From: Ian Beckwith
Date: Thu, 10 Dec 2015 18:10:29 +0000 (+0000)
Subject: DISABLE_SSLV3 option, disables SSLv3 at compile time
X-Git-Url: http://erislabs.net/gitweb/?p=ckermit.git;a=commitdiff_plain;h=051725bc40aea63ff1e9c53fcde4803f476255c3

DISABLE_SSLV3 option, disables SSLv3 at compile time

Needed to link with debian's openssl, which has SSLv3_{client,server}_method disabled
---

diff --git a/ck_ssl.c b/ck_ssl.c
index 6df7507..cc8a4ed 100644
--- a/ck_ssl.c
+++ b/ck_ssl.c
@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
     /* This can fail because we do not have RSA available */
     if ( !ssl_ctx ) {
         debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
         ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
     }
     if ( !ssl_ctx ) {
         debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
+#endif
         last_ssl_mode = -1;
         return(0);
     }
@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
         debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
     } else {
         debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
         tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif /* DISABLE_SSLV3 */
         if ( !tls_ctx ) {
+#ifndef DISABLE_SSLV3
             debug(F110,
-                  "ssl_tn_init","TLSv1_client_method failed",0);
+                  "ssl_tn_init","SSLv3_client_method failed",0);
+#endif /* DISABLE_SSLV3 */
             debug(F110,
                   "ssl_tn_init","All SSL client methods failed",0);
             last_ssl_mode = -1;
@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
     /* This can fail because we do not have RSA available */
     if ( !ssl_ctx ) {
         debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef DISABLE_SSLV3
         ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
     }
     if ( !ssl_ctx ) {
         debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
+#endif
         last_ssl_mode = -1;
         return(0);
     }
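Review bot: The `#ifndef DISABLE_SSLV3` … `#endif` region in the -1604 hunk cuts across a `}` and the following `if ( !ssl_ctx ) {`, so the braces only balance because the closing and the opening brace are removed together; it compiles in both builds but is hard to read and easy to break on the next edit. The same behaviour can be had with each preprocessor conditional enclosing whole statements, which also keeps the SSLv3-only fallback context (a POODLE-era object when the build retains it) and its failure log in one visible place. ssl_tn_init starts before and continues after this hunk.
```c
    if ( !ssl_ctx ) {
        debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
#ifndef DISABLE_SSLV3
        /* fallback to an SSLv3-only context; compiled out when OpenSSL lacks SSLv3 */
        ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
        if ( !ssl_ctx )
            debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
#endif /* DISABLE_SSLV3 */
    }
    if ( !ssl_ctx ) {
        last_ssl_mode = -1;
        return(0);
    }
```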
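Review bot: The server-side -1651 hunk has the same brace-crossing `#ifndef DISABLE_SSLV3` block as the client one: the guarded region removes a `}` and the next `if ( !ssl_ctx ) {` together, which balances but is fragile under later edits. Moving the `SSLv3_server_method()` fallback and its `debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);` inside the first `if ( !ssl_ctx ) { … }`, and leaving the second `if` with only `last_ssl_mode = -1; return(0);`, gives identical behaviour in both builds with every conditional wrapping complete statements. ssl_tn_init continues outside this hunk.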
@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
      * that cannot read poorly written specs :-)
      * for TLS be sure to prevent use of SSLv2
      */
-    SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
+    SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
+#ifdef DISABLE_SSLV3
+                        |SSL_OP_NO_SSLv3
+#endif
+                        );
     SSL_CTX_set_options(tls_ctx,
-                        SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+                        SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                        |SSL_OP_NO_SSLv3
+#endif
+                        );

     SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
     SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
      * for TLS be sure to prevent use of SSLv2
      */
     SSL_CTX_set_options(tls_http_ctx,
-                        SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+                        SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                        |SSL_OP_NO_SSLv3
+#endif
+                        );

     SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);

diff --git a/ckcftp.c b/ckcftp.c
index 9c145f5..79139f1 100644
--- a/ckcftp.c
+++ b/ckcftp.c
@@ -10210,9 +10210,11 @@ ssl_auth() {
         if (ftp_bug_use_ssl_v2) {
             /* allow SSL 2.0 or later */
             client_method = SSLv23_client_method();
+#ifndef DISABLE_SSLV3
         } else if (ftp_bug_use_ssl_v3) {
             /* allow SSL 3.0 ONLY - previous default */
             client_method = SSLv3_client_method();
+#endif /* DISABLE_SSLV3 */
         } else {
             /* default - allow TLS 1.0 or later */
             client_method = TLSv1_client_method();
@@ -10223,6 +10225,9 @@ ssl_auth() {
             return(0);
         SSL_CTX_set_options(ssl_ftp_ctx,
                             SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
                             );
     } else {
         ssl_ftp_ctx = SSL_CTX_new(client_method);
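Review bot: `SSL_OP_NO_SSLv3` is set only under `#ifdef DISABLE_SSLV3`, so a build whose OpenSSL still exports `SSLv3_client_method()` leaves SSLv3 negotiable on `ssl_ctx` and `tls_ctx` (both apparently created from `SSLv23_client_method()`, going by the debug messages in the earlier hunks); that is the POODLE (CVE-2014-3566) exposure the Debian build flag happens to avoid rather than a property of the code. To my knowledge the option bit is defined in OpenSSL's ssl.h regardless of whether the SSLv3 method functions are compiled, so only the `SSLv3_*_method()` calls need the guard and this line can read `SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);` unconditionally, with the same treatment for `tls_ctx` here and `tls_http_ctx` in the ssl_http_init hunk. If an SSLv3-capable build is meant as an opt-in for legacy peers, that belongs in a runtime setting, not the default. ssl_tn_init continues outside this hunk.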
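Review bot: With `DISABLE_SSLV3` defined the `else if (ftp_bug_use_ssl_v3)` branch in the -10210 hunk is compiled out, so a user who has enabled that option silently gets `TLSv1_client_method()` with no indication the setting was ignored, which makes a failing legacy connection hard to diagnose. Keep the branch in both builds and log the substitution when SSLv3 is unavailable (assuming `debug()` is usable here as it is in ck_ssl.c), or better, refuse the option where it is parsed so it can never be set in such a build. ssl_auth starts before this hunk.
```c
        } else if (ftp_bug_use_ssl_v3) {
#ifndef DISABLE_SSLV3
            /* allow SSL 3.0 ONLY - previous default */
            client_method = SSLv3_client_method();
#else
            /* SSLv3 compiled out: fall back to TLS, but record the downgrade */
            debug(F110,"ssl_auth","ftp_bug_use_ssl_v3 ignored, DISABLE_SSLV3 build",0);
            client_method = TLSv1_client_method();
#endif /* DISABLE_SSLV3 */
        } else {
```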
@@ -10231,6 +10236,9 @@ ssl_auth() {
         SSL_CTX_set_options(ssl_ftp_ctx,
                             (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
                             SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                            |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
+#endif
                             );
     }
     SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,
diff --git a/debian/changelog b/debian/changelog
index f993665..5ee68d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,12 @@ ckermit (302-6) unstable; urgency=medium
   * New patch: 050_tls.patch.
     SSL/TLS changes from upstream dev12 version,
     including code to default to TLS.
+  * New patch: 060_disable_sslv3.patch.
+    Adds DISABLE_SSLV3 preprocessor option
+    to disable SSL v3 at compile time, needed to link
+    with Debian's openssl.

- -- Ian Beckwith Wed, 09 Dec 2015 16:36:01 +0000
+ -- Ian Beckwith Thu, 10 Dec 2015 18:19:45 +0000

 ckermit (302-5) unstable; urgency=low

diff --git a/debian/patches/060_disable_sslv3.patch b/debian/patches/060_disable_sslv3.patch
new file mode 100644
index 0000000..596031a
--- /dev/null
+++ b/debian/patches/060_disable_sslv3.patch
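Review bot: Under `DISABLE_SSLV3` the new `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` is OR'ed after `(ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)`, so that ternary is dead in such a build and `ftp_bug_use_ssl_v2` is silently overridden; the preceding -10223 hunk adds the same bits to the other `ssl_ftp_ctx` branch. Never offering SSLv2 is the right outcome, but a macro named DISABLE_SSLV3 that also disables SSLv2 and ignores a user option should say so next to the flag, e.g. `|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 /* overrides ftp_bug_use_ssl_v2: SSLv2 is never offered in this build */`, and ideally the option is refused where it is set. ssl_auth starts before and continues after this hunk.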
@@ -0,0 +1,115 @@ +Index: ckermit/ck_ssl.c +=================================================================== +--- ckermit.orig/ck_ssl.c ++++ ckermit/ck_ssl.c +@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode; + /* This can fail because we do not have RSA available */ + if ( !ssl_ctx ) { + debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); ++#ifndef DISABLE_SSLV3 + ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); + } + if ( !ssl_ctx ) { + debug(F110,"ssl_tn_init","SSLv3_client_method failed",0); ++#endif + last_ssl_mode = -1; + return(0); + } +@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode; + debug(F110,"ssl_tn_init","SSLv23_client_method OK",0); + } else { + debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); ++#ifndef DISABLE_SSLV3 + tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); ++#endif /* DISABLE_SSLV3 */ + if ( !tls_ctx ) { ++#ifndef DISABLE_SSLV3 + debug(F110, +- "ssl_tn_init","TLSv1_client_method failed",0); ++ "ssl_tn_init","SSLv3_client_method failed",0); ++#endif /* DISABLE_SSLV3 */ + debug(F110, + "ssl_tn_init","All SSL client methods failed",0); + last_ssl_mode = -1; +@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode; + /* This can fail because we do not have RSA available */ + if ( !ssl_ctx ) { + debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); ++#ifndef DISABLE_SSLV3 + ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method()); + } + if ( !ssl_ctx ) { + debug(F110,"ssl_tn_init","SSLv3_server_method failed",0); ++#endif + last_ssl_mode = -1; + return(0); + } +@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode; + * that cannot read poorly written specs :-) + * for TLS be sure to prevent use of SSLv2 + */ +- SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2); ++ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2 ++#ifdef DISABLE_SSLV3 ++ |SSL_OP_NO_SSLv3 ++#endif ++ ); + SSL_CTX_set_options(tls_ctx, +- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); ++ 
SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA ++#ifdef DISABLE_SSLV3 ++ |SSL_OP_NO_SSLv3 ++#endif ++ ); + + SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback); + SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback); +@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname; + * for TLS be sure to prevent use of SSLv2 + */ + SSL_CTX_set_options(tls_http_ctx, +- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); ++ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA ++#ifdef DISABLE_SSLV3 ++ |SSL_OP_NO_SSLv3 ++#endif ++ ); + + SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback); + +Index: ckermit/ckcftp.c +=================================================================== +--- ckermit.orig/ckcftp.c ++++ ckermit/ckcftp.c +@@ -10210,9 +10210,11 @@ ssl_auth() { + if (ftp_bug_use_ssl_v2) { + /* allow SSL 2.0 or later */ + client_method = SSLv23_client_method(); ++#ifndef DISABLE_SSLV3 + } else if (ftp_bug_use_ssl_v3) { + /* allow SSL 3.0 ONLY - previous default */ + client_method = SSLv3_client_method(); ++#endif /* DISABLE_SSLV3 */ + } else { + /* default - allow TLS 1.0 or later */ + client_method = TLSv1_client_method(); +@@ -10223,6 +10225,9 @@ ssl_auth() { + return(0); + SSL_CTX_set_options(ssl_ftp_ctx, + SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA ++#ifdef DISABLE_SSLV3 ++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 ++#endif + ); + } else { + ssl_ftp_ctx = SSL_CTX_new(client_method); +@@ -10231,6 +10236,9 @@ ssl_auth() { + SSL_CTX_set_options(ssl_ftp_ctx, + (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)| + SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA ++#ifdef DISABLE_SSLV3 ++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 ++#endif + ); + } + SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx, diff --git a/debian/patches/series b/debian/patches/series index dcb1121..8b3872e 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,4 +3,5 @@
 030_fix_dialmessage.patch
 040_fix_types.patch
 050_tls.patch
+060_disable_sslv3.patch
 900_ck_patch.patch
diff --git a/debian/rules b/debian/rules
index c0a0e4d..08e7b49 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ CFLAGS += `dpkg-buildflags --get CPPFLAGS`
 CFLAGS +=-g \
     -DIKSDCONF=\\\\\\\\\\\\\\\"/etc/kermit/iksd.conf\\\\\\\\\\\\\\\" \
     -DCK_SYSINI=\\\\\\\\\\\\\\\"/etc/kermit/kermrc\\\\\\\\\\\\\\\" \
-    -DCK_INI_B -DX509_SUBJECT_ALT_NAME_TO_USER
+    -DCK_INI_B -DX509_SUBJECT_ALT_NAME_TO_USER -DDISABLE_SSLV3
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 CFLAGS += -O0