| author | Ron Yorston <rmy@pobox.com> | 2026-04-24 08:43:59 +0100 |
|---|---|---|
| committer | Ron Yorston <rmy@pobox.com> | 2026-04-24 08:43:59 +0100 |
| commit | 47bc5ee4e1f1635360856be1025d50d3552e80e3 (patch) | |
| tree | 9204d747038ee46d29746e946c7802a6eee3ae9e | |
| parent | 0495eb5c75d62fc574a8c5477f9196f0917f723d (diff) | |
| download | busybox-w32-47bc5ee4e1f1635360856be1025d50d3552e80e3.tar.gz busybox-w32-47bc5ee4e1f1635360856be1025d50d3552e80e3.tar.bz2 busybox-w32-47bc5ee4e1f1635360856be1025d50d3552e80e3.zip | |
wget: allow HTTPS certificate check to be skipped
The Microsoft Windows Schannel implementation of TLS validates
the server certificate. Enable the --no-check-certificate
option to wget to allow these checks to be skipped. This may
be useful to connect to badly configured websites.
Adds 202 bytes to the x86_64 build with Schannel enabled.
(GitHub issue #581)
| -rw-r--r-- | include/libbb.h | 2 | ||||
| -rw-r--r-- | networking/ssl_client.c | 9 | ||||
| -rw-r--r-- | networking/tls.c | 5 | ||||
| -rw-r--r-- | networking/wget.c | 22 |
4 files changed, 36 insertions, 2 deletions
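--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1026,6 +1026,7 @@ typedef struct tls_state {
 char *hostname;
 SecPkgContext_StreamSizes stream_sizes;
 bool initialized;
+bool no_check_cert;
 enum schannel_connection_state connection_state;
 } tls_state_t;
 #else
@@ -1105,6 +1106,7 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni);
 void FAST_FUNC tls_handshake_as_server(tls_state_t *tls,
 const char *pem_filename);
 #define TLSLOOP_EXIT_ON_LOCAL_EOF (1 << 0)
+#define TLS_NO_CHECK_CERTIFICATE (1 << 1)
 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC;
 
 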
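Review bot: Neither the new `no_check_cert` field nor `TLS_NO_CHECK_CERTIFICATE` says that it disables server certificate validation, and the macro sits next to `TLSLOOP_EXIT_ON_LOCAL_EOF` in the `tls_run_copy_loop` flag set although, in this commit, it is only consumed by wget's `spawn_ssl_client` when building the `ssl_client -c` command line. A one-line comment on each would save the next reader a grep: `bool no_check_cert; /* Schannel: accept the server certificate without validation */` and `#define TLS_NO_CHECK_CERTIFICATE (1 << 1) /* Schannel only: skip server certificate validation */`. The field appears to be added to the Schannel variant of `tls_state` only (the struct holds `SecPkgContext_StreamSizes`), which matches the `# if ENABLE_FEATURE_TLS_SCHANNEL` guards around its uses elsewhere in the commit. The struct and the declaration list continue outside the hunks.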
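--- a/networking/ssl_client.c
+++ b/networking/ssl_client.c
@@ -19,6 +19,7 @@
 //usage: "[-n SNI] { -s FD [-r FD] | HOST | -e PROG ARGS }"
 //usage: )
 //usage: IF_PLATFORM_MINGW32(
+//usage: IF_FEATURE_TLS_SCHANNEL("[-c] ")
 //usage: "[-e] -h handle [-n SNI]"
 //usage: )
 //usage:#define ssl_client_full_usage ""
@@ -40,6 +41,9 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
 OPT_s = (1 << 0),
 OPT_h = (1 << 1),
 OPT_n = (1 << 2),
+# if ENABLE_FEATURE_TLS_SCHANNEL
+OPT_c = (1 << 3),
+# endif
 };
 #else
 enum {
@@ -53,12 +57,15 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
 // INIT_G();
 tls = new_tls_state();
 #if ENABLE_PLATFORM_MINGW32
-opt = getopt32(argv, "eh:n:", &hstr, &sni);
+opt = getopt32(argv, "eh:n:"IF_FEATURE_TLS_SCHANNEL("c"), &hstr, &sni);
 
 if (!hstr || sscanf(hstr, "%p", &h) != 1)
 bb_error_msg_and_die("invalid handle");
 init_winsock();
 tls->ifd = tls->ofd = _open_osfhandle((intptr_t)h, _O_RDWR|_O_BINARY);
+# if ENABLE_FEATURE_TLS_SCHANNEL
+tls->no_check_cert = (opt & OPT_c) != 0;
+# endif
 #else
 /* "+": stop on first non-option */
 opt = getopt32(argv, "^+" "s:+r:+n:e" "\0"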
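Review bot: `-c` is advertised in the usage line but `ssl_client_full_usage` is empty, so nothing in the source or the help output tells a reader that the flag makes ssl_client accept any server certificate; a comment at the enumerator, `OPT_c = (1 << 3), /* -c: skip server certificate validation (Schannel) */`, would document it where the option is defined. The assignment `tls->no_check_cert = (opt & OPT_c) != 0;` is the only place the field is written, so the safe default (validation on) relies on `new_tls_state()` zero-filling the state; that is presumably the case but is outside the hunk and worth confirming. `ssl_client_main` continues outside the hunks.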
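--- a/networking/tls.c
+++ b/networking/tls.c
@@ -3544,6 +3544,11 @@ void FAST_FUNC tls_handshake(tls_state_t *state, const char *hostname) {
 };
 #endif
 
+if (state->no_check_cert) {
+credential.dwFlags &= ~SCH_CRED_AUTO_CRED_VALIDATION;
+credential.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION;
+}
+
 state->in_buffer_offset = 0;
 
 state->out_buffer = NULL;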
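Review bot: With `SCH_CRED_MANUAL_CRED_VALIDATION` set, Schannel no longer validates the server certificate chain or matches it against `hostname`, and the hunk adds no replacement check, so every server certificate is accepted whenever `state->no_check_cert` is set; that is the intended effect of --no-check-certificate, but the block should state it, e.g. `/* --no-check-certificate: turn off Schannel's automatic chain/name validation; no manual validation follows, so any server certificate is accepted */`. Assuming `credential` is later passed to `AcquireCredentialsHandle`, the flags have to be adjusted before that call, which this placement satisfies. A one-time warning message on this path would make an unvalidated session visible in logs rather than silent. `tls_handshake` continues outside the hunk.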
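--- a/networking/wget.c
+++ b/networking/wget.c
@@ -140,8 +140,13 @@
 /* Since we ignore these opts, we don't show them in --help */
 /* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
 /* //usage: " [-nv] [-nc] [-nH] [-np]" */
+//usage: IF_PLATFORM_MINGW32(
+//usage: " "IF_FEATURE_TLS_SCHANNEL("[--no-check-certificate] ")"[-P DIR] [-U AGENT]"IF_FEATURE_WGET_TIMEOUT(" [-T SEC]")" URL..."
+//usage: )
+//usage: IF_PLATFORM_POSIX(
 //usage: " "IF_FEATURE_WGET_OPENSSL("[--no-check-certificate] ")"[-P DIR] [-U AGENT]"IF_FEATURE_WGET_TIMEOUT(" [-T SEC]")" URL..."
 //usage: )
+//usage: )
 //usage: IF_NOT_FEATURE_WGET_LONG_OPTIONS(
 //usage: "[-cqS] [-O FILE] [-o LOGFILE] [-Y on/off] [-P DIR] [-U AGENT]"IF_FEATURE_WGET_TIMEOUT(" [-T SEC]")" URL..."
 //usage: )
@@ -155,6 +160,9 @@
 //usage: IF_FEATURE_WGET_OPENSSL(
 //usage: "\n --no-check-certificate Don't validate the server's certificate"
 //usage: )
+//usage: IF_FEATURE_TLS_SCHANNEL(
+//usage: "\n --no-check-certificate Don't validate the server's certificate"
+//usage: )
 //usage: )
 //usage: "\n -c Continue retrieval of aborted transfer"
 //usage: "\n -q Quiet"
@@ -847,9 +855,16 @@ static void spawn_ssl_client(const char *host, int network_fd, int flags)
 
 fflush_all();
 
+# if !ENABLE_FEATURE_TLS_SCHANNEL
 cmd = xasprintf("ssl_client -h %p -n %s%s",
 (void *)_get_osfhandle(network_fd), servername,
 flags & TLSLOOP_EXIT_ON_LOCAL_EOF ? " -e" : "");
+# else
+cmd = xasprintf("ssl_client -h %p -n %s%s%s",
+(void *)_get_osfhandle(network_fd), servername,
+flags & TLSLOOP_EXIT_ON_LOCAL_EOF ? " -e" : "",
+flags & TLS_NO_CHECK_CERTIFICATE ? " -c" : "");
+# endif
 
 if ((fd1=mingw_popen_fd("ssl_client", cmd, "b", -1, NULL)) == -1) {
 bb_perror_msg_and_die("can't execute ssl_client");
@@ -1255,7 +1270,12 @@ static void download_one_url(const char *url)
 /* Only internal TLS support is configured */
 sfp = open_socket(lsa);
 if (server.protocol == P_HTTPS)
-spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
+spawn_ssl_client(server.host, fileno(sfp), /*flags*/
+# if ENABLE_FEATURE_TLS_SCHANNEL
+(option_mask32 & WGET_OPT_NO_CHECK_CERT) ?
+TLS_NO_CHECK_CERTIFICATE :
+# endif
+0);
 #else
 /* ssl (https) support is not configured */
 sfp = open_socket(lsa);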
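Review bot: `spawn_ssl_client` now carries two copies of the `xasprintf` call under `# if !ENABLE_FEATURE_TLS_SCHANNEL`/`# else`, and in `download_one_url` a ternary is split across preprocessor lines inside the argument list, which is hard to read and easy to break on the next edit; since `TLS_NO_CHECK_CERTIFICATE` is only ever set under `ENABLE_FEATURE_TLS_SCHANNEL`, the single four-argument form `cmd = xasprintf("ssl_client -h %p -n %s%s%s", (void *)_get_osfhandle(network_fd), servername, flags & TLSLOOP_EXIT_ON_LOCAL_EOF ? " -e" : "", flags & TLS_NO_CHECK_CERTIFICATE ? " -c" : "");` is correct for both builds, at the cost of the few bytes the commit message is evidently tracking. The `--no-check-certificate` help line is now emitted under both `IF_FEATURE_WGET_OPENSSL` and `IF_FEATURE_TLS_SCHANNEL`, so it would appear twice in --help if both features can be enabled at once. The new call also relies on `WGET_OPT_NO_CHECK_CERT` and the matching long-option entry existing in a Schannel-only build, which these hunks do not touch and is worth confirming. Both functions continue outside their hunks.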
