[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Rich Salz rsalz at openssl.org
Fri May 12 16:00:05 UTC 2017


The branch OpenSSL_1_1_0-stable has been updated
       via  a6c1e4b01298da42fe6bb8f65642945c208eeafb (commit)
      from  17bbc10a08b4f133d12d17f84801c5355aa1f526 (commit)


- Log -----------------------------------------------------------------
commit a6c1e4b01298da42fe6bb8f65642945c208eeafb
Author: Todd Short <tshort at akamai.com>
Date:   Wed May 10 11:44:55 2017 -0400

    Clean up SSL_OP_* a bit
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3439)
    (cherry picked from commit 80a2fc4100daf6f1001eee33ef2f9b9eee05bedf)

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/ssl.h | 100 +++++++++++++++++++++++++++++---------------------
 1 file changed, 58 insertions(+), 42 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index f7ea736..b2132f3 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -267,52 +267,28 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 
 /* Allow initial connection to servers that don't support RI */
 # define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004U
-/* Removed from OpenSSL 0.9.8q and 1.0.0c */
-/* Dead forever, see CVE-2010-4180. */
-# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0U
 # define SSL_OP_TLSEXT_PADDING                           0x00000010U
-# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0U
 # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040U
-/* Ancient SSLeay version, retained for compatibility */
-# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
-# define SSL_OP_TLS_D5_BUG                               0x0U
-/* Removed from OpenSSL 1.1.0 */
-# define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0U
-
-/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
-# define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
-/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
-# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
-/* Related to removed SSLv2 */
-# define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x0
-# define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x0
 
 /*
  * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
  * OpenSSL 0.9.6d.  Usually (depending on the application protocol) the
  * workaround is not needed.  Unfortunately some broken SSL/TLS
  * implementations cannot handle it at all, which is why we include it in
- * SSL_OP_ALL.
+ * SSL_OP_ALL. Added in 0.9.6e
  */
-/* added in 0.9.6e */
 # define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800U
 
-/*
- * SSL_OP_ALL: various bug workarounds that should be rather harmless.  This
- * used to be 0x000FFFFFL before 0.9.7.
- */
-# define SSL_OP_ALL                                      0x80000BFFU
-
 /* DTLS options */
-# define SSL_OP_NO_QUERY_MTU                 0x00001000U
+# define SSL_OP_NO_QUERY_MTU                             0x00001000U
 /* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE              0x00002000U
+# define SSL_OP_COOKIE_EXCHANGE                          0x00002000U
 /* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET                    0x00004000U
+# define SSL_OP_NO_TICKET                                0x00004000U
 # ifndef OPENSSL_NO_DTLS1_METHOD
 /* Use Cisco's "speshul" version of DTLS_BAD_VER
  * (only with deprecated DTLSv1_client_method())  */
-#  define SSL_OP_CISCO_ANYCONNECT             0x00008000U
+#  define SSL_OP_CISCO_ANYCONNECT                        0x00008000U
 # endif
 
 /* As server, disallow session resumption on renegotiation */
@@ -321,12 +297,6 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 # define SSL_OP_NO_COMPRESSION                           0x00020000U
 /* Permit unsafe legacy renegotiation */
 # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000U
-/* Does nothing: retained for compatibility */
-# define SSL_OP_SINGLE_ECDH_USE                          0x0
-/* Does nothing: retained for compatibility */
-# define SSL_OP_SINGLE_DH_USE                            0x0
-/* Does nothing: retained for compatibility */
-# define SSL_OP_EPHEMERAL_RSA                            0x0
 /*
  * Set on servers to choose the cipher according to the server's preferences
  */
@@ -339,7 +309,6 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
  */
 # define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000U
 
-# define SSL_OP_NO_SSLv2                                 0x00000000U
 # define SSL_OP_NO_SSLv3                                 0x02000000U
 # define SSL_OP_NO_TLSv1                                 0x04000000U
 # define SSL_OP_NO_TLSv1_2                               0x08000000U
@@ -352,12 +321,6 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
         SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
 # define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1|SSL_OP_NO_DTLSv1_2)
 
-
-/* Removed from previous versions */
-# define SSL_OP_PKCS1_CHECK_1                            0x0
-# define SSL_OP_PKCS1_CHECK_2                            0x0
-# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
-# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0U
 /*
  * Make server add server-hello extension from early version of cryptopro
  * draft, when GOST ciphersuite is negotiated. Required for interoperability
@@ -366,6 +329,59 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
 # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     0x80000000U
 
 /*
+ * SSL_OP_ALL: various bug workarounds that should be rather harmless.
+ * This used to be 0x000FFFFFL before 0.9.7.
+ * This used to be 0x80000BFFU before 1.1.1.
+ */
+# define SSL_OP_ALL        (SSL_OP_CRYPTOPRO_TLSEXT_BUG|\
+                            SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|\
+                            SSL_OP_LEGACY_SERVER_CONNECT|\
+                            SSL_OP_TLSEXT_PADDING|\
+                            SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+
+/* OBSOLETE OPTIONS: retained for compatibility */
+
+/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
+/* Related to removed SSLv2. */
+# define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
+/* Related to removed SSLv2. */
+# define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x0
+/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
+/* Dead forever, see CVE-2010-4180 */
+# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
+/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
+/* Refers to ancient SSLREF and SSLv2. */
+# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
+# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
+/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
+# define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
+/* Ancient SSLeay version. */
+# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
+# define SSL_OP_TLS_D5_BUG                               0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
+# define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
+# define SSL_OP_SINGLE_ECDH_USE                          0x0
+/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
+# define SSL_OP_SINGLE_DH_USE                            0x0
+/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
+# define SSL_OP_EPHEMERAL_RSA                            0x0
+/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
+# define SSL_OP_NO_SSLv2                                 0x0
+/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
+# define SSL_OP_PKCS1_CHECK_1                            0x0
+/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
+# define SSL_OP_PKCS1_CHECK_2                            0x0
+/* Removed from OpenSSL 1.1.0. Was 0x20000000L */ 
+# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
+/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
+# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0
+
+/*
  * Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written):
  */
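Review bot: The new comment `This used to be 0x80000BFFU before 1.1.1.` is misleading on this branch: the commit is being applied to OpenSSL_1_1_0-stable, so 1.1.0 releases carrying it will define SSL_OP_ALL as the OR of the five named options (0x80000854U from the values visible in this file), not 0x80000BFFU. Applications compiled against earlier 1.1.0 headers still pass the old constant, whose extra bits 0x03AB correspond exactly to the now-obsolete options listed below it, so the header should warn that those bit positions must not be reassigned on this branch, e.g. `/* Bits 0x03AB were part of SSL_OP_ALL in earlier 1.1.0 headers; do not reuse them for new options. */`. The obsolete definitions also lose the `U` suffix that the live options keep (`0x0U` became `0x0` for NETSCAPE_REUSE_CIPHER_CHANGE_BUG, MICROSOFT_BIG_SSLV3_BUFFER, TLS_D5_BUG, TLS_BLOCK_PADDING_BUG and NETSCAPE_DEMO_CIPHER_CHANGE_BUG), which changes the type of any expression an application builds from them; writing `0x0U` throughout avoids a signed/unsigned mix. The `Was 0x20000000L` comment line above SSL_OP_NETSCAPE_CA_DN_BUG also carries trailing whitespace after the closing `*/`.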

