]> granicus.if.org Git - openssl/commitdiff
Remove SSLv2 support
authorKurt Roeckx <kurt@roeckx.be>
Sun, 30 Nov 2014 14:35:22 +0000 (15:35 +0100)
committerKurt Roeckx <kurt@roeckx.be>
Thu, 4 Dec 2014 10:55:03 +0000 (11:55 +0100)
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
69 files changed:
Configure
INSTALL.VMS
Netware/do_tests.pl
apps/ciphers.c
apps/s_cb.c
apps/s_client.c
apps/s_server.c
apps/s_time.c
crypto/err/openssl.ec
crypto/evp/c_alld.c
crypto/threads/mttest.c
demos/ssl/cli.cpp
doc/apps/ciphers.pod
doc/apps/s_client.pod
doc/apps/s_server.pod
doc/apps/s_time.pod
doc/apps/sess_id.pod
doc/ssl/SSL_CIPHER_get_name.pod
doc/ssl/SSL_CONF_cmd.pod
doc/ssl/SSL_CTX_new.pod
doc/ssl/SSL_CTX_set_cipher_list.pod
doc/ssl/SSL_CTX_set_generate_session_id.pod
doc/ssl/SSL_CTX_set_options.pod
doc/ssl/SSL_get_default_timeout.pod
doc/ssl/SSL_get_version.pod
doc/ssl/SSL_new.pod
doc/ssl/SSL_shutdown.pod
doc/ssl/ssl.pod
makevms.com
ms/test.bat
ms/testce.bat
ssl/Makefile
ssl/s23_clnt.c
ssl/s23_lib.c
ssl/s23_meth.c
ssl/s23_srvr.c
ssl/s2_clnt.c [deleted file]
ssl/s2_enc.c [deleted file]
ssl/s2_lib.c [deleted file]
ssl/s2_meth.c [deleted file]
ssl/s2_pkt.c [deleted file]
ssl/s2_srvr.c [deleted file]
ssl/s3_enc.c
ssl/s3_lib.c
ssl/ssl.h
ssl/ssl2.h
ssl/ssl_algs.c
ssl/ssl_asn1.c
ssl/ssl_cert.c
ssl/ssl_ciph.c
ssl/ssl_conf.c
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_sess.c
ssl/ssl_stat.c
ssl/ssl_task.c
ssl/ssl_txt.c
ssl/ssltest.c
ssl/t1_enc.c
ssl/t1_trce.c
test/Makefile
test/testsid.pem
test/testssl
test/testssl.com
util/bat.sh
util/mk1mf.pl
util/mkdef.pl
util/ssleay.num

index 708594a7e5ccc80634cebc85513cba9783b2949f..5e9337c504b5d70d213b1b6a399b39f4cb406bfe 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -847,7 +847,6 @@ PROCESS_ARGS:
                                {
                                if ($1 eq "ssl")
                                        {
-                                       $disabled{"ssl2"} = "option(ssl)";
                                        $disabled{"ssl3"} = "option(ssl)";
                                        }
                                elsif ($1 eq "tls")
@@ -1062,12 +1061,6 @@ if (defined($disabled{"ec"}))
        $disabled{"ecdh"} = "forced";
        }
 
-# SSL 2.0 requires MD5 and RSA
-if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
-       {
-       $disabled{"ssl2"} = "forced";
-       }
-
 # SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
 if (defined($disabled{"md5"}) || defined($disabled{"sha"})
     || (defined($disabled{"rsa"})
index e5d43a57ab57414240491b53051109f4a03e7b78..6a50e6f4e7ab223f989e6b708b641fa2ea15c3b1 100644 (file)
@@ -134,7 +134,7 @@ Currently, the logical names supported are:
                         will not be implemented.  Supported algorithms to
                         do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                         SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
-                        SSL2.  So, for example, having the logical name
+                        SSL3.  So, for example, having the logical name
                         OPENSSL_NO_RSA with the value YES means that the
                         LIBCRYPTO.OLB library will not contain an RSA
                         implementation.
index ac482dbe2b8daa234177a17d8d8c0693e931dbb8..f8909a43cce739875be486305448915076127ca9 100644 (file)
@@ -270,22 +270,6 @@ sub ssl_tests
    print( OUT "\n========================================================\n");
    print( OUT "SSL TESTS:\n\n");
 
-   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2:");
-   log_output("ssltest -ssl2", $outFile);
-
-   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with server authentication:");
-   log_output("$ssltest -ssl2 -server_auth", $outFile);
-
-   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with client authentication:");
-   log_output("$ssltest -ssl2 -client_auth", $outFile);
-
-   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with both client and server authentication:");
-   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
-
    system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3:");
    log_output("ssltest -ssl3", $outFile);
@@ -318,26 +302,10 @@ sub ssl_tests
    log_desc("Testing sslv2/sslv3 with both client and server authentication:");
    log_output("$ssltest -server_auth -client_auth", $outFile);
 
-   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 via BIO pair:");
-   log_output("ssltest -bio_pair -ssl2", $outFile);
-
    system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
    log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
 
-   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with client authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
-
    system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3 via BIO pair:");
    log_output("ssltest -bio_pair -ssl3", $outFile);
index 85760cd42dec5f17e84be380bac1a96dec5fe27c..7de7dd3b3817b733d62e011769792338ccd2354d 100644 (file)
@@ -73,7 +73,6 @@ static const char *ciphers_usage[]={
 "usage: ciphers args\n",
 " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
 " -V          - even more verbose\n",
-" -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
 " -tls1       - TLS1 mode\n",
 NULL
@@ -130,10 +129,6 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-stdname") == 0)
                        stdname=verbose=1;
 #endif
-#ifndef OPENSSL_NO_SSL2
-               else if (strcmp(*argv,"-ssl2") == 0)
-                       meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
                else if (strcmp(*argv,"-ssl3") == 0)
                        meth=SSLv3_client_method();
@@ -210,9 +205,7 @@ int MAIN(int argc, char **argv)
                                int id2 = (int)((id >> 8) & 0xffL);
                                int id3 = (int)(id & 0xffL);
                                
-                               if ((id & 0xff000000L) == 0x02000000L)
-                                       BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
-                               else if ((id & 0xff000000L) == 0x03000000L)
+                               if ((id & 0xff000000L) == 0x03000000L)
                                        BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
                                else
                                        BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
index 0184125447feff47aada1d0c28c00f5118422cec..f3892f92e613dd9f65cc92752136dc2c0aa30ab4 100644 (file)
@@ -621,8 +621,6 @@ static const char *ssl_version_str(int version)
        {
        switch (version)
                {
-       case SSL2_VERSION:
-               return "SSL 2.0";
        case SSL3_VERSION:
                return "SSL 3.0";
        case TLS1_VERSION:
@@ -649,67 +647,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
        str_version = ssl_version_str(version);
 
-       if (version == SSL2_VERSION)
-               {
-               str_details1 = "???";
-
-               if (len > 0)
-                       {
-                       switch (((const unsigned char*)buf)[0])
-                               {
-                               case 0:
-                                       str_details1 = ", ERROR:";
-                                       str_details2 = " ???";
-                                       if (len >= 3)
-                                               {
-                                               unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
-                                               
-                                               switch (err)
-                                                       {
-                                               case 0x0001:
-                                                       str_details2 = " NO-CIPHER-ERROR";
-                                                       break;
-                                               case 0x0002:
-                                                       str_details2 = " NO-CERTIFICATE-ERROR";
-                                                       break;
-                                               case 0x0004:
-                                                       str_details2 = " BAD-CERTIFICATE-ERROR";
-                                                       break;
-                                               case 0x0006:
-                                                       str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
-                                                       break;
-                                                       }
-                                               }
-
-                                       break;
-                               case 1:
-                                       str_details1 = ", CLIENT-HELLO";
-                                       break;
-                               case 2:
-                                       str_details1 = ", CLIENT-MASTER-KEY";
-                                       break;
-                               case 3:
-                                       str_details1 = ", CLIENT-FINISHED";
-                                       break;
-                               case 4:
-                                       str_details1 = ", SERVER-HELLO";
-                                       break;
-                               case 5:
-                                       str_details1 = ", SERVER-VERIFY";
-                                       break;
-                               case 6:
-                                       str_details1 = ", SERVER-FINISHED";
-                                       break;
-                               case 7:
-                                       str_details1 = ", REQUEST-CERTIFICATE";
-                                       break;
-                               case 8:
-                                       str_details1 = ", CLIENT-CERTIFICATE";
-                                       break;
-                               }
-                       }
-               }
-
        if (version == SSL3_VERSION ||
            version == TLS1_VERSION ||
            version == TLS1_1_VERSION ||
@@ -1829,11 +1766,6 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
        case SSL_SECOP_CURVE_CHECK:
                nm = "Check Curve";
                break;
-       case SSL_SECOP_SSL2_COMPAT:
-               BIO_puts(sdb->out, "SSLv2 compatible");
-               show_bits = 0;
-               nm = NULL;
-               break;
        case SSL_SECOP_VERSION:
                BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid));
                show_bits = 0;
index cde77133008d3030abdcb91d270de7dc842ff6fa..1a30ef224136e04b07c458675b3d5df31a7bae30 100644 (file)
@@ -335,7 +335,6 @@ static void sc_usage(void)
        BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
        BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
-       BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
 #endif
@@ -345,9 +344,8 @@ static void sc_usage(void)
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
        BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
        BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
-       BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+       BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
        BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
-       BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
        BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
        BIO_printf(bio_err,"                 command to see what is available\n");
        BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
@@ -912,10 +910,6 @@ static char *jpake_secret = NULL;
                        meth=TLSv1_client_method();
                        }
 #endif
-#ifndef OPENSSL_NO_SSL2
-               else if (strcmp(*argv,"-ssl2") == 0)
-                       meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
                else if (strcmp(*argv,"-ssl3") == 0)
                        meth=SSLv3_client_method();
@@ -2198,14 +2192,12 @@ end:
 static void print_stuff(BIO *bio, SSL *s, int full)
        {
        X509 *peer=NULL;
-       char *p;
-       static const char *space="                ";
        char buf[BUFSIZ];
        STACK_OF(X509) *sk;
        STACK_OF(X509_NAME) *sk2;
        const SSL_CIPHER *c;
        X509_NAME *xn;
-       int j,i;
+       int i;
 #ifndef OPENSSL_NO_COMP
        const COMP_METHOD *comp, *expansion;
 #endif
@@ -2267,34 +2259,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                        {
                        BIO_printf(bio,"---\nNo client certificate CA names sent\n");
                        }
-               p=SSL_get_shared_ciphers(s,buf,sizeof buf);
-               if (p != NULL)
-                       {
-                       /* This works only for SSL 2.  In later protocol
-                        * versions, the client does not know what other
-                        * ciphers (in addition to the one to be used
-                        * in the current connection) the server supports. */
-
-                       BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
-                       j=i=0;
-                       while (*p)
-                               {
-                               if (*p == ':')
-                                       {
-                                       BIO_write(bio,space,15-j%25);
-                                       i++;
-                                       j=0;
-                                       BIO_write(bio,((i%3)?" ":"\n"),1);
-                                       }
-                               else
-                                       {
-                                       BIO_write(bio,p,1);
-                                       j++;
-                                       }
-                               p++;
-                               }
-                       BIO_write(bio,"\n",1);
-                       }
 
                ssl_print_sigalgs(bio, s);
                ssl_print_tmp_key(bio, s);
index d7d3ab25d6a707b9c3fbebb788d0bd8606ab3de0..504d3d9f0729bd8607d84c08f58e5cd4f3588683 100644 (file)
@@ -508,7 +508,6 @@ static void sv_usage(void)
        BIO_printf(bio_err," -srpvfile file      - The verifier file for SRP\n");
        BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
-       BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
 #endif
@@ -520,7 +519,6 @@ static void sv_usage(void)
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
        BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
        BIO_printf(bio_err," -chain        - Read a certificate chain\n");
-       BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
        BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
        BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
        BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
@@ -1406,13 +1404,6 @@ int MAIN(int argc, char *argv[])
                        { www=2; }
                else if (strcmp(*argv,"-HTTP") == 0)
                        { www=3; }
-#ifndef OPENSSL_NO_SSL2
-               else if (strcmp(*argv,"-ssl2") == 0)
-                       {
-                       no_ecdhe=1;
-                       meth=SSLv2_server_method();
-                       }
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
                else if (strcmp(*argv,"-ssl3") == 0)
                        { meth=SSLv3_server_method(); }
@@ -1768,9 +1759,6 @@ bad:
                if(strlen(session_id_prefix) >= 32)
                        BIO_printf(bio_err,
 "warning: id_prefix is too long, only one new session will be possible\n");
-               else if(strlen(session_id_prefix) >= 16)
-                       BIO_printf(bio_err,
-"warning: id_prefix is too long if you use SSLv2\n");
                if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
                        {
                        BIO_printf(bio_err,"error setting 'id_prefix'\n");
@@ -1855,9 +1843,6 @@ bad:
                        if(strlen(session_id_prefix) >= 32)
                                BIO_printf(bio_err,
                                        "warning: id_prefix is too long, only one new session will be possible\n");
-                       else if(strlen(session_id_prefix) >= 16)
-                               BIO_printf(bio_err,
-                                       "warning: id_prefix is too long if you use SSLv2\n");
                        if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
                                {
                                BIO_printf(bio_err,"error setting 'id_prefix'\n");
index 81dad53243a4e0ec5599e1c0cddf16cdfb35638e..6542be28275ead995dbe20d88928d10ab843abd6 100644 (file)
@@ -186,7 +186,6 @@ static void s_time_usage(void)
        printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
 #ifdef FIONBIO
        printf("-nbio         - Run with non-blocking IO\n");
-       printf("-ssl2         - Just use SSLv2\n");
        printf("-ssl3         - Just use SSLv3\n");
        printf("-bugs         - Turn on SSL bug compatibility\n");
        printf("-new          - Just time new connections\n");
@@ -282,10 +281,6 @@ static int parseArgs(int argc, char **argv)
                }
        else if(strcmp(*argv,"-bugs") == 0)
            st_bugs=1;
-#ifndef OPENSSL_NO_SSL2
-       else if(strcmp(*argv,"-ssl2") == 0)
-           s_time_meth=SSLv2_client_method();
-#endif
 #ifndef OPENSSL_NO_SSL3
        else if(strcmp(*argv,"-ssl3") == 0)
            s_time_meth=SSLv3_client_method();
@@ -430,8 +425,6 @@ int MAIN(int argc, char **argv)
                                ver='t';
                        else if (ver == SSL3_VERSION)
                                ver='3';
-                       else if (ver == SSL2_VERSION)
-                               ver='2';
                        else
                                ver='*';
                        }
@@ -523,8 +516,6 @@ next:
                                ver='t';
                        else if (ver == SSL3_VERSION)
                                ver='3';
-                       else if (ver == SSL2_VERSION)
-                               ver='2';
                        else
                                ver='*';
                        }
index 547796baa7108d6c3d925381e0cd39cc8cbe8a52..33005ccee39d399c2c60f008958d5b30f837a3bc 100644 (file)
@@ -51,7 +51,6 @@ F RSAREF_F_RSA_PRIVATE_DECRYPT
 F RSAREF_F_RSA_PRIVATE_ENCRYPT
 F RSAREF_F_RSA_PUBLIC_DECRYPT
 F RSAREF_F_RSA_PUBLIC_ENCRYPT
-#F SSL_F_CLIENT_CERTIFICATE
 
 R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE         1010
 R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC             1020
index 311e1fe2f8517bed047be77608238d8db0dc75da..99f9cd568fb706f88aac586b63bf3d4dfa7cad98 100644 (file)
@@ -69,7 +69,6 @@ void OpenSSL_add_all_digests(void)
 #endif
 #ifndef OPENSSL_NO_MD5
        EVP_add_digest(EVP_md5());
-       EVP_add_digest_alias(SN_md5,"ssl2-md5");
        EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
index eba7aa8a6ebcc432533ab522a295ad9afddf64a4..da2707ef7ab57e86ce240f8b74e156e694567e16 100644 (file)
@@ -217,8 +217,6 @@ int main(int argc, char *argv[])
                        cache_stats=1;
                else if (strcmp(*argv,"-ssl3") == 0)
                        ssl_method=SSLv3_method();
-               else if (strcmp(*argv,"-ssl2") == 0)
-                       ssl_method=SSLv2_method();
                else if (strcmp(*argv,"-CApath") == 0)
                        {
                        if (--argc < 1) goto bad;
index 5b4406d16f1985ba6eaaedd2dec1c7959107b1fa..a5bee1c7b996099fe59f7fc4bc62ef14da833c1b 100644 (file)
@@ -38,7 +38,7 @@ void main ()
   SSL_METHOD *meth;
 
   SSLeay_add_ssl_algorithms();
-  meth = SSLv2_client_method();
+  meth = SSLv23_client_method();
   SSL_load_error_strings();
   ctx = SSL_CTX_new (meth);                        CHK_NULL(ctx);
 
index 6bdc07746e03f19be8768075359f33c1e204e610..5f8dac4e197ae8f316c7156ecddb23da4a449af2 100644 (file)
@@ -10,7 +10,6 @@ B<openssl> B<ciphers>
 [B<-s>]
 [B<-v>]
 [B<-V>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<-stdname>]
@@ -35,12 +34,9 @@ not used then ciphers excluded by the security level will still be listed.
 =item B<-v>
 
 Verbose option. List ciphers with a complete description of
-protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange,
+protocol version, key exchange,
 authentication, encryption and mac algorithms used along with any key size
 restrictions and whether the algorithm is classed as an "export" cipher.
-Note that without the B<-v> option, ciphers may seem to appear twice
-in a cipher list; this is when similar ciphers are available for
-SSL v2 and for SSL v3/TLS v1.
 
 =item B<-V>
 
@@ -50,10 +46,6 @@ Like B<-v>, but include cipher suite codes in output (hex format).
 
 only include SSL v3 ciphers.
 
-=item B<-ssl2>
-
-only include SSL v2 ciphers.
-
 =item B<-tls1>
 
 only include TLS v1 ciphers.
@@ -259,9 +251,9 @@ keys.
 ciphers suites using FORTEZZA key exchange, authentication, encryption or all
 FORTEZZA algorithms. Not implemented.
 
-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
+=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
 
-TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
+TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
 there are no ciphersuites specific to TLS v1.1.
 
 =item B<AES128>, B<AES256>, B<AES>
@@ -605,17 +597,6 @@ Note: these ciphers can also be used in SSL v3.
  TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
  TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
 
-=head2 Deprecated SSL v2.0 cipher suites.
-
- SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
- SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
- SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
-
-
 =head1 NOTES
 
 Some compiled versions of OpenSSL may not include all the ciphers
index 2057dc86e0e0f8049d742e39ba25177d5d6bd22e..17308b4801a28399a630e981d32173cd9ec6a9dc 100644 (file)
@@ -58,10 +58,8 @@ B<openssl> B<s_client>
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-quiet>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_tls1_1>]
@@ -248,11 +246,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
 
 Unfortunately there are still ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
@@ -279,10 +277,6 @@ the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
-=item B<-serverpref>
-
-use the server's cipher preferences; only used for SSLV2.
-
 =item B<-starttls protocol>
 
 send the protocol-specific message(s) to switch to TLS for communication.
@@ -373,8 +367,8 @@ would typically be used (https uses port 443). If the connection succeeds
 then an HTTP command can be given such as "GET /" to retrieve a web page.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
+nothing obvious like no client certificate then the B<-bugs>,
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
 
@@ -396,10 +390,6 @@ on the command line is no guarantee that the certificate works.
 If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show the whole chain.
 
-Since the SSLv23 client hello cannot include compression methods or extensions
-these will only be supported if its use is disabled, for example by using the
-B<-no_sslv2> option.
-
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
 accept any certificate chain (trusted or not) sent by the peer. None test
index 3085944e4b5236c488cb00bb1a4e460dd6065e8e..1cc965f3e91f503414577277d55e76ddafee9fae 100644 (file)
@@ -64,10 +64,8 @@ B<openssl> B<s_server>
 [B<-serverpref>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
@@ -279,11 +277,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
 
 these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
 
 =item B<-bugs>
 
index 5a38aa2e03944f29ba3f93b8ea29609fefd4c4f8..b8dad09a0334dead75a5ac8502fbe35be34237ad 100644 (file)
@@ -19,7 +19,6 @@ B<openssl> B<s_time>
 [B<-verify depth>]
 [B<-nbio>]
 [B<-time seconds>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
@@ -92,18 +91,17 @@ specified, they are both on by default and executed in sequence.
 
 turns on non-blocking I/O.
 
-=item B<-ssl2>, B<-ssl3>
+=item B<-ssl3>
 
 these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
 the L<s_client(1)|s_client(1)> program and may not connect to all servers.
 
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option; others
-will only support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off with the B<-ssl3> option.
 
 =item B<-bugs>
 
@@ -137,7 +135,7 @@ which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command
 for details.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+nothing obvious like no client certificate then the B<-bugs> and
 B<-ssl3> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
index fb5ce1296273dbe2522892fd2299c02ef24111f6..a8b0ef09eb988ed0d45dc83c03392d7ad43b0337 100644 (file)
@@ -92,7 +92,7 @@ Theses are described below in more detail.
 
 =item B<Protocol>
 
-this is the protocol in use TLSv1, SSLv3 or SSLv2.
+this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
 
 =item B<Cipher>
 
@@ -111,10 +111,6 @@ the session ID context in hex format.
 
 this is the SSL session master key.
 
-=item B<Key-Arg>
-
-the key argument, this is only used in SSL v2.
-
 =item B<Start Time>
 
 this is the session start time represented as an integer in standard Unix format.
index 2048bfb8a18d78bb80be8308dfb1d68044304242..ec7011efe96b47266846ce53b7d27eec6bcf6198 100644 (file)
@@ -25,7 +25,7 @@ chosen algorithm. If B<cipher> is NULL, 0 is returned.
 
 SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
 version that first defined the cipher.
-This is currently B<SSLv2> or B<TLSv1/SSLv3>.
+This is currently B<TLSv1/SSLv3>.
 In some cases it should possibly return "TLSv1.2" but does not;
 use SSL_CIPHER_description() instead.
 If B<cipher> is NULL, "(NONE)" is returned.
@@ -56,7 +56,7 @@ Textual representation of the cipher name.
 
 =item <protocol version>
 
-Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
+Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
 flagged with SSLv3. No new ciphers were added by TLSv1.1.
 
 =item Kx=<key exchange>
index f96d8d941d26ee858100ed3c9b40964d5802f937..90a20d6c49479699e7e2e6ae27b677e9b9f7e406 100644 (file)
@@ -109,10 +109,10 @@ Attempts to use the file B<value> as the set of temporary DH parameters for
 the appropriate context. This option is only supported if certificate
 operations are permitted.
 
-=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
-Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 
-by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
+Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 
+by setting the corresponding options B<SSL_OP_NO_SSL3>,
 B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.
 
 =item B<-bugs>
@@ -259,7 +259,7 @@ The supported versions of the SSL or TLS protocol.
 The B<value> argument is a comma separated list of supported protocols to
 enable or disable. If an protocol is preceded by B<-> that version is disabled.
 All versions are enabled by default, though applications may choose to
-explicitly disable some. Currently supported protocol values are B<SSLv2>,
+explicitly disable some. Currently supported protocol values are 
 B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers
 to all supported versions.
 
@@ -435,4 +435,7 @@ L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
 
 SSL_CONF_cmd() was first added to OpenSSL 1.0.2
 
+B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept
+for backward compatibility.
+
 =cut
index 7593cf60cf231ba26bd85b9d509cc413a1c1a967..0da3f7be8e25eab8a50d03c25209217ade05a452 100644 (file)
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-SSL_CTX_new, SSLv2_method, SSLv2_server_method, SSLv2_client_method, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions
+SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions
 
 =head1 SYNOPSIS
 
@@ -23,14 +23,6 @@ client only type. B<method> can be of the following types:
 
 =over 4
 
-=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
-
-A TLS/SSL connection established with these methods will only understand
-the SSLv2 protocol. A client will send out SSLv2 client hello messages
-and will also indicate that it only understand SSLv2. A server will only
-understand SSLv2 client hello messages. The SSLv2 protocol is deprecated 
-and very broken: its use is B<strongly> discouraged.
-
 =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
 
 A TLS/SSL connection established with these methods will only understand the
@@ -62,33 +54,25 @@ SSLv3 client hello messages.
 
 =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
 
-A TLS/SSL connection established with these methods may understand the SSLv2,
+A TLS/SSL connection established with these methods may understand the
 SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
 
-If the cipher list does not contain any SSLv2 ciphersuites (the default
-cipher list does not) or extensions are required (for example server name)
+If extensions are required (for example server name)
 a client will send out TLSv1 client hello messages including extensions and
 will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
 fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
 protocols. This is the best choice when compatibility is a concern.
 
-If any SSLv2 ciphersuites are included in the cipher list and no extensions
-are required then SSLv2 compatible client hellos will be used by clients and
-SSLv2 will be accepted by servers. This is B<not> recommended due to the
-insecurity of SSLv2 and the limited nature of the SSLv2 client hello
-prohibiting the use of extensions.
-
 =back
 
-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
+The list of protocols available can later be limited using the
 SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
 options of the SSL_CTX_set_options() or SSL_set_options() functions.
 Using these options it is possible to choose e.g. SSLv23_server_method() and
 be able to negotiate with all possible clients, but to only allow newer
 protocols like TLSv1, TLSv1.1 or TLS v1.2.
 
-Applications which never want to support SSLv2 (even is the cipher string
-is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
 
 SSL_CTX_new() initializes the list of ciphers, the session cache setting,
 the callbacks, the keys and certificates and the options to its default
@@ -111,6 +95,11 @@ The return value points to an allocated SSL_CTX object.
 
 =back
 
+=head1 HISTORY
+
+SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in
+OpenSSL 1.1.0.
+
 =head1 SEE ALSO
 
 L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
index 8b41917334b7bf95c654a23c7224eba48491372c..c2c349f65e7b6c2fea47715f8f8bad111858d31c 100644 (file)
@@ -54,10 +54,6 @@ of 512 bits and the server is not configured to use temporary RSA
 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
 and the handshake will fail.
 
-If the cipher list does not contain any SSLv2 cipher suites (this is the
-default) then SSLv2 is effectively disabled and neither clients nor servers
-will attempt to use SSLv2.
-
 =head1 RETURN VALUES
 
 SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
index 798e8443a711eef2bcfd7748a7d1d73facba4c5b..cd72572b27ba6f82293e3bde2826a0adc73b682d 100644 (file)
@@ -32,9 +32,8 @@ of the parent context of B<ssl>.
 
 When a new session is established between client and server, the server
 generates a session id. The session id is an arbitrary sequence of bytes.
-The length of the session id is 16 bytes for SSLv2 sessions and between
-1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
-but must be unique for the server. Additionally, the session id is
+The length of the session id is between 1 and 32 bytes.  The session id is not
+security critical but must be unique for the server. Additionally, the session id is
 transmitted in the clear when reusing the session so it must not contain
 sensitive information.
 
@@ -51,21 +50,14 @@ The callback is only allowed to generate a shorter id and reduce B<id_len>;
 the callback B<must never> increase B<id_len> or write to the location
 B<id> exceeding the given limit.
 
-If a SSLv2 session id is generated and B<id_len> is reduced, it will be
-restored after the callback has finished and the session id will be padded
-with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions.
-The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function
-to check, whether the session is of type SSLv2.
-
 The location B<id> is filled with 0x00 before the callback is called, so the
 callback may only fill part of the possible length and leave B<id_len>
 untouched while maintaining reproducibility.
 
 Since the sessions must be distinguished, session ids must be unique.
 Without the callback a random number is used, so that the probability
-of generating the same session id is extremely small (2^128 possible ids
-for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
-uniqueness of the generated session id, the callback must call
+of generating the same session id is extremely small (2^256 for SSLv3/TLSv1).
+In order to assure the uniqueness of the generated session id, the callback must call
 SSL_has_matching_session_id() and generate another id if a conflict occurs.
 If an id conflict is not resolved, the handshake will fail.
 If the application codes e.g. a unique host id, a unique process number, and
@@ -85,10 +77,6 @@ Collisions can also occur when using an external session cache, since
 the external cache is not tested with SSL_has_matching_session_id()
 and the same race condition applies.
 
-When calling SSL_has_matching_session_id() for an SSLv2 session with
-reduced B<id_len>, the match operation will be performed using the
-fixed length required and with a 0x00 padded id.
-
 The callback must return 0 if it cannot generate a session id for whatever
 reason and return 1 on success.
 
@@ -104,12 +92,6 @@ server id given, and will fill the rest with pseudo random bytes:
                               unsigned int *id_len)
       {
       unsigned int count = 0;
-      const char *version;
-
-      version = SSL_get_version(ssl);
-      if (!strcmp(version, "SSLv2"))
-         /* we must not change id_len */;
-
       do      {
               RAND_pseudo_bytes(id, *id_len);
               /* Prefix the session_id with the required prefix. NB: If our
index 65062ad68cf53450e2e816d07d14c74e853f65b4..1594fb6eecd2dae83fb845b67261476e377992bf 100644 (file)
@@ -63,18 +63,11 @@ The following B<bug workaround> options are available:
 
 =item SSL_OP_MICROSOFT_SESS_ID_BUG
 
-www.microsoft.com - when talking SSLv2, if session-id reuse is
-performed, the session-id passed back in the server-finished message
-is different from the one decided upon.
+As of OpenSSL 1.0.0 this option has no effect.
 
 =item SSL_OP_NETSCAPE_CHALLENGE_BUG
 
-Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
-challenge but then appears to only use 16 bytes when generating the
-encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
-According to the SSLv3 spec, one should use 32 bytes for the challenge
-when operating in SSLv2/v3 compatibility mode, but as mentioned above,
-this breaks this server so 16 bytes is the way to go.
+As of OpenSSL 1.0.0 this option has no effect.
 
 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
 
index a648a9b82df606592f4eaf04a92d9ad1eae35f80..3a067fe892fc681b96f8b81aef891bbcec86bcad 100644 (file)
@@ -24,7 +24,7 @@ L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, the hardcoded default
 timeout for the protocol will be used.
 
 SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
-for all currently supported protocols (SSLv2, SSLv3, and TLSv1).
+for all currently supported protocols.
 
 =head1 RETURN VALUES
 
index 9ae6f2550858a6677b9bd20a66d13e7678d5275d..b91bb47f78d17e849b8abb20fa72b4ac36624825 100644 (file)
@@ -21,10 +21,6 @@ The following strings can be returned:
 
 =over 4
 
-=item SSLv2
-
-The connection uses the SSLv2 protocol.
-
 =item SSLv3
 
 The connection uses the SSLv3 protocol.
index 25300e978f026e64845ed1d1d43629f9fb77989f..f0774a57ae18ce2ef5a0075632f015102d9729d8 100644 (file)
@@ -14,7 +14,7 @@ SSL_new - create a new SSL structure for a connection
 
 SSL_new() creates a new B<SSL> structure which is needed to hold the
 data for a TLS/SSL connection. The new structure inherits the settings
-of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1),
+of the underlying context B<ctx>: connection method,
 options, verification settings, timeout settings.
 
 =head1 RETURN VALUES
index efbff5a0a3230ace064b5a5951aabc39cae2be4b..b2bf9cb1b8a9844f02ea262992bf8372264424e2 100644 (file)
@@ -60,9 +60,7 @@ SSL_get_shutdown() (see also L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> call.
 
 It is therefore recommended, to check the return value of SSL_shutdown()
 and call SSL_shutdown() again, if the bidirectional shutdown is not yet
-complete (return value of the first call is 0). As the shutdown is not
-specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on
-the first call.
+complete (return value of the first call is 0).
 
 The behaviour of SSL_shutdown() additionally depends on the underlying BIO. 
 
index 8d5b8c380e179d3ae629dfd39cff2e9e4714443e..ceb9766245ac5fab27a68ae22177c84e05ca78dd 100644 (file)
@@ -45,8 +45,8 @@ structures:
 =item B<SSL_METHOD> (SSL Method)
 
 That's a dispatch structure describing the internal B<ssl> library
-methods/functions which implement the various protocol versions (SSLv1, SSLv2
-and TLSv1). It's needed to create an B<SSL_CTX>.
+methods/functions which implement the various protocol versions (SSLv3
+TLSv1, ...). It's needed to create an B<SSL_CTX>.
 
 =item B<SSL_CIPHER> (SSL Cipher)
 
@@ -105,8 +105,8 @@ it's already included by ssl.h>.
 
 =item B<ssl23.h>
 
-That's the sub header file dealing with the combined use of the SSLv2 and
-SSLv3 protocols.
+That's the sub header file dealing with the combined use of different
+protocol version.
 I<Usually you don't have to include it explicitly because
 it's already included by ssl.h>.
 
@@ -130,18 +130,6 @@ protocol methods defined in B<SSL_METHOD> structures.
 
 =over 4
 
-=item const SSL_METHOD *B<SSLv2_client_method>(void);
-
-Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
-
-=item const SSL_METHOD *B<SSLv2_server_method>(void);
-
-Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
-
-=item const SSL_METHOD *B<SSLv2_method>(void);
-
-Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
-
 =item const SSL_METHOD *B<SSLv3_client_method>(void);
 
 Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
@@ -189,7 +177,7 @@ I<alg_bits>) and the bits which are actually used (the return value).
 =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
 
 Return the internal name of I<cipher> as a string. These are the various
-strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
 definitions in the header files.
 
 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
@@ -758,5 +746,8 @@ L<SSL_get_psk_identity(3)|SSL_get_psk_identity(3)>
 
 The L<ssl(3)|ssl(3)> document appeared in OpenSSL 0.9.2
 
+B<SSLv2_client_method>, B<SSLv2_server_method> and B<SSLv2_method> where removed
+in OpenSSL 1.1.0.
+
 =cut
 
index d5a25264b15441173cf95334dad586506b2c4232..37e1e3ce185db8dc236d59b03e760bae3f483f55 100755 (executable)
@@ -300,7 +300,6 @@ $ CONFIG_LOGICALS := AES,-
                     SHA512,-
                     SOCK,-
                     SRP,-
-                    SSL2,-
                     SSL_INTERN,-
                     STACK,-
                     STATIC_ENGINE,-
@@ -330,10 +329,8 @@ $! algos part.
 $ CONFIG_DISABLE_RULES := RIJNDAEL/AES;-
                          DES/MDC2;-
                          EC/ECDSA,ECDH;-
-                         MD5/SSL2,SSL3,TLS1;-
+                         MD5/SSL3,TLS1;-
                          SHA/SSL3,TLS1;-
-                         RSA/SSL2;-
-                         RSA,DSA/SSL2;-
                          DH/SSL3,TLS1;-
                          TLS1/TLSEXT;-
                          EC/GOST;-
index f490546ebb97754d0b0d29bd8e25246d5f14eb4e..d0b60600e21c87208b8b1e68fa7fff5895def5ca 100755 (executable)
@@ -77,22 +77,6 @@ if errorlevel 1 goto done
 
 set SSL_TEST=ssltest -key keyU.ss -cert certU.ss -c_key keyU.ss -c_cert certU.ss -CAfile certCA.ss
 
-echo test sslv2
-ssltest -ssl2
-if errorlevel 1 goto done
-
-echo test sslv2 with server authentication
-%SSL_TEST% -ssl2 -server_auth
-if errorlevel 1 goto done
-
-echo test sslv2 with client authentication
-%SSL_TEST% -ssl2 -client_auth
-if errorlevel 1 goto done
-
-echo test sslv2 with both client and server authentication
-%SSL_TEST% -ssl2 -server_auth -client_auth
-if errorlevel 1 goto done
-
 echo test sslv3
 ssltest -ssl3
 if errorlevel 1 goto done
@@ -125,26 +109,10 @@ echo test sslv2/sslv3 with both client and server authentication
 %SSL_TEST% -server_auth -client_auth
 if errorlevel 1 goto done
 
-echo test sslv2 via BIO pair
-ssltest -bio_pair -ssl2
-if errorlevel 1 goto done
-
 echo test sslv2/sslv3 with 1024 bit DHE via BIO pair
 ssltest -bio_pair -dhe1024dsa -v
 if errorlevel 1 goto done
 
-echo test sslv2 with server authentication via BIO pair
-%SSL_TEST% -bio_pair -ssl2 -server_auth
-if errorlevel 1 goto done
-
-echo test sslv2 with client authentication via BIO pair
-%SSL_TEST% -bio_pair -ssl2 -client_auth
-if errorlevel 1 goto done
-
-echo test sslv2 with both client and server authentication via BIO pair
-%SSL_TEST% -bio_pair -ssl2 -server_auth -client_auth
-if errorlevel 1 goto done
-
 echo test sslv3 via BIO pair
 ssltest -bio_pair -ssl3
 if errorlevel 1 goto done
index 2ab010be6af02901733ea2eba0733bc8a182e6aa..8de94a43b242dc2b5ab17fc1a319e50d5581dccc 100644 (file)
@@ -123,22 +123,6 @@ cecopy ssltest.exe CE:\OpenSSL
 cecopy ..\apps\server.pem CE:\OpenSSL
 cecopy ..\apps\client.pem CE:\OpenSSL
 
-echo test sslv2
-cerun CE:\OpenSSL\ssltest -ssl2
-if errorlevel 1 goto done
-
-echo test sslv2 with server authentication
-cerun CE:\OpenSSL\ssltest -ssl2 -server_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
-echo test sslv2 with client authentication
-cerun CE:\OpenSSL\ssltest -ssl2 -client_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
-echo test sslv2 with both client and server authentication
-cerun CE:\OpenSSL\ssltest -ssl2 -server_auth -client_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
 echo test sslv3
 cerun CE:\OpenSSL\ssltest -ssl3
 if errorlevel 1 goto done
@@ -171,26 +155,10 @@ echo test sslv2/sslv3 with both client and server authentication
 cerun CE:\OpenSSL\ssltest -server_auth -client_auth -CAfile \OpenSSL\cert.tmp
 if errorlevel 1 goto done
 
-echo test sslv2 via BIO pair
-cerun CE:\OpenSSL\ssltest -bio_pair -ssl2
-if errorlevel 1 goto done
-
 echo test sslv2/sslv3 with 1024 bit DHE via BIO pair
 cerun CE:\OpenSSL\ssltest -bio_pair -dhe1024dsa -v
 if errorlevel 1 goto done
 
-echo test sslv2 with server authentication via BIO pair
-cerun CE:\OpenSSL\ssltest -bio_pair -ssl2 -server_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
-echo test sslv2 with client authentication via BIO pair
-cerun CE:\OpenSSL\ssltest -bio_pair -ssl2 -client_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
-echo test sslv2 with both client and server authentication via BIO pair
-cerun CE:\OpenSSL\ssltest -bio_pair -ssl2 -server_auth -client_auth -CAfile \OpenSSL\cert.tmp
-if errorlevel 1 goto done
-
 echo test sslv3 via BIO pair
 cerun CE:\OpenSSL\ssltest -bio_pair -ssl3
 if errorlevel 1 goto done
index 739e1ea7931f4b6d0949c0a26904f18e1dae5b60..ebbdedc7f43761b33352871eaa3fddc750c015a9 100644 (file)
@@ -21,7 +21,6 @@ APPS=
 LIB=$(TOP)/libssl.a
 SHARED_LIB= libssl$(SHLIB_EXT)
 LIBSRC=        \
-       s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
        s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
        s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
        t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c t1_ext.c \
@@ -32,7 +31,6 @@ LIBSRC=       \
        ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \
        bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c
 LIBOBJ= \
-       s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
        s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
        s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
        t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o t1_ext.o \
@@ -386,126 +384,6 @@ s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s23_srvr.o: ../include/openssl/x509_vfy.h s23_srvr.c ssl_locl.h
-s2_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_clnt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_clnt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
-s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_enc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_enc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_enc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c
-s2_enc.o: ssl_locl.h
-s2_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h
-s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_meth.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_meth.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_meth.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_meth.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_meth.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_meth.c
-s2_meth.o: ssl_locl.h
-s2_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_pkt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_pkt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_pkt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_pkt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s2_pkt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
-s2_pkt.o: ssl_locl.h
-s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h
 s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
index 42c3d6861f9a4eeb285fc402cd3c74d3e3254066..37b3e23784facf989614818652c720a0642c1c90 100644 (file)
@@ -121,10 +121,6 @@ static int ssl23_client_hello(SSL *s);
 static int ssl23_get_server_hello(SSL *s);
 static const SSL_METHOD *ssl23_get_client_method(int ver)
        {
-#ifndef OPENSSL_NO_SSL2
-       if (ver == SSL2_VERSION)
-               return(SSLv2_client_method());
-#endif
 #ifndef OPENSSL_NO_SSL3
        if (ver == SSL3_VERSION)
                return(SSLv3_client_method());
@@ -256,24 +252,6 @@ end:
        return(ret);
        }
 
-static int ssl23_no_ssl2_ciphers(SSL *s)
-       {
-       SSL_CIPHER *cipher;
-       STACK_OF(SSL_CIPHER) *ciphers;
-       int i;
-       ssl_set_client_disabled(s);
-       ciphers = SSL_get_ciphers(s);
-       for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
-               {
-               cipher = sk_SSL_CIPHER_value(ciphers, i);
-               if (ssl_cipher_disabled(s, cipher, SSL_SECOP_CIPHER_SUPPORTED))
-                       continue;
-               if (cipher->algorithm_ssl == SSL_SSLV2)
-                       return 0;
-               }
-       return 1;
-       }
-
 /* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
  * on failure, 1 on success. */
 int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
@@ -300,9 +278,8 @@ static int ssl23_client_hello(SSL *s)
        {
        unsigned char *buf;
        unsigned char *p,*d;
-       int i,ch_len;
+       int i;
        unsigned long l;
-       int ssl2_compat;
        int version = 0, version_major, version_minor;
        int al = 0;
 #ifndef OPENSSL_NO_COMP
@@ -312,13 +289,6 @@ static int ssl23_client_hello(SSL *s)
        int ret;
        unsigned long mask, options = s->options;
 
-       ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
-
-       if (ssl2_compat && !ssl_security(s, SSL_SECOP_SSL2_COMPAT, 0, 0, NULL))
-               ssl2_compat = 0;
-       if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
-               ssl2_compat = 0;
-
        /*
         * SSL_OP_NO_X disables all protocols above X *if* there are
         * some protocols below X enabled. This is required in order
@@ -330,9 +300,6 @@ static int ssl23_client_hello(SSL *s)
        mask =  SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
 #if !defined(OPENSSL_NO_SSL3)
                |SSL_OP_NO_SSLv3
-#endif
-#if !defined(OPENSSL_NO_SSL2)
-               |(ssl2_compat?SSL_OP_NO_SSLv2:0)
 #endif
                ;
 #if !defined(OPENSSL_NO_TLS1_2_CLIENT)
@@ -352,28 +319,6 @@ static int ssl23_client_hello(SSL *s)
                version = SSL3_VERSION;
        mask &= ~SSL_OP_NO_SSLv3;
 #endif
-#if !defined(OPENSSL_NO_SSL2)
-       if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
-               version = SSL2_VERSION;
-#endif
-
-#ifndef OPENSSL_NO_TLSEXT
-       if (version != SSL2_VERSION)
-               {
-               /* have to disable SSL 2.0 compatibility if we need TLS extensions */
-
-               if (s->tlsext_hostname != NULL)
-                       ssl2_compat = 0;
-               if (s->tlsext_status_type != -1)
-                       ssl2_compat = 0;
-#ifdef TLSEXT_TYPE_opaque_prf_input
-               if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
-                       ssl2_compat = 0;
-#endif
-               if (s->cert->cli_ext.meths_count != 0)
-                       ssl2_compat = 0;
-               }
-#endif
 
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
@@ -424,11 +369,6 @@ static int ssl23_client_hello(SSL *s)
                        version_major = SSL3_VERSION_MAJOR;
                        version_minor = SSL3_VERSION_MINOR;
                        }
-               else if (version == SSL2_VERSION)
-                       {
-                       version_major = SSL2_VERSION_MAJOR;
-                       version_minor = SSL2_VERSION_MINOR;
-                       }
                else
                        {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_PROTOCOLS_AVAILABLE);
@@ -437,169 +377,105 @@ static int ssl23_client_hello(SSL *s)
 
                s->client_version = version;
 
-               if (ssl2_compat)
-                       {
-                       /* create SSL 2.0 compatible Client Hello */
+               /* create Client Hello in SSL 3.0/TLS 1.0 format */
 
-                       /* two byte record header will be written last */
-                       d = &(buf[2]);
-                       p = d + 9; /* leave space for message type, version, individual length fields */
+               /* do the record header (5 bytes) and handshake message header (4 bytes) last */
+               d = p = &(buf[9]);
+               
+               *(p++) = version_major;
+               *(p++) = version_minor;
 
-                       *(d++) = SSL2_MT_CLIENT_HELLO;
-                       *(d++) = version_major;
-                       *(d++) = version_minor;
-                       
-                       /* Ciphers supported */
-                       i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),p,0);
-                       if (i == 0)
-                               {
-                               /* no ciphers */
-                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                               return -1;
-                               }
-                       s2n(i,d);
-                       p+=i;
-                       
-                       /* put in the session-id length (zero since there is no reuse) */
-#if 0
-                       s->session->session_id_length=0;
-#endif
-                       s2n(0,d);
-
-                       if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                               ch_len=SSL2_CHALLENGE_LENGTH;
-                       else
-                               ch_len=SSL2_MAX_CHALLENGE_LENGTH;
-
-                       /* write out sslv2 challenge */
-                       /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32),
-                          because it is one of SSL2_MAX_CHALLENGE_LENGTH (32)
-                          or SSL2_MAX_CHALLENGE_LENGTH (16), but leave the
-                          check in for futurproofing */
-                       if (SSL3_RANDOM_SIZE < ch_len)
-                               i=SSL3_RANDOM_SIZE;
-                       else
-                               i=ch_len;
-                       s2n(i,d);
-                       memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-                       if (RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
-                               return -1;
-
-                       memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-                       p+=i;
-
-                       i= p- &(buf[2]);
-                       buf[0]=((i>>8)&0xff)|0x80;
-                       buf[1]=(i&0xff);
-
-                       /* number of bytes to write */
-                       s->init_num=i+2;
-                       s->init_off=0;
-
-                       ssl3_finish_mac(s,&(buf[2]),i);
-                       }
-               else
-                       {
-                       /* create Client Hello in SSL 3.0/TLS 1.0 format */
-
-                       /* do the record header (5 bytes) and handshake message header (4 bytes) last */
-                       d = p = &(buf[9]);
-                       
-                       *(p++) = version_major;
-                       *(p++) = version_minor;
+               /* Random stuff */
+               memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
+               p += SSL3_RANDOM_SIZE;
 
-                       /* Random stuff */
-                       memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
-                       p += SSL3_RANDOM_SIZE;
+               /* Session ID (zero since there is no reuse) */
+               *(p++) = 0;
 
-                       /* Session ID (zero since there is no reuse) */
-                       *(p++) = 0;
-
-                       /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
-                       i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
-                       if (i == 0)
-                               {
-                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                               return -1;
-                               }
+               /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
+               i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),ssl3_put_cipher_by_char);
+               if (i == 0)
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+                       return -1;
+                       }
 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-                       /* Some servers hang if client hello > 256 bytes
-                        * as hack workaround chop number of supported ciphers
-                        * to keep it well below this if we use TLS v1.2
-                        */
-                       if (TLS1_get_version(s) >= TLS1_2_VERSION
-                               && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-                               i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+               /* Some servers hang if client hello > 256 bytes
+                * as hack workaround chop number of supported ciphers
+                * to keep it well below this if we use TLS v1.2
+                */
+               if (TLS1_get_version(s) >= TLS1_2_VERSION
+                       && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+                       i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
 #endif
-                       s2n(i,p);
-                       p+=i;
+               s2n(i,p);
+               p+=i;
 
-                       /* COMPRESSION */
+               /* COMPRESSION */
 #ifdef OPENSSL_NO_COMP
-                       *(p++)=1;
+               *(p++)=1;
 #else
-                       if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
-                               j=0;
-                       else
-                               j=sk_SSL_COMP_num(s->ctx->comp_methods);
-                       *(p++)=1+j;
-                       for (i=0; i<j; i++)
-                               {
-                               comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
-                               *(p++)=comp->id;
-                               }
+               if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
+                       j=0;
+               else
+                       j=sk_SSL_COMP_num(s->ctx->comp_methods);
+               *(p++)=1+j;
+               for (i=0; i<j; i++)
+                       {
+                       comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
+                       *(p++)=comp->id;
+                       }
 #endif
-                       *(p++)=0; /* Add the NULL method */
+               *(p++)=0; /* Add the NULL method */
 
 #ifndef OPENSSL_NO_TLSEXT
-                       /* TLS extensions*/
-                       if (ssl_prepare_clienthello_tlsext(s) <= 0)
-                               {
-                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
-                               return -1;
-                               }
-                       if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, &al)) == NULL)
-                               {
-                               ssl3_send_alert(s,SSL3_AL_FATAL,al);
-                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
-                               return -1;
-                               }
+               /* TLS extensions*/
+               if (ssl_prepare_clienthello_tlsext(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       return -1;
+                       }
+               if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, &al)) == NULL)
+                       {
+                       ssl3_send_alert(s,SSL3_AL_FATAL,al);
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+                       return -1;
+                       }
 #endif
-                       
-                       l = p-d;
+               
+               l = p-d;
 
-                       /* fill in 4-byte handshake header */
-                       d=&(buf[5]);
-                       *(d++)=SSL3_MT_CLIENT_HELLO;
-                       l2n3(l,d);
+               /* fill in 4-byte handshake header */
+               d=&(buf[5]);
+               *(d++)=SSL3_MT_CLIENT_HELLO;
+               l2n3(l,d);
 
-                       l += 4;
+               l += 4;
 
-                       if (l > SSL3_RT_MAX_PLAIN_LENGTH)
-                               {
-                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
-                               return -1;
-                               }
-                       
-                       /* fill in 5-byte record header */
-                       d=buf;
-                       *(d++) = SSL3_RT_HANDSHAKE;
-                       *(d++) = version_major;
-                       /* Some servers hang if we use long client hellos
-                        * and a record number > TLS 1.0.
-                        */
-                       if (TLS1_get_client_version(s) > TLS1_VERSION)
-                               *(d++) = 1;
-                       else
-                               *(d++) = version_minor;
-                       s2n((int)l,d);
-
-                       /* number of bytes to write */
-                       s->init_num=p-buf;
-                       s->init_off=0;
-
-                       ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
+               if (l > SSL3_RT_MAX_PLAIN_LENGTH)
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+                       return -1;
                        }
+               
+               /* fill in 5-byte record header */
+               d=buf;
+               *(d++) = SSL3_RT_HANDSHAKE;
+               *(d++) = version_major;
+               /* Some servers hang if we use long client hellos
+                * and a record number > TLS 1.0.
+                */
+               if (TLS1_get_client_version(s) > TLS1_VERSION)
+                       *(d++) = 1;
+               else
+                       *(d++) = version_minor;
+               s2n((int)l,d);
+
+               /* number of bytes to write */
+               s->init_num=p-buf;
+               s->init_off=0;
+
+               ssl3_finish_mac(s,&(buf[5]), s->init_num - 5);
 
                s->state=SSL23_ST_CW_CLNT_HELLO_B;
                s->init_off=0;
@@ -611,14 +487,8 @@ static int ssl23_client_hello(SSL *s)
        if ((ret >= 2) && s->msg_callback)
                {
                /* Client Hello has been sent; tell msg_callback */
-
-               if (ssl2_compat)
-                       s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg);
-               else
-                       {
-                       s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s, s->msg_callback_arg);
-                       s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
-                       }
+               s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s, s->msg_callback_arg);
+               s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data+5, ret-5, s, s->msg_callback_arg);
                }
 
        return ret;
@@ -638,78 +508,7 @@ static int ssl23_get_server_hello(SSL *s)
 
        memcpy(buf,p,n);
 
-       if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
-               (p[5] == 0x00) && (p[6] == 0x02))
-               {
-#ifdef OPENSSL_NO_SSL2
-               SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-               goto err;
-#else
-               /* we are talking sslv2 */
-               /* we need to clean up the SSLv3 setup and put in the
-                * sslv2 stuff. */
-               int ch_len;
-
-               if (s->options & SSL_OP_NO_SSLv2)
-                       {
-                       SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-                       goto err;
-                       }
-               if (s->s2 == NULL)
-                       {
-                       if (!ssl2_new(s))
-                               goto err;
-                       }
-               else
-                       ssl2_clear(s);
-
-               if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-                       ch_len=SSL2_CHALLENGE_LENGTH;
-               else
-                       ch_len=SSL2_MAX_CHALLENGE_LENGTH;
-
-               /* write out sslv2 challenge */
-               /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because
-                  it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or
-                  SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for
-                  futurproofing */
-               i=(SSL3_RANDOM_SIZE < ch_len)
-                       ?SSL3_RANDOM_SIZE:ch_len;
-               s->s2->challenge_length=i;
-               memcpy(s->s2->challenge,
-                       &(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-
-               if (s->s3 != NULL) ssl3_free(s);
-
-               if (!BUF_MEM_grow_clean(s->init_buf,
-                       SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                       {
-                       SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
-                       goto err;
-                       }
-
-               s->state=SSL2_ST_GET_SERVER_HELLO_A;
-               if (!(s->client_version == SSL2_VERSION))
-                       /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
-                       s->s2->ssl2_rollback=1;
-
-               /* setup the 7 bytes we have read so we get them from
-                * the sslv2 buffer */
-               s->rstate=SSL_ST_READ_HEADER;
-               s->packet_length=n;
-               s->packet= &(s->s2->rbuf[0]);
-               memcpy(s->packet,buf,n);
-               s->s2->rbuf_left=n;
-               s->s2->rbuf_offs=0;
-
-               /* we have already written one */
-               s->s2->write_sequence=1;
-
-               s->method=SSLv2_client_method();
-               s->handshake_func=s->method->ssl_connect;
-#endif
-               }
-       else if (p[1] == SSL3_VERSION_MAJOR &&
+       if (p[1] == SSL3_VERSION_MAJOR &&
                 p[2] <= TLS1_2_VERSION_MINOR &&
                 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
                  (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
index f3c29d1dde61ec93d6e3fce69853d53539769e73..961159939e72073b980927fb6da2214a65bac4bf 100644 (file)
@@ -67,46 +67,26 @@ long ssl23_default_timeout(void)
 
 int ssl23_num_ciphers(void)
        {
-       return(ssl3_num_ciphers()
-#ifndef OPENSSL_NO_SSL2
-              + ssl2_num_ciphers()
-#endif
-           );
+       return(ssl3_num_ciphers());
        }
 
 const SSL_CIPHER *ssl23_get_cipher(unsigned int u)
        {
-       unsigned int uu=ssl3_num_ciphers();
-
-       if (u < uu)
-               return(ssl3_get_cipher(u));
-       else
-#ifndef OPENSSL_NO_SSL2
-               return(ssl2_get_cipher(u-uu));
-#else
-               return(NULL);
-#endif
+       return(ssl3_get_cipher(u));
        }
 
 /* This function needs to check if the ciphers required are actually
  * available */
 const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
        {
-       const SSL_CIPHER *cp;
-
-       cp=ssl3_get_cipher_by_char(p);
-#ifndef OPENSSL_NO_SSL2
-       if (cp == NULL)
-               cp=ssl2_get_cipher_by_char(p);
-#endif
-       return(cp);
+       return(ssl3_get_cipher_by_char(p));
        }
 
 int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
        {
        long l;
 
-       /* We can write SSLv2 and SSLv3 ciphers */
+       /* We can write SSLv3 ciphers */
        /* but no ECC ciphers */
        if (c->algorithm_mkey == SSL_kECDHr ||
                c->algorithm_mkey == SSL_kECDHe ||
index 40eae0f0be624868f85f7cfb471aa80a32f5e368..bf4736d3abb2b12bd0081d01dcee77d5dedaf6a9 100644 (file)
 static const SSL_METHOD *ssl23_get_method(int ver);
 static const SSL_METHOD *ssl23_get_method(int ver)
        {
-#ifndef OPENSSL_NO_SSL2
-       if (ver == SSL2_VERSION)
-               return(SSLv2_method());
-       else
-#endif
 #ifndef OPENSSL_NO_SSL3
        if (ver == SSL3_VERSION)
                return(SSLv3_method());
index 858420dbeffdaf1d16cc75019d18666b4399e32e..cc91cc2ef4bc5b34ff295ac53a13281af966ead2 100644 (file)
@@ -123,10 +123,6 @@ static const SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
 static const SSL_METHOD *ssl23_get_server_method(int ver)
        {
-#ifndef OPENSSL_NO_SSL2
-       if (ver == SSL2_VERSION)
-               return(SSLv2_server_method());
-#endif
 #ifndef OPENSSL_NO_SSL3
        if (ver == SSL3_VERSION)
                return(SSLv3_server_method());
@@ -236,7 +232,6 @@ end:
        return(ret);
        }
 
-
 int ssl23_get_client_hello(SSL *s)
        {
        char buf_space[11]; /* Request this many bytes in initial read.
@@ -283,8 +278,6 @@ int ssl23_get_client_hello(SSL *s)
                                {
                                v[0]=p[3]; v[1]=p[4];
                                /* SSLv2 */
-                               if (!(s->options & SSL_OP_NO_SSLv2))
-                                       type=1;
                                }
                        else if (p[3] == SSL3_VERSION_MAJOR)
                                {
@@ -317,10 +310,6 @@ int ssl23_get_client_hello(SSL *s)
                                                /* type=2; */
                                                s->state=SSL23_ST_SR_CLNT_HELLO_B;
                                                }
-                                       else if (!(s->options & SSL_OP_NO_SSLv2))
-                                               {
-                                               type=1;
-                                               }
                                        }
                                else if (!(s->options & SSL_OP_NO_SSLv3))
                                        {
@@ -328,9 +317,6 @@ int ssl23_get_client_hello(SSL *s)
                                        /* type=2; */
                                        s->state=SSL23_ST_SR_CLNT_HELLO_B;
                                        }
-                               else if (!(s->options & SSL_OP_NO_SSLv2))
-                                       type=1;
-
                                }
                        }
                else if ((p[0] == SSL3_RT_HANDSHAKE) &&
@@ -564,54 +550,6 @@ int ssl23_get_client_hello(SSL *s)
        /* imaginary new state (for program structure): */
        /* s->state = SSL23_SR_CLNT_HELLO_C */
 
-       if (type == 1)
-               {
-#ifdef OPENSSL_NO_SSL2
-               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-               goto err;
-#else
-               /* we are talking sslv2 */
-               /* we need to clean up the SSLv3/TLSv1 setup and put in the
-                * sslv2 stuff. */
-
-               if (s->s2 == NULL)
-                       {
-                       if (!ssl2_new(s))
-                               goto err;
-                       }
-               else
-                       ssl2_clear(s);
-
-               if (s->s3 != NULL) ssl3_free(s);
-
-               if (!BUF_MEM_grow_clean(s->init_buf,
-                       SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                       {
-                       goto err;
-                       }
-
-               s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-               if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
-                       s->s2->ssl2_rollback=0;
-               else
-                       /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
-                        * (SSL 3.0 draft/RFC 2246, App. E.2) */
-                       s->s2->ssl2_rollback=1;
-
-               /* setup the n bytes we have read so we get them from
-                * the sslv2 buffer */
-               s->rstate=SSL_ST_READ_HEADER;
-               s->packet_length=n;
-               s->packet= &(s->s2->rbuf[0]);
-               memcpy(s->packet,buf,n);
-               s->s2->rbuf_left=n;
-               s->s2->rbuf_offs=0;
-
-               s->method=SSLv2_server_method();
-               s->handshake_func=s->method->ssl_accept;
-#endif
-               }
-
        if ((type == 2) || (type == 3))
                {
                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
@@ -655,8 +593,7 @@ int ssl23_get_client_hello(SSL *s)
 #endif
                s->handshake_func=s->method->ssl_accept;
                }
-       
-       if ((type < 1) || (type > 3))
+       else
                {
                /* bad, very bad */
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
deleted file mode 100644 (file)
index fbbd529..0000000
+++ /dev/null
@@ -1,1132 +0,0 @@
-/* ssl/s2_clnt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-#include <openssl/rand.h>
-#include <openssl/buffer.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-
-static const SSL_METHOD *ssl2_get_client_method(int ver);
-static int get_server_finished(SSL *s);
-static int get_server_verify(SSL *s);
-static int get_server_hello(SSL *s);
-static int client_hello(SSL *s); 
-static int client_master_key(SSL *s);
-static int client_finished(SSL *s);
-static int client_certificate(SSL *s);
-static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
-       unsigned char *to,int padding);
-#define BREAK  break
-
-static const SSL_METHOD *ssl2_get_client_method(int ver)
-       {
-       if (ver == SSL2_VERSION)
-               return(SSLv2_client_method());
-       else
-               return(NULL);
-       }
-
-IMPLEMENT_ssl2_meth_func(SSLv2_client_method,
-                       ssl_undefined_function,
-                       ssl2_connect,
-                       ssl2_get_client_method)
-
-int ssl2_connect(SSL *s)
-       {
-       unsigned long l=(unsigned long)time(NULL);
-       BUF_MEM *buf=NULL;
-       int ret= -1;
-       void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       int new_state,state;
-
-       RAND_add(&l,sizeof(l),0);
-       ERR_clear_error();
-       clear_sys_error();
-
-       if (s->info_callback != NULL)
-               cb=s->info_callback;
-       else if (s->ctx->info_callback != NULL)
-               cb=s->ctx->info_callback;
-
-       /* init things to blank */
-       s->in_handshake++;
-       if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
-
-       for (;;)
-               {
-               state=s->state;
-
-               switch (s->state)
-                       {
-               case SSL_ST_BEFORE:
-               case SSL_ST_CONNECT:
-               case SSL_ST_BEFORE|SSL_ST_CONNECT:
-               case SSL_ST_OK|SSL_ST_CONNECT:
-
-                       s->server=0;
-                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-
-                       s->version=SSL2_VERSION;
-                       s->type=SSL_ST_CONNECT;
-
-                       buf=s->init_buf;
-                       if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-                               {
-                               ret= -1;
-                               goto end;
-                               }
-                       if (!BUF_MEM_grow(buf,
-                               SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                               {
-                               if (buf == s->init_buf)
-                                       buf=NULL;
-                               ret= -1;
-                               goto end;
-                               }
-                       s->init_buf=buf;
-                       buf=NULL;
-                       s->init_num=0;
-                       s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
-                       s->ctx->stats.sess_connect++;
-                       s->handshake_func=ssl2_connect;
-                       BREAK;
-
-               case SSL2_ST_SEND_CLIENT_HELLO_A:
-               case SSL2_ST_SEND_CLIENT_HELLO_B:
-                       s->shutdown=0;
-                       ret=client_hello(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_GET_SERVER_HELLO_A;
-                       BREAK;
-               
-               case SSL2_ST_GET_SERVER_HELLO_A:
-               case SSL2_ST_GET_SERVER_HELLO_B:
-                       ret=get_server_hello(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       if (!s->hit) /* new session */
-                               {
-                               s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_A;
-                               BREAK; 
-                               }
-                       else
-                               {
-                               s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
-                               break;
-                               }
-       
-               case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:
-               case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:
-                       ret=client_master_key(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
-                       break;
-
-               case SSL2_ST_CLIENT_START_ENCRYPTION:
-                       /* Ok, we now have all the stuff needed to
-                        * start encrypting, so lets fire it up :-) */
-                       if (!ssl2_enc_init(s,1))
-                               {
-                               ret= -1;
-                               goto end;
-                               }
-                       s->s2->clear_text=0;
-                       s->state=SSL2_ST_SEND_CLIENT_FINISHED_A;
-                       break;
-
-               case SSL2_ST_SEND_CLIENT_FINISHED_A:
-               case SSL2_ST_SEND_CLIENT_FINISHED_B:
-                       ret=client_finished(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_GET_SERVER_VERIFY_A;
-                       break;
-
-               case SSL2_ST_GET_SERVER_VERIFY_A:
-               case SSL2_ST_GET_SERVER_VERIFY_B:
-                       ret=get_server_verify(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_GET_SERVER_FINISHED_A;
-                       break;
-
-               case SSL2_ST_GET_SERVER_FINISHED_A:
-               case SSL2_ST_GET_SERVER_FINISHED_B:
-                       ret=get_server_finished(s);
-                       if (ret <= 0) goto end;
-                       break;
-
-               case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:
-               case SSL2_ST_SEND_CLIENT_CERTIFICATE_B:
-               case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:
-               case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:
-               case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:
-                       ret=client_certificate(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_GET_SERVER_FINISHED_A;
-                       break;
-
-               case SSL_ST_OK:
-                       if (s->init_buf != NULL)
-                               {
-                               BUF_MEM_free(s->init_buf);
-                               s->init_buf=NULL;
-                               }
-                       s->init_num=0;
-               /*      ERR_clear_error();*/
-
-                       /* If we want to cache session-ids in the client
-                        * and we successfully add the session-id to the
-                        * cache, and there is a callback, then pass it out.
-                        * 26/11/96 - eay - only add if not a re-used session.
-                        */
-
-                       ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
-                       if (s->hit) s->ctx->stats.sess_hit++;
-
-                       ret=1;
-                       /* s->server=0; */
-                       s->ctx->stats.sess_connect_good++;
-
-                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
-
-                       goto end;
-                       /* break; */
-               default:
-                       SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE);
-                       return(-1);
-                       /* break; */
-                       }
-
-               if ((cb != NULL) && (s->state != state))
-                       {
-                       new_state=s->state;
-                       s->state=state;
-                       cb(s,SSL_CB_CONNECT_LOOP,1);
-                       s->state=new_state;
-                       }
-               }
-end:
-       s->in_handshake--;
-       if (buf != NULL)
-               BUF_MEM_free(buf);
-       if (cb != NULL) 
-               cb(s,SSL_CB_CONNECT_EXIT,ret);
-       return(ret);
-       }
-
-static int get_server_hello(SSL *s)
-       {
-       unsigned char *buf;
-       unsigned char *p;
-       int i,j;
-       unsigned long len;
-       STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
-
-       buf=(unsigned char *)s->init_buf->data;
-       p=buf;
-       if (s->state == SSL2_ST_GET_SERVER_HELLO_A)
-               {
-               i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
-               if (i < (11-s->init_num)) 
-                       return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
-               s->init_num = 11;
-
-               if (*(p++) != SSL2_MT_SERVER_HELLO)
-                       {
-                       if (p[-1] != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_SERVER_HELLO,
-                                       SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               SSLerr(SSL_F_GET_SERVER_HELLO,
-                                       SSL_R_PEER_ERROR);
-                       return(-1);
-                       }
-#if 0
-               s->hit=(*(p++))?1:0;
-               /* Some [PPC?] compilers fail to increment p in above
-                  statement, e.g. one provided with Rhapsody 5.5, but
-                  most recent example XL C 11.1 for AIX, even without
-                  optimization flag... */
-#else
-               s->hit=(*p)?1:0; p++;
-#endif
-               s->s2->tmp.cert_type= *(p++);
-               n2s(p,i);
-               if (i < s->version) s->version=i;
-               n2s(p,i); s->s2->tmp.cert_length=i;
-               n2s(p,i); s->s2->tmp.csl=i;
-               n2s(p,i); s->s2->tmp.conn_id_length=i;
-               s->state=SSL2_ST_GET_SERVER_HELLO_B;
-               }
-
-       /* SSL2_ST_GET_SERVER_HELLO_B */
-       len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length;
-       if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-               {
-               SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG);
-               return -1;
-               }
-       j = (int)len - s->init_num;
-       i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
-       if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
-
-       /* things are looking good */
-
-       p = buf + 11;
-       if (s->hit)
-               {
-               if (s->s2->tmp.cert_length != 0) 
-                       {
-                       SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_LENGTH_NOT_ZERO);
-                       return(-1);
-                       }
-               if (s->s2->tmp.cert_type != 0)
-                       {
-                       if (!(s->options &
-                               SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG))
-                               {
-                               SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_TYPE_NOT_ZERO);
-                               return(-1);
-                               }
-                       }
-               if (s->s2->tmp.csl != 0)
-                       {
-                       SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CIPHER_LIST_NOT_ZERO);
-                       return(-1);
-                       }
-               }
-       else
-               {
-#if 0
-               /* very bad */
-               memset(s->session->session_id,0,
-                       SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES);
-               s->session->session_id_length=0;
-#endif
-
-               /* we need to do this in case we were trying to reuse a 
-                * client session but others are already reusing it.
-                * If this was a new 'blank' session ID, the session-id
-                * length will still be 0 */
-               if (s->session->session_id_length > 0)
-                       {
-                       if (!ssl_get_new_session(s,0))
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               return(-1);
-                               }
-                       }
-
-               if (ssl2_set_certificate(s,s->s2->tmp.cert_type,
-                       s->s2->tmp.cert_length,p) <= 0)
-                       {
-                       ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
-                       return(-1);
-                       }
-               p+=s->s2->tmp.cert_length;
-
-               if (s->s2->tmp.csl == 0)
-                       {
-                       ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-                       SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_LIST);
-                       return(-1);
-                       }
-
-               /* We have just received a list of ciphers back from the
-                * server.  We need to get the ones that match, then select
-                * the one we want the most :-). */
-
-               /* load the ciphers */
-               sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl,
-                                           &s->session->ciphers);
-               p+=s->s2->tmp.csl;
-               if (sk == NULL)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
-                       return(-1);
-                       }
-
-               (void)sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
-
-               /* get the array of ciphers we will accept */
-               cl=SSL_get_ciphers(s);
-               (void)sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp);
-
-               /*
-                * If server preference flag set, choose the first
-                * (highest priority) cipher the server sends, otherwise
-                * client preference has priority.
-                */
-               if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
-                   {
-                   prio = sk;
-                   allow = cl;
-                   }
-               else
-                   {
-                   prio = cl;
-                   allow = sk;
-                   }
-               /* In theory we could have ciphers sent back that we
-                * don't want to use but that does not matter since we
-                * will check against the list we originally sent and
-                * for performance reasons we should not bother to match
-                * the two lists up just to check. */
-               for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
-                       {
-                       if (sk_SSL_CIPHER_find(allow,
-                                            sk_SSL_CIPHER_value(prio,i)) >= 0)
-                               break;
-                       }
-
-               if (i >= sk_SSL_CIPHER_num(prio))
-                       {
-                       ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-                       SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
-                       return(-1);
-                       }
-               s->session->cipher=sk_SSL_CIPHER_value(prio,i);
-
-
-               if (s->session->peer != NULL) /* can't happen*/
-                       {
-                       ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
-                       return(-1);
-                       }
-
-               s->session->peer = s->session->sess_cert->peer_key->x509;
-               /* peer_key->x509 has been set by ssl2_set_certificate. */
-               CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
-               }
-
-       if (s->session->sess_cert == NULL 
-      || s->session->peer != s->session->sess_cert->peer_key->x509)
-               /* can't happen */
-               {
-               ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
-               return(-1);
-               }
-               
-       s->s2->conn_id_length=s->s2->tmp.conn_id_length;
-       if (s->s2->conn_id_length > sizeof s->s2->conn_id)
-               {
-               ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG);
-               return -1;
-               }
-       memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
-       return(1);
-       }
-
-static int client_hello(SSL *s)
-       {
-       unsigned char *buf;
-       unsigned char *p,*d;
-/*     CIPHER **cipher;*/
-       int i,n,j;
-
-       buf=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A)
-               {
-               if ((s->session == NULL) ||
-                       (s->session->ssl_version != s->version))
-                       {
-                       if (!ssl_get_new_session(s,0))
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               return(-1);
-                               }
-                       }
-               /* else use the pre-loaded session */
-
-               p=buf;                                  /* header */
-               d=p+9;                                  /* data section */
-               *(p++)=SSL2_MT_CLIENT_HELLO;            /* type */
-               s2n(SSL2_VERSION,p);                    /* version */
-               n=j=0;
-
-               n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d,0);
-               d+=n;
-
-               if (n == 0)
-                       {
-                       SSLerr(SSL_F_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
-                       return(-1);
-                       }
-
-               s2n(n,p);                       /* cipher spec num bytes */
-
-               if ((s->session->session_id_length > 0) &&
-                       (s->session->session_id_length <=
-                       SSL2_MAX_SSL_SESSION_ID_LENGTH))
-                       {
-                       i=s->session->session_id_length;
-                       s2n(i,p);               /* session id length */
-                       memcpy(d,s->session->session_id,(unsigned int)i);
-                       d+=i;
-                       }
-               else
-                       {
-                       s2n(0,p);
-                       }
-
-               s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
-               s2n(SSL2_CHALLENGE_LENGTH,p);           /* challenge length */
-               /*challenge id data*/
-               if (RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
-                       return -1;
-               memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
-               d+=SSL2_CHALLENGE_LENGTH;
-
-               s->state=SSL2_ST_SEND_CLIENT_HELLO_B;
-               s->init_num=d-buf;
-               s->init_off=0;
-               }
-       /* SSL2_ST_SEND_CLIENT_HELLO_B */
-       return(ssl2_do_write(s));
-       }
-
-static int client_master_key(SSL *s)
-       {
-       unsigned char *buf;
-       unsigned char *p,*d;
-       int clear,enc,karg,i;
-       SSL_SESSION *sess;
-       const EVP_CIPHER *c;
-       const EVP_MD *md;
-
-       buf=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
-               {
-
-               if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL, 0))
-                       {
-                       ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-                       SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
-                       return(-1);
-                       }
-               sess=s->session;
-               p=buf;
-               d=p+10;
-               *(p++)=SSL2_MT_CLIENT_MASTER_KEY;/* type */
-
-               i=ssl_put_cipher_by_char(s,sess->cipher,p);
-               p+=i;
-
-               /* make key_arg data */
-               i=EVP_CIPHER_iv_length(c);
-               sess->key_arg_length=i;
-               if (i > SSL_MAX_KEY_ARG_LENGTH)
-                       {
-                       ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
-                       return -1;
-                       }
-               if (i > 0)
-                       if (RAND_pseudo_bytes(sess->key_arg,i) <= 0)
-                               return -1;
-
-               /* make a master key */
-               i=EVP_CIPHER_key_length(c);
-               sess->master_key_length=i;
-               if (i > 0)
-                       {
-                       if (i > (int)sizeof(sess->master_key))
-                               {
-                               ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
-                               return -1;
-                               }
-                       if (RAND_bytes(sess->master_key,i) <= 0)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               return(-1);
-                               }
-                       }
-
-               if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
-                       enc=8;
-               else if (SSL_C_IS_EXPORT(sess->cipher))
-                       enc=5;
-               else
-                       enc=i;
-
-               if ((int)i < enc)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_CIPHER_TABLE_SRC_ERROR);
-                       return(-1);
-                       }
-               clear=i-enc;
-               s2n(clear,p);
-               memcpy(d,sess->master_key,(unsigned int)clear);
-               d+=clear;
-
-               enc=ssl_rsa_public_encrypt(sess->sess_cert,enc,
-                       &(sess->master_key[clear]),d,
-                       (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-               if (enc <= 0)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
-                       return(-1);
-                       }
-#ifdef PKCS1_CHECK
-               if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++;
-               if (s->options & SSL_OP_PKCS1_CHECK_2)
-                       sess->master_key[clear]++;
-#endif
-               s2n(enc,p);
-               d+=enc;
-               karg=sess->key_arg_length;      
-               s2n(karg,p); /* key arg size */
-               if (karg > (int)sizeof(sess->key_arg))
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
-                       return -1;
-                       }
-               memcpy(d,sess->key_arg,(unsigned int)karg);
-               d+=karg;
-
-               s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_B;
-               s->init_num=d-buf;
-               s->init_off=0;
-               }
-
-       /* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */
-       return(ssl2_do_write(s));
-       }
-
-static int client_finished(SSL *s)
-       {
-       unsigned char *p;
-
-       if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A)
-               {
-               p=(unsigned char *)s->init_buf->data;
-               *(p++)=SSL2_MT_CLIENT_FINISHED;
-               if (s->s2->conn_id_length > sizeof s->s2->conn_id)
-                       {
-                       SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
-                       return -1;
-                       }
-               memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
-
-               s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
-               s->init_num=s->s2->conn_id_length+1;
-               s->init_off=0;
-               }
-       return(ssl2_do_write(s));
-       }
-
-/* read the data and then respond */
-static int client_certificate(SSL *s)
-       {
-       unsigned char *buf;
-       unsigned char *p,*d;
-       int i;
-       unsigned int n;
-       int cert_ch_len;
-       unsigned char *cert_ch;
-
-       buf=(unsigned char *)s->init_buf->data;
-
-       /* We have a cert associated with the SSL, so attach it to
-        * the session if it does not have one */
-
-       if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
-               {
-               i=ssl2_read(s,(char *)&(buf[s->init_num]),
-                       SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
-               if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
-                       return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
-               s->init_num += i;
-               if (s->msg_callback)
-                       s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */
-
-               /* type=buf[0]; */
-               /* type eq x509 */
-               if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
-                       SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE);
-                       return(-1);
-                       }
-
-               if ((s->cert == NULL) ||
-                       (s->cert->key->x509 == NULL) ||
-                       (s->cert->key->privatekey == NULL))
-                       {
-                       s->state=SSL2_ST_X509_GET_CLIENT_CERTIFICATE;
-                       }
-               else
-                       s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
-               }
-
-       cert_ch = buf + 2;
-       cert_ch_len = s->init_num - 2;
-
-       if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE)
-               {
-               X509 *x509=NULL;
-               EVP_PKEY *pkey=NULL;
-
-               /* If we get an error we need to
-                * ssl->rwstate=SSL_X509_LOOKUP;
-                * return(error);
-                * We should then be retried when things are ok and we
-                * can get a cert or not */
-
-               i=0;
-               if (s->ctx->client_cert_cb != NULL)
-                       {
-                       i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
-                       }
-
-               if (i < 0)
-                       {
-                       s->rwstate=SSL_X509_LOOKUP;
-                       return(-1);
-                       }
-               s->rwstate=SSL_NOTHING;
-
-               if ((i == 1) && (pkey != NULL) && (x509 != NULL))
-                       {
-                       s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
-                       if (    !SSL_use_certificate(s,x509) || 
-                               !SSL_use_PrivateKey(s,pkey))
-                               {
-                               i=0;
-                               }
-                       X509_free(x509);
-                       EVP_PKEY_free(pkey);
-                       }
-               else if (i == 1)
-                       {
-                       if (x509 != NULL) X509_free(x509);
-                       if (pkey != NULL) EVP_PKEY_free(pkey);
-                       SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-                       i=0;
-                       }
-
-               if (i == 0)
-                       {
-                       /* We have no client certificate to respond with
-                        * so send the correct error message back */
-                       s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_B;
-                       p=buf;
-                       *(p++)=SSL2_MT_ERROR;
-                       s2n(SSL2_PE_NO_CERTIFICATE,p);
-                       s->init_off=0;
-                       s->init_num=3;
-                       /* Write is done at the end */
-                       }
-               }
-
-       if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B)
-               {
-               return(ssl2_do_write(s));
-               }
-
-       if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C)
-               {
-               EVP_MD_CTX ctx;
-
-               /* ok, now we calculate the checksum
-                * do it first so we can reuse buf :-) */
-               p=buf;
-               EVP_MD_CTX_init(&ctx);
-               EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL);
-               EVP_SignUpdate(&ctx,s->s2->key_material,
-                              s->s2->key_material_length);
-               EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
-               i=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
-               /* Don't update the signature if it fails - FIXME: probably should handle this better */
-               if(i > 0)
-                       EVP_SignUpdate(&ctx,buf,(unsigned int)i);
-
-               p=buf;
-               d=p+6;
-               *(p++)=SSL2_MT_CLIENT_CERTIFICATE;
-               *(p++)=SSL2_CT_X509_CERTIFICATE;
-               n=i2d_X509(s->cert->key->x509,&d);
-               s2n(n,p);
-
-               if (!EVP_SignFinal(&ctx,d,&n,s->cert->key->privatekey))
-                       {
-                       /* this is not good.  If things have failed it
-                        * means there so something wrong with the key.
-                        * We will continue with a 0 length signature
-                        */
-                       }
-               EVP_MD_CTX_cleanup(&ctx);
-               s2n(n,p);
-               d+=n;
-
-               s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_D;
-               s->init_num=d-buf;
-               s->init_off=0;
-               }
-       /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */
-       return(ssl2_do_write(s));
-       }
-
-static int get_server_verify(SSL *s)
-       {
-       unsigned char *p;
-       int i, n, len;
-
-       p=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_GET_SERVER_VERIFY_A)
-               {
-               i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
-               if (i < (1-s->init_num)) 
-                       return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
-               s->init_num += i;
-
-               s->state= SSL2_ST_GET_SERVER_VERIFY_B;
-               if (*p != SSL2_MT_SERVER_VERIFY)
-                       {
-                       if (p[0] != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_SERVER_VERIFY,
-                                       SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               {
-                               SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR);
-                               /* try to read the error message */
-                               i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
-                               return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
-                               }
-                       return(-1);
-                       }
-               }
-       
-       p=(unsigned char *)s->init_buf->data;
-       len = 1 + s->s2->challenge_length;
-       n =  len - s->init_num;
-       i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-       if (i < n)
-               return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
-       p += 1;
-
-       if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
-               return(-1);
-               }
-       return(1);
-       }
-
-static int get_server_finished(SSL *s)
-       {
-       unsigned char *buf;
-       unsigned char *p;
-       int i, n, len;
-
-       buf=(unsigned char *)s->init_buf->data;
-       p=buf;
-       if (s->state == SSL2_ST_GET_SERVER_FINISHED_A)
-               {
-               i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num);
-               if (i < (1-s->init_num))
-                       return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
-               s->init_num += i;
-
-               if (*p == SSL2_MT_REQUEST_CERTIFICATE)
-                       {
-                       s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
-                       return(1);
-                       }
-               else if (*p != SSL2_MT_SERVER_FINISHED)
-                       {
-                       if (p[0] != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               {
-                               SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
-                               /* try to read the error message */
-                               i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
-                               return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
-                               }
-                       return(-1);
-                       }
-               s->state=SSL2_ST_GET_SERVER_FINISHED_B;
-               }
-
-       len = 1 + SSL2_SSL_SESSION_ID_LENGTH;
-       n = len - s->init_num;
-       i = ssl2_read(s,(char *)&(buf[s->init_num]), n);
-       if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
-               return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
-       s->init_num += i;
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */
-
-       if (!s->hit) /* new session */
-               {
-               /* new session-id */
-               /* Make sure we were not trying to re-use an old SSL_SESSION
-                * or bad things can happen */
-               /* ZZZZZZZZZZZZZ */
-               s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
-               memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
-               }
-       else
-               {
-               if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
-                       {
-                       if ((s->session->session_id_length > sizeof s->session->session_id)
-                           || (0 != memcmp(buf + 1, s->session->session_id,
-                                           (unsigned int)s->session->session_id_length)))
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_SSL_SESSION_ID_IS_DIFFERENT);
-                               return(-1);
-                               }
-                       }
-               }
-       s->state = SSL_ST_OK;
-       return(1);
-       }
-
-/* loads in the certificate from the server */
-int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data)
-       {
-       STACK_OF(X509) *sk=NULL;
-       EVP_PKEY *pkey=NULL;
-       SESS_CERT *sc=NULL;
-       int i;
-       X509 *x509=NULL;
-       int ret=0;
-       
-       x509=d2i_X509(NULL,&data,(long)len);
-       if (x509 == NULL)
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_X509_LIB);
-               goto err;
-               }
-
-       if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509))
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-               goto err;
-               }
-
-       i=ssl_verify_cert_chain(s,sk);
-               
-       if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0))
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
-               goto err;
-               }
-       ERR_clear_error(); /* but we keep s->verify_result */
-       s->session->verify_result = s->verify_result;
-
-       if (i > 1)
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE, i);
-               goto err;
-               }
-
-       /* server's cert for this session */
-       sc=ssl_sess_cert_new();
-       if (sc == NULL)
-               {
-               ret= -1;
-               goto err;
-               }
-       if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
-       s->session->sess_cert=sc;
-
-       sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509;
-       sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
-
-       pkey=X509_get_pubkey(x509);
-       x509=NULL;
-       if (pkey == NULL)
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY);
-               goto err;
-               }
-       if (pkey->type != EVP_PKEY_RSA)
-               {
-               SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_PUBLIC_KEY_NOT_RSA);
-               goto err;
-               }
-
-       if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE))
-               goto err;
-       ret=1;
-err:
-       sk_X509_free(sk);
-       X509_free(x509);
-       EVP_PKEY_free(pkey);
-       return(ret);
-       }
-
-static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
-            unsigned char *to, int padding)
-       {
-       EVP_PKEY *pkey=NULL;
-       int i= -1;
-
-       if ((sc == NULL) || (sc->peer_key->x509 == NULL) ||
-               ((pkey=X509_get_pubkey(sc->peer_key->x509)) == NULL))
-               {
-               SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_NO_PUBLICKEY);
-               return(-1);
-               }
-       if (pkey->type != EVP_PKEY_RSA)
-               {
-               SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
-               goto end;
-               }
-
-       /* we have the public key */
-       i=RSA_public_encrypt(len,from,to,pkey->pkey.rsa,padding);
-       if (i < 0)
-               SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB);
-end:
-       EVP_PKEY_free(pkey);
-       return(i);
-       }
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c
deleted file mode 100644 (file)
index 329006a..0000000
+++ /dev/null
@@ -1,197 +0,0 @@
-/* ssl/s2_enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-
-int ssl2_enc_init(SSL *s, int client)
-       {
-       /* Max number of bytes needed */
-       EVP_CIPHER_CTX *rs,*ws;
-       const EVP_CIPHER *c;
-       const EVP_MD *md;
-       int num;
-
-       if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL, 0))
-               {
-               ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-               SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
-               return(0);
-               }
-       ssl_replace_hash(&s->read_hash,md);
-       ssl_replace_hash(&s->write_hash,md);
-
-       if ((s->enc_read_ctx == NULL) &&
-               ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
-               OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
-               goto err;
-
-       /* make sure it's intialized in case the malloc for enc_write_ctx fails
-        * and we exit with an error */
-       rs= s->enc_read_ctx;
-       EVP_CIPHER_CTX_init(rs);
-
-       if ((s->enc_write_ctx == NULL) &&
-               ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
-               OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
-               goto err;
-
-       ws= s->enc_write_ctx;
-       EVP_CIPHER_CTX_init(ws);
-
-       num=c->key_len;
-       s->s2->key_material_length=num*2;
-       OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
-
-       if (ssl2_generate_key_material(s) <= 0)
-               return 0;
-
-       OPENSSL_assert(c->iv_len <= (int)sizeof(s->session->key_arg));
-       EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
-               s->session->key_arg);
-       EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
-               s->session->key_arg);
-       s->s2->read_key=  &(s->s2->key_material[(client)?0:num]);
-       s->s2->write_key= &(s->s2->key_material[(client)?num:0]);
-       return(1);
-err:
-       SSLerr(SSL_F_SSL2_ENC_INIT,ERR_R_MALLOC_FAILURE);
-       return(0);
-       }
-
-/* read/writes from s->s2->mac_data using length for encrypt and 
- * decrypt.  It sets s->s2->padding and s->[rw]length
- * if we are encrypting
- * Returns 0 on error and 1 on success */
-int ssl2_enc(SSL *s, int send)
-       {
-       EVP_CIPHER_CTX *ds;
-       unsigned long l;
-       int bs;
-
-       if (send)
-               {
-               ds=s->enc_write_ctx;
-               l=s->s2->wlength;
-               }
-       else
-               {
-               ds=s->enc_read_ctx;
-               l=s->s2->rlength;
-               }
-
-       /* check for NULL cipher */
-       if (ds == NULL) return 1;
-
-
-       bs=ds->cipher->block_size;
-       /* This should be using (bs-1) and bs instead of 7 and 8, but
-        * what the hell. */
-       if (bs == 8)
-               l=(l+7)/8*8;
-
-       if(EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l) < 1)
-               return 0;
-
-       return 1;
-       }
-
-void ssl2_mac(SSL *s, unsigned char *md, int send)
-       {
-       EVP_MD_CTX c;
-       unsigned char sequence[4],*p,*sec,*act;
-       unsigned long seq;
-       unsigned int len;
-
-       if (send)
-               {
-               seq=s->s2->write_sequence;
-               sec=s->s2->write_key;
-               len=s->s2->wact_data_length;
-               act=s->s2->wact_data;
-               }
-       else
-               {
-               seq=s->s2->read_sequence;
-               sec=s->s2->read_key;
-               len=s->s2->ract_data_length;
-               act=s->s2->ract_data;
-               }
-
-       p= &(sequence[0]);
-       l2n(seq,p);
-
-       /* There has to be a MAC algorithm. */
-       EVP_MD_CTX_init(&c);
-       EVP_MD_CTX_copy(&c, s->read_hash);
-       EVP_DigestUpdate(&c,sec,
-               EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
-       EVP_DigestUpdate(&c,act,len); 
-       /* the above line also does the pad data */
-       EVP_DigestUpdate(&c,sequence,4); 
-       EVP_DigestFinal_ex(&c,md,NULL);
-       EVP_MD_CTX_cleanup(&c);
-       }
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
deleted file mode 100644 (file)
index 41818dc..0000000
+++ /dev/null
@@ -1,555 +0,0 @@
-/* ssl/s2_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/md5.h>
-
-const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT;
-
-#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
-
-/* list of available SSLv2 ciphers (sorted by id) */
-OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
-#if 0
-/* NULL_WITH_MD5 v3 */
-       {
-       1,
-       SSL2_TXT_NULL_WITH_MD5,
-       SSL2_CK_NULL_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_eNULL,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
-       0,
-       0,
-       0,
-       },
-#endif
-
-/* RC4_128_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC4_128_WITH_MD5,
-       SSL2_CK_RC4_128_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_RC4,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_MEDIUM,
-       0,
-       128,
-       128,
-       },
-
-/* RC4_128_EXPORT40_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
-       SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_RC4,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_EXPORT|SSL_EXP40,
-       SSL2_CF_5_BYTE_ENC,
-       40,
-       128,
-       },
-
-/* RC2_128_CBC_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC2_128_CBC_WITH_MD5,
-       SSL2_CK_RC2_128_CBC_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_RC2,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_MEDIUM,
-       0,
-       128,
-       128,
-       },
-
-/* RC2_128_CBC_EXPORT40_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
-       SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_RC2,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_EXPORT|SSL_EXP40,
-       SSL2_CF_5_BYTE_ENC,
-       40,
-       128,
-       },
-
-#ifndef OPENSSL_NO_IDEA
-/* IDEA_128_CBC_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_IDEA_128_CBC_WITH_MD5,
-       SSL2_CK_IDEA_128_CBC_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_IDEA,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_MEDIUM,
-       0,
-       128,
-       128,
-       },
-#endif
-
-/* DES_64_CBC_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_DES_64_CBC_WITH_MD5,
-       SSL2_CK_DES_64_CBC_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_DES,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_LOW,
-       0,
-       56,
-       56,
-       },
-
-/* DES_192_EDE3_CBC_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
-       SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_3DES,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_HIGH,
-       0,
-       112,
-       168,
-       },
-
-#if 0
-/* RC4_64_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC4_64_WITH_MD5,
-       SSL2_CK_RC4_64_WITH_MD5,
-       SSL_kRSA,
-       SSL_aRSA,
-       SSL_RC4,
-       SSL_MD5,
-       SSL_SSLV2,
-       SSL_NOT_EXP|SSL_LOW,
-       SSL2_CF_8_BYTE_ENC,
-       64,
-       64,
-       },
-#endif
-
-#if 0
-/* NULL SSLeay (testing) */
-       {       
-       0,
-       SSL2_TXT_NULL,
-       SSL2_CK_NULL,
-       0,
-       0,
-       0,
-       0,
-       SSL_SSLV2,
-       SSL_STRONG_NONE,
-       0,
-       0,
-       0,
-       },
-#endif
-
-/* end of list :-) */
-       };
-
-long ssl2_default_timeout(void)
-       {
-       return(300);
-       }
-
-int ssl2_num_ciphers(void)
-       {
-       return(SSL2_NUM_CIPHERS);
-       }
-
-const SSL_CIPHER *ssl2_get_cipher(unsigned int u)
-       {
-       if (u < SSL2_NUM_CIPHERS)
-               return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u]));
-       else
-               return(NULL);
-       }
-
-int ssl2_pending(const SSL *s)
-       {
-       return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
-       }
-
-int ssl2_new(SSL *s)
-       {
-       SSL2_STATE *s2;
-
-       if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
-       memset(s2,0,sizeof *s2);
-
-#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
-#  error "assertion failed"
-#endif
-
-       if ((s2->rbuf=OPENSSL_malloc(
-               SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
-       /* wbuf needs one byte more because when using two-byte headers,
-        * we leave the first byte unused in do_ssl_write (s2_pkt.c) */
-       if ((s2->wbuf=OPENSSL_malloc(
-               SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
-       s->s2=s2;
-
-       ssl2_clear(s);
-       return(1);
-err:
-       if (s2 != NULL)
-               {
-               if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
-               if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
-               OPENSSL_free(s2);
-               }
-       return(0);
-       }
-
-void ssl2_free(SSL *s)
-       {
-       SSL2_STATE *s2;
-
-       if(s == NULL)
-           return;
-
-       s2=s->s2;
-       if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
-       if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
-       OPENSSL_cleanse(s2,sizeof *s2);
-       OPENSSL_free(s2);
-       s->s2=NULL;
-       }
-
-void ssl2_clear(SSL *s)
-       {
-       SSL2_STATE *s2;
-       unsigned char *rbuf,*wbuf;
-
-       s2=s->s2;
-
-       rbuf=s2->rbuf;
-       wbuf=s2->wbuf;
-
-       memset(s2,0,sizeof *s2);
-
-       s2->rbuf=rbuf;
-       s2->wbuf=wbuf;
-       s2->clear_text=1;
-       s->packet=s2->rbuf;
-       s->version=SSL2_VERSION;
-       s->packet_length=0;
-       }
-
-long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
-       {
-       int ret=0;
-
-       switch(cmd)
-               {
-       case SSL_CTRL_GET_SESSION_REUSED:
-               ret=s->hit;
-               break;
-       case SSL_CTRL_CHECK_PROTO_VERSION:
-               return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
-       default:
-               break;
-               }
-       return(ret);
-       }
-
-long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
-       {
-       return(0);
-       }
-
-long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
-       {
-       return(0);
-       }
-
-long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
-       {
-       return(0);
-       }
-
-/* This function needs to check if the ciphers required are actually
- * available */
-const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
-       {
-       SSL_CIPHER c;
-       const SSL_CIPHER *cp;
-       unsigned long id;
-
-       id=0x02000000L|((unsigned long)p[0]<<16L)|
-               ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
-       c.id=id;
-       cp = OBJ_bsearch_ssl_cipher_id(&c, ssl2_ciphers, SSL2_NUM_CIPHERS);
-       return cp;
-       }
-
-int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
-       {
-       long l;
-
-       if (p != NULL)
-               {
-               l=c->id;
-               if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
-               p[0]=((unsigned char)(l>>16L))&0xFF;
-               p[1]=((unsigned char)(l>> 8L))&0xFF;
-               p[2]=((unsigned char)(l     ))&0xFF;
-               }
-       return(3);
-       }
-
-int ssl2_generate_key_material(SSL *s)
-       {
-       unsigned int i;
-       EVP_MD_CTX ctx;
-       unsigned char *km;
-       unsigned char c='0';
-       const EVP_MD *md5;
-       int md_size;
-
-       md5 = EVP_md5();
-
-#ifdef CHARSET_EBCDIC
-       c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0',
-                               see SSLv2 docu */
-#endif
-       EVP_MD_CTX_init(&ctx);
-       km=s->s2->key_material;
-
-       if (s->session->master_key_length < 0 ||
-                       s->session->master_key_length > (int)sizeof(s->session->master_key))
-               {
-               SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
-               return 0;
-               }
-       md_size = EVP_MD_size(md5);
-       if (md_size < 0)
-           return 0;
-       for (i=0; i<s->s2->key_material_length; i += md_size)
-               {
-               if (((km - s->s2->key_material) + md_size) >
-                               (int)sizeof(s->s2->key_material))
-                       {
-                       /* EVP_DigestFinal_ex() below would write beyond buffer */
-                       SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
-                       return 0;
-                       }
-
-               EVP_DigestInit_ex(&ctx, md5, NULL);
-
-               OPENSSL_assert(s->session->master_key_length >= 0
-                   && s->session->master_key_length
-                   < (int)sizeof(s->session->master_key));
-               EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
-               EVP_DigestUpdate(&ctx,&c,1);
-               c++;
-               EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length);
-               EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length);
-               EVP_DigestFinal_ex(&ctx,km,NULL);
-               km += md_size;
-               }
-
-       EVP_MD_CTX_cleanup(&ctx);
-       return 1;
-       }
-
-void ssl2_return_error(SSL *s, int err)
-       {
-       if (!s->error)
-               {
-               s->error=3;
-               s->error_code=err;
-
-               ssl2_write_error(s);
-               }
-       }
-
-
-void ssl2_write_error(SSL *s)
-       {
-       unsigned char buf[3];
-       int i,error;
-
-       buf[0]=SSL2_MT_ERROR;
-       buf[1]=(s->error_code>>8)&0xff;
-       buf[2]=(s->error_code)&0xff;
-
-/*     state=s->rwstate;*/
-
-       error=s->error; /* number of bytes left to write */
-       s->error=0;
-       OPENSSL_assert(error >= 0 && error <= (int)sizeof(buf));
-       i=ssl2_write(s,&(buf[3-error]),error);
-
-/*     if (i == error) s->rwstate=state; */
-
-       if (i < 0)
-               s->error=error;
-       else
-               {
-               s->error=error-i;
-
-               if (s->error == 0)
-                       if (s->msg_callback)
-                               s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */
-               }
-       }
-
-int ssl2_shutdown(SSL *s)
-       {
-       s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
-       return(1);
-       }
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
deleted file mode 100644 (file)
index f0e8ca5..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-/* ssl/s2_meth.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-#include <openssl/objects.h>
-
-static const SSL_METHOD *ssl2_get_method(int ver);
-static const SSL_METHOD *ssl2_get_method(int ver)
-       {
-       if (ver == SSL2_VERSION)
-               return(SSLv2_method());
-       else
-               return(NULL);
-       }
-
-IMPLEMENT_ssl2_meth_func(SSLv2_method,
-                        ssl2_accept,
-                        ssl2_connect,
-                        ssl2_get_method)
-
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
deleted file mode 100644 (file)
index acd61dc..0000000
+++ /dev/null
@@ -1,748 +0,0 @@
-/* ssl/s2_pkt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-#include <errno.h>
-#define USE_SOCKETS
-
-static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
-static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
-static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
-static int ssl_mt_error(int n);
-
-
-/* SSL 2.0 imlementation for SSL_read/SSL_peek -
- * This routine will return 0 to len bytes, decrypted etc if required.
- */
-static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
-       {
-       int n;
-       unsigned char mac[MAX_MAC_SIZE];
-       unsigned char *p;
-       int i;
-       int mac_size;
-
- ssl2_read_again:
-       if (SSL_in_init(s) && !s->in_handshake)
-               {
-               n=s->handshake_func(s);
-               if (n < 0) return(n);
-               if (n == 0)
-                       {
-                       SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE);
-                       return(-1);
-                       }
-               }
-
-       clear_sys_error();
-       s->rwstate=SSL_NOTHING;
-       if (len <= 0) return(len);
-
-       if (s->s2->ract_data_length != 0) /* read from buffer */
-               {
-               if (len > s->s2->ract_data_length)
-                       n=s->s2->ract_data_length;
-               else
-                       n=len;
-
-               memcpy(buf,s->s2->ract_data,(unsigned int)n);
-               if (!peek)
-                       {
-                       s->s2->ract_data_length-=n;
-                       s->s2->ract_data+=n;
-                       if (s->s2->ract_data_length == 0)
-                               s->rstate=SSL_ST_READ_HEADER;
-                       }
-
-               return(n);
-               }
-
-       /* s->s2->ract_data_length == 0
-        * 
-        * Fill the buffer, then goto ssl2_read_again.
-        */
-
-       if (s->rstate == SSL_ST_READ_HEADER)
-               {
-               if (s->first_packet)
-                       {
-                       n=read_n(s,5,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
-                       if (n <= 0) return(n); /* error or non-blocking */
-                       s->first_packet=0;
-                       p=s->packet;
-                       if (!((p[0] & 0x80) && (
-                               (p[2] == SSL2_MT_CLIENT_HELLO) ||
-                               (p[2] == SSL2_MT_SERVER_HELLO))))
-                               {
-                               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET);
-                               return(-1);
-                               }
-                       }
-               else
-                       {
-                       n=read_n(s,2,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
-                       if (n <= 0) return(n); /* error or non-blocking */
-                       }
-               /* part read stuff */
-
-               s->rstate=SSL_ST_READ_BODY;
-               p=s->packet;
-               /* Do header */
-               /*s->s2->padding=0;*/
-               s->s2->escape=0;
-               s->s2->rlength=(((unsigned int)p[0])<<8)|((unsigned int)p[1]);
-               if ((p[0] & TWO_BYTE_BIT))              /* Two byte header? */
-                       {
-                       s->s2->three_byte_header=0;
-                       s->s2->rlength&=TWO_BYTE_MASK;  
-                       }
-               else
-                       {
-                       s->s2->three_byte_header=1;
-                       s->s2->rlength&=THREE_BYTE_MASK;
-
-                       /* security >s2->escape */
-                       s->s2->escape=((p[0] & SEC_ESC_BIT))?1:0;
-                       }
-               }
-
-       if (s->rstate == SSL_ST_READ_BODY)
-               {
-               n=s->s2->rlength+2+s->s2->three_byte_header;
-               if (n > (int)s->packet_length)
-                       {
-                       n-=s->packet_length;
-                       i=read_n(s,(unsigned int)n,(unsigned int)n,1);
-                       if (i <= 0) return(i); /* ERROR */
-                       }
-
-               p= &(s->packet[2]);
-               s->rstate=SSL_ST_READ_HEADER;
-               if (s->s2->three_byte_header)
-                       s->s2->padding= *(p++);
-               else    s->s2->padding=0;
-
-               /* Data portion */
-               if (s->s2->clear_text)
-                       {
-                       mac_size = 0;
-                       s->s2->mac_data=p;
-                       s->s2->ract_data=p;
-                       if (s->s2->padding)
-                               {
-                               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
-                               return(-1);
-                               }
-                       }
-               else
-                       {
-                       mac_size=EVP_MD_CTX_size(s->read_hash);
-                       if (mac_size < 0)
-                               return -1;
-                       OPENSSL_assert(mac_size <= MAX_MAC_SIZE);
-                       s->s2->mac_data=p;
-                       s->s2->ract_data= &p[mac_size];
-                       if (s->s2->padding + mac_size > s->s2->rlength)
-                               {
-                               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
-                               return(-1);
-                               }
-                       }
-
-               s->s2->ract_data_length=s->s2->rlength;
-               /* added a check for length > max_size in case
-                * encryption was not turned on yet due to an error */
-               if ((!s->s2->clear_text) &&
-                       (s->s2->rlength >= (unsigned int)mac_size))
-                       {
-                       if(!ssl2_enc(s,0))
-                               {
-                               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_DECRYPTION_FAILED);
-                               return(-1);
-                               }
-                       s->s2->ract_data_length-=mac_size;
-                       ssl2_mac(s,mac,0);
-                       s->s2->ract_data_length-=s->s2->padding;
-                       if (    (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
-                               (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
-                               {
-                               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
-                               return(-1);
-                               }
-                       }
-               INC32(s->s2->read_sequence); /* expect next number */
-               /* s->s2->ract_data is now available for processing */
-
-               /* Possibly the packet that we just read had 0 actual data bytes.
-                * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
-                * In this case, returning 0 would be interpreted by the caller
-                * as indicating EOF, so it's not a good idea.  Instead, we just
-                * continue reading; thus ssl2_read_internal may have to process
-                * multiple packets before it can return.
-                *
-                * [Note that using select() for blocking sockets *never* guarantees
-                * that the next SSL_read will not block -- the available
-                * data may contain incomplete packets, and except for SSL 2,
-                * renegotiation can confuse things even more.] */
-
-               goto ssl2_read_again; /* This should really be
-                                      * "return ssl2_read(s,buf,len)",
-                                      * but that would allow for
-                                      * denial-of-service attacks if a
-                                      * C compiler is used that does not
-                                      * recognize end-recursion. */
-               }
-       else
-               {
-               SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE);
-                       return(-1);
-               }
-       }
-
-int ssl2_read(SSL *s, void *buf, int len)
-       {
-       return ssl2_read_internal(s, buf, len, 0);
-       }
-
-int ssl2_peek(SSL *s, void *buf, int len)
-       {
-       return ssl2_read_internal(s, buf, len, 1);
-       }
-
-static int read_n(SSL *s, unsigned int n, unsigned int max,
-            unsigned int extend)
-       {
-       int i,off,newb;
-
-       /* if there is stuff still in the buffer from a previous read,
-        * and there is more than we want, take some. */
-       if (s->s2->rbuf_left >= (int)n)
-               {
-               if (extend)
-                       s->packet_length+=n;
-               else
-                       {
-                       s->packet= &(s->s2->rbuf[s->s2->rbuf_offs]);
-                       s->packet_length=n;
-                       }
-               s->s2->rbuf_left-=n;
-               s->s2->rbuf_offs+=n;
-               return(n);
-               }
-
-       if (!s->read_ahead) max=n;
-       if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2))
-               max=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2;
-       
-
-       /* Else we want more than we have.
-        * First, if there is some left or we want to extend */
-       off=0;
-       if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend))
-               {
-               newb=s->s2->rbuf_left;
-               if (extend)
-                       {
-                       off=s->packet_length;
-                       if (s->packet != s->s2->rbuf)
-                               memcpy(s->s2->rbuf,s->packet,
-                                       (unsigned int)newb+off);
-                       }
-               else if (s->s2->rbuf_offs != 0)
-                       {
-                       memcpy(s->s2->rbuf,&(s->s2->rbuf[s->s2->rbuf_offs]),
-                               (unsigned int)newb);
-                       s->s2->rbuf_offs=0;
-                       }
-               s->s2->rbuf_left=0;
-               }
-       else
-               newb=0;
-
-       /* off is the offset to start writing too.
-        * r->s2->rbuf_offs is the 'unread data', now 0. 
-        * newb is the number of new bytes so far
-        */
-       s->packet=s->s2->rbuf;
-       while (newb < (int)n)
-               {
-               clear_sys_error();
-               if (s->rbio != NULL)
-                       {
-                       s->rwstate=SSL_READING;
-                       i=BIO_read(s->rbio,(char *)&(s->s2->rbuf[off+newb]),
-                               max-newb);
-                       }
-               else
-                       {
-                       SSLerr(SSL_F_READ_N,SSL_R_READ_BIO_NOT_SET);
-                       i= -1;
-                       }
-#ifdef PKT_DEBUG
-               if (s->debug & 0x01) sleep(1);
-#endif
-               if (i <= 0)
-                       {
-                       s->s2->rbuf_left+=newb;
-                       return(i);
-                       }
-               newb+=i;
-               }
-
-       /* record unread data */
-       if (newb > (int)n)
-               {
-               s->s2->rbuf_offs=n+off;
-               s->s2->rbuf_left=newb-n;
-               }
-       else
-               {
-               s->s2->rbuf_offs=0;
-               s->s2->rbuf_left=0;
-               }
-       if (extend)
-               s->packet_length+=n;
-       else
-               s->packet_length=n;
-       s->rwstate=SSL_NOTHING;
-       return(n);
-       }
-
-int ssl2_write(SSL *s, const void *_buf, int len)
-       {
-       const unsigned char *buf=_buf;
-       unsigned int n,tot;
-       int i;
-
-       if (SSL_in_init(s) && !s->in_handshake)
-               {
-               i=s->handshake_func(s);
-               if (i < 0) return(i);
-               if (i == 0)
-                       {
-                       SSLerr(SSL_F_SSL2_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
-                       return(-1);
-                       }
-               }
-
-       if (s->error)
-               {
-               ssl2_write_error(s);
-               if (s->error)
-                       return(-1);
-               }
-
-       clear_sys_error();
-       s->rwstate=SSL_NOTHING;
-       if (len <= 0) return(len);
-
-       tot=s->s2->wnum;
-       s->s2->wnum=0;
-
-       n=(len-tot);
-       for (;;)
-               {
-               i=n_do_ssl_write(s,&(buf[tot]),n);
-               if (i <= 0)
-                       {
-                       s->s2->wnum=tot;
-                       return(i);
-                       }
-               if ((i == (int)n) ||
-                       (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))
-                       {
-                       return(tot+i);
-                       }
-               
-               n-=i;
-               tot+=i;
-               }
-       }
-
-static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
-       {
-       int i;
-
-       /* s->s2->wpend_len != 0 MUST be true. */
-
-       /* check that they have given us the same buffer to
-        * write */
-       if ((s->s2->wpend_tot > (int)len) ||
-               ((s->s2->wpend_buf != buf) &&
-                !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)))
-               {
-               SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
-               return(-1);
-               }
-
-       for (;;)
-               {
-               clear_sys_error();
-               if (s->wbio != NULL)
-                       {
-                       s->rwstate=SSL_WRITING;
-                       i=BIO_write(s->wbio,
-                               (char *)&(s->s2->write_ptr[s->s2->wpend_off]),
-                               (unsigned int)s->s2->wpend_len);
-                       }
-               else
-                       {
-                       SSLerr(SSL_F_WRITE_PENDING,SSL_R_WRITE_BIO_NOT_SET);
-                       i= -1;
-                       }
-#ifdef PKT_DEBUG
-               if (s->debug & 0x01) sleep(1);
-#endif
-               if (i == s->s2->wpend_len)
-                       {
-                       s->s2->wpend_len=0;
-                       s->rwstate=SSL_NOTHING;
-                       return(s->s2->wpend_ret);
-                       }
-               else if (i <= 0)
-                       return(i);
-               s->s2->wpend_off+=i;
-               s->s2->wpend_len-=i;
-               }
-       }
-
-static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
-       {
-       unsigned int j,k,olen,p,bs;
-       int mac_size;
-       register unsigned char *pp;
-
-       olen=len;
-
-       /* first check if there is data from an encryption waiting to
-        * be sent - it must be sent because the other end is waiting.
-        * This will happen with non-blocking IO.  We print it and then
-        * return.
-        */
-       if (s->s2->wpend_len != 0) return(write_pending(s,buf,len));
-
-       /* set mac_size to mac size */
-       if (s->s2->clear_text)
-               mac_size=0;
-       else
-               {
-               mac_size=EVP_MD_CTX_size(s->write_hash);
-               if (mac_size < 0)
-                       return -1;
-               }
-
-       /* lets set the pad p */
-       if (s->s2->clear_text)
-               {
-               if (len > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
-                       len=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
-               p=0;
-               s->s2->three_byte_header=0;
-               /* len=len; */
-               }
-       else
-               {
-               bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
-               j=len+mac_size;
-               /* Two-byte headers allow for a larger record length than
-                * three-byte headers, but we can't use them if we need
-                * padding or if we have to set the escape bit. */
-               if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
-                       (!s->s2->escape))
-                       {
-                       if (j > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
-                               j=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
-                       /* set k to the max number of bytes with 2
-                        * byte header */
-                       k=j-(j%bs);
-                       /* how many data bytes? */
-                       len=k-mac_size; 
-                       s->s2->three_byte_header=0;
-                       p=0;
-                       }
-               else if ((bs <= 1) && (!s->s2->escape))
-                       {
-                       /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
-                        * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
-                       s->s2->three_byte_header=0;
-                       p=0;
-                       }
-               else /* we may have to use a 3 byte header */
-                       {
-                       /* If s->s2->escape is not set, then
-                        * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
-                        * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
-                       p=(j%bs);
-                       p=(p == 0)?0:(bs-p);
-                       if (s->s2->escape)
-                               {
-                               s->s2->three_byte_header=1;
-                               if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-                                       j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
-                               }
-                       else
-                               s->s2->three_byte_header=(p == 0)?0:1;
-                       }
-               }
-
-       /* Now
-        *      j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
-        * holds, and if s->s2->three_byte_header is set, then even
-        *      j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
-        */
-
-       /* mac_size is the number of MAC bytes
-        * len is the number of data bytes we are going to send
-        * p is the number of padding bytes
-        * (if it is a two-byte header, then p == 0) */
-
-       s->s2->wlength=len;
-       s->s2->padding=p;
-       s->s2->mac_data= &(s->s2->wbuf[3]);
-       s->s2->wact_data= &(s->s2->wbuf[3+mac_size]);
-       /* we copy the data into s->s2->wbuf */
-       memcpy(s->s2->wact_data,buf,len);
-       if (p)
-               memset(&(s->s2->wact_data[len]),0,p); /* arbitrary padding */
-
-       if (!s->s2->clear_text)
-               {
-               s->s2->wact_data_length=len+p;
-               ssl2_mac(s,s->s2->mac_data,1);
-               s->s2->wlength+=p+mac_size;
-               if(ssl2_enc(s,1) < 1)
-                       return -1;
-               }
-
-       /* package up the header */
-       s->s2->wpend_len=s->s2->wlength;
-       if (s->s2->three_byte_header) /* 3 byte header */
-               {
-               pp=s->s2->mac_data;
-               pp-=3;
-               pp[0]=(s->s2->wlength>>8)&(THREE_BYTE_MASK>>8);
-               if (s->s2->escape) pp[0]|=SEC_ESC_BIT;
-               pp[1]=s->s2->wlength&0xff;
-               pp[2]=s->s2->padding;
-               s->s2->wpend_len+=3;
-               }
-       else
-               {
-               pp=s->s2->mac_data;
-               pp-=2;
-               pp[0]=((s->s2->wlength>>8)&(TWO_BYTE_MASK>>8))|TWO_BYTE_BIT;
-               pp[1]=s->s2->wlength&0xff;
-               s->s2->wpend_len+=2;
-               }
-       s->s2->write_ptr=pp;
-       
-       INC32(s->s2->write_sequence); /* expect next number */
-
-       /* lets try to actually write the data */
-       s->s2->wpend_tot=olen;
-       s->s2->wpend_buf=buf;
-
-       s->s2->wpend_ret=len;
-
-       s->s2->wpend_off=0;
-       return(write_pending(s,buf,olen));
-       }
-
-int ssl2_part_read(SSL *s, unsigned long f, int i)
-       {
-       unsigned char *p;
-       int j;
-
-       if (i < 0)
-               {
-               /* ssl2_return_error(s); */
-               /* for non-blocking io,
-                * this is not necessarily fatal */
-               return(i);
-               }
-       else
-               {
-               s->init_num+=i;
-
-               /* Check for error.  While there are recoverable errors,
-                * this function is not called when those must be expected;
-                * any error detected here is fatal. */
-               if (s->init_num >= 3)
-                       {
-                       p=(unsigned char *)s->init_buf->data;
-                       if (p[0] == SSL2_MT_ERROR)
-                               {
-                               j=(p[1]<<8)|p[2];
-                               SSLerr((int)f,ssl_mt_error(j));
-                               s->init_num -= 3;
-                               if (s->init_num > 0)
-                                       memmove(p, p+3, s->init_num);
-                               }
-                       }
-
-               /* If it's not an error message, we have some error anyway --
-                * the message was shorter than expected.  This too is treated
-                * as fatal (at least if SSL_get_error is asked for its opinion). */
-               return(0);
-               }
-       }
-
-int ssl2_do_write(SSL *s)
-       {
-       int ret;
-
-       ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
-       if (ret == s->init_num)
-               {
-               if (s->msg_callback)
-                       s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
-               return(1);
-               }
-       if (ret < 0)
-               return(-1);
-       s->init_off+=ret;
-       s->init_num-=ret;
-       return(0);
-       }
-
-static int ssl_mt_error(int n)
-       {
-       int ret;
-
-       switch (n)
-               {
-       case SSL2_PE_NO_CIPHER:
-               ret=SSL_R_PEER_ERROR_NO_CIPHER;
-               break;
-       case SSL2_PE_NO_CERTIFICATE:
-               ret=SSL_R_PEER_ERROR_NO_CERTIFICATE;
-               break;
-       case SSL2_PE_BAD_CERTIFICATE:
-               ret=SSL_R_PEER_ERROR_CERTIFICATE;
-               break;
-       case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE:
-               ret=SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
-               break;
-       default:
-               ret=SSL_R_UNKNOWN_REMOTE_ERROR_TYPE;
-               break;
-               }
-       return(ret);
-       }
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
deleted file mode 100644 (file)
index 71f677b..0000000
+++ /dev/null
@@ -1,1154 +0,0 @@
-/* ssl/s2_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
-#include <stdio.h>
-#include <openssl/bio.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-
-static const SSL_METHOD *ssl2_get_server_method(int ver);
-static int get_client_master_key(SSL *s);
-static int get_client_hello(SSL *s);
-static int server_hello(SSL *s); 
-static int get_client_finished(SSL *s);
-static int server_verify(SSL *s);
-static int server_finish(SSL *s);
-static int request_certificate(SSL *s);
-static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
-       unsigned char *to,int padding);
-#define BREAK  break
-
-static const SSL_METHOD *ssl2_get_server_method(int ver)
-       {
-       if (ver == SSL2_VERSION)
-               return(SSLv2_server_method());
-       else
-               return(NULL);
-       }
-
-IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
-                       ssl2_accept,
-                       ssl_undefined_function,
-                       ssl2_get_server_method)
-
-int ssl2_accept(SSL *s)
-       {
-       unsigned long l=(unsigned long)time(NULL);
-       BUF_MEM *buf=NULL;
-       int ret= -1;
-       long num1;
-       void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       int new_state,state;
-
-       RAND_add(&l,sizeof(l),0);
-       ERR_clear_error();
-       clear_sys_error();
-
-       if (s->info_callback != NULL)
-               cb=s->info_callback;
-       else if (s->ctx->info_callback != NULL)
-               cb=s->ctx->info_callback;
-
-       /* init things to blank */
-       s->in_handshake++;
-       if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
-
-       if (s->cert == NULL)
-               {
-               SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
-               return(-1);
-               }
-
-       clear_sys_error();
-       for (;;)
-               {
-               state=s->state;
-
-               switch (s->state)
-                       {
-               case SSL_ST_BEFORE:
-               case SSL_ST_ACCEPT:
-               case SSL_ST_BEFORE|SSL_ST_ACCEPT:
-               case SSL_ST_OK|SSL_ST_ACCEPT:
-
-                       s->server=1;
-                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-
-                       s->version=SSL2_VERSION;
-                       s->type=SSL_ST_ACCEPT;
-
-                       buf=s->init_buf;
-                       if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-                               { ret= -1; goto end; }
-                       if (!BUF_MEM_grow(buf,(int)
-                               SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-                               { ret= -1; goto end; }
-                       s->init_buf=buf;
-                       s->init_num=0;
-                       s->ctx->stats.sess_accept++;
-                       s->handshake_func=ssl2_accept;
-                       s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-                       BREAK;
-
-               case SSL2_ST_GET_CLIENT_HELLO_A:
-               case SSL2_ST_GET_CLIENT_HELLO_B:
-               case SSL2_ST_GET_CLIENT_HELLO_C:
-                       s->shutdown=0;
-                       ret=get_client_hello(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_SEND_SERVER_HELLO_A;
-                       BREAK;
-
-               case SSL2_ST_SEND_SERVER_HELLO_A:
-               case SSL2_ST_SEND_SERVER_HELLO_B:
-                       ret=server_hello(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       if (!s->hit)
-                               {
-                               s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
-                               BREAK;
-                               }
-                       else
-                               {
-                               s->state=SSL2_ST_SERVER_START_ENCRYPTION;
-                               BREAK;
-                               }
-               case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
-               case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
-                       ret=get_client_master_key(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_SERVER_START_ENCRYPTION;
-                       BREAK;
-
-               case SSL2_ST_SERVER_START_ENCRYPTION:
-                       /* Ok we how have sent all the stuff needed to
-                        * start encrypting, the next packet back will
-                        * be encrypted. */
-                       if (!ssl2_enc_init(s,0))
-                               { ret= -1; goto end; }
-                       s->s2->clear_text=0;
-                       s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
-                       BREAK;
-
-               case SSL2_ST_SEND_SERVER_VERIFY_A:
-               case SSL2_ST_SEND_SERVER_VERIFY_B:
-                       ret=server_verify(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       if (s->hit)
-                               {
-                               /* If we are in here, we have been
-                                * buffering the output, so we need to
-                                * flush it and remove buffering from
-                                * future traffic */
-                               s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
-                               BREAK;
-                               }
-                       else
-                               {
-                               s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
-                               break;
-                               }
-
-               case SSL2_ST_SEND_SERVER_VERIFY_C:
-                       /* get the number of bytes to write */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                       if (num1 > 0)
-                               {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
-                               }
-
-                       /* flushed and now remove buffering */
-                       s->wbio=BIO_pop(s->wbio);
-
-                       s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
-                       BREAK;
-
-               case SSL2_ST_GET_CLIENT_FINISHED_A:
-               case SSL2_ST_GET_CLIENT_FINISHED_B:
-                       ret=get_client_finished(s);
-                       if (ret <= 0)
-                               goto end;
-                       s->init_num=0;
-                       s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
-                       BREAK;
-
-               case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
-               case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:
-               case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:
-               case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:
-                       /* don't do a 'request certificate' if we
-                        * don't want to, or we already have one, and
-                        * we only want to do it once. */
-                       if (!(s->verify_mode & SSL_VERIFY_PEER) ||
-                               ((s->session->peer != NULL) &&
-                               (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
-                               {
-                               s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
-                               break;
-                               }
-                       else
-                               {
-                               ret=request_certificate(s);
-                               if (ret <= 0) goto end;
-                               s->init_num=0;
-                               s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
-                               }
-                       BREAK;
-
-               case SSL2_ST_SEND_SERVER_FINISHED_A:
-               case SSL2_ST_SEND_SERVER_FINISHED_B:
-                       ret=server_finish(s);
-                       if (ret <= 0) goto end;
-                       s->init_num=0;
-                       s->state=SSL_ST_OK;
-                       break;
-
-               case SSL_ST_OK:
-                       BUF_MEM_free(s->init_buf);
-                       ssl_free_wbio_buffer(s);
-                       s->init_buf=NULL;
-                       s->init_num=0;
-               /*      ERR_clear_error();*/
-
-                       ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
-
-                       s->ctx->stats.sess_accept_good++;
-                       /* s->server=1; */
-                       ret=1;
-
-                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
-
-                       goto end;
-                       /* BREAK; */
-
-               default:
-                       SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
-                       ret= -1;
-                       goto end;
-                       /* BREAK; */
-                       }
-               
-               if ((cb != NULL) && (s->state != state))
-                       {
-                       new_state=s->state;
-                       s->state=state;
-                       cb(s,SSL_CB_ACCEPT_LOOP,1);
-                       s->state=new_state;
-                       }
-               }
-end:
-       s->in_handshake--;
-       if (cb != NULL)
-               cb(s,SSL_CB_ACCEPT_EXIT,ret);
-       return(ret);
-       }
-
-static int get_client_master_key(SSL *s)
-       {
-       int is_export,i,n,keya,ek;
-       unsigned long len;
-       unsigned char *p;
-       const SSL_CIPHER *cp;
-       const EVP_CIPHER *c;
-       const EVP_MD *md;
-
-       p=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
-               {
-               i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
-
-               if (i < (10-s->init_num))
-                       return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
-               s->init_num = 10;
-
-               if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
-                       {
-                       if (p[-1] != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
-                       return(-1);
-                       }
-
-               cp=ssl2_get_cipher_by_char(p);
-               if (cp == NULL)
-                       {
-                       ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-                       SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
-                       return(-1);
-                       }
-               s->session->cipher= cp;
-
-               p+=3;
-               n2s(p,i); s->s2->tmp.clear=i;
-               n2s(p,i); s->s2->tmp.enc=i;
-               n2s(p,i);
-               if(i > SSL_MAX_KEY_ARG_LENGTH)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
-                       return -1;
-                       }
-               s->session->key_arg_length=i;
-               s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
-               }
-
-       /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
-       p=(unsigned char *)s->init_buf->data;
-       if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
-               return -1;
-               }
-       keya=s->session->key_arg_length;
-       len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
-       if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
-               return -1;
-               }
-       n = (int)len - s->init_num;
-       i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-       if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
-       p += 10;
-
-       memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
-               (unsigned int)keya);
-
-       if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
-               return(-1);
-               }
-       i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
-               &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
-               (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
-       is_export=SSL_C_IS_EXPORT(s->session->cipher);
-       
-       if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL, 0))
-               {
-               ssl2_return_error(s,SSL2_PE_NO_CIPHER);
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
-               return(0);
-               }
-
-       if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
-               {
-               is_export=1;
-               ek=8;
-               }
-       else
-               ek=5;
-
-       /* bad decrypt */
-#if 1
-       /* If a bad decrypt, continue with protocol but with a
-        * random master secret (Bleichenbacher attack) */
-       if ((i < 0) ||
-               ((!is_export && (i != EVP_CIPHER_key_length(c)))
-               || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
-                       (unsigned int)EVP_CIPHER_key_length(c))))))
-               {
-               ERR_clear_error();
-               if (is_export)
-                       i=ek;
-               else
-                       i=EVP_CIPHER_key_length(c);
-               if (RAND_pseudo_bytes(p,i) <= 0)
-                       return 0;
-               }
-#else
-       if (i < 0)
-               {
-               error=1;
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
-               }
-       /* incorrect number of key bytes for non export cipher */
-       else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
-               || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
-                       EVP_CIPHER_key_length(c)))))
-               {
-               error=1;
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
-               }
-       if (error)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               return(-1);
-               }
-#endif
-
-       if (is_export) i+=s->s2->tmp.clear;
-
-       if (i > SSL_MAX_MASTER_KEY_LENGTH)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
-               return -1;
-               }
-       s->session->master_key_length=i;
-       memcpy(s->session->master_key,p,(unsigned int)i);
-       return(1);
-       }
-
-static int get_client_hello(SSL *s)
-       {
-       int i,n;
-       unsigned long len;
-       unsigned char *p;
-       STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
-       STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
-       STACK_OF(SSL_CIPHER) *prio, *allow;
-       int z;
-
-       /* This is a bit of a hack to check for the correct packet
-        * type the first time round. */
-       if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
-               {
-               s->first_packet=1;
-               s->state=SSL2_ST_GET_CLIENT_HELLO_B;
-               }
-
-       p=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
-               {
-               i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
-               if (i < (9-s->init_num)) 
-                       return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
-               s->init_num = 9;
-       
-               if (*(p++) != SSL2_MT_CLIENT_HELLO)
-                       {
-                       if (p[-1] != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
-                       return(-1);
-                       }
-               n2s(p,i);
-               if (i < s->version) s->version=i;
-               n2s(p,i); s->s2->tmp.cipher_spec_length=i;
-               n2s(p,i); s->s2->tmp.session_id_length=i;
-               n2s(p,i); s->s2->challenge_length=i;
-               if (    (i < SSL2_MIN_CHALLENGE_LENGTH) ||
-                       (i > SSL2_MAX_CHALLENGE_LENGTH))
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
-                       return(-1);
-                       }
-               s->state=SSL2_ST_GET_CLIENT_HELLO_C;
-               }
-
-       /* SSL2_ST_GET_CLIENT_HELLO_C */
-       p=(unsigned char *)s->init_buf->data;
-       len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
-       if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
-               return -1;
-               }
-       n = (int)len - s->init_num;
-       i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-       if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
-       p += 9;
-
-       /* get session-id before cipher stuff so we can get out session
-        * structure if it is cached */
-       /* session-id */
-       if ((s->s2->tmp.session_id_length != 0) && 
-               (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
-               return(-1);
-               }
-
-       if (s->s2->tmp.session_id_length == 0)
-               {
-               if (!ssl_get_new_session(s,1))
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       return(-1);
-                       }
-               }
-       else
-               {
-               i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
-                       s->s2->tmp.session_id_length, NULL);
-               if (i == 1)
-                       { /* previous session */
-                       s->hit=1;
-                       }
-               else if (i == -1)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       return(-1);
-                       }
-               else
-                       {
-                       if (s->cert == NULL)
-                               {
-                               ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
-                               SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
-                               return(-1);
-                               }
-
-                       if (!ssl_get_new_session(s,1))
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               return(-1);
-                               }
-                       }
-               }
-
-       if (!s->hit)
-               {
-               cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
-                       &s->session->ciphers);
-               if (cs == NULL) goto mem_err;
-
-               cl=SSL_get_ciphers(s);
-
-               if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
-                   {
-                   prio=sk_SSL_CIPHER_dup(cl);
-                   if (prio == NULL) goto mem_err;
-                   allow = cs;
-                   }
-               else
-                   {
-                   prio = cs;
-                   allow = cl;
-                   }
-               for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
-                       {
-                       if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
-                               {
-                               (void)sk_SSL_CIPHER_delete(prio,z);
-                               z--;
-                               }
-                       }
-               if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
-                   {
-                   sk_SSL_CIPHER_free(s->session->ciphers);
-                   s->session->ciphers = prio;
-                   }
-               /* s->session->ciphers should now have a list of
-                * ciphers that are on both the client and server.
-                * This list is ordered by the order the client sent
-                * the ciphers or in the order of the server's preference
-                * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
-                */
-               }
-       p+=s->s2->tmp.cipher_spec_length;
-       /* done cipher selection */
-
-       /* session id extracted already */
-       p+=s->s2->tmp.session_id_length;
-
-       /* challenge */
-       if (s->s2->challenge_length > sizeof s->s2->challenge)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-               return -1;
-               }
-       memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
-       return(1);
-mem_err:
-       SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
-       return(0);
-       }
-
-static int server_hello(SSL *s)
-       {
-       unsigned char *p,*d;
-       int n,hit;
-
-       p=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
-               {
-               d=p+11;
-               *(p++)=SSL2_MT_SERVER_HELLO;            /* type */
-               hit=s->hit;
-               *(p++)=(unsigned char)hit;
-#if 1
-               if (!hit)
-                       {
-                       if (s->session->sess_cert != NULL)
-                               /* This can't really happen because get_client_hello
-                                * has called ssl_get_new_session, which does not set
-                                * sess_cert. */
-                               ssl_sess_cert_free(s->session->sess_cert);
-                       s->session->sess_cert = ssl_sess_cert_new();
-                       if (s->session->sess_cert == NULL)
-                               {
-                               SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
-                               return(-1);
-                               }
-                       }
-               /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
-                * depending on whether it survived in the internal cache
-                * or was retrieved from an external cache.
-                * If it is NULL, we cannot put any useful data in it anyway,
-                * so we don't touch it.
-                */
-
-#else /* That's what used to be done when cert_st and sess_cert_st were
-          * the same. */
-               if (!hit)
-                       {                       /* else add cert to session */
-                       CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
-                       if (s->session->sess_cert != NULL)
-                               ssl_cert_free(s->session->sess_cert);
-                       s->session->sess_cert=s->cert;          
-                       }
-               else    /* We have a session id-cache hit, if the
-                        * session-id has no certificate listed against
-                        * the 'cert' structure, grab the 'old' one
-                        * listed against the SSL connection */
-                       {
-                       if (s->session->sess_cert == NULL)
-                               {
-                               CRYPTO_add(&s->cert->references,1,
-                                       CRYPTO_LOCK_SSL_CERT);
-                               s->session->sess_cert=s->cert;
-                               }
-                       }
-#endif
-
-               if (s->cert == NULL)
-                       {
-                       ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
-                       SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
-                       return(-1);
-                       }
-
-               if (hit)
-                       {
-                       *(p++)=0;               /* no certificate type */
-                       s2n(s->version,p);      /* version */
-                       s2n(0,p);               /* cert len */
-                       s2n(0,p);               /* ciphers len */
-                       }
-               else
-                       {
-                       /* EAY EAY */
-                       /* put certificate type */
-                       *(p++)=SSL2_CT_X509_CERTIFICATE;
-                       s2n(s->version,p);      /* version */
-                       n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
-                       s2n(n,p);               /* certificate length */
-                       i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
-                       n=0;
-                       
-                       /* lets send out the ciphers we like in the
-                        * prefered order */
-                       n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
-                       d+=n;
-                       s2n(n,p);               /* add cipher length */
-                       }
-
-               /* make and send conn_id */
-               s2n(SSL2_CONNECTION_ID_LENGTH,p);       /* add conn_id length */
-               s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-               if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
-                       return -1;
-               memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
-               d+=SSL2_CONNECTION_ID_LENGTH;
-
-               s->state=SSL2_ST_SEND_SERVER_HELLO_B;
-               s->init_num=d-(unsigned char *)s->init_buf->data;
-               s->init_off=0;
-               }
-       /* SSL2_ST_SEND_SERVER_HELLO_B */
-       /* If we are using TCP/IP, the performance is bad if we do 2
-        * writes without a read between them.  This occurs when
-        * Session-id reuse is used, so I will put in a buffering module
-        */
-       if (s->hit)
-               {
-               if (!ssl_init_wbio_buffer(s,1)) return(-1);
-               }
-       return(ssl2_do_write(s));
-       }
-
-static int get_client_finished(SSL *s)
-       {
-       unsigned char *p;
-       int i, n;
-       unsigned long len;
-
-       p=(unsigned char *)s->init_buf->data;
-       if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
-               {
-               i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
-               if (i < 1-s->init_num)
-                       return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
-               s->init_num += i;
-
-               if (*p != SSL2_MT_CLIENT_FINISHED)
-                       {
-                       if (*p != SSL2_MT_ERROR)
-                               {
-                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                               SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
-                               }
-                       else
-                               {
-                               SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
-                               /* try to read the error message */
-                               i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
-                               return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
-                               }
-                       return(-1);
-                       }
-               s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
-               }
-
-       /* SSL2_ST_GET_CLIENT_FINISHED_B */
-       if (s->s2->conn_id_length > sizeof s->s2->conn_id)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
-               return -1;
-               }
-       len = 1 + (unsigned long)s->s2->conn_id_length;
-       n = (int)len - s->init_num;
-       i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-       if (i < n)
-               {
-               return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
-               }
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
-       p += 1;
-       if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
-               {
-               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-               SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
-               return(-1);
-               }
-       return(1);
-       }
-
-static int server_verify(SSL *s)
-       {
-       unsigned char *p;
-
-       if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
-               {
-               p=(unsigned char *)s->init_buf->data;
-               *(p++)=SSL2_MT_SERVER_VERIFY;
-               if (s->s2->challenge_length > sizeof s->s2->challenge)
-                       {
-                       SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
-                       return -1;
-                       }
-               memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
-               /* p+=s->s2->challenge_length; */
-
-               s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
-               s->init_num=s->s2->challenge_length+1;
-               s->init_off=0;
-               }
-       return(ssl2_do_write(s));
-       }
-
-static int server_finish(SSL *s)
-       {
-       unsigned char *p;
-
-       if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
-               {
-               p=(unsigned char *)s->init_buf->data;
-               *(p++)=SSL2_MT_SERVER_FINISHED;
-
-               if (s->session->session_id_length > sizeof s->session->session_id)
-                       {
-                       SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
-                       return -1;
-                       }
-               memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
-               /* p+=s->session->session_id_length; */
-
-               s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
-               s->init_num=s->session->session_id_length+1;
-               s->init_off=0;
-               }
-
-       /* SSL2_ST_SEND_SERVER_FINISHED_B */
-       return(ssl2_do_write(s));
-       }
-
-/* send the request and check the response */
-static int request_certificate(SSL *s)
-       {
-       const unsigned char *cp;
-       unsigned char *p,*p2,*buf2;
-       unsigned char *ccd;
-       int i,j,ctype,ret= -1;
-       unsigned long len;
-       X509 *x509=NULL;
-       STACK_OF(X509) *sk=NULL;
-
-       ccd=s->s2->tmp.ccl;
-       if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
-               {
-               p=(unsigned char *)s->init_buf->data;
-               *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
-               *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-               if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
-                       return -1;
-               memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
-
-               s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
-               s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
-               s->init_off=0;
-               }
-
-       if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
-               {
-               i=ssl2_do_write(s);
-               if (i <= 0)
-                       {
-                       ret=i;
-                       goto end;
-                       }
-
-               s->init_num=0;
-               s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
-               }
-
-       if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
-               {
-               p=(unsigned char *)s->init_buf->data;
-               i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */
-               if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
-                                       * (probably NO-CERTIFICATE-ERROR) */
-                       {
-                       ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
-                       goto end;
-                       }
-               s->init_num += i;
-
-               if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
-                       {
-                       n2s(p,i);
-                       if (i != SSL2_PE_NO_CERTIFICATE)
-                               {
-                               /* not the error message we expected -- let ssl2_part_read handle it */
-                               s->init_num -= 3;
-                               ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3);
-                               goto end;
-                               }
-
-                       if (s->msg_callback)
-                               s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
-
-                       /* this is the one place where we can recover from an SSL 2.0 error */
-
-                       if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-                               {
-                               ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
-                               SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-                               goto end;
-                               }
-                       ret=1;
-                       goto end;
-                       }
-               if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6))
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-                       SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
-                       goto end;
-                       }
-               if (s->init_num != 6)
-                       {
-                       SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
-                       goto end;
-                       }
-               
-               /* ok we have a response */
-               /* certificate type, there is only one right now. */
-               ctype= *(p++);
-               if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
-                       {
-                       ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
-                       SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
-                       goto end;
-                       }
-               n2s(p,i); s->s2->tmp.clen=i;
-               n2s(p,i); s->s2->tmp.rlen=i;
-               s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
-               }
-
-       /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
-       p=(unsigned char *)s->init_buf->data;
-       len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
-       if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-               {
-               SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
-               goto end;
-               }
-       j = (int)len - s->init_num;
-       i = ssl2_read(s,(char *)&(p[s->init_num]),j);
-       if (i < j) 
-               {
-               ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
-               goto end;
-               }
-       if (s->msg_callback)
-               s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
-       p += 6;
-
-       cp = p;
-       x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
-       if (x509 == NULL)
-               {
-               SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
-               goto msg_end;
-               }
-
-       if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
-               {
-               SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-               goto msg_end;
-               }
-
-       i=ssl_verify_cert_chain(s,sk);
-
-       if (i > 1)
-               {
-               SSLerr(SSL_F_REQUEST_CERTIFICATE, i);
-               goto msg_end;
-               }
-
-       if (i > 0)      /* we like the packet, now check the chksum */
-               {
-               EVP_MD_CTX ctx;
-               EVP_PKEY *pkey=NULL;
-
-               EVP_MD_CTX_init(&ctx);
-               if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL)
-                   || !EVP_VerifyUpdate(&ctx,s->s2->key_material,
-                                        s->s2->key_material_length)
-                   || !EVP_VerifyUpdate(&ctx,ccd,
-                                        SSL2_MIN_CERT_CHALLENGE_LENGTH))
-                       goto msg_end;
-
-               i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
-               buf2=OPENSSL_malloc((unsigned int)i);
-               if (buf2 == NULL)
-                       {
-                       SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
-                       goto msg_end;
-                       }
-               p2=buf2;
-               i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
-               if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i))
-                       {
-                       OPENSSL_free(buf2);
-                       goto msg_end;
-                       }
-               OPENSSL_free(buf2);
-
-               pkey=X509_get_pubkey(x509);
-               if (pkey == NULL) goto end;
-               i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
-               EVP_PKEY_free(pkey);
-               EVP_MD_CTX_cleanup(&ctx);
-
-               if (i > 0)
-                       {
-                       if (s->session->peer != NULL)
-                               X509_free(s->session->peer);
-                       s->session->peer=x509;
-                       CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
-                       s->session->verify_result = s->verify_result;
-                       ret=1;
-                       goto end;
-                       }
-               else
-                       {
-                       SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
-                       goto msg_end;
-                       }
-               }
-       else
-               {
-msg_end:
-               ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
-               }
-end:
-       sk_X509_free(sk);
-       X509_free(x509);
-       return(ret);
-       }
-
-static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
-            unsigned char *to, int padding)
-       {
-       RSA *rsa;
-       int i;
-
-       if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
-               {
-               SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
-               return(-1);
-               }
-       if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
-               {
-               SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
-               return(-1);
-               }
-       rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
-
-       /* we have the public key */
-       i=RSA_private_decrypt(len,from,to,rsa,padding);
-       if (i < 0)
-               SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
-       return(i);
-       }
-#else /* !OPENSSL_NO_SSL2 */
-
-# if PEDANTIC
-static void *dummy=&dummy;
-# endif
-
-#endif
index 63774bcc8746d078e2b6c25b7cfe21b4a2bb33a7..7765de176f29c96471aebce3b154ff7a8179cd6c 100644 (file)
@@ -371,8 +371,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        }
                }
 
-       s->session->key_arg_length=0;
-
        EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
 
 #ifdef OPENSSL_SSL_TRACE_CRYPTO
index d670ff0ec00ca71824742033abc89cccc7523ff1..51a4ec3e89bce6f3d8e86e924c4a8b3773fc9818 100644 (file)
@@ -3946,8 +3946,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                                return s->version == TLS1_VERSION;
                        if (!(s->options & SSL_OP_NO_SSLv3))
                                return s->version == SSL3_VERSION;
-                       if (!(s->options & SSL_OP_NO_SSLv2))
-                               return s->version == SSL2_VERSION;
                        }
                return 0; /* Unexpected state; fail closed. */
 
index 104e4f1e8199dcbdc6e54f13e228db5275aa73fc..388d4005c1cac030b922055f07a427bb41a62010 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -177,16 +177,6 @@ extern "C" {
 #define SSL_SESSION_ASN1_VERSION 0x0001
 
 /* text strings for the ciphers */
-#define SSL_TXT_NULL_WITH_MD5          SSL2_TXT_NULL_WITH_MD5                  
-#define SSL_TXT_RC4_128_WITH_MD5       SSL2_TXT_RC4_128_WITH_MD5               
-#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5   
-#define SSL_TXT_RC2_128_CBC_WITH_MD5   SSL2_TXT_RC2_128_CBC_WITH_MD5           
-#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5   
-#define SSL_TXT_IDEA_128_CBC_WITH_MD5  SSL2_TXT_IDEA_128_CBC_WITH_MD5          
-#define SSL_TXT_DES_64_CBC_WITH_MD5    SSL2_TXT_DES_64_CBC_WITH_MD5            
-#define SSL_TXT_DES_64_CBC_WITH_SHA    SSL2_TXT_DES_64_CBC_WITH_SHA            
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5   
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA   
 
 /*    VRS Additional Kerberos5 entries
  */
@@ -305,7 +295,6 @@ extern "C" {
 #define SSL_TXT_SHA256         "SHA256"
 #define SSL_TXT_SHA384         "SHA384"
 
-#define SSL_TXT_SSLV2          "SSLv2"
 #define SSL_TXT_SSLV3          "SSLv3"
 #define SSL_TXT_TLSV1          "TLSv1"
 #define SSL_TXT_TLSV1_1                "TLSv1.1"
@@ -336,7 +325,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST        "ALL:!aNULL:!eNULL"
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
  * throwing out anonymous and unencrypted ciphersuites!
@@ -356,10 +345,6 @@ extern "C" {
 extern "C" {
 #endif
 
-#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
-#define OPENSSL_NO_SSL2
-#endif
-
 #define SSL_FILETYPE_ASN1      X509_FILETYPE_ASN1
 #define SSL_FILETYPE_PEM       X509_FILETYPE_PEM
 
@@ -498,9 +483,6 @@ struct ssl_session_st
        int ssl_version;        /* what ssl version session info is
                                 * being kept in here? */
 
-       /* only really used in SSLv2 */
-       unsigned int key_arg_length;
-       unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
        int master_key_length;
        unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
        /* session_id - valid? */
@@ -575,8 +557,6 @@ struct ssl_session_st
 
 #endif
 
-#define SSL_OP_MICROSOFT_SESS_ID_BUG                   0x00000001L
-#define SSL_OP_NETSCAPE_CHALLENGE_BUG                  0x00000002L
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT                   0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG                0x00000008L
@@ -591,6 +571,9 @@ struct ssl_session_st
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING                  0x0
 /* Refers to ancient SSLREF and SSLv2, retained for compatibility */
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG             0x0
+/* Related to removed SSLv2 */
+#define SSL_OP_MICROSOFT_SESS_ID_BUG                   0x0
+#define SSL_OP_NETSCAPE_CHALLENGE_BUG                  0x0
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
@@ -634,7 +617,7 @@ struct ssl_session_st
  * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG                                0x00800000L
 
-#define SSL_OP_NO_SSLv2                                        0x01000000L
+#define SSL_OP_NO_SSLv2                                        0x00000000L
 #define SSL_OP_NO_SSLv3                                        0x02000000L
 #define SSL_OP_NO_TLSv1                                        0x04000000L
 #define SSL_OP_NO_TLSv1_2                              0x08000000L
@@ -643,7 +626,7 @@ struct ssl_session_st
 #define SSL_OP_NO_DTLSv1                               0x04000000L
 #define SSL_OP_NO_DTLSv1_2                             0x08000000L
 
-#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|\
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3|\
        SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2)
 
 /* These next two were never actually used for anything since SSLeay
@@ -868,11 +851,8 @@ int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
  * 'ssl' value they're passed by;
  *      SSL_has_matching_session_id(ssl, id, *id_len)
  * The length value passed in is set at the maximum size the session ID can be.
- * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
- * can alter this length to be less if desired, but under SSLv2 session IDs are
- * supposed to be fixed at 16 bytes so the id will be padded after the callback
- * returns in this case. It is also an error for the callback to set the size to
- * zero. */
+ * In SSLv3/TLSv1 it is 32 bytes. The callback can alter this length to be less
+ * if desired. It is also an error for the callback to set the size to zero. */
 typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
                                unsigned int *id_len);
 
@@ -982,7 +962,6 @@ struct ssl_ctx_st
 
        CRYPTO_EX_DATA ex_data;
 
-       const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */
        const EVP_MD *md5;      /* For SSLv3/TLSv1 'ssl3-md5' */
        const EVP_MD *sha1;   /* For SSLv3/TLSv1 'ssl3->sha1' */
 
@@ -1363,7 +1342,6 @@ struct ssl_st
        unsigned char *packet;
        unsigned int packet_length;
 
-       struct ssl2_state_st *s2; /* SSLv2 variables */
        struct ssl3_state_st *s3; /* SSLv3 variables */
        struct dtls1_state_st *d1; /* DTLSv1 variables */
 
@@ -1423,7 +1401,7 @@ struct ssl_st
        /* Default generate session ID callback. */
        GEN_SESSION_CB generate_session_id;
 
-       /* Used in SSL2 and SSL3 */
+       /* Used in SSL3 */
        int verify_mode;        /* 0 don't care about verify failure.
                                 * 1 fail if verify fails */
        int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
@@ -2235,12 +2213,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
-#ifndef OPENSSL_NO_SSL2
-const SSL_METHOD *SSLv2_method(void);          /* SSLv2 */
-const SSL_METHOD *SSLv2_server_method(void);   /* SSLv2 */
-const SSL_METHOD *SSLv2_client_method(void);   /* SSLv2 */
-#endif
-
 #ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void);          /* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void);   /* SSLv3 */
@@ -2503,8 +2475,6 @@ const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
 #define SSL_SECOP_CURVE_CHECK          (6 | SSL_SECOP_OTHER_CURVE)
 /* Temporary DH key */
 #define SSL_SECOP_TMP_DH               (7 | SSL_SECOP_OTHER_DH)
-/* Whether to use SSLv2 compatible client hello */
-#define SSL_SECOP_SSL2_COMPAT          (8 | SSL_SECOP_OTHER_NONE)
 /* SSL/TLS version */
 #define SSL_SECOP_VERSION              (9 | SSL_SECOP_OTHER_NONE)
 /* Session tickets */
@@ -2560,10 +2530,6 @@ void ERR_load_SSL_strings(void);
 
 /* Function codes. */
 #define SSL_F_CHECK_SUITEB_CIPHER_LIST                  331
-#define SSL_F_CLIENT_CERTIFICATE                        100
-#define SSL_F_CLIENT_FINISHED                           167
-#define SSL_F_CLIENT_HELLO                              101
-#define SSL_F_CLIENT_MASTER_KEY                                 102
 #define SSL_F_D2I_SSL_SESSION                           103
 #define SSL_F_DO_DTLS1_WRITE                            245
 #define SSL_F_DO_SSL3_WRITE                             104
@@ -2595,18 +2561,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_DTLS1_SEND_SERVER_HELLO                   266
 #define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE            267
 #define SSL_F_DTLS1_WRITE_APP_DATA_BYTES                268
-#define SSL_F_GET_CLIENT_FINISHED                       105
-#define SSL_F_GET_CLIENT_HELLO                          106
-#define SSL_F_GET_CLIENT_MASTER_KEY                     107
-#define SSL_F_GET_SERVER_FINISHED                       108
-#define SSL_F_GET_SERVER_HELLO                          109
-#define SSL_F_GET_SERVER_VERIFY                                 110
-#define SSL_F_I2D_SSL_SESSION                           111
-#define SSL_F_READ_N                                    112
-#define SSL_F_REQUEST_CERTIFICATE                       113
-#define SSL_F_SERVER_FINISH                             239
-#define SSL_F_SERVER_HELLO                              114
-#define SSL_F_SERVER_VERIFY                             240
 #define SSL_F_SSL23_ACCEPT                              115
 #define SSL_F_SSL23_CLIENT_HELLO                        116
 #define SSL_F_SSL23_CONNECT                             117
@@ -2615,15 +2569,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL23_PEEK                                237
 #define SSL_F_SSL23_READ                                120
 #define SSL_F_SSL23_WRITE                               121
-#define SSL_F_SSL2_ACCEPT                               122
-#define SSL_F_SSL2_CONNECT                              123
-#define SSL_F_SSL2_ENC_INIT                             124
-#define SSL_F_SSL2_GENERATE_KEY_MATERIAL                241
-#define SSL_F_SSL2_PEEK                                         234
-#define SSL_F_SSL2_READ                                         125
-#define SSL_F_SSL2_READ_INTERNAL                        236
-#define SSL_F_SSL2_SET_CERTIFICATE                      126
-#define SSL_F_SSL2_WRITE                                127
 #define SSL_F_SSL3_ACCEPT                               128
 #define SSL_F_SSL3_ADD_CERT_TO_BUF                      296
 #define SSL_F_SSL3_CALLBACK_CTRL                        233
@@ -2742,8 +2687,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT            281
 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT            282
 #define SSL_F_SSL_READ                                  223
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                   187
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                    188
 #define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT               320
 #define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT               321
 #define SSL_F_SSL_SESSION_NEW                           189
@@ -2790,15 +2733,12 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_PRF                                  284
 #define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
 #define SSL_F_TLS1_SET_SERVER_SIGALGS                   335
-#define SSL_F_WRITE_PENDING                             212
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE                     100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
 #define SSL_R_BAD_ALERT_RECORD                          101
-#define SSL_R_BAD_AUTHENTICATION_TYPE                   102
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC                    103
-#define SSL_R_BAD_CHECKSUM                              104
 #define SSL_R_BAD_DATA                                  390
 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK             106
 #define SSL_R_BAD_DECOMPRESSION                                 107
@@ -2813,13 +2753,11 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_HANDSHAKE_LENGTH                      332
 #define SSL_R_BAD_HELLO_REQUEST                                 105
 #define SSL_R_BAD_LENGTH                                271
-#define SSL_R_BAD_MAC_DECODE                            113
 #define SSL_R_BAD_MAC_LENGTH                            333
 #define SSL_R_BAD_MESSAGE_TYPE                          114
 #define SSL_R_BAD_PACKET_LENGTH                                 115
 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER               116
 #define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH              316
-#define SSL_R_BAD_RESPONSE_ARGUMENT                     117
 #define SSL_R_BAD_RSA_DECRYPT                           118
 #define SSL_R_BAD_RSA_ENCRYPT                           119
 #define SSL_R_BAD_RSA_E_LENGTH                          120
@@ -2835,8 +2773,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_SRTP_MKI_VALUE                        352
 #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST          353
 #define SSL_R_BAD_SSL_FILETYPE                          124
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH                         125
-#define SSL_R_BAD_STATE                                         126
 #define SSL_R_BAD_VALUE                                         384
 #define SSL_R_BAD_WRITE_RETRY                           127
 #define SSL_R_BIO_NOT_SET                               128
@@ -2850,17 +2786,14 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CERTIFICATE_VERIFY_FAILED                         134
 #define SSL_R_CERT_CB_ERROR                             377
 #define SSL_R_CERT_LENGTH_MISMATCH                      135
-#define SSL_R_CHALLENGE_IS_DIFFERENT                    136
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH                  137
 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                138
-#define SSL_R_CIPHER_TABLE_SRC_ERROR                    139
 #define SSL_R_CLIENTHELLO_TLSEXT                        226
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG                140
 #define SSL_R_COMPRESSION_DISABLED                      343
 #define SSL_R_COMPRESSION_FAILURE                       141
 #define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE   307
 #define SSL_R_COMPRESSION_LIBRARY_ERROR                         142
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT                143
 #define SSL_R_CONNECTION_TYPE_NOT_SET                   144
 #define SSL_R_COOKIE_MISMATCH                           308
 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED             145
@@ -2889,11 +2822,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION          356
 #define SSL_R_HTTPS_PROXY_REQUEST                       155
 #define SSL_R_HTTP_REQUEST                              156
-#define SSL_R_ILLEGAL_PADDING                           283
 #define SSL_R_ILLEGAL_SUITEB_DIGEST                     380
 #define SSL_R_INAPPROPRIATE_FALLBACK                    373
 #define SSL_R_INCONSISTENT_COMPRESSION                  340
-#define SSL_R_INVALID_CHALLENGE_LENGTH                  158
 #define SSL_R_INVALID_COMMAND                           280
 #define SSL_R_INVALID_COMPRESSION_ALGORITHM             341
 #define SSL_R_INVALID_NULL_CMD_NAME                     385
@@ -2903,8 +2834,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_STATUS_RESPONSE                   328
 #define SSL_R_INVALID_TICKET_KEYS_LENGTH                325
 #define SSL_R_INVALID_TRUST                             279
-#define SSL_R_KEY_ARG_TOO_LONG                          284
-#define SSL_R_KEY_TOO_SMALL                             395
 #define SSL_R_KRB5                                      285
 #define SSL_R_KRB5_C_CC_PRINC                           286
 #define SSL_R_KRB5_C_GET_CRED                           287
@@ -2920,7 +2849,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_LENGTH_TOO_SHORT                          160
 #define SSL_R_LIBRARY_BUG                               274
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS                    161
-#define SSL_R_MESSAGE_TOO_LONG                          296
 #define SSL_R_MISSING_DH_DSA_CERT                       162
 #define SSL_R_MISSING_DH_KEY                            163
 #define SSL_R_MISSING_DH_RSA_CERT                       164
@@ -2939,16 +2867,13 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_TMP_RSA_PKEY                      173
 #define SSL_R_MISSING_VERIFY_MESSAGE                    174
 #define SSL_R_MULTIPLE_SGC_RESTARTS                     346
-#define SSL_R_NON_SSLV2_INITIAL_PACKET                  175
 #define SSL_R_NO_CERTIFICATES_RETURNED                  176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED                   177
 #define SSL_R_NO_CERTIFICATE_RETURNED                   178
 #define SSL_R_NO_CERTIFICATE_SET                        179
-#define SSL_R_NO_CERTIFICATE_SPECIFIED                  180
 #define SSL_R_NO_CIPHERS_AVAILABLE                      181
 #define SSL_R_NO_CIPHERS_PASSED                                 182
 #define SSL_R_NO_CIPHERS_SPECIFIED                      183
-#define SSL_R_NO_CIPHER_LIST                            184
 #define SSL_R_NO_CIPHER_MATCH                           185
 #define SSL_R_NO_CLIENT_CERT_METHOD                     331
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                   186
@@ -2956,10 +2881,8 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER          330
 #define SSL_R_NO_METHOD_SPECIFIED                       188
 #define SSL_R_NO_PEM_EXTENSIONS                                 389
-#define SSL_R_NO_PRIVATEKEY                             189
 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED                   190
 #define SSL_R_NO_PROTOCOLS_AVAILABLE                    191
-#define SSL_R_NO_PUBLICKEY                              192
 #define SSL_R_NO_RENEGOTIATION                          339
 #define SSL_R_NO_REQUIRED_DIGEST                        324
 #define SSL_R_NO_SHARED_CIPHER                          193
@@ -2978,25 +2901,15 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_PARSE_TLSEXT                              227
 #define SSL_R_PATH_TOO_LONG                             270
 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE                 199
-#define SSL_R_PEER_ERROR                                200
-#define SSL_R_PEER_ERROR_CERTIFICATE                    201
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE                         202
-#define SSL_R_PEER_ERROR_NO_CIPHER                      203
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE   204
 #define SSL_R_PEM_NAME_BAD_PREFIX                       391
 #define SSL_R_PEM_NAME_TOO_SHORT                        392
 #define SSL_R_PRE_MAC_LENGTH_TOO_LONG                   205
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS                 206
 #define SSL_R_PROTOCOL_IS_SHUTDOWN                      207
 #define SSL_R_PSK_IDENTITY_NOT_FOUND                    223
 #define SSL_R_PSK_NO_CLIENT_CB                          224
 #define SSL_R_PSK_NO_SERVER_CB                          225
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                  208
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                     209
-#define SSL_R_PUBLIC_KEY_NOT_RSA                        210
 #define SSL_R_READ_BIO_NOT_SET                          211
 #define SSL_R_READ_TIMEOUT_EXPIRED                      312
-#define SSL_R_READ_WRONG_PACKET_TYPE                    212
 #define SSL_R_RECORD_LENGTH_MISMATCH                    213
 #define SSL_R_RECORD_TOO_LARGE                          214
 #define SSL_R_RECORD_TOO_SMALL                          298
@@ -3005,13 +2918,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_RENEGOTIATION_MISMATCH                    337
 #define SSL_R_REQUIRED_CIPHER_MISSING                   215
 #define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING   342
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                216
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                  217
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                218
 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING          345
 #define SSL_R_SERVERHELLO_TLSEXT                        275
 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED          277
-#define SSL_R_SHORT_READ                                219
 #define SSL_R_SIGNATURE_ALGORITHMS_ERROR                360
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE     220
 #define SSL_R_SRP_A_CALC                                361
@@ -3019,7 +2928,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG     363
 #define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE           364
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE              221
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG               299
 #define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT            321
 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME               319
 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE          320
@@ -3044,7 +2952,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SSL_SESSION_ID_CONFLICT                   302
 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG           273
 #define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH             303
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               231
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED                         1049
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR                  1050
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED             1021
@@ -3073,12 +2980,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER           235
 #define SSL_R_UNABLE_TO_DECODE_DH_CERTS                         236
 #define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS               313
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY              237
 #define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS              238
 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS            314
 #define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS      239
 #define SSL_R_UNABLE_TO_FIND_SSL_METHOD                         240
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES          241
 #define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES          242
 #define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES                 243
 #define SSL_R_UNEXPECTED_MESSAGE                        244
@@ -3106,12 +3011,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNSUPPORTED_STATUS_TYPE                   329
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED                   369
 #define SSL_R_VERSION_TOO_LOW                           396
-#define SSL_R_WRITE_BIO_NOT_SET                                 260
 #define SSL_R_WRONG_CERTIFICATE_TYPE                    383
 #define SSL_R_WRONG_CIPHER_RETURNED                     261
 #define SSL_R_WRONG_CURVE                               378
 #define SSL_R_WRONG_MESSAGE_TYPE                        262
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                  263
 #define SSL_R_WRONG_SIGNATURE_LENGTH                    264
 #define SSL_R_WRONG_SIGNATURE_SIZE                      265
 #define SSL_R_WRONG_SIGNATURE_TYPE                      370
index eb25dcb0bf569f42361c3f28eee29d4b97832172..5c6a2381f6ec7edb898b417481eab33d4706088d 100644 (file)
 extern "C" {
 #endif
 
-/* Protocol Version Codes */
 #define SSL2_VERSION           0x0002
-#define SSL2_VERSION_MAJOR     0x00
-#define SSL2_VERSION_MINOR     0x02
-/* #define SSL2_CLIENT_VERSION 0x0002 */
-/* #define SSL2_SERVER_VERSION 0x0002 */
 
-/* Protocol Message Codes */
-#define SSL2_MT_ERROR                  0
 #define SSL2_MT_CLIENT_HELLO           1
-#define SSL2_MT_CLIENT_MASTER_KEY      2
-#define SSL2_MT_CLIENT_FINISHED                3
-#define SSL2_MT_SERVER_HELLO           4
-#define SSL2_MT_SERVER_VERIFY          5
-#define SSL2_MT_SERVER_FINISHED                6
-#define SSL2_MT_REQUEST_CERTIFICATE    7
-#define SSL2_MT_CLIENT_CERTIFICATE     8
-
-/* Error Message Codes */
-#define SSL2_PE_UNDEFINED_ERROR                0x0000
-#define SSL2_PE_NO_CIPHER              0x0001
-#define SSL2_PE_NO_CERTIFICATE         0x0002
-#define SSL2_PE_BAD_CERTIFICATE                0x0004
-#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-
-/* Cipher Kind Values */
-#define SSL2_CK_NULL_WITH_MD5                  0x02000000 /* v3 */
-#define SSL2_CK_RC4_128_WITH_MD5               0x02010080
-#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5      0x02020080
-#define SSL2_CK_RC2_128_CBC_WITH_MD5           0x02030080
-#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5  0x02040080
-#define SSL2_CK_IDEA_128_CBC_WITH_MD5          0x02050080
-#define SSL2_CK_DES_64_CBC_WITH_MD5            0x02060040
-#define SSL2_CK_DES_64_CBC_WITH_SHA            0x02060140 /* v3 */
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5      0x020700c0
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA      0x020701c0 /* v3 */
-#define SSL2_CK_RC4_64_WITH_MD5                        0x02080080 /* MS hack */
-#define SSL2_CK_DES_64_CFB64_WITH_MD5_1                0x02ff0800 /* SSLeay */
-#define SSL2_CK_NULL                           0x02ff0810 /* SSLeay */
-
-#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1       "DES-CFB-M1"
-#define SSL2_TXT_NULL_WITH_MD5                 "NULL-MD5"
-#define SSL2_TXT_RC4_128_WITH_MD5              "RC4-MD5"
-#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5     "EXP-RC4-MD5"
-#define SSL2_TXT_RC2_128_CBC_WITH_MD5          "RC2-CBC-MD5"
-#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 "EXP-RC2-CBC-MD5"
-#define SSL2_TXT_IDEA_128_CBC_WITH_MD5         "IDEA-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_MD5           "DES-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_SHA           "DES-CBC-SHA"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5     "DES-CBC3-MD5"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA     "DES-CBC3-SHA"
-#define SSL2_TXT_RC4_64_WITH_MD5               "RC4-64-MD5"
-
-#define SSL2_TXT_NULL                          "NULL"
-
-/* Flags for the SSL_CIPHER.algorithm2 field */
-#define SSL2_CF_5_BYTE_ENC                     0x01
-#define SSL2_CF_8_BYTE_ENC                     0x02
-
-/* Certificate Type Codes */
-#define SSL2_CT_X509_CERTIFICATE               0x01
-
-/* Authentication Type Code */
-#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION                0x01
-
-#define SSL2_MAX_SSL_SESSION_ID_LENGTH         32
-
-/* Upper/Lower Bounds */
-#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS     256
-#ifdef OPENSSL_SYS_MPE
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER   29998u
-#else
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER   32767u  /* 2^15-1 */
-#endif
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER   16383 /* 2^14-1 */
-
-#define SSL2_CHALLENGE_LENGTH  16
-/*#define SSL2_CHALLENGE_LENGTH        32 */
-#define SSL2_MIN_CHALLENGE_LENGTH      16
-#define SSL2_MAX_CHALLENGE_LENGTH      32
-#define SSL2_CONNECTION_ID_LENGTH      16
-#define SSL2_MAX_CONNECTION_ID_LENGTH  16
-#define SSL2_SSL_SESSION_ID_LENGTH     16
-#define SSL2_MAX_CERT_CHALLENGE_LENGTH 32
-#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
-#define SSL2_MAX_KEY_MATERIAL_LENGTH   24
-
-#ifndef HEADER_SSL_LOCL_H
-#define  CERT          char
-#endif
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct ssl2_state_st
-       {
-       int three_byte_header;
-       int clear_text;         /* clear text */
-       int escape;             /* not used in SSLv2 */
-       int ssl2_rollback;      /* used if SSLv23 rolled back to SSLv2 */
-
-       /* non-blocking io info, used to make sure the same
-        * args were passwd */
-       unsigned int wnum;      /* number of bytes sent so far */
-       int wpend_tot;
-       const unsigned char *wpend_buf;
-
-       int wpend_off;  /* offset to data to write */
-       int wpend_len;  /* number of bytes passwd to write */
-       int wpend_ret;  /* number of bytes to return to caller */
-
-       /* buffer raw data */
-       int rbuf_left;
-       int rbuf_offs;
-       unsigned char *rbuf;
-       unsigned char *wbuf;
-
-       unsigned char *write_ptr;/* used to point to the start due to
-                                 * 2/3 byte header. */
-
-       unsigned int padding;
-       unsigned int rlength; /* passed to ssl2_enc */
-       int ract_data_length; /* Set when things are encrypted. */
-       unsigned int wlength; /* passed to ssl2_enc */
-       int wact_data_length; /* Set when things are decrypted. */
-       unsigned char *ract_data;
-       unsigned char *wact_data;
-       unsigned char *mac_data;
-
-       unsigned char *read_key;
-       unsigned char *write_key;
-
-               /* Stuff specifically to do with this SSL session */
-       unsigned int challenge_length;
-       unsigned char challenge[SSL2_MAX_CHALLENGE_LENGTH];
-       unsigned int conn_id_length;
-       unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
-       unsigned int key_material_length;
-       unsigned char key_material[SSL2_MAX_KEY_MATERIAL_LENGTH*2];
-
-       unsigned long read_sequence;
-       unsigned long write_sequence;
-
-       struct  {
-               unsigned int conn_id_length;
-               unsigned int cert_type; 
-               unsigned int cert_length;
-               unsigned int csl; 
-               unsigned int clear;
-               unsigned int enc; 
-               unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH];
-               unsigned int cipher_spec_length;
-               unsigned int session_id_length;
-               unsigned int clen;
-               unsigned int rlen;
-               } tmp;
-       } SSL2_STATE;
-
-#endif
-
-/* SSLv2 */
-/* client */
-#define SSL2_ST_SEND_CLIENT_HELLO_A            (0x10|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_HELLO_B            (0x11|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_HELLO_A             (0x20|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_HELLO_B             (0x21|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_MASTER_KEY_A       (0x30|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_MASTER_KEY_B       (0x31|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_FINISHED_A         (0x40|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_FINISHED_B         (0x41|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_A      (0x50|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_B      (0x51|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_C      (0x52|SSL_ST_CONNECT)
-#define SSL2_ST_SEND_CLIENT_CERTIFICATE_D      (0x53|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_VERIFY_A            (0x60|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_VERIFY_B            (0x61|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_FINISHED_A          (0x70|SSL_ST_CONNECT)
-#define SSL2_ST_GET_SERVER_FINISHED_B          (0x71|SSL_ST_CONNECT)
-#define SSL2_ST_CLIENT_START_ENCRYPTION                (0x80|SSL_ST_CONNECT)
-#define SSL2_ST_X509_GET_CLIENT_CERTIFICATE    (0x90|SSL_ST_CONNECT)
-/* server */
-#define SSL2_ST_GET_CLIENT_HELLO_A             (0x10|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_HELLO_B             (0x11|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_HELLO_C             (0x12|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_HELLO_A            (0x20|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_HELLO_B            (0x21|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_MASTER_KEY_A                (0x30|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_MASTER_KEY_B                (0x31|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_A           (0x40|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_B           (0x41|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_VERIFY_C           (0x42|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_FINISHED_A          (0x50|SSL_ST_ACCEPT)
-#define SSL2_ST_GET_CLIENT_FINISHED_B          (0x51|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_FINISHED_A         (0x60|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_SERVER_FINISHED_B         (0x61|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_A     (0x70|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_B     (0x71|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_C     (0x72|SSL_ST_ACCEPT)
-#define SSL2_ST_SEND_REQUEST_CERTIFICATE_D     (0x73|SSL_ST_ACCEPT)
-#define SSL2_ST_SERVER_START_ENCRYPTION                (0x80|SSL_ST_ACCEPT)
-#define SSL2_ST_X509_GET_SERVER_CERTIFICATE    (0x90|SSL_ST_ACCEPT)
 
 #ifdef  __cplusplus
 }
index d3646aef9721cfa75ff752676bed9de42d29d354..c4bf75040ae268b023a6a4ec8876ec7c7b54bd14 100644 (file)
@@ -110,7 +110,6 @@ int SSL_library_init(void)
   
 #ifndef OPENSSL_NO_MD5
        EVP_add_digest(EVP_md5());
-       EVP_add_digest_alias(SN_md5,"ssl2-md5");
        EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
 #ifndef OPENSSL_NO_SHA
index 4775003710271ef6ee4462a96d948b6f61f59125..ba5f33d9a9a0e7bb29c882e0a646ed8dcb676315 100644 (file)
@@ -98,7 +98,6 @@ typedef struct ssl_session_asn1_st
        ASN1_OCTET_STRING master_key;
        ASN1_OCTET_STRING session_id;
        ASN1_OCTET_STRING session_id_context;
-       ASN1_OCTET_STRING key_arg;
 #ifndef OPENSSL_NO_KRB5
         ASN1_OCTET_STRING krb5_princ;
 #endif /* OPENSSL_NO_KRB5 */
@@ -165,19 +164,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                l=in->cipher_id;
        else
                l=in->cipher->id;
-       if (in->ssl_version == SSL2_VERSION)
-               {
-               a.cipher.length=3;
-               buf[0]=((unsigned char)(l>>16L))&0xff;
-               buf[1]=((unsigned char)(l>> 8L))&0xff;
-               buf[2]=((unsigned char)(l     ))&0xff;
-               }
-       else
-               {
-               a.cipher.length=2;
-               buf[0]=((unsigned char)(l>>8L))&0xff;
-               buf[1]=((unsigned char)(l    ))&0xff;
-               }
+       a.cipher.length=2;
+       buf[0]=((unsigned char)(l>>8L))&0xff;
+       buf[1]=((unsigned char)(l    ))&0xff;
+
 
 #ifndef OPENSSL_NO_COMP
        if (in->compress_meth)
@@ -201,10 +191,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        a.session_id_context.type=V_ASN1_OCTET_STRING;
        a.session_id_context.data=in->sid_ctx;
 
-       a.key_arg.length=in->key_arg_length;
-       a.key_arg.type=V_ASN1_OCTET_STRING;
-       a.key_arg.data=in->key_arg;
-
 #ifndef OPENSSL_NO_KRB5
        if (in->krb5_client_princ_len)
                {
@@ -291,8 +277,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->krb5_client_princ_len)
                M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
 #endif /* OPENSSL_NO_KRB5 */
-       if (in->key_arg_length > 0)
-               M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
        if (in->time != 0L)
                M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
        if (in->timeout != 0L)
@@ -337,8 +321,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->krb5_client_princ_len)
                M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
 #endif /* OPENSSL_NO_KRB5 */
-       if (in->key_arg_length > 0)
-               M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
        if (in->time != 0L)
                M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
        if (in->timeout != 0L)
@@ -403,20 +385,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 
        os.data=NULL; os.length=0;
        M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-       if (ssl_version == SSL2_VERSION)
-               {
-               if (os.length != 3)
-                       {
-                       c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
-                       c.line=__LINE__;
-                       goto err;
-                       }
-               id=0x02000000L|
-                       ((unsigned long)os.data[0]<<16L)|
-                       ((unsigned long)os.data[1]<< 8L)|
-                        (unsigned long)os.data[2];
-               }
-       else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
+       if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
                {
                if (os.length != 2)
                        {
@@ -439,10 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
        ret->cipher_id=id;
 
        M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-       if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
-               i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-       else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
-               i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
+       i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
 
        if (os.length > i)
                os.length = i;
@@ -481,11 +447,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 #endif /* OPENSSL_NO_KRB5 */
 
        M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
-       if (os.length > SSL_MAX_KEY_ARG_LENGTH)
-               ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
-       else
-               ret->key_arg_length=os.length;
-       memcpy(ret->key_arg,os.data,ret->key_arg_length);
        if (os.data != NULL) OPENSSL_free(os.data);
 
        ai.length=0;
index 6264fe93c7ad1d0e89c6f1820d7a3e6d5b1265f8..f214bafe4a5511be9e73ea1ab9beb128205cea84 100644 (file)
@@ -1389,9 +1389,6 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits,
                /* No ciphers below security level */
                if (bits < minbits)
                        return 0;
-               /* No SSLv2 ciphers */
-               if ((SSL_CIPHER_get_id(c) >> 24) == 0x2)
-                       return 0;
                /* No unauthenticated ciphersuites */
                if (c->algorithm_auth & SSL_aNULL)
                        return 0;
@@ -1410,9 +1407,6 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits,
                break;
                }
        case SSL_SECOP_VERSION:
-               /* SSLv2 allowed only on level zero */
-               if (nid == SSL2_VERSION)
-                       return 0;
                /* SSLv3 not allowed on level 2 */
                if (nid <= SSL3_VERSION && level >= 2)
                        return 0;
@@ -1432,9 +1426,6 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op, int bits,
                if (level >= 3)
                        return 0;
                break;
-       case SSL_SECOP_SSL2_COMPAT:
-               /* SSLv2 compatible client hello only for level zero */
-               return 0;
        default:
                if (bits < minbits)
                        return 0;
index 3c005f7e1a6707bec379c2f3d3ea25a8f7811959..464a767efe84304959578b105e72ebeb77d5b70f 100644 (file)
@@ -314,7 +314,6 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_SHA384,0,    0,0,0,SSL_SHA384,  0,0,0,0,0},
 
        /* protocol version aliases */
-       {0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
        {0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
        {0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
        {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
@@ -815,7 +814,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 
        /*
         * We have num_of_ciphers descriptions compiled in, depending on the
-        * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+        * method selected (SSLv3, TLSv1 etc).
         * These will later be sorted in a linked list with at most num
         * entries.
         */
@@ -1653,7 +1652,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        int is_export,pkl,kl;
        const char *ver,*exp_str;
        const char *kx,*au,*enc,*mac;
-       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
+       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl;
 #ifdef KSSL_DEBUG
        static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
@@ -1666,16 +1665,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        alg_mac = cipher->algorithm_mac;
        alg_ssl = cipher->algorithm_ssl;
 
-       alg2=cipher->algorithm2;
-
        is_export=SSL_C_IS_EXPORT(cipher);
        pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
        kl=SSL_C_EXPORT_KEYLENGTH(cipher);
        exp_str=is_export?" export":"";
        
-       if (alg_ssl & SSL_SSLV2)
-               ver="SSLv2";
-       else if (alg_ssl & SSL_SSLV3)
+       if (alg_ssl & SSL_SSLV3)
                ver="SSLv3";
        else if (alg_ssl & SSL_TLSV1_2)
                ver="TLSv1.2";
@@ -1770,8 +1765,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
                enc="3DES(168)";
                break;
        case SSL_RC4:
-               enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
-                 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+               enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)"):"RC4(128)";
                break;
        case SSL_RC2:
                enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
@@ -1864,8 +1858,6 @@ char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
        i=(int)(c->id>>24L);
        if (i == 3)
                return("TLSv1/SSLv3");
-       else if (i == 2)
-               return("SSLv2");
        else
                return("unknown");
        }
index cdefd206a2c3fd8cdfd91e0b6b3e8502e3817f56..3785b4f78ffe6e7b7646bf7fd34f8f42567afd1d 100644 (file)
@@ -198,7 +198,6 @@ static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
        {
        static const ssl_flag_tbl ssl_option_single[] =
                {
-               SSL_FLAG_TBL("no_ssl2", SSL_OP_NO_SSLv2),
                SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3),
                SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1),
                SSL_FLAG_TBL("no_tls1_1", SSL_OP_NO_TLSv1_1),
@@ -334,7 +333,6 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
        static const ssl_flag_tbl ssl_protocol_list[] =
                {
                SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
-               SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
                SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
                SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
                SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),
index c115522fcd801386f1dc3f3d1ec5dc739e909de3..220b6d7c9a6f69378bfb90c73d510903fa714f09 100644 (file)
 static ERR_STRING_DATA SSL_str_functs[]=
        {
 {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
-{ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
-{ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
-{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),    "CLIENT_MASTER_KEY"},
 {ERR_FUNC(SSL_F_D2I_SSL_SESSION),      "d2i_SSL_SESSION"},
 {ERR_FUNC(SSL_F_DO_DTLS1_WRITE),       "do_dtls1_write"},
 {ERR_FUNC(SSL_F_DO_SSL3_WRITE),        "DO_SSL3_WRITE"},
@@ -105,18 +101,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO),      "dtls1_send_server_hello"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),       "dtls1_send_server_key_exchange"},
 {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),   "dtls1_write_app_data_bytes"},
-{ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),  "GET_CLIENT_FINISHED"},
-{ERR_FUNC(SSL_F_GET_CLIENT_HELLO),     "GET_CLIENT_HELLO"},
-{ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY),        "GET_CLIENT_MASTER_KEY"},
-{ERR_FUNC(SSL_F_GET_SERVER_FINISHED),  "GET_SERVER_FINISHED"},
-{ERR_FUNC(SSL_F_GET_SERVER_HELLO),     "GET_SERVER_HELLO"},
-{ERR_FUNC(SSL_F_GET_SERVER_VERIFY),    "GET_SERVER_VERIFY"},
-{ERR_FUNC(SSL_F_I2D_SSL_SESSION),      "i2d_SSL_SESSION"},
-{ERR_FUNC(SSL_F_READ_N),       "READ_N"},
-{ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),  "REQUEST_CERTIFICATE"},
-{ERR_FUNC(SSL_F_SERVER_FINISH),        "SERVER_FINISH"},
-{ERR_FUNC(SSL_F_SERVER_HELLO), "SERVER_HELLO"},
-{ERR_FUNC(SSL_F_SERVER_VERIFY),        "SERVER_VERIFY"},
 {ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
 {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),   "SSL23_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL23_CONNECT),        "ssl23_connect"},
@@ -125,15 +109,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL23_PEEK),   "ssl23_peek"},
 {ERR_FUNC(SSL_F_SSL23_READ),   "ssl23_read"},
 {ERR_FUNC(SSL_F_SSL23_WRITE),  "ssl23_write"},
-{ERR_FUNC(SSL_F_SSL2_ACCEPT),  "ssl2_accept"},
-{ERR_FUNC(SSL_F_SSL2_CONNECT), "ssl2_connect"},
-{ERR_FUNC(SSL_F_SSL2_ENC_INIT),        "ssl2_enc_init"},
-{ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),   "ssl2_generate_key_material"},
-{ERR_FUNC(SSL_F_SSL2_PEEK),    "ssl2_peek"},
-{ERR_FUNC(SSL_F_SSL2_READ),    "ssl2_read"},
-{ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),   "SSL2_READ_INTERNAL"},
-{ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "ssl2_set_certificate"},
-{ERR_FUNC(SSL_F_SSL2_WRITE),   "ssl2_write"},
 {ERR_FUNC(SSL_F_SSL3_ACCEPT),  "ssl3_accept"},
 {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"},
 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),   "ssl3_callback_ctrl"},
@@ -252,8 +227,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),       "ssl_prepare_clienthello_tlsext"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),       "ssl_prepare_serverhello_tlsext"},
 {ERR_FUNC(SSL_F_SSL_READ),     "SSL_read"},
-{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),      "SSL_RSA_PRIVATE_DECRYPT"},
-{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),       "SSL_RSA_PUBLIC_ENCRYPT"},
 {ERR_FUNC(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT),  "SSL_SCAN_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT),  "SSL_SCAN_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_SESSION_NEW),      "SSL_SESSION_new"},
@@ -300,7 +273,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_PRF),     "tls1_prf"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
 {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS),      "tls1_set_server_sigalgs"},
-{ERR_FUNC(SSL_F_WRITE_PENDING),        "WRITE_PENDING"},
 {0,NULL}
        };
 
@@ -309,9 +281,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
 {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
 {ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
-{ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
 {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
-{ERR_REASON(SSL_R_BAD_CHECKSUM)          ,"bad checksum"},
 {ERR_REASON(SSL_R_BAD_DATA)              ,"bad data"},
 {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),"bad data returned by callback"},
 {ERR_REASON(SSL_R_BAD_DECOMPRESSION)     ,"bad decompression"},
@@ -326,13 +296,11 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH)  ,"bad handshake length"},
 {ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     ,"bad hello request"},
 {ERR_REASON(SSL_R_BAD_LENGTH)            ,"bad length"},
-{ERR_REASON(SSL_R_BAD_MAC_DECODE)        ,"bad mac decode"},
 {ERR_REASON(SSL_R_BAD_MAC_LENGTH)        ,"bad mac length"},
 {ERR_REASON(SSL_R_BAD_MESSAGE_TYPE)      ,"bad message type"},
 {ERR_REASON(SSL_R_BAD_PACKET_LENGTH)     ,"bad packet length"},
 {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},
 {ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH),"bad psk identity hint length"},
-{ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) ,"bad response argument"},
 {ERR_REASON(SSL_R_BAD_RSA_DECRYPT)       ,"bad rsa decrypt"},
 {ERR_REASON(SSL_R_BAD_RSA_ENCRYPT)       ,"bad rsa encrypt"},
 {ERR_REASON(SSL_R_BAD_RSA_E_LENGTH)      ,"bad rsa e length"},
@@ -348,8 +316,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE)    ,"bad srtp mki value"},
 {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
 {ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      ,"bad ssl filetype"},
-{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
-{ERR_REASON(SSL_R_BAD_STATE)             ,"bad state"},
 {ERR_REASON(SSL_R_BAD_VALUE)             ,"bad value"},
 {ERR_REASON(SSL_R_BAD_WRITE_RETRY)       ,"bad write retry"},
 {ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
@@ -363,17 +329,14 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
 {ERR_REASON(SSL_R_CERT_CB_ERROR)         ,"cert cb error"},
 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  ,"cert length mismatch"},
-{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
-{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    ,"clienthello tlsext"},
 {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG),"compressed length too long"},
 {ERR_REASON(SSL_R_COMPRESSION_DISABLED)  ,"compression disabled"},
 {ERR_REASON(SSL_R_COMPRESSION_FAILURE)   ,"compression failure"},
 {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),"compression id not within private range"},
 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
-{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
 {ERR_REASON(SSL_R_COOKIE_MISMATCH)       ,"cookie mismatch"},
 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
@@ -402,11 +365,9 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
 {ERR_REASON(SSL_R_HTTP_REQUEST)          ,"http request"},
-{ERR_REASON(SSL_R_ILLEGAL_PADDING)       ,"illegal padding"},
 {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST) ,"illegal Suite B digest"},
 {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
 {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
-{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
 {ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME) ,"invalid null cmd name"},
@@ -416,8 +377,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
 {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
 {ERR_REASON(SSL_R_INVALID_TRUST)         ,"invalid trust"},
-{ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      ,"key arg too long"},
-{ERR_REASON(SSL_R_KEY_TOO_SMALL)         ,"key too small"},
 {ERR_REASON(SSL_R_KRB5)                  ,"krb5"},
 {ERR_REASON(SSL_R_KRB5_C_CC_PRINC)       ,"krb5 client cc principal (no tkt?)"},
 {ERR_REASON(SSL_R_KRB5_C_GET_CRED)       ,"krb5 client get cred"},
@@ -433,7 +392,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_LENGTH_TOO_SHORT)      ,"length too short"},
 {ERR_REASON(SSL_R_LIBRARY_BUG)           ,"library bug"},
 {ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
-{ERR_REASON(SSL_R_MESSAGE_TOO_LONG)      ,"message too long"},
 {ERR_REASON(SSL_R_MISSING_DH_DSA_CERT)   ,"missing dh dsa cert"},
 {ERR_REASON(SSL_R_MISSING_DH_KEY)        ,"missing dh key"},
 {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   ,"missing dh rsa cert"},
@@ -452,16 +410,13 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
 {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
-{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no certificate returned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_SET)    ,"no certificate set"},
-{ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED),"no certificate specified"},
 {ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE)  ,"no ciphers available"},
 {ERR_REASON(SSL_R_NO_CIPHERS_PASSED)     ,"no ciphers passed"},
 {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
-{ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
 {ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
 {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
@@ -469,10 +424,8 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
 {ERR_REASON(SSL_R_NO_PEM_EXTENSIONS)     ,"no pem extensions"},
-{ERR_REASON(SSL_R_NO_PRIVATEKEY)         ,"no privatekey"},
 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
-{ERR_REASON(SSL_R_NO_PUBLICKEY)          ,"no publickey"},
 {ERR_REASON(SSL_R_NO_RENEGOTIATION)      ,"no renegotiation"},
 {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST)    ,"digest requred for handshake isn't computed"},
 {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      ,"no shared cipher"},
@@ -491,25 +444,15 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_PARSE_TLSEXT)          ,"parse tlsext"},
 {ERR_REASON(SSL_R_PATH_TOO_LONG)         ,"path too long"},
 {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR)            ,"peer error"},
-{ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE),"peer error certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE),"peer error no certificate"},
-{ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER)  ,"peer error no cipher"},
-{ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"peer error unsupported certificate type"},
 {ERR_REASON(SSL_R_PEM_NAME_BAD_PREFIX)   ,"pem name bad prefix"},
 {ERR_REASON(SSL_R_PEM_NAME_TOO_SHORT)    ,"pem name too short"},
 {ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG),"pre mac length too long"},
-{ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS),"problems mapping cipher functions"},
 {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN)  ,"protocol is shutdown"},
 {ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND),"psk identity not found"},
 {ERR_REASON(SSL_R_PSK_NO_CLIENT_CB)      ,"psk no client cb"},
 {ERR_REASON(SSL_R_PSK_NO_SERVER_CB)      ,"psk no server cb"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR),"public key encrypt error"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
-{ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
 {ERR_REASON(SSL_R_READ_BIO_NOT_SET)      ,"read bio not set"},
 {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED)  ,"read timeout expired"},
-{ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
 {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
 {ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},
 {ERR_REASON(SSL_R_RECORD_TOO_SMALL)      ,"record too small"},
@@ -518,13 +461,9 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH),"renegotiation mismatch"},
 {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING),"required cipher missing"},
 {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING),"required compresssion algorithm missing"},
-{ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO),"reuse cert length not zero"},
-{ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO),"reuse cert type not zero"},
-{ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO),"reuse cipher list not zero"},
 {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),"scsv received when renegotiating"},
 {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT)    ,"serverhello tlsext"},
 {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
-{ERR_REASON(SSL_R_SHORT_READ)            ,"short read"},
 {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR),"signature algorithms error"},
 {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
 {ERR_REASON(SSL_R_SRP_A_CALC)            ,"error with the srp params"},
@@ -532,7 +471,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),"srtp protection profile list too long"},
 {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),"srtp unknown protection profile"},
 {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
-{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"},
 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),"ssl3 ext invalid servername"},
 {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),"ssl3 ext invalid servername type"},
@@ -557,7 +495,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT),"ssl session id conflict"},
 {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),"ssl session id context too long"},
 {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),"ssl session id has bad length"},
-{ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT),"ssl session id is different"},
 {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),"tlsv1 alert access denied"},
 {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR),"tlsv1 alert decode error"},
 {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
@@ -586,12 +523,10 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},
-{ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY),"unable to extract public key"},
 {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),"unable to find dh parameters"},
 {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),"unable to find ecdh parameters"},
 {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),"unable to find public key parameters"},
 {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),"unable to find ssl method"},
-{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES),"unable to load ssl2 md5 routines"},
 {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),"unable to load ssl3 md5 routines"},
 {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),"unable to load ssl3 sha1 routines"},
 {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE)    ,"unexpected message"},
@@ -619,12 +554,10 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
 {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
 {ERR_REASON(SSL_R_VERSION_TOO_LOW)       ,"version too low"},
-{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     ,"write bio not set"},
 {ERR_REASON(SSL_R_WRONG_CERTIFICATE_TYPE),"wrong certificate type"},
 {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
 {ERR_REASON(SSL_R_WRONG_CURVE)           ,"wrong curve"},
 {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    ,"wrong message type"},
-{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
 {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
 {ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE)  ,"wrong signature size"},
 {ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE)  ,"wrong signature type"},
index f45b6dd6d38b0ea4a688225aacb9a33ea1cebfb1..5543defa477a3814e76b61f9092f730255d4e4fe 100644 (file)
@@ -263,7 +263,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth)
 
        sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
                &(ctx->cipher_list_by_id),
-               meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ctx->cert);
+               SSL_DEFAULT_CIPHER_LIST, ctx->cert);
        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
                {
                SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
@@ -488,17 +488,6 @@ int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
        r.ssl_version = ssl->version;
        r.session_id_length = id_len;
        memcpy(r.session_id, id, id_len);
-       /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
-        * callback is calling us to check the uniqueness of a shorter ID, it
-        * must be compared as a padded-out ID because that is what it will be
-        * converted to when the callback has finished choosing it. */
-       if((r.ssl_version == SSL2_VERSION) &&
-                       (id_len < SSL2_SSL_SESSION_ID_LENGTH))
-               {
-               memset(r.session_id + id_len, 0,
-                       SSL2_SSL_SESSION_ID_LENGTH - id_len);
-               r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
-               }
 
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
@@ -1943,7 +1932,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 /*     ret->cipher=NULL;*/
 /*     ret->s2->challenge=NULL;
        ret->master_key=NULL;
-       ret->key_arg=NULL;
        ret->s2->conn_id=NULL; */
 
        ret->info_callback=NULL;
@@ -1977,7 +1965,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 
        ssl_create_cipher_list(ret->method,
                &ret->cipher_list,&ret->cipher_list_by_id,
-               meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ret->cert);
+               SSL_DEFAULT_CIPHER_LIST, ret->cert);
        if (ret->cipher_list == NULL
            || sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
                {
@@ -1989,11 +1977,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        if (!ret->param)
                goto err;
 
-       if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL)
-               {
-               SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES);
-               goto err2;
-               }
        if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
@@ -2780,17 +2763,9 @@ int SSL_get_error(const SSL *s,int i)
 
        if (i == 0)
                {
-               if (s->version == SSL2_VERSION)
-                       {
-                       /* assume it is the socket being closed */
+               if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+                       (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
                        return(SSL_ERROR_ZERO_RETURN);
-                       }
-               else
-                       {
-                       if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
-                               (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
-                               return(SSL_ERROR_ZERO_RETURN);
-                       }
                }
        return(SSL_ERROR_SYSCALL);
        }
@@ -2874,8 +2849,6 @@ const char *SSL_get_version(const SSL *s)
                return("TLSv1");
        else if (s->version == SSL3_VERSION)
                return("SSLv3");
-       else if (s->version == SSL2_VERSION)
-               return("SSLv2");
        else
                return("unknown");
        }
index ffbf75b10c67b15a23bfe43b4f327f1b72714943..4e307e44c126466ff15ddd74b192e51146d48e73 100644 (file)
 #define SSL_AEAD               0x00000040L
 
 /* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV2              0x00000001L
 #define SSL_SSLV3              0x00000002L
 #define SSL_TLSV1              SSL_SSLV3       /* for now */
 #define SSL_TLSV1_2            0x00000004L
@@ -673,7 +672,7 @@ typedef struct cert_st
 
 typedef struct sess_cert_st
        {
-       STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
+       STACK_OF(X509) *cert_chain; /* as received from peer */
 
        /* The 'peer_...' members are used only by clients. */
        int peer_cert_type;
@@ -803,7 +802,6 @@ typedef struct ssl3_buf_freelist_entry_st
 #endif
 
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[];
 OPENSSL_EXTERN const SSL_CIPHER ssl3_ciphers[];
 
 
@@ -928,43 +926,6 @@ const SSL_METHOD *func_name(void)  \
        return &func_name##_data; \
        }
 
-#define IMPLEMENT_ssl2_meth_func(func_name, s_accept, s_connect, s_get_meth) \
-const SSL_METHOD *func_name(void)  \
-       { \
-       static const SSL_METHOD func_name##_data= { \
-               SSL2_VERSION, \
-               ssl2_new,       /* local */ \
-               ssl2_clear,     /* local */ \
-               ssl2_free,      /* local */ \
-               s_accept, \
-               s_connect, \
-               ssl2_read, \
-               ssl2_peek, \
-               ssl2_write, \
-               ssl2_shutdown, \
-               ssl_ok, /* NULL - renegotiate */ \
-               ssl_ok, /* NULL - check renegotiate */ \
-               NULL, /* NULL - ssl_get_message */ \
-               NULL, /* NULL - ssl_get_record */ \
-               NULL, /* NULL - ssl_write_bytes */ \
-               NULL, /* NULL - dispatch_alert */ \
-               ssl2_ctrl,      /* local */ \
-               ssl2_ctx_ctrl,  /* local */ \
-               ssl2_get_cipher_by_char, \
-               ssl2_put_cipher_by_char, \
-               ssl2_pending, \
-               ssl2_num_ciphers, \
-               ssl2_get_cipher, \
-               s_get_meth, \
-               ssl2_default_timeout, \
-               &ssl3_undef_enc_method, \
-               ssl_undefined_void_function, \
-               ssl2_callback_ctrl,     /* local */ \
-               ssl2_ctx_callback_ctrl, /* local */ \
-       }; \
-       return &func_name##_data; \
-       }
-
 #define IMPLEMENT_dtls1_meth_func(version, func_name, s_accept, s_connect, \
                                        s_get_meth, enc_data) \
 const SSL_METHOD *func_name(void)  \
@@ -1078,35 +1039,6 @@ int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
 int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
 
-int ssl2_enc_init(SSL *s, int client);
-int ssl2_generate_key_material(SSL *s);
-int ssl2_enc(SSL *s,int send_data);
-void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
-const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
-int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
-int ssl2_part_read(SSL *s, unsigned long f, int i);
-int ssl2_do_write(SSL *s);
-int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data);
-void ssl2_return_error(SSL *s,int reason);
-void ssl2_write_error(SSL *s);
-int ssl2_num_ciphers(void);
-const SSL_CIPHER *ssl2_get_cipher(unsigned int u);
-int    ssl2_new(SSL *s);
-void   ssl2_free(SSL *s);
-int    ssl2_accept(SSL *s);
-int    ssl2_connect(SSL *s);
-int    ssl2_read(SSL *s, void *buf, int len);
-int    ssl2_peek(SSL *s, void *buf, int len);
-int    ssl2_write(SSL *s, const void *buf, int len);
-int    ssl2_shutdown(SSL *s);
-void   ssl2_clear(SSL *s);
-long   ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
-long   ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
-long   ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
-long   ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
-int    ssl2_pending(const SSL *s);
-long   ssl2_default_timeout(void );
-
 const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
 void ssl3_init_finished_mac(SSL *s);
index 3f9bad10a4d3769df4b6bb7eacfcdef45ed355db..3bac2dbc6939643a15e7d4976654f5980f83bf19 100644 (file)
@@ -236,13 +236,13 @@ unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
        return s->compress_meth;
        }
 
-/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
- * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
+/* SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
+ * the ID with random junk repeatedly
  * until we have no conflict is going to complete in one iteration pretty much
  * "most" of the time (btw: understatement). So, if it takes us 10 iterations
  * and we still can't avoid a conflict - well that's a reasonable point to call
  * it quits. Either the RAND code is broken or someone is trying to open roughly
- * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
+ * very close to 2^256 SSL sessions to our server. How you might
  * store that many sessions is perhaps a more interesting question ... */
 
 #define MAX_SESS_ID_ATTEMPTS 10
@@ -293,12 +293,7 @@ int ssl_get_new_session(SSL *s, int session)
 
        if (session)
                {
-               if (s->version == SSL2_VERSION)
-                       {
-                       ss->ssl_version=SSL2_VERSION;
-                       ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
-                       }
-               else if (s->version == SSL3_VERSION)
+               if (s->version == SSL3_VERSION)
                        {
                        ss->ssl_version=SSL3_VERSION;
                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
@@ -388,11 +383,7 @@ int ssl_get_new_session(SSL *s, int session)
                        SSL_SESSION_free(ss);
                        return(0);
                        }
-               /* If the session length was shrunk and we're SSLv2, pad it */
-               if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
-                       memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
-               else
-                       ss->session_id_length = tmp;
+               ss->session_id_length = tmp;
                /* Finally, check for a conflict */
                if(SSL_has_matching_session_id(s, ss->session_id,
                                                ss->session_id_length))
@@ -745,7 +736,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 
-       OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
        OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
        OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
        if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
index c5a15ce548240d429ac9717ccd9fe7ed4c07e07c..ad44756a8f47c897414cfb67bfa15a5cdcac4c4d 100644 (file)
@@ -100,46 +100,6 @@ case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
 case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
 case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
 case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
-#ifndef OPENSSL_NO_SSL2
-case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
-case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_B: str="SSLv2 write client hello B"; break;
-case SSL2_ST_GET_SERVER_HELLO_A: str="SSLv2 read server hello A"; break;
-case SSL2_ST_GET_SERVER_HELLO_B: str="SSLv2 read server hello B"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: str="SSLv2 write client master key A"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: str="SSLv2 write client master key B"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_A: str="SSLv2 write client finished A"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_B: str="SSLv2 write client finished B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: str="SSLv2 write client certificate A"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: str="SSLv2 write client certificate B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: str="SSLv2 write client certificate C"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: str="SSLv2 write client certificate D"; break;
-case SSL2_ST_GET_SERVER_VERIFY_A: str="SSLv2 read server verify A"; break;
-case SSL2_ST_GET_SERVER_VERIFY_B: str="SSLv2 read server verify B"; break;
-case SSL2_ST_GET_SERVER_FINISHED_A: str="SSLv2 read server finished A"; break;
-case SSL2_ST_GET_SERVER_FINISHED_B: str="SSLv2 read server finished B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_A: str="SSLv2 read client hello A"; break;
-case SSL2_ST_GET_CLIENT_HELLO_B: str="SSLv2 read client hello B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_C: str="SSLv2 read client hello C"; break;
-case SSL2_ST_SEND_SERVER_HELLO_A: str="SSLv2 write server hello A"; break;
-case SSL2_ST_SEND_SERVER_HELLO_B: str="SSLv2 write server hello B"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_A: str="SSLv2 read client master key A"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_B: str="SSLv2 read client master key B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_A: str="SSLv2 write server verify A"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_B: str="SSLv2 write server verify B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_C: str="SSLv2 write server verify C"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_A: str="SSLv2 read client finished A"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_B: str="SSLv2 read client finished B"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_A: str="SSLv2 write server finished A"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_B: str="SSLv2 write server finished B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: str="SSLv2 write request certificate A"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: str="SSLv2 write request certificate B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: str="SSLv2 write request certificate C"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: str="SSLv2 write request certificate D"; break;
-case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificate"; break;
-case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
-#endif
 
 #ifndef OPENSSL_NO_SSL3
 /* SSLv3 additions */
@@ -257,46 +217,6 @@ case SSL_ST_BEFORE:                                str="PINIT "; break;
 case SSL_ST_ACCEPT:                            str="AINIT "; break;
 case SSL_ST_CONNECT:                           str="CINIT "; break;
 case SSL_ST_OK:                                        str="SSLOK "; break;
-#ifndef OPENSSL_NO_SSL2
-case SSL2_ST_CLIENT_START_ENCRYPTION:          str="2CSENC"; break;
-case SSL2_ST_SERVER_START_ENCRYPTION:          str="2SSENC"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_A:              str="2SCH_A"; break;
-case SSL2_ST_SEND_CLIENT_HELLO_B:              str="2SCH_B"; break;
-case SSL2_ST_GET_SERVER_HELLO_A:               str="2GSH_A"; break;
-case SSL2_ST_GET_SERVER_HELLO_B:               str="2GSH_B"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:         str="2SCMKA"; break;
-case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:         str="2SCMKB"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_A:           str="2SCF_A"; break;
-case SSL2_ST_SEND_CLIENT_FINISHED_B:           str="2SCF_B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:                str="2SCC_A"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_B:                str="2SCC_B"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:                str="2SCC_C"; break;
-case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:                str="2SCC_D"; break;
-case SSL2_ST_GET_SERVER_VERIFY_A:              str="2GSV_A"; break;
-case SSL2_ST_GET_SERVER_VERIFY_B:              str="2GSV_B"; break;
-case SSL2_ST_GET_SERVER_FINISHED_A:            str="2GSF_A"; break;
-case SSL2_ST_GET_SERVER_FINISHED_B:            str="2GSF_B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_A:               str="2GCH_A"; break;
-case SSL2_ST_GET_CLIENT_HELLO_B:               str="2GCH_B"; break;
-case SSL2_ST_GET_CLIENT_HELLO_C:               str="2GCH_C"; break;
-case SSL2_ST_SEND_SERVER_HELLO_A:              str="2SSH_A"; break;
-case SSL2_ST_SEND_SERVER_HELLO_B:              str="2SSH_B"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_A:          str="2GCMKA"; break;
-case SSL2_ST_GET_CLIENT_MASTER_KEY_B:          str="2GCMKA"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_A:             str="2SSV_A"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_B:             str="2SSV_B"; break;
-case SSL2_ST_SEND_SERVER_VERIFY_C:             str="2SSV_C"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_A:            str="2GCF_A"; break;
-case SSL2_ST_GET_CLIENT_FINISHED_B:            str="2GCF_B"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_A:           str="2SSF_A"; break;
-case SSL2_ST_SEND_SERVER_FINISHED_B:           str="2SSF_B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:       str="2SRC_A"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_B:       str="2SRC_B"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_C:       str="2SRC_C"; break;
-case SSL2_ST_SEND_REQUEST_CERTIFICATE_D:       str="2SRC_D"; break;
-case SSL2_ST_X509_GET_SERVER_CERTIFICATE:      str="2X9GSC"; break;
-case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:      str="2X9GCC"; break;
-#endif
 
 #ifndef OPENSSL_NO_SSL3
 /* SSLv3 additions */
index b5ce44b47c56e44fcd245089742002a2fbb0fed0..9c4982cb864ca1f3d685dd3d46886528558444cd 100644 (file)
@@ -228,10 +228,7 @@ int main ( int argc, char **argv )
        SSL_load_error_strings();
        OpenSSL_add_all_algorithms();
 
-/* DRM, this was the original, but there is no such thing as SSLv2()
-       s_ctx=SSL_CTX_new(SSLv2());
-*/
-       s_ctx=SSL_CTX_new(SSLv2_server_method());
+       s_ctx=SSL_CTX_new(SSLv23_server_method());
 
        if (s_ctx == NULL) goto end;
 
index 0ffdcb0ea233f1724cdeacce9bf5665a55b0fe30..b09fecad81a8eccab98d099c14bd51cf9f22996c 100644 (file)
@@ -111,9 +111,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 
        if (x == NULL) goto err;
        if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err;
-       if (x->ssl_version == SSL2_VERSION)
-               s="SSLv2";
-       else if (x->ssl_version == SSL3_VERSION)
+       if (x->ssl_version == SSL3_VERSION)
                s="SSLv3";
        else if (x->ssl_version == TLS1_2_VERSION)
                s="TLSv1.2";
@@ -165,16 +163,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                {
                if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err;
                }
-       if (BIO_puts(bp,"\n    Key-Arg   : ") <= 0) goto err;
-       if (x->key_arg_length == 0)
-               {
-               if (BIO_puts(bp,"None") <= 0) goto err;
-               }
-       else
-               for (i=0; i<x->key_arg_length; i++)
-                       {
-                       if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
-                       }
 #ifndef OPENSSL_NO_KRB5
        if (BIO_puts(bp,"\n    Krb5 Principal: ") <= 0) goto err;
             if (x->krb5_client_princ_len == 0)
index 4f2f477a043d23871283cca5e306f544206abb5e..05f75aab12076250b965255372dc79eadfcacda1 100644 (file)
@@ -773,9 +773,6 @@ static void sv_usage(void)
        fprintf(stderr," -srpuser user  - SRP username to use\n");
        fprintf(stderr," -srppass arg   - password for 'user'\n");
 #endif
-#ifndef OPENSSL_NO_SSL2
-       fprintf(stderr," -ssl2         - use SSLv2\n");
-#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
        fprintf(stderr," -ssl3         - use SSLv3\n");
 #endif
@@ -981,7 +978,7 @@ int main(int argc, char *argv[])
        int badop=0;
        int bio_pair=0;
        int force=0;
-       int tls1=0,ssl2=0,ssl3=0,ret=1;
+       int tls1=0,ssl3=0,ret=1;
        int client_auth=0;
        int server_auth=0,i;
        struct app_verify_arg app_verify_arg =
@@ -1164,13 +1161,6 @@ int main(int argc, char *argv[])
                        tls1=1;
                        }
 #endif
-               else if (strcmp(*argv,"-ssl2") == 0)
-                       {
-#ifdef OPENSSL_NO_SSL2
-                       no_protocol = 1;
-#endif
-                       ssl2 = 1;
-                       }
                else if (strcmp(*argv,"-tls1") == 0)
                        {
 #ifdef OPENSSL_NO_TLS1
@@ -1398,15 +1388,15 @@ bad:
                goto end;
                }
 
-       if (ssl2 + ssl3 + tls1 > 1)
+       if (ssl3 + tls1 > 1)
                {
-               fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
+               fprintf(stderr, "At most one of -ssl3, or -tls1 should "
                        "be requested.\n");
                EXIT(1);
                }
 
        /*
-        * Testing was requested for a compiled-out protocol (e.g. SSLv2).
+        * Testing was requested for a compiled-out protocol (e.g. SSLv3).
          * Ideally, we would error out, but the generic test wrapper can't know
         * when to expect failure. So we do nothing and return success.
         */
@@ -1418,11 +1408,11 @@ bad:
                goto end;
                }
 
-       if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
+       if (!ssl3 && !tls1 && number > 1 && !reuse && !force)
                {
                fprintf(stderr, "This case cannot work.  Use -f to perform "
                        "the test anyway (and\n-d to see what happens), "
-                       "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
+                       "or add one of -ssl3, -tls1, -reuse\n"
                        "to avoid protocol mismatch.\n");
                EXIT(1);
                }
@@ -1496,14 +1486,9 @@ bad:
        }
 #endif
 
-/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available.
+/* At this point, ssl3/tls1 is only set if the protocol is available.
  * (Otherwise we exit early.)
  * However the compiler doesn't know this, so we ifdef. */
-#ifndef OPENSSL_NO_SSL2
-       if (ssl2)
-               meth=SSLv2_method();
-       else
-#endif
 #ifndef OPENSSL_NO_SSL3
        if (ssl3)
                meth=SSLv3_method();
@@ -2252,18 +2237,6 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
                                if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
                                        {
                                        fprintf(stderr, "ERROR: got stuck\n");
-                                       if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
-                                               {
-                                               fprintf(stderr, "This can happen for SSL2 because "
-                                                       "CLIENT-FINISHED and SERVER-VERIFY are written \n"
-                                                       "concurrently ...");
-                                               if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
-                                                       && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
-                                                       {
-                                                       fprintf(stderr, " ok.\n");
-                                                       goto end;
-                                                       }
-                                               }
                                        fprintf(stderr, " ERROR.\n");
                                        goto err;
                                        }
@@ -3347,21 +3320,6 @@ static int do_test_cipherlist(void)
        const SSL_METHOD *meth;
        const SSL_CIPHER *ci, *tci = NULL;
 
-#ifndef OPENSSL_NO_SSL2
-       fprintf(stderr, "testing SSLv2 cipher list order: ");
-       meth = SSLv2_method();
-       while ((ci = meth->get_cipher(i++)) != NULL)
-               {
-               if (tci != NULL)
-                       if (ci->id >= tci->id)
-                               {
-                               fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
-                               return 0;
-                               }
-               tci = ci;
-               }
-       fprintf(stderr, "ok\n");
-#endif
 #ifndef OPENSSL_NO_SSL3
        fprintf(stderr, "testing SSLv3 cipher list order: ");
        meth = SSLv3_method();
index 47ff82b1e45a747293b5cdb65b3eef5b76bb7968..1358bfbd447b19268732f54a97137786fb4036be 100644 (file)
@@ -535,7 +535,6 @@ printf("which = %04X\nmac key=",which);
                        }
                }
 
-       s->session->key_arg_length=0;
 #ifdef KSSL_DEBUG
        {
         int i;
index 0799a7af51bdfd6d72afd5b26efce6821100e294..36733c64df6d106841d41edae800a33d20a0dd9d 100644 (file)
@@ -106,7 +106,6 @@ static int do_ssl_trace_list(BIO *bio, int indent,
 /* Version number */
 
 static ssl_trace_tbl ssl_version_tbl[] = {
-       {SSL2_VERSION,          "SSL 2.0"},
        {SSL3_VERSION,          "SSL 3.0"},
        {TLS1_VERSION,          "TLS 1.0"},
        {TLS1_1_VERSION,        "TLS 1.1"},
@@ -1252,8 +1251,6 @@ static int ssl_print_heartbeat(BIO *bio, int indent,
 
 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c)
        {
-       if (c->algorithm_ssl & SSL_SSLV2)
-               return NULL;
        return ssl_trace_str(c->id & 0xFFFF, ssl_ciphers_tbl);
        }
 
index 7680fab1f968f287820cbc077ff4b61670f139fd..948b99608bcc77c2cf940c647f8a67ea0485a48c 100644 (file)
@@ -934,11 +934,8 @@ jpaketest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
 jpaketest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 jpaketest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 jpaketest.o: ../include/openssl/symhacks.h jpaketest.c
-md2test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
-md2test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
-md2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-md2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-md2test.o: ../include/openssl/symhacks.h md2test.c
+md2test.o: ../e_os.h ../include/openssl/e_os2.h
+md2test.o: ../include/openssl/opensslconf.h md2test.c
 md4test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 md4test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 md4test.o: ../include/openssl/evp.h ../include/openssl/md4.h
index 7ffd008f6660d17a9718ec9ee006ac80785ecab6..a90fb6ef1227793754e50af997f1b027a0ae56fe 100644 (file)
@@ -1,12 +1,38 @@
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIB1gIBAQIBAgQDAQCABBCi11xa5qkOP8xrr02K/NQCBBBkIYQZM0Bt95W0EHNV
-bA58oQYCBDIBr7WiBAICASyjggGGMIIBgjCCASwCAQMwDQYJKoZIhvcNAQEEBQAw
-ODELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3Jz
-YSB0ZXN0IENBMB4XDTk1MTAwOTIzMzEzNFoXDTk4MDcwNTIzMzEzNFowYDELMAkG
-A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRk
-LjELMAkGA1UECxMCQ1MxGzAZBgNVBAMTElNTTGVheSBkZW1vIGNsaWVudDBcMA0G
-CSqGSIb3DQEBAQUAA0sAMEgCQQC4pcXEL1lgVA+B5Q3TcuW/O3LZHoA73IYm8oFD
-TezgCDhL2RTMn+seKWF36UtJKRIOBU9jZHCVVd0Me5ls6BEjAgMBAAEwDQYJKoZI
-hvcNAQEEBQADQQBoIpOcwUY1qlVF7j3ROSGvUsbvByOBFmYWkIBgsCqR+9qo1A7L
-CrWF5i8LWt/vLwAHaxWNx2YuBJMFyuK81fTvpA0EC3Rlc3Rjb250ZXh0
+MIIGpAIBAQICAwMEAsAwBCABkpk0q01VEnPtcNWLtYg1xZJLreP0C1r4wPOakiLu
+8AQwi0opOLa+Omt26PqbLUcmI1H7F/n7qRy6TaL9Lxf2/ZBUDgRG3aSuSejO+gki
+F2U9oQYCBFR6XVaiBAICASyjggVjMIIFXzCCBEegAwIBAgIQNdDRF5hINFi7kAeK
+0fP5FjANBgkqhkiG9w0BAQUFADBBMQswCQYDVQQGEwJGUjESMBAGA1UEChMJR0FO
+REkgU0FTMR4wHAYDVQQDExVHYW5kaSBTdGFuZGFyZCBTU0wgQ0EwHhcNMTMxMjMx
+MDAwMDAwWhcNMTQxMjMxMjM1OTU5WjBYMSEwHwYDVQQLExhEb21haW4gQ29udHJv
+bCBWYWxpZGF0ZWQxGzAZBgNVBAsTEkdhbmRpIFN0YW5kYXJkIFNTTDEWMBQGA1UE
+AxMNZGIuZGViaWFuLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGB
+AN/7DlZZKR5SELzF7rdn6LWxuebpVyFu1eXltzxi+Mig9cR0ZZD3hp0JcUresABO
+zE66AuhGtcFus/J/88CGM2r39u3n5ac5O/4Ypp57997YJRV725dL4oX75Vpc4p8j
+EI/LyIFteZN22ziv9zW7qCKKahnq1tuqDkV+84BEARpVdIaaWmn/KqsEgxeNKomy
+OLvn96IVCTAF78rudPmJHfSCl++NFmg0yu7DPyuXf8YJfA6j8/kFueanK2B1y/ww
+8MSbL3iAdgLwVtRJkwRYyKn8p5+ybwzX9L36GWgYs9OXUn8x494T5GjbGQVxUNt7
+qJnRtiUwYVoiOARrv1EI0Cq4ANXVaLDckc5y0a2PY3c4NWVlKGYbdxdQC1n6nH93
+mWDIr6vu7JX3CqDDr8FBlNVVtiBiv0q/eiVb9dzBzOntt3hA6GOJFAuwDDf7g7nq
+Gq8qqcr7EIyVB8ytQ5XMgtLCpmJkLzIdRYfdsQMa7cAbl0THAwwXigcotFA0aYIP
+BQIDAQABo4IBujCCAbYwHwYDVR0jBBgwFoAUtqj/oqgv0KbNS7Fo8+dQEDGneSEw
+HQYDVR0OBBYEFDJGWXznCu/+qyFLCmUI4cmXy1DCMA4GA1UdDwEB/wQEAwIFoDAM
+BgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBgBgNV
+HSAEWTBXMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cu
+Z2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3BkZi8wCAYGZ4EMAQIBMDwG
+A1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuZ2FuZGkubmV0L0dhbmRpU3RhbmRh
+cmRTU0xDQS5jcmwwagYIKwYBBQUHAQEEXjBcMDcGCCsGAQUFBzAChitodHRwOi8v
+Y3J0LmdhbmRpLm5ldC9HYW5kaVN0YW5kYXJkU1NMQ0EuY3J0MCEGCCsGAQUFBzAB
+hhVodHRwOi8vb2NzcC5nYW5kaS5uZXQwKwYDVR0RBCQwIoINZGIuZGViaWFuLm9y
+Z4IRd3d3LmRiLmRlYmlhbi5vcmcwDQYJKoZIhvcNAQEFBQADggEBAK+ix7EQNPgU
+qDx46gAPifcm6b2FvXq+gtlB9h6UaDDO7fxDzmoU5V4WtdBM5uvIfOmpeNuCxPaj
+18cUlj9PPjL3eK43UCVu6w5hN3p2/2BPvFjQRhtBcIcEWsMal1DCtS/vCBkQt1lS
+gd4/xiMfK4cQYtwRu47gB0HuM2lecYHA42EC5hqupY/2tHo54AdyU46TxgUQcm0e
+icLtYuTjIYQWdUgM92heDw8caey5GKL2/TmYM2iWy/csFLm4tJAwPMtvy1KWdJQE
+iqYIuI9Lb4/xOyjSwVNLIJmbEzE6Sds9sjxqEcU4CconTVJazvHZtnBRV8GiRYKa
+d/xgQ6J+/Z2kAgQAqQQCAgEsqoHDBIHAPGxCacLRMYb3hbL3lRqQIfH3xoufIwKn
+zOAIyjxH7GPZpI87/e93AF1uw6eyy+aWJM6G/71E8Ln1iQtZjrGkGQCjEcIrUhEk
+Bgg93A28zly2zu2aBwi2yT4bUcyHxE3P3Q4R8xkQxrdWSMfCjCy9HKUViOENKET6
+avKXF7lDT1iG/x8RtTHtFGYX4YcFVhdEqcqnZ7tw5sqkHG2D0gLzO2SETF9KPHCq
+zAHQtw5r4Dgl+a+BGLczh6as4yIH+xH+
 -----END SSL SESSION PARAMETERS-----
index 3a63e5d1e5bc2e32b1bc092b8cac8e749fba8ec5..9c790e3ab52c111957f8b809d6d54bb38ddec6a5 100644 (file)
@@ -34,20 +34,6 @@ serverinfo="./serverinfo.pem"
 
 #############################################################################
 
-echo test sslv2
-$ssltest -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication
-  $ssltest -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication
-  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
 echo test sslv3
 $ssltest -ssl3 $extra || exit 1
 
@@ -72,20 +58,6 @@ $ssltest -client_auth $CA $extra || exit 1
 echo test sslv2/sslv3 with both client and server authentication
 $ssltest -server_auth -client_auth $CA $extra || exit 1
 
-echo test sslv2 via BIO pair
-$ssltest -bio_pair -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication via BIO pair
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
 echo test sslv3 via BIO pair
 $ssltest -bio_pair -ssl3 $extra || exit 1
 
index f19edc4719f85f6735258b9f92180687e5a2e9c1..3782e352bb9a9967913bfd184534979d7198c58f 100644 (file)
@@ -49,25 +49,6 @@ $    endif
 $
 $!###########################################################################
 $
-$      write sys$output "test sslv2"
-$      'ssltest' -ssl2
-$      if $severity .ne. 1 then goto exit3
-$
-$      write sys$output "test sslv2 with server authentication"
-$      'ssltest' -ssl2 -server_auth 'CA'
-$      if $severity .ne. 1 then goto exit3
-$
-$      if .not. dsa_cert
-$      then
-$          write sys$output "test sslv2 with client authentication"
-$          'ssltest' -ssl2 -client_auth 'CA'
-$          if $severity .ne. 1 then goto exit3
-$
-$          write sys$output "test sslv2 with both client and server authentication"
-$          'ssltest' -ssl2 -server_auth -client_auth 'CA'
-$          if $severity .ne. 1 then goto exit3
-$      endif
-$
 $      write sys$output "test sslv3"
 $      'ssltest' -ssl3
 $      if $severity .ne. 1 then goto exit3
@@ -100,25 +81,6 @@ $   write sys$output "test sslv2/sslv3 with both client and server authentication"
 $      'ssltest' -server_auth -client_auth 'CA'
 $      if $severity .ne. 1 then goto exit3
 $
-$      write sys$output "test sslv2 via BIO pair"
-$      'ssltest' -bio_pair -ssl2 
-$      if $severity .ne. 1 then goto exit3
-$
-$      write sys$output "test sslv2 with server authentication via BIO pair"
-$      'ssltest' -bio_pair -ssl2 -server_auth 'CA' 
-$      if $severity .ne. 1 then goto exit3
-$
-$      if .not. dsa_cert
-$      then
-$          write sys$output "test sslv2 with client authentication via BIO pair"
-$          'ssltest' -bio_pair -ssl2 -client_auth 'CA' 
-$          if $severity .ne. 1 then goto exit3
-$
-$          write sys$output "test sslv2 with both client and server authentication via BIO pair"
-$          'ssltest' -bio_pair -ssl2 -server_auth -client_auth 'CA' 
-$          if $severity .ne. 1 then goto exit3
-$      endif
-$
 $      write sys$output "test sslv3 via BIO pair"
 $      'ssltest' -bio_pair -ssl3 
 $      if $severity .ne. 1 then goto exit3
index 4d9a8287d0cfdf9dea9c59a4ba0060bd5e100054..459cd9f7e334986713fbae98681f65900647ea74 100755 (executable)
@@ -94,7 +94,6 @@ sub var_add
        @a=grep(!/^e_.*_c$/,@a) if $no_cast;
        @a=grep(!/^e_rc4$/,@a) if $no_rc4;
 
-       @a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
        @a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
 
        @a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
index 0fcadcbad8609eebedf519dc208c71873315be2d..e83ef7d37df0d24cfd8fbb4b5c13970d9b784f19 100755 (executable)
@@ -136,7 +136,7 @@ and [options] can be one of
        no-rc2 no-rc4 no-rc5 no-idea no-des     - Skip this symetric cipher
        no-bf no-cast no-aes no-camellia no-seed
        no-rsa no-dsa no-dh                     - Skip this public key cipher
-       no-ssl2 no-ssl3                         - Skip this version of SSL
+       no-ssl3                                 - Skip this version of SSL
        just-ssl                                - remove all non-ssl keys/digest
        no-asm                                  - No x86 asm
        no-krb5                                 - No KRB5
@@ -180,9 +180,6 @@ $no_mdc2=1 if ($no_des);
 $no_ssl3=1 if ($no_md5 || $no_sha);
 $no_ssl3=1 if ($no_rsa && $no_dh);
 
-$no_ssl2=1 if ($no_md5);
-$no_ssl2=1 if ($no_rsa);
-
 $out_def="out";
 $inc_def="outinc";
 $tmp_def="tmp";
@@ -296,7 +293,6 @@ $cflags.=" -DOPENSSL_NO_DSA"  if $no_dsa;
 $cflags.=" -DOPENSSL_NO_DH"   if $no_dh;
 $cflags.=" -DOPENSSL_NO_WHIRLPOOL"   if $no_whirlpool;
 $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
-$cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_SRP" if $no_srp;
@@ -1107,7 +1103,6 @@ sub var_add
        @a=grep(!/^e_camellia$/,@a) if $no_camellia;
        @a=grep(!/^e_seed$/,@a) if $no_seed;
 
-       #@a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2;
        #@a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3;
 
        @a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock;
@@ -1430,7 +1425,6 @@ sub read_options
                "nw-nasm" => \$nw_nasm,
                "nw-mwasm" => \$nw_mwasm,
                "gaswin" => \$gaswin,
-               "no-ssl2" => \$no_ssl2,
                "no-ssl3" => \$no_ssl3,
                "no-ssl3-method" => 0,
                "no-tlsext" => \$no_tlsext,
@@ -1451,7 +1445,7 @@ sub read_options
                "just-ssl" =>
                        [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,
                          \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh,
-                         \$no_ssl2, \$no_err, \$no_ripemd, \$no_rc5,
+                         \$no_err, \$no_ripemd, \$no_rc5,
                          \$no_aes, \$no_camellia, \$no_seed, \$no_srp],
                "rsaref" => 0,
                "gcc" => \$gcc,
index 460d56523ab4af2fac29b7127bb184e6f388228a..651fa6acd5079375795841ed7edf7dda84fecaf4 100755 (executable)
@@ -106,8 +106,6 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CMS",
                         # CryptoAPI Engine
                         "CAPIENG",
-                        # SSL v2
-                        "SSL2",
                         # SSL v3 method
                         "SSL3_METHOD",
                         # JPAKE
@@ -144,7 +142,7 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
-my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
+my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method;
 
@@ -240,7 +238,6 @@ foreach (@ARGV, split(/ /, $options))
        elsif (/^no-ec2m$/)     { $no_ec2m=1; }
        elsif (/^no-ec-nistp224-64-gcc-128$/)   { $no_nistp_gcc=1; }
        elsif (/^no-nextprotoneg$/)     { $no_nextprotoneg=1; }
-       elsif (/^no-ssl2$/)     { $no_ssl2=1; }
        elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
        elsif (/^no-ssl-trace$/) { $no_ssl_trace=1; }
        elsif (/^no-capieng$/)  { $no_capieng=1; }
@@ -1212,7 +1209,6 @@ sub is_valid
                                        { return 0; }
                        if ($keyword eq "EC2M" && $no_ec2m) { return 0; }
                        if ($keyword eq "NEXTPROTONEG" && $no_nextprotoneg) { return 0; }
-                       if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
                        if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
                        if ($keyword eq "SSL_TRACE" && $no_ssl_trace) { return 0; }
                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
index a289559c200c88882c5f9029fd517ce71bdc6432..53dbe6dabbecadbec6fb90cc26832ea9775be420 100755 (executable)
@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms               109   NOEXIST::FUNCTION:
 SSLv23_client_method                    110    EXIST::FUNCTION:RSA
 SSLv23_method                           111    EXIST::FUNCTION:RSA
 SSLv23_server_method                    112    EXIST::FUNCTION:RSA
-SSLv2_client_method                     113    EXIST::FUNCTION:RSA,SSL2
-SSLv2_method                            114    EXIST::FUNCTION:RSA,SSL2
-SSLv2_server_method                     115    EXIST::FUNCTION:RSA,SSL2
+SSLv2_client_method                     113    NOEXIST::FUNCTION:
+SSLv2_method                            114    NOEXIST::FUNCTION:
+SSLv2_server_method                     115    NOEXIST::FUNCTION:
 SSLv3_client_method                     116    EXIST::FUNCTION:SSL3_METHOD
 SSLv3_method                            117    EXIST::FUNCTION:SSL3_METHOD
 SSLv3_server_method                     118    EXIST::FUNCTION:SSL3_METHOD