tedu the SSL export cipher handling - since we do not have enabled export

ciphers we no longer need the flags or code to support it. ok beck@ miod@
author: jsing <> 2014-07-09 11:25:42 +0000
committer: jsing <> 2014-07-09 11:25:42 +0000
commit: c90a1a4bb021e5a2622323df8464bf574d0c4364 (patch)
tree: 604b9084e9f8d9e522922bc0cd6be5e22478e9ee /src/lib/libssl/ssl_lib.c
parent: 4afcbff6153d561348af47fa000f298df3693a3c (diff)
download: openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.gz
openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.bz2
openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.zip
1 files changed, 5 insertions, 66 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f867daab0e..51772eb618 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.69 2014/06/19 21:29:51 tedu Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.70 2014/07/09 11:25:42 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1956,9 +1956,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
        CERT_PKEY       *cpk;
        int              rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
-        int              rsa_enc_export, dh_rsa_export, dh_dsa_export;
+        unsigned long    mask_k, mask_a;
-        int              rsa_tmp_export, dh_tmp_export, kl;
-        unsigned long    mask_k, mask_a, emask_k, emask_a;
        int              have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
        int              have_ecdh_tmp;
        X509            *x = NULL;
@@ -1968,39 +1966,25 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        if (c == NULL)
                return;
-        kl = SSL_C_EXPORT_PKEYLENGTH(cipher);
        rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
-        rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
-        (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
        dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
-        dh_tmp_export = (c->dh_tmp_cb != NULL ||
-        (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
        have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
        cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
        rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
        rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
        cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
        dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
        cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
        dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
 /* FIX THIS EAY EAY EAY */
        dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk = &(c->pkeys[SSL_PKEY_ECC]);
        have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
        mask_k = 0;
        mask_a = 0;
-        emask_k = 0;
-        emask_a = 0;
        cpk = &(c->pkeys[SSL_PKEY_GOST01]);
        if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
@@ -2015,38 +1999,23 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        if (rsa_enc || (rsa_tmp && rsa_sign))
                mask_k|=SSL_kRSA;
-        if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
-                emask_k|=SSL_kRSA;
-        if (dh_tmp_export)
-                emask_k|=SSL_kEDH;
        if (dh_tmp)
                mask_k|=SSL_kEDH;
        if (dh_rsa)
                mask_k|=SSL_kDHr;
-        if (dh_rsa_export)
-                emask_k|=SSL_kDHr;
        if (dh_dsa)
                mask_k|=SSL_kDHd;
-        if (dh_dsa_export)
-                emask_k|=SSL_kDHd;
-        if (rsa_enc || rsa_sign) {
+        if (rsa_enc || rsa_sign)
                mask_a|=SSL_aRSA;
-                emask_a|=SSL_aRSA;
-        }
-        if (dsa_sign) {
+        if (dsa_sign)
                mask_a|=SSL_aDSS;
-                emask_a|=SSL_aDSS;
-        }
        mask_a|=SSL_aNULL;
-        emask_a|=SSL_aNULL;
        /*
         * An ECC certificate may be usable for ECDH and/or
@@ -2069,47 +2038,30 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
                }
                if (ecdh_ok) {
                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
                                mask_k|=SSL_kECDHr;
                                mask_a|=SSL_aECDH;
-                                if (ecc_pkey_size <= 163) {
-                                        emask_k|=SSL_kECDHr;
-                                        emask_a|=SSL_aECDH;
-                                }
                        }
                        if (pk_nid == NID_X9_62_id_ecPublicKey) {
                                mask_k|=SSL_kECDHe;
                                mask_a|=SSL_aECDH;
-                                if (ecc_pkey_size <= 163) {
-                                        emask_k|=SSL_kECDHe;
-                                        emask_a|=SSL_aECDH;
-                                }
                        }
                }
-                if (ecdsa_ok) {
+                if (ecdsa_ok)
                        mask_a|=SSL_aECDSA;
-                        emask_a|=SSL_aECDSA;
-                }
        }
        if (have_ecdh_tmp) {
                mask_k|=SSL_kEECDH;
-                emask_k|=SSL_kEECDH;
        }
 #ifndef OPENSSL_NO_PSK
        mask_k |= SSL_kPSK;
        mask_a |= SSL_aPSK;
-        emask_k |= SSL_kPSK;
-        emask_a |= SSL_aPSK;
 #endif
        c->mask_k = mask_k;
        c->mask_a = mask_a;
-        c->export_mask_k = emask_k;
-        c->export_mask_a = emask_a;
        c->valid = 1;
 }
@@ -2122,25 +2074,12 @@ int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 {
        unsigned long            alg_k, alg_a;
-        EVP_PKEY                *pkey = NULL;
-        int                      keysize = 0;
        int                      signature_nid = 0, md_nid = 0, pk_nid = 0;
        const SSL_CIPHER        *cs = s->s3->tmp.new_cipher;
        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
-        if (SSL_C_IS_EXPORT(cs)) {
-                /* ECDH key length in export ciphers must be <= 163 bits */
-                pkey = X509_get_pubkey(x);
-                if (pkey == NULL)
-                        return (0);
-                keysize = EVP_PKEY_bits(pkey);
-                EVP_PKEY_free(pkey);
-                if (keysize > 163)
-                        return (0);
-        }
        /* This call populates the ex_flags field correctly */
        X509_check_purpose(x, -1, 0);
        if ((x->sig_alg) && (x->sig_alg->algorithm)) {
author	jsing <>	2014-07-09 11:25:42 +0000
committer	jsing <>	2014-07-09 11:25:42 +0000
commit	c90a1a4bb021e5a2622323df8464bf574d0c4364 (patch)
tree	604b9084e9f8d9e522922bc0cd6be5e22478e9ee /src/lib/libssl/ssl_lib.c
parent	4afcbff6153d561348af47fa000f298df3693a3c (diff)
download	openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.gz openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.bz2 openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.zip