Backport c1fc044c
to release/3.5
parent
07b6e728b5
commit
c9c2d6ea12
2 changed files with 60 additions and 3 deletions
|
@ -45,6 +45,8 @@
|
||||||
|
|
||||||
#include "mbedtls_embedded_data.h"
|
#include "mbedtls_embedded_data.h"
|
||||||
|
|
||||||
|
#define RB_MAX_CIPHERSUITES 512
|
||||||
|
|
||||||
typedef struct
|
typedef struct
|
||||||
{
|
{
|
||||||
mbedtls_x509_crt crt;
|
mbedtls_x509_crt crt;
|
||||||
|
@ -52,6 +54,7 @@ typedef struct
|
||||||
mbedtls_dhm_context dhp;
|
mbedtls_dhm_context dhp;
|
||||||
mbedtls_ssl_config server_cfg;
|
mbedtls_ssl_config server_cfg;
|
||||||
mbedtls_ssl_config client_cfg;
|
mbedtls_ssl_config client_cfg;
|
||||||
|
int suites[RB_MAX_CIPHERSUITES + 1];
|
||||||
size_t refcount;
|
size_t refcount;
|
||||||
} rb_mbedtls_cfg_context;
|
} rb_mbedtls_cfg_context;
|
||||||
|
|
||||||
|
@ -132,6 +135,8 @@ static rb_mbedtls_cfg_context *rb_mbedtls_cfg_new(void)
|
||||||
mbedtls_ssl_config_init(&cfg->server_cfg);
|
mbedtls_ssl_config_init(&cfg->server_cfg);
|
||||||
mbedtls_ssl_config_init(&cfg->client_cfg);
|
mbedtls_ssl_config_init(&cfg->client_cfg);
|
||||||
|
|
||||||
|
(void) memset(cfg->suites, 0x00, sizeof cfg->suites);
|
||||||
|
|
||||||
cfg->refcount = 1;
|
cfg->refcount = 1;
|
||||||
|
|
||||||
if((ret = mbedtls_ssl_config_defaults(&cfg->server_cfg,
|
if((ret = mbedtls_ssl_config_defaults(&cfg->server_cfg,
|
||||||
|
@ -505,7 +510,59 @@ rb_setup_ssl_server(const char *certfile, const char *keyfile, const char *dhfil
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* XXX support cipher lists when added to mbedtls */
|
if(cipher_list != NULL)
|
||||||
|
{
|
||||||
|
// The cipher_list is (const char *) -- we should not modify it
|
||||||
|
char *const cipher_list_dup = strdup(cipher_list);
|
||||||
|
|
||||||
|
if(cipher_list_dup == NULL)
|
||||||
|
{
|
||||||
|
rb_lib_log("rb_setup_ssl_server: strdup: %s", strerror(errno));
|
||||||
|
rb_lib_log("rb_setup_ssl_server: will not configure ciphersuites!");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
size_t suites_count = 0;
|
||||||
|
char *cipher_str = cipher_list_dup;
|
||||||
|
|
||||||
|
while(*cipher_str != '\0' && suites_count < RB_MAX_CIPHERSUITES)
|
||||||
|
{
|
||||||
|
// Arbitrary, but the same separator as OpenSSL uses
|
||||||
|
char *const cipher_idx = strchr(cipher_str, ':');
|
||||||
|
|
||||||
|
// This could legitimately be NULL (last ciphersuite in the list)
|
||||||
|
if(cipher_idx != NULL)
|
||||||
|
*cipher_idx = '\0';
|
||||||
|
|
||||||
|
size_t cipher_len = strlen(cipher_str);
|
||||||
|
int cipher_idn = 0;
|
||||||
|
|
||||||
|
// All MbedTLS ciphersuite names begin with these 4 characters
|
||||||
|
if(cipher_len > 4 && strncmp(cipher_str, "TLS-", 4) == 0)
|
||||||
|
cipher_idn = mbedtls_ssl_get_ciphersuite_id(cipher_str);
|
||||||
|
|
||||||
|
// Prevent the same ciphersuite being added multiple times
|
||||||
|
for(size_t x = 0; cipher_idn != 0 && newcfg->suites[x] != 0; x++)
|
||||||
|
if(newcfg->suites[x] == cipher_idn)
|
||||||
|
cipher_idn = 0;
|
||||||
|
|
||||||
|
// Add the suite to the list
|
||||||
|
if(cipher_idn != 0)
|
||||||
|
newcfg->suites[suites_count++] = cipher_idn;
|
||||||
|
|
||||||
|
// Advance the string to the next entry -- this could end the loop
|
||||||
|
cipher_str += (cipher_len + 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(suites_count > 0)
|
||||||
|
{
|
||||||
|
mbedtls_ssl_conf_ciphersuites(&newcfg->server_cfg, newcfg->suites);
|
||||||
|
mbedtls_ssl_conf_ciphersuites(&newcfg->client_cfg, newcfg->suites);
|
||||||
|
}
|
||||||
|
|
||||||
|
free(cipher_list_dup);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
rb_mbedtls_cfg_decref(rb_mbedtls_cfg);
|
rb_mbedtls_cfg_decref(rb_mbedtls_cfg);
|
||||||
rb_mbedtls_cfg = newcfg;
|
rb_mbedtls_cfg = newcfg;
|
||||||
|
|
|
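Review bot: The advance `cipher_str += (cipher_len + 1);` at the end of the loop steps one byte past the terminating NUL whenever `cipher_idx` is NULL (the last entry, i.e. any list not ending in ':'), so the next `*cipher_str != '\0'` test in the while condition reads outside the strdup'd buffer — a heap over-read on ordinary input such as "TLS-A:TLS-B". Advancing from the separator keeps the pointer inside the allocation: replace that line with `if(cipher_idx == NULL) break;` followed by `cipher_str = cipher_idx + 1;`. Separately, an entry for which mbedtls_ssl_get_ciphersuite_id() yields 0 is dropped without any message, so a typo in the configured list is invisible to the operator; an `rb_lib_log("rb_setup_ssl_server: unknown ciphersuite '%s'", cipher_str);` in that branch would help. rb_setup_ssl_server begins outside this hunk.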
@ -800,7 +800,7 @@ server_estab(struct Client *client_p)
|
||||||
EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id);
|
EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id);
|
||||||
|
|
||||||
/* pass info to new server */
|
/* pass info to new server */
|
||||||
send_capabilities(client_p, default_server_capabs
|
send_capabilities(client_p, default_server_capabs | CAP_MASK
|
||||||
| (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0)
|
| (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0)
|
||||||
| (ServerConfTb(server_p) ? CAP_TB : 0));
|
| (ServerConfTb(server_p) ? CAP_TB : 0));
|
||||||
|
|
||||||
|
@ -1357,7 +1357,7 @@ serv_connect_callback(rb_fde_t *F, int status, void *data)
|
||||||
EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id);
|
EmptyString(server_p->spasswd) ? "*" : server_p->spasswd, TS_CURRENT, me.id);
|
||||||
|
|
||||||
/* pass my info to the new server */
|
/* pass my info to the new server */
|
||||||
send_capabilities(client_p, default_server_capabs
|
send_capabilities(client_p, default_server_capabs | CAP_MASK
|
||||||
| (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0)
|
| (ServerConfCompressed(server_p) ? CAP_ZIP_SUPPORTED : 0)
|
||||||
| (ServerConfTb(server_p) ? CAP_TB : 0));
|
| (ServerConfTb(server_p) ? CAP_TB : 0));
|
||||||
|
|
||||||
|
|
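Review bot: The capability word handed to send_capabilities is now the same four-term expression in both server_estab and serv_connect_callback, and neither site carries a comment on why CAP_MASK is OR'd in unconditionally; a small helper such as `static unsigned int server_capabs(struct server_conf *server_p)` returning that expression (presumably server_p is a server_conf, judging by ServerConfCompressed/ServerConfTb — confirm) would stop the two call sites drifting and give the rationale one place to live, e.g. `/* CAP_MASK: advertise every capability this build supports */`. Both enclosing functions begin and end outside these hunks.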