view patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch @ 1243:cf5784d2c3a8
(issue54) Safeguard to prohibit starting the application as root
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Wed, 24 Sep 2014 19:22:47 +0200 |
parents | 93325618ac7b |
children |
From 6389827510dbeed12dfcc4a50d885fd70de6ac65 Mon Sep 17 00:00:00 2001
From: Andre Heinecke <aheinecke@intevation.de>
Date: Tue, 2 Sep 2014 09:58:44 +0200
Subject: [PATCH 1/2] Add possibility to force polarssl ciphersuites.
---
 lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 5332b92..08dc4c6 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -55,6 +55,7 @@
 #include "select.h"
 #include "rawstr.h"
 #include "polarssl_threadlock.h"
+#include "strtok.h"
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -67,6 +68,8 @@
 #define THREADING_SUPPORT
 #endif
+#define MAX_CIPHERSUITES 255
+
 #if defined(THREADING_SUPPORT)
 static entropy_context entropy;
@@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line)
 static Curl_recv polarssl_recv;
 static Curl_send polarssl_send;
-
+static int ciphersuites[MAX_CIPHERSUITES + 1];
 static CURLcode
 polarssl_connect_step1(struct connectdata *conn,
@@ -318,7 +321,41 @@ polarssl_connect_step1(struct connectdata *conn,
 net_recv, &conn->sock[sockindex],
 net_send, &conn->sock[sockindex]);
- ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+ if(!data->set.str[STRING_SSL_CIPHER_LIST])
+ ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+ else {
+ /* Convert string input to polarssl cipher id's */
+ char *tmp,
+ *token,
+ *tok_buf;
+ int i = 0;
+
+ memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);
+
+ tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]);
+ if(!tmp)
+ return CURLE_OUT_OF_MEMORY;
+
+ for (token = strtok_r(tmp, ":", &tok_buf);
+ token != NULL;
+ token = strtok_r(NULL, ":", &tok_buf)) {
+
+ ciphersuites[i] = ssl_get_ciphersuite_id(token);
+ if (!ciphersuites[i]) {
+ infof(data, "WARNING: failed to set cipher: %s\n", token);
+ /* Do not increase i as the first 0 is the end
+ of the list so we overwrite it with the next
+ valid cipher. Maybe we should fail? */
+ continue;
+ }
+ i++;
+ }
+ free(tmp);
+ /* Beware, polarssl does not make a copy of the ciphersuites
+ so the data needs to be valid during the call. */
+ ssl_set_ciphersuites(&connssl->ssl, ciphersuites);
+ }
+
 if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
 memcpy(&connssl->ssn, old_session, old_session_size);
 infof(data, "PolarSSL re-using session\n");
--
1.9.1
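Review bot: `memset(ciphersuites, 0, MAX_CIPHERSUITES + 1)` in the new else-branch clears 256 bytes, not the 256 `int` slots of the array, so after a long list from an earlier connection the entries past the cleared prefix keep stale ids and the loop's reliance on a pre-existing 0 terminator no longer holds; use `memset(ciphersuites, 0, sizeof(ciphersuites));`. The loop also never bounds `i`, so a list with more than 255 recognised names writes past the end of the array; `token != NULL && i < MAX_CIPHERSUITES;` as the loop condition keeps the last slot free for the terminator. When no name is recognised `i` stays 0 and an empty list is handed to PolarSSL, so returning `CURLE_SSL_CIPHER` after the loop when `i == 0` (or on any unrecognised name, as the in-code comment already wonders) makes a mistyped cipher list fail loudly instead of silently changing what is negotiated. Because `ssl_set_ciphersuites` keeps the pointer rather than copying (as the "Beware" comment notes), the process-wide static `ciphersuites` array declared in the earlier hunk is rewritten by every later connection that sets a cipher list, so an earlier, still-live ssl context can end up negotiating with another handle's list; per-connection storage (e.g. alongside the other `connssl` state) would avoid that. polarssl_connect_step1 begins and ends outside the hunk.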