Always generate DH keys for ephemeral DH cipher suites.

Reviewed-by: Matt Caswell <matt@openssl.org>
author: Dr. Stephen Henson <steve@openssl.org> 2015-12-17 02:57:20 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2015-12-23 22:26:31 +0000
commit: ffaef3f1526ed87a46f82fa4924d5b08f2a2e631 (patch)
tree: d06a2a17643a20f35169253104528b6c2b377d0b /ssl
parent: d938e8dfee16e6bb5427eac7bda32337634ce130 (diff)
2 files changed, 7 insertions, 27 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 4fc4426cd9..f7cdd93bb1 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3499,13 +3499,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
                 return (ret);
             }
-            if (!(s->options & SSL_OP_SINGLE_DH_USE)) {
-                if (!DH_generate_key(dh)) {
-                    DH_free(dh);
-                    SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
-                    return (ret);
-                }
-            }
             DH_free(s->cert->dh_tmp);
             s->cert->dh_tmp = dh;
             ret = 1;
@@ -3887,12 +3880,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
                 return 0;
             }
-            if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) {
-                if (!DH_generate_key(new)) {
-                    SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
-                    DH_free(new);
-                    return 0;
-                }
+            if (!DH_generate_key(new)) {
+                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
+                DH_free(new);
+                return 0;
             }
             DH_free(cert->dh_tmp);
             cert->dh_tmp = new;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b8b18b74e9..abdff176f7 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1800,20 +1800,9 @@ int tls_construct_server_key_exchange(SSL *s)
         }
 
         s->s3->tmp.dh = dh;
-        if ((dhp->pub_key == NULL ||
-             dhp->priv_key == NULL ||
-             (s->options & SSL_OP_SINGLE_DH_USE))) {
-            if (!DH_generate_key(dh)) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
-                goto err;
-            }
-        } else {
-            dh->pub_key = BN_dup(dhp->pub_key);
-            dh->priv_key = BN_dup(dhp->priv_key);
-            if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
-                goto err;
-            }
+        if (!DH_generate_key(dh)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+            goto err;
         }
         r[0] = dh->p;
         r[1] = dh->g;
author	Dr. Stephen Henson <steve@openssl.org>	2015-12-17 02:57:20 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2015-12-23 22:26:31 +0000
commit	ffaef3f1526ed87a46f82fa4924d5b08f2a2e631 (patch)
tree	d06a2a17643a20f35169253104528b6c2b377d0b /ssl
parent	d938e8dfee16e6bb5427eac7bda32337634ce130 (diff)