From 911a534951a7133a0e7f2314d3a57682c584c2f7 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 31 Oct 2014 14:51:01 +0000
Subject: Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@
---
 src/lib/libssl/ssl_cert.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

(limited to 'src/lib/libssl/ssl_cert.c')

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 6f1815067b..beea31c64b 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.42 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.43 2014/10/31 14:51:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -205,12 +205,6 @@ ssl_cert_dup(CERT *cert)
 ret->mask_k = cert->mask_k;
 ret->mask_a = cert->mask_a;
 
- if (cert->rsa_tmp != NULL) {
- RSA_up_ref(cert->rsa_tmp);
- ret->rsa_tmp = cert->rsa_tmp;
- }
- ret->rsa_tmp_cb = cert->rsa_tmp_cb;
-
 if (cert->dh_tmp != NULL) {
 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
 if (ret->dh_tmp == NULL) {
@@ -305,7 +299,6 @@ ssl_cert_dup(CERT *cert)
 return (ret);
 
 err:
- RSA_free(ret->rsa_tmp);
 DH_free(ret->dh_tmp);
 EC_KEY_free(ret->ecdh_tmp);
 
@@ -331,7 +324,6 @@ ssl_cert_free(CERT *c)
 if (i > 0)
 return;
 
- RSA_free(c->rsa_tmp);
 DH_free(c->dh_tmp);
 EC_KEY_free(c->ecdh_tmp);
 
--
cgit v1.2.3-55-g6feb