From 587f690ff0ba0ec6b91bd4b83fa39305120e8e93 Mon Sep 17 00:00:00 2001 From: ticktock35 Date: Tue, 27 Oct 2009 08:45:24 -0400 Subject: Opkg support for smime (pkcs7) packages list signing Thanks to Camille Moncelier http://groups.google.com/group/opkg-devel/browse_thread/thread/6071ce290d5ceb77?utoken=qjR-TC0AAADKDldt5ZXsDDLs9sWCpWZI1zgeariQUwksg5ob1tmaFTCAL7MTcQRO6S85GfHgQ_k As promised :) here is a patch allowing opkg to authenticate a package list using smime and openssl instead of gpgme Example: Sign a package list: openssl smime -sign -in /path/to/repo/Packages \ -signer /root/server.pem -binary \ -outform PEM -out /path/to/repo/Packages.sig Configuration in /etc/opkg/opkg.conf option check_signature 1 option signature_ca_file /etc/serverCA.pem option signature_ca_path /path/to/certs/dir opkg update Downloading http://repo:8000/Packages Updated list of available packages in /usr/lib/opkg/lists/angstrom Downloading http://repo:8000/Packages.sig Signature check passed Package list corruption or MIM: Downloading http://repo:8000/Packages Updated list of available packages in /usr/lib/opkg/lists/angstrom Downloading http://repo:8000/Packages.sig Signature check failed Collected errors: * Verification failure Camille Moncelier http://devlife.org/ git-svn-id: http://opkg.googlecode.com/svn/trunk@221 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358 --- diff --git a/configure.ac b/configure.ac index 9c108f3..579a105 100644 --- a/configure.ac +++ b/configure.ac @@ -48,6 +48,17 @@ if test "x$want_sha256" = "xyes"; then fi AM_CONDITIONAL(HAVE_SHA256, test "x$want_sha256" = "xyes") +# check for openssl +AC_ARG_ENABLE(openssl, + AC_HELP_STRING([--enable-openssl], [Enable signature checking with OpenSSL + [[default=no]] ]), + [want_openssl="$enableval"], [want_openssl="no"]) + +if test "x$want_openssl" = "xyes"; then + PKG_CHECK_MODULES(OPENSSL, openssl) + AC_DEFINE(HAVE_OPENSSL, 1, [Define if you want OpenSSL support]) +fi + dnl ********** dnl GPGME @@ -171,6 +182,18 @@ if test x$opkgetcdir = x; then fi +dnl Some special cases for the wow64 build +if test "x$want_gpgme" = "xyes" +then + if test "x$want_openssl" = "xyes" + then + AC_MSG_ERROR([--enable-gpg and --enable-openssl are mutually exclusive. +Use --disable-gpg if you want OpenSSL smime signatures]) + fi +fi + + + AC_SUBST(opkglibdir) AC_SUBST(opkgetcdir) diff --git a/libopkg/args.c b/libopkg/args.c index ef2b496..bbe2e4d 100644 --- a/libopkg/args.c +++ b/libopkg/args.c @@ -62,7 +62,7 @@ int args_init(args_t *args) if (conf_file_dir == NULL || conf_file_dir[0] == '\0') { conf_file_dir = ARGS_DEFAULT_CONF_FILE_DIR; } - sprintf_alloc(&args->conf_file, "%s/%s", conf_file_dir, + sprintf_alloc(&args->conf_file, "%s/%s", OPKGETCDIR, ARGS_DEFAULT_CONF_FILE_NAME); args->force_defaults = ARGS_DEFAULT_FORCE_DEFAULTS; diff --git a/libopkg/opkg.c b/libopkg/opkg.c index a20023e..c6a86ea 100644 --- a/libopkg/opkg.c +++ b/libopkg/opkg.c @@ -852,7 +852,7 @@ opkg_update_package_lists (opkg_t *opkg, opkg_progress_callback_t progress_callb } free (url); -#ifdef HAVE_GPGME +#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) if ( opkg->conf->check_signature ) { char *sig_file_name; /* download detached signitures to verify the package lists */ diff --git a/libopkg/opkg_cmd.c b/libopkg/opkg_cmd.c index 6ac847a..4a0410c 100644 --- a/libopkg/opkg_cmd.c +++ b/libopkg/opkg_cmd.c @@ -259,8 +259,7 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) list_file_name); } free(url); - -#ifdef HAVE_GPGME +#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) if (conf->check_signature) { /* download detached signitures to verify the package lists */ /* get the url for the sig file */ @@ -273,7 +272,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) /* create temporary file for it */ char *tmp_file_name; - sprintf_alloc (&tmp_file_name, "%s/%s", tmp, "Packages.sig"); + /* Put the signature in the right place */ + sprintf_alloc (&tmp_file_name, "%s/%s.sig", lists_dir, src->name); err = opkg_download(conf, url, tmp_file_name, NULL, NULL); if (err) { @@ -287,7 +287,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv) else opkg_message (conf, OPKG_NOTICE, "Signature check failed\n"); } - unlink (tmp_file_name); + /* We shouldn't unlink the signature ! */ + // unlink (tmp_file_name); free (tmp_file_name); free (url); } diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c index 4d1306e..472b319 100644 --- a/libopkg/opkg_conf.c +++ b/libopkg/opkg_conf.c @@ -75,6 +75,8 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options) { "proxy_user", OPKG_OPT_TYPE_STRING, &conf->proxy_user }, { "query-all", OPKG_OPT_TYPE_BOOL, &conf->query_all }, { "verbosity", OPKG_OPT_TYPE_BOOL, &conf->verbosity }, + { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file }, + { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path }, { NULL } }; diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h index ca2661b..4bd50e5 100644 --- a/libopkg/opkg_conf.h +++ b/libopkg/opkg_conf.h @@ -82,6 +82,9 @@ struct opkg_conf char *proxy_user; char *proxy_passwd; + char *signature_ca_file; + char *signature_ca_path; + hash_table_t pkg_hash; hash_table_t file_hash; hash_table_t obs_file_hash; diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index f185f22..e31c49c 100644 --- a/libopkg/opkg_download.c +++ b/libopkg/opkg_download.c @@ -20,8 +20,17 @@ #ifdef HAVE_CURL #include #endif -#ifdef HAVE_GPGME +#if defined(HAVE_GPGME) #include +#elif defined(HAVE_OPENSSL) +#include +#include +#include +#include +#include +#include +#include + #endif #include "includes.h" @@ -35,6 +44,12 @@ #include "str_util.h" #include "opkg_defines.h" + +#ifdef HAVE_OPENSSL +static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath); +static void init_openssl(void); +#endif + int opkg_download(opkg_conf_t *conf, const char *src, const char *dest_file_name, curl_progress_func cb, void *data) { @@ -307,7 +322,7 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name int opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) { -#ifdef HAVE_GPGME +#if defined HAVE_GPGME if (conf->check_signature == 0 ) return 0; int status = -1; @@ -375,7 +390,130 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) gpgme_release (ctx); return status; +#elif defined HAVE_OPENSSL + X509_STORE *store = NULL; + PKCS7 *p7 = NULL; + BIO *in = NULL, *indata = NULL; + + // Sig check failed by default ! + int status = -1; + + init_openssl(); + + // Set-up the key store + if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){ + opkg_message(conf, OPKG_ERROR, + "Can't open CA certificates\n"); + goto verify_file_end; + } + + // Open a BIO to read the sig file + if (!(in = BIO_new_file(sig_file, "rb"))){ + opkg_message(conf, OPKG_ERROR, + "Can't open signature file %s\n", sig_file); + goto verify_file_end; + } + + // Read the PKCS7 block contained in the sig file + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + if(!p7){ + opkg_message(conf, OPKG_ERROR, + "Can't read signature file (Corrupted ?)\n"); + goto verify_file_end; + } + + // Open the Package file to authenticate + if (!(indata = BIO_new_file(text_file, "rb"))){ + opkg_message(conf, OPKG_ERROR, + "Can't open file %s\n", text_file); + goto verify_file_end; + } + + // Let's verify the autenticity ! + if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){ + // Get Off My Lawn! + opkg_message(conf, OPKG_ERROR, + "Verification failure\n"); + }else{ + // Victory ! + status = 0; + } + +verify_file_end: + BIO_free(in); + BIO_free(indata); + PKCS7_free(p7); + X509_STORE_free(store); + + return status; #else return 0; #endif } + + +#if defined HAVE_OPENSSL +static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){ + X509_STORE *store = NULL; + X509_LOOKUP *lookup = NULL; + + if(!(store = X509_STORE_new())){ + // Something bad is happening... + goto end; + } + + // adds the X509 file lookup method + lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file()); + if (lookup == NULL){ + goto end; + } + + // Autenticating against one CA file + if (CAfile) { + if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { + // Invalid CA => Bye bye + opkg_message(conf, OPKG_ERROR, + "Error loading file %s\n", CAfile); + goto end; + } + } else { + X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); + } + + // Now look into CApath directory if supplied + lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); + if (lookup == NULL){ + goto end; + } + + if (CApath) { + if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { + opkg_message(conf, OPKG_ERROR, + "Error loading directory %s\n", CApath); + goto end; + } + } else { + X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); + } + + // All right ! + ERR_clear_error(); + return store; + +end: + + X509_STORE_free(store); + return NULL; + +} + +static void init_openssl(void){ + static int init = 0; + + if(!init){ + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + init = 1; + } +} +#endif diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c index 750ea65..1bcaf25 100644 --- a/libopkg/opkg_install.c +++ b/libopkg/opkg_install.c @@ -837,7 +837,7 @@ int opkg_install_pkg(opkg_conf_t *conf, pkg_t *pkg, int from_upgrade) } /* check that the repository is valid */ - #if HAVE_GPGME + #if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) char *list_file_name, *sig_file_name, *lists_dir; /* check to ensure the package has come from a repository */ @@ -854,6 +854,8 @@ int opkg_install_pkg(opkg_conf_t *conf, pkg_t *pkg, int from_upgrade) { if (opkg_verify_file (conf, list_file_name, sig_file_name)) return OPKG_INSTALL_ERR_SIGNATURE; + }else{ + return OPKG_INSTALL_ERR_SIGNATURE; } free (lists_dir); -- cgit v0.9.1