author | Ted Unangst <tedu@cvs.openbsd.org> | 2014-04-15 21:47:57 +0000 |
---|---|---|
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2014-04-15 21:47:57 +0000 |
commit | 27c3072c40c4a56c9ef1955e713bd59fe48329e0 (patch) | |
tree | 0170b76e80441fd7616121e47544809ddc67d792 | |
parent | a1506b07b3a6b8c98c878b9030e2e1f914431d37 (diff) |
remove ssl2 support even more completely.
in the process, always include ssl3 and tls1, we don't need config options
for them. when the time comes to expire ssl3, it will be with an ax.
checked by miod
-rw-r--r-- | lib/libssl/s23_clnt.c | 80 | ||||
-rw-r--r-- | lib/libssl/s23_lib.c | 16 | ||||
-rw-r--r-- | lib/libssl/s23_srvr.c | 44 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 10 | ||||
-rw-r--r-- | lib/libssl/ssl_stat.c | 197 |
5 files changed, 3 insertions, 344 deletions
diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c index 3d2e7510cf5..7c9de0dd0e4 100644 --- a/lib/libssl/s23_clnt.c +++ b/lib/libssl/s23_clnt.c @@ -122,10 +122,6 @@ static int ssl23_get_server_hello(SSL *s); static const SSL_METHOD *ssl23_get_client_method(int ver) { -#ifndef OPENSSL_NO_SSL2 - if (ver == SSL2_VERSION) - return (SSLv2_client_method()); -#endif if (ver == SSL3_VERSION) return (SSLv3_client_method()); else if (ver == TLS1_VERSION) @@ -320,14 +316,7 @@ ssl23_client_hello(SSL *s) * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. */ - mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1 -#if !defined(OPENSSL_NO_SSL3) - |SSL_OP_NO_SSLv3 -#endif -#if !defined(OPENSSL_NO_SSL2) - |(ssl2_compat ? SSL_OP_NO_SSLv2 : 0) -#endif - ; + mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3; #if !defined(OPENSSL_NO_TLS1_2_CLIENT) version = TLS1_2_VERSION; @@ -340,15 +329,9 @@ ssl23_client_hello(SSL *s) if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) version = TLS1_VERSION; mask &= ~SSL_OP_NO_TLSv1; -#if !defined(OPENSSL_NO_SSL3) if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) version = SSL3_VERSION; mask &= ~SSL_OP_NO_SSLv3; -#endif -#if !defined(OPENSSL_NO_SSL2) - if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask) - version = SSL2_VERSION; -#endif #ifndef OPENSSL_NO_TLSEXT if (version != SSL2_VERSION) { 
@@ -592,69 +575,8 @@ ssl23_get_server_hello(SSL *s) if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && (p[5] == 0x00) && (p[6] == 0x02)) { -#ifdef OPENSSL_NO_SSL2 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); goto err; -#else - /* we are talking sslv2 */ - /* we need to clean up the SSLv3 setup and put in the - * sslv2 stuff. */ - int ch_len; - - if (s->options & SSL_OP_NO_SSLv2) { - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); - goto err; - } - if (s->s2 == NULL) { - if (!ssl2_new(s)) - goto err; - } else - ssl2_clear(s); - - if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG) - ch_len = SSL2_CHALLENGE_LENGTH; - else - ch_len = SSL2_MAX_CHALLENGE_LENGTH; - - /* write out sslv2 challenge */ - /* Note that ch_len must be <= SSL3_RANDOM_SIZE (32), because - it is one of SSL2_MAX_CHALLENGE_LENGTH (32) or - SSL2_MAX_CHALLENGE_LENGTH (16), but leave the check in for - futurproofing */ - i = (SSL3_RANDOM_SIZE < ch_len) ? SSL3_RANDOM_SIZE : ch_len; - s->s2->challenge_length = i; - memcpy(s->s2->challenge, - &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i); - - if (s->s3 != NULL) - ssl3_free(s); - - if (!BUF_MEM_grow_clean(s->init_buf, - SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, ERR_R_BUF_LIB); - goto err; - } - - s->state = SSL2_ST_GET_SERVER_HELLO_A; - if (!(s->client_version == SSL2_VERSION)) - /* use special padding (SSL 3.0 draft/RFC 2246, App. 
E.2) */ - s->s2->ssl2_rollback = 1; - - /* setup the 7 bytes we have read so we get them from - * the sslv2 buffer */ - s->rstate = SSL_ST_READ_HEADER; - s->packet_length = n; - s->packet = &(s->s2->rbuf[0]); - memcpy(s->packet, buf, n); - s->s2->rbuf_left = n; - s->s2->rbuf_offs = 0; - - /* we have already written one */ - s->s2->write_sequence = 1; - - s->method = SSLv2_client_method(); - s->handshake_func = s->method->ssl_connect; -#endif } else if (p[1] == SSL3_VERSION_MAJOR && p[2] <= TLS1_2_VERSION_MINOR && ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || diff --git a/lib/libssl/s23_lib.c b/lib/libssl/s23_lib.c index 3a4d5a6ecb0..74afe01d944 100644 --- a/lib/libssl/s23_lib.c +++ b/lib/libssl/s23_lib.c @@ -69,11 +69,7 @@ ssl23_default_timeout(void) int ssl23_num_ciphers(void) { - return(ssl3_num_ciphers() -#ifndef OPENSSL_NO_SSL2 - + ssl2_num_ciphers() -#endif - ); + return(ssl3_num_ciphers()); } const SSL_CIPHER @@ -84,11 +80,7 @@ const SSL_CIPHER if (u < uu) return (ssl3_get_cipher(u)); else -#ifndef OPENSSL_NO_SSL2 - return (ssl2_get_cipher(u - uu)); -#else - return (NULL); -#endif + return (NULL); } /* This function needs to check if the ciphers required are actually @@ -99,10 +91,6 @@ const SSL_CIPHER const SSL_CIPHER *cp; cp = ssl3_get_cipher_by_char(p); -#ifndef OPENSSL_NO_SSL2 - if (cp == NULL) - cp = ssl2_get_cipher_by_char(p); -#endif return (cp); } diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c index ca95d4e6362..a6062667a0f 100644 --- a/lib/libssl/s23_srvr.c +++ b/lib/libssl/s23_srvr.c @@ -121,10 +121,6 @@ int ssl23_get_client_hello(SSL *s); static const SSL_METHOD *ssl23_get_server_method(int ver) { -#ifndef OPENSSL_NO_SSL2 - if (ver == SSL2_VERSION) - return (SSLv2_server_method()); -#endif if (ver == SSL3_VERSION) return (SSLv3_server_method()); else if (ver == TLS1_VERSION) 
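Review bot: In the ssl23_client_hello hunk of s23_clnt.c, the trailing context `if (version != SSL2_VERSION) {` is now always true, because the only assignment `version = SSL2_VERSION;` is removed by this hunk and, as far as the hunk shows, nothing else can set it; the guard under `#ifndef OPENSSL_NO_TLSEXT` can be flattened in a follow-up. The comment immediately above the new mask line still states that the answer is `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`, which no longer matches `mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;`; suggest changing it to `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3`. Whether `ssl2_compat` still has a consumer cannot be told from here — if the removed mask term was its last use it is now a dead local, which `-Wunused` will report. ssl23_client_hello starts and ends outside the hunk.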
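Review bot: In s23_lib.c, ssl23_get_cipher keeps an `else` after a `return` (`if (u < uu) return (ssl3_get_cipher(u)); else return (NULL);`) and ssl23_get_cipher_by_char keeps the `cp` temporary only to return it; with the SSLv2 arms gone they read more simply as `return (u < uu ? ssl3_get_cipher(u) : NULL);` and `return (ssl3_get_cipher_by_char(p));`. Since ssl23_num_ciphers now equals ssl3_num_ciphers, and `uu` is presumably that count (its assignment is above the hunk), the `u < uu` check only guards whatever ssl3_get_cipher does itself; keeping it is harmless, but a one-line comment such as `/* v23 now exposes exactly the SSLv3/TLS cipher table */` would save the next reader from looking for a second table. The comment `/* This function needs to check if the ciphers required are actually` is cut at the hunk edge, so whether it still describes ssl23_get_cipher_by_char cannot be judged from here.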
@@ -480,48 +476,8 @@ ssl23_get_client_hello(SSL *s) /* s->state = SSL23_SR_CLNT_HELLO_C */ if (type == 1) { -#ifdef OPENSSL_NO_SSL2 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL); goto err; -#else - /* we are talking sslv2 */ - /* we need to clean up the SSLv3/TLSv1 setup and put in the - * sslv2 stuff. */ - - if (s->s2 == NULL) { - if (!ssl2_new(s)) - goto err; - } else - ssl2_clear(s); - - if (s->s3 != NULL) - ssl3_free(s); - - if (!BUF_MEM_grow_clean(s->init_buf, - SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { - goto err; - } - - s->state = SSL2_ST_GET_CLIENT_HELLO_A; - if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) - s->s2->ssl2_rollback = 0; - else - /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 - * (SSL 3.0 draft/RFC 2246, App. E.2) */ - s->s2->ssl2_rollback = 1; - - /* setup the n bytes we have read so we get them from - * the sslv2 buffer */ - s->rstate = SSL_ST_READ_HEADER; - s->packet_length = n; - s->packet = &(s->s2->rbuf[0]); - memcpy(s->packet, buf, n); - s->s2->rbuf_left = n; - s->s2->rbuf_offs = 0; - - s->method = SSLv2_server_method(); - s->handshake_func = s->method->ssl_accept; -#endif } if ((type == 2) || (type == 3)) { diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 97e4a3f96c2..d3e015e738c 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -350,10 +350,6 @@ extern "C" { extern "C" { #endif -#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) -#define OPENSSL_NO_SSL2 -#endif - #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM 
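Review bot: The `if (type == 1)` branch in ssl23_get_client_hello (s23_srvr.c) now rejects every genuine SSLv2 ClientHello with `SSL_R_UNSUPPORTED_PROTOCOL`, but nothing in the hunk says what `type == 1` denotes; a comment such as `/* type 1: SSLv2 ClientHello proper; SSLv2 is no longer supported */` would document the new contract where the reader meets it. The following `if ((type == 2) || (type == 3))` context shows that the SSLv2-format record carrying an SSLv3/TLS ClientHello is presumably still accepted, so the code that classifies and parses that v2-style record (earlier in the function, outside the hunk) still consumes untrusted bytes and must keep its length checks; "remove ssl2 support" in the commit message does not cover that parser. ssl23_get_client_hello starts and ends outside the hunk.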
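Review bot: The second ssl.h hunk drops the public prototypes `SSLv2_method`, `SSLv2_server_method` and `SSLv2_client_method` without leaving a marker, so an out-of-tree caller will get an implicit-declaration diagnostic or a link failure with no hint that the removal is deliberate; a comment in their place, e.g. `/* SSLv2 has been removed; there are no SSLv2_*method() functions. */`, documents the API break where people will look for it. The first hunk removes the derivation of `OPENSSL_NO_SSL2` from `OPENSSL_NO_RSA`/`OPENSSL_NO_MD5`, which is consistent with the rest of the commit. `SSL_OP_NO_SSLv2` is still referenced by the comment in s23_clnt.c; if that option macro stays in ssl.h (not visible in this hunk) it deserves a note that it is now a no-op kept for source compatibility.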
@@ -1839,12 +1835,6 @@ const char *SSL_get_version(const SSL *s); /* This sets the 'default' SSL version that SSL_new() will create */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); -#ifndef OPENSSL_NO_SSL2 -const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ -const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ -const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ -#endif - const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ diff --git a/lib/libssl/ssl_stat.c b/lib/libssl/ssl_stat.c index 3d9371cdd7a..da55c92de2e 100644 --- a/lib/libssl/ssl_stat.c +++ b/lib/libssl/ssl_stat.c 
@@ -109,86 +109,6 @@ const char str="before/accept initialization"; break; case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break; -#ifndef OPENSSL_NO_SSL2 - case SSL2_ST_CLIENT_START_ENCRYPTION: - str="SSLv2 client start encryption"; break; - case SSL2_ST_SERVER_START_ENCRYPTION: - str="SSLv2 server start encryption"; break; - case SSL2_ST_SEND_CLIENT_HELLO_A: - str="SSLv2 write client hello A"; break; - case SSL2_ST_SEND_CLIENT_HELLO_B: - str="SSLv2 write client hello B"; break; - case SSL2_ST_GET_SERVER_HELLO_A: - str="SSLv2 read server hello A"; break; - case SSL2_ST_GET_SERVER_HELLO_B: - str="SSLv2 read server hello B"; break; - case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: - str="SSLv2 write client master key A"; break; - case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: - str="SSLv2 write client master key B"; break; - case SSL2_ST_SEND_CLIENT_FINISHED_A: - str="SSLv2 write client finished A"; break; - case SSL2_ST_SEND_CLIENT_FINISHED_B: - str="SSLv2 write client finished B"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: - str="SSLv2 write client certificate A"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: - str="SSLv2 write client certificate B"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: - str="SSLv2 write client certificate C"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: - str="SSLv2 write client certificate D"; break; - case SSL2_ST_GET_SERVER_VERIFY_A: - str="SSLv2 read server verify A"; break; - case SSL2_ST_GET_SERVER_VERIFY_B: - str="SSLv2 read server verify B"; break; - case SSL2_ST_GET_SERVER_FINISHED_A: - str="SSLv2 read server finished A"; break; - case SSL2_ST_GET_SERVER_FINISHED_B: - str="SSLv2 read server finished B"; break; - case SSL2_ST_GET_CLIENT_HELLO_A: - str="SSLv2 read client hello A"; break; - case SSL2_ST_GET_CLIENT_HELLO_B: - str="SSLv2 read client hello B"; break; - case SSL2_ST_GET_CLIENT_HELLO_C: - str="SSLv2 read client hello C"; break; - case SSL2_ST_SEND_SERVER_HELLO_A: - str="SSLv2 write server hello A"; 
break; - case SSL2_ST_SEND_SERVER_HELLO_B: - str="SSLv2 write server hello B"; break; - case SSL2_ST_GET_CLIENT_MASTER_KEY_A: - str="SSLv2 read client master key A"; break; - case SSL2_ST_GET_CLIENT_MASTER_KEY_B: - str="SSLv2 read client master key B"; break; - case SSL2_ST_SEND_SERVER_VERIFY_A: - str="SSLv2 write server verify A"; break; - case SSL2_ST_SEND_SERVER_VERIFY_B: - str="SSLv2 write server verify B"; break; - case SSL2_ST_SEND_SERVER_VERIFY_C: - str="SSLv2 write server verify C"; break; - case SSL2_ST_GET_CLIENT_FINISHED_A: - str="SSLv2 read client finished A"; break; - case SSL2_ST_GET_CLIENT_FINISHED_B: - str="SSLv2 read client finished B"; break; - case SSL2_ST_SEND_SERVER_FINISHED_A: - str="SSLv2 write server finished A"; break; - case SSL2_ST_SEND_SERVER_FINISHED_B: - str="SSLv2 write server finished B"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: - str="SSLv2 write request certificate A"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: - str="SSLv2 write request certificate B"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: - str="SSLv2 write request certificate C"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: - str="SSLv2 write request certificate D"; break; - case SSL2_ST_X509_GET_SERVER_CERTIFICATE: - str="SSLv2 X509 read server certificate"; break; - case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: - str="SSLv2 X509 read client certificate"; break; -#endif - -#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break; 
@@ -312,25 +232,6 @@ const char str="SSLv3 read certificate verify A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break; -#endif - -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) -/* SSLv2/v3 compatibility states */ -/* client */ - case SSL23_ST_CW_CLNT_HELLO_A: - str="SSLv2/v3 write client hello A"; break; - case SSL23_ST_CW_CLNT_HELLO_B: - str="SSLv2/v3 write client hello B"; break; - case SSL23_ST_CR_SRVR_HELLO_A: - str="SSLv2/v3 read server hello A"; break; - case SSL23_ST_CR_SRVR_HELLO_B: - str="SSLv2/v3 read server hello B"; break; -/* server */ - case SSL23_ST_SR_CLNT_HELLO_A: - str="SSLv2/v3 read client hello A"; break; - case SSL23_ST_SR_CLNT_HELLO_B: - str="SSLv2/v3 read client hello B"; break; -#endif /* DTLS */ case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 
@@ -380,86 +281,7 @@ const char str="CINIT "; break; case SSL_ST_OK: str="SSLOK "; break; -#ifndef OPENSSL_NO_SSL2 - case SSL2_ST_CLIENT_START_ENCRYPTION: - str="2CSENC"; break; - case SSL2_ST_SERVER_START_ENCRYPTION: - str="2SSENC"; break; - case SSL2_ST_SEND_CLIENT_HELLO_A: - str="2SCH_A"; break; - case SSL2_ST_SEND_CLIENT_HELLO_B: - str="2SCH_B"; break; - case SSL2_ST_GET_SERVER_HELLO_A: - str="2GSH_A"; break; - case SSL2_ST_GET_SERVER_HELLO_B: - str="2GSH_B"; break; - case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: - str="2SCMKA"; break; - case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: - str="2SCMKB"; break; - case SSL2_ST_SEND_CLIENT_FINISHED_A: - str="2SCF_A"; break; - case SSL2_ST_SEND_CLIENT_FINISHED_B: - str="2SCF_B"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: - str="2SCC_A"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: - str="2SCC_B"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: - str="2SCC_C"; break; - case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: - str="2SCC_D"; break; - case SSL2_ST_GET_SERVER_VERIFY_A: - str="2GSV_A"; break; - case SSL2_ST_GET_SERVER_VERIFY_B: - str="2GSV_B"; break; - case SSL2_ST_GET_SERVER_FINISHED_A: - str="2GSF_A"; break; - case SSL2_ST_GET_SERVER_FINISHED_B: - str="2GSF_B"; break; - case SSL2_ST_GET_CLIENT_HELLO_A: - str="2GCH_A"; break; - case SSL2_ST_GET_CLIENT_HELLO_B: - str="2GCH_B"; break; - case SSL2_ST_GET_CLIENT_HELLO_C: - str="2GCH_C"; break; - case SSL2_ST_SEND_SERVER_HELLO_A: - str="2SSH_A"; break; - case SSL2_ST_SEND_SERVER_HELLO_B: - str="2SSH_B"; break; - case SSL2_ST_GET_CLIENT_MASTER_KEY_A: - str="2GCMKA"; break; - case SSL2_ST_GET_CLIENT_MASTER_KEY_B: - str="2GCMKA"; break; - case SSL2_ST_SEND_SERVER_VERIFY_A: - str="2SSV_A"; break; - case SSL2_ST_SEND_SERVER_VERIFY_B: - str="2SSV_B"; break; - case SSL2_ST_SEND_SERVER_VERIFY_C: - str="2SSV_C"; break; - case SSL2_ST_GET_CLIENT_FINISHED_A: - str="2GCF_A"; break; - case SSL2_ST_GET_CLIENT_FINISHED_B: - str="2GCF_B"; break; - case SSL2_ST_SEND_SERVER_FINISHED_A: - 
str="2SSF_A"; break; - case SSL2_ST_SEND_SERVER_FINISHED_B: - str="2SSF_B"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: - str="2SRC_A"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: - str="2SRC_B"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: - str="2SRC_C"; break; - case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: - str="2SRC_D"; break; - case SSL2_ST_X509_GET_SERVER_CERTIFICATE: - str="2X9GSC"; break; - case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: - str="2X9GCC"; break; -#endif -#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_SW_FLUSH: case SSL3_ST_CW_FLUSH: @@ -574,25 +396,6 @@ const char str="3RCV_A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break; -#endif - -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) -/* SSLv2/v3 compatibility states */ -/* client */ - case SSL23_ST_CW_CLNT_HELLO_A: - str="23WCHA"; break; - case SSL23_ST_CW_CLNT_HELLO_B: - str="23WCHB"; break; - case SSL23_ST_CR_SRVR_HELLO_A: - str="23RSHA"; break; - case SSL23_ST_CR_SRVR_HELLO_B: - str="23RSHA"; break; -/* server */ - case SSL23_ST_SR_CLNT_HELLO_A: - str="23RCHA"; break; - case SSL23_ST_SR_CLNT_HELLO_B: - str="23RCHB"; break; -#endif /* DTLS */ case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break; |
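Review bot: The hunks at `@@ -312,25 +232,6 @@` and `@@ -574,25 +396,6 @@` in ssl_stat.c remove the `SSL23_ST_CW_CLNT_HELLO_A/B`, `SSL23_ST_CR_SRVR_HELLO_A/B` and `SSL23_ST_SR_CLNT_HELLO_A/B` cases together with their guard, yet those states belong to the SSLv2/v3-compatible method that this same commit keeps alive in s23_clnt.c and s23_srvr.c; SSL_state_string() and SSL_state_string_long() will presumably now fall through to their default for a v23 handshake in progress, a visible regression for anything that logs the handshake state. The `#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)` guard was the only thing tying those six cases to SSLv2, so dropping the guard and keeping the cases is the change that matches the rest of the commit. Removing the SSL2_ST_* cases and the `#ifndef OPENSSL_NO_SSL3` guards is consistent with the commit message. The enclosing switch statements start outside each hunk.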