Remove SSLv3_method and friends.

SSLv3_method, SSLv3_client_method, and SSLv3_server_method produce SSL_CTXs which fail every handshake. They appear no longer necessary for compatibility, so remove them. SSLv3 is still accessible to callers who explicitly re-enable SSLv3 on a TLS_method, but that will be removed completely later this year. Meanwhile, clear out a weird hack we had here. Update-Note: I believe there are no more callers of these functions. Any that were were already non-functional as these methods haven't been unable to handshake for a while now. Change-Id: I622f785b428ab0ceab77b5a9db05b2b0df28145a Reviewed-on: https://boringssl-review.googlesource.com/26004 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-02-02 16:07:50 -05:00 · 2018-02-02 16:07:50 -05:00 · c03ecb93a2
commit c03ecb93a2
parent 1bf2337fe1
4 changed files with 2 additions and 61 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -3621,17 +3621,12 @@ OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);

-// SSLv3_method returns an |SSL_METHOD| with no versions enabled.
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-
 // These client- and server-specific methods call their corresponding generic
 // methods.
 OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@ -581,12 +581,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
  ret->mode = SSL_MODE_NO_AUTO_CHAIN;

  // Lock the SSL_CTX to the specified version, for compatibility with legacy
-  // uses of SSL_METHOD, but we do not set the minimum version for
-  // |SSLv3_method|.
+  // uses of SSL_METHOD.
  if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
-      !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
-                                              ? 0  // default
-                                              : method->version)) {
+      !SSL_CTX_set_min_proto_version(ret, method->version)) {
    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
    goto err2;
  }
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@ -3535,40 +3535,6 @@ INSTANTIATE_TEST_CASE_P(
                        ssl_test_ticket_aead_open_soft_fail,
                        ssl_test_ticket_aead_open_hard_fail)));

-TEST(SSLTest, SSL3Method) {
-  bssl::UniquePtr<X509> cert = GetTestCertificate();
-  ASSERT_TRUE(cert);
-
-  // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
-  bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
-  ASSERT_TRUE(ssl3_ctx);
-  ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
-  bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
-  EXPECT_TRUE(ssl);
-
-  // Create a normal TLS context to test against.
-  bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
-  ASSERT_TRUE(tls_ctx);
-  ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
-
-  // However, handshaking an SSLv3_method server should fail to resolve the
-  // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
-  // way to enable SSL 3.0.
-  bssl::UniquePtr<SSL> client, server;
-  EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
-                                      ssl3_ctx.get()));
-  uint32_t err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
-  EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-
-  // Likewise for SSLv3_method clients.
-  EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
-                                      tls_ctx.get()));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
-  EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-}
-
 TEST(SSLTest, SelectNextProto) {
  uint8_t *result;
  uint8_t result_len;
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@ -231,15 +231,6 @@ const SSL_METHOD *TLSv1_method(void) {
  return &kMethod;
 }

-const SSL_METHOD *SSLv3_method(void) {
-  static const SSL_METHOD kMethod = {
-      SSL3_VERSION,
-      &kTLSProtocolMethod,
-      &ssl_crypto_x509_method,
-  };
-  return &kMethod;
-}
-
 // Legacy side-specific methods.

 const SSL_METHOD *TLSv1_2_server_method(void) {
@ -254,10 +245,6 @@ const SSL_METHOD *TLSv1_server_method(void) {
  return TLSv1_method();
 }

-const SSL_METHOD *SSLv3_server_method(void) {
-  return SSLv3_method();
-}
-
 const SSL_METHOD *TLSv1_2_client_method(void) {
  return TLSv1_2_method();
 }
@ -270,10 +257,6 @@ const SSL_METHOD *TLSv1_client_method(void) {
  return TLSv1_method();
 }

-const SSL_METHOD *SSLv3_client_method(void) {
-  return SSLv3_method();
-}
-
 const SSL_METHOD *SSLv23_server_method(void) {
  return SSLv23_method();
 }