Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed

the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>

diff --git a/apps/s_server.c b/apps/s_server.c
index 4311d6d6fba98e83c3ceaad33b75622560b441bb..1792a3c1b12bb15af13ece7999af0667854ae9d5 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -266,7 +266,6 @@ static int s_brief = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 

-static int hack = 0;

 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
 #endif
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
 #endif


@@ -423,7 +422,6 @@ static void s_server_init(void)
     s_msg = 0;
     s_quiet = 0;
     s_brief = 0;
     s_msg = 0;
     s_quiet = 0;
     s_brief = 0;

-    hack = 0;

 # ifndef OPENSSL_NO_ENGINE
     engine_id = NULL;
 # endif
 # ifndef OPENSSL_NO_ENGINE
     engine_id = NULL;
 # endif


@@ -553,8 +551,6 @@ static void sv_usage(void)
     BIO_printf(bio_err,
                "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
     BIO_printf(bio_err, " -bugs         - Turn on SSL bug compatibility\n");
     BIO_printf(bio_err,
                "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
     BIO_printf(bio_err, " -bugs         - Turn on SSL bug compatibility\n");

-    BIO_printf(bio_err,
-               " -hack         - workaround for early Netscape code\n");

     BIO_printf(bio_err,
                " -www          - Respond to a 'GET /' with a status page\n");
     BIO_printf(bio_err,
     BIO_printf(bio_err,
                " -www          - Respond to a 'GET /' with a status page\n");
     BIO_printf(bio_err,


@@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[])
             sdebug = 1;
         } else if (strcmp(*argv, "-security_debug_verbose") == 0) {
             sdebug = 2;
             sdebug = 1;
         } else if (strcmp(*argv, "-security_debug_verbose") == 0) {
             sdebug = 2;

-        } else if (strcmp(*argv, "-hack") == 0) {
-            hack = 1;

         } else if (strcmp(*argv, "-state") == 0) {
             state = 1;
         } else if (strcmp(*argv, "-crlf") == 0) {
         } else if (strcmp(*argv, "-state") == 0) {
             state = 1;
         } else if (strcmp(*argv, "-crlf") == 0) {


@@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[])
         BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
     }
     SSL_CTX_set_quiet_shutdown(ctx, 1);
         BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
     }
     SSL_CTX_set_quiet_shutdown(ctx, 1);

-    if (hack)
-        SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);

     if (exc)
         ssl_ctx_set_excert(ctx, exc);
 
     if (exc)
         ssl_ctx_set_excert(ctx, exc);
 


@@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[])
             BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
         }
         SSL_CTX_set_quiet_shutdown(ctx2, 1);
             BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
         }
         SSL_CTX_set_quiet_shutdown(ctx2, 1);

-        if (hack)
-            SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);

         if (exc)
             ssl_ctx_set_excert(ctx2, exc);
 
         if (exc)
             ssl_ctx_set_excert(ctx2, exc);
 


@@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
     }
 
     for (;;) {
     }
 
     for (;;) {

-        if (hack) {
-            i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
-            while (i <= 0
-                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
-                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
-                           srp_callback_parm.login);
-                srp_callback_parm.user =
-                    SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                          srp_callback_parm.login);
-                if (srp_callback_parm.user)
-                    BIO_printf(bio_s_out, "LOOKUP done %s\n",
-                               srp_callback_parm.user->info);
-                else
-                    BIO_printf(bio_s_out, "LOOKUP not successful\n");
-                i = SSL_accept(con);
-            }
-#endif
-            switch (SSL_get_error(con, i)) {
-            case SSL_ERROR_NONE:
-                break;
-            case SSL_ERROR_WANT_WRITE:
-            case SSL_ERROR_WANT_READ:
-            case SSL_ERROR_WANT_X509_LOOKUP:
-                continue;
-            case SSL_ERROR_SYSCALL:
-            case SSL_ERROR_SSL:
-            case SSL_ERROR_ZERO_RETURN:
-                ret = 1;
-                goto err;
-                /* break; */
-            }
-
-            SSL_renegotiate(con);
-            SSL_write(con, NULL, 0);
-        }
-

         i = BIO_gets(io, buf, bufsize - 1);
         if (i < 0) {            /* error */
             if (!BIO_should_retry(io)) {
         i = BIO_gets(io, buf, bufsize - 1);
         if (i < 0) {            /* error */
             if (!BIO_should_retry(io)) {

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index a4424521b863d71cc10d2e2d9f13debfbc2629d1..b2c2907c35e493debf39bdac3a3b325eacc766a1 100644 (file)
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -73,7 +73,6 @@ B<openssl> B<s_server>
 [B<-no_ecdhe>]
 [B<-bugs>]
 [B<-brief>]
 [B<-no_ecdhe>]
 [B<-bugs>]
 [B<-brief>]

-[B<-hack>]

 [B<-www>]
 [B<-WWW>]
 [B<-HTTP>]
 [B<-www>]
 [B<-WWW>]
 [B<-HTTP>]


@@ -294,11 +293,6 @@ option enables various workarounds.
 only provide a brief summary of connection parameters instead of the
 normal verbose output.
 
 only provide a brief summary of connection parameters instead of the
 normal verbose output.
 

-=item B<-hack>
-
-this option enables a further workaround for some some early Netscape
-SSL code (?).
-

 =item B<-cipher cipherlist>
 
 this allows the cipher list used by the server to be modified.  When
 =item B<-cipher cipherlist>
 
 this allows the cipher list used by the server to be modified.  When

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index dc3d4f188ac7ad046a15f87b5f777944547ae32c..1078f0983722f0b30e2cd8002789a0b973688b09 100644 (file)
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses.
 ...
 
 
 ...
 
 

-=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-
-...

 
 =item SSL_OP_NO_SSLv2
 
 
 =item SSL_OP_NO_SSLv2
 

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 8819fed7773c0af0cb0da600597e0806e37eeb8d..6adf4dc2a0216d6e5d2f9dc79807e11dd80494b1 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -148,7 +148,6 @@
  * OTHERWISE.
  */
 
  * OTHERWISE.
  */
 

-#define REUSE_CIPHER_BUG

 #define NETSCAPE_HANG_BUG
 
 #include <stdio.h>
 #define NETSCAPE_HANG_BUG
 
 #include <stdio.h>


@@ -1384,29 +1383,7 @@ int ssl3_get_client_hello(SSL *s)
             s->tlsext_ticket_expected = 0;
     } else {
         /* Session-id reuse */
             s->tlsext_ticket_expected = 0;
     } else {
         /* Session-id reuse */

-#ifdef REUSE_CIPHER_BUG
-        STACK_OF(SSL_CIPHER) *sk;
-        SSL_CIPHER *nc = NULL;
-        SSL_CIPHER *ec = NULL;
-
-        if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-            sk = s->session->ciphers;
-            for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-                c = sk_SSL_CIPHER_value(sk, i);
-                if (c->algorithm_enc & SSL_eNULL)
-                    nc = c;
-                if (SSL_C_IS_EXPORT(c))
-                    ec = c;
-            }
-            if (nc != NULL)
-                s->s3->tmp.new_cipher = nc;
-            else if (ec != NULL)
-                s->s3->tmp.new_cipher = ec;
-            else
-                s->s3->tmp.new_cipher = s->session->cipher;
-        } else
-#endif
-            s->s3->tmp.new_cipher = s->session->cipher;
+        s->s3->tmp.new_cipher = s->session->cipher;

     }
 
     if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
     }
 
     if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 13fb053ffc21e53bd0a0ca9826435cbc67cfa961..160d37c437c8301bd2ab04af5de8da152f03192f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
 
 /* Removed as of OpenSSL 1.1.0 */
 # define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
 
 /* Removed as of OpenSSL 1.1.0 */
 # define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0

-# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
+/* Removed as of OpenSSL 1.1.0 */
+# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0L

 /*
  * Make server add server-hello extension from early version of cryptopro
  * draft, when GOST ciphersuite is negotiated. Required for interoperability
 /*
  * Make server add server-hello extension from early version of cryptopro
  * draft, when GOST ciphersuite is negotiated. Required for interoperability