Some refactoring of pathfinder support
authorpixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>
Thu, 5 Nov 2009 16:07:47 +0000 (16:07 +0000)
committerpixdamix <pixdamix@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>
Thu, 5 Nov 2009 16:07:47 +0000 (16:07 +0000)
git-svn-id: http://opkg.googlecode.com/svn/trunk@263 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358

libopkg/opkg_conf.c
libopkg/opkg_conf.h
libopkg/opkg_download.c
libopkg/opkg_pathfinder.c

index cfbdc5b..b6ca4a8 100644 (file)
@@ -80,6 +80,9 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options)
          { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
          { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
 #endif
+#if defined(HAVE_PATHFINDER)
+          { "check_x509_path", OPKG_OPT_TYPE_INT, &conf->check_x509_path }, 
+#endif
 #if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
           { "ssl_engine", OPKG_OPT_TYPE_STRING, &conf->ssl_engine },
           { "ssl_cert", OPKG_OPT_TYPE_STRING, &conf->ssl_cert },
@@ -130,6 +133,10 @@ int opkg_conf_init(opkg_conf_t *conf, const args_t *args)
 
      memset(conf, 0, sizeof(opkg_conf_t));
 
+#if defined(HAVE_PATHFINDER)
+     conf->check_x509_path = 1;
+#endif
+
      pkg_src_list_init(&conf->pkg_src_list);
 
      nv_pair_list_init(&tmp_dest_nv_pair_list);
index ecfe9ea..a219c6c 100644 (file)
@@ -90,6 +90,9 @@ struct opkg_conf
      char *ssl_ca_path;
      int ssl_dont_verify_peer;
 #endif
+#ifdef HAVE_PATHFINDER
+     int check_x509_path;
+#endif
 
      /* proxy options */
      char *http_proxy;
index 0e67927..2d6d72c 100644 (file)
@@ -419,11 +419,13 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
         goto verify_file_end;
     }
 #if defined(HAVE_PATHFINDER)
-    if(!pkcs7_pathfinder_verify_signers(p7)){
-       opkg_message(conf,  OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
-               "Path verification failed\n");
+    if(conf->check_x509_path){
+       if(!pkcs7_pathfinder_verify_signers(p7)){
+           opkg_message(conf,  OPKG_ERROR, "pkcs7_pathfinder_verify_signers: "
+                   "Path verification failed\n");
+           goto verify_file_end;
+       }
     }
-
 #endif
 
     // Open the Package file to authenticate
@@ -609,13 +611,13 @@ static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
        }else{
 #ifdef HAVE_PATHFINDER
-           if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
-               opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
-           }else{
-               curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+           if(conf->check_x509_path){
+               if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){
+                   opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n");
+               }else{
+                   curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+               }
            }
-
-           //curl_easy_setopt(curl, CURLOPT_SSL_CERT_VERIFY_FUNCTION, curlcb_pathfinder);
 #endif
        }
 
index 793c3a4..01912eb 100644 (file)
 
 #include <openssl/ssl.h>
 #include <libpathfinder.h>
-#include "includes.h"
-#include "opkg_message.h"
 
 #if defined(HAVE_SSLCURL)
 #include <curl/curl.h>
 #endif
 
+#include "includes.h"
+#include "opkg_message.h"
+
 #if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
 /*
  *      This callback is called instead of X509_verify_cert to perform path
@@ -66,12 +67,11 @@ static int pathfinder_verify_callback(X509_STORE_CTX *ctx, void *arg)
 }
 #endif
 
-
 #if defined(HAVE_OPENSSL)
 int pkcs7_pathfinder_verify_signers(PKCS7* p7)
 {
     STACK_OF(X509) *signers;
-    int i;
+    int i, ret = 1; /* signers are verified by default */
 
     signers = PKCS7_get0_signers(p7, NULL, 0);
 
@@ -80,11 +80,15 @@ int pkcs7_pathfinder_verify_signers(PKCS7* p7)
            .cert = sk_X509_value(signers, i),
        };
 
-       if(!pathfinder_verify_callback(&ctx, NULL))
-           return 0;
+       if(!pathfinder_verify_callback(&ctx, NULL)){
+           /* Signer isn't verified ! goto jail; */
+           ret = 0;
+           break;
+       }
     }
 
-    return 1;
+    sk_X509_free(signers);
+    return ret;
 }
 #endif