Google Git
Sign in
flutter / third_party / openssl / ce0c1f2bb2fd296f10a2847844205df0ed95fb8e^! / . / ssl / t1_lib.c
commitce0c1f2bb2fd296f10a2847844205df0ed95fb8e[log] [tgz]
authorDr. Stephen Henson <steve@openssl.org>Thu Feb 11 18:19:27 2016 +0000
committerDr. Stephen Henson <steve@openssl.org>Thu Feb 11 20:54:01 2016 +0000
tree402b30beaabc8f2c22809c704a7159d5add6c062
parentfd7dc201d3b9d43972de6a0e659f7ef6421c99cc [diff] [blame]
Remove static ECDH support.

Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d7a6f95..522f0e6 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1072,14 +1072,6 @@
     if (s->client_version == SSL3_VERSION)
         s->s3->tmp.mask_ssl |= SSL_TLSV1;
     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
-    /*
-     * Disable static DH if we don't include any appropriate signature
-     * algorithms.
-     */
-    if (s->s3->tmp.mask_a & SSL_aRSA)
-        s->s3->tmp.mask_k |= SSL_kECDHr;
-    if (s->s3->tmp.mask_a & SSL_aECDSA)
-        s->s3->tmp.mask_k |= SSL_kECDHe;
 # ifndef OPENSSL_NO_PSK
     /* with PSK there must be client callback set */
     if (!s->psk_client_callback) {
@@ -1130,8 +1122,8 @@
 
             alg_k = c->algorithm_mkey;
             alg_a = c->algorithm_auth;
-            if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)
-                 || (alg_a & SSL_aECDSA))) {
+            if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
+                 || (alg_a & SSL_aECDSA)) {
                 using_ecc = 1;
                 break;
             }
@@ -1507,8 +1499,7 @@
 #ifndef OPENSSL_NO_EC
     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-    int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
-        || (alg_a & SSL_aECDSA);
+    int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
 #endif
 
@@ -2815,8 +2806,7 @@
         && (s->tlsext_ecpointformatlist_length > 0)
         && (s->session->tlsext_ecpointformatlist != NULL)
         && (s->session->tlsext_ecpointformatlist_length > 0)
-        && ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
-            || (alg_a & SSL_aECDSA))) {
+        && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
         /* we are using an ECC cipher */
         size_t i;
         unsigned char *list;