int conffile_has_been_modified(ipkg_conf_t *conf, conffile_t *conffile)
{
char *md5sum;
char *filename = conffile->name;
char *root_filename;
int ret;
if (conffile->value == NULL) {
ipkg_message(conf, IPKG_NOTICE, "%s: conffile %s has no md5sum\n", __FUNCTION__, conffile->name);
return 1;
}
root_filename = root_filename_alloc(conf, filename);
md5sum = file_md5sum_alloc(root_filename);
ret = strcmp(md5sum, conffile->value);
if (ret) {
ipkg_message(conf, IPKG_NOTICE, "%s: conffile %s: \t\nold md5=%s \t\nnew md5=%s\n", __FUNCTION__,
conffile->name, md5sum, conffile->value);
}
free(root_filename);
free(md5sum);
return ret;
}
int conffile_has_been_modified(conffile_t * conffile)
{
char *md5sum;
char *filename = conffile->name;
char *root_filename;
int ret = 1;
if (conffile->value == NULL) {
opkg_msg(NOTICE, "Conffile %s has no md5sum.\n", conffile->name);
return 1;
}
root_filename = root_filename_alloc(filename);
md5sum = file_md5sum_alloc(root_filename);
if (md5sum && (ret = strcmp(md5sum, conffile->value))) {
opkg_msg(INFO, "Conffile %s:\n\told md5=%s\n\tnew md5=%s\n",
conffile->name, md5sum, conffile->value);
}
free(root_filename);
if (md5sum)
free(md5sum);
return ret;
}
int
opkg_verify_file (char *text_file, char *sig_file)
{
#if defined HAVE_GPGME
if (conf->check_signature == 0 )
return 0;
int status = -1;
gpgme_ctx_t ctx;
gpgme_data_t sig, text, key;
gpgme_error_t err;
gpgme_verify_result_t result;
gpgme_signature_t s;
char *trusted_path = NULL;
gpgme_check_version (NULL);
err = gpgme_new (&ctx);
if (err)
return -1;
trusted_path = root_filename_alloc("/etc/opkg/trusted.gpg");
err = gpgme_data_new_from_file (&key, trusted_path, 1);
free (trusted_path);
if (err)
{
return -1;
}
err = gpgme_op_import (ctx, key);
if (err)
{
gpgme_data_release (key);
return -1;
}
gpgme_data_release (key);
err = gpgme_data_new_from_file (&sig, sig_file, 1);
if (err)
{
gpgme_release (ctx);
return -1;
}
err = gpgme_data_new_from_file (&text, text_file, 1);
if (err)
{
gpgme_data_release (sig);
gpgme_release (ctx);
return -1;
}
err = gpgme_op_verify (ctx, sig, text, NULL);
result = gpgme_op_verify_result (ctx);
if (!result)
return -1;
/* see if any of the signitures matched */
s = result->signatures;
while (s)
{
status = gpg_err_code (s->status);
if (status == GPG_ERR_NO_ERROR)
break;
s = s->next;
}
gpgme_data_release (sig);
gpgme_data_release (text);
gpgme_release (ctx);
return status;
#elif defined HAVE_OPENSSL
X509_STORE *store = NULL;
PKCS7 *p7 = NULL;
BIO *in = NULL, *indata = NULL;
// Sig check failed by default !
int status = -1;
openssl_init();
// Set-up the key store
if(!(store = setup_verify(conf->signature_ca_file, conf->signature_ca_path))){
opkg_msg(ERROR, "Can't open CA certificates.\n");
goto verify_file_end;
}
// Open a BIO to read the sig file
if (!(in = BIO_new_file(sig_file, "rb"))){
opkg_msg(ERROR, "Can't open signature file %s.\n", sig_file);
goto verify_file_end;
}
// Read the PKCS7 block contained in the sig file
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
if(!p7){
opkg_msg(ERROR, "Can't read signature file %s (Corrupted ?).\n",
sig_file);
goto verify_file_end;
}
#if defined(HAVE_PATHFINDER)
if(conf->check_x509_path){
if(!pkcs7_pathfinder_verify_signers(p7)){
opkg_msg(ERROR, "pkcs7_pathfinder_verify_signers: "
"Path verification failed.\n");
goto verify_file_end;
}
}
#endif
// Open the Package file to authenticate
if (!(indata = BIO_new_file(text_file, "rb"))){
opkg_msg(ERROR, "Can't open file %s.\n", text_file);
goto verify_file_end;
}
// Let's verify the autenticity !
if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
// Get Off My Lawn!
opkg_msg(ERROR, "Verification failure.\n");
}else{
// Victory !
status = 0;
}
verify_file_end:
BIO_free(in);
BIO_free(indata);
PKCS7_free(p7);
X509_STORE_free(store);
return status;
#else
/* mute `unused variable' warnings. */
(void) sig_file;
(void) text_file;
(void) conf;
return 0;
#endif
}
int opkg_verify_gpg_signature(const char *file, const char *sigfile)
{
int status = -1;
int ret = -1;
gpgme_ctx_t ctx;
int have_ctx = 0;
gpgme_data_t sig, text, key;
int have_sig = 0, have_text = 0, have_key = 0;
gpgme_error_t err;
gpgme_verify_result_t result;
gpgme_signature_t s;
gpgme_protocol_t protocol = GPGME_PROTOCOL_OpenPGP;
char *trusted_path = NULL;
if (opkg_config->check_signature == 0)
return 0;
gpgme_check_version(NULL);
err = gpgme_new(&ctx);
if (err) {
opkg_msg(ERROR, "Unable to create gpgme context: %s\n",
gpg_strerror(err));
goto out_err;
}
have_ctx = 1;
err = gpgme_set_protocol(ctx, protocol);
if (err) {
opkg_msg(ERROR, "Unable to set gpgme protocol to OpenPGP: %s\n",
gpg_strerror(err));
goto out_err;
}
trusted_path = root_filename_alloc("/etc/opkg/trusted.gpg");
if (!trusted_path) {
opkg_msg(ERROR, "Out of memory!\n");
goto out_err;
}
err = gpgme_data_new_from_file(&key, trusted_path, 1);
if (err) {
opkg_msg(ERROR, "Unable to get data from file %s: %s\n", trusted_path,
gpg_strerror(err));
goto out_err;
}
have_key = 1;
err = gpgme_op_import(ctx, key);
if (err) {
opkg_msg(ERROR, "Unable to import key from file %s: %s\n", trusted_path,
gpg_strerror(err));
goto out_err;
}
err = gpgme_data_new_from_file(&sig, sigfile, 1);
if (err) {
opkg_msg(ERROR, "Unable to get data from file %s: %s\n", sigfile,
gpg_strerror(err));
goto out_err;
}
have_sig = 1;
err = gpgme_data_new_from_file(&text, file, 1);
if (err) {
opkg_msg(ERROR, "Unable to get data from file %s: %s\n", file,
gpg_strerror(err));
goto out_err;
}
have_text = 1;
err = gpgme_op_verify(ctx, sig, text, NULL);
if (err) {
opkg_msg(ERROR, "Unable to verify signature: %s\n", gpg_strerror(err));
goto out_err;
}
result = gpgme_op_verify_result(ctx);
if (!result) {
opkg_msg(ERROR, "Unable to get verification data: %s\n",
gpg_strerror(err));
goto out_err;
}
/* see if any of the signitures matched */
s = result->signatures;
while (s) {
status = gpg_err_code(s->status);
if (status == GPG_ERR_NO_ERROR) {
ret = 0;
break;
}
s = s->next;
}
out_err:
if (have_sig)
gpgme_data_release(sig);
if (have_text)
gpgme_data_release(text);
if (have_key)
gpgme_data_release(key);
if (trusted_path)
free(trusted_path);
if (have_ctx)
gpgme_release(ctx);
return ret;
}
