From 5e4f6e92476144313b14dbadee25f1e288583d41 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Mon, 17 Nov 2014 03:23:24 -0500
Subject: [PATCH] Remove some remnants of SSLv2.

Change-Id: Id294821162c4c9ea6f2fce2a0be65bafcb616068
Reviewed-on: https://boringssl-review.googlesource.com/2311
Reviewed-by: Adam Langley
---
 include/openssl/ssl.h | 4 +---
 ssl/s23_clnt.c | 5 -----
 ssl/ssl_lib.c | 33 ++++--------------------------
 ssl/ssl_sess.c | 47 +++++++++----------------------------------
 ssl/ssl_txt.c | 4 +---
 5 files changed, 15 insertions(+), 78 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index af3d55f4..d3b8834b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1185,9 +1185,7 @@ OPENSSL_EXPORT int ssl_get_new_session(SSL *s, int session);
 struct ssl_st
 {
- /* protocol version
- * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
- */
+ /* version is the protocol version. */
 int version;
 int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index ccb3e2c9..efa3cd2e 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -330,11 +330,6 @@ static int ssl23_client_hello(SSL *s)
 version_major = SSL3_VERSION_MAJOR;
 version_minor = SSL3_VERSION_MINOR;
 }
- else if (version == SSL2_VERSION)
- {
- version_major = SSL2_VERSION_MAJOR;
- version_minor = SSL2_VERSION_MINOR;
- }
 else
 {
 OPENSSL_PUT_ERROR(SSL, ssl23_client_hello, SSL_R_NO_PROTOCOLS_AVAILABLE);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 550080be..eb55a79a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -259,9 +259,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
 sk=ssl_create_cipher_list(
 ctx->method,
 &ctx->cipher_list,
 &ctx->cipher_list_by_id,
- meth->version == SSL2_VERSION ?
- "SSLv2" :
- SSL_DEFAULT_CIPHER_LIST,
+ SSL_DEFAULT_CIPHER_LIST,
 ctx->cert);
 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
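Review bot: The replacement comment `/* version is the protocol version. */` on the `int version` field restates the field name and drops the enumeration of values the field may hold, which was the useful part of the old comment once SSL2_VERSION is taken out of it. The same commit spells out the versions it accepts in ssl_get_new_session, so the header could keep that list, e.g. `/* version is the protocol version (one of SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, DTLS1_VERSION or DTLS1_2_VERSION). */` — to be confirmed against whatever other values the field can take before a version is negotiated, which the hunk does not show. struct ssl_st continues outside the hunk.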
@@ -481,17 +479,6 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 r.ssl_version = ssl->version;
 r.session_id_length = id_len;
 memcpy(r.session_id, id, id_len);
- /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
- * callback is calling us to check the uniqueness of a shorter ID, it
- * must be compared as a padded-out ID because that is what it will be
- * converted to when the callback has finished choosing it. */
- if((r.ssl_version == SSL2_VERSION) &&
- (id_len < SSL2_SSL_SESSION_ID_LENGTH))
- {
- memset(r.session_id + id_len, 0,
- SSL2_SSL_SESSION_ID_LENGTH - id_len);
- r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
- }
 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
 p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
@@ -1952,7 +1939,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 ssl_create_cipher_list(ret->method,
 &ret->cipher_list,&ret->cipher_list_by_id,
- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ret->cert);
+ SSL_DEFAULT_CIPHER_LIST, ret->cert);
 if (ret->cipher_list == NULL
 || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0)
 {
@@ -2432,17 +2419,9 @@ int SSL_get_error(const SSL *s,int i)
 if (i == 0)
 {
- if (s->version == SSL2_VERSION)
- {
- /* assume it is the socket being closed */
+ if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+ (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
 return(SSL_ERROR_ZERO_RETURN);
- }
- else
- {
- if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
- (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
- return(SSL_ERROR_ZERO_RETURN);
- }
 }
 return(SSL_ERROR_SYSCALL);
 }
@@ -2526,8 +2505,6 @@ static const char *ssl_get_version(int version)
 return("TLSv1");
 else if (version == SSL3_VERSION)
 return("SSLv3");
- else if (version == SSL2_VERSION)
- return("SSLv2");
 else
 return("unknown");
 }
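Review bot: With the padding branch gone, `memcpy(r.session_id, id, id_len);` is the only statement between the caller-supplied id_len and the fixed-size r.session_id, and nothing in the hunk bounds id_len against sizeof r.session_id. SSL_has_matching_session_id starts outside the hunk, so the range check may well sit there; if it does not, a guard such as `if (id_len > sizeof r.session_id) return 0;` belongs before the memcpy. The removed SSL2 branch was also the only code that wrote the bytes of r.session_id past id_len, so the hash and compare callbacks behind lh_SSL_SESSION_retrieve (not shown) are presumably expected to honour r.session_id_length rather than the whole array; a one-line comment at the memcpy recording that expectation, e.g. `/* Only the first id_len bytes of r.session_id are meaningful. */`, would stop a later reader from reintroducing a memset "to be safe".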
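Review bot: In the SSL_get_error hunk the new two-line condition leaves its single-statement body `return(SSL_ERROR_ZERO_RETURN);` unbraced, and the wrapped second line `(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))` sits at the same visual depth as the body, which is easy to misread; bracing the body as the removed code did, `{` / `return(SSL_ERROR_ZERO_RETURN);` / `}`, avoids that. The change also makes `s->s3` be dereferenced on every `i == 0` path, where the removed SSL2 branch previously avoided it; if an SSL object can reach SSL_get_error before s->s3 is set up, that would need a guard, otherwise it is fine. The removed comment was the only explanation of the `i == 0` case, so a short replacement such as `/* i == 0: the peer closed; only a received close_notify makes this a clean shutdown. */` would preserve that context.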
@@ -3176,8 +3153,6 @@ int ssl_get_max_version(const SSL *s)
 return TLS1_VERSION;
 if (!(s->options & SSL_OP_NO_SSLv3))
 return SSL3_VERSION;
- if (!(s->options & SSL_OP_NO_SSLv2))
- return SSL2_VERSION;
 return 0;
 }
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6b5f8c29..ee3daa9d 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -283,40 +283,15 @@ int ssl_get_new_session(SSL *s, int session)
 if (session)
 {
- if (s->version == SSL2_VERSION)
+ if (s->version == SSL3_VERSION ||
+ s->version == TLS1_VERSION ||
+ s->version == TLS1_1_VERSION ||
+ s->version == TLS1_2_VERSION ||
+ s->version == DTLS1_VERSION ||
+ s->version == DTLS1_2_VERSION)
 {
- ss->ssl_version=SSL2_VERSION;
- ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == SSL3_VERSION)
- {
- ss->ssl_version=SSL3_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == TLS1_VERSION)
- {
- ss->ssl_version=TLS1_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == TLS1_1_VERSION)
- {
- ss->ssl_version=TLS1_1_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == TLS1_2_VERSION)
- {
- ss->ssl_version=TLS1_2_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == DTLS1_VERSION)
- {
- ss->ssl_version=DTLS1_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- }
- else if (s->version == DTLS1_2_VERSION)
- {
- ss->ssl_version=DTLS1_2_VERSION;
- ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+ ss->ssl_version = s->version;
+ ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
 }
 else
 {
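Review bot: In the ssl_get_new_session hunk every accepted version now stores the same `SSL3_SSL_SESSION_ID_LENGTH`, so the six-way `||` has become a whitelist of known versions rather than a per-version lookup, and nothing in the code says so. A comment above the condition would make the intent explicit, e.g. `/* All supported protocol versions use SSLv3-style session IDs; any other value of s->version goes to the else branch below. */` — the else branch's body lies outside the hunk, so what it does is not visible here. The list also duplicates the version knowledge held by ssl_get_version and ssl_get_max_version in ssl_lib.c (both touched by this same commit), so a removal like this one has to be repeated in several places; a single shared predicate would keep them from drifting apart.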
@@ -355,11 +330,7 @@ int ssl_get_new_session(SSL *s, int session)
 SSL_SESSION_free(ss);
 return(0);
 }
- /* If the session length was shrunk and we're SSLv2, pad it */
- if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
- memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
- else
- ss->session_id_length = tmp;
+ ss->session_id_length = tmp;
 /* Finally, check for a conflict */
 if(SSL_has_matching_session_id(s, ss->session_id, ss->session_id_length))
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index a341901a..b91324e3 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -112,9 +112,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 if (x == NULL) goto err;
 if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
- if (x->ssl_version == SSL2_VERSION)
- s="SSLv2";
- else if (x->ssl_version == SSL3_VERSION)
+ if (x->ssl_version == SSL3_VERSION)
 s="SSLv3";
 else if (x->ssl_version == TLS1_2_VERSION)
 s="TLSv1.2";
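Review bot: `ss->session_id_length = tmp;` now stores the callback-chosen length unconditionally, so the SSL_has_matching_session_id call that follows (and every later read of ss->session_id) depends entirely on tmp having been range-checked before the hunk. The `SSL_SESSION_free(ss); return(0); }` at the top of the hunk looks like the tail of such a check; if that check does not reject both `tmp == 0` and `tmp > ss->session_id_length`, those conditions should be added to it rather than trusting the callback. A comment at the assignment recording the invariant, e.g. `/* tmp was validated above: 0 < tmp <= ss->session_id_length. */`, would make the dependency visible; ssl_get_new_session continues on both sides of the hunk.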