| Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 1 | From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 |
| 2 | From: Jussi Kukkonen <jussi.kukkonen@intel.com> |
| 3 | Date: Thu, 9 Feb 2017 14:51:28 +0200 |
| 4 | Subject: [PATCH] curl: allow overriding default CA certificate file |
| 5 | |
| 6 | Similar to curl, --cacert can now be used in cve-check-tool and |
| 7 | cve-check-update to override the default CA certificate file. Useful |
| 8 | in cases where the system default is unsuitable (for example, |
| 9 | out-dated) or broken (as in OE's current native libcurl, which embeds |
| 10 | a path string from one build host and then uses it on another although |
| 11 | the right path may have become something different). |
| 12 | |
| 13 | Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] |
| 14 | |
| 15 | Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> |
| 16 | |
| 17 | |
| 18 | Took Patrick Ohlys original patch from meta-security-isafw, rebased |
| 19 | on top of other patches. |
| 20 | |
| 21 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> |
| 22 | --- |
| 23 | src/library/cve-check-tool.h | 1 + |
| 24 | src/library/fetch.c | 10 +++++++++- |
| 25 | src/library/fetch.h | 3 ++- |
| 26 | src/main.c | 5 ++++- |
| 27 | src/update-main.c | 4 +++- |
| 28 | src/update.c | 12 +++++++----- |
| 29 | src/update.h | 2 +- |
| 30 | 7 files changed, 27 insertions(+), 10 deletions(-) |
| 31 | |
| 32 | diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h |
| 33 | index e4bb5b1..f89eade 100644 |
| 34 | --- a/src/library/cve-check-tool.h |
| 35 | +++ b/src/library/cve-check-tool.h |
| 36 | @@ -43,6 +43,7 @@ typedef struct CveCheckTool { |
| 37 | bool bugs; /**<Whether bug tracking is enabled */ |
| 38 | GHashTable *mapping; /**<CVE Mapping */ |
| 39 | const char *output_file; /**<Output file, if any */ |
| 40 | + const char *cacert_file; /**<Non-default SSL certificate file, if any */ |
| 41 | } CveCheckTool; |
| 42 | |
| 43 | /** |
| 44 | diff --git a/src/library/fetch.c b/src/library/fetch.c |
| 45 | index 0fe6d76..8f998c3 100644 |
| 46 | --- a/src/library/fetch.c |
| 47 | +++ b/src/library/fetch.c |
| 48 | @@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow |
| 49 | } |
| 50 | |
| 51 | FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, |
| 52 | - unsigned int start_percent, unsigned int end_percent) |
| 53 | + unsigned int start_percent, unsigned int end_percent, |
| 54 | + const char *cacert_file) |
| 55 | { |
| 56 | FetchStatus ret = FETCH_STATUS_FAIL; |
| 57 | CURLcode res; |
| 58 | @@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, |
| 59 | return ret; |
| 60 | } |
| 61 | |
| 62 | + if (cacert_file) { |
| 63 | + res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file); |
| 64 | + if (res != CURLE_OK) { |
| 65 | + goto bail; |
| 66 | + } |
| 67 | + } |
| 68 | + |
| 69 | if (stat(target, &st) == 0) { |
| 70 | res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE); |
| 71 | if (res != CURLE_OK) { |
| 72 | diff --git a/src/library/fetch.h b/src/library/fetch.h |
| 73 | index 4cce5d1..836c7d7 100644 |
| 74 | --- a/src/library/fetch.h |
| 75 | +++ b/src/library/fetch.h |
| 76 | @@ -29,7 +29,8 @@ typedef enum { |
| 77 | * @return A FetchStatus, indicating the operation taken |
| 78 | */ |
| 79 | FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, |
| 80 | - unsigned int this_percent, unsigned int next_percent); |
| 81 | + unsigned int this_percent, unsigned int next_percent, |
| 82 | + const char *cacert_file); |
| 83 | |
| 84 | /** |
| 85 | * Attempt to extract the given gzipped file |
| 86 | diff --git a/src/main.c b/src/main.c |
| 87 | index 8e6f158..ae69d47 100644 |
| 88 | --- a/src/main.c |
| 89 | +++ b/src/main.c |
| 90 | @@ -280,6 +280,7 @@ static bool csv_mode = false; |
| 91 | static char *modified_stamp = NULL; |
| 92 | static gchar *mapping_file = NULL; |
| 93 | static gchar *output_file = NULL; |
| 94 | +static gchar *cacert_file = NULL; |
| 95 | |
| 96 | static GOptionEntry _entries[] = { |
| 97 | { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL }, |
| 98 | @@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { |
| 99 | { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL }, |
| 100 | { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL}, |
| 101 | { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL}, |
| 102 | + { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, |
| 103 | { .short_name = 0 } |
| 104 | }; |
| 105 | |
| 106 | @@ -492,6 +494,7 @@ int main(int argc, char **argv) |
| 107 | |
| 108 | quiet = csv_mode || !no_html; |
| 109 | self->output_file = output_file; |
| 110 | + self->cacert_file = cacert_file; |
| 111 | |
| 112 | if (!csv_mode && self->output_file) { |
| 113 | quiet = false; |
| 114 | @@ -530,7 +533,7 @@ int main(int argc, char **argv) |
| 115 | if (status) { |
| 116 | fprintf(stderr, "Update of db forced\n"); |
| 117 | cve_db_unlock(); |
| 118 | - if (!update_db(quiet, db_path->str)) { |
| 119 | + if (!update_db(quiet, db_path->str, self->cacert_file)) { |
| 120 | fprintf(stderr, "DB update failure\n"); |
| 121 | goto cleanup; |
| 122 | } |
| 123 | diff --git a/src/update-main.c b/src/update-main.c |
| 124 | index 2379cfa..c52d9d0 100644 |
| 125 | --- a/src/update-main.c |
| 126 | +++ b/src/update-main.c |
| 127 | @@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ |
| 128 | static gchar *nvds = NULL; |
| 129 | static bool _show_version = false; |
| 130 | static bool _quiet = false; |
| 131 | +static const char *_cacert_file = NULL; |
| 132 | |
| 133 | static GOptionEntry _entries[] = { |
| 134 | { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, |
| 135 | { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, |
| 136 | { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, |
| 137 | + { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, |
| 138 | { .short_name = 0 } |
| 139 | }; |
| 140 | |
| 141 | @@ -88,7 +90,7 @@ int main(int argc, char **argv) |
| 142 | goto end; |
| 143 | } |
| 144 | |
| 145 | - if (update_db(_quiet, db_path->str)) { |
| 146 | + if (update_db(_quiet, db_path->str, _cacert_file)) { |
| 147 | ret = EXIT_SUCCESS; |
| 148 | } else { |
| 149 | fprintf(stderr, "Failed to update database\n"); |
| 150 | diff --git a/src/update.c b/src/update.c |
| 151 | index 070560a..8cb4a39 100644 |
| 152 | --- a/src/update.c |
| 153 | +++ b/src/update.c |
| 154 | @@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) |
| 155 | |
| 156 | static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, |
| 157 | bool db_exist, bool verbose, |
| 158 | - unsigned int this_percent, unsigned int next_percent) |
| 159 | + unsigned int this_percent, unsigned int next_percent, |
| 160 | + const char *cacert_file) |
| 161 | { |
| 162 | const char nvd_uri[] = URI_PREFIX; |
| 163 | autofree(cve_string) *uri_meta = NULL; |
| 164 | @@ -331,14 +332,14 @@ refetch: |
| 165 | } |
| 166 | |
| 167 | /* Fetch NVD META file */ |
| 168 | - st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); |
| 169 | + st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); |
| 170 | if (st == FETCH_STATUS_FAIL) { |
| 171 | fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); |
| 172 | return -1; |
| 173 | } |
| 174 | |
| 175 | /* Fetch NVD XML file */ |
| 176 | - st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); |
| 177 | + st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); |
| 178 | switch (st) { |
| 179 | case FETCH_STATUS_FAIL: |
| 180 | fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); |
| 181 | @@ -391,7 +392,7 @@ refetch: |
| 182 | return 0; |
| 183 | } |
| 184 | |
| 185 | -bool update_db(bool quiet, const char *db_file) |
| 186 | +bool update_db(bool quiet, const char *db_file, const char *cacert_file) |
| 187 | { |
| 188 | autofree(char) *db_dir = NULL; |
| 189 | autofree(CveDB) *cve_db = NULL; |
| 190 | @@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) |
| 191 | if (!quiet) |
| 192 | fprintf(stderr, "completed: %u%%\r", start_percent); |
| 193 | rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, |
| 194 | - start_percent, end_percent); |
| 195 | + start_percent, end_percent, |
| 196 | + cacert_file); |
| 197 | switch (rc) { |
| 198 | case 0: |
| 199 | if (!quiet) |
| 200 | diff --git a/src/update.h b/src/update.h |
| 201 | index b8e9911..ceea0c3 100644 |
| 202 | --- a/src/update.h |
| 203 | +++ b/src/update.h |
| 204 | @@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); |
| 205 | |
| 206 | int update_required(const char *db_file); |
| 207 | |
| 208 | -bool update_db(bool quiet, const char *db_file); |
| 209 | +bool update_db(bool quiet, const char *db_file, const char *cacert_file); |
| 210 | |
| 211 | |
| 212 | /* |
| 213 | -- |
| 214 | 2.1.4 |
| 215 | |