Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,

nor do we plan on supporting them. ok guenther@
author: jsing <> 2014-09-07 12:16:23 +0000
committer: jsing <> 2014-09-07 12:16:23 +0000
commit: 0fed0b531b893a421795b86e91da5c89afa84e40 (patch)
tree: 05653f416e3e348af48f738c0cc7f45d8437ec05 /src/lib/libssl/ssl_ciph.c
parent: 620b0c428295995017c04f2dfbb4d70cb01a3701 (diff)
download: openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.tar.gz
openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.tar.bz2
openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.zip
1 files changed, 9 insertions, 39 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 70c91bf600..701d0f2277 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kRSA,
        },
        {
-                /* no such ciphersuites supported! */
-                .name = SSL_TXT_kDHr,
-                .algorithm_mkey = SSL_kDHr,
-        },
-        {
-                /* no such ciphersuites supported! */
-                .name = SSL_TXT_kDHd,
-                .algorithm_mkey = SSL_kDHd,
-        },
-        {
-                /* no such ciphersuites supported! */
-                .name = SSL_TXT_kDH,
-                .algorithm_mkey = SSL_kDHr|SSL_kDHd,
-        },
-        {
                .name = SSL_TXT_kEDH,
                .algorithm_mkey = SSL_kDHE,
        },
        {
                .name = SSL_TXT_DH,
-                .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE,
+                .algorithm_mkey = SSL_kDHE,
        },
        
        {
@@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_auth = SSL_aNULL,
        },
        {
-                /* no such ciphersuites supported! */
-                .name = SSL_TXT_aDH,
-                .algorithm_auth = SSL_aDH,
-        },
-        {
                .name = SSL_TXT_aECDH,
                .algorithm_auth = SSL_aECDH,
        },
@@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
 }
 static void
-ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
+ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
+    unsigned long *enc, unsigned long *mac, unsigned long *ssl)
 {
        *mkey = 0;
        *auth = 0;
@@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *mac = 0;
        *ssl = 0;
-        *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
+        /*
-        *auth |= SSL_aDH;
+         * Check for presence of GOST 34.10 algorithms, and if they
+         * do not present, disable  appropriate auth and key exchange.
-        /* Check for presence of GOST 34.10 algorithms, and if they
+         */
-         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
                *auth |= SSL_aGOST94;
        }
        if (!get_optional_pkey_id("gost2001")) {
                *auth |= SSL_aGOST01;
        }
-        /* Disable GOST key exchange if no GOST signature algs are available * */
+        /* Disable GOST key exchange if no GOST signature algs are available. */
        if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
                *mkey |= SSL_kGOST;
        }
@@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        /* Move ciphers without forward secrecy to the end */
        ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
        ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        /* RC4 is sort-of broken -- move the the end */
@@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kRSA:
                kx = "RSA";
                break;
-        case SSL_kDHr:
-                kx = "DH/RSA";
-                break;
-        case SSL_kDHd:
-                kx = "DH/DSS";
-                break;
        case SSL_kDHE:
                kx = "DH";
                break;
@@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aDSS:
                au = "DSS";
                break;
-        case SSL_aDH:
-                au = "DH";
-                break;
        case SSL_aECDH:
                au = "ECDH";
                break;
author	jsing <>	2014-09-07 12:16:23 +0000
committer	jsing <>	2014-09-07 12:16:23 +0000
commit	0fed0b531b893a421795b86e91da5c89afa84e40 (patch)
tree	05653f416e3e348af48f738c0cc7f45d8437ec05 /src/lib/libssl/ssl_ciph.c
parent	620b0c428295995017c04f2dfbb4d70cb01a3701 (diff)
download	openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.tar.gz openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.tar.bz2 openbsd-0fed0b531b893a421795b86e91da5c89afa84e40.zip

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 70c91bf600..701d0f2277 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = {
249	.algorithm_mkey = SSL_kRSA,	249	.algorithm_mkey = SSL_kRSA,
250	},	250	},
251	{	251	{
252	/* no such ciphersuites supported! */
253	.name = SSL_TXT_kDHr,
254	.algorithm_mkey = SSL_kDHr,
255	},
256	{
257	/* no such ciphersuites supported! */
258	.name = SSL_TXT_kDHd,
259	.algorithm_mkey = SSL_kDHd,
260	},
261	{
262	/* no such ciphersuites supported! */
263	.name = SSL_TXT_kDH,
264	.algorithm_mkey = SSL_kDHr\|SSL_kDHd,
265	},
266	{
267	.name = SSL_TXT_kEDH,	252	.name = SSL_TXT_kEDH,
268	.algorithm_mkey = SSL_kDHE,	253	.algorithm_mkey = SSL_kDHE,
269	},	254	},
270	{	255	{
271	.name = SSL_TXT_DH,	256	.name = SSL_TXT_DH,
272	.algorithm_mkey = SSL_kDHr\|SSL_kDHd\|SSL_kDHE,	257	.algorithm_mkey = SSL_kDHE,
273	},	258	},
274		259
275	{	260	{
@@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = {
316	.algorithm_auth = SSL_aNULL,	301	.algorithm_auth = SSL_aNULL,
317	},	302	},
318	{	303	{
319	/* no such ciphersuites supported! */
320	.name = SSL_TXT_aDH,
321	.algorithm_auth = SSL_aDH,
322	},
323	{
324	.name = SSL_TXT_aECDH,	304	.name = SSL_TXT_aECDH,
325	.algorithm_auth = SSL_aECDH,	305	.algorithm_auth = SSL_aECDH,
326	},	306	},
@@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER *head, CIPHER_ORDER curr,
836	}	816	}
837		817
838	static void	818	static void
839	ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, unsigned long enc, unsigned long mac, unsigned long *ssl)	819	ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
		820	unsigned long enc, unsigned long mac, unsigned long *ssl)
840	{	821	{
841	*mkey = 0;	822	*mkey = 0;
842	*auth = 0;	823	*auth = 0;
@@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, unsigned long
844	*mac = 0;	825	*mac = 0;
845	*ssl = 0;	826	*ssl = 0;
846		827
847	mkey \|= SSL_kDHr\|SSL_kDHd; / no such ciphersuites supported! */	828	/*
848	*auth \|= SSL_aDH;	829	* Check for presence of GOST 34.10 algorithms, and if they
849		830	* do not present, disable appropriate auth and key exchange.
850	/* Check for presence of GOST 34.10 algorithms, and if they	831	*/
851	* do not present, disable appropriate auth and key exchange */
852	if (!get_optional_pkey_id("gost94")) {	832	if (!get_optional_pkey_id("gost94")) {
853	*auth \|= SSL_aGOST94;	833	*auth \|= SSL_aGOST94;
854	}	834	}
855	if (!get_optional_pkey_id("gost2001")) {	835	if (!get_optional_pkey_id("gost2001")) {
856	*auth \|= SSL_aGOST01;	836	*auth \|= SSL_aGOST01;
857	}	837	}
858	/* Disable GOST key exchange if no GOST signature algs are available * */	838	/* Disable GOST key exchange if no GOST signature algs are available. */
859	if ((*auth & (SSL_aGOST94\|SSL_aGOST01)) == (SSL_aGOST94\|SSL_aGOST01)) {	839	if ((*auth & (SSL_aGOST94\|SSL_aGOST01)) == (SSL_aGOST94\|SSL_aGOST01)) {
860	*mkey \|= SSL_kGOST;	840	*mkey \|= SSL_kGOST;
861	}	841	}
@@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1474		1454
1475	/* Move ciphers without forward secrecy to the end */	1455	/* Move ciphers without forward secrecy to the end */
1476	ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);	1456	ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1477	/* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1478	ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);	1457	ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1479		1458
1480	/* RC4 is sort-of broken -- move the the end */	1459	/* RC4 is sort-of broken -- move the the end */
@@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1603	case SSL_kRSA:	1582	case SSL_kRSA:
1604	kx = "RSA";	1583	kx = "RSA";
1605	break;	1584	break;
1606	case SSL_kDHr:
1607	kx = "DH/RSA";
1608	break;
1609	case SSL_kDHd:
1610	kx = "DH/DSS";
1611	break;
1612	case SSL_kDHE:	1585	case SSL_kDHE:
1613	kx = "DH";	1586	kx = "DH";
1614	break;	1587	break;
@@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1632	case SSL_aDSS:	1605	case SSL_aDSS:
1633	au = "DSS";	1606	au = "DSS";
1634	break;	1607	break;
1635	case SSL_aDH:
1636	au = "DH";
1637	break;
1638	case SSL_aECDH:	1608	case SSL_aECDH:
1639	au = "ECDH";	1609	au = "ECDH";
1640	break;	1610	break;