Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index b67f856..a48d97f 100644 (file)
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.244 2021/01/28 17:00:38 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.245 2021/02/08 17:20:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1368,8 +1368,6 @@ ssl_has_ecc_ciphers(SSL *s)
        SSL_CIPHER *cipher;
        int i;
 
-       if (s->version == DTLS1_VERSION)
-               return 0;
        if ((ciphers = SSL_get_ciphers(s)) == NULL)
                return 0;
 

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index e12820b..dca9de0 100644 (file)
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.85 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -401,9 +401,6 @@ tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
 {
-       if (s->version == DTLS1_VERSION)
-               return 0;
-
        return ssl_using_ecc_cipher(s);
 }
 
@@ -848,14 +845,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 
 
 /*
- *Certificate Status Request - RFC 6066 section 8.
+ * Certificate Status Request - RFC 6066 section 8.
  */
 
 int
 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
 {
-       if (SSL_is_dtls(s))
-               return 0;
        if (msg_type != SSL_TLSEXT_MSG_CH)
                return 0;