From ced2700c34efaa3a43c4e7bfa96d99fcae5aa52c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tam=C3=A1s=20B=C3=A1lint=20Misius?= Date: Sun, 11 Jun 2023 18:36:16 +0200 Subject: [PATCH] Wire up SECURE_CIPHERS_ONLY This has been in the codebase for ages but apparently never enabled or wired up at all. Defaults to false for now. --- meson_options.txt | 6 ++ src/Config.template.h | 1 + src/client/http/requestmanager/Libcurl.cpp | 69 +++++++++++----------- src/meson.build | 2 + 4 files changed, 44 insertions(+), 34 deletions(-) diff --git a/meson_options.txt b/meson_options.txt index 790399613..6cc15b608 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -202,6 +202,12 @@ option( value: true, description: 'Enforce encrypted HTTP traffic, may be disabled for debugging' ) +option( + 'secure_ciphers_only', + type: 'boolean', + value: false, + description: 'Use only secure ciphers for encrypted HTTP traffic, please review cipher list before enabling' +) option( 'prepare', type: 'boolean', diff --git a/src/Config.template.h b/src/Config.template.h index fa98ff459..9ef9dea16 100644 --- a/src/Config.template.h +++ b/src/Config.template.h @@ -14,6 +14,7 @@ constexpr bool CAN_INSTALL = @CAN_INSTALL@; constexpr bool INSTALL_CHECK = @INSTALL_CHECK@; constexpr bool IGNORE_UPDATES = @IGNORE_UPDATES@; constexpr bool ENFORCE_HTTPS = @ENFORCE_HTTPS@; +constexpr bool SECURE_CIPHERS_ONLY = @SECURE_CIPHERS_ONLY@; constexpr char PATH_SEP_CHAR = '@PATH_SEP_CHAR@'; constexpr char SERVER[] = "@SERVER@"; diff --git a/src/client/http/requestmanager/Libcurl.cpp b/src/client/http/requestmanager/Libcurl.cpp index 0451b9a7d..a0f9c4cb5 100644 --- a/src/client/http/requestmanager/Libcurl.cpp +++ b/src/client/http/requestmanager/Libcurl.cpp 
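Review bot: The new `secure_ciphers_only` description tells users to review the cipher list but not where it lives or that it only takes effect when libcurl is built against OpenSSL or Schannel (the only two backends the code in Libcurl.cpp dispatches on), so on any other TLS backend the option is a silent no-op. I would say so in the option text, e.g. `description: 'Restrict encrypted HTTP traffic to a fixed cipher list (only honoured with the OpenSSL and Schannel libcurl backends); review the list in src/client/http/requestmanager/Libcurl.cpp before enabling'`. A short comment above the option noting that it defaults to false pending that review would also explain the asymmetry with `enforce_https`, which is enforced for release builds.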
@@ -496,44 +496,45 @@ namespace http void SetupCurlEasyCiphers(CURL *easy) { -#ifdef SECURE_CIPHERS_ONLY - curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW); - ByteString ssl_type = version_info->ssl_version; - if (ssl_type.Contains("OpenSSL")) + if constexpr (SECURE_CIPHERS_ONLY) { - HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, - "ECDHE-ECDSA-AES256-GCM-SHA384" ":" - "ECDHE-ECDSA-AES128-GCM-SHA256" ":" - "ECDHE-ECDSA-AES256-SHA384" ":" - "DHE-RSA-AES256-GCM-SHA384" ":" - "ECDHE-RSA-AES256-GCM-SHA384" ":" - "ECDHE-RSA-AES128-GCM-SHA256" ":" - "ECDHE-ECDSA-AES128-SHA" ":" - "ECDHE-ECDSA-AES128-SHA256" ":" - "ECDHE-RSA-CHACHA20-POLY1305" ":" - "ECDHE-RSA-AES256-SHA384" ":" - "ECDHE-RSA-AES128-SHA256" ":" - "ECDHE-ECDSA-CHACHA20-POLY1305" ":" - "ECDHE-ECDSA-AES256-SHA" ":" - "ECDHE-RSA-AES128-SHA" ":" - "DHE-RSA-AES128-GCM-SHA256" - )); + curl_version_info_data *version_info = curl_version_info(CURLVERSION_NOW); + ByteString ssl_type = version_info->ssl_version; + if (ssl_type.Contains("OpenSSL")) + { + HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, + "ECDHE-ECDSA-AES256-GCM-SHA384" ":" + "ECDHE-ECDSA-AES128-GCM-SHA256" ":" + "ECDHE-ECDSA-AES256-SHA384" ":" + "DHE-RSA-AES256-GCM-SHA384" ":" + "ECDHE-RSA-AES256-GCM-SHA384" ":" + "ECDHE-RSA-AES128-GCM-SHA256" ":" + "ECDHE-ECDSA-AES128-SHA" ":" + "ECDHE-ECDSA-AES128-SHA256" ":" + "ECDHE-RSA-CHACHA20-POLY1305" ":" + "ECDHE-RSA-AES256-SHA384" ":" + "ECDHE-RSA-AES128-SHA256" ":" + "ECDHE-ECDSA-CHACHA20-POLY1305" ":" + "ECDHE-ECDSA-AES256-SHA" ":" + "ECDHE-RSA-AES128-SHA" ":" + "DHE-RSA-AES128-GCM-SHA256" + )); #ifdef REQUEST_USE_CURL_TLSV13CL - HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS, - "TLS_AES_256_GCM_SHA384" ":" - "TLS_CHACHA20_POLY1305_SHA256" ":" - "TLS_AES_128_GCM_SHA256" ":" - "TLS_AES_128_CCM_8_SHA256" ":" - "TLS_AES_128_CCM_SHA256" - )); + HandleCURLcode(curl_easy_setopt(easy, CURLOPT_TLS13_CIPHERS, + "TLS_AES_256_GCM_SHA384" ":" + 
"TLS_CHACHA20_POLY1305_SHA256" ":" + "TLS_AES_128_GCM_SHA256" ":" + "TLS_AES_128_CCM_8_SHA256" ":" + "TLS_AES_128_CCM_SHA256" + )); #endif + } + else if (ssl_type.Contains("Schannel")) + { + // TODO: add more cipher algorithms + HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM")); + } } - else if (ssl_type.Contains("Schannel")) - { - // TODO: add more cipher algorithms - HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSL_CIPHER_LIST, "CALG_ECDH_EPHEM")); - } -#endif // TODO: Find out what TLS1.2 is supported on, might need to also allow TLS1.0 HandleCURLcode(curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2)); #if defined(CURL_AT_LEAST_VERSION) && CURL_AT_LEAST_VERSION(7, 70, 0) diff --git a/src/meson.build b/src/meson.build index 2e40a2437..a5607a331 100644 --- a/src/meson.build +++ b/src/meson.build @@ -21,10 +21,12 @@ conf_data.set('UPDATESERVER', update_server) conf_data.set('USE_UPDATESERVER', update_server != '' ? 'true' : 'false') enforce_https = get_option('enforce_https') +secure_ciphers_only = get_option('secure_ciphers_only') if not is_debug and not enforce_https error('refusing to build a release binary without enforcing HTTPS, configure with -Denforce_https=true to fix this error') endif conf_data.set('ENFORCE_HTTPS', enforce_https ? 'true' : 'false') +conf_data.set('SECURE_CIPHERS_ONLY', secure_ciphers_only ? 'true' : 'false') conf_data.set('IGNORE_UPDATES', get_option('ignore_updates') ? 'true' : 'false') conf_data.set('SERVER', get_option('server'))
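Review bot: The OpenSSL list now gated by `if constexpr (SECURE_CIPHERS_ONLY)` still contains non-AEAD CBC suites, three of them with SHA-1 MACs (`"ECDHE-ECDSA-AES128-SHA"`, `"ECDHE-ECDSA-AES256-SHA"`, `"ECDHE-RSA-AES128-SHA"`) plus the `-SHA256`/`-SHA384` CBC variants, and the TLS 1.3 list includes `"TLS_AES_128_CCM_8_SHA256"`, whose truncated 64-bit tag is generally not recommended; since the option text asks users to review this list before enabling it, I would trim it to the GCM and CHACHA20-POLY1305 suites now rather than ship a "secure only" list that still permits them. The `ssl_type.Contains("OpenSSL")` / `Contains("Schannel")` dispatch also makes the option a silent no-op on every other backend (GnuTLS, mbedTLS, wolfSSL, Secure Transport, and BoringSSL/LibreSSL, which report their own names), so an `else` branch that at least logs that no cipher restriction was applied would make a misconfigured build visible. For Schannel, `"CALG_ECDH_EPHEM"` constrains only the key exchange and says nothing about the bulk cipher or MAC, and newer libcurl builds on recent Windows reportedly accept TLS cipher-suite names rather than `CALG_*` identifiers, so that branch is worth re-checking against the libcurl version actually shipped before the option is turned on.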
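Review bot: `secure_ciphers_only` is copied into `conf_data` with no build-time signal, whereas `enforce_https` two lines above refuses a release build when it is off; with the option defaulting to false, every release build silently keeps the TLS backend's default cipher set. If the plan is to enable it once the list has been reviewed, a `warning('secure_ciphers_only is disabled; release builds use the TLS backend default cipher list')` under `if not is_debug and not secure_ciphers_only` would keep that visible to packagers until then.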