From patchwork Mon Aug 24 13:09:59 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Baptiste Jonglez <baptiste@bitsofnetworks.org>
X-Patchwork-Id: 1350368
X-Patchwork-Delegate: baptiste@bitsofnetworks.org
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org
 (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=bitsofnetworks.org
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=merlin.20170209 header.b=J0ssd+FY;
	dkim-atps=neutral
Received: from merlin.infradead.org (merlin.infradead.org
 [IPv6:2001:8b0:10b:1231::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4BZswP5yw0z9sRK
	for <incoming@patchwork.ozlabs.org>; Mon, 24 Aug 2020 23:12:05 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	 bh=3h61D/4brURcnjYnXV168cTL4m57aYLh2r3MPYzLElA=; b=J0ssd+FYy5Xq7KaerHpXIxAvN
	tG/0JJfMWYDK1htwqRBcln8l/EJv5zJH3uQQfWGq4RW6uJZEQQBMlU51F4nuxQwvEHpjFazw7ZOnW
	etWbKCmj28wG6U9XrG/SmuodzUUEwyxzd3lGPC5knGhPtidXoCN40qO+GDNGZetxdmgeCoYScvLRo
	BmFme15aMB0e5gsNVKchA52Nf9vhW2/bjrszrt6052VXrMYysKSa9+QTD2GVtHFuGKIwr8z4zRJwO
	SaQFsm9CsYDI9Awm60slugKc70FrrybYuAKyRejHQgGRdWb0tAMCGsEYiStqdbR9NYe7bbaevyzMW
	Mt+PINjwQ==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1kACEk-0007hG-II; Mon, 24 Aug 2020 13:10:10 +0000
Received: from mails.bitsofnetworks.org ([2001:912:1800:ff::131])
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1kACEi-0007gV-7k
 for openwrt-devel@lists.openwrt.org; Mon, 24 Aug 2020 13:10:09 +0000
Received: from [2001:912:1800::5c8] (helo=localhost.localdomain)
 by mails.bitsofnetworks.org with esmtp (Exim 4.89)
 (envelope-from <baptiste@bitsofnetworks.org>)
 id 1kACEh-0007Ud-6p; Mon, 24 Aug 2020 15:10:07 +0200
From: Baptiste Jonglez <baptiste@bitsofnetworks.org>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH opkg v2] libopkg: harden checksum verification in error cases
Date: Mon, 24 Aug 2020 15:09:59 +0200
Message-Id: <20200824130959.437942-1-baptiste@bitsofnetworks.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200824115220.436145-1-baptiste@bitsofnetworks.org>
References: <20200824115220.436145-1-baptiste@bitsofnetworks.org>
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20200824_091008_471642_D8123C1F 
X-CRM114-Status: GOOD (  17.08  )
X-Spam-Score: 0.0 (/)
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
 Content analysis details:   (0.0 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Baptiste Jonglez <git@bitsofnetworks.org>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

From: Baptiste Jonglez <git@bitsofnetworks.org>

This should make it harder to exploit bugs such as CVE-2020-7982.

If we can't compute the checksum of a package, we should abort.

Similarly, if we can't find any checksum in the package index, this should
yield an error.

As an exception, installing a package directly from a file is allowed even
if no checksum is found, because this is typically used without any
package index.  This can be useful when installing packages "manually" on
a device, but is also done in several places during the OpenWrt build
process.

In any case, it is always possible to use the existing --force-checksum
option to manually bypass these new verifications.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
---

v2: rebase to avoid depending on the other patch "libopkg: move file size
check after checksum verification".

 libopkg/opkg_install.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 27c9484..18a2511 100644
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -1395,6 +1395,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 	pkg_md5 = pkg_get_md5(pkg);
 	if (pkg_md5) {
 		file_md5 = file_md5sum_alloc(local_filename);
+		if (!file_md5 && !conf->force_checksum) {
+			opkg_msg(ERROR, "Failed to compute md5sum of package %s.\n",
+				 pkg->name);
+			return -1;
+		}
 		if (file_md5 && strcmp(file_md5, pkg_md5)) {
 			if (!conf->force_checksum) {
 				opkg_msg(ERROR, "Package %s md5sum mismatch. "
@@ -1416,6 +1421,11 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 	pkg_sha256 = pkg_get_sha256(pkg);
 	if (pkg_sha256) {
 		file_sha256 = file_sha256sum_alloc(local_filename);
+		if (!file_sha256 && !conf->force_checksum) {
+			opkg_msg(ERROR, "Failed to compute sha256sum of package %s.\n",
+				 pkg->name);
+			return -1;
+		}
 		if (file_sha256 && strcmp(file_sha256, pkg_sha256)) {
 			if (!conf->force_checksum) {
 				opkg_msg(ERROR,
@@ -1434,6 +1444,16 @@ int opkg_install_pkg(pkg_t * pkg, int from_upgrade)
 			free(file_sha256);
 	}
 
+	/* Check that at least one type of checksum was found.  There are
+	 * two acceptable exceptions:
+	 * 1) the package is explicitly installed from a local file;
+	 * 2) the --force-checksum option is used to disable checksum verification. */
+	if (!pkg_md5 && !pkg_sha256 && !pkg->provided_by_hand && !conf->force_checksum) {
+		opkg_msg(ERROR, "Failed to obtain checksum of package %s from package index.\n",
+			 pkg->name);
+		return -1;
+	}
+
 	if (conf->download_only) {
 		if (conf->nodeps == 0) {
 			err = satisfy_dependencies_for(pkg);