sync with OpenBSD -current

bin/ed/ed.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ed.h,v 1.22 2016/03/27 00:43:38 mmcc Exp $	*/
+/*	$OpenBSD: ed.h,v 1.23 2024/07/16 05:01:10 deraadt Exp $	*/
 /*	$NetBSD: ed.h,v 1.23 1995/03/21 09:04:40 cgd Exp $	*/
 
 /* ed.h: type and constant definitions for the ed editor. */
@@ -88,8 +88,6 @@ typedef struct undo {
 #define SPL0()						\
 	do {						\
 		if (--mutex == 0) {			\
-			if (sighup)			\
-				handle_hup(SIGHUP);	\
 			if (sigint)			\
 				handle_int(SIGINT);	\
 		}					\
@@ -160,7 +158,7 @@ char *get_extended_line(int *, int);
 int get_line_node_addr(line_t *);
 char *get_sbuf_line(line_t *);
 int get_tty_line(void);
-void handle_hup(int);
+void handle_hup(void);
 void handle_int(int);
 int has_trailing_escape(char *, char *);
 void init_buffers(void);

bin/ed/io.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: io.c,v 1.25 2022/11/18 14:52:03 millert Exp $	*/
+/*	$OpenBSD: io.c,v 1.26 2024/07/16 05:01:10 deraadt Exp $	*/
 /*	$NetBSD: io.c,v 1.2 1995/03/21 09:04:43 cgd Exp $	*/
 
 /* io.c: This file contains the i/o routines for the ed line editor */
@@ -30,6 +30,7 @@
 
 #include <regex.h>
 #include <signal.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -261,7 +262,9 @@ get_tty_line(void)
 	int i = 0;
 	int c;
 
-	for (;;)
+	for (;;) {
+		if (sighup)
+			handle_hup();
 		switch (c = getchar()) {
 		default:
 			oi = 0;
@@ -274,6 +277,8 @@ get_tty_line(void)
 			ibufp = ibuf;
 			return i;
 		case EOF:
+			if (sighup)
+				handle_hup();
 			if (ferror(stdin)) {
 				perror("stdin");
 				seterrmsg("cannot read stdin");
@@ -291,6 +296,7 @@ get_tty_line(void)
 				return i;
 			}
 		}
+	}
 }
 
 

bin/ed/main.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.68 2022/11/18 14:52:03 millert Exp $	*/
+/*	$OpenBSD: main.c,v 1.69 2024/07/16 05:01:10 deraadt Exp $	*/
 /*	$NetBSD: main.c,v 1.3 1995/03/21 09:04:44 cgd Exp $	*/
 
 /* main.c: This file contains the main control and user-interface routines
@@ -44,6 +44,7 @@
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
+#include <unistd.h>
 
 #include <ctype.h>
 #include <err.h>
@@ -180,6 +181,7 @@ top:
 		signal(SIGWINCH, handle_winch);
 	}
 	signal(SIGHUP, signal_hup);
+	siginterrupt(SIGHUP, 1);
 	signal(SIGQUIT, SIG_IGN);
 	signal(SIGINT, signal_int);
 	if (sigsetjmp(env, 1)) {
@@ -1327,45 +1329,34 @@ strip_escapes(char *s)
 void
 signal_hup(int signo)
 {
-	int save_errno = errno;
-
-	if (mutex)
 	sighup = 1;
-	else
-		handle_hup(signo);
-	errno = save_errno;
 }
 
 
 void
 signal_int(int signo)
 {
-	int save_errno = errno;
-
 	if (mutex)
 		sigint = 1;
 	else
-		handle_int(signo);
+		handle_int(signo);	/* XXX quite unsafe */
-	errno = save_errno;
 }
 
 
 void
-handle_hup(int signo)
+handle_hup(void)
 {
 	char hup[PATH_MAX];
 
-	if (!sigactive)
+	signal(SIGHUP, SIG_IGN);
-		quit(1);		/* XXX signal race */
 	sighup = 0;
-	/* XXX signal race */
 	if (addr_last && write_file("ed.hup", "w", 1, addr_last) < 0 &&
 	    home != NULL && home[0] == '/') {
 		if (strlcpy(hup, home, sizeof(hup)) < sizeof(hup) &&
 		    strlcat(hup, "/ed.hup", sizeof(hup)) < sizeof(hup))
 			write_file(hup, "w", 1, addr_last);
 	}
-	_exit(2);
+	exit(2);
 }
 
 

distrib/sets/lists/base/mi

@@ -2510,6 +2510,8 @@
 ./usr/libexec/ntalkd
 ./usr/libexec/radiusd
 ./usr/libexec/radiusd/radiusd_bsdauth
+./usr/libexec/radiusd/radiusd_eap2mschap
+./usr/libexec/radiusd/radiusd_file
 ./usr/libexec/radiusd/radiusd_ipcp
 ./usr/libexec/radiusd/radiusd_radius
 ./usr/libexec/radiusd/radiusd_standard

distrib/sets/lists/man/mi

@@ -2615,6 +2615,8 @@
 ./usr/share/man/man8/radiusctl.8
 ./usr/share/man/man8/radiusd.8
 ./usr/share/man/man8/radiusd_bsdauth.8
+./usr/share/man/man8/radiusd_eap2mschap.8
+./usr/share/man/man8/radiusd_file.8
 ./usr/share/man/man8/radiusd_ipcp.8
 ./usr/share/man/man8/radiusd_radius.8
 ./usr/share/man/man8/radiusd_standard.8

lib/libssl/man/SSL_CIPHER_get_name.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.16 2024/07/15 00:11:59 jsg Exp $
+.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 15 2024 $
+.Dd $Mdocdate: July 16 2024 $
 .Dt SSL_CIPHER_GET_NAME 3
 .Os
 .Sh NAME
@@ -388,7 +388,7 @@ first appeared in OpenSSL 1.1.0 and has been available since
 .Ox 7.0 .
 .Fn SSL_CIPHER_get_handshake_digest
 first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.5 .
+.Ox 7.6 .
 .Sh BUGS
 If
 .Fn SSL_CIPHER_description

lib/libssl/s3_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.253 2024/07/15 14:45:15 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -183,7 +183,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_MD5,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_STRONG_NONE,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 0,
 		.alg_bits = 0,
 	},
@@ -199,7 +199,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_STRONG_NONE,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 0,
 		.alg_bits = 0,
 	},
@@ -215,7 +215,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_MD5,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -231,7 +231,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -247,7 +247,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -267,7 +267,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -283,7 +283,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_MD5,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -299,7 +299,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_SSLV3,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -319,7 +319,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -335,7 +335,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -351,7 +351,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -367,7 +367,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -383,7 +383,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -399,7 +399,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -467,7 +467,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -483,7 +483,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -499,7 +499,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -584,7 +584,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -600,7 +600,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -616,7 +616,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -887,7 +887,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_STRONG_NONE,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 0,
 		.alg_bits = 0,
 	},
@@ -903,7 +903,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -919,7 +919,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -935,7 +935,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -951,7 +951,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -967,7 +967,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_STRONG_NONE,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 0,
 		.alg_bits = 0,
 	},
@@ -983,7 +983,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -999,7 +999,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -1015,7 +1015,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -1031,7 +1031,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},
@@ -1047,7 +1047,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_STRONG_NONE,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 0,
 		.alg_bits = 0,
 	},
@@ -1063,7 +1063,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -1079,7 +1079,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 112,
 		.alg_bits = 168,
 	},
@@ -1095,7 +1095,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 128,
 		.alg_bits = 128,
 	},
@@ -1111,7 +1111,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 		.algorithm_mac = SSL_SHA1,
 		.algorithm_ssl = SSL_TLSV1,
 		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
 		.strength_bits = 256,
 		.alg_bits = 256,
 	},

lib/libssl/ssl_ciph.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -515,24 +515,12 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
 int
 ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
 {
-	unsigned long handshake_mac;
-
 	*md = NULL;
 
 	if (s->s3->hs.cipher == NULL)
 		return 0;
 
-	handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK;
+	switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
-
-	/* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */
-	/* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */
-	if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT)
-		handshake_mac = SSL_HANDSHAKE_MAC_SHA256;
-
-	switch (handshake_mac) {
-	case SSL_HANDSHAKE_MAC_DEFAULT:
-		*md = EVP_md5_sha1();
-		return 1;
 	case SSL_HANDSHAKE_MAC_SHA256:
 		*md = EVP_sha256();
 		return 1;
@@ -1629,7 +1617,6 @@ const EVP_MD *
 SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
 {
 	switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
-	case SSL_HANDSHAKE_MAC_DEFAULT:
 	case SSL_HANDSHAKE_MAC_SHA256:
 		return EVP_sha256();
 	case SSL_HANDSHAKE_MAC_SHA384:

lib/libssl/ssl_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.18 2024/07/15 14:45:15 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -246,11 +246,8 @@ __BEGIN_HIDDEN_DECLS
 /* Bits for algorithm2 (handshake digests and other extra flags) */
 
 #define SSL_HANDSHAKE_MAC_MASK		0xff0
-#define SSL_HANDSHAKE_MAC_MD5		0x010
-#define SSL_HANDSHAKE_MAC_SHA		0x020
 #define SSL_HANDSHAKE_MAC_SHA256	0x080
 #define SSL_HANDSHAKE_MAC_SHA384	0x100
-#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
 
 #define SSL3_CK_ID		0x03000000
 #define SSL3_CK_VALUE_MASK	0x0000ffff
@@ -274,10 +271,6 @@ __BEGIN_HIDDEN_DECLS
 #define SSL_USE_SIGALGS(s) \
 	(s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)
 
-/* See if we use SHA256 default PRF. */
-#define SSL_USE_SHA256_PRF(s) \
-	(s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
-
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
 #define SSL_USE_TLS1_2_CIPHERS(s) \
 	(s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
@@ -1188,9 +1181,6 @@ typedef struct ssl3_state_st {
 /* Uses signature algorithms extension. */
 #define SSL_ENC_FLAG_SIGALGS            (1 << 1)
 
-/* Uses SHA256 default PRF. */
-#define SSL_ENC_FLAG_SHA256_PRF         (1 << 2)
-
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
 #define SSL_ENC_FLAG_TLS1_2_CIPHERS     (1 << 4)
 
@@ -1200,7 +1190,6 @@ typedef struct ssl3_state_st {
 #define TLSV1_ENC_FLAGS		0
 #define TLSV1_1_ENC_FLAGS	0
 #define TLSV1_2_ENC_FLAGS	(SSL_ENC_FLAG_SIGALGS		| \
-				 SSL_ENC_FLAG_SHA256_PRF	| \
 				 SSL_ENC_FLAG_TLS1_2_CIPHERS)
 #define TLSV1_3_ENC_FLAGS	(SSL_ENC_FLAG_SIGALGS		| \
 				 SSL_ENC_FLAG_TLS1_3_CIPHERS)

regress/lib/libssl/unit/tls_prf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_prf.c,v 1.10 2024/06/05 04:50:36 tb Exp $ */
+/* $OpenBSD: tls_prf.c,v 1.11 2024/07/16 14:38:59 jsing Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -35,30 +35,7 @@ struct tls_prf_test {
 
 static const struct tls_prf_test tls_prf_tests[] = {
 	{
-		.desc = "MD5+SHA1",
+		.desc = "SHA256",
-		.ssl_method = TLSv1_method,
-		.cipher_value = 0x0033,
-		.out = {
-			0x03, 0xa1, 0xc1, 0x7d, 0x2c, 0xa5, 0x3d, 0xe8,
-			0x9d, 0x59, 0x5e, 0x30, 0xf5, 0x71, 0xbb, 0x96,
-			0xde, 0x5c, 0x8e, 0xdc, 0x25, 0x8a, 0x7c, 0x05,
-			0x9f, 0x7d, 0x35, 0x29, 0x45, 0xae, 0x56, 0xad,
-			0x9f, 0x57, 0x15, 0x5c, 0xdb, 0x83, 0x3a, 0xac,
-			0x19, 0xa8, 0x2b, 0x40, 0x72, 0x38, 0x1e, 0xed,
-			0xf3, 0x25, 0xde, 0x84, 0x84, 0xd8, 0xd1, 0xfc,
-			0x31, 0x85, 0x81, 0x12, 0x55, 0x4d, 0x12, 0xb5,
-			0xed, 0x78, 0x5e, 0xba, 0xc8, 0xec, 0x8d, 0x28,
-			0xa1, 0x21, 0x1e, 0x6e, 0x07, 0xf1, 0xfc, 0xf5,
-			0xbf, 0xe4, 0x8e, 0x8e, 0x97, 0x15, 0x93, 0x85,
-			0x75, 0xdd, 0x87, 0x09, 0xd0, 0x4e, 0xe5, 0xd5,
-			0x9e, 0x1f, 0xd6, 0x1c, 0x3b, 0xe9, 0xad, 0xba,
-			0xe0, 0x16, 0x56, 0x62, 0x90, 0xd6, 0x82, 0x84,
-			0xec, 0x8a, 0x22, 0xbe, 0xdc, 0x6a, 0x5e, 0x05,
-			0x12, 0x44, 0xec, 0x60, 0x61, 0xd1, 0x8a, 0x66,
-		},
-	},
-	{
-		.desc = "SHA256 (via TLSv1.2)",
 		.ssl_method = TLSv1_2_method,
 		.cipher_value = 0x0033,
 		.out = {

usr.sbin/radiusd/eap2mschap_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: eap2mschap_local.h,v 1.1 2024/07/14 16:09:23 yasuoka Exp $	*/
+/*	$OpenBSD: eap2mschap_local.h,v 1.2 2024/07/16 06:18:20 miod Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -70,9 +70,11 @@ struct eap_mschap_challenge {
 	uint8_t		chall[16];
 	char		chap_name[0];
 } __packed;
+#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
 static_assert(sizeof(struct eap_mschap_challenge) == 26, "");
 static_assert(offsetof(struct eap_mschap_challenge, chap) == 5, "");
 static_assert(offsetof(struct eap_mschap_challenge, chall) == 10, "");
+#endif
 
 struct eap_mschap_response {
 	struct eap	eap;
@@ -85,9 +87,11 @@ struct eap_mschap_response {
 	uint8_t		flags;
 	uint8_t		chap_name[0];
 } __packed;
+#if defined(__STDC_VERSION__) && __STDC_VERSION >= 201112L
 static_assert(sizeof(struct eap_mschap_response) == 59, "");
 static_assert(offsetof(struct eap_mschap_response, chap) == 5, "");
 static_assert(offsetof(struct eap_mschap_response, peerchall) == 10, "");
+#endif
 
 struct radius_ms_chap2_response {
 	uint8_t		ident;