summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/s3_lib.c72
-rw-r--r--src/lib/libssl/ssl_ciph.c17
-rw-r--r--src/lib/libssl/ssl_local.h13
3 files changed, 39 insertions, 63 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 1c1906d9e7..5fc42ca200 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.253 2024/07/15 14:45:15 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.254 2024/07/16 14:38:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -183,7 +183,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
183 .algorithm_mac = SSL_MD5, 183 .algorithm_mac = SSL_MD5,
184 .algorithm_ssl = SSL_SSLV3, 184 .algorithm_ssl = SSL_SSLV3,
185 .algo_strength = SSL_STRONG_NONE, 185 .algo_strength = SSL_STRONG_NONE,
186 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 186 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
187 .strength_bits = 0, 187 .strength_bits = 0,
188 .alg_bits = 0, 188 .alg_bits = 0,
189 }, 189 },
@@ -199,7 +199,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
199 .algorithm_mac = SSL_SHA1, 199 .algorithm_mac = SSL_SHA1,
200 .algorithm_ssl = SSL_SSLV3, 200 .algorithm_ssl = SSL_SSLV3,
201 .algo_strength = SSL_STRONG_NONE, 201 .algo_strength = SSL_STRONG_NONE,
202 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 202 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
203 .strength_bits = 0, 203 .strength_bits = 0,
204 .alg_bits = 0, 204 .alg_bits = 0,
205 }, 205 },
@@ -215,7 +215,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
215 .algorithm_mac = SSL_MD5, 215 .algorithm_mac = SSL_MD5,
216 .algorithm_ssl = SSL_SSLV3, 216 .algorithm_ssl = SSL_SSLV3,
217 .algo_strength = SSL_LOW, 217 .algo_strength = SSL_LOW,
218 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 218 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
219 .strength_bits = 128, 219 .strength_bits = 128,
220 .alg_bits = 128, 220 .alg_bits = 128,
221 }, 221 },
@@ -231,7 +231,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
231 .algorithm_mac = SSL_SHA1, 231 .algorithm_mac = SSL_SHA1,
232 .algorithm_ssl = SSL_SSLV3, 232 .algorithm_ssl = SSL_SSLV3,
233 .algo_strength = SSL_LOW, 233 .algo_strength = SSL_LOW,
234 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 234 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
235 .strength_bits = 128, 235 .strength_bits = 128,
236 .alg_bits = 128, 236 .alg_bits = 128,
237 }, 237 },
@@ -247,7 +247,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
247 .algorithm_mac = SSL_SHA1, 247 .algorithm_mac = SSL_SHA1,
248 .algorithm_ssl = SSL_SSLV3, 248 .algorithm_ssl = SSL_SSLV3,
249 .algo_strength = SSL_MEDIUM, 249 .algo_strength = SSL_MEDIUM,
250 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 250 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
251 .strength_bits = 112, 251 .strength_bits = 112,
252 .alg_bits = 168, 252 .alg_bits = 168,
253 }, 253 },
@@ -267,7 +267,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
267 .algorithm_mac = SSL_SHA1, 267 .algorithm_mac = SSL_SHA1,
268 .algorithm_ssl = SSL_SSLV3, 268 .algorithm_ssl = SSL_SSLV3,
269 .algo_strength = SSL_MEDIUM, 269 .algo_strength = SSL_MEDIUM,
270 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 270 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
271 .strength_bits = 112, 271 .strength_bits = 112,
272 .alg_bits = 168, 272 .alg_bits = 168,
273 }, 273 },
@@ -283,7 +283,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
283 .algorithm_mac = SSL_MD5, 283 .algorithm_mac = SSL_MD5,
284 .algorithm_ssl = SSL_SSLV3, 284 .algorithm_ssl = SSL_SSLV3,
285 .algo_strength = SSL_LOW, 285 .algo_strength = SSL_LOW,
286 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 286 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
287 .strength_bits = 128, 287 .strength_bits = 128,
288 .alg_bits = 128, 288 .alg_bits = 128,
289 }, 289 },
@@ -299,7 +299,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
299 .algorithm_mac = SSL_SHA1, 299 .algorithm_mac = SSL_SHA1,
300 .algorithm_ssl = SSL_SSLV3, 300 .algorithm_ssl = SSL_SSLV3,
301 .algo_strength = SSL_MEDIUM, 301 .algo_strength = SSL_MEDIUM,
302 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 302 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
303 .strength_bits = 112, 303 .strength_bits = 112,
304 .alg_bits = 168, 304 .alg_bits = 168,
305 }, 305 },
@@ -319,7 +319,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
319 .algorithm_mac = SSL_SHA1, 319 .algorithm_mac = SSL_SHA1,
320 .algorithm_ssl = SSL_TLSV1, 320 .algorithm_ssl = SSL_TLSV1,
321 .algo_strength = SSL_HIGH, 321 .algo_strength = SSL_HIGH,
322 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 322 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
323 .strength_bits = 128, 323 .strength_bits = 128,
324 .alg_bits = 128, 324 .alg_bits = 128,
325 }, 325 },
@@ -335,7 +335,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
335 .algorithm_mac = SSL_SHA1, 335 .algorithm_mac = SSL_SHA1,
336 .algorithm_ssl = SSL_TLSV1, 336 .algorithm_ssl = SSL_TLSV1,
337 .algo_strength = SSL_HIGH, 337 .algo_strength = SSL_HIGH,
338 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 338 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
339 .strength_bits = 128, 339 .strength_bits = 128,
340 .alg_bits = 128, 340 .alg_bits = 128,
341 }, 341 },
@@ -351,7 +351,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
351 .algorithm_mac = SSL_SHA1, 351 .algorithm_mac = SSL_SHA1,
352 .algorithm_ssl = SSL_TLSV1, 352 .algorithm_ssl = SSL_TLSV1,
353 .algo_strength = SSL_HIGH, 353 .algo_strength = SSL_HIGH,
354 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 354 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
355 .strength_bits = 128, 355 .strength_bits = 128,
356 .alg_bits = 128, 356 .alg_bits = 128,
357 }, 357 },
@@ -367,7 +367,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
367 .algorithm_mac = SSL_SHA1, 367 .algorithm_mac = SSL_SHA1,
368 .algorithm_ssl = SSL_TLSV1, 368 .algorithm_ssl = SSL_TLSV1,
369 .algo_strength = SSL_HIGH, 369 .algo_strength = SSL_HIGH,
370 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 370 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
371 .strength_bits = 256, 371 .strength_bits = 256,
372 .alg_bits = 256, 372 .alg_bits = 256,
373 }, 373 },
@@ -383,7 +383,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
383 .algorithm_mac = SSL_SHA1, 383 .algorithm_mac = SSL_SHA1,
384 .algorithm_ssl = SSL_TLSV1, 384 .algorithm_ssl = SSL_TLSV1,
385 .algo_strength = SSL_HIGH, 385 .algo_strength = SSL_HIGH,
386 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 386 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
387 .strength_bits = 256, 387 .strength_bits = 256,
388 .alg_bits = 256, 388 .alg_bits = 256,
389 }, 389 },
@@ -399,7 +399,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
399 .algorithm_mac = SSL_SHA1, 399 .algorithm_mac = SSL_SHA1,
400 .algorithm_ssl = SSL_TLSV1, 400 .algorithm_ssl = SSL_TLSV1,
401 .algo_strength = SSL_HIGH, 401 .algo_strength = SSL_HIGH,
402 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 402 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
403 .strength_bits = 256, 403 .strength_bits = 256,
404 .alg_bits = 256, 404 .alg_bits = 256,
405 }, 405 },
@@ -467,7 +467,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
467 .algorithm_mac = SSL_SHA1, 467 .algorithm_mac = SSL_SHA1,
468 .algorithm_ssl = SSL_TLSV1, 468 .algorithm_ssl = SSL_TLSV1,
469 .algo_strength = SSL_HIGH, 469 .algo_strength = SSL_HIGH,
470 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 470 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
471 .strength_bits = 128, 471 .strength_bits = 128,
472 .alg_bits = 128, 472 .alg_bits = 128,
473 }, 473 },
@@ -483,7 +483,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
483 .algorithm_mac = SSL_SHA1, 483 .algorithm_mac = SSL_SHA1,
484 .algorithm_ssl = SSL_TLSV1, 484 .algorithm_ssl = SSL_TLSV1,
485 .algo_strength = SSL_HIGH, 485 .algo_strength = SSL_HIGH,
486 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 486 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
487 .strength_bits = 128, 487 .strength_bits = 128,
488 .alg_bits = 128, 488 .alg_bits = 128,
489 }, 489 },
@@ -499,7 +499,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
499 .algorithm_mac = SSL_SHA1, 499 .algorithm_mac = SSL_SHA1,
500 .algorithm_ssl = SSL_TLSV1, 500 .algorithm_ssl = SSL_TLSV1,
501 .algo_strength = SSL_HIGH, 501 .algo_strength = SSL_HIGH,
502 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 502 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
503 .strength_bits = 128, 503 .strength_bits = 128,
504 .alg_bits = 128, 504 .alg_bits = 128,
505 }, 505 },
@@ -584,7 +584,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
584 .algorithm_mac = SSL_SHA1, 584 .algorithm_mac = SSL_SHA1,
585 .algorithm_ssl = SSL_TLSV1, 585 .algorithm_ssl = SSL_TLSV1,
586 .algo_strength = SSL_HIGH, 586 .algo_strength = SSL_HIGH,
587 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 587 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
588 .strength_bits = 256, 588 .strength_bits = 256,
589 .alg_bits = 256, 589 .alg_bits = 256,
590 }, 590 },
@@ -600,7 +600,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
600 .algorithm_mac = SSL_SHA1, 600 .algorithm_mac = SSL_SHA1,
601 .algorithm_ssl = SSL_TLSV1, 601 .algorithm_ssl = SSL_TLSV1,
602 .algo_strength = SSL_HIGH, 602 .algo_strength = SSL_HIGH,
603 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 603 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
604 .strength_bits = 256, 604 .strength_bits = 256,
605 .alg_bits = 256, 605 .alg_bits = 256,
606 }, 606 },
@@ -616,7 +616,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
616 .algorithm_mac = SSL_SHA1, 616 .algorithm_mac = SSL_SHA1,
617 .algorithm_ssl = SSL_TLSV1, 617 .algorithm_ssl = SSL_TLSV1,
618 .algo_strength = SSL_HIGH, 618 .algo_strength = SSL_HIGH,
619 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 619 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
620 .strength_bits = 256, 620 .strength_bits = 256,
621 .alg_bits = 256, 621 .alg_bits = 256,
622 }, 622 },
@@ -887,7 +887,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
887 .algorithm_mac = SSL_SHA1, 887 .algorithm_mac = SSL_SHA1,
888 .algorithm_ssl = SSL_TLSV1, 888 .algorithm_ssl = SSL_TLSV1,
889 .algo_strength = SSL_STRONG_NONE, 889 .algo_strength = SSL_STRONG_NONE,
890 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 890 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
891 .strength_bits = 0, 891 .strength_bits = 0,
892 .alg_bits = 0, 892 .alg_bits = 0,
893 }, 893 },
@@ -903,7 +903,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
903 .algorithm_mac = SSL_SHA1, 903 .algorithm_mac = SSL_SHA1,
904 .algorithm_ssl = SSL_TLSV1, 904 .algorithm_ssl = SSL_TLSV1,
905 .algo_strength = SSL_LOW, 905 .algo_strength = SSL_LOW,
906 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 906 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
907 .strength_bits = 128, 907 .strength_bits = 128,
908 .alg_bits = 128, 908 .alg_bits = 128,
909 }, 909 },
@@ -919,7 +919,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
919 .algorithm_mac = SSL_SHA1, 919 .algorithm_mac = SSL_SHA1,
920 .algorithm_ssl = SSL_TLSV1, 920 .algorithm_ssl = SSL_TLSV1,
921 .algo_strength = SSL_MEDIUM, 921 .algo_strength = SSL_MEDIUM,
922 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 922 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
923 .strength_bits = 112, 923 .strength_bits = 112,
924 .alg_bits = 168, 924 .alg_bits = 168,
925 }, 925 },
@@ -935,7 +935,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
935 .algorithm_mac = SSL_SHA1, 935 .algorithm_mac = SSL_SHA1,
936 .algorithm_ssl = SSL_TLSV1, 936 .algorithm_ssl = SSL_TLSV1,
937 .algo_strength = SSL_HIGH, 937 .algo_strength = SSL_HIGH,
938 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 938 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
939 .strength_bits = 128, 939 .strength_bits = 128,
940 .alg_bits = 128, 940 .alg_bits = 128,
941 }, 941 },
@@ -951,7 +951,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
951 .algorithm_mac = SSL_SHA1, 951 .algorithm_mac = SSL_SHA1,
952 .algorithm_ssl = SSL_TLSV1, 952 .algorithm_ssl = SSL_TLSV1,
953 .algo_strength = SSL_HIGH, 953 .algo_strength = SSL_HIGH,
954 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 954 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
955 .strength_bits = 256, 955 .strength_bits = 256,
956 .alg_bits = 256, 956 .alg_bits = 256,
957 }, 957 },
@@ -967,7 +967,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
967 .algorithm_mac = SSL_SHA1, 967 .algorithm_mac = SSL_SHA1,
968 .algorithm_ssl = SSL_TLSV1, 968 .algorithm_ssl = SSL_TLSV1,
969 .algo_strength = SSL_STRONG_NONE, 969 .algo_strength = SSL_STRONG_NONE,
970 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 970 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
971 .strength_bits = 0, 971 .strength_bits = 0,
972 .alg_bits = 0, 972 .alg_bits = 0,
973 }, 973 },
@@ -983,7 +983,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
983 .algorithm_mac = SSL_SHA1, 983 .algorithm_mac = SSL_SHA1,
984 .algorithm_ssl = SSL_TLSV1, 984 .algorithm_ssl = SSL_TLSV1,
985 .algo_strength = SSL_LOW, 985 .algo_strength = SSL_LOW,
986 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 986 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
987 .strength_bits = 128, 987 .strength_bits = 128,
988 .alg_bits = 128, 988 .alg_bits = 128,
989 }, 989 },
@@ -999,7 +999,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
999 .algorithm_mac = SSL_SHA1, 999 .algorithm_mac = SSL_SHA1,
1000 .algorithm_ssl = SSL_TLSV1, 1000 .algorithm_ssl = SSL_TLSV1,
1001 .algo_strength = SSL_MEDIUM, 1001 .algo_strength = SSL_MEDIUM,
1002 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1002 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1003 .strength_bits = 112, 1003 .strength_bits = 112,
1004 .alg_bits = 168, 1004 .alg_bits = 168,
1005 }, 1005 },
@@ -1015,7 +1015,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1015 .algorithm_mac = SSL_SHA1, 1015 .algorithm_mac = SSL_SHA1,
1016 .algorithm_ssl = SSL_TLSV1, 1016 .algorithm_ssl = SSL_TLSV1,
1017 .algo_strength = SSL_HIGH, 1017 .algo_strength = SSL_HIGH,
1018 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1018 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1019 .strength_bits = 128, 1019 .strength_bits = 128,
1020 .alg_bits = 128, 1020 .alg_bits = 128,
1021 }, 1021 },
@@ -1031,7 +1031,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1031 .algorithm_mac = SSL_SHA1, 1031 .algorithm_mac = SSL_SHA1,
1032 .algorithm_ssl = SSL_TLSV1, 1032 .algorithm_ssl = SSL_TLSV1,
1033 .algo_strength = SSL_HIGH, 1033 .algo_strength = SSL_HIGH,
1034 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1034 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1035 .strength_bits = 256, 1035 .strength_bits = 256,
1036 .alg_bits = 256, 1036 .alg_bits = 256,
1037 }, 1037 },
@@ -1047,7 +1047,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1047 .algorithm_mac = SSL_SHA1, 1047 .algorithm_mac = SSL_SHA1,
1048 .algorithm_ssl = SSL_TLSV1, 1048 .algorithm_ssl = SSL_TLSV1,
1049 .algo_strength = SSL_STRONG_NONE, 1049 .algo_strength = SSL_STRONG_NONE,
1050 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1050 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1051 .strength_bits = 0, 1051 .strength_bits = 0,
1052 .alg_bits = 0, 1052 .alg_bits = 0,
1053 }, 1053 },
@@ -1063,7 +1063,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1063 .algorithm_mac = SSL_SHA1, 1063 .algorithm_mac = SSL_SHA1,
1064 .algorithm_ssl = SSL_TLSV1, 1064 .algorithm_ssl = SSL_TLSV1,
1065 .algo_strength = SSL_LOW, 1065 .algo_strength = SSL_LOW,
1066 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1066 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1067 .strength_bits = 128, 1067 .strength_bits = 128,
1068 .alg_bits = 128, 1068 .alg_bits = 128,
1069 }, 1069 },
@@ -1079,7 +1079,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1079 .algorithm_mac = SSL_SHA1, 1079 .algorithm_mac = SSL_SHA1,
1080 .algorithm_ssl = SSL_TLSV1, 1080 .algorithm_ssl = SSL_TLSV1,
1081 .algo_strength = SSL_MEDIUM, 1081 .algo_strength = SSL_MEDIUM,
1082 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1082 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1083 .strength_bits = 112, 1083 .strength_bits = 112,
1084 .alg_bits = 168, 1084 .alg_bits = 168,
1085 }, 1085 },
@@ -1095,7 +1095,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1095 .algorithm_mac = SSL_SHA1, 1095 .algorithm_mac = SSL_SHA1,
1096 .algorithm_ssl = SSL_TLSV1, 1096 .algorithm_ssl = SSL_TLSV1,
1097 .algo_strength = SSL_HIGH, 1097 .algo_strength = SSL_HIGH,
1098 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1098 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1099 .strength_bits = 128, 1099 .strength_bits = 128,
1100 .alg_bits = 128, 1100 .alg_bits = 128,
1101 }, 1101 },
@@ -1111,7 +1111,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
1111 .algorithm_mac = SSL_SHA1, 1111 .algorithm_mac = SSL_SHA1,
1112 .algorithm_ssl = SSL_TLSV1, 1112 .algorithm_ssl = SSL_TLSV1,
1113 .algo_strength = SSL_HIGH, 1113 .algo_strength = SSL_HIGH,
1114 .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT, 1114 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256,
1115 .strength_bits = 256, 1115 .strength_bits = 256,
1116 .alg_bits = 256, 1116 .alg_bits = 256,
1117 }, 1117 },
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 13790c56be..246d64e7d5 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.144 2024/07/16 14:38:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -515,24 +515,12 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
515int 515int
516ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) 516ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
517{ 517{
518 unsigned long handshake_mac;
519
520 *md = NULL; 518 *md = NULL;
521 519
522 if (s->s3->hs.cipher == NULL) 520 if (s->s3->hs.cipher == NULL)
523 return 0; 521 return 0;
524 522
525 handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK; 523 switch (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
526
527 /* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */
528 /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */
529 if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT)
530 handshake_mac = SSL_HANDSHAKE_MAC_SHA256;
531
532 switch (handshake_mac) {
533 case SSL_HANDSHAKE_MAC_DEFAULT:
534 *md = EVP_md5_sha1();
535 return 1;
536 case SSL_HANDSHAKE_MAC_SHA256: 524 case SSL_HANDSHAKE_MAC_SHA256:
537 *md = EVP_sha256(); 525 *md = EVP_sha256();
538 return 1; 526 return 1;
@@ -1629,7 +1617,6 @@ const EVP_MD *
1629SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) 1617SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
1630{ 1618{
1631 switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { 1619 switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
1632 case SSL_HANDSHAKE_MAC_DEFAULT:
1633 case SSL_HANDSHAKE_MAC_SHA256: 1620 case SSL_HANDSHAKE_MAC_SHA256:
1634 return EVP_sha256(); 1621 return EVP_sha256();
1635 case SSL_HANDSHAKE_MAC_SHA384: 1622 case SSL_HANDSHAKE_MAC_SHA384:
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index 74c6ad33ee..c002c9b34f 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_local.h,v 1.18 2024/07/15 14:45:15 jsing Exp $ */ 1/* $OpenBSD: ssl_local.h,v 1.19 2024/07/16 14:38:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -246,11 +246,8 @@ __BEGIN_HIDDEN_DECLS
246/* Bits for algorithm2 (handshake digests and other extra flags) */ 246/* Bits for algorithm2 (handshake digests and other extra flags) */
247 247
248#define SSL_HANDSHAKE_MAC_MASK 0xff0 248#define SSL_HANDSHAKE_MAC_MASK 0xff0
249#define SSL_HANDSHAKE_MAC_MD5 0x010
250#define SSL_HANDSHAKE_MAC_SHA 0x020
251#define SSL_HANDSHAKE_MAC_SHA256 0x080 249#define SSL_HANDSHAKE_MAC_SHA256 0x080
252#define SSL_HANDSHAKE_MAC_SHA384 0x100 250#define SSL_HANDSHAKE_MAC_SHA384 0x100
253#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
254 251
255#define SSL3_CK_ID 0x03000000 252#define SSL3_CK_ID 0x03000000
256#define SSL3_CK_VALUE_MASK 0x0000ffff 253#define SSL3_CK_VALUE_MASK 0x0000ffff
@@ -274,10 +271,6 @@ __BEGIN_HIDDEN_DECLS
274#define SSL_USE_SIGALGS(s) \ 271#define SSL_USE_SIGALGS(s) \
275 (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS) 272 (s->method->enc_flags & SSL_ENC_FLAG_SIGALGS)
276 273
277/* See if we use SHA256 default PRF. */
278#define SSL_USE_SHA256_PRF(s) \
279 (s->method->enc_flags & SSL_ENC_FLAG_SHA256_PRF)
280
281/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ 274/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
282#define SSL_USE_TLS1_2_CIPHERS(s) \ 275#define SSL_USE_TLS1_2_CIPHERS(s) \
283 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) 276 (s->method->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
@@ -1188,9 +1181,6 @@ typedef struct ssl3_state_st {
1188/* Uses signature algorithms extension. */ 1181/* Uses signature algorithms extension. */
1189#define SSL_ENC_FLAG_SIGALGS (1 << 1) 1182#define SSL_ENC_FLAG_SIGALGS (1 << 1)
1190 1183
1191/* Uses SHA256 default PRF. */
1192#define SSL_ENC_FLAG_SHA256_PRF (1 << 2)
1193
1194/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ 1184/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
1195#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) 1185#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4)
1196 1186
@@ -1200,7 +1190,6 @@ typedef struct ssl3_state_st {
1200#define TLSV1_ENC_FLAGS 0 1190#define TLSV1_ENC_FLAGS 0
1201#define TLSV1_1_ENC_FLAGS 0 1191#define TLSV1_1_ENC_FLAGS 0
1202#define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ 1192#define TLSV1_2_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1203 SSL_ENC_FLAG_SHA256_PRF | \
1204 SSL_ENC_FLAG_TLS1_2_CIPHERS) 1193 SSL_ENC_FLAG_TLS1_2_CIPHERS)
1205#define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ 1194#define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \
1206 SSL_ENC_FLAG_TLS1_3_CIPHERS) 1195 SSL_ENC_FLAG_TLS1_3_CIPHERS)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 12:20:12 +0000