aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Roys <roysjosh@gmail.com>2022-07-23 11:23:16 -0400
committerPetr Štetiar <ynezz@true.cz>2022-09-21 11:52:40 +0200
commitf0bca34f16327c6001515f9c73c2c284574c7b6d (patch)
treee408167cf567fb7daa8cde7e689e5fbb0a9c6838
parentc6d3f39ecce43c4a9858157e9e2ee8718750a9ab (diff)
downloadupstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.tar.gz
upstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.tar.bz2
upstream-f0bca34f16327c6001515f9c73c2c284574c7b6d.zip
scripts: always check certificates
Remove flags from wget and curl instructing them to ignore bad server certificates. Although other mechanisms can protect against malicious modifications of downloads, other vectors of attack may be available to an adversary. TLS certificate verification can be disabled by turning oof the "Enable TLS certificate verification during package download" option enabled by default in the "Global build settings" in "make menuconfig" Signed-off-by: Josh Roys <roysjosh@gmail.com> [ add additional info on how to disable this option ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport] (cherry picked from commit 90c6e3aedf167b0ae1baf376e7800a631681e69a)
-rw-r--r--config/Config-build.in4
-rw-r--r--rules.mk3
-rwxr-xr-xscripts/download.pl6
3 files changed, 11 insertions, 2 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 342859b7c0..196d4e67a0 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -58,6 +58,10 @@ menu "Global build settings"
bool "Enable signature checking in opkg"
default SIGNED_PACKAGES
+ config DOWNLOAD_CHECK_CERTIFICATE
+ bool "Enable TLS certificate verification during package download"
+ default y
+
comment "General build options"
config TESTING_KERNEL
diff --git a/rules.mk b/rules.mk
index da9bee2899..7c83d90eda 100644
--- a/rules.mk
+++ b/rules.mk
@@ -265,6 +265,9 @@ TARGET_CXX:=$(TARGET_CROSS)g++
KPATCH:=$(SCRIPT_DIR)/patch-kernel.sh
SED:=$(STAGING_DIR_HOST)/bin/sed -i -e
ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
+# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
+DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
+export DOWNLOAD_CHECK_CERTIFICATE
CP:=cp -fpR
LN:=ln -sf
XARGS:=xargs -r
diff --git a/scripts/download.pl b/scripts/download.pl
index beb3abdeee..99708c456f 100755
--- a/scripts/download.pl
+++ b/scripts/download.pl
@@ -24,6 +24,8 @@ my $scriptdir = dirname($0);
my @mirrors;
my $ok;
+my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";
+
$url_filename or $url_filename = $filename;
sub localmirrors {
@@ -82,8 +84,8 @@ sub download_cmd($) {
}
return $have_curl
- ? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url)
- : (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url)
+ ? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url)
+ : (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url)
;
}