diff options
| author | jsing <> | 2014-07-09 11:25:42 +0000 |
|---|---|---|
| committer | jsing <> | 2014-07-09 11:25:42 +0000 |
| commit | c90a1a4bb021e5a2622323df8464bf574d0c4364 (patch) | |
| tree | 604b9084e9f8d9e522922bc0cd6be5e22478e9ee /src/lib/libssl/d1_srvr.c | |
| parent | 4afcbff6153d561348af47fa000f298df3693a3c (diff) | |
| download | openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.gz openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.bz2 openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.zip | |
tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.
ok beck@ miod@
Diffstat (limited to 'src/lib/libssl/d1_srvr.c')
| -rw-r--r-- | src/lib/libssl/d1_srvr.c | 26 |
1 files changed, 5 insertions, 21 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index d4d564a688..c01dc77254 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: d1_srvr.c,v 1.27 2014/06/30 14:13:27 tedu Exp $ */ | 1 | /* $OpenBSD: d1_srvr.c,v 1.28 2014/07/09 11:25:42 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * DTLS implementation written by Nagendra Modadugu | 3 | * DTLS implementation written by Nagendra Modadugu |
| 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
| @@ -473,9 +473,6 @@ dtls1_accept(SSL *s) | |||
| 473 | || (alg_k & SSL_kEECDH) | 473 | || (alg_k & SSL_kEECDH) |
| 474 | || ((alg_k & SSL_kRSA) | 474 | || ((alg_k & SSL_kRSA) |
| 475 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL | 475 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL |
| 476 | || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) | ||
| 477 | && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) | ||
| 478 | ) | ||
| 479 | ) | 476 | ) |
| 480 | ) | 477 | ) |
| 481 | ) { | 478 | ) { |
| @@ -1047,9 +1044,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1047 | if (type & SSL_kRSA) { | 1044 | if (type & SSL_kRSA) { |
| 1048 | rsa = cert->rsa_tmp; | 1045 | rsa = cert->rsa_tmp; |
| 1049 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { | 1046 | if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { |
| 1050 | rsa = s->cert->rsa_tmp_cb(s, | 1047 | rsa = s->cert->rsa_tmp_cb(s, 0, 0); |
| 1051 | SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), | ||
| 1052 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1053 | if (rsa == NULL) { | 1048 | if (rsa == NULL) { |
| 1054 | al = SSL_AD_HANDSHAKE_FAILURE; | 1049 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1055 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | 1050 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); |
| @@ -1070,9 +1065,7 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1070 | if (type & SSL_kEDH) { | 1065 | if (type & SSL_kEDH) { |
| 1071 | dhp = cert->dh_tmp; | 1066 | dhp = cert->dh_tmp; |
| 1072 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) | 1067 | if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) |
| 1073 | dhp = s->cert->dh_tmp_cb(s, | 1068 | dhp = s->cert->dh_tmp_cb(s, 0, 0); |
| 1074 | SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), | ||
| 1075 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1076 | if (dhp == NULL) { | 1069 | if (dhp == NULL) { |
| 1077 | al = SSL_AD_HANDSHAKE_FAILURE; | 1070 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1078 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); | 1071 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); |
| @@ -1115,11 +1108,8 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1115 | const EC_GROUP *group; | 1108 | const EC_GROUP *group; |
| 1116 | 1109 | ||
| 1117 | ecdhp = cert->ecdh_tmp; | 1110 | ecdhp = cert->ecdh_tmp; |
| 1118 | if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) { | 1111 | if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) |
| 1119 | ecdhp = s->cert->ecdh_tmp_cb(s, | 1112 | ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0); |
| 1120 | SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), | ||
| 1121 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); | ||
| 1122 | } | ||
| 1123 | if (ecdhp == NULL) { | 1113 | if (ecdhp == NULL) { |
| 1124 | al = SSL_AD_HANDSHAKE_FAILURE; | 1114 | al = SSL_AD_HANDSHAKE_FAILURE; |
| 1125 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); | 1115 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); |
| @@ -1160,12 +1150,6 @@ dtls1_send_server_key_exchange(SSL *s) | |||
| 1160 | goto err; | 1150 | goto err; |
| 1161 | } | 1151 | } |
| 1162 | 1152 | ||
| 1163 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && | ||
| 1164 | (EC_GROUP_get_degree(group) > 163)) { | ||
| 1165 | SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); | ||
| 1166 | goto err; | ||
| 1167 | } | ||
| 1168 | |||
| 1169 | /* XXX: For now, we only support ephemeral ECDH | 1153 | /* XXX: For now, we only support ephemeral ECDH |
| 1170 | * keys over named (not generic) curves. For | 1154 | * keys over named (not generic) curves. For |
| 1171 | * supported named curves, curve_id is non-zero. | 1155 | * supported named curves, curve_id is non-zero. |