Don't alow TLS v1.0 ciphersuites for SSLv3

[openssl.git] / ssl / ssl_asn1.c

diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index fb2a49556dc2cb7762bc997cb869d14d6c6d7725..1d11b21765efd35d376f70f87d3e5932755ee5d6 100644 (file)
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -95,21 +95,16 @@ typedef struct {
     ASN1_OCTET_STRING *comp_id;
     ASN1_OCTET_STRING *master_key;
     ASN1_OCTET_STRING *session_id;
-#ifndef OPENSSL_NO_KRB5
-    ASN1_OCTET_STRING *krb5_princ;
-#endif
     ASN1_OCTET_STRING *key_arg;
     long time;
     long timeout;
     X509 *peer;
     ASN1_OCTET_STRING *session_id_context;
     long verify_result;
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_OCTET_STRING *tlsext_hostname;
     long tlsext_tick_lifetime_hint;
     ASN1_OCTET_STRING *tlsext_tick;
-#endif
-#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_PSK
     ASN1_OCTET_STRING *psk_identity_hint;
     ASN1_OCTET_STRING *psk_identity;
 #endif
@@ -125,32 +120,25 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
     ASN1_SIMPLE(SSL_SESSION_ASN1, cipher, ASN1_OCTET_STRING),
     ASN1_SIMPLE(SSL_SESSION_ASN1, session_id, ASN1_OCTET_STRING),
     ASN1_SIMPLE(SSL_SESSION_ASN1, master_key, ASN1_OCTET_STRING),
-#ifndef OPENSSL_NO_KRB5
-    ASN1_OPT(SSL_SESSION_ASN1, krb5_princ, ASN1_OCTET_STRING),
-#endif
     ASN1_IMP_OPT(SSL_SESSION_ASN1, key_arg, ASN1_OCTET_STRING, 0),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, time, ZLONG, 1),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, timeout, ZLONG, 2),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, peer, X509, 3),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, session_id_context, ASN1_OCTET_STRING, 4),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, verify_result, ZLONG, 5),
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_hostname, ASN1_OCTET_STRING, 6),
-#endif
 #ifndef OPENSSL_NO_PSK
     ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity_hint, ASN1_OCTET_STRING, 7),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity, ASN1_OCTET_STRING, 8),
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_lifetime_hint, ZLONG, 9),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick, ASN1_OCTET_STRING, 10),
-#endif
     ASN1_EXP_OPT(SSL_SESSION_ASN1, comp_id, ASN1_OCTET_STRING, 11),
 #ifndef OPENSSL_NO_SRP
     ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12),
 #endif
     ASN1_EXP_OPT(SSL_SESSION_ASN1, flags, ZLONG, 13)
-} ASN1_SEQUENCE_END(SSL_SESSION_ASN1)
+} static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1)
 
 IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1)
 
@@ -191,13 +179,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
     unsigned char comp_id_data;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_OCTET_STRING tlsext_hostname, tlsext_tick;
-#endif
-
-#ifndef OPENSSL_NO_KRB5
-    ASN1_OCTET_STRING krb5_princ;
-#endif
 
 #ifndef OPENSSL_NO_SRP
     ASN1_OCTET_STRING srp_username;
@@ -241,12 +223,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 
     ssl_session_oinit(&as.session_id_context, &sid_ctx,
                       in->sid_ctx, in->sid_ctx_length);
-#ifndef OPENSSL_NO_KRB5
-    if (in->krb5_client_princ_len) {
-        ssl_session_oinit(&as.krb5_princ, &krb5_princ,
-                          in->krb5_client_princ, in->krb5_client_princ_len);
-    }
-#endif                          /* OPENSSL_NO_KRB5 */
 
     as.time = in->time;
     as.timeout = in->timeout;
@@ -254,7 +230,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 
     as.peer = in->peer;
 
-#ifndef OPENSSL_NO_TLSEXT
     ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname,
                       in->tlsext_hostname);
     if (in->tlsext_tick) {
@@ -263,7 +238,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
     }
     if (in->tlsext_tick_lifetime_hint > 0)
         as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint;
-#endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_PSK
     ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint,
                       in->psk_identity_hint);
@@ -285,10 +259,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 
 static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src)
 {
-    if (*pdst) {
-        OPENSSL_free(*pdst);
-        *pdst = NULL;
-    }
+    OPENSSL_free(*pdst);
+    *pdst = NULL;
     if (src == NULL)
         return 1;
     *pdst = BUF_strndup((char *)src->data, src->length);
@@ -327,10 +299,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     if (as == NULL)
         goto err;
 
-    if (0) {
-        i2d_SSL_SESSION_ASN1(NULL, NULL);
-    }
-
     if (!a || !*a) {
         ret = SSL_SESSION_new();
         if (ret == NULL)
@@ -374,12 +342,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 
     ret->master_key_length = tmpl;
 
-#ifndef OPENSSL_NO_KRB5
-    if (!ssl_session_memcpy(ret->krb5_client_princ, &ret->krb5_client_princ_len,
-                            as->krb5_princ, SSL_MAX_PRINCIPAL_LENGTH))
-        goto err;
-#endif                          /* OPENSSL_NO_KRB5 */
-
     if (as->time != 0)
         ret->time = as->time;
     else
@@ -401,10 +363,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     /* NB: this defaults to zero which is X509_V_OK */
     ret->verify_result = as->verify_result;
 
-#ifndef OPENSSL_NO_TLSEXT
     if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname))
         goto err;
-#endif                          /* OPENSSL_NO_TLSEXT */
 
 #ifndef OPENSSL_NO_PSK
     if (!ssl_session_strndup(&ret->psk_identity_hint, as->psk_identity_hint))
@@ -413,7 +373,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         goto err;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
     ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
     if (as->tlsext_tick) {
         ret->tlsext_tick = as->tlsext_tick->data;
@@ -422,7 +381,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     } else {
         ret->tlsext_tick = NULL;
     }
-#endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_COMP
     if (as->comp_id) {
         if (as->comp_id->length != 1) {