Age | Commit message (Collapse) | Author |
|
|
|
memcpy is marked as nonnull for its input, but ignores the input anyhow
if the declared length is zero. Our SHA2 implementations do this as
well, it was "just" MD5 and SHA1 missing, so we add the length check
here as well as along the callstack as it is really pointless to do all
these method calls for "nothing".
Reported-By: gcc -fsanitize=undefined
|
|
Introduces APT::Hashes::<NAME> with entries Untrusted and Weak
which can be set to true to cause the hash to be treated as
untrusted and/or weak.
|
|
SHA1 is not reasonably secure anymore, so we should not consider it
usable anymore. The test suite is adjusted to account for this.
|
|
We want to declare some hashes as not enough for security, so that a
user will need --allow-unauthenticated or similar to get data secured
only by those hashes, but we can still us these hashes for integrity
checks if we got them.
|
|
The md5sum hash is broken since some time and we should no longer
consider it a usable hash. Also update the tests to reflect this.
|
|
Doing this disables the implicit copy assignment operator (among others)
which would cause hovac if used on the classes as it would just copy the
pointer, not the data the d-pointer points to. For most of the classes
we don't need a copy assignment operator anyway and in many classes it
was broken before as many contain a pointer of some sort.
Only for our Cacheset Container interfaces we define an explicit copy
assignment operator which could later be implemented to copy the data
from one d-pointer to the other if we need it.
Git-Dch: Ignore
|
|
Some of them modify the ABI, but given that we prepare a big one
already, these few hardly count for much.
Git-Dch: Ignore
|
|
At the moment we only have hashes for the uncompressed pdiff files, but
via the new '$HASH-Download' field in the .diff/Index hashes can be
provided for the .gz compressed pdiff file, which apt will pick up now
and use to verify the download. Now, we "just" need a buy in from the
creators of repositories…
|
|
Having every item having its own code to verify the file(s) it handles
is an errorprune process and easy to break, especially if items move
through various stages (download, uncompress, patching, …). With a giant
rework we centralize (most of) the verification to have a better
enforcement rate and (hopefully) less chance for bugs, but it breaks the
ABI bigtime in exchange – and as we break it anyway, it is broken even
harder.
It shouldn't effect most frontends as they don't deal with the acquire
system at all or implement their own items, but some do and will need to
be patched (might be an opportunity to use apt on-board material).
The theory is simple: Items implement methods to decide if hashes need to
be checked (in this stage) and to return the expected hashes for this
item (in this stage). The verification itself is done in worker message
passing which has the benefit that a hashsum error is now a proper error
for the acquire system rather than a Done() which is later revised to a
Failed().
|
|
It isn't used much compared to what the methodname suggests, but in the
remaining uses it can't hurt to check more than strictly necessary by
calculating and verifying with all hashes we can compare with rather
than "just" the best known hash.
|
|
Methods get told which hashes are expected by the acquire system, which
means we can use this list to restrict what we calculate in the methods
as any extra we are calculating is wasted effort as we can't compare it
with anything anyway.
Adding support for a new hash algorithm is therefore 'free' now and if a
algorithm is no longer provided in a repository for a file, we
automatically stop calculating it.
In practice this results in a speed-up in Debian as we don't have SHA512
here (so far), so we practically stop calculating it.
|
|
For compatibility we use/provide and fill quiet some deprecated methods
and fields, which subsequently earns us a warning for using them. These
warnings therefore have to be disabled for these codeparts and that is
what this change does now in a slightly more elegant way.
Git-Dch: Ignore
|
|
It is a very simple hashstring, which is why it isn't contributing to
the usability of a list of them, but it is also trivial to check and
calculate, so it doesn't hurt checking it either as it can combined even
with the simplest other hashes greatly complicate attacks on them as you
suddenly need a same-size hash collision, which is usually a lot harder
to achieve.
|
|
The fileformat of a pdiff index stores currently only SHA1 hashes. With
this change, we look for all other hashes we support as well and take
what we get, so that we can work after the release of jessie to get
right of SHA1 if we want to.
Note that the completely patched file is and was checked against the
hashes collected from the Release file, so this transition isn't mission
critical.
|
|
It is not very extensible to have the supported Hashes hardcoded
everywhere and especially if it is part of virtual method names.
It is also possible that a method does not support the 'best' hash
(yet), so we might end up not being able to verify a file even though we
have a common subset of supported hashes. And those are just two of the
cases in which it is handy to have a more dynamic selection.
The downside is that this is a MAJOR API break, but the HashStringList
has a string constructor for compatibility, so with a bit of luck the
few frontends playing with the acquire system directly are okay.
|
|
APT supports more than just one HashString and even allows to enforce
the usage of a specific hash. This class is intended to help with
storage and passing around of the HashStrings.
Git-Dch: Ignore
|
|
|
|
Git-Dch: Ignore
Reported-By: gcc -Wsuggest-attribute={pure,const,noreturn}
|
|
Beside being a bit cleaner it hopefully also resolves oddball problems
I have with high levels of parallel jobs.
Git-Dch: Ignore
Reported-By: iwyu (include-what-you-use)
|
|
The most "visible" change is from utime to utimensat/futimens
as the first one isn't part of POSIX anymore.
Reported-By: cppcheck
Git-Dch: Ignore
|
|
|
|
on the FileFd instead
|
|
|
|
size are pretty unlikely for now, but we need it for deb
packages which could become bigger than 4GB now (LP: #815895)
|
|
|
|
|
|
|
|
|
|
|
|
* add hook for MarkInstall and MarkDelete (closes: #470035)
* add the various foldmarkers in apt-pkg & cmdline (no code change)
* versions with a pin of -1 shouldn't be a candidate (Closes: #355237)
* prefer mmap as memory allocator in MMap instead of a static char
array which can (at least in theory) grow dynamic
* eliminate (hopefully all) segfaults in pkgcachegen.cc and mmap.cc
which can arise if cache doesn't fit into the mmap (Closes: #535218)
* display warnings instead of errors if the parts dirs doesn't exist
* honor the dpkg hold state in new Marker hooks (closes: #64141)
|
|
- Support reading until EOF if Size=0 to match behaviour of
SHA1Summation and SHA256Summation
|
|
|
|
- rename "hash" into ExpectedHash in pkgAcqFile, pkgAcqIndex
- add missing HashSum() call to class pkgAcqIndex
- use the data provided by acquire-method (and send via the
{SHA256,SHA1,MD5Sum}-Hash tag when comparing the hash, this
avoids calculating the hash twice (just like old libapt)
* apt-pkg/acquire-method.cc:
- send MD5Sum-Hash tag to libapt to be consistant with
HashString::SupportedHashes()
* apt-pkg/acquire-worker.cc:
- check with "Owner->HashSum().HashType()" what hash the frontend
is expecting and pass it to pkgAcquireItem::Done() in the new
HashString format
- add some debugging output
* apt-pkg/contrib/hashes.cc:
- fix off-by-one error when constructing a HashString from a single
input string
* apt-pkg/contrib/hashes.h:
- add "HashType()" method
* apt-pkg/init.h, apt-pkg/makefile, methods/makefile:
- break ABI
|
|
and fallback
|
|
|
|
|
|
Patches applied:
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-4
Merge from mainline
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-5
Merge from mainline
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-6
Collapse both pkgAcquire::Run() methods into one, with a default value
* michael.vogt@ubuntu.com--2005/apt--fixes--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-79
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-1
* merged obvious fixes into the tree to make it easy for matt to merge
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-2
* more merges from otavio that looks good/uncritical
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-3
* merged Matts misc-abi-changes tree
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-4
* finalized the changelog for a ubuntu build
* otavio@debian.org--2005/apt--fixes--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-71
* otavio@debian.org--2005/apt--fixes--0--patch-1
Fix comments about the need of xmlto
* otavio@debian.org--2005/apt--fixes--0--patch-2
Fix a compile warning
* otavio@debian.org--2005/apt--fixes--0--patch-3
Sync with apt--main--0--patch-76
* otavio@debian.org--2005/apt--fixes--0--patch-4
Sync with apt--main--0--patch-78
* otavio@debian.org--2005/apt--fixes--0--patch-5
Add fixes that was wrongly included on DDTP changes.
* otavio@debian.org--2005/apt--fixes--0--patch-8
Add information about the other fixes include on this branch now.
* otavio@debian.org--2005/apt--fixes--0--patch-9
Merge last changes from apt--main--0.
* otavio@debian.org--2005/apt--fixes--0--patch-10
Fix warnings about min/max change in gcc-4.0
* otavio@debian.org--2005/apt--fixes--0--patch-11
Fix remaning warnings while compiling gcc-4.0
* otavio@debian.org--2005/apt--fixes--0--patch-12
Add changelog entry about the fixes for warnings while compiling using GCC 4.0 compiler.
|
|
Author: jgg
Date: 2001-03-06 07:15:29 GMT
More SHA-1 prep
|