db, audit: audit symlinks (by hash of the link target)

5 files changed, 34 insertions, 10 deletions

diff --git a/src/add.c b/src/add.c
index cb4c1eb..f287b24 100644
--- a/src/add.c
+++ b/src/add.c
@@ -77,7 +77,7 @@ static int add_main(void *ctx, struct apk_database *db, int argc, char **argv)
 		}
 		virtpkg->name = apk_db_get_name(db, APK_BLOB_STR(actx->virtpkg));
 		apk_blob_checksum(APK_BLOB_STR(virtpkg->name->name),
-				  apk_default_checksum(), &virtpkg->csum);
+				  apk_checksum_default(), &virtpkg->csum);
 		virtpkg->version = strdup("0");
 		virtpkg->description = strdup("virtual meta package");
 		apk_dep_from_pkg(&virtdep, db, virtpkg);
diff --git a/src/apk_blob.h b/src/apk_blob.h
index 68b8f7c..06cd8b2 100644
--- a/src/apk_blob.h
+++ b/src/apk_blob.h
@@ -27,6 +27,7 @@ typedef int (*apk_blob_cb)(void *ctx, apk_blob_t blob);
 #define APK_CHECKSUM_NONE	0
 #define APK_CHECKSUM_MD5	16
 #define APK_CHECKSUM_SHA1	20
+#define APK_CHECKSUM_DEFAULT	APK_CHECKSUM_SHA1
 
 /* Internal cointainer for MD5 or SHA1 */
 struct apk_checksum {
@@ -34,12 +35,7 @@ struct apk_checksum {
 	unsigned char type;
 };
 
-static inline const EVP_MD *apk_default_checksum(void)
-{
-	return EVP_sha1();
-}
-
-static inline const EVP_MD *apk_get_digest(int type)
+static inline const EVP_MD *apk_checksum_evp(int type)
 {
 	switch (type) {
 	case APK_CHECKSUM_MD5:
@@ -50,6 +46,11 @@ static inline const EVP_MD *apk_get_digest(int type)
 	return EVP_md_null();
 }
 
+static inline const EVP_MD *apk_checksum_default(void)
+{
+	return apk_checksum_evp(APK_CHECKSUM_DEFAULT);
+}
+
 #define APK_BLOB_IS_NULL(blob)		((blob).ptr == NULL)
 
 #define APK_BLOB_NULL			((apk_blob_t){0, NULL})
diff --git a/src/archive.c b/src/archive.c
index 8ace1e1..de141b6 100644
--- a/src/archive.c
+++ b/src/archive.c
@@ -205,7 +205,7 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
 			/* callback parser function */
 			if (teis.csum != NULL)
 				EVP_DigestInit_ex(&teis.mdctx,
-						  apk_default_checksum(), NULL);
+						  apk_checksum_default(), NULL);
 
 			r = parser(ctx, &entry, &teis.is);
 			free(entry.name);
diff --git a/src/database.c b/src/database.c
index b3845d5..0348ef5 100644
--- a/src/database.c
+++ b/src/database.c
@@ -1319,7 +1319,7 @@ int apk_db_add_repository(apk_database_t _db, apk_blob_t repository)
 	if (apk_url_local_file(repo->url) == NULL) {
 		char cacheitem[PATH_MAX];
 
-		apk_blob_checksum(repository, apk_default_checksum(), &repo->csum);
+		apk_blob_checksum(repository, apk_checksum_default(), &repo->csum);
 
 		if (apk_flags & APK_UPDATE_CACHE)
 			apk_repository_update(db, repo);
@@ -1567,6 +1567,16 @@ static int apk_db_install_archive_entry(void *_ctx,
 				struct apk_db_dir_instance *ldiri;
 				struct hlist_node *n;
 
+				if (S_ISLNK(ae->mode)) {
+					EVP_Digest(ae->link_target,
+						   strlen(ae->link_target),
+						   file->csum.data, NULL,
+						   apk_checksum_default(),
+						   NULL);
+					file->csum.type = APK_CHECKSUM_DEFAULT;
+					break;
+				}
+
 				if (!apk_blob_rsplit(APK_BLOB_STR(ae->link_target),
 						     '/', &bdir, &bfile))
 					break;
diff --git a/src/io.c b/src/io.c
index 50da3da..1b25355 100644
--- a/src/io.c
+++ b/src/io.c
@@ -488,12 +488,25 @@ int apk_file_get_info(int atfd, const char *filename, unsigned int flags,
 	if (checksum == APK_CHECKSUM_NONE)
 		return 0;
 
+	if ((flags & APK_FI_NOFOLLOW) && S_ISLNK(st.st_mode)) {
+		char *target = alloca(st.st_size);
+		if (target == NULL)
+			return -ENOMEM;
+		if (readlinkat(atfd, filename, target, st.st_size) < 0)
+			return -errno;
+
+		EVP_Digest(target, st.st_size, fi->csum.data, NULL,
+			   apk_checksum_evp(checksum), NULL);
+		fi->csum.type = checksum;
+		return 0;
+	}
+
 	bs = apk_bstream_from_file(atfd, filename);
 	if (bs != NULL) {
 		EVP_MD_CTX mdctx;
 		apk_blob_t blob;
 
-		EVP_DigestInit(&mdctx, apk_get_digest(checksum));
+		EVP_DigestInit(&mdctx, apk_checksum_evp(checksum));
 		if (bs->flags & APK_BSTREAM_SINGLE_READ)
 			EVP_MD_CTX_set_flags(&mdctx, EVP_MD_CTX_FLAG_ONESHOT);
 		while (!APK_BLOB_IS_NULL(blob = bs->read(bs, APK_BLOB_NULL)))