From 75d3925cbbf774e92fdc382dbf2fffe0e3a7d672 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Sun, 24 Feb 2008 21:23:54 +0000 Subject: [PATCH] don't duplicate sha1 hashes with strdup() (not \0 terminated) update the release documentation, only supported signatures are v3 signatures (gpg 2.x generates v3 sigs by default, but not gpg 1.x) --- doc/release-howto.txt | 4 ++++ src/misc/update.c | 31 ++++++++++++++++++++++--------- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/doc/release-howto.txt b/doc/release-howto.txt index ce8bea4f8d..05f521008e 100644 --- a/doc/release-howto.txt +++ b/doc/release-howto.txt @@ -25,6 +25,7 @@ - copy the tar.gz and tar.bz2 file on ftp.videolan.org in /opt/ftp/pub/videolan/testing/vlc-X.X.X/ - generate md5 hashes and gpg signature of these files + (use gpg --sign --detach --armor --force-v3-sigs) * Contribs - Put a copy of the libraries or svn snapshot in vlc-X.X.X/contrib @@ -37,6 +38,7 @@ Build in the "buildbeos" chroot on altair. # add the .zip files to /opt/ftp/pub/videolan/testing/vlc-X.X.X/beos/ generate md5 hashes and gpg signature of these files + (use gpg --sign --detach --armor --force-v3-sigs) * Win32 Packages make the packages using the nightly builds configure/options/... , don't forget --enable-update-check @@ -44,10 +46,12 @@ kind of suxxs) add the .zip and .exe files to /opt/ftp/pub/videolan/testing/vlc-X.X.X/win32/ generate md5 hashes and gpg signature of these files + (use gpg --sign --detach --armor --force-v3-sigs) * OS X packages configure with --enable-update-check generate md5 hashes and gpg signature of these files + (use gpg --sign --detach --armor --force-v3-sigs) * Commit changes ... it never works the first time diff --git a/src/misc/update.c b/src/misc/update.c index f1b8bb9ce1..6b6088b075 100644 --- a/src/misc/update.c +++ b/src/misc/update.c 
@@ -22,7 +22,9 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
 *****************************************************************************/
-
+/*
+ * XXX: should use v4 signatures for binary files (already used for public key)
+ */
 /**
 * \file
 * This file contains functions related to VLC update management
@@ -414,7 +416,12 @@ static int download_signature( vlc_object_t *p_this,
 int i_bytes = pgp_unarmor( p_buf, i_size, (uint8_t*)p_sig, 65 );
 free( p_buf );
- if( i_bytes > 65 )
+ if( i_bytes == 0 )
+ {
+ msg_Dbg( p_this, "Unarmoring failed" );
+ return VLC_EGENERIC;
+ }
+ else if( i_bytes > 65 )
 {
 msg_Dbg( p_this, "Signature is too big: %d bytes", i_bytes );
 return VLC_EGENERIC;
@@ -424,7 +431,8 @@ static int download_signature( vlc_object_t *p_this,
 int i_r_len = mpi_len( p_sig->r );
 if( i_r_len > 20 )
 {
- msg_Dbg( p_this, "Signature invalid" );
+ msg_Dbg( p_this, "Invalid signature, r number too big: %d bytes",
+ i_r_len );
 return VLC_EGENERIC;
 }
 else if( i_r_len < 20 )
@@ -667,8 +675,10 @@ static uint8_t *hash_sha1_from_file( const char *psz_file,
 fclose( f );
 gcry_md_final( hd );
- uint8_t *p_hash = (uint8_t*) gcry_md_read( hd, GCRY_MD_SHA1);
- p_hash = strdup( p_hash );
+ uint8_t *p_tmp = (uint8_t*) gcry_md_read( hd, GCRY_MD_SHA1);
+ uint8_t *p_hash = malloc( 20 );
+ if( p_hash )
+ memcpy( p_hash, p_tmp, 20 );
 gcry_md_close( hd );
 return p_hash;
 }
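Review bot: In download_signature, the added `i_bytes == 0` branch rejects only a completely failed unarmor; a short but non-zero result still falls through to the `mpi_len( p_sig->r )` parsing shown in the next hunk. Unless p_sig is zero-filled before this call (not visible here, the function starts and ends outside the hunk), the fields past the decoded bytes would be read uninitialised. Consider also rejecting anything shorter than the smallest valid signature packet, e.g. `else if( i_bytes < I_MIN_SIG_LEN )` where `I_MIN_SIG_LEN` is a placeholder name for a constant the file would have to define. The literal `65` is used both as the buffer size passed to pgp_unarmor and in the size check, so a named constant would keep the two from drifting apart.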
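Review bot: In hash_sha1_from_file the pointer returned by `gcry_md_read()` is copied without a NULL check, while the key_sign_hash hunk of this same patch adds `!p_tmp`; if the read ever returns NULL, `memcpy( p_hash, p_tmp, 20 )` dereferences it. Adding `if( !p_tmp ) { gcry_md_close( hd ); return NULL; }` before the allocation would make the two functions agree. The literal `20` is repeated for the allocation and the copy here and again in the key_sign_hash hunk; `gcry_md_get_algo_dlen( GCRY_MD_SHA1 )` or one shared constant would keep the digest length in a single place. The function begins outside this hunk.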
@@ -801,16 +811,19 @@ static uint8_t *key_sign_hash( public_key_t *p_pkey )
 gcry_md_final( hd );
- uint8_t *p_hash = gcry_md_read( hd, GCRY_MD_SHA1);
+ uint8_t *p_tmp = gcry_md_read( hd, GCRY_MD_SHA1);
- if( p_hash[0] != p_pkey->sig.hash_verification[0] ||
- p_hash[1] != p_pkey->sig.hash_verification[1] )
+ if( !p_tmp ||
+ p_tmp[0] != p_pkey->sig.hash_verification[0] ||
+ p_tmp[1] != p_pkey->sig.hash_verification[1] )
 {
 gcry_md_close( hd );
 return NULL;
 }
- p_hash = strdup( p_hash );
+ uint8_t *p_hash = malloc( 20 );
+ if( p_hash )
+ memcpy( p_hash, p_tmp, 20 );
 gcry_md_close( hd );
 return p_hash;
 }
-- 2.39.2
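Review bot: key_sign_hash now returns NULL for two unrelated reasons, the two-byte comparison against `hash_verification` failing and `malloc( 20 )` failing, and nothing in the hunk tells the caller which one happened or who owns the returned buffer. A short comment above the final return would settle that, for example `/* returns a malloc'd 20-byte SHA-1 digest the caller must free, or NULL on hash mismatch or allocation failure */`. The same comment should say that the two-byte comparison is only a quick reject and does not replace verifying the signature itself, which is presumably done by the caller. The function starts outside this hunk.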