[PATCH] (issue118) Add signature check for cinst.exe and mozilla.exe

Wald Commits scm-commit at wald.intevation.org
Thu Sep 11 15:49:18 CEST 2014


# HG changeset patch
# User Andre Heinecke <andre.heinecke at intevation.de>
# Date 1410441459 -7200
# Node ID b8fb6bf7f980d0c4374e8396fe99e58398fb0b69
# Parent  d6dc1144895bd2ba1685df4cb2922e74308c7a4f
(issue118) Add signature check for cinst.exe and mozilla.exe

diff -r d6dc1144895b -r b8fb6bf7f980 cinst/nssstore_win.c
--- a/cinst/nssstore_win.c	Thu Sep 11 15:24:02 2014 +0200
+++ b/cinst/nssstore_win.c	Thu Sep 11 15:17:39 2014 +0200
@@ -51,6 +51,7 @@
 #include "logging.h"
 #include "util.h"
 #include "strhelp.h"
+#include "binverify.h"
 
 #ifndef APPNAME
 #define APPNAME L"cinst"
@@ -693,6 +694,7 @@
   char *install_dir = get_install_dir();
   wchar_t *w_inst_dir;
   size_t w_path_len = 0;
+  bin_verify_result v_res;
 
   if (!selection_file)
     {
@@ -747,6 +749,22 @@
       return false;
     }
 
+  /* Verify the binary */
+    {
+      char *utf8_name = wchar_to_utf8 (lpApplicationPath, wcslen(lpApplicationPath));
+      v_res = verify_binary (utf8_name, strlen(utf8_name));
+      xfree(utf8_name);
+    }
+
+  if (v_res.result != VerifyValid)
+    {
+      ERRORPRINTF ("Failed to verify the NSS installer.\n");
+      syslog_error_printf ("Integrity check of the certificate installation subprocess for NSS failed.\n");
+      xfree (lpApplicationPath);
+      xfree (lpCommandLine);
+      return false;
+    }
+
   DEBUGPRINTF ("Starting %S with command line %S\n", lpApplicationPath, lpCommandLine);
 
   success = CreateProcessAsUserW (hToken,
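Review bot: `utf8_name` is passed to `strlen` without a NULL check in the added verification block, so if `wchar_to_utf8` can fail and return NULL (its definition is not part of this patch) the integrity check crashes the caller instead of failing closed. Checking the pointer first and taking the same cleanup path as a failed verification keeps the behaviour fail-closed: `if (!utf8_name) { xfree (lpApplicationPath); xfree (lpCommandLine); return false; }`. It would also help diagnosis to include `v_res.result` in the `ERRORPRINTF` message so the log shows which verification outcome occurred. The enclosing function starts and ends outside the hunk.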
@@ -760,6 +778,7 @@
                                   NULL, /* Current working directory */
                                   &siStartInfo,
                                   &piProcInfo);
+  fclose (v_res.fptr);
   xfree (lpApplicationPath);
   xfree (lpCommandLine);
   if (!success)
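Review bot: The `fclose (v_res.fptr)` placed right after `CreateProcessAsUserW` has no comment saying why the handle is held that long, although the ordering looks deliberate. Presumably `verify_binary` returns the file still open so that the checked binary cannot be replaced between verification and process creation; binverify.h is not shown here, so that should be confirmed. If so, a comment such as `/* Keep the verified file open until the process exists; closing earlier reopens a check-to-use window. */` above the call would stop a later cleanup from moving it. The enclosing function continues outside the hunk.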
diff -r d6dc1144895b -r b8fb6bf7f980 ui/installwrapper.cpp
--- a/ui/installwrapper.cpp	Thu Sep 11 15:24:02 2014 +0200
+++ b/ui/installwrapper.cpp	Thu Sep 11 15:17:39 2014 +0200
@@ -16,6 +16,7 @@
 
 #include "logging.h"
 #include "util.h"
+#include "binverify.h"
 
 #define INSTALL_TIMEOUT 3600000 /* Wait up to an hour */
 
@@ -79,6 +80,15 @@
     }
 
 #ifdef WIN32
+    bin_verify_result vres = verify_binary(cinstFileName.toUtf8().constData(),
+            cinstFileName.toUtf8().size());
+
+    if (vres.result != VerifyValid) {
+        emit error(tr("Integrity check of the certificate installation process failed. ") 
+                + "\n" + tr("Please reinstall the Software."));
+        return;
+    }
+
     /* QProcess on Windows uses CreateProcess but we have to
      * use the runas shell command to get the UAC prompt if necessary.
      * So we have to handle the process ourself. Starting with
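Review bot: The handle returned in `vres.fptr` is released by hand with a separate `fclose(vres.fptr)` on each exit path (the hunks at `@@ -116`, `@@ -127` and `@@ -144`), so any return between this check and those lines that lies outside the visible hunks would leak it, and so would a future early return. A guard declared right after the `VerifyValid` check would cover every path, for example `std::unique_ptr<FILE, int (*)(FILE *)> binGuard(vres.fptr, fclose);` with `<memory>` included, if the project builds as C++11; the file would then stay open until the function returns rather than until just after `CloseHandle`. Separately, `cinstFileName.toUtf8()` is converted twice, once for the pointer and once for the size, and binding it once as `const QByteArray cinstUtf8 = cinstFileName.toUtf8();` is clearer. The enclosing function starts and ends outside the hunk.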
@@ -116,6 +126,7 @@
         QString qerrmsg = QString::fromUtf8(errmsg);
         free(errmsg);
         emit error(tr("Error executing process: %1").arg(qerrmsg));
+        fclose(vres.fptr);
         return;
     }
 
@@ -127,9 +138,11 @@
             QString qerrmsg = QString::fromUtf8(errmsg);
             free(errmsg);
             emit error (tr("Error monitoring process: %1").arg(qerrmsg));
+            fclose(vres.fptr);
             return;
         } else {
             emit error (tr("Certificate installation timed out."));
+            fclose(vres.fptr);
             return;
         }
     }
@@ -144,9 +157,11 @@
         free(errmsg);
         emit error (tr("Failed to check process status: %1").arg(qerrmsg));
         CloseHandle(shExecInfo.hProcess);
+        fclose(vres.fptr);
         return;
     }
     CloseHandle(shExecInfo.hProcess);
+    fclose(vres.fptr);
 
     if (retval != 0) {
         /* TODO make this nicer */

