Is this a patchbomb, and is this the preferred format you like to receive patches in?
cheers, acefael
On Sun, May 03, 2015 at 04:30:48PM -0700, Brendan Cully wrote:
> changeset: 6446:c46dfbdb5eff
> user: Kevin McCarthy <[email protected]>
> date: Sun May 03 16:25:45 2015 -0700
> link: http://dev.mutt.org/hg/mutt/rev/c46dfbdb5eff
>
> Provide SSL cipher selection option. (closes #3167)
>
> Creates a $ssl_ciphers option that allows direct selection of the
> ciphers for OpenSSL (via SSL_CTX_set_cipher_list) and GnuTLS (via
> gnutls_priority_set_direct).
>
> Thank you Sergio Gelato for the patch.
>
> diffs (139 lines):
>
> diff -r 755a18da99bc -r c46dfbdb5eff globals.h
> --- a/globals.h Sat Apr 25 19:00:13 2015 -0700
> +++ b/globals.h Sun May 03 16:25:45 2015 -0700
> @@ -131,6 +131,7 @@
> WHERE char *SslCertFile INITVAL (NULL);
> WHERE char *SslClientCert INITVAL (NULL);
> WHERE char *SslEntropyFile INITVAL (NULL);
> +WHERE char *SslCiphers INITVAL (NULL);
> #ifdef USE_SSL_GNUTLS
> WHERE short SslDHPrimeBits;
> WHERE char *SslCACertFile INITVAL (NULL);
> diff -r 755a18da99bc -r c46dfbdb5eff init.h
> --- a/init.h Sat Apr 25 19:00:13 2015 -0700
> +++ b/init.h Sun May 03 16:25:45 2015 -0700
> @@ -3092,6 +3092,17 @@
> ** URL. You should only unset this for particular known hosts, using
> ** the \fC$<account-hook>\fP function.
> */
> + { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 },
> + /*
> + ** .pp
> + ** Contains a colon-seperated list of ciphers to use when using SSL.
> + ** For OpenSSL, see ciphers(1) for the syntax of the string.
> + ** .pp
> + ** For GnuTLS, this option will be used in place of "NORMAL" at the
> + ** start of the priority string. See gnutls_priority_init(3) for the
> + ** syntax and more details. (Note: GnuTLS version 2.1.7 or higher is
> + ** required.)
> + */
> #endif /* defined(USE_SSL) */
> { "status_chars", DT_STR, R_BOTH, UL &StChars, UL "-*%A" },
> /*
> diff -r 755a18da99bc -r c46dfbdb5eff mutt_ssl.c
> --- a/mutt_ssl.c Sat Apr 25 19:00:13 2015 -0700
> +++ b/mutt_ssl.c Sun May 03 16:25:45 2015 -0700
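Review bot: The option documentation added in the init.h hunk misspells `colon-seperated`; it should read `colon-separated`. The text also leaves open what happens when the backend rejects the string, which is the one thing a user hardening their cipher selection needs to know; once the two backends behave the same, a sentence such as `** If the TLS library rejects the list, the connection is not established.` belongs after the OpenSSL paragraph. The globals.h hunk only adds the variable declaration and needs no comment.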
> @@ -140,6 +140,13 @@
>
> ssl_get_client_cert(ssldata, conn);
>
> + if (SslCiphers) {
> + if (!SSL_CTX_set_cipher_list (ssldata->ctx, SslCiphers)) {
> + dprint (1, (debugfile, "mutt_ssl_starttls: Could not select prefered
> ciphers\n"));
> + goto bail_ctx;
> + }
> + }
> +
> if (! (ssldata->ssl = SSL_new (ssldata->ctx)))
> {
> dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL\n"));
> @@ -360,6 +367,10 @@
>
> ssl_get_client_cert(data, conn);
>
> + if (SslCiphers) {
> + SSL_CTX_set_cipher_list (data->ctx, SslCiphers);
> + }
> +
> data->ssl = SSL_new (data->ctx);
> SSL_set_fd (data->ssl, conn->fd);
>
> diff -r 755a18da99bc -r c46dfbdb5eff mutt_ssl_gnutls.c
> --- a/mutt_ssl_gnutls.c Sat Apr 25 19:00:13 2015 -0700
> +++ b/mutt_ssl_gnutls.c Sun May 03 16:25:45 2015 -0700
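Review bot: In the mutt_ssl_starttls hunk a rejected $ssl_ciphers value is reported only through `dprint` at debug level 1 before `goto bail_ctx`, so a user who mistyped the option sees STARTTLS fail with no visible reason, while the GnuTLS path in this same commit reports the equivalent condition with `mutt_error`. A user-facing message next to the dprint, `mutt_error (_("Could not select preferred ciphers"));` followed by `mutt_sleep (2);`, would make the two backends consistent, and the debug string should read `preferred` rather than `prefered`. The `bail_ctx` label and the rest of mutt_ssl_starttls are outside the hunk.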
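Review bot: The second mutt_ssl.c hunk (around line 367) discards the return value of `SSL_CTX_set_cipher_list`, unlike the STARTTLS hunk above it. When OpenSSL rejects the list the context keeps its default cipher list, so the connection goes ahead with ciphers the user explicitly tried to exclude and nothing is logged or shown. Check the result the same way as the first hunk, `if (SslCiphers && !SSL_CTX_set_cipher_list (data->ctx, SslCiphers))`, and take the function's failure path after reporting the error; the enclosing function starts and ends outside the hunk, so the correct error exit is not visible here.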
> @@ -273,36 +273,44 @@
> static int tls_set_priority(tlssockdata *data)
> {
> size_t nproto = 4;
> - char priority[SHORT_STRING];
> + char *priority;
> + size_t priority_size;
> int err;
>
> + priority_size = SHORT_STRING + mutt_strlen (SslCiphers);
> + priority = safe_malloc (priority_size);
> +
> priority[0] = 0;
> - safe_strcat (priority, sizeof (priority), "NORMAL");
> + if (SslCiphers)
> + safe_strcat (priority, priority_size, SslCiphers);
> + else
> + safe_strcat (priority, priority_size, "NORMAL");
>
> if (! option(OPTTLSV1_2))
> {
> nproto--;
> - safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.2");
> + safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
> }
> if (! option(OPTTLSV1_1))
> {
> nproto--;
> - safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.1");
> + safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
> }
> if (! option(OPTTLSV1))
> {
> nproto--;
> - safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.0");
> + safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
> }
> if (! option(OPTSSLV3))
> {
> nproto--;
> - safe_strcat (priority, sizeof (priority), ":-VERS-SSL3.0");
> + safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
> }
>
> if (nproto == 0)
> {
> mutt_error (_("All available protocols for TLS/SSL connection
> disabled"));
> + FREE (&priority);
> return -1;
> }
>
> @@ -310,9 +318,11 @@
> {
> mutt_error ("gnutls_priority_set_direct(%s): %s", priority,
> gnutls_strerror(err));
> mutt_sleep (2);
> + FREE (&priority);
> return -1;
> }
>
> + FREE (&priority);
> return 0;
> }
> #else
> @@ -342,6 +352,12 @@
> return -1;
> }
>
> + if (SslCiphers)
> + {
> + mutt_error (_("Explicit ciphersuite selection via $ssl_ciphers not
> supported"));
> + mutt_sleep (2);
> + }
> +
> /* We use default priorities (see gnutls documentation),
> except for protocol version */
> gnutls_set_default_priority (data->state);
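Review bot: The heap-allocated `priority` in tls_set_priority is now freed separately on each of three exit paths (one in this hunk, two more in the following hunk at line 318), which is the shape that leaks the next time someone adds a return. A single exit would keep the cleanup in one place: declare `int rc = -1;`, replace each `FREE (&priority); return -1;` with `goto out;`, set `rc = 0;` before the end, and finish with `out: FREE (&priority); return rc;`. The sizing `SHORT_STRING + mutt_strlen (SslCiphers)` leaves room for the fixed `:-VERS-` suffixes, so `safe_strcat` truncation is not a concern here, but it does rely on `mutt_strlen` accepting a NULL `SslCiphers`, which the `else` branch shows is a reachable case.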
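Review bot: In the last hunk (pre-2.1.7 GnuTLS fallback), a configured $ssl_ciphers that cannot be honoured produces only a two-second `mutt_error` and then execution falls through to `gnutls_set_default_priority`, so the connection proceeds with ciphersuites the user explicitly did not choose. For a hardening option failing closed is the safer default: add `return -1;` after `mutt_sleep (2);`, matching the `return -1;` the surrounding function already uses for its other error just above and the behaviour of the versioned tls_set_priority when the priority string is rejected. The enclosing function starts outside the hunk, so I am assuming the caller treats -1 as a failed connection as it does for the existing error path.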
