From 9e01a2b9fc249398f995e0d00bee55d7e3c31be0 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Thu, 24 Jan 2019 00:07:58 +0000
Subject: Remove SHA224 based sigalgs from use in TLS 1.2 as SHA224 is
 deprecated. Remove GOST based sigalgs from TLS 1.2 since they don't work with
 TLS 1.2. ok jsing@

---
 src/lib/libssl/ssl_sigalgs.c               |  7 +------
 src/regress/lib/libssl/client/clienttest.c | 24 +++++++++++-------------
 src/regress/lib/libssl/tlsext/tlsexttest.c | 28 ++++++++++------------------
 3 files changed, 22 insertions(+), 37 deletions(-)

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 76cb441b07..fdea93e1b0 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.15 2019/01/23 23:47:13 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.16 2019/01/24 00:07:58 beck Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -182,17 +182,12 @@ uint16_t tls12_sigalgs[] = {
 	SIGALG_RSA_PSS_RSAE_SHA512,
 	SIGALG_RSA_PKCS1_SHA512,
 	SIGALG_ECDSA_SECP521R1_SHA512,
-	SIGALG_GOSTR12_512_STREEBOG_512,
 	SIGALG_RSA_PSS_RSAE_SHA384,
 	SIGALG_RSA_PKCS1_SHA384,
 	SIGALG_ECDSA_SECP384R1_SHA384,
 	SIGALG_RSA_PSS_RSAE_SHA256,
 	SIGALG_RSA_PKCS1_SHA256,
 	SIGALG_ECDSA_SECP256R1_SHA256,
-	SIGALG_GOSTR12_256_STREEBOG_256,
-	SIGALG_GOSTR01_GOST94,
-	SIGALG_RSA_PKCS1_SHA224,
-	SIGALG_ECDSA_SECP224R1_SHA224,
 	SIGALG_RSA_PKCS1_SHA1, /* XXX */
 	SIGALG_ECDSA_SHA1,     /* XXX */
 };
diff --git a/src/regress/lib/libssl/client/clienttest.c b/src/regress/lib/libssl/client/clienttest.c
index 25a8790e61..6b8ea7d8bd 100644
--- a/src/regress/lib/libssl/client/clienttest.c
+++ b/src/regress/lib/libssl/client/clienttest.c
@@ -141,12 +141,12 @@ static unsigned char cipher_list_tls12_chacha[] = {
 };
 
 static unsigned char client_hello_tls12[] = {
-	0x16, 0x03, 0x01, 0x00, 0xc5, 0x01, 0x00, 0x00,
-	0xc1, 0x03, 0x03, 0xc9, 0xf9, 0x1f, 0x05, 0xaf,
-	0x61, 0xd7, 0xe7, 0x84, 0xd1, 0x1c, 0x6f, 0x79,
-	0x32, 0x04, 0x8e, 0x5c, 0xe3, 0x18, 0x5a, 0x85,
-	0xee, 0x44, 0xe1, 0xca, 0x32, 0xce, 0x07, 0xd3,
-	0xdb, 0x0f, 0x91, 0x00, 0x00, 0x5c, 0xc0, 0x30,
+	0x16, 0x03, 0x01, 0x00, 0xbb, 0x01, 0x00, 0x00,
+	0xb7, 0x03, 0x03, 0x2b, 0x39, 0xcc, 0x56, 0xfc,
+	0xc4, 0x98, 0x8e, 0xfc, 0x22, 0x89, 0xc5, 0x1e,
+	0xa9, 0x88, 0xbd, 0x6e, 0xd8, 0xd1, 0xd6, 0xc1,
+	0xc3, 0x12, 0xe8, 0xe0, 0x1e, 0xfa, 0xa8, 0x21,
+	0xd9, 0x2d, 0x4d, 0x00, 0x00, 0x5c, 0xc0, 0x30,
 	0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
 	0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
 	0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85,
@@ -158,15 +158,13 @@ static unsigned char client_hello_tls12[] = {
 	0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41,
 	0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04,
 	0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
-	0x00, 0xff, 0x01, 0x00, 0x00, 0x3c, 0x00, 0x0b,
+	0x00, 0xff, 0x01, 0x00, 0x00, 0x32, 0x00, 0x0b,
 	0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08,
 	0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
-	0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x22,
-	0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
-	0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
-	0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
-	0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
-	0x02, 0x03,
+	0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18,
+	0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
+	0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
+	0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
 };
 
 struct client_hello_test {
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 32895a49ad..05b18b5b05 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.25 2019/01/23 18:39:28 beck Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.26 2019/01/24 00:07:58 beck Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1505,11 +1505,9 @@ test_tlsext_ri_server(void)
  */
 
 static unsigned char tlsext_sigalgs_client[] = {
-	0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
-	0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
-	0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
-	0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
-	0x02, 0x03,
+	0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
+	0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04,
+	0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
 };
 
 static int
@@ -1599,11 +1597,6 @@ test_tlsext_sigalgs_client(void)
 		failure = 1;
 		goto done;
 	}
-	if (ssl->cert->pkeys[SSL_PKEY_GOST01].sigalg->md() != EVP_streebog512()) {
-		fprintf(stderr, "FAIL: GOST01 digest mismatch\n");
-		failure = 1;
-		goto done;
-	}
 
  done:
 	CBB_cleanup(&cbb);
@@ -2733,14 +2726,13 @@ test_tlsext_srtp_server(void)
 #endif /* OPENSSL_NO_SRTP */
 
 unsigned char tlsext_clienthello_default[] = {
-	0x00, 0x3c, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
+	0x00, 0x32, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
 	0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
 	0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
-	0x00, 0x0d, 0x00, 0x22, 0x00, 0x20, 0x08, 0x06,
-	0x06, 0x01, 0x06, 0x03, 0xef, 0xef, 0x08, 0x05,
-	0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
-	0x04, 0x03, 0xee, 0xee, 0xed, 0xed, 0x03, 0x01,
-	0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
+	0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06,
+	0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01,
+	0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03,
+	0x02, 0x01, 0x02, 0x03,
 };
 
 unsigned char tlsext_clienthello_disabled[] = {};
@@ -3097,7 +3089,7 @@ test_tlsext_keyshare_client(void)
 	}
 
 	if (dlen != sizeof(tlsext_keyshare_client)) {
-		FAIL("got client sigalgs with length %zu, "
+		FAIL("got client keyshare with length %zu, "
 		    "want length %zu\n", dlen, (size_t) sizeof(tlsext_keyshare_client));
 		failure = 1;
 		goto done;
-- 
cgit v1.2.3-55-g6feb