From 77374e7b4ee9ed3b5622f1e04fed56e5dbb19799 Mon Sep 17 00:00:00 2001
From: doug
Date: Mon, 15 Jun 2015 05:16:56 +0000
Subject: [PATCH] Remove ancient compat hack SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG.

This was imported into OpenSSL from SSLeay. It was recently deleted in OpenSSL commit 7a4dadc3a6a487db92619622b820eb4f7be512c9
---
 lib/libssl/doc/SSL_CTX_set_options.3 | 6 ++--
 lib/libssl/s3_srvr.c | 25 +---------------
 lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 | 6 ++--
 lib/libssl/src/ssl/s3_srvr.c | 25 +---------------
 usr.bin/openssl/s_server.c | 30 +-------------------
 5 files changed, 11 insertions(+), 81 deletions(-)

diff --git a/lib/libssl/doc/SSL_CTX_set_options.3 b/lib/libssl/doc/SSL_CTX_set_options.3
index bacd3b84f01..8bb22b7cc6d 100644
--- a/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -197,7 +197,9 @@ non-self-signed CA which does not have its CA in netscape,
 and the browser has a cert, it will crash/hang.
 Works for 3.x and 4.xbeta
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NO_SSLv2
 As of
 .Ox 5.6 ,
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 7f6a5a0bbde..7b6af070c97 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,8 +148,6 @@
  * OTHERWISE.
  */
-#define REUSE_CIPHER_BUG
-
 #include
 #include "ssl_locl.h"
@@ -1126,27 +1124,6 @@ ssl3_get_client_hello(SSL *s)
 			}
 			s->s3->tmp.new_cipher = c;
 		} else {
-			/* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-			STACK_OF(SSL_CIPHER) *sk;
-			SSL_CIPHER *nc = NULL;
-			SSL_CIPHER *ec = NULL;
-
-			if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-				sk = s->session->ciphers;
-				for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-					c = sk_SSL_CIPHER_value(sk, i);
-					if (c->algorithm_enc & SSL_eNULL)
-						nc = c;
-				}
-				if (nc != NULL)
-					s->s3->tmp.new_cipher = nc;
-				else if (ec != NULL)
-					s->s3->tmp.new_cipher = ec;
-				else
-					s->s3->tmp.new_cipher = s->session->cipher;
-			} else
-#endif
 			s->s3->tmp.new_cipher = s->session->cipher;
 		}
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index bacd3b84f01..8bb22b7cc6d 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -197,7 +197,9 @@ non-self-signed CA which does not have its CA in netscape,
 and the browser has a cert, it will crash/hang.
 Works for 3.x and 4.xbeta
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NO_SSLv2
 As of
 .Ox 5.6 ,
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 7f6a5a0bbde..7b6af070c97 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,8 +148,6 @@
  * OTHERWISE.
  */
-#define REUSE_CIPHER_BUG
-
 #include
 #include "ssl_locl.h"
@@ -1126,27 +1124,6 @@ ssl3_get_client_hello(SSL *s)
 			}
 			s->s3->tmp.new_cipher = c;
 		} else {
-			/* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-			STACK_OF(SSL_CIPHER) *sk;
-			SSL_CIPHER *nc = NULL;
-			SSL_CIPHER *ec = NULL;
-
-			if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-				sk = s->session->ciphers;
-				for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-					c = sk_SSL_CIPHER_value(sk, i);
-					if (c->algorithm_enc & SSL_eNULL)
-						nc = c;
-				}
-				if (nc != NULL)
-					s->s3->tmp.new_cipher = nc;
-				else if (ec != NULL)
-					s->s3->tmp.new_cipher = ec;
-				else
-					s->s3->tmp.new_cipher = s->session->cipher;
-			} else
-#endif
 			s->s3->tmp.new_cipher = s->session->cipher;
 		}
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index 5ef801ad950..61b70a55692 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.10 2015/04/14 12:56:36 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.11 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,7 +226,6 @@ static int s_quiet = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
-static int hack = 0;
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
 #endif
@@ -263,7 +262,6 @@ s_server_init(void)
 	s_debug = 0;
 	s_msg = 0;
 	s_quiet = 0;
-	hack = 0;
 #ifndef OPENSSL_NO_ENGINE
 	engine_id = NULL;
 #endif
@@ -776,8 +774,6 @@ s_server_main(int argc, char *argv[])
 		} else if (strcmp(*argv, "-msg") == 0) {
 			s_msg = 1;
-		} else if (strcmp(*argv, "-hack") == 0) {
-			hack = 1;
 		} else if (strcmp(*argv, "-state") == 0) {
 			state = 1;
 		} else if (strcmp(*argv, "-crlf") == 0) {
@@ -1029,8 +1025,6 @@ bad:
 	SSL_CTX_set_quiet_shutdown(ctx, 1);
 	if (bugs)
 		SSL_CTX_set_options(ctx, SSL_OP_ALL);
-	if (hack)
-		SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
 	SSL_CTX_set_options(ctx, off);
 	/*
 	 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
@@ -1088,8 +1082,6 @@ bad:
 	SSL_CTX_set_quiet_shutdown(ctx2, 1);
 	if (bugs)
 		SSL_CTX_set_options(ctx2, SSL_OP_ALL);
-	if (hack)
-		SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
 	SSL_CTX_set_options(ctx2, off);
 	/*
 	 * DTLS: partial reads end up discarding unread UDP bytes :-(
@@ -1811,26 +1803,6 @@ www_body(char *hostname, int s, unsigned char *context)
 		SSL_set_msg_callback_arg(con, bio_s_out);
 	}
 	for (;;) {
-		if (hack) {
-			i = SSL_accept(con);
-			switch (SSL_get_error(con, i)) {
-			case SSL_ERROR_NONE:
-				break;
-			case SSL_ERROR_WANT_WRITE:
-			case SSL_ERROR_WANT_READ:
-			case SSL_ERROR_WANT_X509_LOOKUP:
-				continue;
-			case SSL_ERROR_SYSCALL:
-			case SSL_ERROR_SSL:
-			case SSL_ERROR_ZERO_RETURN:
-				ret = 1;
-				goto err;
-				/* break; */
-			}
-
-			SSL_renegotiate(con);
-			SSL_write(con, NULL, 0);
-		}
 		i = BIO_gets(io, buf, bufsize - 1);
 		if (i < 0) { /* error */
 			if (!BIO_should_retry(io)) {
-- 
2.20.1