From 00d9ca3aaa56c083cfbb051235f3bdcbe6c8c253 Mon Sep 17 00:00:00 2001
From: pixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>
Date: Thu, 05 Nov 2009 03:46:33 -0500
Subject: Add pathfinder support for certificate validation

  From http://code.google.com/p/pathfinder-pki/

       PathFinder is designed to provide a mechanism for any program to
       perform RFC3280-compliant path validation of X509 certificates,
       even when some of the intermediate certificates are not present
       on the local machine. By design, Pathfinder automatically
       downloads any such certificates from the Internet as needed using
       the AIA and CRL distribution point extensions of the certificates
       it is processing. It has the ability to do revocation status
       checking either using CRL or OCSP, or both. And, given the recent
       vulnerabilities that have rendered the MD5 algorithm highly
       suspect, it allows the administrator to choose to not validate
       certificates using that algorithm anywhere in the trust path.

git-svn-id: http://opkg.googlecode.com/svn/trunk@261 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358
---
(limited to 'libopkg/opkg_download.c')

diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 77dc8e4..0e67927 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -26,6 +26,7 @@
 #include <openssl/conf.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#include <openssl/ssl.h>
 #endif
 
 #if defined(HAVE_GPGME)
@@ -49,6 +50,10 @@
 #include "opkg_defines.h"
 #include "libbb/libbb.h"
 
+#ifdef HAVE_PATHFINDER
+#include "opkg_pathfinder.h"
+#endif
+
 #if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL)
 static void openssl_init(void);
 #endif
@@ -413,6 +418,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
                 "Can't read signature file (Corrupted ?)\n");
         goto verify_file_end;
     }
+#if defined(HAVE_PATHFINDER)
+    if(!pkcs7_pathfinder_verify_signers(p7)){
+	opkg_message(conf,  OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+		"Path verification failed\n");
+    }
+
+#endif
 
     // Open the Package file to authenticate
     if (!(indata = BIO_new_file(text_file, "rb"))){
@@ -595,6 +607,16 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data
 	     * CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10)
 	     */
 	    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+	}else{
+#ifdef HAVE_PATHFINDER
+	    if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+		opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+	    }else{
+		curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+	    }
+
+	    //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
+#endif
 	}
 
 	/* certification authority file and/or path */
--
cgit v0.9.1