From bd476af11cf7a471c351acc33081eb901c9f68d5 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 7 May 2017 21:05:05 +0000
Subject: Drop cipher suites with DSS authentication - there is no good reason
 to keep these around.

ok beck@
---
 src/lib/libssl/s3_lib.c | 198 +-----------------------------------------------
 1 file changed, 1 insertion(+), 197 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 697ac6c7c5..98d7c69721 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.143 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.144 2017/05/07 21:05:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -273,38 +273,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 	 * Ephemeral DH (DHE) ciphers.
 	 */
 
-	/* Cipher 12 */
-	{
-		.valid = 1,
-		.name = SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
-		.id = SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_DES,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_SSLV3,
-		.algo_strength = SSL_LOW,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 56,
-		.alg_bits = 56,
-	},
-
-	/* Cipher 13 */
-	{
-		.valid = 1,
-		.name = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
-		.id = SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_3DES,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_SSLV3,
-		.algo_strength = SSL_MEDIUM,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 112,
-		.alg_bits = 168,
-	},
-
 	/* Cipher 15 */
 	{
 		.valid = 1,
@@ -405,22 +373,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher 32 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES128,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_TLSV1,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 128,
-		.alg_bits = 128,
-	},
-
 	/* Cipher 33 */
 	{
 		.valid = 1,
@@ -469,22 +421,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256,
 	},
 
-	/* Cipher 38 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES256,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_TLSV1,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 256,
-		.alg_bits = 256,
-	},
-
 	/* Cipher 39 */
 	{
 		.valid = 1,
@@ -566,22 +502,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256,
 	},
 
-	/* Cipher 40 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES128,
-		.algorithm_mac = SSL_SHA256,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 128,
-		.alg_bits = 128,
-	},
-
 #ifndef OPENSSL_NO_CAMELLIA
 	/* Camellia ciphersuites from RFC4132 (128-bit portion) */
 
@@ -601,22 +521,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher 44 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-		.id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_CAMELLIA128,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_TLSV1,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 128,
-		.alg_bits = 128,
-	},
-
 	/* Cipher 45 */
 	{
 		.valid = 1,
@@ -667,22 +571,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher 6A */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES256,
-		.algorithm_mac = SSL_SHA256,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 256,
-		.alg_bits = 256,
-	},
-
 	/* Cipher 6B */
 	{
 		.valid = 1,
@@ -785,22 +673,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256,
 	},
 
-	/* Cipher 87 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-		.id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_CAMELLIA256,
-		.algorithm_mac = SSL_SHA1,
-		.algorithm_ssl = SSL_TLSV1,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-		.strength_bits = 256,
-		.alg_bits = 256,
-	},
-
 	/* Cipher 88 */
 	{
 		.valid = 1,
@@ -910,42 +782,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256,
 	},
 
-	/* Cipher A2 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES128GCM,
-		.algorithm_mac = SSL_AEAD,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-		.strength_bits = 128,
-		.alg_bits = 128,
-	},
-
-	/* Cipher A3 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
-		.id = TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_AES256GCM,
-		.algorithm_mac = SSL_AEAD,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
-		    SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
-		.strength_bits = 256,
-		.alg_bits = 256,
-	},
-
 	/* Cipher A6 */
 	{
 		.valid = 1,
@@ -1001,22 +837,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 128,
 	},
 
-	/* Cipher BD */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
-		.id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_CAMELLIA128,
-		.algorithm_mac = SSL_SHA256,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-		.strength_bits = 128,
-		.alg_bits = 128,
-	},
-
 	/* Cipher BE */
 	{
 		.valid = 1,
@@ -1065,22 +885,6 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256,
 	},
 
-	/* Cipher C3 */
-	{
-		.valid = 1,
-		.name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
-		.id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
-		.algorithm_mkey = SSL_kDHE,
-		.algorithm_auth = SSL_aDSS,
-		.algorithm_enc = SSL_CAMELLIA256,
-		.algorithm_mac = SSL_SHA256,
-		.algorithm_ssl = SSL_TLSV1_2,
-		.algo_strength = SSL_HIGH,
-		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
-		.strength_bits = 256,
-		.alg_bits = 256,
-	},
-
 	/* Cipher C4 */
 	{
 		.valid = 1,
-- 
cgit v1.2.3-55-g6feb