summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2017-01-30 16:27:37 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2017-01-30 16:27:37 +0100
commit67f6db6b2768e9af44132b0a11fbadf15c330283 (patch)
tree92f517e4161239008659d7156e2846163656331c
parent35b54a3c247235b1bffe2a22784a1d5be10267f3 (diff)
wget: add a big explanation what TLS code implements and what does not
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--networking/wget.c33
-rw-r--r--shell/Config.src6
2 files changed, 36 insertions, 3 deletions
diff --git a/networking/wget.c b/networking/wget.c
index 90eedaf7a..252f94dc6 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -58,6 +58,39 @@
//config: On NOMMU machines, ssl_helper applet should be available
//config: in the $PATH for this to work. Make sure to select that applet.
//config:
+//config: Note: currently, TLS code only makes TLS I/O work, it
+//config: does *not* check that the peer is who it claims to be, etc.
+//config: IOW: it uses peer-supplied public keys to establish encryption
+//config: and signing keys, then encrypts and signs outgoing data and
+//config: decrypts incoming data.
+//config: It does not check signature hashes on the incoming data:
+//config: this means that attackers manipulating TCP packets can
+//config: send altered data and we unknowingly receive garbage.
+//config: (This check might be relatively easy to add).
+//config: It does not check public key's certificate:
+//config: this means that the peer may be an attacker impersonating
+//config: the server we think we are talking to.
+//config:
+//config: If you think this is unacceptable, consider this. As more and more
+//config: servers switch to HTTPS-only operation, without such "crippled"
+//config: TLS code it is *impossible* to simply download a kernel source
+//config: from kernel.org. Which can in real world translate into
+//config: "my small automatic tooling to build cross-compilers from sources
+//config: no longer works, I need to additionally keep a local copy
+//config: of ~4 megabyte source tarball of a SSL library and ~2 megabyte
+//config: source of wget, need to compile and built both before I can
+//config: download anything. All this despite the fact that the build
+//config: is done in a QEMU sandbox on a machine with absolutely nothing
+//config: worth stealing, so I don't care if someone would go to a lot
+//config: of trouble to intercept my HTTPS download to send me an altered
+//config: kernel tarball".
+//config:
+//config: If you still think this is unacceptable, send patches.
+//config:
+//config: If you still think this is unacceptable, do not want to send
+//config: patches, but do want to waste bandwidth expaining how wrong
+//config: it is, you will be ignored.
+//config:
//config:config FEATURE_WGET_OPENSSL
//config: bool "Try to connect to HTTPS using openssl"
//config: default y
diff --git a/shell/Config.src b/shell/Config.src
index 6a7e12aa7..ccb1b15fe 100644
--- a/shell/Config.src
+++ b/shell/Config.src
@@ -123,9 +123,9 @@ config FEATURE_SH_STANDALONE
This is implemented by re-execing /proc/self/exe (typically)
with right parameters.
- However, there are drawbacks: it is problematic in chroot jails without
- mounted /proc, and ps/top may show command name as 'exe' for applets
- started this way.
+ However, there are drawbacks: it is problematic in chroot jails
+ without mounted /proc, and ps/top may show command name as 'exe'
+ for applets started this way.
config FEATURE_SH_NOFORK
bool "Run 'nofork' applets directly"