summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authortedu <>2014-04-17 21:37:37 +0000
committertedu <>2014-04-17 21:37:37 +0000
commitce6ab96382363d98326902c9baeb3f23ffd2794c (patch)
tree08e9b3a8cf6f35c7585646ca19c69f2ba87cc08c /src
parent2ca67c675bf3d9334c53074965440cb3de9df1d3 (diff)
downloadopenbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.tar.gz
openbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.tar.bz2
openbsd-ce6ab96382363d98326902c9baeb3f23ffd2794c.zip
always build in RSA and DSA. ok deraadt miod
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_clnt.c12
-rw-r--r--src/lib/libssl/d1_srvr.c8
-rw-r--r--src/lib/libssl/s3_clnt.c51
-rw-r--r--src/lib/libssl/s3_lib.c45
-rw-r--r--src/lib/libssl/s3_srvr.c16
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c12
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c8
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c51
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c45
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c16
-rw-r--r--src/lib/libssl/src/ssl/ssl.h6
-rw-r--r--src/lib/libssl/src/ssl/ssl_algs.c2
-rw-r--r--src/lib/libssl/src/ssl/ssl_cert.c12
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c7
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c6
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/src/ssl/ssl_rsa.c10
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c16
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c20
-rw-r--r--src/lib/libssl/ssl.h6
-rw-r--r--src/lib/libssl/ssl_algs.c2
-rw-r--r--src/lib/libssl/ssl_cert.c12
-rw-r--r--src/lib/libssl/ssl_ciph.c7
-rw-r--r--src/lib/libssl/ssl_lib.c6
-rw-r--r--src/lib/libssl/ssl_locl.h8
-rw-r--r--src/lib/libssl/ssl_rsa.c10
-rw-r--r--src/lib/libssl/t1_lib.c20
27 files changed, 6 insertions, 416 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 3f159eed26..1ad65ba541 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -925,10 +925,8 @@ dtls1_send_client_key_exchange(SSL *s)
925 unsigned char *p, *d; 925 unsigned char *p, *d;
926 int n; 926 int n;
927 unsigned long alg_k; 927 unsigned long alg_k;
928#ifndef OPENSSL_NO_RSA
929 unsigned char *q; 928 unsigned char *q;
930 EVP_PKEY *pkey = NULL; 929 EVP_PKEY *pkey = NULL;
931#endif
932#ifndef OPENSSL_NO_KRB5 930#ifndef OPENSSL_NO_KRB5
933 KSSL_ERR kssl_err; 931 KSSL_ERR kssl_err;
934#endif /* OPENSSL_NO_KRB5 */ 932#endif /* OPENSSL_NO_KRB5 */
@@ -950,7 +948,6 @@ dtls1_send_client_key_exchange(SSL *s)
950 /* Fool emacs indentation */ 948 /* Fool emacs indentation */
951 if (0) { 949 if (0) {
952 } 950 }
953#ifndef OPENSSL_NO_RSA
954 else if (alg_k & SSL_kRSA) { 951 else if (alg_k & SSL_kRSA) {
955 RSA *rsa; 952 RSA *rsa;
956 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 953 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -1005,7 +1002,6 @@ dtls1_send_client_key_exchange(SSL *s)
1005 tmp_buf, sizeof tmp_buf); 1002 tmp_buf, sizeof tmp_buf);
1006 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1003 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1007 } 1004 }
1008#endif
1009#ifndef OPENSSL_NO_KRB5 1005#ifndef OPENSSL_NO_KRB5
1010 else if (alg_k & SSL_kKRB5) { 1006 else if (alg_k & SSL_kKRB5) {
1011 krb5_error_code krb5rc; 1007 krb5_error_code krb5rc;
@@ -1474,13 +1470,9 @@ dtls1_send_client_verify(SSL *s)
1474 unsigned char *p, *d; 1470 unsigned char *p, *d;
1475 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1471 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1476 EVP_PKEY *pkey; 1472 EVP_PKEY *pkey;
1477#ifndef OPENSSL_NO_RSA
1478 unsigned u = 0; 1473 unsigned u = 0;
1479#endif
1480 unsigned long n; 1474 unsigned long n;
1481#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
1482 int j; 1475 int j;
1483#endif
1484 1476
1485 if (s->state == SSL3_ST_CW_CERT_VRFY_A) { 1477 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
1486 d = (unsigned char *)s->init_buf->data; 1478 d = (unsigned char *)s->init_buf->data;
@@ -1490,7 +1482,6 @@ dtls1_send_client_verify(SSL *s)
1490 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, 1482 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
1491 &(data[MD5_DIGEST_LENGTH])); 1483 &(data[MD5_DIGEST_LENGTH]));
1492 1484
1493#ifndef OPENSSL_NO_RSA
1494 if (pkey->type == EVP_PKEY_RSA) { 1485 if (pkey->type == EVP_PKEY_RSA) {
1495 s->method->ssl3_enc->cert_verify_mac(s, 1486 s->method->ssl3_enc->cert_verify_mac(s,
1496 NID_md5, &(data[0])); 1487 NID_md5, &(data[0]));
@@ -1503,8 +1494,6 @@ dtls1_send_client_verify(SSL *s)
1503 s2n(u, p); 1494 s2n(u, p);
1504 n = u + 2; 1495 n = u + 2;
1505 } else 1496 } else
1506#endif
1507#ifndef OPENSSL_NO_DSA
1508 if (pkey->type == EVP_PKEY_DSA) { 1497 if (pkey->type == EVP_PKEY_DSA) {
1509 if (!DSA_sign(pkey->save_type, 1498 if (!DSA_sign(pkey->save_type,
1510 &(data[MD5_DIGEST_LENGTH]), 1499 &(data[MD5_DIGEST_LENGTH]),
@@ -1516,7 +1505,6 @@ dtls1_send_client_verify(SSL *s)
1516 s2n(j, p); 1505 s2n(j, p);
1517 n = j + 2; 1506 n = j + 2;
1518 } else 1507 } else
1519#endif
1520#ifndef OPENSSL_NO_ECDSA 1508#ifndef OPENSSL_NO_ECDSA
1521 if (pkey->type == EVP_PKEY_EC) { 1509 if (pkey->type == EVP_PKEY_EC) {
1522 if (!ECDSA_sign(pkey->save_type, 1510 if (!ECDSA_sign(pkey->save_type,
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index ce7b243c2d..6a10f7a3dd 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1000,13 +1000,11 @@ dtls1_send_server_done(SSL *s)
1000int 1000int
1001dtls1_send_server_key_exchange(SSL *s) 1001dtls1_send_server_key_exchange(SSL *s)
1002{ 1002{
1003#ifndef OPENSSL_NO_RSA
1004 unsigned char *q; 1003 unsigned char *q;
1005 int j, num; 1004 int j, num;
1006 RSA *rsa; 1005 RSA *rsa;
1007 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1006 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1008 unsigned int u; 1007 unsigned int u;
1009#endif
1010#ifndef OPENSSL_NO_DH 1008#ifndef OPENSSL_NO_DH
1011 DH *dh = NULL, *dhp; 1009 DH *dh = NULL, *dhp;
1012#endif 1010#endif
@@ -1041,7 +1039,6 @@ dtls1_send_server_key_exchange(SSL *s)
1041 1039
1042 r[0] = r[1] = r[2] = r[3] = NULL; 1040 r[0] = r[1] = r[2] = r[3] = NULL;
1043 n = 0; 1041 n = 0;
1044#ifndef OPENSSL_NO_RSA
1045 if (type & SSL_kRSA) { 1042 if (type & SSL_kRSA) {
1046 rsa = cert->rsa_tmp; 1043 rsa = cert->rsa_tmp;
1047 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1044 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
@@ -1065,7 +1062,6 @@ dtls1_send_server_key_exchange(SSL *s)
1065 r[1] = rsa->e; 1062 r[1] = rsa->e;
1066 s->s3->tmp.use_rsa_tmp = 1; 1063 s->s3->tmp.use_rsa_tmp = 1;
1067 } else 1064 } else
1068#endif
1069#ifndef OPENSSL_NO_DH 1065#ifndef OPENSSL_NO_DH
1070 if (type & SSL_kEDH) { 1066 if (type & SSL_kEDH) {
1071 dhp = cert->dh_tmp; 1067 dhp = cert->dh_tmp;
@@ -1310,7 +1306,6 @@ dtls1_send_server_key_exchange(SSL *s)
1310 /* n is the length of the params, they start at 1306 /* n is the length of the params, they start at
1311 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space 1307 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
1312 * at the end. */ 1308 * at the end. */
1313#ifndef OPENSSL_NO_RSA
1314 if (pkey->type == EVP_PKEY_RSA) { 1309 if (pkey->type == EVP_PKEY_RSA) {
1315 q = md_buf; 1310 q = md_buf;
1316 j = 0; 1311 j = 0;
@@ -1338,8 +1333,6 @@ dtls1_send_server_key_exchange(SSL *s)
1338 s2n(u, p); 1333 s2n(u, p);
1339 n += u + 2; 1334 n += u + 2;
1340 } else 1335 } else
1341#endif
1342#if !defined(OPENSSL_NO_DSA)
1343 if (pkey->type == EVP_PKEY_DSA) { 1336 if (pkey->type == EVP_PKEY_DSA) {
1344 /* lets do DSS */ 1337 /* lets do DSS */
1345 EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL); 1338 EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL);
@@ -1354,7 +1347,6 @@ dtls1_send_server_key_exchange(SSL *s)
1354 s2n(i, p); 1347 s2n(i, p);
1355 n += i + 2; 1348 n += i + 2;
1356 } else 1349 } else
1357#endif
1358#if !defined(OPENSSL_NO_ECDSA) 1350#if !defined(OPENSSL_NO_ECDSA)
1359 if (pkey->type == EVP_PKEY_EC) { 1351 if (pkey->type == EVP_PKEY_EC) {
1360 /* let's do ECDSA */ 1352 /* let's do ECDSA */
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 32405eac75..52e2174f6b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1183,18 +1183,14 @@ err:
1183int 1183int
1184ssl3_get_key_exchange(SSL *s) 1184ssl3_get_key_exchange(SSL *s)
1185{ 1185{
1186#ifndef OPENSSL_NO_RSA
1187 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; 1186 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1188#endif
1189 EVP_MD_CTX md_ctx; 1187 EVP_MD_CTX md_ctx;
1190 unsigned char *param, *p; 1188 unsigned char *param, *p;
1191 int al, i, j, param_len, ok; 1189 int al, i, j, param_len, ok;
1192 long n, alg_k, alg_a; 1190 long n, alg_k, alg_a;
1193 EVP_PKEY *pkey = NULL; 1191 EVP_PKEY *pkey = NULL;
1194 const EVP_MD *md = NULL; 1192 const EVP_MD *md = NULL;
1195#ifndef OPENSSL_NO_RSA
1196 RSA *rsa = NULL; 1193 RSA *rsa = NULL;
1197#endif
1198#ifndef OPENSSL_NO_DH 1194#ifndef OPENSSL_NO_DH
1199 DH *dh = NULL; 1195 DH *dh = NULL;
1200#endif 1196#endif
@@ -1232,12 +1228,10 @@ ssl3_get_key_exchange(SSL *s)
1232 1228
1233 param = p = (unsigned char *)s->init_msg; 1229 param = p = (unsigned char *)s->init_msg;
1234 if (s->session->sess_cert != NULL) { 1230 if (s->session->sess_cert != NULL) {
1235#ifndef OPENSSL_NO_RSA
1236 if (s->session->sess_cert->peer_rsa_tmp != NULL) { 1231 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1237 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1232 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1238 s->session->sess_cert->peer_rsa_tmp = NULL; 1233 s->session->sess_cert->peer_rsa_tmp = NULL;
1239 } 1234 }
1240#endif
1241#ifndef OPENSSL_NO_DH 1235#ifndef OPENSSL_NO_DH
1242 if (s->session->sess_cert->peer_dh_tmp) { 1236 if (s->session->sess_cert->peer_dh_tmp) {
1243 DH_free(s->session->sess_cert->peer_dh_tmp); 1237 DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -1356,20 +1350,12 @@ ssl3_get_key_exchange(SSL *s)
1356 n -= param_len; 1350 n -= param_len;
1357 1351
1358/* We must check if there is a certificate */ 1352/* We must check if there is a certificate */
1359#ifndef OPENSSL_NO_RSA
1360 if (alg_a & SSL_aRSA) 1353 if (alg_a & SSL_aRSA)
1361 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1354 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1362#else
1363 if (0)
1364;
1365#endif
1366#ifndef OPENSSL_NO_DSA
1367 else if (alg_a & SSL_aDSS) 1355 else if (alg_a & SSL_aDSS)
1368 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1356 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1369#endif
1370 } else 1357 } else
1371#endif /* !OPENSSL_NO_SRP */ 1358#endif /* !OPENSSL_NO_SRP */
1372#ifndef OPENSSL_NO_RSA
1373 if (alg_k & SSL_kRSA) { 1359 if (alg_k & SSL_kRSA) {
1374 if ((rsa = RSA_new()) == NULL) { 1360 if ((rsa = RSA_new()) == NULL) {
1375 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1361 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -1412,10 +1398,6 @@ ssl3_get_key_exchange(SSL *s)
1412 s->session->sess_cert->peer_rsa_tmp = rsa; 1398 s->session->sess_cert->peer_rsa_tmp = rsa;
1413 rsa = NULL; 1399 rsa = NULL;
1414 } 1400 }
1415#else /* OPENSSL_NO_RSA */
1416 if (0)
1417;
1418#endif
1419#ifndef OPENSSL_NO_DH 1401#ifndef OPENSSL_NO_DH
1420 else if (alg_k & SSL_kEDH) { 1402 else if (alg_k & SSL_kEDH) {
1421 if ((dh = DH_new()) == NULL) { 1403 if ((dh = DH_new()) == NULL) {
@@ -1462,17 +1444,10 @@ ssl3_get_key_exchange(SSL *s)
1462 p += i; 1444 p += i;
1463 n -= param_len; 1445 n -= param_len;
1464 1446
1465#ifndef OPENSSL_NO_RSA
1466 if (alg_a & SSL_aRSA) 1447 if (alg_a & SSL_aRSA)
1467 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1448 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1468#else
1469 if (0)
1470;
1471#endif
1472#ifndef OPENSSL_NO_DSA
1473 else if (alg_a & SSL_aDSS) 1449 else if (alg_a & SSL_aDSS)
1474 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1450 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1475#endif
1476 /* else anonymous DH, so no certificate or pkey. */ 1451 /* else anonymous DH, so no certificate or pkey. */
1477 1452
1478 s->session->sess_cert->peer_dh_tmp = dh; 1453 s->session->sess_cert->peer_dh_tmp = dh;
@@ -1561,10 +1536,8 @@ ssl3_get_key_exchange(SSL *s)
1561 * key exchange message. We do support RSA and ECDSA. 1536 * key exchange message. We do support RSA and ECDSA.
1562 */ 1537 */
1563 if (0); 1538 if (0);
1564#ifndef OPENSSL_NO_RSA
1565 else if (alg_a & SSL_aRSA) 1539 else if (alg_a & SSL_aRSA)
1566 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1540 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1567#endif
1568#ifndef OPENSSL_NO_ECDSA 1541#ifndef OPENSSL_NO_ECDSA
1569 else if (alg_a & SSL_aECDSA) 1542 else if (alg_a & SSL_aECDSA)
1570 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1543 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
@@ -1627,7 +1600,6 @@ ssl3_get_key_exchange(SSL *s)
1627 goto f_err; 1600 goto f_err;
1628 } 1601 }
1629 1602
1630#ifndef OPENSSL_NO_RSA
1631 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) { 1603 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1632 int num; 1604 int num;
1633 1605
@@ -1659,7 +1631,6 @@ ssl3_get_key_exchange(SSL *s)
1659 goto f_err; 1631 goto f_err;
1660 } 1632 }
1661 } else 1633 } else
1662#endif
1663 { 1634 {
1664 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1635 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1665 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1636 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
@@ -1693,10 +1664,8 @@ f_err:
1693 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1664 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1694err: 1665err:
1695 EVP_PKEY_free(pkey); 1666 EVP_PKEY_free(pkey);
1696#ifndef OPENSSL_NO_RSA
1697 if (rsa != NULL) 1667 if (rsa != NULL)
1698 RSA_free(rsa); 1668 RSA_free(rsa);
1699#endif
1700#ifndef OPENSSL_NO_DH 1669#ifndef OPENSSL_NO_DH
1701 if (dh != NULL) 1670 if (dh != NULL)
1702 DH_free(dh); 1671 DH_free(dh);
@@ -2042,10 +2011,8 @@ ssl3_send_client_key_exchange(SSL *s)
2042 unsigned char *p, *d; 2011 unsigned char *p, *d;
2043 int n; 2012 int n;
2044 unsigned long alg_k; 2013 unsigned long alg_k;
2045#ifndef OPENSSL_NO_RSA
2046 unsigned char *q; 2014 unsigned char *q;
2047 EVP_PKEY *pkey = NULL; 2015 EVP_PKEY *pkey = NULL;
2048#endif
2049#ifndef OPENSSL_NO_KRB5 2016#ifndef OPENSSL_NO_KRB5
2050 KSSL_ERR kssl_err; 2017 KSSL_ERR kssl_err;
2051#endif /* OPENSSL_NO_KRB5 */ 2018#endif /* OPENSSL_NO_KRB5 */
@@ -2067,7 +2034,6 @@ ssl3_send_client_key_exchange(SSL *s)
2067 /* Fool emacs indentation */ 2034 /* Fool emacs indentation */
2068 if (0) { 2035 if (0) {
2069 } 2036 }
2070#ifndef OPENSSL_NO_RSA
2071 else if (alg_k & SSL_kRSA) { 2037 else if (alg_k & SSL_kRSA) {
2072 RSA *rsa; 2038 RSA *rsa;
2073 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2039 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -2122,7 +2088,6 @@ ssl3_send_client_key_exchange(SSL *s)
2122 sizeof tmp_buf); 2088 sizeof tmp_buf);
2123 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2089 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2124 } 2090 }
2125#endif
2126#ifndef OPENSSL_NO_KRB5 2091#ifndef OPENSSL_NO_KRB5
2127 else if (alg_k & SSL_kKRB5) { 2092 else if (alg_k & SSL_kKRB5) {
2128 krb5_error_code krb5rc; 2093 krb5_error_code krb5rc;
@@ -2760,7 +2725,6 @@ ssl3_send_client_verify(SSL *s)
2760 if (!ssl3_digest_cached_records(s)) 2725 if (!ssl3_digest_cached_records(s))
2761 goto err; 2726 goto err;
2762 } else 2727 } else
2763#ifndef OPENSSL_NO_RSA
2764 if (pkey->type == EVP_PKEY_RSA) { 2728 if (pkey->type == EVP_PKEY_RSA) {
2765 s->method->ssl3_enc->cert_verify_mac( 2729 s->method->ssl3_enc->cert_verify_mac(
2766 s, NID_md5, &(data[0])); 2730 s, NID_md5, &(data[0]));
@@ -2773,8 +2737,6 @@ ssl3_send_client_verify(SSL *s)
2773 s2n(u, p); 2737 s2n(u, p);
2774 n = u + 2; 2738 n = u + 2;
2775 } else 2739 } else
2776#endif
2777#ifndef OPENSSL_NO_DSA
2778 if (pkey->type == EVP_PKEY_DSA) { 2740 if (pkey->type == EVP_PKEY_DSA) {
2779 if (!DSA_sign(pkey->save_type, 2741 if (!DSA_sign(pkey->save_type,
2780 &(data[MD5_DIGEST_LENGTH]), 2742 &(data[MD5_DIGEST_LENGTH]),
@@ -2786,7 +2748,6 @@ ssl3_send_client_verify(SSL *s)
2786 s2n(j, p); 2748 s2n(j, p);
2787 n = j + 2; 2749 n = j + 2;
2788 } else 2750 } else
2789#endif
2790#ifndef OPENSSL_NO_ECDSA 2751#ifndef OPENSSL_NO_ECDSA
2791 if (pkey->type == EVP_PKEY_EC) { 2752 if (pkey->type == EVP_PKEY_EC) {
2792 if (!ECDSA_sign(pkey->save_type, 2753 if (!ECDSA_sign(pkey->save_type,
@@ -2914,9 +2875,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2914 long alg_k, alg_a; 2875 long alg_k, alg_a;
2915 EVP_PKEY *pkey = NULL; 2876 EVP_PKEY *pkey = NULL;
2916 SESS_CERT *sc; 2877 SESS_CERT *sc;
2917#ifndef OPENSSL_NO_RSA
2918 RSA *rsa; 2878 RSA *rsa;
2919#endif
2920#ifndef OPENSSL_NO_DH 2879#ifndef OPENSSL_NO_DH
2921 DH *dh; 2880 DH *dh;
2922#endif 2881#endif
@@ -2934,9 +2893,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2934 goto err; 2893 goto err;
2935 } 2894 }
2936 2895
2937#ifndef OPENSSL_NO_RSA
2938 rsa = s->session->sess_cert->peer_rsa_tmp; 2896 rsa = s->session->sess_cert->peer_rsa_tmp;
2939#endif
2940#ifndef OPENSSL_NO_DH 2897#ifndef OPENSSL_NO_DH
2941 dh = s->session->sess_cert->peer_dh_tmp; 2898 dh = s->session->sess_cert->peer_dh_tmp;
2942#endif 2899#endif
@@ -2966,19 +2923,15 @@ ssl3_check_cert_and_algorithm(SSL *s)
2966 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT); 2923 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
2967 goto f_err; 2924 goto f_err;
2968 } 2925 }
2969#ifndef OPENSSL_NO_DSA
2970 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { 2926 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
2971 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT); 2927 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
2972 goto f_err; 2928 goto f_err;
2973 } 2929 }
2974#endif
2975#ifndef OPENSSL_NO_RSA
2976 if ((alg_k & SSL_kRSA) && 2930 if ((alg_k & SSL_kRSA) &&
2977 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { 2931 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
2978 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2932 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2979 goto f_err; 2933 goto f_err;
2980 } 2934 }
2981#endif
2982#ifndef OPENSSL_NO_DH 2935#ifndef OPENSSL_NO_DH
2983 if ((alg_k & SSL_kEDH) && 2936 if ((alg_k & SSL_kEDH) &&
2984 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { 2937 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
@@ -2988,16 +2941,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
2988 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); 2941 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
2989 goto f_err; 2942 goto f_err;
2990 } 2943 }
2991#ifndef OPENSSL_NO_DSA
2992 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { 2944 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2993 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); 2945 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
2994 goto f_err; 2946 goto f_err;
2995 } 2947 }
2996#endif 2948#endif
2997#endif
2998 2949
2999 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { 2950 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3000#ifndef OPENSSL_NO_RSA
3001 if (alg_k & SSL_kRSA) { 2951 if (alg_k & SSL_kRSA) {
3002 if (rsa == NULL || 2952 if (rsa == NULL ||
3003 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { 2953 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
@@ -3005,7 +2955,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
3005 goto f_err; 2955 goto f_err;
3006 } 2956 }
3007 } else 2957 } else
3008#endif
3009#ifndef OPENSSL_NO_DH 2958#ifndef OPENSSL_NO_DH
3010 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 2959 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3011 if (dh == NULL || 2960 if (dh == NULL ||
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 8df07a1e4c..288d885d9e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -3098,23 +3098,13 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3098{ 3098{
3099 int ret = 0; 3099 int ret = 0;
3100 3100
3101#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 3101 if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3102 if ( 3102 cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
3103#ifndef OPENSSL_NO_RSA
3104 cmd == SSL_CTRL_SET_TMP_RSA ||
3105 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3106#endif
3107#ifndef OPENSSL_NO_DSA
3108 cmd == SSL_CTRL_SET_TMP_DH ||
3109 cmd == SSL_CTRL_SET_TMP_DH_CB ||
3110#endif
3111 0) {
3112 if (!ssl_cert_inst(&s->cert)) { 3103 if (!ssl_cert_inst(&s->cert)) {
3113 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); 3104 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
3114 return (0); 3105 return (0);
3115 } 3106 }
3116 } 3107 }
3117#endif
3118 3108
3119 switch (cmd) { 3109 switch (cmd) {
3120 case SSL_CTRL_GET_SESSION_REUSED: 3110 case SSL_CTRL_GET_SESSION_REUSED:
@@ -3135,7 +3125,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3135 case SSL_CTRL_GET_FLAGS: 3125 case SSL_CTRL_GET_FLAGS:
3136 ret = (int)(s->s3->flags); 3126 ret = (int)(s->s3->flags);
3137 break; 3127 break;
3138#ifndef OPENSSL_NO_RSA
3139 case SSL_CTRL_NEED_TMP_RSA: 3128 case SSL_CTRL_NEED_TMP_RSA:
3140 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 3129 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
3141 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 3130 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -3165,7 +3154,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3165 return (ret); 3154 return (ret);
3166 } 3155 }
3167 break; 3156 break;
3168#endif
3169#ifndef OPENSSL_NO_DH 3157#ifndef OPENSSL_NO_DH
3170 case SSL_CTRL_SET_TMP_DH: 3158 case SSL_CTRL_SET_TMP_DH:
3171 { 3159 {
@@ -3331,30 +3319,19 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
3331{ 3319{
3332 int ret = 0; 3320 int ret = 0;
3333 3321
3334#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 3322 if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) {
3335 if (
3336#ifndef OPENSSL_NO_RSA
3337 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3338#endif
3339#ifndef OPENSSL_NO_DSA
3340 cmd == SSL_CTRL_SET_TMP_DH_CB ||
3341#endif
3342 0) {
3343 if (!ssl_cert_inst(&s->cert)) { 3323 if (!ssl_cert_inst(&s->cert)) {
3344 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); 3324 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
3345 return (0); 3325 return (0);
3346 } 3326 }
3347 } 3327 }
3348#endif
3349 3328
3350 switch (cmd) { 3329 switch (cmd) {
3351#ifndef OPENSSL_NO_RSA
3352 case SSL_CTRL_SET_TMP_RSA_CB: 3330 case SSL_CTRL_SET_TMP_RSA_CB:
3353 { 3331 {
3354 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 3332 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
3355 } 3333 }
3356 break; 3334 break;
3357#endif
3358#ifndef OPENSSL_NO_DH 3335#ifndef OPENSSL_NO_DH
3359 case SSL_CTRL_SET_TMP_DH_CB: 3336 case SSL_CTRL_SET_TMP_DH_CB:
3360 { 3337 {
@@ -3389,7 +3366,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3389 cert = ctx->cert; 3366 cert = ctx->cert;
3390 3367
3391 switch (cmd) { 3368 switch (cmd) {
3392#ifndef OPENSSL_NO_RSA
3393 case SSL_CTRL_NEED_TMP_RSA: 3369 case SSL_CTRL_NEED_TMP_RSA:
3394 if ((cert->rsa_tmp == NULL) && 3370 if ((cert->rsa_tmp == NULL) &&
3395 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 3371 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -3429,7 +3405,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3429 return (0); 3405 return (0);
3430 } 3406 }
3431 break; 3407 break;
3432#endif
3433#ifndef OPENSSL_NO_DH 3408#ifndef OPENSSL_NO_DH
3434 case SSL_CTRL_SET_TMP_DH: 3409 case SSL_CTRL_SET_TMP_DH:
3435 { 3410 {
@@ -3599,13 +3574,11 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
3599 cert = ctx->cert; 3574 cert = ctx->cert;
3600 3575
3601 switch (cmd) { 3576 switch (cmd) {
3602#ifndef OPENSSL_NO_RSA
3603 case SSL_CTRL_SET_TMP_RSA_CB: 3577 case SSL_CTRL_SET_TMP_RSA_CB:
3604 { 3578 {
3605 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 3579 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
3606 } 3580 }
3607 break; 3581 break;
3608#endif
3609#ifndef OPENSSL_NO_DH 3582#ifndef OPENSSL_NO_DH
3610 case SSL_CTRL_SET_TMP_DH_CB: 3583 case SSL_CTRL_SET_TMP_DH_CB:
3611 { 3584 {
@@ -3962,29 +3935,17 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3962 3935
3963#ifndef OPENSSL_NO_DH 3936#ifndef OPENSSL_NO_DH
3964 if (alg_k & (SSL_kDHr|SSL_kEDH)) { 3937 if (alg_k & (SSL_kDHr|SSL_kEDH)) {
3965# ifndef OPENSSL_NO_RSA
3966 p[ret++] = SSL3_CT_RSA_FIXED_DH; 3938 p[ret++] = SSL3_CT_RSA_FIXED_DH;
3967# endif
3968# ifndef OPENSSL_NO_DSA
3969 p[ret++] = SSL3_CT_DSS_FIXED_DH; 3939 p[ret++] = SSL3_CT_DSS_FIXED_DH;
3970# endif
3971 } 3940 }
3972 if ((s->version == SSL3_VERSION) && 3941 if ((s->version == SSL3_VERSION) &&
3973 (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { 3942 (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) {
3974# ifndef OPENSSL_NO_RSA
3975 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; 3943 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
3976# endif
3977# ifndef OPENSSL_NO_DSA
3978 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; 3944 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
3979# endif
3980 } 3945 }
3981#endif /* !OPENSSL_NO_DH */ 3946#endif /* !OPENSSL_NO_DH */
3982#ifndef OPENSSL_NO_RSA
3983 p[ret++] = SSL3_CT_RSA_SIGN; 3947 p[ret++] = SSL3_CT_RSA_SIGN;
3984#endif
3985#ifndef OPENSSL_NO_DSA
3986 p[ret++] = SSL3_CT_DSS_SIGN; 3948 p[ret++] = SSL3_CT_DSS_SIGN;
3987#endif
3988#ifndef OPENSSL_NO_ECDH 3949#ifndef OPENSSL_NO_ECDH
3989 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { 3950 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) {
3990 p[ret++] = TLS_CT_RSA_FIXED_ECDH; 3951 p[ret++] = TLS_CT_RSA_FIXED_ECDH;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 927b0d7db1..19e0495fe6 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1554,13 +1554,11 @@ ssl3_send_server_done(SSL *s)
1554int 1554int
1555ssl3_send_server_key_exchange(SSL *s) 1555ssl3_send_server_key_exchange(SSL *s)
1556{ 1556{
1557#ifndef OPENSSL_NO_RSA
1558 unsigned char *q; 1557 unsigned char *q;
1559 int j, num; 1558 int j, num;
1560 RSA *rsa; 1559 RSA *rsa;
1561 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1560 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1562 unsigned int u; 1561 unsigned int u;
1563#endif
1564#ifndef OPENSSL_NO_DH 1562#ifndef OPENSSL_NO_DH
1565 DH *dh = NULL, *dhp; 1563 DH *dh = NULL, *dhp;
1566#endif 1564#endif
@@ -1596,7 +1594,6 @@ ssl3_send_server_key_exchange(SSL *s)
1596 1594
1597 r[0] = r[1] = r[2] = r[3] = NULL; 1595 r[0] = r[1] = r[2] = r[3] = NULL;
1598 n = 0; 1596 n = 0;
1599#ifndef OPENSSL_NO_RSA
1600 if (type & SSL_kRSA) { 1597 if (type & SSL_kRSA) {
1601 rsa = cert->rsa_tmp; 1598 rsa = cert->rsa_tmp;
1602 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1599 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
@@ -1623,7 +1620,6 @@ ssl3_send_server_key_exchange(SSL *s)
1623 r[1] = rsa->e; 1620 r[1] = rsa->e;
1624 s->s3->tmp.use_rsa_tmp = 1; 1621 s->s3->tmp.use_rsa_tmp = 1;
1625 } else 1622 } else
1626#endif
1627#ifndef OPENSSL_NO_DH 1623#ifndef OPENSSL_NO_DH
1628 if (type & SSL_kEDH) { 1624 if (type & SSL_kEDH) {
1629 dhp = cert->dh_tmp; 1625 dhp = cert->dh_tmp;
@@ -1913,7 +1909,6 @@ ssl3_send_server_key_exchange(SSL *s)
1913 * n is the length of the params, they start at &(d[4]) 1909 * n is the length of the params, they start at &(d[4])
1914 * and p points to the space at the end. 1910 * and p points to the space at the end.
1915 */ 1911 */
1916#ifndef OPENSSL_NO_RSA
1917 if (pkey->type == EVP_PKEY_RSA 1912 if (pkey->type == EVP_PKEY_RSA
1918 && TLS1_get_version(s) < TLS1_2_VERSION) { 1913 && TLS1_get_version(s) < TLS1_2_VERSION) {
1919 q = md_buf; 1914 q = md_buf;
@@ -1946,7 +1941,6 @@ ssl3_send_server_key_exchange(SSL *s)
1946 s2n(u, p); 1941 s2n(u, p);
1947 n += u + 2; 1942 n += u + 2;
1948 } else 1943 } else
1949#endif
1950 if (md) { 1944 if (md) {
1951 /* 1945 /*
1952 * For TLS1.2 and later send signature 1946 * For TLS1.2 and later send signature
@@ -2120,10 +2114,8 @@ ssl3_get_client_key_exchange(SSL *s)
2120 long n; 2114 long n;
2121 unsigned long alg_k; 2115 unsigned long alg_k;
2122 unsigned char *p; 2116 unsigned char *p;
2123#ifndef OPENSSL_NO_RSA
2124 RSA *rsa = NULL; 2117 RSA *rsa = NULL;
2125 EVP_PKEY *pkey = NULL; 2118 EVP_PKEY *pkey = NULL;
2126#endif
2127#ifndef OPENSSL_NO_DH 2119#ifndef OPENSSL_NO_DH
2128 BIGNUM *pub = NULL; 2120 BIGNUM *pub = NULL;
2129 DH *dh_srvr; 2121 DH *dh_srvr;
@@ -2149,7 +2141,6 @@ ssl3_get_client_key_exchange(SSL *s)
2149 2141
2150 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2142 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2151 2143
2152#ifndef OPENSSL_NO_RSA
2153 if (alg_k & SSL_kRSA) { 2144 if (alg_k & SSL_kRSA) {
2154 /* FIX THIS UP EAY EAY EAY EAY */ 2145 /* FIX THIS UP EAY EAY EAY EAY */
2155 if (s->s3->tmp.use_rsa_tmp) { 2146 if (s->s3->tmp.use_rsa_tmp) {
@@ -2259,7 +2250,6 @@ ssl3_get_client_key_exchange(SSL *s)
2259 p, i); 2250 p, i);
2260 OPENSSL_cleanse(p, i); 2251 OPENSSL_cleanse(p, i);
2261 } else 2252 } else
2262#endif
2263#ifndef OPENSSL_NO_DH 2253#ifndef OPENSSL_NO_DH
2264 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 2254 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2265 n2s(p, i); 2255 n2s(p, i);
@@ -2851,9 +2841,7 @@ ssl3_get_client_key_exchange(SSL *s)
2851 return (1); 2841 return (1);
2852f_err: 2842f_err:
2853 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2843 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2854#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2855err: 2844err:
2856#endif
2857#ifndef OPENSSL_NO_ECDH 2845#ifndef OPENSSL_NO_ECDH
2858 EVP_PKEY_free(clnt_pub_pkey); 2846 EVP_PKEY_free(clnt_pub_pkey);
2859 EC_POINT_free(clnt_ecpoint); 2847 EC_POINT_free(clnt_ecpoint);
@@ -3010,7 +2998,6 @@ ssl3_get_cert_verify(SSL *s)
3010 goto f_err; 2998 goto f_err;
3011 } 2999 }
3012 } else 3000 } else
3013#ifndef OPENSSL_NO_RSA
3014 if (pkey->type == EVP_PKEY_RSA) { 3001 if (pkey->type == EVP_PKEY_RSA) {
3015 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3002 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3016 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, 3003 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
@@ -3028,8 +3015,6 @@ ssl3_get_cert_verify(SSL *s)
3028 goto f_err; 3015 goto f_err;
3029 } 3016 }
3030 } else 3017 } else
3031#endif
3032#ifndef OPENSSL_NO_DSA
3033 if (pkey->type == EVP_PKEY_DSA) { 3018 if (pkey->type == EVP_PKEY_DSA) {
3034 j = DSA_verify(pkey->save_type, 3019 j = DSA_verify(pkey->save_type,
3035 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3020 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
@@ -3042,7 +3027,6 @@ ssl3_get_cert_verify(SSL *s)
3042 goto f_err; 3027 goto f_err;
3043 } 3028 }
3044 } else 3029 } else
3045#endif
3046#ifndef OPENSSL_NO_ECDSA 3030#ifndef OPENSSL_NO_ECDSA
3047 if (pkey->type == EVP_PKEY_EC) { 3031 if (pkey->type == EVP_PKEY_EC) {
3048 j = ECDSA_verify(pkey->save_type, 3032 j = ECDSA_verify(pkey->save_type,
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 3f159eed26..1ad65ba541 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -925,10 +925,8 @@ dtls1_send_client_key_exchange(SSL *s)
925 unsigned char *p, *d; 925 unsigned char *p, *d;
926 int n; 926 int n;
927 unsigned long alg_k; 927 unsigned long alg_k;
928#ifndef OPENSSL_NO_RSA
929 unsigned char *q; 928 unsigned char *q;
930 EVP_PKEY *pkey = NULL; 929 EVP_PKEY *pkey = NULL;
931#endif
932#ifndef OPENSSL_NO_KRB5 930#ifndef OPENSSL_NO_KRB5
933 KSSL_ERR kssl_err; 931 KSSL_ERR kssl_err;
934#endif /* OPENSSL_NO_KRB5 */ 932#endif /* OPENSSL_NO_KRB5 */
@@ -950,7 +948,6 @@ dtls1_send_client_key_exchange(SSL *s)
950 /* Fool emacs indentation */ 948 /* Fool emacs indentation */
951 if (0) { 949 if (0) {
952 } 950 }
953#ifndef OPENSSL_NO_RSA
954 else if (alg_k & SSL_kRSA) { 951 else if (alg_k & SSL_kRSA) {
955 RSA *rsa; 952 RSA *rsa;
956 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 953 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -1005,7 +1002,6 @@ dtls1_send_client_key_exchange(SSL *s)
1005 tmp_buf, sizeof tmp_buf); 1002 tmp_buf, sizeof tmp_buf);
1006 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1003 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1007 } 1004 }
1008#endif
1009#ifndef OPENSSL_NO_KRB5 1005#ifndef OPENSSL_NO_KRB5
1010 else if (alg_k & SSL_kKRB5) { 1006 else if (alg_k & SSL_kKRB5) {
1011 krb5_error_code krb5rc; 1007 krb5_error_code krb5rc;
@@ -1474,13 +1470,9 @@ dtls1_send_client_verify(SSL *s)
1474 unsigned char *p, *d; 1470 unsigned char *p, *d;
1475 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1471 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1476 EVP_PKEY *pkey; 1472 EVP_PKEY *pkey;
1477#ifndef OPENSSL_NO_RSA
1478 unsigned u = 0; 1473 unsigned u = 0;
1479#endif
1480 unsigned long n; 1474 unsigned long n;
1481#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
1482 int j; 1475 int j;
1483#endif
1484 1476
1485 if (s->state == SSL3_ST_CW_CERT_VRFY_A) { 1477 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
1486 d = (unsigned char *)s->init_buf->data; 1478 d = (unsigned char *)s->init_buf->data;
@@ -1490,7 +1482,6 @@ dtls1_send_client_verify(SSL *s)
1490 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, 1482 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
1491 &(data[MD5_DIGEST_LENGTH])); 1483 &(data[MD5_DIGEST_LENGTH]));
1492 1484
1493#ifndef OPENSSL_NO_RSA
1494 if (pkey->type == EVP_PKEY_RSA) { 1485 if (pkey->type == EVP_PKEY_RSA) {
1495 s->method->ssl3_enc->cert_verify_mac(s, 1486 s->method->ssl3_enc->cert_verify_mac(s,
1496 NID_md5, &(data[0])); 1487 NID_md5, &(data[0]));
@@ -1503,8 +1494,6 @@ dtls1_send_client_verify(SSL *s)
1503 s2n(u, p); 1494 s2n(u, p);
1504 n = u + 2; 1495 n = u + 2;
1505 } else 1496 } else
1506#endif
1507#ifndef OPENSSL_NO_DSA
1508 if (pkey->type == EVP_PKEY_DSA) { 1497 if (pkey->type == EVP_PKEY_DSA) {
1509 if (!DSA_sign(pkey->save_type, 1498 if (!DSA_sign(pkey->save_type,
1510 &(data[MD5_DIGEST_LENGTH]), 1499 &(data[MD5_DIGEST_LENGTH]),
@@ -1516,7 +1505,6 @@ dtls1_send_client_verify(SSL *s)
1516 s2n(j, p); 1505 s2n(j, p);
1517 n = j + 2; 1506 n = j + 2;
1518 } else 1507 } else
1519#endif
1520#ifndef OPENSSL_NO_ECDSA 1508#ifndef OPENSSL_NO_ECDSA
1521 if (pkey->type == EVP_PKEY_EC) { 1509 if (pkey->type == EVP_PKEY_EC) {
1522 if (!ECDSA_sign(pkey->save_type, 1510 if (!ECDSA_sign(pkey->save_type,
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index ce7b243c2d..6a10f7a3dd 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1000,13 +1000,11 @@ dtls1_send_server_done(SSL *s)
1000int 1000int
1001dtls1_send_server_key_exchange(SSL *s) 1001dtls1_send_server_key_exchange(SSL *s)
1002{ 1002{
1003#ifndef OPENSSL_NO_RSA
1004 unsigned char *q; 1003 unsigned char *q;
1005 int j, num; 1004 int j, num;
1006 RSA *rsa; 1005 RSA *rsa;
1007 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1006 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1008 unsigned int u; 1007 unsigned int u;
1009#endif
1010#ifndef OPENSSL_NO_DH 1008#ifndef OPENSSL_NO_DH
1011 DH *dh = NULL, *dhp; 1009 DH *dh = NULL, *dhp;
1012#endif 1010#endif
@@ -1041,7 +1039,6 @@ dtls1_send_server_key_exchange(SSL *s)
1041 1039
1042 r[0] = r[1] = r[2] = r[3] = NULL; 1040 r[0] = r[1] = r[2] = r[3] = NULL;
1043 n = 0; 1041 n = 0;
1044#ifndef OPENSSL_NO_RSA
1045 if (type & SSL_kRSA) { 1042 if (type & SSL_kRSA) {
1046 rsa = cert->rsa_tmp; 1043 rsa = cert->rsa_tmp;
1047 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1044 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
@@ -1065,7 +1062,6 @@ dtls1_send_server_key_exchange(SSL *s)
1065 r[1] = rsa->e; 1062 r[1] = rsa->e;
1066 s->s3->tmp.use_rsa_tmp = 1; 1063 s->s3->tmp.use_rsa_tmp = 1;
1067 } else 1064 } else
1068#endif
1069#ifndef OPENSSL_NO_DH 1065#ifndef OPENSSL_NO_DH
1070 if (type & SSL_kEDH) { 1066 if (type & SSL_kEDH) {
1071 dhp = cert->dh_tmp; 1067 dhp = cert->dh_tmp;
@@ -1310,7 +1306,6 @@ dtls1_send_server_key_exchange(SSL *s)
1310 /* n is the length of the params, they start at 1306 /* n is the length of the params, they start at
1311 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space 1307 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
1312 * at the end. */ 1308 * at the end. */
1313#ifndef OPENSSL_NO_RSA
1314 if (pkey->type == EVP_PKEY_RSA) { 1309 if (pkey->type == EVP_PKEY_RSA) {
1315 q = md_buf; 1310 q = md_buf;
1316 j = 0; 1311 j = 0;
@@ -1338,8 +1333,6 @@ dtls1_send_server_key_exchange(SSL *s)
1338 s2n(u, p); 1333 s2n(u, p);
1339 n += u + 2; 1334 n += u + 2;
1340 } else 1335 } else
1341#endif
1342#if !defined(OPENSSL_NO_DSA)
1343 if (pkey->type == EVP_PKEY_DSA) { 1336 if (pkey->type == EVP_PKEY_DSA) {
1344 /* lets do DSS */ 1337 /* lets do DSS */
1345 EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL); 1338 EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL);
@@ -1354,7 +1347,6 @@ dtls1_send_server_key_exchange(SSL *s)
1354 s2n(i, p); 1347 s2n(i, p);
1355 n += i + 2; 1348 n += i + 2;
1356 } else 1349 } else
1357#endif
1358#if !defined(OPENSSL_NO_ECDSA) 1350#if !defined(OPENSSL_NO_ECDSA)
1359 if (pkey->type == EVP_PKEY_EC) { 1351 if (pkey->type == EVP_PKEY_EC) {
1360 /* let's do ECDSA */ 1352 /* let's do ECDSA */
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 32405eac75..52e2174f6b 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1183,18 +1183,14 @@ err:
1183int 1183int
1184ssl3_get_key_exchange(SSL *s) 1184ssl3_get_key_exchange(SSL *s)
1185{ 1185{
1186#ifndef OPENSSL_NO_RSA
1187 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; 1186 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1188#endif
1189 EVP_MD_CTX md_ctx; 1187 EVP_MD_CTX md_ctx;
1190 unsigned char *param, *p; 1188 unsigned char *param, *p;
1191 int al, i, j, param_len, ok; 1189 int al, i, j, param_len, ok;
1192 long n, alg_k, alg_a; 1190 long n, alg_k, alg_a;
1193 EVP_PKEY *pkey = NULL; 1191 EVP_PKEY *pkey = NULL;
1194 const EVP_MD *md = NULL; 1192 const EVP_MD *md = NULL;
1195#ifndef OPENSSL_NO_RSA
1196 RSA *rsa = NULL; 1193 RSA *rsa = NULL;
1197#endif
1198#ifndef OPENSSL_NO_DH 1194#ifndef OPENSSL_NO_DH
1199 DH *dh = NULL; 1195 DH *dh = NULL;
1200#endif 1196#endif
@@ -1232,12 +1228,10 @@ ssl3_get_key_exchange(SSL *s)
1232 1228
1233 param = p = (unsigned char *)s->init_msg; 1229 param = p = (unsigned char *)s->init_msg;
1234 if (s->session->sess_cert != NULL) { 1230 if (s->session->sess_cert != NULL) {
1235#ifndef OPENSSL_NO_RSA
1236 if (s->session->sess_cert->peer_rsa_tmp != NULL) { 1231 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1237 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1232 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1238 s->session->sess_cert->peer_rsa_tmp = NULL; 1233 s->session->sess_cert->peer_rsa_tmp = NULL;
1239 } 1234 }
1240#endif
1241#ifndef OPENSSL_NO_DH 1235#ifndef OPENSSL_NO_DH
1242 if (s->session->sess_cert->peer_dh_tmp) { 1236 if (s->session->sess_cert->peer_dh_tmp) {
1243 DH_free(s->session->sess_cert->peer_dh_tmp); 1237 DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -1356,20 +1350,12 @@ ssl3_get_key_exchange(SSL *s)
1356 n -= param_len; 1350 n -= param_len;
1357 1351
1358/* We must check if there is a certificate */ 1352/* We must check if there is a certificate */
1359#ifndef OPENSSL_NO_RSA
1360 if (alg_a & SSL_aRSA) 1353 if (alg_a & SSL_aRSA)
1361 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1354 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1362#else
1363 if (0)
1364;
1365#endif
1366#ifndef OPENSSL_NO_DSA
1367 else if (alg_a & SSL_aDSS) 1355 else if (alg_a & SSL_aDSS)
1368 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1356 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1369#endif
1370 } else 1357 } else
1371#endif /* !OPENSSL_NO_SRP */ 1358#endif /* !OPENSSL_NO_SRP */
1372#ifndef OPENSSL_NO_RSA
1373 if (alg_k & SSL_kRSA) { 1359 if (alg_k & SSL_kRSA) {
1374 if ((rsa = RSA_new()) == NULL) { 1360 if ((rsa = RSA_new()) == NULL) {
1375 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1361 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -1412,10 +1398,6 @@ ssl3_get_key_exchange(SSL *s)
1412 s->session->sess_cert->peer_rsa_tmp = rsa; 1398 s->session->sess_cert->peer_rsa_tmp = rsa;
1413 rsa = NULL; 1399 rsa = NULL;
1414 } 1400 }
1415#else /* OPENSSL_NO_RSA */
1416 if (0)
1417;
1418#endif
1419#ifndef OPENSSL_NO_DH 1401#ifndef OPENSSL_NO_DH
1420 else if (alg_k & SSL_kEDH) { 1402 else if (alg_k & SSL_kEDH) {
1421 if ((dh = DH_new()) == NULL) { 1403 if ((dh = DH_new()) == NULL) {
@@ -1462,17 +1444,10 @@ ssl3_get_key_exchange(SSL *s)
1462 p += i; 1444 p += i;
1463 n -= param_len; 1445 n -= param_len;
1464 1446
1465#ifndef OPENSSL_NO_RSA
1466 if (alg_a & SSL_aRSA) 1447 if (alg_a & SSL_aRSA)
1467 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1448 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1468#else
1469 if (0)
1470;
1471#endif
1472#ifndef OPENSSL_NO_DSA
1473 else if (alg_a & SSL_aDSS) 1449 else if (alg_a & SSL_aDSS)
1474 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1450 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1475#endif
1476 /* else anonymous DH, so no certificate or pkey. */ 1451 /* else anonymous DH, so no certificate or pkey. */
1477 1452
1478 s->session->sess_cert->peer_dh_tmp = dh; 1453 s->session->sess_cert->peer_dh_tmp = dh;
@@ -1561,10 +1536,8 @@ ssl3_get_key_exchange(SSL *s)
1561 * key exchange message. We do support RSA and ECDSA. 1536 * key exchange message. We do support RSA and ECDSA.
1562 */ 1537 */
1563 if (0); 1538 if (0);
1564#ifndef OPENSSL_NO_RSA
1565 else if (alg_a & SSL_aRSA) 1539 else if (alg_a & SSL_aRSA)
1566 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1540 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1567#endif
1568#ifndef OPENSSL_NO_ECDSA 1541#ifndef OPENSSL_NO_ECDSA
1569 else if (alg_a & SSL_aECDSA) 1542 else if (alg_a & SSL_aECDSA)
1570 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1543 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
@@ -1627,7 +1600,6 @@ ssl3_get_key_exchange(SSL *s)
1627 goto f_err; 1600 goto f_err;
1628 } 1601 }
1629 1602
1630#ifndef OPENSSL_NO_RSA
1631 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) { 1603 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1632 int num; 1604 int num;
1633 1605
@@ -1659,7 +1631,6 @@ ssl3_get_key_exchange(SSL *s)
1659 goto f_err; 1631 goto f_err;
1660 } 1632 }
1661 } else 1633 } else
1662#endif
1663 { 1634 {
1664 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1635 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1665 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1636 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
@@ -1693,10 +1664,8 @@ f_err:
1693 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1664 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1694err: 1665err:
1695 EVP_PKEY_free(pkey); 1666 EVP_PKEY_free(pkey);
1696#ifndef OPENSSL_NO_RSA
1697 if (rsa != NULL) 1667 if (rsa != NULL)
1698 RSA_free(rsa); 1668 RSA_free(rsa);
1699#endif
1700#ifndef OPENSSL_NO_DH 1669#ifndef OPENSSL_NO_DH
1701 if (dh != NULL) 1670 if (dh != NULL)
1702 DH_free(dh); 1671 DH_free(dh);
@@ -2042,10 +2011,8 @@ ssl3_send_client_key_exchange(SSL *s)
2042 unsigned char *p, *d; 2011 unsigned char *p, *d;
2043 int n; 2012 int n;
2044 unsigned long alg_k; 2013 unsigned long alg_k;
2045#ifndef OPENSSL_NO_RSA
2046 unsigned char *q; 2014 unsigned char *q;
2047 EVP_PKEY *pkey = NULL; 2015 EVP_PKEY *pkey = NULL;
2048#endif
2049#ifndef OPENSSL_NO_KRB5 2016#ifndef OPENSSL_NO_KRB5
2050 KSSL_ERR kssl_err; 2017 KSSL_ERR kssl_err;
2051#endif /* OPENSSL_NO_KRB5 */ 2018#endif /* OPENSSL_NO_KRB5 */
@@ -2067,7 +2034,6 @@ ssl3_send_client_key_exchange(SSL *s)
2067 /* Fool emacs indentation */ 2034 /* Fool emacs indentation */
2068 if (0) { 2035 if (0) {
2069 } 2036 }
2070#ifndef OPENSSL_NO_RSA
2071 else if (alg_k & SSL_kRSA) { 2037 else if (alg_k & SSL_kRSA) {
2072 RSA *rsa; 2038 RSA *rsa;
2073 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2039 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -2122,7 +2088,6 @@ ssl3_send_client_key_exchange(SSL *s)
2122 sizeof tmp_buf); 2088 sizeof tmp_buf);
2123 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2089 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2124 } 2090 }
2125#endif
2126#ifndef OPENSSL_NO_KRB5 2091#ifndef OPENSSL_NO_KRB5
2127 else if (alg_k & SSL_kKRB5) { 2092 else if (alg_k & SSL_kKRB5) {
2128 krb5_error_code krb5rc; 2093 krb5_error_code krb5rc;
@@ -2760,7 +2725,6 @@ ssl3_send_client_verify(SSL *s)
2760 if (!ssl3_digest_cached_records(s)) 2725 if (!ssl3_digest_cached_records(s))
2761 goto err; 2726 goto err;
2762 } else 2727 } else
2763#ifndef OPENSSL_NO_RSA
2764 if (pkey->type == EVP_PKEY_RSA) { 2728 if (pkey->type == EVP_PKEY_RSA) {
2765 s->method->ssl3_enc->cert_verify_mac( 2729 s->method->ssl3_enc->cert_verify_mac(
2766 s, NID_md5, &(data[0])); 2730 s, NID_md5, &(data[0]));
@@ -2773,8 +2737,6 @@ ssl3_send_client_verify(SSL *s)
2773 s2n(u, p); 2737 s2n(u, p);
2774 n = u + 2; 2738 n = u + 2;
2775 } else 2739 } else
2776#endif
2777#ifndef OPENSSL_NO_DSA
2778 if (pkey->type == EVP_PKEY_DSA) { 2740 if (pkey->type == EVP_PKEY_DSA) {
2779 if (!DSA_sign(pkey->save_type, 2741 if (!DSA_sign(pkey->save_type,
2780 &(data[MD5_DIGEST_LENGTH]), 2742 &(data[MD5_DIGEST_LENGTH]),
@@ -2786,7 +2748,6 @@ ssl3_send_client_verify(SSL *s)
2786 s2n(j, p); 2748 s2n(j, p);
2787 n = j + 2; 2749 n = j + 2;
2788 } else 2750 } else
2789#endif
2790#ifndef OPENSSL_NO_ECDSA 2751#ifndef OPENSSL_NO_ECDSA
2791 if (pkey->type == EVP_PKEY_EC) { 2752 if (pkey->type == EVP_PKEY_EC) {
2792 if (!ECDSA_sign(pkey->save_type, 2753 if (!ECDSA_sign(pkey->save_type,
@@ -2914,9 +2875,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2914 long alg_k, alg_a; 2875 long alg_k, alg_a;
2915 EVP_PKEY *pkey = NULL; 2876 EVP_PKEY *pkey = NULL;
2916 SESS_CERT *sc; 2877 SESS_CERT *sc;
2917#ifndef OPENSSL_NO_RSA
2918 RSA *rsa; 2878 RSA *rsa;
2919#endif
2920#ifndef OPENSSL_NO_DH 2879#ifndef OPENSSL_NO_DH
2921 DH *dh; 2880 DH *dh;
2922#endif 2881#endif
@@ -2934,9 +2893,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2934 goto err; 2893 goto err;
2935 } 2894 }
2936 2895
2937#ifndef OPENSSL_NO_RSA
2938 rsa = s->session->sess_cert->peer_rsa_tmp; 2896 rsa = s->session->sess_cert->peer_rsa_tmp;
2939#endif
2940#ifndef OPENSSL_NO_DH 2897#ifndef OPENSSL_NO_DH
2941 dh = s->session->sess_cert->peer_dh_tmp; 2898 dh = s->session->sess_cert->peer_dh_tmp;
2942#endif 2899#endif
@@ -2966,19 +2923,15 @@ ssl3_check_cert_and_algorithm(SSL *s)
2966 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT); 2923 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
2967 goto f_err; 2924 goto f_err;
2968 } 2925 }
2969#ifndef OPENSSL_NO_DSA
2970 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { 2926 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
2971 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT); 2927 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
2972 goto f_err; 2928 goto f_err;
2973 } 2929 }
2974#endif
2975#ifndef OPENSSL_NO_RSA
2976 if ((alg_k & SSL_kRSA) && 2930 if ((alg_k & SSL_kRSA) &&
2977 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { 2931 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
2978 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2932 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2979 goto f_err; 2933 goto f_err;
2980 } 2934 }
2981#endif
2982#ifndef OPENSSL_NO_DH 2935#ifndef OPENSSL_NO_DH
2983 if ((alg_k & SSL_kEDH) && 2936 if ((alg_k & SSL_kEDH) &&
2984 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { 2937 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
@@ -2988,16 +2941,13 @@ ssl3_check_cert_and_algorithm(SSL *s)
2988 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); 2941 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
2989 goto f_err; 2942 goto f_err;
2990 } 2943 }
2991#ifndef OPENSSL_NO_DSA
2992 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { 2944 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2993 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); 2945 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
2994 goto f_err; 2946 goto f_err;
2995 } 2947 }
2996#endif 2948#endif
2997#endif
2998 2949
2999 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { 2950 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3000#ifndef OPENSSL_NO_RSA
3001 if (alg_k & SSL_kRSA) { 2951 if (alg_k & SSL_kRSA) {
3002 if (rsa == NULL || 2952 if (rsa == NULL ||
3003 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { 2953 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
@@ -3005,7 +2955,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
3005 goto f_err; 2955 goto f_err;
3006 } 2956 }
3007 } else 2957 } else
3008#endif
3009#ifndef OPENSSL_NO_DH 2958#ifndef OPENSSL_NO_DH
3010 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 2959 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3011 if (dh == NULL || 2960 if (dh == NULL ||
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 8df07a1e4c..288d885d9e 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -3098,23 +3098,13 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3098{ 3098{
3099 int ret = 0; 3099 int ret = 0;
3100 3100
3101#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 3101 if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3102 if ( 3102 cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
3103#ifndef OPENSSL_NO_RSA
3104 cmd == SSL_CTRL_SET_TMP_RSA ||
3105 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3106#endif
3107#ifndef OPENSSL_NO_DSA
3108 cmd == SSL_CTRL_SET_TMP_DH ||
3109 cmd == SSL_CTRL_SET_TMP_DH_CB ||
3110#endif
3111 0) {
3112 if (!ssl_cert_inst(&s->cert)) { 3103 if (!ssl_cert_inst(&s->cert)) {
3113 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); 3104 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
3114 return (0); 3105 return (0);
3115 } 3106 }
3116 } 3107 }
3117#endif
3118 3108
3119 switch (cmd) { 3109 switch (cmd) {
3120 case SSL_CTRL_GET_SESSION_REUSED: 3110 case SSL_CTRL_GET_SESSION_REUSED:
@@ -3135,7 +3125,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3135 case SSL_CTRL_GET_FLAGS: 3125 case SSL_CTRL_GET_FLAGS:
3136 ret = (int)(s->s3->flags); 3126 ret = (int)(s->s3->flags);
3137 break; 3127 break;
3138#ifndef OPENSSL_NO_RSA
3139 case SSL_CTRL_NEED_TMP_RSA: 3128 case SSL_CTRL_NEED_TMP_RSA:
3140 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 3129 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
3141 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 3130 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -3165,7 +3154,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3165 return (ret); 3154 return (ret);
3166 } 3155 }
3167 break; 3156 break;
3168#endif
3169#ifndef OPENSSL_NO_DH 3157#ifndef OPENSSL_NO_DH
3170 case SSL_CTRL_SET_TMP_DH: 3158 case SSL_CTRL_SET_TMP_DH:
3171 { 3159 {
@@ -3331,30 +3319,19 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
3331{ 3319{
3332 int ret = 0; 3320 int ret = 0;
3333 3321
3334#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 3322 if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) {
3335 if (
3336#ifndef OPENSSL_NO_RSA
3337 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
3338#endif
3339#ifndef OPENSSL_NO_DSA
3340 cmd == SSL_CTRL_SET_TMP_DH_CB ||
3341#endif
3342 0) {
3343 if (!ssl_cert_inst(&s->cert)) { 3323 if (!ssl_cert_inst(&s->cert)) {
3344 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); 3324 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
3345 return (0); 3325 return (0);
3346 } 3326 }
3347 } 3327 }
3348#endif
3349 3328
3350 switch (cmd) { 3329 switch (cmd) {
3351#ifndef OPENSSL_NO_RSA
3352 case SSL_CTRL_SET_TMP_RSA_CB: 3330 case SSL_CTRL_SET_TMP_RSA_CB:
3353 { 3331 {
3354 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 3332 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
3355 } 3333 }
3356 break; 3334 break;
3357#endif
3358#ifndef OPENSSL_NO_DH 3335#ifndef OPENSSL_NO_DH
3359 case SSL_CTRL_SET_TMP_DH_CB: 3336 case SSL_CTRL_SET_TMP_DH_CB:
3360 { 3337 {
@@ -3389,7 +3366,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3389 cert = ctx->cert; 3366 cert = ctx->cert;
3390 3367
3391 switch (cmd) { 3368 switch (cmd) {
3392#ifndef OPENSSL_NO_RSA
3393 case SSL_CTRL_NEED_TMP_RSA: 3369 case SSL_CTRL_NEED_TMP_RSA:
3394 if ((cert->rsa_tmp == NULL) && 3370 if ((cert->rsa_tmp == NULL) &&
3395 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 3371 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -3429,7 +3405,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
3429 return (0); 3405 return (0);
3430 } 3406 }
3431 break; 3407 break;
3432#endif
3433#ifndef OPENSSL_NO_DH 3408#ifndef OPENSSL_NO_DH
3434 case SSL_CTRL_SET_TMP_DH: 3409 case SSL_CTRL_SET_TMP_DH:
3435 { 3410 {
@@ -3599,13 +3574,11 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
3599 cert = ctx->cert; 3574 cert = ctx->cert;
3600 3575
3601 switch (cmd) { 3576 switch (cmd) {
3602#ifndef OPENSSL_NO_RSA
3603 case SSL_CTRL_SET_TMP_RSA_CB: 3577 case SSL_CTRL_SET_TMP_RSA_CB:
3604 { 3578 {
3605 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 3579 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
3606 } 3580 }
3607 break; 3581 break;
3608#endif
3609#ifndef OPENSSL_NO_DH 3582#ifndef OPENSSL_NO_DH
3610 case SSL_CTRL_SET_TMP_DH_CB: 3583 case SSL_CTRL_SET_TMP_DH_CB:
3611 { 3584 {
@@ -3962,29 +3935,17 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3962 3935
3963#ifndef OPENSSL_NO_DH 3936#ifndef OPENSSL_NO_DH
3964 if (alg_k & (SSL_kDHr|SSL_kEDH)) { 3937 if (alg_k & (SSL_kDHr|SSL_kEDH)) {
3965# ifndef OPENSSL_NO_RSA
3966 p[ret++] = SSL3_CT_RSA_FIXED_DH; 3938 p[ret++] = SSL3_CT_RSA_FIXED_DH;
3967# endif
3968# ifndef OPENSSL_NO_DSA
3969 p[ret++] = SSL3_CT_DSS_FIXED_DH; 3939 p[ret++] = SSL3_CT_DSS_FIXED_DH;
3970# endif
3971 } 3940 }
3972 if ((s->version == SSL3_VERSION) && 3941 if ((s->version == SSL3_VERSION) &&
3973 (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { 3942 (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) {
3974# ifndef OPENSSL_NO_RSA
3975 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; 3943 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
3976# endif
3977# ifndef OPENSSL_NO_DSA
3978 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; 3944 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
3979# endif
3980 } 3945 }
3981#endif /* !OPENSSL_NO_DH */ 3946#endif /* !OPENSSL_NO_DH */
3982#ifndef OPENSSL_NO_RSA
3983 p[ret++] = SSL3_CT_RSA_SIGN; 3947 p[ret++] = SSL3_CT_RSA_SIGN;
3984#endif
3985#ifndef OPENSSL_NO_DSA
3986 p[ret++] = SSL3_CT_DSS_SIGN; 3948 p[ret++] = SSL3_CT_DSS_SIGN;
3987#endif
3988#ifndef OPENSSL_NO_ECDH 3949#ifndef OPENSSL_NO_ECDH
3989 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { 3950 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) {
3990 p[ret++] = TLS_CT_RSA_FIXED_ECDH; 3951 p[ret++] = TLS_CT_RSA_FIXED_ECDH;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 927b0d7db1..19e0495fe6 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1554,13 +1554,11 @@ ssl3_send_server_done(SSL *s)
1554int 1554int
1555ssl3_send_server_key_exchange(SSL *s) 1555ssl3_send_server_key_exchange(SSL *s)
1556{ 1556{
1557#ifndef OPENSSL_NO_RSA
1558 unsigned char *q; 1557 unsigned char *q;
1559 int j, num; 1558 int j, num;
1560 RSA *rsa; 1559 RSA *rsa;
1561 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1560 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1562 unsigned int u; 1561 unsigned int u;
1563#endif
1564#ifndef OPENSSL_NO_DH 1562#ifndef OPENSSL_NO_DH
1565 DH *dh = NULL, *dhp; 1563 DH *dh = NULL, *dhp;
1566#endif 1564#endif
@@ -1596,7 +1594,6 @@ ssl3_send_server_key_exchange(SSL *s)
1596 1594
1597 r[0] = r[1] = r[2] = r[3] = NULL; 1595 r[0] = r[1] = r[2] = r[3] = NULL;
1598 n = 0; 1596 n = 0;
1599#ifndef OPENSSL_NO_RSA
1600 if (type & SSL_kRSA) { 1597 if (type & SSL_kRSA) {
1601 rsa = cert->rsa_tmp; 1598 rsa = cert->rsa_tmp;
1602 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1599 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
@@ -1623,7 +1620,6 @@ ssl3_send_server_key_exchange(SSL *s)
1623 r[1] = rsa->e; 1620 r[1] = rsa->e;
1624 s->s3->tmp.use_rsa_tmp = 1; 1621 s->s3->tmp.use_rsa_tmp = 1;
1625 } else 1622 } else
1626#endif
1627#ifndef OPENSSL_NO_DH 1623#ifndef OPENSSL_NO_DH
1628 if (type & SSL_kEDH) { 1624 if (type & SSL_kEDH) {
1629 dhp = cert->dh_tmp; 1625 dhp = cert->dh_tmp;
@@ -1913,7 +1909,6 @@ ssl3_send_server_key_exchange(SSL *s)
1913 * n is the length of the params, they start at &(d[4]) 1909 * n is the length of the params, they start at &(d[4])
1914 * and p points to the space at the end. 1910 * and p points to the space at the end.
1915 */ 1911 */
1916#ifndef OPENSSL_NO_RSA
1917 if (pkey->type == EVP_PKEY_RSA 1912 if (pkey->type == EVP_PKEY_RSA
1918 && TLS1_get_version(s) < TLS1_2_VERSION) { 1913 && TLS1_get_version(s) < TLS1_2_VERSION) {
1919 q = md_buf; 1914 q = md_buf;
@@ -1946,7 +1941,6 @@ ssl3_send_server_key_exchange(SSL *s)
1946 s2n(u, p); 1941 s2n(u, p);
1947 n += u + 2; 1942 n += u + 2;
1948 } else 1943 } else
1949#endif
1950 if (md) { 1944 if (md) {
1951 /* 1945 /*
1952 * For TLS1.2 and later send signature 1946 * For TLS1.2 and later send signature
@@ -2120,10 +2114,8 @@ ssl3_get_client_key_exchange(SSL *s)
2120 long n; 2114 long n;
2121 unsigned long alg_k; 2115 unsigned long alg_k;
2122 unsigned char *p; 2116 unsigned char *p;
2123#ifndef OPENSSL_NO_RSA
2124 RSA *rsa = NULL; 2117 RSA *rsa = NULL;
2125 EVP_PKEY *pkey = NULL; 2118 EVP_PKEY *pkey = NULL;
2126#endif
2127#ifndef OPENSSL_NO_DH 2119#ifndef OPENSSL_NO_DH
2128 BIGNUM *pub = NULL; 2120 BIGNUM *pub = NULL;
2129 DH *dh_srvr; 2121 DH *dh_srvr;
@@ -2149,7 +2141,6 @@ ssl3_get_client_key_exchange(SSL *s)
2149 2141
2150 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2142 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2151 2143
2152#ifndef OPENSSL_NO_RSA
2153 if (alg_k & SSL_kRSA) { 2144 if (alg_k & SSL_kRSA) {
2154 /* FIX THIS UP EAY EAY EAY EAY */ 2145 /* FIX THIS UP EAY EAY EAY EAY */
2155 if (s->s3->tmp.use_rsa_tmp) { 2146 if (s->s3->tmp.use_rsa_tmp) {
@@ -2259,7 +2250,6 @@ ssl3_get_client_key_exchange(SSL *s)
2259 p, i); 2250 p, i);
2260 OPENSSL_cleanse(p, i); 2251 OPENSSL_cleanse(p, i);
2261 } else 2252 } else
2262#endif
2263#ifndef OPENSSL_NO_DH 2253#ifndef OPENSSL_NO_DH
2264 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 2254 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2265 n2s(p, i); 2255 n2s(p, i);
@@ -2851,9 +2841,7 @@ ssl3_get_client_key_exchange(SSL *s)
2851 return (1); 2841 return (1);
2852f_err: 2842f_err:
2853 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2843 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2854#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2855err: 2844err:
2856#endif
2857#ifndef OPENSSL_NO_ECDH 2845#ifndef OPENSSL_NO_ECDH
2858 EVP_PKEY_free(clnt_pub_pkey); 2846 EVP_PKEY_free(clnt_pub_pkey);
2859 EC_POINT_free(clnt_ecpoint); 2847 EC_POINT_free(clnt_ecpoint);
@@ -3010,7 +2998,6 @@ ssl3_get_cert_verify(SSL *s)
3010 goto f_err; 2998 goto f_err;
3011 } 2999 }
3012 } else 3000 } else
3013#ifndef OPENSSL_NO_RSA
3014 if (pkey->type == EVP_PKEY_RSA) { 3001 if (pkey->type == EVP_PKEY_RSA) {
3015 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3002 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3016 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, 3003 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
@@ -3028,8 +3015,6 @@ ssl3_get_cert_verify(SSL *s)
3028 goto f_err; 3015 goto f_err;
3029 } 3016 }
3030 } else 3017 } else
3031#endif
3032#ifndef OPENSSL_NO_DSA
3033 if (pkey->type == EVP_PKEY_DSA) { 3018 if (pkey->type == EVP_PKEY_DSA) {
3034 j = DSA_verify(pkey->save_type, 3019 j = DSA_verify(pkey->save_type,
3035 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3020 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
@@ -3042,7 +3027,6 @@ ssl3_get_cert_verify(SSL *s)
3042 goto f_err; 3027 goto f_err;
3043 } 3028 }
3044 } else 3029 } else
3045#endif
3046#ifndef OPENSSL_NO_ECDSA 3030#ifndef OPENSSL_NO_ECDSA
3047 if (pkey->type == EVP_PKEY_EC) { 3031 if (pkey->type == EVP_PKEY_EC) {
3048 j = ECDSA_verify(pkey->save_type, 3032 j = ECDSA_verify(pkey->save_type,
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index cefee6189d..ef829797b7 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1690,9 +1690,7 @@ int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *);
1690void SSL_set_verify(SSL *s, int mode, 1690void SSL_set_verify(SSL *s, int mode,
1691 int (*callback)(int ok, X509_STORE_CTX *ctx)); 1691 int (*callback)(int ok, X509_STORE_CTX *ctx));
1692void SSL_set_verify_depth(SSL *s, int depth); 1692void SSL_set_verify_depth(SSL *s, int depth);
1693#ifndef OPENSSL_NO_RSA
1694int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); 1693int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1695#endif
1696int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); 1694int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1697int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); 1695int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1698int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len); 1696int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len);
@@ -1765,9 +1763,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
1765 int (*callback)(int, X509_STORE_CTX *)); 1763 int (*callback)(int, X509_STORE_CTX *));
1766void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 1764void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
1767void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg); 1765void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg);
1768#ifndef OPENSSL_NO_RSA
1769int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); 1766int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1770#endif
1771int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); 1767int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1772int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); 1768int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1773int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len); 1769int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);
@@ -1963,13 +1959,11 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1963 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) 1959 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1964 1960
1965/* NB: the keylength is only applicable when is_export is true */ 1961/* NB: the keylength is only applicable when is_export is true */
1966#ifndef OPENSSL_NO_RSA
1967void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 1962void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1968 RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 1963 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1969 1964
1970void SSL_set_tmp_rsa_callback(SSL *ssl, 1965void SSL_set_tmp_rsa_callback(SSL *ssl,
1971 RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 1966 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1972#endif
1973#ifndef OPENSSL_NO_DH 1967#ifndef OPENSSL_NO_DH
1974void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 1968void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1975 DH *(*dh)(SSL *ssl, int is_export, int keylength)); 1969 DH *(*dh)(SSL *ssl, int is_export, int keylength));
diff --git a/src/lib/libssl/src/ssl/ssl_algs.c b/src/lib/libssl/src/ssl/ssl_algs.c
index 463bf8ad66..aaecb2da0f 100644
--- a/src/lib/libssl/src/ssl/ssl_algs.c
+++ b/src/lib/libssl/src/ssl/ssl_algs.c
@@ -111,12 +111,10 @@ SSL_library_init(void)
111 EVP_add_digest(EVP_sha256()); 111 EVP_add_digest(EVP_sha256());
112 EVP_add_digest(EVP_sha384()); 112 EVP_add_digest(EVP_sha384());
113 EVP_add_digest(EVP_sha512()); 113 EVP_add_digest(EVP_sha512());
114#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
115 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ 114 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
116 EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); 115 EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
117 EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); 116 EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
118 EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); 117 EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
119#endif
120#ifndef OPENSSL_NO_ECDSA 118#ifndef OPENSSL_NO_ECDSA
121 EVP_add_digest(EVP_ecdsa()); 119 EVP_add_digest(EVP_ecdsa());
122#endif 120#endif
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index cf5cfb97f6..a823c16edf 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -163,13 +163,9 @@ static void
163ssl_cert_set_default_md(CERT *cert) 163ssl_cert_set_default_md(CERT *cert)
164{ 164{
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 166 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
168#endif
169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 167 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 168 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif
173#ifndef OPENSSL_NO_ECDSA 169#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 170 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 171#endif
@@ -217,13 +213,11 @@ CERT
217 ret->export_mask_k = cert->export_mask_k; 213 ret->export_mask_k = cert->export_mask_k;
218 ret->export_mask_a = cert->export_mask_a; 214 ret->export_mask_a = cert->export_mask_a;
219 215
220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL) { 216 if (cert->rsa_tmp != NULL) {
222 RSA_up_ref(cert->rsa_tmp); 217 RSA_up_ref(cert->rsa_tmp);
223 ret->rsa_tmp = cert->rsa_tmp; 218 ret->rsa_tmp = cert->rsa_tmp;
224 } 219 }
225 ret->rsa_tmp_cb = cert->rsa_tmp_cb; 220 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
226#endif
227 221
228#ifndef OPENSSL_NO_DH 222#ifndef OPENSSL_NO_DH
229 if (cert->dh_tmp != NULL) { 223 if (cert->dh_tmp != NULL) {
@@ -319,10 +313,8 @@ CERT
319#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) 313#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
320err: 314err:
321#endif 315#endif
322#ifndef OPENSSL_NO_RSA
323 if (ret->rsa_tmp != NULL) 316 if (ret->rsa_tmp != NULL)
324 RSA_free(ret->rsa_tmp); 317 RSA_free(ret->rsa_tmp);
325#endif
326#ifndef OPENSSL_NO_DH 318#ifndef OPENSSL_NO_DH
327 if (ret->dh_tmp != NULL) 319 if (ret->dh_tmp != NULL)
328 DH_free(ret->dh_tmp); 320 DH_free(ret->dh_tmp);
@@ -355,10 +347,8 @@ ssl_cert_free(CERT *c)
355 if (i > 0) 347 if (i > 0)
356 return; 348 return;
357 349
358#ifndef OPENSSL_NO_RSA
359 if (c->rsa_tmp) 350 if (c->rsa_tmp)
360 RSA_free(c->rsa_tmp); 351 RSA_free(c->rsa_tmp);
361#endif
362#ifndef OPENSSL_NO_DH 352#ifndef OPENSSL_NO_DH
363 if (c->dh_tmp) 353 if (c->dh_tmp)
364 DH_free(c->dh_tmp); 354 DH_free(c->dh_tmp);
@@ -452,10 +442,8 @@ ssl_sess_cert_free(SESS_CERT *sc)
452#endif 442#endif
453 } 443 }
454 444
455#ifndef OPENSSL_NO_RSA
456 if (sc->peer_rsa_tmp != NULL) 445 if (sc->peer_rsa_tmp != NULL)
457 RSA_free(sc->peer_rsa_tmp); 446 RSA_free(sc->peer_rsa_tmp);
458#endif
459#ifndef OPENSSL_NO_DH 447#ifndef OPENSSL_NO_DH
460 if (sc->peer_dh_tmp != NULL) 448 if (sc->peer_dh_tmp != NULL)
461 DH_free(sc->peer_dh_tmp); 449 DH_free(sc->peer_dh_tmp);
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index b56a93d4cb..140a00ceca 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -696,13 +696,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
696 *mac = 0; 696 *mac = 0;
697 *ssl = 0; 697 *ssl = 0;
698 698
699#ifdef OPENSSL_NO_RSA
700 *mkey |= SSL_kRSA;
701 *auth |= SSL_aRSA;
702#endif
703#ifdef OPENSSL_NO_DSA
704 *auth |= SSL_aDSS;
705#endif
706 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 699 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
707 *auth |= SSL_aDH; 700 *auth |= SSL_aDH;
708#ifdef OPENSSL_NO_DH 701#ifdef OPENSSL_NO_DH
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 3ab652a6a4..37fff3a38f 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1978,13 +1978,9 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1978 1978
1979 kl = SSL_C_EXPORT_PKEYLENGTH(cipher); 1979 kl = SSL_C_EXPORT_PKEYLENGTH(cipher);
1980 1980
1981#ifndef OPENSSL_NO_RSA
1982 rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 1981 rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1983 rsa_tmp_export = (c->rsa_tmp_cb != NULL || 1982 rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
1984 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 1983 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1985#else
1986 rsa_tmp = rsa_tmp_export = 0;
1987#endif
1988#ifndef OPENSSL_NO_DH 1984#ifndef OPENSSL_NO_DH
1989 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 1985 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1990 dh_tmp_export = (c->dh_tmp_cb != NULL || 1986 dh_tmp_export = (c->dh_tmp_cb != NULL ||
@@ -2990,7 +2986,6 @@ SSL_want(const SSL *s)
2990 * \param cb the callback 2986 * \param cb the callback
2991 */ 2987 */
2992 2988
2993#ifndef OPENSSL_NO_RSA
2994void 2989void
2995SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, 2990SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,
2996 int is_export, 2991 int is_export,
@@ -3006,7 +3001,6 @@ int keylength))
3006{ 3001{
3007 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 3002 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3008} 3003}
3009#endif
3010 3004
3011#ifdef DOXYGEN 3005#ifdef DOXYGEN
3012/*! 3006/*!
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 483723736a..5767c1dd4b 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -159,12 +159,8 @@
159#endif 159#endif
160#include <openssl/bio.h> 160#include <openssl/bio.h>
161#include <openssl/stack.h> 161#include <openssl/stack.h>
162#ifndef OPENSSL_NO_RSA
163#include <openssl/rsa.h> 162#include <openssl/rsa.h>
164#endif
165#ifndef OPENSSL_NO_DSA
166#include <openssl/dsa.h> 163#include <openssl/dsa.h>
167#endif
168#include <openssl/err.h> 164#include <openssl/err.h>
169#include <openssl/ssl.h> 165#include <openssl/ssl.h>
170 166
@@ -500,10 +496,8 @@ typedef struct cert_st {
500 unsigned long mask_a; 496 unsigned long mask_a;
501 unsigned long export_mask_k; 497 unsigned long export_mask_k;
502 unsigned long export_mask_a; 498 unsigned long export_mask_a;
503#ifndef OPENSSL_NO_RSA
504 RSA *rsa_tmp; 499 RSA *rsa_tmp;
505 RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize); 500 RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize);
506#endif
507#ifndef OPENSSL_NO_DH 501#ifndef OPENSSL_NO_DH
508 DH *dh_tmp; 502 DH *dh_tmp;
509 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 503 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
@@ -531,9 +525,7 @@ typedef struct sess_cert_st {
531 /* Obviously we don't have the private keys of these, 525 /* Obviously we don't have the private keys of these,
532 * so maybe we shouldn't even use the CERT_PKEY type here. */ 526 * so maybe we shouldn't even use the CERT_PKEY type here. */
533 527
534#ifndef OPENSSL_NO_RSA
535 RSA *peer_rsa_tmp; /* not used for SSL 2 */ 528 RSA *peer_rsa_tmp; /* not used for SSL 2 */
536#endif
537#ifndef OPENSSL_NO_DH 529#ifndef OPENSSL_NO_DH
538 DH *peer_dh_tmp; /* not used for SSL 2 */ 530 DH *peer_dh_tmp; /* not used for SSL 2 */
539#endif 531#endif
diff --git a/src/lib/libssl/src/ssl/ssl_rsa.c b/src/lib/libssl/src/ssl/ssl_rsa.c
index 078df55f06..05d18de1d9 100644
--- a/src/lib/libssl/src/ssl/ssl_rsa.c
+++ b/src/lib/libssl/src/ssl/ssl_rsa.c
@@ -142,7 +142,6 @@ SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
142 return (ret); 142 return (ret);
143} 143}
144 144
145#ifndef OPENSSL_NO_RSA
146int 145int
147SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 146SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
148{ 147{
@@ -169,7 +168,6 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
169 EVP_PKEY_free(pkey); 168 EVP_PKEY_free(pkey);
170 return (ret); 169 return (ret);
171} 170}
172#endif
173 171
174static int 172static int
175ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 173ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
@@ -189,14 +187,12 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
189 EVP_PKEY_free(pktmp); 187 EVP_PKEY_free(pktmp);
190 ERR_clear_error(); 188 ERR_clear_error();
191 189
192#ifndef OPENSSL_NO_RSA
193 /* Don't check the public/private key, this is mostly 190 /* Don't check the public/private key, this is mostly
194 * for smart cards. */ 191 * for smart cards. */
195 if ((pkey->type == EVP_PKEY_RSA) && 192 if ((pkey->type == EVP_PKEY_RSA) &&
196 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 193 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
197; 194;
198 else 195 else
199#endif
200 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 196 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
201 X509_free(c->pkeys[i].x509); 197 X509_free(c->pkeys[i].x509);
202 c->pkeys[i].x509 = NULL; 198 c->pkeys[i].x509 = NULL;
@@ -214,7 +210,6 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
214 return (1); 210 return (1);
215} 211}
216 212
217#ifndef OPENSSL_NO_RSA
218#ifndef OPENSSL_NO_STDIO 213#ifndef OPENSSL_NO_STDIO
219int 214int
220SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 215SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
@@ -274,7 +269,6 @@ SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
274 RSA_free(rsa); 269 RSA_free(rsa);
275 return (ret); 270 return (ret);
276} 271}
277#endif /* !OPENSSL_NO_RSA */
278 272
279int 273int
280SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 274SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
@@ -390,7 +384,6 @@ ssl_set_cert(CERT *c, X509 *x)
390 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 384 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
391 ERR_clear_error(); 385 ERR_clear_error();
392 386
393#ifndef OPENSSL_NO_RSA
394 /* Don't check the public/private key, this is mostly 387 /* Don't check the public/private key, this is mostly
395 * for smart cards. */ 388 * for smart cards. */
396 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 389 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
@@ -398,7 +391,6 @@ ssl_set_cert(CERT *c, X509 *x)
398 RSA_METHOD_FLAG_NO_CHECK)) 391 RSA_METHOD_FLAG_NO_CHECK))
399; 392;
400 else 393 else
401#endif /* OPENSSL_NO_RSA */
402 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 394 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
403 /* don't fail for a cert/key mismatch, just free 395 /* don't fail for a cert/key mismatch, just free
404 * current private key (when switching to a different 396 * current private key (when switching to a different
@@ -485,7 +477,6 @@ SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
485 return (ret); 477 return (ret);
486} 478}
487 479
488#ifndef OPENSSL_NO_RSA
489int 480int
490SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 481SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
491{ 482{
@@ -572,7 +563,6 @@ SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
572 RSA_free(rsa); 563 RSA_free(rsa);
573 return (ret); 564 return (ret);
574} 565}
575#endif /* !OPENSSL_NO_RSA */
576 566
577int 567int
578SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 568SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index a8228fbfa5..1ce08c957d 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -173,12 +173,8 @@
173#endif 173#endif
174#include <openssl/err.h> 174#include <openssl/err.h>
175#include <openssl/rand.h> 175#include <openssl/rand.h>
176#ifndef OPENSSL_NO_RSA
177#include <openssl/rsa.h> 176#include <openssl/rsa.h>
178#endif
179#ifndef OPENSSL_NO_DSA
180#include <openssl/dsa.h> 177#include <openssl/dsa.h>
181#endif
182#ifndef OPENSSL_NO_DH 178#ifndef OPENSSL_NO_DH
183#include <openssl/dh.h> 179#include <openssl/dh.h>
184#endif 180#endif
@@ -203,10 +199,8 @@
203#define COMP_ZLIB 1 199#define COMP_ZLIB 1
204 200
205static int verify_callback(int ok, X509_STORE_CTX *ctx); 201static int verify_callback(int ok, X509_STORE_CTX *ctx);
206#ifndef OPENSSL_NO_RSA
207static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); 202static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
208static void free_tmp_rsa(void); 203static void free_tmp_rsa(void);
209#endif
210static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); 204static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
211#define APP_CALLBACK_STRING "Test Callback Argument" 205#define APP_CALLBACK_STRING "Test Callback Argument"
212struct app_verify_arg { 206struct app_verify_arg {
@@ -363,22 +357,18 @@ print_details(SSL *c_ssl, const char *prefix)
363 if (pkey != NULL) { 357 if (pkey != NULL) {
364 if (0) 358 if (0)
365; 359;
366#ifndef OPENSSL_NO_RSA
367 else if (pkey->type == EVP_PKEY_RSA && 360 else if (pkey->type == EVP_PKEY_RSA &&
368 pkey->pkey.rsa != NULL && 361 pkey->pkey.rsa != NULL &&
369 pkey->pkey.rsa->n != NULL) { 362 pkey->pkey.rsa->n != NULL) {
370 BIO_printf(bio_stdout, ", %d bit RSA", 363 BIO_printf(bio_stdout, ", %d bit RSA",
371 BN_num_bits(pkey->pkey.rsa->n)); 364 BN_num_bits(pkey->pkey.rsa->n));
372 } 365 }
373#endif
374#ifndef OPENSSL_NO_DSA
375 else if (pkey->type == EVP_PKEY_DSA && 366 else if (pkey->type == EVP_PKEY_DSA &&
376 pkey->pkey.dsa != NULL && 367 pkey->pkey.dsa != NULL &&
377 pkey->pkey.dsa->p != NULL) { 368 pkey->pkey.dsa->p != NULL) {
378 BIO_printf(bio_stdout, ", %d bit DSA", 369 BIO_printf(bio_stdout, ", %d bit DSA",
379 BN_num_bits(pkey->pkey.dsa->p)); 370 BN_num_bits(pkey->pkey.dsa->p));
380 } 371 }
381#endif
382 EVP_PKEY_free(pkey); 372 EVP_PKEY_free(pkey);
383 } 373 }
384 X509_free(cert); 374 X509_free(cert);
@@ -837,9 +827,7 @@ bad:
837 (void)no_ecdhe; 827 (void)no_ecdhe;
838#endif 828#endif
839 829
840#ifndef OPENSSL_NO_RSA
841 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); 830 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
842#endif
843 831
844#ifdef TLSEXT_TYPE_opaque_prf_input 832#ifdef TLSEXT_TYPE_opaque_prf_input
845 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb); 833 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
@@ -997,9 +985,7 @@ end:
997 if (bio_stdout != NULL) 985 if (bio_stdout != NULL)
998 BIO_free(bio_stdout); 986 BIO_free(bio_stdout);
999 987
1000#ifndef OPENSSL_NO_RSA
1001 free_tmp_rsa(); 988 free_tmp_rsa();
1002#endif
1003#ifndef OPENSSL_NO_ENGINE 989#ifndef OPENSSL_NO_ENGINE
1004 ENGINE_cleanup(); 990 ENGINE_cleanup();
1005#endif 991#endif
@@ -2087,7 +2073,6 @@ app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2087 return (ok); 2073 return (ok);
2088} 2074}
2089 2075
2090#ifndef OPENSSL_NO_RSA
2091static RSA *rsa_tmp = NULL; 2076static RSA *rsa_tmp = NULL;
2092 2077
2093static RSA 2078static RSA
@@ -2125,7 +2110,6 @@ free_tmp_rsa(void)
2125 rsa_tmp = NULL; 2110 rsa_tmp = NULL;
2126 } 2111 }
2127} 2112}
2128#endif
2129 2113
2130#ifndef OPENSSL_NO_DH 2114#ifndef OPENSSL_NO_DH
2131/* These DH parameters have been generated as follows: 2115/* These DH parameters have been generated as follows:
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 304140d7f6..6ee2289153 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -310,17 +310,9 @@ tls1_ec_nid2curve_id(int nid)
310 * customisable at some point, for now include everything we support. 310 * customisable at some point, for now include everything we support.
311 */ 311 */
312 312
313#ifdef OPENSSL_NO_RSA
314#define tlsext_sigalg_rsa(md) /* */
315#else
316#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
317#endif
318 314
319#ifdef OPENSSL_NO_DSA
320#define tlsext_sigalg_dsa(md) /* */
321#else
322#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 315#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
323#endif
324 316
325#ifdef OPENSSL_NO_ECDSA 317#ifdef OPENSSL_NO_ECDSA
326#define tlsext_sigalg_ecdsa(md) /* */ 318#define tlsext_sigalg_ecdsa(md) /* */
@@ -2202,12 +2194,8 @@ static tls12_lookup tls12_md[] = {
2202}; 2194};
2203 2195
2204static tls12_lookup tls12_sig[] = { 2196static tls12_lookup tls12_sig[] = {
2205#ifndef OPENSSL_NO_RSA
2206 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2197 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2207#endif
2208#ifndef OPENSSL_NO_DSA
2209 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2198 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2210#endif
2211#ifndef OPENSSL_NO_ECDSA 2199#ifndef OPENSSL_NO_ECDSA
2212 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2200 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2213#endif 2201#endif
@@ -2307,16 +2295,12 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2307 unsigned char hash_alg = data[i], sig_alg = data[i + 1]; 2295 unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2308 2296
2309 switch (sig_alg) { 2297 switch (sig_alg) {
2310#ifndef OPENSSL_NO_RSA
2311 case TLSEXT_signature_rsa: 2298 case TLSEXT_signature_rsa:
2312 idx = SSL_PKEY_RSA_SIGN; 2299 idx = SSL_PKEY_RSA_SIGN;
2313 break; 2300 break;
2314#endif
2315#ifndef OPENSSL_NO_DSA
2316 case TLSEXT_signature_dsa: 2301 case TLSEXT_signature_dsa:
2317 idx = SSL_PKEY_DSA_SIGN; 2302 idx = SSL_PKEY_DSA_SIGN;
2318 break; 2303 break;
2319#endif
2320#ifndef OPENSSL_NO_ECDSA 2304#ifndef OPENSSL_NO_ECDSA
2321 case TLSEXT_signature_ecdsa: 2305 case TLSEXT_signature_ecdsa:
2322 idx = SSL_PKEY_ECC; 2306 idx = SSL_PKEY_ECC;
@@ -2341,16 +2325,12 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2341 /* Set any remaining keys to default values. NOTE: if alg is not 2325 /* Set any remaining keys to default values. NOTE: if alg is not
2342 * supported it stays as NULL. 2326 * supported it stays as NULL.
2343 */ 2327 */
2344#ifndef OPENSSL_NO_DSA
2345 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2328 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2346 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2329 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2347#endif
2348#ifndef OPENSSL_NO_RSA
2349 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2330 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2350 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2331 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2351 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2332 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2352 } 2333 }
2353#endif
2354#ifndef OPENSSL_NO_ECDSA 2334#ifndef OPENSSL_NO_ECDSA
2355 if (!c->pkeys[SSL_PKEY_ECC].digest) 2335 if (!c->pkeys[SSL_PKEY_ECC].digest)
2356 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2336 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index cefee6189d..ef829797b7 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1690,9 +1690,7 @@ int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *);
1690void SSL_set_verify(SSL *s, int mode, 1690void SSL_set_verify(SSL *s, int mode,
1691 int (*callback)(int ok, X509_STORE_CTX *ctx)); 1691 int (*callback)(int ok, X509_STORE_CTX *ctx));
1692void SSL_set_verify_depth(SSL *s, int depth); 1692void SSL_set_verify_depth(SSL *s, int depth);
1693#ifndef OPENSSL_NO_RSA
1694int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); 1693int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
1695#endif
1696int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); 1694int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
1697int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); 1695int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
1698int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len); 1696int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len);
@@ -1765,9 +1763,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
1765 int (*callback)(int, X509_STORE_CTX *)); 1763 int (*callback)(int, X509_STORE_CTX *));
1766void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 1764void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
1767void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg); 1765void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg);
1768#ifndef OPENSSL_NO_RSA
1769int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); 1766int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
1770#endif
1771int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); 1767int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
1772int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); 1768int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
1773int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len); 1769int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);
@@ -1963,13 +1959,11 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
1963 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL) 1959 SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
1964 1960
1965/* NB: the keylength is only applicable when is_export is true */ 1961/* NB: the keylength is only applicable when is_export is true */
1966#ifndef OPENSSL_NO_RSA
1967void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 1962void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
1968 RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 1963 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1969 1964
1970void SSL_set_tmp_rsa_callback(SSL *ssl, 1965void SSL_set_tmp_rsa_callback(SSL *ssl,
1971 RSA *(*cb)(SSL *ssl, int is_export, int keylength)); 1966 RSA *(*cb)(SSL *ssl, int is_export, int keylength));
1972#endif
1973#ifndef OPENSSL_NO_DH 1967#ifndef OPENSSL_NO_DH
1974void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, 1968void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
1975 DH *(*dh)(SSL *ssl, int is_export, int keylength)); 1969 DH *(*dh)(SSL *ssl, int is_export, int keylength));
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index 463bf8ad66..aaecb2da0f 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -111,12 +111,10 @@ SSL_library_init(void)
111 EVP_add_digest(EVP_sha256()); 111 EVP_add_digest(EVP_sha256());
112 EVP_add_digest(EVP_sha384()); 112 EVP_add_digest(EVP_sha384());
113 EVP_add_digest(EVP_sha512()); 113 EVP_add_digest(EVP_sha512());
114#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
115 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ 114 EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
116 EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2); 115 EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
117 EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1"); 116 EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
118 EVP_add_digest_alias(SN_dsaWithSHA1, "dss1"); 117 EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
119#endif
120#ifndef OPENSSL_NO_ECDSA 118#ifndef OPENSSL_NO_ECDSA
121 EVP_add_digest(EVP_ecdsa()); 119 EVP_add_digest(EVP_ecdsa());
122#endif 120#endif
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index cf5cfb97f6..a823c16edf 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -163,13 +163,9 @@ static void
163ssl_cert_set_default_md(CERT *cert) 163ssl_cert_set_default_md(CERT *cert)
164{ 164{
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 166 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
168#endif
169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 167 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 168 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif
173#ifndef OPENSSL_NO_ECDSA 169#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 170 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 171#endif
@@ -217,13 +213,11 @@ CERT
217 ret->export_mask_k = cert->export_mask_k; 213 ret->export_mask_k = cert->export_mask_k;
218 ret->export_mask_a = cert->export_mask_a; 214 ret->export_mask_a = cert->export_mask_a;
219 215
220#ifndef OPENSSL_NO_RSA
221 if (cert->rsa_tmp != NULL) { 216 if (cert->rsa_tmp != NULL) {
222 RSA_up_ref(cert->rsa_tmp); 217 RSA_up_ref(cert->rsa_tmp);
223 ret->rsa_tmp = cert->rsa_tmp; 218 ret->rsa_tmp = cert->rsa_tmp;
224 } 219 }
225 ret->rsa_tmp_cb = cert->rsa_tmp_cb; 220 ret->rsa_tmp_cb = cert->rsa_tmp_cb;
226#endif
227 221
228#ifndef OPENSSL_NO_DH 222#ifndef OPENSSL_NO_DH
229 if (cert->dh_tmp != NULL) { 223 if (cert->dh_tmp != NULL) {
@@ -319,10 +313,8 @@ CERT
319#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH) 313#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
320err: 314err:
321#endif 315#endif
322#ifndef OPENSSL_NO_RSA
323 if (ret->rsa_tmp != NULL) 316 if (ret->rsa_tmp != NULL)
324 RSA_free(ret->rsa_tmp); 317 RSA_free(ret->rsa_tmp);
325#endif
326#ifndef OPENSSL_NO_DH 318#ifndef OPENSSL_NO_DH
327 if (ret->dh_tmp != NULL) 319 if (ret->dh_tmp != NULL)
328 DH_free(ret->dh_tmp); 320 DH_free(ret->dh_tmp);
@@ -355,10 +347,8 @@ ssl_cert_free(CERT *c)
355 if (i > 0) 347 if (i > 0)
356 return; 348 return;
357 349
358#ifndef OPENSSL_NO_RSA
359 if (c->rsa_tmp) 350 if (c->rsa_tmp)
360 RSA_free(c->rsa_tmp); 351 RSA_free(c->rsa_tmp);
361#endif
362#ifndef OPENSSL_NO_DH 352#ifndef OPENSSL_NO_DH
363 if (c->dh_tmp) 353 if (c->dh_tmp)
364 DH_free(c->dh_tmp); 354 DH_free(c->dh_tmp);
@@ -452,10 +442,8 @@ ssl_sess_cert_free(SESS_CERT *sc)
452#endif 442#endif
453 } 443 }
454 444
455#ifndef OPENSSL_NO_RSA
456 if (sc->peer_rsa_tmp != NULL) 445 if (sc->peer_rsa_tmp != NULL)
457 RSA_free(sc->peer_rsa_tmp); 446 RSA_free(sc->peer_rsa_tmp);
458#endif
459#ifndef OPENSSL_NO_DH 447#ifndef OPENSSL_NO_DH
460 if (sc->peer_dh_tmp != NULL) 448 if (sc->peer_dh_tmp != NULL)
461 DH_free(sc->peer_dh_tmp); 449 DH_free(sc->peer_dh_tmp);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index b56a93d4cb..140a00ceca 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -696,13 +696,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
696 *mac = 0; 696 *mac = 0;
697 *ssl = 0; 697 *ssl = 0;
698 698
699#ifdef OPENSSL_NO_RSA
700 *mkey |= SSL_kRSA;
701 *auth |= SSL_aRSA;
702#endif
703#ifdef OPENSSL_NO_DSA
704 *auth |= SSL_aDSS;
705#endif
706 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 699 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
707 *auth |= SSL_aDH; 700 *auth |= SSL_aDH;
708#ifdef OPENSSL_NO_DH 701#ifdef OPENSSL_NO_DH
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3ab652a6a4..37fff3a38f 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1978,13 +1978,9 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1978 1978
1979 kl = SSL_C_EXPORT_PKEYLENGTH(cipher); 1979 kl = SSL_C_EXPORT_PKEYLENGTH(cipher);
1980 1980
1981#ifndef OPENSSL_NO_RSA
1982 rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); 1981 rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
1983 rsa_tmp_export = (c->rsa_tmp_cb != NULL || 1982 rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
1984 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); 1983 (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
1985#else
1986 rsa_tmp = rsa_tmp_export = 0;
1987#endif
1988#ifndef OPENSSL_NO_DH 1984#ifndef OPENSSL_NO_DH
1989 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); 1985 dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
1990 dh_tmp_export = (c->dh_tmp_cb != NULL || 1986 dh_tmp_export = (c->dh_tmp_cb != NULL ||
@@ -2990,7 +2986,6 @@ SSL_want(const SSL *s)
2990 * \param cb the callback 2986 * \param cb the callback
2991 */ 2987 */
2992 2988
2993#ifndef OPENSSL_NO_RSA
2994void 2989void
2995SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, 2990SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,
2996 int is_export, 2991 int is_export,
@@ -3006,7 +3001,6 @@ int keylength))
3006{ 3001{
3007 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb); 3002 SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
3008} 3003}
3009#endif
3010 3004
3011#ifdef DOXYGEN 3005#ifdef DOXYGEN
3012/*! 3006/*!
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 483723736a..5767c1dd4b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -159,12 +159,8 @@
159#endif 159#endif
160#include <openssl/bio.h> 160#include <openssl/bio.h>
161#include <openssl/stack.h> 161#include <openssl/stack.h>
162#ifndef OPENSSL_NO_RSA
163#include <openssl/rsa.h> 162#include <openssl/rsa.h>
164#endif
165#ifndef OPENSSL_NO_DSA
166#include <openssl/dsa.h> 163#include <openssl/dsa.h>
167#endif
168#include <openssl/err.h> 164#include <openssl/err.h>
169#include <openssl/ssl.h> 165#include <openssl/ssl.h>
170 166
@@ -500,10 +496,8 @@ typedef struct cert_st {
500 unsigned long mask_a; 496 unsigned long mask_a;
501 unsigned long export_mask_k; 497 unsigned long export_mask_k;
502 unsigned long export_mask_a; 498 unsigned long export_mask_a;
503#ifndef OPENSSL_NO_RSA
504 RSA *rsa_tmp; 499 RSA *rsa_tmp;
505 RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize); 500 RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize);
506#endif
507#ifndef OPENSSL_NO_DH 501#ifndef OPENSSL_NO_DH
508 DH *dh_tmp; 502 DH *dh_tmp;
509 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); 503 DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
@@ -531,9 +525,7 @@ typedef struct sess_cert_st {
531 /* Obviously we don't have the private keys of these, 525 /* Obviously we don't have the private keys of these,
532 * so maybe we shouldn't even use the CERT_PKEY type here. */ 526 * so maybe we shouldn't even use the CERT_PKEY type here. */
533 527
534#ifndef OPENSSL_NO_RSA
535 RSA *peer_rsa_tmp; /* not used for SSL 2 */ 528 RSA *peer_rsa_tmp; /* not used for SSL 2 */
536#endif
537#ifndef OPENSSL_NO_DH 529#ifndef OPENSSL_NO_DH
538 DH *peer_dh_tmp; /* not used for SSL 2 */ 530 DH *peer_dh_tmp; /* not used for SSL 2 */
539#endif 531#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 078df55f06..05d18de1d9 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -142,7 +142,6 @@ SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
142 return (ret); 142 return (ret);
143} 143}
144 144
145#ifndef OPENSSL_NO_RSA
146int 145int
147SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 146SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
148{ 147{
@@ -169,7 +168,6 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
169 EVP_PKEY_free(pkey); 168 EVP_PKEY_free(pkey);
170 return (ret); 169 return (ret);
171} 170}
172#endif
173 171
174static int 172static int
175ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 173ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
@@ -189,14 +187,12 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
189 EVP_PKEY_free(pktmp); 187 EVP_PKEY_free(pktmp);
190 ERR_clear_error(); 188 ERR_clear_error();
191 189
192#ifndef OPENSSL_NO_RSA
193 /* Don't check the public/private key, this is mostly 190 /* Don't check the public/private key, this is mostly
194 * for smart cards. */ 191 * for smart cards. */
195 if ((pkey->type == EVP_PKEY_RSA) && 192 if ((pkey->type == EVP_PKEY_RSA) &&
196 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 193 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
197; 194;
198 else 195 else
199#endif
200 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 196 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
201 X509_free(c->pkeys[i].x509); 197 X509_free(c->pkeys[i].x509);
202 c->pkeys[i].x509 = NULL; 198 c->pkeys[i].x509 = NULL;
@@ -214,7 +210,6 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
214 return (1); 210 return (1);
215} 211}
216 212
217#ifndef OPENSSL_NO_RSA
218#ifndef OPENSSL_NO_STDIO 213#ifndef OPENSSL_NO_STDIO
219int 214int
220SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 215SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
@@ -274,7 +269,6 @@ SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
274 RSA_free(rsa); 269 RSA_free(rsa);
275 return (ret); 270 return (ret);
276} 271}
277#endif /* !OPENSSL_NO_RSA */
278 272
279int 273int
280SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 274SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
@@ -390,7 +384,6 @@ ssl_set_cert(CERT *c, X509 *x)
390 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 384 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
391 ERR_clear_error(); 385 ERR_clear_error();
392 386
393#ifndef OPENSSL_NO_RSA
394 /* Don't check the public/private key, this is mostly 387 /* Don't check the public/private key, this is mostly
395 * for smart cards. */ 388 * for smart cards. */
396 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 389 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
@@ -398,7 +391,6 @@ ssl_set_cert(CERT *c, X509 *x)
398 RSA_METHOD_FLAG_NO_CHECK)) 391 RSA_METHOD_FLAG_NO_CHECK))
399; 392;
400 else 393 else
401#endif /* OPENSSL_NO_RSA */
402 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 394 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
403 /* don't fail for a cert/key mismatch, just free 395 /* don't fail for a cert/key mismatch, just free
404 * current private key (when switching to a different 396 * current private key (when switching to a different
@@ -485,7 +477,6 @@ SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
485 return (ret); 477 return (ret);
486} 478}
487 479
488#ifndef OPENSSL_NO_RSA
489int 480int
490SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 481SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
491{ 482{
@@ -572,7 +563,6 @@ SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
572 RSA_free(rsa); 563 RSA_free(rsa);
573 return (ret); 564 return (ret);
574} 565}
575#endif /* !OPENSSL_NO_RSA */
576 566
577int 567int
578SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 568SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 304140d7f6..6ee2289153 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -310,17 +310,9 @@ tls1_ec_nid2curve_id(int nid)
310 * customisable at some point, for now include everything we support. 310 * customisable at some point, for now include everything we support.
311 */ 311 */
312 312
313#ifdef OPENSSL_NO_RSA
314#define tlsext_sigalg_rsa(md) /* */
315#else
316#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa, 313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
317#endif
318 314
319#ifdef OPENSSL_NO_DSA
320#define tlsext_sigalg_dsa(md) /* */
321#else
322#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa, 315#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
323#endif
324 316
325#ifdef OPENSSL_NO_ECDSA 317#ifdef OPENSSL_NO_ECDSA
326#define tlsext_sigalg_ecdsa(md) /* */ 318#define tlsext_sigalg_ecdsa(md) /* */
@@ -2202,12 +2194,8 @@ static tls12_lookup tls12_md[] = {
2202}; 2194};
2203 2195
2204static tls12_lookup tls12_sig[] = { 2196static tls12_lookup tls12_sig[] = {
2205#ifndef OPENSSL_NO_RSA
2206 {EVP_PKEY_RSA, TLSEXT_signature_rsa}, 2197 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2207#endif
2208#ifndef OPENSSL_NO_DSA
2209 {EVP_PKEY_DSA, TLSEXT_signature_dsa}, 2198 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2210#endif
2211#ifndef OPENSSL_NO_ECDSA 2199#ifndef OPENSSL_NO_ECDSA
2212 {EVP_PKEY_EC, TLSEXT_signature_ecdsa} 2200 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2213#endif 2201#endif
@@ -2307,16 +2295,12 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2307 unsigned char hash_alg = data[i], sig_alg = data[i + 1]; 2295 unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2308 2296
2309 switch (sig_alg) { 2297 switch (sig_alg) {
2310#ifndef OPENSSL_NO_RSA
2311 case TLSEXT_signature_rsa: 2298 case TLSEXT_signature_rsa:
2312 idx = SSL_PKEY_RSA_SIGN; 2299 idx = SSL_PKEY_RSA_SIGN;
2313 break; 2300 break;
2314#endif
2315#ifndef OPENSSL_NO_DSA
2316 case TLSEXT_signature_dsa: 2301 case TLSEXT_signature_dsa:
2317 idx = SSL_PKEY_DSA_SIGN; 2302 idx = SSL_PKEY_DSA_SIGN;
2318 break; 2303 break;
2319#endif
2320#ifndef OPENSSL_NO_ECDSA 2304#ifndef OPENSSL_NO_ECDSA
2321 case TLSEXT_signature_ecdsa: 2305 case TLSEXT_signature_ecdsa:
2322 idx = SSL_PKEY_ECC; 2306 idx = SSL_PKEY_ECC;
@@ -2341,16 +2325,12 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2341 /* Set any remaining keys to default values. NOTE: if alg is not 2325 /* Set any remaining keys to default values. NOTE: if alg is not
2342 * supported it stays as NULL. 2326 * supported it stays as NULL.
2343 */ 2327 */
2344#ifndef OPENSSL_NO_DSA
2345 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2328 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2346 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); 2329 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2347#endif
2348#ifndef OPENSSL_NO_RSA
2349 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { 2330 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2350 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 2331 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2351 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 2332 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2352 } 2333 }
2353#endif
2354#ifndef OPENSSL_NO_ECDSA 2334#ifndef OPENSSL_NO_ECDSA
2355 if (!c->pkeys[SSL_PKEY_ECC].digest) 2335 if (!c->pkeys[SSL_PKEY_ECC].digest)
2356 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); 2336 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 23:07:12 +0000