From 2f8b4cc5ff3e9b07f35636bc6abdcbca9e9df7ca Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sat, 8 Nov 2014 15:21:02 +0000 Subject: Clean up more SSLv2 remnants. --- src/lib/libssl/src/ssl/ssl_ciph.c | 22 +++++----------------- src/lib/libssl/src/ssl/ssl_locl.h | 3 +-- src/lib/libssl/src/ssl/ssl_sess.c | 19 +++++++++---------- src/lib/libssl/ssl_ciph.c | 22 +++++----------------- src/lib/libssl/ssl_locl.h | 3 +-- src/lib/libssl/ssl_sess.c | 19 +++++++++---------- 6 files changed, 30 insertions(+), 58 deletions(-) diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 1645f6af49..6193cd1a66 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.71 2014/11/02 10:42:38 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.72 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -449,10 +449,6 @@ static const SSL_CIPHER cipher_aliases[] = { }, /* protocol version aliases */ - { - .name = SSL_TXT_SSLV2, - .algorithm_ssl = SSL_SSLV2, - }, { .name = SSL_TXT_SSLV3, .algorithm_ssl = SSL_SSLV3, @@ -872,9 +868,8 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) /* * We have num_of_ciphers descriptions compiled in, depending on the - * method selected (SSLv2 and/or SSLv3, TLSv1 etc). - * These will later be sorted in a linked list with at most num - * entries. + * method selected (SSLv3, TLSv1, etc). These will later be sorted in + * a linked list with at most num entries. */ /* Get the initial list of ciphers */ @@ -1560,9 +1555,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg2 = cipher->algorithm2; - if (alg_ssl & SSL_SSLV2) - ver = "SSLv2"; - else if (alg_ssl & SSL_SSLV3) + if (alg_ssl & SSL_SSLV3) ver = "SSLv3"; else if (alg_ssl & SSL_TLSV1_2) ver = "TLSv1.2"; @@ -1691,15 +1684,10 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) char * SSL_CIPHER_get_version(const SSL_CIPHER *c) { - int i; - if (c == NULL) return("(NONE)"); - i = (int)(c->id >> 24L); - if (i == 3) + if ((c->id >> 24) == 3) return("TLSv1/SSLv3"); - else if (i == 2) - return("SSLv2"); else return("unknown"); } diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 9aa9bc60ff..8888d6c5a5 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.74 2014/11/02 10:42:38 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.75 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -301,7 +301,6 @@ #define SSL_AEAD 0x00000040L /* Bits for algorithm_ssl (protocol version) */ -#define SSL_SSLV2 0x00000001L #define SSL_SSLV3 0x00000002L #define SSL_TLSV1 SSL_SSLV3 /* for now */ #define SSL_TLSV1_2 0x00000004L diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c index d76fb8b9c8..8f6032a491 100644 --- a/src/lib/libssl/src/ssl/ssl_sess.c +++ b/src/lib/libssl/src/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.43 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -238,15 +238,14 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s) } /* - * Even with SSLv2, we have 16 bytes (128 bits) of session ID space. - * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random - * gunk repeatedly until we have no conflict is going to complete in one - * iteration pretty much "most" of the time (btw: understatement). So, if it - * takes us 10 iterations and we still can't avoid a conflict - well that's a - * reasonable point to call it quits. Either the RAND code is broken or someone - * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our - * server. How you might store that many sessions is perhaps a more interesting - * question... + * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling + * the ID with random gunk repeatedly until we have no conflict is going to + * complete in one iteration pretty much "most" of the time (btw: + * understatement). So, if it takes us 10 iterations and we still can't avoid + * a conflict - well that's a reasonable point to call it quits. Either the + * arc4random code is broken or someone is trying to open roughly very close to + * 2^128 (or 2^256) SSL sessions to our server. How you might store that many + * sessions is perhaps a more interesting question... */ #define MAX_SESS_ID_ATTEMPTS 10 diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 1645f6af49..6193cd1a66 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.71 2014/11/02 10:42:38 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.72 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -449,10 +449,6 @@ static const SSL_CIPHER cipher_aliases[] = { }, /* protocol version aliases */ - { - .name = SSL_TXT_SSLV2, - .algorithm_ssl = SSL_SSLV2, - }, { .name = SSL_TXT_SSLV3, .algorithm_ssl = SSL_SSLV3, @@ -872,9 +868,8 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) /* * We have num_of_ciphers descriptions compiled in, depending on the - * method selected (SSLv2 and/or SSLv3, TLSv1 etc). - * These will later be sorted in a linked list with at most num - * entries. + * method selected (SSLv3, TLSv1, etc). These will later be sorted in + * a linked list with at most num entries. */ /* Get the initial list of ciphers */ @@ -1560,9 +1555,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg2 = cipher->algorithm2; - if (alg_ssl & SSL_SSLV2) - ver = "SSLv2"; - else if (alg_ssl & SSL_SSLV3) + if (alg_ssl & SSL_SSLV3) ver = "SSLv3"; else if (alg_ssl & SSL_TLSV1_2) ver = "TLSv1.2"; @@ -1691,15 +1684,10 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) char * SSL_CIPHER_get_version(const SSL_CIPHER *c) { - int i; - if (c == NULL) return("(NONE)"); - i = (int)(c->id >> 24L); - if (i == 3) + if ((c->id >> 24) == 3) return("TLSv1/SSLv3"); - else if (i == 2) - return("SSLv2"); else return("unknown"); } diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 9aa9bc60ff..8888d6c5a5 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.74 2014/11/02 10:42:38 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.75 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -301,7 +301,6 @@ #define SSL_AEAD 0x00000040L /* Bits for algorithm_ssl (protocol version) */ -#define SSL_SSLV2 0x00000001L #define SSL_SSLV3 0x00000002L #define SSL_TLSV1 SSL_SSLV3 /* for now */ #define SSL_TLSV1_2 0x00000004L diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index d76fb8b9c8..8f6032a491 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.43 2014/11/08 15:21:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -238,15 +238,14 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s) } /* - * Even with SSLv2, we have 16 bytes (128 bits) of session ID space. - * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random - * gunk repeatedly until we have no conflict is going to complete in one - * iteration pretty much "most" of the time (btw: understatement). So, if it - * takes us 10 iterations and we still can't avoid a conflict - well that's a - * reasonable point to call it quits. Either the RAND code is broken or someone - * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our - * server. How you might store that many sessions is perhaps a more interesting - * question... + * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling + * the ID with random gunk repeatedly until we have no conflict is going to + * complete in one iteration pretty much "most" of the time (btw: + * understatement). So, if it takes us 10 iterations and we still can't avoid + * a conflict - well that's a reasonable point to call it quits. Either the + * arc4random code is broken or someone is trying to open roughly very close to + * 2^128 (or 2^256) SSL sessions to our server. How you might store that many + * sessions is perhaps a more interesting question... */ #define MAX_SESS_ID_ATTEMPTS 10 -- cgit v1.2.3-55-g6feb