466,7 @@ static enum wpa_states _wpa_supplicant_get_state(void *wpa_s)
}
-static void _wpa_supplicant_deauthenticate(void *wpa_s, int reason_code)
+static void _wpa_supplicant_deauthenticate(void *wpa_s, u16 reason_code)
{
wpa_supplicant_deauthenticate(wpa_s, reason_code);
/* Schedule a scan to make sure we continue looking for networks */
@@ -1019,15 +1019,12 @@ static void wpa_supplicant_port_cb(void *ctx, int authorized)
}
-static void wpa_supplicant_cert_cb(void *ctx, int depth, const char *subject,
- const char *altsubject[], int num_altsubject,
- const char *cert_hash,
- const struct wpabuf *cert)
+static void wpa_supplicant_cert_cb(void *ctx, struct tls_cert_data *cert,
+ const char *cert_hash)
{
struct wpa_supplicant *wpa_s = ctx;
- wpas_notify_certification(wpa_s, depth, subject, altsubject,
- num_altsubject, cert_hash, cert);
+ wpas_notify_certification(wpa_s, cert, cert_hash);
}
diff --git a/freebsd/crypto/openssl/apps/apps.c b/freebsd/crypto/openssl/apps/apps.c
index 4b27a74..69c2269 100644
--- a/freebsd/crypto/openssl/apps/apps.c
+++ b/freebsd/crypto/openssl/apps/apps.c
@@ -50,7 +50,6 @@
#endif
#include <openssl/bn.h>
#include <openssl/ssl.h>
-#include "s_apps.h"
#include "apps.h"
#ifdef _WIN32
@@ -58,6 +57,14 @@ static int WIN32_rename(const char *from, const char *to);
# define rename(from,to) WIN32_rename((from),(to))
#endif
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+# include <conio.h>
+#endif
+
+#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
+# define _kbhit kbhit
+#endif
+
typedef struct {
const char *name;
unsigned long flag;
diff --git a/freebsd/crypto/openssl/apps/apps.h b/freebsd/crypto/openssl/apps/apps.h
index d9eb650..4a3e1a8 100644
--- a/freebsd/crypto/openssl/apps/apps.h
+++ b/freebsd/crypto/openssl/apps/apps.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -444,11 +444,9 @@ void destroy_ui_method(void);
const UI_METHOD *get_ui_method(void);
int chopup_args(ARGS *arg, char *buf);
-# ifdef HEADER_X509_H
int dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, X509_NAME *nm,
unsigned long lflags);
-# endif
void print_bignum_var(BIO *, const BIGNUM *, const char*,
int, unsigned char *);
void print_array(BIO *, const char *, int, const unsigned char *);
diff --git a/freebsd/crypto/openssl/apps/ca.c b/freebsd/crypto/openssl/apps/ca.c
index f0761ef..4bf0ce1 100644
--- a/freebsd/crypto/openssl/apps/ca.c
+++ b/freebsd/crypto/openssl/apps/ca.c
@@ -6,7 +6,7 @@
#endif /* __rtems__ */
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -729,7 +729,7 @@ end_of_options:
/*****************************************************************/
if (req || gencrl) {
- if (spkac_file != NULL) {
+ if (spkac_file != NULL && outfile != NULL) {
output_der = 1;
batch = 1;
}
diff --git a/freebsd/crypto/openssl/apps/dgst.c b/freebsd/crypto/openssl/apps/dgst.c
index 9f1b907..a5a4744 100644
--- a/freebsd/crypto/openssl/apps/dgst.c
+++ b/freebsd/crypto/openssl/apps/dgst.c
@@ -6,7 +6,7 @@
#endif /* __rtems__ */
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -428,7 +428,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
size_t len;
int i;
- for (;;) {
+ while (BIO_pending(bp) || !BIO_eof(bp)) {
i = BIO_read(bp, (char *)buf, BUFSIZE);
if (i < 0) {
BIO_printf(bio_err, "Read Error in %s\n", file);
diff --git a/freebsd/crypto/openssl/apps/enc.c b/freebsd/crypto/openssl/apps/enc.c
index 3520031..b2cd74c 100644
--- a/freebsd/crypto/openssl/apps/enc.c
+++ b/freebsd/crypto/openssl/apps/enc.c
@@ -598,7 +598,7 @@ int enc_main(int argc, char **argv)
if (benc != NULL)
wbio = BIO_push(benc, wbio);
- for (;;) {
+ while (BIO_pending(rbio) || !BIO_eof(rbio)) {
inl = BIO_read(rbio, (char *)buff, bsize);
if (inl <= 0)
break;
diff --git a/freebsd/crypto/openssl/apps/ocsp.c b/freebsd/crypto/openssl/apps/ocsp.c
index 2aaf3b9..7ff6a20 100644
--- a/freebsd/crypto/openssl/apps/ocsp.c
+++ b/freebsd/crypto/openssl/apps/ocsp.c
@@ -1423,9 +1423,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*q = '\0';
/*
- * Skip "GET / HTTP..." requests often used by load-balancers
+ * Skip "GET / HTTP..." requests often used by load-balancers. Note:
+ * 'p' was incremented above to point to the first byte *after* the
+ * leading slash, so with 'GET / ' it is now an empty string.
*/
- if (p[1] == '\0')
+ if (p[0] == '\0')
goto out;
len = urldecode(p);
diff --git a/freebsd/crypto/openssl/apps/openssl.c b/freebsd/crypto/openssl/apps/openssl.c
index a658a25..31ec58d 100644
--- a/freebsd/crypto/openssl/apps/openssl.c
+++ b/freebsd/crypto/openssl/apps/openssl.c
@@ -6,7 +6,7 @@
#endif /* __rtems__ */
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -33,7 +33,6 @@
# include <openssl/engine.h>
#endif
#include <openssl/err.h>
-#include "s_apps.h"
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>
diff --git a/freebsd/crypto/openssl/apps/pkcs12.c b/freebsd/crypto/openssl/apps/pkcs12.c
index 66993dc..c3111ee 100644
--- a/freebsd/crypto/openssl/apps/pkcs12.c
+++ b/freebsd/crypto/openssl/apps/pkcs12.c
@@ -845,7 +845,7 @@ static int alg_print(const X509_ALGOR *alg)
goto done;
}
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
- "Block size(r): %ld, Paralelizm(p): %ld",
+ "Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
diff --git a/freebsd/crypto/openssl/apps/req.c b/freebsd/crypto/openssl/apps/req.c
index 2fc7e79..546c80a 100644
--- a/freebsd/crypto/openssl/apps/req.c
+++ b/freebsd/crypto/openssl/apps/req.c
@@ -6,7 +6,7 @@
#endif /* __rtems__ */
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -888,9 +888,19 @@ int req_main(int argc, char **argv)
if (text) {
if (x509)
- X509_print_ex(out, x509ss, get_nameopt(), reqflag);
+ ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
else
- X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
+ ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
+
+ if (ret == 0) {
+ if (x509)
+ BIO_printf(bio_err, "Error printing certificate\n");
+ else
+ BIO_printf(bio_err, "Error printing certificate request\n");
+
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
if (subject) {
diff --git a/freebsd/crypto/openssl/apps/s_apps.h b/freebsd/crypto/openssl/apps/s_apps.h
index 0a3bc96..f94e659 100644
--- a/freebsd/crypto/openssl/apps/s_apps.h
+++ b/freebsd/crypto/openssl/apps/s_apps.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,13 +9,7 @@
#include <openssl/opensslconf.h>
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-# include <conio.h>
-#endif
-
-#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
-# define _kbhit kbhit
-#endif
+#include <openssl/ssl.h>
#define PORT "4433"
#define PROTOCOL "tcp"
@@ -24,17 +18,15 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out);
-#ifdef HEADER_X509_H
+
int verify_callback(int ok, X509_STORE_CTX *ctx);
-#endif
-#ifdef HEADER_SSL_H
+
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_groups(BIO *out, SSL *s, int noshared);
-#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
@@ -44,13 +36,11 @@ int should_retry(int i);
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
-#ifdef HEADER_SSL_H
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
int len, void *arg);
-#endif
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
@@ -75,7 +65,6 @@ int args_excert(int option, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc);
void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
-#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
@@ -86,4 +75,3 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
-#endif
diff --git a/freebsd/crypto/openssl/apps/s_cb.c b/freebsd/crypto/openssl/apps/s_cb.c
index 3df9547..7b60c2d 100644
--- a/freebsd/crypto/openssl/apps/s_cb.c
+++ b/freebsd/crypto/openssl/apps/s_cb.c
@@ -1537,7 +1537,8 @@ void print_ca_names(BIO *bio, SSL *s)
int i;
if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
- BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
+ if (!SSL_is_server(s))
+ BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
return;
}
diff --git a/freebsd/crypto/openssl/apps/s_client.c b/freebsd/crypto/openssl/apps/s_client.c
index 4c052ef..7810574 100644
--- a/freebsd/crypto/openssl/apps/s_client.c
+++ b/freebsd/crypto/openssl/apps/s_client.c
@@ -2367,7 +2367,7 @@ int s_client_main(int argc, char **argv)
(void)BIO_flush(fbio);
/*
* The first line is the HTTP response. According to RFC 7230,
- * it's formated exactly like this:
+ * it's formatted exactly like this:
*
* HTTP/d.d ddd Reason text\r\n
*/
diff --git a/freebsd/crypto/openssl/apps/speed.c b/freebsd/crypto/openssl/apps/speed.c
index 02eb30a..47e1a2f 100644
--- a/freebsd/crypto/openssl/apps/speed.c
+++ b/freebsd/crypto/openssl/apps/speed.c
@@ -1809,7 +1809,7 @@ int speed_main(int argc, char **argv)
}
buflen = lengths[size_num - 1];
- if (buflen < 36) /* size of random vector in RSA bencmark */
+ if (buflen < 36) /* size of random vector in RSA benchmark */
buflen = 36;
buflen += MAX_MISALIGNMENT + 1;
loopargs[i].buf_malloc = app_malloc(buflen, "input buffer");
diff --git a/freebsd/crypto/openssl/crypto/asn1/a_time.c b/freebsd/crypto/openssl/crypto/asn1/a_time.c
index 1031b36..ad8c916 100644
--- a/freebsd/crypto/openssl/crypto/asn1/a_time.c
+++ b/freebsd/crypto/openssl/crypto/asn1/a_time.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -69,7 +69,7 @@ static void determine_days(struct tm *tm)
}
c = y / 100;
y %= 100;
- /* Zeller's congruance */
+ /* Zeller's congruence */
tm->tm_wday = (d + (13 * m) / 5 + y + y / 4 + c / 4 + 5 * c + 6) % 7;
}
@@ -81,7 +81,11 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
char *a;
int n, i, i2, l, o, min_l = 11, strict = 0, end = 6, btz = 5, md;
struct tm tmp;
-
+#if defined(CHARSET_EBCDIC)
+ const char upper_z = 0x5A, num_zero = 0x30, period = 0x2E, minus = 0x2D, plus = 0x2B;
+#else
+ const char upper_z = 'Z', num_zero = '0', period = '.', minus = '-', plus = '+';
+#endif
/*
* ASN1_STRING_FLAG_X509_TIME is used to enforce RFC 5280
* time string format, in which:
@@ -122,20 +126,20 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
if (l < min_l)
goto err;
for (i = 0; i < end; i++) {
- if (!strict && (i == btz) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
+ if (!strict && (i == btz) && ((a[o] == upper_z) || (a[o] == plus) || (a[o] == minus))) {
i++;
break;
}
- if (!ossl_isdigit(a[o]))
+ if (!ascii_isdigit(a[o]))
goto err;
- n = a[o] - '0';
+ n = a[o] - num_zero;
/* incomplete 2-digital number */
if (++o == l)
goto err;
- if (!ossl_isdigit(a[o]))
+ if (!ascii_isdigit(a[o]))
goto err;
- n = (n * 10) + a[o] - '0';
+ n = (n * 10) + a[o] - num_zero;
/* no more bytes to read, but we haven't seen time-zone yet */
if (++o == l)
goto err;
@@ -187,14 +191,14 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
* Optional fractional seconds: decimal point followed by one or more
* digits.
*/
- if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == '.') {
+ if (d->type == V_ASN1_GENERALIZEDTIME && a[o] == period) {
if (strict)
/* RFC 5280 forbids fractional seconds */
goto err;
if (++o == l)
goto err;
i = o;
- while ((o < l) && ossl_isdigit(a[o]))
+ while ((o < l) && ascii_isdigit(a[o]))
o++;
/* Must have at least one digit after decimal point */
if (i == o)
@@ -209,10 +213,10 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
* 'o' can point to '\0' is either the subsequent if or the first
* else if is true.
*/
- if (a[o] == 'Z') {
+ if (a[o] == upper_z) {
o++;
- } else if (!strict && ((a[o] == '+') || (a[o] == '-'))) {
- int offsign = a[o] == '-' ? 1 : -1;
+ } else if (!strict && ((a[o] == plus) || (a[o] == minus))) {
+ int offsign = a[o] == minus ? 1 : -1;
int offset = 0;
o++;
@@ -225,13 +229,13 @@ int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d)
if (o + 4 != l)
goto err;
for (i = end; i < end + 2; i++) {
- if (!ossl_isdigit(a[o]))
+ if (!ascii_isdigit(a[o]))
goto err;
- n = a[o] - '0';
+ n = a[o] - num_zero;
o++;
- if (!ossl_isdigit(a[o]))
+ if (!ascii_isdigit(a[o]))
goto err;
- n = (n * 10) + a[o] - '0';
+ n = (n * 10) + a[o] - num_zero;
i2 = (d->type == V_ASN1_UTCTIME) ? i + 1 : i;
if ((n < min[i2]) || (n > max[i2]))
goto err;
@@ -302,7 +306,7 @@ ASN1_TIME *asn1_time_from_tm(ASN1_TIME *s, struct tm *ts, int type)
ts->tm_mday, ts->tm_hour, ts->tm_min,
ts->tm_sec);
-#ifdef CHARSET_EBCDIC_not
+#ifdef CHARSET_EBCDIC
ebcdic2ascii(tmps->data, tmps->data, tmps->length);
#endif
return tmps;
@@ -469,6 +473,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
char *v;
int gmt = 0, l;
struct tm stm;
+ const char upper_z = 0x5A, period = 0x2E;
if (!asn1_time_to_tm(&stm, tm)) {
/* asn1_time_to_tm will check the time type */
@@ -477,7 +482,7 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
l = tm->length;
v = (char *)tm->data;
- if (v[l - 1] == 'Z')
+ if (v[l - 1] == upper_z)
gmt = 1;
if (tm->type == V_ASN1_GENERALIZEDTIME) {
@@ -488,10 +493,10 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
* Try to parse fractional seconds. '14' is the place of
* 'fraction point' in a GeneralizedTime string.
*/
- if (tm->length > 15 && v[14] == '.') {
+ if (tm->length > 15 && v[14] == period) {
f = &v[14];
f_len = 1;
- while (14 + f_len < l && ossl_isdigit(f[f_len]))
+ while (14 + f_len < l && ascii_isdigit(f[f_len]))
++f_len;
}
diff --git a/freebsd/crypto/openssl/crypto/asn1/a_type.c b/freebsd/crypto/openssl/crypto/asn1/a_type.c
index b72396c..6166397 100644
--- a/freebsd/crypto/openssl/crypto/asn1/a_type.c
+++ b/freebsd/crypto/openssl/crypto/asn1/a_type.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -17,7 +17,9 @@
int ASN1_TYPE_get(const ASN1_TYPE *a)
{
- if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
+ if (a->type == V_ASN1_BOOLEAN
+ || a->type == V_ASN1_NULL
+ || a->value.ptr != NULL)
return a->type;
else
return 0;
@@ -25,7 +27,9 @@ int ASN1_TYPE_get(const ASN1_TYPE *a)
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
{
- if (a->value.ptr != NULL) {
+ if (a->type != V_ASN1_BOOLEAN
+ && a->type != V_ASN1_NULL
+ && a->value.ptr != NULL) {
ASN1_TYPE **tmp_a = &a;
asn1_primitive_free((ASN1_VALUE **)tmp_a, NULL, 0);
}
diff --git a/freebsd/crypto/openssl/crypto/asn1/x_bignum.c b/freebsd/crypto/openssl/crypto/asn1/x_bignum.c
index f4068db..0cf718d 100644
--- a/freebsd/crypto/openssl/crypto/asn1/x_bignum.c
+++ b/freebsd/crypto/openssl/crypto/asn1/x_bignum.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -132,9 +132,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
int utype, char *free_cont, const ASN1_ITEM *it)
{
- if (!*pval)
- bn_secure_new(pval, it);
- return bn_c2i(pval, cont, len, utype, free_cont, it);
+ int ret;
+ BIGNUM *bn;
+
+ if (!*pval && !bn_secure_new(pval, it))
+ return 0;
+
+ ret = bn_c2i(pval, cont, len, utype, free_cont, it);
+ if (!ret)
+ return 0;
+
+ /* Set constant-time flag for all secure BIGNUMS */
+ bn = (BIGNUM *)*pval;
+ BN_set_flags(bn, BN_FLG_CONSTTIME);
+ return ret;
}
static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
diff --git a/freebsd/crypto/openssl/crypto/bio/b_addr.c b/freebsd/crypto/openssl/crypto/bio/b_addr.c
index 5a672da..eca19cd 100644
--- a/freebsd/crypto/openssl/crypto/bio/b_addr.c
+++ b/freebsd/crypto/openssl/crypto/bio/b_addr.c
@@ -677,7 +677,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
if (1) {
#ifdef AI_PASSIVE
- int gai_ret = 0;
+ int gai_ret = 0, old_ret = 0;
struct addrinfo hints;
memset(&hints, 0, sizeof(hints));
@@ -685,12 +685,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
hints.ai_family = family;
hints.ai_socktype = socktype;
hints.ai_protocol = protocol;
-#ifdef AI_ADDRCONFIG
-#ifdef AF_UNSPEC
+# ifdef AI_ADDRCONFIG
+# ifdef AF_UNSPEC
if (family == AF_UNSPEC)
-#endif
+# endif
hints.ai_flags |= AI_ADDRCONFIG;
-#endif
+# endif
if (lookup_type == BIO_LOOKUP_SERVER)
hints.ai_flags |= AI_PASSIVE;
@@ -698,6 +698,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
/* Note that |res| SHOULD be a 'struct addrinfo **' thanks to
* macro magic in bio_lcl.h
*/
+ retry:
switch ((gai_ret = getaddrinfo(host, service, &hints, res))) {
# ifdef EAI_SYSTEM
case EAI_SYSTEM:
@@ -705,12 +706,25 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
break;
# endif
+# ifdef EAI_MEMORY
+ case EAI_MEMORY:
+ BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
+ break;
+# endif
case 0:
ret = 1; /* Success */
break;
default:
+# if defined(AI_ADDRCONFIG) && defined(AI_NUMERICHOST)
+ if (hints.ai_flags & AI_ADDRCONFIG) {
+ hints.ai_flags &= ~AI_ADDRCONFIG;
+ hints.ai_flags |= AI_NUMERICHOST;
+ old_ret = gai_ret;
+ goto retry;
+ }
+# endif
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
- ERR_add_error_data(1, gai_strerror(gai_ret));
+ ERR_add_error_data(1, gai_strerror(old_ret ? old_ret : gai_ret));
break;
}
} else {
diff --git a/freebsd/crypto/openssl/crypto/bio/bss_dgram.c b/freebsd/crypto/openssl/crypto/bio/bss_dgram.c
index 160a7c8..e94a27d 100644
--- a/freebsd/crypto/openssl/crypto/bio/bss_dgram.c
+++ b/freebsd/crypto/openssl/crypto/bio/bss_dgram.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -786,7 +786,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
* reasons. When BIO_CTRL_DGRAM_SET_PEEK_MODE was first defined its value
* was incorrectly clashing with BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. The
* value has been updated to a non-clashing value. However to preserve
- * binary compatiblity we now respond to both the old value and the new one
+ * binary compatibility we now respond to both the old value and the new one
*/
case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
case BIO_CTRL_DGRAM_SET_PEEK_MODE:
diff --git a/freebsd/crypto/openssl/crypto/bio/bss_file.c b/freebsd/crypto/openssl/crypto/bio/bss_file.c
index 1411744..e4c7e27 100644
--- a/freebsd/crypto/openssl/crypto/bio/bss_file.c
+++ b/freebsd/crypto/openssl/crypto/bio/bss_file.c
@@ -9,10 +9,7 @@
* https://www.openssl.org/source/license.html
*/
-#ifndef HEADER_BSS_FILE_C
-# define HEADER_BSS_FILE_C
-
-# if defined(__linux) || defined(__sun) || defined(__hpux)
+#if defined(__linux) || defined(__sun) || defined(__hpux)
/*
* Following definition aliases fopen to fopen64 on above mentioned
* platforms. This makes it possible to open and sequentially access files
@@ -25,17 +22,17 @@
* of 32-bit platforms which allow for sequential access of large files
* without extra "magic" comprise *BSD, Darwin, IRIX...
*/
-# ifndef _FILE_OFFSET_BITS
-# define _FILE_OFFSET_BITS 64
-# endif
+# ifndef _FILE_OFFSET_BITS
+# define _FILE_OFFSET_BITS 64
# endif
+#endif
-# include <stdio.h>
-# include <errno.h>
-# include "bio_lcl.h"
-# include <openssl/err.h>
+#include <stdio.h>
+#include <errno.h>
+#include "bio_lcl.h"
+#include <openssl/err.h>
-# if !defined(OPENSSL_NO_STDIO)
+#if !defined(OPENSSL_NO_STDIO)
static int file_write(BIO *h, const char *buf, int num);
static int file_read(BIO *h, char *buf, int size);
@@ -74,9 +71,9 @@ BIO *BIO_new_file(const char *filename, const char *mode)
SYSerr(SYS_F_FOPEN, get_last_sys_error());
ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
if (errno == ENOENT
-# ifdef ENXIO
+#ifdef ENXIO
|| errno == ENXIO
-# endif
+#endif
)
BIOerr(BIO_F_BIO_NEW_FILE, BIO_R_NO_SUCH_FILE);
else
@@ -214,33 +211,33 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
b->shutdown = (int)num & BIO_CLOSE;
b->ptr = ptr;
b->init = 1;
-# if BIO_FLAGS_UPLINK!=0
-# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
-# define _IOB_ENTRIES 20
-# endif
+# if BIO_FLAGS_UPLINK!=0
+# if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
+# define _IOB_ENTRIES 20
+# endif
/* Safety net to catch purely internal BIO_set_fp calls */
-# if defined(_MSC_VER) && _MSC_VER>=1900
+# if defined(_MSC_VER) && _MSC_VER>=1900
if (ptr == stdin || ptr == stdout || ptr == stderr)
BIO_clear_flags(b, BIO_FLAGS_UPLINK);
-# elif defined(_IOB_ENTRIES)
+# elif defined(_IOB_ENTRIES)
if ((size_t)ptr >= (size_t)stdin &&
(size_t)ptr < (size_t)(stdin + _IOB_ENTRIES))
BIO_clear_flags(b, BIO_FLAGS_UPLINK);
-# endif
# endif
-# ifdef UP_fsetmod
+# endif
+# ifdef UP_fsetmod
if (b->flags & BIO_FLAGS_UPLINK)
UP_fsetmod(b->ptr, (char)((num & BIO_FP_TEXT) ? 't' : 'b'));
else
-# endif
+# endif
{
-# if defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_WINDOWS)
int fd = _fileno((FILE *)ptr);
if (num & BIO_FP_TEXT)
_setmode(fd, _O_TEXT);
else
_setmode(fd, _O_BINARY);
-# elif defined(OPENSSL_SYS_MSDOS)
+# elif defined(OPENSSL_SYS_MSDOS)
int fd = fileno((FILE *)ptr);
/* Set correct text/binary mode */
if (num & BIO_FP_TEXT)
@@ -253,11 +250,11 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
} else
_setmode(fd, _O_BINARY);
}
-# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
int fd = fileno((FILE *)ptr);
if (!(num & BIO_FP_TEXT))
setmode(fd, O_BINARY);
-# endif
+# endif
}
break;
case BIO_C_SET_FILENAME:
@@ -279,15 +276,15 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
break;
}
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
if (!(num & BIO_FP_TEXT))
OPENSSL_strlcat(p, "b", sizeof(p));
else
OPENSSL_strlcat(p, "t", sizeof(p));
-# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
if (!(num & BIO_FP_TEXT))
OPENSSL_strlcat(p, "b", sizeof(p));
-# endif
+# endif
fp = openssl_fopen(ptr, p);
if (fp == NULL) {
SYSerr(SYS_F_FOPEN, get_last_sys_error());
@@ -424,6 +421,4 @@ BIO *BIO_new_file(const char *filename, const char *mode)
return NULL;
}
-# endif /* OPENSSL_NO_STDIO */
-
-#endif /* HEADER_BSS_FILE_C */
+#endif /* OPENSSL_NO_STDIO */
diff --git a/freebsd/crypto/openssl/crypto/bio/bss_mem.c b/freebsd/crypto/openssl/crypto/bio/bss_mem.c
index 8f14d79..be61400 100644
--- a/freebsd/crypto/openssl/crypto/bio/bss_mem.c
+++ b/freebsd/crypto/openssl/crypto/bio/bss_mem.c
@@ -261,9 +261,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
bm = bbm->buf;
if (bm->data != NULL) {
if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
- if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
- bm->length = bm->max;
- } else {
+ if (!(b->flags & BIO_FLAGS_NONCLEAR_RST)) {
memset(bm->data, 0, bm->max);
bm->length = 0;
}
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_div.c b/freebsd/crypto/openssl/crypto/bn/bn_div.c
index efb7142..684264e 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_div.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_div.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -260,7 +260,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
*
* - availability of constant-time bn_div_3_words;
* - dividend is at least as "wide" as divisor, limb-wise, zero-padded
- * if so requied, which shouldn't be a privacy problem, because
+ * if so required, which shouldn't be a privacy problem, because
* divisor's length is considered public;
*/
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_lcl.h b/freebsd/crypto/openssl/crypto/bn/bn_lcl.h
index 8a36db2..7f823a6 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_lcl.h
+++ b/freebsd/crypto/openssl/crypto/bn/bn_lcl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -295,7 +295,7 @@ struct bn_gencb_st {
(b) > 23 ? 3 : 1)
/*
- * BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
+ * BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
* line width of the target processor is at least the following value.
*/
# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_lib.c b/freebsd/crypto/openssl/crypto/bn/bn_lib.c
index e900e4a..611db29 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_lib.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_lib.c
@@ -134,20 +134,66 @@ int BN_num_bits_word(BN_ULONG l)
return bits;
}
+/*
+ * This function still leaks `a->dmax`: it's caller's responsibility to
+ * expand the input `a` in advance to a public length.
+ */
+static ossl_inline
+int bn_num_bits_consttime(const BIGNUM *a)
+{
+ int j, ret;
+ unsigned int mask, past_i;
+ int i = a->top - 1;
+ bn_check_top(a);
+
+ for (j = 0, past_i = 0, ret = 0; j < a->dmax; j++) {
+ mask = constant_time_eq_int(i, j); /* 0xff..ff if i==j, 0x0 otherwise */
+
+ ret += BN_BITS2 & (~mask & ~past_i);
+ ret += BN_num_bits_word(a->d[j]) & mask;
+
+ past_i |= mask; /* past_i will become 0xff..ff after i==j */
+ }
+
+ /*
+ * if BN_is_zero(a) => i is -1 and ret contains garbage, so we mask the
+ * final result.
+ */
+ mask = ~(constant_time_eq_int(i, ((int)-1)));
+
+ return ret & mask;
+}
+
int BN_num_bits(const BIGNUM *a)
{
int i = a->top - 1;
bn_check_top(a);
+ if (a->flags & BN_FLG_CONSTTIME) {
+ /*
+ * We assume that BIGNUMs flagged as CONSTTIME have also been expanded
+ * so that a->dmax is not leaking secret information.
+ *
+ * In other words, it's the caller's responsibility to ensure `a` has
+ * been preallocated in advance to a public length if we hit this
+ * branch.
+ *
+ */
+ return bn_num_bits_consttime(a);
+ }
+
if (BN_is_zero(a))
return 0;
+
return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
}
-static void bn_free_d(BIGNUM *a)
+static void bn_free_d(BIGNUM *a, int clear)
{
if (BN_get_flags(a, BN_FLG_SECURE))
- OPENSSL_secure_free(a->d);
+ OPENSSL_secure_clear_free(a->d, a->dmax * sizeof(a->d[0]));
+ else if (clear != 0)
+ OPENSSL_clear_free(a->d, a->dmax * sizeof(a->d[0]));
else
OPENSSL_free(a->d);
}
@@ -157,10 +203,8 @@ void BN_clear_free(BIGNUM *a)
{
if (a == NULL)
return;
- if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
- OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
- bn_free_d(a);
- }
+ if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA))
+ bn_free_d(a, 1);
if (BN_get_flags(a, BN_FLG_MALLOCED)) {
OPENSSL_cleanse(a, sizeof(*a));
OPENSSL_free(a);
@@ -172,7 +216,7 @@ void BN_free(BIGNUM *a)
if (a == NULL)
return;
if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
- bn_free_d(a);
+ bn_free_d(a, 0);
if (a->flags & BN_FLG_MALLOCED)
OPENSSL_free(a);
}
@@ -250,10 +294,8 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
BN_ULONG *a = bn_expand_internal(b, words);
if (!a)
return NULL;
- if (b->d) {
- OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
- bn_free_d(b);
- }
+ if (b->d != NULL)
+ bn_free_d(b, 1);
b->d = a;
b->dmax = words;
}
@@ -418,8 +460,11 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
return ret;
}
+typedef enum {big, little} endianess_t;
+
/* ignore negative */
-static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
+static
+int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianess_t endianess)
{
int n;
size_t i, lasti, j, atop, mask;
@@ -451,10 +496,17 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
lasti = atop - 1;
atop = a->top * BN_BYTES;
- for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
+ if (endianess == big)
+ to += tolen; /* start from the end of the buffer */
+ for (i = 0, j = 0; j < (size_t)tolen; j++) {
+ unsigned char val;
l = a->d[i / BN_BYTES];
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
- *--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+ val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+ if (endianess == big)
+ *--to = val;
+ else
+ *to++ = val;
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
}
@@ -465,12 +517,12 @@ int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
if (tolen < 0)
return -1;
- return bn2binpad(a, to, tolen);
+ return bn2binpad(a, to, tolen, big);
}
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
- return bn2binpad(a, to, -1);
+ return bn2binpad(a, to, -1, big);
}
BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
@@ -522,22 +574,9 @@ BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
{
- int i;
- BN_ULONG l;
- bn_check_top(a);
- i = BN_num_bytes(a);
- if (tolen < i)
+ if (tolen < 0)
return -1;
- /* Add trailing zeroes if necessary */
- if (tolen > i)
- memset(to + i, 0, tolen - i);
- to += i;
- while (i--) {
- l = a->d[i / BN_BYTES];
- to--;
- *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
- }
- return tolen;
+ return bn2binpad(a, to, tolen, little);
}
int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_prime.c b/freebsd/crypto/openssl/crypto/bn/bn_prime.c
index c379eab..f5d8fab 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_prime.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_prime.c
@@ -65,8 +65,12 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
/* There are no prime numbers this small. */
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
return 0;
- } else if (bits == 2 && safe) {
- /* The smallest safe prime (7) is three bits. */
+ } else if (add == NULL && safe && bits < 6 && bits != 3) {
+ /*
+ * The smallest safe prime (7) is three bits.
+ * But the following two safe primes with less than 6 bits (11, 23)
+ * are unreachable for BN_rand with BN_RAND_TOP_TWO.
+ */
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
return 0;
}
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_rand.c b/freebsd/crypto/openssl/crypto/bn/bn_rand.c
index 68ded7c..f4d7eec 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_rand.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_rand.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -227,8 +227,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
goto err;
/* We copy |priv| into a local buffer to avoid exposing its length. */
- todo = sizeof(priv->d[0]) * priv->top;
- if (todo > sizeof(private_bytes)) {
+ if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
/*
* No reasonable DSA or ECDSA key should have a private key this
* large and we don't handle this case in order to avoid leaking the
@@ -237,8 +236,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err;
}
- memcpy(private_bytes, priv->d, todo);
- memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
for (done = 0; done < num_k_bytes;) {
if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c b/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c
index 7e6f0b7..e6f424c 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_sqrt.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -127,7 +127,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
* = a.
*
* (This is due to A.O.L. Atkin,
- * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+ * Subject: Square Roots and Cognate Matters modulo p=8n+5.
+ * URL: https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind9211&L=NMBRTHRY&P=4026
* November 1992.)
*/
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_att.c b/freebsd/crypto/openssl/crypto/cms/cms_att.c
index b5043b7..252f596 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_att.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_att.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,6 +15,56 @@
#include <openssl/err.h>
#include <openssl/cms.h>
#include "cms_lcl.h"
+#include "internal/nelem.h"
+
+/*-
+ * Attribute flags.
+ * CMS attribute restrictions are discussed in
+ * - RFC 5652 Section 11.
+ * ESS attribute restrictions are discussed in
+ * - RFC 2634 Section 1.3.4 AND
+ * - RFC 5035 Section 5.4
+ */
+/* This is a signed attribute */
+#define CMS_ATTR_F_SIGNED 0x01
+/* This is an unsigned attribute */
+#define CMS_ATTR_F_UNSIGNED 0x02
+/* Must be present if there are any other attributes of the same type */
+#define CMS_ATTR_F_REQUIRED_COND 0x10
+/* There can only be one instance of this attribute */
+#define CMS_ATTR_F_ONLY_ONE 0x20
+/* The Attribute's value must have exactly one entry */
+#define CMS_ATTR_F_ONE_ATTR_VALUE 0x40
+
+/* Attributes rules for different attributes */
+static const struct {
+ int nid; /* The attribute id */
+ int flags;
+} cms_attribute_properties[] = {
+ /* See RFC Section 11 */
+ { NID_pkcs9_contentType, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE
+ | CMS_ATTR_F_REQUIRED_COND },
+ { NID_pkcs9_messageDigest, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE
+ | CMS_ATTR_F_REQUIRED_COND },
+ { NID_pkcs9_signingTime, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE },
+ { NID_pkcs9_countersignature, CMS_ATTR_F_UNSIGNED },
+ /* ESS */
+ { NID_id_smime_aa_signingCertificate, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE },
+ { NID_id_smime_aa_signingCertificateV2, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE },
+ { NID_id_smime_aa_receiptRequest, CMS_ATTR_F_SIGNED
+ | CMS_ATTR_F_ONLY_ONE
+ | CMS_ATTR_F_ONE_ATTR_VALUE }
+};
/* CMS SignedData Attribute utilities */
@@ -151,4 +201,86 @@ void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type);
}
-/* Specific attribute cases */
+/*
+ * Retrieve an attribute by nid from a stack of attributes starting at index
+ * *lastpos + 1.
+ * Returns the attribute or NULL if there is no attribute.
+ * If an attribute was found *lastpos returns the index of the found attribute.
+ */
+static X509_ATTRIBUTE *cms_attrib_get(int nid,
+ const STACK_OF(X509_ATTRIBUTE) *attrs,
+ int *lastpos)
+{
+ X509_ATTRIBUTE *at;
+ int loc;
+
+ loc = X509at_get_attr_by_NID(attrs, nid, *lastpos);
+ if (loc < 0)
+ return NULL;
+
+ at = X509at_get_attr(attrs, loc);
+ *lastpos = loc;
+ return at;
+}
+
+static int cms_check_attribute(int nid, int flags, int type,
+ const STACK_OF(X509_ATTRIBUTE) *attrs,
+ int have_attrs)
+{
+ int lastpos = -1;
+ X509_ATTRIBUTE *at = cms_attrib_get(nid, attrs, &lastpos);
+
+ if (at != NULL) {
+ int count = X509_ATTRIBUTE_count(at);
+
+ /* Is this attribute allowed? */
+ if (((flags & type) == 0)
+ /* check if multiple attributes of the same type are allowed */
+ || (((flags & CMS_ATTR_F_ONLY_ONE) != 0)
+ && cms_attrib_get(nid, attrs, &lastpos) != NULL)
+ /* Check if attribute should have exactly one value in its set */
+ || (((flags & CMS_ATTR_F_ONE_ATTR_VALUE) != 0)
+ && count != 1)
+ /* There should be at least one value */
+ || count == 0)
+ return 0;
+ } else {
+ /* fail if a required attribute is missing */
+ if (have_attrs
+ && ((flags & CMS_ATTR_F_REQUIRED_COND) != 0)
+ && (flags & type) != 0)
+ return 0;
+ }
+ return 1;
+}
+
+/*
+ * Check that the signerinfo attributes obey the attribute rules which includes
+ * the following checks
+ * - If any signed attributes exist then there must be a Content Type
+ * and Message Digest attribute in the signed attributes.
+ * - The countersignature attribute is an optional unsigned attribute only.
+ * - Content Type, Message Digest, and Signing time attributes are signed
+ * attributes. Only one instance of each is allowed, with each of these
+ * attributes containing a single attribute value in its set.
+ */
+int CMS_si_check_attributes(const CMS_SignerInfo *si)
+{
+ int i;
+ int have_signed_attrs = (CMS_signed_get_attr_count(si) > 0);
+ int have_unsigned_attrs = (CMS_unsigned_get_attr_count(si) > 0);
+
+ for (i = 0; i < (int)OSSL_NELEM(cms_attribute_properties); ++i) {
+ int nid = cms_attribute_properties[i].nid;
+ int flags = cms_attribute_properties[i].flags;
+
+ if (!cms_check_attribute(nid, flags, CMS_ATTR_F_SIGNED,
+ si->signedAttrs, have_signed_attrs)
+ || !cms_check_attribute(nid, flags, CMS_ATTR_F_UNSIGNED,
+ si->unsignedAttrs, have_unsigned_attrs)) {
+ CMSerr(CMS_F_CMS_SI_CHECK_ATTRIBUTES, CMS_R_ATTRIBUTE_ERROR);
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_env.c b/freebsd/crypto/openssl/crypto/cms/cms_env.c
index 171c096..098a504 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_env.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_env.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -365,6 +365,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
unsigned char *ek = NULL;
size_t eklen;
int ret = 0;
+ size_t fixlen = 0;
CMS_EncryptedContentInfo *ec;
ec = cms->d.envelopedData->encryptedContentInfo;
@@ -373,6 +374,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
return 0;
}
+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+ if (ciph == NULL) {
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+ return 0;
+ }
+
+ fixlen = EVP_CIPHER_key_length(ciph);
+ }
+
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ktri->pctx == NULL)
return 0;
@@ -403,7 +417,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
ktri->encryptedKey->data,
- ktri->encryptedKey->length) <= 0) {
+ ktri->encryptedKey->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
goto err;
}
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_err.c b/freebsd/crypto/openssl/crypto/cms/cms_err.c
index 1a24220..aa21204 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_err.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -148,6 +148,8 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 0),
"CMS_SignerInfo_verify_content"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SIGN_RECEIPT, 0), "CMS_sign_receipt"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_SI_CHECK_ATTRIBUTES, 0),
+ "CMS_si_check_attributes"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_STREAM, 0), "CMS_stream"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_UNCOMPRESS, 0), "CMS_uncompress"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_VERIFY, 0), "CMS_verify"},
@@ -157,6 +159,7 @@ static const ERR_STRING_DATA CMS_str_functs[] = {
static const ERR_STRING_DATA CMS_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"},
+ {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ATTRIBUTE_ERROR), "attribute error"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT),
"certificate already present"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID),
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_lcl.h b/freebsd/crypto/openssl/crypto/cms/cms_lcl.h
index 916fcbf..68aa012 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_lcl.h
+++ b/freebsd/crypto/openssl/crypto/cms/cms_lcl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
size_t keylen;
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
int debug;
+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
+ int havenocert;
};
struct CMS_RecipientInfo_st {
@@ -317,8 +319,6 @@ struct CMS_OtherKeyAttribute_st {
/* ESS structures */
-# ifdef HEADER_X509V3_H
-
struct CMS_ReceiptRequest_st {
ASN1_OCTET_STRING *signedContentIdentifier;
CMS_ReceiptsFrom *receiptsFrom;
@@ -332,7 +332,6 @@ struct CMS_ReceiptsFrom_st {
STACK_OF(GENERAL_NAMES) *receiptList;
} d;
};
-# endif
struct CMS_Receipt_st {
int32_t version;
@@ -416,6 +415,8 @@ int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms,
/* PWRI routines */
int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
int en_de);
+/* SignerInfo routines */
+int CMS_si_check_attributes(const CMS_SignerInfo *si);
DECLARE_ASN1_ITEM(CMS_CertificateChoices)
DECLARE_ASN1_ITEM(CMS_DigestedData)
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_sd.c b/freebsd/crypto/openssl/crypto/cms/cms_sd.c
index cac5a51..d532898 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_sd.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_sd.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -111,6 +111,27 @@ static void cms_sd_set_version(CMS_SignedData *sd)
}
+/*
+ * RFC 5652 Section 11.1 Content Type
+ * The content-type attribute within signed-data MUST
+ * 1) be present if there are signed attributes
+ * 2) match the content type in the signed-data,
+ * 3) be a signed attribute.
+ * 4) not have more than one copy of the attribute.
+ *
+ * Note that since the CMS_SignerInfo_sign() always adds the "signing time"
+ * attribute, the content type attribute MUST be added also.
+ * Assumptions: This assumes that the attribute does not already exist.
+ */
+static int cms_set_si_contentType_attr(CMS_ContentInfo *cms, CMS_SignerInfo *si)
+{
+ ASN1_OBJECT *ctype = cms->d.signedData->encapContentInfo->eContentType;
+
+ /* Add the contentType attribute */
+ return CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
+ V_ASN1_OBJECT, ctype, -1) > 0;
+}
+
/* Copy an existing messageDigest value */
static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si)
@@ -330,6 +351,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
if (flags & CMS_REUSE_DIGEST) {
if (!cms_copy_messageDigest(cms, si))
goto err;
+ if (!cms_set_si_contentType_attr(cms, si))
+ goto err;
if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) &&
!CMS_SignerInfo_sign(si))
goto err;
@@ -560,8 +583,6 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
*/
if (CMS_signed_get_attr_count(si) >= 0) {
- ASN1_OBJECT *ctype =
- cms->d.signedData->encapContentInfo->eContentType;
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
@@ -570,9 +591,9 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
V_ASN1_OCTET_STRING, md, mdlen))
goto err;
/* Copy content type across */
- if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
- V_ASN1_OBJECT, ctype, -1) <= 0)
+ if (!cms_set_si_contentType_attr(cms, si))
goto err;
+
if (!CMS_SignerInfo_sign(si))
goto err;
} else if (si->pctx) {
@@ -652,6 +673,9 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
goto err;
}
+ if (!CMS_si_check_attributes(si))
+ goto err;
+
if (si->pctx)
pctx = si->pctx;
else {
@@ -698,7 +722,6 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
OPENSSL_free(abuf);
EVP_MD_CTX_reset(mctx);
return 0;
-
}
int CMS_SignerInfo_verify(CMS_SignerInfo *si)
@@ -713,6 +736,9 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si)
return -1;
}
+ if (!CMS_si_check_attributes(si))
+ return -1;
+
md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
if (md == NULL)
return -1;
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_smime.c b/freebsd/crypto/openssl/crypto/cms/cms_smime.c
index 587923e..1b62331 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_smime.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_smime.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -745,6 +745,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
+ if (!cert)
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
+ else
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
if (!pk && !cert && !dcont && !out)
return 1;
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_sap.c b/freebsd/crypto/openssl/crypto/conf/conf_sap.c
index 5010574..51ec044 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_sap.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_sap.c
@@ -44,7 +44,7 @@ void OPENSSL_config(const char *appname)
int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)
{
- int ret;
+ int ret = 0;
const char *filename;
const char *appname;
unsigned long flags;
diff --git a/freebsd/crypto/openssl/crypto/ctype.c b/freebsd/crypto/openssl/crypto/ctype.c
index 1eb6a26..bd65077 100644
--- a/freebsd/crypto/openssl/crypto/ctype.c
+++ b/freebsd/crypto/openssl/crypto/ctype.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -274,3 +274,9 @@ int ossl_toupper(int c)
{
return ossl_islower(c) ? c ^ case_change : c;
}
+
+int ascii_isdigit(const char inchar) {
+ if (inchar > 0x2F && inchar < 0x3A)
+ return 1;
+ return 0;
+}
diff --git a/freebsd/crypto/openssl/crypto/dh/dh_check.c b/freebsd/crypto/openssl/crypto/dh/dh_check.c
index 0ff2d5f..f53940c 100644
--- a/freebsd/crypto/openssl/crypto/dh/dh_check.c
+++ b/freebsd/crypto/openssl/crypto/dh/dh_check.c
@@ -26,7 +26,8 @@ int DH_check_params_ex(const DH *dh)
{
int errflags = 0;
- (void)DH_check_params(dh, &errflags);
+ if (!DH_check_params(dh, &errflags))
+ return 0;
if ((errflags & DH_CHECK_P_NOT_PRIME) != 0)
DHerr(DH_F_DH_CHECK_PARAMS_EX, DH_R_CHECK_P_NOT_PRIME);
@@ -69,18 +70,14 @@ int DH_check_params(const DH *dh, int *ret)
/*-
* Check that p is a safe prime and
- * if g is 2, 3 or 5, check that it is a suitable generator
- * where
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5
- * for 5, p mod 10 == 3 or 7
- * should hold.
+ * g is a suitable generator.
*/
int DH_check_ex(const DH *dh)
{
int errflags = 0;
- (void)DH_check(dh, &errflags);
+ if (!DH_check(dh, &errflags))
+ return 0;
if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0)
DHerr(DH_F_DH_CHECK_EX, DH_R_NOT_SUITABLE_GENERATOR);
@@ -104,10 +101,11 @@ int DH_check(const DH *dh, int *ret)
{
int ok = 0, r;
BN_CTX *ctx = NULL;
- BN_ULONG l;
BIGNUM *t1 = NULL, *t2 = NULL;
- *ret = 0;
+ if (!DH_check_params(dh, ret))
+ return 0;
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
@@ -141,21 +139,7 @@ int DH_check(const DH *dh, int *ret)
*ret |= DH_CHECK_INVALID_Q_VALUE;
if (dh->j && BN_cmp(dh->j, t1))
*ret |= DH_CHECK_INVALID_J_VALUE;
-
- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
- l = BN_mod_word(dh->p, 24);
- if (l == (BN_ULONG)-1)
- goto err;
- if (l != 11)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
- l = BN_mod_word(dh->p, 10);
- if (l == (BN_ULONG)-1)
- goto err;
- if ((l != 3) && (l != 7))
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else
- *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+ }
r = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME, ctx, NULL);
if (r < 0)
@@ -182,7 +166,8 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
{
int errflags = 0;
- (void)DH_check(dh, &errflags);
+ if (!DH_check_pub_key(dh, pub_key, &errflags))
+ return 0;
if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0)
DHerr(DH_F_DH_CHECK_PUB_KEY_EX, DH_R_CHECK_PUBKEY_TOO_SMALL);
diff --git a/freebsd/crypto/openssl/crypto/dh/dh_gen.c b/freebsd/crypto/openssl/crypto/dh/dh_gen.c
index 74c9cdb..0348fa9 100644
--- a/freebsd/crypto/openssl/crypto/dh/dh_gen.c
+++ b/freebsd/crypto/openssl/crypto/dh/dh_gen.c
@@ -32,30 +32,33 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
/*-
* We generate DH parameters as follows
- * find a prime q which is prime_len/2 bits long.
- * p=(2*q)+1 or (p-1)/2 = q
- * For this case, g is a generator if
- * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
- * Since the factors of p-1 are q and 2, we just need to check
- * g^2 mod p != 1 and g^q mod p != 1.
+ * find a prime p which is prime_len bits long,
+ * where q=(p-1)/2 is also prime.
+ * In the following we assume that g is not 0, 1 or p-1, since it
+ * would generate only trivial subgroups.
+ * For this case, g is a generator of the order-q subgroup if
+ * g^q mod p == 1.
+ * Or in terms of the Legendre symbol: (g/p) == 1.
*
* Having said all that,
* there is another special case method for the generators 2, 3 and 5.
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5 <<<<< does not work for safe primes.
- * for 5, p mod 10 == 3 or 7
+ * Using the quadratic reciprocity law it is possible to solve
+ * (g/p) == 1 for the special values 2, 3, 5:
+ * (2/p) == 1 if p mod 8 == 1 or 7.
+ * (3/p) == 1 if p mod 12 == 1 or 11.
+ * (5/p) == 1 if p mod 5 == 1 or 4.
+ * See for instance: https://en.wikipedia.org/wiki/Legendre_symbol
*
- * Thanks to Phil Karn for the pointers about the
- * special generators and for answering some of my questions.
+ * Since all safe primes > 7 must satisfy p mod 12 == 11
+ * and all safe primes > 11 must satisfy p mod 5 != 1
+ * we can further improve the condition for g = 2, 3 and 5:
+ * for 2, p mod 24 == 23
+ * for 3, p mod 12 == 11
+ * for 5, p mod 60 == 59
*
- * I've implemented the second simple method :-).
- * Since DH should be using a safe prime (both p and q are prime),
- * this generator function can take a very very long time to run.
- */
-/*
- * Actually there is no reason to insist that 'generator' be a generator.
- * It's just as OK (and in some sense better) to use a generator of the
- * order-q subgroup.
+ * However for compatibilty with previous versions we use:
+ * for 2, p mod 24 == 11
+ * for 5, p mod 60 == 23
*/
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
BN_GENCB *cb)
@@ -90,13 +93,10 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
goto err;
g = 2;
} else if (generator == DH_GENERATOR_5) {
- if (!BN_set_word(t1, 10))
+ if (!BN_set_word(t1, 60))
goto err;
- if (!BN_set_word(t2, 3))
+ if (!BN_set_word(t2, 23))
goto err;
- /*
- * BN_set_word(t3,7); just have to miss out on these ones :-(
- */
g = 5;
} else {
/*
@@ -104,9 +104,9 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
* not: since we are using safe primes, it will generate either an
* order-q or an order-2q group, which both is OK
*/
- if (!BN_set_word(t1, 2))
+ if (!BN_set_word(t1, 12))
goto err;
- if (!BN_set_word(t2, 1))
+ if (!BN_set_word(t2, 11))
goto err;
g = generator;
}
diff --git a/freebsd/crypto/openssl/crypto/dh/dh_key.c b/freebsd/crypto/openssl/crypto/dh/dh_key.c
index 64d6e7d..06cdeed 100644
--- a/freebsd/crypto/openssl/crypto/dh/dh_key.c
+++ b/freebsd/crypto/openssl/crypto/dh/dh_key.c
@@ -127,6 +127,15 @@ static int generate_key(DH *dh)
l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
if (!BN_priv_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
goto err;
+ /*
+ * We handle just one known case where g is a quadratic non-residue:
+ * for g = 2: p % 8 == 3
+ */
+ if (BN_is_word(dh->g, DH_GENERATOR_2) && !BN_is_bit_set(dh->p, 2)) {
+ /* clear bit 0, since it won't be a secret anyway */
+ if (!BN_clear_bit(priv_key, 0))
+ goto err;
+ }
}
}
@@ -138,11 +147,11 @@ static int generate_key(DH *dh)
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
- BN_free(prk);
+ BN_clear_free(prk);
goto err;
}
/* We MUST free prk before any further use of priv_key */
- BN_free(prk);
+ BN_clear_free(prk);
}
dh->pub_key = pub_key;
diff --git a/freebsd/crypto/openssl/crypto/dh/dh_lib.c b/freebsd/crypto/openssl/crypto/dh/dh_lib.c
index ee65d4c..2451c3c 100644
--- a/freebsd/crypto/openssl/crypto/dh/dh_lib.c
+++ b/freebsd/crypto/openssl/crypto/dh/dh_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -236,11 +236,11 @@ void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
{
if (pub_key != NULL) {
- BN_free(dh->pub_key);
+ BN_clear_free(dh->pub_key);
dh->pub_key = pub_key;
}
if (priv_key != NULL) {
- BN_free(dh->priv_key);
+ BN_clear_free(dh->priv_key);
dh->priv_key = priv_key;
}
diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c b/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c
index 82ca2b1..d613b6c 100644
--- a/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c
+++ b/freebsd/crypto/openssl/crypto/dsa/dsa_ameth.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -505,7 +505,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
- return 2;
+ return 1;
default:
return -2;
diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_err.c b/freebsd/crypto/openssl/crypto/dsa/dsa_err.c
index 2e944be..587e2b3 100644
--- a/freebsd/crypto/openssl/crypto/dsa/dsa_err.c
+++ b/freebsd/crypto/openssl/crypto/dsa/dsa_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,8 @@ static const ERR_STRING_DATA DSA_str_reasons[] = {
"invalid digest type"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
+ "missing private key"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
diff --git a/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c b/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c
index b6834f5..4b2501a 100644
--- a/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c
+++ b/freebsd/crypto/openssl/crypto/dsa/dsa_ossl.c
@@ -74,6 +74,10 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
reason = DSA_R_MISSING_PARAMETERS;
goto err;
}
+ if (dsa->priv_key == NULL) {
+ reason = DSA_R_MISSING_PRIVATE_KEY;
+ goto err;
+ }
ret = DSA_SIG_new();
if (ret == NULL)
@@ -197,6 +201,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_INVALID_PARAMETERS);
return 0;
}
+ if (dsa->priv_key == NULL) {
+ DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PRIVATE_KEY);
+ return 0;
+ }
k = BN_new();
l = BN_new();
@@ -250,7 +258,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* one bit longer than the modulus.
*
* There are some concerns about the efficacy of doing this. More
- * specificly refer to the discussion starting with:
+ * specifically refer to the discussion starting with:
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
* The fix is to rework BN so these gymnastics aren't required.
*/
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_asn1.c b/freebsd/crypto/openssl/crypto/ec/ec_asn1.c
index 1862e26..26b9e5d 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_asn1.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec_asn1.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -570,10 +570,12 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
{
int ok = 0, tmp;
- EC_GROUP *ret = NULL;
+ EC_GROUP *ret = NULL, *dup = NULL;
BIGNUM *p = NULL, *a = NULL, *b = NULL;
EC_POINT *point = NULL;
long field_bits;
+ int curve_name = NID_undef;
+ BN_CTX *ctx = NULL;
if (!params->fieldID || !params->fieldID->fieldType ||
!params->fieldID->p.ptr) {
@@ -791,18 +793,79 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
goto err;
}
+ /*
+ * Check if the explicit parameters group just created matches one of the
+ * built-in curves.
+ *
+ * We create a copy of the group just built, so that we can remove optional
+ * fields for the lookup: we do this to avoid the possibility that one of
+ * the optional parameters is used to force the library into using a less
+ * performant and less secure EC_METHOD instead of the specialized one.
+ * In any case, `seed` is not really used in any computation, while a
+ * cofactor different from the one in the built-in table is just
+ * mathematically wrong anyway and should not be used.
+ */
+ if ((ctx = BN_CTX_new()) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_BN_LIB);
+ goto err;
+ }
+ if ((dup = EC_GROUP_dup(ret)) == NULL
+ || EC_GROUP_set_seed(dup, NULL, 0) != 1
+ || !EC_GROUP_set_generator(dup, point, a, NULL)) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
+ goto err;
+ }
+ if ((curve_name = ec_curve_nid_from_params(dup, ctx)) != NID_undef) {
+ /*
+ * The input explicit parameters successfully matched one of the
+ * built-in curves: often for built-in curves we have specialized
+ * methods with better performance and hardening.
+ *
+ * In this case we replace the `EC_GROUP` created through explicit
+ * parameters with one created from a named group.
+ */
+ EC_GROUP *named_group = NULL;
+
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+ /*
+ * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
+ * the same curve, we prefer the SECP nid when matching explicit
+ * parameters as that is associated with a specialized EC_METHOD.
+ */
+ if (curve_name == NID_wap_wsg_idm_ecid_wtls12)
+ curve_name = NID_secp224r1;
+#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
+
+ if ((named_group = EC_GROUP_new_by_curve_name(curve_name)) == NULL) {
+ ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_EC_LIB);
+ goto err;
+ }
+ EC_GROUP_free(ret);
+ ret = named_group;
+
+ /*
+ * Set the flag so that EC_GROUPs created from explicit parameters are
+ * serialized using explicit parameters by default.
+ */
+ EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
+ }
+
ok = 1;
err:
if (!ok) {
- EC_GROUP_clear_free(ret);
+ EC_GROUP_free(ret);
ret = NULL;
}
+ EC_GROUP_free(dup);
BN_free(p);
BN_free(a);
BN_free(b);
EC_POINT_free(point);
+
+ BN_CTX_free(ctx);
+
return ret;
}
@@ -863,7 +926,7 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
}
if (a) {
- EC_GROUP_clear_free(*a);
+ EC_GROUP_free(*a);
*a = group;
}
@@ -911,7 +974,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
ret = *a;
if (priv_key->parameters) {
- EC_GROUP_clear_free(ret->group);
+ EC_GROUP_free(ret->group);
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
}
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_curve.c b/freebsd/crypto/openssl/crypto/ec/ec_curve.c
index 7ffd2eb..017455f 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_curve.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec_curve.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -3199,3 +3199,115 @@ int EC_curve_nist2nid(const char *name)
}
return NID_undef;
}
+
+#define NUM_BN_FIELDS 6
+/*
+ * Validates EC domain parameter data for known named curves.
+ * This can be used when a curve is loaded explicitly (without a curve
+ * name) or to validate that domain parameters have not been modified.
+ *
+ * Returns: The nid associated with the found named curve, or NID_undef
+ * if not found. If there was an error it returns -1.
+ */
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
+{
+ int ret = -1, nid, len, field_type, param_len;
+ size_t i, seed_len;
+ const unsigned char *seed, *params_seed, *params;
+ unsigned char *param_bytes = NULL;
+ const EC_CURVE_DATA *data;
+ const EC_POINT *generator = NULL;
+ const EC_METHOD *meth;
+ const BIGNUM *cofactor = NULL;
+ /* An array of BIGNUMs for (p, a, b, x, y, order) */
+ BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
+
+ meth = EC_GROUP_method_of(group);
+ if (meth == NULL)
+ return -1;
+ /* Use the optional named curve nid as a search field */
+ nid = EC_GROUP_get_curve_name(group);
+ field_type = EC_METHOD_get_field_type(meth);
+ seed_len = EC_GROUP_get_seed_len(group);
+ seed = EC_GROUP_get0_seed(group);
+ cofactor = EC_GROUP_get0_cofactor(group);
+
+ BN_CTX_start(ctx);
+
+ /*
+ * The built-in curves contains data fields (p, a, b, x, y, order) that are
+ * all zero-padded to be the same size. The size of the padding is
+ * determined by either the number of bytes in the field modulus (p) or the
+ * EC group order, whichever is larger.
+ */
+ param_len = BN_num_bytes(group->order);
+ len = BN_num_bytes(group->field);
+ if (len > param_len)
+ param_len = len;
+
+ /* Allocate space to store the padded data for (p, a, b, x, y, order) */
+ param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+ if (param_bytes == NULL)
+ goto end;
+
+ /* Create the bignums */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if ((bn[i] = BN_CTX_get(ctx)) == NULL)
+ goto end;
+ }
+ /*
+ * Fill in the bn array with the same values as the internal curves
+ * i.e. the values are p, a, b, x, y, order.
+ */
+ /* Get p, a & b */
+ if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
+ && ((generator = EC_GROUP_get0_generator(group)) != NULL)
+ /* Get x & y */
+ && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
+ /* Get order */
+ && EC_GROUP_get_order(group, bn[5], ctx)))
+ goto end;
+
+ /*
+ * Convert the bignum array to bytes that are joined together to form
+ * a single buffer that contains data for all fields.
+ * (p, a, b, x, y, order) are all zero padded to be the same size.
+ */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
+ goto end;
+ }
+
+ for (i = 0; i < curve_list_length; i++) {
+ const ec_list_element curve = curve_list[i];
+
+ data = curve.data;
+ /* Get the raw order byte data */
+ params_seed = (const unsigned char *)(data + 1); /* skip header */
+ params = params_seed + data->seed_len;
+
+ /* Look for unique fields in the fixed curve data */
+ if (data->field_type == field_type
+ && param_len == data->param_len
+ && (nid <= 0 || nid == curve.nid)
+ /* check the optional cofactor (ignore if its zero) */
+ && (BN_is_zero(cofactor)
+ || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
+ /* Check the optional seed (ignore if its not set) */
+ && (data->seed_len == 0 || seed_len == 0
+ || ((size_t)data->seed_len == seed_len
+ && memcmp(params_seed, seed, seed_len) == 0))
+ /* Check that the groups params match the built-in curve params */
+ && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
+ == 0) {
+ ret = curve.nid;
+ goto end;
+ }
+ }
+ /* Gets here if the group was not found */
+ ret = NID_undef;
+end:
+ OPENSSL_free(param_bytes);
+ BN_CTX_end(ctx);
+ return ret;
+}
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
index 119255f..fbdb04e 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
+++ b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
@@ -154,7 +154,7 @@ struct ec_method_st {
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/*-
- * 'field_inv' computes the multipicative inverse of a in the field,
+ * 'field_inv' computes the multiplicative inverse of a in the field,
* storing the result in r.
*
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
@@ -595,6 +595,8 @@ int ec_key_simple_generate_key(EC_KEY *eckey);
int ec_key_simple_generate_public_key(EC_KEY *eckey);
int ec_key_simple_check_key(const EC_KEY *eckey);
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
+
/* EC_METHOD definitions */
struct ec_key_method_st {
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_lib.c b/freebsd/crypto/openssl/crypto/ec/ec_lib.c
index 6da3f8b..d86e22d 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_lib.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec_lib.c
@@ -267,6 +267,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
static int ec_precompute_mont_data(EC_GROUP *);
+/*-
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
+ * This works for all curves of cryptographic interest.
+ *
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
+ * h_min = (q + 1 - 2*sqrt(q))/n
+ * h_max = (q + 1 + 2*sqrt(q))/n
+ * h_max - h_min = 4*sqrt(q)/n
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
+ *
+ * Otherwise, zero cofactor and return success.
+ */
+static int ec_guess_cofactor(EC_GROUP *group) {
+ int ret = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *q = NULL;
+
+ /*-
+ * If the cofactor is too large, we cannot guess it.
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
+ */
+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
+ /* default to 0 */
+ BN_zero(group->cofactor);
+ /* return success */
+ return 1;
+ }
+
+ if ((ctx = BN_CTX_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((q = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* set q = 2**m for binary fields; q = p otherwise */
+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
+ BN_zero(q);
+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
+ goto err;
+ } else {
+ if (!BN_copy(q, group->field))
+ goto err;
+ }
+
+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
+ /* q + 1 + n/2 */
+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
+ /* (q + 1 + n/2)/n */
+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
+ goto err;
+ ret = 1;
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor)
{
@@ -275,6 +336,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
return 0;
}
+ /* require group->field >= 1 */
+ if (group->field == NULL || BN_is_zero(group->field)
+ || BN_is_negative(group->field)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
+ return 0;
+ }
+
+ /*-
+ * - require order >= 1
+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
+ * longer than field cardinality
+ */
+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
+ return 0;
+ }
+
+ /*-
+ * Unfortunately the cofactor is an optional field in many standards.
+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
+ * So accept cofactor == NULL or cofactor >= 0.
+ */
+ if (cofactor != NULL && BN_is_negative(cofactor)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
+ return 0;
+ }
+
if (group->generator == NULL) {
group->generator = EC_POINT_new(group);
if (group->generator == NULL)
@@ -283,17 +372,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
if (!EC_POINT_copy(group->generator, generator))
return 0;
- if (order != NULL) {
- if (!BN_copy(group->order, order))
- return 0;
- } else
- BN_zero(group->order);
+ if (!BN_copy(group->order, order))
+ return 0;
- if (cofactor != NULL) {
+ /* Either take the provided positive cofactor, or try to compute it */
+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
if (!BN_copy(group->cofactor, cofactor))
return 0;
- } else
+ } else if (!ec_guess_cofactor(group)) {
BN_zero(group->cofactor);
+ return 0;
+ }
/*
* Some groups have an order with
diff --git a/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c b/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c
index 6d64199..97a26ee 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecdh_ossl.c
@@ -60,7 +60,7 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL) {
- ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_NO_PRIVATE_VALUE);
+ ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_MISSING_PRIVATE_KEY);
goto err;
}
diff --git a/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c b/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c
index e173047..dbf5dba 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecdsa_ossl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -43,11 +43,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
const EC_GROUP *group;
int ret = 0;
int order_bits;
+ const BIGNUM *priv_key;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
+ if ((priv_key = EC_KEY_get0_private_key(eckey)) == NULL) {
+ ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_MISSING_PRIVATE_KEY);
+ return 0;
+ }
if (!EC_KEY_can_sign(eckey)) {
ECerr(EC_F_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
@@ -85,8 +90,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/* get random k */
do {
if (dgst != NULL) {
- if (!BN_generate_dsa_nonce(k, order,
- EC_KEY_get0_private_key(eckey),
+ if (!BN_generate_dsa_nonce(k, order, priv_key,
dgst, dlen, ctx)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
@@ -164,10 +168,14 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
- if (group == NULL || priv_key == NULL) {
+ if (group == NULL) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
+ if (priv_key == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
+ return NULL;
+ }
if (!EC_KEY_can_sign(eckey)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
index badd762..0dcba53 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
@@ -326,34 +326,21 @@ static void felem_to_bin28(u8 out[28], const felem in)
}
}
-/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
-static void flip_endian(u8 *out, const u8 *in, unsigned len)
-{
- unsigned i;
- for (i = 0; i < len; ++i)
- out[i] = in[len - 1 - i];
-}
-
/* From OpenSSL BIGNUM to internal representation */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
- felem_bytearray b_in;
felem_bytearray b_out;
- unsigned num_bytes;
+ int num_bytes;
- /* BN_bn2bin eats leading zeroes */
- memset(b_out, 0, sizeof(b_out));
- num_bytes = BN_num_bytes(bn);
- if (num_bytes > sizeof(b_out)) {
+ if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- if (BN_is_negative(bn)) {
+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
+ if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- num_bytes = BN_bn2bin(bn, b_in);
- flip_endian(b_out, b_in, num_bytes);
bin28_to_felem(out, b_out);
return 1;
}
@@ -361,10 +348,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* From internal representation to OpenSSL BIGNUM */
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
- felem_bytearray b_in, b_out;
- felem_to_bin28(b_in, in);
- flip_endian(b_out, b_in, sizeof(b_out));
- return BN_bin2bn(b_out, sizeof(b_out), out);
+ felem_bytearray b_out;
+ felem_to_bin28(b_out, in);
+ return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/******************************************************************************/
@@ -1404,8 +1390,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
felem (*pre_comp)[17][3] = NULL;
felem *tmp_felems = NULL;
- felem_bytearray tmp;
- unsigned num_bytes;
+ int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
felem x_in, y_in, z_in, x_out, y_out, z_out;
@@ -1480,14 +1465,12 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
* i.e., they contribute nothing to the linear combination
*/
for (i = 0; i < num_points; ++i) {
- if (i == num)
+ if (i == num) {
/* the generator */
- {
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
- } else
+ } else {
/* the i^th point */
- {
p = points[i];
p_scalar = scalars[i];
}
@@ -1503,10 +1486,16 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(p_scalar, tmp);
- flip_endian(secrets[i], tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar,
+ secrets[i], sizeof(secrets[i]));
+ } else {
+ num_bytes = BN_bn2lebinpad(p_scalar,
+ secrets[i], sizeof(secrets[i]));
+ }
+ if (num_bytes < 0) {
+ ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
+ goto err;
+ }
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -1549,20 +1538,21 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(scalar, tmp);
- flip_endian(g_secret, tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
+ } else {
+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
+ }
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const felem(*)[17][3])pre_comp, g_pre_comp);
- } else
+ } else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
+ }
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
index 4bfebe6..a8269f1 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
@@ -148,34 +148,21 @@ static void smallfelem_to_bin32(u8 out[32], const smallfelem in)
*((u64 *)&out[24]) = in[3];
}
-/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
-static void flip_endian(u8 *out, const u8 *in, unsigned len)
-{
- unsigned i;
- for (i = 0; i < len; ++i)
- out[i] = in[len - 1 - i];
-}
-
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
- felem_bytearray b_in;
felem_bytearray b_out;
- unsigned num_bytes;
+ int num_bytes;
- /* BN_bn2bin eats leading zeroes */
- memset(b_out, 0, sizeof(b_out));
- num_bytes = BN_num_bytes(bn);
- if (num_bytes > sizeof(b_out)) {
+ if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- if (BN_is_negative(bn)) {
+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
+ if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- num_bytes = BN_bn2bin(bn, b_in);
- flip_endian(b_out, b_in, num_bytes);
bin32_to_felem(out, b_out);
return 1;
}
@@ -183,10 +170,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
{
- felem_bytearray b_in, b_out;
- smallfelem_to_bin32(b_in, in);
- flip_endian(b_out, b_in, sizeof(b_out));
- return BN_bin2bn(b_out, sizeof(b_out), out);
+ felem_bytearray b_out;
+ smallfelem_to_bin32(b_out, in);
+ return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -2026,8 +2012,8 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
smallfelem (*pre_comp)[17][3] = NULL;
smallfelem *tmp_smallfelems = NULL;
- felem_bytearray tmp;
- unsigned i, num_bytes;
+ unsigned i;
+ int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
smallfelem x_in, y_in, z_in;
@@ -2104,17 +2090,15 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
memset(secrets, 0, sizeof(*secrets) * num_points);
memset(pre_comp, 0, sizeof(*pre_comp) * num_points);
for (i = 0; i < num_points; ++i) {
- if (i == num)
+ if (i == num) {
/*
* we didn't have a valid precomputation, so we pick the
* generator
*/
- {
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
- } else
+ } else {
/* the i^th point */
- {
p = points[i];
p_scalar = scalars[i];
}
@@ -2130,10 +2114,16 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(p_scalar, tmp);
- flip_endian(secrets[i], tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar,
+ secrets[i], sizeof(secrets[i]));
+ } else {
+ num_bytes = BN_bn2lebinpad(p_scalar,
+ secrets[i], sizeof(secrets[i]));
+ }
+ if (num_bytes < 0) {
+ ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
+ goto err;
+ }
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -2178,20 +2168,21 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(scalar, tmp);
- flip_endian(g_secret, tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
+ } else {
+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
+ }
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const smallfelem(*)[17][3])pre_comp, g_pre_comp);
- } else
+ } else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const smallfelem(*)[17][3])pre_comp, NULL);
+ }
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
index 2fd19dd..3642bc1 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
@@ -171,34 +171,21 @@ static void felem_to_bin66(u8 out[66], const felem in)
(*((limb *) & out[58])) = in[8];
}
-/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
-static void flip_endian(u8 *out, const u8 *in, unsigned len)
-{
- unsigned i;
- for (i = 0; i < len; ++i)
- out[i] = in[len - 1 - i];
-}
-
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
static int BN_to_felem(felem out, const BIGNUM *bn)
{
- felem_bytearray b_in;
felem_bytearray b_out;
- unsigned num_bytes;
+ int num_bytes;
- /* BN_bn2bin eats leading zeroes */
- memset(b_out, 0, sizeof(b_out));
- num_bytes = BN_num_bytes(bn);
- if (num_bytes > sizeof(b_out)) {
+ if (BN_is_negative(bn)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- if (BN_is_negative(bn)) {
+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
+ if (num_bytes < 0) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
- num_bytes = BN_bn2bin(bn, b_in);
- flip_endian(b_out, b_in, num_bytes);
bin66_to_felem(out, b_out);
return 1;
}
@@ -206,10 +193,9 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
- felem_bytearray b_in, b_out;
- felem_to_bin66(b_in, in);
- flip_endian(b_out, b_in, sizeof(b_out));
- return BN_bin2bn(b_out, sizeof(b_out), out);
+ felem_bytearray b_out;
+ felem_to_bin66(b_out, in);
+ return BN_lebin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -1271,7 +1257,7 @@ static void point_add(felem x3, felem y3, felem z3,
* ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
* 71e913863f7, in that case the penultimate intermediate is -9G and
* the final digit is also -9G. Since this only happens for a single
- * scalar, the timing leak is irrelevent. (Any attacker who wanted to
+ * scalar, the timing leak is irrelevant. (Any attacker who wanted to
* check whether a secret scalar was that exact value, can already do
* so.)
*/
@@ -1868,8 +1854,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
felem_bytearray *secrets = NULL;
felem (*pre_comp)[17][3] = NULL;
felem *tmp_felems = NULL;
- felem_bytearray tmp;
- unsigned i, num_bytes;
+ unsigned i;
+ int num_bytes;
int have_pre_comp = 0;
size_t num_points = num;
felem x_in, y_in, z_in, x_out, y_out, z_out;
@@ -1944,17 +1930,15 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
* i.e., they contribute nothing to the linear combination
*/
for (i = 0; i < num_points; ++i) {
- if (i == num)
+ if (i == num) {
/*
* we didn't have a valid precomputation, so we pick the
* generator
*/
- {
p = EC_GROUP_get0_generator(group);
p_scalar = scalar;
- } else
+ } else {
/* the i^th point */
- {
p = points[i];
p_scalar = scalars[i];
}
@@ -1970,10 +1954,16 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(p_scalar, tmp);
- flip_endian(secrets[i], tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar,
+ secrets[i], sizeof(secrets[i]));
+ } else {
+ num_bytes = BN_bn2lebinpad(p_scalar,
+ secrets[i], sizeof(secrets[i]));
+ }
+ if (num_bytes < 0) {
+ ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
+ goto err;
+ }
/* precompute multiples */
if ((!BN_to_felem(x_out, p->X)) ||
(!BN_to_felem(y_out, p->Y)) ||
@@ -2016,21 +2006,22 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
goto err;
}
- num_bytes = BN_bn2bin(tmp_scalar, tmp);
- } else
- num_bytes = BN_bn2bin(scalar, tmp);
- flip_endian(g_secret, tmp, num_bytes);
+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
+ } else {
+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
+ }
/* do the multiplication with generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
g_secret,
mixed, (const felem(*)[17][3])pre_comp,
(const felem(*)[3])g_pre_comp);
- } else
+ } else {
/* do the multiplication without generator precomputation */
batch_mul(x_out, y_out, z_out,
(const felem_bytearray(*))secrets, num_points,
NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
+ }
/* reduce the output to its unique minimal representation */
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c
index cca7082..6e8397f 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistputil.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -160,13 +160,13 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
* of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
* by using bit-wise subtraction as follows:
*
- * b_k b_(k-1) ... b_2 b_1 b_0
- * - b_k ... b_3 b_2 b_1 b_0
- * -------------------------------------
- * s_k b_(k-1) ... s_3 s_2 s_1 s_0
+ * b_k b_(k-1) ... b_2 b_1 b_0
+ * - b_k ... b_3 b_2 b_1 b_0
+ * -----------------------------------------
+ * s_(k+1) s_k ... s_3 s_2 s_1 s_0
*
* A left-shift followed by subtraction of the original value yields a new
- * representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+ * representation of the same value, using signed bits s_i = b_(i-1) - b_i.
* This representation from Booth's paper has since appeared in the
* literature under a variety of different names including "reversed binary
* form", "alternating greedy expansion", "mutual opposite form", and
@@ -190,7 +190,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
* (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
* signed bits into a signed digit:
*
- * s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+ * s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j)
*
* The sign-alternating property implies that the resulting digit values are
* integers from -16 to 16.
@@ -198,14 +198,14 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
* Of course, we don't actually need to compute the signed digits s_i as an
* intermediate step (that's just a nice way to see how this scheme relates
* to the wNAF): a direct computation obtains the recoded digit from the
- * six bits b_(4j + 4) ... b_(4j - 1).
+ * six bits b_(5j + 4) ... b_(5j - 1).
*
- * This function takes those five bits as an integer (0 .. 63), writing the
+ * This function takes those six bits as an integer (0 .. 63), writing the
* recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
- * value, in the range 0 .. 8). Note that this integer essentially provides the
- * input bits "shifted to the left" by one position: for example, the input to
- * compute the least significant recoded digit, given that there's no bit b_-1,
- * has to be b_4 b_3 b_2 b_1 b_0 0.
+ * value, in the range 0 .. 16). Note that this integer essentially provides
+ * the input bits "shifted to the left" by one position: for example, the input
+ * to compute the least significant recoded digit, given that there's no bit
+ * b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.
*
*/
void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
diff --git a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
index f00aba4..f80aa12 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
@@ -534,7 +534,7 @@ static int ecd_item_sign25519(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
if (alg2)
X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
- /* Algorithm idetifiers set: carry on as normal */
+ /* Algorithm identifiers set: carry on as normal */
return 3;
}
diff --git a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
index 528d0bd..5ffbeea 100644
--- a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
+++ b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
@@ -26,7 +26,7 @@
#include "internal/engine.h"
-#ifdef CRYPTO_ALGORITHM_MIN
+#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
# define CHECK_BSD_STYLE_MACROS
#endif
diff --git a/freebsd/crypto/openssl/crypto/engine/eng_openssl.c b/freebsd/crypto/openssl/crypto/engine/eng_openssl.c
index 5a094a1..986d65e 100644
--- a/freebsd/crypto/openssl/crypto/engine/eng_openssl.c
+++ b/freebsd/crypto/openssl/crypto/engine/eng_openssl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -31,12 +31,14 @@
*/
#define TEST_ENG_OPENSSL_RC4
#ifndef OPENSSL_NO_STDIO
-#define TEST_ENG_OPENSSL_PKEY
+# define TEST_ENG_OPENSSL_PKEY
#endif
/* #define TEST_ENG_OPENSSL_HMAC */
/* #define TEST_ENG_OPENSSL_HMAC_INIT */
/* #define TEST_ENG_OPENSSL_RC4_OTHERS */
-#define TEST_ENG_OPENSSL_RC4_P_INIT
+#ifndef OPENSSL_NO_STDIO
+# define TEST_ENG_OPENSSL_RC4_P_INIT
+#endif
/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
#define TEST_ENG_OPENSSL_SHA
/* #define TEST_ENG_OPENSSL_SHA_OTHERS */
diff --git a/freebsd/crypto/openssl/crypto/err/err.c b/freebsd/crypto/openssl/crypto/err/err.c
index 806dae3..001cdaa 100644
--- a/freebsd/crypto/openssl/crypto/err/err.c
+++ b/freebsd/crypto/openssl/crypto/err/err.c
@@ -186,8 +186,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
}
#ifndef OPENSSL_NO_ERR
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
-# define SPACE_SYS_STR_REASONS 4 * 1024
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
+# define SPACE_SYS_STR_REASONS 8 * 1024
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -221,21 +221,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- if (str->string == NULL) {
+ /*
+ * If we have used up all the space in strerror_pool,
+ * there's no point in calling openssl_strerror_r()
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
size_t l = strlen(cur);
str->string = cur;
cnt += l;
- if (cnt > sizeof(strerror_pool))
- cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
- * some (most? all?) messages. Lets trim them off.
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
diff --git a/freebsd/crypto/openssl/crypto/evp/bio_ok.c b/freebsd/crypto/openssl/crypto/evp/bio_ok.c
index 1d21bd0..c350bef 100644
--- a/freebsd/crypto/openssl/crypto/evp/bio_ok.c
+++ b/freebsd/crypto/openssl/crypto/evp/bio_ok.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -40,9 +40,9 @@
of memory.
BIO_f_reliable splits data stream into blocks. Each block is prefixed
- with it's length and suffixed with it's digest. So you need only
+ with its length and suffixed with its digest. So you need only
several Kbytes of memory to buffer single block before verifying
- it's digest.
+ its digest.
BIO_f_reliable goes further and adds several important capabilities:
diff --git a/freebsd/crypto/openssl/crypto/evp/e_aes.c b/freebsd/crypto/openssl/crypto/evp/e_aes.c
index 1d025fe..434bd46 100644
--- a/freebsd/crypto/openssl/crypto/evp/e_aes.c
+++ b/freebsd/crypto/openssl/crypto/evp/e_aes.c
@@ -178,7 +178,7 @@ static void ctr64_inc(unsigned char *counter)
# define HWAES_xts_decrypt aes_p8_xts_decrypt
#endif
-#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
+#if !defined(OPENSSL_NO_ASM) && ( \
((defined(__i386) || defined(__i386__) || \
defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
defined(__x86_64) || defined(__x86_64__) || \
@@ -385,10 +385,25 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+
if (!iv && !key)
return 1;
if (key) {
+ /* The key is two half length keys in reality */
+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses Rogaway's vulnerability.
+ * See comment in aes_xts_init_key() below.
+ */
+ if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
+ }
+
/* key_len is two AES keys */
if (enc) {
aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
@@ -789,11 +804,26 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+
if (!iv && !key)
return 1;
if (key) {
- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
+ /* The key is two half length keys in reality */
+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
+ const int bits = bytes * 8;
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses Rogaway's vulnerability.
+ * See comment in aes_xts_init_key() below.
+ */
+ if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
+ }
+
xctx->stream = NULL;
/* key_len is two AES keys */
if (enc) {
@@ -1580,7 +1610,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
switch (type) {
case EVP_CTRL_INIT:
- ivlen = EVP_CIPHER_CTX_iv_length(c);
+ ivlen = EVP_CIPHER_iv_length(c->cipher);
iv = EVP_CIPHER_CTX_iv_noconst(c);
gctx->key_set = 0;
gctx->iv_set = 0;
@@ -1591,6 +1621,10 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
gctx->tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = gctx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@@ -2301,6 +2335,10 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
cctx->aes.ccm.tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = 15 - cctx->aes.ccm.l;
+ return 1;
+
case EVP_CTRL_AEAD_TLS1_AAD:
if (arg != EVP_AEAD_TLS1_AAD_LEN)
return 0;
@@ -2819,13 +2857,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_INIT:
gctx->key_set = 0;
gctx->iv_set = 0;
- gctx->ivlen = c->cipher->iv_len;
+ gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
gctx->iv = c->iv;
gctx->taglen = -1;
gctx->iv_gen = 0;
gctx->tls_aad_len = -1;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = gctx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
@@ -3275,7 +3317,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY)
+ | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
@@ -3286,10 +3328,12 @@ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
- EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
+ EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX, c);
+
if (type == EVP_CTRL_COPY) {
EVP_CIPHER_CTX *out = ptr;
EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
+
if (xctx->xts.key1) {
if (xctx->xts.key1 != &xctx->ks1)
return 0;
@@ -3313,11 +3357,36 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+
if (!iv && !key)
return 1;
if (key)
do {
+ /* The key is two half length keys in reality */
+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2;
+
+ /*
+ * Verify that the two keys are different.
+ *
+ * This addresses the vulnerability described in Rogaway's
+ * September 2004 paper:
+ *
+ * "Efficient Instantiations of Tweakable Blockciphers and
+ * Refinements to Modes OCB and PMAC".
+ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf)
+ *
+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states
+ * that:
+ * "The check for Key_1 != Key_2 shall be done at any place
+ * BEFORE using the keys in the XTS-AES algorithm to process
+ * data with them."
+ */
+ if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+ return 0;
+ }
+
#ifdef AES_XTS_ASM
xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
#else
@@ -3450,7 +3519,9 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
cctx->len_set = 0;
cctx->tls_aad_len = -1;
return 1;
-
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = 15 - cctx->L;
+ return 1;
case EVP_CTRL_AEAD_TLS1_AAD:
/* Save the AAD for later use */
if (arg != EVP_AEAD_TLS1_AAD_LEN)
@@ -3899,13 +3970,17 @@ static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_INIT:
octx->key_set = 0;
octx->iv_set = 0;
- octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
+ octx->ivlen = EVP_CIPHER_iv_length(c->cipher);
octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
octx->taglen = 16;
octx->data_buf_len = 0;
octx->aad_buf_len = 0;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = octx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
/* IV len must be 1 to 15 */
if (arg <= 0 || arg > 15)
diff --git a/freebsd/crypto/openssl/crypto/evp/e_aria.c b/freebsd/crypto/openssl/crypto/evp/e_aria.c
index 6a9d5de..df13346 100644
--- a/freebsd/crypto/openssl/crypto/evp/e_aria.c
+++ b/freebsd/crypto/openssl/crypto/evp/e_aria.c
@@ -254,7 +254,7 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
case EVP_CTRL_INIT:
gctx->key_set = 0;
gctx->iv_set = 0;
- gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
+ gctx->ivlen = EVP_CIPHER_iv_length(c->cipher);
gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
gctx->taglen = -1;
gctx->iv_gen = 0;
@@ -276,6 +276,10 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
gctx->ivlen = arg;
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = gctx->ivlen;
+ return 1;
+
case EVP_CTRL_AEAD_SET_TAG:
if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
return 0;
@@ -575,6 +579,10 @@ static int aria_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = 15 - cctx->L;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
arg = 15 - arg;
/* fall thru */
@@ -744,7 +752,8 @@ static int aria_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
#define ARIA_AUTH_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
- | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER)
+ | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_AEAD_CIPHER \
+ | EVP_CIPH_CUSTOM_IV_LENGTH)
#define BLOCK_CIPHER_aead(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
static const EVP_CIPHER aria_##keylen##_##mode = { \
diff --git a/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c b/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c
index 4eeb7bc..8569e68 100644
--- a/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c
+++ b/freebsd/crypto/openssl/crypto/evp/e_chacha20_poly1305.c
@@ -536,6 +536,10 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
}
return 1;
+ case EVP_CTRL_GET_IVLEN:
+ *(int *)ptr = actx->nonce_len;
+ return 1;
+
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
return 0;
@@ -615,7 +619,8 @@ static EVP_CIPHER chacha20_poly1305 = {
12, /* iv_len, 96-bit nonce in the context */
EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
- EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
+ EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER |
+ EVP_CIPH_CUSTOM_IV_LENGTH,
chacha20_poly1305_init_key,
chacha20_poly1305_cipher,
chacha20_poly1305_cleanup,
diff --git a/freebsd/crypto/openssl/crypto/evp/evp_err.c b/freebsd/crypto/openssl/crypto/evp/evp_err.c
index 94adca9..0348767 100644
--- a/freebsd/crypto/openssl/crypto/evp/evp_err.c
+++ b/freebsd/crypto/openssl/crypto/evp/evp_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -17,11 +17,15 @@
static const ERR_STRING_DATA EVP_str_functs[] = {
{ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
+ "aes_t4_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"},
@@ -151,6 +155,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
+ "r_32_12_16_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
{0, NULL}
@@ -162,6 +168,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ARIA_KEY_SETUP_FAILED),
"aria key setup failed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_DECRYPT), "bad decrypt"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BAD_KEY_LENGTH), "bad key length"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "buffer too small"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CAMELLIA_KEY_SETUP_FAILED),
"camellia key setup failed"},
@@ -268,6 +275,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"wrap mode not allowed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
"wrong final block length"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
+ "xts duplicated keys"},
{0, NULL}
};
diff --git a/freebsd/crypto/openssl/crypto/evp/evp_lib.c b/freebsd/crypto/openssl/crypto/evp/evp_lib.c
index 280e7da..8c085c4 100644
--- a/freebsd/crypto/openssl/crypto/evp/evp_lib.c
+++ b/freebsd/crypto/openssl/crypto/evp/evp_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -244,6 +244,13 @@ int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher)
int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx)
{
+ int i, rv;
+
+ if ((EVP_CIPHER_flags(ctx->cipher) & EVP_CIPH_CUSTOM_IV_LENGTH) != 0) {
+ rv = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN,
+ 0, &i);
+ return (rv == 1) ? i : -1;
+ }
return ctx->cipher->iv_len;
}
diff --git a/freebsd/crypto/openssl/crypto/evp/m_sha3.c b/freebsd/crypto/openssl/crypto/evp/m_sha3.c
index bbe306f..49aec6a 100644
--- a/freebsd/crypto/openssl/crypto/evp/m_sha3.c
+++ b/freebsd/crypto/openssl/crypto/evp/m_sha3.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -110,6 +110,9 @@ static int sha3_final(EVP_MD_CTX *evp_ctx, unsigned char *md)
size_t bsz = ctx->block_size;
size_t num = ctx->num;
+ if (ctx->md_size == 0)
+ return 1;
+
/*
* Pad the data with 10*1. Note that |num| can be |bsz - 1|
* in which case both byte operations below are performed on
diff --git a/freebsd/crypto/openssl/crypto/include/internal/ctype.h b/freebsd/crypto/openssl/crypto/include/internal/ctype.h
index a35b12b..9f3a583 100644
--- a/freebsd/crypto/openssl/crypto/include/internal/ctype.h
+++ b/freebsd/crypto/openssl/crypto/include/internal/ctype.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -57,6 +57,8 @@ int ossl_ctype_check(int c, unsigned int mask);
int ossl_tolower(int c);
int ossl_toupper(int c);
+int ascii_isdigit(const char inchar);
+
# define ossl_isalnum(c) (ossl_ctype_check((c), CTYPE_MASK_alnum))
# define ossl_isalpha(c) (ossl_ctype_check((c), CTYPE_MASK_alpha))
# ifdef CHARSET_EBCDIC
diff --git a/freebsd/crypto/openssl/crypto/include/internal/rand_int.h b/freebsd/crypto/openssl/crypto/include/internal/rand_int.h
index 888cab1..10347ab 100644
--- a/freebsd/crypto/openssl/crypto/include/internal/rand_int.h
+++ b/freebsd/crypto/openssl/crypto/include/internal/rand_int.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -26,7 +26,6 @@ typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
-void rand_fork(void);
/* Hardware-based seeding functions. */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
@@ -52,7 +51,8 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
/*
* RAND_POOL functions
*/
-RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);
+RAND_POOL *rand_pool_new(int entropy_requested, int secure,
+ size_t min_len, size_t max_len);
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
size_t entropy);
void rand_pool_free(RAND_POOL *pool);
diff --git a/freebsd/crypto/openssl/crypto/include/internal/sm2err.h b/freebsd/crypto/openssl/crypto/include/internal/sm2err.h
index a4db1b7..09edfab 100644
--- a/freebsd/crypto/openssl/crypto/include/internal/sm2err.h
+++ b/freebsd/crypto/openssl/crypto/include/internal/sm2err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_SM2ERR_H
# define HEADER_SM2ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_SM2
diff --git a/freebsd/crypto/openssl/crypto/init.c b/freebsd/crypto/openssl/crypto/init.c
index e1d2781..0275ecb 100644
--- a/freebsd/crypto/openssl/crypto/init.c
+++ b/freebsd/crypto/openssl/crypto/init.c
@@ -42,7 +42,7 @@ static int stopped = 0;
* destructor for threads terminating before libcrypto is initialized or
* after it's de-initialized. Access to the key doesn't have to be
* serialized for the said threads, because they didn't use libcrypto
- * and it doesn't matter if they pick "impossible" or derefernce real
+ * and it doesn't matter if they pick "impossible" or dereference real
* key value and pull NULL past initialization in the first thread that
* intends to use libcrypto.
*/
@@ -863,6 +863,5 @@ void OPENSSL_fork_parent(void)
void OPENSSL_fork_child(void)
{
- rand_fork();
}
#endif
diff --git a/freebsd/crypto/openssl/crypto/lhash/lhash.c b/freebsd/crypto/openssl/crypto/lhash/lhash.c
index bb109a1..107b7bd 100644
--- a/freebsd/crypto/openssl/crypto/lhash/lhash.c
+++ b/freebsd/crypto/openssl/crypto/lhash/lhash.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -21,14 +21,14 @@
/*
* A hashing implementation that appears to be based on the linear hashing
- * alogrithm:
+ * algorithm:
* https://en.wikipedia.org/wiki/Linear_hashing
*
* Litwin, Witold (1980), "Linear hashing: A new tool for file and table
* addressing", Proc. 6th Conference on Very Large Databases: 212-223
- * http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
+ * https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
*
- * From the wikipedia article "Linear hashing is used in the BDB Berkeley
+ * From the Wikipedia article "Linear hashing is used in the BDB Berkeley
* database system, which in turn is used by many software systems such as
* OpenLDAP, using a C implementation derived from the CACM article and first
* published on the Usenet in 1988 by Esmond Pitt."
diff --git a/freebsd/crypto/openssl/crypto/o_str.c b/freebsd/crypto/openssl/crypto/o_str.c
index 79d72a2..6de7e7f 100644
--- a/freebsd/crypto/openssl/crypto/o_str.c
+++ b/freebsd/crypto/openssl/crypto/o_str.c
@@ -233,7 +233,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
* buf is left unused.
*/
err = strerror_r(errnum, buf, buflen);
- if (err == NULL)
+ if (err == NULL || buflen == 0)
return 0;
/*
* If err is statically allocated, err != buf and we need to copy the data.
diff --git a/freebsd/crypto/openssl/crypto/pem/pvkfmt.c b/freebsd/crypto/openssl/crypto/pem/pvkfmt.c
index 4533cd5..68e3d01 100644
--- a/freebsd/crypto/openssl/crypto/pem/pvkfmt.c
+++ b/freebsd/crypto/openssl/crypto/pem/pvkfmt.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -276,6 +276,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
if (!read_lebn(&p, 20, &priv_key))
goto memerr;
+ /* Set constant time flag before public key calculation */
+ BN_set_flags(priv_key, BN_FLG_CONSTTIME);
+
/* Calculate public key */
pub_key = BN_new();
if (pub_key == NULL)
diff --git a/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c b/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c
index 357e5c1..9078d37 100644
--- a/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c
+++ b/freebsd/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -139,7 +139,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
}
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
+ size_t fixlen)
{
EVP_PKEY_CTX *pctx = NULL;
unsigned char *ek = NULL;
@@ -172,7 +173,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
}
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
- ri->enc_key->data, ri->enc_key->length) <= 0) {
+ ri->enc_key->data, ri->enc_key->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
ret = 0;
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
goto err;
@@ -501,13 +504,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
+ EVP_CIPHER_key_length(evp_cipher)) < 0)
goto err;
ERR_clear_error();
}
} else {
/* Only exit on fatal errors, not decrypt failure */
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
goto err;
ERR_clear_error();
}
diff --git a/freebsd/crypto/openssl/crypto/rand/drbg_lib.c b/freebsd/crypto/openssl/crypto/rand/drbg_lib.c
index 48f941b..ffa0306 100644
--- a/freebsd/crypto/openssl/crypto/rand/drbg_lib.c
+++ b/freebsd/crypto/openssl/crypto/rand/drbg_lib.c
@@ -199,7 +199,7 @@ static RAND_DRBG *rand_drbg_new(int secure,
}
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
- drbg->fork_count = rand_fork_count;
+ drbg->fork_id = openssl_get_fork_id();
drbg->parent = parent;
if (parent == NULL) {
@@ -320,7 +320,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
/*
* NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy
* and nonce in 1 call by increasing the entropy with 50% and increasing
- * the minimum length to accomadate the length of the nonce.
+ * the minimum length to accommodate the length of the nonce.
* We do this in case a nonce is require and get_nonce is NULL.
*/
if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
@@ -580,6 +580,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
+ int fork_id;
int reseed_required = 0;
if (drbg->state != DRBG_READY) {
@@ -605,8 +606,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
return 0;
}
- if (drbg->fork_count != rand_fork_count) {
- drbg->fork_count = rand_fork_count;
+ fork_id = openssl_get_fork_id();
+
+ if (drbg->fork_id != fork_id) {
+ drbg->fork_id = fork_id;
reseed_required = 1;
}
@@ -666,7 +669,7 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
if (drbg->adin_pool == NULL) {
if (drbg->type == 0)
goto err;
- drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);
+ drbg->adin_pool = rand_pool_new(0, 0, 0, drbg->max_adinlen);
if (drbg->adin_pool == NULL)
goto err;
}
diff --git a/freebsd/crypto/openssl/crypto/rand/rand_err.c b/freebsd/crypto/openssl/crypto/rand/rand_err.c
index c8f2e67..61f2989 100644
--- a/freebsd/crypto/openssl/crypto/rand/rand_err.c
+++ b/freebsd/crypto/openssl/crypto/rand/rand_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -49,6 +49,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = {
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ATTACH, 0), "rand_pool_attach"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_BYTES_NEEDED, 0),
"rand_pool_bytes_needed"},
+ {ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_GROW, 0), "rand_pool_grow"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_WRITE_FILE, 0), "RAND_write_file"},
{0, NULL}
diff --git a/freebsd/crypto/openssl/crypto/rand/rand_lcl.h b/freebsd/crypto/openssl/crypto/rand/rand_lcl.h
index c3e9804..306c59f 100644
--- a/freebsd/crypto/openssl/crypto/rand/rand_lcl.h
+++ b/freebsd/crypto/openssl/crypto/rand/rand_lcl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -45,7 +45,6 @@
# define DRBG_MAX_LENGTH INT32_MAX
-
/*
* Maximum allocation size for RANDOM_POOL buffers
*
@@ -72,6 +71,24 @@
* 1.5 * (RAND_DRBG_STRENGTH / 8))
*/
+/*
+ * Initial allocation minimum.
+ *
+ * There is a distinction between the secure and normal allocation minimums.
+ * Ideally, the secure allocation size should be a power of two. The normal
+ * allocation size doesn't have any such restriction.
+ *
+ * The secure value is based on 128 bits of secure material, which is 16 bytes.
+ * Typically, the DRBGs will set a minimum larger than this so optimal
+ * allocation ought to take place (for full quality seed material).
+ *
+ * The normal value has been chosed by noticing that the rand_drbg_get_nonce
+ * function is usually the largest of the built in allocation (twenty four
+ * bytes and then appending another sixteen bytes). This means the buffer ends
+ * with 40 bytes. The value of forty eight is comfortably above this which
+ * allows some slack in the platform specific values used.
+ */
+# define RAND_POOL_MIN_ALLOCATION(secure) ((secure) ? 16 : 48)
/* DRBG status values */
typedef enum drbg_status_e {
@@ -150,9 +167,11 @@ struct rand_pool_st {
size_t len; /* current number of random bytes contained in the pool */
int attached; /* true pool was attached to existing buffer */
+ int secure; /* 1: allocated on the secure heap, 0: otherwise */
size_t min_len; /* minimum number of random bytes requested */
size_t max_len; /* maximum number of random bytes (allocated buffer size) */
+ size_t alloc_len; /* current number of bytes allocated */
size_t entropy; /* current entropy count in bits */
size_t entropy_requested; /* requested entropy count in bits */
};
@@ -167,12 +186,12 @@ struct rand_drbg_st {
int secure; /* 1: allocated on the secure heap, 0: otherwise */
int type; /* the nid of the underlying algorithm */
/*
- * Stores the value of the rand_fork_count global as of when we last
- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
- * the child process.
+ * Stores the return value of openssl_get_fork_id() as of when we last
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
+ * DRBG in the child process.
*/
- int fork_count;
+ int fork_id;
unsigned short flags; /* various external flags */
/*
@@ -264,19 +283,6 @@ struct rand_drbg_st {
/* The global RAND method, and the global buffer and DRBG instance. */
extern RAND_METHOD rand_meth;
-/*
- * A "generation count" of forks. Incremented in the child process after a
- * fork. Since rand_fork_count is increment-only, and only ever written to in
- * the child process of the fork, which is guaranteed to be single-threaded, no
- * locking is needed for normal (read) accesses; the rest of pthread fork
- * processing is assumed to introduce the necessary memory barriers. Sibling
- * children of a given parent will produce duplicate values, but this is not
- * problematic because the reseeding process pulls input from the system CSPRNG
- * and/or other global sources, so the siblings will end up generating
- * different output streams.
- */
-extern int rand_fork_count;
-
/* DRBG helpers */
int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *buffer, size_t len, size_t entropy);
diff --git a/freebsd/crypto/openssl/crypto/rand/rand_lib.c b/freebsd/crypto/openssl/crypto/rand/rand_lib.c
index ea07ac6..e9cf893 100644
--- a/freebsd/crypto/openssl/crypto/rand/rand_lib.c
+++ b/freebsd/crypto/openssl/crypto/rand/rand_lib.c
@@ -28,8 +28,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
static const RAND_METHOD *default_RAND_meth;
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
-int rand_fork_count;
-
static CRYPTO_RWLOCK *rand_nonce_lock;
static int rand_nonce_count;
@@ -152,7 +150,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
pool = drbg->seed_pool;
pool->entropy_requested = entropy;
} else {
- pool = rand_pool_new(entropy, min_len, max_len);
+ pool = rand_pool_new(entropy, drbg->secure, min_len, max_len);
if (pool == NULL)
return 0;
}
@@ -165,7 +163,9 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
size_t bytes = 0;
/*
- * Get random from parent, include our state as additional input.
+ * Get random data from parent. Include our address as additional input,
+ * in order to provide some additional distinction between different
+ * DRBG child instances.
* Our lock is already held, but we need to lock our parent before
* generating bits from it. (Note: taking the lock will be a no-op
* if locking if drbg->parent->lock == NULL.)
@@ -174,7 +174,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
if (RAND_DRBG_generate(drbg->parent,
buffer, bytes_needed,
prediction_resistance,
- NULL, 0) != 0)
+ (unsigned char *)&drbg, sizeof(drbg)) != 0)
bytes = bytes_needed;
drbg->reseed_next_counter
= tsan_load(&drbg->parent->reseed_prop_counter);
@@ -218,8 +218,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
unsigned char *out, size_t outlen)
{
- if (drbg->seed_pool == NULL)
- OPENSSL_secure_clear_free(out, outlen);
+ if (drbg->seed_pool == NULL) {
+ if (drbg->secure)
+ OPENSSL_secure_clear_free(out, outlen);
+ else
+ OPENSSL_clear_free(out, outlen);
+ }
}
@@ -237,9 +241,10 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
struct {
void * instance;
int count;
- } data = { NULL, 0 };
+ } data;
- pool = rand_pool_new(0, min_len, max_len);
+ memset(&data, 0, sizeof(data));
+ pool = rand_pool_new(0, 0, min_len, max_len);
if (pool == NULL)
return 0;
@@ -268,7 +273,7 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
unsigned char *out, size_t outlen)
{
- OPENSSL_secure_clear_free(out, outlen);
+ OPENSSL_clear_free(out, outlen);
}
/*
@@ -300,11 +305,6 @@ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out)
rand_pool_reattach(pool, out);
}
-void rand_fork(void)
-{
- rand_fork_count++;
-}
-
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
#ifndef OPENSSL_NO_ENGINE
@@ -364,7 +364,7 @@ void rand_cleanup_int(void)
}
/*
- * RAND_close_seed_files() ensures that any seed file decriptors are
+ * RAND_close_seed_files() ensures that any seed file descriptors are
* closed after use.
*/
void RAND_keep_random_devices_open(int keep)
@@ -403,7 +403,7 @@ int RAND_poll(void)
} else {
/* fill random pool and seed the current legacy RNG */
- pool = rand_pool_new(RAND_DRBG_STRENGTH,
+ pool = rand_pool_new(RAND_DRBG_STRENGTH, 1,
(RAND_DRBG_STRENGTH + 7) / 8,
RAND_POOL_MAX_LENGTH);
if (pool == NULL)
@@ -430,9 +430,11 @@ err:
* Allocate memory and initialize a new random pool
*/
-RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
+RAND_POOL *rand_pool_new(int entropy_requested, int secure,
+ size_t min_len, size_t max_len)
{
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
+ size_t min_alloc_size = RAND_POOL_MIN_ALLOCATION(secure);
if (pool == NULL) {
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
@@ -442,14 +444,22 @@ RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
pool->min_len = min_len;
pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
RAND_POOL_MAX_LENGTH : max_len;
+ pool->alloc_len = min_len < min_alloc_size ? min_alloc_size : min_len;
+ if (pool->alloc_len > pool->max_len)
+ pool->alloc_len = pool->max_len;
+
+ if (secure)
+ pool->buffer = OPENSSL_secure_zalloc(pool->alloc_len);
+ else
+ pool->buffer = OPENSSL_zalloc(pool->alloc_len);
- pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
if (pool->buffer == NULL) {
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
goto err;
}
pool->entropy_requested = entropy_requested;
+ pool->secure = secure;
return pool;
@@ -484,7 +494,7 @@ RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
pool->attached = 1;
- pool->min_len = pool->max_len = pool->len;
+ pool->min_len = pool->max_len = pool->alloc_len = pool->len;
pool->entropy = entropy;
return pool;
@@ -504,8 +514,13 @@ void rand_pool_free(RAND_POOL *pool)
* to rand_pool_attach() as `const unsigned char*`.
* (see corresponding comment in rand_pool_attach()).
*/
- if (!pool->attached)
- OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
+ if (!pool->attached) {
+ if (pool->secure)
+ OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
+ else
+ OPENSSL_clear_free(pool->buffer, pool->alloc_len);
+ }
+
OPENSSL_free(pool);
}
@@ -598,6 +613,42 @@ size_t rand_pool_entropy_needed(RAND_POOL *pool)
return 0;
}
+/* Increase the allocation size -- not usable for an attached pool */
+static int rand_pool_grow(RAND_POOL *pool, size_t len)
+{
+ if (len > pool->alloc_len - pool->len) {
+ unsigned char *p;
+ const size_t limit = pool->max_len / 2;
+ size_t newlen = pool->alloc_len;
+
+ if (pool->attached || len > pool->max_len - pool->len) {
+ RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ do
+ newlen = newlen < limit ? newlen * 2 : pool->max_len;
+ while (len > newlen - pool->len);
+
+ if (pool->secure)
+ p = OPENSSL_secure_zalloc(newlen);
+ else
+ p = OPENSSL_zalloc(newlen);
+ if (p == NULL) {
+ RANDerr(RAND_F_RAND_POOL_GROW, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ memcpy(p, pool->buffer, pool->len);
+ if (pool->secure)
+ OPENSSL_secure_clear_free(pool->buffer, pool->alloc_len);
+ else
+ OPENSSL_clear_free(pool->buffer, pool->alloc_len);
+ pool->buffer = p;
+ pool->alloc_len = newlen;
+ }
+ return 1;
+}
+
/*
* Returns the number of bytes needed to fill the pool, assuming
* the input has 1 / |entropy_factor| entropy bits per data bit.
@@ -627,6 +678,24 @@ size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor)
/* to meet the min_len requirement */
bytes_needed = pool->min_len - pool->len;
+ /*
+ * Make sure the buffer is large enough for the requested amount
+ * of data. This guarantees that existing code patterns where
+ * rand_pool_add_begin, rand_pool_add_end or rand_pool_add
+ * are used to collect entropy data without any error handling
+ * whatsoever, continue to be valid.
+ * Furthermore if the allocation here fails once, make sure that
+ * we don't fall back to a less secure or even blocking random source,
+ * as that could happen by the existing code patterns.
+ * This is not a concern for additional data, therefore that
+ * is not needed if rand_pool_grow fails in other places.
+ */
+ if (!rand_pool_grow(pool, bytes_needed)) {
+ /* persistent error for this pool */
+ pool->max_len = pool->len = 0;
+ return 0;
+ }
+
return bytes_needed;
}
@@ -659,6 +728,27 @@ int rand_pool_add(RAND_POOL *pool,
}
if (len > 0) {
+ /*
+ * This is to protect us from accidentally passing the buffer
+ * returned from rand_pool_add_begin.
+ * The check for alloc_len makes sure we do not compare the
+ * address of the end of the allocated memory to something
+ * different, since that comparison would have an
+ * indeterminate result.
+ */
+ if (pool->alloc_len > pool->len && pool->buffer + pool->len == buffer) {
+ RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /*
+ * We have that only for cases when a pool is used to collect
+ * additional data.
+ * For entropy data, as long as the allocation request stays within
+ * the limits given by rand_pool_bytes_needed this rand_pool_grow
+ * below is guaranteed to succeed, thus no allocation happens.
+ */
+ if (!rand_pool_grow(pool, len))
+ return 0;
memcpy(pool->buffer + pool->len, buffer, len);
pool->len += len;
pool->entropy += entropy;
@@ -694,6 +784,18 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
return NULL;
}
+ /*
+ * As long as the allocation request stays within the limits given
+ * by rand_pool_bytes_needed this rand_pool_grow below is guaranteed
+ * to succeed, thus no allocation happens.
+ * We have that only for cases when a pool is used to collect
+ * additional data. Then the buffer might need to grow here,
+ * and of course the caller is responsible to check the return
+ * value of this function.
+ */
+ if (!rand_pool_grow(pool, len))
+ return NULL;
+
return pool->buffer + pool->len;
}
@@ -708,7 +810,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
*/
int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
{
- if (len > pool->max_len - pool->len) {
+ if (len > pool->alloc_len - pool->len) {
RANDerr(RAND_F_RAND_POOL_ADD_END, RAND_R_RANDOM_POOL_OVERFLOW);
return 0;
}
diff --git a/freebsd/crypto/openssl/crypto/rand/rand_unix.c b/freebsd/crypto/openssl/crypto/rand/rand_unix.c
index a5d658e..d92cea7 100644
--- a/freebsd/crypto/openssl/crypto/rand/rand_unix.c
+++ b/freebsd/crypto/openssl/crypto/rand/rand_unix.c
@@ -16,14 +16,19 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/rand.h>
+#include <openssl/crypto.h>
#include "rand_lcl.h"
#include "internal/rand_int.h"
#include <stdio.h>
#include "internal/dso.h"
-#if defined(__linux)
-# include <asm/unistd.h>
+#ifdef __linux
+# include <sys/syscall.h>
+# ifdef DEVRANDOM_WAIT
+# include <sys/shm.h>
+# include <sys/utsname.h>
+# endif
#endif
-#if defined(__FreeBSD__)
+#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
# include <sys/types.h>
# include <sys/sysctl.h>
# include <sys/param.h>
@@ -277,6 +282,17 @@ static ssize_t sysctl_random(char *buf, size_t buflen)
# endif
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
+
+# if defined(__linux) && !defined(__NR_getrandom)
+# if defined(__arm__) && defined(__NR_SYSCALL_BASE)
+# define __NR_getrandom (__NR_SYSCALL_BASE+384)
+# elif defined(__i386__)
+# define __NR_getrandom 355
+# elif defined(__x86_64__) && !defined(__ILP32__)
+# define __NR_getrandom 318
+# endif
+# endif
+
/*
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
@@ -348,6 +364,91 @@ static struct random_device {
} random_devices[OSSL_NELEM(random_device_paths)];
static int keep_random_devices_open = 1;
+# if defined(__linux) && defined(DEVRANDOM_WAIT)
+static void *shm_addr;
+
+static void cleanup_shm(void)
+{
+ shmdt(shm_addr);
+}
+
+/*
+ * Ensure that the system randomness source has been adequately seeded.
+ * This is done by having the first start of libcrypto, wait until the device
+ * /dev/random becomes able to supply a byte of entropy. Subsequent starts
+ * of the library and later reseedings do not need to do this.
+ */
+static int wait_random_seeded(void)
+{
+ static int seeded = OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID < 0;
+ static const int kernel_version[] = { DEVRANDOM_SAFE_KERNEL };
+ int kernel[2];
+ int shm_id, fd, r;
+ char c, *p;
+ struct utsname un;
+ fd_set fds;
+
+ if (!seeded) {
+ /* See if anything has created the global seeded indication */
+ if ((shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1, 0)) == -1) {
+ /*
+ * Check the kernel's version and fail if it is too recent.
+ *
+ * Linux kernels from 4.8 onwards do not guarantee that
+ * /dev/urandom is properly seeded when /dev/random becomes
+ * readable. However, such kernels support the getentropy(2)
+ * system call and this should always succeed which renders
+ * this alternative but essentially identical source moot.
+ */
+ if (uname(&un) == 0) {
+ kernel[0] = atoi(un.release);
+ p = strchr(un.release, '.');
+ kernel[1] = p == NULL ? 0 : atoi(p + 1);
+ if (kernel[0] > kernel_version[0]
+ || (kernel[0] == kernel_version[0]
+ && kernel[1] >= kernel_version[1])) {
+ return 0;
+ }
+ }
+ /* Open /dev/random and wait for it to be readable */
+ if ((fd = open(DEVRANDOM_WAIT, O_RDONLY)) != -1) {
+ if (DEVRANDM_WAIT_USE_SELECT && fd < FD_SETSIZE) {
+ FD_ZERO(&fds);
+ FD_SET(fd, &fds);
+ while ((r = select(fd + 1, &fds, NULL, NULL, NULL)) < 0
+ && errno == EINTR);
+ } else {
+ while ((r = read(fd, &c, 1)) < 0 && errno == EINTR);
+ }
+ close(fd);
+ if (r == 1) {
+ seeded = 1;
+ /* Create the shared memory indicator */
+ shm_id = shmget(OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID, 1,
+ IPC_CREAT | S_IRUSR | S_IRGRP | S_IROTH);
+ }
+ }
+ }
+ if (shm_id != -1) {
+ seeded = 1;
+ /*
+ * Map the shared memory to prevent its premature destruction.
+ * If this call fails, it isn't a big problem.
+ */
+ shm_addr = shmat(shm_id, NULL, SHM_RDONLY);
+ if (shm_addr != (void *)-1)
+ OPENSSL_atexit(&cleanup_shm);
+ }
+ }
+ return seeded;
+}
+# else /* defined __linux */
+static int wait_random_seeded(void)
+{
+ return 1;
+}
+# endif
+
/*
* Verify that the file descriptor associated with the random source is
* still valid. The rationale for doing this is the fact that it is not
@@ -474,12 +575,12 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# if defined(OPENSSL_RAND_SEED_NONE)
return rand_pool_entropy_available(pool);
# else
- size_t bytes_needed;
- size_t entropy_available = 0;
- unsigned char *buffer;
+ size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
+ size_t bytes_needed;
+ unsigned char *buffer;
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
int attempts = 3;
@@ -509,36 +610,16 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# endif
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
- bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
- {
+ if (wait_random_seeded()) {
+ size_t bytes_needed;
+ unsigned char *buffer;
size_t i;
-#ifdef DEVRANDOM_WAIT
- static int wait_done = 0;
- /*
- * On some implementations reading from /dev/urandom is possible
- * before it is initialized. Therefore we wait for /dev/random
- * to be readable to make sure /dev/urandom is initialized.
- */
- if (!wait_done && bytes_needed > 0) {
- int f = open(DEVRANDOM_WAIT, O_RDONLY);
-
- if (f >= 0) {
- fd_set fds;
-
- FD_ZERO(&fds);
- FD_SET(f, &fds);
- while (select(f+1, &fds, NULL, NULL, NULL) < 0
- && errno == EINTR);
- close(f);
- }
- wait_done = 1;
- }
-#endif
-
- for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths); i++) {
+ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ for (i = 0; bytes_needed > 0 && i < OSSL_NELEM(random_device_paths);
+ i++) {
ssize_t bytes = 0;
- /* Maximum allowed number of consecutive unsuccessful attempts */
+ /* Maximum number of consecutive unsuccessful attempts */
int attempts = 3;
const int fd = get_random_device(i);
@@ -552,7 +633,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
- attempts = 3; /* reset counter after successful attempt */
+ attempts = 3; /* reset counter on successful attempt */
} else if (bytes < 0 && errno != EINTR) {
break;
}
@@ -560,7 +641,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
if (bytes < 0 || !keep_random_devices_open)
close_random_device(i);
- bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ bytes_needed = rand_pool_bytes_needed(pool, 1);
}
entropy_available = rand_pool_entropy_available(pool);
if (entropy_available > 0)
@@ -581,26 +662,29 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
# endif
# if defined(OPENSSL_RAND_SEED_EGD)
- bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
- if (bytes_needed > 0) {
+ {
static const char *paths[] = { DEVRANDOM_EGD, NULL };
+ size_t bytes_needed;
+ unsigned char *buffer;
int i;
- for (i = 0; paths[i] != NULL; i++) {
+ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ for (i = 0; bytes_needed > 0 && paths[i] != NULL; i++) {
+ size_t bytes = 0;
+ int num;
+
buffer = rand_pool_add_begin(pool, bytes_needed);
- if (buffer != NULL) {
- size_t bytes = 0;
- int num = RAND_query_egd_bytes(paths[i],
- buffer, (int)bytes_needed);
- if (num == (int)bytes_needed)
- bytes = bytes_needed;
+ num = RAND_query_egd_bytes(paths[i],
+ buffer, (int)bytes_needed);
+ if (num == (int)bytes_needed)
+ bytes = bytes_needed;
- rand_pool_add_end(pool, bytes, 8 * bytes);
- entropy_available = rand_pool_entropy_available(pool);
- }
- if (entropy_available > 0)
- return entropy_available;
+ rand_pool_add_end(pool, bytes, 8 * bytes);
+ bytes_needed = rand_pool_bytes_needed(pool, 1);
}
+ entropy_available = rand_pool_entropy_available(pool);
+ if (entropy_available > 0)
+ return entropy_available;
}
# endif
@@ -634,15 +718,18 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
int rand_pool_add_additional_data(RAND_POOL *pool)
{
struct {
+ int fork_id;
CRYPTO_THREAD_ID tid;
uint64_t time;
} data = { 0 };
/*
* Add some noise from the thread id and a high resolution timer.
+ * The fork_id adds some extra fork-safety.
* The thread id adds a little randomness if the drbg is accessed
* concurrently (which is the case for the <master> drbg).
*/
+ data.fork_id = openssl_get_fork_id();
data.tid = CRYPTO_THREAD_get_current_id();
data.time = get_timer_bits();
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
index a23e248..6ab1c14 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
@@ -460,6 +460,9 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
{
X509_ALGOR *alg = NULL;
+ const EVP_MD *md;
+ const EVP_MD *mgf1md;
+ int min_saltlen;
switch (op) {
@@ -499,6 +502,16 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
#endif
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+ if (pkey->pkey.rsa->pss != NULL) {
+ if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md,
+ &min_saltlen)) {
+ RSAerr(0, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ *(int *)arg2 = EVP_MD_type(md);
+ /* Return of 2 indicates this MD is mandatory */
+ return 2;
+ }
*(int *)arg2 = NID_sha256;
return 1;
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_err.c b/freebsd/crypto/openssl/crypto/rsa/rsa_err.c
index 3000019..e7a3c06 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_err.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -176,6 +176,8 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MGF1_DIGEST_NOT_ALLOWED),
"mgf1 digest not allowed"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MISSING_PRIVATE_KEY),
+ "missing private key"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R),
"mp coefficient not inverse of r"},
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c b/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c
index 22d99bb..86b0efc 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_gen.c
@@ -252,7 +252,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
*
* This strategy has the following goals:
*
- * 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
+ * 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
* 2. stay the same logic with normal 2-prime key
*/
bitse -= bitsr[i];
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c b/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c
index c0edd05..cf2abae 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -200,6 +200,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
+ BN_set_flags(r->d, BN_FLG_CONSTTIME);
}
return 1;
@@ -217,10 +218,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
+ BN_set_flags(r->p, BN_FLG_CONSTTIME);
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
+ BN_set_flags(r->q, BN_FLG_CONSTTIME);
}
return 1;
@@ -239,14 +242,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
+ BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
+ BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
+ BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
}
return 1;
@@ -278,12 +284,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
if (pinfo == NULL)
goto err;
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
- BN_free(pinfo->r);
- BN_free(pinfo->d);
- BN_free(pinfo->t);
+ BN_clear_free(pinfo->r);
+ BN_clear_free(pinfo->d);
+ BN_clear_free(pinfo->t);
pinfo->r = primes[i];
pinfo->d = exps[i];
pinfo->t = coeffs[i];
+ BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
+ BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
+ BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
} else {
rsa_multip_info_free(pinfo);
goto err;
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
index 2c9ded7..2c67ac2 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
@@ -323,6 +323,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
+ if (rsa->d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
+ BN_free(d);
+ goto err;
+ }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
@@ -440,6 +445,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
+ if (rsa->d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_MISSING_PRIVATE_KEY);
+ BN_free(d);
+ goto err;
+ }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
diff --git a/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c b/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c
index 1f912db..2d36d2a 100644
--- a/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c
+++ b/freebsd/crypto/openssl/crypto/sm2/sm2_sign.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017 Ribose Inc. All Rights Reserved.
* Ported from Ribose contributions from Botan.
*
@@ -315,12 +315,12 @@ static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig,
/*
* B1: verify whether r' in [1,n-1], verification failed if not
- * B2: vefify whether s' in [1,n-1], verification failed if not
+ * B2: verify whether s' in [1,n-1], verification failed if not
* B3: set M'~=ZA || M'
* B4: calculate e'=Hv(M'~)
* B5: calculate t = (r' + s') modn, verification failed if t=0
* B6: calculate the point (x1', y1')=[s']G + [t]PA
- * B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed
+ * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
*/
ECDSA_SIG_get0(sig, &r, &s);
diff --git a/freebsd/crypto/openssl/crypto/store/loader_file.c b/freebsd/crypto/openssl/crypto/store/loader_file.c
index f2887bb..8485e46 100644
--- a/freebsd/crypto/openssl/crypto/store/loader_file.c
+++ b/freebsd/crypto/openssl/crypto/store/loader_file.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -174,7 +174,7 @@ typedef OSSL_STORE_INFO *(*file_try_decode_fn)(const char *pem_name,
typedef int (*file_eof_fn)(void *handler_ctx);
/*
* The destroy_ctx function is used to destroy the handler_ctx that was
- * intiated by a repeatable try_decode fuction. This is only used when
+ * initiated by a repeatable try_decode function. This is only used when
* the handler is marked repeatable.
*/
typedef void (*file_destroy_ctx_fn)(void **handler_ctx);
@@ -472,7 +472,7 @@ static FILE_HANDLER PrivateKey_handler = {
};
/*
- * Public key decoder. Only supports SubjectPublicKeyInfo formated keys.
+ * Public key decoder. Only supports SubjectPublicKeyInfo formatted keys.
*/
static OSSL_STORE_INFO *try_decode_PUBKEY(const char *pem_name,
const char *pem_header,
@@ -862,10 +862,10 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
if (ctx->_.dir.last_entry == NULL) {
if (ctx->_.dir.last_errno != 0) {
char errbuf[256];
- errno = ctx->_.dir.last_errno;
- openssl_strerror_r(errno, errbuf, sizeof(errbuf));
OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN, ERR_R_SYS_LIB);
- ERR_add_error_data(1, errbuf);
+ errno = ctx->_.dir.last_errno;
+ if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
+ ERR_add_error_data(1, errbuf);
goto err;
}
ctx->_.dir.end_reached = 1;
@@ -1262,11 +1262,11 @@ static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx,
if (!ctx->_.dir.end_reached) {
char errbuf[256];
assert(ctx->_.dir.last_errno != 0);
+ OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_SYS_LIB);
errno = ctx->_.dir.last_errno;
ctx->errcnt++;
- openssl_strerror_r(errno, errbuf, sizeof(errbuf));
- OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_SYS_LIB);
- ERR_add_error_data(1, errbuf);
+ if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
+ ERR_add_error_data(1, errbuf);
}
return NULL;
}
diff --git a/freebsd/crypto/openssl/crypto/store/store_lib.c b/freebsd/crypto/openssl/crypto/store/store_lib.c
index 7c6b55e..5c83260 100644
--- a/freebsd/crypto/openssl/crypto/store/store_lib.c
+++ b/freebsd/crypto/openssl/crypto/store/store_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -230,7 +230,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
* Functions to generate OSSL_STORE_INFOs, one function for each type we
* support having in them as well as a generic constructor.
*
- * In all cases, ownership of the object is transfered to the OSSL_STORE_INFO
+ * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
* and will therefore be freed when the OSSL_STORE_INFO is freed.
*/
static OSSL_STORE_INFO *store_info_new(int type, void *data)
diff --git a/freebsd/crypto/openssl/crypto/threads_none.c b/freebsd/crypto/openssl/crypto/threads_none.c
index 988210f..223f736 100644
--- a/freebsd/crypto/openssl/crypto/threads_none.c
+++ b/freebsd/crypto/openssl/crypto/threads_none.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,11 @@
#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+# endif
+
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
{
CRYPTO_RWLOCK *lock;
@@ -135,4 +140,12 @@ int openssl_init_fork_handlers(void)
return 0;
}
+int openssl_get_fork_id(void)
+{
+# if defined(OPENSSL_SYS_UNIX)
+ return getpid();
+# else
+ return return 0;
+# endif
+}
#endif
diff --git a/freebsd/crypto/openssl/crypto/threads_pthread.c b/freebsd/crypto/openssl/crypto/threads_pthread.c
index 9a4514f..89f74ae 100644
--- a/freebsd/crypto/openssl/crypto/threads_pthread.c
+++ b/freebsd/crypto/openssl/crypto/threads_pthread.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -14,6 +14,11 @@
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+#endif
+
# ifdef PTHREAD_RWLOCK_INITIALIZER
# define USE_RWLOCK
# endif
@@ -196,4 +201,9 @@ int openssl_init_fork_handlers(void)
# endif
return 0;
}
+
+int openssl_get_fork_id(void)
+{
+ return getpid();
+}
#endif
diff --git a/freebsd/crypto/openssl/crypto/ui/ui_lib.c b/freebsd/crypto/openssl/crypto/ui/ui_lib.c
index 3f01a4e..aab3054 100644
--- a/freebsd/crypto/openssl/crypto/ui/ui_lib.c
+++ b/freebsd/crypto/openssl/crypto/ui/ui_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -502,6 +502,7 @@ int UI_process(UI *ui)
if (ui->meth->ui_flush != NULL)
switch (ui->meth->ui_flush(ui)) {
case -1: /* Interrupt/Cancel/something... */
+ ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
case 0: /* Errors */
@@ -519,6 +520,7 @@ int UI_process(UI *ui)
sk_UI_STRING_value(ui->strings,
i))) {
case -1: /* Interrupt/Cancel/something... */
+ ui->flags &= ~UI_FLAG_REDOABLE;
ok = -2;
goto err;
case 0: /* Errors */
diff --git a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
index 5edcec1..03596ee 100644
--- a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
+++ b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
@@ -81,7 +81,7 @@
* systems that require something different.
*
* Note: we do not use SGTTY unless it's defined by the configuration. We
- * may eventually opt to remove it's use entirely.
+ * may eventually opt to remove its use entirely.
*/
# if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
diff --git a/freebsd/crypto/openssl/crypto/uid.c b/freebsd/crypto/openssl/crypto/uid.c
index b51a685..3b59944 100644
--- a/freebsd/crypto/openssl/crypto/uid.c
+++ b/freebsd/crypto/openssl/crypto/uid.c
@@ -12,20 +12,20 @@
#include <openssl/crypto.h>
#include <openssl/opensslconf.h>
-#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
-
-# include OPENSSL_UNISTD
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
int OPENSSL_issetugid(void)
{
- return issetugid();
+ return 0;
}
-#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
+
+# include OPENSSL_UNISTD
int OPENSSL_issetugid(void)
{
- return 0;
+ return issetugid();
}
#else
diff --git a/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c b/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c
index 69e8486..924d0c1 100644
--- a/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c
+++ b/freebsd/crypto/openssl/crypto/whrlpool/wp_block.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -89,6 +89,7 @@ typedef unsigned long long u64;
#ifndef PEDANTIC
# if defined(_MSC_VER)
# if defined(_WIN64) /* applies to both IA-64 and AMD64 */
+# include <stdlib.h>
# pragma intrinsic(_rotl64)
# define ROTATE(a,n) _rotl64((a),n)
# endif
diff --git a/freebsd/crypto/openssl/crypto/x509/by_dir.c b/freebsd/crypto/openssl/crypto/x509/by_dir.c
index e05e72a..6d9f3f4 100644
--- a/freebsd/crypto/openssl/crypto/x509/by_dir.c
+++ b/freebsd/crypto/openssl/crypto/x509/by_dir.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -329,10 +329,10 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
/*
* we have added it to the cache so now pull it out again
*/
- CRYPTO_THREAD_write_lock(ctx->lock);
+ X509_STORE_lock(xl->store_ctx);
j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
- CRYPTO_THREAD_unlock(ctx->lock);
+ X509_STORE_unlock(xl->store_ctx);
/* If a CRL, update the last file suffix added for this */
diff --git a/freebsd/crypto/openssl/crypto/x509/t_req.c b/freebsd/crypto/openssl/crypto/x509/t_req.c
index b0d261f..f6cc6d6 100644
--- a/freebsd/crypto/openssl/crypto/x509/t_req.c
+++ b/freebsd/crypto/openssl/crypto/x509/t_req.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -129,6 +129,10 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
+ if (count == 0) {
+ X509err(X509_F_X509_REQ_PRINT_EX, X509_R_INVALID_ATTRIBUTES);
+ return 0;
+ }
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_att.c b/freebsd/crypto/openssl/crypto/x509/x509_att.c
index 921ff6f..37afa34 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_att.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_att.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -316,7 +316,9 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
if (!ttmp)
return NULL;
- if (atrtype != ASN1_TYPE_get(ttmp)) {
+ if (atrtype == V_ASN1_BOOLEAN
+ || atrtype == V_ASN1_NULL
+ || atrtype != ASN1_TYPE_get(ttmp)) {
X509err(X509_F_X509_ATTRIBUTE_GET0_DATA, X509_R_WRONG_TYPE);
return NULL;
}
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_cmp.c b/freebsd/crypto/openssl/crypto/x509/x509_cmp.c
index 74838f5..ba348f8 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_cmp.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_cmp.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -452,9 +452,17 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
STACK_OF(X509) *ret;
int i;
ret = sk_X509_dup(chain);
+ if (ret == NULL)
+ return NULL;
for (i = 0; i < sk_X509_num(ret); i++) {
X509 *x = sk_X509_value(ret, i);
- X509_up_ref(x);
+ if (!X509_up_ref(x))
+ goto err;
}
return ret;
+ err:
+ while (i-- > 0)
+ X509_free (sk_X509_value(ret, i));
+ sk_X509_free(ret);
+ return NULL;
}
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_err.c b/freebsd/crypto/openssl/crypto/x509/x509_err.c
index 9509fc1..8a6ff0d 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_err.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -125,6 +125,8 @@ static const ERR_STRING_DATA X509_str_reasons[] = {
{ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE),
"crl verify failure"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_IDP_MISMATCH), "idp mismatch"},
+ {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_ATTRIBUTES),
+ "invalid attributes"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_DIRECTORY), "invalid directory"},
{ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_FIELD_NAME),
"invalid field name"},
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_lu.c b/freebsd/crypto/openssl/crypto/x509/x509_lu.c
index 42010e6..b4a7616 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_lu.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_lu.c
@@ -291,24 +291,25 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
X509_NAME *name, X509_OBJECT *ret)
{
- X509_STORE *ctx = vs->ctx;
+ X509_STORE *store = vs->ctx;
X509_LOOKUP *lu;
X509_OBJECT stmp, *tmp;
int i, j;
- if (ctx == NULL)
+ if (store == NULL)
return 0;
stmp.type = X509_LU_NONE;
stmp.data.ptr = NULL;
- CRYPTO_THREAD_write_lock(ctx->lock);
- tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
- CRYPTO_THREAD_unlock(ctx->lock);
+
+ X509_STORE_lock(store);
+ tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name);
+ X509_STORE_unlock(store);
if (tmp == NULL || type == X509_LU_CRL) {
- for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
- lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
+ for (i = 0; i < sk_X509_LOOKUP_num(store->get_cert_methods); i++) {
+ lu = sk_X509_LOOKUP_value(store->get_cert_methods, i);
j = X509_LOOKUP_by_subject(lu, type, name, &stmp);
if (j) {
tmp = &stmp;
@@ -319,15 +320,16 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
return 0;
}
+ if (!X509_OBJECT_up_ref_count(tmp))
+ return 0;
+
ret->type = tmp->type;
ret->data.ptr = tmp->data.ptr;
- X509_OBJECT_up_ref_count(ret);
-
return 1;
}
-static int x509_store_add(X509_STORE *ctx, void *x, int crl) {
+static int x509_store_add(X509_STORE *store, void *x, int crl) {
X509_OBJECT *obj;
int ret = 0, added = 0;
@@ -344,18 +346,20 @@ static int x509_store_add(X509_STORE *ctx, void *x, int crl) {
obj->type = X509_LU_X509;
obj->data.x509 = (X509 *)x;
}
- X509_OBJECT_up_ref_count(obj);
-
- CRYPTO_THREAD_write_lock(ctx->lock);
+ if (!X509_OBJECT_up_ref_count(obj)) {
+ obj->type = X509_LU_NONE;
+ X509_OBJECT_free(obj);
+ return 0;
+ }
- if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
+ X509_STORE_lock(store);
+ if (X509_OBJECT_retrieve_match(store->objs, obj)) {
ret = 1;
} else {
- added = sk_X509_OBJECT_push(ctx->objs, obj);
+ added = sk_X509_OBJECT_push(store->objs, obj);
ret = added != 0;
}
-
- CRYPTO_THREAD_unlock(ctx->lock);
+ X509_STORE_unlock(store);
if (added == 0) /* obj not pushed */
X509_OBJECT_free(obj);
@@ -536,12 +540,13 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509) *sk = NULL;
X509 *x;
X509_OBJECT *obj;
+ X509_STORE *store = ctx->ctx;
- if (ctx->ctx == NULL)
+ if (store == NULL)
return NULL;
- CRYPTO_THREAD_write_lock(ctx->ctx->lock);
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
+ X509_STORE_lock(store);
+ idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
/*
* Nothing found in cache: do lookup to possibly add new objects to
@@ -549,7 +554,8 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
*/
X509_OBJECT *xobj = X509_OBJECT_new();
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
+
if (xobj == NULL)
return NULL;
if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) {
@@ -557,27 +563,31 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
return NULL;
}
X509_OBJECT_free(xobj);
- CRYPTO_THREAD_write_lock(ctx->ctx->lock);
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
+ X509_STORE_lock(store);
+ idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
return NULL;
}
}
sk = sk_X509_new_null();
for (i = 0; i < cnt; i++, idx++) {
- obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
+ obj = sk_X509_OBJECT_value(store->objs, idx);
x = obj->data.x509;
- X509_up_ref(x);
+ if (!X509_up_ref(x)) {
+ X509_STORE_unlock(store);
+ sk_X509_pop_free(sk, X509_free);
+ return NULL;
+ }
if (!sk_X509_push(sk, x)) {
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return NULL;
}
}
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
return sk;
}
@@ -587,37 +597,42 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
X509_CRL *x;
X509_OBJECT *obj, *xobj = X509_OBJECT_new();
+ X509_STORE *store = ctx->ctx;
/* Always do lookup to possibly add new CRLs to cache */
if (sk == NULL
|| xobj == NULL
- || ctx->ctx == NULL
+ || store == NULL
|| !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
X509_OBJECT_free(xobj);
sk_X509_CRL_free(sk);
return NULL;
}
X509_OBJECT_free(xobj);
- CRYPTO_THREAD_write_lock(ctx->ctx->lock);
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
+ X509_STORE_lock(store);
+ idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt);
if (idx < 0) {
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
sk_X509_CRL_free(sk);
return NULL;
}
for (i = 0; i < cnt; i++, idx++) {
- obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
+ obj = sk_X509_OBJECT_value(store->objs, idx);
x = obj->data.crl;
- X509_CRL_up_ref(x);
+ if (!X509_CRL_up_ref(x)) {
+ X509_STORE_unlock(store);
+ sk_X509_CRL_pop_free(sk, X509_CRL_free);
+ return NULL;
+ }
if (!sk_X509_CRL_push(sk, x)) {
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
X509_CRL_free(x);
sk_X509_CRL_pop_free(sk, X509_CRL_free);
return NULL;
}
}
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
+ X509_STORE_unlock(store);
return sk;
}
@@ -665,6 +680,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
X509_NAME *xn;
X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
+ X509_STORE *store = ctx->ctx;
int i, ok, idx, ret;
if (obj == NULL)
@@ -680,25 +696,28 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
if (ctx->check_issued(ctx, x, obj->data.x509)) {
if (x509_check_cert_time(ctx, obj->data.x509, -1)) {
*issuer = obj->data.x509;
- X509_up_ref(*issuer);
+ if (!X509_up_ref(*issuer)) {
+ *issuer = NULL;
+ ok = -1;
+ }
X509_OBJECT_free(obj);
- return 1;
+ return ok;
}
}
X509_OBJECT_free(obj);
- if (ctx->ctx == NULL)
+ if (store == NULL)
return 0;
/* Else find index of first cert accepted by 'check_issued' */
ret = 0;
- CRYPTO_THREAD_write_lock(ctx->ctx->lock);
- idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+ X509_STORE_lock(store);
+ idx = X509_OBJECT_idx_by_subject(store->objs, X509_LU_X509, xn);
if (idx != -1) { /* should be true as we've had at least one
* match */
/* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
- pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+ for (i = idx; i < sk_X509_OBJECT_num(store->objs); i++) {
+ pobj = sk_X509_OBJECT_value(store->objs, i);
/* See if we've run past the matches */
if (pobj->type != X509_LU_X509)
break;
@@ -719,9 +738,11 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
}
}
}
- CRYPTO_THREAD_unlock(ctx->ctx->lock);
- if (*issuer)
- X509_up_ref(*issuer);
+ if (*issuer && !X509_up_ref(*issuer)) {
+ *issuer = NULL;
+ ret = -1;
+ }
+ X509_STORE_unlock(store);
return ret;
}
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
index 7614e8a..036d0d8 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1790,7 +1790,11 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
ASN1_TIME *asn1_cmp_time = NULL;
int i, day, sec, ret = 0;
-
+#ifdef CHARSET_EBCDIC
+ const char upper_z = 0x5A;
+#else
+ const char upper_z = 'Z';
+#endif
/*
* Note that ASN.1 allows much more slack in the time format than RFC5280.
* In RFC5280, the representation is fixed:
@@ -1821,10 +1825,10 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
* Digit and date ranges will be verified in the conversion methods.
*/
for (i = 0; i < ctm->length - 1; i++) {
- if (!ossl_isdigit(ctm->data[i]))
+ if (!ascii_isdigit(ctm->data[i]))
return 0;
}
- if (ctm->data[ctm->length - 1] != 'Z')
+ if (ctm->data[ctm->length - 1] != upper_z)
return 0;
/*
diff --git a/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c b/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c
index cf02a77..d749f08 100644
--- a/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c
+++ b/freebsd/crypto/openssl/crypto/x509v3/v3_alt.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -159,15 +159,18 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
break;
case GEN_EMAIL:
- BIO_printf(out, "email:%s", gen->d.ia5->data);
+ BIO_printf(out, "email:");
+ ASN1_STRING_print(out, gen->d.ia5);
break;
case GEN_DNS:
- BIO_printf(out, "DNS:%s", gen->d.ia5->data);
+ BIO_printf(out, "DNS:");
+ ASN1_STRING_print(out, gen->d.ia5);
break;
case GEN_URI:
- BIO_printf(out, "URI:%s", gen->d.ia5->data);
+ BIO_printf(out, "URI:");
+ ASN1_STRING_print(out, gen->d.ia5);
break;
case GEN_DIRNAME:
diff --git a/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c b/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c
index a23a0ed..56f8285 100644
--- a/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c
+++ b/freebsd/crypto/openssl/crypto/x509v3/v3_purp.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -873,6 +873,20 @@ const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
return (x->akid != NULL ? x->akid->keyid : NULL);
}
+const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return (x->akid != NULL ? x->akid->issuer : NULL);
+}
+
+const ASN1_INTEGER *X509_get0_authority_serial(X509 *x)
+{
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(x, -1, -1);
+ return (x->akid != NULL ? x->akid->serial : NULL);
+}
+
long X509_get_pathlen(X509 *x)
{
/* Called for side effect of caching extensions */
diff --git a/freebsd/crypto/openssl/e_os.h b/freebsd/crypto/openssl/e_os.h
index e9ce6c9..858bc40 100644
--- a/freebsd/crypto/openssl/e_os.h
+++ b/freebsd/crypto/openssl/e_os.h
@@ -28,8 +28,34 @@
* default, we will try to read at least one of these files
*/
# define DEVRANDOM "/dev/urandom", "/dev/random", "/dev/hwrng", "/dev/srandom"
-# ifdef __linux
-# define DEVRANDOM_WAIT "/dev/random"
+# if defined(__linux) && !defined(__ANDROID__)
+# ifndef DEVRANDOM_WAIT
+# define DEVRANDOM_WAIT "/dev/random"
+# endif
+/*
+ * Linux kernels 4.8 and later changes how their random device works and there
+ * is no reliable way to tell that /dev/urandom has been seeded -- getentropy(2)
+ * should be used instead.
+ */
+# ifndef DEVRANDOM_SAFE_KERNEL
+# define DEVRANDOM_SAFE_KERNEL 4, 8
+# endif
+/*
+ * Some operating systems do not permit select(2) on their random devices,
+ * defining this to zero will force the used of read(2) to extract one byte
+ * from /dev/random.
+ */
+# ifndef DEVRANDM_WAIT_USE_SELECT
+# define DEVRANDM_WAIT_USE_SELECT 1
+# endif
+/*
+ * Define the shared memory identifier used to indicate if the operating
+ * system has properly seeded the DEVRANDOM source.
+ */
+# ifndef OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID
+# define OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID 114
+# endif
+
# endif
# endif
# if !defined(OPENSSL_NO_EGD) && !defined(DEVRANDOM_EGD)
diff --git a/freebsd/crypto/openssl/include/internal/constant_time_locl.h b/freebsd/crypto/openssl/include/internal/constant_time_locl.h
index cde30f4..0193a65 100644
--- a/freebsd/crypto/openssl/include/internal/constant_time_locl.h
+++ b/freebsd/crypto/openssl/include/internal/constant_time_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -213,18 +213,72 @@ static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
+/*
+ * Returns the value unmodified, but avoids optimizations.
+ * The barriers prevent the compiler from narrowing down the
+ * possible value range of the mask and ~mask in the select
+ * statements, which avoids the recognition of the select
+ * and turning it into a conditional load or branch.
+ */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ unsigned int r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile unsigned int r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint32_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint32_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint64_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint64_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for size_t. */
+static ossl_inline size_t value_barrier_s(size_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ size_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile size_t r = a;
+#endif
+ return r;
+}
+
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline size_t constant_time_select_s(size_t mask,
size_t a,
size_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -249,13 +303,13 @@ static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b)
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
uint32_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
}
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
uint64_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
}
/*
diff --git a/freebsd/crypto/openssl/include/internal/cryptlib.h b/freebsd/crypto/openssl/include/internal/cryptlib.h
index b4d76d5..23e17e5 100644
--- a/freebsd/crypto/openssl/include/internal/cryptlib.h
+++ b/freebsd/crypto/openssl/include/internal/cryptlib.h
@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
void OPENSSL_showfatal(const char *fmta, ...);
void crypto_cleanup_all_ex_data_int(void);
int openssl_init_fork_handlers(void);
+int openssl_get_fork_id(void);
char *ossl_safe_getenv(const char *name);
diff --git a/freebsd/crypto/openssl/include/internal/dsoerr.h b/freebsd/crypto/openssl/include/internal/dsoerr.h
index 0edf277..5f4511c 100644
--- a/freebsd/crypto/openssl/include/internal/dsoerr.h
+++ b/freebsd/crypto/openssl/include/internal/dsoerr.h
@@ -11,7 +11,9 @@
#ifndef HEADER_DSOERR_H
# define HEADER_DSOERR_H
-# include <openssl/opensslconf.h>
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
# ifdef __cplusplus
extern "C"
diff --git a/freebsd/crypto/openssl/include/internal/refcount.h b/freebsd/crypto/openssl/include/internal/refcount.h
index d2364c6..6e1a840 100644
--- a/freebsd/crypto/openssl/include/internal/refcount.h
+++ b/freebsd/crypto/openssl/include/internal/refcount.h
@@ -105,7 +105,7 @@ static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock)
# if _WIN32_WCE >= 0x600
extern long __cdecl _InterlockedExchangeAdd(long volatile*, long);
# else
- // under Windows CE we still have old-style Interlocked* functions
+ /* under Windows CE we still have old-style Interlocked* functions */
extern long __cdecl InterlockedExchangeAdd(long volatile*, long);
# define _InterlockedExchangeAdd InterlockedExchangeAdd
# endif
diff --git a/freebsd/crypto/openssl/include/internal/thread_once.h b/freebsd/crypto/openssl/include/internal/thread_once.h
index 8a25d04..8f8aa6e 100644
--- a/freebsd/crypto/openssl/include/internal/thread_once.h
+++ b/freebsd/crypto/openssl/include/internal/thread_once.h
@@ -72,7 +72,7 @@
* function defined via DEFINE_ONCE_STATIC where both functions use the same
* CRYPTO_ONCE object to synchronise. Where an alternative initialiser function
* is used only one of the primary or the alternative initialiser function will
- * ever be called - and that function will be called exactly once. Definitition
+ * ever be called - and that function will be called exactly once. Definition
* of an alternative initialiser function MUST occur AFTER the definition of the
* primary initialiser function.
*
diff --git a/freebsd/crypto/openssl/include/internal/tsan_assist.h b/freebsd/crypto/openssl/include/internal/tsan_assist.h
index d41ebb3..cc30162 100644
--- a/freebsd/crypto/openssl/include/internal/tsan_assist.h
+++ b/freebsd/crypto/openssl/include/internal/tsan_assist.h
@@ -18,7 +18,7 @@
* if (var == NOT_YET_INITIALIZED)
* var = function_returning_same_value();
*
- * This does work provided that loads and stores are single-instuction
+ * This does work provided that loads and stores are single-instruction
* operations (and integer ones are on *all* supported platforms), but
* it upsets Thread Sanitizer. Suggested solution is
*
diff --git a/freebsd/crypto/openssl/include/openssl/asn1err.h b/freebsd/crypto/openssl/include/openssl/asn1err.h
index 5a91126..faed5a5 100644
--- a/freebsd/crypto/openssl/include/openssl/asn1err.h
+++ b/freebsd/crypto/openssl/include/openssl/asn1err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_ASN1ERR_H
# define HEADER_ASN1ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/asyncerr.h b/freebsd/crypto/openssl/include/openssl/asyncerr.h
index 5497ba7..91afbbb 100644
--- a/freebsd/crypto/openssl/include/openssl/asyncerr.h
+++ b/freebsd/crypto/openssl/include/openssl/asyncerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_ASYNCERR_H
# define HEADER_ASYNCERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/bio.h b/freebsd/crypto/openssl/include/openssl/bio.h
index 2888b42..e1fddfb 100644
--- a/freebsd/crypto/openssl/include/openssl/bio.h
+++ b/freebsd/crypto/openssl/include/openssl/bio.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -20,10 +20,6 @@
# include <openssl/crypto.h>
# include <openssl/bioerr.h>
-# ifndef OPENSSL_NO_SCTP
-# include <openssl/e_os2.h>
-# endif
-
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/freebsd/crypto/openssl/include/openssl/bioerr.h b/freebsd/crypto/openssl/include/openssl/bioerr.h
index f119a59..46e2c96 100644
--- a/freebsd/crypto/openssl/include/openssl/bioerr.h
+++ b/freebsd/crypto/openssl/include/openssl/bioerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_BIOERR_H
# define HEADER_BIOERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/bnerr.h b/freebsd/crypto/openssl/include/openssl/bnerr.h
index 8a022cc..9f3c7cf 100644
--- a/freebsd/crypto/openssl/include/openssl/bnerr.h
+++ b/freebsd/crypto/openssl/include/openssl/bnerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_BNERR_H
# define HEADER_BNERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/buffererr.h b/freebsd/crypto/openssl/include/openssl/buffererr.h
index 3aee132..04f6ff7 100644
--- a/freebsd/crypto/openssl/include/openssl/buffererr.h
+++ b/freebsd/crypto/openssl/include/openssl/buffererr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_BUFERR_H
# define HEADER_BUFERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/cms.h b/freebsd/crypto/openssl/include/openssl/cms.h
index ddf37e5..c762796 100644
--- a/freebsd/crypto/openssl/include/openssl/cms.h
+++ b/freebsd/crypto/openssl/include/openssl/cms.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -284,8 +284,6 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
int lastpos, int type);
-# ifdef HEADER_X509V3_H
-
int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
int allorfirst,
@@ -298,7 +296,6 @@ void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr,
int *pallorfirst,
STACK_OF(GENERAL_NAMES) **plist,
STACK_OF(GENERAL_NAMES) **prto);
-# endif
int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri,
X509_ALGOR **palg,
ASN1_OCTET_STRING **pukm);
diff --git a/freebsd/crypto/openssl/include/openssl/cmserr.h b/freebsd/crypto/openssl/include/openssl/cmserr.h
index 3f8ae26..7dbc13d 100644
--- a/freebsd/crypto/openssl/include/openssl/cmserr.h
+++ b/freebsd/crypto/openssl/include/openssl/cmserr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_CMSERR_H
# define HEADER_CMSERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CMS
@@ -101,6 +105,7 @@ int ERR_load_CMS_strings(void);
# define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 153
# define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 154
# define CMS_F_CMS_SIGN_RECEIPT 163
+# define CMS_F_CMS_SI_CHECK_ATTRIBUTES 183
# define CMS_F_CMS_STREAM 155
# define CMS_F_CMS_UNCOMPRESS 156
# define CMS_F_CMS_VERIFY 157
@@ -110,6 +115,7 @@ int ERR_load_CMS_strings(void);
* CMS reason codes.
*/
# define CMS_R_ADD_SIGNER_ERROR 99
+# define CMS_R_ATTRIBUTE_ERROR 161
# define CMS_R_CERTIFICATE_ALREADY_PRESENT 175
# define CMS_R_CERTIFICATE_HAS_NO_KEYID 160
# define CMS_R_CERTIFICATE_VERIFY_ERROR 100
diff --git a/freebsd/crypto/openssl/include/openssl/comperr.h b/freebsd/crypto/openssl/include/openssl/comperr.h
index edea63a..90231e9 100644
--- a/freebsd/crypto/openssl/include/openssl/comperr.h
+++ b/freebsd/crypto/openssl/include/openssl/comperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_COMPERR_H
# define HEADER_COMPERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_COMP
diff --git a/freebsd/crypto/openssl/include/openssl/conferr.h b/freebsd/crypto/openssl/include/openssl/conferr.h
index d1c92f4..32b9229 100644
--- a/freebsd/crypto/openssl/include/openssl/conferr.h
+++ b/freebsd/crypto/openssl/include/openssl/conferr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_CONFERR_H
# define HEADER_CONFERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/cryptoerr.h b/freebsd/crypto/openssl/include/openssl/cryptoerr.h
index 10723d0..3db5a4e 100644
--- a/freebsd/crypto/openssl/include/openssl/cryptoerr.h
+++ b/freebsd/crypto/openssl/include/openssl/cryptoerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,12 +11,13 @@
#ifndef HEADER_CRYPTOERR_H
# define HEADER_CRYPTOERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
-
-# include <openssl/symhacks.h>
-
int ERR_load_CRYPTO_strings(void);
/*
diff --git a/freebsd/crypto/openssl/include/openssl/cterr.h b/freebsd/crypto/openssl/include/openssl/cterr.h
index 764e1a2..feb7bc5 100644
--- a/freebsd/crypto/openssl/include/openssl/cterr.h
+++ b/freebsd/crypto/openssl/include/openssl/cterr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_CTERR_H
# define HEADER_CTERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CT
diff --git a/freebsd/crypto/openssl/include/openssl/dherr.h b/freebsd/crypto/openssl/include/openssl/dherr.h
index 81e73f7..916b3be 100644
--- a/freebsd/crypto/openssl/include/openssl/dherr.h
+++ b/freebsd/crypto/openssl/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_DHERR_H
# define HEADER_DHERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_DH
diff --git a/freebsd/crypto/openssl/include/openssl/dsaerr.h b/freebsd/crypto/openssl/include/openssl/dsaerr.h
index d94f97b..495a1ac 100644
--- a/freebsd/crypto/openssl/include/openssl/dsaerr.h
+++ b/freebsd/crypto/openssl/include/openssl/dsaerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_DSAERR_H
# define HEADER_DSAERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_DSA
@@ -57,6 +61,7 @@ int ERR_load_DSA_strings(void);
# define DSA_R_INVALID_DIGEST_TYPE 106
# define DSA_R_INVALID_PARAMETERS 112
# define DSA_R_MISSING_PARAMETERS 101
+# define DSA_R_MISSING_PRIVATE_KEY 111
# define DSA_R_MODULUS_TOO_LARGE 103
# define DSA_R_NO_PARAMETERS_SET 107
# define DSA_R_PARAMETER_ENCODING_ERROR 105
diff --git a/freebsd/crypto/openssl/include/openssl/ec.h b/freebsd/crypto/openssl/include/openssl/ec.h
index 347cfb6..5af9ebd 100644
--- a/freebsd/crypto/openssl/include/openssl/ec.h
+++ b/freebsd/crypto/openssl/include/openssl/ec.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -142,7 +142,7 @@ const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
*/
int EC_METHOD_get_field_type(const EC_METHOD *meth);
-/** Sets the generator and it's order/cofactor of a EC_GROUP object.
+/** Sets the generator and its order/cofactor of a EC_GROUP object.
* \param group EC_GROUP object
* \param generator EC_POINT object with the generator.
* \param order the order of the group generated by the generator.
@@ -1138,7 +1138,8 @@ void ECDSA_SIG_free(ECDSA_SIG *sig);
* (*pp += length of the DER encoded signature)).
* \param sig pointer to the ECDSA_SIG object
* \param pp pointer to a unsigned char pointer for the output or NULL
- * \return the length of the DER encoded ECDSA_SIG object or 0
+ * \return the length of the DER encoded ECDSA_SIG object or a negative value
+ * on error
*/
int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
diff --git a/freebsd/crypto/openssl/include/openssl/ecerr.h b/freebsd/crypto/openssl/include/openssl/ecerr.h
index be313d2..f7b9183 100644
--- a/freebsd/crypto/openssl/include/openssl/ecerr.h
+++ b/freebsd/crypto/openssl/include/openssl/ecerr.h
@@ -11,6 +11,10 @@
#ifndef HEADER_ECERR_H
# define HEADER_ECERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_EC
diff --git a/freebsd/crypto/openssl/include/openssl/engineerr.h b/freebsd/crypto/openssl/include/openssl/engineerr.h
index b4c036b..05e84bd 100644
--- a/freebsd/crypto/openssl/include/openssl/engineerr.h
+++ b/freebsd/crypto/openssl/include/openssl/engineerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_ENGINEERR_H
# define HEADER_ENGINEERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_ENGINE
diff --git a/freebsd/crypto/openssl/include/openssl/evp.h b/freebsd/crypto/openssl/include/openssl/evp.h
index dd1117d..545654a 100644
--- a/freebsd/crypto/openssl/include/openssl/evp.h
+++ b/freebsd/crypto/openssl/include/openssl/evp.h
@@ -260,6 +260,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
# define EVP_CIPH_RAND_KEY 0x200
/* cipher has its own additional copying logic */
# define EVP_CIPH_CUSTOM_COPY 0x400
+/* Don't use standard iv length function */
+# define EVP_CIPH_CUSTOM_IV_LENGTH 0x800
/* Allow use default ASN1 get/set iv */
# define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
/* Buffer length in bits not bytes: CFB1 mode only */
@@ -349,6 +351,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
/* Set the input buffer lengths to use for a pipelined operation */
# define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24
+# define EVP_CTRL_GET_IVLEN 0x25
+
/* Padding modes */
#define EVP_PADDING_PKCS7 1
#define EVP_PADDING_ISO7816_4 2
diff --git a/freebsd/crypto/openssl/include/openssl/evperr.h b/freebsd/crypto/openssl/include/openssl/evperr.h
index 84f03eb..6a651f5 100644
--- a/freebsd/crypto/openssl/include/openssl/evperr.h
+++ b/freebsd/crypto/openssl/include/openssl/evperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_EVPERR_H
# define HEADER_EVPERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
@@ -20,11 +24,14 @@ int ERR_load_EVP_strings(void);
* EVP function codes.
*/
# define EVP_F_AESNI_INIT_KEY 165
+# define EVP_F_AESNI_XTS_INIT_KEY 207
# define EVP_F_AES_GCM_CTRL 196
# define EVP_F_AES_INIT_KEY 133
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
+# define EVP_F_AES_T4_XTS_INIT_KEY 208
# define EVP_F_AES_WRAP_CIPHER 170
+# define EVP_F_AES_XTS_INIT_KEY 209
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_ARIA_CCM_INIT_KEY 175
# define EVP_F_ARIA_GCM_CTRL 197
@@ -115,6 +122,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_PKEY_SET_TYPE 158
# define EVP_F_RC2_MAGIC_TO_METH 109
# define EVP_F_RC5_CTRL 125
+# define EVP_F_R_32_12_16_INIT_KEY 242
# define EVP_F_S390X_AES_GCM_CTRL 201
# define EVP_F_UPDATE 173
@@ -124,6 +132,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_AES_KEY_SETUP_FAILED 143
# define EVP_R_ARIA_KEY_SETUP_FAILED 176
# define EVP_R_BAD_DECRYPT 100
+# define EVP_R_BAD_KEY_LENGTH 195
# define EVP_R_BUFFER_TOO_SMALL 155
# define EVP_R_CAMELLIA_KEY_SETUP_FAILED 157
# define EVP_R_CIPHER_PARAMETER_ERROR 122
@@ -190,5 +199,6 @@ int ERR_load_EVP_strings(void);
# define EVP_R_UNSUPPORTED_SALT_TYPE 126
# define EVP_R_WRAP_MODE_NOT_ALLOWED 170
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
+# define EVP_R_XTS_DUPLICATED_KEYS 183
#endif
diff --git a/freebsd/crypto/openssl/include/openssl/kdferr.h b/freebsd/crypto/openssl/include/openssl/kdferr.h
index 6437c27..3f51bd0 100644
--- a/freebsd/crypto/openssl/include/openssl/kdferr.h
+++ b/freebsd/crypto/openssl/include/openssl/kdferr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_KDFERR_H
# define HEADER_KDFERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/objectserr.h b/freebsd/crypto/openssl/include/openssl/objectserr.h
index 02308df..02e166f 100644
--- a/freebsd/crypto/openssl/include/openssl/objectserr.h
+++ b/freebsd/crypto/openssl/include/openssl/objectserr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_OBJERR_H
# define HEADER_OBJERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/ocsperr.h b/freebsd/crypto/openssl/include/openssl/ocsperr.h
index 7d93b12..8dd9e01 100644
--- a/freebsd/crypto/openssl/include/openssl/ocsperr.h
+++ b/freebsd/crypto/openssl/include/openssl/ocsperr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_OCSPERR_H
# define HEADER_OCSPERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_OCSP
diff --git a/freebsd/crypto/openssl/include/openssl/opensslv.h b/freebsd/crypto/openssl/include/openssl/opensslv.h
index e4f3ffe..b545247 100644
--- a/freebsd/crypto/openssl/include/openssl/opensslv.h
+++ b/freebsd/crypto/openssl/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010103fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c-freebsd 28 May 2019"
+# define OPENSSL_VERSION_NUMBER 0x1010104fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d-freebsd 10 Sep 2019"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/freebsd/crypto/openssl/include/openssl/pemerr.h b/freebsd/crypto/openssl/include/openssl/pemerr.h
index cd61b82..0c45918 100644
--- a/freebsd/crypto/openssl/include/openssl/pemerr.h
+++ b/freebsd/crypto/openssl/include/openssl/pemerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_PEMERR_H
# define HEADER_PEMERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/pkcs12err.h b/freebsd/crypto/openssl/include/openssl/pkcs12err.h
index c7184ff..eff5eb2 100644
--- a/freebsd/crypto/openssl/include/openssl/pkcs12err.h
+++ b/freebsd/crypto/openssl/include/openssl/pkcs12err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_PKCS12ERR_H
# define HEADER_PKCS12ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/pkcs7err.h b/freebsd/crypto/openssl/include/openssl/pkcs7err.h
index 0ba418d..02e0299 100644
--- a/freebsd/crypto/openssl/include/openssl/pkcs7err.h
+++ b/freebsd/crypto/openssl/include/openssl/pkcs7err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_PKCS7ERR_H
# define HEADER_PKCS7ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/randerr.h b/freebsd/crypto/openssl/include/openssl/randerr.h
index 599a2a1..70d1a17 100644
--- a/freebsd/crypto/openssl/include/openssl/randerr.h
+++ b/freebsd/crypto/openssl/include/openssl/randerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,8 @@
#ifndef HEADER_RANDERR_H
# define HEADER_RANDERR_H
+# include <openssl/symhacks.h>
+
# ifdef __cplusplus
extern "C"
# endif
@@ -42,6 +44,7 @@ int ERR_load_RAND_strings(void);
# define RAND_F_RAND_POOL_ADD_END 114
# define RAND_F_RAND_POOL_ATTACH 124
# define RAND_F_RAND_POOL_BYTES_NEEDED 115
+# define RAND_F_RAND_POOL_GROW 125
# define RAND_F_RAND_POOL_NEW 116
# define RAND_F_RAND_WRITE_FILE 112
diff --git a/freebsd/crypto/openssl/include/openssl/rsaerr.h b/freebsd/crypto/openssl/include/openssl/rsaerr.h
index d5bc01c..59b15e1 100644
--- a/freebsd/crypto/openssl/include/openssl/rsaerr.h
+++ b/freebsd/crypto/openssl/include/openssl/rsaerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_RSAERR_H
# define HEADER_RSAERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
@@ -126,6 +130,7 @@ int ERR_load_RSA_strings(void);
# define RSA_R_KEY_PRIME_NUM_INVALID 165
# define RSA_R_KEY_SIZE_TOO_SMALL 120
# define RSA_R_LAST_OCTET_INVALID 134
+# define RSA_R_MISSING_PRIVATE_KEY 179
# define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152
# define RSA_R_MODULUS_TOO_LARGE 105
# define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R 168
diff --git a/freebsd/crypto/openssl/include/openssl/ssl.h b/freebsd/crypto/openssl/include/openssl/ssl.h
index f93dc68..6724ccf 100644
--- a/freebsd/crypto/openssl/include/openssl/ssl.h
+++ b/freebsd/crypto/openssl/include/openssl/ssl.h
@@ -1364,24 +1364,24 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
# define SSL_CTX_set1_chain_cert_store(ctx,st) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
-# define SSL_set0_chain(ctx,sk) \
- SSL_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk))
-# define SSL_set1_chain(ctx,sk) \
- SSL_ctrl(ctx,SSL_CTRL_CHAIN,1,(char *)(sk))
-# define SSL_add0_chain_cert(ctx,x509) \
- SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
-# define SSL_add1_chain_cert(ctx,x509) \
- SSL_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
-# define SSL_get0_chain_certs(ctx,px509) \
- SSL_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
-# define SSL_clear_chain_certs(ctx) \
- SSL_set0_chain(ctx,NULL)
+# define SSL_set0_chain(s,sk) \
+ SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))
+# define SSL_set1_chain(s,sk) \
+ SSL_ctrl(s,SSL_CTRL_CHAIN,1,(char *)(sk))
+# define SSL_add0_chain_cert(s,x509) \
+ SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
+# define SSL_add1_chain_cert(s,x509) \
+ SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
+# define SSL_get0_chain_certs(s,px509) \
+ SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
+# define SSL_clear_chain_certs(s) \
+ SSL_set0_chain(s,NULL)
# define SSL_build_cert_chain(s, flags) \
SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
-# define SSL_select_current_cert(ctx,x509) \
- SSL_ctrl(ctx,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
-# define SSL_set_current_cert(ctx,op) \
- SSL_ctrl(ctx,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
+# define SSL_select_current_cert(s,x509) \
+ SSL_ctrl(s,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
+# define SSL_set_current_cert(s,op) \
+ SSL_ctrl(s,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
# define SSL_set0_verify_cert_store(s,st) \
SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
# define SSL_set1_verify_cert_store(s,st) \
@@ -1390,34 +1390,34 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
# define SSL_set1_chain_cert_store(s,st) \
SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
-# define SSL_get1_groups(ctx, s) \
- SSL_ctrl(ctx,SSL_CTRL_GET_GROUPS,0,(char *)(s))
+# define SSL_get1_groups(s, glist) \
+ SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
# define SSL_CTX_set1_groups(ctx, glist, glistlen) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
# define SSL_CTX_set1_groups_list(ctx, s) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
-# define SSL_set1_groups(ctx, glist, glistlen) \
- SSL_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
-# define SSL_set1_groups_list(ctx, s) \
- SSL_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
+# define SSL_set1_groups(s, glist, glistlen) \
+ SSL_ctrl(s,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
+# define SSL_set1_groups_list(s, str) \
+ SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
# define SSL_get_shared_group(s, n) \
SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL)
# define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
# define SSL_CTX_set1_sigalgs_list(ctx, s) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s))
-# define SSL_set1_sigalgs(ctx, slist, slistlen) \
- SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
-# define SSL_set1_sigalgs_list(ctx, s) \
- SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s))
+# define SSL_set1_sigalgs(s, slist, slistlen) \
+ SSL_ctrl(s,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
+# define SSL_set1_sigalgs_list(s, str) \
+ SSL_ctrl(s,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(str))
# define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
# define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s))
-# define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
- SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,clistlen,(int *)(slist))
-# define SSL_set1_client_sigalgs_list(ctx, s) \
- SSL_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s))
+# define SSL_set1_client_sigalgs(s, slist, slistlen) \
+ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
+# define SSL_set1_client_sigalgs_list(s, str) \
+ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(str))
# define SSL_get0_certificate_types(s, clist) \
SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist))
# define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
diff --git a/freebsd/crypto/openssl/include/openssl/sslerr.h b/freebsd/crypto/openssl/include/openssl/sslerr.h
index a50a075..3d6850d 100644
--- a/freebsd/crypto/openssl/include/openssl/sslerr.h
+++ b/freebsd/crypto/openssl/include/openssl/sslerr.h
@@ -11,6 +11,10 @@
#ifndef HEADER_SSLERR_H
# define HEADER_SSLERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/store.h b/freebsd/crypto/openssl/include/openssl/store.h
index 7b43e8b..a40a733 100644
--- a/freebsd/crypto/openssl/include/openssl/store.h
+++ b/freebsd/crypto/openssl/include/openssl/store.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -85,7 +85,7 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx);
int OSSL_STORE_eof(OSSL_STORE_CTX *ctx);
/*
- * Check if an error occured
+ * Check if an error occurred
* Returns 1 if it did, 0 otherwise.
*/
int OSSL_STORE_error(OSSL_STORE_CTX *ctx);
@@ -117,7 +117,7 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx);
* Functions to generate OSSL_STORE_INFOs, one function for each type we
* support having in them, as well as a generic constructor.
*
- * In all cases, ownership of the object is transfered to the OSSL_STORE_INFO
+ * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
* and will therefore be freed when the OSSL_STORE_INFO is freed.
*/
OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name);
diff --git a/freebsd/crypto/openssl/include/openssl/storeerr.h b/freebsd/crypto/openssl/include/openssl/storeerr.h
index 33d0ab7..190eab0 100644
--- a/freebsd/crypto/openssl/include/openssl/storeerr.h
+++ b/freebsd/crypto/openssl/include/openssl/storeerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_OSSL_STOREERR_H
# define HEADER_OSSL_STOREERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/tls1.h b/freebsd/crypto/openssl/include/openssl/tls1.h
index e13b5dd..76d9fda 100644
--- a/freebsd/crypto/openssl/include/openssl/tls1.h
+++ b/freebsd/crypto/openssl/include/openssl/tls1.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1222,7 +1222,7 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
/*
* extended master secret
*/
-# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x63\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
+# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
# endif
/* TLS Session Ticket extension struct */
diff --git a/freebsd/crypto/openssl/include/openssl/tserr.h b/freebsd/crypto/openssl/include/openssl/tserr.h
index 3e04925..07f2333 100644
--- a/freebsd/crypto/openssl/include/openssl/tserr.h
+++ b/freebsd/crypto/openssl/include/openssl/tserr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_TSERR_H
# define HEADER_TSERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_TS
diff --git a/freebsd/crypto/openssl/include/openssl/uierr.h b/freebsd/crypto/openssl/include/openssl/uierr.h
index 72fd9a9..bd68864 100644
--- a/freebsd/crypto/openssl/include/openssl/uierr.h
+++ b/freebsd/crypto/openssl/include/openssl/uierr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_UIERR_H
# define HEADER_UIERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/x509err.h b/freebsd/crypto/openssl/include/openssl/x509err.h
index b1d6a87..0273853 100644
--- a/freebsd/crypto/openssl/include/openssl/x509err.h
+++ b/freebsd/crypto/openssl/include/openssl/x509err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_X509ERR_H
# define HEADER_X509ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
@@ -93,6 +97,7 @@ int ERR_load_X509_strings(void);
# define X509_R_CRL_ALREADY_DELTA 127
# define X509_R_CRL_VERIFY_FAILURE 131
# define X509_R_IDP_MISMATCH 128
+# define X509_R_INVALID_ATTRIBUTES 138
# define X509_R_INVALID_DIRECTORY 113
# define X509_R_INVALID_FIELD_NAME 119
# define X509_R_INVALID_TRUST 123
diff --git a/freebsd/crypto/openssl/include/openssl/x509v3.h b/freebsd/crypto/openssl/include/openssl/x509v3.h
index 9ea2027..6c6eca3 100644
--- a/freebsd/crypto/openssl/include/openssl/x509v3.h
+++ b/freebsd/crypto/openssl/include/openssl/x509v3.h
@@ -661,6 +661,8 @@ uint32_t X509_get_key_usage(X509 *x);
uint32_t X509_get_extended_key_usage(X509 *x);
const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
+const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
+const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
int X509_PURPOSE_get_count(void);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
diff --git a/freebsd/crypto/openssl/include/openssl/x509v3err.h b/freebsd/crypto/openssl/include/openssl/x509v3err.h
index 6b3df12..5f25442 100644
--- a/freebsd/crypto/openssl/include/openssl/x509v3err.h
+++ b/freebsd/crypto/openssl/include/openssl/x509v3err.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,10 @@
#ifndef HEADER_X509V3ERR_H
# define HEADER_X509V3ERR_H
+# ifndef HEADER_SYMHACKS_H
+# include <openssl/symhacks.h>
+# endif
+
# ifdef __cplusplus
extern "C"
# endif
diff --git a/freebsd/crypto/openssl/ssl/d1_msg.c b/freebsd/crypto/openssl/ssl/d1_msg.c
index feae6ca..341fefd 100644
--- a/freebsd/crypto/openssl/ssl/d1_msg.c
+++ b/freebsd/crypto/openssl/ssl/d1_msg.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,8 +54,7 @@ int dtls1_dispatch_alert(SSL *s)
s->s3->alert_dispatch = 1;
/* fprintf( stderr, "not done with alert\n" ); */
} else {
- if (s->s3->send_alert[0] == SSL3_AL_FATAL)
- (void)BIO_flush(s->wbio);
+ (void)BIO_flush(s->wbio);
if (s->msg_callback)
s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,
diff --git a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
index 6b63d21..d7bf210 100644
--- a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
+++ b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
@@ -376,6 +376,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
s->rlayer.wnum = 0;
/*
+ * If we are supposed to be sending a KeyUpdate then go into init unless we
+ * have writes pending - in which case we should finish doing that first.
+ */
+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
+ ossl_statem_set_in_init(s, 1);
+
+ /*
* When writing early data on the server side we could be "in_init" in
* between receiving the EoED and the CF - but we don't want to handle those
* messages yet.
@@ -630,8 +637,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
*/
s->s3->empty_fragment_done = 0;
- if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
- !SSL_IS_DTLS(s))
+ if (tmpwrit == n
+ && (s->mode & SSL_MODE_RELEASE_BUFFERS) != 0
+ && !SSL_IS_DTLS(s))
ssl3_release_write_buffer(s);
*written = tot + tmpwrit;
diff --git a/freebsd/crypto/openssl/ssl/s3_lib.c b/freebsd/crypto/openssl/ssl/s3_lib.c
index 02e1236..41b4724 100644
--- a/freebsd/crypto/openssl/ssl/s3_lib.c
+++ b/freebsd/crypto/openssl/ssl/s3_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -3569,6 +3569,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
+ ret = 1;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
@@ -3603,8 +3604,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
if (!s->session)
return 0;
- clist = s->session->ext.supportedgroups;
- clistlen = s->session->ext.supportedgroups_len;
+ clist = s->ext.peer_supportedgroups;
+ clistlen = s->ext.peer_supportedgroups_len;
if (parg) {
size_t i;
int *cptr = parg;
@@ -3718,13 +3719,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
- SSL_SESSION *sess = s->session;
const unsigned char **pformat = parg;
- if (sess == NULL || sess->ext.ecpointformats == NULL)
+ if (s->ext.peer_ecpointformats == NULL)
return 0;
- *pformat = sess->ext.ecpointformats;
- return (int)sess->ext.ecpointformats_len;
+ *pformat = s->ext.peer_ecpointformats;
+ return (int)s->ext.peer_ecpointformats_len;
}
#endif
diff --git a/freebsd/crypto/openssl/ssl/ssl_cert.c b/freebsd/crypto/openssl/ssl/ssl_cert.c
index c78097a..b76c68d 100644
--- a/freebsd/crypto/openssl/ssl/ssl_cert.c
+++ b/freebsd/crypto/openssl/ssl/ssl_cert.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -156,8 +156,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
- /* Shared sigalgs also NULL */
- ret->shared_sigalgs = NULL;
/* Copy any custom client certificate types */
if (cert->ctype) {
ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
@@ -242,7 +240,6 @@ void ssl_cert_free(CERT *c)
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
- OPENSSL_free(c->shared_sigalgs);
OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
diff --git a/freebsd/crypto/openssl/ssl/ssl_ciph.c b/freebsd/crypto/openssl/ssl/ssl_ciph.c
index 9328d54..2f764a1 100644
--- a/freebsd/crypto/openssl/ssl/ssl_ciph.c
+++ b/freebsd/crypto/openssl/ssl/ssl_ciph.c
@@ -1379,24 +1379,25 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
{
int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
- if (ret && ctx->cipher_list != NULL) {
- /* We already have a cipher_list, so we need to update it */
+ if (ret && ctx->cipher_list != NULL)
return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
ctx->tls13_ciphersuites);
- }
return ret;
}
int SSL_set_ciphersuites(SSL *s, const char *str)
{
+ STACK_OF(SSL_CIPHER) *cipher_list;
int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
- if (ret && s->cipher_list != NULL) {
- /* We already have a cipher_list, so we need to update it */
+ if (s->cipher_list == NULL) {
+ if ((cipher_list = SSL_get_ciphers(s)) != NULL)
+ s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
+ }
+ if (ret && s->cipher_list != NULL)
return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
s->tls13_ciphersuites);
- }
return ret;
}
diff --git a/freebsd/crypto/openssl/ssl/ssl_lib.c b/freebsd/crypto/openssl/ssl/ssl_lib.c
index 9c2c9da..0a0818f 100644
--- a/freebsd/crypto/openssl/ssl/ssl_lib.c
+++ b/freebsd/crypto/openssl/ssl/ssl_lib.c
@@ -630,6 +630,11 @@ int SSL_clear(SSL *s)
/* Clear the verification result peername */
X509_VERIFY_PARAM_move_peername(s->param, NULL);
+ /* Clear any shared connection state */
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
+
/*
* Check to see if we were changed into a different method, if so, revert
* back.
@@ -869,7 +874,7 @@ int SSL_up_ref(SSL *s)
int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
- if (sid_ctx_len > sizeof(ctx->sid_ctx)) {
+ if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
@@ -1162,6 +1167,7 @@ void SSL_free(SSL *s)
sk_SSL_CIPHER_free(s->cipher_list);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
sk_SSL_CIPHER_free(s->tls13_ciphersuites);
+ sk_SSL_CIPHER_free(s->peer_ciphers);
/* Make the next call work :-) */
if (s->session != NULL) {
@@ -1174,13 +1180,16 @@ void SSL_free(SSL *s)
clear_ciphers(s);
ssl_cert_free(s->cert);
+ OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
OPENSSL_free(s->ext.hostname);
SSL_CTX_free(s->session_ctx);
#ifndef OPENSSL_NO_EC
OPENSSL_free(s->ext.ecpointformats);
+ OPENSSL_free(s->ext.peer_ecpointformats);
OPENSSL_free(s->ext.supportedgroups);
+ OPENSSL_free(s->ext.peer_supportedgroups);
#endif /* OPENSSL_NO_EC */
sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
#ifndef OPENSSL_NO_OCSP
@@ -2439,9 +2448,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s)
{
- if ((s == NULL) || (s->session == NULL) || !s->server)
+ if ((s == NULL) || !s->server)
return NULL;
- return s->session->ciphers;
+ return s->peer_ciphers;
}
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
@@ -2580,13 +2589,12 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
int i;
if (!s->server
- || s->session == NULL
- || s->session->ciphers == NULL
+ || s->peer_ciphers == NULL
|| size < 2)
return NULL;
p = buf;
- clntsk = s->session->ciphers;
+ clntsk = s->peer_ciphers;
srvrsk = SSL_get_ciphers(s);
if (clntsk == NULL || srvrsk == NULL)
return NULL;
diff --git a/freebsd/crypto/openssl/ssl/ssl_locl.h b/freebsd/crypto/openssl/ssl/ssl_locl.h
index 0cf3893..25875c9 100644
--- a/freebsd/crypto/openssl/ssl/ssl_locl.h
+++ b/freebsd/crypto/openssl/ssl/ssl_locl.h
@@ -552,7 +552,6 @@ struct ssl_session_st {
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to
* load the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */
CRYPTO_EX_DATA ex_data; /* application specific data */
/*
* These are used to make removal of session-ids more efficient and to
@@ -562,13 +561,7 @@ struct ssl_session_st {
struct {
char *hostname;
-# ifndef OPENSSL_NO_EC
- size_t ecpointformats_len;
- unsigned char *ecpointformats; /* peer's list */
-# endif /* OPENSSL_NO_EC */
- size_t supportedgroups_len;
- uint16_t *supportedgroups; /* peer's list */
- /* RFC4507 info */
+ /* RFC4507 info */
unsigned char *tick; /* Session ticket */
size_t ticklen; /* Session ticket length */
/* Session lifetime hint in seconds */
@@ -1137,6 +1130,7 @@ struct ssl_st {
/* Per connection DANE state */
SSL_DANE dane;
/* crypto */
+ STACK_OF(SSL_CIPHER) *peer_ciphers;
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
/* TLSv1.3 specific ciphersuites */
@@ -1300,10 +1294,19 @@ struct ssl_st {
size_t ecpointformats_len;
/* our list */
unsigned char *ecpointformats;
+
+ size_t peer_ecpointformats_len;
+ /* peer's list */
+ unsigned char *peer_ecpointformats;
# endif /* OPENSSL_NO_EC */
size_t supportedgroups_len;
/* our list */
uint16_t *supportedgroups;
+
+ size_t peer_supportedgroups_len;
+ /* peer's list */
+ uint16_t *peer_supportedgroups;
+
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *session_ticket;
/* TLS Session Ticket extension callback */
@@ -1459,7 +1462,6 @@ struct ssl_st {
size_t block_padding;
CRYPTO_RWLOCK *lock;
- RAND_DRBG *drbg;
/* The number of TLS1.3 tickets to automatically send */
size_t num_tickets;
@@ -1471,6 +1473,13 @@ struct ssl_st {
/* Callback to determine if early_data is acceptable or not */
SSL_allow_early_data_cb_fn allow_early_data_cb;
void *allow_early_data_cb_data;
+
+ /*
+ * Signature algorithms shared by client and server: cached because these
+ * are used most often.
+ */
+ const struct sigalg_lookup_st **shared_sigalgs;
+ size_t shared_sigalgslen;
};
/*
@@ -1905,12 +1914,6 @@ typedef struct cert_st {
/* Size of above array */
size_t client_sigalgslen;
/*
- * Signature algorithms shared by client and server: cached because these
- * are used most often.
- */
- const SIGALG_LOOKUP **shared_sigalgs;
- size_t shared_sigalgslen;
- /*
* Certificate setup callback: if set is called whenever a certificate
* may be required (client or server). the callback can then examine any
* appropriate parameters and setup any certificates required. This
@@ -2240,8 +2243,8 @@ static ossl_inline int ssl_has_cert(const SSL *s, int idx)
static ossl_inline void tls1_get_peer_groups(SSL *s, const uint16_t **pgroups,
size_t *pgroupslen)
{
- *pgroups = s->session->ext.supportedgroups;
- *pgroupslen = s->session->ext.supportedgroups_len;
+ *pgroups = s->ext.peer_supportedgroups;
+ *pgroupslen = s->ext.peer_supportedgroups_len;
}
# ifndef OPENSSL_UNIT_TEST
diff --git a/freebsd/crypto/openssl/ssl/ssl_sess.c b/freebsd/crypto/openssl/ssl/ssl_sess.c
index 9a5141b..69b6aee 100644
--- a/freebsd/crypto/openssl/ssl/ssl_sess.c
+++ b/freebsd/crypto/openssl/ssl/ssl_sess.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -123,12 +123,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->psk_identity_hint = NULL;
dest->psk_identity = NULL;
#endif
- dest->ciphers = NULL;
dest->ext.hostname = NULL;
-#ifndef OPENSSL_NO_EC
- dest->ext.ecpointformats = NULL;
- dest->ext.supportedgroups = NULL;
-#endif
dest->ext.tick = NULL;
dest->ext.alpn_selected = NULL;
#ifndef OPENSSL_NO_SRP
@@ -178,12 +173,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
}
#endif
- if (src->ciphers != NULL) {
- dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
- if (dest->ciphers == NULL)
- goto err;
- }
-
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
&dest->ex_data, &src->ex_data)) {
goto err;
@@ -195,23 +184,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
goto err;
}
}
-#ifndef OPENSSL_NO_EC
- if (src->ext.ecpointformats) {
- dest->ext.ecpointformats =
- OPENSSL_memdup(src->ext.ecpointformats,
- src->ext.ecpointformats_len);
- if (dest->ext.ecpointformats == NULL)
- goto err;
- }
- if (src->ext.supportedgroups) {
- dest->ext.supportedgroups =
- OPENSSL_memdup(src->ext.supportedgroups,
- src->ext.supportedgroups_len
- * sizeof(*src->ext.supportedgroups));
- if (dest->ext.supportedgroups == NULL)
- goto err;
- }
-#endif
if (ticket != 0 && src->ext.tick != NULL) {
dest->ext.tick =
@@ -792,17 +764,8 @@ void SSL_SESSION_free(SSL_SESSION *ss)
OPENSSL_cleanse(ss->session_id, sizeof(ss->session_id));
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
- sk_SSL_CIPHER_free(ss->ciphers);
OPENSSL_free(ss->ext.hostname);
OPENSSL_free(ss->ext.tick);
-#ifndef OPENSSL_NO_EC
- OPENSSL_free(ss->ext.ecpointformats);
- ss->ext.ecpointformats = NULL;
- ss->ext.ecpointformats_len = 0;
- OPENSSL_free(ss->ext.supportedgroups);
- ss->ext.supportedgroups = NULL;
- ss->ext.supportedgroups_len = 0;
-#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_PSK
OPENSSL_free(ss->psk_identity_hint);
OPENSSL_free(ss->psk_identity);
diff --git a/freebsd/crypto/openssl/ssl/statem/extensions.c b/freebsd/crypto/openssl/ssl/statem/extensions.c
index 91c3fd5..33df908 100644
--- a/freebsd/crypto/openssl/ssl/statem/extensions.c
+++ b/freebsd/crypto/openssl/ssl/statem/extensions.c
@@ -1042,18 +1042,18 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
*/
if (s->ext.ecpointformats != NULL
&& s->ext.ecpointformats_len > 0
- && s->session->ext.ecpointformats != NULL
- && s->session->ext.ecpointformats_len > 0
+ && s->ext.peer_ecpointformats != NULL
+ && s->ext.peer_ecpointformats_len > 0
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */
size_t i;
- unsigned char *list = s->session->ext.ecpointformats;
+ unsigned char *list = s->ext.peer_ecpointformats;
- for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
+ for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
break;
}
- if (i == s->session->ext.ecpointformats_len) {
+ if (i == s->ext.peer_ecpointformats_len) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0;
@@ -1450,8 +1450,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
unsigned char *early_secret;
+#ifdef CHARSET_EBCDIC
+ static const unsigned char resumption_label[] = { 0x72, 0x65, 0x64, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
+ static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
+#else
static const unsigned char resumption_label[] = "res binder";
static const unsigned char external_label[] = "ext binder";
+#endif
const unsigned char *label;
size_t bindersize, labelsize, hashsize;
int hashsizei = EVP_MD_size(md);
@@ -1650,9 +1655,9 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE
- || (s->ctx->allow_early_data_cb != NULL
- && !s->ctx->allow_early_data_cb(s,
- s->ctx->allow_early_data_cb_data))) {
+ || (s->allow_early_data_cb != NULL
+ && !s->allow_early_data_cb(s,
+ s->allow_early_data_cb_data))) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
diff --git a/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c b/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c
index ead0dde..49835ac 100644
--- a/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c
+++ b/freebsd/crypto/openssl/ssl/statem/extensions_clnt.c
@@ -1373,19 +1373,19 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
return 0;
}
- s->session->ext.ecpointformats_len = 0;
- OPENSSL_free(s->session->ext.ecpointformats);
- s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
- if (s->session->ext.ecpointformats == NULL) {
+ s->ext.peer_ecpointformats_len = 0;
+ OPENSSL_free(s->ext.peer_ecpointformats);
+ s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
+ if (s->ext.peer_ecpointformats == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
}
- s->session->ext.ecpointformats_len = ecpointformats_len;
+ s->ext.peer_ecpointformats_len = ecpointformats_len;
if (!PACKET_copy_bytes(&ecptformatlist,
- s->session->ext.ecpointformats,
+ s->ext.peer_ecpointformats,
ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
@@ -1860,8 +1860,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
- skey = ssl_generate_pkey(ckey);
- if (skey == NULL) {
+ skey = EVP_PKEY_new();
+ if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
return 0;
diff --git a/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c b/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c
index a2c2ebe..f68b6d8 100644
--- a/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c
+++ b/freebsd/crypto/openssl/ssl/statem/extensions_srvr.c
@@ -256,8 +256,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
- &s->session->ext.ecpointformats,
- &s->session->ext.ecpointformats_len)) {
+ &s->ext.peer_ecpointformats,
+ &s->ext.peer_ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
@@ -964,12 +964,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
}
if (!s->hit || SSL_IS_TLS13(s)) {
- OPENSSL_free(s->session->ext.supportedgroups);
- s->session->ext.supportedgroups = NULL;
- s->session->ext.supportedgroups_len = 0;
+ OPENSSL_free(s->ext.peer_supportedgroups);
+ s->ext.peer_supportedgroups = NULL;
+ s->ext.peer_supportedgroups_len = 0;
if (!tls1_save_u16(&supported_groups_list,
- &s->session->ext.supportedgroups,
- &s->session->ext.supportedgroups_len)) {
+ &s->ext.peer_supportedgroups,
+ &s->ext.peer_supportedgroups_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
@@ -1378,7 +1378,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
- && (s->session->ext.ecpointformats != NULL);
+ && (s->ext.peer_ecpointformats != NULL);
const unsigned char *plist;
size_t plistlen;
@@ -1489,6 +1489,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
index ec82e6d..760b6db 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
@@ -475,12 +475,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_CR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_CW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_CW_KEY_UPDATE:
case TLS_ST_CR_SESSION_TICKET:
case TLS_ST_CW_FINISHED:
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_lib.c b/freebsd/crypto/openssl/ssl/statem/statem_lib.c
index 74d380a..70ff8db 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_lib.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_lib.c
@@ -170,9 +170,19 @@ int tls_setup_handshake(SSL *s)
static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
void **hdata, size_t *hdatalen)
{
+#ifdef CHARSET_EBCDIC
+ static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
+ 0x69, 0x66, 0x79, 0x00 };
+ static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
+ 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
+ 0x69, 0x66, 0x79, 0x00 };
+#else
static const char *servercontext = "TLS 1.3, server CertificateVerify";
static const char *clientcontext = "TLS 1.3, client CertificateVerify";
-
+#endif
if (SSL_IS_TLS13(s)) {
size_t hashlen;
@@ -647,12 +657,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
- * not also request an update (otherwise we get into an infinite loop). We
- * ignore a request for us to update our sending keys too if we already
- * sent close_notify.
+ * not also request an update (otherwise we get into an infinite loop).
*/
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
index de1a6c7..11c937e 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
@@ -504,12 +504,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_SW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_SW_KEY_UPDATE:
st->hand_state = TLS_ST_OK;
return WRITE_TRAN_CONTINUE;
@@ -1929,14 +1923,14 @@ static int tls_early_post_process_client_hello(SSL *s)
&& master_key_length > 0) {
s->session->master_key_length = master_key_length;
s->hit = 1;
- s->session->ciphers = ciphers;
+ s->peer_ciphers = ciphers;
s->session->verify_result = X509_V_OK;
ciphers = NULL;
/* check if some cipher was preferred by call back */
if (pref_cipher == NULL)
- pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+ pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
SSL_get_ciphers(s));
if (pref_cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@@ -1947,9 +1941,9 @@ static int tls_early_post_process_client_hello(SSL *s)
s->session->cipher = pref_cipher;
sk_SSL_CIPHER_free(s->cipher_list);
- s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
sk_SSL_CIPHER_free(s->cipher_list_by_id);
- s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
}
}
@@ -2049,12 +2043,12 @@ static int tls_early_post_process_client_hello(SSL *s)
#endif
/*
- * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
+ * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
*/
if (!s->hit || SSL_IS_TLS13(s)) {
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->peer_ciphers);
+ s->peer_ciphers = ciphers;
if (ciphers == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@@ -2070,6 +2064,10 @@ static int tls_early_post_process_client_hello(SSL *s)
#else
s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
+ if (!tls1_set_server_sigalgs(s)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
}
sk_SSL_CIPHER_free(ciphers);
@@ -2237,31 +2235,25 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
if (wst == WORK_MORE_B) {
if (!s->hit || SSL_IS_TLS13(s)) {
/* Let cert callback update server certificates if required */
- if (!s->hit) {
- if (s->cert->cert_cb != NULL) {
- int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
- if (rv == 0) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
- SSL_R_CERT_CB_ERROR);
- goto err;
- }
- if (rv < 0) {
- s->rwstate = SSL_X509_LOOKUP;
- return WORK_MORE_B;
- }
- s->rwstate = SSL_NOTHING;
- }
- if (!tls1_set_server_sigalgs(s)) {
- /* SSLfatal already called */
+ if (!s->hit && s->cert->cert_cb != NULL) {
+ int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
+ if (rv == 0) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_CERT_CB_ERROR);
goto err;
}
+ if (rv < 0) {
+ s->rwstate = SSL_X509_LOOKUP;
+ return WORK_MORE_B;
+ }
+ s->rwstate = SSL_NOTHING;
}
/* In TLSv1.3 we selected the ciphersuite before resumption */
if (!SSL_IS_TLS13(s)) {
cipher =
- ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
if (cipher == NULL) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
diff --git a/freebsd/crypto/openssl/ssl/t1_lib.c b/freebsd/crypto/openssl/ssl/t1_lib.c
index 087fd0b..edb557e 100644
--- a/freebsd/crypto/openssl/ssl/t1_lib.c
+++ b/freebsd/crypto/openssl/ssl/t1_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -23,6 +23,8 @@
#include "ssl_locl.h"
#include <openssl/ct.h>
+static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey);
+
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
tls1_mac,
@@ -467,11 +469,11 @@ static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
* If point formats extension present check it, otherwise everything is
* supported (see RFC4492).
*/
- if (s->session->ext.ecpointformats == NULL)
+ if (s->ext.peer_ecpointformats == NULL)
return 1;
- for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
- if (s->session->ext.ecpointformats[i] == comp_id)
+ for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
+ if (s->ext.peer_ecpointformats[i] == comp_id)
return 1;
}
return 0;
@@ -580,7 +582,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
if (check_ee_md && tls1_suiteb(s)) {
int check_md;
size_t i;
- CERT *c = s->cert;
/* Check to see we have necessary signing algorithm */
if (group_id == TLSEXT_curve_P_256)
@@ -589,8 +590,8 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
- for (i = 0; i < c->shared_sigalgslen; i++) {
- if (check_md == c->shared_sigalgs[i]->sigandhash)
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ if (check_md == s->shared_sigalgs[i]->sigandhash)
return 1;;
}
return 0;
@@ -1217,9 +1218,9 @@ int tls1_set_server_sigalgs(SSL *s)
size_t i;
/* Clear any shared signature algorithms */
- OPENSSL_free(s->cert->shared_sigalgs);
- s->cert->shared_sigalgs = NULL;
- s->cert->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* Clear certificate validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++)
s->s3->tmp.valid_flags[i] = 0;
@@ -1254,7 +1255,7 @@ int tls1_set_server_sigalgs(SSL *s)
SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (s->cert->shared_sigalgs != NULL)
+ if (s->shared_sigalgs != NULL)
return 1;
/* Fatal error if no shared signature algorithms */
@@ -1726,9 +1727,9 @@ static int tls1_set_shared_sigalgs(SSL *s)
CERT *c = s->cert;
unsigned int is_suiteb = tls1_suiteb(s);
- OPENSSL_free(c->shared_sigalgs);
- c->shared_sigalgs = NULL;
- c->shared_sigalgslen = 0;
+ OPENSSL_free(s->shared_sigalgs);
+ s->shared_sigalgs = NULL;
+ s->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
conf = c->client_sigalgs;
@@ -1759,8 +1760,8 @@ static int tls1_set_shared_sigalgs(SSL *s)
} else {
salgs = NULL;
}
- c->shared_sigalgs = salgs;
- c->shared_sigalgslen = nmatch;
+ s->shared_sigalgs = salgs;
+ s->shared_sigalgslen = nmatch;
return 1;
}
@@ -1821,7 +1822,6 @@ int tls1_process_sigalgs(SSL *s)
{
size_t i;
uint32_t *pvalid = s->s3->tmp.valid_flags;
- CERT *c = s->cert;
if (!tls1_set_shared_sigalgs(s))
return 0;
@@ -1829,8 +1829,8 @@ int tls1_process_sigalgs(SSL *s)
for (i = 0; i < SSL_PKEY_NUM; i++)
pvalid[i] = 0;
- for (i = 0; i < c->shared_sigalgslen; i++) {
- const SIGALG_LOOKUP *sigptr = c->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ const SIGALG_LOOKUP *sigptr = s->shared_sigalgs[i];
int idx = sigptr->sig_idx;
/* Ignore PKCS1 based sig algs in TLSv1.3 */
@@ -1877,12 +1877,12 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
const SIGALG_LOOKUP *shsigalgs;
- if (s->cert->shared_sigalgs == NULL
+ if (s->shared_sigalgs == NULL
|| idx < 0
- || idx >= (int)s->cert->shared_sigalgslen
- || s->cert->shared_sigalgslen > INT_MAX)
+ || idx >= (int)s->shared_sigalgslen
+ || s->shared_sigalgslen > INT_MAX)
return 0;
- shsigalgs = s->cert->shared_sigalgs[idx];
+ shsigalgs = s->shared_sigalgs[idx];
if (phash != NULL)
*phash = shsigalgs->hash;
if (psign != NULL)
@@ -1893,7 +1893,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
*rsig = (unsigned char)(shsigalgs->sigalg & 0xff);
if (rhash != NULL)
*rhash = (unsigned char)((shsigalgs->sigalg >> 8) & 0xff);
- return (int)s->cert->shared_sigalgslen;
+ return (int)s->shared_sigalgslen;
}
/* Maximum possible number of unique entries in sigalgs array */
@@ -2074,18 +2074,36 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
return 0;
}
-static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
+static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
- int sig_nid;
+ int sig_nid, use_pc_sigalgs = 0;
size_t i;
+ const SIGALG_LOOKUP *sigalg;
+ size_t sigalgslen;
if (default_nid == -1)
return 1;
sig_nid = X509_get_signature_nid(x);
if (default_nid)
return sig_nid == default_nid ? 1 : 0;
- for (i = 0; i < c->shared_sigalgslen; i++)
- if (sig_nid == c->shared_sigalgs[i]->sigandhash)
+
+ if (SSL_IS_TLS13(s) && s->s3->tmp.peer_cert_sigalgs != NULL) {
+ /*
+ * If we're in TLSv1.3 then we only get here if we're checking the
+ * chain. If the peer has specified peer_cert_sigalgs then we use them
+ * otherwise we default to normal sigalgs.
+ */
+ sigalgslen = s->s3->tmp.peer_cert_sigalgslen;
+ use_pc_sigalgs = 1;
+ } else {
+ sigalgslen = s->shared_sigalgslen;
+ }
+ for (i = 0; i < sigalgslen; i++) {
+ sigalg = use_pc_sigalgs
+ ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
+ : s->shared_sigalgs[i];
+ if (sig_nid == sigalg->sigandhash)
return 1;
+ }
return 0;
}
@@ -2242,14 +2260,21 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
}
}
/* Check signature algorithm of each cert in chain */
- if (!tls1_check_sig_alg(c, x, default_nid)) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We only get here if the application has called SSL_check_chain(),
+ * so check_flags is always set.
+ */
+ if (find_sig_alg(s, x, pk) != NULL)
+ rv |= CERT_PKEY_EE_SIGNATURE;
+ } else if (!tls1_check_sig_alg(s, x, default_nid)) {
if (!check_flags)
goto end;
} else
rv |= CERT_PKEY_EE_SIGNATURE;
rv |= CERT_PKEY_CA_SIGNATURE;
for (i = 0; i < sk_X509_num(chain); i++) {
- if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
+ if (!tls1_check_sig_alg(s, sk_X509_value(chain, i), default_nid)) {
if (check_flags) {
rv &= ~CERT_PKEY_CA_SIGNATURE;
break;
@@ -2530,44 +2555,33 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
}
/*
- * Returns true if |s| has a usable certificate configured for use
- * with signature scheme |sig|.
- * "Usable" includes a check for presence as well as applying
- * the signature_algorithm_cert restrictions sent by the peer (if any).
- * Returns false if no usable certificate is found.
+ * Checks the given cert against signature_algorithm_cert restrictions sent by
+ * the peer (if any) as well as whether the hash from the sigalg is usable with
+ * the key.
+ * Returns true if the cert is usable and false otherwise.
*/
-static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
+static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
+ EVP_PKEY *pkey)
{
const SIGALG_LOOKUP *lu;
int mdnid, pknid, default_mdnid;
- int mandatory_md = 0;
size_t i;
- /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
- if (idx == -1)
- idx = sig->sig_idx;
- if (!ssl_has_cert(s, idx))
- return 0;
/* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
ERR_set_mark();
- switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
- &default_mdnid)) {
- case 2:
- mandatory_md = 1;
- break;
- case 1:
- break;
- default: /* If it didn't report a mandatory NID, for whatever reasons,
- * just clear the error and allow all hashes to be used. */
- ERR_pop_to_mark();
- }
+ if (EVP_PKEY_get_default_digest_nid(pkey, &default_mdnid) == 2 &&
+ sig->hash != default_mdnid)
+ return 0;
+
+ /* If it didn't report a mandatory NID, for whatever reasons,
+ * just clear the error and allow all hashes to be used. */
+ ERR_pop_to_mark();
+
if (s->s3->tmp.peer_cert_sigalgs != NULL) {
for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
if (lu == NULL
- || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
- &pknid, NULL, NULL)
- || (mandatory_md && mdnid != default_mdnid))
+ || !X509_get_signature_info(x, &mdnid, &pknid, NULL, NULL))
continue;
/*
* TODO this does not differentiate between the
@@ -2580,7 +2594,104 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
}
return 0;
}
- return !mandatory_md || sig->hash == default_mdnid;
+ return 1;
+}
+
+/*
+ * Returns true if |s| has a usable certificate configured for use
+ * with signature scheme |sig|.
+ * "Usable" includes a check for presence as well as applying
+ * the signature_algorithm_cert restrictions sent by the peer (if any).
+ * Returns false if no usable certificate is found.
+ */
+static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
+{
+ /* TLS 1.2 callers can override sig->sig_idx, but not TLS 1.3 callers. */
+ if (idx == -1)
+ idx = sig->sig_idx;
+ if (!ssl_has_cert(s, idx))
+ return 0;
+
+ return check_cert_usable(s, sig, s->cert->pkeys[idx].x509,
+ s->cert->pkeys[idx].privatekey);
+}
+
+/*
+ * Returns true if the supplied cert |x| and key |pkey| is usable with the
+ * specified signature scheme |sig|, or false otherwise.
+ */
+static int is_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
+ EVP_PKEY *pkey)
+{
+ size_t idx;
+
+ if (ssl_cert_lookup_by_pkey(pkey, &idx) == NULL)
+ return 0;
+
+ /* Check the key is consistent with the sig alg */
+ if ((int)idx != sig->sig_idx)
+ return 0;
+
+ return check_cert_usable(s, sig, x, pkey);
+}
+
+/*
+ * Find a signature scheme that works with the supplied certificate |x| and key
+ * |pkey|. |x| and |pkey| may be NULL in which case we additionally look at our
+ * available certs/keys to find one that works.
+ */
+static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
+{
+ const SIGALG_LOOKUP *lu = NULL;
+ size_t i;
+#ifndef OPENSSL_NO_EC
+ int curve = -1;
+#endif
+ EVP_PKEY *tmppkey;
+
+ /* Look for a shared sigalgs matching possible certificates */
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
+
+ /* Skip SHA1, SHA224, DSA and RSA if not PSS */
+ if (lu->hash == NID_sha1
+ || lu->hash == NID_sha224
+ || lu->sig == EVP_PKEY_DSA
+ || lu->sig == EVP_PKEY_RSA)
+ continue;
+ /* Check that we have a cert, and signature_algorithms_cert */
+ if (!tls1_lookup_md(lu, NULL))
+ continue;
+ if ((pkey == NULL && !has_usable_cert(s, lu, -1))
+ || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
+ continue;
+
+ tmppkey = (pkey != NULL) ? pkey
+ : s->cert->pkeys[lu->sig_idx].privatekey;
+
+ if (lu->sig == EVP_PKEY_EC) {
+#ifndef OPENSSL_NO_EC
+ if (curve == -1) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmppkey);
+ curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ }
+ if (lu->curve != NID_undef && curve != lu->curve)
+ continue;
+#else
+ continue;
+#endif
+ } else if (lu->sig == EVP_PKEY_RSA_PSS) {
+ /* validate that key is large enough for the signature algorithm */
+ if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
+ continue;
+ }
+ break;
+ }
+
+ if (i == s->shared_sigalgslen)
+ return NULL;
+
+ return lu;
}
/*
@@ -2603,48 +2714,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
s->s3->tmp.sigalg = NULL;
if (SSL_IS_TLS13(s)) {
- size_t i;
-#ifndef OPENSSL_NO_EC
- int curve = -1;
-#endif
-
- /* Look for a certificate matching shared sigalgs */
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
- sig_idx = -1;
-
- /* Skip SHA1, SHA224, DSA and RSA if not PSS */
- if (lu->hash == NID_sha1
- || lu->hash == NID_sha224
- || lu->sig == EVP_PKEY_DSA
- || lu->sig == EVP_PKEY_RSA)
- continue;
- /* Check that we have a cert, and signature_algorithms_cert */
- if (!tls1_lookup_md(lu, NULL) || !has_usable_cert(s, lu, -1))
- continue;
- if (lu->sig == EVP_PKEY_EC) {
-#ifndef OPENSSL_NO_EC
- if (curve == -1) {
- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
-
- curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
- }
- if (lu->curve != NID_undef && curve != lu->curve)
- continue;
-#else
- continue;
-#endif
- } else if (lu->sig == EVP_PKEY_RSA_PSS) {
- /* validate that key is large enough for the signature algorithm */
- EVP_PKEY *pkey;
-
- pkey = s->cert->pkeys[lu->sig_idx].privatekey;
- if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
- continue;
- }
- break;
- }
- if (i == s->cert->shared_sigalgslen) {
+ lu = find_sig_alg(s, NULL, NULL);
+ if (lu == NULL) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
@@ -2677,8 +2748,8 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
* Find highest preference signature algorithm matching
* cert type
*/
- for (i = 0; i < s->cert->shared_sigalgslen; i++) {
- lu = s->cert->shared_sigalgs[i];
+ for (i = 0; i < s->shared_sigalgslen; i++) {
+ lu = s->shared_sigalgs[i];
if (s->server) {
if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1)
@@ -2705,7 +2776,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
#endif
break;
}
- if (i == s->cert->shared_sigalgslen) {
+ if (i == s->shared_sigalgslen) {
if (!fatalerrs)
return 1;
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
diff --git a/freebsd/crypto/openssl/ssl/tls13_enc.c b/freebsd/crypto/openssl/ssl/tls13_enc.c
index d3062e7..e1896cb 100644
--- a/freebsd/crypto/openssl/ssl/tls13_enc.c
+++ b/freebsd/crypto/openssl/ssl/tls13_enc.c
@@ -32,7 +32,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen, int fatal)
{
+#ifdef CHARSET_EBCDIC
+ static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 };
+#else
static const unsigned char label_prefix[] = "tls13 ";
+#endif
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
int ret;
size_t hkdflabellen;
@@ -114,7 +118,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
unsigned char *key, size_t keylen)
{
- static const unsigned char keylabel[] = "key";
+#ifdef CHARSET_EBCDIC
+ static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 };
+#else
+ static const unsigned char keylabel[] = "key";
+#endif
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
NULL, 0, key, keylen, 1);
@@ -127,7 +135,11 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
unsigned char *iv, size_t ivlen)
{
- static const unsigned char ivlabel[] = "iv";
+#ifdef CHARSET_EBCDIC
+ static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 };
+#else
+ static const unsigned char ivlabel[] = "iv";
+#endif
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
NULL, 0, iv, ivlen, 1);
@@ -137,7 +149,11 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
const unsigned char *secret,
unsigned char *fin, size_t finlen)
{
- static const unsigned char finishedlabel[] = "finished";
+#ifdef CHARSET_EBCDIC
+ static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 };
+#else
+ static const unsigned char finishedlabel[] = "finished";
+#endif
return tls13_hkdf_expand(s, md, secret, finishedlabel,
sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
@@ -158,7 +174,11 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
int mdleni;
int ret;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+#ifdef CHARSET_EBCDIC
+ static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 };
+#else
static const char derived_secret_label[] = "derived";
+#endif
unsigned char preextractsec[EVP_MAX_MD_SIZE];
if (pctx == NULL) {
@@ -411,6 +431,16 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
int tls13_change_cipher_state(SSL *s, int which)
{
+#ifdef CHARSET_EBCDIC
+ static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
+ static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
+ static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
+ static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
+ static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
+ static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
+ static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
+ static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
+#else
static const unsigned char client_early_traffic[] = "c e traffic";
static const unsigned char client_handshake_traffic[] = "c hs traffic";
static const unsigned char client_application_traffic[] = "c ap traffic";
@@ -419,6 +449,7 @@ int tls13_change_cipher_state(SSL *s, int which)
static const unsigned char exporter_master_secret[] = "exp master";
static const unsigned char resumption_master_secret[] = "res master";
static const unsigned char early_exporter_master_secret[] = "e exp master";
+#endif
unsigned char *iv;
unsigned char secret[EVP_MAX_MD_SIZE];
unsigned char hashval[EVP_MAX_MD_SIZE];
@@ -686,7 +717,11 @@ int tls13_change_cipher_state(SSL *s, int which)
int tls13_update_key(SSL *s, int sending)
{
- static const unsigned char application_traffic[] = "traffic upd";
+#ifdef CHARSET_EBCDIC
+ static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00};
+#else
+ static const unsigned char application_traffic[] = "traffic upd";
+#endif
const EVP_MD *md = ssl_handshake_md(s);
size_t hashlen = EVP_MD_size(md);
unsigned char *insecret, *iv;
@@ -743,7 +778,11 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
size_t contextlen, int use_context)
{
unsigned char exportsecret[EVP_MAX_MD_SIZE];
+#ifdef CHARSET_EBCDIC
+ static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
+#else
static const unsigned char exporterlabel[] = "exporter";
+#endif
unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
const EVP_MD *md = ssl_handshake_md(s);
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
@@ -780,7 +819,11 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
const unsigned char *context,
size_t contextlen)
{
- static const unsigned char exporterlabel[] = "exporter";
+#ifdef CHARSET_EBCDIC
+ static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
+#else
+ static const unsigned char exporterlabel[] = "exporter";
+#endif
unsigned char exportsecret[EVP_MAX_MD_SIZE];
unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
const EVP_MD *md;
diff --git a/freebsd/include/rpcsvc/yp_prot.h b/freebsd/include/rpcsvc/yp_prot.h
index a0090ac..61cddd1 100644
--- a/freebsd/include/rpcsvc/yp_prot.h
+++ b/freebsd/include/rpcsvc/yp_prot.h
@@ -81,7 +81,7 @@ typedef u_int bool;
#define YPPROG ((u_long)100004)
#define YPVERS ((u_long)2)
#define YPVERS_ORIG ((u_long)1)
-#define YPMAXRECORD ((u_long)1024)
+#define YPMAXRECORD ((u_long)16 * 1024 * 1024)
#define YPMAXDOMAIN ((u_long)64)
#define YPMAXMAP ((u_long)64)
#define YPMAXPEER ((u_long)256)
diff --git a/freebsd/lib/libc/nameser/ns_name.c b/freebsd/lib/libc/nameser/ns_name.c
index 50946fa..0e76435 100644
--- a/freebsd/lib/libc/nameser/ns_name.c
+++ b/freebsd/lib/libc/nameser/ns_name.c
@@ -686,7 +686,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
{
const u_char *cp;
u_int n;
- int l;
+ int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@@ -696,7 +696,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}
diff --git a/freebsd/lib/libc/net/gethostbynis.c b/freebsd/lib/libc/net/gethostbynis.c
index 5cf4b2e..9a715b1 100644
--- a/freebsd/lib/libc/net/gethostbynis.c
+++ b/freebsd/lib/libc/net/gethostbynis.c
@@ -60,7 +60,7 @@ _gethostbynis(const char *name, char *map, int af, struct hostent *he,
char *cp, **q;
char *result;
int resultlen, size, addrok = 0;
- char ypbuf[YPMAXRECORD + 2];
+ char *ypbuf;
res_state statp;
statp = __res_state();
@@ -90,10 +90,11 @@ _gethostbynis(const char *name, char *map, int af, struct hostent *he,
}
/* avoid potential memory leak */
- bcopy((char *)result, (char *)&ypbuf, resultlen);
+ ypbuf = alloca(resultlen + 2);
+ bcopy(result, ypbuf, resultlen);
ypbuf[resultlen] = '\0';
free(result);
- result = (char *)&ypbuf;
+ result = ypbuf;
if ((cp = strchr(result, '\n')))
*cp = '\0';
diff --git a/freebsd/lib/libc/net/getnetbynis.c b/freebsd/lib/libc/net/getnetbynis.c
index cb7f1a6..a643c8d 100644
--- a/freebsd/lib/libc/net/getnetbynis.c
+++ b/freebsd/lib/libc/net/getnetbynis.c
@@ -60,7 +60,7 @@ _getnetbynis(const char *name, char *map, int af, struct netent *ne,
char *cp, **q;
char *result;
int resultlen, len;
- char ypbuf[YPMAXRECORD + 2];
+ char *ypbuf;
switch(af) {
case AF_INET:
@@ -79,10 +79,11 @@ _getnetbynis(const char *name, char *map, int af, struct netent *ne,
&resultlen))
return (-1);
- bcopy((char *)result, (char *)&ypbuf, resultlen);
+ ypbuf = alloca(resultlen + 2);
+ bcopy(result, ypbuf, resultlen);
ypbuf[resultlen] = '\0';
free(result);
- result = (char *)&ypbuf;
+ result = ypbuf;
if ((cp = strchr(result, '\n')))
*cp = '\0';
diff --git a/freebsd/lib/libc/net/getservent.c b/freebsd/lib/libc/net/getservent.c
index 5358093..6e33f36 100644
--- a/freebsd/lib/libc/net/getservent.c
+++ b/freebsd/lib/libc/net/getservent.c
@@ -666,7 +666,7 @@ nis_servent(void *retval, void *mdata, va_list ap)
{
char *resultbuf, *lastkey;
int resultbuflen;
- char buf[YPMAXRECORD + 2];
+ char *buf;
struct nis_state *st;
int rv;
@@ -683,6 +683,7 @@ nis_servent(void *retval, void *mdata, va_list ap)
name = NULL;
proto = NULL;
+ buf = NULL;
how = (enum nss_lookup_type)mdata;
switch (how) {
case nss_lt_name:
@@ -718,7 +719,10 @@ nis_servent(void *retval, void *mdata, va_list ap)
do {
switch (how) {
case nss_lt_name:
- snprintf(buf, sizeof(buf), "%s/%s", name, proto);
+ free(buf);
+ asprintf(&buf, "%s/%s", name, proto);
+ if (buf == NULL)
+ return (NS_TRYAGAIN);
if (yp_match(st->yp_domain, "services.byname", buf,
strlen(buf), &resultbuf, &resultbuflen)) {
rv = NS_NOTFOUND;
@@ -726,8 +730,10 @@ nis_servent(void *retval, void *mdata, va_list ap)
}
break;
case nss_lt_id:
- snprintf(buf, sizeof(buf), "%d/%s", ntohs(port),
- proto);
+ free(buf);
+ asprintf(&buf, "%d/%s", ntohs(port), proto);
+ if (buf == NULL)
+ return (NS_TRYAGAIN);
/*
* We have to be a little flexible
@@ -793,6 +799,7 @@ nis_servent(void *retval, void *mdata, va_list ap)
} while (!(rv & NS_TERMINATE) && how == nss_lt_all);
fin:
+ free(buf);
if (rv == NS_SUCCESS && retval != NULL)
*(struct servent **)retval = serv;
diff --git a/freebsd/lib/libc/rpc/getrpcent.c b/freebsd/lib/libc/rpc/getrpcent.c
index d287d0b..bcac030 100644
--- a/freebsd/lib/libc/rpc/getrpcent.c
+++ b/freebsd/lib/libc/rpc/getrpcent.c
@@ -402,7 +402,7 @@ nis_rpcent(void *retval, void *mdata, va_list ap)
char *lastkey;
char *resultbuf;
int resultbuflen;
- char buf[YPMAXRECORD + 2];
+ char *buf;
struct nis_state *st;
int rv;
@@ -424,6 +424,7 @@ nis_rpcent(void *retval, void *mdata, va_list ap)
return (NS_NOTFOUND);
}
+ buf = NULL;
rpc = va_arg(ap, struct rpcent *);
buffer = va_arg(ap, char *);
bufsize = va_arg(ap, size_t);
@@ -447,7 +448,10 @@ nis_rpcent(void *retval, void *mdata, va_list ap)
case nss_lt_name:
if (!st->no_name_map)
{
- snprintf(buf, sizeof buf, "%s", name);
+ free(buf);
+ asprintf(&buf, "%s", name);
+ if (buf == NULL)
+ return (NS_TRYAGAIN);
rv = yp_match(st->domain, "rpc.byname", buf,
strlen(buf), &resultbuf, &resultbuflen);
@@ -475,7 +479,10 @@ nis_rpcent(void *retval, void *mdata, va_list ap)
}
break;
case nss_lt_id:
- snprintf(buf, sizeof buf, "%d", number);
+ free(buf);
+ asprintf(&buf, "%d", number);
+ if (buf == NULL)
+ return (NS_TRYAGAIN);
if (yp_match(st->domain, "rpc.bynumber", buf,
strlen(buf), &resultbuf, &resultbuflen)) {
rv = NS_NOTFOUND;
@@ -562,6 +569,7 @@ done:
} while (!(rv & NS_TERMINATE) && (how == nss_lt_all));
fin:
+ free(buf);
if ((rv == NS_SUCCESS) && (retval != NULL))
*((struct rpcent **)retval) = rpc;
diff --git a/freebsd/lib/libcapsicum/capsicum_helpers.h b/freebsd/lib/libcapsicum/capsicum_helpers.h
index d1c46e7..3064438 100644
--- a/freebsd/lib/libcapsicum/capsicum_helpers.h
+++ b/freebsd/lib/libcapsicum/capsicum_helpers.h
@@ -51,6 +51,7 @@ __BEGIN_DECLS
static __inline int
caph_limit_stream(int fd, int flags)
{
+#ifndef __rtems__
cap_rights_t rights;
unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ, FIODTYPE };
@@ -75,6 +76,7 @@ caph_limit_stream(int fd, int flags)
if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS)
return (-1);
+#endif /* __rtems__ */
return (0);
}
@@ -123,7 +125,9 @@ static __inline void
caph_cache_catpages(void)
{
+#ifndef __rtems__
(void)catopen("libc", NL_CAT_LOCALE);
+#endif /* __rtems__ */
}
static __inline int
diff --git a/freebsd/sbin/ping/ping.c b/freebsd/sbin/ping/ping.c
index d3eafd7..7197605 100644
--- a/freebsd/sbin/ping/ping.c
+++ b/freebsd/sbin/ping/ping.c
@@ -103,16 +103,20 @@ __FBSDID("$FreeBSD$");
#include <errno.h>
#include <math.h>
#include <netdb.h>
+#include <stddef.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
+#include <time.h>
#include <unistd.h>
#ifdef __rtems__
#include "rtems-bsd-ping-ping-data.h"
#endif /* __rtems__ */
+#include "utils.h"
+
#define INADDR_LEN ((int)sizeof(in_addr_t))
#define TIMEVAL_LEN ((int)sizeof(struct tv32))
#define MASK_LEN (ICMP_MASKLEN - ICMP_MINLEN)
@@ -134,7 +138,7 @@ __FBSDID("$FreeBSD$");
struct tv32 {
int32_t tv32_sec;
- int32_t tv32_usec;
+ int32_t tv32_nsec;
};
/* various options */
@@ -234,7 +238,6 @@ static char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN];
#endif /* __rtems__ */
static void fill(char *, char *);
-static u_short in_cksum(u_short *, int);
#ifndef __rtems__
static cap_channel_t *capdns_setup(void);
#endif /* __rtems__ */
@@ -243,15 +246,14 @@ static void finish(void) __dead2;
static void pinger(void);
static char *pr_addr(struct in_addr);
static char *pr_ntime(n_time);
-static void pr_icmph(struct icmp *);
+static void pr_icmph(struct icmp *, struct ip *, const u_char *const);
static void pr_iph(struct ip *);
-static void pr_pack(char *, int, struct sockaddr_in *, struct timeval *);
-static void pr_retip(struct ip *);
+static void pr_pack(char *, ssize_t, struct sockaddr_in *, struct timespec *);
+static void pr_retip(struct ip *, const u_char *);
#ifndef __rtems__
static void status(int);
static void stopit(int);
#endif /* __rtems__ */
-static void tvsub(struct timeval *, const struct timeval *);
static void usage(void) __dead2;
#ifdef __rtems__
@@ -285,9 +287,8 @@ main(int argc, char *const *argv)
{
struct sockaddr_in from, sock_in;
struct in_addr ifaddr;
- struct timeval last, intvl;
+ struct timespec last, intvl;
struct iovec iov;
- struct ip *ip;
struct msghdr msg;
#ifndef __rtems__
struct sigaction si_sa;
@@ -309,7 +310,7 @@ main(int argc, char *const *argv)
long ltmp;
int almost_done, ch, df, hold, i, icmp_len, mib[4], preload;
int ssend_errno, srecv_errno, tos, ttl;
- char ctrl[CMSG_SPACE(sizeof(struct timeval))];
+ char ctrl[CMSG_SPACE(sizeof(struct timespec))];
#ifndef __rtems__
char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN];
#endif /* __rtems__ */
@@ -335,6 +336,8 @@ main(int argc, char *const *argv)
#define getopt(argc, argv, opt) getopt_r(argc, argv, "+" opt, &getopt_data)
#endif /* __rtems__ */
+ options |= F_NUMERIC;
+
/*
* Do the stuff that we need root priv's for *first*, and
* then drop our setuid bit. Save error reporting for
@@ -692,16 +695,16 @@ main(int argc, char *const *argv)
hostname = hnamebuf;
}
-#ifndef __rtems__
/* From now on we will use only reverse DNS lookups. */
+#ifdef WITH_CASPER
if (capdns != NULL) {
const char *types[1];
- types[0] = "ADDR";
+ types[0] = "ADDR2NAME";
if (cap_dns_type_limit(capdns, types, 1) < 0)
err(1, "unable to limit access to system.dns service");
}
-#endif /* __rtems__ */
+#endif
if (connect(ssend, (struct sockaddr *)&whereto, sizeof(whereto)) != 0)
err(1, "connect");
@@ -766,7 +769,9 @@ main(int argc, char *const *argv)
#endif /*IPSEC*/
if (options & F_HDRINCL) {
- ip = (struct ip*)outpackhdr;
+ struct ip ip;
+
+ memcpy(&ip, outpackhdr, sizeof(ip));
if (!(options & (F_TTL | F_MTTL))) {
mib[0] = CTL_NET;
mib[1] = PF_INET;
@@ -777,15 +782,16 @@ main(int argc, char *const *argv)
err(1, "sysctl(net.inet.ip.ttl)");
}
setsockopt(ssend, IPPROTO_IP, IP_HDRINCL, &hold, sizeof(hold));
- ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(struct ip) >> 2;
- ip->ip_tos = tos;
- ip->ip_id = 0;
- ip->ip_off = htons(df ? IP_DF : 0);
- ip->ip_ttl = ttl;
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY;
- ip->ip_dst = to->sin_addr;
+ ip.ip_v = IPVERSION;
+ ip.ip_hl = sizeof(struct ip) >> 2;
+ ip.ip_tos = tos;
+ ip.ip_id = 0;
+ ip.ip_off = htons(df ? IP_DF : 0);
+ ip.ip_ttl = ttl;
+ ip.ip_p = IPPROTO_ICMP;
+ ip.ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY;
+ ip.ip_dst = to->sin_addr;
+ memcpy(outpackhdr, &ip, sizeof(ip));
}
#ifndef __rtems__
@@ -802,7 +808,7 @@ main(int argc, char *const *argv)
* We must connect(2) our socket before this point.
*/
if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
- err(1, "cap_enter");
+ err(1, "caph_enter_casper");
cap_rights_init(&rights, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
if (cap_rights_limit(srecv, &rights) < 0 && errno != ENOSYS)
@@ -855,9 +861,15 @@ main(int argc, char *const *argv)
}
}
#ifdef SO_TIMESTAMP
- { int on = 1;
- if (setsockopt(srecv, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0)
- err(EX_OSERR, "setsockopt SO_TIMESTAMP");
+ {
+ int on = 1;
+ int ts_clock = SO_TS_MONOTONIC;
+ if (setsockopt(srecv, SOL_SOCKET, SO_TIMESTAMP, &on,
+ sizeof(on)) < 0)
+ err(EX_OSERR, "setsockopt SO_TIMESTAMP");
+ if (setsockopt(srecv, SOL_SOCKET, SO_TS_CLOCK, &ts_clock,
+ sizeof(ts_clock)) < 0)
+ err(EX_OSERR, "setsockopt SO_TS_CLOCK");
}
#endif
if (sweepmax) {
@@ -960,6 +972,7 @@ main(int argc, char *const *argv)
msg.msg_iovlen = 1;
#ifdef SO_TIMESTAMP
msg.msg_control = (caddr_t)ctrl;
+ msg.msg_controllen = sizeof(ctrl);
#endif
iov.iov_base = packet;
iov.iov_len = IP_MAXPACKET;
@@ -972,19 +985,19 @@ main(int argc, char *const *argv)
while (preload--) /* fire off them quickies */
pinger();
}
- (void)gettimeofday(&last, NULL);
+ (void)clock_gettime(CLOCK_MONOTONIC, &last);
if (options & F_FLOOD) {
intvl.tv_sec = 0;
- intvl.tv_usec = 10000;
+ intvl.tv_nsec = 10000000;
} else {
intvl.tv_sec = interval / 1000;
- intvl.tv_usec = interval % 1000 * 1000;
+ intvl.tv_nsec = interval % 1000 * 1000000;
}
almost_done = 0;
while (!finish_up) {
- struct timeval now, timeout;
+ struct timespec now, timeout;
#ifndef __rtems__
fd_set rfds;
#else /* __rtems__ */
@@ -992,7 +1005,8 @@ main(int argc, char *const *argv)
sizeof(fd_set) * 8)];
#define rfds (*(fd_set *)(&big_enough_rfds[0]))
#endif /* __rtems__ */
- int cc, n;
+ int n;
+ ssize_t cc;
check_status();
#ifndef __rtems__
@@ -1003,28 +1017,18 @@ main(int argc, char *const *argv)
memset(big_enough_rfds, 0, sizeof(big_enough_rfds));
#endif /* __rtems__ */
FD_SET(srecv, &rfds);
- (void)gettimeofday(&now, NULL);
- timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec;
- timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec;
- while (timeout.tv_usec < 0) {
- timeout.tv_usec += 1000000;
- timeout.tv_sec--;
- }
- while (timeout.tv_usec >= 1000000) {
- timeout.tv_usec -= 1000000;
- timeout.tv_sec++;
- }
+ (void)clock_gettime(CLOCK_MONOTONIC, &now);
+ timespecadd(&last, &intvl, &timeout);
+ timespecsub(&timeout, &now, &timeout);
if (timeout.tv_sec < 0)
- timerclear(&timeout);
- n = select(srecv + 1, &rfds, NULL, NULL, &timeout);
+ timespecclear(&timeout);
+ n = pselect(srecv + 1, &rfds, NULL, NULL, &timeout, NULL);
if (n < 0)
continue; /* Must be EINTR. */
if (n == 1) {
- struct timeval *tv = NULL;
+ struct timespec *tv = NULL;
#ifdef SO_TIMESTAMP
- struct cmsghdr *cmsg = (struct cmsghdr *)&ctrl;
-
- msg.msg_controllen = sizeof(ctrl);
+ struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
#endif
msg.msg_namelen = sizeof(from);
if ((cc = recvmsg(srecv, &msg, 0)) < 0) {
@@ -1034,7 +1038,8 @@ main(int argc, char *const *argv)
continue;
}
#ifdef SO_TIMESTAMP
- if (cmsg->cmsg_level == SOL_SOCKET &&
+ if (cmsg != NULL &&
+ cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SCM_TIMESTAMP &&
cmsg->cmsg_len == CMSG_LEN(sizeof *tv)) {
/* Copy to avoid alignment problems: */
@@ -1043,7 +1048,7 @@ main(int argc, char *const *argv)
}
#endif
if (tv == NULL) {
- (void)gettimeofday(&now, NULL);
+ (void)clock_gettime(CLOCK_MONOTONIC, &now);
tv = &now;
}
pr_pack((char *)packet, cc, &from, tv);
@@ -1067,17 +1072,17 @@ main(int argc, char *const *argv)
if (almost_done)
break;
almost_done = 1;
- intvl.tv_usec = 0;
+ intvl.tv_nsec = 0;
if (nreceived) {
intvl.tv_sec = 2 * tmax / 1000;
if (!intvl.tv_sec)
intvl.tv_sec = 1;
} else {
intvl.tv_sec = waittime / 1000;
- intvl.tv_usec = waittime % 1000 * 1000;
+ intvl.tv_nsec = waittime % 1000 * 1000000;
}
}
- (void)gettimeofday(&last, NULL);
+ (void)clock_gettime(CLOCK_MONOTONIC, &last);
if (ntransmitted - nreceived - 1 > nmissedmax) {
nmissedmax = ntransmitted - nreceived - 1;
if (options & F_MISSED)
@@ -1116,53 +1121,69 @@ stopit(int sig __unused)
* Compose and transmit an ICMP ECHO REQUEST packet. The IP packet
* will be added on by the kernel. The ID field is our UNIX process ID,
* and the sequence number is an ascending integer. The first TIMEVAL_LEN
- * bytes of the data portion are used to hold a UNIX "timeval" struct in
+ * bytes of the data portion are used to hold a UNIX "timespec" struct in
* host byte-order, to compute the round-trip time.
*/
static void
pinger(void)
{
- struct timeval now;
+ struct timespec now;
struct tv32 tv32;
- struct ip *ip;
- struct icmp *icp;
+ struct icmp icp;
int cc, i;
u_char *packet;
packet = outpack;
- icp = (struct icmp *)outpack;
- icp->icmp_type = icmp_type;
- icp->icmp_code = 0;
- icp->icmp_cksum = 0;
- icp->icmp_seq = htons(ntransmitted);
- icp->icmp_id = ident; /* ID */
+ memcpy(&icp, outpack, ICMP_MINLEN + phdr_len);
+ icp.icmp_type = icmp_type;
+ icp.icmp_code = 0;
+ icp.icmp_cksum = 0;
+ icp.icmp_seq = htons(ntransmitted);
+ icp.icmp_id = ident; /* ID */
CLR(ntransmitted % MAX_DUP_CHK);
if ((options & F_TIME) || timing) {
- (void)gettimeofday(&now, NULL);
-
- tv32.tv32_sec = htonl(now.tv_sec);
- tv32.tv32_usec = htonl(now.tv_usec);
+ (void)clock_gettime(CLOCK_MONOTONIC, &now);
+ /*
+ * Truncate seconds down to 32 bits in order
+ * to fit the timestamp within 8 bytes of the
+ * packet. We're only concerned with
+ * durations, not absolute times.
+ */
+ tv32.tv32_sec = (uint32_t)htonl(now.tv_sec);
+ tv32.tv32_nsec = (uint32_t)htonl(now.tv_nsec);
if (options & F_TIME)
- icp->icmp_otime = htonl((now.tv_sec % (24*60*60))
- * 1000 + now.tv_usec / 1000);
+ icp.icmp_otime = htonl((now.tv_sec % (24*60*60))
+ * 1000 + now.tv_nsec / 1000000);
if (timing)
bcopy((void *)&tv32,
(void *)&outpack[ICMP_MINLEN + phdr_len],
sizeof(tv32));
}
+ memcpy(outpack, &icp, ICMP_MINLEN + phdr_len);
+
cc = ICMP_MINLEN + phdr_len + datalen;
/* compute ICMP checksum here */
- icp->icmp_cksum = in_cksum((u_short *)icp, cc);
+ icp.icmp_cksum = in_cksum(outpack, cc);
+ /* Update icmp_cksum in the raw packet data buffer. */
+ memcpy(outpack + offsetof(struct icmp, icmp_cksum), &icp.icmp_cksum,
+ sizeof(icp.icmp_cksum));
if (options & F_HDRINCL) {
+ struct ip ip;
+
cc += sizeof(struct ip);
- ip = (struct ip *)outpackhdr;
- ip->ip_len = htons(cc);
- ip->ip_sum = in_cksum((u_short *)outpackhdr, cc);
+ ip.ip_len = htons(cc);
+ /* Update ip_len in the raw packet data buffer. */
+ memcpy(outpackhdr + offsetof(struct ip, ip_len), &ip.ip_len,
+ sizeof(ip.ip_len));
+ ip.ip_sum = in_cksum(outpackhdr, cc);
+ /* Update ip_sum in the raw packet data buffer. */
+ memcpy(outpackhdr + offsetof(struct ip, ip_sum), &ip.ip_sum,
+ sizeof(ip.ip_sum));
packet = outpackhdr;
}
i = send(ssend, (char *)packet, cc, 0);
@@ -1192,56 +1213,71 @@ pinger(void)
* program to be run without having intermingled output (or statistics!).
*/
static void
-pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
+pr_pack(char *buf, ssize_t cc, struct sockaddr_in *from, struct timespec *tv)
{
struct in_addr ina;
- u_char *cp, *dp;
- struct icmp *icp;
- struct ip *ip;
- const void *tp;
+ u_char *cp, *dp, l;
+ struct icmp icp;
+ struct ip ip;
+ const u_char *icmp_data_raw;
double triptime;
- int dupflag, hlen, i, j, recv_len, seq;
+ int dupflag, hlen, i, j, recv_len;
+ uint16_t seq;
static int old_rrlen;
static char old_rr[MAX_IPOPTLEN];
+ struct ip oip;
+ u_char oip_header_len;
+ struct icmp oicmp;
+ const u_char *oicmp_raw;
+
+ /*
+ * Get size of IP header of the received packet. The
+ * information is contained in the lower four bits of the
+ * first byte.
+ */
+ memcpy(&l, buf, sizeof(l));
+ hlen = (l & 0x0f) << 2;
+ memcpy(&ip, buf, hlen);
/* Check the IP header */
- ip = (struct ip *)buf;
- hlen = ip->ip_hl << 2;
recv_len = cc;
if (cc < hlen + ICMP_MINLEN) {
if (options & F_VERBOSE)
- warn("packet too short (%d bytes) from %s", cc,
+ warn("packet too short (%zd bytes) from %s", cc,
inet_ntoa(from->sin_addr));
return;
}
+#ifndef icmp_data
+ icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_ip);
+#else
+ icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_data);
+#endif
+
/* Now the ICMP part */
cc -= hlen;
- icp = (struct icmp *)(buf + hlen);
- if (icp->icmp_type == icmp_type_rsp) {
- if (icp->icmp_id != ident)
+ memcpy(&icp, buf + hlen, MIN((ssize_t)sizeof(icp), cc));
+ if (icp.icmp_type == icmp_type_rsp) {
+ if (icp.icmp_id != ident)
return; /* 'Twas not our ECHO */
++nreceived;
triptime = 0.0;
if (timing) {
- struct timeval tv1;
+ struct timespec tv1;
struct tv32 tv32;
-#ifndef icmp_data
- tp = &icp->icmp_ip;
-#else
- tp = icp->icmp_data;
-#endif
- tp = (const char *)tp + phdr_len;
+ const u_char *tp;
+
+ tp = icmp_data_raw + phdr_len;
if ((size_t)(cc - ICMP_MINLEN - phdr_len) >=
sizeof(tv1)) {
/* Copy to avoid alignment problems: */
memcpy(&tv32, tp, sizeof(tv32));
tv1.tv_sec = ntohl(tv32.tv32_sec);
- tv1.tv_usec = ntohl(tv32.tv32_usec);
- tvsub(tv, &tv1);
+ tv1.tv_nsec = ntohl(tv32.tv32_nsec);
+ timespecsub(tv, &tv1, tv);
triptime = ((double)tv->tv_sec) * 1000.0 +
- ((double)tv->tv_usec) / 1000.0;
+ ((double)tv->tv_nsec) / 1000000.0;
tsum += triptime;
tsumsq += triptime * triptime;
if (triptime < tmin)
@@ -1252,7 +1288,7 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
timing = 0;
}
- seq = ntohs(icp->icmp_seq);
+ seq = ntohs(icp.icmp_seq);
if (TST(seq % MAX_DUP_CHK)) {
++nrepeats;
@@ -1274,10 +1310,9 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
if (options & F_FLOOD)
(void)write(STDOUT_FILENO, &BSPACE, 1);
else {
- (void)printf("%d bytes from %s: icmp_seq=%u", cc,
- inet_ntoa(*(struct in_addr *)&from->sin_addr.s_addr),
- seq);
- (void)printf(" ttl=%d", ip->ip_ttl);
+ (void)printf("%zd bytes from %s: icmp_seq=%u", cc,
+ pr_addr(from->sin_addr), seq);
+ (void)printf(" ttl=%d", ip.ip_ttl);
if (timing)
(void)printf(" time=%.3f ms", triptime);
if (dupflag)
@@ -1287,12 +1322,12 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
if (options & F_MASK) {
/* Just prentend this cast isn't ugly */
(void)printf(" mask=%s",
- inet_ntoa(*(struct in_addr *)&(icp->icmp_mask)));
+ inet_ntoa(*(struct in_addr *)&(icp.icmp_mask)));
}
if (options & F_TIME) {
- (void)printf(" tso=%s", pr_ntime(icp->icmp_otime));
- (void)printf(" tsr=%s", pr_ntime(icp->icmp_rtime));
- (void)printf(" tst=%s", pr_ntime(icp->icmp_ttime));
+ (void)printf(" tso=%s", pr_ntime(icp.icmp_otime));
+ (void)printf(" tsr=%s", pr_ntime(icp.icmp_rtime));
+ (void)printf(" tst=%s", pr_ntime(icp.icmp_ttime));
}
if (recv_len != send_len) {
(void)printf(
@@ -1300,7 +1335,8 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
recv_len, send_len);
}
/* check the data */
- cp = (u_char*)&icp->icmp_data[phdr_len];
+ cp = (u_char*)(buf + hlen + offsetof(struct icmp,
+ icmp_data) + phdr_len);
dp = &outpack[ICMP_MINLEN + phdr_len];
cc -= ICMP_MINLEN + phdr_len;
i = 0;
@@ -1315,7 +1351,8 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
(void)printf("\nwrong data byte #%d should be 0x%x but was 0x%x",
i, *dp, *cp);
(void)printf("\ncp:");
- cp = (u_char*)&icp->icmp_data[0];
+ cp = (u_char*)(buf + hlen +
+ offsetof(struct icmp, icmp_data));
for (i = 0; i < datalen; ++i, ++cp) {
if ((i % 16) == 8)
(void)printf("\n\t");
@@ -1343,22 +1380,22 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
* as root to avoid leaking information not normally
* available to those not running as root.
*/
-#ifndef icmp_data
- struct ip *oip = &icp->icmp_ip;
-#else
- struct ip *oip = (struct ip *)icp->icmp_data;
-#endif
- struct icmp *oicmp = (struct icmp *)(oip + 1);
+ memcpy(&oip_header_len, icmp_data_raw, sizeof(oip_header_len));
+ oip_header_len = (oip_header_len & 0x0f) << 2;
+ memcpy(&oip, icmp_data_raw, oip_header_len);
+ oicmp_raw = icmp_data_raw + oip_header_len;
+ memcpy(&oicmp, oicmp_raw, offsetof(struct icmp, icmp_id) +
+ sizeof(oicmp.icmp_id));
if (((options & F_VERBOSE) && uid == 0) ||
(!(options & F_QUIET2) &&
- (oip->ip_dst.s_addr == whereto.sin_addr.s_addr) &&
- (oip->ip_p == IPPROTO_ICMP) &&
- (oicmp->icmp_type == ICMP_ECHO) &&
- (oicmp->icmp_id == ident))) {
- (void)printf("%d bytes from %s: ", cc,
+ (oip.ip_dst.s_addr == whereto.sin_addr.s_addr) &&
+ (oip.ip_p == IPPROTO_ICMP) &&
+ (oicmp.icmp_type == ICMP_ECHO) &&
+ (oicmp.icmp_id == ident))) {
+ (void)printf("%zd bytes from %s: ", cc,
pr_addr(from->sin_addr));
- pr_icmph(icp);
+ pr_icmph(&icp, &oip, oicmp_raw);
} else
return;
}
@@ -1452,65 +1489,6 @@ pr_pack(char *buf, int cc, struct sockaddr_in *from, struct timeval *tv)
}
}
-/*
- * in_cksum --
- * Checksum routine for Internet Protocol family headers (C Version)
- */
-u_short
-in_cksum(u_short *addr, int len)
-{
- int nleft, sum;
- u_short *w;
- union {
- u_short us;
- u_char uc[2];
- } last;
- u_short answer;
-
- nleft = len;
- sum = 0;
- w = addr;
-
- /*
- * Our algorithm is simple, using a 32 bit accumulator (sum), we add
- * sequential 16 bit words to it, and at the end, fold back all the
- * carry bits from the top 16 bits into the lower 16 bits.
- */
- while (nleft > 1) {
- sum += *w++;
- nleft -= 2;
- }
-
- /* mop up an odd byte, if necessary */
- if (nleft == 1) {
- last.uc[0] = *(u_char *)w;
- last.uc[1] = 0;
- sum += last.us;
- }
-
- /* add back carry outs from top 16 bits to low 16 bits */
- sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
- sum += (sum >> 16); /* add carry */
- answer = ~sum; /* truncate to 16 bits */
- return(answer);
-}
-
-/*
- * tvsub --
- * Subtract 2 timeval structs: out = out - in. Out is assumed to
- * be >= in.
- */
-static void
-tvsub(struct timeval *out, const struct timeval *in)
-{
-
- if ((out->tv_usec -= in->tv_usec) < 0) {
- --out->tv_sec;
- out->tv_usec += 1000000;
- }
- out->tv_sec -= in->tv_sec;
-}
-
#ifndef __rtems__
/*
* status --
@@ -1607,7 +1585,7 @@ static char *ttab[] = {
* Print a descriptive string about an ICMP header.
*/
static void
-pr_icmph(struct icmp *icp)
+pr_icmph(struct icmp *icp, struct ip *oip, const u_char *const oicmp_raw)
{
switch(icp->icmp_type) {
@@ -1645,19 +1623,11 @@ pr_icmph(struct icmp *icp)
break;
}
/* Print returned IP header information */
-#ifndef icmp_data
- pr_retip(&icp->icmp_ip);
-#else
- pr_retip((struct ip *)icp->icmp_data);
-#endif
+ pr_retip(oip, oicmp_raw);
break;
case ICMP_SOURCEQUENCH:
(void)printf("Source Quench\n");
-#ifndef icmp_data
- pr_retip(&icp->icmp_ip);
-#else
- pr_retip((struct ip *)icp->icmp_data);
-#endif
+ pr_retip(oip, oicmp_raw);
break;
case ICMP_REDIRECT:
switch(icp->icmp_code) {
@@ -1678,11 +1648,7 @@ pr_icmph(struct icmp *icp)
break;
}
(void)printf("(New addr: %s)\n", inet_ntoa(icp->icmp_gwaddr));
-#ifndef icmp_data
- pr_retip(&icp->icmp_ip);
-#else
- pr_retip((struct ip *)icp->icmp_data);
-#endif
+ pr_retip(oip, oicmp_raw);
break;
case ICMP_ECHO:
(void)printf("Echo Request\n");
@@ -1701,20 +1667,12 @@ pr_icmph(struct icmp *icp)
icp->icmp_code);
break;
}
-#ifndef icmp_data
- pr_retip(&icp->icmp_ip);
-#else
- pr_retip((struct ip *)icp->icmp_data);
-#endif
+ pr_retip(oip, oicmp_raw);
break;
case ICMP_PARAMPROB:
(void)printf("Parameter problem: pointer = 0x%02x\n",
icp->icmp_hun.ih_pptr);
-#ifndef icmp_data
- pr_retip(&icp->icmp_ip);
-#else
- pr_retip((struct ip *)icp->icmp_data);
-#endif
+ pr_retip(oip, oicmp_raw);
break;
case ICMP_TSTAMP:
(void)printf("Timestamp\n");
@@ -1815,14 +1773,9 @@ pr_addr(struct in_addr ina)
* Dump some info on a returned (via ICMP) IP packet.
*/
static void
-pr_retip(struct ip *ip)
+pr_retip(struct ip *ip, const u_char *cp)
{
- u_char *cp;
- int hlen;
-
pr_iph(ip);
- hlen = ip->ip_hl << 2;
- cp = (u_char *)ip + hlen;
if (ip->ip_p == 6)
(void)printf("TCP: from port %u, to port %u (decimal)\n",
@@ -1835,7 +1788,7 @@ pr_retip(struct ip *ip)
static char *
pr_ntime(n_time timestamp)
{
- static char buf[10];
+ static char buf[11];
int hour, min, sec;
sec = ntohl(timestamp) / 1000;
@@ -1884,9 +1837,10 @@ static cap_channel_t *
capdns_setup(void)
{
cap_channel_t *capcas, *capdnsloc;
+#ifdef WITH_CASPER
const char *types[2];
int families[1];
-
+#endif
capcas = cap_init();
if (capcas == NULL)
err(1, "unable to create casper process");
@@ -1895,14 +1849,15 @@ capdns_setup(void)
cap_close(capcas);
if (capdnsloc == NULL)
err(1, "unable to open system.dns service");
- types[0] = "NAME";
- types[1] = "ADDR";
+#ifdef WITH_CASPER
+ types[0] = "NAME2ADDR";
+ types[1] = "ADDR2NAME";
if (cap_dns_type_limit(capdnsloc, types, 2) < 0)
err(1, "unable to limit access to system.dns service");
families[0] = AF_INET;
if (cap_dns_family_limit(capdnsloc, families, 1) < 0)
err(1, "unable to limit access to system.dns service");
-
+#endif
return (capdnsloc);
}
#endif /* __rtems__ */
diff --git a/freebsd/sbin/ping/rtems-bsd-ping-data.h b/freebsd/sbin/ping/rtems-bsd-ping-data.h
index b89b228..5f67525 100644
--- a/freebsd/sbin/ping/rtems-bsd-ping-data.h
+++ b/freebsd/sbin/ping/rtems-bsd-ping-data.h
@@ -1,3 +1,4 @@
/* generated by userspace-header-gen.py */
#include <rtems/linkersets.h>
/* ping.c */
+/* utils.c */
diff --git a/freebsd/sbin/ping/rtems-bsd-ping-namespace.h b/freebsd/sbin/ping/rtems-bsd-ping-namespace.h
index a46682d..eef73af 100644
--- a/freebsd/sbin/ping/rtems-bsd-ping-namespace.h
+++ b/freebsd/sbin/ping/rtems-bsd-ping-namespace.h
@@ -1,2 +1,4 @@
/* generated by userspace-header-gen.py */
/* ping.c */
+/* utils.c */
+#define in_cksum _bsd_ping_in_cksum
diff --git a/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h b/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h
new file mode 100644
index 0000000..255f394
--- /dev/null
+++ b/freebsd/sbin/ping/rtems-bsd-ping-utils-data.h
@@ -0,0 +1,4 @@
+/* generated by userspace-header-gen.py */
+#include <rtems/linkersets.h>
+#include "rtems-bsd-ping-data.h"
+/* utils.c */
diff --git a/freebsd/sbin/ping/utils.c b/freebsd/sbin/ping/utils.c
new file mode 100644
index 0000000..2e832b1
--- /dev/null
+++ b/freebsd/sbin/ping/utils.c
@@ -0,0 +1,107 @@
+#include <machine/rtems-bsd-user-space.h>
+
+#ifdef __rtems__
+#include "rtems-bsd-ping-namespace.h"
+#endif /* __rtems__ */
+
+/*-
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright (c) 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Mike Muuss.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if 0
+#ifndef lint
+static const char copyright[] =
+"@(#) Copyright (c) 1989, 1993\n\
+ The Regents of the University of California. All rights reserved.\n";
+#endif /* not lint */
+
+#ifndef lint
+static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93";
+#endif /* not lint */
+#endif
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <string.h>
+#ifdef __rtems__
+#include "rtems-bsd-ping-utils-data.h"
+#endif /* __rtems__ */
+
+#include "utils.h"
+
+/*
+ * in_cksum --
+ * Checksum routine for Internet Protocol family headers (C Version)
+ */
+u_short
+in_cksum(u_char *addr, int len)
+{
+ int nleft, sum;
+ u_char *w;
+ union {
+ u_short us;
+ u_char uc[2];
+ } last;
+ u_short answer;
+
+ nleft = len;
+ sum = 0;
+ w = addr;
+
+ /*
+ * Our algorithm is simple, using a 32 bit accumulator (sum), we add
+ * sequential 16 bit words to it, and at the end, fold back all the
+ * carry bits from the top 16 bits into the lower 16 bits.
+ */
+ while (nleft > 1) {
+ u_short data;
+
+ memcpy(&data, w, sizeof(data));
+ sum += data;
+ w += sizeof(data);
+ nleft -= sizeof(data);
+ }
+
+ /* mop up an odd byte, if necessary */
+ if (nleft == 1) {
+ last.uc[0] = *w;
+ last.uc[1] = 0;
+ sum += last.us;
+ }
+
+ /* add back carry outs from top 16 bits to low 16 bits */
+ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
+ sum += (sum >> 16); /* add carry */
+ answer = ~sum; /* truncate to 16 bits */
+ return(answer);
+}
diff --git a/freebsd/sbin/ping/utils.h b/freebsd/sbin/ping/utils.h
new file mode 100644
index 0000000..cb56e58
--- /dev/null
+++ b/freebsd/sbin/ping/utils.h
@@ -0,0 +1,38 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (C) 2019 Jan Sucan <jansucan at FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef UTILS_H
+#define UTILS_H 1
+
+#include <sys/types.h>
+
+u_short in_cksum(u_char *, int);
+
+#endif
diff --git a/freebsd/sbin/ping6/ping6.c b/freebsd/sbin/ping6/ping6.c
index c95572b..122f6d0 100644
--- a/freebsd/sbin/ping6/ping6.c
+++ b/freebsd/sbin/ping6/ping6.c
@@ -72,6 +72,7 @@
*/
#if defined(__rtems__) && defined(INET6)
+#if 0
#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1989, 1993\n\
@@ -79,10 +80,9 @@ static const char copyright[] =
#endif /* not lint */
#ifndef lint
-#if 0
static char sccsid[] = "@(#)ping.c 8.1 (Berkeley) 6/5/93";
-#endif
#endif /* not lint */
+#endif
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
@@ -117,9 +117,9 @@ __FBSDID("$FreeBSD$");
#include <machine/rtems-bsd-commands.h>
#endif /* __rtems__ */
#include <sys/param.h>
+#include <sys/capsicum.h>
#include <sys/uio.h>
#include <sys/socket.h>
-#include <sys/time.h>
#include <net/if.h>
#include <net/route.h>
@@ -131,6 +131,10 @@ __FBSDID("$FreeBSD$");
#include <arpa/nameser.h>
#include <netdb.h>
+#include <capsicum_helpers.h>
+#include <casper/cap_dns.h>
+#include <libcasper.h>
+
#include <ctype.h>
#include <err.h>
#include <errno.h>
@@ -141,6 +145,7 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
+#include <time.h>
#include <unistd.h>
#ifdef IPSEC
@@ -155,7 +160,7 @@ __FBSDID("$FreeBSD$");
struct tv32 {
u_int32_t tv32_sec;
- u_int32_t tv32_usec;
+ u_int32_t tv32_nsec;
};
#define MAXPACKETLEN 131072
@@ -209,7 +214,7 @@ struct tv32 {
#define F_DONTFRAG 0x1000000
#define F_NOUSERDATA (F_NODEADDR | F_FQDN | F_FQDNOLD | F_SUPTYPES)
#define F_WAITTIME 0x2000000
-u_int options;
+static u_int options;
#define IN6LEN sizeof(struct in6_addr)
#define SA6LEN sizeof(struct sockaddr_in6)
@@ -230,7 +235,8 @@ static struct sockaddr_in6 dst; /* who to ping6 */
static struct sockaddr_in6 src; /* src addr of this packet */
static socklen_t srclen;
static size_t datalen = DEFDATALEN;
-static int s; /* socket file descriptor */
+static int ssend; /* send socket file descriptor */
+static int srecv; /* receive socket file descriptor */
static u_char outpack[MAXPACKETLEN];
static char BSPACE = '\b'; /* characters written for flood */
static char BBELL = '\a'; /* characters written for AUDIBLE */
@@ -240,6 +246,7 @@ static int ident; /* process id to identify our packets */
static u_int8_t nonce[8]; /* nonce field for node information */
static int hoplimit = -1; /* hoplimit */
static u_char *packet = NULL;
+static cap_channel_t *capdns;
/* counters */
static long nmissedmax; /* max value of ntransmitted - nreceived - 1 */
@@ -274,6 +281,7 @@ static volatile sig_atomic_t seeninfo;
#ifndef __rtems__
int main(int, char *[]);
#endif /* __rtems__ */
+static cap_channel_t *capdns_setup(void);
static void fill(char *, char *);
static int get_hoplim(struct msghdr *);
static int get_pathmtu(struct msghdr *);
@@ -289,7 +297,7 @@ static void pr_suptypes(struct icmp6_nodeinfo *, size_t);
static void pr_nodeaddr(struct icmp6_nodeinfo *, int);
static int myechoreply(const struct icmp6_hdr *);
static int mynireply(const struct icmp6_nodeinfo *);
-static char *dnsdecode(const u_char **, const u_char *, const u_char *,
+static const char *dnsdecode(const u_char *, const u_char *, const u_char *,
char *, size_t);
static void pr_pack(u_char *, int, struct msghdr *);
static void pr_exthdrs(struct msghdr *);
@@ -298,8 +306,11 @@ static void pr_rthdr(void *, size_t);
static int pr_bitrange(u_int32_t, int, int);
static void pr_retip(struct ip6_hdr *, u_char *);
static void summary(void);
-static void tvsub(struct timeval *, struct timeval *);
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
static int setpolicy(int, char *);
+#endif
+#endif
static char *nigroup(char *, int);
static void usage(void);
@@ -332,7 +343,7 @@ rtems_bsd_command_ping6(int argc, char *argv[])
int
main(int argc, char *argv[])
{
- struct timeval last, intvl;
+ struct timespec last, intvl;
struct sockaddr_in6 from, *sin6;
struct addrinfo hints, *res;
struct sigaction si_sa;
@@ -345,19 +356,18 @@ main(int argc, char *argv[])
struct cmsghdr *scmsgp = NULL;
/* For control (ancillary) data received from recvmsg() */
#ifndef __rtems__
- struct cmsghdr cm[CONTROLLEN];
+ u_char cm[CONTROLLEN];
#else /* __rtems__ */
- static struct cmsghdr cm[CONTROLLEN];
+ static u_char cm[CONTROLLEN];
#endif /* __rtems__ */
#if defined(SO_SNDBUF) && defined(SO_RCVBUF)
u_long lsockbufsize;
int sockbufsize = 0;
#endif
int usepktinfo = 0;
- struct in6_pktinfo *pktinfo = NULL;
-#ifdef USE_RFC2292BIS
+ struct in6_pktinfo pktinfo;
+ char *cmsg_pktinfo = NULL;
struct ip6_rthdr *rthdr = NULL;
-#endif
#ifdef IPSEC_POLICY_IPSEC
char *policy_in = NULL;
char *policy_out = NULL;
@@ -368,6 +378,9 @@ main(int argc, char *argv[])
#ifdef IPV6_USE_MIN_MTU
int mflag = 0;
#endif
+ cap_rights_t rights_srecv;
+ cap_rights_t rights_ssend;
+ cap_rights_t rights_stdin;
#ifdef __rtems__
struct getopt_data getopt_data;
memset(&getopt_data, 0, sizeof(getopt_data));
@@ -381,9 +394,14 @@ main(int argc, char *argv[])
/* just to be sure */
memset(&smsghdr, 0, sizeof(smsghdr));
memset(&smsgiov, 0, sizeof(smsgiov));
+ memset(&pktinfo, 0, sizeof(pktinfo));
+
+ intvl.tv_sec = interval / 1000;
+ intvl.tv_nsec = interval % 1000 * 1000000;
alarmtimeout = preload = 0;
datap = &outpack[ICMP6ECHOLEN + ICMP6ECHOTMLEN];
+ capdns = capdns_setup();
#ifndef IPSEC
#define ADDOPTS
#else
@@ -503,15 +521,15 @@ main(int argc, char *argv[])
errx(1, "%s: only root may use interval < 1s",
strerror(EPERM));
}
- intvl.tv_sec = (long)t;
- intvl.tv_usec =
- (long)((t - intvl.tv_sec) * 1000000);
+ intvl.tv_sec = (time_t)t;
+ intvl.tv_nsec =
+ (long)((t - intvl.tv_sec) * 1000000000);
if (intvl.tv_sec < 0)
errx(1, "illegal timing interval %s", optarg);
/* less than 1/hz does not make sense */
- if (intvl.tv_sec == 0 && intvl.tv_usec < 1) {
+ if (intvl.tv_sec == 0 && intvl.tv_nsec < 1000) {
warnx("too small interval, raised to .000001");
- intvl.tv_usec = 1;
+ intvl.tv_nsec = 1000;
}
options |= F_INTERVAL;
break;
@@ -562,7 +580,7 @@ main(int argc, char *argv[])
hints.ai_socktype = SOCK_RAW;
hints.ai_protocol = IPPROTO_ICMPV6;
- error = getaddrinfo(optarg, NULL, &hints, &res);
+ error = cap_getaddrinfo(capdns, optarg, NULL, &hints, &res);
if (error) {
errx(1, "invalid source address: %s",
gai_strerror(error));
@@ -678,14 +696,14 @@ main(int argc, char *argv[])
} else
target = argv[argc - 1];
- /* getaddrinfo */
+ /* cap_getaddrinfo */
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_RAW;
hints.ai_protocol = IPPROTO_ICMPV6;
- error = getaddrinfo(target, NULL, &hints, &res);
+ error = cap_getaddrinfo(capdns, target, NULL, &hints, &res);
if (error)
errx(1, "%s", gai_strerror(error));
if (res->ai_canonname)
@@ -694,13 +712,16 @@ main(int argc, char *argv[])
hostname = target;
if (!res->ai_addr)
- errx(1, "getaddrinfo failed");
+ errx(1, "cap_getaddrinfo failed");
(void)memcpy(&dst, res->ai_addr, res->ai_addrlen);
- if ((s = socket(res->ai_family, res->ai_socktype,
+ if ((ssend = socket(res->ai_family, res->ai_socktype,
+ res->ai_protocol)) < 0)
+ err(1, "socket ssend");
+ if ((srecv = socket(res->ai_family, res->ai_socktype,
res->ai_protocol)) < 0)
- err(1, "socket");
+ err(1, "socket srecv");
freeaddrinfo(res);
/* set the source address if specified. */
@@ -715,7 +736,7 @@ main(int argc, char *argv[])
if (dst.sin6_scope_id == 0)
dst.sin6_scope_id = src.sin6_scope_id;
}
- if (bind(s, (struct sockaddr *)&src, srclen) != 0)
+ if (bind(ssend, (struct sockaddr *)&src, srclen) != 0)
err(1, "bind");
}
/* set the gateway (next hop) if specified */
@@ -725,15 +746,15 @@ main(int argc, char *argv[])
hints.ai_socktype = SOCK_RAW;
hints.ai_protocol = IPPROTO_ICMPV6;
- error = getaddrinfo(gateway, NULL, &hints, &res);
+ error = cap_getaddrinfo(capdns, gateway, NULL, &hints, &res);
if (error) {
- errx(1, "getaddrinfo for the gateway %s: %s",
+ errx(1, "cap_getaddrinfo for the gateway %s: %s",
gateway, gai_strerror(error));
}
if (res->ai_next && (options & F_VERBOSE))
warnx("gateway resolves to multiple addresses");
- if (setsockopt(s, IPPROTO_IPV6, IPV6_NEXTHOP,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_NEXTHOP,
res->ai_addr, res->ai_addrlen)) {
err(1, "setsockopt(IPV6_NEXTHOP)");
}
@@ -749,25 +770,25 @@ main(int argc, char *argv[])
int opton = 1;
#ifdef IPV6_RECVHOPOPTS
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVHOPOPTS, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVHOPOPTS, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_RECVHOPOPTS)");
#else /* old adv. API */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_HOPOPTS, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_HOPOPTS, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_HOPOPTS)");
#endif
#ifdef IPV6_RECVDSTOPTS
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVDSTOPTS, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVDSTOPTS, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_RECVDSTOPTS)");
#else /* old adv. API */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_DSTOPTS, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_DSTOPTS)");
#endif
#ifdef IPV6_RECVRTHDRDSTOPTS
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVRTHDRDSTOPTS, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVRTHDRDSTOPTS, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_RECVRTHDRDSTOPTS)");
#endif
@@ -810,31 +831,34 @@ main(int argc, char *argv[])
arc4random_buf(nonce, sizeof(nonce));
optval = 1;
if (options & F_DONTFRAG)
- if (setsockopt(s, IPPROTO_IPV6, IPV6_DONTFRAG,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_DONTFRAG,
&optval, sizeof(optval)) == -1)
err(1, "IPV6_DONTFRAG");
hold = 1;
- if (options & F_SO_DEBUG)
- (void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold,
+ if (options & F_SO_DEBUG) {
+ (void)setsockopt(ssend, SOL_SOCKET, SO_DEBUG, (char *)&hold,
sizeof(hold));
+ (void)setsockopt(srecv, SOL_SOCKET, SO_DEBUG, (char *)&hold,
+ sizeof(hold));
+ }
optval = IPV6_DEFHLIM;
if (IN6_IS_ADDR_MULTICAST(&dst.sin6_addr))
- if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_MULTICAST_HOPS,
&optval, sizeof(optval)) == -1)
err(1, "IPV6_MULTICAST_HOPS");
#ifdef IPV6_USE_MIN_MTU
if (mflag != 1) {
optval = mflag > 1 ? 0 : 1;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
&optval, sizeof(optval)) == -1)
err(1, "setsockopt(IPV6_USE_MIN_MTU)");
}
#ifdef IPV6_RECVPATHMTU
else {
optval = 1;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPATHMTU,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVPATHMTU,
&optval, sizeof(optval)) == -1)
err(1, "setsockopt(IPV6_RECVPATHMTU)");
}
@@ -844,27 +868,36 @@ main(int argc, char *argv[])
#ifdef IPSEC
#ifdef IPSEC_POLICY_IPSEC
if (options & F_POLICY) {
- if (setpolicy(s, policy_in) < 0)
+ if (setpolicy(srecv, policy_in) < 0)
errx(1, "%s", ipsec_strerror());
- if (setpolicy(s, policy_out) < 0)
+ if (setpolicy(ssend, policy_out) < 0)
errx(1, "%s", ipsec_strerror());
}
#else
if (options & F_AUTHHDR) {
optval = IPSEC_LEVEL_REQUIRE;
#ifdef IPV6_AUTH_TRANS_LEVEL
- if (setsockopt(s, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL,
&optval, sizeof(optval)) == -1)
err(1, "setsockopt(IPV6_AUTH_TRANS_LEVEL)");
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_AUTH_TRANS_LEVEL,
+ &optval, sizeof(optval)) == -1)
+ err(1, "setsockopt(IPV6_AUTH_TRANS_LEVEL)");
#else /* old def */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_AUTH_LEVEL,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_AUTH_LEVEL,
+ &optval, sizeof(optval)) == -1)
+ err(1, "setsockopt(IPV6_AUTH_LEVEL)");
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_AUTH_LEVEL,
&optval, sizeof(optval)) == -1)
err(1, "setsockopt(IPV6_AUTH_LEVEL)");
#endif
}
if (options & F_ENCRYPT) {
optval = IPSEC_LEVEL_REQUIRE;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL,
+ &optval, sizeof(optval)) == -1)
+ err(1, "setsockopt(IPV6_ESP_TRANS_LEVEL)");
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_ESP_TRANS_LEVEL,
&optval, sizeof(optval)) == -1)
err(1, "setsockopt(IPV6_ESP_TRANS_LEVEL)");
}
@@ -884,7 +917,7 @@ main(int argc, char *argv[])
} else {
ICMP6_FILTER_SETPASSALL(&filt);
}
- if (setsockopt(s, IPPROTO_ICMPV6, ICMP6_FILTER, &filt,
+ if (setsockopt(srecv, IPPROTO_ICMPV6, ICMP6_FILTER, &filt,
sizeof(filt)) < 0)
err(1, "setsockopt(ICMP6_FILTER)");
}
@@ -895,11 +928,11 @@ main(int argc, char *argv[])
int opton = 1;
#ifdef IPV6_RECVRTHDR
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVRTHDR, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVRTHDR, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_RECVRTHDR)");
#else /* old adv. API */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, &opton,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RTHDR, &opton,
sizeof(opton)))
err(1, "setsockopt(IPV6_RTHDR)");
#endif
@@ -908,7 +941,7 @@ main(int argc, char *argv[])
/*
optval = 1;
if (IN6_IS_ADDR_MULTICAST(&dst.sin6_addr))
- if (setsockopt(s, IPPROTO_IPV6, IPV6_MULTICAST_LOOP,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_MULTICAST_LOOP,
&optval, sizeof(optval)) == -1)
err(1, "IPV6_MULTICAST_LOOP");
*/
@@ -926,11 +959,10 @@ main(int argc, char *argv[])
errx(1, "can't allocate enough memory");
smsghdr.msg_control = (caddr_t)scmsg;
smsghdr.msg_controllen = ip6optlen;
- scmsgp = (struct cmsghdr *)scmsg;
+ scmsgp = CMSG_FIRSTHDR(&smsghdr);
}
if (usepktinfo) {
- pktinfo = (struct in6_pktinfo *)(CMSG_DATA(scmsgp));
- memset(pktinfo, 0, sizeof(*pktinfo));
+ cmsg_pktinfo = CMSG_DATA(scmsgp);
scmsgp->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
scmsgp->cmsg_level = IPPROTO_IPV6;
scmsgp->cmsg_type = IPV6_PKTINFO;
@@ -941,7 +973,7 @@ main(int argc, char *argv[])
if (ifname) {
#ifndef USE_SIN6_SCOPE_ID
/* pktinfo must have already been allocated */
- if ((pktinfo->ipi6_ifindex = if_nametoindex(ifname)) == 0)
+ if ((pktinfo.ipi6_ifindex = if_nametoindex(ifname)) == 0)
errx(1, "%s: invalid interface name", ifname);
#else
if ((dst.sin6_scope_id = if_nametoindex(ifname)) == 0)
@@ -952,18 +984,15 @@ main(int argc, char *argv[])
scmsgp->cmsg_len = CMSG_LEN(sizeof(int));
scmsgp->cmsg_level = IPPROTO_IPV6;
scmsgp->cmsg_type = IPV6_HOPLIMIT;
- *(int *)(CMSG_DATA(scmsgp)) = hoplimit;
+ memcpy(CMSG_DATA(scmsgp), &hoplimit, sizeof(hoplimit));
scmsgp = CMSG_NXTHDR(&smsghdr, scmsgp);
}
if (argc > 1) { /* some intermediate addrs are specified */
int hops;
-#ifdef USE_RFC2292BIS
int rthdrlen;
-#endif
-#ifdef USE_RFC2292BIS
rthdrlen = inet6_rth_space(IPV6_RTHDR_TYPE_0, argc - 1);
scmsgp->cmsg_len = CMSG_LEN(rthdrlen);
scmsgp->cmsg_level = IPPROTO_IPV6;
@@ -973,42 +1002,36 @@ main(int argc, char *argv[])
IPV6_RTHDR_TYPE_0, argc - 1);
if (rthdr == NULL)
errx(1, "can't initialize rthdr");
-#else /* old advanced API */
- if ((scmsgp = (struct cmsghdr *)inet6_rthdr_init(scmsgp,
- IPV6_RTHDR_TYPE_0)) == NULL)
- errx(1, "can't initialize rthdr");
-#endif /* USE_RFC2292BIS */
for (hops = 0; hops < argc - 1; hops++) {
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
- if ((error = getaddrinfo(argv[hops], NULL, &hints,
+ if ((error = cap_getaddrinfo(capdns, argv[hops], NULL, &hints,
&res)))
errx(1, "%s", gai_strerror(error));
if (res->ai_addr->sa_family != AF_INET6)
errx(1,
"bad addr family of an intermediate addr");
sin6 = (struct sockaddr_in6 *)(void *)res->ai_addr;
-#ifdef USE_RFC2292BIS
if (inet6_rth_add(rthdr, &sin6->sin6_addr))
errx(1, "can't add an intermediate node");
-#else /* old advanced API */
- if (inet6_rthdr_add(scmsg, &sin6->sin6_addr,
- IPV6_RTHDR_LOOSE))
- errx(1, "can't add an intermediate node");
-#endif /* USE_RFC2292BIS */
freeaddrinfo(res);
}
-#ifndef USE_RFC2292BIS
- if (inet6_rthdr_lasthop(scmsgp, IPV6_RTHDR_LOOSE))
- errx(1, "can't set the last flag");
-#endif
-
scmsgp = CMSG_NXTHDR(&smsghdr, scmsgp);
}
+ /* From now on we will use only reverse DNS lookups. */
+#ifdef WITH_CASPER
+ if (capdns != NULL) {
+ const char *types[1];
+
+ types[0] = "ADDR2NAME";
+ if (cap_dns_type_limit(capdns, types, nitems(types)) < 0)
+ err(1, "unable to limit access to system.dns service");
+ }
+#endif
if (!(options & F_SRCADDR)) {
/*
* get the source address. XXX since we revoked the root
@@ -1025,10 +1048,9 @@ main(int argc, char *argv[])
src.sin6_port = ntohs(DUMMY_PORT);
src.sin6_scope_id = dst.sin6_scope_id;
-#ifdef USE_RFC2292BIS
- if (pktinfo &&
+ if (usepktinfo &&
setsockopt(dummy, IPPROTO_IPV6, IPV6_PKTINFO,
- (void *)pktinfo, sizeof(*pktinfo)))
+ (void *)&pktinfo, sizeof(pktinfo)))
err(1, "UDP setsockopt(IPV6_PKTINFO)");
if (hoplimit != -1 &&
@@ -1045,12 +1067,6 @@ main(int argc, char *argv[])
setsockopt(dummy, IPPROTO_IPV6, IPV6_RTHDR,
(void *)rthdr, (rthdr->ip6r_len + 1) << 3))
err(1, "UDP setsockopt(IPV6_RTHDR)");
-#else /* old advanced API */
- if (smsghdr.msg_control &&
- setsockopt(dummy, IPPROTO_IPV6, IPV6_PKTOPTIONS,
- (void *)smsghdr.msg_control, smsghdr.msg_controllen))
- err(1, "UDP setsockopt(IPV6_PKTOPTIONS)");
-#endif
if (connect(dummy, (struct sockaddr *)&src, len) < 0)
err(1, "UDP connect");
@@ -1061,14 +1077,40 @@ main(int argc, char *argv[])
close(dummy);
}
+ /* Save pktinfo in the ancillary data. */
+ if (usepktinfo)
+ memcpy(cmsg_pktinfo, &pktinfo, sizeof(pktinfo));
+
+ if (connect(ssend, (struct sockaddr *)&dst, sizeof(dst)) != 0)
+ err(1, "connect() ssend");
+
+ caph_cache_catpages();
+ if (caph_enter_casper() < 0)
+ err(1, "caph_enter_casper");
+
+ cap_rights_init(&rights_stdin);
+ if (cap_rights_limit(STDIN_FILENO, &rights_stdin) < 0)
+ err(1, "cap_rights_limit stdin");
+ if (caph_limit_stdout() < 0)
+ err(1, "caph_limit_stdout");
+ if (caph_limit_stderr() < 0)
+ err(1, "caph_limit_stderr");
+
+ cap_rights_init(&rights_srecv, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
+ if (caph_rights_limit(srecv, &rights_srecv) < 0)
+ err(1, "cap_rights_limit srecv");
+ cap_rights_init(&rights_ssend, CAP_SEND, CAP_SETSOCKOPT);
+ if (caph_rights_limit(ssend, &rights_ssend) < 0)
+ err(1, "cap_rights_limit ssend");
+
#if defined(SO_SNDBUF) && defined(SO_RCVBUF)
if (sockbufsize) {
if (datalen > (size_t)sockbufsize)
warnx("you need -b to increase socket buffer size");
- if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &sockbufsize,
+ if (setsockopt(ssend, SOL_SOCKET, SO_SNDBUF, &sockbufsize,
sizeof(sockbufsize)) < 0)
err(1, "setsockopt(SO_SNDBUF)");
- if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, &sockbufsize,
+ if (setsockopt(srecv, SOL_SOCKET, SO_RCVBUF, &sockbufsize,
sizeof(sockbufsize)) < 0)
err(1, "setsockopt(SO_RCVBUF)");
}
@@ -1082,7 +1124,7 @@ main(int argc, char *argv[])
* to get some stuff for /etc/ethers.
*/
hold = 48 * 1024;
- setsockopt(s, SOL_SOCKET, SO_RCVBUF, (char *)&hold,
+ setsockopt(srecv, SOL_SOCKET, SO_RCVBUF, (char *)&hold,
sizeof(hold));
}
#endif
@@ -1090,25 +1132,32 @@ main(int argc, char *argv[])
optval = 1;
#ifndef USE_SIN6_SCOPE_ID
#ifdef IPV6_RECVPKTINFO
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval,
sizeof(optval)) < 0)
warn("setsockopt(IPV6_RECVPKTINFO)"); /* XXX err? */
#else /* old adv. API */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, &optval,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_PKTINFO, &optval,
sizeof(optval)) < 0)
warn("setsockopt(IPV6_PKTINFO)"); /* XXX err? */
#endif
#endif /* USE_SIN6_SCOPE_ID */
#ifdef IPV6_RECVHOPLIMIT
- if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &optval,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &optval,
sizeof(optval)) < 0)
warn("setsockopt(IPV6_RECVHOPLIMIT)"); /* XXX err? */
#else /* old adv. API */
- if (setsockopt(s, IPPROTO_IPV6, IPV6_HOPLIMIT, &optval,
+ if (setsockopt(srecv, IPPROTO_IPV6, IPV6_HOPLIMIT, &optval,
sizeof(optval)) < 0)
warn("setsockopt(IPV6_HOPLIMIT)"); /* XXX err? */
#endif
+ cap_rights_clear(&rights_srecv, CAP_SETSOCKOPT);
+ if (caph_rights_limit(srecv, &rights_srecv) < 0)
+ err(1, "cap_rights_limit srecv setsockopt");
+ cap_rights_clear(&rights_ssend, CAP_SETSOCKOPT);
+ if (caph_rights_limit(ssend, &rights_ssend) < 0)
+ err(1, "cap_rights_limit ssend setsockopt");
+
printf("PING6(%lu=40+8+%lu bytes) ", (unsigned long)(40 + pingerlen()),
(unsigned long)(pingerlen() - 8));
printf("%s --> ", pr_addr((struct sockaddr *)&src, sizeof(src)));
@@ -1122,7 +1171,7 @@ main(int argc, char *argv[])
while (preload--)
pinger();
}
- gettimeofday(&last, NULL);
+ clock_gettime(CLOCK_MONOTONIC, &last);
sigemptyset(&si_sa.sa_mask);
si_sa.sa_flags = 0;
@@ -1141,15 +1190,12 @@ main(int argc, char *argv[])
}
if (options & F_FLOOD) {
intvl.tv_sec = 0;
- intvl.tv_usec = 10000;
- } else if ((options & F_INTERVAL) == 0) {
- intvl.tv_sec = interval / 1000;
- intvl.tv_usec = interval % 1000 * 1000;
+ intvl.tv_nsec = 10000000;
}
almost_done = 0;
while (seenint == 0) {
- struct timeval now, timeout;
+ struct timespec now, timeout;
struct msghdr m;
struct iovec iov[2];
fd_set rfds;
@@ -1166,22 +1212,14 @@ main(int argc, char *argv[])
}
#endif
FD_ZERO(&rfds);
- FD_SET(s, &rfds);
- gettimeofday(&now, NULL);
- timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec;
- timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec;
- while (timeout.tv_usec < 0) {
- timeout.tv_usec += 1000000;
- timeout.tv_sec--;
- }
- while (timeout.tv_usec > 1000000) {
- timeout.tv_usec -= 1000000;
- timeout.tv_sec++;
- }
+ FD_SET(srecv, &rfds);
+ clock_gettime(CLOCK_MONOTONIC, &now);
+ timespecadd(&last, &intvl, &timeout);
+ timespecsub(&timeout, &now, &timeout);
if (timeout.tv_sec < 0)
- timeout.tv_sec = timeout.tv_usec = 0;
+ timespecclear(&timeout);
- n = select(s + 1, &rfds, NULL, NULL, &timeout);
+ n = pselect(srecv + 1, &rfds, NULL, NULL, &timeout, NULL);
if (n < 0)
continue; /* EINTR */
if (n == 1) {
@@ -1196,7 +1234,7 @@ main(int argc, char *argv[])
m.msg_control = (void *)cm;
m.msg_controllen = CONTROLLEN;
- cc = recvmsg(s, &m, 0);
+ cc = recvmsg(srecv, &m, 0);
if (cc < 0) {
if (errno != EINTR) {
warn("recvmsg");
@@ -1242,17 +1280,18 @@ main(int argc, char *argv[])
* if we've received any packets or (waittime)
* milliseconds if we haven't.
*/
- intvl.tv_usec = 0;
+ intvl.tv_nsec = 0;
if (nreceived) {
intvl.tv_sec = 2 * tmax / 1000;
if (intvl.tv_sec == 0)
intvl.tv_sec = 1;
} else {
intvl.tv_sec = waittime / 1000;
- intvl.tv_usec = waittime % 1000 * 1000;
+ intvl.tv_nsec =
+ waittime % 1000 * 1000000;
}
}
- gettimeofday(&last, NULL);
+ clock_gettime(CLOCK_MONOTONIC, &last);
if (ntransmitted - nreceived - 1 > nmissedmax) {
nmissedmax = ntransmitted - nreceived - 1;
if (options & F_MISSED)
@@ -1295,7 +1334,7 @@ onsignal(int sig)
* Compose and transmit an ICMP ECHO REQUEST packet. The IP packet
* will be added on by the kernel. The ID field is our UNIX process ID,
* and the sequence number is an ascending integer. The first 8 bytes
- * of the data portion are used to hold a UNIX "timeval" struct in VAX
+ * of the data portion are used to hold a UNIX "timespec" struct in VAX
* byte-order, to compute the round-trip time.
*/
static size_t
@@ -1324,7 +1363,7 @@ pinger(void)
struct iovec iov[2];
int i, cc;
struct icmp6_nodeinfo *nip;
- int seq;
+ uint16_t seq;
if (npackets && ntransmitted >= npackets)
return(-1); /* no more transmission */
@@ -1337,6 +1376,8 @@ pinger(void)
CLR(seq % mx_dup_ck);
if (options & F_FQDN) {
+ uint16_t s;
+
icp->icmp6_type = ICMP6_NI_QUERY;
icp->icmp6_code = ICMP6_NI_SUBJ_IPV6;
nip->ni_qtype = htons(NI_QTYPE_FQDN);
@@ -1344,13 +1385,15 @@ pinger(void)
memcpy(nip->icmp6_ni_nonce, nonce,
sizeof(nip->icmp6_ni_nonce));
- *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq);
+ s = htons(seq);
+ memcpy(nip->icmp6_ni_nonce, &s, sizeof(s));
memcpy(&outpack[ICMP6_NIQLEN], &dst.sin6_addr,
sizeof(dst.sin6_addr));
cc = ICMP6_NIQLEN + sizeof(dst.sin6_addr);
datalen = 0;
} else if (options & F_FQDNOLD) {
+ uint16_t s;
/* packet format in 03 draft - no Subject data on queries */
icp->icmp6_type = ICMP6_NI_QUERY;
icp->icmp6_code = 0; /* code field is always 0 */
@@ -1359,11 +1402,14 @@ pinger(void)
memcpy(nip->icmp6_ni_nonce, nonce,
sizeof(nip->icmp6_ni_nonce));
- *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq);
+ s = htons(seq);
+ memcpy(nip->icmp6_ni_nonce, &s, sizeof(s));
cc = ICMP6_NIQLEN;
datalen = 0;
} else if (options & F_NODEADDR) {
+ uint16_t s;
+
icp->icmp6_type = ICMP6_NI_QUERY;
icp->icmp6_code = ICMP6_NI_SUBJ_IPV6;
nip->ni_qtype = htons(NI_QTYPE_NODEADDR);
@@ -1371,13 +1417,16 @@ pinger(void)
memcpy(nip->icmp6_ni_nonce, nonce,
sizeof(nip->icmp6_ni_nonce));
- *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq);
+ s = htons(seq);
+ memcpy(nip->icmp6_ni_nonce, &s, sizeof(s));
memcpy(&outpack[ICMP6_NIQLEN], &dst.sin6_addr,
sizeof(dst.sin6_addr));
cc = ICMP6_NIQLEN + sizeof(dst.sin6_addr);
datalen = 0;
} else if (options & F_SUPTYPES) {
+ uint16_t s;
+
icp->icmp6_type = ICMP6_NI_QUERY;
icp->icmp6_code = ICMP6_NI_SUBJ_FQDN; /*empty*/
nip->ni_qtype = htons(NI_QTYPE_SUPTYPES);
@@ -1386,21 +1435,29 @@ pinger(void)
memcpy(nip->icmp6_ni_nonce, nonce,
sizeof(nip->icmp6_ni_nonce));
- *(u_int16_t *)nip->icmp6_ni_nonce = ntohs(seq);
+ s = htons(seq);
+ memcpy(nip->icmp6_ni_nonce, &s, sizeof(s));
+
cc = ICMP6_NIQLEN;
datalen = 0;
} else {
icp->icmp6_type = ICMP6_ECHO_REQUEST;
icp->icmp6_code = 0;
icp->icmp6_id = htons(ident);
- icp->icmp6_seq = ntohs(seq);
+ icp->icmp6_seq = htons(seq);
if (timing) {
- struct timeval tv;
- struct tv32 *tv32;
- (void)gettimeofday(&tv, NULL);
- tv32 = (struct tv32 *)&outpack[ICMP6ECHOLEN];
- tv32->tv32_sec = htonl(tv.tv_sec);
- tv32->tv32_usec = htonl(tv.tv_usec);
+ struct timespec tv;
+ struct tv32 tv32;
+ (void)clock_gettime(CLOCK_MONOTONIC, &tv);
+ /*
+ * Truncate seconds down to 32 bits in order
+ * to fit the timestamp within 8 bytes of the
+ * packet. We're only concerned with
+ * durations, not absolute times.
+ */
+ tv32.tv32_sec = (uint32_t)htonl(tv.tv_sec);
+ tv32.tv32_nsec = (uint32_t)htonl(tv.tv_nsec);
+ memcpy(&outpack[ICMP6ECHOLEN], &tv32, sizeof(tv32));
}
cc = ICMP6ECHOLEN + datalen;
}
@@ -1410,15 +1467,13 @@ pinger(void)
errx(1, "internal error; length mismatch");
#endif
- smsghdr.msg_name = (caddr_t)&dst;
- smsghdr.msg_namelen = sizeof(dst);
memset(&iov, 0, sizeof(iov));
iov[0].iov_base = (caddr_t)outpack;
iov[0].iov_len = cc;
smsghdr.msg_iov = iov;
smsghdr.msg_iovlen = 1;
- i = sendmsg(s, &smsghdr, 0);
+ i = sendmsg(ssend, &smsghdr, 0);
if (i < 0 || i != cc) {
if (i < 0)
@@ -1452,10 +1507,26 @@ mynireply(const struct icmp6_nodeinfo *nip)
return 0;
}
-static char *
-dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf,
+/*
+ * Decode a name from a DNS message.
+ *
+ * Format of the message is described in RFC 1035 subsection 4.1.4.
+ *
+ * Arguments:
+ * sp - Pointer to a DNS pointer octet or to the first octet of a label
+ * in the message.
+ * ep - Pointer to the end of the message (one step past the last octet).
+ * base - Pointer to the beginning of the message.
+ * buf - Buffer into which the decoded name will be saved.
+ * bufsiz - Size of the buffer 'buf'.
+ *
+ * Return value:
+ * Pointer to an octet immediately following the ending zero octet
+ * of the decoded label, or NULL if an error occured.
+ */
+static const char *
+dnsdecode(const u_char *sp, const u_char *ep, const u_char *base, char *buf,
size_t bufsiz)
- /*base for compressed name*/
{
int i;
const u_char *cp;
@@ -1463,14 +1534,14 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf,
const u_char *comp;
int l;
- cp = *sp;
+ cp = sp;
*buf = '\0';
if (cp >= ep)
return NULL;
while (cp < ep) {
i = *cp;
- if (i == 0 || cp != *sp) {
+ if (i == 0 || cp != sp) {
if (strlcat((char *)buf, ".", bufsiz) >= bufsiz)
return NULL; /*result overrun*/
}
@@ -1484,7 +1555,7 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf,
return NULL;
comp = base + (i & 0x3f);
- if (dnsdecode(&comp, cp, base, cresult,
+ if (dnsdecode(comp, cp, base, cresult,
sizeof(cresult)) == NULL)
return NULL;
if (strlcat(buf, cresult, bufsiz) >= bufsiz)
@@ -1508,8 +1579,7 @@ dnsdecode(const u_char **sp, const u_char *ep, const u_char *base, char *buf,
if (i != 0)
return NULL; /*not terminated*/
cp++;
- *sp = cp;
- return buf;
+ return cp;
}
/*
@@ -1529,10 +1599,11 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
int hoplim;
struct sockaddr *from;
int fromlen;
- u_char *cp = NULL, *dp, *end = buf + cc;
+ const u_char *cp = NULL;
+ u_char *dp, *end = buf + cc;
struct in6_pktinfo *pktinfo = NULL;
- struct timeval tv, tp;
- struct tv32 *tpp;
+ struct timespec tv, tp;
+ struct tv32 tpp;
double triptime = 0;
int dupflag;
size_t off;
@@ -1540,7 +1611,7 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
u_int16_t seq;
char dnsname[MAXDNAME + 1];
- (void)gettimeofday(&tv, NULL);
+ (void)clock_gettime(CLOCK_MONOTONIC, &tv);
if (!mhdr || !mhdr->msg_name ||
mhdr->msg_namelen != sizeof(struct sockaddr_in6) ||
@@ -1577,12 +1648,12 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
seq = ntohs(icp->icmp6_seq);
++nreceived;
if (timing) {
- tpp = (struct tv32 *)(icp + 1);
- tp.tv_sec = ntohl(tpp->tv32_sec);
- tp.tv_usec = ntohl(tpp->tv32_usec);
- tvsub(&tv, &tp);
+ memcpy(&tpp, icp + 1, sizeof(tpp));
+ tp.tv_sec = ntohl(tpp.tv32_sec);
+ tp.tv_nsec = ntohl(tpp.tv32_nsec);
+ timespecsub(&tv, &tp, &tv);
triptime = ((double)tv.tv_sec) * 1000.0 +
- ((double)tv.tv_usec) / 1000.0;
+ ((double)tv.tv_nsec) / 1000000.0;
tsum += triptime;
tsumsq += triptime * triptime;
if (triptime < tmin)
@@ -1643,7 +1714,8 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
}
}
} else if (icp->icmp6_type == ICMP6_NI_REPLY && mynireply(ni)) {
- seq = ntohs(*(u_int16_t *)ni->icmp6_ni_nonce);
+ memcpy(&seq, ni->icmp6_ni_nonce, sizeof(seq));
+ seq = ntohs(seq);
++nreceived;
if (TST(seq % mx_dup_ck)) {
++nrepeats;
@@ -1701,9 +1773,10 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
} else {
i = 0;
while (cp < end) {
- if (dnsdecode((const u_char **)&cp, end,
+ cp = dnsdecode((const u_char *)cp, end,
(const u_char *)(ni + 1), dnsname,
- sizeof(dnsname)) == NULL) {
+ sizeof(dnsname));
+ if (cp == NULL) {
printf("???");
break;
}
@@ -1721,6 +1794,7 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
}
}
if (options & F_VERBOSE) {
+ u_long t;
int32_t ttl;
int comma = 0;
@@ -1743,7 +1817,8 @@ pr_pack(u_char *buf, int cc, struct msghdr *mhdr)
putchar(')');
goto fqdnend;
}
- ttl = (int32_t)ntohl(*(u_long *)&buf[off+ICMP6ECHOLEN+8]);
+ memcpy(&t, &buf[off+ICMP6ECHOLEN+8], sizeof(t));
+ ttl = (int32_t)ntohl(t);
if (comma)
printf(",");
if (!(ni->ni_flags & NI_FQDN_FLAG_VALIDTTL)) {
@@ -1842,7 +1917,6 @@ pr_exthdrs(struct msghdr *mhdr)
}
}
-#ifdef USE_RFC2292BIS
static void
pr_ip6opt(void *extbuf, size_t bufsize)
{
@@ -1904,17 +1978,7 @@ pr_ip6opt(void *extbuf, size_t bufsize)
}
return;
}
-#else /* !USE_RFC2292BIS */
-/* ARGSUSED */
-static void
-pr_ip6opt(void *extbuf, size_t bufsize __unused)
-{
- putchar('\n');
- return;
-}
-#endif /* USE_RFC2292BIS */
-#ifdef USE_RFC2292BIS
static void
pr_rthdr(void *extbuf, size_t bufsize)
{
@@ -1970,16 +2034,6 @@ pr_rthdr(void *extbuf, size_t bufsize)
}
-#else /* !USE_RFC2292BIS */
-/* ARGSUSED */
-static void
-pr_rthdr(void *extbuf, size_t bufsize __unused)
-{
- putchar('\n');
- return;
-}
-#endif /* USE_RFC2292BIS */
-
static int
pr_bitrange(u_int32_t v, int soff, int ii)
{
@@ -2127,11 +2181,13 @@ pr_nodeaddr(struct icmp6_nodeinfo *ni, int nilen)
if (nilen % (sizeof(u_int32_t) + sizeof(struct in6_addr)) == 0)
withttl = 1;
while (nilen > 0) {
- u_int32_t ttl;
+ u_int32_t ttl = 0;
if (withttl) {
- /* XXX: alignment? */
- ttl = (u_int32_t)ntohl(*(u_int32_t *)cp);
+ uint32_t t;
+
+ memcpy(&t, cp, sizeof(t));
+ ttl = (u_int32_t)ntohl(t);
cp += sizeof(u_int32_t);
nilen -= sizeof(u_int32_t);
}
@@ -2170,8 +2226,12 @@ get_hoplim(struct msghdr *mhdr)
if (cm->cmsg_level == IPPROTO_IPV6 &&
cm->cmsg_type == IPV6_HOPLIMIT &&
- cm->cmsg_len == CMSG_LEN(sizeof(int)))
- return(*(int *)CMSG_DATA(cm));
+ cm->cmsg_len == CMSG_LEN(sizeof(int))) {
+ int r;
+
+ memcpy(&r, CMSG_DATA(cm), sizeof(r));
+ return(r);
+ }
}
return(-1);
@@ -2180,6 +2240,7 @@ get_hoplim(struct msghdr *mhdr)
static struct in6_pktinfo *
get_rcvpktinfo(struct msghdr *mhdr)
{
+ static struct in6_pktinfo pi;
struct cmsghdr *cm;
for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(mhdr); cm;
@@ -2189,8 +2250,10 @@ get_rcvpktinfo(struct msghdr *mhdr)
if (cm->cmsg_level == IPPROTO_IPV6 &&
cm->cmsg_type == IPV6_PKTINFO &&
- cm->cmsg_len == CMSG_LEN(sizeof(struct in6_pktinfo)))
- return((struct in6_pktinfo *)CMSG_DATA(cm));
+ cm->cmsg_len == CMSG_LEN(sizeof(struct in6_pktinfo))) {
+ memcpy(&pi, CMSG_DATA(cm), sizeof(pi));
+ return(&pi);
+ }
}
return(NULL);
@@ -2201,7 +2264,7 @@ get_pathmtu(struct msghdr *mhdr)
{
#ifdef IPV6_RECVPATHMTU
struct cmsghdr *cm;
- struct ip6_mtuinfo *mtuctl = NULL;
+ struct ip6_mtuinfo mtuctl;
for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(mhdr); cm;
cm = (struct cmsghdr *)CMSG_NXTHDR(mhdr, cm)) {
@@ -2211,7 +2274,7 @@ get_pathmtu(struct msghdr *mhdr)
if (cm->cmsg_level == IPPROTO_IPV6 &&
cm->cmsg_type == IPV6_PATHMTU &&
cm->cmsg_len == CMSG_LEN(sizeof(struct ip6_mtuinfo))) {
- mtuctl = (struct ip6_mtuinfo *)CMSG_DATA(cm);
+ memcpy(&mtuctl, CMSG_DATA(cm), sizeof(mtuctl));
/*
* If the notified destination is different from
@@ -2221,17 +2284,17 @@ get_pathmtu(struct msghdr *mhdr)
* have used the default scope zone ID for sending,
* in which case the scope ID value is 0.
*/
- if (!IN6_ARE_ADDR_EQUAL(&mtuctl->ip6m_addr.sin6_addr,
+ if (!IN6_ARE_ADDR_EQUAL(&mtuctl.ip6m_addr.sin6_addr,
&dst.sin6_addr) ||
- (mtuctl->ip6m_addr.sin6_scope_id &&
+ (mtuctl.ip6m_addr.sin6_scope_id &&
dst.sin6_scope_id &&
- mtuctl->ip6m_addr.sin6_scope_id !=
+ mtuctl.ip6m_addr.sin6_scope_id !=
dst.sin6_scope_id)) {
if ((options & F_VERBOSE) != 0) {
printf("path MTU for %s is notified. "
"(ignored)\n",
- pr_addr((struct sockaddr *)&mtuctl->ip6m_addr,
- sizeof(mtuctl->ip6m_addr)));
+ pr_addr((struct sockaddr *)&mtuctl.ip6m_addr,
+ sizeof(mtuctl.ip6m_addr)));
}
return(0);
}
@@ -2240,11 +2303,11 @@ get_pathmtu(struct msghdr *mhdr)
* Ignore an invalid MTU. XXX: can we just believe
* the kernel check?
*/
- if (mtuctl->ip6m_mtu < IPV6_MMTU)
+ if (mtuctl.ip6m_mtu < IPV6_MMTU)
return(0);
/* notification for our destination. return the MTU. */
- return((int)mtuctl->ip6m_mtu);
+ return((int)mtuctl.ip6m_mtu);
}
}
#endif
@@ -2252,21 +2315,6 @@ get_pathmtu(struct msghdr *mhdr)
}
/*
- * tvsub --
- * Subtract 2 timeval structs: out = out - in. Out is assumed to
- * be >= in.
- */
-static void
-tvsub(struct timeval *out, struct timeval *in)
-{
- if ((out->tv_usec -= in->tv_usec) < 0) {
- --out->tv_sec;
- out->tv_usec += 1000000;
- }
- out->tv_sec -= in->tv_sec;
-}
-
-/*
* onint --
* SIGINT handler.
*/
@@ -2504,8 +2552,9 @@ pr_icmph(struct icmp6_hdr *icp, u_char *end)
}
printf(", subject=%s", niqcode[ni->ni_code]);
cp = (const u_char *)(ni + 1);
- if (dnsdecode(&cp, end, NULL, dnsname,
- sizeof(dnsname)) != NULL)
+ cp = dnsdecode(cp, end, NULL, dnsname,
+ sizeof(dnsname));
+ if (cp != NULL)
printf("(%s)", dnsname);
else
printf("(invalid)");
@@ -2603,7 +2652,8 @@ pr_addr(struct sockaddr *addr, int addrlen)
if ((options & F_HOSTNAME) == 0)
flag |= NI_NUMERICHOST;
- if (getnameinfo(addr, addrlen, buf, sizeof(buf), NULL, 0, flag) == 0)
+ if (cap_getnameinfo(capdns, addr, addrlen, buf, sizeof(buf), NULL, 0,
+ flag) == 0)
return (buf);
else
return "?";
@@ -2629,6 +2679,10 @@ pr_retip(struct ip6_hdr *ip6, u_char *end)
nh = ip6->ip6_nxt;
cp += hlen;
while (end - cp >= 8) {
+#ifdef IPSEC
+ struct ah ah;
+#endif
+
switch (nh) {
case IPPROTO_HOPOPTS:
printf("HBH ");
@@ -2653,8 +2707,9 @@ pr_retip(struct ip6_hdr *ip6, u_char *end)
#ifdef IPSEC
case IPPROTO_AH:
printf("AH ");
- hlen = (((struct ah *)cp)->ah_len+2) << 2;
- nh = ((struct ah *)cp)->ah_nxt;
+ memcpy(&ah, cp, sizeof(ah));
+ hlen = (ah.ah_len+2) << 2;
+ nh = ah.ah_nxt;
break;
#endif
case IPPROTO_ICMPV6:
@@ -2741,7 +2796,7 @@ setpolicy(int so __unused, char *policy)
buf = ipsec_set_policy(policy, strlen(policy));
if (buf == NULL)
errx(1, "%s", ipsec_strerror());
- if (setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf,
+ if (setsockopt(ssend, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf,
ipsec_get_policylen(buf)) < 0)
warnx("Unable to set IPsec policy");
free(buf);
@@ -2838,4 +2893,32 @@ usage(void)
" [-X timeout] [hops ...] host\n");
exit(1);
}
+
+static cap_channel_t *
+capdns_setup(void)
+{
+ cap_channel_t *capcas, *capdnsloc;
+#ifdef WITH_CASPER
+ const char *types[2];
+ int families[1];
+#endif
+ capcas = cap_init();
+ if (capcas == NULL)
+ err(1, "unable to create casper process");
+ capdnsloc = cap_service_open(capcas, "system.dns");
+ /* Casper capability no longer needed. */
+ cap_close(capcas);
+ if (capdnsloc == NULL)
+ err(1, "unable to open system.dns service");
+#ifdef WITH_CASPER
+ types[0] = "NAME2ADDR";
+ types[1] = "ADDR2NAME";
+ if (cap_dns_type_limit(capdnsloc, types, nitems(types)) < 0)
+ err(1, "unable to limit access to system.dns service");
+ families[0] = AF_INET6;
+ if (cap_dns_family_limit(capdnsloc, families, nitems(families)) < 0)
+ err(1, "unable to limit access to system.dns service");
+#endif
+ return (capdnsloc);
+}
#endif /* defined(__rtems__) && defined(INET6) */
diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-data.h b/freebsd/sbin/ping6/rtems-bsd-ping6-data.h
index 40e781b..e140c08 100644
--- a/freebsd/sbin/ping6/rtems-bsd-ping6-data.h
+++ b/freebsd/sbin/ping6/rtems-bsd-ping6-data.h
@@ -1,4 +1,3 @@
/* generated by userspace-header-gen.py */
#include <rtems/linkersets.h>
/* ping6.c */
-RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, extern u_int options);
diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h b/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h
index 8b87569..54f15fa 100644
--- a/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h
+++ b/freebsd/sbin/ping6/rtems-bsd-ping6-namespace.h
@@ -1,3 +1,2 @@
/* generated by userspace-header-gen.py */
/* ping6.c */
-#define options _bsd_ping6_options
diff --git a/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h b/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h
index 9793bc1..80e2113 100644
--- a/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h
+++ b/freebsd/sbin/ping6/rtems-bsd-ping6-ping6-data.h
@@ -2,6 +2,7 @@
#include <rtems/linkersets.h>
#include "rtems-bsd-ping6-data.h"
/* ping6.c */
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static cap_channel_t *capdns);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char *hostname);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char *scmsg);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static char BBELL);
@@ -18,7 +19,8 @@ RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int hoplimit);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int ident);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int interval);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int mx_dup_ck);
-RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int s);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int srecv);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int ssend);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int timing);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static int waittime);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static long int nmissedmax);
@@ -36,5 +38,6 @@ RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static struct sockaddr_in6 dst);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static struct sockaddr_in6 src);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_char *packet);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_char outpack[]);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_int options);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_int8_t nonce[]);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_ping6, static u_short naflags);
diff --git a/freebsd/sys/arm/ti/ti_sdhci.c b/freebsd/sys/arm/ti/ti_sdhci.c
index 6656ce2..a2be1f1 100644
--- a/freebsd/sys/arm/ti/ti_sdhci.c
+++ b/freebsd/sys/arm/ti/ti_sdhci.c
@@ -484,15 +484,14 @@ ti_sdhci_hw_init(device_t dev)
* The attach() routine has examined fdt data and set flags in
* slot.host.caps to reflect what voltages we can handle. Set those
* values in the CAPA register. The manual says that these values can
- * only be set once, "before initialization" whatever that means, and
- * that they survive a reset. So maybe doing this will be a no-op if
- * u-boot has already initialized the hardware.
+ * only be set once, and that they survive a reset so unless u-boot didn't
+ * set this register this code is a no-op.
*/
regval = ti_mmchs_read_4(sc, MMCHS_SD_CAPA);
if (sc->slot.host.caps & MMC_OCR_LOW_VOLTAGE)
regval |= MMCHS_SD_CAPA_VS18;
- if (sc->slot.host.caps & (MMC_OCR_290_300 | MMC_OCR_300_310))
- regval |= MMCHS_SD_CAPA_VS30;
+ if (sc->slot.host.caps & (MMC_OCR_320_330 | MMC_OCR_330_340))
+ regval |= MMCHS_SD_CAPA_VS33;
ti_mmchs_write_4(sc, MMCHS_SD_CAPA, regval);
/* Set initial host configuration (1-bit, std speed, pwr off). */
@@ -526,17 +525,20 @@ ti_sdhci_attach(device_t dev)
}
/*
- * The hardware can inherently do dual-voltage (1p8v, 3p0v) on the first
+ * The hardware can inherently do dual-voltage (1p8v, 3p3v) on the first
* device, and only 1p8v on other devices unless an external transceiver
* is used. The only way we could know about a transceiver is fdt data.
* Note that we have to do this before calling ti_sdhci_hw_init() so
* that it can set the right values in the CAPA register, which can only
* be done once and never reset.
*/
- sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE;
- if (sc->mmchs_clk_id == MMC1_CLK || OF_hasprop(node, "ti,dual-volt")) {
- sc->slot.host.caps |= MMC_OCR_290_300 | MMC_OCR_300_310;
- }
+ if (OF_hasprop(node, "ti,dual-volt")) {
+ sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE | MMC_OCR_320_330 | MMC_OCR_330_340;
+ } else if (OF_hasprop(node, "no-1-8-v")) {
+ sc->slot.host.caps |= MMC_OCR_320_330 | MMC_OCR_330_340;
+ } else
+ sc->slot.host.caps |= MMC_OCR_LOW_VOLTAGE;
+
/*
* Set the offset from the device's memory start to the MMCHS registers.
diff --git a/freebsd/sys/cam/nvme/nvme_all.h b/freebsd/sys/cam/nvme/nvme_all.h
index 8ebbfff..da40dea 100644
--- a/freebsd/sys/cam/nvme/nvme_all.h
+++ b/freebsd/sys/cam/nvme/nvme_all.h
@@ -1,7 +1,7 @@
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
- * Copyright (c) 2015 Netflix, Inc
+ * Copyright (c) 2015 Netflix, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/freebsd/sys/cam/scsi/scsi_all.c b/freebsd/sys/cam/scsi/scsi_all.c
index 3aab5aab..99d82fe 100644
--- a/freebsd/sys/cam/scsi/scsi_all.c
+++ b/freebsd/sys/cam/scsi/scsi_all.c
@@ -2059,7 +2059,7 @@ static struct asc_table_entry asc_table[] = {
{ SST(0x30, 0x13, SS_RDEF, /* XXX TBD */
"Cleaning volume expired") },
/* DT WRO BK */
- { SST(0x31, 0x00, SS_RDEF,
+ { SST(0x31, 0x00, SS_FATAL | ENXIO,
"Medium format corrupted") },
/* D L RO B */
{ SST(0x31, 0x01, SS_RDEF,
@@ -8294,10 +8294,10 @@ scsi_ata_identify(struct ccb_scsiio *csio, u_int32_t retries,
tag_action,
/*protocol*/AP_PROTO_PIO_IN,
/*ata_flags*/AP_FLAG_TDIR_FROM_DEV |
- AP_FLAG_BYT_BLOK_BYTES |
+ AP_FLAG_BYT_BLOK_BLOCKS |
AP_FLAG_TLEN_SECT_CNT,
/*features*/0,
- /*sector_count*/dxfer_len,
+ /*sector_count*/dxfer_len / 512,
/*lba*/0,
/*command*/ATA_ATA_IDENTIFY,
/*device*/ 0,
diff --git a/freebsd/sys/cam/scsi/scsi_all.h b/freebsd/sys/cam/scsi/scsi_all.h
index 467b955..1e0c75b 100644
--- a/freebsd/sys/cam/scsi/scsi_all.h
+++ b/freebsd/sys/cam/scsi/scsi_all.h
@@ -3622,7 +3622,9 @@ struct scsi_mode_header_10
u_int8_t data_length[2];/* Sense data length */
u_int8_t medium_type;
u_int8_t dev_spec;
- u_int8_t unused[2];
+ u_int8_t flags;
+#define SMH_LONGLBA 0x01
+ u_int8_t unused;
u_int8_t blk_desc_len[2];
};
diff --git a/freebsd/sys/dev/pci/pci.c b/freebsd/sys/dev/pci/pci.c
index 648f6e5..586efc3 100644
--- a/freebsd/sys/dev/pci/pci.c
+++ b/freebsd/sys/dev/pci/pci.c
@@ -1677,10 +1677,13 @@ pci_mask_msix(device_t dev, u_int index)
KASSERT(msix->msix_msgnum > index, ("bogus index"));
offset = msix->msix_table_offset + index * 16 + 12;
val = bus_read_4(msix->msix_table_res, offset);
- if (!(val & PCIM_MSIX_VCTRL_MASK)) {
- val |= PCIM_MSIX_VCTRL_MASK;
- bus_write_4(msix->msix_table_res, offset, val);
- }
+ val |= PCIM_MSIX_VCTRL_MASK;
+
+ /*
+ * Some devices (e.g. Samsung PM961) do not support reads of this
+ * register, so always write the new value.
+ */
+ bus_write_4(msix->msix_table_res, offset, val);
}
void
@@ -1693,10 +1696,13 @@ pci_unmask_msix(device_t dev, u_int index)
KASSERT(msix->msix_table_len > index, ("bogus index"));
offset = msix->msix_table_offset + index * 16 + 12;
val = bus_read_4(msix->msix_table_res, offset);
- if (val & PCIM_MSIX_VCTRL_MASK) {
- val &= ~PCIM_MSIX_VCTRL_MASK;
- bus_write_4(msix->msix_table_res, offset, val);
- }
+ val &= ~PCIM_MSIX_VCTRL_MASK;
+
+ /*
+ * Some devices (e.g. Samsung PM961) do not support reads of this
+ * register, so always write the new value.
+ */
+ bus_write_4(msix->msix_table_res, offset, val);
}
int
diff --git a/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h b/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h
index a22c39a..c757cb7 100644
--- a/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h
+++ b/freebsd/sys/dev/rtwn/usb/rtwn_usb_attach.h
@@ -158,7 +158,8 @@ static const STRUCT_USB_HOST_ID rtwn_devs[] = {
RTWN_RTL8821AU_DEV(MELCO, WIU2433DM),
RTWN_RTL8821AU_DEV(NETGEAR, A6100),
RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_1),
- RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_2)
+ RTWN_RTL8821AU_DEV(REALTEK, RTL8821AU_2),
+ RTWN_RTL8821AU_DEV(TPLINK, T2UNANO)
#undef RTWN_RTL8821AU_DEV
};
diff --git a/freebsd/sys/dev/sdhci/sdhci.c b/freebsd/sys/dev/sdhci/sdhci.c
index 952fbd5..5d9cf26 100644
--- a/freebsd/sys/dev/sdhci/sdhci.c
+++ b/freebsd/sys/dev/sdhci/sdhci.c
@@ -478,7 +478,7 @@ sdhci_set_power(struct sdhci_slot *slot, u_char power)
DELAY(100);
}
if (!(RD1(slot, SDHCI_POWER_CONTROL) & SDHCI_POWER_ON))
- slot_printf(slot, "Bus power failed to enable");
+ slot_printf(slot, "Bus power failed to enable\n");
if (slot->quirks & SDHCI_QUIRK_INTEL_POWER_UP_RESET) {
WR1(slot, SDHCI_POWER_CONTROL, pwr | 0x10);
@@ -1113,7 +1113,7 @@ no_tuning:
slot->timeout = 10;
SYSCTL_ADD_INT(device_get_sysctl_ctx(slot->bus),
SYSCTL_CHILDREN(device_get_sysctl_tree(slot->bus)), OID_AUTO,
- "timeout", CTLFLAG_RW, &slot->timeout, 0,
+ "timeout", CTLFLAG_RWTUN, &slot->timeout, 0,
"Maximum timeout for SDHCI transfers (in secs)");
TASK_INIT(&slot->card_task, 0, sdhci_card_task, slot);
TIMEOUT_TASK_INIT(taskqueue_swi_giant, &slot->card_delayed_task, 0,
diff --git a/freebsd/sys/dev/usb/usb.h b/freebsd/sys/dev/usb/usb.h
index ff33cf0..0075d42 100644
--- a/freebsd/sys/dev/usb/usb.h
+++ b/freebsd/sys/dev/usb/usb.h
@@ -444,6 +444,7 @@ typedef struct usb_interface_assoc_descriptor usb_interface_assoc_descriptor_t;
#define UIPROTO_CDC_NONE 0
#define UIPROTO_CDC_AT 1
+#define UIPROTO_CDC_EEM 7
#define UICLASS_HID 0x03
#define UISUBCLASS_BOOT 1
diff --git a/freebsd/sys/dev/usb/usb_ioctl.h b/freebsd/sys/dev/usb/usb_ioctl.h
index fcd31e3..e7e63fb 100644
--- a/freebsd/sys/dev/usb/usb_ioctl.h
+++ b/freebsd/sys/dev/usb/usb_ioctl.h
@@ -70,6 +70,7 @@ enum {
USB_TEMP_SERIALNET, /* USB CDC Ethernet and Modem */
USB_TEMP_MIDI, /* USB MIDI */
USB_TEMP_MULTI, /* USB Ethernet, serial, and storage */
+ USB_TEMP_CDCEEM, /* USB Ethernet Emulation Model */
USB_TEMP_MAX,
};
diff --git a/freebsd/sys/kern/sys_generic.c b/freebsd/sys/kern/sys_generic.c
index 5032fa9..611e316 100644
--- a/freebsd/sys/kern/sys_generic.c
+++ b/freebsd/sys/kern/sys_generic.c
@@ -772,7 +772,11 @@ kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data)
fp = NULL; /* fhold() was not called yet */
goto out;
}
- fhold(fp);
+ if (!fhold(fp)) {
+ error = EBADF;
+ fp = NULL;
+ goto out;
+ }
if (locked == LA_SLOCKED) {
FILEDESC_SUNLOCK(fdp);
locked = LA_UNLOCKED;
diff --git a/freebsd/sys/kern/sys_pipe.c b/freebsd/sys/kern/sys_pipe.c
index cdfff76..e20c67e 100755
--- a/freebsd/sys/kern/sys_pipe.c
+++ b/freebsd/sys/kern/sys_pipe.c
@@ -802,11 +802,9 @@ pipe_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
/*
* Direct copy, bypassing a kernel buffer.
*/
- } else if ((size = rpipe->pipe_map.cnt) &&
- (rpipe->pipe_state & PIPE_DIRECTW)) {
+ } else if ((size = rpipe->pipe_map.cnt) != 0) {
if (size > uio->uio_resid)
size = (u_int) uio->uio_resid;
-
PIPE_UNLOCK(rpipe);
error = uiomove_fromphys(rpipe->pipe_map.ms,
rpipe->pipe_map.pos, size, uio);
@@ -984,32 +982,33 @@ pipe_build_write_buffer(struct pipe *wpipe, struct uio *uio)
u_int size;
int i;
- PIPE_LOCK_ASSERT(wpipe, MA_NOTOWNED);
- KASSERT(wpipe->pipe_state & PIPE_DIRECTW,
- ("Clone attempt on non-direct write pipe!"));
+ PIPE_LOCK_ASSERT(wpipe, MA_OWNED);
+ KASSERT((wpipe->pipe_state & PIPE_DIRECTW) == 0,
+ ("%s: PIPE_DIRECTW set on %p", __func__, wpipe));
+ KASSERT(wpipe->pipe_map.cnt == 0,
+ ("%s: pipe map for %p contains residual data", __func__, wpipe));
if (uio->uio_iov->iov_len > wpipe->pipe_buffer.size)
size = wpipe->pipe_buffer.size;
else
size = uio->uio_iov->iov_len;
- if ((i = vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map,
+ wpipe->pipe_state |= PIPE_DIRECTW;
+ PIPE_UNLOCK(wpipe);
+ i = vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map,
(vm_offset_t)uio->uio_iov->iov_base, size, VM_PROT_READ,
- wpipe->pipe_map.ms, PIPENPAGES)) < 0)
+ wpipe->pipe_map.ms, PIPENPAGES);
+ PIPE_LOCK(wpipe);
+ if (i < 0) {
+ wpipe->pipe_state &= ~PIPE_DIRECTW;
return (EFAULT);
+ }
-/*
- * set up the control block
- */
wpipe->pipe_map.npages = i;
wpipe->pipe_map.pos =
((vm_offset_t) uio->uio_iov->iov_base) & PAGE_MASK;
wpipe->pipe_map.cnt = size;
-/*
- * and update the uio data
- */
-
uio->uio_iov->iov_len -= size;
uio->uio_iov->iov_base = (char *)uio->uio_iov->iov_base + size;
if (uio->uio_iov->iov_len == 0)
@@ -1029,6 +1028,8 @@ pipe_destroy_write_buffer(struct pipe *wpipe)
PIPE_LOCK_ASSERT(wpipe, MA_OWNED);
KASSERT((wpipe->pipe_state & PIPE_DIRECTW) != 0,
("%s: PIPE_DIRECTW not set on %p", __func__, wpipe));
+ KASSERT(wpipe->pipe_map.cnt == 0,
+ ("%s: pipe map for %p contains residual data", __func__, wpipe));
wpipe->pipe_state &= ~PIPE_DIRECTW;
vm_page_unhold_pages(wpipe->pipe_map.ms, wpipe->pipe_map.npages);
@@ -1054,6 +1055,7 @@ pipe_clone_write_buffer(struct pipe *wpipe)
size = wpipe->pipe_map.cnt;
pos = wpipe->pipe_map.pos;
+ wpipe->pipe_map.cnt = 0;
wpipe->pipe_buffer.in = size;
wpipe->pipe_buffer.out = 0;
@@ -1111,7 +1113,6 @@ retry:
else
goto retry;
}
- wpipe->pipe_map.cnt = 0; /* transfer not ready yet */
if (wpipe->pipe_buffer.cnt > 0) {
if (wpipe->pipe_state & PIPE_WANTR) {
wpipe->pipe_state &= ~PIPE_WANTR;
@@ -1128,19 +1129,15 @@ retry:
goto retry;
}
- wpipe->pipe_state |= PIPE_DIRECTW;
-
- PIPE_UNLOCK(wpipe);
error = pipe_build_write_buffer(wpipe, uio);
- PIPE_LOCK(wpipe);
if (error) {
- wpipe->pipe_state &= ~PIPE_DIRECTW;
pipeunlock(wpipe);
goto error1;
}
while (wpipe->pipe_map.cnt != 0) {
if (wpipe->pipe_state & PIPE_EOF) {
+ wpipe->pipe_map.cnt = 0;
pipe_destroy_write_buffer(wpipe);
pipeselwakeup(wpipe);
pipeunlock(wpipe);
@@ -1294,7 +1291,7 @@ pipe_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
* pipe buffer. We break out if a signal occurs or the
* reader goes away.
*/
- if (wpipe->pipe_state & PIPE_DIRECTW) {
+ if (wpipe->pipe_map.cnt != 0) {
if (wpipe->pipe_state & PIPE_WANTR) {
wpipe->pipe_state &= ~PIPE_WANTR;
wakeup(wpipe);
@@ -1590,7 +1587,7 @@ pipe_ioctl(struct file *fp, u_long cmd, void *data, struct ucred *active_cred,
PIPE_UNLOCK(mpipe);
return (0);
}
- if (mpipe->pipe_state & PIPE_DIRECTW)
+ if (mpipe->pipe_map.cnt != 0)
*(int *)data = mpipe->pipe_map.cnt;
else
*(int *)data = mpipe->pipe_buffer.cnt;
@@ -1667,8 +1664,7 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred,
#else /* __rtems__ */
if (rtems_bsd_libio_flags_to_fflag(fp->f_io.flags) & FREAD && events & (POLLIN | POLLRDNORM))
#endif /* __rtems__ */
- if ((rpipe->pipe_state & PIPE_DIRECTW) ||
- (rpipe->pipe_buffer.cnt > 0))
+ if (rpipe->pipe_map.cnt > 0 || rpipe->pipe_buffer.cnt > 0)
revents |= events & (POLLIN | POLLRDNORM);
#ifndef __rtems__
@@ -1678,7 +1674,7 @@ pipe_poll(struct file *fp, int events, struct ucred *active_cred,
#endif /* __rtems__ */
if (wpipe->pipe_present != PIPE_ACTIVE ||
(wpipe->pipe_state & PIPE_EOF) ||
- (((wpipe->pipe_state & PIPE_DIRECTW) == 0) &&
+ ((wpipe->pipe_state & PIPE_DIRECTW) == 0 &&
((wpipe->pipe_buffer.size - wpipe->pipe_buffer.cnt) >= PIPE_BUF ||
wpipe->pipe_buffer.size == 0)))
revents |= events & (POLLOUT | POLLWRNORM);
@@ -1796,7 +1792,7 @@ pipe_stat(struct pipe *pipe, struct stat *ub)
#endif /* __rtems__ */
ub->st_mode = S_IFIFO;
ub->st_blksize = PAGE_SIZE;
- if (pipe->pipe_state & PIPE_DIRECTW)
+ if (pipe->pipe_map.cnt != 0)
ub->st_size = pipe->pipe_map.cnt;
else
ub->st_size = pipe->pipe_buffer.cnt;
@@ -2085,7 +2081,7 @@ filt_piperead(struct knote *kn, long hint)
PIPE_LOCK_ASSERT(rpipe, MA_OWNED);
kn->kn_data = rpipe->pipe_buffer.cnt;
- if ((kn->kn_data == 0) && (rpipe->pipe_state & PIPE_DIRECTW))
+ if (kn->kn_data == 0)
kn->kn_data = rpipe->pipe_map.cnt;
if ((rpipe->pipe_state & PIPE_EOF) ||
diff --git a/freebsd/sys/kern/uipc_socket.c b/freebsd/sys/kern/uipc_socket.c
index 762dfb5..dc265e3 100644
--- a/freebsd/sys/kern/uipc_socket.c
+++ b/freebsd/sys/kern/uipc_socket.c
@@ -1156,9 +1156,9 @@ drop:
so->so_state |= SS_NOFDREF;
sorele(so);
if (listening) {
- struct socket *sp;
+ struct socket *sp, *tsp;
- TAILQ_FOREACH(sp, &lqueue, so_list) {
+ TAILQ_FOREACH_SAFE(sp, &lqueue, so_list, tsp) {
SOCK_LOCK(sp);
if (sp->so_count == 0) {
SOCK_UNLOCK(sp);
@@ -2813,7 +2813,12 @@ sosetopt(struct socket *so, struct sockopt *sopt)
error = sooptcopyin(sopt, &l, sizeof l, sizeof l);
if (error)
goto bad;
-
+ if (l.l_linger < 0 ||
+ l.l_linger > USHRT_MAX ||
+ l.l_linger > (INT_MAX / hz)) {
+ error = EDOM;
+ goto bad;
+ }
SOCK_LOCK(so);
so->so_linger = l.l_linger;
if (l.l_onoff)
@@ -4164,6 +4169,9 @@ void
so_linger_set(struct socket *so, int val)
{
+ KASSERT(val >= 0 && val <= USHRT_MAX && val <= (INT_MAX / hz),
+ ("%s: val %d out of range", __func__, val));
+
so->so_linger = val;
}
diff --git a/freebsd/sys/kern/uipc_syscalls.c b/freebsd/sys/kern/uipc_syscalls.c
index 567fbdc..251f2bb 100644
--- a/freebsd/sys/kern/uipc_syscalls.c
+++ b/freebsd/sys/kern/uipc_syscalls.c
@@ -59,6 +59,7 @@ __FBSDID("$FreeBSD$");
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/syscallsubr.h>
+#include <sys/sysent.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <sys/unpcb.h>
@@ -451,7 +452,8 @@ accept1(td, s, uname, anamelen, flags)
if (error == 0 && uname != NULL) {
#ifdef COMPAT_OLDSOCK
- if (flags & ACCEPT4_COMPAT)
+ if (SV_PROC_FLAG(td->td_proc, SV_AOUT) &&
+ (flags & ACCEPT4_COMPAT) != 0)
((struct osockaddr *)name)->sa_family =
name->sa_family;
#endif
@@ -970,7 +972,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags)
if (mp->msg_control) {
if (mp->msg_controllen < sizeof(struct cmsghdr)
#ifdef COMPAT_OLDSOCK
- && mp->msg_flags != MSG_COMPAT
+ && (mp->msg_flags != MSG_COMPAT ||
+ !SV_PROC_FLAG(td->td_proc, SV_AOUT))
#endif
) {
error = EINVAL;
@@ -981,7 +984,8 @@ sendit(struct thread *td, int s, struct msghdr *mp, int flags)
if (error != 0)
goto bad;
#ifdef COMPAT_OLDSOCK
- if (mp->msg_flags == MSG_COMPAT) {
+ if (mp->msg_flags == MSG_COMPAT &&
+ SV_PROC_FLAG(td->td_proc, SV_AOUT)) {
struct cmsghdr *cm;
M_PREPEND(control, sizeof(*cm), M_WAITOK);
@@ -1126,7 +1130,8 @@ sys_sendto(struct thread *td, struct sendto_args *uap)
msg.msg_iovlen = 1;
msg.msg_control = 0;
#ifdef COMPAT_OLDSOCK
- msg.msg_flags = 0;
+ if (SV_PROC_FLAG(td->td_proc, SV_AOUT))
+ msg.msg_flags = 0;
#endif
aiov.iov_base = uap->buf;
aiov.iov_len = uap->len;
@@ -1245,7 +1250,8 @@ sys_sendmsg(struct thread *td, struct sendmsg_args *uap)
return (error);
msg.msg_iov = iov;
#ifdef COMPAT_OLDSOCK
- msg.msg_flags = 0;
+ if (SV_PROC_FLAG(td->td_proc, SV_AOUT))
+ msg.msg_flags = 0;
#endif
error = sendit(td, uap->s, &msg, uap->flags);
free(iov, M_IOV);
@@ -1362,7 +1368,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg,
/* save sa_len before it is destroyed by MSG_COMPAT */
len = MIN(len, fromsa->sa_len);
#ifdef COMPAT_OLDSOCK
- if (mp->msg_flags & MSG_COMPAT)
+ if ((mp->msg_flags & MSG_COMPAT) != 0 &&
+ SV_PROC_FLAG(td->td_proc, SV_AOUT))
((struct osockaddr *)fromsa)->sa_family =
fromsa->sa_family;
#endif
@@ -1385,7 +1392,8 @@ kern_recvit(struct thread *td, int s, struct msghdr *mp, enum uio_seg fromseg,
* If we receive rights, trim the cmsghdr; anything else
* is tossed.
*/
- if (control && mp->msg_flags & MSG_COMPAT) {
+ if (control && (mp->msg_flags & MSG_COMPAT) != 0 &&
+ SV_PROC_FLAG(td->td_proc, SV_AOUT)) {
if (mtod(control, struct cmsghdr *)->cmsg_level !=
SOL_SOCKET ||
mtod(control, struct cmsghdr *)->cmsg_type !=
@@ -1444,7 +1452,8 @@ recvit(struct thread *td, int s, struct msghdr *mp, void *namelenp)
if (namelenp != NULL) {
error = copyout(&mp->msg_namelen, namelenp, sizeof (socklen_t));
#ifdef COMPAT_OLDSOCK
- if (mp->msg_flags & MSG_COMPAT)
+ if ((mp->msg_flags & MSG_COMPAT) != 0 &&
+ SV_PROC_FLAG(td->td_proc, SV_AOUT))
error = 0; /* old recvfrom didn't check */
#endif
}
@@ -1587,7 +1596,8 @@ sys_recvmsg(struct thread *td, struct recvmsg_args *uap)
return (error);
msg.msg_flags = uap->flags;
#ifdef COMPAT_OLDSOCK
- msg.msg_flags &= ~MSG_COMPAT;
+ if (SV_PROC_FLAG(td->td_proc, SV_AOUT))
+ msg.msg_flags &= ~MSG_COMPAT;
#endif
uiov = msg.msg_iov;
msg.msg_iov = iov;
@@ -1878,7 +1888,7 @@ getsockname1(struct thread *td, struct getsockname_args *uap, int compat)
if (len != 0) {
#ifdef COMPAT_OLDSOCK
- if (compat)
+ if (compat && SV_PROC_FLAG(td->td_proc, SV_AOUT))
((struct osockaddr *)sa)->sa_family = sa->sa_family;
#endif
error = copyout(sa, uap->asa, (u_int)len);
@@ -1993,7 +2003,7 @@ getpeername1(struct thread *td, struct getpeername_args *uap, int compat)
if (len != 0) {
#ifdef COMPAT_OLDSOCK
- if (compat)
+ if (compat && SV_PROC_FLAG(td->td_proc, SV_AOUT))
((struct osockaddr *)sa)->sa_family = sa->sa_family;
#endif
error = copyout(sa, uap->asa, (u_int)len);
@@ -2098,7 +2108,8 @@ sockargs(struct mbuf **mp, char *buf, socklen_t buflen, int type)
if (buflen > MLEN) {
#ifdef COMPAT_OLDSOCK
- if (type == MT_SONAME && buflen <= 112)
+ if (type == MT_SONAME && buflen <= 112 &&
+ SV_CURPROC_FLAG(SV_AOUT))
buflen = MLEN; /* unix domain compat. hack */
else
#endif
@@ -2116,7 +2127,8 @@ sockargs(struct mbuf **mp, char *buf, socklen_t buflen, int type)
sa = mtod(m, struct sockaddr *);
#if defined(COMPAT_OLDSOCK) && BYTE_ORDER != BIG_ENDIAN
- if (sa->sa_family == 0 && sa->sa_len < AF_MAX)
+ if (sa->sa_family == 0 && sa->sa_len < AF_MAX &&
+ SV_CURPROC_FLAG(SV_AOUT))
sa->sa_family = sa->sa_len;
#endif
sa->sa_len = buflen;
@@ -2148,7 +2160,8 @@ getsockaddr(struct sockaddr **namp, const struct sockaddr *uaddr, size_t len)
free(sa, M_SONAME);
} else {
#if defined(COMPAT_OLDSOCK) && BYTE_ORDER != BIG_ENDIAN
- if (sa->sa_family == 0 && sa->sa_len < AF_MAX)
+ if (sa->sa_family == 0 && sa->sa_len < AF_MAX &&
+ SV_CURPROC_FLAG(SV_AOUT))
sa->sa_family = sa->sa_len;
#endif
sa->sa_len = len;
diff --git a/freebsd/sys/kern/uipc_usrreq.c b/freebsd/sys/kern/uipc_usrreq.c
index c4df64a..fc4ee85 100644
--- a/freebsd/sys/kern/uipc_usrreq.c
+++ b/freebsd/sys/kern/uipc_usrreq.c
@@ -2340,7 +2340,7 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
struct timespec *ts;
void *data;
socklen_t clen, datalen;
- int i, error, *fdp, oldfds;
+ int i, j, error, *fdp, oldfds;
u_int newlen;
UNP_LINK_UNLOCK_ASSERT();
@@ -2423,6 +2423,19 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
goto out;
}
fdp = data;
+ for (i = 0; i < oldfds; i++, fdp++) {
+ if (!fhold(fdesc->fd_ofiles[*fdp].fde_file)) {
+ fdp = data;
+ for (j = 0; j < i; j++, fdp++) {
+ fdrop(fdesc->fd_ofiles[*fdp].
+ fde_file, td);
+ }
+ FILEDESC_SUNLOCK(fdesc);
+ error = EBADF;
+ goto out;
+ }
+ }
+ fdp = data;
fdep = (struct filedescent **)
CMSG_DATA(mtod(*controlp, struct cmsghdr *));
fdev = malloc(sizeof(*fdev) * oldfds, M_FILECAPS,
@@ -2626,7 +2639,6 @@ unp_internalize_fp(struct file *fp)
unp->unp_file = fp;
unp->unp_msgcount++;
}
- fhold(fp);
unp_rights++;
UNP_LINK_WUNLOCK();
}
@@ -2787,10 +2799,10 @@ unp_gc(__unused void *arg, int pending)
if ((unp->unp_gcflag & UNPGC_DEAD) != 0) {
f = unp->unp_file;
if (unp->unp_msgcount == 0 || f == NULL ||
- f->f_count != unp->unp_msgcount)
+ f->f_count != unp->unp_msgcount ||
+ !fhold(f))
continue;
unref[total++] = f;
- fhold(f);
KASSERT(total <= unp_unreachable,
("unp_gc: incorrect unreachable count."));
}
diff --git a/freebsd/sys/net/if.c b/freebsd/sys/net/if.c
index a9c2826..d57e698 100644
--- a/freebsd/sys/net/if.c
+++ b/freebsd/sys/net/if.c
@@ -2777,6 +2777,8 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
if (strlen(new_name) == IFNAMSIZ-1)
return (EINVAL);
}
+ if (strcmp(new_name, ifp->if_xname) == 0)
+ break;
if (ifunit(new_name) != NULL)
return (EEXIST);
diff --git a/freebsd/sys/net/if_spppsubr.c b/freebsd/sys/net/if_spppsubr.c
index d73befe..e3aeb4c 100644
--- a/freebsd/sys/net/if_spppsubr.c
+++ b/freebsd/sys/net/if_spppsubr.c
@@ -1062,15 +1062,13 @@ sppp_detach(struct ifnet *ifp)
KASSERT(mtx_initialized(&sp->mtx), ("sppp mutex is not initialized"));
/* Stop keepalive handler. */
- if (!callout_drain(&sp->keepalive_callout))
- callout_stop(&sp->keepalive_callout);
+ callout_drain(&sp->keepalive_callout);
for (i = 0; i < IDX_COUNT; i++) {
- if (!callout_drain(&sp->ch[i]))
- callout_stop(&sp->ch[i]);
+ callout_drain(&sp->ch[i]);
}
- if (!callout_drain(&sp->pap_my_to_ch))
- callout_stop(&sp->pap_my_to_ch);
+ callout_drain(&sp->pap_my_to_ch);
+
mtx_destroy(&sp->pp_cpq.ifq_mtx);
mtx_destroy(&sp->pp_fastq.ifq_mtx);
mtx_destroy(&sp->mtx);
diff --git a/freebsd/sys/netinet/sctp_asconf.c b/freebsd/sys/netinet/sctp_asconf.c
index 2c66f65..4de01ed 100644
--- a/freebsd/sys/netinet/sctp_asconf.c
+++ b/freebsd/sys/netinet/sctp_asconf.c
@@ -1368,7 +1368,7 @@ sctp_asconf_queue_add(struct sctp_tcb *stcb, struct sctp_ifa *ifa,
if (sctp_asconf_queue_mgmt(stcb,
stcb->asoc.asconf_addr_del_pending,
SCTP_DEL_IP_ADDRESS) == 0) {
- SCTPDBG(SCTP_DEBUG_ASCONF2, "asconf_queue_add: queing pending delete\n");
+ SCTPDBG(SCTP_DEBUG_ASCONF2, "asconf_queue_add: queuing pending delete\n");
pending_delete_queued = 1;
/* clear out the pending delete info */
stcb->asoc.asconf_del_pending = 0;
diff --git a/freebsd/sys/netinet/sctp_auth.c b/freebsd/sys/netinet/sctp_auth.c
index 8301a98..3555bb8 100644
--- a/freebsd/sys/netinet/sctp_auth.c
+++ b/freebsd/sys/netinet/sctp_auth.c
@@ -525,7 +525,7 @@ sctp_insert_sharedkey(struct sctp_keyhead *shared_keys,
} else if (new_skey->keyid == skey->keyid) {
/* replace the existing key */
/* verify this key *can* be replaced */
- if ((skey->deactivated) && (skey->refcount > 1)) {
+ if ((skey->deactivated) || (skey->refcount > 1)) {
SCTPDBG(SCTP_DEBUG_AUTH1,
"can't replace shared key id %u\n",
new_skey->keyid);
diff --git a/freebsd/sys/netinet/sctp_indata.c b/freebsd/sys/netinet/sctp_indata.c
index 6c2658c..c4a11fe 100644
--- a/freebsd/sys/netinet/sctp_indata.c
+++ b/freebsd/sys/netinet/sctp_indata.c
@@ -917,6 +917,9 @@ restart:
break;
}
}
+ if (cnt_added && strm->pd_api_started) {
+ sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
+ }
if ((control->length > pd_point) && (strm->pd_api_started == 0)) {
strm->pd_api_started = 1;
control->pdapi_started = 1;
@@ -1478,6 +1481,16 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
"The last fsn is now in place fsn: %u\n",
chk->rec.data.fsn);
control->last_frag_seen = 1;
+ if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) {
+ SCTPDBG(SCTP_DEBUG_XXX,
+ "New fsn: %u is not at top_fsn: %u -- abort\n",
+ chk->rec.data.fsn,
+ control->top_fsn);
+ sctp_abort_in_reasm(stcb, control, chk,
+ abort_flag,
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
+ return;
+ }
}
if (asoc->idata_supported || control->first_frag_seen) {
/*
@@ -1493,7 +1506,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
*/
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
return;
}
}
@@ -1505,7 +1518,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
chk->rec.data.fsn, control->top_fsn);
sctp_abort_in_reasm(stcb, control,
chk, abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
return;
}
if (asoc->idata_supported || control->first_frag_seen) {
@@ -1526,7 +1539,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
chk->rec.data.fsn, control->fsn_included);
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
return;
}
}
@@ -1541,7 +1554,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
control->top_fsn);
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
return;
}
}
@@ -1584,7 +1597,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
at->rec.data.fsn);
sctp_abort_in_reasm(stcb, control,
chk, abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_14);
return;
}
}
diff --git a/freebsd/sys/netinet/sctp_indata.h b/freebsd/sys/netinet/sctp_indata.h
index 59ceac3..3f3099e 100644
--- a/freebsd/sys/netinet/sctp_indata.h
+++ b/freebsd/sys/netinet/sctp_indata.h
@@ -61,7 +61,6 @@ sctp_build_readq_entry(struct sctp_tcb *stcb,
(_ctl)->sinfo_ppid = ppid; \
(_ctl)->sinfo_context = context; \
(_ctl)->fsn_included = 0xffffffff; \
- (_ctl)->top_fsn = 0xffffffff; \
(_ctl)->sinfo_tsn = tsn; \
(_ctl)->sinfo_cumtsn = tsn; \
(_ctl)->sinfo_assoc_id = sctp_get_associd((in_it)); \
diff --git a/freebsd/sys/netinet/sctp_input.c b/freebsd/sys/netinet/sctp_input.c
index 5386aae..3f4e2f5 100644
--- a/freebsd/sys/netinet/sctp_input.c
+++ b/freebsd/sys/netinet/sctp_input.c
@@ -446,22 +446,48 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
{
struct sctp_association *asoc;
struct mbuf *op_err;
- int retval, abort_flag;
- uint32_t initack_limit;
+ int retval, abort_flag, cookie_found;
+ int initack_limit;
int nat_friendly = 0;
/* First verify that we have no illegal param's */
abort_flag = 0;
+ cookie_found = 0;
op_err = sctp_arethere_unrecognized_parameters(m,
(offset + sizeof(struct sctp_init_chunk)),
- &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
+ &abort_flag, (struct sctp_chunkhdr *)cp,
+ &nat_friendly, &cookie_found);
if (abort_flag) {
/* Send an abort and notify peer */
sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
*abort_no_unlock = 1;
return (-1);
}
+ if (!cookie_found) {
+ uint16_t len;
+
+ len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t));
+ /* We abort with an error of missing mandatory param */
+ op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
+ if (op_err != NULL) {
+ struct sctp_error_missing_param *cause;
+
+ SCTP_BUF_LEN(op_err) = len;
+ cause = mtod(op_err, struct sctp_error_missing_param *);
+ /* Subtract the reserved param */
+ cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM);
+ cause->cause.length = htons(len);
+ cause->num_missing_params = htonl(1);
+ cause->type[0] = htons(SCTP_STATE_COOKIE);
+ }
+ sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
+ src, dst, sh, op_err,
+ mflowtype, mflowid,
+ vrf_id, net->port);
+ *abort_no_unlock = 1;
+ return (-3);
+ }
asoc = &stcb->asoc;
asoc->peer_supports_nat = (uint8_t)nat_friendly;
/* process the peer's parameters in the INIT-ACK */
@@ -526,40 +552,8 @@ sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
/* calculate the RTO */
net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered,
SCTP_RTT_FROM_NON_DATA);
- retval = sctp_send_cookie_echo(m, offset, stcb, net);
- if (retval < 0) {
- /*
- * No cookie, we probably should send a op error. But in any
- * case if there is no cookie in the INIT-ACK, we can
- * abandon the peer, its broke.
- */
- if (retval == -3) {
- uint16_t len;
-
- len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t));
- /* We abort with an error of missing mandatory param */
- op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
- if (op_err != NULL) {
- struct sctp_error_missing_param *cause;
-
- SCTP_BUF_LEN(op_err) = len;
- cause = mtod(op_err, struct sctp_error_missing_param *);
- /* Subtract the reserved param */
- cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM);
- cause->cause.length = htons(len);
- cause->num_missing_params = htonl(1);
- cause->type[0] = htons(SCTP_STATE_COOKIE);
- }
- sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
- src, dst, sh, op_err,
- mflowtype, mflowid,
- vrf_id, net->port);
- *abort_no_unlock = 1;
- }
- return (retval);
- }
-
- return (0);
+ retval = sctp_send_cookie_echo(m, offset, initack_limit, stcb, net);
+ return (retval);
}
static void
@@ -2157,8 +2151,8 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
ntohl(initack_cp->init.initiate_tag), vrf_id,
ntohs(initack_cp->init.num_outbound_streams),
port,
- (struct thread *)NULL
- );
+ (struct thread *)NULL,
+ SCTP_DONT_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
struct mbuf *op_err;
diff --git a/freebsd/sys/netinet/sctp_output.c b/freebsd/sys/netinet/sctp_output.c
index cd4fcdc..9221080 100644
--- a/freebsd/sys/netinet/sctp_output.c
+++ b/freebsd/sys/netinet/sctp_output.c
@@ -4972,7 +4972,10 @@ sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
struct mbuf *
sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
- int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
+ int param_offset, int *abort_processing,
+ struct sctp_chunkhdr *cp,
+ int *nat_friendly,
+ int *cookie_found)
{
/*
* Given a mbuf containing an INIT or INIT-ACK with the param_offset
@@ -4990,17 +4993,20 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
*/
struct sctp_paramhdr *phdr, params;
- struct mbuf *mat, *op_err;
+ struct mbuf *mat, *m_tmp, *op_err, *op_err_last;
int at, limit, pad_needed;
uint16_t ptype, plen, padded_size;
- int err_at;
*abort_processing = 0;
+ if (cookie_found != NULL) {
+ *cookie_found = 0;
+ }
mat = in_initpkt;
- err_at = 0;
limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
at = param_offset;
op_err = NULL;
+ op_err_last = NULL;
+ pad_needed = 0;
SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
phdr = sctp_get_next_param(mat, at, ¶ms, sizeof(params));
while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
@@ -5023,12 +5029,17 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
switch (ptype) {
/* Param's with variable size */
case SCTP_HEARTBEAT_INFO:
- case SCTP_STATE_COOKIE:
case SCTP_UNRECOG_PARAM:
case SCTP_ERROR_CAUSE_IND:
/* ok skip fwd */
at += padded_size;
break;
+ case SCTP_STATE_COOKIE:
+ if (cookie_found != NULL) {
+ *cookie_found = 1;
+ }
+ at += padded_size;
+ break;
/* Param's with variable size within a range */
case SCTP_CHUNK_LIST:
case SCTP_SUPPORTED_CHUNK_EXT:
@@ -5117,55 +5128,44 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
break;
case SCTP_HOSTNAME_ADDRESS:
{
- /* We can NOT handle HOST NAME addresses!! */
+ /* Hostname parameters are deprecated. */
+ struct sctp_gen_error_cause *cause;
int l_len;
SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
*abort_processing = 1;
- if (op_err == NULL) {
- /* Ok need to try to get a mbuf */
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
#ifdef INET6
- l_len = SCTP_MIN_OVERHEAD;
+ l_len = SCTP_MIN_OVERHEAD;
#else
- l_len = SCTP_MIN_V4_OVERHEAD;
+ l_len = SCTP_MIN_V4_OVERHEAD;
#endif
- l_len += sizeof(struct sctp_chunkhdr);
- l_len += sizeof(struct sctp_gen_error_cause);
- op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
- if (op_err) {
- SCTP_BUF_LEN(op_err) = 0;
- /*
- * Pre-reserve space for IP,
- * SCTP, and chunk header.
- */
+ l_len += sizeof(struct sctp_chunkhdr);
+ l_len += sizeof(struct sctp_gen_error_cause);
+ op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
+ if (op_err != NULL) {
+ /*
+ * Pre-reserve space for IP, SCTP,
+ * and chunk header.
+ */
#ifdef INET6
- SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
#else
- SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
-#endif
- SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
- SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
- }
- }
- if (op_err) {
- /* If we have space */
- struct sctp_gen_error_cause cause;
-
- if (err_at % 4) {
- uint32_t cpthis = 0;
-
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
- }
- cause.code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
- cause.length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
- m_copyback(op_err, err_at, sizeof(struct sctp_gen_error_cause), (caddr_t)&cause);
- err_at += sizeof(struct sctp_gen_error_cause);
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
+#endif
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
+ cause = mtod(op_err, struct sctp_gen_error_cause *);
+ cause->code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
+ cause->length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
if (SCTP_BUF_NEXT(op_err) == NULL) {
sctp_m_freem(op_err);
- return (NULL);
+ op_err = NULL;
+ op_err_last = NULL;
}
}
return (op_err);
@@ -5201,37 +5201,55 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
#endif
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ op_err_last = op_err;
}
}
- if (op_err) {
+ if (op_err != NULL) {
/* If we have space */
- struct sctp_paramhdr s;
-
- if (err_at % 4) {
- uint32_t cpthis = 0;
+ struct sctp_paramhdr *param;
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
+ if (pad_needed > 0) {
+ op_err_last = sctp_add_pad_tombuf(op_err_last, pad_needed);
}
- s.param_type = htons(SCTP_UNRECOG_PARAM);
- s.param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
- m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)&s);
- err_at += sizeof(struct sctp_paramhdr);
- SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
- if (SCTP_BUF_NEXT(op_err) == NULL) {
+ if (op_err_last == NULL) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ goto more_processing;
+ }
+ if (M_TRAILINGSPACE(op_err_last) < (int)sizeof(struct sctp_paramhdr)) {
+ m_tmp = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
+ if (m_tmp == NULL) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ goto more_processing;
+ }
+ SCTP_BUF_LEN(m_tmp) = 0;
+ SCTP_BUF_NEXT(m_tmp) = NULL;
+ SCTP_BUF_NEXT(op_err_last) = m_tmp;
+ op_err_last = m_tmp;
+ }
+ param = (struct sctp_paramhdr *)(mtod(op_err_last, caddr_t)+SCTP_BUF_LEN(op_err_last));
+ param->param_type = htons(SCTP_UNRECOG_PARAM);
+ param->param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
+ SCTP_BUF_LEN(op_err_last) += sizeof(struct sctp_paramhdr);
+ SCTP_BUF_NEXT(op_err_last) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
+ if (SCTP_BUF_NEXT(op_err_last) == NULL) {
sctp_m_freem(op_err);
- /*
- * we are out of memory but
- * we still need to have a
- * look at what to do (the
- * system is in trouble
- * though).
- */
op_err = NULL;
+ op_err_last = NULL;
goto more_processing;
+ } else {
+ while (SCTP_BUF_NEXT(op_err_last) != NULL) {
+ op_err_last = SCTP_BUF_NEXT(op_err_last);
+ }
+ }
+ if (plen % 4 != 0) {
+ pad_needed = 4 - (plen % 4);
+ } else {
+ pad_needed = 0;
}
- err_at += plen;
}
}
more_processing:
@@ -5252,7 +5270,11 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
invalid_size:
SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
*abort_processing = 1;
- if ((op_err == NULL) && phdr) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ if (phdr != NULL) {
+ struct sctp_paramhdr *param;
int l_len;
#ifdef INET6
l_len = SCTP_MIN_OVERHEAD;
@@ -5271,25 +5293,15 @@ invalid_size:
#endif
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ SCTP_BUF_LEN(op_err) = 2 * sizeof(struct sctp_paramhdr);
+ param = mtod(op_err, struct sctp_paramhdr *);
+ param->param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
+ param->param_length = htons(2 * sizeof(struct sctp_paramhdr));
+ param++;
+ param->param_type = htons(ptype);
+ param->param_length = htons(plen);
}
}
- if ((op_err) && phdr) {
- struct sctp_paramhdr s;
-
- if (err_at % 4) {
- uint32_t cpthis = 0;
-
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
- }
- s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
- s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
- m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
- err_at += sizeof(s);
- /* Only copy back the p-hdr that caused the issue */
- m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
- }
return (op_err);
}
@@ -5569,7 +5581,9 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
abort_flag = 0;
op_err = sctp_arethere_unrecognized_parameters(init_pkt,
(offset + sizeof(struct sctp_init_chunk)),
- &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
+ &abort_flag,
+ (struct sctp_chunkhdr *)init_chk,
+ &nat_friendly, NULL);
if (abort_flag) {
do_a_abort:
if (op_err == NULL) {
@@ -5588,8 +5602,7 @@ do_a_abort:
m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
if (m == NULL) {
/* No memory, INIT timer will re-attempt. */
- if (op_err)
- sctp_m_freem(op_err);
+ sctp_m_freem(op_err);
return;
}
chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
@@ -5778,8 +5791,11 @@ do_a_abort:
net->ro._s_addr = sctp_source_address_selection(inp,
stcb, (sctp_route_t *)&net->ro,
net, 0, vrf_id);
- if (net->ro._s_addr == NULL)
+ if (net->ro._s_addr == NULL) {
+ sctp_m_freem(op_err);
+ sctp_m_freem(m);
return;
+ }
net->src_addr_selected = 1;
@@ -5808,8 +5824,11 @@ do_a_abort:
net->ro._s_addr = sctp_source_address_selection(inp,
stcb, (sctp_route_t *)&net->ro,
net, 0, vrf_id);
- if (net->ro._s_addr == NULL)
+ if (net->ro._s_addr == NULL) {
+ sctp_m_freem(op_err);
+ sctp_m_freem(m);
return;
+ }
net->src_addr_selected = 1;
}
@@ -5880,6 +5899,7 @@ do_a_abort:
so = inp->sctp_socket;
if (so == NULL) {
/* memory problem */
+ sctp_m_freem(op_err);
sctp_m_freem(m);
return;
} else {
@@ -8996,7 +9016,7 @@ sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
int
sctp_send_cookie_echo(struct mbuf *m,
- int offset,
+ int offset, int limit,
struct sctp_tcb *stcb,
struct sctp_nets *net)
{
@@ -9022,18 +9042,30 @@ sctp_send_cookie_echo(struct mbuf *m,
}
ptype = ntohs(phdr->param_type);
plen = ntohs(phdr->param_length);
+ if (plen < sizeof(struct sctp_paramhdr)) {
+ return (-6);
+ }
if (ptype == SCTP_STATE_COOKIE) {
int pad;
/* found the cookie */
- if ((pad = (plen % 4))) {
- plen += 4 - pad;
+ if (at + plen > limit) {
+ return (-7);
}
cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
if (cookie == NULL) {
/* No memory */
return (-2);
}
+ if ((pad = (plen % 4)) > 0) {
+ pad = 4 - pad;
+ }
+ if (pad > 0) {
+ cookie = sctp_pad_lastmbuf(cookie, pad, NULL);
+ if (cookie == NULL) {
+ return (-8);
+ }
+ }
#ifdef SCTP_MBUF_LOGGING
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
sctp_log_mbc(cookie, SCTP_MBUF_ICOPY);
@@ -9059,7 +9091,7 @@ sctp_send_cookie_echo(struct mbuf *m,
chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
chk->rec.chunk_id.can_take_data = 0;
chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
- chk->send_size = plen;
+ chk->send_size = SCTP_SIZE32(plen);
chk->sent = SCTP_DATAGRAM_UNSENT;
chk->snd_count = 0;
chk->asoc = &stcb->asoc;
@@ -9085,7 +9117,6 @@ sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
struct sctp_chunkhdr *chdr;
struct sctp_tmit_chunk *chk;
-
if (net == NULL)
/* must have a net pointer */
return;
@@ -9103,13 +9134,8 @@ sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
chdr = mtod(outchain, struct sctp_chunkhdr *);
chdr->chunk_type = SCTP_HEARTBEAT_ACK;
chdr->chunk_flags = 0;
- if (chk_length % 4) {
- /* need pad */
- uint32_t cpthis = 0;
- int padlen;
-
- padlen = 4 - (chk_length % 4);
- m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
+ if (chk_length % 4 != 0) {
+ sctp_pad_lastmbuf(outchain, 4 - (chk_length % 4), NULL);
}
sctp_alloc_a_chunk(stcb, chk);
if (chk == NULL) {
@@ -12535,7 +12561,7 @@ sctp_lower_sosend(struct socket *so,
struct thread *p
)
{
- ssize_t sndlen = 0, max_len;
+ ssize_t sndlen = 0, max_len, local_add_more;
int error, len;
struct mbuf *top = NULL;
int queue_only = 0, queue_only_for_init = 0;
@@ -12557,7 +12583,6 @@ sctp_lower_sosend(struct socket *so,
int got_all_of_the_send = 0;
int hold_tcblock = 0;
int non_blocking = 0;
- uint32_t local_add_more;
ssize_t local_soresv = 0;
uint16_t port;
uint16_t sinfo_flags;
@@ -12654,6 +12679,12 @@ sctp_lower_sosend(struct socket *so,
sinfo_flags = inp->def_send.sinfo_flags;
sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
}
+ if (flags & MSG_EOR) {
+ sinfo_flags |= SCTP_EOR;
+ }
+ if (flags & MSG_EOF) {
+ sinfo_flags |= SCTP_EOF;
+ }
if (sinfo_flags & SCTP_SENDALL) {
/* its a sendall */
error = sctp_sendall(inp, uio, top, srcv);
@@ -12771,7 +12802,8 @@ sctp_lower_sosend(struct socket *so,
stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
inp->sctp_ep.pre_open_stream_count,
inp->sctp_ep.port,
- p);
+ p,
+ SCTP_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
/* Error is setup for us in the call */
goto out_unlocked;
@@ -12800,9 +12832,6 @@ sctp_lower_sosend(struct socket *so,
SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
- /* initialize authentication params for the assoc */
- sctp_initialize_auth_params(inp, stcb);
-
if (control) {
if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE,
@@ -12823,9 +12852,17 @@ sctp_lower_sosend(struct socket *so,
}
} else
asoc = &stcb->asoc;
- if (srcv == NULL)
+ if (srcv == NULL) {
srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
- if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
+ sinfo_flags = srcv->sinfo_flags;
+ if (flags & MSG_EOR) {
+ sinfo_flags |= SCTP_EOR;
+ }
+ if (flags & MSG_EOF) {
+ sinfo_flags |= SCTP_EOF;
+ }
+ }
+ if (sinfo_flags & SCTP_ADDR_OVER) {
if (addr)
net = sctp_findnet(stcb, addr);
else
@@ -12849,7 +12886,7 @@ sctp_lower_sosend(struct socket *so,
free_cnt_applied = 1;
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
- if (sndlen > asoc->smallest_mtu) {
+ if (sndlen > (ssize_t)asoc->smallest_mtu) {
SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
error = EMSGSIZE;
goto out_unlocked;
@@ -12877,7 +12914,7 @@ sctp_lower_sosend(struct socket *so,
if ((SCTP_SB_LIMIT_SND(so) < (amount + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
(stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
- if (sndlen > SCTP_SB_LIMIT_SND(so))
+ if (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(so))
error = EMSGSIZE;
else
error = EWOULDBLOCK;
@@ -12932,7 +12969,7 @@ sctp_lower_sosend(struct socket *so,
(SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
(SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
(asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
- if (srcv->sinfo_flags & SCTP_ABORT) {
+ if (sinfo_flags & SCTP_ABORT) {
;
} else {
SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
@@ -12947,7 +12984,7 @@ sctp_lower_sosend(struct socket *so,
}
#endif /* __rtems__ */
/* Are we aborting? */
- if (srcv->sinfo_flags & SCTP_ABORT) {
+ if (sinfo_flags & SCTP_ABORT) {
struct mbuf *mm;
ssize_t tot_demand, tot_out = 0, max_out;
@@ -13061,7 +13098,7 @@ sctp_lower_sosend(struct socket *so,
/* Unless E_EOR mode is on, we must make a send FIT in one call. */
if ((user_marks_eor == 0) &&
- (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
+ (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
/* It will NEVER fit */
SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
error = EMSGSIZE;
@@ -13078,20 +13115,20 @@ sctp_lower_sosend(struct socket *so,
}
if (user_marks_eor) {
- local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
+ local_add_more = (ssize_t)min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
} else {
/*-
* For non-eeor the whole message must fit in
* the socket send buffer.
*/
- local_add_more = (uint32_t)sndlen;
+ local_add_more = sndlen;
}
len = 0;
if (non_blocking) {
goto skip_preblock;
}
if (((max_len <= local_add_more) &&
- (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
+ ((ssize_t)SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
(max_len == 0) ||
((stcb->asoc.chunks_on_out_queue + stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
/* No room right now ! */
@@ -13099,7 +13136,7 @@ sctp_lower_sosend(struct socket *so,
inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
((stcb->asoc.stream_queue_cnt + stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
- SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
+ SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %zd) || (%d+%d > %d)\n",
(unsigned int)SCTP_SB_LIMIT_SND(so),
inqueue_bytes,
local_add_more,
@@ -13151,7 +13188,7 @@ skip_preblock:
* case NOTE: uio will be null when top/mbuf is passed
*/
if (sndlen == 0) {
- if (srcv->sinfo_flags & SCTP_EOF) {
+ if (sinfo_flags & SCTP_EOF) {
got_all_of_the_send = 1;
goto dataless_eof;
} else {
@@ -13200,7 +13237,7 @@ skip_preblock:
}
sctp_snd_sb_alloc(stcb, sp->length);
atomic_add_int(&asoc->stream_queue_cnt, 1);
- if (srcv->sinfo_flags & SCTP_UNORDERED) {
+ if (sinfo_flags & SCTP_UNORDERED) {
SCTP_STAT_INCR(sctps_sends_with_unord);
}
TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
@@ -13232,7 +13269,7 @@ skip_preblock:
else
max_len = 0;
- if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
+ if ((max_len > (ssize_t)SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
(max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
(uio->uio_resid && (uio->uio_resid <= max_len))) {
sndout = 0;
@@ -13275,15 +13312,15 @@ skip_preblock:
sctp_snd_sb_alloc(stcb, sndout);
atomic_add_int(&sp->length, sndout);
len += sndout;
- if (srcv->sinfo_flags & SCTP_SACK_IMMEDIATELY) {
+ if (sinfo_flags & SCTP_SACK_IMMEDIATELY) {
sp->sinfo_flags |= SCTP_SACK_IMMEDIATELY;
}
/* Did we reach EOR? */
if ((uio->uio_resid == 0) &&
((user_marks_eor == 0) ||
- (srcv->sinfo_flags & SCTP_EOF) ||
- (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
+ (sinfo_flags & SCTP_EOF) ||
+ (user_marks_eor && (sinfo_flags & SCTP_EOR)))) {
sp->msg_is_complete = 1;
} else {
sp->msg_is_complete = 0;
@@ -13401,10 +13438,10 @@ skip_preblock:
stcb,
SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
}
- if (hold_tcblock == 1) {
- SCTP_TCB_UNLOCK(stcb);
- hold_tcblock = 0;
- }
+ }
+ if (hold_tcblock == 1) {
+ SCTP_TCB_UNLOCK(stcb);
+ hold_tcblock = 0;
}
SOCKBUF_LOCK(&so->so_snd);
/*-
@@ -13485,7 +13522,7 @@ skip_preblock:
/* We send in a 0, since we do NOT have any locks */
error = sctp_msg_append(stcb, net, top, srcv, 0);
top = NULL;
- if (srcv->sinfo_flags & SCTP_EOF) {
+ if (sinfo_flags & SCTP_EOF) {
/*
* This should only happen for Panda for the mbuf
* send case, which does NOT yet support EEOR mode.
@@ -13500,7 +13537,7 @@ skip_preblock:
}
dataless_eof:
/* EOF thing ? */
- if ((srcv->sinfo_flags & SCTP_EOF) &&
+ if ((sinfo_flags & SCTP_EOF) &&
(got_all_of_the_send == 1)) {
SCTP_STAT_INCR(sctps_sends_with_eof);
error = 0;
diff --git a/freebsd/sys/netinet/sctp_output.h b/freebsd/sys/netinet/sctp_output.h
index 1b3d22d..6d78cf9 100644
--- a/freebsd/sys/netinet/sctp_output.h
+++ b/freebsd/sys/netinet/sctp_output.h
@@ -92,11 +92,11 @@ sctp_send_initiate_ack(struct sctp_inpcb *, struct sctp_tcb *,
struct mbuf *
sctp_arethere_unrecognized_parameters(struct mbuf *, int, int *,
- struct sctp_chunkhdr *, int *);
+ struct sctp_chunkhdr *, int *, int *);
void sctp_queue_op_err(struct sctp_tcb *, struct mbuf *);
int
-sctp_send_cookie_echo(struct mbuf *, int, struct sctp_tcb *,
+sctp_send_cookie_echo(struct mbuf *, int, int, struct sctp_tcb *,
struct sctp_nets *);
void sctp_send_cookie_ack(struct sctp_tcb *);
diff --git a/freebsd/sys/netinet/sctp_pcb.c b/freebsd/sys/netinet/sctp_pcb.c
index 3d47914..10e4768 100644
--- a/freebsd/sys/netinet/sctp_pcb.c
+++ b/freebsd/sys/netinet/sctp_pcb.c
@@ -4194,8 +4194,8 @@ struct sctp_tcb *
sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
int *error, uint32_t override_tag, uint32_t vrf_id,
uint16_t o_streams, uint16_t port,
- struct thread *p
-)
+ struct thread *p,
+ int initialize_auth_params)
{
/* note the p argument is only valid in unbound sockets */
@@ -4425,6 +4425,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
inp->sctp_hashmark)];
LIST_INSERT_HEAD(head, stcb, sctp_tcbhash);
}
+ if (initialize_auth_params == SCTP_INITIALIZE_AUTH_PARAMS) {
+ sctp_initialize_auth_params(inp, stcb);
+ }
SCTP_INP_WUNLOCK(inp);
SCTPDBG(SCTP_DEBUG_PCB1, "Association %p now allocated\n", (void *)stcb);
return (stcb);
@@ -4913,12 +4916,11 @@ sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfre
inp->sctp_flags |= SCTP_PCB_FLAGS_WAS_CONNECTED;
if (so) {
SOCKBUF_LOCK(&so->so_rcv);
- if (so->so_rcv.sb_cc == 0) {
- so->so_state &= ~(SS_ISCONNECTING |
- SS_ISDISCONNECTING |
- SS_ISCONFIRMING |
- SS_ISCONNECTED);
- }
+ so->so_state &= ~(SS_ISCONNECTING |
+ SS_ISDISCONNECTING |
+ SS_ISCONFIRMING |
+ SS_ISCONNECTED);
+ so->so_state |= SS_ISDISCONNECTED;
socantrcvmore_locked(so);
socantsendmore(so);
sctp_sowwakeup(inp, so);
@@ -5776,7 +5778,7 @@ sctp_startup_mcore_threads(void)
#endif
void
-sctp_pcb_init()
+sctp_pcb_init(void)
{
/*
* SCTP initialization for the PCB structures should be called by
diff --git a/freebsd/sys/netinet/sctp_pcb.h b/freebsd/sys/netinet/sctp_pcb.h
index 5b41ae8..0f5aca8 100644
--- a/freebsd/sys/netinet/sctp_pcb.h
+++ b/freebsd/sys/netinet/sctp_pcb.h
@@ -578,9 +578,13 @@ int sctp_is_address_on_local_host(struct sockaddr *addr, uint32_t vrf_id);
void sctp_inpcb_free(struct sctp_inpcb *, int, int);
+#define SCTP_DONT_INITIALIZE_AUTH_PARAMS 0
+#define SCTP_INITIALIZE_AUTH_PARAMS 1
+
struct sctp_tcb *
sctp_aloc_assoc(struct sctp_inpcb *, struct sockaddr *,
- int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *);
+ int *, uint32_t, uint32_t, uint16_t, uint16_t, struct thread *,
+ int);
int sctp_free_assoc(struct sctp_inpcb *, struct sctp_tcb *, int, int);
diff --git a/freebsd/sys/netinet/sctp_usrreq.c b/freebsd/sys/netinet/sctp_usrreq.c
index 3913271..0175915 100644
--- a/freebsd/sys/netinet/sctp_usrreq.c
+++ b/freebsd/sys/netinet/sctp_usrreq.c
@@ -967,9 +967,9 @@ sctp_shutdown(struct socket *so)
abort_anyway:
op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_USRREQ + SCTP_LOC_6;
+ SCTP_INP_RUNLOCK(inp);
sctp_abort_an_association(stcb->sctp_ep, stcb,
op_err, SCTP_SO_LOCKED);
- SCTP_INP_RUNLOCK(inp);
return (0);
}
}
@@ -1445,8 +1445,8 @@ sctp_do_connect_x(struct socket *so, struct sctp_inpcb *inp, void *optval,
stcb = sctp_aloc_assoc(inp, sa, &error, 0, vrf_id,
inp->sctp_ep.pre_open_stream_count,
inp->sctp_ep.port,
- (struct thread *)p
- );
+ (struct thread *)p,
+ SCTP_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
/* Gak! no memory */
goto out_now;
@@ -1482,9 +1482,6 @@ sctp_do_connect_x(struct socket *so, struct sctp_inpcb *inp, void *optval,
a_id = (sctp_assoc_t *)optval;
*a_id = sctp_get_associd(stcb);
- /* initialize authentication parameters for the assoc */
- sctp_initialize_auth_params(inp, stcb);
-
if (delay) {
/* doing delayed connection */
stcb->asoc.delayed_connection = 1;
@@ -7027,7 +7024,8 @@ sctp_connect(struct socket *so, struct sockaddr *addr, struct thread *p)
/* We are GOOD to go */
stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
inp->sctp_ep.pre_open_stream_count,
- inp->sctp_ep.port, p);
+ inp->sctp_ep.port, p,
+ SCTP_INITIALIZE_AUTH_PARAMS);
if (stcb == NULL) {
/* Gak! no memory */
goto out_now;
@@ -7040,9 +7038,6 @@ sctp_connect(struct socket *so, struct sockaddr *addr, struct thread *p)
SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
- /* initialize authentication parameters for the assoc */
- sctp_initialize_auth_params(inp, stcb);
-
sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
SCTP_TCB_UNLOCK(stcb);
out_now:
@@ -7236,28 +7231,56 @@ sctp_accept(struct socket *so, struct sockaddr **addr)
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
return (ECONNRESET);
}
- SCTP_INP_RLOCK(inp);
+ SCTP_INP_WLOCK(inp);
if (inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) {
- SCTP_INP_RUNLOCK(inp);
+ SCTP_INP_WUNLOCK(inp);
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EOPNOTSUPP);
return (EOPNOTSUPP);
}
if (so->so_state & SS_ISDISCONNECTED) {
- SCTP_INP_RUNLOCK(inp);
+ SCTP_INP_WUNLOCK(inp);
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, ECONNABORTED);
return (ECONNABORTED);
}
stcb = LIST_FIRST(&inp->sctp_asoc_list);
if (stcb == NULL) {
- SCTP_INP_RUNLOCK(inp);
+ SCTP_INP_WUNLOCK(inp);
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
return (ECONNRESET);
}
SCTP_TCB_LOCK(stcb);
- SCTP_INP_RUNLOCK(inp);
store = stcb->asoc.primary_destination->ro._l_addr;
SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
- SCTP_TCB_UNLOCK(stcb);
+ /* Wake any delayed sleep action */
+ if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) {
+ inp->sctp_flags &= ~SCTP_PCB_FLAGS_DONT_WAKE;
+ if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEOUTPUT) {
+ inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEOUTPUT;
+ SOCKBUF_LOCK(&inp->sctp_socket->so_snd);
+ if (sowriteable(inp->sctp_socket)) {
+ sowwakeup_locked(inp->sctp_socket);
+ } else {
+ SOCKBUF_UNLOCK(&inp->sctp_socket->so_snd);
+ }
+ }
+ if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEINPUT) {
+ inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEINPUT;
+ SOCKBUF_LOCK(&inp->sctp_socket->so_rcv);
+ if (soreadable(inp->sctp_socket)) {
+ sctp_defered_wakeup_cnt++;
+ sorwakeup_locked(inp->sctp_socket);
+ } else {
+ SOCKBUF_UNLOCK(&inp->sctp_socket->so_rcv);
+ }
+ }
+ }
+ SCTP_INP_WUNLOCK(inp);
+ if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+ sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
+ SCTP_FROM_SCTP_USRREQ + SCTP_LOC_19);
+ } else {
+ SCTP_TCB_UNLOCK(stcb);
+ }
switch (store.sa.sa_family) {
#ifdef INET
case AF_INET:
@@ -7299,40 +7322,6 @@ sctp_accept(struct socket *so, struct sockaddr **addr)
/* TSNH */
break;
}
- /* Wake any delayed sleep action */
- if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) {
- SCTP_INP_WLOCK(inp);
- inp->sctp_flags &= ~SCTP_PCB_FLAGS_DONT_WAKE;
- if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEOUTPUT) {
- inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEOUTPUT;
- SCTP_INP_WUNLOCK(inp);
- SOCKBUF_LOCK(&inp->sctp_socket->so_snd);
- if (sowriteable(inp->sctp_socket)) {
- sowwakeup_locked(inp->sctp_socket);
- } else {
- SOCKBUF_UNLOCK(&inp->sctp_socket->so_snd);
- }
- SCTP_INP_WLOCK(inp);
- }
- if (inp->sctp_flags & SCTP_PCB_FLAGS_WAKEINPUT) {
- inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEINPUT;
- SCTP_INP_WUNLOCK(inp);
- SOCKBUF_LOCK(&inp->sctp_socket->so_rcv);
- if (soreadable(inp->sctp_socket)) {
- sctp_defered_wakeup_cnt++;
- sorwakeup_locked(inp->sctp_socket);
- } else {
- SOCKBUF_UNLOCK(&inp->sctp_socket->so_rcv);
- }
- SCTP_INP_WLOCK(inp);
- }
- SCTP_INP_WUNLOCK(inp);
- }
- if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
- SCTP_TCB_LOCK(stcb);
- sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
- SCTP_FROM_SCTP_USRREQ + SCTP_LOC_19);
- }
return (0);
}
diff --git a/freebsd/sys/netinet/sctputil.c b/freebsd/sys/netinet/sctputil.c
index ba7a43a..c7d4499 100644
--- a/freebsd/sys/netinet/sctputil.c
+++ b/freebsd/sys/netinet/sctputil.c
@@ -5928,7 +5928,7 @@ get_more_data:
}
if ((uio->uio_resid == 0) ||
((in_eeor_mode) &&
- (copied_so_far >= (uint32_t)max(so->so_rcv.sb_lowat, 1)))) {
+ (copied_so_far >= max(so->so_rcv.sb_lowat, 1)))) {
goto release;
}
/*
diff --git a/freebsd/sys/netinet/tcp_hpts.h b/freebsd/sys/netinet/tcp_hpts.h
index 04c8676..ea15bc1 100644
--- a/freebsd/sys/netinet/tcp_hpts.h
+++ b/freebsd/sys/netinet/tcp_hpts.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2016-2018 Netflix Inc.
+ * Copyright (c) 2016-2018 Netflix, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/freebsd/sys/netinet/tcp_input.c b/freebsd/sys/netinet/tcp_input.c
index e1fa55c..0589130 100644
--- a/freebsd/sys/netinet/tcp_input.c
+++ b/freebsd/sys/netinet/tcp_input.c
@@ -1508,7 +1508,6 @@ tcp_autorcvbuf(struct mbuf *m, struct tcphdr *th, struct socket *so,
} else {
tp->rfbuf_cnt += tlen; /* add up */
}
-
return (newsize);
}
@@ -2287,7 +2286,8 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
* DSACK - add SACK block for dropped range
*/
if (tp->t_flags & TF_SACK_PERMIT) {
- tcp_update_sack_list(tp, th->th_seq, th->th_seq+tlen);
+ tcp_update_sack_list(tp, th->th_seq,
+ th->th_seq + todrop);
/*
* ACK now, as the next in-sequence segment
* will clear the DSACK block again
@@ -3067,28 +3067,35 @@ dodata: /* XXX */
thflags = tcp_reass(tp, th, &temp, &tlen, m);
tp->t_flags |= TF_ACKNOW;
}
- if (tp->t_flags & TF_SACK_PERMIT) {
- if (((tlen == 0) && (save_tlen > 0) &&
- (SEQ_LT(save_start, save_rnxt)))) {
+ if ((tp->t_flags & TF_SACK_PERMIT) && (save_tlen > 0)) {
+ if ((tlen == 0) && (SEQ_LT(save_start, save_rnxt))) {
/*
* DSACK actually handled in the fastpath
* above.
*/
- tcp_update_sack_list(tp, save_start, save_start + save_tlen);
- } else
- if ((tlen > 0) && SEQ_GT(tp->rcv_nxt, save_rnxt)) {
- /*
- * Cleaning sackblks by using zero length
- * update.
- */
- tcp_update_sack_list(tp, save_start, save_start);
- } else
- if ((tlen > 0) && (tlen >= save_tlen)) {
+ tcp_update_sack_list(tp, save_start,
+ save_start + save_tlen);
+ } else if ((tlen > 0) && SEQ_GT(tp->rcv_nxt, save_rnxt)) {
+ if ((tp->rcv_numsacks >= 1) &&
+ (tp->sackblks[0].end == save_start)) {
+ /*
+ * Partial overlap, recorded at todrop
+ * above.
+ */
+ tcp_update_sack_list(tp,
+ tp->sackblks[0].start,
+ tp->sackblks[0].end);
+ } else {
+ tcp_update_dsack_list(tp, save_start,
+ save_start + save_tlen);
+ }
+ } else if (tlen >= save_tlen) {
/* Update of sackblks. */
- tcp_update_sack_list(tp, save_start, save_start + save_tlen);
- } else
- if (tlen > 0) {
- tcp_update_sack_list(tp, save_start, save_start+tlen);
+ tcp_update_dsack_list(tp, save_start,
+ save_start + save_tlen);
+ } else if (tlen > 0) {
+ tcp_update_dsack_list(tp, save_start,
+ save_start + tlen);
}
}
#if 0
diff --git a/freebsd/sys/netinet/tcp_log_buf.h b/freebsd/sys/netinet/tcp_log_buf.h
index e569395..0662d1b 100644
--- a/freebsd/sys/netinet/tcp_log_buf.h
+++ b/freebsd/sys/netinet/tcp_log_buf.h
@@ -1,8 +1,7 @@
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
- * Copyright (c) 2016-2018
- * Netflix Inc. All rights reserved.
+ * Copyright (c) 2016-2018 Netflix, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/freebsd/sys/netinet/tcp_output.c b/freebsd/sys/netinet/tcp_output.c
index 3d0a78d..3e024fd 100644
--- a/freebsd/sys/netinet/tcp_output.c
+++ b/freebsd/sys/netinet/tcp_output.c
@@ -1509,7 +1509,13 @@ timer:
if (SEQ_GT(tp->snd_nxt + xlen, tp->snd_max))
tp->snd_max = tp->snd_nxt + xlen;
}
-
+ if ((error == 0) &&
+ (TCPS_HAVEESTABLISHED(tp->t_state) &&
+ (tp->t_flags & TF_SACK_PERMIT) &&
+ tp->rcv_numsacks > 0)) {
+ /* Clean up any DSACK's sent */
+ tcp_clean_dsack_blocks(tp);
+ }
if (error) {
/* Record the error. */
TCP_LOG_EVENT(tp, NULL, &so->so_rcv, &so->so_snd, TCP_LOG_OUT,
diff --git a/freebsd/sys/netinet/tcp_sack.c b/freebsd/sys/netinet/tcp_sack.c
index 0f536f6..6d6198d 100644
--- a/freebsd/sys/netinet/tcp_sack.c
+++ b/freebsd/sys/netinet/tcp_sack.c
@@ -151,6 +151,108 @@ SYSCTL_INT(_net_inet_tcp_sack, OID_AUTO, globalholes, CTLFLAG_VNET | CTLFLAG_RD,
&VNET_NAME(tcp_sack_globalholes), 0,
"Global number of TCP SACK holes currently allocated");
+
+/*
+ * This function will find overlaps with the currently stored sackblocks
+ * and add any overlap as a dsack block upfront
+ */
+void
+tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
+{
+ struct sackblk head_blk,mid_blk,saved_blks[MAX_SACK_BLKS];
+ int i, j, n, identical;
+ tcp_seq start, end;
+
+ INP_WLOCK_ASSERT(tp->t_inpcb);
+
+ KASSERT(SEQ_LT(rcv_start, rcv_end), ("rcv_start < rcv_end"));
+
+ if (tp->t_inpcb->inp_socket->so_options & SO_DEBUG) {
+ log(LOG_DEBUG, "\nDSACK update: %d..%d, rcv_nxt: %u\n",
+ rcv_start, rcv_end, tp->rcv_nxt);
+ }
+
+ if (SEQ_LT(rcv_end, tp->rcv_nxt) ||
+ ((rcv_end == tp->rcv_nxt) &&
+ (tp->rcv_numsacks > 0 ) &&
+ (tp->sackblks[0].end == tp->rcv_nxt))) {
+ saved_blks[0].start = rcv_start;
+ saved_blks[0].end = rcv_end;
+ } else {
+ saved_blks[0].start = saved_blks[0].end = 0;
+ }
+
+ head_blk.start = head_blk.end = 0;
+ mid_blk.start = rcv_start;
+ mid_blk.end = rcv_end;
+ identical = 0;
+
+ for (i = 0; i < tp->rcv_numsacks; i++) {
+ start = tp->sackblks[i].start;
+ end = tp->sackblks[i].end;
+ if (SEQ_LT(rcv_end, start)) {
+ /* pkt left to sack blk */
+ continue;
+ }
+ if (SEQ_GT(rcv_start, end)) {
+ /* pkt right to sack blk */
+ continue;
+ }
+ if (SEQ_GT(tp->rcv_nxt, end)) {
+ if ((SEQ_MAX(rcv_start, start) != SEQ_MIN(rcv_end, end)) &&
+ (SEQ_GT(head_blk.start, SEQ_MAX(rcv_start, start)) ||
+ (head_blk.start == head_blk.end))) {
+ head_blk.start = SEQ_MAX(rcv_start, start);
+ head_blk.end = SEQ_MIN(rcv_end, end);
+ }
+ continue;
+ }
+ if (((head_blk.start == head_blk.end) ||
+ SEQ_LT(start, head_blk.start)) &&
+ (SEQ_GT(end, rcv_start) &&
+ SEQ_LEQ(start, rcv_end))) {
+ head_blk.start = start;
+ head_blk.end = end;
+ }
+ mid_blk.start = SEQ_MIN(mid_blk.start, start);
+ mid_blk.end = SEQ_MAX(mid_blk.end, end);
+ if ((mid_blk.start == start) &&
+ (mid_blk.end == end))
+ identical = 1;
+ }
+ if (SEQ_LT(head_blk.start, head_blk.end)) {
+ /* store overlapping range */
+ saved_blks[0].start = SEQ_MAX(rcv_start, head_blk.start);
+ saved_blks[0].end = SEQ_MIN(rcv_end, head_blk.end);
+ }
+ n = 1;
+ /*
+ * Second, if not ACKed, store the SACK block that
+ * overlaps with the DSACK block unless it is identical
+ */
+ if ((SEQ_LT(tp->rcv_nxt, mid_blk.end) &&
+ !((mid_blk.start == saved_blks[0].start) &&
+ (mid_blk.end == saved_blks[0].end))) ||
+ identical == 1) {
+ saved_blks[n].start = mid_blk.start;
+ saved_blks[n++].end = mid_blk.end;
+ }
+ for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) {
+ if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) ||
+ SEQ_GT(tp->sackblks[j].start, mid_blk.end)) &&
+ (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt))))
+ saved_blks[n++] = tp->sackblks[j];
+ }
+ j = 0;
+ for (i = 0; i < n; i++) {
+ /* we can end up with a stale inital entry */
+ if (SEQ_LT(saved_blks[i].start, saved_blks[i].end)) {
+ tp->sackblks[j++] = saved_blks[i];
+ }
+ }
+ tp->rcv_numsacks = j;
+}
+
/*
* This function is called upon receipt of new valid data (while not in
* header prediction mode), and it updates the ordered list of sacks.
@@ -172,9 +274,16 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
/* Check arguments. */
KASSERT(SEQ_LEQ(rcv_start, rcv_end), ("rcv_start <= rcv_end"));
- /* SACK block for the received segment. */
- head_blk.start = rcv_start;
- head_blk.end = rcv_end;
+ if ((rcv_start == rcv_end) &&
+ (tp->rcv_numsacks >= 1) &&
+ (rcv_end == tp->sackblks[0].end)) {
+ /* retaining DSACK block below rcv_nxt (todrop) */
+ head_blk = tp->sackblks[0];
+ } else {
+ /* SACK block for the received segment. */
+ head_blk.start = rcv_start;
+ head_blk.end = rcv_end;
+ }
/*
* Merge updated SACK blocks into head_blk, and save unchanged SACK
@@ -269,6 +378,10 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
if (num_saved >= MAX_SACK_BLKS)
num_saved--;
}
+ if ((rcv_start == rcv_end) &&
+ (rcv_start == tp->sackblks[0].end)) {
+ num_head = 1;
+ }
if (num_saved > 0) {
/*
* Copy the saved SACK blocks back.
@@ -281,6 +394,45 @@ tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
tp->rcv_numsacks = num_head + num_saved;
}
+void
+tcp_clean_dsack_blocks(struct tcpcb *tp)
+{
+ struct sackblk saved_blks[MAX_SACK_BLKS];
+ int num_saved, i;
+
+ INP_WLOCK_ASSERT(tp->t_inpcb);
+ /*
+ * Clean up any DSACK blocks that
+ * are in our queue of sack blocks.
+ *
+ */
+ num_saved = 0;
+ for (i = 0; i < tp->rcv_numsacks; i++) {
+ tcp_seq start = tp->sackblks[i].start;
+ tcp_seq end = tp->sackblks[i].end;
+ if (SEQ_GEQ(start, end) || SEQ_LEQ(start, tp->rcv_nxt)) {
+ /*
+ * Discard this D-SACK block.
+ */
+ continue;
+ }
+ /*
+ * Save this SACK block.
+ */
+ saved_blks[num_saved].start = start;
+ saved_blks[num_saved].end = end;
+ num_saved++;
+ }
+ if (num_saved > 0) {
+ /*
+ * Copy the saved SACK blocks back.
+ */
+ bcopy(saved_blks, &tp->sackblks[0],
+ sizeof(struct sackblk) * num_saved);
+ }
+ tp->rcv_numsacks = num_saved;
+}
+
/*
* Delete all receiver-side SACK information.
*/
diff --git a/freebsd/sys/netinet/tcp_subr.c b/freebsd/sys/netinet/tcp_subr.c
index db2b266..44ec38c 100644
--- a/freebsd/sys/netinet/tcp_subr.c
+++ b/freebsd/sys/netinet/tcp_subr.c
@@ -201,6 +201,11 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(tcp_do_rfc1323), 0,
"Enable rfc1323 (high performance TCP) extensions");
+VNET_DEFINE(int, tcp_ts_offset_per_conn) = 1;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, ts_offset_per_conn, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(tcp_ts_offset_per_conn), 0,
+ "Initialize TCP timestamps per connection instead of per host pair");
+
static int tcp_log_debug = 0;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_debug, CTLFLAG_RW,
&tcp_log_debug, 0, "Log errors caused by incoming TCP segments");
@@ -819,8 +824,12 @@ register_tcp_functions_as_names(struct tcp_function_block *blk, int wait,
}
}
+ if (blk->tfb_flags & TCP_FUNC_BEING_REMOVED) {
+ *num_names = 0;
+ return (EINVAL);
+ }
+
refcount_init(&blk->tfb_refcnt, 0);
- blk->tfb_flags = 0;
blk->tfb_id = atomic_fetchadd_int(&next_tcp_stack_id, 1);
for (i = 0; i < *num_names; i++) {
n = malloc(sizeof(struct tcp_function), M_TCPFUNCTIONS, wait);
@@ -2651,7 +2660,17 @@ tcp_keyed_hash(struct in_conninfo *inc, u_char *key, u_int len)
uint32_t
tcp_new_ts_offset(struct in_conninfo *inc)
{
- return (tcp_keyed_hash(inc, V_ts_offset_secret,
+ struct in_conninfo inc_store, *local_inc;
+
+ if (!V_tcp_ts_offset_per_conn) {
+ memcpy(&inc_store, inc, sizeof(struct in_conninfo));
+ inc_store.inc_lport = 0;
+ inc_store.inc_fport = 0;
+ local_inc = &inc_store;
+ } else {
+ local_inc = inc;
+ }
+ return (tcp_keyed_hash(local_inc, V_ts_offset_secret,
sizeof(V_ts_offset_secret)));
}
diff --git a/freebsd/sys/netinet/tcp_var.h b/freebsd/sys/netinet/tcp_var.h
index 2fbe07a..cca8623 100644
--- a/freebsd/sys/netinet/tcp_var.h
+++ b/freebsd/sys/netinet/tcp_var.h
@@ -798,6 +798,7 @@ VNET_DECLARE(struct inpcbinfo, tcbinfo);
#define V_tcp_do_autosndbuf VNET(tcp_do_autosndbuf)
#define V_tcp_do_ecn VNET(tcp_do_ecn)
#define V_tcp_do_rfc1323 VNET(tcp_do_rfc1323)
+#define V_tcp_ts_offset_per_conn VNET(tcp_ts_offset_per_conn)
#define V_tcp_do_rfc3042 VNET(tcp_do_rfc3042)
#define V_tcp_do_rfc3390 VNET(tcp_do_rfc3390)
#define V_tcp_do_rfc3465 VNET(tcp_do_rfc3465)
@@ -934,7 +935,9 @@ uint32_t tcp_new_ts_offset(struct in_conninfo *);
tcp_seq tcp_new_isn(struct in_conninfo *);
int tcp_sack_doack(struct tcpcb *, struct tcpopt *, tcp_seq);
+void tcp_update_dsack_list(struct tcpcb *, tcp_seq, tcp_seq);
void tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_laststart, tcp_seq rcv_lastend);
+void tcp_clean_dsack_blocks(struct tcpcb *tp);
void tcp_clean_sackreport(struct tcpcb *tp);
void tcp_sack_adjust(struct tcpcb *tp);
struct sackhole *tcp_sack_output(struct tcpcb *tp, int *sack_bytes_rexmt);
diff --git a/freebsd/sys/netinet/udp_usrreq.c b/freebsd/sys/netinet/udp_usrreq.c
index 33b89c2..f89660d 100644
--- a/freebsd/sys/netinet/udp_usrreq.c
+++ b/freebsd/sys/netinet/udp_usrreq.c
@@ -1162,9 +1162,23 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
src.sin_family = 0;
sin = (struct sockaddr_in *)addr;
+retry:
if (sin == NULL ||
(inp->inp_laddr.s_addr == INADDR_ANY && inp->inp_lport == 0)) {
INP_WLOCK(inp);
+ /*
+ * In case we lost a race and another thread bound addr/port
+ * on the inp we cannot keep the wlock (which still would be
+ * fine) as further down, based on these values we make
+ * decisions for the pcbinfo lock. If the locks are not in
+ * synch the assertions on unlock will fire, hence we go for
+ * one retry loop.
+ */
+ if (sin != NULL && (inp->inp_laddr.s_addr != INADDR_ANY ||
+ inp->inp_lport != 0)) {
+ INP_WUNLOCK(inp);
+ goto retry;
+ }
unlock_inp = UH_WLOCKED;
} else {
INP_RLOCK(inp);
@@ -1264,36 +1278,44 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
}
/*
- * Depending on whether or not the application has bound or connected
- * the socket, we may have to do varying levels of work. The optimal
- * case is for a connected UDP socket, as a global lock isn't
- * required at all.
- *
- * In order to decide which we need, we require stability of the
- * inpcb binding, which we ensure by acquiring a read lock on the
- * inpcb. This doesn't strictly follow the lock order, so we play
- * the trylock and retry game; note that we may end up with more
- * conservative locks than required the second time around, so later
- * assertions have to accept that. Further analysis of the number of
- * misses under contention is required.
- *
- * XXXRW: Check that hash locking update here is correct.
+ * In the old days, depending on whether or not the application had
+ * bound or connected the socket, we had to do varying levels of work.
+ * The optimal case was for a connected UDP socket, as a global lock
+ * wasn't required at all.
+ * In order to decide which we need, we required stability of the
+ * inpcb binding, which we ensured by acquiring a read lock on the
+ * inpcb. This didn't strictly follow the lock order, so we played
+ * the trylock and retry game.
+ * With the re-introduction of the route-cache in some cases, we started
+ * to acquire an early inp wlock and a possible race during re-lock
+ * went away. With the introduction of epoch(9) some read locking
+ * became epoch(9) and the lock-order issues also went away.
+ * Due to route-cache we may now hold more conservative locks than
+ * otherwise required and have split up the 2nd case in case 2 and 3
+ * in order to keep the udpinfo lock level in sync with the inp one
+ * for the IP_SENDSRCADDR case below.
*/
pr = inp->inp_socket->so_proto->pr_protocol;
pcbinfo = udp_get_inpcbinfo(pr);
- sin = (struct sockaddr_in *)addr;
if (sin != NULL &&
(inp->inp_laddr.s_addr == INADDR_ANY && inp->inp_lport == 0)) {
INP_HASH_WLOCK(pcbinfo);
unlock_udbinfo = UH_WLOCKED;
- } else if ((sin != NULL && (
- (sin->sin_addr.s_addr == INADDR_ANY) ||
- (sin->sin_addr.s_addr == INADDR_BROADCAST) ||
- (inp->inp_laddr.s_addr == INADDR_ANY) ||
- (inp->inp_lport == 0))) ||
- (src.sin_family == AF_INET)) {
+ } else if (sin != NULL &&
+ (sin->sin_addr.s_addr == INADDR_ANY ||
+ sin->sin_addr.s_addr == INADDR_BROADCAST ||
+ inp->inp_laddr.s_addr == INADDR_ANY ||
+ inp->inp_lport == 0)) {
INP_HASH_RLOCK_ET(pcbinfo, et);
unlock_udbinfo = UH_RLOCKED;
+ } else if (src.sin_family == AF_INET) {
+ if (unlock_inp == UH_WLOCKED) {
+ INP_HASH_WLOCK(pcbinfo);
+ unlock_udbinfo = UH_WLOCKED;
+ } else {
+ INP_HASH_RLOCK_ET(pcbinfo, et);
+ unlock_udbinfo = UH_RLOCKED;
+ }
} else
unlock_udbinfo = UH_UNLOCKED;
@@ -1503,8 +1525,9 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
if (flowtype != M_HASHTYPE_NONE) {
m->m_pkthdr.flowid = flowid;
M_HASHTYPE_SET(m, flowtype);
+ }
#ifdef RSS
- } else {
+ else {
uint32_t hash_val, hash_type;
/*
* Calculate an appropriate RSS hash for UDP and
@@ -1527,10 +1550,8 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
m->m_pkthdr.flowid = hash_val;
M_HASHTYPE_SET(m, hash_type);
}
-#endif
}
-#ifdef RSS
/*
* Don't override with the inp cached flowid value.
*
@@ -1565,12 +1586,22 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
release:
if (unlock_udbinfo == UH_WLOCKED) {
KASSERT(unlock_inp == UH_WLOCKED,
- ("%s: excl udbinfo lock, shared inp lock", __func__));
+ ("%s: excl udbinfo lock %#03x, shared inp lock %#03x, "
+ "sin %p daddr %#010x inp %p laddr %#010x lport %#06x "
+ "src fam %#04x",
+ __func__, unlock_udbinfo, unlock_inp, sin,
+ (sin != NULL) ? sin->sin_addr.s_addr : 0xfefefefe, inp,
+ inp->inp_laddr.s_addr, inp->inp_lport, src.sin_family));
INP_HASH_WUNLOCK(pcbinfo);
INP_WUNLOCK(inp);
} else if (unlock_udbinfo == UH_RLOCKED) {
KASSERT(unlock_inp == UH_RLOCKED,
- ("%s: shared udbinfo lock, excl inp lock", __func__));
+ ("%s: shared udbinfo lock %#03x, excl inp lock %#03x, "
+ "sin %p daddr %#010x inp %p laddr %#010x lport %#06x "
+ "src fam %#04x",
+ __func__, unlock_udbinfo, unlock_inp, sin,
+ (sin != NULL) ? sin->sin_addr.s_addr : 0xfefefefe, inp,
+ inp->inp_laddr.s_addr, inp->inp_lport, src.sin_family));
INP_HASH_RUNLOCK_ET(pcbinfo, et);
INP_RUNLOCK(inp);
} else if (unlock_inp == UH_WLOCKED)
diff --git a/freebsd/sys/netinet6/sctp6_usrreq.c b/freebsd/sys/netinet6/sctp6_usrreq.c
index 6a3391e..3465f3c 100644
--- a/freebsd/sys/netinet6/sctp6_usrreq.c
+++ b/freebsd/sys/netinet6/sctp6_usrreq.c
@@ -912,7 +912,8 @@ sctp6_connect(struct socket *so, struct sockaddr *addr, struct thread *p)
/* We are GOOD to go */
stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
inp->sctp_ep.pre_open_stream_count,
- inp->sctp_ep.port, p);
+ inp->sctp_ep.port, p,
+ SCTP_INITIALIZE_AUTH_PARAMS);
SCTP_ASOC_CREATE_UNLOCK(inp);
if (stcb == NULL) {
/* Gak! no memory */
@@ -925,10 +926,6 @@ sctp6_connect(struct socket *so, struct sockaddr *addr, struct thread *p)
}
SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
-
- /* initialize authentication parameters for the assoc */
- sctp_initialize_auth_params(inp, stcb);
-
sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
SCTP_TCB_UNLOCK(stcb);
return (error);
diff --git a/freebsd/sys/netinet6/udp6_usrreq.c b/freebsd/sys/netinet6/udp6_usrreq.c
index e0fcd06..270b488 100644
--- a/freebsd/sys/netinet6/udp6_usrreq.c
+++ b/freebsd/sys/netinet6/udp6_usrreq.c
@@ -744,9 +744,24 @@ udp6_output(struct socket *so, int flags_arg, struct mbuf *m,
* - when we are not bound to an address and source port (it is
* in6_pcbsetport() which will require the write lock).
*/
+retry:
if (sin6 == NULL || (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) &&
inp->inp_lport == 0)) {
INP_WLOCK(inp);
+ /*
+ * In case we lost a race and another thread bound addr/port
+ * on the inp we cannot keep the wlock (which still would be
+ * fine) as further down, based on these values we make
+ * decisions for the pcbinfo lock. If the locks are not in
+ * synch the assertions on unlock will fire, hence we go for
+ * one retry loop.
+ */
+ if (sin6 != NULL &&
+ (!IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) ||
+ inp->inp_lport != 0)) {
+ INP_WUNLOCK(inp);
+ goto retry;
+ }
unlock_inp = UH_WLOCKED;
} else {
INP_RLOCK(inp);
diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c
index 9f30cf3..f5c3967 100644
--- a/freebsd/sys/netipsec/ipsec.c
+++ b/freebsd/sys/netipsec/ipsec.c
@@ -1325,6 +1325,8 @@ ok:
__func__, replay->overflow,
ipsec_sa2str(sav, buf, sizeof(buf))));
}
+
+ replay->count++;
return (0);
}
diff --git a/freebsd/sys/opencrypto/criov.c b/freebsd/sys/opencrypto/criov.c
index 7fc7d39..a189369 100644
--- a/freebsd/sys/opencrypto/criov.c
+++ b/freebsd/sys/opencrypto/criov.c
@@ -40,6 +40,8 @@ __FBSDID("$FreeBSD$");
#include <sys/kernel.h>
#include <sys/mbuf.h>
#include <sys/uio.h>
+#include <sys/limits.h>
+#include <sys/lock.h>
#include <opencrypto/cryptodev.h>
@@ -241,3 +243,55 @@ crypto_mbuftoiov(struct mbuf *mbuf, struct iovec **iovptr, int *cnt,
*cnt = i;
return 0;
}
+
+static inline void *
+m_contiguous_subsegment(struct mbuf *m, size_t skip, size_t len)
+{
+ int rel_off;
+
+ MPASS(skip <= INT_MAX);
+
+ m = m_getptr(m, (int)skip, &rel_off);
+ if (m == NULL)
+ return (NULL);
+
+ MPASS(rel_off >= 0);
+ skip = rel_off;
+ if (skip + len > m->m_len)
+ return (NULL);
+
+ return (mtod(m, char*) + skip);
+}
+
+static inline void *
+cuio_contiguous_segment(struct uio *uio, size_t skip, size_t len)
+{
+ int rel_off, idx;
+
+ MPASS(skip <= INT_MAX);
+ idx = cuio_getptr(uio, (int)skip, &rel_off);
+ if (idx < 0)
+ return (NULL);
+
+ MPASS(rel_off >= 0);
+ skip = rel_off;
+ if (skip + len > uio->uio_iov[idx].iov_len)
+ return (NULL);
+ return ((char *)uio->uio_iov[idx].iov_base + skip);
+}
+
+void *
+crypto_contiguous_subsegment(int crp_flags, void *crpbuf,
+ size_t skip, size_t len)
+{
+ if ((crp_flags & CRYPTO_F_IMBUF) != 0)
+ return (m_contiguous_subsegment(crpbuf, skip, len));
+ else if ((crp_flags & CRYPTO_F_IOV) != 0)
+ return (cuio_contiguous_segment(crpbuf, skip, len));
+ else {
+ MPASS((crp_flags & (CRYPTO_F_IMBUF | CRYPTO_F_IOV)) !=
+ (CRYPTO_F_IMBUF | CRYPTO_F_IOV));
+ return ((char*)crpbuf + skip);
+ }
+}
+
diff --git a/freebsd/sys/opencrypto/cryptodev.h b/freebsd/sys/opencrypto/cryptodev.h
index c9cf4d0..bd71e51 100644
--- a/freebsd/sys/opencrypto/cryptodev.h
+++ b/freebsd/sys/opencrypto/cryptodev.h
@@ -571,5 +571,7 @@ extern void crypto_copydata(int flags, caddr_t buf, int off, int size,
extern int crypto_apply(int flags, caddr_t buf, int off, int len,
int (*f)(void *, void *, u_int), void *arg);
+extern void *crypto_contiguous_subsegment(int, void *, size_t, size_t);
+
#endif /* _KERNEL */
#endif /* _CRYPTO_CRYPTO_H_ */
diff --git a/freebsd/sys/sys/ata.h b/freebsd/sys/sys/ata.h
index df87ddb..22edb55 100644
--- a/freebsd/sys/sys/ata.h
+++ b/freebsd/sys/sys/ata.h
@@ -143,7 +143,8 @@ struct ata_params {
/*77*/ u_int16_t satacapabilities2;
#define ATA_SATA_CURR_GEN_MASK 0x0006
#define ATA_SUPPORT_NCQ_STREAM 0x0010
-#define ATA_SUPPORT_NCQ_QMANAGEMENT 0x0020
+#define ATA_SUPPORT_NCQ_NON_DATA 0x0020
+#define ATA_SUPPORT_NCQ_QMANAGEMENT ATA_SUPPORT_NCQ_NON_DATA
#define ATA_SUPPORT_RCVSND_FPDMA_QUEUED 0x0040
/*78*/ u_int16_t satasupport;
#define ATA_SUPPORT_NONZERO 0x0002
@@ -152,6 +153,7 @@ struct ata_params {
#define ATA_SUPPORT_INORDERDATA 0x0010
#define ATA_SUPPORT_ASYNCNOTIF 0x0020
#define ATA_SUPPORT_SOFTSETPRESERVE 0x0040
+#define ATA_SUPPORT_NCQ_AUTOSENSE 0x0080
/*79*/ u_int16_t sataenabled;
#define ATA_ENABLED_DAPST 0x0080
@@ -285,7 +287,8 @@ struct ata_params {
#define ATA_FORM_FACTOR_C_FAST 0x0009
/*169*/ u_int16_t support_dsm;
#define ATA_SUPPORT_DSM_TRIM 0x0001
- u_int16_t reserved170[6];
+/*170*/ u_int8_t product_id[8]; /* Additional Product Identifier */
+ u_int16_t reserved174[2];
/*176*/ u_int8_t media_serial[60];
/*206*/ u_int16_t sct;
u_int16_t reserved207[2];
diff --git a/freebsd/sys/sys/file.h b/freebsd/sys/sys/file.h
index 22e6c8d..0e7c296 100644
--- a/freebsd/sys/sys/file.h
+++ b/freebsd/sys/sys/file.h
@@ -410,8 +410,14 @@ _fnoop(void)
return (0);
}
-#define fhold(fp) \
- (refcount_acquire(&(fp)->f_count))
+#ifndef __rtems__
+static __inline __result_use_check bool
+fhold(struct file *fp)
+{
+ return (refcount_acquire_checked(&fp->f_count));
+}
+#endif /* __rtems__ */
+
#ifndef __rtems__
#define fdrop(fp, td) \
(refcount_release(&(fp)->f_count) ? _fdrop((fp), (td)) : _fnoop())
diff --git a/freebsd/sys/sys/lockstat.h b/freebsd/sys/sys/lockstat.h
index 9a6674f..0526f4f 100644
--- a/freebsd/sys/sys/lockstat.h
+++ b/freebsd/sys/sys/lockstat.h
@@ -65,6 +65,13 @@ SDT_PROBE_DECLARE(lockstat, , , sx__spin);
SDT_PROBE_DECLARE(lockstat, , , sx__upgrade);
SDT_PROBE_DECLARE(lockstat, , , sx__downgrade);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__acquire);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__release);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__disown);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__block);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__upgrade);
+SDT_PROBE_DECLARE(lockstat, , , lockmgr__downgrade);
+
SDT_PROBE_DECLARE(lockstat, , , thread__spin);
#define LOCKSTAT_WRITER 0
diff --git a/freebsd/sys/sys/malloc.h b/freebsd/sys/sys/malloc.h
index b120d4b..8351032 100644
--- a/freebsd/sys/sys/malloc.h
+++ b/freebsd/sys/sys/malloc.h
@@ -183,7 +183,7 @@ void *contigmalloc(unsigned long size, struct malloc_type *type, int flags,
void *contigmalloc_domainset(unsigned long size, struct malloc_type *type,
struct domainset *ds, int flags, vm_paddr_t low, vm_paddr_t high,
unsigned long alignment, vm_paddr_t boundary)
- __malloc_like __result_use_check __alloc_size(1) __alloc_align(6);
+ __malloc_like __result_use_check __alloc_size(1) __alloc_align(7);
void free(void *addr, struct malloc_type *type);
void free_domain(void *addr, struct malloc_type *type);
#ifndef __rtems__
diff --git a/freebsd/sys/sys/mount.h b/freebsd/sys/sys/mount.h
index edc66f0..dabb506 100644
--- a/freebsd/sys/sys/mount.h
+++ b/freebsd/sys/sys/mount.h
@@ -368,23 +368,20 @@ void __mnt_vnode_markerfree_active(struct vnode **mvp, struct mount *);
/*
* Internal filesystem control flags stored in mnt_kern_flag.
*
- * MNTK_UNMOUNT locks the mount entry so that name lookup cannot proceed
- * past the mount point. This keeps the subtree stable during mounts
- * and unmounts.
+ * MNTK_UNMOUNT locks the mount entry so that name lookup cannot
+ * proceed past the mount point. This keeps the subtree stable during
+ * mounts and unmounts. When non-forced unmount flushes all vnodes
+ * from the mp queue, the MNTK_UNMOUNT flag prevents insmntque() from
+ * queueing new vnodes.
*
* MNTK_UNMOUNTF permits filesystems to detect a forced unmount while
* dounmount() is still waiting to lock the mountpoint. This allows
* the filesystem to cancel operations that might otherwise deadlock
* with the unmount attempt (used by NFS).
- *
- * MNTK_NOINSMNTQ is strict subset of MNTK_UNMOUNT. They are separated
- * to allow for failed unmount attempt to restore the syncer vnode for
- * the mount.
*/
#define MNTK_UNMOUNTF 0x00000001 /* forced unmount in progress */
#define MNTK_ASYNC 0x00000002 /* filtered async flag */
#define MNTK_SOFTDEP 0x00000004 /* async disabled by softdep */
-#define MNTK_NOINSMNTQ 0x00000008 /* insmntque is not allowed */
#define MNTK_DRAINING 0x00000010 /* lock draining is happening */
#define MNTK_REFEXPIRE 0x00000020 /* refcount expiring is happening */
#define MNTK_EXTENDED_SHARED 0x00000040 /* Allow shared locking for more ops */
diff --git a/freebsd/sys/sys/proc.h b/freebsd/sys/sys/proc.h
index a69d91b..01cf396 100644
--- a/freebsd/sys/sys/proc.h
+++ b/freebsd/sys/sys/proc.h
@@ -813,6 +813,8 @@ struct proc {
#define P2_ASLR_ENABLE 0x00000040 /* Force enable ASLR. */
#define P2_ASLR_DISABLE 0x00000080 /* Force disable ASLR. */
#define P2_ASLR_IGNSTART 0x00000100 /* Enable ASLR to consume sbrk area. */
+#define P2_STKGAP_DISABLE 0x00000800 /* Disable stack gap for MAP_STACK */
+#define P2_STKGAP_DISABLE_EXEC 0x00001000 /* Stack gap disabled after exec */
/* Flags protected by proctree_lock, kept in p_treeflags. */
#define P_TREE_ORPHANED 0x00000001 /* Reparented, on orphan list */
@@ -1126,11 +1128,13 @@ void proc_linkup(struct proc *p, struct thread *td);
struct proc *proc_realparent(struct proc *child);
void proc_reap(struct thread *td, struct proc *p, int *status, int options);
void proc_reparent(struct proc *child, struct proc *newparent, bool set_oppid);
+void proc_add_orphan(struct proc *child, struct proc *parent);
void proc_set_traced(struct proc *p, bool stop);
void proc_wkilled(struct proc *p);
struct pstats *pstats_alloc(void);
void pstats_fork(struct pstats *src, struct pstats *dst);
void pstats_free(struct pstats *ps);
+void proc_clear_orphan(struct proc *p);
void reaper_abandon_children(struct proc *p, bool exiting);
#ifndef __rtems__
int securelevel_ge(struct ucred *cr, int level);
diff --git a/freebsd/sys/sys/refcount.h b/freebsd/sys/sys/refcount.h
index 4171314..0cc4ee6 100644
--- a/freebsd/sys/sys/refcount.h
+++ b/freebsd/sys/sys/refcount.h
@@ -37,6 +37,7 @@
#ifdef _KERNEL
#include <sys/systm.h>
#else
+#include <stdbool.h>
#define KASSERT(exp, msg) /* */
#endif
@@ -55,7 +56,21 @@ refcount_acquire(volatile u_int *count)
atomic_add_int((volatile int *)count, 1);
}
-static __inline int
+static __inline __result_use_check bool
+refcount_acquire_checked(volatile u_int *count)
+{
+ u_int lcount;
+
+ for (lcount = *count;;) {
+ if (__predict_false(lcount + 1 < lcount))
+ return (false);
+ if (__predict_true(atomic_fcmpset_int(count, &lcount,
+ lcount + 1) == 1))
+ return (true);
+ }
+}
+
+static __inline bool
refcount_release(volatile u_int *count)
{
u_int old;
@@ -64,7 +79,7 @@ refcount_release(volatile u_int *count)
old = atomic_fetchadd_int((volatile int *)count, -1);
KASSERT(old > 0, ("refcount %p is zero", count));
if (old > 1)
- return (0);
+ return (false);
/*
* Last reference. Signal the user to call the destructor.
@@ -73,7 +88,7 @@ refcount_release(volatile u_int *count)
* at the start of the function synchronized with this fence.
*/
atomic_thread_fence_acq();
- return (1);
+ return (true);
}
/*
@@ -82,7 +97,7 @@ refcount_release(volatile u_int *count)
*
* A temporary hack until refcount_* APIs are sorted out.
*/
-static __inline __result_use_check int
+static __inline __result_use_check bool
refcount_acquire_if_not_zero(volatile u_int *count)
{
u_int old;
@@ -91,13 +106,13 @@ refcount_acquire_if_not_zero(volatile u_int *count)
for (;;) {
KASSERT(old < UINT_MAX, ("refcount %p overflowed", count));
if (old == 0)
- return (0);
+ return (false);
if (atomic_fcmpset_int(count, &old, old + 1))
- return (1);
+ return (true);
}
}
-static __inline __result_use_check int
+static __inline __result_use_check bool
refcount_release_if_not_last(volatile u_int *count)
{
u_int old;
@@ -106,9 +121,9 @@ refcount_release_if_not_last(volatile u_int *count)
for (;;) {
KASSERT(old > 0, ("refcount %p is zero", count));
if (old == 1)
- return (0);
+ return (false);
if (atomic_fcmpset_int(count, &old, old - 1))
- return (1);
+ return (true);
}
}
diff --git a/freebsd/sys/sys/sysproto.h b/freebsd/sys/sys/sysproto.h
index 82249d3..5ebcdde 100644
--- a/freebsd/sys/sys/sysproto.h
+++ b/freebsd/sys/sys/sysproto.h
@@ -1,7 +1,7 @@
/*
* System call prototypes.
*
- * DO NOT EDIT-- this file is automatically generated.
+ * DO NOT EDIT-- this file is automatically @generated.
* $FreeBSD$
*/
diff --git a/freebsd/sys/sys/vnode.h b/freebsd/sys/sys/vnode.h
index d88ff30..c1235a7 100644
--- a/freebsd/sys/sys/vnode.h
+++ b/freebsd/sys/sys/vnode.h
@@ -660,6 +660,8 @@ void _vhold(struct vnode *, bool);
void vinactive(struct vnode *, struct thread *);
int vinvalbuf(struct vnode *vp, int save, int slpflag, int slptimeo);
int vtruncbuf(struct vnode *vp, off_t length, int blksize);
+void v_inval_buf_range(struct vnode *vp, daddr_t startlbn, daddr_t endlbn,
+ int blksize);
void vunref(struct vnode *);
void vn_printf(struct vnode *vp, const char *fmt, ...) __printflike(2,3);
int vrecycle(struct vnode *vp);
diff --git a/libbsd.py b/libbsd.py
index d6ab989..4885622 100644
--- a/libbsd.py
+++ b/libbsd.py
@@ -2660,6 +2660,7 @@ class user_space(builder.Module):
'sbin/dhclient/privsep.h',
'sbin/dhclient/tree.h',
'sbin/ifconfig/ifconfig.h',
+ 'sbin/ping/utils.h',
'usr.bin/netstat/netstat.h'
]
)
@@ -2929,6 +2930,7 @@ class user_space(builder.Module):
'sbin/pfctl/pf_print_state.c',
'sbin/ping6/ping6.c',
'sbin/ping/ping.c',
+ 'sbin/ping/utils.c',
'sbin/route/route.c',
'sbin/sysctl/sysctl.c',
'usr.bin/netstat/bpf.c',
diff --git a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
index 77b166b..cae62d3 100644
--- a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
+++ b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
@@ -51,6 +51,8 @@
#define altq_remove _bsd_altq_remove
#define altq_remove_queue _bsd_altq_remove_queue
#define altqs_inactive_open _bsd_altqs_inactive_open
+#define am335x_pwm_config_ecap _bsd_am335x_pwm_config_ecap
+#define am335x_pwmss_driver _bsd_am335x_pwmss_driver
#define arp_announce_ifaddr _bsd_arp_announce_ifaddr
#define arp_ifinit _bsd_arp_ifinit
#define arprequest _bsd_arprequest
@@ -587,6 +589,7 @@
#define counter_u64_zero _bsd_counter_u64_zero
#define crc32_tab _bsd_crc32_tab
#define crypto_apply _bsd_crypto_apply
+#define crypto_contiguous_subsegment _bsd_crypto_contiguous_subsegment
#define crypto_copyback _bsd_crypto_copyback
#define crypto_copydata _bsd_crypto_copydata
#define crypto_devallowsoft _bsd_crypto_devallowsoft
@@ -613,7 +616,6 @@
#define crypto_onetimeauth_poly1305_final _bsd_crypto_onetimeauth_poly1305_final
#define crypto_onetimeauth_poly1305_init _bsd_crypto_onetimeauth_poly1305_init
#define crypto_onetimeauth_poly1305_keybytes _bsd_crypto_onetimeauth_poly1305_keybytes
-#define crypto_onetimeauth_poly1305_keygen _bsd_crypto_onetimeauth_poly1305_keygen
#define _crypto_onetimeauth_poly1305_pick_best_implementation _bsd__crypto_onetimeauth_poly1305_pick_best_implementation
#define crypto_onetimeauth_poly1305_statebytes _bsd_crypto_onetimeauth_poly1305_statebytes
#define crypto_onetimeauth_poly1305_update _bsd_crypto_onetimeauth_poly1305_update
@@ -1095,6 +1097,13 @@
#define e1000_write_vfta_generic _bsd_e1000_write_vfta_generic
#define e1000_write_vfta_i350 _bsd_e1000_write_vfta_i350
#define e1000_write_xmdio_reg _bsd_e1000_write_xmdio_reg
+#define edid_is_valid _bsd_edid_is_valid
+#define edid_nproducts _bsd_edid_nproducts
+#define edid_nvendors _bsd_edid_nvendors
+#define edid_parse _bsd_edid_parse
+#define edid_print _bsd_edid_print
+#define edid_products _bsd_edid_products
+#define edid_vendors _bsd_edid_vendors
#define ehci_detach _bsd_ehci_detach
#define ehci_get_port_speed_hostc _bsd_ehci_get_port_speed_hostc
#define ehci_get_port_speed_portsc _bsd_ehci_get_port_speed_portsc
@@ -1221,6 +1230,16 @@
#define eventhandler_find_list _bsd_eventhandler_find_list
#define eventhandler_prune_list _bsd_eventhandler_prune_list
#define eventhandler_register _bsd_eventhandler_register
+#define fb_commonioctl _bsd_fb_commonioctl
+#define fbd_devclass _bsd_fbd_devclass
+#define fbd_driver _bsd_fbd_driver
+#define fbd_list _bsd_fbd_list
+#define fbd_register _bsd_fbd_register
+#define fb_dump_adp_info _bsd_fb_dump_adp_info
+#define fb_dump_mode_info _bsd_fb_dump_mode_info
+#define fbd_unregister _bsd_fbd_unregister
+#define fb_list_head _bsd_fb_list_head
+#define fb_type _bsd_fb_type
#define fdt_addrsize_cells _bsd_fdt_addrsize_cells
#define fdt_data_get _bsd_fdt_data_get
#define fdt_data_to_res _bsd_fdt_data_to_res
@@ -1239,6 +1258,10 @@
#define fdt_immr_va _bsd_fdt_immr_va
#define fdt_is_compatible_strict _bsd_fdt_is_compatible_strict
#define fdt_parent_addr_cells _bsd_fdt_parent_addr_cells
+#define fdt_pinctrl_configure _bsd_fdt_pinctrl_configure
+#define fdt_pinctrl_configure_by_name _bsd_fdt_pinctrl_configure_by_name
+#define fdt_pinctrl_configure_tree _bsd_fdt_pinctrl_configure_tree
+#define fdt_pinctrl_register _bsd_fdt_pinctrl_register
#define fdt_regsize _bsd_fdt_regsize
#define fib4_free_nh_ext _bsd_fib4_free_nh_ext
#define fib4_lookup_nh_basic _bsd_fib4_lookup_nh_basic
@@ -1329,6 +1352,15 @@
#define gpiobus_init_softc _bsd_gpiobus_init_softc
#define gpiobus_release_pin _bsd_gpiobus_release_pin
#define gpio_check_flags _bsd_gpio_check_flags
+#define gpio_pin_get_by_ofw_idx _bsd_gpio_pin_get_by_ofw_idx
+#define gpio_pin_get_by_ofw_name _bsd_gpio_pin_get_by_ofw_name
+#define gpio_pin_get_by_ofw_property _bsd_gpio_pin_get_by_ofw_property
+#define gpio_pin_get_by_ofw_propidx _bsd_gpio_pin_get_by_ofw_propidx
+#define gpio_pin_getcaps _bsd_gpio_pin_getcaps
+#define gpio_pin_is_active _bsd_gpio_pin_is_active
+#define gpio_pin_release _bsd_gpio_pin_release
+#define gpio_pin_set_active _bsd_gpio_pin_set_active
+#define gpio_pin_setflags _bsd_gpio_pin_setflags
#define gre_hashdestroy _bsd_gre_hashdestroy
#define gre_hashinit _bsd_gre_hashinit
#define gre_input _bsd_gre_input
@@ -1998,6 +2030,31 @@
#define igmp_input _bsd_igmp_input
#define igmp_mtx _bsd_igmp_mtx
#define igmp_slowtimo _bsd_igmp_slowtimo
+#define iic2errno _bsd_iic2errno
+#define iicbus_block_read _bsd_iicbus_block_read
+#define iicbus_block_write _bsd_iicbus_block_write
+#define iicbus_devclass _bsd_iicbus_devclass
+#define iicbus_driver _bsd_iicbus_driver
+#define iicbus_generic_intr _bsd_iicbus_generic_intr
+#define iicbus_init_frequency _bsd_iicbus_init_frequency
+#define iicbus_intr _bsd_iicbus_intr
+#define iicbus_null_callback _bsd_iicbus_null_callback
+#define iicbus_null_repeated_start _bsd_iicbus_null_repeated_start
+#define iicbus_read _bsd_iicbus_read
+#define iicbus_read_byte _bsd_iicbus_read_byte
+#define iicbus_release_bus _bsd_iicbus_release_bus
+#define iicbus_repeated_start _bsd_iicbus_repeated_start
+#define iicbus_request_bus _bsd_iicbus_request_bus
+#define iicbus_start _bsd_iicbus_start
+#define iicbus_started _bsd_iicbus_started
+#define iicbus_stop _bsd_iicbus_stop
+#define iicbus_transfer _bsd_iicbus_transfer
+#define iicbus_transfer_excl _bsd_iicbus_transfer_excl
+#define iicbus_transfer_gen _bsd_iicbus_transfer_gen
+#define iicbus_write _bsd_iicbus_write
+#define iicbus_write_byte _bsd_iicbus_write_byte
+#define iicdev_readfrom _bsd_iicdev_readfrom
+#define iicdev_writeto _bsd_iicdev_writeto
#define im6o_mc_filter _bsd_im6o_mc_filter
#define imo_multi_filter _bsd_imo_multi_filter
#define in4_cksum _bsd_in4_cksum
@@ -3032,6 +3089,14 @@
#define ofw_bus_status_okay _bsd_ofw_bus_status_okay
#define ofw_bus_string_list_to_array _bsd_ofw_bus_string_list_to_array
#define ofw_fdt _bsd_ofw_fdt
+#define ofw_gpiobus_add_fdt_child _bsd_ofw_gpiobus_add_fdt_child
+#define ofwgpiobus_devclass _bsd_ofwgpiobus_devclass
+#define ofw_gpiobus_driver _bsd_ofw_gpiobus_driver
+#define ofw_gpiobus_parse_gpios _bsd_ofw_gpiobus_parse_gpios
+#define ofw_gpiobus_register_provider _bsd_ofw_gpiobus_register_provider
+#define ofw_gpiobus_unregister_provider _bsd_ofw_gpiobus_unregister_provider
+#define ofw_iicbus_devclass _bsd_ofw_iicbus_devclass
+#define ofw_iicbus_driver _bsd_ofw_iicbus_driver
#define ofw_parse_bootargs _bsd_ofw_parse_bootargs
#define ofw_reg_to_paddr _bsd_ofw_reg_to_paddr
#define OF_write _bsd_OF_write
@@ -3077,10 +3142,13 @@
#define pcib_attach_common _bsd_pcib_attach_common
#define pcib_bridge_init _bsd_pcib_bridge_init
#define pcib_child_present _bsd_pcib_child_present
+#define pcib_decode_rid _bsd_pcib_decode_rid
#define pcib_detach _bsd_pcib_detach
#define pcib_driver _bsd_pcib_driver
+#define pcib_get_id _bsd_pcib_get_id
#define pcibios_pcib_route_interrupt _bsd_pcibios_pcib_route_interrupt
#define pcib_map_msi _bsd_pcib_map_msi
+#define pcib_maxfuncs _bsd_pcib_maxfuncs
#define pcib_maxslots _bsd_pcib_maxslots
#define pcib_read_ivar _bsd_pcib_read_ivar
#define pcib_release_msi _bsd_pcib_release_msi
@@ -3426,6 +3494,8 @@
#define pgsigio _bsd_pgsigio
#define phashinit _bsd_phashinit
#define phashinit_flags _bsd_phashinit_flags
+#define pick_mode_by_dotclock _bsd_pick_mode_by_dotclock
+#define pick_mode_by_ref _bsd_pick_mode_by_ref
#define pipe_dtor _bsd_pipe_dtor
#define pipe_named_ctor _bsd_pipe_named_ctor
#define pipeselwakeup _bsd_pipeselwakeup
@@ -3437,16 +3507,6 @@
#define Poly1305_Setkey _bsd_Poly1305_Setkey
#define Poly1305_Update _bsd_Poly1305_Update
#define ppsratecheck _bsd_ppsratecheck
-#define preload_addr_relocate _bsd_preload_addr_relocate
-#define preload_bootstrap_relocate _bsd_preload_bootstrap_relocate
-#define preload_delete_name _bsd_preload_delete_name
-#define preload_fetch_addr _bsd_preload_fetch_addr
-#define preload_fetch_size _bsd_preload_fetch_size
-#define preload_metadata _bsd_preload_metadata
-#define preload_search_by_name _bsd_preload_search_by_name
-#define preload_search_by_type _bsd_preload_search_by_type
-#define preload_search_info _bsd_preload_search_info
-#define preload_search_next_name _bsd_preload_search_next_name
#define printf _bsd_printf
#define printf_uuid _bsd_printf_uuid
#define prison0 _bsd_prison0
@@ -3583,6 +3643,7 @@
#define r88e_tx_setup_hwseq _bsd_r88e_tx_setup_hwseq
#define r88e_tx_setup_macid _bsd_r88e_tx_setup_macid
#define r88eu_attach _bsd_r88eu_attach
+#define r88eu_classify_intr _bsd_r88eu_classify_intr
#define r88eu_init_bb _bsd_r88eu_init_bb
#define r88eu_init_intr _bsd_r88eu_init_intr
#define r88eu_init_rx_agg _bsd_r88eu_init_rx_agg
@@ -4509,6 +4570,8 @@
#define Skein_512_Output _bsd_Skein_512_Output
#define Skein_512_Process_Block _bsd_Skein_512_Process_Block
#define Skein_512_Update _bsd_Skein_512_Update
+#define Skein_Get64_LSB_First _bsd_Skein_Get64_LSB_First
+#define Skein_Put64_LSB_First _bsd_Skein_Put64_LSB_First
#define skipjack_backwards _bsd_skipjack_backwards
#define skipjack_forwards _bsd_skipjack_forwards
#define sl_compress_init _bsd_sl_compress_init
@@ -4600,6 +4663,7 @@
#define soreceive_generic _bsd_soreceive_generic
#define soreserve _bsd_soreserve
#define sorflush _bsd_sorflush
+#define sort_modes _bsd_sort_modes
#define sosend _bsd_sosend
#define sosend_dgram _bsd_sosend_dgram
#define sosend_generic _bsd_sosend_generic
@@ -4803,6 +4867,7 @@
#define tcp_autosndbuf_max _bsd_tcp_autosndbuf_max
#define tcp_backoff _bsd_tcp_backoff
#define tcp_ccalgounload _bsd_tcp_ccalgounload
+#define tcp_clean_dsack_blocks _bsd_tcp_clean_dsack_blocks
#define tcp_clean_sackreport _bsd_tcp_clean_sackreport
#define tcp_close _bsd_tcp_close
#define tcp_compute_pipe _bsd_tcp_compute_pipe
@@ -4934,12 +4999,14 @@
#define tcp_timer_suspend _bsd_tcp_timer_suspend
#define tcp_totbackoff _bsd_tcp_totbackoff
#define tcp_trace _bsd_tcp_trace
+#define tcp_ts_offset_per_conn _bsd_tcp_ts_offset_per_conn
#define tcp_tw_2msl_scan _bsd_tcp_tw_2msl_scan
#define tcp_twcheck _bsd_tcp_twcheck
#define tcp_twclose _bsd_tcp_twclose
#define tcp_tw_init _bsd_tcp_tw_init
#define tcp_twstart _bsd_tcp_twstart
#define tcp_tw_zone_change _bsd_tcp_tw_zone_change
+#define tcp_update_dsack_list _bsd_tcp_update_dsack_list
#define tcp_update_sack_list _bsd_tcp_update_sack_list
#define tcp_use_hostcache _bsd_tcp_use_hostcache
#define tcp_usrreqs _bsd_tcp_usrreqs
@@ -4951,6 +5018,7 @@
#define t_functions _bsd_t_functions
#define t_functions_inited _bsd_t_functions_inited
#define ti_am335x_clk_devmap _bsd_ti_am335x_clk_devmap
+#define ti_am335x_pinmux_dev _bsd_ti_am335x_pinmux_dev
#define tick _bsd_tick
#define ticket_altqs_active _bsd_ticket_altqs_active
#define ticket_altqs_inactive _bsd_ticket_altqs_inactive
@@ -4965,6 +5033,10 @@
#define _timeout_task_init _bsd__timeout_task_init
#define timevaladd _bsd_timevaladd
#define timevalsub _bsd_timevalsub
+#define ti_pinmux_padconf_get _bsd_ti_pinmux_padconf_get
+#define ti_pinmux_padconf_get_gpiomode _bsd_ti_pinmux_padconf_get_gpiomode
+#define ti_pinmux_padconf_set _bsd_ti_pinmux_padconf_set
+#define ti_pinmux_padconf_set_gpiomode _bsd_ti_pinmux_padconf_set_gpiomode
#define ti_prcm_clk_disable _bsd_ti_prcm_clk_disable
#define ti_prcm_clk_enable _bsd_ti_prcm_clk_enable
#define ti_prcm_clk_get_source_freq _bsd_ti_prcm_clk_get_source_freq
@@ -5043,7 +5115,6 @@
#define tty_signal_pgrp _bsd_tty_signal_pgrp
#define tty_signal_sessleader _bsd_tty_signal_sessleader
#define tty_timedwait _bsd_tty_timedwait
-#define tty_udev _bsd_tty_udev
#define tty_wait _bsd_tty_wait
#define tty_wait_background _bsd_tty_wait_background
#define tty_wakeup _bsd_tty_wakeup
@@ -5434,7 +5505,21 @@
#define uuidcmp _bsd_uuidcmp
#define uuid_ether_add _bsd_uuid_ether_add
#define uuid_ether_del _bsd_uuid_ether_del
+#define vesagtf_mode _bsd_vesagtf_mode
+#define vesagtf_mode_params _bsd_vesagtf_mode_params
#define vht80_chan_ranges _bsd_vht80_chan_ranges
+#define vid_allocate _bsd_vid_allocate
+#define vid_configure _bsd_vid_configure
+#define videomode_count _bsd_videomode_count
+#define videomode_list _bsd_videomode_list
+#define vid_find_adapter _bsd_vid_find_adapter
+#define vid_get_adapter _bsd_vid_get_adapter
+#define vid_get_switch _bsd_vid_get_switch
+#define vid_init_struct _bsd_vid_init_struct
+#define vid_register _bsd_vid_register
+#define vid_release _bsd_vid_release
+#define vidsw _bsd_vidsw
+#define vid_unregister _bsd_vid_unregister
#define vlan_cookie_p _bsd_vlan_cookie_p
#define vlan_devat_p _bsd_vlan_devat_p
#define vlan_input_p _bsd_vlan_input_p
diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs.h b/rtemsbsd/include/rtems/bsd/local/usbdevs.h
index 048a254..1909e62 100644
--- a/rtemsbsd/include/rtems/bsd/local/usbdevs.h
+++ b/rtemsbsd/include/rtems/bsd/local/usbdevs.h
@@ -4666,6 +4666,7 @@
#define USB_PRODUCT_TPLINK_T4UV2 0x010d /* Archer T4U ver 2 */
#define USB_PRODUCT_TPLINK_T4UHV1 0x0103 /* Archer T4UH ver 1 */
#define USB_PRODUCT_TPLINK_T4UHV2 0x010e /* Archer T4UH ver 2 */
+#define USB_PRODUCT_TPLINK_T2UNANO 0x011e /* Archer T2U Nano */
#define USB_PRODUCT_TPLINK_RTL8153 0x0601 /* RTL8153 USB 10/100/1000 LAN */
/* Trek Technology products */
diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
index ec09988..e7cc465 100644
--- a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
+++ b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
@@ -17822,6 +17822,12 @@ const struct usb_knowndev usb_knowndevs[] = {
"Archer T4UH ver 2",
},
{
+ USB_VENDOR_TPLINK, USB_PRODUCT_TPLINK_T2UNANO,
+ 0,
+ "TP-Link",
+ "Archer T2U Nano",
+ },
+ {
USB_VENDOR_TPLINK, USB_PRODUCT_TPLINK_RTL8153,
0,
"TP-Link",
More information about the vc
mailing list