diff options
| author | jsing <> | 2016-10-19 16:38:40 +0000 |
|---|---|---|
| committer | jsing <> | 2016-10-19 16:38:40 +0000 |
| commit | 8acc30923121ec4884a8cb19e75bd99889131e7f (patch) | |
| tree | 69cebce9957786fdcd7943948cd528b764891fb2 /src/lib/libssl/s3_srvr.c | |
| parent | ac7c37977891b32e21ccb19829cc10dc20c3d5ca (diff) | |
| download | openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.gz openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.tar.bz2 openbsd-8acc30923121ec4884a8cb19e75bd99889131e7f.zip | |
Remove support for fixed ECDH cipher suites - these is not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 22 |
1 files changed, 7 insertions, 15 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index d2a03e05d2..8ecd51669a 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.127 2016/09/22 07:17:41 guenther Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.128 2016/10/19 16:38:40 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1764,9 +1764,7 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1764 | s->method->ssl3_enc->generate_master_secret( | 1764 | s->method->ssl3_enc->generate_master_secret( |
| 1765 | s, s->session->master_key, p, i); | 1765 | s, s->session->master_key, p, i); |
| 1766 | explicit_bzero(p, i); | 1766 | explicit_bzero(p, i); |
| 1767 | } else | 1767 | } else if (alg_k & SSL_kECDHE) { |
| 1768 | |||
| 1769 | if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) { | ||
| 1770 | int ret = 1; | 1768 | int ret = 1; |
| 1771 | int key_size; | 1769 | int key_size; |
| 1772 | const EC_KEY *tkey; | 1770 | const EC_KEY *tkey; |
| @@ -1780,17 +1778,11 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1780 | goto err; | 1778 | goto err; |
| 1781 | } | 1779 | } |
| 1782 | 1780 | ||
| 1783 | /* Let's get server private key and group information. */ | 1781 | /* |
| 1784 | if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { | 1782 | * Use the ephemeral values we saved when |
| 1785 | /* Use the certificate */ | 1783 | * generating the ServerKeyExchange message. |
| 1786 | tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; | 1784 | */ |
| 1787 | } else { | 1785 | tkey = s->s3->tmp.ecdh; |
| 1788 | /* | ||
| 1789 | * Use the ephermeral values we saved when | ||
| 1790 | * generating the ServerKeyExchange msg. | ||
| 1791 | */ | ||
| 1792 | tkey = s->s3->tmp.ecdh; | ||
| 1793 | } | ||
| 1794 | 1786 | ||
| 1795 | group = EC_KEY_get0_group(tkey); | 1787 | group = EC_KEY_get0_group(tkey); |
| 1796 | priv_key = EC_KEY_get0_private_key(tkey); | 1788 | priv_key = EC_KEY_get0_private_key(tkey); |