diff --git a/src/database.c b/src/database.c index 425fb46..0f40ca5 100644 --- a/src/database.c +++ b/src/database.c @@ -1431,6 +1431,9 @@ static int apk_db_install_archive_entry(void *_ctx, const char *p; int r = 0, type = APK_SCRIPT_INVALID; + if (apk_sign_ctx_process_file(&ctx->sctx, ae, is) == 0) + return 0; + /* Package metainfo and script processing */ if (ae->name[0] == '.') { /* APK 2.0 format */ diff --git a/src/package.c b/src/package.c index 43018d7..3123834 100644 --- a/src/package.c +++ b/src/package.c @@ -346,15 +346,16 @@ void apk_sign_ctx_init(struct apk_sign_ctx *ctx, int action, } EVP_MD_CTX_init(&ctx->mdctx); EVP_DigestInit_ex(&ctx->mdctx, ctx->md, NULL); + EVP_MD_CTX_set_flags(&ctx->mdctx, EVP_MD_CTX_FLAG_ONESHOT); } - void apk_sign_ctx_free(struct apk_sign_ctx *ctx) { if (ctx->signature.data.ptr != NULL) free(ctx->signature.data.ptr); if (ctx->signature.pkey != NULL) EVP_PKEY_free(ctx->signature.pkey); + EVP_MD_CTX_cleanup(&ctx->mdctx); } int apk_sign_ctx_process_file(struct apk_sign_ctx *ctx, @@ -468,15 +469,19 @@ int apk_sign_ctx_mpart_cb(void *ctx, int part, apk_blob_t data) goto update_digest; /* Still in signature blocks? */ - if (!sctx->control_started) + if (!sctx->control_started) { + if (part == APK_MPART_END) + return -EKEYREJECTED; goto reset_digest; + } /* Grab state and mark all remaining block as data */ end_of_control = (sctx->data_started == 0); sctx->data_started = 1; /* End of control-block and control does not have data checksum? */ - if (sctx->has_data_checksum == 0 && end_of_control) + if (sctx->has_data_checksum == 0 && end_of_control && + part != APK_MPART_END) goto update_digest; /* Drool in the remaining of the digest block now, we will finish @@ -542,7 +547,6 @@ int apk_sign_ctx_mpart_cb(void *ctx, int part, apk_blob_t data) sctx->identity.type = EVP_MD_CTX_size(&sctx->mdctx); EVP_DigestFinal_ex(&sctx->mdctx, sctx->identity.data, NULL); } - reset_digest: EVP_DigestInit_ex(&sctx->mdctx, sctx->md, NULL); EVP_MD_CTX_set_flags(&sctx->mdctx, EVP_MD_CTX_FLAG_ONESHOT);