[Toybox] [PATCH] wget: add TLS support

Eric Molitor emolitor at molitor.org
Mon Oct 18 02:22:22 PDT 2021


Updated patch including make.sh.

On Alpine, to build, install libretls-dev, which should pull in the
dependencies. For my embedded builds I manually build BearSSL and
https://github.com/michaelforney/libtls-bearssl, adding appropriate -L flags
in LDFLAGS. I've also tested that it works with libtls+libressl. The
existing wget toy is broken in a few ways in how it handles the HTTP
protocol; as an example, github won't work. I'll refactor how the toy handles
headers to fix that in the near future.

Rob, do you still prefer email patches? I can also push these to github if
you so desire, but this patch is based on your local git so it should cleanly
apply.

- Eric

On Sun, Oct 17, 2021 at 8:48 PM Eric Molitor <emolitor at molitor.org> wrote:

> Let me take a look at signify. I'll also send the missing part of the patch
> with -ltls shortly.
>
> Alpine has libtls, either the openssl port in the libretls package or the
> original openbsd libressl-tls. For my embedded stuff I'm statically linking
> BearSSL and https://github.com/michaelforney/libtls-bearssl
>
> I've not looked at Denny's implementation. But will take a peek at what he
> is doing.
>
> And yes, this violates the library policy, although I'd rather leverage a
> relatively known good TLS rather than implement a new one. This is
> definitely me scratching an itch that might not be worth integrating for
> everyone.
>
> - Eric
>
> On Sun, 17 Oct 2021, 8:04 pm Rob Landley, <rob at landley.net> wrote:
>
>> On 10/17/21 8:44 AM, Eric Molitor wrote:
>> > Attached is a relatively quick and certainly dirty patch to wget adding TLS
>> > support via libtls.
>>
>>
>> https://landley.net/toybox/design.html#:~:text=policy%20on%20shared%20libraries
>>
>> > I threw this together on a plane but it's working reasonably
>> > well for me allowing me to remove Curl/libcurl on a few projects. I will submit
>> > further patches to clean up this toy as it's in pretty dire shape.
>>
>> Which of the libraries in make.sh contained the https stuff? You didn't add
>> anything to:
>>
>>   for i in util crypt m resolv rt selinux smack attr crypto z log iconv
>>
>> And yet it built for you? I haven't even got a tls.h in my /usr/include (except
>> the linux/ one), presumably I need to install a -dev for that.
>>
>> > When statically building with bearssl and libtls-bearssl this adds about 175K
>> > which isn't too bad for a TLS 1.1/1.2 implementation.
>>
>> According to make baseline/bloatcheck the one Denys Vlasenko implemented in
>> busybox (CONFIG_FEATURE_WGET_HTTPS) is 22,564 bytes on x86-64. It's the
>> networking/tls* code.
>>
>> > Building with libressl's
>> > tls implementation expands this by about 400K but also gets you TLS 1.3 support.
>> > By default only TLS 1.1 and 1.2 are enabled. I'll add another configuration
>> > option to enable TLS 1.3.
>> >
>> > Feedback greatly appreciated.
>>
>> I haven't looked at Denys' implementation closely to see what he's done. I
>> downloaded BearSSL, matrixssl, and Rich Felker pointed me at a library called
>> signify (https://github.com/aperezdc/signify) for when I get around to this todo
>> item, but I'm really trying to get through the shell first.
>>
>> > - Eric
>>
>> Rob
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wget-tls.patch
Type: application/octet-stream
Size: 7177 bytes
Desc: not available
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20211018/890c867e/attachment-0003.obj>