Skip to content

Commit

Permalink
Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed
Browse files Browse the repository at this point in the history 
the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
  • Loading branch information
@mattcaswell
mattcaswell committed Feb 26, 2015
1 parent f781249 commit 7a4dadc
Show file tree
Hide file tree
Showing 5 changed files with 3 additions and 81 deletions.
47 changes: 0 additions & 47 deletions apps/s_server.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,6 @@ static int s_brief = 0;
static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;

static int hack = 0;
#ifndef OPENSSL_NO_ENGINE
static char *engine_id = NULL;
#endif
Expand Down Expand Up @@ -423,7 +422,6 @@ static void s_server_init(void)
s_msg = 0;
s_quiet = 0;
s_brief = 0;
hack = 0;
# ifndef OPENSSL_NO_ENGINE
engine_id = NULL;
# endif
Expand Down Expand Up @@ -553,8 +551,6 @@ static void sv_usage(void)
BIO_printf(bio_err,
"-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
BIO_printf(bio_err,
" -hack - workaround for early Netscape code\n");
BIO_printf(bio_err,
" -www - Respond to a 'GET /' with a status page\n");
BIO_printf(bio_err,
Expand Down Expand Up @@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[])
sdebug = 1;
} else if (strcmp(*argv, "-security_debug_verbose") == 0) {
sdebug = 2;
} else if (strcmp(*argv, "-hack") == 0) {
hack = 1;
} else if (strcmp(*argv, "-state") == 0) {
state = 1;
} else if (strcmp(*argv, "-crlf") == 0) {
Expand Down Expand Up @@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx, 1);
if (hack)
SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx, exc);

Expand Down Expand Up @@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx2, 1);
if (hack)
SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx2, exc);

Expand Down Expand Up @@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
}

for (;;) {
if (hack) {
i = SSL_accept(con);
#ifndef OPENSSL_NO_SRP
while (i <= 0
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
srp_callback_parm.login);
srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb,
srp_callback_parm.login);
if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info);
else
BIO_printf(bio_s_out, "LOOKUP not successful\n");
i = SSL_accept(con);
}
#endif
switch (SSL_get_error(con, i)) {
case SSL_ERROR_NONE:
break;
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_X509_LOOKUP:
continue;
case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL:
case SSL_ERROR_ZERO_RETURN:
ret = 1;
goto err;
/* break; */
}

SSL_renegotiate(con);
SSL_write(con, NULL, 0);
}

i = BIO_gets(io, buf, bufsize - 1);
if (i < 0) { /* error */
if (!BIO_should_retry(io)) {
Expand Down
6 changes: 0 additions & 6 deletions doc/apps/s_server.pod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,6 @@ B<openssl> B<s_server>
[B<-no_ecdhe>]
[B<-bugs>]
[B<-brief>]
[B<-hack>]
[B<-www>]
[B<-WWW>]
[B<-HTTP>]
Expand Down Expand Up @@ -294,11 +293,6 @@ option enables various workarounds.
only provide a brief summary of connection parameters instead of the
normal verbose output.

=item B<-hack>

this option enables a further workaround for some some early Netscape
SSL code (?).

=item B<-cipher cipherlist>

this allows the cipher list used by the server to be modified. When
Expand Down
3 changes: 0 additions & 3 deletions doc/ssl/SSL_CTX_set_options.pod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses.
...


=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

...

=item SSL_OP_NO_SSLv2

Expand Down
25 changes: 1 addition & 24 deletions ssl/s3_srvr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,6 @@
* OTHERWISE.
*/

#define REUSE_CIPHER_BUG
#define NETSCAPE_HANG_BUG

#include <stdio.h>
Expand Down Expand Up @@ -1384,29 +1383,7 @@ int ssl3_get_client_hello(SSL *s)
s->tlsext_ticket_expected = 0;
} else {
/* Session-id reuse */
#ifdef REUSE_CIPHER_BUG
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *nc = NULL;
SSL_CIPHER *ec = NULL;

if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
sk = s->session->ciphers;
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
c = sk_SSL_CIPHER_value(sk, i);
if (c->algorithm_enc & SSL_eNULL)
nc = c;
if (SSL_C_IS_EXPORT(c))
ec = c;
}
if (nc != NULL)
s->s3->tmp.new_cipher = nc;
else if (ec != NULL)
s->s3->tmp.new_cipher = ec;
else
s->s3->tmp.new_cipher = s->session->cipher;
} else
#endif
s->s3->tmp.new_cipher = s->session->cipher;
s->s3->tmp.new_cipher = s->session->cipher;
}

if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
Expand Down
3 changes: 2 additions & 1 deletion ssl/ssl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,

/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0L
/*
* Make server add server-hello extension from early version of cryptopro
* draft, when GOST ciphersuite is negotiated. Required for interoperability
Expand Down

0 comments on commit 7a4dadc

Please sign in to comment.