emo/xbps
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement per pkg RSA signatures and on-demand repository access.

Browse Source
This commit is contained in:
Juan RP
2013-12-24 10:43:55 +01:00
parent 3c0edd40c8
commit ec0d38c469
16 changed files with 703 additions and 697 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
bin/xbps-rindex/index-add.c
View File

@@ -37,26 +37,20 @@
#include <xbps.h>
#include "defs.h"
/*
* Adds a binary package into the index and removes old binary package
* and entry when it's necessary.
*/
int
index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
{
xbps_array_t filespkgar, pkg_files, pkg_links, pkg_cffiles;
xbps_dictionary_t idx, idxfiles, newpkgd, newpkgfilesd, curpkgd;
xbps_array_t array, pkg_files, pkg_links, pkg_cffiles;
xbps_dictionary_t idx, idxfiles, idxpkgd, binpkgd, pkg_filesd, curpkgd;
xbps_object_t obj, fileobj;
struct xbps_repo *repo;
struct stat st;
const char *arch;
char *pkgver, *opkgver, *oarch, *pkgname, *sha256, *repodir;
char *tmprepodir;
uint64_t instsize;
const char *arch, *desc;
char *sha256, *pkgver, *opkgver, *oarch, *pkgname, *tmprepodir, *repodir;
int rv = 0, ret = 0;
bool flush = false, found = false;
idx = idxfiles = newpkgd = newpkgfilesd = curpkgd = NULL;
if ((tmprepodir = strdup(argv[0])) == NULL)
return ENOMEM;
@@ -66,14 +60,14 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
repodir = dirname(tmprepodir);
repo = xbps_repo_open(xhp, repodir);
if (repo == NULL) {
idx = xbps_dictionary_create();
idxfiles = xbps_dictionary_create();
} else {
if (repo && repo->idx) {
xbps_repo_open_idxfiles(repo);
idx = xbps_dictionary_copy(repo->idx);
idxfiles = xbps_dictionary_copy(repo->idxfiles);
xbps_repo_close(repo);
} else {
idx = xbps_dictionary_create();
idxfiles = xbps_dictionary_create();
}
/*
@@ -83,20 +77,17 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
/*
* Read metadata props plist dictionary from binary package.
*/
newpkgd = xbps_get_pkg_plist_from_binpkg(argv[i],
binpkgd = xbps_get_pkg_plist_from_binpkg(argv[i],
"./props.plist");
if (newpkgd == NULL) {
fprintf(stderr, "failed to read %s metadata for `%s',"
" skipping!\n", XBPS_PKGPROPS, argv[i]);
if (binpkgd == NULL) {
fprintf(stderr, "failed to read %s metadata for `%s', skipping!\n", XBPS_PKGPROPS, argv[i]);
continue;
}
xbps_dictionary_get_cstring_nocopy(newpkgd, "architecture",
&arch);
xbps_dictionary_get_cstring(newpkgd, "pkgver", &pkgver);
xbps_dictionary_get_cstring_nocopy(binpkgd, "architecture", &arch);
xbps_dictionary_get_cstring(binpkgd, "pkgver", &pkgver);
if (!xbps_pkg_arch_match(xhp, arch, NULL)) {
fprintf(stderr, "index: ignoring %s, unmatched "
"arch (%s)\n", pkgver, arch);
xbps_object_release(newpkgd);
fprintf(stderr, "index: ignoring %s, unmatched arch (%s)\n", pkgver, arch);
xbps_object_release(binpkgd);
continue;
}
pkgname = xbps_pkg_name(pkgver);
@@ -121,10 +112,8 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
ret = xbps_cmpver(pkgver, opkgver);
if (ret <= 0) {
/* Same version or index version greater */
fprintf(stderr, "index: skipping `%s' "
"(%s), already registered.\n",
pkgver, arch);
xbps_object_release(newpkgd);
fprintf(stderr, "index: skipping `%s' (%s), already registered.\n", pkgver, arch);
xbps_object_release(binpkgd);
free(opkgver);
free(oarch);
free(pkgver);
@@ -141,75 +130,125 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
free(opkgver);
free(oarch);
}
idxpkgd = xbps_dictionary_create();
assert(idxpkgd);
/*
* We have the dictionary now, add the required
* objects for the index.
* Only copy relevant objects from binpkg:
* - architecture
* - pkgver
* - short_desc
* - installed_size
* - run_depends
* - provides
* - replaces
* - shlib-requires
*/
if (!xbps_dictionary_set_cstring(idxpkgd, "architecture", arch)) {
free(pkgver);
free(pkgname);
return errno;
}
if (!xbps_dictionary_set_cstring(idxpkgd, "pkgver", pkgver)) {
free(pkgver);
free(pkgname);
return errno;
}
xbps_dictionary_get_cstring_nocopy(binpkgd, "short_desc", &desc);
if (!xbps_dictionary_set_cstring(idxpkgd, "short_desc", desc)) {
free(pkgver);
free(pkgname);
return errno;
}
xbps_dictionary_get_uint64(binpkgd, "installed_size", &instsize);
if (!xbps_dictionary_set_uint64(idxpkgd, "installed_size", instsize)) {
free(pkgver);
free(pkgname);
return errno;
}
array = xbps_dictionary_get(binpkgd, "run_depends");
if (xbps_array_count(array) && !xbps_dictionary_set(idxpkgd, "run_depends", array)) {
free(pkgver);
free(pkgname);
return errno;
}
array = xbps_dictionary_get(binpkgd, "provides");
if (xbps_array_count(array) && !xbps_dictionary_set(idxpkgd, "provides", array)) {
free(pkgver);
free(pkgname);
return errno;
}
array = xbps_dictionary_get(binpkgd, "replaces");
if (xbps_array_count(array) && !xbps_dictionary_set(idxpkgd, "replaces", array)) {
free(pkgver);
free(pkgname);
return errno;
}
array = xbps_dictionary_get(binpkgd, "shlib-requires");
if (xbps_array_count(array) && !xbps_dictionary_set(idxpkgd, "shlib-requires", array)) {
free(pkgver);
free(pkgname);
return errno;
}
/*
* Add additional objects for repository ops:
* - filename-size
* - filename-sha256
*/
if ((sha256 = xbps_file_hash(argv[i])) == NULL) {
free(pkgver);
free(pkgname);
return errno;
}
if (!xbps_dictionary_set_cstring(newpkgd, "filename-sha256",
sha256)) {
if (!xbps_dictionary_set_cstring(idxpkgd, "filename-sha256", sha256)) {
free(pkgver);
free(pkgname);
return errno;
}
free(sha256);
if (stat(argv[i], &st) == -1) {
free(pkgver);
free(pkgname);
return errno;
}
if (!xbps_dictionary_set_uint64(newpkgd, "filename-size",
(uint64_t)st.st_size)) {
if (!xbps_dictionary_set_uint64(idxpkgd, "filename-size", (uint64_t)st.st_size)) {
free(pkgver);
free(pkgname);
return errno;
}
/*
* Remove obsolete package objects.
*/
xbps_dictionary_remove(newpkgd, "pkgname");
xbps_dictionary_remove(newpkgd, "version");
/*
* Add new pkg dictionary into the index.
*/
if (!xbps_dictionary_set(idx, pkgname, newpkgd)) {
if (!xbps_dictionary_set(idx, pkgname, idxpkgd)) {
free(pkgname);
return EINVAL;
}
free(pkgname);
flush = true;
printf("index: added `%s' (%s).\n", pkgver, arch);
xbps_object_release(idxpkgd);
xbps_object_release(binpkgd);
free(pkgname);
/*
* Add new pkg dictionary into the index-files.
*/
found = false;
newpkgfilesd = xbps_get_pkg_plist_from_binpkg(argv[i],
"./files.plist");
if (newpkgfilesd == NULL) {
pkg_filesd = xbps_get_pkg_plist_from_binpkg(argv[i], "./files.plist");
if (pkg_filesd == NULL) {
free(pkgver);
return EINVAL;
}
/* Find out if binary pkg stored in index contain any file */
pkg_cffiles = xbps_dictionary_get(newpkgfilesd, "conf_files");
pkg_cffiles = xbps_dictionary_get(pkg_filesd, "conf_files");
if (xbps_array_count(pkg_cffiles))
found = true;
else
pkg_cffiles = NULL;
pkg_files = xbps_dictionary_get(newpkgfilesd, "files");
pkg_files = xbps_dictionary_get(pkg_filesd, "files");
if (xbps_array_count(pkg_files))
found = true;
else
pkg_files = NULL;
pkg_links = xbps_dictionary_get(newpkgfilesd, "links");
pkg_links = xbps_dictionary_get(pkg_filesd, "links");
if (xbps_array_count(pkg_links))
found = true;
else
@@ -217,45 +256,42 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
/* If pkg does not contain any file, ignore it */
if (!found) {
xbps_object_release(newpkgfilesd);
xbps_object_release(newpkgd);
xbps_object_release(pkg_filesd);
free(pkgver);
continue;
}
/* create pkg files array */
filespkgar = xbps_array_create();
assert(filespkgar);
array = xbps_array_create();
assert(array);
/* add conf_files in pkg files array */
if (pkg_cffiles != NULL) {
for (unsigned int x = 0; x < xbps_array_count(pkg_cffiles); x++) {
obj = xbps_array_get(pkg_cffiles, x);
fileobj = xbps_dictionary_get(obj, "file");
xbps_array_add(filespkgar, fileobj);
xbps_array_add(array, fileobj);
}
}
/* add files array in pkg array */
/* add files array in pkg files array */
if (pkg_files != NULL) {
for (unsigned int x = 0; x < xbps_array_count(pkg_files); x++) {
obj = xbps_array_get(pkg_files, x);
fileobj = xbps_dictionary_get(obj, "file");
xbps_array_add(filespkgar, fileobj);
xbps_array_add(array, fileobj);
}
}
/* add links array in pkgd */
/* add links array in pkg files array */
if (pkg_links != NULL) {
for (unsigned int x = 0; x < xbps_array_count(pkg_links); x++) {
obj = xbps_array_get(pkg_links, x);
fileobj = xbps_dictionary_get(obj, "file");
xbps_array_add(filespkgar, fileobj);
xbps_array_add(array, fileobj);
}
}
xbps_object_release(newpkgfilesd);
/* add pkg files array into index-files */
xbps_dictionary_set(idxfiles, pkgver, filespkgar);
xbps_object_release(filespkgar);
xbps_object_release(newpkgd);
xbps_dictionary_set(idxfiles, pkgver, array);
xbps_object_release(array);
xbps_object_release(pkg_filesd);
free(pkgver);
}
/*
@@ -263,15 +299,12 @@ index_add(struct xbps_handle *xhp, int argc, char **argv, bool force)
*/
if (flush) {
if (!repodata_flush(xhp, repodir, idx, idxfiles, NULL)) {
fprintf(stderr, "failed to write repodata: %s\n",
strerror(errno));
fprintf(stderr, "failed to write repodata: %s\n", strerror(errno));
return -1;
}
}
printf("index: %u packages registered.\n",
xbps_dictionary_count(idx));
printf("index-files: %u packages registered.\n",
xbps_dictionary_count(idxfiles));
printf("index: %u packages registered.\n", xbps_dictionary_count(idx));
printf("index-files: %u packages registered.\n", xbps_dictionary_count(idxfiles));
return rv;
}

200
bin/xbps-rindex/sign.c
View File

@@ -92,52 +92,43 @@ pubkey_from_privkey(RSA *rsa)
return buf;
}
static RSA *
rsa_sign_buf(const char *privkey, const char *buf,
static bool
rsa_sign_buf(RSA *rsa, const char *buf, unsigned int buflen,
unsigned char **sigret, unsigned int *siglen)
{
SHA256_CTX context;
RSA *rsa;
unsigned char sha256[SHA256_DIGEST_LENGTH];
ERR_load_crypto_strings();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
rsa = load_rsa_privkey(privkey);
if (rsa == NULL) {
fprintf(stderr, "can't load private key from %s\n", privkey);
return NULL;
}
SHA256_Init(&context);
SHA256_Update(&context, buf, strlen(buf));
SHA256_Update(&context, buf, buflen);
SHA256_Final(sha256, &context);
*sigret = calloc(1, RSA_size(rsa) + 1);
if (RSA_sign(NID_sha1, sha256, sizeof(sha256),
*sigret, siglen, rsa) == 0) {
fprintf(stderr, "%s: %s\n", privkey,
ERR_error_string(ERR_get_error(), NULL));
return NULL;
if (!RSA_sign(NID_sha1, sha256, sizeof(sha256),
*sigret, siglen, rsa)) {
free(*sigret);
return false;
}
return rsa;
return true;
}
int
sign_repo(struct xbps_handle *xhp, const char *repodir,
const char *privkey, const char *signedby)
{
RSA *rsa = NULL;
struct stat st;
struct xbps_repo *repo;
xbps_dictionary_t idx, idxfiles, meta = NULL;
xbps_dictionary_t pkgd, idx, idxfiles, meta = NULL;
xbps_data_t data;
unsigned int siglen;
xbps_object_iterator_t iter = NULL;
xbps_object_t obj;
RSA *rsa = NULL;
unsigned char *sig;
char *buf = NULL, *xml = NULL, *defprivkey = NULL;
int rv = -1;
unsigned int siglen;
const char *arch, *pkgver;
char *binpkg, *binpkg_sig, *buf, *defprivkey;
int binpkg_fd, binpkg_sig_fd;
bool flush = false;
if (signedby == NULL) {
fprintf(stderr, "--signedby unset! cannot sign repository\n");
@@ -160,15 +151,6 @@ sign_repo(struct xbps_handle *xhp, const char *repodir,
idx = xbps_dictionary_copy(repo->idx);
idxfiles = xbps_dictionary_copy(repo->idxfiles);
xbps_repo_close(repo);
/*
* Externalize the index and then sign it.
*/
xml = xbps_dictionary_externalize(idx);
if (xml == NULL) {
fprintf(stderr, "failed to externalize repository index: %s\n", strerror(errno));
goto out;
}
/*
* If privkey not set, default to ~/.ssh/id_rsa.
*/
@@ -177,50 +159,116 @@ sign_repo(struct xbps_handle *xhp, const char *repodir,
else
defprivkey = strdup(privkey);
rsa = rsa_sign_buf(defprivkey, xml, &sig, &siglen);
if (rsa == NULL)
goto out;
/*
* If the signature in repo has not changed do not generate the
* repodata file again.
*/
if (xbps_data_equals_data(repo->signature, sig, siglen)) {
fprintf(stderr, "Not signing again, matched signature found.\n");
rv = 0;
goto out;
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
if ((rsa = load_rsa_privkey(defprivkey)) == NULL) {
fprintf(stderr, "failed to read the RSA privkey\n");
return -1;
}
/*
* Prepare the XBPS_REPOIDX_META for our repository data.
* Iterate over the idx dictionary and then sign all binary
* packages in this repository.
*/
meta = xbps_dictionary_create();
xbps_dictionary_set_cstring_nocopy(meta, "signature-by", signedby);
xbps_dictionary_set_cstring_nocopy(meta, "signature-type", "rsa");
data = xbps_data_create_data_nocopy(sig, siglen);
xbps_dictionary_set(meta, "signature", data);
iter = xbps_dictionary_iterator(idx);
while ((obj = xbps_object_iterator_next(iter))) {
pkgd = xbps_dictionary_get_keysym(idx, obj);
xbps_dictionary_get_cstring_nocopy(pkgd, "architecture", &arch);
xbps_dictionary_get_cstring_nocopy(pkgd, "pkgver", &pkgver);
buf = pubkey_from_privkey(rsa);
assert(buf);
data = xbps_data_create_data_nocopy(buf, strlen(buf));
xbps_dictionary_set(meta, "public-key", data);
xbps_dictionary_set_uint16(meta, "public-key-size", RSA_size(rsa) * 8);
/*
* and finally write our repodata file!
*/
if (!repodata_flush(xhp, repodir, idx, idxfiles, meta)) {
fprintf(stderr, "failed to write repodata: %s\n", strerror(errno));
goto out;
}
rv = 0;
out:
if (xml != NULL)
free(xml);
if (buf != NULL)
binpkg = xbps_xasprintf("%s/%s.%s.xbps", repodir, pkgver, arch);
binpkg_sig = xbps_xasprintf("%s.sig", binpkg);
/*
* Skip pkg if file signature exists
*/
if ((binpkg_sig_fd = open(binpkg_sig, O_RDONLY)) == 0) {
fprintf(stdout, "skipping %s, file signature found.\n", pkgver);
free(binpkg);
free(binpkg_sig);
close(binpkg_sig_fd);
continue;
}
/*
* Generate pkg file signature.
*/
if ((binpkg_fd = open(binpkg, O_RDONLY)) == -1) {
fprintf(stderr, "cannot read %s: %s\n", binpkg, strerror(errno));
free(binpkg);
free(binpkg_sig);
continue;
}
fstat(binpkg_fd, &st);
buf = malloc(st.st_size);
assert(buf);
if (read(binpkg_fd, buf, st.st_size) != st.st_size) {
fprintf(stderr, "failed to read %s: %s\n", binpkg, strerror(errno));
close(binpkg_fd);
free(buf);
free(binpkg);
free(binpkg_sig);
continue;
}
close(binpkg_fd);
if (!rsa_sign_buf(rsa, buf, st.st_size, &sig, &siglen)) {
fprintf(stderr, "failed to sign %s: %s\n", binpkg, strerror(errno));
free(buf);
free(binpkg);
free(binpkg_sig);
continue;
}
free(buf);
if (rsa != NULL)
RSA_free(rsa);
free(binpkg);
/*
* Write pkg file signature.
*/
binpkg_sig_fd = creat(binpkg_sig, 0644);
if (binpkg_sig_fd == -1) {
fprintf(stderr, "failed to create %s: %s\n", binpkg_sig, strerror(errno));
free(binpkg_sig);
continue;
}
if (write(binpkg_sig_fd, sig, siglen) != siglen) {
fprintf(stderr, "failed to write %s: %s\n", binpkg_sig, strerror(errno));
free(sig);
free(binpkg_sig);
close(binpkg_sig_fd);
continue;
}
flush = true;
free(sig);
free(binpkg_sig);
close(binpkg_sig_fd);
binpkg_fd = binpkg_sig_fd = -1;
printf("Signed successfully %s\n", pkgver);
}
xbps_object_iterator_release(iter);
return rv;
if (flush) {
/*
* Prepare the XBPS_REPOIDX_META for our repository data.
*/
meta = xbps_dictionary_create();
xbps_dictionary_set_cstring_nocopy(meta, "signature-by", signedby);
xbps_dictionary_set_cstring_nocopy(meta, "signature-type", "rsa");
buf = pubkey_from_privkey(rsa);
assert(buf);
data = xbps_data_create_data(buf, strlen(buf));
xbps_dictionary_set(meta, "public-key", data);
xbps_dictionary_set_uint16(meta, "public-key-size", RSA_size(rsa) * 8);
free(buf);
xbps_object_release(data);
/*
* and finally write our repodata file!
*/
if (!repodata_flush(xhp, repodir, idx, idxfiles, meta)) {
fprintf(stderr, "failed to write repodata: %s\n", strerror(errno));
RSA_free(rsa);
return -1;
}
}
RSA_free(rsa);
return 0;
}