author | 2014-04-17 21:37:37 +0000 | |
---|---|---|
committer | 2014-04-17 21:37:37 +0000 | |
commit | f9cd3d10235bfe2564dce844f01425b5129af89a (patch) | |
tree | 59a1f3426b9d422136eaa74ec4dcab48b5cb7bc6 /lib/libssl/src/ssl/s3_clnt.c | |
parent | kill REF_PRINT/REF_CHECK debugging framework noone would use (diff) | |
always build in RSA and DSA. ok deraadt miod
Diffstat (limited to 'lib/libssl/src/ssl/s3_clnt.c')
-rw-r--r-- | lib/libssl/src/ssl/s3_clnt.c | 51 |
1 files changed, 0 insertions, 51 deletions
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index 32405eac752..52e2174f6bb 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -1183,18 +1183,14 @@ err: int ssl3_get_key_exchange(SSL *s) { -#ifndef OPENSSL_NO_RSA unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; -#endif EVP_MD_CTX md_ctx; unsigned char *param, *p; int al, i, j, param_len, ok; long n, alg_k, alg_a; EVP_PKEY *pkey = NULL; const EVP_MD *md = NULL; -#ifndef OPENSSL_NO_RSA RSA *rsa = NULL; -#endif #ifndef OPENSSL_NO_DH DH *dh = NULL; #endif
@@ -1232,12 +1228,10 @@ ssl3_get_key_exchange(SSL *s) param = p = (unsigned char *)s->init_msg; if (s->session->sess_cert != NULL) { -#ifndef OPENSSL_NO_RSA if (s->session->sess_cert->peer_rsa_tmp != NULL) { RSA_free(s->session->sess_cert->peer_rsa_tmp); s->session->sess_cert->peer_rsa_tmp = NULL; } -#endif #ifndef OPENSSL_NO_DH if (s->session->sess_cert->peer_dh_tmp) { DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -1356,20 +1350,12 @@ ssl3_get_key_exchange(SSL *s) n -= param_len; /* We must check if there is a certificate */ -#ifndef OPENSSL_NO_RSA if (alg_a & SSL_aRSA) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); -#else - if (0) -; -#endif -#ifndef OPENSSL_NO_DSA else if (alg_a & SSL_aDSS) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); -#endif } else #endif /* !OPENSSL_NO_SRP */ -#ifndef OPENSSL_NO_RSA if (alg_k & SSL_kRSA) { if ((rsa = RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -1412,10 +1398,6 @@ ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_rsa_tmp = rsa; rsa = NULL; } -#else /* OPENSSL_NO_RSA */ - if (0) -; -#endif #ifndef OPENSSL_NO_DH else if (alg_k & SSL_kEDH) { if ((dh = DH_new()) == NULL) {
@@ -1462,17 +1444,10 @@ ssl3_get_key_exchange(SSL *s) p += i; n -= param_len; -#ifndef OPENSSL_NO_RSA if (alg_a & SSL_aRSA) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); -#else - if (0) -; -#endif -#ifndef OPENSSL_NO_DSA else if (alg_a & SSL_aDSS) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); -#endif /* else anonymous DH, so no certificate or pkey. */ s->session->sess_cert->peer_dh_tmp = dh;
@@ -1561,10 +1536,8 @@ ssl3_get_key_exchange(SSL *s) * key exchange message. We do support RSA and ECDSA. */ if (0); -#ifndef OPENSSL_NO_RSA else if (alg_a & SSL_aRSA) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); -#endif #ifndef OPENSSL_NO_ECDSA else if (alg_a & SSL_aECDSA) pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
@@ -1627,7 +1600,6 @@ ssl3_get_key_exchange(SSL *s) goto f_err; } -#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) { int num;
@@ -1659,7 +1631,6 @@ ssl3_get_key_exchange(SSL *s) goto f_err; } } else -#endif { EVP_VerifyInit_ex(&md_ctx, md, NULL); EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
@@ -1693,10 +1664,8 @@ f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: EVP_PKEY_free(pkey); -#ifndef OPENSSL_NO_RSA if (rsa != NULL) RSA_free(rsa); -#endif #ifndef OPENSSL_NO_DH if (dh != NULL) DH_free(dh);
@@ -2042,10 +2011,8 @@ ssl3_send_client_key_exchange(SSL *s) unsigned char *p, *d; int n; unsigned long alg_k; -#ifndef OPENSSL_NO_RSA unsigned char *q; EVP_PKEY *pkey = NULL; -#endif #ifndef OPENSSL_NO_KRB5 KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */
@@ -2067,7 +2034,6 @@ ssl3_send_client_key_exchange(SSL *s) /* Fool emacs indentation */ if (0) { } -#ifndef OPENSSL_NO_RSA else if (alg_k & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -2122,7 +2088,6 @@ ssl3_send_client_key_exchange(SSL *s) sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); } -#endif #ifndef OPENSSL_NO_KRB5 else if (alg_k & SSL_kKRB5) { krb5_error_code krb5rc;
@@ -2760,7 +2725,6 @@ ssl3_send_client_verify(SSL *s) if (!ssl3_digest_cached_records(s)) goto err; } else -#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { s->method->ssl3_enc->cert_verify_mac( s, NID_md5, &(data[0]));
@@ -2773,8 +2737,6 @@ ssl3_send_client_verify(SSL *s) s2n(u, p); n = u + 2; } else -#endif -#ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { if (!DSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]),
@@ -2786,7 +2748,6 @@ ssl3_send_client_verify(SSL *s) s2n(j, p); n = j + 2; } else -#endif #ifndef OPENSSL_NO_ECDSA if (pkey->type == EVP_PKEY_EC) { if (!ECDSA_sign(pkey->save_type,
@@ -2914,9 +2875,7 @@ ssl3_check_cert_and_algorithm(SSL *s) long alg_k, alg_a; EVP_PKEY *pkey = NULL; SESS_CERT *sc; -#ifndef OPENSSL_NO_RSA RSA *rsa; -#endif #ifndef OPENSSL_NO_DH DH *dh; #endif
@@ -2934,9 +2893,7 @@ ssl3_check_cert_and_algorithm(SSL *s) goto err; } -#ifndef OPENSSL_NO_RSA rsa = s->session->sess_cert->peer_rsa_tmp; -#endif #ifndef OPENSSL_NO_DH dh = s->session->sess_cert->peer_dh_tmp; #endif
@@ -2966,19 +2923,15 @@ ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; } -#ifndef OPENSSL_NO_DSA else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT); goto f_err; } -#endif -#ifndef OPENSSL_NO_RSA if ((alg_k & SSL_kRSA) && !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } -#endif #ifndef OPENSSL_NO_DH if ((alg_k & SSL_kEDH) && !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
@@ -2988,16 +2941,13 @@ ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); goto f_err; } -#ifndef OPENSSL_NO_DSA else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); goto f_err; } #endif -#endif if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { -#ifndef OPENSSL_NO_RSA if (alg_k & SSL_kRSA) { if (rsa == NULL || RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
@@ -3005,7 +2955,6 @@ ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } } else -#endif #ifndef OPENSSL_NO_DH if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL || |