diff options
| author | Rich Salz <rsalz@akamai.com> | 2015-08-04 12:32:40 -0400 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2015-08-11 18:23:29 -0400 |
| commit | ade44dcb16141c8a30ca6c56a1fd1a0b14dcc360 (patch) | |
| tree | 0dbe0854e5836feb0776b999c80ecd9d95c2e11f /ssl | |
| parent | f75d5171be0b3b5419c8974133e1573cf976a8bb (diff) | |
Remove Gost94 signature algorithm.
This was obsolete in 2001. This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s3_both.c | 4 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 3 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 90 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 10 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 12 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 5 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 3 |
7 files changed, 11 insertions, 116 deletions
diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 943cf733f0..4d69c2af82 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -618,9 +618,7 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey) ret = SSL_PKEY_ECC; } #endif - else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) { - ret = SSL_PKEY_GOST94; - } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) { + else if (i == NID_id_GostR3410_2001) { ret = SSL_PKEY_GOST01; } else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) { /* diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 1661b0ef8c..01a0a8c43c 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -3059,8 +3059,7 @@ int ssl3_send_client_verify(SSL *s) n = j + 2; } else #endif - if (pkey->type == NID_id_GostR3410_94 - || pkey->type == NID_id_GostR3410_2001) { + if (pkey->type == NID_id_GostR3410_2001) { unsigned char signbuf[64]; int i; size_t sigsize = 64; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 83b8f686bb..0a3bba4890 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1147,19 +1147,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { { 1, - "GOST94-GOST89-GOST89", - 0x3000080, - SSL_kGOST, - SSL_aGOST94, - SSL_eGOST2814789CNT, - SSL_GOST89MAC, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC, - 256, - 256}, - { - 1, "GOST2001-GOST89-GOST89", 0x3000081, SSL_kGOST, @@ -1170,20 +1157,8 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_NOT_EXP | SSL_HIGH, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC, 256, - 256}, - { - 1, - "GOST94-NULL-GOST94", - 0x3000082, - SSL_kGOST, - SSL_aGOST94, - SSL_eNULL, - SSL_GOST94, - SSL_TLSV1, - SSL_NOT_EXP | SSL_STRONG_NONE, - SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, - 0, - 0}, + 256 + }, { 1, "GOST2001-NULL-GOST94", @@ -1196,7 +1171,8 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { SSL_NOT_EXP | SSL_STRONG_NONE, SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94, 0, - 0}, + 0 + }, #ifndef OPENSSL_NO_CAMELLIA /* Camellia ciphersuites from RFC4132 (256-bit portion) */ @@ -3474,63 +3450,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256}, #endif -#ifdef TEMP_GOST_TLS -/* Cipher FF00 */ - { - 1, - "GOST-MD5", - 0x0300ff00, - SSL_kRSA, - SSL_aRSA, - SSL_eGOST2814789CNT, - SSL_MD5, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256, - }, - { - 1, - "GOST-GOST94", - 0x0300ff01, - SSL_kRSA, - SSL_aRSA, - SSL_eGOST2814789CNT, - SSL_GOST94, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256}, - { - 1, - "GOST-GOST89MAC", - 0x0300ff02, - SSL_kRSA, - SSL_aRSA, - SSL_eGOST2814789CNT, - SSL_GOST89MAC, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 256, - 256}, - { - 1, - "GOST-GOST89STREAM", - 0x0300ff03, - SSL_kRSA, - SSL_aRSA, - SSL_eGOST2814789CNT, - SSL_GOST89MAC, - SSL_TLSV1, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF | TLS1_STREAM_MAC, - 256, - 256}, -#endif - /* end of list */ }; @@ -4694,7 +4613,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) #ifndef OPENSSL_NO_GOST if (s->version >= TLS1_VERSION) { if (alg_k & SSL_kGOST) { - p[ret++] = TLS_CT_GOST94_SIGN; p[ret++] = TLS_CT_GOST01_SIGN; return (ret); } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 76f49bd837..acb2fa94bc 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2736,9 +2736,7 @@ int ssl3_get_client_key_exchange(SSL *s) /* Get our certificate private key */ alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if (alg_a & SSL_aGOST94) - pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; - else if (alg_a & SSL_aGOST01) + if (alg_a & SSL_aGOST01) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); @@ -2874,8 +2872,7 @@ int ssl3_get_cert_verify(SSL *s) * If key is GOST and n is exactly 64, it is bare signature without * length field */ - if (n == 64 && (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001)) { + if (n == 64 && pkey->type == NID_id_GostR3410_2001) { len = 64; } else { if (SSL_USE_SIGALGS(s)) { @@ -2984,8 +2981,7 @@ int ssl3_get_cert_verify(SSL *s) } } else #endif - if (pkey->type == NID_id_GostR3410_94 - || pkey->type == NID_id_GostR3410_2001) { + if (pkey->type == NID_id_GostR3410_2001) { unsigned char signature[64]; int idx; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index da64301b58..08a95f958b 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -331,9 +331,8 @@ static const SSL_CIPHER cipher_aliases[] = { {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, - {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94 | SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0}, /* aliases combining key exchange and server authentication */ @@ -528,14 +527,12 @@ void ssl_load_ciphers(void) disabled_mac_mask |= SSL_GOST89MAC; } - if (!get_optional_pkey_id("gost94")) - disabled_auth_mask |= SSL_aGOST94; if (!get_optional_pkey_id("gost2001")) disabled_auth_mask |= SSL_aGOST01; /* * Disable GOST key exchange if no GOST signature algs are available * */ - if ((disabled_auth_mask & (SSL_aGOST94 | SSL_aGOST01)) == (SSL_aGOST94 | SSL_aGOST01)) + if ((disabled_auth_mask & SSL_aGOST01) == SSL_aGOST01) disabled_mkey_mask |= SSL_kGOST; } @@ -1673,9 +1670,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aSRP: au = "SRP"; break; - case SSL_aGOST94: - au = "GOST94"; - break; case SSL_aGOST01: au = "GOST01"; break; @@ -1961,8 +1955,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) return SSL_PKEY_DSA_SIGN; else if (alg_a & SSL_aRSA) return SSL_PKEY_RSA_ENC; - else if (alg_a & SSL_aGOST94) - return SSL_PKEY_GOST94; else if (alg_a & SSL_aGOST01) return SSL_PKEY_GOST01; return -1; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5a0ec8afc8..2a2eb7827c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2007,11 +2007,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) mask_k |= SSL_kGOST; mask_a |= SSL_aGOST01; } - cpk = &(c->pkeys[SSL_PKEY_GOST94]); - if (cpk->x509 != NULL && cpk->privatekey != NULL) { - mask_k |= SSL_kGOST; - mask_a |= SSL_aGOST94; - } if (rsa_enc || (rsa_tmp && rsa_sign)) mask_k |= SSL_kRSA; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index bc8388ab87..63b547a8f9 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -339,8 +339,6 @@ # define SSL_aECDSA 0x00000040L /* PSK auth */ # define SSL_aPSK 0x00000080L -/* GOST R 34.10-94 signature auth */ -# define SSL_aGOST94 0x00000100L /* GOST R 34.10-2001 signature auth */ # define SSL_aGOST01 0x00000200L /* SRP auth */ @@ -508,7 +506,6 @@ # define SSL_PKEY_DH_RSA 3 # define SSL_PKEY_DH_DSA 4 # define SSL_PKEY_ECC 5 -# define SSL_PKEY_GOST94 6 # define SSL_PKEY_GOST01 7 # define SSL_PKEY_NUM 8 |