From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Thu, 9 Feb 2017 14:51:28 +0200
Subject: [PATCH] curl: allow overriding default CA certificate file

Similar to curl, --cacert can now be used in cve-check-tool and cve-check-update to override the default CA certificate file.

Useful in cases where the system default is unsuitable (for example, out-dated) or broken (as in OE's current native libcurl, which embeds a path string from one build host and then uses it on another although the right path may have become something different).

Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]

Signed-off-by: Patrick Ohly

Took Patrick Ohlys original patch from meta-security-isafw, rebased on top of other patches.

Signed-off-by: Jussi Kukkonen
---
 src/library/cve-check-tool.h | 1 +
 src/library/fetch.c | 10 +++++++++-
 src/library/fetch.h | 3 ++-
 src/main.c | 5 ++++-
 src/update-main.c | 4 +++-
 src/update.c | 12 +++++++-----
 src/update.h | 2 +-
 7 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
index e4bb5b1..f89eade 100644
--- a/src/library/cve-check-tool.h
+++ b/src/library/cve-check-tool.h
@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
 bool bugs; /**output_file = output_file;
+ self->cacert_file = cacert_file;
 if (!csv_mode && self->output_file) {
 quiet = false;
@@ -530,7 +533,7 @@ int main(int argc, char **argv)
 if (status) {
 fprintf(stderr, "Update of db forced\n");
 cve_db_unlock();
- if (!update_db(quiet, db_path->str)) {
+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
 fprintf(stderr, "DB update failure\n");
 goto cleanup;
 }
diff --git a/src/update-main.c b/src/update-main.c
index 2379cfa..c52d9d0 100644
--- a/src/update-main.c
+++ b/src/update-main.c
@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
 static gchar *nvds = NULL;
 static bool _show_version = false;
 static bool _quiet = false;
+static const char *_cacert_file = NULL;
 static GOptionEntry _entries[] = {
 { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
 { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
 { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
 { .short_name = 0 }
 };
@@ -88,7 +90,7 @@ int main(int argc, char **argv)
 goto end;
 }
- if (update_db(_quiet, db_path->str)) {
+ if (update_db(_quiet, db_path->str, _cacert_file)) {
 ret = EXIT_SUCCESS;
 } else {
 fprintf(stderr, "Failed to update database\n");
diff --git a/src/update.c b/src/update.c
index 070560a..8cb4a39 100644
--- a/src/update.c
+++ b/src/update.c
@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
 static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, bool db_exist, bool verbose,
- unsigned int this_percent, unsigned int next_percent)
+ unsigned int this_percent, unsigned int next_percent,
+ const char *cacert_file)
 {
 const char nvd_uri[] = URI_PREFIX;
 autofree(cve_string) *uri_meta = NULL;
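Review bot: `_cacert_file` is declared `static const char *`, but it receives a G_OPTION_ARG_STRING value exactly like `nvds`, which is `static gchar *`; GLib stores a newly allocated copy of the argument through that pointer, so the const qualifier buys nothing here and only gets in the way of freeing the string. Declaring it `static gchar *_cacert_file = NULL;` keeps the two option targets consistent, and if `main` releases `nvds` at its `end:` label (outside the hunk) the new string should be released alongside it. The path is also accepted without checking that the file exists; a bad `--cacert` value will presumably only surface as a TLS failure inside `fetch_uri`, whose change is not in view, so a `g_file_test(_cacert_file, G_FILE_TEST_IS_REGULAR)` check before `update_db` is called would give a clearer error. The trailing `NULL}` in the new entry also lacks the space the other entries use.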
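Review bot: `do_fetch_update` now takes nine parameters, which is past the point where a signature stays readable, and four of them (`verbose`, `this_percent`, `next_percent`, `cacert_file`) only describe how the two `fetch_uri` calls further down should behave. Bundling those into a small `struct fetch_opts` passed by pointer would shorten this signature and the call in `update_db` at the same time; that is a refactor for a follow-up rather than this patch. At minimum the new parameter deserves a comment, since the only statement of what NULL means is the option help text in update-main.c: `/* cacert_file: CA bundle path handed to fetch_uri, or NULL for the system default */`. The function body continues past the end of the hunk.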
@@ -331,14 +332,14 @@ refetch:
 }
 /* Fetch NVD META file */
- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
 if (st == FETCH_STATUS_FAIL) {
 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
 return -1;
 }
 /* Fetch NVD XML file */
- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
 switch (st) {
 case FETCH_STATUS_FAIL:
 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
@@ -391,7 +392,7 @@ refetch:
 return 0;
 }
-bool update_db(bool quiet, const char *db_file)
+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
 {
 autofree(char) *db_dir = NULL;
 autofree(CveDB) *cve_db = NULL;
@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
 if (!quiet)
 fprintf(stderr, "completed: %u%%\r", start_percent);
 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
- start_percent, end_percent);
+ start_percent, end_percent,
+ cacert_file);
 switch (rc) {
 case 0:
 if (!quiet)
diff --git a/src/update.h b/src/update.h
index b8e9911..ceea0c3 100644
--- a/src/update.h
+++ b/src/update.h
@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
 int update_required(const char *db_file);
-bool update_db(bool quiet, const char *db_file);
+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
 /*
-- 
2.1.4
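Review bot: The new `cacert_file` parameter on the public `update_db` prototype is undocumented, and no comment precedes the prototype in the hunk. A Doxygen block above it should state that `cacert_file` is an optional path to a CA certificate bundle used for the NVD downloads, that NULL selects the system default (as the update-main.c help text says), and whether the pointer is retained beyond the call — from the visible update.c hunks it is only passed through to `fetch_uri`, but fetch.c is not in view, so confirm that before writing it down. The same documentation gap applies to the struct member that main.c assigns through `self->cacert_file`, whose cve-check-tool.h hunk is garbled in this rendering.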