summaryrefslogtreecommitdiff
path: root/src/lib/libssl
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/s3_lib.c86
-rw-r--r--src/lib/libssl/ssl.h11
-rw-r--r--src/lib/libssl/ssl3.h4
-rw-r--r--src/lib/libssl/ssl_both.c5
-rw-r--r--src/lib/libssl/ssl_cert.c6
-rw-r--r--src/lib/libssl/ssl_ciph.c107
-rw-r--r--src/lib/libssl/ssl_clnt.c206
-rw-r--r--src/lib/libssl/ssl_err.c3
-rw-r--r--src/lib/libssl/ssl_lib.c10
-rw-r--r--src/lib/libssl/ssl_local.h20
-rw-r--r--src/lib/libssl/ssl_sigalgs.c28
-rw-r--r--src/lib/libssl/ssl_sigalgs.h10
-rw-r--r--src/lib/libssl/ssl_srvr.c152
-rw-r--r--src/lib/libssl/tls1.h10
-rw-r--r--src/lib/libssl/tls12_key_schedule.c6
-rw-r--r--src/lib/libssl/tls12_record_layer.c43
16 files changed, 32 insertions, 675 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 1ae2d047bc..bb8e9465ba 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.248 2023/11/29 13:39:34 tb Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.249 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -577,41 +577,6 @@ const SSL_CIPHER ssl3_ciphers[] = {
577 .alg_bits = 256, 577 .alg_bits = 256,
578 }, 578 },
579 579
580 /* GOST Ciphersuites */
581
582 /* Cipher 81 */
583 {
584 .valid = 1,
585 .name = "GOST2001-GOST89-GOST89",
586 .id = 0x3000081,
587 .algorithm_mkey = SSL_kGOST,
588 .algorithm_auth = SSL_aGOST01,
589 .algorithm_enc = SSL_eGOST2814789CNT,
590 .algorithm_mac = SSL_GOST89MAC,
591 .algorithm_ssl = SSL_TLSV1,
592 .algo_strength = SSL_HIGH,
593 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|
594 TLS1_STREAM_MAC,
595 .strength_bits = 256,
596 .alg_bits = 256
597 },
598
599 /* Cipher 83 */
600 {
601 .valid = 1,
602 .name = "GOST2001-NULL-GOST94",
603 .id = 0x3000083,
604 .algorithm_mkey = SSL_kGOST,
605 .algorithm_auth = SSL_aGOST01,
606 .algorithm_enc = SSL_eNULL,
607 .algorithm_mac = SSL_GOST94,
608 .algorithm_ssl = SSL_TLSV1,
609 .algo_strength = SSL_STRONG_NONE,
610 .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
611 .strength_bits = 0,
612 .alg_bits = 0
613 },
614
615#ifndef OPENSSL_NO_CAMELLIA 580#ifndef OPENSSL_NO_CAMELLIA
616 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 581 /* Camellia ciphersuites from RFC4132 (256-bit portion) */
617 582
@@ -1362,40 +1327,6 @@ const SSL_CIPHER ssl3_ciphers[] = {
1362 .alg_bits = 256, 1327 .alg_bits = 256,
1363 }, 1328 },
1364 1329
1365 /* Cipher FF85 FIXME IANA */
1366 {
1367 .valid = 1,
1368 .name = "GOST2012256-GOST89-GOST89",
1369 .id = 0x300ff85, /* FIXME IANA */
1370 .algorithm_mkey = SSL_kGOST,
1371 .algorithm_auth = SSL_aGOST01,
1372 .algorithm_enc = SSL_eGOST2814789CNT,
1373 .algorithm_mac = SSL_GOST89MAC,
1374 .algorithm_ssl = SSL_TLSV1,
1375 .algo_strength = SSL_HIGH,
1376 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|
1377 TLS1_STREAM_MAC,
1378 .strength_bits = 256,
1379 .alg_bits = 256
1380 },
1381
1382 /* Cipher FF87 FIXME IANA */
1383 {
1384 .valid = 1,
1385 .name = "GOST2012256-NULL-STREEBOG256",
1386 .id = 0x300ff87, /* FIXME IANA */
1387 .algorithm_mkey = SSL_kGOST,
1388 .algorithm_auth = SSL_aGOST01,
1389 .algorithm_enc = SSL_eNULL,
1390 .algorithm_mac = SSL_STREEBOG256,
1391 .algorithm_ssl = SSL_TLSV1,
1392 .algo_strength = SSL_STRONG_NONE,
1393 .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256,
1394 .strength_bits = 0,
1395 .alg_bits = 0
1396 },
1397
1398
1399 /* end of list */ 1330 /* end of list */
1400}; 1331};
1401 1332
@@ -2668,21 +2599,6 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2668 2599
2669 alg_k = s->s3->hs.cipher->algorithm_mkey; 2600 alg_k = s->s3->hs.cipher->algorithm_mkey;
2670 2601
2671#ifndef OPENSSL_NO_GOST
2672 if ((alg_k & SSL_kGOST) != 0) {
2673 if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2674 return 0;
2675 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
2676 return 0;
2677 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
2678 return 0;
2679 if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT))
2680 return 0;
2681 if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT))
2682 return 0;
2683 }
2684#endif
2685
2686 if ((alg_k & SSL_kDHE) != 0) { 2602 if ((alg_k & SSL_kDHE) != 0) {
2687 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2603 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2688 return 0; 2604 return 0;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 8d65a1ec03..03a5a80d0a 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.232 2023/11/22 15:43:42 tb Exp $ */ 1/* $OpenBSD: ssl.h,v 1.233 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -245,7 +245,6 @@ extern "C" {
245#define SSL_TXT_kECDH "kECDH" 245#define SSL_TXT_kECDH "kECDH"
246#define SSL_TXT_kEECDH "kEECDH" 246#define SSL_TXT_kEECDH "kEECDH"
247#define SSL_TXT_kPSK "kPSK" 247#define SSL_TXT_kPSK "kPSK"
248#define SSL_TXT_kGOST "kGOST"
249#define SSL_TXT_kSRP "kSRP" 248#define SSL_TXT_kSRP "kSRP"
250 249
251#define SSL_TXT_aRSA "aRSA" 250#define SSL_TXT_aRSA "aRSA"
@@ -255,9 +254,6 @@ extern "C" {
255#define SSL_TXT_aKRB5 "aKRB5" 254#define SSL_TXT_aKRB5 "aKRB5"
256#define SSL_TXT_aECDSA "aECDSA" 255#define SSL_TXT_aECDSA "aECDSA"
257#define SSL_TXT_aPSK "aPSK" 256#define SSL_TXT_aPSK "aPSK"
258#define SSL_TXT_aGOST94 "aGOST94"
259#define SSL_TXT_aGOST01 "aGOST01"
260#define SSL_TXT_aGOST "aGOST"
261 257
262#define SSL_TXT_DSS "DSS" 258#define SSL_TXT_DSS "DSS"
263#define SSL_TXT_DH "DH" 259#define SSL_TXT_DH "DH"
@@ -293,12 +289,8 @@ extern "C" {
293#define SSL_TXT_MD5 "MD5" 289#define SSL_TXT_MD5 "MD5"
294#define SSL_TXT_SHA1 "SHA1" 290#define SSL_TXT_SHA1 "SHA1"
295#define SSL_TXT_SHA "SHA" /* same as "SHA1" */ 291#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
296#define SSL_TXT_GOST94 "GOST94"
297#define SSL_TXT_GOST89MAC "GOST89MAC"
298#define SSL_TXT_SHA256 "SHA256" 292#define SSL_TXT_SHA256 "SHA256"
299#define SSL_TXT_SHA384 "SHA384" 293#define SSL_TXT_SHA384 "SHA384"
300#define SSL_TXT_STREEBOG256 "STREEBOG256"
301#define SSL_TXT_STREEBOG512 "STREEBOG512"
302 294
303#define SSL_TXT_DTLS1 "DTLSv1" 295#define SSL_TXT_DTLS1 "DTLSv1"
304#define SSL_TXT_DTLS1_2 "DTLSv1.2" 296#define SSL_TXT_DTLS1_2 "DTLSv1.2"
@@ -2176,7 +2168,6 @@ void ERR_load_SSL_strings(void);
2176#define SSL_R_NO_CLIENT_CERT_METHOD 331 2168#define SSL_R_NO_CLIENT_CERT_METHOD 331
2177#define SSL_R_NO_CLIENT_CERT_RECEIVED 186 2169#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
2178#define SSL_R_NO_COMPRESSION_SPECIFIED 187 2170#define SSL_R_NO_COMPRESSION_SPECIFIED 187
2179#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
2180#define SSL_R_NO_METHOD_SPECIFIED 188 2171#define SSL_R_NO_METHOD_SPECIFIED 188
2181#define SSL_R_NO_PRIVATEKEY 189 2172#define SSL_R_NO_PRIVATEKEY 189
2182#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 2173#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 6c6cc2ad2b..603d9ccb4f 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl3.h,v 1.57 2021/09/10 14:49:13 tb Exp $ */ 1/* $OpenBSD: ssl3.h,v 1.58 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -325,7 +325,7 @@ extern "C" {
325 * enough to contain all of the cert types defined either for 325 * enough to contain all of the cert types defined either for
326 * SSLv3 and TLSv1. 326 * SSLv3 and TLSv1.
327 */ 327 */
328#define SSL3_CT_NUMBER 13 328#define SSL3_CT_NUMBER 7
329 329
330#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 330#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
331#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 331#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 14d9aa85a7..995f1c4601 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.46 2023/07/07 08:53:55 tb Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.47 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -384,9 +384,6 @@ ssl_cert_type(EVP_PKEY *pkey)
384 switch (EVP_PKEY_id(pkey)) { 384 switch (EVP_PKEY_id(pkey)) {
385 case EVP_PKEY_EC: 385 case EVP_PKEY_EC:
386 return SSL_PKEY_ECC; 386 return SSL_PKEY_ECC;
387 case NID_id_GostR3410_2001:
388 case NID_id_GostR3410_2001_cc:
389 return SSL_PKEY_GOST01;
390 case EVP_PKEY_RSA: 387 case EVP_PKEY_RSA:
391 case EVP_PKEY_RSA_PSS: 388 case EVP_PKEY_RSA_PSS:
392 return SSL_PKEY_RSA; 389 return SSL_PKEY_RSA;
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index a288050269..5b2fe1a48d 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.107 2023/07/08 16:40:13 beck Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.108 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -233,10 +233,6 @@ ssl_cert_dup(SSL_CERT *cert)
233 /* We have an ECC key */ 233 /* We have an ECC key */
234 break; 234 break;
235 235
236 case SSL_PKEY_GOST01:
237 /* We have a GOST key */
238 break;
239
240 default: 236 default:
241 /* Can't happen. */ 237 /* Can't happen. */
242 SSLerrorx(SSL_R_LIBRARY_BUG); 238 SSLerrorx(SSL_R_LIBRARY_BUG);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index cea4d3e6f4..76a3840520 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.138 2024/01/04 20:02:10 tb Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.139 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -212,10 +212,6 @@ static const SSL_CIPHER cipher_aliases[] = {
212 .name = SSL_TXT_ECDH, 212 .name = SSL_TXT_ECDH,
213 .algorithm_mkey = SSL_kECDHE, 213 .algorithm_mkey = SSL_kECDHE,
214 }, 214 },
215 {
216 .name = SSL_TXT_kGOST,
217 .algorithm_mkey = SSL_kGOST,
218 },
219 215
220 /* server authentication aliases */ 216 /* server authentication aliases */
221 { 217 {
@@ -242,14 +238,6 @@ static const SSL_CIPHER cipher_aliases[] = {
242 .name = SSL_TXT_ECDSA, 238 .name = SSL_TXT_ECDSA,
243 .algorithm_auth = SSL_aECDSA, 239 .algorithm_auth = SSL_aECDSA,
244 }, 240 },
245 {
246 .name = SSL_TXT_aGOST01,
247 .algorithm_auth = SSL_aGOST01,
248 },
249 {
250 .name = SSL_TXT_aGOST,
251 .algorithm_auth = SSL_aGOST01,
252 },
253 241
254 /* aliases combining key exchange and server authentication */ 242 /* aliases combining key exchange and server authentication */
255 { 243 {
@@ -356,14 +344,6 @@ static const SSL_CIPHER cipher_aliases[] = {
356 .algorithm_mac = SSL_SHA1, 344 .algorithm_mac = SSL_SHA1,
357 }, 345 },
358 { 346 {
359 .name = SSL_TXT_GOST94,
360 .algorithm_mac = SSL_GOST94,
361 },
362 {
363 .name = SSL_TXT_GOST89MAC,
364 .algorithm_mac = SSL_GOST89MAC,
365 },
366 {
367 .name = SSL_TXT_SHA256, 347 .name = SSL_TXT_SHA256,
368 .algorithm_mac = SSL_SHA256, 348 .algorithm_mac = SSL_SHA256,
369 }, 349 },
@@ -371,10 +351,6 @@ static const SSL_CIPHER cipher_aliases[] = {
371 .name = SSL_TXT_SHA384, 351 .name = SSL_TXT_SHA384,
372 .algorithm_mac = SSL_SHA384, 352 .algorithm_mac = SSL_SHA384,
373 }, 353 },
374 {
375 .name = SSL_TXT_STREEBOG256,
376 .algorithm_mac = SSL_STREEBOG256,
377 },
378 354
379 /* protocol version aliases */ 355 /* protocol version aliases */
380 { 356 {
@@ -472,11 +448,6 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
472 case SSL_CAMELLIA256: 448 case SSL_CAMELLIA256:
473 *enc = EVP_camellia_256_cbc(); 449 *enc = EVP_camellia_256_cbc();
474 break; 450 break;
475#ifndef OPENSSL_NO_GOST
476 case SSL_eGOST2814789CNT:
477 *enc = EVP_gost2814789_cnt();
478 break;
479#endif
480 } 451 }
481 452
482 switch (ss->cipher->algorithm_mac) { 453 switch (ss->cipher->algorithm_mac) {
@@ -492,21 +463,11 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
492 case SSL_SHA384: 463 case SSL_SHA384:
493 *md = EVP_sha384(); 464 *md = EVP_sha384();
494 break; 465 break;
495#ifndef OPENSSL_NO_GOST
496 case SSL_GOST89MAC:
497 *md = EVP_gost2814789imit();
498 break;
499 case SSL_GOST94:
500 *md = EVP_gostr341194();
501 break;
502 case SSL_STREEBOG256:
503 *md = EVP_streebog256();
504 break;
505#endif
506 } 466 }
507 if (*enc == NULL || *md == NULL) 467 if (*enc == NULL || *md == NULL)
508 return 0; 468 return 0;
509 469
470 /* XXX remove these from ssl_cipher_get_evp? */
510 /* 471 /*
511 * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not 472 * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not
512 * supported via EVP_CIPHER (they should be using EVP_AEAD instead). 473 * supported via EVP_CIPHER (they should be using EVP_AEAD instead).
@@ -515,18 +476,9 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
515 return 0; 476 return 0;
516 if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE) 477 if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
517 return 0; 478 return 0;
518#ifndef OPENSSL_NO_GOST 479
519 /* XXX JFC. die in fire already */ 480 *mac_pkey_type = EVP_PKEY_HMAC;
520 if (ss->cipher->algorithm_mac == SSL_GOST89MAC) { 481 *mac_secret_size = EVP_MD_size(*md);
521 *mac_pkey_type = EVP_PKEY_GOSTIMIT;
522 *mac_secret_size = 32; /* XXX */
523 } else {
524#endif
525 *mac_pkey_type = EVP_PKEY_HMAC;
526 *mac_secret_size = EVP_MD_size(*md);
527#ifndef OPENSSL_NO_GOST
528 }
529#endif
530 return 1; 482 return 1;
531} 483}
532 484
@@ -581,14 +533,6 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
581 case SSL_HANDSHAKE_MAC_DEFAULT: 533 case SSL_HANDSHAKE_MAC_DEFAULT:
582 *md = EVP_md5_sha1(); 534 *md = EVP_md5_sha1();
583 return 1; 535 return 1;
584#ifndef OPENSSL_NO_GOST
585 case SSL_HANDSHAKE_MAC_GOST94:
586 *md = EVP_gostr341194();
587 return 1;
588 case SSL_HANDSHAKE_MAC_STREEBOG256:
589 *md = EVP_streebog256();
590 return 1;
591#endif
592 case SSL_HANDSHAKE_MAC_SHA256: 536 case SSL_HANDSHAKE_MAC_SHA256:
593 *md = EVP_sha256(); 537 *md = EVP_sha256();
594 return 1; 538 return 1;
@@ -641,6 +585,7 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
641 *head = curr; 585 *head = curr;
642} 586}
643 587
588/* XXX beck: remove this in a followon to removing GOST */
644static void 589static void
645ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, 590ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
646 unsigned long *enc, unsigned long *mac, unsigned long *ssl) 591 unsigned long *enc, unsigned long *mac, unsigned long *ssl)
@@ -651,16 +596,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
651 *mac = 0; 596 *mac = 0;
652 *ssl = 0; 597 *ssl = 0;
653 598
654 /*
655 * Check for the availability of GOST 34.10 public/private key
656 * algorithms. If they are not available disable the associated
657 * authentication and key exchange algorithms.
658 */
659#if defined(OPENSSL_NO_GOST) || !defined(EVP_PKEY_GOSTR01)
660 *auth |= SSL_aGOST01;
661 *mkey |= SSL_kGOST;
662#endif
663
664#ifdef SSL_FORBID_ENULL 599#ifdef SSL_FORBID_ENULL
665 *enc |= SSL_eNULL; 600 *enc |= SSL_eNULL;
666#endif 601#endif
@@ -1455,9 +1390,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1455 case SSL_kECDHE: 1390 case SSL_kECDHE:
1456 kx = "ECDH"; 1391 kx = "ECDH";
1457 break; 1392 break;
1458 case SSL_kGOST:
1459 kx = "GOST";
1460 break;
1461 case SSL_kTLS1_3: 1393 case SSL_kTLS1_3:
1462 kx = "TLSv1.3"; 1394 kx = "TLSv1.3";
1463 break; 1395 break;
@@ -1478,9 +1410,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1478 case SSL_aECDSA: 1410 case SSL_aECDSA:
1479 au = "ECDSA"; 1411 au = "ECDSA";
1480 break; 1412 break;
1481 case SSL_aGOST01:
1482 au = "GOST01";
1483 break;
1484 case SSL_aTLS1_3: 1413 case SSL_aTLS1_3:
1485 au = "TLSv1.3"; 1414 au = "TLSv1.3";
1486 break; 1415 break;
@@ -1520,9 +1449,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1520 case SSL_CHACHA20POLY1305: 1449 case SSL_CHACHA20POLY1305:
1521 enc = "ChaCha20-Poly1305"; 1450 enc = "ChaCha20-Poly1305";
1522 break; 1451 break;
1523 case SSL_eGOST2814789CNT:
1524 enc = "GOST-28178-89-CNT";
1525 break;
1526 default: 1452 default:
1527 enc = "unknown"; 1453 enc = "unknown";
1528 break; 1454 break;
@@ -1544,15 +1470,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1544 case SSL_AEAD: 1470 case SSL_AEAD:
1545 mac = "AEAD"; 1471 mac = "AEAD";
1546 break; 1472 break;
1547 case SSL_GOST94:
1548 mac = "GOST94";
1549 break;
1550 case SSL_GOST89MAC:
1551 mac = "GOST89IMIT";
1552 break;
1553 case SSL_STREEBOG256:
1554 mac = "STREEBOG256";
1555 break;
1556 default: 1473 default:
1557 mac = "unknown"; 1474 mac = "unknown";
1558 break; 1475 break;
@@ -1666,8 +1583,6 @@ SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
1666 return NID_des_cbc; 1583 return NID_des_cbc;
1667 case SSL_RC4: 1584 case SSL_RC4:
1668 return NID_rc4; 1585 return NID_rc4;
1669 case SSL_eGOST2814789CNT:
1670 return NID_gost89_cnt;
1671 default: 1586 default:
1672 return NID_undef; 1587 return NID_undef;
1673 } 1588 }
@@ -1680,10 +1595,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
1680 switch (c->algorithm_mac) { 1595 switch (c->algorithm_mac) {
1681 case SSL_AEAD: 1596 case SSL_AEAD:
1682 return NID_undef; 1597 return NID_undef;
1683 case SSL_GOST89MAC:
1684 return NID_id_Gost28147_89_MAC;
1685 case SSL_GOST94:
1686 return NID_id_GostR3411_94;
1687 case SSL_MD5: 1598 case SSL_MD5:
1688 return NID_md5; 1599 return NID_md5;
1689 case SSL_SHA1: 1600 case SSL_SHA1:
@@ -1692,8 +1603,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
1692 return NID_sha256; 1603 return NID_sha256;
1693 case SSL_SHA384: 1604 case SSL_SHA384:
1694 return NID_sha384; 1605 return NID_sha384;
1695 case SSL_STREEBOG256:
1696 return NID_id_tc26_gost3411_2012_256;
1697 default: 1606 default:
1698 return NID_undef; 1607 return NID_undef;
1699 } 1608 }
@@ -1708,8 +1617,6 @@ SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
1708 return NID_kx_dhe; 1617 return NID_kx_dhe;
1709 case SSL_kECDHE: 1618 case SSL_kECDHE:
1710 return NID_kx_ecdhe; 1619 return NID_kx_ecdhe;
1711 case SSL_kGOST:
1712 return NID_kx_gost;
1713 case SSL_kRSA: 1620 case SSL_kRSA:
1714 return NID_kx_rsa; 1621 return NID_kx_rsa;
1715 default: 1622 default:
@@ -1726,8 +1633,6 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
1726 return NID_auth_null; 1633 return NID_auth_null;
1727 case SSL_aECDSA: 1634 case SSL_aECDSA:
1728 return NID_auth_ecdsa; 1635 return NID_auth_ecdsa;
1729 case SSL_aGOST01:
1730 return NID_auth_gost01;
1731 case SSL_aRSA: 1636 case SSL_aRSA:
1732 return NID_auth_rsa; 1637 return NID_auth_rsa;
1733 default: 1638 default:
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 52f5de35a4..56fb9ba1c7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.163 2023/12/29 12:24:33 tb Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.164 2024/02/03 15:58:33 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -161,10 +161,6 @@
161#include <openssl/objects.h> 161#include <openssl/objects.h>
162#include <openssl/opensslconf.h> 162#include <openssl/opensslconf.h>
163 163
164#ifndef OPENSSL_NO_GOST
165#include <openssl/gost.h>
166#endif
167
168#include "bytestring.h" 164#include "bytestring.h"
169#include "dtls_local.h" 165#include "dtls_local.h"
170#include "ssl_local.h" 166#include "ssl_local.h"
@@ -829,7 +825,6 @@ ssl3_get_server_hello(SSL *s)
829 uint8_t compression_method; 825 uint8_t compression_method;
830 const SSL_CIPHER *cipher; 826 const SSL_CIPHER *cipher;
831 const SSL_METHOD *method; 827 const SSL_METHOD *method;
832 unsigned long alg_k;
833 int al, ret; 828 int al, ret;
834 829
835 s->first_packet = 1; 830 s->first_packet = 1;
@@ -1038,8 +1033,7 @@ ssl3_get_server_hello(SSL *s)
1038 * Don't digest cached records if no sigalgs: we may need them for 1033 * Don't digest cached records if no sigalgs: we may need them for
1039 * client authentication. 1034 * client authentication.
1040 */ 1035 */
1041 alg_k = s->s3->hs.cipher->algorithm_mkey; 1036 if (!SSL_USE_SIGALGS(s))
1042 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
1043 tls1_transcript_free(s); 1037 tls1_transcript_free(s);
1044 1038
1045 if (!CBS_get_u8(&cbs, &compression_method)) 1039 if (!CBS_get_u8(&cbs, &compression_method))
@@ -1931,119 +1925,6 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1931} 1925}
1932 1926
1933static int 1927static int
1934ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
1935{
1936 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
1937 EVP_PKEY_CTX *pkey_ctx = NULL;
1938 EVP_MD_CTX *ukm_hash = NULL;
1939 EVP_PKEY *pkey;
1940 size_t msglen;
1941 unsigned int md_len;
1942 CBB gostblob;
1943 int nid;
1944 int ret = 0;
1945
1946 /* Get server certificate PKEY and create ctx from it */
1947 pkey = X509_get0_pubkey(s->session->peer_cert);
1948 if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
1949 SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
1950 goto err;
1951 }
1952 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
1953 SSLerror(s, ERR_R_MALLOC_FAILURE);
1954 goto err;
1955 }
1956
1957 /*
1958 * If we have send a certificate, and certificate key parameters match
1959 * those of server certificate, use certificate key for key exchange.
1960 * Otherwise, generate ephemeral key pair.
1961 */
1962 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0)
1963 goto err;
1964
1965 /* Generate session key. */
1966 arc4random_buf(premaster_secret, sizeof(premaster_secret));
1967
1968 /*
1969 * If we have client certificate, use its secret as peer key.
1970 * XXX - this presumably lacks PFS.
1971 */
1972 if (s->s3->hs.tls12.cert_request != 0 &&
1973 s->cert->key->privatekey != NULL) {
1974 if (EVP_PKEY_derive_set_peer(pkey_ctx,
1975 s->cert->key->privatekey) <=0) {
1976 /*
1977 * If there was an error - just ignore it.
1978 * Ephemeral key would be used.
1979 */
1980 ERR_clear_error();
1981 }
1982 }
1983
1984 /*
1985 * Compute shared IV and store it in algorithm-specific context data.
1986 */
1987 if ((ukm_hash = EVP_MD_CTX_new()) == NULL) {
1988 SSLerror(s, ERR_R_MALLOC_FAILURE);
1989 goto err;
1990 }
1991
1992 /* XXX check handshake hash instead. */
1993 if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
1994 nid = NID_id_GostR3411_94;
1995 else
1996 nid = NID_id_tc26_gost3411_2012_256;
1997 if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid)))
1998 goto err;
1999 if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE))
2000 goto err;
2001 if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE))
2002 goto err;
2003 if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len))
2004 goto err;
2005 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2006 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2007 SSLerror(s, SSL_R_LIBRARY_BUG);
2008 goto err;
2009 }
2010
2011 /*
2012 * Make GOST keytransport blob message, encapsulate it into sequence.
2013 */
2014 msglen = 255;
2015 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
2016 sizeof(premaster_secret)) < 0) {
2017 SSLerror(s, SSL_R_LIBRARY_BUG);
2018 goto err;
2019 }
2020
2021 if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
2022 goto err;
2023 if (!CBB_add_bytes(&gostblob, tmp, msglen))
2024 goto err;
2025 if (!CBB_flush(cbb))
2026 goto err;
2027
2028 /* Check if pubkey from client certificate was used. */
2029 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
2030 NULL) > 0)
2031 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2032
2033 if (!tls12_derive_master_secret(s, premaster_secret, 32))
2034 goto err;
2035
2036 ret = 1;
2037
2038 err:
2039 explicit_bzero(premaster_secret, sizeof(premaster_secret));
2040 EVP_PKEY_CTX_free(pkey_ctx);
2041 EVP_MD_CTX_free(ukm_hash);
2042
2043 return ret;
2044}
2045
2046static int
2047ssl3_send_client_key_exchange(SSL *s) 1928ssl3_send_client_key_exchange(SSL *s)
2048{ 1929{
2049 unsigned long alg_k; 1930 unsigned long alg_k;
@@ -2067,9 +1948,6 @@ ssl3_send_client_key_exchange(SSL *s)
2067 } else if (alg_k & SSL_kECDHE) { 1948 } else if (alg_k & SSL_kECDHE) {
2068 if (!ssl3_send_client_kex_ecdhe(s, &kex)) 1949 if (!ssl3_send_client_kex_ecdhe(s, &kex))
2069 goto err; 1950 goto err;
2070 } else if (alg_k & SSL_kGOST) {
2071 if (!ssl3_send_client_kex_gost(s, &kex))
2072 goto err;
2073 } else { 1951 } else {
2074 ssl3_send_alert(s, SSL3_AL_FATAL, 1952 ssl3_send_alert(s, SSL3_AL_FATAL,
2075 SSL_AD_HANDSHAKE_FAILURE); 1953 SSL_AD_HANDSHAKE_FAILURE);
@@ -2115,14 +1993,6 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
2115 SSLerror(s, ERR_R_EVP_LIB); 1993 SSLerror(s, ERR_R_EVP_LIB);
2116 goto err; 1994 goto err;
2117 } 1995 }
2118#ifndef OPENSSL_NO_GOST
2119 if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2120 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2121 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2122 SSLerror(s, ERR_R_EVP_LIB);
2123 goto err;
2124 }
2125#endif
2126 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && 1996 if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) &&
2127 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || 1997 (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
2128 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { 1998 !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) {
@@ -2230,72 +2100,6 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2230 return ret; 2100 return ret;
2231} 2101}
2232 2102
2233#ifndef OPENSSL_NO_GOST
2234static int
2235ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2236{
2237 CBB cbb_signature;
2238 EVP_MD_CTX *mctx;
2239 EVP_PKEY_CTX *pctx;
2240 const EVP_MD *md;
2241 const unsigned char *hdata;
2242 unsigned char *signature = NULL;
2243 size_t signature_len;
2244 size_t hdata_len;
2245 int nid;
2246 int ret = 0;
2247
2248 if ((mctx = EVP_MD_CTX_new()) == NULL)
2249 goto err;
2250
2251 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
2252 SSLerror(s, ERR_R_INTERNAL_ERROR);
2253 goto err;
2254 }
2255 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2256 (md = EVP_get_digestbynid(nid)) == NULL) {
2257 SSLerror(s, ERR_R_EVP_LIB);
2258 goto err;
2259 }
2260 if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) {
2261 SSLerror(s, ERR_R_EVP_LIB);
2262 goto err;
2263 }
2264#ifndef OPENSSL_NO_GOST
2265 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
2266 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) {
2267 SSLerror(s, ERR_R_EVP_LIB);
2268 goto err;
2269 }
2270#endif
2271 if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) {
2272 SSLerror(s, ERR_R_EVP_LIB);
2273 goto err;
2274 }
2275 if ((signature = calloc(1, signature_len)) == NULL) {
2276 SSLerror(s, ERR_R_MALLOC_FAILURE);
2277 goto err;
2278 }
2279 if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) {
2280 SSLerror(s, ERR_R_EVP_LIB);
2281 goto err;
2282 }
2283
2284 if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature))
2285 goto err;
2286 if (!CBB_add_bytes(&cbb_signature, signature, signature_len))
2287 goto err;
2288 if (!CBB_flush(cert_verify))
2289 goto err;
2290
2291 ret = 1;
2292 err:
2293 EVP_MD_CTX_free(mctx);
2294 free(signature);
2295 return ret;
2296}
2297#endif
2298
2299static int 2103static int
2300ssl3_send_client_verify(SSL *s) 2104ssl3_send_client_verify(SSL *s)
2301{ 2105{
@@ -2331,12 +2135,6 @@ ssl3_send_client_verify(SSL *s)
2331 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { 2135 } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
2332 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify)) 2136 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2333 goto err; 2137 goto err;
2334#ifndef OPENSSL_NO_GOST
2335 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2336 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2337 if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify))
2338 goto err;
2339#endif
2340 } else { 2138 } else {
2341 SSLerror(s, ERR_R_INTERNAL_ERROR); 2139 SSLerror(s, ERR_R_INTERNAL_ERROR);
2342 goto err; 2140 goto err;
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 28097ea70a..30ca96b2fa 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_err.c,v 1.46 2023/07/08 16:40:13 beck Exp $ */ 1/* $OpenBSD: ssl_err.c,v 1.47 2024/02/03 15:58:33 beck Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -306,7 +306,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
306 {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"}, 306 {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"},
307 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"}, 307 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"},
308 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"}, 308 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"},
309 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"},
310 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) , "no method specified"}, 309 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) , "no method specified"},
311 {ERR_REASON(SSL_R_NO_PRIVATEKEY) , "no privatekey"}, 310 {ERR_REASON(SSL_R_NO_PRIVATEKEY) , "no privatekey"},
312 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"}, 311 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c97441c9c0..0277202de3 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.318 2023/12/29 12:24:33 tb Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.319 2024/02/03 15:58:34 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2297,12 +2297,6 @@ ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher)
2297 mask_a |= SSL_aECDSA; 2297 mask_a |= SSL_aECDSA;
2298 } 2298 }
2299 2299
2300 cpk = &(c->pkeys[SSL_PKEY_GOST01]);
2301 if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2302 mask_k |= SSL_kGOST;
2303 mask_a |= SSL_aGOST01;
2304 }
2305
2306 cpk = &(c->pkeys[SSL_PKEY_RSA]); 2300 cpk = &(c->pkeys[SSL_PKEY_RSA]);
2307 if (cpk->x509 != NULL && cpk->privatekey != NULL) { 2301 if (cpk->x509 != NULL && cpk->privatekey != NULL) {
2308 mask_a |= SSL_aRSA; 2302 mask_a |= SSL_aRSA;
@@ -2363,8 +2357,6 @@ ssl_get_server_send_pkey(const SSL *s)
2363 i = SSL_PKEY_ECC; 2357 i = SSL_PKEY_ECC;
2364 } else if (alg_a & SSL_aRSA) { 2358 } else if (alg_a & SSL_aRSA) {
2365 i = SSL_PKEY_RSA; 2359 i = SSL_PKEY_RSA;
2366 } else if (alg_a & SSL_aGOST01) {
2367 i = SSL_PKEY_GOST01;
2368 } else { /* if (alg_a & SSL_aNULL) */ 2360 } else { /* if (alg_a & SSL_aNULL) */
2369 SSLerror(s, ERR_R_INTERNAL_ERROR); 2361 SSLerror(s, ERR_R_INTERNAL_ERROR);
2370 return (NULL); 2362 return (NULL);
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index bd6275fac7..b4d093b226 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_local.h,v 1.12 2023/12/29 12:24:33 tb Exp $ */ 1/* $OpenBSD: ssl_local.h,v 1.13 2024/02/03 15:58:34 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -197,7 +197,6 @@ __BEGIN_HIDDEN_DECLS
197#define SSL_kRSA 0x00000001L /* RSA key exchange */ 197#define SSL_kRSA 0x00000001L /* RSA key exchange */
198#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ 198#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
199#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ 199#define SSL_kECDHE 0x00000080L /* ephemeral ECDH */
200#define SSL_kGOST 0x00000200L /* GOST key exchange */
201#define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */ 200#define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */
202 201
203/* Bits for algorithm_auth (server authentication) */ 202/* Bits for algorithm_auth (server authentication) */
@@ -205,7 +204,6 @@ __BEGIN_HIDDEN_DECLS
205#define SSL_aDSS 0x00000002L /* DSS auth */ 204#define SSL_aDSS 0x00000002L /* DSS auth */
206#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ 205#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
207#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ 206#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
208#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
209#define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */ 207#define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */
210 208
211/* Bits for algorithm_enc (symmetric encryption) */ 209/* Bits for algorithm_enc (symmetric encryption) */
@@ -218,7 +216,6 @@ __BEGIN_HIDDEN_DECLS
218#define SSL_AES256 0x00000040L 216#define SSL_AES256 0x00000040L
219#define SSL_CAMELLIA128 0x00000080L 217#define SSL_CAMELLIA128 0x00000080L
220#define SSL_CAMELLIA256 0x00000100L 218#define SSL_CAMELLIA256 0x00000100L
221#define SSL_eGOST2814789CNT 0x00000200L
222#define SSL_AES128GCM 0x00000400L 219#define SSL_AES128GCM 0x00000400L
223#define SSL_AES256GCM 0x00000800L 220#define SSL_AES256GCM 0x00000800L
224#define SSL_CHACHA20POLY1305 0x00001000L 221#define SSL_CHACHA20POLY1305 0x00001000L
@@ -231,8 +228,6 @@ __BEGIN_HIDDEN_DECLS
231 228
232#define SSL_MD5 0x00000001L 229#define SSL_MD5 0x00000001L
233#define SSL_SHA1 0x00000002L 230#define SSL_SHA1 0x00000002L
234#define SSL_GOST94 0x00000004L
235#define SSL_GOST89MAC 0x00000008L
236#define SSL_SHA256 0x00000010L 231#define SSL_SHA256 0x00000010L
237#define SSL_SHA384 0x00000020L 232#define SSL_SHA384 0x00000020L
238/* Not a real MAC, just an indication it is part of cipher */ 233/* Not a real MAC, just an indication it is part of cipher */
@@ -251,10 +246,8 @@ __BEGIN_HIDDEN_DECLS
251#define SSL_HANDSHAKE_MAC_MASK 0xff0 246#define SSL_HANDSHAKE_MAC_MASK 0xff0
252#define SSL_HANDSHAKE_MAC_MD5 0x010 247#define SSL_HANDSHAKE_MAC_MD5 0x010
253#define SSL_HANDSHAKE_MAC_SHA 0x020 248#define SSL_HANDSHAKE_MAC_SHA 0x020
254#define SSL_HANDSHAKE_MAC_GOST94 0x040
255#define SSL_HANDSHAKE_MAC_SHA256 0x080 249#define SSL_HANDSHAKE_MAC_SHA256 0x080
256#define SSL_HANDSHAKE_MAC_SHA384 0x100 250#define SSL_HANDSHAKE_MAC_SHA384 0x100
257#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
258#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) 251#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
259 252
260#define SSL3_CK_ID 0x03000000 253#define SSL3_CK_ID 0x03000000
@@ -267,17 +260,9 @@ __BEGIN_HIDDEN_DECLS
267#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT) 260#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
268#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT) 261#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
269#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT) 262#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
270#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
271#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
272#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) 263#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
273 264
274/* 265/*
275 * Stream MAC for GOST ciphersuites from cryptopro draft
276 * (currently this also goes into algorithm2).
277 */
278#define TLS1_STREAM_MAC 0x04
279
280/*
281 * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that 266 * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that
282 * indicates that the variable part of the nonce is included as a prefix of 267 * indicates that the variable part of the nonce is included as a prefix of
283 * the record (AES-GCM, for example, does this with an 8-byte variable nonce.) 268 * the record (AES-GCM, for example, does this with an 8-byte variable nonce.)
@@ -324,8 +309,7 @@ __BEGIN_HIDDEN_DECLS
324 309
325#define SSL_PKEY_RSA 0 310#define SSL_PKEY_RSA 0
326#define SSL_PKEY_ECC 1 311#define SSL_PKEY_ECC 1
327#define SSL_PKEY_GOST01 2 312#define SSL_PKEY_NUM 2
328#define SSL_PKEY_NUM 3
329 313
330#define SSL_MAX_EMPTY_RECORDS 32 314#define SSL_MAX_EMPTY_RECORDS 32
331 315
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index f59beb4320..9876e82a6f 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.49 2024/02/03 15:58:34 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -41,14 +41,6 @@ const struct ssl_sigalg sigalgs[] = {
41 .security_level = 5, 41 .security_level = 5,
42 .group_nid = NID_secp521r1, 42 .group_nid = NID_secp521r1,
43 }, 43 },
44#ifndef OPENSSL_NO_GOST
45 {
46 .value = SIGALG_GOSTR12_512_STREEBOG_512,
47 .key_type = EVP_PKEY_GOSTR12_512,
48 .md = EVP_streebog512,
49 .security_level = 0,
50 },
51#endif
52 { 44 {
53 .value = SIGALG_RSA_PKCS1_SHA384, 45 .value = SIGALG_RSA_PKCS1_SHA384,
54 .key_type = EVP_PKEY_RSA, 46 .key_type = EVP_PKEY_RSA,
@@ -75,20 +67,6 @@ const struct ssl_sigalg sigalgs[] = {
75 .security_level = 3, 67 .security_level = 3,
76 .group_nid = NID_X9_62_prime256v1, 68 .group_nid = NID_X9_62_prime256v1,
77 }, 69 },
78#ifndef OPENSSL_NO_GOST
79 {
80 .value = SIGALG_GOSTR12_256_STREEBOG_256,
81 .key_type = EVP_PKEY_GOSTR12_256,
82 .md = EVP_streebog256,
83 .security_level = 0,
84 },
85 {
86 .value = SIGALG_GOSTR01_GOST94,
87 .key_type = EVP_PKEY_GOSTR01,
88 .md = EVP_gostr341194,
89 .security_level = 0, /* XXX */
90 },
91#endif
92 { 70 {
93 .value = SIGALG_RSA_PSS_RSAE_SHA256, 71 .value = SIGALG_RSA_PSS_RSAE_SHA256,
94 .key_type = EVP_PKEY_RSA, 72 .key_type = EVP_PKEY_RSA,
@@ -283,10 +261,6 @@ ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
283 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); 261 return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
284 case EVP_PKEY_EC: 262 case EVP_PKEY_EC:
285 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); 263 return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
286#ifndef OPENSSL_NO_GOST
287 case EVP_PKEY_GOSTR01:
288 return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94);
289#endif
290 } 264 }
291 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); 265 SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
292 return NULL; 266 return NULL;
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 21a54d642b..5211ec6b62 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */ 1/* $OpenBSD: ssl_sigalgs.h,v 1.27 2024/02/03 15:58:34 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -47,14 +47,6 @@ __BEGIN_HIDDEN_DECLS
47#define SIGALG_PRIVATE_START 0xFE00 47#define SIGALG_PRIVATE_START 0xFE00
48#define SIGALG_PRIVATE_END 0xFFFF 48#define SIGALG_PRIVATE_END 0xFFFF
49 49
50/*
51 * If Russia can elect the US President, surely
52 * IANA could fix this problem.
53 */
54#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF
55#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE
56#define SIGALG_GOSTR01_GOST94 0xEDED
57
58/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */ 50/* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */
59#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01 51#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01
60 52
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index f26fde5061..117afac85e 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.159 2024/02/03 15:58:34 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -162,10 +162,6 @@
162#include <openssl/opensslconf.h> 162#include <openssl/opensslconf.h>
163#include <openssl/x509.h> 163#include <openssl/x509.h>
164 164
165#ifndef OPENSSL_NO_GOST
166#include <openssl/gost.h>
167#endif
168
169#include "bytestring.h" 165#include "bytestring.h"
170#include "dtls_local.h" 166#include "dtls_local.h"
171#include "ssl_local.h" 167#include "ssl_local.h"
@@ -564,15 +560,7 @@ ssl3_accept(SSL *s)
564 } 560 }
565 561
566 alg_k = s->s3->hs.cipher->algorithm_mkey; 562 alg_k = s->s3->hs.cipher->algorithm_mkey;
567 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 563 if (SSL_USE_SIGALGS(s)) {
568 /*
569 * A GOST client may use the key from its
570 * certificate for key exchange, in which case
571 * the CertificateVerify message is not sent.
572 */
573 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
574 s->init_num = 0;
575 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
576 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; 564 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
577 s->init_num = 0; 565 s->init_num = 0;
578 if (!s->session->peer_cert) 566 if (!s->session->peer_cert)
@@ -795,7 +783,6 @@ ssl3_get_client_hello(SSL *s)
795 unsigned long id; 783 unsigned long id;
796 SSL_CIPHER *c; 784 SSL_CIPHER *c;
797 STACK_OF(SSL_CIPHER) *ciphers = NULL; 785 STACK_OF(SSL_CIPHER) *ciphers = NULL;
798 unsigned long alg_k;
799 const SSL_METHOD *method; 786 const SSL_METHOD *method;
800 uint16_t shared_version; 787 uint16_t shared_version;
801 788
@@ -1138,10 +1125,8 @@ ssl3_get_client_hello(SSL *s)
1138 if (!tls1_transcript_hash_init(s)) 1125 if (!tls1_transcript_hash_init(s))
1139 goto err; 1126 goto err;
1140 1127
1141 alg_k = s->s3->hs.cipher->algorithm_mkey; 1128 if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER))
1142 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || 1129 tls1_transcript_free(s);
1143 !(s->verify_mode & SSL_VERIFY_PEER))
1144 tls1_transcript_free(s);
1145 1130
1146 /* 1131 /*
1147 * We now have the following setup. 1132 * We now have the following setup.
@@ -1816,75 +1801,6 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1816} 1801}
1817 1802
1818static int 1803static int
1819ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1820{
1821 unsigned char premaster_secret[32];
1822 EVP_PKEY_CTX *pkey_ctx = NULL;
1823 EVP_PKEY *client_pubkey;
1824 EVP_PKEY *pkey = NULL;
1825 size_t outlen;
1826 CBS gostblob;
1827
1828 /* Get our certificate private key*/
1829#ifndef OPENSSL_NO_GOST
1830 if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1831 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1832#endif
1833
1834 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
1835 goto err;
1836 if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
1837 goto err;
1838
1839 /*
1840 * If client certificate is present and is of the same type,
1841 * maybe use it for key exchange.
1842 * Don't mind errors from EVP_PKEY_derive_set_peer, because
1843 * it is completely valid to use a client certificate for
1844 * authorization only.
1845 */
1846 if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
1847 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
1848 ERR_clear_error();
1849 }
1850
1851 /* Decrypt session key */
1852 if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
1853 goto decode_err;
1854 if (CBS_len(cbs) != 0)
1855 goto decode_err;
1856 outlen = sizeof(premaster_secret);
1857 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
1858 CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
1859 SSLerror(s, SSL_R_DECRYPTION_FAILED);
1860 goto err;
1861 }
1862
1863 if (!tls12_derive_master_secret(s, premaster_secret,
1864 sizeof(premaster_secret)))
1865 goto err;
1866
1867 /* Check if pubkey from client certificate was used */
1868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
1869 2, NULL) > 0)
1870 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
1871
1872 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1873 EVP_PKEY_CTX_free(pkey_ctx);
1874
1875 return 1;
1876
1877 decode_err:
1878 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1879 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1880 err:
1881 explicit_bzero(premaster_secret, sizeof(premaster_secret));
1882 EVP_PKEY_CTX_free(pkey_ctx);
1883
1884 return 0;
1885}
1886
1887static int
1888ssl3_get_client_key_exchange(SSL *s) 1804ssl3_get_client_key_exchange(SSL *s)
1889{ 1805{
1890 unsigned long alg_k; 1806 unsigned long alg_k;
@@ -1912,9 +1828,6 @@ ssl3_get_client_key_exchange(SSL *s)
1912 } else if (alg_k & SSL_kECDHE) { 1828 } else if (alg_k & SSL_kECDHE) {
1913 if (!ssl3_get_client_kex_ecdhe(s, &cbs)) 1829 if (!ssl3_get_client_kex_ecdhe(s, &cbs))
1914 goto err; 1830 goto err;
1915 } else if (alg_k & SSL_kGOST) {
1916 if (!ssl3_get_client_kex_gost(s, &cbs))
1917 goto err;
1918 } else { 1831 } else {
1919 al = SSL_AD_HANDSHAKE_FAILURE; 1832 al = SSL_AD_HANDSHAKE_FAILURE;
1920 SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE); 1833 SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE);
@@ -2043,15 +1956,6 @@ ssl3_get_cert_verify(SSL *s)
2043 al = SSL_AD_INTERNAL_ERROR; 1956 al = SSL_AD_INTERNAL_ERROR;
2044 goto fatal_err; 1957 goto fatal_err;
2045 } 1958 }
2046#ifndef OPENSSL_NO_GOST
2047 if (sigalg->key_type == EVP_PKEY_GOSTR01 &&
2048 EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2049 EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE,
2050 NULL) <= 0) {
2051 al = SSL_AD_INTERNAL_ERROR;
2052 goto fatal_err;
2053 }
2054#endif
2055 if (EVP_DigestVerify(mctx, CBS_data(&signature), 1959 if (EVP_DigestVerify(mctx, CBS_data(&signature),
2056 CBS_len(&signature), hdata, hdatalen) <= 0) { 1960 CBS_len(&signature), hdata, hdatalen) <= 0) {
2057 SSLerror(s, ERR_R_EVP_LIB); 1961 SSLerror(s, ERR_R_EVP_LIB);
@@ -2096,54 +2000,6 @@ ssl3_get_cert_verify(SSL *s)
2096 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); 2000 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
2097 goto fatal_err; 2001 goto fatal_err;
2098 } 2002 }
2099#ifndef OPENSSL_NO_GOST
2100 } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
2101 EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2102 unsigned char sigbuf[128];
2103 unsigned int siglen = sizeof(sigbuf);
2104 EVP_PKEY_CTX *pctx;
2105 const EVP_MD *md;
2106 int nid;
2107
2108 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2109 SSLerror(s, ERR_R_INTERNAL_ERROR);
2110 al = SSL_AD_INTERNAL_ERROR;
2111 goto fatal_err;
2112 }
2113 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
2114 !(md = EVP_get_digestbynid(nid))) {
2115 SSLerror(s, ERR_R_EVP_LIB);
2116 al = SSL_AD_INTERNAL_ERROR;
2117 goto fatal_err;
2118 }
2119 if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
2120 SSLerror(s, ERR_R_EVP_LIB);
2121 al = SSL_AD_INTERNAL_ERROR;
2122 goto fatal_err;
2123 }
2124 if (!EVP_DigestInit_ex(mctx, md, NULL) ||
2125 !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
2126 !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
2127 (EVP_PKEY_verify_init(pctx) <= 0) ||
2128 (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
2129 (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
2130 EVP_PKEY_CTRL_GOST_SIG_FORMAT,
2131 GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
2132 SSLerror(s, ERR_R_EVP_LIB);
2133 al = SSL_AD_INTERNAL_ERROR;
2134 EVP_PKEY_CTX_free(pctx);
2135 goto fatal_err;
2136 }
2137 if (EVP_PKEY_verify(pctx, CBS_data(&signature),
2138 CBS_len(&signature), sigbuf, siglen) <= 0) {
2139 al = SSL_AD_DECRYPT_ERROR;
2140 SSLerror(s, SSL_R_BAD_SIGNATURE);
2141 EVP_PKEY_CTX_free(pctx);
2142 goto fatal_err;
2143 }
2144
2145 EVP_PKEY_CTX_free(pctx);
2146#endif
2147 } else { 2003 } else {
2148 SSLerror(s, ERR_R_INTERNAL_ERROR); 2004 SSLerror(s, ERR_R_INTERNAL_ERROR);
2149 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 2005 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 2bdbd3c184..daf6cba6fa 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls1.h,v 1.56 2022/07/17 14:39:09 jsing Exp $ */ 1/* $OpenBSD: tls1.h,v 1.57 2024/02/03 15:58:34 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -741,18 +741,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
741#define TLS_CT_DSS_SIGN 2 741#define TLS_CT_DSS_SIGN 2
742#define TLS_CT_RSA_FIXED_DH 3 742#define TLS_CT_RSA_FIXED_DH 3
743#define TLS_CT_DSS_FIXED_DH 4 743#define TLS_CT_DSS_FIXED_DH 4
744#define TLS_CT_GOST94_SIGN 21
745#define TLS_CT_GOST01_SIGN 22
746#define TLS_CT_ECDSA_SIGN 64 744#define TLS_CT_ECDSA_SIGN 64
747#define TLS_CT_RSA_FIXED_ECDH 65 745#define TLS_CT_RSA_FIXED_ECDH 65
748#define TLS_CT_ECDSA_FIXED_ECDH 66 746#define TLS_CT_ECDSA_FIXED_ECDH 66
749#define TLS_CT_GOST12_256_SIGN 67
750#define TLS_CT_GOST12_512_SIGN 68
751#define TLS_CT_GOST12_256_SIGN_COMPAT 238 /* pre-IANA, for compat */
752#define TLS_CT_GOST12_512_SIGN_COMPAT 239 /* pre-IANA, for compat */
753/* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see 747/* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
754 * comment there) */ 748 * comment there) */
755#define TLS_CT_NUMBER 13 749#define TLS_CT_NUMBER 7
756 750
757#define TLS1_FINISH_MAC_LENGTH 12 751#define TLS1_FINISH_MAC_LENGTH 12
758 752
diff --git a/src/lib/libssl/tls12_key_schedule.c b/src/lib/libssl/tls12_key_schedule.c
index 6d714c1183..1ac003329e 100644
--- a/src/lib/libssl/tls12_key_schedule.c
+++ b/src/lib/libssl/tls12_key_schedule.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_key_schedule.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */ 1/* $OpenBSD: tls12_key_schedule.c,v 1.4 2024/02/03 15:58:34 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -124,10 +124,6 @@ tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
124 mac_key_len = EVP_MD_size(mac_hash); 124 mac_key_len = EVP_MD_size(mac_hash);
125 key_len = EVP_CIPHER_key_length(cipher); 125 key_len = EVP_CIPHER_key_length(cipher);
126 iv_len = EVP_CIPHER_iv_length(cipher); 126 iv_len = EVP_CIPHER_iv_length(cipher);
127
128 /* Special handling for GOST... */
129 if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC)
130 mac_key_len = 32;
131 } 127 }
132 128
133 if (mac_key_len > EVP_MAX_MD_SIZE) 129 if (mac_key_len > EVP_MAX_MD_SIZE)
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 3f2fe71e21..9786d7d0bd 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls12_record_layer.c,v 1.41 2024/01/18 16:30:43 tb Exp $ */ 1/* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -468,7 +468,6 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
468 CBS *iv) 468 CBS *iv)
469{ 469{
470 EVP_PKEY *mac_pkey = NULL; 470 EVP_PKEY *mac_pkey = NULL;
471 int gost_param_nid;
472 int mac_type; 471 int mac_type;
473 int ret = 0; 472 int ret = 0;
474 473
@@ -484,25 +483,10 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
484 goto err; 483 goto err;
485 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key)) 484 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
486 goto err; 485 goto err;
487 486 if (CBS_len(mac_key) > INT_MAX)
488#ifndef OPENSSL_NO_GOST 487 goto err;
489 /* XXX die die die */ 488 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
490 /* Special handling for GOST... */ 489 goto err;
491 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
492 if (CBS_len(mac_key) != 32)
493 goto err;
494 mac_type = EVP_PKEY_GOSTIMIT;
495 rp->stream_mac = 1;
496 } else {
497#endif
498 if (CBS_len(mac_key) > INT_MAX)
499 goto err;
500 if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
501 goto err;
502#ifndef OPENSSL_NO_GOST
503 }
504#endif
505
506 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 490 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
507 goto err; 491 goto err;
508 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL) 492 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
@@ -524,23 +508,6 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
524 mac_pkey) <= 0) 508 mac_pkey) <= 0)
525 goto err; 509 goto err;
526 510
527 /* More special handling for GOST... */
528 if (EVP_CIPHER_nid(rl->cipher) == NID_gost89_cnt) {
529 gost_param_nid = NID_id_tc26_gost_28147_param_Z;
530 if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94)
531 gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
532
533 if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX,
534 gost_param_nid, 0) <= 0)
535 goto err;
536
537 if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
538 if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX,
539 gost_param_nid, 0) <= 0)
540 goto err;
541 }
542 }
543
544 ret = 1; 511 ret = 1;
545 512
546 err: 513 err:
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-14 22:34:52 +0000