1 files changed, 6 insertions, 101 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index cea4d3e6f4..76a3840520 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.138 2024/01/04 20:02:10 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.139 2024/02/03 15:58:33 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -212,10 +212,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_ECDH,
                .algorithm_mkey = SSL_kECDHE,
        },
-        {
-                .name = SSL_TXT_kGOST,
-                .algorithm_mkey = SSL_kGOST,
-        },
        /* server authentication aliases */
        {
@@ -242,14 +238,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_ECDSA,
                .algorithm_auth = SSL_aECDSA,
        },
-        {
-                .name = SSL_TXT_aGOST01,
-                .algorithm_auth = SSL_aGOST01,
-        },
-        {
-                .name = SSL_TXT_aGOST,
-                .algorithm_auth = SSL_aGOST01,
-        },
        /* aliases combining key exchange and server authentication */
        {
@@ -356,14 +344,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mac = SSL_SHA1,
        },
        {
-                .name = SSL_TXT_GOST94,
-                .algorithm_mac = SSL_GOST94,
-        },
-        {
-                .name = SSL_TXT_GOST89MAC,
-                .algorithm_mac = SSL_GOST89MAC,
-        },
-        {
                .name = SSL_TXT_SHA256,
                .algorithm_mac = SSL_SHA256,
        },
@@ -371,10 +351,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_SHA384,
                .algorithm_mac = SSL_SHA384,
        },
-        {
-                .name = SSL_TXT_STREEBOG256,
-                .algorithm_mac = SSL_STREEBOG256,
-        },
        /* protocol version aliases */
        {
@@ -472,11 +448,6 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
        case SSL_CAMELLIA256:
                *enc = EVP_camellia_256_cbc();
                break;
-#ifndef OPENSSL_NO_GOST
-        case SSL_eGOST2814789CNT:
-                *enc = EVP_gost2814789_cnt();
-                break;
-#endif
        }
        switch (ss->cipher->algorithm_mac) {
@@ -492,21 +463,11 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
        case SSL_SHA384:
                *md = EVP_sha384();
                break;
-#ifndef OPENSSL_NO_GOST
-        case SSL_GOST89MAC:
-                *md = EVP_gost2814789imit();
-                break;
-        case SSL_GOST94:
-                *md = EVP_gostr341194();
-                break;
-        case SSL_STREEBOG256:
-                *md = EVP_streebog256();
-                break;
-#endif
        }
        if (*enc == NULL || *md == NULL)
                return 0;
+        /* XXX remove these from ssl_cipher_get_evp? */
        /*
         * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not
         * supported via EVP_CIPHER (they should be using EVP_AEAD instead).
@@ -515,18 +476,9 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
                return 0;
        if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
                return 0;
-#ifndef OPENSSL_NO_GOST
-        /* XXX JFC. die in fire already */
+        *mac_pkey_type = EVP_PKEY_HMAC;
-        if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
+        *mac_secret_size = EVP_MD_size(*md);
-                *mac_pkey_type = EVP_PKEY_GOSTIMIT;
-                *mac_secret_size = 32; /* XXX */
-        } else {
-#endif
-                *mac_pkey_type = EVP_PKEY_HMAC;
-                *mac_secret_size = EVP_MD_size(*md);
-#ifndef OPENSSL_NO_GOST
-        }
-#endif
        return 1;
 }
@@ -581,14 +533,6 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
        case SSL_HANDSHAKE_MAC_DEFAULT:
                *md = EVP_md5_sha1();
                return 1;
-#ifndef OPENSSL_NO_GOST
-        case SSL_HANDSHAKE_MAC_GOST94:
-                *md = EVP_gostr341194();
-                return 1;
-        case SSL_HANDSHAKE_MAC_STREEBOG256:
-                *md = EVP_streebog256();
-                return 1;
-#endif
        case SSL_HANDSHAKE_MAC_SHA256:
                *md = EVP_sha256();
                return 1;
@@ -641,6 +585,7 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
        *head = curr;
 }
+/* XXX beck: remove this in a followon to removing GOST */
 static void
 ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
    unsigned long *enc, unsigned long *mac, unsigned long *ssl)
@@ -651,16 +596,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
        *mac = 0;
        *ssl = 0;
-        /*
-         * Check for the availability of GOST 34.10 public/private key
-         * algorithms. If they are not available disable the associated
-         * authentication and key exchange algorithms.
-         */
-#if defined(OPENSSL_NO_GOST) || !defined(EVP_PKEY_GOSTR01)
-        *auth |= SSL_aGOST01;
-        *mkey |= SSL_kGOST;
-#endif
 #ifdef SSL_FORBID_ENULL
        *enc |= SSL_eNULL;
 #endif
@@ -1455,9 +1390,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kECDHE:
                kx = "ECDH";
                break;
-        case SSL_kGOST:
-                kx = "GOST";
-                break;
        case SSL_kTLS1_3:
                kx = "TLSv1.3";
                break;
@@ -1478,9 +1410,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aECDSA:
                au = "ECDSA";
                break;
-        case SSL_aGOST01:
-                au = "GOST01";
-                break;
        case SSL_aTLS1_3:
                au = "TLSv1.3";
                break;
@@ -1520,9 +1449,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_CHACHA20POLY1305:
                enc = "ChaCha20-Poly1305";
                break;
-        case SSL_eGOST2814789CNT:
-                enc = "GOST-28178-89-CNT";
-                break;
        default:
                enc = "unknown";
                break;
@@ -1544,15 +1470,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AEAD:
                mac = "AEAD";
                break;
-        case SSL_GOST94:
-                mac = "GOST94";
-                break;
-        case SSL_GOST89MAC:
-                mac = "GOST89IMIT";
-                break;
-        case SSL_STREEBOG256:
-                mac = "STREEBOG256";
-                break;
        default:
                mac = "unknown";
                break;
@@ -1666,8 +1583,6 @@ SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
                return NID_des_cbc;
        case SSL_RC4:
                return NID_rc4;
-        case SSL_eGOST2814789CNT:
-                return NID_gost89_cnt;
        default:
                return NID_undef;
        }
@@ -1680,10 +1595,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
        switch (c->algorithm_mac) {
        case SSL_AEAD:
                return NID_undef;
-        case SSL_GOST89MAC:
-                return NID_id_Gost28147_89_MAC;
-        case SSL_GOST94:
-                return NID_id_GostR3411_94;
        case SSL_MD5:
                return NID_md5;
        case SSL_SHA1:
@@ -1692,8 +1603,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
                return NID_sha256;
        case SSL_SHA384:
                return NID_sha384;
-        case SSL_STREEBOG256:
-                return NID_id_tc26_gost3411_2012_256;
        default:
                return NID_undef;
        }
@@ -1708,8 +1617,6 @@ SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
                return NID_kx_dhe;
        case SSL_kECDHE:
                return NID_kx_ecdhe;
-        case SSL_kGOST:
-                return NID_kx_gost;
        case SSL_kRSA:
                return NID_kx_rsa;
        default:
@@ -1726,8 +1633,6 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
                return NID_auth_null;
        case SSL_aECDSA:
                return NID_auth_ecdsa;
-        case SSL_aGOST01:
-                return NID_auth_gost01;
        case SSL_aRSA:
                return NID_auth_rsa;
        default:

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index cea4d3e6f4..76a3840520 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.138 2024/01/04 20:02:10 tb Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.139 2024/02/03 15:58:33 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -212,10 +212,6 @@ static const SSL_CIPHER cipher_aliases[] = {
212	.name = SSL_TXT_ECDH,	212	.name = SSL_TXT_ECDH,
213	.algorithm_mkey = SSL_kECDHE,	213	.algorithm_mkey = SSL_kECDHE,
214	},	214	},
215	{
216	.name = SSL_TXT_kGOST,
217	.algorithm_mkey = SSL_kGOST,
218	},
219		215
220	/* server authentication aliases */	216	/* server authentication aliases */
221	{	217	{
@@ -242,14 +238,6 @@ static const SSL_CIPHER cipher_aliases[] = {
242	.name = SSL_TXT_ECDSA,	238	.name = SSL_TXT_ECDSA,
243	.algorithm_auth = SSL_aECDSA,	239	.algorithm_auth = SSL_aECDSA,
244	},	240	},
245	{
246	.name = SSL_TXT_aGOST01,
247	.algorithm_auth = SSL_aGOST01,
248	},
249	{
250	.name = SSL_TXT_aGOST,
251	.algorithm_auth = SSL_aGOST01,
252	},
253		241
254	/* aliases combining key exchange and server authentication */	242	/* aliases combining key exchange and server authentication */
255	{	243	{
@@ -356,14 +344,6 @@ static const SSL_CIPHER cipher_aliases[] = {
356	.algorithm_mac = SSL_SHA1,	344	.algorithm_mac = SSL_SHA1,
357	},	345	},
358	{	346	{
359	.name = SSL_TXT_GOST94,
360	.algorithm_mac = SSL_GOST94,
361	},
362	{
363	.name = SSL_TXT_GOST89MAC,
364	.algorithm_mac = SSL_GOST89MAC,
365	},
366	{
367	.name = SSL_TXT_SHA256,	347	.name = SSL_TXT_SHA256,
368	.algorithm_mac = SSL_SHA256,	348	.algorithm_mac = SSL_SHA256,
369	},	349	},
@@ -371,10 +351,6 @@ static const SSL_CIPHER cipher_aliases[] = {
371	.name = SSL_TXT_SHA384,	351	.name = SSL_TXT_SHA384,
372	.algorithm_mac = SSL_SHA384,	352	.algorithm_mac = SSL_SHA384,
373	},	353	},
374	{
375	.name = SSL_TXT_STREEBOG256,
376	.algorithm_mac = SSL_STREEBOG256,
377	},
378		354
379	/* protocol version aliases */	355	/* protocol version aliases */
380	{	356	{
@@ -472,11 +448,6 @@ ssl_cipher_get_evp(const SSL_SESSION ss, const EVP_CIPHER *enc,
472	case SSL_CAMELLIA256:	448	case SSL_CAMELLIA256:
473	*enc = EVP_camellia_256_cbc();	449	*enc = EVP_camellia_256_cbc();
474	break;	450	break;
475	#ifndef OPENSSL_NO_GOST
476	case SSL_eGOST2814789CNT:
477	*enc = EVP_gost2814789_cnt();
478	break;
479	#endif
480	}	451	}
481		452
482	switch (ss->cipher->algorithm_mac) {	453	switch (ss->cipher->algorithm_mac) {
@@ -492,21 +463,11 @@ ssl_cipher_get_evp(const SSL_SESSION ss, const EVP_CIPHER *enc,
492	case SSL_SHA384:	463	case SSL_SHA384:
493	*md = EVP_sha384();	464	*md = EVP_sha384();
494	break;	465	break;
495	#ifndef OPENSSL_NO_GOST
496	case SSL_GOST89MAC:
497	*md = EVP_gost2814789imit();
498	break;
499	case SSL_GOST94:
500	*md = EVP_gostr341194();
501	break;
502	case SSL_STREEBOG256:
503	*md = EVP_streebog256();
504	break;
505	#endif
506	}	466	}
507	if (enc == NULL \|\| md == NULL)	467	if (enc == NULL \|\| md == NULL)
508	return 0;	468	return 0;
509		469
		470	/* XXX remove these from ssl_cipher_get_evp? */
510	/*	471	/*
511	* EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not	472	* EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not
512	* supported via EVP_CIPHER (they should be using EVP_AEAD instead).	473	* supported via EVP_CIPHER (they should be using EVP_AEAD instead).
@@ -515,18 +476,9 @@ ssl_cipher_get_evp(const SSL_SESSION ss, const EVP_CIPHER *enc,
515	return 0;	476	return 0;
516	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)	477	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
517	return 0;	478	return 0;
518	#ifndef OPENSSL_NO_GOST	479
519	/* XXX JFC. die in fire already */	480	*mac_pkey_type = EVP_PKEY_HMAC;
520	if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {	481	mac_secret_size = EVP_MD_size(md);
521	*mac_pkey_type = EVP_PKEY_GOSTIMIT;
522	mac_secret_size = 32; / XXX */
523	} else {
524	#endif
525	*mac_pkey_type = EVP_PKEY_HMAC;
526	mac_secret_size = EVP_MD_size(md);
527	#ifndef OPENSSL_NO_GOST
528	}
529	#endif
530	return 1;	482	return 1;
531	}	483	}
532		484
@@ -581,14 +533,6 @@ ssl_get_handshake_evp_md(SSL s, const EVP_MD *md)
581	case SSL_HANDSHAKE_MAC_DEFAULT:	533	case SSL_HANDSHAKE_MAC_DEFAULT:
582	*md = EVP_md5_sha1();	534	*md = EVP_md5_sha1();
583	return 1;	535	return 1;
584	#ifndef OPENSSL_NO_GOST
585	case SSL_HANDSHAKE_MAC_GOST94:
586	*md = EVP_gostr341194();
587	return 1;
588	case SSL_HANDSHAKE_MAC_STREEBOG256:
589	*md = EVP_streebog256();
590	return 1;
591	#endif
592	case SSL_HANDSHAKE_MAC_SHA256:	536	case SSL_HANDSHAKE_MAC_SHA256:
593	*md = EVP_sha256();	537	*md = EVP_sha256();
594	return 1;	538	return 1;
@@ -641,6 +585,7 @@ ll_append_head(CIPHER_ORDER *head, CIPHER_ORDER curr,
641	*head = curr;	585	*head = curr;
642	}	586	}
643		587
		588	/* XXX beck: remove this in a followon to removing GOST */
644	static void	589	static void
645	ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,	590	ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
646	unsigned long enc, unsigned long mac, unsigned long *ssl)	591	unsigned long enc, unsigned long mac, unsigned long *ssl)
@@ -651,16 +596,6 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
651	*mac = 0;	596	*mac = 0;
652	*ssl = 0;	597	*ssl = 0;
653		598
654	/*
655	* Check for the availability of GOST 34.10 public/private key
656	* algorithms. If they are not available disable the associated
657	* authentication and key exchange algorithms.
658	*/
659	#if defined(OPENSSL_NO_GOST) \|\| !defined(EVP_PKEY_GOSTR01)
660	*auth \|= SSL_aGOST01;
661	*mkey \|= SSL_kGOST;
662	#endif
663
664	#ifdef SSL_FORBID_ENULL	599	#ifdef SSL_FORBID_ENULL
665	*enc \|= SSL_eNULL;	600	*enc \|= SSL_eNULL;
666	#endif	601	#endif
@@ -1455,9 +1390,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1455	case SSL_kECDHE:	1390	case SSL_kECDHE:
1456	kx = "ECDH";	1391	kx = "ECDH";
1457	break;	1392	break;
1458	case SSL_kGOST:
1459	kx = "GOST";
1460	break;
1461	case SSL_kTLS1_3:	1393	case SSL_kTLS1_3:
1462	kx = "TLSv1.3";	1394	kx = "TLSv1.3";
1463	break;	1395	break;
@@ -1478,9 +1410,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1478	case SSL_aECDSA:	1410	case SSL_aECDSA:
1479	au = "ECDSA";	1411	au = "ECDSA";
1480	break;	1412	break;
1481	case SSL_aGOST01:
1482	au = "GOST01";
1483	break;
1484	case SSL_aTLS1_3:	1413	case SSL_aTLS1_3:
1485	au = "TLSv1.3";	1414	au = "TLSv1.3";
1486	break;	1415	break;
@@ -1520,9 +1449,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1520	case SSL_CHACHA20POLY1305:	1449	case SSL_CHACHA20POLY1305:
1521	enc = "ChaCha20-Poly1305";	1450	enc = "ChaCha20-Poly1305";
1522	break;	1451	break;
1523	case SSL_eGOST2814789CNT:
1524	enc = "GOST-28178-89-CNT";
1525	break;
1526	default:	1452	default:
1527	enc = "unknown";	1453	enc = "unknown";
1528	break;	1454	break;
@@ -1544,15 +1470,6 @@ SSL_CIPHER_description(const SSL_CIPHER cipher, char buf, int len)
1544	case SSL_AEAD:	1470	case SSL_AEAD:
1545	mac = "AEAD";	1471	mac = "AEAD";
1546	break;	1472	break;
1547	case SSL_GOST94:
1548	mac = "GOST94";
1549	break;
1550	case SSL_GOST89MAC:
1551	mac = "GOST89IMIT";
1552	break;
1553	case SSL_STREEBOG256:
1554	mac = "STREEBOG256";
1555	break;
1556	default:	1473	default:
1557	mac = "unknown";	1474	mac = "unknown";
1558	break;	1475	break;
@@ -1666,8 +1583,6 @@ SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
1666	return NID_des_cbc;	1583	return NID_des_cbc;
1667	case SSL_RC4:	1584	case SSL_RC4:
1668	return NID_rc4;	1585	return NID_rc4;
1669	case SSL_eGOST2814789CNT:
1670	return NID_gost89_cnt;
1671	default:	1586	default:
1672	return NID_undef;	1587	return NID_undef;
1673	}	1588	}
@@ -1680,10 +1595,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
1680	switch (c->algorithm_mac) {	1595	switch (c->algorithm_mac) {
1681	case SSL_AEAD:	1596	case SSL_AEAD:
1682	return NID_undef;	1597	return NID_undef;
1683	case SSL_GOST89MAC:
1684	return NID_id_Gost28147_89_MAC;
1685	case SSL_GOST94:
1686	return NID_id_GostR3411_94;
1687	case SSL_MD5:	1598	case SSL_MD5:
1688	return NID_md5;	1599	return NID_md5;
1689	case SSL_SHA1:	1600	case SSL_SHA1:
@@ -1692,8 +1603,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
1692	return NID_sha256;	1603	return NID_sha256;
1693	case SSL_SHA384:	1604	case SSL_SHA384:
1694	return NID_sha384;	1605	return NID_sha384;
1695	case SSL_STREEBOG256:
1696	return NID_id_tc26_gost3411_2012_256;
1697	default:	1606	default:
1698	return NID_undef;	1607	return NID_undef;
1699	}	1608	}
@@ -1708,8 +1617,6 @@ SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
1708	return NID_kx_dhe;	1617	return NID_kx_dhe;
1709	case SSL_kECDHE:	1618	case SSL_kECDHE:
1710	return NID_kx_ecdhe;	1619	return NID_kx_ecdhe;
1711	case SSL_kGOST:
1712	return NID_kx_gost;
1713	case SSL_kRSA:	1620	case SSL_kRSA:
1714	return NID_kx_rsa;	1621	return NID_kx_rsa;
1715	default:	1622	default:
@@ -1726,8 +1633,6 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
1726	return NID_auth_null;	1633	return NID_auth_null;
1727	case SSL_aECDSA:	1634	case SSL_aECDSA:
1728	return NID_auth_ecdsa;	1635	return NID_auth_ecdsa;
1729	case SSL_aGOST01:
1730	return NID_auth_gost01;
1731	case SSL_aRSA:	1636	case SSL_aRSA:
1732	return NID_auth_rsa;	1637	return NID_auth_rsa;
1733	default:	1638	default: