/*
 * Print one verdict line per section for the hash check of the image at
 * ptr + meta_offset.
 *
 * Layout as used below: the section count is fetched through be32() at
 * metadata offset 0x60 + 0xc, section entries are 0x30 bytes each and
 * start at metadata offset 0x80, and the pointer handed to verify_hash()
 * as its second argument is the first byte after the last entry.
 *
 * verify_hash() result handling: negative prints "FAIL*" and sets the
 * file-level did_fail flag, positive prints "???", zero prints "OK".
 *
 * NOTE(review): the section count is taken from the image itself and no
 * bound on it is visible in this function.  If the image is untrusted,
 * the count and the derived offsets need to be checked against the
 * image length before they are dereferenced; confirm where that happens.
 * The 0x30 * count product is also evaluated in u32 arithmetic
 * (presumably 32 bits wide) and can wrap for very large counts.
 */
static void verify_hashes(void)
{
	u8 *meta = ptr + meta_offset;
	u32 n_sections = be32(meta + 0x60 + 0xc);
	u8 *hash_area = meta + 0x80 + 0x30 * n_sections;
	u32 idx;

	printf("Hashes\n");

	for (idx = 0; idx < n_sections; idx++) {
		int rc;

		printf(" Section #%02d: ", idx);
		rc = verify_hash(meta + 0x80 + 0x30 * idx, hash_area);

		if (rc == 0) {
			printf("OK\n");
			continue;
		}
		if (rc > 0) {
			/* Meaning of a positive result is not visible here. */
			printf("???\n");
			continue;
		}

		/* Remember the failure so the caller can report it later. */
		did_fail = 1;
		printf("FAIL*\n");
	}

	printf("\n");
}
/*
 * Parse the text of a pkg-vulnerabilities file into a newly allocated
 * struct pkg_vulnerabilities and return it.
 *
 * input must be NUL-terminated and input_len must equal strlen(input);
 * an embedded NUL is rejected.  When check_sum is non-zero the whole
 * buffer is first handed to verify_signature().  Every format error is
 * reported through errx(), so the function does not return on bad input.
 * The result of xmalloc()/xrealloc() is used unchecked, so they are
 * presumably expected never to return NULL.
 *
 * NOTE(review): check_sum gates only verify_signature().  A "#CHECKSUM"
 * line is passed to verify_hash() whenever it is present, but a file
 * without any "#CHECKSUM" line is accepted without a hash check, and
 * unrecognised lines starting with '#' are skipped silently.  With
 * check_sum == 0 the integrity check therefore depends on the file
 * itself carrying the line; confirm callers do not rely on more.
 */
static struct pkg_vulnerabilities *
parse_pkg_vuln(const char *input, size_t input_len, int check_sum)
{
	/* The only accepted "#FORMAT" value is 1.1.0. */
	static const long want_version[3] = { 1, 1, 0 };
	struct pkg_vulnerabilities *pv;
	const char *cur, *eol, *terminator;
	char *stop;
	size_t capacity, k;
	long num;
	int clearsigned;

	pv = xmalloc(sizeof(*pv));
	pv->entries = 0;
	capacity = 0;
	pv->vulnerability = NULL;
	pv->classification = NULL;
	pv->advisory = NULL;

	if (strlen(input) != input_len)
		errx(1, "Invalid input (NUL character found)");

	if (check_sum)
		verify_signature(input, input_len);

	/*
	 * A buffer that begins with the PGP start marker is parsed up to
	 * the PGP end marker; anything else is parsed up to the PKCS#7
	 * begin marker (or the end of the buffer).
	 */
	clearsigned =
	    strncmp(input, pgp_msg_start, strlen(pgp_msg_start)) == 0;
	cur = clearsigned ? input + strlen(pgp_msg_start) : input;
	terminator = clearsigned ? pgp_msg_end : pkcs7_begin;

	/* Header: skip tolerated lines until the "#FORMAT" line is seen. */
	for (; *cur != '\0'; cur = eol) {
		eol = strchr(cur, '\n');
		if (eol == NULL)
			errx(EXIT_FAILURE,
			    "Missing newline in pkg-vulnerabilities");
		++eol;

		if (*cur == '\0' || *cur == '\n')
			continue;
		if (strncmp(cur, "Hash:", 5) == 0 ||
		    strncmp(cur, "# $NetBSD", 9) == 0)
			continue;

		if (*cur == '#' && isspace((unsigned char)cur[1])) {
			/* "# " may only be followed by whitespace here. */
			++cur;
			while (cur != eol) {
				if (!isspace((unsigned char)*cur))
					errx(EXIT_FAILURE, "Invalid header");
				++cur;
			}
			continue;
		}

		if (strncmp(cur, "#FORMAT", 7) != 0)
			errx(EXIT_FAILURE, "Input header is malformed");
		cur += 7;
		if (!isspace((unsigned char)*cur))
			errx(EXIT_FAILURE, "Invalid #FORMAT");
		++cur;

		/*
		 * Three decimal components; the first two must be followed
		 * by '.', the third only by whitespace up to the line end.
		 */
		for (k = 0; k < 3; ++k) {
			const int is_last = (k == 2);

			num = strtol(cur, &stop, 10);
			if (cur == stop || num != want_version[k] ||
			    (!is_last && *stop != '.'))
				errx(EXIT_FAILURE, "Input #FORMAT");
			if (!is_last)
				cur = stop + 1;
		}

		cur = stop;
		while (cur != eol) {
			if (!isspace((unsigned char)*cur))
				errx(EXIT_FAILURE, "Input #FORMAT");
			++cur;
		}
		/* cur == eol here; the check below depends on that. */
		break;
	}

	/* Either no "#FORMAT" line was found or nothing follows it. */
	if (*cur == '\0')
		errx(EXIT_FAILURE, "Missing #CHECKSUM or content");

	/* Body: checksum line, comments and vulnerability entries. */
	for (cur = eol; *cur != '\0'; cur = eol) {
		eol = strchr(cur, '\n');
		if (eol == NULL)
			errx(EXIT_FAILURE,
			    "Missing newline in pkg-vulnerabilities");
		++eol;

		if (*cur == '\0' || *cur == '\n')
			continue;

		/* Stop at the start of the trailing signature block. */
		if (strncmp(cur, terminator, strlen(terminator)) == 0)
			break;

		if (*cur == '#' &&
		    (cur[1] == '\0' || cur[1] == '\n' ||
		    isspace((unsigned char)cur[1])))
			continue;

		if (strncmp(cur, "#CHECKSUM", 9) == 0) {
			cur += 9;
			if (!isspace((unsigned char)*cur))
				errx(EXIT_FAILURE, "Invalid #CHECKSUM");
			/*
			 * isspace() also matches '\n', so this skip can run
			 * onto the following line before verify_hash() sees
			 * the pointer.
			 */
			while (isspace((unsigned char)*cur))
				++cur;
			verify_hash(input, cur);
			continue;
		}

		if (*cur == '#') {
			/*
			 * Any other '#' line is tolerated rather than
			 * rejected because such lines are still in use.
			 */
			continue;
		}

		add_vulnerability(pv, &capacity, cur);
	}

	/* Give back the unused tail of the three parallel arrays. */
	if (pv->entries != capacity) {
		const size_t bytes = sizeof(char *) * pv->entries;

		pv->vulnerability = xrealloc(pv->vulnerability, bytes);
		pv->classification = xrealloc(pv->classification, bytes);
		pv->advisory = xrealloc(pv->advisory, bytes);
	}

	return pv;
}