From 86bf43c0754f7de02e216a110bff784aace5fea7 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Thu, 27 Aug 2015 06:21:15 +0000
Subject: Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions.  Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15.  Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@
---
 src/lib/libssl/s23_srvr.c | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)

(limited to 'src/lib/libssl/s23_srvr.c')

diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-	if (ver == SSL3_VERSION)
-		return (SSLv3_server_method());
 	if (ver == TLS1_VERSION)
 		return (TLSv1_server_method());
 	if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
 						/* type=2; */ /* done later to survive restarts */
 						s->state = SSL23_ST_SR_CLNT_HELLO_B;
 					} else if (!(s->options & SSL_OP_NO_SSLv3)) {
-						s->version = SSL3_VERSION;
-						/* type=2; */
-						s->state = SSL23_ST_SR_CLNT_HELLO_B;
+						type = 1;
 					} else if (!(s->options & SSL_OP_NO_SSLv2)) {
 						type = 1;
 					}
 				} else if (!(s->options & SSL_OP_NO_SSLv3)) {
-					s->version = SSL3_VERSION;
-					/* type=2; */
-					s->state = SSL23_ST_SR_CLNT_HELLO_B;
+					type = 1;
 				} else if (!(s->options & SSL_OP_NO_SSLv2))
 					type = 1;
 
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
 				} else if (!(s->options & SSL_OP_NO_TLSv1)) {
 					s->version = TLS1_VERSION;
 					type = 3;
-				} else if (!(s->options & SSL_OP_NO_SSLv3)) {
-					s->version = SSL3_VERSION;
-					type = 3;
 				}
 			} else {
-				/* client requests SSL 3.0 */
-				if (!(s->options & SSL_OP_NO_SSLv3)) {
-					s->version = SSL3_VERSION;
-					type = 3;
-				} else if (!(s->options & SSL_OP_NO_TLSv1)) {
+				if (!(s->options & SSL_OP_NO_TLSv1)) {
 					/* we won't be able to use TLS of course,
 					 * but this will send an appropriate alert */
 					s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
 			s->method = TLSv1_2_server_method();
 		else if (s->version == TLS1_1_VERSION)
 			s->method = TLSv1_1_server_method();
-		else if (s->version == TLS1_VERSION)
-			s->method = TLSv1_server_method();
 		else
-			s->method = SSLv3_server_method();
+			s->method = TLSv1_server_method();
 		s->handshake_func = s->method->ssl_accept;
 	}
 
-- 
cgit v1.2.3-55-g6feb