diff options
| author | jsing <> | 2014-10-31 14:51:01 +0000 |
|---|---|---|
| committer | jsing <> | 2014-10-31 14:51:01 +0000 |
| commit | 911a534951a7133a0e7f2314d3a57682c584c2f7 (patch) | |
| tree | cbc34cc64480c58a9e6b221bf4a12687fac6fd93 /src | |
| parent | 21b4fa8d2a511b2b7e7215bb18cb3836173fb390 (diff) | |
| download | openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.gz openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.tar.bz2 openbsd-911a534951a7133a0e7f2314d3a57682c584c2f7.zip | |
Remove support for ephemeral/temporary RSA private keys.
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/d1_srvr.c | 58 | ||||
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 103 | ||||
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 94 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/d1_srvr.c | 58 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_lib.c | 103 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 94 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl3.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_cert.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 5 | ||||
| -rw-r--r-- | src/lib/libssl/ssl3.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 5 |
14 files changed, 88 insertions, 474 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index a85715753c..d2f642f877 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: d1_srvr.c,v 1.41 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -446,27 +446,8 @@ dtls1_accept(SSL *s) | |||
| 446 | case SSL3_ST_SW_KEY_EXCH_B: | 446 | case SSL3_ST_SW_KEY_EXCH_B: |
| 447 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 447 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 448 | 448 | ||
| 449 | /* clear this, it may get reset by | 449 | /* Only send if using a DH key exchange. */ |
| 450 | * send_server_key_exchange */ | 450 | if (alg_k & (SSL_kDHE|SSL_kECDHE)) { |
| 451 | if ((s->options & SSL_OP_EPHEMERAL_RSA) | ||
| 452 | ) | ||
| 453 | /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key | ||
| 454 | * even when forbidden by protocol specs | ||
| 455 | * (handshake may fail as clients are not required to | ||
| 456 | * be able to handle this) */ | ||
| 457 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 458 | else | ||
| 459 | s->s3->tmp.use_rsa_tmp = 0; | ||
| 460 | |||
| 461 | /* only send if a DH key exchange or | ||
| 462 | * RSA but we have a sign only certificate */ | ||
| 463 | if (s->s3->tmp.use_rsa_tmp | ||
| 464 | || (alg_k & (SSL_kDHE|SSL_kECDHE)) | ||
| 465 | || ((alg_k & SSL_kRSA) | ||
| 466 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL | ||
| 467 | ) | ||
| 468 | ) | ||
| 469 | ) { | ||
| 470 | dtls1_start_timer(s); | 451 | dtls1_start_timer(s); |
| 471 | ret = dtls1_send_server_key_exchange(s); | 452 | ret = dtls1_send_server_key_exchange(s); |
| 472 | if (ret <= 0) | 453 | if (ret <= 0) |
| @@ -994,7 +975,6 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 994 | { | 975 | { |
| 995 | unsigned char *q; | 976 | unsigned char *q; |
| 996 | int j, num; | 977 | int j, num; |
| 997 | RSA *rsa; | ||
| 998 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; | 978 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; |
| 999 | unsigned int u; | 979 | unsigned int u; |
| 1000 | DH *dh = NULL, *dhp; | 980 | DH *dh = NULL, *dhp; |
| @@ -1024,28 +1004,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1024 | 1004 | ||
| 1025 | r[0] = r[1] = r[2] = r[3] = NULL; | 1005 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1026 | n = 0; | 1006 | n = 0; |
| 1027 | if (type & SSL_kRSA) { | 1007 | |
| 1028 | rsa = cert->rsa_tmp; | ||
| 1029 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { | ||
| 1030 | rsa = s->cert->rsa_tmp_cb(s, 0, | ||
| 1031 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1032 | if (rsa == NULL) { | ||
| 1033 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1034 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | ||
| 1035 | goto f_err; | ||
| 1036 | } | ||
| 1037 | RSA_up_ref(rsa); | ||
| 1038 | cert->rsa_tmp = rsa; | ||
| 1039 | } | ||
| 1040 | if (rsa == NULL) { | ||
| 1041 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1042 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY); | ||
| 1043 | goto f_err; | ||
| 1044 | } | ||
| 1045 | r[0] = rsa->n; | ||
| 1046 | r[1] = rsa->e; | ||
| 1047 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 1048 | } else | ||
| 1049 | if (type & SSL_kDHE) { | 1008 | if (type & SSL_kDHE) { |
| 1050 | dhp = cert->dh_tmp; | 1009 | dhp = cert->dh_tmp; |
| 1051 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1010 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) |
| @@ -1087,8 +1046,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1087 | r[0] = dh->p; | 1046 | r[0] = dh->p; |
| 1088 | r[1] = dh->g; | 1047 | r[1] = dh->g; |
| 1089 | r[2] = dh->pub_key; | 1048 | r[2] = dh->pub_key; |
| 1090 | } else | 1049 | } else if (type & SSL_kECDHE) { |
| 1091 | if (type & SSL_kECDHE) { | ||
| 1092 | const EC_GROUP *group; | 1050 | const EC_GROUP *group; |
| 1093 | 1051 | ||
| 1094 | ecdhp = cert->ecdh_tmp; | 1052 | ecdhp = cert->ecdh_tmp; |
| @@ -1185,10 +1143,10 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1185 | r[1] = NULL; | 1143 | r[1] = NULL; |
| 1186 | r[2] = NULL; | 1144 | r[2] = NULL; |
| 1187 | r[3] = NULL; | 1145 | r[3] = NULL; |
| 1188 | } else | 1146 | } else { |
| 1189 | { | ||
| 1190 | al = SSL_AD_HANDSHAKE_FAILURE; | 1147 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1191 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 1148 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, |
| 1149 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | ||
| 1192 | goto f_err; | 1150 | goto f_err; |
| 1193 | } | 1151 | } |
| 1194 | for (i = 0; r[i] != NULL; i++) { | 1152 | for (i = 0; r[i] != NULL; i++) { |
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 42f8074f8c..08c5111129 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.82 2014/10/03 13:58:17 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1934,8 +1934,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1934 | { | 1934 | { |
| 1935 | int ret = 0; | 1935 | int ret = 0; |
| 1936 | 1936 | ||
| 1937 | if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || | 1937 | if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { |
| 1938 | cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { | ||
| 1939 | if (!ssl_cert_inst(&s->cert)) { | 1938 | if (!ssl_cert_inst(&s->cert)) { |
| 1940 | SSLerr(SSL_F_SSL3_CTRL, | 1939 | SSLerr(SSL_F_SSL3_CTRL, |
| 1941 | ERR_R_MALLOC_FAILURE); | 1940 | ERR_R_MALLOC_FAILURE); |
| @@ -1963,36 +1962,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1963 | ret = (int)(s->s3->flags); | 1962 | ret = (int)(s->s3->flags); |
| 1964 | break; | 1963 | break; |
| 1965 | case SSL_CTRL_NEED_TMP_RSA: | 1964 | case SSL_CTRL_NEED_TMP_RSA: |
| 1966 | if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && | 1965 | ret = 0; |
| 1967 | ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | ||
| 1968 | (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) | ||
| 1969 | > (512 / 8)))) | ||
| 1970 | ret = 1; | ||
| 1971 | break; | 1966 | break; |
| 1972 | case SSL_CTRL_SET_TMP_RSA: | 1967 | case SSL_CTRL_SET_TMP_RSA: |
| 1973 | { | ||
| 1974 | RSA *rsa = (RSA *)parg; | ||
| 1975 | if (rsa == NULL) { | ||
| 1976 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1977 | ERR_R_PASSED_NULL_PARAMETER); | ||
| 1978 | return (ret); | ||
| 1979 | } | ||
| 1980 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { | ||
| 1981 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1982 | ERR_R_RSA_LIB); | ||
| 1983 | return (ret); | ||
| 1984 | } | ||
| 1985 | RSA_free(s->cert->rsa_tmp); | ||
| 1986 | s->cert->rsa_tmp = rsa; | ||
| 1987 | ret = 1; | ||
| 1988 | } | ||
| 1989 | break; | ||
| 1990 | case SSL_CTRL_SET_TMP_RSA_CB: | 1968 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 1991 | { | 1969 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 1992 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1993 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | ||
| 1994 | return (ret); | ||
| 1995 | } | ||
| 1996 | break; | 1970 | break; |
| 1997 | case SSL_CTRL_SET_TMP_DH: | 1971 | case SSL_CTRL_SET_TMP_DH: |
| 1998 | { | 1972 | { |
| @@ -2144,7 +2118,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
| 2144 | { | 2118 | { |
| 2145 | int ret = 0; | 2119 | int ret = 0; |
| 2146 | 2120 | ||
| 2147 | if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) { | 2121 | if (cmd == SSL_CTRL_SET_TMP_DH_CB) { |
| 2148 | if (!ssl_cert_inst(&s->cert)) { | 2122 | if (!ssl_cert_inst(&s->cert)) { |
| 2149 | SSLerr(SSL_F_SSL3_CALLBACK_CTRL, | 2123 | SSLerr(SSL_F_SSL3_CALLBACK_CTRL, |
| 2150 | ERR_R_MALLOC_FAILURE); | 2124 | ERR_R_MALLOC_FAILURE); |
| @@ -2154,20 +2128,13 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
| 2154 | 2128 | ||
| 2155 | switch (cmd) { | 2129 | switch (cmd) { |
| 2156 | case SSL_CTRL_SET_TMP_RSA_CB: | 2130 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2157 | { | 2131 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2158 | s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | ||
| 2159 | } | ||
| 2160 | break; | 2132 | break; |
| 2161 | case SSL_CTRL_SET_TMP_DH_CB: | 2133 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2162 | { | 2134 | s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; |
| 2163 | s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | ||
| 2164 | } | ||
| 2165 | break; | 2135 | break; |
| 2166 | case SSL_CTRL_SET_TMP_ECDH_CB: | 2136 | case SSL_CTRL_SET_TMP_ECDH_CB: |
| 2167 | { | 2137 | s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; |
| 2168 | s->cert->ecdh_tmp_cb = | ||
| 2169 | (EC_KEY *(*)(SSL *, int, int))fp; | ||
| 2170 | } | ||
| 2171 | break; | 2138 | break; |
| 2172 | case SSL_CTRL_SET_TLSEXT_DEBUG_CB: | 2139 | case SSL_CTRL_SET_TLSEXT_DEBUG_CB: |
| 2173 | s->tlsext_debug_cb = (void (*)(SSL *, int , int, | 2140 | s->tlsext_debug_cb = (void (*)(SSL *, int , int, |
| @@ -2188,45 +2155,11 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2188 | 2155 | ||
| 2189 | switch (cmd) { | 2156 | switch (cmd) { |
| 2190 | case SSL_CTRL_NEED_TMP_RSA: | 2157 | case SSL_CTRL_NEED_TMP_RSA: |
| 2191 | if ((cert->rsa_tmp == NULL) && | 2158 | return (0); |
| 2192 | ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | ||
| 2193 | (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > | ||
| 2194 | (512 / 8)))) | ||
| 2195 | return (1); | ||
| 2196 | else | ||
| 2197 | return (0); | ||
| 2198 | /* break; */ | ||
| 2199 | case SSL_CTRL_SET_TMP_RSA: | 2159 | case SSL_CTRL_SET_TMP_RSA: |
| 2200 | { | ||
| 2201 | RSA *rsa; | ||
| 2202 | int i; | ||
| 2203 | |||
| 2204 | rsa = (RSA *)parg; | ||
| 2205 | i = 1; | ||
| 2206 | if (rsa == NULL) | ||
| 2207 | i = 0; | ||
| 2208 | else { | ||
| 2209 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) | ||
| 2210 | i = 0; | ||
| 2211 | } | ||
| 2212 | if (!i) { | ||
| 2213 | SSLerr(SSL_F_SSL3_CTX_CTRL, | ||
| 2214 | ERR_R_RSA_LIB); | ||
| 2215 | return (0); | ||
| 2216 | } else { | ||
| 2217 | RSA_free(cert->rsa_tmp); | ||
| 2218 | cert->rsa_tmp = rsa; | ||
| 2219 | return (1); | ||
| 2220 | } | ||
| 2221 | } | ||
| 2222 | /* break; */ | ||
| 2223 | case SSL_CTRL_SET_TMP_RSA_CB: | 2160 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2224 | { | 2161 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2225 | SSLerr(SSL_F_SSL3_CTX_CTRL, | 2162 | return (0); |
| 2226 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | ||
| 2227 | return (0); | ||
| 2228 | } | ||
| 2229 | break; | ||
| 2230 | case SSL_CTRL_SET_TMP_DH: | 2163 | case SSL_CTRL_SET_TMP_DH: |
| 2231 | { | 2164 | { |
| 2232 | DH *new = NULL, *dh; | 2165 | DH *new = NULL, *dh; |
| @@ -2366,19 +2299,13 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
| 2366 | 2299 | ||
| 2367 | switch (cmd) { | 2300 | switch (cmd) { |
| 2368 | case SSL_CTRL_SET_TMP_RSA_CB: | 2301 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2369 | { | 2302 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2370 | cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | 2303 | return (0); |
| 2371 | } | ||
| 2372 | break; | ||
| 2373 | case SSL_CTRL_SET_TMP_DH_CB: | 2304 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2374 | { | 2305 | cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; |
| 2375 | cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | ||
| 2376 | } | ||
| 2377 | break; | 2306 | break; |
| 2378 | case SSL_CTRL_SET_TMP_ECDH_CB: | 2307 | case SSL_CTRL_SET_TMP_ECDH_CB: |
| 2379 | { | 2308 | cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; |
| 2380 | cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; | ||
| 2381 | } | ||
| 2382 | break; | 2309 | break; |
| 2383 | case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: | 2310 | case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: |
| 2384 | ctx->tlsext_servername_callback = | 2311 | ctx->tlsext_servername_callback = |
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 719b4c56c1..1b97895f76 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -392,37 +392,14 @@ ssl3_accept(SSL *s) | |||
| 392 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 392 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 393 | 393 | ||
| 394 | /* | 394 | /* |
| 395 | * Clear this, it may get reset by | 395 | * Only send if using a DH key exchange. |
| 396 | * send_server_key_exchange. | ||
| 397 | */ | ||
| 398 | if ((s->options & SSL_OP_EPHEMERAL_RSA) | ||
| 399 | ) | ||
| 400 | /* | ||
| 401 | * option SSL_OP_EPHEMERAL_RSA sends temporary | ||
| 402 | * RSA key even when forbidden by protocol | ||
| 403 | * specs (handshake may fail as clients are | ||
| 404 | * not required to be able to handle this) | ||
| 405 | */ | ||
| 406 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 407 | else | ||
| 408 | s->s3->tmp.use_rsa_tmp = 0; | ||
| 409 | |||
| 410 | |||
| 411 | /* | ||
| 412 | * Only send if a DH key exchange, fortezza or | ||
| 413 | * RSA but we have a sign only certificate. | ||
| 414 | * | 396 | * |
| 415 | * For ECC ciphersuites, we send a serverKeyExchange | 397 | * For ECC ciphersuites, we send a ServerKeyExchange |
| 416 | * message only if the cipher suite is either | 398 | * message only if the cipher suite is ECDHE. In other |
| 417 | * ECDH-anon or ECDHE. In other cases, the | 399 | * cases, the server certificate contains the server's |
| 418 | * server certificate contains the server's | ||
| 419 | * public key for key exchange. | 400 | * public key for key exchange. |
| 420 | */ | 401 | */ |
| 421 | if (s->s3->tmp.use_rsa_tmp || | 402 | if (alg_k & (SSL_kDHE|SSL_kECDHE)) { |
| 422 | (alg_k & (SSL_kDHE|SSL_kECDHE)) || | ||
| 423 | ((alg_k & SSL_kRSA) && | ||
| 424 | (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == | ||
| 425 | NULL))) { | ||
| 426 | ret = ssl3_send_server_key_exchange(s); | 403 | ret = ssl3_send_server_key_exchange(s); |
| 427 | if (ret <= 0) | 404 | if (ret <= 0) |
| 428 | goto end; | 405 | goto end; |
| @@ -1352,7 +1329,6 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1352 | { | 1329 | { |
| 1353 | unsigned char *q; | 1330 | unsigned char *q; |
| 1354 | int j, num; | 1331 | int j, num; |
| 1355 | RSA *rsa; | ||
| 1356 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; | 1332 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; |
| 1357 | unsigned int u; | 1333 | unsigned int u; |
| 1358 | DH *dh = NULL, *dhp; | 1334 | DH *dh = NULL, *dhp; |
| @@ -1383,31 +1359,6 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1383 | 1359 | ||
| 1384 | r[0] = r[1] = r[2] = r[3] = NULL; | 1360 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1385 | n = 0; | 1361 | n = 0; |
| 1386 | if (type & SSL_kRSA) { | ||
| 1387 | rsa = cert->rsa_tmp; | ||
| 1388 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { | ||
| 1389 | rsa = s->cert->rsa_tmp_cb(s, 0, | ||
| 1390 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1391 | if (rsa == NULL) { | ||
| 1392 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1393 | SSLerr( | ||
| 1394 | SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1395 | SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | ||
| 1396 | goto f_err; | ||
| 1397 | } | ||
| 1398 | RSA_up_ref(rsa); | ||
| 1399 | cert->rsa_tmp = rsa; | ||
| 1400 | } | ||
| 1401 | if (rsa == NULL) { | ||
| 1402 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1403 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1404 | SSL_R_MISSING_TMP_RSA_KEY); | ||
| 1405 | goto f_err; | ||
| 1406 | } | ||
| 1407 | r[0] = rsa->n; | ||
| 1408 | r[1] = rsa->e; | ||
| 1409 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 1410 | } else | ||
| 1411 | if (type & SSL_kDHE) { | 1362 | if (type & SSL_kDHE) { |
| 1412 | dhp = cert->dh_tmp; | 1363 | dhp = cert->dh_tmp; |
| 1413 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1364 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) |
| @@ -1855,32 +1806,15 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1855 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 1806 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1856 | 1807 | ||
| 1857 | if (alg_k & SSL_kRSA) { | 1808 | if (alg_k & SSL_kRSA) { |
| 1858 | /* FIX THIS UP EAY EAY EAY EAY */ | 1809 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; |
| 1859 | if (s->s3->tmp.use_rsa_tmp) { | 1810 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || |
| 1860 | if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) | 1811 | (pkey->pkey.rsa == NULL)) { |
| 1861 | rsa = s->cert->rsa_tmp; | 1812 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1862 | /* | 1813 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 1863 | * Don't do a callback because rsa_tmp should | 1814 | SSL_R_MISSING_RSA_CERTIFICATE); |
| 1864 | * be sent already | 1815 | goto f_err; |
| 1865 | */ | ||
| 1866 | if (rsa == NULL) { | ||
| 1867 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1868 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||
| 1869 | SSL_R_MISSING_TMP_RSA_PKEY); | ||
| 1870 | goto f_err; | ||
| 1871 | |||
| 1872 | } | ||
| 1873 | } else { | ||
| 1874 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; | ||
| 1875 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | ||
| 1876 | (pkey->pkey.rsa == NULL)) { | ||
| 1877 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1878 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||
| 1879 | SSL_R_MISSING_RSA_CERTIFICATE); | ||
| 1880 | goto f_err; | ||
| 1881 | } | ||
| 1882 | rsa = pkey->pkey.rsa; | ||
| 1883 | } | 1816 | } |
| 1817 | rsa = pkey->pkey.rsa; | ||
| 1884 | 1818 | ||
| 1885 | /* TLS and [incidentally] DTLS{0xFEFF} */ | 1819 | /* TLS and [incidentally] DTLS{0xFEFF} */ |
| 1886 | if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { | 1820 | if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { |
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c index a85715753c..d2f642f877 100644 --- a/src/lib/libssl/src/ssl/d1_srvr.c +++ b/src/lib/libssl/src/ssl/d1_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: d1_srvr.c,v 1.41 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -446,27 +446,8 @@ dtls1_accept(SSL *s) | |||
| 446 | case SSL3_ST_SW_KEY_EXCH_B: | 446 | case SSL3_ST_SW_KEY_EXCH_B: |
| 447 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 447 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 448 | 448 | ||
| 449 | /* clear this, it may get reset by | 449 | /* Only send if using a DH key exchange. */ |
| 450 | * send_server_key_exchange */ | 450 | if (alg_k & (SSL_kDHE|SSL_kECDHE)) { |
| 451 | if ((s->options & SSL_OP_EPHEMERAL_RSA) | ||
| 452 | ) | ||
| 453 | /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key | ||
| 454 | * even when forbidden by protocol specs | ||
| 455 | * (handshake may fail as clients are not required to | ||
| 456 | * be able to handle this) */ | ||
| 457 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 458 | else | ||
| 459 | s->s3->tmp.use_rsa_tmp = 0; | ||
| 460 | |||
| 461 | /* only send if a DH key exchange or | ||
| 462 | * RSA but we have a sign only certificate */ | ||
| 463 | if (s->s3->tmp.use_rsa_tmp | ||
| 464 | || (alg_k & (SSL_kDHE|SSL_kECDHE)) | ||
| 465 | || ((alg_k & SSL_kRSA) | ||
| 466 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL | ||
| 467 | ) | ||
| 468 | ) | ||
| 469 | ) { | ||
| 470 | dtls1_start_timer(s); | 451 | dtls1_start_timer(s); |
| 471 | ret = dtls1_send_server_key_exchange(s); | 452 | ret = dtls1_send_server_key_exchange(s); |
| 472 | if (ret <= 0) | 453 | if (ret <= 0) |
| @@ -994,7 +975,6 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 994 | { | 975 | { |
| 995 | unsigned char *q; | 976 | unsigned char *q; |
| 996 | int j, num; | 977 | int j, num; |
| 997 | RSA *rsa; | ||
| 998 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; | 978 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; |
| 999 | unsigned int u; | 979 | unsigned int u; |
| 1000 | DH *dh = NULL, *dhp; | 980 | DH *dh = NULL, *dhp; |
| @@ -1024,28 +1004,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1024 | 1004 | ||
| 1025 | r[0] = r[1] = r[2] = r[3] = NULL; | 1005 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1026 | n = 0; | 1006 | n = 0; |
| 1027 | if (type & SSL_kRSA) { | 1007 | |
| 1028 | rsa = cert->rsa_tmp; | ||
| 1029 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { | ||
| 1030 | rsa = s->cert->rsa_tmp_cb(s, 0, | ||
| 1031 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1032 | if (rsa == NULL) { | ||
| 1033 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1034 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | ||
| 1035 | goto f_err; | ||
| 1036 | } | ||
| 1037 | RSA_up_ref(rsa); | ||
| 1038 | cert->rsa_tmp = rsa; | ||
| 1039 | } | ||
| 1040 | if (rsa == NULL) { | ||
| 1041 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1042 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY); | ||
| 1043 | goto f_err; | ||
| 1044 | } | ||
| 1045 | r[0] = rsa->n; | ||
| 1046 | r[1] = rsa->e; | ||
| 1047 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 1048 | } else | ||
| 1049 | if (type & SSL_kDHE) { | 1008 | if (type & SSL_kDHE) { |
| 1050 | dhp = cert->dh_tmp; | 1009 | dhp = cert->dh_tmp; |
| 1051 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1010 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) |
| @@ -1087,8 +1046,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1087 | r[0] = dh->p; | 1046 | r[0] = dh->p; |
| 1088 | r[1] = dh->g; | 1047 | r[1] = dh->g; |
| 1089 | r[2] = dh->pub_key; | 1048 | r[2] = dh->pub_key; |
| 1090 | } else | 1049 | } else if (type & SSL_kECDHE) { |
| 1091 | if (type & SSL_kECDHE) { | ||
| 1092 | const EC_GROUP *group; | 1050 | const EC_GROUP *group; |
| 1093 | 1051 | ||
| 1094 | ecdhp = cert->ecdh_tmp; | 1052 | ecdhp = cert->ecdh_tmp; |
| @@ -1185,10 +1143,10 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1185 | r[1] = NULL; | 1143 | r[1] = NULL; |
| 1186 | r[2] = NULL; | 1144 | r[2] = NULL; |
| 1187 | r[3] = NULL; | 1145 | r[3] = NULL; |
| 1188 | } else | 1146 | } else { |
| 1189 | { | ||
| 1190 | al = SSL_AD_HANDSHAKE_FAILURE; | 1147 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1191 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 1148 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, |
| 1149 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | ||
| 1192 | goto f_err; | 1150 | goto f_err; |
| 1193 | } | 1151 | } |
| 1194 | for (i = 0; r[i] != NULL; i++) { | 1152 | for (i = 0; r[i] != NULL; i++) { |
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 42f8074f8c..08c5111129 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.82 2014/10/03 13:58:17 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.83 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1934,8 +1934,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1934 | { | 1934 | { |
| 1935 | int ret = 0; | 1935 | int ret = 0; |
| 1936 | 1936 | ||
| 1937 | if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || | 1937 | if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { |
| 1938 | cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { | ||
| 1939 | if (!ssl_cert_inst(&s->cert)) { | 1938 | if (!ssl_cert_inst(&s->cert)) { |
| 1940 | SSLerr(SSL_F_SSL3_CTRL, | 1939 | SSLerr(SSL_F_SSL3_CTRL, |
| 1941 | ERR_R_MALLOC_FAILURE); | 1940 | ERR_R_MALLOC_FAILURE); |
| @@ -1963,36 +1962,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | |||
| 1963 | ret = (int)(s->s3->flags); | 1962 | ret = (int)(s->s3->flags); |
| 1964 | break; | 1963 | break; |
| 1965 | case SSL_CTRL_NEED_TMP_RSA: | 1964 | case SSL_CTRL_NEED_TMP_RSA: |
| 1966 | if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && | 1965 | ret = 0; |
| 1967 | ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | ||
| 1968 | (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) | ||
| 1969 | > (512 / 8)))) | ||
| 1970 | ret = 1; | ||
| 1971 | break; | 1966 | break; |
| 1972 | case SSL_CTRL_SET_TMP_RSA: | 1967 | case SSL_CTRL_SET_TMP_RSA: |
| 1973 | { | ||
| 1974 | RSA *rsa = (RSA *)parg; | ||
| 1975 | if (rsa == NULL) { | ||
| 1976 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1977 | ERR_R_PASSED_NULL_PARAMETER); | ||
| 1978 | return (ret); | ||
| 1979 | } | ||
| 1980 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { | ||
| 1981 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1982 | ERR_R_RSA_LIB); | ||
| 1983 | return (ret); | ||
| 1984 | } | ||
| 1985 | RSA_free(s->cert->rsa_tmp); | ||
| 1986 | s->cert->rsa_tmp = rsa; | ||
| 1987 | ret = 1; | ||
| 1988 | } | ||
| 1989 | break; | ||
| 1990 | case SSL_CTRL_SET_TMP_RSA_CB: | 1968 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 1991 | { | 1969 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 1992 | SSLerr(SSL_F_SSL3_CTRL, | ||
| 1993 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | ||
| 1994 | return (ret); | ||
| 1995 | } | ||
| 1996 | break; | 1970 | break; |
| 1997 | case SSL_CTRL_SET_TMP_DH: | 1971 | case SSL_CTRL_SET_TMP_DH: |
| 1998 | { | 1972 | { |
| @@ -2144,7 +2118,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
| 2144 | { | 2118 | { |
| 2145 | int ret = 0; | 2119 | int ret = 0; |
| 2146 | 2120 | ||
| 2147 | if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) { | 2121 | if (cmd == SSL_CTRL_SET_TMP_DH_CB) { |
| 2148 | if (!ssl_cert_inst(&s->cert)) { | 2122 | if (!ssl_cert_inst(&s->cert)) { |
| 2149 | SSLerr(SSL_F_SSL3_CALLBACK_CTRL, | 2123 | SSLerr(SSL_F_SSL3_CALLBACK_CTRL, |
| 2150 | ERR_R_MALLOC_FAILURE); | 2124 | ERR_R_MALLOC_FAILURE); |
| @@ -2154,20 +2128,13 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) | |||
| 2154 | 2128 | ||
| 2155 | switch (cmd) { | 2129 | switch (cmd) { |
| 2156 | case SSL_CTRL_SET_TMP_RSA_CB: | 2130 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2157 | { | 2131 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2158 | s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | ||
| 2159 | } | ||
| 2160 | break; | 2132 | break; |
| 2161 | case SSL_CTRL_SET_TMP_DH_CB: | 2133 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2162 | { | 2134 | s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; |
| 2163 | s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | ||
| 2164 | } | ||
| 2165 | break; | 2135 | break; |
| 2166 | case SSL_CTRL_SET_TMP_ECDH_CB: | 2136 | case SSL_CTRL_SET_TMP_ECDH_CB: |
| 2167 | { | 2137 | s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; |
| 2168 | s->cert->ecdh_tmp_cb = | ||
| 2169 | (EC_KEY *(*)(SSL *, int, int))fp; | ||
| 2170 | } | ||
| 2171 | break; | 2138 | break; |
| 2172 | case SSL_CTRL_SET_TLSEXT_DEBUG_CB: | 2139 | case SSL_CTRL_SET_TLSEXT_DEBUG_CB: |
| 2173 | s->tlsext_debug_cb = (void (*)(SSL *, int , int, | 2140 | s->tlsext_debug_cb = (void (*)(SSL *, int , int, |
| @@ -2188,45 +2155,11 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2188 | 2155 | ||
| 2189 | switch (cmd) { | 2156 | switch (cmd) { |
| 2190 | case SSL_CTRL_NEED_TMP_RSA: | 2157 | case SSL_CTRL_NEED_TMP_RSA: |
| 2191 | if ((cert->rsa_tmp == NULL) && | 2158 | return (0); |
| 2192 | ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | ||
| 2193 | (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > | ||
| 2194 | (512 / 8)))) | ||
| 2195 | return (1); | ||
| 2196 | else | ||
| 2197 | return (0); | ||
| 2198 | /* break; */ | ||
| 2199 | case SSL_CTRL_SET_TMP_RSA: | 2159 | case SSL_CTRL_SET_TMP_RSA: |
| 2200 | { | ||
| 2201 | RSA *rsa; | ||
| 2202 | int i; | ||
| 2203 | |||
| 2204 | rsa = (RSA *)parg; | ||
| 2205 | i = 1; | ||
| 2206 | if (rsa == NULL) | ||
| 2207 | i = 0; | ||
| 2208 | else { | ||
| 2209 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) | ||
| 2210 | i = 0; | ||
| 2211 | } | ||
| 2212 | if (!i) { | ||
| 2213 | SSLerr(SSL_F_SSL3_CTX_CTRL, | ||
| 2214 | ERR_R_RSA_LIB); | ||
| 2215 | return (0); | ||
| 2216 | } else { | ||
| 2217 | RSA_free(cert->rsa_tmp); | ||
| 2218 | cert->rsa_tmp = rsa; | ||
| 2219 | return (1); | ||
| 2220 | } | ||
| 2221 | } | ||
| 2222 | /* break; */ | ||
| 2223 | case SSL_CTRL_SET_TMP_RSA_CB: | 2160 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2224 | { | 2161 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2225 | SSLerr(SSL_F_SSL3_CTX_CTRL, | 2162 | return (0); |
| 2226 | ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | ||
| 2227 | return (0); | ||
| 2228 | } | ||
| 2229 | break; | ||
| 2230 | case SSL_CTRL_SET_TMP_DH: | 2163 | case SSL_CTRL_SET_TMP_DH: |
| 2231 | { | 2164 | { |
| 2232 | DH *new = NULL, *dh; | 2165 | DH *new = NULL, *dh; |
| @@ -2366,19 +2299,13 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
| 2366 | 2299 | ||
| 2367 | switch (cmd) { | 2300 | switch (cmd) { |
| 2368 | case SSL_CTRL_SET_TMP_RSA_CB: | 2301 | case SSL_CTRL_SET_TMP_RSA_CB: |
| 2369 | { | 2302 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 2370 | cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | 2303 | return (0); |
| 2371 | } | ||
| 2372 | break; | ||
| 2373 | case SSL_CTRL_SET_TMP_DH_CB: | 2304 | case SSL_CTRL_SET_TMP_DH_CB: |
| 2374 | { | 2305 | cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; |
| 2375 | cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | ||
| 2376 | } | ||
| 2377 | break; | 2306 | break; |
| 2378 | case SSL_CTRL_SET_TMP_ECDH_CB: | 2307 | case SSL_CTRL_SET_TMP_ECDH_CB: |
| 2379 | { | 2308 | cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; |
| 2380 | cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; | ||
| 2381 | } | ||
| 2382 | break; | 2309 | break; |
| 2383 | case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: | 2310 | case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: |
| 2384 | ctx->tlsext_servername_callback = | 2311 | ctx->tlsext_servername_callback = |
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 719b4c56c1..1b97895f76 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -392,37 +392,14 @@ ssl3_accept(SSL *s) | |||
| 392 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 392 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 393 | 393 | ||
| 394 | /* | 394 | /* |
| 395 | * Clear this, it may get reset by | 395 | * Only send if using a DH key exchange. |
| 396 | * send_server_key_exchange. | ||
| 397 | */ | ||
| 398 | if ((s->options & SSL_OP_EPHEMERAL_RSA) | ||
| 399 | ) | ||
| 400 | /* | ||
| 401 | * option SSL_OP_EPHEMERAL_RSA sends temporary | ||
| 402 | * RSA key even when forbidden by protocol | ||
| 403 | * specs (handshake may fail as clients are | ||
| 404 | * not required to be able to handle this) | ||
| 405 | */ | ||
| 406 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 407 | else | ||
| 408 | s->s3->tmp.use_rsa_tmp = 0; | ||
| 409 | |||
| 410 | |||
| 411 | /* | ||
| 412 | * Only send if a DH key exchange, fortezza or | ||
| 413 | * RSA but we have a sign only certificate. | ||
| 414 | * | 396 | * |
| 415 | * For ECC ciphersuites, we send a serverKeyExchange | 397 | * For ECC ciphersuites, we send a ServerKeyExchange |
| 416 | * message only if the cipher suite is either | 398 | * message only if the cipher suite is ECDHE. In other |
| 417 | * ECDH-anon or ECDHE. In other cases, the | 399 | * cases, the server certificate contains the server's |
| 418 | * server certificate contains the server's | ||
| 419 | * public key for key exchange. | 400 | * public key for key exchange. |
| 420 | */ | 401 | */ |
| 421 | if (s->s3->tmp.use_rsa_tmp || | 402 | if (alg_k & (SSL_kDHE|SSL_kECDHE)) { |
| 422 | (alg_k & (SSL_kDHE|SSL_kECDHE)) || | ||
| 423 | ((alg_k & SSL_kRSA) && | ||
| 424 | (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == | ||
| 425 | NULL))) { | ||
| 426 | ret = ssl3_send_server_key_exchange(s); | 403 | ret = ssl3_send_server_key_exchange(s); |
| 427 | if (ret <= 0) | 404 | if (ret <= 0) |
| 428 | goto end; | 405 | goto end; |
| @@ -1352,7 +1329,6 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1352 | { | 1329 | { |
| 1353 | unsigned char *q; | 1330 | unsigned char *q; |
| 1354 | int j, num; | 1331 | int j, num; |
| 1355 | RSA *rsa; | ||
| 1356 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; | 1332 | unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; |
| 1357 | unsigned int u; | 1333 | unsigned int u; |
| 1358 | DH *dh = NULL, *dhp; | 1334 | DH *dh = NULL, *dhp; |
| @@ -1383,31 +1359,6 @@ ssl3_send_server_key_exchange(SSL *s) | |||
| 1383 | 1359 | ||
| 1384 | r[0] = r[1] = r[2] = r[3] = NULL; | 1360 | r[0] = r[1] = r[2] = r[3] = NULL; |
| 1385 | n = 0; | 1361 | n = 0; |
| 1386 | if (type & SSL_kRSA) { | ||
| 1387 | rsa = cert->rsa_tmp; | ||
| 1388 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { | ||
| 1389 | rsa = s->cert->rsa_tmp_cb(s, 0, | ||
| 1390 | SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1391 | if (rsa == NULL) { | ||
| 1392 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1393 | SSLerr( | ||
| 1394 | SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1395 | SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | ||
| 1396 | goto f_err; | ||
| 1397 | } | ||
| 1398 | RSA_up_ref(rsa); | ||
| 1399 | cert->rsa_tmp = rsa; | ||
| 1400 | } | ||
| 1401 | if (rsa == NULL) { | ||
| 1402 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1403 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, | ||
| 1404 | SSL_R_MISSING_TMP_RSA_KEY); | ||
| 1405 | goto f_err; | ||
| 1406 | } | ||
| 1407 | r[0] = rsa->n; | ||
| 1408 | r[1] = rsa->e; | ||
| 1409 | s->s3->tmp.use_rsa_tmp = 1; | ||
| 1410 | } else | ||
| 1411 | if (type & SSL_kDHE) { | 1362 | if (type & SSL_kDHE) { |
| 1412 | dhp = cert->dh_tmp; | 1363 | dhp = cert->dh_tmp; |
| 1413 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1364 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) |
| @@ -1855,32 +1806,15 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1855 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 1806 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1856 | 1807 | ||
| 1857 | if (alg_k & SSL_kRSA) { | 1808 | if (alg_k & SSL_kRSA) { |
| 1858 | /* FIX THIS UP EAY EAY EAY EAY */ | 1809 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; |
| 1859 | if (s->s3->tmp.use_rsa_tmp) { | 1810 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || |
| 1860 | if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) | 1811 | (pkey->pkey.rsa == NULL)) { |
| 1861 | rsa = s->cert->rsa_tmp; | 1812 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1862 | /* | 1813 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 1863 | * Don't do a callback because rsa_tmp should | 1814 | SSL_R_MISSING_RSA_CERTIFICATE); |
| 1864 | * be sent already | 1815 | goto f_err; |
| 1865 | */ | ||
| 1866 | if (rsa == NULL) { | ||
| 1867 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1868 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||
| 1869 | SSL_R_MISSING_TMP_RSA_PKEY); | ||
| 1870 | goto f_err; | ||
| 1871 | |||
| 1872 | } | ||
| 1873 | } else { | ||
| 1874 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; | ||
| 1875 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | ||
| 1876 | (pkey->pkey.rsa == NULL)) { | ||
| 1877 | al = SSL_AD_HANDSHAKE_FAILURE; | ||
| 1878 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||
| 1879 | SSL_R_MISSING_RSA_CERTIFICATE); | ||
| 1880 | goto f_err; | ||
| 1881 | } | ||
| 1882 | rsa = pkey->pkey.rsa; | ||
| 1883 | } | 1816 | } |
| 1817 | rsa = pkey->pkey.rsa; | ||
| 1884 | 1818 | ||
| 1885 | /* TLS and [incidentally] DTLS{0xFEFF} */ | 1819 | /* TLS and [incidentally] DTLS{0xFEFF} */ |
| 1886 | if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { | 1820 | if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { |
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h index 9a28b4701f..18afa304c9 100644 --- a/src/lib/libssl/src/ssl/ssl3.h +++ b/src/lib/libssl/src/ssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.26 2014/08/11 01:10:42 jsing Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.27 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -473,7 +473,7 @@ typedef struct ssl3_state_st { | |||
| 473 | char ctype[SSL3_CT_NUMBER]; | 473 | char ctype[SSL3_CT_NUMBER]; |
| 474 | STACK_OF(X509_NAME) *ca_names; | 474 | STACK_OF(X509_NAME) *ca_names; |
| 475 | 475 | ||
| 476 | int use_rsa_tmp; | 476 | int use_rsa_tmp; /* XXX - remove at next bump. */ |
| 477 | 477 | ||
| 478 | int key_block_length; | 478 | int key_block_length; |
| 479 | unsigned char *key_block; | 479 | unsigned char *key_block; |
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c index 6f1815067b..beea31c64b 100644 --- a/src/lib/libssl/src/ssl/ssl_cert.c +++ b/src/lib/libssl/src/ssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.42 2014/10/03 13:58:18 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.43 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -205,12 +205,6 @@ ssl_cert_dup(CERT *cert) | |||
| 205 | ret->mask_k = cert->mask_k; | 205 | ret->mask_k = cert->mask_k; |
| 206 | ret->mask_a = cert->mask_a; | 206 | ret->mask_a = cert->mask_a; |
| 207 | 207 | ||
| 208 | if (cert->rsa_tmp != NULL) { | ||
| 209 | RSA_up_ref(cert->rsa_tmp); | ||
| 210 | ret->rsa_tmp = cert->rsa_tmp; | ||
| 211 | } | ||
| 212 | ret->rsa_tmp_cb = cert->rsa_tmp_cb; | ||
| 213 | |||
| 214 | if (cert->dh_tmp != NULL) { | 208 | if (cert->dh_tmp != NULL) { |
| 215 | ret->dh_tmp = DHparams_dup(cert->dh_tmp); | 209 | ret->dh_tmp = DHparams_dup(cert->dh_tmp); |
| 216 | if (ret->dh_tmp == NULL) { | 210 | if (ret->dh_tmp == NULL) { |
| @@ -305,7 +299,6 @@ ssl_cert_dup(CERT *cert) | |||
| 305 | return (ret); | 299 | return (ret); |
| 306 | 300 | ||
| 307 | err: | 301 | err: |
| 308 | RSA_free(ret->rsa_tmp); | ||
| 309 | DH_free(ret->dh_tmp); | 302 | DH_free(ret->dh_tmp); |
| 310 | EC_KEY_free(ret->ecdh_tmp); | 303 | EC_KEY_free(ret->ecdh_tmp); |
| 311 | 304 | ||
| @@ -331,7 +324,6 @@ ssl_cert_free(CERT *c) | |||
| 331 | if (i > 0) | 324 | if (i > 0) |
| 332 | return; | 325 | return; |
| 333 | 326 | ||
| 334 | RSA_free(c->rsa_tmp); | ||
| 335 | DH_free(c->dh_tmp); | 327 | DH_free(c->dh_tmp); |
| 336 | EC_KEY_free(c->ecdh_tmp); | 328 | EC_KEY_free(c->ecdh_tmp); |
| 337 | 329 | ||
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 3fa8f5039f..579c005cc3 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1931,7 +1931,7 @@ void | |||
| 1931 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | 1931 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) |
| 1932 | { | 1932 | { |
| 1933 | CERT_PKEY *cpk; | 1933 | CERT_PKEY *cpk; |
| 1934 | int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign; | 1934 | int rsa_enc, rsa_sign, dh_tmp, dsa_sign; |
| 1935 | unsigned long mask_k, mask_a; | 1935 | unsigned long mask_k, mask_a; |
| 1936 | int have_ecc_cert, ecdh_ok, ecdsa_ok; | 1936 | int have_ecc_cert, ecdh_ok, ecdsa_ok; |
| 1937 | int have_ecdh_tmp; | 1937 | int have_ecdh_tmp; |
| @@ -1942,7 +1942,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1942 | if (c == NULL) | 1942 | if (c == NULL) |
| 1943 | return; | 1943 | return; |
| 1944 | 1944 | ||
| 1945 | rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); | ||
| 1946 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); |
| 1947 | 1946 | ||
| 1948 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || | 1947 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || |
| @@ -1970,7 +1969,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1970 | mask_a |= SSL_aGOST94; | 1969 | mask_a |= SSL_aGOST94; |
| 1971 | } | 1970 | } |
| 1972 | 1971 | ||
| 1973 | if (rsa_enc || (rsa_tmp && rsa_sign)) | 1972 | if (rsa_enc) |
| 1974 | mask_k|=SSL_kRSA; | 1973 | mask_k|=SSL_kRSA; |
| 1975 | 1974 | ||
| 1976 | if (dh_tmp) | 1975 | if (dh_tmp) |
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 976f835c92..955c169244 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.71 2014/10/03 13:58:18 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.72 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -440,9 +440,6 @@ typedef struct cert_st { | |||
| 440 | unsigned long mask_k; | 440 | unsigned long mask_k; |
| 441 | unsigned long mask_a; | 441 | unsigned long mask_a; |
| 442 | 442 | ||
| 443 | RSA *rsa_tmp; | ||
| 444 | RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize); | ||
| 445 | |||
| 446 | DH *dh_tmp; | 443 | DH *dh_tmp; |
| 447 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| 448 | 445 | ||
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 9a28b4701f..18afa304c9 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.26 2014/08/11 01:10:42 jsing Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.27 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -473,7 +473,7 @@ typedef struct ssl3_state_st { | |||
| 473 | char ctype[SSL3_CT_NUMBER]; | 473 | char ctype[SSL3_CT_NUMBER]; |
| 474 | STACK_OF(X509_NAME) *ca_names; | 474 | STACK_OF(X509_NAME) *ca_names; |
| 475 | 475 | ||
| 476 | int use_rsa_tmp; | 476 | int use_rsa_tmp; /* XXX - remove at next bump. */ |
| 477 | 477 | ||
| 478 | int key_block_length; | 478 | int key_block_length; |
| 479 | unsigned char *key_block; | 479 | unsigned char *key_block; |
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 6f1815067b..beea31c64b 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.42 2014/10/03 13:58:18 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.43 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -205,12 +205,6 @@ ssl_cert_dup(CERT *cert) | |||
| 205 | ret->mask_k = cert->mask_k; | 205 | ret->mask_k = cert->mask_k; |
| 206 | ret->mask_a = cert->mask_a; | 206 | ret->mask_a = cert->mask_a; |
| 207 | 207 | ||
| 208 | if (cert->rsa_tmp != NULL) { | ||
| 209 | RSA_up_ref(cert->rsa_tmp); | ||
| 210 | ret->rsa_tmp = cert->rsa_tmp; | ||
| 211 | } | ||
| 212 | ret->rsa_tmp_cb = cert->rsa_tmp_cb; | ||
| 213 | |||
| 214 | if (cert->dh_tmp != NULL) { | 208 | if (cert->dh_tmp != NULL) { |
| 215 | ret->dh_tmp = DHparams_dup(cert->dh_tmp); | 209 | ret->dh_tmp = DHparams_dup(cert->dh_tmp); |
| 216 | if (ret->dh_tmp == NULL) { | 210 | if (ret->dh_tmp == NULL) { |
| @@ -305,7 +299,6 @@ ssl_cert_dup(CERT *cert) | |||
| 305 | return (ret); | 299 | return (ret); |
| 306 | 300 | ||
| 307 | err: | 301 | err: |
| 308 | RSA_free(ret->rsa_tmp); | ||
| 309 | DH_free(ret->dh_tmp); | 302 | DH_free(ret->dh_tmp); |
| 310 | EC_KEY_free(ret->ecdh_tmp); | 303 | EC_KEY_free(ret->ecdh_tmp); |
| 311 | 304 | ||
| @@ -331,7 +324,6 @@ ssl_cert_free(CERT *c) | |||
| 331 | if (i > 0) | 324 | if (i > 0) |
| 332 | return; | 325 | return; |
| 333 | 326 | ||
| 334 | RSA_free(c->rsa_tmp); | ||
| 335 | DH_free(c->dh_tmp); | 327 | DH_free(c->dh_tmp); |
| 336 | EC_KEY_free(c->ecdh_tmp); | 328 | EC_KEY_free(c->ecdh_tmp); |
| 337 | 329 | ||
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 3fa8f5039f..579c005cc3 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1931,7 +1931,7 @@ void | |||
| 1931 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | 1931 | ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) |
| 1932 | { | 1932 | { |
| 1933 | CERT_PKEY *cpk; | 1933 | CERT_PKEY *cpk; |
| 1934 | int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign; | 1934 | int rsa_enc, rsa_sign, dh_tmp, dsa_sign; |
| 1935 | unsigned long mask_k, mask_a; | 1935 | unsigned long mask_k, mask_a; |
| 1936 | int have_ecc_cert, ecdh_ok, ecdsa_ok; | 1936 | int have_ecc_cert, ecdh_ok, ecdsa_ok; |
| 1937 | int have_ecdh_tmp; | 1937 | int have_ecdh_tmp; |
| @@ -1942,7 +1942,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1942 | if (c == NULL) | 1942 | if (c == NULL) |
| 1943 | return; | 1943 | return; |
| 1944 | 1944 | ||
| 1945 | rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); | ||
| 1946 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 1945 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); |
| 1947 | 1946 | ||
| 1948 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || | 1947 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || |
| @@ -1970,7 +1969,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1970 | mask_a |= SSL_aGOST94; | 1969 | mask_a |= SSL_aGOST94; |
| 1971 | } | 1970 | } |
| 1972 | 1971 | ||
| 1973 | if (rsa_enc || (rsa_tmp && rsa_sign)) | 1972 | if (rsa_enc) |
| 1974 | mask_k|=SSL_kRSA; | 1973 | mask_k|=SSL_kRSA; |
| 1975 | 1974 | ||
| 1976 | if (dh_tmp) | 1975 | if (dh_tmp) |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 976f835c92..955c169244 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.71 2014/10/03 13:58:18 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.72 2014/10/31 14:51:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -440,9 +440,6 @@ typedef struct cert_st { | |||
| 440 | unsigned long mask_k; | 440 | unsigned long mask_k; |
| 441 | unsigned long mask_a; | 441 | unsigned long mask_a; |
| 442 | 442 | ||
| 443 | RSA *rsa_tmp; | ||
| 444 | RSA *(*rsa_tmp_cb)(SSL *ssl, int is_export, int keysize); | ||
| 445 | |||
| 446 | DH *dh_tmp; | 443 | DH *dh_tmp; |
| 447 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); | 444 | DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); |
| 448 | 445 | ||