authorJussi Kukkonen <jussi.kukkonen@intel.com>2017-02-09 21:38:33 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-02-15 09:29:56 -0800
commitd887c24d5af0f570a259985fa99af5c56158fcfa (patch)
treeae5d59972c956d573f5795615d29ba22b3b0e204 /meta
parentea616d122676e7d5bbf606b7dbfa8f62c63d4a27 (diff)
downloadpoky-d887c24d5af0f570a259985fa99af5c56158fcfa.tar.gz
cve-check-tool: Use CA cert bundle in correct sysroot
Native libcurl looks for CA certs in the wrong place by default. * Add patch that allows overriding the default CA certificate location. Patch is originally from meta-security-isafw. * Use the new --cacert to set the correct CA bundle path (From OE-Core rev: 73bd11d5190a072064128cc13b4537154d07b129) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb4
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch215
2 files changed, 218 insertions, 1 deletions
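--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
 SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
 file://check-for-malloc_trim-before-using-it.patch \
 file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
+file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
 "
 
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
@@ -39,7 +40,8 @@ do_populate_cve_db() {
 [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
 
 bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-if cve-check-update -d "$cve_dir" ; then
+# --cacert works around curl-native not finding the CA bundle
+if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
 printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
 else
 bbwarn "Error in executing cve-check-update"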
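Review bot: The new `--cacert` argument hard-codes `${sysconfdir}/ssl/certs/ca-certificates.crt`, which makes do_populate_cve_db depend on a ca-certificates bundle being staged in that sysroot, and nothing in this hunk adds such a dependency (it may already exist outside the hunk). If the bundle is missing, cve-check-update fails and the only signal is the existing `bbwarn`, so the CVE database silently stays stale while later checks keep reporting against the old data. The expansion is also unquoted, unlike `"$cve_dir"` on the same line; `if cve-check-update --cacert "${sysconfdir}/ssl/certs/ca-certificates.crt" -d "$cve_dir" ; then` keeps the two consistent. do_populate_cve_db continues outside the hunk.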
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
new file mode 100644
index 0000000000..3d8ebd1bd2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
@@ -0,0 +1,215 @@
1From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
2From: Jussi Kukkonen <jussi.kukkonen@intel.com>
3Date: Thu, 9 Feb 2017 14:51:28 +0200
4Subject: [PATCH] curl: allow overriding default CA certificate file
5
6Similar to curl, --cacert can now be used in cve-check-tool and
7cve-check-update to override the default CA certificate file. Useful
8in cases where the system default is unsuitable (for example,
9out-dated) or broken (as in OE's current native libcurl, which embeds
10a path string from one build host and then uses it on another although
11the right path may have become something different).
12
13Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
14
15Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
16
17
18Took Patrick Ohlys original patch from meta-security-isafw, rebased
19on top of other patches.
20
21Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
22---
23 src/library/cve-check-tool.h | 1 +
24 src/library/fetch.c | 10 +++++++++-
25 src/library/fetch.h | 3 ++-
26 src/main.c | 5 ++++-
27 src/update-main.c | 4 +++-
28 src/update.c | 12 +++++++-----
29 src/update.h | 2 +-
30 7 files changed, 27 insertions(+), 10 deletions(-)
31
32diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
33index e4bb5b1..f89eade 100644
34--- a/src/library/cve-check-tool.h
35+++ b/src/library/cve-check-tool.h
36@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
37 bool bugs; /**<Whether bug tracking is enabled */
38 GHashTable *mapping; /**<CVE Mapping */
39 const char *output_file; /**<Output file, if any */
40+ const char *cacert_file; /**<Non-default SSL certificate file, if any */
41 } CveCheckTool;
42
43 /**
44diff --git a/src/library/fetch.c b/src/library/fetch.c
45index 0fe6d76..8f998c3 100644
46--- a/src/library/fetch.c
47+++ b/src/library/fetch.c
48@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
49 }
50
51 FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
52- unsigned int start_percent, unsigned int end_percent)
53+ unsigned int start_percent, unsigned int end_percent,
54+ const char *cacert_file)
55 {
56 FetchStatus ret = FETCH_STATUS_FAIL;
57 CURLcode res;
58@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
59 return ret;
60 }
61
62+ if (cacert_file) {
63+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
64+ if (res != CURLE_OK) {
65+ goto bail;
66+ }
67+ }
68+
69 if (stat(target, &st) == 0) {
70 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
71 if (res != CURLE_OK) {
72diff --git a/src/library/fetch.h b/src/library/fetch.h
73index 4cce5d1..836c7d7 100644
74--- a/src/library/fetch.h
75+++ b/src/library/fetch.h
76@@ -29,7 +29,8 @@ typedef enum {
77 * @return A FetchStatus, indicating the operation taken
78 */
79 FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
80- unsigned int this_percent, unsigned int next_percent);
81+ unsigned int this_percent, unsigned int next_percent,
82+ const char *cacert_file);
83
84 /**
85 * Attempt to extract the given gzipped file
86diff --git a/src/main.c b/src/main.c
87index 8e6f158..ae69d47 100644
88--- a/src/main.c
89+++ b/src/main.c
90@@ -280,6 +280,7 @@ static bool csv_mode = false;
91 static char *modified_stamp = NULL;
92 static gchar *mapping_file = NULL;
93 static gchar *output_file = NULL;
94+static gchar *cacert_file = NULL;
95
96 static GOptionEntry _entries[] = {
97 { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
98@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
99 { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
100 { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
101 { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
102+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
103 { .short_name = 0 }
104 };
105
106@@ -492,6 +494,7 @@ int main(int argc, char **argv)
107
108 quiet = csv_mode || !no_html;
109 self->output_file = output_file;
110+ self->cacert_file = cacert_file;
111
112 if (!csv_mode && self->output_file) {
113 quiet = false;
114@@ -530,7 +533,7 @@ int main(int argc, char **argv)
115 if (status) {
116 fprintf(stderr, "Update of db forced\n");
117 cve_db_unlock();
118- if (!update_db(quiet, db_path->str)) {
119+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
120 fprintf(stderr, "DB update failure\n");
121 goto cleanup;
122 }
123diff --git a/src/update-main.c b/src/update-main.c
124index 2379cfa..c52d9d0 100644
125--- a/src/update-main.c
126+++ b/src/update-main.c
127@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
128 static gchar *nvds = NULL;
129 static bool _show_version = false;
130 static bool _quiet = false;
131+static const char *_cacert_file = NULL;
132
133 static GOptionEntry _entries[] = {
134 { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
135 { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
136 { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
137+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
138 { .short_name = 0 }
139 };
140
141@@ -88,7 +90,7 @@ int main(int argc, char **argv)
142 goto end;
143 }
144
145- if (update_db(_quiet, db_path->str)) {
146+ if (update_db(_quiet, db_path->str, _cacert_file)) {
147 ret = EXIT_SUCCESS;
148 } else {
149 fprintf(stderr, "Failed to update database\n");
150diff --git a/src/update.c b/src/update.c
151index 070560a..8cb4a39 100644
152--- a/src/update.c
153+++ b/src/update.c
154@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
155
156 static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
157 bool db_exist, bool verbose,
158- unsigned int this_percent, unsigned int next_percent)
159+ unsigned int this_percent, unsigned int next_percent,
160+ const char *cacert_file)
161 {
162 const char nvd_uri[] = URI_PREFIX;
163 autofree(cve_string) *uri_meta = NULL;
164@@ -331,14 +332,14 @@ refetch:
165 }
166
167 /* Fetch NVD META file */
168- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
169+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
170 if (st == FETCH_STATUS_FAIL) {
171 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
172 return -1;
173 }
174
175 /* Fetch NVD XML file */
176- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
177+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
178 switch (st) {
179 case FETCH_STATUS_FAIL:
180 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
181@@ -391,7 +392,7 @@ refetch:
182 return 0;
183 }
184
185-bool update_db(bool quiet, const char *db_file)
186+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
187 {
188 autofree(char) *db_dir = NULL;
189 autofree(CveDB) *cve_db = NULL;
190@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
191 if (!quiet)
192 fprintf(stderr, "completed: %u%%\r", start_percent);
193 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
194- start_percent, end_percent);
195+ start_percent, end_percent,
196+ cacert_file);
197 switch (rc) {
198 case 0:
199 if (!quiet)
200diff --git a/src/update.h b/src/update.h
201index b8e9911..ceea0c3 100644
202--- a/src/update.h
203+++ b/src/update.h
204@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
205
206 int update_required(const char *db_file);
207
208-bool update_db(bool quiet, const char *db_file);
209+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
210
211
212 /*
213--
2142.1.4
215
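Review bot: In the fetch.c hunk of the added patch the user-supplied path is handed to CURLOPT_CAINFO without any readability check, so a wrong --cacert path only surfaces at transfer time as the callers' `Failed to fetch <uri>` in update.c, which reads like a network problem rather than a certificate-bundle problem; a guard such as `if (cacert_file && access(cacert_file, R_OK) != 0) { fprintf(stderr, "Cannot read CA certificate file %s\n", cacert_file); goto bail; }` ahead of the setopt (with <unistd.h> if fetch.c does not already include it) makes the failure self-explaining. Whether the `bail` label reports the setopt failure is not visible, as fetch_uri's body continues outside the hunk. Separately, update-main.c declares `_cacert_file` as `static const char *` while main.c uses `static gchar *` for the same G_OPTION_ARG_STRING target; GLib stores a newly allocated gchar * through that pointer, so `static gchar *_cacert_file = NULL;` would keep the two files consistent.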