Clean up SSL_OP_* a bit (80a2fc41) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

include/openssl/ssl.h

+58 −42

Original line number	Diff line number	Diff line
		@@ -313,42 +313,18 @@ typedef int (SSL_verify_cb)(int preverify_ok, X509_STORE_CTX x509_ctx);

		/* Allow initial connection to servers that don't support RI */
		# define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U
		/* Removed from OpenSSL 0.9.8q and 1.0.0c */
		/* Dead forever, see CVE-2010-4180. */
		# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0U
		# define SSL_OP_TLSEXT_PADDING 0x00000010U
		# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0U
		# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
		/* Ancient SSLeay version, retained for compatibility */
		# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
		# define SSL_OP_TLS_D5_BUG 0x0U
		/* Removed from OpenSSL 1.1.0 */
		# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0U

		/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
		# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
		/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
		# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
		/* Related to removed SSLv2 */
		# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
		# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0

		/*
		* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
		* OpenSSL 0.9.6d. Usually (depending on the application protocol) the
		* workaround is not needed. Unfortunately some broken SSL/TLS
		* implementations cannot handle it at all, which is why we include it in
		* SSL_OP_ALL.
		* SSL_OP_ALL. Added in 0.9.6e
		*/
		/* added in 0.9.6e */
		# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800U

		/*
		* SSL_OP_ALL: various bug workarounds that should be rather harmless. This
		* used to be 0x000FFFFFL before 0.9.7.
		*/
		# define SSL_OP_ALL 0x80000BFFU

		/* DTLS options */
		# define SSL_OP_NO_QUERY_MTU 0x00001000U
		/* Turn on Cookie Exchange (on relevant for servers) */
		@@ -369,12 +345,6 @@ typedef int (SSL_verify_cb)(int preverify_ok, X509_STORE_CTX x509_ctx);
		# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000U
		/* Disable encrypt-then-mac */
		# define SSL_OP_NO_ENCRYPT_THEN_MAC 0x00080000U
		/* Does nothing: retained for compatibility */
		# define SSL_OP_SINGLE_ECDH_USE 0x0
		/* Does nothing: retained for compatibility */
		# define SSL_OP_SINGLE_DH_USE 0x0
		/* Does nothing: retained for compatibility */
		# define SSL_OP_EPHEMERAL_RSA 0x0
		/*
		* Set on servers to choose the cipher according to the server's preferences
		*/
		@@ -387,7 +357,6 @@ typedef int (SSL_verify_cb)(int preverify_ok, X509_STORE_CTX x509_ctx);
		*/
		# define SSL_OP_TLS_ROLLBACK_BUG 0x00800000U

		# define SSL_OP_NO_SSLv2 0x00000000U
		# define SSL_OP_NO_SSLv3 0x02000000U
		# define SSL_OP_NO_TLSv1 0x04000000U
		# define SSL_OP_NO_TLSv1_2 0x08000000U
		@@ -401,12 +370,6 @@ typedef int (SSL_verify_cb)(int preverify_ok, X509_STORE_CTX x509_ctx);
		SSL_OP_NO_TLSv1\|SSL_OP_NO_TLSv1_1\|SSL_OP_NO_TLSv1_2\|SSL_OP_NO_TLSv1_3)
		# define SSL_OP_NO_DTLS_MASK (SSL_OP_NO_DTLSv1\|SSL_OP_NO_DTLSv1_2)


		/* Removed from previous versions */
		# define SSL_OP_PKCS1_CHECK_1 0x0
		# define SSL_OP_PKCS1_CHECK_2 0x0
		# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
		# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0U
		/*
		* Make server add server-hello extension from early version of cryptopro
		* draft, when GOST ciphersuite is negotiated. Required for interoperability
		@@ -414,6 +377,59 @@ typedef int (SSL_verify_cb)(int preverify_ok, X509_STORE_CTX x509_ctx);
		*/
		# define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000U

		/*
		* SSL_OP_ALL: various bug workarounds that should be rather harmless.
		* This used to be 0x000FFFFFL before 0.9.7.
		* This used to be 0x80000BFFU before 1.1.1.
		*/
		# define SSL_OP_ALL (SSL_OP_CRYPTOPRO_TLSEXT_BUG\|\
		SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\|\
		SSL_OP_LEGACY_SERVER_CONNECT\|\
		SSL_OP_TLSEXT_PADDING\|\
		SSL_OP_SAFARI_ECDHE_ECDSA_BUG)

		/* OBSOLETE OPTIONS: retained for compatibility */

		/* Removed from OpenSSL 1.1.0. Was 0x00000001L */
		/* Related to removed SSLv2. */
		# define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00000002L */
		/* Related to removed SSLv2. */
		# define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x0
		/* Removed from OpenSSL 0.9.8q and 1.0.0c. Was 0x00000008L */
		/* Dead forever, see CVE-2010-4180 */
		# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
		/* Removed from OpenSSL 1.0.1h and 1.0.2. Was 0x00000010L */
		/* Refers to ancient SSLREF and SSLv2. */
		# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00000020 */
		# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0
		/* Removed from OpenSSL 0.9.7h and 0.9.8b. Was 0x00000040L */
		# define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00000080 */
		/* Ancient SSLeay version. */
		# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00000100L */
		# define SSL_OP_TLS_D5_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00000200L */
		# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
		# define SSL_OP_SINGLE_ECDH_USE 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x00100000L */
		# define SSL_OP_SINGLE_DH_USE 0x0
		/* Removed from OpenSSL 1.0.1k and 1.0.2. Was 0x00200000L */
		# define SSL_OP_EPHEMERAL_RSA 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x01000000L */
		# define SSL_OP_NO_SSLv2 0x0
		/* Removed from OpenSSL 1.0.1. Was 0x08000000L */
		# define SSL_OP_PKCS1_CHECK_1 0x0
		/* Removed from OpenSSL 1.0.1. Was 0x10000000L */
		# define SSL_OP_PKCS1_CHECK_2 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x20000000L */
		# define SSL_OP_NETSCAPE_CA_DN_BUG 0x0
		/* Removed from OpenSSL 1.1.0. Was 0x40000000L */
		# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0

		/*
		* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
		* when just a single record has been written):