Browse Source

Many fixes on recent changes. To be continued

master
Edouard Tisserant 7 years ago
parent
commit
0b52dfca5f
9 changed files with 195 additions and 135 deletions
  1. +49
    -30
      dist/src/lib/keyring.c
  2. +7
    -2
      dist/src/lib/keyring.h
  3. +1
    -1
      dist/src/lib/netpgp.c
  4. +1
    -0
      dist/src/lib/netpgpdigest.h
  5. +40
    -37
      dist/src/lib/packet-parse.c
  6. +5
    -5
      dist/src/lib/packet-print.c
  7. +36
    -33
      dist/src/lib/reader.c
  8. +15
    -1
      dist/src/lib/signature.c
  9. +41
    -26
      dist/src/lib/validate.c

+ 49
- 30
dist/src/lib/keyring.c View File

@ -193,7 +193,9 @@ pgp_key_find_uid_cond(
unsigned(*uidcond) ( uint8_t *, void *),
void *uidcondarg,
unsigned(*sigcond) ( const pgp_sig_info_t *),
time_t *youngest)
time_t *youngest,
unsigned checkrevoke,
unsigned checkexpiry)
{
unsigned uididx = 0;
unsigned uidsigidx = 0;
@ -201,6 +203,11 @@ pgp_key_find_uid_cond(
int32_t lastgood;
uint8_t **uidp;
pgp_uidsig_t *uidsigp;
time_t yngst = 0;
/* If not maximum age given, take default */
if(!youngest)
youngest = &yngst;
/* Loop over key's user ids*/
uidp = key->uids;
@ -221,7 +228,7 @@ pgp_key_find_uid_cond(
if(uidsigp->siginfo.type == PGP_SIG_REV_CERT)
{
/* ignore revocation if secret */
if(pgp_is_key_secret(key))
if(!checkrevoke)
continue;
/* revert to last good candidate */
@ -230,8 +237,7 @@ pgp_key_find_uid_cond(
}
/* in sig validity time frame */
if(pgp_is_key_secret(key) || /* ignore if secret */
siginfo_in_time(&uidsigp->siginfo))
if(!checkexpiry || siginfo_in_time(&uidsigp->siginfo))
{
/* sig cond is ok ? */
if(!sigcond || sigcond(&uidsigp->siginfo))
@ -261,7 +267,9 @@ pgp_key_find_key_conds(
const pgp_key_t *key,
unsigned(*keycond) ( const pgp_pubkey_t *, const uint8_t *, void*),
void *keycondarg,
unsigned(*sigcond) ( const pgp_sig_info_t *))
unsigned(*sigcond) ( const pgp_sig_info_t *),
unsigned checkrevoke,
unsigned checkexpiry)
{
unsigned subkeyidx = 0;
unsigned subkeysigidx = 0;
@ -291,15 +299,14 @@ pgp_key_find_key_conds(
if(directsigp->siginfo.type == PGP_SIG_REV_SUBKEY)
{
/* ignore revocation if secret */
if(pgp_is_key_secret(key))
if(!checkrevoke)
continue;
return -2; /* Key is globally revoked, no result */
}
/* in sig validity time frame */
if(pgp_is_key_secret(key) || /* ignore if secret */
siginfo_in_time(&directsigp->siginfo))
if(!checkexpiry || siginfo_in_time(&directsigp->siginfo))
{
/* condition on sig is ok */
if(sigcond(&directsigp->siginfo))
@ -314,9 +321,13 @@ pgp_key_find_key_conds(
}
}
uidres = pgp_key_find_uid_cond(key, NULL, NULL, sigcond, &youngest);
if(uidres != -1){
res = uidres;
uidres = pgp_key_find_uid_cond(
key, NULL, NULL, sigcond, &youngest,
checkrevoke, checkexpiry);
/* if matching uid sig, then primary is machin key */
if(uidres != -1){
res = -1;
}
}
@ -343,7 +354,7 @@ pgp_key_find_key_conds(
if(subkeysigp->siginfo.type == PGP_SIG_REV_SUBKEY)
{
/* ignore revocation if secret */
if(pgp_is_key_secret(key))
if(!checkrevoke)
continue;
/* revert to last good candidate */
@ -352,11 +363,10 @@ pgp_key_find_key_conds(
}
/* in sig validity time frame */
if(pgp_is_key_secret(key) ||
siginfo_in_time(&subkeysigp->siginfo))
if(!checkexpiry || siginfo_in_time(&subkeysigp->siginfo))
{
/* subkey is primary */
if(sigcond(&subkeysigp->siginfo))
/* subkey sig condition is ok */
if(!sigcond || sigcond(&subkeysigp->siginfo))
{
/* youngest signature is deciding */
if(subkeysigp->siginfo.birthtime > youngest)
@ -453,19 +463,21 @@ static unsigned is_signing_role(const pgp_sig_info_t *siginfo)
return siginfo->key_flags & PGP_KEYFLAG_SIGN_DATA;
}
/* Get a pub key to check signature */
const pgp_pubkey_t *
pgp_key_get_sigkey(const pgp_key_t *key)
{
int32_t subkeyidx =
pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role);
pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role, 0, 0);
return key_get_pubkey_from_subidx(key, NULL, subkeyidx);
}
/* Get a sec key to write a signature */
const pgp_seckey_t *
pgp_key_get_certkey(const pgp_key_t *key)
{
int32_t subkeyidx =
pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role);
pgp_key_find_key_conds(key, NULL, NULL, &is_signing_role, 1, 0);
return key_get_seckey_from_subidx(key, NULL, subkeyidx);
}
@ -478,7 +490,7 @@ const pgp_pubkey_t *
pgp_key_get_enckey(const pgp_key_t *key, const uint8_t **id)
{
int32_t subkeyidx =
pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role);
pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role, 1, 0);
return key_get_pubkey_from_subidx(key, id, subkeyidx);
}
@ -487,7 +499,7 @@ const pgp_seckey_t *
pgp_key_get_deckey(const pgp_key_t *key, const uint8_t **id)
{
int32_t subkeyidx =
pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role);
pgp_key_find_key_conds(key, NULL, NULL, &is_encryption_role, 0, 0);
return key_get_seckey_from_subidx(key, id, subkeyidx);
}
@ -499,14 +511,12 @@ static unsigned primary_uid_sigcond(const pgp_sig_info_t *siginfo)
const int32_t pgp_key_get_uid0(const pgp_key_t *key)
{
time_t youngest = 0;
int32_t res =
pgp_key_find_uid_cond(key, NULL, NULL, &primary_uid_sigcond, &youngest);
pgp_key_find_uid_cond(key, NULL, NULL, &primary_uid_sigcond, NULL, 1, 1);
youngest = 0;
/* arbitrarily use youngest uid if no primary is found */
return res == -1 ?
pgp_key_find_uid_cond(key, NULL, NULL, NULL, 0):
pgp_key_find_uid_cond(key, NULL, NULL, NULL, NULL, 1, 1):
res;
}
@ -948,7 +958,11 @@ unsigned key_id_match(const pgp_pubkey_t *key, const uint8_t *keyid, void *refid
*/
const pgp_key_t *
pgp_getkeybyid(pgp_io_t *io, const pgp_keyring_t *keyring,
const uint8_t *keyid, unsigned *from, const pgp_pubkey_t **pubkey)
const uint8_t *keyid, unsigned *from,
const pgp_pubkey_t **pubkey,
const pgp_seckey_t **seckey,
unsigned checkrevoke,
unsigned checkexpiry)
{
uint8_t nullid[PGP_KEY_ID_SIZE];
@ -962,12 +976,16 @@ pgp_getkeybyid(pgp_io_t *io, const pgp_keyring_t *keyring,
}
subkeyidx = pgp_key_find_key_conds(key, &key_id_match,
(void*)keyid, NULL);
(void*)keyid, NULL,
checkrevoke, checkexpiry);
if (subkeyidx != -2) {
if (pubkey) {
*pubkey = key_get_pubkey_from_subidx(key, NULL, subkeyidx);
}
if (seckey) {
*seckey = key_get_seckey_from_subidx(key, NULL, subkeyidx);
}
return key;
}
}
@ -982,7 +1000,7 @@ pgp_deletekeybyid(pgp_io_t *io, pgp_keyring_t *keyring,
pgp_key_t *key;
if ((key = (pgp_key_t *)pgp_getkeybyid(io, keyring, keyid,
&from, NULL)) == NULL) {
&from, NULL, NULL, 0, 0)) == NULL) {
return 0;
}
/* 'from' is now index of key to delete */
@ -1120,7 +1138,8 @@ getkeybyname(pgp_io_t *io,
hexdump(io->outs, "keyid", keyid, 4);
}
savedstart = *from;
if ((kp = pgp_getkeybyid(io, keyring, keyid, from, NULL)) != NULL) {
if ((kp = pgp_getkeybyid(io, keyring, keyid, from,
NULL, NULL, 0, 0)) != NULL) {
return kp;
}
*from = savedstart;
@ -1307,7 +1326,7 @@ pgp_key_t *pgp_ensure_pubkey(
/* fill in what we already know */
key->type = PGP_PTAG_CT_PUBLIC_KEY;
pgp_pubkey_dup(&key->key.pubkey, pubkey);
(void) memcpy(&key->pubkeyid, pubkeyid, sizeof(PGP_KEY_ID_SIZE));
(void) memcpy(&key->pubkeyid, pubkeyid, PGP_KEY_ID_SIZE);
pgp_fingerprint(&key->pubkeyfpr, pubkey, keyring->hashtype);
return key;
@ -1337,7 +1356,7 @@ pgp_key_t *pgp_ensure_seckey(
/* fill in what we already know */
key->type = PGP_PTAG_CT_SECRET_KEY;
pgp_seckey_dup(&key->key.seckey, seckey);
(void) memcpy(&key->pubkeyid, pubkeyid, sizeof(PGP_KEY_ID_SIZE));
(void) memcpy(&key->pubkeyid, pubkeyid, PGP_KEY_ID_SIZE);
pgp_fingerprint(&key->pubkeyfpr, &seckey->pubkey, keyring->hashtype);
return key;


+ 7
- 2
dist/src/lib/keyring.h View File

@ -77,7 +77,10 @@ const pgp_key_t *pgp_getkeybyid(pgp_io_t *,
const pgp_keyring_t *,
const uint8_t *,
unsigned *,
const pgp_pubkey_t **);
const pgp_pubkey_t **,
const pgp_seckey_t **,
unsigned checkrevoke,
unsigned checkexpiry);
unsigned pgp_deletekeybyid(pgp_io_t *,
pgp_keyring_t *,
const uint8_t *);
@ -211,6 +214,8 @@ pgp_key_find_uid_cond(
unsigned(*uidcond) ( uint8_t *, void *),
void *uidcondarg,
unsigned(*sigcond) ( const pgp_sig_info_t *),
time_t *youngest);
time_t *youngest,
unsigned checkrevoke,
unsigned checkexpiry);
#endif /* KEYRING_H_ */

+ 1
- 1
dist/src/lib/netpgp.c View File

@ -164,7 +164,7 @@ resultp(pgp_io_t *io,
from = 0;
key = pgp_getkeybyid(io, ring,
(const uint8_t *) res->valid_sigs[i].signer_id,
&from, &sigkey);
&from, &sigkey, NULL, 0, 0);
pgp_print_keydata(io, ring, key, "signature ", &key->key.pubkey, 0);
}
}


+ 1
- 0
dist/src/lib/netpgpdigest.h View File

@ -50,6 +50,7 @@
/* SHA1 Hash Size */
#define PGP_SHA1_HASH_SIZE SHA_DIGEST_LENGTH
#define PGP_SHA256_HASH_SIZE SHA256_DIGEST_LENGTH
#define PGP_SHA512_HASH_SIZE SHA512_DIGEST_LENGTH
#define PGP_CHECKHASH_SIZE PGP_SHA1_HASH_SIZE
#endif /* NETPGPDIGEST_H_ */

+ 40
- 37
dist/src/lib/packet-parse.c View File

@ -929,9 +929,9 @@ free_BN(BIGNUM **pp)
}
static void
dup_BN(BIGNUM *dst, const BIGNUM *src)
dup_BN(BIGNUM **dst, const BIGNUM *src)
{
dst = BN_dup(src);
*dst = BN_dup(src);
}
void
@ -948,17 +948,17 @@ copy_sig_info(pgp_sig_info_t *dst, const pgp_sig_info_t *src)
switch (src->key_alg) {
case PGP_PKA_RSA:
case PGP_PKA_RSA_SIGN_ONLY:
dup_BN(dst->sig.rsa.sig, src->sig.rsa.sig);
dup_BN(&dst->sig.rsa.sig, src->sig.rsa.sig);
break;
case PGP_PKA_DSA:
dup_BN(dst->sig.dsa.r, src->sig.dsa.r);
dup_BN(dst->sig.dsa.s, src->sig.dsa.s);
dup_BN(&dst->sig.dsa.r, src->sig.dsa.r);
dup_BN(&dst->sig.dsa.s, src->sig.dsa.s);
break;
case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
dup_BN(dst->sig.elgamal.r, src->sig.elgamal.r);
dup_BN(dst->sig.elgamal.s, src->sig.elgamal.s);
dup_BN(&dst->sig.elgamal.r, src->sig.elgamal.r);
dup_BN(&dst->sig.elgamal.s, src->sig.elgamal.s);
break;
case PGP_PKA_PRIVATE00:
@ -984,8 +984,8 @@ copy_sig_info(pgp_sig_info_t *dst, const pgp_sig_info_t *src)
* \brief Free the memory used when parsing a signature
* \param sig
*/
static void
sig_info_free(pgp_sig_info_t *info)
void
pgp_free_sig_info(pgp_sig_info_t *info)
{
free(info->v4_hashed);
@ -1022,12 +1022,13 @@ sig_info_free(pgp_sig_info_t *info)
default:
(void) fprintf(stderr, "info-free: bad info-type\n");
}
memset(info, 0, sizeof(pgp_sig_info_t));
}
static void
sig_free(pgp_sig_t *sig)
{
sig_info_free(&sig->info);
pgp_free_sig_info(&sig->info);
}
@ -1268,22 +1269,22 @@ pgp_pubkey_dup(pgp_pubkey_t *dst, pgp_pubkey_t *src)
case PGP_PKA_RSA:
case PGP_PKA_RSA_ENCRYPT_ONLY:
case PGP_PKA_RSA_SIGN_ONLY:
dup_BN(dst->key.rsa.n, src->key.rsa.n);
dup_BN(dst->key.rsa.e, src->key.rsa.e);
dup_BN(&dst->key.rsa.n, src->key.rsa.n);
dup_BN(&dst->key.rsa.e, src->key.rsa.e);
break;
case PGP_PKA_DSA:
dup_BN(dst->key.dsa.p, src->key.dsa.p);
dup_BN(dst->key.dsa.q, src->key.dsa.q);
dup_BN(dst->key.dsa.g, src->key.dsa.g);
dup_BN(dst->key.dsa.y, src->key.dsa.y);
dup_BN(&dst->key.dsa.p, src->key.dsa.p);
dup_BN(&dst->key.dsa.q, src->key.dsa.q);
dup_BN(&dst->key.dsa.g, src->key.dsa.g);
dup_BN(&dst->key.dsa.y, src->key.dsa.y);
break;
case PGP_PKA_ELGAMAL:
case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
dup_BN(dst->key.elgamal.p, src->key.elgamal.p);
dup_BN(dst->key.elgamal.g, src->key.elgamal.g);
dup_BN(dst->key.elgamal.y, src->key.elgamal.y);
dup_BN(&dst->key.elgamal.p, src->key.elgamal.p);
dup_BN(&dst->key.elgamal.g, src->key.elgamal.g);
dup_BN(&dst->key.elgamal.y, src->key.elgamal.y);
break;
case PGP_PKA_NOTHING:
@ -2431,18 +2432,20 @@ pgp_seckey_free(pgp_seckey_t *key)
int
pgp_seckey_dup(pgp_seckey_t *dst, pgp_seckey_t *src)
{
memcpy(dst, src, sizeof(*src));
switch (src->pubkey.alg) {
case PGP_PKA_RSA:
case PGP_PKA_RSA_ENCRYPT_ONLY:
case PGP_PKA_RSA_SIGN_ONLY:
dup_BN(src->key.rsa.d, src->key.rsa.d);
dup_BN(src->key.rsa.p, src->key.rsa.p);
dup_BN(src->key.rsa.q, src->key.rsa.q);
dup_BN(src->key.rsa.u, src->key.rsa.u);
dup_BN(&dst->key.rsa.d, src->key.rsa.d);
dup_BN(&dst->key.rsa.p, src->key.rsa.p);
dup_BN(&dst->key.rsa.q, src->key.rsa.q);
dup_BN(&dst->key.rsa.u, src->key.rsa.u);
break;
case PGP_PKA_DSA:
dup_BN(src->key.dsa.x, src->key.dsa.x);
dup_BN(&dst->key.dsa.x, src->key.dsa.x);
break;
default:
@ -2453,11 +2456,13 @@ pgp_seckey_dup(pgp_seckey_t *dst, pgp_seckey_t *src)
return 0;
}
if ((dst->checkhash = calloc(1, PGP_CHECKHASH_SIZE)) == NULL) {
(void) fprintf(stderr, "pgp_seckey_dup: bad alloc\n");
return 0;
}else{
memcpy(dst->checkhash, src->checkhash, PGP_CHECKHASH_SIZE);
if(src->checkhash) {
if ((dst->checkhash = calloc(1, PGP_CHECKHASH_SIZE)) == NULL) {
(void) fprintf(stderr, "pgp_seckey_dup: bad alloc\n");
return 0;
}else{
memcpy(dst->checkhash, src->checkhash, PGP_CHECKHASH_SIZE);
}
}
pgp_pubkey_dup(&dst->pubkey, &src->pubkey);
@ -2497,7 +2502,7 @@ consume_packet(pgp_region_t *region, pgp_stream_t *stream, unsigned warn)
* \brief Parse a secret key
*/
static int
parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
parse_seckey(pgp_content_enum tag, pgp_region_t *region, pgp_stream_t *stream)
{
pgp_packet_t pkt;
pgp_region_t encregion;
@ -2734,9 +2739,10 @@ parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
if (pgp_get_debug_level(__FILE__)) {
fprintf(stderr, "parse_seckey: end of crypted passphrase\n");
}
/* XXX - Hard-coded SHA1 here ?? Check */
pkt.u.seckey.checkhash = calloc(1, PGP_SHA1_HASH_SIZE);
if (pkt.u.seckey.s2k_usage == PGP_S2KU_ENCRYPTED_AND_HASHED) {
/* XXX - Hard-coded SHA1 here ?? Check */
pkt.u.seckey.checkhash = calloc(1, PGP_SHA1_HASH_SIZE);
if (pkt.u.seckey.checkhash == NULL) {
(void) fprintf(stderr, "parse_seckey: bad alloc\n");
return 0;
@ -2845,7 +2851,7 @@ parse_seckey(pgp_region_t *region, pgp_stream_t *stream)
if (!ret) {
return 0;
}
CALLBACK(PGP_PTAG_CT_SECRET_KEY, &stream->cbinfo, &pkt);
CALLBACK(tag, &stream->cbinfo, &pkt);
if (pgp_get_debug_level(__FILE__)) {
(void) fprintf(stderr, "--- end of parse_seckey\n\n");
}
@ -3335,11 +3341,8 @@ parse_packet(pgp_stream_t *stream, uint32_t *pktlen)
break;
case PGP_PTAG_CT_SECRET_KEY:
ret = parse_seckey(&region, stream);
break;
case PGP_PTAG_CT_SECRET_SUBKEY:
ret = parse_seckey(&region, stream);
ret = parse_seckey((pgp_content_enum)pkt.u.ptag.type, &region, stream);
break;
case PGP_PTAG_CT_PK_SESSION_KEY:


+ 5
- 5
dist/src/lib/packet-print.c View File

@ -386,7 +386,7 @@ static int
isrevoked(const pgp_key_t *key, unsigned uid)
{
return (pgp_key_find_uid_cond(key, &uidmatch, (void*)(key->uids[uid]),
NULL,0) == -1)?
NULL, NULL, 1, 0) == -1)?
0 : /* None found ? -> revoked (or expired) -> 0*/
-1 ; /* Found one -> not revoked -> -1 */
}
@ -395,7 +395,7 @@ static int
iskeyrevoked(const pgp_key_t *key)
{
return (pgp_key_find_uid_cond(key, NULL, NULL,
NULL,0) == -1)?
NULL, NULL, 1, 0) == -1)?
0 : /* None found ? -> revoked (or expired) -> 0*/
-1 ; /* Found one -> not revoked -> -1 */
}
@ -456,7 +456,7 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
}
}
from = 0;
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
if (key->uidsigs[j].siginfo.version == 4 &&
key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
psubkeybinding(&uidbuf[n], sizeof(uidbuf) - n, key, expired);
@ -546,7 +546,7 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
mj_append(&sub_obj, "integer",
(int64_t)(key->uidsigs[j].siginfo.birthtime));
from = 0;
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
mj_append(&sub_obj, "string",
(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]", -1);
mj_append_field(keyjson, "sig", "array", &sub_obj);
@ -600,7 +600,7 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
}
}
from = 0;
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL, NULL, 0, 0);
if (key->uidsigs[j].siginfo.version == 4 &&
key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
n += snprintf(&uidbuf[n], sizeof(uidbuf) - n, "sub:%d:%d:%s:%lld:%lld\n",


+ 36
- 33
dist/src/lib/reader.c View File

@ -2182,7 +2182,8 @@ pgp_pk_sesskey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
from = 0;
cbinfo->cryptinfo.keydata =
pgp_getkeybyid(io, cbinfo->cryptinfo.secring,
content->pk_sesskey.key_id, &from, NULL);
content->pk_sesskey.key_id, &from, NULL, NULL,
0, 0); /* accepts revoked and expired */
if (!cbinfo->cryptinfo.keydata) {
break;
}
@ -2214,11 +2215,11 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
{
const pgp_contents_t *content = &pkt->u;
const pgp_seckey_t *secret;
const pgp_key_t *pubkey;
const pgp_key_t *keypair;
// const pgp_key_t *pubkey;
//const pgp_key_t *keypair;
unsigned from;
pgp_io_t *io;
int i;
//int i;
io = cbinfo->io;
if (pgp_get_debug_level(__FILE__)) {
@ -2227,43 +2228,45 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
switch (pkt->tag) {
case PGP_GET_SECKEY:
/* print key from pubring */
from = 0;
pubkey = pgp_getkeybyid(io, cbinfo->cryptinfo.pubring,
content->get_seckey.pk_sesskey->key_id,
&from, NULL);
/* validate key from secring */
// from = 0;
// pubkey = pgp_getkeybyid(io, cbinfo->cryptinfo.pubring,
// content->get_seckey.pk_sesskey->key_id,
// &from, NULL);
// /* validate key from secring */
from = 0;
cbinfo->cryptinfo.keydata =
pgp_getkeybyid(io, cbinfo->cryptinfo.secring,
content->get_seckey.pk_sesskey->key_id,
&from, NULL);
&from, NULL, &secret, 0, 0);
if (!cbinfo->cryptinfo.keydata ||
!secret ||
!pgp_is_key_secret(cbinfo->cryptinfo.keydata)) {
return (pgp_cb_ret_t)0;
}
keypair = cbinfo->cryptinfo.keydata;
if (pubkey == NULL) {
pubkey = keypair;
}
secret = NULL;
cbinfo->gotpass = 0;
for (i = 0 ; cbinfo->numtries == -1 || i < cbinfo->numtries ; i++) {
/* print out the user id */
pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
"signature ", &pubkey->key.pubkey, 0);
/* now decrypt key */
secret = pgp_get_seckey(keypair);
// FIXME : support encrypted seckeys again
// pgp_decrypt_seckey(keypair, cbinfo->passfp);
if (secret != NULL) {
break;
}
(void) fprintf(io->errs, "Bad passphrase\n");
}
if (secret == NULL) {
(void) fprintf(io->errs, "Exhausted passphrase attempts\n");
return (pgp_cb_ret_t)PGP_RELEASE_MEMORY;
}
// FIXME : support encrypted seckeys again
// keypair = cbinfo->cryptinfo.keydata;
// if (pubkey == NULL) {
// pubkey = keypair;
// }
// secret = NULL;
// cbinfo->gotpass = 0;
// for (i = 0 ; cbinfo->numtries == -1 || i < cbinfo->numtries ; i++) {
// /* print out the user id */
// pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
// "signature ", &pubkey->key.pubkey, 0);
// /* now decrypt key */
// pgp_decrypt_seckey(keypair, cbinfo->passfp);
// if (secret != NULL) {
// break;
// }
// (void) fprintf(io->errs, "Bad passphrase\n");
// }
// if (secret == NULL) {
// (void) fprintf(io->errs, "Exhausted passphrase attempts\n");
// return (pgp_cb_ret_t)PGP_RELEASE_MEMORY;
// }
cbinfo->gotpass = 1;
*content->get_seckey.seckey = secret;
break;


+ 15
- 1
dist/src/lib/signature.c View File

@ -136,6 +136,11 @@ static uint8_t prefix_sha256[] = {
0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
static uint8_t prefix_sha512[] = {
0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
0x00, 0x04, 0x40
};
/* XXX: both this and verify would be clearer if the signature were */
/* treated as an MPI. */
@ -161,11 +166,16 @@ rsa_sign(pgp_hash_t *hash,
prefix = prefix_sha1;
prefixsize = sizeof(prefix_sha1);
expected = PGP_SHA1_HASH_SIZE;
} else {
} else if (strcmp(hash->name, "SHA256") == 0) {
hashsize = PGP_SHA256_HASH_SIZE + sizeof(prefix_sha256);
prefix = prefix_sha256;
prefixsize = sizeof(prefix_sha256);
expected = PGP_SHA256_HASH_SIZE;
} else {
hashsize = PGP_SHA512_HASH_SIZE + sizeof(prefix_sha512);
prefix = prefix_sha512;
prefixsize = sizeof(prefix_sha512);
expected = PGP_SHA512_HASH_SIZE;
}
keysize = (BN_num_bits(pubrsa->n) + 7) / 8;
if (keysize > sizeof(hashbuf)) {
@ -302,6 +312,10 @@ rsa_verify(pgp_hash_alg_t type,
prefix = prefix_sha256;
plen = sizeof(prefix_sha256);
break;
case PGP_HASH_SHA512:
prefix = prefix_sha512;
plen = sizeof(prefix_sha512);
break;
default:
(void) fprintf(stderr, "Unknown hash algorithm: %d\n", type);
return 0;


+ 41
- 26
dist/src/lib/validate.c View File

@ -126,11 +126,6 @@ __RCSID("$NetBSD$");
// return (int)length;
// }
void pgp_free_sig_info(pgp_sig_info_t *sig)
{
free(sig->v4_hashed);
}
static void
free_sig_info(pgp_sig_info_t *sig)
{
@ -238,11 +233,16 @@ static void validate_key_cb_free (validate_key_cb_t *vdata){
pgp_seckey_free(&vdata->key.seckey);
pgp_seckey_free(&vdata->subkey.seckey);
}
memset(&vdata->key, 0, sizeof(vdata->key));
memset(&vdata->subkey, 0, sizeof(vdata->subkey));
vdata->type = PGP_PTAG_CT_RESERVED; /* 0 */
pgp_userid_free(&vdata->userid);
pgp_data_free(&vdata->userattr);
pgp_free_sig_info(&vdata->valid_sig_info);
if(vdata->valid_sig_info.key_alg) {
pgp_free_sig_info(&vdata->valid_sig_info);
}
}
pgp_cb_ret_t
@ -283,7 +283,6 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
vdata->key.seckey = content->seckey;
pgp_keyid(vdata->pubkeyid, PGP_KEY_ID_SIZE,
&vdata->key.seckey.pubkey, PGP_HASH_SHA1); /* TODO v3*/
vdata->last_seen = LS_PRIMARY;
vdata->type = PGP_PTAG_CT_SECRET_KEY;
vdata->not_commited = 1;
@ -310,7 +309,8 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
if(vdata->type == PGP_PTAG_CT_SECRET_KEY && (
vdata->last_seen == LS_ID ||
vdata->last_seen == LS_ATTRIBUTE)){
pgp_seckey_free(&vdata->subkey.seckey);
if(vdata->subkey.seckey.pubkey.alg)
pgp_seckey_free(&vdata->subkey.seckey);
vdata->subkey.seckey = content->seckey;
vdata->last_seen = LS_SUBKEY;
return PGP_KEEP_MEMORY;
@ -381,7 +381,8 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
/* Returned key ignored, care about ID-targeted pubkey only */
pgp_getkeybyid(io, vdata->keyring,
content->sig.info.signer_id,
&from, &sigkey);
&from, &sigkey, NULL,
1, 0); /* reject revoked, accept expired */
} else {
/* If no keyring is given to check against
* then this is a self certification check.
@ -393,7 +394,7 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
}
}
if (!sigkey) {
if (&vdata->result && !add_sig_to_list(&content->sig.info,
if (vdata->result && !add_sig_to_list(&content->sig.info,
&vdata->result->unknown_sigs,
&vdata->result->unknownc)) {
(void) fprintf(io->errs,
@ -458,19 +459,23 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
case PGP_SIG_PRIMARY:
case PGP_SIG_TIMESTAMP:
case PGP_SIG_3RD_PARTY:
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
"Sig Verification type 0x%02x not done yet\n",
content->sig.info.type);
break;
if (vdata->result){
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
"Sig Verification type 0x%02x not done yet\n",
content->sig.info.type);
break;
}
default:
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
"Unexpected signature type 0x%02x\n",
content->sig.info.type);
if (vdata->result){
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED,
"Unexpected signature type 0x%02x\n",
content->sig.info.type);
}
}
if (valid) {
if (&vdata->result && !add_sig_to_list(&content->sig.info,
if (vdata->result && !add_sig_to_list(&content->sig.info,
&vdata->result->valid_sigs,
&vdata->result->validc)) {
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED, "%s",
@ -479,10 +484,10 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
vdata->sig_is_valid = 1;
copy_sig_info(&vdata->valid_sig_info,
&content->sig.info);
} else {
} else if (vdata->result){
PGP_ERROR_1(errors, PGP_E_V_BAD_SIGNATURE, "%s",
"Bad Sig");
if (&vdata->result && !add_sig_to_list(&content->sig.info,
if (!add_sig_to_list(&content->sig.info,
&vdata->result->invalid_sigs,
&vdata->result->invalidc)) {
PGP_ERROR_1(errors, PGP_E_UNIMPLEMENTED, "%s",
@ -516,7 +521,7 @@ pgp_validate_key_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
// break;
default:
(void) fprintf(stderr, "unexpected tag=0x%x\n", pkt->tag);
// (void) fprintf(stderr, "unexpected tag=0x%x\n", pkt->tag);
return PGP_RELEASE_MEMORY;
}
return PGP_RELEASE_MEMORY;
@ -579,10 +584,13 @@ validate_data_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
hexdump(io->outs, "signer id", content->sig.info.signer_id,
sizeof(content->sig.info.signer_id));
}
hexdump(io->outs, "LOOOOOOOOOOK signer id", content->sig.info.signer_id,
sizeof(content->sig.info.signer_id));
from = 0;
sigkey = NULL;
signer = pgp_getkeybyid(io, data->keyring,
content->sig.info.signer_id, &from, &sigkey);
content->sig.info.signer_id, &from, &sigkey, NULL,
0, 0); /* check neither revocation nor expiry */
if (!signer || !sigkey) {
PGP_ERROR_1(errors, PGP_E_V_UNKNOWN_SIGNER,
"%s", "Unknown Signer");
@ -773,9 +781,6 @@ static pgp_cb_ret_t key_filter_cb (
key_filter_cb_t *filter = vdata->on_valid_args;
if(vdata->not_commited){
printf("New key ************************************** \n");
hexdump(stdout, "pubkey ID", vdata->pubkeyid,
sizeof(vdata->pubkeyid));
if((filter->pubkey = pgp_ensure_pubkey(filter->destpubring,
(vdata->type == PGP_PTAG_CT_PUBLIC_KEY) ?
@ -793,7 +798,12 @@ static pgp_cb_ret_t key_filter_cb (
vdata->pubkeyid))==NULL){
return PGP_RELEASE_MEMORY;
}
printf("SECRET ");
}
printf("New key ************************************** \n");
hexdump(stdout, "pubkey ID", vdata->pubkeyid,
sizeof(vdata->pubkeyid));
}
pubkey = filter->pubkey;
@ -894,6 +904,11 @@ pgp_filter_keys_fileread(
pgp_reader_push_dearmour(stream);
}
vdata.keyring = certring;
vdata.on_valid = &key_filter_cb;
vdata.on_valid_args = &filter;
res = pgp_parse(stream, 0);
validate_key_cb_free(&vdata);
@ -941,7 +956,7 @@ pgp_filter_keys_from_mem(pgp_io_t *io,
vdata.keyring = certring;
vdata.on_valid = &key_filter_cb;
vdata.on_valid_args = NULL;
vdata.on_valid_args = &filter;
res = pgp_parse(stream, 0);


Loading…
Cancel
Save