----- Original Message ----- > On 07/07/14 21:46, Tomas Hozza wrote: > > Hi. > > > > In Fedora we are moving to a system-wide policy of used > > ciphers. [1] Therefore we need wget to be compiled with other > > than hard-coded set of ciphers when using OpenSSL. > > > > I'm attaching patch adding new configure option > > --with-openssl-ciphers-list=LIST, which can be used > > to redefine the ciphers list when compiled with OpenSSL. > > It can be used only if --with-ssl=openssl. If not > > defined, the previously used (by wget) ciphers list is used. > > > > [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy > > > > > > Regards, > Hello Tomas, > > Thanks for your patch. Some comments: > > You are only changing the override for --secure-protocol=pfs > IMHO this is wrong. --secure-protocol= command line should > override the system policy.
The system policy in the Fedora change proposal is meant only for the algorithms used, not for protocols. The patch IMHO does not change the behavior in this regard. IOW the --secure-protocol will work as it did before. > Additionally I would recommend using just --with-ciphers-list=LIST > and make it work with either OpenSSL or GnuTLS (but maybe you > don't need it after all?) Yes, I know the option is kind of long and not nice. In Fedora we compile wget against OpenSSL. Initially I wanted to contribute the option you are suggesting (also for GnuTLS). However, the GnuTLS code seems too complicated to me to make the change in a simple way. Therefore I decided to go the "only openssl" way. If anyone is willing to help me to make it work also for GnuTLS, I'll rename it. > Finally, if you redefine the cipher list on wget code, I think it should > be noted in the output of > wget --version Added in v2 of the patch (attached). Thanks for the feedback. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc. http://cz.redhat.com
From c9190274c14bb3c8c03f9b1876d1fb467435f306 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <[email protected]>
Date: Mon, 7 Jul 2014 13:20:52 +0200
Subject: [PATCH 1/2] Add configure option --with-openssl-ciphers-list v2
Allow the users to redefine the ciphers list used when compiled with OpenSSL. This is usable for distributions, that distribute wget as binary package and want to use own system-wide ciphers list.
version 2: Print the ciphers list with --version, if it was redefined using configure script option.
Signed-off-by: Tomas Hozza <[email protected]>
---
 ChangeLog | 5 +++++
 configure.ac | 15 +++++++++++++++
 src/ChangeLog | 7 +++++++
 src/Makefile.am | 2 ++
 src/main.c | 14 ++++++++++++++
 src/openssl.c | 6 +++++-
 6 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2bfae67..8a1ff73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-07 Tomas Hozza <[email protected]>
+
+ * configure.ac: Add --with-openssl-ciphers-list to allow redefining the
+ ciphers list when using OpenSSL.
+
 2014-06-28 Giuseppe Scrivano <[email protected]>
 * cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..8aaf4b9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[ --without-ssl disable SSL autodetection
 --with-ssl={gnutls,openssl} specify the SSL backend. GNU TLS is the default.]])
+AC_ARG_WITH([openssl-ciphers-list],
+[ --with-openssl-ciphers-list=LIST Use SSL cipers list for OpenSSL defined as
+ an argument.],
+[with_openssl_ciphers_list="$withval"],
+[with_openssl_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[ --without-zlib disable zlib ]])
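Review bot: The `--help` text for the new option misspells "ciphers" in `+[  --with-openssl-ciphers-list=LIST   Use SSL cipers list for OpenSSL defined as`; this is the string `./configure --help` prints, so it should read `Use LIST as the OpenSSL cipher list (requires --with-ssl=openssl)`. Naming the --with-ssl=openssl requirement in the help text spares the user a failed configure run before the AC_MSG_ERROR in the second configure.ac hunk tells them about it.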
@@ -364,6 +370,15 @@ else
 fi
 fi
+# check which ciphers list should be used for OpenSSL
+AS_IF([test x"$with_openssl_ciphers_list" != xno], [
+ AS_IF([test x"$with_ssl" != xopenssl], [
+ AC_MSG_ERROR([--with-openssl-ciphers-list can be used only with --with-ssl=openssl])
+ ])
+ AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], [Use defined ciphers list for OpenSSL])
+ CIPHERS_LIST="$with_openssl_ciphers_list"
+ AC_SUBST(CIPHERS_LIST)
+])
 dnl **********************************************************************
 dnl Checks for IPv6
diff --git a/src/ChangeLog b/src/ChangeLog
index 6360303..3693ce5 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-07-07 Tomas Hozza <[email protected]>
+
+ * openssl.c: Add definition of OPENSSL_CIPHERS_LIST
+ * openssl.c (ssl_init): Use the predefined OPENSSL_CIPHERS_LIST
+ * main.c (print_version): Print OpenSSL ciphers list if it was redefined
+ * Makefile.am: Add clist_string variable into version.c
+
 2014-07-05 Darshit Shah <[email protected]>
 * cookies.c (check_domain_match): Libpsl requires that all domain names
diff --git a/src/Makefile.am b/src/Makefile.am
index 3a43aa9..21b0eb4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -59,6 +59,7 @@ EXTRA_wget_SOURCES = iri.c
 LDADD = $(LIBOBJS) ../lib/libgnu.a
 AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
+CIPHERS_LIST = @CIPHERS_LIST@
 ../lib/libgnu.a:
 cd ../lib && $(MAKE) $(AM_MAKEFLAGS)
@@ -80,6 +81,7 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
 echo 'const char *link_string = "'$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 $(AM_LDFLAGS) $(LDFLAGS) $(LIBS) $(wget_LDADD)'";' \
 | $(ESCAPEQUOTE) >> $@
+ echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@
 css.c: $(srcdir)/css.l
 $(LEX) $(LFLAGS) -o $@ $^
diff --git a/src/main.c b/src/main.c
index 70930dd..b6dc230 100644
--- a/src/main.c
+++ b/src/main.c
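Review bot: The option value is spliced into C source unescaped twice: `AC_DEFINE_UNQUOTED([OPENSSL_CIPHERS_LIST], ["$with_openssl_ciphers_list"], ...)` here writes it straight into a string literal in config.h, and `echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@` in the src/Makefile.am hunk does the same in version.c without the `$(ESCAPEQUOTE)` filter that the link_string line just above it uses. A value containing `"`, `\` or a newline therefore produces a build that fails inside config.h or version.c, far from the configure argument that caused it. An OpenSSL cipher string never needs those characters, so the simplest guard is to reject them with a `case ... AC_MSG_ERROR` check before the AC_DEFINE_UNQUOTED and to pipe the version.c echo through `$(ESCAPEQUOTE)` like its neighbour. The `test x"$with_ssl" != xopenssl` guard also presumes `$with_ssl` has been normalized to the selected backend by the block that closes just above this hunk; if it can still be empty when OpenSSL was chosen implicitly, a valid configuration is rejected — worth confirming against those lines, which are outside the hunk.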
@@ -82,6 +82,9 @@ extern char *version_string;
 extern char *compilation_string;
 extern char *system_getrc;
 extern char *link_string;
+#ifdef OPENSSL_CIPHERS_LIST
+extern char *clist_string;
+#endif
 /* defined in build_info.c */
 extern const char *compiled_features[];
 /* Used for --version output in print_version */
@@ -886,6 +889,9 @@ print_version (void)
 const char *locale_title = _("Locale: ");
 const char *compile_title = _("Compile: ");
 const char *link_title = _("Link: ");
+#ifdef OPENSSL_CIPHERS_LIST
+ const char *clist_title = _("OpenSSL ciphers list:");
+#endif
 char *env_wgetrc, *user_wgetrc;
 int i;
@@ -951,6 +957,14 @@ print_version (void)
 MAX_CHARS_PER_LINE) < 0)
 exit (WGET_EXIT_IO_FAIL);
+#ifdef OPENSSL_CIPHERS_LIST
+ if (clist_string != NULL)
+ if (format_and_print_line (clist_title,
+ clist_string,
+ MAX_CHARS_PER_LINE) < 0)
+ exit (WGET_EXIT_IO_FAIL);
+#endif
+
 if (printf ("\n") < 0)
 exit (WGET_EXIT_IO_FAIL);
diff --git a/src/openssl.c b/src/openssl.c
index 879b27e..18ba21d 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -50,6 +50,10 @@ as that of the covered work. */
 # include <w32sock.h>
 #endif
+#ifndef OPENSSL_CIPHERS_LIST
+# define OPENSSL_CIPHERS_LIST "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH"
+#endif
+
 /* Application-wide SSL context. This is common to all SSL connections. */
 static SSL_CTX *ssl_ctx;
@@ -223,7 +227,7 @@ ssl_init (void)
 * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */
 if (opt.secure_protocol == secure_protocol_pfs)
- SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+ SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST);
 SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
--
1.9.3
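Review bot: The `clist_string` extern, its generation in version.c and the CIPHERS_LIST/AC_SUBST plumbing carry a value that print_version already has: the block is compiled under `#ifdef OPENSSL_CIPHERS_LIST`, so `if (format_and_print_line (clist_title, OPENSSL_CIPHERS_LIST, MAX_CHARS_PER_LINE) < 0)` prints it directly, the `clist_string != NULL` test (always true once the symbol is emitted as a string literal in version.c) disappears, and the Makefile.am and AC_SUBST changes become unnecessary. Whatever is printed, the nested `if ... if ...` without braces is the shape the dangling-else bug grows from; bracing the outer body keeps it safe. `_("OpenSSL ciphers list:")` also lacks the trailing space that `_("Locale: ")`, `_("Compile: ")` and `_("Link: ")` carry, so the value is printed flush against its title unless format_and_print_line adds one itself — its definition is outside the hunk, as are the start and end of print_version.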
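Review bot: The result of `SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST)` is still discarded, and with the list now coming from a configure argument a typo, or a list that selects no cipher in the OpenSSL actually linked, leaves the context on OpenSSL's built-in default with nothing in the log to show that the distribution's policy was not applied. OpenSSL reports that case by returning 0, so the call should be checked — `if (!SSL_CTX_set_cipher_list (ssl_ctx, OPENSSL_CIPHERS_LIST))` followed by a logprintf naming the list and the same failure path ssl_init's other setup errors take; the rest of ssl_init, including that path, is outside the hunk. The `#ifndef` fallback in the first openssl.c hunk keeps the default build on the old list, so only the configured case changes behaviour and only there is the missing check newly costly.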
