author | 2015-08-27 06:21:15 +0000 | |
---|---|---|
committer | 2015-08-27 06:21:15 +0000 | |
commit | ad8a4f4defc760164e2271b0a43a8d6331a93eaa (patch) | |
tree | 8dde52e8d47e15300a875fc3b4082d02fa829386 /lib/libssl/src | |
parent | simple sizes for free() (diff) | |
Remove SSLv3 support from LibreSSL.
This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.
Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.
ok jsing@, beck@
Diffstat (limited to 'lib/libssl/src')
-rw-r--r-- | lib/libssl/src/crypto/opensslfeatures.h | 2 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s23_clnt.c | 18 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s23_meth.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s23_srvr.c | 25 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s3_clnt.c | 16 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s3_lib.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s3_meth.c | 16 | ||||
-rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 16 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl.h | 6 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 7 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_sess.c | 3 |
11 files changed, 19 insertions, 98 deletions
diff --git a/lib/libssl/src/crypto/opensslfeatures.h b/lib/libssl/src/crypto/opensslfeatures.h
index 45848c5a357..6b6784754dd 100644
--- a/lib/libssl/src/crypto/opensslfeatures.h
+++ b/lib/libssl/src/crypto/opensslfeatures.h
@@ -15,6 +15,8 @@
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP
 # define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
 # define OPENSSL_NO_STORE
 # define OPENSSL_NO_BUF_FREELISTS
 # define OPENSSL_NO_HEARTBEATS
diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c
index 458eb37d5f2..a99a7691bd4 100644
--- a/lib/libssl/src/ssl/s23_clnt.c
+++ b/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
 static const SSL_METHOD *
 ssl23_get_client_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_client_method());
 if (ver == TLS1_VERSION)
 return (TLSv1_client_method());
 if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
 * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
 * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
 */
- mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+ mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
 version = TLS1_2_VERSION;

 if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
 if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
 version = TLS1_VERSION;
 mask &= ~SSL_OP_NO_TLSv1;
- if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
- version = SSL3_VERSION;
- mask &= ~SSL_OP_NO_SSLv3;

 buf = (unsigned char *)s->init_buf->data;
 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
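Review bot: In the @@ -331 hunk of s23_clnt.c the comment kept directly above the new `mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;` still gives `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` as the option set that disables everything below TLS 1.1, so the explanation no longer matches the mask it documents; drop `SSL_OP_NO_SSLv3` from that example when the SSLv3 term is removed from the mask. In the following @@ -340 hunk, `mask &= ~SSL_OP_NO_TLSv1;` is now the last statement that touches `mask` before the deleted SSLv3 step, so it looks like a leftover unless `mask` is read later in ssl23_client_hello; either remove it or leave a one-line comment naming the later use. The body of ssl23_client_hello continues outside both hunks, so this is inferred from the visible lines only.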
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
 } else if (version == TLS1_VERSION) {
 version_major = TLS1_VERSION_MAJOR;
 version_minor = TLS1_VERSION_MINOR;
- } else if (version == SSL3_VERSION) {
- version_major = SSL3_VERSION_MAJOR;
- version_minor = SSL3_VERSION_MINOR;
 } else {
 SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
 return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
 (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
 /* we have sslv3 or tls1 (server hello or alert) */

- if ((p[2] == SSL3_VERSION_MINOR) &&
- !(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- s->method = SSLv3_client_method();
- } else if ((p[2] == TLS1_VERSION_MINOR) &&
+ if ((p[2] == TLS1_VERSION_MINOR) &&
 !(s->options & SSL_OP_NO_TLSv1)) {
 s->version = TLS1_VERSION;
 s->method = TLSv1_client_method();
diff --git a/lib/libssl/src/ssl/s23_meth.c b/lib/libssl/src/ssl/s23_meth.c
index 04152eda413..acc8315b911 100644
--- a/lib/libssl/src/ssl/s23_meth.c
+++ b/lib/libssl/src/ssl/s23_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_meth.c,v 1.19 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_meth.c,v 1.20 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -106,8 +106,6 @@ SSLv23_method(void)
 static const SSL_METHOD *
 ssl23_get_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_method());
 if (ver == TLS1_VERSION)
 return (TLSv1_method());
 if (ver == TLS1_1_VERSION)
diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c
index b5241246811..7b2107680e7 100644
--- a/lib/libssl/src/ssl/s23_srvr.c
+++ b/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_server_method());
 if (ver == TLS1_VERSION)
 return (TLSv1_server_method());
 if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
 /* type=2; */ /* done later to survive restarts */
 s->state = SSL23_ST_SR_CLNT_HELLO_B;
 } else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- /* type=2; */
- s->state = SSL23_ST_SR_CLNT_HELLO_B;
+ type = 1;
 } else if (!(s->options & SSL_OP_NO_SSLv2)) {
 type = 1;
 }
 } else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- /* type=2; */
- s->state = SSL23_ST_SR_CLNT_HELLO_B;
+ type = 1;
 } else if (!(s->options & SSL_OP_NO_SSLv2))
 type = 1;

@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
 } else if (!(s->options & SSL_OP_NO_TLSv1)) {
 s->version = TLS1_VERSION;
 type = 3;
- } else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- type = 3;
 }
 } else {
- /* client requests SSL 3.0 */
- if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- type = 3;
- } else if (!(s->options & SSL_OP_NO_TLSv1)) {
+ if (!(s->options & SSL_OP_NO_TLSv1)) {
 /* we won't be able to use TLS of course,
 * but this will send an appropriate alert */
 s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
 s->method = TLSv1_2_server_method();
 else if (s->version == TLS1_1_VERSION)
 s->method = TLSv1_1_server_method();
- else if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
 else
- s->method = SSLv3_server_method();
+ s->method = TLSv1_server_method();
 s->handshake_func = s->method->ssl_accept;
 }

diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index b739711732b..30f679eac35 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
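Review bot: In the @@ -357 hunk of s23_srvr.c both `else if (!(s->options & SSL_OP_NO_SSLv3))` branches now have exactly the body of the `SSL_OP_NO_SSLv2` branch that follows them (`type = 1;`), so the SSLv3 option test only selects between two identical branches. Either fold the SSLv3 case into the SSLv2 one or leave a comment on each such as `/* no SSLv3: handle like an SSLv2 hello */` so the next reader does not assume the two cases differ. What `type = 1` leads to is not visible here, since ssl23_get_client_hello continues outside the hunk, so confirm the merged path against the rest of the function.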
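Review bot: In the @@ -587 hunk of s23_srvr.c the trailing `else` now assigns `TLSv1_server_method()` for every `s->version` other than TLS1_2_VERSION and TLS1_1_VERSION, whereas the old code matched `TLS1_VERSION` explicitly before falling back. If any path this first wave does not yet touch can still leave `s->version` at another value, the server would proceed with the TLSv1 method table under a mismatched version instead of failing. Restoring `else if (s->version == TLS1_VERSION)` and making the final `else` an error return keeps the version/method pairing explicit and fails closed; the function body continues outside the hunk.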
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,12 +170,6 @@

 #include "bytestring.h"

-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
- "SSLv3_client_method() enables the use of insecure protocols");
-#endif
-
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);

@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };

-const SSL_METHOD *
-SSLv3_client_method(void)
-{
- return &SSLv3_client_method_data;
-}
-
 static const SSL_METHOD *
 ssl3_get_client_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_client_method());
 return (NULL);
 }

diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c
index c8bdac0214b..42396a21e9d 100644
--- a/lib/libssl/src/ssl/s3_lib.c
+++ b/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
 s->s3->total_renegotiations = 0;
 s->s3->num_renegotiations = 0;
 s->s3->in_read_app_data = 0;
- s->version = SSL3_VERSION;
+ s->version = TLS1_VERSION;

 free(s->next_proto_negotiated);
 s->next_proto_negotiated = NULL;
diff --git a/lib/libssl/src/ssl/s3_meth.c b/lib/libssl/src/ssl/s3_meth.c
index c5f043e944a..43fcbd4ade5 100644
--- a/lib/libssl/src/ssl/s3_meth.c
+++ b/lib/libssl/src/ssl/s3_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_meth.c,v 1.15 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
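Review bot: In the @@ -211 hunk of s3_clnt.c, `ssl3_get_client_method()` now ignores `ver` and unconditionally returns NULL, while `SSLv3_client_method_data` (the hunk's context line) is still a non-static `const SSL_METHOD` definition, so the SSLv3 method table stays linkable even though the only accessor that returned it is gone. If it must remain until the follow-up removals because ssl3_* internals reference it, a comment above the definition such as `/* kept for ssl3_* internals only; not a supported protocol entry point */` would stop it being treated as a usable method; if nothing outside the file needs it, `static` narrows what the library exports. The same pattern appears in s3_meth.c (`SSLv3_method_data` / `ssl3_get_method()`) and s3_srvr.c (`SSLv3_server_method_data` / `ssl3_get_server_method()`), so whichever choice is made should be applied to all three.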
@@ -62,12 +62,6 @@

 #include "ssl_locl.h"

-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_method,
- "SSLv3_method() enables the use of insecure protocols");
-#endif
-
 static const SSL_METHOD *ssl3_get_method(int ver);

 const SSL_METHOD SSLv3_method_data = {
@@ -102,16 +96,8 @@ const SSL_METHOD SSLv3_method_data = {
 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };

-const SSL_METHOD *
-SSLv3_method(void)
-{
- return &SSLv3_method_data;
-}
-
 static const SSL_METHOD *
 ssl3_get_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_method());
 return (NULL);
 }
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 7d2ec4d1328..5574884b896 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -166,12 +166,6 @@

 #include "bytestring.h"

-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
- "SSLv3_server_method() enables the use of insecure protocols");
-#endif
-
 static const SSL_METHOD *ssl3_get_server_method(int ver);

 const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };

-const SSL_METHOD *
-SSLv3_server_method(void)
-{
- return &SSLv3_server_method_data;
-}
-
 static const SSL_METHOD *
 ssl3_get_server_method(int ver)
 {
- if (ver == SSL3_VERSION)
- return (SSLv3_server_method());
 return (NULL);
 }

diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 0cd220778b9..e7873f5ed49 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);

-const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
-
 const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index 629ad035542..a93c16de65a 100644
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
 return (SSL_TXT_DTLS1_BAD);
 case DTLS1_VERSION:
 return (SSL_TXT_DTLS1);
- case SSL3_VERSION:
- return (SSL_TXT_SSLV3);
 case TLS1_VERSION:
 return (SSL_TXT_TLSV1);
 case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
 if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
 max_version >= TLS1_VERSION)
 return (TLS1_VERSION);
- if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
- max_version >= SSL3_VERSION)
- return (SSL3_VERSION);

 return (0);
 }
diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c
index ef5b9be56d1..a688b9ef410 100644
--- a/lib/libssl/src/ssl/ssl_sess.c
+++ b/lib/libssl/src/ssl/ssl_sess.c
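Review bot: In the @@ -1676 hunk of ssl.h the three retained declarations `SSLv23_method()`, `SSLv23_server_method()` and `SSLv23_client_method()` still carry the comment `/* SSLv3 or TLSv1.* */`, which is now misleading public-API documentation since this change removes the SSLv3 negotiation path those methods used. Changing the trailing comment on those three lines to `/* TLSv1.* */` keeps the header consistent with the `SSLv3_*` prototypes deleted directly above them.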
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)

 if (session) {
 switch (s->version) {
- case SSL3_VERSION:
 case TLS1_VERSION:
 case TLS1_1_VERSION:
 case TLS1_2_VERSION: