diff options
| author | doug <> | 2015-09-12 16:10:08 +0000 |
|---|---|---|
| committer | doug <> | 2015-09-12 16:10:08 +0000 |
| commit | 56a3e20d1e41c02e4afd069925ec512ebb40b905 (patch) | |
| tree | ecc6c8f80b7c9e9b5057a82b1842ccf8724eb149 /src/lib/libssl/s3_lib.c | |
| parent | efc74c6a34e219450e0cc4dd809c41889209b98d (diff) | |
| download | openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.gz openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.bz2 openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.zip | |
Remove most of the SSLv3 version checks and a few TLS v1.0.
We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.
"reads ok" miod@
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 15 |
1 files changed, 5 insertions, 10 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 912ac8dbdb..ce383bb209 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.105 2015/09/12 15:03:39 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.106 2015/09/12 16:10:07 doug Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2598,7 +2598,7 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
| 2598 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 2598 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 2599 | 2599 | ||
| 2600 | #ifndef OPENSSL_NO_GOST | 2600 | #ifndef OPENSSL_NO_GOST |
| 2601 | if ((alg_k & SSL_kGOST) && (s->version >= TLS1_VERSION)) { | 2601 | if ((alg_k & SSL_kGOST)) { |
| 2602 | p[ret++] = TLS_CT_GOST94_SIGN; | 2602 | p[ret++] = TLS_CT_GOST94_SIGN; |
| 2603 | p[ret++] = TLS_CT_GOST01_SIGN; | 2603 | p[ret++] = TLS_CT_GOST01_SIGN; |
| 2604 | p[ret++] = TLS_CT_GOST12_256_SIGN; | 2604 | p[ret++] = TLS_CT_GOST12_256_SIGN; |
| @@ -2610,13 +2610,9 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
| 2610 | p[ret++] = SSL3_CT_RSA_FIXED_DH; | 2610 | p[ret++] = SSL3_CT_RSA_FIXED_DH; |
| 2611 | p[ret++] = SSL3_CT_DSS_FIXED_DH; | 2611 | p[ret++] = SSL3_CT_DSS_FIXED_DH; |
| 2612 | } | 2612 | } |
| 2613 | if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) { | ||
| 2614 | p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; | ||
| 2615 | p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; | ||
| 2616 | } | ||
| 2617 | p[ret++] = SSL3_CT_RSA_SIGN; | 2613 | p[ret++] = SSL3_CT_RSA_SIGN; |
| 2618 | p[ret++] = SSL3_CT_DSS_SIGN; | 2614 | p[ret++] = SSL3_CT_DSS_SIGN; |
| 2619 | if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) { | 2615 | if ((alg_k & (SSL_kECDHr|SSL_kECDHe))) { |
| 2620 | p[ret++] = TLS_CT_RSA_FIXED_ECDH; | 2616 | p[ret++] = TLS_CT_RSA_FIXED_ECDH; |
| 2621 | p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; | 2617 | p[ret++] = TLS_CT_ECDSA_FIXED_ECDH; |
| 2622 | } | 2618 | } |
| @@ -2625,9 +2621,8 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) | |||
| 2625 | * ECDSA certs can be used with RSA cipher suites as well | 2621 | * ECDSA certs can be used with RSA cipher suites as well |
| 2626 | * so we don't need to check for SSL_kECDH or SSL_kECDHE | 2622 | * so we don't need to check for SSL_kECDH or SSL_kECDHE |
| 2627 | */ | 2623 | */ |
| 2628 | if (s->version >= TLS1_VERSION) { | 2624 | p[ret++] = TLS_CT_ECDSA_SIGN; |
| 2629 | p[ret++] = TLS_CT_ECDSA_SIGN; | 2625 | |
| 2630 | } | ||
| 2631 | return (ret); | 2626 | return (ret); |
| 2632 | } | 2627 | } |
| 2633 | 2628 | ||