From 10b295afc013f860b231131232decaa92b0ef4c0 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 8 Feb 2021 17:20:47 +0000
Subject: [PATCH] Remove bogus DTLS checks to disable ECC and OCSP.
ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
---
 lib/libssl/ssl_lib.c | 4 +---
 lib/libssl/ssl_tlsext.c | 9 ++-------
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index b67f8569cc2..a48d97f17e4 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.244 2021/01/28 17:00:38 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.245 2021/02/08 17:20:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1368,8 +1368,6 @@ ssl_has_ecc_ciphers(SSL *s)
 SSL_CIPHER *cipher;
 int i;
- if (s->version == DTLS1_VERSION)
- return 0;
 if ((ciphers = SSL_get_ciphers(s)) == NULL)
 return 0;
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index e12820ba624..dca9de03050 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.85 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -401,9 +401,6 @@ tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type)
 {
- if (s->version == DTLS1_VERSION)
- return 0;
-
 return ssl_using_ecc_cipher(s);
 }
@@ -848,14 +845,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 /*
- *Certificate Status Request - RFC 6066 section 8.
+ * Certificate Status Request - RFC 6066 section 8.
 */
 int
 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
 {
- if (SSL_is_dtls(s))
- return 0;
 if (msg_type != SSL_TLSEXT_MSG_CH)
 return 0;
-- 
2.20.1