emile/ecore_con: drop SSLv3 support due to security issue.

author Cedric BAIL <cedric@osg.samsung.com>

Mon, 2 Nov 2015 22:11:09 +0000 (14:11 -0800)

committer Cedric BAIL <cedric@osg.samsung.com>

Mon, 2 Nov 2015 22:22:42 +0000 (14:22 -0800)
author Cedric BAIL <cedric@osg.samsung.com>
Mon, 2 Nov 2015 22:11:09 +0000 (14:11 -0800)
committer Cedric BAIL <cedric@osg.samsung.com>
Mon, 2 Nov 2015 22:22:42 +0000 (14:22 -0800)
diff --git a/src/lib/ecore_con/Ecore_Con.h b/src/lib/ecore_con/Ecore_Con.h

index 2971221adca6205e4aaf7e8c4c896f9399e0dff0..09363f76caf29149e844212c58aacd0d76301209 100644 (file)
--- a/src/lib/ecore_con/Ecore_Con.h
+++ b/src/lib/ecore_con/Ecore_Con.h
@@ -299,7 +299,7 @@ typedef enum _Ecore_Con_Type
     ECORE_CON_REMOTE_CORK = 8,
     /** Use SSL2: UNSUPPORTED. **/
     ECORE_CON_USE_SSL2 = (1 << 4),
-   /** Use SSL3 */
+   /** Use SSL3: UNSUPPORTED. **/
     ECORE_CON_USE_SSL3 = (1 << 5),
     /** Use TLS */
     ECORE_CON_USE_TLS = (1 << 6),
diff --git a/src/lib/ecore_con/ecore_con_private.h b/src/lib/ecore_con/ecore_con_private.h

index dff720be42ee5492da8f07542e57c30243171f7f..181ca44012abd3cddc4fe084d0fa1e90ed81c3a3 100644 (file)
--- a/src/lib/ecore_con/ecore_con_private.h
+++ b/src/lib/ecore_con/ecore_con_private.h
@@ -71,7 +71,8 @@ typedef enum _Ecore_Con_Ssl_Error
     ECORE_CON_SSL_ERROR_NOT_SUPPORTED,
     ECORE_CON_SSL_ERROR_INIT_FAILED,
     ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED,
-   ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED
+   ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED,
+   ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED
  } Ecore_Con_Ssl_Error;
  
  typedef enum _Ecore_Con_Ssl_Handshake
diff --git a/src/lib/ecore_con/ecore_con_ssl.c b/src/lib/ecore_con/ecore_con_ssl.c

index 03ce5699fd5dfe8d97dbdc93304bccfd52fe9113..d66262da8493097cf0812a18b36add4a074d294c 100644 (file)
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -497,6 +497,16 @@ ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
     if (!emile_cipher_init())
       return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
  
+   // We forcibly disable SSL3 now
+   if (ssl_type & ECORE_CON_USE_MIXED)
+     ssl_type &= ~ECORE_CON_USE_SSL3;
+
+   if (ssl_type & ECORE_CON_USE_SSL2)
+     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
+
+   if (ssl_type & ECORE_CON_USE_SSL3)
+     return ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED;
+
     return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
  }
  
@@ -754,13 +764,8 @@ _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *obj,
     Ecore_Con_Server_Data *svr = eo_data_scope_get(obj, ECORE_CON_SERVER_CLASS);
     int ret;
  
-   if (ssl_type & ECORE_CON_USE_SSL2)
-     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
     switch (ssl_type)
       {
-      case ECORE_CON_USE_SSL3:
-      case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
        case ECORE_CON_USE_TLS:
        case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
        case ECORE_CON_USE_MIXED:
@@ -1379,19 +1384,8 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
     long options;
     int dh = 0;
  
-   if (ssl_type & ECORE_CON_USE_SSL2)
-     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
     switch (ssl_type)
       {
-      case ECORE_CON_USE_SSL3:
-      case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
-        if (!svr->created)
-          SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_client_method())));
-        else
-          SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
-        break;
-
        case ECORE_CON_USE_TLS:
        case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
          if (!svr->created)
diff --git a/src/lib/emile/emile_cipher.h b/src/lib/emile/emile_cipher.h

index 74a1b51b9daa6fc6c23b096772b1aacb9c783a68..9d82d168bd9d3f2f12c835deac84891c0cf0a5a1 100644 (file)
--- a/src/lib/emile/emile_cipher.h
+++ b/src/lib/emile/emile_cipher.h
@@ -92,7 +92,6 @@ typedef struct _Emile_SSL Emile_SSL;
  typedef enum
  {
    EMILE_SSLv23,
-  EMILE_SSLv3,
    EMILE_TLSv1
  } Emile_Cipher_Type;
  
diff --git a/src/lib/emile/emile_cipher_openssl.c b/src/lib/emile/emile_cipher_openssl.c

index b7f03c2a1556fe88ac25110f256cd9e8e6ea1037..2bbe83fb505619dc8acc30963e83726455deed2e 100644 (file)
--- a/src/lib/emile/emile_cipher_openssl.c
+++ b/src/lib/emile/emile_cipher_openssl.c
@@ -294,9 +294,6 @@ emile_cipher_server_listen(Emile_Cipher_Type t)
           SSL_CTX_set_options(r->ssl_ctx,
                               options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
           break;
-      case EMILE_SSLv3:
-         r->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
-         break;
        case EMILE_TLSv1:
           r->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
           break;
@@ -742,9 +739,6 @@ emile_cipher_server_connect(Emile_Cipher_Type t)
           SSL_CTX_set_options(r->ssl_ctx,
                               options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
           break;
-      case EMILE_SSLv3:
-         r->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
-         break;
        case EMILE_TLSv1:
           r->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
           break;
diff --git a/src/tests/ecore_con/ecore_con_test_ecore_con.c b/src/tests/ecore_con/ecore_con_test_ecore_con.c

index 66182216ca06d7cbd192fb58269ce8107a0777c3..249f39ed8c840115072589f2b22176d816414a43 100644 (file)
--- a/src/tests/ecore_con/ecore_con_test_ecore_con.c
+++ b/src/tests/ecore_con/ecore_con_test_ecore_con.c
@@ -410,18 +410,6 @@ START_TEST(ecore_test_ecore_con_remote_nodelay)
  }
  END_TEST
  
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3_load_cert)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
  START_TEST(ecore_test_ecore_con_remote_tcp_tls)
  {
     _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -446,18 +434,6 @@ START_TEST(ecore_test_ecore_con_remote_tcp_mixed_load_cert)
  }
  END_TEST
  
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3_load_cert)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
  START_TEST(ecore_test_ecore_con_remote_nodelay_tls)
  {
     _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -595,15 +571,11 @@ void ecore_con_test_ecore_con(TCase *tc)
     tcase_add_test(tc, ecore_test_ecore_con_local_system_negport_fullpath);
     tcase_add_test(tc, ecore_test_ecore_con_local_abstract);
     tcase_add_test(tc, ecore_test_ecore_con_remote_tcp);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3_load_cert);
     tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls);
     tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls_load_cert);
     tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed);
     tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed_load_cert);
     tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3_load_cert);
     tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls);
     tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls_load_cert);
     tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_mixed);
author	Cedric BAIL <cedric@osg.samsung.com>
	Mon, 2 Nov 2015 22:11:09 +0000 (14:11 -0800)
committer	Cedric BAIL <cedric@osg.samsung.com>
	Mon, 2 Nov 2015 22:22:42 +0000 (14:22 -0800)
src/lib/ecore_con/Ecore_Con.h		patch \| blob \| history
src/lib/ecore_con/ecore_con_private.h		patch \| blob \| history
src/lib/ecore_con/ecore_con_ssl.c		patch \| blob \| history
src/lib/emile/emile_cipher.h		patch \| blob \| history
src/lib/emile/emile_cipher_openssl.c		patch \| blob \| history
src/tests/ecore_con/ecore_con_test_ecore_con.c		patch \| blob \| history