| From 71e7e2fb35c806d20f9739d832cd9ae3a86fdee2 Mon Sep 17 00:00:00 2001 |
| From: Dimitri John Ledkov <xnox@ubuntu.com> |
| Date: Tue, 19 May 2020 18:20:39 +0100 |
| Subject: [PATCH] wget: implement TLS verification with |
| ENABLE_FEATURE_WGET_OPENSSL |
| |
| When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS |
| verification by default. And only ignore verification errors, if |
| --no-check-certificate was passed. |
| |
| Also note that previously the OPENSSL implementation did not implement |
| TLS verification, nor print any warning message that verification |
| was not performed. |
| |
| Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533 |
| |
| CVE-2018-1000500 |
| |
| Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91] |
| CVE: CVE-2018-1000500 |
| |
| Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> |
| Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| Signed-off-by: Rahul Kumar <rahulk@mvista.com> |
| --- |
| networking/wget.c | 20 +++++++++++++++++--- |
| 1 file changed, 17 insertions(+), 3 deletions(-) |
| |
| diff --git a/networking/wget.c b/networking/wget.c |
| index 9153264..a7e6deb 100644 |
| --- a/networking/wget.c |
| +++ b/networking/wget.c |
| @@ -91,6 +91,9 @@ |
| //config: patches, but do want to waste bandwidth expaining how wrong |
| //config: it is, you will be ignored. |
| //config: |
| +//config: FEATURE_WGET_OPENSSL does implement TLS verification |
| +//config: using the certificates available to OpenSSL. |
| +//config: |
| //config:config FEATURE_WGET_OPENSSL |
| //config: bool "Try to connect to HTTPS using openssl" |
| //config: default y |
| @@ -115,6 +118,9 @@ |
| //config: If openssl can't be executed, internal TLS code will be used |
| //config: (if you enabled it); if openssl can be executed but fails later, |
| //config: wget can't detect this, and download will fail. |
| +//config: |
| +//config: By default TLS verification is performed, unless |
| +//config: --no-check-certificate option is passed. |
| |
| //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) |
| |
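Review bot: The new help text "By default TLS verification is performed" reads as a property of the applet, but the three context lines just above it say that when openssl cannot be executed the internal TLS code is used instead, and nothing in this commit adds verification to that path; a reader enabling FEATURE_WGET_OPENSSL for the verification could be silently downgraded on a system without an openssl binary. If the internal TLS code indeed does not verify (its own help text is earlier in the file and only partly visible here), the added paragraph should say so, e.g. `//config:	  By default TLS verification is performed, unless the --no-check-certificate option is passed. Note that this applies only when the openssl helper is actually executed; the internal TLS fallback does not verify.` Wording the two help blocks consistently avoids presenting a best-effort fallback as a verified one.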
| @@ -124,8 +130,11 @@ |
| //usage: IF_FEATURE_WGET_LONG_OPTIONS( |
| //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" |
| //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" |
| +//usage: IF_FEATURE_WGET_OPENSSL( |
| +//usage: " [--no-check-certificate]\n" |
| +//usage: ) |
| /* Since we ignore these opts, we don't show them in --help */ |
| -/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ |
| +/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ |
| /* //usage: " [-nv] [-nc] [-nH] [-np]" */ |
| //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." |
| //usage: ) |
| @@ -137,7 +146,9 @@ |
| //usage: "Retrieve files via HTTP or FTP\n" |
| //usage: IF_FEATURE_WGET_LONG_OPTIONS( |
| //usage: "\n --spider Only check URL existence: $? is 0 if exists" |
| -///////: "\n --no-check-certificate Don't validate the server's certificate" |
| +//usage: IF_FEATURE_WGET_OPENSSL( |
| +//usage: "\n --no-check-certificate Don't validate the server's certificate" |
| +//usage: ) |
| //usage: ) |
| //usage: "\n -c Continue retrieval of aborted transfer" |
| //usage: "\n -q Quiet" |
| @@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) |
| pid = xvfork(); |
| if (pid == 0) { |
| /* Child */ |
| - char *argv[8]; |
| + char *argv[9]; |
| |
| close(sp[0]); |
| xmove_fd(sp[1], 0); |
| @@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) |
| argv[5] = (char*)"-servername"; |
| argv[6] = (char*)servername; |
| } |
| + if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { |
| + argv[7] = (char*)"-verify_return_error"; |
| + } |
| |
| BB_EXECVP(argv[0], argv); |
| xmove_fd(3, 2); |
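Review bot: `-verify_return_error` placed in argv[7] is never seen by the helper when servername is NULL, because argv[5] and argv[6] are only assigned inside the `if (servername)` branch and execvp stops at the first NULL element, so for exactly those hosts the commit keeps the old unverified behaviour while reporting nothing. This assumes argv is zero-filled before the assignments, which is not within the hunk; if it is not, argv[5] is an indeterminate pointer, which is worse. Filling argv through a running index and NUL-terminating it explicitly closes the gap for both the `-servername` pair and the verify flag, and keeps the `char *argv[9]` sizing in the earlier hunk valid (at most 8 arguments plus the terminator). spawn_https_helper_openssl begins and ends outside this hunk.
```c
		/* … unchanged: argv[0..4] = openssl s_client -quiet -connect host … */
		int argc = 5;
		if (servername) {
			argv[argc++] = (char*)"-servername";
			argv[argc++] = (char*)servername;
		}
		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
			argv[argc++] = (char*)"-verify_return_error";
		}
		argv[argc] = NULL; /* execvp needs an explicit terminator, independent of how argv was initialised */

		BB_EXECVP(argv[0], argv);
```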
| -- |
| 2.7.4 |
| |