[src/trunk]: src/usr.sbin/sysinst If the install medium does not come with an...
details: https://anonhg.NetBSD.org/src/rev/c3b6d97ccc6a
branches: trunk
changeset: 376297:c3b6d97ccc6a
user: martin <martin%NetBSD.org@localhost>
date: Fri Jun 09 18:44:16 2023 +0000
description:
If the install medium does not come with any openssl trusted root certs,
tell ftp(1) not to verify trust chains when doing https downloads.
diffstat:
usr.sbin/sysinst/main.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 49 insertions(+), 1 deletions(-)
diffs (75 lines):
diff -r c435b76045b1 -r c3b6d97ccc6a usr.sbin/sysinst/main.c
--- a/usr.sbin/sysinst/main.c Fri Jun 09 18:09:30 2023 +0000
+++ b/usr.sbin/sysinst/main.c Fri Jun 09 18:44:16 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.30 2022/07/10 10:52:40 martin Exp $ */
+/* $NetBSD: main.c,v 1.31 2023/06/09 18:44:16 martin Exp $ */
/*
* Copyright 1997 Piermont Information Systems Inc.
@@ -97,6 +97,7 @@ static void select_language(const char*)
static void ttysighandler(int);
static void cleanup(void);
static void process_f_flag(char *);
+static bool no_openssl_trust_anchors_available(void);
static int exit_cleanly = 0; /* Did we finish nicely? */
FILE *logfp; /* log file */
@@ -264,6 +265,10 @@ main(int argc, char **argv)
/* Initialize the partitioning subsystem */
partitions_init();
+ /* do we need to tell ftp(1) to avoid checking certificate chains? */
+ if (no_openssl_trust_anchors_available())
+ setenv("FTPSSLNOVERIFY", "1", 1);
+
/* initialize message window */
if (menu_init()) {
__menu_initerror();
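Review bot: The setenv(3) call added after partitions_init() ignores its return value and leaves no record that chain verification was switched off, even though the choice changes the trust model of every https download the installation performs; checking the result and writing a line to logfp (declared near the top of the file) when the variable is set would keep the downgrade visible, e.g. `if (setenv("FTPSSLNOVERIFY", "1", 1) != 0)` followed by the file's usual error path. A one-line comment on the setenv line noting that the variable is inherited by every child sysinst spawns from here on, not only ftp(1), would also help a later reader, since nothing else on the page restricts its scope. main's body starts and ends outside this hunk.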
@@ -635,3 +640,46 @@ process_f_flag(char *f_name)
fclose(fp);
}
+
+/*
+ * return true if we do not have any root certificates installed,
+ * so can not verify any trust chain.
+ * We rely on /etc/openssl being the OPENSSLDIR and test the
+ * "all in one" /etc/openssl/cert.pem first, if that is not found
+ * check if there are multiple regular files or symlinks in
+ * /etc/openssl/certs/.
+ */
+static bool
+no_openssl_trust_anchors_available(void)
+{
+ struct stat sb;
+ DIR *dir;
+ struct dirent *ent;
+ size_t cnt;
+
+ /* check the omnibus single file variant first */
+ if (stat("/etc/openssl/cert.pem", &sb) == 0 &&
+ S_ISREG(sb.st_mode) && sb.st_size > 0)
+ return false; /* exists and is a non-empty file */
+
+ /* look for files/symlinks in the certs subdirectory */
+ dir = opendir("/etc/openssl/certs");
+ if (dir == NULL)
+ return true;
+ for (cnt = 0; cnt < 2; ) {
+ ent = readdir(dir);
+ if (ent == NULL)
+ break;
+ switch (ent->d_type) {
+ case DT_REG:
+ case DT_LNK:
+ cnt++;
+ break;
+ default:
+ break;
+ }
+ }
+ closedir(dir);
+
+ return cnt < 2;
+}
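Review bot: The switch on ent->d_type treats DT_UNKNOWN like any other non-file type, so on a filesystem (or a mount option) that does not fill in d_type every entry in /etc/openssl/certs is skipped, cnt stays 0 and the function reports "no trust anchors" even though a full certificate set is installed, which then turns verification off for the whole install. Because this function's false negatives lean toward the insecure side, DT_UNKNOWN should fall back to an lstat-style check of the entry before it is counted or discarded; sb is already declared and can be reused. The header comment could also note that only the count of regular files or symlinks is inspected, not their contents, so two unrelated files in the directory satisfy the check. The rewritten loop:

```c
	for (cnt = 0; cnt < 2; ) {
		ent = readdir(dir);
		if (ent == NULL)
			break;
		switch (ent->d_type) {
		case DT_REG:
		case DT_LNK:
			cnt++;
			break;
		case DT_UNKNOWN:
			/* filesystem does not report types; ask lstat(2) instead */
			if (fstatat(dirfd(dir), ent->d_name, &sb,
			    AT_SYMLINK_NOFOLLOW) == 0 &&
			    (S_ISREG(sb.st_mode) || S_ISLNK(sb.st_mode)))
				cnt++;
			break;
		default:
			break;
		}
	}
	/* … unchanged: closedir and return cnt < 2 … */
```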