diff --git a/distrib/sets/lists/comp/md.armv7 b/distrib/sets/lists/comp/md.armv7
index fea44cf9a..0fee78f66 100644
--- a/distrib/sets/lists/comp/md.armv7
+++ b/distrib/sets/lists/comp/md.armv7
@@ -68,6 +68,7 @@
 ./usr/include/armv7/cpufunc.h
 ./usr/include/armv7/db_machdep.h
 ./usr/include/armv7/disklabel.h
+./usr/include/armv7/elf.h
 ./usr/include/armv7/endian.h
 ./usr/include/armv7/exec.h
 ./usr/include/armv7/fdt.h
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index df9581a3c..cf32ca8cd 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.128 2023/07/02 20:16:47 tb Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -596,7 +596,7 @@ dtls1_read_handshake_unexpected(SSL *s)
 * It should be impossible to hit this, but keep the safety
 * harness for now...
 */
- if (s->session == NULL || s->session->cipher == NULL)
+ if (s->session == NULL || s->s3->hs.cipher == NULL)
 return 1;
 /*
@@ -650,7 +650,7 @@ dtls1_read_handshake_unexpected(SSL *s)
 return -1;
 }
- if (s->session == NULL || s->session->cipher == NULL) {
+ if (s->session == NULL || s->s3->hs.cipher == NULL) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 return -1;
 }
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 5fc42ca20..38e7ba7f1 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.255 2024/07/19 08:54:31 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1478,6 +1478,8 @@ ssl3_free(SSL *s)
 tls_buffer_free(s->s3->handshake_fragment);
 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
+
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
 sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
@@ -1522,6 +1524,8 @@ ssl3_clear(SSL *s)
 s->s3->hs.sigalgs = NULL;
 s->s3->hs.sigalgs_len = 0;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = NULL;
 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 s->s3->hs.peer_certs = NULL;
 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c
index f4552f1c9..ef34cbdb0 100644
--- a/lib/libssl/ssl_asn1.c
+++ b/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.67 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2016 Joel Sing
 *
@@ -70,10 +70,7 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
 goto err;
 /* Cipher suite ID. */
- /* XXX - require cipher to be non-NULL or always/only use cipher_id. */
 cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK);
- if (s->cipher != NULL)
- cid = ssl3_cipher_get_value(s->cipher);
 if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
 goto err;
 if (!CBB_add_u16(&cipher_suite, cid))
@@ -196,7 +193,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len)
 if (ss == NULL)
 return 0;
- if (ss->cipher == NULL && ss->cipher_id == 0)
+ if (ss->cipher_id == 0)
 return 0;
 return SSL_SESSION_encode(ss, out, out_len, 1);
@@ -212,7 +209,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp)
 if (ss == NULL)
 return 0;
- if (ss->cipher == NULL && ss->cipher_id == 0)
+ if (ss->cipher_id == 0)
 return 0;
 if (!SSL_SESSION_encode(ss, &data, &data_len, 0))
@@ -287,9 +284,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
 goto err;
 if (CBS_len(&cipher_suite) != 0)
 goto err;
-
- /* XXX - populate cipher instead? */
- s->cipher = NULL;
 s->cipher_id = SSL3_CK_ID | cipher_value;
 /* Session ID. */
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 246d64e7d..7c3235490 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.145 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -408,25 +408,27 @@ static const SSL_CIPHER cipher_aliases[] = {
 };
 int
-ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
- const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc, const EVP_MD **md,
+ int *mac_pkey_type, int *mac_secret_size)
 {
+ const SSL_CIPHER *cipher;
+
 *enc = NULL;
 *md = NULL;
 *mac_pkey_type = NID_undef;
 *mac_secret_size = 0;
- if (ss->cipher == NULL)
+ if ((cipher = s->s3->hs.cipher) == NULL)
 return 0;
 /*
 * This function does not handle EVP_AEAD.
 * See ssl_cipher_get_evp_aead instead.
 */
- if (ss->cipher->algorithm_mac & SSL_AEAD)
+ if (cipher->algorithm_mac & SSL_AEAD)
 return 0;
- switch (ss->cipher->algorithm_enc) {
+ switch (cipher->algorithm_enc) {
 case SSL_3DES:
 *enc = EVP_des_ede3_cbc();
 break;
@@ -450,7 +452,7 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
 break;
 }
- switch (ss->cipher->algorithm_mac) {
+ switch (cipher->algorithm_mac) {
 case SSL_MD5:
 *md = EVP_md5();
 break;
@@ -487,16 +489,18 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
 * for s->cipher. It returns 1 on success and 0 on error.
 */
 int
-ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
+ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead)
 {
+ const SSL_CIPHER *cipher;
+
 *aead = NULL;
- if (ss->cipher == NULL)
+ if ((cipher = s->s3->hs.cipher) == NULL)
 return 0;
- if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
+ if ((cipher->algorithm_mac & SSL_AEAD) == 0)
 return 0;
- switch (ss->cipher->algorithm_enc) {
+ switch (cipher->algorithm_enc) {
 case SSL_AES128GCM:
 *aead = EVP_aead_aes_128_gcm();
 return 1;
@@ -515,12 +519,14 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
 int
 ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
 {
+ const SSL_CIPHER *cipher;
+
 *md = NULL;
- if (s->s3->hs.cipher == NULL)
+ if ((cipher = s->s3->hs.cipher) == NULL)
 return 0;
- switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
+ switch (cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
 case SSL_HANDSHAKE_MAC_SHA256:
 *md = EVP_sha256();
 return 1;
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 0903f7ea2..8f097833f 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.165 2024/02/03 18:03:49 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.167 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -481,7 +481,7 @@ ssl3_connect(SSL *s)
 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
 s->init_num = 0;
- s->session->cipher = s->s3->hs.cipher;
+ s->session->cipher_id = s->s3->hs.cipher->id;
 if (!tls1_setup_key_block(s)) {
 ret = -1;
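Review bot: The comment block that introduces ssl_cipher_get_evp_aead (its opening lines are above the hunk; the visible tail reads `* for s->cipher. It returns 1 on success and 0 on error.`) still describes the old SSL_SESSION-based contract, while the function now reads `s->s3->hs.cipher`. Suggest rewording that tail to `* for the cipher being negotiated (s->s3->hs.cipher). It returns 1 on` / `* success and 0 on error (no cipher, or not an AEAD cipher).`. Neither this function nor ssl_cipher_get_evp in the @408 hunk writes through `s`, so `const SSL *s` would document that, with the matching change to the two prototypes in ssl_local.h; this is hedged since callers outside the hunk may pass a const pointer either way.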
@@ -941,8 +941,13 @@ ssl3_get_server_hello(SSL *s)
 }
 s->session->master_key_length = master_key_length;
- if ((s->session->cipher = pref_cipher) == NULL)
- s->session->cipher =
+ /*
+ * XXX - this appears to be completely broken. The
+ * client cannot change the cipher at this stage,
+ * as the server has already made a selection.
+ */
+ if ((s->s3->hs.cipher = pref_cipher) == NULL)
+ s->s3->hs.cipher =
 ssl3_get_cipher_by_value(cipher_suite);
 s->s3->flags |= SSL3_FLAGS_CCS_OK;
 }
@@ -1011,14 +1016,13 @@ ssl3_get_server_hello(SSL *s)
 * and/or cipher_id values may not be set. Make sure that
 * cipher_id is set and use it for comparison.
 */
- if (s->session->cipher)
- s->session->cipher_id = s->session->cipher->id;
 if (s->hit && (s->session->cipher_id != cipher->id)) {
 al = SSL_AD_ILLEGAL_PARAMETER;
 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
 goto fatal_err;
 }
 s->s3->hs.cipher = cipher;
+ s->session->cipher_id = cipher->id;
 if (!tls1_transcript_hash_init(s))
 goto err;
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index d78cb2ac3..4cf5c46fd 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1528,9 +1528,9 @@ LSSL_ALIAS(SSL_get_ciphers);
 STACK_OF(SSL_CIPHER) *
 SSL_get_client_ciphers(const SSL *s)
 {
- if (s == NULL || s->session == NULL || !s->server)
+ if (s == NULL || !s->server)
 return NULL;
- return s->session->ciphers;
+ return s->s3->hs.client_ciphers;
 }
 LSSL_ALIAS(SSL_get_client_ciphers);
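Review bot: The comment directly above the two lines removed in the @1011 hunk (`* and/or cipher_id values may not be set. Make sure that cipher_id is set and use it for comparison.`) described exactly the code this commit deletes and is now stale; with `cipher` gone from SSL_SESSION, `cipher_id` is the only value a resumed session carries. Suggest replacing that tail of the comment with `* For a resumed session the server must echo the session's cipher suite, so compare against cipher_id.`. Note also that in the @941 hunk `ssl3_get_cipher_by_value(cipher_suite)` can return NULL, so hs.cipher may transiently be NULL until the later `s->s3->hs.cipher = cipher;` assignment; the commit's own XXX comment flags that branch, so this is only worth a line if the branch is kept. ssl3_get_server_hello starts and ends outside these hunks.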
@@ -1713,10 +1713,10 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 char *end;
 int i;
- if (!s->server || s->session == NULL || len < 2)
+ if (!s->server || len < 2)
 return NULL;
- if ((client_ciphers = s->session->ciphers) == NULL)
+ if ((client_ciphers = s->s3->hs.client_ciphers) == NULL)
 return NULL;
 if ((server_ciphers = SSL_get_ciphers(s)) == NULL)
 return NULL;
@@ -3073,11 +3073,10 @@ LSSL_ALIAS(SSL_get_privatekey);
 const SSL_CIPHER *
 SSL_get_current_cipher(const SSL *s)
 {
- if ((s->session != NULL) && (s->session->cipher != NULL))
- return (s->session->cipher);
- return (NULL);
+ return s->s3->hs.cipher;
 }
 LSSL_ALIAS(SSL_get_current_cipher);
+
 const void *
 SSL_get_current_compression(SSL *s)
 {
diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index c002c9b34..79f41e6dc 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.21 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -438,13 +438,10 @@ struct ssl_session_st {
 time_t time;
 int references;
- const SSL_CIPHER *cipher;
 unsigned long cipher_id; /* when ASN.1 loaded, this
 * needs to be used to load
 * the 'cipher' structure */
- STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-
 char *tlsext_hostname;
 /* Session resumption - RFC 5077 and RFC 8446. */
@@ -568,6 +565,9 @@ typedef struct ssl_handshake_st {
 /* Cipher being negotiated in this handshake. */
 const SSL_CIPHER *cipher;
+ /* Ciphers sent by the client. */
+ STACK_OF(SSL_CIPHER) *client_ciphers;
+
 /* Extensions seen in this handshake. */
 uint32_t extensions_seen;
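Review bot: SSL_get_current_cipher in the @3073 hunk now returns `s->s3->hs.cipher`, which elsewhere in this diff is assigned as soon as a suite is chosen while processing ClientHello/ServerHello, whereas the old `s->session->cipher` only became non-NULL once the session's cipher was recorded (now the `cipher_id` assignment at ChangeCipherSpec in ssl3_do_change_cipher_spec). Applications calling it from an info or message callback will therefore see a non-NULL cipher earlier in the handshake than before, and presumably after a failed handshake too, until ssl3_clear runs; if that is the intended public behaviour a one-line comment above the function would help, e.g. `/* Cipher negotiated, or currently being negotiated, in this handshake; NULL before one is chosen. */`. The dropped `s->session != NULL` guard is fine since the session is no longer read, but `s->s3` is now dereferenced unconditionally, which presumably holds for any SSL returned by SSL_new.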
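Review bot: In the ssl_local.h @438 hunk the comment kept on `cipher_id` (`/* when ASN.1 loaded, this needs to be used to load the 'cipher' structure */`) refers to the `cipher` member this hunk removes, so it now describes nothing in the struct. Since cipher_id is now the session's only record of its suite (SSL_SESSION_get0_cipher and SSL_SESSION_print resolve it with ssl3_get_cipher_by_id in this same diff), suggest `unsigned long cipher_id; /* Suite ID of the negotiated cipher; resolve with ssl3_get_cipher_by_id(). */`. The new `client_ciphers` field in the handshake struct gets a comment; this one should be brought to the same standard.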
@@ -1266,9 +1266,9 @@ int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
 STACK_OF(SSL_CIPHER) *cipherlist_tls13,
 STACK_OF(SSL_CIPHER) **out_cipherlist);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(SSL *s, const EVP_CIPHER **enc,
 const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
+int ssl_cipher_get_evp_aead(SSL *s, const EVP_AEAD **aead);
 int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 2c33c4538..7d6785a3d 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.66 2023/07/11 17:02:47 tb Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.67 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -904,7 +904,7 @@ ssl3_read_handshake_unexpected(SSL *s)
 * It should be impossible to hit this, but keep the safety
 * harness for now...
 */
- if (s->session == NULL || s->session->cipher == NULL)
+ if (s->session == NULL || s->s3->hs.cipher == NULL)
 return 1;
 /*
@@ -953,7 +953,7 @@ ssl3_read_handshake_unexpected(SSL *s)
 return -1;
 }
- if (s->session == NULL || s->session->cipher == NULL) {
+ if (s->session == NULL || s->s3->hs.cipher == NULL) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 return -1;
 }
@@ -1235,7 +1235,8 @@ ssl3_do_change_cipher_spec(SSL *s)
 return (0);
 }
- s->session->cipher = s->s3->hs.cipher;
+ s->session->cipher_id = s->s3->hs.cipher->id;
+
 if (!tls1_setup_key_block(s))
 return (0);
 }
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index cb985cadb..c2bd1bf13 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.125 2024/03/27 06:47:52 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -287,14 +287,8 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
 copy->time = sess->time;
 copy->references = 1;
- copy->cipher = sess->cipher;
 copy->cipher_id = sess->cipher_id;
- if (sess->ciphers != NULL) {
- if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL)
- goto err;
- }
-
 if (sess->tlsext_hostname != NULL) {
 copy->tlsext_hostname = strdup(sess->tlsext_hostname);
 if (copy->tlsext_hostname == NULL)
@@ -712,12 +706,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert)
 goto err;
 }
- if (sess->cipher == NULL) {
- sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id);
- if (sess->cipher == NULL)
- goto err;
- }
-
 if (sess->timeout < (time(NULL) - sess->time)) {
 s->session_ctx->stats.sess_timeout++;
 if (!ticket_decrypted) {
@@ -881,8 +869,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
 X509_free(ss->peer_cert);
- sk_SSL_CIPHER_free(ss->ciphers);
-
 free(ss->tlsext_hostname);
 free(ss->tlsext_tick);
 free(ss->tlsext_ecpointformatlist);
@@ -998,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version);
 const SSL_CIPHER *
 SSL_SESSION_get0_cipher(const SSL_SESSION *s)
 {
- return s->cipher;
+ return ssl3_get_cipher_by_id(s->cipher_id);
 }
 LSSL_ALIAS(SSL_SESSION_get0_cipher);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index e9f14dc61..be6bd7402 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.161 2024/06/25 14:10:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.164 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -651,7 +651,7 @@ ssl3_accept(SSL *s)
 goto end;
 s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
 s->init_num = 0;
- s->session->cipher = s->s3->hs.cipher;
+ s->session->cipher_id = s->s3->hs.cipher->id;
 if (!tls1_setup_key_block(s)) {
 ret = -1;
@@ -978,7 +978,7 @@ ssl3_get_client_hello(SSL *s)
 /* XXX - CBS_len(&cipher_suites) will always be zero here... */
 if (s->hit && CBS_len(&cipher_suites) > 0) {
 j = 0;
- id = s->session->cipher->id;
+ id = s->session->cipher_id;
 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
 c = sk_SSL_CIPHER_value(ciphers, i);
@@ -1078,23 +1078,31 @@ ssl3_get_client_hello(SSL *s)
 s->hit = 1;
 s->session->verify_result = X509_V_OK;
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
 ciphers = NULL;
+ /*
+ * XXX - this allows the callback to use any client cipher and
+ * completely ignore the server cipher list. We should ensure
+ * that the pref_cipher is in both the client list and the
+ * server list.
+ */
+
 /* Check if some cipher was preferred by the callback. */
 if (pref_cipher == NULL)
- pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
+ pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 SSL_get_ciphers(s));
 if (pref_cipher == NULL) {
 al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
 goto fatal_err;
 }
- s->session->cipher = pref_cipher;
+ s->s3->hs.cipher = pref_cipher;
+ /* XXX - why? */
 sk_SSL_CIPHER_free(s->cipher_list);
- s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers);
 }
 /*
@@ -1108,19 +1116,22 @@ ssl3_get_client_hello(SSL *s)
 SSLerror(s, SSL_R_NO_CIPHERS_PASSED);
 goto fatal_err;
 }
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
 ciphers = NULL;
- if ((c = ssl3_choose_cipher(s, s->session->ciphers,
+ if ((c = ssl3_choose_cipher(s, s->s3->hs.client_ciphers,
 SSL_get_ciphers(s))) == NULL) {
 al = SSL_AD_HANDSHAKE_FAILURE;
 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
 goto fatal_err;
 }
 s->s3->hs.cipher = c;
+ s->session->cipher_id = s->s3->hs.cipher->id;
 } else {
- s->s3->hs.cipher = s->session->cipher;
+ s->s3->hs.cipher = ssl3_get_cipher_by_id(s->session->cipher_id);
+ if (s->s3->hs.cipher == NULL)
+ goto fatal_err;
 }
 if (!tls1_transcript_hash_init(s))
diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c
index ee3d218d6..26b631d5a 100644
--- a/lib/libssl/ssl_txt.c
+++ b/lib/libssl/ssl_txt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_txt.c,v 1.37 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_txt.c,v 1.38 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -108,6 +108,7 @@ LSSL_ALIAS(SSL_SESSION_print_fp);
 int
 SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 {
+ const SSL_CIPHER *cipher;
 size_t i;
 int ret = 0;
@@ -121,15 +122,15 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 ssl_version_string(x->ssl_version)) <= 0)
 goto err;
- if (x->cipher == NULL) {
+ if ((cipher = ssl3_get_cipher_by_id(x->cipher_id)) == NULL) {
 if (BIO_printf(bp, " Cipher : %04lX\n", x->cipher_id & SSL3_CK_VALUE_MASK) <= 0)
 goto err;
 } else {
 const char *cipher_name = "unknown";
- if (x->cipher->name != NULL)
- cipher_name = x->cipher->name;
+ if (cipher->name != NULL)
+ cipher_name = cipher->name;
 if (BIO_printf(bp, " Cipher : %s\n", cipher_name) <= 0)
 goto err;
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index c6140e9b3..64e1dd5b6 100644
--- a/lib/libssl/t1_enc.c
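Review bot: The new `goto fatal_err` taken when `ssl3_get_cipher_by_id(s->session->cipher_id)` returns NULL sets neither `al` nor an error, unlike the sibling failure a few lines above that does `al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER);`, so unless `al` is initialised earlier in ssl3_get_client_hello (outside the hunk) the alert sent is whatever was last assigned and the error queue stays empty. Suggest `al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_INTERNAL_ERROR); goto fatal_err;` so an undecodable resumed session is diagnosable. This check replaces the one ssl_get_prev_session performed before accepting the session for resumption (removed in the ssl_sess.c @712 hunk), so it now runs after `s->hit` has been set; a short comment such as `/* A resumed session must carry a cipher_id we still implement. */` would record why the lookup can fail here.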
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.157 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -357,15 +357,17 @@ tls1_setup_key_block(SSL *s)
 if (s->s3->hs.tls12.key_block != NULL)
 return (1);
- if (s->session->cipher &&
- (s->session->cipher->algorithm_mac & SSL_AEAD)) {
- if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
+ if (s->s3->hs.cipher == NULL)
+ return (0);
+
+ if ((s->s3->hs.cipher->algorithm_mac & SSL_AEAD) != 0) {
+ if (!ssl_cipher_get_evp_aead(s, &aead)) {
 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 return (0);
 }
 } else {
 /* XXX - mac_type and mac_secret_size are now unused. */
- if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
+ if (!ssl_cipher_get_evp(s, &cipher, &mac_hash,
 &mac_type, &mac_secret_size)) {
 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 return (0);
@@ -395,12 +397,12 @@ tls1_setup_key_block(SSL *s)
 */
 s->s3->need_empty_fragments = 1;
- if (s->session->cipher != NULL) {
- if (s->session->cipher->algorithm_enc == SSL_eNULL)
+ if (s->s3->hs.cipher != NULL) {
+ if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
 s->s3->need_empty_fragments = 0;
 #ifndef OPENSSL_NO_RC4
- if (s->session->cipher->algorithm_enc == SSL_RC4)
+ if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
 s->s3->need_empty_fragments = 0;
 #endif
 }
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 053cf1689..8f6894fd8 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.102 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.103 2024/07/20 04:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
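Review bot: The `if (s->s3->hs.cipher != NULL) {` guard kept in the @395 hunk can no longer be false, because the @357 hunk now returns 0 from tls1_setup_key_block when hs.cipher is NULL before this point is reached; the guard and its closing brace can be dropped and the two `algorithm_enc` comparisons left at the outer level. Hoisting `const SSL_CIPHER *cipher = s->s3->hs.cipher;` at the top, as ssl_ciph.c does in this same commit, would also replace the five repeated `s->s3->hs.cipher->` dereferences. The early return silently fails with no SSLerror, unlike the two SSL_R_CIPHER_OR_HASH_UNAVAILABLE paths below it; if reaching it is considered a bug, `SSLerror(s, ERR_R_INTERNAL_ERROR);` before `return (0);` would make that visible.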
@@ -347,7 +347,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 &shared_key_len))
 goto err;
- s->session->cipher = ctx->hs->cipher;
+ s->session->cipher_id = ctx->hs->cipher->id;
 s->session->ssl_version = ctx->hs->tls13.server_version;
 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index dfeb1e016..6bd2993cf 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.106 2023/06/10 15:34:36 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.108 2024/07/20 04:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing
 * Copyright (c) 2020 Bob Beck
@@ -275,8 +275,8 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 }
 ctx->hs->cipher = cipher;
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = ciphers;
+ sk_SSL_CIPHER_free(s->s3->hs.client_ciphers);
+ s->s3->hs.client_ciphers = ciphers;
 ciphers = NULL;
 /* Ensure only the NULL compression method is advertised. */
@@ -383,7 +383,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 &shared_key_len))
 goto err;
- s->session->cipher = ctx->hs->cipher;
+ s->session->cipher_id = ctx->hs->cipher->id;
 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
 goto err;
diff --git a/libexec/getty/main.c b/libexec/getty/main.c
index dac5ad344..74b3aa277 100644
--- a/libexec/getty/main.c
+++ b/libexec/getty/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.55 2024/04/28 16:42:53 florian Exp $ */
+/* $OpenBSD: main.c,v 1.56 2024/07/19 15:28:51 bluhm Exp $ */
 /*-
 * Copyright (c) 1980, 1993
@@ -172,7 +172,8 @@ main(int argc, char *argv[])
 tname = "default";
- if (unveil(_PATH_GETTYTAB, "r") == -1) {
+ if (unveil(_PATH_GETTYTAB, "r") == -1 ||
+ unveil(_PATH_GETTYTAB ".db", "r") == -1) {
 syslog(LOG_ERR, "%s: %m", tname);
 exit(1);
 }
diff --git a/regress/usr.bin/ssh/multiplex.sh b/regress/usr.bin/ssh/multiplex.sh
index 1bae1b2eb..a8b59e635 100644
--- a/regress/usr.bin/ssh/multiplex.sh
+++ b/regress/usr.bin/ssh/multiplex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: multiplex.sh,v 1.36 2023/03/01 09:29:32 dtucker Exp $
+# $OpenBSD: multiplex.sh,v 1.37 2024/07/19 04:33:36 djm Exp $
 # Plac­ed in the Public Domain.
 CTL=$OBJ/ctl-sock
@@ -50,19 +50,20 @@ if [ $? -ne 0 ]; then
 fail "environment not found"
 fi
+for mode in "" "-Oproxy"; do
+ verbose "test $tid: transfer $mode"
+ rm -f ${COPY}
+ trace "ssh transfer over $mode multiplexed connection and check result"
+ ${SSH} $mode -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
+ test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
-verbose "test $tid: transfer"
-rm -f ${COPY}
-trace "ssh transfer over multiplexed connection and check result"
-${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
-test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
-cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
-
-rm -f ${COPY}
-trace "ssh transfer over multiplexed connection and check result"
-${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
-test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
-cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
+ rm -f ${COPY}
+ trace "ssh transfer over $mode multiplexed connection and check result"
+ ${SSH} $mode -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
+ test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
+done
 rm -f ${COPY}
 trace "sftp transfer over multiplexed connection and check result"
diff --git a/sys/arch/arm64/arm64/cpu.c b/sys/arch/arm64/arm64/cpu.c
index 09c2cdf8f..ee5a405fa 100644
--- a/sys/arch/arm64/arm64/cpu.c
+++ b/sys/arch/arm64/arm64/cpu.c
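Review bot: The four `fail` messages inside the new loop (`fail "ssh -Sctl: failed copy ${DATA}"`, `fail "ssh -S ctl: corrupted copy of ${DATA}"`, and their siblings) do not include `$mode`, so a failure in the `-Oproxy` iteration is reported identically to one in the plain iteration, while the `verbose` and `trace` lines the hunk adds do carry it. Suggest `fail "ssh $mode -Sctl: failed copy ${DATA}"` and the same edit for the other three. The unquoted `$mode` in the `${SSH}` invocations is presumably deliberate so the empty string contributes no argument; a one-line comment above the `for` saying so would stop a later cleanup from quoting it.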
@@ -1,4 +1,4 @@
-/* $OpenBSD: cpu.c,v 1.127 2024/07/17 15:21:59 kettenis Exp $ */
+/* $OpenBSD: cpu.c,v 1.128 2024/07/18 17:18:01 kettenis Exp $ */
 /*
 * Copyright (c) 2016 Dale Rahn
@@ -1035,12 +1035,12 @@ cpu_identify_cleanup(void)
 cpu_id_aa64isar0 = value;
 /* ID_AA64ISAR1_EL1 */
- value = cpu_id_aa64isar1 &= ID_AA64ISAR1_MASK;
+ value = cpu_id_aa64isar1 & ID_AA64ISAR1_MASK;
 value &= ~ID_AA64ISAR1_SPECRES_MASK;
 cpu_id_aa64isar1 = value;
 /* ID_AA64ISAR2_EL1 */
- value = cpu_id_aa64isar2 &= ID_AA64ISAR2_MASK;
+ value = cpu_id_aa64isar2 & ID_AA64ISAR2_MASK;
 value &= ~ID_AA64ISAR2_CLRBHB_MASK;
 cpu_id_aa64isar2 = value;
diff --git a/sys/dev/usb/uvideo.c b/sys/dev/usb/uvideo.c
index 0ec04d8cc..c3b67b8ba 100644
--- a/sys/dev/usb/uvideo.c
+++ b/sys/dev/usb/uvideo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvideo.c,v 1.220 2024/05/23 03:21:09 jsg Exp $ */
+/* $OpenBSD: uvideo.c,v 1.221 2024/07/20 12:34:52 jsg Exp $ */
 /*
 * Copyright (c) 2008 Robert Nagy
@@ -177,6 +177,7 @@ usbd_status uvideo_usb_control(struct uvideo_softc *, uint8_t, uint8_t,
 #include
 #include
 #include
+#include
 void uvideo_dump_desc_all(struct uvideo_softc *);
 void uvideo_dump_desc_vc_header(struct uvideo_softc *,
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 1d68e0f61..46e352610 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.399 2024/07/14 18:53:39 bluhm Exp $ */
+/* $OpenBSD: ip_input.c,v 1.400 2024/07/19 16:58:31 bluhm Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 /*
@@ -94,7 +94,7 @@ int ip_forwarding = 0; /* [a] */
 int ipmforwarding = 0;
 int ipmultipath = 0;
-int ip_sendredirects = 1;
+int ip_sendredirects = 1; /* [a] */
 int ip_dosourceroute = 0;
 int ip_defttl = IPDEFTTL;
 int ip_mtudisc = 1;
@@ -113,13 +113,13 @@ int ip_frags = 0;
 const struct sysctl_bounded_args ipctl_vars_unlocked[] = {
 { IPCTL_FORWARDING, &ip_forwarding, 0, 2 },
+ { IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 },
 };
 const struct sysctl_bounded_args ipctl_vars[] = {
 #ifdef MROUTING
 { IPCTL_MRTPROTO, &ip_mrtproto, SYSCTL_INT_READONLY },
 #endif
- { IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 },
 { IPCTL_DEFTTL, &ip_defttl, 0, 255 },
 { IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 },
 { IPCTL_IPPORT_FIRSTAUTO, &ipport_firstauto, 0, 65535 },
@@ -1605,10 +1605,11 @@ ip_forward(struct mbuf *m, struct ifnet *ifp, struct route *ro, int flags)
 * Don't send redirect if we advertise destination's arp address
 * as ours (proxy arp).
 */
- if ((rt->rt_ifidx == ifp->if_index) &&
- (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 &&
- satosin(rt_key(rt))->sin_addr.s_addr != 0 &&
- ip_sendredirects && !ISSET(flags, IP_REDIRECT) &&
+ if (rt->rt_ifidx == ifp->if_index &&
+ !ISSET(rt->rt_flags, RTF_DYNAMIC|RTF_MODIFIED) &&
+ satosin(rt_key(rt))->sin_addr.s_addr != INADDR_ANY &&
+ !ISSET(flags, IP_REDIRECT) &&
+ atomic_load_int(&ip_sendredirects) &&
 !arpproxy(satosin(rt_key(rt))->sin_addr, rtableid)) {
 if ((ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_netmask) ==
 ifatoia(rt->rt_ifa)->ia_net) {
@@ -1803,6 +1804,7 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
 NET_UNLOCK();
 return (error);
 case IPCTL_FORWARDING:
+ case IPCTL_SENDREDIRECTS:
 return (sysctl_bounded_arr(
 ipctl_vars_unlocked, nitems(ipctl_vars_unlocked),
 name, namelen, oldp, oldlenp, newp, newlen));
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index bb85eb6d2..0e4002a4c 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.321 2024/07/12 19:50:35 bluhm Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.322 2024/07/19 15:41:58 bluhm Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -592,7 +592,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 }
 KASSERT(sotoinpcb(inp->inp_socket) == inp);
- soassertlocked(inp->inp_socket);
+ soassertlocked_readonly(inp->inp_socket);
 #ifdef INET6
 if (ip6 && inp->inp_ip6_minhlim &&
@@ -1207,7 +1207,7 @@ udp_send(struct socket *so, struct mbuf *m, struct mbuf *addr,
 {
 struct inpcb *inp = sotoinpcb(so);
- soassertlocked(so);
+ soassertlocked_readonly(so);
 #ifdef PIPEX
 if (inp->inp_pipex) {
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index a737e995c..ac9f88481 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_proto.c,v 1.115 2024/07/12 19:50:35 bluhm Exp $ */
+/* $OpenBSD: in6_proto.c,v 1.116 2024/07/19 16:58:32 bluhm Exp $ */
 /* $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $ */
 /*
@@ -343,10 +343,10 @@ const struct domain inet6domain = {
 /*
 * Internet configuration info
 */
-int ip6_forwarding = 0; /* no forwarding unless sysctl'd to enable */
+int ip6_forwarding = 0; /* [a] no forwarding unless sysctl to enable */
 int ip6_mforwarding = 0; /* no multicast forwarding unless ... */
 int ip6_multipath = 0; /* no using multipath routes unless ... */
-int ip6_sendredirects = 1;
+int ip6_sendredirects = 1; /* [a] */
 int ip6_defhlim = IPV6_DEFHLIM;
 int ip6_defmcasthlim = IPV6_DEFAULT_MULTICAST_HOPS;
 int ip6_maxfragpackets = 200;
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 5d2cf5559..c4054781c 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.123 2024/07/13 10:09:40 bluhm Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.124 2024/07/19 16:58:32 bluhm Exp $ */
 /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
 /*
@@ -280,8 +280,9 @@ reroute:
 goto freecopy;
 }
 if (rt->rt_ifidx == ifidx &&
- ip6_sendredirects && !ISSET(flags, IPV6_REDIRECT) &&
- (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
+ !ISSET(rt->rt_flags, RTF_DYNAMIC|RTF_MODIFIED) &&
+ !ISSET(flags, IPV6_REDIRECT) &&
+ atomic_load_int(&ip6_sendredirects)) {
 if ((ifp->if_flags & IFF_POINTOPOINT) &&
 nd6_is_addr_neighbor(&ro->ro_dstsin6, ifp)) {
 /*
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 4ab7d8c45..79ba29050 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.265 2024/07/14 18:53:39 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.266 2024/07/19 16:58:32 bluhm Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -1445,6 +1445,7 @@ extern int ip6_mrtproto;
 const struct sysctl_bounded_args ipv6ctl_vars_unlocked[] = {
 { IPV6CTL_FORWARDING, &ip6_forwarding, 0, 2 },
+ { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 },
 };
 const struct sysctl_bounded_args ipv6ctl_vars[] = {
@@ -1452,7 +1453,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
 #ifdef MROUTING
 { IPV6CTL_MRTPROTO, &ip6_mrtproto, SYSCTL_INT_READONLY },
 #endif
- { IPV6CTL_SENDREDIRECTS, &ip6_sendredirects, 0, 1 },
 { IPV6CTL_DEFHLIM, &ip6_defhlim, 0, 255 },
 { IPV6CTL_MAXFRAGPACKETS, &ip6_maxfragpackets, 0, 1000 },
 { IPV6CTL_LOG_INTERVAL, &ip6_log_interval, 0, INT_MAX },
@@ -1572,6 +1572,7 @@ ip6_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 NET_UNLOCK();
 return (error);
 case IPV6CTL_FORWARDING:
+ case IPV6CTL_SENDREDIRECTS:
 return (sysctl_bounded_arr(
 ipv6ctl_vars_unlocked, nitems(ipv6ctl_vars_unlocked),
 name, namelen, oldp, oldlenp, newp, newlen));
diff --git a/usr.sbin/radiusd/radiusd_file.c b/usr.sbin/radiusd/radiusd_file.c
index c140e0817..550638b53 100644
--- a/usr.sbin/radiusd/radiusd_file.c
+++ b/usr.sbin/radiusd/radiusd_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radiusd_file.c,v 1.3 2024/07/17 10:15:39 yasuoka Exp $ */
+/* $OpenBSD: radiusd_file.c,v 1.5 2024/07/18 22:40:09 yasuoka Exp $ */
 /*
 * Copyright (c) 2024 YASUOKA Masahiko
@@ -82,6 +82,8 @@ static void auth_md5chap(struct module_file *, u_int, RADIUS_PACKET *,
 char *, struct module_file_userinfo *);
 static void auth_mschapv2(struct module_file *, u_int, RADIUS_PACKET *,
 char *, struct module_file_userinfo *);
+static void auth_reject(struct module_file *, u_int, RADIUS_PACKET *,
+ char *, struct module_file_userinfo *);
 static struct module_handlers module_file_handlers = {
 .access_request = module_file_access_request,
@@ -100,6 +102,7 @@ main(int argc, char *argv[])
 ssize_t n;
 size_t datalen;
 struct module_file_params *paramsp, params;
+ char pathdb[PATH_MAX];
 while ((ch = getopt(argc, argv, "M")) != -1)
 switch (ch) {
@@ -122,9 +125,12 @@ main(int argc, char *argv[])
 pid = start_child(saved_argv0, pairsock[1]);
 /* Privileged process */
+ if (pledge("stdio rpath unveil", NULL) == -1)
+ err(EXIT_FAILURE, "pledge");
 setproctitle("[priv]");
 imsg_init(&ibuf, pairsock[0]);
+ /* Receive parameters from the main process. */
 if (imsg_sync_read(&ibuf, 2000) <= 0 ||
 (n = imsg_get(&ibuf, &imsg)) <= 0)
 exit(EXIT_FAILURE);
@@ -137,7 +143,10 @@ main(int argc, char *argv[])
 "message is wrong size");
 paramsp = imsg.data;
 if (paramsp->path[0] != '\0') {
- if (unveil(paramsp->path, "r") == -1)
+ strlcpy(pathdb, paramsp->path, sizeof(pathdb));
+ strlcat(pathdb, ".db", sizeof(pathdb));
+ if (unveil(paramsp->path, "r") == -1 ||
+ unveil(pathdb, "r") == -1)
 err(EXIT_FAILURE, "unveil");
 }
 if (paramsp->debug)
@@ -145,8 +154,6 @@ main(int argc, char *argv[])
 if (unveil(NULL, NULL) == -1)
 err(EXIT_FAILURE, "unveil");
- if (pledge("stdio rpath", NULL) == -1)
- err(EXIT_FAILURE, "pledge");
 memcpy(¶ms, paramsp, sizeof(params));
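Review bot: In the @137 hunk the return values of `strlcpy(pathdb, paramsp->path, sizeof(pathdb))` and `strlcat(pathdb, ".db", sizeof(pathdb))` are ignored, so a configured path within three bytes of PATH_MAX yields a silently truncated pathdb and unveil() is applied to a name that is not the database file; the later open would then fail with a confusing ENOENT/EACCES rather than a clear error. Suggest `if (strlcpy(pathdb, paramsp->path, sizeof(pathdb)) >= sizeof(pathdb) || strlcat(pathdb, ".db", sizeof(pathdb)) >= sizeof(pathdb)) errx(EXIT_FAILURE, "path too long");` before the unveil calls. Separately, the @145 hunk deletes the later `pledge("stdio rpath", NULL)` entirely; since `unveil(NULL, NULL)` has already locked the view at that point, re-issuing that narrower pledge there (rather than deleting it) would drop the `unveil` promise for the remainder of the privileged process, as the code did before this change. main() continues outside these hunks.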
@@ -316,6 +323,7 @@ module_file_start(void *ctx) { struct module_file *module = ctx;
+ /* Send parameters to parent */ if (module->params.path[0] == '\0') { module_send_message(module->base, IMSG_NG, "`path' is not configured");
@@ -344,7 +352,7 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt, if ((radpkt = radius_convert_packet(pkt, pktlen)) == NULL) { log_warn("%s: radius_convert_packet()", __func__);
- goto on_error;
+ goto out; } radius_get_string_attr(radpkt, RADIUS_TYPE_USER_NAME, username, sizeof(username));
@@ -354,11 +362,11 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt, imsg_flush(&self->ibuf); if ((n = imsg_read(&self->ibuf)) == -1 || n == 0) { log_warn("%s: imsg_read()", __func__);
- goto on_error;
+ goto out; } if ((n = imsg_get(&self->ibuf, &imsg)) <= 0) { log_warn("%s: imsg_get()", __func__);
- goto on_error;
+ goto out; } datalen = imsg.hdr.len - IMSG_HEADER_SIZE; 
@@ -367,24 +375,21 @@ module_file_access_request(void *ctx, u_int query_id, const u_char *pkt, password[0])) { log_warn("%s: received IMSG_RADIUSD_FILE_USERINFO is " "invalid", __func__);
- goto on_error;
+ goto out; } ent = imsg.data;
+ if (radius_has_attr(radpkt, RADIUS_TYPE_USER_PASSWORD))
+ auth_pap(self, query_id, radpkt, username, ent);
+ else if (radius_has_attr(radpkt, RADIUS_TYPE_CHAP_PASSWORD))
+ auth_md5chap(self, query_id, radpkt, username, ent);
+ else if (radius_has_vs_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
+ RADIUS_VTYPE_MS_CHAP2_RESPONSE))
+ auth_mschapv2(self, query_id, radpkt, username, ent);
+ else
+ auth_reject(self, query_id, radpkt, username, ent); } else
- goto on_error;
-
- if (radius_has_attr(radpkt, RADIUS_TYPE_USER_PASSWORD))
- auth_pap(self, query_id, radpkt, username, ent);
- else if (radius_has_attr(radpkt, RADIUS_TYPE_CHAP_PASSWORD))
- auth_md5chap(self, query_id, radpkt, username, ent);
- else if (radius_has_vs_attr(radpkt, RADIUS_VENDOR_MICROSOFT,
- RADIUS_VTYPE_MS_CHAP2_RESPONSE))
- auth_mschapv2(self, query_id, radpkt, username, ent);
- else {
- log_info("q=%u unsupported authentication methods", query_id);
- explicit_bzero(ent->password, strlen(ent->password));
- }
- on_error:
+ auth_reject(self, query_id, radpkt, username, NULL);
+ out: if (radpkt != NULL) radius_delete_packet(radpkt); imsg_free(&imsg); 
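Review bot: The unsupported-method branch no longer says why it rejects: the old `log_info("q=%u unsupported authentication methods", query_id);` is gone, and the `auth_reject()` definition added later in this diff logs the same generic "authentication failed" line for an unknown user and for a request that carries none of the three supported credential attributes. Keeping that `log_info()` call immediately before the final `auth_reject(self, query_id, radpkt, username, ent);` in the `else` branch preserves a distinction operators use when triaging failed logins. Separately, the `goto out;` taken when the USERINFO message has the wrong size still leaves the request unanswered, while the sibling `else` branch now sends an Access-Reject; if that asymmetry is intended, a short comment at that `goto out;` noting the client is left to time out would help. `module_file_access_request()` starts outside the hunk.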
@@ -585,3 +590,24 @@ auth_mschapv2(struct module_file *self, u_int q_id, RADIUS_PACKET *radpkt, if (respkt != NULL) radius_delete_packet(respkt); }
+
+void
+auth_reject(struct module_file *self, u_int q_id, RADIUS_PACKET *radpkt,
+ char *username, struct module_file_userinfo *ent)
+{
+ RADIUS_PACKET *respkt = NULL;
+
+ if (ent != NULL)
+ explicit_bzero(ent->password, strlen(ent->password));
+
+ log_info("q=%u User `%s' authentication failed", q_id,
+ username);
+ if ((respkt = radius_new_response_packet(RADIUS_CODE_ACCESS_REJECT,
+ radpkt)) == NULL) {
+ log_warn("%s: radius_new_response_packet()", __func__);
+ return;
+ }
+ module_accsreq_answer(self->base, q_id,
+ radius_get_data(respkt), radius_get_length(respkt));
+ radius_delete_packet(respkt);
+}
diff --git a/usr.sbin/relayd/relay_http.c b/usr.sbin/relayd/relay_http.c
index ce7b6817f..0c511d0b9 100644
--- a/usr.sbin/relayd/relay_http.c
+++ b/usr.sbin/relayd/relay_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay_http.c,v 1.88 2024/07/08 14:22:09 florian Exp $ */
+/* $OpenBSD: relay_http.c,v 1.90 2024/07/20 06:54:15 anton Exp $ */ /* * Copyright (c) 2006 - 2016 Reyk Floeter
@@ -436,16 +436,8 @@ relay_read_http(struct bufferevent *bev, void *arg) desc->http_lastheader); break; case HTTP_METHOD_RESPONSE:
- /*
- * Strip Content-Length header from
- * HEAD responses since there is no
- * actual payload in the response.
- */
- if (request_method == HTTP_METHOD_HEAD) {
- kv_delete(&desc->http_headers,
- desc->http_lastheader);
+ if (request_method == HTTP_METHOD_HEAD) break;
- } /* FALLTHROUGH */ default: /*
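Review bot: The definition of `auth_reject()` carries no storage class while the forward declaration added in the `@@ -82` hunk of this file is `static void`; the earlier declaration gives the definition internal linkage, but a reader of the definition alone cannot see that, so `static void` on the definition would match the declaration (and presumably the sibling `auth_*` definitions, whose storage class is outside the hunk). The `= NULL` initializer on `respkt` is dead, since the variable is assigned before its first use. A short header comment would also help, e.g. `/* Answer q_id with Access-Reject; wipes ent->password first when a userinfo entry was looked up. */`.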
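Review bot: The `if (request_method == HTTP_METHOD_HEAD) break;` in the `HTTP_METHOD_RESPONSE` case is now unexplained: the four-line comment that justified the old `kv_delete()` went with it, and the bare `break` reads like an accidental skip of the `default:` handling. A one-line replacement such as `/* HEAD responses have no body; keep the header as sent and skip the payload handling below */` would record the intent (what `default:` does is outside this hunk, so adjust the wording to it). `relay_read_http()` starts and ends outside the hunk.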