diff options
| author | Doug Hogan <doug@cvs.openbsd.org> | 2015-07-18 01:42:27 +0000 |
|---|---|---|
| committer | Doug Hogan <doug@cvs.openbsd.org> | 2015-07-18 01:42:27 +0000 |
| commit | 3da37385c7b5675050f0c850943619c3bbb13d3c (patch) | |
| tree | ac07bbfd110d30f5029e0019e35bf3541f634b52 /lib | |
| parent | 89236c73e190cfc5eca18db02a6d4a697a8e52c4 (diff) | |
Remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay.
This is a 17 year old workaround from SSLeay 0.9.0b. It was for
clients that send RSA client key exchange in TLS using SSLv3 format
(no length prefix).
ok jsing@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/doc/SSL_CTX_set_options.3 | 8 | ||||
| -rw-r--r-- | lib/libssl/s3_srvr.c | 12 | ||||
| -rw-r--r-- | lib/libssl/ssl.h | 5 |
3 files changed, 11 insertions, 14 deletions
diff --git a/lib/libssl/doc/SSL_CTX_set_options.3 b/lib/libssl/doc/SSL_CTX_set_options.3 index 91a1c9ad92d..0ffa025ce20 100644 --- a/lib/libssl/doc/SSL_CTX_set_options.3 +++ b/lib/libssl/doc/SSL_CTX_set_options.3 @@ -1,7 +1,7 @@ .\" -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.8 2015/07/17 15:50:37 doug Exp $ +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.9 2015/07/18 01:42:26 doug Exp $ .\" -.Dd $Mdocdate: July 17 2015 $ +.Dd $Mdocdate: July 18 2015 $ .Dt SSL_CTX_SET_OPTIONS 3 .Os .Sh NAME @@ -124,7 +124,9 @@ As of .Ox 5.8 , this option has no effect. .It Dv SSL_OP_TLS_D5_BUG -\&... +As of +.Ox 5.8 , +this option has no effect. .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG As of .Ox 5.8 , diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index e70f8af4406..cd5bc2a6cbc 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.110 2015/07/14 05:16:47 doug Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1708,13 +1708,9 @@ ssl3_get_client_key_exchange(SSL *s) goto truncated; n2s(p, i); if (n != i + 2) { - if (!(s->options & SSL_OP_TLS_D5_BUG)) { - SSLerr( - SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); - goto err; - } else - p -= 2; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); + goto err; } else n = i; } diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 33aaadcd20e..7d3e3c8171c 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.89 2015/07/17 15:50:37 doug Exp $ */ +/* $OpenBSD: ssl.h,v 1.90 2015/07/18 01:42:26 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -520,7 +520,6 @@ struct ssl_session_st { #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L #define SSL_OP_TLSEXT_PADDING 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_TLS_D5_BUG 0x00000100L /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) @@ -574,7 +573,6 @@ struct ssl_session_st { (SSL_OP_LEGACY_SERVER_CONNECT | \ SSL_OP_TLSEXT_PADDING | \ SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | \ - SSL_OP_TLS_D5_BUG | \ SSL_OP_CRYPTOPRO_TLSEXT_BUG) /* Obsolete flags kept for compatibility. No sane code should use them. */ @@ -592,6 +590,7 @@ struct ssl_session_st { #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 +#define SSL_OP_TLS_D5_BUG 0x0 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ |