{"signature_ca_file", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_file},
{"signature_ca_path", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_path},
#endif
-#if defined(HAVE_PATHFINDER)
- {"check_x509_path", OPKG_OPT_TYPE_BOOL, &_conf.check_x509_path},
-#endif
#if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
{"ssl_engine", OPKG_OPT_TYPE_STRING, &_conf.ssl_engine},
{"ssl_cert", OPKG_OPT_TYPE_STRING, &_conf.ssl_cert},
conf->restrict_to_default_dest = 0;
conf->default_dest = NULL;
-#if defined(HAVE_PATHFINDER)
- conf->check_x509_path = 1;
-#endif
if (!conf->offline_root)
conf->offline_root = xstrdup(getenv("OFFLINE_ROOT"));
#include <openssl/hmac.h>
#endif
-#ifdef HAVE_PATHFINDER
-#include "opkg_pathfinder.h"
-#endif
-
#if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL)
static void openssl_init(void);
#endif
sig_file);
goto verify_file_end;
}
-#if defined(HAVE_PATHFINDER)
- if (conf->check_x509_path) {
- if (!pkcs7_pathfinder_verify_signers(p7)) {
- opkg_msg(ERROR, "pkcs7_pathfinder_verify_signers: "
- "Path verification failed.\n");
- goto verify_file_end;
- }
- }
-#endif
// Open the Package file to authenticate
if (!(indata = BIO_new_file(text_file, "rb"))) {
* CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10)
*/
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
- } else {
-#ifdef HAVE_PATHFINDER
- if (conf->check_x509_path) {
- if (curl_easy_setopt
- (curl, CURLOPT_SSL_CTX_FUNCTION,
- curl_ssl_ctx_function) != CURLE_OK) {
- opkg_msg(DEBUG,
- "Failed to set ssl path verification callback.\n");
- } else {
- curl_easy_setopt(curl,
- CURLOPT_SSL_CTX_DATA,
- NULL);
- }
- }
-#endif
}
/* certification authority file and/or path */
+++ /dev/null
-/* vi: set noexpandtab sw=4 sts=4: */
-/* opkg_pathfinder.c - the opkg package management system
-
- Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#include <openssl/ssl.h>
-#include <libpathfinder.h>
-#include <stdlib.h>
-#if defined(HAVE_SSLCURL)
-#include <curl/curl.h>
-#endif
-
-#include "libbb/libbb.h"
-#include "opkg_message.h"
-
-#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
-/*
- * This callback is called instead of X509_verify_cert to perform path
- * validation on a certificate using pathfinder.
- *
- */
-static int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg)
-{
- char *errmsg;
- const char *hex = "0123456789ABCDEF";
- size_t size = i2d_X509(ctx->cert, NULL);
- unsigned char *keybuf, *iend;
- iend = keybuf = xmalloc(size);
- i2d_X509(ctx->cert, &iend);
- char *certdata_str = xmalloc(size * 2 + 1);
- unsigned char *cp = keybuf;
- char *certdata_str_i = certdata_str;
- while (cp < iend) {
- unsigned char ch = *cp++;
- *certdata_str_i++ = hex[(ch >> 4) & 0xf];
- *certdata_str_i++ = hex[ch & 0xf];
- }
- *certdata_str_i = 0;
- free(keybuf);
-
- const char *policy = "2.5.29.32.0"; // anyPolicy
- int validated =
- pathfinder_dbus_verify(certdata_str, policy, 0, 0, &errmsg);
-
- if (!validated)
- opkg_msg(ERROR, "Path verification failed: %s.\n", errmsg);
-
- free(certdata_str);
- free(errmsg);
-
- return validated;
-}
-#endif
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7)
-{
- STACK_OF(X509) * signers;
- int i, ret = 1; /* signers are verified by default */
-
- signers = PKCS7_get0_signers(p7, NULL, 0);
-
- for (i = 0; i < sk_X509_num(signers); i++) {
- X509_STORE_CTX ctx = {
- .cert = sk_X509_value(signers, i),
- };
-
- if (!pathfinder_verify_callback(&ctx, NULL)) {
- /* Signer isn't verified ! goto jail; */
- ret = 0;
- break;
- }
- }
-
- sk_X509_free(signers);
- return ret;
-}
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm)
-{
-
- SSL_CTX *ctx = (SSL_CTX *) sslctx;
- SSL_CTX_set_cert_verify_callback(ctx, pathfinder_verify_callback, parm);
-
- return CURLE_OK;
-}
-#endif
+++ /dev/null
-/* opkg_pathfinder.h - the opkg package management system
-
- Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#ifndef OPKG_PATHFINDER_H
-#define OPKG_PATHFINDER_H
-
-#include "config.h"
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7);
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm);
-#endif
-
-#endif
projects / oweals / opkg-lede.git / commitdiff