From 85bda7b83ce5c9f5db97200efe9d057e175bb7a7 Mon Sep 17 00:00:00 2001 From: jsing Date: Fri, 31 Oct 2014 14:51:01 +0000 Subject: Remove support for ephemeral/temporary RSA private keys. The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers). ok bcook@ miod@ --- lib/libssl/src/ssl/ssl_lib.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'lib/libssl/src/ssl/ssl_lib.c') diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 3fa8f5039f8..579c005cc33 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1931,7 +1931,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { CERT_PKEY *cpk; - int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dsa_sign; + int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; int have_ecc_cert, ecdh_ok, ecdsa_ok; int have_ecdh_tmp; @@ -1942,7 +1942,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (c == NULL) return; - rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL || @@ -1970,7 +1969,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) mask_a |= SSL_aGOST94; } - if (rsa_enc || (rsa_tmp && rsa_sign)) + if (rsa_enc) mask_k|=SSL_kRSA; if (dh_tmp) -- cgit v1.2.3-59-g8ed1b