generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove MS SGC

Browse Source 
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 63eab8a620944a990ab3985620966ccd9f48d681)
This commit is contained in:
Dr. Stephen Henson 2014-10-24 02:36:13 +01:00
parent 47606dda67
commit cf95b2d66a
7 changed files with 15 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/crypto/BIO_f_ssl.pod
View File

@ -108,7 +108,7 @@ SSL BIOs are exceptional in that if the underlying transport
is non blocking they can still request a retry in exceptional
circumstances. Specifically this will happen if a session
renegotiation takes place during a BIO_read() operation, one
case where this happens is when SGC or step up occurs.
case where this happens is when step up occurs.
In OpenSSL 0.9.6 and later the SSL flag SSL_AUTO_RETRY can be
set to disable this behaviour. That is when this flag is set

5
doc/ssl/SSL_accept.pod
View File

@ -21,10 +21,7 @@ B<ssl> by setting an underlying B<BIO>.
The behaviour of SSL_accept() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_accept() will only return once the
handshake has been finished or an error occurred, except for SGC (Server
Gated Cryptography). For SGC, SSL_accept() may return with -1, but
SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and SSL_accept()
should be called again.
handshake has been finished or an error occurred.
If the underlying BIO is B<non-blocking>, SSL_accept() will also return
when the underlying BIO could not satisfy the needs of SSL_accept()

5
doc/ssl/SSL_do_handshake.pod
View File

@ -23,10 +23,7 @@ L<SSL_set_accept_state(3)|SSL_set_accept_state(3)>.
The behaviour of SSL_do_handshake() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_do_handshake() will only return
once the handshake has been finished or an error occurred, except for SGC
(Server Gated Cryptography). For SGC, SSL_do_handshake() may return with -1,
but SSL_get_error() will yield B<SSL_ERROR_WANT_READ/WRITE> and
SSL_do_handshake() should be called again.
once the handshake has been finished or an error occurred.
If the underlying BIO is B<non-blocking>, SSL_do_handshake() will also return
when the underlying BIO could not satisfy the needs of SSL_do_handshake()

21
ssl/d1_srvr.c
View File

@ -610,24 +610,13 @@ int dtls1_accept(SSL *s)
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
/* Check for second client hello (MS SGC) */
ret = ssl3_check_client_hello(s);
if (ret <= 0)
goto end;
if (ret == 2)
if (s->s3->tmp.cert_request)
{
dtls1_stop_timer(s);
s->state = SSL3_ST_SR_CLNT_HELLO_C;
ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end;
}
else {
if (s->s3->tmp.cert_request)
{
ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end;
}
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
break;
case SSL3_ST_SR_KEY_EXCH_A:

11
ssl/s3_both.c
View File

@ -411,17 +411,6 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
(st1 == SSL3_ST_SR_CERT_A) &&
(stn == SSL3_ST_SR_CERT_B))
{
/* At this point we have got an MS SGC second client
* hello (maybe we should always allow the client to
* start a new handshake?). We need to restart the mac.
* Don't increment {num,total}_renegotiations because
* we have not completed the handshake. */
ssl3_init_finished_mac(s);
}
s->s3->tmp.message_type= *(p++);

69
ssl/s3_srvr.c
View File

@ -300,7 +300,6 @@ int ssl3_accept(SSL *s)
}
s->init_num=0;
s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
/* Should have been reset by ssl3_get_finished, too. */
@ -585,21 +584,13 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
/* Check for second client hello (MS SGC) */
ret = ssl3_check_client_hello(s);
if (ret <= 0)
goto end;
if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
if (s->s3->tmp.cert_request)
{
ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end;
}
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
if (s->s3->tmp.cert_request)
{
ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end;
}
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
break;
case SSL3_ST_SR_KEY_EXCH_A:
@ -900,52 +891,6 @@ int ssl3_send_hello_request(SSL *s)
return ssl_do_write(s);
}
int ssl3_check_client_hello(SSL *s)
{
int ok;
long n;
/* this function is called when we really expect a Certificate message,
* so permit appropriate message length */
n=s->method->ssl_get_message(s,
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
s->max_cert_list,
&ok);
if (!ok) return((int)n);
s->s3->tmp.reuse_message = 1;
if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
{
/* We only allow the client to restart the handshake once per
* negotiation. */
if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
{
SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
return -1;
}
/* Throw away what we have done so far in the current handshake,
* which will now be aborted. (A full SSL_clear would be too much.) */
#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
{
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
}
#endif
#ifndef OPENSSL_NO_ECDH
if (s->s3->tmp.ecdh != NULL)
{
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
}
#endif
s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
return 2;
}
return 1;
}
int ssl3_get_client_hello(SSL *s)
{
int i,j,ok,al=SSL_AD_INTERNAL_ERROR,ret= -1;

1
ssl/ssl_locl.h
View File

@ -1233,7 +1233,6 @@ int ssl3_send_hello_request(SSL *s);
int ssl3_send_server_key_exchange(SSL *s);
int ssl3_send_certificate_request(SSL *s);
int ssl3_send_server_done(SSL *s);
int ssl3_check_client_hello(SSL *s);
int ssl3_get_client_certificate(SSL *s);
int ssl3_get_client_key_exchange(SSL *s);
int ssl3_get_cert_verify(SSL *s);