Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from

the SSLv23_* client code. The server continues to accept it. It also kills the bits for SSL2 SESSIONs; even when the server gets an SSLv2-style compat handshake, the session that it creates has the correct version internally. ok tedu@ beck@
author: guenther <> 2014-04-16 15:10:07 +0000
committer: guenther <> 2014-04-16 15:10:07 +0000
commit: 07d70e2f624616050545c4fb6f6ba748c12b342e (patch)
tree: cd6b7bd17edfb25d9928b1c38f811f45391e4e97 /src/lib/libssl/ssl_asn1.c
parent: 0e08f2db38e867e26107d9826aa489a211882fb1 (diff)
download: openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.gz
openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.bz2
openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.zip
1 files changed, 5 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 51668db785..28e295f6a4 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -165,16 +165,9 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                l = in->cipher_id;
        else
                l = in->cipher->id;
-        if (in->ssl_version == SSL2_VERSION) {
+        a.cipher.length = 2;
-                a.cipher.length = 3;
+        buf[0] = ((unsigned char)(l >> 8L))&0xff;
-                buf[0] = ((unsigned char)(l >> 16L))&0xff;
+        buf[1] = ((unsigned char)(l    ))&0xff;
-                buf[1] = ((unsigned char)(l >> 8L))&0xff;
-                buf[2] = ((unsigned char)(l     ))&0xff;
-        } else {
-                a.cipher.length = 2;
-                buf[0] = ((unsigned char)(l >> 8L))&0xff;
-                buf[1] = ((unsigned char)(l    ))&0xff;
-        }
 #ifndef OPENSSL_NO_COMP
        if (in->compress_meth) {
@@ -400,16 +393,7 @@ long length)
        os.data = NULL;
        os.length = 0;
        M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
-        if (ssl_version == SSL2_VERSION) {
+        if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
-                if (os.length != 3) {
-                        c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
-                        goto err;
-                }
-                id = 0x02000000L|
-                ((unsigned long)os.data[0]<<16L)|
-                ((unsigned long)os.data[1]<< 8L)|
-                (unsigned long)os.data[2];
-        } else if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
                if (os.length != 2) {
                        c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
                        goto err;
@@ -426,10 +410,7 @@ long length)
        ret->cipher_id = id;
        M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
-        if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR)
+        i = SSL3_MAX_SSL_SESSION_ID_LENGTH;
-                i = SSL3_MAX_SSL_SESSION_ID_LENGTH;
-        else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
-        i = SSL2_MAX_SSL_SESSION_ID_LENGTH;
        if (os.length > i)
                os.length = i;
author	guenther <>	2014-04-16 15:10:07 +0000
committer	guenther <>	2014-04-16 15:10:07 +0000
commit	07d70e2f624616050545c4fb6f6ba748c12b342e (patch)
tree	cd6b7bd17edfb25d9928b1c38f811f45391e4e97 /src/lib/libssl/ssl_asn1.c
parent	0e08f2db38e867e26107d9826aa489a211882fb1 (diff)
download	openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.gz openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.bz2 openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.zip