From 1a159fd8e383f69ad73e83491c396b1395385563 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 13 Feb 2004 12:40:23 +0000 Subject: [PATCH] * encrypt.c (init_dek): Check for too weak algorithms. * import.c (parse_p12, popen_protect_tool): New. * base64.c (gpgsm_create_reader): New arg ALLOW_MULTI_PEM. Changed all callers. (base64_reader_cb): Handle it here. (gpgsm_reader_eof_seen): New. (base64_reader_cb): Set a flag for EOF. (simple_reader_cb): Ditto. --- sm/ChangeLog | 18 +++ sm/base64.c | 42 +++++- sm/decrypt.c | 2 +- sm/encrypt.c | 19 ++- sm/gpgsm.c | 15 +- sm/gpgsm.h | 7 +- sm/import.c | 420 ++++++++++++++++++++++++++++++++++++++++++++------- sm/verify.c | 2 +- 8 files changed, 457 insertions(+), 68 deletions(-) diff --git a/sm/ChangeLog b/sm/ChangeLog index 77807d065..2e78d1f41 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,21 @@ +2004-02-13 Werner Koch + + * encrypt.c (init_dek): Check for too weak algorithms. + + * import.c (parse_p12, popen_protect_tool): New. + + * base64.c (gpgsm_create_reader): New arg ALLOW_MULTI_PEM. + Changed all callers. + (base64_reader_cb): Handle it here. + (gpgsm_reader_eof_seen): New. + (base64_reader_cb): Set a flag for EOF. + (simple_reader_cb): Ditto. + +2004-02-12 Werner Koch + + * gpgsm.h, gpgsm.c: New option --protect-tool-program. + * gpgsm.c (run_protect_tool): Use it. + 2004-02-11 Werner Koch * Makefile.am (AM_CPPFLAGS): Pass directory constants via -D; this diff --git a/sm/base64.c b/sm/base64.c index 11237dcc1..4cc6ffa27 100644 --- a/sm/base64.c +++ b/sm/base64.c @@ -48,9 +48,10 @@ struct reader_cb_parm_s { int have_lf; unsigned long line_counter; - int autodetect; /* try to detect the input encoding */ - int assume_pem; /* assume input encoding is PEM */ - int assume_base64; /* assume input is base64 encoded */ + int allow_multi_pem; /* Allow processing of multiple PEM objects. */ + int autodetect; /* Try to detect the input encoding. */ + int assume_pem; /* Assume input encoding is PEM. */ + int assume_base64; /* Assume input is base64 encoded. */ int identified; int is_pem; @@ -58,6 +59,8 @@ struct reader_cb_parm_s { int stop_seen; int might_be_smime; + int eof_seen; + struct { int idx; unsigned char val; @@ -171,6 +174,7 @@ base64_reader_cb (void *cb_value, char *buffer, size_t count, size_t *nread) c = getc (parm->fp); if (c == EOF) { + parm->eof_seen = 1; if (ferror (parm->fp)) return -1; break; @@ -268,7 +272,22 @@ base64_reader_cb (void *cb_value, char *buffer, size_t count, size_t *nread) { parm->identified = 0; parm->linelen = parm->readpos = 0; - /* let us return 0 */ + + /* If the caller want to read multiple PEM objects from one + file, we have to reset our internal state and return a + EOF immediately. The caller is the expected to use + ksba_reader_clear to clear the EOF condition and continue + to read. If we don't want to do that we just return 0 + bytes which will force the ksba_reader to skip until + EOF. */ + if (parm->allow_multi_pem) + { + parm->identified = 0; + parm->autodetect = 0; + parm->assume_pem = 1; + parm->stop_seen = 0; + return -1; /* Send EOF now. */ + } } else if (parm->stop_seen) { /* skip the rest of the line */ @@ -356,6 +375,7 @@ simple_reader_cb (void *cb_value, char *buffer, size_t count, size_t *nread) c = getc (parm->fp); if (c == EOF) { + parm->eof_seen = 1; if ( ferror (parm->fp) ) return -1; if (n) @@ -494,10 +514,13 @@ base64_finish_write (struct writer_cb_parm_s *parm) The function returns a Base64Context object which must be passed to the gpgme_destroy_reader function. The created KsbaReader object is also returned, but the caller must not call the - ksba_reader_release function on. */ + ksba_reader_release function on. If ALLOW_MULTI_PEM is true, the + reader expects that the caller uses ksba_reader_clear after EOF + until no more objects were found. */ int gpgsm_create_reader (Base64Context *ctx, - CTRL ctrl, FILE *fp, ksba_reader_t *r_reader) + CTRL ctrl, FILE *fp, int allow_multi_pem, + ksba_reader_t *r_reader) { int rc; ksba_reader_t r; @@ -506,6 +529,7 @@ gpgsm_create_reader (Base64Context *ctx, *ctx = xtrycalloc (1, sizeof **ctx); if (!*ctx) return OUT_OF_CORE (errno); + (*ctx)->u.rparm.allow_multi_pem = allow_multi_pem; rc = ksba_reader_new (&r); if (rc) @@ -546,6 +570,12 @@ gpgsm_create_reader (Base64Context *ctx, } +int +gpgsm_reader_eof_seen (Base64Context ctx) +{ + return ctx && ctx->u.rparm.eof_seen; +} + void gpgsm_destroy_reader (Base64Context ctx) { diff --git a/sm/decrypt.c b/sm/decrypt.c index c6eb8ab4b..427466a49 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -270,7 +270,7 @@ gpgsm_decrypt (CTRL ctrl, int in_fd, FILE *out_fp) goto leave; } - rc = gpgsm_create_reader (&b64reader, ctrl, in_fp, &reader); + rc = gpgsm_create_reader (&b64reader, ctrl, in_fp, 0, &reader); if (rc) { log_error ("can't create reader: %s\n", gpg_strerror (rc)); diff --git a/sm/encrypt.c b/sm/encrypt.c index 8f2c26b45..8cc9a8828 100644 --- a/sm/encrypt.c +++ b/sm/encrypt.c @@ -1,5 +1,5 @@ /* encrypt.c - Encrypt a message - * Copyright (C) 2001, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -74,6 +74,20 @@ init_dek (DEK dek) log_error ("unsupported algorithm `%s'\n", dek->algoid); return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); } + + /* Extra check for algorithms we considere to be to weak for + encryption, qlthough we suppor them fro decryption. Note that + there is another check below discriminating on the key length. */ + switch (dek->algo) + { + case GCRY_CIPHER_DES: + case GCRY_CIPHER_RFC2268_40: + log_error ("cipher algorithm `%s' not allowed: too weak\n", + gcry_cipher_algo_name (dek->algo)); + return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); + default: + break; + } dek->keylen = gcry_cipher_get_algo_keylen (dek->algo); if (!dek->keylen || dek->keylen > sizeof (dek->key)) @@ -83,8 +97,9 @@ init_dek (DEK dek) if (!dek->ivlen || dek->ivlen > sizeof (dek->iv)) return gpg_error (GPG_ERR_BUG); + /* Make sure we don't use weak keys. */ if (dek->keylen < 100/8) - { /* make sure we don't use weak keys */ + { log_error ("key length of `%s' too small\n", dek->algoid); return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); } diff --git a/sm/gpgsm.c b/sm/gpgsm.c index d1da02c59..fa3e1b203 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -98,6 +98,7 @@ enum cmd_and_opt_values { oLCmessages, oDirmngrProgram, + oProtectToolProgram, oFakedSystemTime, @@ -370,6 +371,7 @@ static ARGPARSE_OPTS opts[] = { { oLCctype, "lc-ctype", 2, "@" }, { oLCmessages, "lc-messages", 2, "@" }, { oDirmngrProgram, "dirmngr-program", 2 , "@" }, + { oProtectToolProgram, "protect-tool-program", 2 , "@" }, { oFakedSystemTime, "faked-system-time", 4, "@" }, /* (epoch time) */ @@ -947,6 +949,9 @@ main ( int argc, char **argv) case oLCctype: opt.lc_ctype = xstrdup (pargs.r.ret_str); break; case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break; case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break; + case oProtectToolProgram: + opt.protect_tool_program = pargs.r.ret_str; + break; case oFakedSystemTime: gnupg_set_time ( (time_t)pargs.r.ret_ulong, 0); @@ -1480,14 +1485,19 @@ open_fwrite (const char *filename) static void run_protect_tool (int argc, char **argv) { - char *pgm = GNUPG_DEFAULT_PROTECT_TOOL; + const char *pgm; char **av; int i; + if (!opt.protect_tool_program || !*opt.protect_tool_program) + pgm = GNUPG_DEFAULT_PROTECT_TOOL; + else + pgm = opt.protect_tool_program; + av = xcalloc (argc+2, sizeof *av); av[0] = strrchr (pgm, '/'); if (!av[0]) - av[0] = pgm; + av[0] = xstrdup (pgm); for (i=1; argc; i++, argc--, argv++) av[i] = *argv; av[i] = NULL; @@ -1495,4 +1505,3 @@ run_protect_tool (int argc, char **argv) log_error ("error executing `%s': %s\n", pgm, strerror (errno)); gpgsm_exit (2); } - diff --git a/sm/gpgsm.h b/sm/gpgsm.h index e8cdd93df..2132c564e 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -1,5 +1,5 @@ /* gpgsm.h - Global definitions for GpgSM - * Copyright (C) 2001, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -54,6 +54,7 @@ struct { char *lc_messages; const char *dirmngr_program; + const char *protect_tool_program; char *outfile; /* name of output file */ int with_key_data;/* include raw key in the column delimted output */ @@ -176,7 +177,9 @@ char *gpgsm_get_certid (ksba_cert_t cert); /*-- base64.c --*/ int gpgsm_create_reader (Base64Context *ctx, - ctrl_t ctrl, FILE *fp, ksba_reader_t *r_reader); + ctrl_t ctrl, FILE *fp, int allow_multi_pem, + ksba_reader_t *r_reader); +int gpgsm_reader_eof_seen (Base64Context ctx); void gpgsm_destroy_reader (Base64Context ctx); int gpgsm_create_writer (Base64Context *ctx, ctrl_t ctrl, FILE *fp, ksba_writer_t *r_writer); diff --git a/sm/import.c b/sm/import.c index 132b7403e..b11cd75b6 100644 --- a/sm/import.c +++ b/sm/import.c @@ -1,5 +1,5 @@ /* import.c - Import certificates - * Copyright (C) 2001, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -26,6 +26,9 @@ #include #include #include +#include +#include +#include #include "gpgsm.h" #include @@ -34,6 +37,13 @@ #include "keydb.h" #include "i18n.h" +#ifdef _POSIX_OPEN_MAX +#define MAX_OPEN_FDS _POSIX_OPEN_MAX +#else +#define MAX_OPEN_FDS 20 +#endif + + struct stats_s { unsigned long count; unsigned long imported; @@ -42,6 +52,9 @@ struct stats_s { }; +static gpg_error_t parse_p12 (ksba_reader_t reader, FILE **retfp); + + static void print_imported_status (CTRL ctrl, ksba_cert_t cert) @@ -208,6 +221,7 @@ import_one (CTRL ctrl, struct stats_s *stats, int in_fd) ksba_cms_t cms = NULL; FILE *fp = NULL; ksba_content_type_t ct; + int any = 0; fp = fdopen ( dup (in_fd), "rb"); if (!fp) @@ -217,75 +231,138 @@ import_one (CTRL ctrl, struct stats_s *stats, int in_fd) goto leave; } - rc = gpgsm_create_reader (&b64reader, ctrl, fp, &reader); + rc = gpgsm_create_reader (&b64reader, ctrl, fp, 1, &reader); if (rc) { log_error ("can't create reader: %s\n", gpg_strerror (rc)); goto leave; } - - ct = ksba_cms_identify (reader); - if (ct == KSBA_CT_SIGNED_DATA) - { /* This is probably a signed-only message - import the certs */ - ksba_stop_reason_t stopreason; - int i; - - rc = ksba_cms_new (&cms); - if (rc) - goto leave; - - rc = ksba_cms_set_reader_writer (cms, reader, NULL); - if (rc) - { - log_error ("ksba_cms_set_reader_writer failed: %s\n", - gpg_strerror (rc)); - goto leave; - } - - - do - { - rc = ksba_cms_parse (cms, &stopreason); + + + /* We need to loop here to handle multiple PEM objects in one + file. */ + do + { + ksba_cms_release (cms); cms = NULL; + ksba_cert_release (cert); cert = NULL; + + ct = ksba_cms_identify (reader); + if (ct == KSBA_CT_SIGNED_DATA) + { /* This is probably a signed-only message - import the certs */ + ksba_stop_reason_t stopreason; + int i; + + rc = ksba_cms_new (&cms); + if (rc) + goto leave; + + rc = ksba_cms_set_reader_writer (cms, reader, NULL); if (rc) { - log_error ("ksba_cms_parse failed: %s\n", gpg_strerror (rc)); + log_error ("ksba_cms_set_reader_writer failed: %s\n", + gpg_strerror (rc)); goto leave; } - if (stopreason == KSBA_SR_BEGIN_DATA) - log_info ("not a certs-only message\n"); - } - while (stopreason != KSBA_SR_READY); + do + { + rc = ksba_cms_parse (cms, &stopreason); + if (rc) + { + log_error ("ksba_cms_parse failed: %s\n", gpg_strerror (rc)); + goto leave; + } + + if (stopreason == KSBA_SR_BEGIN_DATA) + log_info ("not a certs-only message\n"); + } + while (stopreason != KSBA_SR_READY); - for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++) - { - check_and_store (ctrl, stats, cert, 0); - ksba_cert_release (cert); - cert = NULL; + for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++) + { + check_and_store (ctrl, stats, cert, 0); + ksba_cert_release (cert); + cert = NULL; + } + if (!i) + log_error ("no certificate found\n"); + else + any = 1; } - if (!i) - log_error ("no certificate found\n"); - } - else if (ct == KSBA_CT_NONE) - { /* Failed to identify this message - assume a certificate */ + else if (ct == KSBA_CT_PKCS12) + { /* This seems to be a pkcs12 message. We use an external + tool to parse the message and to store the private keys. + We need to use a another reader here to parse the + certificate we included in the p12 file; then we continue + to look for other pkcs12 files (works only if they are in + PEM format. */ + FILE *certfp; + Base64Context b64p12rdr; + ksba_reader_t p12rdr; + + rc = parse_p12 (reader, &certfp); + if (!rc) + { + any = 1; + + rewind (certfp); + rc = gpgsm_create_reader (&b64p12rdr, ctrl, certfp, 1, &p12rdr); + if (rc) + { + log_error ("can't create reader: %s\n", gpg_strerror (rc)); + fclose (certfp); + goto leave; + } - rc = ksba_cert_new (&cert); - if (rc) - goto leave; + do + { + ksba_cert_release (cert); cert = NULL; + rc = ksba_cert_new (&cert); + if (!rc) + { + rc = ksba_cert_read_der (cert, p12rdr); + if (!rc) + check_and_store (ctrl, stats, cert, 0); + } + ksba_reader_clear (p12rdr, NULL, NULL); + } + while (!rc && !gpgsm_reader_eof_seen (b64p12rdr)); - rc = ksba_cert_read_der (cert, reader); - if (rc) - goto leave; + if (gpg_err_code (rc) == GPG_ERR_EOF) + rc = 0; + gpgsm_destroy_reader (b64p12rdr); + fclose (certfp); + if (rc) + goto leave; + } + } + else if (ct == KSBA_CT_NONE) + { /* Failed to identify this message - assume a certificate */ - check_and_store (ctrl, stats, cert, 0); + rc = ksba_cert_new (&cert); + if (rc) + goto leave; + + rc = ksba_cert_read_der (cert, reader); + if (rc) + goto leave; + + check_and_store (ctrl, stats, cert, 0); + any = 1; + } + else + { + log_error ("can't extract certificates from input\n"); + rc = gpg_error (GPG_ERR_NO_DATA); + } + + ksba_reader_clear (reader, NULL, NULL); } - else - { - log_error ("can't extract certificates from input\n"); - rc = gpg_error (GPG_ERR_NO_DATA); - } - + while (!gpgsm_reader_eof_seen (b64reader)); + leave: + if (any && gpg_err_code (rc) == GPG_ERR_EOF) + rc = 0; ksba_cms_release (cms); ksba_cert_release (cert); gpgsm_destroy_reader (b64reader); @@ -345,3 +422,240 @@ gpgsm_import_files (CTRL ctrl, int nfiles, char **files, } +/* Fork and exec the protecttool, connect the file descriptor of + INFILE to stdin, return a new stream in STATUSFILE, write the + output to OUTFILE and the pid of the process in PID. Returns 0 on + success or an error code. */ +static gpg_error_t +popen_protect_tool (const char *pgmname, + FILE *infile, FILE *outfile, FILE **statusfile, pid_t *pid) +{ + gpg_error_t err; + int fd, fdout, rp[2]; + int n, i; + + fflush (infile); + rewind (infile); + fd = fileno (infile); + fdout = fileno (outfile); + if (fd == -1 || fdout == -1) + log_fatal ("no file descriptor for temporary file: %s\n", + strerror (errno)); + + /* Now start the protect-tool. */ + if (pipe (rp) == -1) + { + err = gpg_error_from_errno (errno); + log_error (_("error creating a pipe: %s\n"), strerror (errno)); + return err; + } + + *pid = fork (); + if (*pid == -1) + { + err = gpg_error_from_errno (errno); + log_error (_("error forking process: %s\n"), strerror (errno)); + close (rp[0]); + close (rp[1]); + return err; + } + + if (!*pid) + { /* Child. */ + const char *arg0; + + arg0 = strrchr (pgmname, '/'); + if (arg0) + arg0++; + else + arg0 = pgmname; + + /* Connect the infile to stdin. */ + if (fd != 0 && dup2 (fd, 0) == -1) + log_fatal ("dup2 stdin failed: %s\n", strerror (errno)); + + /* Connect the outfile to stdout. */ + if (fdout != 1 && dup2 (fdout, 1) == -1) + log_fatal ("dup2 stdout failed: %s\n", strerror (errno)); + + /* Connect stderr to our pipe. */ + if (rp[1] != 2 && dup2 (rp[1], 2) == -1) + log_fatal ("dup2 stderr failed: %s\n", strerror (errno)); + + /* Close all other files. */ + n = sysconf (_SC_OPEN_MAX); + if (n < 0) + n = MAX_OPEN_FDS; + for (i=3; i < n; i++) + close(i); + errno = 0; + + execlp (pgmname, arg0, + "--homedir", opt.homedir, + "--p12-import", + "--store", + "--no-fail-on-exist", + "--", + NULL); + /* No way to print anything, as we have closed all streams. */ + _exit (31); + } + + /* Parent. */ + close (rp[1]); + *statusfile = fdopen (rp[0], "r"); + if (!*statusfile) + { + err = gpg_error_from_errno (errno); + log_error ("can't fdopen pipe for reading: %s", strerror (errno)); + kill (*pid, SIGTERM); + return err; + } + + return 0; +} + + +/* Assume that the reader is at a pkcs#12 message and try to import + certificates from that stupid format. We will alos store secret + keys. All of the pkcs#12 parsing and key storing is handled by the + gpg-protect-tool, we merely have to take care of receiving the + certificates. On success RETFP returns a temporary file with + certificates. */ +static gpg_error_t +parse_p12 (ksba_reader_t reader, FILE **retfp) +{ + const char *pgmname; + gpg_error_t err = 0, child_err = 0; + int i, c, cont_line; + unsigned int pos; + FILE *tmpfp, *certfp = NULL, *fp = NULL; + char buffer[1024]; + size_t nread; + pid_t pid = -1; + + if (!opt.protect_tool_program || !*opt.protect_tool_program) + pgmname = GNUPG_DEFAULT_PROTECT_TOOL; + else + pgmname = opt.protect_tool_program; + + *retfp = NULL; + + /* To avoid an extra feeder process or doing selects and because + gpg-protect-tool will anyway parse the entire pkcs#12 message in + memory, we simply use tempfiles here and pass them to + the gpg-protect-tool. */ + tmpfp = tmpfile (); + if (!tmpfp) + { + err = gpg_error_from_errno (errno); + log_error (_("error creating temporary file: %s\n"), strerror (errno)); + goto cleanup; + } + while (!(err = ksba_reader_read (reader, buffer, sizeof buffer, &nread))) + { + if (fwrite (buffer, nread, 1, tmpfp) != 1) + { + err = gpg_error_from_errno (errno); + log_error (_("error writing to temporary file: %s\n"), + strerror (errno)); + goto cleanup; + } + } + if (gpg_err_code (err) == GPG_ERR_EOF) + err = 0; + if (err) + { + log_error (_("error reading input: %s\n"), gpg_strerror (err)); + goto cleanup; + } + + certfp = tmpfile (); + if (!certfp) + { + err = gpg_error_from_errno (errno); + log_error (_("error creating temporary file: %s\n"), strerror (errno)); + goto cleanup; + } + + err = popen_protect_tool (pgmname, tmpfp, certfp, &fp, &pid); + if (err) + { + pid = -1; + goto cleanup; + } + fclose (tmpfp); + tmpfp = NULL; + + /* Read stderr of the protect tool. */ + pos = 0; + cont_line = 0; + while ((c=getc (fp)) != EOF) + { + /* fixme: We could here grep for status information of the + protect tool to figure out better error codes for + CHILD_ERR. */ + buffer[pos++] = c; + if (pos >= 5 /*sizeof buffer - 1*/ || c == '\n') + { + buffer[pos - (c == '\n')] = 0; + if (cont_line) + log_printf ("%s", buffer); + else + log_info ("%s", buffer); + pos = 0; + cont_line = (c != '\n'); + } + } + + if (pos) + { + buffer[pos] = 0; + if (cont_line) + log_printf ("%s\n", buffer); + else + log_info ("%s\n", buffer); + } + + /* If we found no error in the output of the cild, setup a suitable + error code, which will later be reset if the exit status of the + child is 0. */ + if (!child_err) + child_err = gpg_error (GPG_ERR_DECRYPT_FAILED); + + + cleanup: + if (tmpfp) + fclose (tmpfp); + if (fp) + fclose (fp); + if (pid != -1) + { + int status; + + while ( (i=waitpid (pid, &status, 0)) == -1 && errno == EINTR) + ; + if (i == -1) + log_error (_("waiting for protect-tools to terminate failed: %s\n"), + strerror (errno)); + else if (WIFEXITED (status) && WEXITSTATUS (status) == 31) + log_error (_("error running `%s': probably not installed\n"), pgmname); + else if (WIFEXITED (status) && WEXITSTATUS (status)) + log_error (_("error running `%s': exit status %d\n"), pgmname, + WEXITSTATUS (status)); + else if (!WIFEXITED (status)) + log_error (_("error running `%s': terminated\n"), pgmname); + else + child_err = 0; + } + if (!err) + err = child_err; + if (err) + { + if (certfp) + fclose (certfp); + } + else + *retfp = certfp; + return err; +} diff --git a/sm/verify.c b/sm/verify.c index a10aff92c..2a95c81e7 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -118,7 +118,7 @@ gpgsm_verify (CTRL ctrl, int in_fd, int data_fd, FILE *out_fp) goto leave; } - rc = gpgsm_create_reader (&b64reader, ctrl, fp, &reader); + rc = gpgsm_create_reader (&b64reader, ctrl, fp, 0, &reader); if (rc) { log_error ("can't create reader: %s\n", gpg_strerror (rc));