summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_clnt.c4
-rw-r--r--src/lib/libssl/d1_srvr.c5
-rw-r--r--src/lib/libssl/s3_clnt.c19
-rw-r--r--src/lib/libssl/s3_lib.c7
-rw-r--r--src/lib/libssl/s3_srvr.c8
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c4
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c5
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c19
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c7
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c8
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c48
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c18
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h9
-rw-r--r--src/lib/libssl/ssl_ciph.c48
-rw-r--r--src/lib/libssl/ssl_lib.c18
-rw-r--r--src/lib/libssl/ssl_locl.h9
16 files changed, 54 insertions, 182 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 471871ff46..0cc4016d11 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.34 2014/08/10 14:42:55 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -982,7 +982,7 @@ dtls1_send_client_key_exchange(SSL *s)
982 s->session->master_key, 982 s->session->master_key,
983 tmp_buf, sizeof tmp_buf); 983 tmp_buf, sizeof tmp_buf);
984 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 984 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
985 } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { 985 } else if (alg_k & SSL_kDHE) {
986 DH *dh_srvr, *dh_clnt; 986 DH *dh_srvr, *dh_clnt;
987 987
988 if (s->session->sess_cert->peer_dh_tmp != NULL) 988 if (s->session->sess_cert->peer_dh_tmp != NULL)
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 4532a07da5..051d1e1ccf 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.37 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.38 2014/09/07 12:16:23 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -462,8 +462,7 @@ dtls1_accept(SSL *s)
462 /* only send if a DH key exchange or 462 /* only send if a DH key exchange or
463 * RSA but we have a sign only certificate */ 463 * RSA but we have a sign only certificate */
464 if (s->s3->tmp.use_rsa_tmp 464 if (s->s3->tmp.use_rsa_tmp
465 || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) 465 || (alg_k & (SSL_kDHE|SSL_kECDHE))
466 || (alg_k & SSL_kECDHE)
467 || ((alg_k & SSL_kRSA) 466 || ((alg_k & SSL_kRSA)
468 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 467 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
469 ) 468 )
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 9ccc67acb9..bbe2b91392 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.89 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1329,11 +1329,6 @@ ssl3_get_key_exchange(SSL *s)
1329 1329
1330 s->session->sess_cert->peer_dh_tmp = dh; 1330 s->session->sess_cert->peer_dh_tmp = dh;
1331 dh = NULL; 1331 dh = NULL;
1332 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1333 al = SSL_AD_ILLEGAL_PARAMETER;
1334 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1335 SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1336 goto f_err;
1337 } else if (alg_k & SSL_kECDHE) { 1332 } else if (alg_k & SSL_kECDHE) {
1338 EC_GROUP *ngroup; 1333 EC_GROUP *ngroup;
1339 const EC_GROUP *group; 1334 const EC_GROUP *group;
@@ -2006,7 +2001,7 @@ ssl3_send_client_key_exchange(SSL *s)
2006 s->method->ssl3_enc->generate_master_secret( 2001 s->method->ssl3_enc->generate_master_secret(
2007 s, s->session->master_key, tmp_buf, sizeof tmp_buf); 2002 s, s->session->master_key, tmp_buf, sizeof tmp_buf);
2008 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2003 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2009 } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { 2004 } else if (alg_k & SSL_kDHE) {
2010 DH *dh_srvr, *dh_clnt; 2005 DH *dh_srvr, *dh_clnt;
2011 2006
2012 if (s->session->sess_cert == NULL) { 2007 if (s->session->sess_cert == NULL) {
@@ -2611,7 +2606,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2611 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2606 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2612 2607
2613 /* We don't have a certificate. */ 2608 /* We don't have a certificate. */
2614 if (alg_a & (SSL_aDH|SSL_aNULL)) 2609 if (alg_a & SSL_aNULL)
2615 return (1); 2610 return (1);
2616 2611
2617 sc = s->session->sess_cert; 2612 sc = s->session->sess_cert;
@@ -2664,14 +2659,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
2664 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2659 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2665 SSL_R_MISSING_DH_KEY); 2660 SSL_R_MISSING_DH_KEY);
2666 goto f_err; 2661 goto f_err;
2667 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
2668 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2669 SSL_R_MISSING_DH_RSA_CERT);
2670 goto f_err;
2671 } else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2672 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2673 SSL_R_MISSING_DH_DSA_CERT);
2674 goto f_err;
2675 } 2662 }
2676 2663
2677 return (1); 2664 return (1);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 8d03512a26..d8b923afd4 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.79 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2610,12 +2610,11 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
2610 } 2610 }
2611#endif 2611#endif
2612 2612
2613 if (alg_k & (SSL_kDHr|SSL_kDHE)) { 2613 if (alg_k & SSL_kDHE) {
2614 p[ret++] = SSL3_CT_RSA_FIXED_DH; 2614 p[ret++] = SSL3_CT_RSA_FIXED_DH;
2615 p[ret++] = SSL3_CT_DSS_FIXED_DH; 2615 p[ret++] = SSL3_CT_DSS_FIXED_DH;
2616 } 2616 }
2617 if ((s->version == SSL3_VERSION) && 2617 if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) {
2618 (alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) {
2619 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; 2618 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
2620 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; 2619 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
2621 } 2620 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 597ddd4310..7ff3de77f3 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.82 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.83 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -420,8 +420,7 @@ ssl3_accept(SSL *s)
420 * public key for key exchange. 420 * public key for key exchange.
421 */ 421 */
422 if (s->s3->tmp.use_rsa_tmp || 422 if (s->s3->tmp.use_rsa_tmp ||
423 (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) || 423 (alg_k & (SSL_kDHE|SSL_kECDHE)) ||
424 (alg_k & SSL_kECDHE) ||
425 ((alg_k & SSL_kRSA) && 424 ((alg_k & SSL_kRSA) &&
426 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == 425 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
427 NULL))) { 426 NULL))) {
@@ -1967,8 +1966,7 @@ ssl3_get_client_key_exchange(SSL *s)
1967 s->session->master_key, 1966 s->session->master_key,
1968 p, i); 1967 p, i);
1969 OPENSSL_cleanse(p, i); 1968 OPENSSL_cleanse(p, i);
1970 } else 1969 } else if (alg_k & SSL_kDHE) {
1971 if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
1972 if (2 > n) 1970 if (2 > n)
1973 goto truncated; 1971 goto truncated;
1974 n2s(p, i); 1972 n2s(p, i);
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 471871ff46..0cc4016d11 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.34 2014/08/10 14:42:55 jsing Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -982,7 +982,7 @@ dtls1_send_client_key_exchange(SSL *s)
982 s->session->master_key, 982 s->session->master_key,
983 tmp_buf, sizeof tmp_buf); 983 tmp_buf, sizeof tmp_buf);
984 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 984 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
985 } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { 985 } else if (alg_k & SSL_kDHE) {
986 DH *dh_srvr, *dh_clnt; 986 DH *dh_srvr, *dh_clnt;
987 987
988 if (s->session->sess_cert->peer_dh_tmp != NULL) 988 if (s->session->sess_cert->peer_dh_tmp != NULL)
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index 4532a07da5..051d1e1ccf 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.37 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.38 2014/09/07 12:16:23 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -462,8 +462,7 @@ dtls1_accept(SSL *s)
462 /* only send if a DH key exchange or 462 /* only send if a DH key exchange or
463 * RSA but we have a sign only certificate */ 463 * RSA but we have a sign only certificate */
464 if (s->s3->tmp.use_rsa_tmp 464 if (s->s3->tmp.use_rsa_tmp
465 || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) 465 || (alg_k & (SSL_kDHE|SSL_kECDHE))
466 || (alg_k & SSL_kECDHE)
467 || ((alg_k & SSL_kRSA) 466 || ((alg_k & SSL_kRSA)
468 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 467 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
469 ) 468 )
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 9ccc67acb9..bbe2b91392 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.89 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1329,11 +1329,6 @@ ssl3_get_key_exchange(SSL *s)
1329 1329
1330 s->session->sess_cert->peer_dh_tmp = dh; 1330 s->session->sess_cert->peer_dh_tmp = dh;
1331 dh = NULL; 1331 dh = NULL;
1332 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1333 al = SSL_AD_ILLEGAL_PARAMETER;
1334 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1335 SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1336 goto f_err;
1337 } else if (alg_k & SSL_kECDHE) { 1332 } else if (alg_k & SSL_kECDHE) {
1338 EC_GROUP *ngroup; 1333 EC_GROUP *ngroup;
1339 const EC_GROUP *group; 1334 const EC_GROUP *group;
@@ -2006,7 +2001,7 @@ ssl3_send_client_key_exchange(SSL *s)
2006 s->method->ssl3_enc->generate_master_secret( 2001 s->method->ssl3_enc->generate_master_secret(
2007 s, s->session->master_key, tmp_buf, sizeof tmp_buf); 2002 s, s->session->master_key, tmp_buf, sizeof tmp_buf);
2008 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2003 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2009 } else if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) { 2004 } else if (alg_k & SSL_kDHE) {
2010 DH *dh_srvr, *dh_clnt; 2005 DH *dh_srvr, *dh_clnt;
2011 2006
2012 if (s->session->sess_cert == NULL) { 2007 if (s->session->sess_cert == NULL) {
@@ -2611,7 +2606,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2611 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2606 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2612 2607
2613 /* We don't have a certificate. */ 2608 /* We don't have a certificate. */
2614 if (alg_a & (SSL_aDH|SSL_aNULL)) 2609 if (alg_a & SSL_aNULL)
2615 return (1); 2610 return (1);
2616 2611
2617 sc = s->session->sess_cert; 2612 sc = s->session->sess_cert;
@@ -2664,14 +2659,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
2664 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2659 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2665 SSL_R_MISSING_DH_KEY); 2660 SSL_R_MISSING_DH_KEY);
2666 goto f_err; 2661 goto f_err;
2667 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
2668 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2669 SSL_R_MISSING_DH_RSA_CERT);
2670 goto f_err;
2671 } else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2672 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2673 SSL_R_MISSING_DH_DSA_CERT);
2674 goto f_err;
2675 } 2662 }
2676 2663
2677 return (1); 2664 return (1);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 8d03512a26..d8b923afd4 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.79 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.80 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -2610,12 +2610,11 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
2610 } 2610 }
2611#endif 2611#endif
2612 2612
2613 if (alg_k & (SSL_kDHr|SSL_kDHE)) { 2613 if (alg_k & SSL_kDHE) {
2614 p[ret++] = SSL3_CT_RSA_FIXED_DH; 2614 p[ret++] = SSL3_CT_RSA_FIXED_DH;
2615 p[ret++] = SSL3_CT_DSS_FIXED_DH; 2615 p[ret++] = SSL3_CT_DSS_FIXED_DH;
2616 } 2616 }
2617 if ((s->version == SSL3_VERSION) && 2617 if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) {
2618 (alg_k & (SSL_kDHE|SSL_kDHd|SSL_kDHr))) {
2619 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; 2618 p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
2620 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; 2619 p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
2621 } 2620 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 597ddd4310..7ff3de77f3 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.82 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.83 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -420,8 +420,7 @@ ssl3_accept(SSL *s)
420 * public key for key exchange. 420 * public key for key exchange.
421 */ 421 */
422 if (s->s3->tmp.use_rsa_tmp || 422 if (s->s3->tmp.use_rsa_tmp ||
423 (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kDHE)) || 423 (alg_k & (SSL_kDHE|SSL_kECDHE)) ||
424 (alg_k & SSL_kECDHE) ||
425 ((alg_k & SSL_kRSA) && 424 ((alg_k & SSL_kRSA) &&
426 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == 425 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
427 NULL))) { 426 NULL))) {
@@ -1967,8 +1966,7 @@ ssl3_get_client_key_exchange(SSL *s)
1967 s->session->master_key, 1966 s->session->master_key,
1968 p, i); 1967 p, i);
1969 OPENSSL_cleanse(p, i); 1968 OPENSSL_cleanse(p, i);
1970 } else 1969 } else if (alg_k & SSL_kDHE) {
1971 if (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd)) {
1972 if (2 > n) 1970 if (2 > n)
1973 goto truncated; 1971 goto truncated;
1974 n2s(p, i); 1972 n2s(p, i);
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 70c91bf600..701d0f2277 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = {
249 .algorithm_mkey = SSL_kRSA, 249 .algorithm_mkey = SSL_kRSA,
250 }, 250 },
251 { 251 {
252 /* no such ciphersuites supported! */
253 .name = SSL_TXT_kDHr,
254 .algorithm_mkey = SSL_kDHr,
255 },
256 {
257 /* no such ciphersuites supported! */
258 .name = SSL_TXT_kDHd,
259 .algorithm_mkey = SSL_kDHd,
260 },
261 {
262 /* no such ciphersuites supported! */
263 .name = SSL_TXT_kDH,
264 .algorithm_mkey = SSL_kDHr|SSL_kDHd,
265 },
266 {
267 .name = SSL_TXT_kEDH, 252 .name = SSL_TXT_kEDH,
268 .algorithm_mkey = SSL_kDHE, 253 .algorithm_mkey = SSL_kDHE,
269 }, 254 },
270 { 255 {
271 .name = SSL_TXT_DH, 256 .name = SSL_TXT_DH,
272 .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, 257 .algorithm_mkey = SSL_kDHE,
273 }, 258 },
274 259
275 { 260 {
@@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = {
316 .algorithm_auth = SSL_aNULL, 301 .algorithm_auth = SSL_aNULL,
317 }, 302 },
318 { 303 {
319 /* no such ciphersuites supported! */
320 .name = SSL_TXT_aDH,
321 .algorithm_auth = SSL_aDH,
322 },
323 {
324 .name = SSL_TXT_aECDH, 304 .name = SSL_TXT_aECDH,
325 .algorithm_auth = SSL_aECDH, 305 .algorithm_auth = SSL_aECDH,
326 }, 306 },
@@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
836} 816}
837 817
838static void 818static void
839ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) 819ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
820 unsigned long *enc, unsigned long *mac, unsigned long *ssl)
840{ 821{
841 *mkey = 0; 822 *mkey = 0;
842 *auth = 0; 823 *auth = 0;
@@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
844 *mac = 0; 825 *mac = 0;
845 *ssl = 0; 826 *ssl = 0;
846 827
847 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 828 /*
848 *auth |= SSL_aDH; 829 * Check for presence of GOST 34.10 algorithms, and if they
849 830 * do not present, disable appropriate auth and key exchange.
850 /* Check for presence of GOST 34.10 algorithms, and if they 831 */
851 * do not present, disable appropriate auth and key exchange */
852 if (!get_optional_pkey_id("gost94")) { 832 if (!get_optional_pkey_id("gost94")) {
853 *auth |= SSL_aGOST94; 833 *auth |= SSL_aGOST94;
854 } 834 }
855 if (!get_optional_pkey_id("gost2001")) { 835 if (!get_optional_pkey_id("gost2001")) {
856 *auth |= SSL_aGOST01; 836 *auth |= SSL_aGOST01;
857 } 837 }
858 /* Disable GOST key exchange if no GOST signature algs are available * */ 838 /* Disable GOST key exchange if no GOST signature algs are available. */
859 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { 839 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
860 *mkey |= SSL_kGOST; 840 *mkey |= SSL_kGOST;
861 } 841 }
@@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1474 1454
1475 /* Move ciphers without forward secrecy to the end */ 1455 /* Move ciphers without forward secrecy to the end */
1476 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1456 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1477 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1478 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1457 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1479 1458
1480 /* RC4 is sort-of broken -- move the the end */ 1459 /* RC4 is sort-of broken -- move the the end */
@@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1603 case SSL_kRSA: 1582 case SSL_kRSA:
1604 kx = "RSA"; 1583 kx = "RSA";
1605 break; 1584 break;
1606 case SSL_kDHr:
1607 kx = "DH/RSA";
1608 break;
1609 case SSL_kDHd:
1610 kx = "DH/DSS";
1611 break;
1612 case SSL_kDHE: 1585 case SSL_kDHE:
1613 kx = "DH"; 1586 kx = "DH";
1614 break; 1587 break;
@@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1632 case SSL_aDSS: 1605 case SSL_aDSS:
1633 au = "DSS"; 1606 au = "DSS";
1634 break; 1607 break;
1635 case SSL_aDH:
1636 au = "DH";
1637 break;
1638 case SSL_aECDH: 1608 case SSL_aECDH:
1639 au = "ECDH"; 1609 au = "ECDH";
1640 break; 1610 break;
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index fad600a07e..bd5f9f6da1 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.83 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.84 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1929,7 +1929,7 @@ void
1929ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) 1929ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1930{ 1930{
1931 CERT_PKEY *cpk; 1931 CERT_PKEY *cpk;
1932 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; 1932 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign;
1933 unsigned long mask_k, mask_a; 1933 unsigned long mask_k, mask_a;
1934 int have_ecc_cert, ecdh_ok, ecdsa_ok; 1934 int have_ecc_cert, ecdh_ok, ecdsa_ok;
1935 int have_ecdh_tmp; 1935 int have_ecdh_tmp;
@@ -1950,11 +1950,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1950 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); 1950 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
1951 cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); 1951 cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1952 dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); 1952 dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
1953 cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
1954 dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
1955 cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
1956/* FIX THIS EAY EAY EAY */ 1953/* FIX THIS EAY EAY EAY */
1957 dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
1958 cpk = &(c->pkeys[SSL_PKEY_ECC]); 1954 cpk = &(c->pkeys[SSL_PKEY_ECC]);
1959 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); 1955 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
1960 mask_k = 0; 1956 mask_k = 0;
@@ -1977,12 +1973,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1977 if (dh_tmp) 1973 if (dh_tmp)
1978 mask_k|=SSL_kDHE; 1974 mask_k|=SSL_kDHE;
1979 1975
1980 if (dh_rsa)
1981 mask_k|=SSL_kDHr;
1982
1983 if (dh_dsa)
1984 mask_k|=SSL_kDHd;
1985
1986 if (rsa_enc || rsa_sign) 1976 if (rsa_enc || rsa_sign)
1987 mask_a|=SSL_aRSA; 1977 mask_a|=SSL_aRSA;
1988 1978
@@ -2124,10 +2114,6 @@ ssl_get_server_send_pkey(const SSL *s)
2124 i = SSL_PKEY_ECC; 2114 i = SSL_PKEY_ECC;
2125 } else if (alg_a & SSL_aECDSA) { 2115 } else if (alg_a & SSL_aECDSA) {
2126 i = SSL_PKEY_ECC; 2116 i = SSL_PKEY_ECC;
2127 } else if (alg_k & SSL_kDHr) {
2128 i = SSL_PKEY_DH_RSA;
2129 } else if (alg_k & SSL_kDHd) {
2130 i = SSL_PKEY_DH_DSA;
2131 } else if (alg_a & SSL_aDSS) { 2117 } else if (alg_a & SSL_aDSS) {
2132 i = SSL_PKEY_DSA_SIGN; 2118 i = SSL_PKEY_DSA_SIGN;
2133 } else if (alg_a & SSL_aRSA) { 2119 } else if (alg_a & SSL_aRSA) {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index ec8f0fb722..7c1aef68b1 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.67 2014/08/24 14:36:46 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.68 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -254,8 +254,6 @@
254 254
255/* Bits for algorithm_mkey (key exchange algorithm) */ 255/* Bits for algorithm_mkey (key exchange algorithm) */
256#define SSL_kRSA 0x00000001L /* RSA key exchange */ 256#define SSL_kRSA 0x00000001L /* RSA key exchange */
257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
259#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ 257#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
260#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ 258#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
261#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ 259#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
@@ -266,11 +264,10 @@
266#define SSL_aRSA 0x00000001L /* RSA auth */ 264#define SSL_aRSA 0x00000001L /* RSA auth */
267#define SSL_aDSS 0x00000002L /* DSS auth */ 265#define SSL_aDSS 0x00000002L /* DSS auth */
268#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ 266#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
269#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
270#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ 267#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
271#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ 268#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
272#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ 269#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
273#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ 270#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
274 271
275 272
276/* Bits for algorithm_enc (symmetric encryption) */ 273/* Bits for algorithm_enc (symmetric encryption) */
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 70c91bf600..701d0f2277 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.66 2014/07/12 22:33:39 jsing Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.67 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -249,27 +249,12 @@ static const SSL_CIPHER cipher_aliases[] = {
249 .algorithm_mkey = SSL_kRSA, 249 .algorithm_mkey = SSL_kRSA,
250 }, 250 },
251 { 251 {
252 /* no such ciphersuites supported! */
253 .name = SSL_TXT_kDHr,
254 .algorithm_mkey = SSL_kDHr,
255 },
256 {
257 /* no such ciphersuites supported! */
258 .name = SSL_TXT_kDHd,
259 .algorithm_mkey = SSL_kDHd,
260 },
261 {
262 /* no such ciphersuites supported! */
263 .name = SSL_TXT_kDH,
264 .algorithm_mkey = SSL_kDHr|SSL_kDHd,
265 },
266 {
267 .name = SSL_TXT_kEDH, 252 .name = SSL_TXT_kEDH,
268 .algorithm_mkey = SSL_kDHE, 253 .algorithm_mkey = SSL_kDHE,
269 }, 254 },
270 { 255 {
271 .name = SSL_TXT_DH, 256 .name = SSL_TXT_DH,
272 .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kDHE, 257 .algorithm_mkey = SSL_kDHE,
273 }, 258 },
274 259
275 { 260 {
@@ -316,11 +301,6 @@ static const SSL_CIPHER cipher_aliases[] = {
316 .algorithm_auth = SSL_aNULL, 301 .algorithm_auth = SSL_aNULL,
317 }, 302 },
318 { 303 {
319 /* no such ciphersuites supported! */
320 .name = SSL_TXT_aDH,
321 .algorithm_auth = SSL_aDH,
322 },
323 {
324 .name = SSL_TXT_aECDH, 304 .name = SSL_TXT_aECDH,
325 .algorithm_auth = SSL_aECDH, 305 .algorithm_auth = SSL_aECDH,
326 }, 306 },
@@ -836,7 +816,8 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
836} 816}
837 817
838static void 818static void
839ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) 819ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
820 unsigned long *enc, unsigned long *mac, unsigned long *ssl)
840{ 821{
841 *mkey = 0; 822 *mkey = 0;
842 *auth = 0; 823 *auth = 0;
@@ -844,18 +825,17 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
844 *mac = 0; 825 *mac = 0;
845 *ssl = 0; 826 *ssl = 0;
846 827
847 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ 828 /*
848 *auth |= SSL_aDH; 829 * Check for presence of GOST 34.10 algorithms, and if they
849 830 * do not present, disable appropriate auth and key exchange.
850 /* Check for presence of GOST 34.10 algorithms, and if they 831 */
851 * do not present, disable appropriate auth and key exchange */
852 if (!get_optional_pkey_id("gost94")) { 832 if (!get_optional_pkey_id("gost94")) {
853 *auth |= SSL_aGOST94; 833 *auth |= SSL_aGOST94;
854 } 834 }
855 if (!get_optional_pkey_id("gost2001")) { 835 if (!get_optional_pkey_id("gost2001")) {
856 *auth |= SSL_aGOST01; 836 *auth |= SSL_aGOST01;
857 } 837 }
858 /* Disable GOST key exchange if no GOST signature algs are available * */ 838 /* Disable GOST key exchange if no GOST signature algs are available. */
859 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { 839 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
860 *mkey |= SSL_kGOST; 840 *mkey |= SSL_kGOST;
861 } 841 }
@@ -1474,7 +1454,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1474 1454
1475 /* Move ciphers without forward secrecy to the end */ 1455 /* Move ciphers without forward secrecy to the end */
1476 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1456 ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1477 /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
1478 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); 1457 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1479 1458
1480 /* RC4 is sort-of broken -- move the the end */ 1459 /* RC4 is sort-of broken -- move the the end */
@@ -1603,12 +1582,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1603 case SSL_kRSA: 1582 case SSL_kRSA:
1604 kx = "RSA"; 1583 kx = "RSA";
1605 break; 1584 break;
1606 case SSL_kDHr:
1607 kx = "DH/RSA";
1608 break;
1609 case SSL_kDHd:
1610 kx = "DH/DSS";
1611 break;
1612 case SSL_kDHE: 1585 case SSL_kDHE:
1613 kx = "DH"; 1586 kx = "DH";
1614 break; 1587 break;
@@ -1632,9 +1605,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1632 case SSL_aDSS: 1605 case SSL_aDSS:
1633 au = "DSS"; 1606 au = "DSS";
1634 break; 1607 break;
1635 case SSL_aDH:
1636 au = "DH";
1637 break;
1638 case SSL_aECDH: 1608 case SSL_aECDH:
1639 au = "ECDH"; 1609 au = "ECDH";
1640 break; 1610 break;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index fad600a07e..bd5f9f6da1 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.83 2014/08/24 14:36:45 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.84 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1929,7 +1929,7 @@ void
1929ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) 1929ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1930{ 1930{
1931 CERT_PKEY *cpk; 1931 CERT_PKEY *cpk;
1932 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; 1932 int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign;
1933 unsigned long mask_k, mask_a; 1933 unsigned long mask_k, mask_a;
1934 int have_ecc_cert, ecdh_ok, ecdsa_ok; 1934 int have_ecc_cert, ecdh_ok, ecdsa_ok;
1935 int have_ecdh_tmp; 1935 int have_ecdh_tmp;
@@ -1950,11 +1950,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1950 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); 1950 rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
1951 cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); 1951 cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
1952 dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); 1952 dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
1953 cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
1954 dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
1955 cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
1956/* FIX THIS EAY EAY EAY */ 1953/* FIX THIS EAY EAY EAY */
1957 dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL);
1958 cpk = &(c->pkeys[SSL_PKEY_ECC]); 1954 cpk = &(c->pkeys[SSL_PKEY_ECC]);
1959 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); 1955 have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
1960 mask_k = 0; 1956 mask_k = 0;
@@ -1977,12 +1973,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1977 if (dh_tmp) 1973 if (dh_tmp)
1978 mask_k|=SSL_kDHE; 1974 mask_k|=SSL_kDHE;
1979 1975
1980 if (dh_rsa)
1981 mask_k|=SSL_kDHr;
1982
1983 if (dh_dsa)
1984 mask_k|=SSL_kDHd;
1985
1986 if (rsa_enc || rsa_sign) 1976 if (rsa_enc || rsa_sign)
1987 mask_a|=SSL_aRSA; 1977 mask_a|=SSL_aRSA;
1988 1978
@@ -2124,10 +2114,6 @@ ssl_get_server_send_pkey(const SSL *s)
2124 i = SSL_PKEY_ECC; 2114 i = SSL_PKEY_ECC;
2125 } else if (alg_a & SSL_aECDSA) { 2115 } else if (alg_a & SSL_aECDSA) {
2126 i = SSL_PKEY_ECC; 2116 i = SSL_PKEY_ECC;
2127 } else if (alg_k & SSL_kDHr) {
2128 i = SSL_PKEY_DH_RSA;
2129 } else if (alg_k & SSL_kDHd) {
2130 i = SSL_PKEY_DH_DSA;
2131 } else if (alg_a & SSL_aDSS) { 2117 } else if (alg_a & SSL_aDSS) {
2132 i = SSL_PKEY_DSA_SIGN; 2118 i = SSL_PKEY_DSA_SIGN;
2133 } else if (alg_a & SSL_aRSA) { 2119 } else if (alg_a & SSL_aRSA) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index ec8f0fb722..7c1aef68b1 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.67 2014/08/24 14:36:46 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.68 2014/09/07 12:16:23 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -254,8 +254,6 @@
254 254
255/* Bits for algorithm_mkey (key exchange algorithm) */ 255/* Bits for algorithm_mkey (key exchange algorithm) */
256#define SSL_kRSA 0x00000001L /* RSA key exchange */ 256#define SSL_kRSA 0x00000001L /* RSA key exchange */
257#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
258#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
259#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ 257#define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */
260#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */ 258#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
261#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */ 259#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
@@ -266,11 +264,10 @@
266#define SSL_aRSA 0x00000001L /* RSA auth */ 264#define SSL_aRSA 0x00000001L /* RSA auth */
267#define SSL_aDSS 0x00000002L /* DSS auth */ 265#define SSL_aDSS 0x00000002L /* DSS auth */
268#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ 266#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
269#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
270#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */ 267#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
271#define SSL_aECDSA 0x00000040L /* ECDSA auth*/ 268#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
272#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */ 269#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
273#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ 270#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
274 271
275 272
276/* Bits for algorithm_enc (symmetric encryption) */ 273/* Bits for algorithm_enc (symmetric encryption) */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-30 04:21:47 +0000