From: tedu Date: Thu, 17 Apr 2014 20:34:24 +0000 (+0000) Subject: quick pass at removing ability to disable sha256 and sha512. ok miod X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=c45ad0bbdba440c92964607ead3f2ea000ef3c6e;p=openbsd quick pass at removing ability to disable sha256 and sha512. ok miod --- diff --git a/lib/libssl/s3_cbc.c b/lib/libssl/s3_cbc.c index 964266e5b26..e8f7df572f3 100644 --- a/lib/libssl/s3_cbc.c +++ b/lib/libssl/s3_cbc.c @@ -351,7 +351,6 @@ tls1_sha1_final_raw(void* ctx, unsigned char *md_out) } #define LARGEST_DIGEST_CTX SHA_CTX -#ifndef OPENSSL_NO_SHA256 static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) { @@ -364,9 +363,7 @@ tls1_sha256_final_raw(void* ctx, unsigned char *md_out) } #undef LARGEST_DIGEST_CTX #define LARGEST_DIGEST_CTX SHA256_CTX -#endif -#ifndef OPENSSL_NO_SHA512 static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) { @@ -379,7 +376,6 @@ tls1_sha512_final_raw(void* ctx, unsigned char *md_out) } #undef LARGEST_DIGEST_CTX #define LARGEST_DIGEST_CTX SHA512_CTX -#endif /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function * which ssl3_cbc_digest_record supports. */ @@ -389,14 +385,10 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: -#ifndef OPENSSL_NO_SHA256 case NID_sha224: case NID_sha256: -#endif -#ifndef OPENSSL_NO_SHA512 case NID_sha384: case NID_sha512: -#endif return 1; default: return 0; @@ -469,7 +461,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; md_size = 20; break; -#ifndef OPENSSL_NO_SHA256 case NID_sha224: SHA224_Init((SHA256_CTX*)md_state.c); md_final_raw = tls1_sha256_final_raw; 
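Review bot: With the `OPENSSL_NO_SHA256`/`OPENSSL_NO_SHA512` guards removed in the three consecutive hunks at -351, -364 and -379, the `#define LARGEST_DIGEST_CTX SHA_CTX`, `#undef LARGEST_DIGEST_CTX` and `#define LARGEST_DIGEST_CTX SHA256_CTX` steps are now dead text: every build goes through all three redefinitions and ends at `#define LARGEST_DIGEST_CTX SHA512_CTX`. Collapsing the chain to a single `#define LARGEST_DIGEST_CTX SHA512_CTX /* largest of SHA_CTX, SHA256_CTX, SHA512_CTX */` placed before the first `tls1_*_final_raw` helper would make the intended size explicit instead of being the end of a three-step redefinition. This assumes the macro is not consumed between the definitions; no use is visible in these hunks' context lines, and the consumer itself lies outside them, so please confirm against the full file. The identical duplicate section lib/libssl/src/ssl/s3_cbc.c carries the same dead chain.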
@@ -482,8 +473,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; md_size = 32; break; -#endif -#ifndef OPENSSL_NO_SHA512 case NID_sha384: SHA384_Init((SHA512_CTX*)md_state.c); md_final_raw = tls1_sha512_final_raw; @@ -500,7 +489,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_block_size = 128; md_length_size = 16; break; -#endif default: /* ssl3_cbc_record_digest_supported should have been * called first to check that the hash function is diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 26bdef6b4fc..32405eac752 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1940,11 +1940,7 @@ ssl3_get_new_session_ticket(SSL *s) */ EVP_Digest(p, ticklen, s->session->session_id, &s->session->session_id_length, -#ifndef OPENSSL_NO_SHA256 EVP_sha256(), NULL); -#else - EVP_sha1(), NULL); -#endif ret = 1; return (ret); f_err: diff --git a/lib/libssl/src/ssl/s3_cbc.c b/lib/libssl/src/ssl/s3_cbc.c index 964266e5b26..e8f7df572f3 100644 --- a/lib/libssl/src/ssl/s3_cbc.c +++ b/lib/libssl/src/ssl/s3_cbc.c @@ -351,7 +351,6 @@ tls1_sha1_final_raw(void* ctx, unsigned char *md_out) } #define LARGEST_DIGEST_CTX SHA_CTX -#ifndef OPENSSL_NO_SHA256 static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) { @@ -364,9 +363,7 @@ tls1_sha256_final_raw(void* ctx, unsigned char *md_out) } #undef LARGEST_DIGEST_CTX #define LARGEST_DIGEST_CTX SHA256_CTX -#endif -#ifndef OPENSSL_NO_SHA512 static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) { @@ -379,7 +376,6 @@ tls1_sha512_final_raw(void* ctx, unsigned char *md_out) } #undef LARGEST_DIGEST_CTX #define LARGEST_DIGEST_CTX SHA512_CTX -#endif /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function * which ssl3_cbc_digest_record supports. */ 
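Review bot: In ssl3_get_new_session_ticket the `EVP_Digest(p, ticklen, s->session->session_id, &s->session->session_id_length, EVP_sha256(), NULL);` call that this hunk leaves in place discards EVP_Digest's int return value, and the function then unconditionally sets `ret = 1`; if the digest fails, session_id_length is presumably left unset yet the ticket is reported as accepted. Something like `if (!EVP_Digest(p, ticklen, s->session->session_id, &s->session->session_id_length, EVP_sha256(), NULL)) goto err;` would close that, using whichever error exit the function already has (only `f_err:` is visible here, so pick the label that matches the existing non-alert failure path). Separately, ssl_locl.h in this same commit keeps a `tlsext_tick_md` macro defined as EVP_sha256; if that macro names the ticket-to-session-id digest (the name suggests it, but its use site is not in this diff), calling `tlsext_tick_md()` here instead of `EVP_sha256()` would keep the client-side derivation tied to the server-side one. The function's body starts outside the hunk. The same applies to the duplicate lib/libssl/src/ssl/s3_clnt.c hunk.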
@@ -389,14 +385,10 @@ ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: -#ifndef OPENSSL_NO_SHA256 case NID_sha224: case NID_sha256: -#endif -#ifndef OPENSSL_NO_SHA512 case NID_sha384: case NID_sha512: -#endif return 1; default: return 0; @@ -469,7 +461,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; md_size = 20; break; -#ifndef OPENSSL_NO_SHA256 case NID_sha224: SHA224_Init((SHA256_CTX*)md_state.c); md_final_raw = tls1_sha256_final_raw; @@ -482,8 +473,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; md_size = 32; break; -#endif -#ifndef OPENSSL_NO_SHA512 case NID_sha384: SHA384_Init((SHA512_CTX*)md_state.c); md_final_raw = tls1_sha512_final_raw; @@ -500,7 +489,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, md_block_size = 128; md_length_size = 16; break; -#endif default: /* ssl3_cbc_record_digest_supported should have been * called first to check that the hash function is diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index 26bdef6b4fc..32405eac752 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -1940,11 +1940,7 @@ ssl3_get_new_session_ticket(SSL *s) */ EVP_Digest(p, ticklen, s->session->session_id, &s->session->session_id_length, -#ifndef OPENSSL_NO_SHA256 EVP_sha256(), NULL); -#else - EVP_sha1(), NULL); -#endif ret = 1; return (ret); f_err: diff --git a/lib/libssl/src/ssl/ssl_algs.c b/lib/libssl/src/ssl/ssl_algs.c index 76644bda916..92973866d25 100644 --- a/lib/libssl/src/ssl/ssl_algs.c +++ b/lib/libssl/src/ssl/ssl_algs.c 
@@ -116,14 +116,10 @@ SSL_library_init(void) EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); #endif -#ifndef OPENSSL_NO_SHA256 EVP_add_digest(EVP_sha224()); EVP_add_digest(EVP_sha256()); -#endif -#ifndef OPENSSL_NO_SHA512 EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); -#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h index c539b1229d6..483723736a6 100644 --- a/lib/libssl/src/ssl/ssl_locl.h +++ b/lib/libssl/src/ssl/ssl_locl.h @@ -1061,11 +1061,7 @@ int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); -#ifdef OPENSSL_NO_SHA256 -#define tlsext_tick_md EVP_sha1 -#else #define tlsext_tick_md EVP_sha256 -#endif int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, const unsigned char *limit, SSL_SESSION **ret); diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 7ecf7e06588..b88b3561e05 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -334,14 +334,10 @@ tls1_ec_nid2curve_id(int nid) tlsext_sigalg_ecdsa(md) static unsigned char tls12_sigalgs[] = { -#ifndef OPENSSL_NO_SHA512 tlsext_sigalg(TLSEXT_hash_sha512) tlsext_sigalg(TLSEXT_hash_sha384) -#endif -#ifndef OPENSSL_NO_SHA256 tlsext_sigalg(TLSEXT_hash_sha256) tlsext_sigalg(TLSEXT_hash_sha224) -#endif #ifndef OPENSSL_NO_SHA tlsext_sigalg(TLSEXT_hash_sha1) #endif 
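Review bot: SSL_library_init still wraps the SHA-1 registrations and the dss1 alias in `#ifndef OPENSSL_NO_SHA` / `#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)` while the SHA-224/256/384/512 registrations become unconditional, so after this commit SHA-1 can be compiled out but SHA-2 cannot; the same split is left in t1_lib.c in `tls12_sigalgs` (hunk -334), `tls12_md` (hunk -2205) and the `TLSEXT_hash_*` switch (hunk -2283), as well as in the duplicate lib/libssl/src/ssl copies of both files. If the intent is that the SSL digest set is fixed at build time, the remaining `OPENSSL_NO_SHA` guards should go in a follow-up so the tables and the switch cannot disagree with each other about which hashes exist; if SHA-1 is meant to stay optional, a comment at the `EVP_add_digest(EVP_sha224());` line such as `/* SHA-2 family is always compiled in; only SHA-1 remains conditional on OPENSSL_NO_SHA */` would record that asymmetry for the next reader. The commit message calls this a quick pass, so this may already be planned. SSL_library_init's body begins outside the hunk.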
@@ -2205,14 +2201,10 @@ static tls12_lookup tls12_md[] = { #ifndef OPENSSL_NO_SHA {NID_sha1, TLSEXT_hash_sha1}, #endif -#ifndef OPENSSL_NO_SHA256 {NID_sha224, TLSEXT_hash_sha224}, {NID_sha256, TLSEXT_hash_sha256}, -#endif -#ifndef OPENSSL_NO_SHA512 {NID_sha384, TLSEXT_hash_sha384}, {NID_sha512, TLSEXT_hash_sha512} -#endif }; static tls12_lookup tls12_sig[] = { @@ -2283,20 +2275,16 @@ const EVP_MD case TLSEXT_hash_sha1: return EVP_sha1(); #endif -#ifndef OPENSSL_NO_SHA256 case TLSEXT_hash_sha224: return EVP_sha224(); case TLSEXT_hash_sha256: return EVP_sha256(); -#endif -#ifndef OPENSSL_NO_SHA512 case TLSEXT_hash_sha384: return EVP_sha384(); case TLSEXT_hash_sha512: return EVP_sha512(); -#endif default: return NULL; diff --git a/lib/libssl/ssl_algs.c b/lib/libssl/ssl_algs.c index 76644bda916..92973866d25 100644 --- a/lib/libssl/ssl_algs.c +++ b/lib/libssl/ssl_algs.c @@ -116,14 +116,10 @@ SSL_library_init(void) EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); #endif -#ifndef OPENSSL_NO_SHA256 EVP_add_digest(EVP_sha224()); EVP_add_digest(EVP_sha256()); -#endif -#ifndef OPENSSL_NO_SHA512 EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); -#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index c539b1229d6..483723736a6 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1061,11 +1061,7 @@ int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); -#ifdef OPENSSL_NO_SHA256 -#define tlsext_tick_md EVP_sha1 -#else #define tlsext_tick_md EVP_sha256 -#endif int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, const unsigned char *limit, SSL_SESSION **ret); 
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 7ecf7e06588..b88b3561e05 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -334,14 +334,10 @@ tls1_ec_nid2curve_id(int nid) tlsext_sigalg_ecdsa(md) static unsigned char tls12_sigalgs[] = { -#ifndef OPENSSL_NO_SHA512 tlsext_sigalg(TLSEXT_hash_sha512) tlsext_sigalg(TLSEXT_hash_sha384) -#endif -#ifndef OPENSSL_NO_SHA256 tlsext_sigalg(TLSEXT_hash_sha256) tlsext_sigalg(TLSEXT_hash_sha224) -#endif #ifndef OPENSSL_NO_SHA tlsext_sigalg(TLSEXT_hash_sha1) #endif @@ -2205,14 +2201,10 @@ static tls12_lookup tls12_md[] = { #ifndef OPENSSL_NO_SHA {NID_sha1, TLSEXT_hash_sha1}, #endif -#ifndef OPENSSL_NO_SHA256 {NID_sha224, TLSEXT_hash_sha224}, {NID_sha256, TLSEXT_hash_sha256}, -#endif -#ifndef OPENSSL_NO_SHA512 {NID_sha384, TLSEXT_hash_sha384}, {NID_sha512, TLSEXT_hash_sha512} -#endif }; static tls12_lookup tls12_sig[] = { @@ -2283,20 +2275,16 @@ const EVP_MD case TLSEXT_hash_sha1: return EVP_sha1(); #endif -#ifndef OPENSSL_NO_SHA256 case TLSEXT_hash_sha224: return EVP_sha224(); case TLSEXT_hash_sha256: return EVP_sha256(); -#endif -#ifndef OPENSSL_NO_SHA512 case TLSEXT_hash_sha384: return EVP_sha384(); case TLSEXT_hash_sha512: return EVP_sha512(); -#endif default: return NULL;