From: Jo-Philipp Wich
Date: Sat, 18 Feb 2017 13:57:20 +0000 (+0100)
Subject: libopkg: remove x509 support
X-Git-Url: https://git.librecmc.org/?p=oweals%2Fopkg-lede.git;a=commitdiff_plain;h=374d9aadeef27c7213999a1d63ba094aa8aecf51

libopkg: remove x509 support

Signed-off-by: Jo-Philipp Wich
---
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index dd4f189..03a9489 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -74,9 +74,6 @@ opkg_option_t options[] = {
 {"signature_ca_file", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_file},
 {"signature_ca_path", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_path},
 #endif
-#if defined(HAVE_PATHFINDER)
- {"check_x509_path", OPKG_OPT_TYPE_BOOL, &_conf.check_x509_path},
-#endif
 #if defined(HAVE_SSLCURL) && defined(HAVE_CURL)
 {"ssl_engine", OPKG_OPT_TYPE_STRING, &_conf.ssl_engine},
 {"ssl_cert", OPKG_OPT_TYPE_STRING, &_conf.ssl_cert},
@@ -491,9 +488,6 @@ int opkg_conf_load(void)
 conf->restrict_to_default_dest = 0;
 conf->default_dest = NULL;
-#if defined(HAVE_PATHFINDER)
- conf->check_x509_path = 1;
-#endif
 if (!conf->offline_root)
 conf->offline_root = xstrdup(getenv("OFFLINE_ROOT"));
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 3893f33..acb7fa0 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -104,9 +104,6 @@ struct opkg_conf {
 char *ssl_ca_path;
 int ssl_dont_verify_peer;
 #endif
-#ifdef HAVE_PATHFINDER
- int check_x509_path;
-#endif
 /* proxy options */
 char *http_proxy;
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 33b6e73..433f7fc 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -52,10 +52,6 @@
 #include
 #endif
-#ifdef HAVE_PATHFINDER
-#include "opkg_pathfinder.h"
-#endif
-
 #if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL)
 static void openssl_init(void);
 #endif
@@ -473,15 +469,6 @@ int opkg_verify_file(char *text_file, char *sig_file)
 sig_file);
 goto verify_file_end;
 }
-#if defined(HAVE_PATHFINDER)
- if (conf->check_x509_path) {
- if (!pkcs7_pathfinder_verify_signers(p7)) {
- opkg_msg(ERROR, "pkcs7_pathfinder_verify_signers: "
- "Path verification failed.\n");
- goto verify_file_end;
- }
- }
-#endif
 // Open the Package file to authenticate
 if (!(indata = BIO_new_file(text_file, "rb"))) {
@@ -671,21 +658,6 @@ static CURL *opkg_curl_init(curl_progress_func cb, void *data)
 * CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10) */
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
- } else {
-#ifdef HAVE_PATHFINDER
- if (conf->check_x509_path) {
- if (curl_easy_setopt
- (curl, CURLOPT_SSL_CTX_FUNCTION,
- curl_ssl_ctx_function) != CURLE_OK) {
- opkg_msg(DEBUG,
- "Failed to set ssl path verification callback.\n");
- } else {
- curl_easy_setopt(curl,
- CURLOPT_SSL_CTX_DATA,
- NULL);
- }
- }
-#endif
 }
 /* certification authority file and/or path */
diff --git a/libopkg/opkg_pathfinder.c b/libopkg/opkg_pathfinder.c
deleted file mode 100644
index 578328e..0000000
--- a/libopkg/opkg_pathfinder.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/* vi: set noexpandtab sw=4 sts=4: */
-/* opkg_pathfinder.c - the opkg package management system
-
- Copyright (C) 2009 Camille Moncelier
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#include
-#include
-#include
-#if defined(HAVE_SSLCURL)
-#include
-#endif
-
-#include "libbb/libbb.h"
-#include "opkg_message.h"
-
-#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL)
-/*
- * This callback is called instead of X509_verify_cert to perform path
- * validation on a certificate using pathfinder.
- *
- */
-static int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg)
-{
- char *errmsg;
- const char *hex = "0123456789ABCDEF";
- size_t size = i2d_X509(ctx->cert, NULL);
- unsigned char *keybuf, *iend;
- iend = keybuf = xmalloc(size);
- i2d_X509(ctx->cert, &iend);
- char *certdata_str = xmalloc(size * 2 + 1);
- unsigned char *cp = keybuf;
- char *certdata_str_i = certdata_str;
- while (cp < iend) {
- unsigned char ch = *cp++;
- *certdata_str_i++ = hex[(ch >> 4) & 0xf];
- *certdata_str_i++ = hex[ch & 0xf];
- }
- *certdata_str_i = 0;
- free(keybuf);
-
- const char *policy = "2.5.29.32.0"; // anyPolicy
- int validated =
- pathfinder_dbus_verify(certdata_str, policy, 0, 0, &errmsg);
-
- if (!validated)
- opkg_msg(ERROR, "Path verification failed: %s.\n", errmsg);
-
- free(certdata_str);
- free(errmsg);
-
- return validated;
-}
-#endif
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7)
-{
- STACK_OF(X509) * signers;
- int i, ret = 1; /* signers are verified by default */
-
- signers =
PKCS7_get0_signers(p7, NULL, 0);
-
- for (i = 0; i < sk_X509_num(signers); i++) {
- X509_STORE_CTX ctx = {
- .cert = sk_X509_value(signers, i),
- };
-
- if (!pathfinder_verify_callback(&ctx, NULL)) {
- /* Signer isn't verified ! goto jail; */
- ret = 0;
- break;
- }
- }
-
- sk_X509_free(signers);
- return ret;
-}
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm)
-{
-
- SSL_CTX *ctx = (SSL_CTX *) sslctx;
- SSL_CTX_set_cert_verify_callback(ctx, pathfinder_verify_callback, parm);
-
- return CURLE_OK;
-}
-#endif
diff --git a/libopkg/opkg_pathfinder.h b/libopkg/opkg_pathfinder.h
deleted file mode 100644
index 33d1b10..0000000
--- a/libopkg/opkg_pathfinder.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* opkg_pathfinder.h - the opkg package management system
-
- Copyright (C) 2009 Camille Moncelier
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#ifndef OPKG_PATHFINDER_H
-#define OPKG_PATHFINDER_H
-
-#include "config.h"
-
-#if defined(HAVE_OPENSSL)
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7);
-#endif
-
-#if defined(HAVE_SSLCURL)
-CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm);
-#endif
-
-#endif