Commit 7429427a authored by Paul Fertser's avatar Paul Fertser Committed by Luis R. Rodriguez

Implement runtime loading of RSA public keys

This patch allows crda to load and use additional keys from a
pre-configured location for the database signature verification. This
provides a convenient way for distro maintainers and card manufacturers to
supply a custom regulatory database along with their public keys, without
the need to recompile crda.

Implemented for USE_OPENSSL=1 case only because libgcrypt lacks PEM parser.

Default location for public keys in PEM format is
/etc/wireless-regdb/pubkeys and can be changed by specifying
RUNTIME_PUBKEY_DIR at the make command line.
Signed-off-by: 's avatarPaul Fertser <fercerpav@gmail.com>
parent 5351898d
......@@ -21,6 +21,7 @@ UDEV_RULE_DIR?=/lib/udev/rules.d/
# keys are put when building. For example you can run
# with make PUBKEY_DIR=/usr/lib/crda/pubkeys
PUBKEY_DIR?=pubkeys
RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
CFLAGS += -Wall -g
......@@ -29,7 +30,7 @@ all: all_noverify verify
all_noverify: crda intersect regdbdump
ifeq ($(USE_OPENSSL),1)
CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl`
CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
LDLIBS += `pkg-config --libs openssl`
reglib.o: keys-ssl.c
......
#include <errno.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <dirent.h>
#include "reglib.h"
#ifdef USE_OPENSSL
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/pem.h>
#endif
#ifdef USE_GCRYPT
......@@ -48,6 +51,10 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
__u8 hash[SHA_DIGEST_LENGTH];
unsigned int i;
int ok = 0;
DIR *pubkey_dir;
struct dirent *nextfile;
FILE *keyfile;
char filename[PATH_MAX];
if (SHA1(db, dblen, hash) != hash) {
fprintf(stderr, "Failed to calculate SHA1 sum.\n");
......@@ -71,6 +78,22 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
rsa->n = NULL;
RSA_free(rsa);
}
if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
while (!ok && (nextfile = readdir(pubkey_dir))) {
snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
nextfile->d_name);
if ((keyfile = fopen(filename, "rb"))) {
rsa = PEM_read_RSA_PUBKEY(keyfile,
NULL, NULL, NULL);
if (rsa)
ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
db + dblen, siglen, rsa) == 1;
RSA_free(rsa);
fclose(keyfile);
}
}
closedir(pubkey_dir);
}
#endif
#ifdef USE_GCRYPT
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment