From 6a4958d3134a3a61c036bc9ccaccc393c2bb99f2 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Mon, 28 Mar 2016 03:34:54 +0200
Subject: Allow lowering trust level of a hash via config

Introduces APT::Hashes:: with entries Untrusted and Weak which can be set to true to cause the hash to be treated as untrusted and/or weak.
---
 methods/gpgv.cc | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

(limited to 'methods/gpgv.cc')

diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 43f1df878..60a7d4719 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -45,19 +45,20 @@ struct Digest {
 Untrusted,
 Weak,
 Trusted,
- Configureable
 } state;
 char name[32];
 State getState() const {
- if (state != Digest::State::Configureable)
- return state;
- std::string const digestconfig = _config->Find("Debug::Acquire::gpgv::configdigest::truststate", "trusted");
- if (digestconfig == "weak")
- return State::Weak;
- else if (digestconfig == "untrusted")
+ std::string optionUntrusted;
+ std::string optionWeak;
+ strprintf(optionUntrusted, "APT::Hashes::%s::Untrusted", name);
+ strprintf(optionWeak, "APT::Hashes::%s::Weak", name);
+ if (_config->FindB(optionUntrusted, state == State::Untrusted) == true)
 return State::Untrusted;
- return State::Trusted;
+ if (_config->FindB(optionWeak, state == State::Weak) == true)
+ return State::Weak;
+
+ return state;
 }
 };
@@ -73,9 +74,8 @@ static constexpr Digest Digests[] = {
 {Digest::State::Trusted, "SHA256"},
 {Digest::State::Trusted, "SHA384"},
 {Digest::State::Trusted, "SHA512"},
- {Digest::State::Configureable, "SHA224"},
+ {Digest::State::Trusted, "SHA224"},
 };
-static_assert(Digests[_count(Digests) - 1].state == Digest::State::Configureable, "the last digest algo isn't the configurable one which we expect for tests");
 static Digest FindDigest(std::string const & Digest) {
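Review bot: `Digest::getState()` in the first hunk carries no comment stating that the two new options can only lower a digest's trust level, which is the property a reader auditing signature handling will look for. Each `FindB` call uses the compiled-in state as its default and the fallback is `return state;`, so setting `APT::Hashes::NAME::Untrusted` or `APT::Hashes::NAME::Weak` to false cannot promote a digest, and Untrusted is tested before Weak so it wins when both are set. I would record that above the function, e.g. `// Config can only lower trust: a "false" value falls through to the built-in state; Untrusted takes precedence over Weak.` The removed `Debug::Acquire::gpgv::configdigest::truststate` key has no fallback in the new code, so a test or local configuration that still sets it presumably becomes a silent no-op; worth confirming those were updated outside this path-limited view. The struct's opening lines lie outside the hunk.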
@@ -234,8 +234,8 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 if (Debug == true)
 std::clog << "Got untrusted VALIDSIG, key ID: " << sig << std::endl;
 break;
- case Digest::State::Configureable:
- case Digest::State::Trusted:
+
+ case Digest::State::Trusted:
 if (Debug == true)
 std::clog << "Got trusted VALIDSIG, key ID: " << sig << std::endl;
 break;
--
cgit v1.2.3