From: beck Date: Wed, 16 Apr 2014 18:05:55 +0000 (+0000) Subject: Thanks to the knobs in http://tools.ietf.org/html/rfc5746, we have a knob X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=900497b9d82698814a8de6c7f508f8f544542483;p=openbsd Thanks to the knobs in tools.ietf.org/html/rfc5746, we have a knob to say "allow this connection to negotiate insecurely". de-fang the code that respects this option to ignore it. ok miod@ --- diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 93510cb58ae..1a924f828e5 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -269,9 +269,7 @@ ssl3_accept(SSL *s) ssl3_init_finished_mac(s); s->state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; - } else if (!s->s3->send_connection_binding && - !(s->options & - SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + } else if (!s->s3->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 93510cb58ae..1a924f828e5 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -269,9 +269,7 @@ ssl3_accept(SSL *s) ssl3_init_finished_mac(s); s->state = SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; - } else if (!s->s3->send_connection_binding && - !(s->options & - SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + } else if (!s->s3->send_connection_binding) { /* * Server attempting to renegotiate with * client that doesn't support secure diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 417b90381b5..c4eeb7a41d2 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Need RI if renegotiating */ - if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + if (!renegotiate_seen && s->renegotiate) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, * absence on initial connect only. */ if (!renegotiate_seen - && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 417b90381b5..c4eeb7a41d2 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1296,8 +1296,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Need RI if renegotiating */ - if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + if (!renegotiate_seen && s->renegotiate) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); @@ -1533,8 +1532,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, * absence on initial connect only. */ if (!renegotiate_seen - && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);