diff options
| author | jsing <> | 2024-07-16 14:38:04 +0000 |
|---|---|---|
| committer | jsing <> | 2024-07-16 14:38:04 +0000 |
| commit | 772f611f8f8ff3800ee3fe27142570622d06cc38 (patch) | |
| tree | 2b4abb3d0d8f9b72dd3be8ba85d91d7d35b07f3d /src/lib/libssl/ssl_ciph.c | |
| parent | b9ac2dff20ea5834ad8b30951507caf01cb04463 (diff) | |
| download | openbsd-772f611f8f8ff3800ee3fe27142570622d06cc38.tar.gz openbsd-772f611f8f8ff3800ee3fe27142570622d06cc38.tar.bz2 openbsd-772f611f8f8ff3800ee3fe27142570622d06cc38.zip | |
Clean up SSL_HANDSHAKE_MAC_DEFAULT.
The handshake MAC needs to be upgraded when TLSv1.0 and TLSv1.1
ciphersuites are used with TLSv1.2. Since we no longer support TLSv1.0
and TLSv1.1, we can simply upgrade the handshake MAC in the ciphersuite
table and remove the various defines/macros/code that existed to handle
the upgrade.
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 17 |
1 files changed, 2 insertions, 15 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 13790c56be..246d64e7d5 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -515,24 +515,12 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead) | |||
| 515 | int | 515 | int |
| 516 | ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) | 516 | ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) |
| 517 | { | 517 | { |
| 518 | unsigned long handshake_mac; | ||
| 519 | |||
| 520 | *md = NULL; | 518 | *md = NULL; |
| 521 | 519 | ||
| 522 | if (s->s3->hs.cipher == NULL) | 520 | if (s->s3->hs.cipher == NULL) |
| 523 | return 0; | 521 | return 0; |
| 524 | 522 | ||
| 525 | handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK; | 523 | switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { |
| 526 | |||
| 527 | /* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */ | ||
| 528 | /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ | ||
| 529 | if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT) | ||
| 530 | handshake_mac = SSL_HANDSHAKE_MAC_SHA256; | ||
| 531 | |||
| 532 | switch (handshake_mac) { | ||
| 533 | case SSL_HANDSHAKE_MAC_DEFAULT: | ||
| 534 | *md = EVP_md5_sha1(); | ||
| 535 | return 1; | ||
| 536 | case SSL_HANDSHAKE_MAC_SHA256: | 524 | case SSL_HANDSHAKE_MAC_SHA256: |
| 537 | *md = EVP_sha256(); | 525 | *md = EVP_sha256(); |
| 538 | return 1; | 526 | return 1; |
| @@ -1629,7 +1617,6 @@ const EVP_MD * | |||
| 1629 | SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) | 1617 | SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) |
| 1630 | { | 1618 | { |
| 1631 | switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { | 1619 | switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { |
| 1632 | case SSL_HANDSHAKE_MAC_DEFAULT: | ||
| 1633 | case SSL_HANDSHAKE_MAC_SHA256: | 1620 | case SSL_HANDSHAKE_MAC_SHA256: |
| 1634 | return EVP_sha256(); | 1621 | return EVP_sha256(); |
| 1635 | case SSL_HANDSHAKE_MAC_SHA384: | 1622 | case SSL_HANDSHAKE_MAC_SHA384: |