ssl: 'noverifyssl' kernel boot argument.

Prevents Anaconda from verifying the ssl certificate for all https
connections with an exception of the additional repos (where --noverifyssl
can be set per repo).

For instance, this allows downloading kickstart specified as
ks=https://... where the server is using a self-signed certificate.

Resolves: rhbz#696696
Related: rhbz#728562

3 files changed, 7 insertions, 3 deletions

diff --git a/loader/loader.c b/loader/loader.c
index b072745c4..e15667f38 100644
--- a/loader/loader.c
+++ b/loader/loader.c
@@ -934,6 +934,8 @@ static void parseCmdLineFlags(struct loaderData_s * loaderData) {
         } else if (!strcasecmp(k, "sshd")) {
             logMessage(INFO, "early networking required for sshd");
             flags |= LOADER_FLAGS_EARLY_NETWORKING;
+        } else if (!strcasecmp(k, "noverifyssl")) {
+            flags |= LOADER_FLAGS_NOVERIFYSSL;
         } else if (v != NULL) {
             /* boot arguments that are of the form name=value */
             /* all arguments in this block require the value  */
@@ -2377,7 +2379,7 @@ int main(int argc, char ** argv) {
             }
         }
 
-        if (loaderData.instRepo_noverifyssl) {
+        if (loaderData.instRepo_noverifyssl || FL_NOVERIFYSSL(flags)) {
             *argptr++ = "--noverifyssl";
         }
 
diff --git a/loader/loader.h b/loader/loader.h
index 68b03f6ca..46031586e 100644
--- a/loader/loader.h
+++ b/loader/loader.h
@@ -72,6 +72,7 @@
 #define LOADER_FLAGS_KICKSTART_SEND_SERIAL   (((uint64_t) 1) << 39)
 #define LOADER_FLAGS_AUTOMODDISK        (((uint64_t) 1) << 40)
 #define LOADER_FLAGS_NOEJECT            (((uint64_t) 1) << 41)
+#define LOADER_FLAGS_NOVERIFYSSL        (((uint64_t) 1) << 42)
 
 #define FL_TEXT(a)               ((a) & LOADER_FLAGS_TEXT)
 #define FL_RESCUE(a)             ((a) & LOADER_FLAGS_RESCUE)
@@ -107,6 +108,7 @@
 #define FL_KICKSTART_SEND_SERIAL(a) ((a) & LOADER_FLAGS_KICKSTART_SEND_SERIAL)
 #define FL_AUTOMODDISK(a)        ((a) & LOADER_FLAGS_AUTOMODDISK)
 #define FL_NOEJECT(a)            ((a) & LOADER_FLAGS_NOEJECT)
+#define FL_NOVERIFYSSL(a)        ((a) & LOADER_FLAGS_NOVERIFYSSL)
 
 void doExit(int) __attribute__ ((noreturn));
 void startNewt(void);
diff --git a/loader/urls.c b/loader/urls.c
index b5f0a0a7c..f96e1e3c6 100644
--- a/loader/urls.c
+++ b/loader/urls.c
@@ -163,8 +163,8 @@ int urlinstTransfer(struct loaderData_s *loaderData, const char *src,
 
         curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
     }
-    
-    if (loaderData->instRepo_noverifyssl) {
+
+    if (loaderData->instRepo_noverifyssl || FL_NOVERIFYSSL(flags)) {
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
     }