gatekeeper.git
2 years agoRevise exception handling
Jacob Bachmeyer [Sat, 5 Nov 2022 22:03:50 +0000 (17:03 -0500)]
Revise exception handling

The directive processed is now still emailed if a simple exception
terminates processing a packet.  Previously, the directive text was only
emailed during normal processing or if a structured exception was thrown.

2 years agoRemove fatal
Jacob Bachmeyer [Sat, 5 Nov 2022 22:01:21 +0000 (17:01 -0500)]
Remove fatal

The uses of fatal have been entirely converted to simple and structured
exceptions, allowing the gatekeeper to continue processing after a bad
upload is encountered.

2 years agoNormalize simple exception messages
Jacob Bachmeyer [Sat, 5 Nov 2022 21:52:52 +0000 (16:52 -0500)]
Normalize simple exception messages

2 years agoRemove remaining calls to fatal
Jacob Bachmeyer [Sat, 5 Nov 2022 21:52:24 +0000 (16:52 -0500)]
Remove remaining calls to fatal

These reflect system errors and are replaced with simple exceptions.

2 years agoUse structured exception to report an unsigned directive
Jacob Bachmeyer [Sat, 5 Nov 2022 21:28:00 +0000 (16:28 -0500)]
Use structured exception to report an unsigned directive

2 years agoUse structured exceptions in execute_commands
Jacob Bachmeyer [Sat, 5 Nov 2022 21:14:16 +0000 (16:14 -0500)]
Use structured exceptions in execute_commands

2 years agoFix incorrect error messages for empty directives
Jacob Bachmeyer [Sat, 5 Nov 2022 21:13:12 +0000 (16:13 -0500)]
Fix incorrect error messages for empty directives

2 years agoRevise install_files
Jacob Bachmeyer [Sat, 5 Nov 2022 21:02:36 +0000 (16:02 -0500)]
Revise install_files

 - eliminate unneeded intermediate variable
 - add separate variable for external public file name
 - adjust layout
 - replace call to fatal with structured exception

The message produced for an existing file is changed and shortened;
the testsuite is adjusted accordingly.

2 years agoRearrange comment to match pattern
Jacob Bachmeyer [Sat, 5 Nov 2022 20:48:12 +0000 (15:48 -0500)]
Rearrange comment to match pattern

2 years agoUse new mkdir_p helper in install_files
Jacob Bachmeyer [Sat, 5 Nov 2022 20:34:43 +0000 (15:34 -0500)]
Use new mkdir_p helper in install_files

Instead of using File::Path or invokgin the system mkdir, we now emulate
"mkdir -p" using about 5 lines of Perl elsewhere in the script.

2 years agoTidy split line that now fits on one line
Jacob Bachmeyer [Sat, 5 Nov 2022 20:33:11 +0000 (15:33 -0500)]
Tidy split line that now fits on one line

2 years agoFix example given in comment
Jacob Bachmeyer [Sat, 5 Nov 2022 20:31:15 +0000 (15:31 -0500)]
Fix example given in comment

2 years agoRevise archive procedure in gatekeeper
Jacob Bachmeyer [Sat, 5 Nov 2022 04:20:08 +0000 (23:20 -0500)]
Revise archive procedure in gatekeeper

 - a structured exception for general processing errors is added
 - the archive sub is renamed to archive_filepair
 - a file and its detached signature are now archived together
 - the archived filename now contains an extra number beyond the timestamp
   only if actually needed for uniqueness
   - the extra number, if used, matches between a file and its signature
   - the archived filename is claimed by creating an "archive stamp" file
 - the option to archive and overwrite a file using "replace" now handles
   the file and its signature as a pair
 - the system mkdir(1) and mv(1) commands are no longer invoked here
 - the testsuite is adjusted accordingly

2 years agoAdd helper procedure implementing "mkdir -p" in Perl
Jacob Bachmeyer [Sat, 5 Nov 2022 04:09:45 +0000 (23:09 -0500)]
Add helper procedure implementing "mkdir -p" in Perl

2 years agoUse File::Spec for symlink operations
Jacob Bachmeyer [Sat, 5 Nov 2022 04:05:40 +0000 (23:05 -0500)]
Use File::Spec for symlink operations

2 years agoUse structured exceptions for empty directive
Jacob Bachmeyer [Fri, 4 Nov 2022 00:03:40 +0000 (19:03 -0500)]
Use structured exceptions for empty directive

2 years agoAdd structured exception for GPG signature verification errors
Jacob Bachmeyer [Thu, 3 Nov 2022 22:48:48 +0000 (17:48 -0500)]
Add structured exception for GPG signature verification errors

This commit also adjusts check_files to use the package configuration
exception at the check for a lack of keyrings and tidies the syntax for a
similar check at top-level.

2 years agoAdd structured exception for known Automake vulnerabilities
Jacob Bachmeyer [Thu, 3 Nov 2022 22:37:07 +0000 (17:37 -0500)]
Add structured exception for known Automake vulnerabilities

2 years agoAdd structured exception for invalid signature timestamp
Jacob Bachmeyer [Thu, 3 Nov 2022 20:48:48 +0000 (15:48 -0500)]
Add structured exception for invalid signature timestamp

2 years agoAdd structured exception for filename mismatch
Jacob Bachmeyer [Thu, 3 Nov 2022 20:41:12 +0000 (15:41 -0500)]
Add structured exception for filename mismatch

This commit also changes the exception handling for exceptions carrying
long-form messages, instead of continuing to list their types individually
and removes testsuite support for a long-obsolete log message that could
never actually be produced.

2 years agoAdd structured exception for directive replay
Jacob Bachmeyer [Thu, 3 Nov 2022 20:13:46 +0000 (15:13 -0500)]
Add structured exception for directive replay

2 years agoAdd structured exception for unknown package error and move email check
Jacob Bachmeyer [Thu, 3 Nov 2022 20:09:45 +0000 (15:09 -0500)]
Add structured exception for unknown package error and move email check

The check for a missing per-package email list had to be moved to
validate_commands to allow the unknown package exception to be thrown.

This now makes the server misconfiguration scenario of a missing email
list distinguishable from the user error scenario of an unknown package.
The testsuite is adjusted accordingly.

2 years agoAdd structured exception for package configuration errors
Jacob Bachmeyer [Thu, 3 Nov 2022 04:00:32 +0000 (23:00 -0500)]
Add structured exception for package configuration errors

2 years agoFactor directory_package_name out of directory_email_addresses
Jacob Bachmeyer [Thu, 3 Nov 2022 03:48:48 +0000 (22:48 -0500)]
Factor directory_package_name out of directory_email_addresses

2 years agoMove check for missing "directory" element to interpret_directive
Jacob Bachmeyer [Thu, 3 Nov 2022 02:55:21 +0000 (21:55 -0500)]
Move check for missing "directory" element to interpret_directive

This is now considered a directive syntax error and detected earlier;
the testsuite is adjusted accordingly.

2 years agoSend the summary for a structured exception to syslog
Jacob Bachmeyer [Thu, 3 Nov 2022 02:24:48 +0000 (21:24 -0500)]
Send the summary for a structured exception to syslog

2 years agoAdd structured exception for directive syntax errors
Jacob Bachmeyer [Thu, 3 Nov 2022 02:19:00 +0000 (21:19 -0500)]
Add structured exception for directive syntax errors

This also improves the reporting of these errors, with a highlight line
inserted for each error encountered, in context.

2 years agoAdd initial structured exception infrastructure
Jacob Bachmeyer [Thu, 3 Nov 2022 02:17:48 +0000 (21:17 -0500)]
Add initial structured exception infrastructure

2 years agoRevise fatal to throw an exception and move report phase accordingly
Jacob Bachmeyer [Wed, 2 Nov 2022 23:47:32 +0000 (18:47 -0500)]
Revise fatal to throw an exception and move report phase accordingly

This is an intermediate step towards collecting reporting at top-level.

This commit also enables the cleanup processing that has long been present,
but was skipped due to fatal calling exit instead of throwing an exception.
The testsuite is adjusted accordingly.

2 years agoAdd final section dividers to older testsuite files
Jacob Bachmeyer [Wed, 2 Nov 2022 22:02:16 +0000 (17:02 -0500)]
Add final section dividers to older testsuite files

2 years agoFix oversight in find_directory
Jacob Bachmeyer [Wed, 2 Nov 2022 04:52:36 +0000 (23:52 -0500)]
Fix oversight in find_directory

An empty "directory" element would cause a warning from perl due to the
first element in the @values array being undefined.

2 years agoRename configurable directory variables and convert them to globals
Jacob Bachmeyer [Wed, 2 Nov 2022 02:57:26 +0000 (21:57 -0500)]
Rename configurable directory variables and convert them to globals

Uploads arrive in Inbox_dir and are atomically transferred to Scratch_dir
for processing.  Uploaded files to be published are copied to Stage_dir
and atomically transferred to locations underneath Public_dir, while files
withdrawn from publication are atomically transferred to locations
underneath Archive_dir.  The new variable names better describe the
purposes of these directories.

These variables are also converted from file-scope lexicals to true global
variables, with access scoped lexically using Perl's "our" feature.

2 years agoRemove testsuite logic that supported optional processing phase tags
Jacob Bachmeyer [Wed, 2 Nov 2022 02:21:30 +0000 (21:21 -0500)]
Remove testsuite logic that supported optional processing phase tags

All relevant messages now have phase tags in all cases.

2 years agoAdd processing phase tag "PV" for directive parsing and validation phase
Jacob Bachmeyer [Wed, 2 Nov 2022 02:02:32 +0000 (21:02 -0500)]
Add processing phase tag "PV" for directive parsing and validation phase

2 years agoAdd processing phase tag "AA" for authentication/authorization phase
Jacob Bachmeyer [Wed, 2 Nov 2022 01:42:00 +0000 (20:42 -0500)]
Add processing phase tag "AA" for authentication/authorization phase

2 years agoAdd processing phase tag "EX" for execution phase
Jacob Bachmeyer [Tue, 1 Nov 2022 04:51:35 +0000 (23:51 -0500)]
Add processing phase tag "EX" for execution phase

2 years agoAdd processing phase tag "RP" for report phase
Jacob Bachmeyer [Tue, 1 Nov 2022 04:11:00 +0000 (23:11 -0500)]
Add processing phase tag "RP" for report phase

2 years agoAdd processing phase tag "SC" for scan phase
Jacob Bachmeyer [Tue, 1 Nov 2022 04:04:16 +0000 (23:04 -0500)]
Add processing phase tag "SC" for scan phase

2 years agoAdd infrastructure to support logging current processing phase
Jacob Bachmeyer [Tue, 1 Nov 2022 03:50:26 +0000 (22:50 -0500)]
Add infrastructure to support logging current processing phase

This also collects the definition of $Log_Style to the Logging group in
preparation for future documentation improvements.

2 years agoReplace ftp_warn with general warning handler in gatekeeper
Jacob Bachmeyer [Tue, 1 Nov 2022 03:29:29 +0000 (22:29 -0500)]
Replace ftp_warn with general warning handler in gatekeeper

This also sends any warnings generated by perl itself to syslog, which
will cause random test failures with the current testsuite, thus ensuring
that all such warnings will be fixed.

2 years agoFix use of uninitialized values in interpret_directive
Jacob Bachmeyer [Tue, 1 Nov 2022 03:23:24 +0000 (22:23 -0500)]
Fix use of uninitialized values in interpret_directive

2 years agoMove test for missing version to interpret_directive
Jacob Bachmeyer [Sun, 30 Oct 2022 04:44:48 +0000 (23:44 -0500)]
Move test for missing version to interpret_directive

This changes the handling for this type of invalid directive.  These are
no longer sent to the ftp-upload-report address, but instead go only to
the ftp-upload-script box.  The testsuite is adjusted accordingly.

2 years agoRegularize mail sent by debug as compared to mail sent by mail
Jacob Bachmeyer [Sun, 30 Oct 2022 03:28:04 +0000 (22:28 -0500)]
Regularize mail sent by debug as compared to mail sent by mail

2 years agoFactor SMTP client out of mail and debug
Jacob Bachmeyer [Sun, 30 Oct 2022 03:26:24 +0000 (22:26 -0500)]
Factor SMTP client out of mail and debug

2 years agoFix bug in find_directory
Jacob Bachmeyer [Sun, 30 Oct 2022 02:04:48 +0000 (21:04 -0500)]
Fix bug in find_directory

Contrary to documentation, the return value was tainted.

2 years agoRemove useless check of operation list
Jacob Bachmeyer [Sat, 29 Oct 2022 04:28:14 +0000 (23:28 -0500)]
Remove useless check of operation list

The interpret_directive function either returns an operation list or
throws an exception, so testing the returned value is silly.  This code
had been carried over from previous refactoring when the return value of
read_directive_file was changed to an operation list; it had been a flag
nominally, but was actually a constant in read_directive_file.

2 years agoRevise main code to prepare for future improvements
Jacob Bachmeyer [Sat, 29 Oct 2022 04:22:55 +0000 (23:22 -0500)]
Revise main code to prepare for future improvements

2 years agoUse File::Spec in validate_commands
Jacob Bachmeyer [Sat, 29 Oct 2022 03:08:16 +0000 (22:08 -0500)]
Use File::Spec in validate_commands

2 years agoRemove temporary scaffolding
Jacob Bachmeyer [Sat, 29 Oct 2022 03:06:24 +0000 (22:06 -0500)]
Remove temporary scaffolding

2 years agoSplit read_directive_file into smaller functions
Jacob Bachmeyer [Sat, 29 Oct 2022 03:04:16 +0000 (22:04 -0500)]
Split read_directive_file into smaller functions

The overall logic was pulled up to top-level, while most of the code is now
in new functions without side-effects.

2 years agoRemove old model in interpret_directive
Jacob Bachmeyer [Sat, 29 Oct 2022 01:52:52 +0000 (20:52 -0500)]
Remove old model in interpret_directive

This removes most of the keys stored in the quasi-global %info hash, but
the current package and collection of email addresses remain to resolve.

2 years agoRevise directory_email_addresses
Jacob Bachmeyer [Fri, 28 Oct 2022 23:46:23 +0000 (18:46 -0500)]
Revise directory_email_addresses

Addresses are now collected in an array; repeated addresses are accepted at
this stage, and filtered out in the mail function.

2 years agoAdd central email address non-repetition filter
Jacob Bachmeyer [Fri, 28 Oct 2022 23:38:46 +0000 (18:38 -0500)]
Add central email address non-repetition filter

2 years agoRevise exclude_mail_blacklist
Jacob Bachmeyer [Fri, 28 Oct 2022 23:37:48 +0000 (18:37 -0500)]
Revise exclude_mail_blacklist

2 years agoAdd tests for email address handling
Jacob Bachmeyer [Fri, 28 Oct 2022 22:44:44 +0000 (17:44 -0500)]
Add tests for email address handling

2 years agoAdd testsuite infrastructure for detecting repeated email addresses
Jacob Bachmeyer [Fri, 28 Oct 2022 22:43:15 +0000 (17:43 -0500)]
Add testsuite infrastructure for detecting repeated email addresses

2 years agoFix emission of repeated email addresses
Jacob Bachmeyer [Fri, 28 Oct 2022 22:42:45 +0000 (17:42 -0500)]
Fix emission of repeated email addresses

This bug was discovered when support for checking for repeated email
addresses was developed for the testsuite.

2 years agoReject blatantly invalid email addresses
Jacob Bachmeyer [Fri, 28 Oct 2022 21:48:16 +0000 (16:48 -0500)]
Reject blatantly invalid email addresses

This was added after discovering that, while the maintainers file and
regular email lists were screened for validity, the addresses reported
by GPG were not.  Tests for this will soon be added to the testsuite.

2 years agoRevise email_addresses and rename it to directory_email_addresses
Jacob Bachmeyer [Fri, 28 Oct 2022 04:13:55 +0000 (23:13 -0500)]
Revise email_addresses and rename it to directory_email_addresses

This also adds a new feature:  email addresses can be registered only for
certain subdirectories belonging to a package if desired, by listing them
in an "email" file at the corresponding location in the configuration tree.
This uses the same code as is used to locate authorized keyrings.

The use of pattern matching to extract email addresses is a precaution,
although observant readers may notice that the patterns are very lax.
Perl taint mode checks do not require this, since the email addresses will
be written to a socket rather than passed as command arguments, and hash
keys, used here for efficient de-duplication, do not carry taintedness.

2 years agoChange example to mention only packages that actually exist
Jacob Bachmeyer [Fri, 28 Oct 2022 04:05:45 +0000 (23:05 -0500)]
Change example to mention only packages that actually exist

Mentioning a package that does not exist in a message reporting an attempt
to upload a file for a package that does not exist is certainly a clever
joke, but might be confusing to the recipient.

2 years agoFactor scanning loop out of directory_keyrings
Jacob Bachmeyer [Fri, 28 Oct 2022 03:59:19 +0000 (22:59 -0500)]
Factor scanning loop out of directory_keyrings

This allows the same loop to be used to support other per-directory items.

2 years agoRevise and rename keyring_file to directory_keyrings
Jacob Bachmeyer [Fri, 28 Oct 2022 02:09:42 +0000 (21:09 -0500)]
Revise and rename keyring_file to directory_keyrings

This fixes a long-standing bug, due to keyring_file never actually
returning an empty list, even if the "root" keyring does not actually
exist in the filesystem.  The testsuite is adjusted accordingly.

This also introduces another minor issue, in that processing for a
misconfigured package is now abandoned earlier, before email addresses
are gathered.  This will be corrected in later improvements.

This also eliminates the special handling for a "root" keyring, although
the feature remains available as part of the general case:  "pubring.gpg"
at the root of the package configuration tree applies to all directories
in all packages.  Be very careful with the keys on such a ring, as they
would be of immense value to an attacker.

2 years agoRemove parse_directory_line and guess_uploader_email
Jacob Bachmeyer [Thu, 27 Oct 2022 05:02:46 +0000 (00:02 -0500)]
Remove parse_directory_line and guess_uploader_email

The former has been merged into interpret_directive, and the latter is
no longer useful.  Both are now removed.

2 years agoRemove other call to guess_uploader_email in read_directive_file
Jacob Bachmeyer [Thu, 27 Oct 2022 05:01:10 +0000 (00:01 -0500)]
Remove other call to guess_uploader_email in read_directive_file

The directive has already been parsed and this call is useless here.

2 years agoAccept failure to verify signature during speculative check
Jacob Bachmeyer [Thu, 27 Oct 2022 04:59:32 +0000 (23:59 -0500)]
Accept failure to verify signature during speculative check

Previously, the tool would stop before examining the directive file if the
signature did not match a keyring somewhere.  Plans to replace this check
with a single check against the collected master keyring ran afoul of plans
to eliminate the collected master keyring.  Current future plans are to use
an index mapping long key IDs to email addresses to replace this, since GPG
will report the long key ID used to produce a signature even if the key is
not in the available keyrings.

This changed the email sent in two cases in the testsuite, which has been
adjusted accordingly in this commit.  Concerns about unauthorized parties
abusing the mechanism to spam ftp-upload-report are not relevant here,
since a reuse of a valid directive with a bogus file would be sufficient
to cause mail to be sent to that box.  In short, that is a separate issue.

2 years agoFactor email address collection out of directive-scanning loop
Jacob Bachmeyer [Thu, 27 Oct 2022 04:31:40 +0000 (23:31 -0500)]
Factor email address collection out of directive-scanning loop

2 years agoMerge parse_directory_line into interpret_directive
Jacob Bachmeyer [Thu, 27 Oct 2022 04:07:08 +0000 (23:07 -0500)]
Merge parse_directory_line into interpret_directive

The old code is still extant because it is also used elsewhere, but will
be cleaned up in future commits.

2 years agoAlso avoid further processing after other errors in directive files
Jacob Bachmeyer [Thu, 27 Oct 2022 04:05:20 +0000 (23:05 -0500)]
Also avoid further processing after other errors in directive files

2 years agoAvoid processing invalid directive elements
Jacob Bachmeyer [Thu, 27 Oct 2022 03:46:47 +0000 (22:46 -0500)]
Avoid processing invalid directive elements

The old code simply abandoned the entire loop at the first error; this
meant that a "directory" element after an error would not be seen and was
fixed in commit 86b458910ddda2c227622cafa3c37b10682d0561.  That commit
allowed the values of the capture variables from the last successful match
to be reused if a later line did not match its filter pattern.

No exploit was possible, since an error was recorded and an exception would
be thrown instead of returning the corrupted operation list, but this had
side effects that caused failures in the testsuite that were traced to this
issue, now fixed.

2 years agoAdjust pattern in testsuite
Jacob Bachmeyer [Thu, 27 Oct 2022 03:40:32 +0000 (22:40 -0500)]
Adjust pattern in testsuite

An empty "directory" element is considered invalid, but results in the
message "invalid directory" with no following text.  This was hidden by
another issue with the main code, where a failure in parse_directory_line
would add the complete contents of the directive to the message.

2 years agoAdd tests for tighter file name patterns in bad directory names
Jacob Bachmeyer [Thu, 27 Oct 2022 00:30:22 +0000 (19:30 -0500)]
Add tests for tighter file name patterns in bad directory names

Also fixes a minor bug in the testsuite that prevented $BDIR from being
properly substituted in messages for these tests.

2 years agoRevise timestamp check to use new operation list
Jacob Bachmeyer [Thu, 27 Oct 2022 00:29:13 +0000 (19:29 -0500)]
Revise timestamp check to use new operation list

2 years agoRecognize that an inability to execute gpgv is a server error
Jacob Bachmeyer [Thu, 27 Oct 2022 00:28:18 +0000 (19:28 -0500)]
Recognize that an inability to execute gpgv is a server error

This is an event that should never happen, therefore it now uses ftp_abort.

2 years agoRefactor directive validity checks
Jacob Bachmeyer [Thu, 27 Oct 2022 00:24:56 +0000 (19:24 -0500)]
Refactor directive validity checks

The check for the "replace" element appearing in a v1.1 directive is moved
to interpret_directive and directive processing no longer stops at the
first error, since the documentation states that the order of directive
elements is insignificant.

This also fixes a long-standing bug that resulted in the sending of email
to the registered maintainers for a package depending on the relative
location of the "directory" element; the testsuite is adjusted accordingly.

2 years agoReorganize gatekeeper to collect generic GPG support functions
Jacob Bachmeyer [Wed, 26 Oct 2022 23:55:11 +0000 (18:55 -0500)]
Reorganize gatekeeper to collect generic GPG support functions

Prior to committing, this was validated with:
(DIFF='git diff --cached';
 comm -3 <($DIFF | grep ^- | sed -e 's/^-//' | sort) \
         <($DIFF | grep ^+ | sed -e 's/^+//' | sort) )

The output shows only blank lines, comments, and a diff header were
added, and only a diff header removed, after all lines are sorted
and paired for analysis.  To replicate, change the "git diff" command
to compare this commit with its parent.

2 years agoRename slurp_directive_file to slurp_clearsigned_message
Jacob Bachmeyer [Wed, 26 Oct 2022 04:34:34 +0000 (23:34 -0500)]
Rename slurp_directive_file to slurp_clearsigned_message

2 years agoUse epoch timestamp from GPG instead of parsing the display timestamp
Jacob Bachmeyer [Wed, 26 Oct 2022 04:26:57 +0000 (23:26 -0500)]
Use epoch timestamp from GPG instead of parsing the display timestamp

The --status-fd option reports timestamps in epoch time directly, although
the documentation indicates that ISO 8601 format is also possible.  This
change eliminates several manipulations and removes the dependency on the
external Date::Manip module.

2 years agoReplace clearsigned message verification
Jacob Bachmeyer [Wed, 26 Oct 2022 03:24:59 +0000 (22:24 -0500)]
Replace clearsigned message verification

This removes the use of the shell to run gpgv when verifying directives.
This also improves the handling the of gpgv generally, since the use of
the --status-fd option is the recommended mechanism for automatic usage.

2 years agoFix bug in testing mock
Jacob Bachmeyer [Wed, 26 Oct 2022 02:13:41 +0000 (21:13 -0500)]
Fix bug in testing mock

If nonexistent files appear in the keyring list, grep will return an error
even if a later keyring contains a match; this will cause the mock tool to
incorrectly report not finding a key.  This bug was hidden by the main
gatekeeper only using one keyring on each gpgv run.

2 years agoComplete initial implementation of new clearsigned message verification
Jacob Bachmeyer [Wed, 26 Oct 2022 01:33:40 +0000 (20:33 -0500)]
Complete initial implementation of new clearsigned message verification

2 years agoAvoid passing tainted keyrings to signature verification
Jacob Bachmeyer [Wed, 26 Oct 2022 01:28:51 +0000 (20:28 -0500)]
Avoid passing tainted keyrings to signature verification

2 years agoUse revised ftp_abort in verify_clearsigned_message
Jacob Bachmeyer [Wed, 26 Oct 2022 01:27:55 +0000 (20:27 -0500)]
Use revised ftp_abort in verify_clearsigned_message

2 years agoRevise ftp_abort to be useful in a forked child process
Jacob Bachmeyer [Wed, 26 Oct 2022 01:25:55 +0000 (20:25 -0500)]
Revise ftp_abort to be useful in a forked child process

This commit introduces global variables to control the destination of an
abort message and the default exit code.  These variables are accessed
using lexical aliases and are only accessible in the code that uses them.

2 years agoAdd option to pipe signed message to mock signature verification tool
Jacob Bachmeyer [Tue, 25 Oct 2022 03:30:11 +0000 (22:30 -0500)]
Add option to pipe signed message to mock signature verification tool

2 years agoBegin to implement new gpgv clearsigned message verification
Jacob Bachmeyer [Sun, 23 Oct 2022 03:55:33 +0000 (22:55 -0500)]
Begin to implement new gpgv clearsigned message verification

The new code allows presenting gpgv with exactly the directive that was parsed
and eliminates all risk of confusion by keeping the output, log, and status
channels separate.  This also avoids using the shell to run gpgv.

The use of a dedicated pipe with --status-fd protects against CVE-2018-12020
and any similar future vulnerabilities.

2 years agoRevise execute_commands to use new model
Jacob Bachmeyer [Sat, 22 Oct 2022 04:28:38 +0000 (23:28 -0500)]
Revise execute_commands to use new model

2 years agoRevise install_files to use new model
Jacob Bachmeyer [Sat, 22 Oct 2022 04:23:23 +0000 (23:23 -0500)]
Revise install_files to use new model

2 years agoRevise use of system() in check_files
Jacob Bachmeyer [Sat, 22 Oct 2022 03:37:30 +0000 (22:37 -0500)]
Revise use of system() in check_files

The indirect object form of system absolutely does not use the shell.

2 years agoRevise check_files to use new model
Jacob Bachmeyer [Sat, 22 Oct 2022 03:36:12 +0000 (22:36 -0500)]
Revise check_files to use new model

2 years agoBegin to revise check_files, install_files, execute_commands
Jacob Bachmeyer [Sat, 22 Oct 2022 03:02:55 +0000 (22:02 -0500)]
Begin to revise check_files, install_files, execute_commands

This commit removes the local %info hashes in these functions.

2 years agoAdd operation list header to calls to check_files and install_files
Jacob Bachmeyer [Fri, 21 Oct 2022 04:29:39 +0000 (23:29 -0500)]
Add operation list header to calls to check_files and install_files

2 years agoRevise execute_commands to use new operation list
Jacob Bachmeyer [Fri, 21 Oct 2022 04:25:53 +0000 (23:25 -0500)]
Revise execute_commands to use new operation list

2 years agoAdd operation list to execute_commands call
Jacob Bachmeyer [Fri, 21 Oct 2022 03:51:25 +0000 (22:51 -0500)]
Add operation list to execute_commands call

This also adds a simple consistency check in execute_commands.

2 years agoChange return value of read_directive_file to operation list
Jacob Bachmeyer [Fri, 21 Oct 2022 03:50:31 +0000 (22:50 -0500)]
Change return value of read_directive_file to operation list

Previously, read_directive_file always returned zero or did not return.
We now return an operation list that will eventually replace the global
%info hash.

2 years agoTidy check for known Automake CVEs
Jacob Bachmeyer [Fri, 21 Oct 2022 03:31:13 +0000 (22:31 -0500)]
Tidy check for known Automake CVEs

While it is very unlikely that anyone will still use such an old version
of Automake, the potential risk is significant, so we still check.

2 years agoAvoid using the shell to run /bin/tar to examine uploads
Jacob Bachmeyer [Fri, 21 Oct 2022 03:15:45 +0000 (22:15 -0500)]
Avoid using the shell to run /bin/tar to examine uploads

This new code uses the list-form pipe open introduced in Perl 5.8.0.

2 years agoRemove intermediate array and send vulnerability check messages to syslog
Jacob Bachmeyer [Fri, 21 Oct 2022 02:58:37 +0000 (21:58 -0500)]
Remove intermediate array and send vulnerability check messages to syslog

2 years agoRevise handling of "filename" directive element
Jacob Bachmeyer [Fri, 21 Oct 2022 02:29:20 +0000 (21:29 -0500)]
Revise handling of "filename" directive element

All protocol versions so far imply an "install" command when a directive
is uploaded as part of a triplet.  This commit also adds infrastructure
to support a possible future explicit "install" command, removes a useless
validation of the packet stem against the directive file name, and cleans
up a now-unneeded variable that had been left as scaffolding.

2 years agoRemove unneeded scratchpad array when reading serials file
Jacob Bachmeyer [Fri, 21 Oct 2022 01:55:22 +0000 (20:55 -0500)]
Remove unneeded scratchpad array when reading serials file

2 years agoAdd tests for timestamp ratchet
Jacob Bachmeyer [Fri, 21 Oct 2022 01:48:56 +0000 (20:48 -0500)]
Add tests for timestamp ratchet