From 3b57696a73af1a529a7d31394f3d3bf3737dcf9f Mon Sep 17 00:00:00 2001
From: Alexander M Pickering
Date: Mon, 11 Nov 2024 18:54:42 -0600
Subject: test a hardcoded pem certificate

---
 config | 2 +-
 libressl.patch | 113 +++++++++++++++++++++++++++++++++------------------------
 2 files changed, 66 insertions(+), 49 deletions(-)

diff --git a/config b/config
index 095668a..6725bcb 100644
--- a/config
+++ b/config
@@ -79,7 +79,7 @@ CONFIG_CROSS_COMPILER="gcc"
 CONFIG_SYSROOT=""
 CONFIG_EXTRA_CFLAGS=""
 CONFIG_EXTRA_LDFLAGS=""
-CONFIG_EXTRA_LDLIBS="tls ssl crypto bcrypt"
+CONFIG_EXTRA_LDLIBS="tls ssl crypto bcrypt crypt32"
 CONFIG_USE_PORTABLE_CODE=y
 CONFIG_STACK_OPTIMIZATION_386=y
 CONFIG_STATIC_LIBGCC=y
diff --git a/libressl.patch b/libressl.patch
index d10206f..3ff0493 100644
--- a/libressl.patch
+++ b/libressl.patch
@@ -135,7 +135,7 @@ index 9f1dd67ec..7e8da6df2 100644
  static void tls_xwrite(tls_state_t *tls, int len)
  {
 diff --git a/networking/wget.c b/networking/wget.c
-index 6a64836fb..99d0233ba 100644
+index 6a64836fb..1c1c6967d 100644
 --- a/networking/wget.c
 +++ b/networking/wget.c
 @@ -169,7 +169,11 @@
@@ -151,32 +151,47 @@ index 6a64836fb..99d0233ba 100644 #if 0 # define log_io(...) bb_error_msg(__VA_ARGS__) # define SENDFMT(fp, fmt, ...) \ -@@ -179,6 +183,24 @@ - } while (0); - #else - # define log_io(...) ((void)0) -+/* -+void SENDFMT(struct tls *ctx, const char *fmt, ...) { -+ va_list args, args2; -+ va_start(args, fmt); -+ size_t strlen = vsnprintf(NULL, 0, fmt, args); -+ va_end(args); -+ char *buf = (char*)malloc(strlen); -+ va_start(args2, fmt); -+ vsnprintf(buf, strlen, fmt, args2); -+ va_end(args2); -+ ssize_t writelen = tls_write(ctx, buf, strlen); -+ if(writelen == -1) -+ bb_error_msg_and_die("tls_write error: %s", tls_error(ctx)); -+ if(writelen != strlen) -+ bb_error_msg_and_die("tls_write incomplete"); -+ free(buf); -+} -+*/ - # define SENDFMT(fp, fmt, ...) fprintf(fp, fmt, ##__VA_ARGS__) +@@ -354,6 +358,39 @@ static ALWAYS_INLINE void progress_meter(int flag UNUSED_PARAM) {} #endif -@@ -488,26 +510,35 @@ static char fgets_trim_sanitize(FILE *fp, const char *fmt) + ++#if ENABLE_PLATFORM_MINGW32 ++/* Use windows installed certificates for wget */ ++#include ++#include ++#include ++void gather_certificates(struct tls_config *cfg) ++{ ++ printf("Gathering certificates\n"); ++ HCERTSTORE dstore; ++ dstore = CertOpenSystemStore(0,"CA"); ++ size_t numcerts; ++ if(!dstore) ++ bb_error_msg_and_die("Error opening 'CA' cert store"); ++ X509_STORE *store = X509_STORE_new(); ++ PCCERT_CONTEXT ctx = NULL; ++ for(;;) ++ { ++ ctx = CertEnumCertificatesInStore(dstore,ctx); ++ if(!ctx) ++ break; ++ char *dcert = ctx->pbCertEncoded; ++ size_t dcert_len = ctx->cbCertEncoded; ++ X509 *x509cert; ++ x509cert = d2i_X509(NULL,dcert,dcert_len); ++ if(x509cert == NULL) ++ bb_error_msg_and_die("Failed to convert cert"); ++ X509_STORE_add_cert(store,x509cert); ++ X509_free(x509cert); ++ } ++ CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG); ++} ++ ++#endif + /* IPv6 knows scoped address types i.e. link and site local addresses. 
Link + * local addresses can have a scope identifier to specify the + * interface/link an address is valid on (e.g. fe80::1%eth0). This scope +@@ -488,26 +525,35 @@ static char fgets_trim_sanitize(FILE *fp, const char *fmt) char c; char *buf_ptr; @@ -214,7 +229,7 @@ index 6a64836fb..99d0233ba 100644 return c; } -@@ -689,6 +720,7 @@ static void reset_beg_range_to_zero(void) +@@ -689,6 +735,7 @@ static void reset_beg_range_to_zero(void) } #if ENABLE_FEATURE_WGET_OPENSSL @@ -222,7 +237,7 @@ index 6a64836fb..99d0233ba 100644 static int spawn_https_helper_openssl(const char *host, unsigned port) { char *allocated = NULL; -@@ -777,6 +809,38 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) +@@ -777,6 +824,38 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) # endif return sp[0]; } @@ -261,7 +276,7 @@ index 6a64836fb..99d0233ba 100644 #endif #if ENABLE_FEATURE_WGET_HTTPS -@@ -1151,6 +1215,7 @@ static void download_one_url(const char *url) +@@ -1151,6 +1230,7 @@ static void download_one_url(const char *url) server.user = NULL; target.user = NULL; @@ -269,7 +284,7 @@ index 6a64836fb..99d0233ba 100644 parse_url(url, &target); /* Use the proxy if necessary */ -@@ -1172,6 +1237,7 @@ static void download_one_url(const char *url) +@@ -1172,6 +1252,7 @@ static void download_one_url(const char *url) server.host = target.host; } } @@ -277,7 +292,7 @@ index 6a64836fb..99d0233ba 100644 if (ENABLE_FEATURE_IPV6) strip_ipv6_scope_id(target.host); -@@ -1191,6 +1257,7 @@ static void download_one_url(const char *url) +@@ -1191,6 +1272,7 @@ static void download_one_url(const char *url) G.fname_out = fname_out_alloc = xstrdup(G.fname_out); } } 
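Review bot: In the new `gather_certificates` the enumeration loop hands `d2i_X509` a `char *` by value where it expects a `const unsigned char **` that it advances, and the closing `CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG)` passes the OpenSSL `X509_STORE *` instead of the `HCERTSTORE dstore`, so the call is ill-typed and the CryptoAPI store handle is never released. The `X509_STORE` that is built is also never handed to the `cfg` parameter (otherwise unused) and is leaked at return, so the system certificates never reach the libtls configuration; libtls has no `X509_STORE` setter that I know of, so the usual route is to PEM-encode the collected certificates into a buffer and pass it to `tls_config_set_ca_mem(cfg, ...)`. Aborting with `bb_error_msg_and_die("Failed to convert cert")` makes every download fail because of one undecodable store entry, where skipping it is the robust choice; the `printf("Gathering certificates\n")` goes to stdout, which may be the download target (`-O -`), so it belongs on stderr via `bb_error_msg` or should be dropped, and `size_t numcerts` is unused. Only the "CA" system store is opened; on Windows the trusted roots are normally kept in the "ROOT" store, so chains ending in a root that is not also present in "CA" would still fail verification once the store is actually wired up. The three `#include` lines appear to have lost their header names in this rendering of the patch, so I cannot check them.
```c
	/* … unchanged: CertOpenSystemStore(0, "CA") check and X509_STORE_new() … */
	PCCERT_CONTEXT ctx = NULL;
	while ((ctx = CertEnumCertificatesInStore(dstore, ctx)) != NULL) {
		/* d2i_X509 advances the input pointer, so hand it a local copy */
		const unsigned char *p = ctx->pbCertEncoded;
		X509 *x509cert = d2i_X509(NULL, &p, ctx->cbCertEncoded);
		if (x509cert == NULL)
			continue; /* skip an undecodable entry rather than abort the download */
		X509_STORE_add_cert(store, x509cert);
		X509_free(x509cert);
	}
	CertCloseStore(dstore, CERT_CLOSE_STORE_CHECK_FLAG);
	/* … still TODO: PEM-encode the contents of store, pass the buffer to
	 * tls_config_set_ca_mem(cfg, ...), then X509_STORE_free(store) … */
```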
@@ -285,7 +300,7 @@ index 6a64836fb..99d0233ba 100644 #if ENABLE_FEATURE_WGET_STATUSBAR G.curfile = bb_get_last_path_component_nostrip(G.fname_out); #endif -@@ -1206,15 +1273,19 @@ static void download_one_url(const char *url) +@@ -1206,15 +1288,19 @@ static void download_one_url(const char *url) * We are not sure it exists on remote side */ } @@ -305,7 +320,7 @@ index 6a64836fb..99d0233ba 100644 /*G.content_len = 0; - redundant, got_clen = 0 is enough */ G.got_clen = 0; G.chunked = 0; -@@ -1229,37 +1300,59 @@ static void download_one_url(const char *url) +@@ -1229,37 +1315,61 @@ static void download_one_url(const char *url) /* Open socket to http(s) server */ #if ENABLE_FEATURE_WGET_OPENSSL @@ -335,6 +350,8 @@ index 6a64836fb..99d0233ba 100644 + config = tls_config_new(); + if(config == NULL) + bb_error_msg_and_die("Out of memory 2"); ++ if(tls_config_set_ca_file(config, "test.pem") != 0) ++ bb_error_msg_and_die("Failed to set ca file"); + if(tls_configure(ctx,config) != 0) + bb_error_msg_and_die("Failed to configure client"); + sfp = tmpfile(); @@ -378,7 +395,7 @@ index 6a64836fb..99d0233ba 100644 /* Send HTTP request */ if (use_proxy) { SENDFMT(sfp, "GET %s://%s/%s HTTP/1.1\r\n", -@@ -1270,6 +1363,7 @@ static void download_one_url(const char *url) +@@ -1270,6 +1380,7 @@ static void download_one_url(const char *url) (option_mask32 & WGET_OPT_POST) ? "POST" : "GET", target.path); } @@ -386,7 +403,7 @@ index 6a64836fb..99d0233ba 100644 if (!USR_HEADER_HOST) SENDFMT(sfp, "Host: %s\r\n", target.host); if (!USR_HEADER_USER_AGENT) -@@ -1280,6 +1374,7 @@ static void download_one_url(const char *url) +@@ -1280,6 +1391,7 @@ static void download_one_url(const char *url) */ SENDFMT(sfp, "Connection: close\r\n"); 
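Review bot: `tls_config_set_ca_file(config, "test.pem")` makes the trust anchor for every HTTPS connection whatever `test.pem` happens to sit in the current working directory, and when the file is absent every download dies with "Failed to set ca file". The subject says this is a test of a hardcoded certificate, so it presumably should not survive into a release; if a file-based CA bundle is wanted, take the path from an option or an environment variable and fall back to the libtls default bundle when none is given, rather than a relative literal. The enclosing libtls client setup in `download_one_url` starts and ends outside this hunk.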
@@ -394,7 +411,7 @@ index 6a64836fb..99d0233ba 100644 #if ENABLE_FEATURE_WGET_AUTHENTICATION if (target.user && !USR_HEADER_AUTH) { SENDFMT(sfp, "Proxy-Authorization: Basic %s\r\n"+6, -@@ -1291,6 +1386,7 @@ static void download_one_url(const char *url) +@@ -1291,6 +1403,7 @@ static void download_one_url(const char *url) } #endif @@ -402,7 +419,7 @@ index 6a64836fb..99d0233ba 100644 if (G.beg_range != 0 && !USR_HEADER_RANGE) SENDFMT(sfp, "Range: bytes=%"OFF_FMT"u-\r\n", G.beg_range); -@@ -1300,6 +1396,7 @@ static void download_one_url(const char *url) +@@ -1300,6 +1413,7 @@ static void download_one_url(const char *url) fputs(G.extra_headers, sfp); } @@ -410,7 +427,7 @@ index 6a64836fb..99d0233ba 100644 if (option_mask32 & WGET_OPT_POST_FILE) { int fd = xopen_stdin(G.post_file); G.post_data = xmalloc_read(fd, NULL); -@@ -1314,15 +1411,18 @@ static void download_one_url(const char *url) +@@ -1314,15 +1428,18 @@ static void download_one_url(const char *url) ); } # if ENABLE_PLATFORM_MINGW32 @@ -429,7 +446,7 @@ index 6a64836fb..99d0233ba 100644 } else # else SENDFMT(sfp, -@@ -1338,6 +1438,7 @@ static void download_one_url(const char *url) +@@ -1338,6 +1455,7 @@ static void download_one_url(const char *url) SENDFMT(sfp, "\r\n"); } @@ -437,7 +454,7 @@ index 6a64836fb..99d0233ba 100644 fflush(sfp); /* Tried doing this unconditionally. -@@ -1345,27 +1446,38 @@ static void download_one_url(const char *url) +@@ -1345,27 +1463,38 @@ static void download_one_url(const char *url) */ #if SSL_SUPPORTED if (target.protocol == P_HTTPS) { @@ -476,7 +493,7 @@ index 6a64836fb..99d0233ba 100644 switch (status) { case 0: case 100: -@@ -1441,6 +1553,7 @@ However, in real world it was observed that some web servers +@@ -1441,6 +1570,7 @@ However, in real world it was observed that some web servers /* * Retrieve HTTP headers. */ 
@@ -484,7 +501,7 @@ index 6a64836fb..99d0233ba 100644 while ((str = get_sanitized_hdr(sfp)) != NULL) { static const char keywords[] ALIGN1 = "content-length\0""transfer-encoding\0""location\0"; -@@ -1497,6 +1610,7 @@ However, in real world it was observed that some web servers +@@ -1497,6 +1627,7 @@ However, in real world it was observed that some web servers goto establish_session; } } @@ -492,7 +509,7 @@ index 6a64836fb..99d0233ba 100644 // if (status >= 300) // bb_error_msg_and_die("bad redirection (no Location: header from server)"); -@@ -1514,6 +1628,7 @@ However, in real world it was observed that some web servers +@@ -1514,6 +1645,7 @@ However, in real world it was observed that some web servers free(lsa); @@ -500,7 +517,7 @@ index 6a64836fb..99d0233ba 100644 if (!(option_mask32 & WGET_OPT_SPIDER)) { if (G.output_fd < 0) G.output_fd = xopen(G.fname_out, G.o_flags); -@@ -1536,6 +1651,7 @@ However, in real world it was observed that some web servers +@@ -1536,6 +1668,7 @@ However, in real world it was observed that some web servers /* ftpcmd("QUIT", NULL, sfp); - why bother? */ } #endif @@ -508,7 +525,7 @@ index 6a64836fb..99d0233ba 100644 fclose(sfp); free(server.allocated); -@@ -1544,11 +1660,13 @@ However, in real world it was observed that some web servers +@@ -1544,11 +1677,13 @@ However, in real world it was observed that some web servers free(target.user); free(fname_out_alloc); free(redirected_path); @@ -522,7 +539,7 @@ index 6a64836fb..99d0233ba 100644 #if ENABLE_FEATURE_WGET_LONG_OPTIONS static const char wget_longopts[] ALIGN1 = /* name, has_arg, val */ -@@ -1590,6 +1708,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") +@@ -1590,6 +1725,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") #endif INIT_G(); 
@@ -530,7 +547,7 @@ index 6a64836fb..99d0233ba 100644 #if ENABLE_FEATURE_WGET_TIMEOUT G.timeout_seconds = 900; -@@ -1626,6 +1745,8 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") +@@ -1626,6 +1762,8 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_data) IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_file) ); @@ -539,7 +556,7 @@ index 6a64836fb..99d0233ba 100644 #if 0 /* option bits debug */ if (option_mask32 & WGET_OPT_RETRIES) bb_error_msg("-t NUM"); if (option_mask32 & WGET_OPT_nsomething) bb_error_msg("-nsomething"); -@@ -1670,6 +1791,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") +@@ -1670,6 +1808,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") } #endif @@ -547,7 +564,7 @@ index 6a64836fb..99d0233ba 100644 G.output_fd = -1; G.o_flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL; if (G.fname_out) { /* -O FILE ? */ -@@ -1691,8 +1813,11 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") +@@ -1691,8 +1830,11 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") } } -- cgit v1.2.3-55-g6feb