wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 20:54:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

disable SSLv3 by default

Browse Source
This commit is contained in:
toddouska
2015-08-12 16:39:13 -07:00
parent ffa75d40e0
commit 46e7e9acf9
10 changed files with 83 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
configure.ac
View File

@@ -887,6 +887,19 @@ else
fi fi
# SSLv3
AC_ARG_ENABLE([sslv3],
[ --enable-sslv3 Enable SSL version 3.0 (default: disabled)],
[ ENABLED_SSLV3=$enableval ],
[ ENABLED_SSLV3=no]
)
if test "$ENABLED_SSLV3" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3"
fi
# STACK SIZE info for examples # STACK SIZE info for examples
AC_ARG_ENABLE([stacksize], AC_ARG_ENABLE([stacksize],
[ --enable-stacksize Enable stack size info on examples (default: disabled)], [ --enable-stacksize Enable stack size info on examples (default: disabled)],
@@ -2128,6 +2141,10 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
[AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
ENABLED_OLD_TLS=no]) ENABLED_OLD_TLS=no])
AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
test "x$ENABLED_SSLV3" = "xyes"],
[AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])])
# OPTIMIZE FLAGS # OPTIMIZE FLAGS
if test "$GCC" = "yes" if test "$GCC" = "yes"
@@ -2359,6 +2376,7 @@ echo " * STUNNEL: $ENABLED_STUNNEL"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS" echo " * DTLS: $ENABLED_DTLS"
echo " * Old TLS Versions: $ENABLED_OLD_TLS" echo " * Old TLS Versions: $ENABLED_OLD_TLS"
echo " * SSL version 3.0: $ENABLED_SSLV3"
echo " * OCSP: $ENABLED_OCSP" echo " * OCSP: $ENABLED_OCSP"
echo " * CRL: $ENABLED_CRL" echo " * CRL: $ENABLED_CRL"
echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR"

11
examples/client/client.c
View File

@@ -525,16 +525,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef USE_WOLFSSL_MEMORY #ifdef USE_WOLFSSL_MEMORY
if (trackMemory) if (trackMemory)
InitMemoryTracker(); InitMemoryTracker();
#endif #endif
switch (version) { switch (version) {
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
case 0: case 0:
method = wolfSSLv3_client_method(); method = wolfSSLv3_client_method();
break; break;
#endif
#ifndef NO_TLS #ifndef NO_TLS
case 1: case 1:
method = wolfTLSv1_client_method(); method = wolfTLSv1_client_method();
@@ -544,9 +545,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
method = wolfTLSv1_1_client_method(); method = wolfTLSv1_1_client_method();
break; break;
#endif /* NO_TLS */ #endif /* NO_TLS */
#endif /* NO_OLD_TLS */ #endif /* NO_OLD_TLS */
#ifndef NO_TLS #ifndef NO_TLS
case 3: case 3:
method = wolfTLSv1_2_client_method(); method = wolfTLSv1_2_client_method();

4
examples/echoclient/echoclient.c
View File

@@ -111,8 +111,10 @@ void echoclient_test(void* args)
method = DTLSv1_2_client_method(); method = DTLSv1_2_client_method();
#elif !defined(NO_TLS) #elif !defined(NO_TLS)
method = CyaSSLv23_client_method(); method = CyaSSLv23_client_method();
#else #elif defined(WOLFSSL_ALLOW_SSLV3)
method = SSLv3_client_method(); method = SSLv3_client_method();
#else
#error "no valid client method type"
#endif #endif
ctx = SSL_CTX_new(method); ctx = SSL_CTX_new(method);

4
examples/echoserver/echoserver.c
View File

@@ -132,8 +132,10 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
method = CyaDTLSv1_2_server_method(); method = CyaDTLSv1_2_server_method();
#elif !defined(NO_TLS) #elif !defined(NO_TLS)
method = CyaSSLv23_server_method(); method = CyaSSLv23_server_method();
#else #elif defined(WOLFSSL_ALLOW_SSLV3)
method = CyaSSLv3_server_method(); method = CyaSSLv3_server_method();
#else
#error "no valid server method built in"
#endif #endif
ctx = CyaSSL_CTX_new(method); ctx = CyaSSL_CTX_new(method);
/* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */ /* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */

4
examples/server/server.c
View File

@@ -402,14 +402,16 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef USE_CYASSL_MEMORY #ifdef USE_CYASSL_MEMORY
if (trackMemory) if (trackMemory)
InitMemoryTracker(); InitMemoryTracker();
#endif #endif
switch (version) { switch (version) {
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
case 0: case 0:
method = SSLv3_server_method(); method = SSLv3_server_method();
break; break;
#endif
#ifndef NO_TLS #ifndef NO_TLS
case 1: case 1:

4
src/internal.c
View File

@@ -2371,7 +2371,7 @@ DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
#ifndef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
ProtocolVersion MakeSSLv3(void) ProtocolVersion MakeSSLv3(void)
{ {
@@ -2382,7 +2382,7 @@ ProtocolVersion MakeSSLv3(void)
return pv; return pv;
} }
#endif /* NO_OLD_TLS */ #endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS

2
src/sniffer.c
View File

@@ -1118,7 +1118,7 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
sniffer->server = serverIp; sniffer->server = serverIp;
sniffer->port = port; sniffer->port = port;
sniffer->ctx = SSL_CTX_new(SSLv3_client_method()); sniffer->ctx = SSL_CTX_new(TLSv1_client_method());
if (!sniffer->ctx) { if (!sniffer->ctx) {
SetError(MEMORY_STR, error, NULL, 0); SetError(MEMORY_STR, error, NULL, 0);
#ifdef HAVE_SNI #ifdef HAVE_SNI

20
src/ssl.c
View File

@@ -1765,7 +1765,7 @@ int wolfSSL_set_group_messages(WOLFSSL* ssl)
static int SetMinVersionHelper(byte* minVersion, int version) static int SetMinVersionHelper(byte* minVersion, int version)
{ {
switch (version) { switch (version) {
#ifndef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case WOLFSSL_SSLV3: case WOLFSSL_SSLV3:
*minVersion = SSLv3_MINOR; *minVersion = SSLv3_MINOR;
break; break;
@@ -1836,7 +1836,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
} }
switch (version) { switch (version) {
#ifndef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case WOLFSSL_SSLV3: case WOLFSSL_SSLV3:
ssl->version = MakeSSLv3(); ssl->version = MakeSSLv3();
break; break;
@@ -3026,16 +3026,16 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
static INLINE WOLFSSL_METHOD* cm_pick_method(void) static INLINE WOLFSSL_METHOD* cm_pick_method(void)
{ {
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
#ifdef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
return wolfTLSv1_2_client_method();
#else
return wolfSSLv3_client_method(); return wolfSSLv3_client_method();
#else
return wolfTLSv1_2_client_method();
#endif #endif
#elif !defined(NO_WOLFSSL_SERVER) #elif !defined(NO_WOLFSSL_SERVER)
#ifdef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
return wolfTLSv1_2_server_method();
#else
return wolfSSLv3_server_method(); return wolfSSLv3_server_method();
#else
return wolfTLSv1_2_server_method();
#endif #endif
#else #else
return NULL; return NULL;
@@ -5335,7 +5335,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
/* client only parts */ /* client only parts */
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
#ifndef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
WOLFSSL_METHOD* wolfSSLv3_client_method(void) WOLFSSL_METHOD* wolfSSLv3_client_method(void)
{ {
WOLFSSL_METHOD* method = WOLFSSL_METHOD* method =
@@ -5623,7 +5623,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
/* server only parts */ /* server only parts */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
#ifndef NO_OLD_TLS #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
WOLFSSL_METHOD* wolfSSLv3_server_method(void) WOLFSSL_METHOD* wolfSSLv3_server_method(void)
{ {
WOLFSSL_METHOD* method = WOLFSSL_METHOD* method =

6
tests/api.c
View File

@@ -101,8 +101,10 @@ static void test_wolfSSL_Method_Allocators(void)
TEST_METHOD_ALLOCATOR(a, AssertNull) TEST_METHOD_ALLOCATOR(a, AssertNull)
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS
TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method); #ifdef WOLFSSL_ALLOW_SSLV3
TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method); TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method);
TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method);
#endif
TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method);
TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method);
TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method); TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method);

35
tests/suites.c
View File

@@ -36,7 +36,7 @@
#define MAX_COMMAND_SZ 240 #define MAX_COMMAND_SZ 240
#define MAX_SUITE_SZ 80 #define MAX_SUITE_SZ 80
#define NOT_BUILT_IN -123 #define NOT_BUILT_IN -123
#ifdef NO_OLD_TLS #if defined(NO_OLD_TLS) || !defined(WOLFSSL_ALLOW_SSLV3)
#define VERSION_TOO_OLD -124 #define VERSION_TOO_OLD -124
#endif #endif
@@ -52,6 +52,28 @@ static char flagSep[] = " ";
static char svrPort[] = "0"; static char svrPort[] = "0";
#ifndef WOLFSSL_ALLOW_SSLV3
/* if the protocol version is sslv3 return 1, else 0 */
static int IsSslVersion(const char* line)
{
const char* find = "-v ";
char* begin = strstr(line, find);
if (begin) {
int version = -1;
begin += 3;
version = atoi(begin);
if (version == 0)
return 1;
}
return 0;
}
#endif /* !WOLFSSL_ALLOW_SSLV3 */
#ifdef NO_OLD_TLS #ifdef NO_OLD_TLS
/* if the protocol version is less than tls 1.2 return 1, else 0 */ /* if the protocol version is less than tls 1.2 return 1, else 0 */
static int IsOldTlsVersion(const char* line) static int IsOldTlsVersion(const char* line)
@@ -71,7 +93,7 @@ static int IsOldTlsVersion(const char* line)
} }
return 0; return 0;
} }
#endif /* NO_OLD_TLS */ #endif /* NO_OLD_TLS */
@@ -168,6 +190,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return NOT_BUILT_IN; return NOT_BUILT_IN;
} }
#ifndef WOLFSSL_ALLOW_SSLV3
if (IsSslVersion(commandLine) == 1) {
#ifdef DEBUG_SUITE_TESTS
printf("protocol version on line %s is too old\n", commandLine);
#endif
return VERSION_TOO_OLD;
}
#endif
#ifdef NO_OLD_TLS #ifdef NO_OLD_TLS
if (IsOldTlsVersion(commandLine) == 1) { if (IsOldTlsVersion(commandLine) == 1) {
#ifdef DEBUG_SUITE_TESTS #ifdef DEBUG_SUITE_TESTS