From: Konstantin Demin
Date: Wed, 31 Jan 2024 09:24:53 +0000 (+0300)
Subject: nmap: ncat: use default CA bundle
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=c8793c02857d8d7ad2981cd862223e42862f9059;p=feed%2Fpackages.git

nmap: ncat: use default CA bundle

Signed-off-by: Konstantin Demin
---

diff --git a/net/nmap/Makefile b/net/nmap/Makefile
index 55c52b9399..8cd0020261 100644
--- a/net/nmap/Makefile
+++ b/net/nmap/Makefile
@@ -73,14 +73,14 @@ endef
 
 define Package/ncat-ssl
 $(call Package/nmap/default)
- DEPENDS:=$(NCAT_DEPENDS) +libopenssl
+ DEPENDS:=$(NCAT_DEPENDS) +libopenssl +ca-bundle
 VARIANT:=ssl
 TITLE:=Ncat (with OpenSSL support)
 endef
 
 define Package/ncat-full
 $(call Package/nmap/default)
- DEPENDS:=$(NCAT_DEPENDS) +libopenssl +liblua5.3
+ DEPENDS:=$(NCAT_DEPENDS) +libopenssl +ca-bundle +liblua5.3
 VARIANT:=full
 TITLE:=Ncat (with OpenSSL and scripting support)
 endef
@@ -179,7 +179,6 @@ endef
 define Package/ncat-ssl/install
 $(call Package/ncat/install,$(1))
 $(INSTALL_DIR) $(1)/usr/share/ncat
- $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/ncat/ca-bundle.crt $(1)/usr/share/ncat/
 endef
 
 Package/ncat-full/install=$(Package/ncat-ssl/install)
diff --git a/net/nmap/patches/030-ncat-drop-ca-bundle.patch b/net/nmap/patches/030-ncat-drop-ca-bundle.patch
new file mode 100644
index 0000000000..0112c03f09
--- /dev/null
+++ b/net/nmap/patches/030-ncat-drop-ca-bundle.patch
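Review bot: With the `$(INSTALL_DATA)` line gone, `$(INSTALL_DIR) $(1)/usr/share/ncat` in Package/ncat-ssl/install now creates a directory that nothing in this recipe populates, and the rule is reused unchanged for ncat-full via `Package/ncat-full/install=$(Package/ncat-ssl/install)`. The bundled patch appears to leave Makefile.in's DATAFILES empty for the OpenSSL case, so unless ncat installs other data under /usr/share/ncat that I cannot see here, drop the `$(INSTALL_DIR)` line too so the ssl and full packages do not ship an empty directory suggesting a bundle location that is no longer consulted. If the directory is intentionally kept for another consumer, a one-line comment in the recipe saying what goes there would avoid the same question on the next review.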
@@ -0,0 +1,66 @@
+Author: Konstantin Demin
+Title: ncat: avoid shipping/using internal ca-bundle.crt
+
+1. ca-bundle.crt may provide outdated trusted CAs.
+2. maintain trusted CAs in one place.
+
+Also remove references to NCAT_CA_CERTS_FILE and NCAT_CA_CERTS_PATH in order to catch future errors early (i.e. at compile-time).
+
+ ncat/Makefile.in | 1 -
+ ncat/ncat_posix.c | 13 +------------
+ ncat/ncat_ssl.h | 2 --
+ 3 files changed, 1 insertion(+), 15 deletions(-)
+
+--- a/ncat/Makefile.in
++++ b/ncat/Makefile.in
+@@ -80,7 +80,6 @@ DATAFILES =
+ ifneq ($(HAVE_OPENSSL),)
+ SRCS += http_digest.c
+ OBJS += http_digest.o
+-DATAFILES = certs/ca-bundle.crt
+ endif
+ 
+ ifneq ($(NOLUA),yes)
+--- a/ncat/ncat_posix.c
++++ b/ncat/ncat_posix.c
+@@ -347,28 +347,17 @@ void set_lf_mode(void)
+ 
+ #ifdef HAVE_OPENSSL
+ 
+-#define NCAT_CA_CERTS_PATH (NCAT_DATADIR "/" NCAT_CA_CERTS_FILE)
+-
+ int ssl_load_default_ca_certs(SSL_CTX *ctx)
+ {
+ int rc;
+ 
+ if (o.debug)
+- logdebug("Using system default trusted CA certificates and those in %s.\n", NCAT_CA_CERTS_PATH);
++ logdebug("Using system default trusted CA certificates.\n");
+ 
+ /* Load distribution-provided defaults, if any. */
+ rc = SSL_CTX_set_default_verify_paths(ctx);
+ ncat_assert(rc > 0);
+ 
+- /* Also load the trusted certificates we ship. */
+- rc = SSL_CTX_load_verify_locations(ctx, NCAT_CA_CERTS_PATH, NULL);
+- if (rc != 1) {
+- if (o.debug)
+- logdebug("Unable to load trusted CA certificates from %s: %s\n",
+- NCAT_CA_CERTS_PATH, ERR_error_string(ERR_get_error(), NULL));
+- return -1;
+- }
+-
+ return 0;
+ }
+ #endif
+--- a/ncat/ncat_ssl.h
++++ b/ncat/ncat_ssl.h
+@@ -67,8 +67,6 @@
+ #include
+ #include
+ 
+-#define NCAT_CA_CERTS_FILE "ca-bundle.crt"
+-
+ enum {
+ SHA1_BYTES = 160 / 8,
+ /* 40 bytes for hex digits and 9 bytes for ' '. */
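Review bot: After this patch `ssl_load_default_ca_certs` can no longer report an empty trust store: `SSL_CTX_set_default_verify_paths` only registers OpenSSL's compiled-in lookup locations and returns success whether or not any certificate exists there, whereas the removed `SSL_CTX_load_verify_locations` branch returned -1 when the shipped bundle could not be read. The outcome is fail-closed (with nothing trusted, every verified connection is rejected), so it is acceptable, but the only diagnostic left is a debug line claiming system defaults are in use even when the ca-bundle package is missing or installs somewhere other than OpenSSL's OPENSSLDIR defaults, which the outer Makefile's `+ca-bundle` dependency assumes rather than checks. Consider printing the effective locations so that case is diagnosable, e.g. `logdebug("Using system default trusted CA certificates (%s, %s).\n", X509_get_default_cert_file(), X509_get_default_cert_dir());`. A short comment above the `SSL_CTX_set_default_verify_paths` call noting that OpenSSL also honours the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables here would document the new behaviour the hard-coded bundle path did not have. The whole function lies inside the nested hunk.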