00001
00005 #include "system.h"
00006
00007 #include "rpmio_internal.h"
00008 #include <rpmlib.h>
00009 #include <rpmmacro.h>
00010 #include "rpmdb.h"
00011
00012 #include "rpmts.h"
00013
00014 #include "misc.h"
00015 #include "legacy.h"
00016 #include "rpmlead.h"
00017 #include "signature.h"
00018 #include "header_internal.h"
00019 #include "debug.h"
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029 #if !defined(__GLIBC__) && !defined(__APPLE__)
00030 char ** environ = NULL;
00031 #endif
00032
00033 int rpmLookupSignatureType(int action)
00034 {
00035
00036 static int disabled = 0;
00037 int rc = 0;
00038
00039 switch (action) {
00040 case RPMLOOKUPSIG_DISABLE:
00041 disabled = -2;
00042 break;
00043 case RPMLOOKUPSIG_ENABLE:
00044 disabled = 0;
00045
00046 case RPMLOOKUPSIG_QUERY:
00047 if (disabled)
00048 break;
00049
00050 { const char *name = rpmExpand("%{?_signature}", NULL);
00051 if (!(name && *name != '\0'))
00052 rc = 0;
00053 else if (!xstrcasecmp(name, "none"))
00054 rc = 0;
00055 else if (!xstrcasecmp(name, "pgp"))
00056 rc = RPMSIGTAG_PGP;
00057 else if (!xstrcasecmp(name, "pgp5"))
00058 rc = RPMSIGTAG_PGP;
00059 else if (!xstrcasecmp(name, "gpg"))
00060 rc = RPMSIGTAG_GPG;
00061 else
00062 rc = -1;
00063 name = _free(name);
00064 } break;
00065
00066 }
00067 return rc;
00068 }
00069
00070
00071
00072
00073 const char * rpmDetectPGPVersion(pgpVersion * pgpVer)
00074 {
00075
00076
00077
00078
00079 static pgpVersion saved_pgp_version = PGP_UNKNOWN;
00080 const char *pgpbin = rpmGetPath("%{?_pgpbin}", NULL);
00081
00082 if (saved_pgp_version == PGP_UNKNOWN) {
00083 char *pgpvbin;
00084 struct stat st;
00085
00086
00087 if (!(pgpbin && pgpbin[0] != '\0')) {
00088 pgpbin = _free(pgpbin);
00089 saved_pgp_version = -1;
00090 return NULL;
00091 }
00092
00093
00094 pgpvbin = (char *)alloca(strlen(pgpbin) + sizeof("v"));
00095 (void)stpcpy(stpcpy(pgpvbin, pgpbin), "v");
00096
00097
00098 if (stat(pgpvbin, &st) == 0)
00099 saved_pgp_version = PGP_5;
00100 else if (stat(pgpbin, &st) == 0)
00101 saved_pgp_version = PGP_2;
00102 else
00103 saved_pgp_version = PGP_NOTDETECTED;
00104 }
00105
00106
00107 if (pgpVer && pgpbin)
00108 *pgpVer = saved_pgp_version;
00109
00110 return pgpbin;
00111 }
00112
00122 static inline rpmRC printSize(FD_t fd, int siglen, int pad, int datalen)
00123
00124
00125 {
00126 struct stat st;
00127 int fdno = Fileno(fd);
00128
00129
00130 if (fdno == 123456789) {
00131 st.st_size = 0;
00132
00133 st.st_size -= sizeof(struct rpmlead)+siglen+pad+datalen;
00134
00135 } else if (fstat(fdno, &st) < 0)
00136 return RPMRC_FAIL;
00137
00138
00139 rpmMessage(RPMMESS_DEBUG,
00140 _("Expected size: %12d = lead(%d)+sigs(%d)+pad(%d)+data(%d)\n"),
00141 (int)sizeof(struct rpmlead)+siglen+pad+datalen,
00142 (int)sizeof(struct rpmlead), siglen, pad, datalen);
00143
00144 rpmMessage(RPMMESS_DEBUG,
00145 _(" Actual size: %12d\n"), (int)st.st_size);
00146
00147 return RPMRC_OK;
00148 }
00149
00150
00151 static unsigned char header_magic[8] = {
00152 0x8e, 0xad, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00
00153 };
00154
00155 rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type,
00156 const char ** msg)
00157 {
00158 char buf[BUFSIZ];
00159 int_32 block[4];
00160 int_32 il;
00161 int_32 dl;
00162 int_32 * ei = NULL;
00163 entryInfo pe;
00164 size_t nb;
00165 int_32 ril = 0;
00166 indexEntry entry = memset(alloca(sizeof(*entry)), 0, sizeof(*entry));
00167 entryInfo info = memset(alloca(sizeof(*info)), 0, sizeof(*info));
00168 unsigned char * dataStart;
00169 unsigned char * dataEnd = NULL;
00170 Header sigh = NULL;
00171 rpmRC rc = RPMRC_FAIL;
00172 int xx;
00173 int i;
00174
00175
00176 if (sighp)
00177 *sighp = NULL;
00178
00179 buf[0] = '\0';
00180
00181
00182 if (sig_type != RPMSIGTYPE_HEADERSIG)
00183 goto exit;
00184
00185 memset(block, 0, sizeof(block));
00186 if ((xx = timedRead(fd, (char *)block, sizeof(block))) != sizeof(block)) {
00187 (void) snprintf(buf, sizeof(buf),
00188 _("sigh size(%d): BAD, read returned %d\n"), (int)sizeof(block), xx);
00189 goto exit;
00190 }
00191 if (memcmp(block, header_magic, sizeof(header_magic))) {
00192 (void) snprintf(buf, sizeof(buf),
00193 _("sigh magic: BAD\n"));
00194 goto exit;
00195 }
00196
00197 il = ntohl(block[2]);
00198
00199 if (il < 0 || il > 32) {
00200 (void) snprintf(buf, sizeof(buf),
00201 _("sigh tags: BAD, no. of tags(%d) out of range\n"), il);
00202 goto exit;
00203 }
00204
00205 dl = ntohl(block[3]);
00206
00207 if (dl < 0 || dl > 8192) {
00208 (void) snprintf(buf, sizeof(buf),
00209 _("sigh data: BAD, no. of bytes(%d) out of range\n"), dl);
00210 goto exit;
00211 }
00212
00213
00214 nb = (il * sizeof(struct entryInfo_s)) + dl;
00215
00216 ei = xmalloc(sizeof(il) + sizeof(dl) + nb);
00217
00218 ei[0] = block[2];
00219 ei[1] = block[3];
00220 pe = (entryInfo) &ei[2];
00221
00222 dataStart = (unsigned char *) (pe + il);
00223 if ((xx = timedRead(fd, (char *)pe, nb)) != nb) {
00224 (void) snprintf(buf, sizeof(buf),
00225 _("sigh blob(%d): BAD, read returned %d\n"), (int)nb, xx);
00226 goto exit;
00227 }
00228
00229
00230 xx = headerVerifyInfo(1, dl, pe, &entry->info, 0);
00231 if (xx != -1) {
00232 (void) snprintf(buf, sizeof(buf),
00233 _("tag[%d]: BAD, tag %d type %d offset %d count %d\n"),
00234 0, entry->info.tag, entry->info.type,
00235 entry->info.offset, entry->info.count);
00236 goto exit;
00237 }
00238
00239
00240
00241 if (entry->info.tag == RPMTAG_HEADERSIGNATURES
00242 && entry->info.type == RPM_BIN_TYPE
00243 && entry->info.count == REGION_TAG_COUNT)
00244 {
00245
00246
00247 if (entry->info.offset >= dl) {
00248 (void) snprintf(buf, sizeof(buf),
00249 _("region offset: BAD, tag %d type %d offset %d count %d\n"),
00250 entry->info.tag, entry->info.type,
00251 entry->info.offset, entry->info.count);
00252 goto exit;
00253 }
00254
00255
00256 dataEnd = dataStart + entry->info.offset;
00257
00258
00259 (void) memcpy(info, dataEnd, REGION_TAG_COUNT);
00260
00261 if (info->tag == htonl(RPMTAG_HEADERIMAGE)) {
00262 int_32 stag = htonl(RPMTAG_HEADERSIGNATURES);
00263 info->tag = stag;
00264 memcpy(dataEnd, &stag, sizeof(stag));
00265 }
00266
00267 dataEnd += REGION_TAG_COUNT;
00268
00269 xx = headerVerifyInfo(1, dl, info, &entry->info, 1);
00270 if (xx != -1 ||
00271 !((entry->info.tag == RPMTAG_HEADERSIGNATURES || entry->info.tag == RPMTAG_HEADERIMAGE)
00272 && entry->info.type == RPM_BIN_TYPE
00273 && entry->info.count == REGION_TAG_COUNT))
00274 {
00275 (void) snprintf(buf, sizeof(buf),
00276 _("region trailer: BAD, tag %d type %d offset %d count %d\n"),
00277 entry->info.tag, entry->info.type,
00278 entry->info.offset, entry->info.count);
00279 goto exit;
00280 }
00281
00282
00283 memset(info, 0, sizeof(*info));
00284
00285
00286
00287 ril = entry->info.offset/sizeof(*pe);
00288 if ((entry->info.offset % sizeof(*pe)) || ril > il) {
00289 (void) snprintf(buf, sizeof(buf),
00290 _("region size: BAD, ril(%d) > il(%d)\n"), ril, il);
00291 goto exit;
00292 }
00293 }
00294
00295
00296
00297 memset(info, 0, sizeof(*info));
00298
00299 for (i = 1; i < il; i++) {
00300 xx = headerVerifyInfo(1, dl, pe+i, &entry->info, 0);
00301 if (xx != -1) {
00302 (void) snprintf(buf, sizeof(buf),
00303 _("sigh tag[%d]: BAD, tag %d type %d offset %d count %d\n"),
00304 i, entry->info.tag, entry->info.type,
00305 entry->info.offset, entry->info.count);
00306 goto exit;
00307 }
00308 }
00309
00310
00311 sigh = headerLoad(ei);
00312 if (sigh == NULL) {
00313 (void) snprintf(buf, sizeof(buf), _("sigh load: BAD\n"));
00314 goto exit;
00315 }
00316 sigh->flags |= HEADERFLAG_ALLOCATED;
00317
00318 { int sigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
00319 int pad = (8 - (sigSize % 8)) % 8;
00320 int_32 * archSize = NULL;
00321
00322
00323 if (pad && (xx = timedRead(fd, (char *)block, pad)) != pad) {
00324 (void) snprintf(buf, sizeof(buf),
00325 _("sigh pad(%d): BAD, read %d bytes\n"), pad, xx);
00326 goto exit;
00327 }
00328
00329
00330 if (headerGetEntry(sigh, RPMSIGTAG_SIZE, NULL,(void **)&archSize, NULL)) {
00331 rc = printSize(fd, sigSize, pad, *archSize);
00332 if (rc != RPMRC_OK)
00333 (void) snprintf(buf, sizeof(buf),
00334 _("sigh sigSize(%d): BAD, fstat(2) failed\n"), sigSize);
00335 }
00336 }
00337
00338 exit:
00339
00340 if (sighp && sigh && rc == RPMRC_OK)
00341 *sighp = headerLink(sigh);
00342 sigh = headerFree(sigh);
00343
00344 if (msg != NULL) {
00345 buf[sizeof(buf)-1] = '\0';
00346 *msg = xstrdup(buf);
00347 }
00348
00349
00350 return rc;
00351 }
00352
00353 int rpmWriteSignature(FD_t fd, Header sigh)
00354 {
00355 static byte buf[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
00356 int sigSize, pad;
00357 int rc;
00358
00359 rc = headerWrite(fd, sigh, HEADER_MAGIC_YES);
00360 if (rc)
00361 return rc;
00362
00363 sigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
00364 pad = (8 - (sigSize % 8)) % 8;
00365 if (pad) {
00366
00367 if (Fwrite(buf, sizeof(buf[0]), pad, fd) != pad)
00368 rc = 1;
00369
00370 }
00371 rpmMessage(RPMMESS_DEBUG, _("Signature: size(%d)+pad(%d)\n"), sigSize, pad);
00372 return rc;
00373 }
00374
00375 Header rpmNewSignature(void)
00376 {
00377 Header sigh = headerNew();
00378 return sigh;
00379 }
00380
00381 Header rpmFreeSignature(Header sigh)
00382 {
00383 return headerFree(sigh);
00384 }
00385
00395 static int makePGPSignature(const char * file, int_32 * sigTagp,
00396 byte ** pktp, int_32 * pktlenp,
00397 const char * passPhrase)
00398
00399
00400
00401
00402 {
00403 char * sigfile = alloca(1024);
00404 int pid, status;
00405 int inpipe[2];
00406 struct stat st;
00407 const char * cmd;
00408 char *const *av;
00409 pgpDig dig = NULL;
00410 pgpDigParams sigp = NULL;
00411 int rc;
00412
00413
00414 (void) stpcpy( stpcpy(sigfile, file), ".sig");
00415
00416
00417 addMacro(NULL, "__plaintext_filename", NULL, file, -1);
00418 addMacro(NULL, "__signature_filename", NULL, sigfile, -1);
00419
00420 inpipe[0] = inpipe[1] = 0;
00421
00422 (void) pipe(inpipe);
00423
00424
00425 if (!(pid = fork())) {
00426 const char *pgp_path = rpmExpand("%{?_pgp_path}", NULL);
00427 const char *path;
00428 pgpVersion pgpVer;
00429
00430 (void) close(STDIN_FILENO);
00431 (void) dup2(inpipe[0], 3);
00432 (void) close(inpipe[1]);
00433
00434 (void) dosetenv("PGPPASSFD", "3", 1);
00435
00436 if (pgp_path && *pgp_path != '\0')
00437 (void) dosetenv("PGPPATH", pgp_path, 1);
00438
00439
00440
00441
00442 unsetenv("MALLOC_CHECK_");
00443 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
00444 switch(pgpVer) {
00445 case PGP_2:
00446 cmd = rpmExpand("%{?__pgp_sign_cmd}", NULL);
00447 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00448
00449 if (!rc)
00450 rc = execve(av[0], av+1, environ);
00451
00452 break;
00453 case PGP_5:
00454 cmd = rpmExpand("%{?__pgp5_sign_cmd}", NULL);
00455 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00456
00457 if (!rc)
00458 rc = execve(av[0], av+1, environ);
00459
00460 break;
00461 case PGP_UNKNOWN:
00462 case PGP_NOTDETECTED:
00463 errno = ENOENT;
00464 break;
00465 }
00466 }
00467 rpmError(RPMERR_EXEC, _("Could not exec %s: %s\n"), "pgp",
00468 strerror(errno));
00469 _exit(RPMERR_EXEC);
00470 }
00471
00472 delMacro(NULL, "__plaintext_filename");
00473 delMacro(NULL, "__signature_filename");
00474
00475 (void) close(inpipe[0]);
00476 if (passPhrase)
00477 (void) write(inpipe[1], passPhrase, strlen(passPhrase));
00478 (void) write(inpipe[1], "\n", 1);
00479 (void) close(inpipe[1]);
00480
00481 (void)waitpid(pid, &status, 0);
00482 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
00483 rpmError(RPMERR_SIGGEN, _("pgp failed\n"));
00484 return 1;
00485 }
00486
00487 if (stat(sigfile, &st)) {
00488
00489 if (sigfile) (void) unlink(sigfile);
00490 rpmError(RPMERR_SIGGEN, _("pgp failed to write signature\n"));
00491 return 1;
00492 }
00493
00494
00495 *pktlenp = st.st_size;
00496 rpmMessage(RPMMESS_DEBUG, _("PGP sig size: %d\n"), *pktlenp);
00497 *pktp = xmalloc(*pktlenp);
00498
00499
00500
00501 { FD_t fd;
00502
00503 rc = 0;
00504 fd = Fopen(sigfile, "r.fdio");
00505 if (fd != NULL && !Ferror(fd)) {
00506 rc = timedRead(fd, *pktp, *pktlenp);
00507 if (sigfile) (void) unlink(sigfile);
00508 (void) Fclose(fd);
00509 }
00510 if (rc != *pktlenp) {
00511
00512 *pktp = _free(*pktp);
00513
00514 rpmError(RPMERR_SIGGEN, _("unable to read the signature\n"));
00515 return 1;
00516 }
00517 }
00518
00519 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of PGP sig\n"), *pktlenp);
00520
00521
00522 #ifdef NOTYET
00523
00524 dig = pgpNewDig();
00525
00526 (void) pgpPrtPkts(*pktp, *pktlenp, dig, 0);
00527 sigp = &dig->signature;
00528
00529 dig = pgpFreeDig(dig);
00530 #endif
00531
00532 return 0;
00533 }
00534
00544 static int makeGPGSignature(const char * file, int_32 * sigTagp,
00545 byte ** pktp, int_32 * pktlenp,
00546 const char * passPhrase)
00547
00548
00549
00550
00551 {
00552 char * sigfile = alloca(strlen(file)+sizeof(".sig"));
00553 int pid, status;
00554 int inpipe[2];
00555 FILE * fpipe;
00556 struct stat st;
00557 const char * cmd;
00558 char *const *av;
00559 pgpDig dig = NULL;
00560 pgpDigParams sigp = NULL;
00561 int rc;
00562
00563
00564 (void) stpcpy( stpcpy(sigfile, file), ".sig");
00565
00566
00567 addMacro(NULL, "__plaintext_filename", NULL, file, -1);
00568 addMacro(NULL, "__signature_filename", NULL, sigfile, -1);
00569
00570 inpipe[0] = inpipe[1] = 0;
00571
00572 (void) pipe(inpipe);
00573
00574
00575 if (!(pid = fork())) {
00576 const char *gpg_path = rpmExpand("%{?_gpg_path}", NULL);
00577
00578 (void) close(STDIN_FILENO);
00579 (void) dup2(inpipe[0], 3);
00580 (void) close(inpipe[1]);
00581
00582
00583 if (gpg_path && *gpg_path != '\0')
00584 (void) dosetenv("GNUPGHOME", gpg_path, 1);
00585
00586 (void) dosetenv("LC_ALL", "C", 1);
00587
00588 unsetenv("MALLOC_CHECK_");
00589 cmd = rpmExpand("%{?__gpg_sign_cmd}", NULL);
00590 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00591
00592 if (!rc)
00593 rc = execve(av[0], av+1, environ);
00594
00595
00596 rpmError(RPMERR_EXEC, _("Could not exec %s: %s\n"), "gpg",
00597 strerror(errno));
00598 _exit(RPMERR_EXEC);
00599 }
00600
00601 delMacro(NULL, "__plaintext_filename");
00602 delMacro(NULL, "__signature_filename");
00603
00604 fpipe = fdopen(inpipe[1], "w");
00605 (void) close(inpipe[0]);
00606 if (fpipe) {
00607 fprintf(fpipe, "%s\n", (passPhrase ? passPhrase : ""));
00608 (void) fclose(fpipe);
00609 }
00610
00611 (void) waitpid(pid, &status, 0);
00612 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
00613 rpmError(RPMERR_SIGGEN, _("gpg exec failed (%d)\n"), WEXITSTATUS(status));
00614 return 1;
00615 }
00616
00617 if (stat(sigfile, &st)) {
00618
00619 if (sigfile) (void) unlink(sigfile);
00620 rpmError(RPMERR_SIGGEN, _("gpg failed to write signature\n"));
00621 return 1;
00622 }
00623
00624
00625 *pktlenp = st.st_size;
00626 rpmMessage(RPMMESS_DEBUG, _("GPG sig size: %d\n"), *pktlenp);
00627 *pktp = xmalloc(*pktlenp);
00628
00629
00630
00631 { FD_t fd;
00632
00633 rc = 0;
00634 fd = Fopen(sigfile, "r.fdio");
00635 if (fd != NULL && !Ferror(fd)) {
00636 rc = timedRead(fd, *pktp, *pktlenp);
00637 if (sigfile) (void) unlink(sigfile);
00638 (void) Fclose(fd);
00639 }
00640 if (rc != *pktlenp) {
00641
00642 *pktp = _free(*pktp);
00643
00644 rpmError(RPMERR_SIGGEN, _("unable to read the signature\n"));
00645 return 1;
00646 }
00647 }
00648
00649 rpmMessage(RPMMESS_DEBUG, _("Got %d bytes of GPG sig\n"), *pktlenp);
00650
00651
00652
00653 dig = pgpNewDig();
00654
00655 (void) pgpPrtPkts(*pktp, *pktlenp, dig, 0);
00656 sigp = &dig->signature;
00657
00658 switch (*sigTagp) {
00659 case RPMSIGTAG_SIZE:
00660 case RPMSIGTAG_MD5:
00661 case RPMSIGTAG_SHA1:
00662 break;
00663 case RPMSIGTAG_GPG:
00664
00665 if (sigp->pubkey_algo == PGPPUBKEYALGO_RSA)
00666 *sigTagp = RPMSIGTAG_PGP;
00667 break;
00668 case RPMSIGTAG_PGP5:
00669 case RPMSIGTAG_PGP:
00670 if (sigp->pubkey_algo == PGPPUBKEYALGO_DSA)
00671 *sigTagp = RPMSIGTAG_GPG;
00672 break;
00673 case RPMSIGTAG_DSA:
00674
00675 if (sigp->pubkey_algo == PGPPUBKEYALGO_RSA)
00676 *sigTagp = RPMSIGTAG_RSA;
00677 break;
00678 case RPMSIGTAG_RSA:
00679 if (sigp->pubkey_algo == PGPPUBKEYALGO_DSA)
00680 *sigTagp = RPMSIGTAG_DSA;
00681 break;
00682 }
00683
00684 dig = pgpFreeDig(dig);
00685
00686 return 0;
00687 }
00688
00697 static int makeHDRSignature(Header sigh, const char * file, int_32 sigTag,
00698 const char * passPhrase)
00699
00700
00701 {
00702 Header h = NULL;
00703 FD_t fd = NULL;
00704 byte * pkt;
00705 int_32 pktlen;
00706 const char * fn = NULL;
00707 const char * SHA1 = NULL;
00708 int ret = -1;
00709
00710 switch (sigTag) {
00711 case RPMSIGTAG_SIZE:
00712 case RPMSIGTAG_MD5:
00713 case RPMSIGTAG_PGP5:
00714 case RPMSIGTAG_PGP:
00715 case RPMSIGTAG_GPG:
00716 goto exit;
00717 break;
00718 case RPMSIGTAG_SHA1:
00719 fd = Fopen(file, "r.fdio");
00720 if (fd == NULL || Ferror(fd))
00721 goto exit;
00722 h = headerRead(fd, HEADER_MAGIC_YES);
00723 if (h == NULL)
00724 goto exit;
00725 (void) Fclose(fd); fd = NULL;
00726
00727 if (headerIsEntry(h, RPMTAG_HEADERIMMUTABLE)) {
00728 DIGEST_CTX ctx;
00729 void * uh;
00730 int_32 uht, uhc;
00731
00732 if (!headerGetEntry(h, RPMTAG_HEADERIMMUTABLE, &uht, &uh, &uhc)
00733 || uh == NULL)
00734 {
00735 rpmlog(RPMERR_FREAD,
00736 _("Immutable header region could not be read. "
00737 "Corrupted package?\n"));
00738 h = headerFree(h);
00739 goto exit;
00740 }
00741 ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
00742 (void) rpmDigestUpdate(ctx, header_magic, sizeof(header_magic));
00743 (void) rpmDigestUpdate(ctx, uh, uhc);
00744 (void) rpmDigestFinal(ctx, (void **)&SHA1, NULL, 1);
00745 uh = headerFreeData(uh, uht);
00746 }
00747 h = headerFree(h);
00748
00749 if (SHA1 == NULL)
00750 goto exit;
00751 if (!headerAddEntry(sigh, RPMSIGTAG_SHA1, RPM_STRING_TYPE, SHA1, 1))
00752 goto exit;
00753 ret = 0;
00754 break;
00755 case RPMSIGTAG_DSA:
00756 fd = Fopen(file, "r.fdio");
00757 if (fd == NULL || Ferror(fd))
00758 goto exit;
00759 h = headerRead(fd, HEADER_MAGIC_YES);
00760 if (h == NULL)
00761 goto exit;
00762 (void) Fclose(fd); fd = NULL;
00763 if (makeTempFile(NULL, &fn, &fd))
00764 goto exit;
00765 if (headerWrite(fd, h, HEADER_MAGIC_YES))
00766 goto exit;
00767 (void) Fclose(fd); fd = NULL;
00768 if (makeGPGSignature(fn, &sigTag, &pkt, &pktlen, passPhrase)
00769 || !headerAddEntry(sigh, sigTag, RPM_BIN_TYPE, pkt, pktlen))
00770 goto exit;
00771 ret = 0;
00772 break;
00773 case RPMSIGTAG_RSA:
00774 fd = Fopen(file, "r.fdio");
00775 if (fd == NULL || Ferror(fd))
00776 goto exit;
00777 h = headerRead(fd, HEADER_MAGIC_YES);
00778 if (h == NULL)
00779 goto exit;
00780 (void) Fclose(fd); fd = NULL;
00781 if (makeTempFile(NULL, &fn, &fd))
00782 goto exit;
00783 if (headerWrite(fd, h, HEADER_MAGIC_YES))
00784 goto exit;
00785 (void) Fclose(fd); fd = NULL;
00786 if (makePGPSignature(fn, &sigTag, &pkt, &pktlen, passPhrase)
00787 || !headerAddEntry(sigh, sigTag, RPM_BIN_TYPE, pkt, pktlen))
00788 goto exit;
00789 ret = 0;
00790 break;
00791 }
00792
00793 exit:
00794 if (fn) {
00795 (void) unlink(fn);
00796 fn = _free(fn);
00797 }
00798 SHA1 = _free(SHA1);
00799 h = headerFree(h);
00800 if (fd != NULL) (void) Fclose(fd);
00801 return ret;
00802 }
00803
00804 int rpmAddSignature(Header sigh, const char * file, int_32 sigTag,
00805 const char * passPhrase)
00806 {
00807 struct stat st;
00808 byte * pkt;
00809 int_32 pktlen;
00810 int ret = -1;
00811
00812 switch (sigTag) {
00813 case RPMSIGTAG_SIZE:
00814 if (stat(file, &st) != 0)
00815 break;
00816 pktlen = st.st_size;
00817 if (!headerAddEntry(sigh, sigTag, RPM_INT32_TYPE, &pktlen, 1))
00818 break;
00819 ret = 0;
00820 break;
00821 case RPMSIGTAG_MD5:
00822 pktlen = 16;
00823 pkt = memset(alloca(pktlen), 0, pktlen);
00824 if (domd5(file, pkt, 0, NULL)
00825 || !headerAddEntry(sigh, sigTag, RPM_BIN_TYPE, pkt, pktlen))
00826 break;
00827 ret = 0;
00828 break;
00829 case RPMSIGTAG_PGP5:
00830 case RPMSIGTAG_PGP:
00831 if (makePGPSignature(file, &sigTag, &pkt, &pktlen, passPhrase)
00832 || !headerAddEntry(sigh, sigTag, RPM_BIN_TYPE, pkt, pktlen))
00833 break;
00834 #ifdef NOTYET
00835
00836 ret = makeHDRSignature(sigh, file, RPMSIGTAG_RSA, passPhrase);
00837 #endif
00838 ret = 0;
00839 break;
00840 case RPMSIGTAG_GPG:
00841 if (makeGPGSignature(file, &sigTag, &pkt, &pktlen, passPhrase)
00842 || !headerAddEntry(sigh, sigTag, RPM_BIN_TYPE, pkt, pktlen))
00843 break;
00844
00845 ret = makeHDRSignature(sigh, file, RPMSIGTAG_DSA, passPhrase);
00846 break;
00847 case RPMSIGTAG_RSA:
00848 case RPMSIGTAG_DSA:
00849 case RPMSIGTAG_SHA1:
00850 ret = makeHDRSignature(sigh, file, sigTag, passPhrase);
00851 break;
00852 }
00853
00854 return ret;
00855 }
00856
00857 static int checkPassPhrase(const char * passPhrase, const int sigTag)
00858
00859
00860 {
00861 int passPhrasePipe[2];
00862 int pid, status;
00863 int rc;
00864 int xx;
00865
00866 passPhrasePipe[0] = passPhrasePipe[1] = 0;
00867
00868 xx = pipe(passPhrasePipe);
00869
00870 if (!(pid = fork())) {
00871 const char * cmd;
00872 char *const *av;
00873 int fdno;
00874
00875 xx = close(STDIN_FILENO);
00876 xx = close(STDOUT_FILENO);
00877 xx = close(passPhrasePipe[1]);
00878 if (! rpmIsVerbose())
00879 xx = close(STDERR_FILENO);
00880 if ((fdno = open("/dev/null", O_RDONLY)) != STDIN_FILENO) {
00881 xx = dup2(fdno, STDIN_FILENO);
00882 xx = close(fdno);
00883 }
00884 if ((fdno = open("/dev/null", O_WRONLY)) != STDOUT_FILENO) {
00885 xx = dup2(fdno, STDOUT_FILENO);
00886 xx = close(fdno);
00887 }
00888 xx = dup2(passPhrasePipe[0], 3);
00889
00890 unsetenv("MALLOC_CHECK_");
00891 switch (sigTag) {
00892 case RPMSIGTAG_DSA:
00893 case RPMSIGTAG_GPG:
00894 { const char *gpg_path = rpmExpand("%{?_gpg_path}", NULL);
00895
00896
00897 if (gpg_path && *gpg_path != '\0')
00898 (void) dosetenv("GNUPGHOME", gpg_path, 1);
00899
00900
00901 cmd = rpmExpand("%{?__gpg_check_password_cmd}", NULL);
00902 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00903
00904 if (!rc)
00905 rc = execve(av[0], av+1, environ);
00906
00907
00908 rpmError(RPMERR_EXEC, _("Could not exec %s: %s\n"), "gpg",
00909 strerror(errno));
00910 } break;
00911 case RPMSIGTAG_RSA:
00912 case RPMSIGTAG_PGP5:
00913 case RPMSIGTAG_PGP:
00914 { const char *pgp_path = rpmExpand("%{?_pgp_path}", NULL);
00915 const char *path;
00916 pgpVersion pgpVer;
00917
00918 (void) dosetenv("PGPPASSFD", "3", 1);
00919
00920 if (pgp_path && *pgp_path != '\0')
00921 xx = dosetenv("PGPPATH", pgp_path, 1);
00922
00923
00924 if ((path = rpmDetectPGPVersion(&pgpVer)) != NULL) {
00925 switch(pgpVer) {
00926 case PGP_2:
00927 cmd = rpmExpand("%{?__pgp_check_password_cmd}", NULL);
00928 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00929
00930 if (!rc)
00931 rc = execve(av[0], av+1, environ);
00932
00933 break;
00934 case PGP_5:
00935 cmd = rpmExpand("%{?__pgp5_check_password_cmd}", NULL);
00936 rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
00937
00938 if (!rc)
00939 rc = execve(av[0], av+1, environ);
00940
00941 break;
00942 case PGP_UNKNOWN:
00943 case PGP_NOTDETECTED:
00944 break;
00945 }
00946 }
00947 rpmError(RPMERR_EXEC, _("Could not exec %s: %s\n"), "pgp",
00948 strerror(errno));
00949 _exit(RPMERR_EXEC);
00950 } break;
00951 default:
00952 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file\n"));
00953 _exit(RPMERR_SIGGEN);
00954 break;
00955 }
00956 }
00957
00958 xx = close(passPhrasePipe[0]);
00959 xx = write(passPhrasePipe[1], passPhrase, strlen(passPhrase));
00960 xx = write(passPhrasePipe[1], "\n", 1);
00961 xx = close(passPhrasePipe[1]);
00962
00963 (void) waitpid(pid, &status, 0);
00964
00965 return ((!WIFEXITED(status) || WEXITSTATUS(status)) ? 1 : 0);
00966 }
00967
00968 char * rpmGetPassPhrase(const char * prompt, const int sigTag)
00969 {
00970 char *pass = NULL;
00971 int aok = 0;
00972
00973 switch (sigTag) {
00974 case RPMSIGTAG_DSA:
00975 case RPMSIGTAG_GPG:
00976
00977 { const char *name = rpmExpand("%{?_gpg_name}", NULL);
00978 aok = (name && *name != '\0');
00979 name = _free(name);
00980 }
00981
00982 if (aok)
00983 break;
00984 rpmError(RPMERR_SIGGEN,
00985 _("You must set \"%%_gpg_name\" in your macro file\n"));
00986 break;
00987 case RPMSIGTAG_RSA:
00988 case RPMSIGTAG_PGP5:
00989 case RPMSIGTAG_PGP:
00990
00991 { const char *name = rpmExpand("%{?_pgp_name}", NULL);
00992 aok = (name && *name != '\0');
00993 name = _free(name);
00994 }
00995
00996 if (aok)
00997 break;
00998 rpmError(RPMERR_SIGGEN,
00999 _("You must set \"%%_pgp_name\" in your macro file\n"));
01000 break;
01001 default:
01002
01003
01004
01005 rpmError(RPMERR_SIGGEN, _("Invalid %%_signature spec in macro file\n"));
01006 break;
01007 }
01008
01009 if (aok) {
01010
01011 pass = getpass( (prompt ? prompt : "") );
01012
01013
01014 if (checkPassPhrase(pass, sigTag))
01015 pass = NULL;
01016 }
01017
01018 return pass;
01019 }
01020
01021 static const char * rpmSigString(rpmRC res)
01022
01023 {
01024 const char * str;
01025 switch (res) {
01026 case RPMRC_OK: str = "OK"; break;
01027 case RPMRC_FAIL: str = "BAD"; break;
01028 case RPMRC_NOKEY: str = "NOKEY"; break;
01029 case RPMRC_NOTTRUSTED: str = "NOTRUSTED"; break;
01030 default:
01031 case RPMRC_NOTFOUND: str = "UNKNOWN"; break;
01032 }
01033 return str;
01034 }
01035
01036
01037 static rpmRC
01038 verifySizeSignature(const rpmts ts, char * t)
01039
01040 {
01041 const void * sig = rpmtsSig(ts);
01042 pgpDig dig = rpmtsDig(ts);
01043 rpmRC res;
01044 int_32 size = 0x7fffffff;
01045
01046 *t = '\0';
01047 t = stpcpy(t, _("Header+Payload size: "));
01048
01049 if (sig == NULL || dig == NULL || dig->nbytes == 0) {
01050 res = RPMRC_NOKEY;
01051 t = stpcpy(t, rpmSigString(res));
01052 goto exit;
01053 }
01054
01055 memcpy(&size, sig, sizeof(size));
01056
01057 if (size != dig->nbytes) {
01058 res = RPMRC_FAIL;
01059 t = stpcpy(t, rpmSigString(res));
01060 sprintf(t, " Expected(%d) != (%d)\n", (int)size, (int)dig->nbytes);
01061 } else {
01062 res = RPMRC_OK;
01063 t = stpcpy(t, rpmSigString(res));
01064 sprintf(t, " (%d)", (int)dig->nbytes);
01065 }
01066
01067 exit:
01068 t = stpcpy(t, "\n");
01069 return res;
01070 }
01071
01072
01073
01074 static rpmRC
01075 verifyMD5Signature(const rpmts ts, char * t,
01076 DIGEST_CTX md5ctx)
01077
01078
01079 {
01080 const void * sig = rpmtsSig(ts);
01081 int_32 siglen = rpmtsSiglen(ts);
01082 pgpDig dig = rpmtsDig(ts);
01083 rpmRC res;
01084 byte * md5sum = NULL;
01085 size_t md5len = 0;
01086
01087 *t = '\0';
01088 t = stpcpy(t, _("MD5 digest: "));
01089
01090 if (md5ctx == NULL || sig == NULL || dig == NULL) {
01091 res = RPMRC_NOKEY;
01092 t = stpcpy(t, rpmSigString(res));
01093 goto exit;
01094 }
01095
01096 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01097 (void) rpmDigestFinal(rpmDigestDup(md5ctx),
01098 (void **)&md5sum, &md5len, 0);
01099 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01100 rpmtsOp(ts, RPMTS_OP_DIGEST)->count--;
01101
01102 if (md5len != siglen || memcmp(md5sum, sig, md5len)) {
01103 res = RPMRC_FAIL;
01104 t = stpcpy(t, rpmSigString(res));
01105 t = stpcpy(t, " Expected(");
01106 (void) pgpHexCvt(t, sig, siglen);
01107 t += strlen(t);
01108 t = stpcpy(t, ") != (");
01109 } else {
01110 res = RPMRC_OK;
01111 t = stpcpy(t, rpmSigString(res));
01112 t = stpcpy(t, " (");
01113 }
01114 (void) pgpHexCvt(t, md5sum, md5len);
01115 t += strlen(t);
01116 t = stpcpy(t, ")");
01117
01118 exit:
01119 md5sum = _free(md5sum);
01120 t = stpcpy(t, "\n");
01121 return res;
01122 }
01123
01124
01125
01133 static rpmRC
01134 verifySHA1Signature(const rpmts ts, char * t,
01135 DIGEST_CTX sha1ctx)
01136
01137
01138 {
01139 const void * sig = rpmtsSig(ts);
01140 #ifdef NOTYET
01141 int_32 siglen = rpmtsSiglen(ts);
01142 #endif
01143 pgpDig dig = rpmtsDig(ts);
01144 rpmRC res;
01145 const char * SHA1 = NULL;
01146
01147 *t = '\0';
01148 t = stpcpy(t, _("Header SHA1 digest: "));
01149
01150 if (sha1ctx == NULL || sig == NULL || dig == NULL) {
01151 res = RPMRC_NOKEY;
01152 t = stpcpy(t, rpmSigString(res));
01153 goto exit;
01154 }
01155
01156 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01157 (void) rpmDigestFinal(rpmDigestDup(sha1ctx),
01158 (void **)&SHA1, NULL, 1);
01159 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01160
01161 if (SHA1 == NULL || strlen(SHA1) != strlen(sig) || strcmp(SHA1, sig)) {
01162 res = RPMRC_FAIL;
01163 t = stpcpy(t, rpmSigString(res));
01164 t = stpcpy(t, " Expected(");
01165 t = stpcpy(t, sig);
01166 t = stpcpy(t, ") != (");
01167 } else {
01168 res = RPMRC_OK;
01169 t = stpcpy(t, rpmSigString(res));
01170 t = stpcpy(t, " (");
01171 }
01172 if (SHA1)
01173 t = stpcpy(t, SHA1);
01174 t = stpcpy(t, ")");
01175
01176 exit:
01177 SHA1 = _free(SHA1);
01178 t = stpcpy(t, "\n");
01179 return res;
01180 }
01181
01182
01188 static inline unsigned char nibble(char c)
01189
01190 {
01191 if (c >= '0' && c <= '9')
01192 return (c - '0');
01193 if (c >= 'A' && c <= 'F')
01194 return (c - 'A') + 10;
01195 if (c >= 'a' && c <= 'f')
01196 return (c - 'a') + 10;
01197 return 0;
01198 }
01199
01200
01208 static rpmRC
01209 verifyRSASignature(rpmts ts, char * t,
01210 DIGEST_CTX md5ctx)
01211
01212
01213 {
01214 const void * sig = rpmtsSig(ts);
01215 #ifdef NOTYET
01216 int_32 siglen = rpmtsSiglen(ts);
01217 #endif
01218 int_32 sigtag = rpmtsSigtag(ts);
01219 pgpDig dig = rpmtsDig(ts);
01220 pgpDigParams sigp = rpmtsSignature(ts);
01221 SECOidTag sigalg;
01222 rpmRC res = RPMRC_OK;
01223 int xx;
01224 SECItem digest;
01225
01226 *t = '\0';
01227 if (dig != NULL && dig->hdrmd5ctx == md5ctx)
01228 t = stpcpy(t, _("Header "));
01229 *t++ = 'V';
01230 switch (sigp->version) {
01231 case 3: *t++ = '3'; break;
01232 case 4: *t++ = '4'; break;
01233 }
01234
01235 if (md5ctx == NULL || sig == NULL || dig == NULL || sigp == NULL) {
01236 res = RPMRC_NOKEY;
01237 }
01238
01239
01240 switch (sigp->pubkey_algo) {
01241 case PGPPUBKEYALGO_RSA:
01242 if (sigtag == RPMSIGTAG_PGP || sigtag == RPMSIGTAG_PGP5 || sigtag == RPMSIGTAG_RSA)
01243 break;
01244
01245 default:
01246 res = RPMRC_NOKEY;
01247 break;
01248 }
01249
01250
01251
01252 switch (sigp->hash_algo) {
01253 case PGPHASHALGO_MD5:
01254 t = stpcpy(t, " RSA/MD5");
01255 sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
01256 break;
01257 case PGPHASHALGO_SHA1:
01258 t = stpcpy(t, " RSA/SHA1");
01259 sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
01260 break;
01261 case PGPHASHALGO_RIPEMD160:
01262 res = RPMRC_NOKEY;
01263 break;
01264 case PGPHASHALGO_MD2:
01265 t = stpcpy(t, " RSA/MD2");
01266 sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
01267 break;
01268 case PGPHASHALGO_TIGER192:
01269 res = RPMRC_NOKEY;
01270 break;
01271 case PGPHASHALGO_HAVAL_5_160:
01272 res = RPMRC_NOKEY;
01273 break;
01274 case PGPHASHALGO_SHA256:
01275 t = stpcpy(t, " RSA/SHA256");
01276 sigalg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
01277 break;
01278 case PGPHASHALGO_SHA384:
01279 t = stpcpy(t, " RSA/SHA384");
01280 sigalg = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
01281 break;
01282 case PGPHASHALGO_SHA512:
01283 t = stpcpy(t, " RSA/SHA512");
01284 sigalg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
01285 break;
01286 default:
01287 res = RPMRC_NOKEY;
01288 sigalg = SEC_OID_UNKNOWN;
01289 break;
01290 }
01291
01292 t = stpcpy(t, _(" signature: "));
01293 if (res != RPMRC_OK) {
01294 goto exit;
01295 }
01296
01297 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01298 { DIGEST_CTX ctx = rpmDigestDup(md5ctx);
01299
01300 if (sigp->hash != NULL)
01301 xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);
01302
01303 #ifdef NOTYET
01304 if (!(sigp->sigtype == PGPSIGTYPE_BINARY || sigp->sigtype == PGP_SIGTYPE_TEXT)) {
01305 int nb = dig->nbytes + sigp->hashlen;
01306 byte trailer[6];
01307 nb = htonl(nb);
01308 trailer[0] = 0x4;
01309 trailer[1] = 0xff;
01310 memcpy(trailer+2, &nb, sizeof(nb));
01311 xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));
01312 }
01313 #endif
01314
01315 xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 0);
01316 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
01317 rpmtsOp(ts, RPMTS_OP_DIGEST)->count--;
01318
01319
01320 if (memcmp(dig->md5, sigp->signhash16, 2)) {
01321 res = RPMRC_FAIL;
01322 goto exit;
01323 }
01324 digest.type = siBuffer;
01325 digest.data = dig->md5;
01326 digest.len = dig->md5len;
01327 }
01328
01329
01330 res = rpmtsFindPubkey(ts);
01331 if (res != RPMRC_OK)
01332 goto exit;
01333
01334 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
01335 if (VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL) == SECSuccess)
01336 res = RPMRC_OK;
01337 else
01338 res = RPMRC_FAIL;
01339 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
01340
01341 exit:
01342 t = stpcpy(t, rpmSigString(res));
01343 if (sigp != NULL) {
01344 t = stpcpy(t, ", key ID ");
01345 (void) pgpHexCvt(t, sigp->signid+4, sizeof(sigp->signid)-4);
01346 t += strlen(t);
01347 }
01348 t = stpcpy(t, "\n");
01349 return res;
01350 }
01351
01352
01360
01361 static rpmRC
01362 verifyDSASignature(rpmts ts, char * t,
01363 DIGEST_CTX sha1ctx)
01364
01365
01366 {
01367 const void * sig = rpmtsSig(ts);
01368 #ifdef NOTYET
01369 int_32 siglen = rpmtsSiglen(ts);
01370 #endif
01371 int_32 sigtag = rpmtsSigtag(ts);
01372 pgpDig dig = rpmtsDig(ts);
01373 pgpDigParams sigp = rpmtsSignature(ts);
01374 rpmRC res;
01375 int xx;
01376 SECItem digest;
01377
01378 *t = '\0';
01379 if (dig != NULL && dig->hdrsha1ctx == sha1ctx)
01380 t = stpcpy(t, _("Header "));
01381 *t++ = 'V';
01382 switch (sigp->version) {
01383 case 3: *t++ = '3'; break;
01384 case 4: *t++ = '4'; break;
01385 }
01386 t = stpcpy(t, _(" DSA signature: "));
01387
01388 if (sha1ctx == NULL || sig == NULL || dig == NULL || sigp == NULL) {
01389 res = RPMRC_NOKEY;
01390 goto exit;
01391 }
01392
01393
01394 if (!((sigtag == RPMSIGTAG_GPG || sigtag == RPMSIGTAG_DSA)
01395 && sigp->pubkey_algo == PGPPUBKEYALGO_DSA
01396 && sigp->hash_algo == PGPHASHALGO_SHA1))
01397 {
01398 res = RPMRC_NOKEY;
01399 goto exit;
01400 }
01401
01402 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
01403 { DIGEST_CTX ctx = rpmDigestDup(sha1ctx);
01404
01405 if (sigp->hash != NULL)
01406 xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);
01407
01408 if (sigp->version == 4) {
01409 int nb = sigp->hashlen;
01410 byte trailer[6];
01411 nb = htonl(nb);
01412 trailer[0] = sigp->version;
01413 trailer[1] = 0xff;
01414 memcpy(trailer+2, &nb, sizeof(nb));
01415 xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));
01416 }
01417 xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0);
01418 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
01419 rpmtsOp(ts, RPMTS_OP_DIGEST)->count--;
01420
01421
01422 if (memcmp(dig->sha1, sigp->signhash16, 2)) {
01423 res = RPMRC_FAIL;
01424 goto exit;
01425 }
01426 digest.type = siBuffer;
01427 digest.data = dig->sha1;
01428 digest.len = dig->sha1len;
01429 }
01430
01431
01432 res = rpmtsFindPubkey(ts);
01433 if (res != RPMRC_OK)
01434 goto exit;
01435
01436 (void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
01437 if (VFY_VerifyDigest(&digest, dig->dsa, dig->dsasig,
01438 SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL) == SECSuccess)
01439 res = RPMRC_OK;
01440 else
01441 res = RPMRC_FAIL;
01442 (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
01443
01444 exit:
01445 t = stpcpy(t, rpmSigString(res));
01446 if (sigp != NULL) {
01447 t = stpcpy(t, ", key ID ");
01448 (void) pgpHexCvt(t, sigp->signid+4, sizeof(sigp->signid)-4);
01449 t += strlen(t);
01450 }
01451 t = stpcpy(t, "\n");
01452 return res;
01453 }
01454
01455
01456 rpmRC
01457 rpmVerifySignature(const rpmts ts, char * result)
01458 {
01459 const void * sig = rpmtsSig(ts);
01460 int_32 siglen = rpmtsSiglen(ts);
01461 int_32 sigtag = rpmtsSigtag(ts);
01462 pgpDig dig = rpmtsDig(ts);
01463 rpmRC res;
01464
01465 if (sig == NULL || siglen <= 0 || dig == NULL) {
01466 sprintf(result, _("Verify signature: BAD PARAMETERS\n"));
01467 return RPMRC_NOTFOUND;
01468 }
01469
01470 switch (sigtag) {
01471 case RPMSIGTAG_SIZE:
01472 res = verifySizeSignature(ts, result);
01473 break;
01474 case RPMSIGTAG_MD5:
01475 res = verifyMD5Signature(ts, result, dig->md5ctx);
01476 break;
01477 case RPMSIGTAG_SHA1:
01478 res = verifySHA1Signature(ts, result, dig->hdrsha1ctx);
01479 break;
01480 case RPMSIGTAG_RSA:
01481 res = verifyRSASignature(ts, result, dig->hdrmd5ctx);
01482 break;
01483 case RPMSIGTAG_PGP5:
01484 case RPMSIGTAG_PGP:
01485 res = verifyRSASignature(ts, result,
01486 ((dig->signature.hash_algo == PGPHASHALGO_MD5)
01487 ? dig->md5ctx : dig->sha1ctx));
01488 break;
01489 case RPMSIGTAG_DSA:
01490 res = verifyDSASignature(ts, result, dig->hdrsha1ctx);
01491 break;
01492 case RPMSIGTAG_GPG:
01493 res = verifyDSASignature(ts, result, dig->sha1ctx);
01494 break;
01495 case RPMSIGTAG_LEMD5_1:
01496 case RPMSIGTAG_LEMD5_2:
01497 sprintf(result, _("Broken MD5 digest: UNSUPPORTED\n"));
01498 res = RPMRC_NOTFOUND;
01499 break;
01500 default:
01501 sprintf(result, _("Signature: UNKNOWN (%d)\n"), sigtag);
01502 res = RPMRC_NOTFOUND;
01503 break;
01504 }
01505 return res;
01506 }