libopkg: remove x509 support
authorJo-Philipp Wich <jo@mein.io>
Sat, 18 Feb 2017 13:57:20 +0000 (14:57 +0100)
committerJo-Philipp Wich <jo@mein.io>
Sat, 18 Feb 2017 13:59:52 +0000 (14:59 +0100)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
libopkg/opkg_conf.c
libopkg/opkg_conf.h
libopkg/opkg_download.c
libopkg/opkg_pathfinder.c [deleted file]
libopkg/opkg_pathfinder.h [deleted file]

index dd4f189..03a9489 100644 (file)
@@ -74,9 +74,6 @@ opkg_option_t options[] = {
        {"signature_ca_file", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_file},
        {"signature_ca_path", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_path},
 #endif
-#if defined(HAVE_PATHFINDER)
-       {"check_x509_path", OPKG_OPT_TYPE_BOOL, &_conf.check_x509_path},
-#endif
 #if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
        {"ssl_engine", OPKG_OPT_TYPE_STRING, &_conf.ssl_engine},
        {"ssl_cert", OPKG_OPT_TYPE_STRING, &_conf.ssl_cert},
@@ -491,9 +488,6 @@ int opkg_conf_load(void)
 
        conf->restrict_to_default_dest = 0;
        conf->default_dest = NULL;
-#if defined(HAVE_PATHFINDER)
-       conf->check_x509_path = 1;
-#endif
 
        if (!conf->offline_root)
                conf->offline_root = xstrdup(getenv("OFFLINE_ROOT"));
index 3893f33..acb7fa0 100644 (file)
@@ -104,9 +104,6 @@ struct opkg_conf {
        char *ssl_ca_path;
        int ssl_dont_verify_peer;
 #endif
-#ifdef HAVE_PATHFINDER
-       int check_x509_path;
-#endif
 
        /* proxy options */
        char *http_proxy;
index 33b6e73..433f7fc 100644 (file)
 #include <openssl/hmac.h>
 #endif
 
-#ifdef HAVE_PATHFINDER
-#include "opkg_pathfinder.h"
-#endif
-
 #if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL)
 static void openssl_init(void);
 #endif
@@ -473,15 +469,6 @@ int opkg_verify_file(char *text_file, char *sig_file)
                         sig_file);
                goto verify_file_end;
        }
-#if defined(HAVE_PATHFINDER)
-       if (conf->check_x509_path) {
-               if (!pkcs7_pathfinder_verify_signers(p7)) {
-                       opkg_msg(ERROR, "pkcs7_pathfinder_verify_signers: "
-                                "Path verification failed.\n");
-                       goto verify_file_end;
-               }
-       }
-#endif
 
        // Open the Package file to authenticate
        if (!(indata = BIO_new_file(text_file, "rb"))) {
@@ -671,21 +658,6 @@ static CURL *opkg_curl_init(curl_progress_func cb, void *data)
                         * CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10)
                         */
                        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
-               } else {
-#ifdef HAVE_PATHFINDER
-                       if (conf->check_x509_path) {
-                               if (curl_easy_setopt
-                                   (curl, CURLOPT_SSL_CTX_FUNCTION,
-                                    curl_ssl_ctx_function) != CURLE_OK) {
-                                       opkg_msg(DEBUG,
-                                                "Failed to set ssl path verification callback.\n");
-                               } else {
-                                       curl_easy_setopt(curl,
-                                                        CURLOPT_SSL_CTX_DATA,
-                                                        NULL);
-                               }
-                       }
-#endif
                }
 
                /* certification authority file and/or path */
diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c
deleted file mode 100644 (file)
index 578328e..0000000
+++ /dev/null
@@ -1,100 +0,0 @@
-/* vi: set noexpandtab sw=4 sts=4: */
-/* opkg_pathfinder.c - the opkg package management system
-
-   Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
-
-   This program is free software; you can redistribute it and/or
-   modify it under the terms of the GNU General Public License as
-   published by the Free Software Foundation; either version 2, or (at
-   your option) any later version.
-
-   This program is distributed in the hope that it will be useful, but
-   WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-*/
-
-#include <openssl/ssl.h>
-#include <libpathfinder.h>
-#include <stdlib.h>
-#if defined(HAVE_SSLCURL)
-#include <curl/curl.h>
-#endif
-
-#include "libbb/libbb.h"
-#include "opkg_message.h"
-
-#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
-/*
- *      This callback is called instead of X509_verify_cert to perform path
- *      validation on a certificate using pathfinder.
- *
- */
-static int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg)
-{
-       char *errmsg;
-       const char *hex = "0123456789ABCDEF";
-       size_t size = i2d_X509(ctx->cert, NULL);
-       unsigned char *keybuf, *iend;
-       iend = keybuf = xmalloc(size);
-       i2d_X509(ctx->cert, &iend);
-       char *certdata_str = xmalloc(size * 2 + 1);
-       unsigned char *cp = keybuf;
-       char *certdata_str_i = certdata_str;
-       while (cp < iend) {
-               unsigned char ch = *cp++;
-               *certdata_str_i++ = hex[(ch >> 4) & 0xf];
-               *certdata_str_i++ = hex[ch & 0xf];
-       }
-       *certdata_str_i = 0;
-       free(keybuf);
-
-       const char *policy = "2.5.29.32.0";     // anyPolicy
-       int validated =
-           pathfinder_dbus_verify(certdata_str, policy, 0, 0, &errmsg);
-
-       if (!validated)
-               opkg_msg(ERROR, "Path verification failed: %s.\n", errmsg);
-
-       free(certdata_str);
-       free(errmsg);
-
-       return validated;
-}
-#endif
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7)
-{
-       STACK_OF(X509) * signers;
-       int i, ret = 1;         /* signers are verified by default */
-
-       signers = PKCS7_get0_signers(p7, NULL, 0);
-
-       for (i = 0; i < sk_X509_num(signers); i++) {
-               X509_STORE_CTX ctx = {
-                       .cert = sk_X509_value(signers, i),
-               };
-
-               if (!pathfinder_verify_callback(&ctx, NULL)) {
-                       /* Signer isn't verified ! goto jail; */
-                       ret = 0;
-                       break;
-               }
-       }
-
-       sk_X509_free(signers);
-       return ret;
-}
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm)
-{
-
-       SSL_CTX *ctx = (SSL_CTX *) sslctx;
-       SSL_CTX_set_cert_verify_callback(ctx, pathfinder_verify_callback, parm);
-
-       return CURLE_OK;
-}
-#endif
diff --git a/libopkg/opkg_pathfinder.h b/libopkg/opkg_pathfinder.h
deleted file mode 100644 (file)
index 33d1b10..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-/* opkg_pathfinder.h - the opkg package management system
-
-   Copyright (C) 2009 Camille Moncelier <moncelier@devlife.org>
-
-   This program is free software; you can redistribute it and/or
-   modify it under the terms of the GNU General Public License as
-   published by the Free Software Foundation; either version 2, or (at
-   your option) any later version.
-
-   This program is distributed in the hope that it will be useful, but
-   WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   General Public License for more details.
-*/
-
-#ifndef OPKG_PATHFINDER_H
-#define OPKG_PATHFINDER_H
-
-#include "config.h"
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7);
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm);
-#endif
-
-#endif