From c92ebeb4892fd355489641ab544af502dcad0ae5 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Thu, 10 Jul 2014 14:14:19 +0200
Subject: [PATCH] Add configure option --with-ciphers-list v3
Allow the users to redefine the ciphers list used when compiled with OpenSSL. This is usable for distributions, that distribute wget as binary package and want to use own system-wide ciphers list.
version 2: Print the ciphers list with --version, if it was redefined using configure script option.
version 3: Option renamed to --with-ciphers-list. Added support to redefine hardcoded ciphers list also for GnuTLS.
Signed-off-by: Tomas Hozza
---
 ChangeLog | 5 +++++
 configure.ac | 15 +++++++++++++++
 src/ChangeLog | 7 +++++++
 src/Makefile.am | 2 ++
 src/gnutls.c | 10 ++++++++++
 src/main.c | 14 ++++++++++++++
 src/openssl.c | 4 ++++
 7 files changed, 57 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 2bfae67..c2ea802 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-10 Tomas Hozza
+
+ * configure.ac: Add --with-ciphers-list to allow redefining the
+ default ciphers priority list for SSL.
+
 2014-06-28 Giuseppe Scrivano
 * cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..51ae56e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[ --without-ssl disable SSL autodetection
 --with-ssl={gnutls,openssl} specify the SSL backend. GNU TLS is the default.]])
+AC_ARG_WITH([ciphers-list],
+[ --with-ciphers-list=LIST Use cipers priority list for SSL defined as an argument.],
+[with_ciphers_list="$withval"],
+[with_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[ --without-zlib disable zlib
 ]])
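Review bot: The help text added for `--with-ciphers-list` misspells "ciphers" as `cipers` and does not say that LIST is handed verbatim to whichever backend `--with-ssl` selects, although an OpenSSL cipher-list string and a GnuTLS priority string have different syntaxes and are not interchangeable. A packager who reuses one distribution-wide value across both backends will only discover the mismatch at connect time. Suggested wording: `--with-ciphers-list=LIST  use LIST as the SSL cipher list: an OpenSSL cipher-list string or a GnuTLS priority string, depending on --with-ssl`.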
@@ -364,6 +370,15 @@ else
 fi
 fi
+# check if ciphers list was manually defined
+AS_IF([test x"$with_ciphers_list" != xno], [
+ AS_IF([test x"$with_ssl" == xno], [
+ AC_MSG_ERROR([--with-ciphers-list can be used only with SSL enabled])
+ ])
+ AC_DEFINE_UNQUOTED([CIPHERS_LIST], ["$with_ciphers_list"], [Use defined ciphers list for SSL])
+ CIPHERS_LIST="$with_ciphers_list"
+ AC_SUBST(CIPHERS_LIST)
+])
 dnl **********************************************************************
 dnl Checks for IPv6
diff --git a/src/ChangeLog b/src/ChangeLog
index 91eda5f..12a0533 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-07-10 Tomas Hozza
+
+ * openssl.c (ssl_init): Use CIPHERS_LIST if defined
+ * gnutls.c (ssl_connect_wget): Use CIPHERS_LIST if defined
+ * main.c (print_version): Print ciphers priority list if it was redefined
+ * Makefile.am: Add clist_string variable into version.c
+
 2014-07-07 Tomas Hozza
 * iri.c (locale_to_utf8): Fix checking of iconv_open return code.
diff --git a/src/Makefile.am b/src/Makefile.am
index 3a43aa9..21b0eb4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -59,6 +59,7 @@ EXTRA_wget_SOURCES = iri.c
 LDADD = $(LIBOBJS) ../lib/libgnu.a
 AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
+CIPHERS_LIST = @CIPHERS_LIST@
 ../lib/libgnu.a:
 cd ../lib && $(MAKE) $(AM_MAKEFLAGS)
@@ -80,6 +81,7 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
 echo 'const char *link_string = "'$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 $(AM_LDFLAGS) $(LDFLAGS) $(LIBS) $(wget_LDADD)'";' \
 | $(ESCAPEQUOTE) >> $@
+ echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@
 css.c: $(srcdir)/css.l
 $(LEX) $(LFLAGS) -o $@ $^
diff --git a/src/gnutls.c b/src/gnutls.c
index a308065..32b9eb1 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
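Review bot: `test x"$with_ssl" == xno` in the new AS_IF uses `==`, which is not a POSIX `test` operator; under dash (the `/bin/sh` of Debian-derived systems) `test` prints "unexpected operator" and returns non-zero, so the inner branch is silently skipped and `--with-ciphers-list` is accepted together with `--without-ssl`, the exact combination the check exists to reject. Use `AS_IF([test x"$with_ssl" = xno], [`. The check also only recognizes an explicit `--without-ssl`; whether `with_ssl` becomes `no` when backend autodetection fails is not visible in this hunk, so a build that ends up without any TLS backend may still define CIPHERS_LIST, which is worth confirming against the detection code just above. Finally, the value reaches config.h through AC_DEFINE_UNQUOTED with no escaping, so a LIST containing `"` or `\` yields a broken C string literal in every file that includes config.h; rejecting those characters here with an AC_MSG_ERROR would give a clearer failure.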
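Review bot: The new `echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@` line in the version.c rule bypasses the `$(ESCAPEQUOTE)` filter that the neighbouring `link_string` line goes through, so a cipher list containing a double quote breaks the generated version.c and a single quote breaks the shell command itself. Emitting it the same way as the other strings keeps the escaping in one place: `echo 'const char *clist_string = "'$(CIPHERS_LIST)'";' | $(ESCAPEQUOTE) >> $@`. With that form the value sits outside single quotes and is subject to shell word splitting and globbing like the existing strings; a cipher list is unlikely to contain whitespace or `*`, but it is the same trade-off the rule already makes. The string is also emitted unconditionally, which is harmless only because main.c references `clist_string` solely under `#ifdef CIPHERS_LIST`; a comment on the rule saying so would save the next reader the cross-check.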
@@ -432,6 +432,15 @@ ssl_connect_wget (int fd, const char *hostname)
 #if HAVE_GNUTLS_PRIORITY_SET_DIRECT
 switch (opt.secure_protocol)
 {
+#ifdef CIPHERS_LIST
+ case secure_protocol_auto:
+ case secure_protocol_sslv2:
+ case secure_protocol_sslv3:
+ case secure_protocol_tlsv1:
+ case secure_protocol_pfs:
+ err = gnutls_priority_set_direct (session, CIPHERS_LIST, NULL);
+ break;
+#else
 case secure_protocol_auto:
 break;
 case secure_protocol_sslv2:
@@ -447,6 +456,7 @@ ssl_connect_wget (int fd, const char *hostname)
 /* fallback if PFS is not available */
 err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
 break;
+#endif /* CIPHERS_LIST */
 default:
 abort ();
 }
diff --git a/src/main.c b/src/main.c
index 70930dd..b119f4c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -82,6 +82,9 @@ extern char *version_string;
 extern char *compilation_string;
 extern char *system_getrc;
 extern char *link_string;
+#ifdef CIPHERS_LIST
+extern char *clist_string;
+#endif
 /* defined in build_info.c */
 extern const char *compiled_features[];
 /* Used for --version output in print_version */
@@ -886,6 +889,9 @@ print_version (void)
 const char *locale_title = _("Locale: ");
 const char *compile_title = _("Compile: ");
 const char *link_title = _("Link: ");
+#ifdef CIPHERS_LIST
+ const char *clist_title = _("Ciphers list:");
+#endif
 char *env_wgetrc, *user_wgetrc;
 int i;
@@ -951,6 +957,14 @@ print_version (void)
 MAX_CHARS_PER_LINE) < 0)
 exit (WGET_EXIT_IO_FAIL);
+#ifdef CIPHERS_LIST
+ if (clist_string != NULL)
+ if (format_and_print_line (clist_title,
+ clist_string,
+ MAX_CHARS_PER_LINE) < 0)
+ exit (WGET_EXIT_IO_FAIL);
+#endif
+
 if (printf ("\n") < 0)
 exit (WGET_EXIT_IO_FAIL);
diff --git a/src/openssl.c b/src/openssl.c
index 879b27e..0582ae2 100644
--- a/src/openssl.c
+++ b/src/openssl.c
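Review bot: Under `#ifdef CIPHERS_LIST` every `opt.secure_protocol` value, including the explicit `sslv3`, `tlsv1` and `pfs` choices, is folded into a single `gnutls_priority_set_direct (session, CIPHERS_LIST, NULL)`, so on a distribution build a user's `--secure-protocol=PFS` (or `TLSv1`) is silently ignored and the session may negotiate the non-forward-secret or older-protocol suites the user asked to exclude. The configure-time list is better treated as a replacement for the backend default only, i.e. for `secure_protocol_auto` (which today does nothing and leaves the GnuTLS default in force), with the per-protocol cases kept as they are. Note also that the value is a GnuTLS priority string here but an OpenSSL cipher-list string in openssl.c, so one configure argument cannot be valid for both backends; `gnutls_priority_set_direct` will reject an OpenSSL-style list and `err` carries that failure into whatever handling follows the switch. ssl_connect_wget begins and ends outside this hunk.

```c
    switch (opt.secure_protocol)
      {
      case secure_protocol_auto:
#ifdef CIPHERS_LIST
        /* Distribution-provided default priority string; the explicit
           --secure-protocol values below keep their own strings.  */
        err = gnutls_priority_set_direct (session, CIPHERS_LIST, NULL);
#endif
        break;
      /* … unchanged: secure_protocol_sslv2 … secure_protocol_pfs cases … */
```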
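Review bot: `if (clist_string != NULL)` in print_version guards a pointer that version.c always initializes from a string literal (the Makefile.am hunk emits `const char *clist_string = "...";`), so the test is dead and, as an unbraced `if` wrapping another `if`, it invites a dangling-else mistake later; drop it, or brace it if it is meant as defence against a hand-edited version.c. `clist_title` is also the only title without a trailing space (`_("Ciphers list:")` beside `_("Link: ")` and `_("Compile: ")`), which will print the list glued to its label unless format_and_print_line adds one, so `_("Ciphers list: ")` keeps the output consistent. print_version starts and ends outside these hunks.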
@@ -223,7 +223,11 @@ ssl_init (void)
 * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */
 if (opt.secure_protocol == secure_protocol_pfs)
+#ifdef CIPHERS_LIST
+ SSL_CTX_set_cipher_list (ssl_ctx, CIPHERS_LIST);
+#else
 SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+#endif
 SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
-- 
1.9.3
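Review bot: In ssl_init the new `SSL_CTX_set_cipher_list (ssl_ctx, CIPHERS_LIST)` sits inside `if (opt.secure_protocol == secure_protocol_pfs)`, so on an OpenSSL build the distribution list is applied only when the user passes `--secure-protocol=PFS`, while the default `auto` mode and every other setting keep OpenSSL's built-in cipher list — the opposite of what the commit message promises and of what the gnutls.c hunk does. When it is applied it replaces the `!RSA` PFS-only list, so `--secure-protocol=PFS` no longer guarantees forward secrecy unless the distribution's list happens to exclude RSA key exchange. Apply the configured list as the default before the PFS special case and leave the PFS list intact. `SSL_CTX_set_cipher_list` also returns 0 when no cipher in the string is usable and leaves the context's previous list in force, so a typo in the configure argument silently falls back to the OpenSSL default; check the return and take ssl_init's existing failure path (not visible in this hunk). ssl_init begins and ends outside the hunk.

```c
#ifdef CIPHERS_LIST
  /* Distribution-provided default cipher list.  A rejected string must
     not silently leave OpenSSL's built-in default in force.  */
  if (!SSL_CTX_set_cipher_list (ssl_ctx, CIPHERS_LIST))
    {
      /* … take ssl_init's existing failure path here (outside this hunk) … */
    }
#endif
  if (opt.secure_protocol == secure_protocol_pfs)
    /* … unchanged: PFS-only cipher list … */
```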