[opkg][opkg-0.4.5 PATCH 0/3] [RFC] Deprecate OpenSSL signature verification

Alex Stewart

Feb 5, 2021, 1:07:07 PM
to opkg-...@googlegroups.com, alex.s...@ni.com
When we filed Bugzilla #8564 [1], OpenSSL used an independent license
which had poor compatibility with GPL v2. Since 2015, OpenSSL 3.0 has
released on the Apache 2.0 license, which has *better* compatibility.
[2]

However, feed signature verification using OpenSSL (versus GPGME) seems
to be relatively rare in the community (so says google) and openssl
verification has not been the default for many releases.

So I think it's still reasonable to deprecate OpenSSL verification, and
the pathfinder-pki optional link, going forward.


The first commit of this patchset announces to opkg builders that
OpenSSL signature verification and pathfinder-pki will be deprecated in
"future releases".

Commits 2 and 3 actually perform the deprecation.

This patchset would also deprecate the `signature_ca_file`,
`signature_ca_path`, and `check_x509_path` opkg conf settings.

If there is agreement in the community, I will merge the first commit
for release 0.4.5 and then merge the latter commits for a 0.5.0 release
(on the normal, semi-annual release schedule).

Note that SSL-cURL functionality should be unaffected by these patches.


[RFC]
Are my assumptions about OpenSSL signature verification being uncommon,
correct? Is anyone using `--enable-openssl` and/or `--enable-pathfinder`
in their opkg builds?

Are there general objections to deprecating this feature?


[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8564
[2] https://www.gnu.org/licenses/license-list.en.html#apache2

Alex Stewart (3):
configure.ac: announce openssl sig checking deprecation
deprecate pathfinder x509 checking
deprecate OpenSSL signature verification

configure.ac | 28 ----
libopkg/Makefile.am | 8 +-
libopkg/opkg_conf.c | 10 --
libopkg/opkg_conf.h | 8 --
libopkg/opkg_download_curl.c | 22 ----
libopkg/opkg_openssl.c | 246 -----------------------------------
libopkg/opkg_openssl.h | 39 ------
libopkg/opkg_verify.c | 16 ---
man/opkg.conf.5.in | 9 --
9 files changed, 2 insertions(+), 384 deletions(-)
delete mode 100644 libopkg/opkg_openssl.c
delete mode 100644 libopkg/opkg_openssl.h

--
2.30.0

Alex Stewart

Feb 5, 2021, 1:07:16 PM
to opkg-...@googlegroups.com, alex.s...@ni.com
Assert that OpenSSL signature checking is a relatively unused feature by
opkg integrators. Further, the OpenSSL licenses have never been
accommodating to static builders.

So begin to deprecate OpenSSL signature checking by first announcing
our intentions to builders with an AutoConf warning.

Signed-off-by: Alex Stewart <alex.s...@ni.com>
---
configure.ac | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/configure.ac b/configure.ac
index 56e1f0d3bc3708e733f64f2cd1b459f818357c02..c40bef82d6acb55eaa2ec1ce2b601fb927644aae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,6 +62,8 @@ AC_ARG_ENABLE(pathfinder,
[want_pathfinder="$enableval"], [want_pathfinder="no"])
dnl Check for libpathfinder
if test "x$want_pathfinder" = "xyes"; then
+ AC_MSG_WARN(Pathfinder-pki x509 path validation is depracted and will be \
+removed in future releases.)
PKG_CHECK_MODULES([PATHFINDER], [pathfinder-openssl dbus-1 openssl])
if test -n "$PATHFINDER_CFLAGS$PATHFINDER_LIBS"; then
AC_DEFINE(HAVE_PATHFINDER, 1, [we have pathfinder])
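Review bot: "depracted" in the AC_MSG_WARN text should be "deprecated"; as written, the warning will not match a search for "deprecated" in build logs. The message is also passed unquoted with a backslash-newline, unlike the bracketed arguments given to AC_DEFINE two lines further down. Wrapping it in [ ] as one logical line avoids depending on how m4 and the shell treat the continuation.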
@@ -134,6 +136,8 @@ AC_ARG_ENABLE(openssl,
[want_openssl="$enableval"], [want_openssl="no"])

if test "x$want_openssl" = "xyes"; then
+ AC_MSG_WARN(OpenSSL signature-checking support is depracted and will be \
+removed in future releases. Consider using GPGME (--enable-gpg) instead.)
AC_DEFINE(HAVE_OPENSSL, 1, [Define if you want OpenSSL support])
NEED_SSL_LIBS="yes"
fi
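Review bot: the same "depracted" typo appears in the OpenSSL AC_MSG_WARN. This message also carries parentheses, "(--enable-gpg)", inside an unquoted macro argument, which only works because they are balanced, so quote the argument with [ ]. Since the cover letter ties the removal to a 0.5.0 release, naming that release here instead of "future releases" would give integrators a concrete deadline.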
--
2.30.0

Alex Stewart

Feb 5, 2021, 1:07:16 PM
to opkg-...@googlegroups.com, alex.s...@ni.com
pathfinder-pki is an option extension to OpenSSL which facilitates
path-validation of x509 certificates. It is linked into libopkg when
--enable-pathfinder is asserted at configure-time.

Assert that pathfinder is not frequently used by opkg integrators and
the library itself is obsolescent. (The project name is also obnoxiously
common when trying to google.)

Remove:
* all references to pathfinder-pki
* the --enable-pathfinder AutoConf option
* the `check_x509_path` opkg conf setting

Signed-off-by: Alex Stewart <alex.s...@ni.com>
---
configure.ac | 18 --------
libopkg/Makefile.am | 4 +-
libopkg/opkg_conf.c | 6 ---
libopkg/opkg_conf.h | 5 ---
libopkg/opkg_download_curl.c | 16 -------
libopkg/opkg_openssl.c | 84 ------------------------------------
libopkg/opkg_openssl.h | 4 --
7 files changed, 2 insertions(+), 135 deletions(-)

diff --git a/configure.ac b/configure.ac
index c40bef82d6acb55eaa2ec1ce2b601fb927644aae..0e9bd567302659a30c8f50907cb37f5bbf61dfbf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,24 +55,6 @@ else
PKG_CHECK_MODULES([LIBARCHIVE], [libarchive])
fi

-dnl extra argument: --enable-pathfinder
-AC_ARG_ENABLE(pathfinder,
- AC_HELP_STRING([--enable-pathfinder], [Enable libpathfinder support.
- [[default=no]] ]),
- [want_pathfinder="$enableval"], [want_pathfinder="no"])
-dnl Check for libpathfinder
-if test "x$want_pathfinder" = "xyes"; then
- AC_MSG_WARN(Pathfinder-pki x509 path validation is depracted and will be \
-removed in future releases.)
- PKG_CHECK_MODULES([PATHFINDER], [pathfinder-openssl dbus-1 openssl])
- if test -n "$PATHFINDER_CFLAGS$PATHFINDER_LIBS"; then
- AC_DEFINE(HAVE_PATHFINDER, 1, [we have pathfinder])
- fi
- AC_SUBST(PATHFINDER_CFLAGS)
- AC_SUBST(PATHFINDER_LIBS)
-fi
-AM_CONDITIONAL(HAVE_PATHFINDER, test "x$want_pathfinder" = "xyes")
-
# check for xz
AC_ARG_ENABLE(xz,
AC_HELP_STRING([--enable-xz], [Enable xz compressor support
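Review bot: removing AC_ARG_ENABLE(pathfinder) outright means a build recipe that still passes --enable-pathfinder is not stopped. By default configure only prints an "unrecognized options" warning and continues, producing an opkg without the x509 path validation the integrator asked for. Consider keeping a small AC_ARG_ENABLE stub for one release that calls AC_MSG_ERROR when the option is set to yes, so the loss of the check is a build failure rather than a log line.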
diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am
index 2e2fb050614a5603a7e4cd6801c24f21b88e4972..ca4a2eeb5f1e0c94b671eca7ce11dbe801231d9f 100644
--- a/libopkg/Makefile.am
+++ b/libopkg/Makefile.am
@@ -2,7 +2,7 @@
AM_CFLAGS=-Wall -DHOST_CPU_STR=\"@host_cpu@\" -DDATADIR=\"@datadir@\" \
-DSYSCONFDIR=\"@sysconfdir@\" -DVARDIR=\"@localstatedir@\" \
-I$(top_srcdir) $(LIBARCHIVE_CFLAGS) $(BIGENDIAN_CFLAGS) $(CURL_CFLAGS) \
- $(GPGME_CFLAGS) $(GPGERR_CFLAGS) $(PATHFINDER_CFLAGS) $(SOLVER_CFLAGS)
+ $(GPGME_CFLAGS) $(GPGERR_CFLAGS) $(SOLVER_CFLAGS)

libopkg_includedir=$(includedir)/libopkg

@@ -69,6 +69,6 @@ endif

libopkg_la_LIBADD = $(LIBARCHIVE_LIBS) \
$(CURL_LIBS) $(GPGME_LIBS) $(GPGERR_LIBS) $(OPENSSL_LIBS) \
- $(PATHFINDER_LIBS) $(SOLVER_LIBS)
+ $(SOLVER_LIBS)

libopkg_la_LDFLAGS = -version-info 1:0:0
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index b49f5fb6b6e942aeaaea82b9759d1d94e982b52e..c0d448e900b6a4fccc9d7a4e9b086b329e864371 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -98,9 +98,6 @@ static opkg_option_t options[] = {
{"signature_ca_file", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_file},
{"signature_ca_path", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_path},
#endif
-#if defined(HAVE_PATHFINDER)
- {"check_x509_path", OPKG_OPT_TYPE_BOOL, &_conf.check_x509_path},
-#endif
#if defined(HAVE_CURL)
{"connect_timeout_ms", OPKG_OPT_TYPE_INT, &_conf.connect_timeout_ms},
{"transfer_timeout_ms", OPKG_OPT_TYPE_INT, &_conf.transfer_timeout_ms},
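Review bot: with the check_x509_path entry gone from options[], an existing opkg.conf that sets it no longer matches any known key, and this hunk does not show how opkg_conf handles that. Please state in the commit message what a device with that line in its config will see after upgrade (ignored, warning, or error), or keep the key for one release and log that it has no effect.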
@@ -685,9 +682,6 @@ int opkg_conf_load(void)

opkg_config->restrict_to_default_dest = 0;
opkg_config->default_dest = NULL;
-#if defined(HAVE_PATHFINDER)
- opkg_config->check_x509_path = 1;
-#endif
if (!opkg_config->offline_root)
opkg_config->offline_root = xstrdup(getenv("OFFLINE_ROOT"));

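Review bot: the removed default in opkg_conf_load is check_x509_path = 1, so path validation was on for every --enable-pathfinder build unless the config turned it off. This is the removal of a default-on check, not of an opt-in one, and the commit message should say so explicitly.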
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 4c56f0cbe0ea079053b3f764f3ecbd8355c8fd6b..293d239b00f230c497b8258cc219247653df1a8a 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -155,11 +155,6 @@ typedef struct opkg_conf {
*/
char *http_auth;

- /* pathfinder options: used only when opkg is configured with
- * '--enable-pathfinder', otherwise always NULL or 0 as above.
- */
- int check_x509_path;
-
/* proxy options */
char *http_proxy;
char *https_proxy;
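Review bot: check_x509_path is removed from the middle of struct opkg_conf, and the field was compiled in unconditionally (its comment says it is "always NULL or 0" without pathfinder), so the offsets of http_proxy and every later member change for all builds. The Makefile.am context in this same patch still shows libopkg_la_LDFLAGS = -version-info 1:0:0. If opkg_conf.h is an installed header, bump the libtool version together with this change.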
diff --git a/libopkg/opkg_download_curl.c b/libopkg/opkg_download_curl.c
index 17ad3a4efe45189fb2f01adbdfda286481dd2871..a28293ecd0b4721a2db8050067f7792720bd0184 100644
--- a/libopkg/opkg_download_curl.c
+++ b/libopkg/opkg_download_curl.c
@@ -130,16 +130,6 @@ static char *replace_token_in_str(const char *str, const char *token,

return replaced_str;
}
-
-#if defined(HAVE_PATHFINDER) && defined(HAVE_OPENSSL)
-static CURLcode curl_ssl_ctx_function(CURL * curl, void *sslctx, void *parm)
-{
- SSL_CTX *ctx = (SSL_CTX *) sslctx;
- SSL_CTX_set_cert_verify_callback(ctx, pathfinder_verify_callback, parm);
-
- return CURLE_OK;
-}
-#endif /* HAVE_PATHFINDER && HAVE_OPENSSL */
#endif /* HAVE_SSLCURL */

/** \brief create_file_stamp: creates stamp for file
@@ -432,12 +422,6 @@ static CURL *opkg_curl_init(curl_progress_func cb, void *data)
* CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10)
*/
setopt(CURLOPT_SSL_VERIFYPEER, 0);
-#if defined(HAVE_PATHFINDER) && defined(HAVE_OPENSSL)
- else if (opkg_config->check_x509_path) {
- setopt(CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function);
- setopt(CURLOPT_SSL_CTX_DATA, NULL);
- }
-#endif

/* certification authority file and/or path */
if (opkg_config->ssl_ca_file)
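Review bot: the removed else-if branch installed pathfinder_verify_callback as the certificate verifier for curl's TLS connections, so dropping it changes HTTPS download behaviour as well as signature checking, which the cover letter's "SSL-cURL functionality should be unaffected" does not reflect. After the change, peer verification is left to curl's own handling with ssl_ca_file and ssl_ca_path. Please mention that in the commit message so integrators who relied on check_x509_path know to provision those settings.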
diff --git a/libopkg/opkg_openssl.c b/libopkg/opkg_openssl.c
index f0ce01fb9a31c55a0fbd3008f70193143d481d04..19015c9799892e970861485f81a0ce1ee716b55a 100644
--- a/libopkg/opkg_openssl.c
+++ b/libopkg/opkg_openssl.c
@@ -36,81 +36,6 @@
#include "opkg_message.h"
#include "opkg_openssl.h"

-#ifdef HAVE_PATHFINDER
-#include <libpathfinder.h>
-#include <stdlib.h>
-#include "xfuncs.h"
-
-/* This callback is called instead of X509_verify_cert to perform path
- * validation on a certificate using pathfinder.
- */
-int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg)
-{
- char *errmsg;
- const char *hex = "0123456789ABCDEF";
- size_t size = i2d_X509(ctx->cert, NULL);
- unsigned char *keybuf, *iend;
- iend = keybuf = xmalloc(size);
- i2d_X509(ctx->cert, &iend);
- char *certdata_str = xmalloc(size * 2 + 1);
- unsigned char *cp = keybuf;
- char *certdata_str_i = certdata_str;
- while (cp < iend) {
- unsigned char ch = *cp++;
- *certdata_str_i++ = hex[(ch >> 4) & 0xf];
- *certdata_str_i++ = hex[ch & 0xf];
- }
- *certdata_str_i = 0;
- free(keybuf);
-
- const char *policy = "2.5.29.32.0"; // anyPolicy
- int validated = pathfinder_dbus_verify(certdata_str, policy, 0, 0, &errmsg);
-
- if (!validated)
- opkg_msg(ERROR, "Path verification failed: %s.\n", errmsg);
-
- free(certdata_str);
- free(errmsg);
-
- return validated;
-}
-
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7)
-{
- STACK_OF(X509) * signers;
- int i, ret = 1; /* signers are verified by default */
-
- signers = PKCS7_get0_signers(p7, NULL, 0);
-
- for (i = 0; i < sk_X509_num(signers); i++) {
- X509_STORE_CTX ctx = {
- .cert = sk_X509_value(signers, i),
- };
-
- if (!pathfinder_verify_callback(&ctx, NULL)) {
- /* Signer isn't verified ! goto jail; */
- ret = 0;
- break;
- }
- }
-
- sk_X509_free(signers);
- return ret;
-}
-#else
-/* Dummy functions */
-int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg)
-{
- opkg_msg(ERROR, "Pathfinder support not enabled.\n");
- return 0;
-}
-
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7)
-{
- opkg_msg(ERROR, "Pathfinder support not enabled.\n");
- return 0;
-}
-#endif /* HAVE_PATHFINDER */

static X509_STORE *setup_verify(char *CAfile, char *CApath)
{
@@ -211,15 +136,6 @@ int opkg_verify_openssl_signature(const char *file, const char *sigfile)
sigfile);
goto verify_file_end;
}
- if (opkg_config->check_x509_path) {
- r = pkcs7_pathfinder_verify_signers(p7);
- if (!r) {
- opkg_msg(ERROR,
- "pkcs7_pathfinder_verify_signers: "
- "Path verification failed.\n");
- goto verify_file_end;
- }
- }
// Open the Package file to authenticate
indata = BIO_new_file(file, "rb");
if (!indata) {
diff --git a/libopkg/opkg_openssl.h b/libopkg/opkg_openssl.h
index 47ebcdcfaa6040e0e0c5f95c2f9aa30d9f477433..418067804a6d55cad884abc9350afdc72330a0a2 100644
--- a/libopkg/opkg_openssl.h
+++ b/libopkg/opkg_openssl.h
@@ -29,10 +29,6 @@ extern "C" {
void openssl_init(void);
int opkg_verify_openssl_signature(const char *file, const char *sigfile);

-/* Pathfinder functions. */
-int pkcs7_pathfinder_verify_signers(PKCS7 * p7);
-int pathfinder_verify_callback(X509_STORE_CTX * ctx, void *arg);
-
#ifdef __cplusplus
}
#endif
--
2.30.0

Alex Stewart

Feb 5, 2021, 1:07:18 PM
to opkg-...@googlegroups.com, alex.s...@ni.com
The OpenSSL libraries are used by libopkg directly, as an optional
method of verifying package feed signatures against a locally stored CA
certificate. They are enabled only when the --enable-openssl argument is
passed to AutoConf.

Assert that --enable-openssl is not widely used by opkg integrators and
that GPG feed signing (--enable-gpg) is preferred in all cases.

Remove:
* OpenSSL signature verification
* the --enable-openssl AutoConf option
* the `signature_ca_file` opkg conf setting
* the `signature_ca_path` opkg conf setting

Signed-off-by: Alex Stewart <alex.s...@ni.com>
---
configure.ac | 14 ---
libopkg/Makefile.am | 4 -
libopkg/opkg_conf.c | 4 -
libopkg/opkg_conf.h | 3 -
libopkg/opkg_download_curl.c | 6 --
libopkg/opkg_openssl.c | 162 -----------------------------------
libopkg/opkg_openssl.h | 35 --------
libopkg/opkg_verify.c | 16 ----
man/opkg.conf.5.in | 9 --
9 files changed, 253 deletions(-)
delete mode 100644 libopkg/opkg_openssl.c
delete mode 100644 libopkg/opkg_openssl.h

diff --git a/configure.ac b/configure.ac
index 0e9bd567302659a30c8f50907cb37f5bbf61dfbf..c21b6576f2ae140f39b44ee9d20187c5a4928da9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,20 +111,6 @@ if test "x$want_sha256" = "xyes"; then
fi
AM_CONDITIONAL(HAVE_SHA256, test "x$want_sha256" = "xyes")

-# check for openssl
-AC_ARG_ENABLE(openssl,
- AC_HELP_STRING([--enable-openssl], [Enable signature checking with OpenSSL
- [[default=no]] ]),
- [want_openssl="$enableval"], [want_openssl="no"])
-
-if test "x$want_openssl" = "xyes"; then
- AC_MSG_WARN(OpenSSL signature-checking support is depracted and will be \
-removed in future releases. Consider using GPGME (--enable-gpg) instead.)
- AC_DEFINE(HAVE_OPENSSL, 1, [Define if you want OpenSSL support])
- NEED_SSL_LIBS="yes"
-fi
-AM_CONDITIONAL(HAVE_OPENSSL, test "x$want_openssl" = "xyes")
-
# check for libssl-curl
AC_ARG_ENABLE(ssl-curl,
AC_HELP_STRING([--enable-ssl-curl], [Enable certificate authentication with curl
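Review bot: the removed block was one place that set NEED_SSL_LIBS="yes"; please confirm the --enable-ssl-curl block that follows sets it on its own, since libopkg/Makefile.am still links $(OPENSSL_LIBS). As with --enable-pathfinder, a recipe that keeps passing --enable-openssl will only get configure's unrecognized-option warning, so an AC_MSG_ERROR stub for one release would make the removal visible at build time.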
diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am
index ca4a2eeb5f1e0c94b671eca7ce11dbe801231d9f..887cbc302db83b53044ed3aab8089704cc6e934e 100644
--- a/libopkg/Makefile.am
+++ b/libopkg/Makefile.am
@@ -36,10 +36,6 @@ if HAVE_SHA256
opkg_sources += sha256.c
opkg_headers += sha256.h
endif
-if HAVE_OPENSSL
-opkg_sources += opkg_openssl.c
-opkg_headers += opkg_openssl.h
-endif
if HAVE_GPGME
opkg_sources += opkg_gpg.c
opkg_headers += opkg_gpg.h
diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index c0d448e900b6a4fccc9d7a4e9b086b329e864371..3cb27eff15015de3e330aec2087d2e985ea448a2 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -94,10 +94,6 @@ static opkg_option_t options[] = {
{"gpg_dir", OPKG_OPT_TYPE_STRING, &_conf.gpg_dir},
{"gpg_trust_level", OPKG_OPT_TYPE_STRING, &_conf.gpg_trust_level},
#endif
-#if defined(HAVE_OPENSSL)
- {"signature_ca_file", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_file},
- {"signature_ca_path", OPKG_OPT_TYPE_STRING, &_conf.signature_ca_path},
-#endif
#if defined(HAVE_CURL)
{"connect_timeout_ms", OPKG_OPT_TYPE_INT, &_conf.connect_timeout_ms},
{"transfer_timeout_ms", OPKG_OPT_TYPE_INT, &_conf.transfer_timeout_ms},
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 293d239b00f230c497b8258cc219247653df1a8a..b7caa74a86d5d8ddc0c64863a7a4e448aea8c65d 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -163,9 +163,6 @@ typedef struct opkg_conf {
char *proxy_user;
char *proxy_passwd;

- char *signature_ca_file;
- char *signature_ca_path;
-
hash_table_t pkg_hash;
hash_table_t file_hash;
hash_table_t obs_file_hash;
diff --git a/libopkg/opkg_download_curl.c b/libopkg/opkg_download_curl.c
index a28293ecd0b4721a2db8050067f7792720bd0184..8fb4764a8c314a6c373e410a3d5bf673b4631640 100644
--- a/libopkg/opkg_download_curl.c
+++ b/libopkg/opkg_download_curl.c
@@ -35,9 +35,6 @@
#include "file_util.h"
#include "xfuncs.h"

-#ifdef HAVE_OPENSSL
-#include "opkg_openssl.h"
-#endif

/*
* Make curl an instance variable so we don't have to instanciate it
@@ -372,9 +369,6 @@ static CURL *opkg_curl_init(curl_progress_func cb, void *data)
curl = curl_easy_init();

#ifdef HAVE_SSLCURL
-#ifdef HAVE_OPENSSL
- openssl_init();
-#endif /* HAVE_OPENSSL */

if (opkg_config->ssl_engine) {
/* use crypto engine */
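Review bot: the openssl_init() call removed here did more than serve the signature code. Per the deleted opkg_openssl.c it ran OPENSSL_config(NULL), OpenSSL_add_all_algorithms() and ERR_load_crypto_strings() before the ssl_engine branch that follows. Please confirm the crypto-engine path does not depend on openssl.cnf having been loaded by that call, or note in the commit message that builds which had both --enable-openssl and --enable-ssl-curl now rely on libcurl's own OpenSSL initialisation.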
diff --git a/libopkg/opkg_openssl.c b/libopkg/opkg_openssl.c
deleted file mode 100644
index 19015c9799892e970861485f81a0ce1ee716b55a..0000000000000000000000000000000000000000
--- a/libopkg/opkg_openssl.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/* vi: set expandtab sw=4 sts=4: */
-/* opkg_openssl.c - the opkg package management system
-
- Copyright (C) 2001 University of Southern California
- Copyright (C) 2008 OpenMoko Inc
- Copyright (C) 2009 Camille Moncelier <monc...@devlife.org>
- Copyright (C) 2014 Paul Barker
-
- SPDX-License-Identifier: GPL-2.0-or-later
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#include "config.h"
-
-#include <openssl/conf.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/hmac.h>
-
-#include "config.h"
-#include "opkg_conf.h"
-#include "opkg_message.h"
-#include "opkg_openssl.h"
-
-
-static X509_STORE *setup_verify(char *CAfile, char *CApath)
-{
- int r;
- X509_STORE *store = NULL;
- X509_LOOKUP *lookup = NULL;
-
- store = X509_STORE_new();
- if (!store) {
- // Something bad is happening...
- goto end;
- }
- // adds the X509 file lookup method
- lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
- if (!lookup) {
- goto end;
- }
- // Autenticating against one CA file
- if (CAfile) {
- r = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
- if (!r) {
- // Invalid CA => Bye bye
- opkg_msg(ERROR, "Error loading file %s.\n", CAfile);
- goto end;
- }
- } else {
- X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
- }
-
- // Now look into CApath directory if supplied
- lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
- if (lookup == NULL) {
- goto end;
- }
-
- if (CApath) {
- r = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
- if (!r) {
- opkg_msg(ERROR, "Error loading directory %s.\n", CApath);
- goto end;
- }
- } else {
- X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- }
-
- // All right !
- ERR_clear_error();
- return store;
-
- end:
-
- X509_STORE_free(store);
- return NULL;
-
-}
-
-void openssl_init(void)
-{
- static int init = 0;
-
- if (!init) {
- OPENSSL_config(NULL);
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
- init = 1;
- }
-}
-
-int opkg_verify_openssl_signature(const char *file, const char *sigfile)
-{
- X509_STORE *store = NULL;
- PKCS7 *p7 = NULL;
- BIO *in = NULL, *indata = NULL;
- int r;
-
- // Sig check failed by default !
- int status = -1;
-
- openssl_init();
-
- // Set-up the key store
- store = setup_verify(opkg_config->signature_ca_file,
- opkg_config->signature_ca_path);
- if (!store) {
- opkg_msg(ERROR, "Can't open CA certificates.\n");
- goto verify_file_end;
- }
- // Open a BIO to read the sig file
- in = BIO_new_file(sigfile, "rb");
- if (!in) {
- opkg_msg(ERROR, "Can't open signature file %s.\n", sigfile);
- goto verify_file_end;
- }
- // Read the PKCS7 block contained in the sig file
- p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
- if (!p7) {
- opkg_msg(ERROR, "Can't read signature file %s (Corrupted ?).\n",
- sigfile);
- goto verify_file_end;
- }
- // Open the Package file to authenticate
- indata = BIO_new_file(file, "rb");
- if (!indata) {
- opkg_msg(ERROR, "Can't open file %s.\n", file);
- goto verify_file_end;
- }
- // Let's verify the autenticity !
- r = PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY);
- if (r != 1) {
- // Get Off My Lawn!
- opkg_msg(ERROR, "Verification failure.\n");
- } else {
- // Victory !
- status = 0;
- }
-
- verify_file_end:
- BIO_free(in);
- BIO_free(indata);
- PKCS7_free(p7);
- X509_STORE_free(store);
-
- return status;
-}
diff --git a/libopkg/opkg_openssl.h b/libopkg/opkg_openssl.h
deleted file mode 100644
index 418067804a6d55cad884abc9350afdc72330a0a2..0000000000000000000000000000000000000000
--- a/libopkg/opkg_openssl.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* vi: set expandtab sw=4 sts=4: */
-/* opkg_openssl.h - the opkg package management system
-
- Copyright (C) 2001 University of Southern California
- Copyright (C) 2014 Paul Barker
-
- SPDX-License-Identifier: GPL-2.0-or-later
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License as
- published by the Free Software Foundation; either version 2, or (at
- your option) any later version.
-
- This program is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-*/
-
-#ifndef OPKG_OPENSSL_H
-#define OPKG_OPENSSL_H
-
-#include <openssl/ssl.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void openssl_init(void);
-int opkg_verify_openssl_signature(const char *file, const char *sigfile);
-
-#ifdef __cplusplus
-}
-#endif
-#endif
diff --git a/libopkg/opkg_verify.c b/libopkg/opkg_verify.c
index 2c36841db75c998206ebc5c5810879c976b82f3d..d80ffc9ddea68670dbbed3d27c6238464e28bb31 100644
--- a/libopkg/opkg_verify.c
+++ b/libopkg/opkg_verify.c
@@ -41,20 +41,6 @@ int opkg_verify_gpg_signature(const char *file, const char *sigfile)
}
#endif

-#ifdef HAVE_OPENSSL
-#include "opkg_openssl.h"
-#else
-/* Dummy openssl signature verification. */
-int opkg_verify_openssl_signature(const char *file, const char *sigfile)
-{
- (void)file;
- (void)sigfile;
-
- opkg_msg(ERROR, "OpenSSL signature checking not supported\n");
- return -1;
-}
-#endif
-
int opkg_verify_md5sum(const char *file, const char *md5sum)
{
int r;
@@ -104,8 +90,6 @@ int opkg_verify_signature(const char *file, const char *sigfile)
|| (strcmp(opkg_config->signature_type, "gpg-asc") == 0);
if (use_gpg)
return opkg_verify_gpg_signature(file, sigfile);
- else if (strcmp(opkg_config->signature_type, "openssl") == 0)
- return opkg_verify_openssl_signature(file, sigfile);

opkg_msg(ERROR, "signature_type option '%s' not understood.\n",
opkg_config->signature_type);
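Review bot: after this removal, a device whose opkg.conf still has signature_type set to "openssl" reaches the generic "signature_type option '%s' not understood." message, which does not tell the operator that support was removed. Suggest a dedicated message for that value pointing to gpg. Please also confirm that the lines after opkg_msg return an error, so an unrecognised type can never be treated as a passed check; the return is outside this hunk.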
diff --git a/man/opkg.conf.5.in b/man/opkg.conf.5.in
index cf2f1b2b965b4a86d251d2a5635bddae4db99c24..94296e77269205eab6d13fcb701aa3a2052dee76 100644
--- a/man/opkg.conf.5.in
+++ b/man/opkg.conf.5.in
@@ -74,9 +74,6 @@ Performs a signature check against a package. The signature file should be next
\fBcheck_signature\fP
Performs a signature check against the package index. The signature file should be next to the package index (default is 0)
.TP
-\fBcheck_x509_path\fP
-Validates the x509 certificate all the way back to the Certificate Authority (default is 0)
-.TP
\fBcombine\fP
Combines upgrade and install operations, this may be needed to resolve dependency issues. Only available for the internal solver backend (default is 0).
.TP
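Review bot: the check_x509_path entry is removed from the man page in this patch, but the setting itself was removed by the previous patch (2/3), whose diffstat does not touch man/opkg.conf.5.in. Move this hunk there so each commit leaves code and documentation consistent. The removed text also gives the default as 0, while opkg_conf_load set check_x509_path = 1 under HAVE_PATHFINDER.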
@@ -199,12 +196,6 @@ User name to use for proxy authentication.
\fBquery-all\fP
Executes a query against all packages from all repositories, not just install packages (default is 0).
.TP
-\fBsignature_ca_file\fP
-Path to the CA certificate file.
-.TP
-\fBsignature_ca_path\fP
-Path to certificates directory.
-.TP
\fBsignature_type\fP
The type of signatures to check against.
.fi
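Review bot: signature_type is left documented only as "The type of signatures to check against.", with no list of accepted values. Now that "openssl" is no longer accepted, add the valid values to this entry and state that OpenSSL signatures are not supported from this release on.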
--
2.30.0
