Diffstat (limited to 'libopkg/opkg_download.c')
-rw-r--r-- | libopkg/opkg_download.c | 142 |
1 files changed, 140 insertions, 2 deletions
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index f185f22..e31c49c 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -20,8 +20,17 @@
#ifdef HAVE_CURL
#include <curl/curl.h>
#endif
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME)
#include <gpgme.h>
+#elif defined(HAVE_OPENSSL)
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+
#endif
#include "includes.h"
@@ -35,6 +44,12 @@
#include "str_util.h"
#include "opkg_defines.h"
+
+#ifdef HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath);
+static void init_openssl(void);
+#endif
+
int opkg_download(opkg_conf_t *conf, const char *src, const char *dest_file_name, curl_progress_func cb, void *data)
{
@@ -307,7 +322,7 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name
int
opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
{
-#ifdef HAVE_GPGME
+#if defined HAVE_GPGME
if (conf->check_signature == 0 )
return 0;
int status = -1;
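Review bot: The prototypes added under `#ifdef HAVE_OPENSSL` in the second hunk name `X509_STORE`, but the first hunk only pulls in the OpenSSL headers in the `#elif defined(HAVE_OPENSSL)` branch, so a build that defines both HAVE_GPGME and HAVE_OPENSSL gets the declarations without the headers and fails to compile; the definitions guarded by `#if defined HAVE_OPENSSL` at the end of the last hunk have the same mismatch. Either make the header block two independent `#ifdef`s, or guard the declarations and definitions with the same condition the includes use, e.g. `#if !defined(HAVE_GPGME) && defined(HAVE_OPENSSL)`. As far as the hunks show, `openssl/hmac.h` and `openssl/objects.h` are not used by any of the new code and could be dropped from the include list, while `evp.h` is needed for `OpenSSL_add_all_algorithms()`.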
@@ -375,7 +390,130 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
gpgme_release (ctx);
return status;
+#elif defined HAVE_OPENSSL
+ X509_STORE *store = NULL;
+ PKCS7 *p7 = NULL;
+ BIO *in = NULL, *indata = NULL;
+
+ // Sig check failed by default !
+ int status = -1;
+
+ init_openssl();
+
+ // Set-up the key store
+ if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open CA certificates\n");
+ goto verify_file_end;
+ }
+
+ // Open a BIO to read the sig file
+ if (!(in = BIO_new_file(sig_file, "rb"))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open signature file %s\n", sig_file);
+ goto verify_file_end;
+ }
+
+ // Read the PKCS7 block contained in the sig file
+ p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+ if(!p7){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't read signature file (Corrupted ?)\n");
+ goto verify_file_end;
+ }
+
+ // Open the Package file to authenticate
+ if (!(indata = BIO_new_file(text_file, "rb"))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open file %s\n", text_file);
+ goto verify_file_end;
+ }
+
+ // Let's verify the autenticity !
+ if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
+ // Get Off My Lawn!
+ opkg_message(conf, OPKG_ERROR,
+ "Verification failure\n");
+ }else{
+ // Victory !
+ status = 0;
+ }
+
+verify_file_end:
+ BIO_free(in);
+ BIO_free(indata);
+ PKCS7_free(p7);
+ X509_STORE_free(store);
+
+ return status;
#else
return 0;
#endif
}
+
+
+#if defined HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){
+ X509_STORE *store = NULL;
+ X509_LOOKUP *lookup = NULL;
+
+ if(!(store = X509_STORE_new())){
+ // Something bad is happening...
+ goto end;
+ }
+
+ // adds the X509 file lookup method
+ lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file());
+ if (lookup == NULL){
+ goto end;
+ }
+
+ // Autenticating against one CA file
+ if (CAfile) {
+ if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+ // Invalid CA => Bye bye
+ opkg_message(conf, OPKG_ERROR,
+ "Error loading file %s\n", CAfile);
+ goto end;
+ }
+ } else {
+ X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+ }
+
+ // Now look into CApath directory if supplied
+ lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+ if (lookup == NULL){
+ goto end;
+ }
+
+ if (CApath) {
+ if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+ opkg_message(conf, OPKG_ERROR,
+ "Error loading directory %s\n", CApath);
+ goto end;
+ }
+ } else {
+ X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+ }
+
+ // All right !
+ ERR_clear_error();
+ return store;
+
+end:
+
+ X509_STORE_free(store);
+ return NULL;
+
+}
+
+static void init_openssl(void){
+ static int init = 0;
+
+ if(!init){
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+ init = 1;
+ }
+}
+#endif |
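Review bot: In the OpenSSL branch of `opkg_verify_file`, the `PKCS7_verify` failure path logs only `Verification failure` even though `init_openssl` loads the error strings with `ERR_load_crypto_strings()`, so a rejected package gives no way to tell a bad digest from an untrusted chain or from a signer certificate that fails the default purpose check `PKCS7_verify` applies; include the reason in the message, e.g. `"Verification failure: %s\n", ERR_reason_error_string(ERR_get_error())`. `setup_verify` ignores the return values of the two `X509_FILETYPE_DEFAULT` fallbacks used when no CA file or path is configured, so an empty store can be handed back and the problem only surfaces later as that same generic message; check those calls, or at least log when both defaults fail to load. This branch also does not mirror the GPGME branch's early `return 0` on `conf->check_signature == 0` and always verifies, which is fail-closed but a behavioral difference between the two backends that should be either stated in a comment or aligned, depending on whether callers rely on the function honoring that setting. `opkg_verify_file` begins outside this hunk.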