Many fixes on recent changes. To be continued

8 years ago · 0b52dfca5f
parent 598f6290e6
commit 0b52dfca5f
9 changed files with 195 additions and 135 deletions
--- a/dist/src/lib/keyring.c
+++ b/dist/src/lib/keyring.c
@ -193,7 +193,9 @@ pgp_key_find_uid_cond(
        unsigned(*uidcond) ( uint8_t *, void *),
        void *uidcondarg,
        unsigned(*sigcond) ( const pgp_sig_info_t *),
-        time_t	*youngest)
+        time_t	*youngest,
+        unsigned checkrevoke,
+        unsigned checkexpiry)
 {
    unsigned    	 	 uididx = 0;
    unsigned    	 	 uidsigidx = 0;
@ -201,6 +203,11 @@ pgp_key_find_uid_cond(
    int32_t    	 	 lastgood;
    uint8_t			**uidp;
    pgp_uidsig_t    *uidsigp;
+    time_t           yngst = 0;
+
+    /* If not maximum age given, take default */
+    if(!youngest)
+        youngest = &yngst;

    /* Loop over key's user ids*/
    uidp = key->uids;
@ -221,7 +228,7 @@ pgp_key_find_uid_cond(
                if(uidsigp->siginfo.type == PGP_SIG_REV_CERT)
                {
                    /* ignore revocation if secret */
-                    if(pgp_is_key_secret(key))
+                    if(!checkrevoke)
                        continue;

                    /* revert to last good candidate */
@ -230,8 +237,7 @@ pgp_key_find_uid_cond(
                }

                /* in sig validity time frame */
-                if(pgp_is_key_secret(key) || /* ignore if secret */
-                       siginfo_in_time(&uidsigp->siginfo))
+                if(!checkexpiry || siginfo_in_time(&uidsigp->siginfo))
                {
                    /* sig cond is ok ? */
                    if(!sigcond || sigcond(&uidsigp->siginfo))
@ -261,7 +267,9 @@ pgp_key_find_key_conds(
        const pgp_key_t *key, 
        unsigned(*keycond) ( const pgp_pubkey_t *, const uint8_t *, void*),
        void *keycondarg,
-        unsigned(*sigcond) ( const pgp_sig_info_t *))
+        unsigned(*sigcond) ( const pgp_sig_info_t *),
+        unsigned checkrevoke,
+        unsigned checkexpiry)
 {
    unsigned    	 	 subkeyidx = 0;
    unsigned    	 	 subkeysigidx = 0;
@ -291,15 +299,14 @@ pgp_key_find_key_conds(
            if(directsigp->siginfo.type == PGP_SIG_REV_SUBKEY)
            {
                /* ignore revocation if secret */
-                if(pgp_is_key_secret(key))
+                if(!checkrevoke)
                    continue;

                return -2; /* Key is globally revoked, no result */
            }

            /* in sig validity time frame */
-            if(pgp_is_key_secret(key) || /* ignore if secret */
-                    siginfo_in_time(&directsigp->siginfo))
+            if(!checkexpiry || siginfo_in_time(&directsigp->siginfo))
            {
                /* condition on sig is ok */
                if(sigcond(&directsigp->siginfo))
@ -314,9 +321,13 @@ pgp_key_find_key_conds(
            }
        }

-        uidres = pgp_key_find_uid_cond(key, NULL, NULL, sigcond, &youngest);
-        if(uidres != -1){
-            res = uidres;
+        uidres = pgp_key_find_uid_cond(
+                key, NULL, NULL, sigcond, &youngest, 
+                checkrevoke, checkexpiry);
+
+        /* if matching uid sig, then primary is machin key */
+        if(uidres != -1){ 
+            res = -1;
        }
    }

@ -343,7 +354,7 @@ pgp_key_find_key_conds(
                if(subkeysigp->siginfo.type == PGP_SIG_REV_SUBKEY)
                {
                    /* ignore revocation if secret */
-                    if(pgp_is_key_secret(key))
+                    if(!checkrevoke)
                        continue;

                    /* revert to last good candidate */
@ -352,11 +363,10 @@ pgp_key_find_key_conds(
                }

                /* in sig validity time frame */
-                if(pgp_is_key_secret(key) ||
-                        siginfo_in_time(&subkeysigp->siginfo))
+                if(!checkexpiry || siginfo_in_time(&subkeysigp->siginfo))
                {
-                    /* subkey is primary */
-                    if(sigcond(&subkeysigp->siginfo))
+                    /* subkey sig condition is ok */
+                    if(!sigcond || sigcond(&subkeysigp->siginfo))
                    {
                        /* youngest signature is deciding */
                        if(subkeysigp->siginfo.birthtime > youngest)
@ -453,19 +463,21 @@ static unsigned is_signing_role(const pgp_sig_info_t *siginfo)
    return siginfo->key_flags & PGP_KEYFLAG_SIGN_DATA;
 }

+/* Get a pub key to check signature */
 const pgp_pubkey_t *
 pgp_key_get_sigkey(const pgp_key_t *key)
 {
    int32_t subkeyidx = 
-        pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role);
+        pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role, 0, 0);
    return key_get_pubkey_from_subidx(key, NULL, subkeyidx);
 }

+/* Get a sec key to write a signature */
 const pgp_seckey_t *
 pgp_key_get_certkey(const pgp_key_t *key)
 {
    int32_t subkeyidx = 
-        pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role);
+        pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role, 1, 0);
    return key_get_seckey_from_subidx(key, NULL, subkeyidx);
 }

@ -478,7 +490,7 @@ const pgp_pubkey_t *
 pgp_key_get_enckey(const pgp_key_t *key, const uint8_t **id)
 {
    int32_t subkeyidx = 
-        pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role);
+        pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role, 1, 0);

    return key_get_pubkey_from_subidx(key, id, subkeyidx);
 }
@ -487,7 +499,7 @@ const pgp_seckey_t *
 pgp_key_get_deckey(const pgp_key_t *key, const uint8_t **id)
 {
    int32_t subkeyidx = 
-        pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role);
+        pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role, 0, 0);

    return key_get_seckey_from_subidx(key, id, subkeyidx);
 }
@ -499,14 +511,12 @@ static unsigned primary_uid_sigcond(const pgp_sig_info_t *siginfo)

 const int32_t pgp_key_get_uid0(const pgp_key_t *key)
 {
-    time_t	youngest = 0;
    int32_t res = 
-        pgp_key_find_uid_cond(key, NULL, NULL, &primary_uid_sigcond, &youngest);
+        pgp_key_find_uid_cond(key, NULL, NULL, &primary_uid_sigcond, NULL, 1, 1);

-    youngest = 0;
    /* arbitrarily use youngest uid if no primary is found */
    return res == -1 ? 
-        pgp_key_find_uid_cond(key, NULL, NULL, NULL, 0): 
+        pgp_key_find_uid_cond(key, NULL, NULL, NULL, NULL, 1, 1): 
        res;
 }

@ -948,7 +958,11 @@ unsigned key_id_match(const pgp_pubkey_t *key, const uint8_t *keyid, void *refid
 */
 const pgp_key_t *
 pgp_getkeybyid(pgp_io_t *io, const pgp_keyring_t *keyring,
-			   const uint8_t *keyid, unsigned *from, const pgp_pubkey_t **pubkey)
+			   const uint8_t *keyid, unsigned *from, 
+               const pgp_pubkey_t **pubkey,
+               const pgp_seckey_t **seckey,
+               unsigned checkrevoke,
+               unsigned checkexpiry)
 {
 	uint8_t	nullid[PGP_KEY_ID_SIZE];

@ -962,12 +976,16 @@ pgp_getkeybyid(pgp_io_t *io, const pgp_keyring_t *keyring,
 		}

        subkeyidx = pgp_key_find_key_conds(key, &key_id_match,
-                                           (void*)keyid, NULL);
+                                           (void*)keyid, NULL, 
+                                           checkrevoke, checkexpiry);

 		if (subkeyidx != -2) {
 			if (pubkey) {
 				*pubkey = key_get_pubkey_from_subidx(key, NULL, subkeyidx);
 			}
+			if (seckey) {
+				*seckey = key_get_seckey_from_subidx(key, NULL, subkeyidx);
+			}
 			return key;
 		}
 	}
@ -982,7 +1000,7 @@ pgp_deletekeybyid(pgp_io_t *io, pgp_keyring_t *keyring,
 	pgp_key_t *key;

 	if ((key = (pgp_key_t *)pgp_getkeybyid(io, keyring, keyid,
-                                           &from, NULL)) == NULL) {
+                                           &from, NULL, NULL, 0, 0)) == NULL) {
 		return 0;
 	}
    /* 'from' is now index of key to delete */
@ -1120,7 +1138,8 @@ getkeybyname(pgp_io_t *io,
 		hexdump(io->outs, "keyid", keyid, 4);
 	}
 	savedstart = *from;
-	if ((kp = pgp_getkeybyid(io, keyring, keyid, from, NULL)) != NULL) {
+	if ((kp = pgp_getkeybyid(io, keyring, keyid, from, 
+                             NULL, NULL, 0, 0)) != NULL) {
 		return kp;
 	}
 	*from = savedstart;
@ -1307,7 +1326,7 @@ pgp_key_t *pgp_ensure_pubkey(
    /* fill in what we already know */
    key->type = PGP_PTAG_CT_PUBLIC_KEY;
    pgp_pubkey_dup(&key->key.pubkey, pubkey);
-    (void) memcpy(&key->pubkeyid, pubkeyid, sizeof(PGP_KEY_ID_SIZE));
+    (void) memcpy(&key->pubkeyid, pubkeyid, PGP_KEY_ID_SIZE);
    pgp_fingerprint(&key->pubkeyfpr, pubkey, keyring->hashtype);

    return key;
@ -1337,7 +1356,7 @@ pgp_key_t *pgp_ensure_seckey(
    /* fill in what we already know */
    key->type = PGP_PTAG_CT_SECRET_KEY;
    pgp_seckey_dup(&key->key.seckey, seckey);
-    (void) memcpy(&key->pubkeyid, pubkeyid, sizeof(PGP_KEY_ID_SIZE));
+    (void) memcpy(&key->pubkeyid, pubkeyid, PGP_KEY_ID_SIZE);
    pgp_fingerprint(&key->pubkeyfpr, &seckey->pubkey, keyring->hashtype);

    return key;
--- a/dist/src/lib/keyring.h
+++ b/dist/src/lib/keyring.h
@ -77,7 +77,10 @@ const pgp_key_t *pgp_getkeybyid(pgp_io_t *,
 					const pgp_keyring_t *,
 					const uint8_t *,
 					unsigned *,
-					const pgp_pubkey_t **);
+					const pgp_pubkey_t **,
+					const pgp_seckey_t **,
+                    unsigned checkrevoke,
+                    unsigned checkexpiry);
 unsigned pgp_deletekeybyid(pgp_io_t *, 
                    pgp_keyring_t *,
 			        const uint8_t *);
@ -211,6 +214,8 @@ pgp_key_find_uid_cond(
        unsigned(*uidcond) ( uint8_t *, void *),
        void *uidcondarg,
        unsigned(*sigcond) ( const pgp_sig_info_t *),
-        time_t	*youngest);
+        time_t	*youngest,
+        unsigned checkrevoke,
+        unsigned checkexpiry);

 #endif /* KEYRING_H_ */
--- a/dist/src/lib/netpgp.c
+++ b/dist/src/lib/netpgp.c
@ -164,7 +164,7 @@ resultp(pgp_io_t *io,
 		from = 0;
 		key = pgp_getkeybyid(io, ring,
 			(const uint8_t *) res->valid_sigs[i].signer_id,
-			&from, &sigkey);
+			&from, &sigkey, NULL, 0, 0);
 		pgp_print_keydata(io, ring, key, "signature ", &key->key.pubkey, 0);
 	}
 }
--- a/dist/src/lib/netpgpdigest.h
+++ b/dist/src/lib/netpgpdigest.h
@ -50,6 +50,7 @@
 /* SHA1 Hash Size */
 #define PGP_SHA1_HASH_SIZE 	SHA_DIGEST_LENGTH
 #define PGP_SHA256_HASH_SIZE	SHA256_DIGEST_LENGTH
+#define PGP_SHA512_HASH_SIZE	SHA512_DIGEST_LENGTH
 #define PGP_CHECKHASH_SIZE	PGP_SHA1_HASH_SIZE

 #endif /* NETPGPDIGEST_H_ */
--- a/dist/src/lib/packet-parse.c
+++ b/dist/src/lib/packet-parse.c
@ -929,9 +929,9 @@ free_BN(BIGNUM **pp)
 }

 static void 
-dup_BN(BIGNUM *dst, const BIGNUM *src)
+dup_BN(BIGNUM **dst, const BIGNUM *src)
 {
-	dst = BN_dup(src);
+	*dst = BN_dup(src);
 }

 void 
@ -948,17 +948,17 @@ copy_sig_info(pgp_sig_info_t *dst, const pgp_sig_info_t *src)
 	switch (src->key_alg) {
 	case PGP_PKA_RSA:
 	case PGP_PKA_RSA_SIGN_ONLY:
-		dup_BN(dst->sig.rsa.sig, src->sig.rsa.sig);
+		dup_BN(&dst->sig.rsa.sig, src->sig.rsa.sig);
 		break;

 	case PGP_PKA_DSA:
-		dup_BN(dst->sig.dsa.r, src->sig.dsa.r);
-		dup_BN(dst->sig.dsa.s, src->sig.dsa.s);
+		dup_BN(&dst->sig.dsa.r, src->sig.dsa.r);
+		dup_BN(&dst->sig.dsa.s, src->sig.dsa.s);
 		break;

 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
-		dup_BN(dst->sig.elgamal.r, src->sig.elgamal.r);
-		dup_BN(dst->sig.elgamal.s, src->sig.elgamal.s);
+		dup_BN(&dst->sig.elgamal.r, src->sig.elgamal.r);
+		dup_BN(&dst->sig.elgamal.s, src->sig.elgamal.s);
 		break;

 	case PGP_PKA_PRIVATE00:
@ -984,8 +984,8 @@ copy_sig_info(pgp_sig_info_t *dst, const pgp_sig_info_t *src)
 * \brief Free the memory used when parsing a signature
 * \param sig
 */
-static void 
-sig_info_free(pgp_sig_info_t *info)
+void 
+pgp_free_sig_info(pgp_sig_info_t *info)
 {
    free(info->v4_hashed);

@ -1022,12 +1022,13 @@ sig_info_free(pgp_sig_info_t *info)
 	default:
 		(void) fprintf(stderr, "info-free: bad info-type\n");
 	}
+    memset(info, 0, sizeof(pgp_sig_info_t));
 }

 static void 
 sig_free(pgp_sig_t *sig)
 {
-    sig_info_free(&sig->info);
+    pgp_free_sig_info(&sig->info);
 }


@ -1268,22 +1269,22 @@ pgp_pubkey_dup(pgp_pubkey_t *dst, pgp_pubkey_t *src)
 	case PGP_PKA_RSA:
 	case PGP_PKA_RSA_ENCRYPT_ONLY:
 	case PGP_PKA_RSA_SIGN_ONLY:
-		dup_BN(dst->key.rsa.n, src->key.rsa.n);
-		dup_BN(dst->key.rsa.e, src->key.rsa.e);
+		dup_BN(&dst->key.rsa.n, src->key.rsa.n);
+		dup_BN(&dst->key.rsa.e, src->key.rsa.e);
 		break;

 	case PGP_PKA_DSA:
-		dup_BN(dst->key.dsa.p, src->key.dsa.p);
-		dup_BN(dst->key.dsa.q, src->key.dsa.q);
-		dup_BN(dst->key.dsa.g, src->key.dsa.g);
-		dup_BN(dst->key.dsa.y, src->key.dsa.y);
+		dup_BN(&dst->key.dsa.p, src->key.dsa.p);
+		dup_BN(&dst->key.dsa.q, src->key.dsa.q);
+		dup_BN(&dst->key.dsa.g, src->key.dsa.g);
+		dup_BN(&dst->key.dsa.y, src->key.dsa.y);
 		break;

 	case PGP_PKA_ELGAMAL:
 	case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
-		dup_BN(dst->key.elgamal.p, src->key.elgamal.p);
-		dup_BN(dst->key.elgamal.g, src->key.elgamal.g);
-		dup_BN(dst->key.elgamal.y, src->key.elgamal.y);
+		dup_BN(&dst->key.elgamal.p, src->key.elgamal.p);
+		dup_BN(&dst->key.elgamal.g, src->key.elgamal.g);
+		dup_BN(&dst->key.elgamal.y, src->key.elgamal.y);
 		break;

 	case PGP_PKA_NOTHING:
@ -2431,18 +2432,20 @@ pgp_seckey_free(pgp_seckey_t *key)
 int 
 pgp_seckey_dup(pgp_seckey_t *dst, pgp_seckey_t *src)
 {
+    memcpy(dst, src, sizeof(*src));
+
 	switch (src->pubkey.alg) {
 	case PGP_PKA_RSA:
 	case PGP_PKA_RSA_ENCRYPT_ONLY:
 	case PGP_PKA_RSA_SIGN_ONLY:
-		dup_BN(src->key.rsa.d, src->key.rsa.d);
-		dup_BN(src->key.rsa.p, src->key.rsa.p);
-		dup_BN(src->key.rsa.q, src->key.rsa.q);
-		dup_BN(src->key.rsa.u, src->key.rsa.u);
+		dup_BN(&dst->key.rsa.d, src->key.rsa.d);
+		dup_BN(&dst->key.rsa.p, src->key.rsa.p);
+		dup_BN(&dst->key.rsa.q, src->key.rsa.q);
+		dup_BN(&dst->key.rsa.u, src->key.rsa.u);
 		break;

 	case PGP_PKA_DSA:
-		dup_BN(src->key.dsa.x, src->key.dsa.x);
+		dup_BN(&dst->key.dsa.x, src->key.dsa.x);
 		break;

 	default:
@ -2453,11 +2456,13 @@ pgp_seckey_dup(pgp_seckey_t *dst, pgp_seckey_t *src)
        return 0;
 	}

-    if ((dst->checkhash = calloc(1, PGP_CHECKHASH_SIZE)) == NULL) {
-        (void) fprintf(stderr, "pgp_seckey_dup: bad alloc\n");
-        return 0;
-    }else{
-        memcpy(dst->checkhash, src->checkhash, PGP_CHECKHASH_SIZE);
+    if(src->checkhash) {
+        if ((dst->checkhash = calloc(1, PGP_CHECKHASH_SIZE)) == NULL) {
+            (void) fprintf(stderr, "pgp_seckey_dup: bad alloc\n");
+            return 0;
+        }else{
+            memcpy(dst->checkhash, src->checkhash, PGP_CHECKHASH_SIZE);
+        }
    }

    pgp_pubkey_dup(&dst->pubkey, &src->pubkey);
@ -2497,7 +2502,7 @@ consume_packet(pgp_region_t *region, pgp_stream_t *stream, unsigned warn)
 * \brief Parse a secret key
 */
 static int 
-parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
+parse_seckey(pgp_content_enum tag, pgp_region_t *region, pgp_stream_t *stream)
 {
 	pgp_packet_t		pkt;
 	pgp_region_t		encregion;
@ -2734,9 +2739,10 @@ parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
 	if (pgp_get_debug_level(__FILE__)) {
 		fprintf(stderr, "parse_seckey: end of crypted passphrase\n");
 	}
+
+    /* XXX - Hard-coded SHA1 here ?? Check */
+    pkt.u.seckey.checkhash = calloc(1, PGP_SHA1_HASH_SIZE);
 	if (pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED) {
-		/* XXX - Hard-coded SHA1 here ?? Check */
-		pkt.u.seckey.checkhash = calloc(1, PGP_SHA1_HASH_SIZE);
 		if (pkt.u.seckey.checkhash == NULL) {
 			(void) fprintf(stderr, "parse_seckey: bad alloc\n");
 			return 0;
@ -2845,7 +2851,7 @@ parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
 	if (!ret) {
 		return 0;
 	}
-	CALLBACK(PGP_PTAG_CT_SECRET_KEY, &stream->cbinfo, &pkt);
+	CALLBACK(tag, &stream->cbinfo, &pkt);
 	if (pgp_get_debug_level(__FILE__)) {
 		(void) fprintf(stderr, "--- end of parse_seckey\n\n");
 	}
@ -3335,11 +3341,8 @@ parse_packet(pgp_stream_t *stream, uint32_t *pktlen)
 		break;

 	case PGP_PTAG_CT_SECRET_KEY:
-		ret = parse_seckey(&region, stream);
-		break;
-
 	case PGP_PTAG_CT_SECRET_SUBKEY:
-		ret = parse_seckey(&region, stream);
+		ret = parse_seckey((pgp_content_enum)pkt.u.ptag.type, &region, stream);
 		break;

 	case PGP_PTAG_CT_PK_SESSION_KEY:
--- a/dist/src/lib/packet-print.c
+++ b/dist/src/lib/packet-print.c
@ -386,7 +386,7 @@ static int
 isrevoked(const pgp_key_t *key, unsigned uid)
 {
    return (pgp_key_find_uid_cond(key, &uidmatch, (void*)(key->uids[uid]),
-                                  NULL,0) == -1)? 
+                                  NULL, NULL, 1, 0) == -1)? 
            0 :  /* None found ? -> revoked (or expired) -> 0*/
            -1 ; /* Found one -> not revoked -> -1 */
 }
@ -395,7 +395,7 @@ static int
 iskeyrevoked(const pgp_key_t *key)
 {
    return (pgp_key_find_uid_cond(key, NULL, NULL,
-                                  NULL,0) == -1)? 
+                                  NULL, NULL, 1, 0) == -1)? 
            0 :  /* None found ? -> revoked (or expired) -> 0*/
            -1 ; /* Found one -> not revoked -> -1 */
 }
@ -456,7 +456,7 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 				}
 			}
 			from = 0;
-			trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
+			trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
 			if (key->uidsigs[j].siginfo.version == 4 &&
 					key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
 				psubkeybinding(&uidbuf[n], sizeof(uidbuf) - n, key, expired);
@ -546,7 +546,7 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
 				mj_append(&sub_obj, "integer",
 					(int64_t)(key->uidsigs[j].siginfo.birthtime));
 				from = 0;
-				trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
+				trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
 				mj_append(&sub_obj, "string",
 					(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]", -1);
 				mj_append_field(keyjson, "sig", "array", &sub_obj);
@ -600,7 +600,7 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 				}
 			}
 			from = 0;
-			trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
+			trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
 			if (key->uidsigs[j].siginfo.version == 4 &&
 					key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
 				n += snprintf(&uidbuf[n], sizeof(uidbuf) - n, "sub:%d:%d:%s:%lld:%lld\n",
--- a/dist/src/lib/reader.c
+++ b/dist/src/lib/reader.c
@ -2182,7 +2182,8 @@ pgp_pk_sesskey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 		from = 0;
 		cbinfo->cryptinfo.keydata =
 			pgp_getkeybyid(io, cbinfo->cryptinfo.secring,
-				content->pk_sesskey.key_id, &from, NULL);
+				content->pk_sesskey.key_id, &from, NULL, NULL, 
+                0, 0); /* accepts revoked and expired */
 		if (!cbinfo->cryptinfo.keydata) {
 			break;
 		}
@ -2214,11 +2215,11 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 {
 	const pgp_contents_t	*content = &pkt->u;
 	const pgp_seckey_t	*secret;
-	const pgp_key_t		*pubkey;
-	const pgp_key_t		*keypair;
+	// const pgp_key_t		*pubkey;
+	//const pgp_key_t		*keypair;
 	unsigned		 from;
 	pgp_io_t		*io;
-	int			 i;
+	//int			 i;

 	io = cbinfo->io;
 	if (pgp_get_debug_level(__FILE__)) {
@ -2227,43 +2228,45 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 	switch (pkt->tag) {
 	case PGP_GET_SECKEY:
 		/* print key from pubring */
-		from = 0;
-		pubkey = pgp_getkeybyid(io, cbinfo->cryptinfo.pubring,
-				content->get_seckey.pk_sesskey->key_id,
-				&from, NULL);
-		/* validate key from secring */
+		// from = 0;
+		// pubkey = pgp_getkeybyid(io, cbinfo->cryptinfo.pubring,
+		// 		content->get_seckey.pk_sesskey->key_id,
+		// 		&from, NULL);
+		// /* validate key from secring */
 		from = 0;
 		cbinfo->cryptinfo.keydata =
 			pgp_getkeybyid(io, cbinfo->cryptinfo.secring,
 				content->get_seckey.pk_sesskey->key_id,
-				&from, NULL);
+				&from, NULL, &secret, 0, 0);
 		if (!cbinfo->cryptinfo.keydata ||
+            !secret ||
 		    !pgp_is_key_secret(cbinfo->cryptinfo.keydata)) {
 			return (pgp_cb_ret_t)0;
 		}
-		keypair = cbinfo->cryptinfo.keydata;
-		if (pubkey == NULL) {
-			pubkey = keypair;
-		}
-		secret = NULL;
-		cbinfo->gotpass = 0;
-		for (i = 0 ; cbinfo->numtries == -1 || i < cbinfo->numtries ; i++) {
-			/* print out the user id */
-			pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
-				"signature ", &pubkey->key.pubkey, 0);
-			/* now decrypt key */
-			secret = pgp_get_seckey(keypair);
-                // FIXME : support encrypted seckeys again
-                // pgp_decrypt_seckey(keypair, cbinfo->passfp);
-			if (secret != NULL) {
-				break;
-			}
-			(void) fprintf(io->errs, "Bad passphrase\n");
-		}
-		if (secret == NULL) {
-			(void) fprintf(io->errs, "Exhausted passphrase attempts\n");
-			return (pgp_cb_ret_t)PGP_RELEASE_MEMORY;
-		}
+
+        // FIXME : support encrypted seckeys again
+		// keypair = cbinfo->cryptinfo.keydata;
+        // if (pubkey == NULL) {
+        // 	pubkey = keypair;
+        // }
+		// secret = NULL;
+		// cbinfo->gotpass = 0;
+		// for (i = 0 ; cbinfo->numtries == -1 || i < cbinfo->numtries ; i++) {
+		// 	/* print out the user id */
+		// 	pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
+		// 		"signature ", &pubkey->key.pubkey, 0);
+		// 	/* now decrypt key */
+        //     pgp_decrypt_seckey(keypair, cbinfo->passfp);
+		// 	if (secret != NULL) {
+		// 		break;
+		// 	}
+		// 	(void) fprintf(io->errs, "Bad passphrase\n");
+		// }
+		// if (secret == NULL) {
+		// 	(void) fprintf(io->errs, "Exhausted passphrase attempts\n");
+		// 	return (pgp_cb_ret_t)PGP_RELEASE_MEMORY;
+		// }
+
 		cbinfo->gotpass = 1;
 		*content->get_seckey.seckey = secret;
 		break;
--- a/dist/src/lib/signature.c
+++ b/dist/src/lib/signature.c
@ -136,6 +136,11 @@ static uint8_t prefix_sha256[] = {
 	0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
 };

+static uint8_t prefix_sha512[] = {
+    0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+    0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+    0x00, 0x04, 0x40
+};

 /* XXX: both this and verify would be clearer if the signature were */
 /* treated as an MPI. */
@ -161,11 +166,16 @@ rsa_sign(pgp_hash_t *hash,
 		prefix = prefix_sha1;
 		prefixsize = sizeof(prefix_sha1);
 		expected = PGP_SHA1_HASH_SIZE;
-	} else {
+	} else if (strcmp(hash->name, "SHA256") == 0) {
 		hashsize = PGP_SHA256_HASH_SIZE + sizeof(prefix_sha256);
 		prefix = prefix_sha256;
 		prefixsize = sizeof(prefix_sha256);
 		expected = PGP_SHA256_HASH_SIZE;
+	} else {
+		hashsize = PGP_SHA512_HASH_SIZE + sizeof(prefix_sha512);
+		prefix = prefix_sha512;
+		prefixsize = sizeof(prefix_sha512);
+		expected = PGP_SHA512_HASH_SIZE;
 	}
 	keysize = (BN_num_bits(pubrsa->n) + 7) / 8;
 	if (keysize > sizeof(hashbuf)) {
@ -302,6 +312,10 @@ rsa_verify(pgp_hash_alg_t type,
 		prefix = prefix_sha256;
 		plen = sizeof(prefix_sha256);
 		break;
+	case PGP_HASH_SHA512:
+		prefix = prefix_sha512;
+		plen = sizeof(prefix_sha512);
+		break;
 	default:
 		(void) fprintf(stderr, "Unknown hash algorithm: %d\n", type);
 		return 0;
--- a/dist/src/lib/validate.c
+++ b/dist/src/lib/validate.c
@ -126,11 +126,6 @@ __RCSID("$NetBSD$");
 // 	return (int)length;
 // }

-void pgp_free_sig_info(pgp_sig_info_t *sig)
-{
-	free(sig->v4_hashed);
-}
-
 static void 
 free_sig_info(pgp_sig_info_t *sig)
 {
@ -238,11 +233,16 @@ static void validate_key_cb_free (validate_key_cb_t *vdata){
        pgp_seckey_free(&vdata->key.seckey);
        pgp_seckey_free(&vdata->subkey.seckey);
    }
+    memset(&vdata->key, 0, sizeof(vdata->key));
+    memset(&vdata->subkey, 0, sizeof(vdata->subkey));
 	vdata->type = PGP_PTAG_CT_RESERVED; /* 0 */

 	pgp_userid_free(&vdata->userid);
 	pgp_data_free(&vdata->userattr);
-    pgp_free_sig_info(&vdata->valid_sig_info);
+
+	if(vdata->valid_sig_info.key_alg) {
+        pgp_free_sig_info(&vdata->valid_sig_info);
+    }
 }

 pgp_cb_ret_t
@ -283,7 +283,6 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 		vdata->key.seckey = content->seckey;
 	    pgp_keyid(vdata->pubkeyid, PGP_KEY_ID_SIZE, 
                  &vdata->key.seckey.pubkey, PGP_HASH_SHA1); /* TODO v3*/
-
 		vdata->last_seen = LS_PRIMARY;
 	    vdata->type = PGP_PTAG_CT_SECRET_KEY;
        vdata->not_commited = 1;
@ -310,7 +309,8 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 		if(vdata->type == PGP_PTAG_CT_SECRET_KEY && (
               vdata->last_seen == LS_ID ||
               vdata->last_seen == LS_ATTRIBUTE)){
-            pgp_seckey_free(&vdata->subkey.seckey);
+	        if(vdata->subkey.seckey.pubkey.alg)
+                pgp_seckey_free(&vdata->subkey.seckey);
            vdata->subkey.seckey = content->seckey;
            vdata->last_seen = LS_SUBKEY;
            return PGP_KEEP_MEMORY;
@ -381,7 +381,8 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
            /* Returned key ignored, care about ID-targeted pubkey only */
            pgp_getkeybyid(io, vdata->keyring,
                         content->sig.info.signer_id,
-                         &from, &sigkey);
+                         &from, &sigkey, NULL, 
+                         1, 0); /* reject revoked, accept expired */
        } else {
            /* If no keyring is given to check against
             * then this is a self certification check.
@ -393,7 +394,7 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
            }
        }
        if (!sigkey) {
-            if (&vdata->result && !add_sig_to_list(&content->sig.info,
+            if (vdata->result && !add_sig_to_list(&content->sig.info,
                &vdata->result->unknown_sigs,
                &vdata->result->unknownc)) {
                    (void) fprintf(io->errs,
@ -458,19 +459,23 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 		case PGP_SIG_PRIMARY:
 		case PGP_SIG_TIMESTAMP:
 		case PGP_SIG_3RD_PARTY:
-			PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
-				"Sig Verification type 0x%02x not done yet\n",
-				content->sig.info.type);
-			break;
+            if (vdata->result){
+                PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
+                    "Sig Verification type 0x%02x not done yet\n",
+                    content->sig.info.type);
+                break;
+            }

 		default:
-			PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
-				    "Unexpected signature type 0x%02x\n",
-				    	content->sig.info.type);
+            if (vdata->result){
+                PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
+                        "Unexpected signature type 0x%02x\n",
+                            content->sig.info.type);
+            }
 		}

 		if (valid) {
-			if (&vdata->result && !add_sig_to_list(&content->sig.info,
+			if (vdata->result && !add_sig_to_list(&content->sig.info,
 				&vdata->result->valid_sigs,
 				&vdata->result->validc)) {
 				PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED, "%s",
@ -479,10 +484,10 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 	        vdata->sig_is_valid = 1;
            copy_sig_info(&vdata->valid_sig_info,
                          &content->sig.info);
-		} else {
+		} else if (vdata->result){
 			PGP_ERROR_1(errors, PGP_E_V_BAD_SIGNATURE, "%s",
 			    "Bad Sig");
-			if (&vdata->result && !add_sig_to_list(&content->sig.info,
+			if (!add_sig_to_list(&content->sig.info,
 				&vdata->result->invalid_sigs,
 				&vdata->result->invalidc)) {
 				PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED, "%s",
@ -516,7 +521,7 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 	// 	break;

 	default:
-		(void) fprintf(stderr, "unexpected tag=0x%x\n", pkt->tag);
+		// (void) fprintf(stderr, "unexpected tag=0x%x\n", pkt->tag);
 	    return PGP_RELEASE_MEMORY;
 	}
 	return PGP_RELEASE_MEMORY;
@ -579,10 +584,13 @@ validate_data_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 			hexdump(io->outs, "signer id", content->sig.info.signer_id,
 				sizeof(content->sig.info.signer_id));
 		}
+			hexdump(io->outs, "LOOOOOOOOOOK signer id", content->sig.info.signer_id,
+				sizeof(content->sig.info.signer_id));
 		from = 0;
        sigkey = NULL;
 		signer = pgp_getkeybyid(io, data->keyring,
-					 content->sig.info.signer_id, &from, &sigkey);
+					 content->sig.info.signer_id, &from, &sigkey, NULL,
+                     0, 0); /* check neither revocation nor expiry */
 		if (!signer || !sigkey) {
 			PGP_ERROR_1(errors, PGP_E_V_UNKNOWN_SIGNER,
 			    "%s", "Unknown Signer");
@ -773,9 +781,6 @@ static pgp_cb_ret_t key_filter_cb (
    key_filter_cb_t *filter = vdata->on_valid_args;

    if(vdata->not_commited){
-        printf("New key ************************************** \n");
-		hexdump(stdout, "pubkey ID", vdata->pubkeyid,
-                sizeof(vdata->pubkeyid));

        if((filter->pubkey = pgp_ensure_pubkey(filter->destpubring,
                (vdata->type == PGP_PTAG_CT_PUBLIC_KEY) ? 
@ -793,7 +798,12 @@ static pgp_cb_ret_t key_filter_cb (
                            vdata->pubkeyid))==NULL){
                return PGP_RELEASE_MEMORY;
            }
+            printf("SECRET ");
        }
+
+        printf("New key ************************************** \n");
+		hexdump(stdout, "pubkey ID", vdata->pubkeyid,
+                sizeof(vdata->pubkeyid));
    }

    pubkey = filter->pubkey;
@ -894,6 +904,11 @@ pgp_filter_keys_fileread(
 		pgp_reader_push_dearmour(stream);
 	}

+	vdata.keyring = certring;
+
+	vdata.on_valid = &key_filter_cb;
+	vdata.on_valid_args = &filter;
+
 	res = pgp_parse(stream, 0);

    validate_key_cb_free(&vdata);
@ -941,7 +956,7 @@ pgp_filter_keys_from_mem(pgp_io_t *io,
 	vdata.keyring = certring;

 	vdata.on_valid = &key_filter_cb;
-	vdata.on_valid_args = NULL;
+	vdata.on_valid_args = &filter;

 	res = pgp_parse(stream, 0);