Mercurial > trustbridge > trustbridge

view patches/0003-Add-possibility-to-force-polarssl-ciphersuites.patch @ 1000:c6c8f4ce48f8

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fix force ciphersuites patch
author Andre Heinecke <andre.heinecke@intevation.de>
date Tue, 02 Sep 2014 09:49:27 +0200
parents patches/0003-Add-possibility-to-fore-polarssl-ciphersuites.patch@0570b1e562c2
children e9ff3107b885
line wrap: on
line source
From 7b70a13b983979ccf7a672c0065c232cd7dc0c37 Mon Sep 17 00:00:00 2001
From: Andre Heinecke <aheinecke@intevation.de>
Date: Tue, 2 Sep 2014 09:48:01 +0200
Subject: [PATCH] Add possibility to force polarssl ciphersuites.

---
 lib/vtls/polarssl.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 2c40e36..e0cfb90 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -67,6 +67,8 @@
 #define THREADING_SUPPORT
 #endif
 
+#define MAX_CIPHERSUITES 255
+
 #if defined(THREADING_SUPPORT)
 static entropy_context entropy;
 
@@ -129,7 +131,7 @@ static void polarssl_debug(void *context, int level, const char *line)
 
 static Curl_recv polarssl_recv;
 static Curl_send polarssl_send;
-
+static int ciphersuites[MAX_CIPHERSUITES + 1];
 
 static CURLcode
 polarssl_connect_step1(struct connectdata *conn,
@@ -300,7 +302,41 @@ polarssl_connect_step1(struct connectdata *conn,
               net_recv, &conn->sock[sockindex],
               net_send, &conn->sock[sockindex]);
 
-  ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+  if(!data->set.str[STRING_SSL_CIPHER_LIST])
+    ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+  else {
+    /* Convert string input to polarssl cipher id's */
+    char *tmp,
+         *token,
+         *tok_buf;
+    int i = 0;
+
+    memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);
+
+    tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]);
+    if(!tmp)
+      return CURLE_OUT_OF_MEMORY;
+
+    for (token = strtok_r(tmp, ":", &tok_buf);
+         token != NULL;
+         token = strtok_r(NULL, ":", &tok_buf)) {
+
+      ciphersuites[i] = ssl_get_ciphersuite_id(token);
+      if (!ciphersuites[i]) {
+        infof(data, "WARNING: failed to set cipher: %s\n", token);
+        /* Do not increase i as the first 0 is the end
+           of the list so we overwrite it with the next
+           valid cipher. Maybe we should fail? */
+        continue;
+      }
+      i++;
+    }
+    free(tmp);
+    /* Beware, polarssl does not make a copy of the ciphersuites
+       so the data needs to be valid during the call. */
+    ssl_set_ciphersuites(&connssl->ssl, ciphersuites);
+  }
+
   if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
     memcpy(&connssl->ssn, old_session, old_session_size);
     infof(data, "PolarSSL re-using session\n");
-- 
1.9.1
http://wald.intevation.org/projects/trustbridge/