From 7a4dadc3a6a487db92619622b820eb4f7be512c9 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 5 Feb 2015 17:13:46 +0000 Subject: [PATCH] Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed the "-hack" option from s_server that set this option. Reviewed-by: Tim Hudson --- apps/s_server.c | 47 --------------------------------- doc/apps/s_server.pod | 6 ----- doc/ssl/SSL_CTX_set_options.pod | 3 --- ssl/s3_srvr.c | 25 +----------------- ssl/ssl.h | 3 ++- 5 files changed, 3 insertions(+), 81 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index 4311d6d6fb..1792a3c1b1 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -266,7 +266,6 @@ static int s_brief = 0; static char *keymatexportlabel = NULL; static int keymatexportlen = 20; -static int hack = 0; #ifndef OPENSSL_NO_ENGINE static char *engine_id = NULL; #endif @@ -423,7 +422,6 @@ static void s_server_init(void) s_msg = 0; s_quiet = 0; s_brief = 0; - hack = 0; # ifndef OPENSSL_NO_ENGINE engine_id = NULL; # endif @@ -553,8 +551,6 @@ static void sv_usage(void) BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n"); BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n"); - BIO_printf(bio_err, - " -hack - workaround for early Netscape code\n"); BIO_printf(bio_err, " -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err, @@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[]) sdebug = 1; } else if (strcmp(*argv, "-security_debug_verbose") == 0) { sdebug = 2; - } else if (strcmp(*argv, "-hack") == 0) { - hack = 1; } else if (strcmp(*argv, "-state") == 0) { state = 1; } else if (strcmp(*argv, "-crlf") == 0) { @@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[]) BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx, 1); - if (hack) - SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); if (exc) ssl_ctx_set_excert(ctx, exc); @@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[]) BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx2, 1); - if (hack) - SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); if (exc) ssl_ctx_set_excert(ctx2, exc); @@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) } for (;;) { - if (hack) { - i = SSL_accept(con); -#ifndef OPENSSL_NO_SRP - while (i <= 0 - && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { - BIO_printf(bio_s_out, "LOOKUP during accept %s\n", - srp_callback_parm.login); - srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); - i = SSL_accept(con); - } -#endif - switch (SSL_get_error(con, i)) { - case SSL_ERROR_NONE: - break; - case SSL_ERROR_WANT_WRITE: - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_X509_LOOKUP: - continue; - case SSL_ERROR_SYSCALL: - case SSL_ERROR_SSL: - case SSL_ERROR_ZERO_RETURN: - ret = 1; - goto err; - /* break; */ - } - - SSL_renegotiate(con); - SSL_write(con, NULL, 0); - } - i = BIO_gets(io, buf, bufsize - 1); if (i < 0) { /* error */ if (!BIO_should_retry(io)) { diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index a4424521b8..b2c2907c35 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -73,7 +73,6 @@ B B [B<-no_ecdhe>] [B<-bugs>] [B<-brief>] -[B<-hack>] [B<-www>] [B<-WWW>] [B<-HTTP>] @@ -294,11 +293,6 @@ option enables various workarounds. only provide a brief summary of connection parameters instead of the normal verbose output. -=item B<-hack> - -this option enables a further workaround for some some early Netscape -SSL code (?). - =item B<-cipher cipherlist> this allows the cipher list used by the server to be modified. When diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index dc3d4f188a..1078f09837 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses. ... -=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG - -... =item SSL_OP_NO_SSLv2 diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 8819fed777..6adf4dc2a0 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -148,7 +148,6 @@ * OTHERWISE. */ -#define REUSE_CIPHER_BUG #define NETSCAPE_HANG_BUG #include @@ -1384,29 +1383,7 @@ int ssl3_get_client_hello(SSL *s) s->tlsext_ticket_expected = 0; } else { /* Session-id reuse */ -#ifdef REUSE_CIPHER_BUG - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *nc = NULL; - SSL_CIPHER *ec = NULL; - - if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) { - sk = s->session->ciphers; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - c = sk_SSL_CIPHER_value(sk, i); - if (c->algorithm_enc & SSL_eNULL) - nc = c; - if (SSL_C_IS_EXPORT(c)) - ec = c; - } - if (nc != NULL) - s->s3->tmp.new_cipher = nc; - else if (ec != NULL) - s->s3->tmp.new_cipher = ec; - else - s->s3->tmp.new_cipher = s->session->cipher; - } else -#endif - s->s3->tmp.new_cipher = s->session->cipher; + s->s3->tmp.new_cipher = s->session->cipher; } if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) { diff --git a/ssl/ssl.h b/ssl/ssl.h index 13fb053ffc..160d37c437 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, /* Removed as of OpenSSL 1.1.0 */ # define SSL_OP_NETSCAPE_CA_DN_BUG 0x0 -# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L +/* Removed as of OpenSSL 1.1.0 */ +# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0L /* * Make server add server-hello extension from early version of cryptopro * draft, when GOST ciphersuite is negotiated. Required for interoperability -- 2.25.1