diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-12 02:55:23 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-12 02:55:23 +0000 |
| commit | 07110562216eb7d7823ca7709246e63863d3c00d (patch) | |
| tree | 720a87c9e9c4bdb3e8211f4591186be795c30811 | |
| parent | 70a23fd70d70fb75e696969db524ce069e91c981 (diff) | |
Remove support for DSS/DSA, since we removed the cipher suites a while
back.
ok guenther@
| -rw-r--r-- | lib/libssl/s3_lib.c | 6 | ||||
| -rw-r--r-- | lib/libssl/ssl_algs.c | 6 | ||||
| -rw-r--r-- | lib/libssl/ssl_both.c | 4 | ||||
| -rw-r--r-- | lib/libssl/ssl_cert.c | 8 | ||||
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 21 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 16 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 13 | ||||
| -rw-r--r-- | lib/libssl/ssl_srvr.c | 13 | ||||
| -rw-r--r-- | lib/libssl/t1_lib.c | 14 |
9 files changed, 16 insertions, 85 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index ad627d10d81..3a11d628930 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2460,14 +2460,10 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) if ((alg_k & SSL_kDHE) != 0) { if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) return 0; - if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH)) - return 0; } if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) return 0; - if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN)) - return 0; /* * ECDSA certs can be used with RSA cipher suites as well diff --git a/lib/libssl/ssl_algs.c b/lib/libssl/ssl_algs.c index ca84891e72e..b63f36b3f10 100644 --- a/lib/libssl/ssl_algs.c +++ b/lib/libssl/ssl_algs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_algs.c,v 1.26 2017/04/29 22:31:42 beck Exp $ */ +/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -112,10 +112,6 @@ SSL_library_init(void) EVP_add_digest(EVP_sha256()); EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); - EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ - EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); - EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); - EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); EVP_add_digest(EVP_ecdsa()); #ifndef OPENSSL_NO_GOST EVP_add_digest(EVP_gostr341194()); diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c index 4a724560f24..17f93f551be 100644 --- a/lib/libssl/ssl_both.c +++ b/lib/libssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.9 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.10 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -568,8 +568,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey) i = pk->type; if (i == EVP_PKEY_RSA) { ret = SSL_PKEY_RSA_ENC; - } else if (i == EVP_PKEY_DSA) { - ret = SSL_PKEY_DSA_SIGN; } else if (i == EVP_PKEY_EC) { ret = SSL_PKEY_ECC; } else if (i == NID_id_GostR3410_2001 || diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index 174441c70e3..a244353b885 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.65 2017/08/10 17:18:38 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.66 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -162,7 +162,6 @@ static void ssl_cert_set_default_md(CERT *cert) { /* Set digest values to defaults */ - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); @@ -267,12 +266,7 @@ ssl_cert_dup(CERT *cert) /* We have an RSA key. */ break; - case SSL_PKEY_DSA_SIGN: - /* We have a DSA key. */ - break; - case SSL_PKEY_DH_RSA: - case SSL_PKEY_DH_DSA: /* We have a DH key. */ break; diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index a1745143f01..865c961db74 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1162,8 +1162,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) if (alg_a & SSL_aRSA) *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); - else if (alg_a & SSL_aDSS) - *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); else /* XXX - Anonymous DH, so no certificate or pkey. */ *pkey = NULL; @@ -2395,16 +2393,6 @@ ssl3_send_client_verify(SSL *s) } s2n(u, p); n = u + 2; - } else if (pkey->type == EVP_PKEY_DSA) { - if (!DSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, &(p[2]), - (unsigned int *)&j, pkey->pkey.dsa)) { - SSLerror(s, ERR_R_DSA_LIB); - goto err; - } - s2n(j, p); - n = j + 2; } else if (pkey->type == EVP_PKEY_EC) { if (!ECDSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]), @@ -2593,13 +2581,8 @@ ssl3_check_cert_and_algorithm(SSL *s) if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; - } else if ((alg_a & SSL_aDSS) && - !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { - SSLerror(s, SSL_R_MISSING_DSA_SIGNING_CERT); - goto f_err; } - if ((alg_k & SSL_kRSA) && - !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { + if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) { SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 6e555898ad5..de78ad2fcff 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.165 2017/08/11 21:06:52 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2041,7 +2041,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { - int rsa_enc, rsa_sign, dh_tmp, dsa_sign; + int rsa_enc, rsa_sign, dh_tmp; int have_ecc_cert; unsigned long mask_k, mask_a; X509 *x = NULL; @@ -2057,8 +2057,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_ECC]); have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); @@ -2080,9 +2078,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (rsa_enc || rsa_sign) mask_a |= SSL_aRSA; - if (dsa_sign) - mask_a |= SSL_aDSS; - mask_a |= SSL_aNULL; /* @@ -2159,8 +2154,6 @@ ssl_get_server_send_pkey(const SSL *s) if (alg_a & SSL_aECDSA) { i = SSL_PKEY_ECC; - } else if (alg_a & SSL_aDSS) { - i = SSL_PKEY_DSA_SIGN; } else if (alg_a & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) i = SSL_PKEY_RSA_SIGN; @@ -2197,10 +2190,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) alg_a = cipher->algorithm_auth; c = s->cert; - if ((alg_a & SSL_aDSS) && - (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) - idx = SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) { + if (alg_a & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) idx = SSL_PKEY_RSA_SIGN; else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 52e4b6c5e9b..6f9be12fa7c 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.187 2017/08/11 20:14:13 doug Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -341,15 +341,12 @@ __BEGIN_HIDDEN_DECLS #define SSL_USE_TLS1_2_CIPHERS(s) \ (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) -/* Mostly for SSLv3 */ #define SSL_PKEY_RSA_ENC 0 #define SSL_PKEY_RSA_SIGN 1 -#define SSL_PKEY_DSA_SIGN 2 -#define SSL_PKEY_DH_RSA 3 -#define SSL_PKEY_DH_DSA 4 -#define SSL_PKEY_ECC 5 -#define SSL_PKEY_GOST01 6 -#define SSL_PKEY_NUM 7 +#define SSL_PKEY_DH_RSA 2 +#define SSL_PKEY_ECC 3 +#define SSL_PKEY_GOST01 4 +#define SSL_PKEY_NUM 5 #define SSL_MAX_EMPTY_RECORDS 32 diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index e370b7571cd..a21039e7278 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2256,17 +2256,6 @@ ssl3_get_cert_verify(SSL *s) goto f_err; } } else - if (pkey->type == EVP_PKEY_DSA) { - j = DSA_verify(pkey->save_type, - &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa); - if (j <= 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerror(s, SSL_R_BAD_DSA_SIGNATURE); - goto f_err; - } - } else if (pkey->type == EVP_PKEY_EC) { j = ECDSA_verify(pkey->save_type, &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 4983ad27fa7..3e5133ab54c 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.126 2017/08/11 20:14:13 doug Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -631,18 +631,15 @@ tls1_check_ec_tmp_key(SSL *s) static unsigned char tls12_sigalgs[] = { TLSEXT_hash_sha512, TLSEXT_signature_rsa, - TLSEXT_hash_sha512, TLSEXT_signature_dsa, TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, #ifndef OPENSSL_NO_GOST TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, #endif TLSEXT_hash_sha384, TLSEXT_signature_rsa, - TLSEXT_hash_sha384, TLSEXT_signature_dsa, TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, TLSEXT_hash_sha256, TLSEXT_signature_rsa, - TLSEXT_hash_sha256, TLSEXT_signature_dsa, TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, #ifndef OPENSSL_NO_GOST @@ -651,11 +648,9 @@ static unsigned char tls12_sigalgs[] = { #endif TLSEXT_hash_sha224, TLSEXT_signature_rsa, - TLSEXT_hash_sha224, TLSEXT_signature_dsa, TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, TLSEXT_hash_sha1, TLSEXT_signature_rsa, - TLSEXT_hash_sha1, TLSEXT_signature_dsa, TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, }; @@ -1932,7 +1927,6 @@ static tls12_lookup tls12_md[] = { static tls12_lookup tls12_sig[] = { {EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_DSA, TLSEXT_signature_dsa}, {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, }; @@ -2020,7 +2014,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) CBS_init(&cbs, data, dsize); - c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL; c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; c->pkeys[SSL_PKEY_ECC].digest = NULL; @@ -2039,9 +2032,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) case TLSEXT_signature_rsa: idx = SSL_PKEY_RSA_SIGN; break; - case TLSEXT_signature_dsa: - idx = SSL_PKEY_DSA_SIGN; - break; case TLSEXT_signature_ecdsa: idx = SSL_PKEY_ECC; break; @@ -2068,8 +2058,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) /* Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. */ - if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); |