From 911a534951a7133a0e7f2314d3a57682c584c2f7 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 31 Oct 2014 14:51:01 +0000
Subject: Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@
---
 src/lib/libssl/d1_srvr.c | 58 +++++++-----------------------------------------
 1 file changed, 8 insertions(+), 50 deletions(-)

(limited to 'src/lib/libssl/d1_srvr.c')

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index a85715753c..d2f642f877 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.41 2014/10/31 14:51:01 jsing Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -446,27 +446,8 @@ dtls1_accept(SSL *s)
 		case SSL3_ST_SW_KEY_EXCH_B:
 			alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
-			/* clear this, it may get reset by
-			 * send_server_key_exchange */
-			if ((s->options & SSL_OP_EPHEMERAL_RSA)
-			)
-				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-				 * even when forbidden by protocol specs
-				 * (handshake may fail as clients are not required to
-				 * be able to handle this) */
-				s->s3->tmp.use_rsa_tmp = 1;
-			else
-				s->s3->tmp.use_rsa_tmp = 0;
-
-			/* only send if a DH key exchange or
-			 * RSA but we have a sign only certificate */
-			if (s->s3->tmp.use_rsa_tmp
-			|| (alg_k & (SSL_kDHE|SSL_kECDHE))
-			|| ((alg_k & SSL_kRSA)
-			&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
-			)
-			)
-			) {
+			/* Only send if using a DH key exchange. */
+			if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
 				dtls1_start_timer(s);
 				ret = dtls1_send_server_key_exchange(s);
 				if (ret <= 0)
@@ -994,7 +975,6 @@ dtls1_send_server_key_exchange(SSL *s)
 {
 	unsigned char *q;
 	int j, num;
-	RSA *rsa;
 	unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
 	unsigned int u;
 	DH *dh = NULL, *dhp;
@@ -1024,28 +1004,7 @@ dtls1_send_server_key_exchange(SSL *s)
 
 		r[0] = r[1] = r[2] = r[3] = NULL;
 		n = 0;
-		if (type & SSL_kRSA) {
-			rsa = cert->rsa_tmp;
-			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s, 0,
-				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
-				if (rsa == NULL) {
-					al = SSL_AD_HANDSHAKE_FAILURE;
-					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
-					goto f_err;
-				}
-				RSA_up_ref(rsa);
-				cert->rsa_tmp = rsa;
-			}
-			if (rsa == NULL) {
-				al = SSL_AD_HANDSHAKE_FAILURE;
-				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY);
-				goto f_err;
-			}
-			r[0] = rsa->n;
-			r[1] = rsa->e;
-			s->s3->tmp.use_rsa_tmp = 1;
-		} else
+
 		if (type & SSL_kDHE) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1087,8 +1046,7 @@ dtls1_send_server_key_exchange(SSL *s)
 			r[0] = dh->p;
 			r[1] = dh->g;
 			r[2] = dh->pub_key;
-		} else
-		if (type & SSL_kECDHE) {
+		} else if (type & SSL_kECDHE) {
 			const EC_GROUP *group;
 
 			ecdhp = cert->ecdh_tmp;
@@ -1185,10 +1143,10 @@ dtls1_send_server_key_exchange(SSL *s)
 			r[1] = NULL;
 			r[2] = NULL;
 			r[3] = NULL;
-		} else
-		{
+		} else {
 			al = SSL_AD_HANDSHAKE_FAILURE;
-			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
+			    SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
 			goto f_err;
 		}
 		for (i = 0; r[i] != NULL; i++) {
-- 
cgit v1.2.3-55-g6feb