view patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch @ 1371:23df332b2a4c

(issue179) Read install signature timestamp from config This also changes the way the sigDt is propgated to the MainWindow. It no longer uses the settings but hands it over as a parameter directly.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 24 Nov 2014 15:48:49 +0100
parents 93325618ac7b
children
line wrap: on
line source
From 6389827510dbeed12dfcc4a50d885fd70de6ac65 Mon Sep 17 00:00:00 2001
From: Andre Heinecke <aheinecke@intevation.de>
Date: Tue, 2 Sep 2014 09:58:44 +0200
Subject: [PATCH 1/2] Add possibility to force polarssl ciphersuites.

---
 lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 5332b92..08dc4c6 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -55,6 +55,7 @@
 #include "select.h"
 #include "rawstr.h"
 #include "polarssl_threadlock.h"
+#include "strtok.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -67,6 +68,8 @@
 #define THREADING_SUPPORT
 #endif
 
+#define MAX_CIPHERSUITES 255
+
 #if defined(THREADING_SUPPORT)
 static entropy_context entropy;
 
@@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line)
 
 static Curl_recv polarssl_recv;
 static Curl_send polarssl_send;
-
+static int ciphersuites[MAX_CIPHERSUITES + 1];
 
 static CURLcode
 polarssl_connect_step1(struct connectdata *conn,
@@ -318,7 +321,41 @@ polarssl_connect_step1(struct connectdata *conn,
               net_recv, &conn->sock[sockindex],
               net_send, &conn->sock[sockindex]);
 
-  ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+  if(!data->set.str[STRING_SSL_CIPHER_LIST])
+    ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+  else {
+    /* Convert string input to polarssl cipher id's */
+    char *tmp,
+         *token,
+         *tok_buf;
+    int i = 0;
+
+    memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);
+
+    tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]);
+    if(!tmp)
+      return CURLE_OUT_OF_MEMORY;
+
+    for (token = strtok_r(tmp, ":", &tok_buf);
+         token != NULL;
+         token = strtok_r(NULL, ":", &tok_buf)) {
+
+      ciphersuites[i] = ssl_get_ciphersuite_id(token);
+      if (!ciphersuites[i]) {
+        infof(data, "WARNING: failed to set cipher: %s\n", token);
+        /* Do not increase i as the first 0 is the end
+           of the list so we overwrite it with the next
+           valid cipher. Maybe we should fail? */
+        continue;
+      }
+      i++;
+    }
+    free(tmp);
+    /* Beware, polarssl does not make a copy of the ciphersuites
+       so the data needs to be valid during the call. */
+    ssl_set_ciphersuites(&connssl->ssl, ciphersuites);
+  }
+
   if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
     memcpy(&connssl->ssn, old_session, old_session_size);
     infof(data, "PolarSSL re-using session\n");
-- 
1.9.1

http://wald.intevation.org/projects/trustbridge/