From 2b9ec7055844ae2d0b0a9567191fcf6de110c70f Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sun, 9 Aug 2015 11:09:57 -0400
Subject: [PATCH] Remove SSL_CTRL_SET_CLIENT_CERT_TYPES.

This isn't called and, with the fixed-DH client cert types removed, is only useful if a server wishes to not accept ECDSA certificates or something.

BUG=404754

Change-Id: I21d8e1a71aedf446ce974fbeadc62f311ae086db
Reviewed-on: https://boringssl-review.googlesource.com/5673
Reviewed-by: Adam Langley
---
 include/openssl/ssl.h |  6 ------
 ssl/internal.h        |  6 ------
 ssl/s3_lib.c          | 40 ----------------------------------------
 ssl/ssl_cert.c        | 11 -----------
 4 files changed, 63 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7d008d23..82f2cb0e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1989,7 +1989,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_CURVES 91
 #define SSL_CTRL_SET_SIGALGS 97
 #define SSL_CTRL_SET_CLIENT_SIGALGS 101
-#define SSL_CTRL_SET_CLIENT_CERT_TYPES 104
 
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
  * timeout in progress, it sets |*out| to the time remaining and returns one.
@@ -2100,11 +2099,6 @@ OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
 #define SSL_set1_client_sigalgs(ctx, slist, slistlen) \
   SSL_ctrl(ctx, SSL_CTRL_SET_CLIENT_SIGALGS, clistlen, (int *)slist)
 
-#define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, (char *)clist)
-#define SSL_set1_client_certificate_types(s, clist, clistlen) \
-  SSL_ctrl(s, SSL_CTRL_SET_CLIENT_CERT_TYPES, clistlen, (char *)clist)
-
 OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
 OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls11(SSL_CTX *, const char *str);
 OPENSSL_EXPORT long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
diff --git a/ssl/internal.h b/ssl/internal.h
index ac58f792..7d4214d3 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -607,12 +607,6 @@ typedef struct cert_st {
    * |SSL_CTX_set_tmp_ecdh_callback|. */
   EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
 
-  /* Server-only: client_certificate_types is list of certificate types to
-   * include in the CertificateRequest message.
-   */
-  uint8_t *client_certificate_types;
-  size_t num_client_certificate_types;
-
   /* signature algorithms peer reports: e.g. supported signature
    * algorithms extension for server or as part of a certificate
    * request for client. */
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 55c291c5..005267ff 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -243,8 +243,6 @@ void ssl3_free(SSL *s) {
   s->s3 = NULL;
 }
 
-static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len);
-
 int SSL_session_reused(const SSL *ssl) {
   return ssl->hit;
 }
@@ -414,12 +412,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
     case SSL_CTRL_SET_CLIENT_SIGALGS:
       return tls1_set_sigalgs(s->cert, parg, larg, 1);
 
-    case SSL_CTRL_SET_CLIENT_CERT_TYPES:
-      if (!s->server) {
-        return 0;
-      }
-      return ssl3_set_req_cert_type(s->cert, parg, larg);
-
     default:
       break;
   }
@@ -439,9 +431,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
     case SSL_CTRL_SET_CLIENT_SIGALGS:
       return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
 
-    case SSL_CTRL_SET_CLIENT_CERT_TYPES:
-      return ssl3_set_req_cert_type(ctx->cert, parg, larg);
-
     default:
       return 0;
   }
@@ -592,13 +581,6 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
   int have_rsa_sign = 0;
   int have_ecdsa_sign = 0;
 
-  /* If we have custom certificate types set, use them */
-  if (s->cert->client_certificate_types) {
-    memcpy(p, s->cert->client_certificate_types,
-           s->cert->num_client_certificate_types);
-    return s->cert->num_client_certificate_types;
-  }
-
   /* get configured sigalgs */
   siglen = tls12_get_psigalgs(s, &sig);
   for (i = 0; i < siglen; i += 2, sig += 2) {
@@ -626,28 +608,6 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
   return ret;
 }
 
-static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len) {
-  OPENSSL_free(c->client_certificate_types);
-  c->client_certificate_types = NULL;
-  c->num_client_certificate_types = 0;
-
-  if (!p || !len) {
-    return 1;
-  }
-
-  if (len > 0xff) {
-    return 0;
-  }
-
-  c->client_certificate_types = BUF_memdup(p, len);
-  if (!c->client_certificate_types) {
-    return 0;
-  }
-
-  c->num_client_certificate_types = len;
-  return 1;
-}
-
 /* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
  * handshake macs if required. */
 uint32_t ssl_get_algorithm_prf(SSL *s) {
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 553d4c95..5e5c37aa 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -226,16 +226,6 @@ CERT *ssl_cert_dup(CERT *cert) {
     ret->client_sigalgslen = cert->client_sigalgslen;
   }
 
-  /* Copy any custom client certificate types */
-  if (cert->client_certificate_types) {
-    ret->client_certificate_types = BUF_memdup(
-        cert->client_certificate_types, cert->num_client_certificate_types);
-    if (!ret->client_certificate_types) {
-      goto err;
-    }
-    ret->num_client_certificate_types = cert->num_client_certificate_types;
-  }
-
   ret->cert_cb = cert->cert_cb;
   ret->cert_cb_arg = cert->cert_cb_arg;
 
@@ -273,7 +263,6 @@ void ssl_cert_free(CERT *c) {
   OPENSSL_free(c->conf_sigalgs);
   OPENSSL_free(c->client_sigalgs);
   OPENSSL_free(c->shared_sigalgs);
-  OPENSSL_free(c->client_certificate_types);
   OPENSSL_free(c);
 }
 