author | Joel Sing <jsing@cvs.openbsd.org> | 2014-09-07 12:16:24 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-09-07 12:16:24 +0000 |
commit | c829d9c6024659a6ef1a28959b0d3f984d11ed7f (patch) | |
tree | 75b0b9c83fce604fe8ae06383d8d4e20045299b5 /lib/libssl/ssl_ciph.c | |
parent | 89099ea75c2e3ce3bbf36a3abc9f7df93e0ce9be (diff) |
Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.
ok guenther@
Diffstat (limited to 'lib/libssl/ssl_ciph.c')
-rw-r--r-- | lib/libssl/ssl_ciph.c | 48 |
1 files changed, 9 insertions, 39 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 70c91bf6007..701d0f2277e 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_mkey = SSL_kRSA, }, { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDHr, - .algorithm_mkey = SSL_kDHr, - }, - { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDHd, - .algorithm_mkey = SSL_kDHd, - }, - { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd, - }, - { .name = SSL_TXT_kEDH, .algorithm_mkey = SSL_kDHE, }, { .name = SSL_TXT_DH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, + .algorithm_mkey = SSL_kDHE, }, { @@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_auth = SSL_aNULL, }, { - /* no such ciphersuites supported! */ - .name = SSL_TXT_aDH, - .algorithm_auth = SSL_aDH, - }, - { .name = SSL_TXT_aECDH, .algorithm_auth = SSL_aECDH, }, @@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, } static void -ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) +ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, + unsigned long *enc, unsigned long *mac, unsigned long *ssl) { *mkey = 0; *auth = 0; 
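Review bot: In the `cipher_aliases[]` hunk at `@@ -249,27 +249,12 @@`, the `SSL_TXT_DH` entry now carries exactly the same mask as the `SSL_TXT_kEDH` entry just above it, and nothing in the table says so. A one-line comment on that entry, e.g. `/* Same mask as kEDH: ephemeral DH is the only DH key exchange left. */`, would stop a later reader from assuming `DH` still covers fixed-DH suites. This hunk and the one at `@@ -316,11 +301,6 @@` also drop the `SSL_TXT_kDHr`, `SSL_TXT_kDHd`, `SSL_TXT_kDH` and `SSL_TXT_aDH` aliases, so a configured cipher string that names one of them no longer matches any entry. How the rule parser treats an unrecognised keyword is not visible on this page, so it is worth confirming that such strings still produce the intended list, and recording the removal in the cipher-string documentation. The array starts and ends outside both hunks.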
@@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *mac = 0; *ssl = 0; - *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ - *auth |= SSL_aDH; - - /* Check for presence of GOST 34.10 algorithms, and if they - * do not present, disable appropriate auth and key exchange */ + /* + * Check for presence of GOST 34.10 algorithms, and if they + * do not present, disable appropriate auth and key exchange. + */ if (!get_optional_pkey_id("gost94")) { *auth |= SSL_aGOST94; } if (!get_optional_pkey_id("gost2001")) { *auth |= SSL_aGOST01; } - /* Disable GOST key exchange if no GOST signature algs are available * */ + /* Disable GOST key exchange if no GOST signature algs are available. */ if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { *mkey |= SSL_kGOST; } @@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Move ciphers without forward secrecy to the end */ ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); /* RC4 is sort-of broken -- move the the end */ @@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kRSA: kx = "RSA"; break; - case SSL_kDHr: - kx = "DH/RSA"; - break; - case SSL_kDHd: - kx = "DH/DSS"; - break; case SSL_kDHE: kx = "DH"; break; @@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aDSS: au = "DSS"; break; - case SSL_aDH: - au = "DH"; - break; case SSL_aECDH: au = "ECDH"; break; |
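Review bot: Dropping `*mkey |= SSL_kDHr|SSL_kDHd;` and `*auth |= SSL_aDH;` from `ssl_cipher_get_disabled()` removes the mask that kept any suite carrying those bits out of the cipher list, so exclusion now depends on no cipher table entry using them. The diffstat on this page is limited to `ssl_ciph.c`, so it cannot be seen whether the three constants are deleted from the header in the same commit. If they are, a stale reference fails at compile time; if they are not, keeping the two mask lines until they are would preserve the previous exclusion. Separately, the rewrapped comment still reads "if they do not present", and `if they are not present` would be the wording fix while the comment is being touched. The function begins in the previous hunk and continues past the end of this one.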