summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_clnt.c
diff options
context:
space:
mode:
authortedu <>2014-04-17 21:37:37 +0000
committertedu <>2014-04-17 21:37:37 +0000
commitce6ab96382363d98326902c9baeb3f23ffd2794c (patch)
tree08e9b3a8cf6f35c7585646ca19c69f2ba87cc08c /src/lib/libssl/s3_clnt.c
parent2ca67c675bf3d9334c53074965440cb3de9df1d3 (diff)
downloadopenbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.tar.gz
openbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.tar.bz2
openbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.zip
always build in RSA and DSA. ok deraadt miod
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r--src/lib/libssl/s3_clnt.c51
1 files changed, 0 insertions, 51 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 32405eac75..52e2174f6b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1183,18 +1183,14 @@ err:
1183int 1183int
1184ssl3_get_key_exchange(SSL *s) 1184ssl3_get_key_exchange(SSL *s)
1185{ 1185{
1186#ifndef OPENSSL_NO_RSA
1187 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; 1186 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1188#endif
1189 EVP_MD_CTX md_ctx; 1187 EVP_MD_CTX md_ctx;
1190 unsigned char *param, *p; 1188 unsigned char *param, *p;
1191 int al, i, j, param_len, ok; 1189 int al, i, j, param_len, ok;
1192 long n, alg_k, alg_a; 1190 long n, alg_k, alg_a;
1193 EVP_PKEY *pkey = NULL; 1191 EVP_PKEY *pkey = NULL;
1194 const EVP_MD *md = NULL; 1192 const EVP_MD *md = NULL;
1195#ifndef OPENSSL_NO_RSA
1196 RSA *rsa = NULL; 1193 RSA *rsa = NULL;
1197#endif
1198#ifndef OPENSSL_NO_DH 1194#ifndef OPENSSL_NO_DH
1199 DH *dh = NULL; 1195 DH *dh = NULL;
1200#endif 1196#endif
@@ -1232,12 +1228,10 @@ ssl3_get_key_exchange(SSL *s)
1232 1228
1233 param = p = (unsigned char *)s->init_msg; 1229 param = p = (unsigned char *)s->init_msg;
1234 if (s->session->sess_cert != NULL) { 1230 if (s->session->sess_cert != NULL) {
1235#ifndef OPENSSL_NO_RSA
1236 if (s->session->sess_cert->peer_rsa_tmp != NULL) { 1231 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1237 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1232 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1238 s->session->sess_cert->peer_rsa_tmp = NULL; 1233 s->session->sess_cert->peer_rsa_tmp = NULL;
1239 } 1234 }
1240#endif
1241#ifndef OPENSSL_NO_DH 1235#ifndef OPENSSL_NO_DH
1242 if (s->session->sess_cert->peer_dh_tmp) { 1236 if (s->session->sess_cert->peer_dh_tmp) {
1243 DH_free(s->session->sess_cert->peer_dh_tmp); 1237 DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -1356,20 +1350,12 @@ ssl3_get_key_exchange(SSL *s)
1356 n -= param_len; 1350 n -= param_len;
1357 1351
1358/* We must check if there is a certificate */ 1352/* We must check if there is a certificate */
1359#ifndef OPENSSL_NO_RSA
1360 if (alg_a & SSL_aRSA) 1353 if (alg_a & SSL_aRSA)
1361 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1354 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1362#else
1363 if (0)
1364;
1365#endif
1366#ifndef OPENSSL_NO_DSA
1367 else if (alg_a & SSL_aDSS) 1355 else if (alg_a & SSL_aDSS)
1368 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1356 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1369#endif
1370 } else 1357 } else
1371#endif /* !OPENSSL_NO_SRP */ 1358#endif /* !OPENSSL_NO_SRP */
1372#ifndef OPENSSL_NO_RSA
1373 if (alg_k & SSL_kRSA) { 1359 if (alg_k & SSL_kRSA) {
1374 if ((rsa = RSA_new()) == NULL) { 1360 if ((rsa = RSA_new()) == NULL) {
1375 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1361 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -1412,10 +1398,6 @@ ssl3_get_key_exchange(SSL *s)
1412 s->session->sess_cert->peer_rsa_tmp = rsa; 1398 s->session->sess_cert->peer_rsa_tmp = rsa;
1413 rsa = NULL; 1399 rsa = NULL;
1414 } 1400 }
1415#else /* OPENSSL_NO_RSA */
1416 if (0)
1417;
1418#endif
1419#ifndef OPENSSL_NO_DH 1401#ifndef OPENSSL_NO_DH
1420 else if (alg_k & SSL_kEDH) { 1402 else if (alg_k & SSL_kEDH) {
1421 if ((dh = DH_new()) == NULL) { 1403 if ((dh = DH_new()) == NULL) {
@@ -1462,17 +1444,10 @@ ssl3_get_key_exchange(SSL *s)
1462 p += i; 1444 p += i;
1463 n -= param_len; 1445 n -= param_len;
1464 1446
1465#ifndef OPENSSL_NO_RSA
1466 if (alg_a & SSL_aRSA) 1447 if (alg_a & SSL_aRSA)
1467 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1448 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1468#else
1469 if (0)
1470;
1471#endif
1472#ifndef OPENSSL_NO_DSA
1473 else if (alg_a & SSL_aDSS) 1449 else if (alg_a & SSL_aDSS)
1474 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1450 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1475#endif
1476 /* else anonymous DH, so no certificate or pkey. */ 1451 /* else anonymous DH, so no certificate or pkey. */
1477 1452
1478 s->session->sess_cert->peer_dh_tmp = dh; 1453 s->session->sess_cert->peer_dh_tmp = dh;
@@ -1561,10 +1536,8 @@ ssl3_get_key_exchange(SSL *s)
1561 * key exchange message. We do support RSA and ECDSA. 1536 * key exchange message. We do support RSA and ECDSA.
1562 */ 1537 */
1563 if (0); 1538 if (0);
1564#ifndef OPENSSL_NO_RSA
1565 else if (alg_a & SSL_aRSA) 1539 else if (alg_a & SSL_aRSA)
1566 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1540 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1567#endif
1568#ifndef OPENSSL_NO_ECDSA 1541#ifndef OPENSSL_NO_ECDSA
1569 else if (alg_a & SSL_aECDSA) 1542 else if (alg_a & SSL_aECDSA)
1570 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1543 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
@@ -1627,7 +1600,6 @@ ssl3_get_key_exchange(SSL *s)
1627 goto f_err; 1600 goto f_err;
1628 } 1601 }
1629 1602
1630#ifndef OPENSSL_NO_RSA
1631 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) { 1603 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1632 int num; 1604 int num;
1633 1605
@@ -1659,7 +1631,6 @@ ssl3_get_key_exchange(SSL *s)
1659 goto f_err; 1631 goto f_err;
1660 } 1632 }
1661 } else 1633 } else
1662#endif
1663 { 1634 {
1664 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1635 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1665 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1636 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
@@ -1693,10 +1664,8 @@ f_err:
1693 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1664 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1694err: 1665err:
1695 EVP_PKEY_free(pkey); 1666 EVP_PKEY_free(pkey);
1696#ifndef OPENSSL_NO_RSA
1697 if (rsa != NULL) 1667 if (rsa != NULL)
1698 RSA_free(rsa); 1668 RSA_free(rsa);
1699#endif
1700#ifndef OPENSSL_NO_DH 1669#ifndef OPENSSL_NO_DH
1701 if (dh != NULL) 1670 if (dh != NULL)
1702 DH_free(dh); 1671 DH_free(dh);
@@ -2042,10 +2011,8 @@ ssl3_send_client_key_exchange(SSL *s)
2042 unsigned char *p, *d; 2011 unsigned char *p, *d;
2043 int n; 2012 int n;
2044 unsigned long alg_k; 2013 unsigned long alg_k;
2045#ifndef OPENSSL_NO_RSA
2046 unsigned char *q; 2014 unsigned char *q;
2047 EVP_PKEY *pkey = NULL; 2015 EVP_PKEY *pkey = NULL;
2048#endif
2049#ifndef OPENSSL_NO_KRB5 2016#ifndef OPENSSL_NO_KRB5
2050 KSSL_ERR kssl_err; 2017 KSSL_ERR kssl_err;
2051#endif /* OPENSSL_NO_KRB5 */ 2018#endif /* OPENSSL_NO_KRB5 */
@@ -2067,7 +2034,6 @@ ssl3_send_client_key_exchange(SSL *s)
2067 /* Fool emacs indentation */ 2034 /* Fool emacs indentation */
2068 if (0) { 2035 if (0) {
2069 } 2036 }
2070#ifndef OPENSSL_NO_RSA
2071 else if (alg_k & SSL_kRSA) { 2037 else if (alg_k & SSL_kRSA) {
2072 RSA *rsa; 2038 RSA *rsa;
2073 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2039 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -2122,7 +2088,6 @@ ssl3_send_client_key_exchange(SSL *s)
2122 sizeof tmp_buf); 2088 sizeof tmp_buf);
2123 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2089 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2124 } 2090 }
2125#endif
2126#ifndef OPENSSL_NO_KRB5 2091#ifndef OPENSSL_NO_KRB5
2127 else if (alg_k & SSL_kKRB5) { 2092 else if (alg_k & SSL_kKRB5) {
2128 krb5_error_code krb5rc; 2093 krb5_error_code krb5rc;
@@ -2760,7 +2725,6 @@ ssl3_send_client_verify(SSL *s)
2760 if (!ssl3_digest_cached_records(s)) 2725 if (!ssl3_digest_cached_records(s))
2761 goto err; 2726 goto err;
2762 } else 2727 } else
2763#ifndef OPENSSL_NO_RSA
2764 if (pkey->type == EVP_PKEY_RSA) { 2728 if (pkey->type == EVP_PKEY_RSA) {
2765 s->method->ssl3_enc->cert_verify_mac( 2729 s->method->ssl3_enc->cert_verify_mac(
2766 s, NID_md5, &(data[0])); 2730 s, NID_md5, &(data[0]));
@@ -2773,8 +2737,6 @@ ssl3_send_client_verify(SSL *s)
2773 s2n(u, p); 2737 s2n(u, p);
2774 n = u + 2; 2738 n = u + 2;
2775 } else 2739 } else
2776#endif
2777#ifndef OPENSSL_NO_DSA
2778 if (pkey->type == EVP_PKEY_DSA) { 2740 if (pkey->type == EVP_PKEY_DSA) {
2779 if (!DSA_sign(pkey->save_type, 2741 if (!DSA_sign(pkey->save_type,
2780 &(data[MD5_DIGEST_LENGTH]), 2742 &(data[MD5_DIGEST_LENGTH]),
@@ -2786,7 +2748,6 @@ ssl3_send_client_verify(SSL *s)
2786 s2n(j, p); 2748 s2n(j, p);
2787 n = j + 2; 2749 n = j + 2;
2788 } else 2750 } else
2789#endif
2790#ifndef OPENSSL_NO_ECDSA 2751#ifndef OPENSSL_NO_ECDSA
2791 if (pkey->type == EVP_PKEY_EC) { 2752 if (pkey->type == EVP_PKEY_EC) {
2792 if (!ECDSA_sign(pkey->save_type, 2753 if (!ECDSA_sign(pkey->save_type,
@@ -2914,9 +2875,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2914 long alg_k, alg_a; 2875 long alg_k, alg_a;
2915 EVP_PKEY *pkey = NULL; 2876 EVP_PKEY *pkey = NULL;
2916 SESS_CERT *sc; 2877 SESS_CERT *sc;
2917#ifndef OPENSSL_NO_RSA
2918 RSA *rsa; 2878 RSA *rsa;
2919#endif
2920#ifndef OPENSSL_NO_DH 2879#ifndef OPENSSL_NO_DH
2921 DH *dh; 2880 DH *dh;
2922#endif 2881#endif
@@ -2934,9 +2893,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2934 goto err; 2893 goto err;
2935 } 2894 }
2936 2895
2937#ifndef OPENSSL_NO_RSA
2938 rsa = s->session->sess_cert->peer_rsa_tmp; 2896 rsa = s->session->sess_cert->peer_rsa_tmp;
2939#endif
2940#ifndef OPENSSL_NO_DH 2897#ifndef OPENSSL_NO_DH
2941 dh = s->session->sess_cert->peer_dh_tmp; 2898 dh = s->session->sess_cert->peer_dh_tmp;
2942#endif 2899#endif
@@ -2966,19 +2923,15 @@ ssl3_check_cert_and_algorithm(SSL *s)
2966 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT); 2923 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
2967 goto f_err; 2924 goto f_err;
2968 } 2925 }
2969#ifndef OPENSSL_NO_DSA
2970 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { 2926 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
2971 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT); 2927 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
2972 goto f_err; 2928 goto f_err;
2973 } 2929 }
2974#endif
2975#ifndef OPENSSL_NO_RSA
2976 if ((alg_k & SSL_kRSA) && 2930 if ((alg_k & SSL_kRSA) &&
2977 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { 2931 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
2978 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2932 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2979 goto f_err; 2933 goto f_err;
2980 } 2934 }
2981#endif
2982#ifndef OPENSSL_NO_DH 2935#ifndef OPENSSL_NO_DH
2983 if ((alg_k & SSL_kEDH) && 2936 if ((alg_k & SSL_kEDH) &&
2984 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { 2937 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
@@ -2988,16 +2941,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
2988 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); 2941 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
2989 goto f_err; 2942 goto f_err;
2990 } 2943 }
2991#ifndef OPENSSL_NO_DSA
2992 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { 2944 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2993 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); 2945 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
2994 goto f_err; 2946 goto f_err;
2995 } 2947 }
2996#endif 2948#endif
2997#endif
2998 2949
2999 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { 2950 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3000#ifndef OPENSSL_NO_RSA
3001 if (alg_k & SSL_kRSA) { 2951 if (alg_k & SSL_kRSA) {
3002 if (rsa == NULL || 2952 if (rsa == NULL ||
3003 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { 2953 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
@@ -3005,7 +2955,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
3005 goto f_err; 2955 goto f_err;
3006 } 2956 }
3007 } else 2957 } else
3008#endif
3009#ifndef OPENSSL_NO_DH 2958#ifndef OPENSSL_NO_DH
3010 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 2959 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3011 if (dh == NULL || 2960 if (dh == NULL ||
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 22:35:19 +0000