diff options
| author | tedu <> | 2014-05-29 18:11:13 +0000 |
|---|---|---|
| committer | tedu <> | 2014-05-29 18:11:13 +0000 |
| commit | 36abfd12740be4329b29e295bfcee8fe22c637d4 (patch) | |
| tree | e214d026b5b66638630daa4617eb61197c96abb9 /src/lib/libssl/s3_clnt.c | |
| parent | 2aab478749f62f40d50f6200a1396b6352051369 (diff) | |
| download | openbsd-36abfd12740be4329b29e295bfcee8fe22c637d4.tar.gz openbsd-36abfd12740be4329b29e295bfcee8fe22c637d4.tar.bz2 openbsd-36abfd12740be4329b29e295bfcee8fe22c637d4.zip | |
unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 40 |
1 files changed, 0 insertions, 40 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 602ab03fe1..4df299de9d 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -155,9 +155,7 @@ | |||
| 155 | #include <openssl/objects.h> | 155 | #include <openssl/objects.h> |
| 156 | #include <openssl/evp.h> | 156 | #include <openssl/evp.h> |
| 157 | #include <openssl/md5.h> | 157 | #include <openssl/md5.h> |
| 158 | #ifndef OPENSSL_NO_DH | ||
| 159 | #include <openssl/dh.h> | 158 | #include <openssl/dh.h> |
| 160 | #endif | ||
| 161 | #include <openssl/bn.h> | 159 | #include <openssl/bn.h> |
| 162 | #ifndef OPENSSL_NO_ENGINE | 160 | #ifndef OPENSSL_NO_ENGINE |
| 163 | #include <openssl/engine.h> | 161 | #include <openssl/engine.h> |
| @@ -1263,16 +1261,12 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1263 | EVP_PKEY *pkey = NULL; | 1261 | EVP_PKEY *pkey = NULL; |
| 1264 | const EVP_MD *md = NULL; | 1262 | const EVP_MD *md = NULL; |
| 1265 | RSA *rsa = NULL; | 1263 | RSA *rsa = NULL; |
| 1266 | #ifndef OPENSSL_NO_DH | ||
| 1267 | DH *dh = NULL; | 1264 | DH *dh = NULL; |
| 1268 | #endif | ||
| 1269 | #ifndef OPENSSL_NO_ECDH | ||
| 1270 | EC_KEY *ecdh = NULL; | 1265 | EC_KEY *ecdh = NULL; |
| 1271 | BN_CTX *bn_ctx = NULL; | 1266 | BN_CTX *bn_ctx = NULL; |
| 1272 | EC_POINT *srvr_ecpoint = NULL; | 1267 | EC_POINT *srvr_ecpoint = NULL; |
| 1273 | int curve_nid = 0; | 1268 | int curve_nid = 0; |
| 1274 | int encoded_pt_len = 0; | 1269 | int encoded_pt_len = 0; |
| 1275 | #endif | ||
| 1276 | 1270 | ||
| 1277 | /* | 1271 | /* |
| 1278 | * Use same message size as in ssl3_get_certificate_request() | 1272 | * Use same message size as in ssl3_get_certificate_request() |
| @@ -1306,18 +1300,14 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1306 | RSA_free(s->session->sess_cert->peer_rsa_tmp); | 1300 | RSA_free(s->session->sess_cert->peer_rsa_tmp); |
| 1307 | s->session->sess_cert->peer_rsa_tmp = NULL; | 1301 | s->session->sess_cert->peer_rsa_tmp = NULL; |
| 1308 | } | 1302 | } |
| 1309 | #ifndef OPENSSL_NO_DH | ||
| 1310 | if (s->session->sess_cert->peer_dh_tmp) { | 1303 | if (s->session->sess_cert->peer_dh_tmp) { |
| 1311 | DH_free(s->session->sess_cert->peer_dh_tmp); | 1304 | DH_free(s->session->sess_cert->peer_dh_tmp); |
| 1312 | s->session->sess_cert->peer_dh_tmp = NULL; | 1305 | s->session->sess_cert->peer_dh_tmp = NULL; |
| 1313 | } | 1306 | } |
| 1314 | #endif | ||
| 1315 | #ifndef OPENSSL_NO_ECDH | ||
| 1316 | if (s->session->sess_cert->peer_ecdh_tmp) { | 1307 | if (s->session->sess_cert->peer_ecdh_tmp) { |
| 1317 | EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); | 1308 | EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); |
| 1318 | s->session->sess_cert->peer_ecdh_tmp = NULL; | 1309 | s->session->sess_cert->peer_ecdh_tmp = NULL; |
| 1319 | } | 1310 | } |
| 1320 | #endif | ||
| 1321 | } else { | 1311 | } else { |
| 1322 | s->session->sess_cert = ssl_sess_cert_new(); | 1312 | s->session->sess_cert = ssl_sess_cert_new(); |
| 1323 | } | 1313 | } |
| @@ -1424,7 +1414,6 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1424 | s->session->sess_cert->peer_rsa_tmp = rsa; | 1414 | s->session->sess_cert->peer_rsa_tmp = rsa; |
| 1425 | rsa = NULL; | 1415 | rsa = NULL; |
| 1426 | } | 1416 | } |
| 1427 | #ifndef OPENSSL_NO_DH | ||
| 1428 | else if (alg_k & SSL_kEDH) { | 1417 | else if (alg_k & SSL_kEDH) { |
| 1429 | if ((dh = DH_new()) == NULL) { | 1418 | if ((dh = DH_new()) == NULL) { |
| 1430 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, | 1419 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, |
| @@ -1495,9 +1484,7 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1495 | SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); | 1484 | SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); |
| 1496 | goto f_err; | 1485 | goto f_err; |
| 1497 | } | 1486 | } |
| 1498 | #endif /* !OPENSSL_NO_DH */ | ||
| 1499 | 1487 | ||
| 1500 | #ifndef OPENSSL_NO_ECDH | ||
| 1501 | else if (alg_k & SSL_kEECDH) { | 1488 | else if (alg_k & SSL_kEECDH) { |
| 1502 | EC_GROUP *ngroup; | 1489 | EC_GROUP *ngroup; |
| 1503 | const EC_GROUP *group; | 1490 | const EC_GROUP *group; |
| @@ -1585,12 +1572,10 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1585 | pkey = X509_get_pubkey( | 1572 | pkey = X509_get_pubkey( |
| 1586 | s->session->sess_cert->peer_pkeys[ | 1573 | s->session->sess_cert->peer_pkeys[ |
| 1587 | SSL_PKEY_RSA_ENC].x509); | 1574 | SSL_PKEY_RSA_ENC].x509); |
| 1588 | #ifndef OPENSSL_NO_ECDSA | ||
| 1589 | else if (alg_a & SSL_aECDSA) | 1575 | else if (alg_a & SSL_aECDSA) |
| 1590 | pkey = X509_get_pubkey( | 1576 | pkey = X509_get_pubkey( |
| 1591 | s->session->sess_cert->peer_pkeys[ | 1577 | s->session->sess_cert->peer_pkeys[ |
| 1592 | SSL_PKEY_ECC].x509); | 1578 | SSL_PKEY_ECC].x509); |
| 1593 | #endif | ||
| 1594 | /* Else anonymous ECDH, so no certificate or pkey. */ | 1579 | /* Else anonymous ECDH, so no certificate or pkey. */ |
| 1595 | EC_KEY_set_public_key(ecdh, srvr_ecpoint); | 1580 | EC_KEY_set_public_key(ecdh, srvr_ecpoint); |
| 1596 | s->session->sess_cert->peer_ecdh_tmp = ecdh; | 1581 | s->session->sess_cert->peer_ecdh_tmp = ecdh; |
| @@ -1605,7 +1590,6 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1605 | SSL_R_UNEXPECTED_MESSAGE); | 1590 | SSL_R_UNEXPECTED_MESSAGE); |
| 1606 | goto f_err; | 1591 | goto f_err; |
| 1607 | } | 1592 | } |
| 1608 | #endif /* !OPENSSL_NO_ECDH */ | ||
| 1609 | 1593 | ||
| 1610 | /* p points to the next byte, there are 'n' bytes left */ | 1594 | /* p points to the next byte, there are 'n' bytes left */ |
| 1611 | 1595 | ||
| @@ -1731,16 +1715,12 @@ ssl3_get_key_exchange(SSL *s) | |||
| 1731 | EVP_PKEY_free(pkey); | 1715 | EVP_PKEY_free(pkey); |
| 1732 | if (rsa != NULL) | 1716 | if (rsa != NULL) |
| 1733 | RSA_free(rsa); | 1717 | RSA_free(rsa); |
| 1734 | #ifndef OPENSSL_NO_DH | ||
| 1735 | if (dh != NULL) | 1718 | if (dh != NULL) |
| 1736 | DH_free(dh); | 1719 | DH_free(dh); |
| 1737 | #endif | ||
| 1738 | #ifndef OPENSSL_NO_ECDH | ||
| 1739 | BN_CTX_free(bn_ctx); | 1720 | BN_CTX_free(bn_ctx); |
| 1740 | EC_POINT_free(srvr_ecpoint); | 1721 | EC_POINT_free(srvr_ecpoint); |
| 1741 | if (ecdh != NULL) | 1722 | if (ecdh != NULL) |
| 1742 | EC_KEY_free(ecdh); | 1723 | EC_KEY_free(ecdh); |
| 1743 | #endif | ||
| 1744 | EVP_MD_CTX_cleanup(&md_ctx); | 1724 | EVP_MD_CTX_cleanup(&md_ctx); |
| 1745 | return (-1); | 1725 | return (-1); |
| 1746 | } | 1726 | } |
| @@ -2084,14 +2064,12 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2084 | unsigned long alg_k; | 2064 | unsigned long alg_k; |
| 2085 | unsigned char *q; | 2065 | unsigned char *q; |
| 2086 | EVP_PKEY *pkey = NULL; | 2066 | EVP_PKEY *pkey = NULL; |
| 2087 | #ifndef OPENSSL_NO_ECDH | ||
| 2088 | EC_KEY *clnt_ecdh = NULL; | 2067 | EC_KEY *clnt_ecdh = NULL; |
| 2089 | const EC_POINT *srvr_ecpoint = NULL; | 2068 | const EC_POINT *srvr_ecpoint = NULL; |
| 2090 | EVP_PKEY *srvr_pub_pkey = NULL; | 2069 | EVP_PKEY *srvr_pub_pkey = NULL; |
| 2091 | unsigned char *encodedPoint = NULL; | 2070 | unsigned char *encodedPoint = NULL; |
| 2092 | int encoded_pt_len = 0; | 2071 | int encoded_pt_len = 0; |
| 2093 | BN_CTX *bn_ctx = NULL; | 2072 | BN_CTX *bn_ctx = NULL; |
| 2094 | #endif | ||
| 2095 | 2073 | ||
| 2096 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) { | 2074 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) { |
| 2097 | d = (unsigned char *)s->init_buf->data; | 2075 | d = (unsigned char *)s->init_buf->data; |
| @@ -2151,7 +2129,6 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2151 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); | 2129 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); |
| 2152 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | 2130 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); |
| 2153 | } | 2131 | } |
| 2154 | #ifndef OPENSSL_NO_DH | ||
| 2155 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | 2132 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2156 | DH *dh_srvr, *dh_clnt; | 2133 | DH *dh_srvr, *dh_clnt; |
| 2157 | 2134 | ||
| @@ -2217,9 +2194,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2217 | 2194 | ||
| 2218 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | 2195 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ |
| 2219 | } | 2196 | } |
| 2220 | #endif | ||
| 2221 | 2197 | ||
| 2222 | #ifndef OPENSSL_NO_ECDH | ||
| 2223 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { | 2198 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { |
| 2224 | const EC_GROUP *srvr_group = NULL; | 2199 | const EC_GROUP *srvr_group = NULL; |
| 2225 | EC_KEY *tkey; | 2200 | EC_KEY *tkey; |
| @@ -2399,7 +2374,6 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2399 | EC_KEY_free(clnt_ecdh); | 2374 | EC_KEY_free(clnt_ecdh); |
| 2400 | EVP_PKEY_free(srvr_pub_pkey); | 2375 | EVP_PKEY_free(srvr_pub_pkey); |
| 2401 | } | 2376 | } |
| 2402 | #endif /* !OPENSSL_NO_ECDH */ | ||
| 2403 | else if (alg_k & SSL_kGOST) { | 2377 | else if (alg_k & SSL_kGOST) { |
| 2404 | /* GOST key exchange message creation */ | 2378 | /* GOST key exchange message creation */ |
| 2405 | EVP_PKEY_CTX *pkey_ctx; | 2379 | EVP_PKEY_CTX *pkey_ctx; |
| @@ -2608,13 +2582,11 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2608 | /* SSL3_ST_CW_KEY_EXCH_B */ | 2582 | /* SSL3_ST_CW_KEY_EXCH_B */ |
| 2609 | return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); | 2583 | return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); |
| 2610 | err: | 2584 | err: |
| 2611 | #ifndef OPENSSL_NO_ECDH | ||
| 2612 | BN_CTX_free(bn_ctx); | 2585 | BN_CTX_free(bn_ctx); |
| 2613 | free(encodedPoint); | 2586 | free(encodedPoint); |
| 2614 | if (clnt_ecdh != NULL) | 2587 | if (clnt_ecdh != NULL) |
| 2615 | EC_KEY_free(clnt_ecdh); | 2588 | EC_KEY_free(clnt_ecdh); |
| 2616 | EVP_PKEY_free(srvr_pub_pkey); | 2589 | EVP_PKEY_free(srvr_pub_pkey); |
| 2617 | #endif | ||
| 2618 | return (-1); | 2590 | return (-1); |
| 2619 | } | 2591 | } |
| 2620 | 2592 | ||
| @@ -2703,7 +2675,6 @@ ssl3_send_client_verify(SSL *s) | |||
| 2703 | s2n(j, p); | 2675 | s2n(j, p); |
| 2704 | n = j + 2; | 2676 | n = j + 2; |
| 2705 | } else | 2677 | } else |
| 2706 | #ifndef OPENSSL_NO_ECDSA | ||
| 2707 | if (pkey->type == EVP_PKEY_EC) { | 2678 | if (pkey->type == EVP_PKEY_EC) { |
| 2708 | if (!ECDSA_sign(pkey->save_type, | 2679 | if (!ECDSA_sign(pkey->save_type, |
| 2709 | &(data[MD5_DIGEST_LENGTH]), | 2680 | &(data[MD5_DIGEST_LENGTH]), |
| @@ -2716,7 +2687,6 @@ ssl3_send_client_verify(SSL *s) | |||
| 2716 | s2n(j, p); | 2687 | s2n(j, p); |
| 2717 | n = j + 2; | 2688 | n = j + 2; |
| 2718 | } else | 2689 | } else |
| 2719 | #endif | ||
| 2720 | if (pkey->type == NID_id_GostR3410_94 || | 2690 | if (pkey->type == NID_id_GostR3410_94 || |
| 2721 | pkey->type == NID_id_GostR3410_2001) { | 2691 | pkey->type == NID_id_GostR3410_2001) { |
| 2722 | unsigned char signbuf[64]; | 2692 | unsigned char signbuf[64]; |
| @@ -2836,9 +2806,7 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2836 | EVP_PKEY *pkey = NULL; | 2806 | EVP_PKEY *pkey = NULL; |
| 2837 | SESS_CERT *sc; | 2807 | SESS_CERT *sc; |
| 2838 | RSA *rsa; | 2808 | RSA *rsa; |
| 2839 | #ifndef OPENSSL_NO_DH | ||
| 2840 | DH *dh; | 2809 | DH *dh; |
| 2841 | #endif | ||
| 2842 | 2810 | ||
| 2843 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 2811 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 2844 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | 2812 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; |
| @@ -2855,14 +2823,11 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2855 | } | 2823 | } |
| 2856 | 2824 | ||
| 2857 | rsa = s->session->sess_cert->peer_rsa_tmp; | 2825 | rsa = s->session->sess_cert->peer_rsa_tmp; |
| 2858 | #ifndef OPENSSL_NO_DH | ||
| 2859 | dh = s->session->sess_cert->peer_dh_tmp; | 2826 | dh = s->session->sess_cert->peer_dh_tmp; |
| 2860 | #endif | ||
| 2861 | 2827 | ||
| 2862 | /* This is the passed certificate. */ | 2828 | /* This is the passed certificate. */ |
| 2863 | 2829 | ||
| 2864 | idx = sc->peer_cert_type; | 2830 | idx = sc->peer_cert_type; |
| 2865 | #ifndef OPENSSL_NO_ECDH | ||
| 2866 | if (idx == SSL_PKEY_ECC) { | 2831 | if (idx == SSL_PKEY_ECC) { |
| 2867 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | 2832 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, |
| 2868 | s) == 0) | 2833 | s) == 0) |
| @@ -2874,7 +2839,6 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2874 | return (1); | 2839 | return (1); |
| 2875 | } | 2840 | } |
| 2876 | } | 2841 | } |
| 2877 | #endif | ||
| 2878 | pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); | 2842 | pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); |
| 2879 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); | 2843 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); |
| 2880 | EVP_PKEY_free(pkey); | 2844 | EVP_PKEY_free(pkey); |
| @@ -2897,7 +2861,6 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2897 | SSL_R_MISSING_RSA_ENCRYPTING_CERT); | 2861 | SSL_R_MISSING_RSA_ENCRYPTING_CERT); |
| 2898 | goto f_err; | 2862 | goto f_err; |
| 2899 | } | 2863 | } |
| 2900 | #ifndef OPENSSL_NO_DH | ||
| 2901 | if ((alg_k & SSL_kEDH) && | 2864 | if ((alg_k & SSL_kEDH) && |
| 2902 | !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { | 2865 | !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { |
| 2903 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2866 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| @@ -2913,7 +2876,6 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2913 | SSL_R_MISSING_DH_DSA_CERT); | 2876 | SSL_R_MISSING_DH_DSA_CERT); |
| 2914 | goto f_err; | 2877 | goto f_err; |
| 2915 | } | 2878 | } |
| 2916 | #endif | ||
| 2917 | 2879 | ||
| 2918 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && | 2880 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && |
| 2919 | !has_bits(i, EVP_PKT_EXP)) { | 2881 | !has_bits(i, EVP_PKT_EXP)) { |
| @@ -2925,7 +2887,6 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2925 | goto f_err; | 2887 | goto f_err; |
| 2926 | } | 2888 | } |
| 2927 | } else | 2889 | } else |
| 2928 | #ifndef OPENSSL_NO_DH | ||
| 2929 | if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | 2890 | if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2930 | if (dh == NULL || DH_size(dh) * 8 > | 2891 | if (dh == NULL || DH_size(dh) * 8 > |
| 2931 | SSL_C_EXPORT_PKEYLENGTH( | 2892 | SSL_C_EXPORT_PKEYLENGTH( |
| @@ -2936,7 +2897,6 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2936 | goto f_err; | 2897 | goto f_err; |
| 2937 | } | 2898 | } |
| 2938 | } else | 2899 | } else |
| 2939 | #endif | ||
| 2940 | { | 2900 | { |
| 2941 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2901 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2942 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 2902 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); |