tedu the SSL export cipher handling - since we do not have enabled export

ciphers we no longer need the flags or code to support it. ok beck@ miod@
author: jsing <> 2014-07-09 11:25:42 +0000
committer: jsing <> 2014-07-09 11:25:42 +0000
commit: c90a1a4bb021e5a2622323df8464bf574d0c4364 (patch)
tree: 604b9084e9f8d9e522922bc0cd6be5e22478e9ee /src/lib/libssl/s3_clnt.c
parent: 4afcbff6153d561348af47fa000f298df3693a3c (diff)
download: openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.gz
openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.bz2
openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.zip
1 files changed, 1 insertions, 31 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 0350019078..61de494244 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.72 2014/06/21 20:27:25 tedu Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.73 2014/07/09 11:25:42 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1490,14 +1490,6 @@ ssl3_get_key_exchange(SSL *s)
                group = EC_KEY_get0_group(ecdh);
-                if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
-                    (EC_GROUP_get_degree(group) > 163)) {
-                        al = SSL_AD_EXPORT_RESTRICTION;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
-                        goto f_err;
-                }
                p += 3;
                /* Next, get the encoded ECPoint */
@@ -2824,28 +2816,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
                goto f_err;
        }
-        if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
-            !has_bits(i, EVP_PKT_EXP)) {
-                if (alg_k & SSL_kRSA) {
-                        if (rsa == NULL || RSA_size(rsa) * 8 >
-                            SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
-                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-                                    SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
-                                goto f_err;
-                        }
-                } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
-                        if (dh == NULL || DH_size(dh) * 8 >
-                            SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
-                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-                                    SSL_R_MISSING_EXPORT_TMP_DH_KEY);
-                                goto f_err;
-                        }
-                } else {
-                        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-                            SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
-                        goto f_err;
-                }
-        }
        return (1);
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
author	jsing <>	2014-07-09 11:25:42 +0000
committer	jsing <>	2014-07-09 11:25:42 +0000
commit	c90a1a4bb021e5a2622323df8464bf574d0c4364 (patch)
tree	604b9084e9f8d9e522922bc0cd6be5e22478e9ee /src/lib/libssl/s3_clnt.c
parent	4afcbff6153d561348af47fa000f298df3693a3c (diff)
download	openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.gz openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.tar.bz2 openbsd-c90a1a4bb021e5a2622323df8464bf574d0c4364.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 0350019078..61de494244 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.72 2014/06/21 20:27:25 tedu Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.73 2014/07/09 11:25:42 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1490,14 +1490,6 @@ ssl3_get_key_exchange(SSL *s)
1490		1490
1491	group = EC_KEY_get0_group(ecdh);	1491	group = EC_KEY_get0_group(ecdh);
1492		1492
1493	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1494	(EC_GROUP_get_degree(group) > 163)) {
1495	al = SSL_AD_EXPORT_RESTRICTION;
1496	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1497	SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1498	goto f_err;
1499	}
1500
1501	p += 3;	1493	p += 3;
1502		1494
1503	/* Next, get the encoded ECPoint */	1495	/* Next, get the encoded ECPoint */
@@ -2824,28 +2816,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
2824	goto f_err;	2816	goto f_err;
2825	}	2817	}
2826		2818
2827	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
2828	!has_bits(i, EVP_PKT_EXP)) {
2829	if (alg_k & SSL_kRSA) {
2830	if (rsa == NULL \|\| RSA_size(rsa) * 8 >
2831	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
2832	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2833	SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2834	goto f_err;
2835	}
2836	} else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {
2837	if (dh == NULL \|\| DH_size(dh) * 8 >
2838	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
2839	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2840	SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2841	goto f_err;
2842	}
2843	} else {
2844	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2845	SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2846	goto f_err;
2847	}
2848	}
2849	return (1);	2819	return (1);
2850	f_err:	2820	f_err:
2851	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);	2821	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);