Thanks to Victor Pereira from the SUSE Security team for auditing
this and recommending better options.
This has been discussed several times but no one ever got to
committing it.
When _ecore_con_ssl_client_init_(gnutls/openssl) finished
successfully, the enum value ECORE_CON_SSL_ERROR_NONE (0) was returned. The
function ecore_con_ssl_client_upgrade returns Eina_Bool, so in case of success
EINA_FALSE was returned.
@fix
SSLv3 was compromised a year ago by what is known as POODLE
(https://en.wikipedia.org/wiki/POODLE). Every major browser has now
dropped support for SSLv3 and distributions are starting to do so as well.
It is good timing for us to do so too, especially as it breaks the build on
some distributions.
Summary:
strcat will look for the null terminator, interpret that as the end of the string, append the new text there (overwriting the null terminator in the process), and write a new null terminator at the end of the concatenation. buf is uninitialized, so it might start with NULL, or it might not have NULL anywhere within it. So this might produce undefined behaviour. So replaced it with strncpy.
Signed-off-by: Srivardhan Hebbar <sri.hebbar@samsung.com>
Reviewers: cedric
Subscribers: cedric
Differential Revision: https://phab.enlightenment.org/D3094
Signed-off-by: Cedric BAIL <cedric@osg.samsung.com>
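Added example, not ecore_con's code: the defensive pattern behind the strcat fix above. The destination buffer is made an empty string before any append, every write is bounded, and the result is always NUL-terminated (strncpy alone does not terminate when the source fills the buffer, so the last byte is written explicitly). The label-building routine and its inputs are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Start the buffer as a valid empty string so later appends have a NUL to find.
 * This is the step an uninitialised buffer passed to strcat() is missing. */
static void str_begin(char *dst, size_t cap)
{
    if (cap > 0) dst[0] = '\0';
}

/* Append src to dst (capacity cap bytes). Returns 0 on success, -1 when the
 * result would not fit; dst is then truncated but still NUL-terminated. */
static int str_append(char *dst, size_t cap, const char *src)
{
    size_t used = 0;
    while (used < cap && dst[used] != '\0') used++;   /* never read past cap */
    if (used == cap) {                                /* no terminator found */
        if (cap) dst[cap - 1] = '\0';
        return -1;
    }
    size_t room = cap - used - 1;                     /* bytes left before the NUL */
    size_t need = strlen(src);
    size_t n = need < room ? need : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return need <= room ? 0 : -1;
}

/* Copy with strncpy() but force termination: strncpy() writes no NUL when
 * strlen(src) >= cap - 1 bytes are copied, so set the last byte ourselves. */
static int str_copy(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return -1;
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return strlen(src) < cap ? 0 : -1;
}

/* Constructed use: build prefix + name into a buffer whose contents are
 * unknown, which is exactly the situation the commit above fixes. */
static int build_label(char *buf, size_t cap, const char *prefix, const char *name)
{
    str_begin(buf, cap);
    int rc = str_append(buf, cap, prefix);
    if (rc == 0) rc = str_append(buf, cap, name);
    return rc;
}
```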
Summary: _init_con_ssl_init_count should not go below zero. This can occur if a developer mistakenly calls ssl shutdown before calling ssl init. So adding the check to prevent this.
Reviewers: cedric
Subscribers: cedric
Differential Revision: https://phab.enlightenment.org/D1925
Signed-off-by: Cedric BAIL <cedric@osg.samsung.com>
* rename USE_GNUTLS and USE_OPENSSL to HAVE_GNUTLS and HAVE_OPENSSL
in ecore_con, to match other modules such as Eet.
* define requirements_pc_crypto, requirements_pc_deps_crypto and
requirements_libs_crypto so modules can use that.
* move to a common check section.
SVN revision: 80288