[pkg-wpa-devel] [PATCH]: do not embed crypto data when USE_OPENSSL=1

Kel Modderman kel at otaku42.de
Mon Mar 1 14:43:44 UTC 2010


If USE_OPENSSL=1 do not embed crypto data into binary and use the PUBKEY_DIR
variable just as it is when USE_GCRYPT=1. When verification fails provide
information about the PUBKEY_DIR variable.

This change removes support for runtime pubkey dir /etc/wireless-regdb/pubkeys
as wireless-regdb does not currently install custom pubkeys to
/etc/wireless-regdb/pubkeys and I can't see any value in modifying
wireless-regdb to do that.

Fix typo in the verification hint (s/make noverify/make all_noverify/).

Signed-off-by: Kel Modderman <kel at otaku42.de>
---
--- a/Makefile
+++ b/Makefile
@@ -16,13 +16,6 @@ UDEV_LEVEL=$(CRDA_UDEV_LEVEL)-
 # a different location.
 UDEV_RULE_DIR?=/lib/udev/rules.d/
 
-# If your distribution requires a custom pubkeys dir
-# you must update this variable to reflect where the
-# keys are put when building. For example you can run
-# with make PUBKEY_DIR=/usr/lib/crda/pubkeys
-PUBKEY_DIR?=pubkeys
-RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
-
 CFLAGS += -Wall -g
 
 all: all_noverify verify
@@ -30,12 +23,12 @@ all: all_noverify verify
 all_noverify: crda intersect regdbdump
 
 ifeq ($(USE_OPENSSL),1)
-CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
+PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys
+CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" `pkg-config --cflags openssl`
 LDLIBS += `pkg-config --libs openssl`
 
-reglib.o: keys-ssl.c
-
 else
+PUBKEY_DIR?=pubkeys
 CFLAGS += -DUSE_GCRYPT
 LDLIBS += -lgcrypt
 
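Review bot: The new `PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys` line at the top of the USE_OPENSSL branch has no comment, while the first hunk deleted the only explanation of what PUBKEY_DIR means; in this branch the value is compiled into the binary via `-DPUBKEY_DIR` and, with the embedded keys removed, becomes the only place trusted keys are read from at runtime, so a reader has nothing telling them it must match where wireless-regdb installs its keys on the target system. Suggest a comment above it such as `# USE_OPENSSL=1: runtime directory crda reads public keys from; compiled into the` / `# binary, so it must match where wireless-regdb installs its keys (e.g. /usr/lib/crda/pubkeys).` and a one-liner above the gcrypt `PUBKEY_DIR?=pubkeys` noting that there the same variable is the build-time key source. The default also collapses to `/lib/crda/pubkeys` if PREFIX is empty; I cannot see from this hunk whether PREFIX is defined elsewhere in the Makefile, so check that it is.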
@@ -82,7 +75,13 @@ $(REG_BIN):
 	$(NQ) $(REG_GIT)
 	$(NQ)
 	$(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)"
-	$(NQ) "Use \"make noverify\" to disable verification"
+	$(NQ)
+	$(NQ) "If your distribution requires a custom pubkeys dir you must set"
+	$(NQ) "PUBKEY_DIR to path where the keys are installed by wireless-regdb."
+	$(NQ) "For example:"
+	$(NQ) "    make PUBKEY_DIR=/usr/lib/crda/pubkeys"
+	$(NQ)
+	$(NQ) "Use \"make all_noverify\" to disable verification"
 	$(NQ)
 	$(Q) exit 1
 
--- a/reglib.c
+++ b/reglib.c
@@ -18,10 +18,6 @@
 
 #include "reglib.h"
 
-#ifdef USE_OPENSSL
-#include "keys-ssl.c"
-#endif
-
 #ifdef USE_GCRYPT
 #include "keys-gcrypt.c"
 #endif
@@ -49,7 +45,6 @@ int crda_verify_db_signature(__u8 *db, i
 #ifdef USE_OPENSSL
 	RSA *rsa;
 	__u8 hash[SHA_DIGEST_LENGTH];
-	unsigned int i;
 	int ok = 0;
 	DIR *pubkey_dir;
 	struct dirent *nextfile;
@@ -61,24 +56,7 @@ int crda_verify_db_signature(__u8 *db, i
 		goto out;
 	}
 
-	for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) {
-		rsa = RSA_new();
-		if (!rsa) {
-			fprintf(stderr, "Failed to create RSA key.\n");
-			goto out;
-		}
-
-		rsa->e = &keys[i].e;
-		rsa->n = &keys[i].n;
-
-		ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
-				db + dblen, siglen, rsa) == 1;
-
-		rsa->e = NULL;
-		rsa->n = NULL;
-		RSA_free(rsa);
-	}
-	if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
+	if ((pubkey_dir = opendir(PUBKEY_DIR))) {
 		while (!ok && (nextfile = readdir(pubkey_dir))) {
 			snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
 				nextfile->d_name);
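Review bot: When `opendir(PUBKEY_DIR)` fails on the new `if` line, verification fails with no diagnostic: the embedded keys are gone, so this directory is now the sole trust root for the OpenSSL build, and `ok` is simply left at 0, making a missing, unreadable or wrongly configured PUBKEY_DIR indistinguishable from a bad signature. Failing closed is the right outcome, but the cause should be reported; an `else` branch in the file's existing fprintf(stderr, …) style, e.g. `else fprintf(stderr, "Failed to open pubkey directory " PUBKEY_DIR "\n");`, would make the PUBKEY_DIR advice in the Makefile actionable from the runtime error as well. This assumes the function still returns `ok` as before; the rest of crda_verify_db_signature, including the readdir loop body and the `out` label, lies outside the hunk.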
---


