source: trunk/src/sh_gpg.c@ 158

Last change on this file since 158 was 153, checked in by katerina, 17 years ago

Use -D_FORTIFY_SOURCE=1 -fstack-protector-all if supported. Compiler warnings fixed.
File size: 31.7 KB
Line 
1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999, 2000 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#include "config_xor.h"
21
22#include <stdio.h>
23#include <stdlib.h>
24
25
26#if defined(WITH_GPG) || defined(WITH_PGP)
27
28#include <unistd.h>
29#include <fcntl.h>
30#include <signal.h>
31#if defined(SH_WITH_SERVER)
32#include <pwd.h>
33#endif
34#include <sys/stat.h>
35#include <sys/types.h>
36#include <errno.h>
37#include <sys/wait.h>
38
39#include <string.h>
40#ifdef HAVE_MEMORY_H
41#include <memory.h>
42#endif
43
44
45#if !defined(O_NONBLOCK)
46#if defined(O_NDELAY)
47#define O_NONBLOCK O_NDELAY
48#else
49#define O_NONBLOCK 0
50#endif
51#endif
52
53
54#include "samhain.h"
55#include "sh_utils.h"
56#include "sh_error.h"
57#include "sh_tiger.h"
58#if defined(SH_WITH_SERVER)
59#define SH_NEED_PWD_GRP 1
60#include "sh_static.h"
61#endif
62
63static struct {
64 char conf_id[SH_MINIBUF+1];
65 char conf_fp[SH_MINIBUF+1];
66 char data_id[SH_MINIBUF+1];
67 char data_fp[SH_MINIBUF+1];
68} gp;
69
70typedef struct {
71 pid_t pid;
72 FILE * pipe;
73} sh_gpg_popen_t;
74
75#define SH_GPG_OK 0
76#define SH_GPG_BAD 1
77#define SH_GPG_BADSIGN 2
78
79/* replace #if 0 by #if 1 and set an appropriate path in front of '/pdbg.'
80 * for debugging
81 */
82#if 0
83#define PDGBFILE "/pdbg."
84#endif
85
86#if defined(PDGBFILE)
87FILE * pdbg;
88FILE * pdbgc;
89#define PDBG_OPEN pdbg = fopen(PDGBFILE"main", "a")
90#define PDBG_CLOSE fclose (pdbg)
91#define PDBG(arg) fprintf(pdbg, "PDBG: step %d\n", arg); fflush(pdbg)
92#define PDBG_D(arg) fprintf(pdbg, "PDBG: %d\n", arg); fflush(pdbg)
93#define PDBG_S(arg) fprintf(pdbg, "PDBG: %s\n", arg); fflush(pdbg)
94
95#define PDBGC_OPEN pdbgc = fopen(PDGBFILE"child", "a")
96#define PDBGC_CLOSE fclose (pdbgc)
97#define PDBGC(arg) fprintf(pdbgc, "PDBG: step %d\n", arg); fflush(pdbgc)
98#define PDBGC_D(arg) fprintf(pdbgc, "PDBG: %d\n", arg); fflush(pdbgc)
99#define PDBGC_S(arg) fprintf(pdbgc, "PDBG: %s\n", arg); fflush(pdbgc)
100#else
101#define PDBG_OPEN
102#define PDBG_CLOSE
103#define PDBG(arg)
104#define PDBG_D(arg)
105#define PDBG_S(arg)
106#define PDBGC_OPEN
107#define PDBGC_CLOSE
108#define PDBGC(arg)
109#define PDBGC_D(arg)
110#define PDBGC_S(arg)
111#endif
112
113#undef FIL__
114#define FIL__ _("sh_gpg.c")
115
116#ifdef GPG_HASH
117
118static int sh_gpg_checksum (SL_TICKET checkfd, int flag)
119{
120 char * test_gpg;
121 char * test_ptr1 = NULL;
122 char * test_ptr2 = NULL;
123 char wstrip1[128];
124 char wstrip2[128];
125 int i, k;
126#include "sh_gpg_chksum.h"
127
128 SL_ENTER(_("sh_gpg_checksum"));
129
130#if defined(WITH_PGP)
131 test_gpg = sh_tiger_hash_gpg (DEFAULT_PGP_PATH, checkfd, 0);
132#else
133 test_gpg = sh_tiger_hash_gpg (DEFAULT_GPG_PATH, checkfd, 0);
134#endif
135
136 test_ptr1 = strchr(GPG_HASH, ':');
137 if (test_gpg != NULL)
138 test_ptr2 = strchr(test_gpg, ':');
139
140 if (test_ptr2 != NULL)
141 test_ptr2 += 2;
142 else
143 test_ptr2 = test_gpg;
144 if (test_ptr1 != NULL)
145 test_ptr1 += 2;
146 else
147 test_ptr1 = GPG_HASH;
148
149 /* Tue Jun 24 23:11:54 CEST 2003 (1.7.9) -- strip whitespace
150 */
151 k = 0;
152 for (i = 0; i < 127; ++i)
153 {
154 if (test_ptr1[i] == '\0')
155 break;
156 if (test_ptr1[i] != ' ')
157 {
158 wstrip1[k] = test_ptr1[i];
159 ++k;
160 }
161 }
162 wstrip1[k] = '\0';
163
164 for(i = 0; i < KEY_LEN; ++i)
165 {
166 if (gpgchk[i] != wstrip1[i])
167 {
168 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0, MSG_E_GPG_CHK,
169 gpgchk, wstrip1);
170 break;
171 }
172 }
173
174 k = 0;
175 for (i = 0; i < 127; ++i)
176 {
177 if (test_ptr2[i] == '\0')
178 break;
179 if (test_ptr2[i] != ' ')
180 {
181 wstrip2[k] = test_ptr2[i];
182 ++k;
183 }
184 }
185 wstrip2[k] = '\0';
186
187 if (0 != sl_strncmp(wstrip1, wstrip2, 127))
188 {
189 TPT(((0), FIL__, __LINE__, _("msg=<pgp checksum: %s>\n"), test_gpg));
190 TPT(((0), FIL__, __LINE__, _("msg=<Compiled-in : %s>\n"), GPG_HASH));
191 TPT(((0), FIL__, __LINE__, _("msg=<wstrip1 : %s>\n"), wstrip1));
192 TPT(((0), FIL__, __LINE__, _("msg=<wstrip2 : %s>\n"), wstrip2));
193 if (flag == 1)
194 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_GPG,
195 GPG_HASH, test_gpg);
196 dlog(1, FIL__, __LINE__, _("The compiled-in checksum of the gpg binary\n(%s)\ndoes not match the actual checksum\n(%s).\nYou need to recompile with the correct checksum."), wstrip1, wstrip2);
197 SH_FREE(test_gpg);
198 SL_RETURN((-1), _("sh_gpg_checksum"));
199 }
200 SH_FREE(test_gpg);
201 SL_RETURN( (0), _("sh_gpg_checksum"));
202}
203#endif
204
205struct startup_info {
206 long line;
207 char * program;
208 long uid;
209 char * path;
210 char * key_uid;
211 char * key_id;
212};
213
214static struct startup_info startInfo = { 0, NULL, 0, NULL, NULL, NULL };
215
216void sh_gpg_log_startup ()
217{
218 if (startInfo.program != NULL)
219 {
220 sh_error_handle ((-1), FIL__, startInfo.line, 0, MSG_START_GH,
221 startInfo.program, startInfo.uid,
222 startInfo.path,
223 startInfo.key_uid, startInfo.key_id);
224 }
225 return;
226}
227
228static void sh_gpg_fill_startup (long line, char * program, long uid, char * path,
229 char * key_uid, char * key_id)
230{
231 startInfo.line = line;
232 startInfo.program = sh_util_strdup(program);
233 startInfo.uid = uid;
234 startInfo.path = sh_util_strdup(path);
235 startInfo.key_uid = sh_util_strdup(key_uid);
236 startInfo.key_id = sh_util_strdup(key_id);
237 return;
238}
239
240static FILE * sh_gpg_popen (sh_gpg_popen_t *source, int fd,
241 int mode, char * id, char * homedir)
242{
243 int pipedes[2];
244 FILE * outf = NULL;
245 char * envp[2];
246 size_t len;
247 char path[256];
248 char cc1[32];
249 char cc2[32];
250#if defined(WITH_PGP)
251 char cc3[32];
252 char cc0[3] = "-f";
253#endif
254#if defined(WITH_GPG)
255 char cc0[2] = "-";
256 char cc3[32];
257 char cc4[SH_PATHBUF+32];
258 char cc5[32] = "--no-tty";
259#endif
260
261 char * arg[9];
262
263#if defined(HAVE_GPG_CHECKSUM)
264 SL_TICKET checkfd;
265 int myrand;
266 int i;
267#if defined(__linux__)
268 int get_the_fd(SL_TICKET);
269 char pname[128];
270 int pfd;
271#endif
272#endif
273
274 SL_ENTER(_("sh_gpg_popen"));
275
276#if defined(WITH_GPG)
277 /* -- GnuPG -- */
278 sl_strlcpy (path, DEFAULT_GPG_PATH, 256);
279 sl_strlcpy (cc1, _("--status-fd"), 32);
280 sl_strlcpy (cc2, _("--verify"), 32);
281 sl_strlcpy (cc3, _("--homedir"), 32);
282 /* sl_strlcpy (cc4, sh.effective.home, SH_PATHBUF+32); */
283 sl_strlcpy (cc4, homedir, SH_PATHBUF+32);
284 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
285
286 /* fprintf(stderr, "YULE: homedir=%s\n", homedir); */
287
288#if defined(SH_WITH_SERVER)
289 if (0 == sl_ret_euid()) /* privileges not dropped yet */
290 {
291 struct stat lbuf;
292 int status_stat = 0;
293#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
294 struct passwd pwd;
295 char buffer[SH_PWBUF_SIZE];
296 struct passwd * tempres;
297 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
298#else
299 struct passwd * tempres = sh_getpwnam(DEFAULT_IDENT);
300#endif
301
302 if (!tempres)
303 {
304 dlog(1, FIL__, __LINE__,
305 _("User %s does not exist. Please add the user to your system.\n"),
306 DEFAULT_IDENT);
307 status_stat = -1;
308 }
309 if (!tempres->pw_dir || tempres->pw_dir[0] == '\0')
310 {
311 dlog(1, FIL__, __LINE__,
312 _("User %s does not have a home directory.\nPlease add the home directory for this user to your system.\n"),
313 DEFAULT_IDENT);
314 status_stat = -2;
315 }
316 if (status_stat == 0)
317 {
318 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
319 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
320 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
321 if (status_stat == -1)
322 {
323 dlog(1, FIL__, __LINE__,
324 _("Gnupg directory %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
325 cc4, DEFAULT_IDENT);
326 status_stat = -3;
327 }
328 }
329 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
330 {
331 dlog(1, FIL__, __LINE__,
332 _("Gnupg directory %s\nis not owned by user %s.\n"),
333 cc4, DEFAULT_IDENT);
334 status_stat = -4;
335 }
336 if (status_stat == 0)
337 {
338 sl_strlcat (cc4, _("/pubring.gpg"), SH_PATHBUF+32);
339 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
340 if (status_stat == -1)
341 {
342 dlog(1, FIL__, __LINE__,
343 _("Gnupg public keyring %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
344 cc4, DEFAULT_IDENT);
345 status_stat = -5;
346 }
347 }
348 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
349 {
350 dlog(1, FIL__, __LINE__,
351 _("Gnupg public keyring %s\nis not owned by user %s.\n"),
352 cc4, DEFAULT_IDENT);
353 status_stat = -6;
354 }
355 if (status_stat != 0)
356 {
357 sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
358 sh.prg_name);
359 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
360 }
361 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
362 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
363 }
364#endif
365
366 arg[0] = path;
367 arg[1] = cc1;
368 arg[2] = "1";
369 arg[3] = cc2;
370 arg[4] = cc3;
371 arg[5] = cc4;
372 arg[6] = cc5;
373 arg[7] = cc0;
374 arg[8] = NULL;
375
376 /* catch 'unused parameter' compiler warning
377 */
378 (void) mode;
379 (void) id;
380#elif defined(WITH_PGP)
381 /* -- PGP -- */
382 sl_strlcpy (path, DEFAULT_PGP_PATH, 256);
383 if (mode == 0)
384 {
385 sl_strlcpy (cc1, _("+language=en"), 32);
386 sl_strlcpy (cc2, _("-o"), 32);
387 sl_strlcpy (cc3, _("/dev/null"), 32);
388
389 arg[0] = path;
390 arg[1] = cc1;
391 arg[2] = cc2;
392 arg[3] = cc3;
393 arg[4] = cc0;
394 arg[5] = NULL;
395 }
396 else
397 {
398 sl_strlcpy (cc1, _("+language=en"), 32);
399 sl_strlcpy (cc2, _("-kvc"), 32);
400
401 arg[0] = path;
402 arg[1] = cc1;
403 arg[2] = cc2;
404 arg[3] = id;
405 arg[4] = NULL;
406 arg[5] = NULL;
407 }
408#endif
409
410 /* use homedir of effective user
411 */
412 if (sh.effective.home != NULL)
413 {
414 len = sl_strlen(sh.effective.home) + 6;
415 envp[0] = malloc (len); /* free() ok */
416 if (envp[0] != NULL)
417 sl_snprintf (envp[0], len, "HOME=%s", sh.effective.home);
418 envp[1] = NULL;
419 }
420 else
421 {
422 envp[0] = NULL;
423 }
424
425 /* Create the pipe
426 */
427 if (aud_pipe(FIL__, __LINE__, pipedes) < 0)
428 {
429 if (envp[0] != NULL)
430 free(envp[0]);
431 SL_RETURN( (NULL), _("sh_gpg_popen"));
432 }
433
434 fflush (NULL);
435
436 source->pid = aud_fork(FIL__, __LINE__);
437
438 /* Failure
439 */
440 if (source->pid == (pid_t) - 1)
441 {
442 close(pipedes[0]);
443 close(pipedes[1]);
444 if (envp[0] != NULL)
445 free(envp[0]);
446 SL_RETURN( (NULL), _("sh_gpg_popen"));
447 }
448
449 if (source->pid == (pid_t) 0)
450 {
451
452 /* child - make read side of the pipe stdout
453 */
454 if (retry_aud_dup2(FIL__, __LINE__,
455 pipedes[STDOUT_FILENO], STDOUT_FILENO) < 0)
456 {
457 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on pipe failed>\n")));
458 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
459 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
460 }
461
462 /* close the pipe descriptors
463 */
464 close (pipedes[STDIN_FILENO]);
465 close (pipedes[STDOUT_FILENO]);
466
467
468#if defined(WITH_PGP)
469 if (mode == 0)
470 {
471 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
472 {
473 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
474 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
475 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
476 }
477 }
478#else
479 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
480 {
481 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
482 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
483 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
484 }
485#endif
486
487 /* don't leak file descriptors
488 */
489 sh_unix_closeall (3, -1); /* in child process */
490
491 if (NULL == freopen(_("/dev/null"), "r+", stderr))
492 {
493 dlog(1, FIL__, __LINE__, _("Internal error: freopen failed\n"));
494 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
495 }
496
497 /* We should become privileged if SUID,
498 * to be able to read the keyring.
499 * We have checked that gpg is OK,
500 * AND that only a trusted user could overwrite
501 * gpg.
502 */
503 memset (skey, '\0', sizeof(sh_key_t));
504 aud_setuid(FIL__, __LINE__, geteuid());
505
506 PDBGC_OPEN;
507 PDBGC_D((int)getuid());
508 PDBGC_D((int)geteuid());
509
510 {
511 int i = 0;
512 while (arg[i] != NULL)
513 {
514 PDBGC_S(arg[i]);
515 ++i;
516 }
517 }
518 PDBGC_CLOSE;
519
520 /* exec the program */
521
522#if defined(__linux__) && defined(HAVE_GPG_CHECKSUM)
523 /*
524 * -- emulate an fexecve with checksum testing
525 */
526#if defined(WITH_PGP)
527 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_NOPRIV);
528#else
529 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_NOPRIV);
530#endif
531
532 if (0 != sh_gpg_checksum(checkfd, 0))
533 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
534
535 pfd = get_the_fd(checkfd);
536 sl_snprintf(pname, sizeof(pname), _("/proc/self/fd/%d"), pfd);
537 if (0 == access(pname, R_OK|X_OK)) /* flawfinder: ignore */
538
539 {
540 fcntl (pfd, F_SETFD, FD_CLOEXEC);
541 retry_aud_execve (FIL__, __LINE__, pname, arg, envp);
542
543 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
544 pname);
545 /* failed
546 */
547 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
548 }
549
550 /* procfs not working, go ahead
551 */
552 sl_close(checkfd);
553#endif
554
555#if defined(HAVE_GPG_CHECKSUM)
556 /* This is an incredibly ugly kludge to prevent an attacker
557 * from knowing when it is safe to slip in a fake executable
558 * between the integrity check and the execve
559 */
560 myrand = (int) taus_get ();
561
562 myrand = (myrand < 0) ? (-myrand) : myrand;
563 myrand = (myrand % 32) + 2;
564
565 for (i = 0; i < myrand; ++i)
566 {
567#if defined(WITH_PGP)
568 checkfd = sl_open_fastread(DEFAULT_PGP_PATH, SL_NOPRIV);
569#else
570 checkfd = sl_open_fastread(DEFAULT_GPG_PATH, SL_NOPRIV);
571#endif
572 if (0 != sh_gpg_checksum(checkfd, 0)) {
573 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
574 }
575 sl_close(checkfd);
576 }
577#endif
578
579
580#if defined(WITH_GPG)
581 retry_aud_execve (FIL__, __LINE__, DEFAULT_GPG_PATH, arg, envp);
582 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
583 DEFAULT_GPG_PATH);
584#elif defined(WITH_PGP)
585 retry_aud_execve (FIL__, __LINE__, DEFAULT_PGP_PATH, arg, envp);
586#endif
587
588 /* failed
589 */
590 TPT(((0), FIL__, __LINE__, _("msg=<execve failed>\n")));
591 dlog(1, FIL__, __LINE__, _("Unexpected error: execve failed\n"));
592 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
593 }
594
595 /* parent
596 */
597
598 if (envp[0] != NULL)
599 free(envp[0]);
600
601 close (pipedes[STDOUT_FILENO]);
602 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFD, FD_CLOEXEC);
603 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFL, O_NONBLOCK);
604
605 outf = fdopen (pipedes[STDIN_FILENO], "r");
606
607 if (outf == NULL)
608 {
609 aud_kill (FIL__, __LINE__, source->pid, SIGKILL);
610 close (pipedes[STDOUT_FILENO]);
611 waitpid (source->pid, NULL, 0);
612 source->pid = 0;
613 SL_RETURN( (NULL), _("sh_gpg_popen"));
614 }
615
616 SL_RETURN( (outf), _("sh_gpg_popen"));
617}
618
619
620static int sh_gpg_pclose (sh_gpg_popen_t *source)
621{
622 int status = 0;
623
624 SL_ENTER(_("sh_gpg_pclose"));
625
626 status = fclose(source->pipe);
627 if (status)
628 SL_RETURN( (-1), _("sh_gpg_pclose"));
629
630 if (waitpid(source->pid, NULL, 0) != source->pid)
631 status = -1;
632
633 source->pipe = NULL;
634 source->pid = 0;
635 SL_RETURN( (status), _("sh_gpg_pclose"));
636}
637
638static
639int sh_gpg_check_file_sign(int fd, char * sign_id, char * sign_fp,
640 char * homedir, int whichfile)
641{
642 struct stat buf;
643 char line[256];
644 sh_gpg_popen_t source;
645 int have_id = BAD, have_fp = BAD, status = 0;
646#ifdef WITH_PGP
647 char *ptr;
648#endif
649
650#ifdef HAVE_GPG_CHECKSUM
651 SL_TICKET checkfd;
652#endif
653
654 SL_ENTER(_("sh_gpg_check_file_sign"));
655
656 /* check whether GnuPG exists and has the correct checksum
657 */
658#if defined(WITH_GPG)
659
660 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
661 TPT(((0), FIL__, __LINE__, _("msg=<gpg is %s>\n"), DEFAULT_GPG_PATH));
662
663 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_GPG_PATH, &buf))
664 {
665 char errbuf[SH_ERRBUF_SIZE];
666
667 status = errno;
668 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
669 sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_GPG_PATH);
670 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
671 }
672
673 if (0 != tf_trust_check (DEFAULT_GPG_PATH, SL_YESPRIV))
674 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
675
676#ifdef HAVE_GPG_CHECKSUM
677 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_YESPRIV);
678
679 if (0 != sh_gpg_checksum(checkfd, 1))
680 {
681 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
682 _("Checksum mismatch"),
683 _("gpg_check_file_sign"));
684 sl_close(checkfd);
685 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
686 }
687 sl_close(checkfd);
688#endif
689
690#elif defined(WITH_PGP)
691
692 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
693 TPT(((0), FIL__, __LINE__, _("msg=<pgp is %s>\n"), DEFAULT_PGP_PATH));
694
695 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_PGP_PATH, &buf))
696 {
697 char errbuf[SH_ERRBUF_SIZE];
698
699 status = errno;
700 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
701 sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_PGP_PATH);
702 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
703 }
704 if (0 != tf_trust_check (DEFAULT_PGP_PATH, SL_YESPRIV))
705 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
706
707#ifdef HAVE_GPG_CHECKSUM
708 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_YESPRIV);
709
710 if (0 != sh_gpg_checksum(checkfd, 1))
711 {
712 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
713 _("Checksum mismatch"),
714 _("gpg_check_file_sign"));
715 sl_close(checkfd);
716 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
717 }
718 sl_close(checkfd);
719#endif
720
721#endif
722
723 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe to check signature>\n")));
724
725 fflush(NULL);
726
727 source.pipe = sh_gpg_popen ( &source, fd, 0, NULL, homedir );
728
729 if (NULL == source.pipe)
730 {
731 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
732 _("Could not open pipe"),
733 _("gpg_check_file_sign"));
734 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
735 }
736
737 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
738
739 xagain:
740
741 errno = 0;
742
743 while (NULL != fgets(line, sizeof(line), source.pipe))
744 {
745
746 TPT(((0), FIL__, __LINE__, _("msg=<gpg out: %s>\n"), line));
747 if (line[strlen(line)-1] == '\n')
748 line[strlen(line)-1] = ' ';
749 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
750 line,
751 _("gpg_check_file_sign"));
752
753 if (sl_strlen(line) < 18)
754 continue;
755#if defined(WITH_GPG)
756 /* Sun May 27 18:40:05 CEST 2001
757 */
758 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6) ||
759 0 == sl_strncmp(_("ERRSIG"), &line[9], 6) ||
760 0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6) ||
761 0 == sl_strncmp(_("NODATA"), &line[9], 6) ||
762 0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6))
763 {
764 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6)) {
765 dlog(1, FIL__, __LINE__,
766 _("%s file is signed, but the signature is invalid."),
767 ((whichfile == 1) ? _("Configuration") : _("Database")));
768 }
769 else if (0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6)) {
770 dlog(1, FIL__, __LINE__,
771 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
772 ((whichfile == 1) ? _("Configuration") : _("Database")),
773 homedir);
774 }
775 else if (0 == sl_strncmp(_("ERRSIG"), &line[9], 6)) {
776 dlog(1, FIL__, __LINE__,
777 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
778 ((whichfile == 1) ? _("Configuration") : _("Database")),
779 homedir);
780 }
781 else if (0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6)) {
782 dlog(1, FIL__, __LINE__,
783 _("%s file is signed, but the public key to verify the signature has expired."),
784 ((whichfile == 1) ? _("Configuration") : _("Database")));
785 }
786 else if (0 == sl_strncmp(_("NODATA"), &line[9], 6)) {
787 dlog(1, FIL__, __LINE__,
788 _("%s file is not signed."),
789 ((whichfile == 1) ? _("Configuration") : _("Database")));
790 }
791
792 have_fp = BAD; have_id = BAD;
793 break;
794 }
795 if (0 == sl_strncmp(_("GOODSIG"), &line[9], 7))
796 {
797 sl_strlcpy (sign_id, &line[25], SH_MINIBUF+1);
798 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing '"' */
799 have_id = GOOD;
800 }
801 if (0 == sl_strncmp(_("VALIDSIG"), &line[9], 8))
802 {
803 strncpy (sign_fp, &line[18], 40);
804 sign_fp[40] = '\0';
805 have_fp = GOOD;
806 }
807#elif defined(WITH_PGP)
808 if (0 == sl_strncmp(_("Bad signature"), line, 13) ||
809 0 == sl_strncmp(_("Error"), line, 5) ||
810 0 == sl_strncmp(_("Malformed"), line, 9) ||
811 0 == sl_strncmp(_("WARNING"), line, 7) ||
812 0 == sl_strncmp(_("ERROR"), line, 5)
813 )
814 {
815 have_fp = BAD; have_id = BAD;
816 break;
817 }
818 if (0 == sl_strncmp(_("Good signature"), line, 14))
819 {
820 ptr = strchr ( line, '"');
821 ++ptr;
822 sl_strlcpy (sign_id, ptr, SH_MINIBUF+1);
823 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing dot */
824 sign_id[sl_strlen(sign_id)-2] = '\0'; /* remove trailing '"' */
825 have_id = GOOD;
826 }
827#endif
828 }
829
830 if (ferror(source.pipe) && errno == EAGAIN)
831 {
832 clearerr(source.pipe);
833 goto xagain;
834 }
835
836 sh_gpg_pclose (&source);
837
838 TPT(((0), FIL__, __LINE__, _("msg=<Close pipe>\n")));
839
840#ifdef WITH_PGP
841 /* get the fingerprint */
842
843 source.pipe = sh_gpg_popen ( &source, fd, 1, sign_id, homedir);
844 if (NULL == source.pipe)
845 {
846 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
847 _("Could not open pipe for fp"),
848 _("gpg_check_file_sign"));
849 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
850 }
851
852 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
853
854 yagain:
855
856 errno = 0;
857
858 while (NULL != fgets(line, sizeof(line), source.pipe))
859 {
860#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
861 char * saveptr = NULL;
862#endif
863 if (line[strlen(line)-1] == '\n')
864 line[strlen(line)-1] = ' ';
865 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
866 line,
867 _("gpg_check_file_sign"));
868
869 if (sl_strlen(line) < 18)
870 continue;
871#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
872 ptr = strtok_r (line, " ", &saveptr);
873#else
874 ptr = strtok (line, " ");
875#endif
876 while (ptr)
877 {
878#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
879 ptr = strtok_r (NULL, " ", &saveptr);
880#else
881 ptr = strtok (NULL, " ");
882#endif
883 if (ptr && 0 == sl_strncmp (ptr, _("fingerprint"), 11))
884 {
885#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
886 ptr = strtok_r (NULL, " ", &saveptr); /* to '=' */
887#else
888 ptr = strtok (NULL, " "); /* to '=' */
889#endif
890 sign_fp[0] = '\0';
891 while (ptr)
892 {
893#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
894 ptr = strtok_r (NULL, " ", &saveptr); /* part of fingerprint */
895#else
896 ptr = strtok (NULL, " "); /* part of fingerprint */
897#endif
898 sl_strlcat (sign_fp, ptr, SH_MINIBUF+1);
899 }
900 /* sign_fp[sl_strlen(sign_fp)-1] = '\0'; remove trailing '\n' */
901 if (sl_strlen(sign_fp) > 0)
902 have_fp = GOOD;
903 break;
904 }
905 }
906 }
907
908 if (ferror(source.pipe) && errno == EAGAIN)
909 {
910 clearerr(source.pipe);
911 goto yagain;
912 }
913
914 sh_gpg_pclose (&source);
915#endif
916
917 if (have_id == GOOD)
918 {
919 TPT(((0), FIL__, __LINE__, _("msg=<Got signator ID>\n")));
920 ;
921 }
922 if (have_fp == GOOD)
923 {
924 TPT(((0), FIL__, __LINE__, _("msg=<Got fingerprint>\n")));
925 ;
926 }
927
928 if (have_id == GOOD && have_fp == GOOD)
929 SL_RETURN( SH_GPG_OK, _("sh_gpg_check_file_sign"));
930 else
931 {
932 if (have_id == BAD)
933 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
934 _("No good signature"),
935 _("gpg_check_file_sign"));
936 else
937 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
938 _("No fingerprint for key"),
939 _("gpg_check_file_sign"));
940 SL_RETURN( SH_GPG_BADSIGN, _("sh_gpg_check_file_sign"));
941 }
942}
943
944int get_the_fd(SL_TICKET file_1);
945
946int sh_gpg_check_sign (long file_1, long file_2, int what)
947{
948 int status = SH_GPG_BAD;
949 int fd1 = 0;
950 int fd2 = 0;
951 static int smsg = S_FALSE;
952 char * tmp;
953 char * tmp2;
954
955 char * homedir = sh.effective.home;
956#if defined(SH_WITH_SERVER)
957 struct passwd * tempres;
958#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
959 struct passwd pwd;
960 char buffer[SH_PWBUF_SIZE];
961#endif
962#endif
963
964#ifdef USE_FINGERPRINT
965#include "sh_gpg_fp.h"
966#endif
967
968 SL_ENTER(_("sh_gpg_check_sign"));
969
970
971 if (what == 0 || what == 1)
972 fd1 = get_the_fd(file_1);
973 if (what == 0 || what == 2)
974 fd2 = get_the_fd(file_2);
975
976
977 if (fd1 < 0 || fd2 < 0)
978 {
979 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
980 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
981 dlog(1, FIL__, __LINE__,
982 _("This looks like an unexpected internal error.\n"));
983 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_EXIT_ABORT1, sh.prg_name);
984 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
985 SL_RETURN( (-1), _("sh_gpg_check_sign"));
986 }
987
988 if (what == 0 || what == 1)
989 {
990 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
991#if defined(SH_WITH_SERVER)
992#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
993 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
994#else
995 tempres = sh_getpwnam(DEFAULT_IDENT);
996#endif
997
998 if ((tempres != NULL) && (0 == sl_ret_euid()))
999 {
1000 /* privileges not dropped yet*/
1001 homedir = tempres->pw_dir;
1002 }
1003#endif
1004 status = sh_gpg_check_file_sign(fd1, gp.conf_id, gp.conf_fp, homedir, 1);
1005 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGUSR: |%s|>\n"), gp.conf_id));
1006 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGFP: |%s|>\n"), gp.conf_fp));
1007 }
1008
1009 if ((what == 0 && SH_GPG_OK == status) || what == 2)
1010 {
1011 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
1012#if defined(SH_WITH_SERVER)
1013#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1014 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
1015#else
1016 tempres = sh_getpwnam(DEFAULT_IDENT);
1017#endif
1018
1019 if ((tempres != NULL) && (0 == sl_ret_euid()))
1020 {
1021 /* privileges not dropped yet*/
1022 homedir = tempres->pw_dir;
1023 }
1024#endif
1025 status = sh_gpg_check_file_sign(fd2, gp.data_id, gp.data_fp, homedir, 2);
1026 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGUSR: |%s|>\n"), gp.data_id));
1027 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGFP: |%s|>\n"), gp.data_fp));
1028 }
1029
1030 if (SH_GPG_OK == status && what == 1)
1031 {
1032#ifdef USE_FINGERPRINT
1033 if ((sl_strcmp(SH_GPG_FP, gp.conf_fp) == 0))
1034 {
1035 int i;
1036
1037 for(i = 0; i < (int) sl_strlen(gp.conf_fp); ++i)
1038 {
1039 if (gpgfp[i] != gp.conf_fp[i])
1040 {
1041 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0,
1042 MSG_E_GPG_FP,
1043 gpgfp, gp.conf_fp);
1044 break;
1045 }
1046 }
1047
1048 if (smsg == S_FALSE)
1049 {
1050 tmp = sh_util_safe_name(gp.conf_id);
1051 sh_gpg_fill_startup (__LINE__,
1052 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
1053 sh.prg_name, sh.real.uid,
1054 (sh.flag.hidefile == S_TRUE) ?
1055 _("(hidden)") : file_path('C', 'R'),
1056 tmp,
1057 gp.conf_fp);
1058 SH_FREE(tmp);
1059 }
1060 smsg = S_TRUE;
1061 SL_RETURN(0, _("sh_gpg_check_sign"));
1062 }
1063 else
1064 {
1065 /* fp mismatch
1066 */
1067 dlog(1, FIL__, __LINE__,
1068 _("The fingerprint of the signing key: %s\ndoes not match the compiled-in fingerprint: %s.\nTherefore the signature could not be verified.\n"),
1069 gp.conf_fp, SH_GPG_FP);
1070 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1071 _("Fingerprint mismatch"),
1072 _("gpg_check_sign"));
1073 status = SH_GPG_BADSIGN;
1074 }
1075#else
1076 if (smsg == S_FALSE)
1077 {
1078 tmp = sh_util_safe_name(gp.conf_id);
1079 sh_gpg_fill_startup (__LINE__,
1080 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
1081 sh.prg_name, sh.real.uid,
1082 (sh.flag.hidefile == S_TRUE) ?
1083 _("(hidden)") : file_path('C', 'R'),
1084 tmp,
1085 gp.conf_fp);
1086 SH_FREE(tmp);
1087 }
1088 smsg = S_TRUE;
1089 SL_RETURN(0, _("sh_gpg_check_sign"));
1090#endif
1091 }
1092
1093 else if (SH_GPG_OK == status && (what == 2 || what == 0))
1094 {
1095 if ((sl_strcmp(gp.data_id, gp.conf_id) == 0) &&
1096 (sl_strcmp(gp.data_fp, gp.conf_fp) == 0))
1097 {
1098 SL_RETURN(0, _("sh_gpg_check_sign"));
1099 }
1100 else
1101 {
1102 /* ID or fp not equal
1103 */
1104 dlog(1, FIL__, __LINE__,
1105 _("The fingerprint or ID of the signing key is not the same for the\nconfiguration file and the file signature database.\nTherefore the signature could not be verified.\n"));
1106 tmp = sh_util_safe_name (gp.conf_id);
1107 tmp2 = sh_util_safe_name (gp.data_id);
1108 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH2,
1109 sh.prg_name, sh.real.uid,
1110 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('C', 'R'),
1111 tmp, gp.conf_fp,
1112 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('D', 'R'),
1113 tmp2, gp.data_fp);
1114 SH_FREE(tmp);
1115 SH_FREE(tmp2);
1116 }
1117 }
1118
1119 if (status != SH_GPG_OK)
1120 {
1121 uid_t e_uid = sl_ret_euid();
1122 char * e_home = sh.effective.home;
1123
1124#if defined(SH_WITH_SERVER)
1125#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1126 struct passwd e_pwd;
1127 char e_buffer[SH_PWBUF_SIZE];
1128 struct passwd * e_tempres;
1129 sh_getpwnam_r(DEFAULT_IDENT, &e_pwd, e_buffer, sizeof(e_buffer), &e_tempres);
1130#else
1131 struct passwd * e_tempres = sh_getpwnam(DEFAULT_IDENT);
1132#endif
1133
1134 if ((e_tempres != NULL) && (0 == sl_ret_euid()))
1135 {
1136 /* privileges not dropped yet */
1137 e_uid = e_tempres->pw_uid;
1138 e_home = e_tempres->pw_dir;
1139 }
1140#endif
1141 dlog(1, FIL__, __LINE__,
1142 _("The signature of the configuration file or the file signature database\ncould not be verified. Possible reasons are:\n - gpg binary (%s) not found\n - invalid signature\n - the signature key is not in the private keyring of UID %d,\n - there is no keyring in %s/.gnupg, or\n - the file is not signed - did you move /filename.asc to /filename ?\nTo create a signed file, use (remove old signatures before):\n gpg -a --clearsign --not-dash-escaped FILE\n mv FILE.asc FILE\n"),
1143#if defined(WITH_GPG)
1144 DEFAULT_GPG_PATH,
1145#else
1146 DEFAULT_PGP_PATH,
1147#endif
1148 (int) e_uid, e_home);
1149 }
1150
1151 TPT(((0), FIL__, __LINE__, _("msg=<Status = %d>\n"), status));
1152
1153 sh_error_handle((-1), FIL__, __LINE__, status, MSG_EXIT_ABORT1, sh.prg_name);
1154 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
1155
1156 return (-1); /* make compiler happy */
1157}
1158
1159/* #ifdef WITH_GPG */
1160#endif
1161
1162
1163
1164
1165
1166
1167
1168
Note: See TracBrowser for help on using the repository browser.