Neuter the SSL_set_debug(3) API

The TLSv1.3 stack didn't support this in the first place, and in the legacy
stack it only added some dubious BIO_flush(3) calls. The sleep call between
SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has
been a sleep call in the s_server since time immemorial, nota bene between
calls to BIO_gets(3). Anyway. This can all go and what remains will go with
the next major bump.

ok jsing

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 76ed10f..52f5de3 100644 (file)
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.162 2023/11/19 15:50:29 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.163 2023/12/29 12:24:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -631,11 +631,6 @@ ssl3_connect(SSL *s)
 
                /* did we do anything */
                if (!s->s3->hs.tls12.reuse_message && !skip) {
-                       if (s->debug) {
-                               if ((ret = BIO_flush(s->wbio)) <= 0)
-                                       goto end;
-                       }
-
                        if (s->s3->hs.state != state) {
                                new_state = s->s3->hs.state;
                                s->s3->hs.state = state;

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index ce14ce7..c97441c 100644 (file)
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.317 2023/11/29 13:39:34 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.318 2023/12/29 12:24:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2933,8 +2933,6 @@ SSL_dup(SSL *s)
 
        SSL_set_info_callback(ret, SSL_get_info_callback(s));
 
-       ret->debug = s->debug;
-
        /* copy app data, a little dangerous perhaps */
        if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL,
            &ret->ex_data, &s->ex_data))
@@ -3488,7 +3486,7 @@ LSSL_ALIAS(SSL_set_msg_callback);
 void
 SSL_set_debug(SSL *s, int debug)
 {
-       s->debug = debug;
+       SSLerror(s, ERR_R_DISABLED);
 }
 LSSL_ALIAS(SSL_set_debug);
 

diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index a2c2588..bd6275f 100644 (file)
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.11 2023/11/29 13:39:34 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.12 2023/12/29 12:24:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1074,9 +1074,6 @@ struct ssl_st {
        /* for server side, keep the list of CA_dn we can use */
        STACK_OF(X509_NAME) *client_CA;
 
-       /* set this flag to 1 and a sleep(1) is put into all SSL_read()
-        * and SSL_write() calls, good for nbio debugging :-) */
-       int debug;
        long max_cert_list;
        int first_packet;
 

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index a571549..f26fde5 100644 (file)
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.157 2023/11/18 10:51:09 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.158 2023/12/29 12:24:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -740,12 +740,6 @@ ssl3_accept(SSL *s)
                }
 
                if (!s->s3->hs.tls12.reuse_message && !skip) {
-                       if (s->debug) {
-                               if ((ret = BIO_flush(s->wbio)) <= 0)
-                                       goto end;
-                       }
-
-
                        if (s->s3->hs.state != state) {
                                new_state = s->s3->hs.state;
                                s->s3->hs.state = state;