wget: make openssl/ssl_helper choice configurable

I got sick of not being able to wget a https file...

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

8 files changed, 623 insertions, 54 deletions

diff --git a/include/applets.src.h b/include/applets.src.h
index 9f3ac78cb..dac83e7fb 100644
--- a/include/applets.src.h
+++ b/include/applets.src.h
@@ -382,7 +382,6 @@ IF_VOLNAME(APPLET(volname, BB_DIR_USR_BIN, BB_SUID_DROP))
 IF_WATCH(APPLET(watch, BB_DIR_BIN, BB_SUID_DROP))
 IF_WATCHDOG(APPLET(watchdog, BB_DIR_SBIN, BB_SUID_DROP))
 IF_WC(APPLET(wc, BB_DIR_USR_BIN, BB_SUID_DROP))
-IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
 IF_WHICH(APPLET(which, BB_DIR_USR_BIN, BB_SUID_DROP))
 IF_WHOAMI(APPLET_NOFORK(whoami, whoami, BB_DIR_USR_BIN, BB_SUID_DROP, whoami))
 IF_YES(APPLET_NOFORK(yes, yes, BB_DIR_USR_BIN, BB_SUID_DROP, yes))
diff --git a/networking/Config.src b/networking/Config.src
index da36e8627..76cbccf4a 100644
--- a/networking/Config.src
+++ b/networking/Config.src
@@ -947,48 +947,6 @@ config VCONFIG
         help
           Creates, removes, and configures VLAN interfaces
 
-config WGET
-        bool "wget"
-        default y
-        help
-          wget is a utility for non-interactive download of files from HTTP
-          and FTP servers.
-
-config FEATURE_WGET_STATUSBAR
-        bool "Enable a nifty process meter (+2k)"
-        default y
-        depends on WGET
-        help
-          Enable the transfer progress bar for wget transfers.
-
-config FEATURE_WGET_AUTHENTICATION
-        bool "Enable HTTP authentication"
-        default y
-        depends on WGET
-        help
-          Support authenticated HTTP transfers.
-
-config FEATURE_WGET_LONG_OPTIONS
-        bool "Enable long options"
-        default y
-        depends on WGET && LONG_OPTS
-        help
-          Support long options for the wget applet.
-
-config FEATURE_WGET_TIMEOUT
-        bool "Enable timeout option -T SEC"
-        default y
-        depends on WGET
-        help
-          Supports network read and connect timeouts for wget,
-          so that wget will give up and timeout, through the -T
-          command line option.
-
-          Currently only connect and network data read timeout are
-          supported (i.e., timeout is not applied to the DNS query). When
-          FEATURE_WGET_LONG_OPTIONS is also enabled, the --timeout option
-          will work in addition to -T.
-
 config ZCIP
         bool "zcip"
         default y
diff --git a/networking/Kbuild.src b/networking/Kbuild.src
index 944f27be1..79f54824b 100644
--- a/networking/Kbuild.src
+++ b/networking/Kbuild.src
@@ -41,7 +41,6 @@ lib-$(CONFIG_TFTPD)        += tftp.o
 lib-$(CONFIG_TRACEROUTE)   += traceroute.o
 lib-$(CONFIG_TUNCTL)       += tunctl.o
 lib-$(CONFIG_VCONFIG)      += vconfig.o
-lib-$(CONFIG_WGET)         += wget.o
 lib-$(CONFIG_ZCIP)         += zcip.o
 
 lib-$(CONFIG_TCPSVD)       += tcpudp.o tcpudp_perhost.o
diff --git a/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 b/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8
new file mode 100755
index 000000000..27d0c41ee
--- /dev/null
+++ b/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# How to configure & build a static wolfssl-3.6.8 library
+# suitable for static build of ssl_helper.
+
+export CC="x86_64-gcc"
+export CFLAGS="\
+-Os \
+-static \
+-fomit-frame-pointer \
+-falign-functions=1 -falign-labels=1 -falign-loops=1 -falign-jumps=1 \
+-ffunction-sections -fdata-sections \
+"
+
+./configure \
+        --enable-static \
+        --enable-singlethreaded \
+        --disable-shared \
+|| exit $?
+
+make
+exit $?
diff --git a/networking/ssl_helper-wolfssl/README b/networking/ssl_helper-wolfssl/README
new file mode 100644
index 000000000..17437606d
--- /dev/null
+++ b/networking/ssl_helper-wolfssl/README
@@ -0,0 +1,15 @@
+Build instructions:
+
+* Unpack wolfssl-3.6.8.zip
+* Build it:
+  ./configure --enable-static --disable-shared && make
+* Drop this directory into wolfssl-3.6.8/ssl_helper
+* Run ssl_helper.sh to compile and link the helper
+
+Usage: "ssl_helper -d FILE_DESCRIPTOR" where FILE_DESCRIPTOR is open to the peer.
+
+In bash, you can do it this way:
+$ ssl_helper -d3 3<>/dev/tcp/HOST/PORT
+
+Stdin will be SSL-encrypted and sent to FILE_DESCRIPTOR.
+Data from FILE_DESCRIPTOR will be decrypted and sent to stdout.
diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c
new file mode 100644
index 000000000..38b7b56c6
--- /dev/null
+++ b/networking/ssl_helper-wolfssl/ssl_helper.c
@@ -0,0 +1,480 @@
+/*
+ * Adapted from:
+ *
+ * client.c
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <time.h>
+#include <poll.h>
+#include <sys/socket.h>
+
+#include <wolfssl/wolfcrypt/types.h>
+#include <wolfssl/ssl.h>
+
+#if 0
+# define dbg(...) say(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+static ssize_t safe_write(int fd, const void *buf, size_t count)
+{
+        ssize_t n;
+
+        do {
+                n = write(fd, buf, count);
+        } while (n < 0 && errno == EINTR);
+
+        return n;
+}
+
+static ssize_t full_write(int fd, const void *buf, size_t len)
+{
+        ssize_t cc;
+        ssize_t total;
+
+        total = 0;
+
+        while (len) {
+                cc = safe_write(fd, buf, len);
+
+                if (cc < 0) {
+                        if (total) {
+                                /* we already wrote some! */
+                                /* user can do another write to know the error code */
+                                return total;
+                        }
+                        return cc;  /* write() returns -1 on failure. */
+                }
+
+                total += cc;
+                buf = ((const char *)buf) + cc;
+                len -= cc;
+        }
+
+        return total;
+}
+
+static void say(const char *s, ...)
+{
+        char buf[256];
+        va_list p;
+        int sz;
+
+        va_start(p, s);
+        sz = vsnprintf(buf, sizeof(buf), s, p);
+        full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+        va_end(p);
+}
+
+static void die(const char *s, ...)
+{
+        char buf[256];
+        va_list p;
+        int sz;
+
+        va_start(p, s);
+        sz = vsnprintf(buf, sizeof(buf), s, p);
+        full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf));
+        exit(1);
+        va_end(p);
+}
+
+static void err_sys(const char *msg)
+{
+        die("%s\n", msg);
+}
+
+/* ==== */
+
+#if 0
+static void showPeer(WOLFSSL* ssl)
+{
+        WOLFSSL_CIPHER* cipher;
+        WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
+        if (peer)
+                ShowX509(peer, "peer's cert info:");
+        else
+                say("peer has no cert!\n");
+        say("SSL version is %s\n", wolfSSL_get_version(ssl));
+
+        cipher = wolfSSL_get_current_cipher(ssl);
+        say("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher));
+
+        {
+                WOLFSSL_X509_CHAIN* chain = wolfSSL_get_peer_chain(ssl);
+                int count = wolfSSL_get_chain_count(chain);
+                int i;
+
+                for (i = 0; i < count; i++) {
+                        int length;
+                        unsigned char buffer[3072];
+                        WOLFSSL_X509* chainX509;
+
+                        wolfSSL_get_chain_cert_pem(chain, i, buffer, sizeof(buffer), &length);
+                        buffer[length] = 0;
+                        say("cert %d has length %d data = \n%s\n", i, length, buffer);
+
+                        chainX509 = wolfSSL_get_chain_X509(chain, i);
+                        if (chainX509)
+                                ShowX509(chainX509, "session cert info:");
+                        else
+                                say("get_chain_X509 failed\n");
+                        wolfSSL_FreeX509(chainX509);
+                }
+        }
+}
+#endif
+
+WOLFSSL *prepare(int sockfd)
+{
+        WOLFSSL_METHOD* method;
+        WOLFSSL_CTX* ctx;
+        WOLFSSL* ssl;
+
+        wolfSSL_Init();
+
+        method = wolfTLSv1_1_client_method();
+        if (method == NULL)
+                err_sys("out of memory");
+        ctx = wolfSSL_CTX_new(method);
+        if (ctx == NULL)
+                err_sys("out of memory");
+//      if (cipherList)
+//              if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
+//                      err_sys("client can't set cipher list 1");
+
+//      if (fewerPackets)
+//              wolfSSL_CTX_set_group_messages(ctx);
+
+//#ifndef NO_DH
+//      wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits);
+//#endif
+
+//      if (usePsk) {
+//              wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
+//              if (cipherList == NULL) {
+//                      const char *defaultCipherList;
+//#if defined(HAVE_AESGCM) && !defined(NO_DH)
+//                      defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
+//#elif defined(HAVE_NULL_CIPHER)
+//                      defaultCipherList = "PSK-NULL-SHA256";
+//#else
+//                      defaultCipherList = "PSK-AES128-CBC-SHA256";
+//#endif
+//                      if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) != SSL_SUCCESS)
+//                              err_sys("client can't set cipher list 2");
+//              }
+//              useClientCert = 0;
+//      }
+
+//      if (useAnon) {
+//              if (cipherList == NULL) {
+//                      wolfSSL_CTX_allow_anon_cipher(ctx);
+//                      if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA") != SSL_SUCCESS)
+//                              err_sys("client can't set cipher list 4");
+//              }
+//              useClientCert = 0;
+//      }
+
+//#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+//      wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
+//#endif
+
+//      if (useOcsp) {
+//              if (ocspUrl != NULL) {
+//                      wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
+//                      wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE
+//                                      | WOLFSSL_OCSP_URL_OVERRIDE);
+//              }
+//              else
+//                      wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
+//      }
+//
+//#ifdef USER_CA_CB
+//      wolfSSL_CTX_SetCACb(ctx, CaCb);
+//#endif
+//
+//#ifdef VERIFY_CALLBACK
+//      wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify);
+//#endif
+//#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
+//      if (useClientCert) {
+//              if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS)
+//                      err_sys("can't load client cert file, check file and run from"
+//                              " wolfSSL home dir");
+//              if (wolfSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS)
+//                      err_sys("can't load client private key file, check file and run "
+//                              "from wolfSSL home dir");
+//      }
+//
+//      if (!usePsk && !useAnon) {
+//              if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS)
+//                      err_sys("can't load ca file, Please run from wolfSSL home dir");
+//#ifdef HAVE_ECC
+//              /* load ecc verify too, echoserver uses it by default w/ ecc */
+//              if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS)
+//                      err_sys("can't load ecc ca file, Please run from wolfSSL home dir");
+//#endif
+//      }
+//#endif /* !NO_FILESYSTEM && !NO_CERTS */
+
+//#if !defined(NO_CERTS)
+//      if (!usePsk && !useAnon && doPeerCheck == 0)
+//              wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
+//      if (!usePsk && !useAnon && overrideDateErrors == 1)
+//              wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myDateCb);
+//#endif
+
+        wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
+
+//#ifdef HAVE_SNI
+//      if (sniHostName)
+//              if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) != SSL_SUCCESS)
+//                      err_sys("UseSNI failed");
+//#endif
+
+//#ifdef HAVE_MAX_FRAGMENT
+//      if (maxFragment)
+//              if (wolfSSL_CTX_UseMaxFragment(ctx, maxFragment) != SSL_SUCCESS)
+//                      err_sys("UseMaxFragment failed");
+//#endif
+//#ifdef HAVE_TRUNCATED_HMAC
+//      if (truncatedHMAC)
+//              if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS)
+//                      err_sys("UseTruncatedHMAC failed");
+//#endif
+//#ifdef HAVE_SESSION_TICKET
+//      if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS)
+//              err_sys("UseSessionTicket failed");
+//#endif
+
+//#if defined(WOLFSSL_MDK_ARM)
+//      wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
+//#endif
+
+        ssl = wolfSSL_new(ctx);
+        if (ssl == NULL)
+                err_sys("out of memory");
+
+//#ifdef HAVE_SESSION_TICKET
+//      wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
+//#endif
+
+//      if (doDTLS) {
+//              SOCKADDR_IN_T addr;
+//              build_addr(&addr, host, port, 1);
+//              wolfSSL_dtls_set_peer(ssl, &addr, sizeof(addr));
+//              tcp_socket(&sockfd, 1);
+//      } wlse {
+//              tcp_connect(&sockfd, host, port, 0);
+//      }
+
+//#ifdef HAVE_POLY1305
+//      /* use old poly to connect with google server */
+//      if (!XSTRNCMP(domain, "www.google.com", 14)) {
+//              if (wolfSSL_use_old_poly(ssl, 1) != 0)
+//                      err_sys("unable to set to old poly");
+//      }
+//#endif
+
+        wolfSSL_set_fd(ssl, sockfd);
+
+//#ifdef HAVE_CRL
+//      if (disableCRL == 0) {
+//              if (wolfSSL_EnableCRL(ssl, WOLFSSL_CRL_CHECKALL) != SSL_SUCCESS)
+//                      err_sys("can't enable crl check");
+//              if (wolfSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0) != SSL_SUCCESS)
+//                      err_sys("can't load crl, check crlfile and date validity");
+//              if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS)
+//                      err_sys("can't set crl callback");
+//      }
+//#endif
+//#ifdef HAVE_SECURE_RENEGOTIATION
+//      if (scr) {
+//              if (wolfSSL_UseSecureRenegotiation(ssl) != SSL_SUCCESS)
+//                      err_sys("can't enable secure renegotiation");
+//      }
+//#endif
+//#ifdef ATOMIC_USER
+//      if (atomicUser)
+//              SetupAtomicUser(ctx, ssl);
+//#endif
+//#ifdef HAVE_PK_CALLBACKS
+//      if (pkCallbacks)
+//              SetupPkCallbacks(ctx, ssl);
+//#endif
+//      if (matchName && doPeerCheck)
+//              wolfSSL_check_domain_name(ssl, domain);
+
+        if (wolfSSL_connect(ssl) != SSL_SUCCESS) {
+//              /* see note at top of README */
+//              int  err = wolfSSL_get_error(ssl, 0);
+//              char buffer[WOLFSSL_MAX_ERROR_SZ];
+//              say("err = %d, %s\n", err,
+//                      wolfSSL_ERR_error_string(err, buffer));
+                err_sys("SSL_connect failed");
+        }
+//      showPeer(ssl);
+
+//#ifdef HAVE_SECURE_RENEGOTIATION
+//      if (scr && forceScr) {
+//              if (wolfSSL_Rehandshake(ssl) != SSL_SUCCESS) {
+//                      int err = wolfSSL_get_error(ssl, 0);
+//                      char buffer[WOLFSSL_MAX_ERROR_SZ];
+//                      say("err = %d, %s\n", err,
+//                              wolfSSL_ERR_error_string(err, buffer));
+//                      err_sys("wolfSSL_Rehandshake failed");
+//              }
+//      }
+//#endif
+
+        return ssl;
+}
+
+static struct pollfd pfd[2] = {
+        { -1, POLLIN|POLLERR|POLLHUP, 0 },
+        { -1, POLLIN|POLLERR|POLLHUP, 0 },
+};
+#define STDIN           pfd[0]
+#define NETWORK         pfd[1]
+#define STDIN_READY()   (pfd[0].revents & (POLLIN|POLLERR|POLLHUP))
+#define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP))
+
+static void wait_for_input(void)
+{
+        if (STDIN.fd == NETWORK.fd) /* means both are -1 */
+                exit(0);
+        dbg("polling\n");
+        STDIN.revents = NETWORK.revents = 0;
+        while (poll(pfd, 2, -1) < 0 && errno == EINTR)
+                continue;
+}
+
+static void do_io_until_eof_and_exit(WOLFSSL *ssl, int fd)
+{
+        int len;
+        char ibuf[4 * 1024];
+
+        NETWORK.fd = fd;
+        STDIN.fd = 0;
+
+        len = 0; /* only to suppress compiler warning */
+        for (;;) {
+                wait_for_input();
+
+                if (STDIN_READY()) {
+                        dbg("reading stdin\n");
+                        len = read(STDIN_FILENO, ibuf, sizeof(ibuf));
+                        if (len < 0)
+                                die("read error on stdin\n");
+                        if (len == 0) {
+                                dbg("read len = 0, stdin not polled anymore\n");
+                                STDIN.fd = -1;
+                        } else {
+                                int n = wolfSSL_write(ssl, ibuf, len);
+                                if (n != len)
+                                        die("SSL_write(%d) failed (returned %d)\n", len, n);
+                        }
+                }
+
+                if (NETWORK_READY()) {
+                        dbg("%s%s%s\n",
+                                (pfd[1].revents & POLLIN)  ? "POLLIN"  : "",
+                                (pfd[1].revents & POLLERR) ? "|POLLERR" : "",
+                                (pfd[1].revents & POLLHUP) ? "|POLLHUP" : ""
+                        );
+/* We are using blocking socket here.
+ * (Nonblocking socket would complicate writing to it).
+ * Therefore, SSL_read _can block_ here.
+ * This is not what wget expects (it wants to see short reads).
+ * Therefore, we use smallish buffer here, to approximate that.
+ */
+                        len = wolfSSL_read(ssl, ibuf,
+                                sizeof(ibuf) < 1024 ? sizeof(ibuf) : 1024
+                        );
+                        if (len < 0)
+                                die("SSL_read error on network (%d)\n", len);
+                        if (len > 0) {
+                                int n;
+                                n = full_write(STDOUT_FILENO, ibuf, len);
+                                if (n != len)
+                                        die("write(%d) to stdout returned %d\n", len, n);
+                                continue;
+                        }
+/* Blocking reads are easier wtr EOF detection (no EAGAIN error to check for) */
+                        dbg("read len = 0, network not polled anymore\n");
+                        NETWORK.fd = -1;
+                        /* saw EOF on network, and we processed
+                         * and wrote out all ssl data. Signal it:
+                         */
+                        close(STDOUT_FILENO);
+                }
+        }
+}
+
+int main(int argc, char **argv)
+{
+        WOLFSSL *ssl;
+        int fd;
+        char *fd_str;
+
+        if (!argv[1])
+                die("Syntax error\n");
+        if (argv[1][0] != '-')
+                die("Syntax error\n");
+        if (argv[1][1] != 'd')
+                die("Syntax error\n");
+        fd_str = argv[1] + 2;
+        if (!fd_str[0])
+                fd_str = argv[2];
+        if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9')
+                die("Syntax error\n");
+
+        fd = atoi(fd_str);
+        if (fd < 3)
+                die("Syntax error\n");
+
+        ssl = prepare(fd);
+        do_io_until_eof_and_exit(ssl, fd);
+        /* does not return */
+
+//      if (doDTLS == 0) { /* don't send alert after "break" command */
+//              ret = wolfSSL_shutdown(ssl);
+//              if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE)
+//                      wolfSSL_shutdown(ssl); /* bidirectional shutdown */
+//      }
+//#ifdef ATOMIC_USER
+//      if (atomicUser)
+//              FreeAtomicUser(ssl);
+//#endif
+//      wolfSSL_free(ssl);
+//      CloseSocket(sockfd);
+//      wolfSSL_CTX_free(ctx);
+
+        return 0;
+}
diff --git a/networking/ssl_helper-wolfssl/ssl_helper.sh b/networking/ssl_helper-wolfssl/ssl_helper.sh
new file mode 100755
index 000000000..ddb4536c7
--- /dev/null
+++ b/networking/ssl_helper-wolfssl/ssl_helper.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# I use this to build static uclibc based binary using Aboriginal Linux toolchain:
+PREFIX=x86_64-
+STATIC=-static
+# Standard build:
+#PREFIX=""
+#STATIC=""
+
+${PREFIX}gcc -Os -Wall -I.. -c ssl_helper.c -o ssl_helper.o
+${PREFIX}gcc $STATIC --start-group ssl_helper.o -lm ../src/.libs/libwolfssl.a --end-group -o ssl_helper
diff --git a/networking/wget.c b/networking/wget.c
index f744ea2de..baa7e0e78 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -9,6 +9,89 @@
  * Kuhn's copyrights are licensed GPLv2-or-later.  File as a whole remains GPLv2.
  */
 
+//config:config WGET
+//config:       bool "wget"
+//config:       default y
+//config:       help
+//config:         wget is a utility for non-interactive download of files from HTTP
+//config:         and FTP servers.
+//config:
+//config:config FEATURE_WGET_STATUSBAR
+//config:       bool "Enable a nifty process meter (+2k)"
+//config:       default y
+//config:       depends on WGET
+//config:       help
+//config:         Enable the transfer progress bar for wget transfers.
+//config:
+//config:config FEATURE_WGET_AUTHENTICATION
+//config:       bool "Enable HTTP authentication"
+//config:       default y
+//config:       depends on WGET
+//config:       help
+//config:         Support authenticated HTTP transfers.
+//config:
+//config:config FEATURE_WGET_LONG_OPTIONS
+//config:       bool "Enable long options"
+//config:       default y
+//config:       depends on WGET && LONG_OPTS
+//config:       help
+//config:         Support long options for the wget applet.
+//config:
+//config:config FEATURE_WGET_TIMEOUT
+//config:       bool "Enable timeout option -T SEC"
+//config:       default y
+//config:       depends on WGET
+//config:       help
+//config:         Supports network read and connect timeouts for wget,
+//config:         so that wget will give up and timeout, through the -T
+//config:         command line option.
+//config:
+//config:         Currently only connect and network data read timeout are
+//config:         supported (i.e., timeout is not applied to the DNS query). When
+//config:         FEATURE_WGET_LONG_OPTIONS is also enabled, the --timeout option
+//config:         will work in addition to -T.
+//config:
+//config:choice
+//config:       prompt "Choose how to handle https:// URLs"
+//config:       depends on WGET
+//config:       default FEATURE_WGET_OPENSSL
+//config:       help
+//config:         Choose how wget establishes SSL connection for https:// URLs.
+//config:
+//config:         Busybox itself contains no SSL code. wget will spawn
+//config:         a helper program to talk over HTTPS.
+//config:
+//config:         OpenSSL has a simple SSL client for debug purposes.
+//config:         If you select "openssl" helper, wget will effectively call
+//config:         "openssl s_client -quiet -connect IP:443 2>/dev/null"
+//config:         and pipe its data through it.
+//config:         Note inconvenient API: host resolution is done twice,
+//config:         and there is no guarantee openssl's idea of IPv6 address
+//config:         format is the same as ours.
+//config:         Another problem is that s_client prints debug information
+//config:         to stderr, and it needs to be suppressed. This means
+//config:         all error messages get suppressed too.
+//config:         openssl is also a big binary, often dynamically linked
+//config:         against ~15 libraries.
+//config:
+//config:         ssl_helper is a tool which can be built statically
+//config:         from busybox sources against a small embedded SSL library.
+//config:         Please see networking/ssl_helper/README.
+//config:         It does not require double host resolution and emits
+//config:         error messages to stderr.
+//config:
+//config:config FEATURE_WGET_OPENSSL
+//config:       bool "openssl"
+//config:
+//config:config FEATURE_WGET_SSL_HELPER
+//config:       bool "ssl_helper"
+//config:
+//config:endchoice
+
+//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
+
+//kbuild:lib-$(CONFIG_WGET) += wget.o
+
 //usage:#define wget_trivial_usage
 //usage:        IF_FEATURE_WGET_LONG_OPTIONS(
 //usage:       "[-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]\n"
@@ -520,6 +603,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
         return sfp;
 }
 
+#if ENABLE_FEATURE_WGET_OPENSSL
 static int spawn_https_helper(const char *host, unsigned port)
 {
         char *allocated = NULL;
@@ -569,12 +653,11 @@ static int spawn_https_helper(const char *host, unsigned port)
         close(sp[1]);
         return sp[0];
 }
+#endif
 
-/* See networking/ssl_helper/README */
-#define SSL_HELPER 0
-
-#if SSL_HELPER
-static void spawn_https_helper1(int network_fd)
+/* See networking/ssl_helper/README how to build one */
+#if ENABLE_FEATURE_WGET_SSL_HELPER
+static void spawn_https_helper(int network_fd)
 {
         int sp[2];
         int pid;
@@ -851,19 +934,21 @@ static void download_one_url(const char *url)
                 int status;
 
                 /* Open socket to http(s) server */
+#if ENABLE_FEATURE_WGET_OPENSSL
                 if (target.protocol == P_HTTPS) {
-/* openssl-based helper
- * Inconvenient API since we can't give it an open fd
- */
+                        /* openssl-based helper
+                         * Inconvenient API since we can't give it an open fd
+                         */
                         int fd = spawn_https_helper(server.host, server.port);
                         sfp = fdopen(fd, "r+");
                         if (!sfp)
                                 bb_perror_msg_and_die(bb_msg_memory_exhausted);
                 } else
+#endif
                         sfp = open_socket(lsa);
-#if SSL_HELPER
+#if ENABLE_FEATURE_WGET_SSL_HELPER
                 if (target.protocol == P_HTTPS)
-                        spawn_https_helper1(fileno(sfp));
+                        spawn_https_helper(fileno(sfp));
 #endif
                 /* Send HTTP request */
                 if (use_proxy) {