Пример #1
0
int conffile_has_been_modified(ipkg_conf_t *conf, conffile_t *conffile)
{
    char *md5sum;
    char *filename = conffile->name;
    char *root_filename;
    int ret;

    if (conffile->value == NULL) {
	 ipkg_message(conf, IPKG_NOTICE, "%s: conffile %s has no md5sum\n", __FUNCTION__, conffile->name);
	 return 1;
    }

    root_filename = root_filename_alloc(conf, filename);

    md5sum = file_md5sum_alloc(root_filename);

    ret = strcmp(md5sum, conffile->value);
    if (ret) {
      ipkg_message(conf, IPKG_NOTICE, "%s: conffile %s: \t\nold md5=%s \t\nnew md5=%s\n", __FUNCTION__,
              conffile->name, md5sum, conffile->value);
    }

    free(root_filename);
    free(md5sum);

    return ret;
}
Пример #2
0
int conffile_has_been_modified(conffile_t * conffile)
{
    char *md5sum;
    char *filename = conffile->name;
    char *root_filename;
    int ret = 1;

    if (conffile->value == NULL) {
        opkg_msg(NOTICE, "Conffile %s has no md5sum.\n", conffile->name);
        return 1;
    }

    root_filename = root_filename_alloc(filename);

    md5sum = file_md5sum_alloc(root_filename);

    if (md5sum && (ret = strcmp(md5sum, conffile->value))) {
        opkg_msg(INFO, "Conffile %s:\n\told md5=%s\n\tnew md5=%s\n",
                 conffile->name, md5sum, conffile->value);
    }

    free(root_filename);
    if (md5sum)
        free(md5sum);

    return ret;
}
Пример #3
0
int
opkg_verify_file (char *text_file, char *sig_file)
{
#if defined HAVE_GPGME
    if (conf->check_signature == 0 )
        return 0;
    int status = -1;
    gpgme_ctx_t ctx;
    gpgme_data_t sig, text, key;
    gpgme_error_t err;
    gpgme_verify_result_t result;
    gpgme_signature_t s;
    char *trusted_path = NULL;

    gpgme_check_version (NULL);

    err = gpgme_new (&ctx);

    if (err)
	return -1;

    trusted_path = root_filename_alloc("/etc/opkg/trusted.gpg");
    err = gpgme_data_new_from_file (&key, trusted_path, 1);
    free (trusted_path);
    if (err)
    {
      return -1;
    }
    err = gpgme_op_import (ctx, key);
    if (err)
    {
      gpgme_data_release (key);
      return -1;
    }
    gpgme_data_release (key);

    err = gpgme_data_new_from_file (&sig, sig_file, 1);
    if (err)
    {
	gpgme_release (ctx);
	return -1;
    }

    err = gpgme_data_new_from_file (&text, text_file, 1);
    if (err)
    {
        gpgme_data_release (sig);
	gpgme_release (ctx);
	return -1;
    }

    err = gpgme_op_verify (ctx, sig, text, NULL);

    result = gpgme_op_verify_result (ctx);
    if (!result)
	return -1;

    /* see if any of the signitures matched */
    s = result->signatures;
    while (s)
    {
	status = gpg_err_code (s->status);
	if (status == GPG_ERR_NO_ERROR)
	    break;
	s = s->next;
    }


    gpgme_data_release (sig);
    gpgme_data_release (text);
    gpgme_release (ctx);

    return status;
#elif defined HAVE_OPENSSL
    X509_STORE *store = NULL;
    PKCS7 *p7 = NULL;
    BIO *in = NULL, *indata = NULL;

    // Sig check failed by default !
    int status = -1;

    openssl_init();

    // Set-up the key store
    if(!(store = setup_verify(conf->signature_ca_file, conf->signature_ca_path))){
        opkg_msg(ERROR, "Can't open CA certificates.\n");
        goto verify_file_end;
    }

    // Open a BIO to read the sig file
    if (!(in = BIO_new_file(sig_file, "rb"))){
        opkg_msg(ERROR, "Can't open signature file %s.\n", sig_file);
        goto verify_file_end;
    }

    // Read the PKCS7 block contained in the sig file
    p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
    if(!p7){
        opkg_msg(ERROR, "Can't read signature file %s (Corrupted ?).\n",
		sig_file);
        goto verify_file_end;
    }
#if defined(HAVE_PATHFINDER)
    if(conf->check_x509_path){
	if(!pkcs7_pathfinder_verify_signers(p7)){
	    opkg_msg(ERROR, "pkcs7_pathfinder_verify_signers: "
		    "Path verification failed.\n");
	    goto verify_file_end;
	}
    }
#endif

    // Open the Package file to authenticate
    if (!(indata = BIO_new_file(text_file, "rb"))){
        opkg_msg(ERROR, "Can't open file %s.\n", text_file);
        goto verify_file_end;
    }

    // Let's verify the autenticity !
    if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
        // Get Off My Lawn!
        opkg_msg(ERROR, "Verification failure.\n");
    }else{
        // Victory !
        status = 0;
    }

verify_file_end:
    BIO_free(in);
    BIO_free(indata);
    PKCS7_free(p7);
    X509_STORE_free(store);

    return status;
#else
    /* mute `unused variable' warnings. */
    (void) sig_file;
    (void) text_file;
    (void) conf;
    return 0;
#endif
}
Пример #4
0
int opkg_verify_gpg_signature(const char *file, const char *sigfile)
{
    int status = -1;
    int ret = -1;
    gpgme_ctx_t ctx;
    int have_ctx = 0;
    gpgme_data_t sig, text, key;
    int have_sig = 0, have_text = 0, have_key = 0;
    gpgme_error_t err;
    gpgme_verify_result_t result;
    gpgme_signature_t s;
    gpgme_protocol_t protocol = GPGME_PROTOCOL_OpenPGP;
    char *trusted_path = NULL;

    if (opkg_config->check_signature == 0)
        return 0;

    gpgme_check_version(NULL);

    err = gpgme_new(&ctx);
    if (err) {
        opkg_msg(ERROR, "Unable to create gpgme context: %s\n",
                 gpg_strerror(err));
        goto out_err;
    }
    have_ctx = 1;

    err = gpgme_set_protocol(ctx, protocol);
    if (err) {
        opkg_msg(ERROR, "Unable to set gpgme protocol to OpenPGP: %s\n",
                 gpg_strerror(err));
        goto out_err;
    }

    trusted_path = root_filename_alloc("/etc/opkg/trusted.gpg");
    if (!trusted_path) {
        opkg_msg(ERROR, "Out of memory!\n");
        goto out_err;
    }

    err = gpgme_data_new_from_file(&key, trusted_path, 1);
    if (err) {
        opkg_msg(ERROR, "Unable to get data from file %s: %s\n", trusted_path,
                 gpg_strerror(err));
        goto out_err;
    }
    have_key = 1;

    err = gpgme_op_import(ctx, key);
    if (err) {
        opkg_msg(ERROR, "Unable to import key from file %s: %s\n", trusted_path,
                 gpg_strerror(err));
        goto out_err;
    }

    err = gpgme_data_new_from_file(&sig, sigfile, 1);
    if (err) {
        opkg_msg(ERROR, "Unable to get data from file %s: %s\n", sigfile,
                 gpg_strerror(err));
        goto out_err;
    }
    have_sig = 1;

    err = gpgme_data_new_from_file(&text, file, 1);
    if (err) {
        opkg_msg(ERROR, "Unable to get data from file %s: %s\n", file,
                 gpg_strerror(err));
        goto out_err;
    }
    have_text = 1;

    err = gpgme_op_verify(ctx, sig, text, NULL);
    if (err) {
        opkg_msg(ERROR, "Unable to verify signature: %s\n", gpg_strerror(err));
        goto out_err;
    }

    result = gpgme_op_verify_result(ctx);
    if (!result) {
        opkg_msg(ERROR, "Unable to get verification data: %s\n",
                 gpg_strerror(err));
        goto out_err;
    }

    /* see if any of the signitures matched */
    s = result->signatures;
    while (s) {
        status = gpg_err_code(s->status);
        if (status == GPG_ERR_NO_ERROR) {
            ret = 0;
            break;
        }
        s = s->next;
    }

 out_err:
    if (have_sig)
        gpgme_data_release(sig);
    if (have_text)
        gpgme_data_release(text);
    if (have_key)
        gpgme_data_release(key);
    if (trusted_path)
        free(trusted_path);
    if (have_ctx)
        gpgme_release(ctx);

    return ret;
}