mirror
/
openwrt
mirror of https://git.openwrt.org/openwrt/openwrt.git
1
0
Fork 0
Code Releases Activity

scripts: always check certificates 

Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.

TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"

Signed-off-by: Josh Roys <roysjosh@gmail.com>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(cherry picked from commit 90c6e3aedf)
This commit is contained in:
Josh Roys 2022-07-23 11:23:16 -04:00 committed by Petr Štetiar
parent c6d3f39ecc
commit f0bca34f16
3 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/Config-build.in
View File

@ -58,6 +58,10 @@ menu "Global build settings"
bool "Enable signature checking in opkg"
default SIGNED_PACKAGES
config DOWNLOAD_CHECK_CERTIFICATE
bool "Enable TLS certificate verification during package download"
default y
comment "General build options"
config TESTING_KERNEL

3
rules.mk
View File

@ -265,6 +265,9 @@ TARGET_CXX:=$(TARGET_CROSS)g++
KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh
SED:=$(STAGING_DIR_HOST)/bin/sed -i -e
ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
export DOWNLOAD_CHECK_CERTIFICATE
CP:=cp -fpR
LN:=ln -sf
XARGS:=xargs -r

6
scripts/download.pl
View File

@ -24,6 +24,8 @@ my $scriptdir = dirname($0);
my @mirrors;
my $ok;
my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";
$url_filename or $url_filename = $filename;
sub localmirrors {
@ -82,8 +84,8 @@ sub download_cmd($) {
}
return $have_curl
? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url)
: (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url)
? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url)
: (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url)
;
}