Remove DSA-based cipher suites and client auth.

DSA is not connected up to EVP, so it wouldn't work anyway. We shouldn't
advertise a cipher suite we don't support. Chrome UMA data says virtually no
handshakes end up negotiating one of these.

Change-Id: I874d934432da6318f05782ebd149432c1d1e5275
Reviewed-on: https://boringssl-review.googlesource.com/1566
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fbab382..5aa4d2c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -720,12 +720,6 @@
 
 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
 
-#ifdef OPENSSL_NO_DSA
-#define tlsext_sigalg_dsa(md) /* */
-#else
-#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
-#endif
-
 #ifdef OPENSSL_NO_ECDSA
 #define tlsext_sigalg_ecdsa(md) /* */
 #else
@@ -734,7 +728,6 @@
 
 #define tlsext_sigalg(md) \
 		tlsext_sigalg_rsa(md) \
-		tlsext_sigalg_dsa(md) \
 		tlsext_sigalg_ecdsa(md)
 
 static const uint8_t tls12_sigalgs[] = {
@@ -859,7 +852,7 @@
 	CERT *c = s->cert;
 	const unsigned char *sigalgs;
 	size_t i, sigalgslen;
-	int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
+	int have_rsa = 0, have_ecdsa = 0;
 	c->mask_a = 0;
 	c->mask_k = 0;
 	/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
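Review bot: With `have_dsa` dropped from this declaration, nothing in this function sets `SSL_aDSS` in `c->mask_a` any more; the `if (!have_dsa)` block is removed in a later hunk of this file. That is safe only if every DSS-authenticated cipher suite is deleted from the cipher table elsewhere in this commit, which this file's diff does not show. If the `SSL_aDSS` constant survives the change, consider masking it unconditionally near the other mask setup, `c->mask_a |= SSL_aDSS;`, with a comment such as `/* DSA is unsupported; never offer DSS-authenticated suites. */`, so a leftover suite cannot be advertised. The enclosing function starts and ends outside this hunk.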
@@ -879,11 +872,6 @@
 		case TLSEXT_signature_rsa:
 			have_rsa = 1;
 			break;
-#ifndef OPENSSL_NO_DSA
-		case TLSEXT_signature_dsa:
-			have_dsa = 1;
-			break;
-#endif
 #ifndef OPENSSL_NO_ECDSA
 		case TLSEXT_signature_ecdsa:
 			have_ecdsa = 1;
@@ -898,10 +886,6 @@
 		{
 		c->mask_a |= SSL_aRSA;
 		}
-	if (!have_dsa)
-		{
-		c->mask_a |= SSL_aDSS;
-		}
 	if (!have_ecdsa)
 		{
 		c->mask_a |= SSL_aECDSA;
@@ -2747,7 +2731,6 @@
 
 static const tls12_lookup tls12_sig[] = {
 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
-	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
 };
 
@@ -2830,10 +2813,6 @@
 		{
 	case TLSEXT_signature_rsa:
 		return SSL_PKEY_RSA_SIGN;
-#ifndef OPENSSL_NO_DSA
-	case TLSEXT_signature_dsa:
-		return SSL_PKEY_DSA_SIGN;
-#endif
 #ifndef OPENSSL_NO_ECDSA
 	case TLSEXT_signature_ecdsa:
 		return SSL_PKEY_ECC;
@@ -3396,12 +3375,6 @@
 				default_nid = NID_sha1WithRSAEncryption;
 				break;
 
-			case SSL_PKEY_DSA_SIGN:
-			case SSL_PKEY_DH_DSA:
-				rsign = TLSEXT_signature_dsa;
-				default_nid = NID_dsaWithSHA1;
-				break;
-
 			case SSL_PKEY_ECC:
 				rsign = TLSEXT_signature_ecdsa;
 				default_nid = NID_ecdsa_with_SHA1;