From a7f1c6569618905a042efceca3edc3812bc607b0 Mon Sep 17 00:00:00 2001 From: doug <> Date: Thu, 27 Aug 2015 06:21:15 +0000 Subject: Remove SSLv3 support from LibreSSL. This is the first wave of SSLv3 removal which removes the main SSLv3 functions. Future commits will remove the rest of the SSLv3 support. Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@, sthen@, naddy@, and deraadt@. ok jsing@, beck@ --- src/lib/libssl/s23_clnt.c | 18 +++--------------- src/lib/libssl/s23_srvr.c | 25 +++++-------------------- src/lib/libssl/s3_clnt.c | 16 +--------------- src/lib/libssl/s3_lib.c | 4 ++-- src/lib/libssl/s3_srvr.c | 16 +--------------- src/lib/libssl/src/crypto/opensslfeatures.h | 2 ++ src/lib/libssl/src/ssl/s23_clnt.c | 18 +++--------------- src/lib/libssl/src/ssl/s23_meth.c | 4 +--- src/lib/libssl/src/ssl/s23_srvr.c | 25 +++++-------------------- src/lib/libssl/src/ssl/s3_clnt.c | 16 +--------------- src/lib/libssl/src/ssl/s3_lib.c | 4 ++-- src/lib/libssl/src/ssl/s3_meth.c | 16 +--------------- src/lib/libssl/src/ssl/s3_srvr.c | 16 +--------------- src/lib/libssl/src/ssl/ssl.h | 6 +----- src/lib/libssl/src/ssl/ssl_lib.c | 7 +------ src/lib/libssl/src/ssl/ssl_sess.c | 3 +-- src/lib/libssl/ssl.h | 6 +----- src/lib/libssl/ssl_lib.c | 7 +------ src/lib/libssl/ssl_sess.c | 3 +-- 19 files changed, 34 insertions(+), 178 deletions(-) (limited to 'src/lib/libssl') diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 458eb37d5f..a99a7691bd 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */ +/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -196,8 +196,6 @@ SSLv23_client_method(void) static const SSL_METHOD * ssl23_get_client_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_client_method()); if (ver == TLS1_VERSION) return (TLSv1_client_method()); if (ver == TLS1_1_VERSION) @@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s) * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. */ - mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3; + mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1; version = TLS1_2_VERSION; if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) @@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s) if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) version = TLS1_VERSION; mask &= ~SSL_OP_NO_TLSv1; - if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) - version = SSL3_VERSION; - mask &= ~SSL_OP_NO_SSLv3; buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { @@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s) } else if (version == TLS1_VERSION) { version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; - } else if (version == SSL3_VERSION) { - version_major = SSL3_VERSION_MAJOR; - version_minor = SSL3_VERSION_MINOR; } else { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); @@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s) (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { /* we have sslv3 or tls1 (server hello or alert) */ - if ((p[2] == SSL3_VERSION_MINOR) && - !(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - s->method = SSLv3_client_method(); - } else if ((p[2] == TLS1_VERSION_MINOR) && + if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { s->version = TLS1_VERSION; s->method = TLSv1_client_method(); diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index b524124681..7b2107680e 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c 
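Review bot: In the `@@ -331,7 +329,7 @@` hunk of ssl23_client_hello, shrinking `mask` to `SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1` means a caller that sets SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1 (the old way to get an SSLv3-only client) fails every visible `(options & mask) != mask` test. In that case `version` stays TLS1_2_VERSION although TLS 1.2 is disabled, and the SSL_R_NO_PROTOCOLS_AVAILABLE branch is not taken. Unless a check outside these hunks rejects that option set, it would be safer to fail closed right after the assignment, e.g. `if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) == mask) { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); }`. The context comment still gives `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` as the answer, and the `mask &= ~SSL_OP_NO_TLSv1;` kept by the next hunk now looks like a dead store. The same hunks appear in src/lib/libssl/src/ssl/s23_clnt.c; the function body extends beyond what is shown.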
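Review bot: The context comment `/* we have sslv3 or tls1 (server hello or alert) */` in the `@@ -494,11 +486,7 @@` hunk of ssl23_get_server_hello is now stale, because a reply with `p[2] == SSL3_VERSION_MINOR` no longer selects any method. I would reword it to `/* we have tls1.x (server hello or alert); SSLv3 is no longer accepted */` so the next reader does not look for a missing branch. What happens to an SSL 3.0 reply after the TLS comparisons is decided outside the hunk, so it is worth confirming it ends in an error rather than a default method. The copy in src/lib/libssl/src/ssl/s23_clnt.c needs the same comment change.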
@@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,8 +194,6 @@ SSLv23_server_method(void) static const SSL_METHOD * ssl23_get_server_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_server_method()); if (ver == TLS1_VERSION) return (TLSv1_server_method()); if (ver == TLS1_1_VERSION) @@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s) /* type=2; */ /* done later to survive restarts */ s->state = SSL23_ST_SR_CLNT_HELLO_B; } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - /* type=2; */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; + type = 1; } else if (!(s->options & SSL_OP_NO_SSLv2)) { type = 1; } } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - /* type=2; */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; + type = 1; } else if (!(s->options & SSL_OP_NO_SSLv2)) type = 1; @@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s) } else if (!(s->options & SSL_OP_NO_TLSv1)) { s->version = TLS1_VERSION; type = 3; - } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - type = 3; } } else { - /* client requests SSL 3.0 */ - if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - type = 3; - } else if (!(s->options & SSL_OP_NO_TLSv1)) { + if (!(s->options & SSL_OP_NO_TLSv1)) { /* we won't be able to use TLS of course, * but this will send an appropriate alert */ s->version = TLS1_VERSION; @@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s) s->method = TLSv1_2_server_method(); else if (s->version == TLS1_1_VERSION) s->method = TLSv1_1_server_method(); - else if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); else - s->method = SSLv3_server_method(); + s->method = TLSv1_server_method(); s->handshake_func = s->method->ssl_accept; } 
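Review bot: In the `@@ -357,16 +355,12 @@` hunk of ssl23_get_client_hello, the `!(s->options & SSL_OP_NO_SSLv3)` and `!(s->options & SSL_OP_NO_SSLv2)` arms now both do `type = 1;`. The outcome for an SSLv2-format hello offering at most SSL 3.0 therefore still hinges on option bits for protocols the library no longer speaks. If an application sets both bits, `type` keeps whatever value it had before, and handling falls to code outside the hunk. Assuming `type = 1` routes to the unsupported-protocol path, a single unconditional `else type = 1;` with a comment such as `/* SSLv2/SSLv3 are not supported: reject */` would make the rejection independent of caller options. The same hunk appears in src/lib/libssl/src/ssl/s23_srvr.c.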
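Review bot: The `@@ -415,16 +409,9 @@` hunk deletes the `/* client requests SSL 3.0 */` comment, yet the surviving `else` arm is still the path taken for such a client. The remaining comment ("we won't be able to use TLS of course, but this will send an appropriate alert") is hard to follow without it. I would keep a one-line comment at the top of the arm, e.g. `/* client offers at most SSL 3.0, which is no longer supported */`. The case where SSL_OP_NO_TLSv1 is set leaves `s->version` and `type` untouched in the visible lines, so it is worth confirming that the code after the hunk rejects the connection there too. The copy in src/lib/libssl/src/ssl/s23_srvr.c is identical.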
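Review bot: In the `@@ -587,10 +574,8 @@` hunk the final `else s->method = TLSv1_server_method();` turns TLS 1.0 into the catch-all, so any `s->version` that is not TLS 1.2 or 1.1 silently gets the TLSv1 method. That includes a leftover SSL3_VERSION if some earlier path outside the hunk still sets it. Keeping the explicit `else if (s->version == TLS1_VERSION)` test and sending the last `else` to the function's error path would fail closed rather than pick the oldest remaining protocol by default. The same applies to src/lib/libssl/src/ssl/s23_srvr.c; the surrounding function is only partly visible here.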
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index b739711732..30f679eac3 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,12 +170,6 @@ #include "bytestring.h" -#ifdef __OpenBSD__ -#include -__warn_references(SSLv3_client_method, - "SSLv3_client_method() enables the use of insecure protocols"); -#endif - static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); @@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = { .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, }; -const SSL_METHOD * -SSLv3_client_method(void) -{ - return &SSLv3_client_method_data; -} - static const SSL_METHOD * ssl3_get_client_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_client_method()); return (NULL); } diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index c8bdac0214..42396a21e9 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s) s->s3->total_renegotiations = 0; s->s3->num_renegotiations = 0; s->s3->in_read_app_data = 0; - s->version = SSL3_VERSION; + s->version = TLS1_VERSION; free(s->next_proto_negotiated); s->next_proto_negotiated = NULL; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 7d2ec4d132..5574884b89 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c 
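Review bot: The `@@ -2112,7 +2112,7 @@` hunk makes ssl3_clear reset `s->version` to the hard-coded `TLS1_VERSION`, which is the lowest protocol the library still offers. If any caller relies on ssl3_clear alone without afterwards restoring the method's own version, a cleared TLS 1.2 object would restart at TLS 1.0. Either `s->version = s->method->version;` or a comment such as `/* placeholder; the method's clear routine sets the real version */` would make the intent explicit. This is hedged on callers that are not visible in the hunk. The same line changes in src/lib/libssl/src/ssl/s3_lib.c.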
@@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -166,12 +166,6 @@ #include "bytestring.h" -#ifdef __OpenBSD__ -#include -__warn_references(SSLv3_server_method, - "SSLv3_server_method() enables the use of insecure protocols"); -#endif - static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = { @@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = { .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, }; -const SSL_METHOD * -SSLv3_server_method(void) -{ - return &SSLv3_server_method_data; -} - static const SSL_METHOD * ssl3_get_server_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_server_method()); return (NULL); } diff --git a/src/lib/libssl/src/crypto/opensslfeatures.h b/src/lib/libssl/src/crypto/opensslfeatures.h index 45848c5a35..6b6784754d 100644 --- a/src/lib/libssl/src/crypto/opensslfeatures.h +++ b/src/lib/libssl/src/crypto/opensslfeatures.h @@ -15,6 +15,8 @@ # define OPENSSL_NO_SEED # define OPENSSL_NO_SRP # define OPENSSL_NO_SSL2 +# define OPENSSL_NO_SSL3 +# define OPENSSL_NO_SSL3_METHOD # define OPENSSL_NO_STORE # define OPENSSL_NO_BUF_FREELISTS # define OPENSSL_NO_HEARTBEATS diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c index 458eb37d5f..a99a7691bd 100644 --- a/src/lib/libssl/src/ssl/s23_clnt.c +++ b/src/lib/libssl/src/ssl/s23_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */ +/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
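Review bot: The opensslfeatures.h hunk adds `OPENSSL_NO_SSL3` and `OPENSSL_NO_SSL3_METHOD` in the same commit that drops the exported `SSLv3_method()`, `SSLv3_server_method()` and `SSLv3_client_method()` from ssl.h. None of the 19 files in the diffstat is a shared-library version file, so the symbol removal appears to ship without a major bump here. If the bump lands separately, the commit message should say so. A short comment next to the defines, e.g. `/* SSLv3 entry points are removed; SSL_OP_NO_SSLv3 is kept for source compatibility */`, would also tell downstream code which macro to test. The wording of that comment assumes the option constant stays, which the untouched `SSL_OP_NO_SSLv3` uses in this diff suggest.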
@@ -196,8 +196,6 @@ SSLv23_client_method(void) static const SSL_METHOD * ssl23_get_client_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_client_method()); if (ver == TLS1_VERSION) return (TLSv1_client_method()); if (ver == TLS1_1_VERSION) @@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s) * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. */ - mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3; + mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1; version = TLS1_2_VERSION; if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) @@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s) if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) version = TLS1_VERSION; mask &= ~SSL_OP_NO_TLSv1; - if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) - version = SSL3_VERSION; - mask &= ~SSL_OP_NO_SSLv3; buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { @@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s) } else if (version == TLS1_VERSION) { version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; - } else if (version == SSL3_VERSION) { - version_major = SSL3_VERSION_MAJOR; - version_minor = SSL3_VERSION_MINOR; } else { SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE); return (-1); @@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s) (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { /* we have sslv3 or tls1 (server hello or alert) */ - if ((p[2] == SSL3_VERSION_MINOR) && - !(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - s->method = SSLv3_client_method(); - } else if ((p[2] == TLS1_VERSION_MINOR) && + if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { s->version = TLS1_VERSION; s->method = TLSv1_client_method(); diff --git a/src/lib/libssl/src/ssl/s23_meth.c b/src/lib/libssl/src/ssl/s23_meth.c index 04152eda41..acc8315b91 100644 --- a/src/lib/libssl/src/ssl/s23_meth.c 
+++ b/src/lib/libssl/src/ssl/s23_meth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_meth.c,v 1.19 2015/07/19 07:30:06 doug Exp $ */ +/* $OpenBSD: s23_meth.c,v 1.20 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -106,8 +106,6 @@ SSLv23_method(void) static const SSL_METHOD * ssl23_get_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_method()); if (ver == TLS1_VERSION) return (TLSv1_method()); if (ver == TLS1_1_VERSION) diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c index b524124681..7b2107680e 100644 --- a/src/lib/libssl/src/ssl/s23_srvr.c +++ b/src/lib/libssl/src/ssl/s23_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */ +/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,8 +194,6 @@ SSLv23_server_method(void) static const SSL_METHOD * ssl23_get_server_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_server_method()); if (ver == TLS1_VERSION) return (TLSv1_server_method()); if (ver == TLS1_1_VERSION) @@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s) /* type=2; */ /* done later to survive restarts */ s->state = SSL23_ST_SR_CLNT_HELLO_B; } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - /* type=2; */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; + type = 1; } else if (!(s->options & SSL_OP_NO_SSLv2)) { type = 1; } } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - /* type=2; */ - s->state = SSL23_ST_SR_CLNT_HELLO_B; + type = 1; } else if (!(s->options & SSL_OP_NO_SSLv2)) type = 1; 
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s) } else if (!(s->options & SSL_OP_NO_TLSv1)) { s->version = TLS1_VERSION; type = 3; - } else if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - type = 3; } } else { - /* client requests SSL 3.0 */ - if (!(s->options & SSL_OP_NO_SSLv3)) { - s->version = SSL3_VERSION; - type = 3; - } else if (!(s->options & SSL_OP_NO_TLSv1)) { + if (!(s->options & SSL_OP_NO_TLSv1)) { /* we won't be able to use TLS of course, * but this will send an appropriate alert */ s->version = TLS1_VERSION; @@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s) s->method = TLSv1_2_server_method(); else if (s->version == TLS1_1_VERSION) s->method = TLSv1_1_server_method(); - else if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); else - s->method = SSLv3_server_method(); + s->method = TLSv1_server_method(); s->handshake_func = s->method->ssl_accept; } diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index b739711732..30f679eac3 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,12 +170,6 @@ #include "bytestring.h" -#ifdef __OpenBSD__ -#include -__warn_references(SSLv3_client_method, - "SSLv3_client_method() enables the use of insecure protocols"); -#endif - static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); 
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = { .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, }; -const SSL_METHOD * -SSLv3_client_method(void) -{ - return &SSLv3_client_method_data; -} - static const SSL_METHOD * ssl3_get_client_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_client_method()); return (NULL); } diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index c8bdac0214..42396a21e9 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s) s->s3->total_renegotiations = 0; s->s3->num_renegotiations = 0; s->s3->in_read_app_data = 0; - s->version = SSL3_VERSION; + s->version = TLS1_VERSION; free(s->next_proto_negotiated); s->next_proto_negotiated = NULL; diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c index c5f043e944..43fcbd4ade 100644 --- a/src/lib/libssl/src/ssl/s3_meth.c +++ b/src/lib/libssl/src/ssl/s3_meth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */ +/* $OpenBSD: s3_meth.c,v 1.15 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,12 +62,6 @@ #include "ssl_locl.h" -#ifdef __OpenBSD__ -#include -__warn_references(SSLv3_method, - "SSLv3_method() enables the use of insecure protocols"); -#endif - static const SSL_METHOD *ssl3_get_method(int ver); const SSL_METHOD SSLv3_method_data = { 
@@ -102,16 +96,8 @@ const SSL_METHOD SSLv3_method_data = { .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, }; -const SSL_METHOD * -SSLv3_method(void) -{ - return &SSLv3_method_data; -} - static const SSL_METHOD * ssl3_get_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_method()); return (NULL); } diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 7d2ec4d132..5574884b89 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */ +/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -166,12 +166,6 @@ #include "bytestring.h" -#ifdef __OpenBSD__ -#include -__warn_references(SSLv3_server_method, - "SSLv3_server_method() enables the use of insecure protocols"); -#endif - static const SSL_METHOD *ssl3_get_server_method(int ver); const SSL_METHOD SSLv3_server_method_data = { @@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = { .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, }; -const SSL_METHOD * -SSLv3_server_method(void) -{ - return &SSLv3_server_method_data; -} - static const SSL_METHOD * ssl3_get_server_method(int ver) { - if (ver == SSL3_VERSION) - return (SSLv3_server_method()); return (NULL); } diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 0cd220778b..e7873f5ed4 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */ +/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s); /* This sets the 'default' SSL version that SSL_new() will create */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); -const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ - const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 629ad03554..a93c16de65 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2549,8 +2549,6 @@ ssl_version_string(int ver) return (SSL_TXT_DTLS1_BAD); case DTLS1_VERSION: return (SSL_TXT_DTLS1); - case SSL3_VERSION: - return (SSL_TXT_SSLV3); case TLS1_VERSION: return (SSL_TXT_TLSV1); case TLS1_1_VERSION: @@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s) if ((s->options & SSL_OP_NO_TLSv1) == 0 && max_version >= TLS1_VERSION) return (TLS1_VERSION); - if ((s->options & SSL_OP_NO_SSLv3) == 0 && - max_version >= SSL3_VERSION) - return (SSL3_VERSION); return (0); } diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c index ef5b9be56d..a688b9ef41 100644 --- a/src/lib/libssl/src/ssl/ssl_sess.c +++ b/src/lib/libssl/src/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session) if (session) { switch (s->version) { - case SSL3_VERSION: case TLS1_VERSION: case TLS1_1_VERSION: case TLS1_2_VERSION: diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 0cd220778b..e7873f5ed4 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */ +/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s); /* This sets the 'default' SSL version that SSL_new() will create */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); -const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ - const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 629ad03554..a93c16de65 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2549,8 +2549,6 @@ ssl_version_string(int ver) return (SSL_TXT_DTLS1_BAD); case DTLS1_VERSION: return (SSL_TXT_DTLS1); - case SSL3_VERSION: - return (SSL_TXT_SSLV3); case TLS1_VERSION: return (SSL_TXT_TLSV1); case TLS1_1_VERSION: 
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s) if ((s->options & SSL_OP_NO_TLSv1) == 0 && max_version >= TLS1_VERSION) return (TLS1_VERSION); - if ((s->options & SSL_OP_NO_SSLv3) == 0 && - max_version >= SSL3_VERSION) - return (SSL3_VERSION); return (0); } diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index ef5b9be56d..a688b9ef41 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session) if (session) { switch (s->version) { - case SSL3_VERSION: case TLS1_VERSION: case TLS1_1_VERSION: case TLS1_2_VERSION: -- cgit v1.2.3-55-g6feb