Remove alert mapping machinery.
For TLS, this machinery only exists to swallow no_certificate alerts
which only get sent in an SSL 3.0 codepath anyway. It's much less a
no-op for SSL 3.0 which, strictly speaking, has only a subset of TLS's
alerts.
This gets messy around version negotiation because of the complex
relationship between enc_method, have_version, and version which all get
set at different times. Given that SSL 3.0 is nearly dead and all these
alerts are fatal to the connection anyway, this doesn't seem worth
carrying around. (It doesn't work very well anyway. An SSLv3-only server
may still send a record_overflow alert before version negotiation.)
This removes the last place enc_method is accessed prior to version
negotiation.
Change-Id: I79a704259fca69e4df76bd5a6846c9373f46f5a9
Reviewed-on: https://boringssl-review.googlesource.com/6843
Reviewed-by: Adam Langley <alangley@gmail.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 8a5ebe9..0324061 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -856,7 +856,6 @@
const uint8_t *seed2, size_t seed2_len);
int (*final_finish_mac)(SSL *ssl, int from_server, uint8_t *out);
int (*cert_verify_mac)(SSL *, int, uint8_t *);
- int (*alert_value)(int);
};
#define SSL_HM_HEADER_LENGTH(ssl) ssl->method->hhlen
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 16c2a31..a25877c 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -386,109 +386,10 @@
return ret;
}
-static int ssl3_alert_code(int code) {
- switch (code) {
- case SSL_AD_CLOSE_NOTIFY:
- return SSL3_AD_CLOSE_NOTIFY;
- case SSL_AD_UNEXPECTED_MESSAGE:
- return SSL3_AD_UNEXPECTED_MESSAGE;
-
- case SSL_AD_BAD_RECORD_MAC:
- return SSL3_AD_BAD_RECORD_MAC;
-
- case SSL_AD_DECRYPTION_FAILED:
- return SSL3_AD_BAD_RECORD_MAC;
-
- case SSL_AD_RECORD_OVERFLOW:
- return SSL3_AD_BAD_RECORD_MAC;
-
- case SSL_AD_DECOMPRESSION_FAILURE:
- return SSL3_AD_DECOMPRESSION_FAILURE;
-
- case SSL_AD_HANDSHAKE_FAILURE:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_NO_CERTIFICATE:
- return SSL3_AD_NO_CERTIFICATE;
-
- case SSL_AD_BAD_CERTIFICATE:
- return SSL3_AD_BAD_CERTIFICATE;
-
- case SSL_AD_UNSUPPORTED_CERTIFICATE:
- return SSL3_AD_UNSUPPORTED_CERTIFICATE;
-
- case SSL_AD_CERTIFICATE_REVOKED:
- return SSL3_AD_CERTIFICATE_REVOKED;
-
- case SSL_AD_CERTIFICATE_EXPIRED:
- return SSL3_AD_CERTIFICATE_EXPIRED;
-
- case SSL_AD_CERTIFICATE_UNKNOWN:
- return SSL3_AD_CERTIFICATE_UNKNOWN;
-
- case SSL_AD_ILLEGAL_PARAMETER:
- return SSL3_AD_ILLEGAL_PARAMETER;
-
- case SSL_AD_UNKNOWN_CA:
- return SSL3_AD_BAD_CERTIFICATE;
-
- case SSL_AD_ACCESS_DENIED:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_DECODE_ERROR:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_DECRYPT_ERROR:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_EXPORT_RESTRICTION:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_PROTOCOL_VERSION:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_INSUFFICIENT_SECURITY:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_INTERNAL_ERROR:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_USER_CANCELLED:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_NO_RENEGOTIATION:
- return -1; /* Don't send it. */
-
- case SSL_AD_UNSUPPORTED_EXTENSION:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_CERTIFICATE_UNOBTAINABLE:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_UNRECOGNIZED_NAME:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_UNKNOWN_PSK_IDENTITY:
- return TLS1_AD_UNKNOWN_PSK_IDENTITY;
-
- case SSL_AD_INAPPROPRIATE_FALLBACK:
- return SSL3_AD_INAPPROPRIATE_FALLBACK;
-
- default:
- return -1;
- }
-}
const SSL3_ENC_METHOD SSLv3_enc_data = {
ssl3_prf,
ssl3_final_finish_mac,
ssl3_cert_verify_mac,
- ssl3_alert_code,
};
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 51084d3..81d163e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -638,16 +638,6 @@
}
int ssl3_send_alert(SSL *ssl, int level, int desc) {
- /* Map tls/ssl alert value to correct one */
- desc = ssl->enc_method->alert_value(desc);
- if (ssl->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) {
- /* SSL 3.0 does not have protocol_version alerts */
- desc = SSL_AD_HANDSHAKE_FAILURE;
- }
- if (desc < 0) {
- return -1;
- }
-
/* If a fatal one, remove from cache */
if (level == 2 && ssl->session != NULL) {
SSL_CTX_remove_session(ssl->ctx, ssl->session);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index c728a0a..39711d5 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -554,108 +554,8 @@
return ret;
}
-static int tls1_alert_code(int code) {
- switch (code) {
- case SSL_AD_CLOSE_NOTIFY:
- return SSL3_AD_CLOSE_NOTIFY;
-
- case SSL_AD_UNEXPECTED_MESSAGE:
- return SSL3_AD_UNEXPECTED_MESSAGE;
-
- case SSL_AD_BAD_RECORD_MAC:
- return SSL3_AD_BAD_RECORD_MAC;
-
- case SSL_AD_DECRYPTION_FAILED:
- return TLS1_AD_DECRYPTION_FAILED;
-
- case SSL_AD_RECORD_OVERFLOW:
- return TLS1_AD_RECORD_OVERFLOW;
-
- case SSL_AD_DECOMPRESSION_FAILURE:
- return SSL3_AD_DECOMPRESSION_FAILURE;
-
- case SSL_AD_HANDSHAKE_FAILURE:
- return SSL3_AD_HANDSHAKE_FAILURE;
-
- case SSL_AD_NO_CERTIFICATE:
- return -1;
-
- case SSL_AD_BAD_CERTIFICATE:
- return SSL3_AD_BAD_CERTIFICATE;
-
- case SSL_AD_UNSUPPORTED_CERTIFICATE:
- return SSL3_AD_UNSUPPORTED_CERTIFICATE;
-
- case SSL_AD_CERTIFICATE_REVOKED:
- return SSL3_AD_CERTIFICATE_REVOKED;
-
- case SSL_AD_CERTIFICATE_EXPIRED:
- return SSL3_AD_CERTIFICATE_EXPIRED;
-
- case SSL_AD_CERTIFICATE_UNKNOWN:
- return SSL3_AD_CERTIFICATE_UNKNOWN;
-
- case SSL_AD_ILLEGAL_PARAMETER:
- return SSL3_AD_ILLEGAL_PARAMETER;
-
- case SSL_AD_UNKNOWN_CA:
- return TLS1_AD_UNKNOWN_CA;
-
- case SSL_AD_ACCESS_DENIED:
- return TLS1_AD_ACCESS_DENIED;
-
- case SSL_AD_DECODE_ERROR:
- return TLS1_AD_DECODE_ERROR;
-
- case SSL_AD_DECRYPT_ERROR:
- return TLS1_AD_DECRYPT_ERROR;
- case SSL_AD_EXPORT_RESTRICTION:
- return TLS1_AD_EXPORT_RESTRICTION;
-
- case SSL_AD_PROTOCOL_VERSION:
- return TLS1_AD_PROTOCOL_VERSION;
-
- case SSL_AD_INSUFFICIENT_SECURITY:
- return TLS1_AD_INSUFFICIENT_SECURITY;
-
- case SSL_AD_INTERNAL_ERROR:
- return TLS1_AD_INTERNAL_ERROR;
-
- case SSL_AD_USER_CANCELLED:
- return TLS1_AD_USER_CANCELLED;
-
- case SSL_AD_NO_RENEGOTIATION:
- return TLS1_AD_NO_RENEGOTIATION;
-
- case SSL_AD_UNSUPPORTED_EXTENSION:
- return TLS1_AD_UNSUPPORTED_EXTENSION;
-
- case SSL_AD_CERTIFICATE_UNOBTAINABLE:
- return TLS1_AD_CERTIFICATE_UNOBTAINABLE;
-
- case SSL_AD_UNRECOGNIZED_NAME:
- return TLS1_AD_UNRECOGNIZED_NAME;
-
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
- return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
- return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE;
-
- case SSL_AD_UNKNOWN_PSK_IDENTITY:
- return TLS1_AD_UNKNOWN_PSK_IDENTITY;
-
- case SSL_AD_INAPPROPRIATE_FALLBACK:
- return SSL3_AD_INAPPROPRIATE_FALLBACK;
-
- default:
- return -1;
- }
-}
-
const SSL3_ENC_METHOD TLSv1_enc_data = {
tls1_prf,
tls1_final_finish_mac,
tls1_cert_verify_mac,
- tls1_alert_code,
};
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index baafc06..75f56ce 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3249,11 +3249,7 @@
} else {
shouldFail = true
expectedError = ":UNSUPPORTED_PROTOCOL:"
- if runnerVers.version > VersionSSL30 {
- expectedLocalError = "remote error: protocol version not supported"
- } else {
- expectedLocalError = "remote error: handshake failure"
- }
+ expectedLocalError = "remote error: protocol version not supported"
}
testCases = append(testCases, testCase{
