authorPanu Matilainen <pmatilai@redhat.com>2011-11-09 13:05:08 +0200
committerPanu Matilainen <pmatilai@redhat.com>2011-11-09 13:12:01 +0200
commitbbf2f636762afefa12b1acabb6fed764d82c7945 (patch)
tree87742920ee19393b51562828952f2ac96f60980c
parent9e58316b0fd69da9e57cdbaee0aeeab8c47b033a (diff)
Switch to using rpmKeyringVerifySig() internally
- Change rpmVerifySignature() to take just the signature parameters instead of the whole dig (this is an internal API so we're free to mess with it) from which it only needed the signature params. - The internal low-level verifySignature() is thus reduced to a call to rpmKeyringVerifySig() and spitting some silly strings to msg. - With this, the keyring can now use and reuse its internally stored pgp key parameters instead of having to parse the same PGP packets over and over. As a result, signature checking is faster now. Not dramatically so but measurably nevertheless.
-rw-r--r--lib/package.c4
-rw-r--r--lib/rpmchecksig.c2
-rw-r--r--lib/signature.c38
-rw-r--r--lib/signature.h5
4 files changed, 21 insertions, 28 deletions
diff --git a/lib/package.c b/lib/package.c
index e29c23c9f..b5e238e20 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -275,7 +275,7 @@ static rpmRC headerSigVerify(rpmKeyring keyring, rpmVSFlags vsflags,
rpmDigestUpdate(ctx, pe, (ril * sizeof(*pe)));
rpmDigestUpdate(ctx, dataStart, rdl);
- rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, buf);
+ rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, buf);
rpmDigestFinal(ctx, NULL, NULL, 0);
}
@@ -649,7 +649,7 @@ static rpmRC rpmpkgRead(rpmKeyring keyring, rpmVSFlags vsflags,
}
/** @todo Implement disable/enable/warn/error/anal policy. */
- rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, &msg);
+ rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &msg);
switch (rc) {
case RPMRC_OK: /* Signature is OK. */
diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c
index 597ceafbb..3624f41dc 100644
--- a/lib/rpmchecksig.c
+++ b/lib/rpmchecksig.c
@@ -364,7 +364,7 @@ static int rpmpkgVerifySigs(rpmKeyring keyring, rpmQueryFlags flags,
break;
}
- rc = rpmVerifySignature(keyring, &sigtd, dig, ctx, &result);
+ rc = rpmVerifySignature(keyring, &sigtd, sig, ctx, &result);
rpmDigestFinal(ctx, NULL, NULL, 0);
formatResult(sigtd.tag, rc, result, havekey,
diff --git a/lib/signature.c b/lib/signature.c
index c5a06de16..a1293cb4f 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -462,37 +462,29 @@ exit:
/**
* Verify DSA/RSA signature.
* @param keyring pubkey keyring
- * @param dig OpenPGP container
+ * @param sig OpenPGP signature parameters
* @param hashctx digest context
* @param isHdr header-only signature?
* @retval msg verbose success/failure text
* @return RPMRC_OK on success
*/
static rpmRC
-verifySignature(rpmKeyring keyring, pgpDig dig, DIGEST_CTX hashctx, int isHdr,
- char **msg)
+verifySignature(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX hashctx,
+ int isHdr, char **msg)
{
- rpmRC res = RPMRC_FAIL; /* assume failure */
- char *sigid = NULL;
- *msg = NULL;
- pgpDigParams sig = pgpDigGetParams(dig, PGPTAG_SIGNATURE);
-
- /* Call verify even if we dont have a key for a basic sanity check */
- if (sig) {
- (void) rpmKeyringLookup(keyring, dig);
- res = pgpVerifySignature(pgpDigGetParams(dig, PGPTAG_PUBLIC_KEY),
- sig, hashctx);
-
- sigid = pgpIdentItem(sig);
- rasprintf(msg, "%s%s: %s\n", isHdr ? _("Header ") : "", sigid,
- rpmSigString(res));
- free(sigid);
- }
+
+ rpmRC res = rpmKeyringVerifySig(keyring, sig, hashctx);
+
+ char *sigid = pgpIdentItem(sig);
+ rasprintf(msg, "%s%s: %s\n", isHdr ? _("Header ") : "", sigid,
+ rpmSigString(res));
+ free(sigid);
return res;
}
rpmRC
-rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx, char ** result)
+rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDigParams sig,
+ DIGEST_CTX ctx, char ** result)
{
rpmRC res = RPMRC_NOTFOUND;
char *msg = NULL;
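Review bot: verifySignature() now hands `sig` straight to rpmKeyringVerifySig() and pgpIdentItem() without the `if (sig)` guard the old body had, so a NULL `sig` is kept out only by the `if (sig != NULL)` check in rpmVerifySignature() in the next hunk of this file. That precondition should be written where it is relied on, for example `* @param sig OpenPGP signature parameters (must not be NULL; checked by caller)`. The old comment about calling verify even without a key was dropped together with the rpmKeyringLookup() call; the missing-key outcome now presumably comes from rpmKeyringVerifySig(), and a one-line comment such as `/* key lookup and the no-key result are handled inside rpmKeyringVerifySig() */` would keep that visible to whoever audits the return codes. The explicit `*msg = NULL;` is gone as well, so `*msg` is defined only if rasprintf() always stores to it, which cannot be confirmed from this hunk. rpmVerifySignature()'s body continues outside the hunk.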
@@ -515,8 +507,8 @@ rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx,
case RPMSIGTAG_PGP5: /* XXX legacy */
case RPMSIGTAG_PGP:
case RPMSIGTAG_GPG:
- if (dig != NULL)
- res = verifySignature(keyring, dig, ctx, hdrsig, &msg);
+ if (sig != NULL)
+ res = verifySignature(keyring, sig, ctx, hdrsig, &msg);
break;
default:
break;
@@ -526,7 +518,7 @@ exit:
if (res == RPMRC_NOTFOUND) {
rasprintf(&msg,
_("Verify signature: BAD PARAMETERS (%d %p %d %p %p)\n"),
- sigtd->tag, sigtd->data, sigtd->count, ctx, dig);
+ sigtd->tag, sigtd->data, sigtd->count, ctx, sig);
res = RPMRC_FAIL;
}
diff --git a/lib/signature.h b/lib/signature.h
index 781ffd61a..136b70db8 100644
--- a/lib/signature.h
+++ b/lib/signature.h
@@ -58,12 +58,13 @@ int rpmGenDigest(Header sigh, const char * file, rpmTagVal sigTag);
*
* @param keyring keyring handle
* @param sigtd signature tag data container
- * @param dig signature/pubkey parameters
+ * @param sig signature/pubkey parameters
* @retval result detailed text result of signature verification
* (malloc'd)
* @return result of signature verification
*/
-rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, DIGEST_CTX ctx, char ** result);
+rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDigParams sig,
+ DIGEST_CTX ctx, char ** result);
/** \ingroup signature
* Destroy signature header from package.
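Review bot: The `@param sig` line still reads "signature/pubkey parameters", but the argument is now a `pgpDigParams` carrying only the signature, and per the commit description the public key is taken from the keyring. Suggest `* @param sig OpenPGP signature parameters (may be NULL)` and adding the missing `* @param ctx digest context`. It would also help to state the NULL outcome on the `@return` line; judging by the `sig != NULL` check and the BAD PARAMETERS path in lib/signature.c, a NULL `sig` with a PGP/GPG tag appears to end in RPMRC_FAIL, but the full function body is not visible here. The comment block starts above the hunk.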