diff options
author | Dimitri John Ledkov <xnox@ubuntu.com> | 2020-05-19 18:20:39 +0100 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2020-05-20 15:10:44 +0200 |
commit | 45fa3f18adf57ef9d743038743d9c90573aeeb91 (patch) | |
tree | bb23b4ce9517ad2a547828e2712fc9ae3a61d8e7 | |
parent | 9f3b410006956c59896034bb790b20e655f8b4cb (diff) | |
download | busybox-45fa3f18adf57ef9d743038743d9c90573aeeb91.tar.gz |
wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
verification by default. And only ignore verification errors, if
--no-check-certificate was passed.
Also note, that previously OPENSSL implementation did not implement
TLS verification, nor printed any warning messages that verification
was not performed.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
CVE-2018-1000500
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | networking/wget.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/networking/wget.c b/networking/wget.c index f2fc9e215..6a8c08324 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -91,6 +91,9 @@ //config: patches, but do want to waste bandwidth expaining how wrong //config: it is, you will be ignored. //config: +//config: FEATURE_WGET_OPENSSL does implement TLS verification +//config: using the certificates available to OpenSSL. +//config: //config:config FEATURE_WGET_OPENSSL //config: bool "Try to connect to HTTPS using openssl" //config: default y @@ -115,6 +118,9 @@ //config: If openssl can't be executed, internal TLS code will be used //config: (if you enabled it); if openssl can be executed but fails later, //config: wget can't detect this, and download will fail. +//config: +//config: By default TLS verification is performed, unless +//config: --no-check-certificate option is passed. //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) @@ -124,8 +130,11 @@ //usage: IF_FEATURE_WGET_LONG_OPTIONS( //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" +//usage: IF_FEATURE_WGET_OPENSSL( +//usage: " [--no-check-certificate]\n" +//usage: ) /* Since we ignore these opts, we don't show them in --help */ -/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ +/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ /* //usage: " [-nv] [-nc] [-nH] [-np]" */ //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." //usage: ) @@ -137,7 +146,9 @@ //usage: "Retrieve files via HTTP or FTP\n" //usage: IF_FEATURE_WGET_LONG_OPTIONS( //usage: "\n --spider Only check URL existence: $? is 0 if exists" -///////: "\n --no-check-certificate Don't validate the server's certificate" +//usage: IF_FEATURE_WGET_OPENSSL( +//usage: "\n --no-check-certificate Don't validate the server's certificate" +//usage: ) //usage: ) //usage: "\n -c Continue retrieval of aborted transfer" //usage: "\n -q Quiet" @@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) pid = xvfork(); if (pid == 0) { /* Child */ - char *argv[8]; + char *argv[9]; close(sp[0]); xmove_fd(sp[1], 0); @@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) argv[5] = (char*)"-servername"; argv[6] = (char*)servername; } + if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { + argv[7] = (char*)"-verify_return_error"; + } BB_EXECVP(argv[0], argv); xmove_fd(3, 2); |