Opkg support for smime (pkcs7) packages list signing

[oweals/opkg-lede.git] / libopkg / opkg_download.c

diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index f185f22af84fd0c8873b519b87c47df77c231704..e31c49c478354dd804faf56c2697befa8163b36d 100644 (file)
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -20,8 +20,17 @@
 #ifdef HAVE_CURL
 #include <curl/curl.h>
 #endif
 #ifdef HAVE_CURL
 #include <curl/curl.h>
 #endif

-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME)

 #include <gpgme.h>
 #include <gpgme.h>

+#elif defined(HAVE_OPENSSL)
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+

 #endif
 
 #include "includes.h"
 #endif
 
 #include "includes.h"


@@ -35,6 +44,12 @@
 #include "str_util.h"
 #include "opkg_defines.h"
 
 #include "str_util.h"
 #include "opkg_defines.h"
 

+
+#ifdef HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath);
+static void init_openssl(void);
+#endif
+

 int opkg_download(opkg_conf_t *conf, const char *src,
   const char *dest_file_name, curl_progress_func cb, void *data)
 {
 int opkg_download(opkg_conf_t *conf, const char *src,
   const char *dest_file_name, curl_progress_func cb, void *data)
 {


@@ -307,7 +322,7 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name
 int
 opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
 {
 int
 opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
 {

-#ifdef HAVE_GPGME
+#if defined HAVE_GPGME

     if (conf->check_signature == 0 )
         return 0;
     int status = -1;
     if (conf->check_signature == 0 )
         return 0;
     int status = -1;


@@ -374,8 +389,131 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
     gpgme_data_release (text);
     gpgme_release (ctx);
 
     gpgme_data_release (text);
     gpgme_release (ctx);
 

+    return status;
+#elif defined HAVE_OPENSSL
+    X509_STORE *store = NULL;
+    PKCS7 *p7 = NULL;
+    BIO *in = NULL, *indata = NULL;
+
+    // Sig check failed by default !
+    int status = -1;
+
+    init_openssl();
+
+    // Set-up the key store
+    if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open CA certificates\n");
+        goto verify_file_end;
+    }
+
+    // Open a BIO to read the sig file
+    if (!(in = BIO_new_file(sig_file, "rb"))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open signature file %s\n", sig_file);
+        goto verify_file_end;
+    }
+
+    // Read the PKCS7 block contained in the sig file
+    p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+    if(!p7){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't read signature file (Corrupted ?)\n");
+        goto verify_file_end;
+    }
+
+    // Open the Package file to authenticate
+    if (!(indata = BIO_new_file(text_file, "rb"))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open file %s\n", text_file);
+        goto verify_file_end;
+    }
+
+    // Let's verify the autenticity !
+    if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
+        // Get Off My Lawn!
+        opkg_message(conf, OPKG_ERROR,
+                "Verification failure\n");
+    }else{
+        // Victory !
+        status = 0;
+    }
+
+verify_file_end:
+    BIO_free(in);
+    BIO_free(indata);
+    PKCS7_free(p7);
+    X509_STORE_free(store);
+

     return status;
 #else
     return 0;
 #endif
 }
     return status;
 #else
     return 0;
 #endif
 }

+
+
+#if defined HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){
+    X509_STORE *store = NULL;
+    X509_LOOKUP *lookup = NULL;
+
+    if(!(store = X509_STORE_new())){
+        // Something bad is happening...
+        goto end;
+    }
+
+    // adds the X509 file lookup method
+    lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file());
+    if (lookup == NULL){
+        goto end;
+    }
+
+    // Autenticating against one CA file
+    if (CAfile) {
+        if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+            // Invalid CA => Bye bye
+            opkg_message(conf, OPKG_ERROR,
+                    "Error loading file %s\n", CAfile);
+            goto end;
+        }
+    } else {
+        X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+    }
+
+    // Now look into CApath directory if supplied
+    lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+    if (lookup == NULL){
+        goto end;
+    }
+
+    if (CApath) {
+        if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+            opkg_message(conf, OPKG_ERROR,
+                    "Error loading directory %s\n", CApath);
+            goto end;
+        }
+    } else {
+        X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+    }
+
+    // All right !
+    ERR_clear_error();
+    return store;
+
+end:
+
+    X509_STORE_free(store);
+    return NULL;
+
+}
+
+static void init_openssl(void){
+    static int init = 0;
+
+    if(!init){      
+        OpenSSL_add_all_algorithms();       
+        ERR_load_crypto_strings();
+        init = 1;
+    }
+}
+#endif