opkg

statically linked package installer

Commit: e3281f334a9ff119b150b57e7d322adfc16fd176
Parent: ef2c2c95db4385ea75eca69336f96653c94ceaae
Author: Randy Palamar
Date:   Tue, 26 Sep 2023 06:00:47 -0600

add sys/openbsd from oasis

this also provides libbsd which is useful for building other programs

note: nc is disabled for now

Diffstat:
Mpkg/gen.lua | 1+
Apkg/sys/gen.lua | 1+
Apkg/sys/openbsd/.gitignore | 4++++
Apkg/sys/openbsd/fetch.sh | 34++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/gen.lua | 107+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/include/err.h | 3+++
Apkg/sys/openbsd/include/grp.h | 4++++
Apkg/sys/openbsd/include/machine/endian.h | 1+
Apkg/sys/openbsd/include/netinet/ip.h | 9+++++++++
Apkg/sys/openbsd/include/pwd.h | 4++++
Apkg/sys/openbsd/include/readpassphrase.h | 40++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/include/resolv.h | 3+++
Apkg/sys/openbsd/include/stdlib.h | 11+++++++++++
Apkg/sys/openbsd/include/string.h | 5+++++
Apkg/sys/openbsd/include/sys/cdefs.h | 5+++++
Apkg/sys/openbsd/include/sys/param.h | 3+++
Apkg/sys/openbsd/include/sys/time.h | 14++++++++++++++
Apkg/sys/openbsd/include/unistd.h | 3+++
Apkg/sys/openbsd/include/util.h | 9+++++++++
Apkg/sys/openbsd/patch/0001-fts-Avoid-d_namlen.patch | 49+++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0002-fts-Add-some-includes.patch | 46++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0003-pax-Set-listf-to-stderr-in-main.patch | 34++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0004-pax-Add-some-includes.patch | 86+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0005-tar-Default-to-stdin.patch | 25+++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0006-yacc-Add-some-includes.patch | 24++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0007-diff-Add-missing-includes.patch | 37+++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0008-patch-Add-missing-includes.patch | 24++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0009-patch-Avoid-d_namlen.patch | 25+++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0010-pax-Fix-GNU-long-name-handling-with-short-read.patch | 176+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0011-pax-Support-xz-compression-with-J-flag.patch | 90+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0012-setprogname-Explicitly-discard-const-qualifier.patch | 23+++++++++++++++++++++++
Apkg/sys/openbsd/patch/0013-readpassphrase-Support-systems-without-VSTATUS-and-T.patch | 38++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0014-Remove-getpass-definition.patch | 36++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0015-doas-Port-to-linux-musl.patch | 581+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0016-pwcache-Don-t-use-fixed-buffer-sizes.patch | 92+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0017-Add-standalone-freezero.patch | 51+++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0018-m4-Use-hand-written-lexer-to-avoid-cycle-in-bootstra.patch | 327+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0019-m4-Use-_Noreturn-instead-of-__dead.patch | 25+++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0020-m4-Add-missing-includes.patch | 50++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0021-libutil-Add-missing-includes.patch | 24++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0022-acme-client-Add-missing-includes.patch | 25+++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0023-rsync-Add-missing-includes.patch | 42++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0024-rsync-Use-standard-S_ISVTX-instead-of-S_ISTXT.patch | 34++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0025-rsync-Avoid-pointer-arithmetic-on-void.patch | 149+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0026-Include-sys-sysmacros.h-if-necessary.patch | 73+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0027-nc-Portability-fixes-from-libressl-portable.patch | 194+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0028-pax-Ignore-EOPNOTSUPP-from-fchmodat.patch | 26++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0029-acme-client-Fix-build-with-old-bison-versions.patch | 24++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0030-rsync-Add-implementation-of-MD4.patch | 410+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0031-pax-Fix-some-incorrect-format-specifiers.patch | 48++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0032-pax-Use-memcpy-to-set-TMAGIC-and-TVERSION-to-avoid-w.patch | 27+++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0033-rsync-Fix-some-incorrect-format-specifiers.patch | 42++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0034-m4-Declare-dopaste-only-when-it-s-used.patch | 26++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0035-acme-client-Fix-signed-ness-of-base64buf_url-input.patch | 160+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch | 1548+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0037-pax-Use-POSIX-struct-stat-fields-for-high-resolution.patch | 46++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0038-rsync-Pass-long-long-to-scan_scaled.patch | 42++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0039-libutil-Include-util.h-instead-of-util.h.patch | 28++++++++++++++++++++++++++++
Apkg/sys/openbsd/patch/0040-nc-Add-option-to-disable-certificate-time-checking.patch | 59+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apkg/sys/openbsd/sha256 | 2++
Apkg/sys/openbsd/url | 5+++++
Apkg/sys/openbsd/ver | 1+
Msets.lua | 1+
63 files changed, 5136 insertions(+), 0 deletions(-)

diff --git a/pkg/gen.lua b/pkg/gen.lua
@@ -4,3 +4,4 @@ subgen('devel')
 subgen('editors')
 subgen('lang')
 subgen('libs')
+subgen('sys')
diff --git a/pkg/sys/gen.lua b/pkg/sys/gen.lua
@@ -0,0 +1 @@
+subgen('openbsd')
diff --git a/pkg/sys/openbsd/.gitignore b/pkg/sys/openbsd/.gitignore
@@ -0,0 +1,4 @@
+/nc.ninja
+/src
+/src.tar.gz
+/sys.tar.gz
diff --git a/pkg/sys/openbsd/fetch.sh b/pkg/sys/openbsd/fetch.sh
@@ -0,0 +1,34 @@
+set -e
+
+dir=$1
+shift
+
+cd "$dir"
+
+if [ -e src ] ; then
+ rm -rf src
+fi
+
+if ! sh "$OLDPWD/scripts/checksum.sh" -c sha256 2>/dev/null ; then
+ curl -L -K url -O
+ sh "$OLDPWD/scripts/checksum.sh" -c sha256
+fi
+
+sh "$OLDPWD/scripts/extract.sh" src.tar.gz -s ',^,src/,' \
+ 'bin/pax/*' \
+ 'include/*' \
+ 'lib/libc/*' \
+ 'lib/libcrypto/arc4random/*' \
+ 'lib/libutil/*' \
+ 'usr.bin/diff/*' \
+ 'usr.bin/doas/*' \
+ 'usr.bin/fmt/*' \
+ 'usr.bin/m4/*' \
+ 'usr.bin/nc/*' \
+ 'usr.bin/patch/*' \
+ 'usr.bin/rsync/*' \
+ 'usr.bin/yacc/*' \
+ 'usr.sbin/acme-client/*'
+sh "$OLDPWD/scripts/extract.sh" sys.tar.gz -s ',^,src/,' 'sys/sys/*'
+
+git apply -v --whitespace=nowarn --directory "$dir/src" patch/*
diff --git a/pkg/sys/openbsd/gen.lua b/pkg/sys/openbsd/gen.lua
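Review bot: In fetch.sh the download line `curl -L -K url -O` follows redirects without restricting the protocol and does not fail on an HTTP error status, so the `checksum.sh -c sha256` call after it is the only gate before extraction and `git apply`. That gate does abort the script under `set -e`, but a comment saying the checksum is the trust anchor would keep a later edit from reordering or dropping it. If the `url` config (not visible here) does not already set them, `curl --fail --proto '=https' --proto-redir '=https' -L -K url -O` keeps an error page or a downgraded redirect from being saved as the tarball.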
@@ -0,0 +1,107 @@
+cflags({
+ '-Wall', '-Wno-pointer-sign', '-Wno-maybe-uninitialized', '-Wno-attributes',
+ [[-D 'DEF_WEAK(n)=_Static_assert(1, "")']],
+ '-I $dir/include',
+ '-I $outdir/include',
+})
+
+pkg.hdrs = {
+ copy('$outdir/include', '$srcdir/sys', {'sys/queue.h', 'sys/tree.h', 'sys/_null.h'}),
+ copy('$outdir/include', '$srcdir/include', {'fts.h', 'vis.h'}),
+ copy('$outdir/include', '$srcdir/lib/libutil', {'ohash.h'}),
+}
+pkg.deps = {'$gendir/headers'}
+
+-- Link arc4random.c to '$outdir' so that it doesn't include the local
+-- arc4random.h
+build('copy', '$outdir/lib/libc/crypt/arc4random.c', '$srcdir/lib/libc/crypt/arc4random.c')
+build('copy', '$outdir/lib/libc/crypt/arc4random.h', '$srcdir/lib/libcrypto/arc4random/arc4random_linux.h')
+build('copy', '$outdir/lib/libc/crypt/chacha_private.h', '$srcdir/lib/libc/crypt/chacha_private.h')
+cc('$outdir/lib/libc/crypt/arc4random.c', {
+ '$outdir/lib/libc/crypt/arc4random.h',
+ '$outdir/lib/libc/crypt/chacha_private.h',
+})
+
+lib('libbsd.a', [[
+ lib/libc/(
+ crypt/(arc4random.c.o arc4random_uniform.c)
+ gen/(fts.c getprogname.c pwcache.c readpassphrase.c setprogname.c unvis.c vis.c warnc.c vwarnc.c)
+ net/base64.c
+ stdlib/(freezero.c recallocarray.c strtonum.c)
+ string/(strmode.c timingsafe_bcmp.c timingsafe_memcmp.c)
+ )
+ lib/libutil/(fmt_scaled.c ohash.c)
+]])
+file('lib/libbsd.a', '644', '$outdir/libbsd.a')
+
+-- diff
+exe('diff', 'usr.bin/diff/(diff.c diffdir.c diffreg.c xmalloc.c) libbsd.a')
+file('bin/diff', '755', '$outdir/diff')
+man({'usr.bin/diff/diff.1'})
+
+-- doas
+yacc('usr.bin/doas/parse', 'usr.bin/doas/parse.y')
+cc('$outdir/usr.bin/doas/parse.tab.c', nil, {cflags='$cflags -I $srcdir/usr.bin/doas'})
+cc('usr.bin/doas/doas.c', nil, {cflags='$cflags -D _GNU_SOURCE'})
+exe('doas', 'usr.bin/doas/(doas.c.o env.c parse.tab.c.o persist.c) libbsd.a')
+file('bin/doas', '6755', '$outdir/doas')
+man({'usr.bin/doas/doas.1', 'usr.bin/doas/doas.conf.5'})
+
+-- fmt
+file('bin/fmt', '755', exe('fmt', {'usr.bin/fmt/fmt.c', 'libbsd.a'}))
+man({'usr.bin/fmt/fmt.1'})
+
+--[[
+-- nc
+sub('nc.ninja', function()
+ cflags({'-isystem $builddir/pkg/libtls-bearssl/include'})
+ exe('nc', [[
+ usr.bin/nc/(netcat.c atomicio.c socks.c)
+ $builddir/pkg/libtls-bearssl/libtls.a.d
+ libbsd.a
+ , {'pkg/libtls-bearssl/headers'})
+ file('bin/nc', '755', '$outdir/nc')
+ man({'usr.bin/nc/nc.1'})
+end)
+--]]
+
+-- m4
+yacc('usr.bin/m4/parser', 'usr.bin/m4/parser.y')
+cc('usr.bin/m4/tokenizer.c', {'$outdir/usr.bin/m4/parser.tab.h'}, {cflags='$cflags -I $outdir/usr.bin/m4'})
+exe('m4', [[
+ usr.bin/m4/(eval.c expr.c look.c main.c misc.c gnum4.c trace.c tokenizer.c.o)
+ $outdir/usr.bin/m4/parser.tab.c
+ libbsd.a
+]])
+file('bin/m4', '755', '$outdir/m4')
+man({'usr.bin/m4/m4.1'})
+
+-- patch
+exe('patch', 'usr.bin/patch/(patch.c pch.c inp.c util.c backupfile.c mkpath.c ed.c) libbsd.a')
+file('bin/patch', '755', '$outdir/patch')
+man({'usr.bin/patch/patch.1'})
+
+-- pax
+exe('pax', [[bin/pax/(
+ ar_io.c ar_subs.c buf_subs.c cpio.c file_subs.c ftree.c
+ gen_subs.c getoldopt.c options.c pat_rep.c pax.c sel_subs.c tables.c
+ tar.c tty_subs.c
+) libbsd.a]])
+file('bin/pax', '755', '$outdir/pax')
+sym('bin/tar', 'pax')
+sym('bin/cpio', 'pax')
+man({'bin/pax/pax.1', 'bin/pax/tar.1', 'bin/pax/cpio.1'})
+
+-- rsync
+exe('rsync', [[
+ usr.bin/rsync/(
+ blocks.c client.c copy.c downloader.c fargs.c flist.c hash.c ids.c
+ io.c log.c main.c md4.c misc.c mkpath.c mktemp.c receiver.c rmatch.c
+ rules.c sender.c server.c session.c socket.c symlinks.c uploader.c
+ )
+ libbsd.a
+]])
+file('bin/rsync', '755', '$outdir/rsync')
+man({'usr.bin/rsync/rsync.1', 'usr.bin/rsync/rsync.5', 'usr.bin/rsync/rsyncd.5'})
+
+fetch('local')
diff --git a/pkg/sys/openbsd/include/err.h b/pkg/sys/openbsd/include/err.h
@@ -0,0 +1,3 @@
+#include_next <err.h>
+void warnc(int, const char *, ...) __attribute__((__format__ (printf, 2, 3)));
+void vwarnc(int, const char *, va_list) __attribute__((__format__ (printf, 2, 0)));
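Review bot: `file('bin/doas', '6755', '$outdir/doas')` installs doas with both the setuid and the setgid bit, while every other binary in this file is installed `755`. doas switches identity through its effective uid, so the setgid bit appears to add privilege without being needed, and whatever group owns the file becomes reachable through any bug in the Linux port added by patch 0015. Unless that patch relies on the group bit (it is not visible in this hunk), `file('bin/doas', '4755', '$outdir/doas')` is the narrower mode, and a one-line comment on the chosen mode would document the intent.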
diff --git a/pkg/sys/openbsd/include/grp.h b/pkg/sys/openbsd/include/grp.h
@@ -0,0 +1,4 @@
+#include_next <grp.h>
+#define setgroupent(n) setgrent()
+const char *group_from_gid(gid_t, int);
+int gid_from_group(const char *, gid_t *);
diff --git a/pkg/sys/openbsd/include/machine/endian.h b/pkg/sys/openbsd/include/machine/endian.h
@@ -0,0 +1 @@
+#include <endian.h>
diff --git a/pkg/sys/openbsd/include/netinet/ip.h b/pkg/sys/openbsd/include/netinet/ip.h
@@ -0,0 +1,9 @@
+#include_next <netinet/ip.h>
+#define IPTOS_DSCP_CS0 0x00
+#define IPTOS_DSCP_CS1 0x20
+#define IPTOS_DSCP_CS2 0x40
+#define IPTOS_DSCP_CS3 0x60
+#define IPTOS_DSCP_CS4 0x80
+#define IPTOS_DSCP_CS5 0xa0
+#define IPTOS_DSCP_CS6 0xc0
+#define IPTOS_DSCP_CS7 0xe0
diff --git a/pkg/sys/openbsd/include/pwd.h b/pkg/sys/openbsd/include/pwd.h
@@ -0,0 +1,4 @@
+#include_next <pwd.h>
+#define setpassent(n) setpwent()
+const char *user_from_uid(uid_t, int);
+int uid_from_user(const char *, uid_t *);
diff --git a/pkg/sys/openbsd/include/readpassphrase.h b/pkg/sys/openbsd/include/readpassphrase.h
@@ -0,0 +1,40 @@
+/* $OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $ */
+
+/*
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+#ifndef _READPASSPHRASE_H_
+#define _READPASSPHRASE_H_
+
+#define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */
+#define RPP_ECHO_ON 0x01 /* Leave echo on. */
+#define RPP_REQUIRE_TTY 0x02 /* Fail if there is no tty. */
+#define RPP_FORCELOWER 0x04 /* Force input to lower case. */
+#define RPP_FORCEUPPER 0x08 /* Force input to upper case. */
+#define RPP_SEVENBIT 0x10 /* Strip the high bit from input. */
+#define RPP_STDIN 0x20 /* Read from stdin, not /dev/tty */
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+char * readpassphrase(const char *, char *, size_t, int);
+__END_DECLS
+
+#endif /* !_READPASSPHRASE_H_ */
diff --git a/pkg/sys/openbsd/include/resolv.h b/pkg/sys/openbsd/include/resolv.h
@@ -0,0 +1,3 @@
+#include_next <resolv.h>
+int b64_ntop(unsigned char const *, size_t, char *, size_t);
+int b64_pton(char const *, unsigned char *, size_t);
diff --git a/pkg/sys/openbsd/include/stdlib.h b/pkg/sys/openbsd/include/stdlib.h
@@ -0,0 +1,11 @@
+#include_next <stdlib.h>
+#include <stdint.h>
+void freezero(void *, size_t);
+void *recallocarray(void *, size_t, size_t, size_t);
+long long strtonum(const char *, long long, long long, const char **);
+uint32_t arc4random(void);
+uint32_t arc4random_uniform(uint32_t);
+void arc4random_buf(void *, size_t);
+void setprogname(const char *);
+const char *getprogname(void);
+extern char *__progname;
diff --git a/pkg/sys/openbsd/include/string.h b/pkg/sys/openbsd/include/string.h
@@ -0,0 +1,5 @@
+#include_next <string.h>
+char *strcasestr(const char *, const char *);
+void strmode(int, char *);
+int timingsafe_memcmp(const void *, const void *, size_t);
+int timingsafe_bcmp(const void *, const void *, size_t);
diff --git a/pkg/sys/openbsd/include/sys/cdefs.h b/pkg/sys/openbsd/include/sys/cdefs.h
@@ -0,0 +1,5 @@
+/* only needed for C++ */
+#define __BEGIN_DECLS
+#define __END_DECLS
+
+#define __dead __attribute__((__noreturn__))
diff --git a/pkg/sys/openbsd/include/sys/param.h b/pkg/sys/openbsd/include/sys/param.h
@@ -0,0 +1,3 @@
+#include_next <sys/param.h>
+#define ALIGNBYTES (sizeof(uintptr_t) - 1)
+#define ALIGN(p) (((uintptr_t)(p) + ALIGNBYTES) &~ ALIGNBYTES)
diff --git a/pkg/sys/openbsd/include/sys/time.h b/pkg/sys/openbsd/include/sys/time.h
@@ -0,0 +1,14 @@
+#include_next <sys/time.h>
+#define timespeccmp(tsp, usp, cmp) \
+ (((tsp)->tv_sec == (usp)->tv_sec) ? \
+ ((tsp)->tv_nsec cmp (usp)->tv_nsec) : \
+ ((tsp)->tv_sec cmp (usp)->tv_sec))
+#define timespecsub(tsp, usp, vsp) \
+ do { \
+ (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec; \
+ (vsp)->tv_nsec = (tsp)->tv_nsec - (usp)->tv_nsec; \
+ if ((vsp)->tv_nsec < 0) { \
+ (vsp)->tv_sec--; \
+ (vsp)->tv_nsec += 1000000000L; \
+ } \
+ } while (0)
diff --git a/pkg/sys/openbsd/include/unistd.h b/pkg/sys/openbsd/include/unistd.h
@@ -0,0 +1,3 @@
+#include_next <unistd.h>
+#define pledge(request, paths) 0 /* linux doesn't have pledge */
+#define unveil(path, permissions) 0 /* linux doesn't have unveil */
diff --git a/pkg/sys/openbsd/include/util.h b/pkg/sys/openbsd/include/util.h
@@ -0,0 +1,9 @@
+#ifndef _UTIL_H_
+#define _UTIL_H_
+
+#define FMT_SCALED_STRSIZE 7 /* minus sign, 4 digits, suffix, null byte */
+
+int fmt_scaled(long long, char *);
+int scan_scaled(char *, long long *);
+
+#endif
diff --git a/pkg/sys/openbsd/patch/0001-fts-Avoid-d_namlen.patch b/pkg/sys/openbsd/patch/0001-fts-Avoid-d_namlen.patch
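Review bot: In include/unistd.h, `pledge()` and `unveil()` are defined as macros that expand to `0`, so callers see success while no restriction is applied and the arguments are never evaluated. For a package that installs a set-id doas and builds rsync from the same tree, that means any sandboxing those OpenBSD sources request is silently absent on Linux; whether each program calls these is not visible on this commit page. The existing comments should state the consequence rather than only the cause, e.g. `/* no-op on linux: callers get success but NO pledge restrictions are applied */`, and the same for unveil.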
@@ -0,0 +1,49 @@
+From b546a0ae0beb2323143aed00d05e2fdf4fef5239 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sun, 17 Apr 2016 23:50:15 -0700
+Subject: [PATCH] fts: Avoid d_namlen
+
+---
+ lib/libc/gen/fts.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/libc/gen/fts.c b/lib/libc/gen/fts.c
+index 98b3a0a39..c186b7af2 100644
+--- a/lib/libc/gen/fts.c
++++ b/lib/libc/gen/fts.c
+@@ -555,6 +555,7 @@ fts_build(FTS *sp, int type)
+ int nitems, cderrno, descend, level, nlinks, nostat, doadjust;
+ int saved_errno;
+ char *cp;
++ size_t namlen;
+
+ /* Set current node pointer. */
+ cur = sp->fts_cur;
+@@ -653,11 +654,12 @@ fts_build(FTS *sp, int type)
+ if (!ISSET(FTS_SEEDOT) && ISDOT(dp->d_name))
+ continue;
+
+- if (!(p = fts_alloc(sp, dp->d_name, dp->d_namlen)))
++ namlen = strlen(dp->d_name);
++ if (!(p = fts_alloc(sp, dp->d_name, namlen)))
+ goto mem1;
+- if (dp->d_namlen >= maxlen) { /* include space for NUL */
++ if (namlen >= maxlen) { /* include space for NUL */
+ oldaddr = sp->fts_path;
+- if (fts_palloc(sp, dp->d_namlen +len + 1)) {
++ if (fts_palloc(sp, namlen +len + 1)) {
+ /*
+ * No more memory for path or structures. Save
+ * errno, free up the current structure and the
+@@ -683,7 +685,7 @@ mem1: saved_errno = errno;
+
+ p->fts_level = level;
+ p->fts_parent = sp->fts_cur;
+- p->fts_pathlen = len + dp->d_namlen;
++ p->fts_pathlen = len + namlen;
+ if (p->fts_pathlen < len) {
+ /*
+ * If we wrap, free up the current structure and
+--
+2.12.2
+
diff --git a/pkg/sys/openbsd/patch/0002-fts-Add-some-includes.patch b/pkg/sys/openbsd/patch/0002-fts-Add-some-includes.patch
@@ -0,0 +1,46 @@
+From 2280f1bcd79a988c95548f65b9e3d7e08ac51b09 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Apr 2016 01:25:29 -0700
+Subject: [PATCH] fts: Add some includes
+
+---
+ include/fts.h | 2 ++
+ lib/libc/gen/fts.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/include/fts.h b/include/fts.h
+index eaf6be07c6f..a5b3aff91e7 100644
+--- a/include/fts.h
++++ b/include/fts.h
+@@ -35,6 +35,8 @@
+ #ifndef _FTS_H_
+ #define _FTS_H_
+
++#include <sys/cdefs.h>
++
+ typedef struct {
+ struct _ftsent *fts_cur; /* current node */
+ struct _ftsent *fts_child; /* linked list of children */
+diff --git a/lib/libc/gen/fts.c b/lib/libc/gen/fts.c
+index 77f26d6c27c..86585190a99 100644
+--- a/lib/libc/gen/fts.c
++++ b/lib/libc/gen/fts.c
+@@ -31,6 +31,7 @@
+
+ #include <sys/param.h> /* ALIGN ALIGNBYTES */
+ #include <sys/stat.h>
++#include <sys/types.h>
+
+ #include <dirent.h>
+ #include <errno.h>
+@@ -39,6 +40,7 @@
+ #include <limits.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <time.h>
+ #include <unistd.h>
+
+ #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
+--
+2.35.1
+
diff --git a/pkg/sys/openbsd/patch/0003-pax-Set-listf-to-stderr-in-main.patch b/pkg/sys/openbsd/patch/0003-pax-Set-listf-to-stderr-in-main.patch
@@ -0,0 +1,34 @@
+From e2ca2e2a530e61e8af65dca829aa1fcad5c59a7d Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Apr 2016 00:13:51 -0700
+Subject: [PATCH] pax: Set listf to stderr in main
+
+---
+ bin/pax/pax.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bin/pax/pax.c b/bin/pax/pax.c
+index f6b3634369a..3d50e051075 100644
+--- a/bin/pax/pax.c
++++ b/bin/pax/pax.c
+@@ -93,7 +93,7 @@ char *dirptr; /* destination dir in a copy */
+ char *argv0; /* root of argv[0] */
+ enum op_mode op_mode; /* what program are we acting as? */
+ sigset_t s_mask; /* signal mask for cleanup critical sect */
+-FILE *listf = stderr; /* file pointer to print file list to */
++FILE *listf; /* file pointer to print file list to */
+ int listfd = STDERR_FILENO; /* fd matching listf, for sighandler output */
+ char *tempfile; /* tempfile to use for mkstemp(3) */
+ char *tempbase; /* basename of tempfile to use for mkstemp(3) */
+@@ -224,6 +224,8 @@ main(int argc, char **argv)
+ char *tmpdir;
+ size_t tdlen;
+
++ listf = stderr;
++
+ /*
+ * Keep a reference to cwd, so we can always come back home.
+ */
+--
+2.19.0
+
diff --git a/pkg/sys/openbsd/patch/0004-pax-Add-some-includes.patch b/pkg/sys/openbsd/patch/0004-pax-Add-some-includes.patch
@@ -0,0 +1,86 @@
+From fbf6dc8783f31408cc090cf42cf92008d4f2a455 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Apr 2016 01:27:29 -0700
+Subject: [PATCH] pax: Add some includes
+
+---
+ bin/pax/ar_subs.c | 3 ++-
+ bin/pax/buf_subs.c | 1 +
+ bin/pax/file_subs.c | 2 ++
+ bin/pax/sel_subs.c | 1 +
+ bin/pax/tables.c | 1 +
+ 5 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bin/pax/ar_subs.c b/bin/pax/ar_subs.c
+index 51dd6e085..f70ec4ed0 100644
+--- a/bin/pax/ar_subs.c
++++ b/bin/pax/ar_subs.c
+@@ -36,14 +36,15 @@
+
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/time.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <signal.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
+-
+ #include "pax.h"
+ #include "extern.h"
+
+diff --git a/bin/pax/buf_subs.c b/bin/pax/buf_subs.c
+index 41f06ae31..30be3dc46 100644
+--- a/bin/pax/buf_subs.c
++++ b/bin/pax/buf_subs.c
+@@ -36,6 +36,7 @@
+
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/time.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <unistd.h>
+diff --git a/bin/pax/file_subs.c b/bin/pax/file_subs.c
+index 9f834bf17..57ebdb490 100644
+--- a/bin/pax/file_subs.c
++++ b/bin/pax/file_subs.c
+@@ -35,6 +35,8 @@
+ */
+
+ #include <sys/stat.h>
++#include <sys/time.h>
++#include <sys/types.h>
+ #include <err.h>
+ #include <errno.h>
+ #include <fcntl.h>
+diff --git a/bin/pax/sel_subs.c b/bin/pax/sel_subs.c
+index 17200b5a4..136f87c5d 100644
+--- a/bin/pax/sel_subs.c
++++ b/bin/pax/sel_subs.c
+@@ -43,6 +43,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <time.h>
++#include <unistd.h>
+
+ #include "pax.h"
+ #include "extern.h"
+diff --git a/bin/pax/tables.c b/bin/pax/tables.c
+index b700f1649..99790f986 100644
+--- a/bin/pax/tables.c
++++ b/bin/pax/tables.c
+@@ -36,6 +36,7 @@
+
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/time.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <limits.h>
+--
+2.12.2
+
diff --git a/pkg/sys/openbsd/patch/0005-tar-Default-to-stdin.patch b/pkg/sys/openbsd/patch/0005-tar-Default-to-stdin.patch
@@ -0,0 +1,25 @@
+From 901940cdf7fc13516ff55e81df0b546eb7c74595 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Apr 2016 01:16:12 -0700
+Subject: [PATCH] tar: Default to stdin
+
+---
+ bin/pax/options.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/pax/options.c b/bin/pax/options.c
+index 5db0948858c..dbb4b816c37 100644
+--- a/bin/pax/options.c
++++ b/bin/pax/options.c
+@@ -937,7 +937,7 @@ tar_options(int argc, char **argv)
+ if ((arcname == NULL) || (*arcname == '\0')) {
+ arcname = getenv("TAPE");
+ if ((arcname == NULL) || (*arcname == '\0'))
+- arcname = _PATH_DEFTAPE;
++ arcname = "-";
+ }
+ if ((arcname[0] == '-') && (arcname[1]== '\0'))
+ arcname = NULL;
+--
+2.25.0
+
diff --git a/pkg/sys/openbsd/patch/0006-yacc-Add-some-includes.patch b/pkg/sys/openbsd/patch/0006-yacc-Add-some-includes.patch
@@ -0,0 +1,24 @@
+From f926c3a15c772a7d54561e01682dea486c2a2833 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Apr 2016 17:34:01 -0700
+Subject: [PATCH] yacc: Add some includes
+
+---
+ usr.bin/yacc/defs.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usr.bin/yacc/defs.h b/usr.bin/yacc/defs.h
+index 7300caec2..fab6e1266 100644
+--- a/usr.bin/yacc/defs.h
++++ b/usr.bin/yacc/defs.h
+@@ -35,6 +35,7 @@
+ * @(#)defs.h 5.6 (Berkeley) 5/24/93
+ */
+
++#include <sys/cdefs.h>
+ #include <assert.h>
+ #include <ctype.h>
+ #include <stdio.h>
+--
+2.12.2
+
diff --git a/pkg/sys/openbsd/patch/0007-diff-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0007-diff-Add-missing-includes.patch
@@ -0,0 +1,37 @@
+From 7ce395bfbff36cf0020d0a425ff3053fcf2eaa3d Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sat, 4 Jun 2016 14:48:20 -0700
+Subject: [PATCH] diff: Add missing includes
+
+---
+ usr.bin/diff/diff.c | 1 +
+ usr.bin/diff/diffreg.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/usr.bin/diff/diff.c b/usr.bin/diff/diff.c
+index 2b075f12c..80c7f842e 100644
+--- a/usr.bin/diff/diff.c
++++ b/usr.bin/diff/diff.c
+@@ -20,6 +20,7 @@
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
++#include <sys/cdefs.h>
+ #include <sys/stat.h>
+
+ #include <ctype.h>
+diff --git a/usr.bin/diff/diffreg.c b/usr.bin/diff/diffreg.c
+index 35d61c349..953018cf5 100644
+--- a/usr.bin/diff/diffreg.c
++++ b/usr.bin/diff/diffreg.c
+@@ -77,6 +77,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <time.h>
+ #include <unistd.h>
+ #include <limits.h>
+
+--
+2.12.2
+
diff --git a/pkg/sys/openbsd/patch/0008-patch-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0008-patch-Add-missing-includes.patch
@@ -0,0 +1,24 @@
+From 299d570c708b33349131b8ca925c3e9bb733db84 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sat, 4 Jun 2016 18:40:24 -0700
+Subject: [PATCH] patch: Add missing includes
+
+---
+ usr.bin/patch/patch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usr.bin/patch/patch.c b/usr.bin/patch/patch.c
+index 0cb924db733..17b3aa4e23a 100644
+--- a/usr.bin/patch/patch.c
++++ b/usr.bin/patch/patch.c
+@@ -26,6 +26,7 @@
+ * behaviour
+ */
+
++#include <sys/cdefs.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+--
+2.19.0
+
diff --git a/pkg/sys/openbsd/patch/0009-patch-Avoid-d_namlen.patch b/pkg/sys/openbsd/patch/0009-patch-Avoid-d_namlen.patch
@@ -0,0 +1,25 @@
+From 602381b693ff286ed17a9a04bfceaeb255992843 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sat, 4 Jun 2016 18:40:37 -0700
+Subject: [PATCH] patch: Avoid d_namlen
+
+---
+ usr.bin/patch/backupfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr.bin/patch/backupfile.c b/usr.bin/patch/backupfile.c
+index ed0767762e0..fc05e48e68d 100644
+--- a/usr.bin/patch/backupfile.c
++++ b/usr.bin/patch/backupfile.c
+@@ -106,7 +106,7 @@ max_backup_version(const char *file, const char *dir)
+ file_name_length = strlen(file);
+
+ while ((dp = readdir(dirp)) != NULL) {
+- if (dp->d_namlen <= file_name_length)
++ if (strlen(dp->d_name) <= file_name_length)
+ continue;
+
+ this_version = version_number(file, dp->d_name, file_name_length);
+--
+2.31.1
+
diff --git a/pkg/sys/openbsd/patch/0010-pax-Fix-GNU-long-name-handling-with-short-read.patch b/pkg/sys/openbsd/patch/0010-pax-Fix-GNU-long-name-handling-with-short-read.patch
@@ -0,0 +1,176 @@
+From ec3fd37495e977af375a98a472d19ae0ccbcd874 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Sat, 3 Dec 2016 20:49:24 -0800
+Subject: [PATCH] pax: Fix GNU long name handling with short read
+
+---
+ bin/pax/ar_subs.c | 66 +++++++++++++++++++++++++++++++++------------
+ bin/pax/buf_subs.c | 4 +--
+ bin/pax/file_subs.c | 25 +----------------
+ 3 files changed, 51 insertions(+), 44 deletions(-)
+
+diff --git a/bin/pax/ar_subs.c b/bin/pax/ar_subs.c
+index e5b0a4ee5d1..f0a55abe2f7 100644
+--- a/bin/pax/ar_subs.c
++++ b/bin/pax/ar_subs.c
+@@ -37,6 +37,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
++#include <err.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -51,6 +52,7 @@
+ static void wr_archive(ARCHD *, int is_app);
+ static int get_arc(void);
+ static int next_head(ARCHD *);
++static int rd_gnu_string(ARCHD *);
+ extern sigset_t s_mask;
+
+ /*
+@@ -93,16 +95,8 @@ list(void)
+ * step through the archive until the format says it is done
+ */
+ while (next_head(arcn) == 0) {
+- if (arcn->type == PAX_GLL || arcn->type == PAX_GLF) {
+- /*
+- * we need to read, to get the real filename
+- */
+- off_t cnt;
+- if (!rd_wrfile(arcn, arcn->type == PAX_GLF
+- ? -1 : -2, &cnt))
+- (void)rd_skip(cnt + arcn->pad);
++ if (rd_gnu_string(arcn))
+ continue;
+- }
+
+ /*
+ * check for pattern, and user specified options match.
+@@ -208,15 +202,8 @@ extract(void)
+ * says it is done
+ */
+ while (next_head(arcn) == 0) {
+- if (arcn->type == PAX_GLL || arcn->type == PAX_GLF) {
+- /*
+- * we need to read, to get the real filename
+- */
+- if (!rd_wrfile(arcn, arcn->type == PAX_GLF
+- ? -1 : -2, &cnt))
+- (void)rd_skip(cnt + arcn->pad);
++ if (rd_gnu_string(arcn))
+ continue;
+- }
+
+ /*
+ * check for pattern, and user specified options match. When
+@@ -1243,3 +1230,48 @@ get_arc(void)
+ paxwarn(1, "Sorry, unable to determine archive format.");
+ return(-1);
+ }
++
++/*
++ * rd_gnu_string()
++ * Read the file contents into an allocated string if it is a GNU tar
++ * long link/file.
++ * Return:
++ * 1 if gnu string read, 0 otherwise
++ */
++
++static int
++rd_gnu_string(ARCHD *arcn)
++{
++ char **strp;
++
++ switch (arcn->type) {
++ case PAX_GLF:
++ strp = &gnu_name_string;
++ break;
++ case PAX_GLL:
++ strp = &gnu_link_string;
++ break;
++ default:
++ strp = NULL;
++ break;
++ }
++ if (!strp)
++ return 0;
++ /*
++ * we need to read, to get the real filename
++ */
++ if (*strp)
++ err(1, "WARNING! Major Internal Error! GNU hack Failing!");
++ *strp = malloc(arcn->sb.st_size + 1);
++ if (*strp == NULL) {
++ paxwarn(1, "Out of memory");
++ (void)rd_skip(arcn->skip + arcn->pad);
++ } else if (rd_wrbuf(*strp, arcn->sb.st_size) < arcn->sb.st_size) {
++ free(*strp);
++ *strp = NULL;
++ } else {
++ (*strp)[arcn->sb.st_size] = '\0';
++ (void)rd_skip(arcn->pad);
++ }
++ return 1;
++}
+diff --git a/bin/pax/buf_subs.c b/bin/pax/buf_subs.c
+index 68534dcbe25..e84f9e0d3d6 100644
+--- a/bin/pax/buf_subs.c
++++ b/bin/pax/buf_subs.c
+@@ -673,9 +673,7 @@ rd_wrfile(ARCHD *arcn, int ofd, off_t *left)
+ * pass the blocksize of the file being written to the write routine,
+ * if the size is zero, use the default MINFBSZ
+ */
+- if (ofd < 0)
+- sz = PAXPATHLEN + 1; /* GNU tar long link/file */
+- else if (fstat(ofd, &sb) == 0) {
++ if (fstat(ofd, &sb) == 0) {
+ if (sb.st_blksize > 0)
+ sz = (int)sb.st_blksize;
+ } else
+diff --git a/bin/pax/file_subs.c b/bin/pax/file_subs.c
+index 89b4872988b..8aa3d249923 100644
+--- a/bin/pax/file_subs.c
++++ b/bin/pax/file_subs.c
+@@ -919,7 +919,6 @@ file_write(int fd, char *str, int cnt, int *rem, int *isempt, int sz,
+ char *end;
+ int wcnt;
+ char *st = str;
+- char **strp;
+
+ /*
+ * while we have data to process
+@@ -978,29 +977,7 @@ file_write(int fd, char *str, int cnt, int *rem, int *isempt, int sz,
+ /*
+ * have non-zero data in this file system block, have to write
+ */
+- switch (fd) {
+- case -1:
+- strp = &gnu_name_string;
+- break;
+- case -2:
+- strp = &gnu_link_string;
+- break;
+- default:
+- strp = NULL;
+- break;
+- }
+- if (strp) {
+- if (*strp)
+- err(1, "WARNING! Major Internal Error! GNU hack Failing!");
+- *strp = malloc(wcnt + 1);
+- if (*strp == NULL) {
+- paxwarn(1, "Out of memory");
+- return(-1);
+- }
+- memcpy(*strp, st, wcnt);
+- (*strp)[wcnt] = '\0';
+- break;
+- } else if (write(fd, st, wcnt) != wcnt) {
++ if (write(fd, st, wcnt) != wcnt) {
+ syswarn(1, errno, "Failed write to file %s", name);
+ return(-1);
+ }
+--
+2.26.2
+
diff --git a/pkg/sys/openbsd/patch/0011-pax-Support-xz-compression-with-J-flag.patch b/pkg/sys/openbsd/patch/0011-pax-Support-xz-compression-with-J-flag.patch
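Review bot: In the new `rd_gnu_string()` of patch 0010, `arcn->sb.st_size` is used unchecked in `malloc(arcn->sb.st_size + 1)` and `rd_wrbuf(*strp, arcn->sb.st_size)`; that value presumably comes from the archive header, so a crafted archive chooses the allocation size. A negative or very large size is not rejected, and the prototype of rd_wrbuf is not visible here, so a narrowing conversion of the count cannot be ruled out. Adding a range check before the allocation, `if (arcn->sb.st_size < 0 || arcn->sb.st_size > PAXPATHLEN)`, followed by the same warn-and-skip path the out-of-memory branch uses, would bound it; PAXPATHLEN is the constant the removed rd_wrfile branch used and may need adjusting. Separately, the short-read branch frees the buffer without a warning, so a truncated long name is dropped silently.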
@@ -0,0 +1,90 @@ +From 86ce82bfd12c6db2468e3db4afd843cf081f71b2 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sat, 3 Dec 2016 23:50:27 -0800 +Subject: [PATCH] pax: Support xz compression with -J flag + +--- + bin/pax/options.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/bin/pax/options.c b/bin/pax/options.c +index 560478f2681..27de25d655b 100644 +--- a/bin/pax/options.c ++++ b/bin/pax/options.c +@@ -154,6 +154,7 @@ static int xz_id(char *_blk, int _size); + #define GZIP_CMD "gzip" /* command to run as gzip */ + #define COMPRESS_CMD "compress" /* command to run as compress */ + #define BZIP2_CMD "bzip2" /* command to run as bzip2 */ ++#define XZ_CMD "xz" /* command to run as xz */ + + /* + * Format specific routine table +@@ -300,7 +301,7 @@ pax_options(int argc, char **argv) + /* + * process option flags + */ +- while ((c=getopt(argc,argv,"ab:cdf:ijklno:p:rs:tuvwx:zB:DE:G:HLOPT:U:XYZ0")) ++ while ((c=getopt(argc,argv,"ab:cdf:ijklno:p:rs:tuvwx:zB:DE:G:HJLOPT:U:XYZ0")) + != -1) { + switch (c) { + case 'a': +@@ -556,6 +557,12 @@ pax_options(int argc, char **argv) + Hflag = 1; + flg |= CHF; + break; ++ case 'J': ++ /* ++ * use xz. Non standard option. ++ */ ++ gzip_program = XZ_CMD; ++ break; + case 'L': + /* + * follow symlinks +@@ -731,7 +738,7 @@ tar_options(int argc, char **argv) + * process option flags + */ + while ((c = getoldopt(argc, argv, +- "b:cef:hjmopqruts:vwxzBC:HI:LNOPXZ014578")) != -1) { ++ "b:cef:hjmopqruts:vwxzBC:HI:JLNOPXZ014578")) != -1) { + switch (c) { + case 'b': + /* +@@ -880,6 +887,12 @@ tar_options(int argc, char **argv) + incfiles[nincfiles - 1].file = optarg; + incfiles[nincfiles - 1].dir = chdname; + break; ++ case 'J': ++ /* ++ * use xz. Non standard option. 
++ */ ++ gzip_program = XZ_CMD; ++ break; + case 'L': + /* + * follow symlinks +@@ -1163,7 +1176,7 @@ cpio_options(int argc, char **argv) + dflag = 1; + act = -1; + nodirs = 1; +- while ((c=getopt(argc,argv,"abcdfijklmoprstuvzABC:E:F:H:I:LO:SZ6")) != -1) ++ while ((c=getopt(argc,argv,"abcdfijklmoprstuvzABC:E:F:H:I:JLO:SZ6")) != -1) + switch (c) { + case 'a': + /* +@@ -1347,6 +1360,12 @@ cpio_options(int argc, char **argv) + (void)fputs("\n\n", stderr); + cpio_usage(); + break; ++ case 'J': ++ /* ++ * use xz. Non standard option. ++ */ ++ gzip_program = XZ_CMD; ++ break; + case 'L': + /* + * follow symbolic links +-- +2.37.3 + diff --git a/pkg/sys/openbsd/patch/0012-setprogname-Explicitly-discard-const-qualifier.patch b/pkg/sys/openbsd/patch/0012-setprogname-Explicitly-discard-const-qualifier.patch @@ -0,0 +1,23 @@ +From 7cc3b8b8b1ca390b6ed65d3234827bc7393f9300 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sun, 11 Dec 2016 14:36:13 -0800 +Subject: [PATCH] setprogname: Explicitly discard const qualifier + +--- + lib/libc/gen/setprogname.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/libc/gen/setprogname.c b/lib/libc/gen/setprogname.c +index bce4cbdac44..0c1573c9162 100644 +--- a/lib/libc/gen/setprogname.c ++++ b/lib/libc/gen/setprogname.c +@@ -27,5 +27,5 @@ setprogname(const char *progname) + if (tmpn == NULL) + __progname = (char *)progname; + else +- __progname = tmpn + 1; ++ __progname = (char *)tmpn + 1; + } +-- +2.14.2 + diff --git a/pkg/sys/openbsd/patch/0013-readpassphrase-Support-systems-without-VSTATUS-and-T.patch b/pkg/sys/openbsd/patch/0013-readpassphrase-Support-systems-without-VSTATUS-and-T.patch 
@@ -0,0 +1,38 @@ +From d36036bbd959091b6442d003128342ed515af01b Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sun, 26 Feb 2017 17:01:33 -0800 +Subject: [PATCH] readpassphrase: Support systems without VSTATUS and TCSASOFT + +--- + lib/libc/gen/readpassphrase.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/libc/gen/readpassphrase.c b/lib/libc/gen/readpassphrase.c +index a1aeb342b..a50eaf003 100644 +--- a/lib/libc/gen/readpassphrase.c ++++ b/lib/libc/gen/readpassphrase.c +@@ -32,6 +32,10 @@ + #include <unistd.h> + #include <readpassphrase.h> + ++#ifndef TCSASOFT ++#define TCSASOFT 0 ++#endif ++ + static volatile sig_atomic_t signo[_NSIG]; + + static void handler(int); +@@ -81,8 +85,10 @@ restart: + memcpy(&term, &oterm, sizeof(term)); + if (!(flags & RPP_ECHO_ON)) + term.c_lflag &= ~(ECHO | ECHONL); ++#ifdef VSTATUS + if (term.c_cc[VSTATUS] != _POSIX_VDISABLE) + term.c_cc[VSTATUS] = _POSIX_VDISABLE; ++#endif + (void)tcsetattr(input, TCSAFLUSH|TCSASOFT, &term); + } else { + memset(&term, 0, sizeof(term)); +-- +2.12.2 + diff --git a/pkg/sys/openbsd/patch/0014-Remove-getpass-definition.patch b/pkg/sys/openbsd/patch/0014-Remove-getpass-definition.patch 
@@ -0,0 +1,36 @@ +From e76fda424564544bc8298fb5be7cda966451497d Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sun, 26 Feb 2017 17:12:56 -0800 +Subject: [PATCH] Remove getpass definition + +It is a legacy function and musl already provides an implementation. +--- + lib/libc/gen/readpassphrase.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/lib/libc/gen/readpassphrase.c b/lib/libc/gen/readpassphrase.c +index a50eaf003..57c6dc527 100644 +--- a/lib/libc/gen/readpassphrase.c ++++ b/lib/libc/gen/readpassphrase.c +@@ -183,16 +183,8 @@ restart: + } + DEF_WEAK(readpassphrase); + +-char * +-getpass(const char *prompt) +-{ +- static char buf[_PASSWORD_LEN + 1]; +- +- return(readpassphrase(prompt, buf, sizeof(buf), RPP_ECHO_OFF)); +-} +- +-static void handler(int s) ++static void ++handler(int s) + { +- + signo[s] = 1; + } +-- +2.12.2 + diff --git a/pkg/sys/openbsd/patch/0015-doas-Port-to-linux-musl.patch b/pkg/sys/openbsd/patch/0015-doas-Port-to-linux-musl.patch 
@@ -0,0 +1,581 @@ +From 8fa1e97f6927bf1afddb5923fff3d29c3389817d Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sun, 26 Feb 2017 16:50:55 -0800 +Subject: [PATCH] doas: Port to linux/musl + +Remove -a login style option and BSD authentication. Instead, compare +against shadow file. + +Use timestamp files in /run/doas instead of TIOC*VERAUTH to implement +persist. + +Use initgroups/setgid/setuid instead of setusercontext. + +Provide UID_MAX and GID_MAX defaults. + +Use LOGIN_NAME_MAX instead of _PW_NAME_LEN. + +Remove call to closefrom. + +Replace calls to errc with err after setting errno. + +Call openlog at start to set syslog identity. + +Remove unveil/pledge since they aren't supported on Linux. + +Simplify handling of PATH in the environment since we don't have +login.conf with per-user default PATH. +--- + usr.bin/doas/doas.1 | 9 --- + usr.bin/doas/doas.c | 168 +++++++++++++---------------------------- + usr.bin/doas/doas.h | 6 +- + usr.bin/doas/env.c | 17 ++--- + usr.bin/doas/parse.y | 1 + + usr.bin/doas/persist.c | 133 ++++++++++++++++++++++++++++++++ + 6 files changed, 198 insertions(+), 136 deletions(-) + create mode 100644 usr.bin/doas/persist.c + +diff --git a/usr.bin/doas/doas.1 b/usr.bin/doas/doas.1 +index 25827cc7104..3542680faf5 100644 +--- a/usr.bin/doas/doas.1 ++++ b/usr.bin/doas/doas.1 +@@ -22,7 +22,6 @@ + .Sh SYNOPSIS + .Nm doas + .Op Fl Lns +-.Op Fl a Ar style + .Op Fl C Ar config + .Op Fl u Ar user + .Ar command +@@ -67,14 +66,6 @@ The working directory is not changed. + .Pp + The options are as follows: + .Bl -tag -width tenletters +-.It Fl a Ar style +-Use the specified authentication style when validating the user, +-as allowed by +-.Pa /etc/login.conf . +-A list of doas-specific authentication methods may be configured by adding an +-.Sq auth-doas +-entry in +-.Xr login.conf 5 . 
+ .It Fl C Ar config + Parse and check the configuration file + .Ar config , +diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c +index 8b684d6006c..27d7b01014e 100644 +--- a/usr.bin/doas/doas.c ++++ b/usr.bin/doas/doas.c +@@ -20,8 +20,6 @@ + #include <sys/ioctl.h> + + #include <limits.h> +-#include <login_cap.h> +-#include <bsd_auth.h> + #include <readpassphrase.h> + #include <string.h> + #include <stdio.h> +@@ -33,13 +31,22 @@ + #include <syslog.h> + #include <errno.h> + #include <fcntl.h> ++#include <shadow.h> + + #include "doas.h" + ++#ifndef UID_MAX ++#define UID_MAX 65535 ++#endif ++ ++#ifndef GID_MAX ++#define GID_MAX 65535 ++#endif ++ + static void __dead + usage(void) + { +- fprintf(stderr, "usage: doas [-Lns] [-a style] [-C config] [-u user]" ++ fprintf(stderr, "usage: doas [-Lns] [-C config] [-u user]" + " command [arg ...]\n"); + exit(1); + } +@@ -200,16 +207,28 @@ checkconfig(const char *confpath, int argc, char **argv, + } + + static int +-authuser_checkpass(char *myname, char *login_style) ++verifypasswd(const char *user, const char *pass) ++{ ++ struct spwd *sp; ++ char *p1, *p2; ++ ++ sp = getspnam(user); ++ if (!sp) ++ return 0; ++ p1 = sp->sp_pwdp; ++ if (p1[0] == '!' 
|| p1[0] == '*') ++ return 0; ++ p2 = crypt(pass, p1); ++ if (!p2) ++ return 0; ++ return strcmp(p1, p2) == 0; ++} ++ ++static int ++authuser_checkpass(char *myname) + { + char *challenge = NULL, *response, rbuf[1024], cbuf[128]; +- auth_session_t *as; + +- if (!(as = auth_userchallenge(myname, login_style, "auth-doas", +- &challenge))) { +- warnx("Authentication failed"); +- return AUTH_FAILED; +- } + if (!challenge) { + char host[HOST_NAME_MAX + 1]; + +@@ -222,14 +241,12 @@ authuser_checkpass(char *myname, char *login_style) + response = readpassphrase(challenge, rbuf, sizeof(rbuf), + RPP_REQUIRE_TTY); + if (response == NULL && errno == ENOTTY) { +- syslog(LOG_AUTHPRIV | LOG_NOTICE, +- "tty required for %s", myname); ++ syslog(LOG_NOTICE, "tty required for %s", myname); + errx(1, "a tty is required"); + } +- if (!auth_userresponse(as, response, 0)) { ++ if (!verifypasswd(myname, response)) { + explicit_bzero(rbuf, sizeof(rbuf)); +- syslog(LOG_AUTHPRIV | LOG_NOTICE, +- "failed auth for %s", myname); ++ syslog(LOG_NOTICE, "failed auth for %s", myname); + warnx("Authentication failed"); + return AUTH_FAILED; + } +@@ -238,79 +255,36 @@ authuser_checkpass(char *myname, char *login_style) + } + + static void +-authuser(char *myname, char *login_style, int persist) ++authuser(char *myname, int persist) + { +- int i, fd = -1; ++ int i, fd = -1, valid = 0; + +- if (persist) +- fd = open("/dev/tty", O_RDWR); +- if (fd != -1) { +- if (ioctl(fd, TIOCCHKVERAUTH) == 0) ++ if (persist) { ++ fd = openpersist(&valid); ++ if (valid) + goto good; + } + for (i = 0; i < AUTH_RETRIES; i++) { +- if (authuser_checkpass(myname, login_style) == AUTH_OK) ++ if (authuser_checkpass(myname) == AUTH_OK) + goto good; + } + exit(1); + good: + if (fd != -1) { +- int secs = 5 * 60; +- ioctl(fd, TIOCSETVERAUTH, &secs); ++ setpersist(fd); + close(fd); + } + } + +-int +-unveilcommands(const char *ipath, const char *cmd) +-{ +- char *path = NULL, *p; +- int unveils = 0; +- +- if (strchr(cmd, '/') != 
NULL) { +- if (unveil(cmd, "x") != -1) +- unveils++; +- goto done; +- } +- +- if (!ipath) { +- errno = ENOENT; +- goto done; +- } +- path = strdup(ipath); +- if (!path) { +- errno = ENOENT; +- goto done; +- } +- for (p = path; p && *p; ) { +- char buf[PATH_MAX]; +- char *cp = strsep(&p, ":"); +- +- if (cp) { +- int r = snprintf(buf, sizeof buf, "%s/%s", cp, cmd); +- if (r >= 0 && r < sizeof buf) { +- if (unveil(buf, "x") != -1) +- unveils++; +- } +- } +- } +-done: +- free(path); +- return (unveils); +-} +- + int + main(int argc, char **argv) + { +- const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:" +- "/usr/local/bin:/usr/local/sbin"; + const char *confpath = NULL; + char *shargv[] = { NULL, NULL }; + char *sh; +- const char *p; + const char *cmd; + char cmdline[LINE_MAX]; +- char mypwbuf[_PW_BUF_LEN], targpwbuf[_PW_BUF_LEN]; ++ char mypwbuf[1024], targpwbuf[1024]; + struct passwd mypwstore, targpwstore; + struct passwd *mypw, *targpw; + const struct rule *rule; +@@ -323,28 +297,20 @@ main(int argc, char **argv) + int nflag = 0; + char cwdpath[PATH_MAX]; + const char *cwd; +- char *login_style = NULL; + char **envp; + + setprogname("doas"); +- +- closefrom(STDERR_FILENO + 1); ++ openlog("doas", 0, LOG_AUTHPRIV); + + uid = getuid(); + +- while ((ch = getopt(argc, argv, "a:C:Lnsu:")) != -1) { ++ while ((ch = getopt(argc, argv, "C:Lnsu:")) != -1) { + switch (ch) { +- case 'a': +- login_style = optarg; +- break; + case 'C': + confpath = optarg; + break; + case 'L': +- i = open("/dev/tty", O_RDWR); +- if (i != -1) +- ioctl(i, TIOCCLRVERAUTH); +- exit(i == -1); ++ exit(clearpersist() != 0); + case 'u': + if (parseuid(optarg, &target) != 0) + errx(1, "unknown user"); +@@ -414,50 +380,30 @@ main(int argc, char **argv) + cmd = argv[0]; + if (!permit(uid, groups, ngroups, &rule, target, cmd, + (const char **)argv + 1)) { +- syslog(LOG_AUTHPRIV | LOG_NOTICE, +- "command not permitted for %s: %s", mypw->pw_name, cmdline); +- errc(1, EPERM, NULL); ++ syslog(LOG_NOTICE, 
"command not permitted for %s: %s", mypw->pw_name, cmdline); ++ errno = EPERM; ++ err(1, NULL); + } + + if (!(rule->options & NOPASS)) { + if (nflag) + errx(1, "Authentication required"); + +- authuser(mypw->pw_name, login_style, rule->options & PERSIST); ++ authuser(mypw->pw_name, rule->options & PERSIST); + } + +- if ((p = getenv("PATH")) != NULL) +- formerpath = strdup(p); +- if (formerpath == NULL) +- formerpath = ""; +- +- if (unveil(_PATH_LOGIN_CONF, "r") == -1) +- err(1, "unveil %s", _PATH_LOGIN_CONF); +- if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1) +- err(1, "unveil %s.db", _PATH_LOGIN_CONF); +- if (unveil(_PATH_LOGIN_CONF_D, "r") == -1) +- err(1, "unveil %s", _PATH_LOGIN_CONF_D); +- if (rule->cmd) { +- if (setenv("PATH", safepath, 1) == -1) +- err(1, "failed to set PATH '%s'", safepath); +- } +- if (unveilcommands(getenv("PATH"), cmd) == 0) +- goto fail; +- +- if (pledge("stdio rpath getpw exec id", NULL) == -1) +- err(1, "pledge"); +- + rv = getpwuid_r(target, &targpwstore, targpwbuf, sizeof(targpwbuf), &targpw); + if (rv != 0) + err(1, "getpwuid_r failed"); + if (targpw == NULL) + errx(1, "no passwd entry for target"); + +- if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP | +- LOGIN_SETPATH | +- LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK | +- LOGIN_SETUSER | LOGIN_SETENV | LOGIN_SETRTABLE) != 0) +- errx(1, "failed to set user context for target"); ++ if (initgroups(targpw->pw_name, targpw->pw_gid) == -1) ++ err(1, "initgroups"); ++ if (setgid(targpw->pw_gid) == -1) ++ err(1, "setgid"); ++ if (setuid(targpw->pw_uid) == -1) ++ err(1, "setuid"); + + if (pledge("stdio rpath exec", NULL) == -1) + err(1, "pledge"); +@@ -471,23 +417,17 @@ main(int argc, char **argv) + err(1, "pledge"); + + if (!(rule->options & NOLOG)) { +- syslog(LOG_AUTHPRIV | LOG_INFO, +- "%s ran command %s as %s from %s", ++ syslog(LOG_INFO, "%s ran command %s as %s from %s", + mypw->pw_name, cmdline, targpw->pw_name, cwd); + } + + envp = prepenv(rule, mypw, targpw); + 
+- /* setusercontext set path for the next process, so reset it for us */ + if (rule->cmd) { + if (setenv("PATH", safepath, 1) == -1) + err(1, "failed to set PATH '%s'", safepath); +- } else { +- if (setenv("PATH", formerpath, 1) == -1) +- err(1, "failed to set PATH '%s'", formerpath); + } + execvpe(cmd, argv, envp); +-fail: + if (errno == ENOENT) + errx(1, "%s: command not found", cmd); + err(1, "%s", cmd); +diff --git a/usr.bin/doas/doas.h b/usr.bin/doas/doas.h +index b98fe353b18..6567625c471 100644 +--- a/usr.bin/doas/doas.h ++++ b/usr.bin/doas/doas.h +@@ -29,13 +29,17 @@ extern struct rule **rules; + extern size_t nrules; + extern int parse_error; + +-extern const char *formerpath; ++extern const char *safepath; + + struct passwd; + + char **prepenv(const struct rule *, const struct passwd *, + const struct passwd *); + ++int openpersist(int *valid); ++int setpersist(int fd); ++int clearpersist(void); ++ + #define PERMIT 1 + #define DENY 2 + +diff --git a/usr.bin/doas/env.c b/usr.bin/doas/env.c +index 2d93a4089b6..dc9be691955 100644 +--- a/usr.bin/doas/env.c ++++ b/usr.bin/doas/env.c +@@ -28,7 +28,7 @@ + + #include "doas.h" + +-const char *formerpath; ++const char *safepath = "/bin"; + + struct envnode { + RB_ENTRY(envnode) node; +@@ -103,7 +103,7 @@ createenv(const struct rule *rule, const struct passwd *mypw, + addnode(env, "DOAS_USER", mypw->pw_name); + addnode(env, "HOME", targpw->pw_dir); + addnode(env, "LOGNAME", targpw->pw_name); +- addnode(env, "PATH", getenv("PATH")); ++ addnode(env, "PATH", safepath); + addnode(env, "SHELL", targpw->pw_shell); + addnode(env, "USER", targpw->pw_name); + +@@ -200,17 +200,10 @@ fillenv(struct env *env, const char **envlist) + /* assign value or inherit from environ */ + if (eq) { + val = eq + 1; +- if (*val == '$') { +- if (strcmp(val + 1, "PATH") == 0) +- val = formerpath; +- else +- val = getenv(val + 1); +- } ++ if (*val == '$') ++ val = getenv(val + 1); + } else { +- if (strcmp(name, "PATH") == 0) +- val = 
formerpath; +- else +- val = getenv(name); ++ val = getenv(name); + } + /* at last, we have something to insert */ + if (val) { +diff --git a/usr.bin/doas/parse.y b/usr.bin/doas/parse.y +index 604becb5445..e5fc912a9c4 100644 +--- a/usr.bin/doas/parse.y ++++ b/usr.bin/doas/parse.y +@@ -20,6 +20,7 @@ + #include <ctype.h> + #include <limits.h> + #include <unistd.h> ++#include <stdlib.h> + #include <stdint.h> + #include <stdarg.h> + #include <stdio.h> +diff --git a/usr.bin/doas/persist.c b/usr.bin/doas/persist.c +new file mode 100644 +index 00000000000..4ad1bf1efbf +--- /dev/null ++++ b/usr.bin/doas/persist.c +@@ -0,0 +1,133 @@ ++#include <errno.h> ++#include <fcntl.h> ++#include <limits.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/stat.h> ++#include <sys/types.h> ++#include <time.h> ++#include <unistd.h> ++ ++#include "doas.h" ++ ++#define PERSIST_DIR "/run/doas" ++#define PERSIST_TIMEOUT 5 * 60 ++ ++static int ++ttyid(dev_t *tty) ++{ ++ int fd, i; ++ char buf[BUFSIZ], *p; ++ ssize_t n; ++ ++ fd = open("/proc/self/stat", O_RDONLY); ++ if (fd == -1) ++ return -1; ++ n = read(fd, buf, sizeof(buf) - 1); ++ if (n >= 0) ++ buf[n] = '\0'; ++ /* check that we read the whole file */ ++ n = read(fd, buf, 1); ++ close(fd); ++ if (n != 0) ++ return -1; ++ p = strrchr(buf, ')'); ++ if (!p) ++ return -1; ++ ++p; ++ /* ttr_nr is the 5th field after executable name, so skip the next 4 */ ++ for (i = 0; i < 4; ++i) { ++ p = strchr(++p, ' '); ++ if (!p) ++ return -1; ++ } ++ *tty = strtol(p, &p, 10); ++ if (*p != ' ') ++ return -1; ++ return 0; ++} ++ ++static int ++persistpath(char *buf, size_t len) ++{ ++ dev_t tty; ++ int n; ++ ++ if (ttyid(&tty) < 0) ++ return -1; ++ n = snprintf(buf, len, PERSIST_DIR "/%ju-%ju", (uintmax_t)getuid(), (uintmax_t)tty); ++ if (n < 0 || n >= (int)len) ++ return -1; ++ return 0; ++} ++ ++int ++openpersist(int *valid) ++{ ++ char path[256]; ++ struct stat st; ++ struct timespec ts; ++ int fd; ++ ++ if 
(stat(PERSIST_DIR, &st) < 0) { ++ if (errno != ENOENT) ++ return -1; ++ if (mkdir(PERSIST_DIR, 0700) < 0) ++ return -1; ++ } else if (st.st_uid != 0 || st.st_mode != (S_IFDIR | 0700)) { ++ return -1; ++ } ++ if (persistpath(path, sizeof(path)) < 0) ++ return -1; ++ fd = open(path, O_RDONLY); ++ if (fd == -1) { ++ char tmp[256]; ++ struct timespec ts[2] = { { .tv_nsec = UTIME_OMIT }, { 0 } }; ++ int n; ++ ++ n = snprintf(tmp, sizeof(tmp), PERSIST_DIR "/.tmp-%d", getpid()); ++ if (n < 0 || n >= (int)sizeof(tmp)) ++ return -1; ++ fd = open(tmp, O_RDONLY | O_CREAT | O_EXCL, 0); ++ if (fd == -1) ++ return -1; ++ if (futimens(fd, ts) < 0 || rename(tmp, path) < 0) { ++ close(fd); ++ unlink(tmp); ++ return -1; ++ } ++ *valid = 0; ++ } else { ++ *valid = clock_gettime(CLOCK_BOOTTIME, &ts) == 0 && ++ fstat(fd, &st) == 0 && ++ (ts.tv_sec < st.st_mtim.tv_sec || ++ (ts.tv_sec == st.st_mtim.tv_sec && ts.tv_nsec < st.st_mtim.tv_nsec)) && ++ st.st_mtime - ts.tv_sec <= PERSIST_TIMEOUT; ++ } ++ return fd; ++} ++ ++int ++setpersist(int fd) ++{ ++ struct timespec times[2]; ++ ++ if (clock_gettime(CLOCK_BOOTTIME, &times[1]) < 0) ++ return -1; ++ times[0].tv_nsec = UTIME_OMIT; ++ times[1].tv_sec += PERSIST_TIMEOUT; ++ return futimens(fd, times); ++} ++ ++int ++clearpersist(void) ++{ ++ char path[256]; ++ ++ if (persistpath(path, sizeof(path)) < 0) ++ return -1; ++ if (unlink(path) < 0 && errno != ENOENT) ++ return -1; ++ return 0; ++} +-- +2.37.3 + diff --git a/pkg/sys/openbsd/patch/0016-pwcache-Don-t-use-fixed-buffer-sizes.patch b/pkg/sys/openbsd/patch/0016-pwcache-Don-t-use-fixed-buffer-sizes.patch 
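Review bot: The new `verifypasswd()` passes `pass` straight to `crypt()`, but `authuser_checkpass()` only bails out on a NULL `readpassphrase()` result when `errno == ENOTTY`, so any other read failure reaches `crypt(NULL, ...)` in what is normally a setuid binary. Adding `if (!pass) return 0;` at the top of `verifypasswd()` makes that path fail closed as an ordinary authentication failure. Separately, `persistpath()` names the timestamp file only from the uid and the tty number, so the cached authentication presumably applies to anything that later runs under the same uid on that tty number within `PERSIST_TIMEOUT`. A comment next to `PERSIST_DIR` stating that binding would make the trade-off visible to whoever maintains the port.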
@@ -0,0 +1,92 @@ +From ab480e176692b91f2fb6fb9ea2e1725d980d805d Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Fri, 14 Apr 2017 11:25:01 -0700 +Subject: [PATCH] pwcache: Don't use fixed buffer sizes + +--- + lib/libc/gen/pwcache.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/lib/libc/gen/pwcache.c b/lib/libc/gen/pwcache.c +index d54daa08cc7..2f30f4b966b 100644 +--- a/lib/libc/gen/pwcache.c ++++ b/lib/libc/gen/pwcache.c +@@ -202,8 +202,7 @@ grptb_start(void) + const char * + user_from_uid(uid_t uid, int noname) + { +- struct passwd pwstore, *pw = NULL; +- char pwbuf[_PW_BUF_LEN]; ++ struct passwd *pw; + UIDC **pptr, *ptr = NULL; + + if ((uidtb != NULL) || (uidtb_start() == 0)) { +@@ -226,7 +225,7 @@ user_from_uid(uid_t uid, int noname) + *pptr = ptr = malloc(sizeof(UIDC)); + } + +- getpwuid_r(uid, &pwstore, pwbuf, sizeof(pwbuf), &pw); ++ pw = getpwuid(uid); + if (pw == NULL) { + /* + * no match for this uid in the local password file +@@ -263,8 +262,7 @@ user_from_uid(uid_t uid, int noname) + const char * + group_from_gid(gid_t gid, int noname) + { +- struct group grstore, *gr = NULL; +- char grbuf[_GR_BUF_LEN]; ++ struct group *gr; + GIDC **pptr, *ptr = NULL; + + if ((gidtb != NULL) || (gidtb_start() == 0)) { +@@ -287,7 +285,7 @@ group_from_gid(gid_t gid, int noname) + *pptr = ptr = malloc(sizeof(GIDC)); + } + +- getgrgid_r(gid, &grstore, grbuf, sizeof(grbuf), &gr); ++ gr = getgrgid(gid); + if (gr == NULL) { + /* + * no match for this gid in the local group file, put in +@@ -322,8 +320,7 @@ group_from_gid(gid_t gid, int noname) + int + uid_from_user(const char *name, uid_t *uid) + { +- struct passwd pwstore, *pw = NULL; +- char pwbuf[_PW_BUF_LEN]; ++ struct passwd *pw; + UIDC **pptr, *ptr = NULL; + size_t namelen; + +@@ -357,7 +354,7 @@ uid_from_user(const char *name, uid_t *uid) + * no match, look it up, if no match store it as an invalid entry, + * or store the matching uid + */ +- 
getpwnam_r(name, &pwstore, pwbuf, sizeof(pwbuf), &pw); ++ pw = getpwnam(name); + if (ptr == NULL) { + if (pw == NULL) + return -1; +@@ -383,8 +380,7 @@ uid_from_user(const char *name, uid_t *uid) + int + gid_from_group(const char *name, gid_t *gid) + { +- struct group grstore, *gr = NULL; +- char grbuf[_GR_BUF_LEN]; ++ struct group *gr; + GIDC **pptr, *ptr = NULL; + size_t namelen; + +@@ -418,7 +414,7 @@ gid_from_group(const char *name, gid_t *gid) + * no match, look it up, if no match store it as an invalid entry, + * or store the matching gid + */ +- getgrnam_r(name, &grstore, grbuf, sizeof(grbuf), &gr); ++ gr = getgrnam(name); + if (ptr == NULL) { + if (gr == NULL) + return -1; +-- +2.19.0 + diff --git a/pkg/sys/openbsd/patch/0017-Add-standalone-freezero.patch b/pkg/sys/openbsd/patch/0017-Add-standalone-freezero.patch 
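Review bot: Replacing the `_r` lookups with `getpwuid()`, `getgrgid()`, `getpwnam()` and `getgrnam()` means `user_from_uid()`, `group_from_gid()`, `uid_from_user()` and `gid_from_group()` now overwrite libc's static passwd/group storage on every cache miss, which the old calls with local buffers did not do. A caller that still holds a `struct passwd *` or `struct group *` from its own earlier lookup would see it clobbered, and the functions are no longer safe to call from more than one thread. The function bodies continue outside these hunks, so whether the result is copied into the cache entry before anything else runs cannot be confirmed here. I would record the constraint at each call, e.g. `/* result points into static storage: copy the name before any other passwd/group lookup */`.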
@@ -0,0 +1,51 @@ +From 98a3b77cfa775c87010159d49f5b17d84fe1aa7b Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Tue, 10 Oct 2017 03:07:56 -0700 +Subject: [PATCH] Add standalone freezero + +--- + lib/libc/stdlib/freezero.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + create mode 100644 lib/libc/stdlib/freezero.c + +diff --git a/lib/libc/stdlib/freezero.c b/lib/libc/stdlib/freezero.c +new file mode 100644 +index 00000000000..31face3828b +--- /dev/null ++++ b/lib/libc/stdlib/freezero.c +@@ -0,0 +1,32 @@ ++/* ++ * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> ++ * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> ++ * Copyright (c) 2008 Damien Miller <djm@openbsd.org> ++ * Copyright (c) 2000 Poul-Henning Kamp <phk@FreeBSD.org> ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++#include <string.h> ++#include <stdlib.h> ++ ++void ++freezero(void *ptr, size_t sz) ++{ ++ /* This is legal. */ ++ if (ptr == NULL) ++ return; ++ ++ explicit_bzero(ptr, sz); ++ free(ptr); ++} +-- +2.14.2 + diff --git a/pkg/sys/openbsd/patch/0018-m4-Use-hand-written-lexer-to-avoid-cycle-in-bootstra.patch b/pkg/sys/openbsd/patch/0018-m4-Use-hand-written-lexer-to-avoid-cycle-in-bootstra.patch 
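Review bot: The standalone `freezero()` trusts `sz` completely: `explicit_bzero(ptr, sz)` runs before `free(ptr)` and nothing here can compare `sz` with the real allocation, so a caller that passes a size larger than the block writes zeros past its end on the heap. The only comment in the function is "This is legal." on the NULL check, so that contract is undocumented. I would add a header comment such as `/* sz must not exceed the size originally allocated for ptr; this version cannot verify it */`.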
@@ -0,0 +1,327 @@ +From edf250c633bef40e7e37dafc9fc393dd2ad9074f Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Tue, 10 Apr 2018 13:37:14 -0700 +Subject: [PATCH] m4: Use hand-written lexer to avoid cycle in bootstrap + +--- + usr.bin/m4/tokenizer.c | 191 +++++++++++++++++++++++++++++++++++++++++ + usr.bin/m4/tokenizer.l | 109 ----------------------- + 2 files changed, 191 insertions(+), 109 deletions(-) + create mode 100644 usr.bin/m4/tokenizer.c + delete mode 100644 usr.bin/m4/tokenizer.l + +diff --git a/usr.bin/m4/tokenizer.c b/usr.bin/m4/tokenizer.c +new file mode 100644 +index 00000000000..fa19fc65035 +--- /dev/null ++++ b/usr.bin/m4/tokenizer.c +@@ -0,0 +1,191 @@ ++/* $OpenBSD: tokenizer.l,v 1.10 2017/06/17 01:55:16 bcallah Exp $ */ ++/* ++ * Copyright (c) 2004 Marc Espie <espie@cvs.openbsd.org> ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
++ */ ++#include "parser.tab.h" ++#include <assert.h> ++#include <ctype.h> ++#include <errno.h> ++#include <limits.h> ++#include <stdbool.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <stdint.h> ++ ++extern void m4_warnx(const char *, ...); ++extern int mimic_gnu; ++extern int32_t yylval; ++static const char *yypos; ++ ++void ++yy_scan_string(const char *s) ++{ ++ yypos = s; ++} ++ ++static int32_t ++number(const char *yytext, size_t yylen) ++{ ++ long l; ++ ++ errno = 0; ++ l = strtol(yytext, NULL, 0); ++ if (((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE) || ++ l > INT32_MAX || l < INT32_MIN) ++ m4_warnx("numeric overflow in expr: %.*s", (int)yylen, yytext); ++ return l; ++} ++ ++static int32_t ++parse_radix(const char *yytext, size_t yylen) ++{ ++ long base; ++ char *next; ++ long l; ++ int d; ++ ++ l = 0; ++ base = strtol(yytext+2, &next, 0); ++ if (base > 36 || next == NULL) { ++ m4_warnx("error in number %.*s", (int)yylen, yytext); ++ } else { ++ next++; ++ while (*next != 0) { ++ if (*next >= '0' && *next <= '9') ++ d = *next - '0'; ++ else if (*next >= 'a' && *next <= 'z') ++ d = *next - 'a' + 10; ++ else { ++ assert(*next >= 'A' && *next <= 'Z'); ++ d = *next - 'A' + 10; ++ } ++ if (d >= base) { ++ m4_warnx("error in number %.*s", (int)yylen, yytext); ++ return 0; ++ } ++ l = base * l + d; ++ next++; ++ } ++ } ++ return l; ++} ++ ++static int ++isodigit(int c) ++{ ++ return c >= '0' && c <= '7'; ++} ++ ++int yylex(void) ++{ ++ const char *start; ++ ++next: ++ start = yypos; ++ switch (*yypos) { ++ case ' ': ++ case '\t': ++ case '\n': ++ ++yypos; ++ goto next; ++ case '<': ++ switch (yypos[1]) { ++ case '=': ++ yypos += 2; ++ return LE; ++ case '<': ++ yypos += 2; ++ return LSHIFT; ++ } ++ break; ++ case '>': ++ switch (yypos[1]) { ++ case '=': ++ yypos += 2; ++ return GE; ++ case '>': ++ yypos += 2; ++ return RSHIFT; ++ } ++ break; ++ case '=': ++ if (yypos[1] != '=') ++ break; ++ yypos += 2; ++ return EQ; ++ case '!': ++ if (yypos[1] != 
'=') ++ break; ++ yypos += 2; ++ return NE; ++ case '&': ++ if (yypos[1] != '&') ++ break; ++ yypos += 2; ++ return LAND; ++ case '|': ++ if (yypos[1] != '|') ++ break; ++ yypos += 2; ++ return LOR; ++ case '*': ++ if (!mimic_gnu || yypos[1] != '*') ++ break; ++ yypos += 2; ++ return EXPONENT; ++ case '0': ++ switch (*++yypos) { ++ case 'x': ++ case 'X': ++ if (!isxdigit(*++yypos)) ++ return ERROR; ++ do ++yypos; ++ while (isxdigit(*yypos)); ++ break; ++ case 'r': ++ case 'R': ++ if (!mimic_gnu) ++ break; ++ if (!isdigit(*++yypos)) ++ return ERROR; ++ do ++yypos; ++ while (isdigit(*yypos)); ++ if (*yypos != ':') ++ return ERROR; ++ if (!isalnum(*++yypos)) ++ return ERROR; ++ do ++yypos; ++ while (isalnum(*yypos)); ++ yylval = parse_radix(start, yypos - start); ++ return NUMBER; ++ default: ++ do ++yypos; ++ while (isodigit(*yypos)); ++ break; ++ } ++ yylval = number(start, yypos - start); ++ return NUMBER; ++ case '\0': ++ return '\0'; ++ } ++ if (isdigit(*yypos)) { ++ do ++yypos; ++ while (isdigit(*yypos)); ++ yylval = number(start, yypos - start); ++ return NUMBER; ++ } ++ ++ return *yypos++; ++} +diff --git a/usr.bin/m4/tokenizer.l b/usr.bin/m4/tokenizer.l +deleted file mode 100644 +index 94f02fb6085..00000000000 +--- a/usr.bin/m4/tokenizer.l ++++ /dev/null +@@ -1,109 +0,0 @@ +-%{ +-/* $OpenBSD: tokenizer.l,v 1.10 2017/06/17 01:55:16 bcallah Exp $ */ +-/* +- * Copyright (c) 2004 Marc Espie <espie@cvs.openbsd.org> +- * +- * Permission to use, copy, modify, and distribute this software for any +- * purpose with or without fee is hereby granted, provided that the above +- * copyright notice and this permission notice appear in all copies. +- * +- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +- */ +-#include "parser.h" +-#include <assert.h> +-#include <stdlib.h> +-#include <errno.h> +-#include <stdint.h> +-#include <limits.h> +- +-extern void m4_warnx(const char *, ...); +-extern int mimic_gnu; +-extern int32_t yylval; +- +-int32_t number(void); +-int32_t parse_radix(void); +-%} +- +-delim [ \t\n] +-ws {delim}+ +-hex 0[xX][0-9a-fA-F]+ +-oct 0[0-7]* +-dec [1-9][0-9]* +-radix 0[rR][0-9]+:[0-9a-zA-Z]+ +- +-%option noyywrap +- +-%% +-{ws} {/* just skip it */} +-{hex}|{oct}|{dec} { yylval = number(); return(NUMBER); } +-{radix} { if (mimic_gnu) { +- yylval = parse_radix(); return(NUMBER); +- } else { +- return(ERROR); +- } +- } +-"<=" { return(LE); } +-">=" { return(GE); } +-"<<" { return(LSHIFT); } +-">>" { return(RSHIFT); } +-"==" { return(EQ); } +-"!=" { return(NE); } +-"&&" { return(LAND); } +-"||" { return(LOR); } +-"**" { if (mimic_gnu) { return (EXPONENT); } } +-. 
{ return yytext[0]; } +-%% +- +-int32_t +-number() +-{ +- long l; +- +- errno = 0; +- l = strtol(yytext, NULL, 0); +- if (((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE) || +- l > INT32_MAX || l < INT32_MIN) +- m4_warnx("numeric overflow in expr: %s", yytext); +- return l; +-} +- +-int32_t +-parse_radix() +-{ +- long base; +- char *next; +- long l; +- int d; +- +- l = 0; +- base = strtol(yytext+2, &next, 0); +- if (base > 36 || next == NULL) { +- m4_warnx("error in number %s", yytext); +- } else { +- next++; +- while (*next != 0) { +- if (*next >= '0' && *next <= '9') +- d = *next - '0'; +- else if (*next >= 'a' && *next <= 'z') +- d = *next - 'a' + 10; +- else { +- assert(*next >= 'A' && *next <= 'Z'); +- d = *next - 'A' + 10; +- } +- if (d >= base) { +- m4_warnx("error in number %s", yytext); +- return 0; +- } +- l = base * l + d; +- next++; +- } +- } +- return l; +-} +- +-- +2.17.0 + diff --git a/pkg/sys/openbsd/patch/0019-m4-Use-_Noreturn-instead-of-__dead.patch b/pkg/sys/openbsd/patch/0019-m4-Use-_Noreturn-instead-of-__dead.patch @@ -0,0 +1,25 @@ +From 0f0eb43f3d6fb749fac229e3d6c8f74b2c40ece2 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Tue, 10 Apr 2018 16:03:44 -0700 +Subject: [PATCH] m4: Use _Noreturn instead of __dead + +--- + usr.bin/m4/extern.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr.bin/m4/extern.h b/usr.bin/m4/extern.h +index ea8406b8540..0c07599777d 100644 +--- a/usr.bin/m4/extern.h ++++ b/usr.bin/m4/extern.h +@@ -113,7 +113,7 @@ extern void usage(void); + extern void resizedivs(int); + extern size_t buffer_mark(void); + extern void dump_buffer(FILE *, size_t); +-extern void __dead m4errx(int, const char *, ...); ++extern void _Noreturn m4errx(int, const char *, ...); + + extern int obtain_char(struct input_file *); + extern void set_input(struct input_file *, FILE *, const char *); +-- +2.17.0 + 
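Review bot: In the new `yylex()`, the `default:` arm under `case '0':` reads `do ++yypos; while (isodigit(*yypos));`, which advances once unconditionally even though `switch (*++yypos)` has already stepped past the `0`. For a lone `0` that moves over the terminating NUL, so the next read is out of bounds, and for `0+1` it swallows the operator; `while (isodigit(*yypos)) ++yypos;` keeps the octal scan without the extra step. `parse_radix()` has a related problem: it still loops on `while (*next != 0)` although `yytext` is no longer NUL-terminated at the token end, so it runs on into the rest of the expression and trips the `assert`; bounding it with `while (next < yytext + yylen)` would match what the flex version saw. The `isdigit`/`isxdigit`/`isalnum` calls also receive a plain `char` and should cast to `unsigned char` first.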
diff --git a/pkg/sys/openbsd/patch/0020-m4-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0020-m4-Add-missing-includes.patch @@ -0,0 +1,50 @@ +From 3cc2a61c553d138778a6ec1dd84cd042ce834b4e Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Tue, 10 Apr 2018 16:24:12 -0700 +Subject: [PATCH] m4: Add missing includes + +--- + usr.bin/m4/look.c | 1 + + usr.bin/m4/main.c | 1 + + usr.bin/m4/parser.y | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/usr.bin/m4/look.c b/usr.bin/m4/look.c +index ac504570a9f..5feb0413cd6 100644 +--- a/usr.bin/m4/look.c ++++ b/usr.bin/m4/look.c +@@ -38,6 +38,7 @@ + * by: oz + */ + ++#include <sys/cdefs.h> + #include <stdio.h> + #include <stdlib.h> + #include <stdint.h> +diff --git a/usr.bin/m4/main.c b/usr.bin/m4/main.c +index f1b8fa5a55b..4e664c0a50b 100644 +--- a/usr.bin/m4/main.c ++++ b/usr.bin/m4/main.c +@@ -39,6 +39,7 @@ + * by: oz + */ + ++#include <sys/cdefs.h> + #include <assert.h> + #include <signal.h> + #include <err.h> +diff --git a/usr.bin/m4/parser.y b/usr.bin/m4/parser.y +index 5b46d261a9a..fedded1e44c 100644 +--- a/usr.bin/m4/parser.y ++++ b/usr.bin/m4/parser.y +@@ -17,6 +17,7 @@ + */ + #include <math.h> + #include <stdint.h> ++#include <stdlib.h> + #define YYSTYPE int32_t + extern int32_t end_result; + extern int yylex(void); +-- +2.22.0 + diff --git a/pkg/sys/openbsd/patch/0021-libutil-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0021-libutil-Add-missing-includes.patch 
@@ -0,0 +1,24 @@
+From 72cfeec702c7b76cce88be4c411ce40a8abb628c Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 10 Apr 2018 16:23:22 -0700
+Subject: [PATCH] libutil: Add missing includes
+
+---
+ lib/libutil/ohash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/libutil/ohash.c b/lib/libutil/ohash.c
+index 74ca4fafd9c..9537c60eac4 100644
+--- a/lib/libutil/ohash.c
++++ b/lib/libutil/ohash.c
+@@ -15,6 +15,7 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
++#include <sys/cdefs.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <stdlib.h>
+--
+2.17.0
+
diff --git a/pkg/sys/openbsd/patch/0022-acme-client-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0022-acme-client-Add-missing-includes.patch
@@ -0,0 +1,25 @@
+From 7ea4349d2ed8afd672348a7d2f3534007e5dc442 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 18 Mar 2019 14:52:31 -0700
+Subject: [PATCH] acme-client: Add missing includes
+
+---
+ usr.sbin/acme-client/extern.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
+index dda2edde4..d83ead634 100644
+--- a/usr.sbin/acme-client/extern.h
++++ b/usr.sbin/acme-client/extern.h
+@@ -17,6 +17,8 @@
+ #ifndef EXTERN_H
+ #define EXTERN_H
+
++#include <sys/cdefs.h>
++#include <sys/types.h>
+ #include "parse.h"
+
+ #define MAX_SERVERS_DNS 8
+--
+2.21.0
+
diff --git a/pkg/sys/openbsd/patch/0023-rsync-Add-missing-includes.patch b/pkg/sys/openbsd/patch/0023-rsync-Add-missing-includes.patch
@@ -0,0 +1,42 @@
+From d423093f8dec64533733deb0762353f68b0adeb2 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Fri, 14 Jun 2019 12:40:56 -0700
+Subject: [PATCH] rsync: Add missing includes
+
+- stdio.h in socket.c for sscanf
+- stdint.h in extern.h for fixed-width integer types
+- sys/types.h in extern.h for various type definitions
+---
+ usr.bin/rsync/extern.h | 3 +++
+ usr.bin/rsync/socket.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/usr.bin/rsync/extern.h b/usr.bin/rsync/extern.h
+index 2815f82cf89..a3f2a15b959 100644
+--- a/usr.bin/rsync/extern.h
++++ b/usr.bin/rsync/extern.h
+@@ -17,6 +17,9 @@
+ #ifndef EXTERN_H
+ #define EXTERN_H
+
++#include <stdint.h>
++#include <sys/types.h>
++
+ /*
+ * This is the rsync protocol version that we support.
+ */
+diff --git a/usr.bin/rsync/socket.c b/usr.bin/rsync/socket.c
+index 953b229afbc..aa95cce9369 100644
+--- a/usr.bin/rsync/socket.c
++++ b/usr.bin/rsync/socket.c
+@@ -28,6 +28,7 @@
+ #include <poll.h>
+ #include <resolv.h>
+ #include <stdlib.h>
++#include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+ #include <err.h>
+--
+2.34.1
+
diff --git a/pkg/sys/openbsd/patch/0024-rsync-Use-standard-S_ISVTX-instead-of-S_ISTXT.patch b/pkg/sys/openbsd/patch/0024-rsync-Use-standard-S_ISVTX-instead-of-S_ISTXT.patch
@@ -0,0 +1,34 @@
+From d5670219baefe6769a42984abb93e19d8a43dada Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Fri, 14 Jun 2019 12:42:15 -0700
+Subject: [PATCH] rsync: Use standard S_ISVTX instead of S_ISTXT
+
+---
+ usr.bin/rsync/receiver.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/usr.bin/rsync/receiver.c b/usr.bin/rsync/receiver.c
+index 6e5b01670cd..67510b3e932 100644
+--- a/usr.bin/rsync/receiver.c
++++ b/usr.bin/rsync/receiver.c
+@@ -87,7 +87,7 @@ rsync_set_metadata(struct sess *sess, int newfile,
+ "to user.group: %u.%u", f->path, uid, gid);
+ } else
+ LOG4("%s: updated uid and/or gid", f->path);
+- mode &= ~(S_ISTXT | S_ISUID | S_ISGID);
++ mode &= ~(S_ISVTX | S_ISUID | S_ISGID);
+ }
+
+ /* Conditionally adjust file permissions. */
+@@ -148,7 +148,7 @@ rsync_set_metadata_at(struct sess *sess, int newfile, int rootfd,
+ "to user.group: %u.%u", f->path, uid, gid);
+ } else
+ LOG4("%s: updated uid and/or gid", f->path);
+- mode &= ~(S_ISTXT | S_ISUID | S_ISGID);
++ mode &= ~(S_ISVTX | S_ISUID | S_ISGID);
+ }
+
+ /* Conditionally adjust file permissions. */
+--
+2.34.1
+
diff --git a/pkg/sys/openbsd/patch/0025-rsync-Avoid-pointer-arithmetic-on-void.patch b/pkg/sys/openbsd/patch/0025-rsync-Avoid-pointer-arithmetic-on-void.patch
@@ -0,0 +1,149 @@ +From b93dee95670eccc6a5c34f1f8a3b828998d0da7b Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Sat, 15 Jun 2019 20:06:13 -0700 +Subject: [PATCH] rsync: Avoid pointer arithmetic on `void *` + +--- + usr.bin/rsync/blocks.c | 8 ++++---- + usr.bin/rsync/downloader.c | 2 +- + usr.bin/rsync/io.c | 12 ++++++------ + usr.bin/rsync/sender.c | 5 +++-- + 4 files changed, 14 insertions(+), 13 deletions(-) + +diff --git a/usr.bin/rsync/blocks.c b/usr.bin/rsync/blocks.c +index 56790729f27..906733c968e 100644 +--- a/usr.bin/rsync/blocks.c ++++ b/usr.bin/rsync/blocks.c +@@ -157,7 +157,7 @@ blk_find(struct sess *sess, struct blkstat *st, + if (!recomp) { + fhash = (st->s1 & 0xFFFF) | (st->s2 << 16); + } else { +- fhash = hash_fast(st->map + st->offs, (size_t)osz); ++ fhash = hash_fast((char *)st->map + st->offs, (size_t)osz); + st->s1 = fhash & 0xFFFF; + st->s2 = fhash >> 16; + } +@@ -170,7 +170,7 @@ blk_find(struct sess *sess, struct blkstat *st, + if (st->hint < blks->blksz && + fhash == blks->blks[st->hint].chksum_short && + (size_t)osz == blks->blks[st->hint].len) { +- hash_slow(st->map + st->offs, (size_t)osz, md, sess); ++ hash_slow((char *)st->map + st->offs, (size_t)osz, md, sess); + have_md = 1; + if (memcmp(md, blks->blks[st->hint].chksum_long, blks->csum) == 0) { + LOG4("%s: found matching hinted match: " +@@ -203,7 +203,7 @@ blk_find(struct sess *sess, struct blkstat *st, + (intmax_t)ent->blk->offs, ent->blk->len); + + if (have_md == 0) { +- hash_slow(st->map + st->offs, (size_t)osz, md, sess); ++ hash_slow((char *)st->map + st->offs, (size_t)osz, md, sess); + have_md = 1; + } + +@@ -221,7 +221,7 @@ blk_find(struct sess *sess, struct blkstat *st, + * block in the sequence. 
+ */ + +- map = st->map + st->offs; ++ map = (char *)st->map + st->offs; + st->s1 -= map[0]; + st->s2 -= osz * map[0]; + +diff --git a/usr.bin/rsync/downloader.c b/usr.bin/rsync/downloader.c +index cab6eb23f9f..07ec334f6b4 100644 +--- a/usr.bin/rsync/downloader.c ++++ b/usr.bin/rsync/downloader.c +@@ -495,7 +495,7 @@ again: + sz = tok == p->blk.blksz - 1 ? p->blk.rem : p->blk.len; + assert(sz); + assert(p->map != MAP_FAILED); +- buf = p->map + (tok * p->blk.len); ++ buf = (char *)p->map + (tok * p->blk.len); + + /* + * Now we read from our block. +diff --git a/usr.bin/rsync/io.c b/usr.bin/rsync/io.c +index dc224ae8aed..fcf9e92dbaa 100644 +--- a/usr.bin/rsync/io.c ++++ b/usr.bin/rsync/io.c +@@ -117,7 +117,7 @@ io_write_blocking(int fd, const void *buf, size_t sz) + ERRX("io_write_nonblocking: short write"); + return 0; + } +- buf += wsz; ++ buf = (char *)buf + wsz; + sz -= wsz; + } + +@@ -156,7 +156,7 @@ io_write_buf(struct sess *sess, int fd, const void *buf, size_t sz) + } + sess->total_write += wsz; + sz -= wsz; +- buf += wsz; ++ buf = (char *)buf + wsz; + } + + return 1; +@@ -250,7 +250,7 @@ io_read_blocking(int fd, void *buf, size_t sz) + ERRX("io_read_nonblocking: short read"); + return 0; + } +- buf += rsz; ++ buf = (char *)buf + rsz; + sz -= rsz; + } + +@@ -367,7 +367,7 @@ io_read_buf(struct sess *sess, int fd, void *buf, size_t sz) + } + sz -= rsz; + sess->mplex_read_remain -= rsz; +- buf += rsz; ++ buf = (char *)buf + rsz; + sess->total_read += rsz; + continue; + } +@@ -463,7 +463,7 @@ io_buffer_buf(void *buf, size_t *bufpos, size_t buflen, const void *val, + { + + assert(*bufpos + valsz <= buflen); +- memcpy(buf + *bufpos, val, valsz); ++ memcpy((char *)buf + *bufpos, val, valsz); + *bufpos += valsz; + } + +@@ -662,7 +662,7 @@ io_unbuffer_buf(const void *buf, size_t *bufpos, size_t bufsz, void *val, + { + + assert(*bufpos + valsz <= bufsz); +- memcpy(val, buf + *bufpos, valsz); ++ memcpy(val, (char *)buf + *bufpos, valsz); + *bufpos += valsz; + } + +diff 
--git a/usr.bin/rsync/sender.c b/usr.bin/rsync/sender.c +index e2999aa2589..9dd008def01 100644 +--- a/usr.bin/rsync/sender.c ++++ b/usr.bin/rsync/sender.c +@@ -128,7 +128,7 @@ send_up_fsm(struct sess *sess, size_t *phase, + return 0; + } + io_lowbuffer_buf(sess, *wb, &pos, *wbsz, +- up->stat.map + up->stat.curpos, sz); ++ (char *)up->stat.map + up->stat.curpos, sz); + + up->stat.curpos += sz; + if (up->stat.curpos == up->stat.curlen) +@@ -557,7 +557,8 @@ rsync_sender(struct sess *sess, int fdin, + if ((pfd[1].revents & POLLOUT) && wbufsz > 0) { + assert(pfd[2].fd == -1); + assert(wbufsz - wbufpos); +- ssz = write(fdout, wbuf + wbufpos, wbufsz - wbufpos); ++ ssz = write(fdout, ++ (char *)wbuf + wbufpos, wbufsz - wbufpos); + if (ssz == -1) { + ERR("write"); + goto out; +-- +2.37.3 + diff --git a/pkg/sys/openbsd/patch/0026-Include-sys-sysmacros.h-if-necessary.patch b/pkg/sys/openbsd/patch/0026-Include-sys-sysmacros.h-if-necessary.patch 
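Review bot: The casts added in io.c drop the `const` qualifier: `io_write_blocking`, `io_write_buf` and `io_unbuffer_buf` all take `const void *buf`, yet the new lines cast it to plain `char *`. Nothing visible writes through the result, but the cast switches off the qualifier check that would catch a later accidental write into a caller's read-only buffer, and it trips `-Wcast-qual`. I would write `buf = (const char *)buf + wsz;` in the two write loops and `memcpy(val, (const char *)buf + *bufpos, valsz);` in `io_unbuffer_buf`. The `map` casts in blocks.c, downloader.c and sender.c may need the same treatment, depending on how those fields are declared, which the hunks do not show.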
@@ -0,0 +1,73 @@
+From 0d3a091280d0874fb561c83431803eb2489876cb Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Mon, 5 Aug 2019 21:42:54 -0700
+Subject: [PATCH] Include sys/sysmacros.h if necessary
+
+---
+ bin/pax/cpio.c | 4 ++++
+ bin/pax/gen_subs.c | 3 +++
+ bin/pax/tar.c | 3 +++
+ usr.bin/rsync/flist.c | 4 ++++
+ 4 files changed, 14 insertions(+)
+
+diff --git a/bin/pax/cpio.c b/bin/pax/cpio.c
+index 92fe965163a..3832b1e87aa 100644
+--- a/bin/pax/cpio.c
++++ b/bin/pax/cpio.c
+@@ -41,6 +41,10 @@
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
++#ifndef major
++#include <sys/sysmacros.h>
++#endif
++
+ #include "pax.h"
+ #include "cpio.h"
+ #include "extern.h"
+diff --git a/bin/pax/gen_subs.c b/bin/pax/gen_subs.c
+index 42c70804fb7..405dd2c24ed 100644
+--- a/bin/pax/gen_subs.c
++++ b/bin/pax/gen_subs.c
+@@ -45,6 +45,9 @@
+ #include <unistd.h>
+ #include <utmp.h>
+ #include <vis.h>
++#ifndef major
++#include <sys/sysmacros.h>
++#endif
+
+ #include "pax.h"
+ #include "extern.h"
+diff --git a/bin/pax/tar.c b/bin/pax/tar.c
+index 9d8a92d9d13..e84a9c69a09 100644
+--- a/bin/pax/tar.c
++++ b/bin/pax/tar.c
+@@ -45,6 +45,9 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#ifndef major
++#include <sys/sysmacros.h>
++#endif
+
+ #include "pax.h"
+ #include "extern.h"
+diff --git a/usr.bin/rsync/flist.c b/usr.bin/rsync/flist.c
+index 392ba494423..5f15487623a 100644
+--- a/usr.bin/rsync/flist.c
++++ b/usr.bin/rsync/flist.c
+@@ -16,6 +16,10 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+ #include <sys/stat.h>
++#include <sys/types.h>
++#ifndef major
++#include <sys/sysmacros.h>
++#endif
+
+ #include <assert.h>
+ #include <errno.h>
+--
+2.34.1
+
diff --git a/pkg/sys/openbsd/patch/0027-nc-Portability-fixes-from-libressl-portable.patch b/pkg/sys/openbsd/patch/0027-nc-Portability-fixes-from-libressl-portable.patch
@@ -0,0 +1,194 @@ +From 6c278af8cc6a9fcb94b9bbe572b0bd3f7dd492c1 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Mon, 2 Dec 2019 21:11:04 -0800 +Subject: [PATCH] nc: Portability fixes from libressl-portable + +--- + usr.bin/nc/netcat.c | 55 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 48 insertions(+), 7 deletions(-) + +diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c +index c8f1cdd9f75..7369ed85619 100644 +--- a/usr.bin/nc/netcat.c ++++ b/usr.bin/nc/netcat.c +@@ -93,9 +93,13 @@ int zflag; /* Port Scan Flag */ + int Dflag; /* sodebug */ + int Iflag; /* TCP receive buffer size */ + int Oflag; /* TCP send buffer size */ ++#ifdef TCP_MD5SIG + int Sflag; /* TCP MD5 signature option */ ++#endif + int Tflag = -1; /* IP Type of Service */ ++#ifdef SO_RTABLE + int rtableid = -1; ++#endif + + int usetls; /* use TLS */ + const char *Cflag; /* Public cert file */ +@@ -268,12 +272,14 @@ main(int argc, char *argv[]) + case 'u': + uflag = 1; + break; ++#ifdef SO_RTABLE + case 'V': + rtableid = (int)strtonum(optarg, 0, + RT_TABLEID_MAX, &errstr); + if (errstr) + errx(1, "rtable %s: %s", errstr, optarg); + break; ++#endif + case 'v': + vflag = 1; + break; +@@ -320,9 +326,11 @@ main(int argc, char *argv[]) + case 'o': + oflag = optarg; + break; ++#ifdef TCP_MD5SIG + case 'S': + Sflag = 1; + break; ++#endif + case 'T': + errstr = NULL; + errno = 0; +@@ -346,9 +354,11 @@ main(int argc, char *argv[]) + argc -= optind; + argv += optind; + ++#ifdef SO_RTABLE + if (rtableid >= 0) + if (setrtable(rtableid) == -1) + err(1, "setrtable"); ++#endif + + /* Cruft to make sure options are clean, and used properly. 
*/ + if (argc == 1 && family == AF_UNIX) { +@@ -927,7 +937,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, + char *ipaddr) + { + struct addrinfo *res, *res0; +- int s = -1, error, herr, on = 1, save_errno; ++ int s = -1, error, herr, save_errno; ++#ifdef SO_BINDANY ++ int on = 1; ++#endif + + if ((error = getaddrinfo(host, port, &hints, &res0))) + errx(1, "getaddrinfo for host \"%s\" port %s: %s", host, +@@ -942,8 +955,10 @@ remote_connect(const char *host, const char *port, struct addrinfo hints, + if (sflag || pflag) { + struct addrinfo ahints, *ares; + ++#ifdef SO_BINDANY + /* try SO_BINDANY, but don't insist */ + setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on)); ++#endif + memset(&ahints, 0, sizeof(struct addrinfo)); + ahints.ai_family = res->ai_family; + ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM; +@@ -1035,8 +1050,11 @@ int + local_listen(const char *host, const char *port, struct addrinfo hints) + { + struct addrinfo *res, *res0; +- int s = -1, ret, x = 1, save_errno; ++ int s = -1, save_errno; + int error; ++#ifdef SO_REUSEPORT ++ int ret, x = 1; ++#endif + + /* Allow nodename to be null. 
*/ + hints.ai_flags |= AI_PASSIVE; +@@ -1056,9 +1074,11 @@ local_listen(const char *host, const char *port, struct addrinfo hints) + res->ai_protocol)) == -1) + continue; + ++#ifdef SO_REUSEPORT + ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x)); + if (ret == -1) + err(1, NULL); ++#endif + + set_common_sockopts(s, res->ai_family); + +@@ -1557,11 +1577,13 @@ set_common_sockopts(int s, int af) + { + int x = 1; + ++#ifdef TCP_MD5SIG + if (Sflag) { + if (setsockopt(s, IPPROTO_TCP, TCP_MD5SIG, + &x, sizeof(x)) == -1) + err(1, NULL); + } ++#endif + if (Dflag) { + if (setsockopt(s, SOL_SOCKET, SO_DEBUG, + &x, sizeof(x)) == -1) +@@ -1572,9 +1594,16 @@ set_common_sockopts(int s, int af) + IP_TOS, &Tflag, sizeof(Tflag)) == -1) + err(1, "set IP ToS"); + ++#ifdef IPV6_TCLASS + else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, + IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1) + err(1, "set IPv6 traffic class"); ++#else ++ else if (af == AF_INET6) { ++ errno = ENOPROTOOPT; ++ err(1, "set IPv6 traffic class not supported"); ++ } ++#endif + } + if (Iflag) { + if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, +@@ -1598,13 +1627,17 @@ set_common_sockopts(int s, int af) + } + + if (minttl != -1) { ++#ifdef IP_MINTTL + if (af == AF_INET && setsockopt(s, IPPROTO_IP, + IP_MINTTL, &minttl, sizeof(minttl))) + err(1, "set IP min TTL"); ++#endif + +- else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, ++#ifdef IPV6_MINHOPCOUNT ++ if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6, + IPV6_MINHOPCOUNT, &minttl, sizeof(minttl))) + err(1, "set IPv6 min hop count"); ++#endif + } + } + +@@ -1829,14 +1862,22 @@ help(void) + \t-P proxyuser\tUsername for proxy authentication\n\ + \t-p port\t Specify local port for remote connects\n\ + \t-R CAfile CA bundle\n\ +- \t-r Randomize remote ports\n\ +- \t-S Enable the TCP MD5 signature option\n\ ++ \t-r Randomize remote ports\n" ++#ifdef TCP_MD5SIG ++ "\ ++ \t-S Enable the TCP MD5 signature option\n" ++#endif ++ "\ + \t-s sourceaddr Local source 
address\n\ + \t-T keyword TOS value or TLS options\n\ + \t-t Answer TELNET negotiation\n\ + \t-U Use UNIX domain socket\n\ +- \t-u UDP mode\n\ +- \t-V rtable Specify alternate routing table\n\ ++ \t-u UDP mode\n" ++#ifdef SO_RTABLE ++ "\ ++ \t-V rtable Specify alternate routing table\n" ++#endif ++ "\ + \t-v Verbose\n\ + \t-W recvlimit Terminate after receiving a number of packets\n\ + \t-w timeout Timeout for connects and final net reads\n\ +-- +2.37.3 + diff --git a/pkg/sys/openbsd/patch/0028-pax-Ignore-EOPNOTSUPP-from-fchmodat.patch b/pkg/sys/openbsd/patch/0028-pax-Ignore-EOPNOTSUPP-from-fchmodat.patch @@ -0,0 +1,26 @@ +From 0f49ae38698a163f7954d28bbaba473b6bf28239 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Fri, 10 Jan 2020 21:40:03 -0800 +Subject: [PATCH] pax: Ignore EOPNOTSUPP from fchmodat + +Linux does not support changing the mode of symlinks. +--- + bin/pax/file_subs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/pax/file_subs.c b/bin/pax/file_subs.c +index 8aa3d249923..2c0994feca6 100644 +--- a/bin/pax/file_subs.c ++++ b/bin/pax/file_subs.c +@@ -795,7 +795,7 @@ void + set_pmode(char *fnm, mode_t mode) + { + mode &= ABITS; +- if (fchmodat(AT_FDCWD, fnm, mode, AT_SYMLINK_NOFOLLOW) == -1) ++ if (fchmodat(AT_FDCWD, fnm, mode, AT_SYMLINK_NOFOLLOW) == -1 && errno != EOPNOTSUPP) + syswarn(1, errno, "Could not set permissions on %s", fnm); + } + +-- +2.26.2 + diff --git a/pkg/sys/openbsd/patch/0029-acme-client-Fix-build-with-old-bison-versions.patch b/pkg/sys/openbsd/patch/0029-acme-client-Fix-build-with-old-bison-versions.patch 
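Review bot: In `set_common_sockopts` the minimum-TTL request is dropped silently when the platform lacks `IP_MINTTL` or `IPV6_MINHOPCOUNT`, so a user who asks for the TTL filter gets a socket without it and no diagnostic. The IPv6 traffic-class branch in the same function already fails closed in its `#else` arm with `errno = ENOPROTOOPT; err(1, ...)`, and the two min-TTL blocks should get a matching `#else`, e.g. `if (af == AF_INET) { errno = ENOPROTOOPT; err(1, "set IP min TTL not supported"); }`. The function body extends beyond the hunk, and the option parsing that sets `minttl` is not visible here.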
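Review bot: `set_pmode` now ignores `EOPNOTSUPP` for every path, although the commit message justifies it only for symlinks. On a libc whose `fchmodat` rejects `AT_SYMLINK_NOFOLLOW` outright, a regular file or directory extracted from an archive would keep its creation mode with no warning at all. I would stay quiet only after confirming that the target really is a symlink and keep the warning otherwise, as sketched below; this assumes `lstat` and `S_ISLNK` are already available in file_subs.c, which the hunk does not show.

```c
set_pmode(char *fnm, mode_t mode)
	mode &= ABITS;
	if (fchmodat(AT_FDCWD, fnm, mode, AT_SYMLINK_NOFOLLOW) == -1) {
		int serrno = errno;
		struct stat sb;

		/* Linux cannot chmod a symlink: stay quiet only for that case. */
		if (serrno == EOPNOTSUPP && lstat(fnm, &sb) == 0 &&
		    S_ISLNK(sb.st_mode))
			return;
		syswarn(1, serrno, "Could not set permissions on %s", fnm);
	}
```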
@@ -0,0 +1,24 @@
+From c3aab43559f17feb64a29f8b0d395532cb423e8b Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 15 Apr 2020 20:26:16 -0700
+Subject: [PATCH] acme-client: Fix build with old bison versions
+
+---
+ usr.sbin/acme-client/parse.y | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
+index 20818328d92..f392e516b63 100644
+--- a/usr.sbin/acme-client/parse.y
++++ b/usr.sbin/acme-client/parse.y
+@@ -97,6 +97,7 @@ typedef struct {
+ } v;
+ int lineno;
+ } YYSTYPE;
++#define YYSTYPE_IS_DECLARED 1
+
+ %}
+
+--
+2.26.1
+
diff --git a/pkg/sys/openbsd/patch/0030-rsync-Add-implementation-of-MD4.patch b/pkg/sys/openbsd/patch/0030-rsync-Add-implementation-of-MD4.patch
@@ -0,0 +1,410 @@ +From 01657f2c1445cf4874337a0966a76f24ba9c9536 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Wed, 15 Apr 2020 22:10:06 -0700 +Subject: [PATCH] rsync: Add implementation of MD4 + +--- + usr.bin/rsync/Makefile | 2 +- + usr.bin/rsync/blocks.c | 2 +- + usr.bin/rsync/downloader.c | 2 +- + usr.bin/rsync/hash.c | 2 +- + usr.bin/rsync/md4.c | 266 +++++++++++++++++++++++++++++++++++++ + usr.bin/rsync/md4.h | 47 +++++++ + usr.bin/rsync/sender.c | 2 +- + 7 files changed, 318 insertions(+), 5 deletions(-) + create mode 100644 usr.bin/rsync/md4.c + create mode 100644 usr.bin/rsync/md4.h + +diff --git a/usr.bin/rsync/Makefile b/usr.bin/rsync/Makefile +index 3c60f18e07f..172045ce7ac 100644 +--- a/usr.bin/rsync/Makefile ++++ b/usr.bin/rsync/Makefile +@@ -2,7 +2,7 @@ + + PROG= openrsync + SRCS= blocks.c client.c copy.c downloader.c fargs.c flist.c hash.c ids.c \ +- io.c log.c main.c misc.c mkpath.c mktemp.c receiver.c rmatch.c \ ++ io.c log.c main.c md4.c misc.c mkpath.c mktemp.c receiver.c rmatch.c \ + rules.c sender.c server.c session.c socket.c symlinks.c uploader.c + LDADD+= -lcrypto -lm -lutil + DPADD+= ${LIBCRYPTO} ${LIBM} ${LIBUTIL} +diff --git a/usr.bin/rsync/blocks.c b/usr.bin/rsync/blocks.c +index 906733c968e..0a8c3f485d1 100644 +--- a/usr.bin/rsync/blocks.c ++++ b/usr.bin/rsync/blocks.c +@@ -26,7 +26,7 @@ + #include <string.h> + #include <unistd.h> + +-#include <openssl/md4.h> ++#include "md4.h" + + #include "extern.h" + +diff --git a/usr.bin/rsync/downloader.c b/usr.bin/rsync/downloader.c +index 07ec334f6b4..6543851fd2c 100644 +--- a/usr.bin/rsync/downloader.c ++++ b/usr.bin/rsync/downloader.c +@@ -28,7 +28,7 @@ + #include <time.h> + #include <unistd.h> + +-#include <openssl/md4.h> ++#include "md4.h" + + #include "extern.h" + +diff --git a/usr.bin/rsync/hash.c b/usr.bin/rsync/hash.c +index b87c56f527c..44ae0d26282 100644 +--- a/usr.bin/rsync/hash.c ++++ b/usr.bin/rsync/hash.c +@@ -21,7 +21,7 @@ + #include <stdint.h> + 
#include <stdlib.h> + +-#include <openssl/md4.h> ++#include "md4.h" + + #include "extern.h" + +diff --git a/usr.bin/rsync/md4.c b/usr.bin/rsync/md4.c +new file mode 100644 +index 00000000000..528f985563f +--- /dev/null ++++ b/usr.bin/rsync/md4.c +@@ -0,0 +1,266 @@ ++/* ++ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. ++ * MD4 Message-Digest Algorithm (RFC 1320). ++ * ++ * Homepage: ++ * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4 ++ * ++ * Author: ++ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com> ++ * ++ * This software was written by Alexander Peslyak in 2001. No copyright is ++ * claimed, and the software is hereby placed in the public domain. ++ * In case this attempt to disclaim copyright and place the software in the ++ * public domain is deemed null and void, then the software is ++ * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the ++ * general public under the following terms: ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted. ++ * ++ * There's ABSOLUTELY NO WARRANTY, express or implied. ++ * ++ * (This is a heavily cut-down "BSD license".) ++ * ++ * This differs from Colin Plumb's older public domain implementation in that ++ * no exactly 32-bit integer data type is required (any 32-bit or wider ++ * unsigned integer data type will do), there's no compile-time endianness ++ * configuration, and the function prototypes match OpenSSL's. No code from ++ * Colin Plumb's implementation has been reused; this comment merely compares ++ * the properties of the two independent implementations. ++ * ++ * The primary goals of this implementation are portability and ease of use. ++ * It is meant to be fast, but not as fast as possible. Some known ++ * optimizations are not included to reduce source code size and avoid ++ * compile-time configuration. 
++ */ ++ ++#include <string.h> ++ ++#include "md4.h" ++ ++/* ++ * The basic MD4 functions. ++ * ++ * F and G are optimized compared to their RFC 1320 definitions, with the ++ * optimization for F borrowed from Colin Plumb's MD5 implementation. ++ */ ++#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) ++#define G(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) ++#define H(x, y, z) ((x) ^ (y) ^ (z)) ++ ++/* ++ * The MD4 transformation for all three rounds. ++ */ ++#define STEP(f, a, b, c, d, x, s) \ ++ (a) += f((b), (c), (d)) + (x); \ ++ (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); ++ ++/* ++ * SET reads 4 input bytes in little-endian byte order and stores them in a ++ * properly aligned word in host byte order. ++ * ++ * The check for little-endian architectures that tolerate unaligned memory ++ * accesses is just an optimization. Nothing will break if it fails to detect ++ * a suitable architecture. ++ * ++ * Unfortunately, this optimization may be a C strict aliasing rules violation ++ * if the caller's data buffer has effective type that cannot be aliased by ++ * MD4_u32plus. In practice, this problem may occur if these MD4 routines are ++ * inlined into a calling function, or with future and dangerously advanced ++ * link-time optimizations. For the time being, keeping these MD4 routines in ++ * their own translation unit avoids the problem. ++ */ ++#if defined(__i386__) || defined(__x86_64__) || defined(__vax__) ++#define SET(n) \ ++ (*(MD4_u32plus *)&ptr[(n) * 4]) ++#define GET(n) \ ++ SET(n) ++#else ++#define SET(n) \ ++ (ctx->block[(n)] = \ ++ (MD4_u32plus)ptr[(n) * 4] | \ ++ ((MD4_u32plus)ptr[(n) * 4 + 1] << 8) | \ ++ ((MD4_u32plus)ptr[(n) * 4 + 2] << 16) | \ ++ ((MD4_u32plus)ptr[(n) * 4 + 3] << 24)) ++#define GET(n) \ ++ (ctx->block[(n)]) ++#endif ++ ++/* ++ * This processes one or more 64-byte data blocks, but does NOT update the bit ++ * counters. There are no alignment requirements. 
++ */ ++static const void *body(MD4_CTX *ctx, const void *data, unsigned long size) ++{ ++ const unsigned char *ptr; ++ MD4_u32plus a, b, c, d; ++ MD4_u32plus saved_a, saved_b, saved_c, saved_d; ++ const MD4_u32plus ac1 = 0x5a827999, ac2 = 0x6ed9eba1; ++ ++ ptr = (const unsigned char *)data; ++ ++ a = ctx->a; ++ b = ctx->b; ++ c = ctx->c; ++ d = ctx->d; ++ ++ do { ++ saved_a = a; ++ saved_b = b; ++ saved_c = c; ++ saved_d = d; ++ ++/* Round 1 */ ++ STEP(F, a, b, c, d, SET(0), 3) ++ STEP(F, d, a, b, c, SET(1), 7) ++ STEP(F, c, d, a, b, SET(2), 11) ++ STEP(F, b, c, d, a, SET(3), 19) ++ STEP(F, a, b, c, d, SET(4), 3) ++ STEP(F, d, a, b, c, SET(5), 7) ++ STEP(F, c, d, a, b, SET(6), 11) ++ STEP(F, b, c, d, a, SET(7), 19) ++ STEP(F, a, b, c, d, SET(8), 3) ++ STEP(F, d, a, b, c, SET(9), 7) ++ STEP(F, c, d, a, b, SET(10), 11) ++ STEP(F, b, c, d, a, SET(11), 19) ++ STEP(F, a, b, c, d, SET(12), 3) ++ STEP(F, d, a, b, c, SET(13), 7) ++ STEP(F, c, d, a, b, SET(14), 11) ++ STEP(F, b, c, d, a, SET(15), 19) ++ ++/* Round 2 */ ++ STEP(G, a, b, c, d, GET(0) + ac1, 3) ++ STEP(G, d, a, b, c, GET(4) + ac1, 5) ++ STEP(G, c, d, a, b, GET(8) + ac1, 9) ++ STEP(G, b, c, d, a, GET(12) + ac1, 13) ++ STEP(G, a, b, c, d, GET(1) + ac1, 3) ++ STEP(G, d, a, b, c, GET(5) + ac1, 5) ++ STEP(G, c, d, a, b, GET(9) + ac1, 9) ++ STEP(G, b, c, d, a, GET(13) + ac1, 13) ++ STEP(G, a, b, c, d, GET(2) + ac1, 3) ++ STEP(G, d, a, b, c, GET(6) + ac1, 5) ++ STEP(G, c, d, a, b, GET(10) + ac1, 9) ++ STEP(G, b, c, d, a, GET(14) + ac1, 13) ++ STEP(G, a, b, c, d, GET(3) + ac1, 3) ++ STEP(G, d, a, b, c, GET(7) + ac1, 5) ++ STEP(G, c, d, a, b, GET(11) + ac1, 9) ++ STEP(G, b, c, d, a, GET(15) + ac1, 13) ++ ++/* Round 3 */ ++ STEP(H, a, b, c, d, GET(0) + ac2, 3) ++ STEP(H, d, a, b, c, GET(8) + ac2, 9) ++ STEP(H, c, d, a, b, GET(4) + ac2, 11) ++ STEP(H, b, c, d, a, GET(12) + ac2, 15) ++ STEP(H, a, b, c, d, GET(2) + ac2, 3) ++ STEP(H, d, a, b, c, GET(10) + ac2, 9) ++ STEP(H, c, d, a, b, GET(6) + ac2, 11) ++ STEP(H, b, c, 
d, a, GET(14) + ac2, 15) ++ STEP(H, a, b, c, d, GET(1) + ac2, 3) ++ STEP(H, d, a, b, c, GET(9) + ac2, 9) ++ STEP(H, c, d, a, b, GET(5) + ac2, 11) ++ STEP(H, b, c, d, a, GET(13) + ac2, 15) ++ STEP(H, a, b, c, d, GET(3) + ac2, 3) ++ STEP(H, d, a, b, c, GET(11) + ac2, 9) ++ STEP(H, c, d, a, b, GET(7) + ac2, 11) ++ STEP(H, b, c, d, a, GET(15) + ac2, 15) ++ ++ a += saved_a; ++ b += saved_b; ++ c += saved_c; ++ d += saved_d; ++ ++ ptr += 64; ++ } while (size -= 64); ++ ++ ctx->a = a; ++ ctx->b = b; ++ ctx->c = c; ++ ctx->d = d; ++ ++ return ptr; ++} ++ ++void MD4_Init(MD4_CTX *ctx) ++{ ++ ctx->a = 0x67452301; ++ ctx->b = 0xefcdab89; ++ ctx->c = 0x98badcfe; ++ ctx->d = 0x10325476; ++ ++ ctx->lo = 0; ++ ctx->hi = 0; ++} ++ ++void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size) ++{ ++ MD4_u32plus saved_lo; ++ unsigned long used, available; ++ ++ saved_lo = ctx->lo; ++ if ((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo) ++ ctx->hi++; ++ ctx->hi += size >> 29; ++ ++ used = saved_lo & 0x3f; ++ ++ if (used) { ++ available = 64 - used; ++ ++ if (size < available) { ++ memcpy(&ctx->buffer[used], data, size); ++ return; ++ } ++ ++ memcpy(&ctx->buffer[used], data, available); ++ data = (const unsigned char *)data + available; ++ size -= available; ++ body(ctx, ctx->buffer, 64); ++ } ++ ++ if (size >= 64) { ++ data = body(ctx, data, size & ~(unsigned long)0x3f); ++ size &= 0x3f; ++ } ++ ++ memcpy(ctx->buffer, data, size); ++} ++ ++#define OUT(dst, src) \ ++ (dst)[0] = (unsigned char)(src); \ ++ (dst)[1] = (unsigned char)((src) >> 8); \ ++ (dst)[2] = (unsigned char)((src) >> 16); \ ++ (dst)[3] = (unsigned char)((src) >> 24); ++ ++void MD4_Final(unsigned char *result, MD4_CTX *ctx) ++{ ++ unsigned long used, available; ++ ++ used = ctx->lo & 0x3f; ++ ++ ctx->buffer[used++] = 0x80; ++ ++ available = 64 - used; ++ ++ if (available < 8) { ++ memset(&ctx->buffer[used], 0, available); ++ body(ctx, ctx->buffer, 64); ++ used = 0; ++ available = 64; ++ } ++ ++ 
memset(&ctx->buffer[used], 0, available - 8); ++ ++ ctx->lo <<= 3; ++ OUT(&ctx->buffer[56], ctx->lo) ++ OUT(&ctx->buffer[60], ctx->hi) ++ ++ body(ctx, ctx->buffer, 64); ++ ++ OUT(&result[0], ctx->a) ++ OUT(&result[4], ctx->b) ++ OUT(&result[8], ctx->c) ++ OUT(&result[12], ctx->d) ++ ++ memset(ctx, 0, sizeof(*ctx)); ++} +diff --git a/usr.bin/rsync/md4.h b/usr.bin/rsync/md4.h +new file mode 100644 +index 00000000000..ebf5bb555a0 +--- /dev/null ++++ b/usr.bin/rsync/md4.h +@@ -0,0 +1,47 @@ ++/* ++ * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. ++ * MD4 Message-Digest Algorithm (RFC 1320). ++ * ++ * Homepage: ++ * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4 ++ * ++ * Author: ++ * Alexander Peslyak, better known as Solar Designer <solar at openwall.com> ++ * ++ * This software was written by Alexander Peslyak in 2001. No copyright is ++ * claimed, and the software is hereby placed in the public domain. ++ * In case this attempt to disclaim copyright and place the software in the ++ * public domain is deemed null and void, then the software is ++ * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the ++ * general public under the following terms: ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted. ++ * ++ * There's ABSOLUTELY NO WARRANTY, express or implied. ++ * ++ * See md4.c for more information. 
++ */ ++ ++#ifndef _MD4_H ++#define _MD4_H ++ ++#include <stdint.h> ++ ++#define MD4_DIGEST_LENGTH 16 ++ ++/* Any 32-bit or wider unsigned integer data type will do */ ++typedef uint_fast32_t MD4_u32plus; ++ ++typedef struct { ++ MD4_u32plus lo, hi; ++ MD4_u32plus a, b, c, d; ++ unsigned char buffer[64]; ++ MD4_u32plus block[16]; ++} MD4_CTX; ++ ++extern void MD4_Init(MD4_CTX *ctx); ++extern void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size); ++extern void MD4_Final(unsigned char *result, MD4_CTX *ctx); ++ ++#endif +diff --git a/usr.bin/rsync/sender.c b/usr.bin/rsync/sender.c +index 9dd008def01..2aeb99b64a0 100644 +--- a/usr.bin/rsync/sender.c ++++ b/usr.bin/rsync/sender.c +@@ -26,7 +26,7 @@ + #include <string.h> + #include <unistd.h> + +-#include <openssl/md4.h> ++#include "md4.h" + + #include "extern.h" + +-- +2.35.1 + diff --git a/pkg/sys/openbsd/patch/0031-pax-Fix-some-incorrect-format-specifiers.patch b/pkg/sys/openbsd/patch/0031-pax-Fix-some-incorrect-format-specifiers.patch 
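Review bot: Neither md4.c nor md4.h says why a collision-broken digest is being vendored, so a later reader could take the `MD4_*` functions for a general-purpose hash. The includes replaced in blocks.c, downloader.c, hash.c and sender.c suggest it is there only for rsync's block and file checksums; a comment above the prototypes in md4.h such as `/* MD4 is cryptographically broken; kept only for rsync protocol checksums, never for authentication or tamper detection. */` would pin that down. Separately, `body()` loops with `do { ... } while (size -= 64)` and therefore relies on every caller passing a non-zero multiple of 64. The calls in `MD4_Update` and `MD4_Final` do, but the precondition deserves a line in the comment above `body()`, because a zero or unaligned size would wrap the counter and read far past the buffer.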
@@ -0,0 +1,48 @@
+From f855b534ca2c34c3691a0c89d1be482a33a3610c Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 4 Jun 2020 21:36:11 -0700
+Subject: [PATCH] pax: Fix some incorrect format specifiers
+
+---
+ bin/pax/cpio.c | 2 +-
+ bin/pax/gen_subs.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/bin/pax/cpio.c b/bin/pax/cpio.c
+index 3832b1e87aa..769a9dfb990 100644
+--- a/bin/pax/cpio.c
++++ b/bin/pax/cpio.c
+@@ -214,7 +214,7 @@ rd_ln_nm(ARCHD *arcn)
+ */
+ if ((arcn->sb.st_size <= 0) ||
+ (arcn->sb.st_size >= (off_t)sizeof(arcn->ln_name))) {
+- paxwarn(1, "Cpio link name length is invalid: %lld",
++ paxwarn(1, "Cpio link name length is invalid: %zu",
+ arcn->sb.st_size);
+ return(-1);
+ }
+diff --git a/bin/pax/gen_subs.c b/bin/pax/gen_subs.c
+index 405dd2c24ed..7eb82007e3b 100644
+--- a/bin/pax/gen_subs.c
++++ b/bin/pax/gen_subs.c
+@@ -109,7 +109,7 @@ ls_list(ARCHD *arcn, time_t now, FILE *fp)
+ if (strftime(f_date, sizeof(f_date), TIMEFMT(sbp->st_mtime, now),
+ localtime(&(sbp->st_mtime))) == 0)
+ f_date[0] = '\0';
+- (void)fprintf(fp, "%s%2u %-*.*s %-*.*s ", f_mode, sbp->st_nlink,
++ (void)fprintf(fp, "%s%2u %-*.*s %-*.*s ", f_mode, (unsigned)sbp->st_nlink,
+ NAME_WIDTH, UT_NAMESIZE, user_from_uid(sbp->st_uid, 0),
+ NAME_WIDTH, UT_NAMESIZE, group_from_gid(sbp->st_gid, 0));
+
+@@ -121,7 +121,7 @@ ls_list(ARCHD *arcn, time_t now, FILE *fp)
+ (unsigned long)MAJOR(sbp->st_rdev),
+ (unsigned long)MINOR(sbp->st_rdev));
+ else {
+- (void)fprintf(fp, "%9llu ", sbp->st_size);
++ (void)fprintf(fp, "%9zu ", sbp->st_size);
+ }
+
+ /*
+--
+2.27.0
+
diff --git a/pkg/sys/openbsd/patch/0032-pax-Use-memcpy-to-set-TMAGIC-and-TVERSION-to-avoid-w.patch b/pkg/sys/openbsd/patch/0032-pax-Use-memcpy-to-set-TMAGIC-and-TVERSION-to-avoid-w.patch
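Review bot: `%zu` is still the wrong conversion for `st_size`, which is an `off_t` (the surrounding check even casts to `off_t`): both the new `paxwarn(..., "%zu", arcn->sb.st_size)` in `rd_ln_nm` and the new `fprintf(fp, "%9zu ", sbp->st_size)` in `ls_list` pass a signed `off_t` where `size_t` is expected. Where `off_t` is 64-bit and `size_t` is 32-bit that is undefined behaviour in a varargs call, and in `rd_ln_nm` the message is printed precisely when the value is out of range, including when it is negative. The portable form is the one the rsync format-specifier patch in this same commit uses: `"%jd", (intmax_t)arcn->sb.st_size` for the warning and `"%9ju ", (uintmax_t)sbp->st_size` for the listing. Both functions extend beyond their hunks.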
@@ -0,0 +1,27 @@
+From e5c8e801a42459bf0c416f6751b687d61f46fcf1 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 4 Jun 2020 21:44:26 -0700
+Subject: [PATCH] pax: Use memcpy to set TMAGIC and TVERSION to avoid warning
+
+---
+ bin/pax/tar.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bin/pax/tar.c b/bin/pax/tar.c
+index 8d6b3f37012..1f4012123c3 100644
+--- a/bin/pax/tar.c
++++ b/bin/pax/tar.c
+@@ -1040,8 +1040,8 @@ ustar_wr(ARCHD *arcn)
+ break;
+ }
+
+- strncpy(hd->magic, TMAGIC, TMAGLEN);
+- strncpy(hd->version, TVERSION, TVERSLEN);
++ memcpy(hd->magic, TMAGIC, TMAGLEN);
++ memcpy(hd->version, TVERSION, TVERSLEN);
+
+ /*
+ * set the remaining fields. Some versions want all 16 bits of mode
+--
+2.35.1
+
diff --git a/pkg/sys/openbsd/patch/0033-rsync-Fix-some-incorrect-format-specifiers.patch b/pkg/sys/openbsd/patch/0033-rsync-Fix-some-incorrect-format-specifiers.patch
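Review bot: Unlike `strncpy`, the two `memcpy` calls in ustar_wr always read exactly `TMAGLEN` and `TVERSLEN` bytes from the literals, so they are only correct while `sizeof(TMAGIC) >= TMAGLEN` and `sizeof(TVERSION) >= TVERSLEN`. The macro definitions are outside the hunk, so that relation is assumed here rather than shown. I would pin it next to the copies with `_Static_assert(sizeof(TMAGIC) >= TMAGLEN && sizeof(TVERSION) >= TVERSLEN, "ustar magic/version literals too short");` and add a comment such as `/* fixed-width header fields; version is deliberately not NUL-terminated */`, which presumably is what the silenced warning was about. ustar_wr's body starts and ends outside the hunk.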
@@ -0,0 +1,42 @@
+From 0a32d4f555441c1928547f8f08a6373a6c9d8bf1 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 4 Jun 2020 21:36:24 -0700
+Subject: [PATCH] rsync: Fix some incorrect format specifiers
+
+---
+ usr.bin/rsync/fargs.c | 4 ++--
+ usr.bin/rsync/uploader.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr.bin/rsync/fargs.c b/usr.bin/rsync/fargs.c
+index 7ccb5bff7d2..ef1aaf37c87 100644
+--- a/usr.bin/rsync/fargs.c
++++ b/usr.bin/rsync/fargs.c
+@@ -132,9 +132,9 @@ fargs_cmdline(struct sess *sess, const struct fargs *f, size_t *skip)
+ /* --devices is sent as -D --no-specials */
+ addargs(&args, "--no-specials");
+ if (sess->opts->max_size >= 0)
+- addargs(&args, "--max-size=%lld", sess->opts->max_size);
++ addargs(&args, "--max-size=%jd", (intmax_t)sess->opts->max_size);
+ if (sess->opts->min_size >= 0)
+- addargs(&args, "--min-size=%lld", sess->opts->min_size);
++ addargs(&args, "--min-size=%jd", (intmax_t)sess->opts->min_size);
+
+ /* only add --compare-dest, etc if this is the sender */
+ if (sess->opts->alt_base_mode != 0 &&
+diff --git a/usr.bin/rsync/uploader.c b/usr.bin/rsync/uploader.c
+index 678b6c96218..951a5ee4133 100644
+--- a/usr.bin/rsync/uploader.c
++++ b/usr.bin/rsync/uploader.c
+@@ -1010,7 +1010,7 @@ rsync_uploader(struct upload *u, int *fileinfd,
+ init_blk(&blk.blks[i], &blk, offs, i, mbuf, sess);
+ offs += blk.len;
+ LOG3(
+- "i=%ld, offs=%lld, msz=%ld, blk.len=%lu, blk.rem=%lu",
++ "i=%zu, offs=%td, msz=%zd, blk.len=%zu, blk.rem=%zu",
+ i, offs, msz, blk.len, blk.rem);
+ i++;
+ } while (i < blk.blksz);
+--
+2.35.1
+
diff --git a/pkg/sys/openbsd/patch/0034-m4-Declare-dopaste-only-when-it-s-used.patch b/pkg/sys/openbsd/patch/0034-m4-Declare-dopaste-only-when-it-s-used.patch
@@ -0,0 +1,26 @@
+From 666a050e706230ba5b0316a316100d8c7e86c93c Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 4 Jun 2020 21:42:18 -0700
+Subject: [PATCH] m4: Declare dopaste only when it's used
+
+---
+ usr.bin/m4/eval.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/usr.bin/m4/eval.c b/usr.bin/m4/eval.c
+index d226505cab3..fe9fbde3d9c 100644
+--- a/usr.bin/m4/eval.c
++++ b/usr.bin/m4/eval.c
+@@ -61,7 +61,9 @@ static void dodump(const char *[], int);
+ static void dotrace(const char *[], int, int);
+ static void doifelse(const char *[], int);
+ static int doincl(const char *);
++#ifdef EXTENDED
+ static int dopaste(const char *);
++#endif
+ static void dochq(const char *[], int);
+ static void dochc(const char *[], int);
+ static void dom4wrap(const char *);
+--
+2.27.0
+
diff --git a/pkg/sys/openbsd/patch/0035-acme-client-Fix-signed-ness-of-base64buf_url-input.patch b/pkg/sys/openbsd/patch/0035-acme-client-Fix-signed-ness-of-base64buf_url-input.patch
@@ -0,0 +1,160 @@
+From cc94758cade79724cc820e654ae12bee639c2692 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Fri, 23 Apr 2021 20:10:05 -0700
+Subject: [PATCH] acme-client: Fix signed-ness of base64buf_url input
+
+This make most of the pointer casts unnecessary.
+---
+ usr.sbin/acme-client/acctproc.c | 17 +++++++++--------
+ usr.sbin/acme-client/base64.c | 2 +-
+ usr.sbin/acme-client/extern.h | 2 +-
+ usr.sbin/acme-client/keyproc.c | 5 +++--
+ usr.sbin/acme-client/revokeproc.c | 6 ++++--
+ 5 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c
+index e3a0eb64dec..23d8a1c3a33 100644
+--- a/usr.sbin/acme-client/acctproc.c
++++ b/usr.sbin/acme-client/acctproc.c
+@@ -43,8 +43,9 @@
+ static char *
+ bn2string(const BIGNUM *bn)
+ {
+- int len;
+- char *buf, *bbuf;
++ int len;
++ unsigned char *buf;
++ char *bbuf;
+
+ /* Extract big-endian representation of BIGNUM. */
+
+@@ -52,7 +53,7 @@ bn2string(const BIGNUM *bn)
+ if ((buf = malloc(len)) == NULL) {
+ warn("malloc");
+ return NULL;
+- } else if (len != BN_bn2bin(bn, (unsigned char *)buf)) {
++ } else if (len != BN_bn2bin(bn, buf)) {
+ warnx("BN_bn2bin");
+ free(buf);
+ return NULL;
+@@ -168,7 +169,7 @@ op_thumbprint(int fd, EVP_PKEY *pkey)
+ warnx("EVP_Digest");
+ goto out;
+ }
+- if ((dig64 = base64buf_url((char *)dig, digsz)) == NULL) {
++ if ((dig64 = base64buf_url(dig, digsz)) == NULL) {
+ warnx("base64buf_url");
+ goto out;
+ }
+@@ -282,7 +283,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op)
+
+ /* Base64-encode the payload. */
+
+- if ((pay64 = base64buf_url(pay, strlen(pay))) == NULL) {
++ if ((pay64 = base64buf_url((unsigned char *)pay, strlen(pay))) == NULL) {
+ warnx("base64buf_url");
+ goto out;
+ }
+@@ -325,7 +326,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op)
+
+ /* The header combined with the nonce, base64. */
+
+- if ((prot64 = base64buf_url(prot, strlen(prot))) == NULL) {
++ if ((prot64 = base64buf_url((unsigned char *)prot, strlen(prot))) == NULL) {
+ warnx("base64buf_url");
+ goto out;
+ }
+@@ -364,7 +365,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op)
+
+ switch (EVP_PKEY_base_id(pkey)) {
+ case EVP_PKEY_RSA:
+- if ((dig64 = base64buf_url((char *)dig, digsz)) == NULL) {
++ if ((dig64 = base64buf_url(dig, digsz)) == NULL) {
+ warnx("base64buf_url");
+ goto out;
+ }
+@@ -403,7 +404,7 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op)
+ goto out;
+ }
+
+- if ((dig64 = base64buf_url((char *)buf, 2 * bn_len)) == NULL) {
++ if ((dig64 = base64buf_url(buf, 2 * bn_len)) == NULL) {
+ warnx("base64buf_url");
+ goto out;
+ }
+diff --git a/usr.sbin/acme-client/base64.c b/usr.sbin/acme-client/base64.c
+index 2b6377f0d81..0d84ad4b458 100644
+--- a/usr.sbin/acme-client/base64.c
++++ b/usr.sbin/acme-client/base64.c
+@@ -39,7 +39,7 @@ base64len(size_t len)
+ * Returns NULL on allocation failure (not logged).
+ */
+ char *
+-base64buf_url(const char *data, size_t len)
++base64buf_url(const unsigned char *data, size_t len)
+ {
+ size_t i, sz;
+ char *buf;
+diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
+index 32d4b4b3d85..701733df786 100644
+--- a/usr.sbin/acme-client/extern.h
++++ b/usr.sbin/acme-client/extern.h
+@@ -245,7 +245,7 @@ int checkexit_ext(int *, pid_t, enum comp);
+ */
+ size_t base64buf(char *, const char *, size_t);
+ size_t base64len(size_t);
+-char *base64buf_url(const char *, size_t);
++char *base64buf_url(const unsigned char *, size_t);
+
+ /*
+ * JSON parsing routines.
+diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
+index a3b6666c279..f0df9f292d4 100644
+--- a/usr.sbin/acme-client/keyproc.c
++++ b/usr.sbin/acme-client/keyproc.c
+@@ -77,7 +77,8 @@ int
+ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+ enum keytype keytype)
+ {
+- char *der64 = NULL, *der = NULL, *dercp;
++ char *der64 = NULL;
++ unsigned char *der = NULL, *dercp;
+ char *sans = NULL, *san = NULL;
+ FILE *f;
+ size_t i, sansz;
+@@ -238,7 +239,7 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+ } else if ((der = dercp = malloc(len)) == NULL) {
+ warn("malloc");
+ goto out;
+- } else if (len != i2d_X509_REQ(x, (u_char **)&dercp)) {
++ } else if (len != i2d_X509_REQ(x, &dercp)) {
+ warnx("i2d_X509_REQ");
+ goto out;
+ } else if ((der64 = base64buf_url(der, len)) == NULL) {
+diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
+index 0f1bf32678b..58e81233f1a 100644
+--- a/usr.sbin/acme-client/revokeproc.c
++++ b/usr.sbin/acme-client/revokeproc.c
+@@ -63,7 +63,9 @@ revokeproc(int fd, const char *certfile, int force,
+ int revocate, const char *const *alts, size_t altsz)
+ {
+ GENERAL_NAMES *sans = NULL;
+- char *der = NULL, *dercp, *der64 = NULL;
++ unsigned char *der = NULL, *dercp;
++ char *der64 = NULL;
++ char *san = NULL, *str, *tok;
+ int rc = 0, cc, i, len;
+ size_t *found = NULL;
+ FILE *f = NULL;
+@@ -240,7 +242,7 @@ revokeproc(int fd, const char *certfile, int force,
+ } else if ((der = dercp = malloc(len)) == NULL) {
+ warn("malloc");
+ goto out;
+- } else if (len != i2d_X509(x, (u_char **)&dercp)) {
++ } else if (len != i2d_X509(x, &dercp)) {
+ warnx("i2d_X509");
+ goto out;
+ } else if ((der64 = base64buf_url(der, len)) == NULL) {
+--
+2.37.3
+
diff --git a/pkg/sys/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch b/pkg/sys/openbsd/patch/0036-acme-client-Port-to-BearSSL.patch
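Review bot: The revokeproc.c declaration hunk of patch 0035 adds `char *san = NULL, *str, *tok;`, which is unrelated to the signedness fix and is not referenced by any line this patch touches. revokeproc's body lies outside the hunks, so whether those names are used there cannot be confirmed from here. If they are only needed by the later BearSSL port (patch 0036), the line belongs in that patch; left here it introduces unused locals and makes this otherwise mechanical change harder to audit. I would drop `char *san = NULL, *str, *tok;` from this hunk and keep only the split of `der`/`dercp` and `der64`.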
@@ -0,0 +1,1548 @@ +From 01e722b50d1f5b56bd1f4a1673d0d812958cc49c Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Fri, 23 Apr 2021 23:14:16 -0700 +Subject: [PATCH] acme-client: Port to BearSSL + +--- + usr.sbin/acme-client/acctproc.c | 299 +++++++++------------------ + usr.sbin/acme-client/certproc.c | 5 - + usr.sbin/acme-client/key.c | 333 ++++++++++++++++++++++++------ + usr.sbin/acme-client/key.h | 22 +- + usr.sbin/acme-client/keyproc.c | 198 ++++++------------ + usr.sbin/acme-client/revokeproc.c | 235 ++++++++++----------- + 6 files changed, 558 insertions(+), 534 deletions(-) + +diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c +index 23d8a1c3a33..3d3e32c1a57 100644 +--- a/usr.sbin/acme-client/acctproc.c ++++ b/usr.sbin/acme-client/acctproc.c +@@ -19,74 +19,29 @@ + + #include <err.h> + #include <errno.h> +-#include <limits.h> + #include <stdio.h> + #include <stdlib.h> + #include <string.h> + #include <unistd.h> + +-#include <openssl/bn.h> +-#include <openssl/ec.h> +-#include <openssl/ecdsa.h> +-#include <openssl/evp.h> +-#include <openssl/rsa.h> +-#include <openssl/err.h> ++#include <bearssl.h> + + #include "extern.h" + #include "key.h" + +-/* +- * Converts a BIGNUM to the form used in JWK. +- * This is essentially a base64-encoded big-endian binary string +- * representation of the number. +- */ +-static char * +-bn2string(const BIGNUM *bn) +-{ +- int len; +- unsigned char *buf; +- char *bbuf; +- +- /* Extract big-endian representation of BIGNUM. */ +- +- len = BN_num_bytes(bn); +- if ((buf = malloc(len)) == NULL) { +- warn("malloc"); +- return NULL; +- } else if (len != BN_bn2bin(bn, buf)) { +- warnx("BN_bn2bin"); +- free(buf); +- return NULL; +- } +- +- /* Convert to base64url. 
*/ +- +- if ((bbuf = base64buf_url(buf, len)) == NULL) { +- warnx("base64buf_url"); +- free(buf); +- return NULL; +- } +- +- free(buf); +- return bbuf; +-} +- + /* + * Extract the relevant RSA components from the key and create the JSON + * thumbprint from them. + */ + static char * +-op_thumb_rsa(EVP_PKEY *pkey) ++op_thumb_rsa(struct key *key) + { + char *exp = NULL, *mod = NULL, *json = NULL; +- RSA *r; +- +- if ((r = EVP_PKEY_get0_RSA(pkey)) == NULL) +- warnx("EVP_PKEY_get0_RSA"); +- else if ((mod = bn2string(RSA_get0_n(r))) == NULL) +- warnx("bn2string"); +- else if ((exp = bn2string(RSA_get0_e(r))) == NULL) +- warnx("bn2string"); ++ ++ if ((mod = base64buf_url(key->rsa.pk.n, key->rsa.pk.nlen)) == NULL) ++ warnx("base64buf_url"); ++ else if ((exp = base64buf_url(key->rsa.pk.e, key->rsa.pk.elen)) == NULL) ++ warnx("base64buf_url"); + else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL) + warnx("json_fmt_thumb_rsa"); + +@@ -100,31 +55,23 @@ op_thumb_rsa(EVP_PKEY *pkey) + * thumbprint from them. + */ + static char * +-op_thumb_ec(EVP_PKEY *pkey) ++op_thumb_ec(struct key *key) + { +- BIGNUM *X = NULL, *Y = NULL; +- EC_KEY *ec = NULL; ++ size_t len; + char *x = NULL, *y = NULL; + char *json = NULL; + +- if ((ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) +- warnx("EVP_PKEY_get0_EC_KEY"); +- else if ((X = BN_new()) == NULL) +- warnx("BN_new"); +- else if ((Y = BN_new()) == NULL) +- warnx("BN_new"); +- else if (!EC_POINT_get_affine_coordinates(EC_KEY_get0_group(ec), +- EC_KEY_get0_public_key(ec), X, Y, NULL)) +- warnx("EC_POINT_get_affine_coordinates"); +- else if ((x = bn2string(X)) == NULL) +- warnx("bn2string"); +- else if ((y = bn2string(Y)) == NULL) +- warnx("bn2string"); ++ /* Points are stored in uncompressed format. 
*/ ++ len = key->ec.pk.qlen / 2; ++ if (key->ec.pk.qlen % 2 != 1 || key->ec.pk.q[0] != 0x04) ++ warnx("invalid EC public key"); ++ else if ((x = base64buf_url(key->ec.pk.q + 1, len)) == NULL) ++ warnx("base64buf_url"); ++ else if ((y = base64buf_url(key->ec.pk.q + 1 + len, len)) == NULL) ++ warnx("base64buf_url"); + else if ((json = json_fmt_thumb_ec(x, y)) == NULL) + warnx("json_fmt_thumb_ec"); + +- BN_free(X); +- BN_free(Y); + free(x); + free(y); + return json; +@@ -134,26 +81,26 @@ op_thumb_ec(EVP_PKEY *pkey) + * The thumbprint operation is used for the challenge sequence. + */ + static int +-op_thumbprint(int fd, EVP_PKEY *pkey) ++op_thumbprint(int fd, struct key *pkey) + { +- char *thumb = NULL, *dig64 = NULL; +- unsigned char dig[EVP_MAX_MD_SIZE]; +- unsigned int digsz; +- int rc = 0; ++ char *thumb = NULL, *dig64 = NULL; ++ br_sha256_context ctx; ++ unsigned char dig[br_sha256_SIZE]; ++ int rc = 0; + + /* Construct the thumbprint input itself. */ + +- switch (EVP_PKEY_base_id(pkey)) { +- case EVP_PKEY_RSA: ++ switch (pkey->type) { ++ case BR_KEYTYPE_RSA: + if ((thumb = op_thumb_rsa(pkey)) != NULL) + break; + goto out; +- case EVP_PKEY_EC: ++ case BR_KEYTYPE_EC: + if ((thumb = op_thumb_ec(pkey)) != NULL) + break; + goto out; + default: +- warnx("EVP_PKEY_base_id: unknown key type"); ++ warnx("unknown key type"); + goto out; + } + +@@ -164,12 +111,10 @@ op_thumbprint(int fd, EVP_PKEY *pkey) + * it up in the read loop). 
+ */ + +- if (!EVP_Digest(thumb, strlen(thumb), dig, &digsz, EVP_sha256(), +- NULL)) { +- warnx("EVP_Digest"); +- goto out; +- } +- if ((dig64 = base64buf_url(dig, digsz)) == NULL) { ++ br_sha256_init(&ctx); ++ br_sha256_update(&ctx, thumb, strlen(thumb)); ++ br_sha256_out(&ctx, dig); ++ if ((dig64 = base64buf_url(dig, sizeof(dig))) == NULL) { + warnx("base64buf_url"); + goto out; + } +@@ -184,11 +129,10 @@ out: + } + + static int +-op_sign_rsa(char **prot, EVP_PKEY *pkey, const char *nonce, const char *url) ++op_sign_rsa(char **prot, struct key *key, const char *nonce, const char *url) + { + char *exp = NULL, *mod = NULL; + int rc = 0; +- RSA *r; + + *prot = NULL; + +@@ -197,12 +141,10 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey, const char *nonce, const char *url) + * Finally, format the header combined with the nonce. + */ + +- if ((r = EVP_PKEY_get0_RSA(pkey)) == NULL) +- warnx("EVP_PKEY_get0_RSA"); +- else if ((mod = bn2string(RSA_get0_n(r))) == NULL) +- warnx("bn2string"); +- else if ((exp = bn2string(RSA_get0_e(r))) == NULL) +- warnx("bn2string"); ++ if ((mod = base64buf_url(key->rsa.pk.n, key->rsa.pk.nlen)) == NULL) ++ warnx("base64buf_url"); ++ else if ((exp = base64buf_url(key->rsa.pk.e, key->rsa.pk.elen)) == NULL) ++ warnx("base64buf_url"); + else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce, url)) == NULL) + warnx("json_fmt_protected_rsa"); + else +@@ -214,35 +156,27 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey, const char *nonce, const char *url) + } + + static int +-op_sign_ec(char **prot, EVP_PKEY *pkey, const char *nonce, const char *url) ++op_sign_ec(char **prot, struct key *key, const char *nonce, const char *url) + { +- BIGNUM *X = NULL, *Y = NULL; +- EC_KEY *ec = NULL; ++ size_t len; + char *x = NULL, *y = NULL; + int rc = 0; + + *prot = NULL; + +- if ((ec = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) +- warnx("EVP_PKEY_get0_EC_KEY"); +- else if ((X = BN_new()) == NULL) +- warnx("BN_new"); +- else if ((Y = BN_new()) == NULL) +- warnx("BN_new"); +- 
else if (!EC_POINT_get_affine_coordinates(EC_KEY_get0_group(ec), +- EC_KEY_get0_public_key(ec), X, Y, NULL)) +- warnx("EC_POINT_get_affine_coordinates"); +- else if ((x = bn2string(X)) == NULL) +- warnx("bn2string"); +- else if ((y = bn2string(Y)) == NULL) +- warnx("bn2string"); ++ /* Points are stored in uncompressed format. */ ++ len = key->ec.pk.qlen / 2; ++ if (key->ec.pk.qlen % 2 != 1 || key->ec.pk.q[0] != 0x04) ++ warnx("invalid EC public key"); ++ else if ((x = base64buf_url(key->ec.pk.q + 1, len)) == NULL) ++ warnx("base64buf_url"); ++ else if ((y = base64buf_url(key->ec.pk.q + 1 + len, len)) == NULL) ++ warnx("base64buf_url"); + else if ((*prot = json_fmt_protected_ec(x, y, nonce, url)) == NULL) + warnx("json_fmt_protected_ec"); + else + rc = 1; + +- BN_free(X); +- BN_free(Y); + free(x); + free(y); + return rc; +@@ -253,20 +187,18 @@ op_sign_ec(char **prot, EVP_PKEY *pkey, const char *nonce, const char *url) + * This requires the sender ("fd") to provide the payload and a nonce. + */ + static int +-op_sign(int fd, EVP_PKEY *pkey, enum acctop op) ++op_sign(int fd, struct key *key, enum acctop op) + { +- EVP_MD_CTX *ctx = NULL; +- const EVP_MD *evp_md = NULL; +- ECDSA_SIG *ec_sig = NULL; +- const BIGNUM *ec_sig_r = NULL, *ec_sig_s = NULL; +- int bn_len, sign_len, rc = 0; ++ br_hash_compat_context ctx; ++ int sign_len, rc = 0; ++ unsigned int digsz, sigsz; + char *nonce = NULL, *pay = NULL, *pay64 = NULL; + char *prot = NULL, *prot64 = NULL; +- char *sign = NULL, *dig64 = NULL, *fin = NULL; ++ char *sign = NULL, *sig64 = NULL, *fin = NULL; + char *url = NULL, *kid = NULL, *alg = NULL; +- const unsigned char *digp; +- unsigned char *dig = NULL, *buf = NULL; +- size_t digsz; ++ unsigned char dig[64]; ++ unsigned char *sig = NULL; ++ const unsigned char *oid = NULL; + + /* Read our payload and nonce from the requestor. */ + +@@ -283,19 +215,22 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op) + + /* Base64-encode the payload. 
*/ + +- if ((pay64 = base64buf_url((unsigned char *)pay, strlen(pay))) == NULL) { ++ if ((pay64 = base64buf_url(pay, strlen(pay))) == NULL) { + warnx("base64buf_url"); + goto out; + } + +- switch (EVP_PKEY_base_id(pkey)) { +- case EVP_PKEY_RSA: ++ switch (key->type) { ++ case BR_KEYTYPE_RSA: + alg = "RS256"; +- evp_md = EVP_sha256(); ++ ctx.vtable = &br_sha256_vtable; ++ oid = BR_HASH_OID_SHA256; ++ sigsz = (key->rsa.sk.n_bitlen + 7) / 8; + break; +- case EVP_PKEY_EC: ++ case BR_KEYTYPE_EC: + alg = "ES384"; +- evp_md = EVP_sha384(); ++ ctx.vtable = &br_sha384_vtable; ++ sigsz = 96; + break; + default: + warnx("unknown account key type"); +@@ -309,17 +244,17 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op) + goto out; + } + } else { +- switch (EVP_PKEY_base_id(pkey)) { +- case EVP_PKEY_RSA: +- if (!op_sign_rsa(&prot, pkey, nonce, url)) ++ switch (key->type) { ++ case BR_KEYTYPE_RSA: ++ if (!op_sign_rsa(&prot, key, nonce, url)) + goto out; + break; +- case EVP_PKEY_EC: +- if (!op_sign_ec(&prot, pkey, nonce, url)) ++ case BR_KEYTYPE_EC: ++ if (!op_sign_ec(&prot, key, nonce, url)) + goto out; + break; + default: +- warnx("EVP_PKEY_base_id"); ++ warnx("unknown key type"); + goto out; + } + } +@@ -342,76 +277,34 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op) + + /* Sign the message. 
*/ + +- if ((ctx = EVP_MD_CTX_new()) == NULL) { +- warnx("EVP_MD_CTX_new"); +- goto out; +- } +- if (!EVP_DigestSignInit(ctx, NULL, evp_md, NULL, pkey)) { +- warnx("EVP_DigestSignInit"); +- goto out; +- } +- if (!EVP_DigestSign(ctx, NULL, &digsz, sign, sign_len)) { +- warnx("EVP_DigestSign"); +- goto out; +- } +- if ((dig = malloc(digsz)) == NULL) { ++ ctx.vtable->init(&ctx.vtable); ++ ctx.vtable->update(&ctx.vtable, sign, sign_len); ++ ctx.vtable->out(&ctx.vtable, dig); ++ digsz = ctx.vtable->desc >> BR_HASHDESC_OUT_OFF & BR_HASHDESC_OUT_MASK; ++ ++ if ((sig = malloc(sigsz)) == NULL) { + warn("malloc"); + goto out; + } +- if (!EVP_DigestSign(ctx, dig, &digsz, sign, sign_len)) { +- warnx("EVP_DigestSign"); +- goto out; +- } + +- switch (EVP_PKEY_base_id(pkey)) { +- case EVP_PKEY_RSA: +- if ((dig64 = base64buf_url(dig, digsz)) == NULL) { +- warnx("base64buf_url"); ++ switch (key->type) { ++ case BR_KEYTYPE_RSA: ++ if (!br_rsa_pkcs1_sign_get_default()(oid, dig, digsz, ++ &key->rsa.sk, sig)) { ++ warnx("br_rsa_pkcs1_sign"); + goto out; + } + break; +- case EVP_PKEY_EC: +- if (digsz > LONG_MAX) { +- warnx("EC signature too long"); +- goto out; +- } +- +- digp = dig; +- if ((ec_sig = d2i_ECDSA_SIG(NULL, &digp, digsz)) == NULL) { +- warnx("d2i_ECDSA_SIG"); ++ case BR_KEYTYPE_EC: ++ sigsz = br_ecdsa_sign_raw_get_default()(br_ec_get_default(), ++ ctx.vtable, dig, &key->ec.sk, sig); ++ if (sigsz == 0 || sigsz % 2 != 0) { ++ warnx("br_ecdsa_sign_raw"); + goto out; + } +- +- if ((ec_sig_r = ECDSA_SIG_get0_r(ec_sig)) == NULL || +- (ec_sig_s = ECDSA_SIG_get0_s(ec_sig)) == NULL) { +- warnx("ECDSA_SIG_get0"); +- goto out; +- } +- +- if ((bn_len = (EVP_PKEY_bits(pkey) + 7) / 8) <= 0) { +- warnx("EVP_PKEY_bits"); +- goto out; +- } +- +- if ((buf = calloc(2, bn_len)) == NULL) { +- warnx("calloc"); +- goto out; +- } +- +- if (BN_bn2binpad(ec_sig_r, buf, bn_len) != bn_len || +- BN_bn2binpad(ec_sig_s, buf + bn_len, bn_len) != bn_len) { +- warnx("BN_bn2binpad"); +- goto out; +- } +- +- 
if ((dig64 = base64buf_url(buf, 2 * bn_len)) == NULL) { +- warnx("base64buf_url"); +- goto out; +- } +- + break; + default: +- warnx("EVP_PKEY_base_id"); ++ warnx("unknown key type"); + goto out; + } + +@@ -421,7 +314,11 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op) + * when we next enter the read loop). + */ + +- if ((fin = json_fmt_signed(prot64, pay64, dig64)) == NULL) { ++ if ((sig64 = base64buf_url(sig, sigsz)) == NULL) { ++ warnx("base64buf_url"); ++ goto out; ++ } ++ if ((fin = json_fmt_signed(prot64, pay64, sig64)) == NULL) { + warnx("json_fmt_signed"); + goto out; + } else if (writestr(fd, COMM_REQ, fin) < 0) +@@ -429,8 +326,6 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op) + + rc = 1; + out: +- ECDSA_SIG_free(ec_sig); +- EVP_MD_CTX_free(ctx); + free(pay); + free(sign); + free(pay64); +@@ -439,10 +334,9 @@ out: + free(kid); + free(prot); + free(prot64); +- free(dig); +- free(dig64); ++ free(sig); ++ free(sig64); + free(fin); +- free(buf); + return rc; + } + +@@ -450,7 +344,7 @@ int + acctproc(int netsock, const char *acctkey, enum keytype keytype) + { + FILE *f = NULL; +- EVP_PKEY *pkey = NULL; ++ struct key *pkey = NULL; + long lval; + enum acctop op; + int rc = 0, cc, newacct = 0; +@@ -476,8 +370,6 @@ acctproc(int netsock, const char *acctkey, enum keytype keytype) + + /* File-system, user, and sandbox jailing. 
*/ + +- ERR_load_crypto_strings(); +- + if (pledge("stdio", NULL) == -1) { + warn("pledge"); + goto out; +@@ -555,8 +447,7 @@ out: + close(netsock); + if (f != NULL) + fclose(f); +- EVP_PKEY_free(pkey); +- ERR_print_errors_fp(stderr); +- ERR_free_strings(); ++ if (pkey != NULL) ++ freezero(pkey, sizeof(*pkey) + pkey->datasz); + return rc; + } +diff --git a/usr.sbin/acme-client/certproc.c b/usr.sbin/acme-client/certproc.c +index f443d573675..85c3897a4b8 100644 +--- a/usr.sbin/acme-client/certproc.c ++++ b/usr.sbin/acme-client/certproc.c +@@ -21,11 +21,6 @@ + #include <string.h> + #include <unistd.h> + +-#include <openssl/pem.h> +-#include <openssl/x509.h> +-#include <openssl/x509v3.h> +-#include <openssl/err.h> +- + #include "extern.h" + + #define BEGIN_MARKER "-----BEGIN CERTIFICATE-----" +diff --git a/usr.sbin/acme-client/key.c b/usr.sbin/acme-client/key.c +index a6fc437f863..c0e54b15742 100644 +--- a/usr.sbin/acme-client/key.c ++++ b/usr.sbin/acme-client/key.c +@@ -17,15 +17,11 @@ + */ + + #include <err.h> ++#include <stdio.h> + #include <stdlib.h> + #include <unistd.h> + +-#include <openssl/evp.h> +-#include <openssl/pem.h> +-#include <openssl/rsa.h> +-#include <openssl/ecdsa.h> +-#include <openssl/ec.h> +-#include <openssl/obj_mac.h> ++#include <bearssl.h> + + #include "key.h" + +@@ -34,111 +30,318 @@ + */ + #define KBITS 4096 + ++static void ++prng_init(const br_prng_class **ctx, const void *params, const void *seed, size_t len) ++{ ++} ++ ++static void ++prng_generate(const br_prng_class **ctx, void *out, size_t len) ++{ ++ arc4random_buf(out, len); ++} ++ ++static void ++prng_update(const br_prng_class **ctx, const void *seed, size_t len) ++{ ++} ++ ++static const br_prng_class prng_class = { ++ 0, prng_init, prng_generate, prng_update ++}, *prng = &prng_class; ++ + /* + * Create an RSA key with the default KBITS number of bits. 
+ */ +-EVP_PKEY * ++struct key * + rsa_key_create(FILE *f, const char *fname) + { +- EVP_PKEY_CTX *ctx = NULL; +- EVP_PKEY *pkey = NULL; ++ struct key *key = NULL; ++ size_t slen, plen; ++ unsigned char *sbuf, *pbuf; ++ unsigned char d[KBITS / 8]; ++ unsigned char *der = NULL, *pem = NULL; ++ size_t derlen, pemlen; + +- /* First, create the context and the key. */ ++ /* First, allocate and generate the key. */ + +- if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) { +- warnx("EVP_PKEY_CTX_new_id"); +- goto err; +- } else if (EVP_PKEY_keygen_init(ctx) <= 0) { +- warnx("EVP_PKEY_keygen_init"); ++ slen = BR_RSA_KBUF_PRIV_SIZE(KBITS); ++ plen = BR_RSA_KBUF_PUB_SIZE(KBITS); ++ if ((key = malloc(sizeof(*key) + slen + plen)) == NULL) { ++ warnx("malloc"); + goto err; +- } else if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KBITS) <= 0) { +- warnx("EVP_PKEY_set_rsa_keygen_bits"); ++ } ++ key->type = BR_KEYTYPE_RSA; ++ key->datasz = slen + plen; ++ sbuf = key->data; ++ pbuf = key->data + slen; ++ if (!br_rsa_keygen_get_default()(&prng, &key->rsa.sk, sbuf, ++ &key->rsa.pk, pbuf, KBITS, 0x10001)) { ++ warnx("br_rsa_keygen"); + goto err; +- } else if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { +- warnx("EVP_PKEY_keygen"); ++ } ++ ++ /* Compute the private exponent. */ ++ ++ if (!br_rsa_compute_privexp_get_default()(d, &key->rsa.sk, 0x10001)) { ++ warnx("br_rsa_compute_modulus"); + goto err; + } + +- /* Serialise the key to the disc. */ ++ /* Serialise the key to the disk. 
*/ + +- if (PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) ++ derlen = br_encode_rsa_raw_der(NULL, &key->rsa.sk, &key->rsa.pk, ++ d, sizeof(d)); ++ if ((der = malloc(derlen)) == NULL) { ++ warn("malloc"); ++ goto err; ++ } ++ br_encode_rsa_raw_der(der, &key->rsa.sk, &key->rsa.pk, d, sizeof(d)); ++ pemlen = br_pem_encode(NULL, der, derlen, BR_ENCODE_PEM_RSA_RAW, 0); ++ if ((pem = malloc(pemlen + 1)) == NULL) { ++ warn("malloc"); ++ goto err; ++ } ++ br_pem_encode(pem, der, derlen, BR_ENCODE_PEM_RSA_RAW, 0); ++ if (fwrite(pem, 1, pemlen, f) == pemlen) + goto out; + +- warnx("%s: PEM_write_PrivateKey", fname); ++ warn("write private key"); + + err: +- EVP_PKEY_free(pkey); +- pkey = NULL; ++ free(key); ++ key = NULL; + out: +- EVP_PKEY_CTX_free(ctx); +- return pkey; ++ free(der); ++ free(pem); ++ return key; + } + +-EVP_PKEY * ++struct key * + ec_key_create(FILE *f, const char *fname) + { +- EC_KEY *eckey = NULL; +- EVP_PKEY *pkey = NULL; ++ struct key *key = NULL; ++ const br_ec_impl *ec; ++ size_t slen, plen; ++ unsigned char *sbuf, *pbuf; ++ unsigned char *der = NULL, *pem = NULL; ++ size_t derlen, pemlen; + +- if ((eckey = EC_KEY_new_by_curve_name(NID_secp384r1)) == NULL ) { +- warnx("EC_KEY_new_by_curve_name"); ++ slen = BR_EC_KBUF_PRIV_MAX_SIZE; ++ plen = BR_EC_KBUF_PUB_MAX_SIZE; ++ if ((key = malloc(sizeof(*key) + slen + plen)) == NULL) { ++ warn("malloc"); + goto err; + } ++ key->type = BR_KEYTYPE_EC; ++ key->datasz = slen + plen; ++ sbuf = key->data; ++ pbuf = key->data + slen; + +- if (!EC_KEY_generate_key(eckey)) { +- warnx("EC_KEY_generate_key"); ++ ec = br_ec_get_default(); ++ if (br_ec_keygen(&prng, ec, &key->ec.sk, sbuf, BR_EC_secp384r1) == 0) { ++ warnx("br_ec_keygen"); + goto err; + } +- +- /* set OPENSSL_EC_NAMED_CURVE to be able to load the key */ +- +- EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); +- +- /* Serialise the key to the disc in EC format */ +- +- if (!PEM_write_ECPrivateKey(f, eckey, NULL, NULL, 0, NULL, NULL)) { +- 
warnx("%s: PEM_write_ECPrivateKey", fname); ++ if (br_ec_compute_pub(ec, &key->ec.pk, pbuf, &key->ec.sk) == 0) { ++ warnx("br_ec_compute_pub"); + goto err; + } + +- /* Convert the EC key into a PKEY structure */ ++ /* Serialise the key to the disk in EC format */ + +- if ((pkey = EVP_PKEY_new()) == NULL) { +- warnx("EVP_PKEY_new"); ++ if ((derlen = br_encode_ec_raw_der(NULL, &key->ec.sk, ++ &key->ec.pk)) == 0) { ++ warnx("br_encode_ec_raw_der"); ++ goto err; ++ } ++ if ((der = malloc(derlen)) == NULL) { ++ warn("malloc"); + goto err; + } +- if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) { +- warnx("EVP_PKEY_assign_EC_KEY"); ++ br_encode_ec_raw_der(der, &key->ec.sk, &key->ec.pk); ++ pemlen = br_pem_encode(NULL, der, derlen, BR_ENCODE_PEM_EC_RAW, 0); ++ if ((pem = malloc(pemlen + 1)) == NULL) { ++ warn("malloc"); + goto err; + } ++ br_pem_encode(pem, der, derlen, BR_ENCODE_PEM_EC_RAW, 0); ++ if (fwrite(pem, 1, pemlen, f) == pemlen) ++ goto out; + +- goto out; ++ warn("write private key"); + + err: +- EVP_PKEY_free(pkey); +- pkey = NULL; ++ free(key); ++ key = NULL; + out: +- EC_KEY_free(eckey); +- return pkey; ++ free(der); ++ free(pem); ++ return key; + } + ++static void ++append_skey(void *ctx, const void *src, size_t len) ++{ ++ br_skey_decoder_push(ctx, src, len); ++} + +- +-EVP_PKEY * ++struct key * + key_load(FILE *f, const char *fname) + { +- EVP_PKEY *pkey; ++ struct key *key = NULL; ++ size_t datasz, len = 0, n; ++ int type = 0, err; ++ unsigned char buf[8192], *pos; ++ br_pem_decoder_context pemctx; ++ br_skey_decoder_context keyctx; ++ br_rsa_compute_modulus compute_modulus; ++ br_rsa_compute_pubexp compute_pubexp; ++ const br_ec_impl *ecimpl; ++ const br_rsa_private_key *rsa; ++ const br_ec_private_key *ec; ++ const char *name = NULL; ++ uint32_t pubexp; ++ ++ br_pem_decoder_init(&pemctx); ++ br_skey_decoder_init(&keyctx); ++ while (type == 0) { ++ if (len == 0) { ++ if (feof(f)) { ++ warnx("%s: missing private key", fname); ++ break; ++ } ++ len = fread(buf, 1, 
sizeof(buf), f); ++ if (ferror(f)) { ++ warn("%s: read", fname); ++ goto err; ++ } ++ pos = buf; ++ } ++ n = br_pem_decoder_push(&pemctx, pos, len); ++ pos += n; ++ len -= n; ++ switch (br_pem_decoder_event(&pemctx)) { ++ case BR_PEM_BEGIN_OBJ: ++ name = br_pem_decoder_name(&pemctx); ++ if (strcmp(name, BR_ENCODE_PEM_PKCS8) != 0 && ++ strcmp(name, BR_ENCODE_PEM_RSA_RAW) != 0 && ++ strcmp(name, BR_ENCODE_PEM_EC_RAW) != 0) { ++ name = NULL; ++ break; ++ } ++ br_pem_decoder_setdest(&pemctx, append_skey, &keyctx); ++ break; ++ case BR_PEM_END_OBJ: ++ if (name == NULL) ++ break; ++ if ((err = br_skey_decoder_last_error(&keyctx)) != 0) { ++ warnx("%s: br_skey_decoder: %d", fname, err); ++ goto err; ++ } ++ type = br_skey_decoder_key_type(&keyctx); ++ break; ++ case 0: ++ break; ++ default: ++ warnx("%s: PEM decoding failed", fname); ++ goto err; ++ } ++ } ++ ++ switch (type) { ++ case BR_KEYTYPE_RSA: ++ rsa = br_skey_decoder_get_rsa(&keyctx); ++ compute_modulus = br_rsa_compute_modulus_get_default(); ++ compute_pubexp = br_rsa_compute_pubexp_get_default(); ++ ++ /* Compute public modulus size. This will fail if ++ * p or q is not 3 mod 4. */ ++ if ((datasz = compute_modulus(NULL, rsa)) == 0) { ++ warnx("%s: br_rsa_compute_modulus", fname); ++ goto err; ++ } ++ datasz += 4 + rsa->plen + rsa->qlen + rsa->dplen + rsa->dqlen + ++ rsa->iqlen; + +- pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL); +- if (pkey == NULL) { +- warnx("%s: PEM_read_PrivateKey", fname); +- return NULL; ++ if ((key = malloc(sizeof(*key) + datasz)) == NULL) { ++ warn("malloc"); ++ goto err; ++ } ++ key->type = BR_KEYTYPE_RSA; ++ key->datasz = datasz; ++ ++ if ((pubexp = compute_pubexp(rsa)) == 0) { ++ warnx("%s: br_rsa_compute_pubexp", fname); ++ goto err; ++ } ++ ++ /* Copy private key. 
*/ ++ key->rsa.sk.n_bitlen = rsa->n_bitlen; ++ key->rsa.sk.p = key->data; ++ key->rsa.sk.plen = rsa->plen; ++ key->rsa.sk.q = key->rsa.sk.p + rsa->plen; ++ key->rsa.sk.qlen = rsa->qlen; ++ key->rsa.sk.dp = key->rsa.sk.q + rsa->qlen; ++ key->rsa.sk.dplen = rsa->dplen; ++ key->rsa.sk.dq = key->rsa.sk.dp + rsa->dplen; ++ key->rsa.sk.dqlen = rsa->dqlen; ++ key->rsa.sk.iq = key->rsa.sk.dq + rsa->dqlen; ++ key->rsa.sk.iqlen = rsa->iqlen; ++ memcpy(key->rsa.sk.p, rsa->p, rsa->plen); ++ memcpy(key->rsa.sk.q, rsa->q, rsa->qlen); ++ memcpy(key->rsa.sk.dp, rsa->dp, rsa->dplen); ++ memcpy(key->rsa.sk.dq, rsa->dq, rsa->dqlen); ++ memcpy(key->rsa.sk.iq, rsa->iq, rsa->iqlen); ++ ++ /* Compute public modulus and encode public exponent. */ ++ key->rsa.pk.n = key->rsa.sk.iq + rsa->iqlen; ++ key->rsa.pk.nlen = compute_modulus(key->rsa.pk.n, rsa); ++ key->rsa.pk.elen = 4; ++ key->rsa.pk.e = key->rsa.pk.n + key->rsa.pk.nlen; ++ key->rsa.pk.e[0] = pubexp >> 24; ++ key->rsa.pk.e[1] = pubexp >> 16; ++ key->rsa.pk.e[2] = pubexp >> 8; ++ key->rsa.pk.e[3] = pubexp; ++ ++ /* Trim leading zeros. 
*/ ++ while (key->rsa.pk.elen > 0 && key->rsa.pk.e[0] == 0) { ++ --key->rsa.pk.elen; ++ ++key->rsa.pk.e; ++ } ++ goto out; ++ case BR_KEYTYPE_EC: ++ ec = br_skey_decoder_get_ec(&keyctx); ++ ecimpl = br_ec_get_default(); ++ if ((datasz = br_ec_compute_pub(ecimpl, NULL, NULL, ec)) == 0) { ++ warnx("%s: br_ec_compute_pub", fname); ++ goto err; ++ } ++ datasz += ec->xlen; ++ ++ if ((key = malloc(sizeof(*key) + datasz)) == NULL) { ++ warn("malloc"); ++ goto err; ++ } ++ key->type = BR_KEYTYPE_EC; ++ key->datasz = datasz; ++ ++ key->ec.sk.curve = ec->curve; ++ key->ec.sk.x = key->data; ++ key->ec.sk.xlen = ec->xlen; ++ memcpy(key->ec.sk.x, ec->x, ec->xlen); ++ br_ec_compute_pub(ecimpl, &key->ec.pk, ++ key->ec.sk.x + key->ec.sk.xlen, &key->ec.sk); ++ goto out; + } +- if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA || +- EVP_PKEY_base_id(pkey) == EVP_PKEY_EC) +- return pkey; + +- warnx("%s: unsupported key type", fname); +- EVP_PKEY_free(pkey); +- return NULL; ++ warnx("%s: missing private key", fname); ++ ++err: ++ free(key); ++ key = NULL; ++out: ++ explicit_bzero(&pemctx, sizeof(pemctx)); ++ explicit_bzero(&keyctx, sizeof(keyctx)); ++ return key; + } +diff --git a/usr.sbin/acme-client/key.h b/usr.sbin/acme-client/key.h +index 272d36eb09a..12abdec813c 100644 +--- a/usr.sbin/acme-client/key.h ++++ b/usr.sbin/acme-client/key.h +@@ -18,8 +18,24 @@ + #ifndef KEY_H + #define KEY_H + +-EVP_PKEY *rsa_key_create(FILE *, const char *); +-EVP_PKEY *ec_key_create(FILE *, const char *); +-EVP_PKEY *key_load(FILE *, const char *); ++struct key { ++ int type; ++ union { ++ struct { ++ br_rsa_public_key pk; ++ br_rsa_private_key sk; ++ } rsa; ++ struct { ++ br_ec_public_key pk; ++ br_ec_private_key sk; ++ } ec; ++ }; ++ size_t datasz; ++ unsigned char data[]; ++}; ++ ++struct key *rsa_key_create(FILE *, const char *); ++struct key *ec_key_create(FILE *, const char *); ++struct key *key_load(FILE *, const char *); + + #endif /* ! 
KEY_H */ +diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c +index f0df9f292d4..fc7de74b616 100644 +--- a/usr.sbin/acme-client/keyproc.c ++++ b/usr.sbin/acme-client/keyproc.c +@@ -18,55 +18,18 @@ + #include <sys/stat.h> + + #include <err.h> ++#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <string.h> + #include <unistd.h> + +-#include <openssl/pem.h> +-#include <openssl/err.h> +-#include <openssl/rand.h> +-#include <openssl/x509.h> +-#include <openssl/x509v3.h> ++#include <bearssl.h> ++#include <x509cert.h> + + #include "extern.h" + #include "key.h" + +-/* +- * This was lifted more or less directly from demos/x509/mkreq.c of the +- * OpenSSL source code. +- */ +-static int +-add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) +-{ +- X509_EXTENSION *ex; +- char *cp; +- +- /* +- * XXX: I don't like this at all. +- * There's no documentation for X509V3_EXT_conf_nid, so I'm not +- * sure if the "value" parameter is ever written to, touched, +- * etc. +- * The 'official' examples suggest not (they use a string +- * literal as the input), but to be safe, I'm doing an +- * allocation here and just letting it go. +- * This leaks memory, but bounded to the number of SANs. +- */ +- +- if ((cp = strdup(value)) == NULL) { +- warn("strdup"); +- return (0); +- } +- ex = X509V3_EXT_conf_nid(NULL, NULL, nid, cp); +- if (ex == NULL) { +- warnx("X509V3_EXT_conf_nid"); +- free(cp); +- return (0); +- } +- sk_X509_EXTENSION_push(sk, ex); +- return (1); +-} +- + /* + * Create an X509 certificate from the private key we have on file. + * To do this, we first open the key file, then jail ourselves. 
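Review bot: `datasz` in `struct key` holds only the length of the trailing `data[]` array, but key.h does not say so, and the `out:` hunk of keyproc.c later in this patch passes it alone to `freezero(pkey, pkey->datasz)`. `key_load` allocates `sizeof(*key) + datasz` bytes and places the key material after the header, so that call wipes the header plus only part of `data[]`. For an EC key the unwiped tail may include the private scalar stored at `key->ec.sk.x`, depending on how large the header is. I would add `/* length of data[] only; the allocation is sizeof(struct key) + datasz */` above the field and change the cleanup to `freezero(pkey, sizeof(*pkey) + pkey->datasz);`.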
+@@ -77,18 +40,20 @@ int + keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, + enum keytype keytype) + { +- char *der64 = NULL; +- unsigned char *der = NULL, *dercp; +- char *sans = NULL, *san = NULL; +- FILE *f; +- size_t i, sansz; +- void *pp; +- EVP_PKEY *pkey = NULL; +- X509_REQ *x = NULL; +- X509_NAME *name = NULL; +- int len, rc = 0, cc, nid, newkey = 0; +- mode_t prev; +- STACK_OF(X509_EXTENSION) *exts = NULL; ++ char *der64 = NULL; ++ unsigned char *der = NULL; ++ FILE *f; ++ size_t i; ++ struct key *pkey = NULL; ++ struct x509cert_req req; ++ struct x509cert_skey skey; ++ struct x509cert_dn dn; ++ struct x509cert_rdn rdn; ++ struct x509cert_item item; ++ int len, rc = 0, newkey = 0; ++ mode_t prev; ++ ++ req.alts = NULL; + + /* + * First, open our private key file read-only or write-only if +@@ -110,8 +75,6 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, + + /* File-system, user, and sandbox jail. */ + +- ERR_load_crypto_strings(); +- + if (pledge("stdio", NULL) == -1) { + warn("pledge"); + goto out; +@@ -145,102 +108,61 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, + * Then set it as the X509 requester's key. + */ + +- if ((x = X509_REQ_new()) == NULL) { +- warnx("X509_REQ_new"); +- goto out; +- } else if (!X509_REQ_set_version(x, 0)) { +- warnx("X509_REQ_set_version"); +- goto out; +- } else if (!X509_REQ_set_pubkey(x, pkey)) { +- warnx("X509_REQ_set_pubkey"); +- goto out; ++ req.pkey.key_type = pkey->type; ++ skey.type = pkey->type; ++ switch (pkey->type) { ++ case BR_KEYTYPE_RSA: ++ req.pkey.key.rsa = pkey->rsa.pk; ++ skey.u.rsa = &pkey->rsa.sk; ++ break; ++ case BR_KEYTYPE_EC: ++ req.pkey.key.ec = pkey->ec.pk; ++ skey.u.ec = &pkey->ec.sk; ++ break; + } + + /* Now specify the common name that we'll request. 
*/ + +- if ((name = X509_NAME_new()) == NULL) { +- warnx("X509_NAME_new"); +- goto out; +- } else if (!X509_NAME_add_entry_by_txt(name, "CN", +- MBSTRING_ASC, (u_char *)alts[0], -1, -1, 0)) { +- warnx("X509_NAME_add_entry_by_txt: CN=%s", alts[0]); +- goto out; +- } else if (!X509_REQ_set_subject_name(x, name)) { +- warnx("X509_req_set_issuer_name"); +- goto out; +- } ++ rdn.oid = x509cert_oid_CN; ++ rdn.val.tag = X509CERT_ASN1_UTF8STRING; ++ rdn.val.val = alts[0]; ++ rdn.val.len = strlen(alts[0]); ++ rdn.val.enc = NULL; ++ dn.rdn = &rdn; ++ dn.rdn_len = 1; ++ req.subject.enc = x509cert_dn_encoder; ++ req.subject.val = &dn; + +- /* +- * Now add the SAN extensions. +- * This was lifted more or less directly from demos/x509/mkreq.c +- * of the OpenSSL source code. +- * (The zeroth altname is the domain name.) +- * TODO: is this the best way of doing this? +- */ ++ /* Now add the SAN extension. */ + +- nid = NID_subject_alt_name; +- if ((exts = sk_X509_EXTENSION_new_null()) == NULL) { +- warnx("sk_X509_EXTENSION_new_null"); ++ req.alts_len = altsz; ++ req.alts = calloc(altsz, sizeof(req.alts[0])); ++ if (req.alts == NULL) { ++ warn("calloc"); + goto out; + } +- /* Initialise to empty string. */ +- if ((sans = strdup("")) == NULL) { +- warn("strdup"); +- goto out; +- } +- sansz = strlen(sans) + 1; + +- /* +- * For each SAN entry, append it to the string. +- * We need a single SAN entry for all of the SAN +- * domains: NOT an entry per domain! +- */ ++ /* Add a dNSName SAN entry for each alternate name. */ + + for (i = 0; i < altsz; i++) { +- cc = asprintf(&san, "%sDNS:%s", +- i ? 
"," : "", alts[i]); +- if (cc == -1) { +- warn("asprintf"); +- goto out; +- } +- pp = recallocarray(sans, sansz, sansz + strlen(san), 1); +- if (pp == NULL) { +- warn("recallocarray"); +- goto out; +- } +- sans = pp; +- sansz += strlen(san); +- strlcat(sans, san, sansz); +- free(san); +- san = NULL; +- } +- +- if (!add_ext(exts, nid, sans)) { +- warnx("add_ext"); +- goto out; +- } else if (!X509_REQ_add_extensions(x, exts)) { +- warnx("X509_REQ_add_extensions"); +- goto out; +- } +- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); +- +- /* Sign the X509 request using SHA256. */ +- +- if (!X509_REQ_sign(x, pkey, EVP_sha256())) { +- warnx("X509_sign"); +- goto out; ++ req.alts[i].tag = X509CERT_SAN_DNSNAME; ++ req.alts[i].val = alts[i]; ++ req.alts[i].len = strlen(alts[i]); + } + +- /* Now, serialise to DER, then base64. */ ++ /* Sign the X.509 request using SHA256, and serialise to ++ * DER then base64. */ + +- if ((len = i2d_X509_REQ(x, NULL)) < 0) { +- warnx("i2d_X509_REQ"); ++ item.enc = x509cert_req_encoder; ++ item.val = &req; ++ if ((len = x509cert_sign(&item, &skey, &br_sha256_vtable, NULL)) == 0) { ++ warnx("x509cert_sign"); + goto out; +- } else if ((der = dercp = malloc(len)) == NULL) { ++ } else if ((der = malloc(len)) == NULL) { + warn("malloc"); + goto out; +- } else if (len != i2d_X509_REQ(x, &dercp)) { +- warnx("i2d_X509_REQ"); ++ } else if ((len = x509cert_sign(&item, &skey, &br_sha256_vtable, der)) == 0) { ++ warnx("x509cert_sign"); + goto out; + } else if ((der64 = base64buf_url(der, len)) == NULL) { + warnx("base64buf_url"); +@@ -265,12 +187,8 @@ out: + fclose(f); + free(der); + free(der64); +- free(sans); +- free(san); +- X509_REQ_free(x); +- X509_NAME_free(name); +- EVP_PKEY_free(pkey); +- ERR_print_errors_fp(stderr); +- ERR_free_strings(); ++ free(req.alts); ++ if (pkey != NULL) ++ freezero(pkey, pkey->datasz); + return rc; + } +diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c +index 
58e81233f1a..6d0f2b39d02 100644 +--- a/usr.sbin/acme-client/revokeproc.c ++++ b/usr.sbin/acme-client/revokeproc.c +@@ -22,58 +22,54 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <time.h> + #include <unistd.h> + #include <vis.h> + +-#include <openssl/pem.h> +-#include <openssl/x509.h> +-#include <openssl/x509v3.h> +-#include <openssl/err.h> ++#include <bearssl.h> + + #include "extern.h" + + #define RENEW_ALLOW (30 * 24 * 60 * 60) + +-/* +- * Convert the X509's expiration time into a time_t value. +- */ +-static time_t +-X509expires(X509 *x) ++static void ++append_cert(void *ctx, const void *buf, size_t len) + { +- ASN1_TIME *atim; +- struct tm t; +- +- if ((atim = X509_getm_notAfter(x)) == NULL) { +- warnx("missing notAfter"); +- return -1; +- } +- +- memset(&t, 0, sizeof(t)); +- +- if (!ASN1_TIME_to_tm(atim, &t)) { +- warnx("invalid ASN1_TIME"); +- return -1; ++ br_x509_certificate *cert = ctx; ++ size_t newlen; ++ unsigned char *newdata; ++ ++ if (cert->data_len == -1) ++ return; ++ newlen = cert->data_len + len; ++ if ((newdata = realloc(cert->data, newlen)) != NULL) { ++ memcpy(newdata + cert->data_len, buf, len); ++ cert->data = newdata; ++ cert->data_len = newlen; ++ } else { ++ warn("realloc"); ++ cert->data_len = -1; + } +- +- return timegm(&t); + } + + int + revokeproc(int fd, const char *certfile, int force, + int revocate, const char *const *alts, size_t altsz) + { +- GENERAL_NAMES *sans = NULL; +- unsigned char *der = NULL, *dercp; +- char *der64 = NULL; +- char *san = NULL, *str, *tok; +- int rc = 0, cc, i, len; +- size_t *found = NULL; ++ static const unsigned char dnsname[] = {0, 2}; ++ char buf[8192], *pos, *sans = NULL, *der64 = NULL; ++ int rc = 0, cc, state, err; ++ size_t i, j, n, len = 0, altlen, altmax, eltsz; + FILE *f = NULL; +- X509 *x = NULL; ++ br_pem_decoder_context pc; ++ br_x509_decoder_context xd; ++ br_x509_minimal_context xc; ++ br_x509_certificate cert = {0}; ++ br_name_element *elts = NULL; ++ 
uint32_t days, secs; + long lval; + enum revokeop op, rop; + time_t t; +- size_t j; + + /* + * First try to open the certificate before we drop privileges +@@ -88,8 +84,6 @@ revokeproc(int fd, const char *certfile, int force, + + /* File-system and sandbox jailing. */ + +- ERR_load_crypto_strings(); +- + if (pledge("stdio", NULL) == -1) { + warn("pledge"); + goto out; +@@ -113,39 +107,84 @@ revokeproc(int fd, const char *certfile, int force, + goto out; + } + +- if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL) { +- warnx("PEM_read_X509"); +- goto out; ++ br_pem_decoder_init(&pc); ++ for (state = 0; state != 2;) { ++ if (len == 0) { ++ if (feof(f)) { ++ warnx("%s: truncated certificate", certfile); ++ goto out; ++ } ++ len = fread(buf, 1, sizeof(buf), f); ++ if (ferror(f)) { ++ warn("fread"); ++ goto out; ++ } ++ pos = buf; ++ } ++ n = br_pem_decoder_push(&pc, pos, len); ++ pos += n; ++ len -= n; ++ switch (br_pem_decoder_event(&pc)) { ++ case BR_PEM_BEGIN_OBJ: ++ if (strcmp(br_pem_decoder_name(&pc), "CERTIFICATE") == 0) { ++ br_pem_decoder_setdest(&pc, append_cert, &cert); ++ state = 1; ++ } ++ break; ++ case BR_PEM_END_OBJ: ++ if (state == 1) ++ state = 2; ++ break; ++ case 0: ++ break; ++ default: ++ warnx("%s: PEM decoding error", certfile); ++ goto out; ++ } + } +- +- /* Cache and sanity check X509v3 extensions. */ +- +- if (X509_check_purpose(x, -1, -1) <= 0) { +- warnx("%s: invalid X509v3 extensions", certfile); ++ if (cert.data_len == -1) + goto out; +- } + + /* Read out the expiration date. */ + +- if ((t = X509expires(x)) == -1) { +- warnx("X509expires"); ++ br_x509_decoder_init(&xd, NULL, NULL); ++ br_x509_decoder_push(&xd, cert.data, cert.data_len); ++ if ((err = br_x509_decoder_last_error(&xd)) != 0) { ++ warnx("%s: X.509 decoding error %d", certfile, err); + goto out; + } ++ br_x509_decoder_get_notafter(&xd, &days, &secs); ++ t = 86400ll * (days - 719528) + 86400; + +- /* Extract list of SAN entries from the certificate. 
*/ +- +- sans = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); +- if (sans == NULL) { +- warnx("%s: does not have a SAN entry", certfile); +- if (revocate) +- goto out; +- force = 2; ++ for (i = 0, altmax = 0; i < altsz; ++i) { ++ altlen = strlen(alts[i]) + 1; ++ if (altlen > altmax) ++ altmax = altlen; ++ } ++ eltsz = altsz + 1; ++ if ((elts = calloc(eltsz, sizeof(elts[0]))) == NULL || ++ (sans = calloc(eltsz, altmax)) == NULL) { ++ warn("calloc"); ++ goto out; ++ } ++ for (i = 0; i < eltsz; ++i) { ++ elts[i].oid = dnsname; ++ elts[i].buf = sans + i * altmax; ++ elts[i].len = altmax; + } + +- /* An array of buckets: the number of entries found. */ ++ /* Extract list of SAN entries from the certificate. */ + +- if ((found = calloc(altsz, sizeof(size_t))) == NULL) { +- warn("calloc"); ++ br_x509_minimal_init(&xc, &br_sha256_vtable, NULL, 0); ++ br_x509_minimal_set_hash(&xc, br_sha256_ID, &br_sha256_vtable); ++ br_x509_minimal_set_name_elements(&xc, elts, eltsz); ++ xc.vtable->start_chain(&xc.vtable, NULL); ++ xc.vtable->start_cert(&xc.vtable, cert.data_len); ++ xc.vtable->append(&xc.vtable, cert.data, cert.data_len); ++ xc.vtable->end_cert(&xc.vtable); ++ err = xc.vtable->end_chain(&xc.vtable); ++ if (err != BR_ERR_X509_NOT_TRUSTED) { ++ warnx("%s: X.509 engine error %d", certfile, err); + goto out; + } + +@@ -154,63 +193,37 @@ revokeproc(int fd, const char *certfile, int force, + * configuration file and that all domains are represented only once. + */ + +- for (i = 0; i < sk_GENERAL_NAME_num(sans); i++) { +- GENERAL_NAME *gen_name; +- const ASN1_IA5STRING *name; +- const unsigned char *name_buf; +- int name_len; +- int name_type; +- +- gen_name = sk_GENERAL_NAME_value(sans, i); +- assert(gen_name != NULL); +- +- name = GENERAL_NAME_get0_value(gen_name, &name_type); +- if (name_type != GEN_DNS) +- continue; +- +- /* name_buf isn't a C string and could contain embedded NULs. 
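Review bot: The check `if (err != BR_ERR_X509_NOT_TRUSTED)` after `end_chain` treats every other engine result as fatal, and no validation time is set on `xc`, so the result may depend on the wall clock. As far as I know, BearSSL's minimal engine compares the validity dates with the current time while parsing and reports an expiry error before it reaches the trust decision. If so, an already expired certificate, or a host with a wrong clock, ends in `X.509 engine error` here and never reaches the expiry handling further down; please confirm against the BearSSL version in use. The engine is only used here to extract the SAN names, so pinning its time to the certificate's own notAfter would avoid that: `br_x509_minimal_set_time(&xc, days, secs);` before `start_chain`. Separately, `t = 86400ll * (days - 719528) + 86400` drops `secs` and subtracts in unsigned arithmetic, so a comment should say whether rounding up to the end of the day is intended; `revokeproc` starts and ends outside this hunk.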
*/ +- name_buf = ASN1_STRING_get0_data(name); +- name_len = ASN1_STRING_length(name); +- +- for (j = 0; j < altsz; j++) { +- if ((size_t)name_len != strlen(alts[j])) +- continue; +- if (memcmp(name_buf, alts[j], name_len) == 0) ++ for (i = 0; i < altsz; i++) { ++ for (j = 0; j < eltsz; j++) { ++ if (elts[j].status == 1 && ++ strcmp(alts[i], elts[j].buf) == 0) { ++ elts[j].status = 0; + break; +- } +- if (j == altsz) { +- if (revocate) { +- char *visbuf; +- +- visbuf = calloc(4, name_len + 1); +- if (visbuf == NULL) { +- warn("%s: unexpected SAN", certfile); +- goto out; +- } +- strvisx(visbuf, name_buf, name_len, VIS_SAFE); +- warnx("%s: unexpected SAN entry: %s", +- certfile, visbuf); +- free(visbuf); +- goto out; + } +- force = 2; +- continue; + } +- if (found[j]++) { ++ if (j == eltsz) { + if (revocate) { +- warnx("%s: duplicate SAN entry: %.*s", +- certfile, name_len, name_buf); ++ warnx("%s: domain not listed: %s", certfile, alts[i]); + goto out; + } + force = 2; + } + } + +- for (j = 0; j < altsz; j++) { +- if (found[j]) ++ for (i = 0; i < eltsz; i++) { ++ if (elts[i].status == 0) + continue; + if (revocate) { +- warnx("%s: domain not listed: %s", certfile, alts[j]); ++ char *visbuf; ++ ++ if (elts[i].status != 1 || ++ stravis(&visbuf, elts[i].buf, VIS_SAFE) < 0) { ++ warnx("%s: unexpected SAN", certfile); ++ goto out; ++ } ++ warnx("%s: unexpected SAN entry: %s", ++ certfile, visbuf); ++ free(visbuf); + goto out; + } + force = 2; +@@ -236,16 +249,7 @@ revokeproc(int fd, const char *certfile, int force, + if (cc <= 0) + goto out; + +- if ((len = i2d_X509(x, NULL)) < 0) { +- warnx("i2d_X509"); +- goto out; +- } else if ((der = dercp = malloc(len)) == NULL) { +- warn("malloc"); +- goto out; +- } else if (len != i2d_X509(x, &dercp)) { +- warnx("i2d_X509"); +- goto out; +- } else if ((der64 = base64buf_url(der, len)) == NULL) { ++ if ((der64 = base64buf_url(cert.data, cert.data_len)) == NULL) { + warnx("base64buf_url"); + goto out; + } else if (writestr(fd, 
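Review bot: The new matching loop compares with `strcmp(alts[i], elts[j].buf)`, whereas the code it replaces compared length and bytes with `memcmp` because, per its own comment, the name "could contain embedded NULs". This hunk does not show whether the BearSSL name-element decoder can leave a NUL inside `elts[j].buf`. If it can, a SAN would match on its prefix only, and `stravis` would print only that prefix in the diagnostic. I would document the assumption next to the comparison, e.g. `/* elts[j].buf is NUL-terminated by BearSSL; assumes the decoder rejects embedded NULs -- confirm */`. `revokeproc` starts and ends outside this hunk.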
COMM_CSR, der64) >= 0) +@@ -298,12 +302,9 @@ out: + close(fd); + if (f != NULL) + fclose(f); +- X509_free(x); +- GENERAL_NAMES_free(sans); +- free(der); +- free(found); ++ free(cert.data); ++ free(sans); ++ free(elts); + free(der64); +- ERR_print_errors_fp(stderr); +- ERR_free_strings(); + return rc; + } +-- +2.37.3 + diff --git a/pkg/sys/openbsd/patch/0037-pax-Use-POSIX-struct-stat-fields-for-high-resolution.patch b/pkg/sys/openbsd/patch/0037-pax-Use-POSIX-struct-stat-fields-for-high-resolution.patch @@ -0,0 +1,46 @@ +From 82646d38665109ec5f0753ba384da94d529bbbe9 Mon Sep 17 00:00:00 2001 +From: Michael Forney <mforney@mforney.org> +Date: Wed, 27 Apr 2022 19:57:54 -0700 +Subject: [PATCH] pax: Use POSIX struct stat fields for high resolution + timestamps + +--- + bin/pax/tar.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/bin/pax/tar.c b/bin/pax/tar.c +index 1f4012123c3..7ede7938c3d 100644 +--- a/bin/pax/tar.c ++++ b/bin/pax/tar.c +@@ -417,8 +417,7 @@ tar_rd(ARCHD *arcn, char *buf) + arcn->sb.st_mtime = INT_MAX; /* XXX 2038 */ + else + arcn->sb.st_mtime = val; +- arcn->sb.st_ctime = arcn->sb.st_atime = arcn->sb.st_mtime; +- arcn->sb.st_ctimensec = arcn->sb.st_atimensec = arcn->sb.st_mtimensec; ++ arcn->sb.st_ctim = arcn->sb.st_atim = arcn->sb.st_mtim; + + /* + * have to look at the last character, it may be a '/' and that is used +@@ -795,14 +794,10 @@ reset: + else + arcn->sb.st_mtime = val; + } +- if (arcn->sb.st_ctime == 0) { +- arcn->sb.st_ctime = arcn->sb.st_mtime; +- arcn->sb.st_ctimensec = arcn->sb.st_mtimensec; +- } +- if (arcn->sb.st_atime == 0) { +- arcn->sb.st_atime = arcn->sb.st_mtime; +- arcn->sb.st_atimensec = arcn->sb.st_mtimensec; +- } ++ if (arcn->sb.st_ctime == 0) ++ arcn->sb.st_ctim = arcn->sb.st_mtim; ++ if (arcn->sb.st_atime == 0) ++ arcn->sb.st_atim = arcn->sb.st_mtim; + + /* + * If we can find the ascii names for gname and uname in the password +-- +2.35.1 + 
diff --git a/pkg/sys/openbsd/patch/0038-rsync-Pass-long-long-to-scan_scaled.patch b/pkg/sys/openbsd/patch/0038-rsync-Pass-long-long-to-scan_scaled.patch
@@ -0,0 +1,42 @@
+From 0e9ff28bc2e5bd4828b98b50333d12a6d24486fe Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Wed, 27 Apr 2022 20:03:45 -0700
+Subject: [PATCH] rsync: Pass long long * to scan_scaled
+
+off_t might not be long long.
+---
+ usr.bin/rsync/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/usr.bin/rsync/main.c b/usr.bin/rsync/main.c
+index dd175597914..5d7f055a9ae 100644
+--- a/usr.bin/rsync/main.c
++++ b/usr.bin/rsync/main.c
+@@ -353,6 +353,7 @@ main(int argc, char *argv[])
+ struct fargs *fargs;
+ char **args;
+ const char *errstr;
++ long long size;
+
+ /* Global pledge. */
+
+@@ -488,12 +489,14 @@ basedir:
+ opts.basedir[basedir_cnt++] = optarg;
+ break;
+ case OP_MAX_SIZE:
+- if (scan_scaled(optarg, &opts.max_size) == -1)
++ if (scan_scaled(optarg, &size) == -1)
+ err(1, "bad max-size");
++ opts.max_size = size;
+ break;
+ case OP_MIN_SIZE:
+- if (scan_scaled(optarg, &opts.min_size) == -1)
++ if (scan_scaled(optarg, &size) == -1)
+ err(1, "bad min-size");
++ opts.max_size = size;
+ break;
+ case OP_VERSION:
+ fprintf(stderr, "openrsync: protocol version %u\n",
+--
+2.37.3
+
diff --git a/pkg/sys/openbsd/patch/0039-libutil-Include-util.h-instead-of-util.h.patch b/pkg/sys/openbsd/patch/0039-libutil-Include-util.h-instead-of-util.h.patch
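Review bot: In the `OP_MIN_SIZE` case of the second main.c hunk the parsed value is stored with `opts.max_size = size;`, so the min-size option never sets `opts.min_size` and instead overwrites whatever max-size set. The line should read `opts.min_size = size;`. The commit message says `off_t` might not be `long long`, so a range check before the assignment may also be worth adding, though the type of the `opts` fields is not visible here. `main` continues outside both hunks.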
@@ -0,0 +1,28 @@
+From 43cb99e0700fe904af34962b9b7ca4560dd70d62 Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Tue, 6 Sep 2022 23:36:35 -0700
+Subject: [PATCH] libutil: Include <util.h> instead of "util.h"
+
+We provide our own util.h and want to use that instead of OpenBSD's
+version.
+---
+ lib/libutil/fmt_scaled.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/libutil/fmt_scaled.c b/lib/libutil/fmt_scaled.c
+index 374901ffe1e..05ef9983afe 100644
+--- a/lib/libutil/fmt_scaled.c
++++ b/lib/libutil/fmt_scaled.c
+@@ -42,8 +42,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <limits.h>
+-
+-#include "util.h"
++#include <util.h>
+
+ typedef enum {
+ NONE = 0, KILO = 1, MEGA = 2, GIGA = 3, TERA = 4, PETA = 5, EXA = 6
+--
+2.35.1
+
diff --git a/pkg/sys/openbsd/patch/0040-nc-Add-option-to-disable-certificate-time-checking.patch b/pkg/sys/openbsd/patch/0040-nc-Add-option-to-disable-certificate-time-checking.patch
@@ -0,0 +1,59 @@
+From 506272f64ba252c562e3036d14713de780817d1a Mon Sep 17 00:00:00 2001
+From: Michael Forney <mforney@mforney.org>
+Date: Thu, 20 May 2021 13:44:35 -0700
+Subject: [PATCH] nc: Add option to disable certificate time checking
+
+---
+ usr.bin/nc/nc.1 | 2 ++
+ usr.bin/nc/netcat.c | 8 ++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
+index 0ef318e0e6f..5858ef763dc 100644
+--- a/usr.bin/nc/nc.1
++++ b/usr.bin/nc/nc.1
+@@ -249,6 +249,8 @@ may be one of:
+ which disables certificate verification;
+ .Cm noname ,
+ which disables certificate name checking;
++.Cm notime ,
++which disables certificate validity time checking;
+ .Cm clientcert ,
+ which requires a client certificate on incoming connections; or
+ .Cm muststaple ,
+diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
+index 7369ed85619..29d2cb3bf29 100644
+--- a/usr.bin/nc/netcat.c
++++ b/usr.bin/nc/netcat.c
+@@ -70,8 +70,9 @@
+
+ #define TLS_NOVERIFY (1 << 1)
+ #define TLS_NONAME (1 << 2)
+-#define TLS_CCERT (1 << 3)
+-#define TLS_MUSTSTAPLE (1 << 4)
++#define TLS_NOTIME (1 << 3)
++#define TLS_CCERT (1 << 4)
++#define TLS_MUSTSTAPLE (1 << 5)
+
+ /* Command Line Options */
+ int dflag; /* detached, no stdin */
+@@ -546,6 +547,8 @@ main(int argc, char *argv[])
+ errx(1, "clientcert is only valid with -l");
+ if (TLSopt & TLS_NONAME)
+ tls_config_insecure_noverifyname(tls_cfg);
++ if (TLSopt & TLS_NOTIME)
++ tls_config_insecure_noverifytime(tls_cfg);
+ if (TLSopt & TLS_NOVERIFY) {
+ if (tls_expecthash != NULL)
+ errx(1, "-H and -T noverify may not be used "
+@@ -1705,6 +1708,7 @@ process_tls_opt(char *s, int *flags)
+ { "muststaple", TLS_MUSTSTAPLE, NULL },
+ { "noverify", TLS_NOVERIFY, NULL },
+ { "noname", TLS_NONAME, NULL },
++ { "notime", TLS_NOTIME, NULL },
+ { "protocols", -1, &tls_protocols },
+ { NULL, -1, NULL },
+ };
+--
+2.37.3
+
diff --git a/pkg/sys/openbsd/sha256 b/pkg/sys/openbsd/sha256
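Review bot: The `notime` keyword added to `process_tls_opt` and the matching nc.1 entry do not spell out what is given up: once `tls_config_insecure_noverifytime(tls_cfg)` is set, expired and not-yet-valid certificates pass verification. I would say so in the manual, e.g. `which disables certificate validity time checking, so expired or not yet valid certificates are accepted;`. A short comment at the call in `main` should state the intended use, presumably hosts without a trustworthy clock (to be confirmed). Renumbering `TLS_CCERT` and `TLS_MUSTSTAPLE` looks safe as long as these bits are only used inside netcat.c, which the hunks suggest but do not show in full. `main` and `process_tls_opt` both extend beyond the hunks shown.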
@@ -0,0 +1,2 @@
+4d545e75c144848b06cb1ee661ab13b654683ae47fcd5f264a4520ab2bfe4c0f src.tar.gz
+bb0dfa11584d68464b3f788e43655f6454bb3ecba8ad5500377630bcf23570ec sys.tar.gz
diff --git a/pkg/sys/openbsd/url b/pkg/sys/openbsd/url
@@ -0,0 +1,5 @@
+remote-name
+url = "https://fastly.cdn.openbsd.org/pub/OpenBSD/7.3/src.tar.gz"
+
+remote-name
+url = "https://fastly.cdn.openbsd.org/pub/OpenBSD/7.3/sys.tar.gz"
diff --git a/pkg/sys/openbsd/ver b/pkg/sys/openbsd/ver
@@ -0,0 +1 @@
+7.3 r0
diff --git a/sets.lua b/sets.lua
@@ -3,6 +3,7 @@ local S = {}
 S.bin = {
 'awk',
 'hyx',
+ 'openbsd',
 'pwgen',
 'samurai',
 'skeleton',