Header signatures were the new hot almost exactly twenty years ago, we
haven't supported anything else in a very, very, very, very very long time.
Drop the useless argument to rpmReadSignature() and bury the last remaining
related constant into rpmlead.c which is the only place that "needs" it.
No functional changes.
In rpm V4 packages both the signature and mail header consist of one
contiguous immutable region when read from package files and any
disparities in index or data size means malformed package.
Once the signature header is merged into the main header this is
no longer true of course and installation adds further tags, so for
headers from other sources (such as rpmdb), tags outside the immutable
region (known as "dribbles" in rpm lore) must be allowed, and eg
headerCheck() cannot require exact match.
This patch exports generateSignature under the new name rpmGenerateSignature
so that includeFileSignatures can call it.
[lkardos@redhat.com: fixed indentation]
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
- New internal API to "parse" signature tags, performing various
sanity checks, classifying the type (digest, actual signature etc)
and gathering other relevant info.
- Unused as of this commit...
- There's nothing md5/sha1-specific in either of these functions,
the only real difference is whether we're dealing with ascii or
binary digest.
- Always operate in ascii mode: we need to convert the digest to ascii
for the return message string anyway, so this only makes things much
simpler, and this way we wont crash and burn even if the digest tag
were of mismatching type as rpmtdFormat() can convert anything into
a string.
- AFAICT rpm never actually created signature headers with HEADER_IMAGE
as region trailer tag, except when trying to sign V3 packages with
old rpm 4.x versions (newer ones refuse to do so). This region trailer
quirk doesn't actually make such packages work any better, they just
fail in a different way (such as RhBug:517818)
- This is not a buffer where anything gets written to, its only
used as a source for writing zero-padding into signature headers.
Rename to "zeros" and make it const which it is.
- There are no guarantees Fread() will return all of the requested size:
it can return partial data eg on signals and pipe descriptors. Introduce
a helper function to handle this centrally for all package read IO,
effectively reintroducing timedRead() but without the caveats:
timedRead() did not work on compressed streams, did not handle
eg EINTR correctly and while really being an internal helper,
was exported in the API.
- Undo the ancient broken fix for RhBug:71996 from commit
9e06e3b8ca76ae55eaf2c4e37ba9cac729789014: instead of disabling
the check, pass in the correct upper range which is entirely
different from everything else for the region trailer tag.
- Fixes CVE-2012-0815
- Non-existent region tag is very different from existing but invalid
one - the former is not an error but the latter one is, and needs
to be handled as such. Previously an invalid region tag would cause
us to treat it like rpm v3 package on entry, skipping all the region
sanity checks and then crashing and burning later on when the immutable
tag is fetched.
- Refer to REGION_TAG_TYPE instead of RPM_BIN_TYPE wrt the expected
type of region tag for consistency and clarity, they are the same
exact thing though.
- Should unify these damn copy-slop check one of these days, sigh...
For now, settling for the easily backportable approach.
- Fixes the other half of CVE-2012-0060
- Change rpmVerifySignature() to take just the signature parameters
instead of the whole dig (this is an internal API so we're free
to mess with it) from which it only needed the signature params.
- The internal low-level verifySignature() is thus reduced to
to a call to rpmKeyringVerifySig() and spitting some silly
strings to msg.
- With this, keyring can now use and reuse the its internally stored
pgp key parameters instead of having to parse the same PGP packets
over and over. As a result, signature checking is faster now. Not
dramatically so but measurably nevertheless.
- Only call pgpDigGetParams() on the public key once we've at least
tried to fetch it via rpmKeyringLookup(). This way we dont assume
things about how pgpDig internal allocation is done - currently
it does return what's essentially a static pointer into pgpDig,
but this is not a reasonable assumption for an opaque type.
No functional changes.
- pgpVerifySig() is now just a dumb wrapper around pgpVerifySignature()
which does the real work.
- Update the sole caller to use the new interface instead, deprecate
the old dig interface.
- First steps towards getting rig of pgpDig which always was a
strange creature and now is nothing but a nuisance and obfuscation.
Yes keys and signatures walk hand in hand much of the time, but
they come from different sources and want to be handled as
separate data really.
- Offset being within the data area doesn't help if the actual data doesn't
fit. Since the trailer size is well known, we can just as easily
make the check accurate to prevent reading beyond end of data in case
the offset is subtly wrong.
- In headerLoad(), region offset of zero doesn't need sanity checking,
only validate if its something else and do so accurately there too.
- sigtd->data and dig checking (where needed) is done at
rpmVerifySignature() level, dont bother double-checking
- Hash context is dup'ed, which CAN fail, so while we dont need
to check the argument for non-null, the dup result needs to
be checked for digests. For actual signatures the dup happens
elsewhere, we dont need to check the argument for non-null here.
- Hash context is required for everything, require non-NULL ctx
in rpmVerifySignature() already
- pgpDig is only relevant for true signature, digest checking doesn't
need it - dont require dummy dig to be passed for digests.
- Treat unknown signatures as a case of bad parameters: we're the
only caller of rpmVerifySignature() so it'd be us screwing up if
we ask for unknown signature to be verified.
- Treat bad parameters as a hard failure instead of "not found",
bad parameters mean we cannot verify the signature which really
equals FAIL.
- Fixes a regression originating all the way back from commit
c7fc09d585 (ie rpm >= 4.8.0)
where a package with a bogus signature can slip through undetected
if we dont have a key for it.
- This additional sanity check on the signature prevents is enough
to prevent the fuzzed package in RhBug:721225 from crashing us
by stopping the bad package at the front door. That we don't have
proper tag data validation is another, much wider issue...
- Some of these might actually be "correct" but about one case from
librpmbuild cascades down here ... just not worth the trouble to
keep the as rpmSigTags.
- Similar in spirit to commit 825691afb2,
these have fairly little in common really.
- Change the function names to force breakage on users (these are exported
in ABI but not in public headers so "users" are internal uses in
practise): the automatically generated bits in signature header are
not signatures, but digests (even size is a checksum of sorts) ...
and fix the couple of internal uses.
- These have fairly little in common in reality: one is always
automatically created on package generation, the other is optional
extra step requiring passphrases and all sorts of other things.
- The switch-cases are now fairly hysterical but leaving them for
later spring-clean to keep changes minimal for this step.
- No functional changes (supposedly ;)
- makeGPGSignature() figures the signature type by parsing the
created signature, use that instead of the rather bogus tag
based on %_signature macro value passed from the cli level.
- Execve() failure wasn't returning an error code, causing rpm to
think the password was ok when we couldn't even try verifying
- Stricter return code checking from the password checking child:
the password can only be ok if the child exits with WIFEXITED() *and*
WIFEXITCODE() of 0. Also WIFEXITCODE() should only be called if
WIFEXITED() returns true.
Panu Matilainen