Loading ssl/s3_lib.c +1 −399 Original line number Diff line number Diff line Loading @@ -261,38 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 168, }, /* Cipher 0D */ { 1, SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, SSL_kDHd, SSL_aDH, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, /* Cipher 10 */ { 1, SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, SSL_kDHr, SSL_aDH, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, /* Cipher 13 */ { 1, Loading Loading @@ -420,36 +388,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, /* Cipher 30 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 31 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr, SSL_aDH, SSL_AES128, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 32 */ { 1, Loading Loading @@ -511,37 +449,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, /* Cipher 36 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 37 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, SSL_kDHr, SSL_aDH, SSL_AES256, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 38 */ { Loading Loading 
@@ -640,38 +547,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher 3E */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_SHA256, SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 3F */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, TLS1_CK_DH_RSA_WITH_AES_128_SHA256, SSL_kDHr, SSL_aDH, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 40 */ { 1, Loading Loading @@ -707,38 +582,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 42 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHd, SSL_aDH, SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 43 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHr, SSL_aDH, SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 44 */ { 1, Loading Loading @@ -805,38 +648,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 68 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, TLS1_CK_DH_DSS_WITH_AES_256_SHA256, SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 69 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, TLS1_CK_DH_RSA_WITH_AES_256_SHA256, SSL_kDHr, SSL_aDH, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 6A */ { 1, Loading Loading 
@@ -950,37 +761,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, /* Cipher 85 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHd, SSL_aDH, SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 86 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHr, SSL_aDH, SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 87 */ { Loading Loading @@ -1245,38 +1025,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 97 */ { 1, TLS1_TXT_DH_DSS_WITH_SEED_SHA, TLS1_CK_DH_DSS_WITH_SEED_SHA, SSL_kDHd, SSL_aDH, SSL_SEED, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 98 */ { 1, TLS1_TXT_DH_RSA_WITH_SEED_SHA, TLS1_CK_DH_RSA_WITH_SEED_SHA, SSL_kDHr, SSL_aDH, SSL_SEED, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 99 */ { 1, Loading Loading @@ -1393,38 +1141,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher A0 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHr, SSL_aDH, SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher A1 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHr, SSL_aDH, SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, /* Cipher A2 */ { 1, Loading Loading 
@@ -1457,38 +1173,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher A4 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, SSL_kDHd, SSL_aDH, SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher A5 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, SSL_kDHd, SSL_aDH, SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, /* Cipher A6 */ { 1, Loading Loading @@ -1831,38 +1515,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher BB */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, SSL_kDHd, SSL_aDH, SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher BC */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kDHr, SSL_aDH, SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher BD */ { 1, Loading Loading @@ -1927,38 +1579,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher C1 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, SSL_kDHd, SSL_aDH, SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, /* Cipher C2 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, SSL_kDHr, SSL_aDH, SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, /* Cipher C3 */ { 1, Loading Loading 
@@ -4665,7 +4285,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret = 0; int nostrict = 1; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ Loading @@ -4675,8 +4294,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) nostrict = 0; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; Loading @@ -4691,23 +4308,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH if (alg_k & (SSL_kDHr | SSL_kDHE)) { # ifndef OPENSSL_NO_RSA /* * Since this refers to a certificate signed with an RSA algorithm, * only check for rsa signing in strict mode. */ if (nostrict || !(alg_a & SSL_aRSA)) p[ret++] = SSL3_CT_RSA_FIXED_DH; # endif # ifndef OPENSSL_NO_DSA if (nostrict || !(alg_a & SSL_aDSS)) p[ret++] = SSL3_CT_DSS_FIXED_DH; # endif } if ((s->version == SSL3_VERSION) && (alg_k & (SSL_kDHE | SSL_kDHd | SSL_kDHr))) { # ifndef OPENSSL_NO_RSA p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; # endif Loading ssl/ssl_ciph.c +2 −21 Original line number Diff line number Diff line Loading @@ -306,12 +306,9 @@ static const SSL_CIPHER cipher_aliases[] = { */ {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHr, 0, SSL_kDHr, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHd, 0, SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDH, 0, SSL_kDHr | SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_DH, 0, SSL_kDHr | SSL_kDHd | SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0}, Loading 
@@ -334,8 +331,6 @@ static const SSL_CIPHER cipher_aliases[] = { {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, /* no such ciphersuites supported! */ {0, SSL_TXT_aDH, 0, 0, SSL_aDH, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, Loading Loading @@ -506,8 +501,7 @@ void ssl_load_ciphers(void) disabled_auth_mask |= SSL_aDSS; #endif #ifdef OPENSSL_NO_DH disabled_mkey_mask |= SSL_kDHr | SSL_kDHd | SSL_kDHE | SSL_kDHEPSK; disabled_auth_mask |= SSL_aDH; disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; #endif #ifdef OPENSSL_NO_EC disabled_mkey_mask |= SSL_kECDHe | SSL_kECDHr | SSL_kECDHEPSK; Loading Loading @@ -1614,12 +1608,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kRSA: kx = "RSA"; break; case SSL_kDHr: kx = "DH/RSA"; break; case SSL_kDHd: kx = "DH/DSS"; break; case SSL_kDHE: kx = "DH"; break; Loading Loading @@ -1661,9 +1649,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aDSS: au = "DSS"; break; case SSL_aDH: au = "DH"; break; case SSL_aECDH: au = "ECDH"; break; Loading Loading @@ -1980,10 +1965,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) return SSL_PKEY_ECC; } else if (alg_a & SSL_aECDSA) return SSL_PKEY_ECC; else if (alg_k & SSL_kDHr) return SSL_PKEY_DH_RSA; else if (alg_k & SSL_kDHd) return SSL_PKEY_DH_DSA; else if (alg_a & SSL_aDSS) return SSL_PKEY_DSA_SIGN; else if (alg_a & SSL_aRSA) Loading ssl/ssl_lib.c +1 −12 Original line number Diff line number Diff line Loading 
@@ -2006,7 +2006,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) #endif CERT *c = s->cert; uint32_t *pvalid = s->s3->tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; #ifndef OPENSSL_NO_EC int have_ecc_cert, ecdsa_ok; Loading @@ -2026,8 +2026,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID; rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID; dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID; #ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif Loading Loading @@ -2064,15 +2062,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) if (dh_tmp) mask_k |= SSL_kDHE; if (dh_rsa) mask_k |= SSL_kDHr; if (dh_dsa) mask_k |= SSL_kDHd; if (mask_k & (SSL_kDHr | SSL_kDHd)) mask_a |= SSL_aDH; if (rsa_enc || rsa_sign) { mask_a |= SSL_aRSA; } Loading ssl/ssl_locl.h +21 −29 Original line number Diff line number Diff line Loading 
@@ -295,32 +295,28 @@ /* Bits for algorithm_mkey (key exchange algorithm) */ /* RSA key exchange */ # define SSL_kRSA 0x00000001U /* DH cert, RSA CA cert */ # define SSL_kDHr 0x00000002U /* DH cert, DSA CA cert */ # define SSL_kDHd 0x00000004U /* tmp DH key no DH cert */ # define SSL_kDHE 0x00000008U # define SSL_kDHE 0x00000002U /* synonym */ # define SSL_kEDH SSL_kDHE /* ECDH cert, RSA CA cert */ # define SSL_kECDHr 0x00000020U # define SSL_kECDHr 0x00000004U /* ECDH cert, ECDSA CA cert */ # define SSL_kECDHe 0x00000040U # define SSL_kECDHe 0x00000008U /* ephemeral ECDH */ # define SSL_kECDHE 0x00000080U # define SSL_kECDHE 0x00000010U /* synonym */ # define SSL_kEECDH SSL_kECDHE /* PSK */ # define SSL_kPSK 0x00000100U # define SSL_kPSK 0x00000020U /* GOST key exchange */ # define SSL_kGOST 0x00000200U # define SSL_kGOST 0x00000040U /* SRP */ # define SSL_kSRP 0x00000400U # define SSL_kSRP 0x00000080U # define SSL_kRSAPSK 0x00000800U # define SSL_kECDHEPSK 0x00001000U # define SSL_kDHEPSK 0x00002000U # define SSL_kRSAPSK 0x00000100U # define SSL_kECDHEPSK 0x00000200U # define SSL_kDHEPSK 0x00000400U /* all PSK */ Loading @@ -333,20 +329,18 @@ # define SSL_aDSS 0x00000002U /* no auth (i.e. use ADH or AECDH) */ # define SSL_aNULL 0x00000004U /* Fixed DH auth (kDHd or kDHr) */ # define SSL_aDH 0x00000008U /* Fixed ECDH auth (kECDHe or kECDHr) */ # define SSL_aECDH 0x00000010U # define SSL_aECDH 0x00000008U /* ECDSA auth*/ # define SSL_aECDSA 0x00000040U # define SSL_aECDSA 0x00000010U /* PSK auth */ # define SSL_aPSK 0x00000080U # define SSL_aPSK 0x00000020U /* GOST R 34.10-2001 signature auth */ # define SSL_aGOST01 0x00000200U # define SSL_aGOST01 0x00000040U /* SRP auth */ # define SSL_aSRP 0x00000400U # define SSL_aSRP 0x00000080U /* GOST R 34.10-2012 signature auth */ # define SSL_aGOST12 0x00000800U # define SSL_aGOST12 0x00000100U /* Bits for algorithm_enc (symmetric encryption) */ # define SSL_DES 0x00000001U Loading Loading 
@@ -485,13 +479,11 @@ # define SSL_PKEY_RSA_ENC 0 # define SSL_PKEY_RSA_SIGN 1 # define SSL_PKEY_DSA_SIGN 2 # define SSL_PKEY_DH_RSA 3 # define SSL_PKEY_DH_DSA 4 # define SSL_PKEY_ECC 5 # define SSL_PKEY_GOST01 7 # define SSL_PKEY_GOST12_256 8 # define SSL_PKEY_GOST12_512 9 # define SSL_PKEY_NUM 10 # define SSL_PKEY_ECC 3 # define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_512 6 # define SSL_PKEY_NUM 7 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. Loading ssl/ssl_rsa.c +1 −16 Original line number Diff line number Diff line Loading @@ -171,21 +171,6 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { int i; /* * Special case for DH: check two DH certificate types for a match. This * means for DH certificates we must set the certificate first. */ if (pkey->type == EVP_PKEY_DH) { X509 *x; i = -1; x = c->pkeys[SSL_PKEY_DH_RSA].x509; if (x && X509_check_private_key(x, pkey)) i = SSL_PKEY_DH_RSA; x = c->pkeys[SSL_PKEY_DH_DSA].x509; if (i == -1 && x && X509_check_private_key(x, pkey)) i = SSL_PKEY_DH_DSA; ERR_clear_error(); } else i = ssl_cert_type(NULL, pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); Loading Loading
ssl/s3_lib.c +1 −399 Original line number Diff line number Diff line Loading @@ -261,38 +261,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 168, }, /* Cipher 0D */ { 1, SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, SSL_kDHd, SSL_aDH, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, /* Cipher 10 */ { 1, SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, SSL_kDHr, SSL_aDH, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, }, /* Cipher 13 */ { 1, Loading Loading @@ -420,36 +388,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, /* Cipher 30 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 31 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr, SSL_aDH, SSL_AES128, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 32 */ { 1, Loading Loading @@ -511,37 +449,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, /* Cipher 36 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 37 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, SSL_kDHr, SSL_aDH, SSL_AES256, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 38 */ { Loading Loading 
@@ -640,38 +547,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher 3E */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_SHA256, SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 3F */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_SHA256, TLS1_CK_DH_RSA_WITH_AES_128_SHA256, SSL_kDHr, SSL_aDH, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 40 */ { 1, Loading Loading @@ -707,38 +582,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 42 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHd, SSL_aDH, SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 43 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kDHr, SSL_aDH, SSL_CAMELLIA128, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 44 */ { 1, Loading Loading @@ -805,38 +648,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 68 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, TLS1_CK_DH_DSS_WITH_AES_256_SHA256, SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 69 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_SHA256, TLS1_CK_DH_RSA_WITH_AES_256_SHA256, SSL_kDHr, SSL_aDH, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 6A */ { 1, Loading Loading 
@@ -950,37 +761,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, /* Cipher 85 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHd, SSL_aDH, SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 86 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kDHr, SSL_aDH, SSL_CAMELLIA256, SSL_SHA1, SSL_SSLV3, SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256, }, /* Cipher 87 */ { Loading Loading @@ -1245,38 +1025,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher 97 */ { 1, TLS1_TXT_DH_DSS_WITH_SEED_SHA, TLS1_CK_DH_DSS_WITH_SEED_SHA, SSL_kDHd, SSL_aDH, SSL_SEED, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 98 */ { 1, TLS1_TXT_DH_RSA_WITH_SEED_SHA, TLS1_CK_DH_RSA_WITH_SEED_SHA, SSL_kDHr, SSL_aDH, SSL_SEED, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128, }, /* Cipher 99 */ { 1, Loading Loading @@ -1393,38 +1141,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher A0 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHr, SSL_aDH, SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher A1 */ { 1, TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHr, SSL_aDH, SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, /* Cipher A2 */ { 1, Loading Loading 
@@ -1457,38 +1173,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher A4 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, SSL_kDHd, SSL_aDH, SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher A5 */ { 1, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, SSL_kDHd, SSL_aDH, SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256, }, /* Cipher A6 */ { 1, Loading Loading @@ -1831,38 +1515,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 128, }, /* Cipher BB */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, SSL_kDHd, SSL_aDH, SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher BC */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, SSL_kDHr, SSL_aDH, SSL_CAMELLIA128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128, }, /* Cipher BD */ { 1, Loading Loading @@ -1927,38 +1579,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, }, /* Cipher C1 */ { 1, TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, SSL_kDHd, SSL_aDH, SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, /* Cipher C2 */ { 1, TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, SSL_kDHr, SSL_aDH, SSL_CAMELLIA256, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256, }, /* Cipher C3 */ { 1, Loading Loading 
@@ -4665,7 +4285,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret = 0; int nostrict = 1; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ Loading @@ -4675,8 +4294,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) nostrict = 0; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; Loading @@ -4691,23 +4308,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) } #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH if (alg_k & (SSL_kDHr | SSL_kDHE)) { # ifndef OPENSSL_NO_RSA /* * Since this refers to a certificate signed with an RSA algorithm, * only check for rsa signing in strict mode. */ if (nostrict || !(alg_a & SSL_aRSA)) p[ret++] = SSL3_CT_RSA_FIXED_DH; # endif # ifndef OPENSSL_NO_DSA if (nostrict || !(alg_a & SSL_aDSS)) p[ret++] = SSL3_CT_DSS_FIXED_DH; # endif } if ((s->version == SSL3_VERSION) && (alg_k & (SSL_kDHE | SSL_kDHd | SSL_kDHr))) { # ifndef OPENSSL_NO_RSA p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; # endif Loading
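Review bot: In the last hunk of ssl3_get_req_cert_type, the surviving version test `if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) {` appears to open before `#ifndef OPENSSL_NO_DH`, so a no-DH build would compile a conditional with an empty body. Moving the `#ifndef OPENSSL_NO_DH` line above that `if` keeps the whole ephemeral-DH branch out of such builds and makes the guard easier to audit. The page has lost its `+`/`-` markers, so which of the two version tests is the new line is inferred from the removal of SSL_kDHd and SSL_kDHr elsewhere in this commit; the closing brace and `#endif` lie outside the hunk. The function also still appends with `p[ret++]` and takes no capacity argument, so a one-line comment stating the minimum size callers must provide for `p` would help.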
ssl/ssl_ciph.c +2 −21 Original line number Diff line number Diff line Loading @@ -306,12 +306,9 @@ static const SSL_CIPHER cipher_aliases[] = { */ {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHr, 0, SSL_kDHr, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHd, 0, SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDH, 0, SSL_kDHr | SSL_kDHd, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kEDH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kDHE, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_DH, 0, SSL_kDHr | SSL_kDHd | SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, {0, SSL_TXT_DH, 0, SSL_kDHE, 0, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0}, Loading @@ -334,8 +331,6 @@ static const SSL_CIPHER cipher_aliases[] = { {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, /* no such ciphersuites supported! */ {0, SSL_TXT_aDH, 0, 0, SSL_aDH, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, Loading Loading @@ -506,8 +501,7 @@ void ssl_load_ciphers(void) disabled_auth_mask |= SSL_aDSS; #endif #ifdef OPENSSL_NO_DH disabled_mkey_mask |= SSL_kDHr | SSL_kDHd | SSL_kDHE | SSL_kDHEPSK; disabled_auth_mask |= SSL_aDH; disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; #endif #ifdef OPENSSL_NO_EC disabled_mkey_mask |= SSL_kECDHe | SSL_kECDHr | SSL_kECDHEPSK; Loading Loading @@ -1614,12 +1608,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kRSA: kx = "RSA"; break; case SSL_kDHr: kx = "DH/RSA"; break; case SSL_kDHd: kx = "DH/DSS"; break; case SSL_kDHE: kx = "DH"; break; Loading Loading 
@@ -1661,9 +1649,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aDSS: au = "DSS"; break; case SSL_aDH: au = "DH"; break; case SSL_aECDH: au = "ECDH"; break; Loading Loading @@ -1980,10 +1965,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) return SSL_PKEY_ECC; } else if (alg_a & SSL_aECDSA) return SSL_PKEY_ECC; else if (alg_k & SSL_kDHr) return SSL_PKEY_DH_RSA; else if (alg_k & SSL_kDHd) return SSL_PKEY_DH_DSA; else if (alg_a & SSL_aDSS) return SSL_PKEY_DSA_SIGN; else if (alg_a & SSL_aRSA) Loading
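Review bot: The cipher_aliases hunks drop the `SSL_TXT_kDHr`, `SSL_TXT_kDHd`, `SSL_TXT_kDH` and `SSL_TXT_aDH` entries and narrow `SSL_TXT_DH` to `SSL_kDHE`, but nothing on this page says what happens to a deployed cipher string that still names them, typically as an exclusion such as `!kDH` or `!aDH`. If the rule parser treats an unknown name as an error (that code is outside this page), a configuration that used to load would now be rejected. A caller that ignores the return value would then run with a different cipher list than the operator intended. I would record this at the table, for example `/* kDHr, kDHd, kDH and aDH were removed with the fixed-DH ciphersuites; cipher strings naming them no longer match an alias */`, and repeat it in the release notes.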
ssl/ssl_lib.c +1 −12 Original line number Diff line number Diff line Loading @@ -2006,7 +2006,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) #endif CERT *c = s->cert; uint32_t *pvalid = s->s3->tmp.valid_flags; int rsa_enc, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc, rsa_sign, dh_tmp, dsa_sign; unsigned long mask_k, mask_a; #ifndef OPENSSL_NO_EC int have_ecc_cert, ecdsa_ok; Loading @@ -2026,8 +2026,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID; rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN; dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN; dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID; dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID; #ifndef OPENSSL_NO_EC have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID; #endif Loading Loading @@ -2064,15 +2062,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) if (dh_tmp) mask_k |= SSL_kDHE; if (dh_rsa) mask_k |= SSL_kDHr; if (dh_dsa) mask_k |= SSL_kDHd; if (mask_k & (SSL_kDHr | SSL_kDHd)) mask_a |= SSL_aDH; if (rsa_enc || rsa_sign) { mask_a |= SSL_aRSA; } Loading
ssl/ssl_locl.h +21 −29 Original line number Diff line number Diff line Loading @@ -295,32 +295,28 @@ /* Bits for algorithm_mkey (key exchange algorithm) */ /* RSA key exchange */ # define SSL_kRSA 0x00000001U /* DH cert, RSA CA cert */ # define SSL_kDHr 0x00000002U /* DH cert, DSA CA cert */ # define SSL_kDHd 0x00000004U /* tmp DH key no DH cert */ # define SSL_kDHE 0x00000008U # define SSL_kDHE 0x00000002U /* synonym */ # define SSL_kEDH SSL_kDHE /* ECDH cert, RSA CA cert */ # define SSL_kECDHr 0x00000020U # define SSL_kECDHr 0x00000004U /* ECDH cert, ECDSA CA cert */ # define SSL_kECDHe 0x00000040U # define SSL_kECDHe 0x00000008U /* ephemeral ECDH */ # define SSL_kECDHE 0x00000080U # define SSL_kECDHE 0x00000010U /* synonym */ # define SSL_kEECDH SSL_kECDHE /* PSK */ # define SSL_kPSK 0x00000100U # define SSL_kPSK 0x00000020U /* GOST key exchange */ # define SSL_kGOST 0x00000200U # define SSL_kGOST 0x00000040U /* SRP */ # define SSL_kSRP 0x00000400U # define SSL_kSRP 0x00000080U # define SSL_kRSAPSK 0x00000800U # define SSL_kECDHEPSK 0x00001000U # define SSL_kDHEPSK 0x00002000U # define SSL_kRSAPSK 0x00000100U # define SSL_kECDHEPSK 0x00000200U # define SSL_kDHEPSK 0x00000400U /* all PSK */ Loading 
@@ -333,20 +329,18 @@ # define SSL_aDSS 0x00000002U /* no auth (i.e. use ADH or AECDH) */ # define SSL_aNULL 0x00000004U /* Fixed DH auth (kDHd or kDHr) */ # define SSL_aDH 0x00000008U /* Fixed ECDH auth (kECDHe or kECDHr) */ # define SSL_aECDH 0x00000010U # define SSL_aECDH 0x00000008U /* ECDSA auth*/ # define SSL_aECDSA 0x00000040U # define SSL_aECDSA 0x00000010U /* PSK auth */ # define SSL_aPSK 0x00000080U # define SSL_aPSK 0x00000020U /* GOST R 34.10-2001 signature auth */ # define SSL_aGOST01 0x00000200U # define SSL_aGOST01 0x00000040U /* SRP auth */ # define SSL_aSRP 0x00000400U # define SSL_aSRP 0x00000080U /* GOST R 34.10-2012 signature auth */ # define SSL_aGOST12 0x00000800U # define SSL_aGOST12 0x00000100U /* Bits for algorithm_enc (symmetric encryption) */ # define SSL_DES 0x00000001U Loading Loading @@ -485,13 +479,11 @@ # define SSL_PKEY_RSA_ENC 0 # define SSL_PKEY_RSA_SIGN 1 # define SSL_PKEY_DSA_SIGN 2 # define SSL_PKEY_DH_RSA 3 # define SSL_PKEY_DH_DSA 4 # define SSL_PKEY_ECC 5 # define SSL_PKEY_GOST01 7 # define SSL_PKEY_GOST12_256 8 # define SSL_PKEY_GOST12_512 9 # define SSL_PKEY_NUM 10 # define SSL_PKEY_ECC 3 # define SSL_PKEY_GOST01 4 # define SSL_PKEY_GOST12_256 5 # define SSL_PKEY_GOST12_512 6 # define SSL_PKEY_NUM 7 /* * Pseudo-constant. GOST cipher suites can use different certs for 1 * SSL_CIPHER. So let's see which one we have in fact. Loading
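Review bot: The SSL_PKEY_* indices are renumbered to close the gap left by SSL_PKEY_DH_RSA and SSL_PKEY_DH_DSA (SSL_PKEY_ECC goes from 5 to 3, SSL_PKEY_NUM from 10 to 7), and nothing at the definitions says what depends on these values. Other files in this commit index `c->pkeys[]` and the `valid_flags` array with them, so any table laid out in the old order, or any literal index, would now address a different certificate slot without a compile error; such users are not visible on this page. I would add a comment above SSL_PKEY_NUM, `/* Number of SSL_PKEY_* slots: must be one more than the highest index above */`, and check every positional initializer against the new order. The same check applies to the renumbered SSL_k* and SSL_a* bits wherever a mask is compared against a literal value.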
ssl/ssl_rsa.c +1 −16 Original line number Diff line number Diff line Loading @@ -171,21 +171,6 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { int i; /* * Special case for DH: check two DH certificate types for a match. This * means for DH certificates we must set the certificate first. */ if (pkey->type == EVP_PKEY_DH) { X509 *x; i = -1; x = c->pkeys[SSL_PKEY_DH_RSA].x509; if (x && X509_check_private_key(x, pkey)) i = SSL_PKEY_DH_RSA; x = c->pkeys[SSL_PKEY_DH_DSA].x509; if (i == -1 && x && X509_check_private_key(x, pkey)) i = SSL_PKEY_DH_DSA; ERR_clear_error(); } else i = ssl_cert_type(NULL, pkey); if (i < 0) { SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); Loading
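Review bot: With the EVP_PKEY_DH special case gone, ssl_set_pkey hands every key type to `ssl_cert_type(NULL, pkey)`, and the page does not show what that helper returns for a DH key. The `i < 0` check that follows rejects such a key only if ssl_cert_type yields a negative value for EVP_PKEY_DH; if it can still return a slot index, a DH private key would be stored in an unrelated slot. Confirm that behaviour and state it next to the call, for example `/* DH private keys are no longer supported: ssl_cert_type() must return -1 for them */`. The rest of ssl_set_pkey lies outside the hunk.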