lib/process: Add process_get_stdout
[petitboot] / lib / security / gpg.c
1 /*
2  *  Copyright (C) 2016 Raptor Engineering, LLC
3  *
4  *  This program is free software; you can redistribute it and/or modify
5  *  it under the terms of the GNU General Public License as published by
6  *  the Free Software Foundation; version 2 of the License.
7  *
8  *  This program is distributed in the hope that it will be useful,
9  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
10  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11  *  GNU General Public License for more details.
12  *
13  *  You should have received a copy of the GNU General Public License
14  *  along with this program; if not, write to the Free Software
15  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
16  */
17
18 #if defined(HAVE_CONFIG_H)
19 #include "config.h"
20 #endif
21
22 #include <stdbool.h>
23 #include <stdlib.h>
24 #include <assert.h>
25 #include <dirent.h>
26 #include <string.h>
27 #include <fcntl.h>
28 #include <locale.h>
29 #include <sys/types.h>
30
31 #include <log/log.h>
32 #include <file/file.h>
33 #include <talloc/talloc.h>
34 #include <url/url.h>
35 #include <util/util.h>
36 #include <i18n/i18n.h>
37
38 #include <gpgme.h>
39
40 #include "security.h"
41
42 /*
43  * If --with-signed-boot is enabled lib/security provides the ability to handle
44  * gpg-signed and/or encrypted boot sources (kernel, initrd, etc).
45  * This can be used to enable a form of secure boot, but it is important to
46  * recognise that it depends on the security of the entire system, for example
47  * a full trusted-boot implementation. Petitboot can not and will not be able
48  * to guarantee secure boot by itself.
49  */
50
51 int decrypt_file(const char *filename,
52         FILE *authorized_signatures_handle, const char *keyring_path)
53 {
54         int result = 0;
55         int valid = 0;
56         size_t bytes_read = 0;
57         unsigned char buffer[8192];
58
59         if (filename == NULL)
60                 return -1;
61
62         gpgme_signature_t verification_signatures;
63         gpgme_verify_result_t verification_result;
64         gpgme_data_t ciphertext_data;
65         gpgme_data_t plaintext_data;
66         gpgme_engine_info_t enginfo;
67         gpgme_ctx_t gpg_context;
68         gpgme_error_t err;
69
70         /* Initialize gpgme */
71         setlocale (LC_ALL, "");
72         gpgme_check_version(NULL);
73         gpgme_set_locale(NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
74         err = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
75         if (err != GPG_ERR_NO_ERROR) {
76                 pb_log_fn("OpenPGP support not available\n");
77                 return -1;
78         }
79         err = gpgme_get_engine_info(&enginfo);
80         if (err != GPG_ERR_NO_ERROR) {
81                 pb_log_fn("GPG engine failed to initialize\n");
82                 return -1;
83         }
84         err = gpgme_new(&gpg_context);
85         if (err != GPG_ERR_NO_ERROR) {
86                 pb_log_fn("GPG context could not be created\n");
87                 return -1;
88         }
89         err = gpgme_set_protocol(gpg_context, GPGME_PROTOCOL_OpenPGP);
90         if (err != GPG_ERR_NO_ERROR) {
91                 pb_log_fn("GPG protocol could not be set\n");
92                 return -1;
93         }
94         if (keyring_path)
95                 err = gpgme_ctx_set_engine_info (gpg_context,
96                         GPGME_PROTOCOL_OpenPGP,
97                         enginfo->file_name, keyring_path);
98         else
99                 err = gpgme_ctx_set_engine_info (gpg_context,
100                         GPGME_PROTOCOL_OpenPGP,
101                         enginfo->file_name, enginfo->home_dir);
102         if (err != GPG_ERR_NO_ERROR) {
103                 pb_log_fn("Could not set GPG engine information\n");
104                 return -1;
105         }
106         err = gpgme_data_new(&plaintext_data);
107         if (err != GPG_ERR_NO_ERROR) {
108                 pb_log("%s: Could not create GPG plaintext data buffer\n",
109                         __func__);
110                 return -1;
111         }
112         err = gpgme_data_new_from_file(&ciphertext_data, filename, 1);
113         if (err != GPG_ERR_NO_ERROR) {
114                 pb_log("%s: Could not create GPG ciphertext data buffer"
115                         " from file '%s'\n", __func__, filename);
116                 return -1;
117         }
118
119         /* Decrypt and verify file */
120         err = gpgme_op_decrypt_verify(gpg_context, ciphertext_data,
121                 plaintext_data);
122         if (err != GPG_ERR_NO_ERROR) {
123                 pb_log_fn("Could not decrypt file\n");
124                 return -1;
125         }
126         verification_result = gpgme_op_verify_result(gpg_context);
127         verification_signatures = verification_result->signatures;
128         while (verification_signatures) {
129                 if (verification_signatures->status == GPG_ERR_NO_ERROR) {
130                         pb_log("%s: Good signature for key ID '%s' ('%s')\n",
131                                 __func__,
132                                 verification_signatures->fpr, filename);
133                         /* Verify fingerprint is present in authorized
134                          * signatures file
135                          */
136                         char *auth_sig_line = NULL;
137                         size_t auth_sig_len = 0;
138                         ssize_t auth_sig_read;
139                         rewind(authorized_signatures_handle);
140                         while ((auth_sig_read = getline(&auth_sig_line,
141                                 &auth_sig_len,
142                                 authorized_signatures_handle)) != -1) {
143                                 auth_sig_len = strlen(auth_sig_line);
144                                 while ((auth_sig_line[auth_sig_len-1] == '\n')
145                                         || (auth_sig_line[auth_sig_len-1] == '\r'))
146                                         auth_sig_len--;
147                                 auth_sig_line[auth_sig_len] = 0;
148                                 if (strcmp(auth_sig_line,
149                                         verification_signatures->fpr) == 0)
150                                         valid = 1;
151                         }
152                         free(auth_sig_line);
153                 }
154                 else {
155                         pb_log("%s: Signature for key ID '%s' ('%s') invalid."
156                                 "  Status: %08x\n", __func__,
157                                 verification_signatures->fpr, filename,
158                                 verification_signatures->status);
159                 }
160                 verification_signatures = verification_signatures->next;
161         }
162
163         gpgme_data_release(ciphertext_data);
164
165         if (valid) {
166                 /* Write decrypted file over ciphertext */
167                 FILE *plaintext_file_handle = NULL;
168                 plaintext_file_handle = fopen(filename, "wb");
169                 if (!plaintext_file_handle) {
170                         pb_log("%s: Could not create GPG plaintext file '%s'\n",
171                                 __func__, filename);
172                         gpgme_data_release(plaintext_data);
173                         gpgme_release(gpg_context);
174                         return -1;
175                 }
176                 gpgme_data_seek(plaintext_data, 0, SEEK_SET);
177                 if (err != GPG_ERR_NO_ERROR) {
178                         pb_log("%s: Could not seek in GPG plaintext buffer\n",
179                                 __func__);
180                         gpgme_data_release(plaintext_data);
181                         gpgme_release(gpg_context);
182                         fclose(plaintext_file_handle);
183                         return -1;
184                 }
185                 while ((bytes_read = gpgme_data_read(plaintext_data, buffer,
186                         8192)) > 0) {
187                         size_t l2 = fwrite(buffer, 1, bytes_read,
188                                 plaintext_file_handle);
189                         if (l2 < bytes_read) {
190                                 if (ferror(plaintext_file_handle)) {
191                                         /* General error */
192                                         result = -1;
193                                         pb_log("%s: failed: unknown fault\n",
194                                                 __func__);
195                                 }
196                                 else {
197                                         /* No space on destination device */
198                                         result = -1;
199                                         pb_log("%s: failed: temporary storage"
200                                                 " full\n", __func__);
201                                 }
202                                 break;
203                         }
204                 }
205                 fclose(plaintext_file_handle);
206         }
207
208         /* Clean up */
209         gpgme_data_release(plaintext_data);
210         gpgme_release(gpg_context);
211
212         if (!valid) {
213                 pb_log_fn("Incorrect GPG signature\n");
214                 return -1;
215         }
216
217         pb_log("%s: GPG signature for decrypted file '%s' verified\n",
218                 __func__, filename);
219
220         return result;
221 }
222
223 int verify_file_signature(const char *plaintext_filename,
224         const char *signature_filename, FILE *authorized_signatures_handle,
225         const char *keyring_path)
226 {
227         int valid = 0;
228         gpgme_signature_t verification_signatures;
229         gpgme_verify_result_t verification_result;
230         gpgme_data_t plaintext_data;
231         gpgme_data_t signature_data;
232         gpgme_engine_info_t enginfo;
233         gpgme_ctx_t gpg_context;
234         gpgme_error_t err;
235
236         if (signature_filename == NULL)
237                 return -1;
238
239         /* Initialize gpgme */
240         setlocale (LC_ALL, "");
241         gpgme_check_version(NULL);
242         gpgme_set_locale(NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
243         err = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
244         if (err != GPG_ERR_NO_ERROR) {
245                 pb_log_fn("OpenPGP support not available\n");
246                 return -1;
247         }
248         err = gpgme_get_engine_info(&enginfo);
249         if (err != GPG_ERR_NO_ERROR) {
250                 pb_log_fn("GPG engine failed to initialize\n");
251                 return -1;
252         }
253         err = gpgme_new(&gpg_context);
254         if (err != GPG_ERR_NO_ERROR) {
255                 pb_log_fn("GPG context could not be created\n");
256                 return -1;
257         }
258         err = gpgme_set_protocol(gpg_context, GPGME_PROTOCOL_OpenPGP);
259         if (err != GPG_ERR_NO_ERROR) {
260                 pb_log_fn("GPG protocol could not be set\n");
261                 return -1;
262         }
263         if (keyring_path)
264                 err = gpgme_ctx_set_engine_info (gpg_context,
265                         GPGME_PROTOCOL_OpenPGP, enginfo->file_name,
266                         keyring_path);
267         else
268                 err = gpgme_ctx_set_engine_info (gpg_context,
269                         GPGME_PROTOCOL_OpenPGP, enginfo->file_name,
270                         enginfo->home_dir);
271         if (err != GPG_ERR_NO_ERROR) {
272                 pb_log_fn("Could not set GPG engine information\n");
273                 return -1;
274         }
275         err = gpgme_data_new_from_file(&plaintext_data, plaintext_filename, 1);
276         if (err != GPG_ERR_NO_ERROR) {
277                 pb_log("%s: Could not create GPG plaintext data buffer"
278                         " from file '%s'\n", __func__, plaintext_filename);
279                 return -1;
280         }
281         err = gpgme_data_new_from_file(&signature_data, signature_filename, 1);
282         if (err != GPG_ERR_NO_ERROR) {
283                 pb_log("%s: Could not create GPG signature data buffer"
284                         " from file '%s'\n", __func__, signature_filename);
285                 return -1;
286         }
287
288         /* Check signature */
289         err = gpgme_op_verify(gpg_context, signature_data, plaintext_data,
290                 NULL);
291         if (err != GPG_ERR_NO_ERROR) {
292                 pb_log("%s: Could not verify file using GPG signature '%s'\n",
293                         __func__, signature_filename);
294                 return -1;
295         }
296         verification_result = gpgme_op_verify_result(gpg_context);
297         verification_signatures = verification_result->signatures;
298         while (verification_signatures) {
299                 if (verification_signatures->status != GPG_ERR_NO_ERROR) {
300                         /* Signature verification failure */
301                         pb_log("%s: Signature for key ID '%s' ('%s') invalid."
302                                 "  Status: %08x\n", __func__,
303                                 verification_signatures->fpr,
304                                 signature_filename,
305                                 verification_signatures->status);
306                         verification_signatures = verification_signatures->next;
307                         continue;
308                 }
309
310                 /* Signature check passed with no error */
311                 pb_log("%s: Good signature for key ID '%s' ('%s')\n",
312                         __func__, verification_signatures->fpr,
313                         signature_filename);
314                 /* Verify fingerprint is present in
315                         * authorized signatures file
316                         */
317                 char *auth_sig_line = NULL;
318                 size_t auth_sig_len = 0;
319                 ssize_t auth_sig_read;
320                 rewind(authorized_signatures_handle);
321                 while ((auth_sig_read = getline(&auth_sig_line,
322                         &auth_sig_len,
323                         authorized_signatures_handle)) != -1) {
324                         auth_sig_len = strlen(auth_sig_line);
325                         while ((auth_sig_line[auth_sig_len-1] == '\n')
326                                 || (auth_sig_line[auth_sig_len-1] == '\r'))
327                                 auth_sig_len--;
328                         auth_sig_line[auth_sig_len] = '\0';
329                         if (strcmp(auth_sig_line,
330                                 verification_signatures->fpr) == 0)
331                                 valid = 1;
332                 }
333                 free(auth_sig_line);
334                 verification_signatures = verification_signatures->next;
335         }
336
337         /* Clean up */
338         gpgme_data_release(plaintext_data);
339         gpgme_data_release(signature_data);
340         gpgme_release(gpg_context);
341
342         if (!valid) {
343                 pb_log_fn("Incorrect GPG signature\n");
344                 return -1;
345         }
346
347         pb_log("%s: GPG signature '%s' for file '%s' verified\n",
348                 __func__, signature_filename, plaintext_filename);
349
350         return 0;
351 }
352
353 int lockdown_status() {
354         /* assume most restrictive lockdown type */
355         int ret = PB_LOCKDOWN_SIGN;
356
357 #if !defined(HARD_LOCKDOWN)
358         if (access(LOCKDOWN_FILE, F_OK) == -1)
359                 return PB_LOCKDOWN_NONE;
360 #endif
361
362         /* determine lockdown type */
363         FILE *authorized_signatures_handle = NULL;
364         authorized_signatures_handle = fopen(LOCKDOWN_FILE, "r");
365         if (!authorized_signatures_handle)
366                 return ret;
367
368         char *auth_sig_line = NULL;
369         size_t auth_sig_len = 0;
370         ssize_t auth_sig_read;
371         rewind(authorized_signatures_handle);
372         if ((auth_sig_read = getline(&auth_sig_line,
373                 &auth_sig_len,
374                 authorized_signatures_handle)) != -1) {
375                 auth_sig_len = strlen(auth_sig_line);
376                 while ((auth_sig_line[auth_sig_len-1] == '\n')
377                     || (auth_sig_line[auth_sig_len-1] == '\r'))
378                         auth_sig_len--;
379                 auth_sig_line[auth_sig_len] = 0;
380                 if (strcmp(auth_sig_line, "ENCRYPTED") == 0) {
381                         /* first line indicates encrypted files
382                          * expected.  enable decryption.
383                          */
384                         ret = PB_LOCKDOWN_DECRYPT;
385                 }
386         }
387         free(auth_sig_line);
388
389     return ret;
390 }
391