authorjsing <jsing@openbsd.org>2014-08-10 14:57:04 +0000
committerjsing <jsing@openbsd.org>2014-08-10 14:57:04 +0000
commitc24bf2e03c4a20192d0795ef087e725fe1df162d (patch)
treeb1352c5a60bbc06e7b9aedca7751473e240a51a5 /lib/libssl/src/ssl/s3_lib.c
parentSince we no longer need to support SSLv2-style cipher lists, start (diff)
Remove disabled (weakened export and non-ephemeral DH) cipher suites from
the cipher list. This reduces code size, saves data segment space and prevents them from being turned back on at runtime by flipping a bit in memory. ok guenther@
Diffstat (limited to 'lib/libssl/src/ssl/s3_lib.c')
-rw-r--r--lib/libssl/src/ssl/s3_lib.c475
1 files changed, 5 insertions, 470 deletions
diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c
index 4631c517ccc..e66f841df38 100644
--- a/lib/libssl/src/ssl/s3_lib.c
+++ b/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.73 2014/08/07 20:02:23 miod Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.74 2014/08/10 14:57:04 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -200,22 +200,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 0,
},
- /* Cipher 03 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_RSA_RC4_40_MD5,
- .id = SSL3_CK_RSA_RC4_40_MD5,
- .algorithm_mkey = SSL_kRSA,
- .algorithm_auth = SSL_aRSA,
- .algorithm_enc = SSL_RC4,
- .algorithm_mac = SSL_MD5,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 128,
- },
-
/* Cipher 04 */
{
.valid = 1,
@@ -248,22 +232,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 06 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_RSA_RC2_40_MD5,
- .id = SSL3_CK_RSA_RC2_40_MD5,
- .algorithm_mkey = SSL_kRSA,
- .algorithm_auth = SSL_aRSA,
- .algorithm_enc = SSL_RC2,
- .algorithm_mac = SSL_MD5,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 128,
- },
-
/* Cipher 07 */
#ifndef OPENSSL_NO_IDEA
{
@@ -282,22 +250,6 @@ SSL_CIPHER ssl3_ciphers[] = {
},
#endif
- /* Cipher 08 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_RSA_DES_40_CBC_SHA,
- .id = SSL3_CK_RSA_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kRSA,
- .algorithm_auth = SSL_aRSA,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 56,
- },
-
/* Cipher 09 */
{
.valid = 1,
@@ -330,119 +282,7 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 168,
},
- /* The DH ciphers */
- /* Cipher 0B */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
- .id = SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 56,
- },
-
- /* Cipher 0C */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
- .id = SSL3_CK_DH_DSS_DES_64_CBC_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_LOW,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 56,
- .alg_bits = 56,
- },
-
- /* Cipher 0D */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
- .id = SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_3DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 112,
- .alg_bits = 168,
- },
-
- /* Cipher 0E */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
- .id = SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 56,
- },
-
- /* Cipher 0F */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
- .id = SSL3_CK_DH_RSA_DES_64_CBC_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_LOW,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 56,
- .alg_bits = 56,
- },
-
- /* Cipher 10 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
- .id = SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_3DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 112,
- .alg_bits = 168,
- },
-
/* The Ephemeral DH ciphers */
- /* Cipher 11 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
- .id = SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aDSS,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 56,
- },
/* Cipher 12 */
{
@@ -476,22 +316,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 168,
},
- /* Cipher 14 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
- .id = SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aRSA,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 56,
- },
-
/* Cipher 15 */
{
.valid = 1,
@@ -524,22 +348,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 168,
},
- /* Cipher 17 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_ADH_RC4_40_MD5,
- .id = SSL3_CK_ADH_RC4_40_MD5,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aNULL,
- .algorithm_enc = SSL_RC4,
- .algorithm_mac = SSL_MD5,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 128,
- },
-
/* Cipher 18 */
{
.valid = 1,
@@ -556,22 +364,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 19 */
- {
- .valid = 0, /* Weakened 40-bit export cipher. */
- .name = SSL3_TXT_ADH_DES_40_CBC_SHA,
- .id = SSL3_CK_ADH_DES_40_CBC_SHA,
- .algorithm_mkey = SSL_kDHE,
- .algorithm_auth = SSL_aNULL,
- .algorithm_enc = SSL_DES,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_SSLV3,
- .algo_strength = 0,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 40,
- .alg_bits = 128,
- },
-
/* Cipher 1A */
{
.valid = 1,
@@ -605,6 +397,7 @@ SSL_CIPHER ssl3_ciphers[] = {
},
/* New AES ciphersuites */
+
/* Cipher 2F */
{
.valid = 1,
@@ -620,36 +413,7 @@ SSL_CIPHER ssl3_ciphers[] = {
.strength_bits = 128,
.alg_bits = 128,
},
- /* Cipher 30 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
- .id = TLS1_CK_DH_DSS_WITH_AES_128_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
- /* Cipher 31 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
- .id = TLS1_CK_DH_RSA_WITH_AES_128_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
+
/* Cipher 32 */
{
.valid = 1,
@@ -665,6 +429,7 @@ SSL_CIPHER ssl3_ciphers[] = {
.strength_bits = 128,
.alg_bits = 128,
},
+
/* Cipher 33 */
{
.valid = 1,
@@ -680,6 +445,7 @@ SSL_CIPHER ssl3_ciphers[] = {
.strength_bits = 128,
.alg_bits = 128,
},
+
/* Cipher 34 */
{
.valid = 1,
@@ -711,37 +477,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.strength_bits = 256,
.alg_bits = 256,
},
- /* Cipher 36 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
- .id = TLS1_CK_DH_DSS_WITH_AES_256_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
- /* Cipher 37 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
- .id = TLS1_CK_DH_RSA_WITH_AES_256_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
/* Cipher 38 */
{
@@ -840,38 +575,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher 3E */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
- .id = TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher 3F */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
- .id = TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
/* Cipher 40 */
{
.valid = 1,
@@ -907,38 +610,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 42 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
- .id = TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_CAMELLIA128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher 43 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
- .id = TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_CAMELLIA128,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
/* Cipher 44 */
{
.valid = 1,
@@ -1005,38 +676,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 128,
},
- /* Cipher 68 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
- .id = TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
- /* Cipher 69 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
- .id = TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256,
- .algorithm_mac = SSL_SHA256,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher 6A */
{
.valid = 1,
@@ -1181,38 +820,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher 85 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
- .id = TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_CAMELLIA256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
- /* Cipher 86 */
- {
- .valid = 0, /* not implemented (non-ephemeral DH) */
- .name = TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
- .id = TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_CAMELLIA256,
- .algorithm_mac = SSL_SHA1,
- .algorithm_ssl = SSL_TLSV1,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher 87 */
{
.valid = 1,
@@ -1337,42 +944,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher A0 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
- .id = TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher A1 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
- .id = TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
- .algorithm_mkey = SSL_kDHr,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher A2 */
{
.valid = 1,
@@ -1409,42 +980,6 @@ SSL_CIPHER ssl3_ciphers[] = {
.alg_bits = 256,
},
- /* Cipher A4 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
- .id = TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES128GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 128,
- .alg_bits = 128,
- },
-
- /* Cipher A5 */
- {
- .valid = 0,
- .name = TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
- .id = TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- .algorithm_mkey = SSL_kDHd,
- .algorithm_auth = SSL_aDH,
- .algorithm_enc = SSL_AES256GCM,
- .algorithm_mac = SSL_AEAD,
- .algorithm_ssl = SSL_TLSV1_2,
- .algo_strength = SSL_HIGH,
- .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
- SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
- .strength_bits = 256,
- .alg_bits = 256,
- },
-
/* Cipher A6 */
{
.valid = 1,