From 6e37f91580bf8e077c11c85155cef0381d8ef35c Mon Sep 17 00:00:00 2001
From: doug <>
Date: Mon, 15 Jun 2015 05:16:56 +0000
Subject: Remove ancient compat hack SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG.

This was imported into OpenSSL from SSLeay. It was recently deleted
in OpenSSL commit 7a4dadc3a6a487db92619622b820eb4f7be512c9.
---
 src/lib/libssl/doc/SSL_CTX_set_options.3         |  6 +++--
 src/lib/libssl/s3_srvr.c                         | 25 +-------------------
 src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 |  6 +++--
 src/lib/libssl/src/ssl/s3_srvr.c                 | 25 +-------------------
 src/usr.bin/openssl/s_server.c                   | 30 +-----------------------
 5 files changed, 11 insertions(+), 81 deletions(-)


diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3
index bacd3b84f0..8bb22b7cc6 100644
--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"	$OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
+.\"	$OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -197,7 +197,9 @@ non-self-signed CA which does not have its CA in netscape, and the browser has
 a cert, it will crash/hang.
 Works for 3.x and 4.xbeta
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NO_SSLv2
 As of
 .Ox 5.6 ,
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 7f6a5a0bbd..7b6af070c9 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,8 +148,6 @@
  * OTHERWISE.
  */
 
-#define REUSE_CIPHER_BUG
-
 #include <stdio.h>
 
 #include "ssl_locl.h"
@@ -1126,27 +1124,6 @@ ssl3_get_client_hello(SSL *s)
 		}
 		s->s3->tmp.new_cipher = c;
 	} else {
-		/* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-		STACK_OF(SSL_CIPHER) *sk;
-		SSL_CIPHER *nc = NULL;
-		SSL_CIPHER *ec = NULL;
-
-		if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-			sk = s->session->ciphers;
-			for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-				c = sk_SSL_CIPHER_value(sk, i);
-				if (c->algorithm_enc & SSL_eNULL)
-					nc = c;
-			}
-			if (nc != NULL)
-				s->s3->tmp.new_cipher = nc;
-			else if (ec != NULL)
-				s->s3->tmp.new_cipher = ec;
-			else
-				s->s3->tmp.new_cipher = s->session->cipher;
-		} else
-#endif
 		s->s3->tmp.new_cipher = s->session->cipher;
 	}
 
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index bacd3b84f0..8bb22b7cc6 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"	$OpenBSD: SSL_CTX_set_options.3,v 1.4 2015/06/15 03:32:59 doug Exp $
+.\"	$OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -197,7 +197,9 @@ non-self-signed CA which does not have its CA in netscape, and the browser has
 a cert, it will crash/hang.
 Works for 3.x and 4.xbeta
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NO_SSLv2
 As of
 .Ox 5.6 ,
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 7f6a5a0bbd..7b6af070c9 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.104 2015/06/15 03:32:59 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -148,8 +148,6 @@
  * OTHERWISE.
  */
 
-#define REUSE_CIPHER_BUG
-
 #include <stdio.h>
 
 #include "ssl_locl.h"
@@ -1126,27 +1124,6 @@ ssl3_get_client_hello(SSL *s)
 		}
 		s->s3->tmp.new_cipher = c;
 	} else {
-		/* Session-id reuse */
-#ifdef REUSE_CIPHER_BUG
-		STACK_OF(SSL_CIPHER) *sk;
-		SSL_CIPHER *nc = NULL;
-		SSL_CIPHER *ec = NULL;
-
-		if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
-			sk = s->session->ciphers;
-			for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-				c = sk_SSL_CIPHER_value(sk, i);
-				if (c->algorithm_enc & SSL_eNULL)
-					nc = c;
-			}
-			if (nc != NULL)
-				s->s3->tmp.new_cipher = nc;
-			else if (ec != NULL)
-				s->s3->tmp.new_cipher = ec;
-			else
-				s->s3->tmp.new_cipher = s->session->cipher;
-		} else
-#endif
 		s->s3->tmp.new_cipher = s->session->cipher;
 	}
 
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 5ef801ad95..61b70a5569 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.10 2015/04/14 12:56:36 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.11 2015/06/15 05:16:56 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,7 +226,6 @@ static int s_quiet = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
-static int hack = 0;
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
 #endif
@@ -263,7 +262,6 @@ s_server_init(void)
 	s_debug = 0;
 	s_msg = 0;
 	s_quiet = 0;
-	hack = 0;
 #ifndef OPENSSL_NO_ENGINE
 	engine_id = NULL;
 #endif
@@ -776,8 +774,6 @@ s_server_main(int argc, char *argv[])
 		}
 		else if (strcmp(*argv, "-msg") == 0) {
 			s_msg = 1;
-		} else if (strcmp(*argv, "-hack") == 0) {
-			hack = 1;
 		} else if (strcmp(*argv, "-state") == 0) {
 			state = 1;
 		} else if (strcmp(*argv, "-crlf") == 0) {
@@ -1029,8 +1025,6 @@ bad:
 	SSL_CTX_set_quiet_shutdown(ctx, 1);
 	if (bugs)
 		SSL_CTX_set_options(ctx, SSL_OP_ALL);
-	if (hack)
-		SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
 	SSL_CTX_set_options(ctx, off);
 	/*
 	 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
@@ -1088,8 +1082,6 @@ bad:
 		SSL_CTX_set_quiet_shutdown(ctx2, 1);
 		if (bugs)
 			SSL_CTX_set_options(ctx2, SSL_OP_ALL);
-		if (hack)
-			SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
 		SSL_CTX_set_options(ctx2, off);
 		/*
 		 * DTLS: partial reads end up discarding unread UDP bytes :-(
@@ -1811,26 +1803,6 @@ www_body(char *hostname, int s, unsigned char *context)
 		SSL_set_msg_callback_arg(con, bio_s_out);
 	}
 	for (;;) {
-		if (hack) {
-			i = SSL_accept(con);
-			switch (SSL_get_error(con, i)) {
-			case SSL_ERROR_NONE:
-				break;
-			case SSL_ERROR_WANT_WRITE:
-			case SSL_ERROR_WANT_READ:
-			case SSL_ERROR_WANT_X509_LOOKUP:
-				continue;
-			case SSL_ERROR_SYSCALL:
-			case SSL_ERROR_SSL:
-			case SSL_ERROR_ZERO_RETURN:
-				ret = 1;
-				goto err;
-				/* break; */
-			}
-
-			SSL_renegotiate(con);
-			SSL_write(con, NULL, 0);
-		}
 		i = BIO_gets(io, buf, bufsize - 1);
 		if (i < 0) {	/* error */
 			if (!BIO_should_retry(io)) {