Mercurial > trustbridge
changeset 1008:2fb6071c6669
Merged
author | Emanuel Schuetze <emanuel@intevation.de> |
---|---|
date | Tue, 02 Sep 2014 11:55:15 +0200 |
parents | b75bd6686f43 (current diff) 6aa115b206df (diff) |
children | c1f32c87716a |
files | |
diffstat | 11 files changed, 477 insertions(+), 121 deletions(-) [+] |
line wrap: on
line diff
--- a/INSTALL Tue Sep 02 11:52:59 2014 +0200 +++ b/INSTALL Tue Sep 02 11:55:15 2014 +0200 @@ -61,12 +61,21 @@ cmake .. -DCMAKE_C_FLAGS=-fpic -DCMAKE_INSTALL_PREFIX=$YOURPREFIX make && make test && make install +Trustbridge checkout: +At this point you need a trustbridge checkout as curl needs to be patched +to enable the certificate pinning and the force of SSL Ciphersuites when +using polarssl. + + hg clone https://wald.intevation.org/hg/trustbridge/ + Libcurl: + wget http://curl.haxx.se/download/curl-7.37.1.tar.gz a32492a38c10a097344892f5fd2041e54698cb909696852311b1161e4aa979f3 curl-7.37.1.tar.gz tar -xf curl-7.37.1.tar.gz cd curl-7.37.1/ + patch -p1 < ../trustbridge/patches/*.patch mkdir build cd build @@ -84,7 +93,6 @@ To compile the software you can use plain cmake. An out of source build is highly suggested. For build options see CMakeList.txt - hg clone https://wald.intevation.org/hg/trustbridge/ cd trustbridge hg clone https://wald.intevation.org/hg/trustbridge/nss-cmake-static mkdir build-linux @@ -171,13 +179,15 @@ cp polarssl-1.3.7-gpl.tgz hiawatha-9.5/polarssl/polarssl.tgz cd hiawatha-9.5/polarssl sed -i 's/wget.*//' upgrade - ./upgrade 1.3.7 + ./upgrade 1.3.8 cd .. mkdir build cd build cmake .. -DCMAKE_INSTALL_PREFIX=$YOURPREFIX make && make install + + Osslsigncode (for binverify unit test) ====================================== Osslsigncode is used to create PKCS#7 embedded signatures for Windows Authenticode @@ -232,7 +242,7 @@ cmake .. \ -DCMAKE_PREFIX_PATH="$MXETARGET/qt5;$MXETARGET;" \ -DCMAKE_TOOLCHAIN_FILE="$MXETARGET/share/cmake/mxe-conf.cmake" \ - -DCMAKE_VERBOSE_MAKEFILE=True + -DCMAKE_VERBOSE_MAKEFILE=True -DUSE_CURL=OFF Runtime Depdendencies =====================
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/0001-Implement-CURLOPT_SSLVERSION-for-polarssl.patch Tue Sep 02 11:55:15 2014 +0200 @@ -0,0 +1,47 @@ +From bebf7d617091042828fc5838170b35c42ab60396 Mon Sep 17 00:00:00 2001 +From: Andre Heinecke <aheinecke@intevation.de> +Date: Mon, 1 Sep 2014 16:06:03 +0200 +Subject: [PATCH 1/3] Implement CURLOPT_SSLVERSION for polarssl + + Forwards the setting as minimum ssl version to polarssl. + If the server does not support the requested version the + SSL Handshake will fail. +--- + lib/vtls/polarssl.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index f948486..e18cadf 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -270,6 +270,27 @@ polarssl_connect_step1(struct connectdata *conn, + return CURLE_SSL_CONNECT_ERROR; + } + ++ if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) { ++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ++ SSL_MINOR_VERSION_0); ++ infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n"); ++ } ++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_0) { ++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ++ SSL_MINOR_VERSION_1); ++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0\n"); ++ } ++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_1) { ++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ++ SSL_MINOR_VERSION_2); ++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1\n"); ++ } ++ else if(data->set.ssl.version == CURL_SSLVERSION_TLSv1_2) { ++ ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ++ SSL_MINOR_VERSION_3); ++ infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2\n"); ++ } ++ + ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT); + ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL); + +-- +1.9.1 +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/0002-Add-CURLOPT_PEERCERT-option-to-pin-a-peer-cert.patch Tue Sep 02 11:55:15 2014 +0200 @@ -0,0 +1,138 @@ +From c57d951c3bda8b1ca66cac45dfd6270fa34b01d3 Mon Sep 17 00:00:00 2001 +From: Andre Heinecke <aheinecke@intevation.de> +Date: Mon, 1 Sep 2014 16:55:40 +0200 +Subject: [PATCH 2/3] Add CURLOPT_PEERCERT option to pin a peer cert + + Only implemented for a specific usecase with polarssl +--- + include/curl/curl.h | 3 +++ + include/curl/typecheck-gcc.h | 1 + + lib/url.c | 8 ++++++++ + lib/urldata.h | 1 + + lib/vtls/polarssl.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 5 files changed, 53 insertions(+), 2 deletions(-) + +diff --git a/include/curl/curl.h b/include/curl/curl.h +index d40b2db..20a9d82 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1611,6 +1611,9 @@ typedef enum { + /* Pass in a bitmask of "header options" */ + CINIT(HEADEROPT, LONG, 229), + ++ /* Peer certificate */ ++ CINIT(PEERCERT, OBJECTPOINT, 230), ++ + CURLOPT_LASTENTRY /* the last unused */ + } CURLoption; + +diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h +index 69d41a2..241529d 100644 +--- a/include/curl/typecheck-gcc.h ++++ b/include/curl/typecheck-gcc.h +@@ -258,6 +258,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_slist, + (option) == CURLOPT_SSH_PRIVATE_KEYFILE || \ + (option) == CURLOPT_CRLFILE || \ + (option) == CURLOPT_ISSUERCERT || \ ++ (option) == CURLOPT_PEERCERT || \ + (option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \ + (option) == CURLOPT_SSH_KNOWNHOSTS || \ + (option) == CURLOPT_MAIL_FROM || \ +diff --git a/lib/url.c b/lib/url.c +index 89c3fd5..b089cdf 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2015,6 +2015,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + result = setstropt(&data->set.str[STRING_SSL_ISSUERCERT], + va_arg(param, char *)); + break; ++ case CURLOPT_PEERCERT: ++ /* ++ * Set peer certificate file ++ * to check peer certificate against ++ */ ++ result = setstropt(&data->set.str[STRING_SSL_PEERCERT], ++ va_arg(param, char *)); ++ break; + case CURLOPT_TELNETOPTIONS: + /* + * Set a linked list of telnet options +diff --git a/lib/urldata.h b/lib/urldata.h +index 8594c2f..a6dc1ae 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1391,6 +1391,7 @@ enum dupstring { + STRING_USERAGENT, /* User-Agent string */ + STRING_SSL_CRLFILE, /* crl file to check certificate */ + STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */ ++ STRING_SSL_PEERCERT, /* issuer cert file to check certificate */ + STRING_USERNAME, /* <username>, if used */ + STRING_PASSWORD, /* <password>, if used */ + STRING_OPTIONS, /* <options>, if used */ +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index e18cadf..2c40e36 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -360,6 +360,7 @@ polarssl_connect_step2(struct connectdata *conn, + #ifdef HAS_ALPN + const char* next_protocol; + #endif ++ const x509_crt *peer_cert = NULL; + + char errorbuf[128]; + memset(errorbuf, 0, sizeof(errorbuf)); +@@ -419,12 +420,49 @@ polarssl_connect_step2(struct connectdata *conn, + return CURLE_PEER_FAILED_VERIFICATION; + } + +- if(ssl_get_peer_cert(&(connssl->ssl))) { ++ peer_cert = ssl_get_peer_cert(&(connssl->ssl)); ++ if(peer_cert) { ++ if(data->set.str[STRING_SSL_PEERCERT]) { ++ x509_crt pinned_cert; ++ unsigned int i; ++ ++ /* Handle pinned certificate */ ++ x509_crt_init(&pinned_cert); ++ ret = x509_crt_parse_file(&pinned_cert, ++ data->set.str[STRING_SSL_PEERCERT]); ++ ++ if(ret) { ++#ifdef POLARSSL_ERROR_C ++ error_strerror(ret, errorbuf, sizeof(errorbuf)); ++#endif /* POLARSSL_ERROR_C */ ++ failf(data, "Error reading peer cert file %s - PolarSSL: (-0x%04X) %s", ++ data->set.str[STRING_SSL_PEERCERT], -ret, errorbuf); ++ ++ x509_crt_free(&pinned_cert); ++ return CURLE_PEER_FAILED_VERIFICATION; ++ } ++ ++ if (peer_cert->raw.len == 0 || ++ peer_cert->raw.len != pinned_cert.raw.len) { ++ failf(data, "Error validating peer certificate. Size does " ++ "not match the certificate set with PEERCERT option.\n"); ++ x509_crt_free(&pinned_cert); ++ return CURLE_PEER_FAILED_VERIFICATION; ++ } ++ for (i = 0; i < peer_cert->raw.len; i++) { ++ if (peer_cert->raw.p[i] != pinned_cert.raw.p[i]) { ++ failf(data, "Error validating peer certificate. Does " ++ "not match the certificate set with PEERCERT option.\n"); ++ return CURLE_PEER_FAILED_VERIFICATION; ++ } ++ } ++ } ++ + /* If the session was resumed, there will be no peer certs */ + memset(buffer, 0, sizeof(buffer)); + + if(x509_crt_info(buffer, sizeof(buffer), (char *)"* ", +- ssl_get_peer_cert(&(connssl->ssl))) != -1) ++ peer_cert) != -1) + infof(data, "Dumping cert info:\n%s\n", buffer); + } + +-- +1.9.1 +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch Tue Sep 02 11:55:15 2014 +0200 @@ -0,0 +1,85 @@ +From a36ec2b65e81109c151759b282c221daf91b83ee Mon Sep 17 00:00:00 2001 +From: Andre Heinecke <aheinecke@intevation.de> +Date: Tue, 2 Sep 2014 09:58:44 +0200 +Subject: [PATCH] Add possibility to force polarssl ciphersuites. + +--- + lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 39 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c +index 2c40e36..c3f1b8e 100644 +--- a/lib/vtls/polarssl.c ++++ b/lib/vtls/polarssl.c +@@ -55,6 +55,7 @@ + #include "select.h" + #include "rawstr.h" + #include "polarssl_threadlock.h" ++#include "strtok.h" + + #define _MPRINTF_REPLACE /* use our functions only */ + #include <curl/mprintf.h> +@@ -67,6 +68,8 @@ + #define THREADING_SUPPORT + #endif + ++#define MAX_CIPHERSUITES 255 ++ + #if defined(THREADING_SUPPORT) + static entropy_context entropy; + +@@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line) + + static Curl_recv polarssl_recv; + static Curl_send polarssl_send; +- ++static int ciphersuites[MAX_CIPHERSUITES + 1]; + + static CURLcode + polarssl_connect_step1(struct connectdata *conn, +@@ -300,7 +303,41 @@ polarssl_connect_step1(struct connectdata *conn, + net_recv, &conn->sock[sockindex], + net_send, &conn->sock[sockindex]); + +- ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); ++ if(!data->set.str[STRING_SSL_CIPHER_LIST]) ++ ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); ++ else { ++ /* Convert string input to polarssl cipher id's */ ++ char *tmp, ++ *token, ++ *tok_buf; ++ int i = 0; ++ ++ memset(ciphersuites, 0, MAX_CIPHERSUITES + 1); ++ ++ tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]); ++ if(!tmp) ++ return CURLE_OUT_OF_MEMORY; ++ ++ for (token = strtok_r(tmp, ":", &tok_buf); ++ token != NULL; ++ token = strtok_r(NULL, ":", &tok_buf)) { ++ ++ ciphersuites[i] = ssl_get_ciphersuite_id(token); ++ if (!ciphersuites[i]) { ++ infof(data, "WARNING: failed to set cipher: %s\n", token); ++ /* Do not increase i as the first 0 is the end ++ of the list so we overwrite it with the next ++ valid cipher. Maybe we should fail? */ ++ continue; ++ } ++ i++; ++ } ++ free(tmp); ++ /* Beware, polarssl does not make a copy of the ciphersuites ++ so the data needs to be valid during the call. */ ++ ssl_set_ciphersuites(&connssl->ssl, ciphersuites); ++ } ++ + if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) { + memcpy(&connssl->ssn, old_session, old_session_size); + infof(data, "PolarSSL re-using session\n"); +-- +1.9.1 +
--- a/ui/administratorwindow.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/administratorwindow.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -23,12 +23,17 @@ #include <QFileDialog> #include <QStandardPaths> #include <QSortFilterProxyModel> +#include <QDesktopServices> +#include <QFileInfo> #include "certificatetabledelegate.h" #include "createinstallerdialog.h" #include "createcertlistdialog.h" #include "certificatediffdialog.h" #include "aboutdialog.h" +#include "util.h" + +#define HELP_PATH "/doc/index.html" AdministratorWindow::AdministratorWindow() { setWindowTitle(tr("TrustBridge Administration")); @@ -53,10 +58,13 @@ menuBar->addMenu(menu); QAction *createInstaller = menu->addAction(tr("Create installer ...")); QAction *about = menu->addAction(tr("About TrustBridge")); + QAction *help = menu->addAction(tr("Help")); + help->setIcon(QIcon(":/img/show-help_16.png")); menu->addSeparator(); QAction *quit = menu->addAction(tr("Quit")); connect(createInstaller, SIGNAL(triggered()), this, SLOT(createInstaller())); connect(about, SIGNAL(triggered()), this, SLOT(showAbout())); + connect(help, SIGNAL(triggered()), this, SLOT(showHelp())); connect(quit, SIGNAL(triggered()), qApp, SLOT(quit())); setMenuBar(menuBar); } @@ -298,3 +306,27 @@ } return changed; } + +void AdministratorWindow::showHelp() +{ + char *inst_dir = get_install_dir(); + if (!inst_dir) { + qDebug() << "Failed to find install dir"; + return; + } + QString helpPath = QString::fromUtf8(inst_dir); + helpPath += HELP_PATH; + QFileInfo fiHelp(helpPath); + qDebug() << "Opening help: " << fiHelp.absoluteFilePath(); + if (!fiHelp.exists()) { + QMessageBox::warning(this, tr("Error!"), tr ("Failed to find the manual")); + return; + } +#ifdef Q_OS_WIN + QDesktopServices::openUrl(QUrl("file:///" + fiHelp.absoluteFilePath())); +#else + QDesktopServices::openUrl(QUrl(fiHelp.absoluteFilePath())); +#endif + free (inst_dir); + return; +}
--- a/ui/administratorwindow.h Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/administratorwindow.h Tue Sep 02 11:55:15 2014 +0200 @@ -60,6 +60,7 @@ private slots: void createInstaller(); void showAbout(); + void showHelp(); void loadCertificateFile(); void saveCertificateFile(); void addCertificates();
--- a/ui/installwrapper.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/installwrapper.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -96,7 +96,7 @@ shExecInfo.cbSize = sizeof(SHELLEXECUTEINFOW); shExecInfo.fMask = SEE_MASK_NOCLOSEPROCESS; - if (!is_admin() || !is_system_install()) { + if (!is_system_install()) { shExecInfo.lpVerb = L"open"; } else { shExecInfo.lpVerb = L"runas";
--- a/ui/l10n/trustbridge_de_DE.ts Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/l10n/trustbridge_de_DE.ts Tue Sep 02 11:55:15 2014 +0200 @@ -184,29 +184,29 @@ <translation type="vanished">Neue Vorschläge für Wurzelzertifikate sind verfügbar. Klicken Sie hier zum Installieren.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="462"/> - <location filename="../mainwindow.cpp" line="591"/> + <location filename="../mainwindow.cpp" line="464"/> + <location filename="../mainwindow.cpp" line="593"/> <source>Check for Updates</source> <translation>Neue Empfehlungen suchen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="464"/> - <location filename="../mainwindow.cpp" line="974"/> + <location filename="../mainwindow.cpp" line="466"/> + <location filename="../mainwindow.cpp" line="976"/> <source>Quit</source> <translation>Beenden</translation> </message> <message> - <location filename="../mainwindow.cpp" line="482"/> + <location filename="../mainwindow.cpp" line="484"/> <source>TrustBridge</source> <translation>TrustBridge</translation> </message> <message> - <location filename="../mainwindow.cpp" line="571"/> + <location filename="../mainwindow.cpp" line="573"/> <source>Installed certificates from:</source> <translation>Empfehlungen bereits berücksichtigt bis:</translation> </message> <message> - <location filename="../mainwindow.cpp" line="576"/> + <location filename="../mainwindow.cpp" line="578"/> <source>TrustBridge Version:</source> <translation>TrustBridge Version:</translation> </message> @@ -215,19 +215,19 @@ <translation type="vanished">Zuletzt nach Aktualisierungen gesucht:</translation> </message> <message> - <location filename="../mainwindow.cpp" line="583"/> - <location filename="../mainwindow.cpp" line="586"/> + <location filename="../mainwindow.cpp" line="585"/> + <location filename="../mainwindow.cpp" line="588"/> <source>Last successful update check:</source> <translation>Zuletzt nach neuen Empfehlungen gesucht:</translation> </message> <message> - <location filename="../mainwindow.cpp" line="861"/> + <location filename="../mainwindow.cpp" line="863"/> <source>Updates</source> <translation>Neue Empfehlungen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="883"/> + <location filename="../mainwindow.cpp" line="885"/> <source>Revoked certificates</source> <translation>Abgeratene @@ -242,41 +242,41 @@ <translation type="vanished">Aktualisierungen (%1/%2)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="617"/> - <location filename="../mainwindow.cpp" line="979"/> + <location filename="../mainwindow.cpp" line="619"/> + <location filename="../mainwindow.cpp" line="981"/> <source>Quit without saving</source> <translation>Beenden ohne Schreiben</translation> </message> <message> - <location filename="../mainwindow.cpp" line="671"/> - <location filename="../mainwindow.cpp" line="1015"/> + <location filename="../mainwindow.cpp" line="673"/> + <location filename="../mainwindow.cpp" line="1017"/> <source>Remove revoked certificates (%1/%2)</source> <translation>Abgeratene Wurzelzertifikate entfernen (%1/%2)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="752"/> + <location filename="../mainwindow.cpp" line="754"/> <source>Trusted certificates</source> <translation>Empfohlene Wurzelzertifikate</translation> </message> <message> - <location filename="../mainwindow.cpp" line="753"/> + <location filename="../mainwindow.cpp" line="755"/> <source>The following list of trusted root certificates is managed by the BSI. The BSI validates independently the authenticity, security and actuality of these certificates.</source> <translation>Die folgenden Wurzelzertifikate wurden bisher vom BSI zur Installation vorgeschlagen. Sie können erkennen, welche Sie bereits geschrieben haben.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="760"/> + <location filename="../mainwindow.cpp" line="762"/> <source>Please choose the certificates you want to trust or untrust. TrustBridge will install these certificates for your secure communication for email and internet.</source> <translation>Legen Sie fest, ob Sie der Empfehlung ganz oder teilweise folgen möchten. TrustBridge wird die Änderungen an den Wurzelzertifikaten vornehmen.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="874"/> + <location filename="../mainwindow.cpp" line="876"/> <source>Trusted certificates</source> <translation>Empfohlene Wurzelzertifikate</translation> </message> <message> - <location filename="../mainwindow.cpp" line="892"/> + <location filename="../mainwindow.cpp" line="894"/> <source>Information and help</source> <translation>Informationen @@ -303,31 +303,31 @@ <translation type="vanished">Aktualisierungen einspielen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="649"/> - <location filename="../mainwindow.cpp" line="999"/> + <location filename="../mainwindow.cpp" line="651"/> + <location filename="../mainwindow.cpp" line="1001"/> <source>Install new trusted certificates (%1/%2)</source> <translation>Neue, empfohlene Wurzelzertifikate installieren (%1/%2)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="653"/> - <location filename="../mainwindow.cpp" line="675"/> - <location filename="../mainwindow.cpp" line="697"/> - <location filename="../mainwindow.cpp" line="989"/> - <location filename="../mainwindow.cpp" line="1005"/> - <location filename="../mainwindow.cpp" line="1021"/> - <location filename="../mainwindow.cpp" line="1345"/> - <location filename="../mainwindow.cpp" line="1358"/> - <location filename="../mainwindow.cpp" line="1370"/> + <location filename="../mainwindow.cpp" line="655"/> + <location filename="../mainwindow.cpp" line="677"/> + <location filename="../mainwindow.cpp" line="699"/> + <location filename="../mainwindow.cpp" line="991"/> + <location filename="../mainwindow.cpp" line="1007"/> + <location filename="../mainwindow.cpp" line="1023"/> + <location filename="../mainwindow.cpp" line="1343"/> + <location filename="../mainwindow.cpp" line="1356"/> + <location filename="../mainwindow.cpp" line="1368"/> <source>Show details</source> <translation>Details einblenden</translation> </message> <message> - <location filename="../mainwindow.cpp" line="793"/> + <location filename="../mainwindow.cpp" line="795"/> <source>Revoked certificates</source> <translation>Abgeratene Wurzelzertifikate</translation> </message> <message> - <location filename="../mainwindow.cpp" line="794"/> + <location filename="../mainwindow.cpp" line="796"/> <source>Certificates can be corrupted or stolen and misused in many ways. Therefore the BSI recommends to remove all revoked certificates from your system.</source> <translation>Wurzelzertifikate können veraltet sein, korrumpiert, gestohlen oder missbraucht werden. Die Wurzelzertifikate , von denen das BSI abrät, sollten umgehend entfernt werden.</translation> </message> @@ -336,15 +336,15 @@ <translation type="obsolete">Von den folgenden, ehemals empfohlenen Wurzelzerts, rät das BSI nun ab. Über diese Anwendung können sie auch nicht mehr installiert werden. Markieren Sie verbleibende Wurzelzerts zur Löschung, sobald Sie können.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="693"/> - <location filename="../mainwindow.cpp" line="1100"/> - <location filename="../mainwindow.cpp" line="1270"/> - <location filename="../mainwindow.cpp" line="1280"/> + <location filename="../mainwindow.cpp" line="695"/> + <location filename="../mainwindow.cpp" line="1102"/> + <location filename="../mainwindow.cpp" line="1268"/> + <location filename="../mainwindow.cpp" line="1278"/> <source>Manually changed certificates (%1)</source> <translation>Abweichend zu behandelnde Wurzelzertifikate (%1)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="843"/> + <location filename="../mainwindow.cpp" line="845"/> <source>Trust in your digital communication</source> <translation>Vertrauen in Ihre digitale Kommunikation</translation> </message> @@ -353,8 +353,8 @@ <translation type="vanished">Änderungen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="569"/> - <location filename="../mainwindow.cpp" line="975"/> + <location filename="../mainwindow.cpp" line="571"/> + <location filename="../mainwindow.cpp" line="977"/> <source>Certificates unchanged</source> <translation>Wurzelzertifikate unverändert</translation> </message> @@ -371,46 +371,46 @@ <translation type="vanished">Es wird empfohlen, die nachfolgenden Änderungen an Ihren Wurzelzertifikaten zu übernehmen.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="983"/> + <location filename="../mainwindow.cpp" line="985"/> <source>Apply changes</source> <translation>Änderungen schreiben</translation> </message> <message> - <location filename="../mainwindow.cpp" line="495"/> + <location filename="../mainwindow.cpp" line="497"/> <source>Version: </source> <translation>Version:</translation> </message> <message> - <location filename="../mainwindow.cpp" line="260"/> <location filename="../mainwindow.cpp" line="262"/> + <location filename="../mainwindow.cpp" line="264"/> <source>An updated certificate list is available.</source> <translation>Neue Vorschläge für Wurzelzertifikate sind verfügbar.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="262"/> + <location filename="../mainwindow.cpp" line="264"/> <source>Click here to install.</source> <translation>Klicken Sie hier zum Installieren.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="272"/> - <location filename="../mainwindow.cpp" line="275"/> + <location filename="../mainwindow.cpp" line="274"/> + <location filename="../mainwindow.cpp" line="277"/> <source>An update for %1 is available.</source> <translation>Eine Aktualisierung für %1 ist verfügbar.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="276"/> + <location filename="../mainwindow.cpp" line="278"/> <source>Click here to download and install the update.</source> <translation>Hier klicken, um Download und Installation zu starten.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="614"/> - <location filename="../mainwindow.cpp" line="969"/> + <location filename="../mainwindow.cpp" line="616"/> + <location filename="../mainwindow.cpp" line="971"/> <source>There are currently no changes for your certificate stores.</source> <translation>Es liegem keine neuen Empfehlungen vor.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="621"/> - <location filename="../mainwindow.cpp" line="977"/> + <location filename="../mainwindow.cpp" line="623"/> + <location filename="../mainwindow.cpp" line="979"/> <source>Install certificates again</source> <translation>Wurzelzertifikate erneut schreiben</translation> </message> @@ -443,12 +443,12 @@ <translation type="vanished">Änderungen (%1)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1072"/> + <location filename="../mainwindow.cpp" line="1074"/> <source>install</source> <translation>Installieren</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1072"/> + <location filename="../mainwindow.cpp" line="1074"/> <source>ignore</source> <translation>Ignorieren</translation> </message> @@ -457,9 +457,9 @@ <translation type="vanished">Installierte Zertifikate vom: %1</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1339"/> - <location filename="../mainwindow.cpp" line="1352"/> - <location filename="../mainwindow.cpp" line="1365"/> + <location filename="../mainwindow.cpp" line="1337"/> + <location filename="../mainwindow.cpp" line="1350"/> + <location filename="../mainwindow.cpp" line="1363"/> <source>Hide details</source> <translation>Details ausblenden</translation> </message> @@ -468,7 +468,7 @@ <translation type="vanished">Letzte erfolgreiche Prüfung nach Aktualisierungen: %1</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1395"/> + <location filename="../mainwindow.cpp" line="1393"/> <source>Sucessfully checked for updates.</source> <translation>Suche nach neuen Empfehlungen erfolgreich.</translation> </message> @@ -479,102 +479,102 @@ Hier klicken, um Download und Installation zu starten.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="510"/> + <location filename="../mainwindow.cpp" line="512"/> <source>TrustBridge is a root certificate installer for Windows and GNU/Linux.<br/></source> <translation>TrustBridge ist eine Wurzelzertifikatsinstaller für Windows und GNU/Linux.<br/></translation> </message> <message> - <location filename="../mainwindow.cpp" line="512"/> + <location filename="../mainwindow.cpp" line="514"/> <source>The root certificate lists are managed by the German <a href="https://www.bsi.bund.de">Federal Office for Information Security (BSI)</a>.<br/><br/></source> <translation>Die Wurzelzertifikate werden vom <a href="https://www.bsi.bund.de">Bundesamt für Sicherheit in der Informationstechnik (BSI)</a> vorgeschlagen.<br/><br/></translation> </message> <message> - <location filename="../mainwindow.cpp" line="515"/> + <location filename="../mainwindow.cpp" line="517"/> <source>The software was developed by the companies <a href="http://www.intevation.de">Intevation GmbH</a> and <a href="http://www.dn-systems.de">DN-Systems GmbH</a>, <br> contracted by the German Federal Office for Information Security (BSI).<br/><br/></source> <translation>Die Software wurde von den Unternehmen <a href="http://www.intevation.de">Intevation GmbH</a> und <a href="http://www.dn-systems.de">DN-Systems GmbH</a> entwickelt, <br> beauftragt vom Bundesamt für Sicherheit in der Informationstechnik (BSI).<br/><br/></translation> </message> <message> - <location filename="../mainwindow.cpp" line="519"/> + <location filename="../mainwindow.cpp" line="521"/> <source>TrustBridge is Free Software licensed under GNU GPL v2+.<br/><br/>Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik</source> <translation>TrustBridge ist Freie Software, lizensiert unter der GNU GPL v2+.<br/><br/>(C) 2014. Die Rechte liegen beim Bundesamt für Sicherheit in der Informationstechnik.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="536"/> + <location filename="../mainwindow.cpp" line="538"/> <source>Show Help</source> - <translation type="unfinished"></translation> + <translation>Hilfe anzeigen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="541"/> + <location filename="../mainwindow.cpp" line="543"/> <source>Proxy settings</source> - <translation type="unfinished"></translation> + <translation>Proxy-Einstellungen</translation> </message> <message> - <location filename="../mainwindow.cpp" line="587"/> + <location filename="../mainwindow.cpp" line="589"/> <source>No connection with the updateserver.</source> <translation>Keine Verbindung zum Updateserver.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="589"/> + <location filename="../mainwindow.cpp" line="591"/> <source>Update</source> <translation>Aktualisieren</translation> </message> <message> - <location filename="../mainwindow.cpp" line="652"/> - <location filename="../mainwindow.cpp" line="674"/> - <location filename="../mainwindow.cpp" line="696"/> + <location filename="../mainwindow.cpp" line="654"/> + <location filename="../mainwindow.cpp" line="676"/> + <location filename="../mainwindow.cpp" line="698"/> <source>Details</source> <translation>Details</translation> </message> <message> - <location filename="../mainwindow.cpp" line="801"/> + <location filename="../mainwindow.cpp" line="803"/> <source>The following unsecure certificates were revoked by the BSI. Already uninstalled certificates cannot be reinstalled. It is recommended that you select all certificates to uninstall if you still have revoked certificates installed.</source> <translation>Von den folgenden, ehemals empfohlenen Wurzelzertifikaten, rät das BSI ab. Über diese Anwendung können sie auch nicht mehr installiert werden. Markieren Sie verbleibende Wurzelzertifikate zur Löschung, sobald Sie können.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="963"/> + <location filename="../mainwindow.cpp" line="965"/> <source>You should apply the following, recommended changes to your certificate stores.</source> <translation>Es wird empfohlen, die nachfolgenden Änderungen an Ihren Zertifikatsspeichern vorzunehmen.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="966"/> + <location filename="../mainwindow.cpp" line="968"/> <source>You can apply the following, changes to your certificate stores.</source> <translatorcomment>Der Unterschied "can", "should" könnte nicht signifikant genug sein.</translatorcomment> <translation>Sie können die nachfolgenden Änderungen an Ihren Zertifikatsspeichern vornehmen.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="980"/> + <location filename="../mainwindow.cpp" line="982"/> <source>Changes to certificate stores (%1)</source> <translation>Neue empfohlene Änderungen (%1)</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1106"/> + <location filename="../mainwindow.cpp" line="1108"/> <source>Error executing update</source> <translation>Fehler bei der Aktualisierung</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1197"/> + <location filename="../mainwindow.cpp" line="1195"/> <source>Installation with standard user account</source> - <translation type="unfinished"></translation> + <translation>Installation mit Standardbenutzerkonto</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1198"/> - <source>Windows will now ask you to confirm qeach root certificate modification because TrustBridge does not have the necessary privileges to install root certificates into the Windows certificate store silently.</source> - <translation type="unfinished"></translation> + <location filename="../mainwindow.cpp" line="1196"/> + <source>Windows will now ask you to confirm each root certificate modification because TrustBridge does not have the necessary privileges to install root certificates into the Windows certificate store silently.</source> + <translation>Windows wird Sie nun bitten, jede Wurzelzertifikatsänderung zu bestätigen. Grund dafür: TrustBridge besitzt nicht die nötigen Privilegien, um Wurzelzertifikate ohne Nachfrage in den Windows-Zertifikatsspeicher zu installieren.</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1206"/> + <location filename="../mainwindow.cpp" line="1204"/> <source>Installing certificates...</source> <translation>Wurzelzertifikate werden geändert...</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1436"/> + <location filename="../mainwindow.cpp" line="1434"/> <source>Error!</source> - <translation type="unfinished"></translation> + <translation>Fehler!</translation> </message> <message> - <location filename="../mainwindow.cpp" line="1436"/> + <location filename="../mainwindow.cpp" line="1434"/> <source>Failed to find the manual</source> - <translation type="unfinished"></translation> + <translation>Fehler beim Finden des Handbuchs</translation> </message> </context> <context> @@ -595,37 +595,37 @@ <message> <location filename="../proxysettingsdlg.cpp" line="25"/> <source>Proxy server settings</source> - <translation type="unfinished"></translation> + <translation>Proxy-Server-Einstellungen</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="37"/> <source>Please enter the proxy server to use in the field below.</source> - <translation type="unfinished"></translation> + <translation>Bitte geben Sie den zu verwendenden Proxy-Server ein.</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="38"/> <source>The URL can follow the scheme:</source> - <translation type="unfinished"></translation> + <translation>Die URL kann folgendem Schema folgen:</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="39"/> <source>&lt;username&gt;:&lt;password&gt;@&lt;hostname&gt;:&lt;port&gt;</source> - <translation type="unfinished"></translation> + <translation>&lt;Benutzername&gt;:&lt;Passwort&gt;@&lt;Hostname&gt;:&lt;Port&gt;</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="48"/> <source>Proxy Server:</source> - <translation type="unfinished"></translation> + <translation>Proxy-Server:</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="54"/> <source>&Save</source> - <translation type="unfinished"></translation> + <translation>&Speichern</translation> </message> <message> <location filename="../proxysettingsdlg.cpp" line="55"/> <source>&Cancel</source> - <translation type="unfinished"></translation> + <translation>&Abbrechen</translation> </message> </context> <context>
--- a/ui/mainwindow.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/mainwindow.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -312,7 +312,7 @@ // shExecInfo.fMask = SEE_MASK_NOASYNC; shExecInfo.nShow = SW_SHOWDEFAULT; - if (!is_system_install() || !is_admin()) { + if (!is_system_install()) { shExecInfo.lpVerb = L"open"; } else { shExecInfo.lpVerb = L"runas"; @@ -623,7 +623,7 @@ mInstallButton = new QPushButton(" " + tr("Install certificates again")); mInstallButton->setFixedHeight(30); #ifdef Q_OS_WIN - if (is_admin() && is_system_install()) { + if (is_system_install()) { QIcon uacShield = QApplication::style()->standardIcon(QStyle::SP_VistaShield); mInstallButton->setIcon(uacShield); } @@ -1109,20 +1109,17 @@ } void MainWindow::installerSuccess() { - if (mCurState == NewListAvailable || mCurState == NewSoftwareAvailable) { + if (mCurState == NewListAvailable ) { mCurState = NothingChanged; mCurMessage = QString(); + } - QString listFileName = mSettings.value("List/available").toString(); - QDateTime listFileDate = mSettings.value("List/availableDate").toDateTime(); - + QString listFileName = mSettings.value("List/available").toString(); + QDateTime listFileDate = mSettings.value("List/availableDate").toDateTime(); + if (!listFileName.isEmpty() && listFileDate.isValid()) { mSettings.remove("List/available"); mSettings.remove("List/availableDate"); - if (listFileName.isEmpty() || !listFileDate.isValid()) { - qWarning() << "Error accessing settings"; - return; /* Try again with next check */ - } /* Rename the installed list to list-installed.txt so that external * programs (like the uninstaller can easily recognize it). */ QString dataLoc = @@ -1159,9 +1156,8 @@ mSettings.remove("List/installed"); mSettings.remove("List/installedDate"); } - mListToInstall = CertificateList(); - } + mListToInstall = CertificateList(); mUpdatesManual->clear(); loadCertificateList(); } @@ -1194,10 +1190,10 @@ unselected << mRemoveList->unselectedCertificates(); #ifdef Q_OS_WIN - if (!is_admin() || !is_system_install()) { - QMessageBox::information(this, + if (!is_system_install()) { + QMessageBox::warning(this, tr("Installation with standard user account"), - tr("Windows will now ask you to confirm qeach root certificate modification " + tr("Windows will now ask you to confirm each root certificate modification " "because TrustBridge does not have the necessary privileges to install " "root certificates into the Windows certificate store silently.")); }
--- a/ui/sslconnection_curl.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/sslconnection_curl.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -7,9 +7,11 @@ */ #include "sslconnection_curl.h" + +#include <polarssl/ssl.h> #include <QSaveFile> -#define CONNECTION_DEBUG +#undef CONNECTION_DEBUG SSLConnectionCurl::SSLConnectionCurl(const QString& url, const QByteArray& certificate): @@ -24,7 +26,25 @@ return; } +#ifdef RELEASE_BUILD if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 1L) != CURLE_OK) { +#else + /* For testing we do not have to trust the issuer. This should not + * be dangerous as we pin the peer certificate directly. */ + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 0L) != CURLE_OK) { +#endif + /* Should be default anyway */ + qDebug() << "Setting verifypeer failed"; + return; + } + +#ifdef RELEASE_BUILD + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 1L) != CURLE_OK) { +#else + /* For testing we do not have to trust host. This should not + * be dangerous as we pin the peer certificate directly. */ + if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 0L) != CURLE_OK) { +#endif /* Should be default anyway */ qDebug() << "Setting verifypeer failed"; return; @@ -35,6 +55,13 @@ return; } +#ifdef RELEASE_BUILD + if (curl_easy_setopt(mCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) { + qDebug() << "Setting ssl version failed."; + return; + } +#endif + mCertFile.open(); if (mCertFile.write(mPinnedCert) != mPinnedCert.size()) { qDebug() << "Failed to write temporary certificate"; @@ -44,10 +71,17 @@ if (curl_easy_setopt(mCurl, CURLOPT_CAINFO, mCertFile.fileName().toUtf8().constData()) != CURLE_OK) { - qDebug() << "Failed to write temporary certificate"; + qDebug() << "Failed to set ca certificate"; return; } + /* If the build fails here maybe you probably forgot to apply the + * trustbridge patches to curl */ + if (curl_easy_setopt(mCurl, CURLOPT_PEERCERT, + mCertFile.fileName().toUtf8().constData()) != CURLE_OK) { + qDebug() << "Failed set peer certificate."; + return; + } mInitialized = true; #ifdef CONNECTION_DEBUG @@ -84,6 +118,10 @@ mErrorState = InvalidCertificate; return -1; } + if (retval == CURLE_SSL_CONNECT_ERROR) { + mErrorState = SSLHandshakeFailed; + return -1; + } mErrorState = NoConnection; return -1; @@ -226,5 +264,14 @@ } void SSLConnectionCurl::setCiphersuites(int ciphers[]) { - qDebug() << "Set ciphersuites not supported."; + QStringList cipher_list; + for (int i = 0; ciphers[i] != 0; i++) { + cipher_list << ssl_get_ciphersuite_name(ciphers[i]); + } + + if (curl_easy_setopt(mCurl, CURLOPT_SSL_CIPHER_LIST, + cipher_list.join(":").toLatin1().constData()) != CURLE_OK) { + qDebug() << "Failed to set cipher list"; + return; + } }
--- a/ui/tests/downloadertest.cpp Tue Sep 02 11:52:59 2014 +0200 +++ b/ui/tests/downloadertest.cpp Tue Sep 02 11:55:15 2014 +0200 @@ -148,22 +148,22 @@ QVERIFY(error == SSLConnection::NoConnection); } +static int accept_ciphers[] = { + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + 0 +}; void DownloaderTest::testForcedCiphers() { Downloader* downloader = new Downloader(this, - QString::fromLatin1("https://files.intevation.de:443"), + QString::fromLatin1(SERVER_URL), QByteArray(), /* Use default testing certificate */ QDateTime::currentDateTime(), QDateTime::fromString("2010", "YYYY"), "/users/aheinecke/development/TrustBridge-development.exe", "/users/aheinecke/development/zertifikatsliste.txt"); - int accept_ciphers[] = { - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - 0 - }; downloader->setCiphersuites(accept_ciphers);