authorSamuel Lidén Borell <samuel@kodafritt.se>2014-02-07 23:17:23 +0100
committerSamuel Lidén Borell <samuel@kodafritt.se>2014-02-07 23:17:23 +0100
commitdbd66319771f9328b4297b85481962f2835e7f36 (patch)
tree6c410905d9eaccc311796e9c339cf2d4894ac9e8
parent38fc78093e6c2360027d250a6fc37fc7880f7737 (diff)
downloadfribid-dbd66319771f9328b4297b85481962f2835e7f36.tar.gz
fribid-dbd66319771f9328b4297b85481962f2835e7f36.tar.bz2
fribid-dbd66319771f9328b4297b85481962f2835e7f36.zip
Remove version expiry status checking system
This system had two purposes: 1) to make FriBID able to determine the latest version of the official software it could emulate, without having to upgrade FriBID itself. 2) to make it possible to "revoke" old versions of FriBID in case of security problems. It has turned out that this system is not necessary. 1) was never really needed because the official software was updated quite rarely anyway and only a few web sites cared about the version string anyway. 2) is a kind of "kill switch" but it's not very useful since it's only checked when you use the FriBID user interface. Hence users who use FriBID (the user interface) infrequently or users who do not use it any longer would not see the warning message. And it seems that most users only use FriBID infrequently (typically once a year or so). This change removes a lot of code. One of the function calls removed is platform_seedRandom which was ONLY used for the "expiry" feature which used rand(). This does not affect the crypto stuff which uses OpenSSL's random generator which in turn uses /dev/random.
-rw-r--r--client/bankid.c174
-rw-r--r--client/bankid.h5
-rw-r--r--client/gtk.c8
-rw-r--r--client/main.c13
-rw-r--r--client/platform.h10
-rw-r--r--client/posix.c53
-rw-r--r--common/defines.h2
-rw-r--r--translations/sv.po14
8 files changed, 8 insertions, 271 deletions
diff --git a/client/bankid.c b/client/bankid.c
index e7d3010..bc9fcd4 100644
--- a/client/bankid.c
+++ b/client/bankid.c
@@ -1,6 +1,6 @@
/*
- Copyright (c) 2009-2011 Samuel Lidén Borell <samuel@kodafritt.se>
+ Copyright (c) 2009-2014 Samuel Lidén Borell <samuel@kodafritt.se>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@@ -38,9 +38,6 @@
#include "platform.h"
#include "prefs.h"
-#define EXPIRY_RAND (rand() % 65535)
-#define DEFAULT_EXPIRY (RELEASE_TIME + 30*24*3600)
-
/**
* Returns the version string. The version string is identical to that of
* Nexus Personal for Linux in order to be compatible with all servers, which
@@ -67,175 +64,16 @@ static char *getVersionString() {
"os_version=unknown&"
"best_before=%2$" PRId64 "&";
- long lexpiry;
- int64_t expiry;
- const char *versionToEmulate;
- bool allocated = false;
-
- if (prefs_bankid_emulatedversion) {
- /* Manual override */
- versionToEmulate = prefs_bankid_emulatedversion;
- expiry = time(NULL) + 30*24*3600;
- } else {
- /* Use automatic version from DNS */
- PlatformConfig *cfg = platform_openConfig(BINNAME, "expiry");
-
- if (platform_getConfigInteger(cfg, "expiry", "best-before", &lexpiry)) {
- expiry = lexpiry;
- } else {
- expiry = DEFAULT_EXPIRY;
- }
-
- if (platform_getConfigString(cfg, "expiry", "version-to-emulate", (char**)&versionToEmulate)) {
- allocated = true;
- } else {
- versionToEmulate = EMULATED_VERSION;
- }
-
- platform_freeConfig(cfg);
- }
-
- char *result = rasprintf(template, versionToEmulate, expiry);
-
- if (allocated) {
- free((char*)versionToEmulate);
- }
- return result;
-}
-
-/**
- * Checks the validity of the current version and gets the maximum version
- * that we can emulate. This works by sending a DNS A request and parsing
- * the result. The left-most octet is always 127. The remaining octets make
- * up a 24-bit integer, where the octet to the left is the most significant.
- * The highest two bits make up a status code. The following 4, 6, 6 and 6
- * bits make up components of the version, in from the left to the right.
- *
- * @param valid This variable will receive the status.
- *
- * @return true if successful, false if not.
- */
-static bool checkValidity(bool *valid, char **versionToEmulate) {
- uint32_t response = platform_lookupTypeARecord(DNSVERSION STATUSDOMAIN);
-
- if (response >> 24 != 127) return false;
-
- enum { OK = 1, EXPIRED = 2 } status = (response >> 22) & 0x3;
-
- if ((status != OK) && (status != EXPIRED)) return false;
-
- *valid = (status == OK);
+ int64_t expiry = time(NULL) + 29*24*3600;
- *versionToEmulate = rasprintf("%d.%d.%d.%d",
- (response >> 18) & 0xF,
- (response >> 12) & 0x3F,
- (response >> 6) & 0x3F,
- response & 0x3F);
+ const char *versionToEmulate = (prefs_bankid_emulatedversion ?
+ prefs_bankid_emulatedversion : /* Manual override */
+ EMULATED_VERSION); /* Recommended version number */
- return true;
+ return rasprintf(template, versionToEmulate, expiry);
}
-static void storeExpiryParameters(PlatformConfig *cfg,
- int64_t lastCheck, bool valid,
- const char *emulatedVersion) {
- if (valid) {
- platform_setConfigInteger(cfg, "expiry", "best-before",
- lastCheck - EXPIRY_RAND + 30*24*3600);
- }
- platform_setConfigBool(cfg, "expiry", "still-valid", valid);
- platform_setConfigString(cfg, "expiry", "version-to-emulate", emulatedVersion);
- platform_setConfigString(cfg, "expiry", "checked-with-version", DNSVERSION);
-
- if (!platform_saveConfig(cfg)) {
- fprintf(stderr, BINNAME ": failed to create expiry file.\n");
- }
-}
-
-/**
- * Checks the validity of the emulated version and stores the status
- * in the configuration file.
- */
-static void versionCheckFunction(void *ignored) {
- PlatformConfig *cfg = platform_openConfig(BINNAME, "expiry");
- bool valid;
- char *versionToEmulate;
-
- if (checkValidity(&valid, &versionToEmulate)) {
- storeExpiryParameters(cfg, time(NULL), valid,
- versionToEmulate);
- free(versionToEmulate);
- }
-
- platform_freeConfig(cfg);
-}
-
-/**
- * This function checks the validity of the emulated version. If the current
- * version needs checking immidiatly, then this function blocks until it has
- * received an answer from the server (see above). If the current version will
- * need checking within 14 days, then the check will be asynchronous.
- */
-void bankid_checkVersionValidity() {
- if (prefs_bankid_emulatedversion)
- return;
-
- PlatformConfig *cfg = platform_openConfig(BINNAME, "expiry");
-
- char *checkedWithVersion = NULL;
- if (platform_getConfigString(cfg, "expiry", "checked-with-version", &checkedWithVersion) &&
- strcmp(checkedWithVersion, DNSVERSION) != 0) {
- // The last check was done with another version, so overwrite the
- // old configuration with the defaults
- storeExpiryParameters(cfg, DEFAULT_EXPIRY, true,
- EMULATED_VERSION);
-
- }
- free(checkedWithVersion);
-
- long lexpiry;
- time_t expiry;
- if (platform_getConfigInteger(cfg, "expiry", "best-before", &lexpiry)) {
- expiry = lexpiry;
- } else {
- expiry = 0;
- }
-
- bool maybeValid;
- if (!platform_getConfigBool(cfg, "expiry", "still-valid", &maybeValid)) {
- maybeValid = true;
- }
-
- platform_freeConfig(cfg);
-
- // Check the expiry
- time_t now = time(NULL);
- if (now >= expiry) {
- // Expired
- if (maybeValid) {
- versionCheckFunction(NULL);
- }
- } else if (now >= expiry - 14*24*3600) {
- // Expires in 14 days
- platform_asyncCall(versionCheckFunction, NULL);
- }
-}
-
-bool bankid_versionHasExpired() {
- if (prefs_bankid_emulatedversion)
- return false;
-
- PlatformConfig *cfg = platform_openConfig(BINNAME, "expiry");
-
- bool valid;
- if (!platform_getConfigBool(cfg, "expiry", "still-valid", &valid)) {
- valid = true;
- }
-
- platform_freeConfig(cfg);
- return !valid;
-}
-
/* Version objects */
char *bankid_getVersion() {
return getVersionString();
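Review bot: The new `int64_t expiry = time(NULL) + 29*24*3600;` in getVersionString() carries no comment, and its 29-day figure differs from the 30 days used by the removed code, so a reader cannot tell whether the change is deliberate. Because `best_before` is now synthesized on every call, I would document that next to it, e.g. `/* best_before is synthesized as "now + 29 days"; it is no longer tied to any stored expiry state */`, and give the interval a named constant. Separately, `prefs_bankid_emulatedversion` is passed unchanged into what is visibly an `&`-separated key=value template, so a preference value containing `&` or `=` would presumably add or alter fields in the reported string; restricting the override to digits and dots before use would close that. The function starts above the hunk, so the first part of the template is not visible here.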
diff --git a/client/bankid.h b/client/bankid.h
index 32788fb..4de82d6 100644
--- a/client/bankid.h
+++ b/client/bankid.h
@@ -1,6 +1,6 @@
/*
- Copyright (c) 2009-2011 Samuel Lidén Borell <samuel@kodafritt.se>
+ Copyright (c) 2009-2014 Samuel Lidén Borell <samuel@kodafritt.se>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@@ -32,11 +32,8 @@
#include "../common/biderror.h"
#include "../common/bidtypes.h"
-void bankid_checkVersionValidity();
-bool bankid_versionHasExpired();
char *bankid_getVersion();
-
BankIDError bankid_authenticate(Token *token,
const char *challenge, int32_t serverTime,
const char *hostname, const char *ip,
diff --git a/client/gtk.c b/client/gtk.c
index 463aabc..2bc6c41 100644
--- a/client/gtk.c
+++ b/client/gtk.c
@@ -723,12 +723,4 @@ void platform_showError(TokenError error) {
}
}
-void platform_versionExpiredError() {
- showMessage(GTK_MESSAGE_ERROR, _("This software version has expired, and "
- "will probably not be accepted on all web sites.\n"
- "\n"
- "Please download a newer version (if available), or use "
- "the officially supported software (Nexus Personal) instead."));
-}
-
diff --git a/client/main.c b/client/main.c
index f20806e..d824ed5 100644
--- a/client/main.c
+++ b/client/main.c
@@ -158,10 +158,6 @@ void pipeCommand(PipeCommand command, const char *url, const char *hostname,
platform_setMessage(decodedMessage);
free(decodedMessage);
}
-
- if (bankid_versionHasExpired()) {
- platform_versionExpiredError();
- }
while (platform_sign(&token, password, password_maxsize)) {
// Set the password (not used by all backends)
@@ -254,10 +250,6 @@ void pipeCommand(PipeCommand command, const char *url, const char *hostname,
input.minPasswordNonDigits,
input.minPasswordDigits);
- if (bankid_versionHasExpired()) {
- platform_versionExpiredError();
- }
-
for (;;) {
error = RUERR_UserCancel;
// Ask for a password
@@ -332,12 +324,7 @@ void pipeData() {
int main(int argc, char **argv) {
bool ipc = false, error = false;
- platform_seedRandom();
prefs_load();
-
- /* Check whether the current version is still valid */
- bankid_checkVersionValidity();
-
error = secmem_init_pool();
if (error) {
fprintf(stderr, BINNAME ": could not initialize secure memory");
diff --git a/client/platform.h b/client/platform.h
index 68df2bc..4279171 100644
--- a/client/platform.h
+++ b/client/platform.h
@@ -33,9 +33,6 @@
/* Initialization */
void platform_init(int *argc, char ***argv);
-/* Random number generation */
-void platform_seedRandom();
-
/* Pipe I/O */
typedef void (PlatformPipeFunction) ();
void platform_setupPipe(PlatformPipeFunction *pipeFunction);
@@ -78,13 +75,6 @@ void platform_setConfigInteger(PLATFORM_CFGPARAMS, long value);
void platform_setConfigBool(PLATFORM_CFGPARAMS, bool value);
void platform_setConfigString(PLATFORM_CFGPARAMS, const char *value);
-/* Asynchronous calls / threads */
-typedef void (AsyncCallFunction) (void *);
-void platform_asyncCall(AsyncCallFunction *function, void *param);
-
-/* Network */
-uint32_t platform_lookupTypeARecord(const char *hostname);
-
/* User interface */
// This value has to match the value in the window system
diff --git a/client/posix.c b/client/posix.c
index d484321..2d4e779 100644
--- a/client/posix.c
+++ b/client/posix.c
@@ -1,6 +1,6 @@
/*
- Copyright (c) 2009-2010 Samuel Lidén Borell <samuel@kodafritt.se>
+ Copyright (c) 2009-2014 Samuel Lidén Borell <samuel@kodafritt.se>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
@@ -50,13 +50,6 @@
struct flock file_lock(short ltype);
-void platform_seedRandom() {
- struct timeval tv;
- gettimeofday(&tv, NULL);
-
- srand(tv.tv_sec ^ tv.tv_usec ^ getpid());
-}
-
struct PlatformDirIter {
DIR *dir;
char *path;
@@ -239,50 +232,6 @@ char *platform_getFilenameForKey(const char *nameAttr) {
return filename;
}
-void platform_asyncCall(AsyncCallFunction *function, void *param) {
- pid_t child = fork();
- if (child == -1) {
- // Call the function synchronously instead
- function(param);
- } else if (child == 0) {
- // This is done asynchronously
- function(param);
- exit(0);
- } else {
- // "Dereference" the process id
- waitpid(-1, NULL, WNOHANG);
- }
-}
-
-/**
- * Looks up an A record, and returns it as an 32-bit integer.
- * Useful for API:s that use DNS.
- */
-uint32_t platform_lookupTypeARecord(const char *hostname) {
- assert(hostname != NULL);
-
- const struct addrinfo hints = {
- .ai_flags = 0,
- .ai_family = AF_INET,
- .ai_socktype = SOCK_STREAM,
- };
- struct addrinfo *ai;
-
- if (getaddrinfo(hostname, NULL, &hints, &ai) != 0) {
- return 0;
- }
-
- if (ai == NULL) return 0;
-
- uint32_t arecord = 0;
- if (ai->ai_addr && ai->ai_addr->sa_family == AF_INET) {
- arecord = ntohl(((struct sockaddr_in*)ai->ai_addr)->sin_addr.s_addr);
- }
-
- freeaddrinfo(ai);
- return arecord;
-}
-
/**
* Returns a flock struct used as an argument to fcntl to
* lock a file.
diff --git a/common/defines.h b/common/defines.h
index 4ec7fc5..0812b1b 100644
--- a/common/defines.h
+++ b/common/defines.h
@@ -40,8 +40,6 @@
#define IPCVERSION "10"
#define EMULATED_VERSION "4.15.0.14"
-#define DNSVERSION "2"
-#define STATUSDOMAIN ".status.fribid.se"
#define LIB_PATH LIBDIR "/" BINNAME
#define LIBEXEC_PATH LIBEXECDIR "/" BINNAME
diff --git a/translations/sv.po b/translations/sv.po
index a8d9369..2dc51c7 100644
--- a/translations/sv.po
+++ b/translations/sv.po
@@ -136,20 +136,6 @@ msgid_plural "The password must have at least %d digits"
msgstr[0] "Lösenordet måste ha minst en siffra"
msgstr[1] "Lösenordet måste ha minst %d siffror"
-#: ../client/gtk.c:676
-msgid ""
-"This software version has expired, and will probably not be accepted on all "
-"web sites.\n"
-"\n"
-"Please download a newer version (if available), or use the officially "
-"supported software (Nexus Personal) instead."
-msgstr ""
-"Denna programvara har gått ut, och kanske inte kommer att accepteras på alla "
-"webbsidor.\n"
-"\n"
-"Du behöver ladda ner en nyare version (om det finns någon) eller, "
-"alternativt, använda den officiella programvaran (Nexus Personal) istället."
-
#: ../client/gtk/sign.glade:89
msgid "Text to sign:"
msgstr "Text att skriva under:"