GCC Code Coverage Report

Directory: cvmfs/
File: cvmfs/whitelist.cc
Date: 2025-11-09 02:35:23
Exec Total Coverage
Lines: 192 284 67.6%
Branches: 120 286 42.0%
Line Branch Exec Source
1 /**
2 * This file is part of the CernVM File System.
3 */
4
5
6 #include "whitelist.h"
7
8 #include <algorithm>
9 #include <cassert>
10 #include <cstring>
11 #include <ctime>
12
13 #include "crypto/signature.h"
14 #include "network/download.h"
15 #include "util/logging.h"
16 #include "util/smalloc.h"
17 #include "util/string.h"
18
19 using namespace std; // NOLINT
20
21 namespace whitelist {
22
23 const int Whitelist::kFlagVerifyRsa = 0x01;
24 const int Whitelist::kFlagVerifyPkcs7 = 0x02;
25 const int Whitelist::kFlagVerifyCaChain = 0x04;
26
27
28 548 void Whitelist::CopyBuffers(unsigned *plain_size, unsigned char **plain_buf,
29 unsigned *pkcs7_size,
30 unsigned char **pkcs7_buf) const {
31 548 *plain_size = plain_size_;
32 548 *pkcs7_size = pkcs7_size_;
33 548 *plain_buf = NULL;
34 548 *pkcs7_buf = NULL;
35
1/2
✓ Branch 0 taken 548 times.
✗ Branch 1 not taken.
 548 if (plain_size_ > 0) {
36 548 *plain_buf = reinterpret_cast<unsigned char *>(smalloc(plain_size_));
37 548 memcpy(*plain_buf, plain_buf_, plain_size_);
38 }
39
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 548 times.
 548 if (pkcs7_size_ > 0) {
40 *pkcs7_buf = reinterpret_cast<unsigned char *>(smalloc(pkcs7_size_));
41 memcpy(*pkcs7_buf, pkcs7_buf_, pkcs7_size_);
42 }
43 548 }
44
45
46 27 std::string Whitelist::CreateString(
47 const std::string &fqrn,
48 int validity_days,
49 shash::Algorithms hash_algorithm,
50 signature::SignatureManager *signature_manager) {
51
3/6
✓ Branch 2 taken 27 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 27 times.
✗ Branch 6 not taken.
✓ Branch 8 taken 27 times.
✗ Branch 9 not taken.
 54 const std::string to_sign = WhitelistTimestamp(time(NULL)) + "\n" + "E"
52
1/2
✓ Branch 2 taken 27 times.
✗ Branch 3 not taken.
 108 + WhitelistTimestamp(time(NULL)
53
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 + validity_days * 24 * 3600)
54
4/8
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 27 times.
✗ Branch 5 not taken.
✓ Branch 7 taken 27 times.
✗ Branch 8 not taken.
✓ Branch 10 taken 27 times.
✗ Branch 11 not taken.
 54 + "\n" + "N" + fqrn + "\n"
55
2/4
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 27 times.
✗ Branch 5 not taken.
 81 + signature_manager->FingerprintCertificate(
56 hash_algorithm)
57
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 + "\n";
58
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 shash::Any hash(hash_algorithm);
59
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 shash::HashString(to_sign, &hash);
60
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 std::string hash_str = hash.ToString();
61
62
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 std::string whitelist(to_sign);
63
3/6
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 27 times.
✗ Branch 5 not taken.
✓ Branch 7 taken 27 times.
✗ Branch 8 not taken.
 27 whitelist += "--\n" + hash_str + "\n";
64 unsigned char *signature;
65 unsigned signature_size;
66
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 const bool retval = signature_manager->SignRsa(
67 27 reinterpret_cast<const unsigned char *>(hash_str.data()),
68 27 hash_str.length(), &signature, &signature_size);
69
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 27 times.
 27 assert(retval);
70
2/4
✓ Branch 2 taken 27 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 27 times.
✗ Branch 6 not taken.
 27 whitelist += std::string(reinterpret_cast<char *>(signature), signature_size);
71 27 free(signature);
72
73 54 return whitelist;
74 27 }
75
76
77 9 std::string Whitelist::ExportString() const {
78
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 9 times.
 9 if (plain_buf_ == NULL)
79 return "";
80
1/2
✓ Branch 2 taken 9 times.
✗ Branch 3 not taken.
 9 return std::string(reinterpret_cast<char *>(plain_buf_), plain_size_);
81 }
82
83
84 time_t Whitelist::expires() const {
85 assert(status_ == kStAvailable);
86 return expires_;
87 }
88
89
90 bool Whitelist::IsExpired() const {
91 assert(status_ == kStAvailable);
92 return time(NULL) > expires_;
93 }
94
95
96 582 Failures Whitelist::VerifyLoadedCertificate() const {
97
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 582 times.
 582 assert(status_ == kStAvailable);
98
99
1/2
✓ Branch 1 taken 582 times.
✗ Branch 2 not taken.
 582 vector<string> blacklist = signature_manager_->GetBlacklist();
100
2/2
✓ Branch 1 taken 51 times.
✓ Branch 2 taken 548 times.
 599 for (unsigned i = 0; i < blacklist.size(); ++i) {
101
1/2
✓ Branch 1 taken 51 times.
✗ Branch 2 not taken.
 51 const shash::Any this_hash = signature::SignatureManager::MkFromFingerprint(
102 51 blacklist[i]);
103
2/2
✓ Branch 1 taken 17 times.
✓ Branch 2 taken 34 times.
 51 if (this_hash.IsNull())
104 17 continue;
105
106 34 const shash::Algorithms algorithm = this_hash.algorithm;
107
2/5
✓ Branch 1 taken 34 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
✓ Branch 4 taken 34 times.
✗ Branch 5 not taken.
 34 if (this_hash == signature_manager_->HashCertificate(algorithm))
108 34 return kFailBlacklisted;
109 }
110
111
1/2
✓ Branch 1 taken 548 times.
✗ Branch 2 not taken.
 548 for (unsigned i = 0; i < fingerprints_.size(); ++i) {
112 548 const shash::Algorithms algorithm = fingerprints_[i].algorithm;
113
2/5
✓ Branch 2 taken 548 times.
✗ Branch 3 not taken.
✗ Branch 4 not taken.
✓ Branch 5 taken 548 times.
✗ Branch 6 not taken.
 548 if (signature_manager_->HashCertificate(algorithm) == fingerprints_[i]) {
114
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 548 times.
 548 if (verification_flags_ & kFlagVerifyCaChain) {
115 const bool retval = signature_manager_->VerifyCaChain();
116 if (!retval)
117 return kFailBadCaChain;
118 }
119 548 return kFailOk;
120 }
121 }
122 return kFailNotListed;
123 582 }
124
125
126 /**
127 * Expects whitelist to be loaded into plain_buf_ / plain_size_ and already
128 * parsed so that verification_flags_ is set
129 */
130 600 Failures Whitelist::VerifyWhitelist() {
131 bool retval_b;
132 whitelist::Failures retval_wl;
133
134
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 600 times.
 600 assert(verification_flags_ != 0);
135
136
1/2
✓ Branch 0 taken 600 times.
✗ Branch 1 not taken.
 600 if (verification_flags_ & kFlagVerifyRsa) {
137 600 retval_b = signature_manager_->VerifyLetter(plain_buf_, plain_size_, true);
138
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 600 times.
 600 if (!retval_b) {
139 LogCvmfs(kLogCvmfs, kLogDebug, "failed to verify repository whitelist");
140 return kFailBadSignature;
141 }
142 }
143
144
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 600 times.
 600 if (verification_flags_ & kFlagVerifyPkcs7) {
145 unsigned char *extracted_whitelist;
146 unsigned extracted_whitelist_size;
147 vector<string> alt_uris;
148 retval_b = signature_manager_->VerifyPkcs7(
149 pkcs7_buf_, pkcs7_size_, &extracted_whitelist,
150 &extracted_whitelist_size, &alt_uris);
151 if (!retval_b) {
152 LogCvmfs(kLogCvmfs, kLogDebug,
153 "failed to verify repository whitelist (pkcs#7): %s",
154 signature_manager_->GetCryptoError().c_str());
155 return kFailBadPkcs7;
156 }
157
158 // Check for subject alternative name matching the repository name
159 bool found_uri = false;
160 for (unsigned i = 0; i < alt_uris.size(); ++i) {
161 LogCvmfs(kLogSignature, kLogDebug, "found pkcs#7 signer uri %s",
162 alt_uris[i].c_str());
163 if (alt_uris[i] == "cvmfs:" + fqrn_) {
164 found_uri = true;
165 break;
166 }
167 }
168 if (!found_uri) {
169 LogCvmfs(kLogCvmfs, kLogDebug,
170 "failed to find whitelist signer with SAN/URI cvmfs:%s",
171 fqrn_.c_str());
172 free(extracted_whitelist);
173 return kFailBadSignaturePkcs7;
174 }
175
176 // Check once again the extracted whitelist
177 Reset();
178 LogCvmfs(kLogCvmfs, kLogDebug, "Extracted pkcs#7 whitelist:\n%s",
179 string(reinterpret_cast<char *>(extracted_whitelist),
180 extracted_whitelist_size)
181 .c_str());
182 retval_wl = ParseWhitelist(extracted_whitelist, extracted_whitelist_size);
183 if (retval_wl != kFailOk) {
184 LogCvmfs(kLogCvmfs, kLogDebug,
185 "failed to verify repository certificate against pkcs#7 "
186 "whitelist");
187 return kFailMalformedPkcs7;
188 }
189 }
190
191 600 status_ = kStAvailable;
192 600 return kFailOk;
193 }
194
195
196 36 Failures Whitelist::LoadMem(const std::string &whitelist) {
197 Failures retval_wl;
198
199 36 Reset();
200
201 36 plain_size_ = whitelist.length();
202 36 plain_buf_ = reinterpret_cast<unsigned char *>(smalloc(plain_size_));
203 36 memcpy(plain_buf_, whitelist.data(), plain_size_);
204
205 36 retval_wl = ParseWhitelist(plain_buf_, plain_size_);
206
2/2
✓ Branch 0 taken 18 times.
✓ Branch 1 taken 18 times.
 36 if (retval_wl != kFailOk)
207 18 return retval_wl;
208 // TODO(jblomer): PKCS7 verification unsupported when loading from memory
209
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 18 times.
 18 if (verification_flags_ & kFlagVerifyPkcs7)
210 return kFailLoadPkcs7;
211
212 18 return VerifyWhitelist();
213 }
214
215
216 582 Failures Whitelist::LoadUrl(const std::string &base_url) {
217 582 const bool probe_hosts = base_url == "";
218 download::Failures retval_dl;
219 Failures retval_wl;
220
221 582 Reset();
222
223
2/4
✓ Branch 2 taken 582 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 582 times.
✗ Branch 6 not taken.
 1164 const string whitelist_url = base_url + string("/.cvmfswhitelist");
224 582 cvmfs::MemSink whitelist_memsink;
225 download::JobInfo download_whitelist(&whitelist_url, false, probe_hosts, NULL,
226
1/2
✓ Branch 1 taken 582 times.
✗ Branch 2 not taken.
 582 &whitelist_memsink);
227
1/2
✓ Branch 1 taken 582 times.
✗ Branch 2 not taken.
 582 retval_dl = download_manager_->Fetch(&download_whitelist);
228
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 582 times.
 582 if (retval_dl != download::kFailOk)
229 return kFailLoad;
230 582 plain_size_ = whitelist_memsink.pos();
231
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 582 times.
 582 if (plain_size_ == 0)
232 return kFailEmpty;
233 582 whitelist_memsink.Release();
234 582 plain_buf_ = whitelist_memsink.data();
235
236
1/2
✓ Branch 1 taken 582 times.
✗ Branch 2 not taken.
 582 retval_wl = ParseWhitelist(plain_buf_, plain_size_);
237
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 582 times.
 582 if (retval_wl != kFailOk)
238 return retval_wl;
239
240
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 582 times.
 582 if (verification_flags_ & kFlagVerifyPkcs7) {
241 // Load the separate whitelist pkcs7 structure
242 const string whitelist_pkcs7_url = base_url
243 + string("cvmfswhitelist.pkcs7");
244 cvmfs::MemSink pkcs7_memsink;
245 download::JobInfo download_whitelist_pkcs7(
246 &whitelist_pkcs7_url, false, probe_hosts, NULL, &pkcs7_memsink);
247 retval_dl = download_manager_->Fetch(&download_whitelist_pkcs7);
248 if (retval_dl != download::kFailOk)
249 return kFailLoadPkcs7;
250 pkcs7_size_ = pkcs7_memsink.pos();
251 if (pkcs7_size_ == 0)
252 return kFailEmptyPkcs7;
253 pkcs7_memsink.Release();
254 pkcs7_buf_ = pkcs7_memsink.data();
255 }
256
257
1/2
✓ Branch 1 taken 582 times.
✗ Branch 2 not taken.
 582 return VerifyWhitelist();
258 582 }
259
260
261 /**
262 * Helps for the time being with whitelists valid until after Y2038 on 32 bit
263 * systems.
264 */
265 654 bool Whitelist::IsBefore(time_t now, const struct tm &t_whitelist) {
266 struct tm t_local;
267
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 654 times.
 654 if (gmtime_r(&now, &t_local) == NULL)
268 return false;
269
2/2
✓ Branch 0 taken 260 times.
✓ Branch 1 taken 394 times.
 654 if (t_local.tm_year < t_whitelist.tm_year)
270 260 return true;
271
2/2
✓ Branch 0 taken 9 times.
✓ Branch 1 taken 385 times.
 394 if (t_local.tm_year > t_whitelist.tm_year)
272 9 return false;
273
2/2
✓ Branch 0 taken 322 times.
✓ Branch 1 taken 63 times.
 385 if (t_local.tm_mon < t_whitelist.tm_mon)
274 322 return true;
275
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 63 times.
 63 if (t_local.tm_mon > t_whitelist.tm_mon)
276 return false;
277
2/2
✓ Branch 0 taken 27 times.
✓ Branch 1 taken 36 times.
 63 if (t_local.tm_mday < t_whitelist.tm_mday)
278 27 return true;
279
2/2
✓ Branch 0 taken 18 times.
✓ Branch 1 taken 18 times.
 36 if (t_local.tm_mday > t_whitelist.tm_mday)
280 18 return false;
281
1/2
✓ Branch 0 taken 18 times.
✗ Branch 1 not taken.
 18 if (t_local.tm_hour < t_whitelist.tm_hour)
282 18 return true;
283 return false;
284 }
285
286
287 672 Failures Whitelist::ParseWhitelist(const unsigned char *whitelist,
288 const unsigned whitelist_size) {
289 672 const time_t local_timestamp = time(NULL);
290 672 string line;
291 672 unsigned payload_bytes = 0;
292 672 bool verify_pkcs7 = false;
293 672 bool verify_cachain = false;
294
295 // Check timestamp (UTC), ignore issue date (legacy)
296
1/2
✓ Branch 1 taken 672 times.
✗ Branch 2 not taken.
 672 line = GetLineMem(reinterpret_cast<const char *>(whitelist), whitelist_size);
297
2/2
✓ Branch 1 taken 9 times.
✓ Branch 2 taken 663 times.
 672 if (line.length() != 14) {
298
1/2
✓ Branch 1 taken 9 times.
✗ Branch 2 not taken.
 9 LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp format");
299 9 return kFailMalformed;
300 }
301 663 payload_bytes += 15;
302
303 // Expiry date
304 663 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
305
1/2
✓ Branch 1 taken 663 times.
✗ Branch 2 not taken.
 663 whitelist_size - payload_bytes);
306
2/2
✓ Branch 1 taken 9 times.
✓ Branch 2 taken 654 times.
 663 if (line.length() != 15) {
307
1/2
✓ Branch 1 taken 9 times.
✗ Branch 2 not taken.
 9 LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp format");
308 9 return kFailMalformed;
309 }
310 struct tm tm_wl;
311 654 memset(&tm_wl, 0, sizeof(struct tm));
312
2/4
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 654 times.
✗ Branch 5 not taken.
 654 tm_wl.tm_year = String2Int64(line.substr(1, 4)) - 1900;
313
2/4
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 654 times.
✗ Branch 5 not taken.
 654 tm_wl.tm_mon = String2Int64(line.substr(5, 2)) - 1;
314
2/4
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 654 times.
✗ Branch 5 not taken.
 654 tm_wl.tm_mday = String2Int64(line.substr(7, 2));
315
2/4
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 654 times.
✗ Branch 5 not taken.
 654 tm_wl.tm_hour = String2Int64(line.substr(9, 2));
316 654 tm_wl.tm_min = tm_wl.tm_sec = 0; // exact on hours level
317 654 const time_t timestamp = timegm(&tm_wl);
318
1/2
✓ Branch 2 taken 654 times.
✗ Branch 3 not taken.
 654 LogCvmfs(kLogSignature, kLogDebug,
319 "whitelist UTC expiry timestamp in localtime: %s",
320
1/2
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
 1308 StringifyTime(timestamp, false).c_str());
321
1/2
✓ Branch 2 taken 654 times.
✗ Branch 3 not taken.
 654 LogCvmfs(kLogSignature, kLogDebug, "local time: %s",
322
1/2
✓ Branch 1 taken 654 times.
✗ Branch 2 not taken.
 1308 StringifyTime(local_timestamp, true).c_str());
323 // Makeshift solution to deal with whitelists valid after Y2038 on 32bit
324 // machines. Still unclear how glibc is going to treat the problem.
325
2/2
✓ Branch 1 taken 27 times.
✓ Branch 2 taken 627 times.
 654 if (!IsBefore(local_timestamp, tm_wl)) {
326
1/2
✓ Branch 1 taken 27 times.
✗ Branch 2 not taken.
 27 LogCvmfs(kLogSignature, kLogDebug | kLogSyslogErr,
327 "whitelist lifetime verification failed, expired");
328 27 return kFailExpired;
329 }
330 // if (timestamp < 0) {
331 // LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp");
332 // return kFailMalformed;
333 // }
334 // if (local_timestamp > timestamp) {
335 // LogCvmfs(kLogSignature, kLogDebug | kLogSyslogErr,
336 // "whitelist lifetime verification failed, expired");
337 // return kFailExpired;
338 // }
339 627 expires_ = timestamp;
340 627 payload_bytes += 16;
341
342 // Check repository name
343 627 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
344
1/2
✓ Branch 1 taken 627 times.
✗ Branch 2 not taken.
 627 whitelist_size - payload_bytes);
345
7/14
✓ Branch 1 taken 627 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 627 times.
✗ Branch 5 not taken.
✗ Branch 6 not taken.
✓ Branch 7 taken 18 times.
✓ Branch 8 taken 609 times.
✓ Branch 9 taken 627 times.
✗ Branch 10 not taken.
✗ Branch 11 not taken.
✓ Branch 12 taken 18 times.
✓ Branch 13 taken 609 times.
✗ Branch 14 not taken.
✗ Branch 15 not taken.
 627 if ((fqrn_ != "") && ("N" + fqrn_ != line)) {
346
1/2
✓ Branch 3 taken 18 times.
✗ Branch 4 not taken.
 18 LogCvmfs(kLogSignature, kLogDebug,
347 "repository name on the whitelist does not match "
348 "(found %s, expected %s)",
349 line.c_str(), fqrn_.c_str());
350 18 return kFailNameMismatch;
351 }
352 609 payload_bytes += line.length() + 1;
353
354 // Check for PKCS7
355 609 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
356
1/2
✓ Branch 1 taken 609 times.
✗ Branch 2 not taken.
 609 whitelist_size - payload_bytes);
357
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 609 times.
 609 if (line == "Vpkcs7") {
358 LogCvmfs(kLogSignature, kLogDebug, "whitelist verification: pkcs#7");
359 verify_pkcs7 = true;
360 payload_bytes += line.length() + 1;
361 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
362 whitelist_size - payload_bytes);
363 }
364
365 // Check for CA chain verification
366 609 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
367
1/2
✓ Branch 1 taken 609 times.
✗ Branch 2 not taken.
 609 whitelist_size - payload_bytes);
368
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 609 times.
 609 if (line == "Wcachain") {
369 LogCvmfs(kLogSignature, kLogDebug,
370 "whitelist imposes ca chain verification of manifest signature");
371 verify_cachain = true;
372 payload_bytes += line.length() + 1;
373 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
374 whitelist_size - payload_bytes);
375 }
376
377 do {
378
2/2
✓ Branch 1 taken 600 times.
✓ Branch 2 taken 609 times.
 1209 if (line == "--")
379 600 break;
380
1/2
✓ Branch 1 taken 609 times.
✗ Branch 2 not taken.
 609 const shash::Any this_hash = signature::SignatureManager::MkFromFingerprint(
381 line);
382
2/2
✓ Branch 1 taken 600 times.
✓ Branch 2 taken 9 times.
 609 if (!this_hash.IsNull())
383
1/2
✓ Branch 1 taken 600 times.
✗ Branch 2 not taken.
 600 fingerprints_.push_back(this_hash);
384
385 609 payload_bytes += line.length() + 1;
386 609 line = GetLineMem(reinterpret_cast<const char *>(whitelist) + payload_bytes,
387
1/2
✓ Branch 1 taken 609 times.
✗ Branch 2 not taken.
 609 whitelist_size - payload_bytes);
388
2/2
✓ Branch 0 taken 600 times.
✓ Branch 1 taken 9 times.
 609 } while (payload_bytes < whitelist_size);
389
390
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 609 times.
 609 verification_flags_ = verify_pkcs7 ? kFlagVerifyPkcs7 : kFlagVerifyRsa;
391
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 609 times.
 609 if (verify_cachain)
392 verification_flags_ |= kFlagVerifyCaChain;
393 609 return kFailOk;
394 672 }
395
396
397 1939 void Whitelist::Reset() {
398 1939 status_ = kStNone;
399 1939 fingerprints_.clear();
400 1939 expires_ = 0;
401 1939 verification_flags_ = 0;
402
2/2
✓ Branch 0 taken 618 times.
✓ Branch 1 taken 1321 times.
 1939 if (plain_buf_)
403 618 free(plain_buf_);
404
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 1939 times.
 1939 if (pkcs7_buf_)
405 free(pkcs7_buf_);
406 1939 plain_buf_ = NULL;
407 1939 pkcs7_buf_ = NULL;
408 1939 plain_size_ = 0;
409 1939 pkcs7_size_ = 0;
410 1939 }
411
412
413 656 Whitelist::Whitelist(const string &fqrn,
414 download::DownloadManager *download_manager,
415 656 signature::SignatureManager *signature_manager)
416 656 : fqrn_(fqrn)
417 656 , download_manager_(download_manager)
418 656 , signature_manager_(signature_manager)
419 656 , plain_buf_(NULL)
420 656 , plain_size_(0)
421 656 , pkcs7_buf_(NULL)
422 656 , pkcs7_size_(0) {
423 656 Reset();
424 656 }
425
426
427 Whitelist::Whitelist(const Whitelist &other)
428 : fqrn_(other.fqrn_)
429 , download_manager_(other.download_manager_)
430 , signature_manager_(other.signature_manager_)
431 , status_(other.status_)
432 , fingerprints_(other.fingerprints_)
433 , expires_(other.expires_)
434 , verification_flags_(other.verification_flags_) {
435 other.CopyBuffers(&plain_size_, &plain_buf_, &pkcs7_size_, &pkcs7_buf_);
436 }
437
438
439 // Testing only
440 9 Whitelist::Whitelist()
441 9 : download_manager_(NULL)
442 9 , signature_manager_(NULL)
443 9 , status_(kStNone)
444 9 , expires_(0)
445 9 , verification_flags_(0)
446 9 , plain_buf_(NULL)
447 9 , plain_size_(0)
448 9 , pkcs7_buf_(NULL)
449 9 , pkcs7_size_(0) { }
450
451 Whitelist &Whitelist::operator=(const Whitelist &other) {
452 if (&other == this)
453 return *this;
454
455 Reset();
456 fqrn_ = other.fqrn_;
457 download_manager_ = other.download_manager_;
458 signature_manager_ = other.signature_manager_;
459 status_ = other.status_;
460 fingerprints_ = other.fingerprints_;
461 expires_ = other.expires_;
462 verification_flags_ = other.verification_flags_;
463 other.CopyBuffers(&plain_size_, &plain_buf_, &pkcs7_size_, &pkcs7_buf_);
464
465 return *this;
466 }
467
468
469 665 Whitelist::~Whitelist() { Reset(); }
470
471 } // namespace whitelist
472