diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-13 16:25:20 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2017-08-13 16:25:20 +0000 |
| commit | 23c6d669af8b1218dbcccdb6e718a10955ff0c7a (patch) | |
| tree | be5c61f541156ef23ea9b529abcfd3a252ed2d5d | |
| parent | 4819d952120301bfd514ad0e8d064a10debf07ca (diff) | |
Nuke SSL_OP_CRYPTOPRO_TLSEXT_BUG.
This was a workaround for a server that needed to talk GOST to old/broken
CryptoPro clients. This has no impact on TLS clients that are using GOST.
ok bcook@ beck@ doug@
| -rw-r--r-- | lib/libssl/ssl.h | 12 | ||||
| -rw-r--r-- | lib/libssl/t1_lib.c | 19 |
2 files changed, 4 insertions, 27 deletions
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index e816dec83cf..1a6f28911bc 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.130 2017/08/10 17:18:38 jsing Exp $ */ +/* $OpenBSD: ssl.h,v 1.131 2017/08/13 16:25:19 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -518,21 +518,15 @@ struct ssl_session_st { #define SSL_OP_NO_TLSv1_2 0x08000000L #define SSL_OP_NO_TLSv1_1 0x10000000L -/* Make server add server-hello extension from early version of - * cryptopro draft, when GOST ciphersuite is negotiated. - * Required for interoperability with CryptoPro CSP 3.x - */ -#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x80000000L - /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */ #define SSL_OP_ALL \ (SSL_OP_LEGACY_SERVER_CONNECT | \ - SSL_OP_TLSEXT_PADDING | \ - SSL_OP_CRYPTOPRO_TLSEXT_BUG) + SSL_OP_TLSEXT_PADDING) /* Obsolete flags kept for compatibility. No sane code should use them. */ #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0 #define SSL_OP_CISCO_ANYCONNECT 0x0 +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0x0 #define SSL_OP_EPHEMERAL_RSA 0x0 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x0 diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 405f08ed33b..b8b54484edb 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.131 2017/08/12 23:38:12 beck Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.132 2017/08/13 16:25:19 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -812,23 +812,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) } #endif - if (((S3I(s)->hs.new_cipher->id & 0xFFFF) == 0x80 || - (S3I(s)->hs.new_cipher->id & 0xFFFF) == 0x81) && - (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { - static const unsigned char cryptopro_ext[36] = { - 0xfd, 0xe8, /*65000*/ - 0x00, 0x20, /*32 bytes length*/ - 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, - 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 - }; - if ((size_t)(limit - ret) < sizeof(cryptopro_ext)) - return NULL; - memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext)); - ret += sizeof(cryptopro_ext); - } - if (S3I(s)->alpn_selected != NULL) { const unsigned char *selected = S3I(s)->alpn_selected; unsigned int len = S3I(s)->alpn_selected_len; |