diff options
| author | John Levon <john.levon@joyent.com> | 2018-10-04 12:28:27 +0000 |
|---|---|---|
| committer | John Levon <john.levon@joyent.com> | 2018-10-04 12:28:27 +0000 |
| commit | c34db11cba16cf94258399fe81d285289a7a0f4e (patch) | |
| tree | 22c0682942f2d818fbd8b69a917e35f14125a514 | |
| parent | 693e171bac5518ae35641a6f58cc970a6b9c37e5 (diff) | |
| parent | 0cd103a9ea5572c37d728a7d26701a18dc9e3a7f (diff) | |
| download | illumos-joyent-c34db11cba16cf94258399fe81d285289a7a0f4e.tar.gz | |
m
20 files changed, 535 insertions, 534 deletions
diff --git a/usr/src/boot/sys/boot/i386/libi386/pxe.h b/usr/src/boot/sys/boot/i386/libi386/pxe.h index 67e2c643d8..f4bf388aa8 100644 --- a/usr/src/boot/sys/boot/i386/libi386/pxe.h +++ b/usr/src/boot/sys/boot/i386/libi386/pxe.h @@ -36,7 +36,8 @@ * It's for your own good. :) */ -/* It seems that intel didn't think about ABI, +/* + * It seems that intel didn't think about ABI, * either that or 16bit ABI != 32bit ABI (which seems reasonable) * I have to thank Intel for the hair loss I incurred trying to figure * out why PXE was mis-reading structures I was passing it (at least @@ -48,7 +49,7 @@ */ #define PACKED __packed -#define S_SIZE(s) s, sizeof(s) - 1 +#define S_SIZE(s) s, sizeof (s) - 1 #define PXENFSROOTPATH "/pxeroot" @@ -92,8 +93,8 @@ typedef struct { uint16_t UNDIDataSize; /* UNDI Data segment size (bytes) */ SEGSEL_t UNDICodeSeg; /* UNDI Code segment address */ uint16_t UNDICodeSize; /* UNDI Code segment size (bytes) */ - SEGOFF16_t PXEPtr; /* SEG:OFF to !PXE struct, - only present when Version > 2.1 */ + /* SEG:OFF to !PXE struct, only present when Version > 2.1 */ + SEGOFF16_t PXEPtr; } PACKED pxenv_t; /* !PXE */ @@ -143,7 +144,8 @@ typedef struct { #define PXENV_UNDI_INITIALIZE 0x0003 typedef struct { PXENV_STATUS_t Status; - ADDR32_t ProtocolIni; /* Phys addr of a copy of the driver module */ + /* Phys addr of a copy of the driver module */ + ADDR32_t ProtocolIni; uint8_t reserved[8]; } PACKED t_PXENV_UNDI_INITIALIZE; @@ -155,7 +157,7 @@ typedef struct { MAC_ADDR McastAddr[MAXNUM_MCADDR]; } PACKED t_PXENV_UNDI_MCAST_ADDRESS; -#define PXENV_UNDI_RESET_ADAPTER 0x0004 +#define PXENV_UNDI_RESET_ADAPTER 0x0004 typedef struct { PXENV_STATUS_t Status; t_PXENV_UNDI_MCAST_ADDRESS R_Mcast_Buf; @@ -171,10 +173,10 @@ typedef struct { PXENV_STATUS_t Status; uint16_t OpenFlag; uint16_t PktFilter; -# define FLTR_DIRECTED 0x0001 -# define FLTR_BRDCST 0x0002 -# define FLTR_PRMSCS 0x0004 -# define FLTR_SRC_RTG 0x0008 +#define FLTR_DIRECTED 0x0001 +#define FLTR_BRDCST 0x0002 +#define FLTR_PRMSCS 0x0004 +#define FLTR_SRC_RTG 0x0008 t_PXENV_UNDI_MCAST_ADDRESS R_Mcast_Buf; } PACKED t_PXENV_UNDI_OPEN; @@ -188,14 +190,14 @@ typedef struct { typedef struct { PXENV_STATUS_t Status; uint8_t Protocol; -# define P_UNKNOWN 0 -# define P_IP 1 -# define P_ARP 2 -# define P_RARP 3 +#define P_UNKNOWN 0 +#define P_IP 1 +#define P_ARP 2 +#define P_RARP 3 uint8_t XmitFlag; -# define XMT_DESTADDR 0x0000 -# define XMT_BROADCAST 0x0001 +#define XMT_DESTADDR 0x0000 +#define XMT_BROADCAST 0x0001 SEGOFF16_t DestAddr; SEGOFF16_t TBD; @@ -236,30 +238,30 @@ typedef struct { #define PXENV_UNDI_GET_INFORMATION 0x000C typedef struct { PXENV_STATUS_t Status; - uint16_t BaseIo; /* Adapter base I/O address */ - uint16_t IntNumber; /* Adapter IRQ number */ - uint16_t MaxTranUnit; /* Adapter maximum transmit unit */ - uint16_t HwType; /* Type of protocol at the hardware addr */ -# define ETHER_TYPE 1 -# define EXP_ETHER_TYPE 2 -# define IEEE_TYPE 6 -# define ARCNET_TYPE 7 - - uint16_t HwAddrLen; /* Length of hardware address */ - MAC_ADDR CurrentNodeAddress; /* Current hardware address */ - MAC_ADDR PermNodeAddress; /* Permanent hardware address */ - SEGSEL_t ROMAddress; /* Real mode ROM segment address */ - uint16_t RxBufCt; /* Receive queue length */ - uint16_t TxBufCt; /* Transmit queue length */ + uint16_t BaseIo; /* Adapter base I/O address */ + uint16_t IntNumber; /* Adapter IRQ number */ + uint16_t MaxTranUnit; /* Adapter maximum transmit unit */ + uint16_t HwType; /* Type of protocol at the hardware addr */ +#define ETHER_TYPE 1 +#define EXP_ETHER_TYPE 2 +#define IEEE_TYPE 6 +#define ARCNET_TYPE 7 + + uint16_t HwAddrLen; /* Length of hardware address */ + MAC_ADDR CurrentNodeAddress; /* Current hardware address */ + MAC_ADDR PermNodeAddress; /* Permanent hardware address */ + SEGSEL_t ROMAddress; /* Real mode ROM segment address */ + uint16_t RxBufCt; /* Receive queue length */ + uint16_t TxBufCt; /* Transmit queue length */ } PACKED t_PXENV_UNDI_GET_INFORMATION; #define PXENV_UNDI_GET_STATISTICS 0x000D typedef struct { PXENV_STATUS_t Status; - uint32_t XmitGoodFrames; /* Number of successful transmissions */ - uint32_t RcvGoodFrames; /* Number of good frames received */ - uint32_t RcvCRCErrors; /* Number of frames with CRC errors */ - uint32_t RcvResourceErrors; /* Number of frames dropped */ + uint32_t XmitGoodFrames; /* Number of successful transmissions */ + uint32_t RcvGoodFrames; /* Number of good frames received */ + uint32_t RcvCRCErrors; /* Number of frames with CRC errors */ + uint32_t RcvResourceErrors; /* Number of frames dropped */ } PACKED t_PXENV_UNDI_GET_STATISTICS; #define PXENV_UNDI_CLEAR_STATISTICS 0x000E @@ -288,9 +290,9 @@ typedef struct { typedef struct { PXENV_STATUS_t Status; uint8_t NicType; /* Type of NIC */ -# define PCI_NIC 2 -# define PnP_NIC 3 -# define CardBus_NIC 4 +#define PCI_NIC 2 +#define PnP_NIC 3 +#define CardBus_NIC 4 union { struct { @@ -326,29 +328,29 @@ typedef struct { #define PXENV_UNDI_ISR 0x0014 typedef struct { PXENV_STATUS_t Status; - uint16_t FuncFlag; /* PXENV_UNDI_ISR_OUT_xxx */ - uint16_t BufferLength; /* Length of Frame */ - uint16_t FrameLength; /* Total length of receiver frame */ - uint16_t FrameHeaderLength; /* Length of the media header in Frame */ - SEGOFF16_t Frame; /* receive buffer */ - uint8_t ProtType; /* Protocol type */ - uint8_t PktType; /* Packet Type */ -# define PXENV_UNDI_ISR_IN_START 1 -# define PXENV_UNDI_ISR_IN_PROCESS 2 -# define PXENV_UNDI_ISR_IN_GET_NEXT 3 + uint16_t FuncFlag; /* PXENV_UNDI_ISR_OUT_xxx */ + uint16_t BufferLength; /* Length of Frame */ + uint16_t FrameLength; /* Total length of receiver frame */ + uint16_t FrameHeaderLength; /* Length of the media header in Frame */ + SEGOFF16_t Frame; /* receive buffer */ + uint8_t ProtType; /* Protocol type */ + uint8_t PktType; /* Packet Type */ +#define PXENV_UNDI_ISR_IN_START 1 +#define PXENV_UNDI_ISR_IN_PROCESS 2 +#define PXENV_UNDI_ISR_IN_GET_NEXT 3 /* one of these will be returned for PXENV_UNDI_ISR_IN_START */ -# define PXENV_UNDI_ISR_OUT_OURS 0 -# define PXENV_UNDI_ISR_OUT_NOT_OUTS 1 +#define PXENV_UNDI_ISR_OUT_OURS 0 +#define PXENV_UNDI_ISR_OUT_NOT_OUTS 1 /* * one of these will be returned for PXEND_UNDI_ISR_IN_PROCESS * and PXENV_UNDI_ISR_IN_GET_NEXT */ -# define PXENV_UNDI_ISR_OUT_DONE 0 -# define PXENV_UNDI_ISR_OUT_TRANSMIT 2 -# define PXENV_UNDI_ISR_OUT_RECEIVE 3 -# define PXENV_UNDI_ISR_OUT_BUSY 4 +#define PXENV_UNDI_ISR_OUT_DONE 0 +#define PXENV_UNDI_ISR_OUT_TRANSMIT 2 +#define PXENV_UNDI_ISR_OUT_RECEIVE 3 +#define PXENV_UNDI_ISR_OUT_BUSY 4 } PACKED t_PXENV_UNDI_ISR; #define PXENV_STOP_UNDI 0x0015 @@ -417,12 +419,12 @@ typedef struct { #define PXENV_UDP_READ 0x0032 typedef struct { PXENV_STATUS_t status; - IP4_t src_ip; /* IP of sender */ - IP4_t dest_ip; /* Only accept packets sent to this IP */ - UDP_PORT_t s_port; /* UDP source port of sender */ - UDP_PORT_t d_port; /* Only accept packets sent to this port */ - uint16_t buffer_size; /* Size of the packet buffer */ - SEGOFF16_t buffer; /* SEG:OFF to the packet buffer */ + IP4_t src_ip; /* IP of sender */ + IP4_t dest_ip; /* Only accept packets sent to this IP */ + UDP_PORT_t s_port; /* UDP source port of sender */ + UDP_PORT_t d_port; /* Only accept packets sent to this port */ + uint16_t buffer_size; /* Size of the packet buffer */ + SEGOFF16_t buffer; /* SEG:OFF to the packet buffer */ } PACKED t_PXENV_UDP_READ; #define PXENV_UDP_WRITE 0x0033 @@ -446,53 +448,55 @@ typedef struct { #define PXENV_GET_CACHED_INFO 0x0071 typedef struct { PXENV_STATUS_t Status; - uint16_t PacketType; /* type (defined right here) */ -# define PXENV_PACKET_TYPE_DHCP_DISCOVER 1 -# define PXENV_PACKET_TYPE_DHCP_ACK 2 -# define PXENV_PACKET_TYPE_BINL_REPLY 3 - uint16_t BufferSize; /* max to copy, leave at 0 for pointer */ - SEGOFF16_t Buffer; /* copy to, leave at 0 for pointer */ - uint16_t BufferLimit; /* max size of buffer in BC dataseg ? */ + uint16_t PacketType; /* type (defined right here) */ +#define PXENV_PACKET_TYPE_DHCP_DISCOVER 1 +#define PXENV_PACKET_TYPE_DHCP_ACK 2 +#define PXENV_PACKET_TYPE_BINL_REPLY 3 + uint16_t BufferSize; /* max to copy, leave at 0 for pointer */ + SEGOFF16_t Buffer; /* copy to, leave at 0 for pointer */ + uint16_t BufferLimit; /* max size of buffer in BC dataseg ? */ } PACKED t_PXENV_GET_CACHED_INFO; -/* structure filled in by PXENV_GET_CACHED_INFO +/* + * structure filled in by PXENV_GET_CACHED_INFO * (how we determine which IP we downloaded the initial bootstrap from) * words can't describe... */ typedef struct { - uint8_t opcode; -# define BOOTP_REQ 1 -# define BOOTP_REP 2 - uint8_t Hardware; /* hardware type */ - uint8_t Hardlen; /* hardware addr len */ - uint8_t Gatehops; /* zero it */ - uint32_t ident; /* random number chosen by client */ - uint16_t seconds; /* seconds since did initial bootstrap */ - uint16_t Flags; /* seconds since did initial bootstrap */ -# define BOOTP_BCAST 0x8000 /* ? */ - IP4_t cip; /* Client IP */ - IP4_t yip; /* Your IP */ - IP4_t sip; /* IP to use for next boot stage */ - IP4_t gip; /* Relay IP ? */ - MAC_ADDR CAddr; /* Client hardware address */ - uint8_t Sname[64]; /* Server's hostname (Optional) */ - uint8_t bootfile[128]; /* boot filename */ + uint8_t opcode; +#define BOOTP_REQ 1 +#define BOOTP_REP 2 + uint8_t Hardware; /* hardware type */ + uint8_t Hardlen; /* hardware addr len */ + uint8_t Gatehops; /* zero it */ + uint32_t ident; /* random number chosen by client */ + uint16_t seconds; /* seconds since did initial bootstrap */ + uint16_t Flags; /* seconds since did initial bootstrap */ +#define BOOTP_BCAST 0x8000 /* ? */ + IP4_t cip; /* Client IP */ + IP4_t yip; /* Your IP */ + IP4_t sip; /* IP to use for next boot stage */ + IP4_t gip; /* Relay IP ? */ + MAC_ADDR CAddr; /* Client hardware address */ + uint8_t Sname[64]; /* Server's hostname (Optional) */ + uint8_t bootfile[128]; /* boot filename */ union { -# if 1 -# define BOOTP_DHCPVEND 1024 /* DHCP extended vendor field size */ -# else -# define BOOTP_DHCPVEND 312 /* DHCP standard vendor field size */ -# endif - uint8_t d[BOOTP_DHCPVEND]; /* raw array of vendor/dhcp options */ +#if 1 +#define BOOTP_DHCPVEND 1024 /* DHCP extended vendor field size */ +#else +#define BOOTP_DHCPVEND 312 /* DHCP standard vendor field size */ +#endif + /* raw array of vendor/dhcp options */ + uint8_t d[BOOTP_DHCPVEND]; struct { - uint8_t magic[4]; /* DHCP magic cookie */ -# ifndef VM_RFC1048 -# define VM_RFC1048 0x63825363L /* ? */ -# endif - uint32_t flags; /* bootp flags/opcodes */ - uint8_t pad[56]; /* I don't think intel knows what a - union does... */ + uint8_t magic[4]; /* DHCP magic cookie */ +#ifndef VM_RFC1048 +#define VM_RFC1048 0x63825363L /* ? */ +#endif + uint32_t flags; /* bootp flags/opcodes */ + /* I don't think intel knows what a union does... */ + uint8_t pad[56]; } v; } vendor; } PACKED BOOTPLAYER; diff --git a/usr/src/cmd/cpc/common/cpustat.c b/usr/src/cmd/cpc/common/cpustat.c index 965fbadfea..79daedc50b 100644 --- a/usr/src/cmd/cpc/common/cpustat.c +++ b/usr/src/cmd/cpc/common/cpustat.c @@ -23,6 +23,10 @@ * Use is subject to license terms. */ +/* + * Copyright 2018 Joyent, Inc. + */ + #include <sys/types.h> #include <sys/processor.h> #include <sys/pset.h> @@ -289,6 +293,21 @@ main(int argc, char *argv[]) (void) setvbuf(stdout, NULL, _IOLBF, 0); /* + * By design, cpustat (regrettably) has multiple threads racing in + * write(2) to generate output. As there are no guarantees made with + * respect to the atomicity of concurrent writes on non-O_APPEND file + * descriptors, we must set O_APPEND on stdout to assure that no output + * is lost. If cpustat is rearchitected such that only one thread is + * generating output (which would also assure that the output is always + * in a consistent order), this code should be removed. + */ + if (fcntl(1, F_SETFL, fcntl(1, F_GETFL) | O_APPEND) == -1) { + (void) fprintf(stderr, gettext("%s: cannot set output to be " + "append-only - %s\n"), opts->pgmname, strerror(errno)); + return (1); + } + + /* * If no system-mode only sets were created, no soaker threads will be * needed. */ diff --git a/usr/src/lib/Makefile b/usr/src/lib/Makefile index 654a35dd5d..bdff519dd6 100644 --- a/usr/src/lib/Makefile +++ b/usr/src/lib/Makefile @@ -635,9 +635,9 @@ libinetsvc: libscf libinstzones: libzonecfg libcontract libipadm: libinetutil libdlpi libdhcpagent libdladm libsecdb libdhcputil libipmp: libinetutil -libipsecutil: libtecla libtsol +libipsecutil: libtecla libtsol libkmf libiscsit: libstmf libuuid -libkmf: libcryptoutil pkcs11 +libkmf: libcryptoutil pkcs11 libcustr libkvm: ../cmd/sgs/libelf libldap5: libsasl libmapid: libresolv2 libscf diff --git a/usr/src/lib/brand/lx/lx_brand/common/signal.c b/usr/src/lib/brand/lx/lx_brand/common/signal.c index a8e3601cb9..b9356d16ab 100644 --- a/usr/src/lib/brand/lx/lx_brand/common/signal.c +++ b/usr/src/lib/brand/lx/lx_brand/common/signal.c @@ -1450,7 +1450,7 @@ lx_call_user_handler(int sig, siginfo_t *sip, void *p) { void (*user_handler)(); void (*stk_builder)(); - struct lx_sigaction *lxsap; + volatile struct lx_sigaction *lxsap; ucontext_t *ucp = (ucontext_t *)p; size_t stksize; int lx_sig; @@ -1480,9 +1480,30 @@ lx_call_user_handler(int sig, siginfo_t *sip, void *p) assert(0); } - if (lxsap->lxsa_handler == SIG_DFL || lxsap->lxsa_handler == SIG_IGN) + while (lxsap->lxsa_handler == SIG_DFL || + lxsap->lxsa_handler == SIG_IGN) { + /* + * This normally shouldn't be possible, but there is a window + * in which a vfork()'d process can have its signal disposition + * corrupted by its child. While this window is narrowed by + * blocking all signals in the brand, that leaves a (smaller) + * window whereby a signal in flight is delivered before the + * brand has blocked them. To detect this case, we will spin + * if our signal disposition is impossible and all signals are + * blocked due to vfork() activity: we know that the vfork()'d + * child will eventually restore the signal disposition before + * it unblocks signals, allowing us to proceed. + */ + if (lx_all_signals_blocked()) + continue; + + if (lxsap->lxsa_handler != SIG_DFL && + lxsap->lxsa_handler != SIG_IGN) + break; + lx_err_fatal("lxsa_handler set to %s? How?!?!?", (lxsap->lxsa_handler == SIG_DFL) ? "SIG_DFL" : "SIG_IGN"); + } #if defined(_LP64) stksize = sizeof (struct lx_sigstack); @@ -1506,7 +1527,7 @@ lx_call_user_handler(int sig, siginfo_t *sip, void *p) lxsap->lxsa_handler = SIG_DFL; lx_sigdeliver(lx_sig, sip, ucp, stksize, stk_builder, user_handler, - lxsap); + (struct lx_sigaction *)lxsap); /* * We need to handle restarting system calls if requested by the @@ -2390,3 +2411,9 @@ lx_unblock_all_signals() { (void) syscall(SYS_brand, B_UNBLOCK_ALL_SIGS); } + +int +lx_all_signals_blocked() +{ + return (syscall(SYS_brand, B_ALL_SIGS_BLOCKED)); +} diff --git a/usr/src/lib/brand/lx/lx_brand/sys/lx_misc.h b/usr/src/lib/brand/lx/lx_brand/sys/lx_misc.h index ce241db8bc..455ac174df 100644 --- a/usr/src/lib/brand/lx/lx_brand/sys/lx_misc.h +++ b/usr/src/lib/brand/lx/lx_brand/sys/lx_misc.h @@ -25,7 +25,7 @@ */ /* - * Copyright 2017 Joyent, Inc. + * Copyright 2018 Joyent, Inc. */ #ifndef _SYS_LX_H @@ -149,6 +149,7 @@ extern void lx_stack_postfork(void); extern void lx_block_all_signals(); extern void lx_unblock_all_signals(); +extern int lx_all_signals_blocked(); /* * NO_UUCOPY disables calls to the uucopy* system calls to help with diff --git a/usr/src/lib/libipsecutil/Makefile.com b/usr/src/lib/libipsecutil/Makefile.com index de17899c49..aef11c9c76 100644 --- a/usr/src/lib/libipsecutil/Makefile.com +++ b/usr/src/lib/libipsecutil/Makefile.com @@ -20,11 +20,12 @@ # # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. +# Copyright 2018, Joyent, Inc. # LIBRARY = libipsecutil.a VERS = .1 -OBJECTS = ipsec_util.o algs.o ipsec_libssl_setup.o +OBJECTS = ipsec_util.o algs.o include ../../Makefile.lib @@ -32,14 +33,16 @@ LIBS += $(DYNLIB) $(LINTLIB) SRCDIR = ../common +BERDIR = $(SRC)/lib/libkmf/ber_der/inc + $(LINTLIB):= SRCS = $(SRCDIR)/$(LINTSRC) -LDLIBS += -ltecla -lsocket -lnsl -lc +LDLIBS += -ltecla -lsocket -lnsl -lc -lkmf -lkmfberder LAZYLIBS = $(ZLAZYLOAD) -ltsol $(ZNOLAZYLOAD) lint := LAZYLIBS = -ltsol LDLIBS += $(LAZYLIBS) CFLAGS += $(CCVERBOSE) -CPPFLAGS += -I$(SRCDIR) +CPPFLAGS += -I$(SRCDIR) -I$(BERDIR) CERRWARN += -_gcc=-Wno-unused-function CERRWARN += -_gcc=-Wno-uninitialized diff --git a/usr/src/lib/libipsecutil/common/ipsec_libssl_setup.c b/usr/src/lib/libipsecutil/common/ipsec_libssl_setup.c deleted file mode 100644 index e63c1b51be..0000000000 --- a/usr/src/lib/libipsecutil/common/ipsec_libssl_setup.c +++ /dev/null @@ -1,326 +0,0 @@ -/* - * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -/* - * Thread setup portions of this code derived from - * OpenSSL 0.9.x file mt/mttest.c examples - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#include <libintl.h> -#include <synch.h> -#include <thread.h> -#include <dlfcn.h> -#include <openssl/lhash.h> -#include <openssl/crypto.h> -#include <openssl/ssl.h> -#include <openssl/err.h> -#include "ipsec_util.h" - -/* OpenSSL function pointers */ -static X509_NAME *(*d2i_X509_NAME_fn)() = NULL; -static int (*X509_NAME_print_ex_fp_fn)() = NULL; -static char *(*ERR_get_error_fn)() = NULL; -static char *(*ERR_error_string_fn)() = NULL; -static void (*SSL_load_error_strings_fn)() = NULL; -static void (*ERR_free_strings_fn)() = NULL; -static void (*CRYPTO_set_locking_callback_fn)() = NULL; -static void (*CRYPTO_set_id_callback_fn)() = NULL; -static void (*X509_NAME_free_fn)() = NULL; -static int (*CRYPTO_num_locks_fn)() = NULL; -static void *(*OPENSSL_malloc_fn)() = NULL; -static void (*OPENSSL_free_fn)() = NULL; - -static void solaris_locking_callback(int, int, char *, int); -static unsigned long solaris_thread_id(void); -static boolean_t thread_setup(void); -/* LINTED E_STATIC_UNUSED */ -static void thread_cleanup(void); - -mutex_t init_lock = DEFAULTMUTEX; -static mutex_t *lock_cs; -static long *lock_count; - -static boolean_t libssl_loaded = B_FALSE; -static boolean_t libcrypto_loaded = B_FALSE; - -void -libssl_load() -{ - void *dldesc; - - (void) mutex_lock(&init_lock); - if (libssl_loaded) { - (void) mutex_unlock(&init_lock); - return; - } - - dldesc = dlopen(LIBSSL, RTLD_LAZY); - if (dldesc != NULL) { - d2i_X509_NAME_fn = (X509_NAME*(*)())dlsym(dldesc, - "d2i_X509_NAME"); - if (d2i_X509_NAME_fn == NULL) - goto libssl_err; - - X509_NAME_print_ex_fp_fn = (int(*)())dlsym(dldesc, - "X509_NAME_print_ex_fp"); - if (X509_NAME_print_ex_fp_fn == NULL) - goto libssl_err; - - ERR_get_error_fn = (char *(*)())dlsym(dldesc, - "ERR_get_error"); - if (ERR_get_error_fn == NULL) - goto libssl_err; - - ERR_error_string_fn = (char *(*)())dlsym(dldesc, - "ERR_error_string"); - if (ERR_error_string_fn == NULL) - goto libssl_err; - - SSL_load_error_strings_fn = (void(*)())dlsym(dldesc, - "SSL_load_error_strings"); - if (SSL_load_error_strings_fn == NULL) - goto libssl_err; - - ERR_free_strings_fn = (void(*)())dlsym(dldesc, - "ERR_free_strings"); - if (ERR_free_strings_fn == NULL) - goto libssl_err; - - CRYPTO_set_locking_callback_fn = (void(*)())dlsym(dldesc, - "CRYPTO_set_locking_callback"); - if (CRYPTO_set_locking_callback_fn == NULL) - goto libssl_err; - - CRYPTO_set_id_callback_fn = (void(*)())dlsym(dldesc, - "CRYPTO_set_id_callback"); - if (CRYPTO_set_id_callback_fn == NULL) - goto libssl_err; - - X509_NAME_free_fn = (void(*)())dlsym(dldesc, - "X509_NAME_free"); - if (X509_NAME_free_fn == NULL) - goto libssl_err; - - if (thread_setup() == B_FALSE) - goto libssl_err; - - libssl_loaded = B_TRUE; - } - (void) mutex_unlock(&init_lock); - return; -libssl_err: - (void) dlclose(dldesc); - (void) mutex_unlock(&init_lock); -} - -void -libcrypto_load() -{ - void *dldesc; - - (void) mutex_lock(&init_lock); - if (libcrypto_loaded) { - (void) mutex_unlock(&init_lock); - return; - } - - dldesc = dlopen(LIBCRYPTO, RTLD_LAZY); - if (dldesc != NULL) { - CRYPTO_num_locks_fn = (int(*)())dlsym(dldesc, - "CRYPTO_num_locks"); - if (CRYPTO_num_locks_fn == NULL) - goto libcrypto_err; - - /* - * OPENSSL_free is really a macro, so we - * need to reference the actual symbol, - * which is CRYPTO_free. - */ - OPENSSL_free_fn = (void(*)())dlsym(dldesc, - "CRYPTO_free"); - if (OPENSSL_free_fn == NULL) - goto libcrypto_err; - - /* - * OPENSSL_malloc is really a macro, so we - * need to reference the actual symbol, - * which is CRYPTO_malloc. - */ - OPENSSL_malloc_fn = (void *(*)())dlsym(dldesc, - "CRYPTO_malloc"); - if (OPENSSL_malloc_fn == NULL) - goto libcrypto_err; - - libcrypto_loaded = B_TRUE; - } - (void) mutex_unlock(&init_lock); - return; -libcrypto_err: - (void) dlclose(dldesc); - (void) mutex_unlock(&init_lock); -} - -static boolean_t -thread_setup(void) -{ - int i; - - if ((lock_cs = OPENSSL_malloc_fn(CRYPTO_num_locks_fn() * - sizeof (mutex_t))) == NULL) - return (B_FALSE); - if ((lock_count = OPENSSL_malloc_fn(CRYPTO_num_locks_fn() * - sizeof (long))) == NULL) { - OPENSSL_free_fn(lock_cs); - return (B_FALSE); - } - - for (i = 0; i < CRYPTO_num_locks_fn(); i++) { - lock_count[i] = 0; - (void) mutex_init(&(lock_cs[i]), USYNC_THREAD, NULL); - } - - CRYPTO_set_id_callback_fn((unsigned long (*)())solaris_thread_id); - CRYPTO_set_locking_callback_fn((void (*)())solaris_locking_callback); - return (B_TRUE); -} - -static void -thread_cleanup(void) -{ - int i; - - (void) mutex_lock(&init_lock); - CRYPTO_set_locking_callback_fn(NULL); - CRYPTO_set_id_callback_fn(NULL); - for (i = 0; i < CRYPTO_num_locks_fn(); i++) - (void) mutex_destroy(&(lock_cs[i])); - OPENSSL_free_fn(lock_cs); - OPENSSL_free_fn(lock_count); - (void) mutex_unlock(&init_lock); -} - -/* ARGSUSED */ -static void -solaris_locking_callback(int mode, int type, char *file, int line) -{ - if (mode & CRYPTO_LOCK) { - (void) mutex_lock(&(lock_cs[type])); - lock_count[type]++; - } else { - (void) mutex_unlock(&(lock_cs[type])); - } -} - -static unsigned long -solaris_thread_id(void) -{ - unsigned long ret; - - ret = (unsigned long)thr_self(); - return (ret); -} - -void -print_asn1_name(FILE *file, const unsigned char *buf, long buflen) -{ - libcrypto_load(); - if (libcrypto_loaded) - libssl_load(); - - if (libssl_loaded && libcrypto_loaded) { - X509_NAME *x509name = NULL; - const unsigned char *p; - - /* Make an effort to decode the ASN1 encoded name */ - SSL_load_error_strings_fn(); - - /* - * Temporary variable is mandatory per d2i_X509(3). Upcoming - * call to d2i_X509_NAME_fn() will change the 'p' pointer. - */ - p = buf; - - x509name = d2i_X509_NAME_fn(NULL, &p, buflen); - if (x509name != NULL) { - (void) X509_NAME_print_ex_fp_fn(file, x509name, 0, - (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | - XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN)); - X509_NAME_free_fn(x509name); - (void) fprintf(file, "\n"); - } else { - char errbuf[80]; - - (void) fprintf(file, "\n# %s\n", - ERR_error_string_fn(ERR_get_error_fn(), errbuf)); - (void) fprintf(file, dgettext(TEXT_DOMAIN, - "<cannot interpret>\n")); - } - ERR_free_strings_fn(); - } else { - (void) fprintf(file, dgettext(TEXT_DOMAIN, "<cannot print>\n")); - } -} diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.c b/usr/src/lib/libipsecutil/common/ipsec_util.c index 017259967c..e27a47e63b 100644 --- a/usr/src/lib/libipsecutil/common/ipsec_util.c +++ b/usr/src/lib/libipsecutil/common/ipsec_util.c @@ -24,6 +24,7 @@ * Use is subject to license terms. * Copyright 2012 Milan Juri. All rights reserved. * Copyright 2018 Joyent, Inc. + * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. */ #include <unistd.h> @@ -47,6 +48,8 @@ #include <setjmp.h> #include <libgen.h> #include <libscf.h> +#include <kmfapi.h> +#include <ber_der.h> #include "ipsec_util.h" #include "ikedoor.h" @@ -3475,3 +3478,28 @@ ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...) (void) fclose(fp); exit(exit_status); } + +void +print_asn1_name(FILE *file, const unsigned char *buf, long buflen) +{ + KMF_X509_NAME name = { 0 }; + KMF_DATA data = { 0 }; + char *str = NULL; + + data.Data = (unsigned char *)buf; + data.Length = buflen; + + if (DerDecodeName(&data, &name) != KMF_OK) + goto fail; + + if (kmf_dn_to_string(&name, &str) != KMF_OK) + goto fail; + + (void) fprintf(file, "%s\n", str); + kmf_free_dn(&name); + free(str); + return; +fail: + kmf_free_dn(&name); + (void) fprintf(file, dgettext(TEXT_DOMAIN, "<cannot interpret>\n")); +} diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.h b/usr/src/lib/libipsecutil/common/ipsec_util.h index 44154e5c33..7f779bb95f 100644 --- a/usr/src/lib/libipsecutil/common/ipsec_util.h +++ b/usr/src/lib/libipsecutil/common/ipsec_util.h @@ -23,7 +23,7 @@ * Use is subject to license terms. */ /* - * Copyright 2017 Joyent, Inc. + * Copyright 2018 Joyent, Inc. */ #ifndef _IPSEC_UTIL_H @@ -214,20 +214,6 @@ extern int dbgstr2num(char *); extern int parsedbgopts(char *); /* - * SSL library (OpenSSL) - */ -#define LIBSSL "libssl.so" - -void libssl_load(void); - -/* - * crypto library (OpenSSL) - */ -#define LIBCRYPTO "libcrypto.so" - -void libcrypto_load(void); - -/* * functions to manipulate the IKEv1 kmcookie-label mapping file */ diff --git a/usr/src/lib/libkmf/include/kmfapi.h b/usr/src/lib/libkmf/include/kmfapi.h index 9aeb0ca202..dbe09b2db6 100644 --- a/usr/src/lib/libkmf/include/kmfapi.h +++ b/usr/src/lib/libkmf/include/kmfapi.h @@ -19,6 +19,7 @@ * CDDL HEADER END * * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright 2018, Joyent, Inc. * * Constant definitions and function prototypes for the KMF library. * Commonly used data types are defined in "kmftypes.h". @@ -275,6 +276,7 @@ extern KMF_RETURN kmf_get_kmf_error_str(KMF_RETURN, char **); * Miscellaneous */ extern KMF_RETURN kmf_dn_parser(char *, KMF_X509_NAME *); +extern KMF_RETURN kmf_dn_to_string(KMF_X509_NAME *, char **); extern KMF_RETURN kmf_read_input_file(KMF_HANDLE_T, char *, KMF_DATA *); extern KMF_RETURN kmf_der_to_pem(KMF_OBJECT_TYPE, unsigned char *, int, unsigned char **, int *); diff --git a/usr/src/lib/libkmf/libkmf/Makefile.com b/usr/src/lib/libkmf/libkmf/Makefile.com index a704d1e5a8..43de43cb1d 100644 --- a/usr/src/lib/libkmf/libkmf/Makefile.com +++ b/usr/src/lib/libkmf/libkmf/Makefile.com @@ -19,6 +19,7 @@ # CDDL HEADER END # # Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2018, Joyent, Inc. # LIBRARY= libkmf.a @@ -56,8 +57,8 @@ LIBS= $(DYNLIB) $(LINTLIB) $(LINTLIB) := SRCS = $(SRCDIR)/$(LINTSRC) -LDLIBS += $(BERDERLIB) $(CRYPTOUTILLIB) -lmd -lpkcs11 -lnsl -lsocket -lc -LDLIBS6 += $(BERDERLIB64) $(CRYPTOUTILLIB64) -lmd -lpkcs11 -lnsl -lsocket -lc +LDLIBS += $(BERDERLIB) $(CRYPTOUTILLIB) -lmd -lpkcs11 -lnsl -lsocket -lc +LDLIBS += -lcustr # DYNLIB libraries do not have lint libs and are not linted $(DYNLIB) := LDLIBS += -lxml2 diff --git a/usr/src/lib/libkmf/libkmf/common/mapfile-vers b/usr/src/lib/libkmf/libkmf/common/mapfile-vers index 4e8d0d848d..977112d733 100644 --- a/usr/src/lib/libkmf/libkmf/common/mapfile-vers +++ b/usr/src/lib/libkmf/libkmf/common/mapfile-vers @@ -19,6 +19,7 @@ # CDDL HEADER END # # Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2018, Joyent, Inc. # # # MAPFILE HEADER START @@ -401,6 +402,7 @@ SYMBOL_VERSION SUNWprivate_1.1 { GetIDFromSPKI; IsEqualOid; kmf_create_pk11_session; + kmf_dn_to_string; kmf_select_token; parsePolicyElement; PKCS_DigestData; diff --git a/usr/src/lib/libkmf/libkmf/common/rdn_parser.c b/usr/src/lib/libkmf/libkmf/common/rdn_parser.c index 5cc22146d8..3e23c0ac56 100644 --- a/usr/src/lib/libkmf/libkmf/common/rdn_parser.c +++ b/usr/src/lib/libkmf/libkmf/common/rdn_parser.c @@ -33,6 +33,8 @@ * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * + * Copyright 2018, Joyent, Inc. + * * File: rdn_parser.c */ @@ -44,6 +46,7 @@ #include <rdn_parser.h> #include <stdio.h> #include <values.h> +#include <libcustr.h> /* * The order here is important. The OIDs are arranged in order of @@ -535,3 +538,218 @@ kmf_dn_parser(char *string, KMF_X509_NAME *name) err = ParseDistinguishedName(string, (int)strlen(string), name); return (err); } + +static const char hexdigits[] = "0123456789abcdef"; + +static KMF_RETURN +binvalue_to_string(KMF_DATA *data, custr_t *str) +{ + size_t i; + uchar_t c; + + if (custr_appendc(str, '#') != 0) + return (KMF_ERR_MEMORY); + + for (i = 0; i < data->Length; i++) { + c = data->Data[i]; + if (custr_appendc(str, hexdigits[(c >> 4) & 0xf]) != 0 || + custr_appendc(str, hexdigits[(c & 0xf)]) != 0) { + return (KMF_ERR_MEMORY); + } + } + + return (KMF_OK); +} + +/* + * Convert an RDN value into a printable name with appropriate escaping. + * The rules are taken from RFC4514. While it is dealing with LDAP + * distinguished names, both LDAP and x509 certificates are based on the + * same underlying ITU standards, and as far as I can determine, the same + * rules apply (or at least the rules for LDAP DNs apply the same to x509 + * DNs). + */ +static KMF_RETURN +value_to_string(KMF_DATA *data, custr_t *str) +{ + size_t i; + uchar_t c; + + for (i = 0; i < data->Length; i++) { + c = data->Data[i]; + + /* + * While technically not required, it is suggested that + * printable non-ascii characters (e.g. multi-byte UTF-8 + * characters) are converted as escaped hex (as well as + * unprintable characters). AFAIK there is no one canonical + * string representation (e.g. attribute names are case + * insensitive, so 'CN=foo' and 'cn=foo' convert to the same + * binary representation, but there is nothing to say if + * either string form is canonical), so this shouldn't + * pose a problem. + */ + if (c < ' ' || c >= 0x7f) { + /* + * RFC4514 specifies the hex form in a DN string as + * \{hex}{hex}. OpenSSL uses capitals for A-F so we + * do the same. + */ + if (custr_append_printf(str, "\\%02hhX", c) != 0) + return (KMF_ERR_MEMORY); + continue; + } + + switch (c) { + case '#': + /* Escape # if at the start of a value */ + if (i != 0) + break; + /* FALLTHROUGH */ + case ' ': + /* Escape ' ' if at the start or end of a value */ + if (i != 0 && i + 1 != data->Length) + break; + /* FALLTHROUGH */ + case '"': + case '+': + case ',': + case ';': + case '<': + case '>': + case '\\': + /* Escape these */ + if (custr_appendc(str, '\\') != 0) + return (KMF_ERR_MEMORY); + } + + if (custr_appendc(str, c) != 0) + return (KMF_ERR_MEMORY); + } + + return (KMF_OK); +} + +/* + * Translate an attribute/value pair into a string. If the attribute OID + * is a well known OID (in name2kinds) we use the name instead of the OID. + */ +static KMF_RETURN +ava_to_string(KMF_X509_TYPE_VALUE_PAIR *tvp, custr_t *str) +{ + KMF_OID *kind_oid; + KMF_OID *rdn_oid = &tvp->type; + const char *attr = NULL; + size_t i; + KMF_RETURN ret = KMF_OK; + boolean_t found = B_FALSE; + + for (i = 0; name2kinds[i].name != NULL; i++) { + kind_oid = name2kinds[i].OID; + + if (!IsEqualOid(kind_oid, rdn_oid)) + continue; + + attr = name2kinds[i].name; + found = B_TRUE; + break; + } + + if (!found && (attr = kmf_oid_to_string(rdn_oid)) == NULL) { + ret = KMF_ERR_MEMORY; + goto done; + } + if (custr_append(str, attr) != 0) { + ret = KMF_ERR_MEMORY; + goto done; + } + if (custr_appendc(str, '=') != 0) { + ret = KMF_ERR_MEMORY; + goto done; + } + + /* + * RFC4514 indicates that an oid=value pair should have the value + * printed as #xxxxxx. In addition, we also print as a binary + * value if the BER tag does not indicate the value is some sort + * of printable string. + */ + switch (tvp->valueType) { + case BER_UTF8_STRING: + case BER_PRINTABLE_STRING: + case BER_T61STRING: + case BER_IA5STRING: + if (found) { + ret = value_to_string(&tvp->value, str); + break; + } + /*FALLTHROUGH*/ + default: + ret = binvalue_to_string(&tvp->value, str); + break; + } + +done: + if (!found) + free((void *)attr); + + return (ret); +} + +static KMF_RETURN +rdn_to_string(KMF_X509_RDN *rdn, custr_t *str) +{ + KMF_RETURN ret; + size_t i; + + for (i = 0; i < rdn->numberOfPairs; i++) { + if (i > 0 && custr_appendc(str, '+') != 0) + return (KMF_ERR_MEMORY); + + ret = ava_to_string(&rdn->AttributeTypeAndValue[i], str); + if (ret != KMF_OK) + return (ret); + } + + return (KMF_OK); +} + +/* + * kmf_dn_to_string + * + * Take a binary KMF_X509_NAME and convert it into a human readable string. + */ +KMF_RETURN +kmf_dn_to_string(KMF_X509_NAME *name, char **string) +{ + custr_t *str = NULL; + KMF_RETURN err = KMF_OK; + size_t i; + + if (name == NULL || string == NULL) + return (KMF_ERR_BAD_PARAMETER); + + *string = NULL; + + if (custr_alloc(&str) != 0) + return (KMF_ERR_MEMORY); + + for (i = 0; i < name->numberOfRDNs; i++) { + KMF_X509_RDN *rdn = &name->RelativeDistinguishedName[i]; + + if (i > 0 && custr_append(str, ", ") != 0) { + err = KMF_ERR_MEMORY; + goto done; + } + + if ((err = rdn_to_string(rdn, str)) != KMF_OK) + goto done; + } + + if ((*string = strdup(custr_cstr(str))) == NULL) + err = KMF_ERR_MEMORY; + +done: + custr_free(str); + return (err); +} diff --git a/usr/src/lib/pkcs11/pkcs11_tpm/common/apiutil.c b/usr/src/lib/pkcs11/pkcs11_tpm/common/apiutil.c index 07b6ceb656..3c969c2762 100644 --- a/usr/src/lib/pkcs11/pkcs11_tpm/common/apiutil.c +++ b/usr/src/lib/pkcs11/pkcs11_tpm/common/apiutil.c @@ -289,6 +289,8 @@ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright 2018 Gary Mills */ #include <alloca.h> @@ -301,23 +303,30 @@ extern API_Proc_Struct_t *Anchor; extern int logging; void logit(int, char *, ...); +#ifdef DEBUG static int enabled = 0; +#endif /* DEBUG */ void -loginit() { +loginit() +{ +#ifdef DEBUG if (!enabled) { enabled = 1; openlog("tpmtoken", LOG_PID | LOG_NDELAY, LOG_DAEMON); (void) setlogmask(LOG_UPTO(LOG_DEBUG)); logit(LOG_DEBUG, "Logging enabled %d enabled", enabled); } +#endif /* DEBUG */ } void logterm() { +#ifdef DEBUG closelog(); enabled = 0; +#endif /* DEBUG */ } /*ARGSUSED*/ @@ -343,8 +352,7 @@ logit(int type, char *fmt, ...) } void -AddToSessionList(pSess) - Session_Struct_t *pSess; +AddToSessionList(Session_Struct_t *pSess) { Session_Struct_t *pCur; @@ -370,8 +378,7 @@ AddToSessionList(pSess) } void -RemoveFromSessionList(pSess) - Session_Struct_t *pSess; +RemoveFromSessionList(Session_Struct_t *pSess) { Session_Struct_t *pCur, *pTmp; diff --git a/usr/src/man/man3lib/libkmf.3lib b/usr/src/man/man3lib/libkmf.3lib index 8c5fa00144..2c69a23f07 100644 --- a/usr/src/man/man3lib/libkmf.3lib +++ b/usr/src/man/man3lib/libkmf.3lib @@ -1,9 +1,10 @@ '\" te .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved. +.\" Copyright 2018 OmniOS Community Edition (OmniOSce) Association. .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH LIBKMF 3LIB "Feb 7, 2008" +.TH LIBKMF 3LIB "Mar 21, 2018" .SH NAME libkmf \- Key Management Framework library .SH SYNOPSIS @@ -14,7 +15,6 @@ cc [ \fIflag\fR... ] \fIfile\fR... \fB-lkmf\fR [ \fIlibrary\fR... ] .fi .SH DESCRIPTION -.sp .LP These functions comprise the Key Management Framework library. They are intended to be used by applications that need to perform operations involving @@ -22,7 +22,6 @@ the creation and management of public key objects such as public/private key pairs, certificates, certificate signing requests, certificate validation, certificate revocation lists, and OCSP response processing. .SH INTERFACES -.sp .LP The shared object \fBlibkmf.so.1\fR provides the public interfaces defined below. See \fBIntro\fR(3) for additional information on shared object @@ -43,70 +42,69 @@ l l . \fBkmf_decrypt\fR \fBkmf_delete_cert_from_keystore\fR \fBkmf_delete_crl\fR \fBkmf_delete_key_from_keystore\fR \fBkmf_delete_policy_from_db\fR \fBkmf_der_to_pem\fR -\fBkmf_dn_parser\fR \fBkmf_download_cert\fR -\fBkmf_download_crl\fR \fBkmf_ekuname_to_oid\fR -\fBkmf_encode_cert_record\fR \fBkmf_encrypt\fR -\fBkmf_export_pk12\fR \fBkmf_finalize\fR -\fBkmf_find_attr\fR \fBkmf_find_cert\fR -\fBkmf_find_cert_in_crl\fR \fBkmf_find_crl\fR -\fBkmf_find_key\fR \fBkmf_find_prikey_by_cert\fR -\fBkmf_free_algoid\fR \fBkmf_free_bigint\fR -\fBkmf_free_crl_dist_pts\fR \fBkmf_free_data\fR -\fBkmf_free_dn\fR \fBkmf_free_eku\fR -\fBkmf_free_eku_policy\fR \fBkmf_free_extn\fR -\fBkmf_free_kmf_cert\fR \fBkmf_free_kmf_key\fR -\fBkmf_free_policy_record\fR \fBkmf_free_raw_key\fR -\fBkmf_free_raw_sym_key\fR \fBkmf_free_signed_cert\fR -\fBkmf_free_signed_csr\fR \fBkmf_free_spki\fR -\fBkmf_free_str\fR \fBkmf_free_tbs_cert\fR -\fBkmf_free_tbs_csr\fR \fBkmf_get_attr\fR -\fBkmf_get_attr_ptr\fR \fBkmf_get_cert_auth_info_access\fR -\fBkmf_get_cert_basic_constraint\fR \fBkmf_get_cert_crl_dist_pts\fR -\fBkmf_get_cert_eku\fR \fBkmf_get_cert_email_str\fR -\fBkmf_get_cert_end_date_str\fR \fBkmf_get_cert_extn\fR -\fBkmf_get_cert_extn_str\fR \fBkmf_get_cert_id_data\fR -\fBkmf_get_cert_id_str\fR \fBkmf_get_cert_issuer_str\fR -\fBkmf_get_cert_ku\fR \fBkmf_get_cert_policies\fR -\fBkmf_get_cert_pubkey_alg_str\fR \fBkmf_get_cert_pubkey_str\fR -\fBkmf_get_cert_serial_str\fR \fBkmf_get_cert_sig_alg_str\fR -\fBkmf_get_cert_start_date_str\fR \fBkmf_get_cert_subject_str\fR -\fBkmf_get_cert_validity\fR \fBkmf_get_cert_version_str\fR -\fBkmf_get_data_format\fR \fBkmf_get_encoded_ocsp_response\fR -\fBkmf_get_file_format\fR \fBkmf_get_kmf_error_str\fR -\fBkmf_get_ocsp_for_cert\fR \fBkmf_get_ocsp_status_for_cert\fR -\fBkmf_get_pk11_handle\fR \fBkmf_get_plugin_error_str\fR -\fBkmf_get_policy\fR \fBkmf_get_string_attr\fR -\fBkmf_get_sym_key_value\fR \fBkmf_hexstr_to_bytes\fR -\fBkmf_import_crl\fR \fBkmf_import_cert\fR -\fBkmf_import_objects\fR \fBkmf_initialize\fR -\fBkmf_is_cert_data\fR \fBkmf_is_cert_file\fR -\fBkmf_is_crl_file\fR \fBkmf_ku_to_string\fR -\fBkmf_list_crl\fR \fBkmf_oid_to_ekuname\fR -\fBkmf_oid_to_string\fR \fBkmf_pem_to_der\fR -\fBkmf_pk11_token_lookup\fR \fBkmf_read_input_file\fR -\fBkmf_select_token\fR \fBkmf_set_attr\fR -\fBkmf_set_attr_at_index\fR \fBkmf_set_cert_basic_constraint\fR -\fBkmf_set_cert_extn\fR \fBkmf_set_cert_issuer\fR -\fBkmf_set_cert_issuer_altname\fR \fBkmf_set_cert_ku\fR -\fBkmf_set_cert_pubkey\fR \fBkmf_set_cert_serial\fR -\fBkmf_set_cert_sig_alg\fR \fBkmf_set_cert_subject\fR -\fBkmf_set_cert_subject_altname\fR \fBkmf_set_cert_validity\fR -\fBkmf_set_cert_version\fR \fBkmf_set_csr_extn\fR -\fBkmf_set_csr_ku\fR \fBkmf_set_csr_pubkey\fR -\fBkmf_set_csr_sig_alg\fR \fBkmf_set_csr_subject\fR -\fBkmf_set_csr_subject_altname\fR \fBkmf_set_csr_version\fR -\fBkmf_set_policy\fR \fBkmf_set_token_pin\fR -\fBkmf_sign_cert\fR \fBkmf_sign_csr\fR -\fBkmf_sign_data\fR \fBkmf_store_cert\fR -\fBkmf_store_key\fR \fBkmf_string_to_ku\fR -\fBkmf_string_to_oid\fR \fBkmf_validate_cert\fR -\fBkmf_verify_cert\fR \fBkmf_verify_crl_file\fR -\fBkmf_verify_csr\fR \fBkmf_verify_data\fR -\fBkmf_verify_policy\fR +\fBkmf_dn_parser\fR \fBkmf_dn_to_string\fR +\fBkmf_download_cert\fR \fBkmf_download_crl\fR +\fBkmf_ekuname_to_oid\fR \fBkmf_encode_cert_record\fR +\fBkmf_encrypt\fR \fBkmf_export_pk12\fR +\fBkmf_finalize\fR \fBkmf_find_attr\fR +\fBkmf_find_cert\fR \fBkmf_find_cert_in_crl\fR +\fBkmf_find_crl\fR \fBkmf_find_key\fR +\fBkmf_find_prikey_by_cert\fR \fBkmf_free_algoid\fR +\fBkmf_free_bigint\fR \fBkmf_free_crl_dist_pts\fR +\fBkmf_free_data\fR \fBkmf_free_dn\fR +\fBkmf_free_eku\fR \fBkmf_free_eku_policy\fR +\fBkmf_free_extn\fR \fBkmf_free_kmf_cert\fR +\fBkmf_free_kmf_key\fR \fBkmf_free_policy_record\fR +\fBkmf_free_raw_key\fR \fBkmf_free_raw_sym_key\fR +\fBkmf_free_signed_cert\fR \fBkmf_free_signed_csr\fR +\fBkmf_free_spki\fR \fBkmf_free_str\fR +\fBkmf_free_tbs_cert\fR \fBkmf_free_tbs_csr\fR +\fBkmf_get_attr\fR \fBkmf_get_attr_ptr\fR +\fBkmf_get_cert_auth_info_access\fR \fBkmf_get_cert_basic_constraint\fR +\fBkmf_get_cert_crl_dist_pts\fR \fBkmf_get_cert_eku\fR +\fBkmf_get_cert_email_str\fR \fBkmf_get_cert_end_date_str\fR +\fBkmf_get_cert_extn\fR \fBkmf_get_cert_extn_str\fR +\fBkmf_get_cert_id_data\fR \fBkmf_get_cert_id_str\fR +\fBkmf_get_cert_issuer_str\fR \fBkmf_get_cert_ku\fR +\fBkmf_get_cert_policies\fR \fBkmf_get_cert_pubkey_alg_str\fR +\fBkmf_get_cert_pubkey_str\fR \fBkmf_get_cert_serial_str\fR +\fBkmf_get_cert_sig_alg_str\fR \fBkmf_get_cert_start_date_str\fR +\fBkmf_get_cert_subject_str\fR \fBkmf_get_cert_validity\fR +\fBkmf_get_cert_version_str\fR \fBkmf_get_data_format\fR +\fBkmf_get_encoded_ocsp_response\fR \fBkmf_get_file_format\fR +\fBkmf_get_kmf_error_str\fR \fBkmf_get_ocsp_for_cert\fR +\fBkmf_get_ocsp_status_for_cert\fR \fBkmf_get_pk11_handle\fR +\fBkmf_get_plugin_error_str\fR \fBkmf_get_policy\fR +\fBkmf_get_string_attr\fR \fBkmf_get_sym_key_value\fR +\fBkmf_hexstr_to_bytes\fR \fBkmf_import_crl\fR +\fBkmf_import_cert\fR \fBkmf_import_objects\fR +\fBkmf_initialize\fR \fBkmf_is_cert_data\fR +\fBkmf_is_cert_file\fR \fBkmf_is_crl_file\fR +\fBkmf_ku_to_string\fR \fBkmf_list_crl\fR +\fBkmf_oid_to_ekuname\fR \fBkmf_oid_to_string\fR +\fBkmf_pem_to_der\fR \fBkmf_pk11_token_lookup\fR +\fBkmf_read_input_file\fR \fBkmf_select_token\fR +\fBkmf_set_attr\fR \fBkmf_set_attr_at_index\fR +\fBkmf_set_cert_basic_constraint\fR \fBkmf_set_cert_extn\fR +\fBkmf_set_cert_issuer\fR \fBkmf_set_cert_issuer_altname\fR +\fBkmf_set_cert_ku\fR \fBkmf_set_cert_pubkey\fR +\fBkmf_set_cert_serial\fR \fBkmf_set_cert_sig_alg\fR +\fBkmf_set_cert_subject\fR \fBkmf_set_cert_subject_altname\fR +\fBkmf_set_cert_validity\fR \fBkmf_set_cert_version\fR +\fBkmf_set_csr_extn\fR \fBkmf_set_csr_ku\fR +\fBkmf_set_csr_pubkey\fR \fBkmf_set_csr_sig_alg\fR +\fBkmf_set_csr_subject\fR \fBkmf_set_csr_subject_altname\fR +\fBkmf_set_csr_version\fR \fBkmf_set_policy\fR +\fBkmf_set_token_pin\fR \fBkmf_sign_cert\fR +\fBkmf_sign_csr\fR \fBkmf_sign_data\fR +\fBkmf_store_cert\fR \fBkmf_store_key\fR +\fBkmf_string_to_ku\fR \fBkmf_string_to_oid\fR +\fBkmf_validate_cert\fR \fBkmf_verify_cert\fR +\fBkmf_verify_crl_file\fR \fBkmf_verify_csr\fR +\fBkmf_verify_data\fR \fBkmf_verify_policy\fR .TE .SH FILES -.sp .ne 2 .na \fB\fB/lib/libkmf.so.1\fR\fR @@ -143,7 +141,6 @@ KMF structures and types. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -160,7 +157,6 @@ MT-Level Safe .TE .SH SEE ALSO -.sp .LP \fBkmfcfg\fR(1), \fBpktool\fR(1), \fBattributes\fR(5) .sp diff --git a/usr/src/tools/cw/cw.c b/usr/src/tools/cw/cw.c index 8940b5643e..a8c2cfb4f3 100644 --- a/usr/src/tools/cw/cw.c +++ b/usr/src/tools/cw/cw.c @@ -488,7 +488,7 @@ newictx(void) static void error(const char *arg) { - errx(2, "error: mapping failed at or near arg '%s'\n", arg); + errx(2, "error: mapping failed at or near arg '%s'", arg); } /* diff --git a/usr/src/uts/common/brand/lx/os/lx_brand.c b/usr/src/uts/common/brand/lx/os/lx_brand.c index 974c8603e0..d388b14c70 100644 --- a/usr/src/uts/common/brand/lx/os/lx_brand.c +++ b/usr/src/uts/common/brand/lx/os/lx_brand.c @@ -25,7 +25,7 @@ */ /* - * Copyright 2017, Joyent, Inc. All rights reserved. + * Copyright 2018, Joyent, Inc. All rights reserved. */ /* @@ -1892,6 +1892,16 @@ lx_brandsys(int cmd, int64_t *rval, uintptr_t arg1, uintptr_t arg2, mutex_exit(&p->p_lock); return (result); } + + case B_ALL_SIGS_BLOCKED: { + uint_t result; + + mutex_enter(&p->p_lock); + pd = ptolxproc(p); + result = pd->l_block_all_signals; + mutex_exit(&p->p_lock); + return (result); + } } return (EINVAL); diff --git a/usr/src/uts/common/brand/lx/sys/lx_brand.h b/usr/src/uts/common/brand/lx/sys/lx_brand.h index e30568086d..9c1579cc82 100644 --- a/usr/src/uts/common/brand/lx/sys/lx_brand.h +++ b/usr/src/uts/common/brand/lx/sys/lx_brand.h @@ -103,7 +103,7 @@ extern "C" { #define B_STORE_ARGS 137 #define B_GETPID 138 #define B_JUMP_TO_LINUX 139 -/* formerly B_SET_THUNK_PID 140 */ +#define B_ALL_SIGS_BLOCKED 140 #define B_EXIT_AS_SIG 141 /* formerly B_HELPER_WAITID 142 */ #define B_HELPER_CLONE 143 diff --git a/usr/src/uts/common/brand/lx/syscall/lx_poll.c b/usr/src/uts/common/brand/lx/syscall/lx_poll.c index 92852e72ae..e54130aff1 100644 --- a/usr/src/uts/common/brand/lx/syscall/lx_poll.c +++ b/usr/src/uts/common/brand/lx/syscall/lx_poll.c @@ -26,6 +26,12 @@ #include <sys/schedctl.h> #include <sys/lx_signal.h> +/* + * Max number of FDs that can be given to poll() or select() before we return + * EINVAL (the Linux man page documents this value as {OPEN_MAX}, and defaults + * it to this value). + */ +int lx_poll_max_fds = 1048576; /* From uts/common/syscall/poll.c */ extern int poll_copyin(pollstate_t *, pollfd_t *, nfds_t); @@ -172,11 +178,12 @@ lx_poll_common(pollfd_t *fds, nfds_t nfds, timespec_t *tsp, k_sigset_t *ksetp) * Initialize pollstate and copy in pollfd data if present. */ if (nfds != 0) { - if (nfds > p->p_fno_ctl) { - mutex_enter(&p->p_lock); - (void) rctl_action(rctlproc_legacy[RLIMIT_NOFILE], - p->p_rctls, p, RCA_SAFE); - mutex_exit(&p->p_lock); + /* + * Cap the number of FDs they can give us so we don't go + * allocating a huge chunk of memory. Note that this is *not* + * the RLIMIT_NOFILE rctl. + */ + if (nfds > lx_poll_max_fds) { error = EINVAL; goto pollout; } @@ -587,11 +594,12 @@ lx_select_common(int nfds, long *rfds, long *wfds, long *efds, * Initialize pollstate and copy in pollfd data if present. */ if (nfds != 0) { - if (nfds > p->p_fno_ctl) { - mutex_enter(&p->p_lock); - (void) rctl_action(rctlproc_legacy[RLIMIT_NOFILE], - p->p_rctls, p, RCA_SAFE); - mutex_exit(&p->p_lock); + /* + * Cap the number of FDs they can give us so we don't go + * allocating a huge chunk of memory. Note that this is *not* + * the RLIMIT_NOFILE rctl. + */ + if (nfds > lx_poll_max_fds) { error = EINVAL; goto out; } diff --git a/usr/src/uts/i86pc/io/viona/viona.c b/usr/src/uts/i86pc/io/viona/viona.c index c22c0bf646..3e441d44f4 100644 --- a/usr/src/uts/i86pc/io/viona/viona.c +++ b/usr/src/uts/i86pc/io/viona/viona.c @@ -408,6 +408,7 @@ typedef struct viona_vring { uint64_t rs_indir_bad_next; uint64_t rs_no_space; uint64_t rs_too_many_desc; + uint64_t rs_desc_bad_len; uint64_t rs_bad_ring_addr; @@ -1599,6 +1600,13 @@ vq_popchain(viona_vring_t *ring, struct iovec *iov, int niov, uint16_t *cookie) vdir = ring->vr_descr[next]; if ((vdir.vd_flags & VRING_DESC_F_INDIRECT) == 0) { + if (vdir.vd_len == 0) { + VIONA_PROBE2(desc_bad_len, + viona_vring_t *, ring, + uint32_t, vdir.vd_len); + VIONA_RING_STAT_INCR(ring, desc_bad_len); + goto bail; + } buf = viona_gpa2kva(link, vdir.vd_addr, vdir.vd_len); if (buf == NULL) { VIONA_PROBE_BAD_RING_ADDR(ring, vdir.vd_addr); @@ -1644,6 +1652,13 @@ vq_popchain(viona_vring_t *ring, struct iovec *iov, int niov, uint16_t *cookie) VIONA_RING_STAT_INCR(ring, indir_bad_nest); goto bail; + } else if (vp.vd_len == 0) { + VIONA_PROBE2(desc_bad_len, + viona_vring_t *, ring, + uint32_t, vp.vd_len); + VIONA_RING_STAT_INCR(ring, + desc_bad_len); + goto bail; } buf = viona_gpa2kva(link, vp.vd_addr, vp.vd_len); |