From fad09b90be5a30598349a06adfd7574ef7264599 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 12 Aug 2017 02:55:22 +0000
Subject: Remove support for DSS/DSA, since we removed the cipher suites a
 while back.

ok guenther@
---
 src/lib/libssl/s3_lib.c   |  6 +-----
 src/lib/libssl/ssl_algs.c |  6 +-----
 src/lib/libssl/ssl_both.c |  4 +---
 src/lib/libssl/ssl_cert.c |  8 +-------
 src/lib/libssl/ssl_clnt.c | 21 ++-------------------
 src/lib/libssl/ssl_lib.c  | 16 +++-------------
 src/lib/libssl/ssl_locl.h | 13 +++++--------
 src/lib/libssl/ssl_srvr.c | 13 +------------
 src/lib/libssl/t1_lib.c   | 14 +-------------
 9 files changed, 16 insertions(+), 85 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index ad627d10d8..3a11d62893 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.157 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2460,14 +2460,10 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb)
 	if ((alg_k & SSL_kDHE) != 0) {
 		if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
 			return 0;
-		if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
-			return 0;
 	}
 
 	if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
 		return 0;
-	if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
-		return 0;
 
 	/*
 	 * ECDSA certs can be used with RSA cipher suites as well
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index ca84891e72..b63f36b3f1 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_algs.c,v 1.26 2017/04/29 22:31:42 beck Exp $ */
+/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,10 +112,6 @@ SSL_library_init(void)
 	EVP_add_digest(EVP_sha256());
 	EVP_add_digest(EVP_sha384());
 	EVP_add_digest(EVP_sha512());
-	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-	EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-	EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-	EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
 	EVP_add_digest(EVP_ecdsa());
 #ifndef OPENSSL_NO_GOST
 	EVP_add_digest(EVP_gostr341194());
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 4a724560f2..17f93f551b 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.9 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.10 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -568,8 +568,6 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
 	i = pk->type;
 	if (i == EVP_PKEY_RSA) {
 		ret = SSL_PKEY_RSA_ENC;
-	} else if (i == EVP_PKEY_DSA) {
-		ret = SSL_PKEY_DSA_SIGN;
 	} else if (i == EVP_PKEY_EC) {
 		ret = SSL_PKEY_ECC;
 	} else if (i == NID_id_GostR3410_2001 ||
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 174441c70e..a244353b88 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.65 2017/08/10 17:18:38 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.66 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -162,7 +162,6 @@ static void
 ssl_cert_set_default_md(CERT *cert)
 {
 	/* Set digest values to defaults */
-	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
 	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
 	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
@@ -267,12 +266,7 @@ ssl_cert_dup(CERT *cert)
 				/* We have an RSA key. */
 				break;
 
-			case SSL_PKEY_DSA_SIGN:
-				/* We have a DSA key. */
-				break;
-
 			case SSL_PKEY_DH_RSA:
-			case SSL_PKEY_DH_DSA:
 				/* We have a DH key. */
 				break;
 
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index a1745143f0..865c961db7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.14 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.15 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1162,8 +1162,6 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 
 	if (alg_a & SSL_aRSA)
 		*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-	else if (alg_a & SSL_aDSS)
-		*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
 	else
 		/* XXX - Anonymous DH, so no certificate or pkey. */
 		*pkey = NULL;
@@ -2395,16 +2393,6 @@ ssl3_send_client_verify(SSL *s)
 			}
 			s2n(u, p);
 			n = u + 2;
-		} else if (pkey->type == EVP_PKEY_DSA) {
-			if (!DSA_sign(pkey->save_type,
-			    &(data[MD5_DIGEST_LENGTH]),
-			    SHA_DIGEST_LENGTH, &(p[2]),
-			    (unsigned int *)&j, pkey->pkey.dsa)) {
-				SSLerror(s, ERR_R_DSA_LIB);
-				goto err;
-			}
-			s2n(j, p);
-			n = j + 2;
 		} else if (pkey->type == EVP_PKEY_EC) {
 			if (!ECDSA_sign(pkey->save_type,
 			    &(data[MD5_DIGEST_LENGTH]),
@@ -2593,13 +2581,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
 	if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
 		SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
 		goto f_err;
-	} else if ((alg_a & SSL_aDSS) &&
-	    !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
-		SSLerror(s, SSL_R_MISSING_DSA_SIGNING_CERT);
-		goto f_err;
 	}
-	if ((alg_k & SSL_kRSA) &&
-	    !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
+	if ((alg_k & SSL_kRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
 		SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
 		goto f_err;
 	}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6e555898ad..de78ad2fcf 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.165 2017/08/11 21:06:52 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.166 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2041,7 +2041,7 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 void
 ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 {
-	int		 rsa_enc, rsa_sign, dh_tmp, dsa_sign;
+	int		 rsa_enc, rsa_sign, dh_tmp;
 	int		 have_ecc_cert;
 	unsigned long	 mask_k, mask_a;
 	X509		*x = NULL;
@@ -2057,8 +2057,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
 	rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
-	cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-	dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk = &(c->pkeys[SSL_PKEY_ECC]);
 	have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
 
@@ -2080,9 +2078,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	if (rsa_enc || rsa_sign)
 		mask_a |= SSL_aRSA;
 
-	if (dsa_sign)
-		mask_a |= SSL_aDSS;
-
 	mask_a |= SSL_aNULL;
 
 	/*
@@ -2159,8 +2154,6 @@ ssl_get_server_send_pkey(const SSL *s)
 
 	if (alg_a & SSL_aECDSA) {
 		i = SSL_PKEY_ECC;
-	} else if (alg_a & SSL_aDSS) {
-		i = SSL_PKEY_DSA_SIGN;
 	} else if (alg_a & SSL_aRSA) {
 		if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
 			i = SSL_PKEY_RSA_SIGN;
@@ -2197,10 +2190,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
 	alg_a = cipher->algorithm_auth;
 	c = s->cert;
 
-	if ((alg_a & SSL_aDSS) &&
-	    (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-		idx = SSL_PKEY_DSA_SIGN;
-	else if (alg_a & SSL_aRSA) {
+	if (alg_a & SSL_aRSA) {
 		if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
 			idx = SSL_PKEY_RSA_SIGN;
 		else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
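Review bot: With the DSS branch gone, `if (alg_a & SSL_aRSA)` now heads the chain in ssl_get_sign_pkey, so a cipher whose `algorithm_auth` still carries `SSL_aDSS` matches no branch visible here. The function continues past the hunk, so these lines cannot confirm that `idx` is left at a sentinel and rejected; a short comment would record the assumption, e.g. `/* DSS is no longer supported; unmatched auth types must fail below. */`. The same fall-through matters more in ssl3_get_server_kex_dhe (ssl_clnt.c), where any non-RSA `alg_a` now lands in the `else` that sets `*pkey = NULL` as for anonymous DH. The caller there is not shown and should be checked to reject a NULL key unless `SSL_aNULL` is set.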
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 52e4b6c5e9..6f9be12fa7 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.187 2017/08/11 20:14:13 doug Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.188 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -341,15 +341,12 @@ __BEGIN_HIDDEN_DECLS
 #define SSL_USE_TLS1_2_CIPHERS(s) \
 	(s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
 
-/* Mostly for SSLv3 */
 #define SSL_PKEY_RSA_ENC	0
 #define SSL_PKEY_RSA_SIGN	1
-#define SSL_PKEY_DSA_SIGN	2
-#define SSL_PKEY_DH_RSA		3
-#define SSL_PKEY_DH_DSA		4
-#define SSL_PKEY_ECC            5
-#define SSL_PKEY_GOST01		6
-#define SSL_PKEY_NUM		7
+#define SSL_PKEY_DH_RSA		2
+#define SSL_PKEY_ECC            3
+#define SSL_PKEY_GOST01		4
+#define SSL_PKEY_NUM		5
 
 #define SSL_MAX_EMPTY_RECORDS	32
 
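Review bot: The renumbered `SSL_PKEY_*` block loses its only comment and is left undocumented, although other hunks in this commit show the values used as indices into `pkeys[]` and `peer_pkeys[]`. A replacement such as `/* Indices into the pkeys[] and peer_pkeys[] arrays; SSL_PKEY_NUM is the number of slots. */` would help, though that `SSL_PKEY_NUM` sizes those arrays is inferred rather than visible here. Because every value after `SSL_PKEY_RSA_SIGN` shifts, any remaining code that uses a literal subscript or assumes the old layout would silently address a different slot, so a search for numeric indices on those arrays is worth doing. As a style point, `SSL_PKEY_ECC` is aligned with spaces while its neighbours use tabs: `#define SSL_PKEY_ECC		3`.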
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index e370b7571c..a21039e727 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.20 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2256,17 +2256,6 @@ ssl3_get_cert_verify(SSL *s)
 			goto f_err;
 		}
 	} else
-	if (pkey->type == EVP_PKEY_DSA) {
-		j = DSA_verify(pkey->save_type,
-		    &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-		    SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
-		if (j <= 0) {
-			/* bad signature */
-			al = SSL_AD_DECRYPT_ERROR;
-			SSLerror(s, SSL_R_BAD_DSA_SIGNATURE);
-			goto f_err;
-		}
-	} else
 	if (pkey->type == EVP_PKEY_EC) {
 		j = ECDSA_verify(pkey->save_type,
 		    &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 4983ad27fa..3e5133ab54 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.126 2017/08/11 20:14:13 doug Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.127 2017/08/12 02:55:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -631,18 +631,15 @@ tls1_check_ec_tmp_key(SSL *s)
 
 static unsigned char tls12_sigalgs[] = {
 	TLSEXT_hash_sha512, TLSEXT_signature_rsa,
-	TLSEXT_hash_sha512, TLSEXT_signature_dsa,
 	TLSEXT_hash_sha512, TLSEXT_signature_ecdsa,
 #ifndef OPENSSL_NO_GOST
 	TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512,
 #endif
 
 	TLSEXT_hash_sha384, TLSEXT_signature_rsa,
-	TLSEXT_hash_sha384, TLSEXT_signature_dsa,
 	TLSEXT_hash_sha384, TLSEXT_signature_ecdsa,
 
 	TLSEXT_hash_sha256, TLSEXT_signature_rsa,
-	TLSEXT_hash_sha256, TLSEXT_signature_dsa,
 	TLSEXT_hash_sha256, TLSEXT_signature_ecdsa,
 
 #ifndef OPENSSL_NO_GOST
@@ -651,11 +648,9 @@ static unsigned char tls12_sigalgs[] = {
 #endif
 
 	TLSEXT_hash_sha224, TLSEXT_signature_rsa,
-	TLSEXT_hash_sha224, TLSEXT_signature_dsa,
 	TLSEXT_hash_sha224, TLSEXT_signature_ecdsa,
 
 	TLSEXT_hash_sha1, TLSEXT_signature_rsa,
-	TLSEXT_hash_sha1, TLSEXT_signature_dsa,
 	TLSEXT_hash_sha1, TLSEXT_signature_ecdsa,
 };
 
@@ -1932,7 +1927,6 @@ static tls12_lookup tls12_md[] = {
 
 static tls12_lookup tls12_sig[] = {
 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
-	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa},
 	{EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01},
 };
@@ -2020,7 +2014,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 
 	CBS_init(&cbs, data, dsize);
 
-	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
@@ -2039,9 +2032,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 		case TLSEXT_signature_rsa:
 			idx = SSL_PKEY_RSA_SIGN;
 			break;
-		case TLSEXT_signature_dsa:
-			idx = SSL_PKEY_DSA_SIGN;
-			break;
 		case TLSEXT_signature_ecdsa:
 			idx = SSL_PKEY_ECC;
 			break;
@@ -2068,8 +2058,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 	/* Set any remaining keys to default values. NOTE: if alg is not
 	 * supported it stays as NULL.
 	 */
-	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-- 
cgit v1.2.3-55-g6feb