1 files changed, 8 insertions, 46 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 2b64eb7a9a..72f774e7a9 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.76 2014/12/06 15:27:45 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -488,42 +488,6 @@ static const SSL_CIPHER cipher_aliases[] = {
        },
 };
-/* Search for public key algorithm with given name and 
- * return its pkey_id if it is available. Otherwise return 0
- */
-#ifdef OPENSSL_NO_ENGINE
-static int
-get_optional_pkey_id(const char *pkey_name)
-{
-        const EVP_PKEY_ASN1_METHOD *ameth;
-        int pkey_id = 0;
-        ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
-        if (ameth) {
-                EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-        }
-        return pkey_id;
-}
-#else
-static int
-get_optional_pkey_id(const char *pkey_name)
-{
-        const EVP_PKEY_ASN1_METHOD *ameth;
-        ENGINE *tmpeng = NULL;
-        int pkey_id = 0;
-        ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
-        if (ameth) {
-                EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-        }
-        if (tmpeng)
-                ENGINE_finish(tmpeng);
-        return pkey_id;
-}
-#endif
 void
 ssl_load_ciphers(void)
 {
@@ -840,19 +804,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
        *ssl = 0;
        /*
-         * Check for presence of GOST 34.10 algorithms, and if they
+         * Check for the availability of GOST 34.10 public/private key
-         * do not present, disable  appropriate auth and key exchange.
+         * algorithms. If they are not available disable the associated
+         * authentication and key exchange algorithms.
         */
-        if (!get_optional_pkey_id("gost94")) {
+        if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL)
                *auth |= SSL_aGOST94;
-        }
+        if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL)
-        if (!get_optional_pkey_id("gost2001")) {
                *auth |= SSL_aGOST01;
-        }
+        if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0)
-        /* Disable GOST key exchange if no GOST signature algs are available. */
-        if (((~*auth) & (SSL_aGOST94|SSL_aGOST01)) == 0) {
                *mkey |= SSL_kGOST;
-        }
 #ifdef SSL_FORBID_ENULL
        *enc |= SSL_eNULL;
 #endif

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 2b64eb7a9a..72f774e7a9 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_ciph.c,v 1.76 2014/12/06 15:27:45 jsing Exp $ */	1	/* $OpenBSD: ssl_ciph.c,v 1.77 2014/12/07 12:13:06 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -488,42 +488,6 @@ static const SSL_CIPHER cipher_aliases[] = {
488	},	488	},
489	};	489	};
490		490
491	/* Search for public key algorithm with given name and
492	* return its pkey_id if it is available. Otherwise return 0
493	*/
494	#ifdef OPENSSL_NO_ENGINE
495
496	static int
497	get_optional_pkey_id(const char *pkey_name)
498	{
499	const EVP_PKEY_ASN1_METHOD *ameth;
500	int pkey_id = 0;
501	ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
502	if (ameth) {
503	EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
504	}
505	return pkey_id;
506	}
507
508	#else
509
510	static int
511	get_optional_pkey_id(const char *pkey_name)
512	{
513	const EVP_PKEY_ASN1_METHOD *ameth;
514	ENGINE *tmpeng = NULL;
515	int pkey_id = 0;
516	ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
517	if (ameth) {
518	EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
519	}
520	if (tmpeng)
521	ENGINE_finish(tmpeng);
522	return pkey_id;
523	}
524
525	#endif
526
527	void	491	void
528	ssl_load_ciphers(void)	492	ssl_load_ciphers(void)
529	{	493	{
@@ -840,19 +804,17 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth,
840	*ssl = 0;	804	*ssl = 0;
841		805
842	/*	806	/*
843	* Check for presence of GOST 34.10 algorithms, and if they	807	* Check for the availability of GOST 34.10 public/private key
844	* do not present, disable appropriate auth and key exchange.	808	* algorithms. If they are not available disable the associated
		809	* authentication and key exchange algorithms.
845	*/	810	*/
846	if (!get_optional_pkey_id("gost94")) {	811	if (EVP_PKEY_meth_find(NID_id_GostR3410_94) == NULL)
847	*auth \|= SSL_aGOST94;	812	*auth \|= SSL_aGOST94;
848	}	813	if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL)
849	if (!get_optional_pkey_id("gost2001")) {
850	*auth \|= SSL_aGOST01;	814	*auth \|= SSL_aGOST01;
851	}	815	if (((~*auth) & (SSL_aGOST94\|SSL_aGOST01)) == 0)
852	/* Disable GOST key exchange if no GOST signature algs are available. */
853	if (((~*auth) & (SSL_aGOST94\|SSL_aGOST01)) == 0) {
854	*mkey \|= SSL_kGOST;	816	*mkey \|= SSL_kGOST;
855	}	817
856	#ifdef SSL_FORBID_ENULL	818	#ifdef SSL_FORBID_ENULL
857	*enc \|= SSL_eNULL;	819	*enc \|= SSL_eNULL;
858	#endif	820	#endif