Browse Source

Now keys (pgp_key_t) contains only validated keys, uid or subkey,

along with signature info and signature raw packet.

Effects :
 - Should import untrusted key data safely, keyring file/mem read replaced
   by validating filter. Only keys, uid or subkey with valid sig can enter.
 - Keyring queries use stored signature infos to elect best result. Uses
   youngest relevant signature to decide about expiration.
 - Support for key/subkey encryption and signing roles described in rfc4880
   through the Key Flags subpacket.

Side effects:
 - Encrypted seckey support broken
 - SSH keyring support broken
 - Probably some quircks in packet-print.c

Status:
 - Builds
 - Untested
master
Edouard Tisserant 7 years ago
parent
commit
d99aff2a70
17 changed files with 1224 additions and 1360 deletions
  1. +124
    -104
      dist/src/lib/create.c
  2. +8
    -7
      dist/src/lib/create.h
  3. +0
    -1
      dist/src/lib/crypto.c
  4. +575
    -569
      dist/src/lib/keyring.c
  5. +58
    -22
      dist/src/lib/keyring.h
  6. +0
    -99
      dist/src/lib/misc.c
  7. +91
    -87
      dist/src/lib/netpgp.c
  8. +3
    -8
      dist/src/lib/openssl_crypto.c
  9. +2
    -0
      dist/src/lib/packet-parse.c
  10. +43
    -39
      dist/src/lib/packet-print.c
  11. +13
    -33
      dist/src/lib/packet.h
  12. +3
    -1
      dist/src/lib/reader.c
  13. +1
    -15
      dist/src/lib/signature.c
  14. +13
    -5
      dist/src/lib/signature.h
  15. +8
    -5
      dist/src/lib/ssh2pgp.c
  16. +259
    -346
      dist/src/lib/validate.c
  17. +23
    -19
      dist/src/lib/validate.h

+ 124
- 104
dist/src/lib/create.c View File

@ -480,13 +480,20 @@ write_seckey_body(const pgp_seckey_t *key,
* \return 1 if OK, otherwise 0
*/
unsigned
pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
pgp_write_struct_pubkey_ptag(
pgp_output_t *output,
const pgp_pubkey_t *key,
pgp_content_enum ptag)
{
return pgp_write_ptag(output, PGP_PTAG_CT_PUBLIC_KEY) &&
pgp_write_length(output, 1 + 4 + 1 + pubkey_length(key)) &&
write_pubkey_body(key, output);
}
unsigned
pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
{
return pgp_write_struct_pubkey_ptag(output, key, PGP_PTAG_CT_PUBLIC_KEY);
}
/**
\ingroup HighLevel_KeyWrite
@ -500,55 +507,110 @@ pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
*/
unsigned
pgp_write_xfer_pubkey(pgp_output_t *output,
const pgp_key_t *key,
const unsigned armoured)
pgp_write_xfer_key(pgp_output_t *output,
const pgp_key_t *key,
const unsigned armoured)
{
unsigned /*i,*/ j;
unsigned directsigidx = 0;
pgp_directsig_t *directsigp;
unsigned uididx = 0;
unsigned uidsigidx = 0;
uint8_t **uidp;
pgp_uidsig_t *uidsigp;
pgp_subkey_t *subkeyp;
unsigned subkeyidx = 0;
unsigned subkeysigidx = 0;
pgp_subkeysig_t *subkeysigp;
if (armoured) {
pgp_writer_push_armoured(output, PGP_PGP_PUBLIC_KEY_BLOCK);
}
if (armoured) {
pgp_writer_push_armoured(output, PGP_PGP_PUBLIC_KEY_BLOCK);
}
/* public key */
if (!pgp_write_struct_pubkey(output, &key->key.pubkey)) {
return 0;
}
/* primary key */
if (key->type == PGP_PTAG_CT_PUBLIC_KEY) {
if (!pgp_write_struct_pubkey(output, &key->key.pubkey)) {
return 0;
}
}else{
if (!pgp_write_struct_seckey(&key->key.seckey, (const uint8_t *)"", 0, output)) {
return 0;
}
}
/* TODO: revocation signatures go here */
/* TODO : fix this */
// /* user ids and corresponding signatures */
// for (i = 0; i < key->uidc; i++) {
// if (!pgp_write_struct_userid(output, key->uids[i])) {
// return 0;
// }
// for (j = 0; j < key->packetc; j++) {
// if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
// return 0;
// }
// }
// }
/* until fixed, output all raw subpackets, except 1st, the key itself */
for (j = 1; j < key->packetc; j++) {
if (!pgp_write(output, key->packets[j].raw,
(unsigned)key->packets[j].length)) {
return 0;
}
}
directsigp = key->directsigs;
for (directsigidx = 0 ; directsigidx < key->directsigc;
directsigidx++, directsigp++)
{
if (!pgp_write(output, directsigp->packet.raw,
(unsigned)directsigp->packet.length)) {
return 0;
}
}
/* TODO: user attributes and corresponding signatures */
/* Loop over key's user ids*/
uidp = key->uids;
for (uididx = 0 ; uididx < key->uidc; uididx++, uidp++)
{
if (!pgp_write_struct_userid(output, *uidp)) {
return 0;
}
/* Loop over key's user ids sigs */
uidsigp = key->uidsigs;
for (uidsigidx = 0 ; uidsigidx < key->uidsigc; uidsigidx++, uidsigp++)
{
/* matching selected user id */
if(uidsigp->uid == uididx)
{
if (!pgp_write(output, &uidsigp->packet.raw,
(unsigned)uidsigp->packet.length)) {
return 0;
}
}
}
}
/*
* subkey packets and corresponding signatures and optional
* revocation
*/
/* TODO attibutes */
/* Loop over key's subkeys */
subkeyp = key->subkeys;
for (subkeyidx = 0 ; subkeyidx < key->subkeyc; subkeyidx++, subkeyp++)
{
if (key->type == PGP_PTAG_CT_PUBLIC_KEY) {
if (!pgp_write_struct_pubkey_ptag(
output, &subkeyp->key.pubkey,
PGP_PTAG_CT_PUBLIC_SUBKEY)) {
return 0;
}
}else{
if (!pgp_write_struct_seckey_ptag(
/* TODO support passphrase again */
&subkeyp->key.seckey, (const uint8_t *)"", 0, output,
PGP_PTAG_CT_SECRET_SUBKEY)) {
return 0;
}
}
if (armoured) {
pgp_writer_info_finalise(&output->errors, &output->writer);
pgp_writer_pop(output);
}
return 1;
/* Loop over key's subkeys sigs */
subkeysigp = key->subkeysigs;
for (subkeysigidx = 0 ; subkeysigidx < key->subkeysigc;
subkeysigidx++, subkeysigp++)
{
/* matching selected subkey */
if(subkeysigp->subkey == subkeyidx)
{
if (!pgp_write(output, &subkeysigp->packet.raw,
(unsigned)subkeysigp->packet.length)) {
return 0;
}
}
}
}
if (armoured) {
pgp_writer_info_finalise(&output->errors, &output->writer);
pgp_writer_pop(output);
}
return 1;
}
/**
@ -563,61 +625,14 @@ pgp_write_xfer_pubkey(pgp_output_t *output,
\param output Output stream
*/
/* TODO have encrypted key export again
unsigned
pgp_write_xfer_seckey(pgp_output_t *output,
const pgp_key_t *key,
const uint8_t *passphrase,
const size_t pplen,
unsigned armoured)
{
unsigned /*i,*/ j;
if (armoured) {
pgp_writer_push_armoured(output, PGP_PGP_PRIVATE_KEY_BLOCK);
}
/* public key */
if (!pgp_write_struct_seckey(&key->key.seckey, passphrase,
pplen, output)) {
return 0;
}
/* TODO: revocation signatures go here */
/* TODO : fix this */
// /* user ids and corresponding signatures */
// for (i = 0; i < key->uidc; i++) {
// if (!pgp_write_struct_userid(output, key->uids[i])) {
// return 0;
// }
// for (j = 0; j < key->packetc; j++) {
// if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
// return 0;
// }
// }
// }
/* until fixed, output all raw subpackets, except 1st, the key itself */
for (j = 1; j < key->packetc; j++) {
if (!pgp_write(output, key->packets[j].raw,
(unsigned)key->packets[j].length)) {
return 0;
}
}
/* TODO: user attributes and corresponding signatures */
/*
* subkey packets and corresponding signatures and optional
* revocation
*/
if (armoured) {
pgp_writer_info_finalise(&output->errors, &output->writer);
pgp_writer_pop(output);
}
return 1;
}
*/
/**
* \ingroup Core_WritePackets
@ -711,10 +726,11 @@ pgp_fast_create_rsa_seckey(pgp_seckey_t *key, time_t t,
* \return 1 if OK; else 0
*/
unsigned
pgp_write_struct_seckey(const pgp_seckey_t *key,
pgp_write_struct_seckey_ptag(const pgp_seckey_t *key,
const uint8_t *passphrase,
const size_t pplen,
pgp_output_t *output)
pgp_output_t *output,
pgp_content_enum ptag)
{
int length = 0;
@ -794,12 +810,21 @@ pgp_write_struct_seckey(const pgp_seckey_t *key,
/* secret key and public key MPIs */
length += (unsigned)seckey_length(key);
return pgp_write_ptag(output, PGP_PTAG_CT_SECRET_KEY) &&
return pgp_write_ptag(output, ptag) &&
/* pgp_write_length(output,1+4+1+1+seckey_length(key)+2) && */
pgp_write_length(output, (unsigned)length) &&
write_seckey_body(key, passphrase, pplen, output);
}
unsigned
pgp_write_struct_seckey(const pgp_seckey_t *key,
const uint8_t *passphrase,
const size_t pplen,
pgp_output_t *output)
{
return pgp_write_struct_seckey_ptag(
key, passphrase, pplen, output, PGP_PTAG_CT_SECRET_KEY);
}
/**
* \ingroup Core_Create
*
@ -968,13 +993,8 @@ pgp_create_pk_sesskey(const pgp_key_t *key, const char *ciphername, pgp_pk_sessk
uint8_t *encoded_m_buf;
size_t sz_encoded_m_buf;
if (memcmp(key->encid, "\0\0\0\0\0\0\0\0", 8) == 0) {
pubkey = pgp_get_pubkey(key);
id = key->sigid;
} else {
pubkey = &key->enckey;
id = key->encid;
}
pubkey = pgp_key_get_enckey(key, &id);
/* allocate unencoded_m_buf here */
(void) memset(&cipherinfo, 0x0, sizeof(cipherinfo));
pgp_crypt_any(&cipherinfo,


+ 8
- 7
dist/src/lib/create.h View File

@ -79,6 +79,11 @@ void pgp_build_pubkey(pgp_memory_t *, const pgp_pubkey_t *, unsigned);
unsigned pgp_calc_sesskey_checksum(pgp_pk_sesskey_t *, uint8_t *);
unsigned pgp_write_struct_userid(pgp_output_t *, const uint8_t *);
unsigned pgp_write_ss_header(pgp_output_t *, unsigned, pgp_content_enum);
unsigned pgp_write_struct_seckey_ptag(const pgp_seckey_t *key,
const uint8_t *passphrase,
const size_t pplen,
pgp_output_t *output,
pgp_content_enum ptag);
unsigned pgp_write_struct_seckey(const pgp_seckey_t *,
const uint8_t *,
const size_t,
@ -94,13 +99,9 @@ unsigned pgp_write_litdata(pgp_output_t *,
const pgp_litdata_enum);
pgp_pk_sesskey_t *pgp_create_pk_sesskey(const pgp_key_t *, const char *, pgp_pk_sesskey_t *);
unsigned pgp_write_pk_sesskey(pgp_output_t *, pgp_pk_sesskey_t *);
unsigned pgp_write_xfer_pubkey(pgp_output_t *,
const pgp_key_t *, const unsigned);
unsigned pgp_write_xfer_seckey(pgp_output_t *,
const pgp_key_t *,
const uint8_t *,
const size_t,
const unsigned);
unsigned pgp_write_xfer_key(pgp_output_t *output,
const pgp_key_t *key,
const unsigned armoured);
void pgp_fast_create_userid(uint8_t **, uint8_t *);
unsigned pgp_write_userid(const uint8_t *, pgp_output_t *);


+ 0
- 1
dist/src/lib/crypto.c View File

@ -700,7 +700,6 @@ pgp_decrypt_and_validate_buf(pgp_io_t *io,
validation.keyring = pubring;
validation.mem = pgp_memory_new();
pgp_memory_init(validation.mem, 128);
validation.reader = stream->readinfo.arg;
/* setup for writing decrypted contents to given output file */
pgp_setup_memory_write(&stream->cbinfo.output, &outmem, insize);


+ 575
- 569
dist/src/lib/keyring.c
File diff suppressed because it is too large
View File


+ 58
- 22
dist/src/lib/keyring.h View File

@ -56,6 +56,7 @@
#include "packet.h"
#include "packet-parse.h"
#include "mj.h"
#include "memory.h"
enum {
MAX_ID_LENGTH = 128,
@ -76,7 +77,7 @@ const pgp_key_t *pgp_getkeybyid(pgp_io_t *,
const pgp_keyring_t *,
const uint8_t *,
unsigned *,
pgp_pubkey_t **);
const pgp_pubkey_t **);
unsigned pgp_deletekeybyid(pgp_io_t *,
pgp_keyring_t *,
const uint8_t *);
@ -98,44 +99,52 @@ const pgp_key_t *pgp_getnextkeybyname(pgp_io_t *,
unsigned *);
void pgp_key_free(pgp_key_t *);
void pgp_keydata_free(pgp_key_t *);
int pgp_keydata_dup(pgp_key_t *, pgp_key_t *, unsigned);
void pgp_keyring_free(pgp_keyring_t *);
void pgp_keyring_purge(pgp_keyring_t *);
void pgp_dump_keyring(const pgp_keyring_t *);
const pgp_pubkey_t *pgp_get_pubkey(const pgp_key_t *);
const pgp_pubkey_t *pgp_key_get_pubkey(const pgp_key_t *);
unsigned pgp_is_key_secret(const pgp_key_t *);
const pgp_seckey_t *pgp_get_seckey(const pgp_key_t *);
pgp_seckey_t *pgp_get_writable_seckey(pgp_key_t *);
pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, void *);
unsigned pgp_keyring_fileread(pgp_keyring_t *, const unsigned,
const char *);
// pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, void *);
unsigned
pgp_keyring_fileread(
pgp_keyring_t *pubring,
pgp_keyring_t *secring,
const unsigned armour,
const char *filename);
unsigned
pgp_keyring_read_from_mem(pgp_io_t *io,
pgp_keyring_t *pubring,
pgp_keyring_t *secring,
const unsigned armour,
pgp_memory_t *mem);
int pgp_keyring_list(pgp_io_t *, const pgp_keyring_t *, const int);
int pgp_keyring_json(pgp_io_t *, const pgp_keyring_t *, mj_t *, const int);
void pgp_set_seckey(pgp_contents_t *, const pgp_key_t *);
void pgp_forget(void *, unsigned);
const uint8_t *pgp_get_key_id(const pgp_key_t *);
unsigned pgp_get_userid_count(const pgp_key_t *);
const uint8_t *pgp_get_userid(const pgp_key_t *, unsigned);
unsigned pgp_is_key_supported(const pgp_key_t *);
// uint8_t *pgp_add_userid(pgp_key_t *, const uint8_t *);
unsigned pgp_update_userid(
pgp_key_t *key,
uint8_t *userid,
const pgp_subpacket_t *sigpkt,
pgp_sig_info_t *siginfo);
uint8_t *pgp_add_userid(pgp_key_t *, const uint8_t *);
pgp_subpacket_t *pgp_add_subpacket(pgp_key_t *,
const pgp_subpacket_t *);
pgp_subpacket_t *pgp_replace_subpacket(pgp_key_t *,
const pgp_subpacket_t *,
unsigned );
// pgp_subpacket_t *pgp_add_subpacket(pgp_key_t *,
// const pgp_subpacket_t *);
// pgp_subpacket_t *pgp_replace_subpacket(pgp_key_t *,
// const pgp_subpacket_t *,
// unsigned );
unsigned pgp_add_selfsigned_userid(pgp_key_t *, uint8_t *);
pgp_key_t *pgp_keydata_new(void);
void pgp_keydata_init(pgp_key_t *, const pgp_content_enum);
int pgp_parse_and_accumulate(pgp_keyring_t *, pgp_stream_t *);
int pgp_sprint_keydata(pgp_io_t *, const pgp_keyring_t *,
const pgp_key_t *, char **, const char *,
const pgp_pubkey_t *, const int);
@ -163,15 +172,42 @@ int pgp_list_packets(pgp_io_t *,
char *pgp_export_key(pgp_io_t *, const pgp_key_t *, uint8_t *);
int pgp_keyring_add(pgp_keyring_t *, const pgp_key_t *);
int pgp_add_to_pubring(pgp_keyring_t *, const pgp_pubkey_t *, pgp_content_enum tag);
// int pgp_add_to_pubring(pgp_keyring_t *, const pgp_pubkey_t *, pgp_content_enum tag);
pgp_key_t *pgp_ensure_pubkey(
pgp_keyring_t *,
pgp_pubkey_t *,
uint8_t *);
int pgp_add_to_secring(pgp_keyring_t *, const pgp_seckey_t *);
pgp_key_t *pgp_ensure_seckey(
pgp_keyring_t *keyring,
pgp_seckey_t *seckey,
uint8_t *pubkeyid);
unsigned pgp_add_directsig(
pgp_key_t *key,
const pgp_subpacket_t *sigpkt,
pgp_sig_info_t *siginfo);
unsigned pgp_update_subkey(
pgp_key_t *key,
pgp_content_enum subkeytype,
pgp_keydata_key_t *subkey,
const pgp_subpacket_t *sigpkt,
pgp_sig_info_t *siginfo);
// int pgp_add_to_secring(pgp_keyring_t *, const pgp_seckey_t *);
int pgp_append_keyring(pgp_keyring_t *, pgp_keyring_t *);
pgp_subpacket_t * pgp_copy_packet(pgp_subpacket_t *, const pgp_subpacket_t *);
uint8_t * pgp_copy_userid(uint8_t **dst, const uint8_t *src);
const int32_t pgp_key_get_uid0(const pgp_key_t *keydata);
const pgp_pubkey_t * pgp_key_get_enckey(const pgp_key_t *key, const uint8_t **id);
const int32_t
pgp_key_find_uid_cond(
const pgp_key_t *key,
unsigned(*uidcond) ( uint8_t *, void *),
void *uidcondarg,
unsigned(*sigcond) ( const pgp_sig_info_t *),
time_t *youngest);
#endif /* KEYRING_H_ */

+ 0
- 99
dist/src/lib/misc.c View File

@ -96,105 +96,6 @@ __RCSID("$NetBSD$");
#define vsnprintf _vsnprintf
#endif
typedef struct {
pgp_keyring_t *keyring;
} accumulate_t;
/**
* \ingroup Core_Callbacks
*/
static pgp_cb_ret_t
accumulate_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
{
const pgp_contents_t *content = &pkt->u;
pgp_keyring_t *keyring;
accumulate_t *accumulate;
if (pgp_get_debug_level(__FILE__)) {
(void) fprintf(stderr, "accumulate callback: packet tag %u\n", pkt->tag);
}
accumulate = pgp_callback_arg(cbinfo);
keyring = accumulate->keyring;
switch (pkt->tag) {
case PGP_PTAG_CT_PUBLIC_KEY:
case PGP_PTAG_CT_PUBLIC_SUBKEY:
pgp_add_to_pubring(keyring, &content->pubkey, pkt->tag);
return PGP_KEEP_MEMORY;
case PGP_PTAG_CT_SECRET_KEY:
case PGP_PTAG_CT_ENCRYPTED_SECRET_KEY:
pgp_add_to_secring(keyring, &content->seckey);
return PGP_KEEP_MEMORY;
case PGP_PTAG_CT_USER_ID:
if (pgp_get_debug_level(__FILE__)) {
(void) fprintf(stderr, "User ID: %s for key %d\n",
content->userid,
keyring->keyc - 1);
}
if (keyring->keyc == 0) {
PGP_ERROR_1(cbinfo->errors, PGP_E_P_NO_USERID, "%s",
"No userid found");
} else {
pgp_add_userid(&keyring->keys[keyring->keyc - 1], content->userid);
}
return PGP_KEEP_MEMORY;
case PGP_PARSER_PACKET_END:
if (keyring->keyc > 0) {
pgp_add_subpacket(&keyring->keys[keyring->keyc - 1],
&content->packet);
return PGP_KEEP_MEMORY;
}
return PGP_RELEASE_MEMORY;
case PGP_PARSER_ERROR:
(void) fprintf(stderr, "Error: %s\n", content->error);
return PGP_FINISHED;
case PGP_PARSER_ERRCODE:
(void) fprintf(stderr, "parse error: %s\n",
pgp_errcode(content->errcode.errcode));
break;
default:
break;
}
/* XXX: we now exclude so many things, we should either drop this or */
/* do something to pass on copies of the stuff we keep */
return pgp_stacked_callback(pkt, cbinfo);
}
/**
* \ingroup Core_Parse
*
* Parse packets from an input stream until EOF or error.
*
* Key data found in the parsed data is added to #keyring.
*
* \param keyring Pointer to an existing keyring
* \param parse Options to use when parsing
*/
int
pgp_parse_and_accumulate(pgp_keyring_t *keyring, pgp_stream_t *parse)
{
accumulate_t accumulate;
const int printerrors = 1;
int ret;
if (parse->readinfo.accumulate) {
(void) fprintf(stderr,
"pgp_parse_and_accumulate: already init\n");
return 0;
}
(void) memset(&accumulate, 0x0, sizeof(accumulate));
accumulate.keyring = keyring;
pgp_callback_push(parse, accumulate_cb, &accumulate);
parse->readinfo.accumulate = 1;
ret = pgp_parse(parse, !printerrors);
return ret;
}
/** \file
* \brief Error Handling
*/


+ 91
- 87
dist/src/lib/netpgp.c View File

@ -142,7 +142,7 @@ resultp(pgp_io_t *io,
pgp_keyring_t *ring)
{
const pgp_key_t *key;
pgp_pubkey_t *sigkey;
const pgp_pubkey_t *sigkey;
unsigned from;
unsigned i;
time_t t;
@ -165,11 +165,6 @@ resultp(pgp_io_t *io,
key = pgp_getkeybyid(io, ring,
(const uint8_t *) res->valid_sigs[i].signer_id,
&from, &sigkey);
if (sigkey == &key->enckey) {
(void) fprintf(io->res,
"WARNING: signature for %s made with encryption key\n",
(f) ? f : "<stdin>");
}
pgp_print_keydata(io, ring, key, "signature ", &key->key.pubkey, 0);
}
}
@ -223,10 +218,12 @@ findvar(netpgp_t *netpgp, const char *name)
}
/* read a keyring and return it */
static void *
readkeyring(netpgp_t *netpgp, const char *name)
static unsigned
readkeyring(netpgp_t *netpgp,
const char *name,
pgp_keyring_t *pubring,
pgp_keyring_t *secring)
{
pgp_keyring_t *keyring;
const unsigned noarmor = 0;
char f[MAXPATHLEN];
char *filename;
@ -237,17 +234,12 @@ readkeyring(netpgp_t *netpgp, const char *name)
(void) snprintf(f, sizeof(f), "%s/%s.gpg", homedir, name);
filename = f;
}
if ((keyring = calloc(1, sizeof(*keyring))) == NULL) {
(void) fprintf(stderr, "readkeyring: bad alloc\n");
return NULL;
}
if (!pgp_keyring_fileread(keyring, noarmor, filename)) {
free(keyring);
if (!pgp_keyring_fileread(pubring, secring, noarmor, filename)) {
(void) fprintf(stderr, "Can't read %s %s\n", name, filename);
return NULL;
return 0;
}
netpgp_setvar(netpgp, name, filename);
return keyring;
return 1;
}
/* read keys from ssh key files */
@ -342,7 +334,7 @@ get_first_ring(pgp_keyring_t *ring, char *id, size_t len, int last)
return 0;
}
(void) memset(id, 0x0, len);
src = ring->keys[(last) ? ring->keyc - 1 : 0].sigid;
src = ring->keys[(last) ? ring->keyc - 1 : 0].pubkeyid;
for (i = 0, n = 0 ; i < PGP_KEY_ID_SIZE ; i += 2) {
n += snprintf(&id[n], len - n, "%02x%02x", src[i], src[i + 1]);
}
@ -457,7 +449,7 @@ appendkey(pgp_io_t *io, pgp_key_t *key, char *ringfile)
(void) fprintf(io->errs, "can't open pubring '%s'\n", ringfile);
return 0;
}
if (!pgp_write_xfer_pubkey(create, key, noarmor)) {
if (!pgp_write_xfer_key(create, key, noarmor)) {
(void) fprintf(io->errs, "Cannot write pubkey\n");
return 0;
}
@ -721,43 +713,43 @@ formatbignum(char *buffer, BIGNUM *bn)
#define MAX_PASSPHRASE_ATTEMPTS 3
#define INFINITE_ATTEMPTS -1
/* get the passphrase from the user */
static int
find_passphrase(FILE *passfp, const char *id, char *passphrase, size_t size, int attempts)
{
char prompt[BUFSIZ];
char buf[128];
char *cp;
int cc;
int i;
if (passfp) {
if (fgets(passphrase, (int)size, passfp) == NULL) {
return 0;
}
return (int)strlen(passphrase);
}
for (i = 0 ; i < attempts ; i++) {
(void) snprintf(prompt, sizeof(prompt), "Enter passphrase for %.16s: ", id);
if ((cp = getpass(prompt)) == NULL) {
break;
}
cc = snprintf(buf, sizeof(buf), "%s", cp);
(void) snprintf(prompt, sizeof(prompt), "Repeat passphrase for %.16s: ", id);
if ((cp = getpass(prompt)) == NULL) {
break;
}
cc = snprintf(passphrase, size, "%s", cp);
if (strcmp(buf, passphrase) == 0) {
(void) memset(buf, 0x0, sizeof(buf));
return cc;
}
}
(void) memset(buf, 0x0, sizeof(buf));
(void) memset(passphrase, 0x0, size);
return 0;
}
// FIXME support passphrase again
// /* get the passphrase from the user */
// static int
// find_passphrase(FILE *passfp, const char *id, char *passphrase, size_t size, int attempts)
// {
// char prompt[BUFSIZ];
// char buf[128];
// char *cp;
// int cc;
// int i;
//
// if (passfp) {
// if (fgets(passphrase, (int)size, passfp) == NULL) {
// return 0;
// }
// return (int)strlen(passphrase);
// }
// for (i = 0 ; i < attempts ; i++) {
// (void) snprintf(prompt, sizeof(prompt), "Enter passphrase for %.16s: ", id);
// if ((cp = getpass(prompt)) == NULL) {
// break;
// }
// cc = snprintf(buf, sizeof(buf), "%s", cp);
// (void) snprintf(prompt, sizeof(prompt), "Repeat passphrase for %.16s: ", id);
// if ((cp = getpass(prompt)) == NULL) {
// break;
// }
// cc = snprintf(passphrase, size, "%s", cp);
// if (strcmp(buf, passphrase) == 0) {
// (void) memset(buf, 0x0, sizeof(buf));
// return cc;
// }
// }
// (void) memset(buf, 0x0, sizeof(buf));
// (void) memset(passphrase, 0x0, size);
// return 0;
// }
/***************************************************************************/
/* exported functions start here */
@ -840,9 +832,20 @@ netpgp_init(netpgp_t *netpgp)
return 0;
}
if (netpgp_getvar(netpgp, "ssh keys") == NULL) {
/* read from ordinary pgp keyrings */
netpgp->pubring = readkeyring(netpgp, "pubring");
if (netpgp->pubring == NULL) {
if ((netpgp->pubring = calloc(1, sizeof(pgp_keyring_t))) == NULL) {
(void) fprintf(io->errs, "Can't alloc pubring\n");
return 0;
}
if ((netpgp->secring = calloc(1, sizeof(pgp_keyring_t))) == NULL) {
(void) fprintf(io->errs, "Can't alloc secring\n");
return 0;
}
if (!readkeyring(netpgp,
"pubring",
netpgp->pubring,
netpgp->secring)) {
(void) fprintf(io->errs, "Can't read pub keyring\n");
return 0;
}
@ -858,8 +861,10 @@ netpgp_init(netpgp_t *netpgp)
/* only read secret keys if we need to */
if (netpgp_getvar(netpgp, "need seckey")) {
/* read the secret ring */
netpgp->secring = readkeyring(netpgp, "secring");
if (netpgp->secring == NULL) {
if (!readkeyring(netpgp,
"secring",
netpgp->pubring,
netpgp->secring)) {
(void) fprintf(io->errs, "Can't read sec keyring\n");
return 0;
}
@ -1192,16 +1197,7 @@ netpgp_save_ring(netpgp_t *netpgp,
}
for (n = 0, key = keyring->keys; n < keyring->keyc; ++n, ++key) {
/* Dump raw key packets to ring file */
unsigned j;
for (j = 0; j < key->packetc; j++) {
if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
err = 1;
(void) fprintf(io->errs,
"netpgp_save_%s : couldn't save key #%d\n", name, n);
break;
}
}
pgp_write_xfer_key(output, key, 1);
}
pgp_teardown_file_write(output, fd);
@ -1246,7 +1242,10 @@ netpgp_import_key(netpgp_t *netpgp, char *f)
io = netpgp->io;
realarmor = isarmoured(io, f, NULL, IMPORT_ARMOR_HEAD);
done = pgp_keyring_fileread(netpgp->pubring, realarmor, f);
done = pgp_keyring_fileread(
netpgp->pubring,
netpgp->secring,
realarmor, f);
if (!done) {
(void) fprintf(io->errs, "Cannot import key from file %s\n", f);
return 0;
@ -1265,7 +1264,7 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
pgp_key_t *key;
pgp_io_t *io;
uint8_t *uid;
char passphrase[128];
/*char passphrase[128];*/
char newid[1024];
char filename[MAXPATHLEN];
char dir[MAXPATHLEN];
@ -1273,7 +1272,7 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
char *ringfile;
char *numtries;
int attempts;
int passc;
/*int passc;*/
int fd;
int cc;
@ -1329,8 +1328,9 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
} else if (strcmp(numtries, "unlimited") == 0) {
attempts = INFINITE_ATTEMPTS;
}
passc = find_passphrase(netpgp->passfp, &cp[ID_OFFSET], passphrase, sizeof(passphrase), attempts);
if (!pgp_write_xfer_seckey(create, key, (uint8_t *)passphrase, (const unsigned)passc, noarmor)) {
/* TODO use passphrase again */
/* passc = find_passphrase(netpgp->passfp, &cp[ID_OFFSET], passphrase, sizeof(passphrase), attempts);*/
if (!pgp_write_xfer_key(create, key, noarmor)) {
(void) fprintf(io->errs, "Cannot write seckey\n");
return 0;
}
@ -1423,7 +1423,7 @@ netpgp_sign_file(netpgp_t *netpgp,
const pgp_key_t *keypair;
const pgp_key_t *pubkey;
const unsigned overwrite = 1;
pgp_seckey_t *seckey;
const pgp_seckey_t *seckey;
const char *hashalg;
pgp_io_t *io;
char *numtries;
@ -1464,7 +1464,9 @@ netpgp_sign_file(netpgp_t *netpgp,
}
if (netpgp_getvar(netpgp, "ssh keys") == NULL) {
/* now decrypt key */
seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
seckey = pgp_get_seckey(keypair);
// FIXME : support encrypted seckeys again
// seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
if (seckey == NULL) {
(void) fprintf(io->errs, "Bad passphrase\n");
}
@ -1497,7 +1499,8 @@ netpgp_sign_file(netpgp_t *netpgp,
(unsigned)armored, (unsigned)cleartext,
overwrite);
}
pgp_forget(seckey, (unsigned)sizeof(*seckey));
/* FIXME should forget if key would have been unencrypted */
// pgp_forget(seckey, (unsigned)sizeof(*seckey));
return ret;
}
@ -1552,7 +1555,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
{
const pgp_key_t *keypair;
const pgp_key_t *pubkey;
pgp_seckey_t *seckey;
const pgp_seckey_t *seckey;
pgp_memory_t *signedmem;
const char *hashalg;
pgp_io_t *io;
@ -1592,7 +1595,9 @@ netpgp_sign_memory(netpgp_t *netpgp,
}
}
/* now decrypt key */
seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
seckey = pgp_get_seckey(keypair);
// FIXME : support encrypted seckeys again
// seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
if (seckey == NULL) {
(void) fprintf(io->errs, "Bad passphrase\n");
}
@ -1621,7 +1626,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
} else {
ret = 0;
}
pgp_forget(seckey, (unsigned)sizeof(*seckey));
// pgp_forget(seckey, (unsigned)sizeof(*seckey));
return ret;
}
@ -1832,7 +1837,7 @@ netpgp_list_packets(netpgp_t *netpgp, char *f, int armor, char *pubringname)
(void) fprintf(io->errs, "netpgp_list_packets: bad alloc\n");
return 0;
}
if (!pgp_keyring_fileread(keyring, noarmor, pubringname)) {
if (!pgp_keyring_fileread(keyring, NULL, noarmor, pubringname)) {
free(keyring);
(void) fprintf(io->errs, "Cannot read pub keyring %s\n",
pubringname);
@ -1959,9 +1964,8 @@ netpgp_set_homedir(netpgp_t *netpgp, char *home, const char *subdir, const int q
int
netpgp_validate_sigs(netpgp_t *netpgp)
{
pgp_validation_t result;
return (int)pgp_validate_all_sigs(&result, netpgp->pubring, NULL);
/* keys in keyring are now forced to be valid */
return 1;
}
/* print the json out on 'fp' */
@ -2024,7 +2028,7 @@ netpgp_write_sshkey(netpgp_t *netpgp, char *s, const char *userid, char *out, si
(void) fprintf(stderr, "netpgp_save_sshpub: bad alloc 2\n");
goto done;
}
if (!pgp_keyring_fileread(netpgp->pubring = keyring, 1, f)) {
if (!pgp_keyring_fileread(netpgp->pubring = keyring, NULL, 1, f)) {
(void) fprintf(stderr, "can't import key\n");
goto done;
}


+ 3
- 8
dist/src/lib/openssl_crypto.c View File

@ -736,8 +736,8 @@ pgp_rsa_generate_keypair(pgp_key_t *keydata,
RSA_free(rsa);
pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg);
pgp_keyid(keydata->pubkeyid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
pgp_fingerprint(&keydata->pubkeyfpr, &keydata->key.seckey.pubkey, seckey->hash_alg);
/* Generate checksum */
@ -783,12 +783,7 @@ pgp_rsa_generate_keypair(pgp_key_t *keydata,
if (!pgp_write_struct_seckey(seckey, passphrase, pplen, output)) {
return 0;
}else{
pgp_subpacket_t seckeypacket;
seckeypacket.length = pgp_mem_len(mem);
seckeypacket.raw = pgp_mem_data(mem);
(void) pgp_add_subpacket(keydata, &seckeypacket);
}
}
pgp_writer_close(output);
pgp_teardown_memory_write(output, mem);


+ 2
- 0
dist/src/lib/packet-parse.c View File

@ -1256,6 +1256,7 @@ pgp_pubkey_free(pgp_pubkey_t *p)
default:
(void) fprintf(stderr, "pgp_pubkey_free: bad alg\n");
}
memset(p, 0, sizeof(*p));
}
int
@ -2424,6 +2425,7 @@ pgp_seckey_free(pgp_seckey_t *key)
}
free(key->checkhash);
pgp_pubkey_free(&key->pubkey);
memset(key, 0, sizeof(*key));
}
int


+ 43
- 39
dist/src/lib/packet-print.c View File

@ -366,26 +366,38 @@ psubkeybinding(char *buf, size_t size, const pgp_key_t *key, const char *expired
{
char keyid[512];
char t[32];
const uint8_t *encid;
const pgp_pubkey_t *enckey = pgp_key_get_enckey(key, &encid);
return snprintf(buf, size, "encryption %d/%s %s %s %s\n",
numkeybits(&key->enckey),
pgp_show_pka(key->enckey.alg),
strhexdump(keyid, key->encid, PGP_KEY_ID_SIZE, ""),
ptimestr(t, sizeof(t), key->enckey.birthtime),
numkeybits(enckey),
pgp_show_pka(enckey->alg),
strhexdump(keyid, encid, PGP_KEY_ID_SIZE, ""),
ptimestr(t, sizeof(t), enckey->birthtime),
expired);
}
static unsigned uidmatch ( uint8_t *id, void *arg){
const char *refuid = arg;
return (strcmp((const char*)id, refuid) == 0);
}
static int
isrevoked(const pgp_key_t *key, unsigned uid)
{
unsigned r;
return (pgp_key_find_uid_cond(key, &uidmatch, (void*)(key->uids[uid]),
NULL,0) == -1)?
0 : /* None found ? -> revoked (or expired) -> 0*/
-1 ; /* Found one -> not revoked -> -1 */
}
for (r = 0 ; r < key->revokec ; r++) {
if (key->revokes[r].uid == uid) {
return r;
}
}
return -1;
static int
iskeyrevoked(const pgp_key_t *key)
{
return (pgp_key_find_uid_cond(key, NULL, NULL,
NULL,0) == -1)?
0 : /* None found ? -> revoked (or expired) -> 0*/
-1 ; /* Found one -> not revoked -> -1 */
}
#ifndef KB
@ -410,9 +422,8 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
char t[32];
int cc;
int n;
int r;
if (key == NULL || key->revoked) {
if (key == NULL || iskeyrevoked(key)) {
return -1;
}
now = time(NULL);
@ -428,10 +439,6 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
expired[0] = 0x0;
}
for (i = 0, n = 0; i < key->uidc; i++) {
if ((r = isrevoked(key, i)) >= 0 &&
key->revokes[r].code == PGP_REVOCATION_COMPROMISED) {
continue;
}
n += snprintf(&uidbuf[n], sizeof(uidbuf) - n, "uid%s%s%s\n",
(psigs) ? " " : " ",
key->uids[i],
@ -458,7 +465,7 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
"sig %s %s %s\n",
strhexdump(keyid, key->uidsigs[j].siginfo.signer_id, PGP_KEY_ID_SIZE, ""),
ptimestr(t, sizeof(t), key->uidsigs[j].siginfo.birthtime),
(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "[unknown]");
(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]");
}
}
}
@ -466,10 +473,10 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
header,
numkeybits(pubkey),
pgp_show_pka(pubkey->alg),
strhexdump(keyid, key->sigid, PGP_KEY_ID_SIZE, ""),
strhexdump(keyid, key->pubkeyid, PGP_KEY_ID_SIZE, ""),
ptimestr(t, sizeof(t), pubkey->birthtime),
expired,
strhexdump(fp, key->sigfingerprint.fingerprint, key->sigfingerprint.length, " "),
strhexdump(fp, key->pubkeyfpr.fingerprint, key->pubkeyfpr.length, " "),
uidbuf);
}
@ -486,9 +493,8 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
mj_t sub_obj;
char keyid[PGP_KEY_ID_SIZE * 3];
char fp[(PGP_FINGERPRINT_SIZE * 3) + 1];
int r;
if (key == NULL || key->revoked) {
if (key == NULL || iskeyrevoked(key)) {
return -1;
}
(void) memset(keyjson, 0x0, sizeof(*keyjson));
@ -496,20 +502,16 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
mj_append_field(keyjson, "header", "string", header, -1);
mj_append_field(keyjson, "key bits", "integer", (int64_t) numkeybits(pubkey));
mj_append_field(keyjson, "pka", "string", pgp_show_pka(pubkey->alg), -1);
mj_append_field(keyjson, "key id", "string", strhexdump(keyid, key->sigid, PGP_KEY_ID_SIZE, ""), -1);
mj_append_field(keyjson, "key id", "string", strhexdump(keyid, key->pubkeyid, PGP_KEY_ID_SIZE, ""), -1);
mj_append_field(keyjson, "fingerprint", "string",
strhexdump(fp, key->sigfingerprint.fingerprint, key->sigfingerprint.length, " "), -1);
strhexdump(fp, key->pubkeyfpr.fingerprint, key->pubkeyfpr.length, " "), -1);
mj_append_field(keyjson, "birthtime", "integer", pubkey->birthtime);
mj_append_field(keyjson, "duration", "integer", pubkey->duration);
for (i = 0; i < key->uidc; i++) {
if ((r = isrevoked(key, i)) >= 0 &&
key->revokes[r].code == PGP_REVOCATION_COMPROMISED) {
continue;
}
(void) memset(&sub_obj, 0x0, sizeof(sub_obj));
mj_create(&sub_obj, "array");
mj_append(&sub_obj, "string", key->uids[i], -1);
mj_append(&sub_obj, "string", (r >= 0) ? "[REVOKED]" : "", -1);
//mj_append(&sub_obj, "string", (r >= 0) ? "[REVOKED]" : "", -1);
mj_append_field(keyjson, "uid", "array", &sub_obj);
mj_delete(&sub_obj);
for (j = 0 ; j < key->uidsigc ; j++) {
@ -528,12 +530,14 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
mj_create(&sub_obj, "array");
if (key->uidsigs[j].siginfo.version == 4 &&
key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
mj_append(&sub_obj, "integer", (int64_t)numkeybits(&key->enckey));
const uint8_t *encid;
const pgp_pubkey_t *enckey = pgp_key_get_enckey(key, &encid);
mj_append(&sub_obj, "integer", (int64_t)numkeybits(enckey));
mj_append(&sub_obj, "string",
(const char *)pgp_show_pka(key->enckey.alg), -1);
(const char *)pgp_show_pka(enckey->alg), -1);
mj_append(&sub_obj, "string",
strhexdump(keyid, key->encid, PGP_KEY_ID_SIZE, ""), -1);
mj_append(&sub_obj, "integer", (int64_t)key->enckey.birthtime);
strhexdump(keyid, encid, PGP_KEY_ID_SIZE, ""), -1);
mj_append(&sub_obj, "integer", (int64_t)enckey->birthtime);
mj_append_field(keyjson, "encryption", "array", &sub_obj);
mj_delete(&sub_obj);
} else {
@ -544,7 +548,7 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
from = 0;
trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
mj_append(&sub_obj, "string",
(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "[unknown]", -1);
(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]", -1);
mj_append_field(keyjson, "sig", "array", &sub_obj);
mj_delete(&sub_obj);
}
@ -574,7 +578,7 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
char fp[(PGP_FINGERPRINT_SIZE * 3) + 1];
int n;
if (key->revoked) {
if (iskeyrevoked(key)) {
return -1;
}
for (i = 0, n = 0; i < key->uidc; i++) {
@ -610,12 +614,12 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
"sig:%s:%lld:%s\n",
strhexdump(keyid, key->uidsigs[j].siginfo.signer_id, PGP_KEY_ID_SIZE, ""),
(long long)key->uidsigs[j].siginfo.birthtime,
(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "");
(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "");
}
}
}
return pgp_asprintf(buf, "pub:%s:%d:%d:%lld:%lld\n%s",
strhexdump(fp, key->sigfingerprint.fingerprint, PGP_FINGERPRINT_SIZE, ""),
strhexdump(fp, key->pubkeyfpr.fingerprint, PGP_FINGERPRINT_SIZE, ""),
pubkey->alg,
numkeybits(pubkey),
(long long)pubkey->birthtime,
@ -689,8 +693,8 @@ pgp_sprint_pubkey(const pgp_key_t *key, char *out, size_t outsize)
int cc;
cc = snprintf(out, outsize, "key=%s\nname=%s\ncreation=%lld\nexpiry=%lld\nversion=%d\nalg=%d\n",
strhexdump(fp, key->sigfingerprint.fingerprint, PGP_FINGERPRINT_SIZE, ""),
key->uids[key->uid0],
strhexdump(fp, key->pubkeyfpr.fingerprint, PGP_FINGERPRINT_SIZE, ""),
key->uids[pgp_key_get_uid0(key)],
(long long)key->key.pubkey.birthtime,
(long long)key->key.pubkey.days_valid,
key->key.pubkey.version,


+ 13
- 33
dist/src/lib/packet.h View File

@ -640,6 +640,16 @@ typedef struct pgp_sig_info_t {
unsigned primary_userid:1;
} pgp_sig_info_t;
typedef enum {
PGP_KEYFLAG_CERT_KEYS = 0x01,
PGP_KEYFLAG_SIGN_DATA = 0x02,
PGP_KEYFLAG_ENC_COMM = 0x04,
PGP_KEYFLAG_ENC_STORAGE = 0x08,
PGP_KEYFLAG_SPLIT = 0x10,
PGP_KEYFLAG_AUTH = 0x20,
PGP_KEYFLAG_GROUP = 0x80
} pgp_key_flags_t;
/** Struct used when parsing a signature */
typedef struct pgp_sig_t {
pgp_sig_info_t info; /* The signature information */
@ -948,21 +958,12 @@ typedef union {
pgp_seckey_t seckey;
} pgp_keydata_key_t;
/* user revocation info */
typedef struct pgp_revoke_t {
uint32_t uid; /* index in uid array */
uint8_t code; /* revocation code */
char *reason; /* c'mon, spill the beans */
pgp_subpacket_t *packet;
} pgp_revoke_t;
/** userid signature subpackets */
typedef struct pgp_uidsig_t {
uint32_t uid; /* index in userid array in key */
pgp_sig_info_t siginfo;
uint8_t trustlevel; /* level of trust */
uint8_t trustamount; /* amount of trust */
uint8_t revoked; /* sigs revokes uid */
pgp_subpacket_t packet;
} pgp_uidsig_t;
@ -970,7 +971,6 @@ typedef struct pgp_uidsig_t {
typedef struct pgp_subkeysig_t {
uint32_t subkey; /* index of subkey in array */
pgp_sig_info_t siginfo;
uint8_t revoked; /* sigs revokes subkey */
pgp_subpacket_t packet;
} pgp_subkeysig_t;
@ -989,39 +989,19 @@ struct pgp_key_t {
pgp_content_enum type; /* type of key */
pgp_keydata_key_t key; /* pubkey/seckey data */
/* TODO remove */
DYNARRAY(pgp_subpacket_t, packet); /* array of raw subpackets */
DYNARRAY(pgp_directsig_t, directsig); /* direct signatures */
DYNARRAY(uint8_t *, uid); /* array of user ids */
DYNARRAY(pgp_uidsig_t, uidsig); /* array of signature for user ids */
/* TODO remove */
uint32_t uid0; /* primary uid index in uids array */
/* TODO user attributes */
/* TODO remove */
DYNARRAY(pgp_revoke_t, revoke); /* array of signature revocations */
DYNARRAY(pgp_subkey_t, subkey); /* array of subkeys */
DYNARRAY(pgp_subkeysig_t, subkeysig); /* array of sigs for subkeys */
pgp_pubkey_t sigkey; /* signature key */
uint8_t sigid[PGP_KEY_ID_SIZE];
pgp_fingerprint_t sigfingerprint; /* pgp signature fingerprint */
pgp_pubkey_t enckey; /* encryption key */
uint8_t encid[PGP_KEY_ID_SIZE];
pgp_fingerprint_t encfingerprint; /* pgp encryption id fingerprint */
DYNARRAY(pgp_directsig_t, directsig); /* direct signatures */
uint8_t revoked; /* key has been revoked */
pgp_sig_info_t revokeinfo; /* trust signature */
pgp_subpacket_t revokepacket;
/* TODO remove */
pgp_revoke_t revocation; /* revocation reason */
uint8_t pubkeyid[PGP_KEY_ID_SIZE];
pgp_fingerprint_t pubkeyfpr; /* pgp signature fingerprint */
};
#define MDC_PKT_TAG 0xd3
#endif /* PACKET_H_ */

+ 3
- 1
dist/src/lib/reader.c View File

@ -2252,7 +2252,9 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
"signature ", &pubkey->key.pubkey, 0);
/* now decrypt key */
secret = pgp_decrypt_seckey(keypair, cbinfo->passfp);
secret = pgp_get_seckey(keypair);
// FIXME : support encrypted seckeys again
// pgp_decrypt_seckey(keypair, cbinfo->passfp);
if (secret != NULL) {
break;
}


+ 1
- 15
dist/src/lib/signature.c View File

@ -87,19 +87,6 @@ __RCSID("$NetBSD$");
#include "netpgpdigest.h"
/** \ingroup Core_Create
* needed for signature creation
*/
struct pgp_create_sig_t {
pgp_hash_t hash;
pgp_sig_t sig;
pgp_memory_t *mem;
pgp_output_t *output; /* how to do the writing */
unsigned hashoff; /* hashed count offset */
unsigned hashlen;
unsigned unhashoff;
};
/**
\ingroup Core_Signature
Creates new pgp_create_sig_t
@ -1194,7 +1181,7 @@ int
pgp_sign_detached(pgp_io_t *io,
const char *f,
char *sigfile,
pgp_seckey_t *seckey,
const pgp_seckey_t *seckey,
const char *hash,
const int64_t from,
const uint64_t duration,
@ -1247,7 +1234,6 @@ pgp_sign_detached(pgp_io_t *io,
pgp_end_hashed_subpkts(sig);
pgp_write_sig(output, sig, &seckey->pubkey, seckey);
pgp_teardown_file_write(output, fd);
pgp_seckey_free(seckey);
return 1;
}

+ 13
- 5
dist/src/lib/signature.h View File

@ -118,7 +118,7 @@ unsigned pgp_sign_file(pgp_io_t *,
int pgp_sign_detached(pgp_io_t *,
const char *,
char *,
pgp_seckey_t *,
const pgp_seckey_t *,
const char *,
const int64_t,
const uint64_t,
@ -159,9 +159,17 @@ pgp_memory_t *pgp_sign_buf(pgp_io_t *,
const unsigned,
const unsigned);
unsigned pgp_keyring_read_from_mem(pgp_io_t *,
pgp_keyring_t *,
const unsigned,
pgp_memory_t *);
/** \ingroup Core_Create
* needed for signature creation
*/
struct pgp_create_sig_t {
pgp_hash_t hash;
pgp_sig_t sig;
pgp_memory_t *mem;
pgp_output_t *output; /* how to do the writing */
unsigned hashoff; /* hashed count offset */
unsigned hashlen;
unsigned unhashoff;
};
#endif /* SIGNATURE_H_ */

+ 8
- 5
dist/src/lib/ssh2pgp.c View File

@ -325,9 +325,10 @@ pgp_ssh2pubkey(pgp_io_t *io, const char *f, pgp_key_t *key, pgp_hash_alg_t hasht
hostname,
f,
owner);
pgp_keyid(key->sigid, sizeof(key->sigid), pubkey, hashtype);
pgp_add_userid(key, userid);
pgp_fingerprint(&key->sigfingerprint, pubkey, hashtype);
pgp_keyid(key->pubkeyid, sizeof(key->pubkeyid), pubkey, hashtype);
// XXX FIXME !
// pgp_add_userid(key, userid);
pgp_fingerprint(&key->pubkeyfpr, pubkey, hashtype);
free(userid);
if (pgp_get_debug_level(__FILE__)) {
/*pgp_print_keydata(io, keyring, key, "pub", pubkey, 0);*/
@ -423,8 +424,10 @@ pgp_ssh2seckey(pgp_io_t *io, const char *f, pgp_key_t *key, pgp_pubkey_t *pubkey
crypted.set_crypt_key(&crypted, sesskey);
pgp_encrypt_init(&crypted);
key->key.seckey.pubkey.alg = PGP_PKA_RSA;
pgp_fingerprint(&key->sigfingerprint, pubkey, hashtype);
pgp_keyid(key->sigid, sizeof(key->sigid), pubkey, hashtype);
pgp_fingerprint(&key->pubkeyfpr, pubkey, hashtype);
pgp_keyid(key->pubkeyid, sizeof(key->pubkeyid), pubkey, hashtype);
return 1;
}


+ 259
- 346
dist/src/lib/validate.c View File

@ -88,42 +88,43 @@ __RCSID("$NetBSD$");
#include <fcntl.h>
#endif
static int
keydata_reader(pgp_stream_t *stream, void *dest, size_t length, pgp_error_t **errors,
pgp_reader_t *readinfo,
pgp_cbdata_t *cbinfo)
{
validate_reader_t *reader = pgp_reader_get_arg(readinfo);
__PGP_USED(stream);
__PGP_USED(errors);
__PGP_USED(cbinfo);
if (reader->offset == reader->key->packets[reader->packet].length) {
reader->packet += 1;
reader->offset = 0;
}
if (reader->packet == reader->key->packetc) {
return 0;
}