author | lloyd <[email protected]> | 2015-01-11 03:12:54 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2015-01-11 03:12:54 +0000 |
commit | 53b1202b5a0597be40f40717ee4dc6213f1f0a0e (patch) | |
tree | 13e9091983a9999d8449d8e21548b40cfd4c1ac6 /src/lib | |
parent | ac5aae3fa32b51ac38cbbeb0f09116c1f258b9e1 (diff) |
Remove SSLv3 and handling of SSLv2 client hellos.
Diffstat (limited to 'src/lib')
26 files changed, 38 insertions, 559 deletions
diff --git a/src/lib/engine/core_engine/lookup_mac.cpp b/src/lib/engine/core_engine/lookup_mac.cpp index 62e23eb57..ba5cd69c6 100644 --- a/src/lib/engine/core_engine/lookup_mac.cpp +++ b/src/lib/engine/core_engine/lookup_mac.cpp @@ -25,10 +25,6 @@ #include <botan/poly1305.h> #endif -#if defined(BOTAN_HAS_SSL3_MAC) - #include <botan/ssl3_mac.h> -#endif - #if defined(BOTAN_HAS_ANSI_X919_MAC) #include <botan/x919_mac.h> #endif @@ -62,11 +58,6 @@ Core_Engine::find_mac(const SCAN_Name& request, return new CBC_MAC(af.make_block_cipher(request.arg(0))); #endif -#if defined(BOTAN_HAS_SSL3_MAC) - if(request.algo_name() == "SSL3-MAC" && request.arg_count() == 1) - return new SSL3_MAC(af.make_hash_function(request.arg(0))); -#endif - #if defined(BOTAN_HAS_ANSI_X919_MAC) if(request.algo_name() == "X9.19-MAC" && request.arg_count() == 0) return new ANSI_X919_MAC(af.make_block_cipher("DES")); diff --git a/src/lib/kdf/kdf.cpp b/src/lib/kdf/kdf.cpp index 0d963e9a2..820e5234c 100644 --- a/src/lib/kdf/kdf.cpp +++ b/src/lib/kdf/kdf.cpp @@ -21,10 +21,6 @@ #include <botan/prf_x942.h> #endif -#if defined(BOTAN_HAS_SSL_V3_PRF) - #include <botan/prf_ssl3.h> -#endif - #if defined(BOTAN_HAS_TLS_V10_PRF) #include <botan/prf_tls.h> #endif @@ -55,11 +51,6 @@ KDF* get_kdf(const std::string& algo_spec) return new X942_PRF(request.arg(0)); // OID #endif -#if defined(BOTAN_HAS_SSL_V3_PRF) - if(request.algo_name() == "SSL3-PRF" && request.arg_count() == 0) - return new SSL3_PRF; -#endif - #if defined(BOTAN_HAS_TLS_V10_PRF) if(request.algo_name() == "TLS-PRF" && request.arg_count() == 0) return new TLS_PRF; diff --git a/src/lib/kdf/prf_ssl3/info.txt b/src/lib/kdf/prf_ssl3/info.txt deleted file mode 100644 index c4e830bac..000000000 --- a/src/lib/kdf/prf_ssl3/info.txt +++ /dev/null @@ -1,7 +0,0 @@ -define SSL_V3_PRF 20131128 - -<requires> -md5 -sha1 -algo_base -</requires> 
diff --git a/src/lib/kdf/prf_ssl3/prf_ssl3.cpp b/src/lib/kdf/prf_ssl3/prf_ssl3.cpp deleted file mode 100644 index 40bce53b0..000000000 --- a/src/lib/kdf/prf_ssl3/prf_ssl3.cpp +++ /dev/null @@ -1,75 +0,0 @@ -/* -* SSLv3 PRF -* (C) 2004-2006 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/prf_ssl3.h> -#include <botan/symkey.h> -#include <botan/exceptn.h> -#include <botan/sha160.h> -#include <botan/md5.h> - -namespace Botan { - -namespace { - -/* -* Return the next inner hash -*/ -OctetString next_hash(size_t where, size_t want, - HashFunction& md5, HashFunction& sha1, - const byte secret[], size_t secret_len, - const byte seed[], size_t seed_len) - { - BOTAN_ASSERT(want <= md5.output_length(), - "Output size producable by MD5"); - - const byte ASCII_A_CHAR = 0x41; - - for(size_t j = 0; j != where + 1; j++) - sha1.update(static_cast<byte>(ASCII_A_CHAR + where)); - sha1.update(secret, secret_len); - sha1.update(seed, seed_len); - secure_vector<byte> sha1_hash = sha1.final(); - - md5.update(secret, secret_len); - md5.update(sha1_hash); - secure_vector<byte> md5_hash = md5.final(); - - return OctetString(&md5_hash[0], want); - } - -} - -/* -* SSL3 PRF -*/ -secure_vector<byte> SSL3_PRF::derive(size_t key_len, - const byte secret[], size_t secret_len, - const byte seed[], size_t seed_len) const - { - if(key_len > 416) - throw Invalid_Argument("SSL3_PRF: Requested key length is too large"); - - MD5 md5; - SHA_160 sha1; - - OctetString output; - - int counter = 0; - while(key_len) - { - const size_t produce = std::min<size_t>(key_len, md5.output_length()); - - output = output + next_hash(counter++, produce, md5, sha1, - secret, secret_len, seed, seed_len); - - key_len -= produce; - } - - return output.bits_of(); - } - -} diff --git a/src/lib/kdf/prf_ssl3/prf_ssl3.h b/src/lib/kdf/prf_ssl3/prf_ssl3.h deleted file mode 100644 index 9679f744e..000000000 --- a/src/lib/kdf/prf_ssl3/prf_ssl3.h +++ /dev/null 
@@ -1,30 +0,0 @@ -/* -* SSLv3 PRF -* (C) 1999-2007 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_SSLV3_PRF_H__ -#define BOTAN_SSLV3_PRF_H__ - -#include <botan/kdf.h> - -namespace Botan { - -/** -* PRF used in SSLv3 -*/ -class BOTAN_DLL SSL3_PRF : public KDF - { - public: - secure_vector<byte> derive(size_t, const byte[], size_t, - const byte[], size_t) const; - - std::string name() const { return "SSL3-PRF"; } - KDF* clone() const { return new SSL3_PRF; } - }; - -} - -#endif diff --git a/src/lib/mac/ssl3mac/info.txt b/src/lib/mac/ssl3mac/info.txt deleted file mode 100644 index 5e69b0ae8..000000000 --- a/src/lib/mac/ssl3mac/info.txt +++ /dev/null @@ -1,5 +0,0 @@ -define SSL3_MAC 20131128 - -<requires> -hash -</requires> diff --git a/src/lib/mac/ssl3mac/ssl3_mac.cpp b/src/lib/mac/ssl3mac/ssl3_mac.cpp deleted file mode 100644 index 5ab5ff727..000000000 --- a/src/lib/mac/ssl3mac/ssl3_mac.cpp +++ /dev/null 
@@ -1,90 +0,0 @@ -/* -* SSL3-MAC -* (C) 1999-2004 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/ssl3_mac.h> - -namespace Botan { - -/* -* Update a SSL3-MAC Calculation -*/ -void SSL3_MAC::add_data(const byte input[], size_t length) - { - m_hash->update(input, length); - } - -/* -* Finalize a SSL3-MAC Calculation -*/ -void SSL3_MAC::final_result(byte mac[]) - { - m_hash->final(mac); - m_hash->update(m_okey); - m_hash->update(mac, output_length()); - m_hash->final(mac); - m_hash->update(m_ikey); - } - -/* -* SSL3-MAC Key Schedule -*/ -void SSL3_MAC::key_schedule(const byte key[], size_t length) - { - m_hash->clear(); - - // Quirk to deal with specification bug - const size_t inner_hash_length = - (m_hash->name() == "SHA-160") ? 60 : m_hash->hash_block_size(); - - m_ikey.resize(inner_hash_length); - m_okey.resize(inner_hash_length); - - std::fill(m_ikey.begin(), m_ikey.end(), 0x36); - std::fill(m_okey.begin(), m_okey.end(), 0x5C); - - copy_mem(&m_ikey[0], key, length); - copy_mem(&m_okey[0], key, length); - - m_hash->update(m_ikey); - } - -/* -* Clear memory of sensitive data -*/ -void SSL3_MAC::clear() - { - m_hash->clear(); - zap(m_ikey); - zap(m_okey); - } - -/* -* Return the name of this type -*/ -std::string SSL3_MAC::name() const - { - return "SSL3-MAC(" + m_hash->name() + ")"; - } - -/* -* Return a clone of this object -*/ -MessageAuthenticationCode* SSL3_MAC::clone() const - { - return new SSL3_MAC(m_hash->clone()); - } - -/* -* SSL3-MAC Constructor -*/ -SSL3_MAC::SSL3_MAC(HashFunction* hash) : m_hash(hash) - { - if(m_hash->hash_block_size() == 0) - throw Invalid_Argument("SSL3-MAC cannot be used with " + m_hash->name()); - } - -} diff --git a/src/lib/mac/ssl3mac/ssl3_mac.h b/src/lib/mac/ssl3mac/ssl3_mac.h deleted file mode 100644 index 290fffd01..000000000 --- a/src/lib/mac/ssl3mac/ssl3_mac.h +++ /dev/null 
@@ -1,48 +0,0 @@ -/* -* SSL3-MAC -* (C) 1999-2004 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_SSL3_MAC_H__ -#define BOTAN_SSL3_MAC_H__ - -#include <botan/hash.h> -#include <botan/mac.h> - -namespace Botan { - -/** -* A MAC only used in SSLv3. Do not use elsewhere! Use HMAC instead. -*/ -class BOTAN_DLL SSL3_MAC : public MessageAuthenticationCode - { - public: - std::string name() const; - size_t output_length() const { return m_hash->output_length(); } - MessageAuthenticationCode* clone() const; - - void clear(); - - Key_Length_Specification key_spec() const - { - return Key_Length_Specification(m_hash->output_length()); - } - - /** - * @param hash the underlying hash to use - */ - SSL3_MAC(HashFunction* hash); - private: - void add_data(const byte[], size_t); - void final_result(byte[]); - void key_schedule(const byte[], size_t); - - std::unique_ptr<HashFunction> m_hash; - secure_vector<byte> m_ikey, m_okey; - }; - -} - -#endif diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt index 530ee1121..f65da5eea 100644 --- a/src/lib/tls/info.txt +++ b/src/lib/tls/info.txt @@ -78,13 +78,11 @@ gcm hmac kdf2 md5 -prf_ssl3 prf_tls rng rsa sha1 sha2_32 srp6 -ssl3mac x509 </requires> diff --git a/src/lib/tls/msg_cert_verify.cpp b/src/lib/tls/msg_cert_verify.cpp index 769a8687e..3837e3871 100644 --- a/src/lib/tls/msg_cert_verify.cpp +++ b/src/lib/tls/msg_cert_verify.cpp 
@@ -30,20 +30,7 @@ Certificate_Verify::Certificate_Verify(Handshake_IO& io, PK_Signer signer(*priv_key, format.first, format.second); - if(state.version() == Protocol_Version::SSL_V3) - { - secure_vector<byte> md5_sha = state.hash().final_ssl3( - state.session_keys().master_secret()); - - if(priv_key->algo_name() == "DSA") - m_signature = signer.sign_message(&md5_sha[16], md5_sha.size()-16, rng); - else - m_signature = signer.sign_message(md5_sha, rng); - } - else - { - m_signature = signer.sign_message(state.hash().get_contents(), rng); - } + m_signature = signer.sign_message(state.hash().get_contents(), rng); state.hash().update(io.send(*this)); } @@ -99,15 +86,6 @@ bool Certificate_Verify::verify(const X509_Certificate& cert, PK_Verifier verifier(*key, format.first, format.second); - if(state.version() == Protocol_Version::SSL_V3) - { - secure_vector<byte> md5_sha = state.hash().final_ssl3( - state.session_keys().master_secret()); - - return verifier.verify_message(&md5_sha[16], md5_sha.size()-16, - &m_signature[0], m_signature.size()); - } - return verifier.verify_message(state.hash().get_contents(), m_signature); } diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp index cebe8ac9e..473d9235f 100644 --- a/src/lib/tls/msg_client_hello.cpp +++ b/src/lib/tls/msg_client_hello.cpp @@ -152,17 +152,6 @@ Client_Hello::Client_Hello(Handshake_IO& io, hash.update(io.send(*this)); } -/* -* Read a counterparty client hello -*/ -Client_Hello::Client_Hello(const std::vector<byte>& buf, Handshake_Type type) - { - if(type == CLIENT_HELLO) - deserialize(buf); - else - deserialize_sslv2(buf); - } - void Client_Hello::update_hello_cookie(const Hello_Verify_Request& hello_verify) { if(!m_version.is_datagram_protocol()) 
@@ -201,48 +190,10 @@ std::vector<byte> Client_Hello::serialize() const return buf; } -void Client_Hello::deserialize_sslv2(const std::vector<byte>& buf) - { - if(buf.size() < 12 || buf[0] != 1) - throw Decoding_Error("Client_Hello: SSLv2 hello corrupted"); - - const size_t cipher_spec_len = make_u16bit(buf[3], buf[4]); - const size_t m_session_id_len = make_u16bit(buf[5], buf[6]); - const size_t challenge_len = make_u16bit(buf[7], buf[8]); - - const size_t expected_size = - (9 + m_session_id_len + cipher_spec_len + challenge_len); - - if(buf.size() != expected_size) - throw Decoding_Error("Client_Hello: SSLv2 hello corrupted"); - - if(m_session_id_len != 0 || cipher_spec_len % 3 != 0 || - (challenge_len < 16 || challenge_len > 32)) - { - throw Decoding_Error("Client_Hello: SSLv2 hello corrupted"); - } - - m_version = Protocol_Version(buf[1], buf[2]); - - for(size_t i = 9; i != 9 + cipher_spec_len; i += 3) - { - if(buf[i] != 0) // a SSLv2 cipherspec; ignore it - continue; - - m_suites.push_back(make_u16bit(buf[i+1], buf[i+2])); - } - - m_random.resize(challenge_len); - copy_mem(&m_random[0], &buf[9+cipher_spec_len+m_session_id_len], challenge_len); - - if(offered_suite(static_cast<u16bit>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV))) - m_extensions.add(new Renegotiation_Extension()); - } - /* -* Deserialize a Client Hello message +* Read a counterparty client hello */ -void Client_Hello::deserialize(const std::vector<byte>& buf) +Client_Hello::Client_Hello(const std::vector<byte>& buf) { if(buf.size() == 0) throw Decoding_Error("Client_Hello: Packet corrupted"); diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp index 4bdd9983c..c8dc2aad8 100644 --- a/src/lib/tls/msg_client_kex.cpp +++ b/src/lib/tls/msg_client_kex.cpp 
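Review bot: The renamed parser loses the SCSV handling that `deserialize_sslv2` performed at its end — `if(offered_suite(static_cast<u16bit>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV))) m_extensions.add(new Renegotiation_Extension());` — and the retained body is outside the hunk, so please confirm the v3 path maps the SCSV to a renegotiation extension itself; otherwise a client that signals secure renegotiation only through the SCSV would silently lose it. Now that this constructor is the sole entry for wire bytes, the header comment `Read a counterparty client hello` could state the contract, e.g. `* Parse a client hello received from the peer (untrusted input; throws Decoding_Error on malformed data)`. The constructor body continues outside the hunk.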
@@ -239,12 +239,9 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io, PK_Encryptor_EME encryptor(*rsa_pub, "PKCS1v15"); - std::vector<byte> encrypted_key = encryptor.encrypt(m_pre_master, rng); + const std::vector<byte> encrypted_key = encryptor.encrypt(m_pre_master, rng); - if(state.version() == Protocol_Version::SSL_V3) - m_key_material = encrypted_key; // no length field - else - append_tls_length_value(m_key_material, encrypted_key, 2); + append_tls_length_value(m_key_material, encrypted_key, 2); } else throw TLS_Exception(Alert::HANDSHAKE_FAILURE, @@ -299,15 +296,8 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents, try { - if(state.version() == Protocol_Version::SSL_V3) - { - m_pre_master = decryptor.decrypt(contents); - } - else - { - TLS_Data_Reader reader("ClientKeyExchange", contents); - m_pre_master = decryptor.decrypt(reader.get_range<byte>(2, 0, 65535)); - } + TLS_Data_Reader reader("ClientKeyExchange", contents); + m_pre_master = decryptor.decrypt(reader.get_range<byte>(2, 0, 65535)); if(m_pre_master.size() != 48 || client_version.major_version() != m_pre_master[0] || diff --git a/src/lib/tls/msg_finished.cpp b/src/lib/tls/msg_finished.cpp index c6c097c0d..b837172b6 100644 --- a/src/lib/tls/msg_finished.cpp +++ b/src/lib/tls/msg_finished.cpp 
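Review bot: The new RSA path in the server-side constructor reads the encrypted premaster with `reader.get_range<byte>(2, 0, 65535)` but never checks that `contents` is fully consumed, so trailing bytes after the length-prefixed value are accepted silently; the SSLv3 branch it replaces decrypted the whole buffer, so this is a small loosening of the message check. If the reader offers an end-of-input check (this codebase's `TLS_Data_Reader` has `assert_done()`, as far as I recall), call it right after the `get_range`, inside the same `try`, so a malformed message is handled on the same failure path as a bad decryption rather than a distinguishable one. The enclosing `try` block and the version/length check that follows continue outside the hunk.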
@@ -20,44 +20,25 @@ namespace { std::vector<byte> finished_compute_verify(const Handshake_State& state, Connection_Side side) { - if(state.version() == Protocol_Version::SSL_V3) - { - const byte SSL_CLIENT_LABEL[] = { 0x43, 0x4C, 0x4E, 0x54 }; - const byte SSL_SERVER_LABEL[] = { 0x53, 0x52, 0x56, 0x52 }; + const byte TLS_CLIENT_LABEL[] = { + 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x66, 0x69, 0x6E, 0x69, + 0x73, 0x68, 0x65, 0x64 }; - Handshake_Hash hash = state.hash(); // don't modify state + const byte TLS_SERVER_LABEL[] = { + 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x66, 0x69, 0x6E, 0x69, + 0x73, 0x68, 0x65, 0x64 }; - std::vector<byte> ssl3_finished; + std::unique_ptr<KDF> prf(state.protocol_specific_prf()); - if(side == CLIENT) - hash.update(SSL_CLIENT_LABEL, sizeof(SSL_CLIENT_LABEL)); - else - hash.update(SSL_SERVER_LABEL, sizeof(SSL_SERVER_LABEL)); - - return unlock(hash.final_ssl3(state.session_keys().master_secret())); - } + std::vector<byte> input; + if(side == CLIENT) + input += std::make_pair(TLS_CLIENT_LABEL, sizeof(TLS_CLIENT_LABEL)); else - { - const byte TLS_CLIENT_LABEL[] = { - 0x63, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x66, 0x69, 0x6E, 0x69, - 0x73, 0x68, 0x65, 0x64 }; - - const byte TLS_SERVER_LABEL[] = { - 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x66, 0x69, 0x6E, 0x69, - 0x73, 0x68, 0x65, 0x64 }; - - std::unique_ptr<KDF> prf(state.protocol_specific_prf()); - - std::vector<byte> input; - if(side == CLIENT) - input += std::make_pair(TLS_CLIENT_LABEL, sizeof(TLS_CLIENT_LABEL)); - else - input += std::make_pair(TLS_SERVER_LABEL, sizeof(TLS_SERVER_LABEL)); + input += std::make_pair(TLS_SERVER_LABEL, sizeof(TLS_SERVER_LABEL)); - input += state.hash().final(state.version(), state.ciphersuite().prf_algo()); + input += state.hash().final(state.version(), state.ciphersuite().prf_algo()); - return unlock(prf->derive_key(12, state.session_keys().master_secret(), input)); - } + return unlock(prf->derive_key(12, state.session_keys().master_secret(), 
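Review bot: `TLS_CLIENT_LABEL` and `TLS_SERVER_LABEL` are spelled out as hex byte arrays, so a reader has to decode them to see they are the RFC 5246 label strings; now that they are the only labels left in `finished_compute_verify`, a short comment on each would help: `// "client finished"` and `// "server finished"`. The literal `12` passed to `derive_key` is the TLS verify_data length and deserves a name, e.g. `const size_t verify_data_len = 12; // verify_data length for TLS 1.0-1.2 (RFC 5246 7.4.9)`. The hoisted body otherwise matches the former TLS branch line for line.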
input)); } } diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp index a0fc008e8..73163a73b 100644 --- a/src/lib/tls/msg_server_hello.cpp +++ b/src/lib/tls/msg_server_hello.cpp @@ -35,10 +35,6 @@ Server_Hello::Server_Hello(Handshake_IO& io, m_ciphersuite(ciphersuite), m_comp_method(compression) { - /* - * Even a client that offered SSLv3 and sent the SCSV will get an - * extension back. This is probably the right thing to do. - */ if(client_hello.secure_renegotiation()) m_extensions.add(new Renegotiation_Extension(reneg_info)); @@ -94,10 +90,6 @@ Server_Hello::Server_Hello(Handshake_IO& io, m_ciphersuite(resumed_session.ciphersuite_code()), m_comp_method(resumed_session.compression_method()) { - /* - * Even a client that offered SSLv3 and sent the SCSV will get an - * extension back. This is probably the right thing to do. - */ if(client_hello.secure_renegotiation()) m_extensions.add(new Renegotiation_Extension(reneg_info)); diff --git a/src/lib/tls/tls_handshake_hash.cpp b/src/lib/tls/tls_handshake_hash.cpp index 77605309c..a4222c60e 100644 --- a/src/lib/tls/tls_handshake_hash.cpp +++ b/src/lib/tls/tls_handshake_hash.cpp 
@@ -38,48 +38,6 @@ secure_vector<byte> Handshake_Hash::final(Protocol_Version version, return hash->final(); } -/** -* Return a SSLv3 Handshake Hash -*/ -secure_vector<byte> Handshake_Hash::final_ssl3(const secure_vector<byte>& secret) const - { - const byte PAD_INNER = 0x36, PAD_OUTER = 0x5C; - - Algorithm_Factory& af = global_state().algorithm_factory(); - - std::unique_ptr<HashFunction> md5(af.make_hash_function("MD5")); - std::unique_ptr<HashFunction> sha1(af.make_hash_function("SHA-1")); - - md5->update(data); - sha1->update(data); - - md5->update(secret); - sha1->update(secret); - - for(size_t i = 0; i != 48; ++i) - md5->update(PAD_INNER); - for(size_t i = 0; i != 40; ++i) - sha1->update(PAD_INNER); - - secure_vector<byte> inner_md5 = md5->final(), inner_sha1 = sha1->final(); - - md5->update(secret); - sha1->update(secret); - - for(size_t i = 0; i != 48; ++i) - md5->update(PAD_OUTER); - for(size_t i = 0; i != 40; ++i) - sha1->update(PAD_OUTER); - - md5->update(inner_md5); - sha1->update(inner_sha1); - - secure_vector<byte> output; - output += md5->final(); - output += sha1->final(); - return output; - } - } } diff --git a/src/lib/tls/tls_handshake_hash.h b/src/lib/tls/tls_handshake_hash.h index 0b4fa7120..c6b412473 100644 --- a/src/lib/tls/tls_handshake_hash.h +++ b/src/lib/tls/tls_handshake_hash.h @@ -33,10 +33,7 @@ class Handshake_Hash secure_vector<byte> final(Protocol_Version version, const std::string& mac_algo) const; - secure_vector<byte> final_ssl3(const secure_vector<byte>& master_secret) const; - - const std::vector<byte>& get_contents() const - { return data; } + const std::vector<byte>& get_contents() const { return data; } void reset() { data.clear(); } private: diff --git a/src/lib/tls/tls_handshake_state.cpp b/src/lib/tls/tls_handshake_state.cpp index 4a6714f15..111087041 100644 --- a/src/lib/tls/tls_handshake_state.cpp +++ b/src/lib/tls/tls_handshake_state.cpp 
@@ -29,7 +29,6 @@ u32bit bitmask_for_handshake_type(Handshake_Type type) * Same code point for both client hello styles */ case CLIENT_HELLO: - case CLIENT_HELLO_SSLV2: return (1 << 2); case SERVER_HELLO: @@ -258,11 +257,7 @@ std::vector<byte> Handshake_State::session_ticket() const KDF* Handshake_State::protocol_specific_prf() const { - if(version() == Protocol_Version::SSL_V3) - { - return get_kdf("SSL3-PRF"); - } - else if(version().supports_ciphersuite_specific_prf()) + if(version().supports_ciphersuite_specific_prf()) { const std::string prf_algo = ciphersuite().prf_algo(); @@ -291,9 +286,6 @@ std::string choose_hash(const std::string& sig_algo, { if(!negotiated_version.supports_negotiable_signature_algorithms()) { - if(for_client_auth && negotiated_version == Protocol_Version::SSL_V3) - return "Raw"; - if(sig_algo == "RSA") return "Parallel(MD5,SHA-160)"; @@ -405,11 +397,7 @@ Handshake_State::understand_sig_format(const Public_Key& key, if(algo_name == "RSA") { - if(for_client_auth && this->version() == Protocol_Version::SSL_V3) - { - hash_algo = "Raw"; - } - else if(!this->version().supports_negotiable_signature_algorithms()) + if(!this->version().supports_negotiable_signature_algorithms()) { hash_algo = "Parallel(MD5,SHA-160)"; } @@ -419,11 +407,7 @@ Handshake_State::understand_sig_format(const Public_Key& key, } else if(algo_name == "DSA" || algo_name == "ECDSA") { - if(algo_name == "DSA" && for_client_auth && this->version() == Protocol_Version::SSL_V3) - { - hash_algo = "Raw"; - } - else if(!this->version().supports_negotiable_signature_algorithms()) + if(!this->version().supports_negotiable_signature_algorithms()) { hash_algo = "SHA-1"; } diff --git a/src/lib/tls/tls_magic.h b/src/lib/tls/tls_magic.h index 6a29ea0a1..4a7237722 100644 --- a/src/lib/tls/tls_magic.h +++ b/src/lib/tls/tls_magic.h 
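Review bot: After these hunks, `for_client_auth` no longer influences the visible branches of `choose_hash` (hunk `@@ -291`) or `understand_sig_format` (hunks `@@ -405` and `@@ -419`): the only reads of it were the removed `SSL_V3` checks that selected `"Raw"`. If the rest of each function, outside these hunks, does not read the parameter either, it is now dead and should be dropped from both signatures and their callers, since a flag that callers keep passing but nothing honours invites later misuse. The function signatures and bodies continue outside the hunks.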
@@ -39,7 +39,6 @@ enum Record_Type { enum Handshake_Type { HELLO_REQUEST = 0, CLIENT_HELLO = 1, - CLIENT_HELLO_SSLV2 = 253, // Not a wire value SERVER_HELLO = 2, HELLO_VERIFY_REQUEST = 3, NEW_SESSION_TICKET = 4, // RFC 5077 diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h index 4fb3d2535..18cc90c39 100644 --- a/src/lib/tls/tls_messages.h +++ b/src/lib/tls/tls_messages.h @@ -181,13 +181,10 @@ class Client_Hello : public Handshake_Message const Session& resumed_session, bool next_protocol = false); - Client_Hello(const std::vector<byte>& buf, - Handshake_Type type); + Client_Hello(const std::vector<byte>& buf); private: std::vector<byte> serialize() const override; - void deserialize(const std::vector<byte>& buf); - void deserialize_sslv2(const std::vector<byte>& buf); Protocol_Version m_version; std::vector<byte> m_session_id; diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 0e81dd7f7..089494f24 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -138,10 +138,7 @@ class BOTAN_DLL Policy /** * @return true if and only if we are willing to accept this version - * Default accepts TLS v1.0 and later. - - * Override if you want to allow negotiating SSLv3 (*not recommended*) - * Override if you want to enable DTLS in your application. + * Default accepts TLS v1.0 and later or DTLS v1.2 or later. */ virtual bool acceptable_protocol_version(Protocol_Version version) const; diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp index b2653c54a..3edeab7e3 100644 --- a/src/lib/tls/tls_record.cpp +++ b/src/lib/tls/tls_record.cpp 
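Review bot: `Client_Hello(const std::vector<byte>& buf);` in `tls_messages.h` is now a single-argument constructor and should read `explicit Client_Hello(const std::vector<byte>& buf);`, so an arbitrary byte vector cannot implicitly convert into a parsed handshake message at a call site. The two-argument form it replaces could not act as a conversion, so this exposure is new to the commit. The class declaration continues outside the hunk.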
@@ -26,8 +26,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version, const Session_Keys& keys) : m_start_time(std::chrono::system_clock::now()), m_nonce_bytes_from_handshake(suite.nonce_bytes_from_handshake()), - m_nonce_bytes_from_record(suite.nonce_bytes_from_record()), - m_is_ssl3(version == Protocol_Version::SSL_V3) + m_nonce_bytes_from_record(suite.nonce_bytes_from_record()) { SymmetricKey mac_key, cipher_key; InitializationVector iv; @@ -83,10 +82,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version, else throw Invalid_Argument("Unknown TLS cipher " + cipher_algo); - if(version == Protocol_Version::SSL_V3) - m_mac.reset(af.make_mac("SSL3-MAC(" + mac_algo + ")")); - else - m_mac.reset(af.make_mac("HMAC(" + mac_algo + ")")); + m_mac.reset(af.make_mac("HMAC(" + mac_algo + ")")); m_mac->set_key(mac_key); } @@ -128,11 +124,8 @@ Connection_Cipher_State::format_ad(u64bit msg_sequence, m_ad.push_back(get_byte(i, msg_sequence)); m_ad.push_back(msg_type); - if(version != Protocol_Version::SSL_V3) - { - m_ad.push_back(version.major_version()); - m_ad.push_back(version.minor_version()); - } + m_ad.push_back(version.major_version()); + m_ad.push_back(version.minor_version()); m_ad.push_back(get_byte(0, msg_length)); m_ad.push_back(get_byte(1, msg_length)); @@ -312,8 +305,7 @@ size_t fill_buffer_to(secure_vector<byte>& readbuf, * * @fixme This should run in constant time */ -size_t tls_padding_check(bool sslv3_padding, - size_t block_size, +size_t tls_padding_check(size_t block_size, const byte record[], size_t record_len) { 
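Review bot: With `sslv3_padding` gone, `block_size` may be dead in `tls_padding_check`: the deleted SSLv3 branch (the next hunk of this file) was its only visible use, and the TLS rule that remains allows up to 255 padding bytes regardless of block size. If the remaining body does not read it, drop the parameter and the `cs.block_size()` argument in `decrypt_record`; if it does, a comment on what it bounds would help. The retained `@fixme This should run in constant time` still applies, so this cleanup is a good moment to record that the TLS padding check is the timing-sensitive path. The function body continues outside the hunk.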
@@ -323,18 +315,6 @@ size_t tls_padding_check(bool sslv3_padding, return 0; /* - * SSL v3 requires that the padding be less than the block size - * but not does specify the value of the padding bytes. - */ - if(sslv3_padding) - { - if(padding_length > 0 && padding_length < block_size) - return (padding_length + 1); - else - return 0; - } - - /* * TLS v1.0 and up require all the padding bytes be the same value * and allows up to 255 bytes. */ @@ -425,8 +405,7 @@ void decrypt_record(secure_vector<byte>& output, { cbc_decrypt_record(record_contents, record_len, cs, *bc); - pad_size = tls_padding_check(cs.cipher_padding_single_byte(), - cs.block_size(), + pad_size = tls_padding_check(cs.block_size(), record_contents, record_len); padding_bad = (pad_size == 0); 
@@ -490,43 +469,6 @@ size_t read_tls_record(secure_vector<byte>& readbuf, BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE, "Have an entire header"); } - // Possible SSLv2 format client hello - if(!sequence_numbers && (readbuf[0] & 0x80) && (readbuf[2] == 1)) - { - if(readbuf[3] == 0 && readbuf[4] == 2) - throw TLS_Exception(Alert::PROTOCOL_VERSION, - "Client claims to only support SSLv2, rejecting"); - - if(readbuf[3] >= 3) // SSLv2 mapped TLS hello, then? - { - const size_t record_len = make_u16bit(readbuf[0], readbuf[1]) & 0x7FFF; - - if(size_t needed = fill_buffer_to(readbuf, - input, input_sz, consumed, - record_len + 2)) - return needed; - - BOTAN_ASSERT_EQUAL(readbuf.size(), (record_len + 2), - "Have the entire SSLv2 hello"); - - // Fake v3-style handshake message wrapper - *record_version = Protocol_Version::TLS_V10; - *record_sequence = 0; - *record_type = HANDSHAKE; - - record.resize(4 + readbuf.size() - 2); - - record[0] = CLIENT_HELLO_SSLV2; - record[1] = 0; - record[2] = readbuf[0] & 0x7F; - record[3] = readbuf[1]; - copy_mem(&record[4], &readbuf[2], readbuf.size() - 2); - - readbuf.clear(); - return 0; - } - } - *record_version = Protocol_Version(readbuf[1], readbuf[2]); BOTAN_ASSERT(!record_version->is_datagram_protocol(), "Expected TLS"); diff --git a/src/lib/tls/tls_record.h b/src/lib/tls/tls_record.h index 5ed3ed6ea..c9bf8aade 100644 --- a/src/lib/tls/tls_record.h +++ b/src/lib/tls/tls_record.h @@ -69,8 +69,6 @@ class Connection_Cipher_State size_t nonce_bytes_from_handshake() const { return m_nonce_bytes_from_handshake; } - bool cipher_padding_single_byte() const { return m_is_ssl3; } - bool cbc_without_explicit_iv() const { return (m_block_size > 0) && (m_iv_size == 0); } @@ -94,7 +92,6 @@ class Connection_Cipher_State size_t m_nonce_bytes_from_handshake; size_t m_nonce_bytes_from_record; size_t m_iv_size = 0; - bool m_is_ssl3 = false; }; /** diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 43be3788d..1490fc2a4 100644 
--- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp @@ -269,13 +269,10 @@ void Server::process_handshake_msg(const Handshake_State* active_state, */ if(type != HANDSHAKE_CCS && type != FINISHED && type != CERTIFICATE_VERIFY) { - if(type == CLIENT_HELLO_SSLV2) - state.hash().update(contents); - else - state.hash().update(state.handshake_io().format(contents, type)); + state.hash().update(state.handshake_io().format(contents, type)); } - if(type == CLIENT_HELLO || type == CLIENT_HELLO_SSLV2) + if(type == CLIENT_HELLO) { const bool initial_handshake = !active_state; @@ -286,7 +283,7 @@ void Server::process_handshake_msg(const Handshake_State* active_state, return; } - state.client_hello(new Client_Hello(contents, type)); + state.client_hello(new Client_Hello(contents)); const Protocol_Version client_version = state.client_hello()->version(); diff --git a/src/lib/tls/tls_session_key.cpp b/src/lib/tls/tls_session_key.cpp index 570470732..574b6940b 100644 --- a/src/lib/tls/tls_session_key.cpp +++ b/src/lib/tls/tls_session_key.cpp @@ -41,10 +41,7 @@ Session_Keys::Session_Keys(const Handshake_State* state, else { secure_vector<byte> salt; - - if(state->version() != Protocol_Version::SSL_V3) - salt += std::make_pair(MASTER_SECRET_MAGIC, sizeof(MASTER_SECRET_MAGIC)); - + salt += std::make_pair(MASTER_SECRET_MAGIC, sizeof(MASTER_SECRET_MAGIC)); salt += state->client_hello()->random(); salt += state->server_hello()->random(); @@ -52,8 +49,7 @@ Session_Keys::Session_Keys(const Handshake_State* state, } secure_vector<byte> salt; - if(state->version() != Protocol_Version::SSL_V3) - salt += std::make_pair(KEY_GEN_MAGIC, sizeof(KEY_GEN_MAGIC)); + salt += std::make_pair(KEY_GEN_MAGIC, sizeof(KEY_GEN_MAGIC)); salt += state->server_hello()->random(); salt += state->client_hello()->random(); diff --git a/src/lib/tls/tls_version.cpp b/src/lib/tls/tls_version.cpp index 67069c738..37360b410 100644 --- a/src/lib/tls/tls_version.cpp +++ b/src/lib/tls/tls_version.cpp 
@@ -51,8 +51,7 @@ bool Protocol_Version::operator>(const Protocol_Version& other) const bool Protocol_Version::known_version() const { - return (m_version == Protocol_Version::SSL_V3 || - m_version == Protocol_Version::TLS_V10 || + return (m_version == Protocol_Version::TLS_V10 || m_version == Protocol_Version::TLS_V11 || m_version == Protocol_Version::TLS_V12 || m_version == Protocol_Version::DTLS_V10 || diff --git a/src/lib/tls/tls_version.h b/src/lib/tls/tls_version.h index 8e686e8e4..a025b27ba 100644 --- a/src/lib/tls/tls_version.h +++ b/src/lib/tls/tls_version.h @@ -22,7 +22,6 @@ class BOTAN_DLL Protocol_Version { public: enum Version_Code { - SSL_V3 = 0x0300, TLS_V10 = 0x0301, TLS_V11 = 0x0302, TLS_V12 = 0x0303, |