diff --git a/lib/common/cib_secrets.c b/lib/common/cib_secrets.c index 3b22aa6ad7..1e2b06a9cd 100644 --- a/lib/common/cib_secrets.c +++ b/lib/common/cib_secrets.c @@ -1,164 +1,185 @@ /* * Copyright 2011-2025 the Pacemaker project contributors * * The version control history for this file may have further details. * * This source code is licensed under the GNU Lesser General Public License * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY. */ #include #include #include #include #include #include #include #include #include #include #include #include #define MAX_VALUE_LEN 255 -static bool -check_md5_hash(char *hash, char *value) -{ - bool rc = false; - char *hash2 = NULL; - - hash2 = crm_md5sum(value); - crm_debug("hash: %s, calculated hash: %s", hash, hash2); - if (pcmk__str_eq(hash, hash2, pcmk__str_casei)) { - rc = true; - } - free(hash2); - return rc; -} - static char * read_local_file(char *local_file) { FILE *fp = fopen(local_file, "r"); char buf[MAX_VALUE_LEN+1]; char *p; if (!fp) { if (errno != ENOENT) { crm_perror(LOG_ERR, "cannot open %s" , local_file); } return NULL; } if (!fgets(buf, MAX_VALUE_LEN, fp)) { crm_perror(LOG_ERR, "cannot read %s", local_file); fclose(fp); return NULL; } fclose(fp); // Strip trailing white space for (p = buf + strlen(buf) - 1; (p >= buf) && isspace(*p); p--); *(p+1) = '\0'; - return strdup(buf); + return pcmk__str_copy(buf); +} + +/*! + * \internal + * \brief Read checksum from a file and compare against calculated checksum + * + * \param[in] filename File containing stored checksum + * \param[in] secret_value String to calculate checksum from + * \param[in] rsc_id Resource ID (for logging only) + * \param[in] param Parameter name (for logging only) + * + * \return Standard Pacemaker return code + */ +static int +validate_hash(const char *filename, const char *secret_value, + const char *rsc_id, const char *param) +{ + char *stored = NULL; + char *calculated = NULL; + int rc = pcmk_rc_ok; + + stored = read_local_file(filename); + if (stored == NULL) { + crm_err("Could not read md5 sum for resource %s parameter '%s' from " + "file '%s'", + rsc_id, param, filename); + rc = ENOENT; + goto done; + } + + calculated = crm_md5sum(secret_value); + if (calculated == NULL) { + // Should be impossible + rc = EINVAL; + goto done; + } + + crm_trace("Stored hash: %s, calculated hash: %s", stored, calculated); + + if (!pcmk__str_eq(stored, calculated, pcmk__str_casei)) { + crm_err("Calculated md5 sum for resource %s parameter '%s' does not " + "match stored md5 sum", + rsc_id, param); + rc = pcmk_rc_cib_corrupt; + } + +done: + free(stored); + free(calculated); + return rc; } /*! * \internal * \brief Read secret parameter values from file * * Given a table of resource parameters, if any of their values are the * magic string indicating a CIB secret, replace that string with the * secret read from the file appropriate to the given resource. * * \param[in] rsc_id Resource whose parameters are being checked * \param[in,out] params Resource parameters to check * * \return Standard Pacemaker return code */ int pcmk__substitute_secrets(const char *rsc_id, GHashTable *params) { GHashTableIter iter; char *param = NULL; char *value = NULL; GString *filename = NULL; gsize dir_len = 0; int rc = pcmk_rc_ok; if (params == NULL) { return pcmk_rc_ok; } // Some params are sent with operations, so we cannot cache secret params g_hash_table_iter_init(&iter, params); while (g_hash_table_iter_next(&iter, (gpointer *) ¶m, (gpointer *) &value)) { char *secret_value = NULL; - char *hash = NULL; + int hash_rc = pcmk_rc_ok; if (!pcmk__str_eq(value, "lrm://", pcmk__str_none)) { // Not a secret parameter continue; } if (filename == NULL) { // First secret parameter. Fill in directory path for use with all. crm_debug("Replacing secret parameters for resource %s", rsc_id); filename = g_string_sized_new(128); pcmk__g_strcat(filename, PCMK__CIB_SECRETS_DIR "/", rsc_id, "/", NULL); dir_len = filename->len; } else { // Reset filename to the resource's secrets directory path g_string_truncate(filename, dir_len); } // Path to file containing secret value for this parameter g_string_append(filename, param); secret_value = read_local_file(filename->str); if (secret_value == NULL) { crm_err("Secret value for resource %s parameter '%s' not found in " PCMK__CIB_SECRETS_DIR, rsc_id, param); rc = ENOENT; continue; } // Path to file containing md5 sum for this parameter g_string_append(filename, ".sign"); - hash = read_local_file(filename->str); - if (hash == NULL) { - crm_err("Could not read md5 sum for resource %s parameter '%s' " - "from file '%s'", - rsc_id, param, filename->str); - free(secret_value); - rc = ENOENT; - continue; - } - - if (!check_md5_hash(hash, secret_value)) { - crm_err("Calculated md5 sum for resource %s parameter '%s' does " - "not match stored md5 sum", - rsc_id, param); + hash_rc = validate_hash(filename->str, secret_value, rsc_id, param); + if (hash_rc != pcmk_rc_ok) { + rc = hash_rc; free(secret_value); - free(hash); - rc = pcmk_rc_cib_corrupt; continue; } - free(hash); g_hash_table_iter_replace(&iter, (gpointer) secret_value); } if (filename != NULL) { g_string_free(filename, TRUE); } return rc; }