Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(10293)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 289790043: Bug 1240529 - Remove RC2 cipher suites (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
8 years, 3 months ago by ttaubert
Modified:
7 years, 7 months ago
Reviewers:
mt, wtc, wtc1, ekr-rietveld
Visibility:
Public.

Description

Bug 1240529 - Remove RC2 cipher suites

Patch Set 1 #

Total comments: 23

Patch Set 2 : Addressed mt's and ekr's comments #

Total comments: 4
Unified diffs Side-by-side diffs Delta from patch set Stats (+37 lines, -140 lines) Patch
M cmd/selfserv/selfserv.c View 1 4 chunks +4 lines, -7 lines 0 comments Download
M cmd/strsclnt/strsclnt.c View 1 2 chunks +3 lines, -3 lines 0 comments Download
M cmd/tstclnt/tstclnt.c View 1 4 chunks +3 lines, -6 lines 0 comments Download
M cmd/vfyserv/vfyutil.c View 1 2 chunks +4 lines, -3 lines 0 comments Download
M lib/ssl/derive.c View 1 chunk +0 lines, -1 line 0 comments Download
M lib/ssl/ssl3con.c View 1 13 chunks +2 lines, -47 lines 0 comments Download
M lib/ssl/sslcon.c View 1 10 chunks +3 lines, -30 lines 1 comment Download
M lib/ssl/sslenum.c View 2 chunks +0 lines, -3 lines 0 comments Download
M lib/ssl/sslimpl.h View 1 4 chunks +3 lines, -7 lines 1 comment Download
M lib/ssl/sslinfo.c View 3 chunks +0 lines, -4 lines 0 comments Download
M lib/ssl/sslproto.h View 1 3 chunks +5 lines, -11 lines 1 comment Download
M lib/ssl/sslt.h View 1 1 chunk +7 lines, -9 lines 1 comment Download
M tests/ssl/ssl.sh View 2 chunks +3 lines, -3 lines 0 comments Download
M tests/ssl/sslcov.txt View 3 chunks +0 lines, -6 lines 0 comments Download

Messages

Total messages: 7
mt
LGTM https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c File lib/ssl/ssl3con.c (left): https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c#oldcode461 lib/ssl/ssl3con.c:461: }; It might pay to add PR_STATIC_ASSERT(PR_ARRAY_SIZE(cipher_suite_defs) == ...
8 years, 3 months ago (2016-01-18 20:49:30 UTC) #1
ekr-rietveld
I see a reference to RC2 in ssl3_CipherSuiteAllowedForVersionRange that I think you want to remove. ...
8 years, 3 months ago (2016-01-19 01:35:26 UTC) #2
ttaubert
https://codereview.appspot.com/289790043/diff/1/cmd/selfserv/selfserv.c File cmd/selfserv/selfserv.c (right): https://codereview.appspot.com/289790043/diff/1/cmd/selfserv/selfserv.c#newcode115 cmd/selfserv/selfserv.c:115: -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ On 2016/01/19 01:35:26, ...
8 years, 3 months ago (2016-01-19 11:34:49 UTC) #3
wtc1
Review comments on patch set 2: I only reviewed the changes in lib/ssl. 1. The ...
8 years, 3 months ago (2016-01-19 17:50:07 UTC) #4
wtc1
https://codereview.appspot.com/289790043/diff/1/lib/ssl/sslproto.h File lib/ssl/sslproto.h (right): https://codereview.appspot.com/289790043/diff/1/lib/ssl/sslproto.h#newcode73 lib/ssl/sslproto.h:73: #define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04 /* deprecated */ On 2016/01/18 20:49:30, ...
8 years, 3 months ago (2016-01-19 17:53:48 UTC) #5
mt
On 2016/01/19 17:53:48, wtc1 wrote: > https://codereview.appspot.com/289790043/diff/1/lib/ssl/sslproto.h > File lib/ssl/sslproto.h (right): > > https://codereview.appspot.com/289790043/diff/1/lib/ssl/sslproto.h#newcode73 > ...
8 years, 3 months ago (2016-01-19 23:03:06 UTC) #6
mt
8 years, 3 months ago (2016-01-19 23:03:41 UTC) #7 
https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c
File lib/ssl/ssl3con.c (left):

https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c#oldcode461
lib/ssl/ssl3con.c:461: };
On 2016/01/19 11:34:49, ttaubert wrote:
> On 2016/01/18 20:49:30, mt wrote:
> > It might pay to add PR_STATIC_ASSERT(PR_ARRAY_SIZE(cipher_suite_defs) ==
> > ssl_V3_SUITES_IMPLEMENTED) here.
> 
> cipher_suite_defs[] has 72 entries right now, whereas
> ssl_V3_SUITES_IMPLEMENTED=63. Should we do that in a follow-up and remove
> surplus entries from cipher_suite_defs[]?

Yeah, a follow-up would be ideal.  I don't see any reason to include definitions
for stuff we don't implement.

https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c
File lib/ssl/ssl3con.c (right):

https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c#newcode476
lib/ssl/ssl3con.c:476: { calg_rc2      , CKM_RC2_CBC			}, /* deprecated */
On 2016/01/19 11:34:49, ttaubert wrote:
> On 2016/01/19 01:35:26, ekr-webrtc wrote:
> > On 2016/01/18 20:49:30, mt wrote:
> > > You can probably safely delete this line, and the calg_rc2 enum
> > 
> > If you opt to do that, also perhaps remove skipjack on line 480
> 
> Removed both lines, had to touch SSLCipherAlgorithm in sslt.h because
alg2Mech[]
> is indexed by those values. Is it okay to change all those values or should we
> rather insert null entries into alg2Mech[]?

Hmm, I think that we might need to keep the dead values here in that case. 
There might be code that has calg_aes_gcm value and we don't want to have that
get out of sync.  I think that you can delete the calg_rc2 value from sslt.h,
but you need to keep the values the same.

https://codereview.appspot.com/289790043/diff/1/lib/ssl/ssl3con.c#newcode5578
lib/ssl/ssl3con.c:5578: CKM_SKIPJACK_CBC64,
I don't know how far you want to go here, but this entire list is bad.  We can
probably reduce this to AES.  Can you file a follow-up?
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b