authorjsing <>2014-12-10 15:36:47 +0000
committerjsing <>2014-12-10 15:36:47 +0000
commit1434a91c4d4dc782915ce81dd056fa8f6cb77ae1 (patch)
tree8f2441ed940045edc4ad4d11ab3d8395f2830a78
parent7b2f3298f7eb7ce5cfd1c3eb55b1ecc89118f52c (diff)
downloadopenbsd-1434a91c4d4dc782915ce81dd056fa8f6cb77ae1.tar.gz
openbsd-1434a91c4d4dc782915ce81dd056fa8f6cb77ae1.tar.bz2
openbsd-1434a91c4d4dc782915ce81dd056fa8f6cb77ae1.zip
Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been long obsoleted and libcrypto does not have support for them anyway. Discussed with Dmitry Eremin-Solenikov.
-rw-r--r--src/lib/libssl/s3_both.c5
-rw-r--r--src/lib/libssl/s3_clnt.c4
-rw-r--r--src/lib/libssl/s3_lib.c35
-rw-r--r--src/lib/libssl/s3_srvr.c6
-rw-r--r--src/lib/libssl/src/ssl/s3_both.c5
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c4
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c35
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c6
-rw-r--r--src/lib/libssl/src/ssl/ssl_cert.c3
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c17
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c9
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c5
-rw-r--r--src/lib/libssl/ssl_cert.c3
-rw-r--r--src/lib/libssl/ssl_ciph.c17
-rw-r--r--src/lib/libssl/ssl_lib.c9
-rw-r--r--src/lib/libssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/t1_lib.c5
18 files changed, 30 insertions, 154 deletions
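--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.32 2014/11/16 14:12:47 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.33 2014/12/10 15:36:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -542,9 +542,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
  }
  else if (i == EVP_PKEY_EC) {
  ret = SSL_PKEY_ECC;
- }
- else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
- ret = SSL_PKEY_GOST94;
  } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
  ret = SSL_PKEY_GOST01;
  }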
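--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.97 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.98 2014/12/10 15:36:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2207,8 +2207,6 @@ ssl3_send_client_key_exchange(SSL *s)
 
  /* Get server sertificate PKEY and create ctx from it */
  peer_cert = s->session->sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;
- if (!peer_cert)
- peer_cert = s->session->sess_cert->peer_pkeys[SSL_PKEY_GOST94].x509;
  if (!peer_cert) {
  SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);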
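--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.86 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.87 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -747,23 +747,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 
  /* GOST Ciphersuites */
 
- /* Cipher 80 */
- {
- .valid = 1,
- .name = "GOST94-GOST89-GOST89",
- .id = 0x3000080,
- .algorithm_mkey = SSL_kGOST,
- .algorithm_auth = SSL_aGOST94,
- .algorithm_enc = SSL_eGOST2814789CNT,
- .algorithm_mac = SSL_GOST89MAC,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
- TLS1_STREAM_MAC,
- .strength_bits = 256,
- .alg_bits = 256
- },
-
  /* Cipher 81 */
  {
  .valid = 1,
@@ -781,22 +764,6 @@ SSL_CIPHER ssl3_ciphers[] = {
  .alg_bits = 256
  },
 
- /* Cipher 82 */
- {
- .valid = 1,
- .name = "GOST94-NULL-GOST94",
- .id = 0x3000082,
- .algorithm_mkey = SSL_kGOST,
- .algorithm_auth = SSL_aGOST94,
- .algorithm_enc = SSL_eNULL,
- .algorithm_mac = SSL_GOST94,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_STRONG_NONE,
- .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
- .strength_bits = 0,
- .alg_bits = 0
- },
-
  /* Cipher 83 */
  {
  .valid = 1,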
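--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.91 2014/11/18 05:33:43 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2134,9 +2134,7 @@ ssl3_get_client_key_exchange(SSL *s)
 
  /* Get our certificate private key*/
  alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (alg_a & SSL_aGOST94)
- pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
- else if (alg_a & SSL_aGOST01)
+ if (alg_a & SSL_aGOST01)
  pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
 
  pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);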
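Review bot: After the removal, `pk` in ssl3_get_client_key_exchange is assigned only inside `if (alg_a & SSL_aGOST01)`, so a cipher that reaches this code without that auth bit hands whatever `pk` held before to `EVP_PKEY_CTX_new(pk, NULL)`; the declaration of `pk` and any earlier assignment are above the hunk, so whether that value is NULL or indeterminate cannot be seen here. The old else-if chain had the same gap, but with a single arm left the guard reads as if it were exhaustive, so either make the assignment unconditional, `pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;`, or add an `else` that raises an error and bails before the context is created. The identical hunk is in src/lib/libssl/src/ssl/s3_srvr.c. ssl3_get_client_key_exchange starts and ends outside the hunk.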
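--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.32 2014/11/16 14:12:47 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.33 2014/12/10 15:36:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -542,9 +542,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
  }
  else if (i == EVP_PKEY_EC) {
  ret = SSL_PKEY_ECC;
- }
- else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
- ret = SSL_PKEY_GOST94;
  } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
  ret = SSL_PKEY_GOST01;
  }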
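--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.97 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.98 2014/12/10 15:36:46 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2207,8 +2207,6 @@ ssl3_send_client_key_exchange(SSL *s)
 
  /* Get server sertificate PKEY and create ctx from it */
  peer_cert = s->session->sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;
- if (!peer_cert)
- peer_cert = s->session->sess_cert->peer_pkeys[SSL_PKEY_GOST94].x509;
  if (!peer_cert) {
  SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);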
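--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.86 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.87 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -747,23 +747,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 
  /* GOST Ciphersuites */
 
- /* Cipher 80 */
- {
- .valid = 1,
- .name = "GOST94-GOST89-GOST89",
- .id = 0x3000080,
- .algorithm_mkey = SSL_kGOST,
- .algorithm_auth = SSL_aGOST94,
- .algorithm_enc = SSL_eGOST2814789CNT,
- .algorithm_mac = SSL_GOST89MAC,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
- TLS1_STREAM_MAC,
- .strength_bits = 256,
- .alg_bits = 256
- },
-
  /* Cipher 81 */
  {
  .valid = 1,
@@ -781,22 +764,6 @@ SSL_CIPHER ssl3_ciphers[] = {
  .alg_bits = 256
  },
 
- /* Cipher 82 */
- {
- .valid = 1,
- .name = "GOST94-NULL-GOST94",
- .id = 0x3000082,
- .algorithm_mkey = SSL_kGOST,
- .algorithm_auth = SSL_aGOST94,
- .algorithm_enc = SSL_eNULL,
- .algorithm_mac = SSL_GOST94,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_STRONG_NONE,
- .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
- .strength_bits = 0,
- .alg_bits = 0
- },
-
  /* Cipher 83 */
  {
  .valid = 1,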
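--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.91 2014/11/18 05:33:43 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2134,9 +2134,7 @@ ssl3_get_client_key_exchange(SSL *s)
 
  /* Get our certificate private key*/
  alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (alg_a & SSL_aGOST94)
- pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
- else if (alg_a & SSL_aGOST01)
+ if (alg_a & SSL_aGOST01)
  pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
 
  pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);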
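--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.47 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.48 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -167,7 +167,6 @@ ssl_cert_set_default_md(CERT *cert)
  cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #ifndef OPENSSL_NO_GOST
- cert->pkeys[SSL_PKEY_GOST94].digest = EVP_gostr341194();
  cert->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
 #endif
 }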
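--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.78 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -314,16 +314,12 @@ static const SSL_CIPHER cipher_aliases[] = {
  .algorithm_auth = SSL_aECDSA,
  },
  {
- .name = SSL_TXT_aGOST94,
- .algorithm_auth = SSL_aGOST94,
- },
- {
  .name = SSL_TXT_aGOST01,
  .algorithm_auth = SSL_aGOST01,
  },
  {
  .name = SSL_TXT_aGOST,
- .algorithm_auth = SSL_aGOST94|SSL_aGOST01,
+ .algorithm_auth = SSL_aGOST01,
  },
 
  /* aliases combining key exchange and server authentication */
@@ -808,12 +804,10 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
  * algorithms. If they are not available disable the associated
  * authentication and key exchange algorithms.
  */
- if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL)
- *auth |= SSL_aGOST94;
- if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL)
+ if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) {
  *auth |= SSL_aGOST01;
- if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0)
  *mkey |= SSL_kGOST;
+ }
 
 #ifdef SSL_FORBID_ENULL
  *enc |= SSL_eNULL;
@@ -1589,9 +1583,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
  case SSL_aECDSA:
  au = "ECDSA";
  break;
- case SSL_aGOST94:
- au = "GOST94";
- break;
  case SSL_aGOST01:
  au = "GOST01";
  break;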
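Review bot: The block comment that introduces the changed code in ssl_cipher_get_disabled (its opening lines are above the hunk) still describes probing GOST "algorithms" in the plural and disabling "the associated" ones, while the code now checks only NID_id_GostR3410_2001 and clears both SSL_aGOST01 and SSL_kGOST on that single miss; it should be reworded to something like `/* Probe for the GOST R 34.10-2001 method; without it, disable GOST authentication and the GOST key exchange. */`. Removing the SSL_TXT_aGOST94 entry from cipher_aliases also means a cipher string naming `aGOST94` no longer matches any alias; how the rule parser treats an unknown word is not visible here, so that behaviour change deserves a mention in the commit message or the ciphers documentation. The same hunks appear in src/lib/libssl/ssl_ciph.c.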
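--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.91 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2051,11 +2051,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  mask_k |= SSL_kGOST;
  mask_a |= SSL_aGOST01;
  }
- cpk = &(c->pkeys[SSL_PKEY_GOST94]);
- if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
- mask_k |= SSL_kGOST;
- mask_a |= SSL_aGOST94;
- }
 
  if (rsa_enc)
  mask_k|=SSL_kRSA;
@@ -2211,8 +2206,6 @@ ssl_get_server_send_pkey(const SSL *s)
  i = SSL_PKEY_RSA_SIGN;
  else
  i = SSL_PKEY_RSA_ENC;
- } else if (alg_a & SSL_aGOST94) {
- i = SSL_PKEY_GOST94;
  } else if (alg_a & SSL_aGOST01) {
  i = SSL_PKEY_GOST01;
  } else { /* if (alg_a & SSL_aNULL) */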
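--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.79 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.80 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -266,7 +266,6 @@
 #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
 #define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
 #define SSL_aECDSA 0x00000040L /* ECDSA auth*/
-#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
 #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
 
 
@@ -398,9 +397,8 @@
 #define SSL_PKEY_DH_RSA 3
 #define SSL_PKEY_DH_DSA 4
 #define SSL_PKEY_ECC 5
-#define SSL_PKEY_GOST94 6
-#define SSL_PKEY_GOST01 7
-#define SSL_PKEY_NUM 8
+#define SSL_PKEY_GOST01 6
+#define SSL_PKEY_NUM 7
 
 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)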
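Review bot: Dropping SSL_aGOST94 leaves the 0x00000100L bit unassigned with nothing in the header recording that, and renumbering SSL_PKEY_GOST01 from 7 to 6 and SSL_PKEY_NUM from 8 to 7 changes the indices used for the per-certificate pkeys tables (SSL_PKEY_NUM presumably sizes them, though the array declaration is not in the hunk). ssl_locl.h is private, so a clean rebuild is self-consistent, but any object still compiled against the old header would index those tables with the old values, so the tree should be rebuilt as a whole. A short marker such as `/* 0x00000100L was SSL_aGOST94, now unused */` next to SSL_aGOST01 would keep a future auth flag from being assigned that value by accident. The same hunks appear in src/lib/libssl/ssl_locl.h.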
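--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.72 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.73 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2448,7 +2448,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
  c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
  c->pkeys[SSL_PKEY_ECC].digest = NULL;
- c->pkeys[SSL_PKEY_GOST94].digest = NULL;
  c->pkeys[SSL_PKEY_GOST01].digest = NULL;
 
  for (i = 0; i < dsize; i += 2) {
@@ -2496,8 +2495,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  if (!c->pkeys[SSL_PKEY_ECC].digest)
  c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #ifndef OPENSSL_NO_GOST
- if (!c->pkeys[SSL_PKEY_GOST94].digest)
- c->pkeys[SSL_PKEY_GOST94].digest = EVP_gostr341194();
  if (!c->pkeys[SSL_PKEY_GOST01].digest)
  c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
 #endif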
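--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.47 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.48 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -167,7 +167,6 @@ ssl_cert_set_default_md(CERT *cert)
  cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #ifndef OPENSSL_NO_GOST
- cert->pkeys[SSL_PKEY_GOST94].digest = EVP_gostr341194();
  cert->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
 #endif
 }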
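--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.78 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -314,16 +314,12 @@ static const SSL_CIPHER cipher_aliases[] = {
  .algorithm_auth = SSL_aECDSA,
  },
  {
- .name = SSL_TXT_aGOST94,
- .algorithm_auth = SSL_aGOST94,
- },
- {
  .name = SSL_TXT_aGOST01,
  .algorithm_auth = SSL_aGOST01,
  },
  {
  .name = SSL_TXT_aGOST,
- .algorithm_auth = SSL_aGOST94|SSL_aGOST01,
+ .algorithm_auth = SSL_aGOST01,
  },
 
  /* aliases combining key exchange and server authentication */
@@ -808,12 +804,10 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
  * algorithms. If they are not available disable the associated
  * authentication and key exchange algorithms.
  */
- if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL)
- *auth |= SSL_aGOST94;
- if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL)
+ if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) {
  *auth |= SSL_aGOST01;
- if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0)
  *mkey |= SSL_kGOST;
+ }
 
 #ifdef SSL_FORBID_ENULL
  *enc |= SSL_eNULL;
@@ -1589,9 +1583,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
  case SSL_aECDSA:
  au = "ECDSA";
  break;
- case SSL_aGOST94:
- au = "GOST94";
- break;
  case SSL_aGOST01:
  au = "GOST01";
  break;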
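--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.91 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2051,11 +2051,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  mask_k |= SSL_kGOST;
  mask_a |= SSL_aGOST01;
  }
- cpk = &(c->pkeys[SSL_PKEY_GOST94]);
- if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
- mask_k |= SSL_kGOST;
- mask_a |= SSL_aGOST94;
- }
 
  if (rsa_enc)
  mask_k|=SSL_kRSA;
@@ -2211,8 +2206,6 @@ ssl_get_server_send_pkey(const SSL *s)
  i = SSL_PKEY_RSA_SIGN;
  else
  i = SSL_PKEY_RSA_ENC;
- } else if (alg_a & SSL_aGOST94) {
- i = SSL_PKEY_GOST94;
  } else if (alg_a & SSL_aGOST01) {
  i = SSL_PKEY_GOST01;
  } else { /* if (alg_a & SSL_aNULL) */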
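--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.79 2014/12/06 14:24:26 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.80 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -266,7 +266,6 @@
 #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
 #define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
 #define SSL_aECDSA 0x00000040L /* ECDSA auth*/
-#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
 #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
 
 
@@ -398,9 +397,8 @@
 #define SSL_PKEY_DH_RSA 3
 #define SSL_PKEY_DH_DSA 4
 #define SSL_PKEY_ECC 5
-#define SSL_PKEY_GOST94 6
-#define SSL_PKEY_GOST01 7
-#define SSL_PKEY_NUM 8
+#define SSL_PKEY_GOST01 6
+#define SSL_PKEY_NUM 7
 
 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)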
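--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.72 2014/12/10 14:58:56 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.73 2014/12/10 15:36:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2448,7 +2448,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
  c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
  c->pkeys[SSL_PKEY_ECC].digest = NULL;
- c->pkeys[SSL_PKEY_GOST94].digest = NULL;
  c->pkeys[SSL_PKEY_GOST01].digest = NULL;
 
  for (i = 0; i < dsize; i += 2) {
@@ -2496,8 +2495,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  if (!c->pkeys[SSL_PKEY_ECC].digest)
  c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #ifndef OPENSSL_NO_GOST
- if (!c->pkeys[SSL_PKEY_GOST94].digest)
- c->pkeys[SSL_PKEY_GOST94].digest = EVP_gostr341194();
  if (!c->pkeys[SSL_PKEY_GOST01].digest)
  c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
 #endif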