summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2017-02-21 15:28:27 +0000
committerjsing <>2017-02-21 15:28:27 +0000
commit1e186842df883d79e6659f67be239947d6712a5d (patch)
tree6cf136c9fd33f9f817232c034769b204fea65a9d /src
parent02ca28ec0eaa561d8ef6d5b474567ba08a6ee767 (diff)
downloadopenbsd-1e186842df883d79e6659f67be239947d6712a5d.tar.gz
openbsd-1e186842df883d79e6659f67be239947d6712a5d.tar.bz2
openbsd-1e186842df883d79e6659f67be239947d6712a5d.zip
Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suites
that make use of it. ok bcook@ inoguchi@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_ciph.c26
-rw-r--r--src/lib/libssl/ssl_locl.h6
2 files changed, 6 insertions, 26 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 9808c7c37f..3e991fa577 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.93 2017/02/07 02:08:38 beck Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.94 2017/02/21 15:28:27 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -176,29 +176,27 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
176#define SSL_MD_SHA256_IDX 4 176#define SSL_MD_SHA256_IDX 4
177#define SSL_MD_SHA384_IDX 5 177#define SSL_MD_SHA384_IDX 5
178#define SSL_MD_STREEBOG256_IDX 6 178#define SSL_MD_STREEBOG256_IDX 6
179#define SSL_MD_STREEBOG512_IDX 7
180/*Constant SSL_MAX_DIGEST equal to size of digests array should be 179/*Constant SSL_MAX_DIGEST equal to size of digests array should be
181 * defined in the 180 * defined in the
182 * ssl_locl.h */ 181 * ssl_locl.h */
183#define SSL_MD_NUM_IDX SSL_MAX_DIGEST 182#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
184static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { 183static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
185 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 184 NULL, NULL, NULL, NULL, NULL, NULL, NULL,
186}; 185};
187 186
188static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { 187static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
189 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT, 188 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
190 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, 189 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
191}; 190};
192 191
193static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { 192static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
194 0, 0, 0, 0, 0, 0, 0, 0 193 0, 0, 0, 0, 0, 0, 0,
195}; 194};
196 195
197static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = { 196static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
198 SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA, 197 SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
199 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, 198 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
200 SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256, 199 SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256,
201 SSL_HANDSHAKE_MAC_STREEBOG512
202}; 200};
203 201
204#define CIPHER_ADD 1 202#define CIPHER_ADD 1
@@ -436,10 +434,6 @@ static const SSL_CIPHER cipher_aliases[] = {
436 .name = SSL_TXT_STREEBOG256, 434 .name = SSL_TXT_STREEBOG256,
437 .algorithm_mac = SSL_STREEBOG256, 435 .algorithm_mac = SSL_STREEBOG256,
438 }, 436 },
439 {
440 .name = SSL_TXT_STREEBOG512,
441 .algorithm_mac = SSL_STREEBOG512,
442 },
443 437
444 /* protocol version aliases */ 438 /* protocol version aliases */
445 { 439 {
@@ -531,10 +525,6 @@ ssl_load_ciphers(void)
531 EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256); 525 EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
532 ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] = 526 ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
533 EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]); 527 EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
534 ssl_digest_methods[SSL_MD_STREEBOG512_IDX] =
535 EVP_get_digestbyname(SN_id_tc26_gost3411_2012_512);
536 ssl_mac_secret_size[SSL_MD_STREEBOG512_IDX] =
537 EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG512_IDX]);
538} 528}
539 529
540int 530int
@@ -631,9 +621,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
631 case SSL_STREEBOG256: 621 case SSL_STREEBOG256:
632 i = SSL_MD_STREEBOG256_IDX; 622 i = SSL_MD_STREEBOG256_IDX;
633 break; 623 break;
634 case SSL_STREEBOG512:
635 i = SSL_MD_STREEBOG512_IDX;
636 break;
637 default: 624 default:
638 i = -1; 625 i = -1;
639 break; 626 break;
@@ -814,8 +801,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
814 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0; 801 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
815 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0; 802 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
816 *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0; 803 *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
817 *mac |= (ssl_digest_methods[SSL_MD_STREEBOG512_IDX] == NULL) ? SSL_STREEBOG512 : 0;
818
819} 804}
820 805
821static void 806static void
@@ -1671,9 +1656,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1671 case SSL_STREEBOG256: 1656 case SSL_STREEBOG256:
1672 mac = "STREEBOG256"; 1657 mac = "STREEBOG256";
1673 break; 1658 break;
1674 case SSL_STREEBOG512:
1675 mac = "STREEBOG512";
1676 break;
1677 default: 1659 default:
1678 mac = "unknown"; 1660 mac = "unknown";
1679 break; 1661 break;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index a64edd2c18..62d9d0314e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.173 2017/02/07 02:08:38 beck Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.174 2017/02/21 15:28:27 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -250,7 +250,6 @@ __BEGIN_HIDDEN_DECLS
250/* Not a real MAC, just an indication it is part of cipher */ 250/* Not a real MAC, just an indication it is part of cipher */
251#define SSL_AEAD 0x00000040L 251#define SSL_AEAD 0x00000040L
252#define SSL_STREEBOG256 0x00000080L 252#define SSL_STREEBOG256 0x00000080L
253#define SSL_STREEBOG512 0x00000100L
254 253
255/* Bits for algorithm_ssl (protocol version) */ 254/* Bits for algorithm_ssl (protocol version) */
256#define SSL_SSLV3 0x00000002L 255#define SSL_SSLV3 0x00000002L
@@ -266,12 +265,11 @@ __BEGIN_HIDDEN_DECLS
266#define SSL_HANDSHAKE_MAC_SHA256 0x80 265#define SSL_HANDSHAKE_MAC_SHA256 0x80
267#define SSL_HANDSHAKE_MAC_SHA384 0x100 266#define SSL_HANDSHAKE_MAC_SHA384 0x100
268#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200 267#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
269#define SSL_HANDSHAKE_MAC_STREEBOG512 0x400
270#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) 268#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
271 269
272/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX 270/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
273 * make sure to update this constant too */ 271 * make sure to update this constant too */
274#define SSL_MAX_DIGEST 8 272#define SSL_MAX_DIGEST 7
275 273
276#define SSL3_CK_ID 0x03000000 274#define SSL3_CK_ID 0x03000000
277#define SSL3_CK_VALUE_MASK 0x0000ffff 275#define SSL3_CK_VALUE_MASK 0x0000ffff
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 19:11:55 +0000