summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2018-09-06 16:40:45 +0000
committerjsing <>2018-09-06 16:40:45 +0000
commit72f73019933c7339b36a51b22acc8440b8608f61 (patch)
treee66e90f0f003a49e386ad0667b3e568deec4c31a /src
parenta267c63d946b543a11f0afc79e6a96b027035b7c (diff)
downloadopenbsd-72f73019933c7339b36a51b22acc8440b8608f61.tar.gz
openbsd-72f73019933c7339b36a51b22acc8440b8608f61.tar.bz2
openbsd-72f73019933c7339b36a51b22acc8440b8608f61.zip
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag. ok tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_lib.c28
-rw-r--r--src/lib/libssl/ssl_ciph.c8
-rw-r--r--src/lib/libssl/ssl_locl.h16
-rw-r--r--src/lib/libssl/t1_enc.c4
4 files changed, 25 insertions, 31 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 6e12bf9503..02e6c66a47 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.169 2018/08/27 16:48:12 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.170 2018/09/06 16:40:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -674,7 +674,7 @@ SSL_CIPHER ssl3_ciphers[] = {
674 .algorithm_ssl = SSL_TLSV1_2, 674 .algorithm_ssl = SSL_TLSV1_2,
675 .algo_strength = SSL_HIGH, 675 .algo_strength = SSL_HIGH,
676 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 676 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
677 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 677 FIXED_NONCE_LEN(4)|
678 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 678 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
679 .strength_bits = 128, 679 .strength_bits = 128,
680 .alg_bits = 128, 680 .alg_bits = 128,
@@ -692,7 +692,7 @@ SSL_CIPHER ssl3_ciphers[] = {
692 .algorithm_ssl = SSL_TLSV1_2, 692 .algorithm_ssl = SSL_TLSV1_2,
693 .algo_strength = SSL_HIGH, 693 .algo_strength = SSL_HIGH,
694 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 694 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
695 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 695 FIXED_NONCE_LEN(4)|
696 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 696 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
697 .strength_bits = 256, 697 .strength_bits = 256,
698 .alg_bits = 256, 698 .alg_bits = 256,
@@ -710,7 +710,7 @@ SSL_CIPHER ssl3_ciphers[] = {
710 .algorithm_ssl = SSL_TLSV1_2, 710 .algorithm_ssl = SSL_TLSV1_2,
711 .algo_strength = SSL_HIGH, 711 .algo_strength = SSL_HIGH,
712 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 712 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
713 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 713 FIXED_NONCE_LEN(4)|
714 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 714 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
715 .strength_bits = 128, 715 .strength_bits = 128,
716 .alg_bits = 128, 716 .alg_bits = 128,
@@ -728,7 +728,7 @@ SSL_CIPHER ssl3_ciphers[] = {
728 .algorithm_ssl = SSL_TLSV1_2, 728 .algorithm_ssl = SSL_TLSV1_2,
729 .algo_strength = SSL_HIGH, 729 .algo_strength = SSL_HIGH,
730 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 730 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
731 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 731 FIXED_NONCE_LEN(4)|
732 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 732 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
733 .strength_bits = 256, 733 .strength_bits = 256,
734 .alg_bits = 256, 734 .alg_bits = 256,
@@ -746,7 +746,7 @@ SSL_CIPHER ssl3_ciphers[] = {
746 .algorithm_ssl = SSL_TLSV1_2, 746 .algorithm_ssl = SSL_TLSV1_2,
747 .algo_strength = SSL_HIGH, 747 .algo_strength = SSL_HIGH,
748 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 748 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
749 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 749 FIXED_NONCE_LEN(4)|
750 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 750 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
751 .strength_bits = 128, 751 .strength_bits = 128,
752 .alg_bits = 128, 752 .alg_bits = 128,
@@ -764,7 +764,7 @@ SSL_CIPHER ssl3_ciphers[] = {
764 .algorithm_ssl = SSL_TLSV1_2, 764 .algorithm_ssl = SSL_TLSV1_2,
765 .algo_strength = SSL_HIGH, 765 .algo_strength = SSL_HIGH,
766 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 766 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
767 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 767 FIXED_NONCE_LEN(4)|
768 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 768 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
769 .strength_bits = 256, 769 .strength_bits = 256,
770 .alg_bits = 256, 770 .alg_bits = 256,
@@ -1191,7 +1191,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1191 .algorithm_ssl = SSL_TLSV1_2, 1191 .algorithm_ssl = SSL_TLSV1_2,
1192 .algo_strength = SSL_HIGH, 1192 .algo_strength = SSL_HIGH,
1193 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1193 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1194 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1194 FIXED_NONCE_LEN(4)|
1195 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1195 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1196 .strength_bits = 128, 1196 .strength_bits = 128,
1197 .alg_bits = 128, 1197 .alg_bits = 128,
@@ -1209,7 +1209,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1209 .algorithm_ssl = SSL_TLSV1_2, 1209 .algorithm_ssl = SSL_TLSV1_2,
1210 .algo_strength = SSL_HIGH, 1210 .algo_strength = SSL_HIGH,
1211 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1211 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1212 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1212 FIXED_NONCE_LEN(4)|
1213 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1213 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1214 .strength_bits = 256, 1214 .strength_bits = 256,
1215 .alg_bits = 256, 1215 .alg_bits = 256,
@@ -1227,7 +1227,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1227 .algorithm_ssl = SSL_TLSV1_2, 1227 .algorithm_ssl = SSL_TLSV1_2,
1228 .algo_strength = SSL_HIGH, 1228 .algo_strength = SSL_HIGH,
1229 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1229 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1230 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1230 FIXED_NONCE_LEN(4)|
1231 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1231 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1232 .strength_bits = 128, 1232 .strength_bits = 128,
1233 .alg_bits = 128, 1233 .alg_bits = 128,
@@ -1245,7 +1245,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1245 .algorithm_ssl = SSL_TLSV1_2, 1245 .algorithm_ssl = SSL_TLSV1_2,
1246 .algo_strength = SSL_HIGH, 1246 .algo_strength = SSL_HIGH,
1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| 1247 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
1248 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| 1248 FIXED_NONCE_LEN(4)|
1249 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, 1249 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
1250 .strength_bits = 256, 1250 .strength_bits = 256,
1251 .alg_bits = 256, 1251 .alg_bits = 256,
@@ -1263,7 +1263,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1263 .algorithm_ssl = SSL_TLSV1_2, 1263 .algorithm_ssl = SSL_TLSV1_2,
1264 .algo_strength = SSL_HIGH, 1264 .algo_strength = SSL_HIGH,
1265 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1265 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1266 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1266 FIXED_NONCE_LEN(12),
1267 .strength_bits = 256, 1267 .strength_bits = 256,
1268 .alg_bits = 256, 1268 .alg_bits = 256,
1269 }, 1269 },
@@ -1280,7 +1280,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1280 .algorithm_ssl = SSL_TLSV1_2, 1280 .algorithm_ssl = SSL_TLSV1_2,
1281 .algo_strength = SSL_HIGH, 1281 .algo_strength = SSL_HIGH,
1282 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1282 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1283 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1283 FIXED_NONCE_LEN(12),
1284 .strength_bits = 256, 1284 .strength_bits = 256,
1285 .alg_bits = 256, 1285 .alg_bits = 256,
1286 }, 1286 },
@@ -1297,7 +1297,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1297 .algorithm_ssl = SSL_TLSV1_2, 1297 .algorithm_ssl = SSL_TLSV1_2,
1298 .algo_strength = SSL_HIGH, 1298 .algo_strength = SSL_HIGH,
1299 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1299 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1300 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), 1300 FIXED_NONCE_LEN(12),
1301 .strength_bits = 256, 1301 .strength_bits = 256,
1302 .alg_bits = 256, 1302 .alg_bits = 256,
1303 }, 1303 },
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index e429bdeafc..9db0c68ceb 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.102 2018/09/03 18:00:50 jsing Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.103 2018/09/06 16:40:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -515,7 +515,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
515 * This function does not handle EVP_AEAD. 515 * This function does not handle EVP_AEAD.
516 * See ssl_cipher_get_aead_evp instead. 516 * See ssl_cipher_get_aead_evp instead.
517 */ 517 */
518 if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) 518 if (c->algorithm_mac & SSL_AEAD)
519 return(0); 519 return(0);
520 520
521 if ((enc == NULL) || (md == NULL)) 521 if ((enc == NULL) || (md == NULL))
@@ -593,8 +593,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
593 *mac_pkey_type = NID_undef; 593 *mac_pkey_type = NID_undef;
594 if (mac_secret_size != NULL) 594 if (mac_secret_size != NULL)
595 *mac_secret_size = 0; 595 *mac_secret_size = 0;
596 if (c->algorithm_mac == SSL_AEAD)
597 mac_pkey_type = NULL;
598 } else { 596 } else {
599 *md = ssl_digest_methods[i]; 597 *md = ssl_digest_methods[i];
600 if (mac_pkey_type != NULL) 598 if (mac_pkey_type != NULL)
@@ -624,7 +622,7 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
624 622
625 if (c == NULL) 623 if (c == NULL)
626 return 0; 624 return 0;
627 if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0) 625 if ((c->algorithm_mac & SSL_AEAD) == 0)
628 return 0; 626 return 0;
629 627
630 switch (c->algorithm_enc) { 628 switch (c->algorithm_enc) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index a4e831577d..d5680fc14a 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.213 2018/09/05 16:48:11 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.214 2018/09/06 16:40:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -282,8 +282,10 @@ __BEGIN_HIDDEN_DECLS
282#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT) 282#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
283#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) 283#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
284 284
285/* Stream MAC for GOST ciphersuites from cryptopro draft 285/*
286 * (currently this also goes into algorithm2) */ 286 * Stream MAC for GOST ciphersuites from cryptopro draft
287 * (currently this also goes into algorithm2).
288 */
287#define TLS1_STREAM_MAC 0x04 289#define TLS1_STREAM_MAC 0x04
288 290
289/* 291/*
@@ -294,14 +296,8 @@ __BEGIN_HIDDEN_DECLS
294#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22) 296#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)
295 297
296/* 298/*
297 * SSL_CIPHER_ALGORITHM2_AEAD is an algorithm2 flag that indicates the cipher
298 * is implemented via an EVP_AEAD.
299 */
300#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
301
302/*
303 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce 299 * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
304 * for an SSL_CIPHER with the SSL_CIPHER_ALGORITHM2_AEAD flag. 300 * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD.
305 */ 301 */
306#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \ 302#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
307 (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2) 303 (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 01ff05952c..77ac5899ac 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.112 2018/09/05 16:58:59 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.113 2018/09/06 16:40:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -661,7 +661,7 @@ tls1_setup_key_block(SSL *s)
661 return (1); 661 return (1);
662 662
663 if (s->session->cipher && 663 if (s->session->cipher &&
664 (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { 664 (s->session->cipher->algorithm_mac & SSL_AEAD)) {
665 if (!ssl_cipher_get_evp_aead(s->session, &aead)) { 665 if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
666 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 666 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
667 return (0); 667 return (0);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 09:06:24 +0000