diff options
author | Jussi Kukkonen <jussi.kukkonen@intel.com> | 2017-02-09 21:38:33 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-02-15 09:29:56 -0800 |
commit | d887c24d5af0f570a259985fa99af5c56158fcfa (patch) | |
tree | ae5d59972c956d573f5795615d29ba22b3b0e204 /meta | |
parent | ea616d122676e7d5bbf606b7dbfa8f62c63d4a27 (diff) | |
download | poky-d887c24d5af0f570a259985fa99af5c56158fcfa.tar.gz |
cve-check-tool: Use CA cert bundle in correct sysroot
Native libcurl looks for CA certs in the wrong place by
default.
* Add patch that allows overriding the default CA certificate
location. Patch is originally from meta-security-isafw.
* Use the new --cacert to set the correct CA bundle path
(From OE-Core rev: 73bd11d5190a072064128cc13b4537154d07b129)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | 4 | ||||
-rw-r--r-- | meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch | 215 |
2 files changed, 218 insertions, 1 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index c78af6728c..fcd3182931 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | |||
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" | |||
9 | SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ | 9 | SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ |
10 | file://check-for-malloc_trim-before-using-it.patch \ | 10 | file://check-for-malloc_trim-before-using-it.patch \ |
11 | file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ | 11 | file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ |
12 | file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ | ||
12 | " | 13 | " |
13 | 14 | ||
14 | SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" | 15 | SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" |
@@ -39,7 +40,8 @@ do_populate_cve_db() { | |||
39 | [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" | 40 | [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" |
40 | 41 | ||
41 | bbdebug 2 "Updating cve-check-tool database located in $cve_dir" | 42 | bbdebug 2 "Updating cve-check-tool database located in $cve_dir" |
42 | if cve-check-update -d "$cve_dir" ; then | 43 | # --cacert works around curl-native not finding the CA bundle |
44 | if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then | ||
43 | printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" | 45 | printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" |
44 | else | 46 | else |
45 | bbwarn "Error in executing cve-check-update" | 47 | bbwarn "Error in executing cve-check-update" |
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch new file mode 100644 index 0000000000..3d8ebd1bd2 --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch | |||
@@ -0,0 +1,215 @@ | |||
1 | From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 | ||
2 | From: Jussi Kukkonen <jussi.kukkonen@intel.com> | ||
3 | Date: Thu, 9 Feb 2017 14:51:28 +0200 | ||
4 | Subject: [PATCH] curl: allow overriding default CA certificate file | ||
5 | |||
6 | Similar to curl, --cacert can now be used in cve-check-tool and | ||
7 | cve-check-update to override the default CA certificate file. Useful | ||
8 | in cases where the system default is unsuitable (for example, | ||
9 | out-dated) or broken (as in OE's current native libcurl, which embeds | ||
10 | a path string from one build host and then uses it on another although | ||
11 | the right path may have become something different). | ||
12 | |||
13 | Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] | ||
14 | |||
15 | Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> | ||
16 | |||
17 | |||
18 | Took Patrick Ohlys original patch from meta-security-isafw, rebased | ||
19 | on top of other patches. | ||
20 | |||
21 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | ||
22 | --- | ||
23 | src/library/cve-check-tool.h | 1 + | ||
24 | src/library/fetch.c | 10 +++++++++- | ||
25 | src/library/fetch.h | 3 ++- | ||
26 | src/main.c | 5 ++++- | ||
27 | src/update-main.c | 4 +++- | ||
28 | src/update.c | 12 +++++++----- | ||
29 | src/update.h | 2 +- | ||
30 | 7 files changed, 27 insertions(+), 10 deletions(-) | ||
31 | |||
32 | diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h | ||
33 | index e4bb5b1..f89eade 100644 | ||
34 | --- a/src/library/cve-check-tool.h | ||
35 | +++ b/src/library/cve-check-tool.h | ||
36 | @@ -43,6 +43,7 @@ typedef struct CveCheckTool { | ||
37 | bool bugs; /**<Whether bug tracking is enabled */ | ||
38 | GHashTable *mapping; /**<CVE Mapping */ | ||
39 | const char *output_file; /**<Output file, if any */ | ||
40 | + const char *cacert_file; /**<Non-default SSL certificate file, if any */ | ||
41 | } CveCheckTool; | ||
42 | |||
43 | /** | ||
44 | diff --git a/src/library/fetch.c b/src/library/fetch.c | ||
45 | index 0fe6d76..8f998c3 100644 | ||
46 | --- a/src/library/fetch.c | ||
47 | +++ b/src/library/fetch.c | ||
48 | @@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow | ||
49 | } | ||
50 | |||
51 | FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, | ||
52 | - unsigned int start_percent, unsigned int end_percent) | ||
53 | + unsigned int start_percent, unsigned int end_percent, | ||
54 | + const char *cacert_file) | ||
55 | { | ||
56 | FetchStatus ret = FETCH_STATUS_FAIL; | ||
57 | CURLcode res; | ||
58 | @@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, | ||
59 | return ret; | ||
60 | } | ||
61 | |||
62 | + if (cacert_file) { | ||
63 | + res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file); | ||
64 | + if (res != CURLE_OK) { | ||
65 | + goto bail; | ||
66 | + } | ||
67 | + } | ||
68 | + | ||
69 | if (stat(target, &st) == 0) { | ||
70 | res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE); | ||
71 | if (res != CURLE_OK) { | ||
72 | diff --git a/src/library/fetch.h b/src/library/fetch.h | ||
73 | index 4cce5d1..836c7d7 100644 | ||
74 | --- a/src/library/fetch.h | ||
75 | +++ b/src/library/fetch.h | ||
76 | @@ -29,7 +29,8 @@ typedef enum { | ||
77 | * @return A FetchStatus, indicating the operation taken | ||
78 | */ | ||
79 | FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, | ||
80 | - unsigned int this_percent, unsigned int next_percent); | ||
81 | + unsigned int this_percent, unsigned int next_percent, | ||
82 | + const char *cacert_file); | ||
83 | |||
84 | /** | ||
85 | * Attempt to extract the given gzipped file | ||
86 | diff --git a/src/main.c b/src/main.c | ||
87 | index 8e6f158..ae69d47 100644 | ||
88 | --- a/src/main.c | ||
89 | +++ b/src/main.c | ||
90 | @@ -280,6 +280,7 @@ static bool csv_mode = false; | ||
91 | static char *modified_stamp = NULL; | ||
92 | static gchar *mapping_file = NULL; | ||
93 | static gchar *output_file = NULL; | ||
94 | +static gchar *cacert_file = NULL; | ||
95 | |||
96 | static GOptionEntry _entries[] = { | ||
97 | { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL }, | ||
98 | @@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { | ||
99 | { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL }, | ||
100 | { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL}, | ||
101 | { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL}, | ||
102 | + { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, | ||
103 | { .short_name = 0 } | ||
104 | }; | ||
105 | |||
106 | @@ -492,6 +494,7 @@ int main(int argc, char **argv) | ||
107 | |||
108 | quiet = csv_mode || !no_html; | ||
109 | self->output_file = output_file; | ||
110 | + self->cacert_file = cacert_file; | ||
111 | |||
112 | if (!csv_mode && self->output_file) { | ||
113 | quiet = false; | ||
114 | @@ -530,7 +533,7 @@ int main(int argc, char **argv) | ||
115 | if (status) { | ||
116 | fprintf(stderr, "Update of db forced\n"); | ||
117 | cve_db_unlock(); | ||
118 | - if (!update_db(quiet, db_path->str)) { | ||
119 | + if (!update_db(quiet, db_path->str, self->cacert_file)) { | ||
120 | fprintf(stderr, "DB update failure\n"); | ||
121 | goto cleanup; | ||
122 | } | ||
123 | diff --git a/src/update-main.c b/src/update-main.c | ||
124 | index 2379cfa..c52d9d0 100644 | ||
125 | --- a/src/update-main.c | ||
126 | +++ b/src/update-main.c | ||
127 | @@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ | ||
128 | static gchar *nvds = NULL; | ||
129 | static bool _show_version = false; | ||
130 | static bool _quiet = false; | ||
131 | +static const char *_cacert_file = NULL; | ||
132 | |||
133 | static GOptionEntry _entries[] = { | ||
134 | { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, | ||
135 | { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, | ||
136 | { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, | ||
137 | + { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, | ||
138 | { .short_name = 0 } | ||
139 | }; | ||
140 | |||
141 | @@ -88,7 +90,7 @@ int main(int argc, char **argv) | ||
142 | goto end; | ||
143 | } | ||
144 | |||
145 | - if (update_db(_quiet, db_path->str)) { | ||
146 | + if (update_db(_quiet, db_path->str, _cacert_file)) { | ||
147 | ret = EXIT_SUCCESS; | ||
148 | } else { | ||
149 | fprintf(stderr, "Failed to update database\n"); | ||
150 | diff --git a/src/update.c b/src/update.c | ||
151 | index 070560a..8cb4a39 100644 | ||
152 | --- a/src/update.c | ||
153 | +++ b/src/update.c | ||
154 | @@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) | ||
155 | |||
156 | static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, | ||
157 | bool db_exist, bool verbose, | ||
158 | - unsigned int this_percent, unsigned int next_percent) | ||
159 | + unsigned int this_percent, unsigned int next_percent, | ||
160 | + const char *cacert_file) | ||
161 | { | ||
162 | const char nvd_uri[] = URI_PREFIX; | ||
163 | autofree(cve_string) *uri_meta = NULL; | ||
164 | @@ -331,14 +332,14 @@ refetch: | ||
165 | } | ||
166 | |||
167 | /* Fetch NVD META file */ | ||
168 | - st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); | ||
169 | + st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); | ||
170 | if (st == FETCH_STATUS_FAIL) { | ||
171 | fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); | ||
172 | return -1; | ||
173 | } | ||
174 | |||
175 | /* Fetch NVD XML file */ | ||
176 | - st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); | ||
177 | + st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); | ||
178 | switch (st) { | ||
179 | case FETCH_STATUS_FAIL: | ||
180 | fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); | ||
181 | @@ -391,7 +392,7 @@ refetch: | ||
182 | return 0; | ||
183 | } | ||
184 | |||
185 | -bool update_db(bool quiet, const char *db_file) | ||
186 | +bool update_db(bool quiet, const char *db_file, const char *cacert_file) | ||
187 | { | ||
188 | autofree(char) *db_dir = NULL; | ||
189 | autofree(CveDB) *cve_db = NULL; | ||
190 | @@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) | ||
191 | if (!quiet) | ||
192 | fprintf(stderr, "completed: %u%%\r", start_percent); | ||
193 | rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, | ||
194 | - start_percent, end_percent); | ||
195 | + start_percent, end_percent, | ||
196 | + cacert_file); | ||
197 | switch (rc) { | ||
198 | case 0: | ||
199 | if (!quiet) | ||
200 | diff --git a/src/update.h b/src/update.h | ||
201 | index b8e9911..ceea0c3 100644 | ||
202 | --- a/src/update.h | ||
203 | +++ b/src/update.h | ||
204 | @@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); | ||
205 | |||
206 | int update_required(const char *db_file); | ||
207 | |||
208 | -bool update_db(bool quiet, const char *db_file); | ||
209 | +bool update_db(bool quiet, const char *db_file, const char *cacert_file); | ||
210 | |||
211 | |||
212 | /* | ||
213 | -- | ||
214 | 2.1.4 | ||
215 | |||