authortedu <>2014-04-15 21:47:56 +0000
committertedu <>2014-04-15 21:47:56 +0000
commitd29691e0c778ae0a3a5eb74acbb053caacdee990 (patch)
treee9ca306a8d286d0b62f82cb4b82cffd7dfbb0e70 /src/lib/libssl/s23_clnt.c
parent0fccfaa49773dea8f4e6d9930d774dd2a44b33db (diff)
remove ssl2 support even more completely.
in the process, always include ssl3 and tls1, we don't need config options for them. when the time comes to expire ssl3, it will be with an ax. checked by miod
Diffstat (limited to 'src/lib/libssl/s23_clnt.c')
-rw-r--r--src/lib/libssl/s23_clnt.c80
1 files changed, 1 insertions, 79 deletions
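--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -122,10 +122,6 @@ static int ssl23_get_server_hello(SSL *s);
 static const SSL_METHOD
 *ssl23_get_client_method(int ver)
 {
-#ifndef OPENSSL_NO_SSL2
-	if (ver == SSL2_VERSION)
-		return (SSLv2_client_method());
-#endif
 	if (ver == SSL3_VERSION)
 		return (SSLv3_client_method());
 	else if (ver == TLS1_VERSION)
@@ -320,14 +316,7 @@ ssl23_client_hello(SSL *s)
 	 * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
 	 * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
 	 */
-	mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
-#if !defined(OPENSSL_NO_SSL3)
-	    |SSL_OP_NO_SSLv3
-#endif
-#if !defined(OPENSSL_NO_SSL2)
-	    |(ssl2_compat ? SSL_OP_NO_SSLv2 : 0)
-#endif
-	    ;
+	mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
 #if !defined(OPENSSL_NO_TLS1_2_CLIENT)
 	version = TLS1_2_VERSION;
 
@@ -340,15 +329,9 @@ ssl23_client_hello(SSL *s)
 	if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
 		version = TLS1_VERSION;
 	mask &= ~SSL_OP_NO_TLSv1;
-#if !defined(OPENSSL_NO_SSL3)
 	if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
 		version = SSL3_VERSION;
 	mask &= ~SSL_OP_NO_SSLv3;
-#endif
-#if !defined(OPENSSL_NO_SSL2)
-	if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
-		version = SSL2_VERSION;
-#endif
 
 #ifndef OPENSSL_NO_TLSEXT
 	if (version != SSL2_VERSION) {
@@ -592,69 +575,8 @@ ssl23_get_server_hello(SSL *s)
 
 	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
 	    (p[5] == 0x00) && (p[6] == 0x02)) {
-#ifdef OPENSSL_NO_SSL2
 		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
-#else
-		/* we are talking sslv2 */
-		/* we need to clean up the SSLv3 setup and put in the
-		 * sslv2 stuff. */
-		int ch_len;
-
-		if (s->options & SSL_OP_NO_SSLv2) {
-			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-			goto err;
-		}
-		if (s->s2 == NULL) {
-			if (!ssl2_new(s))
-				goto err;
-		} else
-			ssl2_clear(s);
-
-		if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-			ch_len = SSL2_CHALLENGE_LENGTH;
-		else
-			ch_len = SSL2_MAX_CHALLENGE_LENGTH;
-
-		/* write out sslv2 challenge */
-		/* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
-		it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
-		SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
-		futurproofing */
-		i = (SSL3_RANDOM_SIZE < ch_len) ? SSL3_RANDOM_SIZE : ch_len;
-		s->s2->challenge_length = i;
-		memcpy(s->s2->challenge,
-		    &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i);
-
-		if (s->s3 != NULL)
-			ssl3_free(s);
-
-		if (!BUF_MEM_grow_clean(s->init_buf,
-		    SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
-			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB);
-			goto err;
-		}
-
-		s->state = SSL2_ST_GET_SERVER_HELLO_A;
-		if (!(s->client_version == SSL2_VERSION))
-			/* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
-			s->s2->ssl2_rollback = 1;
-
-		/* setup the 7 bytes we have read so we get them from
-		 * the sslv2 buffer */
-		s->rstate = SSL_ST_READ_HEADER;
-		s->packet_length = n;
-		s->packet = &(s->s2->rbuf[0]);
-		memcpy(s->packet, buf, n);
-		s->s2->rbuf_left = n;
-		s->s2->rbuf_offs = 0;
-
-		/* we have already written one */
-		s->s2->write_sequence = 1;
-
-		s->method = SSLv2_client_method();
-		s->handshake_func = s->method->ssl_connect;
-#endif
 	} else if (p[1] == SSL3_VERSION_MAJOR &&
 	    p[2] <= TLS1_2_VERSION_MINOR &&
 	    ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||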