summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2017-08-12 02:55:22 +0000
committerjsing <>2017-08-12 02:55:22 +0000
commit6c1ad08ad5efc682da1effe59e647f7ac8cdb641 (patch)
tree772b4920210f4698c462169705fb8707d52beb22
parentb316f9f277648e3f7b8d4b8e8c5efe957a0fd85c (diff)
downloadopenbsd-6c1ad08ad5efc682da1effe59e647f7ac8cdb641.tar.gz
openbsd-6c1ad08ad5efc682da1effe59e647f7ac8cdb641.tar.bz2
openbsd-6c1ad08ad5efc682da1effe59e647f7ac8cdb641.zip
Remove support for DSS/DSA, since we removed the cipher suites a while
back. ok guenther@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c6
-rw-r--r--src/lib/libssl/ssl_algs.c6
-rw-r--r--src/lib/libssl/ssl_both.c4
-rw-r--r--src/lib/libssl/ssl_cert.c8
-rw-r--r--src/lib/libssl/ssl_clnt.c21
-rw-r--r--src/lib/libssl/ssl_lib.c16
-rw-r--r--src/lib/libssl/ssl_locl.h13
-rw-r--r--src/lib/libssl/ssl_srvr.c13
-rw-r--r--src/lib/libssl/t1_lib.c14
9 files changed, 16 insertions, 85 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index ad627d10d8..3a11d62893 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2460,14 +2460,10 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb)
2460 if ((alg_k & SSL_kDHE) != 0) { 2460 if ((alg_k & SSL_kDHE) != 0) {
2461 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH)) 2461 if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2462 return 0; 2462 return 0;
2463 if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
2464 return 0;
2465 } 2463 }
2466 2464
2467 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN)) 2465 if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
2468 return 0; 2466 return 0;
2469 if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
2470 return 0;
2471 2467
2472 /* 2468 /*
2473 * ECDSA certs can be used with RSA cipher suites as well 2469 * ECDSA certs can be used with RSA cipher suites as well
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index ca84891e72..b63f36b3f1 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_algs.c,v 1.26 2017/04/29 22:31:42 beck Exp $ */ 1/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -112,10 +112,6 @@ SSL_library_init(void)
112 EVP_add_digest(EVP_sha256()); 112 EVP_add_digest(EVP_sha256());
113 EVP_add_digest(EVP_sha384()); 113 EVP_add_digest(EVP_sha384());
114 EVP_add_digest(EVP_sha512()); 114 EVP_add_digest(EVP_sha512());
115 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
116 EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
117 EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
118 EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
119 EVP_add_digest(EVP_ecdsa()); 115 EVP_add_digest(EVP_ecdsa());
120#ifndef OPENSSL_NO_GOST 116#ifndef OPENSSL_NO_GOST
121 EVP_add_digest(EVP_gostr341194()); 117 EVP_add_digest(EVP_gostr341194());
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 4a724560f2..17f93f551b 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.9 2017/05/07 04:22:24 beck Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.10 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -568,8 +568,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
568 i = pk->type; 568 i = pk->type;
569 if (i == EVP_PKEY_RSA) { 569 if (i == EVP_PKEY_RSA) {
570 ret = SSL_PKEY_RSA_ENC; 570 ret = SSL_PKEY_RSA_ENC;
571 } else if (i == EVP_PKEY_DSA) {
572 ret = SSL_PKEY_DSA_SIGN;
573 } else if (i == EVP_PKEY_EC) { 571 } else if (i == EVP_PKEY_EC) {
574 ret = SSL_PKEY_ECC; 572 ret = SSL_PKEY_ECC;
575 } else if (i == NID_id_GostR3410_2001 || 573 } else if (i == NID_id_GostR3410_2001 ||
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 174441c70e..a244353b88 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.65 2017/08/10 17:18:38 jsing Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.66 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -162,7 +162,6 @@ static void
162ssl_cert_set_default_md(CERT *cert) 162ssl_cert_set_default_md(CERT *cert)
163{ 163{
164 /* Set digest values to defaults */ 164 /* Set digest values to defaults */
165 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
166 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 165 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
167 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 166 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
168 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 167 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
@@ -267,12 +266,7 @@ ssl_cert_dup(CERT *cert)
267 /* We have an RSA key. */ 266 /* We have an RSA key. */
268 break; 267 break;
269 268
270 case SSL_PKEY_DSA_SIGN:
271 /* We have a DSA key. */
272 break;
273
274 case SSL_PKEY_DH_RSA: 269 case SSL_PKEY_DH_RSA:
275 case SSL_PKEY_DH_DSA:
276 /* We have a DH key. */ 270 /* We have a DH key. */
277 break; 271 break;
278 272
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index a1745143f0..865c961db7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1162,8 +1162,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
1162 1162
1163 if (alg_a & SSL_aRSA) 1163 if (alg_a & SSL_aRSA)
1164 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1164 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1165 else if (alg_a & SSL_aDSS)
1166 *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1167 else 1165 else
1168 /* XXX - Anonymous DH, so no certificate or pkey. */ 1166 /* XXX - Anonymous DH, so no certificate or pkey. */
1169 *pkey = NULL; 1167 *pkey = NULL;
@@ -2395,16 +2393,6 @@ ssl3_send_client_verify(SSL *s)
2395 } 2393 }
2396 s2n(u, p); 2394 s2n(u, p);
2397 n = u + 2; 2395 n = u + 2;
2398 } else if (pkey->type == EVP_PKEY_DSA) {
2399 if (!DSA_sign(pkey->save_type,
2400 &(data[MD5_DIGEST_LENGTH]),
2401 SHA_DIGEST_LENGTH, &(p[2]),
2402 (unsigned int *)&j, pkey->pkey.dsa)) {
2403 SSLerror(s, ERR_R_DSA_LIB);
2404 goto err;
2405 }
2406 s2n(j, p);
2407 n = j + 2;
2408 } else if (pkey->type == EVP_PKEY_EC) { 2396 } else if (pkey->type == EVP_PKEY_EC) {
2409 if (!ECDSA_sign(pkey->save_type, 2397 if (!ECDSA_sign(pkey->save_type,
2410 &(data[MD5_DIGEST_LENGTH]), 2398 &(data[MD5_DIGEST_LENGTH]),
@@ -2593,13 +2581,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
2593 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { 2581 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2594 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT); 2582 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
2595 goto f_err; 2583 goto f_err;
2596 } else if ((alg_a & SSL_aDSS) &&
2597 !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
2598 SSLerror(s, SSL_R_MISSING_DSA_SIGNING_CERT);
2599 goto f_err;
2600 } 2584 }
2601 if ((alg_k & SSL_kRSA) && 2585 if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2602 !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2603 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2586 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2604 goto f_err; 2587 goto f_err;
2605 } 2588 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6e555898ad..de78ad2fcf 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.165 2017/08/11 21:06:52 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2041,7 +2041,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
2041void 2041void
2042ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) 2042ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2043{ 2043{
2044 int rsa_enc, rsa_sign, dh_tmp, dsa_sign; 2044 int rsa_enc, rsa_sign, dh_tmp;
2045 int have_ecc_cert; 2045 int have_ecc_cert;
2046 unsigned long mask_k, mask_a; 2046 unsigned long mask_k, mask_a;
2047 X509 *x = NULL; 2047 X509 *x = NULL;
@@ -2057,8 +2057,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2057 rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); 2057 rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
2058 cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); 2058 cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
2059 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); 2059 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
2060 cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
2061 dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
2062 cpk = &(c->pkeys[SSL_PKEY_ECC]); 2060 cpk = &(c->pkeys[SSL_PKEY_ECC]);
2063 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); 2061 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
2064 2062
@@ -2080,9 +2078,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2080 if (rsa_enc || rsa_sign) 2078 if (rsa_enc || rsa_sign)
2081 mask_a |= SSL_aRSA; 2079 mask_a |= SSL_aRSA;
2082 2080
2083 if (dsa_sign)
2084 mask_a |= SSL_aDSS;
2085
2086 mask_a |= SSL_aNULL; 2081 mask_a |= SSL_aNULL;
2087 2082
2088 /* 2083 /*
@@ -2159,8 +2154,6 @@ ssl_get_server_send_pkey(const SSL *s)
2159 2154
2160 if (alg_a & SSL_aECDSA) { 2155 if (alg_a & SSL_aECDSA) {
2161 i = SSL_PKEY_ECC; 2156 i = SSL_PKEY_ECC;
2162 } else if (alg_a & SSL_aDSS) {
2163 i = SSL_PKEY_DSA_SIGN;
2164 } else if (alg_a & SSL_aRSA) { 2157 } else if (alg_a & SSL_aRSA) {
2165 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) 2158 if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
2166 i = SSL_PKEY_RSA_SIGN; 2159 i = SSL_PKEY_RSA_SIGN;
@@ -2197,10 +2190,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
2197 alg_a = cipher->algorithm_auth; 2190 alg_a = cipher->algorithm_auth;
2198 c = s->cert; 2191 c = s->cert;
2199 2192
2200 if ((alg_a & SSL_aDSS) && 2193 if (alg_a & SSL_aRSA) {
2201 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2202 idx = SSL_PKEY_DSA_SIGN;
2203 else if (alg_a & SSL_aRSA) {
2204 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 2194 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2205 idx = SSL_PKEY_RSA_SIGN; 2195 idx = SSL_PKEY_RSA_SIGN;
2206 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 2196 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 52e4b6c5e9..6f9be12fa7 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.187 2017/08/11 20:14:13 doug Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -341,15 +341,12 @@ __BEGIN_HIDDEN_DECLS
341#define SSL_USE_TLS1_2_CIPHERS(s) \ 341#define SSL_USE_TLS1_2_CIPHERS(s) \
342 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) 342 (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
343 343
344/* Mostly for SSLv3 */
345#define SSL_PKEY_RSA_ENC 0 344#define SSL_PKEY_RSA_ENC 0
346#define SSL_PKEY_RSA_SIGN 1 345#define SSL_PKEY_RSA_SIGN 1
347#define SSL_PKEY_DSA_SIGN 2 346#define SSL_PKEY_DH_RSA 2
348#define SSL_PKEY_DH_RSA 3 347#define SSL_PKEY_ECC 3
349#define SSL_PKEY_DH_DSA 4 348#define SSL_PKEY_GOST01 4
350#define SSL_PKEY_ECC 5 349#define SSL_PKEY_NUM 5
351#define SSL_PKEY_GOST01 6
352#define SSL_PKEY_NUM 7
353 350
354#define SSL_MAX_EMPTY_RECORDS 32 351#define SSL_MAX_EMPTY_RECORDS 32
355 352
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index e370b7571c..a21039e727 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2256,17 +2256,6 @@ ssl3_get_cert_verify(SSL *s)
2256 goto f_err; 2256 goto f_err;
2257 } 2257 }
2258 } else 2258 } else
2259 if (pkey->type == EVP_PKEY_DSA) {
2260 j = DSA_verify(pkey->save_type,
2261 &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2262 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
2263 if (j <= 0) {
2264 /* bad signature */
2265 al = SSL_AD_DECRYPT_ERROR;
2266 SSLerror(s, SSL_R_BAD_DSA_SIGNATURE);
2267 goto f_err;
2268 }
2269 } else
2270 if (pkey->type == EVP_PKEY_EC) { 2259 if (pkey->type == EVP_PKEY_EC) {
2271 j = ECDSA_verify(pkey->save_type, 2260 j = ECDSA_verify(pkey->save_type,
2272 &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2261 &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 4983ad27fa..3e5133ab54 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.126 2017/08/11 20:14:13 doug Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -631,18 +631,15 @@ tls1_check_ec_tmp_key(SSL *s)
631 631
632static unsigned char tls12_sigalgs[] = { 632static unsigned char tls12_sigalgs[] = {
633 TLSEXT_hash_sha512, TLSEXT_signature_rsa, 633 TLSEXT_hash_sha512, TLSEXT_signature_rsa,
634 TLSEXT_hash_sha512, TLSEXT_signature_dsa,
635 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, 634 TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
636#ifndef OPENSSL_NO_GOST 635#ifndef OPENSSL_NO_GOST
637 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, 636 TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
638#endif 637#endif
639 638
640 TLSEXT_hash_sha384, TLSEXT_signature_rsa, 639 TLSEXT_hash_sha384, TLSEXT_signature_rsa,
641 TLSEXT_hash_sha384, TLSEXT_signature_dsa,
642 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, 640 TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
643 641
644 TLSEXT_hash_sha256, TLSEXT_signature_rsa, 642 TLSEXT_hash_sha256, TLSEXT_signature_rsa,
645 TLSEXT_hash_sha256, TLSEXT_signature_dsa,
646 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, 643 TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
647 644
648#ifndef OPENSSL_NO_GOST 645#ifndef OPENSSL_NO_GOST
@@ -651,11 +648,9 @@ static unsigned char tls12_sigalgs[] = {
651#endif 648#endif
652 649
653 TLSEXT_hash_sha224, TLSEXT_signature_rsa, 650 TLSEXT_hash_sha224, TLSEXT_signature_rsa,
654 TLSEXT_hash_sha224, TLSEXT_signature_dsa,
655 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, 651 TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
656 652
657 TLSEXT_hash_sha1, TLSEXT_signature_rsa, 653 TLSEXT_hash_sha1, TLSEXT_signature_rsa,
658 TLSEXT_hash_sha1, TLSEXT_signature_dsa,
659 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, 654 TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
660}; 655};
661 656
@@ -1932,7 +1927,6 @@ static tls12_lookup tls12_md[] = {
1932 1927
1933static tls12_lookup tls12_sig[] = { 1928static tls12_lookup tls12_sig[] = {
1934 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 1929 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
1935 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
1936 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, 1930 {EVP_PKEY_EC, TLSEXT_signature_ecdsa},
1937 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, 1931 {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
1938}; 1932};
@@ -2020,7 +2014,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2020 2014
2021 CBS_init(&cbs, data, dsize); 2015 CBS_init(&cbs, data, dsize);
2022 2016
2023 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2024 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; 2017 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2025 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; 2018 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2026 c->pkeys[SSL_PKEY_ECC].digest = NULL; 2019 c->pkeys[SSL_PKEY_ECC].digest = NULL;
@@ -2039,9 +2032,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2039 case TLSEXT_signature_rsa: 2032 case TLSEXT_signature_rsa:
2040 idx = SSL_PKEY_RSA_SIGN; 2033 idx = SSL_PKEY_RSA_SIGN;
2041 break; 2034 break;
2042 case TLSEXT_signature_dsa:
2043 idx = SSL_PKEY_DSA_SIGN;
2044 break;
2045 case TLSEXT_signature_ecdsa: 2035 case TLSEXT_signature_ecdsa:
2046 idx = SSL_PKEY_ECC; 2036 idx = SSL_PKEY_ECC;
2047 break; 2037 break;
@@ -2068,8 +2058,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2068 /* Set any remaining keys to default values. NOTE: if alg is not 2058 /* Set any remaining keys to default values. NOTE: if alg is not
2069 * supported it stays as NULL. 2059 * supported it stays as NULL.
2070 */ 2060 */
2071 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2072 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2073 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2061 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2074 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2062 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2075 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2063 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-01 13:43:49 +0000