Remove last remnants of GOST support.
This removes support code for a "stream_mac" mode only used by GOST. Also get
rid of this
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
comment next to it. It's not actually related to GOST (dates to OpenSSL initial
commit), but isn't especially helpful at this point.
Change-Id: Ib13c6e27e16e0d1fb59ed0142ddf913b9abc20b7
Reviewed-on: https://boringssl-review.googlesource.com/1281
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 056b43e..7edda2a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -214,7 +214,6 @@
#define SSL_TXT_kECDH "kECDH"
#define SSL_TXT_kEECDH "kEECDH"
#define SSL_TXT_kPSK "kPSK"
-#define SSL_TXT_kGOST "kGOST"
#define SSL_TXT_kSRP "kSRP"
#define SSL_TXT_aRSA "aRSA"
@@ -223,9 +222,6 @@
#define SSL_TXT_aECDH "aECDH"
#define SSL_TXT_aECDSA "aECDSA"
#define SSL_TXT_aPSK "aPSK"
-#define SSL_TXT_aGOST94 "aGOST94"
-#define SSL_TXT_aGOST01 "aGOST01"
-#define SSL_TXT_aGOST "aGOST"
#define SSL_TXT_DSS "DSS"
#define SSL_TXT_DH "DH"
@@ -257,8 +253,6 @@
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
-#define SSL_TXT_GOST94 "GOST94"
-#define SSL_TXT_GOST89MAC "GOST89MAC"
#define SSL_TXT_SHA256 "SHA256"
#define SSL_TXT_SHA384 "SHA384"
@@ -1249,9 +1243,6 @@
#define SSL_want_session(s) (SSL_want(s) == SSL_PENDING_SESSION)
#define SSL_want_certificate(s) (SSL_want(s) == SSL_CERTIFICATE_SELECTION_PENDING)
-#define SSL_MAC_FLAG_READ_MAC_STREAM 1
-#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
-
#ifndef OPENSSL_NO_SSL_INTERN
struct ssl_st
@@ -1342,7 +1333,6 @@
/* These are the ones being used, the ones in SSL_SESSION are
* the ones to be 'copied' into these ones */
- int mac_flags;
SSL_AEAD_CTX *aead_read_ctx; /* AEAD context. If non-NULL, then
|enc_read_ctx| and |read_hash| are
ignored. */
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index fc142e1..3b1b51c 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -704,8 +704,6 @@
#define TLS_CT_ECDSA_SIGN 64
#define TLS_CT_RSA_FIXED_ECDH 65
#define TLS_CT_ECDSA_FIXED_ECDH 66
-#define TLS_CT_GOST94_SIGN 21
-#define TLS_CT_GOST01_SIGN 22
#define TLS1_FINISH_MAC_LENGTH 12
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index d4698aa..6c8bc15 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -512,14 +512,6 @@
ret = SSL_PKEY_ECC;
}
#endif
- else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc)
- {
- ret = SSL_PKEY_GOST94;
- }
- else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc)
- {
- ret = SSL_PKEY_GOST01;
- }
else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX))
{
/* For DH two cases: DH certificate signed with RSA and
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 28f65c7..d2dd3b5 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2496,11 +2496,6 @@
EVP_PKEY_free(srvr_pub_pkey);
}
#endif /* !OPENSSL_NO_ECDH */
- else if (alg_k & SSL_kGOST)
- {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_GOST_NOT_SUPPORTED);
- goto err;
- }
else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK)))
{
ssl3_send_alert(s, SSL3_AL_FATAL,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 79dcc88..81719c6 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1269,65 +1269,6 @@
256,
},
- /* GOST Ciphersuites */
-
- {
- 1,
- "GOST94-GOST89-GOST89",
- 0x3000080,
- SSL_kGOST,
- SSL_aGOST94,
- SSL_eGOST2814789CNT,
- SSL_GOST89MAC,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC,
- 256,
- 256
- },
- {
- 1,
- "GOST2001-GOST89-GOST89",
- 0x3000081,
- SSL_kGOST,
- SSL_aGOST01,
- SSL_eGOST2814789CNT,
- SSL_GOST89MAC,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC,
- 256,
- 256
- },
- {
- 1,
- "GOST94-NULL-GOST94",
- 0x3000082,
- SSL_kGOST,
- SSL_aGOST94,
- SSL_eNULL,
- SSL_GOST94,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE,
- SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
- 0,
- 0
- },
- {
- 1,
- "GOST2001-NULL-GOST94",
- 0x3000083,
- SSL_kGOST,
- SSL_aGOST01,
- SSL_eNULL,
- SSL_GOST94,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_STRONG_NONE,
- SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94,
- 0,
- 0
- },
-
#ifndef OPENSSL_NO_CAMELLIA
/* Camellia ciphersuites from RFC4132 (256-bit portion) */
@@ -2500,67 +2441,6 @@
#endif /* OPENSSL_NO_ECDH */
-
-#ifdef TEMP_GOST_TLS
-/* Cipher FF00 */
- {
- 1,
- "GOST-MD5",
- 0x0300ff00,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eGOST2814789CNT,
- SSL_MD5,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
- {
- 1,
- "GOST-GOST94",
- 0x0300ff01,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eGOST2814789CNT,
- SSL_GOST94,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256
- },
- {
- 1,
- "GOST-GOST89MAC",
- 0x0300ff02,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eGOST2814789CNT,
- SSL_GOST89MAC,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256
- },
- {
- 1,
- "GOST-GOST89STREAM",
- 0x0300ff03,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eGOST2814789CNT,
- SSL_GOST89MAC,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|TLS1_STREAM_MAC,
- 256,
- 256
- },
-#endif
-
{
1,
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4441a39..a0c8d38 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2520,11 +2520,6 @@
premaster_secret_len = ecdh_len;
}
#endif
- else if (alg_k & SSL_kGOST)
- {
- OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange, SSL_R_GOST_NOT_SUPPORTED);
- goto err;
- }
#ifndef OPENSSL_NO_PSK
else if (alg_k & SSL_kPSK)
{
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bece2cd..4241c23 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -157,16 +157,13 @@
#define SSL_ENC_AES256_IDX 7
#define SSL_ENC_CAMELLIA128_IDX 8
#define SSL_ENC_CAMELLIA256_IDX 9
-#define SSL_ENC_GOST89_IDX 10
-#define SSL_ENC_SEED_IDX 11
-#define SSL_ENC_AES128GCM_IDX 12
-#define SSL_ENC_AES256GCM_IDX 13
-#define SSL_ENC_NUM_IDX 14
+#define SSL_ENC_SEED_IDX 10
+#define SSL_ENC_AES128GCM_IDX 11
+#define SSL_ENC_AES256GCM_IDX 12
+#define SSL_ENC_NUM_IDX 13
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
- };
+static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]= { 0 };
#define SSL_COMP_NULL_IDX 0
#define SSL_COMP_ZLIB_IDX 1
@@ -174,34 +171,22 @@
#define SSL_MD_MD5_IDX 0
#define SSL_MD_SHA1_IDX 1
-#define SSL_MD_GOST94_IDX 2
-#define SSL_MD_GOST89MAC_IDX 3
-#define SSL_MD_SHA256_IDX 4
-#define SSL_MD_SHA384_IDX 5
+#define SSL_MD_SHA256_IDX 2
+#define SSL_MD_SHA384_IDX 3
/*Constant SSL_MAX_DIGEST equal to size of digests array should be
* defined in the
* ssl_locl.h */
#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
- NULL,NULL,NULL,NULL,NULL,NULL
- };
-/* PKEY_TYPE for GOST89MAC is known in advance, but, because
- * implementation is engine-provided, we'll fill it only if
- * corresponding EVP_PKEY_METHOD is found
- */
+static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { 0 };
static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
- EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
- EVP_PKEY_HMAC,EVP_PKEY_HMAC
+ EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
};
-static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
- 0,0,0,0,0,0
- };
+static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { 0 };
static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
- SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
- SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
- SSL_HANDSHAKE_MAC_SHA384
+ SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
+ SSL_HANDSHAKE_MAC_SHA256, SSL_HANDSHAKE_MAC_SHA384,
};
#define CIPHER_ADD 1
@@ -248,7 +233,6 @@
{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
{0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0},
- {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
@@ -260,9 +244,6 @@
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
- {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
- {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
- {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
/* aliases combining key exchange and server authentication */
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
@@ -296,8 +277,6 @@
{0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0},
{0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
{0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
- {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
- {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
{0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0},
{0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0},
@@ -431,9 +410,6 @@
case SSL_CAMELLIA256:
i=SSL_ENC_CAMELLIA256_IDX;
break;
- case SSL_eGOST2814789CNT:
- i=SSL_ENC_GOST89_IDX;
- break;
case SSL_SEED:
i=SSL_ENC_SEED_IDX;
break;
@@ -512,12 +488,6 @@
case SSL_SHA384:
i=SSL_MD_SHA384_IDX;
break;
- case SSL_GOST94:
- i = SSL_MD_GOST94_IDX;
- break;
- case SSL_GOST89MAC:
- i = SSL_MD_GOST89MAC_IDX;
- break;
default:
i= -1;
break;
@@ -631,15 +601,12 @@
*enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
*enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
*enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
- *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
*enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0;
*mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
*mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
*mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
*mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
- *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
- *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
}
@@ -1847,10 +1814,6 @@
return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
return SSL_PKEY_RSA_ENC;
- else if (alg_a & SSL_aGOST94)
- return SSL_PKEY_GOST94;
- else if (alg_a & SSL_aGOST01)
- return SSL_PKEY_GOST01;
return -1;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d8abe7c..74a8e06 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2281,17 +2281,6 @@
rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
#endif
- cpk = &(c->pkeys[SSL_PKEY_GOST01]);
- if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
- mask_k |= SSL_kGOST;
- mask_a |= SSL_aGOST01;
- }
- cpk = &(c->pkeys[SSL_PKEY_GOST94]);
- if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
- mask_k |= SSL_kGOST;
- mask_a |= SSL_aGOST94;
- }
-
if (rsa_enc || (rsa_tmp && rsa_sign))
mask_k|=SSL_kRSA;
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 55e94f5..866e381 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -284,8 +284,7 @@
#define SSL_kECDHe 0x00000020L /* ECDH cert, ECDSA CA cert */
#define SSL_kEECDH 0x00000040L /* ephemeral ECDH */
#define SSL_kPSK 0x00000080L /* PSK */
-#define SSL_kGOST 0x00000100L /* GOST key exchange */
-#define SSL_kSRP 0x00000200L /* SRP */
+#define SSL_kSRP 0x00000100L /* SRP */
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
@@ -295,8 +294,6 @@
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
#define SSL_aECDSA 0x00000020L /* ECDSA auth*/
#define SSL_aPSK 0x00000040L /* PSK auth */
-#define SSL_aGOST94 0x00000080L /* GOST R 34.10-94 signature auth */
-#define SSL_aGOST01 0x00000100L /* GOST R 34.10-2001 signature auth */
/* Bits for algorithm_enc (symmetric encryption) */
@@ -310,11 +307,10 @@
#define SSL_AES256 0x00000080L
#define SSL_CAMELLIA128 0x00000100L
#define SSL_CAMELLIA256 0x00000200L
-#define SSL_eGOST2814789CNT 0x00000400L
-#define SSL_SEED 0x00000800L
-#define SSL_AES128GCM 0x00001000L
-#define SSL_AES256GCM 0x00002000L
-#define SSL_CHACHA20POLY1305 0x00004000L
+#define SSL_SEED 0x00000400L
+#define SSL_AES128GCM 0x00000800L
+#define SSL_AES256GCM 0x00001000L
+#define SSL_CHACHA20POLY1305 0x00002000L
#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
@@ -324,12 +320,10 @@
#define SSL_MD5 0x00000001L
#define SSL_SHA1 0x00000002L
-#define SSL_GOST94 0x00000004L
-#define SSL_GOST89MAC 0x00000008L
-#define SSL_SHA256 0x00000010L
-#define SSL_SHA384 0x00000020L
+#define SSL_SHA256 0x00000004L
+#define SSL_SHA384 0x00000008L
/* Not a real MAC, just an indication it is part of cipher */
-#define SSL_AEAD 0x00000040L
+#define SSL_AEAD 0x00000010L
/* Bits for algorithm_ssl (protocol version) */
#define SSL_SSLV2 0x00000001L
@@ -342,14 +336,13 @@
#define SSL_HANDSHAKE_MAC_MD5 0x10
#define SSL_HANDSHAKE_MAC_SHA 0x20
-#define SSL_HANDSHAKE_MAC_GOST94 0x40
-#define SSL_HANDSHAKE_MAC_SHA256 0x80
-#define SSL_HANDSHAKE_MAC_SHA384 0x100
+#define SSL_HANDSHAKE_MAC_SHA256 0x40
+#define SSL_HANDSHAKE_MAC_SHA384 0x80
#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
* make sure to update this constant too */
-#define SSL_MAX_DIGEST 6
+#define SSL_MAX_DIGEST 4
#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
@@ -358,13 +351,8 @@
#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
-/* Stream MAC for GOST ciphersuites from cryptopro draft
- * (currently this also goes into algorithm2) */
-#define TLS1_STREAM_MAC 0x04
-
#define TLSEXT_CHANNEL_ID_SIZE 128
/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
@@ -476,9 +464,7 @@
#define SSL_PKEY_DH_RSA 3
#define SSL_PKEY_DH_DSA 4
#define SSL_PKEY_ECC 5
-#define SSL_PKEY_GOST94 6
-#define SSL_PKEY_GOST01 7
-#define SSL_PKEY_NUM 8
+#define SSL_PKEY_NUM 6
/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index d32315e..8baf59d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -423,11 +423,6 @@
if (is_read)
{
- if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
- s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
- else
- s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
-
if (s->enc_read_ctx != NULL && !SSL_IS_DTLS(s))
EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
else if ((s->enc_read_ctx=EVP_CIPHER_CTX_new()) == NULL)
@@ -441,11 +436,6 @@
}
else
{
- if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
- s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
- else
- s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
-
/* When updating the write contexts for DTLS, we do not wish to
* free the old ones because DTLS stores pointers to them in
* order to implement retransmission. */
@@ -1182,7 +1172,6 @@
int i;
EVP_MD_CTX hmac, *mac_ctx;
unsigned char header[13];
- int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
int t;
if (send)
@@ -1202,17 +1191,9 @@
assert(t >= 0);
md_size=t;
- /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
- if (stream_mac)
- {
- mac_ctx = hash;
- }
- else
- {
- if (!EVP_MD_CTX_copy(&hmac,hash))
- return -1;
- mac_ctx = &hmac;
- }
+ if (!EVP_MD_CTX_copy(&hmac,hash))
+ return -1;
+ mac_ctx = &hmac;
if (SSL_IS_DTLS(ssl))
{
@@ -1261,18 +1242,7 @@
assert(t > 0);
}
- if (!stream_mac)
- EVP_MD_CTX_cleanup(&hmac);
-#ifdef TLS_DEBUG
-printf("sec=");
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
-printf("seq=");
-{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("buf=");
-{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
-printf("rec=");
-{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
-#endif
+ EVP_MD_CTX_cleanup(&hmac);
if (!SSL_IS_DTLS(ssl))
{
@@ -1283,9 +1253,6 @@
}
}
-#ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
-#endif
return(md_size);
}
