mirror of
https://github.com/openbsd/src.git
synced 2025-01-10 06:47:55 -08:00
Remove support for DSS/DSA, since we removed the cipher suites a while
back. ok guenther@
This commit is contained in:
jsing
parent
9234d803cf
commit
4722f98804
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
|
||||
/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -2460,14 +2460,10 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb)
|
||||
if ((alg_k & SSL_kDHE) != 0) {
|
||||
if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
|
||||
return 0;
|
||||
if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
|
||||
return 0;
|
||||
if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* ECDSA certs can be used with RSA cipher suites as well
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_algs.c,v 1.26 2017/04/29 22:31:42 beck Exp $ */
|
||||
/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -112,10 +112,6 @@ SSL_library_init(void)
|
||||
EVP_add_digest(EVP_sha256());
|
||||
EVP_add_digest(EVP_sha384());
|
||||
EVP_add_digest(EVP_sha512());
|
||||
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
||||
EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
|
||||
EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
|
||||
EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
|
||||
EVP_add_digest(EVP_ecdsa());
|
||||
#ifndef OPENSSL_NO_GOST
|
||||
EVP_add_digest(EVP_gostr341194());
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_both.c,v 1.9 2017/05/07 04:22:24 beck Exp $ */
|
||||
/* $OpenBSD: ssl_both.c,v 1.10 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -568,8 +568,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
|
||||
i = pk->type;
|
||||
if (i == EVP_PKEY_RSA) {
|
||||
ret = SSL_PKEY_RSA_ENC;
|
||||
} else if (i == EVP_PKEY_DSA) {
|
||||
ret = SSL_PKEY_DSA_SIGN;
|
||||
} else if (i == EVP_PKEY_EC) {
|
||||
ret = SSL_PKEY_ECC;
|
||||
} else if (i == NID_id_GostR3410_2001 ||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_cert.c,v 1.65 2017/08/10 17:18:38 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_cert.c,v 1.66 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -162,7 +162,6 @@ static void
|
||||
ssl_cert_set_default_md(CERT *cert)
|
||||
{
|
||||
/* Set digest values to defaults */
|
||||
cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
|
||||
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
|
||||
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
|
||||
cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
|
||||
@ -267,12 +266,7 @@ ssl_cert_dup(CERT *cert)
|
||||
/* We have an RSA key. */
|
||||
break;
|
||||
|
||||
case SSL_PKEY_DSA_SIGN:
|
||||
/* We have a DSA key. */
|
||||
break;
|
||||
|
||||
case SSL_PKEY_DH_RSA:
|
||||
case SSL_PKEY_DH_DSA:
|
||||
/* We have a DH key. */
|
||||
break;
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_clnt.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */
|
||||
/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -1162,8 +1162,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
|
||||
|
||||
if (alg_a & SSL_aRSA)
|
||||
*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
|
||||
else if (alg_a & SSL_aDSS)
|
||||
*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
|
||||
else
|
||||
/* XXX - Anonymous DH, so no certificate or pkey. */
|
||||
*pkey = NULL;
|
||||
@ -2395,16 +2393,6 @@ ssl3_send_client_verify(SSL *s)
|
||||
}
|
||||
s2n(u, p);
|
||||
n = u + 2;
|
||||
} else if (pkey->type == EVP_PKEY_DSA) {
|
||||
if (!DSA_sign(pkey->save_type,
|
||||
&(data[MD5_DIGEST_LENGTH]),
|
||||
SHA_DIGEST_LENGTH, &(p[2]),
|
||||
(unsigned int *)&j, pkey->pkey.dsa)) {
|
||||
SSLerror(s, ERR_R_DSA_LIB);
|
||||
goto err;
|
||||
}
|
||||
s2n(j, p);
|
||||
n = j + 2;
|
||||
} else if (pkey->type == EVP_PKEY_EC) {
|
||||
if (!ECDSA_sign(pkey->save_type,
|
||||
&(data[MD5_DIGEST_LENGTH]),
|
||||
@ -2593,13 +2581,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
|
||||
if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
|
||||
SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
|
||||
goto f_err;
|
||||
} else if ((alg_a & SSL_aDSS) &&
|
||||
!has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
|
||||
SSLerror(s, SSL_R_MISSING_DSA_SIGNING_CERT);
|
||||
goto f_err;
|
||||
}
|
||||
if ((alg_k & SSL_kRSA) &&
|
||||
!has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
|
||||
if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
|
||||
SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_lib.c,v 1.165 2017/08/11 21:06:52 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -2041,7 +2041,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
|
||||
void
|
||||
ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
{
|
||||
int rsa_enc, rsa_sign, dh_tmp, dsa_sign;
|
||||
int rsa_enc, rsa_sign, dh_tmp;
|
||||
int have_ecc_cert;
|
||||
unsigned long mask_k, mask_a;
|
||||
X509 *x = NULL;
|
||||
@ -2057,8 +2057,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
|
||||
rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
|
||||
dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_ECC]);
|
||||
have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
|
||||
@ -2080,9 +2078,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
if (rsa_enc || rsa_sign)
|
||||
mask_a |= SSL_aRSA;
|
||||
|
||||
if (dsa_sign)
|
||||
mask_a |= SSL_aDSS;
|
||||
|
||||
mask_a |= SSL_aNULL;
|
||||
|
||||
/*
|
||||
@ -2159,8 +2154,6 @@ ssl_get_server_send_pkey(const SSL *s)
|
||||
|
||||
if (alg_a & SSL_aECDSA) {
|
||||
i = SSL_PKEY_ECC;
|
||||
} else if (alg_a & SSL_aDSS) {
|
||||
i = SSL_PKEY_DSA_SIGN;
|
||||
} else if (alg_a & SSL_aRSA) {
|
||||
if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
|
||||
i = SSL_PKEY_RSA_SIGN;
|
||||
@ -2197,10 +2190,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
|
||||
alg_a = cipher->algorithm_auth;
|
||||
c = s->cert;
|
||||
|
||||
if ((alg_a & SSL_aDSS) &&
|
||||
(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
|
||||
idx = SSL_PKEY_DSA_SIGN;
|
||||
else if (alg_a & SSL_aRSA) {
|
||||
if (alg_a & SSL_aRSA) {
|
||||
if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
|
||||
idx = SSL_PKEY_RSA_SIGN;
|
||||
else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_locl.h,v 1.187 2017/08/11 20:14:13 doug Exp $ */
|
||||
/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -341,15 +341,12 @@ __BEGIN_HIDDEN_DECLS
|
||||
#define SSL_USE_TLS1_2_CIPHERS(s) \
|
||||
(s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
|
||||
|
||||
/* Mostly for SSLv3 */
|
||||
#define SSL_PKEY_RSA_ENC 0
|
||||
#define SSL_PKEY_RSA_SIGN 1
|
||||
#define SSL_PKEY_DSA_SIGN 2
|
||||
#define SSL_PKEY_DH_RSA 3
|
||||
#define SSL_PKEY_DH_DSA 4
|
||||
#define SSL_PKEY_ECC 5
|
||||
#define SSL_PKEY_GOST01 6
|
||||
#define SSL_PKEY_NUM 7
|
||||
#define SSL_PKEY_DH_RSA 2
|
||||
#define SSL_PKEY_ECC 3
|
||||
#define SSL_PKEY_GOST01 4
|
||||
#define SSL_PKEY_NUM 5
|
||||
|
||||
#define SSL_MAX_EMPTY_RECORDS 32
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -2256,17 +2256,6 @@ ssl3_get_cert_verify(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
} else
|
||||
if (pkey->type == EVP_PKEY_DSA) {
|
||||
j = DSA_verify(pkey->save_type,
|
||||
&(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
|
||||
SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
|
||||
if (j <= 0) {
|
||||
/* bad signature */
|
||||
al = SSL_AD_DECRYPT_ERROR;
|
||||
SSLerror(s, SSL_R_BAD_DSA_SIGNATURE);
|
||||
goto f_err;
|
||||
}
|
||||
} else
|
||||
if (pkey->type == EVP_PKEY_EC) {
|
||||
j = ECDSA_verify(pkey->save_type,
|
||||
&(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: t1_lib.c,v 1.126 2017/08/11 20:14:13 doug Exp $ */
|
||||
/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -631,18 +631,15 @@ tls1_check_ec_tmp_key(SSL *s)
|
||||
|
||||
static unsigned char tls12_sigalgs[] = {
|
||||
TLSEXT_hash_sha512, TLSEXT_signature_rsa,
|
||||
TLSEXT_hash_sha512, TLSEXT_signature_dsa,
|
||||
TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
|
||||
#ifndef OPENSSL_NO_GOST
|
||||
TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
|
||||
#endif
|
||||
|
||||
TLSEXT_hash_sha384, TLSEXT_signature_rsa,
|
||||
TLSEXT_hash_sha384, TLSEXT_signature_dsa,
|
||||
TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
|
||||
|
||||
TLSEXT_hash_sha256, TLSEXT_signature_rsa,
|
||||
TLSEXT_hash_sha256, TLSEXT_signature_dsa,
|
||||
TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
|
||||
|
||||
#ifndef OPENSSL_NO_GOST
|
||||
@ -651,11 +648,9 @@ static unsigned char tls12_sigalgs[] = {
|
||||
#endif
|
||||
|
||||
TLSEXT_hash_sha224, TLSEXT_signature_rsa,
|
||||
TLSEXT_hash_sha224, TLSEXT_signature_dsa,
|
||||
TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
|
||||
|
||||
TLSEXT_hash_sha1, TLSEXT_signature_rsa,
|
||||
TLSEXT_hash_sha1, TLSEXT_signature_dsa,
|
||||
TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
|
||||
};
|
||||
|
||||
@ -1932,7 +1927,6 @@ static tls12_lookup tls12_md[] = {
|
||||
|
||||
static tls12_lookup tls12_sig[] = {
|
||||
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
||||
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
|
||||
{EVP_PKEY_EC, TLSEXT_signature_ecdsa},
|
||||
{EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
|
||||
};
|
||||
@ -2020,7 +2014,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
|
||||
|
||||
CBS_init(&cbs, data, dsize);
|
||||
|
||||
c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
|
||||
c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
|
||||
c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
|
||||
c->pkeys[SSL_PKEY_ECC].digest = NULL;
|
||||
@ -2039,9 +2032,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
|
||||
case TLSEXT_signature_rsa:
|
||||
idx = SSL_PKEY_RSA_SIGN;
|
||||
break;
|
||||
case TLSEXT_signature_dsa:
|
||||
idx = SSL_PKEY_DSA_SIGN;
|
||||
break;
|
||||
case TLSEXT_signature_ecdsa:
|
||||
idx = SSL_PKEY_ECC;
|
||||
break;
|
||||
@ -2068,8 +2058,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
|
||||
/* Set any remaining keys to default values. NOTE: if alg is not
|
||||
* supported it stays as NULL.
|
||||
*/
|
||||
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
|
||||
c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
|
||||
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
|
||||
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
|
||||
c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
|
||||
|
||||
Loading…
Reference in New Issue
Block a user