git: e5dd5bfa55dc - main - pkg(7): now that we do use libmd, use it completly

Baptiste Daroussin Thu, 09 Mar 2023 12:31:44 -0800

The branch main has been updated by bapt:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e5dd5bfa55dc82686870330f547932486ba48db2


commit e5dd5bfa55dc82686870330f547932486ba48db2
Author:     Baptiste Daroussin <[email protected]>
AuthorDate: 2023-03-09 20:29:15 +0000
Commit:     Baptiste Daroussin <[email protected]>
CommitDate: 2023-03-09 20:31:30 +0000

    pkg(7): now that we do use libmd, use it completly
    
    Use SHA256_Fd and SHA256_Data instead of home made equivalent.
    wrap those functions into hash.c to avoid header collition between
    openssl and libmd
    
    Suggested by:   kevans
---
 usr.sbin/pkg/hash.c | 77 +++++------------------------------------------------
 usr.sbin/pkg/hash.h |  4 +--
 usr.sbin/pkg/pkg.c  | 12 ++++++---
 3 files changed, 16 insertions(+), 77 deletions(-)

diff --git a/usr.sbin/pkg/hash.c b/usr.sbin/pkg/hash.c
index 47bcae6c5b6a..9696738fcafc 100644
--- a/usr.sbin/pkg/hash.c
+++ b/usr.sbin/pkg/hash.c
@@ -27,86 +27,21 @@
  * SUCH DAMAGE.
  */
 
-#include <err.h>
 #include <sha256.h>
-#include <stdio.h>
 #include <unistd.h>
 
 #include "hash.h"
 
-static void
-sha256_hash(unsigned char hash[SHA256_DIGEST_LENGTH],
-    char out[SHA256_DIGEST_LENGTH * 2 + 1])
+char *
+sha256_buf(char *buf, size_t len)
 {
-       int i;
 
-       for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
-               sprintf(out + (i * 2), "%02x", hash[i]);
-
-       out[SHA256_DIGEST_LENGTH * 2] = '\0';
-}
-
-void
-sha256_buf(char *buf, size_t len, char out[SHA256_DIGEST_LENGTH * 2 + 1])
-{
-       unsigned char hash[SHA256_DIGEST_LENGTH];
-       SHA256_CTX sha256;
-
-       out[0] = '\0';
-
-       SHA256_Init(&sha256);
-       SHA256_Update(&sha256, buf, len);
-       SHA256_Final(hash, &sha256);
-       sha256_hash(hash, out);
+       return (SHA256_Data(buf, len, NULL));
 }
 
-int
-sha256_fd(int fd, char out[SHA256_DIGEST_LENGTH * 2 + 1])
+char *
+sha256_fd(int fd)
 {
-       int my_fd;
-       FILE *fp;
-       char buffer[BUFSIZ];
-       unsigned char hash[SHA256_DIGEST_LENGTH];
-       size_t r;
-       int ret;
-       SHA256_CTX sha256;
-
-       fp = NULL;
-       ret = 1;
-
-       out[0] = '\0';
-
-       /* Duplicate the fd so that fclose(3) does not close it. */
-       if ((my_fd = dup(fd)) == -1) {
-               warnx("dup");
-               goto cleanup;
-       }
-
-       if ((fp = fdopen(my_fd, "rb")) == NULL) {
-               warnx("fdopen");
-               goto cleanup;
-       }
-
-       SHA256_Init(&sha256);
-
-       while ((r = fread(buffer, 1, BUFSIZ, fp)) > 0)
-               SHA256_Update(&sha256, buffer, r);
-
-       if (ferror(fp) != 0) {
-               warnx("fread");
-               goto cleanup;
-       }
-
-       SHA256_Final(hash, &sha256);
-       sha256_hash(hash, out);
-       ret = 0;
-
-cleanup:
-       if (fp != NULL)
-               fclose(fp);
-       else if (my_fd != -1)
-               close(my_fd);
-       (void)lseek(fd, 0, SEEK_SET);
 
-       return (ret);
+       return (SHA256_Fd(fd, NULL));
 }
diff --git a/usr.sbin/pkg/hash.h b/usr.sbin/pkg/hash.h
index dcdc458b5e61..786d4371ef32 100644
--- a/usr.sbin/pkg/hash.h
+++ b/usr.sbin/pkg/hash.h
@@ -28,5 +28,5 @@
 
 #pragma once
 
-void sha256_buf(char *buf, size_t len, char out[]);
-int sha256_fd(int fd, char out[]);
+char *sha256_buf(char *buf, size_t len);
+char *sha256_fd(int fd);
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
index 89870f2af683..3c89e6a171b0 100644
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -445,10 +445,11 @@ rsa_verify_cert(int fd, const char *sigfile, const 
unsigned char *key,
 {
        EVP_MD_CTX *mdctx;
        EVP_PKEY *pkey;
-       char sha256[(SHA256_DIGEST_LENGTH * 2) + 2];
+       char *sha256;
        char errbuf[1024];
        bool ret;
 
+       sha256 = NULL;
        pkey = NULL;
        mdctx = NULL;
        ret = false;
@@ -460,7 +461,7 @@ rsa_verify_cert(int fd, const char *sigfile, const unsigned 
char *key,
                warn("lseek");
                goto cleanup;
        }
-       if ((sha256_fd(fd, sha256)) == -1) {
+       if ((sha256 = sha256_fd(fd)) == NULL) {
                warnx("Error creating SHA256 hash for package");
                goto cleanup;
        }
@@ -505,6 +506,7 @@ error:
        printf("failed\n");
 
 cleanup:
+       free(sha256);
        if (pkey)
                EVP_PKEY_free(pkey);
        if (mdctx)
@@ -667,8 +669,9 @@ verify_signature(int fd_pkg, int fd_sig)
        int trusted_count, revoked_count;
        const char *fingerprints;
        char path[MAXPATHLEN];
-       char hash[SHA256_DIGEST_LENGTH * 2 + 1];
+       char *hash;
 
+       hash = NULL;
        sc = NULL;
        trusted = revoked = NULL;
        ret = false;
@@ -705,7 +708,7 @@ verify_signature(int fd_pkg, int fd_sig)
        sc->trusted = false;
 
        /* Parse signature and pubkey out of the certificate */
-       sha256_buf(sc->cert, sc->certlen, hash);
+       hash = sha256_buf(sc->cert, sc->certlen);
 
        /* Check if this hash is revoked */
        if (revoked != NULL) {
@@ -744,6 +747,7 @@ verify_signature(int fd_pkg, int fd_sig)
        ret = true;
 
 cleanup:
+       free(hash);
        if (trusted)
                free_fingerprint_list(trusted);
        if (revoked)

git: e5dd5bfa55dc - main - pkg(7): now that we do use libmd, use it completly

Reply via email to