Don't write core dump if --secure-option value isn't suppported.

2025-01-28 05:10:35 +08:00 · 2023-03-19 17:39:45 +00:00 · 2023-03-19 17:39:45 +00:00 · 9a35fe609c
commit 9a35fe609c
parent d96d20630b
3 changed files with 16 additions and 6 deletions
--- a/src/init.c
+++ b/src/init.c
@ -1756,6 +1756,7 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
    { "tlsv1_3", secure_protocol_tlsv1_3 },
    { "pfs", secure_protocol_pfs },
  };
+  snprintf (opt.secure_protocol_name, sizeof (opt.secure_protocol_name), "%s", val);
  int ok = decode_string (val, choices, countof (choices), place);
  if (!ok)
    fprintf (stderr, _("%s: %s: Invalid value %s.\n"), exec_name, com, quote (val));
--- a/src/openssl.c
+++ b/src/openssl.c
@ -56,6 +56,7 @@ as that of the covered work.  */
 #include "ptimer.h"
 #include "url.h"
 #include "ssl.h"
+#include "exits.h"

 #include <fcntl.h>

@ -177,7 +178,7 @@ static int ssl_true_initialized = 0;
 bool
 ssl_init (void)
 {
-  SSL_METHOD const *meth;
+  SSL_METHOD const *meth = NULL;
  long ssl_options = 0;
  char *ciphers_string = NULL;
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
@ -218,17 +219,17 @@ ssl_init (void)

  switch (opt.secure_protocol)
    {
-#if !defined OPENSSL_NO_SSL2 && OPENSSL_VERSION_NUMBER < 0x10100000L
    case secure_protocol_sslv2:
+#if !defined OPENSSL_NO_SSL2 && OPENSSL_VERSION_NUMBER < 0x10100000L
      meth = SSLv2_client_method ();
-      break;
 #endif
+      break;

-#ifndef OPENSSL_NO_SSL3_METHOD
    case secure_protocol_sslv3:
+#ifndef OPENSSL_NO_SSL3_METHOD
      meth = SSLv3_client_method ();
-      break;
 #endif
+      break;

    case secure_protocol_auto:
    case secure_protocol_pfs:
@ -289,9 +290,16 @@ ssl_init (void)
      abort ();
    }

+  if (!meth)
+    {
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version does not support option '%s'.\n"), opt.secure_protocol_name);
+      logprintf (LOG_NOTQUIET, _("Rebuilding Wget and/or OpenSSL may help in this situation.\n"));
+      exit (WGET_EXIT_GENERIC_ERROR);
+    }
+
  /* The type cast below accommodates older OpenSSL versions (0.9.8)
     where SSL_CTX_new() is declared without a "const" argument. */
-  ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth);
+  ssl_ctx = SSL_CTX_new ((SSL_METHOD *) meth);
  if (!ssl_ctx)
    goto error;

--- a/src/options.h
+++ b/src/options.h
@ -233,6 +233,7 @@ struct options
    secure_protocol_tlsv1_3,
    secure_protocol_pfs
  } secure_protocol;            /* type of secure protocol to use. */
+  char secure_protocol_name[8]; /* name of secure protocol to use. */
  int check_cert;               /* whether to validate the server's cert */
  char *cert_file;              /* external client certificate to use. */
  char *private_key;            /* private key file (if not internal). */