authorJakub Jirutka <jakub@jirutka.cz>2018-05-28 00:05:12 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2018-05-28 20:36:34 +0200
commit86b05a4f1bc6827e8c16095dd7afc0d546761eda (patch)
tree4d6372cc22fec23cc2b25666b7dcc50c3314cc4b
parent7df9acaacd31997c1ac15243a644ef129376e4a7 (diff)
main/busybox: wget: verify certificate when openssl helper is used
-rw-r--r--main/busybox/0002-wget-verify-certificate-when-openssl-helper-is-used.patch71
-rw-r--r--main/busybox/APKBUILD4
2 files changed, 74 insertions, 1 deletions
diff --git a/main/busybox/0002-wget-verify-certificate-when-openssl-helper-is-used.patch b/main/busybox/0002-wget-verify-certificate-when-openssl-helper-is-used.patch
new file mode 100644
index 0000000000..ca00a61f1b
--- /dev/null
+++ b/main/busybox/0002-wget-verify-certificate-when-openssl-helper-is-used.patch
@@ -0,0 +1,71 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Mon, 28 May 2018 00:04:00 +0200
+Subject: [PATCH] wget: verify certificate when openssl helper is used
+
+This patch is based on
+http://lists.busybox.net/pipermail/busybox/2018-May/086458.html.
+
+When TLS verification fails, e.g. due to invalid certificate, wget will print:
+
+ Connecting to example.org (...:443)
+ wget: error getting response: Connection reset by peer
+
+wget executes openssl s_client as an external command and communicates
+with it using stdin/stdout. Since s_client prints debug output to stderr
+even when -quiet option is used, wget throws it to /dev/null. s_client
+also does not disquish various error states using different exit codes,
+so if openssl s_client exits prematurely, it cannot know why.
+
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -709,7 +709,12 @@
+ pid = xvfork();
+ if (pid == 0) {
+ /* Child */
++#if ENABLE_FEATURE_WGET_LONG_OPTIONS
++ char *argv[13];
++ int argc;
++#else
+ char *argv[8];
++#endif
+
+ close(sp[0]);
+ xmove_fd(sp[1], 0);
+@@ -735,7 +740,26 @@
+ if (!is_ip_address(servername)) {
+ argv[5] = (char*)"-servername";
+ argv[6] = (char*)servername;
++#if ENABLE_FEATURE_WGET_LONG_OPTIONS
++ argc = 7;
++ } else
++ argc = 5;
++
++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
++ argv[argc++] = (char*)"-verify";
++ argv[argc++] = (char*)"16";
++ argv[argc++] = (char*)"-verify_return_error";
++
++ if (is_ip_address(servername))
++ argv[argc++] = (char*)"-verify_ip";
++ else
++ argv[argc++] = (char*)"-verify_hostname";
++
++ argv[argc++] = (char*)servername;
+ }
++#else
++ }
++#endif
+
+ BB_EXECVP(argv[0], argv);
+ xmove_fd(3, 2);
+@@ -1068,6 +1092,10 @@
+ int fd = spawn_https_helper_openssl(server.host, server.port);
+ # if ENABLE_FEATURE_WGET_HTTPS
+ if (fd < 0) { /* no openssl? try internal */
++# if ENABLE_FEATURE_WGET_LONG_OPTIONS
++ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
++ bb_error_msg_and_die("unable to validate the server's certificate");
++# endif
+ sfp = open_socket(lsa);
+ spawn_ssl_client(server.host, fileno(sfp));
+ goto socket_opened;
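Review bot: The verification arguments are only added under `#if ENABLE_FEATURE_WGET_LONG_OPTIONS` (the `#else` branch after the `-servername` block contributes nothing, and the `bb_error_msg_and_die` fallback in the third hunk is guarded the same way), so a build without long options still spawns `openssl s_client` with no `-verify_return_error` and silently falls back to the unverified path; an option-parsing feature knob should not decide whether certificates are checked. I would make the `-verify ...` block unconditional, use the single `char *argv[13]` declaration, and gate only the `option_mask32 & WGET_OPT_NO_CHECK_CERT` test (and the die in the third hunk) on the long-options macro, as sketched below. The new code also relies on `argv[12]` being NULL as the execvp terminator after up to twelve entries; that holds only if the array is zeroed before use, which is not visible in these hunks (the original zeroing, if any, sits between them), so a comment such as `/* argv[] is zero-filled above, argv[argc] stays NULL for execvp */` next to the declaration would make the dependency explicit. As far as I recall `-verify_hostname` and `-verify_ip` require OpenSSL 1.1.0 or newer, so the patch header should state the minimum openssl/libressl version the helper now needs. `is_ip_address(servername)` is evaluated twice; caching it in a local would read better.
```c
		char *argv[13];
		int argc;
		// … unchanged: socket fd setup and argv[0..4] (between the hunks) …
		if (!is_ip_address(servername)) {
			argv[5] = (char*)"-servername";
			argv[6] = (char*)servername;
			argc = 7;
		} else
			argc = 5;

#if ENABLE_FEATURE_WGET_LONG_OPTIONS
		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
#endif
		{
			argv[argc++] = (char*)"-verify";
			// … unchanged: "16", -verify_return_error, -verify_ip / -verify_hostname, servername …
		}
```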
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index 6549f14841..fcb4a906af 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.27.2
-pkgrel=8
+pkgrel=9
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
@@ -45,6 +45,7 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
top-buffer-overflow.patch
0001-wget-print-warning-when-internal-tls-is-used.patch
+ 0002-wget-verify-certificate-when-openssl-helper-is-used.patch
acpid.logrotate
busyboxconfig
@@ -210,6 +211,7 @@ a09a64b3bce8048c58a68dcd2dd9e63c911009c06195d6bb4e5aecfb5700e479c25b34635c608991
de61c39a31a7b43d3e23c48e1712faf1a468781a3b18872a937bf507980c474f3d66af815fb1708d282e53def32502f033bb2283926a506cb8f138e0667b1ebd 0001-ash-introduce-a-config-option-to-search-current.patch
524e858b52cb31fb8d24e8c7f18606fff349aeab6a14da9cca3902641f6127980daed73c53586c6e8b41eecda06cdb29c40ff1dde2dc82a318c2649680458921 top-buffer-overflow.patch
38973e70fc77450ba1bf4d2aa7db5425d57f18eab9ae5676d457294ade12ae6b44300ae41f100f452e2efa1d027612fa501c9ac0f95ce340519e1dce497e4971 0001-wget-print-warning-when-internal-tls-is-used.patch
+2af27d1f6f1a0b028464a0f5abed79311d39d27f2ba99abe91fb15e24ed93d0df69edd8cfbf5c6444d10af1eb8b343ec8d5053010f385fe77a6cc71abb3cdcbd 0002-wget-verify-certificate-when-openssl-helper-is-used.patch
a9b1403c844c51934637215307dd9e2adb9458921047acff0d86dcf229b6e0027f4b2c6cdaa25a58407aad9d098fb5685d58eb5ff8d2aa3de4912cdea21fe54c acpid.logrotate
c201ba9316450bac561a2ec831cabd6e98149e387721a140c95a2b441ed8d7589fb12cab9760315bfef491280e7638781e68905feed9a6fcfc55c0d864608964 busyboxconfig
7759d1611ce72f7aa9e4afbd48f410806b3bd59701fe8a570675898c504c0e15f85bacbc1578f87345197844ee6175117d348acc4fe29a742b7ac96b84fe7386 busyboxconfig-extras