Remove remnants from PSK, KRB5 and SRP.
authorjsing <jsing@openbsd.org>
Sat, 12 Jul 2014 13:11:53 +0000 (13:11 +0000)
committerjsing <jsing@openbsd.org>
Sat, 12 Jul 2014 13:11:53 +0000 (13:11 +0000)
ok beck@ miod@

16 files changed:
lib/libssl/d1_clnt.c
lib/libssl/d1_srvr.c
lib/libssl/s3_clnt.c
lib/libssl/s3_pkt.c
lib/libssl/s3_srvr.c
lib/libssl/src/ssl/d1_clnt.c
lib/libssl/src/ssl/d1_srvr.c
lib/libssl/src/ssl/s3_clnt.c
lib/libssl/src/ssl/s3_pkt.c
lib/libssl/src/ssl/s3_srvr.c
lib/libssl/src/ssl/ssl_ciph.c
lib/libssl/src/ssl/ssl_lib.c
lib/libssl/src/ssl/ssl_locl.h
lib/libssl/ssl_ciph.c
lib/libssl/ssl_lib.c
lib/libssl/ssl_locl.h

index b85908c..004fd6e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.29 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -395,9 +395,9 @@ dtls1_connect(SSL *s)
                                s->init_num = 0;
                                break;
                        }
-                       /* Check if it is anon DH or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+                       /* Check if it is anon DH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                ret = ssl3_get_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
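Review bot: The rewritten comment `/* Check if it is anon DH. */` still reads as if the guarded block handles the anonymous case, whereas the body (`ssl3_get_server_certificate`) runs only when `algorithm_auth` lacks `SSL_aNULL`; the s3_clnt.c hunk at -339 calls the identical test "anon DH/ECDH", so the DTLS wording is also narrower than its sibling. I would describe the effect rather than the flag: `/* Fetch the server certificate unless the cipher suite is anonymous (aNULL). */`. The same wording fits the d1_srvr.c hunk at -427 and the s3_srvr.c hunk at -373 (with "send" instead of "fetch"), and the duplicate copies of these files further down the page. dtls1_connect's body continues outside the hunk.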
index 8531f2d..a94b7ed 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -427,9 +427,9 @@ dtls1_accept(SSL *s)
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
-                       /* Check if it is anon DH or normal PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+                       /* Check if it is anon DH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                dtls1_start_timer(s);
                                ret = dtls1_send_server_certificate(s);
                                if (ret <= 0)
@@ -500,22 +500,13 @@ dtls1_accept(SSL *s)
                         *   and in RFC 2246) ... except when the application
                         *   insists on verification (against the specs, but
                         *   s3_clnt.c accepts this for SSL 3).
-                        *
-                        * - We are using a Kerberos ciphersuite.
-                        *
-                        * - We are using normal PSK certificates and
-                        *   Certificate Requests are omitted
                         */
                        if (!(s->verify_mode & SSL_VERIFY_PEER) ||
                            ((s->session->peer != NULL) &&
                             (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
                            ((s->s3->tmp.new_cipher->algorithm_auth &
                             SSL_aNULL) && !(s->verify_mode &
-                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                           (s->s3->tmp.new_cipher->algorithm_auth &
-                            SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                            SSL_kPSK)) {
+                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
                                /* no cert request */
                                skip = 1;
                                s->s3->tmp.cert_request = 0;
@@ -1216,8 +1207,7 @@ dtls1_send_server_key_exchange(SSL *s)
                        n += 2 + nr[i];
                }
 
-               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-                   && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
                        if ((pkey = ssl_get_sign_pkey(s,
                            s->s3->tmp.new_cipher, NULL)) == NULL) {
                                al = SSL_AD_DECODE_ERROR;
@@ -1463,12 +1453,9 @@ dtls1_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A) {
                x = ssl_get_server_send_cert(s);
                if (x == NULL) {
-                       /* VRS: allow null cert if auth == KRB5 */
-                       if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
-                               (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) {
-                               SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
-                               return (0);
-                       }
+                       SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
+                           ERR_R_INTERNAL_ERROR);
+                       return (0);
                }
 
                l = dtls1_output_cert_chain(s, x);
index 884b9f1..7d6681b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.78 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -339,11 +339,9 @@ ssl3_connect(SSL *s)
                                s->init_num = 0;
                                break;
                        }
-                       /* Check if it is anon DH/ECDH or PSK */
+                       /* Check if it is anon DH/ECDH. */
                        if (!(s->s3->tmp.new_cipher->algorithm_auth &
-                           SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kPSK)) {
+                           SSL_aNULL)) {
                                ret = ssl3_get_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
@@ -996,7 +994,6 @@ ssl3_get_server_certificate(SSL *s)
        SESS_CERT               *sc;
        EVP_PKEY                *pkey = NULL;
 
-       /* VRS: 0=> will allow null cert if auth == KRB5 */
        int                      need_cert = 1;
 
        n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
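Review bot: `need_cert` is now a constant: it is initialised to 1 on the context line kept here, and the only assignment to it, in the hunk at -1098, is removed by this commit, so `if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))` in that hunk can no longer skip the check. Unless it is still assigned somewhere outside these hunks, drop the declaration and write the test as `if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {`, which also removes the declaration left stranded after a blank line among the other locals. The same leftover appears in the duplicate copy of s3_clnt.c later on the page. ssl3_get_server_certificate continues outside the hunk on both sides.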
@@ -1005,9 +1002,7 @@ ssl3_get_server_certificate(SSL *s)
        if (!ok)
                return ((int)n);
 
-       if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
-           ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
-           (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
+       if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)) {
                s->s3->tmp.reuse_message = 1;
                return (1);
        }
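Review bot: The condition on the new side keeps a redundant pair of parentheses from the removed second operand: `if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)) {`. Doubled parentheses are the idiom that marks an intentional assignment inside a condition, so here they mislead the reader; write `if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {`. The same applies in the duplicate copy of this hunk below.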
@@ -1098,12 +1093,6 @@ ssl3_get_server_certificate(SSL *s)
 
        pkey = X509_get_pubkey(x);
 
-       /* VRS: allow null cert if auth == KRB5 */
-       need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
-           (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
-           ? 0 : 1;
-
-
        if (need_cert && ((pkey == NULL) ||
            EVP_PKEY_missing_parameters(pkey))) {
                x = NULL;
@@ -1553,8 +1542,8 @@ ssl3_get_key_exchange(SSL *s)
                        }
                }
        } else {
-               /* aNULL or kPSK do not need public keys */
-               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) {
+               /* aNULL does not need public keys. */
+               if (!(alg_a & SSL_aNULL)) {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                            ERR_R_INTERNAL_ERROR);
                        goto err;
@@ -2615,7 +2604,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 
        /* We don't have a certificate. */
-       if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
+       if (alg_a & (SSL_aDH|SSL_aNULL))
                return (1);
 
        sc = s->session->sess_cert;
index 237d90c..cbd35ff 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1134,10 +1134,6 @@ start:
                                    SSL_R_NO_RENEGOTIATION);
                                goto f_err;
                        }
-#ifdef SSL_AD_MISSING_SRP_USERNAME
-                       else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
-                               return (0);
-#endif
                } else if (alert_level == 2) {
                        /* fatal */
                        s->rwstate = SSL_NOTHING;
index 2d1bee1..e0a7d78 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
-                       /* Check if it is anon DH or anon ECDH, */
-                       /* normal PSK or KRB5 or SRP */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-                           && !(s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kPSK)
-                           && !(s->s3->tmp.new_cipher->algorithm_auth &
-                           SSL_aKRB5)) {
+                       /* Check if it is anon DH or anon ECDH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                ret = ssl3_send_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
 
                        /*
                         * Only send if a DH key exchange, fortezza or
-                        * RSA but we have a sign only certificate
-                        *
-                        * PSK: send ServerKeyExchange if PSK identity
-                        * hint is provided
+                        * RSA but we have a sign only certificate.
                         *
                         * For ECC ciphersuites, we send a serverKeyExchange
                         * message only if the cipher suite is either
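Review bot: The comment this hunk rewrites still opens with "Only send if a DH key exchange, fortezza or RSA but we have a sign only certificate", but the condition it describes in the next hunk at -428 tests only `use_rsa_tmp`, the DH bits, `SSL_kEECDH` and `SSL_kRSA` without an RSA encryption key — nothing Fortezza-related — so "fortezza" looks as stale as the PSK text being dropped. Suggest `* Only send if a DH/ECDH key exchange, or RSA where we only have a sign-only certificate.` and leave the ECC specifics to the sentences that follow. The duplicate copy of s3_srvr.c below carries the same comment. ssl3_accept continues outside the hunk.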
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
                         * server certificate contains the server's
                         * public key for key exchange.
                         */
-                       if (s->s3->tmp.use_rsa_tmp
-                           || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
-                           || (alg_k & SSL_kEECDH)
-                           || ((alg_k & SSL_kRSA)
-                           && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
-                           NULL
-                           ))) {
+                       if (s->s3->tmp.use_rsa_tmp ||
+                           (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
+                           (alg_k & SSL_kEECDH) ||
+                           ((alg_k & SSL_kRSA) &&
+                            (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
+                            NULL))) {
                                ret = ssl3_send_server_key_exchange(s);
                                if (ret <= 0)
                                        goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
                         *   and in RFC 2246) ... except when the application
                         *   insists on verification (against the specs, but
                         *   s3_clnt.c accepts this for SSL 3).
-                        *
-                        * - We are using a Kerberos ciphersuite.
-                        *
-                        * - We are using normal PSK certificates and
-                        *   Certificate Requests are omitted
                         */
                        if (!(s->verify_mode & SSL_VERIFY_PEER) ||
                            ((s->session->peer != NULL) &&
                             (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
                            ((s->s3->tmp.new_cipher->algorithm_auth &
                             SSL_aNULL) && !(s->verify_mode &
-                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                           (s->s3->tmp.new_cipher->algorithm_auth &
-                            SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                            SSL_kPSK)) {
+                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
                                /* No cert request */
                                skip = 1;
                                s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
                        n += 2 + nr[i];
                }
 
-               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                   !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
                        if ((pkey = ssl_get_sign_pkey(
                            s, s->s3->tmp.new_cipher, &md)) == NULL) {
                                al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A) {
                x = ssl_get_server_send_cert(s);
                if (x == NULL) {
-                       /* VRS: allow null cert if auth == KRB5 */
-                       if ((s->s3->tmp.new_cipher->algorithm_auth !=
-                           SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kKRB5)) {
-                               SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
-                                   ERR_R_INTERNAL_ERROR);
-                               return (0);
-                       }
+                       SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
+                           ERR_R_INTERNAL_ERROR);
+                       return (0);
                }
 
                l = ssl3_output_cert_chain(s, x);
index b85908c..004fd6e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.29 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.30 2014/07/12 13:11:53 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -395,9 +395,9 @@ dtls1_connect(SSL *s)
                                s->init_num = 0;
                                break;
                        }
-                       /* Check if it is anon DH or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+                       /* Check if it is anon DH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                ret = ssl3_get_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
index 8531f2d..a94b7ed 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.32 2014/07/12 13:11:53 jsing Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -427,9 +427,9 @@ dtls1_accept(SSL *s)
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
-                       /* Check if it is anon DH or normal PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+                       /* Check if it is anon DH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                dtls1_start_timer(s);
                                ret = dtls1_send_server_certificate(s);
                                if (ret <= 0)
@@ -500,22 +500,13 @@ dtls1_accept(SSL *s)
                         *   and in RFC 2246) ... except when the application
                         *   insists on verification (against the specs, but
                         *   s3_clnt.c accepts this for SSL 3).
-                        *
-                        * - We are using a Kerberos ciphersuite.
-                        *
-                        * - We are using normal PSK certificates and
-                        *   Certificate Requests are omitted
                         */
                        if (!(s->verify_mode & SSL_VERIFY_PEER) ||
                            ((s->session->peer != NULL) &&
                             (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
                            ((s->s3->tmp.new_cipher->algorithm_auth &
                             SSL_aNULL) && !(s->verify_mode &
-                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                           (s->s3->tmp.new_cipher->algorithm_auth &
-                            SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                            SSL_kPSK)) {
+                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
                                /* no cert request */
                                skip = 1;
                                s->s3->tmp.cert_request = 0;
@@ -1216,8 +1207,7 @@ dtls1_send_server_key_exchange(SSL *s)
                        n += 2 + nr[i];
                }
 
-               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-                   && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
                        if ((pkey = ssl_get_sign_pkey(s,
                            s->s3->tmp.new_cipher, NULL)) == NULL) {
                                al = SSL_AD_DECODE_ERROR;
@@ -1463,12 +1453,9 @@ dtls1_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A) {
                x = ssl_get_server_send_cert(s);
                if (x == NULL) {
-                       /* VRS: allow null cert if auth == KRB5 */
-                       if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
-                               (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) {
-                               SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
-                               return (0);
-                       }
+                       SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
+                           ERR_R_INTERNAL_ERROR);
+                       return (0);
                }
 
                l = dtls1_output_cert_chain(s, x);
index 884b9f1..7d6681b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.78 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -339,11 +339,9 @@ ssl3_connect(SSL *s)
                                s->init_num = 0;
                                break;
                        }
-                       /* Check if it is anon DH/ECDH or PSK */
+                       /* Check if it is anon DH/ECDH. */
                        if (!(s->s3->tmp.new_cipher->algorithm_auth &
-                           SSL_aNULL) &&
-                           !(s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kPSK)) {
+                           SSL_aNULL)) {
                                ret = ssl3_get_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
@@ -996,7 +994,6 @@ ssl3_get_server_certificate(SSL *s)
        SESS_CERT               *sc;
        EVP_PKEY                *pkey = NULL;
 
-       /* VRS: 0=> will allow null cert if auth == KRB5 */
        int                      need_cert = 1;
 
        n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
@@ -1005,9 +1002,7 @@ ssl3_get_server_certificate(SSL *s)
        if (!ok)
                return ((int)n);
 
-       if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
-           ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
-           (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
+       if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)) {
                s->s3->tmp.reuse_message = 1;
                return (1);
        }
@@ -1098,12 +1093,6 @@ ssl3_get_server_certificate(SSL *s)
 
        pkey = X509_get_pubkey(x);
 
-       /* VRS: allow null cert if auth == KRB5 */
-       need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
-           (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
-           ? 0 : 1;
-
-
        if (need_cert && ((pkey == NULL) ||
            EVP_PKEY_missing_parameters(pkey))) {
                x = NULL;
@@ -1553,8 +1542,8 @@ ssl3_get_key_exchange(SSL *s)
                        }
                }
        } else {
-               /* aNULL or kPSK do not need public keys */
-               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) {
+               /* aNULL does not need public keys. */
+               if (!(alg_a & SSL_aNULL)) {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                            ERR_R_INTERNAL_ERROR);
                        goto err;
@@ -2615,7 +2604,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 
        /* We don't have a certificate. */
-       if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
+       if (alg_a & (SSL_aDH|SSL_aNULL))
                return (1);
 
        sc = s->session->sess_cert;
index 237d90c..cbd35ff 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1134,10 +1134,6 @@ start:
                                    SSL_R_NO_RENEGOTIATION);
                                goto f_err;
                        }
-#ifdef SSL_AD_MISSING_SRP_USERNAME
-                       else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
-                               return (0);
-#endif
                } else if (alert_level == 2) {
                        /* fatal */
                        s->rwstate = SSL_NOTHING;
index 2d1bee1..e0a7d78 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
-                       /* Check if it is anon DH or anon ECDH, */
-                       /* normal PSK or KRB5 or SRP */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-                           && !(s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kPSK)
-                           && !(s->s3->tmp.new_cipher->algorithm_auth &
-                           SSL_aKRB5)) {
+                       /* Check if it is anon DH or anon ECDH. */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth &
+                           SSL_aNULL)) {
                                ret = ssl3_send_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
 
                        /*
                         * Only send if a DH key exchange, fortezza or
-                        * RSA but we have a sign only certificate
-                        *
-                        * PSK: send ServerKeyExchange if PSK identity
-                        * hint is provided
+                        * RSA but we have a sign only certificate.
                         *
                         * For ECC ciphersuites, we send a serverKeyExchange
                         * message only if the cipher suite is either
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
                         * server certificate contains the server's
                         * public key for key exchange.
                         */
-                       if (s->s3->tmp.use_rsa_tmp
-                           || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
-                           || (alg_k & SSL_kEECDH)
-                           || ((alg_k & SSL_kRSA)
-                           && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
-                           NULL
-                           ))) {
+                       if (s->s3->tmp.use_rsa_tmp ||
+                           (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
+                           (alg_k & SSL_kEECDH) ||
+                           ((alg_k & SSL_kRSA) &&
+                            (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
+                            NULL))) {
                                ret = ssl3_send_server_key_exchange(s);
                                if (ret <= 0)
                                        goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
                         *   and in RFC 2246) ... except when the application
                         *   insists on verification (against the specs, but
                         *   s3_clnt.c accepts this for SSL 3).
-                        *
-                        * - We are using a Kerberos ciphersuite.
-                        *
-                        * - We are using normal PSK certificates and
-                        *   Certificate Requests are omitted
                         */
                        if (!(s->verify_mode & SSL_VERIFY_PEER) ||
                            ((s->session->peer != NULL) &&
                             (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
                            ((s->s3->tmp.new_cipher->algorithm_auth &
                             SSL_aNULL) && !(s->verify_mode &
-                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                           (s->s3->tmp.new_cipher->algorithm_auth &
-                            SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                            SSL_kPSK)) {
+                            SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
                                /* No cert request */
                                skip = 1;
                                s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
                        n += 2 + nr[i];
                }
 
-               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                   !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
                        if ((pkey = ssl_get_sign_pkey(
                            s, s->s3->tmp.new_cipher, &md)) == NULL) {
                                al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A) {
                x = ssl_get_server_send_cert(s);
                if (x == NULL) {
-                       /* VRS: allow null cert if auth == KRB5 */
-                       if ((s->s3->tmp.new_cipher->algorithm_auth !=
-                           SSL_aKRB5) ||
-                           (s->s3->tmp.new_cipher->algorithm_mkey &
-                           SSL_kKRB5)) {
-                               SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
-                                   ERR_R_INTERNAL_ERROR);
-                               return (0);
-                       }
+                       SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
+                           ERR_R_INTERNAL_ERROR);
+                       return (0);
                }
 
                l = ssl3_output_cert_chain(s, x);
index 9df4f8a..a2dec52 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.64 2014/07/12 07:52:36 guenther Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -272,11 +272,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kEDH,
        },
        
-       {
-               .name = SSL_TXT_kKRB5,
-               .algorithm_mkey = SSL_kKRB5,
-       },
-       
        {
                .name = SSL_TXT_kECDHr,
                .algorithm_mkey = SSL_kECDHr,
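Review bot: With the `kKRB5`, `kPSK`, `kSRP`, `aKRB5`, `aPSK`, `KRB5`, `PSK` and `SRP` rows gone from `cipher_aliases` (this hunk and the four that follow, through -401), cipher strings that applications still pass with words such as `!PSK` or `!SRP` no longer resolve to any alias. Presumably the rule parser ignores unknown words rather than failing, in which case those exclusions become harmless no-ops; if it instead rejects them, programs with such words in their configured cipher string will be unable to build a cipher list at startup. That behaviour is not visible in this diff and deserves a sentence in the commit message either way.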
@@ -298,14 +293,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,
        },
        
-       {
-               .name = SSL_TXT_kPSK,
-               .algorithm_mkey = SSL_kPSK,
-       },
-       {
-               .name = SSL_TXT_kSRP,
-               .algorithm_mkey = SSL_kSRP,
-       },
        {
                .name = SSL_TXT_kGOST,
                .algorithm_mkey = SSL_kGOST,
@@ -324,10 +311,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_DSS,
                .algorithm_auth = SSL_aDSS,
        },
-       {
-               .name = SSL_TXT_aKRB5,
-               .algorithm_auth = SSL_aKRB5,
-       },
        {
                .name = SSL_TXT_aNULL,
                .algorithm_auth = SSL_aNULL,
@@ -349,10 +332,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_ECDSA,
                .algorithm_auth = SSL_aECDSA,
        },
-       {
-               .name = SSL_TXT_aPSK,
-               .algorithm_auth = SSL_aPSK,
-       },
        {
                .name = SSL_TXT_aGOST94,
                .algorithm_auth = SSL_aGOST94,
@@ -381,11 +360,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_NULL,
                .algorithm_enc = SSL_eNULL,
        },
-       {
-               .name = SSL_TXT_KRB5,
-               .algorithm_mkey = SSL_kKRB5,
-               .algorithm_auth = SSL_aKRB5,
-       },
        {
                .name = SSL_TXT_RSA,
                .algorithm_mkey = SSL_kRSA,
@@ -401,16 +375,7 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kEECDH,
                .algorithm_auth = SSL_aNULL,
        },
-       {
-               .name = SSL_TXT_PSK,
-               .algorithm_mkey = SSL_kPSK,
-               .algorithm_auth = SSL_aPSK,
-       },
-       {
-               .name = SSL_TXT_SRP,
-               .algorithm_mkey = SSL_kSRP,
-       },
-       
+
        /* symmetric encryption aliases */
        {
                .name = SSL_TXT_DES,
@@ -881,11 +846,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
 
        *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
        *auth |= SSL_aDH;
-       *mkey |= SSL_kKRB5;
-       *auth |= SSL_aKRB5;
-       *mkey |= SSL_kPSK;
-       *auth |= SSL_aPSK;
-       *mkey |= SSL_kSRP;
+
        /* Check for presence of GOST 34.10 algorithms, and if they
         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
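Review bot: Dropping the `SSL_kKRB5`/`SSL_aKRB5`/`SSL_kPSK`/`SSL_aPSK`/`SSL_kSRP` bits from the disabled masks removes the safety net that kept any cipher-table entry still carrying those bits out of the negotiable list. That is only sound if no entry in the cipher table (s3_lib.c is not among the files in this commit) still has them; the "remnants" wording suggests the entries went earlier, but it is worth confirming before these mask lines go. If the bit definitions themselves leave ssl_locl.h in this commit, the compiler enforces that and the concern is moot. ssl_cipher_get_disabled continues outside the hunk.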
@@ -1515,8 +1476,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
        ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-       ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-       ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
 
        /* RC4 is sort-of broken -- move the the end */
        ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
@@ -1650,9 +1609,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kDHd:
                kx = "DH/DSS";
                break;
-       case SSL_kKRB5:
-               kx = "KRB5";
-               break;
        case SSL_kEDH:
                kx = "DH";
                break;
@@ -1665,12 +1621,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kEECDH:
                kx = "ECDH";
                break;
-       case SSL_kPSK:
-               kx = "PSK";
-               break;
-       case SSL_kSRP:
-               kx = "SRP";
-               break;
        default:
                kx = "unknown";
        }
@@ -1685,9 +1635,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aDH:
                au = "DH";
                break;
-       case SSL_aKRB5:
-               au = "KRB5";
-               break;
        case SSL_aECDH:
                au = "ECDH";
                break;
@@ -1697,9 +1644,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aECDSA:
                au = "ECDSA";
                break;
-       case SSL_aPSK:
-               au = "PSK";
-               break;
        default:
                au = "unknown";
                break;
index c316920..beb8089 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.75 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2137,9 +2137,6 @@ ssl_get_server_send_pkey(const SSL *s)
                        i = SSL_PKEY_RSA_SIGN;
                else
                        i = SSL_PKEY_RSA_ENC;
-       } else if (alg_a & SSL_aKRB5) {
-               /* VRS something else here? */
-               return (NULL);
        } else if (alg_a & SSL_aGOST94) {
                i = SSL_PKEY_GOST94;
        } else if (alg_a & SSL_aGOST01) {
index c1e402b..0d96ee5 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.59 2014/07/11 08:17:36 miod Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.60 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
 #define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
 #define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
 #define SSL_kEDH               0x00000008L /* tmp DH key no DH cert */
-#define SSL_kKRB5              0x00000010L /* Kerberos5 key exchange */
 #define SSL_kECDHr             0x00000020L /* ECDH cert, RSA CA cert */
 #define SSL_kECDHe             0x00000040L /* ECDH cert, ECDSA CA cert */
 #define SSL_kEECDH             0x00000080L /* ephemeral ECDH */
-#define SSL_kPSK               0x00000100L /* PSK */
-#define SSL_kGOST       0x00000200L /* GOST key exchange */
-#define SSL_kSRP        0x00000400L /* SRP */
+#define SSL_kGOST              0x00000200L /* GOST key exchange */
 
 /* Bits for algorithm_auth (server authentication) */
 #define SSL_aRSA               0x00000001L /* RSA auth */
 #define SSL_aNULL              0x00000004L /* no auth (i.e. use ADH or AECDH) */
 #define SSL_aDH                0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
 #define SSL_aECDH              0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5               0x00000020L /* KRB5 auth */
 #define SSL_aECDSA              0x00000040L /* ECDSA auth*/
-#define SSL_aPSK                0x00000080L /* PSK auth */
 #define SSL_aGOST94                            0x00000100L /* GOST R 34.10-94 signature auth */
 #define SSL_aGOST01                    0x00000200L /* GOST R 34.10-2001 signature auth */
 
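Review bot: The deleted defines leave undocumented holes in the bit layout — `0x00000010L`, `0x00000100L` and `0x00000400L` in the `algorithm_mkey` block and `0x00000020L`, `0x00000080L` in the `algorithm_auth` block — with nothing telling a later reader whether the bits were lost or vacated on purpose. A one-line comment per block would settle it, e.g. `/* 0x10, 0x100 and 0x400 formerly KRB5, PSK and SRP key exchange; left unused */` after the `SSL_kGOST` line and `/* 0x20 and 0x80 formerly KRB5 and PSK auth; left unused */` after `SSL_aECDSA`. The realignment of `SSL_kGOST` to the surrounding columns is a welcome cleanup; `SSL_aGOST94` and `SSL_aGOST01` on the lines that follow are still misaligned and could be fixed while the block is being touched. The `@@` header of this hunk is not visible on the page, and the same hunk in the lib/libssl copy of ssl_locl.h at the end of the page is cut off, so this note covers both.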
index 9df4f8a..a2dec52 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.64 2014/07/12 07:52:36 guenther Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.65 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -272,11 +272,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kDHr|SSL_kDHd|SSL_kEDH,
        },
        
-       {
-               .name = SSL_TXT_kKRB5,
-               .algorithm_mkey = SSL_kKRB5,
-       },
-       
        {
                .name = SSL_TXT_kECDHr,
                .algorithm_mkey = SSL_kECDHr,
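Review bot: The whitespace-only line `-       ` is dropped on the removed side of this hunk, but the identical trailing-whitespace context lines immediately before the deleted entry and at the top of the following hunk are kept, so the touched region ends up inconsistent; the same pattern appears in the `SSL_TXT_SRP` hunk of both ssl_ciph.c copies, where a `-       ` line is replaced by a `+` empty line. Either leave the stray whitespace alone for a separate cleanup or strip it consistently within the hunks this commit already edits. The `cipher_aliases` array starts and ends outside this hunk.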
@@ -298,14 +293,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,
        },
        
-       {
-               .name = SSL_TXT_kPSK,
-               .algorithm_mkey = SSL_kPSK,
-       },
-       {
-               .name = SSL_TXT_kSRP,
-               .algorithm_mkey = SSL_kSRP,
-       },
        {
                .name = SSL_TXT_kGOST,
                .algorithm_mkey = SSL_kGOST,
@@ -324,10 +311,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_DSS,
                .algorithm_auth = SSL_aDSS,
        },
-       {
-               .name = SSL_TXT_aKRB5,
-               .algorithm_auth = SSL_aKRB5,
-       },
        {
                .name = SSL_TXT_aNULL,
                .algorithm_auth = SSL_aNULL,
@@ -349,10 +332,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_ECDSA,
                .algorithm_auth = SSL_aECDSA,
        },
-       {
-               .name = SSL_TXT_aPSK,
-               .algorithm_auth = SSL_aPSK,
-       },
        {
                .name = SSL_TXT_aGOST94,
                .algorithm_auth = SSL_aGOST94,
@@ -381,11 +360,6 @@ static const SSL_CIPHER cipher_aliases[] = {
                .name = SSL_TXT_NULL,
                .algorithm_enc = SSL_eNULL,
        },
-       {
-               .name = SSL_TXT_KRB5,
-               .algorithm_mkey = SSL_kKRB5,
-               .algorithm_auth = SSL_aKRB5,
-       },
        {
                .name = SSL_TXT_RSA,
                .algorithm_mkey = SSL_kRSA,
@@ -401,16 +375,7 @@ static const SSL_CIPHER cipher_aliases[] = {
                .algorithm_mkey = SSL_kEECDH,
                .algorithm_auth = SSL_aNULL,
        },
-       {
-               .name = SSL_TXT_PSK,
-               .algorithm_mkey = SSL_kPSK,
-               .algorithm_auth = SSL_aPSK,
-       },
-       {
-               .name = SSL_TXT_SRP,
-               .algorithm_mkey = SSL_kSRP,
-       },
-       
+
        /* symmetric encryption aliases */
        {
                .name = SSL_TXT_DES,
@@ -881,11 +846,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
 
        *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
        *auth |= SSL_aDH;
-       *mkey |= SSL_kKRB5;
-       *auth |= SSL_aKRB5;
-       *mkey |= SSL_kPSK;
-       *auth |= SSL_aPSK;
-       *mkey |= SSL_kSRP;
+
        /* Check for presence of GOST 34.10 algorithms, and if they
         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
@@ -1515,8 +1476,6 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
        /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */
        ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-       ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-       ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
 
        /* RC4 is sort-of broken -- move the the end */
        ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
@@ -1650,9 +1609,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kDHd:
                kx = "DH/DSS";
                break;
-       case SSL_kKRB5:
-               kx = "KRB5";
-               break;
        case SSL_kEDH:
                kx = "DH";
                break;
@@ -1665,12 +1621,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kEECDH:
                kx = "ECDH";
                break;
-       case SSL_kPSK:
-               kx = "PSK";
-               break;
-       case SSL_kSRP:
-               kx = "SRP";
-               break;
        default:
                kx = "unknown";
        }
@@ -1685,9 +1635,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aDH:
                au = "DH";
                break;
-       case SSL_aKRB5:
-               au = "KRB5";
-               break;
        case SSL_aECDH:
                au = "ECDH";
                break;
@@ -1697,9 +1644,6 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_aECDSA:
                au = "ECDSA";
                break;
-       case SSL_aPSK:
-               au = "PSK";
-               break;
        default:
                au = "unknown";
                break;
index c316920..beb8089 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.74 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.75 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2137,9 +2137,6 @@ ssl_get_server_send_pkey(const SSL *s)
                        i = SSL_PKEY_RSA_SIGN;
                else
                        i = SSL_PKEY_RSA_ENC;
-       } else if (alg_a & SSL_aKRB5) {
-               /* VRS something else here? */
-               return (NULL);
        } else if (alg_a & SSL_aGOST94) {
                i = SSL_PKEY_GOST94;
        } else if (alg_a & SSL_aGOST01) {
index c1e402b..0d96ee5 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.59 2014/07/11 08:17:36 miod Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.60 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
 #define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
 #define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
 #define SSL_kEDH               0x00000008L /* tmp DH key no DH cert */
-#define SSL_kKRB5              0x00000010L /* Kerberos5 key exchange */
 #define SSL_kECDHr             0x00000020L /* ECDH cert, RSA CA cert */
 #define SSL_kECDHe             0x00000040L /* ECDH cert, ECDSA CA cert */
 #define SSL_kEECDH             0x00000080L /* ephemeral ECDH */
-#define SSL_kPSK               0x00000100L /* PSK */
-#define SSL_kGOST       0x00000200L /* GOST key exchange */
-#define SSL_kSRP        0x00000400L /* SRP */
+#define SSL_kGOST              0x00000200L /* GOST key exchange */
 
 /* Bits for algorithm_auth (server authentication) */
 #define SSL_aRSA               0x00000001L /* RSA auth */
 #define SSL_aNULL              0x00000004L /* no auth (i.e. use ADH or AECDH) */
 #define SSL_aDH                0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
 #define SSL_aECDH              0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5               0x00000020L /* KRB5 auth */
 #define SSL_aECDSA              0x00000040L /* ECDSA auth*/
-#define SSL_aPSK                0x00000080L /* PSK auth */
 #define SSL_aGOST94                            0x00000100L /* GOST R 34.10-94 signature auth */
 #define SSL_aGOST01                    0x00000200L /* GOST R 34.10-2001 signature auth */