[LEDE-DEV] [PATCH][opkg-lede] opkg: add --force-ssl argument
Andrew McConachie
andrew at depht.com
Thu May 11 08:57:33 PDT 2017
On 5/11/17 11:13, Etienne Champetier wrote:
> Hi Alexandru,
>
> 2017-05-11 7:59 GMT-07:00 Alexandru Ardelean <ardeleanalex at gmail.com>:
>> For cases when artifacts are stored on https:// accessible
>> location and you don't want to install ca-certificates
>> (for various reasons).
>>
>> I'll admit, using SSL like this is not recommended,
>> but since wget (even uclient-fetch) allows the
>> --no-check-certificate option, it would be nice
>> for opkg to support setting it if needed/configured.
> Why not name this option --no-check-certificate then ?
>
> Regards
> Etienne
>
I agree. --force-ssl sounds like you are forcing the use of SSL, not
that you are ignoring a validation check against the local certificate
store.
I also prefer --no-check-certificate. It makes more sense to me at least.
--Andrew
>> Signed-off-by: Alexandru Ardelean <ardeleanalex at gmail.com>
>> ---
>> libopkg/opkg_conf.c | 1 +
>> libopkg/opkg_conf.h | 1 +
>> libopkg/opkg_download.c | 5 ++++-
>> src/opkg-cl.c | 6 ++++++
>> 4 files changed, 12 insertions(+), 1 deletion(-)
>>
>> diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
>> index 589fc49..1890145 100644
>> --- a/libopkg/opkg_conf.c
>> +++ b/libopkg/opkg_conf.c
>> @@ -54,6 +54,7 @@ opkg_option_t options[] = {
>> {"force_postinstall", OPKG_OPT_TYPE_BOOL, &_conf.force_postinstall},
>> {"force_checksum", OPKG_OPT_TYPE_BOOL, &_conf.force_checksum},
>> {"check_signature", OPKG_OPT_TYPE_BOOL, &_conf.check_signature},
>> + {"force_ssl", OPKG_OPT_TYPE_BOOL, &_conf.force_ssl},
>> {"ftp_proxy", OPKG_OPT_TYPE_STRING, &_conf.ftp_proxy},
>> {"http_proxy", OPKG_OPT_TYPE_STRING, &_conf.http_proxy},
>> {"no_proxy", OPKG_OPT_TYPE_STRING, &_conf.no_proxy},
>> diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
>> index 9cf7681..a8c4a9e 100644
>> --- a/libopkg/opkg_conf.h
>> +++ b/libopkg/opkg_conf.h
>> @@ -78,6 +78,7 @@ struct opkg_conf {
>> int force_checksum;
>> int check_signature;
>> int force_signature;
>> + int force_ssl;
>> int nodeps; /* do not follow dependencies */
>> int nocase; /* perform case insensitive matching */
>> char *offline_root;
>> diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
>> index db4c90f..c8e0013 100644
>> --- a/libopkg/opkg_download.c
>> +++ b/libopkg/opkg_download.c
>> @@ -87,11 +87,14 @@ opkg_download(const char *src, const char *dest_file_name,
>>
>> {
>> int res;
>> - const char *argv[8];
>> + const char *argv[9];
>> int i = 0;
>>
>> argv[i++] = "wget";
>> argv[i++] = "-q";
>> + if (conf->force_ssl) {
>> + argv[i++] = "--no-check-certificate";
>> + }
>> if (conf->http_proxy || conf->ftp_proxy) {
>> argv[i++] = "-Y";
>> argv[i++] = "on";
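Review bot: The `if (conf->force_ssl)` branch turns off server authentication silently: once `--no-check-certificate` is appended, the HTTPS transfer no longer proves which host served the file, and nothing in this hunk tells the user or checks that another integrity control is active. Consider emitting a notice where the flag is added, for example `opkg_msg(NOTICE, "Server certificate verification is disabled (force_ssl).\n");` if `opkg_msg` is available in this file, and documenting that the option is only reasonable while `check_signature` is enabled. Separately, `argv` grows from 8 to 9 slots for the extra argument, but the rest of the argument list is outside the hunk, so confirm that the worst case (new flag, proxy flags, remaining arguments and the NULL terminator) still fits.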
>> diff --git a/src/opkg-cl.c b/src/opkg-cl.c
>> index c518bfc..77f59ff 100644
>> --- a/src/opkg-cl.c
>> +++ b/src/opkg-cl.c
>> @@ -52,6 +52,7 @@ enum {
>> ARGS_OPT_AUTOREMOVE,
>> ARGS_OPT_CACHE,
>> ARGS_OPT_FORCE_SIGNATURE,
>> + ARGS_OPT_FORCE_SSL,
>> ARGS_OPT_SIZE,
>> };
>>
>> @@ -91,6 +92,8 @@ static struct option long_options[] = {
>> {"force_checksum", 0, 0, ARGS_OPT_FORCE_CHECKSUM},
>> {"force-signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
>> {"force_signature", 0, 0, ARGS_OPT_FORCE_SIGNATURE},
>> + {"force-ssl", 0, 0, ARGS_OPT_FORCE_SSL},
>> + {"force_ssl", 0, 0, ARGS_OPT_FORCE_SSL},
>> {"noaction", 0, 0, ARGS_OPT_NOACTION},
>> {"download-only", 0, 0, ARGS_OPT_DOWNLOAD_ONLY},
>> {"nodeps", 0, 0, ARGS_OPT_NODEPS},
>> @@ -226,6 +229,8 @@ static int args_parse(int argc, char *argv[])
>> case ARGS_OPT_FORCE_SIGNATURE:
>> conf->force_signature = 1;
>> break;
>> + case ARGS_OPT_FORCE_SSL:
>> + conf->force_ssl = 1;
>> case ':':
>> parse_err = -1;
>> break;
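Review bot: The new `case ARGS_OPT_FORCE_SSL:` in `args_parse` has no `break;`, so after `conf->force_ssl = 1;` control falls through into `case ':'` and sets `parse_err = -1`. Passing `--force-ssl` would therefore be reported as a parse error, which presumably makes the option unusable from the command line (the handling of `parse_err` is outside the hunk). Add `break;` after the assignment, as the `ARGS_OPT_FORCE_SIGNATURE` case just above does.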
>> @@ -335,6 +340,7 @@ static void usage()
>> printf
>> ("\t--force-remove Remove package even if prerm script fails\n");
>> printf("\t--force-checksum Don't fail on checksum mismatches\n");
>> + printf("\t--force-ssl Don't validate the server's certificate\n");
>> printf("\t--noaction No action -- test only\n");
>> printf("\t--download-only No action -- download only\n");
>> printf("\t--nodeps Do not follow dependencies\n");
>> --
>> 2.7.4
>>
>>