From feaf10d0a7eb5e59e69c058b10c91c45d2b1b0e3 Mon Sep 17 00:00:00 2001 From: beck <> Date: Sat, 3 Feb 2024 15:58:34 +0000 Subject: Remove GOST and STREEBOG support from libssl. This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@ --- src/lib/libssl/s3_lib.c | 86 +------------------------------------------------ 1 file changed, 1 insertion(+), 85 deletions(-) (limited to 'src/lib/libssl/s3_lib.c') diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 1ae2d047bc..bb8e9465ba 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.248 2023/11/29 13:39:34 tb Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.249 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -577,41 +577,6 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* GOST Ciphersuites */ - - /* Cipher 81 */ - { - .valid = 1, - .name = "GOST2001-GOST89-GOST89", - .id = 0x3000081, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher 83 */ - { - .valid = 1, - .name = "GOST2001-NULL-GOST94", - .id = 0x3000083, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_GOST94, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, - .strength_bits = 0, - .alg_bits = 0 - }, - #ifndef OPENSSL_NO_CAMELLIA /* Camellia ciphersuites from RFC4132 (256-bit portion) */ @@ -1362,40 +1327,6 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* Cipher FF85 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-GOST89-GOST89", - .id = 0x300ff85, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher FF87 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-NULL-STREEBOG256", - .id = 0x300ff87, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_STREEBOG256, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, - .strength_bits = 0, - .alg_bits = 0 - }, - - /* end of list */ }; @@ -2668,21 +2599,6 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) alg_k = s->s3->hs.cipher->algorithm_mkey; -#ifndef OPENSSL_NO_GOST - if ((alg_k & SSL_kGOST) != 0) { - if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) - return 0; - } -#endif - if ((alg_k & SSL_kDHE) != 0) { if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) return 0; -- cgit v1.2.3-55-g6feb