diff options
| author | Paul Fertser <fercerpav@gmail.com> | 2010-01-23 14:34:14 +0300 |
|---|---|---|
| committer | Luis R. Rodriguez <lrodriguez@atheros.com> | 2010-01-25 09:40:49 -0800 |
| commit | 7429427a13c6ae244df6f60b811d6d1152e1d451 (patch) | |
| tree | 2fdecfca27e648aa2af0f7cdc8f1af17d038e402 | |
| parent | 5351898d6b33d642026a5e57a9a457939e58bf5e (diff) | |
| download | crda-7429427a13c6ae244df6f60b811d6d1152e1d451.tar.gz | |
Implement runtime loading of RSA public keys
This patch allows crda to load and use additional keys from a
pre-configured location for the database signature verification. This
provides a convenient way for distro maintainers and card manufacturers to
supply a custom regulatory database along with their public keys, without
the need to recompile crda.
Implemented for USE_OPENSSL=1 case only because libgcrypt lacks PEM parser.
Default location for public keys in PEM format is
/etc/wireless-regdb/pubkeys and can be changed by specifying
RUNTIME_PUBKEY_DIR at the make command line.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
| -rw-r--r-- | Makefile | 3 | ||||
| -rw-r--r-- | reglib.c | 23 |
2 files changed, 25 insertions, 1 deletions
@@ -21,6 +21,7 @@ UDEV_RULE_DIR?=/lib/udev/rules.d/ # keys are put when building. For example you can run # with make PUBKEY_DIR=/usr/lib/crda/pubkeys PUBKEY_DIR?=pubkeys +RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys CFLAGS += -Wall -g @@ -29,7 +30,7 @@ all: all_noverify verify all_noverify: crda intersect regdbdump ifeq ($(USE_OPENSSL),1) -CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl` +CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl` LDLIBS += `pkg-config --libs openssl` reglib.o: keys-ssl.c @@ -1,12 +1,15 @@ #include <errno.h> #include <stdio.h> #include <arpa/inet.h> +#include <sys/types.h> +#include <dirent.h> #include "reglib.h" #ifdef USE_OPENSSL #include <openssl/objects.h> #include <openssl/rsa.h> #include <openssl/sha.h> +#include <openssl/pem.h> #endif #ifdef USE_GCRYPT @@ -48,6 +51,10 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen) __u8 hash[SHA_DIGEST_LENGTH]; unsigned int i; int ok = 0; + DIR *pubkey_dir; + struct dirent *nextfile; + FILE *keyfile; + char filename[PATH_MAX]; if (SHA1(db, dblen, hash) != hash) { fprintf(stderr, "Failed to calculate SHA1 sum.\n"); @@ -71,6 +78,22 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen) rsa->n = NULL; RSA_free(rsa); } + if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) { + while (!ok && (nextfile = readdir(pubkey_dir))) { + snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, + nextfile->d_name); + if ((keyfile = fopen(filename, "rb"))) { + rsa = PEM_read_RSA_PUBKEY(keyfile, + NULL, NULL, NULL); + if (rsa) + ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, + db + dblen, siglen, rsa) == 1; + RSA_free(rsa); + fclose(keyfile); + } + } + closedir(pubkey_dir); + } #endif #ifdef USE_GCRYPT |