From 813388093465b8723394960bc8e489fa64bb1a85 Mon Sep 17 00:00:00 2001 From: pixdamix Date: Thu, 5 Nov 2009 16:07:47 +0000 Subject: [PATCH] Some refactoring of pathfinder support git-svn-id: http://opkg.googlecode.com/svn/trunk@263 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358 --- libopkg/opkg_conf.c | 7 +++++++ libopkg/opkg_conf.h | 3 +++ libopkg/opkg_download.c | 22 ++++++++++++---------- libopkg/opkg_pathfinder.c | 18 +++++++++++------- 4 files changed, 33 insertions(+), 17 deletions(-) diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c index cfbdc5b..b6ca4a8 100644 --- a/libopkg/opkg_conf.c +++ b/libopkg/opkg_conf.c @@ -80,6 +80,9 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options) { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file }, { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path }, #endif +#if defined(HAVE_PATHFINDER) + { "check_x509_path", OPKG_OPT_TYPE_INT, &conf->check_x509_path }, +#endif #if defined(HAVE_SSLCURL) && defined(HAVE_CURL) { "ssl_engine", OPKG_OPT_TYPE_STRING, &conf->ssl_engine }, { "ssl_cert", OPKG_OPT_TYPE_STRING, &conf->ssl_cert }, @@ -130,6 +133,10 @@ int opkg_conf_init(opkg_conf_t *conf, const args_t *args) memset(conf, 0, sizeof(opkg_conf_t)); +#if defined(HAVE_PATHFINDER) + conf->check_x509_path = 1; +#endif + pkg_src_list_init(&conf->pkg_src_list); nv_pair_list_init(&tmp_dest_nv_pair_list); diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h index ecfe9ea..a219c6c 100644 --- a/libopkg/opkg_conf.h +++ b/libopkg/opkg_conf.h @@ -90,6 +90,9 @@ struct opkg_conf char *ssl_ca_path; int ssl_dont_verify_peer; #endif +#ifdef HAVE_PATHFINDER + int check_x509_path; +#endif /* proxy options */ char *http_proxy; diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index 0e67927..2d6d72c 100644 --- a/libopkg/opkg_download.c +++ b/libopkg/opkg_download.c @@ -419,11 +419,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) goto verify_file_end; } #if defined(HAVE_PATHFINDER) - if(!pkcs7_pathfinder_verify_signers(p7)){ - opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: " - "Path verification failed\n"); + if(conf->check_x509_path){ + if(!pkcs7_pathfinder_verify_signers(p7)){ + opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: " + "Path verification failed\n"); + goto verify_file_end; + } } - #endif // Open the Package file to authenticate @@ -609,13 +611,13 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); }else{ #ifdef HAVE_PATHFINDER - if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){ - opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n"); - }else{ - curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL); + if(conf->check_x509_path){ + if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){ + opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n"); + }else{ + curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL); + } } - - //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder); #endif } diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c index 793c3a4..01912eb 100644 --- a/libopkg/opkg_pathfinder.c +++ b/libopkg/opkg_pathfinder.c @@ -20,13 +20,14 @@ #include #include -#include "includes.h" -#include "opkg_message.h" #if defined(HAVE_SSLCURL) #include #endif +#include "includes.h" +#include "opkg_message.h" + #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL) /* * This callback is called instead of X509_verify_cert to perform path @@ -66,12 +67,11 @@ static int pathfinder_verify_callback(X509_STORE_CTX *ctx, void *arg) } #endif - #if defined(HAVE_OPENSSL) int pkcs7_pathfinder_verify_signers(PKCS7* p7) { STACK_OF(X509) *signers; - int i; + int i, ret = 1; /* signers are verified by default */ signers = PKCS7_get0_signers(p7, NULL, 0); @@ -80,11 +80,15 @@ int pkcs7_pathfinder_verify_signers(PKCS7* p7) .cert = sk_X509_value(signers, i), }; - if(!pathfinder_verify_callback(&ctx, NULL)) - return 0; + if(!pathfinder_verify_callback(&ctx, NULL)){ + /* Signer isn't verified ! goto jail; */ + ret = 0; + break; + } } - return 1; + sk_X509_free(signers); + return ret; } #endif -- 2.25.1