Wire up SECURE_CIPHERS_ONLY

This has been in the codebase for ages but apparently never enabled or wired up at all. Defaults to false for now.
This commit is contained in:
Tamás Bálint Misius 2023-06-11 18:36:16 +02:00
parent b6c6cf00d0
commit ced2700c34
No known key found for this signature in database
GPG Key ID: 5B472A12F6ECA9F2
4 changed files with 44 additions and 34 deletions


@ -202,6 +202,12 @@ option(
value: true, value: true,
description: 'Enforce encrypted HTTP traffic, may be disabled for debugging' description: 'Enforce encrypted HTTP traffic, may be disabled for debugging'
) )
option(
'secure_ciphers_only',
type: 'boolean',
value: false,
description: 'Use only secure ciphers for encrypted HTTP traffic, please review cipher list before enabling'
)
option( option(
'prepare', 'prepare',
type: 'boolean', type: 'boolean',


@ -14,6 +14,7 @@ constexpr bool CAN_INSTALL = @CAN_INSTALL@;
constexpr bool INSTALL_CHECK = @INSTALL_CHECK@; constexpr bool INSTALL_CHECK = @INSTALL_CHECK@;
constexpr bool IGNORE_UPDATES = @IGNORE_UPDATES@; constexpr bool IGNORE_UPDATES = @IGNORE_UPDATES@;
constexpr bool ENFORCE_HTTPS = @ENFORCE_HTTPS@; constexpr bool ENFORCE_HTTPS = @ENFORCE_HTTPS@;
constexpr bool SECURE_CIPHERS_ONLY = @SECURE_CIPHERS_ONLY@;
constexpr char PATH_SEP_CHAR = '@PATH_SEP_CHAR@'; constexpr char PATH_SEP_CHAR = '@PATH_SEP_CHAR@';
constexpr char SERVER[] = "@SERVER@"; constexpr char SERVER[] = "@SERVER@";


@ -496,7 +496,8 @@ namespace http
void SetupCurlEasyCiphers(CURL *easy) void SetupCurlEasyCiphers(CURL *easy)
{ {
#ifdef SECURE_CIPHERS_ONLY if constexpr (SECURE_CIPHERS_ONLY)
{
curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW); curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW);
ByteString ssl_type = version_info->ssl_version; ByteString ssl_type = version_info->ssl_version;
if (ssl_type.Contains("OpenSSL")) if (ssl_type.Contains("OpenSSL"))
@ -533,7 +534,7 @@ namespace http
// TODO: add more cipher algorithms // TODO: add more cipher algorithms
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM")); HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM"));
} }
#endif }
// TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0 // TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0
HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)); HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2));
#if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0) #if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0)
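Review bot: Nothing in SetupCurlEasyCiphers states what a build gets when SECURE_CIPHERS_ONLY is false, which is now the default per the meson option: the `if constexpr` body at lines 43-52 is skipped, so the TLS backend's default cipher list is used and only the TLS 1.2 floor set on the following line still applies. A header comment above the function should say so, e.g. `// Restrict the cipher list only when SECURE_CIPHERS_ONLY (meson: secure_ciphers_only, default off); otherwise the TLS backend's default list is used and only the TLS 1.2 minimum below applies.` The Schannel branch still passes the single entry "CALG_ECDH_EPHEM", which as far as I can tell only constrains the key exchange on that backend, so the same comment should note that the restriction differs per backend and that the OpenSSL list is the one the option description asks reviewers to check. The old `#ifdef` excluded this code from compilation entirely, whereas the `if constexpr` body is now compiled on every platform; that is fine here since it uses only the curl API, but any future platform-specific symbol added inside it will need its own guard. The function continues past the end of the hunk.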


@ -21,10 +21,12 @@ conf_data.set('UPDATESERVER', update_server)
conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false') conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false')
enforce_https = get_option('enforce_https') enforce_https = get_option('enforce_https')
secure_ciphers_only = get_option('secure_ciphers_only')
if not is_debug and not enforce_https if not is_debug and not enforce_https
error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error') error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error')
endif endif
conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false') conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false')
conf_data.set('SECURE_CIPHERS_ONLY', secure_ciphers_only ? 'true' : 'false')
conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false') conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false')
conf_data.set('SERVER', get_option('server')) conf_data.set('SERVER', get_option('server'))
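Review bot: secure_ciphers_only gets no release-build check at lines 62-67, unlike enforce_https, which aborts a non-debug build when disabled at lines 63-65, so a release binary silently ships with the TLS backend's default cipher list. Since the option defaults to false and the commit message says the list still needs review, an error would be too strong, but a warning keeps the gap visible: `if not is_debug and not secure_ciphers_only` / `warning('building a release binary without secure_ciphers_only; the TLS backend default cipher list will be used')` / `endif`, placed directly after the enforce_https check.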