Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers). ok bcook@ miod@
author: jsing <> 2014-10-31 14:51:01 +0000
committer: jsing <> 2014-10-31 14:51:01 +0000
commit: 911a534951a7133a0e7f2314d3a57682c584c2f7 (patch)
tree: cbc34cc64480c58a9e6b221bf4a12687fac6fd93 /src/lib/libssl/s3_lib.c
parent: 21b4fa8d2a511b2b7e7215bb18cb3836173fb390 (diff)
download: openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.gz
openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.bz2
openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.zip
1 files changed, 15 insertions, 88 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 42f8074f8c..08c5111129 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.82 2014/10/03 13:58:17 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1934,8 +1934,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 {
        int ret = 0;
-        if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+        if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
-            cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
                if (!ssl_cert_inst(&s->cert)) {
                        SSLerr(SSL_F_SSL3_CTRL,
                            ERR_R_MALLOC_FAILURE);
@@ -1963,36 +1962,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                ret = (int)(s->s3->flags);
                break;
        case SSL_CTRL_NEED_TMP_RSA:
-                if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
+                ret = 0;
-                    ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
-                    (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)
-                    > (512 / 8))))
-                        ret = 1;
                break;
        case SSL_CTRL_SET_TMP_RSA:
-                {
-                        RSA *rsa = (RSA *)parg;
-                        if (rsa == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
-                                    ERR_R_PASSED_NULL_PARAMETER);
-                                return (ret);
-                        }
-                        if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
-                                    ERR_R_RSA_LIB);
-                                return (ret);
-                        }
-                        RSA_free(s->cert->rsa_tmp);
-                        s->cert->rsa_tmp = rsa;
-                        ret = 1;
-                }
-                break;
        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
+                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        SSLerr(SSL_F_SSL3_CTRL,
-                            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        return (ret);
-                }
                break;
        case SSL_CTRL_SET_TMP_DH:
                {
@@ -2144,7 +2118,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 {
        int     ret = 0;
-        if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) {
+        if (cmd == SSL_CTRL_SET_TMP_DH_CB) {
                if (!ssl_cert_inst(&s->cert)) {
                        SSLerr(SSL_F_SSL3_CALLBACK_CTRL,
                            ERR_R_MALLOC_FAILURE);
@@ -2154,20 +2128,13 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
        switch (cmd) {
        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
+                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
-                }
                break;
        case SSL_CTRL_SET_TMP_DH_CB:
-                {
+                s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                        s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                }
                break;
        case SSL_CTRL_SET_TMP_ECDH_CB:
-                {
+                s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
-                        s->cert->ecdh_tmp_cb =
-                            (EC_KEY *(*)(SSL *, int, int))fp;
-                }
                break;
        case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
                s->tlsext_debug_cb = (void (*)(SSL *, int , int,
@@ -2188,45 +2155,11 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        switch (cmd) {
        case SSL_CTRL_NEED_TMP_RSA:
-                if ((cert->rsa_tmp == NULL) &&
+                return (0);
-                    ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
-                    (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) >
-                    (512 / 8))))
-                        return (1);
-                else
-                        return (0);
-                /* break; */
        case SSL_CTRL_SET_TMP_RSA:
-                {
-                        RSA *rsa;
-                        int i;
-                        rsa = (RSA *)parg;
-                        i = 1;
-                        if (rsa == NULL)
-                                i = 0;
-                        else {
-                                if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
-                                        i = 0;
-                        }
-                        if (!i) {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,
-                                    ERR_R_RSA_LIB);
-                                return (0);
-                        } else {
-                                RSA_free(cert->rsa_tmp);
-                                cert->rsa_tmp = rsa;
-                                return (1);
-                        }
-                }
-                /* break; */
        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
+                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        SSLerr(SSL_F_SSL3_CTX_CTRL,
+                return (0);
-                            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        return (0);
-                }
-                break;
        case SSL_CTRL_SET_TMP_DH:
                {
                        DH *new = NULL, *dh;
@@ -2366,19 +2299,13 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
        switch (cmd) {
        case SSL_CTRL_SET_TMP_RSA_CB:
-                {
+                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+                return (0);
-                }
-                break;
        case SSL_CTRL_SET_TMP_DH_CB:
-                {
+                cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                        cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
-                }
                break;
        case SSL_CTRL_SET_TMP_ECDH_CB:
-                {
+                cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
-                        cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
-                }
                break;
        case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
                ctx->tlsext_servername_callback =
author	jsing <>	2014-10-31 14:51:01 +0000
committer	jsing <>	2014-10-31 14:51:01 +0000
commit	911a534951a7133a0e7f2314d3a57682c584c2f7 (patch)
tree	cbc34cc64480c58a9e6b221bf4a12687fac6fd93 /src/lib/libssl/s3_lib.c
parent	21b4fa8d2a511b2b7e7215bb18cb3836173fb390 (diff)
download	openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.gz openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.bz2 openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.zip

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 42f8074f8c..08c5111129 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.82 2014/10/03 13:58:17 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1934,8 +1934,7 @@ ssl3_ctrl(SSL s, int cmd, long larg, void parg)
1934	{	1934	{
1935	int ret = 0;	1935	int ret = 0;
1936		1936
1937	if (cmd == SSL_CTRL_SET_TMP_RSA \|\| cmd == SSL_CTRL_SET_TMP_RSA_CB \|\|	1937	if (cmd == SSL_CTRL_SET_TMP_DH \|\| cmd == SSL_CTRL_SET_TMP_DH_CB) {
1938	cmd == SSL_CTRL_SET_TMP_DH \|\| cmd == SSL_CTRL_SET_TMP_DH_CB) {
1939	if (!ssl_cert_inst(&s->cert)) {	1938	if (!ssl_cert_inst(&s->cert)) {
1940	SSLerr(SSL_F_SSL3_CTRL,	1939	SSLerr(SSL_F_SSL3_CTRL,
1941	ERR_R_MALLOC_FAILURE);	1940	ERR_R_MALLOC_FAILURE);
@@ -1963,36 +1962,11 @@ ssl3_ctrl(SSL s, int cmd, long larg, void parg)
1963	ret = (int)(s->s3->flags);	1962	ret = (int)(s->s3->flags);
1964	break;	1963	break;
1965	case SSL_CTRL_NEED_TMP_RSA:	1964	case SSL_CTRL_NEED_TMP_RSA:
1966	if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&	1965	ret = 0;
1967	((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) \|\|
1968	(EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)
1969	> (512 / 8))))
1970	ret = 1;
1971	break;	1966	break;
1972	case SSL_CTRL_SET_TMP_RSA:	1967	case SSL_CTRL_SET_TMP_RSA:
1973	{
1974	RSA rsa = (RSA )parg;
1975	if (rsa == NULL) {
1976	SSLerr(SSL_F_SSL3_CTRL,
1977	ERR_R_PASSED_NULL_PARAMETER);
1978	return (ret);
1979	}
1980	if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) {
1981	SSLerr(SSL_F_SSL3_CTRL,
1982	ERR_R_RSA_LIB);
1983	return (ret);
1984	}
1985	RSA_free(s->cert->rsa_tmp);
1986	s->cert->rsa_tmp = rsa;
1987	ret = 1;
1988	}
1989	break;
1990	case SSL_CTRL_SET_TMP_RSA_CB:	1968	case SSL_CTRL_SET_TMP_RSA_CB:
1991	{	1969	SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1992	SSLerr(SSL_F_SSL3_CTRL,
1993	ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1994	return (ret);
1995	}
1996	break;	1970	break;
1997	case SSL_CTRL_SET_TMP_DH:	1971	case SSL_CTRL_SET_TMP_DH:
1998	{	1972	{
@@ -2144,7 +2118,7 @@ ssl3_callback_ctrl(SSL s, int cmd, void (fp)(void))
2144	{	2118	{
2145	int ret = 0;	2119	int ret = 0;
2146		2120
2147	if (cmd == SSL_CTRL_SET_TMP_RSA_CB \|\| cmd == SSL_CTRL_SET_TMP_DH_CB) {	2121	if (cmd == SSL_CTRL_SET_TMP_DH_CB) {
2148	if (!ssl_cert_inst(&s->cert)) {	2122	if (!ssl_cert_inst(&s->cert)) {
2149	SSLerr(SSL_F_SSL3_CALLBACK_CTRL,	2123	SSLerr(SSL_F_SSL3_CALLBACK_CTRL,
2150	ERR_R_MALLOC_FAILURE);	2124	ERR_R_MALLOC_FAILURE);
@@ -2154,20 +2128,13 @@ ssl3_callback_ctrl(SSL s, int cmd, void (fp)(void))
2154		2128
2155	switch (cmd) {	2129	switch (cmd) {
2156	case SSL_CTRL_SET_TMP_RSA_CB:	2130	case SSL_CTRL_SET_TMP_RSA_CB:
2157	{	2131	SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2158	s->cert->rsa_tmp_cb = (RSA ()(SSL *, int, int))fp;
2159	}
2160	break;	2132	break;
2161	case SSL_CTRL_SET_TMP_DH_CB:	2133	case SSL_CTRL_SET_TMP_DH_CB:
2162	{	2134	s->cert->dh_tmp_cb = (DH ()(SSL *, int, int))fp;
2163	s->cert->dh_tmp_cb = (DH ()(SSL *, int, int))fp;
2164	}
2165	break;	2135	break;
2166	case SSL_CTRL_SET_TMP_ECDH_CB:	2136	case SSL_CTRL_SET_TMP_ECDH_CB:
2167	{	2137	s->cert->ecdh_tmp_cb = (EC_KEY ()(SSL *, int, int))fp;
2168	s->cert->ecdh_tmp_cb =
2169	(EC_KEY ()(SSL *, int, int))fp;
2170	}
2171	break;	2138	break;
2172	case SSL_CTRL_SET_TLSEXT_DEBUG_CB:	2139	case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2173	s->tlsext_debug_cb = (void ()(SSL , int , int,	2140	s->tlsext_debug_cb = (void ()(SSL , int , int,
@@ -2188,45 +2155,11 @@ ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
2188		2155
2189	switch (cmd) {	2156	switch (cmd) {
2190	case SSL_CTRL_NEED_TMP_RSA:	2157	case SSL_CTRL_NEED_TMP_RSA:
2191	if ((cert->rsa_tmp == NULL) &&	2158	return (0);
2192	((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) \|\|
2193	(EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) >
2194	(512 / 8))))
2195	return (1);
2196	else
2197	return (0);
2198	/* break; */
2199	case SSL_CTRL_SET_TMP_RSA:	2159	case SSL_CTRL_SET_TMP_RSA:
2200	{
2201	RSA *rsa;
2202	int i;
2203
2204	rsa = (RSA *)parg;
2205	i = 1;
2206	if (rsa == NULL)
2207	i = 0;
2208	else {
2209	if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
2210	i = 0;
2211	}
2212	if (!i) {
2213	SSLerr(SSL_F_SSL3_CTX_CTRL,
2214	ERR_R_RSA_LIB);
2215	return (0);
2216	} else {
2217	RSA_free(cert->rsa_tmp);
2218	cert->rsa_tmp = rsa;
2219	return (1);
2220	}
2221	}
2222	/* break; */
2223	case SSL_CTRL_SET_TMP_RSA_CB:	2160	case SSL_CTRL_SET_TMP_RSA_CB:
2224	{	2161	SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2225	SSLerr(SSL_F_SSL3_CTX_CTRL,	2162	return (0);
2226	ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2227	return (0);
2228	}
2229	break;
2230	case SSL_CTRL_SET_TMP_DH:	2163	case SSL_CTRL_SET_TMP_DH:
2231	{	2164	{
2232	DH new = NULL, dh;	2165	DH new = NULL, dh;
@@ -2366,19 +2299,13 @@ ssl3_ctx_callback_ctrl(SSL_CTX ctx, int cmd, void (fp)(void))
2366		2299
2367	switch (cmd) {	2300	switch (cmd) {
2368	case SSL_CTRL_SET_TMP_RSA_CB:	2301	case SSL_CTRL_SET_TMP_RSA_CB:
2369	{	2302	SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
2370	cert->rsa_tmp_cb = (RSA ()(SSL *, int, int))fp;	2303	return (0);
2371	}
2372	break;
2373	case SSL_CTRL_SET_TMP_DH_CB:	2304	case SSL_CTRL_SET_TMP_DH_CB:
2374	{	2305	cert->dh_tmp_cb = (DH ()(SSL *, int, int))fp;
2375	cert->dh_tmp_cb = (DH ()(SSL *, int, int))fp;
2376	}
2377	break;	2306	break;
2378	case SSL_CTRL_SET_TMP_ECDH_CB:	2307	case SSL_CTRL_SET_TMP_ECDH_CB:
2379	{	2308	cert->ecdh_tmp_cb = (EC_KEY ()(SSL *, int, int))fp;
2380	cert->ecdh_tmp_cb = (EC_KEY ()(SSL *, int, int))fp;
2381	}
2382	break;	2309	break;
2383	case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:	2310	case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2384	ctx->tlsext_servername_callback =	2311	ctx->tlsext_servername_callback =