Date: Sat, 26 Oct 2013 03:44:08 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r257148 - head/usr.sbin/pkg Message-ID: <201310260344.r9Q3i8cl081485@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bdrewery (ports committer) Date: Sat Oct 26 03:44:08 2013 New Revision: 257148 URL: http://svnweb.freebsd.org/changeset/base/257148 Log: Tell which fingerprint pkg is being validated against. Approved by: bapt MFC after: 2 days Modified: head/usr.sbin/pkg/pkg.c Modified: head/usr.sbin/pkg/pkg.c ============================================================================== --- head/usr.sbin/pkg/pkg.c Sat Oct 26 03:43:02 2013 (r257147) +++ head/usr.sbin/pkg/pkg.c Sat Oct 26 03:44:08 2013 (r257148) @@ -58,6 +58,7 @@ __FBSDID("$FreeBSD$"); #include "config.h" struct sig_cert { + char *name; unsigned char *sig; int siglen; unsigned char *cert; @@ -72,6 +73,7 @@ typedef enum { struct fingerprint { hash_t type; + char *name; char hash[BUFSIZ]; STAILQ_ENTRY(fingerprint) next; }; @@ -316,6 +318,19 @@ parse_fingerprint(yaml_document_t *doc, return (f); } +static void +free_fingerprint_list(struct fingerprint_list* list) +{ + struct fingerprint* fingerprint; + + STAILQ_FOREACH(fingerprint, list, next) { + if (fingerprint->name) + free(fingerprint->name); + free(fingerprint); + } + free(list); +} + static struct fingerprint * load_fingerprint(const char *dir, const char *filename) { @@ -342,6 +357,7 @@ load_fingerprint(const char *dir, const goto out; f = parse_fingerprint(&doc, node); + f->name = strdup(filename); out: yaml_document_delete(&doc); @@ -511,7 +527,6 @@ rsa_verify_cert(int fd, const unsigned c } /* Verify signature of the SHA256(pkg) is valid. */ - printf("Verifying signature... "); if ((mdctx = EVP_MD_CTX_create()) == NULL) { warnx("%s", ERR_error_string(ERR_get_error(), errbuf)); goto error; @@ -631,6 +646,7 @@ verify_signature(int fd_pkg, int fd_sig) char path[MAXPATHLEN]; char hash[SHA256_DIGEST_LENGTH * 2 + 1]; + sc = NULL; trusted = revoked = NULL; ret = false; @@ -672,8 +688,9 @@ verify_signature(int fd_pkg, int fd_sig) if (revoked != NULL) { STAILQ_FOREACH(fingerprint, revoked, next) { if (strcasecmp(fingerprint->hash, hash) == 0) { - fprintf(stderr, "The certificate has been " - "revoked\n"); + fprintf(stderr, "The package was signed with " + "revoked certificate %s\n", + fingerprint->name); goto cleanup; } } @@ -682,17 +699,19 @@ verify_signature(int fd_pkg, int fd_sig) STAILQ_FOREACH(fingerprint, trusted, next) { if (strcasecmp(fingerprint->hash, hash) == 0) { sc->trusted = true; + sc->name = strdup(fingerprint->name); break; } } if (sc->trusted == false) { - fprintf(stderr, "No trusted certificate found matching " + fprintf(stderr, "No trusted fingerprint found matching " "package's certificate\n"); goto cleanup; } /* Verify the signature. */ + printf("Verifying signature with trusted certificate %s... ", sc->name); if (rsa_verify_cert(fd_pkg, sc->cert, sc->certlen, sc->sig, sc->siglen) == false) { fprintf(stderr, "Signature is not valid\n"); @@ -702,21 +721,17 @@ verify_signature(int fd_pkg, int fd_sig) ret = true; cleanup: - if (trusted) { - STAILQ_FOREACH(fingerprint, trusted, next) - free(fingerprint); - free(trusted); - } - if (revoked) { - STAILQ_FOREACH(fingerprint, revoked, next) - free(fingerprint); - free(revoked); - } + if (trusted) + free_fingerprint_list(trusted); + if (revoked) + free_fingerprint_list(revoked); if (sc) { if (sc->cert) free(sc->cert); if (sc->sig) free(sc->sig); + if (sc->name) + free(sc->name); free(sc); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201310260344.r9Q3i8cl081485>