diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 4cc3d87f..162e67bd 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1152,7 +1152,7 @@ OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher); * mode). */ OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher); -/* SSL_CIPHER_has_MD5_HMAC returns one if |cipher| uses HMAC-MD5. */ +/* SSL_CIPHER_has_MD5_HMAC returns zero. */ OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher); /* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. */ @@ -1276,7 +1276,7 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, * whose bulk cipher use the corresponding encryption scheme. Note that * |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers. * - * |MD5|, |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the + * |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the * corresponding hash function in their MAC. AEADs are matched by none of * these. * diff --git a/ssl/internal.h b/ssl/internal.h index 919f5aa2..eb477850 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -195,12 +195,11 @@ extern "C" { #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) /* Bits for |algorithm_mac| (symmetric authentication). */ -#define SSL_MD5 0x00000001L -#define SSL_SHA1 0x00000002L -#define SSL_SHA256 0x00000004L -#define SSL_SHA384 0x00000008L +#define SSL_SHA1 0x00000001L +#define SSL_SHA256 0x00000002L +#define SSL_SHA384 0x00000004L /* SSL_AEAD is set for all AEADs. */ -#define SSL_AEAD 0x00000010L +#define SSL_AEAD 0x00000008L /* Bits for |algorithm_prf| (handshake digest). */ #define SSL_HANDSHAKE_MAC_DEFAULT 0x1 diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c index 20b075e7..965c3c6d 100644 --- a/ssl/ssl_cipher.c +++ b/ssl/ssl_cipher.c @@ -678,7 +678,6 @@ static const CIPHER_ALIAS kCipherAliases[] = { 0}, /* MAC aliases */ - {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0}, {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, @@ -1473,7 +1472,7 @@ int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) { } int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) { - return (cipher->algorithm_mac & SSL_MD5) != 0; + return 0; } int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) { @@ -1627,15 +1626,10 @@ static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) { static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) { switch (cipher->algorithm_prf) { case SSL_HANDSHAKE_MAC_DEFAULT: - /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is - * only ever MD5 or SHA-1. */ - switch (cipher->algorithm_mac) { - case SSL_MD5: - return "MD5"; - case SSL_SHA1: - return "SHA"; - } - break; + /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which + * is SHA-1 for all supported ciphers. */ + assert(cipher->algorithm_mac == SSL_SHA1); + return "SHA"; case SSL_HANDSHAKE_MAC_SHA256: return "SHA256"; case SSL_HANDSHAKE_MAC_SHA384: @@ -1824,10 +1818,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, } switch (alg_mac) { - case SSL_MD5: - mac = "MD5"; - break; - case SSL_SHA1: mac = "SHA1"; break; @@ -1917,19 +1907,9 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { return 0; } - size_t mac_len; - switch (cipher->algorithm_mac) { - case SSL_MD5: - mac_len = MD5_DIGEST_LENGTH; - break; - case SSL_SHA1: - mac_len = SHA_DIGEST_LENGTH; - break; - default: - return 0; - } - - size_t ret = 1 + mac_len; + /* All supported TLS 1.0 ciphers use SHA-1. */ + assert(cipher->algorithm_mac == SSL_SHA1); + size_t ret = 1 + SHA_DIGEST_LENGTH; ret += block_size - (ret % block_size); return ret; }