]>
Commit | Line | Data |
---|---|---|
1 | #include <config.h> | |
2 | ||
3 | #include <apt-pkg/configuration.h> | |
4 | #include <apt-pkg/error.h> | |
5 | #include <apt-pkg/gpgv.h> | |
6 | #include <apt-pkg/strutl.h> | |
7 | #include <apt-pkg/fileutl.h> | |
8 | #include "aptmethod.h" | |
9 | ||
10 | #include <ctype.h> | |
11 | #include <errno.h> | |
12 | #include <stddef.h> | |
13 | #include <stdio.h> | |
14 | #include <stdlib.h> | |
15 | #include <string.h> | |
16 | #include <sys/wait.h> | |
17 | #include <unistd.h> | |
18 | ||
19 | #include <array> | |
20 | #include <algorithm> | |
21 | #include <sstream> | |
22 | #include <iterator> | |
23 | #include <iostream> | |
24 | #include <string> | |
25 | #include <vector> | |
26 | ||
27 | #include <apti18n.h> | |
28 | ||
29 | using std::string; | |
30 | using std::vector; | |
31 | ||
32 | #define GNUPGPREFIX "[GNUPG:]" | |
33 | #define GNUPGBADSIG "[GNUPG:] BADSIG" | |
34 | #define GNUPGERRSIG "[GNUPG:] ERRSIG" | |
35 | #define GNUPGNOPUBKEY "[GNUPG:] NO_PUBKEY" | |
36 | #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG" | |
37 | #define GNUPGGOODSIG "[GNUPG:] GOODSIG" | |
38 | #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG" | |
39 | #define GNUPGEXPSIG "[GNUPG:] EXPSIG" | |
40 | #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG" | |
41 | #define GNUPGNODATA "[GNUPG:] NODATA" | |
42 | ||
43 | struct Digest { | |
44 | enum class State { | |
45 | Untrusted, | |
46 | Weak, | |
47 | Trusted, | |
48 | } state; | |
49 | char name[32]; | |
50 | ||
51 | State getState() const { | |
52 | std::string optionUntrusted; | |
53 | std::string optionWeak; | |
54 | strprintf(optionUntrusted, "APT::Hashes::%s::Untrusted", name); | |
55 | strprintf(optionWeak, "APT::Hashes::%s::Weak", name); | |
56 | if (_config->FindB(optionUntrusted, state == State::Untrusted) == true) | |
57 | return State::Untrusted; | |
58 | if (_config->FindB(optionWeak, state == State::Weak) == true) | |
59 | return State::Weak; | |
60 | ||
61 | return state; | |
62 | } | |
63 | }; | |
64 | ||
65 | static constexpr Digest Digests[] = { | |
66 | {Digest::State::Untrusted, "Invalid digest"}, | |
67 | {Digest::State::Untrusted, "MD5"}, | |
68 | {Digest::State::Weak, "SHA1"}, | |
69 | {Digest::State::Weak, "RIPE-MD/160"}, | |
70 | {Digest::State::Trusted, "Reserved digest"}, | |
71 | {Digest::State::Trusted, "Reserved digest"}, | |
72 | {Digest::State::Trusted, "Reserved digest"}, | |
73 | {Digest::State::Trusted, "Reserved digest"}, | |
74 | {Digest::State::Trusted, "SHA256"}, | |
75 | {Digest::State::Trusted, "SHA384"}, | |
76 | {Digest::State::Trusted, "SHA512"}, | |
77 | {Digest::State::Trusted, "SHA224"}, | |
78 | }; | |
79 | ||
80 | static Digest FindDigest(std::string const & Digest) | |
81 | { | |
82 | int id = atoi(Digest.c_str()); | |
83 | if (id >= 0 && static_cast<unsigned>(id) < _count(Digests)) { | |
84 | return Digests[id]; | |
85 | } else { | |
86 | return Digests[0]; | |
87 | } | |
88 | } | |
89 | ||
90 | struct Signer { | |
91 | std::string key; | |
92 | std::string note; | |
93 | }; | |
94 | static bool IsTheSameKey(std::string const &validsig, std::string const &goodsig) { | |
95 | // VALIDSIG reports a keyid (40 = 24 + 16), GOODSIG is a longid (16) only | |
96 | return validsig.compare(24, 16, goodsig, strlen("GOODSIG "), 16) == 0; | |
97 | } | |
98 | ||
99 | class GPGVMethod : public aptMethod | |
100 | { | |
101 | private: | |
102 | string VerifyGetSigners(const char *file, const char *outfile, | |
103 | std::string const &key, | |
104 | vector<string> &GoodSigners, | |
105 | vector<string> &BadSigners, | |
106 | vector<string> &WorthlessSigners, | |
107 | vector<Signer> &SoonWorthlessSigners, | |
108 | vector<string> &NoPubKeySigners); | |
109 | protected: | |
110 | virtual bool URIAcquire(std::string const &Message, FetchItem *Itm) APT_OVERRIDE; | |
111 | public: | |
112 | GPGVMethod() : aptMethod("gpgv","1.0",SingleInstance | SendConfig) {}; | |
113 | }; | |
114 | static void PushEntryWithKeyID(std::vector<std::string> &Signers, char * const buffer, bool const Debug) | |
115 | { | |
116 | char * const msg = buffer + sizeof(GNUPGPREFIX); | |
117 | char *p = msg; | |
118 | // skip the message | |
119 | while (*p && !isspace(*p)) | |
120 | ++p; | |
121 | // skip the seperator whitespace | |
122 | ++p; | |
123 | // skip the hexdigit fingerprint | |
124 | while (*p && isxdigit(*p)) | |
125 | ++p; | |
126 | // cut the rest from the message | |
127 | *p = '\0'; | |
128 | if (Debug == true) | |
129 | std::clog << "Got " << msg << " !" << std::endl; | |
130 | Signers.push_back(msg); | |
131 | } | |
132 | static void PushEntryWithUID(std::vector<std::string> &Signers, char * const buffer, bool const Debug) | |
133 | { | |
134 | std::string msg = buffer + sizeof(GNUPGPREFIX); | |
135 | auto const nuke = msg.find_last_not_of("\n\t\r"); | |
136 | if (nuke != std::string::npos) | |
137 | msg.erase(nuke + 1); | |
138 | if (Debug == true) | |
139 | std::clog << "Got " << msg << " !" << std::endl; | |
140 | Signers.push_back(msg); | |
141 | } | |
142 | string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, | |
143 | std::string const &key, | |
144 | vector<string> &GoodSigners, | |
145 | vector<string> &BadSigners, | |
146 | vector<string> &WorthlessSigners, | |
147 | vector<Signer> &SoonWorthlessSigners, | |
148 | vector<string> &NoPubKeySigners) | |
149 | { | |
150 | bool const Debug = _config->FindB("Debug::Acquire::gpgv", false); | |
151 | ||
152 | if (Debug == true) | |
153 | std::clog << "inside VerifyGetSigners" << std::endl; | |
154 | ||
155 | int fd[2]; | |
156 | bool const keyIsID = (key.empty() == false && key[0] != '/'); | |
157 | ||
158 | if (pipe(fd) < 0) | |
159 | return "Couldn't create pipe"; | |
160 | ||
161 | pid_t pid = fork(); | |
162 | if (pid < 0) | |
163 | return string("Couldn't spawn new process") + strerror(errno); | |
164 | else if (pid == 0) | |
165 | ExecGPGV(outfile, file, 3, fd, (keyIsID ? "" : key)); | |
166 | close(fd[1]); | |
167 | ||
168 | FILE *pipein = fdopen(fd[0], "r"); | |
169 | ||
170 | // Loop over the output of apt-key (which really is gnupg), and check the signatures. | |
171 | std::vector<std::string> ValidSigners; | |
172 | std::vector<std::string> ErrSigners; | |
173 | size_t buffersize = 0; | |
174 | char *buffer = NULL; | |
175 | bool gotNODATA = false; | |
176 | while (1) | |
177 | { | |
178 | if (getline(&buffer, &buffersize, pipein) == -1) | |
179 | break; | |
180 | if (Debug == true) | |
181 | std::clog << "Read: " << buffer << std::endl; | |
182 | ||
183 | // Push the data into three separate vectors, which | |
184 | // we later concatenate. They're kept separate so | |
185 | // if we improve the apt method communication stuff later | |
186 | // it will be better. | |
187 | if (strncmp(buffer, GNUPGBADSIG, sizeof(GNUPGBADSIG)-1) == 0) | |
188 | PushEntryWithUID(BadSigners, buffer, Debug); | |
189 | else if (strncmp(buffer, GNUPGERRSIG, sizeof(GNUPGERRSIG)-1) == 0) | |
190 | PushEntryWithKeyID(ErrSigners, buffer, Debug); | |
191 | else if (strncmp(buffer, GNUPGNOPUBKEY, sizeof(GNUPGNOPUBKEY)-1) == 0) | |
192 | { | |
193 | PushEntryWithKeyID(NoPubKeySigners, buffer, Debug); | |
194 | ErrSigners.erase(std::remove_if(ErrSigners.begin(), ErrSigners.end(), [&](std::string const &errsig) { | |
195 | return errsig.compare(strlen("ERRSIG "), 16, buffer, sizeof(GNUPGNOPUBKEY), 16) == 0; }), ErrSigners.end()); | |
196 | } | |
197 | else if (strncmp(buffer, GNUPGNODATA, sizeof(GNUPGNODATA)-1) == 0) | |
198 | gotNODATA = true; | |
199 | else if (strncmp(buffer, GNUPGEXPKEYSIG, sizeof(GNUPGEXPKEYSIG)-1) == 0) | |
200 | PushEntryWithUID(WorthlessSigners, buffer, Debug); | |
201 | else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0) | |
202 | PushEntryWithUID(WorthlessSigners, buffer, Debug); | |
203 | else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0) | |
204 | PushEntryWithUID(WorthlessSigners, buffer, Debug); | |
205 | else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) | |
206 | PushEntryWithKeyID(GoodSigners, buffer, Debug); | |
207 | else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0) | |
208 | { | |
209 | std::istringstream iss(buffer + sizeof(GNUPGVALIDSIG)); | |
210 | vector<string> tokens{std::istream_iterator<string>{iss}, | |
211 | std::istream_iterator<string>{}}; | |
212 | auto const sig = tokens[0]; | |
213 | // Reject weak digest algorithms | |
214 | Digest digest = FindDigest(tokens[7]); | |
215 | switch (digest.getState()) { | |
216 | case Digest::State::Weak: | |
217 | // Treat them like an expired key: For that a message about expiry | |
218 | // is emitted, a VALIDSIG, but no GOODSIG. | |
219 | SoonWorthlessSigners.push_back({sig, digest.name}); | |
220 | if (Debug == true) | |
221 | std::clog << "Got weak VALIDSIG, key ID: " << sig << std::endl; | |
222 | break; | |
223 | case Digest::State::Untrusted: | |
224 | // Treat them like an expired key: For that a message about expiry | |
225 | // is emitted, a VALIDSIG, but no GOODSIG. | |
226 | WorthlessSigners.push_back(sig); | |
227 | GoodSigners.erase(std::remove_if(GoodSigners.begin(), GoodSigners.end(), [&](std::string const &goodsig) { | |
228 | return IsTheSameKey(sig, goodsig); }), GoodSigners.end()); | |
229 | if (Debug == true) | |
230 | std::clog << "Got untrusted VALIDSIG, key ID: " << sig << std::endl; | |
231 | break; | |
232 | ||
233 | case Digest::State::Trusted: | |
234 | if (Debug == true) | |
235 | std::clog << "Got trusted VALIDSIG, key ID: " << sig << std::endl; | |
236 | break; | |
237 | } | |
238 | ||
239 | ValidSigners.push_back(sig); | |
240 | } | |
241 | } | |
242 | fclose(pipein); | |
243 | free(buffer); | |
244 | std::move(ErrSigners.begin(), ErrSigners.end(), std::back_inserter(WorthlessSigners)); | |
245 | ||
246 | // apt-key has a --keyid parameter, but this requires gpg, so we call it without it | |
247 | // and instead check after the fact which keyids where used for verification | |
248 | if (keyIsID == true) | |
249 | { | |
250 | if (Debug == true) | |
251 | std::clog << "GoodSigs needs to be limited to keyid " << key << std::endl; | |
252 | bool foundGood = false; | |
253 | for (auto const &k: VectorizeString(key, ',')) | |
254 | { | |
255 | if (std::find(ValidSigners.begin(), ValidSigners.end(), k) == ValidSigners.end()) | |
256 | continue; | |
257 | // we look for GOODSIG here as well as an expired sig is a valid sig as well (but not a good one) | |
258 | std::string const goodlongkeyid = "GOODSIG " + k.substr(24, 16); | |
259 | foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodlongkeyid) != GoodSigners.end(); | |
260 | if (Debug == true) | |
261 | std::clog << "Key " << k << " is valid sig, is " << goodlongkeyid << " also a good one? " << (foundGood ? "yes" : "no") << std::endl; | |
262 | if (foundGood == false) | |
263 | continue; | |
264 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::back_insert_iterator<std::vector<std::string> >(NoPubKeySigners)); | |
265 | GoodSigners.clear(); | |
266 | GoodSigners.push_back(goodlongkeyid); | |
267 | NoPubKeySigners.erase(std::remove(NoPubKeySigners.begin(), NoPubKeySigners.end(), goodlongkeyid), NoPubKeySigners.end()); | |
268 | break; | |
269 | } | |
270 | if (foundGood == false) | |
271 | { | |
272 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::back_insert_iterator<std::vector<std::string> >(NoPubKeySigners)); | |
273 | GoodSigners.clear(); | |
274 | } | |
275 | } | |
276 | ||
277 | int status; | |
278 | waitpid(pid, &status, 0); | |
279 | if (Debug == true) | |
280 | { | |
281 | ioprintf(std::clog, "gpgv exited with status %i\n", WEXITSTATUS(status)); | |
282 | } | |
283 | ||
284 | if (Debug) | |
285 | { | |
286 | std::cerr << "Summary:" << std::endl << " Good: "; | |
287 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
288 | std::cerr << std::endl << " Bad: "; | |
289 | std::copy(BadSigners.begin(), BadSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
290 | std::cerr << std::endl << " Worthless: "; | |
291 | std::copy(WorthlessSigners.begin(), WorthlessSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
292 | std::cerr << std::endl << " SoonWorthless: "; | |
293 | std::for_each(SoonWorthlessSigners.begin(), SoonWorthlessSigners.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); | |
294 | std::cerr << std::endl << " NoPubKey: "; | |
295 | std::copy(NoPubKeySigners.begin(), NoPubKeySigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
296 | std::cerr << std::endl << " NODATA: " << (gotNODATA ? "yes" : "no") << std::endl; | |
297 | } | |
298 | ||
299 | if (WEXITSTATUS(status) == 112) | |
300 | { | |
301 | // acquire system checks for "NODATA" to generate GPG errors (the others are only warnings) | |
302 | std::string errmsg; | |
303 | //TRANSLATORS: %s is a single techy word like 'NODATA' | |
304 | strprintf(errmsg, _("Clearsigned file isn't valid, got '%s' (does the network require authentication?)"), "NODATA"); | |
305 | return errmsg; | |
306 | } | |
307 | else if (gotNODATA) | |
308 | { | |
309 | // acquire system checks for "NODATA" to generate GPG errors (the others are only warnings) | |
310 | std::string errmsg; | |
311 | //TRANSLATORS: %s is a single techy word like 'NODATA' | |
312 | strprintf(errmsg, _("Signed file isn't valid, got '%s' (does the network require authentication?)"), "NODATA"); | |
313 | return errmsg; | |
314 | } | |
315 | else if (WEXITSTATUS(status) == 0) | |
316 | { | |
317 | if (keyIsID) | |
318 | { | |
319 | // gpgv will report success, but we want to enforce a certain keyring | |
320 | // so if we haven't found the key the valid we found is in fact invalid | |
321 | if (GoodSigners.empty()) | |
322 | return _("At least one invalid signature was encountered."); | |
323 | } | |
324 | else | |
325 | { | |
326 | if (GoodSigners.empty()) | |
327 | return _("Internal error: Good signature, but could not determine key fingerprint?!"); | |
328 | } | |
329 | return ""; | |
330 | } | |
331 | else if (WEXITSTATUS(status) == 1) | |
332 | return _("At least one invalid signature was encountered."); | |
333 | else if (WEXITSTATUS(status) == 111) | |
334 | return _("Could not execute 'apt-key' to verify signature (is gnupg installed?)"); | |
335 | else | |
336 | return _("Unknown error executing apt-key"); | |
337 | } | |
338 | ||
339 | bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm) | |
340 | { | |
341 | URI const Get = Itm->Uri; | |
342 | string const Path = Get.Host + Get.Path; // To account for relative paths | |
343 | std::string const key = LookupTag(Message, "Signed-By"); | |
344 | vector<string> GoodSigners; | |
345 | vector<string> BadSigners; | |
346 | // a worthless signature is a expired or revoked one | |
347 | vector<string> WorthlessSigners; | |
348 | vector<Signer> SoonWorthlessSigners; | |
349 | vector<string> NoPubKeySigners; | |
350 | ||
351 | FetchResult Res; | |
352 | Res.Filename = Itm->DestFile; | |
353 | URIStart(Res); | |
354 | ||
355 | // Run apt-key on file, extract contents and get the key ID of the signer | |
356 | string msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(), key, | |
357 | GoodSigners, BadSigners, WorthlessSigners, | |
358 | SoonWorthlessSigners, NoPubKeySigners); | |
359 | ||
360 | // Check if all good signers are soon worthless and warn in that case | |
361 | if (std::all_of(GoodSigners.begin(), GoodSigners.end(), [&](std::string const &good) { | |
362 | return std::any_of(SoonWorthlessSigners.begin(), SoonWorthlessSigners.end(), [&](Signer const &weak) { | |
363 | return IsTheSameKey(weak.key, good); | |
364 | }); | |
365 | })) | |
366 | { | |
367 | for (auto const & Signer : SoonWorthlessSigners) | |
368 | // TRANSLATORS: The second %s is the reason and is untranslated for repository owners. | |
369 | Warning(_("Signature by key %s uses weak digest algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); | |
370 | } | |
371 | ||
372 | if (GoodSigners.empty() || !BadSigners.empty() || !NoPubKeySigners.empty()) | |
373 | { | |
374 | string errmsg; | |
375 | // In this case, something bad probably happened, so we just go | |
376 | // with what the other method gave us for an error message. | |
377 | if (BadSigners.empty() && WorthlessSigners.empty() && NoPubKeySigners.empty()) | |
378 | errmsg = msg; | |
379 | else | |
380 | { | |
381 | if (!BadSigners.empty()) | |
382 | { | |
383 | errmsg += _("The following signatures were invalid:\n"); | |
384 | for (vector<string>::iterator I = BadSigners.begin(); | |
385 | I != BadSigners.end(); ++I) | |
386 | errmsg += (*I + "\n"); | |
387 | } | |
388 | if (!WorthlessSigners.empty()) | |
389 | { | |
390 | errmsg += _("The following signatures were invalid:\n"); | |
391 | for (vector<string>::iterator I = WorthlessSigners.begin(); | |
392 | I != WorthlessSigners.end(); ++I) | |
393 | errmsg += (*I + "\n"); | |
394 | } | |
395 | if (!NoPubKeySigners.empty()) | |
396 | { | |
397 | errmsg += _("The following signatures couldn't be verified because the public key is not available:\n"); | |
398 | for (vector<string>::iterator I = NoPubKeySigners.begin(); | |
399 | I != NoPubKeySigners.end(); ++I) | |
400 | errmsg += (*I + "\n"); | |
401 | } | |
402 | } | |
403 | // this is only fatal if we have no good sigs or if we have at | |
404 | // least one bad signature. good signatures and NoPubKey signatures | |
405 | // happen easily when a file is signed with multiple signatures | |
406 | if(GoodSigners.empty() or !BadSigners.empty()) | |
407 | return _error->Error("%s", errmsg.c_str()); | |
408 | } | |
409 | ||
410 | // Just pass the raw output up, because passing it as a real data | |
411 | // structure is too difficult with the method stuff. We keep it | |
412 | // as three separate vectors for future extensibility. | |
413 | Res.GPGVOutput = GoodSigners; | |
414 | std::move(BadSigners.begin(), BadSigners.end(), std::back_inserter(Res.GPGVOutput)); | |
415 | std::move(NoPubKeySigners.begin(), NoPubKeySigners.end(), std::back_inserter(Res.GPGVOutput)); | |
416 | URIDone(Res); | |
417 | ||
418 | if (_config->FindB("Debug::Acquire::gpgv", false)) | |
419 | { | |
420 | std::clog << "apt-key succeeded\n"; | |
421 | } | |
422 | ||
423 | return true; | |
424 | } | |
425 | ||
426 | ||
427 | int main() | |
428 | { | |
429 | return GPGVMethod().Run(); | |
430 | } |