[pacman-dev] [PATCH 3/3] pacman: add file checksum validation against mtree

Tue Dec 29 03:02:36 UTC 2020

On 24/12/20 8:43 am, Emil Velikov wrote:
> With libarchive v3.5.0 we have API to fetch the digest from the mtree.
> Use that to validate if the installed files are modified or not.
> 
> As always, a modified backup file will trigger a warning but will not
> result in an actual failure.
> 
> TODO: localization... no idea how that is even done :-)

Adding the _() around the strings is all that needed done.

> NOTE: indentation is likely all over the place - first time I see ts=2

For line wraps, we generally just use two indents, so really does not
matter what the tab system is.

> Signed-off-by: Emil Velikov <emil.l.velikov at gmail.com>
> ---
>  src/pacman/check.c | 66 +++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 59 insertions(+), 7 deletions(-)
> 
> diff --git a/src/pacman/check.c b/src/pacman/check.c
> index 02217d0f..083c547d 100644
> --- a/src/pacman/check.c
> +++ b/src/pacman/check.c
> @@ -176,19 +176,70 @@ static int check_file_size(const char *pkgname, const char *filepath,
>  	return 0;
>  }
>  
> -/* placeholders - libarchive currently does not read checksums from mtree files
> -static int check_file_md5sum(const char *pkgname, const char *filepath,
> -		struct stat *st, struct archive_entry *entry, int backup)
> +#if ARCHIVE_VERSION_NUMBER >= 3005000

This does not need wrapped in #if.  There is nothing libarchive specific
in this function.

> +static int check_file_cksum(const char *pkgname, const char *filepath,
> +		int backup, const char *cksum_name, const char *cksum_calc, const char *cksum_mtree)
>  {
> +	if(!cksum_calc || !cksum_mtree) {

Only one of these failures matches the error message.   Split into
"checkusm information not available" and "failed to calculate checksum"

> +		if(!config->quiet) {
> +			pm_printf(ALPM_LOG_WARNING, _("%s: %s (failed to compute %s checksum)\n"),
> +					pkgname, filepath, cksum_name);
> +		}
> +		return 1;
> +	}
> +
> +	if(strcmp(cksum_calc, cksum_mtree) != 0) {
> +		if(backup) {
> +			if(!config->quiet) {
> +				printf("%s%s%s: ", config->colstr.title, _("backup file"),
> +						config->colstr.nocolor);
> +				printf(_("%s: %s (%s checksum mismatch)\n"),
> +						pkgname, filepath, cksum_name);
> +			}
> +			return 0;
> +		}
> +		if(!config->quiet) {
> +			pm_printf(ALPM_LOG_WARNING, _("%s: %s (%s checksum mismatch)\n"),
> +					pkgname, filepath, cksum_name);
> +		}
> +		return 1;

OK.

> +	}
> +
>  	return 0;
>  }
> +#endif
> +
> +static int check_file_md5sum(const char *pkgname, const char *filepath,
> +		struct archive_entry *entry, int backup)
> +{
> +	int errors = 0;
> +#if ARCHIVE_VERSION_NUMBER >= 3005000
> +	char *cksum_calc = alpm_compute_md5sum(filepath);
> +	char *cksum_mtree = hex_representation(archive_entry_digest(entry,
> +													ARCHIVE_ENTRY_DIGEST_MD5), 16);
> +	errors = check_file_cksum(pkgname, filepath, backup, "MD5", cksum_calc,
> +									cksum_mtree);
> +	free(cksum_mtree);
> +	free(cksum_calc);
> +#endif
> +	return (errors != 0 ? 1 : 0);
> +}
>  
>  static int check_file_sha256sum(const char *pkgname, const char *filepath,
> -		struct stat *st, struct archive_entry *entry, int backup)
> +		struct archive_entry *entry, int backup)
>  {
> -	return 0;
> +	int errors = 0;
> +#if ARCHIVE_VERSION_NUMBER >= 3005000
> +	char *cksum_calc = alpm_compute_sha256sum(filepath);
> +	char *cksum_mtree = hex_representation(archive_entry_digest(entry,
> +													ARCHIVE_ENTRY_DIGEST_SHA256), 32);
> +	errors = check_file_cksum(pkgname, filepath, backup, "SHA256", cksum_calc,
> +									cksum_mtree);
> +	free(cksum_mtree);
> +	free(cksum_calc);
> +#endif
> +	return (errors != 0 ? 1 : 0);
>  }
> -*/
>  
>  /* Loop through the files of the package to check if they exist. */
>  int check_pkg_fast(alpm_pkg_t *pkg)
> @@ -369,7 +420,8 @@ int check_pkg_full(alpm_pkg_t *pkg)
>  
>  		if(type == AE_IFREG) {
>  			file_errors += check_file_size(pkgname, filepath, &st, entry, backup);
> -			/* file_errors += check_file_md5sum(pkgname, filepath, &st, entry, backup); */
> +			file_errors += check_file_md5sum(pkgname, filepath, entry, backup);
> +			file_errors += check_file_sha256sum(pkgname, filepath, entry, backup);
>  		}
>  
>  		if(config->quiet && file_errors) {
> 