Merge branch 'openiked:master' into master

.clusterfuzzlite/Dockerfile

@@ -1,4 +1,6 @@
 FROM gcr.io/oss-fuzz-base/base-builder:v1
+
+ENV CLUSTERFUZZLITE=TRUE
 RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev libsystemd-dev
 COPY . $SRC/openiked-portable
 WORKDIR openiked-portable

.github/workflows/cflite_pr.yml

@@ -2,8 +2,8 @@ name: ClusterFuzzLite PR fuzzing
 on:
   pull_request:
     paths:
-      - 'iked/ikev2_pld.c'
-      - 'regress/parser-libfuzzer/**'
+      - iked/ikev2_pld.c
+      - regress/parser-libfuzzer/**
 permissions: read-all
 jobs:
   PR:

.github/workflows/cmake.yml

@@ -106,8 +106,9 @@ jobs:
 
     - name: Build
       run: |
-        git clone https://github.com/openiked/openiked-portable.git
+        git clone --depth=1 https://github.com/openiked/openiked-portable.git
         cd openiked-portable
+        [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}")
         mkdir build; cd build
         cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE
         make
@@ -127,8 +128,9 @@ jobs:
 
     - name: Build
       run: |
-        git clone https://github.com/openiked/openiked-portable.git
+        git clone --depth=1 https://github.com/openiked/openiked-portable.git
         cd openiked-portable
+        [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}")
         mkdir build; cd build
         cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE
         make
@@ -145,8 +147,9 @@ jobs:
 
     - name: Build
       run: |
-        git clone https://github.com/openiked/openiked-portable.git
+        git clone --depth=1 https://github.com/openiked/openiked-portable.git
         cd openiked-portable
+        [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}")
         mkdir build; cd build
         cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE
         make

CMakeLists.txt

@@ -78,7 +78,6 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-DHAVE_UDPENCAP6)
 	add_definitions(-DSPT_TYPE=SPT_REUSEARGV)
 	set(HAVE_VROUTE_NETLINK ON)
-	set(HAVE_SYSTEMD ON)
 endif()
 if (NOT DEFINED CMAKE_INSTALL_MANDIR)
 	set (CMAKE_INSTALL_MANDIR ${CMAKE_INSTALL_PREFIX}/man)
@@ -362,12 +361,26 @@ check_function_exists(getopt HAVE_GETOPT)
 if(HAVE_GETOPT)
         add_definitions(-DHAVE_GETOPT)
 endif()
-if(HAVE_SYSTEMD)
-	add_definitions(-DHAVE_SYSTEMD)
+
+check_function_exists(ibuf_add_buf HAVE_IBUF_ADD_BUF)
+if(HAVE_IBUF_ADD_BUF)
+        add_definitions(-DHAVE_IBUF_ADD_BUF)
+endif()
+check_function_exists(ibuf_add_zero HAVE_IBUF_ADD_ZERO)
+if(HAVE_IBUF_ADD_ZERO)
+        add_definitions(-DHAVE_IBUF_ADD_ZERO)
+endif()
+check_function_exists(ibuf_data HAVE_IBUF_DATA)
+if(HAVE_IBUF_DATA)
+        add_definitions(-DHAVE_IBUF_DATA)
 endif()
+
 if(HAVE_VROUTE OR HAVE_VROUTE_NETLINK)
 	add_definitions(-DHAVE_VROUTE)
 endif()
+if(WITH_SYSTEMD)
+	add_definitions(-DWITH_SYSTEMD)
+endif()
 if(WITH_APPARMOR)
 	add_definitions(-DWITH_APPARMOR)
 endif()
@@ -391,7 +404,7 @@ endif()
 if(CLUSTERFUZZ)
 	message("Compiling parser-libfuzzer")
 	add_subdirectory(regress/parser-libfuzzer)
-	if (NOT DEFINED ENV{CC} OR NOT DEFINED ENV{CFLAGS})
+	if (NOT DEFINED ENV{CLUSTERFUZZLITE})
 		set(CMAKE_C_COMPILER clang)
 		string(APPEND CMAKE_C_FLAGS " -g -O1 -fsanitize=fuzzer-no-link")
 	endif()

compat/CMakeLists.txt

@@ -73,6 +73,9 @@ endif()
 if(NOT HAVE_VIS)
 	list(APPEND SRCS ${IKED_COMPAT}/vis.c)
 endif()
+if(NOT HAVE_IBUF_ADD_BUF OR NOT HAVE_IBUF_ADD_ZERO OR NOT HAVE_IBUF_DATA)
+	list(APPEND SRCS ${IKED_COMPAT}/ibuf-compat.c)
+endif()
 
 set(CFLAGS)
 list(APPEND CFLAGS

compat/arc4random.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: arc4random.c,v 1.55 2019/03/24 17:56:54 deraadt Exp $	*/
+/*	$OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $	*/
 
 /*
  * Copyright (c) 1996, David Mazieres <[email protected]>
@@ -49,6 +49,8 @@
 #define BLOCKSZ	64
 #define RSBUFSZ	(16*BLOCKSZ)
 
+#define REKEY_BASE	(1024*1024) /* NB. should be a power of 2 */
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct _rs {
 	size_t		rs_have;	/* valid bytes at end of rs_buf */
@@ -78,14 +80,15 @@ _rs_init(u_char *buf, size_t n)
 			_exit(1);
 	}
 
-	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
+	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
 	chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
 }
 
 static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];
+	uint32_t rekey_fuzz = 0;
 
 	if (getentropy(rnd, sizeof rnd) == -1)
 		_getentropy_fail();
@@ -100,7 +103,10 @@ _rs_stir(void)
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
-	rs->rs_count = 1600000;
+	/* rekey interval should not be predictable */
+	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 
 static inline void

compat/chacha_private.h

@@ -4,7 +4,7 @@ D. J. Bernstein
 Public domain.
 */
 
-/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
 
 typedef unsigned char u8;
 typedef unsigned int u32;
@@ -52,7 +52,7 @@ static const char sigma[16] = "expand 32-byte k";
 static const char tau[16] = "expand 16-byte k";
 
 static void
-chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
 {
   const char *constants;
 

compat/ffs.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ffs.c,v 1.9 2014/06/10 04:16:57 deraadt Exp $	*/
+/*	$OpenBSD: ffs.c,v 1.10 2018/01/18 08:23:44 guenther Exp $	*/
 
 /*
  * Public domain.

compat/getopt.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: getopt.h,v 1.2 2008/06/26 05:42:04 ray Exp $	*/
+/*	$OpenBSD: getopt.h,v 1.3 2013/11/22 21:32:49 millert Exp $	*/
 /*	$NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $	*/
 
 /*-
@@ -34,7 +34,7 @@
 #define _GETOPT_H_
 
 /*
- * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
+ * GNU-like getopt_long()
  */
 #define no_argument        0
 #define required_argument  1
@@ -61,14 +61,12 @@ int	 getopt_long_only(int, char * const *, const char *,
 #ifndef _GETOPT_DEFINED_
 #define _GETOPT_DEFINED_
 int	 getopt(int, char * const *, const char *);
-int	 getsubopt(char **, char * const *, char **);
 
 extern   char *optarg;                  /* getopt(3) external variables */
 extern   int opterr;
 extern   int optind;
 extern   int optopt;
 extern   int optreset;
-extern   char *suboptarg;               /* getsubopt(3) external variable */
 #endif
 
 #endif /* !_GETOPT_H_ */

compat/getopt_long.c

@@ -1,8 +1,8 @@
-/*	$OpenBSD: getopt_long.c,v 1.25 2011/03/05 22:10:11 guenther Exp $	*/
+/*	$OpenBSD: getopt_long.c,v 1.32 2020/05/27 22:25:09 schwarze Exp $	*/
 /*	$NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $	*/
 
 /*
- * Copyright (c) 2002 Todd C. Miller <[email protected]>
+ * Copyright (c) 2002 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -55,11 +55,10 @@
 #if !defined(HAVE_GETOPT)
 
 #include <err.h>
-#include <getopt.h>
 #include <errno.h>
+#include <getopt.h>
 #include <stdlib.h>
 #include <string.h>
-#include <stdarg.h>
 
 int	opterr = 1;		/* if error message should be printed */
 int	optind = 1;		/* index into parent argv vector */
@@ -83,7 +82,7 @@ char    *optarg;		/* argument associated with option */
 static int getopt_internal(int, char * const *, const char *,
 			   const struct option *, int *, int);
 static int parse_long_options(char * const *, const char *,
-			      const struct option *, int *, int);
+			      const struct option *, int *, int, int);
 static int gcd(int, int);
 static void permute_args(int, int, int, char * const *);
 
@@ -148,9 +147,7 @@ permute_args(int panonopt_start, int panonopt_end, int opt_end,
 			else
 				pos += nopts;
 			swap = nargv[pos];
-			/* LINTED const cast */
-			((char **) nargv)[pos] = nargv[cstart];
-			/* LINTED const cast */
+			((char **)nargv)[pos] = nargv[cstart];
 			((char **)nargv)[cstart] = swap;
 		}
 	}
@@ -163,14 +160,16 @@ permute_args(int panonopt_start, int panonopt_end, int opt_end,
  */
 static int
 parse_long_options(char * const *nargv, const char *options,
-	const struct option *long_options, int *idx, int short_too)
+	const struct option *long_options, int *idx, int short_too, int flags)
 {
 	char *current_argv, *has_equal;
 	size_t current_argv_len;
-	int i, match;
+	int i, match, exact_match, second_partial_match;
 
 	current_argv = place;
 	match = -1;
+	exact_match = 0;
+	second_partial_match = 0;
 
 	optind++;
 
@@ -190,6 +189,7 @@ parse_long_options(char * const *nargv, const char *options,
 		if (strlen(long_options[i].name) == current_argv_len) {
 			/* exact match */
 			match = i;
+			exact_match = 1;
 			break;
 		}
 		/*
@@ -199,16 +199,20 @@ parse_long_options(char * const *nargv, const char *options,
 		if (short_too && current_argv_len == 1)
 			continue;
 
-		if (match == -1)	/* partial match */
+		if (match == -1)	/* first partial match */
 			match = i;
-		else {
-			/* ambiguous abbreviation */
-			if (PRINT_ERROR)
-				warnx(ambig, (int)current_argv_len,
-				     current_argv);
-			optopt = 0;
-			return (BADCH);
-		}
+		else if ((flags & FLAG_LONGONLY) ||
+		    long_options[i].has_arg != long_options[match].has_arg ||
+		    long_options[i].flag != long_options[match].flag ||
+		    long_options[i].val != long_options[match].val)
+			second_partial_match = 1;
+	}
+	if (!exact_match && second_partial_match) {
+		/* ambiguous abbreviation */
+		if (PRINT_ERROR)
+			warnx(ambig, (int)current_argv_len, current_argv);
+		optopt = 0;
+		return (BADCH);
 	}
 	if (match != -1) {		/* option found */
 		if (long_options[match].has_arg == no_argument
@@ -404,23 +408,15 @@ getopt_internal(int nargc, char * const *nargv, const char *options,
 			short_too = 1;		/* could be short option too */
 
 		optchar = parse_long_options(nargv, options, long_options,
-		    idx, short_too);
+		    idx, short_too, flags);
 		if (optchar != -1) {
 			place = EMSG;
 			return (optchar);
 		}
 	}
 
 	if ((optchar = (int)*place++) == (int)':' ||
-	    (optchar == (int)'-' && *place != '\0') ||
 	    (oli = strchr(options, optchar)) == NULL) {
-		/*
-		 * If the user specified "-" and  '-' isn't listed in
-		 * options, return -1 (non-option) as per POSIX.
-		 * Otherwise, it is an unknown option character (or ':').
-		 */
-		if (optchar == (int)'-' && *place == '\0')
-			return (-1);
 		if (!*place)
 			++optind;
 		if (PRINT_ERROR)
@@ -441,7 +437,7 @@ getopt_internal(int nargc, char * const *nargv, const char *options,
 		} else				/* white space */
 			place = nargv[optind];
 		optchar = parse_long_options(nargv, options, long_options,
-		    idx, 0);
+		    idx, 0, flags);
 		place = EMSG;
 		return (optchar);
 	}
@@ -472,8 +468,6 @@ getopt_internal(int nargc, char * const *nargv, const char *options,
 /*
  * getopt --
  *	Parse argc/argv argument vector.
- *
- * [eventually this will replace the BSD getopt]
  */
 int
 getopt(int nargc, char * const *nargv, const char *options)