aboutsummaryrefslogtreecommitdiffstats
path: root/main/busybox/external_ssl_client.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-05-30 09:52:20 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-05-30 10:44:48 +0000
commit1d0560a9b6b5597b191e5aff69a31c2fe0aba273 (patch)
tree23e808e7b123643b55e2eb07101b8467b429b975 /main/busybox/external_ssl_client.patch
parent782065ccea8a1415f01f568f5bce411898f4d7fb (diff)
downloadaports-1d0560a9b6b5597b191e5aff69a31c2fe0aba273.tar.gz
aports-1d0560a9b6b5597b191e5aff69a31c2fe0aba273.tar.bz2
aports-1d0560a9b6b5597b191e5aff69a31c2fe0aba273.tar.xz
main/busybox: properly fix wget https support
fix busybox wget https support by using an external ssl_client helper for https. Disable the use of external openssl. This was fixed to check certificates as a temporary solution. openssl can not produce any useful error messages on certificate errors. It is big. So we simply disable its use. For dynamic busybox we disable the internal ssl_client and the internal (broken) tls code, and build our own ssl_client which properly verifies the certificates. For the static busybox we enable the internal ssl_client and tls code, but we only allow its use with --no-check-certificates. This is so we still can fetch things from https in an emergency situation. We auto-install ssl_client if both libssl and busybox are installed. This is to keep backwards compatibility.
Diffstat (limited to 'main/busybox/external_ssl_client.patch')
-rw-r--r--main/busybox/external_ssl_client.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/main/busybox/external_ssl_client.patch b/main/busybox/external_ssl_client.patch
new file mode 100644
index 0000000000..8adb7b41be
--- /dev/null
+++ b/main/busybox/external_ssl_client.patch
@@ -0,0 +1,52 @@
+diff --git a/networking/wget.c b/networking/wget.c
+index cd92b3a28..a12c921cd 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -50,7 +50,6 @@
+ //config: bool "Support HTTPS using internal TLS code"
+ //config: default y
+ //config: depends on WGET
+-//config: select TLS
+ //config: help
+ //config: wget will use internal TLS code to connect to https:// URLs.
+ //config: Note:
+@@ -767,8 +766,8 @@ static void spawn_ssl_client(const char *host, int network_fd)
+ int pid;
+ char *servername, *p;
+
+- if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT))
+- bb_error_msg("note: TLS certificate validation not implemented");
++ if (ENABLE_SSL_CLIENT && !(option_mask32 & WGET_OPT_NO_CHECK_CERT))
++ bb_error_msg_and_die("note: TLS certificate validation not implemented");
+
+ servername = xstrdup(host);
+ p = strrchr(servername, ':');
+@@ -785,21 +784,25 @@ static void spawn_ssl_client(const char *host, int network_fd)
+ close(sp[0]);
+ xmove_fd(sp[1], 0);
+ xdup2(0, 1);
+- if (BB_MMU) {
++ if (BB_MMU && ENABLE_TLS && (option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+ tls_state_t *tls = new_tls_state();
+ tls->ifd = tls->ofd = network_fd;
+ tls_handshake(tls, servername);
+ tls_run_copy_loop(tls);
+ exit(0);
+ } else {
+- char *argv[5];
++ char *argv[6];
+ xmove_fd(network_fd, 3);
+ argv[0] = (char*)"ssl_client";
+ argv[1] = (char*)"-s3";
+ //TODO: if (!is_ip_address(servername))...
+ argv[2] = (char*)"-n";
+ argv[3] = servername;
+- argv[4] = NULL;
++ if (!ENABLE_SSL_CLIENT &&(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
++ argv[4] = (char*)"-I";
++ argv[5] = NULL;
++ } else
++ argv[4] = NULL;
+ BB_EXECVP(argv[0], argv);
+ bb_perror_msg_and_die("can't execute '%s'", argv[0]);
+ }