From 56f1acf5ef8a432992497a04792ff4b3b2c6f286 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 17 Feb 2016 21:37:15 -0500 Disable SSLv2 default build, default negotiation and weak SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. Mitigation for CVE-2016-0800 Upstream-Status: Backport [Removed CHANGES and NEWS from the original patch] Reviewed-by: Emilia Käsper Signed-off-by: Sona Sarmadi --- diff -ruN a/Configure b/Configure --- a/Configure 2016-03-04 08:36:29.390151489 +0100 +++ b/Configure 2016-03-04 08:37:24.731804074 +0100 @@ -780,8 +780,9 @@ "md2" => "default", "rc5" => "default", "rfc3779" => "default", - "sctp" => "default", + "sctp" => "default", "shared" => "default", + "ssl2" => "default", "store" => "experimental", "unit-test" => "default", "zlib" => "default", diff -ruN a/ssl/s2_lib.c b/ssl/s2_lib.c --- a/ssl/s2_lib.c 2015-07-09 14:21:24.000000000 +0200 +++ b/ssl/s2_lib.c 2016-03-04 08:37:24.731804074 +0100 @@ -156,6 +156,7 @@ 128, }, +# if 0 /* RC4_128_EXPORT40_WITH_MD5 */ { 1, @@ -171,6 +172,7 @@ 40, 128, }, +# endif /* RC2_128_CBC_WITH_MD5 */ { @@ -188,6 +190,7 @@ 128, }, +# if 0 /* RC2_128_CBC_EXPORT40_WITH_MD5 */ { 1, @@ -203,6 +206,7 @@ 40, 128, }, +# endif # ifndef OPENSSL_NO_IDEA /* IDEA_128_CBC_WITH_MD5 */ @@ -222,6 +226,7 @@ }, # endif +# if 0 /* DES_64_CBC_WITH_MD5 */ { 1, 
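Review bot: The new `"ssl2" => "default"` entry in Configure has no comment recording why SSLv2 is now off unless the builder opts in, so a later cleanup or a packaging recipe could turn it back on without noticing the security reason. A one-line comment above the entry would cover it, for example `# SSLv2 is not built unless "enable-ssl2" is given (CVE-2016-0800)`. Because this is a backport, it is also worth checking that no build recipe consuming the patch passes `enable-ssl2`; that cannot be verified from this hunk. The `sctp` line is removed and re-added with identical visible text, presumably a whitespace-only change, and would be better left out of a security backport to keep the diff minimal.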
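Review bot: The `# if 0` guards in ssl/s2_lib.c give no reason why the RC4_128_EXPORT40_WITH_MD5, RC2_128_CBC_EXPORT40_WITH_MD5 and DES_64_CBC_WITH_MD5 table entries are compiled out. This applies to all five s2_lib.c hunks, including the closing `# endif` at -237. A bare `# if 0` reads like leftover debugging and invites someone to re-enable the entries. Put the reason on the guard itself, for example `# if 0 /* 40-bit EXPORT: key recoverable by exhaustive search, CVE-2016-0800 */` and the matching 56-bit wording on the DES entry, or delete the entries outright. The cipher table begins and ends outside these hunks, so any code that assumes a fixed entry count or indexes the table by position should be checked against the shortened table.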
@@ -237,6 +242,7 @@ 56, 56, }, +# endif /* DES_192_EDE3_CBC_WITH_MD5 */ { diff -ruN a/ssl/ssl_lib.c b/ssl/ssl_lib.c --- a/ssl/ssl_lib.c 2015-07-09 14:21:24.000000000 +0200 +++ b/ssl/ssl_lib.c 2016-03-04 08:37:24.735803905 +0100 @@ -1896,6 +1896,13 @@ */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* + * Disable SSLv2 by default, callers that want to enable SSLv2 will have to + * explicitly clear this option via either of SSL_CTX_clear_options() or + * SSL_clear_options(). + */ + ret->options |= SSL_OP_NO_SSLv2; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
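Review bot: The added comment in ssl/ssl_lib.c says "Disable SSLv2 by default" without stating the limit of that default. The commit description implies the option only governs version-flexible negotiation through SSLv23_method(), so a context created with SSLv2_method() or its client/server variants is presumably unaffected in an `enable-ssl2` build. The comment should say so, for example by adding `* This has no effect on the version-specific SSLv2_method(); only enable-ssl2 builds have it.`, so that nobody reading this function concludes the flag alone keeps SSLv2 off. The first sentence is also a comma splice; `by default; callers that want` reads better. The enclosing function starts and ends outside the hunk.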