authorjsing <>2016-10-19 16:38:40 +0000
committerjsing <>2016-10-19 16:38:40 +0000
commit8acc30923121ec4884a8cb19e75bd99889131e7f (patch)
tree69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/s3_clnt.c
parentac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff)
Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead). With input from guenther@. ok deraadt@ guenther@
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r--src/lib/libssl/s3_clnt.c19
1 files changed, 5 insertions, 14 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 264cb012d5..d7cd37dec8 100644
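--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.138 2016/03/27 00:55:38 mmcc Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.139 2016/10/19 16:38:40 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1968,13 +1968,12 @@ err:
 }
 
 static int
-ssl3_send_client_kex_ecdh(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
+ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
  int *outlen)
 {
  EC_KEY *tkey, *clnt_ecdh = NULL;
  const EC_GROUP *srvr_group = NULL;
  const EC_POINT *srvr_ecpoint = NULL;
- EVP_PKEY *srvr_pub_pkey = NULL;
  BN_CTX *bn_ctx = NULL;
  unsigned char *encodedPoint = NULL;
  unsigned char *key = NULL;
@@ -1994,14 +1993,6 @@ ssl3_send_client_kex_ecdh(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
  }
  tkey = sess_cert->peer_ecdh_tmp;
 
- if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
- /* Get the Server Public Key from certificate. */
- srvr_pub_pkey = X509_get_pubkey(
- sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
- if (srvr_pub_pkey != NULL && srvr_pub_pkey->type == EVP_PKEY_EC)
- tkey = srvr_pub_pkey->pkey.ec;
- }
-
  if (tkey == NULL) {
  SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
  ERR_R_INTERNAL_ERROR);
@@ -2093,7 +2084,6 @@ err:
  BN_CTX_free(bn_ctx);
  free(encodedPoint);
  EC_KEY_free(clnt_ecdh);
- EVP_PKEY_free(srvr_pub_pkey);
 
  return (ret);
 }
@@ -2242,8 +2232,9 @@ ssl3_send_client_key_exchange(SSL *s)
  } else if (alg_k & SSL_kDHE) {
  if (ssl3_send_client_kex_dhe(s, sess_cert, p, &n) != 1)
  goto err;
- } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
- if (ssl3_send_client_kex_ecdh(s, sess_cert, p, &n) != 1)
+ } else if (alg_k & SSL_kECDHE) {
+ if (ssl3_send_client_kex_ecdhe(s, sess_cert, p,
+ &n) != 1)
  goto err;
  } else if (alg_k & SSL_kGOST) {
  if (ssl3_send_client_kex_gost(s, sess_cert, p, &n) != 1)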