Add no-ssl2-method

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #2341
(cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086)

diff --git a/CHANGES b/CHANGES
index b0222cfa8bc557ed6499a562f7eeb20ea9a008b2..d4e9887370c8733885851625a72301bc90275b2d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
      default.
      [Kurt Roeckx]
 
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+     [Kurt Roeckx]
+
  Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index 019d9dcf6c7f4d5c63025e0a0f6dcbef520e8bbd..73885b7ecff8e7671d820659ca65170a8b13a7b6 100644 (file)
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -57,7 +57,8 @@
  */
 
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
 # include <stdio.h>
 # include <openssl/objects.h>
 
@@ -72,10 +73,19 @@ static const SSL_METHOD *ssl2_get_method(int ver)
 
 IMPLEMENT_ssl2_meth_func(SSLv2_method,
                          ssl2_accept, ssl2_connect, ssl2_get_method)
-#else                           /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
 
 const SSL_METHOD *SSLv2_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
 
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
 #endif

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 06eb6616524a15d3ee86b687d9bb6b3bfe9effa9..d6c475c27c08e144095f374dd04ad01fed39a336 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2017,9 +2017,11 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+# endif
 
 # ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */

diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index e5fe37c426f61bd55161685ba37286095d93f2f3..02dc0106da6453ac7ad7a4a2c6b698be28323407 100755 (executable)
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -1115,6 +1115,7 @@ sub read_options
                "nw-mwasm" => \$nw_mwasm,
                "gaswin" => \$gaswin,
                "no-ssl2" => \$no_ssl2,
+               "no-ssl2-method" => 0,
                "no-ssl3" => \$no_ssl3,
                "no-ssl3-method" => 0,
                "no-tlsext" => \$no_tlsext,

diff --git a/util/mkdef.pl b/util/mkdef.pl
index 894f0529fc475e83bf3168b4e970c7c605bbe65c..0b97aa4dbe94570818758e1badf023c5a9b4a5b6 100755 (executable)
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CAPIENG",
                         # SSL v2
                         "SSL2",
+                        # SSL v2 method
+                        "SSL2_METHOD",
                         # SSL v3 method
                         "SSL3_METHOD",
                         # JPAKE
@@ -143,7 +145,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp;
-my $no_unit_test; my $no_ssl3_method;
+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
 
 my $fips;
 
@@ -238,6 +240,7 @@ foreach (@ARGV, split(/ /, $options))
        elsif (/^no-ec_nistp_64_gcc_128$/)      { $no_nistp_gcc=1; }
        elsif (/^no-nextprotoneg$/)     { $no_nextprotoneg=1; }
        elsif (/^no-ssl2$/)     { $no_ssl2=1; }
+       elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
        elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
        elsif (/^no-capieng$/)  { $no_capieng=1; }
        elsif (/^no-jpake$/)    { $no_jpake=1; }
@@ -1211,6 +1214,7 @@ sub is_valid
                        if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
                                        { return 0; }
                        if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+                       if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { return 0; }
                        if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
                        if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
                        if ($keyword eq "JPAKE" && $no_jpake) { return 0; }

diff --git a/util/ssleay.num b/util/ssleay.num
index dd1c5e88239e3a734e44f2b115d394f76c9fdeec..dd5811a905df0ee34cbbdb0e58f0f4003b569231 100755 (executable)
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms               109   NOEXIST::FUNCTION:
 SSLv23_client_method                    110    EXIST::FUNCTION:RSA
 SSLv23_method                           111    EXIST::FUNCTION:RSA
 SSLv23_server_method                    112    EXIST::FUNCTION:RSA
-SSLv2_client_method                     113    EXIST::FUNCTION:RSA,SSL2
-SSLv2_method                            114    EXIST::FUNCTION:RSA,SSL2
-SSLv2_server_method                     115    EXIST::FUNCTION:RSA,SSL2
+SSLv2_client_method                     113    EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_method                            114    EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_server_method                     115    EXIST::FUNCTION:RSA,SSL2_METHOD
 SSLv3_client_method                     116    EXIST::FUNCTION:SSL3_METHOD
 SSLv3_method                            117    EXIST::FUNCTION:SSL3_METHOD
 SSLv3_server_method                     118    EXIST::FUNCTION:SSL3_METHOD