|
 |
4bf471 |
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
|
|
|
4bf471 |
From: Peter Jones <pjones@redhat.com>
|
|
|
4bf471 |
Date: Thu, 11 Jun 2020 16:23:14 -0400
|
|
|
4bf471 |
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
|
|
|
4bf471 |
vise versa
|
|
|
4bf471 |
|
|
|
4bf471 |
This makes the version of the sign API that takes a file type optional,
|
|
|
4bf471 |
and makes the client attempt to negotiate which version it's getting.
|
|
|
4bf471 |
It also leaves the server able to still handle the version from before
|
|
|
4bf471 |
the file type was added.
|
|
|
4bf471 |
|
|
|
4bf471 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
4bf471 |
---
|
|
|
4bf471 |
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
|
|
|
4bf471 |
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
|
|
|
4bf471 |
src/daemon.h | 2 ++
|
|
|
4bf471 |
3 files changed, 97 insertions(+), 42 deletions(-)
|
|
|
4bf471 |
|
|
|
4bf471 |
diff --git a/src/client.c b/src/client.c
|
|
|
4bf471 |
index aa373abd981..57bcc09cbe8 100644
|
|
|
4bf471 |
--- a/src/client.c
|
|
|
4bf471 |
+++ b/src/client.c
|
|
|
4bf471 |
@@ -11,6 +11,7 @@
|
|
|
4bf471 |
#include <fcntl.h>
|
|
|
4bf471 |
#include <popt.h>
|
|
|
4bf471 |
#include <pwd.h>
|
|
|
4bf471 |
+#include <stdbool.h>
|
|
|
4bf471 |
#include <stddef.h>
|
|
|
4bf471 |
#include <stdlib.h>
|
|
|
4bf471 |
#include <sys/socket.h>
|
|
|
4bf471 |
@@ -84,8 +85,8 @@ connect_to_server(void)
|
|
|
4bf471 |
static int32_t
|
|
|
4bf471 |
check_response(int sd, char **srvmsg);
|
|
|
4bf471 |
|
|
|
4bf471 |
-static void
|
|
|
4bf471 |
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
|
4bf471 |
+static int
|
|
|
4bf471 |
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
|
|
|
4bf471 |
{
|
|
|
4bf471 |
struct msghdr msg;
|
|
|
4bf471 |
struct iovec iov[1];
|
|
|
4bf471 |
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
|
4bf471 |
ssize_t n;
|
|
|
4bf471 |
n = sendmsg(sd, &msg, 0);
|
|
|
4bf471 |
if (n < 0) {
|
|
|
4bf471 |
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
|
|
|
4bf471 |
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
|
|
|
4bf471 |
exit(1);
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
|
4bf471 |
|
|
|
4bf471 |
char *srvmsg = NULL;
|
|
|
4bf471 |
int32_t rc = check_response(sd, &srvmsg);
|
|
|
4bf471 |
- if (rc < 0)
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ if (do_exit && rc < 0)
|
|
|
4bf471 |
errx(1, "command \"%s\" not known by server", name);
|
|
|
4bf471 |
- if (rc != version)
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ if (do_exit && rc != version)
|
|
|
4bf471 |
errx(1, "command \"%s\": client version %d, server version %d",
|
|
|
4bf471 |
name, version, rc);
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ if (rc < 0)
|
|
|
4bf471 |
+ return rc;
|
|
|
4bf471 |
+ return rc == version;
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
static void
|
|
|
4bf471 |
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
|
|
|
4bf471 |
struct iovec iov;
|
|
|
4bf471 |
pesignd_msghdr pm;
|
|
|
4bf471 |
|
|
|
4bf471 |
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
|
|
|
4bf471 |
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
|
|
|
4bf471 |
|
|
|
4bf471 |
pm.version = PESIGND_VERSION;
|
|
|
4bf471 |
pm.command = CMD_KILL_DAEMON;
|
|
|
4bf471 |
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
|
|
|
4bf471 |
|
|
|
4bf471 |
uint32_t size1 = pesignd_string_size(pin);
|
|
|
4bf471 |
|
|
|
4bf471 |
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
|
|
|
4bf471 |
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
|
|
|
4bf471 |
|
|
|
4bf471 |
pm.version = PESIGND_VERSION;
|
|
|
4bf471 |
pm.command = CMD_UNLOCK_TOKEN;
|
|
|
4bf471 |
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
|
|
|
4bf471 |
|
|
|
4bf471 |
uint32_t size0 = pesignd_string_size(tokenname);
|
|
|
4bf471 |
|
|
|
4bf471 |
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
|
|
|
4bf471 |
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
|
|
|
4bf471 |
|
|
|
4bf471 |
pm.version = PESIGND_VERSION;
|
|
|
4bf471 |
pm.command = CMD_IS_TOKEN_UNLOCKED;
|
|
|
4bf471 |
@@ -452,6 +459,9 @@ static void
|
|
|
4bf471 |
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
|
|
|
4bf471 |
int attached, uint32_t format)
|
|
|
4bf471 |
{
|
|
|
4bf471 |
+ int rc;
|
|
|
4bf471 |
+ bool add_file_type;
|
|
|
4bf471 |
+
|
|
|
4bf471 |
int infd = open(infile, O_RDONLY);
|
|
|
4bf471 |
if (infd < 0) {
|
|
|
4bf471 |
fprintf(stderr, "pesign-client: could not open input file "
|
|
|
4bf471 |
@@ -481,12 +491,28 @@ oom:
|
|
|
4bf471 |
exit(1);
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
|
|
|
4bf471 |
- attached ? "sign-attached" : "sign-detached", 0);
|
|
|
4bf471 |
+ rc = check_cmd_version(sd,
|
|
|
4bf471 |
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
|
|
4bf471 |
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
|
4bf471 |
+ attached ? "sign-attached" : "sign-detached",
|
|
|
4bf471 |
+ 0, format == FORMAT_KERNEL_MODULE);
|
|
|
4bf471 |
+ if (rc >= 0) {
|
|
|
4bf471 |
+ add_file_type = true;
|
|
|
4bf471 |
+ } else {
|
|
|
4bf471 |
+ add_file_type = false;
|
|
|
4bf471 |
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
|
|
|
4bf471 |
+ : CMD_SIGN_DETACHED,
|
|
|
4bf471 |
+ attached ? "sign-attached" : "sign-detached",
|
|
|
4bf471 |
+ 0, true);
|
|
|
4bf471 |
+ }
|
|
|
4bf471 |
|
|
|
4bf471 |
+ printf("add_file_type:%d\n", add_file_type);
|
|
|
4bf471 |
pm->version = PESIGND_VERSION;
|
|
|
4bf471 |
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
|
|
|
4bf471 |
- pm->size = size0 + size1 + sizeof(format);
|
|
|
4bf471 |
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
|
|
4bf471 |
+ : CMD_SIGN_ATTACHED)
|
|
|
4bf471 |
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
|
|
|
4bf471 |
+ : CMD_SIGN_DETACHED);
|
|
|
4bf471 |
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
|
|
|
4bf471 |
iov[0].iov_base = pm;
|
|
|
4bf471 |
iov[0].iov_len = sizeof (*pm);
|
|
|
4bf471 |
|
|
|
4bf471 |
@@ -503,25 +529,31 @@ oom:
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
char *buffer;
|
|
|
4bf471 |
- buffer = malloc(size0 + size1);
|
|
|
4bf471 |
+ buffer = malloc(pm->size);
|
|
|
4bf471 |
if (!buffer)
|
|
|
4bf471 |
goto oom;
|
|
|
4bf471 |
|
|
|
4bf471 |
- iov[0].iov_base = &format;
|
|
|
4bf471 |
- iov[0].iov_len = sizeof(format);
|
|
|
4bf471 |
+ int pos = 0;
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ if (add_file_type) {
|
|
|
4bf471 |
+ iov[pos].iov_base = &format;
|
|
|
4bf471 |
+ iov[pos].iov_len = sizeof(format);
|
|
|
4bf471 |
+ pos++;
|
|
|
4bf471 |
+ }
|
|
|
4bf471 |
|
|
|
4bf471 |
pesignd_string *tn = (pesignd_string *)buffer;
|
|
|
4bf471 |
pesignd_string_set(tn, tokenname);
|
|
|
4bf471 |
- iov[1].iov_base = tn;
|
|
|
4bf471 |
- iov[1].iov_len = size0;
|
|
|
4bf471 |
+ iov[pos].iov_base = tn;
|
|
|
4bf471 |
+ iov[pos].iov_len = size0;
|
|
|
4bf471 |
+ pos++;
|
|
|
4bf471 |
|
|
|
4bf471 |
pesignd_string *cn = pesignd_string_next(tn);
|
|
|
4bf471 |
pesignd_string_set(cn, certname);
|
|
|
4bf471 |
- iov[2].iov_base = cn;
|
|
|
4bf471 |
- iov[2].iov_len = size1;
|
|
|
4bf471 |
+ iov[pos].iov_base = cn;
|
|
|
4bf471 |
+ iov[pos].iov_len = size1;
|
|
|
4bf471 |
|
|
|
4bf471 |
msg.msg_iov = iov;
|
|
|
4bf471 |
- msg.msg_iovlen = 3;
|
|
|
4bf471 |
+ msg.msg_iovlen = add_file_type ? 3 : 2;
|
|
|
4bf471 |
|
|
|
4bf471 |
n = sendmsg(sd, &msg, 0);
|
|
|
4bf471 |
if (n < 0) {
|
|
|
4bf471 |
@@ -535,7 +567,7 @@ oom:
|
|
|
4bf471 |
send_fd(sd, outfd);
|
|
|
4bf471 |
|
|
|
4bf471 |
char *srvmsg = NULL;
|
|
|
4bf471 |
- int rc = check_response(sd, &srvmsg);
|
|
|
4bf471 |
+ rc = check_response(sd, &srvmsg);
|
|
|
4bf471 |
if (rc < 0) {
|
|
|
4bf471 |
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
|
|
|
4bf471 |
srvmsg);
|
|
|
4bf471 |
diff --git a/src/daemon.c b/src/daemon.c
|
|
|
4bf471 |
index 9374d59be30..494beb9af72 100644
|
|
|
4bf471 |
--- a/src/daemon.c
|
|
|
4bf471 |
+++ b/src/daemon.c
|
|
|
4bf471 |
@@ -12,6 +12,7 @@
|
|
|
4bf471 |
#include <poll.h>
|
|
|
4bf471 |
#include <pwd.h>
|
|
|
4bf471 |
#include <signal.h>
|
|
|
4bf471 |
+#include <stdbool.h>
|
|
|
4bf471 |
#include <stdlib.h>
|
|
|
4bf471 |
#include <stdio.h>
|
|
|
4bf471 |
#include <string.h>
|
|
|
4bf471 |
@@ -561,7 +562,7 @@ out:
|
|
|
4bf471 |
|
|
|
4bf471 |
static void
|
|
|
4bf471 |
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
|
|
|
4bf471 |
- int attached)
|
|
|
4bf471 |
+ int attached, bool with_file_type)
|
|
|
4bf471 |
{
|
|
|
4bf471 |
struct msghdr msg;
|
|
|
4bf471 |
struct iovec iov;
|
|
|
4bf471 |
@@ -585,8 +586,12 @@ oom:
|
|
|
4bf471 |
|
|
|
4bf471 |
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
|
|
|
4bf471 |
|
|
|
4bf471 |
- file_format = *((uint32_t *) buffer);
|
|
|
4bf471 |
- n -= sizeof(uint32_t);
|
|
|
4bf471 |
+ if (with_file_type) {
|
|
|
4bf471 |
+ file_format = *((uint32_t *) buffer);
|
|
|
4bf471 |
+ n -= sizeof(uint32_t);
|
|
|
4bf471 |
+ } else {
|
|
|
4bf471 |
+ file_format = FORMAT_PE_BINARY;
|
|
|
4bf471 |
+ }
|
|
|
4bf471 |
|
|
|
4bf471 |
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
|
|
|
4bf471 |
if (n < (long long)sizeof(tn->size)) {
|
|
|
4bf471 |
@@ -666,34 +671,44 @@ finish:
|
|
|
4bf471 |
teardown_digests(ctx->cms);
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
+static inline void
|
|
|
4bf471 |
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
|
|
|
4bf471 |
+ int attached, bool with_file_type)
|
|
|
4bf471 |
+{
|
|
|
4bf471 |
+ int rc = cms_context_alloc(&ctx->cms);
|
|
|
4bf471 |
+ if (rc < 0)
|
|
|
4bf471 |
+ return;
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
|
|
|
4bf471 |
+
|
|
|
4bf471 |
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
|
4bf471 |
+ cms_context_fini(ctx->cms);
|
|
|
4bf471 |
+}
|
|
|
4bf471 |
+
|
|
|
4bf471 |
static void
|
|
|
4bf471 |
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
|
4bf471 |
{
|
|
|
4bf471 |
- int rc = cms_context_alloc(&ctx->cms);
|
|
|
4bf471 |
- if (rc < 0)
|
|
|
4bf471 |
- return;
|
|
|
4bf471 |
+ handle_sign_helper(ctx, pollfd, size, 1, false);
|
|
|
4bf471 |
+}
|
|
|
4bf471 |
|
|
|
4bf471 |
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
|
4bf471 |
-
|
|
|
4bf471 |
- handle_signing(ctx, pollfd, size, 1);
|
|
|
4bf471 |
-
|
|
|
4bf471 |
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
|
4bf471 |
- cms_context_fini(ctx->cms);
|
|
|
4bf471 |
+static void
|
|
|
4bf471 |
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
|
4bf471 |
+{
|
|
|
4bf471 |
+ handle_sign_helper(ctx, pollfd, size, 1, true);
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
static void
|
|
|
4bf471 |
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
|
4bf471 |
{
|
|
|
4bf471 |
- int rc = cms_context_alloc(&ctx->cms);
|
|
|
4bf471 |
- if (rc < 0)
|
|
|
4bf471 |
- return;
|
|
|
4bf471 |
+ handle_sign_helper(ctx, pollfd, size, 0, false);
|
|
|
4bf471 |
+}
|
|
|
4bf471 |
|
|
|
4bf471 |
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
|
4bf471 |
-
|
|
|
4bf471 |
- handle_signing(ctx, pollfd, size, 0);
|
|
|
4bf471 |
-
|
|
|
4bf471 |
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
|
4bf471 |
- cms_context_fini(ctx->cms);
|
|
|
4bf471 |
+static void
|
|
|
4bf471 |
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
|
4bf471 |
+{
|
|
|
4bf471 |
+ handle_sign_helper(ctx, pollfd, size, 0, true);
|
|
|
4bf471 |
}
|
|
|
4bf471 |
|
|
|
4bf471 |
static void
|
|
|
4bf471 |
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
|
|
|
4bf471 |
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
|
|
|
4bf471 |
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
|
|
|
4bf471 |
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
|
|
|
4bf471 |
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
|
|
4bf471 |
+ handle_sign_attached_with_file_type,
|
|
|
4bf471 |
+ "sign-attached-with-file-type", 0 },
|
|
|
4bf471 |
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
|
4bf471 |
+ handle_sign_detached_with_file_type,
|
|
|
4bf471 |
+ "sign-detached-with-file-type", 0 },
|
|
|
4bf471 |
{ CMD_RESPONSE, NULL, "response", 0 },
|
|
|
4bf471 |
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
|
|
|
4bf471 |
"is-token-unlocked", 0 },
|
|
|
4bf471 |
diff --git a/src/daemon.h b/src/daemon.h
|
|
|
4bf471 |
index dd430512f1a..834d62c72d0 100644
|
|
|
4bf471 |
--- a/src/daemon.h
|
|
|
4bf471 |
+++ b/src/daemon.h
|
|
|
4bf471 |
@@ -33,6 +33,8 @@ typedef enum {
|
|
|
4bf471 |
CMD_RESPONSE,
|
|
|
4bf471 |
CMD_IS_TOKEN_UNLOCKED,
|
|
|
4bf471 |
CMD_GET_CMD_VERSION,
|
|
|
4bf471 |
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
|
|
4bf471 |
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
|
4bf471 |
CMD_LIST_END
|
|
|
4bf471 |
} pesignd_cmd;
|
|
|
4bf471 |
|
|
|
4bf471 |
--
|
|
|
4bf471 |
2.26.2
|
|
|
4bf471 |
|