Diffstat (limited to 'src')
-rw-r--r-- | src/lpm.c | 119 | ||||
-rw-r--r-- | src/lpm.lua | 15 |
2 files changed, 68 insertions, 66 deletions
@@ -352,6 +352,17 @@ static int lpm_init(lua_State* L) {
 return 0;
 }
 
+static int no_verify_ssl = 0;
+static int has_setup_ssl = 0;
+static mbedtls_x509_crt x509_certificate;
+static mbedtls_entropy_context entropy_context;
+static mbedtls_ctr_drbg_context drbg_context;
+static mbedtls_ssl_config ssl_config;
+static mbedtls_ssl_context ssl_context;
+
+static int lpm_git_transport_certificate_check_cb(struct git_cert *cert, int valid, const char *host, void *payload) {
+ return 0;
+}
 
 static int lpm_fetch(lua_State* L) {
 git_repository* repository = luaL_checkgitrepo(L, 1);
@@ -362,6 +373,8 @@ static int lpm_fetch(lua_State* L) {
 }
 git_fetch_options fetch_opts = GIT_FETCH_OPTIONS_INIT;
 fetch_opts.download_tags = GIT_REMOTE_DOWNLOAD_TAGS_ALL;
+ if (no_verify_ssl)
+ fetch_opts.callbacks.certificate_check = lpm_git_transport_certificate_check_cb;
 if (git_remote_fetch(remote, NULL, &fetch_opts, NULL)) {
 git_remote_free(remote);
 git_repository_free(repository);
@@ -372,14 +385,6 @@ static int lpm_fetch(lua_State* L) {
 return 0;
 }
 
-
-static int has_setup_ssl = 0;
-static mbedtls_x509_crt x509_certificate;
-static mbedtls_entropy_context entropy_context;
-static mbedtls_ctr_drbg_context drbg_context;
-static mbedtls_ssl_config ssl_config;
-static mbedtls_ssl_context ssl_context;
-
 static int mbedtls_snprintf(char* buffer, int len, int status, const char* str, ...) {
 char mbed_buffer[128];
 mbedtls_strerror(status, mbed_buffer, sizeof(mbed_buffer));
@@ -415,7 +420,6 @@ static void lpm_tls_debug(void *ctx, int level, const char *file, int line, cons
 
 static int lpm_certs(lua_State* L) {
 const char* type = luaL_checkstring(L, 1);
- const char* path = luaL_checkstring(L, 2);
 int status;
 if (has_setup_ssl) {
 mbedtls_ssl_config_free(&ssl_config);
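Review bot: `lpm_git_transport_certificate_check_cb` discards `valid` and `host` and returns 0 for every certificate, and nothing at the definition says that a 0 return is what tells libgit2 to accept a certificate it has already judged invalid. A comment above the function such as `// Installed on fetch only while --ssl_certs=noverify is in effect: returning 0 makes libgit2 accept the peer certificate even when 'valid' is 0.` would stop a later reader from mistaking it for an unfinished stub. Since this is the one place the TLS downgrade is actually exercised for git transports, writing a one-line warning to stderr that names `host` here would also make the unverified connection visible in logs, which the noverify path does not do anywhere in this diff as far as it shows.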
@@ -442,61 +446,52 @@ static int lpm_certs(lua_State* L) {
 mbedtls_ssl_conf_dbg(&ssl_config, lpm_tls_debug, NULL);
 #endif
 has_setup_ssl = 1;
- if (strcmp(type, "dir") == 0) {
- git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, NULL, path);
+ if (strcmp(type, "noverify") == 0) {
+ no_verify_ssl = 1;
+ mbedtls_ssl_conf_authmode(&ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL);
 } else {
- if (strcmp(type, "system") == 0) {
- #if _WIN32
- FILE* file = fopen(path, "wb");
- if (!file)
- return luaL_error(L, "can't open cert store %s for writing: %s", path, strerror(errno));
- HCERTSTORE hSystemStore = CertOpenSystemStore(0, TEXT("ROOT"));
- if (!hSystemStore) {
- fclose(file);
- return luaL_error(L, "error getting system certificate store");
- }
- PCCERT_CONTEXT pCertContext = NULL;
- while (1) {
- pCertContext = CertEnumCertificatesInStore(hSystemStore, pCertContext);
- if (!pCertContext)
- break;
- BYTE keyUsage[2];
- if (pCertContext->dwCertEncodingType & X509_ASN_ENCODING && (CertGetIntendedKeyUsage(pCertContext->dwCertEncodingType, pCertContext->pCertInfo, keyUsage, sizeof(keyUsage)) && (keyUsage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))) {
- DWORD size = 0;
- CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, NULL, &size);
- char* buffer = malloc(size);
- CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, buffer, &size);
- fwrite(buffer, sizeof(char), size, file);
- free(buffer);
+ const char* path = luaL_checkstring(L, 2);
+ if (strcmp(type, "dir") == 0) {
+ git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, NULL, path);
+ } else {
+ if (strcmp(type, "system") == 0) {
+ #if _WIN32
+ FILE* file = fopen(path, "wb");
+ if (!file)
+ return luaL_error(L, "can't open cert store %s for writing: %s", path, strerror(errno));
+ HCERTSTORE hSystemStore = CertOpenSystemStore(0, TEXT("ROOT"));
+ if (!hSystemStore) {
+ fclose(file);
+ return luaL_error(L, "error getting system certificate store");
 }
- }
- }
- fclose(file);
- CertCloseStore(hSystemStore, 0);
- #elif __APPLE__ // https://developer.apple.com/forums/thread/691009; see also curl
- /*CFStringRef keys[] = { kSecClass, kSecMatchLimit, kSecReturnRef };
- CFTypeRef values[] = { kSecClassCertificate, kSecMatchLimitAll, kCFBooleanTrue };
- CFDictionaryRef query = CFDictionaryCreate(
- NULL,
- (const void **) keys,
- values,
- sizeof(keys) / sizeof(keys[0]),
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks
- );
- CFTypeRef copyResult = NULL;
- OSStatus err = SecItemCopyMatching(query, ©Result);
- if (err == errSecSuccess) {
- // Try and
- }*/
- return luaL_error(L, "can't use system on mac yet");
- #else
- return luaL_error(L, "can't use system certificates except on windows or mac");
- #endif
+ PCCERT_CONTEXT pCertContext = NULL;
+ while (1) {
+ pCertContext = CertEnumCertificatesInStore(hSystemStore, pCertContext);
+ if (!pCertContext)
+ break;
+ BYTE keyUsage[2];
+ if (pCertContext->dwCertEncodingType & X509_ASN_ENCODING && (CertGetIntendedKeyUsage(pCertContext->dwCertEncodingType, pCertContext->pCertInfo, keyUsage, sizeof(keyUsage)) && (keyUsage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))) {
+ DWORD size = 0;
+ CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, NULL, &size);
+ char* buffer = malloc(size);
+ CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, buffer, &size);
+ fwrite(buffer, sizeof(char), size, file);
+ free(buffer);
+ }
+ }
+ fclose(file);
+ CertCloseStore(hSystemStore, 0);
+ #elif __APPLE__ // https://developer.apple.com/forums/thread/691009; see also curl's mac version
+ return luaL_error(L, "can't use system on mac yet");
+ #else
+ return luaL_error(L, "can't use system certificates except on windows or mac");
+ #endif
+ }
+ git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, path, NULL);
+ if ((status = mbedtls_x509_crt_parse_file(&x509_certificate, path)) != 0)
+ return luaL_mbedtls_error(L, status, "mbedtls_x509_crt_parse_file failed to parse CA certificate %s", path);
+ mbedtls_ssl_conf_ca_chain(&ssl_config, &x509_certificate, NULL);
 }
- git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, path, NULL);
- if ((status = mbedtls_x509_crt_parse_file(&x509_certificate, path)) != 0)
- return luaL_mbedtls_error(L, status, "mbedtls_x509_crt_parse_file failed to parse CA certificate %s", path);
- mbedtls_ssl_conf_ca_chain(&ssl_config, &x509_certificate, NULL);
 }
 return 0;
 }
@@ -697,7 +692,7 @@ static int lpm_get(lua_State* L) {
 mbedtls_snprintf(err, sizeof(err), status, "can't set hostname %s", hostname); goto cleanup;
 } else if ((status = mbedtls_ssl_handshake(&ssl_context)) != 0) {
 mbedtls_snprintf(err, sizeof(err), status, "can't handshake with %s", hostname); goto cleanup;
- } else if ((status = mbedtls_ssl_get_verify_result(&ssl_context)) != 0) {
+ } else if (((status = mbedtls_ssl_get_verify_result(&ssl_context)) != 0) && !no_verify_ssl) {
 mbedtls_snprintf(err, sizeof(err), status, "can't verify result for %s", hostname); goto cleanup;
 }
 } else {
diff --git a/src/lpm.lua b/src/lpm.lua
index 16c20f0..55c16d5 100644
--- a/src/lpm.lua
+++ b/src/lpm.lua
@@ -1607,7 +1607,8 @@ Flags have the following effects:
 --mod-version Sets the mod version of lite-xl to install plugins.
 --version Returns version information.
 --help Displays this help text.
- --ssl_certs Sets the SSL certificate store.
+ --ssl_certs Sets the SSL certificate store. Can be a directory,
+ or path to a certificate bundle.
 --arch Sets the architecture (default: ]] .. _G.ARCH .. [[).
 --assume-yes Ignores any prompts, and automatically answers yes to all.
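Review bot: `no_verify_ssl` is set to 1 on the `noverify` branch but never cleared, so once `lpm_certs` has been called with `"noverify"`, a later call with `"dir"`, `"system"` or a bundle path rebuilds the mbedtls config with a real CA chain while `lpm_fetch` keeps installing the accept-all libgit2 callback and `lpm_get` keeps skipping the verify-result check; nothing in this hunk, nor in the earlier `lpm_certs` hunk (which only frees and re-initialises the mbedtls objects), resets it. Clear it on the verifying path with `no_verify_ssl = 0;` as the first statement after `} else {` (the top of `lpm_certs` is outside this hunk and would serve as well). The `noverify` branch also selects `MBEDTLS_SSL_VERIFY_OPTIONAL` without any CA chain, which matches the intent but deserves a comment saying the handshake's verification result is deliberately not acted on. The Windows store export that moved here still leaves `malloc` and `CryptBinaryToString` unchecked, but that predates this commit.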
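Review bot: In the new condition the verify flags are assigned to `status` before `!no_verify_ssl` is consulted, so in noverify mode the chain falls through with `status` holding a non-zero verification result, and any code later in `lpm_get` (outside this hunk) that treats `status != 0` as an error would misfire. Checking the flag first leaves `status` untouched: `} else if (!no_verify_ssl && (status = mbedtls_ssl_get_verify_result(&ssl_context)) != 0) {`. The skipped result is also dropped without a trace; a debug-level log of the flags when they are ignored would help when a noverify run is later questioned. `lpm_get` begins and ends outside this hunk.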
@@ -1624,6 +1625,8 @@ in any circumstance unless explicitly supplied.
 binaries if there is a native compilation step.
 --remotes Automatically adds any specified remotes in the repository
 to the end of the resolution list.
+ --ssl_certs=noverify Ignores SSL certificate validation. Opens you up to
+ man-in-the-middle attacks.
 ]]
 )
 return 0
@@ -1652,9 +1655,13 @@ in any circumstance unless explicitly supplied.
 repositories = {}
 if ARGS[2] == "purge" then return lpm_purge() end
 if ARGS["ssl_certs"] then
- local stat = system.stat(ARGS["ssl_certs"])
- if not stat then error("can't find " .. ARGS["ssl_certs"]) end
- system.certs(stat.type, ARGS["ssl_certs"])
+ if ARGS["ssl_certs"] == "noverify" then
+ system.certs("noverify")
+ else
+ local stat = system.stat(ARGS["ssl_certs"])
+ if not stat then error("can't find " .. ARGS["ssl_certs"]) end
+ system.certs(stat.type, ARGS["ssl_certs"])
+ end
 elseif not os.getenv("SSL_CERT_DIR") and not os.getenv("SSL_CERT_FILE") then
 local paths = { -- https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux#comment1155804_62500
 "/etc/ssl/certs/ca-certificates.crt", -- Debian/Ubuntu/Gentoo etc. |
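Review bot: The `noverify` branch turns off TLS certificate validation with no runtime signal, so a script or CI job that passes `--ssl_certs=noverify` (or inherits it from a wrapper) shows nothing in its output that the connection was unauthenticated. Emit a warning before `system.certs("noverify")`, e.g. `io.stderr:write("warning: --ssl_certs=noverify disables TLS certificate validation\n")`, or the file's own logging helper if it has one (not visible here). The string compare also runs before `system.stat`, so a bundle or directory literally named `noverify` in the working directory can never be selected; a one-line comment noting that reserved value would spare the next reader the surprise.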