Page MenuHomeFreeBSD
Files F107966579

D48109.id148011.diff
No OneTemporary
Actions

D48109.id148011.diff
View Options

diff --git a/usr.sbin/pkg/pkg.h b/usr.sbin/pkg/pkg.h
--- a/usr.sbin/pkg/pkg.h
+++ b/usr.sbin/pkg/pkg.h
@@ -40,11 +40,15 @@
typedef int pkgsign_new_cb(const char *, struct pkgsign_ctx *);
typedef bool pkgsign_verify_cert_cb(const struct pkgsign_ctx *, int,
const char *, const unsigned char *, int, unsigned char *, int);
+typedef bool pkgsign_verify_data_cb(const struct pkgsign_ctx *,
+ const char *, size_t, const char *, const unsigned char *, int,
+ unsigned char *, int);
struct pkgsign_ops {
size_t pkgsign_ctx_size;
pkgsign_new_cb *pkgsign_new;
pkgsign_verify_cert_cb *pkgsign_verify_cert;
+ pkgsign_verify_data_cb *pkgsign_verify_data;
};
extern const struct pkgsign_ops pkgsign_rsa;
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -142,6 +142,17 @@
key, keylen, sig, siglen));
}
+static bool
+pkgsign_verify_data(const struct pkgsign_ctx *ctx, const char *data,
+ size_t datasz, const char *sigfile, const unsigned char *key, int keylen,
+ unsigned char *sig, int siglen)
+{
+
+ return ((*ctx->impl->pi_ops->pkgsign_verify_data)(ctx, data, datasz,
+ sigfile, key, keylen, sig, siglen));
+}
+
+
static int
extract_pkg_static(int fd, char *p, int sz)
{
@@ -574,12 +585,15 @@
{
struct pubkey *pk;
const char *pubkey;
+ char *data;
struct pkgsign_ctx *sctx;
+ size_t datasz;
bool ret;
pk = NULL;
pubkey = NULL;
sctx = NULL;
+ data = NULL;
ret = false;
if (config_string(PUBKEY, &pubkey) != 0) {
warnx("No CONFIG_PUBKEY defined");
@@ -591,6 +605,19 @@
goto cleanup;
}
+ if (lseek(fd_pkg, 0, SEEK_SET) == -1) {
+ warn("lseek");
+ goto cleanup;
+ }
+
+ /* Future types shouldn't do this. */
+ if ((data = sha256_fd(fd_pkg)) == NULL) {
+ warnx("Error creating SHA256 hash for package");
+ goto cleanup;
+ }
+
+ datasz = strlen(data);
+
if (pkgsign_new("rsa", &sctx) != 0) {
warnx("Failed to fetch 'rsa' signer");
goto cleanup;
@@ -598,7 +625,7 @@
/* Verify the signature. */
printf("Verifying signature with public key %s... ", pubkey);
- if (pkgsign_verify_cert(sctx, fd_pkg, pubkey, NULL, 0, pk->sig,
+ if (pkgsign_verify_data(sctx, data, datasz, pubkey, NULL, 0, pk->sig,
pk->siglen) == false) {
fprintf(stderr, "Signature is not valid\n");
goto cleanup;
@@ -607,6 +634,7 @@
ret = true;
cleanup:
+ free(data);
if (pk) {
free(pk->sig);
free(pk);
diff --git a/usr.sbin/pkg/rsa.c b/usr.sbin/pkg/rsa.c
--- a/usr.sbin/pkg/rsa.c
+++ b/usr.sbin/pkg/rsa.c
@@ -78,33 +78,20 @@
}
static bool
-rsa_verify_cert(const struct pkgsign_ctx *ctx __unused, int fd,
- const char *sigfile, const unsigned char *key, int keylen,
- unsigned char *sig, int siglen)
+rsa_verify_data(const struct pkgsign_ctx *ctx __unused,
+ const char *data, size_t datasz, const char *sigfile,
+ const unsigned char *key, int keylen, unsigned char *sig, int siglen)
{
EVP_MD_CTX *mdctx;
EVP_PKEY *pkey;
- char *sha256;
char errbuf[1024];
bool ret;
- sha256 = NULL;
pkey = NULL;
mdctx = NULL;
ret = false;
-
SSL_load_error_strings();
- /* Compute SHA256 of the package. */
- if (lseek(fd, 0, 0) == -1) {
- warn("lseek");
- goto cleanup;
- }
- if ((sha256 = sha256_fd(fd)) == NULL) {
- warnx("Error creating SHA256 hash for package");
- goto cleanup;
- }
-
if (sigfile != NULL) {
if ((pkey = load_public_key_file(sigfile)) == NULL) {
warnx("Error reading public key");
@@ -127,7 +114,7 @@
warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
goto error;
}
- if (EVP_DigestVerifyUpdate(mdctx, sha256, strlen(sha256)) != 1) {
+ if (EVP_DigestVerifyUpdate(mdctx, data, datasz) != 1) {
warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
goto error;
}
@@ -145,7 +132,6 @@
printf("failed\n");
cleanup:
- free(sha256);
if (pkey)
EVP_PKEY_free(pkey);
if (mdctx)
@@ -155,6 +141,34 @@
return (ret);
}
+static bool
+rsa_verify_cert(const struct pkgsign_ctx *ctx __unused, int fd,
+ const char *sigfile, const unsigned char *key, int keylen,
+ unsigned char *sig, int siglen)
+{
+ char *sha256;
+ bool ret;
+
+ sha256 = NULL;
+
+ /* Compute SHA256 of the package. */
+ if (lseek(fd, 0, 0) == -1) {
+ warn("lseek");
+ return (false);
+ }
+ if ((sha256 = sha256_fd(fd)) == NULL) {
+ warnx("Error creating SHA256 hash for package");
+ return (false);
+ }
+
+ ret = rsa_verify_data(ctx, sha256, strlen(sha256), sigfile, key, keylen,
+ sig, siglen);
+ free(sha256);
+
+ return (ret);
+}
+
const struct pkgsign_ops pkgsign_rsa = {
.pkgsign_verify_cert = rsa_verify_cert,
+ .pkgsign_verify_data = rsa_verify_data,
};

File Metadata

Mime Type
text/plain
Expires
Tue, Jan 21, 1:17 AM (18 h, 52 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
15991109
Default Alt Text
D48109.id148011.diff (4 KB)

Event Timeline