Move the Checksums module from virt-builder mostly as it is; the only change is that on checksum mismatch an exception is raised rather than invoking "error" directly: this way users of verify_checksum & verify_checksums can do their own handling of the situation. --- builder/Makefile.am | 2 -- builder/builder.ml | 6 +++++- builder/checksums.ml | 57 --------------------------------------------------- builder/checksums.mli | 33 ----------------------------- mllib/Makefile.am | 4 +++- mllib/checksums.ml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++ mllib/checksums.mli | 35 +++++++++++++++++++++++++++++++ 7 files changed, 99 insertions(+), 94 deletions(-) delete mode 100644 builder/checksums.ml delete mode 100644 builder/checksums.mli create mode 100644 mllib/checksums.ml create mode 100644 mllib/checksums.mli diff --git a/builder/Makefile.am b/builder/Makefile.am index 7983223..5977d8b 100644 --- a/builder/Makefile.am +++ b/builder/Makefile.am @@ -44,7 +44,6 @@ SOURCES_MLI = \ cache.mli \ cmdline.mli \ downloader.mli \ - checksums.mli \ index.mli \ index_parser.mli \ ini_reader.mli \ @@ -61,7 +60,6 @@ SOURCES_ML = \ utils.ml \ pxzcat.ml \ setlocale.ml \ - checksums.ml \ index.ml \ ini_reader.ml \ yajl.ml \ diff --git a/builder/builder.ml b/builder/builder.ml index fdbe659..799208a 100644 --- a/builder/builder.ml +++ b/builder/builder.ml @@ -307,7 +307,11 @@ let main () = match entry with (* New-style: Using a checksum. *) | { Index.checksums = Some csums } -> - Checksums.verify_checksums csums template + (try Checksums.verify_checksums csums template + with Checksums.Mismatched_checksum (csum, csum_actual) -> + error (f_"%s checksum of template did not match the expected checksum!\n found checksum: %s\n expected checksum: %s\nTry:\n - Use the '-v' option and look for earlier error messages.\n - Delete the cache: virt-builder --delete-cache\n - Check no one has tampered with the website or your network!") + (Checksums.string_of_csum_t csum) csum_actual (Checksums.string_of_csum csum) + ) | { Index.checksums = None } -> (* Old-style: detached signature. *) diff --git a/builder/checksums.ml b/builder/checksums.ml deleted file mode 100644 index c8cdc98..0000000 --- a/builder/checksums.ml +++ /dev/null @@ -1,57 +0,0 @@ -(* virt-builder - * Copyright (C) 2015 Red Hat Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - *) - -open Common_gettext.Gettext -open Common_utils - -open Utils - -open Printf - -type csum_t = -| SHA256 of string -| SHA512 of string - -let string_of_csum_t = function - | SHA256 _ -> "sha256" - | SHA512 _ -> "sha512" - -let string_of_csum = function - | SHA256 c -> c - | SHA512 c -> c - -let verify_checksum csum filename = - let prog, csum_ref = - match csum with - | SHA256 c -> "sha256sum", c - | SHA512 c -> "sha512sum", c - in - - let cmd = sprintf "%s %s" prog (quote filename) in - let lines = external_command cmd in - match lines with - | [] -> - error (f_"%s did not return any output") prog - | line :: _ -> - let csum_actual = fst (String.split " " line) in - if csum_ref <> csum_actual then - error (f_"%s checksum of template did not match the expected checksum!\n found checksum: %s\n expected checksum: %s\nTry:\n - Use the '-v' option and look for earlier error messages.\n - Delete the cache: virt-builder --delete-cache\n - Check no one has tampered with the website or your network!") - (string_of_csum_t csum) csum_actual csum_ref - -let verify_checksums checksums filename = - List.iter (fun c -> verify_checksum c filename) checksums diff --git a/builder/checksums.mli b/builder/checksums.mli deleted file mode 100644 index ef26634..0000000 --- a/builder/checksums.mli +++ /dev/null @@ -1,33 +0,0 @@ -(* virt-builder - * Copyright (C) 2015 Red Hat Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - *) - -type csum_t = -| SHA256 of string -| SHA512 of string - -val verify_checksum : csum_t -> string -> unit -(** Verify the checksum of the file. *) - -val verify_checksums : csum_t list -> string -> unit -(** Verify all the checksums of the file. *) - -val string_of_csum_t : csum_t -> string -(** Return a string representation of the checksum type. *) - -val string_of_csum : csum_t -> string -(** Return a string representation of the checksum value. *) diff --git a/mllib/Makefile.am b/mllib/Makefile.am index 489529a..f100b2f 100644 --- a/mllib/Makefile.am +++ b/mllib/Makefile.am @@ -27,6 +27,7 @@ EXTRA_DIST = \ test-getopt.sh SOURCES_MLI = \ + checksums.mli \ common_utils.mli \ curl.mli \ dev_t.mli \ @@ -60,7 +61,8 @@ SOURCES_ML = \ StatVFS.ml \ JSON.ml \ curl.ml \ - exit.ml + exit.ml \ + checksums.ml SOURCES_C = \ ../fish/decrypt.c \ diff --git a/mllib/checksums.ml b/mllib/checksums.ml new file mode 100644 index 0000000..918a1c2 --- /dev/null +++ b/mllib/checksums.ml @@ -0,0 +1,56 @@ +(* virt-builder + * Copyright (C) 2015 Red Hat Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + *) + +open Common_gettext.Gettext +open Common_utils + +open Printf + +type csum_t = +| SHA256 of string +| SHA512 of string + +exception Mismatched_checksum of (csum_t * string) + +let string_of_csum_t = function + | SHA256 _ -> "sha256" + | SHA512 _ -> "sha512" + +let string_of_csum = function + | SHA256 c -> c + | SHA512 c -> c + +let verify_checksum csum filename = + let prog, csum_ref = + match csum with + | SHA256 c -> "sha256sum", c + | SHA512 c -> "sha512sum", c + in + + let cmd = sprintf "%s %s" prog (Filename.quote filename) in + let lines = external_command cmd in + match lines with + | [] -> + error (f_"%s did not return any output") prog + | line :: _ -> + let csum_actual = fst (String.split " " line) in + if csum_ref <> csum_actual then + raise (Mismatched_checksum (csum, csum_actual)) + +let verify_checksums checksums filename = + List.iter (fun c -> verify_checksum c filename) checksums diff --git a/mllib/checksums.mli b/mllib/checksums.mli new file mode 100644 index 0000000..202bdd1 --- /dev/null +++ b/mllib/checksums.mli @@ -0,0 +1,35 @@ +(* virt-builder + * Copyright (C) 2015 Red Hat Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + *) + +type csum_t = +| SHA256 of string +| SHA512 of string + +exception Mismatched_checksum of (csum_t * string) (* expected checksum, got *) + +val verify_checksum : csum_t -> string -> unit +(** Verify the checksum of the file. *) + +val verify_checksums : csum_t list -> string -> unit +(** Verify all the checksums of the file. *) + +val string_of_csum_t : csum_t -> string +(** Return a string representation of the checksum type. *) + +val string_of_csum : csum_t -> string +(** Return a string representation of the checksum value. *) -- 2.7.4

Make use of the Checksums module to ease the verification of the SHA1 checksums in manifests. --- v2v/input_ova.ml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/v2v/input_ova.ml b/v2v/input_ova.ml index 4f848e2..5731a45 100644 --- a/v2v/input_ova.ml +++ b/v2v/input_ova.ml @@ -143,18 +143,11 @@ object if Str.string_match rex line 0 then ( let disk = Str.matched_group 1 line in let expected = Str.matched_group 2 line in - let cmd = sprintf "sha1sum %s" (quote (mf_folder // disk)) in - let out = external_command cmd in - match out with - | [] -> - error (f_"no output from sha1sum command, see previous errors") - | [line] -> - let actual, _ = String.split " " line in - if actual <> expected then - error (f_"checksum of disk %s does not match manifest %s (actual sha1(%s) = %s, expected sha1 (%s) = %s)") - disk mf disk actual disk expected; - debug "sha1 of %s matches expected checksum %s" disk expected - | _::_ -> error (f_"cannot parse output of sha1sum command") + let csum = Checksums.SHA1 expected in + try Checksums.verify_checksum csum (mf_folder // disk) + with Checksums.Mismatched_checksum (_, actual) -> + error (f_"checksum of disk %s does not match manifest %s (actual sha1(%s) = %s, expected sha1 (%s) = %s)") + disk mf disk actual disk expected; ) in (try loop () with End_of_file -> ());