Radish alpha
H
HardenedBSD-pkg
rad:z3QDZAW2FAfuLvihrhiyDC9fAD8G9
HardenedBSD Package Manager
Radicle
Git
Commits 941340d
Merge branch 'master' of github.com:freebsd/pkg
Matthew Seaman committed 12 years ago
commit 941340d28b5134cf6aeb80f93741d85042aeb2b8
parent d8585bf
3 files changed +59 -23
modified libpkg/pkg_config.c
@@ -856,7 +856,7 @@ pkg_init(const char *path, const char *reposdir)
			break;

		}

		if (o != NULL) {
- 
			if (ncfg != NULL)
+ 
			if (ncfg == NULL)

				ncfg = ucl_object_typed_new(UCL_OBJECT);

			ucl_object_insert_key(ncfg, o, key, strlen(key), true);

		}
modified libpkg/rsa.c
@@ -121,7 +121,8 @@ rsa_verify_cert_cb(int fd, void *ud)
	RSA *rsa = NULL;

	int ret;
- 
	sha256_fd(fd, sha256);
+ 
	if (sha256_fd(fd, sha256) != EPKG_OK)
+ 
		return (EPKG_FATAL);



	sha256_buf_bin(sha256, strlen(sha256), hash);
@@ -133,6 +134,7 @@ rsa_verify_cert_cb(int fd, void *ud)
	if (ret == 0) {

		pkg_emit_error("rsa verify failed: %s",

				ERR_error_string(ERR_get_error(), errbuf));
+ 
		RSA_free(rsa);

		return (EPKG_FATAL);

	}
@@ -174,46 +176,80 @@ rsa_verify_cert(const char *path, unsigned char *key, int keylen,
	return (ret);

}
- 
/*
- 
 * XXX: this function is deprecated and should be removed in the next pkg releases
- 
 */
- 
int
- 
rsa_verify(const char *path, const char *key, unsigned char *sig,
- 
    unsigned int sig_len, int fd)
+ 
static int
+ 
rsa_verify_cb(int fd, void *ud)

{
+ 
	struct rsa_verify_cbdata *cbdata = ud;

	char sha256[SHA256_DIGEST_LENGTH *2 +1];

	char errbuf[1024];

	RSA *rsa = NULL;

	int ret;
- 
	if (fd != -1) {
- 
		(void)lseek(fd, 0, SEEK_SET);
- 
		sha256_fd(fd, sha256);
- 
	} else
- 
		sha256_file(path, sha256);
-
- 
	SSL_load_error_strings();
- 
	OpenSSL_add_all_algorithms();
- 
	OpenSSL_add_all_ciphers();
+ 
	if (sha256_fd(fd, sha256) != EPKG_OK)
+ 
		return (EPKG_FATAL);
- 
	rsa = _load_rsa_public_key(key);
+ 
	rsa = _load_rsa_public_key_buf(cbdata->key, cbdata->keylen);

	if (rsa == NULL)

		return(EPKG_FATAL);
- 
	ret = RSA_verify(NID_sha1, sha256, sizeof(sha256), sig, sig_len, rsa);
+ 
	ret = RSA_verify(NID_sha1, sha256, sizeof(sha256), cbdata->sig,
+ 
			cbdata->siglen, rsa);

	if (ret == 0) {
- 
		pkg_emit_error("%s: %s", key,
- 
		    ERR_error_string(ERR_get_error(), errbuf));
+ 
		pkg_emit_error("%s: %s", cbdata->key,
+ 
				ERR_error_string(ERR_get_error(), errbuf));
+ 
		RSA_free(rsa);

		return (EPKG_FATAL);

	}



	RSA_free(rsa);
- 
	ERR_free_strings();



	return (EPKG_OK);

}



int
+ 
rsa_verify(const char *path, const char *key, unsigned char *sig,
+ 
    unsigned int sig_len, int fd)
+ 
{
+ 
	int ret;
+ 
	bool need_close = false;
+ 
	struct rsa_verify_cbdata cbdata;
+ 
	unsigned char *key_buf;
+ 
	off_t key_len;
+
+ 
	if (file_to_buffer(key, (char**)&key_buf, &key_len) != EPKG_OK) {
+ 
		pkg_emit_errno("rsa_verify", "cannot read key");
+ 
		return (EPKG_FATAL);
+ 
	}
+
+ 
	if (fd == -1) {
+ 
		if ((fd = open(path, O_RDONLY)) == -1) {
+ 
			pkg_emit_errno("fopen", path);
+ 
			free(key_buf);
+ 
			return (EPKG_FATAL);
+ 
		}
+ 
		need_close = true;
+ 
	}
+ 
	(void)lseek(fd, 0, SEEK_SET);
+
+ 
	cbdata.key = key_buf;
+ 
	cbdata.keylen = key_len;
+ 
	cbdata.sig = sig;
+ 
	cbdata.siglen = sig_len;
+
+ 
	SSL_load_error_strings();
+ 
	OpenSSL_add_all_algorithms();
+ 
	OpenSSL_add_all_ciphers();
+
+ 
	ret = pkg_emit_sandbox_call(rsa_verify_cb, fd, &cbdata);
+ 
	if (need_close)
+ 
		close(fd);
+
+ 
	free(key_buf);
+
+ 
	return (ret);
+ 
}
+
+ 
int

rsa_sign(char *path, struct rsa_key *rsa, unsigned char **sigret, unsigned int *siglen)

{

	char errbuf[1024];
modified src/main.c
@@ -562,7 +562,7 @@ main(int argc, char **argv)
	optreset = 1;

	optind = 1;
- 
	if (debug == 0)
+ 
	if (debug == 0 && version == 0)

		start_process_worker();



	if (jail_str != NULL && chroot_path != NULL) {