Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suites

that make use of it. ok bcook@ inoguchi@
author: jsing <jsing@openbsd.org> 2017-02-21 15:28:27 +0000
committer: jsing <jsing@openbsd.org> 2017-02-21 15:28:27 +0000
commit: ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1 (patch)
tree: 62cfc6b12713e6f16580ec309f7489e74bfa13ba /lib
parent: update to unbound-1.6.1 release; only version string changes compared to (diff)
download: wireguard-openbsd-ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1.tar.xz
wireguard-openbsd-ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1.zip
2 files changed, 6 insertions, 26 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 9808c7c37fc..3e991fa5772 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.93 2017/02/07 02:08:38 beck Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.94 2017/02/21 15:28:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -176,29 +176,27 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
 #define SSL_MD_SHA256_IDX 4
 #define SSL_MD_SHA384_IDX 5
 #define SSL_MD_STREEBOG256_IDX 6
-#define SSL_MD_STREEBOG512_IDX 7
 /*Constant SSL_MAX_DIGEST equal to size of digests array should be
  * defined in the
  * ssl_locl.h */
 #define SSL_MD_NUM_IDX	SSL_MAX_DIGEST
 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
-	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+	NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 };
 
 static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
 	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
-	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
+	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
 };
 
 static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
-	0, 0, 0, 0, 0, 0, 0, 0
+	0, 0, 0, 0, 0, 0, 0,
 };
 
 static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
 	SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
 	SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
 	SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256,
-	SSL_HANDSHAKE_MAC_STREEBOG512
 };
 
 #define CIPHER_ADD	1
@@ -436,10 +434,6 @@ static const SSL_CIPHER cipher_aliases[] = {
 		.name = SSL_TXT_STREEBOG256,
 		.algorithm_mac = SSL_STREEBOG256,
 	},
-	{
-		.name = SSL_TXT_STREEBOG512,
-		.algorithm_mac = SSL_STREEBOG512,
-	},
 
 	/* protocol version aliases */
 	{
@@ -531,10 +525,6 @@ ssl_load_ciphers(void)
 	    EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
 	ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
 	    EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
-	ssl_digest_methods[SSL_MD_STREEBOG512_IDX] =
-	    EVP_get_digestbyname(SN_id_tc26_gost3411_2012_512);
-	ssl_mac_secret_size[SSL_MD_STREEBOG512_IDX] =
-	    EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG512_IDX]);
 }
 
 int
@@ -631,9 +621,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 	case SSL_STREEBOG256:
 		i = SSL_MD_STREEBOG256_IDX;
 		break;
-	case SSL_STREEBOG512:
-		i = SSL_MD_STREEBOG512_IDX;
-		break;
 	default:
 		i = -1;
 		break;
@@ -814,8 +801,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
 	*mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
 	*mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
 	*mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
-	*mac |= (ssl_digest_methods[SSL_MD_STREEBOG512_IDX] == NULL) ? SSL_STREEBOG512 : 0;
-
 }
 
 static void
@@ -1671,9 +1656,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_STREEBOG256:
 		mac = "STREEBOG256";
 		break;
-	case SSL_STREEBOG512:
-		mac = "STREEBOG512";
-		break;
 	default:
 		mac = "unknown";
 		break;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index a64edd2c183..62d9d0314e8 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.173 2017/02/07 02:08:38 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.174 2017/02/21 15:28:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -250,7 +250,6 @@ __BEGIN_HIDDEN_DECLS
 /* Not a real MAC, just an indication it is part of cipher */
 #define SSL_AEAD		0x00000040L
 #define SSL_STREEBOG256		0x00000080L
-#define SSL_STREEBOG512		0x00000100L
 
 /* Bits for algorithm_ssl (protocol version) */
 #define SSL_SSLV3		0x00000002L
@@ -266,12 +265,11 @@ __BEGIN_HIDDEN_DECLS
 #define SSL_HANDSHAKE_MAC_SHA256 0x80
 #define SSL_HANDSHAKE_MAC_SHA384 0x100
 #define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
-#define SSL_HANDSHAKE_MAC_STREEBOG512 0x400
 #define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
 
 /* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
  * make sure to update this constant too */
-#define SSL_MAX_DIGEST 8
+#define SSL_MAX_DIGEST 7
 
 #define SSL3_CK_ID		0x03000000
 #define SSL3_CK_VALUE_MASK	0x0000ffff
author	jsing <jsing@openbsd.org>	2017-02-21 15:28:27 +0000
committer	jsing <jsing@openbsd.org>	2017-02-21 15:28:27 +0000
commit	ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1 (patch)
tree	62cfc6b12713e6f16580ec309f7489e74bfa13ba /lib
parent	update to unbound-1.6.1 release; only version string changes compared to (diff)
download	wireguard-openbsd-ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1.tar.xz wireguard-openbsd-ccd431c4a4b7c07e10cfcf435157be1fa1cd35e1.zip