GCC Code Coverage Report

Directory: cvmfs/
File: cvmfs/whitelist.cc
Date: 2024-04-28 02:33:07
Exec Total Coverage
Lines: 184 273 67.4%
Branches: 120 286 42.0%
Line Branch Exec Source
1 /**
2 * This file is part of the CernVM File System.
3 */
4
5 #include "cvmfs_config.h"
6 #include "whitelist.h"
7
8 #include <algorithm>
9 #include <cassert>
10 #include <cstring>
11 #include <ctime>
12
13 #include "crypto/signature.h"
14 #include "network/download.h"
15 #include "util/logging.h"
16 #include "util/smalloc.h"
17 #include "util/string.h"
18
19 using namespace std; // NOLINT
20
21 namespace whitelist {
22
23 const int Whitelist::kFlagVerifyRsa = 0x01;
24 const int Whitelist::kFlagVerifyPkcs7 = 0x02;
25 const int Whitelist::kFlagVerifyCaChain = 0x04;
26
27
28 21 void Whitelist::CopyBuffers(unsigned *plain_size, unsigned char **plain_buf,
29 unsigned *pkcs7_size, unsigned char **pkcs7_buf)
30 const
31 {
32 21 *plain_size = plain_size_;
33 21 *pkcs7_size = pkcs7_size_;
34 21 *plain_buf = NULL;
35 21 *pkcs7_buf = NULL;
36
1/2
✓ Branch 0 taken 21 times.
✗ Branch 1 not taken.
 21 if (plain_size_ > 0) {
37 21 *plain_buf = reinterpret_cast<unsigned char *>(smalloc(plain_size_));
38 21 memcpy(*plain_buf, plain_buf_, plain_size_);
39 }
40
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 21 times.
 21 if (pkcs7_size_ > 0) {
41 *pkcs7_buf = reinterpret_cast<unsigned char *>(smalloc(pkcs7_size_));
42 memcpy(*pkcs7_buf, pkcs7_buf_, pkcs7_size_);
43 }
44 21 }
45
46
47 3 std::string Whitelist::CreateString(
48 const std::string &fqrn,
49 int validity_days,
50 shash::Algorithms hash_algorithm,
51 signature::SignatureManager *signature_manager)
52 {
53 std::string to_sign =
54
3/6
✓ Branch 2 taken 3 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 3 times.
✗ Branch 6 not taken.
✓ Branch 8 taken 3 times.
✗ Branch 9 not taken.
 6 WhitelistTimestamp(time(NULL)) + "\n" +
55
4/8
✓ Branch 2 taken 3 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 3 times.
✗ Branch 6 not taken.
✓ Branch 8 taken 3 times.
✗ Branch 9 not taken.
✓ Branch 11 taken 3 times.
✗ Branch 12 not taken.
 12 "E" + WhitelistTimestamp(time(NULL) + validity_days * 24 * 3600) + "\n" +
56
3/6
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 3 times.
✗ Branch 5 not taken.
✓ Branch 7 taken 3 times.
✗ Branch 8 not taken.
 6 "N" + fqrn + "\n" +
57
2/4
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 3 times.
✗ Branch 5 not taken.
 6 signature_manager->FingerprintCertificate(hash_algorithm) + "\n";
58
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 shash::Any hash(hash_algorithm);
59
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 shash::HashString(to_sign, &hash);
60
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 std::string hash_str = hash.ToString();
61
62
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 std::string whitelist(to_sign);
63
3/6
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 3 times.
✗ Branch 5 not taken.
✓ Branch 7 taken 3 times.
✗ Branch 8 not taken.
 3 whitelist += "--\n" + hash_str + "\n";
64 unsigned char *signature;
65 unsigned signature_size;
66
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 bool retval = signature_manager->SignRsa(
67 3 reinterpret_cast<const unsigned char *>(hash_str.data()), hash_str.length(),
68 &signature, &signature_size);
69
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 3 times.
 3 assert(retval);
70
2/4
✓ Branch 2 taken 3 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 3 times.
✗ Branch 6 not taken.
 3 whitelist += std::string(reinterpret_cast<char *>(signature), signature_size);
71 3 free(signature);
72
73 6 return whitelist;
74 3 }
75
76
77 1 std::string Whitelist::ExportString() const {
78
1/4
✗ Branch 0 not taken.
✓ Branch 1 taken 1 times.
✗ Branch 4 not taken.
✗ Branch 5 not taken.
 1 if (plain_buf_ == NULL) return "";
79
1/2
✓ Branch 2 taken 1 times.
✗ Branch 3 not taken.
 1 return std::string(reinterpret_cast<char *>(plain_buf_), plain_size_);
80 }
81
82
83 time_t Whitelist::expires() const {
84 assert(status_ == kStAvailable);
85 return expires_;
86 }
87
88
89 bool Whitelist::IsExpired() const {
90 assert(status_ == kStAvailable);
91 return time(NULL) > expires_;
92 }
93
94
95 23 Failures Whitelist::VerifyLoadedCertificate() const {
96
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
 23 assert(status_ == kStAvailable);
97
98
1/2
✓ Branch 1 taken 23 times.
✗ Branch 2 not taken.
 23 vector<string> blacklist = signature_manager_->GetBlacklist();
99
2/2
✓ Branch 1 taken 3 times.
✓ Branch 2 taken 21 times.
 24 for (unsigned i = 0; i < blacklist.size(); ++i) {
100 shash::Any this_hash =
101
1/2
✓ Branch 2 taken 3 times.
✗ Branch 3 not taken.
 3 signature::SignatureManager::MkFromFingerprint(blacklist[i]);
102
2/2
✓ Branch 1 taken 1 times.
✓ Branch 2 taken 2 times.
 3 if (this_hash.IsNull())
103 1 continue;
104
105 2 shash::Algorithms algorithm = this_hash.algorithm;
106
2/5
✓ Branch 1 taken 2 times.
✗ Branch 2 not taken.
✗ Branch 3 not taken.
✓ Branch 4 taken 2 times.
✗ Branch 5 not taken.
 2 if (this_hash == signature_manager_->HashCertificate(algorithm))
107 2 return kFailBlacklisted;
108 }
109
110
1/2
✓ Branch 1 taken 21 times.
✗ Branch 2 not taken.
 21 for (unsigned i = 0; i < fingerprints_.size(); ++i) {
111 21 shash::Algorithms algorithm = fingerprints_[i].algorithm;
112
2/5
✓ Branch 2 taken 21 times.
✗ Branch 3 not taken.
✗ Branch 4 not taken.
✓ Branch 5 taken 21 times.
✗ Branch 6 not taken.
 21 if (signature_manager_->HashCertificate(algorithm) == fingerprints_[i]) {
113
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 21 times.
 21 if (verification_flags_ & kFlagVerifyCaChain) {
114 bool retval = signature_manager_->VerifyCaChain();
115 if (!retval)
116 return kFailBadCaChain;
117 }
118 21 return kFailOk;
119 }
120 }
121 return kFailNotListed;
122 23 }
123
124
125 /**
126 * Expects whitelist to be loaded into plain_buf_ / plain_size_ and already
127 * parsed so that verification_flags_ is set
128 */
129 25 Failures Whitelist::VerifyWhitelist() {
130 bool retval_b;
131 whitelist::Failures retval_wl;
132
133
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25 times.
 25 assert(verification_flags_ != 0);
134
135
1/2
✓ Branch 0 taken 25 times.
✗ Branch 1 not taken.
 25 if (verification_flags_ & kFlagVerifyRsa) {
136 25 retval_b = signature_manager_->VerifyLetter(plain_buf_, plain_size_, true);
137
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25 times.
 25 if (!retval_b) {
138 LogCvmfs(kLogCvmfs, kLogDebug, "failed to verify repository whitelist");
139 return kFailBadSignature;
140 }
141 }
142
143
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 25 times.
 25 if (verification_flags_ & kFlagVerifyPkcs7) {
144 unsigned char *extracted_whitelist;
145 unsigned extracted_whitelist_size;
146 vector<string> alt_uris;
147 retval_b =
148 signature_manager_->VerifyPkcs7(pkcs7_buf_, pkcs7_size_,
149 &extracted_whitelist,
150 &extracted_whitelist_size,
151 &alt_uris);
152 if (!retval_b) {
153 LogCvmfs(kLogCvmfs, kLogDebug,
154 "failed to verify repository whitelist (pkcs#7): %s",
155 signature_manager_->GetCryptoError().c_str());
156 return kFailBadPkcs7;
157 }
158
159 // Check for subject alternative name matching the repository name
160 bool found_uri = false;
161 for (unsigned i = 0; i < alt_uris.size(); ++i) {
162 LogCvmfs(kLogSignature, kLogDebug, "found pkcs#7 signer uri %s",
163 alt_uris[i].c_str());
164 if (alt_uris[i] == "cvmfs:" + fqrn_) {
165 found_uri = true;
166 break;
167 }
168 }
169 if (!found_uri) {
170 LogCvmfs(kLogCvmfs, kLogDebug,
171 "failed to find whitelist signer with SAN/URI cvmfs:%s",
172 fqrn_.c_str());
173 free(extracted_whitelist);
174 return kFailBadSignaturePkcs7;
175 }
176
177 // Check once again the extracted whitelist
178 Reset();
179 LogCvmfs(kLogCvmfs, kLogDebug, "Extracted pkcs#7 whitelist:\n%s",
180 string(reinterpret_cast<char *>(extracted_whitelist),
181 extracted_whitelist_size).c_str());
182 retval_wl = ParseWhitelist(extracted_whitelist, extracted_whitelist_size);
183 if (retval_wl != kFailOk) {
184 LogCvmfs(kLogCvmfs, kLogDebug,
185 "failed to verify repository certificate against pkcs#7 "
186 "whitelist");
187 return kFailMalformedPkcs7;
188 }
189 }
190
191 25 status_ = kStAvailable;
192 25 return kFailOk;
193 }
194
195
196 4 Failures Whitelist::LoadMem(const std::string &whitelist) {
197 Failures retval_wl;
198
199 4 Reset();
200
201 4 plain_size_ = whitelist.length();
202 4 plain_buf_ = reinterpret_cast<unsigned char *>(smalloc(plain_size_));
203 4 memcpy(plain_buf_, whitelist.data(), plain_size_);
204
205 4 retval_wl = ParseWhitelist(plain_buf_, plain_size_);
206
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 2 times.
 4 if (retval_wl != kFailOk)
207 2 return retval_wl;
208 // TODO(jblomer): PKCS7 verification unsupported when loading from memory
209
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 2 times.
 2 if (verification_flags_ & kFlagVerifyPkcs7)
210 return kFailLoadPkcs7;
211
212 2 return VerifyWhitelist();
213 }
214
215
216 23 Failures Whitelist::LoadUrl(const std::string &base_url) {
217 23 const bool probe_hosts = base_url == "";
218 download::Failures retval_dl;
219 Failures retval_wl;
220
221 23 Reset();
222
223
2/4
✓ Branch 2 taken 23 times.
✗ Branch 3 not taken.
✓ Branch 5 taken 23 times.
✗ Branch 6 not taken.
 46 const string whitelist_url = base_url + string("/.cvmfswhitelist");
224 23 cvmfs::MemSink whitelist_memsink;
225 download::JobInfo download_whitelist(&whitelist_url, false, probe_hosts, NULL,
226
1/2
✓ Branch 1 taken 23 times.
✗ Branch 2 not taken.
 23 &whitelist_memsink);
227
1/2
✓ Branch 1 taken 23 times.
✗ Branch 2 not taken.
 23 retval_dl = download_manager_->Fetch(&download_whitelist);
228
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
 23 if (retval_dl != download::kFailOk)
229 return kFailLoad;
230 23 plain_size_ = whitelist_memsink.pos();
231
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
 23 if (plain_size_ == 0)
232 return kFailEmpty;
233 23 whitelist_memsink.Release();
234 23 plain_buf_ = whitelist_memsink.data();
235
236
1/2
✓ Branch 1 taken 23 times.
✗ Branch 2 not taken.
 23 retval_wl = ParseWhitelist(plain_buf_, plain_size_);
237
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
 23 if (retval_wl != kFailOk)
238 return retval_wl;
239
240
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 23 times.
 23 if (verification_flags_ & kFlagVerifyPkcs7) {
241 // Load the separate whitelist pkcs7 structure
242 const string whitelist_pkcs7_url =
243 base_url + string("cvmfswhitelist.pkcs7");
244 cvmfs::MemSink pkcs7_memsink;
245 download::JobInfo download_whitelist_pkcs7(&whitelist_pkcs7_url, false,
246 probe_hosts, NULL, &pkcs7_memsink);
247 retval_dl = download_manager_->Fetch(&download_whitelist_pkcs7);
248 if (retval_dl != download::kFailOk)
249 return kFailLoadPkcs7;
250 pkcs7_size_ = pkcs7_memsink.pos();
251 if (pkcs7_size_ == 0)
252 return kFailEmptyPkcs7;
253 pkcs7_memsink.Release();
254 pkcs7_buf_ = pkcs7_memsink.data();
255 }
256
257
1/2
✓ Branch 1 taken 23 times.
✗ Branch 2 not taken.
 23 return VerifyWhitelist();
258 23 }
259
260
261 /**
262 * Helps for the time being with whitelists valid until after Y2038 on 32 bit
263 * systems.
264 */
265 31 bool Whitelist::IsBefore(time_t now, const struct tm &t_whitelist) {
266 struct tm t_local;
267
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 31 times.
 31 if (gmtime_r(&now, &t_local) == NULL)
268 return false;
269
2/2
✓ Branch 0 taken 16 times.
✓ Branch 1 taken 15 times.
 31 if (t_local.tm_year < t_whitelist.tm_year) return true;
270
2/2
✓ Branch 0 taken 1 times.
✓ Branch 1 taken 14 times.
 15 if (t_local.tm_year > t_whitelist.tm_year) return false;
271
2/2
✓ Branch 0 taken 7 times.
✓ Branch 1 taken 7 times.
 14 if (t_local.tm_mon < t_whitelist.tm_mon) return true;
272
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 7 times.
 7 if (t_local.tm_mon > t_whitelist.tm_mon) return false;
273
2/2
✓ Branch 0 taken 3 times.
✓ Branch 1 taken 4 times.
 7 if (t_local.tm_mday < t_whitelist.tm_mday) return true;
274
2/2
✓ Branch 0 taken 2 times.
✓ Branch 1 taken 2 times.
 4 if (t_local.tm_mday > t_whitelist.tm_mday) return false;
275
1/2
✓ Branch 0 taken 2 times.
✗ Branch 1 not taken.
 2 if (t_local.tm_hour < t_whitelist.tm_hour) return true;
276 return false;
277 }
278
279
280 33 Failures Whitelist::ParseWhitelist(const unsigned char *whitelist,
281 const unsigned whitelist_size)
282 {
283 33 time_t local_timestamp = time(NULL);
284 33 string line;
285 33 unsigned payload_bytes = 0;
286 33 bool verify_pkcs7 = false;
287 33 bool verify_cachain = false;
288
289 // Check timestamp (UTC), ignore issue date (legacy)
290
1/2
✓ Branch 1 taken 33 times.
✗ Branch 2 not taken.
 33 line = GetLineMem(reinterpret_cast<const char *>(whitelist), whitelist_size);
291
2/2
✓ Branch 1 taken 1 times.
✓ Branch 2 taken 32 times.
 33 if (line.length() != 14) {
292
1/2
✓ Branch 1 taken 1 times.
✗ Branch 2 not taken.
 1 LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp format");
293 1 return kFailMalformed;
294 }
295 32 payload_bytes += 15;
296
297 // Expiry date
298 32 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
299
1/2
✓ Branch 1 taken 32 times.
✗ Branch 2 not taken.
 32 whitelist_size-payload_bytes);
300
2/2
✓ Branch 1 taken 1 times.
✓ Branch 2 taken 31 times.
 32 if (line.length() != 15) {
301
1/2
✓ Branch 1 taken 1 times.
✗ Branch 2 not taken.
 1 LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp format");
302 1 return kFailMalformed;
303 }
304 struct tm tm_wl;
305 31 memset(&tm_wl, 0, sizeof(struct tm));
306
2/4
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 31 times.
✗ Branch 5 not taken.
 31 tm_wl.tm_year = String2Int64(line.substr(1, 4))-1900;
307
2/4
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 31 times.
✗ Branch 5 not taken.
 31 tm_wl.tm_mon = String2Int64(line.substr(5, 2)) - 1;
308
2/4
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 31 times.
✗ Branch 5 not taken.
 31 tm_wl.tm_mday = String2Int64(line.substr(7, 2));
309
2/4
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 31 times.
✗ Branch 5 not taken.
 31 tm_wl.tm_hour = String2Int64(line.substr(9, 2));
310 31 tm_wl.tm_min = tm_wl.tm_sec = 0; // exact on hours level
311 31 time_t timestamp = timegm(&tm_wl);
312
1/2
✓ Branch 2 taken 31 times.
✗ Branch 3 not taken.
 31 LogCvmfs(kLogSignature, kLogDebug,
313 "whitelist UTC expiry timestamp in localtime: %s",
314
1/2
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
 62 StringifyTime(timestamp, false).c_str());
315
1/2
✓ Branch 2 taken 31 times.
✗ Branch 3 not taken.
 31 LogCvmfs(kLogSignature, kLogDebug, "local time: %s",
316
1/2
✓ Branch 1 taken 31 times.
✗ Branch 2 not taken.
 62 StringifyTime(local_timestamp, true).c_str());
317 // Makeshift solution to deal with whitelists valid after Y2038 on 32bit
318 // machines. Still unclear how glibc is going to treat the problem.
319
2/2
✓ Branch 1 taken 3 times.
✓ Branch 2 taken 28 times.
 31 if (!IsBefore(local_timestamp, tm_wl)) {
320
1/2
✓ Branch 1 taken 3 times.
✗ Branch 2 not taken.
 3 LogCvmfs(kLogSignature, kLogDebug | kLogSyslogErr,
321 "whitelist lifetime verification failed, expired");
322 3 return kFailExpired;
323 }
324 // if (timestamp < 0) {
325 // LogCvmfs(kLogSignature, kLogDebug, "invalid timestamp");
326 // return kFailMalformed;
327 // }
328 // if (local_timestamp > timestamp) {
329 // LogCvmfs(kLogSignature, kLogDebug | kLogSyslogErr,
330 // "whitelist lifetime verification failed, expired");
331 // return kFailExpired;
332 // }
333 28 expires_ = timestamp;
334 28 payload_bytes += 16;
335
336 // Check repository name
337 28 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
338
1/2
✓ Branch 1 taken 28 times.
✗ Branch 2 not taken.
 28 whitelist_size-payload_bytes);
339
7/14
✓ Branch 1 taken 28 times.
✗ Branch 2 not taken.
✓ Branch 4 taken 28 times.
✗ Branch 5 not taken.
✗ Branch 6 not taken.
✓ Branch 7 taken 2 times.
✓ Branch 8 taken 26 times.
✓ Branch 9 taken 28 times.
✗ Branch 10 not taken.
✗ Branch 11 not taken.
✓ Branch 12 taken 2 times.
✓ Branch 13 taken 26 times.
✗ Branch 14 not taken.
✗ Branch 15 not taken.
 28 if ((fqrn_ != "") && ("N" + fqrn_ != line)) {
340
1/2
✓ Branch 3 taken 2 times.
✗ Branch 4 not taken.
 2 LogCvmfs(kLogSignature, kLogDebug,
341 "repository name on the whitelist does not match "
342 "(found %s, expected %s)",
343 line.c_str(), fqrn_.c_str());
344 2 return kFailNameMismatch;
345 }
346 26 payload_bytes += line.length() + 1;
347
348 // Check for PKCS7
349 26 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
350
1/2
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
 26 whitelist_size-payload_bytes);
351
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 26 times.
 26 if (line == "Vpkcs7") {
352 LogCvmfs(kLogSignature, kLogDebug, "whitelist verification: pkcs#7");
353 verify_pkcs7 = true;
354 payload_bytes += line.length() + 1;
355 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
356 whitelist_size-payload_bytes);
357 }
358
359 // Check for CA chain verification
360 26 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
361
1/2
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
 26 whitelist_size-payload_bytes);
362
1/2
✗ Branch 1 not taken.
✓ Branch 2 taken 26 times.
 26 if (line == "Wcachain") {
363 LogCvmfs(kLogSignature, kLogDebug,
364 "whitelist imposes ca chain verification of manifest signature");
365 verify_cachain = true;
366 payload_bytes += line.length() + 1;
367 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
368 whitelist_size-payload_bytes);
369 }
370
371 do {
372
2/2
✓ Branch 1 taken 25 times.
✓ Branch 2 taken 26 times.
 51 if (line == "--") break;
373
1/2
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
 26 shash::Any this_hash = signature::SignatureManager::MkFromFingerprint(line);
374
2/2
✓ Branch 1 taken 25 times.
✓ Branch 2 taken 1 times.
 26 if (!this_hash.IsNull())
375
1/2
✓ Branch 1 taken 25 times.
✗ Branch 2 not taken.
 25 fingerprints_.push_back(this_hash);
376
377 26 payload_bytes += line.length() + 1;
378 26 line = GetLineMem(reinterpret_cast<const char *>(whitelist)+payload_bytes,
379
1/2
✓ Branch 1 taken 26 times.
✗ Branch 2 not taken.
 26 whitelist_size-payload_bytes);
380
2/2
✓ Branch 0 taken 25 times.
✓ Branch 1 taken 1 times.
 26 } while (payload_bytes < whitelist_size);
381
382
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 26 times.
 26 verification_flags_ = verify_pkcs7 ? kFlagVerifyPkcs7 : kFlagVerifyRsa;
383
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 26 times.
 26 if (verify_cachain)
384 verification_flags_ |= kFlagVerifyCaChain;
385 26 return kFailOk;
386 33 }
387
388
389 86 void Whitelist::Reset() {
390 86 status_ = kStNone;
391 86 fingerprints_.clear();
392 86 expires_ = 0;
393 86 verification_flags_ = 0;
394
2/2
✓ Branch 0 taken 27 times.
✓ Branch 1 taken 59 times.
 86 if (plain_buf_)
395 27 free(plain_buf_);
396
1/2
✗ Branch 0 not taken.
✓ Branch 1 taken 86 times.
 86 if (pkcs7_buf_)
397 free(pkcs7_buf_);
398 86 plain_buf_ = NULL;
399 86 pkcs7_buf_ = NULL;
400 86 plain_size_ = 0;
401 86 pkcs7_size_ = 0;
402 86 }
403
404
405 29 Whitelist::Whitelist(const string &fqrn,
406 download::DownloadManager *download_manager,
407 29 signature::SignatureManager *signature_manager) :
408 29 fqrn_(fqrn),
409 29 download_manager_(download_manager),
410 29 signature_manager_(signature_manager),
411 29 plain_buf_(NULL),
412 29 plain_size_(0),
413 29 pkcs7_buf_(NULL),
414 29 pkcs7_size_(0)
415 {
416 29 Reset();
417 29 }
418
419
420 Whitelist::Whitelist(const Whitelist &other) :
421 fqrn_(other.fqrn_),
422 download_manager_(other.download_manager_),
423 signature_manager_(other.signature_manager_),
424 status_(other.status_),
425 fingerprints_(other.fingerprints_),
426 expires_(other.expires_),
427 verification_flags_(other.verification_flags_)
428 {
429 other.CopyBuffers(&plain_size_, &plain_buf_, &pkcs7_size_, &pkcs7_buf_);
430 }
431
432
433 // Testing only
434 1 Whitelist::Whitelist()
435 1 : download_manager_(NULL)
436 1 , signature_manager_(NULL)
437 1 , status_(kStNone)
438 1 , expires_(0)
439 1 , verification_flags_(0)
440 1 , plain_buf_(NULL)
441 1 , plain_size_(0)
442 1 , pkcs7_buf_(NULL)
443 1 , pkcs7_size_(0)
444 {
445 1 }
446
447 Whitelist &Whitelist::operator= (const Whitelist &other) {
448 if (&other == this)
449 return *this;
450
451 Reset();
452 fqrn_ = other.fqrn_;
453 download_manager_ = other.download_manager_;
454 signature_manager_ = other.signature_manager_;
455 status_ = other.status_;
456 fingerprints_ = other.fingerprints_;
457 expires_ = other.expires_;
458 verification_flags_ = other.verification_flags_;
459 other.CopyBuffers(&plain_size_, &plain_buf_, &pkcs7_size_, &pkcs7_buf_);
460
461 return *this;
462 }
463
464
465 30 Whitelist::~Whitelist() {
466 30 Reset();
467 30 }
468
469 } // namespace whitelist
470