From 46e7e9acf94d9153f0b52180413c36fb3c17ea2a Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Aug 2015 16:39:13 -0700 Subject: [PATCH] disable SSLv3 by default --- configure.ac | 18 ++++++++++++++++ examples/client/client.c | 11 +++++----- examples/echoclient/echoclient.c | 4 +++- examples/echoserver/echoserver.c | 4 +++- examples/server/server.c | 4 +++- src/internal.c | 4 ++-- src/sniffer.c | 2 +- src/ssl.c | 20 +++++++++--------- tests/api.c | 6 ++++-- tests/suites.c | 35 ++++++++++++++++++++++++++++++-- 10 files changed, 83 insertions(+), 25 deletions(-) diff --git a/configure.ac b/configure.ac index 9f11a50b3..dfce641b1 100644 --- a/configure.ac +++ b/configure.ac @@ -887,6 +887,19 @@ else fi +# SSLv3 +AC_ARG_ENABLE([sslv3], + [ --enable-sslv3 Enable SSL version 3.0 (default: disabled)], + [ ENABLED_SSLV3=$enableval ], + [ ENABLED_SSLV3=no] + ) + +if test "$ENABLED_SSLV3" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3" +fi + + # STACK SIZE info for examples AC_ARG_ENABLE([stacksize], [ --enable-stacksize Enable stack size info on examples (default: disabled)], @@ -2128,6 +2141,10 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" ENABLED_OLD_TLS=no]) +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ + test "x$ENABLED_SSLV3" = "xyes"], + [AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])]) + # OPTIMIZE FLAGS if test "$GCC" = "yes" @@ -2359,6 +2376,7 @@ echo " * STUNNEL: $ENABLED_STUNNEL" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * DTLS: $ENABLED_DTLS" echo " * Old TLS Versions: $ENABLED_OLD_TLS" +echo " * SSL version 3.0: $ENABLED_SSLV3" echo " * OCSP: $ENABLED_OCSP" echo " * CRL: $ENABLED_CRL" echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" diff --git a/examples/client/client.c b/examples/client/client.c index 5838c67b9..cb9c40f33 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -525,16 +525,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef USE_WOLFSSL_MEMORY if (trackMemory) - InitMemoryTracker(); + InitMemoryTracker(); #endif switch (version) { #ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_SSLV3 case 0: method = wolfSSLv3_client_method(); break; - - + #endif + #ifndef NO_TLS case 1: method = wolfTLSv1_client_method(); @@ -544,9 +545,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) method = wolfTLSv1_1_client_method(); break; #endif /* NO_TLS */ - + #endif /* NO_OLD_TLS */ - + #ifndef NO_TLS case 3: method = wolfTLSv1_2_client_method(); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 594d146cf..bbf82ea9e 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -111,8 +111,10 @@ void echoclient_test(void* args) method = DTLSv1_2_client_method(); #elif !defined(NO_TLS) method = CyaSSLv23_client_method(); -#else +#elif defined(WOLFSSL_ALLOW_SSLV3) method = SSLv3_client_method(); +#else + #error "no valid client method type" #endif ctx = SSL_CTX_new(method); diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index db499ae08..cb512f4d8 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -132,8 +132,10 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) method = CyaDTLSv1_2_server_method(); #elif !defined(NO_TLS) method = CyaSSLv23_server_method(); -#else +#elif defined(WOLFSSL_ALLOW_SSLV3) method = CyaSSLv3_server_method(); +#else + #error "no valid server method built in" #endif ctx = CyaSSL_CTX_new(method); /* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */ diff --git a/examples/server/server.c b/examples/server/server.c index c0687a195..7f0c07d61 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -402,14 +402,16 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef USE_CYASSL_MEMORY if (trackMemory) - InitMemoryTracker(); + InitMemoryTracker(); #endif switch (version) { #ifndef NO_OLD_TLS + #ifdef WOLFSSL_ALLOW_SSLV3 case 0: method = SSLv3_server_method(); break; + #endif #ifndef NO_TLS case 1: diff --git a/src/internal.c b/src/internal.c index 3c7704a8a..bd04bdbec 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2371,7 +2371,7 @@ DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item) #endif /* WOLFSSL_DTLS */ -#ifndef NO_OLD_TLS +#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) ProtocolVersion MakeSSLv3(void) { @@ -2382,7 +2382,7 @@ ProtocolVersion MakeSSLv3(void) return pv; } -#endif /* NO_OLD_TLS */ +#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */ #ifdef WOLFSSL_DTLS diff --git a/src/sniffer.c b/src/sniffer.c index a12dafe57..9219d93ef 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1118,7 +1118,7 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port, sniffer->server = serverIp; sniffer->port = port; - sniffer->ctx = SSL_CTX_new(SSLv3_client_method()); + sniffer->ctx = SSL_CTX_new(TLSv1_client_method()); if (!sniffer->ctx) { SetError(MEMORY_STR, error, NULL, 0); #ifdef HAVE_SNI diff --git a/src/ssl.c b/src/ssl.c index 3cb82827f..2b34f41dc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1765,7 +1765,7 @@ int wolfSSL_set_group_messages(WOLFSSL* ssl) static int SetMinVersionHelper(byte* minVersion, int version) { switch (version) { -#ifndef NO_OLD_TLS +#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) case WOLFSSL_SSLV3: *minVersion = SSLv3_MINOR; break; @@ -1836,7 +1836,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) } switch (version) { -#ifndef NO_OLD_TLS +#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) case WOLFSSL_SSLV3: ssl->version = MakeSSLv3(); break; @@ -3026,16 +3026,16 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, static INLINE WOLFSSL_METHOD* cm_pick_method(void) { #ifndef NO_WOLFSSL_CLIENT - #ifdef NO_OLD_TLS - return wolfTLSv1_2_client_method(); - #else + #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) return wolfSSLv3_client_method(); + #else + return wolfTLSv1_2_client_method(); #endif #elif !defined(NO_WOLFSSL_SERVER) - #ifdef NO_OLD_TLS - return wolfTLSv1_2_server_method(); - #else + #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) return wolfSSLv3_server_method(); + #else + return wolfTLSv1_2_server_method(); #endif #else return NULL; @@ -5335,7 +5335,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) /* client only parts */ #ifndef NO_WOLFSSL_CLIENT - #ifndef NO_OLD_TLS + #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) WOLFSSL_METHOD* wolfSSLv3_client_method(void) { WOLFSSL_METHOD* method = @@ -5623,7 +5623,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) /* server only parts */ #ifndef NO_WOLFSSL_SERVER - #ifndef NO_OLD_TLS + #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) WOLFSSL_METHOD* wolfSSLv3_server_method(void) { WOLFSSL_METHOD* method = diff --git a/tests/api.c b/tests/api.c index 02d9cd9b6..a34ecebbc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -101,8 +101,10 @@ static void test_wolfSSL_Method_Allocators(void) TEST_METHOD_ALLOCATOR(a, AssertNull) #ifndef NO_OLD_TLS - TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method); - TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method); + #ifdef WOLFSSL_ALLOW_SSLV3 + TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method); + TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method); + #endif TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method); diff --git a/tests/suites.c b/tests/suites.c index 4095581e9..bd8a8da3f 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -36,7 +36,7 @@ #define MAX_COMMAND_SZ 240 #define MAX_SUITE_SZ 80 #define NOT_BUILT_IN -123 -#ifdef NO_OLD_TLS +#if defined(NO_OLD_TLS) || !defined(WOLFSSL_ALLOW_SSLV3) #define VERSION_TOO_OLD -124 #endif @@ -52,6 +52,28 @@ static char flagSep[] = " "; static char svrPort[] = "0"; +#ifndef WOLFSSL_ALLOW_SSLV3 +/* if the protocol version is sslv3 return 1, else 0 */ +static int IsSslVersion(const char* line) +{ + const char* find = "-v "; + char* begin = strstr(line, find); + + if (begin) { + int version = -1; + + begin += 3; + + version = atoi(begin); + + if (version == 0) + return 1; + } + + return 0; +} +#endif /* !WOLFSSL_ALLOW_SSLV3 */ + #ifdef NO_OLD_TLS /* if the protocol version is less than tls 1.2 return 1, else 0 */ static int IsOldTlsVersion(const char* line) @@ -71,7 +93,7 @@ static int IsOldTlsVersion(const char* line) } return 0; -} +} #endif /* NO_OLD_TLS */ @@ -168,6 +190,15 @@ static int execute_test_case(int svr_argc, char** svr_argv, return NOT_BUILT_IN; } +#ifndef WOLFSSL_ALLOW_SSLV3 + if (IsSslVersion(commandLine) == 1) { + #ifdef DEBUG_SUITE_TESTS + printf("protocol version on line %s is too old\n", commandLine); + #endif + return VERSION_TOO_OLD; + } +#endif + #ifdef NO_OLD_TLS if (IsOldTlsVersion(commandLine) == 1) { #ifdef DEBUG_SUITE_TESTS