nmap: ncat: use default CA bundle

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-06-17 04:44:10 +02:00 · 2024-01-31 12:24:53 +03:00 · 2024-01-31 12:24:53 +03:00 · c8793c0285
commit c8793c0285
parent 5aded5ac7d
2 changed files with 68 additions and 3 deletions
--- a/net/nmap/Makefile
+++ b/net/nmap/Makefile
@ -73,14 +73,14 @@ endef

 define Package/ncat-ssl
 $(call Package/nmap/default)
-  DEPENDS:=$(NCAT_DEPENDS) +libopenssl
+  DEPENDS:=$(NCAT_DEPENDS) +libopenssl +ca-bundle
  VARIANT:=ssl
  TITLE:=Ncat (with OpenSSL support)
 endef

 define Package/ncat-full
 $(call Package/nmap/default)
-  DEPENDS:=$(NCAT_DEPENDS) +libopenssl +liblua5.3
+  DEPENDS:=$(NCAT_DEPENDS) +libopenssl +ca-bundle +liblua5.3
  VARIANT:=full
  TITLE:=Ncat (with OpenSSL and scripting support)
 endef
@ -179,7 +179,6 @@ endef
 define Package/ncat-ssl/install
 	$(call Package/ncat/install,$(1))
 	$(INSTALL_DIR) $(1)/usr/share/ncat
-	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/ncat/ca-bundle.crt $(1)/usr/share/ncat/
 endef

 Package/ncat-full/install=$(Package/ncat-ssl/install)
--- a/net/nmap/patches/030-ncat-drop-ca-bundle.patch
+++ b/net/nmap/patches/030-ncat-drop-ca-bundle.patch
@ -0,0 +1,66 @@
+Author: Konstantin Demin <rockdrilla@gmail.com>
+Title: ncat: avoid shipping/using internal ca-bundle.crt
+
+1. ca-bundle.crt may provide outdated trusted CAs.
+2. maintain trusted CAs in one place.
+
+Also remove references to NCAT_CA_CERTS_FILE and NCAT_CA_CERTS_PATH in order to catch future errors early (i.e. at compile-time).
+
+ ncat/Makefile.in  |  1 -
+ ncat/ncat_posix.c | 13 +------------
+ ncat/ncat_ssl.h   |  2 --
+ 3 files changed, 1 insertion(+), 15 deletions(-)
+
+--- a/ncat/Makefile.in
+++ b/ncat/Makefile.in
+@@ -80,7 +80,6 @@ DATAFILES =
+ ifneq ($(HAVE_OPENSSL),)
+ SRCS += http_digest.c
+ OBJS += http_digest.o
+-DATAFILES = certs/ca-bundle.crt
+ endif
+ 
+ ifneq ($(NOLUA),yes)
+--- a/ncat/ncat_posix.c
+++ b/ncat/ncat_posix.c
+@@ -347,28 +347,17 @@ void set_lf_mode(void)
+ 
+ #ifdef HAVE_OPENSSL
+ 
+-#define NCAT_CA_CERTS_PATH (NCAT_DATADIR "/" NCAT_CA_CERTS_FILE)
+-
+ int ssl_load_default_ca_certs(SSL_CTX *ctx)
+ {
+     int rc;
+ 
+     if (o.debug)
+-        logdebug("Using system default trusted CA certificates and those in %s.\n", NCAT_CA_CERTS_PATH);
+        logdebug("Using system default trusted CA certificates.\n");
+ 
+     /* Load distribution-provided defaults, if any. */
+     rc = SSL_CTX_set_default_verify_paths(ctx);
+     ncat_assert(rc > 0);
+ 
+-    /* Also load the trusted certificates we ship. */
+-    rc = SSL_CTX_load_verify_locations(ctx, NCAT_CA_CERTS_PATH, NULL);
+-    if (rc != 1) {
+-        if (o.debug)
+-            logdebug("Unable to load trusted CA certificates from %s: %s\n",
+-                NCAT_CA_CERTS_PATH, ERR_error_string(ERR_get_error(), NULL));
+-        return -1;
+-    }
+-
+     return 0;
+ }
+ #endif
+--- a/ncat/ncat_ssl.h
+++ b/ncat/ncat_ssl.h
+@@ -67,8 +67,6 @@
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+ 
+-#define NCAT_CA_CERTS_FILE "ca-bundle.crt"
+-
+ enum {
+     SHA1_BYTES = 160 / 8,
+     /* 40 bytes for hex digits and 9 bytes for ' '. */