diff options
| -rw-r--r-- | lib/libssl/d1_clnt.c | 4 | ||||
| -rw-r--r-- | lib/libssl/d1_srvr.c | 5 | ||||
| -rw-r--r-- | lib/libssl/s3_clnt.c | 19 | ||||
| -rw-r--r-- | lib/libssl/s3_lib.c | 7 | ||||
| -rw-r--r-- | lib/libssl/s3_srvr.c | 8 | ||||
| -rw-r--r-- | lib/libssl/ssl_ciph.c | 48 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 18 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 9 |
8 files changed, 27 insertions, 91 deletions
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index 471871ff465..0cc4016d114 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.34 2014/08/10 14:42:55 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -982,7 +982,7 @@ dtls1_send_client_key_exchange(SSL *s) s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & SSL_kDHE) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert->peer_dh_tmp != NULL) diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index 4532a07da5c..051d1e1ccf6 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.37 2014/08/24 14:36:45 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.38 2014/09/07 12:16:23 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -462,8 +462,7 @@ dtls1_accept(SSL *s) /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) - || (alg_k & SSL_kECDHE) + || (alg_k & (SSL_kDHE|SSL_kECDHE)) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL ) diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 9ccc67acb94..bbe2b913921 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.89 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1329,11 +1329,6 @@ ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_dh_tmp = dh; dh = NULL; - } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, - SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); - goto f_err; } else if (alg_k & SSL_kECDHE) { EC_GROUP *ngroup; const EC_GROUP *group; @@ -2006,7 +2001,7 @@ ssl3_send_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret( s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & SSL_kDHE) { DH *dh_srvr, *dh_clnt; if (s->session->sess_cert == NULL) { @@ -2611,7 +2606,7 @@ ssl3_check_cert_and_algorithm(SSL *s) alg_a = s->s3->tmp.new_cipher->algorithm_auth; /* We don't have a certificate. */ - if (alg_a & (SSL_aDH|SSL_aNULL)) + if (alg_a & SSL_aNULL) return (1); sc = s->session->sess_cert; @@ -2664,14 +2659,6 @@ ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY); goto f_err; - } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DH_RSA_CERT); - goto f_err; - } else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_DH_DSA_CERT); - goto f_err; } return (1); diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 8d03512a264..d8b923afd4a 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.79 2014/08/24 14:36:45 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2610,12 +2610,11 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif - if (alg_k & (SSL_kDHr|SSL_kDHE)) { + if (alg_k & SSL_kDHE) { p[ret++] = SSL3_CT_RSA_FIXED_DH; p[ret++] = SSL3_CT_DSS_FIXED_DH; } - if ((s->version == SSL3_VERSION) && - (alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) { + if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) { p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; } diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 597ddd43105..7ff3de77f33 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.82 2014/08/24 14:36:45 jsing Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.83 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -420,8 +420,7 @@ ssl3_accept(SSL *s) * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp || - (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) || - (alg_k & SSL_kECDHE) || + (alg_k & (SSL_kDHE|SSL_kECDHE)) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))) { @@ -1967,8 +1966,7 @@ ssl3_get_client_key_exchange(SSL *s) s->session->master_key, p, i); OPENSSL_cleanse(p, i); - } else - if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { + } else if (alg_k & SSL_kDHE) { if (2 > n) goto truncated; n2s(p, i); diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 70c91bf6007..701d0f2277e 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_mkey = SSL_kRSA, }, { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDHr, - .algorithm_mkey = SSL_kDHr, - }, - { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDHd, - .algorithm_mkey = SSL_kDHd, - }, - { - /* no such ciphersuites supported! */ - .name = SSL_TXT_kDH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd, - }, - { .name = SSL_TXT_kEDH, .algorithm_mkey = SSL_kDHE, }, { .name = SSL_TXT_DH, - .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, + .algorithm_mkey = SSL_kDHE, }, { @@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = { .algorithm_auth = SSL_aNULL, }, { - /* no such ciphersuites supported! */ - .name = SSL_TXT_aDH, - .algorithm_auth = SSL_aDH, - }, - { .name = SSL_TXT_aECDH, .algorithm_auth = SSL_aECDH, }, @@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, } static void -ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) +ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, + unsigned long *enc, unsigned long *mac, unsigned long *ssl) { *mkey = 0; *auth = 0; @@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *mac = 0; *ssl = 0; - *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ - *auth |= SSL_aDH; - - /* Check for presence of GOST 34.10 algorithms, and if they - * do not present, disable appropriate auth and key exchange */ + /* + * Check for presence of GOST 34.10 algorithms, and if they + * do not present, disable appropriate auth and key exchange. + */ if (!get_optional_pkey_id("gost94")) { *auth |= SSL_aGOST94; } if (!get_optional_pkey_id("gost2001")) { *auth |= SSL_aGOST01; } - /* Disable GOST key exchange if no GOST signature algs are available * */ + /* Disable GOST key exchange if no GOST signature algs are available. */ if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { *mkey |= SSL_kGOST; } @@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Move ciphers without forward secrecy to the end */ ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); /* RC4 is sort-of broken -- move the the end */ @@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kRSA: kx = "RSA"; break; - case SSL_kDHr: - kx = "DH/RSA"; - break; - case SSL_kDHd: - kx = "DH/DSS"; - break; case SSL_kDHE: kx = "DH"; break; @@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aDSS: au = "DSS"; break; - case SSL_aDH: - au = "DH"; - break; case SSL_aECDH: au = "ECDH"; break; diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index fad600a07eb..bd5f9f6da14 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.83 2014/08/24 14:36:45 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.84 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1929,7 +1929,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { CERT_PKEY *cpk; - int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; + int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; int have_ecc_cert, ecdh_ok, ecdsa_ok; int have_ecdh_tmp; @@ -1950,11 +1950,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); - dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ - dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_ECC]); have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); mask_k = 0; @@ -1977,12 +1973,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (dh_tmp) mask_k|=SSL_kDHE; - if (dh_rsa) - mask_k|=SSL_kDHr; - - if (dh_dsa) - mask_k|=SSL_kDHd; - if (rsa_enc || rsa_sign) mask_a|=SSL_aRSA; @@ -2124,10 +2114,6 @@ ssl_get_server_send_pkey(const SSL *s) i = SSL_PKEY_ECC; } else if (alg_a & SSL_aECDSA) { i = SSL_PKEY_ECC; - } else if (alg_k & SSL_kDHr) { - i = SSL_PKEY_DH_RSA; - } else if (alg_k & SSL_kDHd) { - i = SSL_PKEY_DH_DSA; } else if (alg_a & SSL_aDSS) { i = SSL_PKEY_DSA_SIGN; } else if (alg_a & SSL_aRSA) { diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index ec8f0fb7226..7c1aef68b14 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.67 2014/08/24 14:36:46 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.68 2014/09/07 12:16:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -254,8 +254,6 @@ /* Bits for algorithm_mkey (key exchange algorithm) */ #define SSL_kRSA 0x00000001L /* RSA key exchange */ -#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */ -#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */ #define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ #define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ #define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ @@ -266,11 +264,10 @@ #define SSL_aRSA 0x00000001L /* RSA auth */ #define SSL_aDSS 0x00000002L /* DSS auth */ #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ -#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */ #define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ #define SSL_aECDSA 0x00000040L /* ECDSA auth*/ -#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ -#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ +#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ +#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ /* Bits for algorithm_enc (symmetric encryption) */ |