From 8ad1884f1f42c6ba3d21832d57287028eedd6f03 Mon Sep 17 00:00:00 2001
From: Timo Teräs
Date: Tue, 20 Dec 2022 23:16:12 +0200
Subject: apk, fetch: implement --no-check-certificate fixes #10650
---
 libfetch/common.c | 13 +++++++++++--
 libfetch/fetch.h | 2 ++
 2 files changed, 13 insertions(+), 2 deletions(-)
(limited to 'libfetch')
diff --git a/libfetch/common.c b/libfetch/common.c
index 4a6b867..f867373 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -55,6 +55,8 @@
 /*** Local data **************************************************************/
+static int ssl_verify_mode = SSL_VERIFY_PEER;
+
 /*
 * Error messages for resolver errors
 */
@@ -79,6 +81,12 @@ fetch_finderr(struct fetcherr *p, int e)
 return (p);
 }
+void
+fetch_no_check_certificate(void)
+{
+ ssl_verify_mode = SSL_VERIFY_NONE;
+}
+
 /*
 * Set error code
 */
@@ -466,7 +474,7 @@ static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 else
 SSL_CTX_set_default_verify_paths(ctx);
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
+ SSL_CTX_set_verify(ctx, ssl_verify_mode, 0);
 return 1;
 }
@@ -573,7 +581,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 NULL) != 1) {
 fprintf(stderr, "SSL certificate subject doesn't match host %s\n",
 URL->host);
- return -1;
+ if (ssl_verify_mode != SSL_VERIFY_NONE)
+ return -1;
 }
 }
diff --git a/libfetch/fetch.h b/libfetch/fetch.h
index 66b77f4..0c07c05 100644
--- a/libfetch/fetch.h
+++ b/libfetch/fetch.h
@@ -101,6 +101,8 @@ struct url_list {
 extern "C" {
 #endif
+void fetch_no_check_certificate(void);
+
 void fetchIO_close(fetchIO *);
 ssize_t fetchIO_read(fetchIO *, void *, size_t);
 ssize_t fetchIO_write(fetchIO *, const void *, size_t);
--
cgit v1.2.3-60-g2f50
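Review bot: `fetch_no_check_certificate()` in the second common.c hunk flips the file-scope `ssl_verify_mode` for the whole process, and nothing in the patch can set it back. Every later TLS connection made through this library, to any host, therefore skips chain validation and, per the `fetch_ssl` hunk, no longer fails on a hostname mismatch. The function has no comment, unlike the blocks around it; I would add one stating that scope, e.g. `/* Disable TLS certificate and hostname verification for all subsequent connections in this process; it cannot be re-enabled. */`. If libfetch is ever driven by callers other than the command-line flag, a per-connection setting would limit the exposure, though that is a larger change than this commit.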
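Review bot: When `ssl_verify_mode` is `SSL_VERIFY_NONE`, the `SSL_CTX_set_verify` call in `fetch_ssl_setup_peer_verification` lets the handshake accept any certificate chain and nothing is reported. The output of an unverified transfer then looks the same as a verified one unless the subject happens to mismatch. A warning here would make the downgraded state visible in logs, e.g. `if (ssl_verify_mode == SSL_VERIFY_NONE) fprintf(stderr, "warning: TLS certificate verification is disabled\n");` just before the `SSL_CTX_set_verify` call. The function starts outside the hunk, so whether `verbose` should gate the message is for the author to decide.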
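Review bot: With verification off, the mismatch branch in `fetch_ssl` still prints `SSL certificate subject doesn't match host ...` worded as a failure and then carries on, so a reader of stderr cannot tell that the mismatch was ignored. Either skip the comparison in that mode or say so in the message, for example `fprintf(stderr, "warning: ignoring certificate subject mismatch for host %s\n", URL->host);` when `ssl_verify_mode == SSL_VERIFY_NONE`. Braces around the new `if (ssl_verify_mode != SSL_VERIFY_NONE)` body would also guard against a later statement being added under it and running unconditionally. The enclosing condition begins outside the hunk.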
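Review bot: The new prototype in fetch.h is exported without a comment, and its `fetch_` snake_case name matches what common.c appears to use for internal helpers (`fetch_finderr`, `fetch_ssl`) rather than the public names around it (`fetchIO_close`, `fetchIO_read`). A name in the public style and a one-line comment would make the security effect clear to API users, e.g. `/* Disables TLS certificate verification process-wide; intended for --no-check-certificate only. */`.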