Remove the PSK code. We don't need to drag around this

baggage. ok miod@ jsing@
author: beck <> 2014-07-11 09:24:44 +0000
committer: beck <> 2014-07-11 09:24:44 +0000
commit: c1019dc8eea3a088ca93f060f86acc7cf2a0091f (patch)
tree: fc72650b10ed2f0609c79c34b5d36f8e132e4aa1 /src/lib/libssl/s3_srvr.c
parent: a647baf0c3708181c57ffd72cce852a6fda41a41 (diff)
download: openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.tar.gz
openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.tar.bz2
openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.zip
1 files changed, 1 insertions, 108 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 8fb041c4f5..c31ac39fe1 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.71 2014/07/10 21:36:49 bcook Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.72 2014/07/11 09:24:44 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -429,9 +429,6 @@ ssl3_accept(SSL *s)
                         * public key for key exchange.
                         */
                        if (s->s3->tmp.use_rsa_tmp
-#ifndef OPENSSL_NO_PSK
-                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
-#endif
                            || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
                            || (alg_k & SSL_kEECDH)
                            || ((alg_k & SSL_kRSA)
@@ -1383,9 +1380,6 @@ ssl3_send_server_key_exchange(SSL *s)
        int curve_id = 0;
        BN_CTX *bn_ctx = NULL;
-#ifndef OPENSSL_NO_PSK
-        size_t pskhintlen = 0;
-#endif
        EVP_PKEY *pkey;
        const EVP_MD *md = NULL;
        unsigned char *p, *d;
@@ -1592,13 +1586,6 @@ ssl3_send_server_key_exchange(SSL *s)
                        r[2] = NULL;
                        r[3] = NULL;
                } else
-#ifndef OPENSSL_NO_PSK
-                if (type & SSL_kPSK) {
-                        pskhintlen = strlen(s->ctx->psk_identity_hint);
-                        /* reserve size for record length and PSK identity hint*/
-                        n += 2 + pskhintlen;
-                } else
-#endif /* !OPENSSL_NO_PSK */
                {
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1661,15 +1648,6 @@ ssl3_send_server_key_exchange(SSL *s)
                        p += encodedlen;
                }
-#ifndef OPENSSL_NO_PSK
-                if (type & SSL_kPSK) {
-                        /* copy PSK identity hint */
-                        s2n(pskhintlen, p);
-                        memcpy(p, s->ctx->psk_identity_hint, pskhintlen);
-                        p += pskhintlen;
-                }
-#endif
                /* not anonymous */
                if (pkey != NULL) {
@@ -2196,91 +2174,6 @@ ssl3_get_client_key_exchange(SSL *s)
                OPENSSL_cleanse(p, i);
                return (ret);
        } else
-#ifndef OPENSSL_NO_PSK
-        if (alg_k & SSL_kPSK) {
-                unsigned char *t = NULL;
-                unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
-                unsigned int pre_ms_len = 0, psk_len = 0;
-                int psk_err = 1;
-                char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                n2s(p, i);
-                if (n != i + 2) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            SSL_R_LENGTH_MISMATCH);
-                        goto psk_err;
-                }
-                if (i > PSK_MAX_IDENTITY_LEN) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            SSL_R_DATA_LENGTH_TOO_LONG);
-                        goto psk_err;
-                }
-                if (s->psk_server_callback == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            SSL_R_PSK_NO_SERVER_CB);
-                        goto psk_err;
-                }
-                /*
-                 * Create guaranteed NULL-terminated identity
-                 * string for the callback
-                 */
-                memcpy(tmp_id, p, i);
-                memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
-                psk_len = s->psk_server_callback(s, tmp_id,
-                    psk_or_pre_ms, sizeof(psk_or_pre_ms));
-                OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
-                if (psk_len > PSK_MAX_PSK_LEN) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_INTERNAL_ERROR);
-                        goto psk_err;
-                } else if (psk_len == 0) {
-                        /* PSK related to the given identity not found */
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            SSL_R_PSK_IDENTITY_NOT_FOUND);
-                        al = SSL_AD_UNKNOWN_PSK_IDENTITY;
-                        goto psk_err;
-                }
-                /* create PSK pre_master_secret */
-                pre_ms_len = 2 + psk_len + 2 + psk_len;
-                t = psk_or_pre_ms;
-                memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
-                s2n(psk_len, t);
-                memset(t, 0, psk_len);
-                t += psk_len;
-                s2n(psk_len, t);
-                free(s->session->psk_identity);
-                s->session->psk_identity = BUF_strdup((char *)p);
-                if (s->session->psk_identity == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_MALLOC_FAILURE);
-                        goto psk_err;
-                }
-                free(s->session->psk_identity_hint);
-                s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
-                if (s->ctx->psk_identity_hint != NULL &&
-                        s->session->psk_identity_hint == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_MALLOC_FAILURE);
-                        goto psk_err;
-                }
-                s->session->master_key_length =
-                    s->method->ssl3_enc->generate_master_secret(
-                        s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
-                psk_err = 0;
-                psk_err:
-                OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
-                if (psk_err != 0)
-                        goto f_err;
-        } else
-#endif
        if (alg_k & SSL_kGOST) {
                int ret = 0;
                EVP_PKEY_CTX *pkey_ctx;
author	beck <>	2014-07-11 09:24:44 +0000
committer	beck <>	2014-07-11 09:24:44 +0000
commit	c1019dc8eea3a088ca93f060f86acc7cf2a0091f (patch)
tree	fc72650b10ed2f0609c79c34b5d36f8e132e4aa1 /src/lib/libssl/s3_srvr.c
parent	a647baf0c3708181c57ffd72cce852a6fda41a41 (diff)
download	openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.tar.gz openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.tar.bz2 openbsd-c1019dc8eea3a088ca93f060f86acc7cf2a0091f.zip

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 8fb041c4f5..c31ac39fe1 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.71 2014/07/10 21:36:49 bcook Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.72 2014/07/11 09:24:44 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -429,9 +429,6 @@ ssl3_accept(SSL *s)
429	* public key for key exchange.	429	* public key for key exchange.
430	*/	430	*/
431	if (s->s3->tmp.use_rsa_tmp	431	if (s->s3->tmp.use_rsa_tmp
432	#ifndef OPENSSL_NO_PSK
433	\|\| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
434	#endif
435	\|\| (alg_k & (SSL_kDHr\|SSL_kDHd\|SSL_kEDH))	432	\|\| (alg_k & (SSL_kDHr\|SSL_kDHd\|SSL_kEDH))
436	\|\| (alg_k & SSL_kEECDH)	433	\|\| (alg_k & SSL_kEECDH)
437	\|\| ((alg_k & SSL_kRSA)	434	\|\| ((alg_k & SSL_kRSA)
@@ -1383,9 +1380,6 @@ ssl3_send_server_key_exchange(SSL *s)
1383	int curve_id = 0;	1380	int curve_id = 0;
1384	BN_CTX *bn_ctx = NULL;	1381	BN_CTX *bn_ctx = NULL;
1385		1382
1386	#ifndef OPENSSL_NO_PSK
1387	size_t pskhintlen = 0;
1388	#endif
1389	EVP_PKEY *pkey;	1383	EVP_PKEY *pkey;
1390	const EVP_MD *md = NULL;	1384	const EVP_MD *md = NULL;
1391	unsigned char p, d;	1385	unsigned char p, d;
@@ -1592,13 +1586,6 @@ ssl3_send_server_key_exchange(SSL *s)
1592	r[2] = NULL;	1586	r[2] = NULL;
1593	r[3] = NULL;	1587	r[3] = NULL;
1594	} else	1588	} else
1595	#ifndef OPENSSL_NO_PSK
1596	if (type & SSL_kPSK) {
1597	pskhintlen = strlen(s->ctx->psk_identity_hint);
1598	/* reserve size for record length and PSK identity hint*/
1599	n += 2 + pskhintlen;
1600	} else
1601	#endif /* !OPENSSL_NO_PSK */
1602	{	1589	{
1603	al = SSL_AD_HANDSHAKE_FAILURE;	1590	al = SSL_AD_HANDSHAKE_FAILURE;
1604	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,	1591	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1661,15 +1648,6 @@ ssl3_send_server_key_exchange(SSL *s)
1661	p += encodedlen;	1648	p += encodedlen;
1662	}	1649	}
1663		1650
1664	#ifndef OPENSSL_NO_PSK
1665	if (type & SSL_kPSK) {
1666	/* copy PSK identity hint */
1667	s2n(pskhintlen, p);
1668
1669	memcpy(p, s->ctx->psk_identity_hint, pskhintlen);
1670	p += pskhintlen;
1671	}
1672	#endif
1673		1651
1674	/* not anonymous */	1652	/* not anonymous */
1675	if (pkey != NULL) {	1653	if (pkey != NULL) {
@@ -2196,91 +2174,6 @@ ssl3_get_client_key_exchange(SSL *s)
2196	OPENSSL_cleanse(p, i);	2174	OPENSSL_cleanse(p, i);
2197	return (ret);	2175	return (ret);
2198	} else	2176	} else
2199	#ifndef OPENSSL_NO_PSK
2200	if (alg_k & SSL_kPSK) {
2201	unsigned char *t = NULL;
2202	unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2203	unsigned int pre_ms_len = 0, psk_len = 0;
2204	int psk_err = 1;
2205	char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
2206
2207	al = SSL_AD_HANDSHAKE_FAILURE;
2208
2209	n2s(p, i);
2210	if (n != i + 2) {
2211	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2212	SSL_R_LENGTH_MISMATCH);
2213	goto psk_err;
2214	}
2215	if (i > PSK_MAX_IDENTITY_LEN) {
2216	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2217	SSL_R_DATA_LENGTH_TOO_LONG);
2218	goto psk_err;
2219	}
2220	if (s->psk_server_callback == NULL) {
2221	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2222	SSL_R_PSK_NO_SERVER_CB);
2223	goto psk_err;
2224	}
2225
2226	/*
2227	* Create guaranteed NULL-terminated identity
2228	* string for the callback
2229	*/
2230	memcpy(tmp_id, p, i);
2231	memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2232	psk_len = s->psk_server_callback(s, tmp_id,
2233	psk_or_pre_ms, sizeof(psk_or_pre_ms));
2234	OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2235
2236	if (psk_len > PSK_MAX_PSK_LEN) {
2237	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2238	ERR_R_INTERNAL_ERROR);
2239	goto psk_err;
2240	} else if (psk_len == 0) {
2241	/* PSK related to the given identity not found */
2242	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2243	SSL_R_PSK_IDENTITY_NOT_FOUND);
2244	al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2245	goto psk_err;
2246	}
2247
2248	/* create PSK pre_master_secret */
2249	pre_ms_len = 2 + psk_len + 2 + psk_len;
2250	t = psk_or_pre_ms;
2251	memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2252	s2n(psk_len, t);
2253	memset(t, 0, psk_len);
2254	t += psk_len;
2255	s2n(psk_len, t);
2256
2257	free(s->session->psk_identity);
2258	s->session->psk_identity = BUF_strdup((char *)p);
2259	if (s->session->psk_identity == NULL) {
2260	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2261	ERR_R_MALLOC_FAILURE);
2262	goto psk_err;
2263	}
2264
2265	free(s->session->psk_identity_hint);
2266	s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2267	if (s->ctx->psk_identity_hint != NULL &&
2268	s->session->psk_identity_hint == NULL) {
2269	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2270	ERR_R_MALLOC_FAILURE);
2271	goto psk_err;
2272	}
2273
2274	s->session->master_key_length =
2275	s->method->ssl3_enc->generate_master_secret(
2276	s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
2277	psk_err = 0;
2278	psk_err:
2279	OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2280	if (psk_err != 0)
2281	goto f_err;
2282	} else
2283	#endif
2284	if (alg_k & SSL_kGOST) {	2177	if (alg_k & SSL_kGOST) {
2285	int ret = 0;	2178	int ret = 0;
2286	EVP_PKEY_CTX *pkey_ctx;	2179	EVP_PKEY_CTX *pkey_ctx;