1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
From 6792cfef0ebfbe83e41bc81df6bc675604d7c943 Mon Sep 17 00:00:00 2001
From: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Date: Tue, 16 Aug 2016 10:55:15 +0300
Subject: [PATCH] Make pinned pubkey configurable
The server may move to a new location where a different pubkey
needs to be used and the hardcoded one won't work.
This patch makes pinned pubkey configurable.
Upstream-Status: Submitted [https://github.com/clearlinux/swupd-client/pull/110]
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
---
configure.ac | 2 ++
include/swupd.h | 1 +
src/curl.c | 2 +-
src/globals.c | 14 ++++++++++++++
4 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 83007aa..883553a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -114,6 +114,7 @@ AH_TEMPLATE([LOCK_DIR],[Directory for lock file])
AH_TEMPLATE([BUNDLES_DIR],[Directory to use for bundles])
AH_TEMPLATE([UPDATE_CA_CERTS_PATH],[Location of CA certificates])
AH_TEMPLATE([MOTD_FILE],[motd file path])
+AH_TEMPLATE([PINNED_PUBKEY_PATH],[Path to pinned public key])
if test "$enable_linux_rootfs_build" = "yes"; then
AC_DEFINE([SWUPD_LINUX_ROOTFS],1)
@@ -124,6 +125,7 @@ if test "$enable_linux_rootfs_build" = "yes"; then
AC_DEFINE([BUNDLES_DIR],["/usr/share/clear/bundles"])
AC_DEFINE_UNQUOTED([UPDATE_CA_CERTS_PATH],["$certs_path"])
AC_DEFINE([MOTD_FILE],["/usr/lib/motd.d/001-new-release"])
+ AC_DEFINE_UNQUOTED([PINNED_PUBKEY_PATH],["${certs_path}/425b0f6b.key"])
else
AC_MSG_ERROR([Unknown build variant])
fi
diff --git a/include/swupd.h b/include/swupd.h
index 5c722d3..3658dc8 100644
--- a/include/swupd.h
+++ b/include/swupd.h
@@ -132,6 +132,7 @@ extern void *tm_dlhandle;
extern char *bundle_to_add;
extern struct timeval start_time;
extern char *state_dir;
+extern char *pinned_pubkey_path;
extern char *version_url;
extern char *content_url;
diff --git a/src/curl.c b/src/curl.c
index 6b6099f..b14193b 100644
--- a/src/curl.c
+++ b/src/curl.c
@@ -447,7 +447,7 @@ static CURLcode swupd_curl_set_security_opts(CURL *curl)
goto exit;
}
- curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, "/usr/share/clear/update-ca/425b0f6b.key");
+ curl_ret = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, pinned_pubkey_path);
if (curl_ret != CURLE_OK) {
goto exit;
}
diff --git a/src/globals.c b/src/globals.c
index f2f1200..d0858df 100644
--- a/src/globals.c
+++ b/src/globals.c
@@ -51,6 +51,7 @@ char *mounted_dirs = NULL;
char *bundle_to_add = NULL;
struct timeval start_time;
char *state_dir = NULL;
+char *pinned_pubkey_path = NULL;
/* NOTE: Today the content and version server urls are the same in
* all cases. It is highly likely these will eventually differ, eg:
@@ -68,6 +69,7 @@ long update_server_port = -1;
static const char *default_version_url_path = "/usr/share/defaults/swupd/versionurl";
static const char *default_content_url_path = "/usr/share/defaults/swupd/contenturl";
static const char *default_format_path = "/usr/share/defaults/swupd/format";
+static const char *default_pinnedpubkey_path = "/usr/share/defaults/swupd/pinnedpubkey";
static int set_default_value(char **global, const char *path)
{
@@ -194,6 +196,16 @@ bool set_state_dir(char *path)
return true;
}
+void set_pinned_pubkey_path()
+{
+ int ret;
+
+ ret = set_default_value(&pinned_pubkey_path, default_pinnedpubkey_path);
+ if (ret < 0) {
+ string_or_die(&pinned_pubkey_path, "%s", PINNED_PUBKEY_PATH);
+ }
+}
+
bool set_format_string(char *userinput)
{
int ret;
@@ -322,6 +334,7 @@ bool init_globals(void)
(void)set_format_string(NULL);
set_version_url(NULL);
set_content_url(NULL);
+ set_pinned_pubkey_path();
/* must set this global after version_url and content_url */
set_local_download();
@@ -337,6 +350,7 @@ void free_globals(void)
free(format_string);
free(mounted_dirs);
free(state_dir);
+ free(pinned_pubkey_path);
if (bundle_to_add != NULL) {
free(bundle_to_add);
}
|