Search Linux Wireless

Re: [PATCH] Implement runtime loading of RSA public keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jan 23, 2010 at 02:54:14PM +0300, Paul Fertser wrote:
> +	if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
> +		while (!ok && (nextfile = readdir(pubkey_dir))) {
> +			if ((keyfile = fopen(nextfile->d_name, "rb"))) {

Duh, of course it's wrong but i managed to have that key in the
current directory during testing :(

Amended version attached.

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@xxxxxxxxx
>From 3ad6149a22346c2f34224227a580c1424eed6b57 Mon Sep 17 00:00:00 2001
From: Paul Fertser <fercerpav@xxxxxxxxx>
Date: Sat, 23 Jan 2010 14:34:14 +0300
Subject: [PATCH] Implement runtime loading of RSA public keys

This patch allows crda to load and use additional keys from a
pre-configured location for the database signature verification. This
provides a convenient way for distro maintainers and card manufacturers to
supply a custom regulatory database along with their public keys, without
the need to recompile crda.

Implemented for USE_OPENSSL=1 case only because libgcrypt lacks PEM parser.

Default location for public keys in PEM format is
/etc/wireless-regdb/pubkeys and can be changed by specifying
RUNTIME_PUBKEY_DIR at the make command line.

Signed-off-by: Paul Fertser <fercerpav@xxxxxxxxx>
---
 Makefile |    3 ++-
 reglib.c |   23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletions(-)

diff --git a/Makefile b/Makefile
index 3cc61c2..b8bc7d3 100644
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,7 @@ UDEV_RULE_DIR?=/lib/udev/rules.d/
 # keys are put when building. For example you can run
 # with make PUBKEY_DIR=/usr/lib/crda/pubkeys
 PUBKEY_DIR?=pubkeys
+RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
 
 CFLAGS += -Wall -g
 
@@ -29,7 +30,7 @@ all: all_noverify verify
 all_noverify: crda intersect regdbdump
 
 ifeq ($(USE_OPENSSL),1)
-CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl`
+CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
 LDLIBS += `pkg-config --libs openssl`
 
 reglib.o: keys-ssl.c
diff --git a/reglib.c b/reglib.c
index 6aeadcb..80ae062 100644
--- a/reglib.c
+++ b/reglib.c
@@ -1,12 +1,15 @@
 #include <errno.h>
 #include <stdio.h>
 #include <arpa/inet.h>
+#include <sys/types.h>
+#include <dirent.h>
 #include "reglib.h"
 
 #ifdef USE_OPENSSL
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
+#include <openssl/pem.h>
 #endif
 
 #ifdef USE_GCRYPT
@@ -48,6 +51,10 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
 	__u8 hash[SHA_DIGEST_LENGTH];
 	unsigned int i;
 	int ok = 0;
+	DIR *pubkey_dir;
+	struct dirent *nextfile;
+	FILE *keyfile;
+	char filename[PATH_MAX];
 
 	if (SHA1(db, dblen, hash) != hash) {
 		fprintf(stderr, "Failed to calculate SHA1 sum.\n");
@@ -71,6 +78,22 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
 		rsa->n = NULL;
 		RSA_free(rsa);
 	}
+	if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
+		while (!ok && (nextfile = readdir(pubkey_dir))) {
+			snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
+				nextfile->d_name);
+			if ((keyfile = fopen(filename, "rb"))) {
+				rsa = PEM_read_RSA_PUBKEY(keyfile,
+					NULL, NULL, NULL);
+				if (rsa) 
+					ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
+						db + dblen, siglen, rsa) == 1;
+				RSA_free(rsa);
+				fclose(keyfile);
+			}
+		}
+		closedir(pubkey_dir);
+	}
 #endif
 
 #ifdef USE_GCRYPT
-- 
1.6.4.4


[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux