author | Bob Beck <beck@cvs.openbsd.org> | 2024-02-03 15:58:35 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2024-02-03 15:58:35 +0000 |
commit | 5c91698c33884b0a3f6cce362413c024017dbe9c (patch) | |
tree | 10b02c1399174e2eaef8bc83832956c73b6b7605 /lib | |
parent | 54c4f0c0f8217322ebbc0437d59ac083f2184a19 (diff) |
Remove GOST and STREEBOG support from libssl.
This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.
This removes it from libssl in preparation for its removal from
libcrypto with a future major bump.
ok tb@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/s3_lib.c | 86 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 11 | ||||
-rw-r--r-- | lib/libssl/ssl3.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_both.c | 5 | ||||
-rw-r--r-- | lib/libssl/ssl_cert.c | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_ciph.c | 107 | ||||
-rw-r--r-- | lib/libssl/ssl_clnt.c | 206 | ||||
-rw-r--r-- | lib/libssl/ssl_err.c | 3 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 10 | ||||
-rw-r--r-- | lib/libssl/ssl_local.h | 20 | ||||
-rw-r--r-- | lib/libssl/ssl_sigalgs.c | 28 | ||||
-rw-r--r-- | lib/libssl/ssl_sigalgs.h | 10 | ||||
-rw-r--r-- | lib/libssl/ssl_srvr.c | 152 | ||||
-rw-r--r-- | lib/libssl/tls1.h | 10 | ||||
-rw-r--r-- | lib/libssl/tls12_key_schedule.c | 6 | ||||
-rw-r--r-- | lib/libssl/tls12_record_layer.c | 43 |
16 files changed, 32 insertions, 675 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 1ae2d047bc7..bb8e9465ba6 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.248 2023/11/29 13:39:34 tb Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.249 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -577,41 +577,6 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* GOST Ciphersuites */ - - /* Cipher 81 */ - { - .valid = 1, - .name = "GOST2001-GOST89-GOST89", - .id = 0x3000081, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher 83 */ - { - .valid = 1, - .name = "GOST2001-NULL-GOST94", - .id = 0x3000083, - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_GOST94, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, - .strength_bits = 0, - .alg_bits = 0 - }, - #ifndef OPENSSL_NO_CAMELLIA /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 
@@ -1362,40 +1327,6 @@ const SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 256, }, - /* Cipher FF85 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-GOST89-GOST89", - .id = 0x300ff85, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eGOST2814789CNT, - .algorithm_mac = SSL_GOST89MAC, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256| - TLS1_STREAM_MAC, - .strength_bits = 256, - .alg_bits = 256 - }, - - /* Cipher FF87 FIXME IANA */ - { - .valid = 1, - .name = "GOST2012256-NULL-STREEBOG256", - .id = 0x300ff87, /* FIXME IANA */ - .algorithm_mkey = SSL_kGOST, - .algorithm_auth = SSL_aGOST01, - .algorithm_enc = SSL_eNULL, - .algorithm_mac = SSL_STREEBOG256, - .algorithm_ssl = SSL_TLSV1, - .algo_strength = SSL_STRONG_NONE, - .algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256, - .strength_bits = 0, - .alg_bits = 0 - }, - - /* end of list */ }; @@ -2668,21 +2599,6 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) alg_k = s->s3->hs.cipher->algorithm_mkey; -#ifndef OPENSSL_NO_GOST - if ((alg_k & SSL_kGOST) != 0) { - if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) - return 0; - if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) - return 0; - } -#endif - if ((alg_k & SSL_kDHE) != 0) { if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) return 0; diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 8d65a1ec03b..03a5a80d0a7 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.232 2023/11/22 15:43:42 tb Exp $ */ +/* $OpenBSD: ssl.h,v 1.233 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -245,7 +245,6 @@ extern "C" { #define SSL_TXT_kECDH "kECDH" #define SSL_TXT_kEECDH "kEECDH" #define SSL_TXT_kPSK "kPSK" -#define SSL_TXT_kGOST "kGOST" #define SSL_TXT_kSRP "kSRP" #define SSL_TXT_aRSA "aRSA" @@ -255,9 +254,6 @@ extern "C" { #define SSL_TXT_aKRB5 "aKRB5" #define SSL_TXT_aECDSA "aECDSA" #define SSL_TXT_aPSK "aPSK" -#define SSL_TXT_aGOST94 "aGOST94" -#define SSL_TXT_aGOST01 "aGOST01" -#define SSL_TXT_aGOST "aGOST" #define SSL_TXT_DSS "DSS" #define SSL_TXT_DH "DH" @@ -293,12 +289,8 @@ extern "C" { #define SSL_TXT_MD5 "MD5" #define SSL_TXT_SHA1 "SHA1" #define SSL_TXT_SHA "SHA" /* same as "SHA1" */ -#define SSL_TXT_GOST94 "GOST94" -#define SSL_TXT_GOST89MAC "GOST89MAC" #define SSL_TXT_SHA256 "SHA256" #define SSL_TXT_SHA384 "SHA384" -#define SSL_TXT_STREEBOG256 "STREEBOG256" -#define SSL_TXT_STREEBOG512 "STREEBOG512" #define SSL_TXT_DTLS1 "DTLSv1" #define SSL_TXT_DTLS1_2 "DTLSv1.2" @@ -2176,7 +2168,6 @@ void ERR_load_SSL_strings(void); #define SSL_R_NO_CLIENT_CERT_METHOD 331 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 #define SSL_R_NO_METHOD_SPECIFIED 188 #define SSL_R_NO_PRIVATEKEY 189 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h index 6c6cc2ad2b0..603d9ccb4f1 100644 --- a/lib/libssl/ssl3.h +++ b/lib/libssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.57 2021/09/10 14:49:13 tb Exp $ */ +/* $OpenBSD: ssl3.h,v 1.58 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -325,7 +325,7 @@ extern "C" { * enough to contain all of the cert types defined either for * SSLv3 and TLSv1. */ -#define SSL3_CT_NUMBER 13 +#define SSL3_CT_NUMBER 7 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 14d9aa85a76..995f1c46015 100644 --- a/lib/libssl/ssl_both.c 
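Review bot: `#define SSL3_CT_NUMBER 7` in the ssl3.h hunk is a bare count with no stated derivation, and the arithmetic is not obvious from this commit: the block removed from ssl3_get_req_cert_types in s3_lib.c emitted five GOST certificate types, while the constant drops by six (13 to 7). The existing comment above it only says the value must be large enough for all defined certificate types, so a reader cannot tell whether 7 is exact or leaves slack. I would extend that comment to say which set of types is being counted, for example `/* Upper bound on the certificate types ssl3_get_req_cert_types() can emit. */` if that is the invariant. Where the constant is consumed is outside this hunk, so it is worth confirming that any use of it as a limit on a peer-supplied list still behaves sensibly with the smaller value.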
+++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.46 2023/07/07 08:53:55 tb Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.47 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -384,9 +384,6 @@ ssl_cert_type(EVP_PKEY *pkey) switch (EVP_PKEY_id(pkey)) { case EVP_PKEY_EC: return SSL_PKEY_ECC; - case NID_id_GostR3410_2001: - case NID_id_GostR3410_2001_cc: - return SSL_PKEY_GOST01; case EVP_PKEY_RSA: case EVP_PKEY_RSA_PSS: return SSL_PKEY_RSA; diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index a288050269c..5b2fe1a48d3 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.107 2023/07/08 16:40:13 beck Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.108 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -233,10 +233,6 @@ ssl_cert_dup(SSL_CERT *cert) /* We have an ECC key */ break; - case SSL_PKEY_GOST01: - /* We have a GOST key */ - break; - default: /* Can't happen. */ SSLerrorx(SSL_R_LIBRARY_BUG); diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index cea4d3e6f46..76a38405209 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.138 2024/01/04 20:02:10 tb Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.139 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -212,10 +212,6 @@ static const SSL_CIPHER cipher_aliases[] = { .name = SSL_TXT_ECDH, .algorithm_mkey = SSL_kECDHE, }, - { - .name = SSL_TXT_kGOST, - .algorithm_mkey = SSL_kGOST, - }, /* server authentication aliases */ { 
@@ -242,14 +238,6 @@ static const SSL_CIPHER cipher_aliases[] = { .name = SSL_TXT_ECDSA, .algorithm_auth = SSL_aECDSA, }, - { - .name = SSL_TXT_aGOST01, - .algorithm_auth = SSL_aGOST01, - }, - { - .name = SSL_TXT_aGOST, - .algorithm_auth = SSL_aGOST01, - }, /* aliases combining key exchange and server authentication */ { @@ -356,14 +344,6 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_mac = SSL_SHA1, }, { - .name = SSL_TXT_GOST94, - .algorithm_mac = SSL_GOST94, - }, - { - .name = SSL_TXT_GOST89MAC, - .algorithm_mac = SSL_GOST89MAC, - }, - { .name = SSL_TXT_SHA256, .algorithm_mac = SSL_SHA256, }, @@ -371,10 +351,6 @@ static const SSL_CIPHER cipher_aliases[] = { .name = SSL_TXT_SHA384, .algorithm_mac = SSL_SHA384, }, - { - .name = SSL_TXT_STREEBOG256, - .algorithm_mac = SSL_STREEBOG256, - }, /* protocol version aliases */ { @@ -472,11 +448,6 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc, case SSL_CAMELLIA256: *enc = EVP_camellia_256_cbc(); break; -#ifndef OPENSSL_NO_GOST - case SSL_eGOST2814789CNT: - *enc = EVP_gost2814789_cnt(); - break; -#endif } switch (ss->cipher->algorithm_mac) { @@ -492,21 +463,11 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc, case SSL_SHA384: *md = EVP_sha384(); break; -#ifndef OPENSSL_NO_GOST - case SSL_GOST89MAC: - *md = EVP_gost2814789imit(); - break; - case SSL_GOST94: - *md = EVP_gostr341194(); - break; - case SSL_STREEBOG256: - *md = EVP_streebog256(); - break; -#endif } if (*enc == NULL || *md == NULL) return 0; + /* XXX remove these from ssl_cipher_get_evp? */ /* * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not * supported via EVP_CIPHER (they should be using EVP_AEAD instead). 
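Review bot: The added `/* XXX remove these from ssl_cipher_get_evp? */` in ssl_cipher_get_evp does not say what "these" are, and because it sits directly above the existing comment about AEAD and GCM ciphers it reads as if it referred to those checks. Judging by the next hunk, where `*mac_pkey_type` becomes unconditionally `EVP_PKEY_HMAC`, the intent is presumably the MAC out-parameters. If so, a wording such as `/* XXX - mac_pkey_type is always EVP_PKEY_HMAC now; drop the out-parameter? */` placed next to that assignment would make the follow-up actionable. The function body starts and ends outside the hunk.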
@@ -515,18 +476,9 @@ ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc, return 0; if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE) return 0; -#ifndef OPENSSL_NO_GOST - /* XXX JFC. die in fire already */ - if (ss->cipher->algorithm_mac == SSL_GOST89MAC) { - *mac_pkey_type = EVP_PKEY_GOSTIMIT; - *mac_secret_size = 32; /* XXX */ - } else { -#endif - *mac_pkey_type = EVP_PKEY_HMAC; - *mac_secret_size = EVP_MD_size(*md); -#ifndef OPENSSL_NO_GOST - } -#endif + + *mac_pkey_type = EVP_PKEY_HMAC; + *mac_secret_size = EVP_MD_size(*md); return 1; } @@ -581,14 +533,6 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) case SSL_HANDSHAKE_MAC_DEFAULT: *md = EVP_md5_sha1(); return 1; -#ifndef OPENSSL_NO_GOST - case SSL_HANDSHAKE_MAC_GOST94: - *md = EVP_gostr341194(); - return 1; - case SSL_HANDSHAKE_MAC_STREEBOG256: - *md = EVP_streebog256(); - return 1; -#endif case SSL_HANDSHAKE_MAC_SHA256: *md = EVP_sha256(); return 1; @@ -641,6 +585,7 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, *head = curr; } +/* XXX beck: remove this in a followon to removing GOST */ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) @@ -651,16 +596,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, *mac = 0; *ssl = 0; - /* - * Check for the availability of GOST 34.10 public/private key - * algorithms. If they are not available disable the associated - * authentication and key exchange algorithms. - */ -#if defined(OPENSSL_NO_GOST) || !defined(EVP_PKEY_GOSTR01) - *auth |= SSL_aGOST01; - *mkey |= SSL_kGOST; -#endif - #ifdef SSL_FORBID_ENULL *enc |= SSL_eNULL; #endif @@ -1455,9 +1390,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kECDHE: kx = "ECDH"; break; - case SSL_kGOST: - kx = "GOST"; - break; case SSL_kTLS1_3: kx = "TLSv1.3"; break; 
@@ -1478,9 +1410,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aECDSA: au = "ECDSA"; break; - case SSL_aGOST01: - au = "GOST01"; - break; case SSL_aTLS1_3: au = "TLSv1.3"; break; @@ -1520,9 +1449,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_CHACHA20POLY1305: enc = "ChaCha20-Poly1305"; break; - case SSL_eGOST2814789CNT: - enc = "GOST-28178-89-CNT"; - break; default: enc = "unknown"; break; @@ -1544,15 +1470,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_AEAD: mac = "AEAD"; break; - case SSL_GOST94: - mac = "GOST94"; - break; - case SSL_GOST89MAC: - mac = "GOST89IMIT"; - break; - case SSL_STREEBOG256: - mac = "STREEBOG256"; - break; default: mac = "unknown"; break; @@ -1666,8 +1583,6 @@ SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) return NID_des_cbc; case SSL_RC4: return NID_rc4; - case SSL_eGOST2814789CNT: - return NID_gost89_cnt; default: return NID_undef; } @@ -1680,10 +1595,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) switch (c->algorithm_mac) { case SSL_AEAD: return NID_undef; - case SSL_GOST89MAC: - return NID_id_Gost28147_89_MAC; - case SSL_GOST94: - return NID_id_GostR3411_94; case SSL_MD5: return NID_md5; case SSL_SHA1: @@ -1692,8 +1603,6 @@ SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) return NID_sha256; case SSL_SHA384: return NID_sha384; - case SSL_STREEBOG256: - return NID_id_tc26_gost3411_2012_256; default: return NID_undef; } @@ -1708,8 +1617,6 @@ SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c) return NID_kx_dhe; case SSL_kECDHE: return NID_kx_ecdhe; - case SSL_kGOST: - return NID_kx_gost; case SSL_kRSA: return NID_kx_rsa; default: @@ -1726,8 +1633,6 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) return NID_auth_null; case SSL_aECDSA: return NID_auth_ecdsa; - case SSL_aGOST01: - return NID_auth_gost01; case SSL_aRSA: return NID_auth_rsa; default: 
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 52f5de35a44..56fb9ba1c7e 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.163 2023/12/29 12:24:33 tb Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.164 2024/02/03 15:58:33 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -161,10 +161,6 @@ #include <openssl/objects.h> #include <openssl/opensslconf.h> -#ifndef OPENSSL_NO_GOST -#include <openssl/gost.h> -#endif - #include "bytestring.h" #include "dtls_local.h" #include "ssl_local.h" @@ -829,7 +825,6 @@ ssl3_get_server_hello(SSL *s) uint8_t compression_method; const SSL_CIPHER *cipher; const SSL_METHOD *method; - unsigned long alg_k; int al, ret; s->first_packet = 1; @@ -1038,8 +1033,7 @@ ssl3_get_server_hello(SSL *s) * Don't digest cached records if no sigalgs: we may need them for * client authentication. */ - alg_k = s->s3->hs.cipher->algorithm_mkey; - if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) + if (!SSL_USE_SIGALGS(s)) tls1_transcript_free(s); if (!CBS_get_u8(&cbs, &compression_method)) 
@@ -1931,119 +1925,6 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb) } static int -ssl3_send_client_kex_gost(SSL *s, CBB *cbb) -{ - unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; - EVP_PKEY_CTX *pkey_ctx = NULL; - EVP_MD_CTX *ukm_hash = NULL; - EVP_PKEY *pkey; - size_t msglen; - unsigned int md_len; - CBB gostblob; - int nid; - int ret = 0; - - /* Get server certificate PKEY and create ctx from it */ - pkey = X509_get0_pubkey(s->session->peer_cert); - if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) { - SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); - goto err; - } - if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* - * If we have send a certificate, and certificate key parameters match - * those of server certificate, use certificate key for key exchange. - * Otherwise, generate ephemeral key pair. - */ - if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) - goto err; - - /* Generate session key. */ - arc4random_buf(premaster_secret, sizeof(premaster_secret)); - - /* - * If we have client certificate, use its secret as peer key. - * XXX - this presumably lacks PFS. - */ - if (s->s3->hs.tls12.cert_request != 0 && - s->cert->key->privatekey != NULL) { - if (EVP_PKEY_derive_set_peer(pkey_ctx, - s->cert->key->privatekey) <=0) { - /* - * If there was an error - just ignore it. - * Ephemeral key would be used. - */ - ERR_clear_error(); - } - } - - /* - * Compute shared IV and store it in algorithm-specific context data. - */ - if ((ukm_hash = EVP_MD_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* XXX check handshake hash instead. 
*/ - if (s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) - nid = NID_id_GostR3411_94; - else - nid = NID_id_tc26_gost3411_2012_256; - if (!EVP_DigestInit(ukm_hash, EVP_get_digestbynid(nid))) - goto err; - if (!EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE)) - goto err; - if (!EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE)) - goto err; - if (!EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len)) - goto err; - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, - EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { - SSLerror(s, SSL_R_LIBRARY_BUG); - goto err; - } - - /* - * Make GOST keytransport blob message, encapsulate it into sequence. - */ - msglen = 255; - if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, - sizeof(premaster_secret)) < 0) { - SSLerror(s, SSL_R_LIBRARY_BUG); - goto err; - } - - if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE)) - goto err; - if (!CBB_add_bytes(&gostblob, tmp, msglen)) - goto err; - if (!CBB_flush(cbb)) - goto err; - - /* Check if pubkey from client certificate was used. */ - if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, - NULL) > 0) - s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; - - if (!tls12_derive_master_secret(s, premaster_secret, 32)) - goto err; - - ret = 1; - - err: - explicit_bzero(premaster_secret, sizeof(premaster_secret)); - EVP_PKEY_CTX_free(pkey_ctx); - EVP_MD_CTX_free(ukm_hash); - - return ret; -} - -static int ssl3_send_client_key_exchange(SSL *s) { unsigned long alg_k; @@ -2067,9 +1948,6 @@ ssl3_send_client_key_exchange(SSL *s) } else if (alg_k & SSL_kECDHE) { if (!ssl3_send_client_kex_ecdhe(s, &kex)) goto err; - } else if (alg_k & SSL_kGOST) { - if (!ssl3_send_client_kex_gost(s, &kex)) - goto err; } else { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 
@@ -2115,14 +1993,6 @@ ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey, SSLerror(s, ERR_R_EVP_LIB); goto err; } -#ifndef OPENSSL_NO_GOST - if (sigalg->key_type == EVP_PKEY_GOSTR01 && - EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } -#endif if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { 
@@ -2230,72 +2100,6 @@ ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) return ret; } -#ifndef OPENSSL_NO_GOST -static int -ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) -{ - CBB cbb_signature; - EVP_MD_CTX *mctx; - EVP_PKEY_CTX *pctx; - const EVP_MD *md; - const unsigned char *hdata; - unsigned char *signature = NULL; - size_t signature_len; - size_t hdata_len; - int nid; - int ret = 0; - - if ((mctx = EVP_MD_CTX_new()) == NULL) - goto err; - - if (!tls1_transcript_data(s, &hdata, &hdata_len)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || - (md = EVP_get_digestbynid(nid)) == NULL) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if (!EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } -#ifndef OPENSSL_NO_GOST - if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } -#endif - if (!EVP_DigestSign(mctx, NULL, &signature_len, hdata, hdata_len)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if ((signature = calloc(1, signature_len)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - if (!EVP_DigestSign(mctx, signature, &signature_len, hdata, hdata_len)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - - if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) - goto err; - if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) - goto err; - if (!CBB_flush(cert_verify)) - goto err; - - ret = 1; - err: - EVP_MD_CTX_free(mctx); - free(signature); - return ret; -} -#endif - static int ssl3_send_client_verify(SSL *s) { 
@@ -2331,12 +2135,6 @@ ssl3_send_client_verify(SSL *s) } else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify)) goto err; -#ifndef OPENSSL_NO_GOST - } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 || - EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) { - if (!ssl3_send_client_verify_gost(s, pkey, &cert_verify)) - goto err; -#endif } else { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c index 28097ea70a9..30ca96b2fa4 100644 --- a/lib/libssl/ssl_err.c +++ b/lib/libssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.46 2023/07/08 16:40:13 beck Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.47 2024/02/03 15:58:33 beck Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -306,7 +306,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"}, {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"}, {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"}, - {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) , "no method specified"}, {ERR_REASON(SSL_R_NO_PRIVATEKEY) , "no privatekey"}, {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"}, diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index c97441c9c01..0277202de3b 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.318 2023/12/29 12:24:33 tb Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.319 2024/02/03 15:58:34 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -2297,12 +2297,6 @@ ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher) mask_a |= SSL_aECDSA; } - cpk = &(c->pkeys[SSL_PKEY_GOST01]); - if (cpk->x509 != NULL && cpk->privatekey != NULL) { - mask_k |= SSL_kGOST; - mask_a |= SSL_aGOST01; - } - cpk = &(c->pkeys[SSL_PKEY_RSA]); if (cpk->x509 != NULL && cpk->privatekey != NULL) { mask_a |= SSL_aRSA; @@ -2363,8 +2357,6 @@ ssl_get_server_send_pkey(const SSL *s) i = SSL_PKEY_ECC; } else if (alg_a & SSL_aRSA) { i = SSL_PKEY_RSA; - } else if (alg_a & SSL_aGOST01) { - i = SSL_PKEY_GOST01; } else { /* if (alg_a & SSL_aNULL) */ SSLerror(s, ERR_R_INTERNAL_ERROR); return (NULL); diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h index bd6275fac7e..b4d093b2262 100644 --- a/lib/libssl/ssl_local.h +++ b/lib/libssl/ssl_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_local.h,v 1.12 2023/12/29 12:24:33 tb Exp $ */ +/* $OpenBSD: ssl_local.h,v 1.13 2024/02/03 15:58:34 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -197,7 +197,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_kRSA 0x00000001L /* RSA key exchange */ #define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ #define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ -#define SSL_kGOST 0x00000200L /* GOST key exchange */ #define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */ /* Bits for algorithm_auth (server authentication) */ @@ -205,7 +204,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_aDSS 0x00000002L /* DSS auth */ #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ #define SSL_aECDSA 0x00000040L /* ECDSA auth*/ -#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ #define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */ /* Bits for algorithm_enc (symmetric encryption) */ 
@@ -218,7 +216,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_AES256 0x00000040L #define SSL_CAMELLIA128 0x00000080L #define SSL_CAMELLIA256 0x00000100L -#define SSL_eGOST2814789CNT 0x00000200L #define SSL_AES128GCM 0x00000400L #define SSL_AES256GCM 0x00000800L #define SSL_CHACHA20POLY1305 0x00001000L @@ -231,8 +228,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_MD5 0x00000001L #define SSL_SHA1 0x00000002L -#define SSL_GOST94 0x00000004L -#define SSL_GOST89MAC 0x00000008L #define SSL_SHA256 0x00000010L #define SSL_SHA384 0x00000020L /* Not a real MAC, just an indication it is part of cipher */ @@ -251,10 +246,8 @@ __BEGIN_HIDDEN_DECLS #define SSL_HANDSHAKE_MAC_MASK 0xff0 #define SSL_HANDSHAKE_MAC_MD5 0x010 #define SSL_HANDSHAKE_MAC_SHA 0x020 -#define SSL_HANDSHAKE_MAC_GOST94 0x040 #define SSL_HANDSHAKE_MAC_SHA256 0x080 #define SSL_HANDSHAKE_MAC_SHA384 0x100 -#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200 #define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) #define SSL3_CK_ID 0x03000000 @@ -267,17 +260,9 @@ __BEGIN_HIDDEN_DECLS #define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT) #define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT) #define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT) -#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT) #define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) /* - * Stream MAC for GOST ciphersuites from cryptopro draft - * (currently this also goes into algorithm2). - */ -#define TLS1_STREAM_MAC 0x04 - -/* * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that * indicates that the variable part of the nonce is included as a prefix of * the record (AES-GCM, for example, does this with an 8-byte variable nonce.) 
@@ -324,8 +309,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_PKEY_RSA 0 #define SSL_PKEY_ECC 1 -#define SSL_PKEY_GOST01 2 -#define SSL_PKEY_NUM 3 +#define SSL_PKEY_NUM 2 #define SSL_MAX_EMPTY_RECORDS 32 diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c index f59beb4320a..9876e82a6f9 100644 --- a/lib/libssl/ssl_sigalgs.c +++ b/lib/libssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.49 2024/02/03 15:58:34 beck Exp $ */ /* * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org> * Copyright (c) 2021 Joel Sing <jsing@openbsd.org> @@ -41,14 +41,6 @@ const struct ssl_sigalg sigalgs[] = { .security_level = 5, .group_nid = NID_secp521r1, }, -#ifndef OPENSSL_NO_GOST - { - .value = SIGALG_GOSTR12_512_STREEBOG_512, - .key_type = EVP_PKEY_GOSTR12_512, - .md = EVP_streebog512, - .security_level = 0, - }, -#endif { .value = SIGALG_RSA_PKCS1_SHA384, .key_type = EVP_PKEY_RSA, @@ -75,20 +67,6 @@ const struct ssl_sigalg sigalgs[] = { .security_level = 3, .group_nid = NID_X9_62_prime256v1, }, -#ifndef OPENSSL_NO_GOST - { - .value = SIGALG_GOSTR12_256_STREEBOG_256, - .key_type = EVP_PKEY_GOSTR12_256, - .md = EVP_streebog256, - .security_level = 0, - }, - { - .value = SIGALG_GOSTR01_GOST94, - .key_type = EVP_PKEY_GOSTR01, - .md = EVP_gostr341194, - .security_level = 0, /* XXX */ - }, -#endif { .value = SIGALG_RSA_PSS_RSAE_SHA256, .key_type = EVP_PKEY_RSA, @@ -283,10 +261,6 @@ ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey) return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); case EVP_PKEY_EC: return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); -#ifndef OPENSSL_NO_GOST - case EVP_PKEY_GOSTR01: - return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); -#endif } SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); return NULL; diff --git a/lib/libssl/ssl_sigalgs.h b/lib/libssl/ssl_sigalgs.h index 21a54d642bc..5211ec6b628 100644 --- a/lib/libssl/ssl_sigalgs.h +++ b/lib/libssl/ssl_sigalgs.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.27 2024/02/03 15:58:34 beck Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> * @@ -47,14 +47,6 @@ __BEGIN_HIDDEN_DECLS #define SIGALG_PRIVATE_START 0xFE00 #define SIGALG_PRIVATE_END 0xFFFF -/* - * If Russia can elect the US President, surely - * IANA could fix this problem. - */ -#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF -#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE -#define SIGALG_GOSTR01_GOST94 0xEDED - /* Legacy sigalg for < TLSv1.2 same value as BoringSSL uses. */ #define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01 diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index f26fde50610..117afac85e6 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.159 2024/02/03 15:58:34 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -162,10 +162,6 @@ #include <openssl/opensslconf.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_GOST -#include <openssl/gost.h> -#endif - #include "bytestring.h" #include "dtls_local.h" #include "ssl_local.h" @@ -564,15 +560,7 @@ ssl3_accept(SSL *s) } alg_k = s->s3->hs.cipher->algorithm_mkey; - if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { - /* - * A GOST client may use the key from its - * certificate for key exchange, in which case - * the CertificateVerify message is not sent. - */ - s->s3->hs.state = SSL3_ST_SR_FINISHED_A; - s->init_num = 0; - } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { + if (SSL_USE_SIGALGS(s)) { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; s->init_num = 0; if (!s->session->peer_cert) @@ -795,7 +783,6 @@ ssl3_get_client_hello(SSL *s) unsigned long id; SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *ciphers = NULL; - unsigned long alg_k; const SSL_METHOD *method; uint16_t shared_version; 
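Review bot: In the ssl3_accept hunk of ssl_srvr.c, the assignment `alg_k = s->s3->hs.cipher->algorithm_mkey;` kept as context immediately above the new `if (SSL_USE_SIGALGS(s)) {` no longer feeds that condition, so it looks like a dead store at this point. The ssl3_get_server_hello and ssl3_get_client_hello hunks drop their `alg_k` outright. The rest of ssl3_accept is outside the hunk, so confirm nothing later in the branch reads it before deleting the line. Relatedly, this hunk removes the only visible reader of `TLS1_FLAGS_SKIP_CERT_VERIFY` and the two GOST key-exchange functions that set it are deleted, yet ssl3.h still defines the flag. A comment on that define such as `/* unused; remove with the next major bump */` would record that no handshake path skips CertificateVerify any more.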
@@ -1138,10 +1125,8 @@ ssl3_get_client_hello(SSL *s) if (!tls1_transcript_hash_init(s)) goto err; - alg_k = s->s3->hs.cipher->algorithm_mkey; - if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || - !(s->verify_mode & SSL_VERIFY_PEER)) - tls1_transcript_free(s); + if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) + tls1_transcript_free(s); /* * We now have the following setup. 
@@ -1816,75 +1801,6 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 }
 static int
-ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
-{
- unsigned char premaster_secret[32];
- EVP_PKEY_CTX *pkey_ctx = NULL;
- EVP_PKEY *client_pubkey;
- EVP_PKEY *pkey = NULL;
- size_t outlen;
- CBS gostblob;
-
- /* Get our certificate private key*/
-#ifndef OPENSSL_NO_GOST
- if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
- pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
-#endif
-
- if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
- goto err;
- if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0)
- goto err;
-
- /*
- * If client certificate is present and is of the same type,
- * maybe use it for key exchange.
- * Don't mind errors from EVP_PKEY_derive_set_peer, because
- * it is completely valid to use a client certificate for
- * authorization only.
- */
- if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
- if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
- ERR_clear_error();
- }
-
- /* Decrypt session key */
- if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
- goto decode_err;
- if (CBS_len(cbs) != 0)
- goto decode_err;
- outlen = sizeof(premaster_secret);
- if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
- CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
- SSLerror(s, SSL_R_DECRYPTION_FAILED);
- goto err;
- }
-
- if (!tls12_derive_master_secret(s, premaster_secret,
- sizeof(premaster_secret)))
- goto err;
-
- /* Check if pubkey from client certificate was used */
- if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY,
- 2, NULL) > 0)
- s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
-
- explicit_bzero(premaster_secret, sizeof(premaster_secret));
- EVP_PKEY_CTX_free(pkey_ctx);
-
- return 1;
-
- decode_err:
- SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- err:
- explicit_bzero(premaster_secret, sizeof(premaster_secret));
- EVP_PKEY_CTX_free(pkey_ctx);
-
- return 0;
-}
-
-static int ssl3_get_client_key_exchange(SSL *s) { unsigned long alg_k; @@ -1912,9 +1828,6 @@ ssl3_get_client_key_exchange(SSL *s) } else if (alg_k & SSL_kECDHE) { if (!ssl3_get_client_kex_ecdhe(s, &cbs)) goto err; - } else if (alg_k & SSL_kGOST) { - if (!ssl3_get_client_kex_gost(s, &cbs)) - goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNKNOWN_CIPHER_TYPE); @@ -2043,15 +1956,6 @@ ssl3_get_cert_verify(SSL *s) al = SSL_AD_INTERNAL_ERROR; goto fatal_err; } -#ifndef OPENSSL_NO_GOST - if (sigalg->key_type == EVP_PKEY_GOSTR01 && - EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, - NULL) <= 0) { - al = SSL_AD_INTERNAL_ERROR; - goto fatal_err; - } -#endif if (EVP_DigestVerify(mctx, CBS_data(&signature), CBS_len(&signature), hdata, hdatalen) <= 0) { SSLerror(s, ERR_R_EVP_LIB); 
@@ -2096,54 +2000,6 @@ ssl3_get_cert_verify(SSL *s)
 SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE);
 goto fatal_err;
 }
-#ifndef OPENSSL_NO_GOST
- } else if (EVP_PKEY_id(pkey) == NID_id_GostR3410_94 ||
- EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
- unsigned char sigbuf[128];
- unsigned int siglen = sizeof(sigbuf);
- EVP_PKEY_CTX *pctx;
- const EVP_MD *md;
- int nid;
-
- if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
- SSLerror(s, ERR_R_INTERNAL_ERROR);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
- !(md = EVP_get_digestbynid(nid))) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- goto fatal_err;
- }
- if (!EVP_DigestInit_ex(mctx, md, NULL) ||
- !EVP_DigestUpdate(mctx, hdata, hdatalen) ||
- !EVP_DigestFinal(mctx, sigbuf, &siglen) ||
- (EVP_PKEY_verify_init(pctx) <= 0) ||
- (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) ||
- (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY,
- EVP_PKEY_CTRL_GOST_SIG_FORMAT,
- GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) {
- SSLerror(s, ERR_R_EVP_LIB);
- al = SSL_AD_INTERNAL_ERROR;
- EVP_PKEY_CTX_free(pctx);
- goto fatal_err;
- }
- if (EVP_PKEY_verify(pctx, CBS_data(&signature),
- CBS_len(&signature), sigbuf, siglen) <= 0) {
- al = SSL_AD_DECRYPT_ERROR;
- SSLerror(s, SSL_R_BAD_SIGNATURE);
- EVP_PKEY_CTX_free(pctx);
- goto fatal_err;
- }
-
- EVP_PKEY_CTX_free(pctx);
-#endif
 } else {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h
index 2bdbd3c1843..daf6cba6faf 100644
--- a/lib/libssl/tls1.h
+++ b/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.56 2022/07/17 14:39:09 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.57 2024/02/03 15:58:34 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -741,18 +741,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS_CT_DSS_SIGN 2
 #define TLS_CT_RSA_FIXED_DH 3
 #define TLS_CT_DSS_FIXED_DH 4
-#define TLS_CT_GOST94_SIGN 21
-#define TLS_CT_GOST01_SIGN 22
 #define TLS_CT_ECDSA_SIGN 64
 #define TLS_CT_RSA_FIXED_ECDH 65
 #define TLS_CT_ECDSA_FIXED_ECDH 66
-#define TLS_CT_GOST12_256_SIGN 67
-#define TLS_CT_GOST12_512_SIGN 68
-#define TLS_CT_GOST12_256_SIGN_COMPAT 238 /* pre-IANA, for compat */
-#define TLS_CT_GOST12_512_SIGN_COMPAT 239 /* pre-IANA, for compat */
 /* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
 * comment there) */
-#define TLS_CT_NUMBER 13
+#define TLS_CT_NUMBER 7
 #define TLS1_FINISH_MAC_LENGTH 12
diff --git a/lib/libssl/tls12_key_schedule.c b/lib/libssl/tls12_key_schedule.c
index 6d714c1183a..1ac003329e3 100644
--- a/lib/libssl/tls12_key_schedule.c
+++ b/lib/libssl/tls12_key_schedule.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_key_schedule.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls12_key_schedule.c,v 1.4 2024/02/03 15:58:34 beck Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -124,10 +124,6 @@ tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
 mac_key_len = EVP_MD_size(mac_hash);
 key_len = EVP_CIPHER_key_length(cipher);
 iv_len = EVP_CIPHER_iv_length(cipher);
-
- /* Special handling for GOST... */
- if (EVP_MD_type(mac_hash) == NID_id_Gost28147_89_MAC)
- mac_key_len = 32;
 }
 if (mac_key_len > EVP_MAX_MD_SIZE)
diff --git a/lib/libssl/tls12_record_layer.c b/lib/libssl/tls12_record_layer.c
index 3f2fe71e210..9786d7d0bda 100644
--- a/lib/libssl/tls12_record_layer.c
+++ b/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.41 2024/01/18 16:30:43 tb Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.42 2024/02/03 15:58:34 beck Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
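Review bot: `#define TLS_CT_NUMBER 7` in the tls1.h hunk is a hand-maintained count, and nothing visible checks it against the list above it or against `SSL3_CT_NUMBER` in ssl3.h, which the adjacent comment says must be corrected with it. Six `TLS_CT_*` entries remain in the hunk, so the seventh is presumably defined just above its first context line. The ssl3.h side of the change is not visible in this part of the diff. A compile-time check in a source file that includes both headers would catch future drift, e.g. `_Static_assert(SSL3_CT_NUMBER >= TLS_CT_NUMBER, "certificate type table too small");`, assuming that is the relation the ssl3.h comment requires. If the constant sizes a buffer, as that comment suggests, a stale value is a memory-safety problem rather than a cosmetic one.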
@@ -468,7 +468,6 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
 CBS *iv)
 {
 EVP_PKEY *mac_pkey = NULL;
- int gost_param_nid;
 int mac_type;
 int ret = 0;
@@ -484,25 +483,10 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
 goto err;
 if (EVP_CIPHER_key_length(rl->cipher) != CBS_len(key))
 goto err;
-
-#ifndef OPENSSL_NO_GOST
- /* XXX die die die */
- /* Special handling for GOST... */
- if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
- if (CBS_len(mac_key) != 32)
- goto err;
- mac_type = EVP_PKEY_GOSTIMIT;
- rp->stream_mac = 1;
- } else {
-#endif
- if (CBS_len(mac_key) > INT_MAX)
- goto err;
- if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
- goto err;
-#ifndef OPENSSL_NO_GOST
- }
-#endif
-
+ if (CBS_len(mac_key) > INT_MAX)
+ goto err;
+ if (EVP_MD_size(rl->mac_hash) != CBS_len(mac_key))
+ goto err;
 if ((rp->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
 goto err;
 if ((rp->hash_ctx = EVP_MD_CTX_new()) == NULL)
@@ -524,23 +508,6 @@ tls12_record_layer_ccs_cipher(struct tls12_record_layer *rl,
 mac_pkey) <= 0)
 goto err;
- /* More special handling for GOST... */
- if (EVP_CIPHER_nid(rl->cipher) == NID_gost89_cnt) {
- gost_param_nid = NID_id_tc26_gost_28147_param_Z;
- if (EVP_MD_type(rl->handshake_hash) == NID_id_GostR3411_94)
- gost_param_nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
-
- if (EVP_CIPHER_CTX_ctrl(rp->cipher_ctx, EVP_CTRL_GOST_SET_SBOX,
- gost_param_nid, 0) <= 0)
- goto err;
-
- if (EVP_MD_type(rl->mac_hash) == NID_id_Gost28147_89_MAC) {
- if (EVP_MD_CTX_ctrl(rp->hash_ctx, EVP_MD_CTRL_GOST_SET_SBOX,
- gost_param_nid, 0) <= 0)
- goto err;
- }
- }
-
 ret = 1;
 err:
|
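Review bot: In the `@@ -484,25 +483,10 @@` hunk of tls12_record_layer_ccs_cipher() the two re-added MAC key checks lose the blank lines the removed block had on both sides, so the length validation now runs straight into the `EVP_CIPHER_CTX_new()` allocation. I would keep a blank line after the last `goto err;` and put a short comment on the checks, e.g. `/* The MAC key must be exactly the digest length. */`, since this is the only length gate on the MAC key visible in the hunk. With the GOST branch gone, nothing in the hunk assigns `mac_type` or `rp->stream_mac` any more. If each is set once earlier in the function (outside the hunk), both could be simplified in a follow-up.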