Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them. ok guenther@
parent
c91b5231ca
commit
c54199ea7f
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: d1_clnt.c,v 1.34 2014/08/10 14:42:55 jsing Exp $ */
|
||||
/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/*
|
||||
* DTLS implementation written by Nagendra Modadugu
|
||||
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
|
||||
@ -982,7 +982,7 @@ dtls1_send_client_key_exchange(SSL *s)
|
||||
s->session->master_key,
|
||||
tmp_buf, sizeof tmp_buf);
|
||||
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
|
||||
} else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
DH *dh_srvr, *dh_clnt;
|
||||
|
||||
if (s->session->sess_cert->peer_dh_tmp != NULL)
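Review bot: The DHE branch of `dtls1_send_client_key_exchange` reads `s->session->sess_cert->peer_dh_tmp` with no visible check that `sess_cert` is non-NULL, while the matching branch of `ssl3_send_client_key_exchange` in the s3_clnt.c section opens with `if (s->session->sess_cert == NULL) {`. A guard may exist earlier in the function, which starts and ends outside this hunk; if it does not, a handshake that reaches this branch with `sess_cert` unset dereferences NULL. Since the commit already rewrites this branch condition, it would be a natural place to add the same NULL check and error exit that the TLS client uses before the first `sess_cert->` access. The same applies to the second copy of this file's section further down the page.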
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: d1_srvr.c,v 1.37 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: d1_srvr.c,v 1.38 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/*
|
||||
* DTLS implementation written by Nagendra Modadugu
|
||||
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
|
||||
@ -462,8 +462,7 @@ dtls1_accept(SSL *s)
|
||||
/* only send if a DH key exchange or
|
||||
* RSA but we have a sign only certificate */
|
||||
if (s->s3->tmp.use_rsa_tmp
|
||||
|| (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd))
|
||||
|| (alg_k & SSL_kECDHE)
|
||||
|| (alg_k & (SSL_kDHE|SSL_kECDHE))
|
||||
|| ((alg_k & SSL_kRSA)
|
||||
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|
||||
)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
|
||||
/* $OpenBSD: s3_clnt.c,v 1.89 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -1329,11 +1329,6 @@ ssl3_get_key_exchange(SSL *s)
|
||||
|
||||
s->session->sess_cert->peer_dh_tmp = dh;
|
||||
dh = NULL;
|
||||
} else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
|
||||
al = SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
|
||||
SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
|
||||
goto f_err;
|
||||
} else if (alg_k & SSL_kECDHE) {
|
||||
EC_GROUP *ngroup;
|
||||
const EC_GROUP *group;
|
||||
@ -2006,7 +2001,7 @@ ssl3_send_client_key_exchange(SSL *s)
|
||||
s->method->ssl3_enc->generate_master_secret(
|
||||
s, s->session->master_key, tmp_buf, sizeof tmp_buf);
|
||||
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
|
||||
} else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
DH *dh_srvr, *dh_clnt;
|
||||
|
||||
if (s->session->sess_cert == NULL) {
|
||||
@ -2611,7 +2606,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
|
||||
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
||||
|
||||
/* We don't have a certificate. */
|
||||
if (alg_a & (SSL_aDH|SSL_aNULL))
|
||||
if (alg_a & SSL_aNULL)
|
||||
return (1);
|
||||
|
||||
sc = s->session->sess_cert;
|
||||
@ -2664,14 +2659,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_KEY);
|
||||
goto f_err;
|
||||
} else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_RSA_CERT);
|
||||
goto f_err;
|
||||
} else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_DSA_CERT);
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
return (1);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_lib.c,v 1.79 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -2610,12 +2610,11 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (alg_k & (SSL_kDHr|SSL_kDHE)) {
|
||||
if (alg_k & SSL_kDHE) {
|
||||
p[ret++] = SSL3_CT_RSA_FIXED_DH;
|
||||
p[ret++] = SSL3_CT_DSS_FIXED_DH;
|
||||
}
|
||||
if ((s->version == SSL3_VERSION) &&
|
||||
(alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) {
|
||||
if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) {
|
||||
p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
|
||||
p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
|
||||
}
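Review bot: In `ssl3_get_req_cert_type` the narrowed condition `if (alg_k & SSL_kDHE) {` still emits `SSL3_CT_RSA_FIXED_DH` and `SSL3_CT_DSS_FIXED_DH`, so a server on an ephemeral-DH suite keeps advertising fixed-DH client certificate types while the rest of the commit removes fixed-DH handling. Whether a client certificate of those types can still be processed is not visible in these hunks; if it cannot, the block should be dropped rather than narrowed, so the CertificateRequest lists only types the server can verify. If it is kept deliberately, a short comment above the `if` saying why fixed-DH types are still offered with DHE suites would prevent the next reader from treating it as an oversight. The function starts and ends outside the hunk, and the same applies to the second copy of this file's section further down the page.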
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_srvr.c,v 1.82 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: s3_srvr.c,v 1.83 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -420,8 +420,7 @@ ssl3_accept(SSL *s)
|
||||
* public key for key exchange.
|
||||
*/
|
||||
if (s->s3->tmp.use_rsa_tmp ||
|
||||
(alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) ||
|
||||
(alg_k & SSL_kECDHE) ||
|
||||
(alg_k & (SSL_kDHE|SSL_kECDHE)) ||
|
||||
((alg_k & SSL_kRSA) &&
|
||||
(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
|
||||
NULL))) {
|
||||
@ -1967,8 +1966,7 @@ ssl3_get_client_key_exchange(SSL *s)
|
||||
s->session->master_key,
|
||||
p, i);
|
||||
OPENSSL_cleanse(p, i);
|
||||
} else
|
||||
if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
if (2 > n)
|
||||
goto truncated;
|
||||
n2s(p, i);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: d1_clnt.c,v 1.34 2014/08/10 14:42:55 jsing Exp $ */
|
||||
/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/*
|
||||
* DTLS implementation written by Nagendra Modadugu
|
||||
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
|
||||
@ -982,7 +982,7 @@ dtls1_send_client_key_exchange(SSL *s)
|
||||
s->session->master_key,
|
||||
tmp_buf, sizeof tmp_buf);
|
||||
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
|
||||
} else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
DH *dh_srvr, *dh_clnt;
|
||||
|
||||
if (s->session->sess_cert->peer_dh_tmp != NULL)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: d1_srvr.c,v 1.37 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: d1_srvr.c,v 1.38 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/*
|
||||
* DTLS implementation written by Nagendra Modadugu
|
||||
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
|
||||
@ -462,8 +462,7 @@ dtls1_accept(SSL *s)
|
||||
/* only send if a DH key exchange or
|
||||
* RSA but we have a sign only certificate */
|
||||
if (s->s3->tmp.use_rsa_tmp
|
||||
|| (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd))
|
||||
|| (alg_k & SSL_kECDHE)
|
||||
|| (alg_k & (SSL_kDHE|SSL_kECDHE))
|
||||
|| ((alg_k & SSL_kRSA)
|
||||
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|
||||
)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
|
||||
/* $OpenBSD: s3_clnt.c,v 1.89 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -1329,11 +1329,6 @@ ssl3_get_key_exchange(SSL *s)
|
||||
|
||||
s->session->sess_cert->peer_dh_tmp = dh;
|
||||
dh = NULL;
|
||||
} else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
|
||||
al = SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
|
||||
SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
|
||||
goto f_err;
|
||||
} else if (alg_k & SSL_kECDHE) {
|
||||
EC_GROUP *ngroup;
|
||||
const EC_GROUP *group;
|
||||
@ -2006,7 +2001,7 @@ ssl3_send_client_key_exchange(SSL *s)
|
||||
s->method->ssl3_enc->generate_master_secret(
|
||||
s, s->session->master_key, tmp_buf, sizeof tmp_buf);
|
||||
OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
|
||||
} else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
DH *dh_srvr, *dh_clnt;
|
||||
|
||||
if (s->session->sess_cert == NULL) {
|
||||
@ -2611,7 +2606,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
|
||||
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
||||
|
||||
/* We don't have a certificate. */
|
||||
if (alg_a & (SSL_aDH|SSL_aNULL))
|
||||
if (alg_a & SSL_aNULL)
|
||||
return (1);
|
||||
|
||||
sc = s->session->sess_cert;
|
||||
@ -2664,14 +2659,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_KEY);
|
||||
goto f_err;
|
||||
} else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_RSA_CERT);
|
||||
goto f_err;
|
||||
} else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
|
||||
SSL_R_MISSING_DH_DSA_CERT);
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
return (1);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_lib.c,v 1.79 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -2610,12 +2610,11 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (alg_k & (SSL_kDHr|SSL_kDHE)) {
|
||||
if (alg_k & SSL_kDHE) {
|
||||
p[ret++] = SSL3_CT_RSA_FIXED_DH;
|
||||
p[ret++] = SSL3_CT_DSS_FIXED_DH;
|
||||
}
|
||||
if ((s->version == SSL3_VERSION) &&
|
||||
(alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) {
|
||||
if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) {
|
||||
p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
|
||||
p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: s3_srvr.c,v 1.82 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: s3_srvr.c,v 1.83 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -420,8 +420,7 @@ ssl3_accept(SSL *s)
|
||||
* public key for key exchange.
|
||||
*/
|
||||
if (s->s3->tmp.use_rsa_tmp ||
|
||||
(alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) ||
|
||||
(alg_k & SSL_kECDHE) ||
|
||||
(alg_k & (SSL_kDHE|SSL_kECDHE)) ||
|
||||
((alg_k & SSL_kRSA) &&
|
||||
(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
|
||||
NULL))) {
|
||||
@ -1967,8 +1966,7 @@ ssl3_get_client_key_exchange(SSL *s)
|
||||
s->session->master_key,
|
||||
p, i);
|
||||
OPENSSL_cleanse(p, i);
|
||||
} else
|
||||
if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
|
||||
} else if (alg_k & SSL_kDHE) {
|
||||
if (2 > n)
|
||||
goto truncated;
|
||||
n2s(p, i);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -248,28 +248,13 @@ static const SSL_CIPHER cipher_aliases[] = {
|
||||
.name = SSL_TXT_kRSA,
|
||||
.algorithm_mkey = SSL_kRSA,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDHr,
|
||||
.algorithm_mkey = SSL_kDHr,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDHd,
|
||||
.algorithm_mkey = SSL_kDHd,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDH,
|
||||
.algorithm_mkey = SSL_kDHr|SSL_kDHd,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_kEDH,
|
||||
.algorithm_mkey = SSL_kDHE,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_DH,
|
||||
.algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE,
|
||||
.algorithm_mkey = SSL_kDHE,
|
||||
},
|
||||
|
||||
{
|
||||
@ -315,11 +300,6 @@ static const SSL_CIPHER cipher_aliases[] = {
|
||||
.name = SSL_TXT_aNULL,
|
||||
.algorithm_auth = SSL_aNULL,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_aDH,
|
||||
.algorithm_auth = SSL_aDH,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_aECDH,
|
||||
.algorithm_auth = SSL_aECDH,
|
||||
@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
|
||||
}
|
||||
|
||||
static void
|
||||
ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
|
||||
ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
|
||||
unsigned long *enc, unsigned long *mac, unsigned long *ssl)
|
||||
{
|
||||
*mkey = 0;
|
||||
*auth = 0;
|
||||
@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
|
||||
*mac = 0;
|
||||
*ssl = 0;
|
||||
|
||||
*mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
|
||||
*auth |= SSL_aDH;
|
||||
|
||||
/* Check for presence of GOST 34.10 algorithms, and if they
|
||||
* do not present, disable appropriate auth and key exchange */
|
||||
/*
|
||||
* Check for presence of GOST 34.10 algorithms, and if they
|
||||
* do not present, disable appropriate auth and key exchange.
|
||||
*/
|
||||
if (!get_optional_pkey_id("gost94")) {
|
||||
*auth |= SSL_aGOST94;
|
||||
}
|
||||
if (!get_optional_pkey_id("gost2001")) {
|
||||
*auth |= SSL_aGOST01;
|
||||
}
|
||||
/* Disable GOST key exchange if no GOST signature algs are available * */
|
||||
/* Disable GOST key exchange if no GOST signature algs are available. */
|
||||
if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
|
||||
*mkey |= SSL_kGOST;
|
||||
}
|
||||
@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
/* Move ciphers without forward secrecy to the end */
|
||||
ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
|
||||
/* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
|
||||
ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
|
||||
|
||||
/* RC4 is sort-of broken -- move the the end */
|
||||
@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
case SSL_kRSA:
|
||||
kx = "RSA";
|
||||
break;
|
||||
case SSL_kDHr:
|
||||
kx = "DH/RSA";
|
||||
break;
|
||||
case SSL_kDHd:
|
||||
kx = "DH/DSS";
|
||||
break;
|
||||
case SSL_kDHE:
|
||||
kx = "DH";
|
||||
break;
|
||||
@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
case SSL_aDSS:
|
||||
au = "DSS";
|
||||
break;
|
||||
case SSL_aDH:
|
||||
au = "DH";
|
||||
break;
|
||||
case SSL_aECDH:
|
||||
au = "ECDH";
|
||||
break;
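Review bot: Removing the `SSL_TXT_kDHr`, `SSL_TXT_kDHd`, `SSL_TXT_kDH` and `SSL_TXT_aDH` entries from `cipher_aliases` changes how existing cipher strings parse, not only which suites they select. Until now a rule such as `!kDH` or `!aDH` resolved to an alias that matched nothing; the rule-string parser is outside these hunks, but if it treats an unknown keyword as an error, configurations carrying those exclusions would fail to apply, and callers that ignore the return value would silently run with a different cipher list. It would help to state this incompatibility in the commit message and to add a regression test that feeds a cipher string containing the removed keywords and checks the result. The `cipher_aliases` array starts and ends outside the hunk, and the same applies to the second copy of this file's section further down the page.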
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_lib.c,v 1.83 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_lib.c,v 1.84 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -1929,7 +1929,7 @@ void
|
||||
ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
{
|
||||
CERT_PKEY *cpk;
|
||||
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
|
||||
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign;
|
||||
unsigned long mask_k, mask_a;
|
||||
int have_ecc_cert, ecdh_ok, ecdsa_ok;
|
||||
int have_ecdh_tmp;
|
||||
@ -1950,11 +1950,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
|
||||
dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
|
||||
dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
|
||||
/* FIX THIS EAY EAY EAY */
|
||||
dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_ECC]);
|
||||
have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
mask_k = 0;
|
||||
@ -1977,12 +1973,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
if (dh_tmp)
|
||||
mask_k|=SSL_kDHE;
|
||||
|
||||
if (dh_rsa)
|
||||
mask_k|=SSL_kDHr;
|
||||
|
||||
if (dh_dsa)
|
||||
mask_k|=SSL_kDHd;
|
||||
|
||||
if (rsa_enc || rsa_sign)
|
||||
mask_a|=SSL_aRSA;
|
||||
|
||||
@ -2124,10 +2114,6 @@ ssl_get_server_send_pkey(const SSL *s)
|
||||
i = SSL_PKEY_ECC;
|
||||
} else if (alg_a & SSL_aECDSA) {
|
||||
i = SSL_PKEY_ECC;
|
||||
} else if (alg_k & SSL_kDHr) {
|
||||
i = SSL_PKEY_DH_RSA;
|
||||
} else if (alg_k & SSL_kDHd) {
|
||||
i = SSL_PKEY_DH_DSA;
|
||||
} else if (alg_a & SSL_aDSS) {
|
||||
i = SSL_PKEY_DSA_SIGN;
|
||||
} else if (alg_a & SSL_aRSA) {
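Review bot: After this change neither `ssl_set_cert_masks` nor `ssl_get_server_send_pkey` reads `c->pkeys[SSL_PKEY_DH_RSA]` or `c->pkeys[SSL_PKEY_DH_DSA]`, yet no hunk on this page removes the two slot indices. If the certificate-loading code still files DH certificates into those slots (not visible here), such a certificate would be accepted at configuration time and then never selected, which fails late and quietly. Consider rejecting DH certificates where they are loaded or removing the slots in a follow-up, and say which in the commit message. Both functions extend beyond their hunks, and the same applies to the second copy of this file's section further down the page.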
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_locl.h,v 1.67 2014/08/24 14:36:46 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_locl.h,v 1.68 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -254,8 +254,6 @@
|
||||
|
||||
/* Bits for algorithm_mkey (key exchange algorithm) */
|
||||
#define SSL_kRSA 0x00000001L /* RSA key exchange */
|
||||
#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
|
||||
#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
|
||||
#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
|
||||
#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
|
||||
#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
|
||||
@ -266,11 +264,10 @@
|
||||
#define SSL_aRSA 0x00000001L /* RSA auth */
|
||||
#define SSL_aDSS 0x00000002L /* DSS auth */
|
||||
#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
|
||||
#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
|
||||
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
|
||||
#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
|
||||
#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
|
||||
#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
|
||||
#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
|
||||
#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
|
||||
|
||||
|
||||
/* Bits for algorithm_enc (symmetric encryption) */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -248,28 +248,13 @@ static const SSL_CIPHER cipher_aliases[] = {
|
||||
.name = SSL_TXT_kRSA,
|
||||
.algorithm_mkey = SSL_kRSA,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDHr,
|
||||
.algorithm_mkey = SSL_kDHr,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDHd,
|
||||
.algorithm_mkey = SSL_kDHd,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_kDH,
|
||||
.algorithm_mkey = SSL_kDHr|SSL_kDHd,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_kEDH,
|
||||
.algorithm_mkey = SSL_kDHE,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_DH,
|
||||
.algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE,
|
||||
.algorithm_mkey = SSL_kDHE,
|
||||
},
|
||||
|
||||
{
|
||||
@ -315,11 +300,6 @@ static const SSL_CIPHER cipher_aliases[] = {
|
||||
.name = SSL_TXT_aNULL,
|
||||
.algorithm_auth = SSL_aNULL,
|
||||
},
|
||||
{
|
||||
/* no such ciphersuites supported! */
|
||||
.name = SSL_TXT_aDH,
|
||||
.algorithm_auth = SSL_aDH,
|
||||
},
|
||||
{
|
||||
.name = SSL_TXT_aECDH,
|
||||
.algorithm_auth = SSL_aECDH,
|
||||
@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
|
||||
}
|
||||
|
||||
static void
|
||||
ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
|
||||
ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
|
||||
unsigned long *enc, unsigned long *mac, unsigned long *ssl)
|
||||
{
|
||||
*mkey = 0;
|
||||
*auth = 0;
|
||||
@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
|
||||
*mac = 0;
|
||||
*ssl = 0;
|
||||
|
||||
*mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
|
||||
*auth |= SSL_aDH;
|
||||
|
||||
/* Check for presence of GOST 34.10 algorithms, and if they
|
||||
* do not present, disable appropriate auth and key exchange */
|
||||
/*
|
||||
* Check for presence of GOST 34.10 algorithms, and if they
|
||||
* do not present, disable appropriate auth and key exchange.
|
||||
*/
|
||||
if (!get_optional_pkey_id("gost94")) {
|
||||
*auth |= SSL_aGOST94;
|
||||
}
|
||||
if (!get_optional_pkey_id("gost2001")) {
|
||||
*auth |= SSL_aGOST01;
|
||||
}
|
||||
/* Disable GOST key exchange if no GOST signature algs are available * */
|
||||
/* Disable GOST key exchange if no GOST signature algs are available. */
|
||||
if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
|
||||
*mkey |= SSL_kGOST;
|
||||
}
|
||||
@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
|
||||
/* Move ciphers without forward secrecy to the end */
|
||||
ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
|
||||
/* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
|
||||
ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
|
||||
|
||||
/* RC4 is sort-of broken -- move the the end */
|
||||
@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
case SSL_kRSA:
|
||||
kx = "RSA";
|
||||
break;
|
||||
case SSL_kDHr:
|
||||
kx = "DH/RSA";
|
||||
break;
|
||||
case SSL_kDHd:
|
||||
kx = "DH/DSS";
|
||||
break;
|
||||
case SSL_kDHE:
|
||||
kx = "DH";
|
||||
break;
|
||||
@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
case SSL_aDSS:
|
||||
au = "DSS";
|
||||
break;
|
||||
case SSL_aDH:
|
||||
au = "DH";
|
||||
break;
|
||||
case SSL_aECDH:
|
||||
au = "ECDH";
|
||||
break;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_lib.c,v 1.83 2014/08/24 14:36:45 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_lib.c,v 1.84 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -1929,7 +1929,7 @@ void
|
||||
ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
{
|
||||
CERT_PKEY *cpk;
|
||||
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
|
||||
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign;
|
||||
unsigned long mask_k, mask_a;
|
||||
int have_ecc_cert, ecdh_ok, ecdsa_ok;
|
||||
int have_ecdh_tmp;
|
||||
@ -1950,11 +1950,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
|
||||
dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
|
||||
dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
|
||||
/* FIX THIS EAY EAY EAY */
|
||||
dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
cpk = &(c->pkeys[SSL_PKEY_ECC]);
|
||||
have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
|
||||
mask_k = 0;
|
||||
@ -1977,12 +1973,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
||||
if (dh_tmp)
|
||||
mask_k|=SSL_kDHE;
|
||||
|
||||
if (dh_rsa)
|
||||
mask_k|=SSL_kDHr;
|
||||
|
||||
if (dh_dsa)
|
||||
mask_k|=SSL_kDHd;
|
||||
|
||||
if (rsa_enc || rsa_sign)
|
||||
mask_a|=SSL_aRSA;
|
||||
|
||||
@ -2124,10 +2114,6 @@ ssl_get_server_send_pkey(const SSL *s)
|
||||
i = SSL_PKEY_ECC;
|
||||
} else if (alg_a & SSL_aECDSA) {
|
||||
i = SSL_PKEY_ECC;
|
||||
} else if (alg_k & SSL_kDHr) {
|
||||
i = SSL_PKEY_DH_RSA;
|
||||
} else if (alg_k & SSL_kDHd) {
|
||||
i = SSL_PKEY_DH_DSA;
|
||||
} else if (alg_a & SSL_aDSS) {
|
||||
i = SSL_PKEY_DSA_SIGN;
|
||||
} else if (alg_a & SSL_aRSA) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssl_locl.h,v 1.67 2014/08/24 14:36:46 jsing Exp $ */
|
||||
/* $OpenBSD: ssl_locl.h,v 1.68 2014/09/07 12:16:23 jsing Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -254,8 +254,6 @@
|
||||
|
||||
/* Bits for algorithm_mkey (key exchange algorithm) */
|
||||
#define SSL_kRSA 0x00000001L /* RSA key exchange */
|
||||
#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
|
||||
#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
|
||||
#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
|
||||
#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
|
||||
#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
|
||||
@ -266,11 +264,10 @@
|
||||
#define SSL_aRSA 0x00000001L /* RSA auth */
|
||||
#define SSL_aDSS 0x00000002L /* DSS auth */
|
||||
#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
|
||||
#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
|
||||
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
|
||||
#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
|
||||
#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
|
||||
#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
|
||||
#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
|
||||
#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
|
||||
|
||||
|
||||
/* Bits for algorithm_enc (symmetric encryption) */
|
||||
|