authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-20 15:01:49 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-20 15:02:54 +0200
commitac1f960d4ac4345b5ec2f766cdc69e47632136d6 (patch)
tree050d8db7a8cfbe6614a32e3862768bcfdfca9d62
parent369a364007a141c73831e95b60be4cd81eec0d63 (diff)
downloadgnutls-ac1f960d4ac4345b5ec2f766cdc69e47632136d6.tar.gz
Allow for conditional compilation of SSL 2.0 client hello support
This allows SSL 2.0 support to be removed completely by calling configure with the '--disable-ssl2-support' option. Relates #97
-rw-r--r--configure.ac3
-rw-r--r--lib/buffers.c10
-rw-r--r--lib/debug.c2
-rw-r--r--lib/handshake.c2
-rw-r--r--lib/record.c14
-rw-r--r--lib/sslv2_compat.c2
-rw-r--r--m4/hooks.m415
7 files changed, 43 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac
index 6ab9cdcbf7..ff47b6289a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -942,7 +942,8 @@ AC_MSG_NOTICE([Optional features:
(note that included applications might not compile properly
if features are disabled)
- SSL3 support: $ac_enable_ssl3
+ SSL3.0 support: $ac_enable_ssl3
+ SSL2.0 client hello: $ac_enable_ssl2
DTLS-SRTP support: $ac_enable_srtp
ALPN support: $ac_enable_alpn
OCSP support: $ac_enable_ocsp
diff --git a/lib/buffers.c b/lib/buffers.c
index e43a0c4b5d..f0faa709ae 100644
--- a/lib/buffers.c
+++ b/lib/buffers.c
@@ -887,6 +887,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
dataptr = _mbuffer_get_udata_ptr(bufel);
/* if reading a client hello of SSLv2 */
+#ifdef ENABLE_SSL2
if (unlikely
(!IS_DTLS(session)
&& bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)) {
@@ -903,7 +904,9 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel,
hsk->sequence = 0;
hsk->start_offset = 0;
hsk->end_offset = hsk->length;
- } else { /* TLS or DTLS handshake headers */
+ } else
+#endif
+ { /* TLS or DTLS handshake headers */
hsk->htype = dataptr[0];
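Review bot: The `} else` / `#endif` / `{` sequence leaves a bare `{` on the line after `#endif` when ENABLE_SSL2 is not defined, so a reader of that configuration sees an orphan compound statement with no visible condition; the existing comment on that line only names the TLS/DTLS case. A one-line comment would make the construct self-explaining: `{ /* TLS or DTLS handshake headers; the SSLv2 branch above is compiled out without ENABLE_SSL2 */`. The same pattern appears twice in lib/record.c (the `} else` before `/* dtls version 1.0 and TLS version 1.x */` and the `} else` after `decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2;`) and would benefit from the same comment. parse_handshake_header starts before this hunk and continues past it.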
@@ -1075,7 +1078,10 @@ inline static int cmp_hsk_types(gnutls_handshake_description_t expected,
gnutls_handshake_description_t recvd)
{
if ((expected != GNUTLS_HANDSHAKE_CLIENT_HELLO
- || recvd != GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
+#ifdef ENABLE_SSL2
+ || recvd != GNUTLS_HANDSHAKE_CLIENT_HELLO_V2
+#endif
+ )
&& (expected != recvd))
return 0;
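Review bot: With ENABLE_SSL2 undefined the first parenthesised term collapses to `(expected != GNUTLS_HANDSHAKE_CLIENT_HELLO)`, so whenever the caller expects a client hello the `return 0` is unreachable and any received handshake type is reported as a match; the original code only accepted the SSLv2 hello as a substitute, never an arbitrary type. Since the enum value and the SSL2 code path are gone in that build, the condition should keep the strict `expected != recvd` test and carry only the V2 exemption under the ifdef, as below. The tail of cmp_hsk_types (presumably the non-zero success return) lies outside the hunk and stays as is.
```c
inline static int cmp_hsk_types(gnutls_handshake_description_t expected,
				gnutls_handshake_description_t recvd)
{
#ifdef ENABLE_SSL2
	/* an SSLv2 client hello satisfies a caller waiting for a client hello */
	if (expected == GNUTLS_HANDSHAKE_CLIENT_HELLO
	    && recvd == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
		return 1;
#endif
	if (expected != recvd)
		return 0;
	/* … unchanged: remainder of cmp_hsk_types … */
```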
diff --git a/lib/debug.c b/lib/debug.c
index 6ab12c6943..252f2470a6 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -90,9 +90,11 @@ const char
case GNUTLS_HANDSHAKE_CLIENT_HELLO:
return "CLIENT HELLO";
break;
+#ifdef ENABLE_SSL2
case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
return "SSL2 CLIENT HELLO";
break;
+#endif
case GNUTLS_HANDSHAKE_SERVER_HELLO:
return "SERVER HELLO";
break;
diff --git a/lib/handshake.c b/lib/handshake.c
index 0f65a67c2c..965698e3ca 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -1469,12 +1469,14 @@ _gnutls_recv_handshake(gnutls_session_t session,
case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
case GNUTLS_HANDSHAKE_CLIENT_HELLO:
case GNUTLS_HANDSHAKE_SERVER_HELLO:
+#ifdef ENABLE_SSL2
if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
ret =
_gnutls_read_client_hello_v2(session,
hsk.data.data,
hsk.data.length);
else
+#endif
ret =
recv_hello(session, hsk.data.data,
hsk.data.length);
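Review bot: The `case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:` label at the top of this hunk stays compiled when ENABLE_SSL2 is undefined, so a V2 handshake type, should one ever be set, is routed to `recv_hello()` instead of whatever the switch does for unhandled types (that default handling is outside the hunk). lib/debug.c in this same commit guards its V2 case, so for consistency the label here should be guarded too: `#ifdef ENABLE_SSL2` / `case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:` / `#endif`. _gnutls_recv_handshake starts before this hunk and continues past it.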
diff --git a/lib/record.c b/lib/record.c
index aae1a1443a..ad60967662 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -61,7 +61,9 @@ struct tls_record_st {
uint16_t packet_size; /* header_size + length */
content_type_t type;
uint16_t epoch; /* valid in DTLS only */
+#ifdef ENABLE_SSL2
unsigned v2:1; /* whether an SSLv2 client hello */
+#endif
/* the data */
};
@@ -948,6 +950,7 @@ record_read_headers(gnutls_session_t session,
* version 2 message
*/
+#ifdef ENABLE_SSL2
if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO
&& type == GNUTLS_HANDSHAKE && headers[0] > 127
&& !(IS_DTLS(session))) {
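Review bot: The `#ifdef ENABLE_SSL2` is placed below the explanatory comment that ends with `* version 2 message` / `*/`, so in a build without SSL2 the comment describes a check that no longer exists. Moving the `#ifdef` above the comment's opening line (which lies outside this hunk) keeps the explanation and the code it explains together. record_read_headers starts before this hunk and continues past it.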
@@ -977,9 +980,13 @@ record_read_headers(gnutls_session_t session,
session, _gnutls_packet2str(record->type),
record->length);
- } else {
+ } else
+#endif
+ {
/* dtls version 1.0 and TLS version 1.x */
+#ifdef ENABLE_SSL2
record->v2 = 0;
+#endif
record->type = headers[0];
record->version[0] = headers[1];
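Review bot: With ENABLE_SSL2 undefined, a record whose first header byte is above 127, which the guarded branch used to treat as an SSLv2 client hello, now reaches this unconditional block and is stored verbatim via `record->type = headers[0];`. The hunk does not show where an unrecognised content type is rejected, so it would be worth confirming that the later type check still fails such records cleanly rather than relying on the removed branch, and noting it here: `/* without ENABLE_SSL2, SSLv2-style headers (headers[0] > 127) land here and must be rejected by the content-type check below */`. record_read_headers continues past the end of this hunk.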
@@ -1290,9 +1297,12 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type,
goto begin;
}
+#ifdef ENABLE_SSL2
if (record.v2) {
decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2;
- } else {
+ } else
+#endif
+ {
uint8_t *p = _mbuffer_get_udata_ptr(decrypted);
decrypted->htype = p[0];
}
diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
index f742a098d8..f85fb8c163 100644
--- a/lib/sslv2_compat.c
+++ b/lib/sslv2_compat.c
@@ -41,6 +41,7 @@
#include "sslv2_compat.h"
#include "constate.h"
+#ifdef ENABLE_SSL2
/* This selects the best supported ciphersuite from the ones provided */
static int
_gnutls_handshake_select_v2_suite(gnutls_session_t session,
@@ -254,3 +255,4 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
return sret;
}
+#endif
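Review bot: The closing `#endif` on the last line sits roughly two hundred lines from its `#ifdef ENABLE_SSL2` and carries no marker, so a reader at the bottom of the file cannot tell which condition it closes; the usual fix is `#endif /* ENABLE_SSL2 */`. The diffstat lists no Makefile.am change, so in a build without SSL2 this translation unit is still compiled to an object holding only the included headers, which is valid C but worth a one-line comment next to the `#ifdef` explaining that the whole file is intentionally empty in that configuration.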
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index 9d057951d9..08499cdcd9 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -155,6 +155,21 @@ LIBTASN1_MINIMUM=4.3
fi
AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl3" != "no")
+ ac_enable_ssl2=yes
+ AC_MSG_CHECKING([whether to disable the SSL 2.0 client hello])
+ AC_ARG_ENABLE(ssl2-support,
+ AS_HELP_STRING([--disable-ssl2-support],
+ [disable support for the SSL 2.0 client hello]),
+ ac_enable_ssl2=$enableval)
+ if test x$ac_enable_ssl2 != xno; then
+ AC_MSG_RESULT(no)
+ AC_DEFINE([ENABLE_SSL2], 1, [enable SSL2.0 support for client hello])
+ else
+ ac_full=0
+ AC_MSG_RESULT(yes)
+ fi
+ AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl2" != "no")
+
ac_enable_srtp=yes
AC_MSG_CHECKING([whether to disable DTLS-SRTP extension])
AC_ARG_ENABLE(dtls-srtp-support,
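Review bot: The new `AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl2" != "no")` line reuses the ENABLE_SSL3 conditional name, which is already defined a few lines above from `$ac_enable_ssl3`; at best it overwrites the SSL3 automake conditional with the SSL2 answer, and automake may reject the duplicate definition outright. The line should read `AM_CONDITIONAL(ENABLE_SSL2, test "$ac_enable_ssl2" != "no")`. The `ac_full=0` assignment in the disabled branch appears to mirror the surrounding feature blocks, but its effect is not visible in this hunk.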