[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Feb 26 23:23:39 UTC 2015
The branch master has been updated
via 7a4dadc3a6a487db92619622b820eb4f7be512c9 (commit)
from f7812493a0da6b740274135ce340ff7505027057 (commit)
- Log -----------------------------------------------------------------
commit 7a4dadc3a6a487db92619622b820eb4f7be512c9
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 5 17:13:46 2015 +0000
Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed
the "-hack" option from s_server that set this option.
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/s_server.c | 47 ---------------------------------------
doc/apps/s_server.pod | 6 -----
doc/ssl/SSL_CTX_set_options.pod | 3 ---
ssl/s3_srvr.c | 25 +--------------------
ssl/ssl.h | 3 ++-
5 files changed, 3 insertions(+), 81 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 4311d6d..1792a3c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -266,7 +266,6 @@ static int s_brief = 0;
static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;
-static int hack = 0;
#ifndef OPENSSL_NO_ENGINE
static char *engine_id = NULL;
#endif
@@ -423,7 +422,6 @@ static void s_server_init(void)
s_msg = 0;
s_quiet = 0;
s_brief = 0;
- hack = 0;
# ifndef OPENSSL_NO_ENGINE
engine_id = NULL;
# endif
@@ -554,8 +552,6 @@ static void sv_usage(void)
"-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
BIO_printf(bio_err,
- " -hack - workaround for early Netscape code\n");
- BIO_printf(bio_err,
" -www - Respond to a 'GET /' with a status page\n");
BIO_printf(bio_err,
" -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[])
sdebug = 1;
} else if (strcmp(*argv, "-security_debug_verbose") == 0) {
sdebug = 2;
- } else if (strcmp(*argv, "-hack") == 0) {
- hack = 1;
} else if (strcmp(*argv, "-state") == 0) {
state = 1;
} else if (strcmp(*argv, "-crlf") == 0) {
@@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx, 1);
- if (hack)
- SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx, exc);
@@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx2, 1);
- if (hack)
- SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx2, exc);
@@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
}
for (;;) {
- if (hack) {
- i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
- while (i <= 0
- && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
- srp_callback_parm.login);
- srp_callback_parm.user =
- SRP_VBASE_get_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- i = SSL_accept(con);
- }
-#endif
- switch (SSL_get_error(con, i)) {
- case SSL_ERROR_NONE:
- break;
- case SSL_ERROR_WANT_WRITE:
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_X509_LOOKUP:
- continue;
- case SSL_ERROR_SYSCALL:
- case SSL_ERROR_SSL:
- case SSL_ERROR_ZERO_RETURN:
- ret = 1;
- goto err;
- /* break; */
- }
-
- SSL_renegotiate(con);
- SSL_write(con, NULL, 0);
- }
-
i = BIO_gets(io, buf, bufsize - 1);
if (i < 0) { /* error */
if (!BIO_should_retry(io)) {
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index a442452..b2c2907 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -73,7 +73,6 @@ B<openssl> B<s_server>
[B<-no_ecdhe>]
[B<-bugs>]
[B<-brief>]
-[B<-hack>]
[B<-www>]
[B<-WWW>]
[B<-HTTP>]
@@ -294,11 +293,6 @@ option enables various workarounds.
only provide a brief summary of connection parameters instead of the
normal verbose output.
-=item B<-hack>
-
-this option enables a further workaround for some some early Netscape
-SSL code (?).
-
=item B<-cipher cipherlist>
this allows the cipher list used by the server to be modified. When
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index dc3d4f1..1078f09 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses.
...
-=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-
-...
=item SSL_OP_NO_SSLv2
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 8819fed..6adf4dc 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -148,7 +148,6 @@
* OTHERWISE.
*/
-#define REUSE_CIPHER_BUG
#define NETSCAPE_HANG_BUG
#include <stdio.h>
@@ -1384,29 +1383,7 @@ int ssl3_get_client_hello(SSL *s)
s->tlsext_ticket_expected = 0;
} else {
/* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *nc = NULL;
- SSL_CIPHER *ec = NULL;
-
- if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
- sk = s->session->ciphers;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
- c = sk_SSL_CIPHER_value(sk, i);
- if (c->algorithm_enc & SSL_eNULL)
- nc = c;
- if (SSL_C_IS_EXPORT(c))
- ec = c;
- }
- if (nc != NULL)
- s->s3->tmp.new_cipher = nc;
- else if (ec != NULL)
- s->s3->tmp.new_cipher = ec;
- else
- s->s3->tmp.new_cipher = s->session->cipher;
- } else
-#endif
- s->s3->tmp.new_cipher = s->session->cipher;
+ s->s3->tmp.new_cipher = s->session->cipher;
}
if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 13fb053..160d37c 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
-# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0L
/*
* Make server add server-hello extension from early version of cryptopro
* draft, when GOST ciphersuite is negotiated. Required for interoperability
More information about the openssl-commits
mailing list