The branch OpenSSL_1_0_2-stable has been updated
via 4256957570a233ed4e9840353e95e623dfd62086 (commit)
from e76f48539109829819aabc03953cf2cfd4612961 (commit)
- Log -----------------------------------------------------------------
commit 4256957570a233ed4e9840353e95e623dfd62086
Author: Kurt Roeckx <[email protected]>
Date: Wed Mar 9 18:10:52 2016 +0100
Add no-ssl2-method
Reviewed-by: Viktor Dukhovni <[email protected]>
MR: #2341
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 4 ++++
ssl/s2_meth.c | 14 ++++++++++++--
ssl/ssl.h | 2 ++
util/mk1mf.pl | 1 +
util/mkdef.pl | 6 +++++-
util/ssleay.num | 6 +++---
6 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index d0bc834..4e118e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
default.
[Kurt Roeckx]
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index 019d9dc..73885b7 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -57,7 +57,8 @@
*/
#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
# include <stdio.h>
# include <openssl/objects.h>
@@ -72,10 +73,19 @@ static const SSL_METHOD *ssl2_get_method(int ver)
IMPLEMENT_ssl2_meth_func(SSLv2_method,
ssl2_accept, ssl2_connect, ssl2_get_method)
-#else /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
const SSL_METHOD *SSLv2_method(void) { return NULL; }
const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
#endif
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 2e84b95..5ef56fa 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2345,9 +2345,11 @@ const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+# endif
# ifndef OPENSSL_NO_SSL3_METHOD
const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 2629a1c..9029c51 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -1198,6 +1198,7 @@ sub read_options
"nw-mwasm" => \$nw_mwasm,
"gaswin" => \$gaswin,
"no-ssl2" => \$no_ssl2,
+ "no-ssl2-method" => 0,
"no-ssl3" => \$no_ssl3,
"no-ssl3-method" => 0,
"no-tlsext" => \$no_tlsext,
diff --git a/util/mkdef.pl b/util/mkdef.pl
index c57c7f7..b9b159a 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA",
"DES", "BF",
"CAPIENG",
# SSL v2
"SSL2",
+ # SSL v2 method
+ "SSL2_METHOD",
# SSL v3 method
"SSL3_METHOD",
# JPAKE
@@ -145,7 +147,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my
$no_deprecated;
my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc;
my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
-my $no_unit_test; my $no_ssl3_method;
+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
my $fips;
@@ -240,6 +242,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
elsif (/^no-ssl2$/) { $no_ssl2=1; }
+ elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
elsif (/^no-ssl-trace$/) { $no_ssl_trace=1; }
elsif (/^no-capieng$/) { $no_capieng=1; }
@@ -1215,6 +1218,7 @@ sub is_valid
if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
{ return 0; }
if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+ if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) {
return 0; }
if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) {
return 0; }
if ($keyword eq "SSL_TRACE" && $no_ssl_trace) { return
0; }
if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
diff --git a/util/ssleay.num b/util/ssleay.num
index 5a89913..5760bc4 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms 109
NOEXIST::FUNCTION:
SSLv23_client_method 110 EXIST::FUNCTION:RSA
SSLv23_method 111 EXIST::FUNCTION:RSA
SSLv23_server_method 112 EXIST::FUNCTION:RSA
-SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2
-SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2
-SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2
+SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2_METHOD
SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD
SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD
SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
