Add TLS_method, TLS_client_method and TLS_server_method.

Use these instead of SSLv23_*method when you want to make sure TLS is
used.

By default, we disable SSLv3 but it's still possible for the user to
re-enable it.  TLS_*method does not allow SSLv3.

Both BoringSSL and (next version of) OpenSSL have these methods.
However, they have changed the implementation significantly.  We will
as well, but not right now.

Riding the libssl major bump.

ok miod@ bcook@

5 files changed, 185 insertions, 5 deletions

diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c
index 30d97683a7e..00954777fcd 100644
--- a/lib/libssl/src/ssl/s23_clnt.c
+++ b/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.38 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.39 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -120,6 +120,7 @@
 static const SSL_METHOD *ssl23_get_client_method(int ver);
 static int ssl23_client_hello(SSL *s);
 static int ssl23_get_server_hello(SSL *s);
+static const SSL_METHOD *tls_get_client_method(int ver);
 
 const SSL_METHOD SSLv23_client_method_data = {
 	.version = TLS1_2_VERSION,
@@ -153,6 +154,39 @@ const SSL_METHOD SSLv23_client_method_data = {
 	.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
 
+const SSL_METHOD TLS_client_method_data = {
+	.version = TLS1_2_VERSION,
+	.ssl_new = tls1_new,
+	.ssl_clear = tls1_clear,
+	.ssl_free = tls1_free,
+	.ssl_accept = ssl_undefined_function,
+	.ssl_connect = tls_connect,
+	.ssl_read = ssl23_read,
+	.ssl_peek = ssl23_peek,
+	.ssl_write = ssl23_write,
+	.ssl_shutdown = ssl_undefined_function,
+	.ssl_renegotiate = ssl_undefined_function,
+	.ssl_renegotiate_check = ssl_ok,
+	.ssl_get_message = ssl3_get_message,
+	.ssl_read_bytes = ssl3_read_bytes,
+	.ssl_write_bytes = ssl3_write_bytes,
+	.ssl_dispatch_alert = ssl3_dispatch_alert,
+	.ssl_ctrl = ssl3_ctrl,
+	.ssl_ctx_ctrl = ssl3_ctx_ctrl,
+	.get_cipher_by_char = ssl3_get_cipher_by_char,
+	.put_cipher_by_char = ssl3_put_cipher_by_char,
+	.ssl_pending = ssl_undefined_const_function,
+	.num_ciphers = ssl3_num_ciphers,
+	.get_cipher = ssl3_get_cipher,
+	.get_ssl_method = tls_get_client_method,
+	.get_timeout = ssl23_default_timeout,
+	.ssl3_enc = &ssl3_undef_enc_method,
+	.ssl_version = ssl_undefined_void_function,
+	.ssl_callback_ctrl = ssl3_callback_ctrl,
+	.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
+};
+
+
 const SSL_METHOD *
 SSLv23_client_method(void)
 {
@@ -544,3 +578,33 @@ ssl23_get_server_hello(SSL *s)
 err:
 	return (-1);
 }
+
+const SSL_METHOD *
+TLS_client_method(void)
+{
+	return &TLS_client_method_data;
+}
+
+static const SSL_METHOD *
+tls_get_client_method(int ver)
+{
+	if (ver == SSL3_VERSION)
+		return (NULL);
+	else
+		return ssl23_get_client_method(ver);
+}
+
+int
+tls_connect(SSL *s)
+{
+	int ret;
+	unsigned long old_options;
+
+	old_options = s->options;
+
+	s->options |= SSL_OP_NO_SSLv3;
+	ret = ssl23_connect(s);
+	s->options = old_options;
+
+	return ret;
+}
diff --git a/lib/libssl/src/ssl/s23_meth.c b/lib/libssl/src/ssl/s23_meth.c
index 164604001e2..93a398d70b8 100644
--- a/lib/libssl/src/ssl/s23_meth.c
+++ b/lib/libssl/src/ssl/s23_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_meth.c,v 1.17 2015/02/06 08:30:23 jsing Exp $ */
+/* $OpenBSD: s23_meth.c,v 1.18 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,6 +63,7 @@
 #include "ssl_locl.h"
 
 static const SSL_METHOD *ssl23_get_method(int ver);
+static const SSL_METHOD *tls_get_method(int ver);
 
 const SSL_METHOD SSLv23_method_data = {
 	.version = TLS1_2_VERSION,
@@ -115,3 +116,50 @@ ssl23_get_method(int ver)
 		return (TLSv1_2_method());
 	return (NULL);
 }
+
+const SSL_METHOD TLS_method_data = {
+	.version = TLS1_2_VERSION,
+	.ssl_new = tls1_new,
+	.ssl_clear = tls1_clear,
+	.ssl_free = tls1_free,
+	.ssl_accept = tls_accept,
+	.ssl_connect = tls_connect,
+	.ssl_read = ssl23_read,
+	.ssl_peek = ssl23_peek,
+	.ssl_write = ssl23_write,
+	.ssl_shutdown = ssl_undefined_function,
+	.ssl_renegotiate = ssl_undefined_function,
+	.ssl_renegotiate_check = ssl_ok,
+	.ssl_get_message = ssl3_get_message,
+	.ssl_read_bytes = ssl3_read_bytes,
+	.ssl_write_bytes = ssl3_write_bytes,
+	.ssl_dispatch_alert = ssl3_dispatch_alert,
+	.ssl_ctrl = ssl3_ctrl,
+	.ssl_ctx_ctrl = ssl3_ctx_ctrl,
+	.get_cipher_by_char = ssl3_get_cipher_by_char,
+	.put_cipher_by_char = ssl3_put_cipher_by_char,
+	.ssl_pending = ssl_undefined_const_function,
+	.num_ciphers = ssl3_num_ciphers,
+	.get_cipher = ssl3_get_cipher,
+	.get_ssl_method = tls_get_method,
+	.get_timeout = ssl23_default_timeout,
+	.ssl3_enc = &ssl3_undef_enc_method,
+	.ssl_version = ssl_undefined_void_function,
+	.ssl_callback_ctrl = ssl3_callback_ctrl,
+	.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
+};
+
+const SSL_METHOD *
+TLS_method(void)
+{
+	return &TLS_method_data;
+}
+
+static const SSL_METHOD *
+tls_get_method(int ver)
+{
+	if (ver == SSL3_VERSION)
+		return (NULL);
+	else
+		return ssl23_get_method(ver);
+}
diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c
index 99bfaf07e4b..f1914e0e8e1 100644
--- a/lib/libssl/src/ssl/s23_srvr.c
+++ b/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.39 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.40 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -119,6 +119,7 @@
 
 static const SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
+static const SSL_METHOD *tls_get_server_method(int ver);
 
 const SSL_METHOD SSLv23_server_method_data = {
 	.version = TLS1_2_VERSION,
@@ -152,6 +153,38 @@ const SSL_METHOD SSLv23_server_method_data = {
 	.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
 
+const SSL_METHOD TLS_server_method_data = {
+	.version = TLS1_2_VERSION,
+	.ssl_new = tls1_new,
+	.ssl_clear = tls1_clear,
+	.ssl_free = tls1_free,
+	.ssl_accept = tls_accept,
+	.ssl_connect = ssl_undefined_function,
+	.ssl_read = ssl23_read,
+	.ssl_peek = ssl23_peek,
+	.ssl_write = ssl23_write,
+	.ssl_shutdown = ssl_undefined_function,
+	.ssl_renegotiate = ssl_undefined_function,
+	.ssl_renegotiate_check = ssl_ok,
+	.ssl_get_message = ssl3_get_message,
+	.ssl_read_bytes = ssl3_read_bytes,
+	.ssl_write_bytes = ssl3_write_bytes,
+	.ssl_dispatch_alert = ssl3_dispatch_alert,
+	.ssl_ctrl = ssl3_ctrl,
+	.ssl_ctx_ctrl = ssl3_ctx_ctrl,
+	.get_cipher_by_char = ssl3_get_cipher_by_char,
+	.put_cipher_by_char = ssl3_put_cipher_by_char,
+	.ssl_pending = ssl_undefined_const_function,
+	.num_ciphers = ssl3_num_ciphers,
+	.get_cipher = ssl3_get_cipher,
+	.get_ssl_method = tls_get_server_method,
+	.get_timeout = ssl23_default_timeout,
+	.ssl3_enc = &ssl3_undef_enc_method,
+	.ssl_version = ssl_undefined_void_function,
+	.ssl_callback_ctrl = ssl3_callback_ctrl,
+	.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
+};
+
 const SSL_METHOD *
 SSLv23_server_method(void)
 {
@@ -570,3 +603,33 @@ ssl23_get_client_hello(SSL *s)
 
 	return (SSL_accept(s));
 }
+
+const SSL_METHOD *
+TLS_server_method(void)
+{
+	return &TLS_server_method_data;
+}
+
+static const SSL_METHOD *
+tls_get_server_method(int ver)
+{
+	if (ver == SSL3_VERSION)
+		return (NULL);
+	else
+		return ssl23_get_server_method(ver);
+}
+
+int
+tls_accept(SSL *s)
+{
+	int ret;
+	unsigned long old_options;
+
+	old_options = s->options;
+
+	s->options |= SSL_OP_NO_SSLv3;
+	ret = ssl23_accept(s);
+	s->options = old_options;
+
+	return ret;
+}
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 0a0a711a201..0cd220778b9 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.91 2015/07/18 19:41:54 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1696,6 +1696,9 @@ const SSL_METHOD *TLSv1_2_method(void);		/* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_server_method(void);	/* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_client_method(void);	/* TLSv1.2 */
 
+const SSL_METHOD *TLS_method(void);		/* TLS v1.0 or later */
+const SSL_METHOD *TLS_server_method(void);	/* TLS v1.0 or later */
+const SSL_METHOD *TLS_client_method(void);	/* TLS v1.0 or later */
 
 const SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index ba8fc799645..1c78770dfa5 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.97 2015/07/18 23:00:23 doug Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.98 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -757,6 +757,8 @@ int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
 int ssl23_read_bytes(SSL *s, int n);
 int ssl23_write_bytes(SSL *s);
+int tls_accept(SSL *s);
+int tls_connect(SSL *s);
 
 int tls1_new(SSL *s);
 void tls1_free(SSL *s);