1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Mon, 28 May 2018 00:04:00 +0200
Subject: [PATCH] wget: verify certificate when openssl helper is used
This patch is based on
http://lists.busybox.net/pipermail/busybox/2018-May/086458.html.
When TLS verification fails, e.g. due to invalid certificate, wget will print:
Connecting to example.org (...:443)
wget: error getting response: Connection reset by peer
wget executes openssl s_client as an external command and communicates
with it using stdin/stdout. Since s_client prints debug output to stderr
even when -quiet option is used, wget throws it to /dev/null. s_client
also does not disquish various error states using different exit codes,
so if openssl s_client exits prematurely, it cannot know why.
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -709,7 +709,12 @@
pid = xvfork();
if (pid == 0) {
/* Child */
+#if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ char *argv[13];
+ int argc;
+#else
char *argv[8];
+#endif
close(sp[0]);
xmove_fd(sp[1], 0);
@@ -735,7 +740,26 @@
if (!is_ip_address(servername)) {
argv[5] = (char*)"-servername";
argv[6] = (char*)servername;
+#if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ argc = 7;
+ } else
+ argc = 5;
+
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+ argv[argc++] = (char*)"-verify";
+ argv[argc++] = (char*)"16";
+ argv[argc++] = (char*)"-verify_return_error";
+
+ if (is_ip_address(servername))
+ argv[argc++] = (char*)"-verify_ip";
+ else
+ argv[argc++] = (char*)"-verify_hostname";
+
+ argv[argc++] = (char*)servername;
}
+#else
+ }
+#endif
BB_EXECVP(argv[0], argv);
xmove_fd(3, 2);
@@ -1068,6 +1092,10 @@
int fd = spawn_https_helper_openssl(server.host, server.port);
# if ENABLE_FEATURE_WGET_HTTPS
if (fd < 0) { /* no openssl? try internal */
+# if ENABLE_FEATURE_WGET_LONG_OPTIONS
+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
+ bb_error_msg_and_die("unable to validate the server's certificate");
+# endif
sfp = open_socket(lsa);
spawn_ssl_client(server.host, fileno(sfp));
goto socket_opened;
|