summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPanu Matilainen <pmatilai@redhat.com>2007-11-02 10:02:40 +0200
committerPanu Matilainen <pmatilai@redhat.com>2007-11-02 10:02:40 +0200
commit8afe81c21445f96e4f5430b05304242c958a9ad0 (patch)
treeac18f50cccc3d07bff97006995221ee7519fcac4
parente7fd0807d3b0a024634bc62a3bf2571a1bd6098d (diff)
downloadrpm-8afe81c21445f96e4f5430b05304242c958a9ad0.tar.gz
rpm-8afe81c21445f96e4f5430b05304242c958a9ad0.tar.bz2
rpm-8afe81c21445f96e4f5430b05304242c958a9ad0.zip
Use NSS instead of beecrypt for encryption (Tomas Mraz)
-rw-r--r--Makefile.am19
-rw-r--r--build/Makefile.am2
-rw-r--r--configure.ac36
-rw-r--r--lib/Makefile.am4
-rw-r--r--lib/formats.c25
-rw-r--r--lib/package.c2
-rw-r--r--lib/rpmchecksig.c2
-rw-r--r--lib/rpmts.c4
-rw-r--r--lib/signature.c78
-rw-r--r--python/Makefile.am4
-rw-r--r--rpm.pc.in2
-rw-r--r--rpmdb/Makefile.am6
-rw-r--r--rpmio/Makefile.am6
-rw-r--r--rpmio/digest.c149
-rw-r--r--rpmio/rpmio_internal.h47
-rw-r--r--rpmio/rpmpgp.c217
-rw-r--r--rpmio/rpmpgp.h9
-rw-r--r--rpmio/tax.c4
-rw-r--r--rpmio/tkey.c62
-rw-r--r--tools/debugedit.c41
20 files changed, 350 insertions, 369 deletions
diff --git a/Makefile.am b/Makefile.am
index af7e94ad4..46e22cb1b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,7 +24,7 @@ AM_CPPFLAGS += -I$(top_srcdir)/build
AM_CPPFLAGS += -I$(top_srcdir)/lib
AM_CPPFLAGS += -I$(top_builddir)/rpmdb -I$(top_srcdir)/rpmdb
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += -I$(top_srcdir)/misc
AM_CPPFLAGS += @WITH_LIBELF_INCLUDE@
@@ -82,36 +82,36 @@ DISTCLEANFILES += find-requires
rpm_SOURCES = rpmqv.c debug.h system.h
rpm_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMDB -DIAM_RPMEIU -DIAM_RPMK -DIAM_RPMQV
rpm_LDADD = build/librpmbuild.la lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpm_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpm_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpmb_SOURCES = build.c rpmqv.c build.h debug.h system.h
rpmb_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMBT
rpmb_LDADD = build/librpmbuild.la lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpmb_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmb_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpmd_SOURCES = rpmqv.c debug.h system.h
rpmd_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMDB
rpmd_LDADD = lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpmd_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmd_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpmi_SOURCES = rpmqv.c debug.h system.h
rpmi_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMEIU
rpmi_LDADD = lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpmi_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmi_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpmk_SOURCES = rpmqv.c debug.h system.h
rpmk_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMK
rpmk_LDADD = lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpmk_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmk_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpmq_SOURCES = rpmqv.c debug.h system.h
rpmq_CPPFLAGS = $(AM_CPPFLAGS) -DIAM_RPMQV
rpmq_LDADD = build/librpmbuild.la lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpmq_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmq_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
rpm2cpio_SOURCES = rpm2cpio.c debug.h system.h
rpm2cpio_LDADD = lib/librpm.la rpmdb/librpmdb.la rpmio/librpmio.la
-rpm2cpio_LDADD += @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpm2cpio_LDADD += @WITH_LIBELF_LIB@ @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
if LIBELF
@@ -120,7 +120,8 @@ rpmconfig_SCRIPTS += scripts/find-debuginfo.sh
rpmlibexec_PROGRAMS += debugedit
debugedit_SOURCES = tools/debugedit.c tools/hashtab.c tools/hashtab.h
-debugedit_LDADD = @WITH_LIBELF_LIB@ @WITH_BEECRYPT_LIB@ @WITH_POPT_LIB@
+debugedit_LDADD = rpmio/librpmio.la
+debugedit_LDADD += @WITH_LIBELF_LIB@ @WITH_POPT_LIB@
endif
endif
diff --git a/build/Makefile.am b/build/Makefile.am
index c770cf353..36db3774e 100644
--- a/build/Makefile.am
+++ b/build/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS += -I$(top_srcdir)/build
AM_CPPFLAGS += -I$(top_srcdir)/lib
AM_CPPFLAGS += -I$(top_builddir)/rpmdb -I$(top_srcdir)/rpmdb
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_MAGIC_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += @WITH_LIBELF_INCLUDE@
diff --git a/configure.ac b/configure.ac
index a9423d123..d79e10a0b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -351,22 +351,32 @@ AC_CHECK_HEADERS([dwarf.h], [
AM_CONDITIONAL(LIBDWARF,[test "$WITH_LIBDWARF" = yes])
#=================
-# Check for beecrypt library.
-WITH_BEECRYPT_INCLUDE=
-WITH_BEECRYPT_LIB=
-AC_CHECK_HEADERS([beecrypt/beecrypt.h], [
- AC_CHECK_LIB(beecrypt, mpfprintln, [
- AC_CHECK_HEADERS([beecrypt/api.h])
- WITH_BEECRYPT_INCLUDE=
- WITH_BEECRYPT_LIB="-lbeecrypt"
- ],[
- AC_MSG_ERROR([missing required library beecrypt])
+# Check for NSS library.
+WITH_NSS_INCLUDE=
+WITH_NSS_LIB=
+check=`pkg-config --version 2>/dev/null`
+if test -n "$check"; then
+ addlib=$(pkg-config --libs nss | sed 's/-lsmime3//;s/-lssl3//')
+ addcppflags=$(pkg-config --cflags nss)
+else
+# Without pkg-config, we'll kludge in some defaults
+ addlib="-lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+ addcppflags="-I/usr/include/nss3 -I/usr/include/nspr4"
+fi
+save_CPPFLAGS="$CPPFLAGS"
+CPPFLAGS="$save_CPPFLAGS $addcppflags"
+AC_CHECK_HEADER([nss3/nss.h], [
+ AC_CHECK_LIB(nss3, NSS_NoDB_Init, [
+ AC_DEFINE(HAVE_LIBNSS, 1, [Define to 1 if you have the 'NSS' library (-lnss3).])
+ WITH_NSS_INCLUDE="$addcppflags"
+ WITH_NSS_LIB="$addlib"
])
],[
- AC_MSG_ERROR([missing required header beecrypt/beecrypt.h])
+ AC_MSG_ERROR([missing required header nss3/nss.h])
])
-AC_SUBST(WITH_BEECRYPT_INCLUDE)
-AC_SUBST(WITH_BEECRYPT_LIB)
+CPPFLAGS="$save_CPPFLAGS"
+AC_SUBST(WITH_NSS_INCLUDE)
+AC_SUBST(WITH_NSS_LIB)
#=================
# Check for magic library.
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 89b0f7b5f..0fbfcd379 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir)
AM_CPPFLAGS += -I$(top_srcdir)/lib
AM_CPPFLAGS += -I$(top_builddir)/rpmdb -I$(top_srcdir)/rpmdb
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += -I$(top_srcdir)/misc
AM_CPPFLAGS += -DLOCALEDIR="\"$(localedir)\""
@@ -33,7 +33,7 @@ librpm_la_LDFLAGS = -release 4.4
librpm_la_LIBADD = \
$(top_builddir)/rpmdb/librpmdb.la \
$(top_builddir)/rpmio/librpmio.la \
- @WITH_BEECRYPT_LIB@ \
+ @WITH_NSS_LIB@ \
@WITH_POPT_LIB@ \
@WITH_SELINUX_LIB@ \
@LIBINTL@
diff --git a/lib/formats.c b/lib/formats.c
index 76594cf95..3f93dfebe 100644
--- a/lib/formats.c
+++ b/lib/formats.c
@@ -190,20 +190,16 @@ static char * base64Format(int32_t type, const void * data,
int lc;
/* XXX HACK ALERT: element field abused as no. bytes of binary data. */
size_t ns = element;
- size_t nt = ((ns + 2) / 3) * 4;
-
- /* Add additional bytes necessary for eol string(s). */
- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) {
- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line;
- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0)
- ++lc;
- nt += lc * strlen(b64encode_eolstr);
+ size_t nt = 0;
+
+ if ((enc = b64encode(data, ns, -1)) != NULL) {
+ nt = strlen(enc);
}
val = t = xmalloc(nt + padding + 1);
*t = '\0';
- if ((enc = b64encode(data, ns)) != NULL) {
+ if (enc != NULL) {
t = stpcpy(t, enc);
enc = _free(enc);
}
@@ -277,10 +273,13 @@ static char * xmlFormat(int32_t type, const void * data,
xtag = "string";
break;
case RPM_BIN_TYPE:
- { int cpl = b64encode_chars_per_line;
- b64encode_chars_per_line = 0;
- s = base64Format(type, data, formatPrefix, padding, element);
- b64encode_chars_per_line = cpl;
+ {
+ /* XXX HACK ALERT: element field abused as no. bytes of binary data. */
+ size_t ns = element;
+ if ((s = b64encode(data, ns, 0)) == NULL) {
+ /* XXX proper error handling would be better. */
+ s = xcalloc(1, padding + (ns / 3) * 4 + 1);
+ }
xtag = "base64";
} break;
case RPM_CHAR_TYPE:
diff --git a/lib/package.c b/lib/package.c
index 9deeb80bc..525c5d7a5 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -929,11 +929,9 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
fddig->hashctx = NULL;
break;
case PGPHASHALGO_SHA1:
-#if HAVE_BEECRYPT_API_H
case PGPHASHALGO_SHA256:
case PGPHASHALGO_SHA384:
case PGPHASHALGO_SHA512:
-#endif
dig->sha1ctx = fddig->hashctx;
fddig->hashctx = NULL;
break;
diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c
index 46abd8297..57b2440b9 100644
--- a/lib/rpmchecksig.c
+++ b/lib/rpmchecksig.c
@@ -518,11 +518,9 @@ assert(dig->md5ctx == NULL);
fddig->hashctx = NULL;
break;
case PGPHASHALGO_SHA1:
-#if HAVE_BEECRYPT_API_H
case PGPHASHALGO_SHA256:
case PGPHASHALGO_SHA384:
case PGPHASHALGO_SHA512:
-#endif
assert(dig->sha1ctx == NULL);
dig->sha1ctx = fddig->hashctx;
fddig->hashctx = NULL;
diff --git a/lib/rpmts.c b/lib/rpmts.c
index 13a7626b9..31ad5b534 100644
--- a/lib/rpmts.c
+++ b/lib/rpmts.c
@@ -4,7 +4,7 @@
*/
#include "system.h"
-#include "rpmio_internal.h" /* XXX for pgp and beecrypt */
+#include "rpmio_internal.h" /* XXX for pgp */
#include "rpmlib.h"
#include "rpmmacro.h" /* XXX rpmtsOpenDB() needs rpmGetPath */
@@ -483,7 +483,7 @@ rpmRC rpmtsImportPubkey(const rpmts ts, const unsigned char * pkt, ssize_t pktle
if (rpmtsOpenDB(ts, (O_RDWR|O_CREAT)))
return RPMRC_FAIL;
- if ((enc = b64encode(pkt, pktlen)) == NULL)
+ if ((enc = b64encode(pkt, pktlen, -1)) == NULL)
goto exit;
dig = pgpNewDig();
diff --git a/lib/signature.c b/lib/signature.c
index 9644dcc9e..a839232a1 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -1093,9 +1093,10 @@ verifyRSASignature(rpmts ts, char * t,
int32_t sigtag = rpmtsSigtag(ts);
pgpDig dig = rpmtsDig(ts);
pgpDigParams sigp = rpmtsSignature(ts);
- const char * prefix = NULL;
+ SECOidTag sigalg;
rpmRC res = RPMRC_OK;
int xx;
+ SECItem digest;
*t = '\0';
if (dig != NULL && dig->hdrmd5ctx == md5ctx)
@@ -1125,43 +1126,40 @@ verifyRSASignature(rpmts ts, char * t,
switch (sigp->hash_algo) {
case PGPHASHALGO_MD5:
t = stpcpy(t, " RSA/MD5");
- prefix = "3020300c06082a864886f70d020505000410";
+ sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
break;
case PGPHASHALGO_SHA1:
t = stpcpy(t, " RSA/SHA1");
- prefix = "3021300906052b0e03021a05000414";
+ sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
break;
case PGPHASHALGO_RIPEMD160:
res = RPMRC_NOKEY;
- prefix = NULL;
break;
case PGPHASHALGO_MD2:
t = stpcpy(t, " RSA/MD2");
- prefix = "3020300c06082a864886f70d020205000410";
+ sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
break;
case PGPHASHALGO_TIGER192:
res = RPMRC_NOKEY;
- prefix = NULL;
break;
case PGPHASHALGO_HAVAL_5_160:
res = RPMRC_NOKEY;
- prefix = NULL;
break;
case PGPHASHALGO_SHA256:
t = stpcpy(t, " RSA/SHA256");
- prefix = "3031300d060960864801650304020105000420";
+ sigalg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
break;
case PGPHASHALGO_SHA384:
t = stpcpy(t, " RSA/SHA384");
- prefix = "3041300d060960864801650304020205000430";
+ sigalg = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
break;
case PGPHASHALGO_SHA512:
t = stpcpy(t, " RSA/SHA512");
- prefix = "3051300d060960864801650304020305000440";
+ sigalg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
break;
default:
res = RPMRC_NOKEY;
- prefix = NULL;
+ sigalg = SEC_OID_UNKNOWN;
break;
}
@@ -1172,8 +1170,6 @@ verifyRSASignature(rpmts ts, char * t,
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
{ DIGEST_CTX ctx = rpmDigestDup(md5ctx);
- byte signhash16[2];
- const char * s;
if (sigp->hash != NULL)
xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);
@@ -1190,40 +1186,18 @@ verifyRSASignature(rpmts ts, char * t,
}
#endif
- xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 1);
+ xx = rpmDigestFinal(ctx, (void **)&dig->md5, &dig->md5len, 0);
(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */
/* Compare leading 16 bits of digest for quick check. */
- s = dig->md5;
- signhash16[0] = (nibble(s[0]) << 4) | nibble(s[1]);
- signhash16[1] = (nibble(s[2]) << 4) | nibble(s[3]);
- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) {
+ if (memcmp(dig->md5, sigp->signhash16, 2)) {
res = RPMRC_FAIL;
goto exit;
}
- }
-
- /* Generate RSA modulus parameter. */
- { unsigned int nbits = MP_WORDS_TO_BITS(dig->c.size);
- unsigned int nb = (nbits + 7) >> 3;
- const char * hexstr;
- char * tt;
-
-assert(prefix != NULL);
- hexstr = tt = xmalloc(2 * nb + 1);
- memset(tt, 'f', (2 * nb));
- tt[0] = '0'; tt[1] = '0';
- tt[2] = '0'; tt[3] = '1';
- tt += (2 * nb) - strlen(prefix) - strlen(dig->md5) - 2;
- *tt++ = '0'; *tt++ = '0';
- tt = stpcpy(tt, prefix);
- tt = stpcpy(tt, dig->md5);
-
- mpnzero(&dig->rsahm); (void) mpnsethex(&dig->rsahm, hexstr);
-
- hexstr = _free(hexstr);
-
+ digest.type = siBuffer;
+ digest.data = dig->md5;
+ digest.len = dig->md5len;
}
/* Retrieve the matching public key. */
@@ -1232,12 +1206,7 @@ assert(prefix != NULL);
goto exit;
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
-#if HAVE_BEECRYPT_API_H
- xx = rsavrfy(&dig->rsa_pk.n, &dig->rsa_pk.e, &dig->c, &dig->rsahm);
-#else
- xx = rsavrfy(&dig->rsa_pk, &dig->rsahm, &dig->c);
-#endif
- if (xx)
+ if (VFY_VerifyDigest(&digest, dig->rsa, dig->rsasig, sigalg, NULL) == SECSuccess)
res = RPMRC_OK;
else
res = RPMRC_FAIL;
@@ -1274,6 +1243,7 @@ verifyDSASignature(rpmts ts, char * t,
pgpDigParams sigp = rpmtsSignature(ts);
rpmRC res;
int xx;
+ SECItem digest;
*t = '\0';
if (dig != NULL && dig->hdrsha1ctx == sha1ctx)
@@ -1301,7 +1271,6 @@ verifyDSASignature(rpmts ts, char * t,
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_DIGEST), 0);
{ DIGEST_CTX ctx = rpmDigestDup(sha1ctx);
- byte signhash16[2];
if (sigp->hash != NULL)
xx = rpmDigestUpdate(ctx, sigp->hash, sigp->hashlen);
@@ -1315,19 +1284,18 @@ verifyDSASignature(rpmts ts, char * t,
memcpy(trailer+2, &nb, sizeof(nb));
xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));
}
- xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 1);
+ xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0);
(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
rpmtsOp(ts, RPMTS_OP_DIGEST)->count--; /* XXX one too many */
- mpnzero(&dig->hm); (void) mpnsethex(&dig->hm, dig->sha1);
-
/* Compare leading 16 bits of digest for quick check. */
- signhash16[0] = (*dig->hm.data >> 24) & 0xff;
- signhash16[1] = (*dig->hm.data >> 16) & 0xff;
- if (memcmp(signhash16, sigp->signhash16, sizeof(signhash16))) {
+ if (memcmp(dig->sha1, sigp->signhash16, 2)) {
res = RPMRC_FAIL;
goto exit;
}
+ digest.type = siBuffer;
+ digest.data = dig->sha1;
+ digest.len = dig->sha1len;
}
/* Retrieve the matching public key. */
@@ -1336,8 +1304,8 @@ verifyDSASignature(rpmts ts, char * t,
goto exit;
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_SIGNATURE), 0);
- if (dsavrfy(&dig->p, &dig->q, &dig->g,
- &dig->hm, &dig->y, &dig->r, &dig->s))
+ if (VFY_VerifyDigest(&digest, dig->dsa, dig->dsasig,
+ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL) == SECSuccess)
res = RPMRC_OK;
else
res = RPMRC_FAIL;
diff --git a/python/Makefile.am b/python/Makefile.am
index 137f0f613..9c3715590 100644
--- a/python/Makefile.am
+++ b/python/Makefile.am
@@ -10,7 +10,7 @@ AM_CPPFLAGS += -I$(top_srcdir)/lib
AM_CPPFLAGS += -I$(top_srcdir)/rpmdb
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
AM_CPPFLAGS += @WITH_LIBELF_INCLUDE@
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += -I$(top_srcdir)/misc
AM_CPPFLAGS += -I@WITH_PYTHON_INCLUDE@
@@ -24,7 +24,7 @@ _rpmmodule_la_LIBADD = \
$(top_builddir)/lib/librpm.la \
$(top_builddir)/rpmdb/librpmdb.la \
$(top_builddir)/rpmio/librpmio.la \
- @WITH_BEECRYPT_LIB@ \
+ @WITH_NSS_LIB@ \
@WITH_POPT_LIB@ \
@WITH_LIBELF_LIB@ \
@WITH_PYTHON_LIB@
diff --git a/rpm.pc.in b/rpm.pc.in
index b8ed5c9d3..6b9b197b8 100644
--- a/rpm.pc.in
+++ b/rpm.pc.in
@@ -12,4 +12,4 @@ URL: http://rpm.org
# Conflicts:
Cflags: -I${includedir}/rpm
Libs: -L${libdir} -lrpmbuild -lrpm -lrpmdb -lrpmio -lrpmmisc
-Libs.private: -lpopt -lmagic -lbeecrypt -lrt -lpthread @WITH_SELINUX_LIB@ @WITH_SQLITE3_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@
+Libs.private: -lpopt -lmagic -lrt -lpthread @WITH_SELINUX_LIB@ @WITH_SQLITE3_LIB@ @WITH_DB_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @WITH_NSS_LIB@
diff --git a/rpmdb/Makefile.am b/rpmdb/Makefile.am
index 587363763..1ac822d74 100644
--- a/rpmdb/Makefile.am
+++ b/rpmdb/Makefile.am
@@ -7,7 +7,7 @@ AM_CPPFLAGS += -I$(top_builddir)/rpmdb -I$(top_srcdir)/rpmdb
AM_CPPFLAGS += -I$(top_srcdir)/build
AM_CPPFLAGS += -I$(top_srcdir)/lib
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += -I$(top_srcdir)/misc
AM_CPPFLAGS += @WITH_SQLITE3_INCLUDE@
@@ -34,7 +34,7 @@ endif
librpmdb_la_LDFLAGS = -release 4.4
librpmdb_la_LIBADD = \
$(top_builddir)/rpmio/librpmio.la \
- @WITH_BEECRYPT_LIB@ \
+ @WITH_NSS_LIB@ \
@WITH_POPT_LIB@ \
@WITH_SQLITE3_LIB@ \
@WITH_LIBELF_LIB@
@@ -177,4 +177,4 @@ tdbi_LDADD = librpmdb.la
check_PROGRAMS += tjfn
tjfn_SOURCES = tjfn.c
-tjfn_LDADD = librpmdb.la @WITH_BEECRYPT_LIB@
+tjfn_LDADD = librpmdb.la @WITH_NSS_LIB@
diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am
index a4770496f..5b5a11a54 100644
--- a/rpmio/Makefile.am
+++ b/rpmio/Makefile.am
@@ -2,7 +2,7 @@
AM_CPPFLAGS = -I$(top_builddir) -I$(top_srcdir)
AM_CPPFLAGS += -I$(top_srcdir)/rpmio
-AM_CPPFLAGS += @WITH_BEECRYPT_INCLUDE@
+AM_CPPFLAGS += @WITH_NSS_INCLUDE@
AM_CPPFLAGS += @WITH_LUA_INCLUDE@
AM_CPPFLAGS += @WITH_POPT_INCLUDE@
AM_CPPFLAGS += -I$(top_srcdir)/misc
@@ -11,14 +11,14 @@ AM_CPPFLAGS += -DRPMCONFIGDIR="\"@RPMCONFIGDIR@\""
usrlibdir = $(libdir)
usrlib_LTLIBRARIES = librpmio.la
librpmio_la_SOURCES = \
- argv.c digest.c fts.c macro.c \
+ argv.c base64.c digest.c fts.c macro.c \
rpmhook.c rpmio.c rpmlog.c rpmlua.c rpmmalloc.c \
rpmpgp.c rpmrpc.c rpmsq.c rpmsw.c strcasecmp.c url.c ugid.c \
rpmio_internal.h rpmlua.h rpmhook.h ugid.h fts.h rpmerr.h
librpmio_la_LDFLAGS = -release 4.4
librpmio_la_LIBADD = \
../misc/libmisc.la \
- @WITH_BEECRYPT_LIB@ \
+ @WITH_NSS_LIB@ \
@WITH_LUA_LIB@ \
@WITH_MAGIC_LIB@ \
@WITH_BZ2_LIB@ \
diff --git a/rpmio/digest.c b/rpmio/digest.c
index c846fd942..d5c4de755 100644
--- a/rpmio/digest.c
+++ b/rpmio/digest.c
@@ -18,13 +18,7 @@
*/
struct DIGEST_CTX_s {
rpmDigestFlags flags; /*!< Bit(s) to control digest operation. */
- uint32_t datalen; /*!< No. bytes in block of plaintext data. */
- uint32_t paramlen; /*!< No. bytes of digest parameters. */
- uint32_t digestlen; /*!< No. bytes of digest. */
- void * param; /*!< Digest parameters. */
- int (*Reset) (void * param); /*!< Digest initialize. */
- int (*Update) (void * param, const byte * data, size_t size); /*!< Digest transform. */
- int (*Digest) (void * param, byte * digest); /*!< Digest finish. */
+ HASHContext *hashctx; /*!< Internal NSS hash context. */
};
DIGEST_CTX
@@ -32,132 +26,132 @@ rpmDigestDup(DIGEST_CTX octx)
{
DIGEST_CTX nctx;
nctx = memcpy(xcalloc(1, sizeof(*nctx)), octx, sizeof(*nctx));
- nctx->param = memcpy(xcalloc(1, nctx->paramlen), octx->param, nctx->paramlen);
+ nctx->hashctx = HASH_Clone(octx->hashctx);
+ if (nctx->hashctx == NULL) {
+ fprintf(stderr, "HASH_Clone failed\n");
+ exit(EXIT_FAILURE); /* FIX: callers do not bother checking error return */
+ }
return nctx;
}
-DIGEST_CTX
-rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags)
+static HASH_HashType
+getHashType(pgpHashAlgo hashalgo)
{
- DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx));
- int xx;
-
- ctx->flags = flags;
-
switch (hashalgo) {
case PGPHASHALGO_MD5:
- ctx->digestlen = 16;
- ctx->datalen = 64;
-/* FIX: union, not void pointer */
- ctx->paramlen = sizeof(md5Param);
- ctx->param = xcalloc(1, ctx->paramlen);
-/* FIX: cast? */
- ctx->Reset = (void *) md5Reset;
- ctx->Update = (void *) md5Update;
- ctx->Digest = (void *) md5Digest;
+ return HASH_AlgMD5;
break;
case PGPHASHALGO_SHA1:
- ctx->digestlen = 20;
- ctx->datalen = 64;
-/* FIX: union, not void pointer */
- ctx->paramlen = sizeof(sha1Param);
- ctx->param = xcalloc(1, ctx->paramlen);
-/* FIX: cast? */
- ctx->Reset = (void *) sha1Reset;
- ctx->Update = (void *) sha1Update;
- ctx->Digest = (void *) sha1Digest;
+ return HASH_AlgSHA1;
break;
-#if HAVE_BEECRYPT_API_H
case PGPHASHALGO_SHA256:
- ctx->digestlen = 32;
- ctx->datalen = 64;
-/* FIX: union, not void pointer */
- ctx->paramlen = sizeof(sha256Param);
- ctx->param = xcalloc(1, ctx->paramlen);
-/* FIX: cast? */
- ctx->Reset = (void *) sha256Reset;
- ctx->Update = (void *) sha256Update;
- ctx->Digest = (void *) sha256Digest;
+ return HASH_AlgSHA256;
break;
case PGPHASHALGO_SHA384:
- ctx->digestlen = 48;
- ctx->datalen = 128;
-/* FIX: union, not void pointer */
- ctx->paramlen = sizeof(sha384Param);
- ctx->param = xcalloc(1, ctx->paramlen);
-/* FIX: cast? */
- ctx->Reset = (void *) sha384Reset;
- ctx->Update = (void *) sha384Update;
- ctx->Digest = (void *) sha384Digest;
+ return HASH_AlgSHA384;
break;
case PGPHASHALGO_SHA512:
- ctx->digestlen = 64;
- ctx->datalen = 128;
-/* FIX: union, not void pointer */
- ctx->paramlen = sizeof(sha512Param);
- ctx->param = xcalloc(1, ctx->paramlen);
-/* FIX: cast? */
- ctx->Reset = (void *) sha512Reset;
- ctx->Update = (void *) sha512Update;
- ctx->Digest = (void *) sha512Digest;
+ return HASH_AlgSHA512;
break;
-#endif
case PGPHASHALGO_RIPEMD160:
case PGPHASHALGO_MD2:
case PGPHASHALGO_TIGER192:
case PGPHASHALGO_HAVAL_5_160:
default:
+ return HASH_AlgNULL;
+ break;
+ }
+}
+
+size_t
+rpmDigestLength(pgpHashAlgo hashalgo)
+{
+ return HASH_ResultLen(getHashType(hashalgo));
+}
+
+DIGEST_CTX
+rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags)
+{
+ HASH_HashType type;
+ DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx));
+
+ if (NSS_NoDB_Init(NULL) != SECSuccess)
+ return NULL;
+
+ ctx->flags = flags;
+
+ type = getHashType(hashalgo);
+ if (type == HASH_AlgNULL) {
free(ctx);
return NULL;
- break;
}
- xx = (*ctx->Reset) (ctx->param);
+ ctx->hashctx = HASH_Create(type);
+ if (ctx->hashctx == NULL) {
+ free(ctx);
+ return NULL;
+ }
-DPRINTF((stderr, "*** Init(%x) ctx %p param %p\n", flags, ctx, ctx->param));
+ HASH_Begin(ctx->hashctx);
+
+DPRINTF((stderr, "*** Init(%x) ctx %p hashctx %p\n", flags, ctx, ctx->hashctx));
return ctx;
}
int
rpmDigestUpdate(DIGEST_CTX ctx, const void * data, size_t len)
{
+ unsigned int partlen;
+ const unsigned char *ptr = data;
+
if (ctx == NULL)
return -1;
-DPRINTF((stderr, "*** Update(%p,%p,%d) param %p \"%s\"\n", ctx, data, len, ctx->param, ((char *)data)));
- return (*ctx->Update) (ctx->param, data, len);
+DPRINTF((stderr, "*** Update(%p,%p,%d) hashctx %p \"%s\"\n", ctx, data, len, ctx->hashctx, ((char *)data)));
+ partlen = ~(unsigned int)0xFF;
+ while (len > 0) {
+ if (len < partlen) {
+ partlen = (unsigned int)len;
+ }
+ HASH_Update(ctx->hashctx, ptr, partlen);
+ ptr += partlen;
+ len -= partlen;
+ }
+ return 0;
}
int
rpmDigestFinal(DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii)
{
- byte * digest;
+ unsigned char * digest;
char * t;
int i;
+ unsigned int digestlen;
if (ctx == NULL)
return -1;
- digest = xmalloc(ctx->digestlen);
+ digestlen = HASH_ResultLenContext(ctx->hashctx);
+ digest = xmalloc(digestlen);
-DPRINTF((stderr, "*** Final(%p,%p,%p,%d) param %p digest %p\n", ctx, datap, lenp, asAscii, ctx->param, digest));
+DPRINTF((stderr, "*** Final(%p,%p,%p,%d) hashctx %p digest %p\n", ctx, datap, lenp, asAscii, ctx->hashctx, digest));
/* FIX: check rc */
- (void) (*ctx->Digest) (ctx->param, digest);
+ HASH_End(ctx->hashctx, digest, &digestlen, digestlen);
/* Return final digest. */
if (!asAscii) {
- if (lenp) *lenp = ctx->digestlen;
+ if (lenp) *lenp = digestlen;
if (datap) {
*datap = digest;
digest = NULL;
}
} else {
- if (lenp) *lenp = (2*ctx->digestlen) + 1;
+ if (lenp) *lenp = (2*digestlen) + 1;
if (datap) {
const byte * s = (const byte *) digest;
static const char hex[] = "0123456789abcdef";
- *datap = t = xmalloc((2*ctx->digestlen) + 1);
- for (i = 0 ; i < ctx->digestlen; i++) {
+ *datap = t = xmalloc((2*digestlen) + 1);
+ for (i = 0 ; i < digestlen; i++) {
*t++ = hex[ (unsigned)((*s >> 4) & 0x0f) ];
*t++ = hex[ (unsigned)((*s++ ) & 0x0f) ];
}
@@ -165,11 +159,10 @@ DPRINTF((stderr, "*** Final(%p,%p,%p,%d) param %p digest %p\n", ctx, datap, lenp
}
}
if (digest) {
- memset(digest, 0, ctx->digestlen); /* In case it's sensitive */
+ memset(digest, 0, digestlen); /* In case it's sensitive */
free(digest);
}
- memset(ctx->param, 0, ctx->paramlen); /* In case it's sensitive */
- free(ctx->param);
+ HASH_Destroy(ctx->hashctx);
memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
free(ctx);
return 0;
diff --git a/rpmio/rpmio_internal.h b/rpmio/rpmio_internal.h
index 315144027..2ddff69af 100644
--- a/rpmio/rpmio_internal.h
+++ b/rpmio/rpmio_internal.h
@@ -10,30 +10,14 @@
#include "rpmio.h"
#include "rpmurl.h"
-#if HAVE_BEECRYPT_API_H
-#include <beecrypt/api.h>
-#else
-#include <beecrypt/beecrypt.api.h>
-#endif
-
+#include "base64.h"
#include "rpmpgp.h"
#include "rpmsw.h"
-/* Drag in the beecrypt includes. */
-#include <beecrypt/beecrypt.h>
-#include <beecrypt/base64.h>
-#include <beecrypt/dsa.h>
-#include <beecrypt/endianness.h>
-#include <beecrypt/md5.h>
-#include <beecrypt/mp.h>
-#include <beecrypt/rsa.h>
-#include <beecrypt/rsapk.h>
-#include <beecrypt/sha1.h>
-#if HAVE_BEECRYPT_API_H
-#include <beecrypt/sha256.h>
-#include <beecrypt/sha384.h>
-#include <beecrypt/sha512.h>
-#endif
+#include <nss.h>
+#include <sechash.h>
+#include <keyhi.h>
+#include <cryptohi.h>
/** \ingroup rpmio
* Values parsed from OpenPGP signature/pubkey packet(s).
@@ -78,20 +62,13 @@ struct pgpDig_s {
void * md5; /*!< (rsa) V3 signature hash. */
size_t md5len; /*!< (rsa) V3 signature hash length. */
- /* DSA parameters. */
- mpbarrett p;
- mpbarrett q;
- mpnumber g;
- mpnumber y;
- mpnumber hm;
- mpnumber r;
- mpnumber s;
-
- /* RSA parameters. */
- rsapk rsa_pk;
- mpnumber m;
- mpnumber c;
- mpnumber rsahm;
+ /* DSA parameters */
+ SECKEYPublicKey *dsa;
+ SECItem *dsasig;
+
+ /* RSA parameters */
+ SECKEYPublicKey *rsa;
+ SECItem *rsasig;
};
/** \ingroup rpmio
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 1335d31cb..eb822843b 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -225,36 +225,97 @@ const char * pgpMpiHex(const byte *p)
/**
* @return 0 on success
*/
-static int pgpHexSet(const char * pre, int lbits,
- mpnumber * mpn, const byte * p, const byte * pend)
+static int pgpMpiSet(const char * pre, int lbits,
+ void *dest, const byte * p, const byte * pend)
{
unsigned int mbits = pgpMpiBits(p);
unsigned int nbits;
unsigned int nbytes;
- char * t;
+ char *t = dest;
unsigned int ix;
if ((p + ((mbits+7) >> 3)) > pend)
return 1;
+ if (mbits > lbits)
+ return 1;
+
nbits = (lbits > mbits ? lbits : mbits);
nbytes = ((nbits + 7) >> 3);
- t = xmalloc(2*nbytes+1);
- ix = 2 * ((nbits - mbits) >> 3);
+ ix = (nbits - mbits) >> 3;
if (_debug)
-fprintf(stderr, "*** mbits %u nbits %u nbytes %u t %p[%d] ix %u\n", mbits, nbits, nbytes, t, (2*nbytes+1), ix);
- if (ix > 0) memset(t, (int)'0', ix);
- strcpy(t+ix, pgpMpiHex(p));
+fprintf(stderr, "*** mbits %u nbits %u nbytes %u ix %u\n", mbits, nbits, nbytes, ix);
+ if (ix > 0) memset(t, '\0', ix);
+ memcpy(t+ix, p+2, nbytes-ix);
if (_debug)
-fprintf(stderr, "*** %s %s\n", pre, t);
- (void) mpnsethex(mpn, t);
- t = _free(t);
-if (_debug && _print)
-fprintf(stderr, "\t %s ", pre), mpfprintln(stderr, mpn->size, mpn->data);
+fprintf(stderr, "*** %s %s\n", pre, pgpHexStr(dest, nbytes));
+
return 0;
}
+/**
+ * @return NULL on error
+ */
+static SECItem *pgpMpiItem(PRArenaPool *arena, SECItem *item, const byte *p)
+{
+ unsigned int nbytes = pgpMpiLen(p)-2;
+
+ if (item == NULL) {
+ if ((item=SECITEM_AllocItem(arena, item, nbytes)) == NULL)
+ return item;
+ } else {
+ if (arena != NULL)
+ item->data = PORT_ArenaGrow(arena, item->data, item->len, nbytes);
+ else
+ item->data = PORT_Realloc(item->data, nbytes);
+
+ if (item->data == NULL) {
+ if (arena == NULL)
+ SECITEM_FreeItem(item, PR_TRUE);
+ return NULL;
+ }
+ }
+
+ memcpy(item->data, p+2, nbytes);
+ item->len = nbytes;
+ return item;
+}
+/*@=boundswrite@*/
+
+static SECKEYPublicKey *pgpNewPublicKey(KeyType type)
+{
+ PRArenaPool *arena;
+ SECKEYPublicKey *key;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ return NULL;
+
+ key = PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+
+ if (key == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+
+ key->keyType = type;
+ key->pkcs11ID = CK_INVALID_HANDLE;
+ key->pkcs11Slot = NULL;
+ key->arena = arena;
+ return key;
+}
+
+static SECKEYPublicKey *pgpNewRSAKey(void)
+{
+ return pgpNewPublicKey(rsaKey);
+}
+
+static SECKEYPublicKey *pgpNewDSAKey(void)
+{
+ return pgpNewPublicKey(dsaKey);
+}
+
int pgpPrtSubType(const byte *h, unsigned int hlen, pgpSigType sigtype)
{
const byte *p = h;
@@ -359,12 +420,22 @@ static const char * pgpSigDSA[] = {
NULL,
};
+#ifndef DSA_SUBPRIME_LEN
+#define DSA_SUBPRIME_LEN 20
+#endif
+
static int pgpPrtSigParams(pgpTag tag, byte pubkey_algo, byte sigtype,
const byte *p, const byte *h, unsigned int hlen)
{
const byte * pend = h + hlen;
int i;
+ SECItem dsaraw;
+ unsigned char dsabuf[2*DSA_SUBPRIME_LEN];
+ dsaraw.type = 0;
+ dsaraw.data = dsabuf;
+ dsaraw.len = sizeof(dsabuf);
+
for (i = 0; p < pend; i++, p += pgpMpiLen(p)) {
if (pubkey_algo == PGPPUBKEYALGO_RSA) {
if (i >= 1) break;
@@ -373,9 +444,9 @@ static int pgpPrtSigParams(pgpTag tag, byte pubkey_algo, byte sigtype,
{
switch (i) {
case 0: /* m**d */
- (void) mpnsethex(&_dig->c, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t m**d = "), mpfprintln(stderr, _dig->c.size, _dig->c.data);
+ _dig->rsasig = pgpMpiItem(NULL, _dig->rsasig, p);
+ if (_dig->rsasig == NULL)
+ return 1;
break;
default:
break;
@@ -390,11 +461,21 @@ fprintf(stderr, "\t m**d = "), mpfprintln(stderr, _dig->c.size, _dig->c.data);
int xx;
xx = 0;
switch (i) {
- case 0: /* r */
- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->r, p, pend);
+ case 0:
+ memset(dsaraw.data, '\0', 2*DSA_SUBPRIME_LEN);
+ /* r */
+ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data, p, pend);
break;
case 1: /* s */
- xx = pgpHexSet(pgpSigDSA[i], 160, &_dig->s, p, pend);
+ xx = pgpMpiSet(pgpSigDSA[i], DSA_SUBPRIME_LEN*8, dsaraw.data + DSA_SUBPRIME_LEN, p, pend);
+ if (_dig->dsasig != NULL)
+ SECITEM_FreeItem(_dig->dsasig, PR_FALSE);
+ else if ((_dig->dsasig=SECITEM_AllocItem(NULL, NULL, 0)) == NULL) {
+ xx = 1;
+ break;
+ }
+ if (DSAU_EncodeDerSig(_dig->dsasig, &dsaraw) != SECSuccess)
+ xx = 1;
break;
default:
xx = 1;
@@ -573,16 +654,17 @@ static const byte * pgpPrtPubkeyParams(byte pubkey_algo,
if (pubkey_algo == PGPPUBKEYALGO_RSA) {
if (i >= 2) break;
if (_dig) {
+ if (_dig->rsa == NULL) {
+ _dig->rsa = pgpNewRSAKey();
+ if (_dig->rsa == NULL)
+ break; /* error abort? */
+ }
switch (i) {
case 0: /* n */
- (void) mpbsethex(&_dig->rsa_pk.n, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t n = "), mpfprintln(stderr, _dig->rsa_pk.n.size, _dig->rsa_pk.n.modl);
+ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.modulus, p);
break;
case 1: /* e */
- (void) mpnsethex(&_dig->rsa_pk.e, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t e = "), mpfprintln(stderr, _dig->rsa_pk.e.size, _dig->rsa_pk.e.data);
+ pgpMpiItem(_dig->rsa->arena, &_dig->rsa->u.rsa.publicExponent, p);
break;
default:
break;
@@ -592,26 +674,23 @@ fprintf(stderr, "\t e = "), mpfprintln(stderr, _dig->rsa_pk.e.size, _dig->r
} else if (pubkey_algo == PGPPUBKEYALGO_DSA) {
if (i >= 4) break;
if (_dig) {
+ if (_dig->dsa == NULL) {
+ _dig->dsa = pgpNewDSAKey();
+ if (_dig->dsa == NULL)
+ break; /* error abort? */
+ }
switch (i) {
case 0: /* p */
- (void) mpbsethex(&_dig->p, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t p = "), mpfprintln(stderr, _dig->p.size, _dig->p.modl);
+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.prime, p);
break;
case 1: /* q */
- (void) mpbsethex(&_dig->q, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t q = "), mpfprintln(stderr, _dig->q.size, _dig->q.modl);
+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.subPrime, p);
break;
case 2: /* g */
- (void) mpnsethex(&_dig->g, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t g = "), mpfprintln(stderr, _dig->g.size, _dig->g.data);
+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.params.base, p);
break;
case 3: /* y */
- (void) mpnsethex(&_dig->y, pgpMpiHex(p));
-if (_debug && _print)
-fprintf(stderr, "\t y = "), mpfprintln(stderr, _dig->y.size, _dig->y.data);
+ pgpMpiItem(_dig->dsa->arena, &_dig->dsa->u.dsa.publicValue, p);
break;
default:
break;
@@ -942,6 +1021,8 @@ int pgpPrtPkt(const byte *pkt, unsigned int pleft)
pgpDig pgpNewDig(void)
{
pgpDig dig = xcalloc(1, sizeof(*dig));
+ NSS_NoDB_Init(NULL);
+
return dig;
}
@@ -964,14 +1045,27 @@ void pgpCleanDig(pgpDig dig)
dig->md5 = _free(dig->md5);
dig->sha1 = _free(dig->sha1);
- mpnfree(&dig->hm);
- mpnfree(&dig->r);
- mpnfree(&dig->s);
-
- (void) rsapkFree(&dig->rsa_pk);
- mpnfree(&dig->m);
- mpnfree(&dig->c);
- mpnfree(&dig->rsahm);
+
+ if (dig->dsa != NULL) {
+ SECKEY_DestroyPublicKey(dig->dsa);
+ dig->dsa = NULL;
+ }
+
+ if (dig->dsasig != NULL) {
+ SECITEM_ZfreeItem(dig->dsasig, PR_TRUE);
+ dig->dsasig = NULL;
+ }
+
+ if (dig->rsa != NULL) {
+ SECKEY_DestroyPublicKey(dig->rsa);
+ dig->rsa = NULL;
+ }
+
+ if (dig->rsasig != NULL) {
+ SECITEM_ZfreeItem(dig->rsasig, PR_TRUE);
+ dig->rsasig = NULL;
+ }
+
}
return;
}
@@ -991,14 +1085,6 @@ pgpDig pgpFreeDig(pgpDig dig)
(void) rpmDigestFinal(dig->sha1ctx, NULL, NULL, 0);
dig->sha1ctx = NULL;
- mpbfree(&dig->p);
- mpbfree(&dig->q);
- mpnfree(&dig->g);
- mpnfree(&dig->y);
- mpnfree(&dig->hm);
- mpnfree(&dig->r);
- mpnfree(&dig->s);
-
#ifdef NOTYET
if (dig->hdrmd5ctx != NULL)
(void) rpmDigestFinal(dig->hdrmd5ctx, NULL, NULL, 0);
@@ -1009,12 +1095,6 @@ pgpDig pgpFreeDig(pgpDig dig)
(void) rpmDigestFinal(dig->md5ctx, NULL, NULL, 0);
dig->md5ctx = NULL;
- mpbfree(&dig->rsa_pk.n);
- mpnfree(&dig->rsa_pk.e);
- mpnfree(&dig->m);
- mpnfree(&dig->c);
- mpnfree(&dig->hm);
-
dig = _free(dig);
}
return dig;
@@ -1196,17 +1276,12 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns)
{
const char * enc;
char * t;
- size_t nt;
+ size_t nt = 0;
char * val;
- int lc;
-
- nt = ((ns + 2) / 3) * 4;
- /* Add additional bytes necessary for eol string(s). */
- if (b64encode_chars_per_line > 0 && b64encode_eolstr != NULL) {
- lc = (nt + b64encode_chars_per_line - 1) / b64encode_chars_per_line;
- if (((nt + b64encode_chars_per_line - 1) % b64encode_chars_per_line) != 0)
- ++lc;
- nt += lc * strlen(b64encode_eolstr);
+
+ enc = b64encode(s, ns, -1);
+ if (enc != NULL) {
+ nt = strlen(enc);
}
nt += 512; /* XXX slop for armor and crc */
@@ -1216,9 +1291,9 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns)
t = stpcpy(t, "-----BEGIN PGP ");
t = stpcpy(t, pgpValStr(pgpArmorTbl, atype));
t = stpcpy( stpcpy(t, "-----\nVersion: rpm-"), VERSION);
- t = stpcpy(t, " (beecrypt-4.1.2)\n\n");
+ t = stpcpy(t, " (NSS-3)\n\n");
- if ((enc = b64encode(s, ns)) != NULL) {
+ if (enc != NULL) {
t = stpcpy(t, enc);
enc = _free(enc);
if ((enc = b64crc(s, ns)) != NULL) {
diff --git a/rpmio/rpmpgp.h b/rpmio/rpmpgp.h
index d4a65d267..5d3e2ae5c 100644
--- a/rpmio/rpmpgp.h
+++ b/rpmio/rpmpgp.h
@@ -18,9 +18,7 @@
extern "C" {
#endif
-#if !defined(_BEECRYPT_API_H)
typedef unsigned char byte;
-#endif /* _BEECRYPT_API_H */
/**
*/
@@ -1316,6 +1314,13 @@ unsigned int pgpCRC(const byte *octets, size_t len)
DIGEST_CTX rpmDigestDup(DIGEST_CTX octx);
/** \ingroup rpmio
+ * Obtain digest length in bytes.
+ * @param hashalgo type of digest
+ * @return digest length
+ */
+size_t rpmDigestLength(pgpHashAlgo hashalgo);
+
+/** \ingroup rpmio
* Initialize digest.
* Set bit count to 0 and buffer to mysterious initialization constants.
* @param hashalgo type of digest
diff --git a/rpmio/tax.c b/rpmio/tax.c
index 9c2f5a9bb..474cf17e5 100644
--- a/rpmio/tax.c
+++ b/rpmio/tax.c
@@ -1,8 +1,6 @@
#include "system.h"
-#include <beecrypt/base64.h>
-#include <beecrypt/mpbarrett.h>
-#include <beecrypt/mp.h>
+#include "base64.h"
#include <popt.h>
#include "debug.h"
diff --git a/rpmio/tkey.c b/rpmio/tkey.c
index 83152e252..d142066b4 100644
--- a/rpmio/tkey.c
+++ b/rpmio/tkey.c
@@ -31,7 +31,7 @@ fprintf(stderr, "*** sig is\n%s\n", sig);
return rc;
}
- if ((enc = b64encode(dec, declen)) == NULL) {
+ if ((enc = b64encode(dec, declen, -1)) == NULL) {
fprintf(stderr, "*** b64encode failed\n");
return rc;
}
@@ -51,18 +51,6 @@ fprintf(stderr, "??? %5d %02x != %02x '%c' != '%c'\n", i, (*s & 0xff), (*t & 0xf
return rc;
}
-/* FIPS-186 test vectors. */
-static const char * fips_p = "8df2a494492276aa3d25759bb06869cbeac0d83afb8d0cf7cbb8324f0d7882e5d0762fc5b7210eafc2e9adac32ab7aac49693dfbf83724c2ec0736ee31c80291";
-static const char * fips_q = "c773218c737ec8ee993b4f2ded30f48edace915f";
-static const char * fips_g = "626d027839ea0a13413163a55b4cb500299d5522956cefcb3bff10f399ce2c2e71cb9de5fa24babf58e5b79521925c9cc42e9f6f464b088cc572af53e6d78802";
-
-static const char * fips_hm = "a9993e364706816aba3e25717850c26c9cd0d89d";
-
-static const char * fips_y = "19131871d75b1612a819f29d78d1b0d7346f7aa77bb62a859bfd6c5675da9d212d3a36ef1672ef660b8c7c255cc0ec74858fba33f44c06699630a76b030ee333";
-
-static const char * fips_r = "8bac1ab66410435cb7181f95b16ab97c92b341c0";
-static const char * fips_s = "41e2345f1f56df2458f426d155b4ba2db6dcd8c8";
-
/* Secret key */
static const char * jbjSecretDSA =
"lQFvBDu6XHwRAwCTIHRgKeIlOFUIEZeJVYSrXn0eUrM5S8OF471tTc+IV7AwiXBR"
@@ -108,28 +96,6 @@ main (int argc, char *argv[])
dig = pgpNewDig();
- mpbzero(&dig->p); mpbsethex(&dig->p, fips_p);
- mpbzero(&dig->q); mpbsethex(&dig->q, fips_q);
- mpnzero(&dig->g); mpnsethex(&dig->g, fips_g);
- mpnzero(&dig->y); mpnsethex(&dig->y, fips_y);
- mpnzero(&dig->r); mpnsethex(&dig->r, fips_r);
- mpnzero(&dig->s); mpnsethex(&dig->s, fips_s);
- mpnzero(&dig->hm); mpnsethex(&dig->hm, fips_hm);
-
- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm,
- &dig->y, &dig->r, &dig->s);
-
-fprintf(stderr, "=============================== DSA FIPS-186-1: rc %d\n", rc);
-
- mpbfree(&dig->p);
- mpbfree(&dig->q);
- mpnfree(&dig->g);
- mpnfree(&dig->y);
-
- mpnfree(&dig->hm);
- mpnfree(&dig->r);
- mpnfree(&dig->s);
-
fprintf(stderr, "=============================== GPG Secret Key\n");
if ((rc = doit(jbjSecretDSA, dig, printing)) != 0)
fprintf(stderr, "==> FAILED: rc %d\n", rc);
@@ -144,39 +110,33 @@ fprintf(stderr, "=============================== GPG Signature of \"abc\"\n");
{ DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
struct pgpDigParams_s * dsig = &dig->signature;
- const char * digest = NULL;
+ void *digest = NULL;
size_t digestlen = 0;
const char * txt = "abc";
+ SECItem digitem;
rpmDigestUpdate(ctx, txt, strlen(txt));
rpmDigestUpdate(ctx, dsig->hash, dsig->hashlen);
- rpmDigestFinal(ctx, (void **)&digest, &digestlen, 1);
+ rpmDigestFinal(ctx, &digest, &digestlen, 0);
- mpnzero(&dig->hm); mpnsethex(&dig->hm, digest);
+fprintf(stderr, "\n hm = [ 160]: %s\n\n", pgpHexStr(digest, digestlen));
+ digitem.type = siBuffer;
+ digitem.data = digest;
+ digitem.len = digestlen;
-fprintf(stderr, "\n hm = [ 160]: %s\n\n", digest);
+ rc = VFY_VerifyDigest(&digitem, dig->dsa, dig->dsasig, SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST, NULL);
if (digest) {
- free((void *)digest);
+ free(digest);
digest = NULL;
}
}
- rc = dsavrfy(&dig->p, &dig->q, &dig->g, &dig->hm,
- &dig->y, &dig->r, &dig->s);
fprintf(stderr, "=============================== DSA verify: rc %d\n", rc);
- mpbfree(&dig->p);
- mpbfree(&dig->q);
- mpnfree(&dig->g);
- mpnfree(&dig->y);
-
- mpnfree(&dig->hm);
- mpnfree(&dig->r);
- mpnfree(&dig->s);
-
dig = pgpFreeDig(dig);
return rc;
}
+
diff --git a/tools/debugedit.c b/tools/debugedit.c
index e65f921af..cea532ecc 100644
--- a/tools/debugedit.c
+++ b/tools/debugedit.c
@@ -37,8 +37,8 @@
#include <gelf.h>
#include <dwarf.h>
-#include <beecrypt/beecrypt.h>
-
+#include <rpmio.h>
+#include <rpmpgp.h>
#include "hashtab.h"
#define DW_TAG_partial_unit 0x3c
@@ -1301,22 +1301,27 @@ error_out:
return NULL;
}
+static const pgpHashAlgo algorithms[] = { PGPHASHALGO_MD5,
+ PGPHASHALGO_SHA1, PGPHASHALGO_SHA256, PGPHASHALGO_SHA384, PGPHASHALGO_SHA512 };
+
/* Compute a fresh build ID bit-string from the editted file contents. */
static void
handle_build_id (DSO *dso, Elf_Data *build_id,
size_t build_id_offset, size_t build_id_size)
{
- hashFunctionContext ctx;
- const hashFunction *hf = NULL;
- int i = hashFunctionCount ();
+ DIGEST_CTX ctx;
+ pgpHashAlgo algorithm;
+ int i = sizeof(algorithms)/sizeof(algorithms[0]);
+ void *digest = NULL;
+ size_t len;
while (i-- > 0)
{
- hf = hashFunctionGet (i);
- if (hf != NULL && hf->digestsize == build_id_size)
+ algorithm = algorithms[i];
+ if (rpmDigestLength(algorithm) == build_id_size)
break;
}
- if (hf == NULL)
+ if (i < 0)
{
fprintf (stderr, "Cannot handle %Zu-byte build ID\n", build_id_size);
exit (1);
@@ -1332,7 +1337,7 @@ handle_build_id (DSO *dso, Elf_Data *build_id,
/* Clear the old bits so they do not affect the new hash. */
memset ((char *) build_id->d_buf + build_id_offset, 0, build_id_size);
- hashFunctionContextInit (&ctx, hf);
+ ctx = rpmDigestInit(algorithm, 0);
/* Slurp the relevant header bits and section contents and feed them
into the hash function. The only bits we ignore are the offset
@@ -1346,8 +1351,7 @@ handle_build_id (DSO *dso, Elf_Data *build_id,
inline void process (const void *data, size_t size);
inline void process (const void *data, size_t size)
{
- memchunk chunk = { .data = (void *) data, .size = size };
- hashFunctionContextUpdateMC (&ctx, &chunk);
+ rpmDigestUpdate(ctx, data, size);
}
union
@@ -1402,22 +1406,17 @@ handle_build_id (DSO *dso, Elf_Data *build_id,
}
}
- hashFunctionContextDigest (&ctx, (byte *) build_id->d_buf + build_id_offset);
- hashFunctionContextFree (&ctx);
+ rpmDigestFinal(ctx, &digest, &len, 0);
+ memcpy((unsigned char *)build_id->d_buf + build_id_offset, digest, build_id_size);
+ free(digest);
elf_flagdata (build_id, ELF_C_SET, ELF_F_DIRTY);
/* Now format the build ID bits in hex to print out. */
{
- const unsigned char * id = (unsigned char *) build_id->d_buf + build_id_offset;
+ const byte * id = (byte *)build_id->d_buf + build_id_offset;
char hex[build_id_size * 2 + 1];
- int n = snprintf (hex, 3, "%02" PRIx8, id[0]);
- assert (n == 2);
- for (i = 1; i < build_id_size; ++i)
- {
- n = snprintf (&hex[i * 2], 3, "%02" PRIx8, id[i]);
- assert (n == 2);
- }
+ pgpHexCvt(hex, id, build_id_size);
puts (hex);
}
}