RPM Package Manager, CVS Repository
http://rpm5.org/cvs/
____________________________________________________________________________
Server: rpm5.org Name: Jeff Johnson
Root: /v/rpm/cvs Email: jbj@rpm5.org
Module: rpm Date: 09-Sep-2007 22:32:44
Branch: HEAD Handle: 2007090921324201
Modified files:
rpm CHANGES
rpm/lib package.c rpmchecksig.c rpmlib.h rpmts.c rpmts.h
signature.c
rpm/rpmio librpmio.vers rpmio_internal.h rpmpgp.c rpmpgp.h
Log:
- jbj: uncouple signature verification from transaction sets.
- jbj: add (*findPubkey) (_ts, _dig) callback in pgpDig.
Summary:
Revision Changes Path
1.1632 +2 -0 rpm/CHANGES
2.159 +2 -2 rpm/lib/package.c
1.145 +1 -1 rpm/lib/rpmchecksig.c
2.434 +3 -10 rpm/lib/rpmlib.h
2.96 +8 -6 rpm/lib/rpmts.c
2.73 +3 -2 rpm/lib/rpmts.h
2.191 +19 -26 rpm/lib/signature.c
2.12 +2 -0 rpm/rpmio/librpmio.vers
2.81 +5 -0 rpm/rpmio/rpmio_internal.h
2.59 +18 -0 rpm/rpmio/rpmpgp.c
2.49 +19 -0 rpm/rpmio/rpmpgp.h
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: rpm/CHANGES
============================================================================
$ cvs diff -u -r1.1631 -r1.1632 CHANGES
--- rpm/CHANGES 9 Sep 2007 19:06:50 -0000 1.1631
+++ rpm/CHANGES 9 Sep 2007 20:32:42 -0000 1.1632
@@ -1,4 +1,6 @@
4.5 -> 5.0:
+ - jbj: uncouple signature verification from transaction sets.
+ - jbj: add (*findPubkey) (_ts, _dig) callback in pgpDig.
- jbj: fix: headerUnload() size implies HEADER_MAGIC_NO, no hackery needed.
- jbj: sum per-dig digest/signature stats into ts stats in rpmtsCleanDig.
- jbj: initialize pgpVSFlags with pgpNewDig(vsflags).
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/package.c
============================================================================
$ cvs diff -u -r2.158 -r2.159 package.c
--- rpm/lib/package.c 9 Sep 2007 17:56:41 -0000 2.158
+++ rpm/lib/package.c 9 Sep 2007 20:32:42 -0000 2.159
@@ -568,7 +568,7 @@
/*@-boundswrite@*/
buf[0] = '\0';
/*@=boundswrite@*/
- rc = rpmVerifySignature(ts, buf);
+ rc = rpmVerifySignature(dig, buf);
/*@-boundswrite@*/
buf[sizeof(buf)-1] = '\0';
@@ -1007,7 +1007,7 @@
/*@-boundswrite@*/
buf[0] = '\0';
/*@=boundswrite@*/
- rc = rpmVerifySignature(ts, buf);
+ rc = rpmVerifySignature(dig, buf);
switch (rc) {
case RPMRC_OK: /* Signature is OK. */
rpmMessage(RPMMESS_DEBUG, "%s: %s", fn, buf);
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/rpmchecksig.c
============================================================================
$ cvs diff -u -r1.144 -r1.145 rpmchecksig.c
--- rpm/lib/rpmchecksig.c 9 Sep 2007 19:06:50 -0000 1.144
+++ rpm/lib/rpmchecksig.c 9 Sep 2007 20:32:42 -0000 1.145
@@ -953,7 +953,7 @@
/*@notreached@*/ /*@switchbreak@*/ break;
}
- res3 = rpmVerifySignature(ts, result);
+ res3 = rpmVerifySignature(dig, result);
/*@-bounds@*/
if (res3) {
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/rpmlib.h
============================================================================
$ cvs diff -u -r2.433 -r2.434 rpmlib.h
--- rpm/lib/rpmlib.h 8 Sep 2007 22:42:36 -0000 2.433
+++ rpm/lib/rpmlib.h 9 Sep 2007 20:32:42 -0000 2.434
@@ -996,20 +996,13 @@
/** \ingroup signature
* Verify a signature from a package.
*
- * This needs the following variables from the transaction set:
- * - ts->sigtag type of signature
- * - ts->sig signature itself (from signature header)
- * - ts->siglen no. of bytes in signature
- * - ts->dig signature/pubkey parameters (malloc'd workspace)
- *
- * @param ts transaction set
+ * @param _dig container
* @retval result detailed text result of signature verification
* @return result of signature verification
*/
-rpmRC rpmVerifySignature(const rpmts ts,
- /*@out@*/ char * result)
+rpmRC rpmVerifySignature(void * _dig, /*@out@*/ char * result)
/*@globals rpmGlobalMacroContext, h_errno, fileSystem, internalState @*/
- /*@modifies ts, *result, rpmGlobalMacroContext,
+ /*@modifies _dig, *result, rpmGlobalMacroContext,
fileSystem, internalState @*/;
/*@}*/
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/rpmts.c
============================================================================
$ cvs diff -u -r2.95 -r2.96 rpmts.c
--- rpm/lib/rpmts.c 9 Sep 2007 19:06:50 -0000 2.95
+++ rpm/lib/rpmts.c 9 Sep 2007 20:32:42 -0000 2.96
@@ -240,12 +240,12 @@
}
/*@=compdef@*/
-rpmRC rpmtsFindPubkey(rpmts ts)
+rpmRC rpmtsFindPubkey(rpmts ts, void * _dig)
{
- const void * sig = rpmtsSig(ts);
- pgpDig dig = rpmtsDig(ts);
- pgpDigParams sigp = rpmtsSignature(ts);
- pgpDigParams pubp = rpmtsPubkey(ts);
+ pgpDig dig = (_dig ? _dig : rpmtsDig(ts));
+ const void * sig = pgpGetSig(dig);
+ pgpDigParams sigp = pgpGetSignature(dig);
+ pgpDigParams pubp = pgpGetPubkey(dig);
rpmRC res = RPMRC_NOKEY;
const char * pubkeysource = NULL;
int krcache = 1; /* XXX assume pubkeys are cached in keyutils keyring. */
@@ -1146,8 +1146,10 @@
pgpDig rpmtsDig(rpmts ts)
{
/*@-mods@*/ /* FIX: hide lazy malloc for now */
- if (ts->dig == NULL)
+ if (ts->dig == NULL) {
ts->dig = pgpNewDig(ts->vsflags);
+ (void) pgpSetFindPubkey(ts->dig, (int (*)(void *, void *))rpmtsFindPubkey, ts);
+ }
/*@=mods@*/
if (ts->dig == NULL)
return NULL;
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/rpmts.h
============================================================================
$ cvs diff -u -r2.72 -r2.73 rpmts.h
--- rpm/lib/rpmts.h 9 Sep 2007 17:56:41 -0000 2.72
+++ rpm/lib/rpmts.h 9 Sep 2007 20:32:42 -0000 2.73
@@ -408,12 +408,13 @@
/**
* Retrieve pubkey from rpm database.
* @param ts rpm transaction
+ * @param _dig container (NULL uses rpmtsDig(ts) instead).
* @return RPMRC_OK on success, RPMRC_NOKEY if not found
*/
/*@-exportlocal@*/
-rpmRC rpmtsFindPubkey(rpmts ts)
+rpmRC rpmtsFindPubkey(rpmts ts, /*@null@*/ void * _dig)
/*@globals rpmGlobalMacroContext, h_errno, fileSystem, internalState @*/
- /*@modifies ts, rpmGlobalMacroContext, fileSystem, internalState */;
+ /*@modifies ts, _dig, rpmGlobalMacroContext, fileSystem, internalState */;
/*@=exportlocal@*/
/** \ingroup rpmts
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/signature.c
============================================================================
$ cvs diff -u -r2.190 -r2.191 signature.c
--- rpm/lib/signature.c 9 Sep 2007 19:06:50 -0000 2.190
+++ rpm/lib/signature.c 9 Sep 2007 20:32:42 -0000 2.191
@@ -12,8 +12,6 @@
#include <rpmmacro.h> /* XXX for rpmGetPath() */
#include "rpmdb.h"
-#include "rpmts.h"
-
#include "misc.h" /* XXX for dosetenv() and makeTempFile() */
#include "legacy.h" /* XXX for mdbinfile() */
#include <pkgio.h>
@@ -705,10 +703,9 @@
}
static rpmRC
-verifySizeSignature(const rpmts ts, /*@out@*/ char * t)
+verifySizeSignature(const pgpDig dig, /*@out@*/ char * t)
/*@modifies *t @*/
{
- pgpDig dig = rpmtsDig(ts);
const void * sig = pgpGetSig(dig);
rpmRC res;
int_32 size = 0x7fffffff;
@@ -740,12 +737,11 @@
}
static rpmRC
-verifyMD5Signature(const rpmts ts, /*@out@*/ char * t,
+verifyMD5Signature(const pgpDig dig, /*@out@*/ char * t,
/*@null@*/ DIGEST_CTX md5ctx)
/*@globals internalState @*/
/*@modifies *t, internalState @*/
{
- pgpDig dig = rpmtsDig(ts);
const void * sig = pgpGetSig(dig);
int_32 siglen = pgpGetSiglen(dig);
rpmRC res;
@@ -792,18 +788,17 @@
/**
* Verify header immutable region SHA1 digest.
- * @param ts transaction set
+ * @param dig container
* @retval t verbose success/failure text
* @param sha1ctx
* @return RPMRC_OK on success
*/
static rpmRC
-verifySHA1Signature(const rpmts ts, /*@out@*/ char * t,
+verifySHA1Signature(const pgpDig dig, /*@out@*/ char * t,
/*@null@*/ DIGEST_CTX sha1ctx)
/*@globals internalState @*/
/*@modifies *t, internalState @*/
{
- pgpDig dig = rpmtsDig(ts);
const void * sig = pgpGetSig(dig);
#ifdef NOTYET
int_32 siglen = pgpGetSiglen(dig);
@@ -866,18 +861,17 @@
/**
* Verify RSA signature.
- * @param ts transaction set
+ * @param dig container
* @retval t verbose success/failure text
* @param md5ctx
* @return RPMRC_OK on success
*/
static rpmRC
-verifyRSASignature(rpmts ts, /*@out@*/ char * t,
+verifyRSASignature(pgpDig dig, /*@out@*/ char * t,
/*@null@*/ DIGEST_CTX md5ctx)
/*@globals rpmGlobalMacroContext, h_errno, fileSystem, internalState @*/
/*@modifies ts, *t, rpmGlobalMacroContext, fileSystem, internalState */
{
- pgpDig dig = rpmtsDig(ts);
const void * sig = pgpGetSig(dig);
#ifdef NOTYET
int_32 siglen = pgpGetSiglen(dig);
@@ -1031,7 +1025,7 @@
}
/* Retrieve the matching public key. */
- res = rpmtsFindPubkey(ts);
+ res = pgpFindPubkey(dig);
if (res != RPMRC_OK)
goto exit;
@@ -1061,18 +1055,17 @@
/**
* Verify DSA signature.
- * @param ts transaction set
+ * @param dig container
* @retval t verbose success/failure text
* @param sha1ctx
* @return RPMRC_OK on success
*/
static rpmRC
-verifyDSASignature(rpmts ts, /*@out@*/ char * t,
+verifyDSASignature(pgpDig dig, /*@out@*/ char * t,
/*@null@*/ DIGEST_CTX sha1ctx)
/*@globals rpmGlobalMacroContext, h_errno, fileSystem, internalState @*/
/*@modifies ts, *t, rpmGlobalMacroContext, fileSystem, internalState */
{
- pgpDig dig = rpmtsDig(ts);
const void * sig = pgpGetSig(dig);
#ifdef NOTYET
int_32 siglen = pgpGetSiglen(dig);
@@ -1147,7 +1140,7 @@
}
/* Retrieve the matching public key. */
- res = rpmtsFindPubkey(ts);
+ res = pgpFindPubkey(dig);
if (res != RPMRC_OK)
goto exit;
@@ -1173,9 +1166,9 @@
}
rpmRC
-rpmVerifySignature(const rpmts ts, char * result)
+rpmVerifySignature(void * _dig, char * result)
{
- pgpDig dig = rpmtsDig(ts);
+ pgpDig dig = _dig;
const void * sig = pgpGetSig(dig);
int_32 siglen = pgpGetSiglen(dig);
int_32 sigtag = pgpGetSigtag(dig);
@@ -1188,31 +1181,31 @@
switch (sigtag) {
case RPMSIGTAG_SIZE:
- res = verifySizeSignature(ts, result);
+ res = verifySizeSignature(dig, result);
break;
case RPMSIGTAG_MD5:
- res = verifyMD5Signature(ts, result, dig->md5ctx);
+ res = verifyMD5Signature(dig, result, dig->md5ctx);
break;
case RPMSIGTAG_SHA1:
- res = verifySHA1Signature(ts, result, dig->hdrsha1ctx);
+ res = verifySHA1Signature(dig, result, dig->hdrsha1ctx);
break;
case RPMSIGTAG_RSA:
- res = verifyRSASignature(ts, result, dig->hdrmd5ctx);
+ res = verifyRSASignature(dig, result, dig->hdrmd5ctx);
break;
#if defined(SUPPORT_RPMV3_VERIFY_RSA)
case RPMSIGTAG_PGP5: /* XXX legacy */
case RPMSIGTAG_PGP:
- res = verifyRSASignature(ts, result,
+ res = verifyRSASignature(dig, result,
((dig->signature.hash_algo == PGPHASHALGO_MD5)
? dig->md5ctx : dig->sha1ctx));
break;
#endif
case RPMSIGTAG_DSA:
- res = verifyDSASignature(ts, result, dig->hdrsha1ctx);
+ res = verifyDSASignature(dig, result, dig->hdrsha1ctx);
break;
#if defined(SUPPORT_RPMV3_VERIFY_DSA)
case RPMSIGTAG_GPG:
- res = verifyDSASignature(ts, result, dig->sha1ctx);
+ res = verifyDSASignature(dig, result, dig->sha1ctx);
break;
#endif
#if defined(SUPPORT_RPMV3_BROKEN)
@@ .
patch -p0 <<'@@ .'
Index: rpm/rpmio/librpmio.vers
============================================================================
$ cvs diff -u -r2.11 -r2.12 librpmio.vers
--- rpm/rpmio/librpmio.vers 9 Sep 2007 19:06:52 -0000 2.11
+++ rpm/rpmio/librpmio.vers 9 Sep 2007 20:32:43 -0000 2.12
@@ -147,6 +147,7 @@
pgpArmorWrap;
pgpCleanDig;
pgpCompressionTbl;
+ pgpFindPubkey;
pgpFreeDig;
pgpGetPubkey;
pgpGetSignature;
@@ -171,6 +172,7 @@
pgpPktLen;
pgpPubkeyTbl;
pgpReadPkts;
+ pgpSetFindPubkey;
pgpSetSig;
pgpSetVSFlags;
pgpSigTypeTbl;
@@ .
patch -p0 <<'@@ .'
Index: rpm/rpmio/rpmio_internal.h
============================================================================
$ cvs diff -u -r2.80 -r2.81 rpmio_internal.h
--- rpm/rpmio/rpmio_internal.h 9 Sep 2007 19:06:52 -0000 2.80
+++ rpm/rpmio/rpmio_internal.h 9 Sep 2007 20:32:43 -0000 2.81
@@ -72,6 +72,11 @@
struct rpmop_s dops; /*!< Digest operation statistics. */
struct rpmop_s sops; /*!< Signature operation statistics. */
+ int (*findPubkey) (void * _ts, /*@null@*/ void * _dig)
+ /*@modifies *_ts, *_dig @*/;/*!< Find pubkey, i.e. rpmtsFindPubkey(). */
+/*@null@*/
+ void * _ts; /*!< Find pubkey argument, i.e. rpmts. */
+
byte ** ppkts;
int npkts;
size_t nbytes; /*!< No. bytes of plain text. */
@@ .
patch -p0 <<'@@ .'
Index: rpm/rpmio/rpmpgp.c
============================================================================
$ cvs diff -u -r2.58 -r2.59 rpmpgp.c
--- rpm/rpmio/rpmpgp.c 9 Sep 2007 19:06:52 -0000 2.58
+++ rpm/rpmio/rpmpgp.c 9 Sep 2007 20:32:43 -0000 2.59
@@ -1211,6 +1211,24 @@
return ovsflags;
}
+int pgpSetFindPubkey(pgpDig dig,
+ int (*findPubkey) (void *ts, void *dig), void * _ts)
+{
+ if (dig) {
+ dig->findPubkey = findPubkey;
+ dig->_ts = _ts;
+ }
+ return 0;
+}
+
+int pgpFindPubkey(pgpDig dig)
+{
+ int rc = 1; /* XXX RPMRC_NOTFOUND */
+ if (dig && dig->findPubkey && dig->_ts)
+ rc = (*dig->findPubkey) (dig->_ts, dig);
+ return rc;
+}
+
static int pgpGrabPkts(const byte * pkts, unsigned int pktlen,
/*@out@*/ byte *** pppkts, /*@out@*/ int * pnpkts)
/*@modifies *pppkts, *pnpkts @*/
@@ .
patch -p0 <<'@@ .'
Index: rpm/rpmio/rpmpgp.h
============================================================================
$ cvs diff -u -r2.48 -r2.49 rpmpgp.h
--- rpm/rpmio/rpmpgp.h 9 Sep 2007 19:06:52 -0000 2.48
+++ rpm/rpmio/rpmpgp.h 9 Sep 2007 20:32:43 -0000 2.49
@@ -1478,6 +1478,25 @@
/*@modifies dig @*/;
/**
+ * Set find pubkey vector.
+ * @param dig container
+ * @param findPubkey routine to find a pubkey.
+ * @param ts argument to routine
+ * @return 0 always
+ */
+int pgpSetFindPubkey(pgpDig dig,
+ int (*findPubkey) (void *ts, void *dig), void * _ts)
+ /*@modifies dig @*/;
+
+/**
+ * Call find pubkey vector.
+ * @param dig container
+ * @return rpmRC return code
+ */
+int pgpFindPubkey(pgpDig dig)
+ /*@modifies dig @*/;
+
+/**
* Is buffer at beginning of an OpenPGP packet?
* @param p buffer
* @return 1 if an OpenPGP packet, 0 otherwise
@@ .
Received on Sun Sep 9 22:32:44 2007