|
 |
657fb1 |
From 6052efe94992ee591b72b495b209777fc71d0f6a Mon Sep 17 00:00:00 2001
|
|
|
657fb1 |
From: Panu Matilainen <pmatilai@redhat.com>
|
|
|
657fb1 |
Date: Thu, 3 Oct 2019 14:58:11 +0300
|
|
|
657fb1 |
Subject: [PATCH 03/33] Implement support for alternative (uncompressed)
|
|
|
657fb1 |
payload digest
|
|
|
657fb1 |
|
|
|
657fb1 |
During build, also calculate a digest for the uncompressed payload data
|
|
|
657fb1 |
and add to packages. On verify side this is equivalent to the existing
|
|
|
657fb1 |
payload digest (through sharing the same disabler), which allows
|
|
|
657fb1 |
either one to be used for verification. This means deltarpm and similar
|
|
|
657fb1 |
don't need to recompress the data which is both expensive and error-prone
|
|
|
657fb1 |
due to minor differences in compressed stream despite the actual data
|
|
|
657fb1 |
being identical.
|
|
|
657fb1 |
|
|
|
657fb1 |
Add a testcase for the basic behavior and update other test output
|
|
|
657fb1 |
expectations where necessary.
|
|
|
657fb1 |
---
|
|
|
657fb1 |
build/pack.c | 16 ++++++++++++----
|
|
|
657fb1 |
lib/rpmchecksig.c | 1 +
|
|
|
657fb1 |
lib/rpmtag.h | 1 +
|
|
|
657fb1 |
lib/rpmvs.c | 4 ++++
|
|
|
657fb1 |
tests/rpmgeneral.at | 1 +
|
|
|
657fb1 |
tests/rpmsigdig.at | 32 ++++++++++++++++++++++++++++++++
|
|
|
657fb1 |
tests/rpmvfylevel.at | 2 ++
|
|
|
657fb1 |
7 files changed, 53 insertions(+), 4 deletions(-)
|
|
|
657fb1 |
|
|
|
657fb1 |
diff --git a/build/pack.c b/build/pack.c
|
|
|
657fb1 |
index c7c1d8f46..9293e98e4 100644
|
|
|
657fb1 |
--- a/build/pack.c
|
|
|
657fb1 |
+++ b/build/pack.c
|
|
|
657fb1 |
@@ -70,7 +70,8 @@ static int rpmPackageFilesArchive(rpmfiles fi, int isSrc,
|
|
|
657fb1 |
* @todo Create transaction set *much* earlier.
|
|
|
657fb1 |
*/
|
|
|
657fb1 |
static rpmRC cpio_doio(FD_t fdo, Package pkg, const char * fmodeMacro,
|
|
|
657fb1 |
- rpm_loff_t *archiveSize)
|
|
|
657fb1 |
+ int pld_algo,
|
|
|
657fb1 |
+ rpm_loff_t *archiveSize, char ** pldig)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
char *failedFile = NULL;
|
|
|
657fb1 |
FD_t cfd;
|
|
|
657fb1 |
@@ -81,9 +82,12 @@ static rpmRC cpio_doio(FD_t fdo, Package pkg, const char * fmodeMacro,
|
|
|
657fb1 |
if (cfd == NULL)
|
|
|
657fb1 |
return RPMRC_FAIL;
|
|
|
657fb1 |
|
|
|
657fb1 |
+ /* Calculate alternative (uncompressed) payload digest while writing */
|
|
|
657fb1 |
+ fdInitDigestID(cfd, pld_algo, RPMTAG_PAYLOADDIGESTALT, 0);
|
|
|
657fb1 |
fsmrc = rpmPackageFilesArchive(pkg->cpioList, headerIsSource(pkg->header),
|
|
|
657fb1 |
cfd, pkg->dpaths,
|
|
|
657fb1 |
archiveSize, &failedFile);
|
|
|
657fb1 |
+ fdFiniDigest(cfd, RPMTAG_PAYLOADDIGESTALT, (void **)pldig, NULL, 1);
|
|
|
657fb1 |
|
|
|
657fb1 |
if (fsmrc) {
|
|
|
657fb1 |
char *emsg = rpmfileStrerror(fsmrc);
|
|
|
657fb1 |
@@ -512,6 +516,7 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
|
|
|
657fb1 |
char * SHA256 = NULL;
|
|
|
657fb1 |
uint8_t * MD5 = NULL;
|
|
|
657fb1 |
char * pld = NULL;
|
|
|
657fb1 |
+ char * upld = NULL;
|
|
|
657fb1 |
uint32_t pld_algo = PGPHASHALGO_SHA256; /* TODO: macro configuration */
|
|
|
657fb1 |
rpmRC rc = RPMRC_FAIL; /* assume failure */
|
|
|
657fb1 |
rpm_loff_t archiveSize = 0;
|
|
|
657fb1 |
@@ -532,10 +537,11 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
|
|
|
657fb1 |
headerPutString(pkg->header, RPMTAG_COOKIE, *cookie);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
- /* Create a dummy payload digest to get the header size right */
|
|
|
657fb1 |
+ /* Create a dummy payload digests to get the header size right */
|
|
|
657fb1 |
pld = nullDigest(pld_algo, 1);
|
|
|
657fb1 |
headerPutUint32(pkg->header, RPMTAG_PAYLOADDIGESTALGO, &pld_algo, 1);
|
|
|
657fb1 |
headerPutString(pkg->header, RPMTAG_PAYLOADDIGEST, pld);
|
|
|
657fb1 |
+ headerPutString(pkg->header, RPMTAG_PAYLOADDIGESTALT, pld);
|
|
|
657fb1 |
pld = _free(pld);
|
|
|
657fb1 |
|
|
|
657fb1 |
/* Check for UTF-8 encoding of string tags, add encoding tag if all good */
|
|
|
657fb1 |
@@ -576,7 +582,7 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
|
|
|
657fb1 |
|
|
|
657fb1 |
/* Write payload section (cpio archive) */
|
|
|
657fb1 |
payloadStart = Ftell(fd);
|
|
|
657fb1 |
- if (cpio_doio(fd, pkg, rpmio_flags, &archiveSize))
|
|
|
657fb1 |
+ if (cpio_doio(fd, pkg, rpmio_flags, pld_algo, &archiveSize, &upld))
|
|
|
657fb1 |
goto exit;
|
|
|
657fb1 |
payloadEnd = Ftell(fd);
|
|
|
657fb1 |
|
|
|
657fb1 |
@@ -586,9 +592,11 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
|
|
|
657fb1 |
goto exit;
|
|
|
657fb1 |
fdFiniDigest(fd, RPMTAG_PAYLOADDIGEST, (void **)&pld, NULL, 1);
|
|
|
657fb1 |
|
|
|
657fb1 |
- /* Insert the payload digest in main header */
|
|
|
657fb1 |
+ /* Insert the payload digests in main header */
|
|
|
657fb1 |
headerDel(pkg->header, RPMTAG_PAYLOADDIGEST);
|
|
|
657fb1 |
headerPutString(pkg->header, RPMTAG_PAYLOADDIGEST, pld);
|
|
|
657fb1 |
+ headerDel(pkg->header, RPMTAG_PAYLOADDIGESTALT);
|
|
|
657fb1 |
+ headerPutString(pkg->header, RPMTAG_PAYLOADDIGESTALT, upld);
|
|
|
657fb1 |
pld = _free(pld);
|
|
|
657fb1 |
|
|
|
657fb1 |
/* Write the final header */
|
|
|
657fb1 |
diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c
|
|
|
657fb1 |
index beca0e7b2..c4986b99c 100644
|
|
|
657fb1 |
--- a/lib/rpmchecksig.c
|
|
|
657fb1 |
+++ b/lib/rpmchecksig.c
|
|
|
657fb1 |
@@ -189,6 +189,7 @@ rpmRC rpmpkgRead(struct rpmvs_s *vs, FD_t fd,
|
|
|
657fb1 |
|
|
|
657fb1 |
/* Fish interesting tags from the main header. This is a bit hacky... */
|
|
|
657fb1 |
rpmvsAppendTag(vs, blob, RPMTAG_PAYLOADDIGEST);
|
|
|
657fb1 |
+ rpmvsAppendTag(vs, blob, RPMTAG_PAYLOADDIGESTALT);
|
|
|
657fb1 |
|
|
|
657fb1 |
/* If needed and not explicitly disabled, read the payload as well. */
|
|
|
657fb1 |
if (rpmvsRange(vs) & RPMSIG_PAYLOAD) {
|
|
|
657fb1 |
diff --git a/lib/rpmtag.h b/lib/rpmtag.h
|
|
|
657fb1 |
index 002492d20..8bdf34405 100644
|
|
|
657fb1 |
--- a/lib/rpmtag.h
|
|
|
657fb1 |
+++ b/lib/rpmtag.h
|
|
|
657fb1 |
@@ -371,6 +371,7 @@ typedef enum rpmTag_e {
|
|
|
657fb1 |
RPMTAG_AUTOINSTALLED = 5094, /* i reservation (unimplemented) */
|
|
|
657fb1 |
RPMTAG_IDENTITY = 5095, /* s reservation (unimplemented) */
|
|
|
657fb1 |
RPMTAG_MODULARITYLABEL = 5096, /* s */
|
|
|
657fb1 |
+ RPMTAG_PAYLOADDIGESTALT = 5097, /* s[] */
|
|
|
657fb1 |
|
|
|
657fb1 |
RPMTAG_FIRSTFREE_TAG /*!< internal */
|
|
|
657fb1 |
} rpmTag;
|
|
|
657fb1 |
diff --git a/lib/rpmvs.c b/lib/rpmvs.c
|
|
|
657fb1 |
index 0d475af86..9a90e2eb8 100644
|
|
|
657fb1 |
--- a/lib/rpmvs.c
|
|
|
657fb1 |
+++ b/lib/rpmvs.c
|
|
|
657fb1 |
@@ -40,6 +40,7 @@ static const struct vfytag_s rpmvfytags[] = {
|
|
|
657fb1 |
{ RPMSIGTAG_LONGARCHIVESIZE, RPM_INT64_TYPE, 1, 8, },
|
|
|
657fb1 |
{ RPMTAG_SHA256HEADER, RPM_STRING_TYPE, 1, 65, },
|
|
|
657fb1 |
{ RPMTAG_PAYLOADDIGEST, RPM_STRING_ARRAY_TYPE, 0, 0, },
|
|
|
657fb1 |
+ { RPMTAG_PAYLOADDIGESTALT, RPM_STRING_ARRAY_TYPE, 0, 0, },
|
|
|
657fb1 |
{ 0 } /* sentinel */
|
|
|
657fb1 |
};
|
|
|
657fb1 |
|
|
|
657fb1 |
@@ -89,6 +90,9 @@ static const struct vfyinfo_s rpmvfyitems[] = {
|
|
|
657fb1 |
{ RPMTAG_PAYLOADDIGEST, 0,
|
|
|
657fb1 |
{ RPMSIG_DIGEST_TYPE, RPMVSF_NOPAYLOAD,
|
|
|
657fb1 |
(RPMSIG_PAYLOAD), PGPHASHALGO_SHA256, 0, }, },
|
|
|
657fb1 |
+ { RPMTAG_PAYLOADDIGESTALT, 0,
|
|
|
657fb1 |
+ { RPMSIG_DIGEST_TYPE, RPMVSF_NOPAYLOAD,
|
|
|
657fb1 |
+ (RPMSIG_PAYLOAD), PGPHASHALGO_SHA256, 0, 1, }, },
|
|
|
657fb1 |
{ 0 } /* sentinel */
|
|
|
657fb1 |
};
|
|
|
657fb1 |
|
|
|
657fb1 |
diff --git a/tests/rpmgeneral.at b/tests/rpmgeneral.at
|
|
|
657fb1 |
index 45d38698b..7f100774c 100644
|
|
|
657fb1 |
--- a/tests/rpmgeneral.at
|
|
|
657fb1 |
+++ b/tests/rpmgeneral.at
|
|
|
657fb1 |
@@ -192,6 +192,7 @@ PATCHESVERSION
|
|
|
657fb1 |
PAYLOADCOMPRESSOR
|
|
|
657fb1 |
PAYLOADDIGEST
|
|
|
657fb1 |
PAYLOADDIGESTALGO
|
|
|
657fb1 |
+PAYLOADDIGESTALT
|
|
|
657fb1 |
PAYLOADFLAGS
|
|
|
657fb1 |
PAYLOADFORMAT
|
|
|
657fb1 |
PKGID
|
|
|
657fb1 |
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
|
|
|
657fb1 |
index 880e5edd0..f6ad72589 100644
|
|
|
657fb1 |
--- a/tests/rpmsigdig.at
|
|
|
657fb1 |
+++ b/tests/rpmsigdig.at
|
|
|
657fb1 |
@@ -26,6 +26,34 @@ runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64.rpm /data/RPMS/hello-1.0-1.i38
|
|
|
657fb1 |
[])
|
|
|
657fb1 |
AT_CLEANUP
|
|
|
657fb1 |
|
|
|
657fb1 |
+AT_SETUP([rpmkeys -Kv <reconstructed> 1])
|
|
|
657fb1 |
+AT_KEYWORDS([rpmkeys digest])
|
|
|
657fb1 |
+AT_CHECK([
|
|
|
657fb1 |
+RPMDB_CLEAR
|
|
|
657fb1 |
+RPMDB_INIT
|
|
|
657fb1 |
+rm -rf "${TOPDIR}"
|
|
|
657fb1 |
+
|
|
|
657fb1 |
+cp "${RPMTEST}"/data/misc/hello.intro "${RPMTEST}"/data/misc/hello.payload .
|
|
|
657fb1 |
+gzip -cd < hello.payload > hello.uc-payload
|
|
|
657fb1 |
+cat hello.intro hello.payload > "${RPMTEST}"/tmp/hello-c.rpm
|
|
|
657fb1 |
+cat hello.intro hello.uc-payload > "${RPMTEST}"/tmp/hello-uc.rpm
|
|
|
657fb1 |
+runroot rpmkeys -Kv /tmp/hello-c.rpm /tmp/hello-uc.rpm
|
|
|
657fb1 |
+],
|
|
|
657fb1 |
+[1],
|
|
|
657fb1 |
+[/tmp/hello-c.rpm:
|
|
|
657fb1 |
+ Header SHA256 digest: OK
|
|
|
657fb1 |
+ Header SHA1 digest: OK
|
|
|
657fb1 |
+ Payload SHA256 digest: OK
|
|
|
657fb1 |
+ MD5 digest: OK
|
|
|
657fb1 |
+/tmp/hello-uc.rpm:
|
|
|
657fb1 |
+ Header SHA256 digest: OK
|
|
|
657fb1 |
+ Header SHA1 digest: OK
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: OK
|
|
|
657fb1 |
+ MD5 digest: BAD (Expected 055607c4dee6464b9415ae726e7d81a7 != 839d24c30e5188e0b83599fbe3865919)
|
|
|
657fb1 |
+],
|
|
|
657fb1 |
+[])
|
|
|
657fb1 |
+AT_CLEANUP
|
|
|
657fb1 |
+
|
|
|
657fb1 |
# ------------------------------
|
|
|
657fb1 |
# Test corrupted package verification (corrupted signature)
|
|
|
657fb1 |
AT_SETUP([rpmkeys -Kv <corrupted unsigned> 1])
|
|
|
657fb1 |
@@ -96,6 +124,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: NOTFOUND
|
|
|
657fb1 |
MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
|
|
|
657fb1 |
],
|
|
|
657fb1 |
[])
|
|
|
657fb1 |
@@ -145,6 +174,7 @@ runroot rpmkeys -Kv /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm
|
|
|
657fb1 |
[/build/RPMS/noarch/attrtest-1.0-1.noarch.rpm:
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: OK
|
|
|
657fb1 |
MD5 digest: OK
|
|
|
657fb1 |
],
|
|
|
657fb1 |
@@ -376,6 +406,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: NOTFOUND
|
|
|
657fb1 |
V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
|
|
|
657fb1 |
MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
|
|
|
657fb1 |
/tmp/hello-2.0-1.x86_64-signed.rpm:
|
|
|
657fb1 |
@@ -383,6 +414,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: NOTFOUND
|
|
|
657fb1 |
V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
|
|
|
657fb1 |
MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
|
|
|
657fb1 |
],
|
|
|
657fb1 |
diff --git a/tests/rpmvfylevel.at b/tests/rpmvfylevel.at
|
|
|
657fb1 |
index 17531b0fe..cb5e48ad7 100644
|
|
|
657fb1 |
--- a/tests/rpmvfylevel.at
|
|
|
657fb1 |
+++ b/tests/rpmvfylevel.at
|
|
|
657fb1 |
@@ -117,6 +117,7 @@ nopl
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: NOTFOUND
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: NOTFOUND
|
|
|
657fb1 |
MD5 digest: NOTFOUND
|
|
|
657fb1 |
1
|
|
|
657fb1 |
nosha1
|
|
|
657fb1 |
@@ -338,6 +339,7 @@ noplds
|
|
|
657fb1 |
Header SHA256 digest: OK
|
|
|
657fb1 |
Header SHA1 digest: OK
|
|
|
657fb1 |
Payload SHA256 digest: NOTFOUND
|
|
|
657fb1 |
+ Payload SHA256 ALT digest: NOTFOUND
|
|
|
657fb1 |
RSA signature: NOTFOUND
|
|
|
657fb1 |
DSA signature: NOTFOUND
|
|
|
657fb1 |
MD5 digest: OK
|
|
|
657fb1 |
--
|
|
|
657fb1 |
2.13.5
|
|
|
657fb1 |
|