authorCedric BAIL <cedric@osg.samsung.com>2015-11-02 14:11:09 -0800
committerCedric BAIL <cedric@osg.samsung.com>2015-11-02 14:22:42 -0800
commitae5e2c82843a5dea2474b79f5426207495b465a8 (patch)
tree76d1e6145c2bcaf60d458fabd28e46b131b7bd73
parent99d0f03c6fa966ac95930d076dc2bb70472029b6 (diff)
emile/ecore_con: drop SSLv3 support due to security issue.
SSLv3 was compromised a year ago by what is known as POODLE (https://en.wikipedia.org/wiki/POODLE). Every major browser has now dropped support for SSLv3 and distributions are starting to do so too. It is a good time for us to do so as well, especially as it breaks the build on some distributions.
-rw-r--r--src/lib/ecore_con/Ecore_Con.h2
-rw-r--r--src/lib/ecore_con/ecore_con_private.h3
-rw-r--r--src/lib/ecore_con/ecore_con_ssl.c26
-rw-r--r--src/lib/emile/emile_cipher.h1
-rw-r--r--src/lib/emile/emile_cipher_openssl.c6
-rw-r--r--src/tests/ecore_con/ecore_con_test_ecore_con.c28
6 files changed, 13 insertions, 53 deletions
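--- a/src/lib/ecore_con/Ecore_Con.h
+++ b/src/lib/ecore_con/Ecore_Con.h
@@ -299,7 +299,7 @@ typedef enum _Ecore_Con_Type
  ECORE_CON_REMOTE_CORK = 8,
  /** Use SSL2: UNSUPPORTED. **/
  ECORE_CON_USE_SSL2 = (1 << 4),
- /** Use SSL3 */
+ /** Use SSL3: UNSUPPORTED. **/
  ECORE_CON_USE_SSL3 = (1 << 5),
  /** Use TLS */
  ECORE_CON_USE_TLS = (1 << 6),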
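Review bot: The new comment on ECORE_CON_USE_SSL3 says UNSUPPORTED but not what a caller that still passes the flag gets, a gap the existing SSL2 comment has too. The enumerator keeps its value (1 << 5) and the ecore_con_ssl.c part of this commit rejects the bit when the server is prepared, so the doc could state both: `/** Use SSL3: UNSUPPORTED. Kept only so the bit value stays stable; requesting it makes server preparation fail with an SSL3-not-supported error. **/`. The rest of _Ecore_Con_Type is outside the hunk.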
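--- a/src/lib/ecore_con/ecore_con_private.h
+++ b/src/lib/ecore_con/ecore_con_private.h
@@ -71,7 +71,8 @@ typedef enum _Ecore_Con_Ssl_Error
  ECORE_CON_SSL_ERROR_NOT_SUPPORTED,
  ECORE_CON_SSL_ERROR_INIT_FAILED,
  ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED,
- ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED
+ ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED,
+ ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED
 } Ecore_Con_Ssl_Error;
 
 typedef enum _Ecore_Con_Ssl_Handshake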
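--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -497,6 +497,16 @@ ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
  if (!emile_cipher_init())
  return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
 
+ // We forcibly disable SSL3 now
+ if (ssl_type & ECORE_CON_USE_MIXED)
+ ssl_type &= ~ECORE_CON_USE_SSL3;
+
+ if (ssl_type & ECORE_CON_USE_SSL2)
+ return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
+
+ if (ssl_type & ECORE_CON_USE_SSL3)
+ return ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED;
+
  return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
 }
 
@@ -754,13 +764,8 @@ _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *obj,
  Ecore_Con_Server_Data *svr = eo_data_scope_get(obj, ECORE_CON_SERVER_CLASS);
  int ret;
 
- if (ssl_type & ECORE_CON_USE_SSL2)
- return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
  switch (ssl_type)
  {
- case ECORE_CON_USE_SSL3:
- case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
  case ECORE_CON_USE_TLS:
  case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
  case ECORE_CON_USE_MIXED:
@@ -1379,19 +1384,8 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
  long options;
  int dh = 0;
 
- if (ssl_type & ECORE_CON_USE_SSL2)
- return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
  switch (ssl_type)
  {
- case ECORE_CON_USE_SSL3:
- case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
- if (!svr->created)
- SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_client_method())));
- else
- SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
- break;
-
  case ECORE_CON_USE_TLS:
  case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
  if (!svr->created)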
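Review bot: In ecore_con_ssl_server_prepare the added `if (ssl_type & ECORE_CON_USE_MIXED)` is a bitmask test, so if ECORE_CON_USE_MIXED is the SSL3|TLS combination its name and the backends' `case ECORE_CON_USE_MIXED:` suggest, it is also true for a request carrying only ECORE_CON_USE_SSL3; that request then has its SSL3 bit cleared on the next line and never reaches the new ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED return, so the backend is called with the SSL bits all cleared. What the backend switches do with such a type is outside these hunks; if their default path succeeds, an SSL3-only request would come up without any TLS context instead of failing. Testing for the full mask limits the downgrade to TLS to callers that actually asked for MIXED: `if ((ssl_type & ECORE_CON_USE_MIXED) == ECORE_CON_USE_MIXED)`. The start of ecore_con_ssl_server_prepare is outside the first hunk, and the gnutls and openssl backends in the second and third hunks begin and end outside them. The test-file section of this commit only deletes the SSL3 cases, so nothing asserts the new rejection.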
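--- a/src/lib/emile/emile_cipher.h
+++ b/src/lib/emile/emile_cipher.h
@@ -92,7 +92,6 @@ typedef struct _Emile_SSL Emile_SSL;
 typedef enum
 {
  EMILE_SSLv23,
- EMILE_SSLv3,
  EMILE_TLSv1
 } Emile_Cipher_Type;
 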
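Review bot: Removing EMILE_SSLv3 from the middle of Emile_Cipher_Type renumbers EMILE_TLSv1 from 2 to 1, because the enum has no explicit values; anything compiled against the previous header and passing EMILE_TLSv1 now hands the backends the value 2, which no remaining enumerator has and which no surviving case in the emile_cipher_openssl.c switches matches. The Ecore_Con.h hunk of this commit keeps ECORE_CON_USE_SSL3 for exactly that reason. If this header is installed, pin the surviving values, `EMILE_SSLv23 = 0,` and `EMILE_TLSv1 = 2`, or keep the enumerator and have the backends reject it.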
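--- a/src/lib/emile/emile_cipher_openssl.c
+++ b/src/lib/emile/emile_cipher_openssl.c
@@ -294,9 +294,6 @@ emile_cipher_server_listen(Emile_Cipher_Type t)
  SSL_CTX_set_options(r->ssl_ctx,
  options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
  break;
- case EMILE_SSLv3:
- r->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
- break;
  case EMILE_TLSv1:
  r->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
  break;
@@ -742,9 +739,6 @@ emile_cipher_server_connect(Emile_Cipher_Type t)
  SSL_CTX_set_options(r->ssl_ctx,
  options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
  break;
- case EMILE_SSLv3:
- r->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
- break;
  case EMILE_TLSv1:
  r->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
  break;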
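Review bot: The branch directly above the removed EMILE_SSLv3 case in emile_cipher_server_listen still sets only SSL_OP_NO_SSLv2 on its context (line 295), so if that is the EMILE_SSLv23 version-flexible path its label suggests, a peer can still negotiate SSLv3 there and the commit's stated goal is not met; the same line appears in emile_cipher_server_connect at the second hunk (line 740). Both should also clear SSLv3: `options | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE);`. The case label and the SSL_CTX_new call of that branch are outside the hunk, so which method it uses is inferred; both functions begin and end outside their hunks.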
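--- a/src/tests/ecore_con/ecore_con_test_ecore_con.c
+++ b/src/tests/ecore_con/ecore_con_test_ecore_con.c
@@ -410,18 +410,6 @@ START_TEST(ecore_test_ecore_con_remote_nodelay)
 }
 END_TEST
 
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3_load_cert)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_tcp_tls)
 {
  _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -446,18 +434,6 @@ START_TEST(ecore_test_ecore_con_remote_tcp_mixed_load_cert)
 }
 END_TEST
 
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3_load_cert)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_nodelay_tls)
 {
  _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -595,15 +571,11 @@ void ecore_con_test_ecore_con(TCase *tc)
  tcase_add_test(tc, ecore_test_ecore_con_local_system_negport_fullpath);
  tcase_add_test(tc, ecore_test_ecore_con_local_abstract);
  tcase_add_test(tc, ecore_test_ecore_con_remote_tcp);
- tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3);
- tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3_load_cert);
  tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls);
  tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls_load_cert);
  tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed);
  tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed_load_cert);
  tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay);
- tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3);
- tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3_load_cert);
  tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls);
  tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls_load_cert);
  tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_mixed);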