From fad09b90be5a30598349a06adfd7574ef7264599 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 12 Aug 2017 02:55:22 +0000
Subject: Remove support for DSS/DSA, since we removed the cipher suites a
 while back.

ok guenther@
---
 src/lib/libssl/ssl_lib.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

(limited to 'src/lib/libssl/ssl_lib.c')

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6e555898ad..de78ad2fcf 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.165 2017/08/11 21:06:52 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2041,7 +2041,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
-	int		 rsa_enc, rsa_sign, dh_tmp, dsa_sign;
+	int		 rsa_enc, rsa_sign, dh_tmp;
 	int		 have_ecc_cert;
 	unsigned long	 mask_k, mask_a;
 	X509		*x = NULL;
@@ -2057,8 +2057,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
 	rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
-	cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-	dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk = &(c->pkeys[SSL_PKEY_ECC]);
 	have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
 
@@ -2080,9 +2078,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	if (rsa_enc || rsa_sign)
 		mask_a |= SSL_aRSA;
 
-	if (dsa_sign)
-		mask_a |= SSL_aDSS;
-
 	mask_a |= SSL_aNULL;
 
 	/*
@@ -2159,8 +2154,6 @@ ssl_get_server_send_pkey(const SSL *s)
 
 	if (alg_a & SSL_aECDSA) {
 		i = SSL_PKEY_ECC;
-	} else if (alg_a & SSL_aDSS) {
-		i = SSL_PKEY_DSA_SIGN;
 	} else if (alg_a & SSL_aRSA) {
 		if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
 			i = SSL_PKEY_RSA_SIGN;
@@ -2197,10 +2190,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
 	alg_a = cipher->algorithm_auth;
 	c = s->cert;
 
-	if ((alg_a & SSL_aDSS) &&
-	    (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-		idx = SSL_PKEY_DSA_SIGN;
-	else if (alg_a & SSL_aRSA) {
+	if (alg_a & SSL_aRSA) {
 		if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
 			idx = SSL_PKEY_RSA_SIGN;
 		else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-- 
cgit v1.2.3-55-g6feb