diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-02-11 18:19:27 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-02-11 20:54:01 +0000 |
commit | ce0c1f2bb2fd296f10a2847844205df0ed95fb8e (patch) | |
tree | 402b30beaabc8f2c22809c704a7159d5add6c062 /ssl/statem | |
parent | fd7dc201d3b9d43972de6a0e659f7ef6421c99cc (diff) |
Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/statem_clnt.c | 18 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 16 |
2 files changed, 7 insertions, 27 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 2da16fd664..302618784c 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2264,19 +2264,14 @@ psk_err: #endif #ifndef OPENSSL_NO_EC - else if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) { + else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (s->s3->peer_tmp != NULL) { - skey = s->s3->peer_tmp; - } else { - /* Get the Server Public Key from Cert */ - skey = X509_get0_pubkey(s->session->peer); - if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, + skey = s->s3->peer_tmp; + if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto err; + goto err; } - } ckey = ssl_generate_pkey(skey, NID_undef); @@ -2777,9 +2772,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_ECDSA_SIGNING_CERT); goto f_err; - } else if (alg_k & (SSL_kECDHr | SSL_kECDHe)) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_ECDH_CERT); - goto f_err; } #endif pkey = X509_get0_pubkey(s->session->peer); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index bc651c76ee..4d40d0f9f3 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2365,20 +2365,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) #endif #ifndef OPENSSL_NO_EC - if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) { - EVP_PKEY *skey = NULL; - - /* Let's get server private key and group information */ - if (alg_k & (SSL_kECDHr | SSL_kECDHe)) { - /* use the certificate */ - skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey; - } else { - /* - * use the ephermeral values we saved when generating the - * ServerKeyExchange msg. - */ - skey = s->s3->tmp.pkey; - } + if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { + EVP_PKEY *skey = s->s3->tmp.pkey; if (PACKET_remaining(pkt) == 0L) { /* We don't support ECDH client auth */ |