Remove 1997's compat hack SSL_OP_SSLEAY_080_CLIENT_DH_BUG.

This is a hack for an old version of SSLeay which predates OpenSSL.

diff --git a/lib/libssl/doc/SSL_CTX_set_options.3 b/lib/libssl/doc/SSL_CTX_set_options.3
index b940c3d..bacd3b8 100644 (file)
--- a/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"    $OpenBSD: SSL_CTX_set_options.3,v 1.3 2015/06/15 02:57:05 doug Exp $
+.\"    $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -119,7 +119,9 @@ this option has no effect.
 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
 OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
 .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_TLS_D5_BUG
 \&...
 .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG

diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 921d779..7f6a5a0 100644 (file)
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.103 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1867,14 +1867,9 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto truncated;
                n2s(p, i);
                if (n != i + 2) {
-                       if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
-                               goto err;
-                       } else {
-                               p -= 2;
-                               i = (int)n;
-                       }
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                           SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+                       goto err;
                }
 
                if (n == 0L) {

diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index b940c3d..bacd3b8 100644 (file)
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"    $OpenBSD: SSL_CTX_set_options.3,v 1.3 2015/06/15 02:57:05 doug Exp $
+.\"    $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -119,7 +119,9 @@ this option has no effect.
 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
 OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
 .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_TLS_D5_BUG
 \&...
 .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG

diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 921d779..7f6a5a0 100644 (file)
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.103 2015/05/15 11:00:14 jsg Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1867,14 +1867,9 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto truncated;
                n2s(p, i);
                if (n != i + 2) {
-                       if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
-                               goto err;
-                       } else {
-                               p -= 2;
-                               i = (int)n;
-                       }
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                           SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+                       goto err;
                }
 
                if (n == 0L) {