samba-mirror/lib/mscat/mscat_pkcs7.c

/*
 * Copyright (c) 2016      Andreas Schneider <asn@samba.org>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#include <util/debug.h>
#include <util/data_blob.h>

#include "mscat.h"
#include "mscat_private.h"

#define PKCS7_CTL_OBJID                "1.3.6.1.4.1.311.10.1"

static int mscat_pkcs7_cleanup(struct mscat_pkcs7 *mp7)
{
	if (mp7->c != NULL) {
		gnutls_pkcs7_deinit(mp7->c);
	}

	return 0;
}

struct mscat_pkcs7 *mscat_pkcs7_init(TALLOC_CTX *mem_ctx)
{
	struct mscat_pkcs7 *pkcs7;
	int rc;

	pkcs7 = talloc_zero(mem_ctx, struct mscat_pkcs7);
	if (pkcs7 == NULL) {
		return NULL;
	}
	talloc_set_destructor(pkcs7, mscat_pkcs7_cleanup);

	rc = gnutls_pkcs7_init(&pkcs7->c);
	if (rc != 0) {
		talloc_free(pkcs7);
		return NULL;
	}

	return pkcs7;
}

static int mscat_read_file(TALLOC_CTX *mem_ctx,
			   const char *filename,
			   DATA_BLOB *pblob)
{
	struct stat sb = {0};
	size_t alloc_size;
	size_t count;
	DATA_BLOB blob = data_blob_null;
	FILE *fp;
	int rc;

	fp = fopen(filename, "r");
	if (fp == NULL) {
		return -1;
	}

	rc = fstat(fileno(fp), &sb);
	if (rc != 0) {
		goto error;
	}

	if (!S_ISREG(sb.st_mode)) {
		errno = EINVAL;
		rc = -1;
		goto error;
	}
	if (SIZE_MAX - 1 < (unsigned long)sb.st_size) {
		errno = ENOMEM;
		rc = -1;
		goto error;
	}
	alloc_size = sb.st_size + 1;

	blob = data_blob_talloc_zero(mem_ctx, alloc_size);
	if (blob.data == NULL) {
		rc = -1;
		goto error;
	}

	count = fread(blob.data, 1, blob.length, fp);
	if (count != blob.length) {
		if (ferror(fp)) {
			rc = -1;
			goto error;
		}
	}
	blob.data[count] = '\0';
	blob.length = count;
	fclose(fp);

	*pblob = blob;

	return 0;
error:
	data_blob_free(&blob);
	fclose(fp);
	return rc;
}

int mscat_pkcs7_import_catfile(struct mscat_pkcs7 *mp7,
			       const char *catfile)
{
	TALLOC_CTX *tmp_ctx;
	gnutls_datum_t mscat_data = {
		.size = 0,
	};
	DATA_BLOB blob = {
		.length = 0,
	};
	int rc;

	tmp_ctx = talloc_new(mp7);
	if (tmp_ctx == NULL) {
		return -1;
	}

	rc = mscat_read_file(tmp_ctx,
			     catfile,
			     &blob);
	if (rc == -1) {
		DBG_ERR("Failed to read catalog file '%s' - %s\n",
			catfile,
			strerror(errno));
		goto done;
	}

	mscat_data.data = blob.data;
	mscat_data.size = blob.length;

	rc = gnutls_pkcs7_import(mp7->c,
				 &mscat_data,
				 GNUTLS_X509_FMT_DER);
	if (rc < 0) {
		DBG_ERR("Failed to import PKCS7 from '%s' - %s\n",
			catfile,
			gnutls_strerror(rc));
		goto done;
	}

	rc = 0;
done:
	talloc_free(tmp_ctx);
	return rc;
}

int mscat_pkcs7_verify(struct mscat_pkcs7 *mp7,
		       const char *ca_file)
{
	TALLOC_CTX *tmp_ctx = NULL;
	gnutls_x509_trust_list_t tl = NULL;
	gnutls_datum_t ca_data;
	DATA_BLOB blob = {
		.length = 0,
	};
	uint32_t flags = 0;
	const char *oid;
	int count;
	int cmp;
	int rc;
	int i;

	oid = gnutls_pkcs7_get_embedded_data_oid(mp7->c);
	if (oid == NULL) {
		DBG_ERR("Failed to get oid - %s\n",
			gnutls_strerror(errno));
		return -1;
	}

	cmp = strcmp(oid, PKCS7_CTL_OBJID);
	if (cmp != 0) {
		DBG_ERR("Invalid oid in catalog file! oid: %s, expected: %s\n",
			oid,
			PKCS7_CTL_OBJID);
		return -1;
	}

	tmp_ctx = talloc_new(mp7);
	if (tmp_ctx == NULL) {
		return -1;
	}

	rc = gnutls_x509_trust_list_init(&tl,
					 0); /* default size */
	if (rc != 0) {
		DBG_ERR("Failed to create trust list - %s\n",
			gnutls_strerror(rc));
		goto done;
	}


	/* Load the system trust list */
	rc = gnutls_x509_trust_list_add_system_trust(tl, 0, 0);
	if (rc < 0) {
		DBG_ERR("Failed to add system trust list - %s\n",
			gnutls_strerror(rc));
		goto done;
	}
	DBG_INFO("Loaded %d CAs\n", rc);

	if (ca_file != NULL) {
		rc = mscat_read_file(tmp_ctx,
				     ca_file,
				     &blob);
		if (rc != 0) {
			DBG_ERR("Failed to read CA file '%s' - %s\n",
				ca_file,
				strerror(errno));
			goto done;
		}

		ca_data.data = blob.data;
		ca_data.size = blob.length;

		rc = gnutls_x509_trust_list_add_trust_mem(tl,
							  &ca_data,
							  NULL, /* crls */
							  GNUTLS_X509_FMT_DER,
							  0, /* tl_flags */
							  0); /* tl_vflags */
		if (rc < 0) {
			DBG_ERR("Failed to add '%s' to trust list - %s (%d)\n",
				ca_file,
				gnutls_strerror(rc),
				rc);
			goto done;
		}
		DBG_INFO("Loaded %d additional CAs\n", rc);
	}

	/*
	 * Drivers often exist for quite some time, so it is possible that one
	 * of the certificates in the trust list expired.
	 * This is not a big deal, but we need to disable the time checks
	 * or the verification will fail.
	 */
	flags = GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS|
		GNUTLS_VERIFY_DISABLE_TIME_CHECKS;

#if GNUTLS_VERSION_NUMBER >= 0x030600
	/* The "Microsoft Root Authority" certificate uses SHA1 */
	flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
#endif

	count = gnutls_pkcs7_get_signature_count(mp7->c);
	if (count == 0) {
		DBG_ERR("Failed to verify catalog file, no signatures found\n");
		goto done;
	}

	for (i = 0; i < count; i++) {
		rc = gnutls_pkcs7_verify(mp7->c,
					 tl,
					 NULL, /* vdata */
					 0,    /* vdata_size */
					 i,    /* index */
					 NULL, /* data */
					 flags);   /* flags */
		if (rc < 0) {
			DBG_ERR("Failed to verify catalog file - %s (%d)\n",
				gnutls_strerror(rc),
				rc);
			goto done;
		}
	}

	rc = 0;
done:
	gnutls_x509_trust_list_deinit(tl, 1);
	talloc_free(tmp_ctx);
	return rc;
}