From c90a1a4bb021e5a2622323df8464bf574d0c4364 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 9 Jul 2014 11:25:42 +0000
Subject: tedu the SSL export cipher handling - since we do not have enabled
 export ciphers we no longer need the flags or code to support it.

ok beck@ miod@
---
 src/lib/libssl/d1_srvr.c | 26 +++++---------------------
 1 file changed, 5 insertions(+), 21 deletions(-)

(limited to 'src/lib/libssl/d1_srvr.c')

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index d4d564a688..c01dc77254 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.27 2014/06/30 14:13:27 tedu Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.28 2014/07/09 11:25:42 jsing Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -473,9 +473,6 @@ dtls1_accept(SSL *s)
 			|| (alg_k & SSL_kEECDH)
 			|| ((alg_k & SSL_kRSA)
 			&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
-			|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
-			&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
-			)
 			)
 			)
 			) {
@@ -1047,9 +1044,7 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kRSA) {
 			rsa = cert->rsa_tmp;
 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s,
-				SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-				SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				rsa = s->cert->rsa_tmp_cb(s, 0, 0);
 				if (rsa == NULL) {
 					al = SSL_AD_HANDSHAKE_FAILURE;
 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
@@ -1070,9 +1065,7 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kEDH) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-				dhp = s->cert->dh_tmp_cb(s,
-				    SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-				    SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+				dhp = s->cert->dh_tmp_cb(s, 0, 0);
 			if (dhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
@@ -1115,11 +1108,8 @@ dtls1_send_server_key_exchange(SSL *s)
 			const EC_GROUP *group;
 
 			ecdhp = cert->ecdh_tmp;
-			if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
-				ecdhp = s->cert->ecdh_tmp_cb(s,
-				SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
-				SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
-			}
+			if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
+				ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
 			if (ecdhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
@@ -1160,12 +1150,6 @@ dtls1_send_server_key_exchange(SSL *s)
 				goto err;
 			}
 
-			if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
-			    (EC_GROUP_get_degree(group) > 163)) {
-				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
-				goto err;
-			}
-
 			/* XXX: For now, we only support ephemeral ECDH
 			 * keys over named (not generic) curves. For 
 			 * supported named curves, curve_id is non-zero.
-- 
cgit v1.2.3-55-g6feb