1 files changed, 1 insertions, 79 deletions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 3d2e7510cf..7c9de0dd0e 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -122,10 +122,6 @@ static int ssl23_get_server_hello(SSL *s);
 static const SSL_METHOD
 *ssl23_get_client_method(int ver)
 {
-#ifndef OPENSSL_NO_SSL2
-        if (ver == SSL2_VERSION)
-                return (SSLv2_client_method());
-#endif
        if (ver == SSL3_VERSION)
                return (SSLv3_client_method());
        else if (ver == TLS1_VERSION)
@@ -320,14 +316,7 @@ ssl23_client_hello(SSL *s)
         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
         */
-        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
+        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
-#if !defined(OPENSSL_NO_SSL3)
-        |SSL_OP_NO_SSLv3
-#endif
-#if !defined(OPENSSL_NO_SSL2)
-        |(ssl2_compat ? SSL_OP_NO_SSLv2 : 0)
-#endif
-        ;
 #if !defined(OPENSSL_NO_TLS1_2_CLIENT)
        version = TLS1_2_VERSION;
@@ -340,15 +329,9 @@ ssl23_client_hello(SSL *s)
        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
        mask &= ~SSL_OP_NO_TLSv1;
-#if !defined(OPENSSL_NO_SSL3)
        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
                version = SSL3_VERSION;
        mask &= ~SSL_OP_NO_SSLv3;
-#endif
-#if !defined(OPENSSL_NO_SSL2)
-        if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
-                version = SSL2_VERSION;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
        if (version != SSL2_VERSION) {
@@ -592,69 +575,8 @@ ssl23_get_server_hello(SSL *s)
        if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
                (p[5] == 0x00) && (p[6] == 0x02)) {
-#ifdef OPENSSL_NO_SSL2
                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
                goto err;
-#else
-                /* we are talking sslv2 */
-                /* we need to clean up the SSLv3 setup and put in the
-                 * sslv2 stuff. */
-                int ch_len;
-                if (s->options & SSL_OP_NO_SSLv2) {
-                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-                        goto err;
-                }
-                if (s->s2 == NULL) {
-                        if (!ssl2_new(s))
-                                goto err;
-                } else
-                        ssl2_clear(s);
-                if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                        ch_len = SSL2_CHALLENGE_LENGTH;
-                else
-                        ch_len = SSL2_MAX_CHALLENGE_LENGTH;
-                /* write out sslv2 challenge */
-                /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
-                   it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
-                   SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
-                   futurproofing */
-                i = (SSL3_RANDOM_SIZE < ch_len) ? SSL3_RANDOM_SIZE : ch_len;
-                s->s2->challenge_length = i;
-                memcpy(s->s2->challenge,
-                    &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i);
-                if (s->s3 != NULL)
-                        ssl3_free(s);
-                if (!BUF_MEM_grow_clean(s->init_buf,
-                    SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
-                        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB);
-                        goto err;
-                }
-                s->state = SSL2_ST_GET_SERVER_HELLO_A;
-                if (!(s->client_version == SSL2_VERSION))
-                        /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
-                        s->s2->ssl2_rollback = 1;
-                /* setup the 7 bytes we have read so we get them from
-                 * the sslv2 buffer */
-                s->rstate = SSL_ST_READ_HEADER;
-                s->packet_length = n;
-                s->packet = &(s->s2->rbuf[0]);
-                memcpy(s->packet, buf, n);
-                s->s2->rbuf_left = n;
-                s->s2->rbuf_offs = 0;
-                /* we have already written one */
-                s->s2->write_sequence = 1;
-                s->method = SSLv2_client_method();
-                s->handshake_func = s->method->ssl_connect;
-#endif
        } else if (p[1] == SSL3_VERSION_MAJOR &&
            p[2] <= TLS1_2_VERSION_MINOR &&
            ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||

diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 3d2e7510cf..7c9de0dd0e 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c
@@ -122,10 +122,6 @@ static int ssl23_get_server_hello(SSL *s);
122	static const SSL_METHOD	122	static const SSL_METHOD
123	*ssl23_get_client_method(int ver)	123	*ssl23_get_client_method(int ver)
124	{	124	{
125	#ifndef OPENSSL_NO_SSL2
126	if (ver == SSL2_VERSION)
127	return (SSLv2_client_method());
128	#endif
129	if (ver == SSL3_VERSION)	125	if (ver == SSL3_VERSION)
130	return (SSLv3_client_method());	126	return (SSLv3_client_method());
131	else if (ver == TLS1_VERSION)	127	else if (ver == TLS1_VERSION)
@@ -320,14 +316,7 @@ ssl23_client_hello(SSL *s)
320	* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the	316	* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
321	* answer is SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3\|SSL_OP_NO_SSLv2.	317	* answer is SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3\|SSL_OP_NO_SSLv2.
322	*/	318	*/
323	mask = SSL_OP_NO_TLSv1_1\|SSL_OP_NO_TLSv1	319	mask = SSL_OP_NO_TLSv1_1\|SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3;
324	#if !defined(OPENSSL_NO_SSL3)
325	\|SSL_OP_NO_SSLv3
326	#endif
327	#if !defined(OPENSSL_NO_SSL2)
328	\|(ssl2_compat ? SSL_OP_NO_SSLv2 : 0)
329	#endif
330	;
331	#if !defined(OPENSSL_NO_TLS1_2_CLIENT)	320	#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
332	version = TLS1_2_VERSION;	321	version = TLS1_2_VERSION;
333		322
@@ -340,15 +329,9 @@ ssl23_client_hello(SSL *s)
340	if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)	329	if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
341	version = TLS1_VERSION;	330	version = TLS1_VERSION;
342	mask &= ~SSL_OP_NO_TLSv1;	331	mask &= ~SSL_OP_NO_TLSv1;
343	#if !defined(OPENSSL_NO_SSL3)
344	if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)	332	if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
345	version = SSL3_VERSION;	333	version = SSL3_VERSION;
346	mask &= ~SSL_OP_NO_SSLv3;	334	mask &= ~SSL_OP_NO_SSLv3;
347	#endif
348	#if !defined(OPENSSL_NO_SSL2)
349	if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
350	version = SSL2_VERSION;
351	#endif
352		335
353	#ifndef OPENSSL_NO_TLSEXT	336	#ifndef OPENSSL_NO_TLSEXT
354	if (version != SSL2_VERSION) {	337	if (version != SSL2_VERSION) {
@@ -592,69 +575,8 @@ ssl23_get_server_hello(SSL *s)
592		575
593	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&	576	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
594	(p[5] == 0x00) && (p[6] == 0x02)) {	577	(p[5] == 0x00) && (p[6] == 0x02)) {
595	#ifdef OPENSSL_NO_SSL2
596	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);	578	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
597	goto err;	579	goto err;
598	#else
599	/* we are talking sslv2 */
600	/* we need to clean up the SSLv3 setup and put in the
601	* sslv2 stuff. */
602	int ch_len;
603
604	if (s->options & SSL_OP_NO_SSLv2) {
605	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
606	goto err;
607	}
608	if (s->s2 == NULL) {
609	if (!ssl2_new(s))
610	goto err;
611	} else
612	ssl2_clear(s);
613
614	if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
615	ch_len = SSL2_CHALLENGE_LENGTH;
616	else
617	ch_len = SSL2_MAX_CHALLENGE_LENGTH;
618
619	/* write out sslv2 challenge */
620	/* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
621	it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
622	SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
623	futurproofing */
624	i = (SSL3_RANDOM_SIZE < ch_len) ? SSL3_RANDOM_SIZE : ch_len;
625	s->s2->challenge_length = i;
626	memcpy(s->s2->challenge,
627	&(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i);
628
629	if (s->s3 != NULL)
630	ssl3_free(s);
631
632	if (!BUF_MEM_grow_clean(s->init_buf,
633	SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
634	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB);
635	goto err;
636	}
637
638	s->state = SSL2_ST_GET_SERVER_HELLO_A;
639	if (!(s->client_version == SSL2_VERSION))
640	/* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
641	s->s2->ssl2_rollback = 1;
642
643	/* setup the 7 bytes we have read so we get them from
644	* the sslv2 buffer */
645	s->rstate = SSL_ST_READ_HEADER;
646	s->packet_length = n;
647	s->packet = &(s->s2->rbuf[0]);
648	memcpy(s->packet, buf, n);
649	s->s2->rbuf_left = n;
650	s->s2->rbuf_offs = 0;
651
652	/* we have already written one */
653	s->s2->write_sequence = 1;
654
655	s->method = SSLv2_client_method();
656	s->handshake_func = s->method->ssl_connect;
657	#endif
658	} else if (p[1] == SSL3_VERSION_MAJOR &&	580	} else if (p[1] == SSL3_VERSION_MAJOR &&
659	p[2] <= TLS1_2_VERSION_MINOR &&	581	p[2] <= TLS1_2_VERSION_MINOR &&
660	((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) \|\|	582	((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) \|\|