Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and DTLS1_BAD_VER support was removed. "reads ok" miod@
author: doug <> 2015-09-12 16:10:08 +0000
committer: doug <> 2015-09-12 16:10:08 +0000
commit: 56a3e20d1e41c02e4afd069925ec512ebb40b905 (patch)
tree: ecc6c8f80b7c9e9b5057a82b1842ccf8724eb149 /src/lib/libssl/s3_clnt.c
parent: efc74c6a34e219450e0cc4dd809c41889209b98d (diff)
download: openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.gz
openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.bz2
openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.zip
1 files changed, 21 insertions, 39 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 12677319cc..2863b7380e 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.130 2015/09/12 12:17:00 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -795,7 +795,7 @@ ssl3_get_server_hello(SSL *s)
         * Check if we want to resume the session based on external
         * pre-shared secret
         */
-        if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+        if (s->tls_session_secret_cb) {
                SSL_CIPHER *pref_cipher = NULL;
                s->session->master_key_length = sizeof(s->session->master_key);
                if (s->tls_session_secret_cb(s, s->session->master_key,
@@ -901,19 +901,14 @@ ssl3_get_server_hello(SSL *s)
        }
        /* TLS extensions*/
-        if (s->version >= SSL3_VERSION) {
+        if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
-                if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
+                /* 'al' set by ssl_parse_serverhello_tlsext */
-                        /* 'al' set by ssl_parse_serverhello_tlsext */
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                goto f_err;
-                            SSL_R_PARSE_TLSEXT);
+        }
-                        goto f_err;
+        if (ssl_check_serverhello_tlsext(s) <= 0) {
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
-                }
+                goto err;
-                if (ssl_check_serverhello_tlsext(s) <= 0) {
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                            SSL_R_SERVERHELLO_TLSEXT);
-                        goto err;
-                }
        }
        if (p != d + n)
@@ -1538,14 +1533,11 @@ ssl3_get_certificate_request(SSL *s)
        }
        /* TLS does not like anon-DH with client cert */
-        if (s->version > SSL3_VERSION) {
+        if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
-                if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
-                            SSL_AD_UNEXPECTED_MESSAGE);
+                    SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                goto err;
-                            SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-                        goto err;
-                }
        }
        if (n < 0)
@@ -1914,8 +1906,8 @@ ssl3_send_client_key_exchange(SSL *s)
                        q = p;
                        /* Fix buf for TLS and beyond */
-                        if (s->version > SSL3_VERSION)
+                        p += 2;
-                                p += 2;
                        n = RSA_public_encrypt(sizeof tmp_buf,
                        tmp_buf, p, rsa, RSA_PKCS1_PADDING);
                        if (n <= 0) {
@@ -1925,10 +1917,8 @@ ssl3_send_client_key_exchange(SSL *s)
                        }
                        /* Fix buf for TLS and beyond */
-                        if (s->version > SSL3_VERSION) {
+                        s2n(n, q);
-                                s2n(n, q);
+                        n += 2;
-                                n += 2;
-                        }
                        s->session->master_key_length =
                            s->method->ssl3_enc->generate_master_secret(
@@ -2448,16 +2438,8 @@ ssl3_send_client_certificate(SSL *s)
                if (x509 != NULL)
                        X509_free(x509);
                EVP_PKEY_free(pkey);
-                if (i == 0) {
+                if (i == 0)
-                        if (s->version == SSL3_VERSION) {
+                        s->s3->tmp.cert_req = 2;
-                                s->s3->tmp.cert_req = 0;
-                                ssl3_send_alert(s, SSL3_AL_WARNING,
-                                    SSL_AD_NO_CERTIFICATE);
-                                return (1);
-                        } else {
-                                s->s3->tmp.cert_req = 2;
-                        }
-                }
                /* Ok, we have a cert */
                s->state = SSL3_ST_CW_CERT_C;
author	doug <>	2015-09-12 16:10:08 +0000
committer	doug <>	2015-09-12 16:10:08 +0000
commit	56a3e20d1e41c02e4afd069925ec512ebb40b905 (patch)
tree	ecc6c8f80b7c9e9b5057a82b1842ccf8724eb149 /src/lib/libssl/s3_clnt.c
parent	efc74c6a34e219450e0cc4dd809c41889209b98d (diff)
download	openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.gz openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.bz2 openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 12677319cc..2863b7380e 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.130 2015/09/12 12:17:00 jsing Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.131 2015/09/12 16:10:07 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -795,7 +795,7 @@ ssl3_get_server_hello(SSL *s)
795	* Check if we want to resume the session based on external	795	* Check if we want to resume the session based on external
796	* pre-shared secret	796	* pre-shared secret
797	*/	797	*/
798	if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {	798	if (s->tls_session_secret_cb) {
799	SSL_CIPHER *pref_cipher = NULL;	799	SSL_CIPHER *pref_cipher = NULL;
800	s->session->master_key_length = sizeof(s->session->master_key);	800	s->session->master_key_length = sizeof(s->session->master_key);
801	if (s->tls_session_secret_cb(s, s->session->master_key,	801	if (s->tls_session_secret_cb(s, s->session->master_key,
@@ -901,19 +901,14 @@ ssl3_get_server_hello(SSL *s)
901	}	901	}
902		902
903	/* TLS extensions*/	903	/* TLS extensions*/
904	if (s->version >= SSL3_VERSION) {	904	if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
905	if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {	905	/* 'al' set by ssl_parse_serverhello_tlsext */
906	/* 'al' set by ssl_parse_serverhello_tlsext */	906	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
907	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,	907	goto f_err;
908	SSL_R_PARSE_TLSEXT);	908	}
909	goto f_err;	909	if (ssl_check_serverhello_tlsext(s) <= 0) {
910		910	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
911	}	911	goto err;
912	if (ssl_check_serverhello_tlsext(s) <= 0) {
913	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
914	SSL_R_SERVERHELLO_TLSEXT);
915	goto err;
916	}
917	}	912	}
918		913
919	if (p != d + n)	914	if (p != d + n)
@@ -1538,14 +1533,11 @@ ssl3_get_certificate_request(SSL *s)
1538	}	1533	}
1539		1534
1540	/* TLS does not like anon-DH with client cert */	1535	/* TLS does not like anon-DH with client cert */
1541	if (s->version > SSL3_VERSION) {	1536	if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1542	if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {	1537	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1543	ssl3_send_alert(s, SSL3_AL_FATAL,	1538	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1544	SSL_AD_UNEXPECTED_MESSAGE);	1539	SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1545	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,	1540	goto err;
1546	SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1547	goto err;
1548	}
1549	}	1541	}
1550		1542
1551	if (n < 0)	1543	if (n < 0)
@@ -1914,8 +1906,8 @@ ssl3_send_client_key_exchange(SSL *s)
1914		1906
1915	q = p;	1907	q = p;
1916	/* Fix buf for TLS and beyond */	1908	/* Fix buf for TLS and beyond */
1917	if (s->version > SSL3_VERSION)	1909	p += 2;
1918	p += 2;	1910
1919	n = RSA_public_encrypt(sizeof tmp_buf,	1911	n = RSA_public_encrypt(sizeof tmp_buf,
1920	tmp_buf, p, rsa, RSA_PKCS1_PADDING);	1912	tmp_buf, p, rsa, RSA_PKCS1_PADDING);
1921	if (n <= 0) {	1913	if (n <= 0) {
@@ -1925,10 +1917,8 @@ ssl3_send_client_key_exchange(SSL *s)
1925	}	1917	}
1926		1918
1927	/* Fix buf for TLS and beyond */	1919	/* Fix buf for TLS and beyond */
1928	if (s->version > SSL3_VERSION) {	1920	s2n(n, q);
1929	s2n(n, q);	1921	n += 2;
1930	n += 2;
1931	}
1932		1922
1933	s->session->master_key_length =	1923	s->session->master_key_length =
1934	s->method->ssl3_enc->generate_master_secret(	1924	s->method->ssl3_enc->generate_master_secret(
@@ -2448,16 +2438,8 @@ ssl3_send_client_certificate(SSL *s)
2448	if (x509 != NULL)	2438	if (x509 != NULL)
2449	X509_free(x509);	2439	X509_free(x509);
2450	EVP_PKEY_free(pkey);	2440	EVP_PKEY_free(pkey);
2451	if (i == 0) {	2441	if (i == 0)
2452	if (s->version == SSL3_VERSION) {	2442	s->s3->tmp.cert_req = 2;
2453	s->s3->tmp.cert_req = 0;
2454	ssl3_send_alert(s, SSL3_AL_WARNING,
2455	SSL_AD_NO_CERTIFICATE);
2456	return (1);
2457	} else {
2458	s->s3->tmp.cert_req = 2;
2459	}
2460	}
2461		2443
2462	/* Ok, we have a cert */	2444	/* Ok, we have a cert */
2463	s->state = SSL3_ST_CW_CERT_C;	2445	s->state = SSL3_ST_CW_CERT_C;