Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and DTLS1_BAD_VER support was removed. "reads ok" miod@
author: doug <> 2015-09-12 16:10:08 +0000
committer: doug <> 2015-09-12 16:10:08 +0000
commit: 56a3e20d1e41c02e4afd069925ec512ebb40b905 (patch)
tree: ecc6c8f80b7c9e9b5057a82b1842ccf8724eb149 /src/lib/libssl/s3_srvr.c
parent: efc74c6a34e219450e0cc4dd809c41889209b98d (diff)
download: openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.gz
openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.bz2
openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.zip
1 files changed, 24 insertions, 37 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index dbcbc9b709..2fbf063140 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.120 2015/09/12 15:03:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.121 2015/09/12 16:10:07 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -942,13 +942,10 @@ ssl3_get_client_hello(SSL *s)
        }
        /* TLS extensions*/
-        if (s->version >= SSL3_VERSION) {
+        if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
-                if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
+                /* 'al' set by ssl_parse_clienthello_tlsext */
-                        /* 'al' set by ssl_parse_clienthello_tlsext */
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                goto f_err;
-                            SSL_R_PARSE_TLSEXT);
-                        goto f_err;
-                }
        }
        if (ssl_check_clienthello_tlsext_early(s) <= 0) {
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
@@ -964,7 +961,7 @@ ssl3_get_client_hello(SSL *s)
         */
        arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
-        if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+        if (!s->hit && s->tls_session_secret_cb) {
                SSL_CIPHER *pref_cipher = NULL;
                s->session->master_key_length = sizeof(s->session->master_key);
@@ -1054,12 +1051,9 @@ ssl3_get_client_hello(SSL *s)
         */
        /* Handles TLS extensions that we couldn't check earlier */
-        if (s->version >= SSL3_VERSION) {
+        if (ssl_check_clienthello_tlsext_late(s) <= 0) {
-                if (ssl_check_clienthello_tlsext_late(s) <= 0) {
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                goto err;
-                            SSL_R_CLIENTHELLO_TLSEXT);
-                        goto err;
-                }
        }
        if (ret < 0)
@@ -1646,18 +1640,15 @@ ssl3_get_client_key_exchange(SSL *s)
                }
                rsa = pkey->pkey.rsa;
-                /* TLS and [incidentally] DTLS{0xFEFF} */
+                if (2 > n)
-                if (s->version > SSL3_VERSION) {
+                        goto truncated;
-                        if (2 > n)
+                n2s(p, i);
-                                goto truncated;
+                if (n != i + 2) {
-                        n2s(p, i);
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                        if (n != i + 2) {
+                            SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        goto err;
-                                    SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+                } else
-                                goto err;
+                        n = i;
-                        } else
-                                n = i;
-                }
                i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
@@ -2300,7 +2291,7 @@ ssl3_get_client_certificate(SSL *s)
                 * If tls asked for a client cert,
                 * the client must return a 0 list.
                 */
-                if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
+                if (s->s3->tmp.cert_request) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                            SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
                            );
@@ -2365,15 +2356,11 @@ ssl3_get_client_certificate(SSL *s)
        }
        if (sk_X509_num(sk) <= 0) {
-                /* TLS does not mind 0 certs returned */
+                /*
-                if (s->version == SSL3_VERSION) {
+                 * TLS does not mind 0 certs returned.
-                        al = SSL_AD_HANDSHAKE_FAILURE;
+                 * Fail for TLS only if we required a certificate.
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                 */
-                            SSL_R_NO_CERTIFICATES_RETURNED);
+                if ((s->verify_mode & SSL_VERIFY_PEER) &&
-                        goto f_err;
-                }
-                /* Fail for TLS only if we required a certificate */
-                else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                            SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
author	doug <>	2015-09-12 16:10:08 +0000
committer	doug <>	2015-09-12 16:10:08 +0000
commit	56a3e20d1e41c02e4afd069925ec512ebb40b905 (patch)
tree	ecc6c8f80b7c9e9b5057a82b1842ccf8724eb149 /src/lib/libssl/s3_srvr.c
parent	efc74c6a34e219450e0cc4dd809c41889209b98d (diff)
download	openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.gz openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.tar.bz2 openbsd-56a3e20d1e41c02e4afd069925ec512ebb40b905.zip