From e3c48eafe0154622eafba012710f7ab75f94720e Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Thu, 28 May 2020 13:27:19 +0300 Subject: [PATCH 1/3] Bump version to mark beginning of a new development cycle --- configure.ac | 2 +- tests/rpmsigdig.at | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 071a9e920d..321bfb4831 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ(2.61) -AC_INIT(rpm, 4.15.90, rpm-maint@lists.rpm.org) +AC_INIT(rpm, 4.16.90, rpm-maint@lists.rpm.org) AC_CONFIG_SRCDIR([rpm.c]) AC_CONFIG_HEADERS([config.h]) diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 8fe0241a81..d232b589e4 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at @@ -175,9 +175,9 @@ done runroot rpmkeys -Kv /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm ], [0], -[SHA256HEADER: 272c5eb30fb2caf7abf5ab02ab7a53ef52c71c88545b9ab08a940f724f920baf -SHA1HEADER: 4d630ee2a75757adfdbd2aed1fe803b5e3c8664d -SIGMD5: ef85784d929890a1653ed0b959784f50 +[SHA256HEADER: 8257777b3c09ad7cefce087af2437e9d711063677fe49c60811c30fbf1f2f779 +SHA1HEADER: cc3d3a91b32587f0afd4935ca0d7e38cc71221f5 +SIGMD5: 0c21d2620a279b07c69d4d6171568d98 PAYLOADDIGEST: 749d8980cc5889419da8cdbe9a5b3292742af8a227db3635f84966481b7612a8 PAYLOADDIGESTALT: 749d8980cc5889419da8cdbe9a5b3292742af8a227db3635f84966481b7612a8 /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm: From 48eec22ef05d2aca11faafb7d4bab5468036a012 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Thu, 28 May 2020 13:38:09 +0300 Subject: [PATCH 2/3] Remove support for beecrypt Beecrypt whose upstream is dead for more than ten years now, was deprecated in rpm 4.16 (in commit 0910e6aa9eec7295772c6ad904063f73dd0eb8d6). --- INSTALL | 4 +- Makefile.am | 1 - build/Makefile.am | 1 - configure.ac | 31 +-- lib/Makefile.am | 1 - rpm.pc.in | 2 +- rpmio/Makefile.am | 15 -- rpmio/digest_beecrypt.c | 507 ---------------------------------------- sign/Makefile.am | 1 - 9 files changed, 4 insertions(+), 559 deletions(-) delete mode 100644 rpmio/digest_beecrypt.c diff --git a/INSTALL b/INSTALL index 35a22a8335..e3efe6e6f3 100644 --- a/INSTALL +++ b/INSTALL @@ -14,9 +14,9 @@ The source for the file utility + library is available from ftp://ftp.astron.com/pub/file/ You will need a cryptographic library to support digests and signatures. -This library may be libgcrypt, Mozilla NSS, OpenSSL or beecrypt. +This library may be libgcrypt, Mozilla NSS or OpenSSL. Which library to use can be specified with the ---with-crypto=[libgcrypt|beecrypt|nss|openssl] argument to configure, +--with-crypto=[libgcrypt|nss|openssl] argument to configure, libgcrypt is the default. libgcrypt library is available from https://www.gnupg.org/software/libgcrypt/ diff --git a/Makefile.am b/Makefile.am index 33ccb0de13..99eb8535ae 100644 --- a/Makefile.am +++ b/Makefile.am @@ -53,7 +53,6 @@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ AM_CPPFLAGS += -I$(top_srcdir)/build AM_CPPFLAGS += -I$(top_srcdir)/lib AM_CPPFLAGS += -I$(top_srcdir)/rpmio -AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_OPENSSL_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ diff --git a/build/Makefile.am b/build/Makefile.am index 2fe3f586fe..2f1304948a 100644 --- a/build/Makefile.am +++ b/build/Makefile.am @@ -5,7 +5,6 @@ AM_CFLAGS = @RPMCFLAGS@ AM_CFLAGS += @OPENMP_CFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_MAGIC_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ diff --git a/configure.ac b/configure.ac index 321bfb4831..9904b55514 100644 --- a/configure.ac +++ b/configure.ac @@ -246,39 +246,10 @@ AM_CONDITIONAL(LIBDWARF,[test "$WITH_LIBDWARF" = yes]) # Select crypto library AC_ARG_WITH(crypto, [AC_HELP_STRING([--with-crypto=CRYPTO_LIB], - [The cryptographic library to use (nss|beecrypt|openssl|libgcrypt). The default is libgcrypt. beecrypt and nss are DEPRECATED.]) + [The cryptographic library to use (nss|openssl|libgcrypt). The default is libgcrypt. nss is DEPRECATED.]) ],[], [with_crypto=libgcrypt]) -# Check for beecrypt library if requested. -AC_ARG_WITH(internal_beecrypt, [ --with-internal-beecrypt build with internal beecrypt library (DEPRECATED)],,[with_internal_beecrypt=no]) -AM_CONDITIONAL([WITH_INTERNAL_BEECRYPT],[test "$with_internal_beecrypt" = yes]) -if test "$with_internal_beecrypt" = yes ; then - with_crypto=beecrypt -fi -AM_CONDITIONAL([WITH_BEECRYPT],[test "$with_crypto" = beecrypt]) - -WITH_BEECRYPT_INCLUDE= -WITH_BEECRYPT_LIB= -if test "$with_crypto" = beecrypt ; then - AC_MSG_WARN([Using the beecrypt library with rpm is deprecated and support will be removed in a future release!]) - AC_DEFINE(WITH_BEECRYPT, 1, [Build with beecrypt instead of nss3 support?]) - if test "$with_internal_beecrypt" = yes ; then - WITH_BEECRYPT_INCLUDE="-I\$(top_srcdir)/beecrypt" - AC_DEFINE(HAVE_BEECRYPT_API_H, 1, [Define to 1 if you have the header file.]) - else - AC_CHECK_LIB(beecrypt, mpfprintln, [ - WITH_BEECRYPT_LIB="-lbeecrypt" - ],[ - AC_MSG_ERROR([missing required library 'beecrypt']) - ]) - AC_CHECK_HEADER([beecrypt/api.h], [AC_DEFINE(HAVE_BEECRYPT_API_H, 1, [Define to 1 if you have the header file.]) - ]) - fi -fi -AC_SUBST(WITH_BEECRYPT_LIB) -AC_SUBST(WITH_BEECRYPT_INCLUDE) - #================= # Check for OpenSSL library. # We need evp.h from OpenSSL. diff --git a/lib/Makefile.am b/lib/Makefile.am index c561ad5529..a28435beb9 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -4,7 +4,6 @@ include $(top_srcdir)/rpm.am AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc diff --git a/rpm.pc.in b/rpm.pc.in index 555fd32b6d..bfcdfa975d 100644 --- a/rpm.pc.in +++ b/rpm.pc.in @@ -12,4 +12,4 @@ Requires.private: @ZSTD_REQUIRES@ # Conflicts: Cflags: -I${includedir} Libs: -L${libdir} -lrpm -lrpmio -Libs.private: -lpopt -lrt -lpthread @WITH_LZMA_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @WITH_BEECRYPT_LIB@ @WITH_NSS_LIB@ @LUA_LIBS@ +Libs.private: -lpopt -lrt -lpthread @WITH_LZMA_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @WITH_NSS_LIB@ @LUA_LIBS@ diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am index 484df6bddd..1cfb52eb8a 100644 --- a/rpmio/Makefile.am +++ b/rpmio/Makefile.am @@ -5,7 +5,6 @@ AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ AM_CPPFLAGS += @WITH_NSS_INCLUDE@ -AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_OPENSSL_INCLUDE@ AM_CPPFLAGS += @WITH_LIBGCRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ @@ -24,9 +23,6 @@ librpmio_la_SOURCES = \ rpmstring.c rpmfileutil.c rpmglob.c \ rpmkeyring.c rpmstrpool.c rpmmacro_internal.h -if WITH_BEECRYPT -librpmio_la_SOURCES += digest_beecrypt.c -else if WITH_OPENSSL librpmio_la_SOURCES += digest_openssl.c else @@ -36,14 +32,12 @@ else librpmio_la_SOURCES += digest_nss.c endif endif -endif librpmio_la_LDFLAGS = -version-info $(rpm_version_info) librpmio_la_LIBADD = \ ../misc/libmisc.la \ @WITH_NSS_LIB@ \ - @WITH_BEECRYPT_LIB@ \ @WITH_OPENSSL_LIB@ \ @WITH_LIBGCRYPT_LIB@ \ @WITH_BZ2_LIB@ \ @@ -53,15 +47,6 @@ librpmio_la_LIBADD = \ $(ZSTD_LIBS) \ -lpthread -if WITH_INTERNAL_BEECRYPT -librpmio_la_LIBADD += $(libbeecrypt_la) - -libbeecrypt_la = $(top_builddir)/beecrypt/libbeecrypt_nolibdir.la - -$(top_builddir)/beecrypt/libbeecrypt_nolibdir.la: $(top_builddir)/beecrypt/libbeecrypt.la - sed -e 's/libdir=.*/libdir=/' < $(top_builddir)/beecrypt/libbeecrypt.la > $(top_builddir)/beecrypt/libbeecrypt_nolibdir.la -endif - if WITH_LUA AM_CPPFLAGS += -I$(top_srcdir)/luaext/ AM_CPPFLAGS += @LUA_CFLAGS@ diff --git a/rpmio/digest_beecrypt.c b/rpmio/digest_beecrypt.c deleted file mode 100644 index ab69eefdfd..0000000000 --- a/rpmio/digest_beecrypt.c +++ /dev/null @@ -1,507 +0,0 @@ -#include "system.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#if HAVE_BEECRYPT_API_H -#include -#include -#include -#endif - -#include -#include "rpmio/digest.h" -#include "rpmio/rpmio_internal.h" -#include "debug.h" - -/** - * MD5/SHA1 digest private data. - */ -struct DIGEST_CTX_s { - rpmDigestFlags flags; /*!< Bit(s) to control digest operation. */ - int algo; /*!< Used hash algorithm */ - uint32_t datalen; /*!< No. bytes in block of plaintext data. */ - uint32_t paramlen; /*!< No. bytes of digest parameters. */ - uint32_t digestlen; /*!< No. bytes of digest. */ - void * param; /*!< Digest parameters. */ - int (*Reset) (void * param); /*!< Digest initialize. */ - int (*Update) (void * param, const byte * data, size_t size); /*!< Digest transform. */ - int (*Digest) (void * param, byte * digest); /*!< Digest finish. */ -}; - - -/**************************** init ************************************/ - -int rpmInitCrypto(void) { - return 0; -} - -int rpmFreeCrypto(void) { - return 0; -} - -/**************************** digest ************************************/ - -DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) -{ - DIGEST_CTX nctx = NULL; - if (octx) { - nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx)); - nctx->param = memcpy(xcalloc(1, nctx->paramlen), octx->param, nctx->paramlen); - } - return nctx; -} - -size_t rpmDigestLength(int hashalgo) -{ - switch (hashalgo) { - case PGPHASHALGO_MD5: - return 16; - case PGPHASHALGO_SHA1: - return 20; -#if HAVE_BEECRYPT_API_H - case PGPHASHALGO_SHA256: - return 32; - case PGPHASHALGO_SHA384: - return 48; - case PGPHASHALGO_SHA512: - return 64; -#endif - default: - return 0; - } -} - -DIGEST_CTX rpmDigestInit(int hashalgo, rpmDigestFlags flags) -{ - DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx)); - - ctx->flags = flags; - ctx->algo = hashalgo; - - switch (hashalgo) { - case PGPHASHALGO_MD5: - ctx->digestlen = 16; - ctx->datalen = 64; - ctx->paramlen = sizeof(md5Param); - ctx->param = xcalloc(1, ctx->paramlen); - ctx->Reset = (void *) md5Reset; - ctx->Update = (void *) md5Update; - ctx->Digest = (void *) md5Digest; - break; - case PGPHASHALGO_SHA1: - ctx->digestlen = 20; - ctx->datalen = 64; - ctx->paramlen = sizeof(sha1Param); - ctx->param = xcalloc(1, ctx->paramlen); - ctx->Reset = (void *) sha1Reset; - ctx->Update = (void *) sha1Update; - ctx->Digest = (void *) sha1Digest; - break; -#if HAVE_BEECRYPT_API_H - case PGPHASHALGO_SHA256: - ctx->digestlen = 32; - ctx->datalen = 64; - ctx->paramlen = sizeof(sha256Param); - ctx->param = xcalloc(1, ctx->paramlen); - ctx->Reset = (void *) sha256Reset; - ctx->Update = (void *) sha256Update; - ctx->Digest = (void *) sha256Digest; - break; - case PGPHASHALGO_SHA384: - ctx->digestlen = 48; - ctx->datalen = 128; - ctx->paramlen = sizeof(sha384Param); - ctx->param = xcalloc(1, ctx->paramlen); - ctx->Reset = (void *) sha384Reset; - ctx->Update = (void *) sha384Update; - ctx->Digest = (void *) sha384Digest; - break; - case PGPHASHALGO_SHA512: - ctx->digestlen = 64; - ctx->datalen = 128; - ctx->paramlen = sizeof(sha512Param); - ctx->param = xcalloc(1, ctx->paramlen); - ctx->Reset = (void *) sha512Reset; - ctx->Update = (void *) sha512Update; - ctx->Digest = (void *) sha512Digest; - break; -#endif - default: - free(ctx); - return NULL; - } - - (*ctx->Reset)(ctx->param); - return ctx; -} - -int rpmDigestUpdate(DIGEST_CTX ctx, const void * data, size_t len) -{ - if (ctx == NULL) - return -1; - - return (*ctx->Update) (ctx->param, data, len); -} - -int rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii) -{ - byte * digest; - char * t; - int i; - - if (ctx == NULL) - return -1; - digest = xmalloc(ctx->digestlen); - - /* FIX: check rc */ - (void) (*ctx->Digest) (ctx->param, digest); - - /* Return final digest. */ - if (!asAscii) { - if (lenp) *lenp = ctx->digestlen; - if (datap) { - *datap = digest; - digest = NULL; - } - } else { - if (lenp) *lenp = (2*ctx->digestlen) + 1; - if (datap) { - const byte * s = (const byte *) digest; - static const char hex[] = "0123456789abcdef"; - - *datap = t = xmalloc((2*ctx->digestlen) + 1); - for (i = 0 ; i < ctx->digestlen; i++) { - *t++ = hex[ (unsigned)((*s >> 4) & 0x0f) ]; - *t++ = hex[ (unsigned)((*s++ ) & 0x0f) ]; - } - *t = '\0'; - } - } - if (digest) { - memset(digest, 0, ctx->digestlen); /* In case it's sensitive */ - free(digest); - } - memset(ctx->param, 0, ctx->paramlen); /* In case it's sensitive */ - free(ctx->param); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ - free(ctx); - return 0; -} - - -/****************************** RSA **************************************/ - -struct pgpDigSigRSA_s { - mpnumber c; -}; - -struct pgpDigKeyRSA_s { - rsapk rsa_pk; - int nbytes; -}; - -static int pgpSetSigMpiRSA(pgpDigAlg pgpsig, int num, const uint8_t *p) -{ - struct pgpDigSigRSA_s *sig = pgpsig->data; - int mlen = pgpMpiLen(p) - 2; - int rc = 1; - - if (!sig) - sig = pgpsig->data = xcalloc(1, sizeof(*sig)); - - switch (num) { - case 0: - if (!mpnsetbin(&sig->c, p + 2, mlen)) - rc = 0; - break; - } - return rc; -} - -static int pgpSetKeyMpiRSA(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - struct pgpDigKeyRSA_s *key = pgpkey->data; - int mlen = pgpMpiLen(p) - 2; - int rc = 1; - - if (!key) - key = pgpkey->data = xcalloc(1, sizeof(*key)); - - switch (num) { - case 0: - key->nbytes = mlen; - if (!mpbsetbin(&key->rsa_pk.n, p + 2, mlen)) - rc = 0; - break; - case 1: - if (!mpnsetbin(&key->rsa_pk.e, p + 2, mlen)) - rc = 0; - break; - } - return rc; -} - -static int pkcs1pad(mpnumber *rsahm, int nbytes, const char *prefix, uint8_t *hash, size_t hashlen) -{ - int datalen = strlen(prefix) / 2 + hashlen; - byte *buf, *bp; - int rc = 1; - - if (nbytes < 4 + datalen) - return 1; - buf = xmalloc(nbytes); - memset(buf, 0xff, nbytes); - buf[0] = 0x00; - buf[1] = 0x01; - bp = buf + nbytes - datalen; - bp[-1] = 0; - for (; *prefix; prefix += 2) - *bp++ = (rnibble(prefix[0]) << 4) | rnibble(prefix[1]); - memcpy(bp, hash, hashlen); - if (!mpnsetbin(rsahm, buf, nbytes)) - rc = 0; - buf = _free(buf); - return rc; -} - -static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, uint8_t *hash, size_t hashlen, int hash_algo) -{ - struct pgpDigKeyRSA_s *key = pgpkey->data; - struct pgpDigSigRSA_s *sig = pgpsig->data; - const char * prefix = NULL; - mpnumber rsahm; - int rc = 1; - - if (!sig || !key) - return rc; - - switch (hash_algo) { - case PGPHASHALGO_MD5: - prefix = "3020300c06082a864886f70d020505000410"; - break; - case PGPHASHALGO_SHA1: - prefix = "3021300906052b0e03021a05000414"; - break; - case PGPHASHALGO_SHA256: - prefix = "3031300d060960864801650304020105000420"; - break; - case PGPHASHALGO_SHA384: - prefix = "3041300d060960864801650304020205000430"; - break; - case PGPHASHALGO_SHA512: - prefix = "3051300d060960864801650304020305000440"; - break; - default: - return 1; - } - - memset(&rsahm, 0, sizeof(rsahm)); - if (pkcs1pad(&rsahm, key->nbytes, prefix, hash, hashlen) != 0) - return 1; - -#if HAVE_BEECRYPT_API_H - rc = rsavrfy(&key->rsa_pk.n, &key->rsa_pk.e, &sig->c, &rsahm) == 1 ? 0 : 1; -#else - rc = rsavrfy(&key->rsa_pk, &rsahm, &sig->c) == 1 ? 0 : 1; -#endif - mpnfree(&rsahm); - return rc; -} - -static void pgpFreeSigRSA(pgpDigAlg pgpsig) -{ - struct pgpDigSigRSA_s *sig = pgpsig->data; - if (sig) { - mpnfree(&sig->c); - pgpsig->data = _free(sig); - } -} - -static void pgpFreeKeyRSA(pgpDigAlg pgpkey) -{ - struct pgpDigKeyRSA_s *key = pgpkey->data; - if (key) { - mpbfree(&key->rsa_pk.n); - mpnfree(&key->rsa_pk.e); - pgpkey->data = _free(key); - } -} - - -/****************************** DSA **************************************/ - -struct pgpDigSigDSA_s { - mpnumber r; - mpnumber s; -}; - -struct pgpDigKeyDSA_s { - mpbarrett p; - mpbarrett q; - mpnumber g; - mpnumber y; - int qbytes; -}; - -static int pgpSetSigMpiDSA(pgpDigAlg pgpsig, int num, const uint8_t *p) -{ - struct pgpDigSigDSA_s *sig = pgpsig->data; - int mlen = pgpMpiLen(p) - 2; - int rc = 1; - - if (!sig) - sig = pgpsig->data = xcalloc(1, sizeof(*sig)); - - switch (num) { - case 0: - if (!mpnsetbin(&sig->r, p + 2, mlen)) - rc = 0; - break; - case 1: - if (!mpnsetbin(&sig->s, p + 2, mlen)) - rc = 0; - break; - } - return rc; -} - -static int pgpSetKeyMpiDSA(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - struct pgpDigKeyDSA_s *key = pgpkey->data; - int mlen = pgpMpiLen(p) - 2; - int rc = 1; - - if (!key) - key = pgpkey->data = xcalloc(1, sizeof(*key)); - - switch (num) { - case 0: - if (!mpbsetbin(&key->p, p + 2, mlen)) - rc = 0; - break; - case 1: - key->qbytes = mlen; - if (!mpbsetbin(&key->q, p + 2, mlen)) - rc = 0; - break; - case 2: - if (!mpnsetbin(&key->g, p + 2, mlen)) - rc = 0; - break; - case 3: - if (!mpnsetbin(&key->y, p + 2, mlen)) - rc = 0; - break; - } - return rc; -} - -static int pgpVerifySigDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, uint8_t *hash, size_t hashlen, int hash_algo) -{ - struct pgpDigKeyDSA_s *key = pgpkey->data; - struct pgpDigSigDSA_s *sig = pgpsig->data; - mpnumber hm; - int rc = 1; - - if (sig && key && hashlen >= key->qbytes) { - mpnzero(&hm); - mpnsetbin(&hm, hash, key->qbytes); - rc = dsavrfy(&key->p, &key->q, &key->g, &hm, &key->y, &sig->r, &sig->s) == 1 ? 0 : 1; - mpnfree(&hm); - } - return rc; -} - -static void pgpFreeSigDSA(pgpDigAlg pgpsig) -{ - struct pgpDigSigDSA_s *sig = pgpsig->data; - if (sig) { - mpnfree(&sig->r); - mpnfree(&sig->s); - pgpsig->data = _free(sig); - } -} - -static void pgpFreeKeyDSA(pgpDigAlg pgpkey) -{ - struct pgpDigKeyDSA_s *key = pgpkey->data; - if (key) { - mpbfree(&key->p); - mpbfree(&key->q); - mpnfree(&key->g); - mpnfree(&key->y); - pgpkey->data = _free(key); - } -} - - -/****************************** NULL **************************************/ - -static int pgpSetMpiNULL(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - return 1; -} - -static int pgpVerifyNULL(pgpDigAlg pgpkey, pgpDigAlg pgpsig, - uint8_t *hash, size_t hashlen, int hash_algo) -{ - return 1; -} - -pgpDigAlg pgpPubkeyNew(int algo, int curve) -{ - pgpDigAlg ka = xcalloc(1, sizeof(*ka));; - - switch (algo) { - case PGPPUBKEYALGO_RSA: - ka->setmpi = pgpSetKeyMpiRSA; - ka->free = pgpFreeKeyRSA; - ka->mpis = 2; - break; - case PGPPUBKEYALGO_DSA: - ka->setmpi = pgpSetKeyMpiDSA; - ka->free = pgpFreeKeyDSA; - ka->mpis = 4; - break; - default: - ka->setmpi = pgpSetMpiNULL; - ka->mpis = -1; - break; - } - - ka->verify = pgpVerifyNULL; /* keys can't be verified */ - - return ka; -} - -pgpDigAlg pgpSignatureNew(int algo) -{ - pgpDigAlg sa = xcalloc(1, sizeof(*sa)); - - switch (algo) { - case PGPPUBKEYALGO_RSA: - sa->setmpi = pgpSetSigMpiRSA; - sa->free = pgpFreeSigRSA; - sa->verify = pgpVerifySigRSA; - sa->mpis = 1; - break; - case PGPPUBKEYALGO_DSA: - sa->setmpi = pgpSetSigMpiDSA; - sa->free = pgpFreeSigDSA; - sa->verify = pgpVerifySigDSA; - sa->mpis = 2; - break; - default: - sa->setmpi = pgpSetMpiNULL; - sa->verify = pgpVerifyNULL; - sa->mpis = -1; - break; - } - return sa; -} diff --git a/sign/Makefile.am b/sign/Makefile.am index db774de0e1..c1bb992f4a 100644 --- a/sign/Makefile.am +++ b/sign/Makefile.am @@ -4,7 +4,6 @@ include $(top_srcdir)/rpm.am AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc From 294692aadac5c9723b022f6f3169d16139dc1a74 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Thu, 28 May 2020 13:48:26 +0300 Subject: [PATCH 3/3] Remove support for NSS NSS is a behemoth of a library which drags in a whole runtime subsystem of its own which is often at odds with normal Unix system behavior (hello SIGPIPE). Now that we have nicer alternatives available there's little reason to lug this baggage along. NSS was deprecated in rpm 4.16 (commit 0b9efb93fb38310a48142e2f009740fc5e4abde6). --- INSTALL | 16 +- Makefile.am | 1 - build/Makefile.am | 1 - configure.ac | 34 +-- lib/Makefile.am | 1 - po/POTFILES.in | 1 - rpm.pc.in | 2 +- rpmio/Makefile.am | 5 - rpmio/digest_nss.c | 532 --------------------------------------------- sign/Makefile.am | 1 - 10 files changed, 4 insertions(+), 590 deletions(-) delete mode 100644 rpmio/digest_nss.c diff --git a/INSTALL b/INSTALL index e3efe6e6f3..94fa88b220 100644 --- a/INSTALL +++ b/INSTALL @@ -14,24 +14,12 @@ The source for the file utility + library is available from ftp://ftp.astron.com/pub/file/ You will need a cryptographic library to support digests and signatures. -This library may be libgcrypt, Mozilla NSS or OpenSSL. -Which library to use can be specified with the ---with-crypto=[libgcrypt|nss|openssl] argument to configure, +This library may be libgcrypt or OpenSSL, and can be specified with the +--with-crypto=[libgcrypt|openssl] argument to configure. libgcrypt is the default. libgcrypt library is available from https://www.gnupg.org/software/libgcrypt/ -If using the Mozilla NSS library for encyption (and NSPR library which -NSS uses) it must be version 3.12 or later. Both NSPR and NSS libraries and -headers need to be installed during RPM compilation. As NSPR and NSS -typically install their headers outside the regular include search path, -you need to tell configure about this, eg something like: - ./configure <......> CPPFLAGS="-I/usr/include/nspr -I/usr/include/nss" - -The NSPR and NSS libraries are available from - http://www.mozilla.org/projects/security/pki/nss/ - http://www.mozilla.org/projects/nspr/ - If using the OpenSSL library for encryption, it must be version 1.0.2 or later. Note: when compiling against OpenSSL, there is a possible license incompatibility. For more details on this, see diff --git a/Makefile.am b/Makefile.am index 99eb8535ae..70237c20d9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -53,7 +53,6 @@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ AM_CPPFLAGS += -I$(top_srcdir)/build AM_CPPFLAGS += -I$(top_srcdir)/lib AM_CPPFLAGS += -I$(top_srcdir)/rpmio -AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_OPENSSL_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc diff --git a/build/Makefile.am b/build/Makefile.am index 2f1304948a..41cc170424 100644 --- a/build/Makefile.am +++ b/build/Makefile.am @@ -5,7 +5,6 @@ AM_CFLAGS = @RPMCFLAGS@ AM_CFLAGS += @OPENMP_CFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_MAGIC_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc diff --git a/configure.ac b/configure.ac index 9904b55514..88a07b4691 100644 --- a/configure.ac +++ b/configure.ac @@ -246,7 +246,7 @@ AM_CONDITIONAL(LIBDWARF,[test "$WITH_LIBDWARF" = yes]) # Select crypto library AC_ARG_WITH(crypto, [AC_HELP_STRING([--with-crypto=CRYPTO_LIB], - [The cryptographic library to use (nss|openssl|libgcrypt). The default is libgcrypt. nss is DEPRECATED.]) + [The cryptographic library to use (openssl|libgcrypt). The default is libgcrypt.]) ],[], [with_crypto=libgcrypt]) @@ -356,38 +356,6 @@ AM_CONDITIONAL([WITH_LIBGCRYPT],[test "$with_crypto" = libgcrypt]) AC_SUBST(WITH_LIBGCRYPT_INCLUDE) AC_SUBST(WITH_LIBGCRYPT_LIB) -#================= -# Check for NSS library. -# We need nss.h from NSS which needs nspr.h. Unfortunately both glibc and NSS -# have a header named nss.h... so make extra check for NSS's sechash.h -# which we use too and hopefully is slightly more unique to NSS. -WITH_NSS_INCLUDE= -WITH_NSS_LIB= -if test "$with_crypto" = nss; then -AC_MSG_WARN([Using the nss library with rpm is deprecated and support will be removed in a future release!]) -# If we have pkgconfig make sure CPPFLAGS are setup correctly for the nss -# -I include path. Otherwise the below checks will fail because nspr.h -# cannot be found. -AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no], [$PATH:/usr/bin:/usr/local/bin]) -if test "x$PKGCONFIG" != "xno"; then - CPPFLAGS="$CPPFLAGS $($PKGCONFIG --cflags nss)" -fi -AC_CHECK_HEADERS([nspr.h nss.h sechash.h], [], [ - AC_MSG_ERROR([missing required NSPR / NSS header]) -]) -AC_CHECK_LIB(nss3, VFY_VerifyDigestDirect, [ - WITH_NSS_LIB=-lnss3 - AC_CHECK_LIB(nss3, NSS_InitContext, [ - AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [Define to 1 if NSS has NSS_InitContext]) - AC_SUBST(HAVE_NSS_INITCONTEXT, [1]) - ]) -], [ - AC_MSG_ERROR([required NSS library 'nss3' missing or too old]) -]) -fi -AC_SUBST(WITH_NSS_INCLUDE) -AC_SUBST(WITH_NSS_LIB) - #================= # Check for magic library. WITH_MAGIC_INCLUDE= diff --git a/lib/Makefile.am b/lib/Makefile.am index a28435beb9..79ce5f014c 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -4,7 +4,6 @@ include $(top_srcdir)/rpm.am AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc AM_CPPFLAGS += -DLOCALEDIR="\"$(localedir)\"" diff --git a/po/POTFILES.in b/po/POTFILES.in index 0fed2a6e42..2a48950ab2 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -82,7 +82,6 @@ plugins/systemd_inhibit.c python/rpmts-py.c rpmio/argv.c rpmio/digest.c -rpmio/digest_nss.c rpmio/expression.c rpmio/macro.c rpmio/rpmfileutil.c diff --git a/rpm.pc.in b/rpm.pc.in index bfcdfa975d..68c0bad06c 100644 --- a/rpm.pc.in +++ b/rpm.pc.in @@ -12,4 +12,4 @@ Requires.private: @ZSTD_REQUIRES@ # Conflicts: Cflags: -I${includedir} Libs: -L${libdir} -lrpm -lrpmio -Libs.private: -lpopt -lrt -lpthread @WITH_LZMA_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @WITH_NSS_LIB@ @LUA_LIBS@ +Libs.private: -lpopt -lrt -lpthread @WITH_LZMA_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @LUA_LIBS@ diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am index 1cfb52eb8a..c4e9c2a7a2 100644 --- a/rpmio/Makefile.am +++ b/rpmio/Makefile.am @@ -4,7 +4,6 @@ include $(top_srcdir)/rpm.am AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_OPENSSL_INCLUDE@ AM_CPPFLAGS += @WITH_LIBGCRYPT_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ @@ -28,16 +27,12 @@ librpmio_la_SOURCES += digest_openssl.c else if WITH_LIBGCRYPT librpmio_la_SOURCES += digest_libgcrypt.c -else -librpmio_la_SOURCES += digest_nss.c endif endif - librpmio_la_LDFLAGS = -version-info $(rpm_version_info) librpmio_la_LIBADD = \ ../misc/libmisc.la \ - @WITH_NSS_LIB@ \ @WITH_OPENSSL_LIB@ \ @WITH_LIBGCRYPT_LIB@ \ @WITH_BZ2_LIB@ \ diff --git a/rpmio/digest_nss.c b/rpmio/digest_nss.c deleted file mode 100644 index 3a99774388..0000000000 --- a/rpmio/digest_nss.c +++ /dev/null @@ -1,532 +0,0 @@ -#include "system.h" - -#include -#include -#include -#include -#include -#include -#include - -#include -#include "rpmio/digest.h" -#include "debug.h" - - -static int _crypto_initialized = 0; -static int _new_process = 1; - -#if HAVE_NSS_INITCONTEXT -static NSSInitContext * _nss_ctx = NULL; -#endif - -/** - * MD5/SHA1 digest private data. - */ -struct DIGEST_CTX_s { - rpmDigestFlags flags; /*!< Bit(s) to control digest operation. */ - HASHContext *hashctx; /*!< Internal NSS hash context. */ - int algo; /*!< Used hash algorithm */ -}; - -/* - * Only flag for re-initialization here, in the common case the child - * exec()'s something else shutting down NSS here would be waste of time. - */ -static void at_forkchild(void) -{ - _new_process = 1; -} - -int rpmInitCrypto(void) -{ - int rc = 0; - - /* Lazy NSS shutdown for re-initialization after fork() */ - if (_new_process && _crypto_initialized) { - rpmFreeCrypto(); - } - - /* - * Initialize NSS if not already done. - * NSS prior to 3.12.5 only supports a global context which can cause - * trouble when an API user wants to use NSS for their own purposes, use - * a private context if possible. - */ - if (!_crypto_initialized) { - /* NSPR sets SIGPIPE to ignore behind our back, save and restore */ - struct sigaction oact; - sigaction(SIGPIPE, NULL, &oact); -#if HAVE_NSS_INITCONTEXT - PRUint32 flags = (NSS_INIT_READONLY|NSS_INIT_NOCERTDB| - NSS_INIT_NOMODDB|NSS_INIT_FORCEOPEN| - NSS_INIT_NOROOTINIT|NSS_INIT_OPTIMIZESPACE); - _nss_ctx = NSS_InitContext(NULL, NULL, NULL, NULL, NULL, flags); - if (_nss_ctx == NULL) { -#else - if (NSS_NoDB_Init(NULL) != SECSuccess) { -#endif - rpmlog(RPMLOG_ERR, _("Failed to initialize NSS library\n")); - rc = -1; - } else { - _crypto_initialized = 1; - } - sigaction(SIGPIPE, &oact, NULL); - } - - /* Register one post-fork handler per process */ - if (_new_process) { - if (pthread_atfork(NULL, NULL, at_forkchild) != 0) { - rpmlog(RPMLOG_WARNING, _("Failed to register fork handler: %m\n")); - } - _new_process = 0; - } - return rc; -} - -int rpmFreeCrypto(void) -{ - int rc = 0; - if (_crypto_initialized) { -#if HAVE_NSS_INITCONTEXT - rc = (NSS_ShutdownContext(_nss_ctx) != SECSuccess); - _nss_ctx = NULL; -#else - rc = (NSS_Shutdown() != SECSuccess); -#endif - _crypto_initialized = 0; - } - return rc; -} - -DIGEST_CTX rpmDigestDup(DIGEST_CTX octx) -{ - DIGEST_CTX nctx = NULL; - if (octx) { - HASHContext *hctx = HASH_Clone(octx->hashctx); - if (hctx) { - nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx)); - nctx->hashctx = hctx; - } - } - return nctx; -} - -RPM_GNUC_PURE -static HASH_HashType getHashType(int hashalgo) -{ - switch (hashalgo) { - case PGPHASHALGO_MD5: return HASH_AlgMD5; - case PGPHASHALGO_SHA1: return HASH_AlgSHA1; -#ifdef SHA224_LENGTH - case PGPHASHALGO_SHA224: return HASH_AlgSHA224; -#endif - case PGPHASHALGO_SHA256: return HASH_AlgSHA256; - case PGPHASHALGO_SHA384: return HASH_AlgSHA384; - case PGPHASHALGO_SHA512: return HASH_AlgSHA512; - } - return HASH_AlgNULL; -} - -size_t rpmDigestLength(int hashalgo) -{ - return HASH_ResultLen(getHashType(hashalgo)); -} - -DIGEST_CTX rpmDigestInit(int hashalgo, rpmDigestFlags flags) -{ - HASH_HashType type = getHashType(hashalgo); - HASHContext *hashctx = NULL; - DIGEST_CTX ctx = NULL; - - if (type == HASH_AlgNULL || rpmInitCrypto() < 0) - goto exit; - - if ((hashctx = HASH_Create(type)) != NULL) { - ctx = xcalloc(1, sizeof(*ctx)); - ctx->flags = flags; - ctx->algo = hashalgo; - ctx->hashctx = hashctx; - HASH_Begin(ctx->hashctx); - } - -exit: - return ctx; -} - -int rpmDigestUpdate(DIGEST_CTX ctx, const void * data, size_t len) -{ - size_t partlen; - const unsigned char *ptr = data; - - if (ctx == NULL) - return -1; - - partlen = ~(unsigned int)0xFF; - while (len > 0) { - if (len < partlen) { - partlen = len; - } - HASH_Update(ctx->hashctx, ptr, partlen); - ptr += partlen; - len -= partlen; - } - return 0; -} - -int rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii) -{ - unsigned char * digest; - unsigned int digestlen; - - if (ctx == NULL) - return -1; - digestlen = HASH_ResultLenContext(ctx->hashctx); - digest = xmalloc(digestlen); - -/* FIX: check rc */ - HASH_End(ctx->hashctx, digest, (unsigned int *) &digestlen, digestlen); - - /* Return final digest. */ - if (!asAscii) { - if (lenp) *lenp = digestlen; - if (datap) { - *datap = digest; - digest = NULL; - } - } else { - if (lenp) *lenp = (2*digestlen) + 1; - if (datap) { - const uint8_t * s = (const uint8_t *) digest; - *datap = pgpHexStr(s, digestlen); - } - } - if (digest) { - memset(digest, 0, digestlen); /* In case it's sensitive */ - free(digest); - } - HASH_Destroy(ctx->hashctx); - memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ - free(ctx); - return 0; -} - -RPM_GNUC_PURE -static SECOidTag getHashAlg(unsigned int hashalgo) -{ - switch (hashalgo) { - case PGPHASHALGO_MD5: return SEC_OID_MD5; - case PGPHASHALGO_SHA1: return SEC_OID_SHA1; -#ifdef SHA224_LENGTH - case PGPHASHALGO_SHA224: return SEC_OID_SHA224; -#endif - case PGPHASHALGO_SHA256: return SEC_OID_SHA256; - case PGPHASHALGO_SHA384: return SEC_OID_SHA384; - case PGPHASHALGO_SHA512: return SEC_OID_SHA512; - } - return SEC_OID_UNKNOWN; -} - -static int pgpMpiSet(unsigned int lbits, uint8_t *dest, const uint8_t * p) -{ - unsigned int mbits = pgpMpiBits(p); - unsigned int nbits; - size_t nbytes; - uint8_t *t = dest; - unsigned int ix; - - if (mbits > lbits) - return 1; - - nbits = (lbits > mbits ? lbits : mbits); - nbytes = ((nbits + 7) >> 3); - ix = (nbits - mbits) >> 3; - - if (ix > 0) - memset(t, '\0', ix); - memcpy(t+ix, p+2, nbytes-ix); - - return 0; -} - -static SECItem *pgpMpiItem(PRArenaPool *arena, SECItem *item, const uint8_t *p) -{ - size_t nbytes = pgpMpiLen(p)-2; - - if (item == NULL) { - if ((item=SECITEM_AllocItem(arena, item, nbytes)) == NULL) - return item; - } else { - if (arena != NULL) - item->data = PORT_ArenaGrow(arena, item->data, item->len, nbytes); - else - item->data = PORT_Realloc(item->data, nbytes); - - if (item->data == NULL) { - if (arena == NULL) - SECITEM_FreeItem(item, PR_TRUE); - return NULL; - } - } - - memcpy(item->data, p+2, nbytes); - item->len = nbytes; - return item; -} - -static SECKEYPublicKey *pgpNewPublicKey(KeyType type) -{ - PRArenaPool *arena; - SECKEYPublicKey *key; - - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) - return NULL; - - key = PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); - - if (key == NULL) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; - } - - key->keyType = type; - key->pkcs11ID = CK_INVALID_HANDLE; - key->pkcs11Slot = NULL; - key->arena = arena; - return key; -} - -/* compatibility with nss < 3.14 */ -#ifndef DSA1_SUBPRIME_LEN -#define DSA1_SUBPRIME_LEN DSA_SUBPRIME_LEN -#endif -#ifndef DSA1_SIGNATURE_LEN -#define DSA1_SIGNATURE_LEN DSA_SIGNATURE_LEN -#endif -#ifndef DSA1_Q_BITS -#define DSA1_Q_BITS DSA_Q_BITS -#endif - -static int pgpSetSigMpiDSA(pgpDigAlg pgpsig, int num, const uint8_t *p) -{ - SECItem *sig = pgpsig->data; - unsigned int qbits = DSA1_Q_BITS; - unsigned int subprlen = DSA1_SUBPRIME_LEN; - unsigned int siglen = DSA1_SIGNATURE_LEN; - int rc = 1; /* assume failure */ - - switch (num) { - case 0: - sig = pgpsig->data = SECITEM_AllocItem(NULL, NULL, siglen); - if (sig) { - memset(sig->data, 0, siglen); - rc = pgpMpiSet(qbits, sig->data, p); - } - break; - case 1: - if (sig && pgpMpiSet(qbits, sig->data+subprlen, p) == 0) { - SECItem *signew = SECITEM_AllocItem(NULL, NULL, 0); - if (signew == NULL) - break; - if (DSAU_EncodeDerSigWithLen(signew, sig, siglen) == SECSuccess) { - SECITEM_FreeItem(sig, PR_TRUE); - pgpsig->data = signew; - rc = 0; - } - } - break; - } - - return rc; -} - -static int pgpSetKeyMpiDSA(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - SECItem *mpi = NULL; - SECKEYPublicKey *key = pgpkey->data; - - if (key == NULL) - key = pgpkey->data = pgpNewPublicKey(dsaKey); - - if (key) { - switch (num) { - case 0: - mpi = pgpMpiItem(key->arena, &key->u.dsa.params.prime, p); - break; - case 1: - mpi = pgpMpiItem(key->arena, &key->u.dsa.params.subPrime, p); - break; - case 2: - mpi = pgpMpiItem(key->arena, &key->u.dsa.params.base, p); - break; - case 3: - mpi = pgpMpiItem(key->arena, &key->u.dsa.publicValue, p); - break; - } - } - - return (mpi == NULL); -} - -static int pgpVerifySigDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, - uint8_t *hash, size_t hashlen, int hash_algo) -{ - SECItem digest = { .type = siBuffer, .data = hash, .len = hashlen }; - SECOidTag encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; - SECOidTag hashAlg = getHashAlg(hash_algo); - SECStatus rc; - - if (hashAlg == SEC_OID_UNKNOWN) - return 1; - - rc = VFY_VerifyDigestDirect(&digest, pgpkey->data, pgpsig->data, - encAlg, hashAlg, NULL); - - return (rc != SECSuccess); -} - -static int pgpSetSigMpiRSA(pgpDigAlg pgpsig, int num, const uint8_t *p) -{ - SECItem *sigitem = NULL; - - if (num == 0) { - sigitem = pgpMpiItem(NULL, pgpsig->data, p); - if (sigitem) - pgpsig->data = sigitem; - } - return (sigitem == NULL); -} - -static int pgpSetKeyMpiRSA(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - SECItem *kitem = NULL; - SECKEYPublicKey *key = pgpkey->data; - - if (key == NULL) - key = pgpkey->data = pgpNewPublicKey(rsaKey); - - if (key) { - switch (num) { - case 0: - kitem = pgpMpiItem(key->arena, &key->u.rsa.modulus, p); - break; - case 1: - kitem = pgpMpiItem(key->arena, &key->u.rsa.publicExponent, p); - break; - } - } - - return (kitem == NULL); -} - -static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, - uint8_t *hash, size_t hashlen, int hash_algo) -{ - SECItem digest = { .type = siBuffer, .data = hash, .len = hashlen }; - SECItem *sig = pgpsig->data; - SECKEYPublicKey *key = pgpkey->data; - SECItem *padded = NULL; - SECOidTag encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; - SECOidTag hashAlg = getHashAlg(hash_algo); - SECStatus rc = SECFailure; - size_t siglen, padlen; - - if (hashAlg == SEC_OID_UNKNOWN) - return 1; - - /* Zero-pad signature to expected size if necessary */ - siglen = SECKEY_SignatureLen(key); - padlen = siglen - sig->len; - if (padlen) { - padded = SECITEM_AllocItem(NULL, NULL, siglen); - if (padded == NULL) - return 1; - memset(padded->data, 0, padlen); - memcpy(padded->data + padlen, sig->data, sig->len); - sig = padded; - } - - rc = VFY_VerifyDigestDirect(&digest, key, sig, encAlg, hashAlg, NULL); - - if (padded) - SECITEM_ZfreeItem(padded, PR_TRUE); - - return (rc != SECSuccess); -} - -static void pgpFreeSigRSADSA(pgpDigAlg sa) -{ - SECITEM_ZfreeItem(sa->data, PR_TRUE); - sa->data = NULL; -} - -static void pgpFreeKeyRSADSA(pgpDigAlg ka) -{ - SECKEY_DestroyPublicKey(ka->data); - ka->data = NULL; -} - -static int pgpSetMpiNULL(pgpDigAlg pgpkey, int num, const uint8_t *p) -{ - return 1; -} - -static int pgpVerifyNULL(pgpDigAlg pgpkey, pgpDigAlg pgpsig, - uint8_t *hash, size_t hashlen, int hash_algo) -{ - return 1; -} - -pgpDigAlg pgpPubkeyNew(int algo, int curve) -{ - pgpDigAlg ka = xcalloc(1, sizeof(*ka));; - - switch (algo) { - case PGPPUBKEYALGO_RSA: - ka->setmpi = pgpSetKeyMpiRSA; - ka->free = pgpFreeKeyRSADSA; - ka->mpis = 2; - break; - case PGPPUBKEYALGO_DSA: - ka->setmpi = pgpSetKeyMpiDSA; - ka->free = pgpFreeKeyRSADSA; - ka->mpis = 4; - break; - default: - ka->setmpi = pgpSetMpiNULL; - ka->mpis = -1; - break; - } - - ka->verify = pgpVerifyNULL; /* keys can't be verified */ - - return ka; -} - -pgpDigAlg pgpSignatureNew(int algo) -{ - pgpDigAlg sa = xcalloc(1, sizeof(*sa)); - - switch (algo) { - case PGPPUBKEYALGO_RSA: - sa->setmpi = pgpSetSigMpiRSA; - sa->free = pgpFreeSigRSADSA; - sa->verify = pgpVerifySigRSA; - sa->mpis = 1; - break; - case PGPPUBKEYALGO_DSA: - sa->setmpi = pgpSetSigMpiDSA; - sa->free = pgpFreeSigRSADSA; - sa->verify = pgpVerifySigDSA; - sa->mpis = 2; - break; - default: - sa->setmpi = pgpSetMpiNULL; - sa->verify = pgpVerifyNULL; - sa->mpis = -1; - break; - } - return sa; -} - diff --git a/sign/Makefile.am b/sign/Makefile.am index c1bb992f4a..813005709c 100644 --- a/sign/Makefile.am +++ b/sign/Makefile.am @@ -4,7 +4,6 @@ include $(top_srcdir)/rpm.am AM_CFLAGS = @RPMCFLAGS@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir) -I$(top_builddir)/include/ -AM_CPPFLAGS += @WITH_NSS_INCLUDE@ AM_CPPFLAGS += @WITH_POPT_INCLUDE@ AM_CPPFLAGS += -I$(top_srcdir)/misc