wget: add a big explanation what TLS code implements and what does not

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2017-01-30 16:27:37 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> 2017-01-30 16:27:37 +0100
commit: 67f6db6b2768e9af44132b0a11fbadf15c330283 (patch)
tree: 92f517e4161239008659d7156e2846163656331c
parent: 35b54a3c247235b1bffe2a22784a1d5be10267f3 (diff)
download: busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.tar.gz
busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.tar.bz2
busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.zip
2 files changed, 36 insertions, 3 deletions
diff --git a/networking/wget.c b/networking/wget.c
index 90eedaf7a..252f94dc6 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -58,6 +58,39 @@
 //config:         On NOMMU machines, ssl_helper applet should be available
 //config:         in the $PATH for this to work. Make sure to select that applet.
 //config:
+//config:         Note: currently, TLS code only makes TLS I/O work, it
+//config:         does *not* check that the peer is who it claims to be, etc.
+//config:         IOW: it uses peer-supplied public keys to establish encryption
+//config:         and signing keys, then encrypts and signs outgoing data and
+//config:         decrypts incoming data.
+//config:         It does not check signature hashes on the incoming data:
+//config:         this means that attackers manipulating TCP packets can
+//config:         send altered data and we unknowingly receive garbage.
+//config:         (This check might be relatively easy to add).
+//config:         It does not check public key's certificate:
+//config:         this means that the peer may be an attacker impersonating
+//config:         the server we think we are talking to.
+//config:
+//config:         If you think this is unacceptable, consider this. As more and more
+//config:         servers switch to HTTPS-only operation, without such "crippled"
+//config:         TLS code it is *impossible* to simply download a kernel source
+//config:         from kernel.org. Which can in real world translate into
+//config:         "my small automatic tooling to build cross-compilers from sources
+//config:         no longer works, I need to additionally keep a local copy
+//config:         of ~4 megabyte source tarball of a SSL library and ~2 megabyte
+//config:         source of wget, need to compile and built both before I can
+//config:         download anything. All this despite the fact that the build
+//config:         is done in a QEMU sandbox on a machine with absolutely nothing
+//config:         worth stealing, so I don't care if someone would go to a lot
+//config:         of trouble to intercept my HTTPS download to send me an altered
+//config:         kernel tarball".
+//config:
+//config:         If you still think this is unacceptable, send patches.
+//config:
+//config:         If you still think this is unacceptable, do not want to send
+//config:         patches, but do want to waste bandwidth expaining how wrong
+//config:         it is, you will be ignored.
+//config:
 //config:config FEATURE_WGET_OPENSSL
 //config:       bool "Try to connect to HTTPS using openssl"
 //config:       default y
diff --git a/shell/Config.src b/shell/Config.src
index 6a7e12aa7..ccb1b15fe 100644
--- a/shell/Config.src
+++ b/shell/Config.src
@@ -123,9 +123,9 @@ config FEATURE_SH_STANDALONE
          This is implemented by re-execing /proc/self/exe (typically)
          with right parameters.
-          However, there are drawbacks: it is problematic in chroot jails without
+          However, there are drawbacks: it is problematic in chroot jails
-          mounted /proc, and ps/top may show command name as 'exe' for applets
+          without mounted /proc, and ps/top may show command name as 'exe'
-          started this way.
+          for applets started this way.
 config FEATURE_SH_NOFORK
        bool "Run 'nofork' applets directly"
author	Denys Vlasenko <vda.linux@googlemail.com>	2017-01-30 16:27:37 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2017-01-30 16:27:37 +0100
commit	67f6db6b2768e9af44132b0a11fbadf15c330283 (patch)
tree	92f517e4161239008659d7156e2846163656331c
parent	35b54a3c247235b1bffe2a22784a1d5be10267f3 (diff)
download	busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.tar.gz busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.tar.bz2 busybox-w32-67f6db6b2768e9af44132b0a11fbadf15c330283.zip

diff --git a/networking/wget.c b/networking/wget.c index 90eedaf7a..252f94dc6 100644 --- a/networking/wget.c +++ b/networking/wget.c
@@ -58,6 +58,39 @@
58	//config: On NOMMU machines, ssl_helper applet should be available	58	//config: On NOMMU machines, ssl_helper applet should be available
59	//config: in the $PATH for this to work. Make sure to select that applet.	59	//config: in the $PATH for this to work. Make sure to select that applet.
60	//config:	60	//config:
		61	//config: Note: currently, TLS code only makes TLS I/O work, it
		62	//config: does not check that the peer is who it claims to be, etc.
		63	//config: IOW: it uses peer-supplied public keys to establish encryption
		64	//config: and signing keys, then encrypts and signs outgoing data and
		65	//config: decrypts incoming data.
		66	//config: It does not check signature hashes on the incoming data:
		67	//config: this means that attackers manipulating TCP packets can
		68	//config: send altered data and we unknowingly receive garbage.
		69	//config: (This check might be relatively easy to add).
		70	//config: It does not check public key's certificate:
		71	//config: this means that the peer may be an attacker impersonating
		72	//config: the server we think we are talking to.
		73	//config:
		74	//config: If you think this is unacceptable, consider this. As more and more
		75	//config: servers switch to HTTPS-only operation, without such "crippled"
		76	//config: TLS code it is impossible to simply download a kernel source
		77	//config: from kernel.org. Which can in real world translate into
		78	//config: "my small automatic tooling to build cross-compilers from sources
		79	//config: no longer works, I need to additionally keep a local copy
		80	//config: of ~4 megabyte source tarball of a SSL library and ~2 megabyte
		81	//config: source of wget, need to compile and built both before I can
		82	//config: download anything. All this despite the fact that the build
		83	//config: is done in a QEMU sandbox on a machine with absolutely nothing
		84	//config: worth stealing, so I don't care if someone would go to a lot
		85	//config: of trouble to intercept my HTTPS download to send me an altered
		86	//config: kernel tarball".
		87	//config:
		88	//config: If you still think this is unacceptable, send patches.
		89	//config:
		90	//config: If you still think this is unacceptable, do not want to send
		91	//config: patches, but do want to waste bandwidth expaining how wrong
		92	//config: it is, you will be ignored.
		93	//config:
61	//config:config FEATURE_WGET_OPENSSL	94	//config:config FEATURE_WGET_OPENSSL
62	//config: bool "Try to connect to HTTPS using openssl"	95	//config: bool "Try to connect to HTTPS using openssl"
63	//config: default y	96	//config: default y


diff --git a/shell/Config.src b/shell/Config.src index 6a7e12aa7..ccb1b15fe 100644 --- a/shell/Config.src +++ b/shell/Config.src
@@ -123,9 +123,9 @@ config FEATURE_SH_STANDALONE
123	This is implemented by re-execing /proc/self/exe (typically)	123	This is implemented by re-execing /proc/self/exe (typically)
124	with right parameters.	124	with right parameters.
125		125
126	However, there are drawbacks: it is problematic in chroot jails without	126	However, there are drawbacks: it is problematic in chroot jails
127	mounted /proc, and ps/top may show command name as 'exe' for applets	127	without mounted /proc, and ps/top may show command name as 'exe'
128	started this way.	128	for applets started this way.
129		129
130	config FEATURE_SH_NOFORK	130	config FEATURE_SH_NOFORK
131	bool "Run 'nofork' applets directly"	131	bool "Run 'nofork' applets directly"