whack a bunch of disabled code. ok beck lteo

author: tedu <> 2014-04-17 23:35:40 +0000
committer: tedu <> 2014-04-17 23:35:40 +0000
commit: 491821dca7e8e8f0007623a9bd8f0325d59b3b44 (patch)
tree: ef2f2b69483c17a9b88284fba5c8f09ea14b3362 /src/lib/libssl/s3_srvr.c
parent: f5747664d89e514145baf28fb79e5c88c97c33b9 (diff)
download: openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.tar.gz
openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.tar.bz2
openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.zip
1 files changed, 0 insertions, 18 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 19e0495fe6..79b89d7e95 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1129,24 +1129,6 @@ ssl3_get_client_hello(SSL *s)
                                break;
                        }
                }
-/*
- * Disabled because it can be used in a ciphersuite downgrade
- * attack: CVE-2010-4180.
- */
-#if 0
-                if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
-                        /* Special case as client bug workaround: the previously used cipher may
-                         * not be in the current list, the client instead might be trying to
-                         * continue using a cipher that before wasn't chosen due to server
-                         * preferences.  We'll have to reject the connection if the cipher is not
-                         * enabled, though. */
-                        c = sk_SSL_CIPHER_value(ciphers, 0);
-                        if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
-                                s->session->cipher = c;
-                                j = 1;
-                        }
-                }
-#endif
                if (j == 0) {
                        /* we need to have the cipher in the cipher
                         * list if we are asked to reuse it */
author	tedu <>	2014-04-17 23:35:40 +0000
committer	tedu <>	2014-04-17 23:35:40 +0000
commit	491821dca7e8e8f0007623a9bd8f0325d59b3b44 (patch)
tree	ef2f2b69483c17a9b88284fba5c8f09ea14b3362 /src/lib/libssl/s3_srvr.c
parent	f5747664d89e514145baf28fb79e5c88c97c33b9 (diff)
download	openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.tar.gz openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.tar.bz2 openbsd-491821dca7e8e8f0007623a9bd8f0325d59b3b44.zip

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 19e0495fe6..79b89d7e95 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1129,24 +1129,6 @@ ssl3_get_client_hello(SSL *s)
1129	break;	1129	break;
1130	}	1130	}
1131	}	1131	}
1132	/*
1133	* Disabled because it can be used in a ciphersuite downgrade
1134	* attack: CVE-2010-4180.
1135	*/
1136	#if 0
1137	if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1138	/* Special case as client bug workaround: the previously used cipher may
1139	* not be in the current list, the client instead might be trying to
1140	* continue using a cipher that before wasn't chosen due to server
1141	* preferences. We'll have to reject the connection if the cipher is not
1142	* enabled, though. */
1143	c = sk_SSL_CIPHER_value(ciphers, 0);
1144	if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1145	s->session->cipher = c;
1146	j = 1;
1147	}
1148	}
1149	#endif
1150	if (j == 0) {	1132	if (j == 0) {
1151	/* we need to have the cipher in the cipher	1133	/* we need to have the cipher in the cipher
1152	* list if we are asked to reuse it */	1134	* list if we are asked to reuse it */