SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync with OpenBSD -current

Browse source
This commit is contained in:
purplerain 2024-07-20 14:53:57 +00:00
parent d1109c2ac1
commit 2682037f04
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
26 changed files with 199 additions and 165 deletions
Download patch file Download diff file Expand all files Collapse all files

1
distrib/sets/lists/comp/md.armv7
View file

@ -68,6 +68,7 @@
./usr/include/armv7/cpufunc.h
./usr/include/armv7/db_machdep.h
./usr/include/armv7/disklabel.h
./usr/include/armv7/elf.h
./usr/include/armv7/endian.h
./usr/include/armv7/exec.h
./usr/include/armv7/fdt.h

6
lib/libssl/d1_pkt.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: d1_pkt.c,v 1.128 2023/07/02 20:16:47 tb Exp $ */
/* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@ -596,7 +596,7 @@ dtls1_read_handshake_unexpected(SSL *s)
* It should be impossible to hit this, but keep the safety
* harness for now...
*/
if (s->session == NULL || s->session->cipher == NULL)
if (s->session == NULL || s->s3->hs.cipher == NULL)
return 1;
/*
@ -650,7 +650,7 @@ dtls1_read_handshake_unexpected(SSL *s)
return -1;
}
if (s->session == NULL || s->session->cipher == NULL) {
if (s->session == NULL || s->s3->hs.cipher == NULL) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
return -1;
}

6
lib/libssl/s3_lib.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -1478,6 +1478,8 @@ ssl3_free(SSL *s)
tls_buffer_free(s->s3->handshake_fragment);
freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
@ -1522,6 +1524,8 @@ ssl3_clear(SSL *s)
s->s3->hs.sigalgs = NULL;
s->s3->hs.sigalgs_len = 0;
sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
s->s3->hs.client_ciphers = NULL;
sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
s->s3->hs.peer_certs = NULL;
sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);

12
lib/libssl/ssl_asn1.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_asn1.c,v 1.67 2023/07/08 16:40:13 beck Exp $ */
/* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */
/*
* Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
*
@ -70,10 +70,7 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
goto err;
/* Cipher suite ID. */
/* XXX - require cipher to be non-NULL or always/only use cipher_id. */
cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK);
if (s->cipher != NULL)
cid = ssl3_cipher_get_value(s->cipher);
if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
goto err;
if (!CBB_add_u16(&cipher_suite, cid))
@ -196,7 +193,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len)
if (ss == NULL)
return 0;
if (ss->cipher == NULL && ss->cipher_id == 0)
if (ss->cipher_id == 0)
return 0;
return SSL_SESSION_encode(ss, out, out_len, 1);
@ -212,7 +209,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp)
if (ss == NULL)
return 0;
if (ss->cipher == NULL && ss->cipher_id == 0)
if (ss->cipher_id == 0)
return 0;
if (!SSL_SESSION_encode(ss, &data, &data_len, 0))
@ -287,9 +284,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
goto err;
if (CBS_len(&cipher_suite) != 0)
goto err;
/* XXX - populate cipher instead? */
s->cipher = NULL;
s->cipher_id = SSL3_CK_ID | cipher_value;
/* Session ID. */

32
lib/libssl/ssl_ciph.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */
/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -408,25 +408,27 @@ static const SSL_CIPHER cipher_aliases[] = {
};
int
ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc, const EVP_MD **md,
int *mac_pkey_type, int *mac_secret_size)
{
const SSL_CIPHER *cipher;
*enc = NULL;
*md = NULL;
*mac_pkey_type = NID_undef;
*mac_secret_size = 0;
if (ss->cipher == NULL)
if ((cipher = s->s3->hs.cipher) == NULL)
return 0;
/*
* This function does not handle EVP_AEAD.
* See ssl_cipher_get_evp_aead instead.
*/
if (ss->cipher->algorithm_mac & SSL_AEAD)
if (cipher->algorithm_mac & SSL_AEAD)
return 0;
switch (ss->cipher->algorithm_enc) {
switch (cipher->algorithm_enc) {
case SSL_3DES:
*enc = EVP_des_ede3_cbc();
break;
@ -450,7 +452,7 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
break;
}
switch (ss->cipher->algorithm_mac) {
switch (cipher->algorithm_mac) {
case SSL_MD5:
*md = EVP_md5();
break;
@ -487,16 +489,18 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
* for s->cipher. It returns 1 on success and 0 on error.
*/
int
ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead)
{
const SSL_CIPHER *cipher;
*aead = NULL;
if (ss->cipher == NULL)
if ((cipher = s->s3->hs.cipher) == NULL)
return 0;
if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
if ((cipher->algorithm_mac & SSL_AEAD) == 0)
return 0;
switch (ss->cipher->algorithm_enc) {
switch (cipher->algorithm_enc) {
case SSL_AES128GCM:
*aead = EVP_aead_aes_128_gcm();
return 1;
@ -515,12 +519,14 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
int
ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
{
const SSL_CIPHER *cipher;
*md = NULL;
if (s->s3->hs.cipher == NULL)
if ((cipher = s->s3->hs.cipher) == NULL)
return 0;
switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
switch (cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
case SSL_HANDSHAKE_MAC_SHA256:
*md = EVP_sha256();
return 1;

16
lib/libssl/ssl_clnt.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_clnt.c,v 1.165 2024/02/03 18:03:49 tb Exp $ */
/* $OpenBSD: ssl_clnt.c,v 1.167 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -481,7 +481,7 @@ ssl3_connect(SSL *s)
s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
s->init_num = 0;
s->session->cipher = s->s3->hs.cipher;
s->session->cipher_id = s->s3->hs.cipher->id;
if (!tls1_setup_key_block(s)) {
ret = -1;
@ -941,8 +941,13 @@ ssl3_get_server_hello(SSL *s)
}
s->session->master_key_length = master_key_length;
if ((s->session->cipher = pref_cipher) == NULL)
s->session->cipher =
/*
* XXX - this appears to be completely broken. The
* client cannot change the cipher at this stage,
* as the server has already made a selection.
*/
if ((s->s3->hs.cipher = pref_cipher) == NULL)
s->s3->hs.cipher =
ssl3_get_cipher_by_value(cipher_suite);
s->s3->flags |= SSL3_FLAGS_CCS_OK;
}
@ -1011,14 +1016,13 @@ ssl3_get_server_hello(SSL *s)
* and/or cipher_id values may not be set. Make sure that
* cipher_id is set and use it for comparison.
*/
if (s->session->cipher)
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != cipher->id)) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
goto fatal_err;
}
s->s3->hs.cipher = cipher;
s->session->cipher_id = cipher->id;
if (!tls1_transcript_hash_init(s))
goto err;

15
lib/libssl/ssl_lib.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -1528,9 +1528,9 @@ LSSL_ALIAS(SSL_get_ciphers);
STACK_OF(SSL_CIPHER) *
SSL_get_client_ciphers(const SSL *s)
{
if (s == NULL || s->session == NULL || !s->server)
if (s == NULL || !s->server)
return NULL;
return s->session->ciphers;
return s->s3->hs.client_ciphers;
}
LSSL_ALIAS(SSL_get_client_ciphers);
@ -1713,10 +1713,10 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
char *end;
int i;
if (!s->server || s->session == NULL || len < 2)
if (!s->server || len < 2)
return NULL;
if ((client_ciphers = s->session->ciphers) == NULL)
if ((client_ciphers = s->s3->hs.client_ciphers) == NULL)
return NULL;
if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
return NULL;
@ -3073,11 +3073,10 @@ LSSL_ALIAS(SSL_get_privatekey);
const SSL_CIPHER *
SSL_get_current_cipher(const SSL *s)
{
if ((s->session != NULL) && (s->session->cipher != NULL))
return (s->session->cipher);
return (NULL);
return s->s3->hs.cipher;
}
LSSL_ALIAS(SSL_get_current_cipher);
const void *
SSL_get_current_compression(SSL *s)
{

12
lib/libssl/ssl_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
/* $OpenBSD: ssl_local.h,v 1.21 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -438,13 +438,10 @@ struct ssl_session_st {
time_t time;
int references;
const SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
char *tlsext_hostname;
/* Session resumption - RFC 5077 and RFC 8446. */
@ -568,6 +565,9 @@ typedef struct ssl_handshake_st {
/* Cipher being negotiated in this handshake. */
const SSL_CIPHER *cipher;
/* Ciphers sent by the client. */
STACK_OF(SSL_CIPHER) *client_ciphers;
/* Extensions seen in this handshake. */
uint32_t extensions_seen;
@ -1266,9 +1266,9 @@ int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
STACK_OF(SSL_CIPHER) *cipherlist_tls13,
STACK_OF(SSL_CIPHER) **out_cipherlist);
void ssl_update_cache(SSL *s, int mode);
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
int ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
int ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead);
int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);

9
lib/libssl/ssl_pkt.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */
/* $OpenBSD: ssl_pkt.c,v 1.67 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -904,7 +904,7 @@ ssl3_read_handshake_unexpected(SSL *s)
* It should be impossible to hit this, but keep the safety
* harness for now...
*/
if (s->session == NULL || s->session->cipher == NULL)
if (s->session == NULL || s->s3->hs.cipher == NULL)
return 1;
/*
@ -953,7 +953,7 @@ ssl3_read_handshake_unexpected(SSL *s)
return -1;
}
if (s->session == NULL || s->session->cipher == NULL) {
if (s->session == NULL || s->s3->hs.cipher == NULL) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
return -1;
}
@ -1235,7 +1235,8 @@ ssl3_do_change_cipher_spec(SSL *s)
return (0);
}
s->session->cipher = s->s3->hs.cipher;
s->session->cipher_id = s->s3->hs.cipher->id;
if (!tls1_setup_key_block(s))
return (0);
}

18
lib/libssl/ssl_sess.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_sess.c,v 1.125 2024/03/27 06:47:52 tb Exp $ */
/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -287,14 +287,8 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
copy->time = sess->time;
copy->references = 1;
copy->cipher = sess->cipher;
copy->cipher_id = sess->cipher_id;
if (sess->ciphers != NULL) {
if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
goto err;
}
if (sess->tlsext_hostname != NULL) {
copy->tlsext_hostname = strdup(sess->tlsext_hostname);
if (copy->tlsext_hostname == NULL)
@ -712,12 +706,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert)
goto err;
}
if (sess->cipher == NULL) {
sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id);
if (sess->cipher == NULL)
goto err;
}
if (sess->timeout < (time(NULL) - sess->time)) {
s->session_ctx->stats.sess_timeout++;
if (!ticket_decrypted) {
@ -881,8 +869,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
X509_free(ss->peer_cert);
sk_SSL_CIPHER_free(ss->ciphers);
free(ss->tlsext_hostname);
free(ss->tlsext_tick);
free(ss->tlsext_ecpointformatlist);
@ -998,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version);
const SSL_CIPHER *
SSL_SESSION_get0_cipher(const SSL_SESSION *s)
{
return s->cipher;
return ssl3_get_cipher_by_id(s->cipher_id);
}
LSSL_ALIAS(SSL_SESSION_get0_cipher);

35
lib/libssl/ssl_srvr.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_srvr.c,v 1.161 2024/06/25 14:10:45 jsing Exp $ */
/* $OpenBSD: ssl_srvr.c,v 1.164 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -651,7 +651,7 @@ ssl3_accept(SSL *s)
goto end;
s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
s->init_num = 0;
s->session->cipher = s->s3->hs.cipher;
s->session->cipher_id = s->s3->hs.cipher->id;
if (!tls1_setup_key_block(s)) {
ret = -1;
@ -978,7 +978,7 @@ ssl3_get_client_hello(SSL *s)
/* XXX - CBS_len(&cipher_suites) will always be zero here... */
if (s->hit && CBS_len(&cipher_suites) > 0) {
j = 0;
id = s->session->cipher->id;
id = s->session->cipher_id;
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
c = sk_SSL_CIPHER_value(ciphers, i);
@ -1078,23 +1078,31 @@ ssl3_get_client_hello(SSL *s)
s->hit = 1;
s->session->verify_result = X509_V_OK;
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
/*
* XXX - this allows the callback to use any client cipher and
* completely ignore the server cipher list. We should ensure
* that the pref_cipher is in both the client list and the
* server list.
*/
/* Check if some cipher was preferred by the callback. */
if (pref_cipher == NULL)
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
SSL_get_ciphers(s));
if (pref_cipher == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerror(s, SSL_R_NO_SHARED_CIPHER);
goto fatal_err;
}
s->session->cipher = pref_cipher;
s->s3->hs.cipher = pref_cipher;
/* XXX - why? */
sk_SSL_CIPHER_free(s->cipher_list);
s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);
}
/*
@ -1108,19 +1116,22 @@ ssl3_get_client_hello(SSL *s)
SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
goto fatal_err;
}
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
if ((c = ssl3_choose_cipher(s, s->session->ciphers,
if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
SSL_get_ciphers(s))) == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerror(s, SSL_R_NO_SHARED_CIPHER);
goto fatal_err;
}
s->s3->hs.cipher = c;
s->session->cipher_id = s->s3->hs.cipher->id;
} else {
s->s3->hs.cipher = s->session->cipher;
s->s3->hs.cipher = ssl3_get_cipher_by_id(s->session->cipher_id);
if (s->s3->hs.cipher == NULL)
goto fatal_err;
}
if (!tls1_transcript_hash_init(s))

9
lib/libssl/ssl_txt.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_txt.c,v 1.37 2023/07/08 16:40:13 beck Exp $ */
/* $OpenBSD: ssl_txt.c,v 1.38 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -108,6 +108,7 @@ LSSL_ALIAS(SSL_SESSION_print_fp);
int
SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
{
const SSL_CIPHER *cipher;
size_t i;
int ret = 0;
@ -121,15 +122,15 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
ssl_version_string(x->ssl_version)) <= 0)
goto err;
if (x->cipher == NULL) {
if ((cipher = ssl3_get_cipher_by_id(x->cipher_id)) == NULL) {
if (BIO_printf(bp, " Cipher : %04lX\n",
x->cipher_id & SSL3_CK_VALUE_MASK) <= 0)
goto err;
} else {
const char *cipher_name = "unknown";
if (x->cipher->name != NULL)
cipher_name = x->cipher->name;
if (cipher->name != NULL)
cipher_name = cipher->name;
if (BIO_printf(bp, " Cipher : %s\n", cipher_name) <= 0)
goto err;

18
lib/libssl/t1_enc.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: t1_enc.c,v 1.157 2022/11/26 16:08:56 tb Exp $ */
/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -357,15 +357,17 @@ tls1_setup_key_block(SSL *s)
if (s->s3->hs.tls12.key_block != NULL)
return (1);
if (s->session->cipher &&
(s->session->cipher->algorithm_mac & SSL_AEAD)) {
if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
if (s->s3->hs.cipher == NULL)
return (0);
if ((s->s3->hs.cipher->algorithm_mac & SSL_AEAD) != 0) {
if (!ssl_cipher_get_evp_aead(s, &aead)) {
SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return (0);
}
} else {
/* XXX - mac_type and mac_secret_size are now unused. */
if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
if (!ssl_cipher_get_evp(s, &cipher, &mac_hash,
&mac_type, &mac_secret_size)) {
SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return (0);
@ -395,12 +397,12 @@ tls1_setup_key_block(SSL *s)
*/
s->s3->need_empty_fragments = 1;
if (s->session->cipher != NULL) {
if (s->session->cipher->algorithm_enc == SSL_eNULL)
if (s->s3->hs.cipher != NULL) {
if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
s->s3->need_empty_fragments = 0;
#ifndef OPENSSL_NO_RC4
if (s->session->cipher->algorithm_enc == SSL_RC4)
if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
s->s3->need_empty_fragments = 0;
#endif
}

4
lib/libssl/tls13_client.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
/* $OpenBSD: tls13_client.c,v 1.103 2024/07/20 04:04:23 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@ -347,7 +347,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
&shared_key_len))
goto err;
s->session->cipher = ctx->hs->cipher;
s->session->cipher_id = ctx->hs->cipher->id;
s->session->ssl_version = ctx->hs->tls13.server_version;
if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)

8
lib/libssl/tls13_server.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
/* $OpenBSD: tls13_server.c,v 1.108 2024/07/20 04:04:23 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@ -275,8 +275,8 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
ctx->hs->cipher = cipher;
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
s->s3->hs.client_ciphers = ciphers;
ciphers = NULL;
/* Ensure only the NULL compression method is advertised. */
@ -383,7 +383,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
&shared_key_len))
goto err;
s->session->cipher = ctx->hs->cipher;
s->session->cipher_id = ctx->hs->cipher->id;
if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
goto err;

5
libexec/getty/main.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: main.c,v 1.55 2024/04/28 16:42:53 florian Exp $ */
/* $OpenBSD: main.c,v 1.56 2024/07/19 15:28:51 bluhm Exp $ */
/*-
* Copyright (c) 1980, 1993
@ -172,7 +172,8 @@ main(int argc, char *argv[])
tname = "default";
if (unveil(_PATH_GETTYTAB, "r") == -1) {
if (unveil(_PATH_GETTYTAB, "r") == -1 ||
unveil(_PATH_GETTYTAB ".db", "r") == -1) {
syslog(LOG_ERR, "%s: %m", tname);
exit(1);
}

27
regress/usr.bin/ssh/multiplex.sh
View file

@ -1,4 +1,4 @@
# $OpenBSD: multiplex.sh,v 1.36 2023/03/01 09:29:32 dtucker Exp $
# $OpenBSD: multiplex.sh,v 1.37 2024/07/19 04:33:36 djm Exp $
# Placed in the Public Domain.
CTL=$OBJ/ctl-sock
@ -50,19 +50,20 @@ if [ $? -ne 0 ]; then
fail "environment not found"
fi
for mode in "" "-Oproxy"; do
verbose "test $tid: transfer $mode"
rm -f ${COPY}
trace "ssh transfer over $mode multiplexed connection and check result"
${SSH} $mode -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
verbose "test $tid: transfer"
rm -f ${COPY}
trace "ssh transfer over multiplexed connection and check result"
${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
rm -f ${COPY}
trace "ssh transfer over multiplexed connection and check result"
${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
rm -f ${COPY}
trace "ssh transfer over $mode multiplexed connection and check result"
${SSH} $mode -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
done
rm -f ${COPY}
trace "sftp transfer over multiplexed connection and check result"

6
sys/arch/arm64/arm64/cpu.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: cpu.c,v 1.127 2024/07/17 15:21:59 kettenis Exp $ */
/* $OpenBSD: cpu.c,v 1.128 2024/07/18 17:18:01 kettenis Exp $ */
/*
* Copyright (c) 2016 Dale Rahn <drahn@dalerahn.com>
@ -1035,12 +1035,12 @@ cpu_identify_cleanup(void)
cpu_id_aa64isar0 = value;
/* ID_AA64ISAR1_EL1 */
value = cpu_id_aa64isar1 &= ID_AA64ISAR1_MASK;
value = cpu_id_aa64isar1 & ID_AA64ISAR1_MASK;
value &= ~ID_AA64ISAR1_SPECRES_MASK;
cpu_id_aa64isar1 = value;
/* ID_AA64ISAR2_EL1 */
value = cpu_id_aa64isar2 &= ID_AA64ISAR2_MASK;
value = cpu_id_aa64isar2 & ID_AA64ISAR2_MASK;
value &= ~ID_AA64ISAR2_CLRBHB_MASK;
cpu_id_aa64isar2 = value;

3
sys/dev/usb/uvideo.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: uvideo.c,v 1.220 2024/05/23 03:21:09 jsg Exp $ */
/* $OpenBSD: uvideo.c,v 1.221 2024/07/20 12:34:52 jsg Exp $ */
/*
* Copyright (c) 2008 Robert Nagy <robert@openbsd.org>
@ -177,6 +177,7 @@ usbd_status uvideo_usb_control(struct uvideo_softc *, uint8_t, uint8_t,
#include <sys/namei.h>
#include <sys/proc.h>
#include <sys/vnode.h>
#include <sys/fcntl.h>
void uvideo_dump_desc_all(struct uvideo_softc *);
void uvideo_dump_desc_vc_header(struct uvideo_softc *,

16
sys/netinet/ip_input.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ip_input.c,v 1.399 2024/07/14 18:53:39 bluhm Exp $ */
/* $OpenBSD: ip_input.c,v 1.400 2024/07/19 16:58:31 bluhm Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@ -94,7 +94,7 @@
int ip_forwarding = 0; /* [a] */
int ipmforwarding = 0;
int ipmultipath = 0;
int ip_sendredirects = 1;
int ip_sendredirects = 1; /* [a] */
int ip_dosourceroute = 0;
int ip_defttl = IPDEFTTL;
int ip_mtudisc = 1;
@ -113,13 +113,13 @@ int ip_frags = 0;
const struct sysctl_bounded_args ipctl_vars_unlocked[] = {
{ IPCTL_FORWARDING, &ip_forwarding, 0, 2 },
{ IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 },
};
const struct sysctl_bounded_args ipctl_vars[] = {
#ifdef MROUTING
{ IPCTL_MRTPROTO, &ip_mrtproto, SYSCTL_INT_READONLY },
#endif
{ IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 },
{ IPCTL_DEFTTL, &ip_defttl, 0, 255 },
{ IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 },
{ IPCTL_IPPORT_FIRSTAUTO, &ipport_firstauto, 0, 65535 },
@ -1605,10 +1605,11 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct route *ro, int flags)
* Don't send redirect if we advertise destination's arp address
* as ours (proxy arp).
*/
if ((rt->rt_ifidx == ifp->if_index) &&
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
ip_sendredirects && !ISSET(flags, IP_REDIRECT) &&
if (rt->rt_ifidx == ifp->if_index &&
!ISSET(rt->rt_flags, RTF_DYNAMIC|RTF_MODIFIED) &&
satosin(rt_key(rt))->sin_addr.s_addr != INADDR_ANY &&
!ISSET(flags, IP_REDIRECT) &&
atomic_load_int(&ip_sendredirects) &&
!arpproxy(satosin(rt_key(rt))->sin_addr, rtableid)) {
if ((ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_netmask) ==
ifatoia(rt->rt_ifa)->ia_net) {
@ -1803,6 +1804,7 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
NET_UNLOCK();
return (error);
case IPCTL_FORWARDING:
case IPCTL_SENDREDIRECTS:
return (sysctl_bounded_arr(
ipctl_vars_unlocked, nitems(ipctl_vars_unlocked),
name, namelen, oldp, oldlenp, newp, newlen));

6
sys/netinet/udp_usrreq.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: udp_usrreq.c,v 1.321 2024/07/12 19:50:35 bluhm Exp $ */
/* $OpenBSD: udp_usrreq.c,v 1.322 2024/07/19 15:41:58 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@ -592,7 +592,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
}
KASSERT(sotoinpcb(inp->inp_socket) == inp);
soassertlocked(inp->inp_socket);
soassertlocked_readonly(inp->inp_socket);
#ifdef INET6
if (ip6 && inp->inp_ip6_minhlim &&
@ -1207,7 +1207,7 @@ udp_send(struct socket *so, struct mbuf *m, struct mbuf *addr,
{
struct inpcb *inp = sotoinpcb(so);
soassertlocked(so);
soassertlocked_readonly(so);
#ifdef PIPEX
if (inp->inp_pipex) {

6
sys/netinet6/in6_proto.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: in6_proto.c,v 1.115 2024/07/12 19:50:35 bluhm Exp $ */
/* $OpenBSD: in6_proto.c,v 1.116 2024/07/19 16:58:32 bluhm Exp $ */
/* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */
/*
@ -343,10 +343,10 @@ const struct domain inet6domain = {
/*
* Internet configuration info
*/
int ip6_forwarding = 0; /* no forwarding unless sysctl'd to enable */
int ip6_forwarding = 0; /* [a] no forwarding unless sysctl to enable */
int ip6_mforwarding = 0; /* no multicast forwarding unless ... */
int ip6_multipath = 0; /* no using multipath routes unless ... */
int ip6_sendredirects = 1;
int ip6_sendredirects = 1; /* [a] */
int ip6_defhlim = IPV6_DEFHLIM;
int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS;
int ip6_maxfragpackets = 200;

7
sys/netinet6/ip6_forward.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ip6_forward.c,v 1.123 2024/07/13 10:09:40 bluhm Exp $ */
/* $OpenBSD: ip6_forward.c,v 1.124 2024/07/19 16:58:32 bluhm Exp $ */
/* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
/*
@ -280,8 +280,9 @@ reroute:
goto freecopy;
}
if (rt->rt_ifidx == ifidx &&
ip6_sendredirects && !ISSET(flags, IPV6_REDIRECT) &&
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
!ISSET(rt->rt_flags, RTF_DYNAMIC|RTF_MODIFIED) &&
!ISSET(flags, IPV6_REDIRECT) &&
atomic_load_int(&ip6_sendredirects)) {
if ((ifp->if_flags & IFF_POINTOPOINT) &&
nd6_is_addr_neighbor(&ro->ro_dstsin6, ifp)) {
/*

5
sys/netinet6/ip6_input.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ip6_input.c,v 1.265 2024/07/14 18:53:39 bluhm Exp $ */
/* $OpenBSD: ip6_input.c,v 1.266 2024/07/19 16:58:32 bluhm Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@ -1445,6 +1445,7 @@ extern int ip6_mrtproto;
const struct sysctl_bounded_args ipv6ctl_vars_unlocked[] = {
{ IPV6CTL_FORWARDING, &ip6_forwarding, 0, 2 },
{ IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 },
};
const struct sysctl_bounded_args ipv6ctl_vars[] = {
@ -1452,7 +1453,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
#ifdef MROUTING
{ IPV6CTL_MRTPROTO, &ip6_mrtproto, SYSCTL_INT_READONLY },
#endif
{ IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 },
{ IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 },
{ IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 },
{ IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX },
@ -1572,6 +1572,7 @@ ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
NET_UNLOCK();
return (error);
case IPV6CTL_FORWARDING:
case IPV6CTL_SENDREDIRECTS:
return (sysctl_bounded_arr(
ipv6ctl_vars_unlocked, nitems(ipv6ctl_vars_unlocked),
name, namelen, oldp, oldlenp, newp, newlen));

70
usr.sbin/radiusd/radiusd_file.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_file.c,v 1.3 2024/07/17 10:15:39 yasuoka Exp $ */
/* $OpenBSD: radiusd_file.c,v 1.5 2024/07/18 22:40:09 yasuoka Exp $ */
/*
* Copyright (c) 2024 YASUOKA Masahiko <yasuoka@yasuoka.net>
@ -82,6 +82,8 @@ static void auth_md5chap(struct module_file *, u_int, RADIUS_PACKET *,
char *, struct module_file_userinfo *);
static void auth_mschapv2(struct module_file *, u_int, RADIUS_PACKET *,
char *, struct module_file_userinfo *);
static void auth_reject(struct module_file *, u_int, RADIUS_PACKET *,
char *, struct module_file_userinfo *);
static struct module_handlers module_file_handlers = {
.access_request = module_file_access_request,
@ -100,6 +102,7 @@ main(int argc, char *argv[])
ssize_t n;
size_t datalen;
struct module_file_params *paramsp, params;
char pathdb[PATH_MAX];
while ((ch = getopt(argc, argv, "M")) != -1)
switch (ch) {
@ -122,9 +125,12 @@ main(int argc, char *argv[])
pid = start_child(saved_argv0, pairsock[1]);
/* Privileged process */
if (pledge("stdio rpath unveil", NULL) == -1)
err(EXIT_FAILURE, "pledge");
setproctitle("[priv]");
imsg_init(&ibuf, pairsock[0]);
/* Receive parameters from the main process. */
if (imsg_sync_read(&ibuf, 2000) <= 0 ||
(n = imsg_get(&ibuf, &imsg)) <= 0)
exit(EXIT_FAILURE);
@ -137,7 +143,10 @@ main(int argc, char *argv[])
"message is wrong size");
paramsp = imsg.data;
if (paramsp->path[0] != '\0') {
if (unveil(paramsp->path, "r") == -1)
strlcpy(pathdb, paramsp->path, sizeof(pathdb));
strlcat(pathdb, ".db", sizeof(pathdb));
if (unveil(paramsp->path, "r") == -1 ||
unveil(pathdb, "r") == -1)
err(EXIT_FAILURE, "unveil");
}
if (paramsp->debug)
@ -145,8 +154,6 @@ main(int argc, char *argv[])
if (unveil(NULL, NULL) == -1)
err(EXIT_FAILURE, "unveil");
if (pledge("stdio rpath", NULL) == -1)
err(EXIT_FAILURE, "pledge");
memcpy(&params, paramsp, sizeof(params));
@ -316,6 +323,7 @@ module_file_start(void *ctx)
{
struct module_file *module = ctx;
/* Send parameters to parent */
if (module->params.path[0] == '\0') {
module_send_message(module->base, IMSG_NG,
"`path' is not configured");
@ -344,7 +352,7 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt,
if ((radpkt = radius_convert_packet(pkt, pktlen)) == NULL) {
log_warn("%s: radius_convert_packet()", __func__);
goto on_error;
goto out;
}
radius_get_string_attr(radpkt, RADIUS_TYPE_USER_NAME, username,
sizeof(username));
@ -354,11 +362,11 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt,
imsg_flush(&self->ibuf);
if ((n = imsg_read(&self->ibuf)) == -1 || n == 0) {
log_warn("%s: imsg_read()", __func__);
goto on_error;
goto out;
}
if ((n = imsg_get(&self->ibuf, &imsg)) <= 0) {
log_warn("%s: imsg_get()", __func__);
goto on_error;
goto out;
}
datalen = imsg.hdr.len - IMSG_HEADER_SIZE;
@ -367,24 +375,21 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt,
password[0])) {
log_warn("%s: received IMSG_RADIUSD_FILE_USERINFO is "
"invalid", __func__);
goto on_error;
goto out;
}
ent = imsg.data;
if (radius_has_attr(radpkt, RADIUS_TYPE_USER_PASSWORD))
auth_pap(self, query_id, radpkt, username, ent);
else if (radius_has_attr(radpkt, RADIUS_TYPE_CHAP_PASSWORD))
auth_md5chap(self, query_id, radpkt, username, ent);
else if (radius_has_vs_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_CHAP2_RESPONSE))
auth_mschapv2(self, query_id, radpkt, username, ent);
else
auth_reject(self, query_id, radpkt, username, ent);
} else
goto on_error;
if (radius_has_attr(radpkt, RADIUS_TYPE_USER_PASSWORD))
auth_pap(self, query_id, radpkt, username, ent);
else if (radius_has_attr(radpkt, RADIUS_TYPE_CHAP_PASSWORD))
auth_md5chap(self, query_id, radpkt, username, ent);
else if (radius_has_vs_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
RADIUS_VTYPE_MS_CHAP2_RESPONSE))
auth_mschapv2(self, query_id, radpkt, username, ent);
else {
log_info("q=%u unsupported authentication methods", query_id);
explicit_bzero(ent->password, strlen(ent->password));
}
on_error:
auth_reject(self, query_id, radpkt, username, NULL);
out:
if (radpkt != NULL)
radius_delete_packet(radpkt);
imsg_free(&imsg);
@ -585,3 +590,24 @@ auth_mschapv2(struct module_file *self, u_int q_id, RADIUS_PACKET *radpkt,
if (respkt != NULL)
radius_delete_packet(respkt);
}
void
auth_reject(struct module_file *self, u_int q_id, RADIUS_PACKET *radpkt,
char *username, struct module_file_userinfo *ent)
{
RADIUS_PACKET *respkt = NULL;
if (ent != NULL)
explicit_bzero(ent->password, strlen(ent->password));
log_info("q=%u User `%s' authentication failed", q_id,
username);
if ((respkt = radius_new_response_packet(RADIUS_CODE_ACCESS_REJECT,
radpkt)) == NULL) {
log_warn("%s: radius_new_response_packet()", __func__);
return;
}
module_accsreq_answer(self->base, q_id,
radius_get_data(respkt), radius_get_length(respkt));
radius_delete_packet(respkt);
}

12
usr.sbin/relayd/relay_http.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: relay_http.c,v 1.88 2024/07/08 14:22:09 florian Exp $ */
/* $OpenBSD: relay_http.c,v 1.90 2024/07/20 06:54:15 anton Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@ -436,16 +436,8 @@ relay_read_http(struct bufferevent *bev, void *arg)
desc->http_lastheader);
break;
case HTTP_METHOD_RESPONSE:
/*
* Strip Content-Length header from
* HEAD responses since there is no
* actual payload in the response.
*/
if (request_method == HTTP_METHOD_HEAD) {
kv_delete(&desc->http_headers,
desc->http_lastheader);
if (request_method == HTTP_METHOD_HEAD)
break;
}
/* FALLTHROUGH */
default:
/*