From 73bd11d5190a072064128cc13b4537154d07b129 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Thu, 9 Feb 2017 21:38:33 +0200 Subject: cve-check-tool: Use CA cert bundle in correct sysroot Native libcurl looks for CA certs in the wrong place by default. * Add patch that allows overriding the default CA certificate location. Patch is originally from meta-security-isafw. * Use the new --cacert to set the correct CA bundle path Signed-off-by: Jussi Kukkonen Signed-off-by: Ross Burton --- .../cve-check-tool/cve-check-tool_5.6.4.bb | 4 +- ...ow-overriding-default-CA-certificate-file.patch | 215 +++++++++++++++++++++ 2 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch (limited to 'meta/recipes-devtools/cve-check-tool') diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index c78af6728c..fcd3182931 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ file://check-for-malloc_trim-before-using-it.patch \ file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ + file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ " SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" @@ -39,7 +40,8 @@ do_populate_cve_db() { [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" bbdebug 2 "Updating cve-check-tool database located in $cve_dir" - if cve-check-update -d "$cve_dir" ; then + # --cacert works around curl-native not finding the CA bundle + if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" else bbwarn "Error in executing cve-check-update" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch new file mode 100644 index 0000000000..3d8ebd1bd2 --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch @@ -0,0 +1,215 @@ +From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 +From: Jussi Kukkonen +Date: Thu, 9 Feb 2017 14:51:28 +0200 +Subject: [PATCH] curl: allow overriding default CA certificate file + +Similar to curl, --cacert can now be used in cve-check-tool and +cve-check-update to override the default CA certificate file. Useful +in cases where the system default is unsuitable (for example, +out-dated) or broken (as in OE's current native libcurl, which embeds +a path string from one build host and then uses it on another although +the right path may have become something different). + +Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] + +Signed-off-by: Patrick Ohly + + +Took Patrick Ohlys original patch from meta-security-isafw, rebased +on top of other patches. + +Signed-off-by: Jussi Kukkonen +--- + src/library/cve-check-tool.h | 1 + + src/library/fetch.c | 10 +++++++++- + src/library/fetch.h | 3 ++- + src/main.c | 5 ++++- + src/update-main.c | 4 +++- + src/update.c | 12 +++++++----- + src/update.h | 2 +- + 7 files changed, 27 insertions(+), 10 deletions(-) + +diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h +index e4bb5b1..f89eade 100644 +--- a/src/library/cve-check-tool.h ++++ b/src/library/cve-check-tool.h +@@ -43,6 +43,7 @@ typedef struct CveCheckTool { + bool bugs; /**output_file = output_file; ++ self->cacert_file = cacert_file; + + if (!csv_mode && self->output_file) { + quiet = false; +@@ -530,7 +533,7 @@ int main(int argc, char **argv) + if (status) { + fprintf(stderr, "Update of db forced\n"); + cve_db_unlock(); +- if (!update_db(quiet, db_path->str)) { ++ if (!update_db(quiet, db_path->str, self->cacert_file)) { + fprintf(stderr, "DB update failure\n"); + goto cleanup; + } +diff --git a/src/update-main.c b/src/update-main.c +index 2379cfa..c52d9d0 100644 +--- a/src/update-main.c ++++ b/src/update-main.c +@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ + static gchar *nvds = NULL; + static bool _show_version = false; + static bool _quiet = false; ++static const char *_cacert_file = NULL; + + static GOptionEntry _entries[] = { + { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, + { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, + { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, ++ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, + { .short_name = 0 } + }; + +@@ -88,7 +90,7 @@ int main(int argc, char **argv) + goto end; + } + +- if (update_db(_quiet, db_path->str)) { ++ if (update_db(_quiet, db_path->str, _cacert_file)) { + ret = EXIT_SUCCESS; + } else { + fprintf(stderr, "Failed to update database\n"); +diff --git a/src/update.c b/src/update.c +index 070560a..8cb4a39 100644 +--- a/src/update.c ++++ b/src/update.c +@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) + + static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, + bool db_exist, bool verbose, +- unsigned int this_percent, unsigned int next_percent) ++ unsigned int this_percent, unsigned int next_percent, ++ const char *cacert_file) + { + const char nvd_uri[] = URI_PREFIX; + autofree(cve_string) *uri_meta = NULL; +@@ -331,14 +332,14 @@ refetch: + } + + /* Fetch NVD META file */ +- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); ++ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); + if (st == FETCH_STATUS_FAIL) { + fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); + return -1; + } + + /* Fetch NVD XML file */ +- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); ++ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); + switch (st) { + case FETCH_STATUS_FAIL: + fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); +@@ -391,7 +392,7 @@ refetch: + return 0; + } + +-bool update_db(bool quiet, const char *db_file) ++bool update_db(bool quiet, const char *db_file, const char *cacert_file) + { + autofree(char) *db_dir = NULL; + autofree(CveDB) *cve_db = NULL; +@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) + if (!quiet) + fprintf(stderr, "completed: %u%%\r", start_percent); + rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, +- start_percent, end_percent); ++ start_percent, end_percent, ++ cacert_file); + switch (rc) { + case 0: + if (!quiet) +diff --git a/src/update.h b/src/update.h +index b8e9911..ceea0c3 100644 +--- a/src/update.h ++++ b/src/update.h +@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); + + int update_required(const char *db_file); + +-bool update_db(bool quiet, const char *db_file); ++bool update_db(bool quiet, const char *db_file, const char *cacert_file); + + + /* +-- +2.1.4 + -- cgit v1.2.3