Commit 75d3925c authored by Rafaël Carré's avatar Rafaël Carré
Browse files

don't duplicate sha1 hashes with strdup() (not \0 terminated)

update the release documentation, only supported signatures are v3 signatures (gpg 2.x generates v3 sigs by default, but not gpg 1.x)
parent 09db1d4c
......@@ -25,6 +25,7 @@
- copy the tar.gz and tar.bz2 file on ftp.videolan.org in
/opt/ftp/pub/videolan/testing/vlc-X.X.X/
- generate md5 hashes and gpg signature of these files
(use gpg --sign --detach --armor --force-v3-sigs)
* Contribs
- Put a copy of the libraries or svn snapshot in vlc-X.X.X/contrib
......@@ -37,6 +38,7 @@
Build in the "buildbeos" chroot on altair.
# add the .zip files to /opt/ftp/pub/videolan/testing/vlc-X.X.X/beos/
generate md5 hashes and gpg signature of these files
(use gpg --sign --detach --armor --force-v3-sigs)
* Win32 Packages
make the packages using the nightly builds configure/options/... , don't forget --enable-update-check
......@@ -44,10 +46,12 @@
kind of suxxs)
add the .zip and .exe files to /opt/ftp/pub/videolan/testing/vlc-X.X.X/win32/
generate md5 hashes and gpg signature of these files
(use gpg --sign --detach --armor --force-v3-sigs)
* OS X packages
configure with --enable-update-check
generate md5 hashes and gpg signature of these files
(use gpg --sign --detach --armor --force-v3-sigs)
* Commit changes ... it never works the first time
......
......@@ -22,7 +22,9 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
*****************************************************************************/
/*
* XXX: should use v4 signatures for binary files (already used for public key)
*/
/**
* \file
* This file contains functions related to VLC update management
......@@ -414,7 +416,12 @@ static int download_signature( vlc_object_t *p_this,
int i_bytes = pgp_unarmor( p_buf, i_size, (uint8_t*)p_sig, 65 );
free( p_buf );
if( i_bytes > 65 )
if( i_bytes == 0 )
{
msg_Dbg( p_this, "Unarmoring failed" );
return VLC_EGENERIC;
}
else if( i_bytes > 65 )
{
msg_Dbg( p_this, "Signature is too big: %d bytes", i_bytes );
return VLC_EGENERIC;
......@@ -424,7 +431,8 @@ static int download_signature( vlc_object_t *p_this,
int i_r_len = mpi_len( p_sig->r );
if( i_r_len > 20 )
{
msg_Dbg( p_this, "Signature invalid" );
msg_Dbg( p_this, "Invalid signature, r number too big: %d bytes",
i_r_len );
return VLC_EGENERIC;
}
else if( i_r_len < 20 )
......@@ -667,8 +675,10 @@ static uint8_t *hash_sha1_from_file( const char *psz_file,
fclose( f );
gcry_md_final( hd );
uint8_t *p_hash = (uint8_t*) gcry_md_read( hd, GCRY_MD_SHA1);
p_hash = strdup( p_hash );
uint8_t *p_tmp = (uint8_t*) gcry_md_read( hd, GCRY_MD_SHA1);
uint8_t *p_hash = malloc( 20 );
if( p_hash )
memcpy( p_hash, p_tmp, 20 );
gcry_md_close( hd );
return p_hash;
}
......@@ -801,16 +811,19 @@ static uint8_t *key_sign_hash( public_key_t *p_pkey )
gcry_md_final( hd );
uint8_t *p_hash = gcry_md_read( hd, GCRY_MD_SHA1);
uint8_t *p_tmp = gcry_md_read( hd, GCRY_MD_SHA1);
if( p_hash[0] != p_pkey->sig.hash_verification[0] ||
p_hash[1] != p_pkey->sig.hash_verification[1] )
if( !p_tmp ||
p_tmp[0] != p_pkey->sig.hash_verification[0] ||
p_tmp[1] != p_pkey->sig.hash_verification[1] )
{
gcry_md_close( hd );
return NULL;
}
p_hash = strdup( p_hash );
uint8_t *p_hash = malloc( 20 );
if( p_hash )
memcpy( p_hash, p_tmp, 20 );
gcry_md_close( hd );
return p_hash;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment