Bug 1228555 - Remove support for SSLv2 r=mt,wtc,ekr

sailfishos-mirror · Mar 11, 2016 · ab3775f · ab3775f
1 parent 230f3af
commit ab3775f
Show file tree

Hide file tree

Showing 72 changed files with 484 additions and 63,819 deletions.
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
@@ -3697,10 +3697,6 @@ SECU_GetSSLVersionFromName(const char *buf, size_t bufLen, PRUint16 *version)
         return SECFailure;
     }
 
-    if (!PL_strncasecmp(buf, "ssl2", bufLen)) {
-        *version = SSL_LIBRARY_VERSION_2;
-        return SECSuccess;
-    }
     if (!PL_strncasecmp(buf, "ssl3", bufLen)) {
         *version = SSL_LIBRARY_VERSION_3_0;
         return SECSuccess;
@@ -3730,21 +3726,26 @@ SECU_GetSSLVersionFromName(const char *buf, size_t bufLen, PRUint16 *version)
 SECStatus
 SECU_ParseSSLVersionRangeString(const char *input,
                                 const SSLVersionRange defaultVersionRange,
-                                const PRBool defaultEnableSSL2,
-                                SSLVersionRange *vrange, PRBool *enableSSL2)
+                                SSLVersionRange *vrange)
 {
     const char *colonPos;
     size_t colonIndex;
     const char *maxStr;
 
-    if (!input || !vrange || !enableSSL2) {
+    if (!input || !vrange) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    // We don't support SSL2 any longer.
+    if (defaultVersionRange.min < SSL_LIBRARY_VERSION_3_0 ||
+        defaultVersionRange.max < SSL_LIBRARY_VERSION_3_0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     if (!strcmp(input, ":")) {
         /* special value, use default */
-        *enableSSL2 = defaultEnableSSL2;
         *vrange = defaultVersionRange;
         return SECSuccess;
     }
@@ -3760,7 +3761,6 @@ SECU_ParseSSLVersionRangeString(const char *input,
 
     if (!colonIndex) {
         /* colon was first character, min version is empty */
-        *enableSSL2 = defaultEnableSSL2;
         vrange->min = defaultVersionRange.min;
     } else {
         PRUint16 version;
@@ -3770,13 +3770,7 @@ SECU_ParseSSLVersionRangeString(const char *input,
             return SECFailure;
         }
 
-        if (version == SSL_LIBRARY_VERSION_2) {
-            *enableSSL2 = PR_TRUE;
-            vrange->min = defaultVersionRange.min;
-        } else {
-            *enableSSL2 = PR_FALSE;
-            vrange->min = version;
-        }
+        vrange->min = version;
     }
 
     if (!*maxStr) {
@@ -3790,18 +3784,12 @@ SECU_ParseSSLVersionRangeString(const char *input,
             return SECFailure;
         }
 
-        if (version == SSL_LIBRARY_VERSION_2) {
-            /* consistency checking, require that min allows enableSSL2, too */
-            if (!*enableSSL2) {
-                PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                return SECFailure;
-            }
-            /* we use 0 because SSL_LIBRARY_VERSION_NONE is private: */
-            vrange->min = 0;
-            vrange->max = 0;
-        } else {
-            vrange->max = version;
-        }
+        vrange->max = version;
+    }
+
+    if (vrange->min > vrange->max) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     return SECSuccess;

diff --git a/cmd/lib/secutil.h b/cmd/lib/secutil.h
@@ -398,21 +398,15 @@ SECU_SECItemHexStringToBinary(SECItem* srcdest);
  * and all implemented versions greater than or equal to min will be enabled.
  * A string consisting of a colon only means "all versions enabled".
  *
- * Because output parameter type SSLVersionRange doesn't allow to set
- * version 2 values, we use a separate boolean output parameter
- * to return whether SSL 2 is enabled.
- *
  * In order to avoid a link dependency from libsectool to libssl,
  * the caller must provide the desired default values for the min/max values,
- * by providing defaultEnableSSL2 and defaultVersionRange
- * (which can be obtained from libssl by calling SSL_VersionRangeGetSupported).
+ * by providing defaultVersionRange (which can be obtained from libssl by
+ * calling SSL_VersionRangeGetSupported).
  */
 SECStatus
 SECU_ParseSSLVersionRangeString(const char *input,
                                 const SSLVersionRange defaultVersionRange,
-                                const PRBool defaultEnableSSL2,
-                                SSLVersionRange *vrange,
-                                PRBool *enableSSL2);
+                                SSLVersionRange *vrange);
 
 /*
  *

diff --git a/cmd/listsuites/listsuites.c b/cmd/listsuites/listsuites.c
@@ -54,8 +54,7 @@ int main(int argc, char **argv)
 		info.keaTypeName, info.authAlgorithmName, info.symCipherName, 
 		info.effectiveKeyBits, info.macAlgorithmName, 
 		enabled           ? "Enabled"     : "Disabled",
-		info.isFIPS       ? "FIPS" : 
-		  (SSL_IS_SSL2_CIPHER(info.cipherSuite) ? "SSL2" : ""),
+		info.isFIPS       ? "FIPS"        : "",
 		info.isExportable ? "Export"      : "Domestic",
 		info.nonStandard  ? "nonStandard" : "");
     }

diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
@@ -94,16 +94,6 @@ typedef enum ocspStaplingModeEnum ocspStaplingModeType;
 static char *ocspStaplingCA = NULL;
 static SECItemArray *certStatus[kt_kea_size] = { NULL };
 
-const int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,			/* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,		/* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,		/* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,	/* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
-    0
-};
-
 const int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	 * b */
@@ -178,7 +168,7 @@ PrintParameterUsage()
     fputs(
 "-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
 "   All versions are enabled by default.\n"
-"   Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
+"   Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
 "   Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
 "-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
 "-q checks for bypassability\n"
@@ -242,13 +232,6 @@ PrintCipherUsage(const char *progName)
     PrintUsageHeader(progName);
     fputs(
 "-c ciphers   Letter(s) chosen from the following list\n"
-"A    SSL2 RC4 128 WITH MD5\n"
-"B    SSL2 RC4 128 EXPORT40 WITH MD5\n"
-"C    SSL2 RC2 128 CBC WITH MD5\n"
-"D    SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
-"E    SSL2 DES 64 CBC WITH MD5\n"
-"F    SSL2 DES 192 EDE3 CBC WITH MD5\n"
-"\n"
 "c    SSL3 RSA WITH RC4 128 MD5\n"
 "d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
 "e    SSL3 RSA WITH DES CBC SHA\n"
@@ -828,7 +811,6 @@ logger(void *arg)
 
 PRBool useModelSocket  = PR_FALSE;
 static SSLVersionRange enabledVersions;
-PRBool enableSSL2      = PR_TRUE;
 PRBool disableRollBack = PR_FALSE;
 PRBool NoReuse         = PR_FALSE;
 PRBool hasSidCache     = PR_FALSE;
@@ -1865,8 +1847,7 @@ server_main(
     }
 
     /* do SSL configuration. */
-    rv = SSL_OptionSet(model_sock, SSL_SECURITY, 
-                       enableSSL2 || enabledVersions.min != 0);
+    rv = SSL_OptionSet(model_sock, SSL_SECURITY, enabledVersions.min != 0);
     if (rv < 0) {
 	errExit("SSL_OptionSet SSL_SECURITY");
     }
@@ -1876,11 +1857,6 @@ server_main(
 	errExit("error setting SSL/TLS version range ");
     }
 
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, enableSSL2);
-    if (rv != SECSuccess) {
-       errExit("error enabling SSLv2 ");
-    }
-
     rv = SSL_OptionSet(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
     if (rv != SECSuccess) {
 	errExit("error enabling RollBack detection ");
@@ -2282,8 +2258,7 @@ main(int argc, char **argv)
 	case 'U': configureReuseECDHE = (PORT_Atoi(optstate->value) != 0); break;
 
         case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
-                          enabledVersions, enableSSL2,
-                          &enabledVersions, &enableSSL2) != SECSuccess) {
+                          enabledVersions, &enabledVersions) != SECSuccess) {
                       Usage(progName);
                   }
                   break;
@@ -2544,7 +2519,7 @@ main(int argc, char **argv)
     	}
     }
 
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    /* all SSL3 cipher suites are enabled by default. */
     if (cipherString) {
     	char *cstringSaved = cipherString;
     	int ndx;
@@ -2553,12 +2528,11 @@ main(int argc, char **argv)
 	disableAllSSLCiphers();
 
 	while (0 != (ndx = *cipherString++)) {
-	    int  cipher;
+            int cipher = 0;
 
 	    if (ndx == ':') {
 		int ctmp;
 
-		cipher = 0;
 		HEXCHAR_TO_INT(*cipherString, ctmp)
 		cipher |= (ctmp << 12);
 		cipherString++;
@@ -2572,16 +2546,15 @@ main(int argc, char **argv)
 		cipher |= ctmp;
 		cipherString++;
 	    } else {
-		const int *cptr;
-
 		if (! isalpha(ndx)) {
 		    fprintf(stderr, 
 			    "Non-alphabetic char in cipher string (-c arg).\n");
 		    exit(9);
 		}
-		cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-		    /* do nothing */;
+                ndx = tolower(ndx) - 'a';
+                if (ndx < PR_ARRAY_SIZE(ssl3CipherSuites)) {
+                    cipher = ssl3CipherSuites[ndx];
+                }
 	    }
 	    if (cipher > 0) {
 		SECStatus status;

diff --git a/cmd/strsclnt/strsclnt.c b/cmd/strsclnt/strsclnt.c
@@ -46,16 +46,6 @@
  * cipher selection code.
  */
 
-int ssl2CipherSuites[] = {
-    SSL_EN_RC4_128_WITH_MD5,                    /* A */
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,           /* B */
-    SSL_EN_RC2_128_CBC_WITH_MD5,                /* C */
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,       /* D */
-    SSL_EN_DES_64_CBC_WITH_MD5,                 /* E */
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,           /* F */
-    0
-};
-
 int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA     * b */
@@ -122,7 +112,6 @@ static SSL3Statistics * ssl3stats;
 
 static int failed_already = 0;
 static SSLVersionRange enabledVersions;
-static PRBool enableSSL2      = PR_TRUE;
 static PRBool bypassPKCS11    = PR_FALSE;
 static PRBool disableLocking  = PR_FALSE;
 static PRBool ignoreErrors    = PR_FALSE;
@@ -163,7 +152,7 @@ Usage(const char *progName)
 	"       -P means do a specified percentage of full handshakes (0-100)\n"
         "       -V [min]:[max] restricts the set of enabled SSL/TLS protocols versions.\n"
         "          All versions are enabled by default.\n"
-        "          Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
+        "          Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
         "          Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
         "       -U means enable throttling up threads\n"
 	"       -B bypasses the PKCS11 layer for SSL encryption and MACing\n"
@@ -1097,7 +1086,7 @@ client_main(
     /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
     NSS_SetDomesticPolicy();
 
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
+    /* all SSL3 cipher suites are enabled by default. */
     if (cipherString) {
         int ndx;
 
@@ -1125,11 +1114,10 @@ client_main(
 		}
 	    } else {
 		if (isalpha(ndx)) {
-		    const int *cptr;
-
-		    cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
-		    for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) 
-			/* do nothing */;
+                    ndx = tolower(ndx) - 'a';
+                    if (ndx < PR_ARRAY_SIZE(ssl3CipherSuites)) {
+                        cipher = ssl3CipherSuites[ndx];
+                    }
 		}
 	    	if (cipher <= 0) {
 		    fprintf(stderr, "strsclnt: Invalid cipher letter: %c\n", 
@@ -1163,8 +1151,7 @@ client_main(
 
     /* do SSL configuration. */
 
-    rv = SSL_OptionSet(model_sock, SSL_SECURITY,
-                       enableSSL2 || enabledVersions.min != 0);
+    rv = SSL_OptionSet(model_sock, SSL_SECURITY, enabledVersions.min != 0);
     if (rv < 0) {
 	errExit("SSL_OptionSet SSL_SECURITY");
     }
@@ -1174,16 +1161,6 @@ client_main(
         errExit("error setting SSL/TLS version range ");
     }
 
-    rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL2, enableSSL2);
-    if (rv != SECSuccess) {
-       errExit("error enabling SSLv2 ");
-    }
-
-    rv = SSL_OptionSet(model_sock, SSL_V2_COMPATIBLE_HELLO, enableSSL2);
-    if (rv != SECSuccess) {
-        errExit("error enabling SSLv2 compatible hellos ");
-    }
-
     if (bigBuf.data) { /* doing FDX */
 	rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
 	if (rv < 0) {
@@ -1368,8 +1345,7 @@ main(int argc, char **argv)
 	case 'U': ThrottleUp = PR_TRUE; break;
 
         case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
-                          enabledVersions, enableSSL2,
-                          &enabledVersions, &enableSSL2) != SECSuccess) {
+                          enabledVersions, &enabledVersions) != SECSuccess) {
                       Usage(progName);
                   }
                   break;
@@ -1510,22 +1486,13 @@ main(int argc, char **argv)
     PL_strfree(hostName);
 
     /* some final stats. */
-    if (ssl3stats->hsh_sid_cache_hits +
-	ssl3stats->hsh_sid_cache_misses +
-	ssl3stats->hsh_sid_cache_not_ok +
-	ssl3stats->hsh_sid_stateless_resumes == 0) {
-	/* presumably we were testing SSL2. */
-	printf("strsclnt: SSL2 - %d server certificates tested.\n",
-               certsTested);
-    } else {
-	printf(
-	"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
-	"          %ld stateless resumes\n",
-	    ssl3stats->hsh_sid_cache_hits, 
-	    ssl3stats->hsh_sid_cache_misses,
-	    ssl3stats->hsh_sid_cache_not_ok,
-	    ssl3stats->hsh_sid_stateless_resumes);
-    }
+    printf(
+    "strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
+    "          %ld stateless resumes\n",
+        ssl3stats->hsh_sid_cache_hits,
+        ssl3stats->hsh_sid_cache_misses,
+        ssl3stats->hsh_sid_cache_not_ok,
+        ssl3stats->hsh_sid_stateless_resumes);
 
     if (!NoReuse) {
 	if (enableSessionTickets)
@@ -1539,16 +1506,9 @@ main(int argc, char **argv)
     } else {
 	printf("strsclnt: NoReuse - %d server certificates tested.\n",
                certsTested);
-        if (ssl3stats->hsh_sid_cache_hits +
-            ssl3stats->hsh_sid_cache_misses +
-            ssl3stats->hsh_sid_cache_not_ok +
-            ssl3stats->hsh_sid_stateless_resumes > 0) {
-            exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
-                (ssl3stats->hsh_sid_stateless_resumes != 0) ||
-                (certsTested != connections);
-        } else {                /* ssl2 connections */
-            exitVal = (certsTested != connections);
-        }
+        exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
+            (ssl3stats->hsh_sid_stateless_resumes != 0) ||
+            (certsTested != connections);
     }
 
     exitVal = ( exitVal || failed_already );