diff options
| author | Conrad Meyer <cem@FreeBSD.org> | 2020-07-01 00:59:28 +0000 |
|---|---|---|
| committer | Conrad Meyer <cem@FreeBSD.org> | 2020-07-01 00:59:28 +0000 |
| commit | 80a315ffb6053e5e2b1a0d07d7571fad0e0a64bd (patch) | |
| tree | 80983adc0bdedafd1f7279a7652dbf8745b7edb8 /secure | |
| parent | 94bc2117b4adaf7101cc412f4277e5812ad61ae2 (diff) | |
| download | src-test-80a315ffb6053e5e2b1a0d07d7571fad0e0a64bd.tar.gz src-test-80a315ffb6053e5e2b1a0d07d7571fad0e0a64bd.zip | |
Replace OPENSSL_NO_SSL3_METHODs with dummies
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use
it, and if they must, they can use some implementation outside of base.
There are three symbols removed with OPENSSL_NO_SSL3_METHOD:
SSLv3_client_method
SSLv3_method
SSLv3_server_method
These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al). Applications
that do so have broken cryptography.
Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.
Reviewed by: gordon, jhb (earlier-but-equivalent version both)
Discussed with: bjk, kib
Differential Revision: https://reviews.freebsd.org/D25493
Notes
Notes:
svn path=/head/; revision=362818
Diffstat (limited to 'secure')
| -rw-r--r-- | secure/lib/libcrypto/opensslconf.h.in | 3 | ||||
| -rw-r--r-- | secure/lib/libssl/Makefile | 2 | ||||
| -rw-r--r-- | secure/lib/libssl/dummy_abi.c | 46 |
3 files changed, 51 insertions, 0 deletions
diff --git a/secure/lib/libcrypto/opensslconf.h.in b/secure/lib/libcrypto/opensslconf.h.in index 503a44c684808..1a68649dde0a4 100644 --- a/secure/lib/libcrypto/opensslconf.h.in +++ b/secure/lib/libcrypto/opensslconf.h.in @@ -79,6 +79,9 @@ extern "C" { #ifndef OPENSSL_NO_SSL3 # define OPENSSL_NO_SSL3 #endif +#ifndef OPENSSL_NO_SSL3_METHOD +# define OPENSSL_NO_SSL3_METHOD +#endif #ifndef OPENSSL_NO_UBSAN # define OPENSSL_NO_UBSAN #endif diff --git a/secure/lib/libssl/Makefile b/secure/lib/libssl/Makefile index ce97714504354..d97775b9afe4b 100644 --- a/secure/lib/libssl/Makefile +++ b/secure/lib/libssl/Makefile @@ -22,6 +22,8 @@ SRCS+= ssl3_record.c ssl3_record_tls13.c SRCS+= extensions.c extensions_clnt.c extensions_cust.c extensions_srvr.c SRCS+= statem.c statem_clnt.c statem_dtls.c statem_lib.c statem_srvr.c +SRCS+= dummy_abi.c + LIBADD= crypto CFLAGS+= -I${LCRYPTO_SRC}/ssl diff --git a/secure/lib/libssl/dummy_abi.c b/secure/lib/libssl/dummy_abi.c new file mode 100644 index 0000000000000..79d38a4200935 --- /dev/null +++ b/secure/lib/libssl/dummy_abi.c @@ -0,0 +1,46 @@ +/* This file is in the public domain. */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <stdbool.h> +#include <unistd.h> + +#include <openssl/ssl.h> + +static inline void +__SSLv3_dummy_method_impl(void) +{ + static const char warning[] = "SSLv3 use is deprecated.\n"; + static bool once = false; + + if (once) + return; + + once = true; + write(STDERR_FILENO, warning, sizeof(warning) - 1); +} + +const SSL_METHOD * +__SSLv3_method_fbsd12(void) +{ + __SSLv3_dummy_method_impl(); + return (NULL); +} +__sym_compat(SSLv3_method, __SSLv3_method_fbsd12, OPENSSL_1_1_0); + +const SSL_METHOD * +__SSLv3_client_method_fbsd12(void) +{ + __SSLv3_dummy_method_impl(); + return (NULL); +} +__sym_compat(SSLv3_client_method, __SSLv3_client_method_fbsd12, OPENSSL_1_1_0); + +const SSL_METHOD * +__SSLv3_server_method_fbsd12(void) +{ + __SSLv3_dummy_method_impl(); + return (NULL); +} +__sym_compat(SSLv3_server_method, __SSLv3_server_method_fbsd12, OPENSSL_1_1_0); |