cedric pushed a commit to branch master. http://git.enlightenment.org/core/efl.git/commit/?id=ae5e2c82843a5dea2474b79f5426207495b465a8
commit ae5e2c82843a5dea2474b79f5426207495b465a8
Author: Cedric BAIL <ced...@osg.samsung.com>
Date: Mon Nov 2 14:11:09 2015 -0800
emile/ecore_con: drop SSLv3 support due to security issue.
SSLv3 has been compromised a year ago by what is known as POODLE (https://en.wikipedia.org/wiki/POODLE). Every major browser have now dropped support for SSLv3 and distribution are starting to do so also. It is a good timing for us to do so, especially as it breaks build on some distribution.
---
 src/lib/ecore_con/Ecore_Con.h | 2 +-
 src/lib/ecore_con/ecore_con_private.h | 3 ++-
 src/lib/ecore_con/ecore_con_ssl.c | 26 +++++++++---------------
 src/lib/emile/emile_cipher.h | 1 -
 src/lib/emile/emile_cipher_openssl.c | 6 ------
 src/tests/ecore_con/ecore_con_test_ecore_con.c | 28 --------------------------
 6 files changed, 13 insertions(+), 53 deletions(-)
diff --git a/src/lib/ecore_con/Ecore_Con.h b/src/lib/ecore_con/Ecore_Con.h
index 2971221..09363f7 100644
--- a/src/lib/ecore_con/Ecore_Con.h
+++ b/src/lib/ecore_con/Ecore_Con.h
@@ -299,7 +299,7 @@ typedef enum _Ecore_Con_Type
 ECORE_CON_REMOTE_CORK = 8,
 /** Use SSL2: UNSUPPORTED. **/
 ECORE_CON_USE_SSL2 = (1 << 4),
- /** Use SSL3 */
+ /** Use SSL3: UNSUPPORTED. **/
 ECORE_CON_USE_SSL3 = (1 << 5),
 /** Use TLS */
 ECORE_CON_USE_TLS = (1 << 6),
diff --git a/src/lib/ecore_con/ecore_con_private.h b/src/lib/ecore_con/ecore_con_private.h
index dff720b..181ca44 100644
--- a/src/lib/ecore_con/ecore_con_private.h
+++ b/src/lib/ecore_con/ecore_con_private.h
@@ -71,7 +71,8 @@ typedef enum _Ecore_Con_Ssl_Error
 ECORE_CON_SSL_ERROR_NOT_SUPPORTED,
 ECORE_CON_SSL_ERROR_INIT_FAILED,
 ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED,
- ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED
+ ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED,
+ ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED
 } Ecore_Con_Ssl_Error;

 typedef enum _Ecore_Con_Ssl_Handshake
diff --git a/src/lib/ecore_con/ecore_con_ssl.c b/src/lib/ecore_con/ecore_con_ssl.c
index 03ce569..d66262d 100644
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -497,6 +497,16 @@ ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
 if (!emile_cipher_init()) return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
+ // We forcibly disable SSL3 now
+ if (ssl_type & ECORE_CON_USE_MIXED)
+ ssl_type &= ~ECORE_CON_USE_SSL3;
+
+ if (ssl_type & ECORE_CON_USE_SSL2)
+ return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
+
+ if (ssl_type & ECORE_CON_USE_SSL3)
+ return ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED;
+
 return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
 }
@@ -754,13 +764,8 @@ _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *obj,
 Ecore_Con_Server_Data *svr = eo_data_scope_get(obj, ECORE_CON_SERVER_CLASS);
 int ret;

- if (ssl_type & ECORE_CON_USE_SSL2)
- return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
 switch (ssl_type)
 {
- case ECORE_CON_USE_SSL3:
- case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
 case ECORE_CON_USE_TLS:
 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
 case ECORE_CON_USE_MIXED:
@@ -1379,19 +1384,8 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server *obj,
 long options;
 int dh = 0;

- if (ssl_type & ECORE_CON_USE_SSL2)
- return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
 switch (ssl_type)
 {
- case ECORE_CON_USE_SSL3:
- case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
- if (!svr->created)
- SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_client_method())));
- else
- SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
- break;
-
 case ECORE_CON_USE_TLS:
 case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
 if (!svr->created)
diff --git a/src/lib/emile/emile_cipher.h b/src/lib/emile/emile_cipher.h
index 74a1b51..9d82d16 100644
--- a/src/lib/emile/emile_cipher.h
+++ b/src/lib/emile/emile_cipher.h
@@ -92,7 +92,6 @@ typedef struct _Emile_SSL Emile_SSL;
 typedef enum {
 EMILE_SSLv23,
- EMILE_SSLv3,
 EMILE_TLSv1
 } Emile_Cipher_Type;
diff --git a/src/lib/emile/emile_cipher_openssl.c b/src/lib/emile/emile_cipher_openssl.c
index b7f03c2..2bbe83f 100644
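Review bot: The `if (ssl_type & ECORE_CON_USE_MIXED)` guard added to ecore_con_ssl_server_prepare() strips the SSL3 bit whenever any bit of the mixed mask is set, so if ECORE_CON_USE_MIXED is the SSL3|TLS combination its name suggests, a caller passing ECORE_CON_USE_SSL3 alone has its only protocol bit cleared, never reaches the new `return ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED;`, and the backend is handed a type with no protocol bit instead of an explicit error. A full-mask comparison limits the downgrade to genuinely mixed requests: `if ((ssl_type & ECORE_CON_USE_MIXED) == ECORE_CON_USE_MIXED)`. Once mixed requests are reduced to TLS here, the `case ECORE_CON_USE_MIXED:` label kept as context in the gnutls hunk below can no longer match and deserves either removal or a comment saying so. This filter only rewrites the requested flags; whether the TLS contexts the backends create still accept an SSLv3 peer depends on the method and options set further down in ecore_con_ssl.c, outside these hunks, which are worth checking for SSL_OP_NO_SSLv3. ecore_con_ssl_server_prepare() starts outside the hunk.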
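Review bot: Removing `EMILE_SSLv3` from the middle of Emile_Cipher_Type renumbers `EMILE_TLSv1` from 2 to 1 (the enum has no explicit values), so a consumer built against the previous emile_cipher.h that passes EMILE_TLSv1 now hands a value that matches no case in emile_cipher_server_listen()/emile_cipher_server_connect(). If the installed header is meant to stay ABI-stable, keeping the slot (`EMILE_SSLv3, /**< Deprecated: no longer supported, rejected by the cipher functions. */`) and returning an error for it in both functions preserves the numbering; if Emile is still unstable API, that intent is worth stating next to the removal.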
--- a/src/lib/emile/emile_cipher_openssl.c
+++ b/src/lib/emile/emile_cipher_openssl.c
@@ -294,9 +294,6 @@ emile_cipher_server_listen(Emile_Cipher_Type t)
 SSL_CTX_set_options(r->ssl_ctx, options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
 break;
- case EMILE_SSLv3:
- r->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
- break;
 case EMILE_TLSv1:
 r->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
 break;
@@ -742,9 +739,6 @@ emile_cipher_server_connect(Emile_Cipher_Type t)
 SSL_CTX_set_options(r->ssl_ctx, options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
 break;
- case EMILE_SSLv3:
- r->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
- break;
 case EMILE_TLSv1:
 r->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
 break;
diff --git a/src/tests/ecore_con/ecore_con_test_ecore_con.c b/src/tests/ecore_con/ecore_con_test_ecore_con.c
index 6618221..249f39e 100644
--- a/src/tests/ecore_con/ecore_con_test_ecore_con.c
+++ b/src/tests/ecore_con/ecore_con_test_ecore_con.c
@@ -410,18 +410,6 @@ START_TEST(ecore_test_ecore_con_remote_nodelay)
 }
 END_TEST

-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3_load_cert)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_tcp_tls)
 {
 _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
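Review bot: Dropping the `EMILE_SSLv3` case removes the explicit SSLv3 context, but the `EMILE_SSLv23` path kept as context two lines above still only sets `SSL_OP_NO_SSLv2`; if that path uses a version-flexible method as its name suggests, a context created through it can still negotiate SSLv3 with a peer that offers it, which is the protocol this commit sets out to drop. Adding the flag to the option mask closes that path: `SSL_CTX_set_options(r->ssl_ctx, options | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE);`. The same applies to the second hunk in emile_cipher_server_connect(); both functions start and end outside their hunks.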
@@ -446,18 +434,6 @@ START_TEST(ecore_test_ecore_con_remote_tcp_mixed_load_cert)
 }
 END_TEST

-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3_load_cert)
-{
- _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_nodelay_tls)
 {
 _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -595,15 +571,11 @@ void ecore_con_test_ecore_con(TCase *tc)
 tcase_add_test(tc, ecore_test_ecore_con_local_system_negport_fullpath);
 tcase_add_test(tc, ecore_test_ecore_con_local_abstract);
 tcase_add_test(tc, ecore_test_ecore_con_remote_tcp);
- tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3);
- tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3_load_cert);
 tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls);
 tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls_load_cert);
 tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed);
 tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed_load_cert);
 tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay);
- tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3);
- tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3_load_cert);
 tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls);
 tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls_load_cert);
 tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_mixed);
--