authorJoel Sing <jsing@cvs.openbsd.org>2014-11-08 15:21:03 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-11-08 15:21:03 +0000
commitd7ada8f1ae2d4d4685798a90b0786ee7964dd01b (patch)
treec68d6b397bc2490e5f28b4863bd327b718c218c9 /lib
parent90bf52e23c4f9ea260671e3c5b312484a208622a (diff)
Clean up more SSLv2 remnants.
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/ssl_ciph.c22
-rw-r--r--lib/libssl/ssl_locl.h3
-rw-r--r--lib/libssl/ssl_sess.c19
3 files changed, 15 insertions, 29 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 1645f6af491..6193cd1a666 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.71 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.72 2014/11/08 15:21:02 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -450,10 +450,6 @@ static const SSL_CIPHER cipher_aliases[] = {
/* protocol version aliases */
{
- .name = SSL_TXT_SSLV2,
- .algorithm_ssl = SSL_SSLV2,
- },
- {
.name = SSL_TXT_SSLV3,
.algorithm_ssl = SSL_SSLV3,
},
@@ -872,9 +868,8 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
/*
* We have num_of_ciphers descriptions compiled in, depending on the
- * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
- * These will later be sorted in a linked list with at most num
- * entries.
+ * method selected (SSLv3, TLSv1, etc). These will later be sorted in
+ * a linked list with at most num entries.
*/
/* Get the initial list of ciphers */
@@ -1560,9 +1555,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
alg2 = cipher->algorithm2;
- if (alg_ssl & SSL_SSLV2)
- ver = "SSLv2";
- else if (alg_ssl & SSL_SSLV3)
+ if (alg_ssl & SSL_SSLV3)
ver = "SSLv3";
else if (alg_ssl & SSL_TLSV1_2)
ver = "TLSv1.2";
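Review bot: With the SSLv2 branch gone, the first test in this chain is `if (alg_ssl & SSL_SSLV3)`, and because ssl_locl.h still defines `SSL_TLSV1` as `SSL_SSLV3` ("for now"), a cipher flagged only as TLSv1 also lands in this branch and is described as "SSLv3". That was true before the commit too, but it is now the only SSLv3-or-TLSv1 path, so it deserves a comment so nobody later "fixes" the label by reordering the chain: `/* SSL_TLSV1 aliases SSL_SSLV3, so TLSv1 ciphers are labelled "SSLv3" here. */`. SSL_CIPHER_description begins before and continues past this hunk, so what happens when neither bit is set is not visible here.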
@@ -1691,15 +1684,10 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
char *
SSL_CIPHER_get_version(const SSL_CIPHER *c)
{
- int i;
-
if (c == NULL)
return("(NONE)");
- i = (int)(c->id >> 24L);
- if (i == 3)
+ if ((c->id >> 24) == 3)
return("TLSv1/SSLv3");
- else if (i == 2)
- return("SSLv2");
else
return("unknown");
}
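Review bot: The rewritten test `(c->id >> 24) == 3` relies on the cipher ID's top byte encoding the protocol family, which nothing near the function states now that the contrasting `i == 2` case is gone; a one-line comment above the test would keep that readable: `/* The top byte of the cipher ID encodes the protocol family; 3 is SSLv3/TLS. */`. As a point of style, the `else` after an unconditional `return` is redundant and the trailing `return("unknown");` can stand on its own. The whole of SSL_CIPHER_get_version is visible in this hunk.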
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 9aa9bc60ffe..8888d6c5a59 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.74 2014/11/02 10:42:38 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.75 2014/11/08 15:21:02 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -301,7 +301,6 @@
#define SSL_AEAD 0x00000040L
/* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV2 0x00000001L
#define SSL_SSLV3 0x00000002L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
#define SSL_TLSV1_2 0x00000004L
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index d76fb8b9c85..8f6032a491c 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.43 2014/11/08 15:21:02 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -238,15 +238,14 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s)
}
/*
- * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
- * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
- * gunk repeatedly until we have no conflict is going to complete in one
- * iteration pretty much "most" of the time (btw: understatement). So, if it
- * takes us 10 iterations and we still can't avoid a conflict - well that's a
- * reasonable point to call it quits. Either the RAND code is broken or someone
- * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our
- * server. How you might store that many sessions is perhaps a more interesting
- * question...
+ * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
+ * the ID with random gunk repeatedly until we have no conflict is going to
+ * complete in one iteration pretty much "most" of the time (btw:
+ * understatement). So, if it takes us 10 iterations and we still can't avoid
+ * a conflict - well that's a reasonable point to call it quits. Either the
+ * arc4random code is broken or someone is trying to open roughly very close to
+ * 2^128 (or 2^256) SSL sessions to our server. How you might store that many
+ * sessions is perhaps a more interesting question...
*/
#define MAX_SESS_ID_ATTEMPTS 10
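Review bot: The reworded comment still says `2^128 (or 2^256) SSL sessions`, but the 128-bit figure belonged to the 16-byte SSLv2 session ID space that the same comment no longer mentions; only the 32-byte (256-bit) space remains, so the parenthetical is now stale. Suggest `roughly very close to 2^256 SSL sessions to our server.` so the bound matches the space described just above it, and the MAX_SESS_ID_ATTEMPTS rationale reads consistently.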