#include <sys/stat.h>
#include <sys/types.h>
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <libintl.h>
#include <libscf.h>
#include <libuutil.h>
#include <limits.h>
#include <md5.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <manifest_hash.h>
char *
mhash_filename_to_propname(const char *in, boolean_t deathrow)
{
char *out, *cp, *base;
size_t len, piece_len;
size_t base_sz = 0;
out = uu_zalloc(PATH_MAX + 1);
if (deathrow) {
if (strlcpy(out, in, PATH_MAX + 1) >= (PATH_MAX + 1)) {
uu_free(out);
return (NULL);
}
} else {
if (realpath(in, out) == NULL) {
uu_free(out);
return (NULL);
}
}
base = getenv("PKG_INSTALL_ROOT");
if (base != NULL && strncmp(out, base, strlen(base)) == 0)
base_sz = strlen(base);
cp = out + base_sz;
if (*cp == '/')
cp++;
(void) memmove(out, cp, strlen(cp) + 1);
len = strlen(out);
if (len > scf_limit(SCF_LIMIT_MAX_NAME_LENGTH)) {
piece_len = (scf_limit(SCF_LIMIT_MAX_NAME_LENGTH) - 3) / 2;
(void) strncpy(out + piece_len, "__", 2);
(void) memmove(out + piece_len + 2, out + (len - piece_len),
piece_len + 1);
}
if (!isalpha(*out))
*out = 'A';
for (cp = out + 1; *cp != '\0'; ++cp) {
if (!(isalnum(*cp) || *cp == '_' || *cp == '-'))
*cp = '_';
}
return (out);
}
int
mhash_retrieve_entry(scf_handle_t *hndl, const char *name, uchar_t *hash,
apply_action_t *action)
{
scf_scope_t *scope;
scf_service_t *svc;
scf_propertygroup_t *pg;
scf_property_t *prop;
scf_value_t *val;
scf_error_t err;
ssize_t szret;
int result = 0;
if (action)
*action = APPLY_NONE;
if ((scope = scf_scope_create(hndl)) == NULL ||
(svc = scf_service_create(hndl)) == NULL ||
(pg = scf_pg_create(hndl)) == NULL ||
(prop = scf_property_create(hndl)) == NULL ||
(val = scf_value_create(hndl)) == NULL) {
result = -1;
goto out;
}
if (scf_handle_get_local_scope(hndl, scope) < 0) {
result = -1;
goto out;
}
if (scf_scope_get_service(scope, MHASH_SVC, svc) < 0) {
result = -1;
goto out;
}
if (scf_service_get_pg(svc, name, pg) != SCF_SUCCESS) {
result = -1;
goto out;
}
if (scf_pg_get_property(pg, MHASH_PROP, prop) != SCF_SUCCESS) {
result = -1;
goto out;
}
if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
result = -1;
goto out;
}
szret = scf_value_get_opaque(val, hash, MHASH_SIZE);
if (szret < 0) {
result = -1;
goto out;
}
if (szret == MHASH_SIZE_OLD) {
(void) memset(hash + MHASH_SIZE_OLD, 0,
MHASH_SIZE - MHASH_SIZE_OLD);
} else if (szret != MHASH_SIZE) {
scf_value_destroy(val);
result = -1;
goto out;
}
if (action != NULL) {
uint8_t apply_value;
if (scf_pg_get_property(pg, MHASH_APPLY_PROP, prop) !=
SCF_SUCCESS) {
err = scf_error();
if ((err != SCF_ERROR_DELETED) &&
(err != SCF_ERROR_NOT_FOUND)) {
result = -1;
}
goto out;
}
if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
err = scf_error();
if ((err != SCF_ERROR_DELETED) &&
(err != SCF_ERROR_NOT_FOUND)) {
result = -1;
}
goto out;
}
if (scf_value_get_boolean(val, &apply_value) != SCF_SUCCESS) {
result = -1;
goto out;
}
if (apply_value)
*action = APPLY_LATE;
}
out:
(void) scf_value_destroy(val);
scf_property_destroy(prop);
scf_pg_destroy(pg);
scf_service_destroy(svc);
scf_scope_destroy(scope);
return (result);
}
int
mhash_store_entry(scf_handle_t *hndl, const char *name, const char *fname,
uchar_t *hash, apply_action_t apply_late, char **errstr)
{
scf_scope_t *scope = NULL;
scf_service_t *svc = NULL;
scf_propertygroup_t *pg = NULL;
scf_property_t *prop = NULL;
scf_value_t *aval = NULL;
scf_value_t *val = NULL;
scf_value_t *fval = NULL;
scf_transaction_t *tx = NULL;
scf_transaction_entry_t *ae = NULL;
scf_transaction_entry_t *e = NULL;
scf_transaction_entry_t *fe = NULL;
scf_error_t err;
int ret, result = 0;
char *base;
size_t base_sz = 0;
int i;
if ((scope = scf_scope_create(hndl)) == NULL ||
(svc = scf_service_create(hndl)) == NULL ||
(pg = scf_pg_create(hndl)) == NULL ||
(prop = scf_property_create(hndl)) == NULL) {
if (errstr != NULL)
*errstr = gettext("Could not create scf objects");
result = -1;
goto out;
}
if (scf_handle_get_local_scope(hndl, scope) != SCF_SUCCESS) {
if (errstr != NULL)
*errstr = gettext("Could not get local scope");
result = -1;
goto out;
}
for (i = 0; i < 5; ++i) {
if (scf_scope_get_service(scope, MHASH_SVC, svc) ==
SCF_SUCCESS)
break;
if (scf_error() != SCF_ERROR_NOT_FOUND) {
if (errstr != NULL)
*errstr = gettext("Could not get manifest hash "
"service");
result = -1;
goto out;
}
if (scf_scope_add_service(scope, MHASH_SVC, svc) ==
SCF_SUCCESS)
break;
err = scf_error();
if (err == SCF_ERROR_EXISTS)
continue;
else if (err == SCF_ERROR_PERMISSION_DENIED) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"permission denied.\n");
result = -1;
goto out;
}
if (errstr != NULL)
*errstr = gettext("Could not add manifest hash "
"service");
result = -1;
goto out;
}
if (i == 5) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"service addition contention.\n");
result = -1;
goto out;
}
for (i = 0; i < 5; ++i) {
if (scf_service_get_pg(svc, name, pg) == SCF_SUCCESS)
break;
if (scf_error() != SCF_ERROR_NOT_FOUND) {
if (errstr != NULL)
*errstr = gettext("Could not get service's "
"hash record)");
result = -1;
goto out;
}
if (scf_service_add_pg(svc, name, MHASH_PG_TYPE,
MHASH_PG_FLAGS, pg) == SCF_SUCCESS)
break;
err = scf_error();
if (err == SCF_ERROR_EXISTS)
continue;
else if (err == SCF_ERROR_PERMISSION_DENIED) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"permission denied.\n");
result = -1;
goto out;
}
if (errstr != NULL)
*errstr = gettext("Could not store file hash");
result = -1;
goto out;
}
if (i == 5) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"property group addition contention.\n");
result = -1;
goto out;
}
if ((e = scf_entry_create(hndl)) == NULL ||
(val = scf_value_create(hndl)) == NULL ||
(fe = scf_entry_create(hndl)) == NULL ||
(fval = scf_value_create(hndl)) == NULL ||
(ae = scf_entry_create(hndl)) == NULL ||
(aval = scf_value_create(hndl)) == NULL) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"permission denied.\n");
result = -1;
goto out;
}
base = getenv("PKG_INSTALL_ROOT");
if (base != NULL && strncmp(fname, base, strlen(base)) == 0)
base_sz = strlen(base);
ret = scf_value_set_opaque(val, hash, MHASH_SIZE);
assert(ret == SCF_SUCCESS);
ret = scf_value_set_astring(fval, fname + base_sz);
assert(ret == SCF_SUCCESS);
if (apply_late == APPLY_LATE) {
scf_value_set_boolean(aval, 1);
}
tx = scf_transaction_create(hndl);
if (tx == NULL) {
if (errstr != NULL)
*errstr = gettext("Could not create transaction");
result = -1;
goto out;
}
do {
if (scf_pg_update(pg) == -1) {
if (errstr != NULL)
*errstr = gettext("Could not update hash "
"entry");
result = -1;
goto out;
}
if (scf_transaction_start(tx, pg) != SCF_SUCCESS) {
if (scf_error() != SCF_ERROR_PERMISSION_DENIED) {
if (errstr != NULL)
*errstr = gettext("Could not start "
"hash transaction.\n");
result = -1;
goto out;
}
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"permission denied.\n");
result = -1;
scf_transaction_destroy(tx);
(void) scf_entry_destroy(e);
goto out;
}
if (scf_transaction_property_new(tx, e, MHASH_PROP,
SCF_TYPE_OPAQUE) != SCF_SUCCESS &&
scf_transaction_property_change_type(tx, e, MHASH_PROP,
SCF_TYPE_OPAQUE) != SCF_SUCCESS) {
if (errstr != NULL)
*errstr = gettext("Could not modify hash "
"entry");
result = -1;
goto out;
}
ret = scf_entry_add_value(e, val);
assert(ret == SCF_SUCCESS);
if (scf_transaction_property_new(tx, fe, MHASH_FILE_PROP,
SCF_TYPE_ASTRING) != SCF_SUCCESS &&
scf_transaction_property_change_type(tx, fe,
MHASH_FILE_PROP, SCF_TYPE_ASTRING) != SCF_SUCCESS) {
if (errstr != NULL)
*errstr = gettext("Could not modify file "
"entry");
result = -1;
goto out;
}
ret = scf_entry_add_value(fe, fval);
assert(ret == SCF_SUCCESS);
switch (apply_late) {
case APPLY_NONE:
if (scf_transaction_property_delete(tx, ae,
MHASH_APPLY_PROP) != 0) {
err = scf_error();
if ((err != SCF_ERROR_DELETED) &&
(err != SCF_ERROR_NOT_FOUND)) {
if (errstr != NULL) {
*errstr = gettext("Could not "
"delete apply_late "
"property");
}
result = -1;
goto out;
}
}
break;
case APPLY_LATE:
if ((scf_transaction_property_new(tx, ae,
MHASH_APPLY_PROP,
SCF_TYPE_BOOLEAN) != SCF_SUCCESS) &&
(scf_transaction_property_change_type(tx, ae,
MHASH_APPLY_PROP, SCF_TYPE_BOOLEAN) !=
SCF_SUCCESS)) {
if (errstr != NULL) {
*errstr = gettext("Could not modify "
"apply_late property");
}
result = -1;
goto out;
}
ret = scf_entry_add_value(ae, aval);
assert(ret == SCF_SUCCESS);
break;
default:
abort();
};
ret = scf_transaction_commit(tx);
if (ret == 0)
scf_transaction_reset(tx);
} while (ret == 0);
if (ret < 0) {
if (scf_error() != SCF_ERROR_PERMISSION_DENIED) {
if (errstr != NULL)
*errstr = gettext("Could not store file hash: "
"permission denied.\n");
result = -1;
goto out;
}
if (errstr != NULL)
*errstr = gettext("Could not commit transaction");
result = -1;
}
scf_transaction_destroy(tx);
(void) scf_entry_destroy(e);
(void) scf_entry_destroy(fe);
(void) scf_entry_destroy(ae);
out:
(void) scf_value_destroy(val);
(void) scf_value_destroy(fval);
(void) scf_value_destroy(aval);
scf_property_destroy(prop);
scf_pg_destroy(pg);
scf_service_destroy(svc);
scf_scope_destroy(scope);
return (result);
}
static int
md5_hash_file(const char *file, off64_t sz, uchar_t *hash)
{
char *buf;
int fd;
ssize_t res;
int ret;
fd = open(file, O_RDONLY);
if (fd < 0)
return (-1);
buf = malloc(sz);
if (buf == NULL) {
(void) close(fd);
return (-1);
}
res = read(fd, buf, (size_t)sz);
(void) close(fd);
if (res == sz) {
ret = 0;
md5_calc(hash, (uchar_t *)buf, (unsigned int) sz);
} else {
ret = -1;
}
free(buf);
return (ret);
}
int
mhash_test_file(scf_handle_t *hndl, const char *file, uint_t is_profile,
char **pnamep, uchar_t *hashbuf)
{
apply_action_t action;
boolean_t do_hash;
struct stat64 st;
char *cp;
char *data;
uchar_t stored_hash[MHASH_SIZE];
uchar_t hash[MHASH_SIZE];
char *pname;
int ret;
int hashash;
int metahashok = 0;
if (pnamep)
*pnamep = NULL;
cp = getenv("SVCCFG_CHECKHASH");
do_hash = (cp != NULL && *cp != '\0');
if (!do_hash) {
return (MHASH_NEWFILE);
}
pname = mhash_filename_to_propname(file, B_FALSE);
if (pname == NULL)
return (MHASH_FAILURE);
hashash = mhash_retrieve_entry(hndl, pname, stored_hash, &action) == 0;
if (is_profile == 0) {
assert(action == APPLY_NONE);
}
if (hashash && is_profile) {
cp = getenv("SMF_FMRI");
if ((cp == NULL) ||
(strcmp(cp, SCF_INSTANCE_MI) != 0) ||
(action != APPLY_LATE)) {
uu_free(pname);
return (MHASH_RECONCILED);
}
}
if (!hashash && hashbuf == NULL) {
uu_free(pname);
return (MHASH_NEWFILE);
}
do {
ret = stat64(file, &st);
} while (ret < 0 && errno == EINTR);
if (ret < 0) {
uu_free(pname);
return (MHASH_FAILURE);
}
data = uu_msprintf(MHASH_FORMAT_V2, st.st_uid, st.st_gid,
st.st_size, st.st_mtime);
if (data == NULL) {
uu_free(pname);
return (MHASH_FAILURE);
}
(void) memset(hash, 0, MHASH_SIZE);
md5_calc(hash, (uchar_t *)data, strlen(data));
uu_free(data);
if (hashash && memcmp(hash, stored_hash, MD5_DIGEST_LENGTH) == 0) {
int i;
metahashok = 1;
for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
if (stored_hash[MD5_DIGEST_LENGTH+i] != 0) {
if (action == APPLY_LATE) {
if (pnamep != NULL)
*pnamep = pname;
ret = MHASH_NEWFILE;
} else {
uu_free(pname);
ret = MHASH_RECONCILED;
}
return (ret);
}
}
}
if (md5_hash_file(file, st.st_size, &hash[MHASH_SIZE_OLD]) != 0) {
uu_free(pname);
return (MHASH_FAILURE);
}
if (hashash) {
uchar_t hash_v1[MHASH_SIZE_OLD];
if (metahashok ||
memcmp(&hash[MHASH_SIZE_OLD], &stored_hash[MHASH_SIZE_OLD],
MD5_DIGEST_LENGTH) == 0) {
(void) mhash_store_entry(hndl, pname, file, hash,
APPLY_NONE, NULL);
if (action == APPLY_LATE) {
if (pnamep != NULL)
*pnamep = pname;
ret = MHASH_NEWFILE;
} else {
uu_free(pname);
ret = MHASH_RECONCILED;
}
return (ret);
}
data = uu_msprintf(MHASH_FORMAT_V1, st.st_ino, st.st_uid,
st.st_size, st.st_mtime);
if (data == NULL) {
uu_free(pname);
return (MHASH_FAILURE);
}
md5_calc(hash_v1, (uchar_t *)data, strlen(data));
uu_free(data);
if (memcmp(hash_v1, stored_hash, MD5_DIGEST_LENGTH) == 0) {
(void) mhash_store_entry(hndl, pname, file, hash,
APPLY_NONE, NULL);
uu_free(pname);
return (MHASH_RECONCILED);
}
}
if (pnamep != NULL)
*pnamep = pname;
else
uu_free(pname);
if (hashbuf != NULL)
(void) memcpy(hashbuf, hash, MHASH_SIZE);
return (MHASH_NEWFILE);
}
