3 files changed, 45 insertions, 179 deletions
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index b63f36b3f1..bb736c5de9 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */
+/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,8 +119,7 @@ SSL_library_init(void)
        EVP_add_digest(EVP_streebog256());
        EVP_add_digest(EVP_streebog512());
 #endif
-        /* initialize cipher/digest methods table */
-        ssl_load_ciphers();
        return (1);
 }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 3cbf368ad3..ed167efffd 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.108 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -150,41 +150,6 @@
 #include "ssl_locl.h"
-#define SSL_ENC_3DES_IDX        0
-#define SSL_ENC_RC4_IDX         1
-#define SSL_ENC_NULL_IDX        2
-#define SSL_ENC_AES128_IDX      3
-#define SSL_ENC_AES256_IDX      4
-#define SSL_ENC_CAMELLIA128_IDX 5
-#define SSL_ENC_CAMELLIA256_IDX 6
-#define SSL_ENC_GOST89_IDX      7
-#define SSL_ENC_NUM_IDX         8
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-};
-#define SSL_MD_MD5_IDX          0
-#define SSL_MD_SHA1_IDX         1
-#define SSL_MD_GOST94_IDX       2
-#define SSL_MD_GOST89MAC_IDX    3
-#define SSL_MD_SHA256_IDX       4
-#define SSL_MD_SHA384_IDX       5
-#define SSL_MD_STREEBOG256_IDX  6
-#define SSL_MD_NUM_IDX          7
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-};
-static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
-};
-static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
-        0, 0, 0, 0, 0, 0, 0,
-};
 #define CIPHER_ADD      1
 #define CIPHER_KILL     2
 #define CIPHER_DEL      3
@@ -446,164 +411,77 @@ static const SSL_CIPHER cipher_aliases[] = {
        },
 };
-void
-ssl_load_ciphers(void)
-{
-        ssl_cipher_methods[SSL_ENC_3DES_IDX] =
-            EVP_get_cipherbyname(SN_des_ede3_cbc);
-        ssl_cipher_methods[SSL_ENC_RC4_IDX] =
-            EVP_get_cipherbyname(SN_rc4);
-        ssl_cipher_methods[SSL_ENC_AES128_IDX] =
-            EVP_get_cipherbyname(SN_aes_128_cbc);
-        ssl_cipher_methods[SSL_ENC_AES256_IDX] =
-            EVP_get_cipherbyname(SN_aes_256_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
-            EVP_get_cipherbyname(SN_camellia_128_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
-            EVP_get_cipherbyname(SN_camellia_256_cbc);
-        ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
-            EVP_get_cipherbyname(SN_gost89_cnt);
-        ssl_digest_methods[SSL_MD_MD5_IDX] =
-            EVP_get_digestbyname(SN_md5);
-        ssl_mac_secret_size[SSL_MD_MD5_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_SHA1_IDX] =
-            EVP_get_digestbyname(SN_sha1);
-        ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_GOST94_IDX] =
-            EVP_get_digestbyname(SN_id_GostR3411_94);
-        if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
-                    EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
-                OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
-        }
-        ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
-            EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
-        if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
-        }
-        ssl_digest_methods[SSL_MD_SHA256_IDX] =
-            EVP_get_digestbyname(SN_sha256);
-        ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
-        ssl_digest_methods[SSL_MD_SHA384_IDX] =
-            EVP_get_digestbyname(SN_sha384);
-        ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
-        ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
-            EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
-        ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
-}
 int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc,
    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
 {
-        const SSL_CIPHER *c;
+        *enc = NULL;
-        int i;
+        *md = NULL;
+        *mac_pkey_type = NID_undef;
+        *mac_secret_size = 0;
-        c = s->cipher;
+        if (ss->cipher == NULL)
-        if (c == NULL)
+                return 0;
-                return (0);
        /*
         * This function does not handle EVP_AEAD.
         * See ssl_cipher_get_aead_evp instead.
         */
-        if (c->algorithm_mac & SSL_AEAD)
+        if (ss->cipher->algorithm_mac & SSL_AEAD)
-                return(0);
+                return 0;
-        if ((enc == NULL) || (md == NULL))
-                return (0);
-        switch (c->algorithm_enc) {
+        switch (ss->cipher->algorithm_enc) {
        case SSL_3DES:
-                i = SSL_ENC_3DES_IDX;
+                *enc = EVP_des_ede3_cbc();
                break;
        case SSL_RC4:
-                i = SSL_ENC_RC4_IDX;
+                *enc = EVP_rc4();
                break;
        case SSL_eNULL:
-                i = SSL_ENC_NULL_IDX;
+                *enc = EVP_enc_null();
                break;
        case SSL_AES128:
-                i = SSL_ENC_AES128_IDX;
+                *enc = EVP_aes_128_cbc();
                break;
        case SSL_AES256:
-                i = SSL_ENC_AES256_IDX;
+                *enc = EVP_aes_256_cbc();
                break;
        case SSL_CAMELLIA128:
-                i = SSL_ENC_CAMELLIA128_IDX;
+                *enc = EVP_camellia_128_cbc();
                break;
        case SSL_CAMELLIA256:
-                i = SSL_ENC_CAMELLIA256_IDX;
+                *enc = EVP_camellia_256_cbc();
                break;
        case SSL_eGOST2814789CNT:
-                i = SSL_ENC_GOST89_IDX;
+                *enc = EVP_gost2814789_cnt();
                break;
-        default:
-                i = -1;
-                break;
-        }
-        if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
-                *enc = NULL;
-        else {
-                if (i == SSL_ENC_NULL_IDX)
-                        *enc = EVP_enc_null();
-                else
-                        *enc = ssl_cipher_methods[i];
        }
-        switch (c->algorithm_mac) {
+        switch (ss->cipher->algorithm_mac) {
        case SSL_MD5:
-                i = SSL_MD_MD5_IDX;
+                *md = EVP_md5();
                break;
        case SSL_SHA1:
-                i = SSL_MD_SHA1_IDX;
+                *md = EVP_sha1();
                break;
        case SSL_SHA256:
-                i = SSL_MD_SHA256_IDX;
+                *md = EVP_sha256();
                break;
        case SSL_SHA384:
-                i = SSL_MD_SHA384_IDX;
+                *md = EVP_sha384();
-                break;
-        case SSL_GOST94:
-                i = SSL_MD_GOST94_IDX;
                break;
        case SSL_GOST89MAC:
-                i = SSL_MD_GOST89MAC_IDX;
+                *md = EVP_gost2814789imit();
                break;
-        case SSL_STREEBOG256:
+        case SSL_GOST94:
-                i = SSL_MD_STREEBOG256_IDX;
+                *md = EVP_gostr341194();
                break;
-        default:
+        case SSL_STREEBOG256:
-                i = -1;
+                *md = EVP_streebog256();
                break;
        }
-        if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
-                *md = NULL;
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = NID_undef;
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = 0;
-        } else {
-                *md = ssl_digest_methods[i];
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = ssl_mac_pkey_id[i];
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = ssl_mac_secret_size[i];
-        }
-        if (*enc == NULL || *md == NULL ||
+        if (*enc == NULL || *md == NULL)
-            (mac_pkey_type != NULL && *mac_pkey_type == NID_undef))
                return 0;
        /*
@@ -615,6 +493,14 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
                return 0;
+        if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
+                *mac_pkey_type = EVP_PKEY_GOSTIMIT;
+                *mac_secret_size = 32; /* XXX */
+        } else {
+                *mac_pkey_type = EVP_PKEY_HMAC;
+                *mac_secret_size = EVP_MD_size(*md);
+        }
        return 1;
 }
@@ -623,18 +509,16 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 * for s->cipher. It returns 1 on success and 0 on error.
 */
 int
-ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
+ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead)
 {
-        const SSL_CIPHER *c = s->cipher;
        *aead = NULL;
-        if (c == NULL)
+        if (ss->cipher == NULL)
                return 0;
-        if ((c->algorithm_mac & SSL_AEAD) == 0)
+        if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
                return 0;
-        switch (c->algorithm_enc) {
+        switch (ss->cipher->algorithm_enc) {
        case SSL_AES128GCM:
                *aead = EVP_aead_aes_128_gcm();
                return 1;
@@ -740,22 +624,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
 #ifdef SSL_FORBID_ENULL
        *enc |= SSL_eNULL;
 #endif
-        *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
 }
 static void
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2dae72309c..31f3e60893 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.244 2019/03/25 17:33:26 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.245 2019/04/04 16:44:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1127,7 +1127,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_has_ecc_ciphers(SSL *s);
 int ssl_verify_alarm_type(long type);
-void ssl_load_ciphers(void);
 int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len);

diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c index b63f36b3f1..bb736c5de9 100644 --- a/src/lib/libssl/ssl_algs.c +++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */	1	/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -119,8 +119,7 @@ SSL_library_init(void)
119	EVP_add_digest(EVP_streebog256());	119	EVP_add_digest(EVP_streebog256());
120	EVP_add_digest(EVP_streebog512());	120	EVP_add_digest(EVP_streebog512());
121	#endif	121	#endif
122	/* initialize cipher/digest methods table */	122
123	ssl_load_ciphers();
124	return (1);	123	return (1);
125	}	124	}
126		125


diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 3cbf368ad3..ed167efffd 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.107 2019/03/24 17:10:54 jsing Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.108 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -150,41 +150,6 @@
150		150
151	#include "ssl_locl.h"	151	#include "ssl_locl.h"
152		152
153	#define SSL_ENC_3DES_IDX 0
154	#define SSL_ENC_RC4_IDX 1
155	#define SSL_ENC_NULL_IDX 2
156	#define SSL_ENC_AES128_IDX 3
157	#define SSL_ENC_AES256_IDX 4
158	#define SSL_ENC_CAMELLIA128_IDX 5
159	#define SSL_ENC_CAMELLIA256_IDX 6
160	#define SSL_ENC_GOST89_IDX 7
161	#define SSL_ENC_NUM_IDX 8
162
163	static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
164	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
165	};
166
167	#define SSL_MD_MD5_IDX 0
168	#define SSL_MD_SHA1_IDX 1
169	#define SSL_MD_GOST94_IDX 2
170	#define SSL_MD_GOST89MAC_IDX 3
171	#define SSL_MD_SHA256_IDX 4
172	#define SSL_MD_SHA384_IDX 5
173	#define SSL_MD_STREEBOG256_IDX 6
174	#define SSL_MD_NUM_IDX 7
175	static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
176	NULL, NULL, NULL, NULL, NULL, NULL, NULL,
177	};
178
179	static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
180	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
181	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
182	};
183
184	static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
185	0, 0, 0, 0, 0, 0, 0,
186	};
187
188	#define CIPHER_ADD 1	153	#define CIPHER_ADD 1
189	#define CIPHER_KILL 2	154	#define CIPHER_KILL 2
190	#define CIPHER_DEL 3	155	#define CIPHER_DEL 3
@@ -446,164 +411,77 @@ static const SSL_CIPHER cipher_aliases[] = {
446	},	411	},
447	};	412	};
448		413
449	void
450	ssl_load_ciphers(void)
451	{
452	ssl_cipher_methods[SSL_ENC_3DES_IDX] =
453	EVP_get_cipherbyname(SN_des_ede3_cbc);
454	ssl_cipher_methods[SSL_ENC_RC4_IDX] =
455	EVP_get_cipherbyname(SN_rc4);
456	ssl_cipher_methods[SSL_ENC_AES128_IDX] =
457	EVP_get_cipherbyname(SN_aes_128_cbc);
458	ssl_cipher_methods[SSL_ENC_AES256_IDX] =
459	EVP_get_cipherbyname(SN_aes_256_cbc);
460	ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
461	EVP_get_cipherbyname(SN_camellia_128_cbc);
462	ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
463	EVP_get_cipherbyname(SN_camellia_256_cbc);
464	ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
465	EVP_get_cipherbyname(SN_gost89_cnt);
466
467	ssl_digest_methods[SSL_MD_MD5_IDX] =
468	EVP_get_digestbyname(SN_md5);
469	ssl_mac_secret_size[SSL_MD_MD5_IDX] =
470	EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
471	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
472	ssl_digest_methods[SSL_MD_SHA1_IDX] =
473	EVP_get_digestbyname(SN_sha1);
474	ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
475	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
476	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
477	ssl_digest_methods[SSL_MD_GOST94_IDX] =
478	EVP_get_digestbyname(SN_id_GostR3411_94);
479	if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
480	ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
481	EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
482	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
483	}
484	ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
485	EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
486	if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
487	ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
488	}
489
490	ssl_digest_methods[SSL_MD_SHA256_IDX] =
491	EVP_get_digestbyname(SN_sha256);
492	ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
493	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
494	ssl_digest_methods[SSL_MD_SHA384_IDX] =
495	EVP_get_digestbyname(SN_sha384);
496	ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
497	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
498	ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
499	EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
500	ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
501	EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
502	}
503
504	int	414	int
505	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	415	ssl_cipher_get_evp(const SSL_SESSION ss, const EVP_CIPHER *enc,
506	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)	416	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)
507	{	417	{
508	const SSL_CIPHER *c;	418	*enc = NULL;
509	int i;	419	*md = NULL;
		420	*mac_pkey_type = NID_undef;
		421	*mac_secret_size = 0;
510		422
511	c = s->cipher;	423	if (ss->cipher == NULL)
512	if (c == NULL)	424	return 0;
513	return (0);
514		425
515	/*	426	/*
516	* This function does not handle EVP_AEAD.	427	* This function does not handle EVP_AEAD.
517	* See ssl_cipher_get_aead_evp instead.	428	* See ssl_cipher_get_aead_evp instead.
518	*/	429	*/
519	if (c->algorithm_mac & SSL_AEAD)	430	if (ss->cipher->algorithm_mac & SSL_AEAD)
520	return(0);	431	return 0;
521
522	if ((enc == NULL) \|\| (md == NULL))
523	return (0);
524		432
525	switch (c->algorithm_enc) {	433	switch (ss->cipher->algorithm_enc) {
526	case SSL_3DES:	434	case SSL_3DES:
527	i = SSL_ENC_3DES_IDX;	435	*enc = EVP_des_ede3_cbc();
528	break;	436	break;
529	case SSL_RC4:	437	case SSL_RC4:
530	i = SSL_ENC_RC4_IDX;	438	*enc = EVP_rc4();
531	break;	439	break;
532	case SSL_eNULL:	440	case SSL_eNULL:
533	i = SSL_ENC_NULL_IDX;	441	*enc = EVP_enc_null();
534	break;	442	break;
535	case SSL_AES128:	443	case SSL_AES128:
536	i = SSL_ENC_AES128_IDX;	444	*enc = EVP_aes_128_cbc();
537	break;	445	break;
538	case SSL_AES256:	446	case SSL_AES256:
539	i = SSL_ENC_AES256_IDX;	447	*enc = EVP_aes_256_cbc();
540	break;	448	break;
541	case SSL_CAMELLIA128:	449	case SSL_CAMELLIA128:
542	i = SSL_ENC_CAMELLIA128_IDX;	450	*enc = EVP_camellia_128_cbc();
543	break;	451	break;
544	case SSL_CAMELLIA256:	452	case SSL_CAMELLIA256:
545	i = SSL_ENC_CAMELLIA256_IDX;	453	*enc = EVP_camellia_256_cbc();
546	break;	454	break;
547	case SSL_eGOST2814789CNT:	455	case SSL_eGOST2814789CNT:
548	i = SSL_ENC_GOST89_IDX;	456	*enc = EVP_gost2814789_cnt();
549	break;	457	break;
550	default:
551	i = -1;
552	break;
553	}
554
555	if ((i < 0) \|\| (i >= SSL_ENC_NUM_IDX))
556	*enc = NULL;
557	else {
558	if (i == SSL_ENC_NULL_IDX)
559	*enc = EVP_enc_null();
560	else
561	*enc = ssl_cipher_methods[i];
562	}	458	}
563		459
564	switch (c->algorithm_mac) {	460	switch (ss->cipher->algorithm_mac) {
565	case SSL_MD5:	461	case SSL_MD5:
566	i = SSL_MD_MD5_IDX;	462	*md = EVP_md5();
567	break;	463	break;
568	case SSL_SHA1:	464	case SSL_SHA1:
569	i = SSL_MD_SHA1_IDX;	465	*md = EVP_sha1();
570	break;	466	break;
571	case SSL_SHA256:	467	case SSL_SHA256:
572	i = SSL_MD_SHA256_IDX;	468	*md = EVP_sha256();
573	break;	469	break;
574	case SSL_SHA384:	470	case SSL_SHA384:
575	i = SSL_MD_SHA384_IDX;	471	*md = EVP_sha384();
576	break;
577	case SSL_GOST94:
578	i = SSL_MD_GOST94_IDX;
579	break;	472	break;
580	case SSL_GOST89MAC:	473	case SSL_GOST89MAC:
581	i = SSL_MD_GOST89MAC_IDX;	474	*md = EVP_gost2814789imit();
582	break;	475	break;
583	case SSL_STREEBOG256:	476	case SSL_GOST94:
584	i = SSL_MD_STREEBOG256_IDX;	477	*md = EVP_gostr341194();
585	break;	478	break;
586	default:	479	case SSL_STREEBOG256:
587	i = -1;	480	*md = EVP_streebog256();
588	break;	481	break;
589	}	482	}
590	if ((i < 0) \|\| (i >= SSL_MD_NUM_IDX)) {
591	*md = NULL;
592
593	if (mac_pkey_type != NULL)
594	*mac_pkey_type = NID_undef;
595	if (mac_secret_size != NULL)
596	*mac_secret_size = 0;
597	} else {
598	*md = ssl_digest_methods[i];
599	if (mac_pkey_type != NULL)
600	*mac_pkey_type = ssl_mac_pkey_id[i];
601	if (mac_secret_size != NULL)
602	*mac_secret_size = ssl_mac_secret_size[i];
603	}
604		483
605	if (enc == NULL \|\| md == NULL \|\|	484	if (enc == NULL \|\| md == NULL)
606	(mac_pkey_type != NULL && *mac_pkey_type == NID_undef))
607	return 0;	485	return 0;
608		486
609	/*	487	/*
@@ -615,6 +493,14 @@ ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
615	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)	493	if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE)
616	return 0;	494	return 0;
617		495
		496	if (ss->cipher->algorithm_mac == SSL_GOST89MAC) {
		497	*mac_pkey_type = EVP_PKEY_GOSTIMIT;
		498	mac_secret_size = 32; / XXX */
		499	} else {
		500	*mac_pkey_type = EVP_PKEY_HMAC;
		501	mac_secret_size = EVP_MD_size(md);
		502	}
		503
618	return 1;	504	return 1;
619	}	505	}
620		506
@@ -623,18 +509,16 @@ ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
623	* for s->cipher. It returns 1 on success and 0 on error.	509	* for s->cipher. It returns 1 on success and 0 on error.
624	*/	510	*/
625	int	511	int
626	ssl_cipher_get_evp_aead(const SSL_SESSION s, const EVP_AEAD *aead)	512	ssl_cipher_get_evp_aead(const SSL_SESSION ss, const EVP_AEAD *aead)
627	{	513	{
628	const SSL_CIPHER *c = s->cipher;
629
630	*aead = NULL;	514	*aead = NULL;
631		515
632	if (c == NULL)	516	if (ss->cipher == NULL)
633	return 0;	517	return 0;
634	if ((c->algorithm_mac & SSL_AEAD) == 0)	518	if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0)
635	return 0;	519	return 0;
636		520
637	switch (c->algorithm_enc) {	521	switch (ss->cipher->algorithm_enc) {
638	case SSL_AES128GCM:	522	case SSL_AES128GCM:
639	*aead = EVP_aead_aes_128_gcm();	523	*aead = EVP_aead_aes_128_gcm();
640	return 1;	524	return 1;
@@ -740,22 +624,6 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
740	#ifdef SSL_FORBID_ENULL	624	#ifdef SSL_FORBID_ENULL
741	*enc \|= SSL_eNULL;	625	*enc \|= SSL_eNULL;
742	#endif	626	#endif
743
744	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
745	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
746	*enc \|= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
747	*enc \|= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
748	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
749	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
750	*enc \|= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
751
752	*mac \|= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
753	*mac \|= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
754	*mac \|= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
755	*mac \|= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
756	*mac \|= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
757	*mac \|= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
758	*mac \|= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
759	}	627	}
760		628
761	static void	629	static void


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 2dae72309c..31f3e60893 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.244 2019/03/25 17:33:26 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.245 2019/04/04 16:44:24 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1127,7 +1127,6 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher);
1127	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);	1127	STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
1128	int ssl_has_ecc_ciphers(SSL *s);	1128	int ssl_has_ecc_ciphers(SSL *s);
1129	int ssl_verify_alarm_type(long type);	1129	int ssl_verify_alarm_type(long type);
1130	void ssl_load_ciphers(void);
1131		1130
1132	int SSL_SESSION_ticket(SSL_SESSION ss, unsigned char out, size_t out_len);	1131	int SSL_SESSION_ticket(SSL_SESSION ss, unsigned char out, size_t out_len);
1133		1132