From c9190274c14bb3c8c03f9b1876d1fb467435f306 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Mon, 7 Jul 2014 13:20:52 +0200
Subject: [PATCH 1/2] Add configure option --with-openssl-ciphers-list v2

Allow the users to redefine the ciphers list used when compiled with OpenSSL. This is usable for distributions, that distribute wget as binary package and want to use own system-wide ciphers list.

version 2: Print the ciphers list with --version, if it was redefined using configure script option.

Signed-off-by: Tomas Hozza
---
 ChangeLog | 5 +++++
 configure.ac | 15 +++++++++++++++
 src/ChangeLog | 7 +++++++
 src/Makefile.am | 2 ++
 src/main.c | 14 ++++++++++++++
 src/openssl.c | 6 +++++-
 6 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2bfae67..8a1ff73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-07 Tomas Hozza
+
+ * configure.ac: Add --with-openssl-ciphers-list to allow redefining the
+ ciphers list when using OpenSSL.
+
 2014-06-28 Giuseppe Scrivano
 
 * cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..8aaf4b9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[ --without-ssl disable SSL autodetection
 --with-ssl={gnutls,openssl} specify the SSL backend. GNU TLS is the default.]])
 
+AC_ARG_WITH([openssl-ciphers-list],
+[ --with-openssl-ciphers-list=LIST Use SSL cipers list for OpenSSL defined as
+ an argument.],
+[with_openssl_ciphers_list="$withval"],
+[with_openssl_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[ --without-zlib disable zlib ]])
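Review bot: The help string added to the new AC_ARG_WITH misspells its subject — `Use SSL cipers list for OpenSSL defined as` should read `Use SSL ciphers list for OpenSSL defined as` — and it never says what LIST is. Since the value goes straight into SSL_CTX_set_cipher_list in the openssl.c hunk of this patch, and that call sits under `if (opt.secure_protocol == secure_protocol_pfs)`, the help text should state that LIST is an OpenSSL cipher-list string and that it only takes effect with --secure-protocol=PFS. The neighbouring options in this block use the `[[ ... ]]` double-quoted help form, so `[[ --with-openssl-ciphers-list=LIST ... ]]` would also match the file's existing style.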
@@ -364,6 +370,15 @@ else
 fi
 fi
 
+# check which ciphers list should be used for OpenSSL
+AS_IF([test x"$with_openssl_ciphers_list" != xno], [
+ AS_IF([test x"$with_ssl" != xopenssl], [
+ AC_MSG_ERROR([--with-openssl-ciphers-list can be used only with --with-ssl=openssl])
+ ])
+ AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], [Use defined ciphers list for OpenSSL])
+ CIPHERS_LIST="$with_openssl_ciphers_list"
+ AC_SUBST(CIPHERS_LIST)
+])
 
 dnl **********************************************************************
 dnl Checks for IPv6
diff --git a/src/ChangeLog b/src/ChangeLog
index 6360303..3693ce5 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-07-07 Tomas Hozza
+
+ * openssl.c: Add definition of OPENSSL_CIPHERS_LIST
+ * openssl.c (ssl_init): Use the predefined OPENSSL_CIPHERS_LIST
+ * main.c (print_version): Print OpenSSL ciphers list if it was redefined
+ * Makefile.am: Add clist_string variable into version.c
+
 2014-07-05 Darshit Shah
 
 * cookies.c (check_domain_match): Libpsl requires that all domain names
diff --git a/src/Makefile.am b/src/Makefile.am
index 3a43aa9..21b0eb4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -59,6 +59,7 @@ EXTRA_wget_SOURCES = iri.c
 LDADD = $(LIBOBJS) ../lib/libgnu.a
 AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
+CIPHERS_LIST = @CIPHERS_LIST@
 ../lib/libgnu.a:
 cd ../lib && $(MAKE) $(AM_MAKEFLAGS)
@@ -80,6 +81,7 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
 echo 'const char *link_string = "'$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 $(AM_LDFLAGS) $(LDFLAGS) $(LIBS) $(wget_LDADD)'";' \
 | $(ESCAPEQUOTE) >> $@
+ echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@
 
 css.c: $(srcdir)/css.l
 $(LEX) $(LFLAGS) -o $@ $^
diff --git a/src/main.c b/src/main.c
index 70930dd..b6dc230 100644
--- a/src/main.c
+++ b/src/main.c
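Review bot: The new AS_IF block accepts a bare `--with-openssl-ciphers-list` (withval is then `yes`, which passes the `!= xno` test) and compiles the literal string "yes" into OPENSSL_CIPHERS_LIST, so add `AS_IF([test x"$with_openssl_ciphers_list" = xyes], [AC_MSG_ERROR([--with-openssl-ciphers-list requires =LIST])])` before the define. AC_DEFINE_UNQUOTED also places the value inside a C string literal unescaped, so a LIST containing `"` or `\` yields a config.h that does not compile; OpenSSL cipher-list syntax never needs those characters, so rejecting them here with the same AC_MSG_ERROR pattern is enough. Because `AC_SUBST(CIPHERS_LIST)` runs only inside the conditional, the `@CIPHERS_LIST@` reference added in src/Makefile.am would presumably be left unsubstituted in builds without the option; hoisting `CIPHERS_LIST=` and the AC_SUBST out of the AS_IF avoids that.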
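Review bot: The new `echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@` line writes the configured value into version.c without the `$(ESCAPEQUOTE)` filter that the link_string line just above it pipes through, so a value containing `"` or `\` produces a version.c that does not compile; route it through the same pipe: `echo 'const char *clist_string = "$(CIPHERS_LIST)";' | $(ESCAPEQUOTE) >> $@`. The value is also already compiled into config.h as OPENSSL_CIPHERS_LIST by the configure.ac hunk in this patch, so print_version could print that macro directly and this line, the CIPHERS_LIST variable and the extern in main.c could all be dropped. The version.c recipe starts outside this hunk.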
@@ -82,6 +82,9 @@ extern char *version_string;
 extern char *compilation_string;
 extern char *system_getrc;
 extern char *link_string;
+#ifdef OPENSSL_CIPHERS_LIST
+extern char *clist_string;
+#endif
 /* defined in build_info.c */
 extern const char *compiled_features[];
 /* Used for --version output in print_version */
@@ -886,6 +889,9 @@ print_version (void)
 const char *locale_title = _("Locale: ");
 const char *compile_title = _("Compile: ");
 const char *link_title = _("Link: ");
+#ifdef OPENSSL_CIPHERS_LIST
+ const char *clist_title = _("OpenSSL ciphers list:");
+#endif
 char *env_wgetrc, *user_wgetrc;
 int i;
@@ -951,6 +957,14 @@ print_version (void)
 MAX_CHARS_PER_LINE) < 0)
 exit (WGET_EXIT_IO_FAIL);
 
+#ifdef OPENSSL_CIPHERS_LIST
+ if (clist_string != NULL)
+ if (format_and_print_line (clist_title,
+ clist_string,
+ MAX_CHARS_PER_LINE) < 0)
+ exit (WGET_EXIT_IO_FAIL);
+#endif
+
 if (printf ("\n") < 0)
 exit (WGET_EXIT_IO_FAIL);
diff --git a/src/openssl.c b/src/openssl.c
index 879b27e..18ba21d 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -50,6 +50,10 @@ as that of the covered work. */
 # include
 #endif
 
+#ifndef OPENSSL_CIPHERS_LIST
+# define OPENSSL_CIPHERS_LIST "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden"
+#endif
+
 /* Application-wide SSL context. This is common to all SSL connections. */
 static SSL_CTX *ssl_ctx;
@@ -223,7 +227,7 @@ ssl_init (void)
 * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */
 if (opt.secure_protocol == secure_protocol_pfs)
- SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+ SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);
 
 SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
-- 
1.9.3
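Review bot: The new `clist_title` is the only title in this block without a trailing space — its neighbours are `_("Locale: ")`, `_("Compile: ")` and `_("Link: ")` — so if format_and_print_line prints the title immediately followed by the value, as those trailing spaces suggest, --version will show `OpenSSL ciphers list:HIGH:...` run together; use `_("OpenSSL ciphers list: ")`. print_version continues outside this hunk.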
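Review bot: The added `if (clist_string != NULL)` wraps a second, unbraced `if`, the shape that brace-every-body rules exist to prevent, and the guard itself looks dead: the Makefile.am hunk in this patch generates clist_string as a string literal, so it cannot be NULL. Either drop the test or fold the two into one condition, `if (clist_string != NULL && format_and_print_line (clist_title, clist_string, MAX_CHARS_PER_LINE) < 0)` followed by `exit (WGET_EXIT_IO_FAIL);`. If the value is printed from the OPENSSL_CIPHERS_LIST macro instead of version.c, the #ifdef can pass the macro directly and the extern declared in the first main.c hunk goes away. print_version continues outside this hunk.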
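Review bot: The new fallback `#define OPENSSL_CIPHERS_LIST` carries no comment saying when the list is applied or how it is overridden, and a reader of this file alone cannot tell that configure's --with-openssl-ciphers-list supplies the macro through config.h; add above the `#ifndef` a comment such as `/* Cipher list installed by ssl_init when --secure-protocol=PFS is selected; configure --with-openssl-ciphers-list overrides it via config.h. */`. The tail `address@hidden` in the literal looks like mailing-list address obfuscation in the archived copy rather than the real value, so the string shown here should not be taken literally.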
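Review bot: Now that the cipher list is configurable, the unchecked `SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);` becomes the point where a mistyped --with-openssl-ciphers-list value fails silently: SSL_CTX_set_cipher_list returns 0 when no cipher in the string matches, OpenSSL then keeps its default list, and the PFS hardening the caller asked for is quietly lost. Check the result, `if (!SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST)) goto error;`, routing to ssl_init's failure path if it has one (the function continues outside this hunk), or at least log the failure before continuing. A configure-time sanity check of LIST with `openssl ciphers` would catch typos earlier but does not replace the runtime check, since the packager's OpenSSL may differ from the one wget is linked against.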