static void verify_hashes(void)
{
u32 meta_n_hdr;
u32 i;
u8 *hashes;
int res;
meta_n_hdr = be32(ptr + meta_offset + 0x60 + 0xc);
hashes = ptr + meta_offset + 0x80 + 0x30 * meta_n_hdr;
printf("Hashes\n");
for (i = 0; i < meta_n_hdr; i++) {
printf(" Section #%02d: ", i);
res = verify_hash(ptr + meta_offset + 0x80 + 0x30 * i, hashes);
if (res < 0) {
did_fail = 1;
printf("FAIL*\n");
} else if (res > 0) {
printf("???\n");
} else {
printf("OK\n");
}
}
printf("\n");
}
static struct pkg_vulnerabilities *
parse_pkg_vuln(const char *input, size_t input_len, int check_sum)
{
struct pkg_vulnerabilities *pv;
long version;
char *end;
const char *iter, *next;
size_t allocated_vulns;
int in_pgp_msg;
pv = xmalloc(sizeof(*pv));
allocated_vulns = pv->entries = 0;
pv->vulnerability = NULL;
pv->classification = NULL;
pv->advisory = NULL;
if (strlen(input) != input_len)
errx(1, "Invalid input (NUL character found)");
if (check_sum)
verify_signature(input, input_len);
if (strncmp(input, pgp_msg_start, strlen(pgp_msg_start)) == 0) {
iter = input + strlen(pgp_msg_start);
in_pgp_msg = 1;
} else {
iter = input;
in_pgp_msg = 0;
}
for (; *iter; iter = next) {
if ((next = strchr(iter, '\n')) == NULL)
errx(EXIT_FAILURE, "Missing newline in pkg-vulnerabilities");
++next;
if (*iter == '\0' || *iter == '\n')
continue;
if (strncmp(iter, "Hash:", 5) == 0)
continue;
if (strncmp(iter, "# $NetBSD", 9) == 0)
continue;
if (*iter == '#' && isspace((unsigned char)iter[1])) {
for (++iter; iter != next; ++iter) {
if (!isspace((unsigned char)*iter))
errx(EXIT_FAILURE, "Invalid header");
}
continue;
}
if (strncmp(iter, "#FORMAT", 7) != 0)
errx(EXIT_FAILURE, "Input header is malformed");
iter += 7;
if (!isspace((unsigned char)*iter))
errx(EXIT_FAILURE, "Invalid #FORMAT");
++iter;
version = strtol(iter, &end, 10);
if (iter == end || version != 1 || *end != '.')
errx(EXIT_FAILURE, "Input #FORMAT");
iter = end + 1;
version = strtol(iter, &end, 10);
if (iter == end || version != 1 || *end != '.')
errx(EXIT_FAILURE, "Input #FORMAT");
iter = end + 1;
version = strtol(iter, &end, 10);
if (iter == end || version != 0)
errx(EXIT_FAILURE, "Input #FORMAT");
for (iter = end; iter != next; ++iter) {
if (!isspace((unsigned char)*iter))
errx(EXIT_FAILURE, "Input #FORMAT");
}
break;
}
if (*iter == '\0')
errx(EXIT_FAILURE, "Missing #CHECKSUM or content");
for (iter = next; *iter; iter = next) {
if ((next = strchr(iter, '\n')) == NULL)
errx(EXIT_FAILURE, "Missing newline in pkg-vulnerabilities");
++next;
if (*iter == '\0' || *iter == '\n')
continue;
if (in_pgp_msg && strncmp(iter, pgp_msg_end, strlen(pgp_msg_end)) == 0)
break;
if (!in_pgp_msg && strncmp(iter, pkcs7_begin, strlen(pkcs7_begin)) == 0)
break;
if (*iter == '#' &&
(iter[1] == '\0' || iter[1] == '\n' || isspace((unsigned char)iter[1])))
continue;
if (strncmp(iter, "#CHECKSUM", 9) == 0) {
iter += 9;
if (!isspace((unsigned char)*iter))
errx(EXIT_FAILURE, "Invalid #CHECKSUM");
while (isspace((unsigned char)*iter))
++iter;
verify_hash(input, iter);
continue;
}
if (*iter == '#') {
/*
* This should really be an error,
* but it is still used.
*/
/* errx(EXIT_FAILURE, "Invalid data line starting with #"); */
continue;
}
add_vulnerability(pv, &allocated_vulns, iter);
}
if (pv->entries != allocated_vulns) {
pv->vulnerability = xrealloc(pv->vulnerability,
sizeof(char *) * pv->entries);
pv->classification = xrealloc(pv->classification,
sizeof(char *) * pv->entries);
pv->advisory = xrealloc(pv->advisory,
sizeof(char *) * pv->entries);
}
return pv;
}