Drop SSL_CIPHER_ALGORITHM2_AEAD flag.

author jsing <jsing@openbsd.org>

Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)

committer jsing <jsing@openbsd.org>

Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)
author jsing <jsing@openbsd.org>
Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)
committer jsing <jsing@openbsd.org>
Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c

index 6e12bf9..02e6c66 100644 (file)
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.169 2018/08/27 16:48:12 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.170 2018/09/06 16:40:45 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -674,7 +674,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 128,
                 .alg_bits = 128,
@@ -692,7 +692,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 256,
                 .alg_bits = 256,
@@ -710,7 +710,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 128,
                 .alg_bits = 128,
@@ -728,7 +728,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 256,
                 .alg_bits = 256,
@@ -746,7 +746,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 128,
                 .alg_bits = 128,
@@ -764,7 +764,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 256,
                 .alg_bits = 256,
@@ -1191,7 +1191,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 128,
                 .alg_bits = 128,
@@ -1209,7 +1209,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 256,
                 .alg_bits = 256,
@@ -1227,7 +1227,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 128,
                 .alg_bits = 128,
@@ -1245,7 +1245,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)|
+                   FIXED_NONCE_LEN(4)|
                     SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD,
                 .strength_bits = 256,
                 .alg_bits = 256,
@@ -1263,7 +1263,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
+                   FIXED_NONCE_LEN(12),
                 .strength_bits = 256,
                 .alg_bits = 256,
         },
@@ -1280,7 +1280,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
+                   FIXED_NONCE_LEN(12),
                 .strength_bits = 256,
                 .alg_bits = 256,
         },
@@ -1297,7 +1297,7 @@ SSL_CIPHER ssl3_ciphers[] = {
                 .algorithm_ssl = SSL_TLSV1_2,
                 .algo_strength = SSL_HIGH,
                 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
-                   SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
+                   FIXED_NONCE_LEN(12),
                 .strength_bits = 256,
                 .alg_bits = 256,
         },
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c

index e429bde..9db0c68 100644 (file)
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.102 2018/09/03 18:00:50 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.103 2018/09/06 16:40:45 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -515,7 +515,7 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
          * This function does not handle EVP_AEAD.
          * See ssl_cipher_get_aead_evp instead.
          */
-       if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)
+       if (c->algorithm_mac & SSL_AEAD)
                 return(0);
  
         if ((enc == NULL) || (md == NULL))
@@ -593,8 +593,6 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                         *mac_pkey_type = NID_undef;
                 if (mac_secret_size != NULL)
                         *mac_secret_size = 0;
-               if (c->algorithm_mac == SSL_AEAD)
-                       mac_pkey_type = NULL;
         } else {
                 *md = ssl_digest_methods[i];
                 if (mac_pkey_type != NULL)
@@ -624,7 +622,7 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
  
         if (c == NULL)
                 return 0;
-       if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0)
+       if ((c->algorithm_mac & SSL_AEAD) == 0)
                 return 0;
  
         switch (c->algorithm_enc) {
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h

index a4e8315..d5680fc 100644 (file)
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.213 2018/09/05 16:48:11 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.214 2018/09/06 16:40:45 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -282,8 +282,10 @@ __BEGIN_HIDDEN_DECLS
  #define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
  #define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
  
-/* Stream MAC for GOST ciphersuites from cryptopro draft
- * (currently this also goes into algorithm2) */
+/*
+ * Stream MAC for GOST ciphersuites from cryptopro draft
+ * (currently this also goes into algorithm2).
+ */
  #define TLS1_STREAM_MAC 0x04
  
  /*
@@ -293,15 +295,9 @@ __BEGIN_HIDDEN_DECLS
   */
  #define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)
  
-/*
- * SSL_CIPHER_ALGORITHM2_AEAD is an algorithm2 flag that indicates the cipher
- * is implemented via an EVP_AEAD.
- */
-#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
-
  /*
   * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
- * for an SSL_CIPHER with the SSL_CIPHER_ALGORITHM2_AEAD flag.
+ * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD.
   */
  #define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
         (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c

index 01ff059..77ac589 100644 (file)
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.112 2018/09/05 16:58:59 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.113 2018/09/06 16:40:45 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -661,7 +661,7 @@ tls1_setup_key_block(SSL *s)
                 return (1);
  
         if (s->session->cipher &&
-           (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) {
+           (s->session->cipher->algorithm_mac & SSL_AEAD)) {
                 if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
                         SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                         return (0);
author	jsing <jsing@openbsd.org>
	Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)
committer	jsing <jsing@openbsd.org>
	Thu, 6 Sep 2018 16:40:45 +0000 (16:40 +0000)
lib/libssl/s3_lib.c		patch \| blob \| history
lib/libssl/ssl_ciph.c		patch \| blob \| history
lib/libssl/ssl_locl.h		patch \| blob \| history
lib/libssl/t1_enc.c		patch \| blob \| history