Commit 30badc5b authored by Jakub Jirutka's avatar Jakub Jirutka

main/busybox: wget: verify certificate when openssl helper is used

parent a93da0e8
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Mon, 28 May 2018 00:04:00 +0200
Subject: [PATCH] wget: verify certificate when openssl helper is used
This patch is based on
http://lists.busybox.net/pipermail/busybox/2018-May/086458.html.
When TLS verification fails, e.g. due to invalid certificate, wget will print:
Connecting to example.org (...:443)
wget: error getting response: Connection reset by peer
wget executes openssl s_client as an external command and communicates
with it using stdin/stdout. Since s_client prints debug output to stderr
even when -quiet option is used, wget throws it to /dev/null. s_client
also does not disquish various error states using different exit codes,
so if openssl s_client exits prematurely, it cannot know why.
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -709,7 +709,12 @@
pid = xvfork();
if (pid == 0) {
/* Child */
+#if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ char *argv[13];
+ int argc;
+#else
char *argv[8];
+#endif
close(sp[0]);
xmove_fd(sp[1], 0);
@@ -735,7 +740,26 @@
if (!is_ip_address(servername)) {
argv[5] = (char*)"-servername";
argv[6] = (char*)servername;
+#if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ argc = 7;
+ } else
+ argc = 5;
+
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+ argv[argc++] = (char*)"-verify";
+ argv[argc++] = (char*)"16";
+ argv[argc++] = (char*)"-verify_return_error";
+
+ if (is_ip_address(servername))
+ argv[argc++] = (char*)"-verify_ip";
+ else
+ argv[argc++] = (char*)"-verify_hostname";
+
+ argv[argc++] = (char*)servername;
}
+#else
+ }
+#endif
BB_EXECVP(argv[0], argv);
xmove_fd(3, 2);
@@ -1068,6 +1092,10 @@
int fd = spawn_https_helper_openssl(server.host, server.port);
# if ENABLE_FEATURE_WGET_HTTPS
if (fd < 0) { /* no openssl? try internal */
+# if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
+ bb_error_msg_and_die("unable to validate the server's certificate");
+# endif
sfp = open_socket(lsa);
spawn_ssl_client(server.host, fileno(sfp));
goto socket_opened;
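Review bot: The second hunk pushes argv up to index 11 (SNI plus the five verify arguments), but neither hunk shows where the array is NULL-terminated, and `char *argv[13];` at the top of the child branch has no initializer; if the surrounding code only NULLs the fixed slots after argv[4], as the old `char *argv[8]` layout suggests, execvp will read an uninitialized pointer past the last option whenever verification is on. Add `argv[argc] = NULL;` immediately before `BB_EXECVP(argv[0], argv);` inside the long-options branch, or declare `char *argv[13] = { NULL };` so every unused slot is defined. Separately, when ENABLE_FEATURE_WGET_LONG_OPTIONS is off the helper is still spawned with no `-verify` options at all, so the fix silently does not apply to that configuration; a comment on the `#else` at the end of the hunk such as `/* no long options: WGET_OPT_NO_CHECK_CERT is unavailable and the openssl helper does not verify the peer */` would make that limitation visible to whoever builds such a config. spawn_https_helper_openssl starts and ends outside these hunks.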
......@@ -43,6 +43,7 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
0002-nsenter-fix-parsing-of-t-S-and-G-options.patch
0001-wget-print-warning-when-internal-tls-is-used.patch
0002-wget-verify-certificate-when-openssl-helper-is-used.patch
acpid.logrotate
busyboxconfig
......@@ -208,6 +209,7 @@ d90d6b3406760fe3df6dbed46a0f4d1c02a69d5184ebc86d8c1692bc4576532127283ba3ff9a81e6
d2364e20b12c5215c4baecc3c6faf903e6e1e2bee95d697af047d680e9d57e7aeea54c8584d062d92daa0ea64898b502fbae010b22ab236ec4018966b74deeec 0001-nsenter-Rename-network-option-to-net.patch
0dbffae82b62317fc4144a01940ebc601e58b0e14eb8338bc42db79407d0b74dbe9f0f44758b9a5baa399eb90f8e8ee8f9c344bebd1b03bdd2ce520cb2b28d5e 0002-nsenter-fix-parsing-of-t-S-and-G-options.patch
38973e70fc77450ba1bf4d2aa7db5425d57f18eab9ae5676d457294ade12ae6b44300ae41f100f452e2efa1d027612fa501c9ac0f95ce340519e1dce497e4971 0001-wget-print-warning-when-internal-tls-is-used.patch
2af27d1f6f1a0b028464a0f5abed79311d39d27f2ba99abe91fb15e24ed93d0df69edd8cfbf5c6444d10af1eb8b343ec8d5053010f385fe77a6cc71abb3cdcbd 0002-wget-verify-certificate-when-openssl-helper-is-used.patch
a9b1403c844c51934637215307dd9e2adb9458921047acff0d86dcf229b6e0027f4b2c6cdaa25a58407aad9d098fb5685d58eb5ff8d2aa3de4912cdea21fe54c acpid.logrotate
035f2a28719971d9ff805d208d70bc1144fd3701235dc46ef581a559e696ef92265f28f7debf0248a2cee004a773dcd07828bcc088716f5aff944ccdce15d30f busyboxconfig
0efbe22e2fd56993d92b6542d4ccffb2b42d50495be085c98f417a71f503b4071e2f092afcec77f78064d33ffb0922c28daa3cb9958e6d7fb26d5a660abd90f4 busyboxconfig-extras