This reverts commit 1ff4c95f115028cd3786f249ef77500767c904bf.
Intended side effect so that the launcher will have access to the vars
published by config.sh -- when the launcher starts the actual script
the script itself will source the config.sh again causing the env_init()
to be called for all participating COMMANDS. This ensures the env_init()
call is locked by default.
Running the grep below lights up a few spots still:
# git grep 'pkg[^/\[\.a-z'"'"',()_+"]'
Make a few decisions for the future:
* Use "pkg-static" outside the firmware code consistently
with a full path
* Modify ambiguous code or comments to not be found by the
grep above
* Firmware uses PKG now if we ever have to pivot to pkg-static
or when we need to otherwise modify the call.
The goal of this exercise was to find all stray package manager
spots that may run their own embedded pkg-update without the
proper environment which should be gone for now.
While debugging some missing TLS parameters, I noticed the ciphers were different than expected. Digging a bit deeper seemed to indicate env_init() wasn't called on my end.
If SELF should be the command, the intention was likely to pass the parameter instead of the script name (which is always launcher)
cc @fichtner
If we convert groups to a model, we will switch the nested <member> tags into comma separated fields, e.g.
<member>1</member>
<member>12</member>
will convert to:
<member>1,12</member>
Using this commit we support both for areas where these are being read.
We do not currently use /usr/local/share/certs/untrusted either,
but keep it for future use. The other directories are not used
by FreeBSD 14 or newer so just remove their use.
Unfortunately python requests/urllib3/ssl ignores platform openssl defaults, but do choose defaults which do not always match expectations.
Below per configuration item (system_default_sect) the current situation:
* CipherString --> supported, using ciphers list
* Ciphersuites --> not supported, but does seem to follow configuration defaults. When python adds support, we likely have to change something.
* SignatureAlgorithms --> not supported, but seem as above
* Groups (Curves) --> partly supported, only one may be offered, we select the first item in the list, knowing that is a bit flaky (see: set_ecdh_curve())
* MinProtocol --> supported
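To make the list above concrete, here is an added example (not OPNsense code) that reads a constructed system_default_sect and applies only the items Python's ssl module can express to an SSLContext, following the same mapping: CipherString via set_ciphers(), MinProtocol via minimum_version, the first Groups entry via set_ecdh_curve(), and everything else reported as skipped. The config values are assumptions for illustration.

```python
import configparser
import ssl

# Constructed sample of an OpenSSL "system_default_sect" section; the values are
# assumptions for this example, not a platform's shipped defaults.
SAMPLE_OPENSSL_CNF = """
[system_default_sect]
CipherString = HIGH:!aNULL:!MD5
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256
Groups = prime256v1:X25519
MinProtocol = TLSv1.2
"""

# OpenSSL MinProtocol names mapped onto ssl.TLSVersion
MIN_PROTOCOL = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def read_system_defaults(cnf_text):
    """Return the system_default_sect key/value pairs with OpenSSL's CamelCase keys kept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lowercase keys
    cp.read_string(cnf_text)
    return dict(cp["system_default_sect"])

def apply_system_defaults(ctx, defaults):
    """Apply what the ssl module supports; list the rest so nobody assumes it took effect."""
    report = {"applied": {}, "skipped": []}
    for key, value in defaults.items():
        if key == "CipherString":
            ctx.set_ciphers(value)            # TLS 1.2 cipher list
            report["applied"][key] = value
        elif key == "MinProtocol":
            ctx.minimum_version = MIN_PROTOCOL[value]
            report["applied"][key] = value
        elif key == "Groups":
            first = value.split(":")[0]       # only one curve can be offered
            ctx.set_ecdh_curve(first)
            report["applied"][key] = first
        else:                                 # Ciphersuites, SignatureAlgorithms
            report["skipped"].append(key)
    return report

def configured_context(cnf_text=SAMPLE_OPENSSL_CNF):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx, apply_system_defaults(ctx, read_system_defaults(cnf_text))
```

The returned report makes the gap visible: the TLS 1.3 suites and signature algorithms from the config are never applied by this code path, exactly the situation the list describes.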
Allow for an extra argument as sometimes we just want one
component. There's no way to access this easily but it makes
sense for testing.
Squelch the CRL warnings in the rquery as we want to parse
it correctly anyway instead of reading error messages.
Add version annotation to core check.
Since pyOpenSSL doesn't support generating hashes for CRLs, we calculated one with the functions available in the libraries.
Unfortunately X509Name doesn't seem to support duplicate attributes, causing mismatches on our end.
This commit replaces the previous logic with a direct call to openssl; although it's slower, it will deliver the expected outcome.
Also provide an env_init() call for internal launcher commands
to set up relevant things. We do this to move the special libfetch
handling into the locked spot underneath the launcher.sh invoke.