Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3 functions. Future commits will remove the rest of the SSLv3 support. Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@, sthen@, naddy@, and deraadt@. ok jsing@, beck@
author: doug <> 2015-08-27 06:21:15 +0000
committer: doug <> 2015-08-27 06:21:15 +0000
commit: 86bf43c0754f7de02e216a110bff784aace5fea7 (patch)
tree: edcaf86fcb7a4c7c49e4f2bbefde1665cfd57458 /src
parent: 9b2397328086b49e1f5d15b4248c6aa164c42a4d (diff)
download: openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.tar.gz
openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.tar.bz2
openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.zip
20 files changed, 36 insertions, 178 deletions
diff --git a/src/lib/libcrypto/opensslfeatures.h b/src/lib/libcrypto/opensslfeatures.h
index 45848c5a35..6b6784754d 100644
--- a/src/lib/libcrypto/opensslfeatures.h
+++ b/src/lib/libcrypto/opensslfeatures.h
@@ -15,6 +15,8 @@
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP
 # define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
 # define OPENSSL_NO_STORE
 # define OPENSSL_NO_BUF_FREELISTS
 # define OPENSSL_NO_HEARTBEATS
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 458eb37d5f..a99a7691bd 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
 static const SSL_METHOD *
 ssl23_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_client_method());
        if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
         */
-        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
        version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
        mask &= ~SSL_OP_NO_TLSv1;
-        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
-                version = SSL3_VERSION;
-        mask &= ~SSL_OP_NO_SSLv3;
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
                } else if (version == TLS1_VERSION) {
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
-                } else if (version == SSL3_VERSION) {
-                        version_major = SSL3_VERSION_MAJOR;
-                        version_minor = SSL3_VERSION_MINOR;
                } else {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
            (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
                /* we have sslv3 or tls1 (server hello or alert) */
-                if ((p[2] == SSL3_VERSION_MINOR) &&
+                if ((p[2] == TLS1_VERSION_MINOR) &&
-                    !(s->options & SSL_OP_NO_SSLv3)) {
-                        s->version = SSL3_VERSION;
-                        s->method = SSLv3_client_method();
-                } else if ((p[2] == TLS1_VERSION_MINOR) &&
                    !(s->options & SSL_OP_NO_TLSv1)) {
                        s->version = TLS1_VERSION;
                        s->method = TLSv1_client_method();
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_server_method());
        if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                                s->version = SSL3_VERSION;
+                                                type = 1;
-                                                /* type=2; */
-                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
                                                type = 1;
                                        }
                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
+                                        type = 1;
-                                        /* type=2; */
-                                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                } else if (!(s->options & SSL_OP_NO_SSLv2))
                                        type = 1;
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
                                }
                        } else {
-                                /* client requests SSL 3.0 */
+                                if (!(s->options & SSL_OP_NO_TLSv1)) {
-                                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
                else
-                        s->method = SSLv3_server_method();
+                        s->method = TLSv1_server_method();
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b739711732..30f679eac3 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,12 +170,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
-    "SSLv3_client_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_client_method(void)
-{
-        return &SSLv3_client_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index c8bdac0214..42396a21e9 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
        s->s3->total_renegotiations = 0;
        s->s3->num_renegotiations = 0;
        s->s3->in_read_app_data = 0;
-        s->version = SSL3_VERSION;
+        s->version = TLS1_VERSION;
        free(s->next_proto_negotiated);
        s->next_proto_negotiated = NULL;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 7d2ec4d132..5574884b89 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -166,12 +166,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
-    "SSLv3_server_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_server_method(void)
-{
-        return &SSLv3_server_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/crypto/opensslfeatures.h b/src/lib/libssl/src/crypto/opensslfeatures.h
index 45848c5a35..6b6784754d 100644
--- a/src/lib/libssl/src/crypto/opensslfeatures.h
+++ b/src/lib/libssl/src/crypto/opensslfeatures.h
@@ -15,6 +15,8 @@
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP
 # define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
 # define OPENSSL_NO_STORE
 # define OPENSSL_NO_BUF_FREELISTS
 # define OPENSSL_NO_HEARTBEATS
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 458eb37d5f..a99a7691bd 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
 static const SSL_METHOD *
 ssl23_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_client_method());
        if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
         */
-        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
        version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
        mask &= ~SSL_OP_NO_TLSv1;
-        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
-                version = SSL3_VERSION;
-        mask &= ~SSL_OP_NO_SSLv3;
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
                } else if (version == TLS1_VERSION) {
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
-                } else if (version == SSL3_VERSION) {
-                        version_major = SSL3_VERSION_MAJOR;
-                        version_minor = SSL3_VERSION_MINOR;
                } else {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
            (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
                /* we have sslv3 or tls1 (server hello or alert) */
-                if ((p[2] == SSL3_VERSION_MINOR) &&
+                if ((p[2] == TLS1_VERSION_MINOR) &&
-                    !(s->options & SSL_OP_NO_SSLv3)) {
-                        s->version = SSL3_VERSION;
-                        s->method = SSLv3_client_method();
-                } else if ((p[2] == TLS1_VERSION_MINOR) &&
                    !(s->options & SSL_OP_NO_TLSv1)) {
                        s->version = TLS1_VERSION;
                        s->method = TLSv1_client_method();
diff --git a/src/lib/libssl/src/ssl/s23_meth.c b/src/lib/libssl/src/ssl/s23_meth.c
index 04152eda41..acc8315b91 100644
--- a/src/lib/libssl/src/ssl/s23_meth.c
+++ b/src/lib/libssl/src/ssl/s23_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_meth.c,v 1.19 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_meth.c,v 1.20 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -106,8 +106,6 @@ SSLv23_method(void)
 static const SSL_METHOD *
 ssl23_get_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_method());
        if (ver == TLS1_1_VERSION)
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_server_method());
        if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                                s->version = SSL3_VERSION;
+                                                type = 1;
-                                                /* type=2; */
-                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
                                                type = 1;
                                        }
                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
+                                        type = 1;
-                                        /* type=2; */
-                                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                } else if (!(s->options & SSL_OP_NO_SSLv2))
                                        type = 1;
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
                                }
                        } else {
-                                /* client requests SSL 3.0 */
+                                if (!(s->options & SSL_OP_NO_TLSv1)) {
-                                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
                else
-                        s->method = SSLv3_server_method();
+                        s->method = TLSv1_server_method();
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index b739711732..30f679eac3 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,12 +170,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
-    "SSLv3_client_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_client_method(void)
-{
-        return &SSLv3_client_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index c8bdac0214..42396a21e9 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
        s->s3->total_renegotiations = 0;
        s->s3->num_renegotiations = 0;
        s->s3->in_read_app_data = 0;
-        s->version = SSL3_VERSION;
+        s->version = TLS1_VERSION;
        free(s->next_proto_negotiated);
        s->next_proto_negotiated = NULL;
diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c
index c5f043e944..43fcbd4ade 100644
--- a/src/lib/libssl/src/ssl/s3_meth.c
+++ b/src/lib/libssl/src/ssl/s3_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_meth.c,v 1.15 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,12 +62,6 @@
 #include "ssl_locl.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_method,
-    "SSLv3_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_method(int ver);
 const SSL_METHOD SSLv3_method_data = {
@@ -102,16 +96,8 @@ const SSL_METHOD SSLv3_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_method(void)
-{
-        return &SSLv3_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 7d2ec4d132..5574884b89 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -166,12 +166,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
-    "SSLv3_server_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_server_method(void)
-{
-        return &SSLv3_server_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 0cd220778b..e7873f5ed4 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv3_method(void);           /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void);    /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void);    /* SSLv3 */
 const SSL_METHOD *SSLv23_method(void);          /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_server_method(void);   /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_client_method(void);   /* SSLv3 or TLSv1.* */
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 629ad03554..a93c16de65 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
                return (SSL_TXT_DTLS1_BAD);
        case DTLS1_VERSION:
                return (SSL_TXT_DTLS1);
-        case SSL3_VERSION:
-                return (SSL_TXT_SSLV3);
        case TLS1_VERSION:
                return (SSL_TXT_TLSV1);
        case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
            max_version >= TLS1_VERSION)
                return (TLS1_VERSION);
-        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
-            max_version >= SSL3_VERSION)
-                return (SSL3_VERSION);
        return (0);
 }
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index ef5b9be56d..a688b9ef41 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)
        if (session) {
                switch (s->version) {
-                case SSL3_VERSION:
                case TLS1_VERSION:
                case TLS1_1_VERSION:
                case TLS1_2_VERSION:
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 0cd220778b..e7873f5ed4 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv3_method(void);           /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void);    /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void);    /* SSLv3 */
 const SSL_METHOD *SSLv23_method(void);          /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_server_method(void);   /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_client_method(void);   /* SSLv3 or TLSv1.* */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 629ad03554..a93c16de65 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
                return (SSL_TXT_DTLS1_BAD);
        case DTLS1_VERSION:
                return (SSL_TXT_DTLS1);
-        case SSL3_VERSION:
-                return (SSL_TXT_SSLV3);
        case TLS1_VERSION:
                return (SSL_TXT_TLSV1);
        case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
            max_version >= TLS1_VERSION)
                return (TLS1_VERSION);
-        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
-            max_version >= SSL3_VERSION)
-                return (SSL3_VERSION);
        return (0);
 }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index ef5b9be56d..a688b9ef41 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)
        if (session) {
                switch (s->version) {
-                case SSL3_VERSION:
                case TLS1_VERSION:
                case TLS1_1_VERSION:
                case TLS1_2_VERSION:
author	doug <>	2015-08-27 06:21:15 +0000
committer	doug <>	2015-08-27 06:21:15 +0000
commit	86bf43c0754f7de02e216a110bff784aace5fea7 (patch)
tree	edcaf86fcb7a4c7c49e4f2bbefde1665cfd57458 /src
parent	9b2397328086b49e1f5d15b4248c6aa164c42a4d (diff)
download	openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.tar.gz openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.tar.bz2 openbsd-86bf43c0754f7de02e216a110bff784aace5fea7.zip