Enable SSLv3 option for libcurl #58

jasonacox · jasonacox · commit f0491b5d2eb4 · 2022-05-30T02:34:51.000-07:00
diff --git a/build.sh b/build.sh
@@ -186,7 +186,7 @@ fi
 echo
 echo -e "${bold}Building Curl${normal}"
 cd curl
-./libcurl-build.sh -v "$LIBCURL" $disablebitcode $colorflag $buildnghttp2 $catalyst $OSARGS
+./libcurl-build.sh -v "$LIBCURL" $disablebitcode $colorflag $buildnghttp2 $catalyst $sslv3 $OSARGS
 cd ..
 
 ## Archive Libraries and Clean Up
diff --git a/curl/libcurl-build.sh b/curl/libcurl-build.sh
@@ -37,6 +37,7 @@ trap 'echo -e "${alert}** ERROR with Build - Check /tmp/curl*.log${alertdim}"; t
 CURL_VERSION="curl-7.74.0"
 nohttp2="0"
 catalyst="0"
+FORCE_SSLV3="no"
 
 # Set minimum OS versions for target
 MACOS_X86_64_VERSION=""			# Empty = use host version
@@ -73,13 +74,14 @@ usage ()
 	echo "         -u   Mac Catalyst iOS min target version (default $CATALYST_IOS)"
 	echo "         -m   compile Mac Catalyst library [beta]"
 	echo "         -x   disable color output"
+	echo "         -3   enable SSLv3 support"
 	echo "         -h   show usage"
 	echo
 	trap - INT TERM EXIT
 	exit 127
 }
 
-while getopts "v:s:t:i:a:u:nmbxh\?" o; do
+while getopts "v:s:t:i:a:u:nmb3xh\?" o; do
     case "${o}" in
         v)
 			CURL_VERSION="curl-${OPTARG}"
@@ -118,6 +120,9 @@ while getopts "v:s:t:i:a:u:nmbxh\?" o; do
 			alertdim=""
 			archbold=""
 			;;
+		3)
+			FORCE_SSLV3="yes"
+			;;
         *)
             usage
             ;;
@@ -501,6 +506,14 @@ fi
 echo "Unpacking curl"
 tar xfz "${CURL_VERSION}.tar.gz"
 
+if [ ${FORCE_SSLV3} == 'yes' ]; then
+	# for library
+	sed -i '' '/version == CURL_SSLVERSION_SSLv3/d' "${CURL_VERSION}/lib/setopt.c"
+	patch "${CURL_VERSION}/lib/vtls/openssl.c" sslv3.patch
+	# for command line
+	sed -i '' -e 's/warnf(global, \"Ignores instruction to use SSLv3\\n\");/config->ssl_version = CURL_SSLVERSION_SSLv3;/g' "${CURL_VERSION}/src/tool_getparam.c"
+fi
+
 echo -e "${bold}Building Mac libraries${dim}"
 buildMac "x86_64"
 buildMac "arm64"
diff --git a/curl/sslv3.patch b/curl/sslv3.patch
@@ -0,0 +1,34 @@
+--- openssl.c	2022-05-30 01:05:13.000000000 -0700
++++ openssl.c.2	2022-05-30 01:25:52.000000000 -0700
+@@ -2709,8 +2709,9 @@
+     failf(data, "No SSLv2 support");
+     return CURLE_NOT_BUILT_IN;
+   case CURL_SSLVERSION_SSLv3:
+-    failf(data, "No SSLv3 support");
+-    return CURLE_NOT_BUILT_IN;
++    req_method = SSLv3_client_method();
++    use_sni(FALSE);
++    break;
+   default:
+     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
+     return CURLE_SSL_CONNECT_ERROR;
+@@ -2798,9 +2799,18 @@
+ 
+   switch(ssl_version) {
+     case CURL_SSLVERSION_SSLv2:
+-    case CURL_SSLVERSION_SSLv3:
+       return CURLE_NOT_BUILT_IN;
+ 
++    case CURL_SSLVERSION_SSLv3:
++      SSL_CTX_set_min_proto_version(backend->ctx, SSL3_VERSION);
++      SSL_CTX_set_max_proto_version(backend->ctx, SSL3_VERSION);
++      ctx_options |= SSL_OP_NO_SSLv2;
++      ctx_options |= SSL_OP_NO_TLSv1;
++      ctx_options |= SSL_OP_NO_TLSv1_1;
++      ctx_options |= SSL_OP_NO_TLSv1_2;
++      ctx_options |= SSL_OP_NO_TLSv1_3;
++      break;
++
+     /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
+     case CURL_SSLVERSION_DEFAULT:
+     case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
