Compare checksum for repodata against the downloaded rpm file

vmware · Aug 15, 2023 · 724aade · 724aade
1 parent c9896da
commit 724aade
Show file tree

Hide file tree

Showing 16 changed files with 553 additions and 302 deletions.
diff --git a/client/defines.h b/client/defines.h
@@ -237,6 +237,7 @@ typedef enum
     {ERROR_TDNF_NO_GPGKEY_CONF_ENTRY,         "ERROR_TDNF_NO_GPGKEY_CONF_ENTRY",         "gpgkey entry is missing for this repo. please add gpgkey in repo file or use --nogpgcheck to ignore."}, \
     {ERROR_TDNF_URL_INVALID,                          "ERROR_TDNF_URL_INVALID",          "URL is invalid."}, \
     {ERROR_TDNF_SIZE_MISMATCH,                       "ERROR_TDNF_SIZE_MISMATCH",                       "File size does not match."}, \
+    {ERROR_TDNF_CHECKSUM_MISMATCH,                   "ERROR_TDNF_CHECKSUM_MISMATCH",                   "File checksum does not match."}, \
     {ERROR_TDNF_BASEURL_DOES_NOT_EXISTS,             "ERROR_TDNF_BASEURL_DOES_NOT_EXISTS",             "Base URL and Metalink URL not found in the repo file"},\
     {ERROR_TDNF_CHECKSUM_VALIDATION_FAILED,          "ERROR_TDNF_CHECKSUM_VALIDATION_FAILED",          "Checksum Validation failed for the repomd.xml downloaded using URL from metalink"},\
     {ERROR_TDNF_METALINK_RESOURCE_VALIDATION_FAILED, "ERROR_TDNF_METALINK_RESOURCE_VALIDATION_FAILED", "No Resource present in metalink file for file download"},\

diff --git a/client/includes.h b/client/includes.h
@@ -63,13 +63,4 @@
 
 #include "config.h"
 
-// Enum in order of preference
-enum {
-    TDNF_HASH_MD5 = 0,
-    TDNF_HASH_SHA1,
-    TDNF_HASH_SHA256,
-    TDNF_HASH_SHA512,
-    TDNF_HASH_SENTINEL
-};
-
 #endif /* __CLIENT_INCLUDES_H__ */
diff --git a/client/packageutils.c b/client/packageutils.c
@@ -1082,6 +1082,7 @@ TDNFPopulatePkgInfos(
     Id dwPkgId = 0;
     PTDNF_PKG_INFO pPkgInfos = NULL;
     PTDNF_PKG_INFO pPkgInfo = NULL;
+    int nChecksumType = 0;
 
     if(!ppPkgInfos)
     {
@@ -1136,6 +1137,34 @@ TDNFPopulatePkgInfos(
                       &pPkgInfo->pszLocation);
         BAIL_ON_TDNF_ERROR(dwError);
 
+        dwError = SolvGetPkgChecksumFromId(
+                      pSack,
+                      dwPkgId,
+                      &nChecksumType,
+                      &pPkgInfo->pbChecksum);
+        //Ignore no data
+        if(dwError == ERROR_TDNF_NO_DATA)
+        {
+            dwError = 0;
+        } else if (nChecksumType == REPOKEY_TYPE_SHA512)
+        {
+            pPkgInfo->nChecksumType = TDNF_HASH_SHA512;
+        } else if (nChecksumType == REPOKEY_TYPE_SHA256)
+        {
+            pPkgInfo->nChecksumType = TDNF_HASH_SHA256;
+        } else if (nChecksumType == REPOKEY_TYPE_SHA1)
+        {
+            pPkgInfo->nChecksumType = TDNF_HASH_SHA1;
+        } else if (nChecksumType == REPOKEY_TYPE_MD5)
+        {
+            pPkgInfo->nChecksumType = TDNF_HASH_MD5;
+        } else
+        {
+            pPkgInfo->pbChecksum = NULL;
+        }
+
+        BAIL_ON_TDNF_ERROR(dwError);
+
         dwError = SolvGetPkgInstallSizeFromId(
                       pSack,
                       dwPkgId,

diff --git a/client/prototypes.h b/client/prototypes.h
@@ -10,9 +10,6 @@
 #define __CLIENT_PROTOTYPES_H__
 
 #include <unistd.h>
-#include <openssl/sha.h>
-#include <openssl/md5.h>
-#include <openssl/evp.h>
 
 extern uid_t gEuid;
 

diff --git a/client/rpmtrans.c b/client/rpmtrans.c
@@ -820,6 +820,8 @@ TDNFTransAddInstallPkg(
     PTDNF_CACHED_RPM_ENTRY pRpmCache = NULL;
     const char* pszPackageLocation = NULL;
     const char* pszPkgName = NULL;
+    uint8_t digest_from_file[EVP_MAX_MD_SIZE] = {0};
+    hash_op *hash = NULL;
     int nSize;
 
     if(!pTS || !pTdnf || !pInfo || !pRepo)
@@ -898,6 +900,20 @@ TDNFTransAddInstallPkg(
         BAIL_ON_TDNF_SYSTEM_ERROR(dwError);
     }
 
+    if(pInfo->pbChecksum != NULL) {
+        hash = hash_ops + pInfo->nChecksumType;
+
+        dwError = TDNFGetDigestForFile(pszFilePath, hash, digest_from_file);
+        BAIL_ON_TDNF_ERROR(dwError);
+
+        if (memcmp(digest_from_file, pInfo->pbChecksum, hash->length))
+        {
+            pr_err("rpm file (%s) Checksum FAILED (digest mismatch)\n", pszFilePath);
+            dwError = ERROR_TDNF_CHECKSUM_MISMATCH;
+            BAIL_ON_TDNF_ERROR(dwError);
+        }
+    }
+
     dwError = TDNFGetFileSize(pszFilePath, &nSize);
     BAIL_ON_TDNF_ERROR(dwError);
 

diff --git a/common/prototypes.h b/common/prototypes.h
@@ -323,4 +323,35 @@ int32_t strtoi(const char *ptr);
 
 int isTrue(const char *str);
 
+uint32_t
+TDNFGetDigestForFile(
+    const char *filename,
+    hash_op *hash,
+    uint8_t *digest
+    );
+
+uint32_t
+TDNFCheckHash(
+    const char *filename,
+    unsigned char *digest,
+    int type
+    );
+
+uint32_t
+TDNFCheckHexDigest(
+    const char *hex_digest,
+    int digest_length
+    );
+
+uint32_t
+TDNFHexToUint(
+    const char *hex_digest,
+    unsigned char *uintValue
+    );
+
+uint32_t
+TDNFChecksumFromHexDigest(
+    const char *hex_digest,
+    unsigned char *ppdigest
+    );
 #endif /* __COMMON_PROTOTYPES_H__ */
diff --git a/common/structs.h b/common/structs.h
@@ -1,5 +1,9 @@
 #pragma once
 
+#include <openssl/sha.h>
+#include <openssl/md5.h>
+#include <openssl/evp.h>
+
 typedef struct _KEYVALUE_
 {
     char *pszKey;
@@ -46,3 +50,26 @@ enum {
     TDNFLOCK_WRITE  = 1 << 1,
     TDNFLOCK_WAIT   = 1 << 2,
 };
+
+// Enum in order of preference
+enum {
+    TDNF_HASH_MD5 = 0,
+    TDNF_HASH_SHA1,
+    TDNF_HASH_SHA256,
+    TDNF_HASH_SHA512,
+    TDNF_HASH_SENTINEL
+};
+
+typedef struct _hash_op {
+    char *hash_type;
+    unsigned int length;
+} hash_op;
+
+typedef struct _hash_type {
+    char *hash_name;
+    unsigned int hash_value;
+}hash_type;
+
+extern hash_op hash_ops[TDNF_HASH_SENTINEL];
+
+extern hash_type hashType[7];