Clean up more SSLv2 remnants.

6 files changed, 30 insertions, 58 deletions

diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 1645f6af49..6193cd1a66 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.71 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.72 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -450,10 +450,6 @@ static const SSL_CIPHER cipher_aliases[] = {
         
         /* protocol version aliases */
         {
-                .name = SSL_TXT_SSLV2,
-                .algorithm_ssl = SSL_SSLV2,
-        },
-        {
                 .name = SSL_TXT_SSLV3,
                 .algorithm_ssl = SSL_SSLV3,
         },
@@ -872,9 +868,8 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
         /*
          * We have num_of_ciphers descriptions compiled in, depending on the
-         * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
-         * These will later be sorted in a linked list with at most num
-         * entries.
+         * method selected (SSLv3, TLSv1, etc). These will later be sorted in
+         * a linked list with at most num entries.
          */
 
         /* Get the initial list of ciphers */
@@ -1560,9 +1555,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 
         alg2 = cipher->algorithm2;
 
-        if (alg_ssl & SSL_SSLV2)
-                ver = "SSLv2";
-        else if (alg_ssl & SSL_SSLV3)
+        if (alg_ssl & SSL_SSLV3)
                 ver = "SSLv3";
         else if (alg_ssl & SSL_TLSV1_2)
                 ver = "TLSv1.2";
@@ -1691,15 +1684,10 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 char *
 SSL_CIPHER_get_version(const SSL_CIPHER *c)
 {
-        int i;
-
         if (c == NULL)
                 return("(NONE)");
-        i = (int)(c->id >> 24L);
-        if (i == 3)
+        if ((c->id >> 24) == 3)
                 return("TLSv1/SSLv3");
-        else if (i == 2)
-                return("SSLv2");
         else
                 return("unknown");
 }
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 9aa9bc60ff..8888d6c5a5 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.74 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.75 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -301,7 +301,6 @@
 #define SSL_AEAD                0x00000040L
 
 /* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV2               0x00000001L
 #define SSL_SSLV3               0x00000002L
 #define SSL_TLSV1               SSL_SSLV3       /* for now */
 #define SSL_TLSV1_2             0x00000004L
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index d76fb8b9c8..8f6032a491 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.43 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -238,15 +238,14 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s)
 }
 
 /*
- * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
- * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
- * gunk repeatedly until we have no conflict is going to complete in one
- * iteration pretty much "most" of the time (btw: understatement). So, if it
- * takes us 10 iterations and we still can't avoid a conflict - well that's a
- * reasonable point to call it quits. Either the RAND code is broken or someone
- * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our
- * server. How you might store that many sessions is perhaps a more interesting
- * question...
+ * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
+ * the ID with random gunk repeatedly until we have no conflict is going to
+ * complete in one iteration pretty much "most" of the time (btw:
+ * understatement). So, if it takes us 10 iterations and we still can't avoid
+ * a conflict - well that's a reasonable point to call it quits. Either the
+ * arc4random code is broken or someone is trying to open roughly very close to
+ * 2^128 (or 2^256) SSL sessions to our server. How you might store that many
+ * sessions is perhaps a more interesting question...
  */
 
 #define MAX_SESS_ID_ATTEMPTS 10
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 1645f6af49..6193cd1a66 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.71 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.72 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -450,10 +450,6 @@ static const SSL_CIPHER cipher_aliases[] = {
         
         /* protocol version aliases */
         {
-                .name = SSL_TXT_SSLV2,
-                .algorithm_ssl = SSL_SSLV2,
-        },
-        {
                 .name = SSL_TXT_SSLV3,
                 .algorithm_ssl = SSL_SSLV3,
         },
@@ -872,9 +868,8 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
         /*
          * We have num_of_ciphers descriptions compiled in, depending on the
-         * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
-         * These will later be sorted in a linked list with at most num
-         * entries.
+         * method selected (SSLv3, TLSv1, etc). These will later be sorted in
+         * a linked list with at most num entries.
          */
 
         /* Get the initial list of ciphers */
@@ -1560,9 +1555,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 
         alg2 = cipher->algorithm2;
 
-        if (alg_ssl & SSL_SSLV2)
-                ver = "SSLv2";
-        else if (alg_ssl & SSL_SSLV3)
+        if (alg_ssl & SSL_SSLV3)
                 ver = "SSLv3";
         else if (alg_ssl & SSL_TLSV1_2)
                 ver = "TLSv1.2";
@@ -1691,15 +1684,10 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 char *
 SSL_CIPHER_get_version(const SSL_CIPHER *c)
 {
-        int i;
-
         if (c == NULL)
                 return("(NONE)");
-        i = (int)(c->id >> 24L);
-        if (i == 3)
+        if ((c->id >> 24) == 3)
                 return("TLSv1/SSLv3");
-        else if (i == 2)
-                return("SSLv2");
         else
                 return("unknown");
 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 9aa9bc60ff..8888d6c5a5 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.74 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.75 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -301,7 +301,6 @@
 #define SSL_AEAD                0x00000040L
 
 /* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV2               0x00000001L
 #define SSL_SSLV3               0x00000002L
 #define SSL_TLSV1               SSL_SSLV3       /* for now */
 #define SSL_TLSV1_2             0x00000004L
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index d76fb8b9c8..8f6032a491 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.43 2014/11/08 15:21:02 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -238,15 +238,14 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s)
 }
 
 /*
- * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
- * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
- * gunk repeatedly until we have no conflict is going to complete in one
- * iteration pretty much "most" of the time (btw: understatement). So, if it
- * takes us 10 iterations and we still can't avoid a conflict - well that's a
- * reasonable point to call it quits. Either the RAND code is broken or someone
- * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our
- * server. How you might store that many sessions is perhaps a more interesting
- * question...
+ * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
+ * the ID with random gunk repeatedly until we have no conflict is going to
+ * complete in one iteration pretty much "most" of the time (btw:
+ * understatement). So, if it takes us 10 iterations and we still can't avoid
+ * a conflict - well that's a reasonable point to call it quits. Either the
+ * arc4random code is broken or someone is trying to open roughly very close to
+ * 2^128 (or 2^256) SSL sessions to our server. How you might store that many
+ * sessions is perhaps a more interesting question...
  */
 
 #define MAX_SESS_ID_ATTEMPTS 10