Remove MD4 support from LibreSSL.

MD4 should have been removed a long time ago.  Also, RFC 6150 moved it to
historic in 2011.  Rides the major crank from removing SHA-0.

Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@

5 files changed, 15 insertions, 48 deletions

diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 50063b653d4..de0a56735a0 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.26 2015/09/13 17:57:11 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.27 2015/09/13 23:36:21 doug Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -383,8 +383,6 @@ Streebog-256 digest.
 Streebog-512 digest.
 .It Cm md_gost94
 GOST R 34.11-94 digest.
-.It Cm md4
-MD4 digest.
 .It Cm md5
 MD5 digest.
 .It Cm ripemd160
@@ -1795,7 +1793,7 @@ install user certificates and CAs in MSIE using the Xenroll control.
 .Bk -words
 .Oo
 .Fl gost-mac | streebog256 | streebog512 | md_gost94 |
-.Fl md4 | md5 | ripemd160 | sha | sha1 |
+.Fl md5 | ripemd160 | sha1 |
 .Fl sha224 | sha256 | sha384 | sha512 | whirlpool
 .Oc
 .Op Fl binary
@@ -1818,7 +1816,7 @@ install user certificates and CAs in MSIE using the Xenroll control.
 .Pp
 .Nm openssl
 .Cm gost-mac | streebog256 | streebog512 | md_gost94 |
-.Cm md4 | md5 | ripemd160 | sha | sha1 |
+.Cm md5 | ripemd160 | sha | sha1 |
 .Cm sha224 | sha256 | sha384 | sha512 | whirlpool
 .Op Fl c
 .Op Fl d
@@ -5085,7 +5083,7 @@ instead of standard output.
 .Op Fl key Ar keyfile
 .Op Fl keyform Ar DER | PEM
 .Op Fl keyout Ar file
-.Op Fl md4 | md5 | sha1
+.Op Fl md5 | sha1
 .Op Fl modulus
 .Op Fl nameopt Ar option
 .Op Fl new
@@ -7664,7 +7662,6 @@ command were first added in
 .Op Cm dsa2048
 .Op Cm hmac
 .Op Cm md2
-.Op Cm md4
 .Op Cm md5
 .Op Cm rc2
 .Op Cm rc2-cbc
@@ -7715,7 +7712,7 @@ benchmarks in parallel.
 .Nm "openssl ts"
 .Bk -words
 .Fl query
-.Op Fl md4 | md5 | ripemd160 | sha | sha1
+.Op Fl md5 | ripemd160 | sha1
 .Op Fl cert
 .Op Fl config Ar configfile
 .Op Fl data Ar file_to_hash
@@ -7836,7 +7833,7 @@ This option specifies a previously created time stamp request in DER
 format that will be printed into the output file.
 Useful when you need to examine the content of a request in human-readable
 format.
-.It Fl md4|md5|ripemd160|sha|sha1
+.It Fl md5|ripemd160|sha1
 The message digest to apply to the data file.
 It supports all the message digest algorithms that are supported by the
 .Nm dgst
diff --git a/usr.bin/openssl/openssl.c b/usr.bin/openssl/openssl.c
index d0c0ec05518..1bda338356f 100644
--- a/usr.bin/openssl/openssl.c
+++ b/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.10 2015/09/13 12:41:01 bcook Exp $ */
+/* $OpenBSD: openssl.c,v 1.11 2015/09/13 23:36:21 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -217,9 +217,6 @@ FUNCTION functions[] = {
 	{ FUNC_TYPE_MD, "streebog256", dgst_main },
 	{ FUNC_TYPE_MD, "streebog512", dgst_main },
 #endif
-#ifndef OPENSSL_NO_MD4
-	{ FUNC_TYPE_MD, "md4", dgst_main },
-#endif
 #ifndef OPENSSL_NO_MD5
 	{ FUNC_TYPE_MD, "md5", dgst_main },
 #endif
diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c
index 5ed658bfb1f..f359e7392e7 100644
--- a/usr.bin/openssl/req.c
+++ b/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
+/* $OpenBSD: req.c,v 1.8 2015/09/13 23:36:21 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -354,7 +354,7 @@ bad:
 		BIO_printf(bio_err, " -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err, " -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err, " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
-		BIO_printf(bio_err, " -[digest]      Digest to sign with (md5, sha1, md4)\n");
+		BIO_printf(bio_err, " -[digest]      Digest to sign with (md5, sha1)\n");
 		BIO_printf(bio_err, " -config file   request template file.\n");
 		BIO_printf(bio_err, " -subj arg      set or modify request subject\n");
 		BIO_printf(bio_err, " -multivalue-rdn enable support for multivalued RDNs\n");
diff --git a/usr.bin/openssl/speed.c b/usr.bin/openssl/speed.c
index a0fa9dcd8b6..d9fe3309b71 100644
--- a/usr.bin/openssl/speed.c
+++ b/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.13 2015/09/12 15:49:53 bcook Exp $ */
+/* $OpenBSD: speed.c,v 1.14 2015/09/13 23:36:21 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -124,9 +124,6 @@
 #ifndef OPENSSL_NO_IDEA
 #include <openssl/idea.h>
 #endif
-#ifndef OPENSSL_NO_MD4
-#include <openssl/md4.h>
-#endif
 #ifndef OPENSSL_NO_MD5
 #include <openssl/md5.h>
 #endif
@@ -173,7 +170,8 @@ static int do_multi(int multi);
 #define MAX_ECDH_SIZE 256
 
 static const char *names[ALGOR_NUM] = {
-	"md2", NULL /* was mdc2 */, "md4", "md5", "hmac(md5)", "sha1", "rmd160",
+	"md2", NULL /* was mdc2 */, NULL /* was md4 */, "md5", "hmac(md5)",
+	"sha1", "rmd160",
 	"rc4", "des cbc", "des ede3", "idea cbc", "seed cbc",
 	"rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc",
 	"aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
@@ -234,9 +232,6 @@ speed_main(int argc, char **argv)
 	long rsa_count;
 	unsigned rsa_num;
 	unsigned char md[EVP_MAX_MD_SIZE];
-#ifndef OPENSSL_NO_MD4
-	unsigned char md4[MD4_DIGEST_LENGTH];
-#endif
 #ifndef OPENSSL_NO_MD5
 	unsigned char md5[MD5_DIGEST_LENGTH];
 	unsigned char hmac[MD5_DIGEST_LENGTH];
@@ -318,7 +313,6 @@ speed_main(int argc, char **argv)
 	CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3;
 #endif
 #define	D_MD2		0
-#define	D_MD4		2
 #define	D_MD5		3
 #define	D_HMAC		4
 #define	D_SHA1		5
@@ -557,11 +551,6 @@ speed_main(int argc, char **argv)
 			j--;	/* Otherwise, -mr gets confused with an
 				 * algorithm. */
 		} else
-#ifndef OPENSSL_NO_MD4
-		if (strcmp(*argv, "md4") == 0)
-			doit[D_MD4] = 1;
-		else
-#endif
 #ifndef OPENSSL_NO_MD5
 		if (strcmp(*argv, "md5") == 0)
 			doit[D_MD5] = 1;
@@ -812,9 +801,6 @@ speed_main(int argc, char **argv)
 			BIO_printf(bio_err, "Error: bad option or value\n");
 			BIO_printf(bio_err, "\n");
 			BIO_printf(bio_err, "Available values:\n");
-#ifndef OPENSSL_NO_MD4
-			BIO_printf(bio_err, "md4      ");
-#endif
 #ifndef OPENSSL_NO_MD5
 			BIO_printf(bio_err, "md5      ");
 #ifndef OPENSSL_NO_HMAC
@@ -837,7 +823,7 @@ speed_main(int argc, char **argv)
 			BIO_printf(bio_err, "rmd160");
 #endif
 #if !defined(OPENSSL_NO_MD2) || \
-    !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
+    !defined(OPENSSL_NO_MD5) || \
     !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
     !defined(OPENSSL_NO_WHIRLPOOL)
 			BIO_printf(bio_err, "\n");
@@ -996,19 +982,6 @@ speed_main(int argc, char **argv)
 #define COUNT(d) (count)
 	signal(SIGALRM, sig_done);
 
-#ifndef OPENSSL_NO_MD4
-	if (doit[D_MD4]) {
-		for (j = 0; j < SIZE_NUM; j++) {
-			print_message(names[D_MD4], c[D_MD4][j], lengths[j]);
-			Time_F(START);
-			for (count = 0, run = 1; COND(c[D_MD4][j]); count++)
-				EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md4[0]), NULL, EVP_md4(), NULL);
-			d = Time_F(STOP);
-			print_result(D_MD4, j, count, d);
-		}
-	}
-#endif
-
 #ifndef OPENSSL_NO_MD5
 	if (doit[D_MD5]) {
 		for (j = 0; j < SIZE_NUM; j++) {
diff --git a/usr.bin/openssl/ts.c b/usr.bin/openssl/ts.c
index 258e636b036..d2bf2a6cd6f 100644
--- a/usr.bin/openssl/ts.c
+++ b/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.7 2015/09/12 19:34:07 lteo Exp $ */
+/* $OpenBSD: ts.c,v 1.8 2015/09/13 23:36:21 doug Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -298,7 +298,7 @@ usage:
 	BIO_printf(bio_err, "usage:\n"
 	    "ts -query [-config configfile] "
 	    "[-data file_to_hash] [-digest digest_bytes]"
-	    "[-md2|-md4|-md5|-sha|-sha1|-ripemd160] "
+	    "[-md5|-sha1|-ripemd160] "
 	    "[-policy object_id] [-no_nonce] [-cert] "
 	    "[-in request.tsq] [-out request.tsq] [-text]\n");
 	BIO_printf(bio_err, "or\n"