summaryrefslogtreecommitdiffstats
path: root/libopkg
diff options
context:
space:
mode:
Diffstat (limited to 'libopkg')
-rw-r--r--libopkg/Makefile.am9
-rw-r--r--libopkg/opkg_download.c22
-rw-r--r--libopkg/opkg_pathfinder.c99
-rw-r--r--libopkg/opkg_pathfinder.h32
4 files changed, 159 insertions, 3 deletions
diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am
index 5aee171..067d867 100644
--- a/libopkg/Makefile.am
+++ b/libopkg/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS=-Wall -Werror -DHOST_CPU_STR=\"@host_cpu@\" -DBUILD_CPU=@build_cpu@ -DLIBDIR=\"@libdir@\" -DOPKGLIBDIR=\"@opkglibdir@\" -DOPKGETCDIR=\"@opkgetcdir@\" -DDATADIR=\"@datadir@\" -I$(top_srcdir) $(BIGENDIAN_CFLAGS) $(CURL_CFLAGS) $(GPGME_CFLAGS)
+AM_CFLAGS=-Wall -Werror -DHOST_CPU_STR=\"@host_cpu@\" -DBUILD_CPU=@build_cpu@ -DLIBDIR=\"@libdir@\" -DOPKGLIBDIR=\"@opkglibdir@\" -DOPKGETCDIR=\"@opkgetcdir@\" -DDATADIR=\"@datadir@\" -I$(top_srcdir) $(BIGENDIAN_CFLAGS) $(CURL_CFLAGS) $(GPGME_CFLAGS) $(PATHFINDER_CFLAGS)
libopkg_includedir=$(includedir)/libopkg
libopkg_include_HEADERS= opkg.h
@@ -29,7 +29,9 @@ opkg_list_sources = conffile.c conffile.h conffile_list.c conffile_list.h \
opkg_util_sources = file_util.c file_util.h opkg_message.h opkg_message.c md5.c md5.h \
sprintf_alloc.c sprintf_alloc.h str_util.c str_util.h \
xregex.c xregex.h xsystem.c xsystem.h
-
+if HAVE_PATHFINDER
+opkg_util_sources += opkg_pathfinder.c opkg_pathfinder.h
+endif
if HAVE_SHA256
opkg_util_sources += sha256.c sha256.h
endif
@@ -40,7 +42,8 @@ libopkg_la_SOURCES = \
$(opkg_cmd_sources) $(opkg_db_sources) \
$(opkg_util_sources) $(opkg_list_sources)
-libopkg_la_LIBADD = $(top_builddir)/libbb/libbb.la $(CURL_LIBS) $(GPGME_LIBS) $(OPENSSL_LIBS)
+libopkg_la_LIBADD = $(top_builddir)/libbb/libbb.la $(CURL_LIBS) $(GPGME_LIBS) $(OPENSSL_LIBS) $(PATHFINDER_LIBS)
+
# make sure we only export symbols that are for public use
libopkg_la_LDFLAGS = -export-symbols-regex "^opkg_.*"
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 77dc8e4..0e67927 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -26,6 +26,7 @@
#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/ssl.h>
#endif
#if defined(HAVE_GPGME)
@@ -49,6 +50,10 @@
#include "opkg_defines.h"
#include "libbb/libbb.h"
+#ifdef HAVE_PATHFINDER
+#include "opkg_pathfinder.h"
+#endif
+
#if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL)
static void openssl_init(void);
#endif
@@ -413,6 +418,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
"Can't read signature file (Corrupted ?)\n");
goto verify_file_end;
}
+#if defined(HAVE_PATHFINDER)
+ if(!pkcs7_pathfinder_verify_signers(p7)){
+ opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+ "Path verification failed\n");
+ }
+
+#endif
// Open the Package file to authenticate
if (!(indata = BIO_new_file(text_file, "rb"))){
@@ -595,6 +607,16 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data
* CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10)
*/
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+ }else{
+#ifdef HAVE_PATHFINDER
+ if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+ opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+ }else{
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+ }
+
+ //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
+#endif
}
/* certification authority file and/or path */
diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c
new file mode 100644
index 0000000..793c3a4
--- /dev/null
+++ b/libopkg/opkg_pathfinder.c
@@ -0,0 +1,99 @@
+/* vi: set noexpandtab sw=4 sts=4: */
+/* opkg_download.c - the opkg package management system
+
+ Carl D. Worth
+
+ Copyright (C) 2001 University of Southern California
+ Copyright (C) 2008 OpenMoko Inc
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 2, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+*/
+#include "config.h"
+
+#include <openssl/ssl.h>
+#include <libpathfinder.h>
+#include "includes.h"
+#include "opkg_message.h"
+
+#if defined(HAVE_SSLCURL)
+#include <curl/curl.h>
+#endif
+
+#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
+/*
+ * This callback is called instead of X509_verify_cert to perform path
+ * validation on a certificate using pathfinder.
+ *
+ */
+static int pathfinder_verify_callback(X509_STORE_CTX *ctx, void *arg)
+{
+ char *errmsg;
+ const char *hex = "0123456789ABCDEF";
+ size_t size = i2d_X509(ctx->cert, NULL);
+ unsigned char *keybuf, *iend;
+ iend = keybuf = malloc(size);
+ i2d_X509(ctx->cert, &iend);
+ char *certdata_str = malloc(size * 2 + 1);
+ unsigned char *cp = keybuf;
+ char *certdata_str_i = certdata_str;
+ while (cp < iend)
+ {
+ unsigned char ch = *cp++;
+ *certdata_str_i++ = hex[(ch >> 4) & 0xf];
+ *certdata_str_i++ = hex[ch & 0xf];
+ }
+ *certdata_str_i = 0;
+ free(keybuf);
+
+ const char *policy = "2.5.29.32.0"; // anyPolicy
+ int validated = pathfinder_dbus_verify(certdata_str, policy, 0, 0, &errmsg);
+
+ if (!validated)
+ fprintf(stderr, "curlcb_pathfinder: Path verification failed: %s", errmsg);
+
+ free(certdata_str);
+ free(errmsg);
+
+ return validated;
+}
+#endif
+
+
+#if defined(HAVE_OPENSSL)
+int pkcs7_pathfinder_verify_signers(PKCS7* p7)
+{
+ STACK_OF(X509) *signers;
+ int i;
+
+ signers = PKCS7_get0_signers(p7, NULL, 0);
+
+ for(i = 0; i < sk_X509_num(signers); i++){
+ X509_STORE_CTX ctx = {
+ .cert = sk_X509_value(signers, i),
+ };
+
+ if(!pathfinder_verify_callback(&ctx, NULL))
+ return 0;
+ }
+
+ return 1;
+}
+#endif
+
+#if defined(HAVE_SSLCURL)
+CURLcode curl_ssl_ctx_function(CURL * curl, void * sslctx, void * parm) {
+
+ SSL_CTX * ctx = (SSL_CTX *) sslctx;
+ SSL_CTX_set_cert_verify_callback(ctx, pathfinder_verify_callback, parm);
+
+ return CURLE_OK ;
+}
+#endif
diff --git a/libopkg/opkg_pathfinder.h b/libopkg/opkg_pathfinder.h
new file mode 100644
index 0000000..446d861
--- /dev/null
+++ b/libopkg/opkg_pathfinder.h
@@ -0,0 +1,32 @@
+/* opkg_download.h - the opkg package management system
+
+ Camille Moncelier <moncelier@devlife.org>
+
+ Copyright (C) 2009 Camille Moncelier
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 2, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+*/
+
+#ifndef OPKG_PATHFINDER_H
+#define OPKG_PATHFINDER_H
+
+#include "config.h"
+
+#if defined(HAVE_OPENSSL)
+int pkcs7_pathfinder_verify_signers(PKCS7* p7);
+#endif
+
+#if defined(HAVE_SSLCURL)
+CURLcode curl_ssl_ctx_function(CURL * curl, void * sslctx, void * parm);
+#endif
+
+
+#endif