Context Navigation

source: trunk/src/sh_sig.c@ 575

Last change on this file since 575 was 571, checked in by katerina, 3 years ago
Fix for ticket #459 (new gpg pubring name).
File size: 46.2 KB

Line
1	/* SAMHAIN file system integrity testing */
2	/* Copyright (C) 1999, 2000 Rainer Wichmann */
3	/* */
4	/* This program is free software; you can redistribute it */
5	/* and/or modify */
6	/* it under the terms of the GNU General Public License as */
7	/* published by */
8	/* the Free Software Foundation; either version 2 of the License, or */
9	/* (at your option) any later version. */
10	/* */
11	/* This program is distributed in the hope that it will be useful, */
12	/* but WITHOUT ANY WARRANTY; without even the implied warranty of */
13	/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
14	/* GNU General Public License for more details. */
15	/* */
16	/* You should have received a copy of the GNU General Public License */
17	/* along with this program; if not, write to the Free Software */
18	/* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
19
20	#include "config_xor.h"
21
22	#include <stdio.h>
23	#include <stdlib.h>
24
25
26	#if defined(WITH_SIG)
27
28	#include <unistd.h>
29	#include <fcntl.h>
30	#include <signal.h>
31	#if defined(SH_WITH_SERVER)
32	#include <pwd.h>
33	#endif
34	#include <sys/stat.h>
35	#include <sys/types.h>
36	#include <errno.h>
37	#include <sys/wait.h>
38
39	#include <string.h>
40	#ifdef HAVE_MEMORY_H
41	#include <memory.h>
42	#endif
43
44
45	#if !defined(O_NONBLOCK)
46	#if defined(O_NDELAY)
47	#define O_NONBLOCK O_NDELAY
48	#else
49	#define O_NONBLOCK 0
50	#endif
51	#endif
52
53
54	#include "samhain.h"
55	#include "sh_utils.h"
56	#include "sh_error.h"
57	#include "sh_tiger.h"
58	#if defined(SH_WITH_SERVER)
59	#define SH_NEED_PWD_GRP 1
60	#include "sh_static.h"
61	#endif
62	#include "sh_sig.h"
63
64	int get_the_fd(SL_TICKET file_1);
65
66	#if defined(WITH_GPG)
67	static struct {
68	char conf_id[SH_MINIBUF+1];
69	char conf_fp[SH_MINIBUF+1];
70	char data_id[SH_MINIBUF+1];
71	char data_fp[SH_MINIBUF+1];
72	} gp;
73	#endif
74
75	typedef struct {
76	pid_t pid;
77	FILE * pipe;
78	} sh_gpg_popen_t;
79
80	#define SH_SIG_OK 0
81	#define SH_SIG_BAD 1
82	#define SH_SIG_BADSIGN 2
83
84	/* replace #if 0 by #if 1 and set an appropriate path in front of '/pdbg.'
85	* for debugging
86	*/
87	#if 0
88	#define PDGBFILE "/pdbg."
89	#endif
90
91	#if defined(PDGBFILE)
92	FILE * pdbg;
93	FILE * pdbgc;
94	#define PDBG_OPEN pdbg = fopen(PDGBFILE"main", "a")
95	#define PDBG_CLOSE sl_fclose (FIL__, __LINE__, pdbg)
96	#define PDBG(arg) fprintf(pdbg, "PDBG: step %d\n", arg); fflush(pdbg)
97	#define PDBG_D(arg) fprintf(pdbg, "PDBG: %d\n", arg); fflush(pdbg)
98	#define PDBG_S(arg) fprintf(pdbg, "PDBG: %s\n", arg); fflush(pdbg)
99
100	#define PDBGC_OPEN pdbgc = fopen(PDGBFILE"child", "a")
101	#define PDBGC_CLOSE sl_fclose (FIL__, __LINE__, pdbgc)
102	#define PDBGC(arg) fprintf(pdbgc, "PDBG: step %d\n", arg); fflush(pdbgc)
103	#define PDBGC_D(arg) fprintf(pdbgc, "PDBG: %d\n", arg); fflush(pdbgc)
104	#define PDBGC_S(arg) fprintf(pdbgc, "PDBG: %s\n", arg); fflush(pdbgc)
105	#else
106	#define PDBG_OPEN
107	#define PDBG_CLOSE
108	#define PDBG(arg)
109	#define PDBG_D(arg)
110	#define PDBG_S(arg)
111	#define PDBGC_OPEN
112	#define PDBGC_CLOSE
113	#define PDBGC(arg)
114	#define PDBGC_D(arg)
115	#define PDBGC_S(arg)
116	#endif
117
118	#undef FIL__
119	#define FIL__ _("sh_sig.c")
120
121	#if defined(SIG_HASH) \|\| defined(SIG_KEY_HASH)
122
123	typedef enum { SIG_HASH_REPORT, SIG_HASH_REPORTFULL, SIG_HASH_OTHER } checksum_flag;
124
125	static int sh_sig_checksum (SL_TICKET checkfd, checksum_flag flag, const char * expected_in, const char * path)
126	{
127	char * test_sig;
128	char * expected = NULL;
129	char * test_ptr1 = NULL;
130	char * test_ptr2 = NULL;
131	char wstrip1[128];
132	char wstrip2[128];
133	int i, k;
134	#include "sh_sig_chksum.h"
135
136	SL_ENTER(_("sh_sig_checksum"));
137
138
139	if (flag == SIG_HASH_OTHER)
140	expected = sh_util_strdup(expected_in);
141
142	if (flag == SIG_HASH_OTHER)
143	test_sig = sh_tiger_hash_gpg (path, checkfd, TIGER_NOLIM);
144	else
145	test_sig = sh_tiger_hash_gpg (DEFAULT_SIG_PATH, checkfd, TIGER_NOLIM);
146
147	test_ptr1 = (flag == SIG_HASH_OTHER) ? strchr(expected, ':') : strchr(SIG_HASH, ':');
148	if (test_ptr1 != NULL)
149	test_ptr1 += 2;
150	else
151	test_ptr1 = (flag == SIG_HASH_OTHER) ? expected : SIG_HASH;
152
153	if (test_sig != NULL)
154	test_ptr2 = strchr(test_sig, ':');
155	if (test_ptr2 != NULL)
156	test_ptr2 += 2;
157	else
158	test_ptr2 = test_sig;
159
160	/* Tue Jun 24 23:11:54 CEST 2003 (1.7.9) -- strip whitespace
161	*/
162	k = 0;
163	for (i = 0; i < 127; ++i)
164	{
165	if (test_ptr1[i] == '\0')
166	break;
167	if (test_ptr1[i] != ' ')
168	{
169	wstrip1[k] = test_ptr1[i];
170	++k;
171	}
172	}
173	wstrip1[k] = '\0';
174
175	if (flag != SIG_HASH_OTHER)
176	{
177	for(i = 0; i < KEY_LEN; ++i)
178	{
179	if (sigchk[i] != wstrip1[i])
180	{
181	sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0, MSG_E_GPG_CHK,
182	sigchk, wstrip1);
183	break;
184	}
185	}
186	}
187
188	k = 0;
189	if (test_ptr2)
190	{
191	for (i = 0; i < 127; ++i)
192	{
193	if (test_ptr2[i] == '\0')
194	break;
195	if (test_ptr2[i] != ' ')
196	{
197	wstrip2[k] = test_ptr2[i];
198	++k;
199	}
200	}
201	}
202	wstrip2[k] = '\0';
203
204	if (0 != sl_strncmp(wstrip1, wstrip2, 127))
205	{
206	TPT(((0), FIL__, __LINE__, _("msg=<sig checksum: %s>\n"), test_sig));
207	TPT(((0), FIL__, __LINE__, _("msg=<compiled in : %s>\n"), (flag == SIG_HASH_OTHER) ? expected : SIG_HASH));
208	TPT(((0), FIL__, __LINE__, _("msg=<wstrip1 : %s>\n"), wstrip1));
209	TPT(((0), FIL__, __LINE__, _("msg=<wstrip2 : %s>\n"), wstrip2));
210	if (flag == SIG_HASH_REPORTFULL)
211	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_GPG,
212	SIG_HASH, test_sig);
213	if (flag == SIG_HASH_OTHER)
214	dlog(1, FIL__, __LINE__, _("The compiled-in checksum of the public key %s\n(%s)\ndoes not match the actual checksum\n(%s).\nYou need to recompile with the correct checksum."), path, wstrip1, wstrip2);
215	else
216	dlog(1, FIL__, __LINE__, _("The compiled-in checksum of the signature checking binary %s\n(%s)\ndoes not match the actual checksum\n(%s).\nYou need to recompile with the correct checksum."), DEFAULT_SIG_PATH, wstrip1, wstrip2);
217	SH_FREE(test_sig);
218	if (expected)
219	SH_FREE(expected);
220	SL_RETURN((-1), _("sh_sig_checksum"));
221	}
222	SH_FREE(test_sig);
223	if (expected)
224	SH_FREE(expected);
225	SL_RETURN( (0), _("sh_sig_checksum"));
226	}
227	#endif
228
229	struct startup_info {
230	long line;
231	char * program;
232	long uid;
233	char * path;
234	char * key_uid;
235	char * key_id;
236	};
237
238	static struct startup_info startInfo = { 0, NULL, 0, NULL, NULL, NULL };
239
240	static void sh_sig_fill_startup (long line, char * program, long uid, char * path,
241	char * key_uid, char * key_id)
242	{
243	startInfo.line = line;
244	startInfo.program = sh_util_strdup(program);
245	startInfo.uid = uid;
246	startInfo.path = sh_util_strdup(path);
247	if (key_uid)
248	startInfo.key_uid = sh_util_strdup(key_uid);
249	else
250	startInfo.key_uid = sh_util_strdup(_("(not given)"));
251	if (key_id)
252	startInfo.key_id = sh_util_strdup(key_id);
253	else
254	startInfo.key_id = sh_util_strdup(_("(not given)"));
255	return;
256	}
257
258	typedef enum { SIG_DATASIG, SIG_DATAONLY } extractlevel;
259
260
261	static FILE * sh_sig_popen (char const argv[], sh_gpg_popen_t source, int fd);
262
263
264	static FILE * sh_sig_popen (char const arg[], sh_gpg_popen_t source, int fd)
265	{
266	size_t len;
267	extern int flag_err_debug;
268	int pipedes[2];
269	FILE * outf = NULL;
270	char * envp[2];
271
272	#if defined(HAVE_SIG_CHECKSUM)
273	SL_TICKET checkfd = -1;
274	int myrand;
275	int i;
276	#if defined(__linux__)
277	int get_the_fd(SL_TICKET);
278	char pname[128];
279	int pfd;
280	int val_return;
281	#endif
282	#endif
283
284	SL_ENTER(_("sh_sig_popen"));
285
286	/* use homedir of effective user
287	*/
288	len = sl_strlen(sh.effective.home) + 6;
289	envp[0] = calloc(1, len); /* free() ok */
290	if (envp[0] != NULL)
291	sl_snprintf (envp[0], len, _("HOME=%s"), sh.effective.home);
292	envp[1] = NULL;
293
294	/* Create the pipe
295	*/
296	if (aud_pipe(FIL__, __LINE__, pipedes) < 0)
297	{
298	if (envp[0] != NULL)
299	free(envp[0]);
300	SL_RETURN( (NULL), _("sh_gpg_popen"));
301	}
302
303	fflush (NULL);
304
305	source->pid = aud_fork(FIL__, __LINE__);
306
307	/* Failure
308	*/
309	if (source->pid == (pid_t) - 1)
310	{
311	sl_close_fd(FIL__, __LINE__, pipedes[0]);
312	sl_close_fd(FIL__, __LINE__, pipedes[1]);
313	if (envp[0] != NULL)
314	free(envp[0]);
315	SL_RETURN( (NULL), _("sh_sig_popen"));
316	}
317
318	if (source->pid == (pid_t) 0)
319	{
320
321	/* child - make read side of the pipe stdout
322	*/
323	if (retry_aud_dup2(FIL__, __LINE__,
324	pipedes[STDOUT_FILENO], STDOUT_FILENO) < 0)
325	{
326	TPT(((0), FIL__, __LINE__, _("msg=<dup2 on pipe failed>\n")));
327	dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
328	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
329	}
330
331	/* close the pipe descriptors
332	*/
333	sl_close_fd (FIL__, __LINE__, pipedes[STDIN_FILENO]);
334	sl_close_fd (FIL__, __LINE__, pipedes[STDOUT_FILENO]);
335
336	if (retry_aud_dup2(FIL__, __LINE__, fd, STDIN_FILENO) < 0)
337	{
338	TPT(((0), FIL__, __LINE__, _("msg=<dup2 on fd failed>\n")));
339	dlog(1, FIL__, __LINE__, _("Internal error: dup2 failed\n"));
340	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
341	}
342
343	/* don't leak file descriptors
344	*/
345	sh_unix_closeall (3, -1, S_TRUE); /* in child process */
346
347	if (flag_err_debug != S_TRUE)
348	{
349	if (NULL == freopen(_("/dev/null"), "r+", stderr))
350	{
351	dlog(1, FIL__, __LINE__, _("Internal error: freopen failed\n"));
352	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
353	}
354	}
355
356
357	/* We should become privileged if SUID,
358	* to be able to read the keyring.
359	* We have checked that gpg is OK,
360	* AND that only a trusted user could overwrite
361	* gpg.
362	*/
363	memset (skey, 0, sizeof(sh_key_t));
364	aud_setuid(FIL__, __LINE__, geteuid());
365
366	PDBGC_OPEN;
367	PDBGC_D((int)getuid());
368	PDBGC_D((int)geteuid());
369
370	{
371	int i = 0;
372	while (arg[i] != NULL)
373	{
374	PDBGC_S(arg[i]);
375	++i;
376	}
377	}
378	PDBGC_CLOSE;
379
380	/* exec the program */
381
382	#if defined(__linux__) && defined(HAVE_SIG_CHECKSUM)
383	/*
384	* -- emulate an fexecve with checksum testing
385	*/
386	checkfd = sl_open_read(FIL__, __LINE__, DEFAULT_SIG_PATH, SL_NOPRIV);
387
388	if (0 != sh_sig_checksum(checkfd, SIG_HASH_REPORT, NULL, NULL))
389	{
390	sl_close(checkfd);
391	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
392	}
393
394	pfd = get_the_fd(checkfd);
395	do {
396	val_return = dup (pfd);
397	} while (val_return < 0 && errno == EINTR);
398	pfd = val_return;
399	sl_close(checkfd);
400	/* checkfd = -1; // never read */
401
402	sl_snprintf(pname, sizeof(pname), _("/proc/self/fd/%d"), pfd);
403	if (0 == access(pname, R_OK\|X_OK)) /* flawfinder: ignore */
404
405	{
406	fcntl (pfd, F_SETFD, FD_CLOEXEC);
407	retry_aud_execve (FIL__, __LINE__, pname, arg, envp);
408
409	dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
410	pname);
411	/* failed
412	*/
413	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
414	}
415
416	/* procfs not working, go ahead
417	*/
418	#endif
419
420	#if defined(HAVE_SIG_CHECKSUM)
421	/* This is an incredibly ugly kludge to prevent an attacker
422	* from knowing when it is safe to slip in a fake executable
423	* between the integrity check and the execve
424	*/
425	myrand = (int) taus_get ();
426
427	myrand = (myrand < 0) ? (-myrand) : myrand;
428	myrand = (myrand % 32) + 2;
429
430	for (i = 0; i < myrand; ++i)
431	{
432	checkfd = sl_open_fastread(FIL__, __LINE__,
433	DEFAULT_SIG_PATH, SL_NOPRIV);
434
435	if (0 != sh_sig_checksum(checkfd, SIG_HASH_REPORT, NULL, NULL)) {
436	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
437	}
438	sl_close(checkfd);
439	}
440	#endif
441
442	retry_aud_execve (FIL__, __LINE__, DEFAULT_SIG_PATH, arg, envp);
443	dlog(1, FIL__, __LINE__, _("Unexpected error: execve %s failed\n"),
444	DEFAULT_SIG_PATH);
445
446	/* failed
447	*/
448	TPT(((0), FIL__, __LINE__, _("msg=<execve failed>\n")));
449	dlog(1, FIL__, __LINE__, _("Unexpected error: execve failed\n"));
450	aud__exit(FIL__, __LINE__, EXIT_FAILURE);
451	}
452
453	/* parent
454	*/
455
456	if (envp[0] != NULL)
457	free(envp[0]);
458
459	sl_close_fd (FIL__, __LINE__, pipedes[STDOUT_FILENO]);
460	retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFD, FD_CLOEXEC);
461	retry_fcntl (FIL__, __LINE__, pipedes[STDIN_FILENO], F_SETFL, O_NONBLOCK);
462
463	outf = fdopen (pipedes[STDIN_FILENO], "r");
464
465	if (outf == NULL)
466	{
467	aud_kill (FIL__, __LINE__, source->pid, SIGKILL);
468	sl_close_fd (FIL__, __LINE__, pipedes[STDOUT_FILENO]);
469	waitpid (source->pid, NULL, 0);
470	source->pid = 0;
471	SL_RETURN( (NULL), _("sh_sig_popen"));
472	}
473
474	SL_RETURN( (outf), _("sh_sig_popen"));
475	}
476
477
478	static int sh_sig_pclose (sh_gpg_popen_t *source)
479	{
480	int status = 0;
481
482	SL_ENTER(_("sh_sig_pclose"));
483
484	status = sl_fclose(FIL__, __LINE__, source->pipe);
485	if (status)
486	SL_RETURN( (-1), _("sh_sig_pclose"));
487
488	if (waitpid(source->pid, NULL, 0) != source->pid)
489	status = -1;
490
491	source->pipe = NULL;
492	source->pid = 0;
493	SL_RETURN( (status), _("sh_sig_pclose"));
494	}
495
496	/* This is signify specific stuff
497	*/
498	#if defined(WITH_SIGNIFY)
499
500	#include <ctype.h>
501
502	static
503	int sh_signify_comp_comm(const char * line, size_t * commlen)
504	{
505	/* check for a valid comment line: not exceeding 1023 chars and
506	* starting with 'untrusted comment: ' */
507	static char cmp[SH_MINIBUF];
508	static size_t cmp_len = 0;
509
510	size_t len = sl_strlen(line);
511
512	if (cmp_len == 0) {
513	sl_strlcpy(cmp, _("untrusted comment: "), sizeof(cmp));
514	cmp_len = strlen(cmp);
515	}
516
517	if (line[len-1] == '\n') {
518	/* signify will replace the '\n' with '\0', so 1024 -> 1023, which fits */
519	if (len > 1024) return S_FALSE;
520	else *commlen = len;
521	} else {
522	if (len > 1023) return S_FALSE;
523	else *commlen = (len+1);
524	}
525
526	if (len >= cmp_len && 0 == strncmp(cmp, line, cmp_len))
527	return S_TRUE;
528	return S_FALSE;
529	}
530
531	static const char bto64_0[] = N_("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
532	static char bto64[65] = { '\0' };
533
534	static
535	int sh_signify_comp_sig(const char * line, size_t commlen)
536	{
537	char cmp[128];
538	char out[128];
539	size_t len = sl_strlen(line);
540	size_t i, j = 0;
541	int padf = 0;
542
543	if (bto64[0] == '\0')
544	memcpy(bto64, _(bto64_0), 65);
545
546	if (line[len-1] == '\n') {
547	if ((len+commlen) > 2047) return S_FALSE;
548	} else {
549	if ((len+commlen) > 2046) return S_FALSE;
550	}
551
552	for (i = 0; i < len; ++i)
553	{
554	if (isspace(line[i])) {
555	/* signify will skip arbitrary space, using isspace() */
556	continue;
557	}
558	if (line[i] == '=') {
559	if (padf > 1) /* more than two padding '=' */
560	return S_FALSE;
561	else
562	++padf;
563	} else if (!strchr(bto64, line[i]) \|\| (line[i] == '=' && padf > 0)) {
564	return S_FALSE;
565	}
566	if (j < sizeof(cmp)) {
567	cmp[j] = line[i]; ++j;
568	}
569	}
570
571	/* signature is 'Ed' + 8 byte random + 64 bytes = 74 bytes
572	* => 1 pad byte => 75 bytes => 100 b64 bytes */
573	if (j != 100 \|\| padf != 1)
574	return S_FALSE;
575
576	cmp[j] = '\0'; /* j == 100 */
577	sh_util_base64_dec((unsigned char ) out, (unsigned char ) cmp, j);
578	if(out[0] == 'E' && out[1] == 'd')
579	return S_TRUE;
580
581	return S_FALSE;
582	}
583	static
584	int sh_signify_msg_start(const char * line)
585	{
586	static int step = 0;
587	static size_t commlen = 0;
588
589	if (step == 0) {
590	if (S_TRUE == sh_signify_comp_comm(line, &commlen))
591	++step;
592	}
593	else if (step == 1) {
594	if (S_TRUE == sh_signify_comp_sig(line, commlen)) {
595	++step;
596	}
597	else {
598	step = 0; commlen = 0;
599	}
600	}
601	else if (step == 2) {
602	step = 0; commlen = 0;
603	return S_TRUE;
604	}
605	return S_FALSE;
606	}
607
608	static
609	int sh_signify_msg_startdata(const char * line)
610	{
611	(void) line;
612	return S_TRUE;
613	}
614
615	static
616	int sh_signify_msg_end(const char * line)
617	{
618	if (line[0] != '\0')
619	return S_FALSE;
620	return S_TRUE;
621	}
622
623	static
624	int sh_signify_data_end(const char * line)
625	{
626	if (line[0] == '[' && line[1] == 'E' && line[2] == 'O' &&
627	line[3] == 'F' && line[4] == ']')
628	return S_TRUE;
629	else if (line[0] != '\0')
630	return S_FALSE;
631	return S_TRUE;
632	}
633
634	static
635	SL_TICKET sh_signify_extract_signed(SL_TICKET fd, extractlevel extract_level)
636	{
637	const int fgets_buf_size = 16384;
638	FILE * fin_cp = NULL;
639	char * buf = NULL;
640	int bufc;
641	char * comment = NULL;
642	size_t commlen = 0;
643
644	int flag_comm = S_FALSE;
645	int flag_sig = S_FALSE;
646	SL_TICKET fdTmp = (-1);
647	SL_TICKET open_tmp (void);
648
649	/* extract the data and copy to temporary file
650	*/
651	fdTmp = open_tmp();
652	if (SL_ISERROR(fdTmp))
653	{
654	dlog(1, FIL__, __LINE__, _("Error opening temporary file.\n"));
655	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
656	_("Error opening temporary file."),
657	_("sh_signify_extract_signed"));
658	return -1;
659	}
660
661	fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
662	buf = SH_ALLOC(fgets_buf_size);
663
664	while (NULL != fgets(buf, fgets_buf_size, fin_cp))
665	{
666
667	bufc = 0;
668	while (bufc < fgets_buf_size) {
669	if (buf[bufc] == '\n') { ++bufc; break; }
670	++bufc;
671	}
672
673	if (flag_comm == S_FALSE)
674	{
675	if (sh_signify_comp_comm(buf, &commlen) == S_TRUE)
676	{
677	flag_comm = S_TRUE;
678	if (extract_level == SIG_DATASIG)
679	{
680	comment = sh_util_strdup(buf);
681	commlen = bufc;
682	}
683	}
684	continue;
685	}
686	else if (flag_comm == S_TRUE && flag_sig == S_FALSE)
687	{
688	if (sh_signify_comp_sig(buf, commlen) == S_TRUE)
689	{
690	flag_sig = S_TRUE;
691	if (extract_level == SIG_DATASIG)
692	{
693	sl_write(fdTmp, comment, commlen);
694	sl_write(fdTmp, buf, bufc);
695	}
696	if (comment != NULL)
697	SH_FREE(comment);
698	comment = NULL;
699	}
700	else
701	{
702	if (comment != NULL)
703	SH_FREE(comment);
704	comment = NULL; commlen = 0; flag_comm = 0;
705	}
706	continue;
707	}
708
709	if (flag_sig == S_TRUE)
710	{
711	sl_write(fdTmp, buf, bufc);
712	}
713	}
714	if (comment != NULL)
715	SH_FREE(comment);
716	sl_fclose(FIL__, __LINE__, fin_cp);
717	sl_rewind (fdTmp);
718
719	#if defined(SH_DEBUG_SIGNIFY)
720	fin_cp = fdopen(dup(get_the_fd(fdTmp)), "rb");
721	FILE * fout = fopen("xxx.out", "w+");
722	while (NULL != fgets(buf, fgets_buf_size, fin_cp))
723	{
724	fputs(buf, fout);
725	}
726	fclose(fout);
727	sl_rewind(fdTmp);
728	#endif
729
730	SH_FREE(buf);
731	return fdTmp;
732	}
733
734
735	static FILE * sh_signify_popen (sh_gpg_popen_t source, int fd, char homedir)
736	{
737	char path[256];
738	char cc1[32];
739	char cc2[32];
740	char cc3[32];
741	char cc4[SH_PATHBUF+32];
742	char cc5[32];
743	char cc6[32];
744	char * argv[9];
745	FILE * retval = NULL;
746
747	struct stat lbuf;
748	int status_stat = 0;
749
750	#ifdef HAVE_SIG_KEY_HASH
751	SL_TICKET checkfd;
752	#endif
753
754
755	SL_ENTER(_("sh_signify_popen"));
756
757	sl_strlcpy (path, DEFAULT_SIG_PATH, 256);
758
759	sl_strlcpy (cc1, _("-Vem"), 32);
760	sl_strlcpy (cc2, _("/dev/null"), 32);
761
762	sl_strlcpy (cc3, _("-p"), 32);
763	sl_strlcpy (cc4, homedir, SH_PATHBUF+32);
764	sl_strlcat (cc4, _("/.signify/"), SH_PATHBUF+32);
765	sl_strlcat (cc4, SH_INSTALL_NAME, SH_PATHBUF+32);
766	sl_strlcat (cc4, _(".pub"), SH_PATHBUF+32);
767
768	/* read signed message from stdin */
769	sl_strlcpy (cc5, _("-x"), 32);
770	sl_strlcpy (cc6, _("-"), 32);
771
772	status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
773	if (status_stat == -1)
774	{
775	dlog(1, FIL__, __LINE__,
776	_("Signify public key %s\ndoes not exist or is not accessible.\nPlease add the directory and put the key there\nto allow signature verification.\n"),
777	cc4);
778	sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
779	sh.prg_name);
780	aud_exit (FIL__, __LINE__, EXIT_FAILURE);
781	}
782	#ifdef HAVE_SIG_KEY_HASH
783	checkfd = sl_open_read(FIL__, __LINE__, cc4, SL_YESPRIV);
784
785	if (0 != sh_sig_checksum(checkfd, SIG_HASH_OTHER, SIG_KEY_HASH, cc4))
786	{
787	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
788	_("Checksum mismatch for signify public key"),
789	_("signify_popen"));
790	sl_close(checkfd);
791	sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
792	sh.prg_name);
793	aud_exit (FIL__, __LINE__, EXIT_FAILURE);
794	}
795	sl_close(checkfd);
796	#endif
797
798	argv[0] = path;
799	argv[1] = cc1;
800	argv[2] = cc2;
801	argv[3] = cc3;
802	argv[4] = cc4;
803	argv[5] = cc5;
804	argv[6] = cc6;
805	argv[7] = NULL;
806
807	retval = sh_sig_popen(argv, source, fd);
808	SL_RETURN((retval), _("sh_signify_popen"));
809	}
810
811	static
812	int sh_signify_check_file_sign(int fd, char * homedir)
813	{
814	struct stat buf;
815	char line[256];
816	sh_gpg_popen_t source;
817	int status = 0;
818	unsigned int n_goodsig = 0;
819	unsigned int n_lines = 0;
820
821	#ifdef HAVE_SIG_CHECKSUM
822	SL_TICKET checkfd;
823	#endif
824
825	SL_ENTER(_("sh_signify_check_file_sign"));
826
827	/* check whether signify exists and has the correct checksum
828	*/
829	TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
830	TPT(((0), FIL__, __LINE__, _("msg=<signify is %s>\n"), DEFAULT_SIG_PATH));
831
832	if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_SIG_PATH, &buf))
833	{
834	char errbuf[SH_ERRBUF_SIZE];
835
836	status = errno;
837	sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
838	sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_SIG_PATH);
839	SL_RETURN( SH_SIG_BAD, _("sh_signify_check_file_sign"));
840	}
841
842	if (0 != tf_trust_check (DEFAULT_SIG_PATH, SL_YESPRIV))
843	SL_RETURN( SH_SIG_BAD, _("sh_signify_check_file_sign"));
844
845	#ifdef HAVE_SIG_CHECKSUM
846	checkfd = sl_open_read(FIL__, __LINE__, DEFAULT_SIG_PATH, SL_YESPRIV);
847
848	if (0 != sh_sig_checksum(checkfd, SIG_HASH_REPORTFULL, NULL, NULL))
849	{
850	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
851	_("Checksum mismatch"),
852	_("signify_check_file_sign"));
853	sl_close(checkfd);
854	SL_RETURN( SH_SIG_BAD, _("sh_signify_check_file_sign"));
855	}
856	sl_close(checkfd);
857	#endif
858
859	TPT(((0), FIL__, __LINE__, _("msg=<Open pipe to check signature>\n")));
860
861	fflush(NULL);
862
863	source.pipe = sh_signify_popen ( &source, fd, homedir );
864
865	if (NULL == source.pipe)
866	{
867	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
868	_("Could not open pipe"),
869	_("signify_check_file_sign"));
870	SL_RETURN( SH_SIG_BAD, _("sh_signify_check_file_sign"));
871	}
872
873	TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
874
875	xagain:
876
877	errno = 0;
878
879	while (NULL != fgets(line, sizeof(line), source.pipe))
880	{
881	TPT(((0), FIL__, __LINE__, _("msg=<signify out: %s>\n"), line));
882	if (line[strlen(line)-1] == '\n')
883	line[strlen(line)-1] = ' ';
884	sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
885	line,
886	_("signify_check_file_sign"));
887
888	++n_lines;
889
890	/* the '\n' has been replaced with ' ' for logging */
891	if (0 == sl_strcmp(_("Signature Verified "), line))
892	{
893	++n_goodsig;
894	}
895	}
896
897	if (ferror(source.pipe) && errno == EAGAIN)
898	{
899	/* sleep 10 ms to avoid starving the gpg child writing to the pipe */
900	retry_msleep(0,10);
901	clearerr(source.pipe);
902	goto xagain;
903	}
904
905	if (0 != sh_sig_pclose (&source))
906	{
907	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
908	_("Error on closing process pipe"),
909	_("signify_check_file_sign"));
910	n_goodsig = 0;
911	}
912
913	TPT(((0), FIL__, __LINE__, _("msg=<Close pipe>\n")));
914
915	if (n_goodsig == 1 && n_lines == 1)
916	{
917	TPT(((0), FIL__, __LINE__, _("msg=<Signature Verified>\n")));
918	SL_RETURN( SH_SIG_OK, _("sh_signature_check_file_sign"));
919	}
920	else
921	{
922	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
923	_("Error verifying file signature"),
924	_("signify_check_file_sign"));
925	}
926	SL_RETURN( SH_SIG_BADSIGN, _("sh_signature_check_file_sign"));
927	}
928
929
930	int sh_signify_check_signature (SL_TICKET file, ShSigFile what)
931	{
932	int status = SH_SIG_BAD;
933	int fd = 0;
934
935	static int smsg = S_FALSE;
936
937	char * homedir = sh.effective.home;
938	char * home_alloc = NULL;
939	#if defined(SH_WITH_SERVER)
940	struct passwd * tempres;
941	#if defined(USE_GETPWNAM_R)
942	struct passwd pwd;
943	char * buffer = SH_ALLOC(SH_PWBUF_SIZE);
944	#endif
945	#endif
946
947	SL_ENTER(_("sh_signify_check_sign"));
948
949	(void) what;
950
951	fd = get_the_fd(file);
952
953	if (fd < 0)
954	{
955	TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD = %d>\n"), fd));
956	dlog(1, FIL__, __LINE__,
957	_("This looks like an unexpected internal error.\n"));
958	#if defined(SH_WITH_SERVER) && defined(USE_GETPWNAM_R)
959	SH_FREE(buffer);
960	#endif
961	SL_RETURN( (-1), _("sh_signify_check_sign"));
962	}
963
964	#if defined(SH_WITH_SERVER)
965	#if defined(USE_GETPWNAM_R)
966	sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, SH_PWBUF_SIZE, &tempres);
967	#else
968	tempres = sh_getpwnam(DEFAULT_IDENT);
969	#endif
970	if ((tempres != NULL) && (0 == sl_ret_euid()))
971	{
972	/* privileges not dropped yet*/
973	homedir = tempres->pw_dir;
974	}
975	#endif
976
977	home_alloc = sh_util_strdup(homedir);
978
979	TPT(((0), FIL__, __LINE__, _("msg=<SIGNIFY_CHECK: FD = %d>\n"), fd));
980	status = sh_signify_check_file_sign(fd, homedir);
981
982	if (status != SH_SIG_OK)
983	{
984	TPT(((0), FIL__, __LINE__, _("msg=<Status = %d>\n"), status));
985	dlog(1, FIL__, __LINE__,
986	_("The signature of the configuration file or the file signature database\ncould not be verified. Possible reasons are:\n - signify binary (%s) not found\n - invalid signature\n - there is no keyfile in %s/.signify/%s.pub, or\n - the file is not signed - did you move /filename.sig to /filename ?\nTo create a signed file, use (remove old signatures before):\n signify\|signify-openbsd -Se -s KEYNAME.sec -m FILE\n mv FILE.sig FILE\n"),
987	DEFAULT_SIG_PATH, home_alloc, SH_INSTALL_NAME);
988	SH_FREE(home_alloc);
989	SL_RETURN( (-1), _("sh_signify_check_sign"));
990	}
991
992	if (smsg == S_FALSE)
993	{
994	sh_sig_fill_startup (__LINE__,
995	sh.prg_name, sh.real.uid,
996	(sh.flag.hidefile == S_TRUE) ?
997	_("(hidden)") : file_path('C', 'R'),
998	NULL, NULL);
999	}
1000	smsg = S_TRUE;
1001
1002	SH_FREE(home_alloc);
1003	SL_RETURN(0, _("sh_signify_check_sign"));
1004	}
1005
1006	/* This is GPG specific stuff
1007	*/
1008	#elif defined(WITH_GPG)
1009	static FILE * sh_gpg_popen (sh_gpg_popen_t source, int fd, char homedir)
1010	{
1011	char path[256];
1012	char cc1[32];
1013	char cc2[32];
1014
1015	char cc0[2] = "-";
1016	char cc3[32];
1017	char cc4[SH_PATHBUF+32];
1018	char cc5[32];
1019	char * argv[9];
1020	FILE * retval = NULL;
1021
1022
1023	SL_ENTER(_("sh_gpg_popen"));
1024
1025	/* -- GnuPG -- */
1026	sl_strlcpy (path, DEFAULT_SIG_PATH, 256);
1027	sl_strlcpy (cc1, _("--status-fd"), 32);
1028	sl_strlcpy (cc2, _("--verify"), 32);
1029	sl_strlcpy (cc3, _("--homedir"), 32);
1030	/* sl_strlcpy (cc4, sh.effective.home, SH_PATHBUF+32); */
1031	sl_strlcpy (cc4, homedir, SH_PATHBUF+32);
1032	sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
1033	sl_strlcpy (cc5, _("--no-tty"), 32);
1034
1035	#if defined(SH_WITH_SERVER)
1036	if (0 == sl_ret_euid()) /* privileges not dropped yet */
1037	{
1038	struct stat lbuf;
1039	int status_stat = 0;
1040	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1041	struct passwd pwd;
1042	char * buffer = SH_ALLOC(SH_PWBUF_SIZE);
1043	struct passwd * tempres;
1044	sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, SH_PWBUF_SIZE, &tempres);
1045	#else
1046	struct passwd * tempres = sh_getpwnam(DEFAULT_IDENT);
1047	#endif
1048
1049	if (!tempres)
1050	{
1051	dlog(1, FIL__, __LINE__,
1052	_("User %s does not exist. Please add the user to your system.\n"),
1053	DEFAULT_IDENT);
1054	status_stat = -1;
1055	}
1056	if (!tempres->pw_dir \|\| tempres->pw_dir[0] == '\0')
1057	{
1058	dlog(1, FIL__, __LINE__,
1059	_("User %s does not have a home directory.\nPlease add the home directory for this user to your system.\n"),
1060	DEFAULT_IDENT);
1061	status_stat = -2;
1062	}
1063	if (status_stat == 0)
1064	{
1065	sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
1066	sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
1067	status_stat = retry_lstat(FIL__, __LINE__, cc4, &lbuf);
1068	if (status_stat == -1)
1069	{
1070	dlog(1, FIL__, __LINE__,
1071	_("Gnupg directory %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg or pubring.kbx) there\nto verify the configuration file.\n"),
1072	cc4, DEFAULT_IDENT);
1073	status_stat = -3;
1074	}
1075	}
1076	if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
1077	{
1078	dlog(1, FIL__, __LINE__,
1079	_("Gnupg directory %s\nis not owned by user %s.\n"),
1080	cc4, DEFAULT_IDENT);
1081	status_stat = -4;
1082	}
1083	if (status_stat == 0)
1084	{
1085	char cc4_test[SH_PATHBUF+32];
1086
1087	sl_strlcpy(cc4_test, cc4, SH_PATHBUF+32);
1088	sl_strlcat (cc4_test, _("/pubring.gpg"), SH_PATHBUF+32);
1089
1090	status_stat = retry_lstat(FIL__, __LINE__, cc4_test, &lbuf);
1091	if (status_stat == -1)
1092	{
1093	sl_strlcpy(cc4_test, cc4, SH_PATHBUF+32);
1094	sl_strlcat (cc4_test, _("/pubring.kbx"), SH_PATHBUF+32);
1095
1096	status_stat = retry_lstat(FIL__, __LINE__, cc4_test, &lbuf);
1097	if (status_stat == -1)
1098	{
1099	sl_strlcpy(cc4_test, cc4, SH_PATHBUF+32);
1100	sl_strlcat (cc4_test, _("/pubring.(gpg\|kbx)"), SH_PATHBUF+32);
1101
1102	dlog(1, FIL__, __LINE__,
1103	_("Gnupg public keyring %s for user %s\ndoes not exist or is not accessible.\nPlease add the directory and put the keyring (pubring.gpg or pubring.kbx) there\nto verify the configuration file.\n"),
1104	cc4_test, DEFAULT_IDENT);
1105	status_stat = -5;
1106	}
1107	}
1108	}
1109	if (status_stat == 0 && lbuf.st_uid != tempres->pw_uid)
1110	{
1111	dlog(1, FIL__, __LINE__,
1112	_("Gnupg public keyring %s\nis not owned by user %s.\n"),
1113	cc4, DEFAULT_IDENT);
1114	status_stat = -6;
1115	}
1116	if (status_stat != 0)
1117	{
1118	sh_error_handle((-1), FIL__, __LINE__, status_stat, MSG_EXIT_ABORT1,
1119	sh.prg_name);
1120	aud_exit (FIL__, __LINE__, EXIT_FAILURE);
1121	}
1122	sl_strlcpy (cc4, tempres->pw_dir, SH_PATHBUF+32);
1123	sl_strlcat (cc4, _("/.gnupg"), SH_PATHBUF+32);
1124	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && defined(HAVE_GETPWNAM_R)
1125	SH_FREE(buffer);
1126	#endif
1127	}
1128	#endif
1129
1130	argv[0] = path;
1131	argv[1] = cc1;
1132	argv[2] = "1";
1133	argv[3] = cc2;
1134	argv[4] = cc3;
1135	argv[5] = cc4;
1136	argv[6] = cc5;
1137	argv[7] = cc0;
1138	argv[8] = NULL;
1139
1140	retval = sh_sig_popen(argv, source, fd);
1141	SL_RETURN((retval), _("sh_gpg_popen"));
1142	}
1143
1144	static
1145	int sh_gpg_check_file_sign(int fd, char * sign_id, char * sign_fp,
1146	char * homedir, ShSigFile whichfile)
1147	{
1148	struct stat buf;
1149	char line[256];
1150	sh_gpg_popen_t source;
1151	int have_id = BAD, have_fp = BAD, status = 0;
1152	unsigned int n_newsig = 0;
1153	unsigned int n_goodsig = 0;
1154	unsigned int n_validsig = 0;
1155
1156	#ifdef HAVE_SIG_CHECKSUM
1157	SL_TICKET checkfd;
1158	#endif
1159
1160	SL_ENTER(_("sh_gpg_check_file_sign"));
1161
1162	/* check whether GnuPG exists and has the correct checksum
1163	*/
1164	TPT(((0), FIL__, __LINE__, _("msg=<Check signature>\n")));
1165	TPT(((0), FIL__, __LINE__, _("msg=<gpg is %s>\n"), DEFAULT_SIG_PATH));
1166
1167	if (0 != retry_lstat(FIL__, __LINE__, DEFAULT_SIG_PATH, &buf))
1168	{
1169	char errbuf[SH_ERRBUF_SIZE];
1170
1171	status = errno;
1172	sh_error_handle(SH_ERR_ERR, FIL__, __LINE__, status, MSG_ERR_LSTAT,
1173	sh_error_message(status, errbuf, sizeof(errbuf)), DEFAULT_SIG_PATH);
1174	SL_RETURN( SH_SIG_BAD, _("sh_gpg_check_file_sign"));
1175	}
1176
1177	if (0 != tf_trust_check (DEFAULT_SIG_PATH, SL_YESPRIV))
1178	SL_RETURN( SH_SIG_BAD, _("sh_gpg_check_file_sign"));
1179
1180	#ifdef HAVE_SIG_CHECKSUM
1181	checkfd = sl_open_read(FIL__, __LINE__, DEFAULT_SIG_PATH, SL_YESPRIV);
1182
1183	if (0 != sh_sig_checksum(checkfd, SIG_HASH_REPORTFULL, NULL, NULL))
1184	{
1185	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1186	_("Checksum mismatch"),
1187	_("gpg_check_file_sign"));
1188	sl_close(checkfd);
1189	SL_RETURN( SH_SIG_BAD, _("sh_gpg_check_file_sign"));
1190	}
1191	sl_close(checkfd);
1192	#endif
1193
1194	TPT(((0), FIL__, __LINE__, _("msg=<Open pipe to check signature>\n")));
1195
1196	fflush(NULL);
1197
1198	source.pipe = sh_gpg_popen ( &source, fd, homedir );
1199
1200	if (NULL == source.pipe)
1201	{
1202	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1203	_("Could not open pipe"),
1204	_("gpg_check_file_sign"));
1205	SL_RETURN( SH_SIG_BAD, _("sh_gpg_check_file_sign"));
1206	}
1207
1208	TPT(((0), FIL__, __LINE__, _("msg=<Open pipe success>\n")));
1209
1210	xagain:
1211
1212	errno = 0;
1213
1214	while (NULL != fgets(line, sizeof(line), source.pipe))
1215	{
1216
1217	TPT(((0), FIL__, __LINE__, _("msg=<gpg out: %s>\n"), line));
1218	if (line[strlen(line)-1] == '\n')
1219	line[strlen(line)-1] = ' ';
1220	sh_error_handle(SH_ERR_ALL, FIL__, __LINE__, 0, MSG_E_SUBGEN,
1221	line,
1222	_("gpg_check_file_sign"));
1223
1224	if (sl_strlen(line) < 12)
1225	continue;
1226
1227	/* Sun May 27 18:40:05 CEST 2001
1228	*/
1229	if (0 == sl_strncmp(_("BADSIG"), &line[9], 6) \|\|
1230	0 == sl_strncmp(_("ERRSIG"), &line[9], 6) \|\|
1231	0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6) \|\|
1232	0 == sl_strncmp(_("NODATA"), &line[9], 6) \|\|
1233	0 == sl_strncmp(_("ERROR"), &line[9], 5) \|\|
1234	0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6))
1235	{
1236	if (0 == sl_strncmp(_("BADSIG"), &line[9], 6)) {
1237	dlog(1, FIL__, __LINE__,
1238	_("%s file is signed, but the signature is invalid."),
1239	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")));
1240	}
1241	else if (0 == sl_strncmp(_("NO_PUBKEY"), &line[9], 6)) {
1242	dlog(1, FIL__, __LINE__,
1243	_("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
1244	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")),
1245	homedir);
1246	}
1247	else if (0 == sl_strncmp(_("ERRSIG"), &line[9], 6)) {
1248	dlog(1, FIL__, __LINE__,
1249	_("%s file is signed, but the public key to verify the signature is not in my keyring %s/.gnupg/pubring.asc."),
1250	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")),
1251	homedir);
1252	}
1253	else if (0 == sl_strncmp(_("SIGEXPIRED"), &line[9], 6)) {
1254	dlog(1, FIL__, __LINE__,
1255	_("%s file is signed, but the public key to verify the signature has expired."),
1256	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")));
1257	}
1258	else if (0 == sl_strncmp(_("NODATA"), &line[9], 6)) {
1259	dlog(1, FIL__, __LINE__,
1260	_("%s file is not signed."),
1261	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")));
1262	}
1263	else if (0 == sl_strncmp(_("ERROR"), &line[9], 5)) {
1264	dlog(1, FIL__, __LINE__,
1265	_("%s file is not correctly signed. An error occured while verifying the signature."),
1266	((whichfile == SIG_CONF) ? _("Configuration") : _("Database")));
1267	}
1268
1269	have_fp = BAD; have_id = BAD;
1270	break;
1271	}
1272	if (0 == sl_strncmp(_("GOODSIG"), &line[9], 7))
1273	{
1274	++n_goodsig;
1275	sl_strlcpy (sign_id, &line[25], SH_MINIBUF+1);
1276	if (sign_id)
1277	sign_id[sl_strlen(sign_id)-1] = '\0'; /* remove trailing '"' */
1278	have_id = GOOD;
1279	}
1280	else if (0 == sl_strncmp(_("VALIDSIG"), &line[9], 8))
1281	{
1282	++n_validsig;
1283	strncpy (sign_fp, &line[18], 40);
1284	sign_fp[40] = '\0';
1285	have_fp = GOOD;
1286	}
1287	else if (0 == sl_strncmp(_("NEWSIG"), &line[9], 6))
1288	{
1289	++n_newsig;
1290	}
1291
1292	}
1293
1294	if (ferror(source.pipe) && errno == EAGAIN)
1295	{
1296	/* sleep 10 ms to avoid starving the gpg child writing to the pipe */
1297	retry_msleep(0,10);
1298	clearerr(source.pipe);
1299	goto xagain;
1300	}
1301
1302	if (0 != sh_sig_pclose (&source))
1303	{
1304	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1305	_("Error on closing process pipe"),
1306	_("gpg_check_file_sign"));
1307	have_id = BAD;
1308	}
1309
1310	TPT(((0), FIL__, __LINE__, _("msg=<Close pipe>\n")));
1311
1312	if (n_goodsig != n_validsig \|\| n_newsig > 1 \|\| n_goodsig > 1)
1313	{
1314	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1315	_("Too many or invalid signatures"),
1316	_("gpg_check_file_sign"));
1317	have_id = BAD;
1318	}
1319
1320	if (have_id == GOOD)
1321	{
1322	TPT(((0), FIL__, __LINE__, _("msg=<Got signator ID>\n")));
1323	}
1324	if (have_fp == GOOD)
1325	{
1326	TPT(((0), FIL__, __LINE__, _("msg=<Got fingerprint>\n")));
1327	}
1328
1329	if (have_id == GOOD && have_fp == GOOD)
1330	SL_RETURN( SH_SIG_OK, _("sh_gpg_check_file_sign"));
1331	else
1332	{
1333	if (have_id == BAD)
1334	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1335	_("No good signature"),
1336	_("gpg_check_file_sign"));
1337	else
1338	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1339	_("No fingerprint for key"),
1340	_("gpg_check_file_sign"));
1341	SL_RETURN( SH_SIG_BADSIGN, _("sh_gpg_check_file_sign"));
1342	}
1343	}
1344
1345	#if defined(HAVE_PTHREAD) && defined (_POSIX_THREAD_SAFE_FUNCTIONS) && \
1346	defined(HAVE_GETPWNAM_R)
1347	#define USE_GETPWNAM_R 1
1348	#endif
1349
1350	static
1351	int sh_gpg_check_signature (SL_TICKET file, ShSigFile what)
1352	{
1353	int status = SH_SIG_BAD;
1354	int fd = 0;
1355
1356	static int smsg = S_FALSE;
1357	char * tmp;
1358
1359	char * sig_id;
1360	char * sig_fp;
1361
1362	char * homedir = sh.effective.home;
1363	#if defined(SH_WITH_SERVER)
1364	struct passwd * tempres;
1365	#if defined(USE_GETPWNAM_R)
1366	struct passwd pwd;
1367	char * buffer = SH_ALLOC(SH_PWBUF_SIZE);
1368	#endif
1369	#endif
1370
1371	#ifdef USE_FINGERPRINT
1372	#include "sh_gpg_fp.h"
1373	#endif
1374
1375	SL_ENTER(_("sh_gpg_check_sign"));
1376
1377
1378	if (what == SIG_CONF)
1379	fd = get_the_fd(file);
1380	if (what == SIG_DATA)
1381	fd = get_the_fd(file);
1382
1383
1384	if (fd < 0)
1385	{
1386	TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD = %d>\n"), fd));
1387	dlog(1, FIL__, __LINE__,
1388	_("This looks like an unexpected internal error.\n"));
1389	#if defined(SH_WITH_SERVER) && defined(USE_GETPWNAM_R)
1390	SH_FREE(buffer);
1391	#endif
1392	SL_RETURN( (-1), _("sh_gpg_check_sign"));
1393	}
1394
1395	#if defined(SH_WITH_SERVER)
1396	#if defined(USE_GETPWNAM_R)
1397	sh_getpwnam_r(DEFAULT_IDENT, &pwd, buffer, SH_PWBUF_SIZE, &tempres);
1398	#else
1399	tempres = sh_getpwnam(DEFAULT_IDENT);
1400	#endif
1401	if ((tempres != NULL) && (0 == sl_ret_euid()))
1402	{
1403	/* privileges not dropped yet*/
1404	homedir = tempres->pw_dir;
1405	}
1406	#endif
1407
1408	if (what == SIG_CONF)
1409	{
1410	TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD = %d>\n"), fd));
1411	status = sh_gpg_check_file_sign(fd, gp.conf_id, gp.conf_fp, homedir, SIG_CONF);
1412	TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGUSR: \|%s\|>\n"), gp.conf_id));
1413	TPT(((0), FIL__, __LINE__, _("msg=<CONF SIGFP: \|%s\|>\n"), gp.conf_fp));
1414	sig_id = gp.conf_id; sig_fp = gp.conf_fp;
1415	}
1416
1417	if (what == SIG_DATA)
1418	{
1419	TPT(((0), FIL__, __LINE__, _("msg=<GPG_CHECK: FD = %d>\n"), fd));
1420	status = sh_gpg_check_file_sign(fd, gp.data_id, gp.data_fp, homedir, SIG_DATA);
1421	TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGUSR: \|%s\|>\n"), gp.data_id));
1422	TPT(((0), FIL__, __LINE__, _("msg=<DATA SIGFP: \|%s\|>\n"), gp.data_fp));
1423	sig_id = gp.data_id; sig_fp = gp.data_fp;
1424	}
1425
1426	if (SH_SIG_OK == status)
1427	{
1428	#ifdef USE_FINGERPRINT
1429	if ((sl_strcmp(SH_GPG_FP, sig_fp) == 0))
1430	{
1431	int i;
1432
1433	for(i = 0; i < (int) sl_strlen(sig_fp); ++i) {
1434	if (gpgfp[i] != sig_fp[i]) {
1435	sh_error_handle(SH_ERR_SEVERE, FIL__, __LINE__, 0,
1436	MSG_E_GPG_FP, gpgfp, sig_fp);
1437	break; }
1438	}
1439
1440	if (smsg == S_FALSE) {
1441	tmp = sh_util_safe_name(sig_id);
1442	sh_sig_fill_startup (__LINE__, sh.prg_name, sh.real.uid,
1443	(sh.flag.hidefile == S_TRUE) ?
1444	_("(hidden)") : file_path('C', 'R'),
1445	tmp,
1446	sig_fp);
1447	SH_FREE(tmp); }
1448	smsg = S_TRUE;
1449
1450	#if defined(SH_WITH_SERVER) && defined(USE_GETPWNAM_R)
1451	SH_FREE(buffer);
1452	#endif
1453	SL_RETURN(0, _("sh_gpg_check_sign"));
1454	}
1455	else
1456	{
1457	/* fp mismatch */
1458	dlog(1, FIL__, __LINE__,
1459	_("The fingerprint of the signing key: %s\ndoes not match the compiled-in fingerprint: %s.\nTherefore the signature could not be verified.\n"),
1460	sig_fp, SH_GPG_FP);
1461	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1462	_("Fingerprint mismatch"), _("gpg_check_sign"));
1463	status = SH_SIG_BADSIGN;
1464	}
1465	#else /* ifdef USE_FINGERPRINT */
1466	if (smsg == S_FALSE)
1467	{
1468	tmp = sh_util_safe_name(sig_id);
1469	sh_sig_fill_startup (__LINE__,
1470	sh.prg_name, sh.real.uid,
1471	(sh.flag.hidefile == S_TRUE) ?
1472	_("(hidden)") : file_path('C', 'R'),
1473	tmp, sig_fp);
1474	SH_FREE(tmp);
1475	}
1476	smsg = S_TRUE;
1477
1478	#if defined(SH_WITH_SERVER) && defined(USE_GETPWNAM_R)
1479	SH_FREE(buffer);
1480	#endif
1481
1482	/* status == OK and no fp checking */
1483	SL_RETURN(0, _("sh_gpg_check_sign"));
1484	#endif /* !ifdef USE_FINGERPRINT */
1485	}
1486
1487	if (status != SH_SIG_OK)
1488	{
1489	uid_t e_uid = sl_ret_euid();
1490	char * e_home = sh.effective.home;
1491
1492	#if defined(SH_WITH_SERVER)
1493	#if defined(USE_GETPWNAM_R)
1494	struct passwd e_pwd;
1495	char * e_buffer = SH_ALLOC(SH_PWBUF_SIZE);
1496	struct passwd * e_tempres;
1497	sh_getpwnam_r(DEFAULT_IDENT, &e_pwd, e_buffer, SH_PWBUF_SIZE, &e_tempres);
1498	#else
1499	struct passwd * e_tempres = sh_getpwnam(DEFAULT_IDENT);
1500	#endif
1501
1502	if ((e_tempres != NULL) && (0 == sl_ret_euid()))
1503	{
1504	/* privileges not dropped yet */
1505	e_uid = e_tempres->pw_uid;
1506	e_home = e_tempres->pw_dir;
1507	}
1508	#endif
1509	dlog(1, FIL__, __LINE__,
1510	_("The signature of the configuration file or the file signature database\ncould not be verified. Possible reasons are:\n - gpg binary (%s) not found\n - invalid signature\n - the signature key is not in the private keyring of UID %d,\n - there is no keyring in %s/.gnupg, or\n - the file is not signed - did you move /filename.asc to /filename ?\nTo create a signed file, use (remove old signatures before):\n gpg -a --clearsign --not-dash-escaped FILE\n mv FILE.asc FILE\n"),
1511	DEFAULT_SIG_PATH,
1512	(int) e_uid, e_home);
1513
1514	#if defined(SH_WITH_SERVER) && defined(USE_GETPWNAM_R)
1515	SH_FREE(e_buffer);
1516	#endif
1517	}
1518
1519	TPT(((0), FIL__, __LINE__, _("msg=<Status = %d>\n"), status));
1520
1521	SL_RETURN(-1, _("sh_gpg_check_sign")); /* make compiler happy */
1522	}
1523
1524	static int sh_gpg_comp(const char * line, const char * cmp)
1525	{
1526	int retval = S_FALSE;
1527
1528	if (line && line[0] == '-' && line[1] == '-')
1529	{
1530	char * dup = sh_util_strdup(line);
1531	char * tmp = dup + sl_strlen( dup );
1532	--tmp;
1533	if (tmp == '\n') { tmp = '\0'; --tmp; }
1534	while( (tmp == '\t' \|\| tmp == ' ' \|\| tmp == '\r' ) && tmp >= dup ) tmp-- = '\0';
1535
1536	if (0 == sl_strcmp(dup, cmp))
1537	retval = S_TRUE;
1538	SH_FREE(dup);
1539	}
1540	return retval;
1541	}
1542
1543	static
1544	int sh_gpg_msg_start(const char * line)
1545	{
1546	static char cmp[SH_MINIBUF];
1547	static int initialized = 0;
1548
1549	if (initialized == 0) {
1550	sl_strlcpy(cmp, _("-----BEGIN PGP SIGNED MESSAGE-----"), sizeof(cmp));
1551	initialized = 1;
1552	}
1553	return sh_gpg_comp(line, cmp);
1554	}
1555
1556	static
1557	int sh_gpg_msg_startdata(const char * line)
1558	{
1559	if (line[0] == '\n')
1560	return S_TRUE;
1561	return S_FALSE;
1562	}
1563
1564	static
1565	int sh_gpg_msg_end(const char * line)
1566	{
1567	static char cmp[SH_MINIBUF];
1568	static int initialized = 0;
1569
1570	if (initialized == 0) {
1571	sl_strlcpy(cmp, _("-----BEGIN PGP SIGNATURE-----"), sizeof(cmp));
1572	initialized = 1;
1573	}
1574	return sh_gpg_comp(line, cmp);
1575	}
1576
1577	static
1578	int sh_gpg_sig_end(const char * line)
1579	{
1580	static char cmp[SH_MINIBUF];
1581	static int initialized = 0;
1582
1583	if (initialized == 0) {
1584	sl_strlcpy(cmp, _("-----END PGP SIGNATURE-----"), sizeof(cmp));
1585	initialized = 1;
1586	}
1587	return sh_gpg_comp(line, cmp);
1588	}
1589
1590	static
1591	SL_TICKET sh_gpg_extract_signed(SL_TICKET fd, extractlevel extract_level)
1592	{
1593	const int fgets_buf_size = 16384;
1594	FILE * fin_cp = NULL;
1595	char * buf = NULL;
1596	int bufc;
1597	int flag_pgp = S_FALSE;
1598	int flag_nohead = S_FALSE;
1599	SL_TICKET fdTmp = (-1);
1600	SL_TICKET open_tmp (void);
1601
1602	/* extract the data and copy to temporary file
1603	*/
1604	fdTmp = open_tmp();
1605	if (SL_ISERROR(fdTmp))
1606	{
1607	dlog(1, FIL__, __LINE__, _("Error opening temporary file.\n"));
1608	sh_error_handle((-1), FIL__, __LINE__, 0, MSG_E_SUBGEN,
1609	_("Error opening temporary file."),
1610	_("sh_gpg_extract_signed"));
1611	return -1;
1612	}
1613
1614	fin_cp = fdopen(dup(get_the_fd(fd)), "rb");
1615	buf = SH_ALLOC(fgets_buf_size);
1616
1617	while (NULL != fgets(buf, fgets_buf_size, fin_cp))
1618	{
1619	bufc = 0;
1620	while (bufc < fgets_buf_size) {
1621	if (buf[bufc] == '\n') { ++bufc; break; }
1622	++bufc;
1623	}
1624
1625	if (flag_pgp == S_FALSE && sh_gpg_msg_start(buf) == S_TRUE)
1626	{
1627	flag_pgp = S_TRUE;
1628	if (extract_level == SIG_DATASIG)
1629	sl_write(fdTmp, buf, bufc);
1630	continue;
1631	}
1632
1633	if (flag_pgp == S_TRUE && flag_nohead == S_FALSE)
1634	{
1635	/* Header finished */
1636	if (buf[0] == '\n')
1637	{
1638	flag_nohead = S_TRUE;
1639	if (extract_level == SIG_DATASIG)
1640	sl_write(fdTmp, buf, 1);
1641	continue;
1642	}
1643	/* copy these headers */
1644	else if (0 == sl_strncmp(buf, _("Hash:"), 5) \|\|
1645	0 == sl_strncmp(buf, _("NotDashEscaped:"), 15))
1646	{
1647	if (extract_level == SIG_DATASIG)
1648	sl_write(fdTmp, buf, bufc);
1649	continue;
1650	}
1651	/* ignore other headers */
1652	else
1653	continue;
1654	}
1655
1656	if (flag_pgp == S_TRUE && buf[0] == '\n')
1657	{
1658	sl_write(fdTmp, buf, 1);
1659	}
1660	else if (flag_pgp == S_TRUE)
1661	{
1662	if (extract_level == SIG_DATASIG) {
1663	sl_write(fdTmp, buf, bufc);
1664	}
1665	else {
1666	if (sh_gpg_msg_end(buf) == S_TRUE)
1667	break;
1668	else
1669	sl_write(fdTmp, buf, bufc);
1670	}
1671	}
1672
1673	/* This is after the copy has been done. */
1674	if (flag_pgp == S_TRUE && sh_gpg_sig_end(buf) == S_TRUE)
1675	break;
1676	}
1677	SH_FREE(buf);
1678	sl_fclose(FIL__, __LINE__, fin_cp);
1679	sl_rewind (fdTmp);
1680
1681	return fdTmp;
1682	}
1683	#endif
1684
1685	/*********************************************************************
1686	*
1687	* Exported functions
1688	*
1689	*********************************************************************/
1690
1691	int sh_sig_check_signature (SL_TICKET file, ShSigFile what)
1692	{
1693	#if defined(WITH_GPG)
1694	return sh_gpg_check_signature (file, what);
1695	#elif defined(WITH_SIGNIFY)
1696	return sh_signify_check_signature (file, what);
1697	#endif
1698	}
1699
1700	SL_TICKET sh_sig_extract_signed(SL_TICKET fd)
1701	{
1702	#if defined(WITH_GPG)
1703	return sh_gpg_extract_signed(fd, SIG_DATASIG);
1704	#elif defined(WITH_SIGNIFY)
1705	return sh_signify_extract_signed(fd, SIG_DATASIG);
1706	#endif
1707	}
1708
1709	SL_TICKET sh_sig_extract_signed_data(SL_TICKET fd)
1710	{
1711	#if defined(WITH_GPG)
1712	return sh_gpg_extract_signed(fd, SIG_DATAONLY);
1713	#elif defined(WITH_SIGNIFY)
1714	return sh_signify_extract_signed(fd, SIG_DATAONLY);
1715	#endif
1716	}
1717
1718	int sh_sig_msg_start(const char * line)
1719	{
1720	#if defined(WITH_GPG)
1721	return sh_gpg_msg_start(line);
1722	#elif defined(WITH_SIGNIFY)
1723	return sh_signify_msg_start(line);
1724	#endif
1725	}
1726
1727	int sh_sig_msg_startdata(const char * line)
1728	{
1729	#if defined(WITH_GPG)
1730	return sh_gpg_msg_startdata(line);
1731	#elif defined(WITH_SIGNIFY)
1732	return sh_signify_msg_startdata(line);
1733	#endif
1734	}
1735
1736	int sh_sig_msg_end(const char * line)
1737	{
1738	#if defined(WITH_GPG)
1739	return sh_gpg_msg_end(line);
1740	#elif defined(WITH_SIGNIFY)
1741	return sh_signify_msg_end(line);
1742	#endif
1743	}
1744
1745	int sh_sig_data_end(const char * line)
1746	{
1747	#if defined(WITH_GPG)
1748	return sh_gpg_sig_end(line);
1749	#elif defined(WITH_SIGNIFY)
1750	return sh_signify_data_end(line);
1751	#endif
1752	}
1753
1754	void sh_sig_log_startup (void)
1755	{
1756	if (startInfo.program != NULL)
1757	{
1758	sh_error_handle ((-1), FIL__, startInfo.line, 0, MSG_START_GH,
1759	startInfo.program, startInfo.uid,
1760	startInfo.path,
1761	startInfo.key_uid, startInfo.key_id);
1762	}
1763	return;
1764	}
1765
1766	/* #ifdef WITH_SIG */
1767	#endif
1768
1769
1770
1771
1772
1773
1774
1775

Note: See TracBrowser for help on using the repository browser.

Download in other formats: