static gboolean
rspamd_map_check_file_sig (const char *fname,
struct rspamd_map *map,
struct rspamd_map_backend *bk,
const guchar *input,
gsize inlen)
{
gchar fpath[PATH_MAX];
guchar *data;
struct rspamd_cryptobox_pubkey *pk = NULL;
GString *b32_key;
gboolean ret;
gsize len = 0;
if (bk->trusted_pubkey == NULL) {
/* Try to load and check pubkey */
rspamd_snprintf (fpath, sizeof (fpath), "%s.pub", fname);
data = rspamd_file_xmap (fpath, PROT_READ, &len);
if (data == NULL) {
msg_err_map ("can't open pubkey %s: %s", fpath, strerror (errno));
return FALSE;
}
pk = rspamd_pubkey_from_base32 (data, len, RSPAMD_KEYPAIR_SIGN,
RSPAMD_CRYPTOBOX_MODE_25519);
munmap (data, len);
if (pk == NULL) {
msg_err_map ("can't load pubkey %s", fpath);
return FALSE;
}
/* We just check pk against the trusted db of keys */
b32_key = rspamd_pubkey_print (pk,
RSPAMD_KEYPAIR_BASE32|RSPAMD_KEYPAIR_PUBKEY);
g_assert (b32_key != NULL);
if (g_hash_table_lookup (map->cfg->trusted_keys, b32_key->str) == NULL) {
msg_err_map ("pubkey loaded from %s is untrusted: %v", fpath,
b32_key);
g_string_free (b32_key, TRUE);
rspamd_pubkey_unref (pk);
return FALSE;
}
g_string_free (b32_key, TRUE);
}
else {
pk = rspamd_pubkey_ref (bk->trusted_pubkey);
}
ret = rspamd_map_check_sig_pk (fname, map, input, inlen, pk);
rspamd_pubkey_unref (pk);
return ret;
}
static int
http_map_finish (struct rspamd_http_connection *conn,
struct rspamd_http_message *msg)
{
struct http_callback_data *cbd = conn->ud;
struct rspamd_map *map;
rspamd_mempool_t *pool;
char fpath[PATH_MAX];
guchar *aux_data, *in = NULL;
gsize inlen = 0;
struct stat st;
map = cbd->map;
pool = cbd->map->pool;
if (msg->code == 200) {
if (cbd->stage == map_load_file) {
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
/* Maybe we need to check signature ? */
if (map->is_signed) {
close (cbd->out_fd);
if (map->trusted_pubkey) {
/* No need to load key */
cbd->stage = map_load_signature;
cbd->pk = rspamd_pubkey_ref (map->trusted_pubkey);
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig",
cbd->tmpfile);
}
else {
rspamd_snprintf (fpath, sizeof (fpath), "%s.pub",
cbd->tmpfile);
cbd->stage = map_load_pubkey;
}
cbd->out_fd = rspamd_file_xopen (fpath, O_RDWR|O_CREAT, 00644);
if (cbd->out_fd == -1) {
msg_err_pool ("cannot open pubkey file %s for writing: %s",
fpath, strerror (errno));
goto end;
}
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
goto end;
}
else {
/* Unsinged version - just open file */
in = rspamd_file_xmap (cbd->tmpfile, PROT_READ, &inlen);
if (in == NULL) {
msg_err_pool ("cannot read tempfile %s: %s", cbd->tmpfile,
strerror (errno));
goto end;
}
}
}
else if (cbd->stage == map_load_pubkey) {
/* We now can load pubkey */
(void)lseek (cbd->out_fd, 0, SEEK_SET);
if (fstat (cbd->out_fd, &st) == -1) {
msg_err_pool ("cannot stat pubkey file %s: %s",
fpath, strerror (errno));
goto end;
}
aux_data = mmap (NULL, st.st_size, PROT_READ, MAP_SHARED,
cbd->out_fd, 0);
close (cbd->out_fd);
cbd->out_fd = -1;
if (aux_data == MAP_FAILED) {
msg_err_pool ("cannot map pubkey file %s: %s",
fpath, strerror (errno));
goto end;
}
cbd->pk = rspamd_pubkey_from_base32 (aux_data, st.st_size,
RSPAMD_KEYPAIR_SIGN, RSPAMD_CRYPTOBOX_MODE_25519);
munmap (aux_data, st.st_size);
if (cbd->pk == NULL) {
msg_err_pool ("cannot load pubkey file %s: bad pubkey",
fpath);
goto end;
}
rspamd_snprintf (fpath, sizeof (fpath), "%s.sig", cbd->tmpfile);
cbd->out_fd = rspamd_file_xopen (fpath, O_RDWR|O_CREAT, 00644);
if (cbd->out_fd == -1) {
msg_err_pool ("cannot open signature file %s for writing: %s",
fpath, strerror (errno));
goto end;
}
cbd->stage = map_load_signature;
rspamd_http_connection_reset (cbd->conn);
write_http_request (cbd);
goto end;
}
else if (cbd->stage == map_load_signature) {
/* We can now check signature */
close (cbd->out_fd);
cbd->out_fd = -1;
in = rspamd_file_xmap (cbd->tmpfile, PROT_READ, &inlen);
if (in == NULL) {
msg_err_pool ("cannot read tempfile %s: %s", cbd->tmpfile,
strerror (errno));
goto end;
}
if (!rspamd_map_check_sig_pk (cbd->tmpfile, map, in, inlen, cbd->pk)) {
goto end;
}
}
g_assert (in != NULL);
map->read_callback (map->pool, in, inlen, &cbd->cbdata, TRUE);
map->fin_callback (map->pool, &cbd->cbdata);
*map->user_data = cbd->cbdata.cur_data;
msg_info_pool ("read map data from %s", cbd->data->host);
}
else if (msg->code == 304 && cbd->stage == map_load_file) {
msg_debug_pool ("data is not modified for server %s",
cbd->data->host);
if (msg->last_modified) {
cbd->data->last_checked = msg->last_modified;
}
else {
cbd->data->last_checked = msg->date;
}
}
else {
msg_info_pool ("cannot load map %s from %s: HTTP error %d",
map->uri, cbd->data->host, msg->code);
}
end:
REF_RELEASE (cbd);
return 0;
}
