authortedu <>2014-05-29 18:11:13 +0000
committertedu <>2014-05-29 18:11:13 +0000
commit36abfd12740be4329b29e295bfcee8fe22c637d4 (patch)
treee214d026b5b66638630daa4617eb61197c96abb9 /src
parent2aab478749f62f40d50f6200a1396b6352051369 (diff)
unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_clnt.c12
-rw-r--r--src/lib/libssl/d1_srvr.c16
-rw-r--r--src/lib/libssl/s3_clnt.c40
-rw-r--r--src/lib/libssl/s3_lib.c36
-rw-r--r--src/lib/libssl/s3_srvr.c30
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c12
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c16
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c40
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c36
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c30
-rw-r--r--src/lib/libssl/src/ssl/ssl.h4
-rw-r--r--src/lib/libssl/src/ssl/ssl3.h4
-rw-r--r--src/lib/libssl/src/ssl/ssl_algs.c2
-rw-r--r--src/lib/libssl/src/ssl/ssl_cert.c22
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c11
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c20
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h10
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c10
-rw-r--r--src/lib/libssl/ssl.h4
-rw-r--r--src/lib/libssl/ssl3.h4
-rw-r--r--src/lib/libssl/ssl_algs.c2
-rw-r--r--src/lib/libssl/ssl_cert.c22
-rw-r--r--src/lib/libssl/ssl_ciph.c11
-rw-r--r--src/lib/libssl/ssl_lib.c20
-rw-r--r--src/lib/libssl/ssl_locl.h10
-rw-r--r--src/lib/libssl/t1_lib.c10
26 files changed, 0 insertions, 434 deletions
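--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -121,9 +121,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 
 static const SSL_METHOD *dtls1_get_client_method(int ver);
 static int dtls1_get_hello_verify(SSL *s);
@@ -958,14 +956,12 @@ dtls1_send_client_key_exchange(SSL *s)
  unsigned long alg_k;
  unsigned char *q;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *clnt_ecdh = NULL;
  const EC_POINT *srvr_ecpoint = NULL;
  EVP_PKEY *srvr_pub_pkey = NULL;
  unsigned char *encodedPoint = NULL;
  int encoded_pt_len = 0;
  BN_CTX * bn_ctx = NULL;
-#endif
 
  if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
  d = (unsigned char *)s->init_buf->data;
@@ -1021,7 +1017,6 @@ dtls1_send_client_key_exchange(SSL *s)
  tmp_buf, sizeof tmp_buf);
  OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  DH *dh_srvr, *dh_clnt;
 
@@ -1071,8 +1066,6 @@ dtls1_send_client_key_exchange(SSL *s)
 
  /* perhaps clean things up a bit EAY EAY EAY EAY*/
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  const EC_GROUP *srvr_group = NULL;
  EC_KEY *tkey;
@@ -1236,7 +1229,6 @@ dtls1_send_client_key_exchange(SSL *s)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
  }
-#endif /* !OPENSSL_NO_ECDH */
 
 #ifndef OPENSSL_NO_PSK
  else if (alg_k & SSL_kPSK) {
@@ -1340,13 +1332,11 @@ psk_err:
  /* SSL3_ST_CW_KEY_EXCH_B */
  return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
 err:
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  free(encodedPoint);
  if (clnt_ecdh != NULL)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
-#endif
  return (-1);
 }
 
@@ -1391,7 +1381,6 @@ dtls1_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  if (!ECDSA_sign(pkey->save_type,
  &(data[MD5_DIGEST_LENGTH]),
@@ -1404,7 +1393,6 @@ dtls1_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#endif
  {
  SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
  goto err;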
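--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -122,9 +122,7 @@
 #include <openssl/x509.h>
 #include <openssl/md5.h>
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 
 static const SSL_METHOD *dtls1_get_server_method(int ver);
 static int dtls1_send_hello_verify_request(SSL *s);
@@ -1036,17 +1034,13 @@ dtls1_send_server_key_exchange(SSL *s)
  RSA *rsa;
  unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
  unsigned int u;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL, *dhp;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL, *ecdhp;
  unsigned char *encodedPoint = NULL;
  int encodedlen = 0;
  int curve_id = 0;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 #ifndef OPENSSL_NO_PSK
  size_t pskhintlen = 0;
 #endif
@@ -1093,7 +1087,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[1] = rsa->e;
  s->s3->tmp.use_rsa_tmp = 1;
  } else
-#ifndef OPENSSL_NO_DH
  if (type & SSL_kEDH) {
  dhp = cert->dh_tmp;
  if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1138,8 +1131,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[1] = dh->g;
  r[2] = dh->pub_key;
  } else
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  const EC_GROUP *group;
 
@@ -1252,7 +1243,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[2] = NULL;
  r[3] = NULL;
  } else
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
  pskhintlen = strlen(s->ctx->psk_identity_hint);
@@ -1296,7 +1286,6 @@ dtls1_send_server_key_exchange(SSL *s)
  p += nr[i];
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  /* XXX: For now, we only support named (not generic) curves.
  * In this situation, the serverKeyExchange message has:
@@ -1318,7 +1307,6 @@ dtls1_send_server_key_exchange(SSL *s)
  encodedPoint = NULL;
  p += encodedlen;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
@@ -1376,7 +1364,6 @@ dtls1_send_server_key_exchange(SSL *s)
  s2n(i, p);
  n += i + 2;
  } else
-#if !defined(OPENSSL_NO_ECDSA)
  if (pkey->type == EVP_PKEY_EC) {
  /* let's do ECDSA */
  EVP_SignInit_ex(&md_ctx, EVP_ecdsa(), NULL);
@@ -1391,7 +1378,6 @@ dtls1_send_server_key_exchange(SSL *s)
  s2n(i, p);
  n += i + 2;
  } else
-#endif
  {
  /* Is this error check actually needed? */
  al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1418,10 +1404,8 @@ dtls1_send_server_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  free(encodedPoint);
  BN_CTX_free(bn_ctx);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }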
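--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -155,9 +155,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -1263,16 +1261,12 @@ ssl3_get_key_exchange(SSL *s)
  EVP_PKEY *pkey = NULL;
  const EVP_MD *md = NULL;
  RSA *rsa = NULL;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL;
  BN_CTX *bn_ctx = NULL;
  EC_POINT *srvr_ecpoint = NULL;
  int curve_nid = 0;
  int encoded_pt_len = 0;
-#endif
 
  /*
  * Use same message size as in ssl3_get_certificate_request()
@@ -1306,18 +1300,14 @@ ssl3_get_key_exchange(SSL *s)
  RSA_free(s->session->sess_cert->peer_rsa_tmp);
  s->session->sess_cert->peer_rsa_tmp = NULL;
  }
-#ifndef OPENSSL_NO_DH
  if (s->session->sess_cert->peer_dh_tmp) {
  DH_free(s->session->sess_cert->peer_dh_tmp);
  s->session->sess_cert->peer_dh_tmp = NULL;
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->session->sess_cert->peer_ecdh_tmp) {
  EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
  s->session->sess_cert->peer_ecdh_tmp = NULL;
  }
-#endif
  } else {
  s->session->sess_cert = ssl_sess_cert_new();
  }
@@ -1424,7 +1414,6 @@ ssl3_get_key_exchange(SSL *s)
  s->session->sess_cert->peer_rsa_tmp = rsa;
  rsa = NULL;
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & SSL_kEDH) {
  if ((dh = DH_new()) == NULL) {
  SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -1495,9 +1484,7 @@ ssl3_get_key_exchange(SSL *s)
  SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
  goto f_err;
  }
-#endif /* !OPENSSL_NO_DH */
 
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & SSL_kEECDH) {
  EC_GROUP *ngroup;
  const EC_GROUP *group;
@@ -1585,12 +1572,10 @@ ssl3_get_key_exchange(SSL *s)
  pkey = X509_get_pubkey(
  s->session->sess_cert->peer_pkeys[
  SSL_PKEY_RSA_ENC].x509);
-#ifndef OPENSSL_NO_ECDSA
  else if (alg_a & SSL_aECDSA)
  pkey = X509_get_pubkey(
  s->session->sess_cert->peer_pkeys[
  SSL_PKEY_ECC].x509);
-#endif
  /* Else anonymous ECDH, so no certificate or pkey. */
  EC_KEY_set_public_key(ecdh, srvr_ecpoint);
  s->session->sess_cert->peer_ecdh_tmp = ecdh;
@@ -1605,7 +1590,6 @@ ssl3_get_key_exchange(SSL *s)
  SSL_R_UNEXPECTED_MESSAGE);
  goto f_err;
  }
-#endif /* !OPENSSL_NO_ECDH */
 
  /* p points to the next byte, there are 'n' bytes left */
 
@@ -1731,16 +1715,12 @@ ssl3_get_key_exchange(SSL *s)
  EVP_PKEY_free(pkey);
  if (rsa != NULL)
  RSA_free(rsa);
-#ifndef OPENSSL_NO_DH
  if (dh != NULL)
  DH_free(dh);
-#endif
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  EC_POINT_free(srvr_ecpoint);
  if (ecdh != NULL)
  EC_KEY_free(ecdh);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }
@@ -2084,14 +2064,12 @@ ssl3_send_client_key_exchange(SSL *s)
  unsigned long alg_k;
  unsigned char *q;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *clnt_ecdh = NULL;
  const EC_POINT *srvr_ecpoint = NULL;
  EVP_PKEY *srvr_pub_pkey = NULL;
  unsigned char *encodedPoint = NULL;
  int encoded_pt_len = 0;
  BN_CTX *bn_ctx = NULL;
-#endif
 
  if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
  d = (unsigned char *)s->init_buf->data;
@@ -2151,7 +2129,6 @@ ssl3_send_client_key_exchange(SSL *s)
  s, s->session->master_key, tmp_buf, sizeof tmp_buf);
  OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  DH *dh_srvr, *dh_clnt;
 
@@ -2217,9 +2194,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
  /* perhaps clean things up a bit EAY EAY EAY EAY*/
  }
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  const EC_GROUP *srvr_group = NULL;
  EC_KEY *tkey;
@@ -2399,7 +2374,6 @@ ssl3_send_client_key_exchange(SSL *s)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
  }
-#endif /* !OPENSSL_NO_ECDH */
  else if (alg_k & SSL_kGOST) {
  /* GOST key exchange message creation */
  EVP_PKEY_CTX *pkey_ctx;
@@ -2608,13 +2582,11 @@ ssl3_send_client_key_exchange(SSL *s)
  /* SSL3_ST_CW_KEY_EXCH_B */
  return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
  err:
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  free(encodedPoint);
  if (clnt_ecdh != NULL)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
-#endif
  return (-1);
 }
 
@@ -2703,7 +2675,6 @@ ssl3_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  if (!ECDSA_sign(pkey->save_type,
  &(data[MD5_DIGEST_LENGTH]),
@@ -2716,7 +2687,6 @@ ssl3_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#endif
  if (pkey->type == NID_id_GostR3410_94 ||
  pkey->type == NID_id_GostR3410_2001) {
  unsigned char signbuf[64];
@@ -2836,9 +2806,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
  EVP_PKEY *pkey = NULL;
  SESS_CERT *sc;
  RSA *rsa;
-#ifndef OPENSSL_NO_DH
  DH *dh;
-#endif
 
  alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -2855,14 +2823,11 @@ ssl3_check_cert_and_algorithm(SSL *s)
  }
 
  rsa = s->session->sess_cert->peer_rsa_tmp;
-#ifndef OPENSSL_NO_DH
  dh = s->session->sess_cert->peer_dh_tmp;
-#endif
 
  /* This is the passed certificate. */
 
  idx = sc->peer_cert_type;
-#ifndef OPENSSL_NO_ECDH
  if (idx == SSL_PKEY_ECC) {
  if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
  s) == 0)
@@ -2874,7 +2839,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  return (1);
  }
  }
-#endif
  pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
  i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
  EVP_PKEY_free(pkey);
@@ -2897,7 +2861,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  SSL_R_MISSING_RSA_ENCRYPTING_CERT);
  goto f_err;
  }
-#ifndef OPENSSL_NO_DH
  if ((alg_k & SSL_kEDH) &&
  !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
  SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
@@ -2913,7 +2876,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  SSL_R_MISSING_DH_DSA_CERT);
  goto f_err;
  }
-#endif
 
  if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  !has_bits(i, EVP_PKT_EXP)) {
@@ -2925,7 +2887,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  goto f_err;
  }
  } else
-#ifndef OPENSSL_NO_DH
  if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  if (dh == NULL || DH_size(dh) * 8 >
  SSL_C_EXPORT_PKEYLENGTH(
@@ -2936,7 +2897,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  goto f_err;
  }
  } else
-#endif
  {
  SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
  SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);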
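--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -157,9 +157,7 @@
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 #include <openssl/md5.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 
 const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
 
@@ -1523,7 +1521,6 @@ SSL_CIPHER ssl3_ciphers[] = {
  .alg_bits = 256,
  },
 
-#ifndef OPENSSL_NO_ECDH
  /* Cipher C001 */
  {
  .valid = 1,
@@ -1923,9 +1920,7 @@ SSL_CIPHER ssl3_ciphers[] = {
  .strength_bits = 256,
  .alg_bits = 256,
  },
-#endif /* OPENSSL_NO_ECDH */
 
-#ifndef OPENSSL_NO_ECDH
 
  /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
 
@@ -2187,7 +2182,6 @@ SSL_CIPHER ssl3_ciphers[] = {
  .alg_bits = 256,
  },
 
-#endif /* OPENSSL_NO_ECDH */
 
 
 #ifdef TEMP_GOST_TLS
@@ -2343,14 +2337,10 @@ ssl3_free(SSL *s)
  if (s->s3->wbuf.buf != NULL)
  ssl3_release_write_buffer(s);
  free(s->s3->rrec.comp);
-#ifndef OPENSSL_NO_DH
  if (s->s3->tmp.dh != NULL)
  DH_free(s->s3->tmp.dh);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->s3->tmp.ecdh != NULL)
  EC_KEY_free(s->s3->tmp.ecdh);
-#endif
 
  if (s->s3->tmp.ca_names != NULL)
  sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
@@ -2385,18 +2375,14 @@ ssl3_clear(SSL *s)
  free(s->s3->rrec.comp);
  s->s3->rrec.comp = NULL;
 
-#ifndef OPENSSL_NO_DH
  if (s->s3->tmp.dh != NULL) {
  DH_free(s->s3->tmp.dh);
  s->s3->tmp.dh = NULL;
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->s3->tmp.ecdh != NULL) {
  EC_KEY_free(s->s3->tmp.ecdh);
  s->s3->tmp.ecdh = NULL;
  }
-#endif
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
  s->s3->is_probably_safari = 0;
@@ -2505,7 +2491,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
  return (ret);
  }
  break;
-#ifndef OPENSSL_NO_DH
  case SSL_CTRL_SET_TMP_DH:
  {
  DH *dh = (DH *)parg;
@@ -2540,8 +2525,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
  return (ret);
  }
  break;
-#endif
-#ifndef OPENSSL_NO_ECDH
  case SSL_CTRL_SET_TMP_ECDH:
  {
  EC_KEY *ecdh = NULL;
@@ -2578,7 +2561,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
  return (ret);
  }
  break;
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_TLSEXT
  case SSL_CTRL_SET_TLSEXT_HOSTNAME:
  if (larg == TLSEXT_NAMETYPE_host_name) {
@@ -2701,21 +2683,17 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
  s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
  }
  break;
-#ifndef OPENSSL_NO_DH
  case SSL_CTRL_SET_TMP_DH_CB:
  {
  s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
  }
  break;
-#endif
-#ifndef OPENSSL_NO_ECDH
  case SSL_CTRL_SET_TMP_ECDH_CB:
  {
  s->cert->ecdh_tmp_cb =
  (EC_KEY *(*)(SSL *, int, int))fp;
  }
  break;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
  case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
  s->tlsext_debug_cb = (void (*)(SSL *, int , int,
@@ -2777,7 +2755,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  return (0);
  }
  break;
-#ifndef OPENSSL_NO_DH
  case SSL_CTRL_SET_TMP_DH:
  {
  DH *new = NULL, *dh;
@@ -2809,8 +2786,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  return (0);
  }
  break;
-#endif
-#ifndef OPENSSL_NO_ECDH
  case SSL_CTRL_SET_TMP_ECDH:
  {
  EC_KEY *ecdh = NULL;
@@ -2849,7 +2824,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  return (0);
  }
  break;
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_TLSEXT
  case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
  ctx->tlsext_servername_arg = parg;
@@ -2932,20 +2906,16 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
  cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
  }
  break;
-#ifndef OPENSSL_NO_DH
  case SSL_CTRL_SET_TMP_DH_CB:
  {
  cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
  }
  break;
-#endif
-#ifndef OPENSSL_NO_ECDH
  case SSL_CTRL_SET_TMP_ECDH_CB:
  {
  cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
  }
  break;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
  case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
  ctx->tlsext_servername_callback =
@@ -3255,7 +3225,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
  }
 #endif
 
-#ifndef OPENSSL_NO_DH
  if (alg_k & (SSL_kDHr|SSL_kEDH)) {
  p[ret++] = SSL3_CT_RSA_FIXED_DH;
  p[ret++] = SSL3_CT_DSS_FIXED_DH;
@@ -3265,17 +3234,13 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
  p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
  p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
  }
-#endif /* !OPENSSL_NO_DH */
  p[ret++] = SSL3_CT_RSA_SIGN;
  p[ret++] = SSL3_CT_DSS_SIGN;
-#ifndef OPENSSL_NO_ECDH
  if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) {
  p[ret++] = TLS_CT_RSA_FIXED_ECDH;
  p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
  }
-#endif
 
-#ifndef OPENSSL_NO_ECDSA
  /*
  * ECDSA certs can be used with RSA cipher suites as well
  * so we don't need to check for SSL_kECDH or SSL_kEECDH
@@ -3283,7 +3248,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
  if (s->version >= TLS1_VERSION) {
  p[ret++] = TLS_CT_ECDSA_SIGN;
  }
-#endif
  return (ret);
 }
 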
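--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -159,9 +159,7 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
@@ -881,18 +879,14 @@ ssl3_check_client_hello(SSL *s)
  * which will now be aborted. (A full SSL_clear would be too
  * much.)
  */
-#ifndef OPENSSL_NO_DH
  if (s->s3->tmp.dh != NULL) {
  DH_free(s->s3->tmp.dh);
  s->s3->tmp.dh = NULL;
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->s3->tmp.ecdh != NULL) {
  EC_KEY_free(s->s3->tmp.ecdh);
  s->s3->tmp.ecdh = NULL;
  }
-#endif
  s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
  return (2);
  }
@@ -1509,17 +1503,13 @@ ssl3_send_server_key_exchange(SSL *s)
  RSA *rsa;
  unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
  unsigned int u;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL, *dhp;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL, *ecdhp;
  unsigned char *encodedPoint = NULL;
  int encodedlen = 0;
  int curve_id = 0;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 #ifndef OPENSSL_NO_PSK
  size_t pskhintlen = 0;
 #endif
@@ -1570,7 +1560,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[1] = rsa->e;
  s->s3->tmp.use_rsa_tmp = 1;
  } else
-#ifndef OPENSSL_NO_DH
  if (type & SSL_kEDH) {
  dhp = cert->dh_tmp;
  if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1620,8 +1609,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[1] = dh->g;
  r[2] = dh->pub_key;
  } else
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  const EC_GROUP *group;
 
@@ -1747,7 +1734,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[2] = NULL;
  r[3] = NULL;
  } else
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
  pskhintlen = strlen(s->ctx->psk_identity_hint);
@@ -1793,7 +1779,6 @@ ssl3_send_server_key_exchange(SSL *s)
  p += nr[i];
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  /*
  * XXX: For now, we only support named (not generic)
@@ -1817,7 +1802,6 @@ ssl3_send_server_key_exchange(SSL *s)
  encodedPoint = NULL;
  p += encodedlen;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
@@ -1926,10 +1910,8 @@ ssl3_send_server_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  free(encodedPoint);
  BN_CTX_free(bn_ctx);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }
@@ -2042,18 +2024,14 @@ ssl3_get_client_key_exchange(SSL *s)
  unsigned char *p;
  RSA *rsa = NULL;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_DH
  BIGNUM *pub = NULL;
  DH *dh_srvr;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *srvr_ecdh = NULL;
  EVP_PKEY *clnt_pub_pkey = NULL;
  EC_POINT *clnt_ecpoint = NULL;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 
  n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
  SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
@@ -2173,7 +2151,6 @@ ssl3_get_client_key_exchange(SSL *s)
  p, i);
  OPENSSL_cleanse(p, i);
  } else
-#ifndef OPENSSL_NO_DH
  if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  n2s(p, i);
  if (n != i + 2) {
@@ -2229,9 +2206,7 @@ ssl3_get_client_key_exchange(SSL *s)
  s, s->session->master_key, p, i);
  OPENSSL_cleanse(p, i);
  } else
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  int ret = 1;
  int field_size = 0;
@@ -2375,7 +2350,6 @@ ssl3_get_client_key_exchange(SSL *s)
  OPENSSL_cleanse(p, i);
  return (ret);
  } else
-#endif
 #ifndef OPENSSL_NO_PSK
  if (alg_k & SSL_kPSK) {
  unsigned char *t = NULL;
@@ -2542,13 +2516,11 @@ ssl3_get_client_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  EVP_PKEY_free(clnt_pub_pkey);
  EC_POINT_free(clnt_ecpoint);
  if (srvr_ecdh != NULL)
  EC_KEY_free(srvr_ecdh);
  BN_CTX_free(bn_ctx);
-#endif
  return (-1);
 }
 
@@ -2722,7 +2694,6 @@ ssl3_get_cert_verify(SSL *s)
  goto f_err;
  }
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  j = ECDSA_verify(pkey->save_type,
  &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
@@ -2735,7 +2706,6 @@ ssl3_get_cert_verify(SSL *s)
  goto f_err;
  }
  } else
-#endif
  if (pkey->type == NID_id_GostR3410_94 ||
  pkey->type == NID_id_GostR3410_2001) {
  unsigned char signature[64];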
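--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -121,9 +121,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 
 static const SSL_METHOD *dtls1_get_client_method(int ver);
 static int dtls1_get_hello_verify(SSL *s);
@@ -958,14 +956,12 @@ dtls1_send_client_key_exchange(SSL *s)
  unsigned long alg_k;
  unsigned char *q;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *clnt_ecdh = NULL;
  const EC_POINT *srvr_ecpoint = NULL;
  EVP_PKEY *srvr_pub_pkey = NULL;
  unsigned char *encodedPoint = NULL;
  int encoded_pt_len = 0;
  BN_CTX * bn_ctx = NULL;
-#endif
 
  if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
  d = (unsigned char *)s->init_buf->data;
@@ -1021,7 +1017,6 @@ dtls1_send_client_key_exchange(SSL *s)
  tmp_buf, sizeof tmp_buf);
  OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  DH *dh_srvr, *dh_clnt;
 
@@ -1071,8 +1066,6 @@ dtls1_send_client_key_exchange(SSL *s)
 
  /* perhaps clean things up a bit EAY EAY EAY EAY*/
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  const EC_GROUP *srvr_group = NULL;
  EC_KEY *tkey;
@@ -1236,7 +1229,6 @@ dtls1_send_client_key_exchange(SSL *s)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
  }
-#endif /* !OPENSSL_NO_ECDH */
 
 #ifndef OPENSSL_NO_PSK
  else if (alg_k & SSL_kPSK) {
@@ -1340,13 +1332,11 @@ psk_err:
  /* SSL3_ST_CW_KEY_EXCH_B */
  return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
 err:
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  free(encodedPoint);
  if (clnt_ecdh != NULL)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
-#endif
  return (-1);
 }
 
@@ -1391,7 +1381,6 @@ dtls1_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  if (!ECDSA_sign(pkey->save_type,
  &(data[MD5_DIGEST_LENGTH]),
@@ -1404,7 +1393,6 @@ dtls1_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#endif
  {
  SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
  goto err;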
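--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -122,9 +122,7 @@
 #include <openssl/x509.h>
 #include <openssl/md5.h>
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 
 static const SSL_METHOD *dtls1_get_server_method(int ver);
 static int dtls1_send_hello_verify_request(SSL *s);
@@ -1036,17 +1034,13 @@ dtls1_send_server_key_exchange(SSL *s)
  RSA *rsa;
  unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
  unsigned int u;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL, *dhp;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL, *ecdhp;
  unsigned char *encodedPoint = NULL;
  int encodedlen = 0;
  int curve_id = 0;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 #ifndef OPENSSL_NO_PSK
  size_t pskhintlen = 0;
 #endif
@@ -1093,7 +1087,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[1] = rsa->e;
  s->s3->tmp.use_rsa_tmp = 1;
  } else
-#ifndef OPENSSL_NO_DH
  if (type & SSL_kEDH) {
  dhp = cert->dh_tmp;
  if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1138,8 +1131,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[1] = dh->g;
  r[2] = dh->pub_key;
  } else
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  const EC_GROUP *group;
 
@@ -1252,7 +1243,6 @@ dtls1_send_server_key_exchange(SSL *s)
  r[2] = NULL;
  r[3] = NULL;
  } else
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
  pskhintlen = strlen(s->ctx->psk_identity_hint);
@@ -1296,7 +1286,6 @@ dtls1_send_server_key_exchange(SSL *s)
  p += nr[i];
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  /* XXX: For now, we only support named (not generic) curves.
  * In this situation, the serverKeyExchange message has:
@@ -1318,7 +1307,6 @@ dtls1_send_server_key_exchange(SSL *s)
  encodedPoint = NULL;
  p += encodedlen;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
@@ -1376,7 +1364,6 @@ dtls1_send_server_key_exchange(SSL *s)
  s2n(i, p);
  n += i + 2;
  } else
-#if !defined(OPENSSL_NO_ECDSA)
  if (pkey->type == EVP_PKEY_EC) {
  /* let's do ECDSA */
  EVP_SignInit_ex(&md_ctx, EVP_ecdsa(), NULL);
@@ -1391,7 +1378,6 @@ dtls1_send_server_key_exchange(SSL *s)
  s2n(i, p);
  n += i + 2;
  } else
-#endif
  {
  /* Is this error check actually needed? */
  al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1418,10 +1404,8 @@ dtls1_send_server_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  free(encodedPoint);
  BN_CTX_free(bn_ctx);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }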
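--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -155,9 +155,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -1263,16 +1261,12 @@ ssl3_get_key_exchange(SSL *s)
  EVP_PKEY *pkey = NULL;
  const EVP_MD *md = NULL;
  RSA *rsa = NULL;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL;
  BN_CTX *bn_ctx = NULL;
  EC_POINT *srvr_ecpoint = NULL;
  int curve_nid = 0;
  int encoded_pt_len = 0;
-#endif
 
  /*
  * Use same message size as in ssl3_get_certificate_request()
@@ -1306,18 +1300,14 @@ ssl3_get_key_exchange(SSL *s)
  RSA_free(s->session->sess_cert->peer_rsa_tmp);
  s->session->sess_cert->peer_rsa_tmp = NULL;
  }
-#ifndef OPENSSL_NO_DH
  if (s->session->sess_cert->peer_dh_tmp) {
  DH_free(s->session->sess_cert->peer_dh_tmp);
  s->session->sess_cert->peer_dh_tmp = NULL;
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->session->sess_cert->peer_ecdh_tmp) {
  EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
  s->session->sess_cert->peer_ecdh_tmp = NULL;
  }
-#endif
  } else {
  s->session->sess_cert = ssl_sess_cert_new();
  }
@@ -1424,7 +1414,6 @@ ssl3_get_key_exchange(SSL *s)
  s->session->sess_cert->peer_rsa_tmp = rsa;
  rsa = NULL;
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & SSL_kEDH) {
  if ((dh = DH_new()) == NULL) {
  SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -1495,9 +1484,7 @@ ssl3_get_key_exchange(SSL *s)
  SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
  goto f_err;
  }
-#endif /* !OPENSSL_NO_DH */
 
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & SSL_kEECDH) {
  EC_GROUP *ngroup;
  const EC_GROUP *group;
@@ -1585,12 +1572,10 @@ ssl3_get_key_exchange(SSL *s)
  pkey = X509_get_pubkey(
  s->session->sess_cert->peer_pkeys[
  SSL_PKEY_RSA_ENC].x509);
-#ifndef OPENSSL_NO_ECDSA
  else if (alg_a & SSL_aECDSA)
  pkey = X509_get_pubkey(
  s->session->sess_cert->peer_pkeys[
  SSL_PKEY_ECC].x509);
-#endif
  /* Else anonymous ECDH, so no certificate or pkey. */
  EC_KEY_set_public_key(ecdh, srvr_ecpoint);
  s->session->sess_cert->peer_ecdh_tmp = ecdh;
@@ -1605,7 +1590,6 @@ ssl3_get_key_exchange(SSL *s)
  SSL_R_UNEXPECTED_MESSAGE);
  goto f_err;
  }
-#endif /* !OPENSSL_NO_ECDH */
 
  /* p points to the next byte, there are 'n' bytes left */
 
@@ -1731,16 +1715,12 @@ ssl3_get_key_exchange(SSL *s)
  EVP_PKEY_free(pkey);
  if (rsa != NULL)
  RSA_free(rsa);
-#ifndef OPENSSL_NO_DH
  if (dh != NULL)
  DH_free(dh);
-#endif
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  EC_POINT_free(srvr_ecpoint);
  if (ecdh != NULL)
  EC_KEY_free(ecdh);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }
@@ -2084,14 +2064,12 @@ ssl3_send_client_key_exchange(SSL *s)
  unsigned long alg_k;
  unsigned char *q;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *clnt_ecdh = NULL;
  const EC_POINT *srvr_ecpoint = NULL;
  EVP_PKEY *srvr_pub_pkey = NULL;
  unsigned char *encodedPoint = NULL;
  int encoded_pt_len = 0;
  BN_CTX *bn_ctx = NULL;
-#endif
 
  if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
  d = (unsigned char *)s->init_buf->data;
@@ -2151,7 +2129,6 @@ ssl3_send_client_key_exchange(SSL *s)
  s, s->session->master_key, tmp_buf, sizeof tmp_buf);
  OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  }
-#ifndef OPENSSL_NO_DH
  else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  DH *dh_srvr, *dh_clnt;
 
@@ -2217,9 +2194,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
  /* perhaps clean things up a bit EAY EAY EAY EAY*/
  }
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  const EC_GROUP *srvr_group = NULL;
  EC_KEY *tkey;
@@ -2399,7 +2374,6 @@ ssl3_send_client_key_exchange(SSL *s)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
  }
-#endif /* !OPENSSL_NO_ECDH */
  else if (alg_k & SSL_kGOST) {
  /* GOST key exchange message creation */
  EVP_PKEY_CTX *pkey_ctx;
@@ -2608,13 +2582,11 @@ ssl3_send_client_key_exchange(SSL *s)
  /* SSL3_ST_CW_KEY_EXCH_B */
  return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
  err:
-#ifndef OPENSSL_NO_ECDH
  BN_CTX_free(bn_ctx);
  free(encodedPoint);
  if (clnt_ecdh != NULL)
  EC_KEY_free(clnt_ecdh);
  EVP_PKEY_free(srvr_pub_pkey);
-#endif
  return (-1);
 }
 
@@ -2703,7 +2675,6 @@ ssl3_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  if (!ECDSA_sign(pkey->save_type,
  &(data[MD5_DIGEST_LENGTH]),
@@ -2716,7 +2687,6 @@ ssl3_send_client_verify(SSL *s)
  s2n(j, p);
  n = j + 2;
  } else
-#endif
  if (pkey->type == NID_id_GostR3410_94 ||
  pkey->type == NID_id_GostR3410_2001) {
  unsigned char signbuf[64];
@@ -2836,9 +2806,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
  EVP_PKEY *pkey = NULL;
  SESS_CERT *sc;
  RSA *rsa;
-#ifndef OPENSSL_NO_DH
  DH *dh;
-#endif
 
  alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -2855,14 +2823,11 @@ ssl3_check_cert_and_algorithm(SSL *s)
  }
 
  rsa = s->session->sess_cert->peer_rsa_tmp;
-#ifndef OPENSSL_NO_DH
  dh = s->session->sess_cert->peer_dh_tmp;
-#endif
 
  /* This is the passed certificate. */
 
  idx = sc->peer_cert_type;
-#ifndef OPENSSL_NO_ECDH
  if (idx == SSL_PKEY_ECC) {
  if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
  s) == 0)
@@ -2874,7 +2839,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  return (1);
  }
  }
-#endif
  pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
  i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
  EVP_PKEY_free(pkey);
@@ -2897,7 +2861,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  SSL_R_MISSING_RSA_ENCRYPTING_CERT);
  goto f_err;
  }
-#ifndef OPENSSL_NO_DH
  if ((alg_k & SSL_kEDH) &&
  !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
  SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
@@ -2913,7 +2876,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  SSL_R_MISSING_DH_DSA_CERT);
  goto f_err;
  }
-#endif
 
  if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  !has_bits(i, EVP_PKT_EXP)) {
@@ -2925,7 +2887,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  goto f_err;
  }
  } else
-#ifndef OPENSSL_NO_DH
  if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  if (dh == NULL || DH_size(dh) * 8 >
  SSL_C_EXPORT_PKEYLENGTH(
@@ -2936,7 +2897,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
  goto f_err;
  }
  } else
-#endif
  {
  SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
  SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);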
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index e3770bd0ae..2c15a87269 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -157,9 +157,7 @@
157#endif /* OPENSSL_NO_EC */ 157#endif /* OPENSSL_NO_EC */
158#endif /* OPENSSL_NO_TLSEXT */ 158#endif /* OPENSSL_NO_TLSEXT */
159#include <openssl/md5.h> 159#include <openssl/md5.h>
160#ifndef OPENSSL_NO_DH
161#include <openssl/dh.h> 160#include <openssl/dh.h>
162#endif
163 161
164const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; 162const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
165 163
@@ -1523,7 +1521,6 @@ SSL_CIPHER ssl3_ciphers[] = {
1523 .alg_bits = 256, 1521 .alg_bits = 256,
1524 }, 1522 },
1525 1523
1526#ifndef OPENSSL_NO_ECDH
1527 /* Cipher C001 */ 1524 /* Cipher C001 */
1528 { 1525 {
1529 .valid = 1, 1526 .valid = 1,
@@ -1923,9 +1920,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1923 .strength_bits = 256, 1920 .strength_bits = 256,
1924 .alg_bits = 256, 1921 .alg_bits = 256,
1925 }, 1922 },
1926#endif /* OPENSSL_NO_ECDH */
1927 1923
1928#ifndef OPENSSL_NO_ECDH
1929 1924
1930 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 1925 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
1931 1926
@@ -2187,7 +2182,6 @@ SSL_CIPHER ssl3_ciphers[] = {
2187 .alg_bits = 256, 2182 .alg_bits = 256,
2188 }, 2183 },
2189 2184
2190#endif /* OPENSSL_NO_ECDH */
2191 2185
2192 2186
2193#ifdef TEMP_GOST_TLS 2187#ifdef TEMP_GOST_TLS
@@ -2343,14 +2337,10 @@ ssl3_free(SSL *s)
2343 if (s->s3->wbuf.buf != NULL) 2337 if (s->s3->wbuf.buf != NULL)
2344 ssl3_release_write_buffer(s); 2338 ssl3_release_write_buffer(s);
2345 free(s->s3->rrec.comp); 2339 free(s->s3->rrec.comp);
2346#ifndef OPENSSL_NO_DH
2347 if (s->s3->tmp.dh != NULL) 2340 if (s->s3->tmp.dh != NULL)
2348 DH_free(s->s3->tmp.dh); 2341 DH_free(s->s3->tmp.dh);
2349#endif
2350#ifndef OPENSSL_NO_ECDH
2351 if (s->s3->tmp.ecdh != NULL) 2342 if (s->s3->tmp.ecdh != NULL)
2352 EC_KEY_free(s->s3->tmp.ecdh); 2343 EC_KEY_free(s->s3->tmp.ecdh);
2353#endif
2354 2344
2355 if (s->s3->tmp.ca_names != NULL) 2345 if (s->s3->tmp.ca_names != NULL)
2356 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); 2346 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
@@ -2385,18 +2375,14 @@ ssl3_clear(SSL *s)
2385 free(s->s3->rrec.comp); 2375 free(s->s3->rrec.comp);
2386 s->s3->rrec.comp = NULL; 2376 s->s3->rrec.comp = NULL;
2387 2377
2388#ifndef OPENSSL_NO_DH
2389 if (s->s3->tmp.dh != NULL) { 2378 if (s->s3->tmp.dh != NULL) {
2390 DH_free(s->s3->tmp.dh); 2379 DH_free(s->s3->tmp.dh);
2391 s->s3->tmp.dh = NULL; 2380 s->s3->tmp.dh = NULL;
2392 } 2381 }
2393#endif
2394#ifndef OPENSSL_NO_ECDH
2395 if (s->s3->tmp.ecdh != NULL) { 2382 if (s->s3->tmp.ecdh != NULL) {
2396 EC_KEY_free(s->s3->tmp.ecdh); 2383 EC_KEY_free(s->s3->tmp.ecdh);
2397 s->s3->tmp.ecdh = NULL; 2384 s->s3->tmp.ecdh = NULL;
2398 } 2385 }
2399#endif
2400#ifndef OPENSSL_NO_TLSEXT 2386#ifndef OPENSSL_NO_TLSEXT
2401#ifndef OPENSSL_NO_EC 2387#ifndef OPENSSL_NO_EC
2402 s->s3->is_probably_safari = 0; 2388 s->s3->is_probably_safari = 0;
@@ -2505,7 +2491,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2505 return (ret); 2491 return (ret);
2506 } 2492 }
2507 break; 2493 break;
2508#ifndef OPENSSL_NO_DH
2509 case SSL_CTRL_SET_TMP_DH: 2494 case SSL_CTRL_SET_TMP_DH:
2510 { 2495 {
2511 DH *dh = (DH *)parg; 2496 DH *dh = (DH *)parg;
@@ -2540,8 +2525,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2540 return (ret); 2525 return (ret);
2541 } 2526 }
2542 break; 2527 break;
2543#endif
2544#ifndef OPENSSL_NO_ECDH
2545 case SSL_CTRL_SET_TMP_ECDH: 2528 case SSL_CTRL_SET_TMP_ECDH:
2546 { 2529 {
2547 EC_KEY *ecdh = NULL; 2530 EC_KEY *ecdh = NULL;
@@ -2578,7 +2561,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2578 return (ret); 2561 return (ret);
2579 } 2562 }
2580 break; 2563 break;
2581#endif /* !OPENSSL_NO_ECDH */
2582#ifndef OPENSSL_NO_TLSEXT 2564#ifndef OPENSSL_NO_TLSEXT
2583 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 2565 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
2584 if (larg == TLSEXT_NAMETYPE_host_name) { 2566 if (larg == TLSEXT_NAMETYPE_host_name) {
@@ -2701,21 +2683,17 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
2701 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2683 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
2702 } 2684 }
2703 break; 2685 break;
2704#ifndef OPENSSL_NO_DH
2705 case SSL_CTRL_SET_TMP_DH_CB: 2686 case SSL_CTRL_SET_TMP_DH_CB:
2706 { 2687 {
2707 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2688 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2708 } 2689 }
2709 break; 2690 break;
2710#endif
2711#ifndef OPENSSL_NO_ECDH
2712 case SSL_CTRL_SET_TMP_ECDH_CB: 2691 case SSL_CTRL_SET_TMP_ECDH_CB:
2713 { 2692 {
2714 s->cert->ecdh_tmp_cb = 2693 s->cert->ecdh_tmp_cb =
2715 (EC_KEY *(*)(SSL *, int, int))fp; 2694 (EC_KEY *(*)(SSL *, int, int))fp;
2716 } 2695 }
2717 break; 2696 break;
2718#endif
2719#ifndef OPENSSL_NO_TLSEXT 2697#ifndef OPENSSL_NO_TLSEXT
2720 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2698 case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
2721 s->tlsext_debug_cb = (void (*)(SSL *, int , int, 2699 s->tlsext_debug_cb = (void (*)(SSL *, int , int,
@@ -2777,7 +2755,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2777 return (0); 2755 return (0);
2778 } 2756 }
2779 break; 2757 break;
2780#ifndef OPENSSL_NO_DH
2781 case SSL_CTRL_SET_TMP_DH: 2758 case SSL_CTRL_SET_TMP_DH:
2782 { 2759 {
2783 DH *new = NULL, *dh; 2760 DH *new = NULL, *dh;
@@ -2809,8 +2786,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2809 return (0); 2786 return (0);
2810 } 2787 }
2811 break; 2788 break;
2812#endif
2813#ifndef OPENSSL_NO_ECDH
2814 case SSL_CTRL_SET_TMP_ECDH: 2789 case SSL_CTRL_SET_TMP_ECDH:
2815 { 2790 {
2816 EC_KEY *ecdh = NULL; 2791 EC_KEY *ecdh = NULL;
@@ -2849,7 +2824,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2849 return (0); 2824 return (0);
2850 } 2825 }
2851 break; 2826 break;
2852#endif /* !OPENSSL_NO_ECDH */
2853#ifndef OPENSSL_NO_TLSEXT 2827#ifndef OPENSSL_NO_TLSEXT
2854 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2828 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
2855 ctx->tlsext_servername_arg = parg; 2829 ctx->tlsext_servername_arg = parg;
@@ -2932,20 +2906,16 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2932 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2906 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
2933 } 2907 }
2934 break; 2908 break;
2935#ifndef OPENSSL_NO_DH
2936 case SSL_CTRL_SET_TMP_DH_CB: 2909 case SSL_CTRL_SET_TMP_DH_CB:
2937 { 2910 {
2938 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2911 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
2939 } 2912 }
2940 break; 2913 break;
2941#endif
2942#ifndef OPENSSL_NO_ECDH
2943 case SSL_CTRL_SET_TMP_ECDH_CB: 2914 case SSL_CTRL_SET_TMP_ECDH_CB:
2944 { 2915 {
2945 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2916 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
2946 } 2917 }
2947 break; 2918 break;
2948#endif
2949#ifndef OPENSSL_NO_TLSEXT 2919#ifndef OPENSSL_NO_TLSEXT
2950 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2920 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
2951 ctx->tlsext_servername_callback = 2921 ctx->tlsext_servername_callback =
@@ -3255,7 +3225,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3255 } 3225 }
3256#endif 3226#endif
3257 3227
3258#ifndef OPENSSL_NO_DH
3259 if (alg_k & (SSL_kDHr|SSL_kEDH)) { 3228 if (alg_k & (SSL_kDHr|SSL_kEDH)) {
3260 p[ret++] = SSL3_CT_RSA_FIXED_DH; 3229 p[ret++] = SSL3_CT_RSA_FIXED_DH;
3261 p[ret++] = SSL3_CT_DSS_FIXED_DH; 3230 p[ret++] = SSL3_CT_DSS_FIXED_DH;
@@ -3265,17 +3234,13 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3265 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; 3234 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
3266 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; 3235 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
3267 } 3236 }
3268#endif /* !OPENSSL_NO_DH */
3269 p[ret++] = SSL3_CT_RSA_SIGN; 3237 p[ret++] = SSL3_CT_RSA_SIGN;
3270 p[ret++] = SSL3_CT_DSS_SIGN; 3238 p[ret++] = SSL3_CT_DSS_SIGN;
3271#ifndef OPENSSL_NO_ECDH
3272 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { 3239 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) {
3273 p[ret++] = TLS_CT_RSA_FIXED_ECDH; 3240 p[ret++] = TLS_CT_RSA_FIXED_ECDH;
3274 p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; 3241 p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
3275 } 3242 }
3276#endif
3277 3243
3278#ifndef OPENSSL_NO_ECDSA
3279 /* 3244 /*
3280 * ECDSA certs can be used with RSA cipher suites as well 3245 * ECDSA certs can be used with RSA cipher suites as well
3281 * so we don't need to check for SSL_kECDH or SSL_kEECDH 3246 * so we don't need to check for SSL_kECDH or SSL_kEECDH
@@ -3283,7 +3248,6 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
3283 if (s->version >= TLS1_VERSION) { 3248 if (s->version >= TLS1_VERSION) {
3284 p[ret++] = TLS_CT_ECDSA_SIGN; 3249 p[ret++] = TLS_CT_ECDSA_SIGN;
3285 } 3250 }
3286#endif
3287 return (ret); 3251 return (ret);
3288} 3252}
3289 3253
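--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -159,9 +159,7 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
@@ -881,18 +879,14 @@ ssl3_check_client_hello(SSL *s)
  * which will now be aborted. (A full SSL_clear would be too
  * much.)
  */
-#ifndef OPENSSL_NO_DH
  if (s->s3->tmp.dh != NULL) {
  DH_free(s->s3->tmp.dh);
  s->s3->tmp.dh = NULL;
  }
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (s->s3->tmp.ecdh != NULL) {
  EC_KEY_free(s->s3->tmp.ecdh);
  s->s3->tmp.ecdh = NULL;
  }
-#endif
  s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
  return (2);
  }
@@ -1509,17 +1503,13 @@ ssl3_send_server_key_exchange(SSL *s)
  RSA *rsa;
  unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
  unsigned int u;
-#ifndef OPENSSL_NO_DH
  DH *dh = NULL, *dhp;
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL, *ecdhp;
  unsigned char *encodedPoint = NULL;
  int encodedlen = 0;
  int curve_id = 0;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 #ifndef OPENSSL_NO_PSK
  size_t pskhintlen = 0;
 #endif
@@ -1570,7 +1560,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[1] = rsa->e;
  s->s3->tmp.use_rsa_tmp = 1;
  } else
-#ifndef OPENSSL_NO_DH
  if (type & SSL_kEDH) {
  dhp = cert->dh_tmp;
  if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1620,8 +1609,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[1] = dh->g;
  r[2] = dh->pub_key;
  } else
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  const EC_GROUP *group;
 
@@ -1747,7 +1734,6 @@ ssl3_send_server_key_exchange(SSL *s)
  r[2] = NULL;
  r[3] = NULL;
  } else
-#endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
  pskhintlen = strlen(s->ctx->psk_identity_hint);
@@ -1793,7 +1779,6 @@ ssl3_send_server_key_exchange(SSL *s)
  p += nr[i];
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (type & SSL_kEECDH) {
  /*
  * XXX: For now, we only support named (not generic)
@@ -1817,7 +1802,6 @@ ssl3_send_server_key_exchange(SSL *s)
  encodedPoint = NULL;
  p += encodedlen;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  if (type & SSL_kPSK) {
@@ -1926,10 +1910,8 @@ ssl3_send_server_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  free(encodedPoint);
  BN_CTX_free(bn_ctx);
-#endif
  EVP_MD_CTX_cleanup(&md_ctx);
  return (-1);
 }
@@ -2042,18 +2024,14 @@ ssl3_get_client_key_exchange(SSL *s)
  unsigned char *p;
  RSA *rsa = NULL;
  EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_DH
  BIGNUM *pub = NULL;
  DH *dh_srvr;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *srvr_ecdh = NULL;
  EVP_PKEY *clnt_pub_pkey = NULL;
  EC_POINT *clnt_ecpoint = NULL;
  BN_CTX *bn_ctx = NULL;
 
-#endif
 
  n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
  SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
@@ -2173,7 +2151,6 @@ ssl3_get_client_key_exchange(SSL *s)
  p, i);
  OPENSSL_cleanse(p, i);
  } else
-#ifndef OPENSSL_NO_DH
  if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
  n2s(p, i);
  if (n != i + 2) {
@@ -2229,9 +2206,7 @@ ssl3_get_client_key_exchange(SSL *s)
  s, s->session->master_key, p, i);
  OPENSSL_cleanse(p, i);
  } else
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
  int ret = 1;
  int field_size = 0;
@@ -2375,7 +2350,6 @@ ssl3_get_client_key_exchange(SSL *s)
  OPENSSL_cleanse(p, i);
  return (ret);
  } else
-#endif
 #ifndef OPENSSL_NO_PSK
  if (alg_k & SSL_kPSK) {
  unsigned char *t = NULL;
@@ -2542,13 +2516,11 @@ ssl3_get_client_key_exchange(SSL *s)
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-#ifndef OPENSSL_NO_ECDH
  EVP_PKEY_free(clnt_pub_pkey);
  EC_POINT_free(clnt_ecpoint);
  if (srvr_ecdh != NULL)
  EC_KEY_free(srvr_ecdh);
  BN_CTX_free(bn_ctx);
-#endif
  return (-1);
 }
 
@@ -2722,7 +2694,6 @@ ssl3_get_cert_verify(SSL *s)
  goto f_err;
  }
  } else
-#ifndef OPENSSL_NO_ECDSA
  if (pkey->type == EVP_PKEY_EC) {
  j = ECDSA_verify(pkey->save_type,
  &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
@@ -2735,7 +2706,6 @@ ssl3_get_cert_verify(SSL *s)
  goto f_err;
  }
  } else
-#endif
  if (pkey->type == NID_id_GostR3410_94 ||
  pkey->type == NID_id_GostR3410_2001) {
  unsigned char signature[64];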
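--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1875,18 +1875,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
 
 void SSL_set_tmp_rsa_callback(SSL *ssl,
  RSA *(*cb)(SSL *ssl, int is_export, int keylength));
-#ifndef OPENSSL_NO_DH
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
  DH *(*dh)(SSL *ssl, int is_export, int keylength));
 void SSL_set_tmp_dh_callback(SSL *ssl,
  DH *(*dh)(SSL *ssl, int is_export, int keylength));
-#endif
-#ifndef OPENSSL_NO_ECDH
 void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
  EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
 void SSL_set_tmp_ecdh_callback(SSL *ssl,
  EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
-#endif
 
 #ifndef OPENSSL_NO_COMP
 const COMP_METHOD *SSL_get_current_compression(SSL *s);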
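--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -490,13 +490,9 @@ typedef struct ssl3_state_st {
 
  /* used to hold the new cipher we are going to use */
  const SSL_CIPHER *new_cipher;
-#ifndef OPENSSL_NO_DH
  DH *dh;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh; /* holds short lived ECDH key */
-#endif
 
  /* used when SSL_ST_FLUSH_DATA is entered */
  int next_state;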
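--- a/src/lib/libssl/src/ssl/ssl_algs.c
+++ b/src/lib/libssl/src/ssl/ssl_algs.c
@@ -111,9 +111,7 @@ SSL_library_init(void)
  EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
  EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
  EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-#ifndef OPENSSL_NO_ECDSA
  EVP_add_digest(EVP_ecdsa());
-#endif
 #ifndef OPENSSL_NO_COMP
  /* This will initialise the built-in compression algorithms.
  The value returned is a STACK_OF(SSL_COMP), but that can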
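--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -125,9 +125,7 @@
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #include "ssl_locl.h"
 
@@ -165,9 +163,7 @@ ssl_cert_set_default_md(CERT *cert)
  cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-#ifndef OPENSSL_NO_ECDSA
  cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
 }
 
 CERT *
@@ -214,7 +210,6 @@ ssl_cert_dup(CERT *cert)
  }
  ret->rsa_tmp_cb = cert->rsa_tmp_cb;
 
-#ifndef OPENSSL_NO_DH
  if (cert->dh_tmp != NULL) {
  ret->dh_tmp = DHparams_dup(cert->dh_tmp);
  if (ret->dh_tmp == NULL) {
@@ -239,9 +234,7 @@ ssl_cert_dup(CERT *cert)
  }
  }
  ret->dh_tmp_cb = cert->dh_tmp_cb;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  if (cert->ecdh_tmp) {
  ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
  if (ret->ecdh_tmp == NULL) {
@@ -250,7 +243,6 @@ ssl_cert_dup(CERT *cert)
  }
  }
  ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (cert->pkeys[i].x509 != NULL) {
@@ -305,19 +297,13 @@ ssl_cert_dup(CERT *cert)
 
  return (ret);
 
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
 err:
-#endif
  if (ret->rsa_tmp != NULL)
  RSA_free(ret->rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (ret->dh_tmp != NULL)
  DH_free(ret->dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (ret->ecdh_tmp != NULL)
  EC_KEY_free(ret->ecdh_tmp);
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (ret->pkeys[i].x509 != NULL)
@@ -344,14 +330,10 @@ ssl_cert_free(CERT *c)
 
  if (c->rsa_tmp)
  RSA_free(c->rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (c->dh_tmp)
  DH_free(c->dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (c->ecdh_tmp)
  EC_KEY_free(c->ecdh_tmp);
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (c->pkeys[i].x509 != NULL)
@@ -437,14 +419,10 @@ ssl_sess_cert_free(SESS_CERT *sc)
 
  if (sc->peer_rsa_tmp != NULL)
  RSA_free(sc->peer_rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (sc->peer_dh_tmp != NULL)
  DH_free(sc->peer_dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (sc->peer_ecdh_tmp != NULL)
  EC_KEY_free(sc->peer_ecdh_tmp);
-#endif
 
  free(sc);
 }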
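--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -708,19 +708,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
 
  *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
  *auth |= SSL_aDH;
-#ifdef OPENSSL_NO_DH
- *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
- *auth |= SSL_aDH;
-#endif
  *mkey |= SSL_kKRB5;
  *auth |= SSL_aKRB5;
-#ifdef OPENSSL_NO_ECDSA
- *auth |= SSL_aECDSA;
-#endif
-#ifdef OPENSSL_NO_ECDH
- *mkey |= SSL_kECDHe|SSL_kECDHr;
- *auth |= SSL_aECDH;
-#endif
 #ifdef OPENSSL_NO_PSK
  *mkey |= SSL_kPSK;
  *auth |= SSL_aPSK;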
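--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -149,9 +149,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/rand.h>
 #include <openssl/ocsp.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -2002,9 +2000,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  int rsa_tmp_export, dh_tmp_export, kl;
  unsigned long mask_k, mask_a, emask_k, emask_a;
  int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
-#ifndef OPENSSL_NO_ECDH
  int have_ecdh_tmp;
-#endif
  X509 *x = NULL;
  EVP_PKEY *ecc_pkey = NULL;
  int signature_nid = 0, pk_nid = 0, md_nid = 0;
@@ -2017,17 +2013,11 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
  rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
  (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
-#ifndef OPENSSL_NO_DH
  dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
  dh_tmp_export = (c->dh_tmp_cb != NULL ||
  (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
-#else
- dh_tmp = dh_tmp_export = 0;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
-#endif
  cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
  rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
  rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
@@ -2128,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
  OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
  }
-#ifndef OPENSSL_NO_ECDH
  if (ecdh_ok) {
 
  if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
@@ -2149,21 +2138,16 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  }
  }
  }
-#endif
-#ifndef OPENSSL_NO_ECDSA
  if (ecdsa_ok) {
  mask_a|=SSL_aECDSA;
  emask_a|=SSL_aECDSA;
  }
-#endif
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (have_ecdh_tmp) {
  mask_k|=SSL_kEECDH;
  emask_k|=SSL_kEECDH;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  mask_k |= SSL_kPSK;
@@ -3072,7 +3056,6 @@ cb(SSL *ssl, int is_export, int keylength)
  * \param dh the callback
  */
 
-#ifndef OPENSSL_NO_DH
 void
 SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export,
  int keylength))
@@ -3086,9 +3069,7 @@ SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
 {
  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
 }
-#endif
 
-#ifndef OPENSSL_NO_ECDH
 void
 SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
  int is_export, int keylength))
@@ -3103,7 +3084,6 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
 {
  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
 }
-#endif
 
 #ifndef OPENSSL_NO_PSK
 int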
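--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -479,15 +479,11 @@ typedef struct cert_st {
  unsigned long export_mask_a;
  RSA *rsa_tmp;
  RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#ifndef OPENSSL_NO_DH
  DH *dh_tmp;
  DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh_tmp;
  /* Callback for generating ephemeral ECDH keys */
  EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#endif
 
  CERT_PKEY pkeys[SSL_PKEY_NUM];
 
@@ -507,12 +503,8 @@ typedef struct sess_cert_st {
  * so maybe we shouldn't even use the CERT_PKEY type here. */
 
  RSA *peer_rsa_tmp; /* not used for SSL 2 */
-#ifndef OPENSSL_NO_DH
  DH *peer_dh_tmp; /* not used for SSL 2 */
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *peer_ecdh_tmp;
-#endif
 
  int references; /* actually always 1 at the moment */
 } SESS_CERT;
@@ -836,9 +828,7 @@ int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
 int ssl_ok(SSL *s);
 
-#ifndef OPENSSL_NO_ECDH
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
-#endif
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 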
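--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -364,11 +364,7 @@ tls1_ec_nid2curve_id(int nid)
 
 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
 
-#ifdef OPENSSL_NO_ECDSA
-#define tlsext_sigalg_ecdsa(md) /* */
-#else
 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
-#endif
 
 #define tlsext_sigalg(md) \
  tlsext_sigalg_rsa(md) \
@@ -2221,9 +2217,7 @@ static tls12_lookup tls12_md[] = {
 static tls12_lookup tls12_sig[] = {
  {EVP_PKEY_RSA, TLSEXT_signature_rsa},
  {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-#ifndef OPENSSL_NO_ECDSA
  {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
-#endif
 };
 
 static int
@@ -2324,11 +2318,9 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  case TLSEXT_signature_dsa:
  idx = SSL_PKEY_DSA_SIGN;
  break;
-#ifndef OPENSSL_NO_ECDSA
  case TLSEXT_signature_ecdsa:
  idx = SSL_PKEY_ECC;
  break;
-#endif
  default:
  continue;
  }
@@ -2353,10 +2345,8 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  }
-#ifndef OPENSSL_NO_ECDSA
  if (!c->pkeys[SSL_PKEY_ECC].digest)
  c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
  return 1;
 }
 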
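--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1875,18 +1875,14 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
 
 void SSL_set_tmp_rsa_callback(SSL *ssl,
  RSA *(*cb)(SSL *ssl, int is_export, int keylength));
-#ifndef OPENSSL_NO_DH
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
  DH *(*dh)(SSL *ssl, int is_export, int keylength));
 void SSL_set_tmp_dh_callback(SSL *ssl,
  DH *(*dh)(SSL *ssl, int is_export, int keylength));
-#endif
-#ifndef OPENSSL_NO_ECDH
 void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
  EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
 void SSL_set_tmp_ecdh_callback(SSL *ssl,
  EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
-#endif
 
 #ifndef OPENSSL_NO_COMP
 const COMP_METHOD *SSL_get_current_compression(SSL *s);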
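--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -490,13 +490,9 @@ typedef struct ssl3_state_st {
 
  /* used to hold the new cipher we are going to use */
  const SSL_CIPHER *new_cipher;
-#ifndef OPENSSL_NO_DH
  DH *dh;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh; /* holds short lived ECDH key */
-#endif
 
  /* used when SSL_ST_FLUSH_DATA is entered */
  int next_state;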
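--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -111,9 +111,7 @@ SSL_library_init(void)
  EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
  EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
  EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-#ifndef OPENSSL_NO_ECDSA
  EVP_add_digest(EVP_ecdsa());
-#endif
 #ifndef OPENSSL_NO_COMP
  /* This will initialise the built-in compression algorithms.
  The value returned is a STACK_OF(SSL_COMP), but that can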
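--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -125,9 +125,7 @@
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #include <openssl/bn.h>
 #include "ssl_locl.h"
 
@@ -165,9 +163,7 @@ ssl_cert_set_default_md(CERT *cert)
  cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-#ifndef OPENSSL_NO_ECDSA
  cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
 }
 
 CERT *
@@ -214,7 +210,6 @@ ssl_cert_dup(CERT *cert)
  }
  ret->rsa_tmp_cb = cert->rsa_tmp_cb;
 
-#ifndef OPENSSL_NO_DH
  if (cert->dh_tmp != NULL) {
  ret->dh_tmp = DHparams_dup(cert->dh_tmp);
  if (ret->dh_tmp == NULL) {
@@ -239,9 +234,7 @@ ssl_cert_dup(CERT *cert)
  }
  }
  ret->dh_tmp_cb = cert->dh_tmp_cb;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  if (cert->ecdh_tmp) {
  ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
  if (ret->ecdh_tmp == NULL) {
@@ -250,7 +243,6 @@ ssl_cert_dup(CERT *cert)
  }
  }
  ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (cert->pkeys[i].x509 != NULL) {
@@ -305,19 +297,13 @@ ssl_cert_dup(CERT *cert)
 
  return (ret);
 
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
 err:
-#endif
  if (ret->rsa_tmp != NULL)
  RSA_free(ret->rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (ret->dh_tmp != NULL)
  DH_free(ret->dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (ret->ecdh_tmp != NULL)
  EC_KEY_free(ret->ecdh_tmp);
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (ret->pkeys[i].x509 != NULL)
@@ -344,14 +330,10 @@ ssl_cert_free(CERT *c)
 
  if (c->rsa_tmp)
  RSA_free(c->rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (c->dh_tmp)
  DH_free(c->dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (c->ecdh_tmp)
  EC_KEY_free(c->ecdh_tmp);
-#endif
 
  for (i = 0; i < SSL_PKEY_NUM; i++) {
  if (c->pkeys[i].x509 != NULL)
@@ -437,14 +419,10 @@ ssl_sess_cert_free(SESS_CERT *sc)
 
  if (sc->peer_rsa_tmp != NULL)
  RSA_free(sc->peer_rsa_tmp);
-#ifndef OPENSSL_NO_DH
  if (sc->peer_dh_tmp != NULL)
  DH_free(sc->peer_dh_tmp);
-#endif
-#ifndef OPENSSL_NO_ECDH
  if (sc->peer_ecdh_tmp != NULL)
  EC_KEY_free(sc->peer_ecdh_tmp);
-#endif
 
  free(sc);
 }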
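--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -708,19 +708,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
 
  *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
  *auth |= SSL_aDH;
-#ifdef OPENSSL_NO_DH
- *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
- *auth |= SSL_aDH;
-#endif
  *mkey |= SSL_kKRB5;
  *auth |= SSL_aKRB5;
-#ifdef OPENSSL_NO_ECDSA
- *auth |= SSL_aECDSA;
-#endif
-#ifdef OPENSSL_NO_ECDH
- *mkey |= SSL_kECDHe|SSL_kECDHr;
- *auth |= SSL_aECDH;
-#endif
 #ifdef OPENSSL_NO_PSK
  *mkey |= SSL_kPSK;
  *auth |= SSL_aPSK;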
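--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -149,9 +149,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/rand.h>
 #include <openssl/ocsp.h>
-#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#endif
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -2002,9 +2000,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  int rsa_tmp_export, dh_tmp_export, kl;
  unsigned long mask_k, mask_a, emask_k, emask_a;
  int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
-#ifndef OPENSSL_NO_ECDH
  int have_ecdh_tmp;
-#endif
  X509 *x = NULL;
  EVP_PKEY *ecc_pkey = NULL;
  int signature_nid = 0, pk_nid = 0, md_nid = 0;
@@ -2017,17 +2013,11 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
  rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
  (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
-#ifndef OPENSSL_NO_DH
  dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
  dh_tmp_export = (c->dh_tmp_cb != NULL ||
  (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
-#else
- dh_tmp = dh_tmp_export = 0;
-#endif
 
-#ifndef OPENSSL_NO_ECDH
  have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL);
-#endif
  cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
  rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
  rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
@@ -2128,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
  OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
  }
-#ifndef OPENSSL_NO_ECDH
  if (ecdh_ok) {
 
  if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
@@ -2149,21 +2138,16 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
  }
  }
  }
-#endif
-#ifndef OPENSSL_NO_ECDSA
  if (ecdsa_ok) {
  mask_a|=SSL_aECDSA;
  emask_a|=SSL_aECDSA;
  }
-#endif
  }
 
-#ifndef OPENSSL_NO_ECDH
  if (have_ecdh_tmp) {
  mask_k|=SSL_kEECDH;
  emask_k|=SSL_kEECDH;
  }
-#endif
 
 #ifndef OPENSSL_NO_PSK
  mask_k |= SSL_kPSK;
@@ -3072,7 +3056,6 @@ cb(SSL *ssl, int is_export, int keylength)
  * \param dh the callback
  */
 
-#ifndef OPENSSL_NO_DH
 void
 SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export,
  int keylength))
@@ -3086,9 +3069,7 @@ SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
 {
  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
 }
-#endif
 
-#ifndef OPENSSL_NO_ECDH
 void
 SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
  int is_export, int keylength))
@@ -3103,7 +3084,6 @@ SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
 {
  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
 }
-#endif
 
 #ifndef OPENSSL_NO_PSK
 int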
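--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -479,15 +479,11 @@ typedef struct cert_st {
  unsigned long export_mask_a;
  RSA *rsa_tmp;
  RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#ifndef OPENSSL_NO_DH
  DH *dh_tmp;
  DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh_tmp;
  /* Callback for generating ephemeral ECDH keys */
  EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-#endif
 
  CERT_PKEY pkeys[SSL_PKEY_NUM];
 
@@ -507,12 +503,8 @@ typedef struct sess_cert_st {
  * so maybe we shouldn't even use the CERT_PKEY type here. */
 
  RSA *peer_rsa_tmp; /* not used for SSL 2 */
-#ifndef OPENSSL_NO_DH
  DH *peer_dh_tmp; /* not used for SSL 2 */
-#endif
-#ifndef OPENSSL_NO_ECDH
  EC_KEY *peer_ecdh_tmp;
-#endif
 
  int references; /* actually always 1 at the moment */
 } SESS_CERT;
@@ -836,9 +828,7 @@ int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
 int ssl_ok(SSL *s);
 
-#ifndef OPENSSL_NO_ECDH
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
-#endif
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 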
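--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -364,11 +364,7 @@ tls1_ec_nid2curve_id(int nid)
 
 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
 
-#ifdef OPENSSL_NO_ECDSA
-#define tlsext_sigalg_ecdsa(md) /* */
-#else
 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
-#endif
 
 #define tlsext_sigalg(md) \
  tlsext_sigalg_rsa(md) \
@@ -2221,9 +2217,7 @@ static tls12_lookup tls12_md[] = {
 static tls12_lookup tls12_sig[] = {
  {EVP_PKEY_RSA, TLSEXT_signature_rsa},
  {EVP_PKEY_DSA, TLSEXT_signature_dsa},
-#ifndef OPENSSL_NO_ECDSA
  {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
-#endif
 };
 
 static int
@@ -2324,11 +2318,9 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  case TLSEXT_signature_dsa:
  idx = SSL_PKEY_DSA_SIGN;
  break;
-#ifndef OPENSSL_NO_ECDSA
  case TLSEXT_signature_ecdsa:
  idx = SSL_PKEY_ECC;
  break;
-#endif
  default:
  continue;
  }
@@ -2353,10 +2345,8 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
  c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
  c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
  }
-#ifndef OPENSSL_NO_ECDSA
  if (!c->pkeys[SSL_PKEY_ECC].digest)
  c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#endif
  return 1;
 }
 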