Inicio Explorar Ayuda
Registro Iniciar sesión
OpenWrt
/
openwrt
espejo de https://github.com/openwrt/openwrt.git
2
0
Fork 0
Archivos Incidencias 0 Wiki
Explorar el Código

scripts: always check certificates

Remove flags from wget and curl instructing them to ignore bad server
certificates. Although other mechanisms can protect against malicious
modifications of downloads, other vectors of attack may be available
to an adversary.

TLS certificate verification can be disabled by turning oof the
"Enable TLS certificate verification during package download" option
enabled by default in the "Global build settings" in "make menuconfig"

Signed-off-by: Josh Roys <[email protected]>
[ add additional info on how to disable this option ]
Signed-off-by: Christian Marangi <[email protected]>
Josh Roys hace 3 años
padre
f522c27385
commit
90c6e3aedf
Se han modificado 3 ficheros con 11 adiciones y 2 borrados
Unificar vista Mostrar estadísticas de diff
  1. 4 0
      config/Config-build.in
  2. 3 0
      rules.mk
  3. 4 2
      scripts/download.pl

+ 4 - 0
config/Config-build.in
Ver fichero 

@@ -58,6 +58,10 @@ menu "Global build settings"
 
 		bool "Enable signature checking in opkg"
 
 		bool "Enable signature checking in opkg"
 
 		default SIGNED_PACKAGES
 
 		default SIGNED_PACKAGES
 
 
 
+	config DOWNLOAD_CHECK_CERTIFICATE
 
+		bool "Enable TLS certificate verification during package download"
 
+		default y
 
+
 
 	comment "General build options"
 
 	comment "General build options"
 
 
 
 	config TESTING_KERNEL
 
 	config TESTING_KERNEL

+ 3 - 0
rules.mk
Ver fichero 

@@ -257,6 +257,9 @@ ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
 
 MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash
 
 MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash
 
 # MKHASH is used in /scripts, so we export it here.
 
 # MKHASH is used in /scripts, so we export it here.
 
 export MKHASH
 
 export MKHASH
 
+# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
 
+DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
 
+export DOWNLOAD_CHECK_CERTIFICATE
 
 CP:=cp -fpR
 
 CP:=cp -fpR
 
 LN:=ln -sf
 
 LN:=ln -sf
 
 XARGS:=xargs -r
 
 XARGS:=xargs -r

+ 4 - 2
scripts/download.pl
Ver fichero 

@@ -24,6 +24,8 @@ my $scriptdir = dirname($0);
 
 my @mirrors;
 
 my @mirrors;
 
 my $ok;
 
 my $ok;
 
 
 
+my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";
 
+
 
 $url_filename or $url_filename = $filename;
 
 $url_filename or $url_filename = $filename;
 
 
 
 sub localmirrors {
 
 sub localmirrors {
 
@@ -80,8 +82,8 @@ sub download_cmd($) {
 
 	}
 
 	}
 
 
 
 	return $have_curl
 
 	return $have_curl
 
-		? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url)
 
-		: (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url)
 
+		? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url)
 
+		: (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url)
 
 	;
 
 	;
 
 }
 
 }