diff options
-rw-r--r-- | lib/libssl/s3_lib.c | 58 | ||||
-rw-r--r-- | lib/libssl/ssl_local.h | 16 |
2 files changed, 15 insertions, 59 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 6ebe2605dae..0eec6e97129 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.251 2024/03/02 11:46:55 tb Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.252 2024/05/10 05:08:05 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -168,13 +168,6 @@ #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) -/* - * FIXED_NONCE_LEN is a macro that provides in the correct value to set the - * fixed nonce length in algorithms2. It is the inverse of the - * SSL_CIPHER_AEAD_FIXED_NONCE_LEN macro. - */ -#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24) - /* list of available SSLv3 ciphers (sorted by id) */ const SSL_CIPHER ssl3_ciphers[] = { @@ -644,9 +637,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -662,9 +653,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, .strength_bits = 256, .alg_bits = 256, }, @@ -680,9 +669,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -698,9 +685,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, .strength_bits = 256, .alg_bits = 256, }, @@ -716,9 +701,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -734,9 +717,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, .strength_bits = 256, .alg_bits = 256, }, @@ -1215,9 +1196,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -1233,9 +1212,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, .strength_bits = 256, .alg_bits = 256, }, @@ -1251,9 +1228,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 128, .alg_bits = 128, }, @@ -1269,9 +1244,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - FIXED_NONCE_LEN(4)| - SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, .strength_bits = 256, .alg_bits = 256, }, @@ -1287,8 +1260,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(12), + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -1304,8 +1276,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(12), + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, @@ -1321,8 +1292,7 @@ const SSL_CIPHER ssl3_ciphers[] = { .algorithm_mac = SSL_AEAD, .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, - .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - FIXED_NONCE_LEN(12), + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, .strength_bits = 256, .alg_bits = 256, }, diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h index 2266d5e3ce8..551bdd5766c 100644 --- a/lib/libssl/ssl_local.h +++ b/lib/libssl/ssl_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_local.h,v 1.14 2024/03/26 03:44:11 beck Exp $ */ +/* $OpenBSD: ssl_local.h,v 1.15 2024/05/10 05:08:05 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -263,20 +263,6 @@ __BEGIN_HIDDEN_DECLS #define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) /* - * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that - * indicates that the variable part of the nonce is included as a prefix of - * the record (AES-GCM, for example, does this with an 8-byte variable nonce.) - */ -#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22) - -/* - * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce - * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD. - */ -#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \ - (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2) - -/* * Cipher strength information. */ #define SSL_STRONG_MASK 0x000001fcL |