Some refactoring of pathfinder support

git-svn-id: http://opkg.googlecode.com/svn/trunk@263 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358
author: pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> 2009-11-05 11:07:47 (EST)
committer: pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> 2009-11-05 11:07:47 (EST)
commit: 813388093465b8723394960bc8e489fa64bb1a85 (patch)
tree: 201df512f8e12e2472781f5c70bca0da2d27443b
parent: f0fe187f841a29675317835723c3591b149fdeb1 (diff)
4 files changed, 33 insertions, 17 deletions
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index cfbdc5b..b6ca4a8 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -80,6 +80,9 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options)
 	  { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
 	  { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
 #endif
+#if defined(HAVE_PATHFINDER)
+          { "check_x509_path", OPKG_OPT_TYPE_INT, &conf->check_x509_path }, 
+#endif
 #if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
           { "ssl_engine", OPKG_OPT_TYPE_STRING, &conf->ssl_engine },
           { "ssl_cert", OPKG_OPT_TYPE_STRING, &conf->ssl_cert },
@@ -130,6 +133,10 @@ int opkg_conf_init(opkg_conf_t *conf, const args_t *args)
 
      memset(conf, 0, sizeof(opkg_conf_t));
 
+#if defined(HAVE_PATHFINDER)
+     conf->check_x509_path = 1;
+#endif
+
      pkg_src_list_init(&conf->pkg_src_list);
 
      nv_pair_list_init(&tmp_dest_nv_pair_list);
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index ecfe9ea..a219c6c 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -90,6 +90,9 @@ struct opkg_conf
      char *ssl_ca_path;
      int ssl_dont_verify_peer;
 #endif
+#ifdef HAVE_PATHFINDER
+     int check_x509_path;
+#endif
 
      /* proxy options */
      char *http_proxy;
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 0e67927..2d6d72c 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -419,11 +419,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
         goto verify_file_end;
     }
 #if defined(HAVE_PATHFINDER)
-    if(!pkcs7_pathfinder_verify_signers(p7)){
-	opkg_message(conf,  OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
-		"Path verification failed\n");
+    if(conf->check_x509_path){
+	if(!pkcs7_pathfinder_verify_signers(p7)){
+	    opkg_message(conf,  OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+		    "Path verification failed\n");
+	    goto verify_file_end;
+	}
     }
-
 #endif
 
     // Open the Package file to authenticate
@@ -609,13 +611,13 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data
 	    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
 	}else{
 #ifdef HAVE_PATHFINDER
-	    if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
-		opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
-	    }else{
-		curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+	    if(conf->check_x509_path){
+    	        if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+		    opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+		}else{
+		    curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+		}
 	    }
-
-	    //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
 #endif
 	}
 
diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c
index 793c3a4..01912eb 100644
--- a/libopkg/opkg_pathfinder.c
+++ b/libopkg/opkg_pathfinder.c
@@ -20,13 +20,14 @@
 
 #include <openssl/ssl.h>
 #include <libpathfinder.h>
-#include "includes.h"
-#include "opkg_message.h"
 
 #if defined(HAVE_SSLCURL)
 #include <curl/curl.h>
 #endif
 
+#include "includes.h"
+#include "opkg_message.h"
+
 #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
 /*
  *      This callback is called instead of X509_verify_cert to perform path
@@ -66,12 +67,11 @@ static int pathfinder_verify_callback(X509_STORE_CTX *ctx, void *arg)
 }
 #endif
 
-
 #if defined(HAVE_OPENSSL)
 int pkcs7_pathfinder_verify_signers(PKCS7* p7)
 {
     STACK_OF(X509) *signers;
-    int i;
+    int i, ret = 1; /* signers are verified by default */
 
     signers = PKCS7_get0_signers(p7, NULL, 0);
 
@@ -80,11 +80,15 @@ int pkcs7_pathfinder_verify_signers(PKCS7* p7)
 	    .cert = sk_X509_value(signers, i),
 	};
 
-	if(!pathfinder_verify_callback(&ctx, NULL))
-	    return 0;
+	if(!pathfinder_verify_callback(&ctx, NULL)){
+	    /* Signer isn't verified ! goto jail; */
+	    ret = 0;
+	    break;
+	}
     }
 
-    return 1;
+    sk_X509_free(signers);
+    return ret;
 }
 #endif
author	pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>	2009-11-05 11:07:47 (EST)
committer	pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>	2009-11-05 11:07:47 (EST)
commit	813388093465b8723394960bc8e489fa64bb1a85 (patch)
tree	201df512f8e12e2472781f5c70bca0da2d27443b
parent	f0fe187f841a29675317835723c3591b149fdeb1 (diff)