diff options
| author | jsing <> | 2014-12-07 12:13:06 +0000 |
|---|---|---|
| committer | jsing <> | 2014-12-07 12:13:06 +0000 |
| commit | b759fe3ab5f3e3c7e5ea4d3710d752edf8150ee1 (patch) | |
| tree | 380972b4033294347e6b27f3179c413c57c94cdb | |
| parent | 746356de14b9f9c1fbb46d3189f4b3c050b94086 (diff) | |
| download | openbsd-b759fe3ab5f3e3c7e5ea4d3710d752edf8150ee1.tar.gz openbsd-b759fe3ab5f3e3c7e5ea4d3710d752edf8150ee1.tar.bz2 openbsd-b759fe3ab5f3e3c7e5ea4d3710d752edf8150ee1.zip | |
Remove get_optional_pkey_id() - it is a hack that existed due to GOST
only sometimes being available... and when it was available it was via
the crypto engine. GOST is now part of libcrypto proper.
Instead of trying to do EVP PKEY lookups via string literals and the
ASN1 interfaces, lookup the methods directly using the appropriate NID.
ok bcook@
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_ciph.c | 54 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 54 |
2 files changed, 16 insertions, 92 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 2b64eb7a9a..72f774e7a9 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.76 2014/12/06 15:27:45 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -488,42 +488,6 @@ static const SSL_CIPHER cipher_aliases[] = { | |||
| 488 | }, | 488 | }, |
| 489 | }; | 489 | }; |
| 490 | 490 | ||
| 491 | /* Search for public key algorithm with given name and | ||
| 492 | * return its pkey_id if it is available. Otherwise return 0 | ||
| 493 | */ | ||
| 494 | #ifdef OPENSSL_NO_ENGINE | ||
| 495 | |||
| 496 | static int | ||
| 497 | get_optional_pkey_id(const char *pkey_name) | ||
| 498 | { | ||
| 499 | const EVP_PKEY_ASN1_METHOD *ameth; | ||
| 500 | int pkey_id = 0; | ||
| 501 | ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); | ||
| 502 | if (ameth) { | ||
| 503 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); | ||
| 504 | } | ||
| 505 | return pkey_id; | ||
| 506 | } | ||
| 507 | |||
| 508 | #else | ||
| 509 | |||
| 510 | static int | ||
| 511 | get_optional_pkey_id(const char *pkey_name) | ||
| 512 | { | ||
| 513 | const EVP_PKEY_ASN1_METHOD *ameth; | ||
| 514 | ENGINE *tmpeng = NULL; | ||
| 515 | int pkey_id = 0; | ||
| 516 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1); | ||
| 517 | if (ameth) { | ||
| 518 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); | ||
| 519 | } | ||
| 520 | if (tmpeng) | ||
| 521 | ENGINE_finish(tmpeng); | ||
| 522 | return pkey_id; | ||
| 523 | } | ||
| 524 | |||
| 525 | #endif | ||
| 526 | |||
| 527 | void | 491 | void |
| 528 | ssl_load_ciphers(void) | 492 | ssl_load_ciphers(void) |
| 529 | { | 493 | { |
| @@ -840,19 +804,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, | |||
| 840 | *ssl = 0; | 804 | *ssl = 0; |
| 841 | 805 | ||
| 842 | /* | 806 | /* |
| 843 | * Check for presence of GOST 34.10 algorithms, and if they | 807 | * Check for the availability of GOST 34.10 public/private key |
| 844 | * do not present, disable appropriate auth and key exchange. | 808 | * algorithms. If they are not available disable the associated |
| 809 | * authentication and key exchange algorithms. | ||
| 845 | */ | 810 | */ |
| 846 | if (!get_optional_pkey_id("gost94")) { | 811 | if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL) |
| 847 | *auth |= SSL_aGOST94; | 812 | *auth |= SSL_aGOST94; |
| 848 | } | 813 | if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) |
| 849 | if (!get_optional_pkey_id("gost2001")) { | ||
| 850 | *auth |= SSL_aGOST01; | 814 | *auth |= SSL_aGOST01; |
| 851 | } | 815 | if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0) |
| 852 | /* Disable GOST key exchange if no GOST signature algs are available. */ | ||
| 853 | if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0) { | ||
| 854 | *mkey |= SSL_kGOST; | 816 | *mkey |= SSL_kGOST; |
| 855 | } | 817 | |
| 856 | #ifdef SSL_FORBID_ENULL | 818 | #ifdef SSL_FORBID_ENULL |
| 857 | *enc |= SSL_eNULL; | 819 | *enc |= SSL_eNULL; |
| 858 | #endif | 820 | #endif |
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 2b64eb7a9a..72f774e7a9 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.76 2014/12/06 15:27:45 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -488,42 +488,6 @@ static const SSL_CIPHER cipher_aliases[] = { | |||
| 488 | }, | 488 | }, |
| 489 | }; | 489 | }; |
| 490 | 490 | ||
| 491 | /* Search for public key algorithm with given name and | ||
| 492 | * return its pkey_id if it is available. Otherwise return 0 | ||
| 493 | */ | ||
| 494 | #ifdef OPENSSL_NO_ENGINE | ||
| 495 | |||
| 496 | static int | ||
| 497 | get_optional_pkey_id(const char *pkey_name) | ||
| 498 | { | ||
| 499 | const EVP_PKEY_ASN1_METHOD *ameth; | ||
| 500 | int pkey_id = 0; | ||
| 501 | ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); | ||
| 502 | if (ameth) { | ||
| 503 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); | ||
| 504 | } | ||
| 505 | return pkey_id; | ||
| 506 | } | ||
| 507 | |||
| 508 | #else | ||
| 509 | |||
| 510 | static int | ||
| 511 | get_optional_pkey_id(const char *pkey_name) | ||
| 512 | { | ||
| 513 | const EVP_PKEY_ASN1_METHOD *ameth; | ||
| 514 | ENGINE *tmpeng = NULL; | ||
| 515 | int pkey_id = 0; | ||
| 516 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1); | ||
| 517 | if (ameth) { | ||
| 518 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); | ||
| 519 | } | ||
| 520 | if (tmpeng) | ||
| 521 | ENGINE_finish(tmpeng); | ||
| 522 | return pkey_id; | ||
| 523 | } | ||
| 524 | |||
| 525 | #endif | ||
| 526 | |||
| 527 | void | 491 | void |
| 528 | ssl_load_ciphers(void) | 492 | ssl_load_ciphers(void) |
| 529 | { | 493 | { |
| @@ -840,19 +804,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, | |||
| 840 | *ssl = 0; | 804 | *ssl = 0; |
| 841 | 805 | ||
| 842 | /* | 806 | /* |
| 843 | * Check for presence of GOST 34.10 algorithms, and if they | 807 | * Check for the availability of GOST 34.10 public/private key |
| 844 | * do not present, disable appropriate auth and key exchange. | 808 | * algorithms. If they are not available disable the associated |
| 809 | * authentication and key exchange algorithms. | ||
| 845 | */ | 810 | */ |
| 846 | if (!get_optional_pkey_id("gost94")) { | 811 | if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL) |
| 847 | *auth |= SSL_aGOST94; | 812 | *auth |= SSL_aGOST94; |
| 848 | } | 813 | if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) |
| 849 | if (!get_optional_pkey_id("gost2001")) { | ||
| 850 | *auth |= SSL_aGOST01; | 814 | *auth |= SSL_aGOST01; |
| 851 | } | 815 | if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0) |
| 852 | /* Disable GOST key exchange if no GOST signature algs are available. */ | ||
| 853 | if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0) { | ||
| 854 | *mkey |= SSL_kGOST; | 816 | *mkey |= SSL_kGOST; |
| 855 | } | 817 | |
| 856 | #ifdef SSL_FORBID_ENULL | 818 | #ifdef SSL_FORBID_ENULL |
| 857 | *enc |= SSL_eNULL; | 819 | *enc |= SSL_eNULL; |
| 858 | #endif | 820 | #endif |