Panu Matilainen [Wed, 30 Nov 2011 09:00:40 +0000 (11:00 +0200)]
Update internal callers to use headerImport() instead of headerLoad()
- Pass size where possible, this is a bit redundant in places since
its already checked in various places but wont hurt anyway.
Panu Matilainen [Wed, 30 Nov 2011 07:12:48 +0000 (09:12 +0200)]
Add an enhanced interface for loading, aka importing, headers
- Unlike headerLoad(), headerImport() takes a blob size argument
to allow sanity checking the size calculated from the blob itself
against the "physical" passed-in blob size so its a bit safer.
Note that header size is capped by various things - its not size_t.
- headerImport() also takes a flags argument to allow controlling
various aspects of importing.
- Implement "take copy of blob" as a flag to headerImport(), push
the copying into headerCreate() where we already know the blob
size, avoiding the need to do double-calculations on headerCopyLoad()..
- headerLoad() and headerCopyLoad() are now just compat wrappers
around the new interface.
Panu Matilainen [Tue, 29 Nov 2011 12:27:13 +0000 (14:27 +0200)]
Consolidate header alignment calculations to helper function
- Replace no less than five copy-paste versions of the same thing into
an inlined helper function. No functional changes.
Panu Matilainen [Tue, 29 Nov 2011 08:05:44 +0000 (10:05 +0200)]
Optimize string tag length calculations in regionSwab()
- Calling memchr() is circa 35% faster on my system than doing the
same manually, and this in one of the most critical paths rpm has...
Panu Matilainen [Mon, 28 Nov 2011 12:00:45 +0000 (14:00 +0200)]
Fix classification of ELF binaries with setuid/setgid bit, oops...
Panu Matilainen [Fri, 25 Nov 2011 14:07:38 +0000 (16:07 +0200)]
Identify "font collection" (data etc) as fonts also (RhBug:757105)
Panu Matilainen [Thu, 24 Nov 2011 09:39:36 +0000 (11:39 +0200)]
Make gpg-pubkey headers properly verifiable
- The pubkey headers have been rpm v3 all the way until now, whoops :)
Pull the actual key part of the header into immutable region and
stomp a sha1 digest on the result, allowing a (much) better
verification on loading. This part inspired by stumbling on a
related discussion on rpm5.org mailing list so credits where...
- Since we only insert either literally constant data or data retrieved
from the actual key into the immutable part of the header, the
calculated digest is constant for a given key regardless of where
and when it was imported. This gives some added verification and/or
cross-checking possibilities (eg was the imported key exactly the
same as what shipped etc)
Panu Matilainen [Thu, 24 Nov 2011 09:28:15 +0000 (11:28 +0200)]
Sanitize makePubkeyHeader() calling semantics
- Create the header in makePubkeyHeader() as the name suggests,
return the newly created header to caller on success.
- Move the installtime & -tid addition to the "install" part,
makePubkeyHeader() only does the part that is specific to pubkey
headers, again as the name suggests.
- No functional changes
Panu Matilainen [Thu, 24 Nov 2011 09:25:53 +0000 (11:25 +0200)]
Make gpg-pubkey buildtime reflect the public key create time
- Pubkey buildtime has until now been the time of import, which equals
install time/tid. Which is of course the time when that header
does get created, but it seems rather redundant to have the same
thing recorded in three places. Having the key creation time
easily (easier than un-hexifying the version string, duh)
available seems like a potentially useful thing. Buildtime is
"wrong" for this, but ... so is everything.
- With this change, the "meat" of the pubkey headers is now constant
and repeatable regardless of where and when a key gets imported,
so we could stomp a digest on it and it'd be unique for that
particular key everywhere.
Panu Matilainen [Thu, 24 Nov 2011 09:19:11 +0000 (11:19 +0200)]
Add key userid into gpg-pubkey headers as "packager"
- The userid has only been available in a mildly obfuscated format
through summary, but this seems like a useful thing to have in
a directly usable format without requiring callers to parse out
the gpg() wrapping around it.
- Yes its a wonky mapping, but so is everything else wrt
gpg-pubkeys, and adding a tag just for this also seems silly.
Using vendor tag could be another possibility, dunno.
Panu Matilainen [Thu, 24 Nov 2011 09:16:19 +0000 (11:16 +0200)]
Log an error on attempt to sign V3 packages (RhBug:517818 & others)
- We haven't been able to sign V3 packages in the last decade or so,
might as well spit out an error on it instead of silently failing.
Panu Matilainen [Thu, 24 Nov 2011 08:44:14 +0000 (10:44 +0200)]
Fix dribble length calculation on headerLoad()
- When calculating length of dribbles, we need to take into account the
size up to that point, otherwise the alignment can be wrong causing
the sizes not to add up.
- With that mystery solved, we can now make the final length check
as strict as it should be.
Panu Matilainen [Tue, 22 Nov 2011 10:34:46 +0000 (12:34 +0200)]
Ehm, %pretrans failure shouldn't abort the entire transaction
- Brainfart in previous commit (
71c6b06b3f240021f2ece46f9cf7aa891f716710):
%pretrans failure should only cause that package to fail, not
abort the entire transaction. Doh.
- Failures are tracked via transaction elements but pre/posttrans
were specifically filtered out. All we need is removing that filtering
and the warn-only vs error logic in psm takes care of the rest.
The transaction.c changes in previous commit were just unnecessary.
Panu Matilainen [Tue, 22 Nov 2011 09:24:22 +0000 (11:24 +0200)]
Make %pretrans failure fail the install (RhBug:736960)
- %pre and %preun scriptlets cause the package install/erase to fail,
whereas %pretrans return has simply been ignored ever since its
introduction somewhere in rpm <= 4.4.x. This is just inconsistent,
make %pretrans more like the other %pre-scriptlets. %posttrans
exit code is still essentially ignored, just like %post and %postun etc.
- This can obviously affect installability of existing packages: if
they have been careless about their %pretrans exit code or outright
relying on the "yes it spits errors in some situations but who cares"
behavior, they will now fail to install at all. The way to write
"portable" %pretrans scriptlets is ensuring non-error exit.
Ales Kozumplik [Fri, 18 Nov 2011 10:36:20 +0000 (11:36 +0100)]
inverse the macro definition condition in c87ad03.
- thanks zpavlas for pointing this out.
Ales Kozumplik [Tue, 15 Nov 2011 14:49:33 +0000 (15:49 +0100)]
python: use the more modern PyCapsule over PyCObject (RhBug:623864).
- rpm.header.new() will still keep accepting PyCObject for now in case a
client library depends on this.
- involves macro trickery to make rpm buildable against python 2.6 still.
Ales Kozumplik [Thu, 10 Nov 2011 12:37:42 +0000 (13:37 +0100)]
cosmetic: indentation in rpmdbNextIterator.
- the hunk looked confusing with the wrong indentation.
Ales Kozumplik [Fri, 11 Nov 2011 09:38:49 +0000 (10:38 +0100)]
Recognize "<epoch>:" as a part of a label (ticket #117)
- for instance this works now:
$ rpm -q perl-4:5.14.1-188.fc16.x86_64
perl-5.14.1-188.fc16.x86_64
Ales Kozumplik [Mon, 14 Nov 2011 08:58:04 +0000 (09:58 +0100)]
Do not attempt running the test suite without fakechroot (ticket #851).
Partially resolves ticket #851.
Panu Matilainen [Mon, 14 Nov 2011 08:20:42 +0000 (10:20 +0200)]
Avoid XZ dependency in test-suite
- The two "hello" binaries packages used for various multilib checks were
accidentally using xz payload compression, causing test-suite to
fail when rpm was configured without xz support. Rebuild them with gzip
compression instead to avoid silly failures - gzip compression
support is mandatory, xz is not.
Panu Matilainen [Thu, 10 Nov 2011 06:46:23 +0000 (08:46 +0200)]
Doh, somehow managed to miss the warnings from these missing includes :(
- Should've been in commit
70f063cb773bedb7d336429d9bc8ed1d4e5d18f4
Panu Matilainen [Wed, 9 Nov 2011 13:04:13 +0000 (15:04 +0200)]
Make base64 encoding/decoding part of rpmio public API
- Base64 is present in headers and all, it's only reasonable that
our API users have access to this functionality without having
to link to other libraries. Even if we didn't want to carry the
implementation forever in our codebase, we should provide a wrapping
for this (much like the other crypto stuff) for the reason stated above.
- A bigger issue is that our dirty little (badly hidden) secret was using
non-namespaced function names, clashing with at least beecrypt. And we
couldn't have made these internal-only symbols even on platforms that
support it, because they are used all over the place outside rpmio.
So... rename the b64 functions to rpmLikeNamingStyle and make 'em public.
No functional changes, just trivial renaming despite touching numerous
places.
Panu Matilainen [Wed, 9 Nov 2011 11:55:08 +0000 (13:55 +0200)]
Eliminate uses of pgpDig in package signing routines
- No functional changes, just eliminates pile of unnecessary allocations
and other calls, simplifying the code a bit.
Panu Matilainen [Wed, 9 Nov 2011 11:43:09 +0000 (13:43 +0200)]
Eliminate uses of pgpDig in package reading & signature checking
- No functional changes, just eliminates pile of unnecessary allocations
and other calls, simplifying the code a bit.
Panu Matilainen [Wed, 9 Nov 2011 11:28:23 +0000 (13:28 +0200)]
Take advantage of pgpPrtParams() directly in pgpsigFormat() extension
- No functional changes, just bypassing an unnecessary round-trip to
a function really intended for other purposes, now that we can.
Panu Matilainen [Wed, 9 Nov 2011 11:05:08 +0000 (13:05 +0200)]
Switch to using rpmKeyringVerifySig() internally
- Change rpmVerifySignature() to take just the signature parameters
instead of the whole dig (this is an internal API so we're free
to mess with it) from which it only needed the signature params.
- The internal low-level verifySignature() is thus reduced to
to a call to rpmKeyringVerifySig() and spitting some silly
strings to msg.
- With this, keyring can now use and reuse the its internally stored
pgp key parameters instead of having to parse the same PGP packets
over and over. As a result, signature checking is faster now. Not
dramatically so but measurably nevertheless.
Panu Matilainen [Wed, 9 Nov 2011 10:47:02 +0000 (12:47 +0200)]
Add a signature verification method to keyring
- At least within rpm itself, callers aren't particularly interested
in the actual key that matches a given signature, they just want
simple good/bad/nokey answers. This makes life simple for them
and avoids exposing further rpmPubkey internals through APIs.
Panu Matilainen [Wed, 9 Nov 2011 10:31:23 +0000 (12:31 +0200)]
Split keyring find-by-signature to helper function, document...
- Document the broken rpmKeyringLookup() behavior / side-effect,
the new helper uses the values from our stored pgp parameters though.
- Shouldn't make any difference functionality-wise, but we'll need
the helper function shortly.
Panu Matilainen [Wed, 9 Nov 2011 09:59:31 +0000 (11:59 +0200)]
Parse pubkey parameters on rpmPubkeyNew() already and store results
- Yet more pre-requisites for separating key and signature management.
In addition this gains us more thorough initial sanity checking and
will allow reusing the parameters instead of having to parse
the same packets over and over again on every single verification
against this key. Unfortunately rpmKeyringLookup() is so braindead
it prevents us from doing this right now, we'll need a better
interface to take advantage of the stored pgp key parameters.
Panu Matilainen [Wed, 9 Nov 2011 09:04:51 +0000 (11:04 +0200)]
Add an alternative API for parsing PGP packets
- pgpPrtParams() returns a pointer to an allocated pgpDigParams
on success, eliminating the need for callers to worry about
freeing "target buffer" on failure and bypassing the now rather
useless pgpDig middleman. Also allows specifying the expected
packet type so if we expect a key we'll error out if we get a signature
instead.
- pgpPrtPkts() is basically just a wrapper to pgpPrtParams()
- Further pre-requisites for separating key and signature management.
- Yes, pgpPrtParams() is a stupid name for this. However all the saner
ones are already taken for other purposes (for which the names are
just as bad/misleading, sigh)
Panu Matilainen [Wed, 9 Nov 2011 07:49:26 +0000 (09:49 +0200)]
Allocate signature and pubkey dynamically within pgpDig on PGP parse
- This way we can parse the whole thing into a private storage first
and only if its actually successful we return anything through the
pgpDig. Previously we would return partial garbage on failure
and/or consecutive calls unless manually "cleaned" as we were
parsing directly into the pgpDig.
- Dynamic allocation is a pre-requirement separating management of
keys and signatures: while they walk hand in hand much of the time,
they come from different sources and have different lifetimes and
should be managed separately.
- Dynamic allocation of these is also a pre-requirement for handling
more than one public key, ie mainly subkeys.
Panu Matilainen [Wed, 9 Nov 2011 07:37:15 +0000 (09:37 +0200)]
Use pgpDigGetParams() in pgpVerifySig() compat wrapper too
- The fewer places that "know" about pgpDig allocation internals the better...
Panu Matilainen [Wed, 9 Nov 2011 07:19:48 +0000 (09:19 +0200)]
Don't make assumptions about how pgpDig allocates things
- Only call pgpDigGetParams() on the public key once we've at least
tried to fetch it via rpmKeyringLookup(). This way we dont assume
things about how pgpDig internal allocation is done - currently
it does return what's essentially a static pointer into pgpDig,
but this is not a reasonable assumption for an opaque type.
No functional changes.
Panu Matilainen [Tue, 8 Nov 2011 13:08:01 +0000 (15:08 +0200)]
Revert "Take advantage of pgpDigParamsCmp() in rpmKeyringLookup()"
- This only "works" because of other brokenness in the sig/key
parsing, revert while we can
- This reverts commit
4c51eff3f0fa5e67494b6b192aa1c087f57abed6.
Panu Matilainen [Tue, 8 Nov 2011 12:08:40 +0000 (14:08 +0200)]
Tolerate NULL key in pgpVerifySignature()
Ales Kozumplik [Tue, 8 Nov 2011 08:01:59 +0000 (09:01 +0100)]
Do not let 'rpm -q foo-' find package 'foo'. (RhBug:488567)
- Includes a test suite for the case.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
Panu Matilainen [Mon, 7 Nov 2011 13:39:39 +0000 (15:39 +0200)]
Eliminate unused params member from pgpDigParams
- Rpm has never used this for anything, amounting to helluva lot
unnecessary free()'s over the years.
Panu Matilainen [Mon, 7 Nov 2011 12:49:47 +0000 (14:49 +0200)]
Take advantage of pgpDigParamsCmp() in rpmKeyringLookup()
- Besides eliminating a couple of direct struct accesses,
pgpDigParamsCmp() does a much more thorough job of comparing
the parameters than we ever did here (ie less chance for returning
ok for for a wrong key, although because the interface is as
braindead as it is, it doesn't make a whole lot of difference)
Panu Matilainen [Mon, 7 Nov 2011 12:47:03 +0000 (14:47 +0200)]
Use pgpDigParamsAlgo() throughout the codebase
- Tedious but straightforward conversion to use the API instead
of going to the struct directly.
- Remove digest.h includes where no longer necessary
Panu Matilainen [Mon, 7 Nov 2011 12:42:13 +0000 (14:42 +0200)]
Add ad API for retrieving algorithm values from digest parameter containers
- Mildly annoying but necessary in order to make pgpDigParams properly
opaque some day (and also allow sane access to this data)
Panu Matilainen [Mon, 7 Nov 2011 11:18:13 +0000 (13:18 +0200)]
Add an API for comparing two digest parameter containers
- Lift the digest parameter comparison from librpmsign to rpmpgp.c
where it really belongs.
Panu Matilainen [Mon, 7 Nov 2011 10:56:55 +0000 (12:56 +0200)]
And finally, make pgpDig struct fully opaque
- As long as this was exposed and relied on, we couldn't really
make any changes to how this stuff is stored. Now we have a chance...
Panu Matilainen [Mon, 7 Nov 2011 10:56:03 +0000 (12:56 +0200)]
Eliminate direct pgpDig accesses from signing code
Panu Matilainen [Mon, 7 Nov 2011 10:55:27 +0000 (12:55 +0200)]
Eliminate direct pgpDig accesses from pubkey importing
Panu Matilainen [Mon, 7 Nov 2011 10:55:02 +0000 (12:55 +0200)]
Eliminate direct pgpDig access from package reading code
Panu Matilainen [Mon, 7 Nov 2011 10:54:30 +0000 (12:54 +0200)]
Eliminate direct pgpDig accesses from lowlevel signature code
Panu Matilainen [Mon, 7 Nov 2011 10:53:47 +0000 (12:53 +0200)]
Eliminate direct pgpDig accesses from keyring
Panu Matilainen [Mon, 7 Nov 2011 10:52:42 +0000 (12:52 +0200)]
Add a dumb API to retrieve pubkey / signature params from pgpDig
Panu Matilainen [Mon, 7 Nov 2011 09:19:25 +0000 (11:19 +0200)]
Take advantage of parsePGPSig() in pgpsigFormat() too
- Doesn't make for less lines in this case but unifying the accesses
is good anyway.
Panu Matilainen [Mon, 7 Nov 2011 09:09:08 +0000 (11:09 +0200)]
Unify the parsePGP() variants from package.c and rpmchecksig.c
- Hide allocation inside the helper, automatically free on failure
- Return pointer to the signature parameters on success to simplify
life for callers
- Don't bother checking or reporting the signature version: the
pgp parser errors out if it encounters unsupported version and
does not scrible anything to the version field in that case,
mumbling about "V0 signatures" is not particularly helpful.
- Log the bad package names from rpmpkgReadHeader() too
Panu Matilainen [Mon, 7 Nov 2011 08:45:56 +0000 (10:45 +0200)]
Hide pgpDig alloc etc details in the parsePGP helper
- Return a pointer to the signature part on success, hide allocation
(and free on failure) in the helper. Makes life a little bit
saner for the callers and limits the places where we access
the full pgpDig further.
Panu Matilainen [Mon, 7 Nov 2011 06:33:02 +0000 (08:33 +0200)]
Process all keys and signatures we find
- We still can't store more than one signature / key at a time, but
since we can easily *process* them without trashing already stored
values, lets do so to avoid returning errors from legal packets.
Also pay attention to only store data matching our expected type,
ie dont store signature data into pubkey parameters and vice versa.
- This mostly affects pubkey packets which can have more than one
key present and which (can) also carry certification signature
which we currently do not handle properly at all.
Panu Matilainen [Mon, 7 Nov 2011 06:20:14 +0000 (08:20 +0200)]
Make pgpPrtPubkeyParams() return an int like all the others do too
- No functional changes, just making the interfaces consistent
Panu Matilainen [Sun, 6 Nov 2011 18:58:56 +0000 (20:58 +0200)]
Add another pgpVerify variant which takes key and sig as separate args
- pgpVerifySig() is now just a dumb wrapper around pgpVerifySignature()
which does the real work.
- Update the sole caller to use the new interface instead, deprecate
the old dig interface.
- First steps towards getting rig of pgpDig which always was a
strange creature and now is nothing but a nuisance and obfuscation.
Yes keys and signatures walk hand in hand much of the time, but
they come from different sources and want to be handled as
separate data really.
Panu Matilainen [Sun, 6 Nov 2011 18:43:57 +0000 (20:43 +0200)]
Eliminate couple of unnecessary pgpDig usages
- stashKeyid() only wants the signature, not the whole dig
- dig argument to readFile() was simply unused
Panu Matilainen [Sun, 6 Nov 2011 15:54:38 +0000 (17:54 +0200)]
Clean up pgpPrtPkts() and friends a bit
- Use decodePkt() for added initial sanity check + grabbing the "main" tag
instead of duplicating the tag decoding here.
- Call decodePkt() from the main parse loop instead of pgpPrtPkt(),
and return simple ok/error codes from pgpPrtPkt() and do the
length calculation in the main loop.
- Besides making the code simpler and more obvious this fixes some
fishy cases where we previously would've returned 0 for success
despite there being an error.
Panu Matilainen [Fri, 4 Nov 2011 14:28:50 +0000 (16:28 +0200)]
Bury all NSS specifics into a separate source
- Not everybody needs/wants the certified monster that NSS is
(along with all its quirks), this leaves room for alternative
compile-time selectable crypto backends. Besides that, we get
a clean functionality separation for the PGP parser and the
cryptography parts.
- The whole crypto abstraction works inspired + somewhat based on
Michael Schroeder's similar patch in Suse, kudos.
- TODO: port beecrypt support from Suse to the new interface.
Panu Matilainen [Fri, 4 Nov 2011 14:28:13 +0000 (16:28 +0200)]
Add a couple of missing includes, masked by NSS headers
Panu Matilainen [Fri, 4 Nov 2011 14:05:59 +0000 (16:05 +0200)]
Implement PGP key & sig algorithm specific part OO-style
- Collect the crypto algorithm specific bits into new struct
with function pointers for the necessary set/verify/free methods,
adjust callers to operate on these. This will allow nice and
clean switching for different underlying crypto implementations
with differing supported algorithms etc with minimal internals exposure.
- pgpSignatureNew() and pgpPubkeyNew() never fail to avoid having
to check for NULL's over and over, they just return a "null object"
object for which all operations return failure instead.
- This shreds out some of the output --prtpkts used to give. Wouldn't
be hard to preserve but the stderr fprintf() spew is not very
useful nor library-like behavior.
Panu Matilainen [Fri, 4 Nov 2011 12:18:29 +0000 (14:18 +0200)]
Lift RSA/DSA specific signature verification to helper functions
- Use function pointers to call appropriate helper, cleaning up
pgpVerifySig() a bit. Supposedly no functional changes, just
further isolation of NSS specifics.
- Pass down pubkey and signature as separate pointers, we'll
want to get rid of pgpDig eventually as it only obfuscates things.
Panu Matilainen [Fri, 4 Nov 2011 12:17:48 +0000 (14:17 +0200)]
Lift RSA/DSA key MPI calculations to helper functions
- Same as commit
8473a5b6ce2050a8e899b0be4a012f5724eb0b6d, only for keys
- Use function pointers to call appropriate helper etc, cleaning up
pgpPrtPubkeyParams() considerably. Supposedly no functional changes,
just further isolating NSS specifics behind generic interfaces.
Panu Matilainen [Fri, 4 Nov 2011 12:15:26 +0000 (14:15 +0200)]
Lift RSA/DSA signature MPI calculations to helper functions
- Use function pointers to call appropriate helper, cleaning up
pgpPrtSigParams() considerably. Supposedly no functional changes.
- Also serves as first step towards isolating NSS-specific bits
and pieces behind more generic interfaces to enable using
alternative crypto "engines" later on.
Panu Matilainen [Fri, 4 Nov 2011 10:44:58 +0000 (12:44 +0200)]
Remove now redundant NULL digparam checks within the PGP parser
- Since the only entry to these is pgpPrtPkts() and that ensures
the internals are never called with non-NULL digp... Cleans up
and simplifies the internals.
Panu Matilainen [Fri, 4 Nov 2011 10:32:17 +0000 (12:32 +0200)]
Arrange temporary storage for parsing if called with NULL dig
- The only known caller with NULL dig is in the rather useless
wrapping of prtPrtPkts() in the python bindings, but since in
theory some other callers could use this just for validating
a PGP packet .. preserve the behavior since it's easy. The
actual benefit here is that this frees the parser internals
of having to check for NULL pointers everywhere.
Panu Matilainen [Fri, 4 Nov 2011 10:24:32 +0000 (12:24 +0200)]
Added sanity checks on pgpPrtPkts() entry
- Error out cleanly on NULL pkts pointer (caller error but not worth
dying for)
- Error out early if packet is clearly not valid
Panu Matilainen [Wed, 2 Nov 2011 09:02:28 +0000 (11:02 +0200)]
Eliminate bunch of unused/useless debug cruft from pgp parser
Panu Matilainen [Wed, 2 Nov 2011 08:26:34 +0000 (10:26 +0200)]
Split digest parameter freeing into a separate helper function
- The data is all the same except for rsa/dsa specific bits,
to me this calls for a function. We might want to export
pgpCleanDigParams() or such later on but for now keep it static.
No functional changes.
Panu Matilainen [Wed, 2 Nov 2011 08:00:32 +0000 (10:00 +0200)]
Store the rsa/dsa parameters in pgpDigParamers struct directly
- Avoids having to pass around pgpDig pointers in addition to
pgpDigParamrs pointers. The type (key vs sig) is determined
early on in pgpPrtPkts() and doesn't change, and the rsa/dsa
data is associated with that always. No functional changes,
just makes the whole thing just a little bit cleaner.
Panu Matilainen [Tue, 1 Nov 2011 09:23:34 +0000 (11:23 +0200)]
Verify PGP signature packet sizes and number of MPIs match expectations
- Similar to commit
807b402d95702f3f91e9e2bfbd2b5ca8c9964ed9 but
for signature packets: packet must be larger than the "intro"
structure, and verify the calculated sizes match our expectations.
Panu Matilainen [Tue, 1 Nov 2011 08:52:13 +0000 (10:52 +0200)]
Eliminate buggy pgpPrtComment()
- Removes another source of stupid bugs: for rpm's purposes we're not
interested in PGP comment tag contents, and the implementation
here was unsafe as it assumes there always is a terminating \0
somewhere in the packet which might not be true for a malformed packet.
Panu Matilainen [Tue, 1 Nov 2011 08:40:02 +0000 (10:40 +0200)]
Verify PGP key packet sizes and number of MPIs match expectations, part II
- Same as commit
807b402d95702f3f91e9e2bfbd2b5ca8c9964ed9 but for
retrieving the actual key data instead of its fingerprint.
- Only look inside keys whose pubkey algo we actually support:
DSA and RSA. Anything else is better left untouched and treated
as an error to avoid nasty surprises.
Panu Matilainen [Tue, 1 Nov 2011 07:44:31 +0000 (09:44 +0200)]
Verify PGP key packet sizes and number of MPIs match expectations
- A key packet must be larger than the "intro" structure to have
room for the trailing MPIs, ie in order to be valid. This also
ensures we can safely access the pubkey algorithm data.
- Verify the number of trailing MPI's and their total size matches
the expectations and packet size exactly before bothering with
digest calculations.
- Also use sizeof(keyid) instead of "magic eight" and memcpy()
instead of memmove(), the argument keyid and memory returned
from rpmDigestFinal() cannot overlap.
Panu Matilainen [Wed, 26 Oct 2011 11:01:41 +0000 (14:01 +0300)]
Verify MPI size is within packet boundary in pgpMpiItem()
- Malformed data can claim the MPI size to be "arbitrarily" large,
pass packet end pointer to pgpMpiItem() and validate we have enough
bytes in the packet to contain the MPI before copying.
Panu Matilainen [Wed, 26 Oct 2011 09:42:26 +0000 (12:42 +0300)]
Remove support for V3 public keys
- V3 keys have been long since deprecated and extinct for all practical
purposes for more than a decade by now (for example, Red Hat Linux 6.0
from 1999 was the last RHL to use a V3 key for signing). RFC-4880
says V3 keys MUST NOT be generated (they have a number of weaknesses),
but implementations MAY accept them. We choose not to accept them
anymore, eliminating a code path that would essentially only get
triggered by malformed packages. The said code path also contained
a few buffer overflows and other bugs, so its more than just
"good riddance."
- Worth nothing is that only support for V3 *keys* is removed, V3
signatures are still supported along with V4 ones.
Panu Matilainen [Wed, 26 Oct 2011 06:14:40 +0000 (09:14 +0300)]
We dont deal with secret keys, leave them alone
- As we only do OpenPGP signature verification and never signing /
encrypting content ourselves, we have no need to know anything
about secret keys. One less place to worry about, tripping up
on bad data that we dont even try to use would be pretty dumb.
Panu Matilainen [Tue, 25 Oct 2011 12:47:15 +0000 (15:47 +0300)]
Centralize PGP packet decoding and sanity checking into helper function
- Stricter sanity checking on both old and new packet types - whereas
new format packets were mostly covered by pgpLen() changes already,
old format has similar case where malformed packet could cause us
to read beyond packet (buffer) end.
- Collect the necessary packet data into a struct that's nicer to
pass around (taking advantage of this mostly left for next steps)
Panu Matilainen [Tue, 25 Oct 2011 11:47:44 +0000 (14:47 +0300)]
Verify there are sufficient number of bytes to calculate packet length
- The number of bytes used to store a PGP packet body length is not
known until we decode the first byte, pass remaining packet length
to pgpLen() and verify there are sufficient bytes for the
used encoding before reading them.
- Clarify the function description while at it.
Panu Matilainen [Tue, 25 Oct 2011 11:22:07 +0000 (14:22 +0300)]
Avoid redundant calculations on pubkey fingerprint retrieval
- In pgpPrtPkt() we just calculated the packet body and length,
avoid redoing it for the fingerprint by splitting the actual
fingerprint calculation out of pgpPubkeyFingerprint() into a helper
function and calling that instead.
Panu Matilainen [Tue, 25 Oct 2011 11:03:43 +0000 (14:03 +0300)]
pgpPubkeyFingerprint() can fail, propagate errors part II
- rpmPubkeyNew() needs to return NULL if we fail to grab the
keyid, make it so...
Panu Matilainen [Tue, 25 Oct 2011 10:53:42 +0000 (13:53 +0300)]
pgpPubkeyFingerprint() can fail, propagate errors
- Rpm itself doesn't even use pgpExtractPubkeyFingerprint() anymore
but there appear to be other users so leaving it alone for now,
just behave sanely on errors.
Panu Matilainen [Mon, 24 Oct 2011 10:45:00 +0000 (13:45 +0300)]
Eliminate useless pgpIsPkt() helper function
- While I can imagine uses for such a function, our only caller is
using it in a bogus way: decodePkts() is trying to avoid looking into
binary-only data by calling it, but then pgpIsPkt() returns
"not pgp tag" for various things that *are* pgp tags, making the
whole thing just moot. If such checks are actually needed, we'd be better
of checking for printable characters or such.
Panu Matilainen [Mon, 24 Oct 2011 09:39:51 +0000 (12:39 +0300)]
Eliminate broken pgpLen() from the API
- pgpLen() only works for new format packets, and even for those
its unsafe and cannot be fixed without breaking the API. Start
by taking it behind the barn for further, err, operations. Rpm has
no users outside rpmpgp.c now and anybody else using it will be
better off not doing so.
Panu Matilainen [Mon, 24 Oct 2011 09:21:01 +0000 (12:21 +0300)]
Sanitize pgpsigFormat()
- Eliminate bogus size calculations: we have a buffer of td->count size
that may or may not contain legal OpenPGP signature. Leave it up to
pgpPrtPkts() to validate & figure it out and check its return code instead,
eliminating need to repeat a bunch of tedious calculations here.
- Use non-zero signature version is used as a hint for valid signature,
should be "close enough" for the rest of the code.
Panu Matilainen [Mon, 24 Oct 2011 08:04:51 +0000 (11:04 +0300)]
Valid PGP packets are always at least two bytes long
- Old format tags encode the number of body length bytes in the packet
header, new format encodes it in the first body length byte. In
both cases there must be at least two bytes worth of data for it
to be a valid header. Sanity check before accessing.
Thomas Jarosch [Fri, 21 Oct 2011 21:05:54 +0000 (23:05 +0200)]
Fix unterminated buffer after readlink() call
readlink() never terminates the buffer.
Detected by "cppcheck" (git HEAD)
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
Panu Matilainen [Sun, 23 Oct 2011 11:23:12 +0000 (14:23 +0300)]
Log an error on signing if we can't even parse the gpg-generated signature
- The error message is not very helpful but if pgpPrtPkts() fails
we dont have a whole lot clue in the caller why it failed, spitting
out at least *some* error is better than silently failing
(RhBug:748116, RhBug:719154)
Panu Matilainen [Sun, 23 Oct 2011 10:59:46 +0000 (13:59 +0300)]
Warn but don't fail the build on missing excluded files (RhBug:745629)
- If a file/directory is not to be packaged, there's not a whole lot
point making the build fail if its missing. In case exclude is
used to leave certain files to sub-packages, the sub-package file
lists will catch out missing files that are really missing as a
result of actual build failure or such (except perhaps for some
glob cases but missing files can go unnoticed in those cases anyway)
Panu Matilainen [Sun, 23 Oct 2011 10:53:21 +0000 (13:53 +0300)]
Eliminate bunch of exit points in addFile()
- Assume failure, handle setting fl->processingFailed centrally at exit
(file too large wasn't resulting in processingFailed getting set)
Panu Matilainen [Fri, 21 Oct 2011 08:49:53 +0000 (11:49 +0300)]
Fix ancient off-by-one at end boundary in string array size calculation
- String array size calculation could read one byte past data end
pointer when expected count and number of \0's disagree (ie invalid data)
due to while condition side-effects + bounds checking being in
the inner loop.
- Lift the string length calculation to inline helper function, used for
both string and string array types.
- Streamline the calculations:
- Eliminate unnecessary length increments, calculate the length
from pointer distance
- Eliminate end pointer NULL checking within the loop: when caller
doesn't supply end pointer, cap to HEADER_MAX_DATA (ie 16MB),
anything larger would trip up in later hdrchkData() checks anyway.
- Avoid the off-by-one by eliminating the problematic inner loop.
Panu Matilainen [Thu, 20 Oct 2011 07:37:31 +0000 (10:37 +0300)]
Verify the entire region trailer, not just its offset, is within data area
- Offset being within the data area doesn't help if the actual data doesn't
fit. Since the trailer size is well known, we can just as easily
make the check accurate to prevent reading beyond end of data in case
the offset is subtly wrong.
- In headerLoad(), region offset of zero doesn't need sanity checking,
only validate if its something else and do so accurately there too.
Panu Matilainen [Mon, 17 Oct 2011 06:27:34 +0000 (09:27 +0300)]
Update man page(s) verify output description to match current behavior
- Since addition of file capability verification in rpm 4.7.x,
the verify output has nine characters, not eight (RhBug:746525)
Panu Matilainen [Wed, 12 Oct 2011 06:33:36 +0000 (09:33 +0300)]
Fix pretrans dependency calculation when provider is upgraded
- Pretrans-dependencies are twisty little beasts unlike anything else...
When a pretrans-dependency provider is updated, the currently installed
version is the provider for that transaction, unlike others where
the packages from installing set act as providers for updates. So
when looking up pretrans deps, we must not prune the to-be-erased
packages from the db match iterators. As an added twist, we also
must not cache these non-pruned cases as it would mess up the
cache for "regular" dependencies.
- Fixes this case reported on fedora-devel:
http://lists.fedoraproject.org/pipermail/devel/2011-October/158058.html
Mukund Sivaraman [Fri, 30 Sep 2011 10:04:44 +0000 (15:34 +0530)]
rpmio: Set a umask before using mkstemp()
This commit sets a restrictive umask before calling mkstemp().
This is because the permissions of files created by mkstemp() are
not defined in POSIX. Old versions of glibc created files with
mode 0666 which can be a security hole. Because the behavior is
implementation-dependent, we set a umask.
Mukund Sivaraman [Thu, 29 Sep 2011 07:09:13 +0000 (12:39 +0530)]
rpmio: Don't de-ref lzfile which was freed in lzclose()
Mukund Sivaraman [Thu, 29 Sep 2011 07:09:12 +0000 (12:39 +0530)]
build: Update .gitignore rules
Panu Matilainen [Tue, 11 Oct 2011 07:31:40 +0000 (10:31 +0300)]
Let headerLoad() failure message come through
- headerVerify() always returns with a message even for OK results,
which was masking the error message from headerLoad(), sometimes
giving not very helpful "headerRead failed: Header sanity check OK"
style messages.
Panu Matilainen [Thu, 6 Oct 2011 12:16:47 +0000 (15:16 +0300)]
Eliminate headerCheckPayloadFormat() from the API
- While we're on API killing spree... Exporting this was needless and
dumb to begin with (greetings to self in 2007...), bury it inside
depends.c as static and let rot there.
- Might be a better idea to kill it completely with some other
mechanism such as turning payload format into rpmlib() dependency
internally but just get it out of public sight for now.
Panu Matilainen [Thu, 6 Oct 2011 12:13:22 +0000 (15:13 +0300)]
Eliminate headerMergeLegacySigs() from the API
- No need to export this in the API - if you want merged signature
tags you use rpm's package reading functions.
Panu Matilainen [Thu, 6 Oct 2011 12:05:11 +0000 (15:05 +0300)]
Eliminate leftover headerRegenSigHeader() function
- This was only ever used by repackage support inside rpm and has been
orphan since 2008, likely more than just a little broken too as it
doesn't know about 64bit types and all. RIP.
Panu Matilainen [Thu, 6 Oct 2011 10:06:28 +0000 (13:06 +0300)]
Only bother allocating a pgpDig when needed
- Now that rpmVerifySignature() doesn't require a non-null dig
for digests, don't bother allocating one unless necessary.
- pgpNewDig() cannot fail so dont bother checking.