Re: [yocto-security] [PATCH] busybox: use openssl for TLS connections whenever possible

Andre McCurdy

On Tue, Apr 20, 2021 at 10:23 AM Randy MacLeod
<randy.macleod@...> wrote:

Add the oe-core list where patches are usually discussed.

On 2021-04-17 10:41 a.m., Shachar Menashe wrote:

This adds proper TLS verification to wget

I think you should add some of the comments you made in the bugzilla here:


By enabling the busybox feature WGET_OPENSSL, it means that in builds WITH openssl (ex. sato)
the issue will be completely fixed, and in builds WITHOUT openssl, busybox will fall back
to using the internal (insecure) client which will print out a message
"note: TLS certificate validation not implemented". Note that busybox does not rely in any way on the OpenSSL library
(it just executes the standalone binary, if it is found) so
we shouldn't have linkage issues if CONFIG_FEATURE_WGET_OPENSSL is enabled but OpenSSL is not getting built.


Thanks for the explanation.
We could add an RSUGGESTS to make the coupling more clear:

I don't use that feature at all and it's not widely used in oe-core so hopefully someone
opinionated will reply and help us out.


Signed-off-by: Shachar Menashe <shachar@...>
meta/recipes-core/busybox/ | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/busybox/ b/meta/recipes-core/busybox/
index 47fcb59302..8f274bd263 100644
--- a/meta/recipes-core/busybox/
+++ b/meta/recipes-core/busybox/
@@ -77,6 +77,7 @@ def features_to_busybox_settings(d):
busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv4', True, False, d), 'CONFIG_FEATURE_IFUPDOWN_IPV4', cnf, rem)
busybox_cfg(bb.utils.contains('DISTRO_FEATURES', 'ipv6', True, False, d), 'CONFIG_FEATURE_IFUPDOWN_IPV6', cnf, rem)
busybox_cfg(bb.utils.contains_any('DISTRO_FEATURES', 'bluetooth wifi', True, False, d), 'CONFIG_RFKILL', cnf, rem)
+ busybox_cfg(True, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem)
return "\n".join(cnf), "\n".join(rem)

# X, Y = ${@features_to_busybox_settings(d)}
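Review bot: `busybox_cfg(True, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem)` hard-codes its condition inside features_to_busybox_settings(), where every neighbouring entry derives the condition from DISTRO_FEATURES; a constant belongs in the defconfig rather than in this mapping, and as written the option is switched on even for images that ship no openssl binary, where (per the cover text) wget drops to the internal client with only the "TLS certificate validation not implemented" note to show for it. Suggest gating the condition on whether openssl is actually part of the build and, as Randy proposes, adding an RSUGGESTS on the package that provides the openssl binary so the runtime coupling is visible in the recipe; the fallback should also be spelled out in the commit message, which currently says only "This adds proper TLS verification to wget".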
This was discussed on the list last year. The conclusion was that
FEATURE_WGET_HTTPS should be disabled by default (i.e. giving anyone who
needs to fetch from https URLs a clear hint that they should be using
full featured wget or curl) rather than enabling a hacky solution to
have busybox call out to the openssl command line tool. Has something
changed since then?
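As an added example (not code from the oe-core busybox recipe, from busybox, or from anyone in this thread), the Python below models the two things argued over above: how a gated busybox_cfg() call differs from the patch's unconditional True, and what an https fetch ends up doing at runtime for a given .config and target. busybox_cfg() re-implements the shape of the recipe helper; wget_tls_settings(), expected_wget_behaviour() and enabled_options() are hypothetical helpers; the openssl_in_image and openssl_binary_present flags are assumptions standing in for whatever the build or the target would actually check; the .config text is constructed. The outcome table follows the thread's own description: the openssl feature plus an openssl binary on the target gives verified TLS, the feature without the binary falls back to the internal client with the note quoted above, and without FEATURE_WGET_HTTPS an https URL is not handled at all.

```python
"""Model of how the busybox wget TLS options interact with what is in the image.

Added example for the thread above; not the oe-core recipe's or busybox's code.
"""


def busybox_cfg(condition, tokens, cnf, rem):
    """Append each option name to cnf when condition holds, else to rem.

    Re-implementation of the helper shape used by the recipe's
    features_to_busybox_settings(); a list of names is handled recursively.
    """
    if isinstance(tokens, list):
        for token in tokens:
            busybox_cfg(condition, token, cnf, rem)
    elif condition:
        cnf.append(tokens)
    else:
        rem.append(tokens)


def wget_tls_settings(openssl_in_image):
    """Return (enable, disable) lists for the two wget TLS options.

    Hypothetical gating (assumption for this example): the openssl call-out
    is enabled only when openssl actually goes into the image, and
    FEATURE_WGET_HTTPS is kept only when that call-out is available, so that
    an image never advertises https support it cannot verify.  The patch
    under review instead passes a literal True for the first option.
    """
    cnf, rem = [], []
    busybox_cfg(openssl_in_image, 'CONFIG_FEATURE_WGET_OPENSSL', cnf, rem)
    busybox_cfg(openssl_in_image, 'CONFIG_FEATURE_WGET_HTTPS', cnf, rem)
    return cnf, rem


def enabled_options(dot_config_text):
    """Parse busybox .config text into the set of options set to y.

    '# CONFIG_X is not set' lines and blank lines are skipped.
    """
    enabled = set()
    for line in dot_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, value = line.partition('=')
        if value == 'y':
            enabled.add(name)
    return enabled


def expected_wget_behaviour(config, openssl_binary_present):
    """Predict what busybox wget does with an https URL at runtime.

    config: set of enabled CONFIG_* names (see enabled_options()).
    openssl_binary_present: whether an 'openssl' executable is on the target.
    Returns 'https-unsupported', 'verified' or 'insecure-fallback', following
    the behaviour described in the thread.
    """
    if 'CONFIG_FEATURE_WGET_HTTPS' not in config:
        return 'https-unsupported'
    if 'CONFIG_FEATURE_WGET_OPENSSL' in config and openssl_binary_present:
        return 'verified'
    # Internal client: busybox prints
    # "note: TLS certificate validation not implemented" and carries on.
    return 'insecure-fallback'


# Constructed sample .config fragment, not taken from any real build.
SAMPLE_CONFIG = """\
# constructed sample, not a real oe-core busybox .config
CONFIG_WGET=y
CONFIG_FEATURE_WGET_HTTPS=y
# CONFIG_FEATURE_WGET_OPENSSL is not set
"""


if __name__ == '__main__':
    print(wget_tls_settings(True))
    print(wget_tls_settings(False))
    print(expected_wget_behaviour(enabled_options(SAMPLE_CONFIG), True))
```

Run against a real .config, the case worth looking for is the third one: FEATURE_WGET_HTTPS=y with the openssl feature off, or on but with no openssl package in the image, is precisely the configuration that looks like it supports https while verifying nothing, which is why Andre's reply argues for leaving FEATURE_WGET_HTTPS off rather than wiring in the call-out.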
