source: trunk/src/sh_gpg.c@ 93

Last change on this file since 93 was 87, checked in by rainer, 18 years ago

Fixed compile failure if --with-fp is used.

File size: 29.9 KB
RevLine 
[1]1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999, 2000 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#include "config_xor.h"
21
22#include <stdio.h>
23#include <stdlib.h>
24
25
26#if defined(WITH_GPG) || defined(WITH_PGP)
27
28#include <unistd.h>
29#include <fcntl.h>
30#include <signal.h>
31#if defined(SH_WITH_SERVER)
32#include <pwd.h>
33#endif
34#include <sys/stat.h>
35#include <sys/types.h>
36#include <errno.h>
37#include <sys/wait.h>
38
39#include <string.h>
40#ifdef HAVE_MEMORY_H
41#include <memory.h>
42#endif
43
44
45#if !defined(O_NONBLOCK)
46#if defined(O_NDELAY)
47#define O_NONBLOCK O_NDELAY
48#else
49#define O_NONBLOCK 0
50#endif
51#endif
52
53
54#include "samhain.h"
55#include "sh_utils.h"
56#include "sh_error.h"
57#include "sh_tiger.h"
58#if defined(SH_WITH_SERVER)
59#define SH_NEED_PWD_GRP 1
60#include "sh_static.h"
61#endif
62
63static struct {
64 char conf_id[SH_MINIBUF+1];
65 char conf_fp[SH_MINIBUF+1];
66 char data_id[SH_MINIBUF+1];
67 char data_fp[SH_MINIBUF+1];
68} gp;
69
70typedef struct {
71 pid_t pid;
72 FILE * pipe;
73} sh_gpg_popen_t;
74
75#define SH_GPG_OK 0
76#define SH_GPG_BAD 1
77#define SH_GPG_BADSIGN 2
78
79/* replace #if 0 by #if 1 and set an appropriate path in front of '/pdbg.'
80 * for debugging
81 */
82#if 0
83#define PDGBFILE "/pdbg."
84#endif
85
86#if defined(PDGBFILE)
87FILE * pdbg;
88FILE * pdbgc;
89#define PDBG_OPEN pdbg = fopen(PDGBFILE"main", "a")
90#define PDBG_CLOSE fclose (pdbg)
91#define PDBG(arg) fprintf(pdbg, "PDBG: step %d\n", arg); fflush(pdbg)
92#define PDBG_D(arg) fprintf(pdbg, "PDBG: %d\n", arg); fflush(pdbg)
93#define PDBG_S(arg) fprintf(pdbg, "PDBG: %s\n", arg); fflush(pdbg)
94
95#define PDBGC_OPEN pdbgc = fopen(PDGBFILE"child", "a")
96#define PDBGC_CLOSE fclose (pdbgc)
97#define PDBGC(arg) fprintf(pdbgc, "PDBG: step %d\n", arg); fflush(pdbgc)
98#define PDBGC_D(arg) fprintf(pdbgc, "PDBG: %d\n", arg); fflush(pdbgc)
99#define PDBGC_S(arg) fprintf(pdbgc, "PDBG: %s\n", arg); fflush(pdbgc)
100#else
101#define PDBG_OPEN
102#define PDBG_CLOSE
103#define PDBG(arg)
104#define PDBG_D(arg)
105#define PDBG_S(arg)
106#define PDBGC_OPEN
107#define PDBGC_CLOSE
108#define PDBGC(arg)
109#define PDBGC_D(arg)
110#define PDBGC_S(arg)
111#endif
112
113#undef FIL__
114#define FIL__ _("sh_gpg.c")
115
116#ifdef GPG_HASH
[86]117
[1]118static int sh_gpg_checksum (SL_TICKET checkfd, int flag)
119{
120 char * test_gpg;
121 char * test_ptr1 = NULL;
122 char * test_ptr2 = NULL;
123 char wstrip1[128];
124 char wstrip2[128];
125 int i, k;
126#include "sh_gpg_chksum.h"
127
128 SL_ENTER(_("sh_gpg_checksum"));
129
130 tiger_fd = checkfd;
131#if defined(WITH_PGP)
132 test_gpg = sh_tiger_hash_gpg (DEFAULT_PGP_PATH, TIGER_FD, 0);
133#else
134 test_gpg = sh_tiger_hash_gpg (DEFAULT_GPG_PATH, TIGER_FD, 0);
135#endif
136
137 test_ptr1 = strchr(GPG_HASH, ':');
138 if (test_gpg != NULL)
139 test_ptr2 = strchr(test_gpg, ':');
140
141 if (test_ptr2 != NULL)
142 test_ptr2 += 2;
143 else
144 test_ptr2 = test_gpg;
145 if (test_ptr1 != NULL)
146 test_ptr1 += 2;
147 else
148 test_ptr1 = GPG_HASH;
149
150 /* Tue Jun 24 23:11:54 CEST 2003 (1.7.9) -- strip whitespace
151 */
152 k = 0;
153 for (i = 0; i < 127; ++i)
154 {
155 if (test_ptr1[i] == '\0')
156 break;
157 if (test_ptr1[i] != ' ')
158 {
159 wstrip1[k] = test_ptr1[i];
160 ++k;
161 }
162 }
163 wstrip1[k] = '\0';
164
165 for(i = 0; i < KEY_LEN; ++i)
166 {
167 if (gpgchk[i] != wstrip1[i])
168 {
169 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0, MSG_E_GPG_CHK,
170 gpgchk, wstrip1);
171 break;
172 }
173 }
174
175 k = 0;
176 for (i = 0; i < 127; ++i)
177 {
178 if (test_ptr2[i] == '\0')
179 break;
180 if (test_ptr2[i] != ' ')
181 {
182 wstrip2[k] = test_ptr2[i];
183 ++k;
184 }
185 }
186 wstrip2[k] = '\0';
187
188 if (0 != sl_strncmp(wstrip1, wstrip2, 127))
189 {
190 TPT(((0), FIL__, __LINE__, _("msg=<pgp checksum: %s>\n"), test_gpg));
191 TPT(((0), FIL__, __LINE__, _("msg=<Compiled-in : %s>\n"), GPG_HASH));
192 TPT(((0), FIL__, __LINE__, _("msg=<wstrip1 : %s>\n"), wstrip1));
193 TPT(((0), FIL__, __LINE__, _("msg=<wstrip2 : %s>\n"), wstrip2));
194 if (flag == 1)
195 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_GPG,
196 GPG_HASH, test_gpg);
197 dlog(1, FIL__, __LINE__, _("The compiled-in checksum of the gpg binary\n(%s)\ndoes not match the actual checksum\n(%s).\nYou need to recompile with the correct checksum."), wstrip1, wstrip2);
198 SH_FREE(test_gpg);
199 SL_RETURN((-1), _("sh_gpg_checksum"));
200 }
201 SH_FREE(test_gpg);
202 SL_RETURN( (0), _("sh_gpg_checksum"));
203}
204#endif
205
[86]206struct startup_info {
207 long line;
208 char * program;
209 long uid;
210 char * path;
211 char * key_uid;
212 char * key_id;
213};
214
215static struct startup_info startInfo = { 0, NULL, 0, NULL, NULL, NULL };
216
217void sh_gpg_log_startup ()
218{
219 if (startInfo.program != NULL)
220 {
221 sh_error_handle ((-1), FIL__, startInfo.line, 0, MSG_START_GH,
222 startInfo.program, startInfo.uid,
223 startInfo.path,
224 startInfo.key_uid, startInfo.key_id);
225 }
226 return;
227}
228
229static void sh_gpg_fill_startup (long line, char * program, long uid, char * path,
230 char * key_uid, char * key_id)
231{
232 startInfo.line = line;
233 startInfo.program = sh_util_strdup(program);
234 startInfo.uid = uid;
235 startInfo.path = sh_util_strdup(path);
236 startInfo.key_uid = sh_util_strdup(key_uid);
237 startInfo.key_id = sh_util_strdup(key_id);
238 return;
239}
240
[1]241static FILE * sh_gpg_popen (sh_gpg_popen_t *source, int fd,
242 int mode, char * id, char * homedir)
243{
244 int pipedes[2];
245 FILE * outf = NULL;
246 char * envp[2];
[22]247 size_t len;
[1]248 char path[256];
249 char cc1[32];
250 char cc2[32];
251#if defined(WITH_PGP)
252 char cc3[32];
253 char cc0[3] = "-f";
254#endif
255#if defined(WITH_GPG)
256 char cc0[2] = "-";
257 char cc3[32];
258 char cc4[SH_PATHBUF+32];
259 char cc5[32] = "--no-tty";
260#endif
261
262 char * arg[9];
263
264#if defined(HAVE_GPG_CHECKSUM)
265 SL_TICKET checkfd;
266 int myrand;
267 int i;
268#if defined(__linux__)
269 int get_the_fd(SL_TICKET);
270 char pname[128];
271 int pfd;
272#endif
273#endif
274
275 SL_ENTER(_("sh_gpg_popen"));
276
277#if defined(WITH_GPG)
278 /* -- GnuPG -- */
279 sl_strlcpy (path, DEFAULT_GPG_PATH, 256);
280 sl_strlcpy (cc1, _("--status-fd"), 32);
281 sl_strlcpy (cc2, _("--verify"), 32);
282 sl_strlcpy (cc3, _("--homedir"), 32);
283 /* sl_strlcpy (cc4, sh.effective.home, SH_PATHBUF+32); */
284 sl_strlcpy (cc4, homedir, SH_PATHBUF+32);
285 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
286
287 /* fprintf(stderr, "YULE: homedir=%s\n", homedir); */
288
289#if defined(SH_WITH_SERVER)
290 if (0 == sl_ret_euid()) /* privileges not dropped yet */
291 {
292 struct stat lbuf;
293 int status_stat = 0;
294 struct passwd * tempres = getpwnam(DEFAULT_IDENT);
295 if (!tempres)
296 tempres = sh_getpwnam(DEFAULT_IDENT);
297 if (!tempres)
298 {
299 dlog(1, FIL__, __LINE__,
300 _("User %s does not exist. Please add the user to your system.\n"),
301 DEFAULT_IDENT);
302 status_stat = -1;
303 }
304 if (!tempres->pw_dir || tempres->pw_dir[0] == '\0')
305 {
306 dlog(1, FIL__, __LINE__,
307 _("User %s does not have a home directory.\nPlease add the home directory for this user to your system.\n"),
308 DEFAULT_IDENT);
309 status_stat = -2;
310 }
311 if (status_stat == 0)
312 {
313 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
314 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
315 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
316 if (status_stat == -1)
317 {
318 dlog(1, FIL__, __LINE__,
319 _("Gnupg directory %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
320 cc4, DEFAULT_IDENT);
321 status_stat = -3;
322 }
323 }
324 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
325 {
326 dlog(1, FIL__, __LINE__,
327 _("Gnupg directory %s\nis not owned by user %s.\n"),
328 cc4, DEFAULT_IDENT);
329 status_stat = -4;
330 }
331 if (status_stat == 0)
332 {
333 sl_strlcat (cc4, _("/pubring.gpg"), SH_PATHBUF+32);
334 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
335 if (status_stat == -1)
336 {
337 dlog(1, FIL__, __LINE__,
338 _("Gnupg public keyring %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
339 cc4, DEFAULT_IDENT);
340 status_stat = -5;
341 }
342 }
343 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
344 {
345 dlog(1, FIL__, __LINE__,
346 _("Gnupg public keyring %s\nis not owned by user %s.\n"),
347 cc4, DEFAULT_IDENT);
348 status_stat = -6;
349 }
350 if (status_stat != 0)
351 {
352 sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
353 sh.prg_name);
354 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
355 }
356 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
357 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
358 }
359#endif
360
361 arg[0] = path;
362 arg[1] = cc1;
363 arg[2] = "1";
364 arg[3] = cc2;
365 arg[4] = cc3;
366 arg[5] = cc4;
367 arg[6] = cc5;
368 arg[7] = cc0;
369 arg[8] = NULL;
370
371 /* catch 'unused parameter' compiler warning
372 */
373 (void) mode;
374 (void) id;
375#elif defined(WITH_PGP)
376 /* -- PGP -- */
377 sl_strlcpy (path, DEFAULT_PGP_PATH, 256);
378 if (mode == 0)
379 {
380 sl_strlcpy (cc1, _("+language=en"), 32);
381 sl_strlcpy (cc2, _("-o"), 32);
382 sl_strlcpy (cc3, _("/dev/null"), 32);
383
384 arg[0] = path;
385 arg[1] = cc1;
386 arg[2] = cc2;
387 arg[3] = cc3;
388 arg[4] = cc0;
389 arg[5] = NULL;
390 }
391 else
392 {
393 sl_strlcpy (cc1, _("+language=en"), 32);
394 sl_strlcpy (cc2, _("-kvc"), 32);
395
396 arg[0] = path;
397 arg[1] = cc1;
398 arg[2] = cc2;
399 arg[3] = id;
400 arg[4] = NULL;
401 arg[5] = NULL;
402 }
403#endif
404
405 /* use homedir of effective user
406 */
407 if (sh.effective.home != NULL)
408 {
[22]409 len = sl_strlen(sh.effective.home) + 6;
410 envp[0] = malloc (len); /* free() ok */
[1]411 if (envp[0] != NULL)
[22]412 sl_snprintf (envp[0], len, "HOME=%s", sh.effective.home);
[1]413 envp[1] = NULL;
414 }
415 else
416 {
417 envp[0] = NULL;
418 }
419
420 /* Create the pipe
421 */
422 if (aud_pipe(FIL__, __LINE__, pipedes) < 0)
423 {
424 if (envp[0] != NULL)
425 free(envp[0]);
426 SL_RETURN( (NULL), _("sh_gpg_popen"));
427 }
428
429 source->pid = aud_fork(FIL__, __LINE__);
430
431 /* Failure
432 */
433 if (source->pid == (pid_t) - 1)
434 {
435 close(pipedes[0]);
436 close(pipedes[1]);
437 if (envp[0] != NULL)
438 free(envp[0]);
439 SL_RETURN( (NULL), _("sh_gpg_popen"));
440 }
441
442 if (source->pid == (pid_t) 0)
443 {
444
445 /* child - make read side of the pipe stdout
446 */
447 if (retry_aud_dup2(FIL__, __LINE__,
448 pipedes[STDOUT_FILENO], STDOUT_FILENO) < 0)
449 {
450 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on pipe failed>\n")));
451 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
452 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
453 }
454
455 /* close the pipe descriptors
456 */
457 close (pipedes[STDIN_FILENO]);
458 close (pipedes[STDOUT_FILENO]);
459
460
461#if defined(WITH_PGP)
462 if (mode == 0)
463 {
464 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
465 {
466 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
467 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
468 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
469 }
470 }
471#else
472 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
473 {
474 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
475 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
476 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
477 }
478#endif
479
480 /* don't leak file descriptors
481 */
482 sh_unix_closeall (3, -1); /* in child process */
483
484 freopen(_("/dev/null"), "r+", stderr);
485
486 /* We should become privileged if SUID,
487 * to be able to read the keyring.
488 * We have checked that gpg is OK,
489 * AND that only a trusted user could overwrite
490 * gpg.
491 */
492 memset (skey, '\0', sizeof(sh_key_t));
493 aud_setuid(FIL__, __LINE__, geteuid());
494
495 PDBGC_OPEN;
496 PDBGC_D((int)getuid());
497 PDBGC_D((int)geteuid());
498
499 {
500 int i = 0;
501 while (arg[i] != NULL)
502 {
503 PDBGC_S(arg[i]);
504 ++i;
505 }
506 }
507 PDBGC_CLOSE;
508
509 /* exec the program */
510
511#if defined(__linux__) && defined(HAVE_GPG_CHECKSUM)
512 /*
513 * -- emulate an fexecve with checksum testing
514 */
515#if defined(WITH_PGP)
516 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_NOPRIV);
517#else
518 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_NOPRIV);
519#endif
520
521 if (0 != sh_gpg_checksum(checkfd, 0))
522 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
523
524 pfd = get_the_fd(checkfd);
[22]525 sl_snprintf(pname, sizeof(pname), _("/proc/self/fd/%d"), pfd);
526 if (0 == access(pname, R_OK|X_OK)) /* flawfinder: ignore */
527
[1]528 {
529 fcntl (pfd, F_SETFD, FD_CLOEXEC);
530 retry_aud_execve (FIL__, __LINE__, pname, arg, envp);
531
532 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
533 pname);
534 /* failed
535 */
536 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
537 }
538
539 /* procfs not working, go ahead
540 */
541 sl_close(checkfd);
542#endif
543
544#if defined(HAVE_GPG_CHECKSUM)
545 /* This is an incredibly ugly kludge to prevent an attacker
546 * from knowing when it is safe to slip in a fake executable
547 * between the integrity check and the execve
548 */
549 myrand = (int) taus_get (&(skey->rng0[0]), &(skey->rng1[0]),
550 &(skey->rng2[0]));
551 myrand = (myrand < 0) ? (-myrand) : myrand;
552 myrand = (myrand % 32) + 2;
553
554 for (i = 0; i < myrand; ++i)
555 {
556#if defined(WITH_PGP)
557 checkfd = sl_open_fastread(DEFAULT_PGP_PATH, SL_NOPRIV);
558#else
559 checkfd = sl_open_fastread(DEFAULT_GPG_PATH, SL_NOPRIV);
560#endif
561 if (0 != sh_gpg_checksum(checkfd, 0)) {
562 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
563 }
564 sl_close(checkfd);
565 }
566#endif
567
568
569#if defined(WITH_GPG)
570 retry_aud_execve (FIL__, __LINE__, DEFAULT_GPG_PATH, arg, envp);
571 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
572 DEFAULT_GPG_PATH);
573#elif defined(WITH_PGP)
574 retry_aud_execve (FIL__, __LINE__, DEFAULT_PGP_PATH, arg, envp);
575#endif
576
577 /* failed
578 */
579 TPT(((0), FIL__, __LINE__, _("msg=<execve failed>\n")));
580 dlog(1, FIL__, __LINE__, _("Unexpected error: execve failed\n"));
581 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
582 }
583
584 /* parent
585 */
586
587 if (envp[0] != NULL)
588 free(envp[0]);
589
590 close (pipedes[STDOUT_FILENO]);
591 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFD, FD_CLOEXEC);
592 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFL, O_NONBLOCK);
593
594 outf = fdopen (pipedes[STDIN_FILENO], "r");
595
596 if (outf == NULL)
597 {
598 aud_kill (FIL__, __LINE__, source->pid, SIGKILL);
599 close (pipedes[STDOUT_FILENO]);
600 waitpid (source->pid, NULL, 0);
601 source->pid = 0;
602 SL_RETURN( (NULL), _("sh_gpg_popen"));
603 }
604
605 SL_RETURN( (outf), _("sh_gpg_popen"));
606}
607
608
609static int sh_gpg_pclose (sh_gpg_popen_t *source)
610{
611 int status = 0;
612
613 SL_ENTER(_("sh_gpg_pclose"));
614
615 status = fclose(source->pipe);
616 if (status)
617 SL_RETURN( (-1), _("sh_gpg_pclose"));
618
619 if (waitpid(source->pid, NULL, 0) != source->pid)
620 status = -1;
621
622 source->pipe = NULL;
623 source->pid = 0;
624 SL_RETURN( (status), _("sh_gpg_pclose"));
625}
626
627static
628int sh_gpg_check_file_sign(int fd, char * sign_id, char * sign_fp,
629 char * homedir, int whichfile)
630{
631 struct stat buf;
632 char line[256];
633 sh_gpg_popen_t source;
634 int have_id = BAD, have_fp = BAD, status = 0;
635#ifdef WITH_PGP
636 char *ptr;
637#endif
638
639#ifdef HAVE_GPG_CHECKSUM
640 SL_TICKET checkfd;
641#endif
642
643 SL_ENTER(_("sh_gpg_check_file_sign"));
644
645 /* check whether GnuPG exists and has the correct checksum
646 */
647#if defined(WITH_GPG)
648
649 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
650 TPT(((0), FIL__, __LINE__, _("msg=<gpg is %s>\n"), DEFAULT_GPG_PATH));
651
652 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_GPG_PATH, &buf))
653 {
654 status = errno;
655 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
656 sh_error_message(status), DEFAULT_GPG_PATH);
657 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
658 }
659
660 if (0 != tf_trust_check (DEFAULT_GPG_PATH, SL_YESPRIV))
661 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
662
663#ifdef HAVE_GPG_CHECKSUM
664 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_YESPRIV);
665
666 if (0 != sh_gpg_checksum(checkfd, 1))
667 {
668 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
669 _("Checksum mismatch"),
670 _("gpg_check_file_sign"));
671 sl_close(checkfd);
672 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
673 }
674 sl_close(checkfd);
675#endif
676
677#elif defined(WITH_PGP)
678
679 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
680 TPT(((0), FIL__, __LINE__, _("msg=<pgp is %s>\n"), DEFAULT_PGP_PATH));
681
682 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_PGP_PATH, &buf))
683 {
684 status = errno;
685 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
686 sh_error_message(status), DEFAULT_PGP_PATH);
687 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
688 }
689 if (0 != tf_trust_check (DEFAULT_PGP_PATH, SL_YESPRIV))
690 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
691
692#ifdef HAVE_GPG_CHECKSUM
693 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_YESPRIV);
694
695 if (0 != sh_gpg_checksum(checkfd, 1))
696 {
697 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
698 _("Checksum mismatch"),
699 _("gpg_check_file_sign"));
700 sl_close(checkfd);
701 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
702 }
703 sl_close(checkfd);
704#endif
705
706#endif
707
708 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe to check signature>\n")));
709
710 fflush(NULL);
711
712 source.pipe = sh_gpg_popen ( &source, fd, 0, NULL, homedir );
713
714 if (NULL == source.pipe)
715 {
716 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
717 _("Could not open pipe"),
718 _("gpg_check_file_sign"));
719 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
720 }
721
722 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
723
724 xagain:
725
726 errno = 0;
727
[34]728 while (NULL != fgets(line, sizeof(line), source.pipe))
[1]729 {
730
731 TPT(((0), FIL__, __LINE__, _("msg=<gpg out: %s>\n"), line));
732 if (line[strlen(line)-1] == '\n')
733 line[strlen(line)-1] = ' ';
734 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
735 line,
736 _("gpg_check_file_sign"));
737
738 if (sl_strlen(line) < 18)
739 continue;
740#if defined(WITH_GPG)
741 /* Sun May 27 18:40:05 CEST 2001
742 */
743 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6) ||
744 0 == sl_strncmp(_("ERRSIG"), &line[9], 6) ||
745 0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6) ||
746 0 == sl_strncmp(_("NODATA"), &line[9], 6) ||
747 0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6))
748 {
749 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6)) {
750 dlog(1, FIL__, __LINE__,
751 _("%s file is signed, but the signature is invalid."),
752 ((whichfile == 1) ? _("Configuration") : _("Database")));
753 }
754 else if (0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6)) {
755 dlog(1, FIL__, __LINE__,
756 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
757 ((whichfile == 1) ? _("Configuration") : _("Database")),
758 homedir);
759 }
760 else if (0 == sl_strncmp(_("ERRSIG"), &line[9], 6)) {
761 dlog(1, FIL__, __LINE__,
762 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
763 ((whichfile == 1) ? _("Configuration") : _("Database")),
764 homedir);
765 }
766 else if (0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6)) {
767 dlog(1, FIL__, __LINE__,
768 _("%s file is signed, but the public key to verify the signature has expired."),
769 ((whichfile == 1) ? _("Configuration") : _("Database")));
770 }
771 else if (0 == sl_strncmp(_("NODATA"), &line[9], 6)) {
772 dlog(1, FIL__, __LINE__,
773 _("%s file is not signed."),
774 ((whichfile == 1) ? _("Configuration") : _("Database")));
775 }
776
777 have_fp = BAD; have_id = BAD;
778 break;
779 }
780 if (0 == sl_strncmp(_("GOODSIG"), &line[9], 7))
781 {
782 sl_strlcpy (sign_id, &line[25], SH_MINIBUF+1);
783 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing '"' */
784 have_id = GOOD;
785 }
786 if (0 == sl_strncmp(_("VALIDSIG"), &line[9], 8))
787 {
788 strncpy (sign_fp, &line[18], 40);
789 sign_fp[40] = '\0';
790 have_fp = GOOD;
791 }
792#elif defined(WITH_PGP)
793 if (0 == sl_strncmp(_("Bad signature"), line, 13) ||
794 0 == sl_strncmp(_("Error"), line, 5) ||
795 0 == sl_strncmp(_("Malformed"), line, 9) ||
796 0 == sl_strncmp(_("WARNING"), line, 7) ||
797 0 == sl_strncmp(_("ERROR"), line, 5)
798 )
799 {
800 have_fp = BAD; have_id = BAD;
801 break;
802 }
803 if (0 == sl_strncmp(_("Good signature"), line, 14))
804 {
805 ptr = strchr ( line, '"');
806 ++ptr;
807 sl_strlcpy (sign_id, ptr, SH_MINIBUF+1);
808 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing dot */
809 sign_id[sl_strlen(sign_id)-2] = '\0'; /* remove trailing '"' */
810 have_id = GOOD;
811 }
812#endif
813 }
814
815 if (ferror(source.pipe) && errno == EAGAIN)
816 {
817 clearerr(source.pipe);
818 goto xagain;
819 }
820
821 sh_gpg_pclose (&source);
822
823 TPT(((0), FIL__, __LINE__, _("msg=<Close pipe>\n")));
824
825#ifdef WITH_PGP
826 /* get the fingerprint */
827
828 source.pipe = sh_gpg_popen ( &source, fd, 1, sign_id, homedir);
829 if (NULL == source.pipe)
830 {
831 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
832 _("Could not open pipe for fp"),
833 _("gpg_check_file_sign"));
834 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
835 }
836
837 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
838
839 yagain:
840
841 errno = 0;
842
[34]843 while (NULL != fgets(line, sizeof(line), source.pipe))
[1]844 {
845 if (line[strlen(line)-1] == '\n')
846 line[strlen(line)-1] = ' ';
847 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
848 line,
849 _("gpg_check_file_sign"));
850
851 if (sl_strlen(line) < 18)
852 continue;
853 ptr = strtok (line, " ");
854 while (ptr)
855 {
856 ptr = strtok (NULL, " ");
857 if (ptr && 0 == sl_strncmp (ptr, _("fingerprint"), 11))
858 {
859 ptr = strtok (NULL, " "); /* to '=' */
860 sign_fp[0] = '\0';
861 while (ptr)
862 {
863 ptr = strtok (NULL, " "); /* part of fingerprint */
864 sl_strlcat (sign_fp, ptr, SH_MINIBUF+1);
865 }
866 /* sign_fp[sl_strlen(sign_fp)-1] = '\0'; remove trailing '\n' */
867 if (sl_strlen(sign_fp) > 0)
868 have_fp = GOOD;
869 break;
870 }
871 }
872 }
873
874 if (ferror(source.pipe) && errno == EAGAIN)
875 {
876 clearerr(source.pipe);
877 goto yagain;
878 }
879
880 sh_gpg_pclose (&source);
881#endif
882
883 if (have_id == GOOD)
884 {
885 TPT(((0), FIL__, __LINE__, _("msg=<Got signator ID>\n")));
886 ;
887 }
888 if (have_fp == GOOD)
889 {
890 TPT(((0), FIL__, __LINE__, _("msg=<Got fingerprint>\n")));
891 ;
892 }
893
894 if (have_id == GOOD && have_fp == GOOD)
895 SL_RETURN( SH_GPG_OK, _("sh_gpg_check_file_sign"));
896 else
897 {
898 if (have_id == BAD)
899 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
900 _("No good signature"),
901 _("gpg_check_file_sign"));
902 else
903 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
904 _("No fingerprint for key"),
905 _("gpg_check_file_sign"));
906 SL_RETURN( SH_GPG_BADSIGN, _("sh_gpg_check_file_sign"));
907 }
908}
909
910int get_the_fd(SL_TICKET file_1);
911
912int sh_gpg_check_sign (long file_1, long file_2, int what)
913{
914 int status = SH_GPG_BAD;
915 int fd1 = 0;
916 int fd2 = 0;
917 static int smsg = S_FALSE;
918 char * tmp;
919 char * tmp2;
920
921 char * homedir = sh.effective.home;
922#if defined(SH_WITH_SERVER)
923 struct passwd * tempres;
924#endif
925#ifdef USE_FINGERPRINT
926#include "sh_gpg_fp.h"
927#endif
928
929 SL_ENTER(_("sh_gpg_check_sign"));
930
931
932 if (what == 0 || what == 1)
933 fd1 = get_the_fd(file_1);
934 if (what == 0 || what == 2)
935 fd2 = get_the_fd(file_2);
936
937
938 if (fd1 < 0 || fd2 < 0)
939 {
940 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
941 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
942 dlog(1, FIL__, __LINE__,
943 _("This looks like an unexpected internal error.\n"));
944 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_EXIT_ABORT1, sh.prg_name);
945 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
946 SL_RETURN( (-1), _("sh_gpg_check_sign"));
947 }
948
949 if (what == 0 || what == 1)
950 {
951 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
952#if defined(SH_WITH_SERVER)
953 tempres = getpwnam(DEFAULT_IDENT);
954 if (!tempres)
955 tempres = sh_getpwnam(DEFAULT_IDENT);
956 if ((tempres != NULL) && (0 == sl_ret_euid()))
957 {
958 /* privileges not dropped yet*/
959 homedir = tempres->pw_dir;
960 }
961#endif
962 status = sh_gpg_check_file_sign(fd1, gp.conf_id, gp.conf_fp, homedir, 1);
963 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGUSR: |%s|>\n"), gp.conf_id));
964 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGFP: |%s|>\n"), gp.conf_fp));
965 }
966
967 if ((what == 0 && SH_GPG_OK == status) || what == 2)
968 {
969 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
970#if defined(SH_WITH_SERVER)
971 tempres = getpwnam(DEFAULT_IDENT);
972 if (!tempres)
973 tempres = sh_getpwnam(DEFAULT_IDENT);
974 if ((tempres != NULL) && (0 == sl_ret_euid()))
975 {
976 /* privileges not dropped yet*/
977 homedir = tempres->pw_dir;
978 }
979#endif
980 status = sh_gpg_check_file_sign(fd2, gp.data_id, gp.data_fp, homedir, 2);
981 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGUSR: |%s|>\n"), gp.data_id));
982 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGFP: |%s|>\n"), gp.data_fp));
983 }
984
985 if (SH_GPG_OK == status && what == 1)
986 {
987#ifdef USE_FINGERPRINT
988 if ((sl_strcmp(SH_GPG_FP, gp.conf_fp) == 0))
989 {
990 int i;
991
992 for(i = 0; i < (int) sl_strlen(gp.conf_fp); ++i)
993 {
994 if (gpgfp[i] != gp.conf_fp[i])
995 {
996 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0,
997 MSG_E_GPG_FP,
998 gpgfp, gp.conf_fp);
999 break;
1000 }
1001 }
1002
1003 if (smsg == S_FALSE)
1004 {
1005 tmp = sh_util_safe_name(gp.conf_id);
[87]1006 sh_gpg_fill_startup (__LINE__,
[86]1007 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
[1]1008 sh.prg_name, sh.real.uid,
1009 (sh.flag.hidefile == S_TRUE) ?
1010 _("(hidden)") : file_path('C', 'R'),
1011 tmp,
1012 gp.conf_fp);
1013 SH_FREE(tmp);
1014 }
1015 smsg = S_TRUE;
1016 SL_RETURN(0, _("sh_gpg_check_sign"));
1017 }
1018 else
1019 {
1020 /* fp mismatch
1021 */
1022 dlog(1, FIL__, __LINE__,
1023 _("The fingerprint of the signing key: %s\ndoes not match the compiled-in fingerprint: %s.\nTherefore the signature could not be verified.\n"),
1024 gp.conf_fp, SH_GPG_FP);
1025 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1026 _("Fingerprint mismatch"),
1027 _("gpg_check_sign"));
1028 status = SH_GPG_BADSIGN;
1029 }
1030#else
1031 if (smsg == S_FALSE)
1032 {
1033 tmp = sh_util_safe_name(gp.conf_id);
[86]1034 sh_gpg_fill_startup (__LINE__,
1035 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
[1]1036 sh.prg_name, sh.real.uid,
1037 (sh.flag.hidefile == S_TRUE) ?
1038 _("(hidden)") : file_path('C', 'R'),
1039 tmp,
1040 gp.conf_fp);
1041 SH_FREE(tmp);
1042 }
1043 smsg = S_TRUE;
1044 SL_RETURN(0, _("sh_gpg_check_sign"));
1045#endif
1046 }
1047
1048 else if (SH_GPG_OK == status && (what == 2 || what == 0))
1049 {
1050 if ((sl_strcmp(gp.data_id, gp.conf_id) == 0) &&
1051 (sl_strcmp(gp.data_fp, gp.conf_fp) == 0))
1052 {
1053 SL_RETURN(0, _("sh_gpg_check_sign"));
1054 }
1055 else
1056 {
1057 /* ID or fp not equal
1058 */
1059 dlog(1, FIL__, __LINE__,
1060 _("The fingerprint or ID of the signing key is not the same for the\nconfiguration file and the file signature database.\nTherefore the signature could not be verified.\n"));
1061 tmp = sh_util_safe_name (gp.conf_id);
1062 tmp2 = sh_util_safe_name (gp.data_id);
1063 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH2,
1064 sh.prg_name, sh.real.uid,
1065 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('C', 'R'),
1066 tmp, gp.conf_fp,
1067 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('D', 'R'),
1068 tmp2, gp.data_fp);
1069 SH_FREE(tmp);
1070 SH_FREE(tmp2);
1071 }
1072 }
1073
1074 if (status != SH_GPG_OK)
1075 {
1076 uid_t e_uid = sl_ret_euid();
1077 char * e_home = sh.effective.home;
1078
1079#if defined(SH_WITH_SERVER)
1080 struct passwd * e_tempres = getpwnam(DEFAULT_IDENT);
1081 if (!e_tempres)
1082 e_tempres = sh_getpwnam(DEFAULT_IDENT);
1083 if ((e_tempres != NULL) && (0 == sl_ret_euid()))
1084 {
1085 /* privileges not dropped yet */
1086 e_uid = e_tempres->pw_uid;
1087 e_home = e_tempres->pw_dir;
1088 }
1089#endif
1090 dlog(1, FIL__, __LINE__,
1091 _("The signature of the configuration file or the file signature database\ncould not be verified. Possible reasons are:\n - gpg binary (%s) not found\n - invalid signature\n - the signature key is not in the private keyring of UID %d,\n - there is no keyring in %s/.gnupg, or\n - the file is not signed - did you move /filename.asc to /filename ?\nTo create a signed file, use (remove old signatures before):\n gpg -a --clearsign --not-dash-escaped FILE\n mv FILE.asc FILE\n"),
1092#if defined(WITH_GPG)
1093 DEFAULT_GPG_PATH,
1094#else
1095 DEFAULT_PGP_PATH,
1096#endif
1097 (int) e_uid, e_home);
1098 }
1099
1100 TPT(((0), FIL__, __LINE__, _("msg=<Status = %d>\n"), status));
1101
1102 sh_error_handle((-1), FIL__, __LINE__, status, MSG_EXIT_ABORT1, sh.prg_name);
1103 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
1104
1105 return (-1); /* make compiler happy */
1106}
1107
1108/* #ifdef WITH_GPG */
1109#endif
1110
1111
1112
1113
1114
1115
1116
1117
Note: See TracBrowser for help on using the repository browser.