diff options
author | joerg <joerg> | 2008-07-18 19:10:55 +0000 |
---|---|---|
committer | joerg <joerg> | 2008-07-18 19:10:55 +0000 |
commit | a9143019ebb76dcfa5c24a7277b65f0c2e84c1f6 (patch) | |
tree | 8adb1496ea6a78f63416f66cb8fbc97661145b29 | |
parent | 132f9d16c88d06fb5fdd60457b3c884b9669e67b (diff) | |
download | pkgsrc-a9143019ebb76dcfa5c24a7277b65f0c2e84c1f6.tar.gz |
Make pkg_verify_signature return with modified arguments if it can find
a signed package, but couldn't validate the signature.
Make pkg_info try to validate the signature. It will print an error to
stderr if it can't validate the signature, but otherwise continue.
-rw-r--r-- | pkgtools/pkg_install/files/info/perform.c | 35 | ||||
-rw-r--r-- | pkgtools/pkg_install/files/lib/pkg_signature.c | 16 |
2 files changed, 35 insertions, 16 deletions
diff --git a/pkgtools/pkg_install/files/info/perform.c b/pkgtools/pkg_install/files/info/perform.c index 48615ecca2a..8f6f7e1183b 100644 --- a/pkgtools/pkg_install/files/info/perform.c +++ b/pkgtools/pkg_install/files/info/perform.c @@ -1,4 +1,4 @@ -/* $NetBSD: perform.c,v 1.46.2.2 2008/05/23 15:36:48 joerg Exp $ */ +/* $NetBSD: perform.c,v 1.46.2.3 2008/07/18 19:10:55 joerg Exp $ */ #if HAVE_CONFIG_H #include "config.h" @@ -17,7 +17,7 @@ #if 0 static const char *rcsid = "from FreeBSD Id: perform.c,v 1.23 1997/10/13 15:03:53 jkh Exp"; #else -__RCSID("$NetBSD: perform.c,v 1.46.2.2 2008/05/23 15:36:48 joerg Exp $"); +__RCSID("$NetBSD: perform.c,v 1.46.2.3 2008/07/18 19:10:55 joerg Exp $"); #endif #endif @@ -174,10 +174,10 @@ free_pkg_meta(struct pkg_meta *meta) #ifndef BOOTSTRAP static struct pkg_meta * -read_meta_data_from_archive(struct archive *archive) +read_meta_data_from_archive(struct archive *archive, + struct archive_entry *entry) { struct pkg_meta *meta; - struct archive_entry *entry; const char *fname; const struct pkg_meta_desc *descr, *last_descr; char **target; @@ -192,7 +192,11 @@ read_meta_data_from_archive(struct archive *archive) memset(meta, 0, sizeof(*meta)); last_descr = 0; + if (entry != NULL) + goto has_entry; + while ((r = archive_read_next_header(archive, &entry)) == ARCHIVE_OK) { +has_entry: fname = archive_entry_pathname(entry); for (descr = pkg_meta_descriptors; descr->entry_filename; @@ -308,11 +312,30 @@ pkg_do(const char *pkg) #else struct archive *archive; void *archive_cookie; +# ifdef HAVE_SSL + void *signature_cookie; +# endif + struct archive_entry *entry; + char *pkgname; archive = open_archive(pkg, &archive_cookie); - - meta = read_meta_data_from_archive(archive); + if (archive == NULL) { + warnx("can't find package `%s', skipped", pkg); + return -1; + } + pkgname = NULL; + entry = NULL; +# ifdef HAVE_SSL + pkg_verify_signature(&archive, &entry, &pkgname, + &signature_cookie); +# endif + free(pkgname); + + meta = read_meta_data_from_archive(archive, entry); close_archive(archive_cookie); +# ifdef HAVE_SSL + pkg_free_signature(signature_cookie); +# endif if (!IS_URL(pkg)) binpkgfile = pkg; #endif diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c b/pkgtools/pkg_install/files/lib/pkg_signature.c index 425f37cd1c7..35c6c21b28a 100644 --- a/pkgtools/pkg_install/files/lib/pkg_signature.c +++ b/pkgtools/pkg_install/files/lib/pkg_signature.c @@ -1,4 +1,4 @@ -/* $NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */ +/* $NetBSD: pkg_signature.c,v 1.1.2.4 2008/07/18 19:10:55 joerg Exp $ */ #if HAVE_CONFIG_H #include "config.h" @@ -7,7 +7,7 @@ #if HAVE_SYS_CDEFS_H #include <sys/cdefs.h> #endif -__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $"); +__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.4 2008/07/18 19:10:55 joerg Exp $"); /*- * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>. @@ -322,7 +322,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry, struct archive *a; char *hash_file, *signature_file; size_t hash_len, signature_len; - int r; + int r, has_sig; *pkgname = NULL; *cookie = NULL; @@ -355,12 +355,8 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry, if (parse_hash_file(hash_file, pkgname, state)) goto no_valid_signature; - if (easy_pkcs7_verify(hash_file, hash_len, signature_file, - signature_len, certs_packages, 1)) { - free(signature_file); - free_signature_int(state); - goto no_valid_signature; - } + has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file, + signature_len, certs_packages, 1); free(signature_file); @@ -393,7 +389,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry, *entry = NULL; *cookie = state; - return 0; + return has_sig ? 0 : -1; no_valid_signature: return -1; |