Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions.  Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15.  Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@

1 files changed, 5 insertions, 20 deletions

diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
         if (ver == TLS1_VERSION)
                 return (TLSv1_server_method());
         if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
                                                 /* type=2; */ /* done later to survive restarts */
                                                 s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                         } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                                s->version = SSL3_VERSION;
-                                                /* type=2; */
-                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
+                                                type = 1;
                                         } else if (!(s->options & SSL_OP_NO_SSLv2)) {
                                                 type = 1;
                                         }
                                 } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        /* type=2; */
-                                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
+                                        type = 1;
                                 } else if (!(s->options & SSL_OP_NO_SSLv2))
                                         type = 1;
 
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
                                 } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                         s->version = TLS1_VERSION;
                                         type = 3;
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
                                 }
                         } else {
-                                /* client requests SSL 3.0 */
-                                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
+                                if (!(s->options & SSL_OP_NO_TLSv1)) {
                                         /* we won't be able to use TLS of course,
                                          * but this will send an appropriate alert */
                                         s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
                         s->method = TLSv1_2_server_method();
                 else if (s->version == TLS1_1_VERSION)
                         s->method = TLSv1_1_server_method();
-                else if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
                 else
-                        s->method = SSLv3_server_method();
+                        s->method = TLSv1_server_method();
                 s->handshake_func = s->method->ssl_accept;
         }