> Hello,
>
> I just noticed r1.44 to t1_lib.c. I'm not sure that auditing
> opaque_prf_input is a good use of anyone's time -- I think it might be
> better to just run "unifdef -U TLSEXT_TYPE_opaque_prf_input" and be done
> with it.
>
> Here's the history of opaque_prf_input as I understand it:
>
> - In 2006, the Department of Defense wanted a TLS extension that could
> provide extra random inputs for generating the master secret. A draft
> was produced for an extension that would let the client and server
> each contribute up to 64 KB of extra "random" material to the PRF. [1]
>
> - The draft was abandoned and expired in June of 2007. No extension type
> was ever assigned.
>
> - In September 2007, OpenSSL added support for the expired draft. [2]
> Of course, since there's no assigned extension type, users need to
> define one and recompile the library to use the extension.
>
>
> Given that the extension was dead on arrival and implemented
> post-mortem, I wouldn't be surprised to discover that opaque_prf_input
> has as many users as big-endian amd64 support.
You're right. What about the following diff? (major bump for libssl)
Index: src/apps/s_cb.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/apps/s_cb.c,v
retrieving revision 1.20
diff -u -p -r1.20 s_cb.c
--- src/apps/s_cb.c 18 May 2014 16:21:03 -0000 1.20
+++ src/apps/s_cb.c 9 Jun 2014 19:44:44 -0000
@@ -696,11 +696,6 @@ tlsext_cb(SSL * s, int client_server, in
extname = "renegotiation info";
break;
-#ifdef TLSEXT_TYPE_opaque_prf_input
- case TLSEXT_TYPE_opaque_prf_input:
- extname = "opaque PRF input";
- break;
-#endif
#ifdef TLSEXT_TYPE_next_proto_neg
case TLSEXT_TYPE_next_proto_neg:
extname = "next protocol";
Index: src/apps/s_client.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/apps/s_client.c,v
retrieving revision 1.59
diff -u -p -r1.59 s_client.c
--- src/apps/s_client.c 2 Jun 2014 16:23:18 -0000 1.59
+++ src/apps/s_client.c 9 Jun 2014 19:44:45 -0000
@@ -910,11 +910,6 @@ bad:
}
#endif
/* SSL_set_cipher_list(con,"RC4-MD5"); */
-#if 0
-#ifdef TLSEXT_TYPE_opaque_prf_input
- SSL_set_tlsext_opaque_prf_input(con, "Test client", 11);
-#endif
-#endif
re_start:
Index: src/apps/s_server.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/apps/s_server.c,v
retrieving revision 1.51
diff -u -p -r1.51 s_server.c
--- src/apps/s_server.c 2 Jun 2014 16:23:18 -0000 1.51
+++ src/apps/s_server.c 9 Jun 2014 19:44:45 -0000
@@ -1541,11 +1541,6 @@ sv_body(char *hostname, int s, unsigned
strlen((char *) context));
}
SSL_clear(con);
-#if 0
-#ifdef TLSEXT_TYPE_opaque_prf_input
- SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
-#endif
-#endif
if (SSL_version(con) == DTLS1_VERSION) {
Index: src/ssl/s3_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/s3_lib.c,v
retrieving revision 1.57
diff -u -p -r1.57 s3_lib.c
--- src/ssl/s3_lib.c 7 Jun 2014 14:40:55 -0000 1.57
+++ src/ssl/s3_lib.c 9 Jun 2014 19:44:47 -0000
@@ -2322,11 +2322,6 @@ ssl3_free(SSL *s)
if (s == NULL)
return;
-#ifdef TLSEXT_TYPE_opaque_prf_input
- free(s->s3->client_opaque_prf_input);
- free(s->s3->server_opaque_prf_input);
-#endif
-
ssl3_cleanup_key_block(s);
ssl3_release_read_buffer(s);
ssl3_release_write_buffer(s);
@@ -2351,13 +2346,6 @@ ssl3_clear(SSL *s)
size_t rlen, wlen;
int init_extra;
-#ifdef TLSEXT_TYPE_opaque_prf_input
- free(s->s3->client_opaque_prf_input);
- s->s3->client_opaque_prf_input = NULL;
- free(s->s3->server_opaque_prf_input);
- s->s3->server_opaque_prf_input = NULL;
-#endif
-
ssl3_cleanup_key_block(s);
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
@@ -2570,35 +2558,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, vo
ret = 1;
break;
-#ifdef TLSEXT_TYPE_opaque_prf_input
- case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT:
- if (larg > 12288) {
- /*
- * Actual internal limit is 2^16 for the complete
- * hello message (including the cert chain and
- * everything)
- */
- SSLerr(SSL_F_SSL3_CTRL,
- SSL_R_OPAQUE_PRF_INPUT_TOO_LONG);
- break;
- }
- free(s->tlsext_opaque_prf_input);
- if ((size_t)larg == 0) {
- s->tlsext_opaque_prf_input = NULL;
- s->tlsext_opaque_prf_input_len = 0;
- ret = 1;
- } else {
- s->tlsext_opaque_prf_input =
- BUF_memdup(parg, (size_t)larg);
- if (s->tlsext_opaque_prf_input != NULL) {
- s->tlsext_opaque_prf_input_len = (size_t)larg;
- ret = 1;
- } else
- s->tlsext_opaque_prf_input_len = 0;
- }
- break;
-#endif
-
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
s->tlsext_status_type = larg;
ret = 1;
@@ -2824,12 +2783,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, lon
return 1;
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG:
- ctx->tlsext_opaque_prf_input_callback_arg = parg;
- return 1;
-#endif
-
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
ctx->tlsext_status_arg = parg;
return 1;
@@ -2889,13 +2842,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int
ctx->tlsext_servername_callback =
(int (*)(SSL *, int *, void *))fp;
break;
-
-#ifdef TLSEXT_TYPE_opaque_prf_input
- case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB:
- ctx->tlsext_opaque_prf_input_callback =
- (int (*)(SSL *, void *, size_t, void *))fp;
- break;
-#endif
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
Index: src/ssl/ssl.h
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl.h,v
retrieving revision 1.51
diff -u -p -r1.51 ssl.h
--- src/ssl/ssl.h 8 Jun 2014 14:13:43 -0000 1.51
+++ src/ssl/ssl.h 9 Jun 2014 19:44:48 -0000
@@ -847,11 +847,6 @@ struct ssl_ctx_st {
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
- /* draft-rescorla-tls-opaque-prf-input-00.txt information */
- int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput,
- size_t len, void *arg);
- void *tlsext_opaque_prf_input_callback_arg;
-
#ifndef OPENSSL_NO_PSK
char *psk_identity_hint;
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -1201,10 +1196,6 @@ struct ssl_st {
size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist; /* our list */
- /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used
for handshakes */
- void *tlsext_opaque_prf_input;
- size_t tlsext_opaque_prf_input_len;
-
/* TLS Session Ticket extension override */
TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
@@ -1454,9 +1445,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
-#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT 60
-#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61
-#define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62
#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE 65
@@ -2259,7 +2247,6 @@ void ERR_load_SSL_strings(void);
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
-#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 327
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
#define SSL_R_PARSE_TLSEXT 227
#define SSL_R_PATH_TOO_LONG 270
Index: src/ssl/ssl3.h
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl3.h,v
retrieving revision 1.20
diff -u -p -r1.20 ssl3.h
--- src/ssl/ssl3.h 8 Jun 2014 15:10:14 -0000 1.20
+++ src/ssl/ssl3.h 9 Jun 2014 19:44:48 -0000
@@ -452,15 +452,6 @@ typedef struct ssl3_state_st {
int in_read_app_data;
- /* Opaque PRF input as used for the current handshake.
- * These fields are used only if TLSEXT_TYPE_opaque_prf_input is defined
- * (otherwise, they are merely present to improve binary compatibility)
- */
- void *client_opaque_prf_input;
- size_t client_opaque_prf_input_len;
- void *server_opaque_prf_input;
- size_t server_opaque_prf_input_len;
-
struct {
/* actually only needs to be 16+20 */
unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
Index: src/ssl/ssl_err.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_err.c,v
retrieving revision 1.22
diff -u -p -r1.22 ssl_err.c
--- src/ssl/ssl_err.c 8 Jun 2014 14:13:43 -0000 1.22
+++ src/ssl/ssl_err.c 9 Jun 2014 19:44:50 -0000
@@ -454,7 +454,6 @@ static ERR_STRING_DATA SSL_str_reasons[]
{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "old session cipher
not returned"},
{ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "old
session compression algorithm not returned"},
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "only tls allowed in
fips mode"},
- {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too
long"},
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
{ERR_REASON(SSL_R_PARSE_TLSEXT) , "parse tlsext"},
{ERR_REASON(SSL_R_PATH_TOO_LONG) , "path too long"},
Index: src/ssl/ssl_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
retrieving revision 1.64
diff -u -p -r1.64 ssl_lib.c
--- src/ssl/ssl_lib.c 7 Jun 2014 14:03:50 -0000 1.64
+++ src/ssl/ssl_lib.c 9 Jun 2014 19:44:50 -0000
@@ -535,7 +535,6 @@ SSL_free(SSL *s)
SSL_CTX_free(s->initial_ctx);
free(s->tlsext_ecpointformatlist);
free(s->tlsext_ellipticcurvelist);
- free(s->tlsext_opaque_prf_input);
if (s->tlsext_ocsp_exts)
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
X509_EXTENSION_free);
Index: src/ssl/t1_enc.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/t1_enc.c,v
retrieving revision 1.51
diff -u -p -r1.51 t1_enc.c
--- src/ssl/t1_enc.c 8 Jun 2014 15:10:14 -0000 1.51
+++ src/ssl/t1_enc.c 9 Jun 2014 19:44:50 -0000
@@ -998,23 +998,6 @@ tls1_generate_master_secret(SSL *s, unsi
const void *co = NULL, *so = NULL;
int col = 0, sol = 0;
-#ifdef TLSEXT_TYPE_opaque_prf_input
- if (s->s3->client_opaque_prf_input != NULL &&
- s->s3->server_opaque_prf_input != NULL &&
- s->s3->client_opaque_prf_input_len > 0 &&
- s->s3->client_opaque_prf_input_len ==
- s->s3->server_opaque_prf_input_len) {
- /*
- * sol must be same as col - see section 3.1 of
- * draft-rescorla-tls-opaque-prf-input-00.txt.
- */
- co = s->s3->client_opaque_prf_input;
- col = s->s3->server_opaque_prf_input_len;
- so = s->s3->server_opaque_prf_input;
- sol = s->s3->client_opaque_prf_input_len;
- }
-#endif
-
tls1_PRF(ssl_get_algorithm2(s),
TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,
s->s3->client_random, SSL3_RANDOM_SIZE, co, col,
Index: src/ssl/t1_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.44
diff -u -p -r1.44 t1_lib.c
--- src/ssl/t1_lib.c 4 Jun 2014 21:05:30 -0000 1.44
+++ src/ssl/t1_lib.c 9 Jun 2014 19:44:51 -0000
@@ -557,25 +557,6 @@ skip_ext:
ret += sizeof(tls12_sigalgs);
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- if (s->s3->client_opaque_prf_input != NULL &&
- s->version != DTLS1_VERSION) {
- size_t col = s->s3->client_opaque_prf_input_len;
-
- if ((size_t)(limit - ret) < 6 + col)
- return NULL;
- if (col > 0xFFFD) /* can't happen */
- return NULL;
-
- s2n(TLSEXT_TYPE_opaque_prf_input, ret);
-
- s2n(col + 2, ret);
- s2n(col, ret);
- memcpy(ret, s->s3->client_opaque_prf_input, col);
- ret += col;
- }
-#endif
-
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
s->version != DTLS1_VERSION) {
int i;
@@ -783,25 +764,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsig
s2n(0, ret);
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- if (s->s3->server_opaque_prf_input != NULL &&
- s->version != DTLS1_VERSION) {
- size_t sol = s->s3->server_opaque_prf_input_len;
-
- if ((size_t)(limit - ret) < 6 + sol)
- return NULL;
- if (sol > 0xFFFD) /* can't happen */
- return NULL;
-
- s2n(TLSEXT_TYPE_opaque_prf_input, ret);
-
- s2n(sol + 2, ret);
- s2n(sol, ret);
- memcpy(ret, s->s3->server_opaque_prf_input, sol);
- ret += sol;
- }
-#endif
-
#ifndef OPENSSL_NO_SRTP
if (s->srtp_profile) {
int el;
@@ -1131,35 +1093,6 @@ ssl_parse_clienthello_tlsext(SSL *s, uns
memcpy(s->session->tlsext_ellipticcurvelist,
sdata, ellipticcurvelist_length);
}
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- else if (type == TLSEXT_TYPE_opaque_prf_input &&
- s->version != DTLS1_VERSION) {
- unsigned char *sdata = data;
-
- if (size < 2) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- n2s(sdata, s->s3->client_opaque_prf_input_len);
- if (s->s3->client_opaque_prf_input_len != size - 2) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- free(s->s3->client_opaque_prf_input);
- s->s3->client_opaque_prf_input = NULL;
-
- if (s->s3->client_opaque_prf_input_len != 0) {
- s->s3->client_opaque_prf_input =
- BUF_memdup(sdata,
- s->s3->client_opaque_prf_input_len);
- if (s->s3->client_opaque_prf_input == NULL) {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
- }
- }
- }
-#endif
else if (type == TLSEXT_TYPE_session_ticket) {
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s, data, size,
s->tls_session_ticket_ext_cb_arg)) {
@@ -1428,35 +1361,6 @@ ssl_parse_serverhello_tlsext(SSL *s, uns
}
s->tlsext_ticket_expected = 1;
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- else if (type == TLSEXT_TYPE_opaque_prf_input &&
- s->version != DTLS1_VERSION) {
- unsigned char *sdata = data;
-
- if (size < 2) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- n2s(sdata, s->s3->server_opaque_prf_input_len);
- if (s->s3->server_opaque_prf_input_len != size - 2) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- free(s->s3->server_opaque_prf_input);
- s->s3->server_opaque_prf_input = NULL;
-
- if (s->s3->server_opaque_prf_input_len != 0)
- s->s3->server_opaque_prf_input =
- BUF_memdup(sdata,
- s->s3->server_opaque_prf_input_len);
- if (s->s3->server_opaque_prf_input == NULL) {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
- }
- }
- }
-#endif
else if (type == TLSEXT_TYPE_status_request &&
s->version != DTLS1_VERSION) {
/* MUST be empty and only sent if we've requested
@@ -1609,42 +1513,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
}
}
-#ifdef TLSEXT_TYPE_opaque_prf_input
- {
- int r = 1;
-
- if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
- r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
- s->ctx->tlsext_opaque_prf_input_callback_arg);
- if (!r)
- return -1;
- }
-
- if (s->tlsext_opaque_prf_input != NULL) {
- free(s->s3->client_opaque_prf_input);
- s->s3->client_opaque_prf_input = NULL;
- if (s->tlsext_opaque_prf_input_len != 0) {
- s->s3->client_opaque_prf_input =
- BUF_memdup(s->tlsext_opaque_prf_input,
- s->tlsext_opaque_prf_input_len);
- if (s->s3->client_opaque_prf_input == NULL) {
-
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
- ERR_R_MALLOC_FAILURE);
- return -1;
- }
- }
- s->s3->client_opaque_prf_input_len =
- s->tlsext_opaque_prf_input_len;
- }
-
- if (r == 2) {
- /* at callback's request, insist on receiving an
appropriate server opaque PRF input */
- s->s3->server_opaque_prf_input_len =
- s->tlsext_opaque_prf_input_len;
- }
- }
-#endif
-
return 1;
}
@@ -1694,65 +1562,6 @@ ssl_check_clienthello_tlsext_early(SSL *
else if (s->initial_ctx != NULL &&
s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, &al,
s->initial_ctx->tlsext_servername_arg);
-#ifdef TLSEXT_TYPE_opaque_prf_input
- {
- /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
- * but we might be sending an alert in response to the client
hello,
- * so this has to happen here in
- * ssl_check_clienthello_tlsext_early(). */
-
- int r = 1;
-
- if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
- r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
- s->ctx->tlsext_opaque_prf_input_callback_arg);
- if (!r) {
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- }
-
- free(s->s3->server_opaque_prf_input);
- s->s3->server_opaque_prf_input = NULL;
-
- if (s->tlsext_opaque_prf_input != NULL) {
- if (s->s3->client_opaque_prf_input != NULL &&
- s->s3->client_opaque_prf_input_len ==
- s->tlsext_opaque_prf_input_len) {
- /*
- * Can only use this extension if we have a
- * server opaque PRF input of the same length
- * as the client opaque PRF input!
- */
- if (s->tlsext_opaque_prf_input_len != 0) {
- s->s3->server_opaque_prf_input =
-
BUF_memdup(s->tlsext_opaque_prf_input,
- s->tlsext_opaque_prf_input_len);
- if (s->s3->server_opaque_prf_input ==
- NULL) {
- ret =
SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- }
- s->s3->server_opaque_prf_input_len =
- s->tlsext_opaque_prf_input_len;
- }
- }
-
- if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
- /* The callback wants to enforce use of the extension,
- * but we can't do that with the client opaque PRF
input;
- * abort the handshake.
- */
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_HANDSHAKE_FAILURE;
- }
- }
-
-err:
-#endif
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1866,27 +1675,6 @@ ssl_check_serverhello_tlsext(SSL *s)
ret = s->ctx->tlsext_servername_callback(s, &al,
s->ctx->tlsext_servername_arg);
else if (s->initial_ctx != NULL &&
s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, &al,
s->initial_ctx->tlsext_servername_arg);
-
-#ifdef TLSEXT_TYPE_opaque_prf_input
- if (s->s3->server_opaque_prf_input_len > 0) {
- /* This case may indicate that we, as a client, want to insist
on using opaque PRF inputs.
- * So first verify that we really have a value from the server
too. */
-
- if (s->s3->server_opaque_prf_input == NULL) {
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_HANDSHAKE_FAILURE;
- }
-
- /* Anytime the server *has* sent an opaque PRF input, we need
to check
- * that we have a client opaque PRF input of the same size. */
- if (s->s3->client_opaque_prf_input == NULL ||
- s->s3->client_opaque_prf_input_len !=
- s->s3->server_opaque_prf_input_len) {
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_ILLEGAL_PARAMETER;
- }
- }
-#endif
/* If we've requested certificate status and we wont get one
* tell the callback
Index: src/ssl/tls1.h
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/tls1.h,v
retrieving revision 1.16
diff -u -p -r1.16 tls1.h
--- src/ssl/tls1.h 31 May 2014 10:49:28 -0000 1.16
+++ src/ssl/tls1.h 9 Jun 2014 19:44:51 -0000
@@ -342,13 +342,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
#define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)
-#define SSL_set_tlsext_opaque_prf_input(s, src, len) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT, len, src)
-#define SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) \
-SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB, (void
(*)(void))cb)
-#define SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) \
-SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG, 0, arg)
-
#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
Index: ssl/shlib_version
===================================================================
RCS file: /cvs/src/lib/libssl/ssl/shlib_version,v
retrieving revision 1.32
diff -u -p -r1.32 shlib_version
--- ssl/shlib_version 12 May 2014 19:14:14 -0000 1.32
+++ ssl/shlib_version 9 Jun 2014 19:44:51 -0000
@@ -1,2 +1,2 @@
-major=24
-minor=1
+major=25
+minor=0
