From: doug Date: Mon, 15 Jun 2015 03:32:59 +0000 (+0000) Subject: Remove 1997's compat hack SSL_OP_SSLEAY_080_CLIENT_DH_BUG. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e30748dd3c2511101efea0cdecd95af3bcc0efcb;p=openbsd Remove 1997's compat hack SSL_OP_SSLEAY_080_CLIENT_DH_BUG. This is a hack for an old version of SSLeay which predates OpenSSL. --- diff --git a/lib/libssl/doc/SSL_CTX_set_options.3 b/lib/libssl/doc/SSL_CTX_set_options.3 index b940c3d7d07..bacd3b84f01 100644 --- a/lib/libssl/doc/SSL_CTX_set_options.3 +++ b/lib/libssl/doc/SSL_CTX_set_options.3 @@ -1,5 +1,5 @@ .\" -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.3 2015/06/15 02:57:05 doug Exp $ +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $ .\" .Dd $Mdocdate: June 15 2015 $ .Dt SSL_CTX_SET_OPTIONS 3 @@ -119,7 +119,9 @@ this option has no effect. Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG -\&... +As of +.Ox 5.8 , +this option has no effect. .It Dv SSL_OP_TLS_D5_BUG \&... .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 921d7797809..7f6a5a0bbde 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.103 2015/05/15 11:00:14 jsg Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1867,14 +1867,9 @@ ssl3_get_client_key_exchange(SSL *s) goto truncated; n2s(p, i); if (n != i + 2) { - if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); - goto err; - } else { - p -= 2; - i = (int)n; - } + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); + goto err; } if (n == 0L) { diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 index b940c3d7d07..bacd3b84f01 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 +++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 @@ -1,5 +1,5 @@ .\" -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.3 2015/06/15 02:57:05 doug Exp $ +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $ .\" .Dd $Mdocdate: June 15 2015 $ .Dt SSL_CTX_SET_OPTIONS 3 @@ -119,7 +119,9 @@ this option has no effect. Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG -\&... +As of +.Ox 5.8 , +this option has no effect. .It Dv SSL_OP_TLS_D5_BUG \&... .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 921d7797809..7f6a5a0bbde 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.103 2015/05/15 11:00:14 jsg Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1867,14 +1867,9 @@ ssl3_get_client_key_exchange(SSL *s) goto truncated; n2s(p, i); if (n != i + 2) { - if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); - goto err; - } else { - p -= 2; - i = (int)n; - } + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); + goto err; } if (n == 0L) {