Clean up the cipher/digest table mess.

The original implementation allows for libcrypto to be compiled without a given algorithm and libssl then detects that ciphers or digests are unavailable so that it can disable the associated cipher suites. This is unnecessary since we do not compile out algorithms. ok beck@, tb@ (a while back)
author: jsing <> 2019-04-04 16:44:24 +0000
committer: jsing <> 2019-04-04 16:44:24 +0000
commit: 4ee3e34310a4dd1cee5a12b0e0b222cbea806322 (patch)
tree: 183461b00fc0b82a96b5d144624116543c5cd88a
parent: 71b5f161c982b24df543400bbfc808f5b8c4937b (diff)
download: openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.tar.gz
openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.tar.bz2
openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.zip
3 files changed, 45 insertions, 179 deletions
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index b63f36b3f1..bb736c5de9 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,8 +119,7 @@ SSL_library_init(void)
        EVP_add_digest(EVP_streebog256());
        EVP_add_digest(EVP_streebog512());
 #endif
-        /* initialize cipher/digest methods table */
-        ssl_load_ciphers();
        return (1);
 }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 3cbf368ad3..ed167efffd 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.108 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -150,41 +150,6 @@
 #include "ssl_locl.h"
-#define SSL_ENC_3DES_IDX        0
-#define SSL_ENC_RC4_IDX         1
-#define SSL_ENC_NULL_IDX        2
-#define SSL_ENC_AES128_IDX      3
-#define SSL_ENC_AES256_IDX      4
-#define SSL_ENC_CAMELLIA128_IDX 5
-#define SSL_ENC_CAMELLIA256_IDX 6
-#define SSL_ENC_GOST89_IDX      7
-#define SSL_ENC_NUM_IDX         8
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-};
-#define SSL_MD_MD5_IDX          0
-#define SSL_MD_SHA1_IDX         1
-#define SSL_MD_GOST94_IDX       2
-#define SSL_MD_GOST89MAC_IDX    3
-#define SSL_MD_SHA256_IDX       4
-#define SSL_MD_SHA384_IDX       5
-#define SSL_MD_STREEBOG256_IDX  6
-#define SSL_MD_NUM_IDX          7
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-};
-static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
-};
-static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
-        0, 0, 0, 0, 0, 0, 0,
-};
 #define CIPHER_ADD      1
 #define CIPHER_KILL     2
 #define CIPHER_DEL      3
@@ -446,164 +411,77 @@ static const SSL_CIPHER cipher_aliases[] = {
        },
 };
-void
-ssl_load_ciphers(void)
-{
-        ssl_cipher_methods[SSL_ENC_3DES_IDX] =
-            EVP_get_cipherbyname(SN_des_ede3_cbc);
-        ssl_cipher_methods[SSL_ENC_RC4_IDX] =
-            EVP_get_cipherbyname(SN_rc4);
-        ssl_cipher_methods[SSL_ENC_AES128_IDX] =
-            EVP_get_cipherbyname(SN_aes_128_cbc);
-        ssl_cipher_methods[SSL_ENC_AES256_IDX] =
-            EVP_get_cipherbyname(SN_aes_256_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
-            EVP_get_cipherbyname(SN_camellia_128_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
-            EVP_get_cipherbyname(SN_camellia_256_cbc);
-        ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
-            EVP_get_cipherbyname(SN_gost89_cnt);
-        ssl_digest_methods[SSL_MD_MD5_IDX] =
-            EVP_get_digestbyname(SN_md5);
-        ssl_mac_secret_size[SSL_MD_MD5_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_SHA1_IDX] =
-            EVP_get_digestbyname(SN_sha1);
-        ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_GOST94_IDX] =
-            EVP_get_digestbyname(SN_id_GostR3411_94);
-        if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
-                    EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
-                OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
-        }
-        ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
-            EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
-        if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
-        }
-        ssl_digest_methods[SSL_MD_SHA256_IDX] =
-            EVP_get_digestbyname(SN_sha256);
-        ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
-        ssl_digest_methods[SSL_MD_SHA384_IDX] =
-            EVP_get_digestbyname(SN_sha384);
-        ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
-        ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
-            EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
-        ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
-}
 int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
 {
-        const SSL_CIPHER *c;
+        *enc = NULL;
-        int i;
+        *md = NULL;
+        *mac_pkey_type = NID_undef;
+        *mac_secret_size = 0;
-        c = s->cipher;
+        if (ss->cipher == NULL)
-        if (c == NULL)
+                return 0;
-                return (0);
        /*
         * This function does not handle EVP_AEAD.
         * See ssl_cipher_get_aead_evp instead.
         */
-        if (c->algorithm_mac & SSL_AEAD)
+        if (ss->cipher->algorithm_mac & SSL_AEAD)
-                return(0);
+                return 0;
-        if ((enc == NULL) || (md == NULL))
-                return (0);
-        switch (c->algorithm_enc) {
+        switch (ss->cipher->algorithm_enc) {
        case SSL_3DES:
-                i = SSL_ENC_3DES_IDX;
+                *enc = EVP_des_ede3_cbc();
                break;
        case SSL_RC4:
-                i = SSL_ENC_RC4_IDX;
+                *enc = EVP_rc4();
                break;
        case SSL_eNULL:
-                i = SSL_ENC_NULL_IDX;
+                *enc = EVP_enc_null();
                break;
        case SSL_AES128:
-                i = SSL_ENC_AES128_IDX;
+                *enc = EVP_aes_128_cbc();
                break;
        case SSL_AES256:
-                i = SSL_ENC_AES256_IDX;
+                *enc = EVP_aes_256_cbc();
                break;
        case SSL_CAMELLIA128:
-                i = SSL_ENC_CAMELLIA128_IDX;
+                *enc = EVP_camellia_128_cbc();
                break;
        case SSL_CAMELLIA256:
-                i = SSL_ENC_CAMELLIA256_IDX;
+                *enc = EVP_camellia_256_cbc();
                break;
        case SSL_eGOST2814789CNT:
-                i = SSL_ENC_GOST89_IDX;
+                *enc = EVP_gost2814789_cnt();
                break;
-        default:
-                i = -1;
-                break;
-        }
-        if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
-                *enc = NULL;
-        else {
-                if (i == SSL_ENC_NULL_IDX)
-                        *enc = EVP_enc_null();
-                else
-                        *enc = ssl_cipher_methods[i];
        }
-        switch (c->algorithm_mac) {
+        switch (ss->cipher->algorithm_mac) {
        case SSL_MD5:
-                i = SSL_MD_MD5_IDX;
+                *md = EVP_md5();
                break;
        case SSL_SHA1:
-                i = SSL_MD_SHA1_IDX;
+                *md = EVP_sha1();
                break;
        case SSL_SHA256:
-                i = SSL_MD_SHA256_IDX;
+                *md = EVP_sha256();
                break;
        case SSL_SHA384:
-                i = SSL_MD_SHA384_IDX;
+                *md = EVP_sha384();
-                break;
-        case SSL_GOST94:
-                i = SSL_MD_GOST94_IDX;
                break;
        case SSL_GOST89MAC:
-                i = SSL_MD_GOST89MAC_IDX;
+                *md = EVP_gost2814789imit();
                break;
-        case SSL_STREEBOG256:
+        case SSL_GOST94:
-                i = SSL_MD_STREEBOG256_IDX;
+                *md = EVP_gostr341194();
                break;
-        default:
+        case SSL_STREEBOG256:
-                i = -1;
+                *md = EVP_streebog256();
                break;
        }
-        if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
-                *md = NULL;
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = NID_undef;
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = 0;
-        } else {
-                *md = ssl_digest_methods[i];
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = ssl_mac_pkey_id[i];
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = ssl_mac_secret_size[i];
-        }
-        if (*enc == NULL || *md == NULL ||
+        if (*enc == NULL || *md == NULL)
-            (mac_pkey_type != NULL && *mac_pkey_type == NID_undef))
                return 0;
        /*
@@ -615,6 +493,14 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
                return 0;
+        if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
+                *mac_pkey_type = EVP_PKEY_GOSTIMIT;
+                *mac_secret_size = 32; /* XXX */
+        } else {
+                *mac_pkey_type = EVP_PKEY_HMAC;
+                *mac_secret_size = EVP_MD_size(*md);
+        }
        return 1;
 }
@@ -623,18 +509,16 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 * for s->cipher. It returns 1 on success and 0 on error.
 */
 int
-ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
+ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
 {
-        const SSL_CIPHER *c = s->cipher;
        *aead = NULL;
-        if (c == NULL)
+        if (ss->cipher == NULL)
                return 0;
-        if ((c->algorithm_mac & SSL_AEAD) == 0)
+        if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
                return 0;
-        switch (c->algorithm_enc) {
+        switch (ss->cipher->algorithm_enc) {
        case SSL_AES128GCM:
                *aead = EVP_aead_aes_128_gcm();
                return 1;
@@ -740,22 +624,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
 #ifdef SSL_FORBID_ENULL
        *enc |= SSL_eNULL;
 #endif
-        *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
 }
 static void
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2dae72309c..31f3e60893 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.244 2019/03/25 17:33:26 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.245 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1127,7 +1127,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_has_ecc_ciphers(SSL *s);
 int ssl_verify_alarm_type(long type);
-void ssl_load_ciphers(void);
 int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len);
author	jsing <>	2019-04-04 16:44:24 +0000
committer	jsing <>	2019-04-04 16:44:24 +0000
commit	4ee3e34310a4dd1cee5a12b0e0b222cbea806322 (patch)
tree	183461b00fc0b82a96b5d144624116543c5cd88a
parent	71b5f161c982b24df543400bbfc808f5b8c4937b (diff)
download	openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.tar.gz openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.tar.bz2 openbsd-4ee3e34310a4dd1cee5a12b0e0b222cbea806322.zip

diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c index b63f36b3f1..bb736c5de9 100644 --- a/src/lib/libssl/ssl_algs.c +++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */	1	/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -119,8 +119,7 @@ SSL_library_init(void)
119	EVP_add_digest(EVP_streebog256());	119	EVP_add_digest(EVP_streebog256());
120	EVP_add_digest(EVP_streebog512());	120	EVP_add_digest(EVP_streebog512());
121	#endif	121	#endif
122	/* initialize cipher/digest methods table */	122
123	ssl_load_ciphers();
124	return (1);	123	return (1);
125	}	124	}
126		125


diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 3cbf368ad3..ed167efffd 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.108 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -150,41 +150,6 @@
150		150
151	#include "ssl_locl.h"	151	#include "ssl_locl.h"
152		152
153	#define SSL_ENC_3DES_IDX 0
154	#define SSL_ENC_RC4_IDX 1
155	#define SSL_ENC_NULL_IDX 2
156	#define SSL_ENC_AES128_IDX 3
157	#define SSL_ENC_AES256_IDX 4
158	#define SSL_ENC_CAMELLIA128_IDX 5
159	#define SSL_ENC_CAMELLIA256_IDX 6
160	#define SSL_ENC_GOST89_IDX 7
161	#define SSL_ENC_NUM_IDX 8
162
163	static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
164	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
165	};
166
167	#define SSL_MD_MD5_IDX 0
168	#define SSL_MD_SHA1_IDX 1
169	#define SSL_MD_GOST94_IDX 2
170	#define SSL_MD_GOST89MAC_IDX 3
171	#define SSL_MD_SHA256_IDX 4
172	#define SSL_MD_SHA384_IDX 5
173	#define SSL_MD_STREEBOG256_IDX 6
174	#define SSL_MD_NUM_IDX 7
175	static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
176	NULL, NULL, NULL, NULL, NULL, NULL, NULL,
177	};
178
179	static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
180	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
181	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
182	};
183
184	static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
185	0, 0, 0, 0, 0, 0, 0,
186	};
187
188	#define CIPHER_ADD 1	153	#define CIPHER_ADD 1
189	#define CIPHER_KILL 2	154	#define CIPHER_KILL 2
190	#define CIPHER_DEL 3	155	#define CIPHER_DEL 3
@@ -446,164 +411,77 @@ static const SSL_CIPHER cipher_aliases[] = {
446	},	411	},
447	};	412	};
448		413
449	void
450	ssl_load_ciphers(void)
451	{
452	ssl_cipher_methods[SSL_ENC_3DES_IDX] =
453	EVP_get_cipherbyname(SN_des_ede3_cbc);
454	ssl_cipher_methods[SSL_ENC_RC4_IDX] =
455	EVP_get_cipherbyname(SN_rc4);
456	ssl_cipher_methods[SSL_ENC_AES128_IDX] =
457	EVP_get_cipherbyname(SN_aes_128_cbc);
458	ssl_cipher_methods[SSL_ENC_AES256_IDX] =
459	EVP_get_cipherbyname(SN_aes_256_cbc);
460	ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
461	EVP_get_cipherbyname(SN_camellia_128_cbc);
462	ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
463	EVP_get_cipherbyname(SN_camellia_256_cbc);
464	ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
465	EVP_get_cipherbyname(SN_gost89_cnt);
466
467	ssl_digest_methods[SSL_MD_MD5_IDX] =
468	EVP_get_digestbyname(SN_md5);
469	ssl_mac_secret_size[SSL_MD_MD5_IDX] =
470	EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
471	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
472	ssl_digest_methods[SSL_MD_SHA1_IDX] =
473	EVP_get_digestbyname(SN_sha1);
474	ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
475	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
476	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
477	ssl_digest_methods[SSL_MD_GOST94_IDX] =
478	EVP_get_digestbyname(SN_id_GostR3411_94);
479	if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
480	ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
481	EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
482	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
483	}
484	ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
485	EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
486	if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
487	ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
488	}
489
490	ssl_digest_methods[SSL_MD_SHA256_IDX] =
491	EVP_get_digestbyname(SN_sha256);
492	ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
493	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
494	ssl_digest_methods[SSL_MD_SHA384_IDX] =
495	EVP_get_digestbyname(SN_sha384);
496	ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
497	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
498	ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
499	EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
500	ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
501	EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
502	}
503
504	int	414	int
505	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	415	ssl_cipher_get_evp(const SSL_SESSION ss, const EVP_CIPHER *enc,
506	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)	416	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)
507	{	417	{
508	const SSL_CIPHER *c;	418	*enc = NULL;
509	int i;	419	*md = NULL;
		420	*mac_pkey_type = NID_undef;
		421	*mac_secret_size = 0;
510		422
511	c = s->cipher;	423	if (ss->cipher == NULL)
512	if (c == NULL)	424	return 0;
513	return (0);
514		425
515	/*	426	/*
516	* This function does not handle EVP_AEAD.	427	* This function does not handle EVP_AEAD.
517	* See ssl_cipher_get_aead_evp instead.	428	* See ssl_cipher_get_aead_evp instead.
518	*/	429	*/
519	if (c->algorithm_mac & SSL_AEAD)	430	if (ss->cipher->algorithm_mac & SSL_AEAD)
520	return(0);	431	return 0;
521
522	if ((enc == NULL) \|\| (md == NULL))
523	return (0);
524		432
525	switch (c->algorithm_enc) {	433	switch (ss->cipher->algorithm_enc) {
526	case SSL_3DES:	434	case SSL_3DES:
527	i = SSL_ENC_3DES_IDX;	435	*enc = EVP_des_ede3_cbc();
528	break;	436	break;
529	case SSL_RC4:	437	case SSL_RC4:
530	i = SSL_ENC_RC4_IDX;	438	*enc = EVP_rc4();
531	break;	439	break;
532	case SSL_eNULL:	440	case SSL_eNULL:
533	i = SSL_ENC_NULL_IDX;	441	*enc = EVP_enc_null();
534	break;	442	break;
535	case SSL_AES128:	443	case SSL_AES128:
536	i = SSL_ENC_AES128_IDX;	444	*enc = EVP_aes_128_cbc();
537	break;	445	break;
538	case SSL_AES256:	446	case SSL_AES256:
539	i = SSL_ENC_AES256_IDX;	447	*enc = EVP_aes_256_cbc();
540	break;	448	break;
541	case SSL_CAMELLIA128:	449	case SSL_CAMELLIA128:
542	i = SSL_ENC_CAMELLIA128_IDX;	450	*enc = EVP_camellia_128_cbc();
543	break;	451	break;
544	case SSL_CAMELLIA256:	452	case SSL_CAMELLIA256:
545	i = SSL_ENC_CAMELLIA256_IDX;	453	*enc = EVP_camellia_256_cbc();
546	break;	454	break;
547	case SSL_eGOST2814789CNT:	455	case SSL_eGOST2814789CNT:
548	i = SSL_ENC_GOST89_IDX;	456	*enc = EVP_gost2814789_cnt();
549	break;	457	break;
550	default:
551	i = -1;
552	break;
553	}
554
555	if ((i < 0) \|\| (i >= SSL_ENC_NUM_IDX))
556	*enc = NULL;
557	else {
558	if (i == SSL_ENC_NULL_IDX)
559	*enc = EVP_enc_null();
560	else
561	*enc = ssl_cipher_methods[i];
562	}	458	}
563		459
564	switch (c->algorithm_mac) {	460	switch (ss->cipher->algorithm_mac) {
565	case SSL_MD5:	461	case SSL_MD5:
566	i = SSL_MD_MD5_IDX;	462	*md = EVP_md5();
567	break;	463	break;
568	case SSL_SHA1:	464	case SSL_SHA1:
569	i = SSL_MD_SHA1_IDX;	465	*md = EVP_sha1();
570	break;	466	break;
571	case SSL_SHA256:	467	case SSL_SHA256:
572	i = SSL_MD_SHA256_IDX;	468	*md = EVP_sha256();
573	break;	469	break;
574	case SSL_SHA384:	470	case SSL_SHA384:
575	i = SSL_MD_SHA384_IDX;	471	*md = EVP_sha384();
576	break;
577	case SSL_GOST94:
578	i = SSL_MD_GOST94_IDX;
579	break;	472	break;
580	case SSL_GOST89MAC:	473	case SSL_GOST89MAC:
581	i = SSL_MD_GOST89MAC_IDX;	474	*md = EVP_gost2814789imit();
582	break;	475	break;
583	case SSL_STREEBOG256:	476	case SSL_GOST94:
584	i = SSL_MD_STREEBOG256_IDX;	477	*md = EVP_gostr341194();
585	break;	478	break;
586	default:	479	case SSL_STREEBOG256:
587	i = -1;	480	*md = EVP_streebog256();
588	break;	481	break;
589	}	482	}
590	if ((i < 0) \|\| (i >= SSL_MD_NUM_IDX)) {
591	*md = NULL;
592
593	if (mac_pkey_type != NULL)
594	*mac_pkey_type = NID_undef;
595	if (mac_secret_size != NULL)
596	*mac_secret_size = 0;
597	} else {
598	*md = ssl_digest_methods[i];
599	if (mac_pkey_type != NULL)
600	*mac_pkey_type = ssl_mac_pkey_id[i];
601	if (mac_secret_size != NULL)
602	*mac_secret_size = ssl_mac_secret_size[i];
603	}
604		483
605	if (enc == NULL \|\| md == NULL \|\|	484	if (enc == NULL \|\| md == NULL)
606	(mac_pkey_type != NULL && *mac_pkey_type == NID_undef))
607	return 0;	485	return 0;
608		486
609	/*	487	/*
@@ -615,6 +493,14 @@ ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
615	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)	493	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
616	return 0;	494	return 0;
617		495
		496	if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
		497	*mac_pkey_type = EVP_PKEY_GOSTIMIT;
		498	mac_secret_size = 32; / XXX */
		499	} else {
		500	*mac_pkey_type = EVP_PKEY_HMAC;
		501	mac_secret_size = EVP_MD_size(md);
		502	}
		503
618	return 1;	504	return 1;
619	}	505	}
620		506
@@ -623,18 +509,16 @@ ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
623	* for s->cipher. It returns 1 on success and 0 on error.	509	* for s->cipher. It returns 1 on success and 0 on error.
624	*/	510	*/
625	int	511	int
626	ssl_cipher_get_evp_aead(const SSL_SESSION s, const EVP_AEAD *aead)	512	ssl_cipher_get_evp_aead(const SSL_SESSION ss, const EVP_AEAD *aead)
627	{	513	{
628	const SSL_CIPHER *c = s->cipher;
629
630	*aead = NULL;	514	*aead = NULL;
631		515
632	if (c == NULL)	516	if (ss->cipher == NULL)
633	return 0;	517	return 0;
634	if ((c->algorithm_mac & SSL_AEAD) == 0)	518	if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
635	return 0;	519	return 0;
636		520
637	switch (c->algorithm_enc) {	521	switch (ss->cipher->algorithm_enc) {
638	case SSL_AES128GCM:	522	case SSL_AES128GCM:
639	*aead = EVP_aead_aes_128_gcm();	523	*aead = EVP_aead_aes_128_gcm();
640	return 1;	524	return 1;
@@ -740,22 +624,6 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
740	#ifdef SSL_FORBID_ENULL	624	#ifdef SSL_FORBID_ENULL
741	*enc \|= SSL_eNULL;	625	*enc \|= SSL_eNULL;
742	#endif	626	#endif
743
744	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
745	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
746	*enc \|= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
747	*enc \|= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
748	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
749	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
750	*enc \|= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
751
752	*mac \|= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
753	*mac \|= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
754	*mac \|= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
755	*mac \|= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
756	*mac \|= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
757	*mac \|= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
758	*mac \|= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
759	}	627	}
760		628
761	static void	629	static void


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 2dae72309c..31f3e60893 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.244 2019/03/25 17:33:26 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.245 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1127,7 +1127,6 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher);
1127	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);	1127	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
1128	int ssl_has_ecc_ciphers(SSL *s);	1128	int ssl_has_ecc_ciphers(SSL *s);
1129	int ssl_verify_alarm_type(long type);	1129	int ssl_verify_alarm_type(long type);
1130	void ssl_load_ciphers(void);
1131		1130
1132	int SSL_SESSION_ticket(SSL_SESSION ss, unsigned char out, size_t out_len);	1131	int SSL_SESSION_ticket(SSL_SESSION ss, unsigned char out, size_t out_len);
1133		1132