aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Roys <roysjosh@gmail.com>2022-07-23 11:23:16 -0400
committerChristian Marangi <ansuelsmth@gmail.com>2022-09-10 15:24:22 +0200
commit90c6e3aedf167b0ae1baf376e7800a631681e69a (patch)
treee63fad68ee73899024f0dedeee0d8d690666347d
parentf522c27385d6f94e5dbcc3e84968f0e38609ff1c (diff)
downloadupstream-90c6e3aedf167b0ae1baf376e7800a631681e69a.tar.gz
upstream-90c6e3aedf167b0ae1baf376e7800a631681e69a.tar.bz2
upstream-90c6e3aedf167b0ae1baf376e7800a631681e69a.zip
scripts: always check certificates
Remove flags from wget and curl instructing them to ignore bad server certificates. Although other mechanisms can protect against malicious modifications of downloads, other vectors of attack may be available to an adversary. TLS certificate verification can be disabled by turning oof the "Enable TLS certificate verification during package download" option enabled by default in the "Global build settings" in "make menuconfig" Signed-off-by: Josh Roys <roysjosh@gmail.com> [ add additional info on how to disable this option ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
-rw-r--r--config/Config-build.in4
-rw-r--r--rules.mk3
-rwxr-xr-xscripts/download.pl6
3 files changed, 11 insertions, 2 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 400bf15665..2eded2b288 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -58,6 +58,10 @@ menu "Global build settings"
bool "Enable signature checking in opkg"
default SIGNED_PACKAGES
+ config DOWNLOAD_CHECK_CERTIFICATE
+ bool "Enable TLS certificate verification during package download"
+ default y
+
comment "General build options"
config TESTING_KERNEL
diff --git a/rules.mk b/rules.mk
index 5a56fd6f4a..c893f61b0f 100644
--- a/rules.mk
+++ b/rules.mk
@@ -257,6 +257,9 @@ ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash
# MKHASH is used in /scripts, so we export it here.
export MKHASH
+# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
+DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
+export DOWNLOAD_CHECK_CERTIFICATE
CP:=cp -fpR
LN:=ln -sf
XARGS:=xargs -r
diff --git a/scripts/download.pl b/scripts/download.pl
index af13c0ae00..ab1801aad5 100755
--- a/scripts/download.pl
+++ b/scripts/download.pl
@@ -24,6 +24,8 @@ my $scriptdir = dirname($0);
my @mirrors;
my $ok;
+my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";
+
$url_filename or $url_filename = $filename;
sub localmirrors {
@@ -80,8 +82,8 @@ sub download_cmd($) {
}
return $have_curl
- ? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url)
- : (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url)
+ ? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url)
+ : (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url)
;
}