Mercurial > trustbridge
view patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch @ 1395:a2574a029322
Fix Base 64 signature size calculation.
If the signature byte size is not equally dividable
by three the base 64 encoding needs three additional bytes.
The value is now fixed to avoid such errors in the future.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 26 Jan 2015 13:17:32 +0100 |
parents | 93325618ac7b |
children |
line wrap: on
line source
From 6389827510dbeed12dfcc4a50d885fd70de6ac65 Mon Sep 17 00:00:00 2001 From: Andre Heinecke <aheinecke@intevation.de> Date: Tue, 2 Sep 2014 09:58:44 +0200 Subject: [PATCH 1/2] Add possibility to force polarssl ciphersuites. --- lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index 5332b92..08dc4c6 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -55,6 +55,7 @@ #include "select.h" #include "rawstr.h" #include "polarssl_threadlock.h" +#include "strtok.h" #define _MPRINTF_REPLACE /* use our functions only */ #include <curl/mprintf.h> @@ -67,6 +68,8 @@ #define THREADING_SUPPORT #endif +#define MAX_CIPHERSUITES 255 + #if defined(THREADING_SUPPORT) static entropy_context entropy; @@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line) static Curl_recv polarssl_recv; static Curl_send polarssl_send; - +static int ciphersuites[MAX_CIPHERSUITES + 1]; static CURLcode polarssl_connect_step1(struct connectdata *conn, @@ -318,7 +321,41 @@ polarssl_connect_step1(struct connectdata *conn, net_recv, &conn->sock[sockindex], net_send, &conn->sock[sockindex]); - ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); + if(!data->set.str[STRING_SSL_CIPHER_LIST]) + ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); + else { + /* Convert string input to polarssl cipher id's */ + char *tmp, + *token, + *tok_buf; + int i = 0; + + memset(ciphersuites, 0, MAX_CIPHERSUITES + 1); + + tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]); + if(!tmp) + return CURLE_OUT_OF_MEMORY; + + for (token = strtok_r(tmp, ":", &tok_buf); + token != NULL; + token = strtok_r(NULL, ":", &tok_buf)) { + + ciphersuites[i] = ssl_get_ciphersuite_id(token); + if (!ciphersuites[i]) { + infof(data, "WARNING: failed to set cipher: %s\n", token); + /* Do not increase i as the first 0 is the end + of the list so we overwrite it with the next + valid cipher. Maybe we should fail? */ + continue; + } + i++; + } + free(tmp); + /* Beware, polarssl does not make a copy of the ciphersuites + so the data needs to be valid during the call. */ + ssl_set_ciphersuites(&connssl->ssl, ciphersuites); + } + if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) { memcpy(&connssl->ssn, old_session, old_session_size); infof(data, "PolarSSL re-using session\n"); -- 1.9.1