From 1c6c670ed44a77ab4784ea0d4ac5411d7b0648d8 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Wed, 7 Oct 2015 01:39:40 +0200 Subject: [PATCH] wget: make openssl/ssl_helper choice configurable I got sick of not being able to wget a https file... Signed-off-by: Denys Vlasenko --- include/applets.src.h | 1 - networking/Config.src | 42 -- networking/Kbuild.src | 1 - .../ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 | 22 + networking/ssl_helper-wolfssl/README | 15 + networking/ssl_helper-wolfssl/ssl_helper.c | 480 ++++++++++++++++++ networking/ssl_helper-wolfssl/ssl_helper.sh | 11 + networking/wget.c | 105 +++- 8 files changed, 623 insertions(+), 54 deletions(-) create mode 100755 networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 create mode 100644 networking/ssl_helper-wolfssl/README create mode 100644 networking/ssl_helper-wolfssl/ssl_helper.c create mode 100755 networking/ssl_helper-wolfssl/ssl_helper.sh diff --git a/include/applets.src.h b/include/applets.src.h index 9f3ac78cb..dac83e7fb 100644 --- a/include/applets.src.h +++ b/include/applets.src.h @@ -382,7 +382,6 @@ IF_VOLNAME(APPLET(volname, BB_DIR_USR_BIN, BB_SUID_DROP)) IF_WATCH(APPLET(watch, BB_DIR_BIN, BB_SUID_DROP)) IF_WATCHDOG(APPLET(watchdog, BB_DIR_SBIN, BB_SUID_DROP)) IF_WC(APPLET(wc, BB_DIR_USR_BIN, BB_SUID_DROP)) -IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) IF_WHICH(APPLET(which, BB_DIR_USR_BIN, BB_SUID_DROP)) IF_WHOAMI(APPLET_NOFORK(whoami, whoami, BB_DIR_USR_BIN, BB_SUID_DROP, whoami)) IF_YES(APPLET_NOFORK(yes, yes, BB_DIR_USR_BIN, BB_SUID_DROP, yes)) diff --git a/networking/Config.src b/networking/Config.src index da36e8627..76cbccf4a 100644 --- a/networking/Config.src +++ b/networking/Config.src @@ -947,48 +947,6 @@ config VCONFIG help Creates, removes, and configures VLAN interfaces -config WGET - bool "wget" - default y - help - wget is a utility for non-interactive download of files from HTTP - and FTP servers. - -config FEATURE_WGET_STATUSBAR - bool "Enable a nifty process meter (+2k)" - default y - depends on WGET - help - Enable the transfer progress bar for wget transfers. - -config FEATURE_WGET_AUTHENTICATION - bool "Enable HTTP authentication" - default y - depends on WGET - help - Support authenticated HTTP transfers. - -config FEATURE_WGET_LONG_OPTIONS - bool "Enable long options" - default y - depends on WGET && LONG_OPTS - help - Support long options for the wget applet. - -config FEATURE_WGET_TIMEOUT - bool "Enable timeout option -T SEC" - default y - depends on WGET - help - Supports network read and connect timeouts for wget, - so that wget will give up and timeout, through the -T - command line option. - - Currently only connect and network data read timeout are - supported (i.e., timeout is not applied to the DNS query). When - FEATURE_WGET_LONG_OPTIONS is also enabled, the --timeout option - will work in addition to -T. - config ZCIP bool "zcip" default y diff --git a/networking/Kbuild.src b/networking/Kbuild.src index 944f27be1..79f54824b 100644 --- a/networking/Kbuild.src +++ b/networking/Kbuild.src @@ -41,7 +41,6 @@ lib-$(CONFIG_TFTPD) += tftp.o lib-$(CONFIG_TRACEROUTE) += traceroute.o lib-$(CONFIG_TUNCTL) += tunctl.o lib-$(CONFIG_VCONFIG) += vconfig.o -lib-$(CONFIG_WGET) += wget.o lib-$(CONFIG_ZCIP) += zcip.o lib-$(CONFIG_TCPSVD) += tcpudp.o tcpudp_perhost.o diff --git a/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 b/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 new file mode 100755 index 000000000..27d0c41ee --- /dev/null +++ b/networking/ssl_helper-wolfssl/00cfg-wolfssl-3.6.8 @@ -0,0 +1,22 @@ +#!/bin/sh + +# How to configure & build a static wolfssl-3.6.8 library +# suitable for static build of ssl_helper. + +export CC="x86_64-gcc" +export CFLAGS="\ +-Os \ +-static \ +-fomit-frame-pointer \ +-falign-functions=1 -falign-labels=1 -falign-loops=1 -falign-jumps=1 \ +-ffunction-sections -fdata-sections \ +" + +./configure \ + --enable-static \ + --enable-singlethreaded \ + --disable-shared \ +|| exit $? + +make +exit $? diff --git a/networking/ssl_helper-wolfssl/README b/networking/ssl_helper-wolfssl/README new file mode 100644 index 000000000..17437606d --- /dev/null +++ b/networking/ssl_helper-wolfssl/README @@ -0,0 +1,15 @@ +Build instructions: + +* Unpack wolfssl-3.6.8.zip +* Build it: + ./configure --enable-static --disable-shared && make +* Drop this directory into wolfssl-3.6.8/ssl_helper +* Run ssl_helper.sh to compile and link the helper + +Usage: "ssl_helper -d FILE_DESCRIPTOR" where FILE_DESCRIPTOR is open to the peer. + +In bash, you can do it this way: +$ ssl_helper -d3 3<>/dev/tcp/HOST/PORT + +Stdin will be SSL-encrypted and sent to FILE_DESCRIPTOR. +Data from FILE_DESCRIPTOR will be decrypted and sent to stdout. diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c new file mode 100644 index 000000000..38b7b56c6 --- /dev/null +++ b/networking/ssl_helper-wolfssl/ssl_helper.c @@ -0,0 +1,480 @@ +/* + * Adapted from: + * + * client.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#if 0 +# define dbg(...) say(__VA_ARGS__) +#else +# define dbg(...) ((void)0) +#endif + +static ssize_t safe_write(int fd, const void *buf, size_t count) +{ + ssize_t n; + + do { + n = write(fd, buf, count); + } while (n < 0 && errno == EINTR); + + return n; +} + +static ssize_t full_write(int fd, const void *buf, size_t len) +{ + ssize_t cc; + ssize_t total; + + total = 0; + + while (len) { + cc = safe_write(fd, buf, len); + + if (cc < 0) { + if (total) { + /* we already wrote some! */ + /* user can do another write to know the error code */ + return total; + } + return cc; /* write() returns -1 on failure. */ + } + + total += cc; + buf = ((const char *)buf) + cc; + len -= cc; + } + + return total; +} + +static void say(const char *s, ...) +{ + char buf[256]; + va_list p; + int sz; + + va_start(p, s); + sz = vsnprintf(buf, sizeof(buf), s, p); + full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf)); + va_end(p); +} + +static void die(const char *s, ...) +{ + char buf[256]; + va_list p; + int sz; + + va_start(p, s); + sz = vsnprintf(buf, sizeof(buf), s, p); + full_write(STDERR_FILENO, buf, sz >= 0 && sz < sizeof(buf) ? sz : strlen(buf)); + exit(1); + va_end(p); +} + +static void err_sys(const char *msg) +{ + die("%s\n", msg); +} + +/* ==== */ + +#if 0 +static void showPeer(WOLFSSL* ssl) +{ + WOLFSSL_CIPHER* cipher; + WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); + if (peer) + ShowX509(peer, "peer's cert info:"); + else + say("peer has no cert!\n"); + say("SSL version is %s\n", wolfSSL_get_version(ssl)); + + cipher = wolfSSL_get_current_cipher(ssl); + say("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher)); + + { + WOLFSSL_X509_CHAIN* chain = wolfSSL_get_peer_chain(ssl); + int count = wolfSSL_get_chain_count(chain); + int i; + + for (i = 0; i < count; i++) { + int length; + unsigned char buffer[3072]; + WOLFSSL_X509* chainX509; + + wolfSSL_get_chain_cert_pem(chain, i, buffer, sizeof(buffer), &length); + buffer[length] = 0; + say("cert %d has length %d data = \n%s\n", i, length, buffer); + + chainX509 = wolfSSL_get_chain_X509(chain, i); + if (chainX509) + ShowX509(chainX509, "session cert info:"); + else + say("get_chain_X509 failed\n"); + wolfSSL_FreeX509(chainX509); + } + } +} +#endif + +WOLFSSL *prepare(int sockfd) +{ + WOLFSSL_METHOD* method; + WOLFSSL_CTX* ctx; + WOLFSSL* ssl; + + wolfSSL_Init(); + + method = wolfTLSv1_1_client_method(); + if (method == NULL) + err_sys("out of memory"); + ctx = wolfSSL_CTX_new(method); + if (ctx == NULL) + err_sys("out of memory"); +// if (cipherList) +// if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) +// err_sys("client can't set cipher list 1"); + +// if (fewerPackets) +// wolfSSL_CTX_set_group_messages(ctx); + +//#ifndef NO_DH +// wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits); +//#endif + +// if (usePsk) { +// wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); +// if (cipherList == NULL) { +// const char *defaultCipherList; +//#if defined(HAVE_AESGCM) && !defined(NO_DH) +// defaultCipherList = "DHE-PSK-AES128-GCM-SHA256"; +//#elif defined(HAVE_NULL_CIPHER) +// defaultCipherList = "PSK-NULL-SHA256"; +//#else +// defaultCipherList = "PSK-AES128-CBC-SHA256"; +//#endif +// if (wolfSSL_CTX_set_cipher_list(ctx,defaultCipherList) != SSL_SUCCESS) +// err_sys("client can't set cipher list 2"); +// } +// useClientCert = 0; +// } + +// if (useAnon) { +// if (cipherList == NULL) { +// wolfSSL_CTX_allow_anon_cipher(ctx); +// if (wolfSSL_CTX_set_cipher_list(ctx,"ADH-AES128-SHA") != SSL_SUCCESS) +// err_sys("client can't set cipher list 4"); +// } +// useClientCert = 0; +// } + +//#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +// wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); +//#endif + +// if (useOcsp) { +// if (ocspUrl != NULL) { +// wolfSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl); +// wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE +// | WOLFSSL_OCSP_URL_OVERRIDE); +// } +// else +// wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); +// } +// +//#ifdef USER_CA_CB +// wolfSSL_CTX_SetCACb(ctx, CaCb); +//#endif +// +//#ifdef VERIFY_CALLBACK +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); +//#endif +//#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) +// if (useClientCert) { +// if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) +// err_sys("can't load client cert file, check file and run from" +// " wolfSSL home dir"); +// if (wolfSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) +// err_sys("can't load client private key file, check file and run " +// "from wolfSSL home dir"); +// } +// +// if (!usePsk && !useAnon) { +// if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS) +// err_sys("can't load ca file, Please run from wolfSSL home dir"); +//#ifdef HAVE_ECC +// /* load ecc verify too, echoserver uses it by default w/ ecc */ +// if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) +// err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); +//#endif +// } +//#endif /* !NO_FILESYSTEM && !NO_CERTS */ + +//#if !defined(NO_CERTS) +// if (!usePsk && !useAnon && doPeerCheck == 0) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +// if (!usePsk && !useAnon && overrideDateErrors == 1) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myDateCb); +//#endif + + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); + +//#ifdef HAVE_SNI +// if (sniHostName) +// if (wolfSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)) != SSL_SUCCESS) +// err_sys("UseSNI failed"); +//#endif + +//#ifdef HAVE_MAX_FRAGMENT +// if (maxFragment) +// if (wolfSSL_CTX_UseMaxFragment(ctx, maxFragment) != SSL_SUCCESS) +// err_sys("UseMaxFragment failed"); +//#endif +//#ifdef HAVE_TRUNCATED_HMAC +// if (truncatedHMAC) +// if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) +// err_sys("UseTruncatedHMAC failed"); +//#endif +//#ifdef HAVE_SESSION_TICKET +// if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS) +// err_sys("UseSessionTicket failed"); +//#endif + +//#if defined(WOLFSSL_MDK_ARM) +// wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +//#endif + + ssl = wolfSSL_new(ctx); + if (ssl == NULL) + err_sys("out of memory"); + +//#ifdef HAVE_SESSION_TICKET +// wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); +//#endif + +// if (doDTLS) { +// SOCKADDR_IN_T addr; +// build_addr(&addr, host, port, 1); +// wolfSSL_dtls_set_peer(ssl, &addr, sizeof(addr)); +// tcp_socket(&sockfd, 1); +// } wlse { +// tcp_connect(&sockfd, host, port, 0); +// } + +//#ifdef HAVE_POLY1305 +// /* use old poly to connect with google server */ +// if (!XSTRNCMP(domain, "www.google.com", 14)) { +// if (wolfSSL_use_old_poly(ssl, 1) != 0) +// err_sys("unable to set to old poly"); +// } +//#endif + + wolfSSL_set_fd(ssl, sockfd); + +//#ifdef HAVE_CRL +// if (disableCRL == 0) { +// if (wolfSSL_EnableCRL(ssl, WOLFSSL_CRL_CHECKALL) != SSL_SUCCESS) +// err_sys("can't enable crl check"); +// if (wolfSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0) != SSL_SUCCESS) +// err_sys("can't load crl, check crlfile and date validity"); +// if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS) +// err_sys("can't set crl callback"); +// } +//#endif +//#ifdef HAVE_SECURE_RENEGOTIATION +// if (scr) { +// if (wolfSSL_UseSecureRenegotiation(ssl) != SSL_SUCCESS) +// err_sys("can't enable secure renegotiation"); +// } +//#endif +//#ifdef ATOMIC_USER +// if (atomicUser) +// SetupAtomicUser(ctx, ssl); +//#endif +//#ifdef HAVE_PK_CALLBACKS +// if (pkCallbacks) +// SetupPkCallbacks(ctx, ssl); +//#endif +// if (matchName && doPeerCheck) +// wolfSSL_check_domain_name(ssl, domain); + + if (wolfSSL_connect(ssl) != SSL_SUCCESS) { +// /* see note at top of README */ +// int err = wolfSSL_get_error(ssl, 0); +// char buffer[WOLFSSL_MAX_ERROR_SZ]; +// say("err = %d, %s\n", err, +// wolfSSL_ERR_error_string(err, buffer)); + err_sys("SSL_connect failed"); + } +// showPeer(ssl); + +//#ifdef HAVE_SECURE_RENEGOTIATION +// if (scr && forceScr) { +// if (wolfSSL_Rehandshake(ssl) != SSL_SUCCESS) { +// int err = wolfSSL_get_error(ssl, 0); +// char buffer[WOLFSSL_MAX_ERROR_SZ]; +// say("err = %d, %s\n", err, +// wolfSSL_ERR_error_string(err, buffer)); +// err_sys("wolfSSL_Rehandshake failed"); +// } +// } +//#endif + + return ssl; +} + +static struct pollfd pfd[2] = { + { -1, POLLIN|POLLERR|POLLHUP, 0 }, + { -1, POLLIN|POLLERR|POLLHUP, 0 }, +}; +#define STDIN pfd[0] +#define NETWORK pfd[1] +#define STDIN_READY() (pfd[0].revents & (POLLIN|POLLERR|POLLHUP)) +#define NETWORK_READY() (pfd[1].revents & (POLLIN|POLLERR|POLLHUP)) + +static void wait_for_input(void) +{ + if (STDIN.fd == NETWORK.fd) /* means both are -1 */ + exit(0); + dbg("polling\n"); + STDIN.revents = NETWORK.revents = 0; + while (poll(pfd, 2, -1) < 0 && errno == EINTR) + continue; +} + +static void do_io_until_eof_and_exit(WOLFSSL *ssl, int fd) +{ + int len; + char ibuf[4 * 1024]; + + NETWORK.fd = fd; + STDIN.fd = 0; + + len = 0; /* only to suppress compiler warning */ + for (;;) { + wait_for_input(); + + if (STDIN_READY()) { + dbg("reading stdin\n"); + len = read(STDIN_FILENO, ibuf, sizeof(ibuf)); + if (len < 0) + die("read error on stdin\n"); + if (len == 0) { + dbg("read len = 0, stdin not polled anymore\n"); + STDIN.fd = -1; + } else { + int n = wolfSSL_write(ssl, ibuf, len); + if (n != len) + die("SSL_write(%d) failed (returned %d)\n", len, n); + } + } + + if (NETWORK_READY()) { + dbg("%s%s%s\n", + (pfd[1].revents & POLLIN) ? "POLLIN" : "", + (pfd[1].revents & POLLERR) ? "|POLLERR" : "", + (pfd[1].revents & POLLHUP) ? "|POLLHUP" : "" + ); +/* We are using blocking socket here. + * (Nonblocking socket would complicate writing to it). + * Therefore, SSL_read _can block_ here. + * This is not what wget expects (it wants to see short reads). + * Therefore, we use smallish buffer here, to approximate that. + */ + len = wolfSSL_read(ssl, ibuf, + sizeof(ibuf) < 1024 ? sizeof(ibuf) : 1024 + ); + if (len < 0) + die("SSL_read error on network (%d)\n", len); + if (len > 0) { + int n; + n = full_write(STDOUT_FILENO, ibuf, len); + if (n != len) + die("write(%d) to stdout returned %d\n", len, n); + continue; + } +/* Blocking reads are easier wtr EOF detection (no EAGAIN error to check for) */ + dbg("read len = 0, network not polled anymore\n"); + NETWORK.fd = -1; + /* saw EOF on network, and we processed + * and wrote out all ssl data. Signal it: + */ + close(STDOUT_FILENO); + } + } +} + +int main(int argc, char **argv) +{ + WOLFSSL *ssl; + int fd; + char *fd_str; + + if (!argv[1]) + die("Syntax error\n"); + if (argv[1][0] != '-') + die("Syntax error\n"); + if (argv[1][1] != 'd') + die("Syntax error\n"); + fd_str = argv[1] + 2; + if (!fd_str[0]) + fd_str = argv[2]; + if (!fd_str || fd_str[0] < '0' || fd_str[0] > '9') + die("Syntax error\n"); + + fd = atoi(fd_str); + if (fd < 3) + die("Syntax error\n"); + + ssl = prepare(fd); + do_io_until_eof_and_exit(ssl, fd); + /* does not return */ + +// if (doDTLS == 0) { /* don't send alert after "break" command */ +// ret = wolfSSL_shutdown(ssl); +// if (wc_shutdown && ret == SSL_SHUTDOWN_NOT_DONE) +// wolfSSL_shutdown(ssl); /* bidirectional shutdown */ +// } +//#ifdef ATOMIC_USER +// if (atomicUser) +// FreeAtomicUser(ssl); +//#endif +// wolfSSL_free(ssl); +// CloseSocket(sockfd); +// wolfSSL_CTX_free(ctx); + + return 0; +} diff --git a/networking/ssl_helper-wolfssl/ssl_helper.sh b/networking/ssl_helper-wolfssl/ssl_helper.sh new file mode 100755 index 000000000..ddb4536c7 --- /dev/null +++ b/networking/ssl_helper-wolfssl/ssl_helper.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +# I use this to build static uclibc based binary using Aboriginal Linux toolchain: +PREFIX=x86_64- +STATIC=-static +# Standard build: +#PREFIX="" +#STATIC="" + +${PREFIX}gcc -Os -Wall -I.. -c ssl_helper.c -o ssl_helper.o +${PREFIX}gcc $STATIC --start-group ssl_helper.o -lm ../src/.libs/libwolfssl.a --end-group -o ssl_helper diff --git a/networking/wget.c b/networking/wget.c index f744ea2de..baa7e0e78 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -9,6 +9,89 @@ * Kuhn's copyrights are licensed GPLv2-or-later. File as a whole remains GPLv2. */ +//config:config WGET +//config: bool "wget" +//config: default y +//config: help +//config: wget is a utility for non-interactive download of files from HTTP +//config: and FTP servers. +//config: +//config:config FEATURE_WGET_STATUSBAR +//config: bool "Enable a nifty process meter (+2k)" +//config: default y +//config: depends on WGET +//config: help +//config: Enable the transfer progress bar for wget transfers. +//config: +//config:config FEATURE_WGET_AUTHENTICATION +//config: bool "Enable HTTP authentication" +//config: default y +//config: depends on WGET +//config: help +//config: Support authenticated HTTP transfers. +//config: +//config:config FEATURE_WGET_LONG_OPTIONS +//config: bool "Enable long options" +//config: default y +//config: depends on WGET && LONG_OPTS +//config: help +//config: Support long options for the wget applet. +//config: +//config:config FEATURE_WGET_TIMEOUT +//config: bool "Enable timeout option -T SEC" +//config: default y +//config: depends on WGET +//config: help +//config: Supports network read and connect timeouts for wget, +//config: so that wget will give up and timeout, through the -T +//config: command line option. +//config: +//config: Currently only connect and network data read timeout are +//config: supported (i.e., timeout is not applied to the DNS query). When +//config: FEATURE_WGET_LONG_OPTIONS is also enabled, the --timeout option +//config: will work in addition to -T. +//config: +//config:choice +//config: prompt "Choose how to handle https:// URLs" +//config: depends on WGET +//config: default FEATURE_WGET_OPENSSL +//config: help +//config: Choose how wget establishes SSL connection for https:// URLs. +//config: +//config: Busybox itself contains no SSL code. wget will spawn +//config: a helper program to talk over HTTPS. +//config: +//config: OpenSSL has a simple SSL client for debug purposes. +//config: If you select "openssl" helper, wget will effectively call +//config: "openssl s_client -quiet -connect IP:443 2>/dev/null" +//config: and pipe its data through it. +//config: Note inconvenient API: host resolution is done twice, +//config: and there is no guarantee openssl's idea of IPv6 address +//config: format is the same as ours. +//config: Another problem is that s_client prints debug information +//config: to stderr, and it needs to be suppressed. This means +//config: all error messages get suppressed too. +//config: openssl is also a big binary, often dynamically linked +//config: against ~15 libraries. +//config: +//config: ssl_helper is a tool which can be built statically +//config: from busybox sources against a small embedded SSL library. +//config: Please see networking/ssl_helper/README. +//config: It does not require double host resolution and emits +//config: error messages to stderr. +//config: +//config:config FEATURE_WGET_OPENSSL +//config: bool "openssl" +//config: +//config:config FEATURE_WGET_SSL_HELPER +//config: bool "ssl_helper" +//config: +//config:endchoice + +//applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) + +//kbuild:lib-$(CONFIG_WGET) += wget.o + //usage:#define wget_trivial_usage //usage: IF_FEATURE_WGET_LONG_OPTIONS( //usage: "[-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]\n" @@ -520,6 +603,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_ return sfp; } +#if ENABLE_FEATURE_WGET_OPENSSL static int spawn_https_helper(const char *host, unsigned port) { char *allocated = NULL; @@ -569,12 +653,11 @@ static int spawn_https_helper(const char *host, unsigned port) close(sp[1]); return sp[0]; } +#endif -/* See networking/ssl_helper/README */ -#define SSL_HELPER 0 - -#if SSL_HELPER -static void spawn_https_helper1(int network_fd) +/* See networking/ssl_helper/README how to build one */ +#if ENABLE_FEATURE_WGET_SSL_HELPER +static void spawn_https_helper(int network_fd) { int sp[2]; int pid; @@ -851,19 +934,21 @@ static void download_one_url(const char *url) int status; /* Open socket to http(s) server */ +#if ENABLE_FEATURE_WGET_OPENSSL if (target.protocol == P_HTTPS) { -/* openssl-based helper - * Inconvenient API since we can't give it an open fd - */ + /* openssl-based helper + * Inconvenient API since we can't give it an open fd + */ int fd = spawn_https_helper(server.host, server.port); sfp = fdopen(fd, "r+"); if (!sfp) bb_perror_msg_and_die(bb_msg_memory_exhausted); } else +#endif sfp = open_socket(lsa); -#if SSL_HELPER +#if ENABLE_FEATURE_WGET_SSL_HELPER if (target.protocol == P_HTTPS) - spawn_https_helper1(fileno(sfp)); + spawn_https_helper(fileno(sfp)); #endif /* Send HTTP request */ if (use_proxy) {