netstar pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=d1cbd161bdf1bcb9c0c8429210647245a31559a4
commit d1cbd161bdf1bcb9c0c8429210647245a31559a4 Author: Alastair Poole <[email protected]> Date: Wed Jun 20 14:11:52 2018 +0100 Patch for T6342 Summary: Deprecate SSLv3. Reviewers: zmike, raster, devilhorns Reviewed By: zmike Subscribers: cedric, #committers Tags: #efl Differential Revision: https://phab.enlightenment.org/D6334 --- src/examples/ecore/efl_net_server_example.c | 3 --- src/examples/ecore/efl_net_server_simple_example.c | 3 --- .../ecore/efl_net_socket_ssl_dialer_example.c | 3 --- .../ecore/efl_net_socket_ssl_server_example.c | 3 --- src/lib/ecore_con/ecore_con_legacy.c | 15 ++++++++++++--- src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c | 3 --- src/lib/ecore_con/efl_net_ssl_ctx-openssl.c | 22 +++------------------- src/lib/ecore_con/efl_net_ssl_types.eot | 1 - 8 files changed, 15 insertions(+), 38 deletions(-) diff --git a/src/examples/ecore/efl_net_server_example.c b/src/examples/ecore/efl_net_server_example.c index 25188b31c4..d98e66bb35 100644 --- a/src/examples/ecore/efl_net_server_example.c +++ b/src/examples/ecore/efl_net_server_example.c @@ -467,7 +467,6 @@ static const char * protocols[] = { static const char *ciphers_strs[] = { "auto", - "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", @@ -702,8 +701,6 @@ efl_main(void *data EINA_UNUSED, { if (strcmp(cipher_choice, "auto") == 0) cipher = EFL_NET_SSL_CIPHER_AUTO; - else if (strcmp(cipher_choice, "sslv3") == 0) - cipher = EFL_NET_SSL_CIPHER_SSLV3; else if (strcmp(cipher_choice, "tlsv1") == 0) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (strcmp(cipher_choice, "tlsv1.1") == 0) diff --git a/src/examples/ecore/efl_net_server_simple_example.c b/src/examples/ecore/efl_net_server_simple_example.c index 998ad66ca5..a68e9b9fb9 100644 --- a/src/examples/ecore/efl_net_server_simple_example.c +++ b/src/examples/ecore/efl_net_server_simple_example.c @@ -271,7 +271,6 @@ static const char * protocols[] = { static const char *ciphers_strs[] = { "auto", - "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", 
@@ -510,8 +509,6 @@ efl_main(void *data EINA_UNUSED, { if (strcmp(cipher_choice, "auto") == 0) cipher = EFL_NET_SSL_CIPHER_AUTO; - else if (strcmp(cipher_choice, "sslv3") == 0) - cipher = EFL_NET_SSL_CIPHER_SSLV3; else if (strcmp(cipher_choice, "tlsv1") == 0) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (strcmp(cipher_choice, "tlsv1.1") == 0) diff --git a/src/examples/ecore/efl_net_socket_ssl_dialer_example.c b/src/examples/ecore/efl_net_socket_ssl_dialer_example.c index 75acb0b42d..10cec47dda 100644 --- a/src/examples/ecore/efl_net_socket_ssl_dialer_example.c +++ b/src/examples/ecore/efl_net_socket_ssl_dialer_example.c @@ -231,7 +231,6 @@ static const char *verify_mode_strs[] = { static const char *ciphers_strs[] = { "auto", - "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", @@ -416,8 +415,6 @@ efl_main(void *data EINA_UNUSED, { if (strcmp(cipher_choice, "auto") == 0) cipher = EFL_NET_SSL_CIPHER_AUTO; - else if (strcmp(cipher_choice, "sslv3") == 0) - cipher = EFL_NET_SSL_CIPHER_SSLV3; else if (strcmp(cipher_choice, "tlsv1") == 0) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (strcmp(cipher_choice, "tlsv1.1") == 0) diff --git a/src/examples/ecore/efl_net_socket_ssl_server_example.c b/src/examples/ecore/efl_net_socket_ssl_server_example.c index 38e93b6dbe..2babc8b6a0 100644 --- a/src/examples/ecore/efl_net_socket_ssl_server_example.c +++ b/src/examples/ecore/efl_net_socket_ssl_server_example.c @@ -157,7 +157,6 @@ EFL_CALLBACKS_ARRAY_DEFINE(server_cbs, static const char *ciphers_strs[] = { "auto", - "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", @@ -291,8 +290,6 @@ efl_main(void *data EINA_UNUSED, { if (strcmp(cipher_choice, "auto") == 0) cipher = EFL_NET_SSL_CIPHER_AUTO; - else if (strcmp(cipher_choice, "sslv3") == 0) - cipher = EFL_NET_SSL_CIPHER_SSLV3; else if (strcmp(cipher_choice, "tlsv1") == 0) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (strcmp(cipher_choice, "tlsv1.1") == 0) 
diff --git a/src/lib/ecore_con/ecore_con_legacy.c b/src/lib/ecore_con/ecore_con_legacy.c index 067cf712fb..4534c5d884 100644 --- a/src/lib/ecore_con/ecore_con_legacy.c +++ b/src/lib/ecore_con/ecore_con_legacy.c @@ -1609,7 +1609,10 @@ _ecore_con_server_ssl_ctx_create(const Ecore_Con_Server *svr) else if (ssl_type & ECORE_CON_USE_TLS) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (ssl_type & ECORE_CON_USE_SSL3) - cipher = EFL_NET_SSL_CIPHER_SSLV3; + { + ERR("SSLv3 is unsupported!"); + return NULL; + } else if (ssl_type & ECORE_CON_USE_SSL2) { ERR("SSLv2 is unsupported!"); @@ -1986,7 +1989,10 @@ _ecore_con_server_dialer_ssl_job(void *data, const Eina_Value v, else if (ssl_type & ECORE_CON_USE_TLS) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (ssl_type & ECORE_CON_USE_SSL3) - cipher = EFL_NET_SSL_CIPHER_SSLV3; + { + ERR("SSLv3 is unsupported!"); + goto error_ssl_ctx; + } else if (ssl_type & ECORE_CON_USE_SSL2) { ERR("SSLv2 is unsupported!"); @@ -2078,7 +2084,10 @@ _ecore_con_server_dialer_ssl_upgrade_job(void *data, const Eina_Value v, else if (ssl_type & ECORE_CON_USE_TLS) cipher = EFL_NET_SSL_CIPHER_TLSV1; else if (ssl_type & ECORE_CON_USE_SSL3) - cipher = EFL_NET_SSL_CIPHER_SSLV3; + { + ERR("SSLv3 is unsupported!"); + goto error_ssl_ctx; + } else if (ssl_type & ECORE_CON_USE_SSL2) { ERR("SSLv2 is unsupported!"); diff --git a/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c b/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c index 67b7c25c53..7a92a821e9 100644 --- a/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c +++ b/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c @@ -215,9 +215,6 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) case EFL_NET_SSL_CIPHER_AUTO: priority = NULL; break; - case EFL_NET_SSL_CIPHER_SSLV3: - priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2"; - break; case EFL_NET_SSL_CIPHER_TLSV1: priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2"; break; 
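Review bot: The new `ERR("SSLv3 is unsupported!"); return NULL;` branch in `_ecore_con_server_ssl_ctx_create` turns the public legacy flag `ECORE_CON_USE_SSL3` into a hard runtime failure, which is the right secure default and matches the SSLv2 branch below it, but the commit title says "deprecate" and the flag's own definition (outside this diff) is not touched, so callers get no hint from the API that the flag is dead. The message should name the replacement so the failure is actionable, e.g. `ERR("SSLv3 is unsupported, use ECORE_CON_USE_TLS instead!");`, and the same wording should go into the two dialer-job hunks below that carry the identical branch. Note also that because `ECORE_CON_USE_TLS` is tested before `ECORE_CON_USE_SSL3`, a caller that sets both flags still silently gets a TLS context rather than the error, which is presumably intended but worth a one-line comment above the chain. The enclosing function starts before and continues after this hunk.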
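Review bot: The `EFL_NET_SSL_CIPHER_TLSV1` priority string that remains as context right after the removed case is missing a colon between `!VERS-SSL3.0` and `!VERS-TLS1.1`, so GnuTLS parses `VERS-SSL3.0!VERS-TLS1.1` as one unknown keyword and, as far as I know its priority-string parser, rejects the whole string instead of excluding either version; it should read `priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.1:!VERS-TLS1.2";`. Since this commit is the one removing SSLv3 from the backend, it is the natural place to fix that. Separately, the `EFL_NET_SSL_CIPHER_AUTO` case still hands down `priority = NULL`, which presumably leaves SSL 3.0 exclusion to whatever default the installed GnuTLS applies, whereas the OpenSSL backend in this same commit sets `SSL_OP_NO_SSLv3` unconditionally; an explicit `"NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:-VERS-SSL3.0"` there would give both backends the same floor. `efl_net_ssl_ctx_setup` continues outside the hunk.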
diff --git a/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c b/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c index 0fef44e3bf..1e3e14c2de 100644 --- a/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c +++ b/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c @@ -263,14 +263,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) switch (cfg.cipher) { case EFL_NET_SSL_CIPHER_AUTO: - ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); - break; - case EFL_NET_SSL_CIPHER_SSLV3: -#ifndef OPENSSL_NO_SSL3_METHOD - ctx->ssl_ctx = SSL_CTX_new(SSLv3_client_method()); -#else - ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); -#endif + ctx->ssl_ctx = SSL_CTX_new(TLS_client_method()); break; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) case EFL_NET_SSL_CIPHER_TLSV1: @@ -301,14 +294,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) switch (cfg.cipher) { case EFL_NET_SSL_CIPHER_AUTO: - ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); - break; - case EFL_NET_SSL_CIPHER_SSLV3: -#ifndef OPENSSL_NO_SSL3_METHOD - ctx->ssl_ctx = SSL_CTX_new(SSLv3_server_method()); -#else - ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); -#endif + ctx->ssl_ctx = SSL_CTX_new(TLS_server_method()); break; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) case EFL_NET_SSL_CIPHER_TLSV1: @@ -338,9 +324,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg) options = SSL_CTX_get_options(ctx->ssl_ctx); options |= SSL_OP_NO_SSLv2; options |= SSL_OP_SINGLE_DH_USE; - - if (cfg.cipher != EFL_NET_SSL_CIPHER_SSLV3) - options |= SSL_OP_NO_SSLv3; + options |= SSL_OP_NO_SSLv3; SSL_CTX_set_options(ctx->ssl_ctx, options); diff --git a/src/lib/ecore_con/efl_net_ssl_types.eot b/src/lib/ecore_con/efl_net_ssl_types.eot index 6556f7cfa7..5c41b921c5 100644 --- a/src/lib/ecore_con/efl_net_ssl_types.eot +++ b/src/lib/ecore_con/efl_net_ssl_types.eot 
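Review bot: `TLS_client_method()` only exists from OpenSSL 1.1.0 (and the LibreSSL releases that added it), yet the `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` guard immediately after the `EFL_NET_SSL_CIPHER_AUTO` case shows this file is still built against older releases, so replacing `SSLv23_client_method()` here breaks compilation on those; the server hunk's `TLS_server_method()` has the same problem. The two names denote the same version-flexible method (1.1.0 keeps the `SSLv23_*` spellings as aliases) and the SSLv3 floor is enforced by the `SSL_OP_NO_SSLv3` option set later in this function, so either keep `SSLv23_client_method()` or add a shim near the top of the file: `#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` / `# define TLS_client_method SSLv23_client_method` / `# define TLS_server_method SSLv23_server_method`. Whether `SSL_CTX_new` is NULL-checked is not visible in this hunk. `efl_net_ssl_ctx_setup` starts before and continues after this hunk.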
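Review bot: Making `options |= SSL_OP_NO_SSLv3;` unconditional is the correct floor now that no caller can ask for SSLv3, but on OpenSSL 1.1.0 and later the documented way to pin the minimum version is `SSL_CTX_set_min_proto_version(ctx->ssl_ctx, TLS1_VERSION);`, which cannot be undone by a later version-specific case and should be added under the same `>= 0x10100000L` split this file already uses, with the `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` flags kept for the older branch. While this block is being touched, `options |= SSL_OP_NO_COMPRESSION;` belongs next to `SSL_OP_SINGLE_DH_USE`: nothing in the visible setup path disables TLS compression, which is the CRIME vector, and it is harmless on builds that never had it. The function continues past the hunk, so I cannot see whether a cipher list is set afterwards.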
@@ -19,7 +19,6 @@ enum Efl.Net.Ssl.Cipher { @since 1.19 ]] auto, [[The default. Use the best your system supports, disables dangerous ciphers]] - sslv3, [[SSLv3, insecure and unsupported - DANGEROUS]] tlsv1, [[TLSv1, secure and widely available]] tlsv1_1, [[TLSv1.1, secure]] tlsv1_2, [[TLSv1.2, secure]] --
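Review bot: Removing `sslv3` from the middle of `Efl.Net.Ssl.Cipher`, an enum this hunk shows as `@since 1.19`, renumbers every following member unless the generated C enum carries explicit values, which nothing in this diff shows: a binary built against the 1.19/1.20 header that passes `EFL_NET_SSL_CIPHER_TLSV1` (old 2) now selects `tlsv1_1`, and one passing `EFL_NET_SSL_CIPHER_TLSV1_2` (old 4) hands the backend a value outside the enum whose handling depends on the backends' `default` cases. If the enum is stable ABI, the usual way to retire a value is to keep the member and mark it dead, e.g. `sslv3, [[SSLv3 - no longer supported, context setup fails. @deprecated]]`, with the OpenSSL and GnuTLS backends rejecting it the way `ecore_con_legacy.c` now rejects `ECORE_CON_USE_SSL3`. If Eolian assigns fixed values or the type is not considered stable, this can be ignored, but the commit message should then say so.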
