Remove SSLv3_method and friends.
SSLv3_method, SSLv3_client_method, and SSLv3_server_method produce
SSL_CTXs which fail every handshake. They appear no longer necessary for
compatibility, so remove them.
SSLv3 is still accessible to callers who explicitly re-enable SSLv3 on a
TLS_method, but that will be removed completely later this year.
Meanwhile, clear out a weird hack we had here.
Update-Note: I believe there are no more callers of these functions. Any
that remained were already non-functional, as these methods have been
unable to handshake for a while now.
Change-Id: I622f785b428ab0ceab77b5a9db05b2b0df28145a
Reviewed-on: https://boringssl-review.googlesource.com/26004
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 249fce1..760d68b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3621,17 +3621,12 @@
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
-// SSLv3_method returns an |SSL_METHOD| with no versions enabled.
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-
// These client- and server-specific methods call their corresponding generic
// methods.
OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);
OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 2fd3beb..0a4c117 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -581,12 +581,9 @@
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
// Lock the SSL_CTX to the specified version, for compatibility with legacy
- // uses of SSL_METHOD, but we do not set the minimum version for
- // |SSLv3_method|.
+ // uses of SSL_METHOD.
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
- !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
- ? 0 // default
- : method->version)) {
+ !SSL_CTX_set_min_proto_version(ret, method->version)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err2;
}
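Review bot: With the SSL3_VERSION special case dropped, SSL_CTX_new now pins both the minimum and maximum version to method->version for every non-zero method version, so an SSL_METHOD that still carried SSL3_VERSION would yield a context locked to SSL 3.0 rather than one that cannot handshake; the commit removes the only such method, but nothing in this hunk prevents one from being reintroduced. Consider guarding that invariant next to the calls with `assert(method->version != SSL3_VERSION);`, if the file's existing use of assert permits. The shortened comment also loses the hint that 0 is special; since the `? 0 // default` line is gone, I would extend it to `// Lock the SSL_CTX to the specified version, for compatibility with legacy uses of SSL_METHOD. A version of 0 (presumably the version-negotiating TLS_method) leaves both bounds at their defaults.` SSL_CTX_new begins and ends outside this hunk.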
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 0f2a33c..9f77f14 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -3535,40 +3535,6 @@
ssl_test_ticket_aead_open_soft_fail,
ssl_test_ticket_aead_open_hard_fail)));
-TEST(SSLTest, SSL3Method) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- ASSERT_TRUE(cert);
-
- // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
- bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
- ASSERT_TRUE(ssl3_ctx);
- ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
- bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
- EXPECT_TRUE(ssl);
-
- // Create a normal TLS context to test against.
- bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(tls_ctx);
- ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
-
- // However, handshaking an SSLv3_method server should fail to resolve the
- // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
- // way to enable SSL 3.0.
- bssl::UniquePtr<SSL> client, server;
- EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
- ssl3_ctx.get()));
- uint32_t err = ERR_get_error();
- EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
- EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-
- // Likewise for SSLv3_method clients.
- EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
- tls_ctx.get()));
- err = ERR_get_error();
- EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
- EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-}
-
TEST(SSLTest, SelectNextProto) {
uint8_t *result;
uint8_t result_len;
diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
index 4eacf64..2ad2817 100644
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -231,15 +231,6 @@
return &kMethod;
}
-const SSL_METHOD *SSLv3_method(void) {
- static const SSL_METHOD kMethod = {
- SSL3_VERSION,
- &kTLSProtocolMethod,
- &ssl_crypto_x509_method,
- };
- return &kMethod;
-}
-
// Legacy side-specific methods.
const SSL_METHOD *TLSv1_2_server_method(void) {
@@ -254,10 +245,6 @@
return TLSv1_method();
}
-const SSL_METHOD *SSLv3_server_method(void) {
- return SSLv3_method();
-}
-
const SSL_METHOD *TLSv1_2_client_method(void) {
return TLSv1_2_method();
}
@@ -270,10 +257,6 @@
return TLSv1_method();
}
-const SSL_METHOD *SSLv3_client_method(void) {
- return SSLv3_method();
-}
-
const SSL_METHOD *SSLv23_server_method(void) {
return SSLv23_method();
}