summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authorjsing <>2014-07-12 13:11:53 +0000
committerjsing <>2014-07-12 13:11:53 +0000
commitf369cbd2df9afb8ac061dda10793999764e0368b (patch)
treedd77c44528a0b25f7964c067da56be1302be9ee2 /src/lib/libssl/s3_srvr.c
parente38eced5b24c9ac14880daf6256db41e61f7b6ac (diff)
downloadopenbsd-f369cbd2df9afb8ac061dda10793999764e0368b.tar.gz
openbsd-f369cbd2df9afb8ac061dda10793999764e0368b.tar.bz2
openbsd-f369cbd2df9afb8ac061dda10793999764e0368b.zip
Remove remnants from PSK, KRB5 and SRP.
ok beck@ miod@
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c56
1 files changed, 16 insertions, 40 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 2d1bee1723..e0a7d78995 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
373 373
374 case SSL3_ST_SW_CERT_A: 374 case SSL3_ST_SW_CERT_A:
375 case SSL3_ST_SW_CERT_B: 375 case SSL3_ST_SW_CERT_B:
376 /* Check if it is anon DH or anon ECDH, */ 376 /* Check if it is anon DH or anon ECDH. */
377 /* normal PSK or KRB5 or SRP */ 377 if (!(s->s3->tmp.new_cipher->algorithm_auth &
378 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 378 SSL_aNULL)) {
379 && !(s->s3->tmp.new_cipher->algorithm_mkey &
380 SSL_kPSK)
381 && !(s->s3->tmp.new_cipher->algorithm_auth &
382 SSL_aKRB5)) {
383 ret = ssl3_send_server_certificate(s); 379 ret = ssl3_send_server_certificate(s);
384 if (ret <= 0) 380 if (ret <= 0)
385 goto end; 381 goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
417 413
418 /* 414 /*
419 * Only send if a DH key exchange, fortezza or 415 * Only send if a DH key exchange, fortezza or
420 * RSA but we have a sign only certificate 416 * RSA but we have a sign only certificate.
421 *
422 * PSK: send ServerKeyExchange if PSK identity
423 * hint is provided
424 * 417 *
425 * For ECC ciphersuites, we send a serverKeyExchange 418 * For ECC ciphersuites, we send a serverKeyExchange
426 * message only if the cipher suite is either 419 * message only if the cipher suite is either
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
428 * server certificate contains the server's 421 * server certificate contains the server's
429 * public key for key exchange. 422 * public key for key exchange.
430 */ 423 */
431 if (s->s3->tmp.use_rsa_tmp 424 if (s->s3->tmp.use_rsa_tmp ||
432 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 425 (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
433 || (alg_k & SSL_kEECDH) 426 (alg_k & SSL_kEECDH) ||
434 || ((alg_k & SSL_kRSA) 427 ((alg_k & SSL_kRSA) &&
435 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == 428 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
436 NULL 429 NULL))) {
437 ))) {
438 ret = ssl3_send_server_key_exchange(s); 430 ret = ssl3_send_server_key_exchange(s);
439 if (ret <= 0) 431 if (ret <= 0)
440 goto end; 432 goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
463 * and in RFC 2246) ... except when the application 455 * and in RFC 2246) ... except when the application
464 * insists on verification (against the specs, but 456 * insists on verification (against the specs, but
465 * s3_clnt.c accepts this for SSL 3). 457 * s3_clnt.c accepts this for SSL 3).
466 *
467 * - We are using a Kerberos ciphersuite.
468 *
469 * - We are using normal PSK certificates and
470 * Certificate Requests are omitted
471 */ 458 */
472 if (!(s->verify_mode & SSL_VERIFY_PEER) || 459 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
473 ((s->session->peer != NULL) && 460 ((s->session->peer != NULL) &&
474 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 461 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
475 ((s->s3->tmp.new_cipher->algorithm_auth & 462 ((s->s3->tmp.new_cipher->algorithm_auth &
476 SSL_aNULL) && !(s->verify_mode & 463 SSL_aNULL) && !(s->verify_mode &
477 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 464 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
478 (s->s3->tmp.new_cipher->algorithm_auth &
479 SSL_aKRB5) ||
480 (s->s3->tmp.new_cipher->algorithm_mkey &
481 SSL_kPSK)) {
482 /* No cert request */ 465 /* No cert request */
483 skip = 1; 466 skip = 1;
484 s->s3->tmp.cert_request = 0; 467 s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
1605 n += 2 + nr[i]; 1588 n += 2 + nr[i];
1606 } 1589 }
1607 1590
1608 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 1591 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
1609 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1610 if ((pkey = ssl_get_sign_pkey( 1592 if ((pkey = ssl_get_sign_pkey(
1611 s, s->s3->tmp.new_cipher, &md)) == NULL) { 1593 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1612 al = SSL_AD_DECODE_ERROR; 1594 al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
2681 if (s->state == SSL3_ST_SW_CERT_A) { 2663 if (s->state == SSL3_ST_SW_CERT_A) {
2682 x = ssl_get_server_send_cert(s); 2664 x = ssl_get_server_send_cert(s);
2683 if (x == NULL) { 2665 if (x == NULL) {
2684 /* VRS: allow null cert if auth == KRB5 */ 2666 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2685 if ((s->s3->tmp.new_cipher->algorithm_auth != 2667 ERR_R_INTERNAL_ERROR);
2686 SSL_aKRB5) || 2668 return (0);
2687 (s->s3->tmp.new_cipher->algorithm_mkey &
2688 SSL_kKRB5)) {
2689 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
2690 ERR_R_INTERNAL_ERROR);
2691 return (0);
2692 }
2693 } 2669 }
2694 2670
2695 l = ssl3_output_cert_chain(s, x); 2671 l = ssl3_output_cert_chain(s, x);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 01:41:29 +0000