New option no-ssl3-method which removes SSLv3_*method
authorDr. Stephen Henson <steve@openssl.org>
Wed, 29 Oct 2014 12:51:31 +0000 (12:51 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 19 Nov 2014 22:57:51 +0000 (22:57 +0000)
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3881d8106df732fc433d30446625dfa2396da42d)

Conflicts:
util/mkdef.pl

Configure
apps/s_client.c
apps/s_server.c
ssl/s3_clnt.c
ssl/s3_meth.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssltest.c
util/mk1mf.pl
util/mkdef.pl
util/ssleay.num

index 6f0da76..541be9e 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -804,6 +804,11 @@ PROCESS_ARGS:
                                        {
                                        $disabled{"tls1"} = "option(tls)"
                                        }
+                               elsif ($1 eq "ssl3-method")
+                                       {
+                                       $disabled{"ssl3-method"} = "option(ssl)";
+                                       $disabled{"ssl3"} = "option(ssl)";
+                                       }
                                else
                                        {
                                        $disabled{$1} = "option";
index c2e160c..a156e2f 100644 (file)
@@ -332,7 +332,9 @@ static void sc_usage(void)
        BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
        BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
+#endif
        BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
        BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
@@ -807,7 +809,7 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-ssl2") == 0)
                        meth=SSLv2_client_method();
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
                else if (strcmp(*argv,"-ssl3") == 0)
                        meth=SSLv3_client_method();
 #endif
index fe7ad88..4ff30d8 100644 (file)
@@ -515,7 +515,9 @@ static void sv_usage(void)
        BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+#endif
        BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
        BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
@@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[])
                else if (strcmp(*argv,"-ssl2") == 0)
                        { meth=SSLv2_server_method(); }
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
                else if (strcmp(*argv,"-ssl3") == 0)
                        { meth=SSLv3_server_method(); }
 #endif
index 1e691b9..403b684 100644 (file)
 #include <openssl/engine.h>
 #endif
 
-static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_client_method(int ver)
        {
        if (ver == SSL3_VERSION)
@@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
                        ssl_undefined_function,
                        ssl3_connect,
                        ssl3_get_client_method)
+#endif
 
 int ssl3_connect(SSL *s)
        {
index cdddb17..4dec703 100644 (file)
@@ -60,7 +60,7 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-static const SSL_METHOD *ssl3_get_method(int ver);
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_method(int ver)
        {
        if (ver == SSL3_VERSION)
@@ -73,5 +73,4 @@ IMPLEMENT_ssl3_meth_func(SSLv3_method,
                         ssl3_accept,
                         ssl3_connect,
                         ssl3_get_method)
-
-
+#endif
index c23d987..9ac7e8a 100644 (file)
 #endif
 #include <openssl/md5.h>
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 
 static const SSL_METHOD *ssl3_get_server_method(int ver)
@@ -180,6 +181,12 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
                return(NULL);
        }
 
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+                       ssl3_accept,
+                       ssl_undefined_function,
+                       ssl3_get_server_method)
+#endif
+
 #ifndef OPENSSL_NO_SRP
 static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
        {
@@ -206,11 +213,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
        }
 #endif
 
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
-                       ssl3_accept,
-                       ssl_undefined_function,
-                       ssl3_get_server_method)
-
 int ssl3_accept(SSL *s)
        {
        BUF_MEM *buf;
index e61413c..da6b2eb 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1883,9 +1883,11 @@ const SSL_METHOD *SSLv2_server_method(void);     /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void);   /* SSLv2 */
 #endif
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void);          /* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void);   /* SSLv3 */
 const SSL_METHOD *SSLv3_client_method(void);   /* SSLv3 */
+#endif
 
 const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */
 const SSL_METHOD *SSLv23_server_method(void);  /* SSLv3 but can rollback to v2 */
index 7f2e1ae..0888956 100644 (file)
@@ -345,7 +345,7 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
        fprintf(stderr," -ssl3         - use SSLv3\n");
 #endif
 #ifndef OPENSSL_NO_TLS1
@@ -676,7 +676,7 @@ int main(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-ssl3") == 0)
                        {
-#ifdef OPENSSL_NO_SSL3
+#ifdef OPENSSL_NO_SSL3_METHOD
                        no_protocol = 1;
 #endif
                        ssl3 = 1;
index 559a683..d3f5424 100755 (executable)
@@ -1071,12 +1071,17 @@ sub do_copy_rule
        return($ret);
        }
 
+# Options picked up from the OPTIONS line in the top level Makefile
+# generated by Configure.
+
 sub read_options
        {
        # Many options are handled in a similar way. In particular
        # no-xxx sets zero or more scalars to 1.
-       # Process these using a hash containing the option name and
-       # reference to the scalars to set.
+       # Process these using the %valid_options hash containing the option
+       # name and reference to the scalars to set. In some cases the option
+       # needs no special handling and can be ignored: this is done by
+       # setting the value to 0.
 
        my %valid_options = (
                "no-rc2" => \$no_rc2,
@@ -1110,6 +1115,7 @@ sub read_options
                "gaswin" => \$gaswin,
                "no-ssl2" => \$no_ssl2,
                "no-ssl3" => \$no_ssl3,
+               "no-ssl3-method" => 0,
                "no-tlsext" => \$no_tlsext,
                "no-srp" => \$no_srp,
                "no-cms" => \$no_cms,
index 1eaa7b8..894f052 100755 (executable)
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CAPIENG",
                         # SSL v2
                         "SSL2",
+                        # SSL v3 method
+                        "SSL3_METHOD",
                         # JPAKE
                         "JPAKE",
                         # NEXTPROTONEG
@@ -141,7 +143,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp;
-my $no_unit_test;
+my $no_unit_test; my $no_ssl3_method;
 
 my $fips;
 
@@ -236,6 +238,7 @@ foreach (@ARGV, split(/ /, $options))
        elsif (/^no-ec_nistp_64_gcc_128$/)      { $no_nistp_gcc=1; }
        elsif (/^no-nextprotoneg$/)     { $no_nextprotoneg=1; }
        elsif (/^no-ssl2$/)     { $no_ssl2=1; }
+       elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
        elsif (/^no-capieng$/)  { $no_capieng=1; }
        elsif (/^no-jpake$/)    { $no_jpake=1; }
        elsif (/^no-srp$/)      { $no_srp=1; }
@@ -1208,6 +1211,7 @@ sub is_valid
                        if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
                                        { return 0; }
                        if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+                       if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
                        if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
                        if ($keyword eq "SRP" && $no_srp) { return 0; }
index dd21e95..dd1c5e8 100755 (executable)
@@ -101,9 +101,9 @@ SSLv23_server_method                    112 EXIST::FUNCTION:RSA
 SSLv2_client_method                     113    EXIST::FUNCTION:RSA,SSL2
 SSLv2_method                            114    EXIST::FUNCTION:RSA,SSL2
 SSLv2_server_method                     115    EXIST::FUNCTION:RSA,SSL2
-SSLv3_client_method                     116    EXIST::FUNCTION:
-SSLv3_method                            117    EXIST::FUNCTION:
-SSLv3_server_method                     118    EXIST::FUNCTION:
+SSLv3_client_method                     116    EXIST::FUNCTION:SSL3_METHOD
+SSLv3_method                            117    EXIST::FUNCTION:SSL3_METHOD
+SSLv3_server_method                     118    EXIST::FUNCTION:SSL3_METHOD
 d2i_SSL_SESSION                         119    EXIST::FUNCTION:
 i2d_SSL_SESSION                         120    EXIST::FUNCTION:
 BIO_f_ssl                               121    EXIST::FUNCTION:BIO