From 926ce18e7111ed216cb29761d69533568f55f9e4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 8 Feb 2021 17:20:47 +0000
Subject: Remove bogus DTLS checks to disable ECC and OCSP.
ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
---
 src/lib/libssl/ssl_lib.c | 4 +---
 src/lib/libssl/ssl_tlsext.c | 9 ++-------
 2 files changed, 3 insertions(+), 10 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index b67f8569cc..a48d97f17e 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.244 2021/01/28 17:00:38 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.245 2021/02/08 17:20:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1368,8 +1368,6 @@ ssl_has_ecc_ciphers(SSL *s)
 SSL_CIPHER *cipher;
 int i;
- if (s->version == DTLS1_VERSION)
- return 0;
 if ((ciphers = SSL_get_ciphers(s)) == NULL)
 return 0;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index e12820ba62..dca9de0305 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.85 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -401,9 +401,6 @@ tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
 {
- if (s->version == DTLS1_VERSION)
- return 0;
-
 return ssl_using_ecc_cipher(s);
 }
@@ -848,14 +845,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 /*
- *Certificate Status Request - RFC 6066 section 8.
+ * Certificate Status Request - RFC 6066 section 8.
 */
 int
 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
 {
- if (SSL_is_dtls(s))
- return 0;
 if (msg_type != SSL_TLSEXT_MSG_CH)
 return 0;
--
cgit v1.2.3-55-g6feb