Skip to content

Commit 26a59d9

Browse files
author
Geoff Thorpe
committed
Fix no-ssl3 configuration option
CVE-2014-3568 Reviewed-by: Emilia Kasper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
1 parent 7fd4ce6 commit 26a59d9

File tree

2 files changed

+16
-11
lines changed

2 files changed

+16
-11
lines changed

Diff for: ssl/s23_clnt.c

+7-2
Original file line numberDiff line numberDiff line change
@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
125125
if (ver == SSL2_VERSION)
126126
return(SSLv2_client_method());
127127
#endif
128+
#ifndef OPENSSL_NO_SSL3
128129
if (ver == SSL3_VERSION)
129130
return(SSLv3_client_method());
130-
else if (ver == TLS1_VERSION)
131+
#endif
132+
if (ver == TLS1_VERSION)
131133
return(TLSv1_client_method());
132134
else if (ver == TLS1_1_VERSION)
133135
return(TLSv1_1_client_method());
@@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s)
698700
{
699701
/* we have sslv3 or tls1 (server hello or alert) */
700702

703+
#ifndef OPENSSL_NO_SSL3
701704
if ((p[2] == SSL3_VERSION_MINOR) &&
702705
!(s->options & SSL_OP_NO_SSLv3))
703706
{
@@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s)
712715
s->version=SSL3_VERSION;
713716
s->method=SSLv3_client_method();
714717
}
715-
else if ((p[2] == TLS1_VERSION_MINOR) &&
718+
else
719+
#endif
720+
if ((p[2] == TLS1_VERSION_MINOR) &&
716721
!(s->options & SSL_OP_NO_TLSv1))
717722
{
718723
s->version=TLS1_VERSION;

Diff for: ssl/s23_srvr.c

+9-9
Original file line numberDiff line numberDiff line change
@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
127127
if (ver == SSL2_VERSION)
128128
return(SSLv2_server_method());
129129
#endif
130+
#ifndef OPENSSL_NO_SSL3
130131
if (ver == SSL3_VERSION)
131132
return(SSLv3_server_method());
132-
else if (ver == TLS1_VERSION)
133+
#endif
134+
if (ver == TLS1_VERSION)
133135
return(TLSv1_server_method());
134136
else if (ver == TLS1_1_VERSION)
135137
return(TLSv1_1_server_method());
@@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
600602
if ((type == 2) || (type == 3))
601603
{
602604
/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
605+
s->method = ssl23_get_server_method(s->version);
606+
if (s->method == NULL)
607+
{
608+
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
609+
goto err;
610+
}
603611

604612
if (!ssl_init_wbio_buffer(s,1)) goto err;
605613

@@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
627635
s->s3->rbuf.left=0;
628636
s->s3->rbuf.offset=0;
629637
}
630-
if (s->version == TLS1_2_VERSION)
631-
s->method = TLSv1_2_server_method();
632-
else if (s->version == TLS1_1_VERSION)
633-
s->method = TLSv1_1_server_method();
634-
else if (s->version == TLS1_VERSION)
635-
s->method = TLSv1_server_method();
636-
else
637-
s->method = SSLv3_server_method();
638638
#if 0 /* ssl3_get_client_hello does this */
639639
s->client_version=(v[0]<<8)|v[1];
640640
#endif

0 commit comments

Comments
 (0)