Remove SSLv3_method and friends.

SSLv3_method, SSLv3_client_method, and SSLv3_server_method produce SSL_CTXs which fail every handshake. They appear no longer necessary for compatibility, so remove them. SSLv3 is still accessible to callers who explicitly re-enable SSLv3 on a TLS_method, but that will be removed completely later this year. Meanwhile, clear out a weird hack we had here. Update-Note: I believe there are no more callers of these functions. Any that were were already non-functional as these methods haven't been unable to handshake for a while now. Change-Id: I622f785b428ab0ceab77b5a9db05b2b0df28145a Reviewed-on: https://boringssl-review.googlesource.com/26004 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
AmosChenYQ · Feb 15, 2018 · c03ecb9 · c03ecb9
1 parent 1bf2337
commit c03ecb9
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 61 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -3621,17 +3621,12 @@ OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
 OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
 
-// SSLv3_method returns an |SSL_METHOD| with no versions enabled.
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-
 // These client- and server-specific methods call their corresponding generic
 // methods.
 OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
 OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);

diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
@@ -581,12 +581,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
   ret->mode = SSL_MODE_NO_AUTO_CHAIN;
 
   // Lock the SSL_CTX to the specified version, for compatibility with legacy
-  // uses of SSL_METHOD, but we do not set the minimum version for
-  // |SSLv3_method|.
+  // uses of SSL_METHOD.
   if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
-      !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
-                                              ? 0  // default
-                                              : method->version)) {
+      !SSL_CTX_set_min_proto_version(ret, method->version)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     goto err2;
   }

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
@@ -3535,40 +3535,6 @@ INSTANTIATE_TEST_CASE_P(
                         ssl_test_ticket_aead_open_soft_fail,
                         ssl_test_ticket_aead_open_hard_fail)));
 
-TEST(SSLTest, SSL3Method) {
-  bssl::UniquePtr<X509> cert = GetTestCertificate();
-  ASSERT_TRUE(cert);
-
-  // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
-  bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
-  ASSERT_TRUE(ssl3_ctx);
-  ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
-  bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
-  EXPECT_TRUE(ssl);
-
-  // Create a normal TLS context to test against.
-  bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
-  ASSERT_TRUE(tls_ctx);
-  ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
-
-  // However, handshaking an SSLv3_method server should fail to resolve the
-  // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
-  // way to enable SSL 3.0.
-  bssl::UniquePtr<SSL> client, server;
-  EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
-                                      ssl3_ctx.get()));
-  uint32_t err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
-  EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-
-  // Likewise for SSLv3_method clients.
-  EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
-                                      tls_ctx.get()));
-  err = ERR_get_error();
-  EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
-  EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-}
-
 TEST(SSLTest, SelectNextProto) {
   uint8_t *result;
   uint8_t result_len;

diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
@@ -231,15 +231,6 @@ const SSL_METHOD *TLSv1_method(void) {
   return &kMethod;
 }
 
-const SSL_METHOD *SSLv3_method(void) {
-  static const SSL_METHOD kMethod = {
-      SSL3_VERSION,
-      &kTLSProtocolMethod,
-      &ssl_crypto_x509_method,
-  };
-  return &kMethod;
-}
-
 // Legacy side-specific methods.
 
 const SSL_METHOD *TLSv1_2_server_method(void) {
@@ -254,10 +245,6 @@ const SSL_METHOD *TLSv1_server_method(void) {
   return TLSv1_method();
 }
 
-const SSL_METHOD *SSLv3_server_method(void) {
-  return SSLv3_method();
-}
-
 const SSL_METHOD *TLSv1_2_client_method(void) {
   return TLSv1_2_method();
 }
@@ -270,10 +257,6 @@ const SSL_METHOD *TLSv1_client_method(void) {
   return TLSv1_method();
 }
 
-const SSL_METHOD *SSLv3_client_method(void) {
-  return SSLv3_method();
-}
-
 const SSL_METHOD *SSLv23_server_method(void) {
   return SSLv23_method();
 }