{ "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
{ "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
#endif
+#if defined(HAVE_PATHFINDER)
+ { "check_x509_path", OPKG_OPT_TYPE_INT, &conf->check_x509_path },
+#endif
#if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
{ "ssl_engine", OPKG_OPT_TYPE_STRING, &conf->ssl_engine },
{ "ssl_cert", OPKG_OPT_TYPE_STRING, &conf->ssl_cert },
memset(conf, 0, sizeof(opkg_conf_t));
+#if defined(HAVE_PATHFINDER)
+ conf->check_x509_path = 1;
+#endif
+
pkg_src_list_init(&conf->pkg_src_list);
nv_pair_list_init(&tmp_dest_nv_pair_list);
char *ssl_ca_path;
int ssl_dont_verify_peer;
#endif
+#ifdef HAVE_PATHFINDER
+ int check_x509_path;
+#endif
/* proxy options */
char *http_proxy;
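Review bot: The new `check_x509_path` field carries no comment, unlike the `/* proxy options */` group right below it, so a reader of the struct cannot tell what the flag gates or what its default is; suggested line: `int check_x509_path; /* 1 (default): verify each signer's X.509 path with libpathfinder; 0: skip that check */`. The default of 1 is established by the `conf->check_x509_path = 1;` assignment in the init hunk above. The guard here is `#ifdef HAVE_PATHFINDER` while the option-table and init hunks use `#if defined(HAVE_PATHFINDER)`; either form works, but one spelling across the four sites would be easier to grep. The enclosing struct definition starts and ends outside this hunk.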
goto verify_file_end;
}
#if defined(HAVE_PATHFINDER)
- if(!pkcs7_pathfinder_verify_signers(p7)){
- opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
- "Path verification failed\n");
+ if(conf->check_x509_path){
+ if(!pkcs7_pathfinder_verify_signers(p7)){
+ opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+ "Path verification failed\n");
+ goto verify_file_end;
+ }
}
-
#endif
// Open the Package file to authenticate
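Review bot: When `conf->check_x509_path` is 0 the signer path check is skipped with no trace in the output, so a verification that was disabled by configuration is indistinguishable in the logs from one that passed; the same applies to the `if(conf->check_x509_path){` gate around `CURLOPT_SSL_CTX_FUNCTION` in the curl hunk below. An `else` branch such as `opkg_message(conf, OPKG_DEBUG, "check_x509_path disabled, skipping X.509 path verification\n");` would make the skip visible at debug level. The removed lines show the error message with no `goto` after it; if that reflects the pre-change code, the added `goto verify_file_end;` also turns a logged path failure into a hard failure, which is worth stating in the commit description. The enclosing verify function starts before this hunk.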
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
}else{
#ifdef HAVE_PATHFINDER
- if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
- opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
- }else{
- curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+ if(conf->check_x509_path){
+ if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+ opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+ }else{
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+ }
}
-
- //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
#endif
}
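Review bot: The retained `curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);` in the inner `else` passes the option's default value, so that branch is effectively a no-op and could be dropped or replaced by a comment saying no user data is needed by `curl_ssl_ctx_function`. When `check_x509_path` is 0 nothing in this branch touches `CURLOPT_SSL_VERIFYPEER`, so the transfer presumably falls back to libcurl's default chain verification rather than to no verification; a one-line comment to that effect, `/* path check disabled: rely on libcurl's default peer verification */`, would save the next reader from checking. The enclosing function starts before this hunk.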
#include <openssl/ssl.h>
#include <libpathfinder.h>
-#include "includes.h"
-#include "opkg_message.h"
#if defined(HAVE_SSLCURL)
#include <curl/curl.h>
#endif
+#include "includes.h"
+#include "opkg_message.h"
+
#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
/*
* This callback is called instead of X509_verify_cert to perform path
}
#endif
-
#if defined(HAVE_OPENSSL)
int pkcs7_pathfinder_verify_signers(PKCS7* p7)
{
STACK_OF(X509) *signers;
- int i;
+ int i, ret = 1; /* signers are verified by default */
signers = PKCS7_get0_signers(p7, NULL, 0);
.cert = sk_X509_value(signers, i),
};
- if(!pathfinder_verify_callback(&ctx, NULL))
- return 0;
+ if(!pathfinder_verify_callback(&ctx, NULL)){
+ /* Signer isn't verified ! goto jail; */
+ ret = 0;
+ break;
+ }
}
- return 1;
+ sk_X509_free(signers);
+ return ret;
}
#endif
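Review bot: Initialising `ret = 1` means any path that never enters the loop reports the signers as verified, including the case where `PKCS7_get0_signers(p7, NULL, 0)` returns NULL or an empty stack, since `sk_X509_num` on NULL or an empty stack yields no iterations and `sk_X509_free(NULL)` is a no-op. A PKCS#7 blob with no recoverable signer should fail, not pass: directly after the `signers =` line add `if (signers == NULL || sk_X509_num(signers) == 0) { sk_X509_free(signers); return 0; }`. The `sk_X509_free` itself is the right release for a `get0` stack (the stack is owned, the certificates are not). The `for` header that drives `i` lies between the two parts of this hunk and outside it, so the exact loop condition is inferred.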