diff options
| author | David Benjamin <davidben@chromium.org> | 2014-08-20 00:02:38 +0400 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2014-08-20 06:07:00 +0400 |
| commit | bd30f8e34a38d04bf34df51ea0a2ce159e8ab273 (patch) | |
| tree | 2cd1c3951471097a803cea6021cba8d669f338d2 /ssl/s3_lib.c | |
| parent | d0639af978a51036376b98cd57abac7c07bad06b (diff) | |
Remove support on both sides for *_fixed_(ec)dh client auth.
In the fixed_ecdh case, it wasn't even implemented, but there was stub code for
it. It complicates the ClientKeyExchange (the client parameters become implicit
in the certificate) and isn't used.
Change-Id: I3627a37042539c90e05e59cd0cb3cd6c56225561
Reviewed-on: https://boringssl-review.googlesource.com/1563
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/s3_lib.c')
| -rw-r--r-- | ssl/s3_lib.c | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index bd8761e8..c151a8b9 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2538,8 +2538,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) #ifndef OPENSSL_NO_ECDSA int have_ecdsa_sign = 0; #endif - int nostrict = 1; - unsigned long alg_k; /* If we have custom certificate types set, use them */ if (s->cert->client_certificate_types) @@ -2550,8 +2548,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } /* get configured sigalgs */ siglen = tls12_get_psigalgs(s, &sig); - if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) - nostrict = 0; for (i = 0; i < siglen; i+=2, sig+=2) { switch(sig[1]) @@ -2571,45 +2567,12 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } } - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - -#ifndef OPENSSL_NO_DH - if (alg_k & (SSL_kDHr|SSL_kEDH)) - { - /* Since this refers to a certificate signed with an RSA - * algorithm, only check for rsa signing in strict mode. - */ - if (nostrict || have_rsa_sign) - p[ret++]=SSL3_CT_RSA_FIXED_DH; -# ifndef OPENSSL_NO_DSA - if (nostrict || have_dsa_sign) - p[ret++]=SSL3_CT_DSS_FIXED_DH; -# endif - } - if ((s->version == SSL3_VERSION) && - (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) - { - p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; -# ifndef OPENSSL_NO_DSA - p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; -# endif - } -#endif /* !OPENSSL_NO_DH */ if (have_rsa_sign) p[ret++]=SSL3_CT_RSA_SIGN; #ifndef OPENSSL_NO_DSA if (have_dsa_sign) p[ret++]=SSL3_CT_DSS_SIGN; #endif -#ifndef OPENSSL_NO_ECDH - if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) - { - if (nostrict || have_rsa_sign) - p[ret++]=TLS_CT_RSA_FIXED_ECDH; - if (nostrict || have_ecdsa_sign) - p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; - } -#endif #ifndef OPENSSL_NO_ECDSA /* ECDSA certs can be used with RSA cipher suites as well |