Remove SSL_CTRL_SET_CLIENT_CERT_TYPES.

This isn't called and, with the fixed-DH client cert types removed, is
only useful if a server wishes to not accept ECDSA certificates or
something.

BUG=404754

Change-Id: I21d8e1a71aedf446ce974fbeadc62f311ae086db
Reviewed-on: https://boringssl-review.googlesource.com/5673
Reviewed-by: Adam Langley <agl@google.com>
David Benjamin 2015-08-09 11:09:57 -04:00 committed by Adam Langley
parent d27441a9cb
commit 2b9ec70558
4 changed files with 0 additions and 63 deletions


@ -1989,7 +1989,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_CURVES 91
#define SSL_CTRL_SET_SIGALGS 97
#define SSL_CTRL_SET_CLIENT_SIGALGS 101
#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
* timeout in progress, it sets |*out| to the time remaining and returns one.
@ -2100,11 +2099,6 @@ OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
#define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
SSL_ctrl(ctx, SSL_CTRL_SET_CLIENT_SIGALGS, clistlen, (int *)slist)
#define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, (char *)clist)
#define SSL_set1_client_certificate_types(s, clist, clistlen) \
SSL_ctrl(s, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, (char *)clist)
OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls11(SSL_CTX *, const char *str);
OPENSSL_EXPORT long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
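Review bot: The `SSL_set1_client_sigalgs` macro kept as context just above the removed certificate-type macros declares its length parameter as `slistlen` but expands to `clistlen`, so the length passed to `SSL_ctrl` is whatever `clistlen` happens to exist in the caller's scope, or a compile error if none does. Since this section is already tidying the neighbouring macros, the expansion should read `SSL_ctrl(ctx, SSL_CTRL_SET_CLIENT_SIGALGS, slistlen, (int *)slist)`. A mismatched length reaching `tls1_set_sigalgs` would presumably let it read past the caller's array, though that function's body is not shown on this page. The parameter is also named `ctx` although the macro calls `SSL_ctrl` on an `SSL`, which the removed SSL-level macro spelled `s`.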


@ -607,12 +607,6 @@ typedef struct cert_st {
* |SSL_CTX_set_tmp_ecdh_callback|. */
EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
/* Server-only: client_certificate_types is list of certificate types to
* include in the CertificateRequest message.
*/
uint8_t *client_certificate_types;
size_t num_client_certificate_types;
/* signature algorithms peer reports: e.g. supported signature
* algorithms extension for server or as part of a certificate
* request for client. */


@ -243,8 +243,6 @@ void ssl3_free(SSL *s) {
s->s3 = NULL;
}
static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len);
int SSL_session_reused(const SSL *ssl) {
return ssl->hit;
}
@ -414,12 +412,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
if (!s->server) {
return 0;
}
return ssl3_set_req_cert_type(s->cert, parg, larg);
default:
break;
}
@ -439,9 +431,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
default:
return 0;
}
@ -592,13 +581,6 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
int have_rsa_sign = 0;
int have_ecdsa_sign = 0;
/* If we have custom certificate types set, use them */
if (s->cert->client_certificate_types) {
memcpy(p, s->cert->client_certificate_types,
s->cert->num_client_certificate_types);
return s->cert->num_client_certificate_types;
}
/* get configured sigalgs */
siglen = tls12_get_psigalgs(s, &sig);
for (i = 0; i < siglen; i += 2, sig += 2) {
@ -626,28 +608,6 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
return ret;
}
static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len) {
OPENSSL_free(c->client_certificate_types);
c->client_certificate_types = NULL;
c->num_client_certificate_types = 0;
if (!p || !len) {
return 1;
}
if (len > 0xff) {
return 0;
}
c->client_certificate_types = BUF_memdup(p, len);
if (!c->client_certificate_types) {
return 0;
}
c->num_client_certificate_types = len;
return 1;
}
/* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
* handshake macs if required. */
uint32_t ssl_get_algorithm_prf(SSL *s) {


@ -226,16 +226,6 @@ CERT *ssl_cert_dup(CERT *cert) {
ret->client_sigalgslen = cert->client_sigalgslen;
}
/* Copy any custom client certificate types */
if (cert->client_certificate_types) {
ret->client_certificate_types = BUF_memdup(
cert->client_certificate_types, cert->num_client_certificate_types);
if (!ret->client_certificate_types) {
goto err;
}
ret->num_client_certificate_types = cert->num_client_certificate_types;
}
ret->cert_cb = cert->cert_cb;
ret->cert_cb_arg = cert->cert_cb_arg;
@ -273,7 +263,6 @@ void ssl_cert_free(CERT *c) {
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
OPENSSL_free(c->shared_sigalgs);
OPENSSL_free(c->client_certificate_types);
OPENSSL_free(c);
}