You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

477 lines
15 KiB

  1. // -*- mode: cpp; mode: fold -*-
  2. // Include Files /*{{{*/
  3. #include <config.h>
  4. #include <apt-pkg/configuration.h>
  5. #include <apt-pkg/error.h>
  6. #include <apt-pkg/fileutl.h>
  7. #include <apt-pkg/gpgv.h>
  8. #include <apt-pkg/strutl.h>
  9. #include <errno.h>
  10. #include <fcntl.h>
  11. #include <stddef.h>
  12. #include <stdio.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15. #include <sys/wait.h>
  16. #include <unistd.h>
  17. #include <algorithm>
  18. #include <fstream>
  19. #include <iostream>
  20. #include <memory>
  21. #include <sstream>
  22. #include <string>
  23. #include <vector>
  24. #include <apti18n.h>
  25. /*}}}*/
  26. static bool GetLineErrno(std::unique_ptr<char, decltype(&free)> &buffer, size_t *n, FILE *stream, std::string const &InFile, bool acceptEoF = false)/*{{{*/
  27. {
  28. errno = 0;
  29. auto lineptr = buffer.release();
  30. auto const result = getline(&lineptr, n, stream);
  31. buffer.reset(lineptr);
  32. if (errno != 0)
  33. return _error->Errno("getline", "Could not read from %s", InFile.c_str());
  34. if (result == -1)
  35. {
  36. if (acceptEoF)
  37. return false;
  38. return _error->Error("Splitting of clearsigned file %s failed as it doesn't contain all expected parts", InFile.c_str());
  39. }
  40. // We remove all whitespaces including newline here as
  41. // a) gpgv ignores them for signature
  42. // b) we can write out a \n in code later instead of dealing with \r\n or not
  43. _strrstrip(buffer.get());
  44. return true;
  45. }
  46. /*}}}*/
  47. // ExecGPGV - returns the command needed for verify /*{{{*/
  48. // ---------------------------------------------------------------------
  49. /* Generating the commandline for calling gpg is somehow complicated as
  50. we need to add multiple keyrings and user supplied options.
  51. Also, as gpg has no options to enforce a certain reduced style of
  52. clear-signed files (=the complete content of the file is signed and
  53. the content isn't encoded) we do a divide and conquer approach here
  54. and split up the clear-signed file in message and signature for gpg.
  55. And as a cherry on the cake, we use our apt-key wrapper to do part
  56. of the lifting in regards to merging keyrings. Fun for the whole family.
  57. */
  58. static bool iovprintf(std::ostream &out, const char *format,
  59. va_list &args, ssize_t &size) {
  60. char *S = (char*)malloc(size);
  61. ssize_t const n = vsnprintf(S, size, format, args);
  62. if (n > -1 && n < size) {
  63. out << S;
  64. free(S);
  65. return true;
  66. } else {
  67. if (n > -1)
  68. size = n + 1;
  69. else
  70. size *= 2;
  71. }
  72. free(S);
  73. return false;
  74. }
  75. static void APT_PRINTF(4) apt_error(std::ostream &outterm, int const statusfd, int fd[2], const char *format, ...)
  76. {
  77. std::ostringstream outstr;
  78. std::ostream &out = (statusfd == -1) ? outterm : outstr;
  79. va_list args;
  80. ssize_t size = 400;
  81. while (true) {
  82. bool ret;
  83. va_start(args,format);
  84. ret = iovprintf(out, format, args, size);
  85. va_end(args);
  86. if (ret == true)
  87. break;
  88. }
  89. if (statusfd != -1)
  90. {
  91. auto const errtag = "[APTKEY:] ERROR ";
  92. outstr << '\n';
  93. auto const errtext = outstr.str();
  94. if (FileFd::Write(fd[1], errtag, strlen(errtag)) == false ||
  95. FileFd::Write(fd[1], errtext.data(), errtext.size()) == false)
  96. outterm << errtext << std::flush;
  97. }
  98. }
  99. void ExecGPGV(std::string const &File, std::string const &FileGPG,
  100. int const &statusfd, int fd[2], std::string const &key)
  101. {
  102. #define EINTERNAL 111
  103. std::string const aptkey = _config->Find("Dir::Bin::apt-key", CMAKE_INSTALL_FULL_BINDIR "/apt-key");
  104. bool const Debug = _config->FindB("Debug::Acquire::gpgv", false);
  105. struct exiter {
  106. std::vector<const char *> files;
  107. void operator ()(int code) APT_NORETURN {
  108. std::for_each(files.begin(), files.end(), unlink);
  109. exit(code);
  110. }
  111. } local_exit;
  112. std::vector<const char *> Args;
  113. Args.reserve(10);
  114. Args.push_back(aptkey.c_str());
  115. Args.push_back("--quiet");
  116. Args.push_back("--readonly");
  117. auto const keysFileFpr = VectorizeString(key, ',');
  118. for (auto const &k: keysFileFpr)
  119. {
  120. if (unlikely(k.empty()))
  121. continue;
  122. if (k[0] == '/')
  123. {
  124. Args.push_back("--keyring");
  125. Args.push_back(k.c_str());
  126. }
  127. else
  128. {
  129. Args.push_back("--keyid");
  130. Args.push_back(k.c_str());
  131. }
  132. }
  133. Args.push_back("verify");
  134. char statusfdstr[10];
  135. if (statusfd != -1)
  136. {
  137. Args.push_back("--status-fd");
  138. snprintf(statusfdstr, sizeof(statusfdstr), "%i", statusfd);
  139. Args.push_back(statusfdstr);
  140. }
  141. Configuration::Item const *Opts;
  142. Opts = _config->Tree("Acquire::gpgv::Options");
  143. if (Opts != 0)
  144. {
  145. Opts = Opts->Child;
  146. for (; Opts != 0; Opts = Opts->Next)
  147. {
  148. if (Opts->Value.empty() == true)
  149. continue;
  150. Args.push_back(Opts->Value.c_str());
  151. }
  152. }
  153. enum { DETACHED, CLEARSIGNED } releaseSignature = (FileGPG != File) ? DETACHED : CLEARSIGNED;
  154. std::unique_ptr<char, decltype(&free)> sig{nullptr, &free};
  155. std::unique_ptr<char, decltype(&free)> data{nullptr, &free};
  156. std::unique_ptr<char, decltype(&free)> conf{nullptr, &free};
  157. // Dump the configuration so apt-key picks up the correct Dir values
  158. {
  159. {
  160. std::string tmpfile;
  161. strprintf(tmpfile, "%s/apt.conf.XXXXXX", GetTempDir().c_str());
  162. conf.reset(strdup(tmpfile.c_str()));
  163. }
  164. if (conf == nullptr) {
  165. apt_error(std::cerr, statusfd, fd, "Couldn't create tempfile names for passing config to apt-key");
  166. local_exit(EINTERNAL);
  167. }
  168. int confFd = mkstemp(conf.get());
  169. if (confFd == -1) {
  170. apt_error(std::cerr, statusfd, fd, "Couldn't create temporary file %s for passing config to apt-key", conf.get());
  171. local_exit(EINTERNAL);
  172. }
  173. local_exit.files.push_back(conf.get());
  174. std::ofstream confStream(conf.get());
  175. close(confFd);
  176. _config->Dump(confStream);
  177. confStream.close();
  178. setenv("APT_CONFIG", conf.get(), 1);
  179. }
  180. if (releaseSignature == DETACHED)
  181. {
  182. std::unique_ptr<FILE, decltype(&fclose)> detached{fopen(FileGPG.c_str(), "r"), &fclose};
  183. if (detached.get() == nullptr)
  184. {
  185. apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' could not be opened", FileGPG.c_str());
  186. local_exit(EINTERNAL);
  187. }
  188. std::unique_ptr<char, decltype(&free)> buf{nullptr, &free};
  189. size_t buf_size = 0;
  190. bool open_signature = false;
  191. bool found_badcontent = false;
  192. size_t found_signatures = 0;
  193. while (GetLineErrno(buf, &buf_size, detached.get(), FileGPG, true))
  194. {
  195. if (open_signature && strcmp(buf.get(), "-----END PGP SIGNATURE-----") == 0)
  196. open_signature = false;
  197. else if (open_signature == false && strcmp(buf.get(), "-----BEGIN PGP SIGNATURE-----") == 0)
  198. {
  199. open_signature = true;
  200. ++found_signatures;
  201. }
  202. else if (open_signature == false)
  203. found_badcontent = true;
  204. }
  205. if (found_signatures == 0 && statusfd != -1)
  206. {
  207. // This is not an attack attempt but a file even gpgv would complain about
  208. // likely the result of a paywall which is covered by the gpgv method
  209. auto const errtag = "[GNUPG:] NODATA\n";
  210. FileFd::Write(fd[1], errtag, strlen(errtag));
  211. local_exit(113);
  212. }
  213. else if (found_badcontent)
  214. {
  215. apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' contains lines not belonging to a signature", FileGPG.c_str());
  216. local_exit(112);
  217. }
  218. if (open_signature == true)
  219. {
  220. apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' contains unclosed signatures", FileGPG.c_str());
  221. local_exit(112);
  222. }
  223. Args.push_back(FileGPG.c_str());
  224. Args.push_back(File.c_str());
  225. }
  226. else // clear-signed file
  227. {
  228. FileFd signature;
  229. if (GetTempFile("apt.sig", false, &signature) == nullptr)
  230. local_exit(EINTERNAL);
  231. sig.reset(strdup(signature.Name().c_str()));
  232. local_exit.files.push_back(sig.get());
  233. FileFd message;
  234. if (GetTempFile("apt.data", false, &message) == nullptr)
  235. local_exit(EINTERNAL);
  236. data.reset(strdup(message.Name().c_str()));
  237. local_exit.files.push_back(data.get());
  238. if (signature.Failed() == true || message.Failed() == true ||
  239. SplitClearSignedFile(File, &message, nullptr, &signature) == false)
  240. {
  241. apt_error(std::cerr, statusfd, fd, "Splitting up %s into data and signature failed", File.c_str());
  242. local_exit(112);
  243. }
  244. Args.push_back(sig.get());
  245. Args.push_back(data.get());
  246. }
  247. Args.push_back(NULL);
  248. if (Debug == true)
  249. {
  250. std::clog << "Preparing to exec: ";
  251. for (std::vector<const char *>::const_iterator a = Args.begin(); *a != NULL; ++a)
  252. std::clog << " " << *a;
  253. std::clog << std::endl;
  254. }
  255. if (statusfd != -1)
  256. {
  257. int const nullfd = open("/dev/null", O_WRONLY);
  258. close(fd[0]);
  259. // Redirect output to /dev/null; we read from the status fd
  260. if (statusfd != STDOUT_FILENO)
  261. dup2(nullfd, STDOUT_FILENO);
  262. if (statusfd != STDERR_FILENO)
  263. dup2(nullfd, STDERR_FILENO);
  264. // Redirect the pipe to the status fd (3)
  265. dup2(fd[1], statusfd);
  266. putenv((char *)"LANG=");
  267. putenv((char *)"LC_ALL=");
  268. putenv((char *)"LC_MESSAGES=");
  269. }
  270. // We have created tempfiles we have to clean up
  271. // and we do an additional check, so fork yet another time …
  272. pid_t pid = ExecFork();
  273. if(pid < 0) {
  274. apt_error(std::cerr, statusfd, fd, "Fork failed for %s to check %s", Args[0], File.c_str());
  275. local_exit(EINTERNAL);
  276. }
  277. if(pid == 0)
  278. {
  279. if (statusfd != -1)
  280. dup2(fd[1], statusfd);
  281. execvp(Args[0], (char **) &Args[0]);
  282. apt_error(std::cerr, statusfd, fd, "Couldn't execute %s to check %s", Args[0], File.c_str());
  283. local_exit(EINTERNAL);
  284. }
  285. // Wait and collect the error code - taken from WaitPid as we need the exact Status
  286. int Status;
  287. while (waitpid(pid,&Status,0) != pid)
  288. {
  289. if (errno == EINTR)
  290. continue;
  291. apt_error(std::cerr, statusfd, fd, _("Waited for %s but it wasn't there"), "apt-key");
  292. local_exit(EINTERNAL);
  293. }
  294. // check if it exit'ed normally …
  295. if (WIFEXITED(Status) == false)
  296. {
  297. apt_error(std::cerr, statusfd, fd, _("Sub-process %s exited unexpectedly"), "apt-key");
  298. local_exit(EINTERNAL);
  299. }
  300. // … and with a good exit code
  301. if (WEXITSTATUS(Status) != 0)
  302. {
  303. // we forward the statuscode, so don't generate a message on the fd in this case
  304. apt_error(std::cerr, -1, fd, _("Sub-process %s returned an error code (%u)"), "apt-key", WEXITSTATUS(Status));
  305. local_exit(WEXITSTATUS(Status));
  306. }
  307. // everything fine
  308. local_exit(0);
  309. }
  310. /*}}}*/
  311. // SplitClearSignedFile - split message into data/signature /*{{{*/
  312. bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
  313. std::vector<std::string> * const ContentHeader, FileFd * const SignatureFile)
  314. {
  315. std::unique_ptr<FILE, decltype(&fclose)> in{fopen(InFile.c_str(), "r"), &fclose};
  316. if (in.get() == nullptr)
  317. return _error->Errno("fopen", "can not open %s", InFile.c_str());
  318. struct ScopedErrors
  319. {
  320. ScopedErrors() { _error->PushToStack(); }
  321. ~ScopedErrors() { _error->MergeWithStack(); }
  322. } scoped;
  323. std::unique_ptr<char, decltype(&free)> buf{nullptr, &free};
  324. size_t buf_size = 0;
  325. // start of the message
  326. if (GetLineErrno(buf, &buf_size, in.get(), InFile) == false)
  327. return false; // empty or read error
  328. if (strcmp(buf.get(), "-----BEGIN PGP SIGNED MESSAGE-----") != 0)
  329. {
  330. // this might be an unsigned file we don't want to report errors for,
  331. // but still finish unsuccessful none the less.
  332. while (GetLineErrno(buf, &buf_size, in.get(), InFile, true))
  333. if (strcmp(buf.get(), "-----BEGIN PGP SIGNED MESSAGE-----") == 0)
  334. return _error->Error("Clearsigned file '%s' does not start with a signed message block.", InFile.c_str());
  335. return false;
  336. }
  337. // save "Hash" Armor Headers
  338. while (true)
  339. {
  340. if (GetLineErrno(buf, &buf_size, in.get(), InFile) == false)
  341. return false;
  342. if (*buf == '\0')
  343. break; // empty line ends the Armor Headers
  344. if (ContentHeader != NULL && strncmp(buf.get(), "Hash: ", strlen("Hash: ")) == 0)
  345. ContentHeader->push_back(buf.get());
  346. }
  347. // the message itself
  348. bool first_line = true;
  349. bool good_write = true;
  350. while (true)
  351. {
  352. if (good_write == false || GetLineErrno(buf, &buf_size, in.get(), InFile) == false)
  353. return false;
  354. if (strcmp(buf.get(), "-----BEGIN PGP SIGNATURE-----") == 0)
  355. {
  356. if (SignatureFile != nullptr)
  357. {
  358. good_write &= SignatureFile->Write(buf.get(), strlen(buf.get()));
  359. good_write &= SignatureFile->Write("\n", 1);
  360. }
  361. break;
  362. }
  363. // we don't have any fields which need dash-escaped,
  364. // but implementations are free to encode all lines …
  365. char const *dashfree = buf.get();
  366. if (strncmp(dashfree, "- ", 2) == 0)
  367. dashfree += 2;
  368. if (first_line == true) // first line does not need a newline
  369. first_line = false;
  370. else if (ContentFile != nullptr)
  371. good_write &= ContentFile->Write("\n", 1);
  372. if (ContentFile != nullptr)
  373. good_write &= ContentFile->Write(dashfree, strlen(dashfree));
  374. }
  375. // collect all signatures
  376. bool open_signature = true;
  377. while (true)
  378. {
  379. if (good_write == false)
  380. return false;
  381. if (GetLineErrno(buf, &buf_size, in.get(), InFile, true) == false)
  382. break;
  383. if (open_signature && strcmp(buf.get(), "-----END PGP SIGNATURE-----") == 0)
  384. open_signature = false;
  385. else if (open_signature == false && strcmp(buf.get(), "-----BEGIN PGP SIGNATURE-----") == 0)
  386. open_signature = true;
  387. else if (open_signature == false)
  388. return _error->Error("Clearsigned file '%s' contains unsigned lines.", InFile.c_str());
  389. if (SignatureFile != nullptr)
  390. {
  391. good_write &= SignatureFile->Write(buf.get(), strlen(buf.get()));
  392. good_write &= SignatureFile->Write("\n", 1);
  393. }
  394. }
  395. if (open_signature == true)
  396. return _error->Error("Signature in file %s wasn't closed", InFile.c_str());
  397. // Flush the files
  398. if (SignatureFile != nullptr)
  399. SignatureFile->Flush();
  400. if (ContentFile != nullptr)
  401. ContentFile->Flush();
  402. // Catch-all for "unhandled" read/sync errors
  403. if (_error->PendingError())
  404. return false;
  405. return true;
  406. }
  407. /*}}}*/
  408. bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &MessageFile) /*{{{*/
  409. {
  410. if (GetTempFile("clearsigned.message", true, &MessageFile) == nullptr)
  411. return false;
  412. if (MessageFile.Failed() == true)
  413. return _error->Error("Couldn't open temporary file to work with %s", ClearSignedFileName.c_str());
  414. _error->PushToStack();
  415. bool const splitDone = SplitClearSignedFile(ClearSignedFileName, &MessageFile, NULL, NULL);
  416. bool const errorDone = _error->PendingError();
  417. _error->MergeWithStack();
  418. if (splitDone == false)
  419. {
  420. MessageFile.Close();
  421. if (errorDone == true)
  422. return false;
  423. // we deal with an unsigned file
  424. MessageFile.Open(ClearSignedFileName, FileFd::ReadOnly);
  425. }
  426. else // clear-signed
  427. {
  428. if (MessageFile.Seek(0) == false)
  429. return _error->Errno("lseek", "Unable to seek back in message for file %s", ClearSignedFileName.c_str());
  430. }
  431. return MessageFile.Failed() == false;
  432. }
  433. /*}}}*/