ssl: Remove interoperability option v2_hello_compatible

12 files changed, 19 insertions, 158 deletions

diff --git a/lib/ssl/src/Makefile b/lib/ssl/src/Makefile
index 8eba5cf347..11b3e65912 100644
--- a/lib/ssl/src/Makefile
+++ b/lib/ssl/src/Makefile
@@ -84,7 +84,6 @@ MODULES= \
 	tls_record \
 	dtls_record \
 	ssl_record \
-	ssl_v2 \
 	ssl_v3 \
 	tls_v1 \
 	dtls_v1
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index fb12a729b1..7bc7fc3fc6 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -970,8 +970,7 @@ unprocessed_events(Events) ->
 update_handshake_history(#hello_verify_request{}, _, Hist) ->
     Hist;
 update_handshake_history(_, Handshake, Hist) ->
-    %% DTLS never needs option "v2_hello_compatible" to be true
-    ssl_handshake:update_handshake_history(Hist, iolist_to_binary(Handshake), false).
+    ssl_handshake:update_handshake_history(Hist, iolist_to_binary(Handshake)).
 prepare_flight(#state{flight_buffer = Flight,
 		      connection_states = ConnectionStates0,
 		      protocol_buffers = 
diff --git a/lib/ssl/src/dtls_record.erl b/lib/ssl/src/dtls_record.erl
index 316de05532..2938fd460f 100644
--- a/lib/ssl/src/dtls_record.erl
+++ b/lib/ssl/src/dtls_record.erl
@@ -440,7 +440,6 @@ get_dtls_records_aux(<<?BYTE(?CHANGE_CIPHER_SPEC),?BYTE(MajVer),?BYTE(MinVer),
 					 version = {MajVer, MinVer},
 					 epoch = Epoch, sequence_number = SequenceNumber,
 					 fragment = Data} | Acc]);
-
 get_dtls_records_aux(<<?BYTE(_), ?BYTE(_MajVer), ?BYTE(_MinVer),
 		       ?UINT16(Length), _/binary>>,
 		     _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH ->
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 3c6cd254c1..92f242df9c 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -9,7 +9,6 @@
 	       tls_socket,
 	       tls_v1,
 	       ssl_v3,
-	       ssl_v2,
 	       tls_connection_sup,
 	       %% DTLS
 	       dtls_connection,
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 82f62b51b9..4efd13a6fa 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -881,7 +881,6 @@ handle_options(Opts0, Role, Host) ->
 					     client, Role),
 		    crl_check = handle_option(crl_check, Opts, false),
 		    crl_cache = handle_option(crl_cache, Opts, {ssl_crl_cache, {internal, []}}),
-		    v2_hello_compatible = handle_option(v2_hello_compatible, Opts, false),
                     max_handshake_size = handle_option(max_handshake_size, Opts, ?DEFAULT_MAX_HANDSHAKE_SIZE)
 		   },
 
@@ -897,7 +896,7 @@ handle_options(Opts0, Role, Host) ->
 		  alpn_preferred_protocols, next_protocols_advertised,
 		  client_preferred_next_protocols, log_alert,
 		  server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache,
-		  fallback, signature_algs, eccs, honor_ecc_order, beast_mitigation, v2_hello_compatible,
+		  fallback, signature_algs, eccs, honor_ecc_order, beast_mitigation,
                   max_handshake_size],
 
     SockOpts = lists:foldl(fun(Key, PropList) ->
@@ -1134,8 +1133,6 @@ validate_option(beast_mitigation, Value) when Value == one_n_minus_one orelse
                                               Value == zero_n orelse
                                               Value == disabled ->
   Value;
-validate_option(v2_hello_compatible, Value) when is_boolean(Value)  ->
-    Value;
 validate_option(max_handshake_size, Value) when is_integer(Value)  andalso Value =< ?MAX_UNIT24 ->
     Value;
 validate_option(protocol, Value = tls) ->
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 2031735a71..f493c93726 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1119,8 +1119,7 @@ handle_common_event(internal, {handshake, {#hello_request{}, _}}, StateName, #st
   when StateName =/= connection ->
     {keep_state_and_data};
 handle_common_event(internal, {handshake, {Handshake, Raw}}, StateName,
-		    #state{tls_handshake_history = Hs0,
-			   ssl_options = #ssl_options{v2_hello_compatible = V2HComp}} = State0, 
+		    #state{tls_handshake_history = Hs0} = State0,
 		    Connection) ->
    
     PossibleSNI = Connection:select_sni_extension(Handshake),
@@ -1128,7 +1127,7 @@ handle_common_event(internal, {handshake, {Handshake, Raw}}, StateName,
     %% a client_hello, which needs to be determined by the connection callback.
     %% In other cases this is a noop
     State = handle_sni_extension(PossibleSNI, State0),
-    HsHist = ssl_handshake:update_handshake_history(Hs0, iolist_to_binary(Raw), V2HComp),
+    HsHist = ssl_handshake:update_handshake_history(Hs0, iolist_to_binary(Raw)),
     {next_state, StateName, State#state{tls_handshake_history = HsHist}, 
      [{next_event, internal, Handshake}]};
 handle_common_event(internal, {protocol_record, TLSorDTLSRecord}, StateName, State, Connection) -> 
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 09160e2f9c..46233078b7 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -52,7 +52,7 @@
 %% Handle handshake messages
 -export([certify/7, certificate_verify/6, verify_signature/5,
 	 master_secret/4, server_key_exchange_hash/2, verify_connection/6,
-	 init_handshake_history/0, update_handshake_history/3, verify_server_key/5,
+	 init_handshake_history/0, update_handshake_history/2, verify_server_key/5,
          select_version/3
 	]).
 
@@ -473,24 +473,12 @@ init_handshake_history() ->
     {[], []}.
 
 %%--------------------------------------------------------------------
--spec update_handshake_history(ssl_handshake:ssl_handshake_history(), Data ::term(), boolean()) ->
+-spec update_handshake_history(ssl_handshake:ssl_handshake_history(), Data ::term()) ->
 				      ssl_handshake:ssl_handshake_history().
 %%
 %% Description: Update the handshake history buffer with Data.
 %%--------------------------------------------------------------------
-update_handshake_history(Handshake, % special-case SSL2 client hello
-			 <<?CLIENT_HELLO, ?UINT24(_), ?BYTE(Major), ?BYTE(Minor),
-			   ?UINT16(CSLength), ?UINT16(0),
-			   ?UINT16(CDLength),
-			   CipherSuites:CSLength/binary,
-			   ChallengeData:CDLength/binary>>, true) ->
-    update_handshake_history(Handshake,
-			     <<?CLIENT_HELLO, ?BYTE(Major), ?BYTE(Minor),
-			       ?UINT16(CSLength), ?UINT16(0),
-			       ?UINT16(CDLength),
-			       CipherSuites:CSLength/binary,
-			       ChallengeData:CDLength/binary>>, true);
-update_handshake_history({Handshake0, _Prev}, Data, _) ->
+update_handshake_history({Handshake0, _Prev}, Data) ->
     {[Data|Handshake0], Handshake0}.
 
 verify_server_key(#server_key_params{params_bin = EncParams,
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index bbe1374fec..d354910f33 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -144,7 +144,6 @@
 	  signature_algs,
 	  eccs,
 	  honor_ecc_order            :: boolean(),
-	  v2_hello_compatible        :: boolean(),
           max_handshake_size         :: integer()
          }).
 
diff --git a/lib/ssl/src/ssl_v2.erl b/lib/ssl/src/ssl_v2.erl
deleted file mode 100644
index 37134cbe5d..0000000000
--- a/lib/ssl/src/ssl_v2.erl
+++ /dev/null
@@ -1,38 +0,0 @@
-%%
-%% %CopyrightBegin%
-%%
-%% Copyright Ericsson AB 2007-2016. All Rights Reserved.
-%%
-%% Licensed under the Apache License, Version 2.0 (the "License");
-%% you may not use this file except in compliance with the License.
-%% You may obtain a copy of the License at
-%%
-%%     http://www.apache.org/licenses/LICENSE-2.0
-%%
-%% Unless required by applicable law or agreed to in writing, software
-%% distributed under the License is distributed on an "AS IS" BASIS,
-%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-%% See the License for the specific language governing permissions and
-%% limitations under the License.
-%%
-%% %CopyrightEnd%
-%%
-
-%%
-%%----------------------------------------------------------------------
-%% Purpose: Handles sslv2 hello as clients supporting sslv2 and higher
-%% will send an sslv2 hello.
-%%----------------------------------------------------------------------
-
--module(ssl_v2).
-
--export([client_random/2]).
-
-client_random(ChallengeData, 32) ->
-    ChallengeData;
-client_random(ChallengeData, N) when N > 32 ->
-    <<NewChallengeData:32/binary, _/binary>> = ChallengeData,
-    NewChallengeData;
-client_random(ChallengeData, N) ->
-    Pad = list_to_binary(lists:duplicate(N, 0)),
-    <<Pad/binary, ChallengeData/binary>>.
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 2872ca9fe5..c35378f18f 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -266,10 +266,9 @@ send_handshake(Handshake, State) ->
 queue_handshake(Handshake, #state{negotiated_version = Version,
 				  tls_handshake_history = Hist0,
 				  flight_buffer = Flight0,
-				  ssl_options = #ssl_options{v2_hello_compatible = V2HComp},				  
 				  connection_states = ConnectionStates0} = State0) ->
     {BinHandshake, ConnectionStates, Hist} =
-	encode_handshake(Handshake, Version, ConnectionStates0, Hist0, V2HComp),
+	encode_handshake(Handshake, Version, ConnectionStates0, Hist0),
     State0#state{connection_states = ConnectionStates,
 		 tls_handshake_history = Hist,
 		 flight_buffer = Flight0 ++ [BinHandshake]}.
@@ -400,7 +399,7 @@ getopts(Transport, Socket, Tag) ->
 
 init({call, From}, {start, Timeout}, 
      #state{host = Host, port = Port, role = client,
-	    ssl_options = #ssl_options{v2_hello_compatible = V2HComp} = SslOpts,
+	    ssl_options = SslOpts,
 	    session = #session{own_certificate = Cert} = Session0,
 	    transport_cb = Transport, socket = Socket,
 	    connection_states = ConnectionStates0,
@@ -416,7 +415,7 @@ init({call, From}, {start, Timeout},
     HelloVersion = tls_record:hello_version(Version, SslOpts#ssl_options.versions),
     Handshake0 = ssl_handshake:init_handshake_history(),
     {BinMsg, ConnectionStates, Handshake} =
-        encode_handshake(Hello,  HelloVersion, ConnectionStates0, Handshake0, V2HComp),
+        encode_handshake(Hello,  HelloVersion, ConnectionStates0, Handshake0),
     send(Transport, Socket, BinMsg),
     State1 = State0#state{connection_states = ConnectionStates,
 			  negotiated_version = Version, %% Requested version
@@ -656,15 +655,11 @@ next_tls_record(Data, StateName, #state{protocol_buffers =
 	    handle_record_alert(Alert, State0)
     end.
 
-acceptable_record_versions(hello, #state{ssl_options = #ssl_options{v2_hello_compatible = true}}) ->
-    [tls_record:protocol_version(Vsn) || Vsn <- ?ALL_AVAILABLE_VERSIONS ++ ['sslv2']];
+
 acceptable_record_versions(hello, _) ->
     [tls_record:protocol_version(Vsn) || Vsn <- ?ALL_AVAILABLE_VERSIONS];
 acceptable_record_versions(_, #state{negotiated_version = Version}) ->
     [Version].
-handle_record_alert(#alert{description = ?BAD_RECORD_MAC}, 
-                    #state{ssl_options = #ssl_options{v2_hello_compatible = true}}) ->
-    ?ALERT_REC(?FATAL, ?PROTOCOL_VERSION);
 handle_record_alert(Alert, _) ->
     Alert.
 
@@ -727,9 +722,9 @@ handle_alerts([Alert | Alerts], {next_state, StateName, State}) ->
 handle_alerts([Alert | Alerts], {next_state, StateName, State, _Actions}) ->
      handle_alerts(Alerts, ssl_connection:handle_alert(Alert, StateName, State)).
 
-encode_handshake(Handshake, Version, ConnectionStates0, Hist0, V2HComp) ->
+encode_handshake(Handshake, Version, ConnectionStates0, Hist0) ->
     Frag = tls_handshake:encode_handshake(Handshake, Version),
-    Hist = ssl_handshake:update_handshake_history(Hist0, Frag, V2HComp),
+    Hist = ssl_handshake:update_handshake_history(Hist0, Frag),
     {Encoded, ConnectionStates} =
         tls_record:encode_handshake(Frag, Version, ConnectionStates0),
     {Encoded, ConnectionStates, Hist}.
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 8817418fb0..0058b9c8ae 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -39,7 +39,7 @@
 -export([encode_handshake/2]).
 
 %% Handshake decodeing
--export([get_tls_handshake/4, decode_handshake/4]).
+-export([get_tls_handshake/4, decode_handshake/3]).
 
 -type tls_handshake() :: #client_hello{} | ssl_handshake:ssl_handshake().
 
@@ -268,9 +268,9 @@ enc_handshake(HandshakeMsg, Version) ->
 %%--------------------------------------------------------------------
 get_tls_handshake_aux(Version, <<?BYTE(Type), ?UINT24(Length),
 				 Body:Length/binary,Rest/binary>>, 
-                      #ssl_options{v2_hello_compatible = V2Hello} = Opts,  Acc) ->
+                      Opts,  Acc) ->
     Raw = <<?BYTE(Type), ?UINT24(Length), Body/binary>>,
-    try decode_handshake(Version, Type, Body, V2Hello) of
+    try decode_handshake(Version, Type, Body) of
 	Handshake ->
 	    get_tls_handshake_aux(Version, Rest, Opts, [{Handshake,Raw} | Acc])
     catch
@@ -280,29 +280,15 @@ get_tls_handshake_aux(Version, <<?BYTE(Type), ?UINT24(Length),
 get_tls_handshake_aux(_Version, Data, _, Acc) ->
     {lists:reverse(Acc), Data}.
 
-decode_handshake(_, ?HELLO_REQUEST, <<>>, _) ->
+decode_handshake(_, ?HELLO_REQUEST, <<>>) ->
     #hello_request{};
-
-decode_handshake(_Version, ?CLIENT_HELLO, Bin, true) ->
-    try decode_hello(Bin) of
-        Hello ->
-            Hello
-    catch
-        _:_ ->
-            decode_v2_hello(Bin)
-    end;
-decode_handshake(_Version, ?CLIENT_HELLO, Bin, false) ->
-    decode_hello(Bin);
-
 decode_handshake(_Version, ?CLIENT_HELLO, 
                  <<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
                    ?BYTE(SID_length), Session_ID:SID_length/binary,
                    ?UINT16(Cs_length), CipherSuites:Cs_length/binary,
                    ?BYTE(Cm_length), Comp_methods:Cm_length/binary,
-                   Extensions/binary>>, _) ->
-    
+                   Extensions/binary>>) ->
     DecodedExtensions = ssl_handshake:decode_hello_extensions({client, Extensions}),
-
     #client_hello{
        client_version = {Major,Minor},
        random = Random,
@@ -311,36 +297,7 @@ decode_handshake(_Version, ?CLIENT_HELLO,
        compression_methods = Comp_methods,
        extensions = DecodedExtensions
       };
-decode_handshake(Version, Tag, Msg, _) ->
+decode_handshake(Version, Tag, Msg) ->
     ssl_handshake:decode_handshake(Version, Tag, Msg).
 
 
-decode_hello(<<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
-               ?BYTE(SID_length), Session_ID:SID_length/binary,
-               ?UINT16(Cs_length), CipherSuites:Cs_length/binary,
-               ?BYTE(Cm_length), Comp_methods:Cm_length/binary,
-               Extensions/binary>>) ->
-    DecodedExtensions = ssl_handshake:decode_hello_extensions({client, Extensions}),
-    
-    #client_hello{
-       client_version = {Major,Minor},
-       random = Random,
-       session_id = Session_ID,
-       cipher_suites = ssl_handshake:decode_suites('2_bytes', CipherSuites),
-       compression_methods = Comp_methods,
-       extensions = DecodedExtensions
-      }.
-%% The server must be able to receive such messages, from clients that
-%% are willing to use ssl v3 or higher, but have ssl v2 compatibility.
-decode_v2_hello(<<?BYTE(Major), ?BYTE(Minor),
-                  ?UINT16(CSLength), ?UINT16(0),
-                  ?UINT16(CDLength),
-                  CipherSuites:CSLength/binary,
-                  ChallengeData:CDLength/binary>>) ->
-    #client_hello{client_version = {Major, Minor},
-		  random = ssl_v2:client_random(ChallengeData, CDLength),
-		  session_id = 0,
-		  cipher_suites =  ssl_handshake:decode_suites('3_bytes', CipherSuites),
-		  compression_methods = [?NULL],
-		  extensions = #hello_extensions{}
-		 }.
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index 188ec6809d..aa70508f1e 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -394,16 +394,6 @@ initial_connection_state(ConnectionEnd, BeastMitigation) ->
       server_verify_data => undefined
      }.
 
-assert_version(<<1:1, Length0:15, Data0:Length0/binary, _/binary>>, Versions) ->
-    case Data0 of
-        <<?BYTE(?CLIENT_HELLO), ?BYTE(Major), ?BYTE(Minor), _/binary>> ->
-            %% First check v2_hello_compatible mode is active 
-            lists:member({2,0}, Versions) andalso
-            %% andalso we want to negotiate higher version
-                lists:member({Major, Minor}, Versions -- [{2,0}]); 
-        _ ->
-            false
-    end;
 assert_version(<<?BYTE(_), ?BYTE(MajVer), ?BYTE(MinVer), _/binary>>, Versions) ->
     is_acceptable_version({MajVer, MinVer}, Versions).
                    
@@ -431,32 +421,10 @@ get_tls_records_aux(<<?BYTE(?CHANGE_CIPHER_SPEC),?BYTE(MajVer),?BYTE(MinVer),
     get_tls_records_aux(Rest, [#ssl_tls{type = ?CHANGE_CIPHER_SPEC,
 					version = {MajVer, MinVer},
 					fragment = Data} | Acc]);
-%% Matches an ssl v2 client hello message.
-%% The server must be able to receive such messages, from clients that
-%% are willing to use ssl v3 or higher, but have ssl v2 compatibility.
-get_tls_records_aux(<<1:1, Length0:15, Data0:Length0/binary, Rest/binary>>,
-		    Acc) ->
-    case Data0 of
-	<<?BYTE(?CLIENT_HELLO), ?BYTE(MajVer), ?BYTE(MinVer), _/binary>> ->
-	    Length = Length0-1,
-	    <<?BYTE(_), Data1:Length/binary>> = Data0,
-	    Data = <<?BYTE(?CLIENT_HELLO), ?UINT24(Length), Data1/binary>>,
-	    get_tls_records_aux(Rest, [#ssl_tls{type = ?HANDSHAKE,
-						version = {MajVer, MinVer},
-						fragment = Data} | Acc]);
-	_ ->
-	    ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)
-	    
-    end;
-
 get_tls_records_aux(<<0:1, _CT:7, ?BYTE(_MajVer), ?BYTE(_MinVer),
                       ?UINT16(Length), _/binary>>,
                     _Acc) when Length > ?MAX_CIPHER_TEXT_LENGTH ->
     ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);
-get_tls_records_aux(<<1:1, Length0:15, _/binary>>,_Acc) 
-  when Length0 > ?MAX_CIPHER_TEXT_LENGTH ->
-    ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);
-
 get_tls_records_aux(Data, Acc) ->
     case size(Data) =< ?MAX_CIPHER_TEXT_LENGTH + ?INITIAL_BYTES of
 	true ->