From db3b86e7f34f4c3ccb42e98465f2069aa642a85f Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Tue, 7 Jun 2011 17:29:55 -0500 Subject: Do database signature checking at load time This is the ideal place to do it as all clients should be checking the return value and ensuring there are no errors. This is similar to pkg_load(). We also add an additional step of validation after we download a new database; a subsequent '-y' operation can potentially invalidate the original check at registration time. Note that this implementation is still a bit naive; if a signature is invalid it is currently impossible to refresh and re-download the file without manually deleting it first. Similarly, if one downloads a database and the check fails, the database object is still there and can be used. These shortcomings will be addressed in a future commit. Signed-off-by: Dan McGee --- lib/libalpm/be_sync.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) (limited to 'lib/libalpm/be_sync.c') diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index e5fc6a70..2cf90544 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -20,7 +20,9 @@ #include "config.h" +#include #include +#include /* libarchive */ #include @@ -65,6 +67,37 @@ static char *get_sync_dir(pmhandle_t *handle) return syncpath; } +static int sync_db_validate(pmdb_t *db) +{ + /* this takes into account the default verification level if UNKNOWN + * was assigned to this db */ + pgp_verify_t check_sig = _alpm_db_get_sigverify_level(db); + + if(check_sig != PM_PGP_VERIFY_NEVER) { + int ret; + const char *dbpath = _alpm_db_path(db); + if(!dbpath) { + /* pm_errno set in _alpm_db_path() */ + return -1; + } + + /* we can skip any validation if the database doesn't exist */ + if(access(dbpath, R_OK) != 0 && errno == ENOENT) { + return 0; + } + + _alpm_log(db->handle, PM_LOG_DEBUG, "checking signature for %s\n", + db->treename); + ret = _alpm_gpgme_checksig(db->handle, dbpath, NULL); + if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || + (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { + RET_ERR(db->handle, PM_ERR_SIG_INVALID, -1); + } + } + + return 0; +} + /** Update a package database * * An update of the package database \a db will be attempted. Unless @@ -144,6 +177,15 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) if(ret == 0 && (check_sig == PM_PGP_VERIFY_ALWAYS || check_sig == PM_PGP_VERIFY_OPTIONAL)) { + /* an existing sig file is no good at this point */ + char *sigpath = _alpm_db_sig_path(db); + if(!sigpath) { + ret = -1; + break; + } + unlink(sigpath); + free(sigpath); + int errors_ok = (check_sig == PM_PGP_VERIFY_OPTIONAL); /* if we downloaded a DB, we want the .sig from the same server */ snprintf(fileurl, len, "%s/%s.db.sig", server, db->treename); @@ -173,6 +215,11 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) /* Cache needs to be rebuilt */ _alpm_db_free_pkgcache(db); + if(sync_db_validate(db)) { + /* pm_errno should be set */ + ret = -1; + } + cleanup: free(syncpath); @@ -523,7 +570,8 @@ struct db_operations sync_db_ops = { .version = sync_db_version, }; -pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename) +pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename, + pgp_verify_t level) { pmdb_t *db; @@ -535,6 +583,12 @@ pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename) } db->ops = &sync_db_ops; db->handle = handle; + db->pgp_verify = level; + + if(sync_db_validate(db)) { + _alpm_db_free(db); + return NULL; + } handle->dbs_sync = alpm_list_add(handle->dbs_sync, db); return db; -- cgit v1.2.3-2-g168b From 1150d9e15aaea2ae1f259995d11442f491ef0af7 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Wed, 20 Apr 2011 19:54:01 -0500 Subject: Move database 'version' check to registration time This is another step toward doing both local database validation (ensuring we don't have depends files) and sync database validation (via signatures if present) when the database is registered. Signed-off-by: Dan McGee --- lib/libalpm/be_sync.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'lib/libalpm/be_sync.c') diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index 2cf90544..1a434f24 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -559,15 +559,9 @@ error: return -1; } -static int sync_db_version(pmdb_t UNUSED *db) -{ - return 2; -} - struct db_operations sync_db_ops = { .populate = sync_db_populate, .unregister = _alpm_db_unregister, - .version = sync_db_version, }; pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename, -- cgit v1.2.3-2-g168b From 79e98316ea89486d107466858543e965bcfbb0a9 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Tue, 7 Jun 2011 20:42:15 -0500 Subject: Add a 'valid' flag to the database object Start by converting all of our flags to a 'status' bitmask (pkgcache status, grpcache status). Add a new 'valid' flag as well. This will let us keep track if the database itself has been marked valid in whatever fashion. For local databases at the moment we ensure there are no depends files; for sync databases we ensure the PGP signature is valid if required/requested. The loading of the pkgcache is prohibited if the database is invalid. Signed-off-by: Dan McGee --- lib/libalpm/be_sync.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'lib/libalpm/be_sync.c') diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index 1a434f24..c1703ffe 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -69,9 +69,15 @@ static char *get_sync_dir(pmhandle_t *handle) static int sync_db_validate(pmdb_t *db) { + pgp_verify_t check_sig; + + if(db->status & DB_STATUS_VALID) { + return 0; + } + /* this takes into account the default verification level if UNKNOWN * was assigned to this db */ - pgp_verify_t check_sig = _alpm_db_get_sigverify_level(db); + check_sig = _alpm_db_get_sigverify_level(db); if(check_sig != PM_PGP_VERIFY_NEVER) { int ret; @@ -83,6 +89,7 @@ static int sync_db_validate(pmdb_t *db) /* we can skip any validation if the database doesn't exist */ if(access(dbpath, R_OK) != 0 && errno == ENOENT) { + goto valid; return 0; } @@ -95,6 +102,8 @@ static int sync_db_validate(pmdb_t *db) } } +valid: + db->status |= DB_STATUS_VALID; return 0; } @@ -215,6 +224,7 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) /* Cache needs to be rebuilt */ _alpm_db_free_pkgcache(db); + db->status &= ~DB_STATUS_VALID; if(sync_db_validate(db)) { /* pm_errno should be set */ ret = -1; -- cgit v1.2.3-2-g168b From 4f8ae2bab61c8fc678589c6840d44977c82d4cc2 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Fri, 24 Jun 2011 04:11:38 -0500 Subject: Don't require a transaction for sync DB updates Instead, just do the required locking directly in the backend in calls to alpm_db_update(). Signed-off-by: Dan McGee --- lib/libalpm/be_sync.c | 42 ++++++++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 18 deletions(-) (limited to 'lib/libalpm/be_sync.c') diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index c1703ffe..f51ab97a 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -113,26 +113,22 @@ valid: * \a force is true, the update will only be performed if the remote * database was modified since the last update. * - * A transaction is necessary for this operation, in order to obtain a - * database lock. During this transaction the front-end will be informed - * of the download progress of the database via the download callback. + * This operation requires a database lock, and will return an applicable error + * if the lock could not be obtained. * * Example: * @code * alpm_list_t *syncs = alpm_option_get_syncdbs(); - * if(alpm_trans_init(0, NULL, NULL, NULL) == 0) { - * for(i = syncs; i; i = alpm_list_next(i)) { - * pmdb_t *db = alpm_list_getdata(i); - * result = alpm_db_update(0, db); - * alpm_trans_release(); + * for(i = syncs; i; i = alpm_list_next(i)) { + * pmdb_t *db = alpm_list_getdata(i); + * result = alpm_db_update(0, db); * - * if(result < 0) { - * printf("Unable to update database: %s\n", alpm_strerrorlast()); - * } else if(result == 1) { - * printf("Database already up to date\n"); - * } else { - * printf("Database updated\n"); - * } + * if(result < 0) { + * printf("Unable to update database: %s\n", alpm_strerrorlast()); + * } else if(result == 1) { + * printf("Database already up to date\n"); + * } else { + * printf("Database updated\n"); * } * } * @endcode @@ -162,15 +158,21 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) ASSERT(db != handle->db_local, RET_ERR(handle, PM_ERR_WRONG_ARGS, -1)); ASSERT(db->servers != NULL, RET_ERR(handle, PM_ERR_SERVER_NONE, -1)); - /* make sure we have a sane umask */ - oldmask = umask(0022); - syncpath = get_sync_dir(handle); if(!syncpath) { return -1; } + + /* make sure we have a sane umask */ + oldmask = umask(0022); + check_sig = _alpm_db_get_sigverify_level(db); + /* attempt to grab a lock */ + if(_alpm_handle_lock(handle)) { + RET_ERR(handle, PM_ERR_HANDLE_LOCK, -1); + } + for(i = db->servers; i; i = i->next) { const char *server = i->data; char *fileurl; @@ -232,6 +234,10 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) cleanup: + if(_alpm_handle_unlock(handle)) { + _alpm_log(handle, PM_LOG_WARNING, _("could not remove lock file %s\n"), + alpm_option_get_lockfile(handle)); + } free(syncpath); umask(oldmask); return ret; -- cgit v1.2.3-2-g168b