authorjsing <jsing@openbsd.org>2017-05-07 21:05:05 +0000
committerjsing <jsing@openbsd.org>2017-05-07 21:05:05 +0000
commite4f77e2116bd47f5e89313def9366c1f6f4e64dd (patch)
treeb57b93fa60882934ff15c2b19aa372924bfad0dc /lib/libssl/s3_lib.c
parentFix stage transition from the initial one to DROPPING (diff)
Drop cipher suites with DSS authentication - there is no good reason to
keep these around. ok beck@
Diffstat (limited to 'lib/libssl/s3_lib.c')
-rw-r--r--lib/libssl/s3_lib.c198
1 files changed, 1 insertions, 197 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 697ac6c7c5a..98d7c69721d 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.143 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.144 2017/05/07 21:05:05 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -273,38 +273,6 @@ SSL_CIPHER ssl3_ciphers[] = {
* Ephemeral DH (DHE) ciphers.
*/
- /* Cipher 12 */
- {
- .valid = 1,
- .name = SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
- .id = SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_LOW,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 56,
- .alg_bits = 56,
- },
-
- /* Cipher 13 */
- {
- .valid = 1,
- .name = SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
- .id = SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_3DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_MEDIUM,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 112,
- .alg_bits = 168,
- },
-
/* Cipher 15 */
{
.valid = 1,
@@ -405,22 +373,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 32 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
- .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
/* Cipher 33 */
{
.valid = 1,
@@ -469,22 +421,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher 38 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
- .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher 39 */
{
.valid = 1,
@@ -566,22 +502,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher 40 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
- .id = TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
#ifndef OPENSSL_NO_CAMELLIA
/* Camellia ciphersuites from RFC4132 (128-bit portion) */
@@ -601,22 +521,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 44 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
- .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_CAMELLIA128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
/* Cipher 45 */
{
.valid = 1,
@@ -667,22 +571,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 6A */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
- .id = TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher 6B */
{
.valid = 1,
@@ -785,22 +673,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher 87 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_CAMELLIA256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher 88 */
{
.valid = 1,
@@ -910,42 +782,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher A2 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
- .id = TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES128GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher A3 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
- .id = TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_AES256GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher A6 */
{
.valid = 1,
@@ -1001,22 +837,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher BD */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
- .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_CAMELLIA128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
/* Cipher BE */
{
.valid = 1,
@@ -1065,22 +885,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher C3 */
- {
- .valid = 1,
- .name = TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
- .id = TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_CAMELLIA256,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher C4 */
{
.valid = 1,