source: trunk/src/sh_gpg.c@ 202

Last change on this file since 202 was 198, checked in by katerina, 16 years ago

If debug output is chosen, don't redirect gpg stderr to /dev/null
File size: 31.8 KB
Line 
1/* SAMHAIN file system integrity testing */
2/* Copyright (C) 1999, 2000 Rainer Wichmann */
3/* */
4/* This program is free software; you can redistribute it */
5/* and/or modify */
6/* it under the terms of the GNU General Public License as */
7/* published by */
8/* the Free Software Foundation; either version 2 of the License, or */
9/* (at your option) any later version. */
10/* */
11/* This program is distributed in the hope that it will be useful, */
12/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14/* GNU General Public License for more details. */
15/* */
16/* You should have received a copy of the GNU General Public License */
17/* along with this program; if not, write to the Free Software */
18/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20#include "config_xor.h"
21
22#include <stdio.h>
23#include <stdlib.h>
24
25
26#if defined(WITH_GPG) || defined(WITH_PGP)
27
28#include <unistd.h>
29#include <fcntl.h>
30#include <signal.h>
31#if defined(SH_WITH_SERVER)
32#include <pwd.h>
33#endif
34#include <sys/stat.h>
35#include <sys/types.h>
36#include <errno.h>
37#include <sys/wait.h>
38
39#include <string.h>
40#ifdef HAVE_MEMORY_H
41#include <memory.h>
42#endif
43
44
45#if !defined(O_NONBLOCK)
46#if defined(O_NDELAY)
47#define O_NONBLOCK O_NDELAY
48#else
49#define O_NONBLOCK 0
50#endif
51#endif
52
53
54#include "samhain.h"
55#include "sh_utils.h"
56#include "sh_error.h"
57#include "sh_tiger.h"
58#if defined(SH_WITH_SERVER)
59#define SH_NEED_PWD_GRP 1
60#include "sh_static.h"
61#endif
62
63static struct {
64 char conf_id[SH_MINIBUF+1];
65 char conf_fp[SH_MINIBUF+1];
66 char data_id[SH_MINIBUF+1];
67 char data_fp[SH_MINIBUF+1];
68} gp;
69
70typedef struct {
71 pid_t pid;
72 FILE * pipe;
73} sh_gpg_popen_t;
74
75#define SH_GPG_OK 0
76#define SH_GPG_BAD 1
77#define SH_GPG_BADSIGN 2
78
79/* replace #if 0 by #if 1 and set an appropriate path in front of '/pdbg.'
80 * for debugging
81 */
82#if 0
83#define PDGBFILE "/pdbg."
84#endif
85
86#if defined(PDGBFILE)
87FILE * pdbg;
88FILE * pdbgc;
89#define PDBG_OPEN pdbg = fopen(PDGBFILE"main", "a")
90#define PDBG_CLOSE fclose (pdbg)
91#define PDBG(arg) fprintf(pdbg, "PDBG: step %d\n", arg); fflush(pdbg)
92#define PDBG_D(arg) fprintf(pdbg, "PDBG: %d\n", arg); fflush(pdbg)
93#define PDBG_S(arg) fprintf(pdbg, "PDBG: %s\n", arg); fflush(pdbg)
94
95#define PDBGC_OPEN pdbgc = fopen(PDGBFILE"child", "a")
96#define PDBGC_CLOSE fclose (pdbgc)
97#define PDBGC(arg) fprintf(pdbgc, "PDBG: step %d\n", arg); fflush(pdbgc)
98#define PDBGC_D(arg) fprintf(pdbgc, "PDBG: %d\n", arg); fflush(pdbgc)
99#define PDBGC_S(arg) fprintf(pdbgc, "PDBG: %s\n", arg); fflush(pdbgc)
100#else
101#define PDBG_OPEN
102#define PDBG_CLOSE
103#define PDBG(arg)
104#define PDBG_D(arg)
105#define PDBG_S(arg)
106#define PDBGC_OPEN
107#define PDBGC_CLOSE
108#define PDBGC(arg)
109#define PDBGC_D(arg)
110#define PDBGC_S(arg)
111#endif
112
113#undef FIL__
114#define FIL__ _("sh_gpg.c")
115
116#ifdef GPG_HASH
117
118static int sh_gpg_checksum (SL_TICKET checkfd, int flag)
119{
120 char * test_gpg;
121 char * test_ptr1 = NULL;
122 char * test_ptr2 = NULL;
123 char wstrip1[128];
124 char wstrip2[128];
125 int i, k;
126#include "sh_gpg_chksum.h"
127
128 SL_ENTER(_("sh_gpg_checksum"));
129
130#if defined(WITH_PGP)
131 test_gpg = sh_tiger_hash_gpg (DEFAULT_PGP_PATH, checkfd, TIGER_NOLIM);
132#else
133 test_gpg = sh_tiger_hash_gpg (DEFAULT_GPG_PATH, checkfd, TIGER_NOLIM);
134#endif
135
136 test_ptr1 = strchr(GPG_HASH, ':');
137 if (test_gpg != NULL)
138 test_ptr2 = strchr(test_gpg, ':');
139
140 if (test_ptr2 != NULL)
141 test_ptr2 += 2;
142 else
143 test_ptr2 = test_gpg;
144 if (test_ptr1 != NULL)
145 test_ptr1 += 2;
146 else
147 test_ptr1 = GPG_HASH;
148
149 /* Tue Jun 24 23:11:54 CEST 2003 (1.7.9) -- strip whitespace
150 */
151 k = 0;
152 for (i = 0; i < 127; ++i)
153 {
154 if (test_ptr1[i] == '\0')
155 break;
156 if (test_ptr1[i] != ' ')
157 {
158 wstrip1[k] = test_ptr1[i];
159 ++k;
160 }
161 }
162 wstrip1[k] = '\0';
163
164 for(i = 0; i < KEY_LEN; ++i)
165 {
166 if (gpgchk[i] != wstrip1[i])
167 {
168 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0, MSG_E_GPG_CHK,
169 gpgchk, wstrip1);
170 break;
171 }
172 }
173
174 k = 0;
175 for (i = 0; i < 127; ++i)
176 {
177 if (test_ptr2[i] == '\0')
178 break;
179 if (test_ptr2[i] != ' ')
180 {
181 wstrip2[k] = test_ptr2[i];
182 ++k;
183 }
184 }
185 wstrip2[k] = '\0';
186
187 if (0 != sl_strncmp(wstrip1, wstrip2, 127))
188 {
189 TPT(((0), FIL__, __LINE__, _("msg=<pgp checksum: %s>\n"), test_gpg));
190 TPT(((0), FIL__, __LINE__, _("msg=<Compiled-in : %s>\n"), GPG_HASH));
191 TPT(((0), FIL__, __LINE__, _("msg=<wstrip1 : %s>\n"), wstrip1));
192 TPT(((0), FIL__, __LINE__, _("msg=<wstrip2 : %s>\n"), wstrip2));
193 if (flag == 1)
194 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_GPG,
195 GPG_HASH, test_gpg);
196 dlog(1, FIL__, __LINE__, _("The compiled-in checksum of the gpg binary\n(%s)\ndoes not match the actual checksum\n(%s).\nYou need to recompile with the correct checksum."), wstrip1, wstrip2);
197 SH_FREE(test_gpg);
198 SL_RETURN((-1), _("sh_gpg_checksum"));
199 }
200 SH_FREE(test_gpg);
201 SL_RETURN( (0), _("sh_gpg_checksum"));
202}
203#endif
204
205struct startup_info {
206 long line;
207 char * program;
208 long uid;
209 char * path;
210 char * key_uid;
211 char * key_id;
212};
213
214static struct startup_info startInfo = { 0, NULL, 0, NULL, NULL, NULL };
215
216void sh_gpg_log_startup (void)
217{
218 if (startInfo.program != NULL)
219 {
220 sh_error_handle ((-1), FIL__, startInfo.line, 0, MSG_START_GH,
221 startInfo.program, startInfo.uid,
222 startInfo.path,
223 startInfo.key_uid, startInfo.key_id);
224 }
225 return;
226}
227
228static void sh_gpg_fill_startup (long line, char * program, long uid, char * path,
229 char * key_uid, char * key_id)
230{
231 startInfo.line = line;
232 startInfo.program = sh_util_strdup(program);
233 startInfo.uid = uid;
234 startInfo.path = sh_util_strdup(path);
235 startInfo.key_uid = sh_util_strdup(key_uid);
236 startInfo.key_id = sh_util_strdup(key_id);
237 return;
238}
239
240static FILE * sh_gpg_popen (sh_gpg_popen_t *source, int fd,
241 int mode, char * id, char * homedir)
242{
243 extern int flag_err_debug;
244 int pipedes[2];
245 FILE * outf = NULL;
246 char * envp[2];
247 size_t len;
248 char path[256];
249 char cc1[32];
250 char cc2[32];
251#if defined(WITH_PGP)
252 char cc3[32];
253 char cc0[3] = "-f";
254#endif
255#if defined(WITH_GPG)
256 char cc0[2] = "-";
257 char cc3[32];
258 char cc4[SH_PATHBUF+32];
259 char cc5[32] = "--no-tty";
260#endif
261
262 char * arg[9];
263
264#if defined(HAVE_GPG_CHECKSUM)
265 SL_TICKET checkfd;
266 int myrand;
267 int i;
268#if defined(__linux__)
269 int get_the_fd(SL_TICKET);
270 char pname[128];
271 int pfd;
272#endif
273#endif
274
275 SL_ENTER(_("sh_gpg_popen"));
276
277#if defined(WITH_GPG)
278 /* -- GnuPG -- */
279 sl_strlcpy (path, DEFAULT_GPG_PATH, 256);
280 sl_strlcpy (cc1, _("--status-fd"), 32);
281 sl_strlcpy (cc2, _("--verify"), 32);
282 sl_strlcpy (cc3, _("--homedir"), 32);
283 /* sl_strlcpy (cc4, sh.effective.home, SH_PATHBUF+32); */
284 sl_strlcpy (cc4, homedir, SH_PATHBUF+32);
285 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
286
287 /* fprintf(stderr, "YULE: homedir=%s\n", homedir); */
288
289#if defined(SH_WITH_SERVER)
290 if (0 == sl_ret_euid()) /* privileges not dropped yet */
291 {
292 struct stat lbuf;
293 int status_stat = 0;
294#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
295 struct passwd pwd;
296 char buffer[SH_PWBUF_SIZE];
297 struct passwd * tempres;
298 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
299#else
300 struct passwd * tempres = sh_getpwnam(DEFAULT_IDENT);
301#endif
302
303 if (!tempres)
304 {
305 dlog(1, FIL__, __LINE__,
306 _("User %s does not exist. Please add the user to your system.\n"),
307 DEFAULT_IDENT);
308 status_stat = -1;
309 }
310 if (!tempres->pw_dir || tempres->pw_dir[0] == '\0')
311 {
312 dlog(1, FIL__, __LINE__,
313 _("User %s does not have a home directory.\nPlease add the home directory for this user to your system.\n"),
314 DEFAULT_IDENT);
315 status_stat = -2;
316 }
317 if (status_stat == 0)
318 {
319 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
320 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
321 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
322 if (status_stat == -1)
323 {
324 dlog(1, FIL__, __LINE__,
325 _("Gnupg directory %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
326 cc4, DEFAULT_IDENT);
327 status_stat = -3;
328 }
329 }
330 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
331 {
332 dlog(1, FIL__, __LINE__,
333 _("Gnupg directory %s\nis not owned by user %s.\n"),
334 cc4, DEFAULT_IDENT);
335 status_stat = -4;
336 }
337 if (status_stat == 0)
338 {
339 sl_strlcat (cc4, _("/pubring.gpg"), SH_PATHBUF+32);
340 status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
341 if (status_stat == -1)
342 {
343 dlog(1, FIL__, __LINE__,
344 _("Gnupg public keyring %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg) there\nto verify the configuration file.\n"),
345 cc4, DEFAULT_IDENT);
346 status_stat = -5;
347 }
348 }
349 if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
350 {
351 dlog(1, FIL__, __LINE__,
352 _("Gnupg public keyring %s\nis not owned by user %s.\n"),
353 cc4, DEFAULT_IDENT);
354 status_stat = -6;
355 }
356 if (status_stat != 0)
357 {
358 sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
359 sh.prg_name);
360 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
361 }
362 sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
363 sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
364 }
365#endif
366
367 arg[0] = path;
368 arg[1] = cc1;
369 arg[2] = "1";
370 arg[3] = cc2;
371 arg[4] = cc3;
372 arg[5] = cc4;
373 arg[6] = cc5;
374 arg[7] = cc0;
375 arg[8] = NULL;
376
377 /* catch 'unused parameter' compiler warning
378 */
379 (void) mode;
380 (void) id;
381#elif defined(WITH_PGP)
382 /* -- PGP -- */
383 sl_strlcpy (path, DEFAULT_PGP_PATH, 256);
384 if (mode == 0)
385 {
386 sl_strlcpy (cc1, _("+language=en"), 32);
387 sl_strlcpy (cc2, _("-o"), 32);
388 sl_strlcpy (cc3, _("/dev/null"), 32);
389
390 arg[0] = path;
391 arg[1] = cc1;
392 arg[2] = cc2;
393 arg[3] = cc3;
394 arg[4] = cc0;
395 arg[5] = NULL;
396 }
397 else
398 {
399 sl_strlcpy (cc1, _("+language=en"), 32);
400 sl_strlcpy (cc2, _("-kvc"), 32);
401
402 arg[0] = path;
403 arg[1] = cc1;
404 arg[2] = cc2;
405 arg[3] = id;
406 arg[4] = NULL;
407 arg[5] = NULL;
408 }
409#endif
410
411 /* use homedir of effective user
412 */
413 if (sh.effective.home != NULL)
414 {
415 len = sl_strlen(sh.effective.home) + 6;
416 envp[0] = malloc (len); /* free() ok */
417 if (envp[0] != NULL)
418 sl_snprintf (envp[0], len, "HOME=%s", sh.effective.home);
419 envp[1] = NULL;
420 }
421 else
422 {
423 envp[0] = NULL;
424 }
425
426 /* Create the pipe
427 */
428 if (aud_pipe(FIL__, __LINE__, pipedes) < 0)
429 {
430 if (envp[0] != NULL)
431 free(envp[0]);
432 SL_RETURN( (NULL), _("sh_gpg_popen"));
433 }
434
435 fflush (NULL);
436
437 source->pid = aud_fork(FIL__, __LINE__);
438
439 /* Failure
440 */
441 if (source->pid == (pid_t) - 1)
442 {
443 close(pipedes[0]);
444 close(pipedes[1]);
445 if (envp[0] != NULL)
446 free(envp[0]);
447 SL_RETURN( (NULL), _("sh_gpg_popen"));
448 }
449
450 if (source->pid == (pid_t) 0)
451 {
452
453 /* child - make read side of the pipe stdout
454 */
455 if (retry_aud_dup2(FIL__, __LINE__,
456 pipedes[STDOUT_FILENO], STDOUT_FILENO) < 0)
457 {
458 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on pipe failed>\n")));
459 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
460 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
461 }
462
463 /* close the pipe descriptors
464 */
465 close (pipedes[STDIN_FILENO]);
466 close (pipedes[STDOUT_FILENO]);
467
468
469#if defined(WITH_PGP)
470 if (mode == 0)
471 {
472 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
473 {
474 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
475 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
476 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
477 }
478 }
479#else
480 if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
481 {
482 TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
483 dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
484 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
485 }
486#endif
487
488 /* don't leak file descriptors
489 */
490 sh_unix_closeall (3, -1, SL_TRUE); /* in child process */
491
492 if (flag_err_debug != SL_TRUE)
493 {
494 if (NULL == freopen(_("/dev/null"), "r+", stderr))
495 {
496 dlog(1, FIL__, __LINE__, _("Internal error: freopen failed\n"));
497 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
498 }
499 }
500
501
502 /* We should become privileged if SUID,
503 * to be able to read the keyring.
504 * We have checked that gpg is OK,
505 * AND that only a trusted user could overwrite
506 * gpg.
507 */
508 memset (skey, '\0', sizeof(sh_key_t));
509 aud_setuid(FIL__, __LINE__, geteuid());
510
511 PDBGC_OPEN;
512 PDBGC_D((int)getuid());
513 PDBGC_D((int)geteuid());
514
515 {
516 int i = 0;
517 while (arg[i] != NULL)
518 {
519 PDBGC_S(arg[i]);
520 ++i;
521 }
522 }
523 PDBGC_CLOSE;
524
525 /* exec the program */
526
527#if defined(__linux__) && defined(HAVE_GPG_CHECKSUM)
528 /*
529 * -- emulate an fexecve with checksum testing
530 */
531#if defined(WITH_PGP)
532 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_NOPRIV);
533#else
534 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_NOPRIV);
535#endif
536
537 if (0 != sh_gpg_checksum(checkfd, 0))
538 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
539
540 pfd = get_the_fd(checkfd);
541 sl_snprintf(pname, sizeof(pname), _("/proc/self/fd/%d"), pfd);
542 if (0 == access(pname, R_OK|X_OK)) /* flawfinder: ignore */
543
544 {
545 fcntl (pfd, F_SETFD, FD_CLOEXEC);
546 retry_aud_execve (FIL__, __LINE__, pname, arg, envp);
547
548 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
549 pname);
550 /* failed
551 */
552 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
553 }
554
555 /* procfs not working, go ahead
556 */
557 sl_close(checkfd);
558#endif
559
560#if defined(HAVE_GPG_CHECKSUM)
561 /* This is an incredibly ugly kludge to prevent an attacker
562 * from knowing when it is safe to slip in a fake executable
563 * between the integrity check and the execve
564 */
565 myrand = (int) taus_get ();
566
567 myrand = (myrand < 0) ? (-myrand) : myrand;
568 myrand = (myrand % 32) + 2;
569
570 for (i = 0; i < myrand; ++i)
571 {
572#if defined(WITH_PGP)
573 checkfd = sl_open_fastread(DEFAULT_PGP_PATH, SL_NOPRIV);
574#else
575 checkfd = sl_open_fastread(DEFAULT_GPG_PATH, SL_NOPRIV);
576#endif
577 if (0 != sh_gpg_checksum(checkfd, 0)) {
578 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
579 }
580 sl_close(checkfd);
581 }
582#endif
583
584
585#if defined(WITH_GPG)
586 retry_aud_execve (FIL__, __LINE__, DEFAULT_GPG_PATH, arg, envp);
587 dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
588 DEFAULT_GPG_PATH);
589#elif defined(WITH_PGP)
590 retry_aud_execve (FIL__, __LINE__, DEFAULT_PGP_PATH, arg, envp);
591#endif
592
593 /* failed
594 */
595 TPT(((0), FIL__, __LINE__, _("msg=<execve failed>\n")));
596 dlog(1, FIL__, __LINE__, _("Unexpected error: execve failed\n"));
597 aud__exit(FIL__, __LINE__, EXIT_FAILURE);
598 }
599
600 /* parent
601 */
602
603 if (envp[0] != NULL)
604 free(envp[0]);
605
606 close (pipedes[STDOUT_FILENO]);
607 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFD, FD_CLOEXEC);
608 retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFL, O_NONBLOCK);
609
610 outf = fdopen (pipedes[STDIN_FILENO], "r");
611
612 if (outf == NULL)
613 {
614 aud_kill (FIL__, __LINE__, source->pid, SIGKILL);
615 close (pipedes[STDOUT_FILENO]);
616 waitpid (source->pid, NULL, 0);
617 source->pid = 0;
618 SL_RETURN( (NULL), _("sh_gpg_popen"));
619 }
620
621 SL_RETURN( (outf), _("sh_gpg_popen"));
622}
623
624
625static int sh_gpg_pclose (sh_gpg_popen_t *source)
626{
627 int status = 0;
628
629 SL_ENTER(_("sh_gpg_pclose"));
630
631 status = fclose(source->pipe);
632 if (status)
633 SL_RETURN( (-1), _("sh_gpg_pclose"));
634
635 if (waitpid(source->pid, NULL, 0) != source->pid)
636 status = -1;
637
638 source->pipe = NULL;
639 source->pid = 0;
640 SL_RETURN( (status), _("sh_gpg_pclose"));
641}
642
643static
644int sh_gpg_check_file_sign(int fd, char * sign_id, char * sign_fp,
645 char * homedir, int whichfile)
646{
647 struct stat buf;
648 char line[256];
649 sh_gpg_popen_t source;
650 int have_id = BAD, have_fp = BAD, status = 0;
651#ifdef WITH_PGP
652 char *ptr;
653#endif
654
655#ifdef HAVE_GPG_CHECKSUM
656 SL_TICKET checkfd;
657#endif
658
659 SL_ENTER(_("sh_gpg_check_file_sign"));
660
661 /* check whether GnuPG exists and has the correct checksum
662 */
663#if defined(WITH_GPG)
664
665 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
666 TPT(((0), FIL__, __LINE__, _("msg=<gpg is %s>\n"), DEFAULT_GPG_PATH));
667
668 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_GPG_PATH, &buf))
669 {
670 char errbuf[SH_ERRBUF_SIZE];
671
672 status = errno;
673 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
674 sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_GPG_PATH);
675 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
676 }
677
678 if (0 != tf_trust_check (DEFAULT_GPG_PATH, SL_YESPRIV))
679 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
680
681#ifdef HAVE_GPG_CHECKSUM
682 checkfd = sl_open_read(DEFAULT_GPG_PATH, SL_YESPRIV);
683
684 if (0 != sh_gpg_checksum(checkfd, 1))
685 {
686 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
687 _("Checksum mismatch"),
688 _("gpg_check_file_sign"));
689 sl_close(checkfd);
690 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
691 }
692 sl_close(checkfd);
693#endif
694
695#elif defined(WITH_PGP)
696
697 TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
698 TPT(((0), FIL__, __LINE__, _("msg=<pgp is %s>\n"), DEFAULT_PGP_PATH));
699
700 if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_PGP_PATH, &buf))
701 {
702 char errbuf[SH_ERRBUF_SIZE];
703
704 status = errno;
705 sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
706 sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_PGP_PATH);
707 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
708 }
709 if (0 != tf_trust_check (DEFAULT_PGP_PATH, SL_YESPRIV))
710 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
711
712#ifdef HAVE_GPG_CHECKSUM
713 checkfd = sl_open_read(DEFAULT_PGP_PATH, SL_YESPRIV);
714
715 if (0 != sh_gpg_checksum(checkfd, 1))
716 {
717 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
718 _("Checksum mismatch"),
719 _("gpg_check_file_sign"));
720 sl_close(checkfd);
721 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
722 }
723 sl_close(checkfd);
724#endif
725
726#endif
727
728 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe to check signature>\n")));
729
730 fflush(NULL);
731
732 source.pipe = sh_gpg_popen ( &source, fd, 0, NULL, homedir );
733
734 if (NULL == source.pipe)
735 {
736 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
737 _("Could not open pipe"),
738 _("gpg_check_file_sign"));
739 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
740 }
741
742 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
743
744 xagain:
745
746 errno = 0;
747
748 while (NULL != fgets(line, sizeof(line), source.pipe))
749 {
750
751 TPT(((0), FIL__, __LINE__, _("msg=<gpg out: %s>\n"), line));
752 if (line[strlen(line)-1] == '\n')
753 line[strlen(line)-1] = ' ';
754 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
755 line,
756 _("gpg_check_file_sign"));
757
758 if (sl_strlen(line) < 18)
759 continue;
760#if defined(WITH_GPG)
761 /* Sun May 27 18:40:05 CEST 2001
762 */
763 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6) ||
764 0 == sl_strncmp(_("ERRSIG"), &line[9], 6) ||
765 0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6) ||
766 0 == sl_strncmp(_("NODATA"), &line[9], 6) ||
767 0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6))
768 {
769 if (0 == sl_strncmp(_("BADSIG"), &line[9], 6)) {
770 dlog(1, FIL__, __LINE__,
771 _("%s file is signed, but the signature is invalid."),
772 ((whichfile == 1) ? _("Configuration") : _("Database")));
773 }
774 else if (0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6)) {
775 dlog(1, FIL__, __LINE__,
776 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
777 ((whichfile == 1) ? _("Configuration") : _("Database")),
778 homedir);
779 }
780 else if (0 == sl_strncmp(_("ERRSIG"), &line[9], 6)) {
781 dlog(1, FIL__, __LINE__,
782 _("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
783 ((whichfile == 1) ? _("Configuration") : _("Database")),
784 homedir);
785 }
786 else if (0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6)) {
787 dlog(1, FIL__, __LINE__,
788 _("%s file is signed, but the public key to verify the signature has expired."),
789 ((whichfile == 1) ? _("Configuration") : _("Database")));
790 }
791 else if (0 == sl_strncmp(_("NODATA"), &line[9], 6)) {
792 dlog(1, FIL__, __LINE__,
793 _("%s file is not signed."),
794 ((whichfile == 1) ? _("Configuration") : _("Database")));
795 }
796
797 have_fp = BAD; have_id = BAD;
798 break;
799 }
800 if (0 == sl_strncmp(_("GOODSIG"), &line[9], 7))
801 {
802 sl_strlcpy (sign_id, &line[25], SH_MINIBUF+1);
803 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing '"' */
804 have_id = GOOD;
805 }
806 if (0 == sl_strncmp(_("VALIDSIG"), &line[9], 8))
807 {
808 strncpy (sign_fp, &line[18], 40);
809 sign_fp[40] = '\0';
810 have_fp = GOOD;
811 }
812#elif defined(WITH_PGP)
813 if (0 == sl_strncmp(_("Bad signature"), line, 13) ||
814 0 == sl_strncmp(_("Error"), line, 5) ||
815 0 == sl_strncmp(_("Malformed"), line, 9) ||
816 0 == sl_strncmp(_("WARNING"), line, 7) ||
817 0 == sl_strncmp(_("ERROR"), line, 5)
818 )
819 {
820 have_fp = BAD; have_id = BAD;
821 break;
822 }
823 if (0 == sl_strncmp(_("Good signature"), line, 14))
824 {
825 ptr = strchr ( line, '"');
826 ++ptr;
827 sl_strlcpy (sign_id, ptr, SH_MINIBUF+1);
828 sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing dot */
829 sign_id[sl_strlen(sign_id)-2] = '\0'; /* remove trailing '"' */
830 have_id = GOOD;
831 }
832#endif
833 }
834
835 if (ferror(source.pipe) && errno == EAGAIN)
836 {
837 clearerr(source.pipe);
838 goto xagain;
839 }
840
841 sh_gpg_pclose (&source);
842
843 TPT(((0), FIL__, __LINE__, _("msg=<Close pipe>\n")));
844
845#ifdef WITH_PGP
846 /* get the fingerprint */
847
848 source.pipe = sh_gpg_popen ( &source, fd, 1, sign_id, homedir);
849 if (NULL == source.pipe)
850 {
851 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
852 _("Could not open pipe for fp"),
853 _("gpg_check_file_sign"));
854 SL_RETURN( SH_GPG_BAD, _("sh_gpg_check_file_sign"));
855 }
856
857 TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
858
859 yagain:
860
861 errno = 0;
862
863 while (NULL != fgets(line, sizeof(line), source.pipe))
864 {
865#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
866 char * saveptr = NULL;
867#endif
868 if (line[strlen(line)-1] == '\n')
869 line[strlen(line)-1] = ' ';
870 sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
871 line,
872 _("gpg_check_file_sign"));
873
874 if (sl_strlen(line) < 18)
875 continue;
876#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
877 ptr = strtok_r (line, " ", &saveptr);
878#else
879 ptr = strtok (line, " ");
880#endif
881 while (ptr)
882 {
883#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
884 ptr = strtok_r (NULL, " ", &saveptr);
885#else
886 ptr = strtok (NULL, " ");
887#endif
888 if (ptr && 0 == sl_strncmp (ptr, _("fingerprint"), 11))
889 {
890#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
891 ptr = strtok_r (NULL, " ", &saveptr); /* to '=' */
892#else
893 ptr = strtok (NULL, " "); /* to '=' */
894#endif
895 sign_fp[0] = '\0';
896 while (ptr)
897 {
898#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_STRTOK_R)
899 ptr = strtok_r (NULL, " ", &saveptr); /* part of fingerprint */
900#else
901 ptr = strtok (NULL, " "); /* part of fingerprint */
902#endif
903 sl_strlcat (sign_fp, ptr, SH_MINIBUF+1);
904 }
905 /* sign_fp[sl_strlen(sign_fp)-1] = '\0'; remove trailing '\n' */
906 if (sl_strlen(sign_fp) > 0)
907 have_fp = GOOD;
908 break;
909 }
910 }
911 }
912
913 if (ferror(source.pipe) && errno == EAGAIN)
914 {
915 clearerr(source.pipe);
916 goto yagain;
917 }
918
919 sh_gpg_pclose (&source);
920#endif
921
922 if (have_id == GOOD)
923 {
924 TPT(((0), FIL__, __LINE__, _("msg=<Got signator ID>\n")));
925 ;
926 }
927 if (have_fp == GOOD)
928 {
929 TPT(((0), FIL__, __LINE__, _("msg=<Got fingerprint>\n")));
930 ;
931 }
932
933 if (have_id == GOOD && have_fp == GOOD)
934 SL_RETURN( SH_GPG_OK, _("sh_gpg_check_file_sign"));
935 else
936 {
937 if (have_id == BAD)
938 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
939 _("No good signature"),
940 _("gpg_check_file_sign"));
941 else
942 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
943 _("No fingerprint for key"),
944 _("gpg_check_file_sign"));
945 SL_RETURN( SH_GPG_BADSIGN, _("sh_gpg_check_file_sign"));
946 }
947}
948
949int get_the_fd(SL_TICKET file_1);
950
951int sh_gpg_check_sign (long file_1, long file_2, int what)
952{
953 int status = SH_GPG_BAD;
954 int fd1 = 0;
955 int fd2 = 0;
956 static int smsg = S_FALSE;
957 char * tmp;
958 char * tmp2;
959
960 char * homedir = sh.effective.home;
961#if defined(SH_WITH_SERVER)
962 struct passwd * tempres;
963#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
964 struct passwd pwd;
965 char buffer[SH_PWBUF_SIZE];
966#endif
967#endif
968
969#ifdef USE_FINGERPRINT
970#include "sh_gpg_fp.h"
971#endif
972
973 SL_ENTER(_("sh_gpg_check_sign"));
974
975
976 if (what == 0 || what == 1)
977 fd1 = get_the_fd(file_1);
978 if (what == 0 || what == 2)
979 fd2 = get_the_fd(file_2);
980
981
982 if (fd1 < 0 || fd2 < 0)
983 {
984 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
985 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
986 dlog(1, FIL__, __LINE__,
987 _("This looks like an unexpected internal error.\n"));
988 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_EXIT_ABORT1, sh.prg_name);
989 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
990 SL_RETURN( (-1), _("sh_gpg_check_sign"));
991 }
992
993 if (what == 0 || what == 1)
994 {
995 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD1 = %d>\n"), fd1));
996#if defined(SH_WITH_SERVER)
997#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
998 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
999#else
1000 tempres = sh_getpwnam(DEFAULT_IDENT);
1001#endif
1002
1003 if ((tempres != NULL) && (0 == sl_ret_euid()))
1004 {
1005 /* privileges not dropped yet*/
1006 homedir = tempres->pw_dir;
1007 }
1008#endif
1009 status = sh_gpg_check_file_sign(fd1, gp.conf_id, gp.conf_fp, homedir, 1);
1010 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGUSR: |%s|>\n"), gp.conf_id));
1011 TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGFP: |%s|>\n"), gp.conf_fp));
1012 }
1013
1014 if ((what == 0 && SH_GPG_OK == status) || what == 2)
1015 {
1016 TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD2 = %d>\n"), fd2));
1017#if defined(SH_WITH_SERVER)
1018#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1019 sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, sizeof(buffer), &tempres);
1020#else
1021 tempres = sh_getpwnam(DEFAULT_IDENT);
1022#endif
1023
1024 if ((tempres != NULL) && (0 == sl_ret_euid()))
1025 {
1026 /* privileges not dropped yet*/
1027 homedir = tempres->pw_dir;
1028 }
1029#endif
1030 status = sh_gpg_check_file_sign(fd2, gp.data_id, gp.data_fp, homedir, 2);
1031 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGUSR: |%s|>\n"), gp.data_id));
1032 TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGFP: |%s|>\n"), gp.data_fp));
1033 }
1034
1035 if (SH_GPG_OK == status && what == 1)
1036 {
1037#ifdef USE_FINGERPRINT
1038 if ((sl_strcmp(SH_GPG_FP, gp.conf_fp) == 0))
1039 {
1040 int i;
1041
1042 for(i = 0; i < (int) sl_strlen(gp.conf_fp); ++i)
1043 {
1044 if (gpgfp[i] != gp.conf_fp[i])
1045 {
1046 sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0,
1047 MSG_E_GPG_FP,
1048 gpgfp, gp.conf_fp);
1049 break;
1050 }
1051 }
1052
1053 if (smsg == S_FALSE)
1054 {
1055 tmp = sh_util_safe_name(gp.conf_id);
1056 sh_gpg_fill_startup (__LINE__,
1057 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
1058 sh.prg_name, sh.real.uid,
1059 (sh.flag.hidefile == S_TRUE) ?
1060 _("(hidden)") : file_path('C', 'R'),
1061 tmp,
1062 gp.conf_fp);
1063 SH_FREE(tmp);
1064 }
1065 smsg = S_TRUE;
1066 SL_RETURN(0, _("sh_gpg_check_sign"));
1067 }
1068 else
1069 {
1070 /* fp mismatch
1071 */
1072 dlog(1, FIL__, __LINE__,
1073 _("The fingerprint of the signing key: %s\ndoes not match the compiled-in fingerprint: %s.\nTherefore the signature could not be verified.\n"),
1074 gp.conf_fp, SH_GPG_FP);
1075 sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1076 _("Fingerprint mismatch"),
1077 _("gpg_check_sign"));
1078 status = SH_GPG_BADSIGN;
1079 }
1080#else
1081 if (smsg == S_FALSE)
1082 {
1083 tmp = sh_util_safe_name(gp.conf_id);
1084 sh_gpg_fill_startup (__LINE__,
1085 /* sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH, */
1086 sh.prg_name, sh.real.uid,
1087 (sh.flag.hidefile == S_TRUE) ?
1088 _("(hidden)") : file_path('C', 'R'),
1089 tmp,
1090 gp.conf_fp);
1091 SH_FREE(tmp);
1092 }
1093 smsg = S_TRUE;
1094 SL_RETURN(0, _("sh_gpg_check_sign"));
1095#endif
1096 }
1097
1098 else if (SH_GPG_OK == status && (what == 2 || what == 0))
1099 {
1100 if ((sl_strcmp(gp.data_id, gp.conf_id) == 0) &&
1101 (sl_strcmp(gp.data_fp, gp.conf_fp) == 0))
1102 {
1103 SL_RETURN(0, _("sh_gpg_check_sign"));
1104 }
1105 else
1106 {
1107 /* ID or fp not equal
1108 */
1109 dlog(1, FIL__, __LINE__,
1110 _("The fingerprint or ID of the signing key is not the same for the\nconfiguration file and the file signature database.\nTherefore the signature could not be verified.\n"));
1111 tmp = sh_util_safe_name (gp.conf_id);
1112 tmp2 = sh_util_safe_name (gp.data_id);
1113 sh_error_handle ((-1), FIL__, __LINE__, 0, MSG_START_GH2,
1114 sh.prg_name, sh.real.uid,
1115 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('C', 'R'),
1116 tmp, gp.conf_fp,
1117 (sh.flag.hidefile == S_TRUE) ? _("(hidden)") : file_path('D', 'R'),
1118 tmp2, gp.data_fp);
1119 SH_FREE(tmp);
1120 SH_FREE(tmp2);
1121 }
1122 }
1123
1124 if (status != SH_GPG_OK)
1125 {
1126 uid_t e_uid = sl_ret_euid();
1127 char * e_home = sh.effective.home;
1128
1129#if defined(SH_WITH_SERVER)
1130#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1131 struct passwd e_pwd;
1132 char e_buffer[SH_PWBUF_SIZE];
1133 struct passwd * e_tempres;
1134 sh_getpwnam_r(DEFAULT_IDENT, &e_pwd, e_buffer, sizeof(e_buffer), &e_tempres);
1135#else
1136 struct passwd * e_tempres = sh_getpwnam(DEFAULT_IDENT);
1137#endif
1138
1139 if ((e_tempres != NULL) && (0 == sl_ret_euid()))
1140 {
1141 /* privileges not dropped yet */
1142 e_uid = e_tempres->pw_uid;
1143 e_home = e_tempres->pw_dir;
1144 }
1145#endif
1146 dlog(1, FIL__, __LINE__,
1147 _("The signature of the configuration file or the file signature database\ncould not be verified. Possible reasons are:\n - gpg binary (%s) not found\n - invalid signature\n - the signature key is not in the private keyring of UID %d,\n - there is no keyring in %s/.gnupg, or\n - the file is not signed - did you move /filename.asc to /filename ?\nTo create a signed file, use (remove old signatures before):\n gpg -a --clearsign --not-dash-escaped FILE\n mv FILE.asc FILE\n"),
1148#if defined(WITH_GPG)
1149 DEFAULT_GPG_PATH,
1150#else
1151 DEFAULT_PGP_PATH,
1152#endif
1153 (int) e_uid, e_home);
1154 }
1155
1156 TPT(((0), FIL__, __LINE__, _("msg=<Status = %d>\n"), status));
1157
1158 sh_error_handle((-1), FIL__, __LINE__, status, MSG_EXIT_ABORT1, sh.prg_name);
1159 aud_exit (FIL__, __LINE__, EXIT_FAILURE);
1160
1161 return (-1); /* make compiler happy */
1162}
1163
1164/* #ifdef WITH_GPG */
1165#endif
1166
1167
1168
1169
1170
1171
1172
1173
Note: See TracBrowser for help on using the repository browser.