@@ -21,6 +21,7 @@ UDEV_RULE_DIR?=/lib/udev/rules.d/
# keys are put when building. For example you can run
# with make PUBKEY_DIR=/usr/lib/crda/pubkeys
PUBKEY_DIR?=pubkeys
+RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
CFLAGS += -Wall -g
@@ -29,7 +30,7 @@ all: all_noverify verify
all_noverify: crda intersect regdbdump
ifeq ($(USE_OPENSSL),1)
-CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl`
+CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
LDLIBS += `pkg-config --libs openssl`
reglib.o: keys-ssl.c
@@ -1,12 +1,15 @@
#include <errno.h>
#include <stdio.h>
#include <arpa/inet.h>
+#include <sys/types.h>
+#include <dirent.h>
#include "reglib.h"
#ifdef USE_OPENSSL
#include <openssl/objects.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
+#include <openssl/pem.h>
#endif
#ifdef USE_GCRYPT
@@ -48,6 +51,10 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
__u8 hash[SHA_DIGEST_LENGTH];
unsigned int i;
int ok = 0;
+ DIR *pubkey_dir;
+ struct dirent *nextfile;
+ FILE *keyfile;
+ char filename[PATH_MAX];
if (SHA1(db, dblen, hash) != hash) {
fprintf(stderr, "Failed to calculate SHA1 sum.\n");
@@ -71,6 +78,22 @@ int crda_verify_db_signature(__u8 *db, int dblen, int siglen)
rsa->n = NULL;
RSA_free(rsa);
}
+ if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
+ while (!ok && (nextfile = readdir(pubkey_dir))) {
+ snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
+ nextfile->d_name);
+ if ((keyfile = fopen(filename, "rb"))) {
+ rsa = PEM_read_RSA_PUBKEY(keyfile,
+ NULL, NULL, NULL);
+ if (rsa)
+ ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
+ db + dblen, siglen, rsa) == 1;
+ RSA_free(rsa);
+ fclose(keyfile);
+ }
+ }
+ closedir(pubkey_dir);
+ }
#endif
#ifdef USE_GCRYPT