Remove SSL 2.0 support.

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 #include <map>
 
 #include "base/compiler_specific.h"
@@ skipping 92 matching lines @@
       return OK;
     default:
       LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
       return ERR_FAILED;
   }
 }
 
 //-----------------------------------------------------------------------------
 
 // A bitmask consisting of these bit flags encodes which versions of the SSL
-// protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled.
+// protocol (SSL 3.0 and TLS 1.0) are enabled.
 enum {
-  SSL2 = 1 << 0,
-  SSL3 = 1 << 1,
-  TLS1 = 1 << 2,
-  SSL_VERSION_MASKS = 1 << 3  // The number of SSL version bitmasks.
+  SSL3 = 1 << 0,

[agl, 2010/11/30 01:07:27]

If you're feeling in a maintenance mood, then I think that this enum can be
removed, see comments below.

(But I think it's also perfectly fine to leave the code as is.)

[wtc, 2010/11/30 02:14:30]

I will leave the code as is, because when we add TLS 1.1
and TLS 1.2 support, it'll be four bools instead of just
two bools, and it'll be more compact to encode them in a
bitmask.

+  TLS1 = 1 << 1,
+  SSL_VERSION_MASKS = 1 << 2  // The number of SSL version bitmasks.
 };
 
 // CredHandleClass simply gives a default constructor and a destructor to
 // SSPI's CredHandle type (a C struct).
 class CredHandleClass : public CredHandle {
  public:
   CredHandleClass() {
     SecInvalidateHandle(this);
   }
 
@@ skipping 62 matching lines @@
   // combinations of SSL versions.  Defined as an array for fast lookup.
   CredHandleClass anonymous_creds_[SSL_VERSION_MASKS];
 
   // CredHandles that use a client certificate.
   CredHandleMap client_cert_creds_;
 };
 
 // static
 int CredHandleTable::InitializeHandle(CredHandle* handle,
                                       PCCERT_CONTEXT client_cert,
                                       int ssl_version_mask) {

[agl, 2010/11/30 01:07:27]

the two bools could be passed in here.

   SCHANNEL_CRED schannel_cred = {0};
   schannel_cred.dwVersion = SCHANNEL_CRED_VERSION;
   if (client_cert) {
     schannel_cred.cCreds = 1;
     schannel_cred.paCred = &client_cert;
     // Schannel will make its own copy of client_cert.
   }
 
   // The global system registry settings take precedence over the value of
   // schannel_cred.grbitEnabledProtocols.
   schannel_cred.grbitEnabledProtocols = 0;
-  if (ssl_version_mask & SSL2)
-    schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL2;
   if (ssl_version_mask & SSL3)
     schannel_cred.grbitEnabledProtocols |= SP_PROT_SSL3;
   if (ssl_version_mask & TLS1)
     schannel_cred.grbitEnabledProtocols |= SP_PROT_TLS1;
 
   // The default session lifetime is 36000000 milliseconds (ten hours).  Set
   // schannel_cred.dwSessionLifespan to change the number of milliseconds that
   // Schannel keeps the session in its session cache.
 
   // We can set the key exchange algorithms (RSA or DH) in
@@ skipping 328 matching lines @@
   if (rv == ERR_IO_PENDING) {
     user_connect_callback_ = callback;
   } else {
     net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, NULL);
   }
   return rv;
 }
 
 int SSLClientSocketWin::InitializeSSLContext() {
   int ssl_version_mask = 0;
-  if (ssl_config_.ssl2_enabled)
-    ssl_version_mask |= SSL2;
   if (ssl_config_.ssl3_enabled)

[agl, 2010/11/30 01:07:27]

this section could turn into

if (!ssl_config_.ssl3_enabled && !ssl_config_.tls1_enabled)
  return ERR_NO_SSL_VERSIONS_ENABLED;

     ssl_version_mask |= SSL3;
   if (ssl_config_.tls1_enabled)
     ssl_version_mask |= TLS1;
   // If we pass 0 to GetCredHandle, we will let Schannel select the protocols,
   // rather than enabling no protocols.  So we have to fail here.
   if (ssl_version_mask == 0)
     return ERR_NO_SSL_VERSIONS_ENABLED;
   PCCERT_CONTEXT cert_context = NULL;
   if (ssl_config_.client_cert)
     cert_context = ssl_config_.client_cert->os_cert_handle();
@@ skipping 934 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net