Loading ssl/s23_srvr.c +0 −66 Original line number Diff line number Diff line Loading @@ -270,72 +270,6 @@ int ssl23_get_client_hello(SSL *s) else if (!(s->options & SSL_OP_NO_SSLv2)) type=1; if (s->options & SSL_OP_NON_EXPORT_FIRST) /* Not only utterly confusing, but broken * ('fractured programming'?) -- the details * of this block nearly make it work * as intended in this environment, but on one * of the fine points (w.r.t. restarts) it fails. * The obvious fix would be even more devastating * to program structure; if you want the functionality, * throw this away and implement it in a way * that makes sense */ { #if 0 STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int ne2,ne3; j=((p[0]&0x7f)<<8)|p[1]; if (j > (1024*4)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); goto err; } n=ssl23_read_bytes(s,j+2); if (n <= 0) return(n); p=s->packet; if ((buf=OPENSSL_malloc(n)) == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); goto err; } memcpy(buf,p,n); p+=5; n2s(p,csl); p+=4; sk=ssl_bytes_to_cipher_list( s,p,csl,NULL); if (sk != NULL) { ne2=ne3=0; for (j=0; j<sk_SSL_CIPHER_num(sk); j++) { c=sk_SSL_CIPHER_value(sk,j); if (!SSL_C_IS_EXPORT(c)) { if ((c->id>>24L) == 2L) ne2=1; else ne3=1; } } if (ne2 && !ne3) { type=1; use_sslv2_strong=1; goto next_bit; } } #else SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION); goto err; #endif } } } else if ((p[0] == SSL3_RT_HANDSHAKE) && Loading ssl/ssl.h +1 −3 Original line number Diff line number Diff line Loading @@ -347,9 +347,7 @@ typedef struct ssl_session_st #define SSL_OP_PKCS1_CHECK_1 0x08000000L #define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L /* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L #define SSL_OP_ALL 0x000FFFFFL #define SSL_OP_NO_SSLv2 0x01000000L Loading Loading
ssl/s23_srvr.c +0 −66 Original line number Diff line number Diff line Loading @@ -270,72 +270,6 @@ int ssl23_get_client_hello(SSL *s) else if (!(s->options & SSL_OP_NO_SSLv2)) type=1; if (s->options & SSL_OP_NON_EXPORT_FIRST) /* Not only utterly confusing, but broken * ('fractured programming'?) -- the details * of this block nearly make it work * as intended in this environment, but on one * of the fine points (w.r.t. restarts) it fails. * The obvious fix would be even more devastating * to program structure; if you want the functionality, * throw this away and implement it in a way * that makes sense */ { #if 0 STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int ne2,ne3; j=((p[0]&0x7f)<<8)|p[1]; if (j > (1024*4)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); goto err; } n=ssl23_read_bytes(s,j+2); if (n <= 0) return(n); p=s->packet; if ((buf=OPENSSL_malloc(n)) == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); goto err; } memcpy(buf,p,n); p+=5; n2s(p,csl); p+=4; sk=ssl_bytes_to_cipher_list( s,p,csl,NULL); if (sk != NULL) { ne2=ne3=0; for (j=0; j<sk_SSL_CIPHER_num(sk); j++) { c=sk_SSL_CIPHER_value(sk,j); if (!SSL_C_IS_EXPORT(c)) { if ((c->id>>24L) == 2L) ne2=1; else ne3=1; } } if (ne2 && !ne3) { type=1; use_sslv2_strong=1; goto next_bit; } } #else SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION); goto err; #endif } } } else if ((p[0] == SSL3_RT_HANDSHAKE) && Loading
ssl/ssl.h +1 −3 Original line number Diff line number Diff line Loading @@ -347,9 +347,7 @@ typedef struct ssl_session_st #define SSL_OP_PKCS1_CHECK_1 0x08000000L #define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L /* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L #define SSL_OP_ALL 0x000FFFFFL #define SSL_OP_NO_SSLv2 0x01000000L Loading
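Review bot: In ssl/ssl.h, `SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG` appears to move from `0x80000000L` onto `0x40000000L`, the bit that `SSL_OP_NON_EXPORT_FIRST` held until this commit, so the same mask value means different things depending on which header a caller was built against. A binary compiled against the old header that passed `SSL_OP_NON_EXPORT_FIRST` would now switch on a Netscape bug workaround it never asked for, and one that passed the old `0x80000000L` would silently enable nothing. Neither bit is covered by `SSL_OP_ALL` (`0x000FFFFFL`), so only callers naming these options explicitly are affected. If the renumbering is deliberate (presumably to keep the constant within a signed 32-bit `long`), record it next to the define, e.g. `/* 0x40000000L was SSL_OP_NON_EXPORT_FIRST until its removal; binaries built against older headers may still pass it */`. Otherwise leave `0x40000000L` unassigned and keep the old value for the Netscape option.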