Rely upon enc_flags rather than the tls version, to upgrade SHA1+MD5 to

SHA256 in ssl_get_algorithm2(). From OpenSSL HEAD; ok jsing@
author: miod <> 2015-02-08 22:06:49 +0000
committer: miod <> 2015-02-08 22:06:49 +0000
commit: 2179ddc2e9ec9e8527a6a060f97ba8d89787f82b (patch)
tree: 13ca6fa43a2bc64d15ad272002438d4c80a91e97 /src
parent: 726b51738f080413928933335c86b6b01cf96864 (diff)
download: openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.tar.gz
openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.tar.bz2
openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.zip
2 files changed, 8 insertions, 8 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index aae497abed..c6062934dc 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.94 2015/02/07 05:46:01 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.95 2015/02/08 22:06:49 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2850,15 +2850,15 @@ ssl3_renegotiate_check(SSL *s)
        return (ret);
 }
 /*
- * If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch
+ * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
- * to new SHA256 PRF and handshake macs
+ * and handshake macs if required.
 */
 long
 ssl_get_algorithm2(SSL *s)
 {
        long    alg2 = s->s3->tmp.new_cipher->algorithm2;
-        if (s->method->version == TLS1_2_VERSION &&
+        if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
            alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
                return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
        return alg2;
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index aae497abed..c6062934dc 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.94 2015/02/07 05:46:01 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.95 2015/02/08 22:06:49 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2850,15 +2850,15 @@ ssl3_renegotiate_check(SSL *s)
        return (ret);
 }
 /*
- * If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch
+ * If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
- * to new SHA256 PRF and handshake macs
+ * and handshake macs if required.
 */
 long
 ssl_get_algorithm2(SSL *s)
 {
        long    alg2 = s->s3->tmp.new_cipher->algorithm2;
-        if (s->method->version == TLS1_2_VERSION &&
+        if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
            alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
                return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
        return alg2;
author	miod <>	2015-02-08 22:06:49 +0000
committer	miod <>	2015-02-08 22:06:49 +0000
commit	2179ddc2e9ec9e8527a6a060f97ba8d89787f82b (patch)
tree	13ca6fa43a2bc64d15ad272002438d4c80a91e97 /src
parent	726b51738f080413928933335c86b6b01cf96864 (diff)
download	openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.tar.gz openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.tar.bz2 openbsd-2179ddc2e9ec9e8527a6a060f97ba8d89787f82b.zip

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index aae497abed..c6062934dc 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.94 2015/02/07 05:46:01 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.95 2015/02/08 22:06:49 miod Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2850,15 +2850,15 @@ ssl3_renegotiate_check(SSL *s)
2850	return (ret);	2850	return (ret);
2851	}	2851	}
2852	/*	2852	/*
2853	* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch	2853	* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2854	* to new SHA256 PRF and handshake macs	2854	* and handshake macs if required.
2855	*/	2855	*/
2856	long	2856	long
2857	ssl_get_algorithm2(SSL *s)	2857	ssl_get_algorithm2(SSL *s)
2858	{	2858	{
2859	long alg2 = s->s3->tmp.new_cipher->algorithm2;	2859	long alg2 = s->s3->tmp.new_cipher->algorithm2;
2860		2860
2861	if (s->method->version == TLS1_2_VERSION &&	2861	if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2862	alg2 == (SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF))	2862	alg2 == (SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF))
2863	return SSL_HANDSHAKE_MAC_SHA256 \| TLS1_PRF_SHA256;	2863	return SSL_HANDSHAKE_MAC_SHA256 \| TLS1_PRF_SHA256;
2864	return alg2;	2864	return alg2;


diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index aae497abed..c6062934dc 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.94 2015/02/07 05:46:01 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.95 2015/02/08 22:06:49 miod Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2850,15 +2850,15 @@ ssl3_renegotiate_check(SSL *s)
2850	return (ret);	2850	return (ret);
2851	}	2851	}
2852	/*	2852	/*
2853	* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch	2853	* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF
2854	* to new SHA256 PRF and handshake macs	2854	* and handshake macs if required.
2855	*/	2855	*/
2856	long	2856	long
2857	ssl_get_algorithm2(SSL *s)	2857	ssl_get_algorithm2(SSL *s)
2858	{	2858	{
2859	long alg2 = s->s3->tmp.new_cipher->algorithm2;	2859	long alg2 = s->s3->tmp.new_cipher->algorithm2;
2860		2860
2861	if (s->method->version == TLS1_2_VERSION &&	2861	if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
2862	alg2 == (SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF))	2862	alg2 == (SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF))
2863	return SSL_HANDSHAKE_MAC_SHA256 \| TLS1_PRF_SHA256;	2863	return SSL_HANDSHAKE_MAC_SHA256 \| TLS1_PRF_SHA256;
2864	return alg2;	2864	return alg2;