andre@1086: From 6389827510dbeed12dfcc4a50d885fd70de6ac65 Mon Sep 17 00:00:00 2001
andre@998: From: Andre Heinecke
andre@1002: Date: Tue, 2 Sep 2014 09:58:44 +0200
andre@1086: Subject: [PATCH 1/2] Add possibility to force polarssl ciphersuites.
andre@998:
andre@998: ---
andre@1002: lib/vtls/polarssl.c | 41 +++++++++++++++++++++++++++++++++++++++--
andre@1002: 1 file changed, 39 insertions(+), 2 deletions(-)
andre@998:
andre@998: diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
andre@1086: index 5332b92..08dc4c6 100644
andre@998: --- a/lib/vtls/polarssl.c
andre@998: +++ b/lib/vtls/polarssl.c
andre@1002: @@ -55,6 +55,7 @@
andre@1002: #include "select.h"
andre@1002: #include "rawstr.h"
andre@1002: #include "polarssl_threadlock.h"
andre@1002: +#include "strtok.h"
andre@1002:
andre@1002: #define _MPRINTF_REPLACE /* use our functions only */
andre@1002: #include
andre@1002: @@ -67,6 +68,8 @@
andre@998: #define THREADING_SUPPORT
andre@998: #endif
andre@998:
andre@998: +#define MAX_CIPHERSUITES 255
andre@998: +
andre@998: #if defined(THREADING_SUPPORT)
andre@998: static entropy_context entropy;
andre@998:
andre@1002: @@ -129,7 +132,7 @@ static void polarssl_debug(void *context, int level, const char *line)
andre@998:
andre@998: static Curl_recv polarssl_recv;
andre@998: static Curl_send polarssl_send;
andre@998: -
andre@998: +static int ciphersuites[MAX_CIPHERSUITES + 1];
andre@998:
andre@998: static CURLcode
andre@998: polarssl_connect_step1(struct connectdata *conn,
andre@1086:
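Review bot: The new `static int ciphersuites[MAX_CIPHERSUITES + 1];` in the third hunk is a single process-wide buffer shared by every connection, and the patch's own comment in the next hunk says PolarSSL keeps the pointer rather than copying the list, so with libcurl driven from several threads (this file already includes polarssl_threadlock.h for that case) two handles with different CURLOPT_SSL_CIPHER_LIST values can rewrite each other's list while the other handshake is still reading it. A later connection can likewise change which suites an earlier ssl_context offers on renegotiation, so the "forced" list is not actually pinned to the connection that asked for it. The list should live with the connection instead: an `int ciphersuites[MAX_CIPHERSUITES + 1];` member in the PolarSSL section of `struct ssl_connect_data` (declared outside this file, in urldata.h if I recall correctly), filled through `connssl->ciphersuites` in polarssl_connect_step1. If the array has to stay file-scope for now, a comment such as `/* shared across connections; only safe when libcurl is used single-threaded */` should sit next to it so the limitation is visible.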
@@ -318,7 +321,41 @@ polarssl_connect_step1(struct connectdata *conn,
andre@998: net_recv, &conn->sock[sockindex],
andre@998: net_send, &conn->sock[sockindex]);
andre@998:
andre@998: - ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
andre@998: + if(!data->set.str[STRING_SSL_CIPHER_LIST])
andre@998: + ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
andre@998: + else {
andre@998: + /* Convert string input to polarssl cipher id's */
andre@998: + char *tmp,
andre@998: + *token,
andre@998: + *tok_buf;
andre@1000: + int i = 0;
andre@998: +
andre@998: + memset(ciphersuites, 0, MAX_CIPHERSUITES + 1);
andre@998: +
andre@998: + tmp = strdup (data->set.str[STRING_SSL_CIPHER_LIST]);
andre@998: + if(!tmp)
andre@998: + return CURLE_OUT_OF_MEMORY;
andre@998: +
andre@998: + for (token = strtok_r(tmp, ":", &tok_buf);
andre@998: + token != NULL;
andre@998: + token = strtok_r(NULL, ":", &tok_buf)) {
andre@998: +
andre@998: + ciphersuites[i] = ssl_get_ciphersuite_id(token);
andre@998: + if (!ciphersuites[i]) {
andre@998: + infof(data, "WARNING: failed to set cipher: %s\n", token);
andre@998: + /* Do not increase i as the first 0 is the end
andre@998: of the list so we overwrite it with the next
andre@998: valid cipher. Maybe we should fail? */
andre@998: + continue;
andre@998: + }
andre@998: + i++;
andre@998: + }
andre@998: + free(tmp);
andre@998: + /* Beware, polarssl does not make a copy of the ciphersuites
andre@998: so the data needs to be valid during the call. */
andre@998: + ssl_set_ciphersuites(&connssl->ssl, ciphersuites);
andre@998: + }
andre@998: +
andre@998: if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
andre@998: memcpy(&connssl->ssn, old_session, old_session_size);
andre@998: infof(data, "PolarSSL re-using session\n");
andre@998: --
andre@998: 1.9.1
andre@998:
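Review bot: `memset(ciphersuites, 0, MAX_CIPHERSUITES + 1)` clears 256 bytes, not 256 ints, so only the first 64 entries are zeroed; since the array is reused across connections, a list whose last token is valid and whose length reaches the unzeroed region ends without a 0 terminator and PolarSSL walks into ids left over from an earlier list — it should be `memset(ciphersuites, 0, sizeof(ciphersuites));`. The loop also never compares `i` with MAX_CIPHERSUITES, so a cipher string with more than 255 recognised names writes past the end of the array; the loop needs a bound and an explicit terminator store after it. Unknown names are only logged, so a typo in a deliberately restricted list silently leaves PolarSSL with a shorter, or even empty, list that then fails the handshake with an unrelated error; at minimum an empty result should be reported as CURLE_SSL_CIPHER, and failing on any unrecognised name, as the comment itself wonders, would be the safer choice for a security option. polarssl_connect_step1 begins and ends outside this hunk; the rewritten lines below assume the existing `infof` warning and `i++` stay as they are.
```c
    memset(ciphersuites, 0, sizeof(ciphersuites));
    /* … unchanged: strdup of the cipher list and the OOM check … */
    for(token = strtok_r(tmp, ":", &tok_buf);
        token != NULL && i < MAX_CIPHERSUITES;
        token = strtok_r(NULL, ":", &tok_buf)) {
      /* … unchanged: ssl_get_ciphersuite_id lookup, warning on unknown name, i++ … */
    }
    ciphersuites[i] = 0; /* explicit terminator; i <= MAX_CIPHERSUITES here */
    free(tmp);
    if(i == 0) {
      failf(data, "No valid cipher in list: %s",
            data->set.str[STRING_SSL_CIPHER_LIST]);
      return CURLE_SSL_CIPHER;
    }
    ssl_set_ciphersuites(&connssl->ssl, ciphersuites);
```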