authorDoug Hogan <doug@cvs.openbsd.org>2015-09-12 16:10:09 +0000
committerDoug Hogan <doug@cvs.openbsd.org>2015-09-12 16:10:09 +0000
commit5f8785cd7c1174233b77260d5624035b81ba1173 (patch)
tree19dcbe854a95a61be4048fc9537465b38b8f37af /lib/libssl/s3_lib.c
parentc7f8ade74516f7e2bac37409519d18efbeb60613 (diff)
Remove most of the SSLv3 version checks and a few TLS v1.0.
We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and DTLS1_BAD_VER support was removed. "reads ok" miod@
Diffstat (limited to 'lib/libssl/s3_lib.c')
-rw-r--r--lib/libssl/s3_lib.c15
1 files changed, 5 insertions, 10 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 912ac8dbdbb..ce383bb209f 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.105 2015/09/12 15:03:39 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.106 2015/09/12 16:10:07 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2598,7 +2598,7 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
#ifndef OPENSSL_NO_GOST
- if ((alg_k & SSL_kGOST) && (s->version >= TLS1_VERSION)) {
+ if ((alg_k & SSL_kGOST)) {
p[ret++] = TLS_CT_GOST94_SIGN;
p[ret++] = TLS_CT_GOST01_SIGN;
p[ret++] = TLS_CT_GOST12_256_SIGN;
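Review bot: The rewritten test `if ((alg_k & SSL_kGOST)) {` keeps the doubled parentheses left over from the removed `&& (s->version >= TLS1_VERSION)` clause; `if (alg_k & SSL_kGOST) {` says the same thing without suggesting a missing operand. The same leftover appears in the ECDH test of the next hunk, which would read `if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {`. The GOST branch continues past the end of this hunk, so the rest of its body is not visible here.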
@@ -2610,13 +2610,9 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
p[ret++] = SSL3_CT_RSA_FIXED_DH;
p[ret++] = SSL3_CT_DSS_FIXED_DH;
}
- if (s->version == SSL3_VERSION && (alg_k & SSL_kDHE)) {
- p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH;
- p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH;
- }
p[ret++] = SSL3_CT_RSA_SIGN;
p[ret++] = SSL3_CT_DSS_SIGN;
- if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION)) {
+ if ((alg_k & (SSL_kECDHr|SSL_kECDHe))) {
p[ret++] = TLS_CT_RSA_FIXED_ECDH;
p[ret++] = TLS_CT_ECDSA_FIXED_ECDH;
}
@@ -2625,9 +2621,8 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
* ECDSA certs can be used with RSA cipher suites as well
* so we don't need to check for SSL_kECDH or SSL_kECDHE
*/
- if (s->version >= TLS1_VERSION) {
- p[ret++] = TLS_CT_ECDSA_SIGN;
- }
+ p[ret++] = TLS_CT_ECDSA_SIGN;
+
return (ret);
}
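Review bot: The unconditional `p[ret++] = TLS_CT_ECDSA_SIGN;` is only correct while no SSLv3 session can reach ssl3_get_req_cert_type, and nothing in the visible code records that the version floor is enforced elsewhere. A one-line comment above the write would keep the assumption from being lost, for example `/* Negotiated version is always >= TLS v1.0 here; SSLv3 is rejected earlier. */`. Every certificate type is also stored through `p[ret++]` with no length argument, so the caller's buffer has to hold the worst case across all branches; that size is presumably guaranteed by the caller, which is outside this diff. Stating the maximum number of bytes written in the function's header comment would make it checkable. The function begins outside this hunk.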