----- Original Message -----
> On Tuesday 08 July 2014 16:14:42 Petr Pisar wrote:
> > On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> > > I'm afraid this is not suitable for us. We need to be able to define the
> > > policy somewhere in /etc, where the user is not able to change it (only
> > > the system administrator).
> > 
> > I hope you can also prevent the user from running his own wget executable, or
> > ld-preloading modified OpenSSL library, or intercepting open(2) calls to
> > provide fake /etc file.
> > 
> > > Also the main intention is to have a single place to set the policy for all
> > > system components, therefore wgetrc is not the right place for us.
> > 
> > What about changing wget to call OPENSSL_config(NULL) instead of setting
> > some hard-coded preference string? Then you can teach OpenSSL to load your
> > /etc configuration instead of patching each application.
> > 
> > -- Petr
> 
> Tomas' intention is to only change the (Wget hard-coded) cipher list for
> --secure-protocol=PFS. At least, that's what I understood so far.

It may seem so, but my intention was to be able to redefine any occurrence of
an explicitly hard-coded ciphers priority list. In openssl.c it was only in the
code that was executed if --secure-protocol=PFS was used.

> Tomas, could you rename the ./configure --with-openssl-ciphers-list=LIST to
> something like --with-PFS-ciphers-list=LIST and rename OPENSSL_CIPHERS_LIST
> to PFS_CIPHERS_LIST?
> I will add the gnutls code in a second patch, though it is very easy - if you
> want to add it:
> 
> The current code in gnutls.c is
>       err = gnutls_priority_set_direct (session, "PFS", NULL);
>       if (err != GNUTLS_E_SUCCESS)
>         /* fallback if PFS is not available */
>         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> 
> which should simply be replaced by:
> #ifdef PFS_CIPHERS_LIST
>       err = gnutls_priority_set_direct (session, PFS_CIPHERS_LIST, NULL);
> #else
>       err = gnutls_priority_set_direct (session, "PFS", NULL);
>       if (err != GNUTLS_E_SUCCESS)
>         /* fallback if PFS is not available */
>         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
> #endif
> 
> Tim

Thank you Tim for the help. I actually renamed the option to --with-ciphers-list
so the defined list will replace all hard-coded ciphers lists regardless of
whether GnuTLS or OpenSSL is used.

The version 3 of the patch is attached.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com
From c92ebeb4892fd355489641ab544af502dcad0ae5 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <tho...@redhat.com>
Date: Thu, 10 Jul 2014 14:14:19 +0200
Subject: [PATCH] Add configure option --with-ciphers-list v3

Allow the users to redefine the ciphers list used
when compiled with OpenSSL. This is usable for
distributions that distribute wget as a binary package
and want to use their own system-wide ciphers list.

version 2:
Print the ciphers list with --version, if it was
redefined using configure script option.

version 3:
Option renamed to --with-ciphers-list.
Added support to redefine the hardcoded ciphers list
also for GnuTLS.

Signed-off-by: Tomas Hozza <tho...@redhat.com>
---
 ChangeLog       |  5 +++++
 configure.ac    | 15 +++++++++++++++
 src/ChangeLog   |  7 +++++++
 src/Makefile.am |  2 ++
 src/gnutls.c    | 10 ++++++++++
 src/main.c      | 14 ++++++++++++++
 src/openssl.c   |  4 ++++
 7 files changed, 57 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 2bfae67..c2ea802 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-07-10  Tomas Hozza  <tho...@redhat.com>
+
+	* configure.ac: Add --with-ciphers-list to allow redefining the
+	default ciphers priority list for SSL.
+
 2014-06-28  Giuseppe Scrivano  <gscri...@redhat.com>
 
 	* cfg.mk (local-checks-to-skip): Remove some checks.
diff --git a/configure.ac b/configure.ac
index abc92fb..51ae56e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,6 +69,12 @@ AC_ARG_WITH(ssl,
 [[  --without-ssl           disable SSL autodetection
   --with-ssl={gnutls,openssl} specify the SSL backend.  GNU TLS is the default.]])
 
+AC_ARG_WITH([ciphers-list],
+[  --with-ciphers-list=LIST  Use cipers priority list for SSL defined
+                               as an argument.],
+[with_ciphers_list="$withval"],
+[with_ciphers_list=no])
+
 AC_ARG_WITH(zlib,
 [[  --without-zlib          disable zlib ]])
 
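Review bot: typo in the new help string, "Use cipers priority list for SSL defined" should read "Use ciphers priority list for SSL defined"; this text is what `./configure --help` prints. The quoting also differs from the neighbouring AC_ARG_WITH(ssl) and AC_ARG_WITH(zlib) entries, which wrap their help text in double brackets; single brackets are fine here because the string contains no `[` or `]`, but `AS_HELP_STRING([--with-ciphers-list=LIST], [...])` would give the same column alignment as the rest of the help output.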
@@ -364,6 +370,15 @@ else
   fi
 fi
 
+# check if ciphers list was manually defined
+AS_IF([test x"$with_ciphers_list" != xno], [
+       AS_IF([test x"$with_ssl" == xno], [
+              AC_MSG_ERROR([--with-ciphers-list can be used only with SSL enabled])
+              ])
+       AC_DEFINE_UNQUOTED([CIPHERS_LIST], ["$with_ciphers_list"], [Use defined ciphers list for SSL])
+       CIPHERS_LIST="$with_ciphers_list"
+       AC_SUBST(CIPHERS_LIST)
+])
 
 dnl **********************************************************************
 dnl Checks for IPv6
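Review bot: `test x"$with_ssl" == xno` uses the bash-only `==` operator; configure runs under the system /bin/sh, and POSIX `test` only defines `=`, so on a dash-based system this prints `test: unexpected operator` and the guard never fires. Use `test x"$with_ssl" = xno`. Also, the value is passed to AC_DEFINE_UNQUOTED inside double quotes with no escaping, so a list containing `"` or `\` produces an invalid C string literal in config.h; either reject such characters here with AC_MSG_ERROR or escape them before defining CIPHERS_LIST.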
diff --git a/src/ChangeLog b/src/ChangeLog
index 91eda5f..12a0533 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2014-07-10  Tomas Hozza  <tho...@redhat.com>
+
+	* openssl.c (ssl_init): Use CIPHERS_LIST if defined
+	* gnutls.c (ssl_connect_wget): Use CIPHERS_LIST if defined
+	* main.c (print_version): Print ciphers priority list if it was redefined
+	* Makefile.am: Add clist_string variable into version.c
+
 2014-07-07  Tomas Hozza  <tho...@redhat.com>
 
 	* iri.c (locale_to_utf8): Fix checking of iconv_open return code.
diff --git a/src/Makefile.am b/src/Makefile.am
index 3a43aa9..21b0eb4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -59,6 +59,7 @@ EXTRA_wget_SOURCES = iri.c
 LDADD = $(LIBOBJS) ../lib/libgnu.a
 AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
 
+CIPHERS_LIST = @CIPHERS_LIST@
 
 ../lib/libgnu.a:
 	cd ../lib && $(MAKE) $(AM_MAKEFLAGS)
@@ -80,6 +81,7 @@ version.c:  $(wget_SOURCES) ../lib/libgnu.a
 	echo 'const char *link_string = "'$(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(AM_LDFLAGS) $(LDFLAGS) $(LIBS) $(wget_LDADD)'";' \
 	    | $(ESCAPEQUOTE) >> $@
+	echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@
 
 css.c: $(srcdir)/css.l
 	$(LEX) $(LFLAGS) -o $@ $^
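Review bot: the new `echo 'const char *clist_string = "$(CIPHERS_LIST)";' >> $@` line injects the configured list into a C string literal without the `$(ESCAPEQUOTE)` filter that the preceding link_string line goes through, so a list containing `"` or `\` breaks compilation of version.c, and a list containing `'` breaks the shell quoting of the echo itself. Pipe it through `| $(ESCAPEQUOTE)` like link_string. Note also that `CIPHERS_LIST = @CIPHERS_LIST@` is substituted unconditionally (AC_SUBST registers the variable at autoconf time, not at run time), so version.c always defines clist_string, as an empty string when the option was not given; only the `#ifdef CIPHERS_LIST` in main.c keeps it unused in that case.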
diff --git a/src/gnutls.c b/src/gnutls.c
index a308065..32b9eb1 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -432,6 +432,15 @@ ssl_connect_wget (int fd, const char *hostname)
 #if HAVE_GNUTLS_PRIORITY_SET_DIRECT
   switch (opt.secure_protocol)
     {
+#ifdef CIPHERS_LIST
+    case secure_protocol_auto:
+    case secure_protocol_sslv2:
+    case secure_protocol_sslv3:
+    case secure_protocol_tlsv1:
+    case secure_protocol_pfs:
+      err = gnutls_priority_set_direct (session, CIPHERS_LIST, NULL);
+      break;
+#else
     case secure_protocol_auto:
       break;
     case secure_protocol_sslv2:
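Review bot: with CIPHERS_LIST defined, secure_protocol_sslv2, secure_protocol_sslv3 and secure_protocol_tlsv1 all fall into the same case and receive the same priority string, so `--secure-protocol=tlsv1` (or sslv3) no longer restricts the protocol version unless the configured list happens to carry its own -VERS-*/+VERS-* terms; the user's option is silently ignored, which is worse than an error. Consider leaving the version-selecting cases alone and replacing only the hard-coded strings (the PFS case and its "NORMAL:-RSA" fallback) with CIPHERS_LIST, or at least state in the configure help text that --with-ciphers-list overrides --secure-protocol for GnuTLS. The `#else` branch also changes secure_protocol_auto from `break;` (keep the default priority) to a gnutls_priority_set_direct call; the commit message should say so.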
@@ -447,6 +456,7 @@ ssl_connect_wget (int fd, const char *hostname)
         /* fallback if PFS is not available */
         err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
       break;
+#endif  /* CIPHERS_LIST */
     default:
       abort ();
     }
diff --git a/src/main.c b/src/main.c
index 70930dd..b119f4c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -82,6 +82,9 @@ extern char *version_string;
 extern char *compilation_string;
 extern char *system_getrc;
 extern char *link_string;
+#ifdef CIPHERS_LIST
+extern char *clist_string;
+#endif
 /* defined in build_info.c */
 extern const char *compiled_features[];
 /* Used for --version output in print_version */
@@ -886,6 +889,9 @@ print_version (void)
   const char *locale_title  = _("Locale: ");
   const char *compile_title = _("Compile: ");
   const char *link_title    = _("Link: ");
+#ifdef CIPHERS_LIST
+  const char *clist_title   = _("Ciphers list:");
+#endif
   char *env_wgetrc, *user_wgetrc;
   int i;
 
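Review bot: `clist_title` is `_("Ciphers list:")` without the trailing space that `locale_title`, `compile_title` and `link_title` carry (`_("Link: ")`), so if format_and_print_line prints the title and value back to back as for the other lines, the --version output will read "Ciphers list:HIGH:..." with no separation; use `_("Ciphers list: ")` padded to the same width as the others.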
@@ -951,6 +957,14 @@ print_version (void)
                                MAX_CHARS_PER_LINE) < 0)
       exit (WGET_EXIT_IO_FAIL);
 
+#ifdef CIPHERS_LIST
+  if (clist_string != NULL)
+    if (format_and_print_line (clist_title,
+                               clist_string,
+                               MAX_CHARS_PER_LINE) < 0)
+      exit (WGET_EXIT_IO_FAIL);
+#endif
+
   if (printf ("\n") < 0)
     exit (WGET_EXIT_IO_FAIL);
 
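Review bot: the `if (clist_string != NULL)` guard is dead code: version.c always defines clist_string as a string literal, so it can never be NULL. Drop the guard so the block matches the link_string block above it, or if it stays, brace the nested `if` so a later `else` cannot bind to the wrong `if`.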
diff --git a/src/openssl.c b/src/openssl.c
index 879b27e..0582ae2 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -223,7 +223,11 @@ ssl_init (void)
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */
   if (opt.secure_protocol == secure_protocol_pfs)
+#ifdef CIPHERS_LIST
+    SSL_CTX_set_cipher_list (ssl_ctx, CIPHERS_LIST);
+#else
     SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH");
+#endif
 
   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
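Review bot: the return value of SSL_CTX_set_cipher_list is not checked in either branch; it returns 0 when none of the ciphers in the string can be selected, so a mistyped --with-ciphers-list value silently leaves OpenSSL's built-in default cipher list in place, which defeats the purpose of a distribution-wide policy. Check the result and fail ssl_init (or at least report it through wget's logprintf) when it is 0. The comment above the `if` still describes only the hard-coded HIGH:MEDIUM string and should mention that CIPHERS_LIST replaces it when defined. Note also that here the list applies only for secure_protocol_pfs, while in gnutls.c it applies to every --secure-protocol value; the two backends now disagree about when the configured list is used, and the commit message says only "the ciphers list used when compiled with OpenSSL".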
-- 
1.9.3
