Date: Sun, 13 Sep 2015 11:22:24 +0200 From: "Klaus T. Aehlig" <aehlig@linta.de> To: jvarner@gmail.com Cc: ctm-users@freebsd.org, Peter Wemm <peter@wemm.org> Subject: Re: Future of CTM Message-ID: <20150913092224.GC3041@howard.linta.de> In-Reply-To: <201509051839.t85IdmIJ047044@eden.local> References: <2133149.u1BgRHIO00@overcee.wemm.org> <201509051839.t85IdmIJ047044@eden.local>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
> {
>
> :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
> | rcvstore +ctm-ports -nounseen
>
> :0 c
> | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify
>
> :0 a
> | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
> }
If I read your example correctly (I'm not familiar with procmail), you're
only verifying that there is a part with a good signature by the right key
but you pass on the whole mail. Isn't this vulnerable to someone taking a
well-signed mail (e.g., one of those saying the delta is too big and should
be received via ftp) and appending a non-signed clear-text malicious ctm delta?
To avoid those kind of attacks I only take the "decrypted" contents of the
mail and verify the status fd to check that the mail only contains the parts
I expect (one block followed by a good signature with the correct key
and nothing else following). The script is attached (all the mentioned directories
under /usr/ctm can only be written to by the uucp user). Note, however, that my
set-up is slightly different, as I forward the ctm mails from my mail server
to my FreeBSD machines via uucp.
Regards,
Klaus
[-- Attachment #2 --]
#!/usr/local/bin/perl -w
umask 0022;
my $name = `date +%Y-%m-%d-%H:%M:%S`;
chomp($name);
$name .= "-$$";
open(DROP,">","/usr/ctm/incomming/$name")
or die "Failed to open $name in dropdir ($!)\n";
while(<STDIN>) {
print DROP $_;
}
close(DROP)
or die "Failed to close $name in dropdir ($!)\n";
## Check signatures
my $dropname = "/usr/ctm/incomming/$name";
my $plainname = "/usr/ctm/sigs/" . $name . "-plain";
my $logname = "/usr/ctm/sigs/" . $name . "-log";
my $statusname = "/usr/ctm/sigs/" . $name . "-status";
my $keyring = "/root/uucpkeyring";
system "gpg --no-default-keyring --keyring \Q$keyring\E --status-fd 3 -d < \Q$dropname\E > \Q$plainname\E 2> \Q$logname\E 3> \Q$statusname\E";
## Interpret signature check
open(STATUS,"<",$statusname);
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] PLAINTEXT 74 0/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] NEWSIG/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] SIG_ID/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] GOODSIG D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] TRUST/ or exit 0;
$line = <STATUS>; ! $line or exit 0;
close(STATUS);
## if reached here, signature is good and we can trust $plainname
my $goodname = "/usr/ctm/goodmails/" . $name;
rename $plainname, $goodname;
exit 0;
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150913092224.GC3041>