summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>2009-11-05 11:07:47 (EST)
committer pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>2009-11-05 11:07:47 (EST)
commit813388093465b8723394960bc8e489fa64bb1a85 (patch)
tree201df512f8e12e2472781f5c70bca0da2d27443b
parentf0fe187f841a29675317835723c3591b149fdeb1 (diff)
Some refactoring of pathfinder support
git-svn-id: http://opkg.googlecode.com/svn/trunk@263 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358
-rw-r--r--libopkg/opkg_conf.c7
-rw-r--r--libopkg/opkg_conf.h3
-rw-r--r--libopkg/opkg_download.c22
-rw-r--r--libopkg/opkg_pathfinder.c18
4 files changed, 33 insertions, 17 deletions
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index cfbdc5b..b6ca4a8 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -80,6 +80,9 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options)
{ "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
{ "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
#endif
+#if defined(HAVE_PATHFINDER)
+ { "check_x509_path", OPKG_OPT_TYPE_INT, &conf->check_x509_path },
+#endif
#if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
{ "ssl_engine", OPKG_OPT_TYPE_STRING, &conf->ssl_engine },
{ "ssl_cert", OPKG_OPT_TYPE_STRING, &conf->ssl_cert },
@@ -130,6 +133,10 @@ int opkg_conf_init(opkg_conf_t *conf, const args_t *args)
memset(conf, 0, sizeof(opkg_conf_t));
+#if defined(HAVE_PATHFINDER)
+ conf->check_x509_path = 1;
+#endif
+
pkg_src_list_init(&conf->pkg_src_list);
nv_pair_list_init(&tmp_dest_nv_pair_list);
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index ecfe9ea..a219c6c 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -90,6 +90,9 @@ struct opkg_conf
char *ssl_ca_path;
int ssl_dont_verify_peer;
#endif
+#ifdef HAVE_PATHFINDER
+ int check_x509_path;
+#endif
/* proxy options */
char *http_proxy;
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 0e67927..2d6d72c 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -419,11 +419,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
goto verify_file_end;
}
#if defined(HAVE_PATHFINDER)
- if(!pkcs7_pathfinder_verify_signers(p7)){
- opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
- "Path verification failed\n");
+ if(conf->check_x509_path){
+ if(!pkcs7_pathfinder_verify_signers(p7)){
+ opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+ "Path verification failed\n");
+ goto verify_file_end;
+ }
}
-
#endif
// Open the Package file to authenticate
@@ -609,13 +611,13 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
}else{
#ifdef HAVE_PATHFINDER
- if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
- opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
- }else{
- curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+ if(conf->check_x509_path){
+ if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+ opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+ }else{
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+ }
}
-
- //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
#endif
}
diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c
index 793c3a4..01912eb 100644
--- a/libopkg/opkg_pathfinder.c
+++ b/libopkg/opkg_pathfinder.c
@@ -20,13 +20,14 @@
#include <openssl/ssl.h>
#include <libpathfinder.h>
-#include "includes.h"
-#include "opkg_message.h"
#if defined(HAVE_SSLCURL)
#include <curl/curl.h>
#endif
+#include "includes.h"
+#include "opkg_message.h"
+
#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
/*
* This callback is called instead of X509_verify_cert to perform path
@@ -66,12 +67,11 @@ static int pathfinder_verify_callback(X509_STORE_CTX *ctx, void *arg)
}
#endif
-
#if defined(HAVE_OPENSSL)
int pkcs7_pathfinder_verify_signers(PKCS7* p7)
{
STACK_OF(X509) *signers;
- int i;
+ int i, ret = 1; /* signers are verified by default */
signers = PKCS7_get0_signers(p7, NULL, 0);
@@ -80,11 +80,15 @@ int pkcs7_pathfinder_verify_signers(PKCS7* p7)
.cert = sk_X509_value(signers, i),
};
- if(!pathfinder_verify_callback(&ctx, NULL))
- return 0;
+ if(!pathfinder_verify_callback(&ctx, NULL)){
+ /* Signer isn't verified ! goto jail; */
+ ret = 0;
+ break;
+ }
}
- return 1;
+ sk_X509_free(signers);
+ return ret;
}
#endif