Commit 7a4dadc3 authored by Matt Caswell's avatar Matt Caswell

Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed


the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
parent f7812493
+0 −47
@@ -266,7 +266,6 @@ static int s_brief = 0;
static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;

static int hack = 0;
#ifndef OPENSSL_NO_ENGINE
static char *engine_id = NULL;
#endif
@@ -423,7 +422,6 @@ static void s_server_init(void)
    s_msg = 0;
    s_quiet = 0;
    s_brief = 0;
    hack = 0;
# ifndef OPENSSL_NO_ENGINE
    engine_id = NULL;
# endif
@@ -553,8 +551,6 @@ static void sv_usage(void)
    BIO_printf(bio_err,
               "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
    BIO_printf(bio_err, " -bugs         - Turn on SSL bug compatibility\n");
    BIO_printf(bio_err,
               " -hack         - workaround for early Netscape code\n");
    BIO_printf(bio_err,
               " -www          - Respond to a 'GET /' with a status page\n");
    BIO_printf(bio_err,
@@ -1333,8 +1329,6 @@ int MAIN(int argc, char *argv[])
            sdebug = 1;
        } else if (strcmp(*argv, "-security_debug_verbose") == 0) {
            sdebug = 2;
        } else if (strcmp(*argv, "-hack") == 0) {
            hack = 1;
        } else if (strcmp(*argv, "-state") == 0) {
            state = 1;
        } else if (strcmp(*argv, "-crlf") == 0) {
@@ -1712,8 +1706,6 @@ int MAIN(int argc, char *argv[])
        BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
    }
    SSL_CTX_set_quiet_shutdown(ctx, 1);
    if (hack)
        SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
    if (exc)
        ssl_ctx_set_excert(ctx, exc);

@@ -1777,8 +1769,6 @@ int MAIN(int argc, char *argv[])
            BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
        }
        SSL_CTX_set_quiet_shutdown(ctx2, 1);
        if (hack)
            SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
        if (exc)
            ssl_ctx_set_excert(ctx2, exc);

@@ -2729,43 +2719,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
    }

    for (;;) {
        if (hack) {
            i = SSL_accept(con);
#ifndef OPENSSL_NO_SRP
            while (i <= 0
                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
                           srp_callback_parm.login);
                srp_callback_parm.user =
                    SRP_VBASE_get_by_user(srp_callback_parm.vb,
                                          srp_callback_parm.login);
                if (srp_callback_parm.user)
                    BIO_printf(bio_s_out, "LOOKUP done %s\n",
                               srp_callback_parm.user->info);
                else
                    BIO_printf(bio_s_out, "LOOKUP not successful\n");
                i = SSL_accept(con);
            }
#endif
            switch (SSL_get_error(con, i)) {
            case SSL_ERROR_NONE:
                break;
            case SSL_ERROR_WANT_WRITE:
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_X509_LOOKUP:
                continue;
            case SSL_ERROR_SYSCALL:
            case SSL_ERROR_SSL:
            case SSL_ERROR_ZERO_RETURN:
                ret = 1;
                goto err;
                /* break; */
            }

            SSL_renegotiate(con);
            SSL_write(con, NULL, 0);
        }

        i = BIO_gets(io, buf, bufsize - 1);
        if (i < 0) {            /* error */
            if (!BIO_should_retry(io)) {
+0 −6
@@ -73,7 +73,6 @@ B<openssl> B<s_server>
[B<-no_ecdhe>]
[B<-bugs>]
[B<-brief>]
[B<-hack>]
[B<-www>]
[B<-WWW>]
[B<-HTTP>]
@@ -294,11 +293,6 @@ option enables various workarounds.
only provide a brief summary of connection parameters instead of the
normal verbose output.

=item B<-hack>

this option enables a further workaround for some some early Netscape
SSL code (?).

=item B<-cipher cipherlist>

this allows the cipher list used by the server to be modified.  When
+0 −3
@@ -170,9 +170,6 @@ will send its list of preferences to the client and the client chooses.
...


=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

...

=item SSL_OP_NO_SSLv2

+1 −24
@@ -148,7 +148,6 @@
 * OTHERWISE.
 */

#define REUSE_CIPHER_BUG
#define NETSCAPE_HANG_BUG

#include <stdio.h>
@@ -1384,28 +1383,6 @@ int ssl3_get_client_hello(SSL *s)
            s->tlsext_ticket_expected = 0;
    } else {
        /* Session-id reuse */
#ifdef REUSE_CIPHER_BUG
        STACK_OF(SSL_CIPHER) *sk;
        SSL_CIPHER *nc = NULL;
        SSL_CIPHER *ec = NULL;

        if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
            sk = s->session->ciphers;
            for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
                c = sk_SSL_CIPHER_value(sk, i);
                if (c->algorithm_enc & SSL_eNULL)
                    nc = c;
                if (SSL_C_IS_EXPORT(c))
                    ec = c;
            }
            if (nc != NULL)
                s->s3->tmp.new_cipher = nc;
            else if (ec != NULL)
                s->s3->tmp.new_cipher = ec;
            else
                s->s3->tmp.new_cipher = s->session->cipher;
        } else
#endif
        s->s3->tmp.new_cipher = s->session->cipher;
    }

+2 −1
@@ -480,7 +480,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,

/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
/* Removed as of OpenSSL 1.1.0 */
# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0L
/*
 * Make server add server-hello extension from early version of cryptopro
 * draft, when GOST ciphersuite is negotiated. Required for interoperability
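Review bot: The option bit 0x40000000L that the new line `# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0L` frees is not marked as reserved anywhere in the hunk, so a later option could be assigned the same value, and an application built against an older header that still passes 0x40000000L to SSL_CTX_set_options() would silently turn that new option on. The neighbouring SSL_OP_NETSCAPE_CA_DN_BUG define went through the same retirement, so this is presumably the existing convention, but a one-line note on the new define would make the constraint explicit: `/* Removed as of OpenSSL 1.1.0; bit 0x40000000L is retired, do not reuse it */`. As a matter of style, the two identical "Removed as of OpenSSL 1.1.0" comments on consecutive defines could be merged into a single comment covering both.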