Commit 63eab8a6 authored by Dr. Stephen Henson

Remove MS SGC



MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>
parent 4f605ccb
+1 −1
@@ -108,7 +108,7 @@ SSL BIOs are exceptional in that if the underlying transport
is non blocking they can still request a retry in exceptional
circumstances. Specifically this will happen if a session
renegotiation takes place during a BIO_read() operation, one
case where this happens is when SGC or step up occurs.
case where this happens is when step up occurs.

In OpenSSL 0.9.6 and later the SSL flag SSL_AUTO_RETRY can be
set to disable this behaviour. That is when this flag is set
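
Review bot: The reworded sentence in the retry paragraph keeps "step up" as its only example of a renegotiation during BIO_read(), but the visible text never defines the term, and with SGC no longer mentioned a reader has nothing to relate it to. Either say what step up is or replace it with a generic example such as "when the peer requests a renegotiation". The sentence is also a comma splice ("..., one case where this happens is ..."); splitting it in two would read better.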
+1 −4
@@ -21,10 +21,7 @@ B<ssl> by setting an underlying B<BIO>.
The behaviour of SSL_accept() depends on the underlying BIO. 

If the underlying BIO is B<blocking>, SSL_accept() will only return once the
handshake has been finished or an error occurred, except for SGC (Server
Gated Cryptography). For SGC, SSL_accept() may return with -1, but
SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and SSL_accept()
should be called again.
handshake has been finished or an error occurred.

If the underlying BIO is B<non-blocking>, SSL_accept() will also return
when the underlying BIO could not satisfy the needs of SSL_accept()
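
Review bot: Dropping the SGC exception from the blocking-BIO paragraph changes documented behaviour without recording it. Applications written against the old text may still loop on SSL_ERROR_WANT_READ/WRITE after a -1 return from SSL_accept() on a blocking BIO. A short note on this page saying the exception no longer applies would tell callers that this retry loop is no longer needed for blocking BIOs. The same applies to the matching paragraph for SSL_do_handshake().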
+1 −4
@@ -23,10 +23,7 @@ L<SSL_set_accept_state(3)|SSL_set_accept_state(3)>.
The behaviour of SSL_do_handshake() depends on the underlying BIO.

If the underlying BIO is B<blocking>, SSL_do_handshake() will only return
once the handshake has been finished or an error occurred, except for SGC
(Server Gated Cryptography). For SGC, SSL_do_handshake() may return with -1,
but SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and
SSL_do_handshake() should be called again.
once the handshake has been finished or an error occurred.

If the underlying BIO is B<non-blocking>, SSL_do_handshake() will also return
when the underlying BIO could not satisfy the needs of SSL_do_handshake()
+5 −16
@@ -610,16 +610,6 @@ int dtls1_accept(SSL *s)

		case SSL3_ST_SR_CERT_A:
		case SSL3_ST_SR_CERT_B:
			/* Check for second client hello (MS SGC) */
			ret = ssl3_check_client_hello(s);
			if (ret <= 0)
				goto end;
			if (ret == 2)
				{
				dtls1_stop_timer(s);
				s->state = SSL3_ST_SR_CLNT_HELLO_C;
				}
			else {
			if (s->s3->tmp.cert_request)
				{
				ret=ssl3_get_client_certificate(s);
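
Review bot: With the ssl3_check_client_hello() call gone from SSL3_ST_SR_CERT_A/B, dtls1_accept() has no path from this state back to SSL3_ST_SR_CLNT_HELLO_C, so a second ClientHello received here must now fail the handshake instead of being parsed as a certificate or key exchange message. Please confirm that ssl3_get_client_certificate() and the reader used for SSL3_ST_SR_KEY_EXCH_A reject it as an unexpected message, and that ssl3_check_client_hello() is deleted if it has no remaining callers. The removed branch was also the place that called dtls1_stop_timer(s) for this case, so check that no retransmit timer is left running on the new error path.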
@@ -627,7 +617,6 @@ int dtls1_accept(SSL *s)
				}
			s->init_num=0;
			s->state=SSL3_ST_SR_KEY_EXCH_A;
			}
			break;

		case SSL3_ST_SR_KEY_EXCH_A:
+0 −11
@@ -412,17 +412,6 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
			goto f_err;
			}
		if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
					(st1 == SSL3_ST_SR_CERT_A) &&
					(stn == SSL3_ST_SR_CERT_B))
			{
			/* At this point we have got an MS SGC second client
			 * hello (maybe we should always allow the client to
			 * start a new handshake?). We need to restart the mac.
			 * Don't increment {num,total}_renegotiations because
			 * we have not completed the handshake. */
			ssl3_init_finished_mac(s);
			}

		s->s3->tmp.message_type= *(p++);
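
Review bot: After this removal, ssl3_get_message() called with mt < 0 for SSL3_ST_SR_CERT_A/B hands a ClientHello back to its caller like any other message type, so rejecting it becomes the caller's job. Please confirm the caller fails that case with SSL_R_UNEXPECTED_MESSAGE, as the check just above does for a mismatched type, and add a regression test that sends a second ClientHello while the server is in SSL3_ST_SR_CERT_A. Because ssl3_init_finished_mac(s) is no longer called on this path, the test should also assert that the handshake is aborted rather than continued with the extra message in the Finished hash.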
