summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2014-07-12 13:11:53 +0000
committerjsing <>2014-07-12 13:11:53 +0000
commitf369cbd2df9afb8ac061dda10793999764e0368b (patch)
treedd77c44528a0b25f7964c067da56be1302be9ee2
parente38eced5b24c9ac14880daf6256db41e61f7b6ac (diff)
downloadopenbsd-f369cbd2df9afb8ac061dda10793999764e0368b.tar.gz
openbsd-f369cbd2df9afb8ac061dda10793999764e0368b.tar.bz2
openbsd-f369cbd2df9afb8ac061dda10793999764e0368b.zip
Remove remnants from PSK, KRB5 and SRP.
ok beck@ miod@
Diffstat
-rw-r--r--src/lib/libssl/d1_clnt.c8
-rw-r--r--src/lib/libssl/d1_srvr.c31
-rw-r--r--src/lib/libssl/s3_clnt.c25
-rw-r--r--src/lib/libssl/s3_pkt.c6
-rw-r--r--src/lib/libssl/s3_srvr.c56
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c8
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c31
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c25
-rw-r--r--src/lib/libssl/src/ssl/s3_pkt.c6
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c56
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c62
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c5
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h9
-rw-r--r--src/lib/libssl/ssl_ciph.c62
-rw-r--r--src/lib/libssl/ssl_lib.c5
-rw-r--r--src/lib/libssl/ssl_locl.h9
16 files changed, 86 insertions, 318 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index b85908c733..004fd6e04f 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.29 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -395,9 +395,9 @@ dtls1_connect(SSL *s)
395 s->init_num = 0; 395 s->init_num = 0;
396 break; 396 break;
397 } 397 }
398 /* Check if it is anon DH or PSK */ 398 /* Check if it is anon DH. */
399 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 399 if (!(s->s3->tmp.new_cipher->algorithm_auth &
400 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 400 SSL_aNULL)) {
401 ret = ssl3_get_server_certificate(s); 401 ret = ssl3_get_server_certificate(s);
402 if (ret <= 0) 402 if (ret <= 0)
403 goto end; 403 goto end;
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 8531f2db2b..a94b7ed61b 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -427,9 +427,9 @@ dtls1_accept(SSL *s)
427 427
428 case SSL3_ST_SW_CERT_A: 428 case SSL3_ST_SW_CERT_A:
429 case SSL3_ST_SW_CERT_B: 429 case SSL3_ST_SW_CERT_B:
430 /* Check if it is anon DH or normal PSK */ 430 /* Check if it is anon DH. */
431 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 431 if (!(s->s3->tmp.new_cipher->algorithm_auth &
432 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 432 SSL_aNULL)) {
433 dtls1_start_timer(s); 433 dtls1_start_timer(s);
434 ret = dtls1_send_server_certificate(s); 434 ret = dtls1_send_server_certificate(s);
435 if (ret <= 0) 435 if (ret <= 0)
@@ -500,22 +500,13 @@ dtls1_accept(SSL *s)
500 * and in RFC 2246) ... except when the application 500 * and in RFC 2246) ... except when the application
501 * insists on verification (against the specs, but 501 * insists on verification (against the specs, but
502 * s3_clnt.c accepts this for SSL 3). 502 * s3_clnt.c accepts this for SSL 3).
503 *
504 * - We are using a Kerberos ciphersuite.
505 *
506 * - We are using normal PSK certificates and
507 * Certificate Requests are omitted
508 */ 503 */
509 if (!(s->verify_mode & SSL_VERIFY_PEER) || 504 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
510 ((s->session->peer != NULL) && 505 ((s->session->peer != NULL) &&
511 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 506 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
512 ((s->s3->tmp.new_cipher->algorithm_auth & 507 ((s->s3->tmp.new_cipher->algorithm_auth &
513 SSL_aNULL) && !(s->verify_mode & 508 SSL_aNULL) && !(s->verify_mode &
514 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 509 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
515 (s->s3->tmp.new_cipher->algorithm_auth &
516 SSL_aKRB5) ||
517 (s->s3->tmp.new_cipher->algorithm_mkey &
518 SSL_kPSK)) {
519 /* no cert request */ 510 /* no cert request */
520 skip = 1; 511 skip = 1;
521 s->s3->tmp.cert_request = 0; 512 s->s3->tmp.cert_request = 0;
@@ -1216,8 +1207,7 @@ dtls1_send_server_key_exchange(SSL *s)
1216 n += 2 + nr[i]; 1207 n += 2 + nr[i];
1217 } 1208 }
1218 1209
1219 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1210 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1220 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1221 if ((pkey = ssl_get_sign_pkey(s, 1211 if ((pkey = ssl_get_sign_pkey(s,
1222 s->s3->tmp.new_cipher, NULL)) == NULL) { 1212 s->s3->tmp.new_cipher, NULL)) == NULL) {
1223 al = SSL_AD_DECODE_ERROR; 1213 al = SSL_AD_DECODE_ERROR;
@@ -1463,12 +1453,9 @@ dtls1_send_server_certificate(SSL *s)
1463 if (s->state == SSL3_ST_SW_CERT_A) { 1453 if (s->state == SSL3_ST_SW_CERT_A) {
1464 x = ssl_get_server_send_cert(s); 1454 x = ssl_get_server_send_cert(s);
1465 if (x == NULL) { 1455 if (x == NULL) {
1466 /* VRS: allow null cert if auth == KRB5 */ 1456 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
1467 if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || 1457 ERR_R_INTERNAL_ERROR);
1468 (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) { 1458 return (0);
1469 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1470 return (0);
1471 }
1472 } 1459 }
1473 1460
1474 l = dtls1_output_cert_chain(s, x); 1461 l = dtls1_output_cert_chain(s, x);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 884b9f1efb..7d6681b3ac 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.78 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -339,11 +339,9 @@ ssl3_connect(SSL *s)
339 s->init_num = 0; 339 s->init_num = 0;
340 break; 340 break;
341 } 341 }
342 /* Check if it is anon DH/ECDH or PSK */ 342 /* Check if it is anon DH/ECDH. */
343 if (!(s->s3->tmp.new_cipher->algorithm_auth & 343 if (!(s->s3->tmp.new_cipher->algorithm_auth &
344 SSL_aNULL) && 344 SSL_aNULL)) {
345 !(s->s3->tmp.new_cipher->algorithm_mkey &
346 SSL_kPSK)) {
347 ret = ssl3_get_server_certificate(s); 345 ret = ssl3_get_server_certificate(s);
348 if (ret <= 0) 346 if (ret <= 0)
349 goto end; 347 goto end;
@@ -996,7 +994,6 @@ ssl3_get_server_certificate(SSL *s)
996 SESS_CERT *sc; 994 SESS_CERT *sc;
997 EVP_PKEY *pkey = NULL; 995 EVP_PKEY *pkey = NULL;
998 996
999 /* VRS: 0=> will allow null cert if auth == KRB5 */
1000 int need_cert = 1; 997 int need_cert = 1;
1001 998
1002 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 999 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
@@ -1005,9 +1002,7 @@ ssl3_get_server_certificate(SSL *s)
1005 if (!ok) 1002 if (!ok)
1006 return ((int)n); 1003 return ((int)n);
1007 1004
1008 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1005 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)) {
1009 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1010 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1011 s->s3->tmp.reuse_message = 1; 1006 s->s3->tmp.reuse_message = 1;
1012 return (1); 1007 return (1);
1013 } 1008 }
@@ -1098,12 +1093,6 @@ ssl3_get_server_certificate(SSL *s)
1098 1093
1099 pkey = X509_get_pubkey(x); 1094 pkey = X509_get_pubkey(x);
1100 1095
1101 /* VRS: allow null cert if auth == KRB5 */
1102 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1103 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1104 ? 0 : 1;
1105
1106
1107 if (need_cert && ((pkey == NULL) || 1096 if (need_cert && ((pkey == NULL) ||
1108 EVP_PKEY_missing_parameters(pkey))) { 1097 EVP_PKEY_missing_parameters(pkey))) {
1109 x = NULL; 1098 x = NULL;
@@ -1553,8 +1542,8 @@ ssl3_get_key_exchange(SSL *s)
1553 } 1542 }
1554 } 1543 }
1555 } else { 1544 } else {
1556 /* aNULL or kPSK do not need public keys */ 1545 /* aNULL does not need public keys. */
1557 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) { 1546 if (!(alg_a & SSL_aNULL)) {
1558 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1559 ERR_R_INTERNAL_ERROR); 1548 ERR_R_INTERNAL_ERROR);
1560 goto err; 1549 goto err;
@@ -2615,7 +2604,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2615 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2604 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2616 2605
2617 /* We don't have a certificate. */ 2606 /* We don't have a certificate. */
2618 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2607 if (alg_a & (SSL_aDH|SSL_aNULL))
2619 return (1); 2608 return (1);
2620 2609
2621 sc = s->session->sess_cert; 2610 sc = s->session->sess_cert;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 237d90c581..cbd35ff7e3 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1134,10 +1134,6 @@ start:
1134 SSL_R_NO_RENEGOTIATION); 1134 SSL_R_NO_RENEGOTIATION);
1135 goto f_err; 1135 goto f_err;
1136 } 1136 }
1137#ifdef SSL_AD_MISSING_SRP_USERNAME
1138 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1139 return (0);
1140#endif
1141 } else if (alert_level == 2) { 1137 } else if (alert_level == 2) {
1142 /* fatal */ 1138 /* fatal */
1143 s->rwstate = SSL_NOTHING; 1139 s->rwstate = SSL_NOTHING;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 2d1bee1723..e0a7d78995 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
373 373
374 case SSL3_ST_SW_CERT_A: 374 case SSL3_ST_SW_CERT_A:
375 case SSL3_ST_SW_CERT_B: 375 case SSL3_ST_SW_CERT_B:
376 /* Check if it is anon DH or anon ECDH, */ 376 /* Check if it is anon DH or anon ECDH. */
377 /* normal PSK or KRB5 or SRP */ 377 if (!(s->s3->tmp.new_cipher->algorithm_auth &
378 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 378 SSL_aNULL)) {
379 && !(s->s3->tmp.new_cipher->algorithm_mkey &
380 SSL_kPSK)
381 && !(s->s3->tmp.new_cipher->algorithm_auth &
382 SSL_aKRB5)) {
383 ret = ssl3_send_server_certificate(s); 379 ret = ssl3_send_server_certificate(s);
384 if (ret <= 0) 380 if (ret <= 0)
385 goto end; 381 goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
417 413
418 /* 414 /*
419 * Only send if a DH key exchange, fortezza or 415 * Only send if a DH key exchange, fortezza or
420 * RSA but we have a sign only certificate 416 * RSA but we have a sign only certificate.
421 *
422 * PSK: send ServerKeyExchange if PSK identity
423 * hint is provided
424 * 417 *
425 * For ECC ciphersuites, we send a serverKeyExchange 418 * For ECC ciphersuites, we send a serverKeyExchange
426 * message only if the cipher suite is either 419 * message only if the cipher suite is either
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
428 * server certificate contains the server's 421 * server certificate contains the server's
429 * public key for key exchange. 422 * public key for key exchange.
430 */ 423 */
431 if (s->s3->tmp.use_rsa_tmp 424 if (s->s3->tmp.use_rsa_tmp ||
432 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 425 (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
433 || (alg_k & SSL_kEECDH) 426 (alg_k & SSL_kEECDH) ||
434 || ((alg_k & SSL_kRSA) 427 ((alg_k & SSL_kRSA) &&
435 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == 428 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
436 NULL 429 NULL))) {
437 ))) {
438 ret = ssl3_send_server_key_exchange(s); 430 ret = ssl3_send_server_key_exchange(s);
439 if (ret <= 0) 431 if (ret <= 0)
440 goto end; 432 goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
463 * and in RFC 2246) ... except when the application 455 * and in RFC 2246) ... except when the application
464 * insists on verification (against the specs, but 456 * insists on verification (against the specs, but
465 * s3_clnt.c accepts this for SSL 3). 457 * s3_clnt.c accepts this for SSL 3).
466 *
467 * - We are using a Kerberos ciphersuite.
468 *
469 * - We are using normal PSK certificates and
470 * Certificate Requests are omitted
471 */ 458 */
472 if (!(s->verify_mode & SSL_VERIFY_PEER) || 459 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
473 ((s->session->peer != NULL) && 460 ((s->session->peer != NULL) &&
474 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 461 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
475 ((s->s3->tmp.new_cipher->algorithm_auth & 462 ((s->s3->tmp.new_cipher->algorithm_auth &
476 SSL_aNULL) && !(s->verify_mode & 463 SSL_aNULL) && !(s->verify_mode &
477 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 464 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
478 (s->s3->tmp.new_cipher->algorithm_auth &
479 SSL_aKRB5) ||
480 (s->s3->tmp.new_cipher->algorithm_mkey &
481 SSL_kPSK)) {
482 /* No cert request */ 465 /* No cert request */
483 skip = 1; 466 skip = 1;
484 s->s3->tmp.cert_request = 0; 467 s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
1605 n += 2 + nr[i]; 1588 n += 2 + nr[i];
1606 } 1589 }
1607 1590
1608 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 1591 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1609 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1610 if ((pkey = ssl_get_sign_pkey( 1592 if ((pkey = ssl_get_sign_pkey(
1611 s, s->s3->tmp.new_cipher, &md)) == NULL) { 1593 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1612 al = SSL_AD_DECODE_ERROR; 1594 al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
2681 if (s->state == SSL3_ST_SW_CERT_A) { 2663 if (s->state == SSL3_ST_SW_CERT_A) {
2682 x = ssl_get_server_send_cert(s); 2664 x = ssl_get_server_send_cert(s);
2683 if (x == NULL) { 2665 if (x == NULL) {
2684 /* VRS: allow null cert if auth == KRB5 */ 2666 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2685 if ((s->s3->tmp.new_cipher->algorithm_auth != 2667 ERR_R_INTERNAL_ERROR);
2686 SSL_aKRB5) || 2668 return (0);
2687 (s->s3->tmp.new_cipher->algorithm_mkey &
2688 SSL_kKRB5)) {
2689 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2690 ERR_R_INTERNAL_ERROR);
2691 return (0);
2692 }
2693 } 2669 }
2694 2670
2695 l = ssl3_output_cert_chain(s, x); 2671 l = ssl3_output_cert_chain(s, x);
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index b85908c733..004fd6e04f 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.29 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -395,9 +395,9 @@ dtls1_connect(SSL *s)
395 s->init_num = 0; 395 s->init_num = 0;
396 break; 396 break;
397 } 397 }
398 /* Check if it is anon DH or PSK */ 398 /* Check if it is anon DH. */
399 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 399 if (!(s->s3->tmp.new_cipher->algorithm_auth &
400 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 400 SSL_aNULL)) {
401 ret = ssl3_get_server_certificate(s); 401 ret = ssl3_get_server_certificate(s);
402 if (ret <= 0) 402 if (ret <= 0)
403 goto end; 403 goto end;
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index 8531f2db2b..a94b7ed61b 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -427,9 +427,9 @@ dtls1_accept(SSL *s)
427 427
428 case SSL3_ST_SW_CERT_A: 428 case SSL3_ST_SW_CERT_A:
429 case SSL3_ST_SW_CERT_B: 429 case SSL3_ST_SW_CERT_B:
430 /* Check if it is anon DH or normal PSK */ 430 /* Check if it is anon DH. */
431 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 431 if (!(s->s3->tmp.new_cipher->algorithm_auth &
432 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 432 SSL_aNULL)) {
433 dtls1_start_timer(s); 433 dtls1_start_timer(s);
434 ret = dtls1_send_server_certificate(s); 434 ret = dtls1_send_server_certificate(s);
435 if (ret <= 0) 435 if (ret <= 0)
@@ -500,22 +500,13 @@ dtls1_accept(SSL *s)
500 * and in RFC 2246) ... except when the application 500 * and in RFC 2246) ... except when the application
501 * insists on verification (against the specs, but 501 * insists on verification (against the specs, but
502 * s3_clnt.c accepts this for SSL 3). 502 * s3_clnt.c accepts this for SSL 3).
503 *
504 * - We are using a Kerberos ciphersuite.
505 *
506 * - We are using normal PSK certificates and
507 * Certificate Requests are omitted
508 */ 503 */
509 if (!(s->verify_mode & SSL_VERIFY_PEER) || 504 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
510 ((s->session->peer != NULL) && 505 ((s->session->peer != NULL) &&
511 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 506 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
512 ((s->s3->tmp.new_cipher->algorithm_auth & 507 ((s->s3->tmp.new_cipher->algorithm_auth &
513 SSL_aNULL) && !(s->verify_mode & 508 SSL_aNULL) && !(s->verify_mode &
514 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 509 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
515 (s->s3->tmp.new_cipher->algorithm_auth &
516 SSL_aKRB5) ||
517 (s->s3->tmp.new_cipher->algorithm_mkey &
518 SSL_kPSK)) {
519 /* no cert request */ 510 /* no cert request */
520 skip = 1; 511 skip = 1;
521 s->s3->tmp.cert_request = 0; 512 s->s3->tmp.cert_request = 0;
@@ -1216,8 +1207,7 @@ dtls1_send_server_key_exchange(SSL *s)
1216 n += 2 + nr[i]; 1207 n += 2 + nr[i];
1217 } 1208 }
1218 1209
1219 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1210 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1220 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1221 if ((pkey = ssl_get_sign_pkey(s, 1211 if ((pkey = ssl_get_sign_pkey(s,
1222 s->s3->tmp.new_cipher, NULL)) == NULL) { 1212 s->s3->tmp.new_cipher, NULL)) == NULL) {
1223 al = SSL_AD_DECODE_ERROR; 1213 al = SSL_AD_DECODE_ERROR;
@@ -1463,12 +1453,9 @@ dtls1_send_server_certificate(SSL *s)
1463 if (s->state == SSL3_ST_SW_CERT_A) { 1453 if (s->state == SSL3_ST_SW_CERT_A) {
1464 x = ssl_get_server_send_cert(s); 1454 x = ssl_get_server_send_cert(s);
1465 if (x == NULL) { 1455 if (x == NULL) {
1466 /* VRS: allow null cert if auth == KRB5 */ 1456 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
1467 if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || 1457 ERR_R_INTERNAL_ERROR);
1468 (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) { 1458 return (0);
1469 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1470 return (0);
1471 }
1472 } 1459 }
1473 1460
1474 l = dtls1_output_cert_chain(s, x); 1461 l = dtls1_output_cert_chain(s, x);
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 884b9f1efb..7d6681b3ac 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.78 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -339,11 +339,9 @@ ssl3_connect(SSL *s)
339 s->init_num = 0; 339 s->init_num = 0;
340 break; 340 break;
341 } 341 }
342 /* Check if it is anon DH/ECDH or PSK */ 342 /* Check if it is anon DH/ECDH. */
343 if (!(s->s3->tmp.new_cipher->algorithm_auth & 343 if (!(s->s3->tmp.new_cipher->algorithm_auth &
344 SSL_aNULL) && 344 SSL_aNULL)) {
345 !(s->s3->tmp.new_cipher->algorithm_mkey &
346 SSL_kPSK)) {
347 ret = ssl3_get_server_certificate(s); 345 ret = ssl3_get_server_certificate(s);
348 if (ret <= 0) 346 if (ret <= 0)
349 goto end; 347 goto end;
@@ -996,7 +994,6 @@ ssl3_get_server_certificate(SSL *s)
996 SESS_CERT *sc; 994 SESS_CERT *sc;
997 EVP_PKEY *pkey = NULL; 995 EVP_PKEY *pkey = NULL;
998 996
999 /* VRS: 0=> will allow null cert if auth == KRB5 */
1000 int need_cert = 1; 997 int need_cert = 1;
1001 998
1002 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 999 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
@@ -1005,9 +1002,7 @@ ssl3_get_server_certificate(SSL *s)
1005 if (!ok) 1002 if (!ok)
1006 return ((int)n); 1003 return ((int)n);
1007 1004
1008 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1005 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)) {
1009 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1010 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1011 s->s3->tmp.reuse_message = 1; 1006 s->s3->tmp.reuse_message = 1;
1012 return (1); 1007 return (1);
1013 } 1008 }
@@ -1098,12 +1093,6 @@ ssl3_get_server_certificate(SSL *s)
1098 1093
1099 pkey = X509_get_pubkey(x); 1094 pkey = X509_get_pubkey(x);
1100 1095
1101 /* VRS: allow null cert if auth == KRB5 */
1102 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1103 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1104 ? 0 : 1;
1105
1106
1107 if (need_cert && ((pkey == NULL) || 1096 if (need_cert && ((pkey == NULL) ||
1108 EVP_PKEY_missing_parameters(pkey))) { 1097 EVP_PKEY_missing_parameters(pkey))) {
1109 x = NULL; 1098 x = NULL;
@@ -1553,8 +1542,8 @@ ssl3_get_key_exchange(SSL *s)
1553 } 1542 }
1554 } 1543 }
1555 } else { 1544 } else {
1556 /* aNULL or kPSK do not need public keys */ 1545 /* aNULL does not need public keys. */
1557 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) { 1546 if (!(alg_a & SSL_aNULL)) {
1558 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1559 ERR_R_INTERNAL_ERROR); 1548 ERR_R_INTERNAL_ERROR);
1560 goto err; 1549 goto err;
@@ -2615,7 +2604,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2615 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2604 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2616 2605
2617 /* We don't have a certificate. */ 2606 /* We don't have a certificate. */
2618 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2607 if (alg_a & (SSL_aDH|SSL_aNULL))
2619 return (1); 2608 return (1);
2620 2609
2621 sc = s->session->sess_cert; 2610 sc = s->session->sess_cert;
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 237d90c581..cbd35ff7e3 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */ 1/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1134,10 +1134,6 @@ start:
1134 SSL_R_NO_RENEGOTIATION); 1134 SSL_R_NO_RENEGOTIATION);
1135 goto f_err; 1135 goto f_err;
1136 } 1136 }
1137#ifdef SSL_AD_MISSING_SRP_USERNAME
1138 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1139 return (0);
1140#endif
1141 } else if (alert_level == 2) { 1137 } else if (alert_level == 2) {
1142 /* fatal */ 1138 /* fatal */
1143 s->rwstate = SSL_NOTHING; 1139 s->rwstate = SSL_NOTHING;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 2d1bee1723..e0a7d78995 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
373 373
374 case SSL3_ST_SW_CERT_A: 374 case SSL3_ST_SW_CERT_A:
375 case SSL3_ST_SW_CERT_B: 375 case SSL3_ST_SW_CERT_B:
376 /* Check if it is anon DH or anon ECDH, */ 376 /* Check if it is anon DH or anon ECDH. */
377 /* normal PSK or KRB5 or SRP */ 377 if (!(s->s3->tmp.new_cipher->algorithm_auth &
378 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 378 SSL_aNULL)) {
379 && !(s->s3->tmp.new_cipher->algorithm_mkey &
380 SSL_kPSK)
381 && !(s->s3->tmp.new_cipher->algorithm_auth &
382 SSL_aKRB5)) {
383 ret = ssl3_send_server_certificate(s); 379 ret = ssl3_send_server_certificate(s);
384 if (ret <= 0) 380 if (ret <= 0)
385 goto end; 381 goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
417 413
418 /* 414 /*
419 * Only send if a DH key exchange, fortezza or 415 * Only send if a DH key exchange, fortezza or
420 * RSA but we have a sign only certificate 416 * RSA but we have a sign only certificate.
421 *
422 * PSK: send ServerKeyExchange if PSK identity
423 * hint is provided
424 * 417 *
425 * For ECC ciphersuites, we send a serverKeyExchange 418 * For ECC ciphersuites, we send a serverKeyExchange
426 * message only if the cipher suite is either 419 * message only if the cipher suite is either
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
428 * server certificate contains the server's 421 * server certificate contains the server's
429 * public key for key exchange. 422 * public key for key exchange.
430 */ 423 */
431 if (s->s3->tmp.use_rsa_tmp 424 if (s->s3->tmp.use_rsa_tmp ||
432 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 425 (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
433 || (alg_k & SSL_kEECDH) 426 (alg_k & SSL_kEECDH) ||
434 || ((alg_k & SSL_kRSA) 427 ((alg_k & SSL_kRSA) &&
435 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == 428 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
436 NULL 429 NULL))) {
437 ))) {
438 ret = ssl3_send_server_key_exchange(s); 430 ret = ssl3_send_server_key_exchange(s);
439 if (ret <= 0) 431 if (ret <= 0)
440 goto end; 432 goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
463 * and in RFC 2246) ... except when the application 455 * and in RFC 2246) ... except when the application
464 * insists on verification (against the specs, but 456 * insists on verification (against the specs, but
465 * s3_clnt.c accepts this for SSL 3). 457 * s3_clnt.c accepts this for SSL 3).
466 *
467 * - We are using a Kerberos ciphersuite.
468 *
469 * - We are using normal PSK certificates and
470 * Certificate Requests are omitted
471 */ 458 */
472 if (!(s->verify_mode & SSL_VERIFY_PEER) || 459 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
473 ((s->session->peer != NULL) && 460 ((s->session->peer != NULL) &&
474 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 461 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
475 ((s->s3->tmp.new_cipher->algorithm_auth & 462 ((s->s3->tmp.new_cipher->algorithm_auth &
476 SSL_aNULL) && !(s->verify_mode & 463 SSL_aNULL) && !(s->verify_mode &
477 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 464 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
478 (s->s3->tmp.new_cipher->algorithm_auth &
479 SSL_aKRB5) ||
480 (s->s3->tmp.new_cipher->algorithm_mkey &
481 SSL_kPSK)) {
482 /* No cert request */ 465 /* No cert request */
483 skip = 1; 466 skip = 1;
484 s->s3->tmp.cert_request = 0; 467 s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
1605 n += 2 + nr[i]; 1588 n += 2 + nr[i];
1606 } 1589 }
1607 1590
1608 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 1591 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1609 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1610 if ((pkey = ssl_get_sign_pkey( 1592 if ((pkey = ssl_get_sign_pkey(
1611 s, s->s3->tmp.new_cipher, &md)) == NULL) { 1593 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1612 al = SSL_AD_DECODE_ERROR; 1594 al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
2681 if (s->state == SSL3_ST_SW_CERT_A) { 2663 if (s->state == SSL3_ST_SW_CERT_A) {
2682 x = ssl_get_server_send_cert(s); 2664 x = ssl_get_server_send_cert(s);
2683 if (x == NULL) { 2665 if (x == NULL) {
2684 /* VRS: allow null cert if auth == KRB5 */ 2666 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2685 if ((s->s3->tmp.new_cipher->algorithm_auth != 2667 ERR_R_INTERNAL_ERROR);
2686 SSL_aKRB5) || 2668 return (0);
2687 (s->s3->tmp.new_cipher->algorithm_mkey &
2688 SSL_kKRB5)) {
2689 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2690 ERR_R_INTERNAL_ERROR);
2691 return (0);
2692 }
2693 } 2669 }
2694 2670
2695 l = ssl3_output_cert_chain(s, x); 2671 l = ssl3_output_cert_chain(s, x);
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 9df4f8a0c9..a2dec527ca 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.64 2014/07/12 07:52:36 guenther Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -273,11 +273,6 @@ static const SSL_CIPHER cipher_aliases[] = {
273 }, 273 },
274 274
275 { 275 {
276 .name = SSL_TXT_kKRB5,
277 .algorithm_mkey = SSL_kKRB5,
278 },
279
280 {
281 .name = SSL_TXT_kECDHr, 276 .name = SSL_TXT_kECDHr,
282 .algorithm_mkey = SSL_kECDHr, 277 .algorithm_mkey = SSL_kECDHr,
283 }, 278 },
@@ -299,14 +294,6 @@ static const SSL_CIPHER cipher_aliases[] = {
299 }, 294 },
300 295
301 { 296 {
302 .name = SSL_TXT_kPSK,
303 .algorithm_mkey = SSL_kPSK,
304 },
305 {
306 .name = SSL_TXT_kSRP,
307 .algorithm_mkey = SSL_kSRP,
308 },
309 {
310 .name = SSL_TXT_kGOST, 297 .name = SSL_TXT_kGOST,
311 .algorithm_mkey = SSL_kGOST, 298 .algorithm_mkey = SSL_kGOST,
312 }, 299 },
@@ -325,10 +312,6 @@ static const SSL_CIPHER cipher_aliases[] = {
325 .algorithm_auth = SSL_aDSS, 312 .algorithm_auth = SSL_aDSS,
326 }, 313 },
327 { 314 {
328 .name = SSL_TXT_aKRB5,
329 .algorithm_auth = SSL_aKRB5,
330 },
331 {
332 .name = SSL_TXT_aNULL, 315 .name = SSL_TXT_aNULL,
333 .algorithm_auth = SSL_aNULL, 316 .algorithm_auth = SSL_aNULL,
334 }, 317 },
@@ -350,10 +333,6 @@ static const SSL_CIPHER cipher_aliases[] = {
350 .algorithm_auth = SSL_aECDSA, 333 .algorithm_auth = SSL_aECDSA,
351 }, 334 },
352 { 335 {
353 .name = SSL_TXT_aPSK,
354 .algorithm_auth = SSL_aPSK,
355 },
356 {
357 .name = SSL_TXT_aGOST94, 336 .name = SSL_TXT_aGOST94,
358 .algorithm_auth = SSL_aGOST94, 337 .algorithm_auth = SSL_aGOST94,
359 }, 338 },
@@ -382,11 +361,6 @@ static const SSL_CIPHER cipher_aliases[] = {
382 .algorithm_enc = SSL_eNULL, 361 .algorithm_enc = SSL_eNULL,
383 }, 362 },
384 { 363 {
385 .name = SSL_TXT_KRB5,
386 .algorithm_mkey = SSL_kKRB5,
387 .algorithm_auth = SSL_aKRB5,
388 },
389 {
390 .name = SSL_TXT_RSA, 364 .name = SSL_TXT_RSA,
391 .algorithm_mkey = SSL_kRSA, 365 .algorithm_mkey = SSL_kRSA,
392 .algorithm_auth = SSL_aRSA, 366 .algorithm_auth = SSL_aRSA,
@@ -401,16 +375,7 @@ static const SSL_CIPHER cipher_aliases[] = {
401 .algorithm_mkey = SSL_kEECDH, 375 .algorithm_mkey = SSL_kEECDH,
402 .algorithm_auth = SSL_aNULL, 376 .algorithm_auth = SSL_aNULL,
403 }, 377 },
404 { 378
405 .name = SSL_TXT_PSK,
406 .algorithm_mkey = SSL_kPSK,
407 .algorithm_auth = SSL_aPSK,
408 },
409 {
410 .name = SSL_TXT_SRP,
411 .algorithm_mkey = SSL_kSRP,
412 },
413
414 /* symmetric encryption aliases */ 379 /* symmetric encryption aliases */
415 { 380 {
416 .name = SSL_TXT_DES, 381 .name = SSL_TXT_DES,
@@ -881,11 +846,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
881 846
882 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 847 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
883 *auth |= SSL_aDH; 848 *auth |= SSL_aDH;
884 *mkey |= SSL_kKRB5; 849
885 *auth |= SSL_aKRB5;
886 *mkey |= SSL_kPSK;
887 *auth |= SSL_aPSK;
888 *mkey |= SSL_kSRP;
889 /* Check for presence of GOST 34.10 algorithms, and if they 850 /* Check for presence of GOST 34.10 algorithms, and if they
890 * do not present, disable appropriate auth and key exchange */ 851 * do not present, disable appropriate auth and key exchange */
891 if (!get_optional_pkey_id("gost94")) { 852 if (!get_optional_pkey_id("gost94")) {
@@ -1515,8 +1476,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1515 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1476 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1516 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ 1477 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1517 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1478 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1518 ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1519 ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1520 1479
1521 /* RC4 is sort-of broken -- move the the end */ 1480 /* RC4 is sort-of broken -- move the the end */
1522 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1481 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
@@ -1650,9 +1609,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1650 case SSL_kDHd: 1609 case SSL_kDHd:
1651 kx = "DH/DSS"; 1610 kx = "DH/DSS";
1652 break; 1611 break;
1653 case SSL_kKRB5:
1654 kx = "KRB5";
1655 break;
1656 case SSL_kEDH: 1612 case SSL_kEDH:
1657 kx = "DH"; 1613 kx = "DH";
1658 break; 1614 break;
@@ -1665,12 +1621,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1665 case SSL_kEECDH: 1621 case SSL_kEECDH:
1666 kx = "ECDH"; 1622 kx = "ECDH";
1667 break; 1623 break;
1668 case SSL_kPSK:
1669 kx = "PSK";
1670 break;
1671 case SSL_kSRP:
1672 kx = "SRP";
1673 break;
1674 default: 1624 default:
1675 kx = "unknown"; 1625 kx = "unknown";
1676 } 1626 }
@@ -1685,9 +1635,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1685 case SSL_aDH: 1635 case SSL_aDH:
1686 au = "DH"; 1636 au = "DH";
1687 break; 1637 break;
1688 case SSL_aKRB5:
1689 au = "KRB5";
1690 break;
1691 case SSL_aECDH: 1638 case SSL_aECDH:
1692 au = "ECDH"; 1639 au = "ECDH";
1693 break; 1640 break;
@@ -1697,9 +1644,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1697 case SSL_aECDSA: 1644 case SSL_aECDSA:
1698 au = "ECDSA"; 1645 au = "ECDSA";
1699 break; 1646 break;
1700 case SSL_aPSK:
1701 au = "PSK";
1702 break;
1703 default: 1647 default:
1704 au = "unknown"; 1648 au = "unknown";
1705 break; 1649 break;
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index c3169204f6..beb8089475 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.75 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2137,9 +2137,6 @@ ssl_get_server_send_pkey(const SSL *s)
2137 i = SSL_PKEY_RSA_SIGN; 2137 i = SSL_PKEY_RSA_SIGN;
2138 else 2138 else
2139 i = SSL_PKEY_RSA_ENC; 2139 i = SSL_PKEY_RSA_ENC;
2140 } else if (alg_a & SSL_aKRB5) {
2141 /* VRS something else here? */
2142 return (NULL);
2143 } else if (alg_a & SSL_aGOST94) { 2140 } else if (alg_a & SSL_aGOST94) {
2144 i = SSL_PKEY_GOST94; 2141 i = SSL_PKEY_GOST94;
2145 } else if (alg_a & SSL_aGOST01) { 2142 } else if (alg_a & SSL_aGOST01) {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index c1e402b3a1..0d96ee5fe8 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.59 2014/07/11 08:17:36 miod Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.60 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -257,13 +257,10 @@
257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */ 257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */ 258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
259#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */ 259#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
260#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
261#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ 260#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
262#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ 261#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
263#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */ 262#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
264#define SSL_kPSK 0x00000100L /* PSK */ 263#define SSL_kGOST 0x00000200L /* GOST key exchange */
265#define SSL_kGOST 0x00000200L /* GOST key exchange */
266#define SSL_kSRP 0x00000400L /* SRP */
267 264
268/* Bits for algorithm_auth (server authentication) */ 265/* Bits for algorithm_auth (server authentication) */
269#define SSL_aRSA 0x00000001L /* RSA auth */ 266#define SSL_aRSA 0x00000001L /* RSA auth */
@@ -271,9 +268,7 @@
271#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ 268#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
272#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */ 269#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
273#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ 270#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
274#define SSL_aKRB5 0x00000020L /* KRB5 auth */
275#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ 271#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
276#define SSL_aPSK 0x00000080L /* PSK auth */
277#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ 272#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
278#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ 273#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
279 274
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 9df4f8a0c9..a2dec527ca 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.64 2014/07/12 07:52:36 guenther Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -273,11 +273,6 @@ static const SSL_CIPHER cipher_aliases[] = {
273 }, 273 },
274 274
275 { 275 {
276 .name = SSL_TXT_kKRB5,
277 .algorithm_mkey = SSL_kKRB5,
278 },
279
280 {
281 .name = SSL_TXT_kECDHr, 276 .name = SSL_TXT_kECDHr,
282 .algorithm_mkey = SSL_kECDHr, 277 .algorithm_mkey = SSL_kECDHr,
283 }, 278 },
@@ -299,14 +294,6 @@ static const SSL_CIPHER cipher_aliases[] = {
299 }, 294 },
300 295
301 { 296 {
302 .name = SSL_TXT_kPSK,
303 .algorithm_mkey = SSL_kPSK,
304 },
305 {
306 .name = SSL_TXT_kSRP,
307 .algorithm_mkey = SSL_kSRP,
308 },
309 {
310 .name = SSL_TXT_kGOST, 297 .name = SSL_TXT_kGOST,
311 .algorithm_mkey = SSL_kGOST, 298 .algorithm_mkey = SSL_kGOST,
312 }, 299 },
@@ -325,10 +312,6 @@ static const SSL_CIPHER cipher_aliases[] = {
325 .algorithm_auth = SSL_aDSS, 312 .algorithm_auth = SSL_aDSS,
326 }, 313 },
327 { 314 {
328 .name = SSL_TXT_aKRB5,
329 .algorithm_auth = SSL_aKRB5,
330 },
331 {
332 .name = SSL_TXT_aNULL, 315 .name = SSL_TXT_aNULL,
333 .algorithm_auth = SSL_aNULL, 316 .algorithm_auth = SSL_aNULL,
334 }, 317 },
@@ -350,10 +333,6 @@ static const SSL_CIPHER cipher_aliases[] = {
350 .algorithm_auth = SSL_aECDSA, 333 .algorithm_auth = SSL_aECDSA,
351 }, 334 },
352 { 335 {
353 .name = SSL_TXT_aPSK,
354 .algorithm_auth = SSL_aPSK,
355 },
356 {
357 .name = SSL_TXT_aGOST94, 336 .name = SSL_TXT_aGOST94,
358 .algorithm_auth = SSL_aGOST94, 337 .algorithm_auth = SSL_aGOST94,
359 }, 338 },
@@ -382,11 +361,6 @@ static const SSL_CIPHER cipher_aliases[] = {
382 .algorithm_enc = SSL_eNULL, 361 .algorithm_enc = SSL_eNULL,
383 }, 362 },
384 { 363 {
385 .name = SSL_TXT_KRB5,
386 .algorithm_mkey = SSL_kKRB5,
387 .algorithm_auth = SSL_aKRB5,
388 },
389 {
390 .name = SSL_TXT_RSA, 364 .name = SSL_TXT_RSA,
391 .algorithm_mkey = SSL_kRSA, 365 .algorithm_mkey = SSL_kRSA,
392 .algorithm_auth = SSL_aRSA, 366 .algorithm_auth = SSL_aRSA,
@@ -401,16 +375,7 @@ static const SSL_CIPHER cipher_aliases[] = {
401 .algorithm_mkey = SSL_kEECDH, 375 .algorithm_mkey = SSL_kEECDH,
402 .algorithm_auth = SSL_aNULL, 376 .algorithm_auth = SSL_aNULL,
403 }, 377 },
404 { 378
405 .name = SSL_TXT_PSK,
406 .algorithm_mkey = SSL_kPSK,
407 .algorithm_auth = SSL_aPSK,
408 },
409 {
410 .name = SSL_TXT_SRP,
411 .algorithm_mkey = SSL_kSRP,
412 },
413
414 /* symmetric encryption aliases */ 379 /* symmetric encryption aliases */
415 { 380 {
416 .name = SSL_TXT_DES, 381 .name = SSL_TXT_DES,
@@ -881,11 +846,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
881 846
882 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 847 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
883 *auth |= SSL_aDH; 848 *auth |= SSL_aDH;
884 *mkey |= SSL_kKRB5; 849
885 *auth |= SSL_aKRB5;
886 *mkey |= SSL_kPSK;
887 *auth |= SSL_aPSK;
888 *mkey |= SSL_kSRP;
889 /* Check for presence of GOST 34.10 algorithms, and if they 850 /* Check for presence of GOST 34.10 algorithms, and if they
890 * do not present, disable appropriate auth and key exchange */ 851 * do not present, disable appropriate auth and key exchange */
891 if (!get_optional_pkey_id("gost94")) { 852 if (!get_optional_pkey_id("gost94")) {
@@ -1515,8 +1476,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1515 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1476 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1516 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ 1477 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1517 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1478 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1518 ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1519 ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1520 1479
1521 /* RC4 is sort-of broken -- move the the end */ 1480 /* RC4 is sort-of broken -- move the the end */
1522 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1481 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
@@ -1650,9 +1609,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1650 case SSL_kDHd: 1609 case SSL_kDHd:
1651 kx = "DH/DSS"; 1610 kx = "DH/DSS";
1652 break; 1611 break;
1653 case SSL_kKRB5:
1654 kx = "KRB5";
1655 break;
1656 case SSL_kEDH: 1612 case SSL_kEDH:
1657 kx = "DH"; 1613 kx = "DH";
1658 break; 1614 break;
@@ -1665,12 +1621,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1665 case SSL_kEECDH: 1621 case SSL_kEECDH:
1666 kx = "ECDH"; 1622 kx = "ECDH";
1667 break; 1623 break;
1668 case SSL_kPSK:
1669 kx = "PSK";
1670 break;
1671 case SSL_kSRP:
1672 kx = "SRP";
1673 break;
1674 default: 1624 default:
1675 kx = "unknown"; 1625 kx = "unknown";
1676 } 1626 }
@@ -1685,9 +1635,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1685 case SSL_aDH: 1635 case SSL_aDH:
1686 au = "DH"; 1636 au = "DH";
1687 break; 1637 break;
1688 case SSL_aKRB5:
1689 au = "KRB5";
1690 break;
1691 case SSL_aECDH: 1638 case SSL_aECDH:
1692 au = "ECDH"; 1639 au = "ECDH";
1693 break; 1640 break;
@@ -1697,9 +1644,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1697 case SSL_aECDSA: 1644 case SSL_aECDSA:
1698 au = "ECDSA"; 1645 au = "ECDSA";
1699 break; 1646 break;
1700 case SSL_aPSK:
1701 au = "PSK";
1702 break;
1703 default: 1647 default:
1704 au = "unknown"; 1648 au = "unknown";
1705 break; 1649 break;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c3169204f6..beb8089475 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.75 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2137,9 +2137,6 @@ ssl_get_server_send_pkey(const SSL *s)
2137 i = SSL_PKEY_RSA_SIGN; 2137 i = SSL_PKEY_RSA_SIGN;
2138 else 2138 else
2139 i = SSL_PKEY_RSA_ENC; 2139 i = SSL_PKEY_RSA_ENC;
2140 } else if (alg_a & SSL_aKRB5) {
2141 /* VRS something else here? */
2142 return (NULL);
2143 } else if (alg_a & SSL_aGOST94) { 2140 } else if (alg_a & SSL_aGOST94) {
2144 i = SSL_PKEY_GOST94; 2141 i = SSL_PKEY_GOST94;
2145 } else if (alg_a & SSL_aGOST01) { 2142 } else if (alg_a & SSL_aGOST01) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index c1e402b3a1..0d96ee5fe8 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.59 2014/07/11 08:17:36 miod Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.60 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -257,13 +257,10 @@
257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */ 257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */ 258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
259#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */ 259#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
260#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
261#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ 260#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
262#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ 261#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
263#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */ 262#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
264#define SSL_kPSK 0x00000100L /* PSK */ 263#define SSL_kGOST 0x00000200L /* GOST key exchange */
265#define SSL_kGOST 0x00000200L /* GOST key exchange */
266#define SSL_kSRP 0x00000400L /* SRP */
267 264
268/* Bits for algorithm_auth (server authentication) */ 265/* Bits for algorithm_auth (server authentication) */
269#define SSL_aRSA 0x00000001L /* RSA auth */ 266#define SSL_aRSA 0x00000001L /* RSA auth */
@@ -271,9 +268,7 @@
271#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ 268#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
272#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */ 269#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
273#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ 270#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
274#define SSL_aKRB5 0x00000020L /* KRB5 auth */
275#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ 271#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
276#define SSL_aPSK 0x00000080L /* PSK auth */
277#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ 272#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
278#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ 273#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
279 274
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 13:02:03 +0000