[openwrt/openwrt] scripts: always check certificates

LEDE Commits lede-commits at lists.infradead.org
Fri Sep 16 09:51:18 PDT 2022


ynezz pushed a commit to openwrt/openwrt.git, branch openwrt-22.03:
https://git.openwrt.org/340b138932c3720db227821415f494ac81e8b675

commit 340b138932c3720db227821415f494ac81e8b675
Author: Josh Roys <roysjosh at gmail.com>
AuthorDate: Sat Jul 23 11:23:16 2022 -0400

    scripts: always check certificates
    
    Remove flags from wget and curl instructing them to ignore bad server
    certificates. Although other mechanisms can protect against malicious
    modifications of downloads, other vectors of attack may be available
    to an adversary.
    
    TLS certificate verification can be disabled by turning oof the
    "Enable TLS certificate verification during package download" option
    enabled by default in the "Global build settings" in "make menuconfig"
    
    Signed-off-by: Josh Roys <roysjosh at gmail.com>
    [ add additional info on how to disable this option ]
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
    (cherry picked from commit 90c6e3aedf167b0ae1baf376e7800a631681e69a)
---
 config/Config-build.in | 4 ++++
 rules.mk               | 3 +++
 scripts/download.pl    | 6 ++++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index ef1a10c28d..e682277964 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -58,6 +58,10 @@ menu "Global build settings"
 		bool "Enable signature checking in opkg"
 		default SIGNED_PACKAGES
 
+	config DOWNLOAD_CHECK_CERTIFICATE
+		bool "Enable TLS certificate verification during package download"
+		default y
+
 	comment "General build options"
 
 	config TESTING_KERNEL
diff --git a/rules.mk b/rules.mk
index 8a4254e638..1d63d61ee1 100644
--- a/rules.mk
+++ b/rules.mk
@@ -265,6 +265,9 @@ ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e
 MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash
 # MKHASH is used in /scripts, so we export it here.
 export MKHASH
+# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here.
+DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE)
+export DOWNLOAD_CHECK_CERTIFICATE
 CP:=cp -fpR
 LN:=ln -sf
 XARGS:=xargs -r
diff --git a/scripts/download.pl b/scripts/download.pl
index af13c0ae00..ab1801aad5 100755
--- a/scripts/download.pl
+++ b/scripts/download.pl
@@ -24,6 +24,8 @@ my $scriptdir = dirname($0);
 my @mirrors;
 my $ok;
 
+my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";
+
 $url_filename or $url_filename = $filename;
 
 sub localmirrors {
@@ -80,8 +82,8 @@ sub download_cmd($) {
 	}
 
 	return $have_curl
-		? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url)
-		: (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url)
+		? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url)
+		: (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url)
 	;
 }
 




More information about the lede-commits mailing list