diff options
| author | pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> | 2009-11-05 03:46:33 (EST) |
|---|---|---|
| committer | pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358> | 2009-11-05 03:46:33 (EST) |
| commit | 00d9ca3aaa56c083cfbb051235f3bdcbe6c8c253 (patch) | |
| tree | 35f945f01329ccb860f33f81a494eb17c9eed549 /libopkg/opkg_download.c | |
| parent | af66c658642635a3c951bb0ee130e40e7f084fd9 (diff) | |
Add pathfinder support for certificate validation
From http://code.google.com/p/pathfinder-pki/
PathFinder is designed to provide a mechanism for any program to
perform RFC3280-compliant path validation of X509 certificates,
even when some of the intermediate certificates are not present
on the local machine. By design, Pathfinder automatically
downloads any such certificates from the Internet as needed using
the AIA and CRL distribution point extensions of the certificates
it is processing. It has the ability to do revocation status
checking either using CRL or OCSP, or both. And, given the recent
vulnerabilities that have rendered the MD5 algorithm highly
suspect, it allows the administrator to choose to not validate
certificates using that algorithm anywhere in the trust path.
git-svn-id: http://opkg.googlecode.com/svn/trunk@261 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358
Diffstat (limited to 'libopkg/opkg_download.c')
| -rw-r--r-- | libopkg/opkg_download.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index 77dc8e4..0e67927 100644 --- a/libopkg/opkg_download.c +++ b/libopkg/opkg_download.c @@ -26,6 +26,7 @@ #include <openssl/conf.h> #include <openssl/evp.h> #include <openssl/err.h> +#include <openssl/ssl.h> #endif #if defined(HAVE_GPGME) @@ -49,6 +50,10 @@ #include "opkg_defines.h" #include "libbb/libbb.h" +#ifdef HAVE_PATHFINDER +#include "opkg_pathfinder.h" +#endif + #if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL) static void openssl_init(void); #endif @@ -413,6 +418,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) "Can't read signature file (Corrupted ?)\n"); goto verify_file_end; } +#if defined(HAVE_PATHFINDER) + if(!pkcs7_pathfinder_verify_signers(p7)){ + opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: " + "Path verification failed\n"); + } + +#endif // Open the Package file to authenticate if (!(indata = BIO_new_file(text_file, "rb"))){ @@ -595,6 +607,16 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data * CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10) */ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + }else{ +#ifdef HAVE_PATHFINDER + if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){ + opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n"); + }else{ + curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL); + } + + //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder); +#endif } /* certification authority file and/or path */ |