diff options
-rw-r--r-- | lib/libssl/d1_pkt.c | 7 | ||||
-rw-r--r-- | lib/libssl/s23_srvr.c | 5 | ||||
-rw-r--r-- | lib/libssl/s3_clnt.c | 20 | ||||
-rw-r--r-- | lib/libssl/s3_lib.c | 169 | ||||
-rw-r--r-- | lib/libssl/s3_pkt.c | 14 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 18 | ||||
-rw-r--r-- | lib/libssl/ssl_algs.c | 5 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 8 |
8 files changed, 3 insertions, 243 deletions
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index 69f3d457347..80a4c076bf3 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1220,14 +1220,7 @@ start: if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { -#if 0 /* worked only because C operator preferences are not as expected (and - * because this is not really needed for clients except for detecting - * protocol violations): */ - s->state = SSL_ST_BEFORE | - (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#endif s->renegotiate = 1; s->new_session = 1; } diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c index 8010d72fa72..c63ede8680a 100644 --- a/lib/libssl/s23_srvr.c +++ b/lib/libssl/s23_srvr.c @@ -324,12 +324,7 @@ ssl23_get_client_hello(SSL *s) * so we simply assume TLS 1.0 to avoid protocol version downgrade * attacks. */ if (p[3] == 0 && p[4] < 6) { -#if 0 - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL); - goto err; -#else v[1] = TLS1_VERSION_MINOR; -#endif } /* if major version number > 3 set minor to a value * which will use the highest version 3 we support. diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index abae12a8d16..8aef4b4f3d2 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -920,15 +920,9 @@ ssl3_get_server_hello(SSL *s) if (s->session->cipher) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { -/* Workaround is now obsolete */ -#if 0 - if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) -#endif - { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; - } + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + goto f_err; } s->s3->tmp.new_cipher = c; /* Don't digest cached records if TLS v1.2: we may need them for @@ -1763,14 +1757,6 @@ ssl3_get_certificate_request(SSL *s) /* get the CA RDNs */ n2s(p, llen); -#if 0 - { - FILE *out; - out = fopen("/tmp/vsign.der", "w"); - fwrite(p, 1, llen, out); - fclose(out); - } -#endif if ((unsigned long)(p - d + llen) != n) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 288d885d9ec..7833779f6b0 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -605,58 +605,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { 168, 168, }, - -/* Fortezza ciphersuite from SSL 3.0 spec */ -#if 0 -/* Cipher 1C */ - { - 0, - SSL3_TXT_FZA_DMS_NULL_SHA, - SSL3_CK_FZA_DMS_NULL_SHA, - SSL_kFZA, - SSL_aFZA, - SSL_eNULL, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP|SSL_STRONG_NONE, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 0, - 0, - }, - -/* Cipher 1D */ - { - 0, - SSL3_TXT_FZA_DMS_FZA_SHA, - SSL3_CK_FZA_DMS_FZA_SHA, - SSL_kFZA, - SSL_aFZA, - SSL_eFZA, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP|SSL_STRONG_NONE, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 0, - 0, - }, - -/* Cipher 1E */ - { - 0, - SSL3_TXT_FZA_DMS_RC4_SHA, - SSL3_CK_FZA_DMS_RC4_SHA, - SSL_kFZA, - SSL_aFZA, - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP|SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 128, - 128, - }, -#endif - #ifndef OPENSSL_NO_KRB5 /* The Kerberos ciphers*/ /* Cipher 1E */ @@ -1268,123 +1216,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ -#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES - /* New TLS Export CipherSuites from expired ID */ -#if 0 - /* Cipher 60 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC4, - SSL_MD5, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 128, - }, - - /* Cipher 61 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC2, - SSL_MD5, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 128, - }, -#endif - - /* Cipher 62 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_DES, - SSL_SHA1, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 56, - }, - - /* Cipher 63 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - SSL_kEDH, - SSL_aDSS, - SSL_DES, - SSL_SHA1, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 56, - }, - - /* Cipher 64 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 128, - }, - - /* Cipher 65 */ - { - 1, - TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - SSL_kEDH, - SSL_aDSS, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_EXPORT|SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 56, - 128, - }, - - /* Cipher 66 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, - TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, - SSL_kEDH, - SSL_aDSS, - SSL_RC4, - SSL_SHA1, - SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 128, - 128, - }, -#endif - /* TLS v1.2 ciphersuites */ /* Cipher 67 */ { diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c index d6c8756a1ac..e901268a341 100644 --- a/lib/libssl/s3_pkt.c +++ b/lib/libssl/s3_pkt.c @@ -313,9 +313,6 @@ again: ssl_minor= *(p++); version = (ssl_major << 8)|ssl_minor; n2s(p, rr->length); -#if 0 - fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); -#endif /* Lets check version */ if (!s->first_packet) { @@ -495,10 +492,6 @@ again: if (rr->length == 0) goto again; -#if 0 - fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length); -#endif - return (1); f_err: @@ -1214,14 +1207,7 @@ start: if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { -#if 0 /* worked only because C operator preferences are not as expected (and - * because this is not really needed for clients except for detecting - * protocol violations): */ - s->state = SSL_ST_BEFORE | - (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#endif s->renegotiate = 1; s->new_session = 1; } diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index 19e0495fe63..79b89d7e958 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1129,24 +1129,6 @@ ssl3_get_client_hello(SSL *s) break; } } -/* - * Disabled because it can be used in a ciphersuite downgrade - * attack: CVE-2010-4180. - */ -#if 0 - if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { - /* Special case as client bug workaround: the previously used cipher may - * not be in the current list, the client instead might be trying to - * continue using a cipher that before wasn't chosen due to server - * preferences. We'll have to reject the connection if the cipher is not - * enabled, though. */ - c = sk_SSL_CIPHER_value(ciphers, 0); - if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { - s->session->cipher = c; - j = 1; - } - } -#endif if (j == 0) { /* we need to have the cipher in the cipher * list if we are asked to reuse it */ diff --git a/lib/libssl/ssl_algs.c b/lib/libssl/ssl_algs.c index aaecb2da0fa..3c7006ed91b 100644 --- a/lib/libssl/ssl_algs.c +++ b/lib/libssl/ssl_algs.c @@ -118,11 +118,6 @@ SSL_library_init(void) #ifndef OPENSSL_NO_ECDSA EVP_add_digest(EVP_ecdsa()); #endif - /* If you want support for phased out ciphers, add the following */ -#if 0 - EVP_add_digest(EVP_sha()); - EVP_add_digest(EVP_dss()); -#endif #ifndef OPENSSL_NO_COMP /* This will initialise the built-in compression algorithms. The value returned is a STACK_OF(SSL_COMP), but that can diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 37fff3a38fc..dc36747833d 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -197,18 +197,10 @@ SSL_clear(SSL *s) s->hit = 0; s->shutdown = 0; -#if 0 /* Disabled since version 1.10 of this file (early return not - * needed because SSL_clear is not called when doing renegotiation) */ - /* This is set if we are doing dynamic renegotiation so keep - * the old cipher. It is sort of a SSL_clear_lite :-) */ - if (s->renegotiate) - return (1); -#else if (s->renegotiate) { SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); return 0; } -#endif s->type = 0; |