The branch stable/13 has been updated by kevans:
URL:
https://cgit.FreeBSD.org/src/commit/?id=4e33c2e91835162f994589bceff9a16ed4613d49
commit 4e33c2e91835162f994589bceff9a16ed4613d49
Author: Kyle Evans <kev...@freebsd.org>
AuthorDate: 2025-01-01 21:10:28 +0000
Commit: Kyle Evans <kev...@freebsd.org>
CommitDate: 2025-01-11 02:48:31 +0000
pkg: add a pkgsign_verify_data callback
This will be used to verify raw payloads, as if signed by pkg-key(8).
It will be used specifically in pkg(7) to verify .pubkeysig as published
by poudriere.
Amend verify_pubsignature() now to use it. For the RSA signer, we need
to verify using a sha256 of the data instead of the data itself.
Reviewed by: bapt
(cherry picked from commit 2e065d74a5b0ea32db7d4f6e3f78eaa17ee7685e)
---
usr.sbin/pkg/pkg.c | 30 +++++++++++++++++++++++++++++-
usr.sbin/pkg/pkg.h | 4 ++++
usr.sbin/pkg/rsa.c | 50 ++++++++++++++++++++++++++++++++------------------
3 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
index 5cc9c3b8dbfe..8980cca2bb2d 100644
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -141,6 +141,17 @@ pkgsign_verify_cert(const struct pkgsign_ctx *ctx, int fd,
const char *sigfile,
key, keylen, sig, siglen));
}
+static bool
+pkgsign_verify_data(const struct pkgsign_ctx *ctx, const char *data,
+ size_t datasz, const char *sigfile, const unsigned char *key, int keylen,
+ unsigned char *sig, int siglen)
+{
+
+ return ((*ctx->impl->pi_ops->pkgsign_verify_data)(ctx, data, datasz,
+ sigfile, key, keylen, sig, siglen));
+}
+
+
static int
extract_pkg_static(int fd, char *p, int sz)
{
@@ -573,12 +584,15 @@ verify_pubsignature(int fd_pkg, int fd_sig)
{
struct pubkey *pk;
const char *pubkey;
+ char *data;
struct pkgsign_ctx *sctx;
+ size_t datasz;
bool ret;
pk = NULL;
pubkey = NULL;
sctx = NULL;
+ data = NULL;
ret = false;
if (config_string(PUBKEY, &pubkey) != 0) {
warnx("No CONFIG_PUBKEY defined");
@@ -590,6 +604,19 @@ verify_pubsignature(int fd_pkg, int fd_sig)
goto cleanup;
}
+ if (lseek(fd_pkg, 0, SEEK_SET) == -1) {
+ warn("lseek");
+ goto cleanup;
+ }
+
+ /* Future types shouldn't do this. */
+ if ((data = sha256_fd(fd_pkg)) == NULL) {
+ warnx("Error creating SHA256 hash for package");
+ goto cleanup;
+ }
+
+ datasz = strlen(data);
+
if (pkgsign_new("rsa", &sctx) != 0) {
warnx("Failed to fetch 'rsa' signer");
goto cleanup;
@@ -597,7 +624,7 @@ verify_pubsignature(int fd_pkg, int fd_sig)
/* Verify the signature. */
printf("Verifying signature with public key %s... ", pubkey);
- if (pkgsign_verify_cert(sctx, fd_pkg, pubkey, NULL, 0, pk->sig,
+ if (pkgsign_verify_data(sctx, data, datasz, pubkey, NULL, 0, pk->sig,
pk->siglen) == false) {
fprintf(stderr, "Signature is not valid\n");
goto cleanup;
@@ -606,6 +633,7 @@ verify_pubsignature(int fd_pkg, int fd_sig)
ret = true;
cleanup:
+ free(data);
if (pk) {
free(pk->sig);
free(pk);
diff --git a/usr.sbin/pkg/pkg.h b/usr.sbin/pkg/pkg.h
index 2d0dab96a20f..b9fe9b5fa566 100644
--- a/usr.sbin/pkg/pkg.h
+++ b/usr.sbin/pkg/pkg.h
@@ -40,11 +40,15 @@ struct pkgsign_ctx {
typedef int pkgsign_new_cb(const char *, struct pkgsign_ctx *);
typedef bool pkgsign_verify_cert_cb(const struct pkgsign_ctx *, int,
const char *, const unsigned char *, int, unsigned char *, int);
+typedef bool pkgsign_verify_data_cb(const struct pkgsign_ctx *,
+ const char *, size_t, const char *, const unsigned char *, int,
+ unsigned char *, int);
struct pkgsign_ops {
size_t pkgsign_ctx_size;
pkgsign_new_cb *pkgsign_new;
pkgsign_verify_cert_cb *pkgsign_verify_cert;
+ pkgsign_verify_data_cb *pkgsign_verify_data;
};
extern const struct pkgsign_ops pkgsign_rsa;
diff --git a/usr.sbin/pkg/rsa.c b/usr.sbin/pkg/rsa.c
index b6345cdcecb8..b28f44ec1953 100644
--- a/usr.sbin/pkg/rsa.c
+++ b/usr.sbin/pkg/rsa.c
@@ -78,33 +78,20 @@ load_public_key_buf(const unsigned char *cert, int certlen)
}
static bool
-rsa_verify_cert(const struct pkgsign_ctx *ctx __unused, int fd,
- const char *sigfile, const unsigned char *key, int keylen,
- unsigned char *sig, int siglen)
+rsa_verify_data(const struct pkgsign_ctx *ctx __unused,
+ const char *data, size_t datasz, const char *sigfile,
+ const unsigned char *key, int keylen, unsigned char *sig, int siglen)
{
EVP_MD_CTX *mdctx;
EVP_PKEY *pkey;
- char *sha256;
char errbuf[1024];
bool ret;
- sha256 = NULL;
pkey = NULL;
mdctx = NULL;
ret = false;
-
SSL_load_error_strings();
- /* Compute SHA256 of the package. */
- if (lseek(fd, 0, 0) == -1) {
- warn("lseek");
- goto cleanup;
- }
- if ((sha256 = sha256_fd(fd)) == NULL) {
- warnx("Error creating SHA256 hash for package");
- goto cleanup;
- }
-
if (sigfile != NULL) {
if ((pkey = load_public_key_file(sigfile)) == NULL) {
warnx("Error reading public key");
@@ -127,7 +114,7 @@ rsa_verify_cert(const struct pkgsign_ctx *ctx __unused, int
fd,
warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
goto error;
}
- if (EVP_DigestVerifyUpdate(mdctx, sha256, strlen(sha256)) != 1) {
+ if (EVP_DigestVerifyUpdate(mdctx, data, datasz) != 1) {
warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
goto error;
}
@@ -145,7 +132,6 @@ error:
printf("failed\n");
cleanup:
- free(sha256);
if (pkey)
EVP_PKEY_free(pkey);
if (mdctx)
@@ -155,6 +141,34 @@ cleanup:
return (ret);
}
+static bool
+rsa_verify_cert(const struct pkgsign_ctx *ctx __unused, int fd,
+ const char *sigfile, const unsigned char *key, int keylen,
+ unsigned char *sig, int siglen)
+{
+ char *sha256;
+ bool ret;
+
+ sha256 = NULL;
+
+ /* Compute SHA256 of the package. */
+ if (lseek(fd, 0, 0) == -1) {
+ warn("lseek");
+ return (false);
+ }
+ if ((sha256 = sha256_fd(fd)) == NULL) {
+ warnx("Error creating SHA256 hash for package");
+ return (false);
+ }
+
+ ret = rsa_verify_data(ctx, sha256, strlen(sha256), sigfile, key, keylen,
+ sig, siglen);
+ free(sha256);
+
+ return (ret);
+}
+
const struct pkgsign_ops pkgsign_rsa = {
.pkgsign_verify_cert = rsa_verify_cert,
+ .pkgsign_verify_data = rsa_verify_data,
};
