File wget-implement-TLS-verification-with-ENABLE_FEATURE_WGET_OPENSSL.patch of Package busybox.20467

From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Tue May 19 18:20:39 2020 +0100
Subject: wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
Patch-mainline: 45fa3f18adf57ef9d743038743d9c90573aeeb91
Git-repo: https://git.busybox.net/busybox
Git-commit: 39abdcd280343ce89ca45debcda39b3c4b970399
References: 

When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
verification by default. And only ignore verification errors, if
--no-check-certificate was passed.

Also note, that previously OPENSSL implementation did not implement
TLS verification, nor printed any warning messages that verification
was not performed.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533

CVE-2018-1000500

Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
 networking/wget.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/networking/wget.c b/networking/wget.c
index da8c44e18..bfadd742f 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -75,6 +75,9 @@
 //config:	  openssl is also a big binary, often dynamically linked
 //config:	  against ~15 libraries.
 //config:
+//config:	  By default TLS verification is performed, unless
+//config:	  --no-check-certificate option is passed.
+//config:
 //config:config FEATURE_WGET_SSL_HELPER
 //config:	bool "Try to connect to HTTPS using ssl_helper"
 //config:	default y
@@ -102,8 +105,11 @@
 //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
 //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
 //usage:       "	[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]\n"
+//usage:	IF_FEATURE_WGET_OPENSSL(
+//usage:       "	[--no-check-certificate]\n"
+//usage:	)
 /* Since we ignore these opts, we don't show them in --help */
-/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
 /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
 //usage:       "	[-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
 //usage:	)
@@ -115,7 +121,9 @@
 //usage:       "Retrieve files via HTTP or FTP\n"
 //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
 //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
-///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
+//usage:	IF_FEATURE_WGET_OPENSSL(
+//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
+//usage:	)
 //usage:	)
 //usage:     "\n	-c		Continue retrieval of aborted transfer"
 //usage:     "\n	-q		Quiet"
@@ -708,7 +716,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
 	pid = xvfork();
 	if (pid == 0) {
 		/* Child */
-		char *argv[8];
+		char *argv[9];
 
 		close(sp[0]);
 		xmove_fd(sp[1], 0);
@@ -735,6 +743,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
 			argv[5] = (char*)"-servername";
 			argv[6] = (char*)servername;
 		}
+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
+			argv[7] = (char*)"-verify_return_error";
+		}
 
 		BB_EXECVP(argv[0], argv);
 		xmove_fd(3, 2);