From: Matt Caswell <matt@openssl.org>
Date: Mon, 1 Feb 2021 15:45:44 +0000 (+0000)
Subject: Remove some TODO(OpenSSL1.2) references
X-Git-Tag: openssl-3.0.0-alpha12~139
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08cea586c9d0fd2fcf99ec1eacb7736a34139d8b;p=thirdparty%2Fopenssl.git

Remove some TODO(OpenSSL1.2) references

We had a couple of stray references to OpenSSL1.2 in libssl. We just
reword the comments to remove those references without changing any
behaviour.

The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
spec where, under some circumstances, we offer DSA sigalgs even in a
ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
accept this behaviour in 1.1.1 and we're not planning to change it for
3.0.

The second one in s3_lib.c is regarnding the behaviour of
SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
this from a server - but we allow it and just ignore it rather than
raising an error. The TODO suggest we consider raising an error instead.
However, with 3.0 we are trying to minimise breaking changes so I suggest
not making this change now.

Fixes #13161

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14037)
---

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ae27add6df..a6c87ad75d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3491,7 +3491,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif
     case SSL_CTRL_SET_TLSEXT_HOSTNAME:
         /*
-         * TODO(OpenSSL1.2)
          * This API is only used for a client to set what SNI it will request
          * from the server, but we currently allow it to be used on servers
          * as well, which is a programming error.  Currently we just clear
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c777a86eb7..7328c8e2b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2036,7 +2036,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
     /* DSA is not allowed in TLS 1.3 */
     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
         return 0;
-    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
+    /*
+     * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
+     * spec
+     */
     if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION
         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
             || lu->hash_idx == SSL_MD_MD5_IDX