disable SSLv3 by default

2025-08-03 04:34:41 +02:00 · 2015-08-12 16:39:13 -07:00
parent ffa75d40e0
commit 46e7e9acf9
10 changed files with 83 additions and 25 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -887,6 +887,19 @@ else
 fi


+# SSLv3
+AC_ARG_ENABLE([sslv3],
+    [  --enable-sslv3         Enable SSL version 3.0 (default: disabled)],
+    [ ENABLED_SSLV3=$enableval ],
+    [ ENABLED_SSLV3=no]
+    )
+
+if test "$ENABLED_SSLV3" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3"
+fi
+
+
 # STACK SIZE info for examples
 AC_ARG_ENABLE([stacksize],
    [  --enable-stacksize      Enable stack size info on examples (default: disabled)],
@@ -2128,6 +2141,10 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
      [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
       ENABLED_OLD_TLS=no])

+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
+       test "x$ENABLED_SSLV3" = "xyes"],
+      [AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])])
+

 # OPTIMIZE FLAGS
 if test "$GCC" = "yes"
@@ -2359,6 +2376,7 @@ echo "   * STUNNEL:                   $ENABLED_STUNNEL"
 echo "   * ERROR_STRINGS:             $ENABLED_ERROR_STRINGS"
 echo "   * DTLS:                      $ENABLED_DTLS"
 echo "   * Old TLS Versions:          $ENABLED_OLD_TLS"
+echo "   * SSL version 3.0:           $ENABLED_SSLV3"
 echo "   * OCSP:                      $ENABLED_OCSP"
 echo "   * CRL:                       $ENABLED_CRL"
 echo "   * CRL-MONITOR:               $ENABLED_CRL_MONITOR"
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -525,16 +525,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)

 #ifdef USE_WOLFSSL_MEMORY
    if (trackMemory)
-        InitMemoryTracker(); 
+        InitMemoryTracker();
 #endif

    switch (version) {
 #ifndef NO_OLD_TLS
+    #ifdef WOLFSSL_ALLOW_SSLV3
        case 0:
            method = wolfSSLv3_client_method();
            break;
-                
-                
+    #endif
+
    #ifndef NO_TLS
        case 1:
            method = wolfTLSv1_client_method();
@@ -544,9 +545,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
            method = wolfTLSv1_1_client_method();
            break;
    #endif /* NO_TLS */
-                
+
 #endif  /* NO_OLD_TLS */
-                
+
 #ifndef NO_TLS
        case 3:
            method = wolfTLSv1_2_client_method();
--- a/examples/echoclient/echoclient.c
+++ b/examples/echoclient/echoclient.c
@@ -111,8 +111,10 @@ void echoclient_test(void* args)
    method  = DTLSv1_2_client_method();
 #elif  !defined(NO_TLS)
    method = CyaSSLv23_client_method();
-#else
+#elif defined(WOLFSSL_ALLOW_SSLV3)
    method = SSLv3_client_method();
+#else
+    #error "no valid client method type"
 #endif
    ctx    = SSL_CTX_new(method);

--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -132,8 +132,10 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
    method  = CyaDTLSv1_2_server_method();
 #elif  !defined(NO_TLS)
    method = CyaSSLv23_server_method();
-#else
+#elif defined(WOLFSSL_ALLOW_SSLV3)
    method = CyaSSLv3_server_method();
+#else
+    #error "no valid server method built in"
 #endif
    ctx    = CyaSSL_CTX_new(method);
    /* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -402,14 +402,16 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)

 #ifdef USE_CYASSL_MEMORY
    if (trackMemory)
-        InitMemoryTracker(); 
+        InitMemoryTracker();
 #endif

    switch (version) {
 #ifndef NO_OLD_TLS
+    #ifdef WOLFSSL_ALLOW_SSLV3
        case 0:
            method = SSLv3_server_method();
            break;
+    #endif

    #ifndef NO_TLS
        case 1:
--- a/src/internal.c
+++ b/src/internal.c
@@ -2371,7 +2371,7 @@ DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)

 #endif /* WOLFSSL_DTLS */

-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)

 ProtocolVersion MakeSSLv3(void)
 {
@@ -2382,7 +2382,7 @@ ProtocolVersion MakeSSLv3(void)
    return pv;
 }

-#endif /* NO_OLD_TLS */
+#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */


 #ifdef WOLFSSL_DTLS
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -1118,7 +1118,7 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
        sniffer->server = serverIp;
        sniffer->port = port;

-        sniffer->ctx = SSL_CTX_new(SSLv3_client_method());
+        sniffer->ctx = SSL_CTX_new(TLSv1_client_method());
        if (!sniffer->ctx) {
            SetError(MEMORY_STR, error, NULL, 0);
 #ifdef HAVE_SNI
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1765,7 +1765,7 @@ int wolfSSL_set_group_messages(WOLFSSL* ssl)
 static int SetMinVersionHelper(byte* minVersion, int version)
 {
    switch (version) {
-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
        case WOLFSSL_SSLV3:
            *minVersion = SSLv3_MINOR;
            break;
@@ -1836,7 +1836,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
    }

    switch (version) {
-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
        case WOLFSSL_SSLV3:
            ssl->version = MakeSSLv3();
            break;
@@ -3026,16 +3026,16 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 static INLINE WOLFSSL_METHOD* cm_pick_method(void)
 {
    #ifndef NO_WOLFSSL_CLIENT
-        #ifdef NO_OLD_TLS
-            return wolfTLSv1_2_client_method();
-        #else
+        #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
            return wolfSSLv3_client_method();
+        #else
+            return wolfTLSv1_2_client_method();
        #endif
    #elif !defined(NO_WOLFSSL_SERVER)
-        #ifdef NO_OLD_TLS
-            return wolfTLSv1_2_server_method();
-        #else
+        #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
            return wolfSSLv3_server_method();
+        #else
+            return wolfTLSv1_2_server_method();
        #endif
    #else
        return NULL;
@@ -5335,7 +5335,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
 /* client only parts */
 #ifndef NO_WOLFSSL_CLIENT

-    #ifndef NO_OLD_TLS
+    #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
    WOLFSSL_METHOD* wolfSSLv3_client_method(void)
    {
        WOLFSSL_METHOD* method =
@@ -5623,7 +5623,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
 /* server only parts */
 #ifndef NO_WOLFSSL_SERVER

-    #ifndef NO_OLD_TLS
+    #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
    WOLFSSL_METHOD* wolfSSLv3_server_method(void)
    {
        WOLFSSL_METHOD* method =
--- a/tests/api.c
+++ b/tests/api.c
@@ -101,8 +101,10 @@ static void test_wolfSSL_Method_Allocators(void)
            TEST_METHOD_ALLOCATOR(a, AssertNull)

 #ifndef NO_OLD_TLS
-    TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method);
-    TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method);
+    #ifdef WOLFSSL_ALLOW_SSLV3
+        TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method);
+        TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method);
+    #endif
    TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method);
    TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method);
    TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method);
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -36,7 +36,7 @@
 #define MAX_COMMAND_SZ 240
 #define MAX_SUITE_SZ 80 
 #define NOT_BUILT_IN -123
-#ifdef NO_OLD_TLS
+#if defined(NO_OLD_TLS) || !defined(WOLFSSL_ALLOW_SSLV3)
    #define VERSION_TOO_OLD -124
 #endif

@@ -52,6 +52,28 @@ static char flagSep[] = " ";
 static char svrPort[] = "0";


+#ifndef WOLFSSL_ALLOW_SSLV3
+/* if the protocol version is sslv3 return 1, else 0 */
+static int IsSslVersion(const char* line)
+{
+    const char* find = "-v ";
+    char* begin = strstr(line, find);
+
+    if (begin) {
+        int version = -1;
+
+        begin += 3;
+
+        version = atoi(begin);
+
+        if (version == 0)
+            return 1;
+    }
+
+    return 0;
+}
+#endif /* !WOLFSSL_ALLOW_SSLV3 */
+
 #ifdef NO_OLD_TLS
 /* if the protocol version is less than tls 1.2 return 1, else 0 */
 static int IsOldTlsVersion(const char* line)
@@ -71,7 +93,7 @@ static int IsOldTlsVersion(const char* line)
    }

    return 0;
-} 
+}
 #endif /* NO_OLD_TLS */


@@ -168,6 +190,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
        return NOT_BUILT_IN;
    }

+#ifndef WOLFSSL_ALLOW_SSLV3
+    if (IsSslVersion(commandLine) == 1) {
+        #ifdef DEBUG_SUITE_TESTS
+            printf("protocol version on line %s is too old\n", commandLine);
+        #endif
+        return VERSION_TOO_OLD;
+    }
+#endif
+
 #ifdef NO_OLD_TLS
    if (IsOldTlsVersion(commandLine) == 1) {
        #ifdef DEBUG_SUITE_TESTS