Prune removed key types from SSL_PKEY_*.
Remove all the logic managing key types that are no longer used.
Change-Id: I101369164588048e64ba1c84a6b8aac8f3a221cd
Reviewed-on: https://boringssl-review.googlesource.com/1567
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index d053354..8ce6b3b 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -498,27 +498,12 @@
{
ret=SSL_PKEY_RSA_ENC;
}
- else if (i == EVP_PKEY_DSA)
- {
- ret=SSL_PKEY_DSA_SIGN;
- }
#ifndef OPENSSL_NO_EC
else if (i == EVP_PKEY_EC)
{
ret = SSL_PKEY_ECC;
}
#endif
- else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX))
- {
- /* For DH two cases: DH certificate signed with RSA and
- * DH certificate signed with DSA.
- */
- i = X509_certificate_type(x, pk);
- if (i & EVP_PKS_RSA)
- ret = SSL_PKEY_DH_RSA;
- else if (i & EVP_PKS_DSA)
- ret = SSL_PKEY_DH_DSA;
- }
err:
if(!pkey) EVP_PKEY_free(pk);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index fa3088c..ce2758b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2360,7 +2360,7 @@
* DigestInfo. */
md = NULL;
}
- else if (pkey->type == EVP_PKEY_DSA || pkey->type == EVP_PKEY_EC)
+ else if (pkey->type == EVP_PKEY_EC)
{
s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, digest);
digest_length = SHA_DIGEST_LENGTH;
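Review bot: With DSA dropped from the condition at L46, a client key of any type other than RSA or EC now falls through to whatever follows this `else if`, which lies outside the hunk; confirm that the trailing branch fails the handshake rather than continuing with `digest`/`digest_length` unset. Such a key should already be refused when it is loaded, since `ssl_set_pkey` in this same commit relies on `ssl_cert_type`, which no longer recognises DSA, but the signing path should not depend on that alone. A comment above the branch would make the contract explicit: `/* Only RSA and ECDSA client keys are supported; any other type must have been rejected in ssl_set_pkey. */`. The enclosing function starts and ends outside the hunk.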
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 1f0ff55..3e82fdf 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -159,9 +159,6 @@
void ssl_cert_set_default_md(CERT *cert)
{
/* Set digest values to defaults */
-#ifndef OPENSSL_NO_DSA
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-#endif
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
#ifndef OPENSSL_NO_ECDSA
@@ -281,15 +278,6 @@
/* We have an RSA key. */
break;
- case SSL_PKEY_DSA_SIGN:
- /* We have a DSA key. */
- break;
-
- case SSL_PKEY_DH_RSA:
- case SSL_PKEY_DH_DSA:
- /* We have a DH key. */
- break;
-
case SSL_PKEY_ECC:
/* We have an ECC key */
break;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 278fba1..952805b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -395,11 +395,8 @@
/* Mostly for SSLv3 */
#define SSL_PKEY_RSA_ENC 0
#define SSL_PKEY_RSA_SIGN 1
-#define SSL_PKEY_DSA_SIGN 2
-#define SSL_PKEY_DH_RSA 3
-#define SSL_PKEY_DH_DSA 4
-#define SSL_PKEY_ECC 5
-#define SSL_PKEY_NUM 6
+#define SSL_PKEY_ECC 2
+#define SSL_PKEY_NUM 3
/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
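Review bot: The `/* Mostly for SSLv3 */` comment at L84 no longer describes these constants, and nothing states that they must be dense indices into `CERT.pkeys[]` bounded by `SSL_PKEY_NUM`; the renumbering at L92-L93 is only safe if every place that indexes `pkeys[]` or sizes a table by `SSL_PKEY_NUM` uses these names rather than literal values. Suggest replacing the comment with `/* Indices into CERT.pkeys[]; must stay contiguous from 0 so that SSL_PKEY_NUM bounds the array. */`. A grep for the old literal indices used against `pkeys[]` would be a cheap check that nothing elsewhere still assumes `SSL_PKEY_ECC == 5`.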
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 7933863..30629d3 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -182,23 +182,8 @@
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
{
int i;
- /* Special case for DH: check two DH certificate types for a match.
- * This means for DH certificates we must set the certificate first.
- */
- if (pkey->type == EVP_PKEY_DH)
- {
- X509 *x;
- i = -1;
- x = c->pkeys[SSL_PKEY_DH_RSA].x509;
- if (x && X509_check_private_key(x, pkey))
- i = SSL_PKEY_DH_RSA;
- x = c->pkeys[SSL_PKEY_DH_DSA].x509;
- if (i == -1 && x && X509_check_private_key(x, pkey))
- i = SSL_PKEY_DH_DSA;
- ERR_clear_error();
- }
- else
- i=ssl_cert_type(NULL,pkey);
+
+ i=ssl_cert_type(NULL,pkey);
if (i < 0)
{
OPENSSL_PUT_ERROR(SSL, ssl_set_pkey, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
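Review bot: Now that the DH special case is gone, `i` at L103 is declared and only assigned at L122, with a stray empty line left by the removal; fold them into `int i = ssl_cert_type(NULL, pkey);` and drop the blank line. It would also help to record that this is where DSA and DH private keys are now refused, since the `SSL_R_UNKNOWN_CERTIFICATE_TYPE` error at L125 is the only signal a caller gets; presumably `ssl_cert_type` reports them as unknown after this commit, so a comment above the `if (i < 0)` such as `/* DSA and DH keys are no longer supported; ssl_cert_type reports them as unknown. */` would save the next reader a trip through s3_both.c. The rest of the function is outside the hunk.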
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5aa4d2c..d5cb5f4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3016,10 +3016,6 @@
/* Set any remaining keys to default values. NOTE: if alg is
* not supported it stays as NULL.
*/
-#ifndef OPENSSL_NO_DSA
- if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-#endif
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
{
c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
@@ -3177,8 +3173,6 @@
if (!strcmp(etmp, "RSA"))
sig_alg = EVP_PKEY_RSA;
- else if (!strcmp(etmp, "DSA"))
- sig_alg = EVP_PKEY_DSA;
else if (!strcmp(etmp, "ECDSA"))
sig_alg = EVP_PKEY_EC;
else return 0;
@@ -3370,7 +3364,6 @@
{
case SSL_PKEY_RSA_ENC:
case SSL_PKEY_RSA_SIGN:
- case SSL_PKEY_DH_RSA:
rsign = TLSEXT_signature_rsa;
default_nid = NID_sha1WithRSAEncryption;
break;
@@ -3468,21 +3461,9 @@
case EVP_PKEY_RSA:
check_type = TLS_CT_RSA_SIGN;
break;
- case EVP_PKEY_DSA:
- check_type = TLS_CT_DSS_SIGN;
- break;
case EVP_PKEY_EC:
check_type = TLS_CT_ECDSA_SIGN;
break;
- case EVP_PKEY_DH:
- case EVP_PKEY_DHX:
- {
- int cert_type = X509_certificate_type(x, pk);
- if (cert_type & EVP_PKS_RSA)
- check_type = TLS_CT_RSA_FIXED_DH;
- if (cert_type & EVP_PKS_DSA)
- check_type = TLS_CT_DSS_FIXED_DH;
- }
}
if (check_type)
{
@@ -3563,9 +3544,6 @@
{
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
}
/* User level utiity function to check a chain is suitable */