From 06fc719231b58cfec87cc45e8d3047e32aa9b54e Mon Sep 17 00:00:00 2001 From: Josh Roys Date: Sat, 23 Jul 2022 11:23:16 -0400 Subject: [PATCH] scripts: always check certificates Remove flags from wget and curl instructing them to ignore bad server certificates. Although other mechanisms can protect against malicious modifications of downloads, other vectors of attack may be available to an adversary. TLS certificate verification can be disabled by turning oof the "Enable TLS certificate verification during package download" option enabled by default in the "Global build settings" in "make menuconfig" Signed-off-by: Josh Roys [ add additional info on how to disable this option ] Signed-off-by: Christian Marangi --- config/Config-build.in | 4 ++++ rules.mk | 3 +++ scripts/download.pl | 6 ++++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/config/Config-build.in b/config/Config-build.in index 342859b7c..196d4e67a 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -58,6 +58,10 @@ menu "Global build settings" bool "Enable signature checking in opkg" default SIGNED_PACKAGES + config DOWNLOAD_CHECK_CERTIFICATE + bool "Enable TLS certificate verification during package download" + default y + comment "General build options" config TESTING_KERNEL diff --git a/rules.mk b/rules.mk index dbb2396e6..0463b02c2 100644 --- a/rules.mk +++ b/rules.mk @@ -269,6 +269,9 @@ ESED:=$(STAGING_DIR_HOST)/bin/sed -E -i -e MKHASH:=$(STAGING_DIR_HOST)/bin/mkhash # MKHASH is used in /scripts, so we export it here. export MKHASH +# DOWNLOAD_CHECK_CERTIFICATE is used in /scripts, so we export it here. +DOWNLOAD_CHECK_CERTIFICATE:=$(CONFIG_DOWNLOAD_CHECK_CERTIFICATE) +export DOWNLOAD_CHECK_CERTIFICATE CP:=cp -fpR LN:=ln -sf XARGS:=xargs -r diff --git a/scripts/download.pl b/scripts/download.pl index dd19a52e0..82d6e9080 100755 --- a/scripts/download.pl +++ b/scripts/download.pl 
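Review bot: The new `DOWNLOAD_CHECK_CERTIFICATE` entry in config/Config-build.in has no `help` text, so someone switching it off in menuconfig is not told what protection is lost. Turning it off makes scripts/download.pl pass `--insecure` to curl and `--no-check-certificate` to wget. I would add a `help` block stating that disabling the option removes TLS server authentication for every source download and leaves integrity to the other mechanisms the commit message mentions. It should also say the option is best left at its default of `y`.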
@@ -24,6 +24,8 @@ my $scriptdir = dirname($0); my @mirrors; my $ok; +my $check_certificate = $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y"; + $url_filename or $url_filename = $filename; sub localmirrors { @@ -82,8 +84,8 @@ sub download_cmd($) { } return $have_curl - ? (qw(curl -f --connect-timeout 20 --retry 5 --location --insecure), shellwords($ENV{CURL_OPTIONS} || ''), $url) - : (qw(wget --tries=5 --timeout=20 --no-check-certificate --output-document=-), shellwords($ENV{WGET_OPTIONS} || ''), $url) + ? (qw(curl -f --connect-timeout 20 --retry 5 --location), $check_certificate ? '' : '--insecure', shellwords($ENV{CURL_OPTIONS} || ''), $url) + : (qw(wget --tries=5 --timeout=20 --output-document=-), $check_certificate ? '' : '--no-check-certificate', shellwords($ENV{WGET_OPTIONS} || ''), $url) ; }
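Review bot: `$ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y"` fails open: any value other than the exact string `y`, including an unset variable, leaves `$check_certificate` false, and the second hunk then adds `--insecure` / `--no-check-certificate`. In this patch the variable is exported only by rules.mk, so running download.pl outside that environment would skip certificate verification silently, and the `eq` on undef also warns if warnings are enabled. The same presumably happens in a build whose .config does not yet carry the new symbol. Treating an unset variable as "verify" keeps the safe default: `my $check_certificate = !defined $ENV{DOWNLOAD_CHECK_CERTIFICATE} || $ENV{DOWNLOAD_CHECK_CERTIFICATE} eq "y";`. This assumes rules.mk exports an empty value when the option is off, and a one-line comment above the assignment stating the default would help.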
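Review bot: With verification enabled, `$check_certificate ? '' : '--insecure'` puts an empty string into the returned argument list rather than nothing, and the wget branch does the same. The call site is outside the hunk, but if the list is executed without a shell, curl or wget receives a literal empty argument and may treat it as an empty URL. Returning an empty list avoids this: `$check_certificate ? () : '--insecure'` and `$check_certificate ? () : '--no-check-certificate'`. `CURL_OPTIONS` / `WGET_OPTIONS` are still appended after the flag, so the environment can reintroduce either option, which is worth a short comment. download_cmd's body starts outside the hunk.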