From 66299660976540fa59450a5edc700e61ce4685d0 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx
Date: Wed, 9 Mar 2016 18:10:52 +0100
Subject: [PATCH] Add no-ssl2-method
Reviewed-by: Viktor Dukhovni
MR: #2341
(cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086)
---
 CHANGES | 4 ++++
 ssl/s2_meth.c | 14 ++++++++++++--
 ssl/ssl.h | 2 ++
 util/mk1mf.pl | 1 +
 util/mkdef.pl | 6 +++++-
 util/ssleay.num | 6 +++---
 6 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index b0222cfa8..d4e988737 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
 default.
 [Kurt Roeckx]
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
 Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index 019d9dcf6..73885b7ec 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -57,7 +57,8 @@
 */
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
 # include
 # include
@@ -72,10 +73,19 @@ static const SSL_METHOD *ssl2_get_method(int ver)
 IMPLEMENT_ssl2_meth_func(SSLv2_method, ssl2_accept, ssl2_connect, ssl2_get_method)
-#else /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
 const SSL_METHOD *SSLv2_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
 #endif
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 06eb66165..d6c475c27 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
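Review bot: The three `SSLv2_*_method()` stubs kept under the new `# else /* !OPENSSL_NO_SSL2 */` branch return NULL with nothing in s2_meth.c saying why; the rationale lives only in the CHANGES entry. A comment above the first stub would keep the contract next to the code, e.g. `/* SSLv2 is compiled out (no-ssl2) but the method symbols are retained so existing binaries still link; callers receive NULL and must treat SSLv2 as unavailable. */` — the "still link" part is my inference from ssleay.num keeping these exports under SSL2_METHOD, so confirm it before committing the wording. The `# if PEDANTIC` dummy in the `#else /* !OPENSSL_NO_SSL2_METHOD */` branch would benefit from its customary one-liner too, `/* keep the translation unit non-empty for -pedantic builds */`. The first hunk of this file introduces the matching outer `#ifndef OPENSSL_NO_SSL2_METHOD` / inner `# ifndef OPENSSL_NO_SSL2` nesting and needs no separate note.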
@@ -2017,9 +2017,11 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+# endif
 # ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index e5fe37c42..02dc0106d 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -1115,6 +1115,7 @@ sub read_options
 "nw-mwasm" => \$nw_mwasm,
 "gaswin" => \$gaswin,
 "no-ssl2" => \$no_ssl2,
+ "no-ssl2-method" => 0,
 "no-ssl3" => \$no_ssl3,
 "no-ssl3-method" => 0,
 "no-tlsext" => \$no_tlsext,
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 894f0529f..0b97aa4db 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 "CAPIENG",
 # SSL v2
 "SSL2",
+ # SSL v2 method
+ "SSL2_METHOD",
 # SSL v3 method
 "SSL3_METHOD",
 # JPAKE
@@ -143,7 +145,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng; my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; my $no_nextprotoneg; my $no_sctp; my $no_srtp;
-my $no_unit_test; my $no_ssl3_method;
+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
 my $fips;
@@ -238,6 +240,7 @@ foreach (@ARGV, split(/ /, $options))
 elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
 elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
 elsif (/^no-ssl2$/) { $no_ssl2=1; }
+ elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
 elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
 elsif (/^no-capieng$/) { $no_capieng=1; }
 elsif (/^no-jpake$/) { $no_jpake=1; }
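Review bot: The new `# ifndef OPENSSL_NO_SSL2_METHOD` guard around the `SSLv2_*_method()` prototypes is keyed only on the method macro, while the protocol code is keyed on `OPENSSL_NO_SSL2` (as the s2_meth.c hunks show); nothing in this diff ties the two together, so a build with `no-ssl2-method` but without `no-ssl2` presumably still compiles the `OPENSSL_NO_SSL2`-guarded code while hiding these prototypes from it, unless Configure rejects that combination, which is not visible here. Either make the build scripts imply `no-ssl2` when `no-ssl2-method` is given, or state the constraint at the guard: `/* no-ssl2-method removes the symbols entirely; only meaningful together with no-ssl2 */`. The prototypes themselves should also tell API users about the other half of the change, since `SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)` just above accepts whatever pointer they pass: `/* SSLv2: returns NULL when built with no-ssl2; callers must check before use */`.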
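Review bot: `"no-ssl2-method" => 0,` registers the option with a value of 0, so read_options accepts it but records nothing, unlike the neighbouring `"no-ssl2" => \$no_ssl2`; that mirrors the existing `"no-ssl3-method" => 0`, but a reader is left to guess how `OPENSSL_NO_SSL2_METHOD` then reaches the compiler — presumably through the configured CFLAGS rather than this script. A comment on the two method entries would settle it: `# no-*-method: accepted so the Configure option list passes; sets no variable here`. read_options begins before this hunk, so I could not confirm from the diff how a 0 value is handled.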
@@ -1211,6 +1214,7 @@ sub is_valid
 if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc) { return 0; }
 if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+ if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { return 0; }
 if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
 if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
 if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
diff --git a/util/ssleay.num b/util/ssleay.num
index dd1c5e882..dd5811a90 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms 109 NOEXIST::FUNCTION:
 SSLv23_client_method 110 EXIST::FUNCTION:RSA
 SSLv23_method 111 EXIST::FUNCTION:RSA
 SSLv23_server_method 112 EXIST::FUNCTION:RSA
-SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2
-SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2
-SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2
+SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2_METHOD
 SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD
 SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD
 SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD