From 3110dbb17da5aa0aa1cd1d56e04db576685f4500 Mon Sep 17 00:00:00 2001 From: purplerain Date: Wed, 17 Jul 2024 03:16:37 +0000 Subject: [PATCH] sync with OpenBSD -current --- bin/ed/ed.h | 6 +-- bin/ed/io.c | 10 +++- bin/ed/main.c | 25 ++++------ distrib/sets/lists/base/mi | 2 + distrib/sets/lists/man/mi | 2 + lib/libssl/man/SSL_CIPHER_get_name.3 | 6 +-- lib/libssl/s3_lib.c | 72 ++++++++++++++-------------- lib/libssl/ssl_ciph.c | 17 +------ lib/libssl/ssl_local.h | 13 +---- regress/lib/libssl/unit/tls_prf.c | 27 +---------- usr.sbin/radiusd/eap2mschap_local.h | 6 ++- 11 files changed, 71 insertions(+), 115 deletions(-) diff --git a/bin/ed/ed.h b/bin/ed/ed.h index 12d7e3d54..49de28811 100644 --- a/bin/ed/ed.h +++ b/bin/ed/ed.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ed.h,v 1.22 2016/03/27 00:43:38 mmcc Exp $ */ +/* $OpenBSD: ed.h,v 1.23 2024/07/16 05:01:10 deraadt Exp $ */ /* $NetBSD: ed.h,v 1.23 1995/03/21 09:04:40 cgd Exp $ */ /* ed.h: type and constant definitions for the ed editor. */ @@ -88,8 +88,6 @@ typedef struct undo { #define SPL0() \ do { \ if (--mutex == 0) { \ - if (sighup) \ - handle_hup(SIGHUP); \ if (sigint) \ handle_int(SIGINT); \ } \ @@ -160,7 +158,7 @@ char *get_extended_line(int *, int); int get_line_node_addr(line_t *); char *get_sbuf_line(line_t *); int get_tty_line(void); -void handle_hup(int); +void handle_hup(void); void handle_int(int); int has_trailing_escape(char *, char *); void init_buffers(void); diff --git a/bin/ed/io.c b/bin/ed/io.c index fe0b9394d..379d466df 100644 --- a/bin/ed/io.c +++ b/bin/ed/io.c @@ -1,4 +1,4 @@ -/* $OpenBSD: io.c,v 1.25 2022/11/18 14:52:03 millert Exp $ */ +/* $OpenBSD: io.c,v 1.26 2024/07/16 05:01:10 deraadt Exp $ */ /* $NetBSD: io.c,v 1.2 1995/03/21 09:04:43 cgd Exp $ */ /* io.c: This file contains the i/o routines for the ed line editor */ @@ -30,6 +30,7 @@ #include #include +#include #include #include #include @@ -261,7 +262,9 @@ get_tty_line(void) int i = 0; int c; - for (;;) + for (;;) { + if (sighup) + handle_hup(); switch (c = getchar()) { default: oi = 0; @@ -274,6 +277,8 @@ get_tty_line(void) ibufp = ibuf; return i; case EOF: + if (sighup) + handle_hup(); if (ferror(stdin)) { perror("stdin"); seterrmsg("cannot read stdin"); @@ -291,6 +296,7 @@ get_tty_line(void) return i; } } + } } diff --git a/bin/ed/main.c b/bin/ed/main.c index 4035bfb6a..8d7302341 100644 --- a/bin/ed/main.c +++ b/bin/ed/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.68 2022/11/18 14:52:03 millert Exp $ */ +/* $OpenBSD: main.c,v 1.69 2024/07/16 05:01:10 deraadt Exp $ */ /* $NetBSD: main.c,v 1.3 1995/03/21 09:04:44 cgd Exp $ */ /* main.c: This file contains the main control and user-interface routines @@ -44,6 +44,7 @@ #include #include #include +#include #include #include @@ -180,6 +181,7 @@ top: signal(SIGWINCH, handle_winch); } signal(SIGHUP, signal_hup); + siginterrupt(SIGHUP, 1); signal(SIGQUIT, SIG_IGN); signal(SIGINT, signal_int); if (sigsetjmp(env, 1)) { @@ -1327,45 +1329,34 @@ strip_escapes(char *s) void signal_hup(int signo) { - int save_errno = errno; - - if (mutex) - sighup = 1; - else - handle_hup(signo); - errno = save_errno; + sighup = 1; } void signal_int(int signo) { - int save_errno = errno; - if (mutex) sigint = 1; else - handle_int(signo); - errno = save_errno; + handle_int(signo); /* XXX quite unsafe */ } void -handle_hup(int signo) +handle_hup(void) { char hup[PATH_MAX]; - if (!sigactive) - quit(1); /* XXX signal race */ + signal(SIGHUP, SIG_IGN); sighup = 0; - /* XXX signal race */ if (addr_last && write_file("ed.hup", "w", 1, addr_last) < 0 && home != NULL && home[0] == '/') { if (strlcpy(hup, home, sizeof(hup)) < sizeof(hup) && strlcat(hup, "/ed.hup", sizeof(hup)) < sizeof(hup)) write_file(hup, "w", 1, addr_last); } - _exit(2); + exit(2); } diff --git a/distrib/sets/lists/base/mi b/distrib/sets/lists/base/mi index 242dacbad..45a9467e8 100644 --- a/distrib/sets/lists/base/mi +++ b/distrib/sets/lists/base/mi @@ -2510,6 +2510,8 @@ ./usr/libexec/ntalkd ./usr/libexec/radiusd ./usr/libexec/radiusd/radiusd_bsdauth +./usr/libexec/radiusd/radiusd_eap2mschap +./usr/libexec/radiusd/radiusd_file ./usr/libexec/radiusd/radiusd_ipcp ./usr/libexec/radiusd/radiusd_radius ./usr/libexec/radiusd/radiusd_standard diff --git a/distrib/sets/lists/man/mi b/distrib/sets/lists/man/mi index 4eac1a62b..c250568ce 100644 --- a/distrib/sets/lists/man/mi +++ b/distrib/sets/lists/man/mi @@ -2615,6 +2615,8 @@ ./usr/share/man/man8/radiusctl.8 ./usr/share/man/man8/radiusd.8 ./usr/share/man/man8/radiusd_bsdauth.8 +./usr/share/man/man8/radiusd_eap2mschap.8 +./usr/share/man/man8/radiusd_file.8 ./usr/share/man/man8/radiusd_ipcp.8 ./usr/share/man/man8/radiusd_radius.8 ./usr/share/man/man8/radiusd_standard.8 diff --git a/lib/libssl/man/SSL_CIPHER_get_name.3 b/lib/libssl/man/SSL_CIPHER_get_name.3 index 60ef60cff..86c1d3c0b 100644 --- a/lib/libssl/man/SSL_CIPHER_get_name.3 +++ b/lib/libssl/man/SSL_CIPHER_get_name.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.16 2024/07/15 00:11:59 jsg Exp $ +.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" @@ -52,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 15 2024 $ +.Dd $Mdocdate: July 16 2024 $ .Dt SSL_CIPHER_GET_NAME 3 .Os .Sh NAME @@ -388,7 +388,7 @@ first appeared in OpenSSL 1.1.0 and has been available since .Ox 7.0 . .Fn SSL_CIPHER_get_handshake_digest first appeared in OpenSSL 1.1.1 and has been available since -.Ox 7.5 . +.Ox 7.6 . .Sh BUGS If .Fn SSL_CIPHER_description diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 1c1906d9e..5fc42ca20 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.253 2024/07/15 14:45:15 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -183,7 +183,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_MD5, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -199,7 +199,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -215,7 +215,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_MD5, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -231,7 +231,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -247,7 +247,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -267,7 +267,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -283,7 +283,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_MD5, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -299,7 +299,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_SSLV3, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -319,7 +319,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -335,7 +335,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -351,7 +351,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -367,7 +367,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -383,7 +383,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -399,7 +399,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -467,7 +467,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -483,7 +483,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -499,7 +499,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -584,7 +584,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -600,7 +600,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -616,7 +616,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -887,7 +887,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -903,7 +903,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -919,7 +919,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -935,7 +935,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -951,7 +951,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -967,7 +967,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -983,7 +983,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -999,7 +999,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -1015,7 +1015,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -1031,7 +1031,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -1047,7 +1047,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 0, .alg_bits = 0, }, @@ -1063,7 +1063,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -1079,7 +1079,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_MEDIUM, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 112, .alg_bits = 168, }, @@ -1095,7 +1095,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -1111,7 +1111,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_SHA1, .algorithm_ssl = SSL_TLSV1, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, .strength_bits = 256, .alg_bits = 256, }, diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 13790c56b..246d64e7d 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -515,24 +515,12 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead) int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) { - unsigned long handshake_mac; - *md = NULL; if (s->s3->hs.cipher == NULL) return 0; - handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK; - - /* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */ - /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ - if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT) - handshake_mac = SSL_HANDSHAKE_MAC_SHA256; - - switch (handshake_mac) { - case SSL_HANDSHAKE_MAC_DEFAULT: - *md = EVP_md5_sha1(); - return 1; + switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { case SSL_HANDSHAKE_MAC_SHA256: *md = EVP_sha256(); return 1; @@ -1629,7 +1617,6 @@ const EVP_MD * SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) { switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { - case SSL_HANDSHAKE_MAC_DEFAULT: case SSL_HANDSHAKE_MAC_SHA256: return EVP_sha256(); case SSL_HANDSHAKE_MAC_SHA384: diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h index 74c6ad33e..c002c9b34 100644 --- a/lib/libssl/ssl_local.h +++ b/lib/libssl/ssl_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_local.h,v 1.18 2024/07/15 14:45:15 jsing Exp $ */ +/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -246,11 +246,8 @@ __BEGIN_HIDDEN_DECLS /* Bits for algorithm2 (handshake digests and other extra flags) */ #define SSL_HANDSHAKE_MAC_MASK 0xff0 -#define SSL_HANDSHAKE_MAC_MD5 0x010 -#define SSL_HANDSHAKE_MAC_SHA 0x020 #define SSL_HANDSHAKE_MAC_SHA256 0x080 #define SSL_HANDSHAKE_MAC_SHA384 0x100 -#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) #define SSL3_CK_ID 0x03000000 #define SSL3_CK_VALUE_MASK 0x0000ffff @@ -274,10 +271,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_USE_SIGALGS(s) \ (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS) -/* See if we use SHA256 default PRF. */ -#define SSL_USE_SHA256_PRF(s) \ - (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF) - /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_USE_TLS1_2_CIPHERS(s) \ (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) @@ -1188,9 +1181,6 @@ typedef struct ssl3_state_st { /* Uses signature algorithms extension. */ #define SSL_ENC_FLAG_SIGALGS (1 << 1) -/* Uses SHA256 default PRF. */ -#define SSL_ENC_FLAG_SHA256_PRF (1 << 2) - /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) @@ -1200,7 +1190,6 @@ typedef struct ssl3_state_st { #define TLSV1_ENC_FLAGS 0 #define TLSV1_1_ENC_FLAGS 0 #define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ - SSL_ENC_FLAG_SHA256_PRF | \ SSL_ENC_FLAG_TLS1_2_CIPHERS) #define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ SSL_ENC_FLAG_TLS1_3_CIPHERS) diff --git a/regress/lib/libssl/unit/tls_prf.c b/regress/lib/libssl/unit/tls_prf.c index ea753f46f..8cb17cb05 100644 --- a/regress/lib/libssl/unit/tls_prf.c +++ b/regress/lib/libssl/unit/tls_prf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_prf.c,v 1.10 2024/06/05 04:50:36 tb Exp $ */ +/* $OpenBSD: tls_prf.c,v 1.11 2024/07/16 14:38:59 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -35,30 +35,7 @@ struct tls_prf_test { static const struct tls_prf_test tls_prf_tests[] = { { - .desc = "MD5+SHA1", - .ssl_method = TLSv1_method, - .cipher_value = 0x0033, - .out = { - 0x03, 0xa1, 0xc1, 0x7d, 0x2c, 0xa5, 0x3d, 0xe8, - 0x9d, 0x59, 0x5e, 0x30, 0xf5, 0x71, 0xbb, 0x96, - 0xde, 0x5c, 0x8e, 0xdc, 0x25, 0x8a, 0x7c, 0x05, - 0x9f, 0x7d, 0x35, 0x29, 0x45, 0xae, 0x56, 0xad, - 0x9f, 0x57, 0x15, 0x5c, 0xdb, 0x83, 0x3a, 0xac, - 0x19, 0xa8, 0x2b, 0x40, 0x72, 0x38, 0x1e, 0xed, - 0xf3, 0x25, 0xde, 0x84, 0x84, 0xd8, 0xd1, 0xfc, - 0x31, 0x85, 0x81, 0x12, 0x55, 0x4d, 0x12, 0xb5, - 0xed, 0x78, 0x5e, 0xba, 0xc8, 0xec, 0x8d, 0x28, - 0xa1, 0x21, 0x1e, 0x6e, 0x07, 0xf1, 0xfc, 0xf5, - 0xbf, 0xe4, 0x8e, 0x8e, 0x97, 0x15, 0x93, 0x85, - 0x75, 0xdd, 0x87, 0x09, 0xd0, 0x4e, 0xe5, 0xd5, - 0x9e, 0x1f, 0xd6, 0x1c, 0x3b, 0xe9, 0xad, 0xba, - 0xe0, 0x16, 0x56, 0x62, 0x90, 0xd6, 0x82, 0x84, - 0xec, 0x8a, 0x22, 0xbe, 0xdc, 0x6a, 0x5e, 0x05, - 0x12, 0x44, 0xec, 0x60, 0x61, 0xd1, 0x8a, 0x66, - }, - }, - { - .desc = "SHA256 (via TLSv1.2)", + .desc = "SHA256", .ssl_method = TLSv1_2_method, .cipher_value = 0x0033, .out = { diff --git a/usr.sbin/radiusd/eap2mschap_local.h b/usr.sbin/radiusd/eap2mschap_local.h index ff761f275..b3d523d92 100644 --- a/usr.sbin/radiusd/eap2mschap_local.h +++ b/usr.sbin/radiusd/eap2mschap_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: eap2mschap_local.h,v 1.1 2024/07/14 16:09:23 yasuoka Exp $ */ +/* $OpenBSD: eap2mschap_local.h,v 1.2 2024/07/16 06:18:20 miod Exp $ */ /* * Copyright (c) 2024 Internet Initiative Japan Inc. @@ -70,9 +70,11 @@ struct eap_mschap_challenge { uint8_t chall[16]; char chap_name[0]; } __packed; +#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L static_assert(sizeof(struct eap_mschap_challenge) == 26, ""); static_assert(offsetof(struct eap_mschap_challenge, chap) == 5, ""); static_assert(offsetof(struct eap_mschap_challenge, chall) == 10, ""); +#endif struct eap_mschap_response { struct eap eap; @@ -85,9 +87,11 @@ struct eap_mschap_response { uint8_t flags; uint8_t chap_name[0]; } __packed; +#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L static_assert(sizeof(struct eap_mschap_response) == 59, ""); static_assert(offsetof(struct eap_mschap_response, chap) == 5, ""); static_assert(offsetof(struct eap_mschap_response, peerchall) == 10, ""); +#endif struct radius_ms_chap2_response { uint8_t ident;