Roll back some changes to support cross compile

- Dependencies.yaml: set the security module version EVerest#51 (comment) - libevse-security: remove the validation of sub-certs EVerest#51 (comment) - Make the context be unconst EVerest#51 (comment)
US-JOET · Jun 14, 2024 · 67ffdd7 · 67ffdd7
1 parent 964caaf
commit 67ffdd7
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 0 deletions.
diff --git a/manager/dependencies.patch b/manager/dependencies.patch
@@ -0,0 +1,13 @@
+diff --git a/dependencies.yaml b/dependencies.yaml
+index d1fdfba..e8b0d0e 100644
+--- a/dependencies.yaml
++++ b/dependencies.yaml
+@@ -50,7 +50,7 @@ libcurl:
+ # and would otherwise be overwritten by the version used there
+ libevse-security:
+   git: https://github.com/EVerest/libevse-security.git
+-  git_tag: v0.7.0
++  git_tag: 4330ce2e28e25535dd01558edb2331891c146769
+   cmake_condition: "EVEREST_DEPENDENCY_ENABLED_LIBEVSE_SECURITY"
+
+ # OCPP
diff --git a/manager/libevse-security.patch b/manager/libevse-security.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp
+index 3347b88..ee4f550 100644
+--- a/lib/evse_security/crypto/openssl/openssl_supplier.cpp
++++ b/lib/evse_security/crypto/openssl/openssl_supplier.cpp
+@@ -591,25 +591,7 @@ CertificateValidationResult OpenSSLSupplier::x509_verify_certificate_chain(
+         }
+     }
+
+-    X509_STACK_UNSAFE_ptr untrusted = nullptr;
+-
+-    // Build potentially untrusted intermediary (subca) certificates
+-    if (false == untrusted_subcas.empty()) {
+-        untrusted = X509_STACK_UNSAFE_ptr(sk_X509_new_null());
+-        int flags = X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_NO_SS;
+-
+-        for (auto& untrusted_cert : untrusted_subcas) {
+-            if (1 != X509_add_cert(untrusted.get(), get(untrusted_cert), flags)) {
+-                EVLOG_error << "X509 could not create untrusted store stack!";
+-                return CertificateValidationResult::Unknown;
+-            }
+-        }
+-    }
+-
+-    if (1 != X509_STORE_CTX_init(store_ctx_ptr.get(), store_ptr.get(), get(target), untrusted.get())) {
+-        EVLOG_error << "X509 could not init x509 store ctx!";
+-        return CertificateValidationResult::Unknown;
+-    }
++    X509_STORE_CTX_init(store_ctx_ptr.get(), store_ptr.get(), get(target), NULL);
+
+     if (allow_future_certificates) {
+         // Manually check if cert is expired
diff --git a/manager/libocpp-ssl.patch b/manager/libocpp-ssl.patch
@@ -0,0 +1,47 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 07a310c..ffb36f8 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -25,7 +25,7 @@ endif()
+ # dependencies
+ find_package(Boost COMPONENTS program_options regex system thread REQUIRED)
+ find_package(SQLite3 REQUIRED)
+-find_package(OpenSSL 3 REQUIRED)
++find_package(OpenSSL REQUIRED)
+
+ if(NOT DISABLE_EDM)
+     evc_setup_edm()
+diff --git a/lib/ocpp/common/websocket/websocket_libwebsockets.cpp b/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
+index 3139856..e9c5fbb 100644
+--- a/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
++++ b/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
+@@ -156,15 +156,18 @@ public:
+ static bool verify_csms_cn(const std::string& hostname, bool preverified, const X509_STORE_CTX* ctx,
+                            bool allow_wildcards) {
+
++    X509_STORE_CTX* non_const_ctx = X509_STORE_CTX_new();	
++    memcpy(non_const_ctx, ctx, sizeof(ctx)); // args are (dest, src, size)
++
+     // Error depth gives the depth in the chain (with 0 = leaf certificate) where
+     // a potential (!) error occurred; error here means current error code and can also be "OK".
+     // This thus gives also the position (in the chain)  of the currently to be verified certificate.
+     // If depth is 0, we need to check the leaf certificate;
+     // If depth > 0, we are verifying a CA (or SUB-CA) certificate and thus trust "preverified"
+-    int depth = X509_STORE_CTX_get_error_depth(ctx);
++    int depth = X509_STORE_CTX_get_error_depth(non_const_ctx);
+
+     if (!preverified) {
+-        int error = X509_STORE_CTX_get_error(ctx);
++        int error = X509_STORE_CTX_get_error(non_const_ctx);
+         EVLOG_warning << "Invalid certificate error '" << X509_verify_cert_error_string(error) << "' (at chain depth '"
+                       << depth << "')";
+     }
+@@ -172,7 +175,7 @@ static bool verify_csms_cn(const std::string& hostname, bool preverified, const
+     // only check for CSMS server certificate
+     if (depth == 0 and preverified) {
+         // Get server certificate
+-        X509* server_cert = X509_STORE_CTX_get_current_cert(ctx);
++        X509* server_cert = X509_STORE_CTX_get_current_cert(non_const_ctx);
+
+         // TODO (ioan): this manual verification is done because libwebsocket does not take into account
+         // the host parameter that we are setting during 'tls_init'. This function should be removed