# HG changeset patch # User Emanuel Schuetze # Date 1409651715 -7200 # Node ID 2fb6071c666959008b6d34f178e9224ca6a45744 # Parent b75bd6686f43e88661793272745106a40d3215a4# Parent 6aa115b206dfe54b1b76e8c65f0a774175b21552 Merged diff -r b75bd6686f43 -r 2fb6071c6669 INSTALL --- a/INSTALL Tue Sep 02 11:52:59 2014 +0200 +++ b/INSTALL Tue Sep 02 11:55:15 2014 +0200 @@ -61,12 +61,21 @@ cmake .. -DCMAKE_C_FLAGS=-fpic -DCMAKE_INSTALL_PREFIX=$YOURPREFIX make && make test && make install +Trustbridge checkout: +At this point you need a trustbridge checkout as curl needs to be patched +to enable the certificate pinning and the force of SSL Ciphersuites when +using polarssl. + + hg clone https://wald.intevation.org/hg/trustbridge/ + Libcurl: + wget http://curl.haxx.se/download/curl-7.37.1.tar.gz a32492a38c10a097344892f5fd2041e54698cb909696852311b1161e4aa979f3 curl-7.37.1.tar.gz tar -xf curl-7.37.1.tar.gz cd curl-7.37.1/ + patch -p1 < ../trustbridge/patches/*.patch mkdir build cd build @@ -84,7 +93,6 @@ To compile the software you can use plain cmake. An out of source build is highly suggested. For build options see CMakeList.txt - hg clone https://wald.intevation.org/hg/trustbridge/ cd trustbridge hg clone https://wald.intevation.org/hg/trustbridge/nss-cmake-static mkdir build-linux @@ -171,13 +179,15 @@ cp polarssl-1.3.7-gpl.tgz hiawatha-9.5/polarssl/polarssl.tgz cd hiawatha-9.5/polarssl sed -i 's/wget.*//' upgrade - ./upgrade 1.3.7 + ./upgrade 1.3.8 cd .. mkdir build cd build cmake .. -DCMAKE_INSTALL_PREFIX=$YOURPREFIX make && make install + + Osslsigncode (for binverify unit test) ====================================== Osslsigncode is used to create PKCS#7 embedded signatures for Windows Authenticode 
@@ -232,7 +242,7 @@ cmake .. \ -DCMAKE_PREFIX_PATH="$MXETARGET/qt5;$MXETARGET;" \ -DCMAKE_TOOLCHAIN_FILE="$MXETARGET/share/cmake/mxe-conf.cmake" \ - -DCMAKE_VERBOSE_MAKEFILE=True + -DCMAKE_VERBOSE_MAKEFILE=True -DUSE_CURL=OFF Runtime Depdendencies ===================== diff -r b75bd6686f43 -r 2fb6071c6669 patches/0001-Implement-CURLOPT_SSLVERSION-for-polarssl.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/0001-Implement-CURLOPT_SSLVERSION-for-polarssl.patch Tue Sep 02 11:55:15 2014 +0200 
@@ -0,0 +1,47 @@
+From bebf7d617091042828fc5838170b35c42ab60396 Mon Sep 17 00:00:00 2001
+From: Andre Heinecke
+Date: Mon, 1 Sep 2014 16:06:03 +0200
+Subject: [PATCH 1/3] Implement CURLOPT_SSLVERSION for polarssl
+
+ Forwards the setting as minimum ssl version to polarssl.
+ If the server does not support the requested version the
+ SSL Handshake will fail.
+---
+ lib/vtls/polarssl.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
+index f948486..e18cadf 100644
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -270,6 +270,27 @@ polarssl_connect_step1(struct connectdata *conn,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
++ if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) {
++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
++ SSL_MINOR_VERSION_0);
++ infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n");
++ }
++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_0) {
++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
++ SSL_MINOR_VERSION_1);
++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n");
++ }
++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_1) {
++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
++ SSL_MINOR_VERSION_2);
++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n");
++ }
++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_2) {
++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
++ SSL_MINOR_VERSION_3);
++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n");
++ }
++
+ ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
+ ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
+
+--
+1.9.1
+
diff -r b75bd6686f43 -r 2fb6071c6669 patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch Tue Sep 02 11:55:15 2014 +0200
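Review bot: `CURL_SSLVERSION_TLSv1`, `CURL_SSLVERSION_SSLv2` and the default value match none of the four branches added to polarssl_connect_step1, so for those settings no minimum is set and nothing is logged; a caller asking for "TLS 1.x" silently gets whatever floor the PolarSSL build defaults to. Consider mapping `CURL_SSLVERSION_TLSv1` to `SSL_MINOR_VERSION_1` as well, and documenting the fall-through above the chain with a comment such as `/* DEFAULT and SSLv2 are not mapped: PolarSSL's built-in minimum applies */`. Only the minimum is forwarded, as the commit message says, so the option name suggests an exact version while the code permits anything newer; a one-line comment stating that would help the next reader. The function body starts and ends outside the hunk.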
@@ -0,0 +1,138 @@
+From c57d951c3bda8b1ca66cac45dfd6270fa34b01d3 Mon Sep 17 00:00:00 2001
+From: Andre Heinecke
+Date: Mon, 1 Sep 2014 16:55:40 +0200
+Subject: [PATCH 2/3] Add CURLOPT_PEERCERT option to pin a peer cert
+
+ Only implemented for a specific usecase with polarssl
+---
+ include/curl/curl.h | 3 +++
+ include/curl/typecheck-gcc.h | 1 +
+ lib/url.c | 8 ++++++++
+ lib/urldata.h | 1 +
+ lib/vtls/polarssl.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 5 files changed, 53 insertions(+), 2 deletions(-)
+
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index d40b2db..20a9d82 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -1611,6 +1611,9 @@ typedef enum {
+ /* Pass in a bitmask of "header options" */
+ CINIT(HEADEROPT, LONG, 229),
+
++ /* Peer certificate */
++ CINIT(PEERCERT, OBJECTPOINT, 230),
++
+ CURLOPT_LASTENTRY /* the last unused */
+ } CURLoption;
+
+diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
+index 69d41a2..241529d 100644
+--- a/include/curl/typecheck-gcc.h
++++ b/include/curl/typecheck-gcc.h
+@@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist,
+ (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \
+ (option) == CURLOPT_CRLFILE || \
+ (option) == CURLOPT_ISSUERCERT || \
++ (option) == CURLOPT_PEERCERT || \
+ (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \
+ (option) == CURLOPT_SSH_KNOWNHOSTS || \
+ (option) == CURLOPT_MAIL_FROM || \
+diff --git a/lib/url.c b/lib/url.c
+index 89c3fd5..b089cdf 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
+ result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
+ va_arg(param, char *));
+ break;
++ case CURLOPT_PEERCERT:
++ /*
++ * Set peer certificate file
++ * to check peer certificate against
++ */
++ result = setstropt(&data->set.str[STRING_SSL_PEERCERT],
++ va_arg(param, char *));
++ break;
+ case CURLOPT_TELNETOPTIONS:
+ /*
+ * Set a linked list of telnet options
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 8594c2f..a6dc1ae 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1391,6 +1391,7 @@ enum dupstring {
+ STRING_USERAGENT, /* User-Agent string */
+ STRING_SSL_CRLFILE, /* crl file to check certificate */
+ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
++ STRING_SSL_PEERCERT, /* issuer cert file to check certificate */
+ STRING_USERNAME, /* , if used */
+ STRING_PASSWORD, /* , if used */
+ STRING_OPTIONS, /* , if used */
+diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
+index e18cadf..2c40e36 100644
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -360,6 +360,7 @@ polarssl_connect_step2(struct connectdata *conn,
+ #ifdef HAS_ALPN
+ const char* next_protocol;
+ #endif
++ const x509_crt *peer_cert = NULL;
+
+ char errorbuf[128];
+ memset(errorbuf, 0, sizeof(errorbuf));
+@@ -419,12 +420,49 @@ polarssl_connect_step2(struct connectdata *conn,
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+
+- if(ssl_get_peer_cert(&(connssl->ssl))) {
++ peer_cert = ssl_get_peer_cert(&(connssl->ssl));
++ if(peer_cert) {
++ if(data->set.str[STRING_SSL_PEERCERT]) {
++ x509_crt pinned_cert;
++ unsigned int i;
++
++ /* Handle pinned certificate */
++ x509_crt_init(&pinned_cert);
++ ret = x509_crt_parse_file(&pinned_cert,
++ data->set.str[STRING_SSL_PEERCERT]);
++
++ if(ret) {
++#ifdef POLARSSL_ERROR_C
++ error_strerror(ret, errorbuf, sizeof(errorbuf));
++#endif /* POLARSSL_ERROR_C */
++ failf(data, "Error reading peer cert file %s - PolarSSL: (-0x%04X) %s",
++ data->set.str[STRING_SSL_PEERCERT], -ret, errorbuf);
++
++ x509_crt_free(&pinned_cert);
++ return CURLE_PEER_FAILED_VERIFICATION;
++ }
++
++ if (peer_cert->raw.len == 0 ||
++ peer_cert->raw.len != pinned_cert.raw.len) {
++ failf(data, "Error validating peer certificate. Size does "
++ "not match the certificate set with PEERCERT option.\n");
++ x509_crt_free(&pinned_cert);
++ return CURLE_PEER_FAILED_VERIFICATION;
++ }
++ for (i = 0; i < peer_cert->raw.len; i++) {
++ if (peer_cert->raw.p[i] != pinned_cert.raw.p[i]) {
++ failf(data, "Error validating peer certificate. Does "
++ "not match the certificate set with PEERCERT option.\n");
++ return CURLE_PEER_FAILED_VERIFICATION;
++ }
++ }
++ }
++
+ /* If the session was resumed, there will be no peer certs */
+ memset(buffer, 0, sizeof(buffer));
+
+ if(x509_crt_info(buffer, sizeof(buffer), (char *)"* ",
+- ssl_get_peer_cert(&(connssl->ssl))) != -1)
++ peer_cert) != -1)
+ infof(data, "Dumping cert info:\n%s\n", buffer);
+ }
+
+--
+1.9.1
+
diff -r b75bd6686f43 -r 2fb6071c6669 patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch Tue Sep 02 11:55:15 2014 +0200
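Review bot: The pin set with CURLOPT_PEERCERT is only compared inside `if(peer_cert)` in polarssl_connect_step2, so when ssl_get_peer_cert() returns NULL (the existing comment says this happens for a resumed session) the connection is accepted without the pinned certificate ever being checked; a handle that carries a pin should fail closed there, which may mean not reusing sessions on pinned handles. `pinned_cert` is also leaked on the byte-mismatch return and on the success path, because x509_crt_free() is called only for the parse and size errors. The sketch below adds the NULL check, replaces the byte loop with memcmp() and frees the parsed certificate on every path; the function body starts and ends outside the hunk. Separately, the new `STRING_SSL_PEERCERT` entry in lib/urldata.h carries the copied comment `/* issuer cert file to check certificate */`; `/* peer cert file the server certificate is pinned to */` would describe it.

```c
  peer_cert = ssl_get_peer_cert(&(connssl->ssl));
  if(!peer_cert && data->set.str[STRING_SSL_PEERCERT]) {
    /* a pin was requested but there is nothing to compare it with */
    failf(data, "No peer certificate available to check against the "
          "certificate set with PEERCERT option.\n");
    return CURLE_PEER_FAILED_VERIFICATION;
  }
  if(peer_cert) {
    if(data->set.str[STRING_SSL_PEERCERT]) {
      /* … unchanged: x509_crt_init/parse, read-error and size checks
         (the local `i` is no longer needed) … */
      if(memcmp(peer_cert->raw.p, pinned_cert.raw.p, peer_cert->raw.len)) {
        failf(data, "Error validating peer certificate. Does "
              "not match the certificate set with PEERCERT option.\n");
        x509_crt_free(&pinned_cert);
        return CURLE_PEER_FAILED_VERIFICATION;
      }
      x509_crt_free(&pinned_cert);
    }
    /* … unchanged: cert info dump … */
```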
@@ -0,0 +1,85 @@
+From a36ec2b65e81109c151759b282c221daf91b83ee Mon Sep 17 00:00:00 2001
+From: Andre Heinecke
+Date: Tue, 2 Sep 2014 09:58:44 +0200
+Subject: [PATCH] Add possibility to force polarssl ciphersuites.
+
+---
+ lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
+index 2c40e36..c3f1b8e 100644
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -55,6 +55,7 @@
+ #include "select.h"
+ #include "rawstr.h"
+ #include "polarssl_threadlock.h"
++#include "strtok.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include
+@@ -67,6 +68,8 @@
+ #define THREADING_SUPPORT
+ #endif
+
++#define MAX_CIPHERSUITES 255
++
+ #if defined(THREADING_SUPPORT)
+ static entropy_context entropy;
+
+@@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line)
+
+ static Curl_recv polarssl_recv;
+ static Curl_send polarssl_send;
+-
++static int ciphersuites[MAX_CIPHERSUITES + 1];
+
+ static CURLcode
+ polarssl_connect_step1(struct connectdata *conn,
+@@ -300,7 +303,41 @@ polarssl_connect_step1(struct connectdata *conn,
+ net_recv, &conn->sock[sockindex],
+ net_send, &conn->sock[sockindex]);
+
+- ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
++ if(!data->set.str[STRING_SSL_CIPHER_LIST])
++ ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
++ else {
++ /* Convert string input to polarssl cipher id's */
++ char *tmp,
++ *token,
++ *tok_buf;
++ int i = 0;
++
++ memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);
++
++ tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]);
++ if(!tmp)
++ return CURLE_OUT_OF_MEMORY;
++
++ for (token = strtok_r(tmp, ":", &tok_buf);
++ token != NULL;
++ token = strtok_r(NULL, ":", &tok_buf)) {
++
++ ciphersuites[i] = ssl_get_ciphersuite_id(token);
++ if (!ciphersuites[i]) {
++ infof(data, "WARNING: failed to set cipher: %s\n", token);
++ /* Do not increase i as the
first 0 is the end ++ of the list so we overwrite it with the next ++ valid cipher. Maybe we should fail? */ ++ continue; ++ } ++ i++; ++ } ++ free(tmp); ++ /* Beware, polarssl does not make a copy of the ciphersuites ++ so the data needs to be valid during the call. */ ++ ssl_set_ciphersuites(&connssl->ssl, ciphersuites); ++ } ++ + if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) { + memcpy(&connssl->ssn, old_session, old_session_size); + infof(data, "PolarSSL re-using session\n"); +-- +1.9.1 + diff -r b75bd6686f43 -r 2fb6071c6669 ui/administratorwindow.cpp --- a/ui/administratorwindow.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/administratorwindow.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -23,12 +23,17 @@ #include #include #include +#include +#include #include "certificatetabledelegate.h" #include "createinstallerdialog.h" #include "createcertlistdialog.h" #include "certificatediffdialog.h" #include "aboutdialog.h" +#include "util.h" + +#define HELP_PATH "/doc/index.html" AdministratorWindow::AdministratorWindow() { setWindowTitle(tr("TrustBridge Administration")); @@ -53,10 +58,13 @@ menuBar->addMenu(menu); QAction *createInstaller = menu->addAction(tr("Create installer ...")); QAction *about = menu->addAction(tr("About TrustBridge")); + QAction *help = menu->addAction(tr("Help")); + help->setIcon(QIcon(":/img/show-help_16.png")); menu->addSeparator(); QAction *quit = menu->addAction(tr("Quit")); connect(createInstaller, SIGNAL(triggered()), this, SLOT(createInstaller())); connect(about, SIGNAL(triggered()), this, SLOT(showAbout())); + connect(help, SIGNAL(triggered()), this, SLOT(showHelp())); connect(quit, SIGNAL(triggered()), qApp, SLOT(quit())); setMenuBar(menuBar); } 
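Review bot: The token loop added to polarssl_connect_step1 writes `ciphersuites[i]` with no bound on `i`, so a CURLOPT_SSL_CIPHER_LIST string with more than MAX_CIPHERSUITES valid names runs past the static array; bound the loop condition, `token != NULL && i < MAX_CIPHERSUITES;`. The preceding `memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);` clears 256 bytes rather than 256 ints, so ids left over from an earlier, longer list can survive behind a shorter one and the terminating 0 is not guaranteed; use `memset(ciphersuites, 0, sizeof(ciphersuites));`. Because the array is a single file-scope static and PolarSSL keeps the pointer, every connection shares and overwrites the same list, which looks unsafe with THREADING_SUPPORT or with two handles that use different lists; a per-connection array would avoid that. When every name is unknown the list ends up empty, which is the "Maybe we should fail?" case in the comment, and returning `CURLE_SSL_CIPHER` there would be the fail-closed choice.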
@@ -298,3 +306,27 @@ } return changed; } + +void AdministratorWindow::showHelp() +{ + char *inst_dir = get_install_dir(); + if (!inst_dir) { + qDebug() << "Failed to find install dir"; + return; + } + QString helpPath = QString::fromUtf8(inst_dir); + helpPath += HELP_PATH; + QFileInfo fiHelp(helpPath); + qDebug() << "Opening help: " << fiHelp.absoluteFilePath(); + if (!fiHelp.exists()) { + QMessageBox::warning(this, tr("Error!"), tr ("Failed to find the manual")); + return; + } +#ifdef Q_OS_WIN + QDesktopServices::openUrl(QUrl("file:///" + fiHelp.absoluteFilePath())); +#else + QDesktopServices::openUrl(QUrl(fiHelp.absoluteFilePath())); +#endif + free (inst_dir); + return; +} diff -r b75bd6686f43 -r 2fb6071c6669 ui/administratorwindow.h --- a/ui/administratorwindow.h Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/administratorwindow.h Tue Sep 02 11:55:15 2014 +0200 @@ -60,6 +60,7 @@ private slots: void createInstaller(); void showAbout(); + void showHelp(); void loadCertificateFile(); void saveCertificateFile(); void addCertificates(); diff -r b75bd6686f43 -r 2fb6071c6669 ui/installwrapper.cpp --- a/ui/installwrapper.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/installwrapper.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -96,7 +96,7 @@ shExecInfo.cbSize = sizeof(SHELLEXECUTEINFOW); shExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS; - if (!is_admin() || !is_system_install()) { + if (!is_system_install()) { shExecInfo.lpVerb = L"open"; } else { shExecInfo.lpVerb = L"runas"; diff -r b75bd6686f43 -r 2fb6071c6669 ui/l10n/trustbridge_de_DE.ts --- a/ui/l10n/trustbridge_de_DE.ts Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/l10n/trustbridge_de_DE.ts Tue Sep 02 11:55:15 2014 +0200 
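Review bot: `inst_dir` is freed only on the last lines of AdministratorWindow::showHelp(), so the early return after the "Failed to find the manual" warning leaks the buffer returned by get_install_dir(); since nothing reads it after the `QString::fromUtf8(inst_dir)` copy, call `free(inst_dir);` directly after that line. On the non-Windows branch `QUrl(fiHelp.absoluteFilePath())` builds a URL without a scheme, and the Windows branch concatenates the path unescaped; `QDesktopServices::openUrl(QUrl::fromLocalFile(fiHelp.absoluteFilePath()));` handles both platforms, escapes characters such as `#` or `%` in the install path and removes the need for the `#ifdef Q_OS_WIN` split.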
@@ -184,29 +184,29 @@ Neue Vorschläge für Wurzelzertifikate sind verfügbar. Klicken Sie hier zum Installieren. - - + + Check for Updates Neue Empfehlungen suchen - - + + Quit Beenden - + TrustBridge TrustBridge - + Installed certificates from: Empfehlungen bereits berücksichtigt bis: - + TrustBridge Version: TrustBridge Version: @@ -215,19 +215,19 @@ Zuletzt nach Aktualisierungen gesucht: - - + + Last successful update check: Zuletzt nach neuen Empfehlungen gesucht: - + Updates Neue Empfehlungen - + Revoked certificates Abgeratene @@ -242,41 +242,41 @@ Aktualisierungen (%1/%2) - - + + Quit without saving Beenden ohne Schreiben - - + + Remove revoked certificates (%1/%2) Abgeratene Wurzelzertifikate entfernen (%1/%2) - + Trusted certificates Empfohlene Wurzelzertifikate - + The following list of trusted root certificates is managed by the BSI. The BSI validates independently the authenticity, security and actuality of these certificates. Die folgenden Wurzelzertifikate wurden bisher vom BSI zur Installation vorgeschlagen. Sie können erkennen, welche Sie bereits geschrieben haben. - + Please choose the certificates you want to trust or untrust. TrustBridge will install these certificates for your secure communication for email and internet. Legen Sie fest, ob Sie der Empfehlung ganz oder teilweise folgen möchten. TrustBridge wird die Änderungen an den Wurzelzertifikaten vornehmen. - + Trusted certificates Empfohlene Wurzelzertifikate - + Information and help Informationen 
@@ -303,31 +303,31 @@ Aktualisierungen einspielen - - + + Install new trusted certificates (%1/%2) Neue, empfohlene Wurzelzertifikate installieren (%1/%2) - - - - - - - - - + + + + + + + + + Show details Details einblenden - + Revoked certificates Abgeratene Wurzelzertifikate - + Certificates can be corrupted or stolen and misused in many ways. Therefore the BSI recommends to remove all revoked certificates from your system. Wurzelzertifikate können veraltet sein, korrumpiert, gestohlen oder missbraucht werden. Die Wurzelzertifikate , von denen das BSI abrät, sollten umgehend entfernt werden. @@ -336,15 +336,15 @@ Von den folgenden, ehemals empfohlenen Wurzelzerts, rät das BSI nun ab. Über diese Anwendung können sie auch nicht mehr installiert werden. Markieren Sie verbleibende Wurzelzerts zur Löschung, sobald Sie können. - - - - + + + + Manually changed certificates (%1) Abweichend zu behandelnde Wurzelzertifikate (%1) - + Trust in your digital communication Vertrauen in Ihre digitale Kommunikation @@ -353,8 +353,8 @@ Änderungen - - + + Certificates unchanged Wurzelzertifikate unverändert @@ -371,46 +371,46 @@ Es wird empfohlen, die nachfolgenden Änderungen an Ihren Wurzelzertifikaten zu übernehmen. - + Apply changes Änderungen schreiben - + Version: Version: - + An updated certificate list is available. Neue Vorschläge für Wurzelzertifikate sind verfügbar. - + Click here to install. Klicken Sie hier zum Installieren. - - + + An update for %1 is available. Eine Aktualisierung für %1 ist verfügbar. - + Click here to download and install the update. Hier klicken, um Download und Installation zu starten. - - + + There are currently no changes for your certificate stores. Es liegem keine neuen Empfehlungen vor. - - + + Install certificates again Wurzelzertifikate erneut schreiben @@ -443,12 +443,12 @@ Änderungen (%1) - + install Installieren - + ignore Ignorieren @@ -457,9 +457,9 @@ Installierte Zertifikate vom: %1 - - - + + + Hide details Details ausblenden 
@@ -468,7 +468,7 @@ Letzte erfolgreiche Prüfung nach Aktualisierungen: %1 - + Sucessfully checked for updates. Suche nach neuen Empfehlungen erfolgreich. 
@@ -479,102 +479,102 @@ Hier klicken, um Download und Installation zu starten. - + TrustBridge is a root certificate installer for Windows and GNU/Linux.<br/> TrustBridge ist eine Wurzelzertifikatsinstaller für Windows und GNU/Linux.<br/> - + The root certificate lists are managed by the German <a href="https://www.bsi.bund.de">Federal Office for Information Security (BSI)</a>.<br/><br/> Die Wurzelzertifikate werden vom <a href="https://www.bsi.bund.de">Bundesamt für Sicherheit in der Informationstechnik (BSI)</a> vorgeschlagen.<br/><br/> - + The software was developed by the companies <a href="http://www.intevation.de">Intevation GmbH</a> and <a href="http://www.dn-systems.de">DN-Systems GmbH</a>, <br> contracted by the German Federal Office for Information Security (BSI).<br/><br/> Die Software wurde von den Unternehmen <a href="http://www.intevation.de">Intevation GmbH</a> und <a href="http://www.dn-systems.de">DN-Systems GmbH</a> entwickelt, <br> beauftragt vom Bundesamt für Sicherheit in der Informationstechnik (BSI).<br/><br/> - + TrustBridge is Free Software licensed under GNU GPL v2+.<br/><br/>Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik TrustBridge ist Freie Software, lizensiert unter der GNU GPL v2+.<br/><br/>(C) 2014. Die Rechte liegen beim Bundesamt für Sicherheit in der Informationstechnik. - + Show Help - + Hilfe anzeigen - + Proxy settings - + Proxy-Einstellungen - + No connection with the updateserver. Keine Verbindung zum Updateserver. - + Update Aktualisieren - - - + + + Details Details - + The following unsecure certificates were revoked by the BSI. Already uninstalled certificates cannot be reinstalled. It is recommended that you select all certificates to uninstall if you still have revoked certificates installed. Von den folgenden, ehemals empfohlenen Wurzelzertifikaten, rät das BSI ab. Über diese Anwendung können sie auch nicht mehr installiert werden. 
Markieren Sie verbleibende Wurzelzertifikate zur Löschung, sobald Sie können. - + You should apply the following, recommended changes to your certificate stores. Es wird empfohlen, die nachfolgenden Änderungen an Ihren Zertifikatsspeichern vorzunehmen. - + You can apply the following, changes to your certificate stores. Der Unterschied "can", "should" könnte nicht signifikant genug sein. Sie können die nachfolgenden Änderungen an Ihren Zertifikatsspeichern vornehmen. - + Changes to certificate stores (%1) Neue empfohlene Änderungen (%1) - + Error executing update Fehler bei der Aktualisierung - + Installation with standard user account - + Installation mit Standardbenutzerkonto - - Windows will now ask you to confirm qeach root certificate modification because TrustBridge does not have the necessary privileges to install root certificates into the Windows certificate store silently. - + + Windows will now ask you to confirm each root certificate modification because TrustBridge does not have the necessary privileges to install root certificates into the Windows certificate store silently. + Windows wird Sie nun bitten, jede Wurzelzertifikatsänderung zu bestätigen. Grund dafür: TrustBridge besitzt nicht die nötigen Privilegien, um Wurzelzertifikate ohne Nachfrage in den Windows-Zertifikatsspeicher zu installieren. - + Installing certificates... Wurzelzertifikate werden geändert... - + Error! - + Fehler! - + Failed to find the manual - + Fehler beim Finden des Handbuchs 
@@ -595,37 +595,37 @@ Proxy server settings - + Proxy-Server-Einstellungen Please enter the proxy server to use in the field below. - + Bitte geben Sie den zu verwendenden Proxy-Server ein. The URL can follow the scheme: - + Die URL kann folgendem Schema folgen: &lt;username&gt;:&lt;password&gt;@&lt;hostname&gt;:&lt;port&gt; - + &lt;Benutzername&gt;:&lt;Passwort&gt;@&lt;Hostname&gt;:&lt;Port&gt; Proxy Server: - + Proxy-Server: &Save - + &Speichern &Cancel - + &Abbrechen diff -r b75bd6686f43 -r 2fb6071c6669 ui/mainwindow.cpp --- a/ui/mainwindow.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/mainwindow.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -312,7 +312,7 @@ // shExecInfo.fMask = SEE_MASK_NOASYNC; shExecInfo.nShow = SW_SHOWDEFAULT; - if (!is_system_install() || !is_admin()) { + if (!is_system_install()) { shExecInfo.lpVerb = L"open"; } else { shExecInfo.lpVerb = L"runas"; @@ -623,7 +623,7 @@ mInstallButton = new QPushButton(" " + tr("Install certificates again")); mInstallButton->setFixedHeight(30); #ifdef Q_OS_WIN - if (is_admin() && is_system_install()) { + if (is_system_install()) { QIcon uacShield = QApplication::style()->standardIcon(QStyle::SP_VistaShield); mInstallButton->setIcon(uacShield); } 
@@ -1109,20 +1109,17 @@ } void MainWindow::installerSuccess() { - if (mCurState == NewListAvailable || mCurState == NewSoftwareAvailable) { + if (mCurState == NewListAvailable ) { mCurState = NothingChanged; mCurMessage = QString(); + } - QString listFileName = mSettings.value("List/available").toString(); - QDateTime listFileDate = mSettings.value("List/availableDate").toDateTime(); - + QString listFileName = mSettings.value("List/available").toString(); + QDateTime listFileDate = mSettings.value("List/availableDate").toDateTime(); + if (!listFileName.isEmpty() && listFileDate.isValid()) { mSettings.remove("List/available"); mSettings.remove("List/availableDate"); - if (listFileName.isEmpty() || !listFileDate.isValid()) { - qWarning() << "Error accessing settings"; - return; /* Try again with next check */ - } /* Rename the installed list to list-installed.txt so that external * programs (like the uninstaller can easily recognize it). */ QString dataLoc = @@ -1159,9 +1156,8 @@ mSettings.remove("List/installed"); mSettings.remove("List/installedDate"); } - mListToInstall = CertificateList(); - } + mListToInstall = CertificateList(); mUpdatesManual->clear(); loadCertificateList(); } @@ -1194,10 +1190,10 @@ unselected << mRemoveList->unselectedCertificates(); #ifdef Q_OS_WIN - if (!is_admin() || !is_system_install()) { - QMessageBox::information(this, + if (!is_system_install()) { + QMessageBox::warning(this, tr("Installation with standard user account"), - tr("Windows will now ask you to confirm qeach root certificate modification " + tr("Windows will now ask you to confirm each root certificate modification " "because TrustBridge does not have the necessary privileges to install " "root certificates into the Windows certificate store silently.")); } diff -r b75bd6686f43 -r 2fb6071c6669 ui/sslconnection_curl.cpp --- a/ui/sslconnection_curl.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/sslconnection_curl.cpp Tue Sep 02 11:55:15 2014 +0200 
@@ -7,9 +7,11 @@ */ #include "sslconnection_curl.h" + +#include #include -#define CONNECTION_DEBUG +#undef CONNECTION_DEBUG SSLConnectionCurl::SSLConnectionCurl(const QString& url, const QByteArray& certificate): @@ -24,7 +26,25 @@ return; } +#ifdef RELEASE_BUILD if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 1L) != CURLE_OK) { +#else + /* For testing we do not have to trust the issuer. This should not + * be dangerous as we pin the peer certificate directly. */ + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 0L) != CURLE_OK) { +#endif + /* Should be default anyway */ + qDebug() << "Setting verifypeer failed"; + return; + } + +#ifdef RELEASE_BUILD + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 1L) != CURLE_OK) { +#else + /* For testing we do not have to trust host. This should not + * be dangerous as we pin the peer certificate directly. */ + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 0L) != CURLE_OK) { +#endif /* Should be default anyway */ qDebug() << "Setting verifypeer failed"; return; @@ -35,6 +55,13 @@ return; } +#ifdef RELEASE_BUILD + if (curl_easy_setopt(mCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { + qDebug() << "Setting ssl version failed."; + return; + } +#endif + mCertFile.open(); if (mCertFile.write(mPinnedCert) != mPinnedCert.size()) { qDebug() << "Failed to write temporary certificate"; @@ -44,10 +71,17 @@ if (curl_easy_setopt(mCurl, CURLOPT_CAINFO, mCertFile.fileName().toUtf8().constData()) != CURLE_OK) { - qDebug() << "Failed to write temporary certificate"; + qDebug() << "Failed to set ca certificate"; return; } + /* If the build fails here maybe you probably forgot to apply the + * trustbridge patches to curl */ + if (curl_easy_setopt(mCurl, CURLOPT_PEERCERT, + mCertFile.fileName().toUtf8().constData()) != CURLE_OK) { + qDebug() << "Failed set peer certificate."; + return; + } mInitialized = true; #ifdef CONNECTION_DEBUG 
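Review bot: In the RELEASE_BUILD branch of the SSLConnectionCurl constructor `CURLOPT_SSL_VERIFYHOST` is set to `1L`, but libcurl of the generation named in INSTALL (7.37.1) enables the host name check with 2 and returns an error for 1, so the constructor would take the early return and never reach `mInitialized = true`; use `curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 2L)`. The `#else` branches switch both VERIFYPEER and VERIFYHOST off whenever RELEASE_BUILD is not defined, so a build that merely forgets the define runs with chain and host verification disabled and relies on the pin alone; making verification the default and relaxing it only under an explicit test-only macro would be fail-safe. The TLS 1.2 floor set through `CURLOPT_SSLVERSION` is likewise release-only, so test builds exercise a different handshake policy than the one shipped. The debug text in the VERIFYHOST block still reads "Setting verifypeer failed"; `qDebug() << "Setting verifyhost failed";` would make the log unambiguous.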
@@ -84,6 +118,10 @@ mErrorState = InvalidCertificate; return -1; } + if (retval == CURLE_SSL_CONNECT_ERROR) { + mErrorState = SSLHandshakeFailed; + return -1; + } mErrorState = NoConnection; return -1; @@ -226,5 +264,14 @@ } void SSLConnectionCurl::setCiphersuites(int ciphers[]) { - qDebug() << "Set ciphersuites not supported."; + QStringList cipher_list; + for (int i = 0; ciphers[i] != 0; i++) { + cipher_list << ssl_get_ciphersuite_name(ciphers[i]); + } + + if (curl_easy_setopt(mCurl, CURLOPT_SSL_CIPHER_LIST, + cipher_list.join(":").toLatin1().constData()) != CURLE_OK) { + qDebug() << "Failed to set cipher list"; + return; + } } diff -r b75bd6686f43 -r 2fb6071c6669 ui/tests/downloadertest.cpp --- a/ui/tests/downloadertest.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/tests/downloadertest.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -148,22 +148,22 @@ QVERIFY(error == SSLConnection::NoConnection); } +static int accept_ciphers[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + 0 +}; void DownloaderTest::testForcedCiphers() { Downloader* downloader = new Downloader(this, - QString::fromLatin1("https://files.intevation.de:443"), + QString::fromLatin1(SERVER_URL), QByteArray(), /* Use default testing certificate */ QDateTime::currentDateTime(), QDateTime::fromString("2010", "YYYY"), "/users/aheinecke/development/TrustBridge-development.exe", "/users/aheinecke/development/zertifikatsliste.txt"); - int accept_ciphers[] = { - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - 0 - }; downloader->setCiphersuites(accept_ciphers);
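Review bot: SSLConnectionCurl::setCiphersuites() only logs when `curl_easy_setopt(mCurl, CURLOPT_SSL_CIPHER_LIST, …)` fails, so the caller cannot tell that the restriction was not applied and the connection would proceed with the default suites; because the method returns void, recording the failure in `mErrorState` or clearing `mInitialized` would make it fail closed. It also passes `mCurl` without checking that the constructor finished (the constructor has several early returns before `mInitialized = true`), so a guard such as `if (!mInitialized) return;` at the top seems warranted. A doc comment stating that `ciphers` must be terminated by a 0 entry, as the loop condition `ciphers[i] != 0` assumes, would help callers.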